Toyota Unintended Acceleration: It Wasn’t Just the Floor Mats

(Photo from “Oklahoma Jury Finds Toyota Liable For Sudden Acceleration Fault; Awards $3M In Damages,” by Arjun Kashyap, 25 Oct 2013)

Back in 2009 this newsletter started to express skepticism about Toyota’s insistence that unintended acceleration in its vehicles, in some cases resulting in fatalities, was caused by a floor mat that could make the accelerator pedal stick. (Those earlier posts are listed at the bottom of this post.)

The reasons for the skepticism were (a) the number of reported cases was high relative to non-Toyota models, (b) there was at least one case in which a stuck pedal clearly could not have been the cause, (c) the investigation by the National Highway Traffic Safety Administration (NHTSA) appeared to have some major flaws, and (d) the sudden-acceleration accounts given by some Toyota owners were not consistent with the floor-mat hypothesis. On that last point, DACI’s own experience investigating several low-probability events has convinced us that customers who report such problems tend to be dismissed too easily, rather than being given the respectful assumption that they are honest and observant and are reporting the problems carefully. Finally, it did not help Toyota’s credibility when Toyota employees were caught congratulating themselves on how they had slowed and limited the accident investigation.

Despite the above reservations, the official NHTSA finding was that the root cause was the floor mat. Several years later, a detailed analysis of the electronics, brought out during a recent trial, has confirmed that it was not just the floor mat. Key trial results are detailed in “Toyota Case: Vehicle Testing Confirms Fatal Flaws,” by Junko Yoshida in the 31 October 2013 EETimes. Here is an excerpted summary of the problems identified:

•  Software bugs that can cause memory corruption

•  Unmaintainable code complexity in Toyota’s software

•  A multifunction kitchen-sink Task X designed to execute everything from throttle control to cruise control and many of the fail-safes

•  That all Task X functions, including fail-safes, are designed to run on the main CPU in the Camry’s electronic control module

•  That the brake override that is supposed to save the day when there is an unintended acceleration is also in Task X

•  The use of an operating system in which there is no protection against hardware or software faults

•  A number of other problems
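To make the architectural point in the list concrete, here is an added example, constructed for this post and not Toyota’s code: the RAM layout, the names, the flag encodings and the oversized sample frame are all assumptions. It models what the Task X findings describe: a throttle routine and the brake-override fail-safe flag living in one task with no memory protection. A bounds defect in the throttle code overruns its buffer onto the flag, and the override is silently lost, so pressing the brake no longer cuts the throttle. The hardened variant stores the flag together with its bitwise complement and fails safe whenever the two disagree, and a bounds-checked store rejects the oversized frame outright.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed RAM image of a single unprotected control task (assumption:
 * not Toyota's layout). Throttle scratch data and the fail-safe flag are
 * neighbours, and nothing in the "OS" stops one from writing the other. */
#define RAM_SIZE     16
#define SAMPLES_OFF  0
#define SAMPLES_LEN  8
#define FLAG_OFF     8   /* brake-override flag sits right after the buffer */
#define FLAG_INV_OFF 9   /* hardened variant: complement copy of the flag  */

/* Hardened encodings: neither is 0x00 or 0xFF, the two commonest results
 * of a stray write or a stuck memory cell. */
#define CODE_ON  0xA5
#define CODE_OFF 0x5A

/* Defective throttle routine: copies n samples with no check that
 * n <= SAMPLES_LEN. With n == 9 the last byte lands on the flag. The
 * loop stays inside the model RAM so the demo itself is well defined. */
static void store_samples_unchecked(uint8_t *ram, const uint8_t *s, size_t n)
{
    for (size_t i = 0; i < n && SAMPLES_OFF + i < RAM_SIZE; i++)
        ram[SAMPLES_OFF + i] = s[i];
}

/* Corrected routine: an oversized frame is rejected, never written. */
static int store_samples_checked(uint8_t *ram, const uint8_t *s, size_t n)
{
    if (n > SAMPLES_LEN) return -1;
    for (size_t i = 0; i < n; i++) ram[SAMPLES_OFF + i] = s[i];
    return 0;
}

/* Naive fail-safe state: one plain byte, 1 = brake override armed. */
static void set_override_naive(uint8_t *ram, int on) { ram[FLAG_OFF] = on ? 1 : 0; }
static int  override_naive(const uint8_t *ram)       { return ram[FLAG_OFF] != 0; }

/* Hardened fail-safe state: distinctive code plus its complement. Any
 * mismatch or unknown code is treated as corruption and fails safe, i.e.
 * the override is reported armed so the throttle gets cut. */
static void set_override_hardened(uint8_t *ram, int on)
{
    ram[FLAG_OFF]     = on ? CODE_ON : CODE_OFF;
    ram[FLAG_INV_OFF] = (uint8_t)~ram[FLAG_OFF];
}
static int override_hardened(const uint8_t *ram)
{
    uint8_t v = ram[FLAG_OFF];
    if ((uint8_t)~v != ram[FLAG_INV_OFF]) return 1;  /* corrupted: fail safe */
    return v == CODE_OFF ? 0 : 1;                    /* unknown code: fail safe */
}

/* Brake override: when armed and the brake is pressed, throttle is forced
 * to zero no matter what the pedal sensor reports. */
static uint8_t throttle_command(uint8_t pedal, int brake_pressed, int override_armed)
{
    return (brake_pressed && override_armed) ? 0 : pedal;
}

/* Constructed input: one sample too many, and that extra byte is 0x00. */
static const uint8_t OVERSIZED_FRAME[9] = {10, 20, 30, 40, 50, 60, 70, 80, 0x00};

/* Each scenario arms the override, runs the throttle routine on the bad
 * frame, then has the driver brake while the pedal reads 200, and returns
 * the throttle that would be commanded. */
uint8_t run_naive(void)
{
    uint8_t ram[RAM_SIZE] = {0};
    set_override_naive(ram, 1);
    store_samples_unchecked(ram, OVERSIZED_FRAME, sizeof OVERSIZED_FRAME);
    return throttle_command(200, 1, override_naive(ram));    /* 200: override lost */
}

uint8_t run_hardened(void)
{
    uint8_t ram[RAM_SIZE] = {0};
    set_override_hardened(ram, 1);
    store_samples_unchecked(ram, OVERSIZED_FRAME, sizeof OVERSIZED_FRAME);
    return throttle_command(200, 1, override_hardened(ram)); /* 0: corruption caught */
}

int run_checked_store(void)
{
    uint8_t ram[RAM_SIZE] = {0};
    set_override_naive(ram, 1);
    int rc = store_samples_checked(ram, OVERSIZED_FRAME, sizeof OVERSIZED_FRAME);
    return rc == -1 && override_naive(ram) == 1;             /* 1: frame rejected, flag intact */
}

int main(void)
{
    printf("naive throttle while braking:    %u\n", run_naive());
    printf("hardened throttle while braking: %u\n", run_hardened());
    printf("checked store rejects frame:     %d\n", run_checked_store());
    return 0;
}
```

The complement check only catches corruption that leaves the pair inconsistent; a defect that rewrites both bytes coherently, or a bug elsewhere in the same task that calls set_override_hardened with the wrong argument, gets through. That is why the list’s points about Task X and the main CPU matter: redundant encoding is a mitigation inside one protection domain, whereas a fail-safe that cannot be disabled by the function it guards has to live in a separate protection domain or on separate hardware.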

The deficiencies in the throttle design are shocking, because good rules exist for the design of safety-critical electronics (e.g., Chapter 4, “Safety Analyses,” in The Design Analysis Handbook).

The Toyota case makes one wonder how many other possibly-catastrophic flaws are lurking within the cars we drive, or in other electronics-guided machinery, due to poorly-designed safety-related systems.

