Bad design and its consequences; US legal ruling on Toyota's “killer firmware”

October 30, 2013 // By Michael Dunn, EDN
In the USA, certain Toyota car models have been alleged to have contained a fault that caused them to accelerate or continue to accelerate contrary to the driver's inputs. This has now reached the stage that a US court has ruled against Toyota, as reported here by EDN's Michael Dunn.

On Thursday October 24, 2013, an Oklahoma court ruled against Toyota in a case of unintended acceleration (“UA”) that lead to the death of one of the occupants. Central to the trial was the Engine Control Module's (ECM) firmware.

Embedded software used to be low-level code we'd bang together using C or assembler. These days, even a relatively straightforward, albeit critical, task like throttle control is likely to use a sophisticated RTOS and tens of thousands of lines of code.

With all this sophistication, standards and practices for design, coding, and testing become paramount – especially when the function involved is safety-critical. Failure is not an option. It is something to be contained and benign.

So what happens when a car maker decides to wing it [improvise] and play by their own rules? To disregard the rigorous standards, best practices, and checks and balances required of such software (and hardware) design? People are killed, reputations ruined, and billions of dollars are paid out. That's what happens. Here's the story of some software that arguably never should have been.

For the bulk of this research, EDN consulted Michael Barr, CTO and co-founder of Barr Group , an embedded systems consulting firm, last week. As a primary expert witness for the plaintiffs, the in-depth analysis conducted by Barr and his colleagues illuminates a shameful example of software design and development, and provides a cautionary tale to all involved in safety-critical development, whether that be for automotive, medical, aerospace, or anywhere else where failure is not tolerable. Barr is an experienced developer, consultant, former professor, editor, blogger, and author.

Barr's ultimate conclusions were that:

- Toyota’s electronic throttle control system (ETCS) source code is of unreasonable quality.

- Toyota’s source code is defective and contains bugs, including bugs that can cause unintended acceleration (UA).

- Code-quality metrics predict presence of additional bugs.

- Toyota’s fail-safes are defective and inadequate (referring to