On October 24, 2013, a jury in Oklahoma City found Toyota Motor liable for a 2007 crash in which a Toyota Camry suddenly accelerated. The jury also found that Toyota acted with 'reckless disregard' for the rights of others, which triggered a second phase of the trial to determine punitive damages. Toyota then reached a settlement for an undisclosed amount on punitive damages, beyond the court-approved $3 million in actual losses.
This case was significant because, for the first time, a technical team was able to recreate the sudden acceleration in a controlled environment in a way that was recognized by a court. By injecting a flip of a single bit, which could be caused by any of the many scenarios listed below, the vehicle under test entered a verifiable, potentially fatal state.
There are many things Toyota could have done to avoid the fatal crash:
- Amateurish architectural design. There are 67 functions with a complexity over 50 (untestable) and 12 functions with a complexity over 100 (unmaintainable). The key culprit function, which controls the throttle and other sensors, contains over 1300 lines of code and has a complexity of 146. Unbelievably, Toyota used more than 11,000 global variables, which should be avoided entirely.
- Not following development guidelines. For a safety-critical system there is an existing guideline, MISRA C, which is adopted by major automakers. Toyota claimed that they followed their own internal guidelines, which were 50% compatible with the industry guidelines; however, the real overlap is less than 10%. What's more, Toyota did not even follow its own internal guidelines: the technical team found over 80,000 violations in Toyota's code. Toyota had itself proposed the finding that every coding violation implied one major defect and ten minor defects.
- Recursion, a taboo in embedded programming, was used extensively.
- Lack of protection for key variables, including the most critical one: the TargetThrottleAngle global variable. Toyota used an uncertified operating system. In some cases they did not use ECC at all; in other cases they used insufficient ECC.
- No stack protection. Toyota estimated that the stack was at most 41% used in the worst case, while the technical team found it could be as high as 94% without even taking the recursion issue into account. With recursion the usage is unbounded, so there is a real risk of accidentally overwriting key program values. Some Toyota models had no monitoring for stack overflow (into a key OS task-allocation record area).
- A single, overwhelming task, 'task X'.
- No watchdog on tasks, and an insufficient watchdog for CPU overload (the dog is fed from a hardware interrupt, so it keeps being kicked even when tasks have died).
- The hardware protection system also fails when task X fails.
- The Brake Echo Check is only triggered by an action on the brake.
- The Brake Override System is part of task X.
- A 'litany' of other faults was found in the code, including buffer overflows, unsafe casts, and race conditions, among others.
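An added example (my own code, not the page's and not Toyota's) of the kind of key-variable protection the list above says was missing: a critical value is stored together with its bitwise complement, so a single flipped bit in either copy is detected on read and the variable is forced to a safe default instead of silently driving the throttle. The struct, the function names, the injected fault and the safe angle of 0 are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical protected storage for a critical 16-bit variable: the value is
 * kept with its complement, so one flipped bit in either copy breaks the pair. */
typedef struct {
    uint16_t value;
    uint16_t inverse;   /* invariant: inverse == (uint16_t)~value */
} protected_u16;

#define THROTTLE_SAFE_ANGLE 0u  /* assumed safe default: throttle closed */

void protected_set(protected_u16 *p, uint16_t v) {
    p->value = v;
    p->inverse = (uint16_t)~v;
}

/* True and the stored value if both copies agree; otherwise false and the safe default. */
bool protected_get(const protected_u16 *p, uint16_t *out) {
    if ((uint16_t)(p->value ^ p->inverse) == 0xFFFFu) {
        *out = p->value;
        return true;
    }
    *out = THROTTLE_SAFE_ANGLE;   /* detect, then fail safe */
    return false;
}

/* Simulated fault injection: flip one bit of one byte in memory. */
void flip_bit(void *mem, size_t byte, unsigned bit) {
    ((uint8_t *)mem)[byte] ^= (uint8_t)(1u << (bit & 7u));
}

/* Store v, corrupt one bit of the pair (bytes 0-1 value, 2-3 inverse), read back. */
bool protected_after_flip(uint16_t v, size_t byte, unsigned bit, uint16_t *out) {
    protected_u16 g;
    protected_set(&g, v);
    flip_bit(&g, byte, bit);
    return protected_get(&g, out);
}

int main(void) {
    uint16_t raw = 300u, angle;
    flip_bit(&raw, 0, 7);                 /* unprotected copy: silently changed */
    bool ok = protected_after_flip(300u, 0, 7, &angle);
    printf("raw=%u ok=%d angle=%u\n", raw, ok, angle);
    return 0;
}
```

Mirroring only detects corruption; correcting it needs ECC or a third copy with voting, and the check has to run on every read, not once at startup.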
This post summarizes discussions in a Chinese analysis, which was in turn based on the testimony of Michael Barr.
Toyota's statement on Oct 25, 2013:
While we strongly disagree with the verdict, we are satisfied that the parties reached a mutually acceptable agreement to settle this case. We remain committed to providing our customers with safe and reliable vehicles, and we will continue to defend our products vigorously at trial in other legal venues.
The biggest problem? NASA, contracted by the NHTSA, did not find the problem in an earlier government investigation.
Further reading at EDN; do not miss the comments, which are very informative.