Actually, in every cruise control system I've used, if the desired speed (set by the accelerator pedal position) exceeds the current CC set speed, the system will still throttle up; when the pedal is released, it smoothly returns to the set speed. So when things are working, the pedal is not ignored. If task X failed, you'd notice that you couldn't speed up, either.
Thanks Junko for the thorough coverage. I've learned a lot about the case.
There seems to be a serious design flaw. In order to avoid any serious issue in any software system, the design shall always avoid deadlock. There shall always be a simple task to monitor the health of the system. A watchdog to reboot the system in case of deadlock is an avoidance mechanism; a system engineer shall not rely on it.
To be honest, I'm quite surprised to read the report. Toyota is a very good company. They should know better. I wonder whether there is anything missing in the findings.
Nonetheless, Toyota will learn from it and make themselves better.
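The "simple task to monitor the health of the system" mentioned above is usually built as a heartbeat monitor: every task bumps a counter each cycle, and an independent monitor flags any task whose counter stops moving within its deadline, so the system can go to a defined fail-safe state and name the stalled task instead of relying on a blind watchdog reboot. The following is an added illustration of that pattern and is not code from the comment, from Toyota, or from any ECU; the task names, deadlines and the stall simulation are constructed for the example.

```c
/* Added example: heartbeat-based task liveness monitor (not any vendor's code). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_TASKS 3

typedef struct {
    const char *name;
    uint32_t deadline_ticks;  /* max monitor ticks allowed without a new heartbeat */
    uint32_t heartbeat;       /* incremented by the task itself each cycle */
    uint32_t last_seen;       /* heartbeat value observed at the last monitor tick */
    uint32_t stale_ticks;     /* consecutive monitor ticks with no heartbeat change */
} task_health_t;

/* Constructed task table: names and deadlines are hypothetical. */
static task_health_t tasks[NUM_TASKS] = {
    {"throttle_ctrl", 5, 0, 0, 0},
    {"brake_monitor", 10, 0, 0, 0},
    {"diag_logger",   50, 0, 0, 0},
};

static uint32_t g_last_faults = 0;

/* Each task calls this once per cycle; a deadlocked task never reaches it. */
void task_heartbeat(int id) {
    if (id >= 0 && id < NUM_TASKS) tasks[id].heartbeat++;
}

/* Monitor tick: returns a bitmask of tasks that missed their deadline. */
uint32_t monitor_tick(void) {
    uint32_t faults = 0;
    for (int i = 0; i < NUM_TASKS; i++) {
        if (tasks[i].heartbeat != tasks[i].last_seen) {
            tasks[i].last_seen = tasks[i].heartbeat;   /* task is alive */
            tasks[i].stale_ticks = 0;
        } else if (++tasks[i].stale_ticks >= tasks[i].deadline_ticks) {
            faults |= (1u << i);                       /* task has stalled */
        }
    }
    g_last_faults = faults;
    return faults;
}

void monitor_reset(void) {
    for (int i = 0; i < NUM_TASKS; i++)
        tasks[i].heartbeat = tasks[i].last_seen = tasks[i].stale_ticks = 0;
    g_last_faults = 0;
}

uint32_t last_faults(void) { return g_last_faults; }

/* Simulation: every task beats each tick, except 'stalled_task' which stops
 * beating from 'stall_at_tick' on. Returns the tick at which the monitor
 * first raised a fault, or -1 if no fault was raised in 'total_ticks'. */
int simulate_stall(int stalled_task, int stall_at_tick, int total_ticks) {
    monitor_reset();
    for (int t = 0; t < total_ticks; t++) {
        for (int i = 0; i < NUM_TASKS; i++)
            if (!(i == stalled_task && t >= stall_at_tick)) task_heartbeat(i);
        if (monitor_tick() != 0) return t;
    }
    return -1;
}

int main(void) {
    int t = simulate_stall(0, 10, 100);
    printf("fault at tick %d, mask 0x%x (%s stalled)\n",
           t, last_faults(), tasks[0].name);  /* prints: fault at tick 14, mask 0x1 */
    return 0;
}
```

The point of the design is that the monitor is a separate, trivially simple task: it only compares counters, so it has nothing to deadlock on, and its output identifies which task failed, which is what a fail-safe handler needs and a reboot-on-timeout watchdog cannot provide.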
There have been many-many posts here about how the braking system should always be able to override the engine.
What about the anti-lock braking system?
Virtually every car has them and the control computer has the ability to release the brakes at any time depending on factors like individual wheel rotation speed and so on. I don't know how the ABS is tied into "Task-X" but if they all use the same microprocessor, it's entirely possible the ABS will be affected too.
Thus, pushing on the brakes would have no effect if the ABS has released them, falsely thinking the car was in a skid condition. This seems to correlate closely to what some drivers have reported: that the brakes had no effect.
It seems there should always be a mechanical override for emergencies like these. The parking brake, otherwise known as the "Emergency Brake" which it isn't, applies only the back brakes. And the actual brake pads are tiny compared to the front pads. It would be of no use in an engine runaway situation.
I'd really like to know how the ABS ties into all of this.
I myself have learned a great deal in following the Oklahoma case. The thing is, though, that this is not the end of Toyota's unintended acceleration trials.
Toyota is facing another trial early Nov. -- this one will be in federal court in Santa Ana, Calif.
In many of the death and injury lawsuits, including Bookout's, plaintiffs claim that loose floor mats and sticky pedals don't explain all episodes of sudden acceleration and that the electronic throttle control system is at fault.
The reason why EE Times is following the case so closely is that the Oklahoma trial was the first instance when any of the testimonies by expert witnesses focused on software and hardware issues -- outside the floor mats and sticky pedals -- became publicly available. Until now, such reports and testimonies have been sealed under court order.
And one more disturbing fact. Bookout's vehicle, a 2005 Camry, wasn't included in Toyota's recalls.
It would be good to also post the transcript of the Denso Monitor CPU code -- to see why it might also have potentially contributed -- Also most ECU/ABS code is supposed to also meet a set of MISRA safety checks as part of a Static Analysis -- It would be good to hear about this in the trial -- Additionally it might be good to see how any hardware features came into play.
The trial, transcript and these discussions indicate that there are millions of vehicles on the road today with a potentially lethal defect. Toyota has already settled with the NHTSA and has that settlement to wave in any Camry owner's face (provided they did nothing and accepted the settlement terms). Am I correct about this? And, if I am, what is the next step? I own a 2004 Camry and wonder if I should keep driving it - I seriously doubt that I could react appropriately if the vehicle went to full throttle w/o warning. I would for sure step on the brake, but, according to Mr. Barr's testimony, that's the wrong thing to do. What's the right thing to do? Switch off the ignition? Ram the automatic transmission lever into reverse? Given this knowledge, what's my responsibility in the event of a loss of throttle control event and the nearly inevitable accident? Morally I can't justify laying all the responsibility on Toyota but the chances of this happening to me are very, very small.
Besides the above, I'm wondering what my car is now worth and whether Toyota will step up and replace their badly-engineered software or the entire engine control module. That would be the right thing to do, but my money is on a big consumer blow-off using the NHTSA settlement as a broom to sweep it all under the floor mats.
The thing that really puzzles me is why the popular press hasn't picked this up yet - I expect to see it splashed all over the place. It shows that software can never trump celebrities or political bloviators.
First, Toyota recalled more than 10 million vehicles for problems related to unintended acceleration in 2009 and 2010, starting with a September 2009 announcement that it was recalling 3.8 million Toyota and Lexus vehicles because of a defect that may cause floor mats to jam accelerator pedals. The company later recalled vehicles over defects involving the pedals themselves.
(Now, curiously, the 2005 Camry, which was the car at dispute in this Oklahoma case, has NOT been recalled by Toyota yet.)
Toyota's recalls led to lawsuits claiming that defects harmed the value of Toyota vehicles or caused accidents leading to death and injury. Toyota settled suits claiming economic losses for about $1.6 billion. That was the end of Dec., 2012.
Toyota won the three unintended-acceleration claims that previously reached jury verdicts since the recalls. The defense verdicts include injury cases in New York in 2011 and in Philadelphia in June. A Los Angeles jury in October cleared Toyota of fault for the death of a 66-year-old woman.
What's important and what's different about the Oklahoma case is that this case -- among a host of lawsuits filed against Toyota concerning unintended acceleration in its vehicles -- is the first in which the plaintiff has laid the blame squarely on the electronic throttle system.
As a result, this is the first trial in which any jury actually heard expert witnesses such as Michael Barr explaining the software glitches (combined with other factors) that led to the unintended acceleration.
The experts' findings (laid out in the Oklahoma case) in fact led to the one-billion dollar settlement for the economic losses, late last year. But since the case was settled (never went to a trial), the experts' report or testimony has never been made public, and no jury heard the case whose focus was on the electronic throttle system.
Because this case went to a trial in Oklahoma, now for the first time, the public had an opportunity to hear and read what was discussed during the trial. It's a matter of public record now.
The general press probably hasn't had time to look into all the details about the embedded system software malfunctioning.
But watch for the upcoming trial next week in federal court in Santa Ana, Calif.
Attorneys for the plaintiffs in that case plan to argue that defective software caused a Camry to accelerate and crash into the side of a Georgia schoolhouse.
Good questions, sixscrews. From the transcripts, if I understand them correctly, if the car goes into sudden uncommanded (by you) acceleration, you can brake, release the brake for a few tenths of a second, then brake again. But like you say, ramming the shift into reverse should also do the trick, and/or shutting off the engine.
As for Toyota, assuming what we all think we understand is factual, I'm not sure why they can't send out update kits to install. Some of this would be just new firmware that splits out apps better. And they would also want to reapportion tasks to different processing units, to split up this infamous Task X to different hardware (split out the monitoring and fail-safe functions). I'm not sure why this can't be done as a recall. Without any inside knowledge, it seems to me that once the new software architecture has been figured out, replicating it in cars out there now should be doable. We do this type of firmware update, remotely, on our systems, very frequently.
IMHO Toyota should be forced to publish the complete source code of the faulty ECU, as an object lesson to the industry. Clearly it's not suitable for commerce. I can't see how confidentiality can apply when people die. Besides, the threat of having your code exposed might be a better incentive to do better than the risk of dead customers. ... only half joking.