Unintended Acceleration - Find the Cause

Comments

  • cbrechlin Posts: 11
    It doesn't matter whether Toyota uses a potentiometer or hall sensor or encoder or laser to measure and control throttle, the key, just like in mechanical controls is that it defaults when it fails to "Off".

    Though the technology was patented by KG Schneider-Senator GmbH in the early 1960's for use in guillotine paper and textile machines to assure Absolute Safety for the User, it clearly has an application here:

    Two sensors (of any variety) are applied simultaneously to pedal travel, one measures "On" (in graduations) and the other measures "Off" in opposition. They are then both measured in a "Comparison Circuit" which specifies in milliseconds the "Reaction Time" for both sensors, and any deviation beyond the preselected "Tolerance" that is comparing the two sensors Defaults to Off... "Double Parallel Fail-Safe", a simple logic processor with minor cost and absolute Safety for the user.

    The "absoluteness", or guarantee of this type configuration was demonstrated back in the 1980's when a female operator of one of Schneider-Senator's machines cut off both hands of that operator. Safety regulators shut down all machines of its type for three months while the Fail-Safe system on that machine was continuously run and challenged to default again, never, ever possibly failing. The final conclusion was the one offered first, (though it certainly was a worthwhile test regardless), that the small woman habitually reached her thin arms under the infrared light barriers to violate the safety system during automatic operation.

    When a sensor fails under this logic circuit there can be no acceleration, and for the manufacturer, it would mean most often that sensors that are wearing out or out of tolerance would have to be replaced. [Of course, it is a separate discussion as to whether the costs of electronic accelerator controls in this application really outweighs a simple spring-loaded mechanical cable? Electronic controls are inevitable, but have to be designed with safety first.]

    I believe KG Schneider-Senator has an international patent on this device and that it is used by such as Airbus for certain systems. When it comes to electronic control of 3,000lb bullets driven by average (normally unprofessional) people, I would say this is the fix if Toyota sticks with electronic control. I would also add that any and all manufacturers who are deploying electronic throttle control will also eventually suffer likewise absent a "Double Parallel Fail-Safe" type circuit.
  • Software of any complexity is rarely, if ever perfect. Unintended links or unknown states can hide from the most experienced programmers. That's why software companies send out thousands of beta copies and tell people to fully use them both properly and stupidly to try and break them. So a software fix for the Toyotas could take years to find.

    In the meantime, they should install a solenoid shutoff valve on the fuel line connected to a prominently-displayed switch on the dash. An accelerometer could light up the switch when extreme acceleration is detected. Hit the switch and the engine stops.

    I believe this is a simple, cheap, non-computerized solution, no matter what the real cause is found to be.
  • wwest Posts: 10,706
    You have just described the gas pedal position sensor system Toyota/etc uses in their DBW system. Two hall effect "non-contact" sensors are used. The software is supposed to monitor both sensors and if the position signals do not match within a predetermined tolerance then the software should go into "limp home" mode. While the two sensors' output signal voltages both track the position in a linear fashion the two voltages are offset by a nominal 0.80 volts so a short between the two can be easily detected via the MIL monitoring procedure.

    What Dr. Gilbert was showing was that Toyota/etc (Denso, really) monitor did not detect that he had shorted the two sensors together. Assuming the assortment of factory shop/repair manuals I read in my research do not contain a typo the voltage difference range that Toyota/etc is using for this test, 0.02 volts, was poorly chosen. IMMHO the two sensors could easily be "shorted" together and still have at least a 0.02 volt tracking difference.

    And anyone suggesting that a potentiometer would be more reliable in this application obviously has never disassembled one after many hours of use. The "contact" wiper ALWAYS wears through the resistive deposition in a relatively short period of time.
  • plekto Posts: 3,738
    edited March 2010
    The issue really is what type of technology they are using.(aside from the fact that the Hall Effect sensors failed and the system went full throttle vs zero throttle in response). Edmunds also is asking here about it as a systemic problem that is plaguing the industry. I'm addressing the larger issue as well.
    *note I also mentioned the other "why it failed" point first* - I'm technically addressing both questions that Edmunds is asking about here.

    When you are designing a drive-by-wire system, you have two choices, normally. Sensor type A and sensor type B. Hall Effect or Potentiometer. Both cost roughly the same and it's really a "pick one you like" scenario for the engineering team.

