Tuesday, July 22, 2014

"Architecture is crap" - aircraft safety engineer Geoff Barrance summarizes Koopman

Crowbarr

Geoff Barrance writes today (giving me permission to quote him):

"Obviously the Toyota lawyers are using the source code PP "issue" as a crowbar to get at you and Barr, but note the testimony of Koopman, which pointed out the system level architectural deficiencies that I had sensed from the information in the NASA reports. It might be good to find the quote in the Koopman testimony about the system being unprotected from arbitrary faults. Although Koopman's testimony didn't get the publicity that Barr's did, it is actually showing even more fundamental problems with the design. My summary would be that 'you can't have a safe system if the architecture is crap (technical term that might be replaced by some other word!) even if the software were perfect.'"

*         *          *

Dear Tom, Lisa, and Kevin, what other juicy tidbits will you find in my emails?? Are you sure you want them? Won't you have to resign if you read them? Toyota's public position that its vehicles are safe does not seem to have changed one bit. But the evidence? Apparently it seems to prove the opposite.

from Geoffrey Barrance
Iowa (Rep. Braley's constituent)

Dear Representative Braley,
Toyota Unintended Acceleration – What Now?
I have to tell you that I am very disappointed in the lack of follow up from you and your staff (and indeed the entire Federal Government) in respect of my inputs to you on the Toyota Unintended Acceleration issue.
The situation has now changed. We have the testimony and results of the Bookout vs. Toyota case in Oklahoma. A guilty verdict and $3 million damage award, rapidly taken out of court, with a secret settlement before consideration of punitive damages. No doubt you are aware of this, but an excellent link to summarize this is:
http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/
The embedded link to the presentation by Michael Barr of his analysis of the software in the ECM is well worth following up. You should also refer to Professor Koopman’s testimony, to fill out the broader system context, which is more my field. In Koopman and Barr’s assessments you will find utterly damning evidence that the Engine Control Module (indeed the entire engine control system from accelerator pedal to the throttle plate) is fundamentally flawed in design and execution, and therefore subject to arbitrary failure modes. This is, of course, what I have been telling you.
I refer to my most recent document, which was a (damning) review of the finalized Exponent report, which I handed to one of your staff at your open house in Cedar Rapids earlier this year. In it I specifically pointed out the following ETCS-i system’s deficiencies:
- design of the pedals, which enclose both sensors in a common housing without barriers and physical separation or any apparent indication of application of specific segregation standards[1]
- use of a single chip to enclose two Hall effect sensors
- use of single connectors to carry both sets of signals, without barrier pins or apparent application of any segregation standards
- use of a common wiring loom relying on wire insulation only to assure independence of the sensor signals (better to have each set of wires in a grounded screen)
- use of a single analog to digital converter for all critical and redundant signal paths, with no statement that analysis has been performed to show no failure modes exist which can compromise the independence of the pedal and/or throttle sensor redundant signals [Emphasis added here.]
- incorporation of complex hardware components (processors) with no apparent consideration of arbitrary failure modes resulting in malicious faults and therefore failure-prone monitoring schemes for first fault detection [Emphasis added here.]
- reliance on EMI protection components for system safety with no indication that these components are known to be present and correct at any specific point in time, and no testing done or statements to establish the system response with failed protection
- reliance on power supply regulation, smoothing and stabilization components for system safety with no indication that these components are known to be present and correct at a specific point in time and no testing done or statements about system response with failed components.
[1] [Added] Koopman and Barr use the term Fault Containment Regions, which is the engineering principle involved. Segregation standards are specific rules for implementing fault containment regions. Note that Koopman & Barr say the entire ETCS-i system is in only one fault containment region. They had direct access to information; I had to discover what I could from the NASA and Exponent reports.
With reference to the here-italicized bullets I would note again that the use of a single analog to digital converter and the inclusion of the two processors in the single fault zone is stated by Koopman to inevitably result in undetected (actually, undetectable) faults of arbitrary effect, magnitude and duration, therefore including Uncommanded Acceleration.
So perhaps the important thing is what must happen now? The Federal Government has had an utterly dishonorable role in this. First of all it (DOT/NHTSA) ignored my, unsolicited and without fee, offer to help with review of materials associated with UA in any follow up to the Waxman-Stupak Committee hearings[2]. Then, on receipt of the NASA reports, Secretary LaHood claimed that they showed no electronic cause of UA, which is exactly what the reports did not say. When I wrote to him about this my comments were dismissed[3]. Furthermore, the NASA-NESC investigations were predicated on NHTSA-set terms of reference and timescale which were slanted towards not being able to find a specific potential cause of UA. They were also compromised by dishonestly incorrect and incomplete information from Toyota, which NHTSA does not have the expertise to detect (or, I think, procedures to punish?). I have heard that some of the NASA Engineers were painfully aware of the bias towards the “predetermined answer” and refused to sign the reports, no doubt at risk to their careers (they should, of course, be praised for their stand). So the result is that the agency of the Federal Government has acted publicly and dishonorably to shelter Toyota from the actions brought by those who have been injured by Toyota’s product and conduct. This is totally unacceptable. Ignorance and lack of expertise are no defense.
[2] I can see now that this offer would be difficult for them to accept, what with non-disclosure agreements and so on, but to ignore a citizen input/offer is more than impolite. I would have been happy with a brief acknowledgement and explanation. I think I have shown that I have expertise. But it’s not about me, it’s about the people that got hurt (including Dr. Gilbert, who demonstrated the double fault in the pedal circuit and was attacked by Toyota).
[3] Letter to DOT Secretary LaHood and reply from Daniel C. Smith, NHTSA, previously supplied.
So, I would ask you to bring this up to the highest level in Government, to ensure that the errors are publicly acknowledged, that actions are put in place to remove them and provide restitution to those harmed, and to ensure that it does not happen again. Changes must urgently be made so that safety issues in NHTSA’s domain will be properly and completely dealt with, proactively instead of reactively. I suspect that ex-Secretary LaHood is now beyond the reach of discipline, but he should still receive public admonishment for his disgraceful role.
In view of the lack of closure on previous communications I request that you acknowledge receipt of this letter and advise me of what actions you will pursue.
Thank you,
Geoff Barrance
By e-mail
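The single-ADC and single-fault-containment-region deficiencies the letter above lists, shown as an added illustration that is not part of the letter or of any Toyota, NASA or Exponent material: a constructed model of two redundant pedal sensors digitized either by one shared converter or by two independent ones, with a gain fault inside a converter as the injected fault. The sensor scaling, the plausibility window and the fault values are all assumptions.

```python
# Constructed model of why redundant sensors sharing one ADC are not truly
# redundant: a fault inside the shared converter is common-mode, so the
# monitor's cross-check between channels cannot see it.
VREF = 5.0
BITS = 10
FULL_SCALE = (1 << BITS) - 1
TOLERANCE_COUNTS = 20   # assumed plausibility window between the two channels


def adc_convert(voltage, gain=1.0):
    """Model one ADC conversion. gain != 1.0 models a latent fault inside the
    converter (a drifted reference, say); the sensor feeding it is healthy."""
    clipped = min(max(voltage * gain, 0.0), VREF)
    return round(clipped / VREF * FULL_SCALE)


def channels_agree(count_a, count_b):
    """The monitor's cross-check: redundant channels must track each other."""
    return abs(count_a - count_b) <= TOLERANCE_COUNTS


def commanded_throttle(count_a, count_b):
    """Throttle fraction derived from the digitized pedal signals (assumed
    to be the mean of the two channels, full scale = 100%)."""
    return (count_a + count_b) / 2 / FULL_SCALE


def read_pedal(pedal_volts, gain_a, gain_b):
    """Digitize both sensors (assumed to output the same voltage scale) and
    return (count_a, count_b, check_passed, throttle_fraction)."""
    count_a = adc_convert(pedal_volts, gain_a)
    count_b = adc_convert(pedal_volts, gain_b)
    return count_a, count_b, channels_agree(count_a, count_b), commanded_throttle(count_a, count_b)


def shared_adc(pedal_volts, adc_gain):
    """One converter serves both channels: a gain fault hits both identically."""
    return read_pedal(pedal_volts, adc_gain, adc_gain)


def separate_adcs(pedal_volts, gain_a, gain_b):
    """Two independent converters: a fault in one shows up as disagreement."""
    return read_pedal(pedal_volts, gain_a, gain_b)


if __name__ == "__main__":
    pedal = 1.0  # 20% pedal travel on the assumed 0-5 V scale
    print("healthy shared ADC   :", shared_adc(pedal, 1.0))
    print("faulty shared ADC    :", shared_adc(pedal, 1.3))   # passes check, +30% throttle
    print("one faulty of two ADCs:", separate_adcs(pedal, 1.3, 1.0))  # check fails
```

With the shared converter the +30% gain fault passes the plausibility check and the commanded throttle silently rises from about 20% to about 26%; with independent converters the same fault is caught because the channels no longer agree.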