Of course, it is clear that the driver still has the ultimate responsibility and must be prepared to intervene when the driver assistance systems regulate. In our opinion, however, this cannot apply to (sometimes serious) system malfunctions in which the vehicle takes on a life of its own and initiates completely implausible, unpredictable driving maneuvers.
Adaptive Cruise Control (ACC) is described as follows in the manual in the version dated 23.9.2020
“Predictive cruise control: if the vehicle has traffic sign recognition and an infotainment system with navigation, ACC can adapt the speed predictively to recognized speed limits and the course of the route (equipment-dependent and not available in all countries).”
This means that if, for example, you are driving at 130 km/h on the highway and activate ACC and set this speed using the set function, the control module adopts this driver’s request. In other words: The car drives automatically at exactly this speed and brakes just as automatically – for example, if the distance to a car in front becomes/is too small or bends are too tight for the set speed. Once such a situation is over, the car then automatically accelerates back to the set speed or the new maximum permitted speed. In this example, by leaving the highway at 100 km/h. To illustrate this, this video shows exactly the situation described:
https://www.youtube.com/watch?v=NROEARxUoSQ&t=434s
Already documented software errors
The following examples show that driver assistance systems have faults that go beyond the normal function and the usual apparent but controllable peculiarities that occur in practice.
Example 1
https://www.youtube.com/watch?v=SWdq4LAisOI
A vehicle is on the highway in an 80 km/h zone and has ACC set to a speed of 83 km/h. At the end of the 80 km/h zone, the traffic sign recognition recognizes the unlimited sign. The car then sets a new maximum speed and accelerates. However, it uses the completely implausible value of 180 km/h as the target speed. This is implausible because the target speed for highways is preset by the manufacturer at 130 km/h and cannot be changed by the driver. Furthermore, the maximum possible speed for this vehicle is 160 km/h. This is clearly a software error.
Also noteworthy is the high deflection of the blue bar in the driver display, here again as a picture. This indicates how strongly the car is accelerating. This also indicates that these unpredictable situations with high acceleration can take the driver by surprise.
Example 2
In another case, a driver of the other affected vehicle type documented that the Lane Keeping Assist, Traffic Sign Recognition and Front Assist systems regularly failed at exactly the same point in Nuremberg:
https://youtu.be/4orP1tY66Rw?si=krX63zsQV0dj_vor&t=50s
When the vehicle was read out by the workshop, no entry was made in the fault memory according to the driver and the associated authorized workshop. One reason for this is that faults must first be detected by the system before they are saved. For this purpose, watchdog timer are often used in real-time software programming, which wait for regular signs of life from software modules. If these fail to appear for a certain period of time, the non-responding modules are restarted or the entire affected system is restarted directly.
In addition, Level 2 systems are not necessarily intended to store entries in the fault memory, as they indicate their failure in the vehicle.
In addition, error entries are also deleted again when the function has worked again a certain number of times without errors, this is known as the forgetting counter. See the manufacturer’s manual for the onboard diagnostic system VCDS page 13.
This makes it all the more important that an accident-damaged vehicle is not moved and that there are readout options for these internal functions that are also available to independent experts.
In addition, error entries are also deleted again when the function has worked again a certain number of times without errors, this is known as the forgetting counter. See the manufacturer’s manual for the onboard diagnostic system VCDS page 17.
This makes it all the more important that an accident-damaged vehicle is not moved and that there are readout options for these internal functions that are also available to independent experts.
Incidentally, the workshop suspects an induction loop as the trigger for the failure of the assistance systems documented in the video. Colleagues suspect that a reset can be seen in this video. The display of the failure and, after a certain time, the availability of the system again indicate this.
Example 3
Here, a user in the forum describes how his car briefly failed to accept the driver’s request to accelerate. The driver then went to the workshop and there was no entry in the fault memory.
The extent to which an accident can mask a system failure, in which the fault is only detected after the accident and it is then not clear what caused the accident (a failed sensor) and what is the consequence of the accident (a sensor destroyed by the accident) cannot necessarily be distinguished. This means that the storage of error messages from driver assistance systems has its limits. Therefore, it cannot be ruled out that at the time of the accident, acceleration was not caused by a faulty driver assistance system. The driver’s statement should therefore be given much greater weight.
Is it possible to rely on the accident data and fault memory in such a complex system?
What a vehicle records when the level 2 assistance systems described above perform a reset and whether this influences the recording cannot be ruled out. In any case, a reset always means a brief initialization of all values with default values before real measured values from the sensors are received by the system again. The failures of the assistance systems and what they cause in the vehicle are described in the videos.
It is not known whether this very special situation is part of the system test and is tested in combination with accident recording in the area of crash analysis.