Incident Details

Incident: Nest Protect Recall Due to Wave Feature Issue.

Published Date: 2014-04-04

Postmortem Analysis
Timeline	1. The software failure incident involving the Nest Protect smoke and carbon monoxide detectors occurred in April 2014 as mentioned in Article 26168. 2. The incident can be estimated to have happened in April 2014 based on the published date of the article (2014-04-04) and the information provided in the article.
System	1. Nest Protect smoke and carbon monoxide detectors with the Wave feature [26862, 26168]
Responsible Organization	1. Nest - The software failure incident was caused by a feature in the Nest Protect called Wave that allowed users to unintentionally silence the detector during a real emergency [26862, 26168].
Impacted Organization	1. Nest (the company) [26862, 26168] 2. Consumers who owned the Nest Protect smoke and carbon monoxide detectors [26862, 26168] 3. US Consumer Product Safety Commission (CPSC) [26862]
Software Causes	1. The software cause of the failure incident was the problematic feature in the Nest Protect called Wave, which allowed users to silence the detector by waving their hand, leading to accidental silencing of the device in a real emergency [26862]. 2. The Nest Wave feature being switched on by default in every alarm on sale, making it prone to unintentional deactivation, was another software cause of the failure incident [26168].
Non-software Causes	1. The Nest Protect smoke and carbon monoxide detectors had a problematic feature called Wave that allowed users to silence the detector by waving their hand, which could accidentally silence the device in a real emergency [26862]. 2. The Nest Wave feature was switched on by default in every alarm on sale, leading to the potential for unintentional deactivation [26168]. 3. The Nest Protect devices were temporarily halted from sales due to concerns that people could disable them unintentionally through the Nest Wave feature [26168].
Impacts	1. The software failure incident with the Nest Protect's Wave feature caused a recall of more than 440,000 units by the US Consumer Product Safety Commission (CPSC) due to the potential risk of accidentally silencing the device in a real emergency [26862]. 2. Nest had to temporarily halt sales of its Protect smoke and carbon monoxide alarm after discovering that people could unintentionally disable the alarms, leading to a delay in alarms going off during a real fire situation [26168]. 3. Customers who had already purchased the Nest Protect devices were required to connect them to the Internet via Wi-Fi and a Nest Account to remotely disable the Wave feature, ensuring the safety of the detectors [26862]. 4. The recall and temporary halt in sales impacted Nest's reputation and sales, with the company needing to address the issue and provide refunds to affected customers [26862, 26168].
Preventions	1. Implementing thorough testing procedures to identify potential issues with the Wave feature before releasing the product to the market could have prevented the software failure incident [26862, 26168]. 2. Conducting more extensive user testing to uncover any unintended consequences or vulnerabilities in the Nest Wave feature could have helped prevent the incident [26862, 26168]. 3. Providing clearer instructions or warnings to users about the potential risks associated with the Nest Wave feature and how to mitigate them could have prevented accidental deactivation of the alarms [26862, 26168]. 4. Enforcing stricter quality control measures during the manufacturing process to ensure that all devices are functioning correctly and that potentially risky features are properly addressed before distribution could have helped prevent the incident [26862, 26168].
Fixes	1. Connecting the Nest Protect devices to the Internet via Wi-Fi and a Nest Account to remotely disable the Wave feature by the company [26862]. 2. Updating the Nest Protect devices over home Wi-Fi to automatically disable the Wave feature [26862]. 3. Confirming the receipt of the automatic repair that disabled the Nest Wave feature by going to Nest Sense on the Nest account mobile or web application and ensuring the Nest Wave button is set to 'off' and grayed out [26862]. 4. Ensuring that devices already connected to a Nest account and Wi-Fi will have the feature disabled within 24 hours [26168].
References	1. Nest spokesperson Kate Brinks - Article 26862 2. US Consumer Product Safety Commission (CPSC) - Article 26862 3. Tony Fadell, Nest's chief executive - Article 26168

