The Toyota Unintended Acceleration – finally “proven” due to faulty software

By Even-André Karlsson
How would you react if your car suddenly started to accelerate without you being able to stop it? This is what has happened to many Toyota drivers. Over the years there has been a lot of discussion, with Toyota claiming this was caused by driver error or mechanical defects rather than by electronics or software. Recently there have been some court cases where the software has been found to be the probable cause of the accidents. This article provides a summary and analysis of this case, which has been going on for over 10 years.

Background

Toyota introduced an electronic throttle control system (ETCS) in the 2002 model Camry. For details about the ETCS and how it works, see the NASA report, Wikipedia or the video. Note that even if this summary focuses on the Toyota case, this is a problem that has affected and can affect many other car manufacturers, e.g. Ford and Chrysler.

Initial incidents

Immediately after the introduction of the new Camry both Toyota and customers started to experience unintended acceleration problems, i.e. the car was speeding even if the gas pedal was not pressed, and the car did not react to the driver applying the brakes. Many of these incidents resulted in deaths and lawsuits. For details see the SRS overview or the Loyola Consumer Law Review. The NHTSA (National Highway Traffic Safety Administration) was also criticized for bad handling of these accidents.

Toyota response

Toyota claimed that this was a mechanical or driver problem. They also recalled several models to fix, for instance, the floor mat or other possible mechanical problems. They denied that it could be an electronic/software problem, e.g. “Toyota denies a defect exists, claims there is no trend, and that its electronic control system cannot fail in ways its engineers have not already perceived.” (from the SRS overview). Here is a late (2012) total denial of any ETCS problems from Toyota. There are also quite recent cases where Toyota was found not liable.

NASA investigation

NHTSA commissioned the NASA Engineering and Safety Center (NESC) to investigate Toyota’s ETCS system in 2010, and after 10 months NASA presented their report, in which they could not find any defects in the Toyota software that could lead to the failures. Toyota took this as evidence that it was a mechanical problem and that their response had been correct.

Koopman and Barr investigation (2012)

As part of a lawsuit related to car value loss, Koopman and Barr investigated the Toyota software and development process in more depth. These reports were not public during this trial, but the trial resulted in Toyota agreeing to pay more than US$1 billion in compensation to Toyota owners.

Bookout v Toyota Motor Corp. (2013)

During the trial for this accident, which resulted in one death and one serious injury, the Koopman and Barr reports were made public, and they showed that the Toyota software and process were sub-standard and could very well have created the problem, either through the software by itself or through a normal hardware failure, e.g. a bit flip in memory. For a good overview see the SRS analysis, or even Barr’s testimony and slides. Toyota hastily settled the case before the jury could determine punitive damages. How this verdict differs from the previous ones is well explained in EE Times. The Bookout lawyers made a 30-minute video explaining their case.

Toyota settlement negotiation for death and injury cases (2013)

Quite recently Toyota has started negotiating a settlement for the death and injury cases, as they probably see that, based on the Bookout v Toyota case, the chance of being found liable for a software error is very high.

Analysis and consequences

It is very strange that Toyota refused for so long to consider the possibility that the accidents were caused by software. The type of accidents reported clearly points to a “non-reproducible” software error, i.e. a software error that only occurs under very special/random conditions or due to hardware problems. The amount of money spent on “fixing” possibly non-existent mechanical problems must have been very large, showing that they took the problem seriously. Probably this is caused by a lack of understanding of software among the management, lawyers and others that dealt with this. On the other hand, Toyota could have known this for a long time, and it may be a purely economic decision, as replacing the electronics could cost more than $100 per car. There is evidence that the problem was more widely known within Toyota. The question is also whether Toyota will have to replace the faulty ETCS anyway – I would not like to drive around in a car where I know that the ETCS can cause unintended acceleration.

Even if not all the problems revealed by Koopman and Barr were obvious (they were not detected by NASA), they could most probably have been found by an internal software investigation at Toyota already in 2004-2005. In particular, process and coding standard problems are relatively simple to detect. There are companies that have a “software crash commission” team that analyzes serious crashes.

The NHTSA’s handling of these problems is also very questionable: even though there were many similar cases early on, they were not analyzed systematically, as the LA Times pointed out in 2009. The lack of software understanding at the NHTSA is strange. It took them 8 years before they initiated the first investigation of the software by NASA. But this is consistent with the handling of the earlier Ford case.

What will be the future consequences of this:

  1. Car manufacturers will have to disclose the software (source code with all connected documents) and development process evidence in trials to a larger extent, especially when it is not possible to clearly prove a mechanical failure (see the statement by Carl Tobias, law professor). The possibility for the car manufacturers to claim “driver error” will be largely reduced, in particular when several similar cases appear, e.g. the Honda braking case.
  2. If it can be shown that the car manufacturer has not followed best practices we will see lawyers requesting “treble damages” or “punitive damages”.
  3. The demand for software safety engineering experts like Barr and Koopman will explode, in particular in the US due to their legal system and size of damage payments. This type of software investigation requires substantial effort by real experts.
  4. Car manufacturers will be much more careful with the software that they put into their cars, ensuring that they follow best practices, as the cost of having sub-standard software in case of accidents is uncontrollable.
  5. The need for experienced software safety engineers and education will increase.
  6. There might be regulations of the car industry similar to the medical equipment (FDA) or aviation industry (FAA) – however with the current US political situation that is doubtful.
  7. NHTSA will have to increase their software staff, and they need to take these types of accidents seriously. Their handling of this case has been questionable.
  8. There will be stronger “black box” requirements on cars, as there are on airplanes. Note however that the Toyota black box could malfunction during this incident, thus reporting no braking (found in the Koopman and Barr investigation).

There is an ongoing discussion about this case on the system safety mailing list, e.g. http://www.systemsafetylist.org/0678.htm. Another very thorough analysis of these accidents, as well as many other links, is provided by Anthony Anderson.

Photo Credits:  Salem News 

References

SRS’s overview page of the history of this problem up to 2010. http://www.safetyresearch.net/toyota-sudden-unintended-acceleration/toyota-sudden-acceleration-timeline/

A similar, but more law focused review is found in http://lawecommons.luc.edu/cgi/viewcontent.cgi?article=1055&context=lclr

SRS description of some early cases, and the insistence on mechanical problems: http://www.safetyresearch.net/2012/07/19/dot-settles-lawsuit-over-toyota-ua-documents-new-congressional-inquiry-raises-more-questions/

A strong criticism of the NHTSA handling of these cases http://www.latimes.com/news/local/la-fi-toyota-recall8-2009nov08,0,6120294.story#axzz2lGp7LRAp

A recent denial of any ETCS problems from Toyota: http://www.huffingtonpost.com/mike-michels/tin-whiskers-and-other-di_b_1231080.html

A recent case where Toyota were found innocent: http://www.huffingtonpost.com/2013/10/11/toyota-cleared-in-death_n_4084958.html

NASA’s software report: http://www.nhtsa.gov/UA

SRS current evaluation of this case, and why it is so important: http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/

Barr’s testimony: http://www.safetyresearch.net/Library/Bookout_v_Toyota_Barr_REDACTED.pdf and slides: http://www.safetyresearch.net/Library/BarrSlides_FINAL_SCRUBBED.pdf

EE times’ analysis of the Bookout v Toyota case: http://www.eetimes.com/document.asp?doc_id=1319903

Similar cases, Honda braking by itself: http://www.safetyresearch.net/2013/10/31/hondas-revenge-against-the-pilot-owner-who-sparked-a-recall/

Consequences of Toyota software problems and a good overview of the recent history: http://www.eetimes.com/document.asp?doc_id=1319985

The US$1 billion car value loss settlement: http://www.nytimes.com/2012/12/27/business/toyota-settles-lawsuit-over-accelerator-recalls-impact.html?_r=1&

The latest development in the death and injury cases: http://www.nytimes.com/2013/12/14/business/toyota-seeks-settlement-for-lawsuits.html?_r=0

The Sudden Acceleration web: http://suddenacceleration.com/

How Ford has treated the similar problem: http://suddenacceleration.com/?p=669

There have been some more direct electrical explanations suggested for the failure, e.g. http://www.thetruthaboutcars.com/2010/03/gilbert%E2%80%99s-toyota-shenanigans-explained/, but none of them were correct. However, they showed that there were provoked “electrical failures” that were not correctly handled by the software, and that should have led to further investigations.

The smart pedals, i.e. the brake pedal overruling the accelerator pedal as installed in many cars, would have made the system more robust, but would not have eliminated the problem. This is now suggested as mandatory: http://www.nytimes.com/2012/04/13/automobiles/brake-override-systems-in-proposed-rule-for-new-cars.html
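As an added illustration (not code from this article, from Toyota or from the investigations it cites), the following C model shows the two points made above: a brake override lets the brake pedal win over the accelerator, and a single bit flip in the stored throttle command produces an unintended command unless the stored value is protected, here by a mirrored complement copy checked on the actuator side. All type and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Toyota's code. The commanded throttle is stored
 * with its bitwise complement so that a single bit flip in either byte is
 * detected before the value reaches the actuator. */
typedef struct {
    uint8_t cmd;     /* commanded throttle opening, 0..100 percent */
    uint8_t cmd_inv; /* mirror copy: ~cmd */
} throttle_cmd_t;

void throttle_set(throttle_cmd_t *t, uint8_t pct) {
    t->cmd = pct;
    t->cmd_inv = (uint8_t)~pct;
}

/* True while the stored pair is consistent (cmd XOR cmd_inv == 0xFF). */
bool throttle_valid(const throttle_cmd_t *t) {
    return (uint8_t)(t->cmd ^ t->cmd_inv) == 0xFF;
}

/* Pedal task: brake override, the brake pedal wins over the accelerator. */
void throttle_update(throttle_cmd_t *t, bool brake_pressed, uint8_t accel_pct) {
    throttle_set(t, brake_pressed ? 0 : accel_pct);
}

/* Actuator task without protection: trusts whatever is in memory. */
uint8_t throttle_actuate_unchecked(const throttle_cmd_t *t) {
    return t->cmd;
}

/* Actuator task with protection: a corrupted pair fails to idle (0). */
uint8_t throttle_actuate(const throttle_cmd_t *t) {
    return throttle_valid(t) ? t->cmd : 0;
}

/* Simulate a single-event upset flipping one bit of the stored command. */
void inject_bit_flip(throttle_cmd_t *t, unsigned bit) {
    t->cmd ^= (uint8_t)(1u << bit);
}

int main(void) {
    throttle_cmd_t t;
    throttle_update(&t, false, 0);  /* foot off both pedals: idle */
    inject_bit_flip(&t, 6);         /* 0 becomes 64 percent in memory */
    printf("unchecked actuator: %u%%\n", throttle_actuate_unchecked(&t));
    printf("checked actuator:   %u%%\n", throttle_actuate(&t));
    return 0;
}
```

The override only helps while the pedal task that computes it keeps running, which is why the consistency check sits on the actuator side and fails to idle rather than trusting the stored value.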

Even-André Karlsson
even-andre.karlsson@addalot.se