How not to put computers in control -- Toyota as runaway machines

[Dave Farber <dfarber () me com>]

> From: "Ed Gerck, Ph.D." <egerck () nma com>
> To: "David Farber" <dave () farber net>, "Ip Ip" <ip () v2 listbox com>
> Date: March 10, 2010 07:13:44 AM EST
> Subject: (updated) How not to put computers in control -- Toyota as runaway machines
>
> [Dave: please use this version, if possible]
>
> How not to put computers in control -- Toyota as runaway machines
>
> The absence of a clearly labeled, directly acting with no intermediate
> computer control, fail-safe, zero delay, emergency power off (EPO)
> switch, which is mandatory for machines that can cause an injury if not
> halted immediately, is becoming obvious:
>
> http://www.cnn.com/2010/US/03/08/california.runaway.prius/index.html?hpt=T2
>
> Toyota's problem is not the computerization of cars -- the problem is
> not following well-established risk procedures when putting computers in
> control.
>
> For more than 50 years, machine designers worldwide must obey
> regulations to provide an EPO. Asking Toyota drivers to shift to Neutral
> for 2 seconds or press the OFF switch for 3 seconds is not an intuitive,
> familiar thing to do and will take too long to act -- it should be
> immediate -- if it acts at all, because the car's computer may hang and
> just not do it.
>
> In terms of usability, not only the 3+ second delay is an eternity in
> emergency terms, but it can intuitively give the driver the idea that it
> is not working after (say) 2 seconds, after which time the driver in
> panic gives up and the EMERGENCY OFF function is not used by the vehicle.
>
> To put matters in perspective, for a vehicle at 68 miles per hour, 3
> seconds means more than 90 meters (100 yards). At 90 mph, as in a
> possible emergency situation with unintended acceleration, it represents
> more than 120 meters at high speed.
>
> After 3 seconds, with the current Toyota design, the vehicle will likely
> need much more than the normal braking distance to stop. The actual
> distance to stop the Toyota vehicle may far exceed the 100 meter delay
> plus the normal braking distance, due to the expected brake fade that
> should set in with heavy brake use during the 100 meter delay period.
>
> Thus, even in common situations and speed ranges, the resulting
> overlarge distances caused and amplified by the current Toyota EMERGENCY
> OFF design can easily lead to a life-threatening disaster before the
> driver has any chance to act.
>
> Further, considering that 0.3 seconds is the average human delay to
> respond physically, which human delay is 1/10th the EMERGENCY OFF delay
> imposed mechanically by Toyota, we find that it is imprudent and
> unreasonable for the Toyota design to force such overlarge delay on the
> driver, who could easily in case of an emergency act correctively in the
> first tenth of the 3 second delay.
>
> The Toyota brake override system does not solve the overlarge EMERGENCY
> OFF delay and is not an alternative to an EPO switch either. It is not
> fail-safe (e.g., it requires the ECU to be functional) and is not
> immediate (it requires 5+ seconds to engage). It cannot be used, thus,
> to eliminate the EPO or reduce the 3 second EMERGENCY OFF delay.
>
> Therefore, as we have said for weeks (see IP archives for my postings),
> we find that Toyota did not follow safety standards that exist even
> since the steam locomotive – you need a single OFF switch/button that
> acts directly.
>
> Further, this fault cannot be cured by the current recalls or
> enhancements, by removing or changing floor mats, or even by adding more
> redundancy and diagnostics.
>
> Lack of a proper EPO is a basic design flaw that makes Toyota vehicles
> such as the Prius literally unsafe at any speed. I just may not be able
> to turn the thing off at will, even when I absolutely need and want it.
>
> To address these concerns Toyota and other vehicle brands need to do a
> couple modifications:
>
> - Install a clearly labeled EPO, which must be functional immediately at any
> time that the driver may want it. I advance that there are design solutions
> that can comply with this request and do not significantly alter the dashboard
> or the vehicle's appearance inside and outside.
>
> - Activating the EPO button should still keep power-assisted braking and
> steering to help with handling the emergency in a safe manner, but no engine
> would be driving the wheels.
>
> - To allay concerns of unintended activation, the suggested EPO may be
> implemented to only operate as an EPO by at the same time having to press the
> brake. This can be achieved without ECU control, by wiring logic. And the EPO
> can be just like a key that you have to twist,  as familiar to drivers in a
> 70's car, or depressed in a slot, as the norm for machines also allows, and not
> easily reachable by others but the driver.
>
> - Shifting to neutral should act directly, as I ask for the EPO, even though
> still with ECU supervision and control. If the ECU works, this is useful for
> example to let the ECU change the engine to idle.  Shifting to neutral
> (reportedly, recommended by Toyota) is currently not safe as it is
> ECU-controlled, so it will not happen if there is an ECU fault, and also takes
> 2 seconds to be applied – which may seem as an eternity in an emergency, or
> simply too long if the vehicle is at 90 mph (2 seconds at 90 mph means more
> than 80 meters).
>
> The absence of these modifications is currently life-threatening.
>
> Best regards,
> Ed Gerck
> www.gerck.com (my opinion, not my employer's)


-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com