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization	(a) In the provided articles, there is information about a software failure incident related to Nest Protect, a product by Nest, which is a home monitoring company acquired by Google. The incident involved a feature called Nest Wave that allowed users to silence the alarm by waving their hand, potentially leading to accidental deactivation during a real emergency [26862, 26168]. Nest had to issue a recall and disable the Wave feature remotely for devices connected to the Internet to address the safety concern. (b) The articles do not mention any similar incident happening at other organizations or with their products and services.
Phase (Design/Operation)	design, operation	(a) The software failure incident in the Nest Protect devices was related to the design phase. The issue stemmed from a problematic feature called Nest Wave, which allowed users to silence the detector by waving their hand. This feature could accidentally silence the device during a real emergency, posing a safety risk [26862, 26168]. (b) Additionally, the software failure incident could also be attributed to the operation phase. Users unintentionally disabling the alarms by waving their hand, as discovered by the Nest team, could be considered an operational failure as it involved the misuse of the system [26168].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was primarily within the system. The issue stemmed from a problematic feature called Nest Wave, which allowed users to silence the detector by waving their hand. This feature could accidentally silence the device during a real emergency, posing a safety risk [26862, 26168]. (b) outside_system: The software failure incident also had elements originating from outside the system. The US Consumer Product Safety Commission (CPSC) issued an official recall of over 440,000 Nest Protect devices due to the safety concern with the Nest Wave feature. The CPSC ordered the recall to ensure that users who may not have received the news about the issue could still address the problem and make their detectors safe [26862].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident occurring due to non-human actions: - The Nest Protect smoke and carbon monoxide detectors had a problematic feature called Wave that allowed users to silence the detector by waving their hand. This feature could accidentally silence the device in a real emergency, leading to a recall by the US Consumer Product Safety Commission [26862]. - The Nest Wave feature was discovered to potentially be unintentionally activated, causing concerns about delays in alarms going off during a real fire situation. This issue was identified by the Nest team themselves, although there were no reports of customers deactivating the alarms in this manner [26168]. (b) The software failure incident occurring due to human actions: - Nest, the company behind the Nest Protect, temporarily halted sales of the smoke and carbon monoxide alarm after discovering that people could unintentionally disable them using the Nest Wave feature. This decision was made by the company's chief executive, Tony Fadell, after observing a unique combination of circumstances that raised doubts about the feature's reliability [26168]. - Nest instructed users to connect their devices to the Internet via Wi-Fi and a Nest Account so that the Wave feature could be remotely disabled by the company. This action was taken to address the issue caused by the problematic feature in the Nest Protect [26862].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident related to hardware can be seen in Article 26862, where Nest Protect smoke and carbon monoxide detectors were recalled due to a problematic feature called Wave. This feature allowed users to wave their hand to silence the detector during a false alarm, but it could also accidentally silence the device in a real emergency. This issue was identified as originating from the hardware design of the Nest Protect device itself, leading to the recall by the US Consumer Product Safety Commission [26862]. (b) The software failure incident related to software can be observed in both articles. In Article 26862, it is mentioned that Nest publicized the problem with the Wave feature in April and removed Protect from store shelves. They instructed users to ensure the device was connected to the Internet via Wi-Fi and a Nest Account so the Wave feature could be remotely disabled by the company. Additionally, the CPSC confirmed that Nest Protect owners who updated the device over their home Wi-Fi would not have to send it back, indicating a software update solution to address the issue [26862]. In Article 26168, it is highlighted that Nest temporarily halted sales of its Protect smoke and carbon monoxide alarm after discovering that people could unintentionally disable them due to a feature called Nest Wave. The deactivation method was discovered by the Nest team, and although there were no reports of customers deactivating the alarms in this way, the potential for unintentional deactivation raised concerns. This issue with the Nest Wave feature being switched on by default in the alarms on sale points to a software-related failure originating in the software design of the product [26168].
Objective (Malicious/Non-malicious)	non-malicious	(a) The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was non-malicious. The failure was due to a problematic feature called Nest Wave, which allowed users to silence the detector by waving their hand. This feature could accidentally silence the device during a real emergency, posing a safety risk [26862, 26168]. (b) The software failure incident was not malicious but rather a design flaw that could potentially compromise the safety of users by unintentionally deactivating the alarm system. The company took proactive measures to address the issue and issued a recall to ensure the safety of the users [26862, 26168].
Intent (Poor/Accidental Decisions)	poor_decisions, accidental_decisions	(a) poor_decisions: The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was primarily due to poor decisions made in the design of the product feature called Nest Wave. This feature allowed users to wave their hand to silence the detector during a false alarm but could also accidentally silence the device in a real emergency. The company, Nest, had to issue a recall and disable this feature remotely for connected devices to address the safety issue [26862, 26168]. (b) accidental_decisions: The software failure incident also involved accidental decisions or unintended consequences. The Nest Wave feature, which could unintentionally deactivate the alarms, was a design flaw that could potentially delay an alarm in a real fire situation. While there were no reports of customers actually deactivating the alarms in this manner, the possibility of it happening was a significant concern for the company [26168].
Capability (Incompetence/Accidental)	development_incompetence, accidental	(a) The software failure incident related to development incompetence is evident in the Nest Protect recall incident. The issue stemmed from a problematic feature called Nest Wave, which allowed users to silence the detector by waving their hand. This feature, while intended to provide convenience, could accidentally silence the device during a real emergency, posing a safety risk [26862, 26168]. (b) The software failure incident related to accidental factors is also highlighted in the Nest Protect incident. The unintentional deactivation of the alarms through the Nest Wave feature was a concern discovered by the company itself. While there were no reports of customers actually deactivating the alarms unintentionally, the potential for such accidental deactivation was deemed significant by the company [26168].
Duration	temporary	The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was temporary. The issue stemmed from a problematic feature called Nest Wave, where users could unintentionally disable the alarm by waving their hand, potentially delaying an alarm in a real fire situation [Article 26168]. Nest addressed this issue by instructing users to connect their devices to the Internet via Wi-Fi and a Nest Account to remotely disable the Wave feature [Article 26862]. This indicates that the failure was due to specific circumstances related to the Nest Wave feature and not a permanent issue affecting all devices.
Behaviour	omission, value, other	(a) crash: The software failure incident in the articles does not involve a crash where the system loses state and stops performing its intended functions [26862, 26168]. (b) omission: The software failure incident involves an omission where the system omits to perform its intended functions at an instance(s). Specifically, the Nest Protect had a feature called Nest Wave that could unintentionally disable the alarm, potentially delaying an alarm in a real fire situation [26862, 26168]. (c) timing: The software failure incident does not involve a timing issue where the system performs its intended functions correctly but too late or too early [26862, 26168]. (d) value: The software failure incident involves a value issue where the system performs its intended functions incorrectly. The Nest Wave feature could accidentally silence the device in a real emergency, compromising its primary function of alerting users to smoke and carbon monoxide [26862, 26168]. (e) byzantine: The software failure incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions [26862, 26168]. (f) other: The other behavior in this software failure incident is the potential safety risk posed by the unintentional deactivation of the alarm due to the Nest Wave feature, which could have serious consequences in a real fire scenario [26862, 26168].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, embedded_software	(a) sensor: The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was primarily due to a problematic feature in the Nest Protect called Wave, which allowed users to wave their hand to silence the detector during a false alarm. This feature could accidentally silence the device in a real emergency, indicating a sensor-related error [26862, 26168]. (b) actuator: There is no specific mention in the articles about the software failure incident being related to an actuator error. (c) processing_unit: The failure was not directly attributed to a processing unit error but rather to a feature in the Nest Protect device itself. (d) network_communication: The failure was not directly related to network communication errors but rather to a feature within the Nest Protect device that required an Internet connection for a remote fix. (e) embedded_software: The software failure incident was related to a feature called Nest Wave, which was embedded in the Nest Protect devices and allowed users to turn off the alarm with a wave of the hand. This embedded software feature was identified as the cause of the potential failure scenario [26862, 26168].
Communication	unknown	The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was not directly related to the communication layer of the cyber physical system that failed. The failure was primarily due to a problematic feature called Nest Wave, which allowed users to silence the detector by waving their hand, leading to potential accidental silencing during a real emergency [Article 26862, Article 26168]. This issue was more related to the functionality and design of the device itself rather than a failure at the communication layer of the cyber physical system.
Application	TRUE	The software failure incident related to the Nest Protect smoke and carbon monoxide detectors was indeed related to the application layer of the cyber physical system. The failure was caused by a feature called Nest Wave, which allowed users to silence the detector by waving their hand, leading to potential accidental silencing during a real emergency [Article 26862, Article 26168]. This feature was identified as a problematic aspect of the application layer that could compromise the device's functionality and safety.

