Indeed, new technologies offer the opportunity to reduce the significant human carnage that result from driver errors. But these autonomous features can and do fail, taking control away from the driver in ways that are hidden beneath the millions of lines of code, and a multitude of electronic modules, sensors, and algorithms. In addition, these technologies are being tested on the public with government and manufacturer support, but few checks and balances to protect motorists from failures.
We reached out to Gladwell via email to ask him some questions about the reporting process that led to his firm conclusions in contradiction to the factual record. We received no response. We have requested that Slate correct all factual errors. ]
A Tipping Point
We can date our inability to enjoy a Malcolm Gladwell piece to May 4, 2015. That is the day The New Yorker magazine published “The Engineer’s Lament.” Gladwell, a New Yorker staff writer, and author of such popular culture best-sellers as “Blink” and “What the Dog Saw,” specializes in seductively reductive explanations for complex events. “The Engineer’s Lament” was one of Gladwell’s signature challenges to the conventional wisdom, a 7500-plus word article premised on the notion that the public’s demands that the automobiles they drive be reasonably safe were unrealistic.
If only everyone thought like an engineer – logically and rationally – and proceeded in service to the data, we would drive better. We would stop blaming car companies for gas tanks that easily rupture into deadly conflagrations in rear-ends crashes, like the Pinto in the 1970s. We would stop blaming NHTSA for missing the obvious evidence of a safety defect, like the GM ignition switch failure. And we would train our critical eyes on ourselves – average folk, not “car guys” – who, despite our many years of successfully moving our feet between the accelerator and brake pedals without incident suddenly confuse them (coinciding, coincidentally, with the advent of electronic throttle control), like all of those people who reported Unintentional Acceleration (UA) incidents in Toyotas.
And since he strayed into a topic with which we are intimately familiar, The Safety Record realized: Malcolm Gladwell is not a reporter in the traditional sense of a synthesizer of the available information on a particular topic. His approach is more novelistic – he has a story he wants to tell, and finds the most dramatic examples to underpin his narrative arc, and ignores critical context and any data that counters it. Really – how does Gladwell tell the history of Ford’s decision not to recall the Pinto without mentioning the notorious cost-benefit memo that concluded that it was significantly cheaper to pay the death and injury claims than to install a countermeasure that would make it less prone to fuel leaks and explosions?
In May 2015, we contemplated firing off a letter to the editor but, frankly, there was too much to unpack, and we were busy.
Last month, Gladwell re-worked this premise for his podcast “Revisionist History,” a production of Slate Magazine’s new podcasting network, Panoply, and now we have to set the record straight. Entitled “Blame Game,” it purported to prove that pedal misapplication was the real cause for nearly all cases of Toyota UA, and it used Safety Research & Strategies founder and President Sean Kane as a straw man to make his case.
The podcast goes like this: Toyota was forced to recall millions of vehicles for UA, and the official culprits were all-weather floor mats that could entrap the accelerator and sticking accelerator pedals that were slow to return to idle. Gladwell rightly points out that it was unlikely that the vast majority of incidents were tied to either of these causes. But Gladwell argues that the whole controversy – the Congressional hearings, the multi-million dollar fines, Toyota’s criminal fraud conviction, the recalls – were just a folie à plusieurs. The real root cause of the vast majority of UA events is pedal misapplication because brakes always overcome throttle, and because retired (and now deceased) UCLA professor Richard Schmidt said so and, ultimately, because car guys don’t think it could happen any other way. He declares pedal misapplication to be the number one cause of unintended acceleration, and anyone who believes that electronics are to blame is “deluded.” The piece concludes with Gladwell’s observation that people just don’t respect the fact that cars are “complicated” and “mechanical” machines, but if we did, we would stop finding fault with the vehicle and learn to blame UA on our own involuntary brain burps.
Adlai Stevenson once famously quipped “Here is the conclusion on which I will base my facts,” and that pretty much sums up Gladwell’s podcast. In making his case, he mixes apples, oranges, pears and cherry-picked cherries in a Big Bowl of Wrong. He blows past important details, he forgets to mention anything that doesn’t fit his conclusion, he makes assertions supported by zero evidence and he makes factual errors, large and small. Finally, he gives drivers advice that, if followed, could be deadly.
The Saylor Incident
Gladwell bookends his podcast with the tragic deaths of Mark Saylor, his wife, daughter and brother-in-law, Christopher Estrella, who died on August 28, 2009 in a UA event on Highway 125 in Santee, California. Saylor, a 19-year veteran of the California Highway Patrol, was approaching the T-intersection of Highway 125 and Mission Gorge Road in a loaner Lexus ES 350, when his vehicle accelerated. The Lexus reached speeds of up to 100 miles an hour as it entered the intersection, struck a Ford Explorer, and then an embankment. The Lexus became airborne and came to rest in a dry riverbed where it burned for an extended period of time.
Gladwell uses the audio from the 911 call that Estrella made moments before the crash, warning the listener about its graphic content and describing Gladwell’s “hesitation” before deciding to use it. Fair enough – the phone call is a horrific auditory snapshot of four people’s impending deaths. At the same time, the Saylor crash was a watershed event in the Toyota UA crisis.
But Gladwell can’t resist trying to shoehorn the Saylor incident into his thesis about pedal errors: “So why couldn’t Mark Saylor stop his Lexus that way as he sped down Highway 125? I know it sounds ridiculous and tragic but it’s the only logical explanation – because he never put his foot on the brakes.”
