Re: [SystemSafety] More on Bookout-Schwarz/Toyota

From: Peter Bernard Ladkin
Date: Mon, 11 Nov 2013 13:14:41 +0100


I'll just answer your questions straight.

On 11/11/13 11:05 AM, Andrew Rae wrote:
> 1) The reports of unintended acceleration follow the pattern of socially-propagated concerns,

I think "follow" is wrong. The event happened in 2007. According to (for what Wikipedia info is worth) there were two isolated reports in Toyota Camrys before that, one which was explained mechanically ("tin whisker") and one it seems unexplained.

The mass of Toyota UA reports I think was around 2009 and following. This event was before that.

> making
> it possible, maybe probable, that
> there were no underlying unintended acceleration events caused by software faults

Unlike Bishop Berkeley, I don't see any plausible relation between any social or psychological phenomena and the likelihood of UAs being caused by SW faults.

> 2) None of the car models concerned had an independent recording device allowing _other_ causes of
> the unintended acceleration to be confirmed.

I think they had the devices, indeed I think this car had a recorder. It's that the recorder was written by the same task that it was proposed had hung, Task X.

Besides, Toyota (Dr. Ishii, if I remember the name right) determined that the event recorder did not always record adverse events that were known with certainty to have occurred (through bench testing).

> 3) The NASA report found problems with the software, but none that they thought were likely to be a
> cause of unintended acceleration under the circumstances of
> the set of accidents they looked at.

NASA didn't commit to likelihood, as far as I know. They said that they couldn't rule out SW misbehavior as a cause of the UA event. They seem to have been well aware that not inspecting the source code significantly limits what one can conclude.

> 4) The Bookout trial evidence was heavily critical of the software, and found plausible ways that
> unintended acceleration could be caused by the software, but nothing directly linking these
> possibilities to the Bookout events.

That seems to be right, depending on what one takes as a "direct link".

Only the general sequence of events in the Bookout incident was determined, as far as I know; no one reconstructed the sequence in detail. For example, there were significant skid marks from the car some way before the collision point, and the court could not determine whence they were caused. Plaintiff said they came from an attempt to use the parking brake; defendant couldn't show that that was not the case, neither was an alternative shown to be plausible.

As far as I can tell from my currently-limited knowledge, the Barr scenario is consistent with the Bookout events. Being "consistent with" is obviously not "caused". But it does seem to me from what I have read so far that a Barr-type scenario is intuitively plausible as a possible cause of the Bookout events, and I'm not sure one can do any better than that here in determining cause, given the unknowns. But I am open to being corrected.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Nov 11 2013 - 13:14:53 CET