Other Details

Category	Option	Rationale
Consequence	delay, non-human, theoretical_consequence	(a) death: There is no mention of any deaths resulting from the software failure incident in the provided articles [26862, 26168]. (b) harm: The software failure incident did not result in any physical harm to individuals as mentioned in the articles [26862, 26168]. (c) basic: The software failure incident did not impact people's access to food or shelter [26862, 26168]. (d) property: The software failure incident did not result in any direct impact on people's material goods, money, or data [26862, 26168]. (e) delay: The software failure incident could potentially cause a delay in the alarm going off in a real fire situation due to the Nest Wave feature unintentionally deactivating the alarm [26168]. (f) non-human: The software failure incident impacted the Nest Protect smoke and carbon monoxide detectors, which are non-human entities [26862, 26168]. (g) no_consequence: The articles do not mention any real observed consequences of the software failure incident [26862, 26168]. (h) theoretical_consequence: There were potential consequences discussed, such as the possibility of the alarm being unintentionally deactivated in a real fire situation, but there were no reports of this actually happening [26168]. (i) other: There were no other consequences of the software failure incident mentioned in the articles [26862, 26168].
Domain	information	(a) The failed system in the articles is related to the information industry as it involves smart-home products like the Nest Protect and the Nest Thermostat, which are Internet-connected devices designed for home monitoring and safety [26862, 26168]. (m) Additionally, the incident involves emergent technologies and the unique recall process due to the nature of the smart-home products, which could be categorized under the broader technology industry [26862].

Sources

Despite smoke-alarm recall, you can probably keep your Nest Protect - CNET - Published on: 2014-05-21
Article ID: 26862
Nest halts sales of Protect smoke and carbon monoxide alarm on safety fears - The Guardian - Published on: 2014-04-04
Article ID: 26168

Back to List