Archive for February, 2010

The Toyota webinar I would like to see

February 28, 2010

On its website,  Toyota has a webinar describing highlights of its electronic throttle control system.  (For my comments on that webinar, please see a previous blog posting).   In that webinar, Dr. Paul Williamsen of the University of Toyota and Kristen Tabar, General Manager of Electronics Engineering at Toyota Technical Center in Michigan present key features of the ETCS-I and how it is tested for electro-magnetic interference (EMI).

The Toyota webinar I would like to see would comprise the following:

  1. A similar presentation made by Toyota engineers who were deeply involved with the design of the ETCS-I and with the testing of vehicles that exhibited sudden unintended acceleration. Real-time translation can be used if the core designers are not fluent in English, but there are certainly engineers at Toyota who are well-versed in both English and Japanese. (No disrespect to Dr. Williamsen or Ms. Tabar; their presentations were very clear and informative. But they were clearly not involved in the design and long-term testing of the ETCS-I, and cannot speak to all aspects of the system.)
  2. Media representatives may be present, but the webinar is attended by recognized experts (a) from academia, government and the private sector, (b) with in-depth knowledge of mechanical engineering, embedded hardware, embedded software, sensors, actuators, automotive electricals and diagnostics, and (c) with backgrounds in other safety-critical real-time systems, including automobiles, avionics, nuclear power plants, aerospace systems and defense systems.
  3. There is an open-ended Q&A session with the experts in attendance after the formal presentations.

Can it happen? Sure.  Will it happen?

Toyota says ETCS-I is infallible – Convincing?

February 27, 2010

The YouTube Video Clip and More

Toyota has posted an informative video clip on YouTube that explains how the electronic throttle control system (ETCS-I) on its vehicles works. The fail-safe mechanisms built into the system are illustrated well with animations and diagrams. If one accelerator pedal position sensor fails, the throttle is closed. If the throttle is blocked by a mechanical object, the engine is shut down. If a signal arrives from outside the ECM (engine control module), the engine (supposedly) shuts off. If one accelerator or throttle sensor fails, the system detects it and can switch to ‘limp-home’ mode or ‘idle’ mode, depending on the severity of the failure. In the worst case, the engine is shut down completely.

This is a good video clip that is presented cleanly and produced well. (Where can I get one of those desktop ETCS-I simulators?)  Toyota is trying to educate and convince its customer base that it’s still safe to buy and operate Toyota vehicles. An extended version of this clip is on Toyota’s website in webinar form with Q&A from media representatives. In this clip, additional presenters also describe EMI (electro-magnetic interference) and ESD (electro-static discharge) testing.

The Flip-Side

So, what’s not to like? It’s the assumptions behind the design and the arguments.

  • Any safety-critical system has to make assumptions about what will fail, how it will fail and what the failure rate will be. For example, there are two ECUs (processors) in the ECM (Engine Control Module). The typical assumption (and Toyota makes it as well) is that they fail independently. This is called the independent failure assumption. But can both fail together? That is called a common mode failure. Both processors can fail together if, for example, there is a flaw in the processor design or implementation (perhaps they got too hot, there is a hardware bug that manifests itself only occasionally, a chip was soldered badly, …). Now what?
    • Toyota also does not answer the question that technically knowledgeable viewers will ask: “Is there a single point of failure in the ETCS-I?” Nor does Toyota present a complete fault-tree analysis. I would presume that such an analysis exists, but it is not presented. Toyota also does not distinguish permanent from intermittent failures. Most descriptions of SSUA (sudden and sustained unintended acceleration) seem to allude to intermittent failures, i.e. failures that disappear when power is turned off and the system is reset. This property of the problem is what makes it so hard.
  • The presenters emphasize that a DTC (Diagnostic Trouble Code) would have been stored if a failure had happened and a fail-safe mechanism had kicked in. However, not every error condition is stored as a DTC. For example, if one of the accelerator pedal position sensors (APPS) fails but both processors are working, no DTC is stored. Such conditions may be exactly where a sequence of events that eventually leads to SSUA gets triggered.
  • A stored DTC is erased after a “few” engine start/stop cycles. They do not quantify “few”; knowing the exact number(s) would help people who experienced SSUA determine whether their DTC was indeed stored but subsequently erased. (Remember: the failures we see are intermittent failures.)
  • Toyota does not even bring up the topic of software (wisely). According to the Sustainable Computing Consortium, there can be 20-40 bugs in every 1000 lines of code. Even if Toyota or its suppliers did a spectacular job with the ETCS-I, it would still be very hard, if not impossible, to prove that the code is correct. The questions on this front are two-fold:
    1. Are there bugs in the software? If not, why not?
    2. Have there been bug fixes in the various releases of the ETCS-I firmware? What were the fixes? When were they made?
  • The response to the question “Where is the ‘black box’?” is very lame. Toyota released the ETCS-I in 1998, deployed it widely across its popular models from 2001/2002 and has had it on 100% of its vehicles for the past couple of years. In other words, its investment in the technology is huge. SSUA complaints have surged roughly tenfold since its introduction in 2001. Toyota claims that nobody has been able to show that electronics is a cause of these complaints. The implication is that drivers press the gas pedal when they mean to press the brake pedal. If that were true, Toyota could instantly exonerate itself with a black box (event data recorder) that shows it unambiguously. So why no black box, even now, after 10 years? Why not install one and make it directly accessible to consumers and law-enforcement officials, as GM and Ford have done? Why the delay, given that it would be in Toyota’s interest to have it there?
  • The discussion of EMC (electromagnetic compatibility) is not very convincing either. They should really talk about how, and whether, the ETCS-I fail-safe mechanisms work under the EMI and ESD scenarios tested. From what is said, it feels like only normal working conditions are tested, not failure conditions. For example: let one sensor fail (note that no DTC will be stored) and then let EMI/ESD crop up.
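To make the DTC argument above concrete, here is an added example of my own (not Toyota code, and not a description of its firmware): a dual-sensor pedal check with the DTC policy as the webinar is described above, where a DTC is stored only when a sensor fault and a processor fault coincide, and a stored DTC is erased after a few clean drive cycles. The voltage ranges, the 0.8 V sensor offset, the plausibility window, the three-cycle clearing count and the injected faults are all assumptions for illustration. The coherent-fault scenario also models the kind of failure discussed in the later post on Prof. Gilbert’s findings, where both pedal signals move together so the cross-check passes.

```c
/* Added example: a model of ETCS-I diagnostics as the webinar is described
 * in the text. Not Toyota code; thresholds, the sensor offset, the number of
 * drive cycles that clears a DTC and the fault injections are all assumed. */
#include <stdbool.h>
#include <stdio.h>

#define DTC_CLEAR_CYCLES 3   /* assumption: the text only says "a few" */

/* Two accelerator pedal position sensors (volts). Assumed design: APPS2
 * tracks APPS1 with a fixed 0.8 V offset and both stay within 0.4-4.6 V. */
struct apps { double v1, v2; };

enum fault { FAULT_NONE, FAULT_APPS_RANGE, FAULT_APPS_PLAUS };

enum fault check_apps(struct apps a)
{
    if (a.v1 < 0.4 || a.v1 > 4.6 || a.v2 < 0.4 || a.v2 > 4.6)
        return FAULT_APPS_RANGE;            /* open circuit or short to a rail */
    double diff = a.v2 - a.v1;
    if (diff < 0.5 || diff > 1.1)           /* assumed plausibility window */
        return FAULT_APPS_PLAUS;            /* the two sensors disagree */
    return FAULT_NONE;
}

/* Pedal demand in percent derived from APPS1 once the pair is trusted. */
double pedal_demand_pct(struct apps a)
{
    if (check_apps(a) != FAULT_NONE) return 0.0;   /* fail-safe: idle */
    double pct = (a.v1 - 0.8) / (4.0 - 0.8) * 100.0;
    return pct < 0.0 ? 0.0 : pct > 100.0 ? 100.0 : pct;
}

struct ecm {
    bool cpu1_ok, cpu2_ok;
    bool dtc_stored;
    int  clean_cycles;   /* consecutive drive cycles without the trigger */
};

/* One drive cycle (key on ... key off). DTC policy as the text describes
 * the webinar's claim: store only if a sensor fault AND a CPU fault coincide. */
void ecm_drive_cycle(struct ecm *e, struct apps a)
{
    bool sensor_fault = check_apps(a) != FAULT_NONE;
    bool cpu_fault    = !(e->cpu1_ok && e->cpu2_ok);
    if (sensor_fault && cpu_fault) {
        e->dtc_stored   = true;
        e->clean_cycles = 0;
    } else if (e->dtc_stored && ++e->clean_cycles >= DTC_CLEAR_CYCLES) {
        e->dtc_stored = false;   /* the only evidence of the event is erased */
    }
}

/* Scenario 1: APPS1 drifts high, both CPUs healthy. The fail-safe acts,
 * but is a DTC stored? Returns 1 if a DTC is readable afterwards, else 0. */
int scenario_single_sensor_fault(void)
{
    struct ecm e = { true, true, false, 0 };
    struct apps drifted = { 2.6, 2.4 };      /* constructed: APPS1 wrong, pedal at rest */
    ecm_drive_cycle(&e, drifted);
    return e.dtc_stored ? 1 : 0;
}

/* Scenario 2: a fault that moves BOTH signals together with the expected
 * offset (a short coupling the two lines is one constructed cause). The
 * cross-check passes, so the ECM reads a floored pedal. Returns demand %. */
double scenario_coherent_fault_demand(void)
{
    struct apps coupled = { 4.0, 4.6 };      /* constructed: in range, offset 0.6 V */
    return pedal_demand_pct(coupled);
}

/* Scenario 3: an intermittent event (sensor + CPU2 fault) stores a DTC;
 * the fault vanishes on reset. Is the DTC still there after N clean cycles? */
int scenario_dtc_after_clean_cycles(int clean_cycles)
{
    struct ecm e = { true, false, false, 0 };   /* CPU2 down during the event */
    struct apps bad  = { 2.6, 2.4 };
    struct apps good = { 0.8, 1.6 };            /* pedal at rest, offsets agree */
    ecm_drive_cycle(&e, bad);                   /* DTC stored this cycle */
    e.cpu2_ok = true;                           /* intermittent: gone after reset */
    for (int i = 0; i < clean_cycles; i++) ecm_drive_cycle(&e, good);
    return e.dtc_stored ? 1 : 0;
}

int main(void)
{
    printf("single sensor fault, DTC stored: %d\n", scenario_single_sensor_fault());
    printf("coherent fault, pedal demand: %.0f%%\n", scenario_coherent_fault_demand());
    printf("DTC after 2 clean cycles: %d, after 3: %d\n",
           scenario_dtc_after_clean_cycles(2), scenario_dtc_after_clean_cycles(3));
    return 0;
}
```

The point of the model is the mechanic’s view after the event: in scenario 1 the fail-safe worked but left no trace, in scenario 2 nothing tripped at all, and in scenario 3 the trace existed only until the clearing count was reached.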

In summary, these are good technical presentations by Toyota and a good PR step to boot.  But ultimately they are unconvincing.

Did Toyota Do Anything Wrong?

February 25, 2010

Here is a list of decisions that Toyota would want to revisit if they could.

  1. Electronic components have a non-zero failure rate. Given this fact, a safety-critical system ought to have more fail-safes, not fewer. Toyota did not install brake overrides even though the technique has been known for more than 10 years (see the Audi 5000 sudden-acceleration episode). The number of SUA complaints spiked in 2002 when Toyota introduced the ETCS-I across many of its models. However, Toyota engineers did not pick up the trend and put in well-known fixes. When Mr. Toyoda, the President of Toyota, said in the congressional hearing yesterday that he is “absolutely confident” that there are no problems in the electronics of Toyota vehicles, with all due respect, his subordinates are over-simplifying the situation for him.
  2. Gas pedals getting stuck in floor mats is NOT new. This has happened with other vehicles earlier. Toyota did not pay attention to this issue when even early-year Lexus models had these problems.
  3. Automobiles made by the Detroit Three have black-box recorders which store lots of relevant information AND can be directly accessed by consumers. Even though Toyota vehicles have black-box recorders, Toyota claims that they store only a limited amount of data for a small number of seconds, AND that the stored data can only be read by Toyota. If the black-box recorders stored more information for more time and could be read by the consumer, Toyota could exonerate itself very quickly by showing that driver error was the primary culprit.

The above blunders from the past may haunt Toyota for quite some time. Toyota is beginning to add ‘smart pedals’ to all future models: if both the gas and brake pedals are pressed, the brake overrides the gas pedal, so the driver can stop any acceleration by braking. A recall of 6 million vehicles was initiated recently to deal with the floor mat problem, and another recall of about 2.5 million vehicles was initiated to look at sticky gas pedals. (The sticky gas pedal issue, however, almost seems to be a non-issue in terms of injuries and deaths attributed to sudden acceleration.)

Recommendations

Toyota and NHTSA must take a very close look at: shielding of cables to minimize the impact of EMI (electro-magnetic interference); all connectors, to eliminate loose wiring harnesses; ESD (electro-static discharge) possibilities; differences in grounding potential across the vehicle; the assumptions behind the hardware and software components; code reviews; and the overall architecture and integration strategy.

In addition, revisit the testing strategies used by the suppliers of the electronics. Do they test each product being delivered? How do they test them? What is the failure rate of components? What fraction of devices are found faulty using sophisticated, time-consuming test equipment but pass inspection otherwise? What kinds of failures occur on devices that do not pass inspection? Can the same kinds of failures develop over time on devices that did pass inspection? Are any tests repeated after 1, 2, 4 and 8 years of use?

Mr. Toyoda and Mr. Lentz: Can Both Be Right?

February 24, 2010

In today’s congressional hearing, Mr. Toyoda, President of Toyota and the grandson of the company’s founder, said he was “absolutely confident” that there was no problem with Toyota’s computer systems.   Yesterday, Mr. Lentz, president and COO of Toyota US, told the Congressional hearing that Toyota was still examining the sudden acceleration problem, including the possibility that the electronics system might be at fault.   Mis-communications and poor coordination of messaging at the highest levels of the company!

What Should Toyota/NHTSA Do?

February 24, 2010

We know the following. Toyota itself has acknowledged that it cannot rule out problems in its electronic throttle control system as a cause of the sudden acceleration of some of its cars. NHTSA is in the spotlight to ensure public safety. What should they do?

The problem in the Toyota electronics could be due to

  • hardware design issues (assumptions made regarding failures that are violated in practice),
  • hardware implementation issues (such as sensors, actuators or computers with manufacturing defects that raise what are normally very low failure rates),
  • electrical issues, including ESD (electro-static discharge), grounding and EMI (electro-magnetic interference) problems,
  • software bugs that kick in only under abnormal conditions,
  • architectural integration, with each subsystem doing the “correct” thing but the completed system having an integration issue, or
  • an insidious combination of the above.

What should Toyota/NHTSA do now?

  • Each should assemble an independent team of experts – mechanical engineers, electrical engineers, embedded hardware engineers, embedded software engineers, control engineers, sensor/actuator experts, reliability engineers and safety engineers.
  • Get all documentation and internal communications available at Toyota.
    • In particular, get access to Toyota’s internal investigations and results from vehicles that have had known acceleration problems – these are critical materials to study and will narrow down the search space dramatically.
  • Evaluate the fail-safe mechanisms in the ETCS-I and their effectiveness against a wide spectrum of possible failure points. What if this sensor fails? What if the throttle control mechanism fails? What if this board fails? What if the ECU (electronic control unit) fails? What if the output there gets stuck? What if an input here fluctuates all the time? What if there is a voltage spike at an input? At an output? What if any two of these failures happen simultaneously? What does the software do if an unexpected event happens? These questions can be asked (and hopefully answered) very methodically and rigorously.
  • Work backwards from the sudden acceleration event.  That is, suppose that sudden acceleration has occurred.  What events and what sequences can lead to that outcome?  What could have gone wrong (however improbable) for that outcome to be produced?   To paraphrase Sherlock Holmes, if you have eliminated all possibilities but one, then you have found the culprit, however improbable it may seem.
  • Study all architectural and design documents, then pore over the code, the wiring diagrams, and the internals of all the sensors, actuators and ECUs.
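The “what if” enumeration and the “work backwards from the event” step above, together with the common-mode and fault-tree questions raised in the webinar post, are what a fault-tree analysis does mechanically. Here is an added example of my own (not Toyota’s analysis) that builds a small, entirely hypothetical fault tree for the top event “throttle opens without pedal demand and no fail-safe intervenes”, computes its probability under the independent-failure assumption and under the standard beta-factor common-cause model, and enumerates the minimal cut sets, i.e. the smallest combinations of basic events that produce the top event. The events, the tree structure, the per-drive probabilities and the beta value are all assumptions for illustration.

```c
/* Added example: a small fault-tree evaluator. The tree, the basic events
 * and every probability are constructed for illustration; none of it comes
 * from Toyota documentation. */
#include <stdbool.h>
#include <stdio.h>

enum { APPS1, APPS2, CPU1, CPU2, CPU_CC, TPS_CC, N_EVENTS };
static const char *event_name[N_EVENTS] = {
    "APPS1 reads wrong", "APPS2 reads wrong",
    "CPU1 fails (independently)", "CPU2 fails (independently)",
    "both CPUs fail from a common cause", "both TPS read wrong (common cause)"
};

enum kind { BASIC, AND, OR };
struct node { enum kind k; int ev; int n; const struct node *ch[4]; };

static const struct node b_apps1 = { BASIC, APPS1,  0, {0} };
static const struct node b_apps2 = { BASIC, APPS2,  0, {0} };
static const struct node b_cpu1  = { BASIC, CPU1,   0, {0} };
static const struct node b_cpu2  = { BASIC, CPU2,   0, {0} };
static const struct node b_cpucc = { BASIC, CPU_CC, 0, {0} };
static const struct node b_tpscc = { BASIC, TPS_CC, 0, {0} };
/* Both pedal sensors wrong together defeats the APPS cross-check. */
static const struct node g_apps  = { AND, -1, 2, { &b_apps1, &b_apps2 } };
/* Both processors down defeats the CPU cross-check. */
static const struct node g_cpu   = { AND, -1, 2, { &b_cpu1, &b_cpu2 } };
static const struct node top     = { OR,  -1, 4, { &g_apps, &g_cpu, &b_cpucc, &b_tpscc } };

/* Probability of a gate, assuming its inputs fail independently. */
static double gate_prob(const struct node *g, const double *p)
{
    if (g->k == BASIC) return p[g->ev];
    double acc = 1.0;
    for (int i = 0; i < g->n; i++) {
        double c = gate_prob(g->ch[i], p);
        acc *= (g->k == AND) ? c : (1.0 - c);
    }
    return g->k == AND ? acc : 1.0 - acc;
}

/* Top-event probability per drive with the CPU pair modelled by the
 * beta-factor method: a fraction beta of each CPU's failure probability is
 * common cause. beta = 0 is the independent-failure assumption. */
double top_probability(double beta)
{
    const double p_apps = 1e-4, p_cpu = 1e-5, p_tps_cc = 1e-7;  /* assumed */
    double p[N_EVENTS] = {0};
    p[APPS1]  = p[APPS2] = p_apps;
    p[CPU1]   = p[CPU2]  = (1.0 - beta) * p_cpu;
    p[CPU_CC] = beta * p_cpu;
    p[TPS_CC] = p_tps_cc;
    return gate_prob(&top, p);
}

/* Does the top event hold when exactly the events in `mask` have occurred? */
static bool holds(const struct node *g, unsigned mask)
{
    if (g->k == BASIC) return (mask >> g->ev) & 1u;
    for (int i = 0; i < g->n; i++) {
        bool c = holds(g->ch[i], mask);
        if (g->k == AND && !c) return false;
        if (g->k == OR  &&  c) return true;
    }
    return g->k == AND;
}

/* "Work backwards": enumerate the minimal cut sets as event bitmasks. */
int minimal_cut_sets(unsigned *out, int max)
{
    int n = 0;
    for (unsigned m = 1; m < (1u << N_EVENTS); m++) {
        if (!holds(&top, m)) continue;
        bool minimal = true;
        for (unsigned s = (m - 1) & m; s; s = (s - 1) & m)  /* proper subsets */
            if (holds(&top, s)) { minimal = false; break; }
        if (minimal && n < max) out[n++] = m;
    }
    return n;
}

int cut_set_count(void) { unsigned c[64]; return minimal_cut_sets(c, 64); }
unsigned nth_cut_set(int i)
{
    unsigned c[64];
    int n = minimal_cut_sets(c, 64);
    return (i >= 0 && i < n) ? c[i] : 0u;
}

int main(void)
{
    for (int i = 0; i < cut_set_count(); i++) {
        printf("cut set:");
        for (int e = 0; e < N_EVENTS; e++)
            if (nth_cut_set(i) >> e & 1u) printf(" [%s]", event_name[e]);
        printf("\n");
    }
    printf("P(top) independent: %.3e   with beta=0.1: %.3e\n",
           top_probability(0.0), top_probability(0.1));
    return 0;
}
```

With the assumed numbers, moving 10% of each processor’s failure probability into a common cause raises the top-event probability about tenfold, which is the point of asking Toyota about common-mode failure: the two-processor cross-check buys far less than the independence assumption suggests. The single-event cut sets are the single points of failure the webinar never addresses.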

If you think that a businessperson/manager should also be on the team, think again. It would serve Toyota much better over the long term to find the problem in its electronics (there is one!) and fix it. Otherwise this cloud will hang over the company, its customers and its shareholders, causing more damage. Bite the bullet, figure out the source, fix it and move on. The short-term pain will be much less than the long-term impact on the company (and perhaps the Japanese economy).

Addendum: Any data that Toyota has in their “black boxes” should also be studied.  As I have argued in a previous blog, it could help exonerate them too.   Any studies they may have of why drivers may press the wrong pedal (more so than in other cars) should also be looked at.

Toyota: Recalls May ‘Not Totally’ Resolve Issues

February 24, 2010

Many (including me) have pointed out that the floor mat and ‘sticky pedals’ issues do not fully address the nature of many of the complaints in the NHTSA ODI database.   Specifically,

  1. Many complainants have stated that the accelerator pedal was not stuck and, in several cases, that no floor mat was present.
  2. There has been a significant spike in the number of SSUA (sudden and sustained unintended acceleration) incidents since Toyota introduced the ETCS-I across multiple models in 2001/2002. Even the 2010 Toyota Camry, which has barely been on the market for a few months, already has 18 complaints in the vehicle speed control category. The complaint count since 2002 is disproportionate to market share when compared with complaints filed against other carmakers’ models.

Now the US Toyota chief has acknowledged that Toyota cannot rule out problems in the electronics, and that the floor mat and sticky pedal fixes may not fully resolve the SUA issue. Given Toyota’s earlier emphatic denials that electronics was behind SUA, does the burden of proof of safety now shift unequivocally to Toyota?

Prof. Dave Gilbert’s Findings on SSUA

February 24, 2010

ABC News on Feb 22, 2010 had a video segment on findings made by Prof. Dave Gilbert of Southern Illinois University regarding SSUA (Sudden and Sustained Unintended Acceleration) on Toyota vehicles.

Two findings of Prof. Gilbert stand out:

  1. It is indeed possible to force a Toyota vehicle with ETCS-I into sudden and sustained unintended acceleration.    No fail-safe mechanism kicks in.  Recall that there is no brake override (Toyota has promised an update on recent-year models but not earlier-year models), and the driver has to switch to neutral to bring the vehicle to a safe stop.
  2. When the vehicle does go into SSUA, no corresponding diagnostic code is registered in the vehicle.  So, if this happens to a driver and they take it to the mechanic, there will be no trace of the event happening.  Then, it’s your word against the diagnostics!

Both these findings offer very useful insights for those studying whether electronics problems are behind SSUA.

Additional thoughts:

  1. Prof. Gilbert manages to put the vehicle into SSUA repeatably by shorting two pins that go into the Engine Control Module of ETCS-I (Electronic Throttle Control System with Intelligence).    Prof. Gilbert points out that moisture, corrosion and wear can cause such a short to happen.   SSUA has been known to happen even in 2010 Toyota models (for example, there are 18 complaints in the vehicle speed control category of the NHTSA database for the 2010 Toyota Camry).   It would seem unlikely that such new cars have already undergone dramatic wear and corrosion to cause a short.
  2. Toyota’s description of the ETCS-I mechanisms points out the following. A diagnostic error code is registered only when one of the accelerator pedal position sensors (or one of the throttle position sensors; both are redundant pairs) fails AND one of the redundant ECUs (computers) fails. If only one of them fails, no diagnostic code is recorded. So it is known that only subsets of fault conditions are recorded as diagnostic error codes.

What Prof. Gilbert has found is that even a (dramatic) occurrence of SSUA goes unrecorded.  Toyota could perhaps argue that continued acceleration at high speed could be an intended action on the part of the driver, and therefore it should indeed go unrecorded.   If the driver is trying to override the acceleration though, the situation becomes dramatically different.  So, this matter goes back to the issue of ETCS-I in several Toyota vehicles not having a fail-safe mechanism.

Is ESD (Electro-Static Discharge) the Culprit behind Toyota ETCS-I?

February 23, 2010

Note: This post is a subset of a posting titled “Possible Electronics Causes for Sudden Unintended Acceleration“.

Electro-Static Discharge (ESD) Issues

Electrostatic discharge (ESD) is the name given to the sudden, short-lived electric current that flows between two objects at different electrical potentials (voltages), caused by direct contact or induced by an electrostatic field. These currents, though short-lived, are unwanted and may damage electronic equipment.

The simplest ESD example that people see in practice is the brief spark when, during winter, you touch a metallic object, get a ‘shock’ and see a spark. (Charge builds up on your body as you walk across a carpet, for example, and is discharged when you touch a conducting material.) More than 1 kV can be generated, albeit for a very short time! At home, one often uses surge suppressors to connect sensitive electronics like TVs and computers to wall power. Without such surge suppressors, voltage spikes such as those from lightning can enter your electronics and cause permanent damage. Lightning, therefore, is another classic example of ESD.

Because of the damage that ESD can cause to electronics, there are military, industrial, automotive and international standards to deal with the issue. Popular consumer electronics like camcorders, mobile phones and digital cameras have built-in voltage shunts that stop these spikes from reaching the core of the electronics and damaging it.

ESD damage to electronics, which can accumulate over time, falls into different categories. One, the damage is permanent and the device fails. This is often referred to as a hard fault. Two, the damage seems to reset itself and the device functions correctly (for a while) when it is shut down and restarted. This is often referred to as a soft fault. Some standards define finer distinctions. SSUA on Toyota vehicles seems to correlate with soft faults in many cases, but in cases where a vehicle was totally wrecked, the problem could have been a hard fault.

Possible Electronics Causes for Sudden Unintended Acceleration

February 23, 2010

Sudden unintended acceleration has occurred in disproportionate numbers (relative to market share) on Toyota vehicles since the introduction of the ETCS-I (Electronic Throttle Control System with Intelligence) in 2001 across multiple popular Toyota models.

Many complaints in the NHTSA database clearly indicate that in several cases the accelerator pedal was not stuck in a floor mat when SUA occurred. The fix for sticky pedals that Toyota recently announced also seems to be a red herring in this context.

The timing of the surge in SUA complaints and the lack of other causes points the finger directly at electronics, namely ETCS-I.

Nature of Sudden Unintended Acceleration

While the term sudden unintended acceleration (SUA) has been used quite commonly for months, a better term to use would be sudden and sustained unintended acceleration (SSUA), i.e. acceleration continues in a sustained fashion often leading to high, unsafe and unstoppable speeds.

Once SSUA happens, vehicles have been totaled in a wreck or have had to be stopped by putting the transmission into neutral. After a reset, in many cases, the vehicle runs normally. However, SSUA can occur again in the future.

Possible Scenarios

  1. The root cause of SSUA is not in the ETCS-I at all – this seems very unlikely given the above data.
  2. A root cause of SSUA lies in the ETCS-I, and Toyota could not repeat the problem in the lab. While the problem may happen under complex or non-obvious conditions, this would likely imply inadequate testing on the part of Toyota engineers (for not being able to think out of the box to find a lurking problem over several years) and/or insufficient investment of resources.
  3. Problems in the ETCS-I were indeed diagnosed in the lab or in the field when Toyota tested vehicles which exhibited SSUA. This would be a major surprise since Toyota has claimed many times in recent years that electronics was not a cause of SSUA. (The President of Toyota USA is expected to make this claim today in the ongoing Congressional hearings). If documents are found that Toyota found some problems in electronics but chose not to disclose them, this would naturally reflect very serious technical, procedural and corporate culture problems within the company and one hopes would not be the case.

Toyota, in fact, announced a few hours ago that brake overrides will be added on more Toyota cars than (quietly) announced earlier. The move is described as intended to “provide an additional measure of confidence”. Lawyers pursuing class action lawsuits against Toyota could be expected to argue that this is an indirect acknowledgement of problems with electronics.

Electro-Magnetic Interference (EMI) Issues

Can EMI (electro-magnetic interference) cause SSUA?

EMI (also called Radio Frequency Interference or RFI) refers to disturbances arising from electromagnetic conduction or radiation from a source external to the system under consideration. When your TV reception is poor (e.g. ghost images) during thunderstorms, that can be attributed to EMI. If your cordless phone or WiFi (wireless network) does not work while a nearby microwave oven is running, that can also be attributed to EMI.

EMI from Sources External to the Automobile

There has been speculation that EMI from sources such as car washes and big restaurant ovens affects automotive electronics. The intensity of these signals falls off at least as the square of the distance from the source. In other words, the strength of the interference decays very rapidly, and it is unlikely to be the source of sudden and sustained acceleration when the vehicle has traveled several hundred meters past the source.

EMI from Sources Internal to the Automobile

Interference from within the automobile can in principle cause problems as well. Ford recently found EMI between two neighboring wires causing problems in the Ford Fusion Hybrid braking system: the software, on seeing such interference, transferred control from the regenerative brake system to the (conventional) hydraulic brake system. Additional shielding of the cables and a software patch fixed the problem.

Can such EMI cause Toyota vehicles to experience SSUA? In principle, yes. But this would require two conditions to hold: EMI distorts inputs to the electronics, and the software interprets the distorted values as valid.

My personal opinion is that if this were the problem, it would be easier to detect than other sources. If the software simply tracks the fluctuating inputs instantaneously, the acceleration would be transient rather than sustained.

Electro-Static Discharge (ESD) Issues

Electrostatic discharge (ESD) is the name given to the sudden, short-lived electric current that flows between two objects at different electrical potentials (voltages), caused by direct contact or induced by an electrostatic field. These currents, though short-lived, are unwanted and may damage electronic equipment.

The simplest ESD example that people see in practice is the brief spark when, during winter, one touches a metal object, gets a ‘shock’ and sees a spark. (Charge builds up on your body as you walk across a carpet, for example, and is discharged when you touch a conducting material.) At home, one often uses surge suppressors to connect sensitive electronics like TVs and computers. Without such surge suppressors, voltage spikes such as those from lightning can enter your electronics and cause permanent damage. Lightning is another classic example of ESD.

Because of the damage that ESD can cause to electronics, there are military, industrial, automotive and international standards to deal with it. Popular consumer electronics like camcorders, mobile phones and digital cameras have built-in voltage shunts that stop these spikes from reaching the core of the electronics and damaging it.

ESD damage to electronics, which can accumulate over time, falls into different categories. One, the damage is permanent and the device fails. This is often referred to as a hard fault. Two, the damage seems to reset itself and the device functions correctly (for a while) when it is shut down and restarted. This is often referred to as a soft fault. Some standards define finer distinctions.

Hardware Issues

Can problems in Toyota’s throttle electronics lie in hardware? Here are the possibilities:

  1. There are no logical errors in the hardware, particularly when all goes according to plan (no EMI, no sensor failures, no Electronic Control Unit failures). It is very likely that this situation reflects the vast majority of cases. In practice, Toyota could not have shipped the ETCS-I across most of its models since around 2001 if the design misbehaved routinely.
  2. Hardware component failures, when they happen, lead to unexpected outputs (causing SSUA). Safety-critical systems such as electronic throttle control systems are supposed to have built-in fail-safe mechanisms. A designer must make assumptions about what could fail and how the system will react to it. See my earlier posting, Brake Overrides: The Devil in the Details, for additional details. The lack of brake overrides in the ETCS-I is an issue that Toyota will have to deal with for quite some time. Its promise to add brake overrides to recent models is a good step in the right direction but leaves open the question “What about the older models?”. Another question that applies to all models (even those with the promised overrides) is the lack of an override mechanism (say, a mechanical one) that does not depend on the ECU (Electronic Control Unit) inside the ETCS-I to process and execute the override.
  3. Sensor failures (throttle position sensors, for example) can also cause the ETCS-I to believe that all is well with the engine control when it is not. If the throttle were fully open in reality but the throttle position sensor reported it as nearly or fully closed, the engine could experience a surge in acceleration as the ECU commands the throttle to open more and more. Similarly, if the accelerator pedal position sensor (APPS) malfunctioned and reported the gas pedal as pressed down when it actually is not, SSUA would be a natural result.

Software Issues

Could software in the ETCS-I have problems?

It would be very hard to prove that there are no software problems: verification technology for the complex situations that the ETCS-I can encounter (including noise and failures) is not very mature yet. Those outside Toyota can only conjecture. Only those with access to the source code of the programs running on the ETCS-I can make more precise statements.

One or two lines of code can, in principle, do the wrong thing under a complex combination of accelerator pedal position and throttle position sensor readings and internal state.

Summary

In principle, many things can go wrong in Toyota’s ETCS-I due to many factors, including electro-static discharge (ESD), electro-magnetic interference (EMI), hardware or software. We are currently focusing on ESD as the likely source of the soft and hard faults in the electronics that can lead to SSUA (sudden and sustained unintended acceleration). These elements, individually or in combination, could be causing the problems.

Brake Overrides: The Devil in the Details

February 19, 2010

Why Toyota does not install brake overrides of the throttle control system on all of its recalled cars and future models is a topic of considerable discussion. Toyota has announced that future models will have such ‘smart brakes’, which prioritize braking actions over throttle actions. In addition, some past models will also be upgraded with a software patch.

Let’s look at some details of what this means. In a fully throttle-by-wire system like Toyota’s ETCS-I, the override mechanism can be made completely electronic as well. If the brake pedal is pressed, that information can be communicated to the throttle control system (as a message over a wire or communication bus), which in turn can close the throttle in response, independent of the position of the gas pedal. Cost: a software update. But this solution makes several assumptions:

  1. There exists a communication medium between the braking system and the throttle control system. This may or may not be true.
  2. There are enough bandwidth/message slots in this communication medium that other messages are not disrupted. Probably true, if the medium itself is present.
  3. The ECU (Electronic Control Unit, i.e. computer) and software are functioning correctly, so that the brake override message is both received and processed correctly. If the root of the problem is that the ECU and/or software has failed in some way, the override will not work. Still, an electronic override is better than no override at all.
  4. The throttle mechanism continues to work correctly under electronic control. This too depends on whether the root of the problem lies at the interface between the ECU and the throttle.

An override mechanism that is better and stronger than the electronic one would be mechanical in nature. In this solution, when the brake pedal is pressed, it mechanically (or electro-mechanically) pushes the throttle closed. The link from the brake pedal to this mechanical override could be mechanical or electronic, but it must be completely independent of the throttle control electronics.
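The four assumptions, and the difference an independent mechanical link makes, can be expressed as a small arbitration model. This is an added example of my own, not Toyota’s design: the state fields, the runaway scenario (a phantom 100% pedal demand with the throttle already wide open) and the tick-by-tick trace are constructed for illustration, and the mechanical override is idealized as always able to close the throttle body.

```c
/* Added example: a model of the four assumptions behind an electronic brake
 * override, beside an independent mechanical one. My illustration, not
 * Toyota's design; the fields and the scenarios are constructed. */
#include <stdbool.h>
#include <stdio.h>

struct vehicle {
    double pedal_pct;     /* demand the ECU currently believes in (may be phantom) */
    bool   brake_pressed; /* brake pedal switch */
    bool   brake_link_ok; /* assumptions 1+2: a path carries the brake signal */
    bool   ecu_alive;     /* assumption 3: ECU and software still run the loop */
    bool   actuator_ok;   /* assumption 4: throttle motor follows the command */
    bool   mech_override; /* independent brake-to-throttle mechanical link fitted */
};

/* What the ECU commands this tick. A hung ECU issues nothing new, so the
 * previous command persists. */
double ecu_command(const struct vehicle *v, double last_cmd)
{
    if (!v->ecu_alive) return last_cmd;
    if (v->brake_link_ok && v->brake_pressed) return 0.0;   /* brake wins */
    return v->pedal_pct;
}

/* Resulting throttle opening in percent. The mechanical override acts on
 * the throttle body directly and needs none of the electronics. */
double throttle_opening(const struct vehicle *v, double last_cmd)
{
    double cmd     = ecu_command(v, last_cmd);
    double opening = v->actuator_ok ? cmd : last_cmd;     /* stuck actuator */
    if (v->mech_override && v->brake_pressed) opening = 0.0;
    return opening;
}

/* A runaway: phantom 100% demand, throttle already wide open, driver
 * standing on the brake. Which combinations of assumptions bring it down? */
double runaway_with_brake(bool link_ok, bool ecu_alive, bool actuator_ok, bool mech)
{
    struct vehicle v = { 100.0, true, link_ok, ecu_alive, actuator_ok, mech };
    return throttle_opening(&v, 100.0);
}

/* Tick-by-tick trace: the ECU hangs at tick 2, the driver brakes from tick 3.
 * Returns the final throttle opening. */
double trace_final_opening(bool mech)
{
    struct vehicle v = { 100.0, false, true, true, true, mech };
    double opening = 0.0;
    for (int t = 0; t < 6; t++) {
        if (t == 2) v.ecu_alive = false;
        if (t == 3) v.brake_pressed = true;
        opening = throttle_opening(&v, opening);
        printf("t=%d ecu_alive=%d brake=%d throttle=%.0f%%\n",
               t, v.ecu_alive, v.brake_pressed, opening);
    }
    return opening;
}

int main(void)
{
    printf("as shipped, no override path:       %.0f%%\n", runaway_with_brake(false, true, true, false));
    printf("electronic override, all healthy:   %.0f%%\n", runaway_with_brake(true, true, true, false));
    printf("electronic override, ECU hung:      %.0f%%\n", runaway_with_brake(true, false, true, false));
    printf("electronic override, actuator stuck:%.0f%%\n", runaway_with_brake(true, true, false, false));
    printf("mechanical override, ECU hung:      %.0f%%\n", runaway_with_brake(true, false, true, true));
    printf("trace without mechanical override ends at %.0f%%\n", trace_final_opening(false));
    printf("trace with mechanical override ends at %.0f%%\n", trace_final_opening(true));
    return 0;
}
```

The electronic override closes the throttle only on the row where every assumption holds; take away the link, the ECU or the actuator and the brake pedal changes nothing, which is exactly the case where the override is needed most. The mechanical link is the only row that does not care why the electronics stopped listening.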

Yes, this superior fail-safe alternative would be costlier. Nevertheless, such independent fail-safe mechanisms should be deemed necessary in all future vehicles, particularly for the safety-critical subsystems for acceleration, braking, steering and transmission control. Using the laws of physics (such as gravity or Maxwell’s laws of electromagnetism) so that the fail-safe mechanisms are guaranteed to kick in is a ripe area for innovation as electronics and software take on more and more functionality in automobiles.