Do Car Safety Problems Come From Outer Space? 437
Hugh Pickens writes "As electronic devices are made to perform more and more functions on smaller circuit chips, the systems become more sensitive and vulnerable to corruption from single event upsets. This is especially true of Toyota, which has led the auto industry in its widespread inclusion of electronic controls in the manufacture of their various car models. 'These circuit families store not just data, but their basic function electrically,' says Lloyd W. Massengill, director of engineering at the Vanderbilt Institute for Space and Defense Electronics at Vanderbilt University. 'In the unfortunate event of a particle flipping just the right bit, a circuit configured to carry out a benign action may be reprogrammed to carry out some unintended action.' Denise Chow writes in Live Science that some scientists are pointing to cosmic ray radiation as a plausible mechanism behind the sudden, unexplained acceleration reported to have occurred with the late model Toyotas."
"As the design of automobile systems continues to evolve from mechanical to electronic controls, relying more and more on various circuitry and chips, these electronic components may be vulnerable to being confounded by high-energy radiation writes Chow. Federal regulators were prompted to look into the possible role that cosmic rays played in Toyota's product recall fiasco after an anonymous tipster suggested the design of Toyota's microprocessors, software and memory chips could make them more vulnerable (PDF) to interference from radiation compared with other automakers. 'What's not known is what direction Toyota and other automakers are taking in terms of finding and correcting these issues,' says senior researcher Ewart Blackmore."
Why they tell you to turn off your phone... (Score:5, Informative)
Interference from radiation doesn't just come from outer space, it comes from cell phones, TV/radio stations, microwaves.... you see where this is going. I once worked in an office where there was a cell phone relay antenna too close to a PC, and we were constantly reinstalling the OS until I told them to move things around in the area.
Thing is, when Windows gets a corrupted OS... it BSODs and we move on. Single-bit errors shouldn't send the car out of control... there should be some checksum that shouldn't add up. When a fault is detected, it should go to a backup program about safely shutting down the car.
Re:Why they tell you to turn off your phone... (Score:5, Funny)
Re: (Score:3, Insightful)
Re:Everyone Loves Space Ray (Score:4, Funny)
Space Ray: Hey, Deborah, did you hear what happened to my car?
Deborah: Don't worry about it, Space Ray, you didn't cause it this time (simulated audience laughter)
With a special guest appearance by Ace Frehley as "Just Another Confused Alien". Coming up right after "The Ghosts of Gilligan's Island"
Re: (Score:3, Informative)
Boeing's 737 production since 1967: 6,285 aircraft
Toyota's production in 2007 alone: 8,880,000 vehicles
Re: (Score:3, Insightful)
Is there a reason why cars aren't doing the same thing?
Because there's no way that these problems are cause by "cosmic rays". If it *was* a problem, then we'd be hearing about all kinds of random electrical problems in all kinds of vehicles. Cars have had computer-controlled fuel injection and ignition for over twenty years now. Granted, the 68000-based engine management unit in my 1990 Citroen XM has a smaller transistor density than the extremely compact and powerful processors in modern systems, but
Re:Why they tell you to turn off your phone... (Score:5, Insightful)
Radiation that can upset bits in an electronic circuit don't come from your cell phone, TV/radio stations or microwave oven. You may get enough EMI to interfere with your radio, but flipping individual bits in a chip pretty much requires an ion - basically a nucleus or neutron stripped of it's electrons flying through your chip. These come from two main sources. First, there's the Sun. Even with the magnetic shielding of the Earth, many fly through us all the time. Most common are single protons, but we occasionally are struck with gold nuclei, or even heavier. Older larger geometry chips were immune to single-event-upsets (SEUs) due to protons, but heavier elements could cause trouble. Newer, more advanced electronics are even sensitive to individual protons and neutrons. The other common source for radiation is neutrons from decays in lead used in electronic packaging. Ever hear of RohS compliance? Basically, a bunch of electronics companies around the world suddenly decided to "go green" and save us from lead poisoning by removing lead from their packaging. Ever wonder why? Do you really think they suddenly cared if they were killing our babies with lead poisoning? Uh... I'm afraid not. They removed the lead because of neutron radiation from lead decay.
I'm guessing that studying radiation effects isn't very popular in Japan, possibly because we nuked them twice. However, they should get a clue and start learning about how to deal with rogue ions and neutrons.
Re:Why they tell you to turn off your phone... (Score:5, Insightful)
I don't hear much about comsumer electronics being fritzed by cosmic rays, or microwave ovens, etc, though I suppose this might explain the random failurs. But comsmic radiation? That's a new one.
