[SystemSafety] Automobile Safety-Critical Kit (Bookout v. Toyota Motor transcript)
Heath Raftery
hraftery at restech.net.au
Sun Nov 3 23:14:59 CET 2013
Responses grouped below, since a couple of people have asked the same
questions:
On 3/11/2013 10:51 PM, Peter Bernard Ladkin wrote:
> The comment on the Beasley Allen WWW site makes much of the skid marks.
Yeah, that's very confusing data. They made a mess of discussing it in
the transcript too - silly claims about the hand (park/emergency) brake
vs the foot (service) brake. It seems to me that some clear conclusions
about speed and brake usage should be determined from that evidence, but
I didn't see that spelled out anywhere.
> Can you cite the document which says that the crash recorder records accelerator-pedal depression
> and no brake-pedal depression?
Only that I copied it from the Slashdot discussion on the topic. Again,
it's frustrating that conclusions from the crash recorder data are not
spelled out somewhere (that I could find).
> What could the cross-examiner have done? Barr has apparently established defects in the code, and
> the only counter would be that *those* defects were not active during the accident in question.
Unfortunately the transcript appears to have been pulled so I can't give
you specifics. But the examiner gets stuck in these useless loops trying
to get Barr to admit, as you say, negatives. Barr does exactly what he
should and says his work doesn't (and couldn't) answer those questions.
The examiner keeps pushing these ridiculous dead-ends and Barr just
keeps responding "I don't know", "I didn't say that", "that's impossible
to determine". It reminded me of some court parody!
What the cross-examiner could have done was ask questions that could
have been answered - does the crash recorder data line up with your
demonstrated failure sequence? What stops someone using the brake to
stop the car, even if UA were to occur? Was cruise control even enabled
at the time of the crash?
> Barr used fault-injection techniques, which is an obvious choice if the kit isn't using EDAC, and he
> found faults which allow UA. Ipso facto, they exist. How on earth are you going to establish that
> they didn't manifest in the specific accident under review? I imagine the manufacturer was well
> aware of what was going on, and had no suitable way of responding.
By suggesting that leaving a freeway is a strange time to enable cruise
control. By going through the crash recorder and crash site data to show
whether the car behaved contrary to its inputs. By finding another cause
for the accident and evoking Occam's razor. No, there's no definitive
way, but that's what courts are for - establishing beyond reasonable doubt.
> I agree with Martyn that effective software-quality enhancement practices need not cost more.
I was so pleased to hear that that I forwarded Martyn's comments
straight to my boss!
Regards,
Heath