by TerraHertz 3889 days ago
I'm a retired electronics design engineer and embedded programmer, and I will NEVER own a car with any kind of vehicle/engine management computer. Old cars for me, forever. I flatly refuse anything but fully manual and direct mechanical gears, clutch, steering, brakes and throttle.

Curiously the chief engineer I knew at a major car service center, also felt the same way.

And that's not even touching on the insanity of building computerized vehicle systems with always-on GSM data links to the Net. Ask Michael Hastings how that worked out for him.

Also I agree that critical systems software should be legally required to be open source.

Though I have a strong preference for analog/physical/mechanical systems in cars, the main reason for this is more that they're far easier and more fun to work on, rather than reasons of safety.

I'd hazard a guess that in a serious crash you're going to have a far better chance of survival in a modern car (crumple zones, airbags/side-cushions/curtains, ABS etc) vs a ~1980's or older car, and that the cause of said crash would be human error rather than a bug in the engine throttle code.

I drive a 25 year old car that perfectly fits your description, but that's just because I like the way it handles, how it looks, and because it has a little more personality to it than all the dime-a-dozen cars you see on every corner of the street.

What I don't understand is how you can rationalize your preferences by thinking these old cars are safer because they don't have any software-defined points of failure. The chances of dying in a car accident because of driver error (by yourself, or by someone else) or mechanical failure (because of worn-out parts) are infinitely higher than by some kind of electronic failure. And if you end up in crash, your chance of survival will be much higher in a modern car, because of all the safety measures that have been added over the years. So IMO it doesn't make sense to stick with the things you've mentioned if safety is your primary concern.

He/she didn't mention safety.

The article is about software systems leading to safety risks. I'd say safety is implied when an electronics designer comments on it that he/she would never drive a car that relies on software to ensure safe operation. Not worth splitting hairs over IMO.

Do you fly airplanes of commercial airlines? If yes, I have bad news for you. They are almost all fly-by-wire already.
They're also all triply redundant control systems with rad hardened computers and error correcting memory... you won't find that level of redundancy in passenger cars; and Toyota outright lied to NASA about the type of memory that was used in the 2005 Camry. (Claiming it to be ECC when it was not.)

On top of that: pilots of any caliber undergo far more rigorous training than what is required of a licensed driver in the US. They routinely have to train for the autopilot systems they use, etc. -- I trust a pilot to react appropriately when the fly-by-wire system goes haywire moreso than the average driver.

The automotive industry has quite a ways to go before I'll consider their safety critical engineering to be anywhere near the level of robustness present on even the oldest commercial airliners in service.

While safety-relevant ECUs are not triply redundant, they ARE doubly redundant with error-correcting memory. So I don't know what Toyota used to do, but, from my experience, nowadays, auto companies take safety-relevant applications VERY seriously.

Actually, for the division I used to work for, a lot of the people programming ECUs for cars came from aerospace. They built radars for planes, now they build radars for cars.

Also, the safety of the systems tends to improve with time, as technology matures.

Also, another interesting anecdote, the Flexray communication protocol used more and more in cars these days was first used in planes.

Same here, I drive the last year of the car model with mechanical steering and accelerator, on purpose.

It's really hard to find cars with curtain airbags though without electronic accelerator and fake steering.

When you say fake steering do you mean power steering, or electronic assisted power steering?

Because the way I see it power steering itself is just as mechanical as hydraulic brakes; and electronic steering is a far more recent development than throttle-by-wire.

If you're willing to accept power steering it's not too hard to find vehicles w/ side curtain airbags. Lots of '01 Toyotas had side curtain airbags, and it wasn't until '02 that they started putting drive-by-wire in the Lexus lineup (much later for the rest of their lineup, I believe it was phased in over '03-'05 for Toyotas.)

I adore my '01 Camry. The 5S-FE is a bit sluggish compared to modern powertrains, but it's bulletproof, insanely easy to work on, and drives quite smoothly. It'll be a cold day in hell when I have to replace that car with a glorified PlayStation controller.

Yeah I mean new cars have electronic steering, there is no real mechanical linkage to the wheels.

My steering works even when the power assist fails, though it is much harder to turn at low speeds/standstill.

That stance will soon become unreasonable. Incidentally, I'm also an engineer and work on embedded systems... for cars. Can embedded systems be unsafe? Sure. Can they be made reasonably safe, safer than full mechanical cars? They can.

It'll come at a point when those cars will be unmaintainable, hard to acquire, expensive. I want to see if you'll still have the same stance then. What if in 30 years it becomes illegal to drive your own car and you can only use SDCs, will you still pine over the good old mechanical components then?

You feel the same about planes?