But RHoS being forced by lead decay? I dunno, but tin whiskers is negating any advantage that offers.
Give me good old eutectic 63/37 any day. It just works. Not a lot of kids usae circuit boards as pacifiers, ya know?
Re: (Score:3, Informative)
I don't hear much about comsumer electronics being fritzed by cosmic rays,
Chances are you'll be hearing about this more and more over the next several decades or so. Scientists have discovered a large spot over the Atlantic (IIRC) where high levels of cosmic radiation are actually making it to the ocean's surface. Further investigation indicates this is because their Earth's magnetosphere is beginning to significantly weaken. Furthermore, its expected that not only will the the level of radiation exposure continue to drastically rise at this particular location, but that radiatio
Re: (Score:3, Interesting)
It's quite common actually, and many documented studies have proven it does occur. You don't hear much because well, the effects are minimal in most cases. A flipped bit in RAM does nothing if it's just unused memory, for example. Or maybe it flips the bit in an unused register (that's getting reloaded with new dat
Re: (Score:3, Interesting)
> You may get enough EMI to interfere with your radio, but flipping individual bits in a chip pretty much requires an ion
You don't need to flip individual bits in a chip to cause problems with car electronics. I suspect if something flipped dozens or thousands it would still cause problems. So you shouldn't get so fixated on individual bit flips.
From the perspective of car safet
Re:Why they tell you to turn off your phone... (Score:5, Informative)
The best chart of lead isotopes I found is here http://education.jlab.org/itselemental/iso082.html [jlab.org]. I'm not sure why, but it lists a half life for lead-204 even though I thought it was supposed to be stable. Most half lives are a few minutes or hours.
Re:Why they tell you to turn off your phone... (Score:5, Informative)
http://en.wikipedia.org/wiki/Non-ionizing_radiation [wikipedia.org]
Granted, an unshielded circuit can be vulnerable to any EM field, but gamma rays affect electronics in a completely different way than microwaves do.
Re: (Score:2)
Re: (Score:3, Informative)
Nope, the exact opposite. Gamma rays [wikipedia.org] are short wavelength and high energy.
Re: (Score:2)
Gamma rays have a higher wavelength, which makes them less likely to interact, but a correspondingly high energy which makes the possible ionizing effect greater if they do interact.
Re: (Score:3, Informative)
Gamma rays have a higher frequency,
Corrected. And thus they have a shorter wavelength.
Re:Why they tell you to turn off your phone... (Score:4, Interesting)
there should be some checksum that shouldn't add up. When a fault is detected, it should go to a backup program about safely shutting down the car.
Or how about a computer redundancy system where a group of computers that are all capable of controlling the car watch the behavior of the computer that is actually controlling the car. Through a voting system they could decide to hand the control of the car over to a another computer in the event that the controlling computer doesn't act in a way that was deemed safe. This way the car could continue to operate normally while signaling that there is a problem that needs to be addressed.
Re:Why they tell you to turn off your phone... (Score:5, Informative)
The proposal by the GP poster is actually much more difficult that it would seem at first glance. About the only place "checksum" style error detection is used is in memories/registers. The reason is that if I do a floating point addition, for example, the only way I know whether the addition gave me the right answer is to do the addition again and check.
Re:Why they tell you to turn off your phone... (Score:4, Informative)
You can build circuits that detect faults while operating. They're more complex than their normal counterparts, but the transistor count is less than 2x. On-line error detection [google.com] is a common name.
Of course, such circuits get really expensive if you don't have a large market for them. But cars represent a fairly large market, so if it was the best approach they could probably use them. Of course, that assumes there's any market or regulatory pressure to use any sort of error detection at all.
What if the cosmic rays... (Score:4, Funny)
Single-bit errors shouldn't send the car out of control... there should be some checksum that shouldn't add up.
What if the cosmic rays corrupted the checksum routine?
The mind boggles!
Re: (Score:2)
There's no way for a SINGLE bit error to hit both the main routine and the checksum routine. Cosmic rays or other EMF based changes are rare events, so the mind boggles on the chance both can go wrong in the same instance.
Re: (Score:2)
See, here's the problem with random errors that happen in the hardware from an outside source; It might happen after you did you sanity check...
Re: (Score:2)
A proper fault-tolerant design (which cannot be done entirely in software) would always fail safe on any single bit error.