Gladwell spends a breathless minute and 20 seconds speculating on how that might have occurred (Imagine a guitar thrumming ominously in the background):
“He’s driving down the highway with the cruise control on both of his feet are on the floor mat he comes up behind a car going slower than he is so he puts his right foot back on the accelerator – hard. But, as he does that, the floor mat slides under the throttle locking it open. Now comes the crucial part: he takes his foot off the accelerator to return to his cruise control speed but the car doesn’t slow down. It surges forward. The throttle is locked open by the floor mat. He’s alarmed. He picks his foot up to hit the brake – but it’s a car he’s not familiar with. It’s a loaner. And he puts his foot on the accelerator instead of the brake and he presses it down expecting the car to slow, but it doesn’t. That’s why Lastrella says the brakes don’t work. And Saylor freaks out. So he presses down harder and the car goes even faster. And he freaks out even more. I think it’s important to note here Saylor isn’t negligent. He’s not at fault. He’s not speeding or running a red light or drunk. He’s making a mistake almost any of us could make under the circumstances. What happened to him at that moment is confusion.”
Unfortunately, the facts, easily available in the public record, contradict this confidently delivered fantasy. As part of Defect Petition 09-001, NHTSA investigators who examined the Lexus indicated that it was a case of floor mat interference, based on a previous report of a pedal entrapment in that loaner ES 350 and physical evidence of the accelerator pedal melted to the upper right corner of an unsecured all-weather floor mat. The condition of the brakes showed that Saylor was clearly braking throughout the incident – hard:
“Rotors were discolored and heated, had very rough surfaces, had substantial deposits of brake pad material, and showed signs of bright orange oxidation on the cooling fins consistent with endured braking. Pads were melted and rough with a considerable amount surface material dislocated to the leading edge. The friction surfaces were burned but somewhat reflective. The edges of the pads were bubbled. The calipers were also heat discolored with heat patterns in the area adjacent to the rotor.”
In addition, witnesses to the Lexus careening wildly around other vehicles with its flashers blinking reported fire coming from the wheels – another indication of braking. In an interview with the San Diego Union-Tribune, San Diego Sheriff’s lead investigator Scott Hill said that there was evidence of: “prolonged heavy, heavy, hard braking….He did everything he could to stop that car.”
There are no living witnesses inside the vehicle, so how the event started and what Saylor did in reaction to it cannot be known for sure. But Mark Saylor was braking, and the only thing that is ridiculous and tragic is Gladwell’s assertion that he was not. He owes the Estrella and Saylor families an apology.
Brakes Always Overcome Throttle
One pillar of Gladwell’s argument is the idea that brakes always overcome the throttle, so if you find yourself in a vehicle that is “suddenly and mysteriously accelerating, all you have to do is step on the brakes, because brakes beat engines!” First, this is not always true. Second, even if brakes do eventually overcome the throttle it does not mean that you will be able to prevent a crash.
To prove this point, Gladwell conducted an “experiment” in which he and three car guys from Car and Driver took a 2003 Toyota Camry to the track at the Chrysler Proving Grounds to show that even with a wide open throttle, the brakes will stop the vehicle. Unfortunately, braking against an open throttle on a track does not replicate a real-world failure.
Time and Distance
You have to have sufficient unencumbered space on a track to bring a racing vehicle to a stop without a crash. On a highway, it may take 900 feet, as it did to the Car and Driver folks, who had previously attempted to put the brakes of a ROUSH Stage 3 Mustang – a powerful sports car – to the braking-at-wide-open-throttle test.
(As Gladwell explains: “If you’re not a car guy, I should explain: ROUSH is an independent company that takes sports cars and basically puts them of steroids.” We should explain that Gladwell, car guy, repeatedly mispronounces the name of the company. It’s “rowl-sh.” Not “roosh.”)
In a parking scenario, the amount of available space is mere inches. So, even if brakes always overcome throttle, it does not ensure that you won’t have a crash that could result in anything from a property damage claim to a fatality.
In 2007, the NHTSA researchers at the Vehicle Research and Test Center tested the braking capacity of Toyota vehicles in wide-open-throttle scenarios. They found that the distances necessary to bring a vehicle at high-speed to a stop increased from less than 200 feet to more than 1,000 feet.
Brake Assist Problems
The problem of braking against an engine operating at high speed is exacerbated by the rapid depletion of the vacuum-assisted brake booster, which multiplies the force used to push on the brake pedal, and brings the vehicle to a stop. If the driver applies the brakes firmly and consistently, he or she, with sufficient time and space, may be able to bring an accelerating car to a stop, although it will take much more force than normal. NHTSA’s 2007 tests showed that “Brake pedal force in excess of 150 pounds was required to stop the vehicle, compared to 30 pounds required when the vehicle is operating normally.” So, that’s more than five times the normal braking pressure.
However, if the driver attempts to pump the brakes, NHTSA testing showed: “With the engine throttle plate open, the vacuum power assist of the braking system cannot be replenished and the effectiveness of the brakes is reduced significantly.”
In 2011, NHTSA published the Vehicle Characterization and Performance Study of Camrys, an examination of 20 Camry vehicles, nine of which had experienced UA. The study tested Camry braking at 65 mph under different conditions – loss of vacuum, full engine power, and differing levels of brake force. It found:
“There were test situations when the accelerator was being fully depressed during braking and the applied brake force was insufficient to stop the vehicle and the test was suspended. This was also the case when the vehicle reached a slow enough speed to downshift to first gear, where the engine torque was sufficient to overcome the prescribed brake force.”
