Unintended Acceleration - Find the Cause

Comments

  • flaviusflavius Posts: 3
    edited March 2010
    You are right in your statement Plekto... they should give a prize for a theoretical idea and one for a practical one. I can't afford one of those cars to test my idea. If they give me one for free, just for testing, then we are in money :)

    I gave it some thinking... a more powerful car (mine is only 85bhp) suddenly accelerating towards a 90-degree corner (left, right, doesn't matter) would give some intense sensations. BAD sensations. :sick:
  • eliaselias Posts: 1,828
    edited March 2010
    xlu, have you ever staged/raced a car at a drag race? try it some time, it's fun. :)
    you would see that the 'reaction-time' and other times measured indicate the opposite of what you are saying about manual vs automatic, agreeing with wwest on that point. for reasons other than 'lag time', usually the dragracers prefer the automatics.

    i'm not aware of anyone dragracing any recent toyota but hey, it could have happened somewhere - maybe Prius does reduce the measured reaction time compared to other slow and lousy-handling cars.

    but i'll disagree on another wwest point:
    the hall effect sensor can certainly malfunction such as via its connections/wiring, so i disagree with the idea that it is impossible for a computer to misread a hall effect sensor. and it's certainly possible for someone to write software that misreads a hall effect sensor reading, or that has any arbitrary bug.
  • plektoplekto Posts: 3,706
    edited March 2010
    True, but a potentiometer is dead-simple to read positioning data from by comparison. There's almost nothing to go wrong in the software unless the programmers are horrendously daft. "read resistance from sensor A" is a lot easier to program for than "find position of moving object in sensor A". That's the issue, IMO, and until they stop using these sensors, you'll get problems like these(or programmers who can't figure out how to adequately deal with it).

    BTW, GM's method of dealing with faulty potentiometers is to notice that the impedance is missing or jumping around and it triggers the famous "limp home" mode almost all of the time. A Hall Effect sensor won't be able to tell unless it's a very sophisticated design and the programming is as well. The issue is in a nutshell what happens when the system thinks the magnet went missing/disappeared or got physically stuck.(note a potentiometer will almost never physically get stuck all of a sudden, either, barring enormous abuse or again, some warning)

    EDIT - as further evidence(since it's getting late here and I need *some sleep), consider what happens if we were to replace the Hall Effect sensor in the TPS unit with a potentiometer. The type and manner in which it would fail would be different. The end result would be few if any crashes.

    That logically points to the underlying technology itself as the root cause. Not how it's interpreted or being dealt with(even IF the software is part of the problem). One will fail suddenly and without any warning and the other type of sensor almost never does. (or certainly far far less often does it fail suddenly and without any warning beforehand)

    To bring it around to cars(since we're all gear-heads here :) ), it's like comparing a car with carbs to one with fuel injection. The real issue isn't why does my car get vapor lock and is hard to start in the winter and gets such miserable performance in the mountains. It's that the same engine with fuel injection added exhibits none of these issues. Perfect example - the old Toyota 22R/RE engines. Same exact design other than fuel injection added to the later models. One has all of the issues of carbs and also stalls on steep uphill climbs(floods). And the other does not. Using a different technology on the same engine solved the problems of the former design.
  • judoaljudoal Posts: 1
    The 2008 subaru impreza sport with manual transmission and an electronic throttle, has a significant lag in the accelerator response that is most notable in 1st and 2nd gear. This reminds me of a problem I had in a college engineering control systems course regarding stability. This problem concerned remotely controlling an object over a great distance that is moving away. At what point does it become unstable? While Subaru says that the vehicle is operating normally it makes me wonder if the imposed lag is intentional and if they decreased it, if the system would be unstable. I have no way of testing it, but perhaps someone with access to the microcontroller can play with the lag in the toyota and other vehicles to see if that changes things. Perhaps there is an interaction with the vehicle operator that some combination of operator action and the system, because of the timing and phase considerations, the system becomes unstable.
  • imidazol97imidazol97 Crossroads of America: I70 & I75 Posts: 17,699
    >unmodified new vehicle

    First the vehicle has to be "new." If you've owned it, it's no longer new.

    Second the "unmodified." To be able to test and effect the problem, some modification may be needed. A vehicle that has the problem that's a year or more old may not have had modifications in the problem area made to it when built, without fanfare by toyota, and is a better testbed for finding one or more of the causes for unintended runaway acceleration.

  • botiabotia Posts: 1
    Here are some of the obvious causes:
    * Alcohol
    * Old age
    * Not paying attention
    * Excuse to get out of accident
    * Floor mat
    * Kids toys
    * Leg cramps after exercise
    * Bad feedback from sensor
  • I don't know what the car has already, I presume there's multiple redundancy on accelerator and brake sensors etc

    A simple safety measure could be that if a user tries to brake while the car is accelerating that the brake overrides the accelerator. This should not be the result of the normal accelerator brake processing in the emu. Instead something physical via a separate control channel, such as gas flow into pistons progressively reduced the longer / harder that the brakes are applied.

    An additional measure, if the car notices that it's not slowing down after a few seconds of brakes applied then that's a strong indication that there's a major safety problem and engine power output should be progressively reduced. Again this should be implemented on a separate control channel to normal braking / acceleration processing

    Downside is reduced driving experience for people who want to build up revs while braking, but the upside is that braking will always slow down the car even if the accelerator is floored
  • enphorcer600enphorcer600 Posts: 1
    edited March 2010
    I have a funny feeling it could be RF interference from transmitters. After blowing out my UPS with only 5 watts of radio power… it can really be a problem to susceptible circuits. Different circuits would become resonant at specific frequencies. If there was a strong enough transmitter near a car, on the frequency that is resonant with critical speed control circuit, boom. Could also be illegal CB radio operators using illegal linear amplifiers. Some of these mobile amps go up to 1000W, and produce broad spectrally unclean signals. Could just be Russian roulette that’s catching some of these cars. Could be toyota’s standard electronic control package is susceptible to this.

    Auto makers are supposed to test their cars to make sure EMI/RF isn’t a problem, but who knows if something slipped through the cracks, and who knows what kind of tests dot they perform.
  • I had same problem with 1996 Chevy Blazer, where if you got the pedal close to the floor it would get trapped under the floor mat. Heard of an 2005 F150 that would do the same thing.

    Either having a raised platform under the gas pedal so you could avoid getting it stuck under the floor mat. I have seen that in a few models I suppose that is why it is there, but every auto maker should take that precaution.

    Also with electronics if the car is under heavy braking while the car is unattended acceleration the car should shift into neutral to avoid any power getting to the wheels. Then you could safely come to a stop and with today's engines and rev limiters the engines should be fine if they are stuck revving in neutral.
  • houdini1houdini1 Kansas City area Posts: 5,770
    Good list, I will add a couple more:

    1. Stupidity

    2. Panic

    3. Big feet

    2013 LX 570 2010 LS 460

  • cbrechlincbrechlin Posts: 11
    It doesn't matter whether Toyota uses a potentiometer or hall sensor or encoder or laser to measure and control throttle, the key, just like in mechanical controls is that it defaults when it fails to "Off".

    Though the technology was patented by KG Schneider-Senator GmbH in the early 1960's for use in guillotine paper and textile machines to assure Absolute Safety for the User, it clearly has an application here:

    Two sensors (of any variety) are applied simultaneously to pedal travel, one measures "On" (in graduations) and the other measures "Off" in opposition. They are then both measured in a "Comparison Circuit" which specifies in milliseconds the "Reaction Time" for both sensors, and any deviation beyond the preselected "Tolerance" that is comparing the two sensors Defaults to Off... "Double Parallel Fail-Safe", a simple logic processor with minor cost and absolute Safety for the user.

    The "absoluteness", or guarantee of this type configuration was demonstrated back in the 1980's when a female operator of one of Schneider-Senator's machines cut off both hands of that operator. Safety regulators shut down all machines of its type for three months while the Fail-Safe system on that machine was continuously run and challenged to default again, never, ever possibly failing. The final conclusion was the one offered first, (though it certainly was a worthwhile test regardless), that the small woman habitually reached her thin arms under the infrared light barriers to violate the safety system during automatic operation.

    When a sensor fails under this logic circuit there can be no acceleration, and for the manufacturer, it would mean most often that sensors that are wearing out or out of tolerance would have to be replaced. [Of course, it is a separate discussion as to whether the costs of electronic accelerator controls in this application really outweighs a simple spring-loaded mechanical cable? Electronic controls are inevitable, but have to be designed with safety first.]

    I believe KG Schneider-Senator has an international patent on this device and that it is used by such as Airbus for certain systems. When it comes to electronic control of 3,000lb bullets driven by average (normally unprofessional) people, I would say this is the fix if Toyota sticks with electronic control. I would also add that any and all manufacturers who are deploying electronic throttle control will also eventually suffer likewise absent a "Double Parallel Fail-Safe" type circuit.
  • Software of any complexity is rarely, if ever perfect. Unintended links or unknown states can hide from the most experienced programmers. That's why software companies send out thousands of beta copies and tell people to fully use them both properly and stupidly to try and break them. So a software fix for the Toyotas could take years to find.

    In the mean time, they should install a solenoid shutoff valve on the fuel line connected to a prominently-displayed switch on the dash. An accelerometer could light up the switch when extreme acceleration is detected. Hit the switch and the engine stops.

    I believe this is a simple, cheap, non-computerized solution, no matter what the real cause is found to be.
  • wwestwwest Posts: 10,706
    You have just described the gas pedal position sensor system Toyota/etc uses in their DBW system. Two hall effect "non-contact" sensors are used. The software is supposed to monitor both sensors and if the position signals do not match within a predetermined tolerance then the software should go into "limp home" mode. While the two sensors' output signal voltages both track the position in a linear fashion the two voltages are offset by a nominal 0.80 volts so a short between the two can be easily detected via the MIL monitoring procedure.

    What Dr. Gilbert was showing was that Toyota/etc (Denso, really) monitor did not detect that he had shorted the two sensors together. Assuming the assortment of factory shop/repair manuals I read in my research do not contain a typo the voltage difference range that Toyota/etc is using for this test, 0.02 volts, was poorly chosen. IMMHO the two sensors could easily be "shorted" together and still have at least a 0.02 volt tracking difference.

    And anyone suggesting that a potentiometer would be more reliable in this application obviously has never disassembled one after many hours of use. The "contact" wiper ALWAYS wears through the resistive deposition in a relatively short period of time.
  • plektoplekto Posts: 3,706
    edited March 2010
    The issue really is what type of technology they are using.(aside from the fact that the Hall Effect sensors failed and the system went full throttle vs zero throttle in response). Edmunds also is asking here about it as a systemic problem that is plaguing the industry. I'm addressing the larger issue as well.
    *note I also mentioned the other "why it failed" point first* - I'm technically addressing both questions that Edmunds is asking about here.

    When you are designing a drive-by-wire system, you have two choices, normally. Sensor type A and sensor type B. Hall Effect or Potentiometer. Both cost roughly the same and it's really a "pick one you like" scenario for the engineering team.

    None of this really matters, though(both get the job done), until you look at what happens when they both fail. The Hall Effect sensor fails in a manner that you would never want for something involving a moving object. You might use a potentiometer for an airplane(not sure if any do, but say you're designing a fly-by-wire airplane that does), but you'd never use a Hall Effect sensor for the controls of an airplane. Because one merely causes a problem and the other simply crashes the plane and you die.

    Systems to mitigate or deal with catastrophic failures are entirely separate from this issue of the wrong technology between the two being chosen in the first place. Magnetic sensors are a bad idea for throttle and brake controls because of how they fail. This can be worked around with software and specialized hardware as you mentioned, but it's still the wrong technology to begin with when lives are potentially at stake. It shouldn't *need* a second backup sensor as a normal design parameter.

    *edit* yes, Potentiometers do wear out quicker. It's a known issue but many auto makers do use them and they last reasonably well, considering. Of course, neither is an adequate substitute for a good old fashioned throttle cable.
  • wwestwwest Posts: 10,706
    Yes, ALL of the climate control servomotors in my '01 F/awd RX300 use specialty potentiometers for position feedback. Single potentiometers but with dual wipers internally for additional long term reliability.

    In past years I have used hall effect sensors in a myriad of applications in minicomputer and microprocessor real time process control systems in harsh environments (lumber mills, etc.) and have never experienced any abnormal failure modes.
  • wwestwwest Posts: 10,706
    edited March 2010
    "..The Hall Effect sensor fails in a manner that you would never want.."

    http://www.toyota.com/recall/?siteid=OM_SLA_AID1792905_CID4251042

    Could you explain, expand on that thought..?
  • plektoplekto Posts: 3,706
    edited March 2010
    http://en.wikipedia.org/wiki/Throttle_position_sensor
    Read this.

    http://en.wikipedia.org/wiki/Electronic_throttle_control
    And this.

    I mentioned both in my original post over a month ago. The critical line, and Wikipedia's entry is interesting(and wrong):

    ***
    The potentiometer is a satisfactory way for non-critical applications such as volume control on a radio, but as it has a wiper contact rubbing against a resistance element, and dirt and wear between the wiper and the resistor can cause erratic readings. The more reliable solution is the magnetic coupling that makes no physical contact, so will never be subject to failing by wear.

    This is an insidious failure as it may not provide any symptoms until there is total failure.
    ***
    The author here states that Hall Effect sensors are "more reliable" as it has no wear, yet when it does fail, it is "an insidious failure as it may not provide any symptoms until there is total failure."? He's obviously an engineer who is looking at it like most engineers would. "More reliable" in terms of life span and number of movements/MTBF. Versus a "mission critical" scenario. Sudden failure without any warning of any kind is a deal-breaker here and is NOT satisfactory for automotive controls. No matter what this particular author states. This is doubly true since the feedback system in a broken Hall Effect sensor is the only thing keeping it from being a deathtrap. If the software or hardware fails to detect the problem instantly, you end up off the road.

    What happened here, I'm sure, is that Toyota originally used or considered potentiometers but listened to their engineers who quoted things like lifespan and MTBF and went on about dirt and wear and used the Hall Effect sensor instead. They thought that they could overcome the inherent flaw in the design by using two redundant sensors and a lot of fancy software.

    Yet when it failed and didn't work as intended, people died. If they had used a potentiometer, they would have had to do a *lot* more warranty repairs(the major downside to potentiometer-based ETC systems in their view), but it's unlikely that anyone would have died. Because when a potentiometer fails, you get a drastic change in resistance, which is easy to design any monitoring system to detect. (just a few lines of code that triggers the system to shut down)

    *EDIT
    Remember, Wikipedia is merely a collection of posts by random authors and not necessarily to be used as "proof" of anything other than basic ideas and concepts. Here the basic ideas and concepts do support how it fails(without warning - that's easy to verify elsewhere). His assertion about it being "more reliable" doesn't apply to something like this, though - that's obviously wrong.

    How do I know? People died. That's the ultimate "bad scenario" in any application of automotive technology. Anything that causes people to die in a vehicle needs to be changed to a different application or technology as it has been shown to be unreliable. There is no gray area here, either. Dead people means the technology isn't to be used - find something else.

    That's the larger issue in the industry, and nobody is addressing this. I hear nothing at all in the media about it. No articles, either. Sure, they mention it now about Toyota, but fail to draw the connection to the larger issue of it being the wrong type of sensor for this application. Now maybe they can design another type of sensor that isn't a Hall Effect or Potentiometer(maybe optical like they use in mice?), but this technology can be shown to produce disastrous results and shouldn't be used.
  • vulpinevulpine Posts: 4
    Really it's quite simple, if you're an electronics technician: Try looking for cold solder joints in the ECM and BCM computers. Wave soldering does fine for using the minimum amount of solder possible for computing where the ambient temperature tends to stay reasonably steady, but when you're looking at temperature swings from below freezing to possibly in excess of 140°F, then there's no way wave soldered connections can remain reliable for the life of the car; it's effectively impossible. Either find a different connection method, or apply more solder to reduce the risk of cracked/broken connections.
  • cbrechlincbrechlin Posts: 11
    By "MIL monitoring procedure" I assume you're referring to a type of "comparison circuit"?

    If so, I'd like to clarify, that in order for it to be "Fail Safe" it must be a "Timed" double-parallel circuit which is then measured in a separate comparison circuit in milliseconds, it must measure BOTH opposite voltages and the precise (parallel) Timing of each to allow activation. (our circuit required timing in the 7-15 ms range) Under this condition it is impossible to "short" the two sensors because 1. they must be opposite, identical or any other misreadings will always default "Off" as the comparison circuit is precisely designed for this purpose, and, 2. they must be entirely distinct circuits separated by hard wires and physically separated sensors. The main problem you have with this configuration is inoperability due to worn sensors (of any sort) but NEVER unexpected operation.

    That's why I don't understand how Toyota could have had this problem, unless they aren't using the type of system I describe, but I'm sure I do not fully understand exactly what the Toyota system is composed of and am very interested in more information here. I used to teach the fail-safe system around the world for Schneider so I'm intimately acquainted with how their system works and why it cannot fail except to "Off".

    On the side, I agree with your potentiometer argument, my experience is that hall sensors and even Encoders are far less vulnerable to environmental factors since there is no physical contact involved (not to mention far more precise)... all three of my vintage near 30 year old Audis have never had a hall sensor fail in the distributor and none of the 50 year+ Schneider guillotines ever had an encoder failure either (that I am aware of), both under very harsh environmental conditions.

    Please do elaborate especially if I've misunderstood the MIL, and thanks.
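
Added example, not written by any poster and not Toyota's or Denso's code: a C sketch of the two-signal plausibility check wwest describes (signals a nominal 0.80 V apart) combined with the default-to-off behaviour cbrechlin argues for, showing how a test that only looks for near-equal signals compares with a window around the expected offset. The 0.80 V and 0.02 V figures come from the thread; the tolerance band, rail limits, pedal scaling, sample readings and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Figures quoted in the thread, in millivolts. */
#define NOMINAL_OFFSET_MV   800  /* sensor 2 tracks a nominal 0.80 V above sensor 1 */
#define SHORT_THRESHOLD_MV   20  /* the 0.02 V difference figure wwest cites */

/* Assumed values for this example only. */
#define OFFSET_TOLERANCE_MV 100  /* allowed drift around the nominal offset */
#define RAIL_LOW_MV         300  /* below this: open circuit or short to ground */
#define RAIL_HIGH_MV       4700  /* above this: short to supply */
#define PEDAL_IDLE_MV       800  /* sensor 1 with the pedal released */
#define PEDAL_FULL_MV      3200  /* sensor 1 with the pedal floored */

typedef struct { bool fault_latched; } pedal_monitor;

/* Narrow test: reports a fault only when the two signals are nearly equal. */
bool short_only_fault(int v1_mv, int v2_mv)
{
    return abs(v2_mv - v1_mv) < SHORT_THRESHOLD_MV;
}

/* Window test: reports a fault whenever the difference leaves the expected
   band around the nominal offset, whatever the cause. */
bool offset_window_fault(int v1_mv, int v2_mv)
{
    return abs((v2_mv - v1_mv) - NOMINAL_OFFSET_MV) > OFFSET_TOLERANCE_MV;
}

static bool out_of_range(int mv)
{
    return mv < RAIL_LOW_MV || mv > RAIL_HIGH_MV;
}

/* Returns the requested throttle in percent. Any implausible sample latches
   the fault, and the request then stays at 0 until the monitor is reset. */
int throttle_request(pedal_monitor *m, int v1_mv, int v2_mv)
{
    if (out_of_range(v1_mv) || out_of_range(v2_mv) ||
        offset_window_fault(v1_mv, v2_mv))
        m->fault_latched = true;
    if (m->fault_latched)
        return 0;

    int pct = (v1_mv - PEDAL_IDLE_MV) * 100 / (PEDAL_FULL_MV - PEDAL_IDLE_MV);
    if (pct < 0) pct = 0;
    if (pct > 100) pct = 100;
    return pct;
}

int main(void)
{
    /* Constructed readings, not measurements from any vehicle. */
    static const struct { int v1, v2; const char *label; } samples[] = {
        { 2000, 2800, "healthy, half pedal" },
        { 2400, 2400, "signals tied together" },
        { 2350, 2400, "signals bridged through some resistance" },
        { 2000,  100, "sensor 2 open circuit" },
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pedal_monitor m = { false };  /* fresh monitor per sample */
        printf("%-40s short-only=%d window=%d throttle=%d%%\n",
               samples[i].label,
               short_only_fault(samples[i].v1, samples[i].v2),
               offset_window_fault(samples[i].v1, samples[i].v2),
               throttle_request(&m, samples[i].v1, samples[i].v2));
    }
    return 0;
}
```

The third sample is the case wwest raises: a 50 mV difference passes the near-equal test but falls far outside the window around 0.80 V.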
  • vulpinevulpine Posts: 4
    Your analysis points to one of the biggest mistakes in this test: it assumes that 1) the systems are 100% reliable, and 2) the error will be 100% repeatable. However, when you consider the vibration, temperatures and environments the systems have to contend with on a regular basis, items 1) and 2) are essentially impossible to verify until the specific data path is discovered which triggers the acceleration. Just because you're working in a lab doesn't mean you've got the data you need.

    Put it like this: Let's say that all the troubleshooting guides point to computer A, pedal B and throttle body C. In some cases, replacing any one of the above 'seems' to fix the problem, so you apply that fix to all affected vehicles--but the problem re-occurs on a car that's already undergone the recall repair. It's not 100% repeatable, not even on the same vehicle--it's intermittent and infrequent. This alone points to a connectivity issue somewhere. Is it in the wiring? Is it on the computer motherboard? What if it's due to some piece of information missing from one of the other computers/sensors? What is the most common single thing between all of these?

    Connectivity—solder, to be exact. The fact that it's intermittent almost automatically implies a cold solder joint, one that looks intact but breaks under certain vibration/temperature/humidity situations. It's bad enough when it happens in aviation but at least there are enough redundant systems to override the defective one. In a car, you rarely have redundant systems and with hundreds of millions of cars on the road, the potential for disaster is multiplied enormously!

    I'm not saying to remove computers from our cars, but how about doing something to ensure the reliability of the components and their connections. One of the first rules for soldering is to ensure you have a good mechanical connection, then solder it.