BarrSlides_FINAL_SCRUBBED.pdf?utm_content=bufferb9206&utm_medium=social&utm_source=twitter

Recommendations

Info

TOYOTA’S DEFECTIVE SOFTWARE PROCESSFMEA was incomplete; single points of failure are present! Because: Toyota didn’t adopt a formal safety processPeer reviews not done on OS code and ESP-B2 code! Because: Toyota didn’t perform code reviews; used non-standard OSEKToyota’s own “power train” coding standard not enforced! Because: Toyota didn’t follow through with software suppliersWatchdog supervisor doesn’t detect most task’s deaths! Generally costs less to push the limits than upgrade to faster CPUNo EDAC protection against hardware bit flips46! Generally costs less to make memory chips without EDACIf confident, why let NASA believe there was EDAC?
TOYOTA’S INADEQUATE SOFTWARE PROCESSØ Toyota failed to exercise a safestandard of care for softwareØ Relied too much on vendorsØ Lacked internal expertiseØ Inadequate supervision andtraining of software47Barr Chapter RegardingToyota’s Code Complexity
Page 3 and 4: BOOKS BY MICHAEL BARR1ed: 1999; 2ed
Page 5 and 6: MY REVIEW OF TOYOTA’S SOURCE CODE
Page 7 and 8: ELECTRONIC THROTTLE CONTROLfdadg7
Page 9 and 10: SAFETY-CRITICAL SYSTEMSNot all embe
Page 11 and 12: SUMMARY OF 2005 CAMRY L4 CONCLUSION
Page 13 and 14: NASA DID NOT RULE OUT UA BY SOFTWAR
Page 15 and 16: 15ETCS SOFTWARE MALFUNCTION
Page 17 and 18: TOYOTA’S OPERATING SYSTEM (OSEK)1
Page 19 and 20: MEMORY CORRUPTION AND TASK DEATH0Bi
Page 21 and 22: SOFTWARE CAUSES OF MEMORY CORRUPTIO
Page 23 and 24: TOYOTA’S SPAGHETTI CODETOY-MDL049
Page 25 and 26: STACK ANALYSIS FOR 2005 CAMRY L4OSE
Page 27 and 28: TOYOTA’S MAJOR STACK MISTAKESToyo
Page 29 and 30: TOYOTA FAILED TO COMPLY WITH STANDA
Page 31 and 32: TOYOTA FAILED TO COMPLY WITH STANDA
Page 33 and 34: NASA’S SOFTWARE AREAS OF CONCERNN
Page 35 and 36: LAYER 1: MIRRORING OF CRITICAL VARI
Page 37 and 38: UA VIA MEMORY CORRUPTIONTask X deat
Page 39 and 40: LAYER 2: DTCs AND FAIL-SAFE MODESNA
Page 41 and 42: TOYOTA’S DEFECTIVE WATCHDOG DESIG
Page 43 and 44: TOYOTA FAILED TO REVIEW MONITOR CPU
Page 45: MONITOR CPU IS LAST LINE OF UA DEFE
Page 49 and 50: NASA SOUGHT WHAT BARR GROUP FOUND
Page 51 and 52: INDIVIDUAL TASK DEATH OUTCOMES(Watc
Page 53 and 54: UA FOREVER IF BRAKE ON AT TASK DEAT
Page 55 and 56: OTHER SIMILAR INCIDENT CRITERIAVehi
Page 57: TOYOTA’S EXPERT HAS NOT REBUTTEDM

BarrSlides_FINAL_SCRUBBED.pdf?utm_content=bufferb9206&utm_medium=social&utm_source=twitter

Create successful ePaper yourself

Delete template?

Save as template?