The flight-critical software in planes is at least somewhat reviewed and regulated by the FAA and other national aviation agencies. AFAIK, software in cars is totally unregulated.

>And that's not even touching on the insanity of building computerized vehicle systems with always-on GSM data links to the Net. Ask Michael Hastings how that worked out for him.

Thing is, if attackers that advanced are out to get you, you're pretty much screwed regardless.

Had Hastings been driving a classic car, I'm sure he would have suffered a tragic drug overdose or something instead.

Besides, even if your car isn't computerized, there's plenty of others on the road with you that are.

Agree. What about power steering? You won't get any car without it nowadays. Do you count non-computerized (servo) power steering as "mechanical steering"?

I don't think you'd be able to get any new non-computerized car at all today. Emission control makes computerization an absolute requirement. That's why choice in cars for people who feel the way I do is limited to old cars from pre-90s. Suits me fine.

Servo power steering is acceptable, though my present car (1993 Subaru station wagon) has direct steering, and I prefer that.

Car manufacturers have made giant leaps in driver safety though (going by NCAP star ratings and the like). Drivers can now walk away from what once would have been a fatal crash - are you comfortable forgoing all those advancements?

Do the safety improvements in cars introduced since 1993, designed to protect you from collisions with other vehicles, outweigh the risk of a computer fault?

I see your point, although I'd find it too limiting to impose that on myself. Speaking of GSM data links, I seem to be the only person worried about the "eCall" mandate: all cars in the EU will be required to phone home with their location in the event of a crash. That requires a GPS+GSM device in the car.

I love the absurdity and arbitrariness of this. You'll happily drive in a car, one of the most dangerous machines people use regularly. But if it has a computer in it, no siree, that's when things get too deadly to deal with. All of the other thousands of moving parts, like the thing that takes energy-dense hydrocarbons and ignites them several thousand times a second in hot, high pressure tubes - that's fine and totally safe. It's the ECU that makes the car dangerous. The fact that the only thing separating you walking on the sidewalk from death from a two ton metal box is the convention that we'll all stay within the lines painted on the ground. That's fine. It's the ECU that you're afraid of. Absurd.

You make it seem silly. But the energy-dense hydrocarbons get combusted in steel/aluminium enclosures that have been battle tested in millions of systems for over 60 years. For it to go wrong billions of atoms need to be displaced at huge energies (much higher than the single combustion).

The ECU however, was probably made ~10 years ago by a team of highly incompetent software developers trained as electronics engineers, with no access to any previous attempts by other companies and progressively getting worse over time (instead of being perfected). To make the ECU do something it wasn't made to do all it needs is a mere low voltage event just enough to flip a crucial bit, and many bits are crucial.

Not that I don't agree that it's silly to not drive cars with an ECU, but just saying that his point has merit.

That battle testing also killed millions of people.

Modern cars are vastly safer. Demonstrably so.

Computers in cars may make them more dangerous. But this is far outweighed by the greater overall safety in the cars that have them. You can't buy an otherwise modern car with no computer control, so your choice is either to buy a modern car with computers, or buy an old car without them. If you're avoiding computers then you're buying an old car, and the result is greatly decreased safety.

This is typical human risk management, of course. The mostly imaginary scenario where your ECU goes nuts and causes you to crash helplessly into a concrete barrier is assigned great importance, where the sadly common scenario of some drunk or texting (or drunk texting) idiot killing you in an accident that modern safety design would have allowed you to walk away from is assigned very little importance.

It's much like people who are afraid of flying but are happy to drive, because the thought of plummeting to their death from 30,000 feet is much more vivid than the thought of being randomly run over by a tractor trailer even though the latter is much more likely.

I actually know three people who were run over by a tractor trailer! While I don't know anybody killed in a plane crash.

One was rushed to the hospital with a skull cracked like an eggshell. Almost fully recovered except he can't smell anything.

One had a tractor/trailer fall over while turning a corner, onto his car. He happened to lie in the gap between tractor and trailer, leaving a little uncrushed cell with him in it. No injury.

One was slowing to turn right on a highway; a sleepy tractor driver ran at full speed into the back of his old American car, crushing it utterly up to the back of the front seat. Unhurt. So old American cars have something going for them?

Sounds like any passengers in the rear seat would have been doomed in that last crash. A modern car probably would have fared much better.

Your second story is pretty amazing! Sometimes it's all about luck.

It's not absurd at all. For the questionable benefit of the ECU, you get a black box system that may or may not be garbage controlling the primary engine input, that may or may not fail safe. Give me the thing that grandpa designed 75 years ago.