Re:Why they tell you to turn off your phone... (Score:5, Insightful)
Cell phone radiation hardly qualifies. Nor, for that matter, do most terrestrial sources of radiation.
"Cosmic rays", unlike most terrestrial-source radiation, are capable of penetrating shielding and disrupting electronics.
However... striking just the right bit(s) to cause acceleration, in a large collection of cars, is so incredibly unlikely as to be in the "I don't f*ing think so" category.
Re: (Score:3, Interesting)
More to the point they generate secondary showers of ionizing radiation when they transverse metallic shields so we should be careful not to make the problem worse by creating showers of particles with a greater cross section.
Re: (Score:3, Interesting)
In order for it to interfere with a digital circuit, it first has to be radiation of the "ionizing" category
Neutron radiation isn't considered ionizing, yet interactions between the neutrons and the silicon in a typical chip will create charged particles that cause current surges. These current surges can interfere with the correct operation of a circuit and that includes individual transistors, not just bits in memory.
Re: (Score:2)
However, RF interference is well known and understood, and easy to protect against.
Cosmic radiation is relatively new in regards to how well we understand the substantial impact it may actually have on modern technology. There are also fluctuations over time in the earth's magnetic field and how well it protects us from solar and cosmic radiation. With these two factors combined, we are seeing more and more warnings from scientists that solar and cosmic radiation have the potential to do massive damage to
Re: (Score:2)
No matter what the cause, I think this is a good indication that we need a real, physical kill switch that will absolutely halt the system if things go awry in these drive-by-wire systems. No software to depend on, because you're breaking a physical connection to do it. It should be easy and noticeable, but not something you're likely to grab by accident.
Yeah I've said it before. My dad built a kill switch into his boat after he got knocked out of it by a big wave. He used a reed switch, a magnet and a short length of rope with a loop to go around the wrist. If thats too hard then a big red switch marked "EMG STOP" should not be.
Re: (Score:2)
Thing is, when Windows gets a corrupted OS... it BSODs and we move on.
How do you move on from a BSOD in your car?? No, you won’t be dragged away in a bag. You will be dragged away in several bags!
There is only one way to make bit-flips completely go away:
Design every processing component with triple simultaneous execution, so a bit-flip can be detected properly. Also do mirroring on all data storages, and use checksums on them and on all data streams. Then do constant scrubbing (like in ZFS) on all storage systems.
If you leave out even one of those things, the whole eff
Re:Why they tell you to turn off your phone... (Score:5, Interesting)
IBM System/360 anecdote (Score:4, Interesting)
After a bit he said 'Tell me when it happens'. OK... '...now' my dad said. Then he said 'I'll tell you when the next one happens' and a few seconds later said '...now'. Which is exactly when it did glitch.
It turned out that the customer's DP center was situated close to an airport. The CE could see the radar dish revolve at the end of the runway. When it pointed straight at him was when the glitch occurred. Needless to say the computer room received some RF shielding.
Re: (Score:3, Interesting)
The last few process generations of DRAM have not become more susceptible to radiation induced soft errors as or
Re:Why they tell you to turn off your phone... (Score:5, Informative)
I worked on ECMs at GM (Delco Electronics) for 10 years at the start of their use (1980 to 1990). So if a cosmic ray came along and flipped a bit, it would have to be a specific bit. If it was a msb type bit in the accelerator position, then yes, acceleration. except that the bit would unflip right away because of pedal position update. Or if it was some engine feedback msb, again, yes, temporary acceleration, but again, only for a short time. Updates happen constantly.
About EMI/EMC/RFI - the modules have been shielded and protected since day one against that. The engine is a very high disturbance environment in may ways. Sparks, for instance. The ECMs have been in almost all American cars since before 1980, because of the 1975 car air pollution reduction act Congress passed. The only way cars could meet the pollution restrictions was through ECMs. So If we have ECMs since nearly forever, and only just now one manufacturer has a bit flip problem? I don't think so. And these modules do not use the latest super-small feature processor technology. They use older temperature-resistant tech, Much larger features, far more radiation-resistant.
No, the most likely problem is either a software routine with a bug, no error handler, or similar issue, or a mechanical,problem (less likely).
Re: (Score:3, Interesting)
The effect of random bit flips on software is going to be hard to define. Modern hardware probably has all of the code running in RAM, not ROM as it would have been back in the 80's. A bit flip in a register could cause very odd things to happen. Perhaps someone coded a loop like:
for (i=0; i!=10; i++)
do_something();
Flip a bit in the register and that loop will not terminate until the register overflows.
