[SystemSafety] Toyota Unintended acceleration summary and links

From: Even-André Karlsson < >
Date: Mon, 16 Dec 2013 10:47:31 +0000


Hello,

We have gone through the history of the Toyota

unintended acceleration case, and tried to summarize it

below with links.

We have also tried to speculate on the consequences of

this case.

The Toyota Unintended Acceleration – finally "proven" due to faulty software A short summary and analysis by Even-André Karlsson, Öjvind Halonen and Nicolás Martín-Vivaldi, Addalot.

Background
Toyota introduced an electronic throttle control system (ETCS) in the 2002 model Camry. For details about the ETCS and how that works, see NASA report<http://www.nhtsa.gov/UA>, Wikpedia<http://en.wikipedia.org/wiki/Electronic_throttle_control> or video<http://www.youtube.com/watch?v=6bvH9Sv7GkQ>. Note that even if this summary focuses on the Toyota case, this is problem<http://suddenacceleration.com/> that have affected and can affect many other car manufacturers, e.g. Ford<http://suddenacceleration.com/?p=669>.

Initial incidents
Immediately after the introduction of the new Camry both Toyota and customers started to experience unintended acceleration problems, i.e. the car was speeding even if the gas pedal was not pressed, and the car did not react to the driver activation of breaks. Many of these incidents resulted in deaths and lawsuits. For details see SRS overview<http://www.safetyresearch.net/toyota-sudden-unintended-acceleration/toyota-sudden-acceleration-timeline/> or Loyola consumer law review<http://lawecommons.luc.edu/cgi/viewcontent.cgi?article=1055&context=lclr>. The NHTSA (National Highway Traffic Safety Administration) were also criticized<http://www.latimes.com/news/local/la-fi-toyota-recall8-2009nov08,0,6120294.story#axzz2lGp7LRAp> for bad handling of these accidents.

Toyota response
Toyota claimed that this was a mechanical or driver problem. They also recalled several models to fix for instance the mat or other possible mechanical problems. They denied that it could be an electronic/software problem, e.g. “Toyota denies a defect exists, claims there is no trend, and that its electronic control system cannot fail in ways its engineers have not already perceived.” (from SRS overview<http://www.safetyresearch.net/toyota-sudden-unintended-acceleration/toyota-sudden-acceleration-timeline/>). Here is a late (2012) total denial of any ETCS problems from Toyota<http://www.huffingtonpost.com/mike-michels/tin-whiskers-and-other-di_b_1231080.html>. There are also quite recent cases where Toyota was found innocent<http://www.huffingtonpost.com/2013/10/11/toyota-cleared-in-death_n_4084958.html>.

NASA investigation
NHTSA commission the NASA Engineering and Safety Center (NESC) to investigate Toyota’s ETCS system in 2010, and after 10 months NASA presented their report<http://www.nhtsa.gov/UA>, where they could not find any defects in the Toyota software that could lead to the failures. Toyota took this as evidence that it was a mechanical problem, and their reaction was correct.

Koopman and Barr investigation (2012)
As part of a lawsuit related to car value loss<http://www.nytimes.com/2012/12/27/business/toyota-settles-lawsuit-over-accelerator-recalls-impact.html?_r=1&>, Koopman and Barr investigated deeper into the Toyota software and process. These reports were not public during this trial, but the trial resulted in Toyota agreeing to pay more than 1 billion US$ in compensation to Toyota owners.

Bookout v Toyota Motor Corp. (2013)
During the trial for this accident that resulted in one death and one serious injury, the Koopman and Barr reports were made public, and they showed that the Toyota software and process were sub-standard and could very well have created the problem, either just software by itself, or through a normal hardware failure, e.g. a bit flip in memory. For a good overview see SRS analysis<http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/>. , or even Barr’s testimonial<http://www.safetyresearch.net/Library/Bookout_v_Toyota_Barr_REDACTED.pdf> and slides<http://www.safetyresearch.net/Library/BarrSlides_FINAL_SCRUBBED.pdf>. Toyota hastily settled the case before the jury could determine punitive damages. The difference of this verdict compared to the previous ones is well explained in EE times<http://www.eetimes.com/document.asp?doc_id=1319903>.

Toyota settlement negotiation for death and injury cases (2013) Quite recently Toyota has started negotiating a settlement for the death and injury cases<http://www.nytimes.com/2013/12/14/business/toyota-seeks-settlement-for-lawsuits.html?_r=0>, as they probably see that the chance of being convicted for a software error based on the Bookout v Toyota case is very high.

Analysis and consequences
It is very strange that Toyota refused to consider the possibility that the accidents were caused by software seriously earlier. The type of accidents reported clearly point to a “non-reproducible” software error, e.g. software errors that only occur under very special/random situations or due to hardware problems. The amount of money spent on “fixing” non-existent mechanical problems must have been very large, showing that they took the problem seriously. Probably this is caused by a lack of understanding of software by management, lawyers and others that dealt with this. On the other hand Toyota could have known this for a long time, and it is a purely economic decision, as replacing the electronics could cost more than $100 per car<http://priuschat.com/threads/la-times-sunday-pg-1-for-toyota-the-crucial-question-is-the-electronics.76340/>. There is evidence that the problem<http://www.huffingtonpost.com/2012/01/27/toyota-sudden-acceleration-internal-email_n_1232279.html> was more widely known within Toyota. The questions is also if not Toyota will have to replace the faulty ETCS anyhow – I would not like to drive around in a car where I know that the ETCS can cause unintended acceleration. Even if all the problems revealed by Koopman and Barr were not obvious, i.e. they were not detected by NASA, they could most probably have been found by an internal software investigation at Toyota already in 2004-2005. In particular process and coding standard problems are relatively simple to detect. There are companies that have a “Software crash commission” team that analyze serious crashes. Also the NHTSA handling of these problems is very questionable, even if there early were many similar cases, they were not analyzed systematically, as was pointed out by LA times in 2009<http://www.latimes.com/news/local/la-fi-toyota-recall8-2009nov08,0,6120294.story#axzz2lGp7LRAp>. The lack of software understanding by the NHTSA is strange. It took them 8 years before they initiated the first investigation of the software by NASA. But this is consistent with the handling of the earlier Ford case<http://suddenacceleration.com/?p=669>. What can be the future consequences of this:

  1. Car manufacturers will have to disclose the software (source code with all connected documents) and development process evidence in trials to a larger extent, especially when it is not possible to clearly prove a mechanical failure (see statement<http://www.eetimes.com/document.asp?doc_id=1319985> by Carl Tobias, Law professor). The possibility for the car manufacturers to claim “driver error” will be largely reduced, in particular when several similar cases appear, e.g. the Honda breaking<http://www.safetyresearch.net/2013/10/31/hondas-revenge-against-the-pilot-owner-who-sparked-a-recall/>.
  2. The demand for software safety engineering experts like Barr and Koopman will explode, in particular in the US due to their legal system and size of damage payments. This type of software investigation requires substantial effort by real experts.
  3. Car manufacturers will be much more careful with the software that they put into their cars, ensuring that they follow best practices, as the cost of having sub-standard software in case of accidents is uncontrollable.
  4. The need for experienced software safety engineers and education will increase.
  5. There might be regulations of the car industry similar to the medical equipment (FDA) or aviation industry (FAA), and NHTSA will increase their software staff. NHTSA will need to take these types of accidents seriously. Their handling<http://www.latimes.com/news/local/la-fi-toyota-recall8-2009nov08,0,6120294.story#axzz2lGp7LRAp> of this case has been questionable.
  6. There will be stronger “black box” requirements on cars as there are on airplanes. Note however that the Toyota black box could malfunction during this incident, thus reporting no breaking (found in the Koopman and Barr investigation).

Even-André Karlsson
Consultant
Addalot Consulting AB
Gråbrödersgatan 8, SE-211 21 Malmö, SWEDEN Mobile: +46 706 800 533
www.addalot.se<http://www.addalot.se/>



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Dec 16 2013 - 11:52:35 CET

This archive was generated by hypermail 2.3.0 : Thu Apr 25 2019 - 10:17:06 CEST