Skip to main content

VW behaving badly.

I now cover this issue in more detail in my podcast!

The EPA (The US government's Environmental Protection Agency) recently issued Notice of Violations regarding the emissions from Volkswagen cars. Volkswagen is actually a group of brands, therefore the Notice affects other cars such as Audi, Porsche and Skoda.

A lot of the focus has been on what was going on in Volkswagen, for example who knew what was being done? Did the VW testers know? Did they pass the details on etc.

What interests me is the wider issue of how this could have been possible for so long?  (Since 2009)  If so many cars were affected and for so long, why didn’t we hear about this sooner? Why isn’t there a team of people assigned to finding this stuff out... Oh wait, there is...

In the UK these emissions tests are governed by the Vehicle Certification Agency, answering to the Department of Transport.

One might expect the manufacturer to be less inclined to investigate the cars emissions, after-all testing costs money (less profit). I might also expect them to exploit the test rules and tolerances as best they could. This behaviour, while not ethical, is explainable given their motivations and incentives.

I'm even understanding of the mistaken belief that they can 'prove' their cars are compliant. This is highlighted in this quote from Vauxhall/Opel/GM when the BBC asked about possible irregularities in their vehicle NOx emissions:

"We have in-house testing that proves that the Zafira 1.6 meets all the legal emission limits."

A curious statement, Given that the systems concerned are software controlled, and as Dijkstra put it: "Testing shows the presence, not the absence of bugs".

An independent tax-funded regulatory body is in theory acting in our interests, the vehicle buyers and breathers of the emissions. So why did they not discover the issue? A closer look at the 'tests' themselves gives some clues. Here are a few points worth noting:

1) The test is carried out in a controlled temperature of 20-30 degrees centigrade. At first this might seem OK to non testers. But if you look-up the average temperatures, in the hottest month, of a few European locations:

 Bonn       August  18°C (64°F)
 London     July    19°C (66°F)
 Lisbon     July    24°C (74°F)
 Paris      July    20°C (68°F)
 Brussels   July    18°C (64°F)
 Rome       July    26°C (78°F)
 Vienna     July    19°C (66°F)
 Stockholm  July    18°C (64°F)


You begin to see that this rule is suspect. E.g.: In Paris, in the hottest month, approximately half the time will you meet this criteria in real life.

2) The relevant UK/EU test dates back to 1996. Some parts of the test date back 40 years.  Odd, given that the Engine Control Units, usually responsible for managing emissions behaviour, were introduced in the 1980s & 90s (<40years ago).

3) The procedure is highly predictable and repeatable - it always took 20mins 20secs to complete.

4) The rules require the 'driver' to stay within 2km/h (1.2mph) of an 'ideal' speed throughout the test.


In summary, old, highly scripted and rigidly enforced checks were performed in an unrealistic environment. The emissions-test isn't really testing at all. The procedure is a successful attempt to provide a repeatable scripted acceptance-test of a systems behaviour.

A systems behaviour was developed so when the car was driven in a defined manner, all the checks passed. The car can pass the test, but this provides no indication as to whether this is normal behaviour, or what might occur in any number of other realistic situations.

On a BBC Panorama programme, A former Automotive Type Approval Engineer talking about how cars have been only passing the emissions tests in the most unrealistic of conditions, is quoted as saying:
"...Testing the wrong things, in the wrong way, for quite a while"

This wasn’t testing, But it was done in the name of testing. Sound familiar?

Comments

  1. The best used car sites offer a user-friendly interface that provides shoppers with comprehensive details about the car they’re looking at, like high-resolution photos showing the interior and the exterior. atlanticvw.com

    ReplyDelete

Post a Comment

Popular posts from this blog

Betting in Testing

“I’ve completed my testing of this feature, and I think it's ready to ship” “Are you willing to bet on that?” No, Don't worry, I’m not going to list various ways you could test the feature better or things you might have forgotten. Instead, I recommend you to ask yourself that question next time you believe you are finished.  Why? It might cause you to analyse your belief more critically. We arrive at a decision usually by means of a mixture of emotion, convention and reason. Considering the question of whether the feature and the app are good enough as a bet is likely to make you use a more evidence-based approach. Testing is gambling with your time to find information about the app. Why do I think I am done here? Would I bet money/reputation on it? I have a checklist stuck to one of my screens, that I read and contemplate when I get to this point. When you have considered the options, you may decide to check some more things or ship the app

XSS and Open Redirect on Telegraph.co.uk Authentication pages

I recently found a couple of security issues with the Telegraph.co.uk website. The site contained an Open redirect as well as an XSS vulnerability. These issues were in the authentication section of the website, https://auth.telegraph.co.uk/ . The flaws could provide an easy means to phish customer details and passwords from unsuspecting users. I informed the telegraph's technical management, as part of a responsible disclosure process. The telegraph management forwarded the issue report and thanked me the same day. (12th May 2014) The fix went live between the 11th and 14th of July, 2 months after the issue was reported. The details: The code served via auth.telegraph.co.uk appeared to have 2 vulnerabilities, an open redirect and a reflected Cross Site Scripting (XSS) vulnerability. Both types of vulnerabilty are in the OWASP Top 10 and can be used to manipulate and phish users of a website. As well has potentially hijack a user's session. Compromised URLs, that exp

DevOps and Software Testing.

Most of my recent work has been with DevOps teams. While in one sense DevOps is another evolution in software development. It also introduces some new skill requirements and responsibilities into the daily routine of a tester. These diagrams tend to confuse people, hence the video... I've created a short video to highlight some of these changes and the opportunities they bring. It's not an exhaustive view of DevOps but it gives a highlight of what you could be working with. While DevOps isn't a panacea to our software development problems, I have found that empowering teams with the ability to build and use the tools they need, can rapidly improve team morale and productivity.