In 2013, a jury found that Toyota had exhibited “reckless disregard” in its response to faulty electronic throttle systems that were causing unintended acceleration. Then, in 2015, Volkswagen admitted its diesel vehicle emissions achievements were a ruse, and earlier this year Mitsubishi revealed that it had manipulated fuel economy tests to exaggerate the fuel efficiency of minicars. Just last month, Suzuki became the latest car maker to admit that it had not been providing accurate information, saying that it had found discrepancies in fuel emissions testing.
Why are so many of the world’s big car makers embroiled in these scandals? And can such scandals be prevented in the future?
In 2009, Toyota began to be targeted with complaints in regard to unintended acceleration in some vehicles. However, the company dismissed these complaints, saying that the problem was the result of floor mats being pushed into positions where they caused accelerator pedals to stick. It wasn’t until fatalities were reported that Toyota was forced to act, finally admitting in 2014 that it had been lying, and that a problem with the electronic throttles was causing the unintended acceleration.
In an article on his Critical Uncertainties blog, Matthew Squair argues that development of the Toyota Engine Control Module (ECM) did not meet two common security/safety principles. The first principle is that the design should be kept as simple and small as possible, and the second principle is that there should be fail safe defaults, where unanticipated design errors or omissions tend to fail in a safe fashion.
In regard to the first principle, rather than being simple and small, Toyota’s throttle code:
…scored over 100 using the McCabe complexity scale indicating it was effectively unmaintainable spaghetti, with the data structures being just as bad. Toyota also failed to separate the system fail safes away from non-safety functions, such as throttle control, which hugely increased the amount of analytical/inspection grunt required to verify system safety properties. Probably making it effectively impossible to verify their performance in practice.
In regard to the second principle:
…Toyota’s design looks good on paper with data mirroring (redundancy), fail safe modes, watchdog supervisor and finally a separate the U6 chip based monitor CPU. But, in reality all these layers were subverted because they failed to ensure:
- that system failures were visible and recorded;
- all critical data was mirrored, thereby assuring the presence of single points of failure due to bit corruptions, most significantly in the OSEK operating systems critical arrays;
- separation (partitioning) of the fail safe (safety mechanisms) from the control functions;
- that the watchdog actually had teeth; and
- that the monitor function didn’t rely on unrealistic driver inputs before it would act, nor result in an unsafe failure mode (engine stall).
Squair accuses Toyota of engaging in an exercise of safety theatre, where the appearance of safety is created through theatrical devices that don’t deliver real safety.
Why would Toyota engage in such theatre, and why did it extend this theatre by initially seeking to deny that there was a problem with the electronic throttles? It would be easy to dismiss these failures as overconfidence by a car maker that had long been lauded for quality and innovation.
However, in an article in Quartz discussing the blunders of Toyota, Volkswagen, and GM, Steven LeVine and Jason Karaian argue that to reach the top, car makers need to cut corners. Economic margins are so tight that success doesn’t come without engaging in inappropriate behaviour.
This reality does not appear to have been considered in the way in which government agencies manage the automotive industry. An industry where safety is paramount but this is put at risk by inappropriate corporate behaviour suggests the need for strict regulation and close independent supervision. However, responsible authorities in Europe, which is home to Volkswagen, did very little for nearly a decade in regard to checking for devices that defeat emissions standards.
Toyota’s flawed electronic throttles led to fatalities, and Volkswagen’s diesel cars and other vehicles that breach emissions standards can cause environmental and social harm. Isn’t it high time that stronger regulation and supervision of car makers was introduced?