BarrSlides_FINAL_SCRUBBED.pdf?utm_content=bufferb9206&utm_medium=social&utm_source=twitter

Recommendations

Info

UNREASONABLE SINGLE POINTS OF FAILURESafety critical systems shouldn’t have single points of failure! This is the normal mode of design in automotive industryToyota tried to mitigate such risks, including in software! But missed some dangerous single points of failureFailed to prevent or contain faults …! There are single points of failure in the ETCSSome demonstrated in 2005 and 2008 Camry L4 vehiclesUnpredictable range of vehicle misbehaviors via task deathOther memory corruptions can be expected50Barr St. John Report
INDIVIDUAL TASK DEATH OUTCOMES(Watchdog should have detected them all!)Task DeathResponse (Fail-Safe)Task DeathResponse (Fail-Safe)taskECM Reset (watchdog)spark on cyl. 4Not Detectedwheel speedNot Detectedspark off cyl. 4Not Detectedcrank speedNot Detectedfuel injectionstall (mechanical)engine speedNot DetectedtaskNot Detectedtaskstall (comm. Check)30° med stall (mechanical)motor controlif accel change stall (sys guards)Task Xif brake change cut-stall (echo)spark on cyl. 1Not Detectedduty solenoidNot Detectedspark off cyl. 1Not Detectedtaskif accel change cut (echo)spark on cyl. 2Not Detectedtaskif brake change cut (echo)spark off cyl. 2Not Detectedtaskstall (immobilizer)spark on cyl. 3Not Detected30° low Not Detected51spark off cyl. 3Not DetectedtaskNot DetectedSources: Arora and Loudon Vehicle Testing; source code analysis. Legend: “Not Detected” means in at least one vehicle test.
Page 3 and 4: BOOKS BY MICHAEL BARR1ed: 1999; 2ed
Page 5 and 6: MY REVIEW OF TOYOTA’S SOURCE CODE
Page 7 and 8: ELECTRONIC THROTTLE CONTROLfdadg7
Page 9 and 10: SAFETY-CRITICAL SYSTEMSNot all embe
Page 11 and 12: SUMMARY OF 2005 CAMRY L4 CONCLUSION
Page 13 and 14: NASA DID NOT RULE OUT UA BY SOFTWAR
Page 15 and 16: 15ETCS SOFTWARE MALFUNCTION
Page 17 and 18: TOYOTA’S OPERATING SYSTEM (OSEK)1
Page 19 and 20: MEMORY CORRUPTION AND TASK DEATH0Bi
Page 21 and 22: SOFTWARE CAUSES OF MEMORY CORRUPTIO
Page 23 and 24: TOYOTA’S SPAGHETTI CODETOY-MDL049
Page 25 and 26: STACK ANALYSIS FOR 2005 CAMRY L4OSE
Page 27 and 28: TOYOTA’S MAJOR STACK MISTAKESToyo
Page 29 and 30: TOYOTA FAILED TO COMPLY WITH STANDA
Page 31 and 32: TOYOTA FAILED TO COMPLY WITH STANDA
Page 33 and 34: NASA’S SOFTWARE AREAS OF CONCERNN
Page 35 and 36: LAYER 1: MIRRORING OF CRITICAL VARI
Page 37 and 38: UA VIA MEMORY CORRUPTIONTask X deat
Page 39 and 40: LAYER 2: DTCs AND FAIL-SAFE MODESNA
Page 41 and 42: TOYOTA’S DEFECTIVE WATCHDOG DESIG
Page 43 and 44: TOYOTA FAILED TO REVIEW MONITOR CPU
Page 45 and 46: MONITOR CPU IS LAST LINE OF UA DEFE
Page 47 and 48: TOYOTA’S INADEQUATE SOFTWARE PROC
Page 49: NASA SOUGHT WHAT BARR GROUP FOUND
Page 53 and 54: UA FOREVER IF BRAKE ON AT TASK DEAT
Page 55 and 56: OTHER SIMILAR INCIDENT CRITERIAVehi
Page 57: TOYOTA’S EXPERT HAS NOT REBUTTEDM

BarrSlides_FINAL_SCRUBBED.pdf?utm_content=bufferb9206&utm_medium=social&utm_source=twitter

Create successful ePaper yourself

Delete template?

Save as template?