I don't think you can code so that random bit flips will not be a problem. The hardware
Re: (Score:2)
How can you protect yourself from that checksum algorithm not getting flipped?
Easy, just buy one of our new Automotive Tin Foil Hats. It keeps the space rays out - and the real crazy in.
Re: (Score:2)
Re:Why they tell you to turn off your phone... (Score:5, Funny)
But what if my car is already red?
Re: (Score:2)
Re:Why they tell you to turn off your phone... (Score:4, Informative)
If red cars are an indication of the problem, it's more widespread than engineers used to believe. On a more serious note: Fault tolerant design is the answer. Have three systems calculate the result (ideally using three different algorithms) and let them vote on the correct result. Don't assume that a set state persists, recalculate frequently and set the state even if it should be already set. Feed the control and the sensor data into a watchdog circuit (in triplicate...) to detect mismatches. Etc.
Re:Why they tell you to turn off your phone... (Score:4, Informative)
Why post AC? You obviously work for NASA [wikipedia.org]. :)
Redundancy in a car isn't essential for the computer, as long as it fails in a safe mode. In the case of a single bit being flipped in the data stream, that would be a transient error. In a throttle system, it would be so short lived, you'd never know it ever happened. How many times per second do you think the computer reads its inputs and adjusts things? (hint: it's more than 1).
Heck, you don't even (usually) notice misfires, and those happen all the time, even on perfectly tuned vehicles. It takes a whole series of misfires, or a constant fault to be noticeable. On a V8 engine, you can even lose a cylinder and not notice. I had someone once bring a car to me because it "doesn't accelerate well". It turned out three spark plug wires weren't on. And no, I didn't work on it before that, someone else messed up. It actually idled pretty well. The three cylinders weren't sequential, so it managed fine. That's even been included as a feature on some cars. For example, an 8 cyl car would disable 2 or 4 cylinders to get better fuel economy, and run on all 8 if full power was requested. It's sometimes referred to as a variable displacement engine. Versions have shown up in GM, Chrysler, Mercedes, and Honda vehicles over the years.
Re: (Score:3, Funny)
Ummm, that wasn't safe mode. I did it, and my car turned into an Autobot. How the hell do I make it into a car again? I have to drive to work in the morning. It might seem cool, but having a giant robot walking down the highway is bound to freak out at least a few people. DHS may have something to say about my walking car with giant guns too.
Re: (Score:2)
Shifting into neutral, applying brakes, even turning off the engine are all basically like pushing keys on a computer keyboard.
No. There are no drive-by-wire braking systems. The Prius does have regenerative braking, which helps a bit, but that's alongside the hydraulic (and redundant, cable-operated) brakes, not in place of them. The Prius's regenerative braking system could fall out on the ground, the engine can catch fire, and the electronics can be smoked by cosmic rays -- all at the same time -- and
Re: (Score:3, Insightful)
I think that Rolls Royce offers a pure drive-by-wire system in one model, including braking. Of course, many airplanes are completely fly-by-wire. It's just a matter of cost.
Nonw of which will prevent you from stepping on the wrong pedal. Maybe Toyota has a bug somewhere, maybe not, but remember the "Audi unintended acceleration" problem? 100% driver error. The "Toyota unintended acceleration" problem? The most likely explanation remains driver error (I'd have no doubts at all, expect I believe the Woz
Re:Why they tell you to turn off your phone... (Score:4, Interesting)
I remember a news story from several years ago that even made the evening news. Someone had a Saturn car that they realized they couldn't afford and tried to return. The dealer wouldn't just take it back for a full refund, since it was now a used car.
Over the next few months, the driver had several "emergencies" with it, each time having it towed back to the dealership, where they couldn't find a problem. One in particular that was video taped by the police, the car was circling in a parking lot and the driver called 911. The insisted the car wouldn't stop. They told her to step on the brakes, use the emergency brake, throw it in neutral, shut it off, etc, etc, etc... She circled for something like 30 minutes. Finally they got her to open the drivers window, and an officer got in the middle of where it was circling. He ran for the side of the car, grabbed the wheel, and then turned off the key. The car (amazingly enough) came to a stop.
Of course, she claimed it wouldn't stop for her. There was all kinds of talk about lemon laws, and how Saturn vehicles weren't safe. She made a whole bunch of noise, and the dealership traded her car for another one. The problems persisted for her. Obviously Saturns were amazingly dangerous vehicles. Someone from the dealership (I think the owner) actually started driving her original car to work every day, to find out what the problem really was. He never had a problem.