In other words, brakes did not beat engine.
There have been many real-world instances in which people are braking with all of their might and cannot, or only can barely, or don’t have enough time and distance to overcome the throttle. Here are a few:
- Juanita Grossman was a petite 77-year-old woman who died from the injuries sustained from barreling into a building in her 2003 Camry in March 2004. When the emergency medical technicians arrived to transport Mrs. Grossman to the hospital they found her with both feet still jammed on the brake pedal.
- In November 5, 2010, Paul Van Alfen was exiting I-80 West in his 2008 Toyota Camry when he tried to take the vehicle out of cruise control mode. According to witnesses, he went around two stopped vehicles at the end of the ramp, and crashed into a rock wall. The surviving occupants, his wife and son said that Van Alfen was pressing the brake firmly and was communicating this action as the crash unfolded. Van Alfen was killed, as was his son’s fiancé seated in the left rear seat.
- Rhonda Smith experienced a UA event while merging into highway traffic in October 2006 in a 2007 Lexus ES350 with 3,000 miles on it. During the six-mile event, Mrs. Smith’s vehicle reached speeds in excess of 100 mph. The engine would accelerate and decelerate independent of her attempts to stop the vehicle by changing the gears, applying the brakes with both feet and setting the emergency brake. She was finally able to shut off the engine at 33 mph and the Lexus came to a stop. The driver of the tow truck saw the vehicle attempt to start itself as Mr. Smith, who had arrived to assist his wife, put the vehicle in neutral. When NHTSA inspected the vehicle, they found: “The damage indicates excessive brake temperatures and is consistent with the brakes being applied vigorously over an extended period while the vehicle is moving at speed.”
- On December 2, 2010, Timothy Scott, 47, was driving at less than 15 mph, before braking to make a turn into his apartment complex, when he noticed that his vehicle was not slowing. Scott applied the brakes with all of his strength, but the engine was “screaming,” as he later described it, and the tachometer was approaching to “red-line.” Scott was able to slow his vehicle and shift into stop. He attempted to re-start his 2007 Lexus RX twice, but the engine continued to race.
Gladwell apparently is not familiar with the well-known phenomenon. But Neil Hannemann, who advised Congressional committees studying Toyota UA (as did Safety Research & Strategies), and is a car guy’s car guy, says that it is a significant factor in high-speed, long duration-UA events. He was an original Dodge Viper development engineer, the chief engineer for Ford’s 2005-06 GT program, the chief engineer at Saleen Inc. (a manufacturer of specialty high-performance sports cars) and Executive Director of Engineering at McLaren Motorcars in Woking, England.
“Gladwell said they tried ‘every trick in the book,’ but they did not evaluate the loss of vacuum assist, as NHTSA did. Loss of vacuum assist is also a required test for the FMVSS brake certification test,” Hannemann says. “It is hardly even a ‘trick’ yet Gladwell and his band of ‘car guys’ ignored this effect.”
Later in the piece, Gladwell heaps scorn on Jake Fisher, Consumer Reports’ director of auto testing, for advising a driver in a high-speed UA event to take his foot off the accelerator and place his foot on the brake and hold it firmly until the vehicle comes to a stop. Gladwell calls this recommendation “malpractice.”
“No, No, No, the whole problem of unintended acceleration is caused by the fact that people mistakenly think they have their foot firmly on the brake, when they don’t. He needs to say the exact opposite… it is extremely important that you lift your foot off whatever pedal it is on is because chances are your foot is already on the accelerator. Now put your foot firmly on the brake.”
A lack of knowledge is a dangerous thing. Gladwell’s assumption that the driver’s foot is most likely already mistakenly on the accelerator in a high-speed UA is wrong. Donald-Trump wrong. Most high-speed UAs began when the driver’s foot was already on the accelerator. And, if the driver actually already has his foot on the brake, and takes it off – even once – the consequences could be deadly.
“If one is to follow Gladwell’s advice, and remove their foot from the pedal (since he has decided it is always the accelerator pedal) – in the case of jammed accelerator pedals this will not help, it will cause the vehicle to continue to accelerate,” Hannemann says. “If the brake pedal is pressed and released again, then the vehicle will lose the vacuum assist to the brake system. This will cause the vehicle to be difficult to stop, if not impossible for some people.”
Richard Schmidt, Unsung Genius
Gladwell’s second pillar is Richard Schmidt. As Gladwell tells the listener: “Perhaps the most important person in this whole story is Dick Schmidt…the world’s leading expert on how your feet behave when you drive a car.” Dr. Richard Schmidt was a former Stanford University psychology professor, and a proponent of the pedal misapplication theory, in which the driver mistakenly depresses the accelerator, thinking it to be the brake, and continues to compound the error, pressing ever harder, panicked and unable to understand why the brakes aren’t working, until the crash occurs.
This idea gained currency in the 1980s during the Audi UA controversy. At the time, throttle controls were largely mechanical, and pedal misapplication was used to describe a specific type of UA – when upon starting the car and shifting it into gear, the driver intends to hit the brake, but places his or her foot on the accelerator instead. Startled by the forward movement, the driver pushes harder, still believing his foot is on the brake, until the vehicle is stopped by an inanimate object. The driver is unaware of his or her mistake and will never admit otherwise.
