[SystemSafety] a discursion stimulated by recent discussions of alleged safety-critical software faults in automobile software

Matthew Squair mattsquair at gmail.com
Wed Nov 13 00:59:16 CET 2013


Peter, another problem. Because Toyota don't (reliably) monitor and record
software faults they can't show that the software was not involved in any
future accident. As there now is evidence that it plausibly could, thanks
to Barr/Koopman, they have a significant legal hurdle to overcome in any
future defence. Were I the responsible GM, that'd be the barn door I'd be
trying to close.

Stephen as to the spaghetti code, I think an argument that the 'fix' to the
problem would require the complete refactoring of the code, so therefore we
need to make compromises, so therefore we accept the status quo is
something of a straw man.

Rather than focusing on untangling the spaghetti they could have done all
or any of the following:

1. Moved the fail safe functions out of task X (the 'spaghetti' task).
2. Given the hardware watchdog actual teeth (a better version was
implemented for the Prius).
3. Fixed the monitor CPU function so that it didn't rely on a driver input
and truly failed safe (software logic change only).
4. Implemented run time stack monitoring (already in the 2005 Corolla's
Delphi chipset).

Toyota recognised the problem, to some degree, but, it seems, were
sidetracked into untangling the Gordian knot of their legacy code, rather
than identifying what could be (and fairly easily) actioned immediately.
Did all involved really, truly believe the code could fail and cause an
accident? And that they were accountable and responsible?

Regards,

On Tue, Nov 12, 2013 at 8:49 PM, Peter Bernard Ladkin <
ladkin at rvs.uni-bielefeld.de> wrote:

> On 11/12/13 10:25 AM, Parker, Stephen wrote:
> > It's worrying that Toyota would be in a better position by not discussing
> > this internally. That seems a recipe for reducing software quality to me.
>
> First, this is a known problem for many decades, and not just with SW.
> Ever since the Ford Pinto
> case in the US in the 1970s, most large companies building
> safety-critical kit have known that
> analyses you perform are subject to discovery proceedings and can be (Ford
> and others argue:
> mis-)interpreted by courts. Some (Chris Johnson comes to mind) have
> suggested this has severely
> restricted the scope and thereby the effectiveness of incident databases
> in some industries
> otherwise renowned for their care.
>
> Second, this is hindsight about one feature. A company which never
> discussed in traceable form (that
> is, no e-mails, no documents, no minutes of meetings) anything related to
> the fitness-for-purpose of
> its safety-critical kit would, in many industries, not be able to put that
> kit on the market. Even
> as a practical matter, in the auto industry it's doubtful one would be
> able so to build a car. How
> could you possibly build a car, and emphasise its safety features in your
> adverts, without ever
> discussing in engineering or management meetings how it might kill people?
> Even if you wanted to
> attempt that in the EU, it's illegal! (EC 765/2008).
>
> Third, since safety cases and independent assessments and so on are
> required in other transportation
> industries such as rail and air travel, this might argue for imposing such
> a regime in automobile
> production and sales. Even a company which systematically destroyed all
> engineering-related
> commentary which didn't make it into the safety case is still left with a
> massive track record of
> why it thinks its kit is adequately safe, including independent criticism
> and response. Say there
> had been such regulation in 2005 in the US, and Barr had been Toyota's
> assessor of its 2005 code.
> That kit would never have made it into the car, would it?
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of
> Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>



-- 
*Matthew Squair*
MIEAust CPEng

Mob: +61 488770655
Email: MattSquair at gmail.com
Website: www.criticaluncertainties.com <http://criticaluncertainties.com/>
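Item 4 in the list above names run-time stack monitoring as a cheap mitigation. The following is an added illustration of one common way to do it, "stack painting" with a high-water-mark check, written for this post; it is not Matthew Squair's code, nor Toyota's, Delphi's or any RTOS's, and every name in it (task_stack, STACK_MIN_FREE, stack_monitor_trip, and so on) is hypothetical. The task stack is a plain array so the check can be run on a host machine.

```c
/* Added example: run-time stack high-water-mark monitoring by stack painting.
 * All names are hypothetical; the task stack is simulated as a byte array. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TASK_STACK_BYTES 256u
#define STACK_PAINT      0xA5u
/* Trip the fail-safe when fewer than this many untouched bytes remain. */
#define STACK_MIN_FREE   32u

/* Simulated task stack. Stacks grow toward lower addresses on most MCUs, so
 * used bytes accumulate at the top of the array and untouched paint survives
 * at the bottom (index 0). */
static uint8_t task_stack[TASK_STACK_BYTES];

/* Paint the whole stack once, before the task first runs (boot time). */
void stack_paint(void) {
    memset(task_stack, STACK_PAINT, sizeof task_stack);
}

/* Simulate the task consuming `depth` bytes of stack (frames grow downward). */
void task_use_stack(size_t depth) {
    if (depth > TASK_STACK_BYTES) depth = TASK_STACK_BYTES;
    memset(task_stack + (TASK_STACK_BYTES - depth), 0x00, depth);
}

/* Count paint bytes still intact from the bottom: the minimum headroom seen
 * since the last paint. A real frame that happens to contain the paint value
 * at its deepest byte would make this an over-estimate of free space, which
 * is why a non-zero margin (STACK_MIN_FREE) is kept. */
size_t stack_free_bytes(void) {
    size_t free_bytes = 0;
    while (free_bytes < TASK_STACK_BYTES && task_stack[free_bytes] == STACK_PAINT)
        free_bytes++;
    return free_bytes;
}

/* Periodic monitor, e.g. called from the watchdog service path: returns 1
 * when the task must be forced into its safe state because the stack is
 * about to overflow into whatever sits below it. */
int stack_monitor_trip(void) {
    return stack_free_bytes() < STACK_MIN_FREE;
}
```

The monitor is deliberately independent of the task it watches, so it keeps working no matter how tangled that task's own logic is.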


