Transportation Windows Bug

New Jaguar XJ Suffers Blue Screen of Death

An anonymous reader writes "CNET UK is reporting that it crashed a £90,000 Jaguar XJ Super Sport — one of the most technologically advanced cars on the planet today. It's not the sort of crash you'd imagine, however — an unforeseen glitch somewhere within the car's dozens of separate onboard computers, hundreds of millions of lines of code, or its internal vehicular network, led to the dramatic BSOD, which had to be resolved with the use of a web-connected laptop."
  • by rotide ( 1015173 ) on Saturday August 14, 2010 @10:50AM (#33250632)
    What _is_ surprising to me is that a linux based infotainment system would _ever_ hamper any system outside itself. Why would my audio system glitching cause my car to not start? Ok, if it somehow drains the battery, I get that, but otherwise it should be an offering on the "LAN" and simply not used if not accessible. I mean, are these systems so horridly set up that one specific glitch in the DVD playback software can do _anything_ to the basic functions of the car (brakes, engine, etc)? Or was that just sensationalism in the article merely to illustrate how much software really is "under the hood"?
  • Why? (Score:4, Interesting)

    by Pentium100 ( 1240090 ) on Saturday August 14, 2010 @10:53AM (#33250654)

    I still don't get it - why do cars need so much software? Older cars worked quite well with just mechanical controls, so why are there so many computers in new cars?

    Non-essential systems do not count - if the radio/usb player fails, I'll be annoyed (and I can replace the player with a simpler tape deck if I want to), if the steering or brakes fail, I'll be injured or dead.

    So, why the millions of lines of code? Are they really necessary for the system to do the job that simpler (and more reliable) mechanical linkages did in the past (steering, brakes, throttle, clutch, gear selector)? Mechanical devices fail, but they usually give "notice" before doing so - you can see the rusty rod or the cracked link before it fails. Oh, and you still need the mechanical device (the wheels somehow have to turn in the direction that the user turned the steering wheel). Also, people seem to be able to design mechanical devices that work as intended, while software is almost always buggy.

    My 28 year old car somehow seems to be able to work and get me from point A to point B even though the tape deck has more complex electronics (well, it has an RDS decoder, Dolby B and C NR, logic controls, LCD display, ability to control CD and MD changers etc) and the electronics of the car itself consist of a few relays.

  • by drerwk ( 695572 ) on Saturday August 14, 2010 @11:00AM (#33250676) Homepage
    Lucas went defunct in 1996. The lord of darkness went dark. But the spirit lives on. The story reminded me of a TR-6 I had in college. You never knew what would happen when you turned the key. Nine out of ten it would start.
  • by localman57 ( 1340533 ) on Saturday August 14, 2010 @11:01AM (#33250682)
    Nobody said it was the Linux system. It could have been whatever ECM monitored the Power Button. Normally, you hit the button, and it sends out a message across a bus, typically CAN (or FlexRay in the most modern systems) which tells the other systems to "wake up", and typically also energizes the ignition wire for non-connected systems. If that one ECM was locked up, the car is pretty much hosed until you can reset it. Could well have been a $5 microcontroller embedded in the dash, and running a foreground/background loop, and no real OS.
  • Re:No, you didn't. (Score:2, Interesting)

    by Anonymous Coward on Saturday August 14, 2010 @11:06AM (#33250722)

    The critical systems - brakes and steering aren't drive-by-wire

    Brakes absolutely are drive-by-wire these days. That's how stability control works. It's an advancement on ABS where a central computer can modulate the brakes for all 4 wheels. It's not exclusively electrical, it's still electrical control on a hydraulic system, but the ECU very much has the ability to screw up your braking. We had a case on our SUV where the stability control system got confused, the skid light started blinking on the dash, and the car started jerking as the ECU tried to correct a skid or spin that wasn't occurring. All this on dry pavement at 50mph.

  • Re:Why? (Score:4, Interesting)

    by KwKSilver ( 857599 ) on Saturday August 14, 2010 @11:07AM (#33250738)

    I still don't get it - why do cars need so much software?

    To drive up the price and profit margins. Silly goose.

  • Re:Why? (Score:3, Interesting)

    by morari ( 1080535 ) on Saturday August 14, 2010 @11:09AM (#33250750) Journal

    I wonder this as well. Of course, I drive a 1972 VW Super Beetle everyday. The most complex electronics in it is my aftermarket stereo! :P

  • by Reservoir Penguin ( 611789 ) on Saturday August 14, 2010 @11:10AM (#33250772)
    Whatever problem they are left stranded waiting for a certified Jaguar technician. On the other hand I can fix my 1985 Jimny with a hammer and a screwdriver and will survive an EMP blast! (I think the stereo is the only thing that contains digital components)
  • Oh yeah, "crash"... (Score:1, Interesting)

    by Anonymous Coward on Saturday August 14, 2010 @11:23AM (#33250822)

    I got the context from the title instantly... and then it took me awhile to remember that the word "crash" can also refer to a vehicle colliding with something. ...I think I need to go outside more often.

  • by davidwr ( 791652 ) on Saturday August 14, 2010 @11:24AM (#33250828) Homepage Journal

    Depends on where you park it, or where the car parks itself if its computer crashes and the fail-safes cause it to park itself.

    Driver Dies After Officers Crash Into Stalled Vehicle [nbcdfw.com]

  • by LikwidCirkel ( 1542097 ) on Saturday August 14, 2010 @11:41AM (#33250908)
    It's a Bosch dash running Linux for the infotainment. I much prefer Harman dashes that run QNX like Audi, BMW, and a number of other car makers use... totally more reliable IMO. I've actually worked hands-on with some of this stuff, and I must admit, I trust QNX much more for mission-critical applications, like automobiles.
  • Re:Why? (Score:3, Interesting)

    by Fishead ( 658061 ) on Saturday August 14, 2010 @11:57AM (#33250996)

    After years of driving a 1990 Nissan Pathfinder powered by a 3.0L V6 outputting around 140HP we upgraded to a 2005 Nissan Xterra with a 4.0L V6 that has around 270 HP and consumes less fuel. What changed? Variable Valve Timing. The engine now has the ability to change the CAM on the fly. When I want power I get power. If I'm cruising on the highway and want efficiency I get efficiency. Sure it's immensely more complex than my '77 Chevy truck with the most high tech component being the AM radio, but my truck gets similar power to the Xterra with over twice the fuel consumption. When I assembled my engine I chose which CAM I wanted. I love that the Xterra can swap that up as necessary.

    What I don't understand is how the car manufacturer could let entertainment options potentially take down the entire system. Sure it's great that my vehicle has all these fantastic features, but how about we isolate them from the critical functions? What would happen if I was driving my Xterra in the winter time and the software failed while I was going around a corner in the snow at the precise moment that the TCS system applied the brakes to one of my wheels to control a small amount of slip? My reckless driving aside, a system that is able to apply the brakes on my vehicle should not be so unstable as to kill me just because a third party application locked up.

  • by LoRdTAW ( 99712 ) on Saturday August 14, 2010 @12:01PM (#33251024)

    That is pretty much the realm of QNX, a real-time embedded mission critical operating system. I once met a guy who wrote software for QNX used on communications satellites. So yeah, it's pretty damn reliable. They used to offer a free desktop OS (Neutrino RTOS) around the same time Be Inc released BeOS R5 PE. I still have a download kicking around too. Before that (1999 ish) they offered a single floppy image that booted your PC and even provided a few small and simple demo programs and even a game. Its amazing feature was a web browser and Ethernet card drivers. Pretty amazing stuff for its time.

  • Re:Jaguar? (Score:3, Interesting)

    by couchslug ( 175151 ) on Saturday August 14, 2010 @12:06PM (#33251048)

    That is NOT a Troll, as any (old and experienced) mechanic can tell you!

    The British car and motorcycle industries tried manfully to commit suicide. They built pretty, beautifully finished, delicate unreliable junk.

    That worked until Japan and Germany ate their lunch by producing tough, reliable vehicles you didn't have to be a skilled mechanic to keep on the road. I grew up working on both the cars and bikes, and have no desire to go back. They were fine vehicles by 1940s reliability standards, but that was a long time ago even in the 1960s when the decline began.

    Here's the classic on the Britbike implosion, the car story is similar:

    http://www.amazon.com/Whatever-Happened-British-Motorcycle-Industry/dp/1859604277 [amazon.com]

  • by zwede ( 1478355 ) on Saturday August 14, 2010 @12:19PM (#33251118)

    You can't use a used BCM as that is exactly what GM was trying to prevent (for anti-theft reasons). What you do is you get a brand new, never powered up BCM (they are not especially expensive). The first time it is powered up, it will accept the ignition key and unlock everything. That first key is then permanently stored in the BCM.

    Again, it's supposed to work this way and it really did help drastically reduce theft of both radios and entire cars. For instance, before GM had the Passkey system the Camaro was the most stolen car year after year. Once Passkey was introduced it completely dropped off the list.

  • by Animats ( 122034 ) on Saturday August 14, 2010 @12:33PM (#33251228) Homepage

    Many years ago, I was at Ford Aerospace, where we had some slight involvement with the Ford EEC IV engine control module [auto-diagnostics.info]. The designers of that were paranoid about a failure of the module making the car immobile. So they did the following:

    • The device was designed for a 30 year life span. (Many 1980s Fords are still running with EEC IV modules, so they did it.)
    • The program for the device was etched into the silicon of the CPU. There is no way to change it without replacing the entire module. Huge amounts of effort were put into getting this small program right, including some proof of correctness work. It was successful; there's never been a recall.
    • There is a removable module with a ROM that has engine parameters. (The format is known; people have made their own for racing purposes.) It's just tables, no code. It's a bulky metal-cased plug-in module, hard to damage.
    • The device starts from a clean ground state at power-up. There is no persistent state that can prevent startup.
    • There's a dumb backup mode in the program. If the complex engine control algorithm fails, it reverts to a simple backup mode. Performance isn't very good.
    • There's a second hardware backup mode in the ignition controller. This was referred to internally as "limp-home mode". If a timer in the ignition controller detects that the EEC isn't responding, it drops into a mode where the spark fires each time a pulse from the crankshaft position sensor comes in. In this mode, there's no spark advance, no smart fuel injection, no active emissions control, no engine/transmission coordination, and top speed is about 25MPH. You can still drive the car.

    Designers today are not being sufficiently paranoid. They're assuming that the entire system stays up and that tow trucks are easily available.
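
The hardware backup mode described in the comment above, as an added C sketch that is not part of the original post and not Ford's code: an ignition controller that times the EEC's commands and falls back to firing on the bare crank pulse. The 100 ms timeout, the 12-degree advance, the tick timings and every identifier are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define EEC_TIMEOUT_MS 100u  /* assumed value; the post gives no figure */

typedef enum { MODE_EEC, MODE_LIMP_HOME } ign_mode_t;

typedef struct {
    ign_mode_t mode;
    uint32_t   last_eec_ms;  /* when the EEC last sent a command */
    int        advance_deg;  /* spark advance from that command */
} ignition_t;

/* Power-up: clean state, timer armed, nothing carried over. */
void ign_init(ignition_t *ig, uint32_t now_ms) {
    ig->mode = MODE_EEC;
    ig->last_eec_ms = now_ms;
    ig->advance_deg = 0;
}

/* A command from the EEC re-arms the timer. Assumption: a fresh command
 * also leaves limp-home; the post does not say whether the real unit latches. */
void ign_on_eec_command(ignition_t *ig, uint32_t now_ms, int advance_deg) {
    ig->last_eec_ms = now_ms;
    ig->advance_deg = advance_deg;
    ig->mode = MODE_EEC;
}

/* Crank pulse: returns the spark advance to use for this firing.
 * Unsigned subtraction keeps the check correct across tick wrap-around. */
int ign_on_crank_pulse(ignition_t *ig, uint32_t now_ms) {
    if ((uint32_t)(now_ms - ig->last_eec_ms) > EEC_TIMEOUT_MS)
        ig->mode = MODE_LIMP_HOME;
    return ig->mode == MODE_LIMP_HOME ? 0 : ig->advance_deg;
}

/* Constructed timeline: EEC commands every 10 ms, silent in
 * [hang_from, hang_to); crank pulse every 20 ms.
 * Returns how many pulses fired in limp-home. */
int simulate(uint32_t hang_from, uint32_t hang_to, uint32_t end_ms) {
    ignition_t ig;
    int limp_pulses = 0;
    ign_init(&ig, 0);
    for (uint32_t t = 0; t <= end_ms; t += 10) {
        if (t < hang_from || t >= hang_to)
            ign_on_eec_command(&ig, t, 12);
        if (t % 20 == 0) {
            ign_on_crank_pulse(&ig, t);
            if (ig.mode == MODE_LIMP_HOME)
                limp_pulses++;
        }
    }
    return limp_pulses;
}

int main(void) {
    printf("limp-home pulses: %d\n", simulate(160, 300, 400));
    return 0;
}
```

The fallback path reads nothing but the crank pulse and a tick counter, so a wedged EEC cannot hold it off.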

  • Re:Not a BSOD (Score:4, Interesting)

    by paeanblack ( 191171 ) on Saturday August 14, 2010 @01:56PM (#33251754)

    Exactly. A less sensational headline could have been "XJ Power button kinda flakey". This kinda stuff is what drives technical support people nuts.

    I stopped at "hundreds of millions of lines of code"

    # find /usr/src/linux/ -name "*.[ch]" -exec cat {} \;|wc -l
    11561604

    A car OS beats that by twentyfold?

  • by Anonymous Coward on Saturday August 14, 2010 @02:52PM (#33252014)
    I work at Jaguar - hence anonymous post...

    I can confirm we've had lots of trouble with the integration of the various systems and trying to centralise it all. There are lots of different systems onboard, all talking differently and it had delayed us a lot but we had finally resolved all the issues... well almost! Unless this was an older car which hasn't been flashed with the update.

  • Re:Jaguar? (Score:3, Interesting)

    by V!NCENT ( 1105021 ) on Saturday August 14, 2010 @03:42PM (#33252246)

    Actually, the best programmers _ARE_ in America:
    http://www.fastcompany.com/node/28121/print [fastcompany.com]

    Most bug-free and mission critical code on the planet (and beyond).

  • by dgatwood ( 11270 ) on Saturday August 14, 2010 @04:21PM (#33252432) Homepage Journal

    My guess would be a separate power management controller somewhere that was wedged with everything in a powered down state. They couldn't talk to the main computer (ECU, maybe?) to reset it, which probably means that the main computer itself wasn't getting properly powered up by the power button. You wouldn't typically leave a computer system running off the car battery (even with the displays powered down) while the car is shut off. It would consume too much power.

    Either way, I agree that it probably can't have been the button itself, or else the power cycle wouldn't have fixed it. Well, I suppose it could be a self-resetting fuse somewhere, or (maybe) a stuck latching relay, but odds are, it's a power management controller or similar.

    In the grand scheme of things, this probably calls for the addition of a power management reset feature, e.g. two extra sets of switch contacts and a 555 timer IC wired up as a pulse delay circuit so that if you hold the power button down for ten seconds, the chip's power gets momentarily interrupted by a depletion-mode MOSFET. You know, something so simple that it is almost guaranteed not to fail in the lifetime of the vehicle.

  • by KahabutDieDrake ( 1515139 ) on Saturday August 14, 2010 @04:35PM (#33252520)
    NO NO NO. Let's not go back to pure mechanical. Let's instead remove the arduous emissions regulators, and instead of the silly emissions grading system we use now, use only real world driving data for emissions testing and control.

    The problem isn't the electronics themselves. It's the silly ass way that emissions are tested. Causing car makers to profit by making convoluted systems which retard emissions under certain circumstances (cold start, etc etc). Interestingly, while emissions would be slightly higher, gas mileage and output horsepower would be substantially increased without these regulations.

    Electronic control systems on cars are capable of being a boon to both performance and emissions. The regulations we currently have, and the peculiar way they are enforced causes the problem we see. Where a faulty sensor will totally fuck the car up. Most of those sensors don't actually help the performance, longevity, or output of the car in any way. What they do instead is gimp it significantly so that the emissions are also gimped. All one has to do is look at the high performance track cars to see where emissions control has gone wrong. More power, more torque, more efficiency, only slightly more emissions.

    The second half of this is maintenance. More than 1/3 of GM income is from after market repair, upkeep and parts. We need a law that states that all vehicle diagnostic systems must be open source/freeware (or at least provided with vehicle purchase). Then we need to encourage auto makers to include the kinds of health check systems that would notice a faulty sensor, and thereby allow the car to bypass that feedback loop until it can be fixed (or at the very least moderate it). This is far easier said than done, I know, but it is possible, and it's not a cost issue, it's an upkeep issue. GM doesn't want you to be able to figure out that you need to replace a 3$ relay. They want you to bring your car into a certified shop, and pay them 80$/hr to diagnose the issue, and replace the 3$ relay with a 36$ part, at their labor rates. (it'll take an hour, even though I could do it in about 2 minutes).

    I used to have a VW passat 2.0t GLX. It was a nice car by all accounts. But the engine was a fucking nightmare. I purchased it used, within 24 hours the valve train gave out, caused by an oil sludge issue, causing failure of the oil pump. A "rebuilt" engine was put in at no cost to me (damn right!). For the next 4 weeks, every other day (averaged) I got some kind of warning light on my dash, or some kind of funky behavior from the engine. Each time it was a different "sensor" or "relay" module. Now one could argue that they should have all been replaced when the engine was rebuilt, but that's another story. So after the third time, at 150$ a pop for diagnostics and replacement, I got fed up and spoke to the head of the service department about it. She (yes, female, and hot, and knew cars backwards, sexy sexy sexy) told me to buy the diagnostic cable and software off of ebay and replace the modules myself as they failed. I did one better, I got the diag software and cable for 20$. Then I replaced every relay, sensor and module I could get to without tearing the engine out of the car. It ran like a champ for a year. I resold all the used modules to an independent VW shop (where I got the replacements) and the whole endeavor only cost me 80$. Then I sold that piece of shit and got a BMW, because at least their engines work. (the onboard navi-tainment system, not so much, currently working on replacing it with a stand alone computer of my own build)
  • Re:Why? (Score:3, Interesting)

    by Giometrix ( 932993 ) on Saturday August 14, 2010 @06:16PM (#33253060) Homepage
    As an owner of a 2009 Mercedes, let me tell you, it's not electronics, but unintuitive Mercedes design...

    For instance, if you want to lower the volume on the navigation, you have to wait for it to speak and then lower the volume through the steering wheel. Every other car on the planet has a setting for navigation volume.