In 1989, NHTSA published An Examination of Sudden Acceleration which lent significant credence to this notion. But this theory has no empirical basis and is not well-supported by what little research has been done to test real drivers behavior against this scenario. Even the 1988 Rogers and Weirwille driving simulation study, “The Occurrence of Accelerator and Brake Pedal Actuation Errors During Simulated Driving”, concluded that this type of pedal error (i.e. drivers slamming down the accelerator when they intended to put it on the brake) is very rare. The majority, with maybe one or two exceptions, will correct that problem almost right away.
In a deposition taken by attorney Thomas Murray Jr. in Stimpson v. Ford, Schmidt was unable to explain exactly at what point the driver mis-positions his foot in this sequence which results in what he calls a “classic” UA crash. He also testified that he knew nothing about automotive engineering or electronics, that he had never sought out any such information, and that his “model” is not derived from empirical research, but from a “thought experiment.”
In August 2010, Schmidt was a guest at a gathering of rehabilitation specialists convened by researchers, privately contracted by NHTSA, to explore pedal misapplication as a cause of UA. The transcript of the day-and-a-half meeting of rehabilitation specialists, which SRS obtained through a FOIA request, illustrates that some, who work with clients suffering from a range of cognitive and physical ailments that might actually lead a driver to misapply the pedal, questioned their participation:
“I’ve seen thousands of Alzheimer’s patients, dementia patients; I’ve never seen one make an application error,” said Tom Kalina, of the Bryn Mawr Rehab Hospital in Malvern, Pennsylvania. “I’ve seen people with a lot of cognitive impairments. That’s the one thing they know how to do, just going back and forth between the gas and brake. There’s a lot of other executive functioning errors, but very rarely do I ever see a pedal error. The only time I ever see it is if there’s a sensory problem with the foot, inappropriate reception or numbness. The intention is to do the right thing, but they don’t know where their foot is and they hit the wrong pedal. Just about every case has been that way.”
Schmidt questioned the entire relevance of this panel: “Come on, guys, what is the evidence that anyone of those motor deficits caused unintended acceleration? What’s the evidence?”
Indeed.
People do make pedal errors. But they are rare, and what scant research exists shows that they are almost always self-corrected. If one bothered to read the public record, or the complaints in the NHTSA Vehicle Owner Questionnaires or, even better, interview people who have experienced high-speed, long-duration UA events, one would understand that pedal misapplication is not a cause. These events go on for too long, and people are not static in their responses. They take many actions to try to stop the vehicle, including pumping the accelerator and the brakes, and looking down at their feet to ensure they are pressing the right pedal.
For example, Jeffery Pepski, of Plymouth, Minn., was able to keep his 2007 Lexus from crashing as it sped under its own command for several miles one February evening in 2009, until suddenly stopping. But the incident was so disturbing, he refused to drive the vehicle again and filed a detailed petition to NHTSA in March, describing his nearly uncontrollable drive home, reaching speeds of almost 80 miles per hour. Applying the brakes with all the force he could muster, Pepski was able to slow the vehicle to 40 mph. In his original complaint to the agency, Pepski noted: “I alternated between pumping the accelerator pedal and pulling up on it from the underside with my right foot as it became clear that the throttle was stuck in an open position. The vehicle continued to speed back up to over 65 mph with less pressure on the brake pedal.” Pepski tried pressing the ignition button, and shifting the vehicle into neutral, without bringing the event to an end. Suddenly, the acceleration stopped.
NHTSA tried to squeeze the Pepski incident into its pet floor mat theory, but Pepski’s vehicle only had the OE carpeted mat. Here’s Toyota in an internal May 2009 email explaining NHTSA’s conundrum in dealing with an incident that didn’t conform to conclusions:
“I have discussed our rebuttal with them, and they are welcoming of such a letter, They are struggling with sending an IR letter, because they shouldn’t ask us about floormat issues because the petitioner contends that NHTSA did not investigate throttle issues other than floor mat-related. So they should ask us for non-floor mat related reports, right? But they are concerned that if they ask for these other reports, they will have many reports that just cannot be explained, and since they do not think that they can explain them, they don’t really want them. Does that make sense? I think it is good news for Toyota.”
Floor Mats Cause Pedal Misapplication?
Floor mats have been implicated in some UA events. This occurs when the edge of the accelerator pedal becomes trapped in the groove of a heavy all-weather floor mat. Gladwell has another theory: the real reason that floor mats are implicated in UA events is because “they throw off the expected geometry of the car. A big, thick winter mat stacked on top of an existing mat raising the floor of the footwell and makes the accelerator and brake seem much closer to your right foot and if you are in a strange car, that just increases the odds of impulse variability. It’s one of the little things that leads to a garble between intention and action.”
There is zero evidence that this occurs.
In 1989, Schmidt, the “leading expert” on where drivers place their feet, “and perhaps the most important person in his story,” postulated that in UA, “the farther the foot is from the intended pedal when the driver initiates a movement toward it, the larger the variable errors will be in hitting the pedal (due to the greater force).”
Revisionist History?
“Blame Game” does not revise the history of UA in the least. Gladwell merely recounts the official record that, to this day, only acknowledges mechanical causes and driver error as the causes of UA, going all the way back to the Audi Sudden Acceleration controversy.
Audi became the poster child for what was then called Sudden Unintended Acceleration (SUA) after more than 1,000 consumers alleged that their Audi 5000 vehicles had accelerated without driver input; 175 had been injured and four died in SUA crashes. The company denied that there was anything wrong with the vehicles and blamed the problem on shorter than average drivers who did not have much experience driving an Audi. These confused drivers had mistakenly depressed the gas pedal when they meant to step on the brake, Audi said. Between 1982 and 1987, Audi issued six recalls to address SUA in its vehicles: one shielded the accelerator pedal to prevent floor mat entrapment; another moved the brake pedal to prevent pedal misapplication; three recalls replaced worn idle stabilizer units. The final recall added a brake-to-shift interlock, which prevents drivers from shifting the vehicle out of park unless the brake is applied. That component is now nearly an industry-wide standard.
