Re: [SystemSafety] More on Bookout-Schwarz/Toyota

From: Mike Ellims < >
Date: Mon, 11 Nov 2013 12:07:56 -0000


Nancy wrote:  

> For one thing, as I understand it, NASA was not allowed to look at the
> detailed code. The NASA results are meaningless.

The latest version of "National Highway Traffic Safety Administration Toyota Unintended Acceleration Investigation - Appendix A" - with updated redactions. I wonder why? Quite a lot of the document is blacked out.

The document states that: "NASA engineers performed the study on Toyota premises within an access controlled area." <snip> "Access to the Toyota source code was made possible through the workstations."  

The document goes on to list three tool sets used for static code analysis i.e. Coverity, CodeSonar and Uno, and use of SPIN for model checking on select parts of the code.  

The main page of the DOT web site states "In conducting their report, NASA engineers evaluated the electronic circuitry in Toyota vehicles and analyzed more than 280,000 lines of software code for any potential flaws that could initiate an unintended acceleration incident."  

Thus it would appear that NASA did have access to the source code, it being America one assumes under the supervision of an armed guard ;-)  

Andrew Rae wrote:

> The reports of unintended acceleration follow the pattern of
> socially-propagated concerns, making it possible, maybe probable, that
> there were no underlying unintended acceleration events caused by
> software faults.

The following paper (Cars Gone Wild: The Major Contributor to Unintended Acceleration in Automobiles is Pedal Error) is an interesting study on the prevalence of throttle misapplication:
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3153815/  

Cheers.    

From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx] Nancy Leveson
Sent: 11 November 2013 10:11
To: Andrew Rae
Cc: systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] More on Bookout-Schwarz/Toyota

Is this a fair summary?  

For one thing, as I understand it, NASA was not allowed to look at the detailed code. The NASA results are meaningless.  

Nancy  

On Mon, Nov 11, 2013 at 5:05 AM, Andrew Rae <andrew.rae_at_xxxxxx

Peter,
Thanks for finding and sharing these. Can I ask for an opinion from you and others who have followed this, on the likely situation.

My understanding (as someone with no inside information, just following press and academic opinion):

1) The reports of unintended acceleration follow the pattern of socially-propagated concerns, making it possible, maybe probable, that there were no underlying unintended acceleration events caused by software faults.

2) None of the car models concerned had an independent recording device allowing _other_ causes of the unintended acceleration to be confirmed.

3) The NASA report found problems with the software, but none that they thought were likely to be a cause of unintended acceleration under the circumstances of the set of accidents they looked at.

4) The Bookout trial evidence was heavily critical of the software, and found plausible ways that unintended acceleration could be caused by the software, but nothing directly linking these possibilities to the Bookout events.

Is this a fair summary?

My system safety podcast: http://disastercast.co.uk
My phone number: +44 (0) 7783 446 814
University of York disclaimer: http://www.york.ac.uk/docs/disclaimer/email.htm

On 9 November 2013 18:53, Peter Bernard Ladkin <ladkin_at_xxxxxx wrote:

This analysis goes deeper than what I've seen to date. It links parts of Phil Koopman's testimony (Phil tells me he is not the source) and *Barr's slides*, which like his testimony, are an object lesson in presentation.  

http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/

PBL Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited  



The System Safety Mailing List
systemsafety_at_xxxxxx  

-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson_at_xxxxxx
URL: http://sunnyday.mit.edu
Received on Mon Nov 11 2013 - 13:08:14 CET