In the olden times, the throttle was controlled by a mechanical device and tensioned springs. The failure characteristics were studied for 150+ years, and the state of the mechanical components could be assessed by visual or physical inspection. The failure scenarios for open throttle are also non-obvious things to workaround. What do you do? Pump the brake? Take the car out of gear? Depress the accelerator to reset? Turn the key? It's a complex decision matrix with life-and-death consequences, and the correct answer will vary by car configuration and vendor.

The ridiculous positions taken by posters here are indicative of how engineering failures like this happen.

It's absurd because the reported incidents are so few. In 2010, worldwide, 1.24 million people died in car accidents. Over 3000 a day. In 2010 in the US, 36,166 died.

The number of incidents related to speeding Toyotas is pretty insignificant compared to that number.

You speak of the olden times like they're long gone? My car is from 2001, has side curtain airbags which will render most common crashes non-fatal, and it still has a fully mechanical throttle and no electronic brake controller of any kind. I don't consider it all that old.

Yes it has an ECU, but EFI is not the problem in my opinion, and the computer by itself doesn't frighten me. EFI was a fantastic invention as far as I'm concerned. Also despite it being a "black box" I find it much more pleasurable to tune and maintain EFI systems over fickle carburetors.

The real problem was making the ECU an _active control system_ which directly controls the engine, throttle, brakes, etc. in response to your inputs; as opposed to a passive one which merely _reacts in response to changes in its environment_ (e.g. more air moving through the intake, wheels locked up, losing traction on one side.)

So yes, my '01 Toyota has a black box, but it's simple enough that it could be replaced by a handful of aftermarket controllers, many of which have their source freely available, or available for a modest licensing fee.

---

Also I'd like to disagree that reacting to WOT is a "complex decision matrix." -- My instinctual reaction would be as follows.

First you open the clutch and/or put the car in neutral. Disconnecting the motor from the wheels is the most reasonable solution to this problem. When I was taught to drive stick the very first thing I was told, before I ever moved the car an inch, was: "when you need to stop, clutch and brake."

(Of course if it's an automatic transmission: "going into neutral" is just controlled by another black box. Sucks to be you if you hit deadly bugs in two separate powertrain management controllers.)

(As an aside I do personally know people that commute every day in the US, and they don't even know what a transmission does. Why are we licensing these people as skilled motorists?)

If I somehow found myself without even the most basic control of my transmission, you just press the brakes as hard as you can and you stop in ~300 feet.[1]

If that didn't work, or if I had stopped but hadn't regained control of the vehicle, I would then kill the ignition. (To be fair: I'm told this is not quite so simple in modern cars! Apparently someone thought "pushing and holding a button for 3 seconds" was a better idea than "turn a key." -- However I also wouldn't agree to drive a car if I didn't know something as basic as how to kill the ignition under duress. I'm the sort of guy that reads the manual cover to cover for fun.)

If killing the ignition doesn't work[2] and your transmission is somehow stuck engaged then today is really not your day.

I don't see how any of this requires any more skill than driving does normally. To me this is not some complex decision tree, it's reflex at this point.

(Also there is a good reason I would brake before killing the ignition. Brakes and steering are mechanically assisted by the engine. It would be extremely irresponsible to cut the ignition in a vehicle w/ power steering and power brakes on a public motorway in my opinion. -- Again I don't think this is some complex decision, I believe it should be requisite knowledge for being licensed to operate a motor vehicle under such conditions.)

tl;dr: the complexity in this matrix is inherent in the task itself. If this is "too complex" then maybe we should work to improve our driver training and licensing programs; or better yet consider having more people take public transit, instead of handing out licenses like candy.

[1]: http://media.caranddriver.com/images/media/51/braking-result...

[2]: https://www.youtube.com/watch?v=3NRaqgab0_w

>Apparently someone thought "pushing and holding a button for 3 seconds" was a better idea than "turn a key."

You know, that's not completely insane: https://en.wikipedia.org/wiki/General_Motors_ignition_switch...

Although, wow, that's an awful article, skimming it there's only this hint of the root cause: "After being asked by Missouri Senator Claire McCaskill whether a GM engineer had apparently lied under oath, [GM CEO] Barra confirmed that this had indeed happened (or at least seemed to)." The problem, besides GM having a procurement system that assumed people in it wouldn't lie through their teeth about lethal problems, was a single engineer who selected an out of spec switch, and then, for example, slipstreamed a better one into the system without a part number change.

(Otherwise we're in total agreement.)

You could easily extrapolate this argument to the Internet of Things if you need a way to understand the poster's point differently. Do you want or even really need a toaster with a computer in it? A refrigerator with a computer in it?

Analog toaster and refrigerator technology has been working quite well for us for almost a century.