i********e Posts: 1782 | 1
On Thursday October 24, 2013, an Oklahoma court ruled against Toyota in a
case of unintended acceleration that led to the death of one of the occupants.
Central to the trial was the Engine Control Module's (ECM) firmware.
Embedded software used to be low-level code we'd bang together using C or
assembler. These days, even a relatively straightforward, albeit critical,
task like throttle control is likely to use a sophisticated RTOS and tens of
thousands of lines of code.
With all this sophistication, standards and practices for design, coding,
and testing become paramount – especially when the function involved is
safety-critical. Failure is not an option. It is something to be contained
and benign.
So what happens when an automaker decides to wing it and play by their own
rules? To disregard the rigorous standards, best practices, and checks and
balances required of such software (and hardware) design? People are killed,
reputations ruined, and billions of dollars are paid out. That's what
happens. Here's the story of some software that arguably never should have
been.
For the bulk of this research, EDN consulted Michael Barr, CTO and co-founder of Barr Group, an embedded systems consulting firm, last week. As a
primary expert witness for the plaintiffs, the in-depth analysis conducted
by Barr and his colleagues illuminates a shameful example of software design
and development, and provides a cautionary tale to all involved in safety-critical development, whether that be for automotive, medical, aerospace, or
anywhere else where failure is not tolerable. Barr is an experienced
developer, consultant, former professor, editor, blogger, and author.
Barr's ultimate conclusions were that:
Toyota’s electronic throttle control system (ETCS) source code is of
unreasonable quality.
Toyota’s source code is defective and contains bugs, including bugs that
can cause unintended acceleration (UA).
Code-quality metrics predict presence of additional bugs.
Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).
Misbehaviors of Toyota’s ETCS are a cause of UA.
A damning summary to say the least. Let's look at what led him to these
conclusions:
Hardware
Although the investigation focused almost entirely on software, there is at
least one HW factor: Toyota claimed the 2005 Camry's main CPU had error
detecting and correcting (EDAC) RAM. It didn't. EDAC, or at least parity RAM, is relatively easy and low-cost insurance for safety-critical systems.
Other cases of throttle malfunction have been linked to tin whiskers in the
accelerator pedal sensor. This does not seem to have been the case here.
| i********e Posts: 1782 | 2
EDN's assessment of this Toyota firmware is spot on: it calls it a house-of-cards safety system (Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).)
In a league of its own!
| X***9 Posts: 7385 | 3
After hitting wall after wall bashing Honda, you've switched to bashing Toyota?
Never dreamed Honda would be this strong, did you?
[In i********e's post:]
: EDN's assessment of this Toyota firmware is spot on: it calls it a house-of-cards safety system (Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).)
: In a league of its own!
| i********e Posts: 1782 | 4
小二 is sometimes so dumb it's almost cute.
[In X***9's post:]
: After hitting wall after wall bashing Honda, you've switched to bashing Toyota?
: Never dreamed Honda would be this strong, did you?
| x*****3 Posts: 422 | 5
Do you realize that one Honda fan like you does the damage of ten Honda haters?
If you genuinely think Honda is good, then offer some constructive advice on the specific Honda problems other people post on this board. The moment someone's Honda has a problem, you disappear.
[In X***9's post:]
: After hitting wall after wall bashing Honda, you've switched to bashing Toyota?
: Never dreamed Honda would be this strong, did you?
| i********e Posts: 1782 | 6
When a Honda owner has a real problem, it is sure to run far away, then comes back a couple of days later to keep talking dreams with you; it even finds it unforgivable to buy a Honda for less than MSRP.
[In x*****3's post:]
: Do you realize that one Honda fan like you does the damage of ten Honda haters?
: If you genuinely think Honda is good, then offer some constructive advice on the specific Honda problems other people post on this board. The moment someone's Honda has a problem, you disappear.