Toyota Unintended Acceleration

Between 2009 and 2011, a wave of complaints alleged that certain Toyota and Lexus vehicles accelerated without the driver pressing the pedal, in some cases fatally. The reports triggered large recalls, congressional hearings, and a flood of lawsuits, and they focused public attention on a question that had rarely reached mainstream news: could a software bug in a car’s engine-control computer cause it to run away?

At the request of the National Highway Traffic Safety Administration (NHTSA), engineers from NASA’s Engineering and Safety Center conducted a technical assessment of Toyota’s Electronic Throttle Control System with intelligence (ETCS-i). The team examined the electronics and analyzed the throttle-control software. The US Department of Transportation summarized the result: NASA engineers “found no evidence that a malfunction in electronics caused large unintended accelerations.” The two mechanical causes NHTSA had already identified - accelerator pedals that could stick, and pedals that could be trapped by floor mats - remained the only confirmed causes of dangerous unintended acceleration.

That official finding did not end the engineering debate. In subsequent civil litigation, software experts retained to examine Toyota’s source code testified that the throttle-control software contained serious defects: thousands of global variables, code complexity far beyond recommended limits, inadequate protection against stack overflow, and single points of failure where a single memory bit-flip could put the throttle into an unsafe state without the watchdog catching it. The phrase “spaghetti code” entered the coverage of the trials. One Oklahoma jury found Toyota liable in a case involving an unintended-acceleration crash.
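The single-bit-flip failure mode described in the testimony, and the kind of redundancy the safety-critical field recommends against it, are easier to see in code. The following is an added illustration, not Toyota's code and not drawn from the NASA review or the court exhibits; the record layout, value range and function names are hypothetical. A throttle command is stored beside its bitwise complement, so a flipped bit in either copy violates an invariant that is checked before the command is acted on, and the command falls back to idle.

```c
#include <stdint.h>
#include <stdbool.h>

#define THROTTLE_MAX  1000u   /* hypothetical range: tenths of a percent */
#define THROTTLE_IDLE 0u

/* Hypothetical record: the value is stored with its bitwise complement, so
 * one flipped bit in either copy breaks the invariant value ^ shadow == 0xFFFF. */
typedef struct {
    uint16_t value;
    uint16_t shadow;
} throttle_cmd_t;

void throttle_set(throttle_cmd_t *t, uint16_t value) {
    if (value > THROTTLE_MAX) value = THROTTLE_MAX;
    t->value  = value;
    t->shadow = (uint16_t)~value;
}

/* Check run before acting on the command. On mismatch or an out-of-range
 * value the command is forced to idle and false is returned so the caller
 * can log the fault instead of driving the actuator with corrupted data. */
bool throttle_check(throttle_cmd_t *t, uint16_t *out) {
    bool ok = ((uint16_t)(t->value ^ t->shadow) == 0xFFFFu) &&
              (t->value <= THROTTLE_MAX);
    if (!ok) throttle_set(t, THROTTLE_IDLE);
    *out = t->value;
    return ok;
}

/* Simulated single-event upset: flip one bit of the stored value. */
void inject_bit_flip(throttle_cmd_t *t, unsigned bit) {
    t->value ^= (uint16_t)(1u << bit);
}

/* Unprotected plain variable: there is no invariant to violate, the flipped
 * value silently becomes the new command. Returns that corrupted value. */
uint16_t unprotected_after_flip(uint16_t cmd, unsigned bit) {
    return cmd ^ (uint16_t)(1u << bit);
}

/* Protected record: returns what the actuator would receive after the same
 * flip (THROTTLE_IDLE when caught) and reports whether the fault was caught. */
uint16_t protected_after_flip(uint16_t cmd, unsigned bit, bool *caught) {
    throttle_cmd_t t; uint16_t out;
    throttle_set(&t, cmd);
    inject_bit_flip(&t, bit);
    *caught = !throttle_check(&t, &out);
    return out;
}
```

Flipping bit 9 of a command of 150 yields 662, which is still inside the valid range, so a bounds check alone would accept it; the complement invariant is what catches it.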

The two narratives - the government review that cleared the software of causing runaway acceleration, and the courtroom experts who described a fragile, hard-to-verify codebase - are both part of the historical record. They illustrate how hard it is to prove or disprove that a specific software defect caused a specific real-world event in an embedded system that does not log enough state to reconstruct what happened.

For the history of programming, the Toyota episode is a landmark in public awareness of safety-critical embedded software. It pushed regulators, automakers, and the press to take seriously the idea that the correctness of millions of lines of car software is a safety question, and it strengthened the case for the disciplined coding standards, redundancy, and verification practices that the safety-critical software field had long advocated.