Hacker News
by weinzierl 3900 days ago

   I suppose you could make the argument that these programmers did not 
   know what they were doing. That they were simply given some specs, and 
   they implemented those specs, and didn't know that they were 
   accomplices in a case of massive fraud.


   I think that argument is even more asinine than Michael Horn's. They 
   knew. And if they didn't know, they should have known. They had a 
   responsibility to know.

I agree with all the points in the article except for the point that the programmers should have known.

For me it is a plausible scenario that the programmers have been told that this feature is needed for some good reason (probably testing).

When I was a young engineer I had a mentor. He was a war baby and a strict pacifist. He was also very good and his advice was much sought after so he could afford to refuse all offers from the defense industry.

He once told me that for his whole life he managed never to design anything that could be used to harm people - except for one thing. When he was young he was hired to design a gear rim for a crane. He told me he was given the load specifications but never saw a drawing of the actual crane. That was a bit unusual but nothing he worried about.

It turned out that the gear rim was actually for a Howitzer. He never worked for that client again.

There are all kinds of reasons why a car has to behave differently while on a dynamometer and there are all kinds of special code branches that are executed only during test. For the programmers it probably was just another special case among many.

Don't be evil and don't be a fool, but you can't be expected to do a full ethics check for every feature you are supposed to implement.

EDIT: Spelling, style and removal of some superfluous chatter.

2 comments

From what I've read, the trigger for the mode switch was very detailed and narrowly tailored to the EPA certification testing, and included barometric pressure as a factor.

That makes it quite a bit harder to believe that whoever implemented it thought it was for some legitimate testing. For testing you want a trigger that is hard for anyone to hit accidentally, but easy for people who know about it to hit. You would not include barometric pressure, because that narrows the ability to get into the test mode way too much.

An ideal sequence would be some nonsensical sequence of inputs, like a specific sequence of left and right steering inputs, with a specific sequence of turn signals (often opposite of the direction turned) if the ECU has turn signal data available, interleaved with a specific pattern of taps on the brakes.

I don't doubt that the developers were told to specifically write code to detect the EPA certification testing environment. I just think it is a possible scenario that they were left in the dark about the real reason for the detection to exist in the first place.

Hypothetical example: The Lane Keeping Assistant can actively adjust steering. Turning the wheels during a test on the dynamometer can make the car jump off the rolls and harm people. The dynamometer is a highly artificial environment that can potentially confuse the Lane Keeping Assistant.

Do you ensure safety through testing guidelines or through safety measures in code? Would this be a plausible reason for a developer to write the dynamometer testing environment detection code?

"There are all kinds of reasons why a car has to behave differently while on a dynamometer and there are all kinds of special code branches that are executed only during test. For the programmers it probably was just another special case among many."

I think the point is that someone deliberately did this and they had their hands in the code. Yes, there are variants of the tune-able parameters for various regions and tests. As part of design and validation these can be used interchangeably on the test beds. However, someone, somewhere wrote the emissions defeater.

Remember, someone wrote the emissions defeater, AND maintained the code for seven years until now.

It may not have been actual code. Perhaps only values in a look-up table? Perhaps even values in an area of a multi-dimensional array that was never expected to be used.

The tune-able parameters are lookup tables. I know that Ford, for example, will go through up to 15 iterations per day with testers in the field, in various physical environments, leading up to a release.

The code that detected whether the vehicle was on the road or being tested is what is at issue here. It was a software engineer/manager that implemented it.