
That's interesting. Toyota would be one of the last companies I'd expect to hear that about. They're notorious in Quality circles for taking Quality seriously, at least as far as their production line is concerned. Do they not apply that same philosophy to in-house software?


The investigations carried out for unintended acceleration in Toyotas didn't paint a good picture.

https://www.safetyresearch.net/blog/articles/toyota-unintend... https://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_...


Damn...

- "No configuration management"

- "No bug tracking system"

- "No formal specifications"

- "9,273 – 11,528 global variables"

- "Uses recursion, no mitigation for stack overflow. Memory just past stack is OSEK RTOS area"

I thought of Toyota as a much better company in terms of safety and reliability. I can't imagine other manufacturers and their code.
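The "recursion with no mitigation for stack overflow" finding quoted above is about data-driven recursion whose depth nothing in the code bounds. The following C is an added example, not code from the report or from Toyota/Denso: it walks a constructed node table once with an explicit depth budget and once iteratively with a fixed pending stack and a step budget, so a deep or cyclic table produces an error code instead of running past the task stack. MAX_DEPTH, MAX_NODES and the node table are assumptions made for the example.

```c
#include <stdint.h>

/* Constructed example, not Toyota/Denso code. A small table of nodes is walked
 * as a binary tree; the point is that stack use is bounded by the code, not by
 * whatever the data happens to contain. */
#define MAX_NODES 16
#define MAX_DEPTH 4   /* assumed per-task recursion budget, chosen for the example */

typedef struct { int16_t value; int8_t left; int8_t right; } node_t;   /* -1 = no child */
static node_t g_nodes[MAX_NODES];

typedef enum { WALK_OK, WALK_DEPTH_EXCEEDED, WALK_BAD_INDEX, WALK_STEP_BUDGET } walk_status_t;

/* Depth-bounded recursion: each descent spends one unit of an explicit budget,
 * so at most MAX_DEPTH frames are ever on the stack, whatever the data says. */
walk_status_t sum_bounded(int8_t idx, uint8_t depth, int32_t *out) {
    if (idx < 0) return WALK_OK;                          /* empty subtree */
    if (idx >= MAX_NODES) return WALK_BAD_INDEX;
    if (depth >= MAX_DEPTH) return WALK_DEPTH_EXCEEDED;   /* fail closed, do not descend */
    *out += g_nodes[idx].value;
    walk_status_t s = sum_bounded(g_nodes[idx].left, depth + 1, out);
    return (s != WALK_OK) ? s : sum_bounded(g_nodes[idx].right, depth + 1, out);
}

/* Iterative equivalent with a fixed explicit stack and a step budget, the usual
 * answer when recursion is banned outright. A cyclic table exhausts the step
 * budget instead of looping forever; a wide tree fills the pending array and
 * fails closed instead of growing it. */
walk_status_t sum_iterative(int8_t root, int32_t *out) {
    int8_t pending[MAX_DEPTH + 1];
    uint8_t top = 0, steps = 0;
    if (root >= MAX_NODES) return WALK_BAD_INDEX;
    if (root >= 0) pending[top++] = root;
    while (top > 0) {
        if (++steps > MAX_NODES) return WALK_STEP_BUDGET;   /* more visits than nodes: cycle */
        int8_t idx = pending[--top];
        *out += g_nodes[idx].value;
        int8_t kids[2] = { g_nodes[idx].right, g_nodes[idx].left };
        for (int k = 0; k < 2; k++) {
            if (kids[k] < 0) continue;
            if (kids[k] >= MAX_NODES) return WALK_BAD_INDEX;
            if (top >= MAX_DEPTH + 1) return WALK_DEPTH_EXCEEDED;  /* pending stack full */
            pending[top++] = kids[k];
        }
    }
    return WALK_OK;
}

/* Constructed data: a 3-level tree at 0..4, a 6-node chain at 8..13 (deeper
 * than MAX_DEPTH), and a self-referencing node at 14. */
void setup_nodes(void) {
    node_t tree[] = { {1, 1, 2}, {2, 3, 4}, {3, -1, -1}, {4, -1, -1}, {5, -1, -1} };
    for (int i = 0; i < 5; i++) g_nodes[i] = tree[i];
    for (int i = 8; i < 14; i++) {
        g_nodes[i].value = 10; g_nodes[i].right = -1;
        g_nodes[i].left = (int8_t)(i < 13 ? i + 1 : -1);
    }
    g_nodes[14].value = 7; g_nodes[14].left = 14; g_nodes[14].right = -1;
}
```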


The slides are very bad quality work; the guy clearly never worked in the automotive world. Example: the automotive safety norm is called ASIL (ISO 26262), and it is perfectly OK to have a single ADC chip sampling the accelerator pedal input. SIL safety levels require much more redundancy than ASIL, which is aimed at enabling carmakers to build affordable yet safe systems.

Another is the race conditions. Unless Toyota/Denso is very stupid, I really doubt that more than one thread is running on the CPU, because automotive OSEK typically runs in lock-step mode, meaning everything is run in one sequential thread, even if there are several CPU cores.

Thirdly, global variables, as there is just one thread, are a perfectly OK thing to use, provided you add a special thing in the OS which guarantees that all inputs are frozen when a block of functions is called.

It is a very oriented slideshow with unproven claims; he discredits himself.


Jesus...

Thanks for posting that. That was a horrifying read. I'm at a loss for words.

Looks like I've got some more reading to do...


The Toyota / Arthur Deming quality philosophy is really applicable to repeatable processes, where quality control means detecting abnormal variation amidst normal variation.
