Karl, dear, I know just how you feel.
Finally, finally, once again NHTSA has been forced by a Toyota owner to open an investigation after a pretty plain-as-day UA event occurred that was similar to many others, and for which there isn't any good explanation other than "the electronics did it."
Let's see if NHTSA's Scott Yon or Jeff Quandt will find a way to wiggle out of this one, this time. And by the way, guys, there are still ways that you could learn the real truth, that very same truth that I have been trying to tell you for a few years. You have not listened. What will you do tomorrow?
Dr. Phil Koopman says:
Testing alone is insufficient to ensure safety in critical systems. Other technical approaches and software development process management approaches must also be used to assure sufficient software integrity.
Consequences:
Relying upon just system functional testing to achieve safety can be expected to eventually lead to an unsafe situation in a widely released product. Even if system functional testing is completely representative of situations that will happen in practice, such testing normally won’t be long enough to see all of the infrequent events that will occur with a much larger fleet of vehicles deployed for a much longer period of time.
Consequences:
Relying upon just system functional testing to achieve safety can be expected to eventually lead to an unsafe situation in a widely released product. Even if system functional testing is completely representative of situations that will happen in practice, such testing normally won’t be long enough to see all of the infrequent events that will occur with a much larger fleet of vehicles deployed for a much longer period of time.
Today I spent nearly the entire day reviewing Toyota's testing-related documents.
I can't say much more than OMG.
And if, like Toyota, you do not listen to Dr. Koopman's sage advice, you get THIS!!