Should I Take Toyota's Software Update?
kiehlster writes "I'm a software developer, and I know that most software has bugs, but how much trust can we put in the many lines of code found in our automobiles? I have a 2009 Camry that is involved in both of the recent Toyota recalls. As part of the floor-mat issue, they're offering to install a software update that would cause 'the brake pedal to take precedence over the gas pedal if both were pressed,' or, as their latest notice states, 'would cut power to the engine if both pedals were pressed.' In the computer world, we're all taught to install firmware updates only if there is a real problem because a large percentage of firmware updates actually brick the hardware or cause other unforeseen consequences. On a base of 100 million lines of code, can I really trust a software update to work safely when it is delivered in a three-month development cycle? My driving habits don't cause the floor mat to slide much, so I see the update as overkill. What do you think? If it doesn't void the warranty, should I tell them to skip the update?"
Are you kidding? (Score:5, Interesting)
Take the upgrade. Shipping firmware always has bugs. Always. As a system administrator, the first thing I do out of the box is download and install the current firmware while it's still under warranty. And if they brick your computer they'll replace it.
Not a Smart Move to Turn Down The Upgrade (Score:1, Interesting)
IANAL, but if you refuse the software update and your car proceeds to have an accident caused by flaws in the old software, you'll have no legal recourse against Toyota for any deaths, injuries or property damages caused by the software malfunction.
Re:You're looking at it wrong. (Score:5, Interesting)
Good luck getting any money from Toyota or your insurance company if you _don't_ take that update.
Besides, there's not 100 million lines of code in _that_ particular part, they won't be updating your blinkenlights firmware and such at the same time.
Re:You're looking at it wrong. (Score:5, Interesting)
I think you'd have to be nuts not to install it.
I will say this (Score:2, Interesting)
The closed-source software model is so much more fascinating when there is a body count, no?
Known Bad vs Unknowns (Score:3, Interesting)
Well, Toyota is giving hearings on Capitol Hill, they have taken a non-trivial financial hit, and I think their president is one piece of bad news away from seppuku. Yeah, you can probably trust that they did everything in their power not to screw it up. I probably would take a potentially unknown problem on a firmware update that is being watched by dozens of agencies and internal company auditors over a firmware that is known bad with a questionable dedication to quality. Even if there is a problem, it is a safe bet that it will be detected very early due to the number of eyes on it.
Having been inside of a company that has had to do a recall, I can say that nothing sharpens a company's overzealous safety instincts and risk avoidance mania more than a major recall. Recalls, especially the type that Toyota is experiencing, are a complete disaster for the company. They are extremely expensive both in terms of cost and reputation. I am pretty sure that the internal state of Toyota right now is a safety mania that trumps all else that would make a Puppeteer proud. In fact, you can probably rest assured that Toyota is currently wildly overshooting the 'proper' levels of safety. It will probably be a few quarters before they unwind to more reasonable levels.
You need to consider it from the perspective of a manager. If you, as a manager, are in charge of a critical safety component, what is in your best interest? Yeah, you could try and cut a corner and skim an extra 2% profit that your boss might or might not notice, but if it backfires and YOU result in a safety issue, especially in the current environment, you should get a friend with a sword and a basket for your head and save the company the trouble. Right now, kudos in Toyota are earned by being a safety nut and being the one to discover and 'fix' some absurdly low probability safety concern, not for squeezing the budget a little further. Speaking as someone who has been in a company in full recall mode, if there is ever a time to trust that a company really is putting safety first, now is the time.
Re:huh? (Score:2, Interesting)
You know, I've never actually bricked anything by upgrading firmware. Routers, mobile phones, DVRs, computers, televisions, even microwave ovens...never bricked anything. I don't know anyone who has bricked a device, either. Am I lucky? Are my friends lucky?
Re:Jane, you ignorant slut... (Score:4, Interesting)
It's a nice feature, but Toyota's brakes can stop (Score:3, Interesting)
the car even with the throttle wide open.
Motor Trend's own test of a Camry found that even with the accelerator wide open the brakes can overcome the engine, easily in fact. Better yet, it still stopped shorter than the Taurus with no accelerator problems!
http://forums.motortrend.com/70/8007011/the-general-forum/c-d-toyota-dealing-with-unintended-acceleration-te/index.html [motortrend.com]
So take the update; it's not like your car doesn't already have a program, one declared defective.
Re:You're looking at it wrong. (Score:5, Interesting)
Then you're using it wrong.
I work for a rather large corporation that uses Simulink for all of our stuff. Nothing gets re-written. The stuff that goes into production is stuff that IS assembled by the electronics group.
Other groups that design the control algorithms do use XPC boxes [speedgoat.ch] to create strategies quickly. Once this is done a software specification is written and given to the group that actually makes the model 'their way' (fixed point, design standards, naming conventions, etc). This gets compiled and put into production ECMs that customers use.
It's really amazing how settings and maps get pulled from different databases and merged together.
Re:You're looking at it wrong. (Score:5, Interesting)
IT is not THE fix. It is a failsafe for THE fix.
The REAL problem is the reading from the Toyota ECM when the two redundant APP (accelerator pedal position) signal circuits are shorted together (main and sub). From the Toyota Camry VSRM:
DESCRIPTION
This ETCS (Electronic Throttle Control System) does not use a throttle cable. The Accelerator Pedal Position (APP) sensor is mounted on the accelerator pedal bracket and has 2 sensor circuits: VPA (main) and VPA2 (sub). This sensor is a non-contact type, and uses Hall-effect elements, in order to yield accurate signals, even in extreme driving conditions, such as at high speeds as well as very low speeds. The voltage, which is applied to terminals VPA and VPA2 of the ECM, varies between 0 V and 5 V in proportion to the operating angle of the accelerator pedal (throttle valve). A signal from VPA indicates the actual accelerator pedal opening angle (throttle valve opening angle) and is used for engine control. A signal from VPA2 conveys the status of the VPA circuit and is used to check the APP sensor itself. The ECM monitors the actual accelerator pedal opening angle (throttle valve opening angle) through the signals from VPA and VPA2, and controls the throttle actuator according to these signals.
FAIL-SAFE
The accelerator pedal position sensor has two (main and sub) sensor circuits. If a malfunction occurs in either of the sensor circuits, the ECM detects the abnormal signal voltage difference between the two sensor circuits and switches to limp mode. In limp mode, the functioning circuit is used to calculate the accelerator pedal opening angle to allow the vehicle to continue driving. If both circuits malfunction, the ECM regards the opening angle of the accelerator pedal as being fully closed. In this case, the throttle valve remains closed as if the engine is idling.
If a pass condition is detected and then the ignition switch is turned off, the fail-safe operation stops and the system returns to a normal condition.
VPA and VPA2 are coming from the PCM with 0.5-1.1 V at one of the sensors and 1.2-2.0 V at the other when the pedal is at its relaxed position. When there's force at the pedal, one sensor will operate between 2.6-4.5 V and the other at 3.4-5.0 V.
Toyota specs normal voltage for both the VPA sensors between 0.4-4.8 V for VPA and 0.5-4.8 V for VPA2, with a 0.2 V deviation between the 2 sensors. Anything out of those ranges will trigger a DTC.
An internal short could occur within one or more of the paths from the circuits leading to the ECM. That could lead to a situation where the computer cannot detect its own failure. Therefore, when the system gets conflicting information, it arbitrarily ignores half the conflicting information. It does not know which of the circuits are lying or if they both are lying and shorted together. Different resistance values will lead to arbitrary acceleration. Having the brake override it is a stopgap, but fixing the real problem (perhaps with a third circuit in voting mode, which will require replacing the entire circuit path) is the REAL FIX. I suspect 2012 and onwards Toyotas would have a third path and Faraday cage/Denso replacement for the magnet assembly in the plastic accelerator pedal (which is another problem with EMI which might lead to acceleration) which I am not going to go into here.
So, YES OP, you should definitely install the update. It's the only thing standing between you and death if both the APP circuits short.
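As an added illustration (not code from this page, from Toyota, or from the commenter), the following C model implements the dual-channel plausibility check and limp-mode fall-back described in the quoted manual text, plus the brake-override stopgap from the recall notice. The per-channel windows (0.4-4.8 V for VPA, 0.5-4.8 V for VPA2) and the 0.2 V tolerance are taken from the comment; the nominal main/sub offset, the rest and full-pedal voltages, the linear voltage-to-opening mapping and the 10% override threshold are assumptions made for the example. The `trust_main` flag models the shorted-together case the comment describes (both channels inside their windows but contradicting each other) under the two policies it contrasts: trusting one channel anyway versus treating the pedal as released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-channel voltage windows (from the comment). */
#define VPA_MIN      0.4
#define VPA_MAX      4.8
#define VPA2_MIN     0.5
#define VPA2_MAX     4.8
#define SUB_TOL      0.2   /* allowed main/sub deviation (from the comment) */
/* Everything below is a constructed assumption, not Toyota's calibration. */
#define SUB_OFFSET   0.8   /* assumed nominal VPA2 - VPA */
#define REST_V       0.8   /* assumed main-channel voltage at pedal rest */
#define FULL_V       4.5   /* assumed main-channel voltage at full pedal */
#define BRAKE_CUT_OPEN 0.10 /* assumed: override acts above 10% opening */

typedef enum { APP_NORMAL, APP_LIMP_MAIN, APP_LIMP_SUB, APP_CLOSED } app_state_t;

typedef struct {
    app_state_t state;
    double opening;   /* requested throttle opening, 0.0 .. 1.0 */
    bool   dtc;       /* true: a diagnostic trouble code should be logged */
} app_result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }
static bool in_range(double v, double lo, double hi) { return v >= lo && v <= hi; }

/* Assumed linear pedal map, clamped to [0, 1]. */
static double volts_to_opening(double v) {
    double o = (v - REST_V) / (FULL_V - REST_V);
    return o < 0.0 ? 0.0 : (o > 1.0 ? 1.0 : o);
}

/* Plausibility check: both channels must sit inside their windows and must
 * track each other within SUB_TOL of the nominal offset. trust_main picks
 * the policy for the ambiguous case (both in window, but disagreeing):
 * true = use the main channel anyway, false = treat the pedal as released. */
app_result_t app_evaluate(double vpa, double vpa2, bool trust_main) {
    app_result_t r = { APP_CLOSED, 0.0, true };
    bool main_ok = in_range(vpa, VPA_MIN, VPA_MAX);
    bool sub_ok  = in_range(vpa2, VPA2_MIN, VPA2_MAX);
    bool agree   = absd((vpa2 - vpa) - SUB_OFFSET) <= SUB_TOL;

    if (main_ok && sub_ok && agree) {
        r.state = APP_NORMAL; r.opening = volts_to_opening(vpa); r.dtc = false;
    } else if (main_ok && !sub_ok) {          /* limp mode on the main channel */
        r.state = APP_LIMP_MAIN; r.opening = volts_to_opening(vpa);
    } else if (sub_ok && !main_ok) {          /* limp mode on the sub channel */
        r.state = APP_LIMP_SUB; r.opening = volts_to_opening(vpa2 - SUB_OFFSET);
    } else if (main_ok && sub_ok && trust_main) {
        /* Both channels look valid but contradict each other (e.g. shorted
         * together): the ECM cannot tell which one is lying. */
        r.state = APP_NORMAL; r.opening = volts_to_opening(vpa);
    }
    /* Otherwise (both bad, or conflict under the conservative policy):
     * pedal regarded as fully closed, throttle stays at idle. */
    return r;
}

/* Brake-override stopgap from the recall notice: the brake wins over gas. */
double throttle_command(app_result_t app, bool brake_pressed) {
    if (brake_pressed && app.opening > BRAKE_CUT_OPEN) return 0.0;
    return app.opening;
}

int main(void) {
    /* Constructed readings: healthy half pedal, then both channels shorted. */
    app_result_t ok = app_evaluate(2.65, 3.45, true);
    app_result_t shorted = app_evaluate(3.0, 3.0, true);
    app_result_t safe = app_evaluate(3.0, 3.0, false);
    printf("healthy: state=%d opening=%.2f dtc=%d\n", ok.state, ok.opening, ok.dtc);
    printf("shorted, trust main: opening=%.2f, with brake=%.2f\n",
           shorted.opening, throttle_command(shorted, true));
    printf("shorted, conservative: state=%d opening=%.2f\n", safe.state, safe.opening);
    return 0;
}
```

The shorted-together run is the case the comment is making: with both voltages in window, no per-channel range check fires, so only the cross-channel deviation check or the brake override can keep the throttle from following the bad reading.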
Re:You're looking at it wrong. (Score:1, Interesting)
The Toyotas w/o the brake override system could be stopped if you were at slow speeds with a lot of effort on the brakes and emergency brake. At higher speeds, the brakes were not enough to stop the vehicle with only the brakes.
This is absolutely not true. Even very weak brakes are strong enough to stop a car with a very powerful engine. The only time this is not true is when the user rides the brakes for a while, which causes them to overheat and fade. If you brake hard and decisively, you can stop the car with minimal effort from any speed. I suspect the trooper who killed his family in a Lexus was pussyfooting around with the brake pedal, and once he realized how bad the situation was, it was too late - the brakes were already toast.
Re:You're looking at it wrong. (Score:4, Interesting)
Number 3 is a good point...
You get in an accident. You go, "Well, it is a Toyota bug." But Toyota goes, "Well, we gave you the fix; you said 'I don't know if I should install it, I mean it is a patch, it just may not fix the problem.'"
Basically, if you install it and there is a problem, it is Toyota's fault, not yours... If you don't, then it is your fault.
I also fail to see where this millions of lines of code comes from. I haven't ever seen anything that has a million lines of code. I have seen groups of software that, when packaged together, will be millions of lines of code. Even the Linux kernel is broken into a bunch of smaller programs, so a fix doesn't affect millions of lines of code.
When someone says it is millions of lines of code, it is them bragging about how much effort they put into making the application deployable... However, if there is a bug that needs to be fixed, it is normally part of a module where you need to test to make sure that it doesn't affect around 5000 lines of code.
Rhonda Smith's story smells fishy (Score:5, Interesting)
Rhonda Smith's story of six miles of interstate terror, as her Lexus suddenly zoomed to 100 miles per hour, will set the mood Tuesday for the first congressional hearing on Toyota's acceleration problems.
Yes, and if you read more about it you'll find several [thetruthaboutcars.com] interesting bits of info. One is that upon inspection there was no evidence that the brakes had been applied, including the MECHANICAL emergency brake. She also claimed under oath that she had complained about the problem to Toyota, but the only record Toyota has is for an oil change. She also sold the car to a family member (not something you'd think she'd do if it really were unsafe) and according to the Wall Street Journal the car is still on the road [wsj.com].
Frankly I think there are a lot of people making up stories hoping to get money in a lawsuit, much the same way people made up stories about Audi a few decades ago. Yes, there appear to be some actual problems but there are a lot of liars out there too.
Re:You're looking at it wrong. (Score:2, Interesting)
>>>You could throw the car into neutral with an automatic in Toyotas with these problems. People during these incidents did not think of that though.
WRONG.
Why do people insist upon repeating wrong stuff even when I said, point blank, "ignores all other signals, even shifting to neutral"??? A victim of this bug sat on the floor of Congress and testified that she pressed the brake, shifted to neutral, even shifted to reverse, and the car ignored those commands.
Then a Toyota engineer testified that her testimony was accurate, and he confirmed that when the "acceleration bug" happens, the computer ignores everything else.
So NO, shifting to neutral will not save you from dying in a runaway Toyota.
aside-
And what really ____es me off is that Toyota has had LOTS of problems over this past decade, like prematurely dying Prius batteries, and engines sludging at only 20-30,000 miles, plus this pedal situation. And you know what Toyota's response was in every case? "Customer's fault, not ours." Even when customers had their dealers backing them up with receipts, proving the car had been maintained faithfully, the Toyota Corporation still refused to honor the warranty or acknowledge the problem.
I can understand engineering mistakes. We're only human. But to deny warranty, and to deny blatant deaths, and instead blame innocent people who have done no wrong, is the height of arrogance. It reminds me of how Ford acted when their 70s-era Pintos were exploding. Deny, deny, deny..... until the government catches you.
Good thing we have government, and customers willing to file class-action lawsuits in court, otherwise Toyota would still be doing nothing.
Re:You're looking at it wrong. (Score:2, Interesting)
(Different embedded software engineer at a major corporation that uses Simulink's RTW Embedded Coder)
No, I've had a tools group go through and create a custom TLC with all of our coding standards imposed on it. Thus, I don't need to spend time optimizing and inspecting my code. I also have downstream groups integrating and testing my code. This is the way software is written. If I were to spend my time inspecting autogenerated C code, I'd be a LOT less productive.
Re:You're looking at it wrong. (Score:3, Interesting)
That's very detailed information. Where are you getting this from? I see that ETCS issues are mentioned in a lawsuit against Toyota [findlaw.com], but you're specifying that the unintended acceleration in Toyotas may be the result of a simple short across the 2 APP sensors? That's pretty big news, and if so, it's a hardware issue with a potential software workaround, as you've detailed above.
Is this something you've determined personally, or do you have a source link for it?
Re:You're looking at it wrong. (Score:3, Interesting)
Currently, the key-start circuit cuts power to a significant portion of the engine controls. There is no way the engine can run, unless the ignition switch fails shorted. However, you are right. With modern technology, the ignition switch could be made fly-by-wire. If the car was an industrial machine, this would be a severe breach of protocol. Actually, for industrial machinery standards, the current ignition switch would not be considered a sufficient safe-disconnect device. However, it is a car. There is no specific legislative requirement for an off switch. As such, why keep an off-switch???
Re:You're looking at it wrong. (Score:3, Interesting)
The last article is bollocks since not only is the gear also fly-by-wire, but there are also witness reports of the car being set in neutral/reverse with no effect.
Re:You're looking at it wrong. (Score:5, Interesting)
Just push the power button for 5 seconds.
Ya know... I never really liked it when computers switched to this method with the ATX revolution. Sometimes you still have to reach around and pull the plug. Sometimes it can take a minute or two.
I'd hate for this to happen in a life or death scenario. As mentioned above, a hard off à la old AT cases just seems safer.
Re:Jane, you ignorant slut... (Score:1, Interesting)
I suspect this is very similar to how the Toyota dealer will install the new software. They won't do the 'rear window defroster' because they use a special cable to connect their programmer to the car/engine management computer. Turning the power off (or disconnecting the battery) would very likely brick the car, unless they added a ROM to hold the flash programming code (unlikely, since that would make upgrading the flash programming code impossible).
Re:Crap! That sucks! (Score:3, Interesting)
We, the US Navy, have been driving submarines by wire for decades - and hydraulics are by far more troublesome than the electronic/electrical portions of the system. (And hydraulics require orders of magnitude more maintenance to boot.)