Gladwell conflates the Audi explanations – short drivers who were unfamiliar with the vehicle and experienced an incident upon start-up – with the Toyota UA incidents. There is no evidence to link the two.
If Gladwell truly wanted to revise history of Toyota UA, he would focus on the electronic/software causes which have been given short shrift, and he would take the time to understand the nuances that make Event Data Recorders (EDR) less-than-objective and unassailable witnesses to crashes. He might have read “Technical Support to the National Highway Traffic Safety Administration (NHTSA) on the Reported Toyota Motor Corporation (TMC) Unintended Acceleration (UA) Investigation,” the January 2011 NHTSA-NASA report which concluded: “Due to system complexity which will be described and the many possible electronic software and hardware systems interactions it is not realistic to prove that the ETCS-i cannot cause UAs. Today’s vehicles are sufficiently complex that no reasonable amount of analysis or testing can prove electronics and software have no errors. Therefore, absence of proof that the ETCS-i caused a UA does not vindicate the system.”
Retired NASA Failure Analyst Norman Helmold, who worked on the NASA Engineering Safety Center team that looked at Toyota UA, said that Gladwell’s single-minded pursuit of pedal misapplication left him “speechless. There’s more than one cause of unintended acceleration; there’s more than two causes, and there’s more than three.”
He is currently working on a technical paper further analyzing NHTSA Vehicle Owners Questionnaires involving UA complaints for 1998-2010 model year Toyota vehicles that the NESC team “reviewed with the objective of exploring clues of potential failure modes.”
Helmold says that project managers never completed a thorough analysis of the data, which was unfortunate, because they clearly show that the hazard risk estimate for the Camry rose significantly after Toyota installed electronic throttle controls. What that means is that drivers experienced UA events in Camry vehicles with mechanical throttles – via pedal misapplication, trapped accelerator pedals or mechanical causes, such as bound Bowden cables – and continued to experience the problems with those root causes after the introduction of Toyota’s Electronic Throttle Control System Intelligent. But the sharp upward tick after Toyota implemented ETCS-i shows that additional mechanisms of UA were likely introduced.
“On some of the Toyota car models, after 2002, the hazard rate estimate goes up and stays way up by three to six times, indicating that electronics probably introduced a whole new family of problems that were not present when the Toyotas were mechanical,” he says. “In 2010, this would have told [the NESC team] which cars to look at. The models with higher hazard rate are very similar – they have common chassis components. “
And, the NESC report shows that Toyota’s main defense in previous UA investigations is false. The team found scenarios in which engine speed can be increased, RPMs can surge, and the throttle can be opened to various degrees in contradiction to the driver’s command and not set a Diagnostic Trouble Code. The NESC team uncovered numerous design inadequacies in Toyota’s electronic architecture, as well as thousands of software coding violations.
The NESC team found several ways that Toyota’s electronic throttle control system could cause a UA event.
Among those was one real-world cause of electronic malfunction: tin whiskers in the APP Sensor of potentiometer-type pedals. Tin whiskers are hair-like structures which can cause electrical shorts. The team found the presence of this well-known electronics phenomenon in virtually every potentiometer accelerator pedal assembly inspected. The NESC report document says that the NESC team found 17 tin whiskers long enough to be easily seen using a hand lens and a bright light, in Toyota Camry vehicles that had shown driving misbehaviors they examined. Two of these tin whiskers were long enough (more than a millimeter) to bridge between connectors inside the potentiometer. One caused a short circuit between these connectors that resulted in an electrical misbehavior while driving, but could clear later when the car is inspected.
The NESC team showed that the pedal potentiometers in Toyota Camry vehicles in the 2002-2006 model years grow whiskers during the natural aging of the car, and these tin whiskers can create shorts between connectors that induce misbehaviors.
Further, the team found that the bridging tin whisker induced a ‘galloping mode’ in the car’s behavior: when one’s foot was applied to depress the pedal, the engine did not respond to the first part of the pedal-depression, but would continue to run at idle. However, if the driver – in search of a response — pressed the pedal far enough, it would elicit a sudden engine speed up that would rapidly take the car into the range 20 to 25 mph. Removing the foot from the pedal would return the engine speed to idle. The brakes would work. The “fault indication” would clear after the car was started several times.
“Not in the NASA report is the list of reports of accidents in which a car is claimed to suddenly develop this ‘galloping mode’, and then strike people, as the driver is not able to adjust to this sudden change in behavior. Examination of the records will show many such claims,” says Dr. Henning W. Leidecker, Jr. the chief Failure Analyst at NASA Goddard Space Flight Center, and a member of the team that found the tin whiskers.
Rigged UA Tests
Exhibit C in Gladwell’s prosecution of electronic errors is an ABC story by reporter Brian Ross in which he attempted to show how a short circuit in the accelerator pedal position sensor could cause a Camry to go to wide-open throttle, based on the research of Dr. David Gilbert of Southern Illinois University Carbondale. Ross and ABC were criticized for a misleading edit in which a shot of the tachometer spiking at 6,000 RPMs purported to occur while the vehicle was underway, was actually induced while the vehicle was in park and the door was ajar. A month after the story aired, on February 22, the recently shuttered gossip and politics website Gawker reported that sharp-eyed viewers noted the lighted telltales in the shot showing that the parking brake was on and a door was open. ABC admitted the error and acknowledged Gawker’s story pointing it out. The network explained that it had swapped shots because the video taken while the vehicle was moving was too shaky.
