As automakers roll out autonomous driving features at the Consumer Electronics Show and the Detroit Auto Show this week and next, there's an unspoken question nagging at the fringes of the technology: Will future engineers have to find ways to prove these self-driving features don't cause accidents?
The question is especially relevant now in the wake of the recently settled Toyota unintended acceleration case. A jury found Toyota responsible after a 76-year-old woman sped out of control in her 2005 Toyota Camry as she was exiting an Oklahoma highway; the crash injured the woman and killed her passenger. The jury found in favor of the driver, awarding $1.5 million to her and $1.5 million to the passenger's family.
The disturbing issue at the heart of the case is that we still don't know what caused the accident. Toyota claimed pedal misapplication -- the driver stepped on the accelerator when she thought she was stepping on the brake. The plaintiff's lawyers targeted the electronic throttle, citing testimony from an expert who said that the car's software code was faulty. But with no smoking gun-type evidence, Toyota was left with the unenviable task of proving that its questionable software didn't cause the accident.
If you think about it, that's a tough task. Virtually all software-based products have some issues. And powertrain controllers contain hundreds of thousands of lines of software code, all of which can interact with vehicle subsystems in billions of ways -- maybe trillions. To prove something didn’t happen, engineers essentially would have to say, "We know exactly how many possibilities exist. We've tried all 16 trillion of them, and we know it can't happen."
All this is relevant for today's automakers because almost every new car uses an electronic throttle, or throttle by wire, as it's known. It's a key enabler for adaptive cruise control, traction control, electronic stability control, torque blending, cam phasing, cylinder deactivation, and countless other features. "If the issue is throttle by wire, then it's not just a Toyota problem, and it's not just an autonomous vehicle problem," Gregory Shaver, associate professor of mechanical engineering at Purdue University, told us. "If we can't trust the software, then we have to step back and take a look at almost every vehicle we've made in the past 15-plus years."
The problem would be much simpler if we could point a finger at the causes of such accidents and then fix them. But we can't do that. We can only surmise and rely on likely scenarios, leaving Toyota to deal with the same unsettling problem that nearly crushed Audi in the 1980s.
The fact that the electronic throttle is essentially a time-tested technology adds to the perplexity. "Think about how many years they've been on the road, how many vehicles are driving around with electronic throttles, and how many miles have been logged," Jeremy Worm, PE, director of the Mobile Lab at Michigan Tech University, told us. "Many of these vehicles have gone through entire life cycles. That should tell us that the electronic throttle is a robust technology."
There are some partial solutions. Brake-throttle override, in which brake actuation shuts down a wide-open throttle, should help. And automotive black boxes, which record the driver's actions during an accident, will provide an explanation that's superior to a courtroom debate.
In the end, though, engineers can't think of all the possibilities or test for them. They can conduct all manner of bench tests, failure mode analyses, and road tests for torque security, but they can't be expected to imagine trillions of scenarios. "As an engineer, you're never going to be 100% sure," Worm said. "You can get to a level of comfort after you've done your bench testing and validation and verification, but you can never have 100% confidence."
That's especially true for cases like Toyota's. You can't be expected to test for a failure if you don't know what tripped it. "All you can really do is manage the risks," Shaver said. "That's what engineers do."