Jamming your foot on the brakes and having your car speed up instead of slow down is the kind of thing that happens in nightmares, or in Toyotas. Fortunately, the probability of such a nightmare is extremely low. But just how low is low enough, given that brakes are applied so often and that the consequences of such a failure are likely to be catastrophic? This is a case where 99.99% reliability is far from adequate. Let's consider the causes of this problem, what can be done about them, and just how serious the whole matter is. What useful lessons can be learned?
Toyota has conceded that some incidents were the result of floor mats jamming the accelerator pedal, and others the result of worn gas pedal mechanisms that increase friction under certain conditions, causing the pedal to stick [Borenstein]. The company has devised fixes for these problems, implemented by dealers on recalled cars. There is nothing new about mechanical problems of this kind; automobiles have always been vulnerable to them. Obviously great care must be taken in the design and maintenance of subsystems involved in safety-critical functions such as braking and steering.
Yet another possible cause of sudden unintended acceleration (SUA) is more interesting. Until fairly recently, driver-activated controls such as the brake and accelerator pedals were directly linked by steel cables or rods to the brakes, the engine, etc. In many modern vehicles this is no longer the case. Instead, the driver's controls are inputs to computer-based electronic systems that also receive other inputs, e.g., from speed sensors, and that then generate the outputs that actuate the brakes, meter fuel flow, etc. Such systems are called "drive-by-wire" [Charette1]. There are reports that some SUA problems may have been caused by control system failures, including possible program bugs [Emison]. However, perhaps because of the complexity of these systems and the rarity of incidents, specific bugs have not, to my knowledge, been identified. The search for an explanation is not helped by the incredible fact that, despite the massive use of computers in the current generation of automobiles, the National Highway Traffic Safety Administration (NHTSA), the federal agency tasked with monitoring the safety of autos sold in the US, does not have any computer engineers on its staff [Charette2].
At present, the kinds of failures causing SUA incidents are sufficiently infrequent as to be swamped by far more common automotive failures that kill a lot more people, though in a less dramatic fashion. I refer here to such matters as ordinary mechanical failures of brakes or steering mechanisms.
Whether that remains the case will depend on the standards set by auto manufacturers, and on the extent to which engineers are able to ensure that those standards are upheld in practice. All too often we see situations in which companies set high standards on paper and then punish engineers who insist on adhering to them when violations would be profitable in the short term [Unger].
Such standards must require that critical features be implemented in the simplest possible ways. Once computers are put in control of braking and steering, it will be tempting to use them in very sophisticated ways: for example, to make driving easier, to optimize energy efficiency, and to minimize polluting emissions. (This is already being done to a considerable extent.) It is essential that these valuable benefits not be attained in a way that complicates the fundamental control of safety-related functions. In general, complexity greatly increases the likelihood of failures; the one exception is the judicious use of redundancy. There must be no trade-offs between safety and other desirable automobile features.
An example of a Toyota failure to maximize safety is the omission of a mechanism that automatically cuts fuel flow to the engine when the brake pedal is depressed. Such a feature, already implemented by some other manufacturers, would by itself prevent most SUA incidents. But it is important that it take the form of a simple mechanical interlock rather than a computer routine, which might be disabled by a software or hardware failure in the computer.
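To make concrete what "fail-safe" has to mean if such an interlock is done in software after all, here is an added example of a brake-override routine for a hypothetical drive-by-wire throttle controller. It is not Toyota's code, nor code from this blog's author; the sensor layout (two independent accelerator pedal tracks on the same scale, plus a brake switch and a brake-line pressure sensor), the ADC ranges and the thresholds are all assumptions chosen for illustration. The one design rule it demonstrates is that every implausible or ambiguous input resolves toward less power: disagreeing or out-of-range pedal sensors command idle, and either brake indication alone is enough to override the accelerator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example: fail-safe brake override for a hypothetical drive-by-wire
 * throttle. Not Toyota's code or any real ECU's algorithm; the sensor layout,
 * scales and thresholds below are assumptions for illustration only.
 *
 * Assumed inputs:
 *   - two independent accelerator pedal tracks (A and B), each a 10-bit ADC
 *     reading on the same scale, so a healthy pedal reports nearly equal values;
 *   - a brake pedal switch and a brake-line pressure sensor, two separate
 *     indications that the driver is braking.
 */

#define ADC_MIN            40    /* below this: open circuit or short to ground */
#define ADC_MAX            980   /* above this: short to supply */
#define TRACK_TOLERANCE    60    /* max allowed disagreement between pedal tracks */
#define ACCEL_IDLE_COUNTS  80    /* at or below this the foot is off the pedal */
#define BRAKE_PRESSURE_MIN 50    /* pressure (assumed units) that counts as braking */

typedef struct {
    uint8_t throttle_pct;   /* commanded throttle, 0 (idle) .. 100 */
    bool    fault;          /* implausible pedal input: hold idle, warn driver */
    bool    brake_override; /* brake and accelerator both applied: idle wins */
} throttle_cmd_t;

static bool adc_in_range(uint16_t v)
{
    return v >= ADC_MIN && v <= ADC_MAX;
}

static uint16_t abs_diff(uint16_t a, uint16_t b)
{
    return a > b ? a - b : b - a;
}

throttle_cmd_t throttle_command(uint16_t accel_a, uint16_t accel_b,
                                bool brake_switch, uint16_t brake_pressure)
{
    throttle_cmd_t cmd = { .throttle_pct = 0, .fault = false, .brake_override = false };

    /* 1. Plausibility: an out-of-range or disagreeing pedal sensor is a fault.
     *    The safe output for a throttle is idle, so stop here with 0%. */
    if (!adc_in_range(accel_a) || !adc_in_range(accel_b) ||
        abs_diff(accel_a, accel_b) > TRACK_TOLERANCE) {
        cmd.fault = true;
        return cmd;
    }

    /* 2. Brake override: either brake indication is enough. Trusting a
     *    possibly-false "braking" signal costs at most lost power; ignoring a
     *    true one could cost a collision. */
    bool braking = brake_switch || brake_pressure >= BRAKE_PRESSURE_MIN;
    uint16_t accel = (uint16_t)((accel_a + accel_b) / 2);  /* tracks agree: average them */
    if (braking && accel > ACCEL_IDLE_COUNTS) {
        cmd.brake_override = true;
        return cmd;
    }

    /* 3. Normal operation: linear map from pedal travel to throttle percent. */
    if (accel <= ACCEL_IDLE_COUNTS)
        return cmd;
    uint32_t span = ADC_MAX - ACCEL_IDLE_COUNTS;
    cmd.throttle_pct = (uint8_t)(((uint32_t)(accel - ACCEL_IDLE_COUNTS) * 100u) / span);
    return cmd;
}

int main(void)
{
    /* Constructed scenarios, not field data. */
    struct { const char *name; uint16_t a, b; bool sw; uint16_t p; } cases[] = {
        { "cruising, no brake",         530,  540, false, 0   },
        { "both pedals, brake switch",  900,  905, true,  0   },
        { "both pedals, switch failed", 900,  905, false, 300 },
        { "pedal track B shorted high", 530, 1023, false, 0   },
        { "pedal tracks disagree",      530,  700, false, 0   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        throttle_cmd_t c = throttle_command(cases[i].a, cases[i].b, cases[i].sw, cases[i].p);
        printf("%-28s throttle=%3u%% fault=%d override=%d\n", cases[i].name,
               (unsigned)c.throttle_pct, (int)c.fault, (int)c.brake_override);
    }
    return 0;
}
```

Note what the example does not protect against: the routine only helps if the processor that runs it is itself executing correctly, which is exactly why the paragraph above argues for a mechanical interlock that does not share a failure mode with the computer.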
But the introduction of computers into the control of braking and steering, and of the engine in particular, could lead to accidents caused by computer failures of various kinds.
Ongoing advances in integrated circuit technology can be exploited in a variety of ways: to reduce the cost of a given application, to reduce power consumption (for a given computation rate), to pack more transistors onto a chip, or to increase performance, i.e., computation speed. Of course the benefit may be distributed over a combination of these factors.
Microprocessors intended for use in automobiles should be robust and as simple as possible, so as to minimize hardware design bugs and component failures. This is not the place to exploit advances in chip technology to maximize performance. Nor would it be appropriate to employ highly complex architectural features such as superscalar execution and dynamic pipelines, which enhance performance but usually harbor design bugs and may entail low-probability risks of subtle timing failures. These processors should be programmed in the most straightforward manner, particularly for safety-related routines. This is also not the place to cut costs, particularly by economizing on chip testing. The prime goal should be simple, fail-safe designs. Consideration should be given to setting up a cooperative body that would facilitate the exchange of information among competing manufacturers about methods for maximizing safety.
Stephan, Karl, "Toyota Revisited: Unintended Acceleration of Judgment?", Engineering Ethics Blog, April 12, 2010
Borenstein, Seth and Ken Thomas, "Why are Toyota gas pedals sticking? It's complicated", The Japan Times, January 30, 2010
Charette (1), Robert N., "This Car Runs on Code", Discovery News, February 5, 2010
Emison, Brett A., "Opinion: Toyota's Acceleration Problem and Carwashes", Modern Car Care, March 5, 2010
Charette (2), Robert N., "US National Highway Traffic Safety Administration Has No EEs or SW Engineers Working For It", IEEE Spectrum blog, February 23, 2010
Deer, Brian, "Vioxx death toll may hit 2,000 in UK", The Sunday Times, August 21, 2005
Unger, Stephen H., "Man Rescues Coast Guard", Ends and Means blog, July 8, 2007
Newman, Rick, "What Toyota Probes Are Likely to Find", Seeking Alpha, April 2, 2010
Bensinger, Ken and Ralph Vartabedian, "Toyota faces new reports of sudden-acceleration deaths", Los Angeles Times, February 15, 2010
Comments can be emailed to me at unger(at)cs(dot)columbia(dot)edu
Don't forget to replace (at) with @ and (dot) with .