Like most of the podcast, Gladwell doesn’t quite get it quite right. He says that the story aired in March and involved a Prius that ABC rigged to give a fake demonstration of UA. Gladwell was conflating Ross’s February 22, 2010 story about simulating a UA event in a Camry with a March 2010 story about James Sikes, a 61-year-old Prius owner who alleged that his vehicle accelerated suddenly and would not respond to hard braking. His struggles to regain control of his vehicle were observed by a California Highway Patrol officer, who was called to the scene, and recorded it on a 911 tape. The police report noted that the Prius’ brakes were burnt out and that an examination of Sykes’ vital signs by emergency medical personnel immediately after the event showed he had very high blood pressure and heart rate. The police did not charge Sikes.
Gladwell brings in Patrick George, an editor of Jalopnik, a Gawker-affiliated automotive site, to deliver the coup de grâce:
“They got a university professor to cut three wires within the electronic throttle system and then connect two of the wires to each other in a specific pattern with a specific resistor to create a link between the two final wires, with a switch so that he could control it. In other words this vehicle was rigged. It was rigged in such a way that you would never produce these results in real life.”
Gilbert is an associate professor of automotive technology who has taught automotive electronics diagnostics for 30 years to students who are frequently hired by car companies as high-level technicians in their field service divisions. He has also been hired by automakers, such as Honda, to develop technical teaching materials for their vehicle electronics instructors. His preliminary research showed that there are conditions under which the redundancy of Toyota’s electronic circuitry in the electronic throttle control is lost, resulting in a wide-open throttle without the generation of an error code. Gilbert’s research was simply born of curiosity – Toyota UA had become a staple of the nightly news, and he had just purchased a Toyota Tundra. Gilbert wanted to understand how a vehicle could have an uncommanded acceleration without setting an error code.
Gilbert’s preliminary tests, done for Safety Research & Strategies and presented to Congress, focused on the Accelerator Pedal Position Sensor (APPS), a high-priority sensor which electrically coveys the driver’s commands. The sensor system contains two circuits as a failsafe – if one fails the other is programmed to witness the failure (i.e. lodge a fault code in the Electronic Control Module) and put the vehicle into a limp-home mode. However, if the circuit redundancy is lost, the failsafe system no longer works as programmed. The system will not detect an error – no “Diagnostic Trouble Codes” are set. Further, without a redundant failsafe, the Electronic Control Module (ECM) can be induced into a wide-open-throttle condition without any input from the driver. For example, simply increasing the voltage to the APP Sensor while in a compromised state can result in an uncommanded wide-open throttle condition, with no detectable codes. These scenarios can occur because the Toyota failsafe parameters are broad – the design allows a wide window of opportunity for problems to occur that are not seen by the system as abnormal
Toyota commissioned the science-for-hire firm Exponent to attack Gilbert’s work. In a March 2010 report, Exponent concluded: “Dr. Gilbert has presented no evidence of his postulated sequence actually occurring in a real vehicle, or even evidence of an incipient event (e.g., signs that a resistive fault was developing), and did not look at any incident vehicles for “fingerprints” of any such fault.”
Gilbert never claimed that Toyota UA was caused by short circuits in the APP Sensor; he was testing the fault detection system. However, the NASA failure analysts who examined Camry accelerator pedals found that short-circuits in the APP Sensor, capable of inducing a wide-open throttle, could happen in the real world via the growth of tin whiskers bridging circuits. Leidecker says that the argument that these faults could not occur in the real world “is an ignorant claim.”
In a 2014 St. Louis Post- Dispatch story, Leidecker praised Gilbert’s work:
“Leidecker and other NASA scientists were so taken by Gilbert’s research that they call the unique sequence of events required for a pedal sensor to short out ‘the Gilbert Mechanism.’
‘I think he’s a hero. What he found was ingenious,’ Leidecker said.”
Edmund’s Inability to Award its Million Prize Proves Driver Error
Gladwell does not address the possibility of an electronic malfunction, except to marvel at Edmunds.com’s inability to award a million dollar prize to anyone who could prove that UA could be caused by the vehicle. Edmunds, a web-based car-selling company, offered this prize in 2010 at the height of the Toyota UA scandal. In Gladwell’s mind, the unclaimed million dollars is the ultimate proof that there is no cause other than pedal misapplication. He sneers at Kane for calling the Edmunds offer a stunt with little probative value:
“Remember Sean Kane – Mr. Sudden Acceleration – the guy with the software coding gone awry theory? Not even he wants the million dollars. A media circus? Kane doesn’t want to try to win a million dollars? Because it’s a media circus? I’ll tell you what’s a media circus: the entire Toyota sudden acceleration scandal, because people like Sean Kane insisted that there’s some elaborate electronic cover-up behind it. Because people like Sean Kane couldn’t admit that this was just overwhelmingly a matter of human error.”
And, neither had plaintiffs’ lawyers alleging electronic software defects in fatality and injury UA crashes sought the prize, says the website’s Director of Testing Dan Edmunds, “because of the nature of litigation, they probably wanted to focus on that.”
As Gladwell mentions, Toyota now settles its UA litigation. But it’s not due to a case of mass hysteria. It’s because of one particular case: Bookout and Schwarz v. Toyota.
