embedded software boot camp

2012 Explained – Toyota

Thursday, December 27th, 2012 by Nigel Jones

Regular readers of this blog will no doubt have noticed the paltry number of articles posted by me this year. While there have been a number of contributing factors, one of the more significant has been Toyota. I have been part of the team that has spent a large part of 2012 examining the engine control module hardware and firmware for Toyota cars and light trucks in light of reports on unintended acceleration. Yesterday, a tentative settlement was announced in the class action lawsuit. Other litigation concerning personal injury is still pending. As a result of the pending litigation, together with various protective orders (confidentiality agreements) I can’t comment or provide any details. For those of you that are interested, here are some key links.

Settlement announced: Approximately 5pm EST on December 26th 2012

Statement by the plaintiffs.

Statement by Toyota.

Information about the settlement.

The proposed settlement

Update: The federal judge has given provisional approval to the settlement.

For a primer on Toyota’s engine control module, you can read the lengthy report published by NASA. Readers of this blog will find appendix A the most illuminating.

Anyway, it is my hope that I will be able to blog considerably more frequently in 2013.

 

6 Responses to “2012 Explained – Toyota”

  1. John Culver says:

    Link to the Proposed Settlement is non-functional

  2. Mike Ficco says:

    I remember hearing on the radio that NASA reviewed the Toyota engineering and concluded sudden acceleration could not happen. At the time I laughed, thinking of all the times I experienced things that couldn’t happen on my projects. After your recent blog I did a quick search and found statements like:

    “Toyota exonerated by NHTSA, NASA” and

    “Toyota welcomes the findings of NASA and NHTSA regarding our Electronic Throttle Control System with intelligence (ETCS-i) and we appreciate the thoroughness of their review. We believe this rigorous scientific analysis by some of America’s foremost engineers should further reinforce confidence in the safety of Toyota and Lexus vehicles. We hope this important study will help put to rest unsupported speculation about Toyota’s ETCS-i, which is well-designed and well-tested to ensure that a real world, un-commanded acceleration of the vehicle cannot occur.”

    ———-

    Nigel I’m not sure how much the confidentiality agreements will allow you to say but I’m confused and wonder if you could comment. I skimmed the NASA report and read the appendix.

    Some of their guidelines are silly, like – “Do not use function calls in if conditionals (to avoid possible side-effects)”

    Some of their guidelines are wrong, like – “Place the opening curly brace of a block on same line as an if, while, or for statement.” Everyone knows they go on the NEXT line.

    However, some things in the NASA report reflect badly on the Toyota engineering. Among other things, NASA reported that there were 2,659 uses of #undef, 17 Potentially unbounded loops, and the use of 13 uninitialized variables. There were also 2,272 global variable declared with different types, 962 buffer overruns, 13 macros called with insufficient parameters. This kind of stuff jumps out at me and says SLOPPY PROGRAMMING! How can anybody conclude that there is no chance of unintended acceleration with this many smoking guns? Wait, the piece de resistance is a whole slew of global variables accessed from different asynchronous tasks (including 909 accessed by 2 tasks and 6 accessed by 14 tasks (14!!!)).

    Also, why all the redactions in the NASA report?

    So, let me be clear – I have not reviewed any of the Toyota code, have never spoken to anybody from Toyota, and am under no confidentiality agreements. My most detailed knowledge of this comes from the publicly available NASA report. So here is my question: How can anyone say and how dare reputable news agencies report that Toyota was exonerated when their code appears to be a sloppy mess and safety appears to rest on the watchdog triggering when something goes wrong – a watchdog that NASA notes does not log its triggering. Why would you not log the watchdog triggering? THAT is additional bad engineering.

    Exonerated? I hope the billion dollar settlement also requires them to fix their sloppy mess.

    Full disclosure – There is more than one Toyota product in my family and so far none of them have gone nuts… I hope that continues.

  3. GroovyD says:

    … so is their code a mess or what?

    for(;;)
    throttleValve += footOnBrake ? 10 : 0;

  4. Coder says:

    Interesting. I have been waiting for the outcome of this, but I am disappointed I must admit.

    I get the feeling that even NASA could not find the problem, had to report something and came up with a list of other issues/errors as a band-aid. Given all the issues they have found, it does make me wonder if it is just a matter of time before another incident. The brake override offered by Toyota seems like a backup plan in case it happens again – does not really do much for customer confidence.

    It is interesting that all is deemed safe now after NASA did not find the cause. It just means they could not find the cause, it does not mean that it doesn’t exist. (It has not been proven that it doesn’t). Yes, there are many cars on the road that have never had this problem, but it still leaves the few that have been affected with serious consequences, without any explanation…

    No, I don’t drive a Toyota, but I do like their cars. Doubt I would buy one.

Leave a Reply to Nigel Jones

You must be logged in to post a comment.