[SystemSafety] a discursion stimulated by recent discussions of alleged safety-critical software faults in automobile software

From: Matthew Squair < >
Date: Wed, 13 Nov 2013 10:59:16 +1100

Peter, another problem. Because Toyota don't (reliably) monitor and record software faults they can't show that the software was not involved in any future accident. As there now is evidence that it plausibly could, thanks to Barr/Koopman, they have a significant legal hurdle to overcome in any future defence. Were I the responsible GM, that'd be the barn door I'd be trying to close.

Stephen, as to the spaghetti code, I think an argument that the 'fix' to the problem would require the complete refactoring of the code, so therefore we need to make compromises, so therefore we accept the status quo, is something of a straw man.

Rather than focusing on untangling the spaghetti they could have done all or any of the following:

  1. Moved the fail safe functions out of task X (the 'spaghetti' task).
  2. Given the hardware watchdog actual teeth (a better version was implemented for the Prius).
  3. Fixed the monitor CPU function so that it didn't rely on a driver input and truly failed safe (software logic change only).
  4. Implemented run time stack monitoring (already in the 2005 Corolla's Delphi chipset).

Toyota recognised the problem, to some degree, but, it seems, were sidetracked into untangling the Gordian knot of their legacy code, rather than identifying what could be (and fairly easily) actioned immediately. Did all involved really, truly believe the code could fail and cause an accident? And that they were accountable and responsible?


On Tue, Nov 12, 2013 at 8:49 PM, Peter Bernard Ladkin <ladkin_at_xxxxxx> wrote:

> On 11/12/13 10:25 AM, Parker, Stephen wrote:
> > It's worrying that Toyota would be in a better position by not discussing this internally. That seems a recipe for reducing software quality to me.
>
> First, this is a known problem for many decades, and not just with SW. Ever since the Ford Pinto case in the US in the 1970s, most large companies building safety-critical kit have known that analyses you perform are subject to discovery proceedings and can be (Ford and others argue: mis-)interpreted by courts. Some (Chris Johnson comes to mind) have suggested this has severely restricted the scope and thereby the effectiveness of incident databases in some industries otherwise renowned for their care.
>
> Second, this is hindsight about one feature. A company which never discussed in traceable form (that is, no e-mails, no documents, no minutes of meetings) anything related to the fitness-for-purpose of its safety-critical kit would, in many industries, not be able to put that kit on the market. Even as a practical matter, in the auto industry it's doubtful one would be able so to build a car. How could you possibly build a car, and emphasise its safety features in your adverts, without ever discussing in engineering or management meetings how it might kill people? Even if you wanted to attempt that in the EU, it's illegal! (EC 765/2008).
>
> Third, since safety cases and independent assessments and so on are required in other transportation industries such as rail and air travel, this might argue for imposing such a regime in automobile production and sales. Even a company which systematically destroyed all engineering-related commentary which didn't make it into the safety case is still left with a massive track record of why it thinks its kit is adequately safe, including independent criticism and response. Say there had been such regulation in 2005 in the US, and Barr had been Toyota's assessor of its 2005 code. That kit would never have made it into the car, would it?
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx

*Matthew Squair*

Mob: +61 488770655
Email: MattSquair_at_xxxxxx
Website: www.criticaluncertainties.com <http://criticaluncertainties.com/>
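Items 2 and 4 of Matthew's list, as an added illustration that is not code from this thread, from Toyota or from Delphi: a hardware watchdog that is kicked only when every monitored task has checked in since the last kick (so a hung task leads to a reset instead of being masked by a timer interrupt), and a fill-pattern stack high-water-mark check a fail-safe task can run each cycle. All names, the task count and the downward-growing stack model are assumptions.

```c
/* Added example (hypothetical names; not the thread's or Toyota's code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_TASKS   3u
#define STACK_WORDS 64u
#define STACK_FILL  0xA5A5A5A5u   /* pattern painted onto each task stack */

static volatile uint32_t task_alive_mask;   /* one bit per monitored task */
static unsigned watchdog_kicks;             /* stands in for the hardware kick */

/* Every monitored task calls this at the end of each of its cycles. */
void task_checkin(unsigned task_id) { task_alive_mask |= 1u << task_id; }

/* Called from the periodic supervisor rather than from a bare timer ISR:
 * the hardware watchdog is kicked only if every task has checked in since
 * the last kick, so a hung or dead task lets the watchdog reset the CPU. */
bool watchdog_service(void) {
    const uint32_t all_tasks = (1u << NUM_TASKS) - 1u;
    if ((task_alive_mask & all_tasks) != all_tasks)
        return false;                       /* at least one task stalled */
    task_alive_mask = 0;                    /* tasks must check in again */
    watchdog_kicks++;
    return true;                            /* kick issued */
}

unsigned watchdog_kick_count(void) { return watchdog_kicks; }

/* At init, paint the whole task stack with the fill pattern. */
void stack_paint(uint32_t *stack, size_t words) {
    for (size_t i = 0; i < words; i++) stack[i] = STACK_FILL;
}

/* Model: the stack grows down from stack[words-1] toward stack[0]. Words at
 * the low end still holding the pattern were never used; their count is the
 * remaining headroom, i.e. the complement of the high-water mark. */
size_t stack_headroom(const uint32_t *stack, size_t words) {
    size_t untouched = 0;
    while (untouched < words && stack[untouched] == STACK_FILL) untouched++;
    return untouched;
}

/* Per-cycle runtime check for a fail-safe task: trips (returns false) while
 * `reserve` words still remain, i.e. before the stack actually overflows. */
bool stack_ok(const uint32_t *stack, size_t words, size_t reserve) {
    return stack_headroom(stack, words) >= reserve;
}
```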

_______________________________________________ The System Safety Mailing List systemsafety_at_xxxxxx
Received on Wed Nov 13 2013 - 00:59:26 CET