In September 2007, Jean Bookout and her friend and passenger Barbara Schwarz were exiting Interstate Highway 69 in Oklahoma in a 2005 Camry. As she sped down the ramp, Bookout realized that she could not stop her car. She pulled the parking brake, leaving a 100-foot skid mark from right rear tire, and a 50-foot skid mark from the left. The Camry, however, continued speeding down the ramp, across the road at the bottom, and finally came to rest with its nose in an embankment. Schwarz died of her injuries; Bookout spent two months recovering from head and back injuries.
In October 2014, an Oklahoma jury determined that Toyota acted with “reckless disregard,” awarding $1.5 million in damages to Bookout and another $1.5 million to the Schwarz family. But before the trial could move to the punitive damages stage, Toyota quickly settled the case.
The case turned, in part, on the testimony of two plaintiff’s experts in software design and the design process, who reviewed Toyota’s software engineering process and the source code for the 2005 Toyota Camry, and concluded that the system was defective and dangerous and riddled with bugs and gaps in its failsafes that led to the root cause of the crash.
Michael Barr, a well-respected embedded software specialist, spent nearly 20 months reviewing Toyota’s source code at one of five cubicles in a hotel-sized room staffed by security guards, who ensured that entrants brought no paper in or out and wore no belts or watches. Barr testified about the specifics of Toyota’s source code (see trial transcript and his slides) based on his 800-page report. Phillip Koopman, a Carnegie Mellon University professor in computer engineering and safety critical embedded systems specialist who authored a textbook, Better Embedded System Software, and performs private industry embedded software design reviews, including some for the automotive industry, testified about Toyota’s engineering safety process (part 1 and part 2). Both used a programmer’s derisive term for what they saw: spaghetti code – badly written and badly structured source code.
Barr testified:
“There are a large number of functions that are overly complex. By the standard industry metrics some of them are untestable, meaning that it is so complicated a recipe that there is no way to develop a reliable test suite or test methodology to test all the possible things that can happen in it. Some of them are even so complex that they are what is called unmaintainable, which means that if you go in to fix a bug or to make a change, you’re likely to create a new bug in the process. Just because your car has the latest version of the firmware — that is what we call embedded software — doesn’t mean it is safer necessarily than the older one. And that conclusion is that the failsafes are inadequate. The failsafes that they have contain defects or gaps. But on the whole, the safety architecture is a house of cards. It is possible for a large percentage of the failsafes to be disabled at the same time that the throttle control is lost.”
Even a Toyota programmer described the engine control application as “spaghetti-like” in an email Barr read into his testimony.
Koopman was highly critical of Toyota’s computer engineering process. The accepted voluntary industry coding standards were first set by the Motor Industry Software Reliability Association (MISRA) in 1995. Accompanying these rules is an industry metric, which equates broken rules with the introduction of a number of software bugs: For every 30 rule violations, you can expect on average three minor bugs and one major bug. Toyota made a critical mistake in declining to follow those standards, he said.
When NASA software engineers evaluated parts of Toyota’s source code during their NHTSA contracted review in 2010, they checked 35 of the MISRA rules against the parts of the Toyota source code to which they had access and found 7,134 violations. Barr checked the source code against MISRA’s 2004 edition and found 81,514 violations.
Toyota substituted its own process, which had little overlap with the industry standard. Even so, Toyota’s programmers often broke their own rules. And they failed to keep adequate track of their departures from those rules – and the justification for doing so – which is also standard practice. Koopman testified that if safety is not baked into the recipe in the process of creating the product, it cannot be added later.
Barr and Koopman persuaded the jury that Toyota’s process was so flawed, and its software so tangled, that electronics were most certainly the cause of the Bookout crash.
Source code is proprietary; and even if an automaker willingly let an outsider examine it to find the weaknesses in the system – which it wouldn’t – the task would cost more than $1 million to go through the code line by line as Barr did. So Edmunds did not take any risks in offering a prize, and no serious expert would even consider it.
What a Car Is and What It Isn’t
Central to Gladwell’s podcast is a paradox. A car is: “a complicated mechanical object that requires attention and skill to be operated safely.” At the same time: “Cars do not have minds of their own; they just do what the driver tells them to do.”
Neither of these statements is correct. The cables and rods that once linked the accelerator to the throttle butterfly began to pass into history in 1988, when BMW introduced the first electronic throttle controls in its 7-Series. According to a 2009 IEEE story This Car Runs on Code: The “current S-Class Mercedes, for example, had 20 million lines of code and nearly as many ECUs as the new Airbus A380… Even low-end cars now have 30 to 50 ECUs embedded in the vehicle.” As Kane pointed out in the “Blame Game” podcast, the F-35 Joint Strike Fighter is running on about 7 million lines of code; a luxury car today can run on 100 million lines of code – the complexity is exponentially greater.
When a driver depresses an accelerator pedal, he is not controlling a Bowden cable. Virtually all vehicles produced today employ electronic throttle systems that rely on sensors to relay the driver’s intentions to the engine control module, a computer that controls the opening and closing of the throttle. The ECU makes the decision, based on algorithms, and acting in concert with other vehicle systems to honor that request. Or not. Like any electronics, these systems can be subject to error – caused by electrical shorts, mis-manufactured microchips or faulty software – and may not leave a trace.
The industry is well aware of the problems that have been caused by the proliferation of automotive electronics. In 2003, Mercedes removed 600 electronic functions because of quality concerns. Executives at Bosch, a major global supplier, declared at a 2004 industry meeting that there was direct correlation between the size of a vehicles’ electronic architecture and the number of defects. Other industry experts have acknowledged that automakers have overloaded vehicles with electronics without understanding how these systems, which might work well in isolation, operate together.