Eventually, she was charged, I believe with reckless endangerment. Pretty much, she was driving dangerously, and endangered the officers who tried to help her.
I won't say that the mystery Toyota is driver error or a mechanical problem, but where the cases that have been in the news have massive parallels in other vehicles too, where drivers just did the wrong things.
A older lady in a Buick several years ago was pulling into the parking lot where I worked. I happened to be in the front of the store, and heard her tires squeal. She smashed into a parked car. That broke the parking pawl and sent the parked car across the parking lot into two other parked cars. One of those cars belonged to one of my coworkers, who wasn't exactly very happy that his car was totaled. I ran out to see if she was ok (once the cars stopped moving). She said "What happened?" I told her what she did. She was very insistent that she hit the brakes. I told her she spun the tires before hitting the first car. She said the other car must have done it. The driver of the other car was in the store at the time. At least everyone with wrecked cars had a good sense of humor about it, and no one was hurt. The funniest part was, her car was fine. There was absolutely no damage. It wasn't even scratched. The other three car were severely damaged though. Her insurance gave my coworker full book value on his car, even though it was a rusted piece of junk that barely ran. They were fully aware of it, they were just avoiding potential legal problems.
Is there realy a problem? (Score:5, Insightful)
Since the biggest Toyota runaway story has turned out to be a problem exists between seat and pedals [aol.com] situation... is this all hype with no science behind it?
Re: (Score:2, Troll)
Yeah, pretty much. Besides, error correcting systems are relatively well-uderstood technology. ECC hasn't been the best available option for RAM for ages, and even the imperfect gains of ECC will work around occasional single-bit corruptions in memory. Flash can be used with extensive checksums. Executables can have hashes like MD5 and SHA checked b
Re: (Score:2, Insightful)
>Executables can have hashes like MD5 and SHA checked before being allowed to execute, etc.
That's a ONE TIME check when you load the program. Sure it can check if the data in the FLASH has start to corrupt or someone has tempered the firmware. However, It doesn't check the memory once the coding is running which is 99+% of the time the code is doing. Cosmic ray can be hitting your car ANYTIME and not just when it is parked.
ECC checks the memory bits during access and you can have periodic scrubbing to
Re: (Score:2, Interesting)
The problem is that many microcontrollers used in automotive systems don't have support for ECC or any other hardware based error checking mechanism. A lot of these systems only use the memory on the microcontroller chip. If there is external RAM on the unit, ECC memory isn't always used since it is more expensive. Flash is typically checksumed/CRCed/MD5 checked, but you don't typically see flash cells get flipped in the field. I've seen one unit get flash corrupted(out of many millions of possible units
Problem IS from outer space... (Score:3, Funny)
Since the biggest Toyota runaway story has turned out to be a problem exists between seat and pedals situation..
Ignorant alien between seat and pedals. Toyotas were designed for humans to drive. 'nuff said.
Re: (Score:3, Informative)
Since the biggest Toyota runaway story has turned out to be a problem exists between seat and pedals situation...
The article you linked to does not even begin to support that conclusion. Basically its a bunch of innuendo, like he [i]might[/i] have been late on payments on the car (since proven false) or that he should have shifted it to neutral (not an intuitive action for someone who has never driven a manual transmission - and certainly a last resort that does not negate the existence of a problem to begin with). Even information released after that article was published has been far from damning - basically toyot
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:3, Interesting)
>>Confirmed cases of runaway acceleration are virtually non-existent.
And how do you confirm it? Ask the person?
My '84 Cutlass Supreme went out of control accelerating when I was driving on the campus loop (back in '97 or so), but how could you confirm this? It did happen, but how can you verify it? (I've posted the story on Slashdot before, if you really dig back into my history, long before the runaway Toyota thing entered our national consciousness.)
And to the snarky people posting on this - it's te
Re: (Score:3, Interesting)
You replicate it and see if it happens again, or look for physical causes that might come to that result. Loose floormats have been confirmed to cause it. rusty/sticky throttle cables have been confirmed to cause it. Bad cruise control units have been confirmed to cause it (mostly because of physical errors, not all are electronic).
But "the car accelerated, I applied the brake and only the brake once the acceleration started and pushed it as hard as I could and the vehicle co
Reverse car analogy? (Score:3, Interesting)
Wrong analogy. Windows does crash a lot. It should be "It reminds me of Windows users who say Linux isn't ready for the desktop".
