Cars That Won't Stop: Are Computers the Problem?

Stephen H. Unger
April 26, 2010

Jamming your foot on the brakes and having your car speed up instead of slow down is the kind of thing that happens in nightmares—or in Toyotas. Fortunately, the probability of such a nightmare is extremely low. But just how low is low enough, given that brakes are applied so often and that the consequences of such a failure are likely to be catastrophic? This is a case where 99.99% reliability is far from adequate. Let's consider the causes of this problem, what can be done about them, and just how serious the whole matter is. What useful lessons can be learned?

Causes

The first suspect in any auto accident is the driver [Stephan]. In the case of an SUA (sudden unintended acceleration) incident, the most obvious explanation is that the driver's foot was on the wrong pedal. This could be due to confusion caused by unfamiliarity with the auto (rented cars were disproportionately involved), emotional upset, general incompetence, or a combination of these effects. There may also be cases where SUA reports are fraudulent, motivated by the prospect of a lucrative law suit.

Toyota has conceded that some incidents were the result of floor mats jamming the accelerator pedal, and others the result of worn gas pedal mechanisms that increase friction under certain conditions, causing the pedal to stick [Borenstein]. The company has devised fixes for these problems, implemented by dealers on recalled cars. There is nothing new about mechanical problems of this kind. Automobiles have always been vulnerable to such problems. Obviously great care must be taken in the design and maintenance of subsystems involved in safety-critical functions such as braking and steering.

Yet another possible cause of SUA is more interesting. Whereas, in the not distant past, driver-activated controls such as brake pedals were directly linked by steel cables or rods to the brakes, engines, etc., this is no longer the case for many modern vehicles. Instead, the driver controls serve as inputs to computer-based electronic systems that also receive other inputs, e.g., from speed sensors, and then generate outputs that activate the brakes, control fuel flow, etc. Such systems are called "drive-by-wire" [Charette1]. There are reports that some SUA problems may have been caused by control system failures, including possible program bugs [Emison]. However, perhaps because of the complexity of these systems and the rarity of problem incidence, specific bugs have not, to my knowledge, been identified. The search for an explanation is not helped by the incredible fact that, despite the massive use of computers in the current generation of automobiles, the National Highway Traffic Safety Administration (NHTSA), the federal agency tasked with monitoring the safety of autos sold in the US, does not have any computer engineers on its staff [Charette2].

How Worried Should We Be?

There are about 200 million American drivers (and even more cars). Over 40,000 Americans are killed annually in auto related accidents. Several thousand of these deaths are attributed to cell phone use. About 2.5 million Toyotas are sold annually in the US. So an average of fewer than 6 SUA-caused deaths per year does not seem to warrant a big response [Bensinger]. Doubtless, the reason the Toyota problems have received so much attention is the spectacular nature of the accidents. A story about a car with 3 passengers racing down a highway at 110 MPH with the driver desperately, but unsuccessfully, trying to slow down gets a lot more attention than a story about a pharmaceutical product that causes tens of thousands of people over a period of several years to die under dreary circumstances [Deer].

At present, the kinds of failures causing SUA incidents are sufficiently infrequent as to be swamped by far more common automotive failures that kill a lot more people, though in a less dramatic fashion. I refer here to such matters as ordinary mechanical failures of brakes or steering mechanisms.

Looking Ahead

We may, however, be seeing a development that could lead to serious problems if not properly monitored. Given the frequency with which we see our personal computer systems failing in small ways, and occasionally big time, it is not comforting to contemplate having computers playing critical roles in the control of such dangerous devices as automobiles. While there seems to be no hard evidence at present that computer errors were responsible for SUA accidents, it seems very likely to me that the question is not whether this will occur in the not-distant future, but rather whether the frequency of such accidents will increase to a point where they will become a serious matter.

This will depend on the standards set by auto manufacturers, and the extent to which engineers are able to ensure that such standards are upheld in practice. All too often we see situations in which companies set high standards on paper and then punish engineers who insist on adhering to them when violations would be profitable in the short-term [Unger].

Such standards must require that critical features be implemented in the simplest possible ways. Once computers are put in control of braking and steering, it will be tempting to use them in very sophisticated ways, for example to make driving easier, to optimize energy efficiency, and to minimize polluting emissions. (This is already being done to a considerable extent.) It is essential that these valuable benefits not be attained in such a way as to complicate the fundamental control of safety-related functions. In general, complexity greatly increases the likelihood of failures. An exception is the judicious use of redundancy. There must be no trade-offs between safety and other desirable automobile features.

An example of a Toyota failure to maximize safety is the omission of a mechanism for automatically cutting fuel flow to the engine when the brake pedal is depressed. Such a feature, implemented by some other manufacturers, would, by itself, prevent most SUA incidents. But it is important that it be in the form of a simple mechanical interlock rather than a computer routine, which might be disabled by a computer software or hardware failure.
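To make the interlock and redundancy principles concrete, here is an added illustration (not code from the essay, nor from any manufacturer) of the throttle-arbitration logic a drive-by-wire controller would need if brake-override were done in software. It assumes a hypothetical input encoding: two independent accelerator sensors reporting 0-100 percent (255 marking a sensor fault) and two independent brake signals. The safety properties it enforces are the ones the essay argues for: braking always wins, redundant sensors must agree, and every doubtful case resolves to a closed throttle. It also shows why the essay distrusts a software version: every one of these checks exists only as long as the code that runs them does.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical sensor encoding (an assumption for this example):
 * pedal positions are 0..100 percent, and 255 marks a sensor fault. */
#define SENSOR_INVALID      255u
#define PEDAL_MAX           100u
#define ACCEL_MISMATCH_MAX    5u   /* tolerated disagreement between sensors A and B */

typedef struct {
    uint8_t accel_a;        /* accelerator pedal sensor A, percent */
    uint8_t accel_b;        /* redundant accelerator pedal sensor B, percent */
    bool    brake_switch;   /* brake pedal switch closed */
    bool    brake_pressure; /* independent hydraulic pressure sensor reports braking */
} pedal_inputs_t;

/* Commanded throttle opening in percent. The only "open" result comes from two
 * valid, agreeing accelerator readings with no brake signal; anything else
 * returns 0, i.e. the fail-safe state is "engine not being fed". */
uint8_t throttle_command(const pedal_inputs_t *in)
{
    /* 1. Brake override: redundancy used so that EITHER brake signal is enough
     *    to cut the throttle. A single stuck-open switch cannot defeat it. */
    if (in->brake_switch || in->brake_pressure)
        return 0;

    /* 2. Both accelerator sensors must be present and in range. */
    if (in->accel_a == SENSOR_INVALID || in->accel_b == SENSOR_INVALID)
        return 0;
    if (in->accel_a > PEDAL_MAX || in->accel_b > PEDAL_MAX)
        return 0;

    /* 3. Plausibility check: the two readings must agree. A large mismatch
     *    means a wiring, sensor or software fault, not a driver request. */
    unsigned diff = (in->accel_a > in->accel_b) ? in->accel_a - in->accel_b
                                                : in->accel_b - in->accel_a;
    if (diff > ACCEL_MISMATCH_MAX)
        return 0;

    /* 4. Of two agreeing readings, command the smaller one. */
    return (in->accel_a < in->accel_b) ? in->accel_a : in->accel_b;
}

/* Constructed scenarios; none of these are recorded incident data. */
int main(void)
{
    const pedal_inputs_t cases[] = {
        { .accel_a = 40, .accel_b = 42, .brake_switch = false, .brake_pressure = false },
        { .accel_a = 40, .accel_b = 42, .brake_switch = true,  .brake_pressure = false },
        { .accel_a = 40, .accel_b = 60, .brake_switch = false, .brake_pressure = false },
        { .accel_a = SENSOR_INVALID, .accel_b = 42, .brake_switch = false, .brake_pressure = false },
    };
    const char *labels[] = { "normal driving", "brake pressed", "sensor mismatch", "sensor fault" };

    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> throttle %u%%\n", labels[i], throttle_command(&cases[i]));
    return 0;
}
```

The design choice worth noting is that redundancy is used asymmetrically: for braking, either signal alone is sufficient to close the throttle, while for acceleration both sensors must be valid and agree before the throttle opens at all. That asymmetry is what makes a failure land on the safe side, and it is exactly the property a mechanical interlock provides without depending on a processor, its firmware, or its power supply.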

Common Sense and Computer Technology

Computer technology can be deployed in automobiles to serve a number of very worthwhile functions. Examples include air bag activation, controlling air and fuel flow to the engine, implementing anti-lock brakes, regenerative braking, and electric power assisted steering. When properly designed, these are very beneficial, reducing fuel consumption, reducing harmful emissions, improving driver control and thereby reducing the likelihood of accidents, or, in the case of airbags, reducing the harmful effects of accidents.

But the introduction of computers in the control of braking and steering, and engine control in particular, could result in accidents caused by computer failures of various kinds.

Ongoing advances in integrated circuit technology can be exploited in a variety of ways. One is to reduce the cost for any particular application. Or power consumption can be reduced (for a given computation rate). Or more transistors can be packed onto a chip. Or performance, i.e., computation speed, can be increased. Of course the benefit may be distributed over a combination of these factors.

Microprocessors intended for use in automobiles should be robust and as simple as possible, so as to minimize hardware design bugs or component failures. This is not the place to exploit advances in chip technology to maximize performance. Nor would it be appropriate to employ highly complex architectural features such as superscalar and dynamic pipelines, which enhance performance, but which usually have design bugs and which may entail low probability risks of subtle timing failures. They should be programmed in the most straightforward manner, particularly for safety related routines. This is also not the place to cut costs, particularly by economizing on chip testing. The prime goal should be simple, fail-safe designs. Consideration should be given to setting up a cooperative body that would facilitate the exchange of information among competing manufacturers about methods for maximizing safety.

Throw out the Computers?

The fact that computers in control of automobile brakes, steering or engines could malfunction to cause serious, life threatening accidents could be used to argue that they shouldn't be used for such purposes. But we must also consider the positive value of computers serving these functions. Anti-lock brakes, for example, are in use on a daily basis by millions of drivers, and almost always function properly. I think it is reasonable to assume, even in the absence of hard data, that they prevent a great many accidents—far more than the very small number of accidents that, at present, can be attributed to their malfunctioning [Newman]. It seems clear that carefully implemented computer technology can, on balance, promote safety. (This is in addition to their beneficial role in increasing efficiency and reducing pollution.) Similar considerations hold wherever computers are involved in critical processes, e.g., in hospital intensive-care units, or in the control of trains.

A Disclaimer

This essay is mainly about computers controlling vital components of automobiles. It is not about the role of automobiles in our society, and it should not be inferred that I am in any way an automobile enthusiast. In my opinion, the widespread use of cars in the US, and in many other countries, as the principal means of transportation of people is an ongoing disaster of the first magnitude. The annual death toll of 40,000 mentioned above and an order of magnitude more injuries (just in the US) is only the most obvious harm. To this, we must add major environmental damage, waste of energy and other resources, and wasteful use of good land.

References

Stephan, Karl, "Toyota Revisited: Unintended Acceleration of Judgment?", Engineering Ethics Blog, April 12, 2010

Borenstein, Seth and Ken Thomas, "Why are Toyota gas pedals sticking? It's complicated", The Japan Times, Jan. 30, 2010

Charette1: Charette, Robert N., "This Car Runs on Code", Discovery News, Feb 5, 2010

Emison, Brett A., "Opinion: Toyota's Acceleration Problem and Carwashes", Modern Car Care, 3/5/2010

Charette2: Charette, Robert, "US National Highway Traffic Safety Administration Has No EEs or SW Engineers Working For It", IEEE Spectrum blog, February 23, 2010

Deer, Brian, "Vioxx death toll may hit 2,000 in UK", The Sunday Times, August 21, 2005

Unger, Stephen H., "Man Rescues Coast Guard", Ends and Means blog, July 8, 2007

Newman, Rick, "What Toyota Probes Are Likely to Find", Seeking Alpha, April 2, 2010

Bensinger, Ken and Ralph Vartabedian, "Toyota faces new reports of sudden-acceleration deaths", Los Angeles Times, February 15, 2010


Comments can be emailed to me at unger(at)cs(dot)columbia(dot)edu

Don't forget to replace (at) with @ and (dot) with .
