Re: [SystemSafety] Automobile Safety-Critical Kit (Bookout v. Toyota Motor transcript)

From: Heath Raftery < >
Date: Mon, 04 Nov 2013 09:14:59 +1100

Responses grouped below, since a couple of people have asked the same questions:

On 3/11/2013 10:51 PM, Peter Bernard Ladkin wrote:
> The comment on the Beasley Allen WWW site makes much of the skid marks.

Yeah, that's very confusing data. They made a mess of discussing it in the transcript too - silly claims about the hand (park/emergency) brake vs the foot (service) brake. It seems to me that some clear conclusions about speed and brake usage should be determined from that evidence, but I didn't see that spelled out anywhere.

> Can you cite the document which says that the crash recorder records accelerator-pedal depression
> and no brak-pedal depression?

Only that I copied it from the Slashdot discussion on the topic. Again, it's frustrating that conclusions from the crash recorder data are not spelled out somewhere (that I could find).

> What could the cross-examiner have done? Barr has apparently established defects in the code, and
> the only counter would be that *those* defects were not active during the accident in question.

Unfortunately the transcript appears to have been pulled so I can't give you specifics. But the examiner gets stuck in these useless loops trying to get Barr to admit, as you say, negatives. Barr does exactly what he should and says his work doesn't (and couldn't) answer those questions. The examiner keeps pushing these ridiculous dead-ends and Barr just keeps responding "I don't know", "I didn't say that", "that's impossible to determine". It reminded me of some court parody!

What the cross-examiner could have done was ask questions that could have been answered - does the crash recorder data line up with your demonstrated failure sequence? What stops someone using the brake to stop the car, even if UA were to occur? Was cruise control even enabled at the time of the crash?

> Barr used fault-injection techniques, which is an obvious choice if the kit isn't using EDAC, and he
> found faults which allow UA. Ipso facto, they exist. How on earth are you going to establish that
> they didn't manifest in the specific accident under review? I imagine the manufacturer was well
> aware of what was going on, and had no suitable way of responding.

By suggesting that leaving a freeway is a strange time to enable cruise control. By going through the crash recorder and crash site data to show whether the car behaved contrary to its inputs. By finding another cause for the accident and evoking Occam's razor. No, there's no definitive way, but that's what courts are for - establishing beyond reasonable doubt.

> I agree with Martyn that effective software-quality enhancement practices need not cost more.

I was so pleased to hear that that I forwarded Martyn's comments straight to my boss!


The System Safety Mailing List
systemsafety_at_xxxxxx Received on Sun Nov 03 2013 - 23:15:15 CET

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST