(Photo from “Oklahoma Jury Finds Toyota Liable For Sudden Acceleration Fault; Awards $3M In Damages,” by Arjun Kashyap, 25 Oct 2013)
Back in 2009 this newsletter started to express skepticism about Toyota’s insistence that unintended acceleration in their vehicles — in some cases resulting in fatalities — was due to a floor mat that could cause the accelerator pedal to stick. (Those earlier posts are listed at the bottom of this post.)
The reasons for the skepticism were (a) the number of reported cases was relatively high compared to non-Toyota models, (b) there was at least one case where it was clear that a stuck pedal could not be the cause, and (c) the investigation by the National Highway Traffic Safety Administration (NHTSA) appeared to have some major flaws. Also, DACI’s own experience in investigating several low-probability events has convinced us that customers who report such problems tend to be too easily dismissed, rather than receiving the respectful assumption that they are honest and observant and are reporting the problems carefully; in this case, the sudden acceleration stories related by some Toyota owners were not consistent with the floor mat hypothesis. Finally, it didn’t help Toyota’s credibility when Toyota employees were caught congratulating themselves on how they had slowed and limited the accident investigation.
Despite the above reservations, the official report by the NHTSA was that the root cause was the floor mat. Well, after several years it turns out that a detailed analysis of the electronics, as brought out during a recent trial, has confirmed that it was not just the floor mat. Key trial results are detailed in “Toyota Case: Vehicle Testing Confirms Fatal Flaws,” by Junko Yoshida in the 31 October 2013 EETimes. Here’s an excerpted summary of the problems identified:
• Software bugs that specifically can cause memory corruption
• Unmaintainable code complexity in Toyota’s software
• A multifunction kitchen-sink Task X designed to execute everything from throttle control to cruise control and many of the fail-safes
• That all Task X functions, including fail-safes, are designed to run on the main CPU in the Camry’s electronic control module
• That the brake override that is supposed to save the day when there is an unintended acceleration is also in Task X
• The use of an operating system in which there is no protection against hardware or software faults
• A number of other problems
The deficiencies in the throttle design are shocking, because good rules exist for the design of safety-critical electronics (e.g., Chapter 4, “Safety Analyses,” in The Design Analysis Handbook).
The Toyota case makes one wonder how many other possibly-catastrophic flaws are lurking within the cars we drive, or in other electronics-guided machinery, due to poorly-designed safety-related systems.
Prior Toyota Unintended Acceleration Posts:
• 3 Feb 2010 – Stop Driving Recalled Toyotas
• 21 Feb 2010 – Toyota Joins The Gallery Of Shame
“Boeing’s fix includes more insulation between each of the eight cells in the batteries. The batteries will also be encased in a new steel box designed to contain any fire and vent possible smoke or hazardous gases out of the planes.
“…both the F.A.A. administrator, Michael P. Huerta, and Transportation Secretary Ray LaHood said they were satisfied that the proposed changes would eliminate concerns that the plane’s two lithium-ion batteries could erupt in smoke or fire.”
– “F.A.A. Endorses Boeing Remedy for 787 Battery,” by C. Drew and J. Mouawad, 19 April 2013, New York Times
Conspicuously absent from this pronouncement is a definitive identification of the root cause of the lithium battery fires. Therefore Boeing, the FAA, and the Department of Transportation are all guessing that the stated modifications will fix the problem. I hope they are correct. But if they are, it will be a matter of luck, not engineering diligence. The dissembling of the FAA and the Department of Transportation is clearly evident in their own words: they say that they are “…satisfied that the proposed changes would eliminate concerns that the plane’s two lithium-ion batteries could erupt in smoke or fire.” If they are so satisfied, then why is it necessary to have a steel box to contain a fire? If they are so satisfied, then why did they not provide the evidence supporting their conclusions?
Also, Boeing and these government agencies have touted a few test flights as being of particular significance in proving the safety of the batteries. This is nonsense. The battery fires are low probability events, occurring only once for thousands of hours of operation. This implies that there are subtle variables in the battery construction, chemistry, and/or operation, which when combined worst case will cause the batteries to overheat. This combination may only occur for a small number of manufactured batteries, and fires may occur only when those particular batteries are exposed to a worst case combination of stresses (temperature, charge currents, etc.).
Therefore a handful of test flights, of a few dozen hours or so total, are not nearly sufficient to empirically identify a low-probability event. The identification of such an event would require hundreds or even thousands of test flights, which is obviously not practical. Therefore the only alternative is an investigation that drills down and positively identifies the true underlying failure mechanism (as recommended here: “Flying the Flaming Skies: Should You Trust the Boeing Dreamliner?”). It is my opinion that this has not been done, because if it had, this knowledge would be trumpeted by Boeing.
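To put numbers on the argument above, here is an added worked example (not from the newsletter) that treats the battery fires as a Poisson process. The rate (one event per 5,000 flight hours), the test program size (50 hours) and the flight length (5 hours) are constructed assumptions standing in for the “thousands of hours” and “few dozen hours” in the text.

```python
import math


def prob_observe_at_least_one(hours_flown: float, mean_hours_between_events: float) -> float:
    """Probability that a test program of hours_flown sees at least one event,
    assuming events arrive as a Poisson process with the given mean spacing."""
    return 1.0 - math.exp(-hours_flown / mean_hours_between_events)


def hours_needed(confidence: float, mean_hours_between_events: float) -> float:
    """Flight hours required for the chance of seeing at least one event to
    reach the requested confidence (inverse of the function above)."""
    return -mean_hours_between_events * math.log(1.0 - confidence)


def flights_needed(confidence: float, mean_hours_between_events: float, hours_per_flight: float) -> int:
    """Whole test flights required to reach hours_needed()."""
    return math.ceil(hours_needed(confidence, mean_hours_between_events) / hours_per_flight)


def demonstrated_mtbe_lower_bound(fault_free_hours: float, confidence: float) -> float:
    """The converse question a fix-validation program must answer: after
    fault_free_hours with zero events, what mean-time-between-events has
    actually been demonstrated at the given confidence?  Zero events in T hours
    is consistent with any rate r for which exp(-r*T) >= 1 - confidence, so the
    demonstrated MTBE is only T / -ln(1 - confidence)."""
    return fault_free_hours / -math.log(1.0 - confidence)


if __name__ == "__main__":
    # Constructed assumptions: one fire per 5,000 h, a 50 h test program, 5 h flights.
    MTBE, TEST_HOURS, FLIGHT_HOURS, CONF = 5000.0, 50.0, 5.0, 0.95
    print(f"P(at least one event in {TEST_HOURS:.0f} h) = "
          f"{prob_observe_at_least_one(TEST_HOURS, MTBE):.4f}")
    print(f"Hours for {CONF:.0%} chance of seeing one event: "
          f"{hours_needed(CONF, MTBE):.0f}")
    print(f"That is {flights_needed(CONF, MTBE, FLIGHT_HOURS)} flights of {FLIGHT_HOURS:.0f} h")
    print(f"{TEST_HOURS:.0f} fault-free hours only demonstrate an MTBE of "
          f"{demonstrated_mtbe_lower_bound(TEST_HOURS, CONF):.1f} h at {CONF:.0%}")
```

Under these assumptions a 50-hour program has about a 1% chance of ever seeing the fault, roughly 3,000 flights would be needed for a 95% chance, and 50 fault-free hours demonstrate only that fires are rarer than about one per 17 hours.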
I’m not flying the Boeing Dreamliner until I see the evidence that supports the optimistic conclusions of Boeing, the FAA, and the Department of Transportation.
“Boeing Co. is confident that proposed changes to the 787 Dreamliner will provide a permanent solution to battery problems that grounded its newest jet, a senior executive said Monday.” –Reuters, 11 March 2013
The reported changes include “adding ceramic insulation between the cells of the battery and a stronger stainless steel box with a venting tube to contain a fire and expel fumes from the aircraft.” –Reuters, Alwyn Scott, Tim Hepher and Peter Henderson, 5 Mar 2013
Why is Boeing confident? This is a mystery because, based on available published data, it does not appear that Boeing has positively determined the root cause of the battery fires. Furthermore, as for all safety-critical applications, the certainty of the cause should be determined beyond a reasonable doubt. This stringent requirement would be certified by a panel of independent experts of unquestioned expertise and integrity, who have no financial interest in the outcome of their review.
Without positive identification of the root cause, Boeing may be indulging in a logical fallacy that I have seen employed before, with very bad results. The fallacy is in trying to fix what is assumed to be the problem (e.g. inadequate thermal insulation between battery cells). But what if the assumption is wrong? If so, the “fix” could be ineffective, or even make things worse. For example, improving cell insulation will trap more heat within the cells, raising the cell temperature. If the true root cause is related to higher cell temperature, the added insulation could make cell failure more likely, not less.
There are many other troubling scenarios that can be hypothesized, and the only way to disprove them is to dig in and find the true root cause, beyond a reasonable doubt (including rigorous validation as discussed here: “Flying the Flaming Skies: Should You Trust the Boeing Dreamliner?”).
P.S. A good review of the genesis of the Boeing battery problem can be found here: “NTSB report shows Boeing’s battery analysis fell short,” Dominic Gates, Seattle Times