Funny, this is the first time I ever saw a computer analogy used to explain a car problem in Slashdot. But, come to think of it, this is a rather neat analogy. Toyota is blaming their problems on driver error,
How about safe languages? (Score:3, Funny)
I bet they still use C for these kinds of things, how about something safer, such as Eiffel?
Re: (Score:3, Insightful)
If a cosmic ray flips a bit in the (insert safe language here) array boundary checker, then what?
No. (Score:4, Insightful)
There's a reason that our entire modern world doesn't come crashing to a halt around us every 30 seconds. If every CPU was vulnerable to bit flips from random radiation, every part of your house would be on fire and arcing electricity. Times Square would look like the bridge of the 60s enterprise under attack.
This is just some douchebag professor trying to ride the tragedies to fame. There's a reason it's always hitting the same system in the car. It's because the system is defective. There's a reason the professor has nothing but speculation to back himself up.
This is the worst kind of charlatanry from someone who should know better. I hope his hosting school takes this very, very seriously.
Re:No. (Score:5, Insightful)
Re: (Score:2)
Of course, more probable than a bit flip due to cosmic rays is a bit flip due to marginally bad RAM.
I would think that Toyota's design process includes some sort of Byzantine fault tolerance. And I would think the automobile industry would have regulation regarding how safety-critical firmware is written. But then I think how the pressure from m
Re: (Score:2)
You mean, the same marginally-bad RAM which seems to remember that the car is on and running? The same RAM that keeps the engine running properly? The same RAM allows the computer to throw an SES light if it detects that the engine is not running properly? The RAM that keeps track of the odometer, and controls the speedometer?
That RAM? The one responsible for all these other problems that might be caused by by bad RAM, but which aren't happening?
Hmm.
Naah, don't think so.
Re: (Score:3, Interesting)
You misunderstand my argument. That's OK -- it happens to me all the time.
Allow me to rephrase: What are the chances of the RAM being marginally-bad in such a way as to allow unintended acceleration, while not producing any other symptoms?
The chances of it being bad to begin with are slim (after all, all RAM is tested, often by more than one party). But this won't be just any RAM -- this will be, in today's terms, glacially slow RAM which has been tweaked to perfection over the past decade (or more), bec
Re: (Score:2)
I'm standing in line with SC on this one. This story needs to be tagged "unicorns, ponies and space rays".
Re: (Score:2)
Grandparent is also a raving lunatic stoner with serious people issues. Heh, I just realized that SC, that dude who single-handedly pissed hundreds of people off in several IRC channels until other operators finally kicked him out, also lurks around /..
Even a stopped clock is right twice a day ... unlike the professor.
Re:No. (Score:5, Informative)
Actually, every CPU _IS_ vulnerable to bit-flips from radiation. That part of it is not speculation. It does occur in commodity processors, and with probabilities large enough that we have ECC ram, and ECC and/or parity in caches. Some servers actually come with built in hardware fault tolerance methods, because when you run hundreds of servers non-stop for years, the probability that a particle strike screws up a register on chip is non-negligible. Now, still, the probability isn't _huge_. Definitely not high enough to be causing these specific problems, especially when the failure is always in the same manner. _That_ part of it is pretty much bullshit.
Sun UltraSPARC-II's anyone? (Score:5, Insightful)
Sounds a whole lot like the e-cache parity errors in the Sun UltraSPARC-II processors.
If you were never affected by that, consider yourself a lucky person.
particle-caused bitflips are very much real.
Re: (Score:2, Informative)
I work with someone who used to do tech support for Sun - those flips were due to a manufacturing error - tech support were just told to tells customers it was due to 'Sun Spots'.....
Re: (Score:2, Interesting)
Actually, it was due to a design error, as the cache wasn't ECC protected and occasional bit-flips weren't detected.
http://www.sparcproductdirectory.com/artic-2001-dec-1.html
Re:Sun UltraSPARC-II's anyone? (Score:4, Interesting)
I wouldn't say error, it was designed with parity protection only, so was incapable of correcting single bit errors, only detecting them. Hence, the reason for the crashes (i.e it detected a bit flip). If two bits were flipped you would never know.
I worked in the Sun front line call support during this time, and explaining this over and over to customers was somewhat painful. Never mind the years of mocking that still come from telling customers "it was a cosmic ray". Sun put massive effort into tracking, diagnosing and fixing this issue though. Some customers got versions of CPUs with "mirrored" SRAMs. Sad to say, I remember customers still getting errors with those.....
