Actions
Forum Thread Details
  • Replies 3 replies
  • Subscribers 480 subscribers
  • Views 485 views
  • Users 0 members are here
Related

Consequences of Bad Firmware

fustini

I read this EDN article today:

Toyota's killer firmware: Bad design and its consequences | EDN

On Thursday October 24, 2013, an Oklahoma court ruled against Toyota in a case of unintended acceleration that lead to the death of one the occupants. Central to the trial was the Engine Control Module's (ECM) firmware.

It was very interesting to learn of the different coding standards and safety measures.  For exmaple, error detecting and correcting RAM:

 

Toyota claimed the 2005 Camry's main CPU had error detecting and correcting (EDAC) RAM. It didn't. EDAC, or at least parity RAM, is relatively easy and low-cost insurance for safety-critical systems.

and issues with software not conforming to standards:

On top of that, stack-killing, MISRA-C rule-violating recursion was found in the code, and the CPU doesn't incorporate memory protection to guard against stack overflow.

Toyota's ETCS used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant.

 

Has anyone dealt with systems and standards like this?

 

thanks!

drew

  • I think one should exercise great caution in interesting the reports on this subject. The current court proceedings are based on a huge project conducted entirely by those with a vested interest in blaming Toyota. What would really inform the discussion would be comparative analysis of other suppliers code for similar applications. My limited experience of safety critical systems development (mainly as an onlooker) suggests that Toyota's practices (as alleged) are not unusual.

    No evidence has been offered (as far as I am aware) that the Toyota ECU actually malfunctioned - the assertion (probably true) is that it could.

    In my view the most worrying aspect of the design was the lack of a fully independent check/failsafe system able to cut off fuel injection if the brake pedal was pressed.

    I have zero confidence that any complex software system is free from faults - the only safe approach is to assume that the ECU is actually intelligent and quite determined to crash the car - and install some other simple system to shut it down when it goes off the rails. If this isn't possible then don't automate the functions in question.

     

    MK

  • It's always difficult to comment on these, especially when there's lawyers involved. Design work in the automotive industry has long been cost based, and part of that is weighing up the likelihood and effect of a failure.

    No complex software is foolproof, the more you add, the more could possibly go wrong. There's plenty of things that could go wrong, some of them are very unlikely and trying to write in the code everything you could think of makes the matter worse.

    Safety Critical applications I have come across usually involve redundancy, status monitoring and a link to a hardware correction path (eg cut power and progressively apply brakes in Rail applications). It deals independently with one component in system failing by having another able to override what is usually a non-responsive module. Note usually the case in automotive, the braking power of a car always well exceeds the power of the engine, stand on the brakes and you'll stop and stall the engine.

  • Hi Drew,

     

    The safety issues in software/firmware development has been a hot topic for years.

    The requirements for a system are usually not passed down to the components since the end user/manufacturer is on the hook for testing/demonstrating compliance.

     

    It is very hard to determine what a company did or did not do to verify compliance.

    I know that in the DoD, the government would usually insist on an independent verification and validation group for any device that could result in a life threatening scenario.  Having participated on a number of these, the review process is very thurough and the testing is always scrutinized heavily to make sure that the conditions for catching failures is always observed.

     

    I have been very disappointed to see the the Auto industry is reinventing a lot of software, standards and testing capability that the Aerospace industry has spent decades resolving.  I see a lot of "Not Invented Here" mentality as the vehicles get more and more software/firmware driven.

     

    So in many ways, I am not surprised at the results.  A look back at the incidents of software issues in Aerospace should have alerted the Auto industry about the issues.

    Their failure to learn from the Billions of dollars spent making systems "safe" has been very disappointing.

     

    Perhaps this ruling on Toyoda will wake them up so that they do a better job of researching systems designs and borrow many of the standards that are common in the Aerospace industry.

     

    Or they can continue to sell defective vehicles just waiting to crash.

     

    Just my opinion,

    DAB