To your point, the GM issue was involved in 30 accidents in a couple years but no fatalities. The problem is obviously not a failure in a parking lot, but at speed.

I don’t know the specifics of the system safety analysis but if the software is used to mitigate a hazard, it’s usually considered safety critical. In this case, if it shuts the EPS off, or fails to bring it back online, it it would significantly affect the vehicle handling dynamics. Again, I don’t know their classification scheme but I would assume the steering is a safety critical system. Some reports claim the vehicle lost all handling control, but I’m a little skeptical of that claim.

In any event, I wouldn’t consider it no issue. Recalls cost a lot of money. In the GM case it affected 1MM cars. I didn’t look up the cost of each fix, but I wouldn’t be surprised if it cost nine figures. I doubt they would go forward with a recall of that magnitude for a trivial issue.

I could see the same rationalization for MCAS. The system safety analysis didn’t claim an MCAS failure was catastrophic and they already had a procedural mitigation in place if it did fail. It wouldn’t take much to convince someone that such a recall fix was no big deal. This is part of the problem with systems using safety critical software

>To your point, the GM issue was involved in 30 accidents in a couple years but no fatalities. The problem is obviously not a failure in a parking lot, but at speed.

I'm not familiar with the specifics of that case, but having a low system voltage is more likely at parking lot speeds because the alternator isn't turning very fast, whereas at speed the alternator should be generating enough power to run everything including EPS, but maybe they underspecced the alternator, so I can see it happening. Still, losing your power assist at speed is still dangerous of course, but it is recoverable, and it's nothing like having a critical system fail in an aircraft. Failures in cars are always safer than in aircraft, because you're already on the ground. This is why safe design is so important in aircraft: if something goes wrong in a car, it might result in a wreck of a few vehicles at worst (multiplied by the number of cars experiencing that failure), but many times tragedy is avoided because the driver just needs to steer away from traffic and avoid running into something too fast. In an aircraft, there's no such thing as a "fender bender"; crashes are usually fatal, and they usually carry dozens to hundreds of passengers.

>Recalls cost a lot of money. In the GM case it affected 1MM cars. I didn’t look up the cost of each fix, but I wouldn’t be surprised if it cost nine figures.

That seems high: you're assuming each car cost $1000 to fix there. That's a lot of money to fix one component; at that volume, the part probably cost well under $100 each, and as another poster noted, the dealer labor required was pretty small.

I completely agree that car failures are almost always less severe than aircraft. However, to play devil's advocate, pilots have much more stringent training requirements and that's a relevant point to the MAX situation. I hope I didn't come across that I was trying to equate the two in terms of criticality, just trying to point out a couple counter examples to statements about car software not being critical. The details of the Honda case seem even more critical than the GM one.

I was estimating at $100 per fix (since it's just the labor cost of software). At roughly $120 per labor hour multiplied by 1MM vehicles is where I came up with the nine figure mark. At $1k per fix, it would be in the 10 digits. Regardless, it was overshot and I corrected it with the details in a reply (since I couldn't edit the original). It only comes in at 0.5 hours per fix. Not chump change but the decision to fix it may also have been influenced by the Toyota accelerator and GM ignition recalls that got a lot of press.

There was a problem with GM ignition switches. The detent was too short and so it was possible for it to accidentally be switched to off. Bunch of people died as a result. Three problems. Power steering and brakes no longer work. Two the anti-theft device can lock the steering wheel. Third the airbags are disabled. It's a classic systems interaction issue. And is exactly the thing that shows up as the design processes becomes Balkanized.

I remember that one; that was absolutely criminal because they were informed there was a problem, and refused to do a recall because it would cost money. Instead, they quietly changed the ignition switch to fix the design defect, but without changing the part number or informing anyone.

And, as you pointed out, it was a systems interaction problem. Losing power steering at speed isn't great, but it's recoverable (maybe less so if you're weak and you're driving some big stupid SUV, rather than a small economy car), and losing power brakes is also bad but recoverable because you have enough vacuum in the system to do a full stop (but only 1 usually), but tie them together, at speed, and also (worst of all) lock the steering wheel, and you have a recipe for disaster. This is far, far, far worse than losing your power steering assist at parking-lot speeds.

What you bring up in terms of cascading failures is termed the "swiss cheese model"[1]

This is the traditional way to deal with system hazards. What has been talked about is the need for changing the way we think about software failures on safety critical systems, distinct from traditional failure mode approaches.

"The result is that software-related accidents involve a new type of accident, which can be called a component interaction accident: None of the components fail (all satisfy their specified requirements) but the problems arise from dysfunctional interactions among the components."[2]

[1] https://en.wikipedia.org/wiki/Swiss_cheese_model

[2] https://dspace.mit.edu/handle/1721.1/58930

FWIW, the recall is for 0.3 + 0.2 hours of labor so it probably didn’t reach nine figures in cost