This complexity means that a vehicle does not always do what the driver tells it to do. For example, in 2013, Honda recalled 344,187 2007 and 2008 model year vehicles because of a combination of system components and software malfunctions that caused the Vehicle Safety Assist System to apply the brakes unexpectedly and hard – without illuminating the brake lights. In July 2015, Toyota recalled 713,000 Toyota Prius vehicles to fix a software malfunction that could cause the vehicles to automatically shut down while underway and go into limp-home mode.
Vehicle ECUs are processing and interpreting hundreds of signals in milliseconds to determine what actions it will take and how they will be done. Even when a vehicle functions as designed, it does not follow all of the driver’s commands. For example, today’s cars will not obey a driver’s command to keep the throttle at wide open for very long. In most modern vehicles, the driver can depress the accelerator pedal to the floor with the car in Park and the engine may race for a few minutes. But even with the pedal held down the software interprets the driver’s actions as unwarranted and reduces the engine RPMs. When accelerating hard on a slick surface, many vehicles will cut the engine power and apply the brakes when wheel spin is detected. This is a far cry from mechanical controls that followed simple driver inputs.
As the industry speeds toward self-driving cars, Gladwell’s assertion that drivers exert complete control over a vehicle is sweetly old-fashioned, if wrongheaded. It certainly isn’t the pronouncement of a car guy.
Car Guys
One thing is clear: If you own a Porsche, you will instantly have Gladwell’s regard. For example, in “The Engineer’s Lament,” he mentions that his main character – Denny Gioia, who worked Ford’s recall office in the 1970s – “is a car guy. His everyday drive is a 2013 Porsche 911 S, and his weekend ride is a red 1979 Ferrari 308 GTS – the kind with an engine that can rattle windows.” In “Blame Game”, he tells us that Schmidt is a remarkable man, because, among other achievements “he owned five Porsches and raced cars – a car guy.”
And that’s because Malcolm Gladwell is also a car guy. As he tells us: at age 13 he sent away for the marketing brochures for every vehicle in the world, except the Russian-made ZiL, and he still has them. And “Blame Game” is littered with references to the things car guys know, such as, car guys call the accelerator pedal the throttle.
Car guys do know a lot about some aspects of cars. But they don’t know everything about cars. The days when you could throw open the hood and identify every mechanical part that made your car stop and go are gone. Detecting intermittent electronic or software-related faults is difficult, and you will never find them by driving a 2003 Camry around the Chrysler Proving Grounds.
But some car guys, we notice, are so in love with their enthusiasm for cool cars, that they don’t realize or acknowledge their own information gaps. For them, the world is divided between car guys and the rest of us poor slobs. A car may be a “complicated and dangerous” machine, as Gladwell says. But it is also a mass-produced consumer commodity, and you shouldn’t have to know what a ROUSH Stage 3 Mustang is – or how to pronounce it – to be able to make it stop and go without incident. So they tend to dismiss the lived experience of the average every-day driver, even as that driver is giving them important information about a defect.
And a car guy’s confidence can lead to the kind of arrogance that causes one to assert that a highway patrol officer who was braking his vehicle in an attempt to save his life and those of his family never put his foot on the brake in clear contradiction to the record, or that pedal misapplication is the “number one” cause of UA, or tell a driver in a UA incident that all he or she has to do is apply the brakes – and, by the way, take your foot off the brake, because you are actually stepping on the accelerator. The kind of arrogance that leads you to call anyone who does not accept the received truths of Richard Schmidt “deluded,” “nutty” “crazy” or “insane.”
In Conclusion
In pushing pedal error, Gladwell would have done better to stick to parking scenarios, which make up the vast number of UA complaints. In these circumstances, drivers are moving their feet between the accelerator and the brake, so the pedal error theory is at least more plausible, although it would still be inaccurate to call it the number one cause of UA, and there is plenty of evidence to suggest that it is not the cause of most UAs.
But fender-benders don’t produce frantic 911 calls. And parking lots aren’t nearly as much fun as test tracks.
UA events occur in parking scenarios, they occur on neighborhood streets when the driver is going 30 mph, and they happen on highways in high-speed, long-duration events. There’s too much variation in the data to definitely state there is only one cause. NHTSA tried for nine years. To this day, Toyota UA events are still occurring – long after the media circus struck this particular tent and moved on. Drivers are still lodging complaints with NHTSA, and the issue shows up frequently in the death and injury claims that manufacturers must file quarterly with the agency as part of their Early Warning Reporting obligations. For two years, The Safety Institute has published a list of the top fifteen vehicle defects, by make, model, model year, and coded defect component, associated with the most death and injury claims, as a means of determining what potential defects might need further investigation. The Toyota Camry – in various model years – has made the list every quarter for speed control issues.
UA remains a controversial topic because it is a multi-root cause phenomenon – and because pinpointing intermittent electronic and software-related problems is very difficult and costly. Blaming all UA events on the humans who drive the cars, as opposed to the humans who design or build the cars, in the age of drive-steer-and-brake-by-wire is merely convenient. Like a car, this story is complicated. And misinformation promulgated by podcasts like “Blame Game,” riddled with factual errors, bad assumptions, logical fallacies, poor reporting and poor sources, is one of the reasons that the debate rages on.
Gladwell plays the blame game, too, but he cheats.