The US-III chips came out with end to end ECC protection, but the problems remained. In the end it turned out to be a host of socket mounting, pin contact and design specification issues that caused the errors, mostly solved by the time the 1200MHz CPUs were out. I wouldn't be surprised if it was something similar with the US-II.
As for Toyota, if they dont have end to end ECC they only have themselves to blame.
Re: (Score:3, Insightful)
Re: (Score:2)
Not necessarily, clouds absorb cosmic radiation - or more accurately water vapor absorbs cosmic radiation and forms clouds, so anywhere with a lot of cloud cover is going to have a lot of cosmic-ray cover too. Higher altitudes generally occur in hilly or mountainous regions (duh, that's what makes them high), and they also tend to have a lot more cloud cover because wind and moisture get blocked by the mountains.
You'd probably be most likely to see lots of cosmic rays in dry, flat areas that usually have l
Re: (Score:2)
Prove It, Implement Fix, Pay Out Families (Score:5, Insightful)
It's not out of the question, IBM noted in the 90s [scientificamerican.com]:
Extensive background radiation studies by IBM in the 1990s suggest that computers typically experience about one cosmic-ray-induced error per 256 megabytes of RAM per month. If so, a superstorm, with its unprecedented radiation fluxes, could cause widespread computer failures.
You have to fix this though. As a large manufacturer you have to accept this risk just like your competitors do. Airlines accept this risk and triple check their data because people's lives are at risk. As a car manufacturer, you are in the exact same position.
I hope the fix they already rolled out as a recall includes triple checking data or -- if the article is correct -- we won't see a drop in these horrible accidents. I hope for drivers and public safety that it does. It's led to death and possibly wrongful incarceration [go.com]. Restitution is in order. Take testing motor vehicles seriously.
Re: (Score:2)
Finally, a wayward floor mat doesn't make a good news story unless you're writing it up for the Darwin awards.
Re: (Score:2)
So, the bottom line is that
- the test facilities (heavy ion and neutron sources) to perform those tests are available
- the single even effect theory and event rate predictions methods are well known (even if they are not perfect)
Which means
Space Rays, My Ass (Score:5, Funny)
This type of thing is just plain bat shit crazy. There is a problem somewhere in Toyota's system somewhere. Either a software bug or bad chips or something real and tangible
If someone here on
Re: (Score:2)
If there is a hard to define race condition locking up systems on the cars due to a software bug, it may be triggered by a bit getting flipped that is assumed to be an impossible event, this could be caused by a hardware glitch, a voltage spike, a cosmic ray strike or any combination.
Re: (Score:2)
> If there is a hard to define race condition locking up systems on the cars
> due to a software bug, it may be triggered by a bit getting flipped that is
> assumed to be an impossible event...
That assumption is a design error.
Checksums? (Score:2)
Shouldn't there then be a well-insulated ROM copy in the car that can replace corrupt values with reasonable def
Re: (Score:2)
"Check Chips at Mechanic" light that, well, tells the driver to send the car with its chips to the mechanic?
I think there is a "Check Chips at Mechanic" light ... but it's only activated when the car is racing forward uncontrollably. Hey, who knows, maybe the car is just trying to get to a mechanic on its own? It's as likely as this "rays from outer space" theory.
Re: (Score:2)
Excuse me? (Score:2)
This would be a shame. It is very well known that the size of the chips influences their susceptibility to charged particles. I am sure the people estimating the reliability have numbers about that. And there is no reason to use hi density electronics for this purpose, besides saving 10cents.
Cop-out (Score:2)
This sounds more like a cop-out for Toyota's design practices than anything. If it's not reliable enough for the road, then don't sell it! (safety laws and all).
What's so wrong with simple and effective that good design philosophy gets thrown out in favor of industry buzzwords?
Re: (Score:2)
Re: (Score:2)
How about tinfoil hats for the engine compartment? (Score:2)
Oh, right. Hoods and bonnets. They already have those.
They should start making them out of lead, maybe?
The "Oh My God" Particle excuse (Score:2)
We had a system quit working that had not been modified in years. Upon investigation the problem was found in a Perl script. The date on file was years in the past. The error was due to a change to a single character and the character was changed by one bit. Someone suggested that this was caused by an "Oh-My-God" [fourmilab.ch] particle interaction - who knows?
Long Answer: No (Score:2)
If this were true then more electronics would go haywire at higher altitudes. They do not. I used to live in Leadville, CO and our computers (and cars) worked just fine. In fact, I'd say that a car receives more radiation from the trace amounts of Uranium in the asphalt than from the cosmos.
