As a programmer, designing systems that interlock in various ways to protect users from themselves is an everyday requirement. The old-school programmers' mantra of "garbage-in, garbage-out" has given way to a large and welcome extent to "let's keep the bloody garbage out by design". So a great deal of code these days is devoted to validating a user's input, and making use of contextual state information to reject input that is inapplicable (greying out inappropriate menu choices, and so on). Another thing that has changed is the availability of useful mechanisms for dealing with the unexpected - error conditions like "disk full" for example. One such is an exception mechanism, designed not only to detect the error, but to recover the program state sufficiently so that things are left in a working and usable state. Even if for that precise moment the user has an inconvenient problem to deal with, it means at least they don't lose their work, and can continue using the program once the problem has been rectified. Both of these things are the bread-and-butter of modern programming, so a good deal of design effort is expended on ensuring that both interlocks (preventing the user attempting something stupid) and the handling of all sorts of potential error conditions are given extensive thought and testing. I can only hope that one day designers in the automobile industry are able to think through some of their decisions in a similar vein, because occasionally some crazy bits of design come to my attention and the consequences they could lead to are potentially far more serious than the loss of one's letter to Mum.

SAAB have a tradition of mounting the ignition key-switch between the front seats, just aft of the auto selector. I have no idea what the original advantage of this arrangement was, or indeed if it had one - it might just have been a point of difference that SAAB settled on back in the 1960s and has remained a SAAB signature feature ever since, untouched by common sense. So here's my first actual user-interface gripe about the car - every other car these days pretty much has the standard steering-column mounted ignition switch. So the damn key is never in the expected place when you get into the SAAB. I've no doubt one gets used to it if you're a regular SAAB driver, but then probably fumble about whenever driving any other model of car. So this inconsistency in the placement of the user interface element is, at this point, merely a nuisance.
The ignition key is strongly interlocked with the gearbox selector lever and the engine management system. Unless the selector is in "Park" you cannot insert or remove the key. OK, that seems reasonable: it means you can't start the car in gear and have it accidentally take off. The starter motor will only engage if the key is turned all the way from the 'off' position to the 'start' position in one movement. If you first switch 'on' to operate something, a timer is started that allows you to start the car only within a few seconds - exceed this and the 'start' position does nothing. Again, apparently a good safety feature to stop the car being accidentally started even if the key has been left in the ignition - I'm sure there have been cases of kids starting a car when Dad popped out for a second leaving the keys in. This system also kicks in when switching the engine off; to reset the start timer, the key not only has to be returned all the way to 'OFF', it has to be physically removed and reinserted (which requires the selector to be in Park) before the engine can be restarted. Brilliant - there is absolutely no way you can start this car unless you really, really mean to. Nothing wrong with that is there? Well, yes there is. And it comes in the form of having no anticipated solution to the "error condition" of an engine stall. When do engines stall? Typically when they are put under a sudden load. When's that? When pulling out of a junction or moving off from some other brief stop. With an automatic transmission, suddenly overloading the engine to the point of stalling is normally impossible, but like I said, it's an unexpected error condition. It can be caused in other ways. Recently (and the reason I discovered how dangerous this ignition key interlock really is) we had a batch of very poor quality fuel that was contaminated with water, which led to a spate of stalling incidents whenever the engine throttle was closed, as on arriving at a junction. 
Mostly the engine would stop while coasting up to the junction, but sometimes the engine would continue to tick over until the accelerator was pressed to exit the junction - splutter, stall. At which point the car had moved forward half out across the road being entered, often as not with traffic rapidly closing in on one - and expecting us to moveoudafrickinwaay!!
At times like that, the most important thing is to eliminate the danger, and the best way to do that would be to restart the engine as quickly as possible and complete the manoeuvre. But in the SAAB, you cannot do this. In the heat of the moment, the first problem is (for me anyway), I can't find the frickin' key - it's not on the steering column where every other car I've ever known has it - so valuable seconds are lost remembering its unusual location. Then just restarting doesn't do any such thing - the start position is locked out, but even worse - to re-enable it, I have to remove the key altogether by first putting the car in Park, turning the key, removing it right out of the lock (just lifting it part way out isn't enough to reset the mechanical interlock). By which time, the B-Double truck you pulled out in front of with plenty of assumed time to spare is now having a great deal of trouble managing to stop its 40+ tonne bulk before it slams into you (and the 140dB air horns that are expressing its driver's sheer panic are not helping to reduce yours). In other words, the "safety" features that the designers of this lock system put together are now conspiring to kill you. It's crazy. Needless to say after the second or third stalling incident, you simply do not attempt to pull out of junctions until you're damn sure that engine will keep going. But even in less threatening situations, it's a bloody nuisance at best - inconveniencing other road users and creating potential accident situations, even if it were only for someone to run into the back of you. As an experiment, I timed how long it takes to restart the engine on my ultra-basic Holden 'ute (manual), and the SAAB. To make it realistic for the stalling situation, I did both while moving at a slow speed - 10 km/h. This makes a difference because in the SAAB, you have to bring the vehicle to a stop to put it in Park. 
The Holden required much less than a second to restart - I couldn't reliably time it because I merely turned the key forward while still rolling. I'd say easily under 0.5s. In the SAAB, under simulated 'panic' (including a bit of fumbling for the key, then reacting to each new safety obstacle as it was encountered) about 15 seconds. Even anticipating each step, as one would after the second or third such stall once one is wise to it, it would take 5 to 7 seconds. This doesn't sound much but it's very slow when you consider that in 10 seconds a truck at 100km/h covers a distance of 277m - over a quarter of a kilometre. That's easily a distance you'd be prepared to allow when pulling into traffic.
The point here is that the designers of the lock system apparently didn't think about unexpected error conditions, thus rendering their safety system a positive contribution to danger. In computer software, such oversights happen also, but lives are rarely threatened. But this is in a car for crissake! At the very least, the 'start' interlock should be disabled for the case of an unexpected stall, since the fastest possible restart is the fastest way out of danger. Maybe this has been addressed on the much newer models, though in some ways I doubt it because stalling is probably considered a low probability event. However, so is a "disk full" situation and most programmers worth their salt will code for that. Another irony to the whole stalling problem is that the stall itself is caused by another "safety" system kicking in. Normally, some water in the fuel will not cause anything worse than a bit of rough running. However, on the SAAB (and in most modern fuel-injected cars), the fuel system is operated at a high pressure so that the injectors can efficiently atomise the fuel. But in the event of a breach of the fuel system (in an accident say) the high-pressure fuel pump could push a great deal of fuel out in short order, increasing the fire hazard. So the system includes a pressure sensor that detects the slightest drop in fuel pressure, and immediately shuts off the fuel. You guessed it - a little water in the system also triggers this, so the engine instantly shuts off at the first hint of a problem - there's no rough running - it's either perfect or dead. So given this, the "low probability of stalling" is actually a lot higher than might be assumed.
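As an added example (not SAAB's logic, nor any code from this post), here is a small Python model of the interlock as described above: the key only goes in or out in Park, the start window opens when the key is turned from OFF to ON, and turning OFF locks START out until the key is removed and reinserted. It runs the stall case from the timing experiment, once with that behaviour and once with the fix argued for above (a stall re-arms START), and counts the driver actions each needs. The timer length, per-action times and state names are all assumptions made for the illustration.

```python
"""Toy model of the ignition interlock described in this post, plus the
alternative the post argues for (an unexpected stall re-arms START).
Added illustration for this page only; not SAAB's logic, code or timings.
The start-window length, per-action times and state names are assumptions."""

from dataclasses import dataclass
from typing import Optional

START_WINDOW_S = 5.0   # assumed: START honoured this long after OFF -> ON
STEP_COST_S = {        # assumed seconds per driver action under stress
    "turn": 0.5, "stop": 2.0, "select": 1.0, "remove_key": 1.0, "insert_key": 1.0,
}


class InterlockError(Exception):
    """An action the interlock refuses."""


@dataclass
class Ignition:
    stall_rearms_start: bool = False   # False models the behaviour in the post
    selector: str = "P"
    key_in: bool = False
    key_pos: str = "OFF"               # START is momentary and springs back to ON
    armed: bool = False                # True only after a fresh key insertion
    armed_at: Optional[float] = None   # clock reading at the OFF -> ON transition
    engine_on: bool = False
    speed_kmh: float = 0.0
    clock: float = 0.0

    def insert_key(self):
        if self.selector != "P":
            raise InterlockError("key only goes in with the selector in Park")
        self.key_in, self.armed, self.armed_at = True, True, None

    def remove_key(self):
        if self.selector != "P" or self.key_pos != "OFF":
            raise InterlockError("key only comes out in Park with the key at OFF")
        self.key_in, self.armed = False, False

    def select(self, gear):
        if gear == "P" and self.speed_kmh > 0:
            raise InterlockError("car must be stationary to select Park")
        self.selector = gear

    def stop(self):
        self.speed_kmh = 0.0

    def stall(self):
        """Engine dies with the key still at ON: the post's unexpected error condition."""
        self.engine_on = False
        if self.stall_rearms_start:    # proposed fix: a stall opens a fresh start window
            self.armed, self.armed_at = True, self.clock

    def turn(self, pos):
        if not self.key_in:
            raise InterlockError("no key in the lock")
        if pos == "ON":
            if self.key_pos == "OFF":
                self.armed_at = self.clock     # the start timer begins here
            self.key_pos = "ON"
        elif pos == "OFF":                     # re-arming now needs a reinsert
            self.engine_on, self.armed, self.key_pos = False, False, "OFF"
        elif pos == "START":
            if self.armed_at is None:          # one movement OFF -> START
                self.armed_at = self.clock
            if not self.armed or self.clock - self.armed_at > START_WINDOW_S:
                raise InterlockError("START locked out; remove and reinsert the key")
            self.engine_on, self.key_pos = True, "ON"
        else:
            raise ValueError(pos)


def drive_and_stall(ign, seconds_driven=60.0, speed_kmh=10.0):
    """Normal start, drive for a while, then stall while rolling (constructed scenario)."""
    ign.insert_key()
    ign.turn("ON")
    ign.turn("START")
    ign.select("D")
    ign.speed_kmh = speed_kmh
    ign.clock += seconds_driven
    ign.stall()


def recover(ign):
    """Driver's restart procedure after a stall: try START, else the full reinsert
    sequence from the post. Returns (actions taken, assumed seconds spent)."""
    steps, total = [], 0.0

    def act(name, fn, *args):
        nonlocal total
        total += STEP_COST_S[name.split()[0]]
        ign.clock += STEP_COST_S[name.split()[0]]
        try:
            fn(*args)
            steps.append(name)
            return True
        except InterlockError as err:
            steps.append(f"{name} ({err})")
            return False

    if act("turn START", ign.turn, "START"):
        return steps, round(total, 1)
    for name, fn, args in [("stop", ign.stop, ()), ("select P", ign.select, ("P",)),
                           ("turn OFF", ign.turn, ("OFF",)), ("remove_key", ign.remove_key, ()),
                           ("insert_key", ign.insert_key, ()), ("turn START", ign.turn, ("START",))]:
        act(name, fn, *args)
    return steps, round(total, 1)


def closing_distance_m(speed_kmh, seconds):
    """Distance an approaching vehicle covers while the driver is still restarting."""
    return speed_kmh * 1000.0 / 3600.0 * seconds


if __name__ == "__main__":
    for fixed in (False, True):
        car = Ignition(stall_rearms_start=fixed)
        drive_and_stall(car)
        steps, secs = recover(car)
        print(f"stall re-arms START={fixed}: {len(steps)} actions, {secs}s, "
              f"truck at 100 km/h closes {closing_distance_m(100, secs):.0f} m")
        for step in steps:
            print("   ", step)
```

The model makes the post's point mechanically: with the described interlock the only path back to a running engine passes through Park, OFF and a physical key removal, so the restart cost is fixed by the interlock rather than by the driver's reaction time; with the stall-aware variant the first START attempt succeeds.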
So, while my irritation here is aimed at the designers of this "safety system", I strongly suspect that the situation has also been created to a large extent by safety legislation requiring such interlocks in the first place. No doubt these arose in the USA, because that's where most crazy legislation that isn't fully baked does originate, and this model of car had a strong export market in the USA. I grew up with cars that stalled commonly and had no such safety features - indeed, I can remember on one occasion stalling in a dangerous location and immediately being able to turn the key to the start position - the engine didn't start but the starter motor itself hauled the car out of danger! Try that in a modern car - you can't. For the most part, cars have got a lot better than they used to be, and I don't really have a complaint about being prevented from starting a car in gear - idiots do try that all the time. But there are special, exceptional circumstances, and like software, they must be acknowledged and "coded" for.
© 2006-2008 Graham Cox