
RE: Race condition...



Hi Ian

Back in the mid 1980s when I, and the guy who wrote the blog article I linked to, were writing systems, they were around 8 bit microcontrollers with 2k ROM and 64 bytes RAM and a 16 byte stack; everything was written in assembler.

I think he was using the word "smart" to mean "sensible" rather than "complex" in this context.

But Toyota's problems would have been considerably less for a line of code that said something like

If brake
	engine = idle
else
	engine = throttle

Because then a stuck throttle would be overridden by the brake signal. It would also have ensured that if someone accidentally hit both the brake and accelerator (e.g. through driving in unsuitable footwear - this has actually happened to me with new trainers that were wider than normal and an unfamiliar rental car where the pedals were offset and closer together) then the brake would take precedence.

This goes back to my original point that as the software has become more complex, it has become "disconnected" from the physical world it is actually controlling.

Back about 1985 I submitted some papers to an IEE automotive conference; one of them was sent back because I had postulated that it was possible to use some intelligence like this to make engine controllers smarter and cope with things like sensor failures. I then appended the code listing, which was only a few bytes long, and the paper was accepted. Thus, if I could find the paper, I could tell you how many lines of code the IEE reviewers considered "smart".


Tony Gore 
email  tony@xxxxxxxxxxxx 
tel +44-1278-761000  FAX +44-1278-760006  GSM +44-7768-598570 
URL: www.aspen.uk.com 
Aspen Enterprises Limited 
Registered in England and Wales no. 3055963 Reg.Office Aspen House, Burton Row, Brent Knoll, Somerset TA9 4BW.  UK 
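As an added illustration of the brake-overrides-throttle rule argued above (example code written for this page, not from the thread, the linked blog, or any Ford or Toyota controller), here is a small C arbitration routine in which the brake switch forces idle and drops cruise control before the pedal is even consulted, and a pedal sensor failure also falls back to idle. The redundant second pedal sensor, the 0..100 percentage scale and the tolerance value are assumptions of this example, not something the thread describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define FUEL_IDLE        5u   /* assumed: smallest fuel demand (%) that keeps the engine ticking over */
#define FUEL_MAX       100u
#define PEDAL_TOLERANCE 10u   /* assumed: largest disagreement allowed between pedal sensors */

struct inputs {
    bool    brake_switch;   /* brake light switch, the same signal the thread describes */
    uint8_t pedal_a;        /* throttle pedal position, sensor A, 0..100 */
    uint8_t pedal_b;        /* redundant pedal sensor B (assumed), 0..100 */
    bool    cruise_engaged; /* cruise control currently holding speed */
    uint8_t cruise_demand;  /* fuel demand requested by cruise control, 0..100 */
};

struct outputs {
    uint8_t fuel;           /* fuel demand sent to the injectors, 0..100 */
    bool    cruise_engaged; /* cruise state after arbitration */
    bool    pedal_fault;    /* set when the two pedal sensors disagree */
};

/* Decide the fuel demand. The brake is checked first and wins outright:
 * a stuck or misread throttle, or a foot on both pedals, still yields idle. */
struct outputs arbitrate(const struct inputs *in)
{
    struct outputs out = { FUEL_IDLE, false, false };

    if (in->brake_switch)             /* brake overrides throttle and drops cruise */
        return out;

    /* Sensor failure handling: if the redundant pedal sensors disagree,
     * treat the throttle as unknown and stay at idle rather than guess. */
    if (abs((int)in->pedal_a - (int)in->pedal_b) > (int)PEDAL_TOLERANCE) {
        out.pedal_fault = true;
        return out;
    }

    /* Take the lower of the two readings: the least-demand interpretation. */
    uint8_t pedal = in->pedal_a < in->pedal_b ? in->pedal_a : in->pedal_b;
    uint8_t demand = pedal;
    if (in->cruise_engaged && in->cruise_demand > demand)
        demand = in->cruise_demand;

    out.cruise_engaged = in->cruise_engaged;
    out.fuel = demand < FUEL_IDLE ? FUEL_IDLE : (demand > FUEL_MAX ? FUEL_MAX : demand);
    return out;
}
```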



-----Original Message-----
From: Iain Phillips [mailto:I.W.Phillips@xxxxxxxxxxx] 
Sent: 31 March 2010 08:27
To: Tony Gore
Cc: Ian East; Jones, Chris C (UK Warton); occam-com@xxxxxxxxxx
Subject: Re: Race condition...

Obviously I'm in the wrong game when one IF statement is now "smart software"

iain

On 31 Mar 2010, at 04:04, Tony Gore wrote:

> Hi Ian
>  
> See this
>  
> http://www.edn.com/blog/1700000170/post/1760052976.html?nid=3351&rid=8414203
>  
> from an engineer who used to work at Ford in around the same era that I was working in automotive. The key phrase he uses is
>  
> The system level error that Toyota made is not letting a brake signal override a throttle signal.
>  
> Although not common over here in the UK because of our penchant for stick shift (manual gearboxes), most cars in the US have automatic gearboxes and cruise control. One of the standard signals to cruise control is the brake signal to disengage it.
>  
>  
> Tony Gore
> email  tony@xxxxxxxxxxxx 
> tel +44-1278-761000  FAX +44-1278-760006  GSM +44-7768-598570 
> URL: www.aspen.uk.com 
> Aspen Enterprises Limited 
> Registered in England and Wales no. 3055963 Reg.Office Aspen House, Burton Row, Brent Knoll, Somerset TA9 4BW.  UK
>  
>  
>  
> From: Ian East [mailto:ian.east@xxxxxxxxxxxx] 
> Sent: 19 March 2010 18:39
> To: Tony Gore
> Cc: Jones, Chris C (UK Warton); occam-com@xxxxxxxxxx
> Subject: Re: Race condition...
>  
>  
> On 19 Mar 2010, at 17:55, Tony Gore wrote:
> 
> 
> Not on this one, but the original Toyota accelerator problem does appear to have been a poor piece of software. It is normal when writing an engine controller to take account of other inputs. Thus, if the brake is pressed (in my days, detected by the same switch that puts the brake light on) then you cut the fuel injection down to a small level to sustain combustion and keep the engine ticking over and this also helps keep emissions down.
> 
> This makes the brake light switch into a safety-critical component!
> 
> 
> In the case of Toyota, they do not appear to have done this, or if they have, the conflict between the signals has been mismanaged. This is why the engine can have full throttle and is not overridden by the brake. Modern engines (especially in US cars) are more powerful than the brakes, and this is why people are finding it impossible to stop the car in some circumstances.
> 
>  
> Is it not the case that the accelerator pedal is now used as a "speed control", telling the fuel management system the acceleration the driver wants?
> If so, the software will simply ramp up the power when the brake is applied, assuming it is unaware (or takes no account) of that.
>  
> Can it really be that simple?
>  
> Ian
>  
>  
> 
> Ian East
> ian.east@xxxxxxxxxxxxxxxxxxxxxxxxx
> Open Channel Publishing Ltd.
> (Reg. in England, Company Number 6818450)
> www.openchannelpublishing.com
>  
>  




Iain
--
Iain Phillips
Head of Department, Computer Science, Loughborough University
I.W.Phillips@xxxxxxxxxxx  01509 222690