As long as I can remember people have been blaming cosmic rays for all sorts of unexplained problems. It's just a convenient scapegoat for shoddy workmanship because few people understand comic rays or even what radiatio
Re: (Score:2)
Frontline Auto Engineer's Perspective (Score:5, Informative)
My little part of ETC involved adding a sub processor which watch-dogged the main micro. The little micro asked a series of questions of the main micro. Both processors would need to agree on all the inputs and output of the system. The little micro would also ask question regarding real time OS (RTOS) of the main micro. The main micro would need to have tasks executing in the right order to satisfy the small micro. Lastly, the small micro would ask the main micro to perform math operations to verify accuracy. Oh, and the main micro was continuously checksumming it's memory too.
Both micros had a direct hardware disable path to the H-bridge which was delivering power to the throttle plate. The throttle plate was spring loaded, so, with power cut, the throttle plate would snap to an idle position.
Next came the electro / magnetic compatibility testing (EMC). We spent months inside huge chambers testing both radiation and susceptibility. One of the tests for susceptibility involved using a zap gun to spark a 20kV spark on each pin of our ECU. Not satisfied with that, our customer opened one of our modules and used a sparking spark plug to slowly zap our board to failure. Bottom line, that throttle plate better never stick one way, or the other.
In the end, it always amazed me that the whole thing would work at all. Seemed to me that the system was always seconds away from going into some kind of fail safe mode.
No, a stray bit flip is not going to facilitate a run away car. Least not on my system!
McMurdo (Score:5, Interesting)
When I was working for NASA, on the NISN network, we'd get these weird router crashes for the old Cisco router located at (or very near) the South Pole in Antarctica. It was always a memory problem, and I'd always have to call someone to get them to powercycle the router. It irritated me to keep bothering those guys, so I opened a case with Cisco TAC.
The TAC guy sent a terse response, saying that particular crash was a "transient memory error" due to "alpha radiation or sun spots." That really pissed me off -- Cisco TAC just gave me a standard BOFH response! I escalated, and swung the NASA club around some, and finally got a senior engineer on the phone. "You said this router's at the South Pole, right? So that means it's at very high altitude, with very little ozone shielding, right?" "Umm, yeah." "Well there you go. There's a lot more radiation at that altitude than at sea level. Our stuff's only rated for sea level. See if they can .. I dunno, put a lead blanket over it or something."
I relayed the info to my contact at McMurdo, and he laughed and said he'd figure something out.
On a hunch, I checked the other two "high-altitude" routers we had, and sure enough, they both had a statistically higher failure rate for "transient memory errors".
Re: (Score:3, Insightful)
"You said this router's at the South Pole, right? So that means it's at very high altitude, with very little ozone shielding, right?" "Umm, yeah." "Well there you go. There's a lot more radiation at that altitude than at sea level.
His explanation sounds a bit off; a few molecules of ozone may be good for stopping UV but I doubt it makes a lot of difference to cosmic rays.
Just being at the South Pole is a much greater risk factor than mere altitude though, because it's where the magnetosphere funnels all the crap.
Weird (Score:4, Interesting)
Are manual gearboxes that rare in the States?
Re: (Score:2)
Wiring on fly-by-wire on planes are double or triple weave shielded. They aren't on Toyota's, they're just plastic coated wires.
Re: (Score:2)
Are you talking about Airbus style fly-by-wire or Boeing style Fly-by-wire? In the Airbus the pilot flies the computer and the computer flies the plane, computers crash and so does the Airbus; In the Boeing style the pilot flies the plane the computer helps but the pilot is boss.
Not really WAS (Re:Not really...) (Score:2)
Almost ALL airplane manufacturers use fly-by-wire for at least something. You are only considering commercial airliners that are entirely fly-by-sire. Military aircraft have have fly-by-wire for decades before Airbus came along. Airbus is better-known
Re: (Score:2)
Re: (Score:2)
Military airplanes commonly use fly-by-wire. Not all air-o-planes are airliners, you know.
Re: (Score:2)
I agree.
I trust mechanical systems more than I do some software. Yes, the mechanics also fail, but they can be inspected better ("It looks like this this linkage is rusty/cracked. I should replace it just in case") and people seem to be able to design mechanics better than software (a TV or a tape recorder does not need constant patches to fix various bugs like Firefox or other software do, it works right the first time). Mechanical systems are not affected by small intensity cosmic rays like microchips are