Deaths caused by a defect in Toyota cars

People have been dying because of this defect in the cars, something I had not realised from the Icelandic news.

 

From foreign newspapers:

Fe Lastrella refused to speak Wednesday of the ghastly accident that devastated her family. She didn't need to.

Everyone in House hearing room knew that hers was the tragedy that galvanized attention around safety flaws of Toyotas, led to the recalls of millions of cars and brought the scion of the world's largest automaker before a congressional committee to apologize.

Akio Toyoda had left the room for a news conference when Lastrella, a petite grandmother from San Francisco, took a seat at the witness table. Tearful from the first word, she announced that she would not talk about the Aug. 28 accident that robbed her of two grown children, a granddaughter and a son-in-law.

The unspeakable details: A Lexus ES 350 sedan borrowed from a dealer, filled with Lastrella's family: her son Chris, daughter Cleofe; Cleofe's husband, Mark Saylor -- and Cleofe and Mark's 13-year-old daughter, Mahala.


The stuck accelerator that turned the car into a missile traveling at more than 100 mph, near Santee, Calif.; the recorded 911 call that captured their harrowing last moments; Chris' voice, telling the others to pray.

And finally, Lastrella's disbelief the next morning when she learned at first that three had been killed -- then, all four.

The crash got the attention of the world's largest automaker and inspired Akio Toyoda, the Japanese grandson of the company's founder, to testify in an extraordinary appearance before a committee of the U.S. Congress in Washington.

He apologized generally to Congress, millions of Toyota owners and to the Saylor family -- specifically and repeatedly -- during three hours of testimony.

Then he left, and Lastrella took her seat at the table.

She didn't mention him or the apologies. Instead, she talked of her children and their lives. She noted that Saylor, a California Highway Patrol officer at the time of the crash, had been awarded in 1997 for pulling a man from a burning car.

"It is ironic that he saved someone, and he wasn't able to save his family," Lastrella said.

 

Repairing cars is no longer something ordinary people can do. You need a computer to talk to the car; a socket set is no longer enough. Strange times.

If these deaths are traced to a software bug, computer scientists may start to face stricter rules on liability, as happened with engineers a century ago, when exploding steam locomotives led to greatly increased oversight of engineers (and engineers developed a strong professional identity).

 

From another article:

Anderson notes: “A control system adopting a different, anomalous and perhaps dangerous state once in a blue moon when there is an intermittent fault. The moment the fault disappears, the control system goes back to its normal state. It is hardly surprising that subsequent testing fails to reveal any fault. There are plenty of examples of physical systems having normal and faulty states and a small change may move the system from one state to the other. The manufacturers know this perfectly well. Their prescription of “wiggle tests” on connecting cables to identify poor connections and make them better is indicative of the vulnerability of car electrics to intermittent contacts.”

And in denying that this problem even occurs, manufacturers have foregone countermeasures altogether, Anderson said.

“The problem really is: these systems are designed so if they do fail there is nothing the driver can do about it.”

 

PS: Here is an old example of deaths caused by a software bug:

The accidents occurred when the high-power electron beam was activated instead of the intended low power beam, and without the beam spreader plate rotated into place. The machine's software did not detect that this had occurred, and therefore did not prevent the patient from receiving a potentially lethal dose of radiation. The high-powered electron beam struck the patients with approximately 100 times the intended dose of radiation, causing a feeling described by patient Ray Cox as "an intense electric shock". It caused him to scream and run out of the treatment room.[3] Several days later, radiation burns appeared and the patients showed the symptoms of radiation poisoning. In three cases, the injured patients died later from radiation poisoning.

Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

  • AECL did not have the software code independently reviewed.
  • AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed. These form parts of the general techniques known as reliability modeling and risk management.
  • The system noticed that something was wrong and halted the X-ray beam, but merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, so the operator pressed the P key to override the warning and proceed anyway.
  • AECL personnel, as well as machine operators, initially did not believe complaints. This was likely due to overconfidence.[4]
  • AECL had never tested the Therac-25 with the combination of software and hardware until it was assembled at the hospital.

The researchers also found several engineering issues:

  • The failure only occurred when a particular nonstandard sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: an "X" to (erroneously) select 25MV photon mode followed by "cursor up", "E" to (correctly) select 25 MeV Electron mode, then "Enter". This sequence of keystrokes was improbable, and so the problem did not occur very often and went unnoticed for a long time.[3]
  • The design did not have any hardware interlocks to prevent the electron-beam from operating in its high-energy mode without the target in place.
  • The engineer had reused software from older models. These models had hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so there was no indication of the existence of faulty software commands.
  • The hardware provided no way for the software to verify that sensors were working correctly (see open-loop controller). The table-position system was the first implicated in Therac-25's failures; the manufacturer revised it with redundant switches to cross-check their operation.
  • The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. This was missed during testing, since it took some practice before operators were able to work quickly enough for the problem to occur.
  • The software set a flag variable by incrementing it. Occasionally an arithmetic overflow occurred, causing the software to bypass safety checks.

The software was written in assembly language that might require more attention for testing and good design. However the choice of language by itself is not listed as a primary cause in the report. The machine also used its own operating system.
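The last engineering item above (a flag set by incrementing, with an overflow that bypasses the safety check) as an added C illustration; this is constructed for this post, not Therac-25 source code, and the beam-state fields and function names are assumptions. It puts the counter-as-flag pattern beside a check that runs unconditionally and so cannot be skipped by a wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration (not Therac-25 source code) of the defect listed above:
 * a "flag" set by incrementing an 8-bit counter wraps to 0 every 256th time,
 * and a safety check guarded by "flag != 0" is then silently skipped. */

typedef struct {              /* hypothetical beam setup; names are assumptions */
    bool high_energy;         /* electron beam in high-power mode */
    bool spreader_in_place;   /* beam spreader plate rotated into the path */
} beam_state_t;

static uint8_t g_verify_flag = 0;   /* vulnerable: nonzero == "verify setup" */
static void setup_pass_vulnerable(void) {
    g_verify_flag++;          /* intended as "set flag"; 255 + 1 wraps to 0 */
}

/* Vulnerable check: only runs the interlock test while the flag is nonzero. */
static bool fire_allowed_vulnerable(const beam_state_t *s) {
    if (g_verify_flag != 0 && s->high_energy && !s->spreader_in_place)
        return false;         /* unsafe setup caught, but only if flag != 0 */
    return true;              /* flag == 0: test skipped, unsafe setup fires */
}

/* Hardened check: no flag involved; the interlock test runs unconditionally
 * and fails closed, so a counter wrap cannot bypass it. */
static bool fire_allowed_hardened(const beam_state_t *s) {
    return !(s->high_energy && !s->spreader_in_place);
}

/* Run `passes` setup passes, then ask whether the unsafe configuration
 * (high energy with the spreader out) would be allowed to fire. */
bool unsafe_fire_permitted_after(unsigned passes, bool hardened) {
    const beam_state_t unsafe = { .high_energy = true, .spreader_in_place = false };
    g_verify_flag = 0;
    for (unsigned i = 0; i < passes; i++)
        setup_pass_vulnerable();
    return hardened ? fire_allowed_hardened(&unsafe)
                    : fire_allowed_vulnerable(&unsafe);
}

int main(void) {
    for (unsigned n = 254; n <= 257; n++)
        printf("vulnerable after %u passes: %s\n", n,
               unsafe_fire_permitted_after(n, false) ? "FIRES" : "blocked");
    printf("hardened after 256 passes: %s\n",
           unsafe_fire_permitted_after(256, true) ? "FIRES" : "blocked");
    return 0;
}
```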

 


Linked news item on mbl.is: Toyoda apologises

Comments

1

"The stuck accelerator that turned the car into a missile traveling at more than 100 mph"

Why don't people switch the car off or put it in neutral when the accelerator sticks?

Ásgeir (IP address logged) 25.2.2010 at 21:08

2

A sign of quality, or what?

Ásgeir, probably because they panic.

Sigrún (IP address logged) 25.2.2010 at 22:16

3 Gunnar Heiðarsson

I would point out to Ásgeir that you don't jump out of a car at 100 mph (160 km/h); besides, many newer cars are built so that they cannot be put into N at such speed.

I see the sorrow in this news rather than whether someone might perhaps, possibly, have been able to do something else.

Gunnar Heiðarsson, 25.2.2010 at 23:26

4 Jón Steinar Ragnarsson

Gunnar Heiðarsson. You should read the comments more carefully before you pick at them. Ásgeir talks about switching the car off, i.e. turning off the ignition. He also suggests that putting it into neutral is an option in these circumstances. There are in fact various ways to respond to this. Drivers have responsibility too. Cars break down. It is not inappropriate to consider remedies and put them forward instead of dwelling on the sad fate of some individuals.

I find this whole thing most peculiar. Of all the huge number of cars of this make that are produced, a handful of cases are blown up, cases that could have been prevented with know-how and the right reactions. I don't think there is a make of car that doesn't kill someone because of breakdowns and defects. I have myself owned a car whose accelerator stuck in cold weather, for example.

Jón Steinar Ragnarsson, 26.2.2010 at 10:51

5 Jón Steinar Ragnarsson

The history of American cars in this context is actually very bad. Most recently it was the Explorer, which was always on its roof. And who doesn't remember the Bronco, with its wrongly placed centre of gravity and too-soft suspension. British cars were also death traps, where tie-rod ends and kingpins snapped apart and there was no way to respond to that. It is nevertheless a very good thing to put pressure on car manufacturers to take care in production, even though it has never been better controlled than it is today.

Jón Steinar Ragnarsson, 26.2.2010 at 11:00

6 Kári Harðarson

The reason the people did not switch the car off was that it did not have a car key but a start button, which has to be held in for 5 seconds to kill the engine if the car is not in "Park". Normally this button kills the engine immediately. The people did not know this, and it is not obvious.

(Actually the same applies to computers today: if Windows freezes you can kill the computer by holding down the "Power" button.)

An old-fashioned car key always killed the engine.

An old-fashioned accelerator connected by a cable to the engine would first have become a bit stiff for a while, then the cable would have snapped and the engine would have dropped to idle. A spring at

It is much less predictable when it works 100% right up to the day the engine goes to 6 thousand rpm and stays there.

We need to design not just how things work, but also how they fail.

I know very well that these incidents are very rare, but this is an opportunity to prompt thought about how things are designed. Why does the floor slope under the brake pedal? So that a Coke bottle doesn't roll under the pedal and prevent braking.

Kári Harðarson, 26.2.2010 at 11:52