    None of this really matters, though(both get the job done), until you look at what happens when they both fail. The Hall Effect sensor fails in a manner that you would never want for something involving a moving object. You might use a potentiometer for an airplane(not sure if any do, but say you're designing a fly-by-wire airplane that does), but you'd never use a Hall Effect sensor for the controls of an airplane. Because one merely causes a problem and the other simply crashes the plane and you die.

    Systems to mitigate or deal with catastrophic failures are entirely separate from this issue of the wrong technology between the two being chosen in the first place. Magnetic sensors are a bad idea for throttle and brake controls because of how they fail. This can be worked around with software and specialized hardware as you mentioned, but it's still the wrong technology to begin with when lives are potentially at stake. It shouldn't *need* a second backup sensor as a normal design parameter.

    *edit* yes, Potentiometers do wear out quicker. It's a known issue but many auto makers do use them and they last reasonably well, considering. Of course, neither is an adequate substitute for a good old fashioned throttle cable.
  • wwest Posts: 10,706
    Yes, ALL of the climate control servomotors in my '01 F/awd RX300 use specialty potentiometers for position feedback. Single potentiometers but with dual wipers internally for additional long term reliability.

    In past years I have used hall effect sensors in a myriad of applications in minicomputer and microprocessor real time process control systems in harsh environments (lumber mills, etc.) and have never experienced any abnormal failure modes.
  • wwest Posts: 10,706
    edited March 2010
    "..The Hall Effect sensor fails in a manner that you would never want.."

    http://www.toyota.com/recall/?siteid=OM_SLA_AID1792905_CID4251042

    Could you explain, expand on that thought..?
  • plekto Posts: 3,738
    edited March 2010
    http://en.wikipedia.org/wiki/Throttle_position_sensor
    Read this.

    http://en.wikipedia.org/wiki/Electronic_throttle_control
    And this.

    I mentioned both in my original post over a month ago. The critical line, and Wikipedia's entry is interesting(and wrong):

    ***
    The potentiometer is a satisfactory way for non-critical applications such as volume control on a radio, but as it has a wiper contact rubbing against a resistance element, and dirt and wear between the wiper and the resistor can cause erratic readings. The more reliable solution is the magnetic coupling that makes no physical contact, so will never be subject to failing by wear.

    This is an insidious failure as it may not provide any symptoms until there is total failure.
    ***
    The author here states that Hall Effect sensors are "more reliable" as it has no wear, yet when it does fail, it is "an insidious failure as it may not provide any symptoms until there is total failure."? He's obviously an engineer who is looking at it like most engineers would. "More reliable" in terms of life span and number of movements/MTBF. Versus a "mission critical" scenario. Sudden failure without any warning of any kind is a deal-breaker here and is NOT satisfactory for automotive controls. No matter what this particular author states. This is doubly true since the feedback system in a broken Hall Effect sensor is the only thing keeping it from being a deathtrap. If the software or hardware fails to detect the problem instantly, you end up off the road.

    What happened here, I'm sure, is that Toyota originally used or considered potentiometers but listened to their engineers who quoted things like lifespan and MTBF and went on about dirt and wear and used the Hall Effect sensor instead. They thought that they could overcome the inherent flaw in the design by using two redundant sensors and a lot of fancy software.

    Yet when it failed and didn't work as intended, people died. If they had used a potentiometer, they would have had to do a *lot* more warranty repairs(the major downside to potentiometer-based ETC systems in their view), but it's unlikely that anyone would have died. Because when a potentiometer fails, you get a drastic change in resistance, which is easy to design any monitoring system to detect. (just a few lines of code that triggers the system to shut down)

    *EDIT
    Remember, Wikipedia is merely a collection of posts by random authors and not necessarily to be used as "proof" of anything other than basic ideas and concepts. Here the basic ideas and concepts do support how it fails(without warning - that's easy to verify elsewhere). His assertion about it being "more reliable" doesn't apply to something like this, though - that's obviously wrong.

    How do I know? People died. That's the ultimate "bad scenario" in any application of automotive technology. Anything that causes people to die in a vehicle needs to be changed to a different application or technology as it has been shown to be unreliable. There is no gray area here, either. Dead people means the technology isn't to be used - find something else.

    That's the larger issue in the industry, and nobody is addressing this. I hear nothing at all in the media about it. No articles, either. Sure, they mention it now about Toyota, but fail to draw the connection to the larger issue of it being the wrong type of sensor for this application. Now maybe they can design another type of sensor that isn't a Hall Effect or Potentiometer(maybe optical like they use in mice?), but this technology can be shown to produce disastrous results and shouldn't be used.
  • vulpine Posts: 4
    Really it's quite simple, if you're an electronics technician: Try looking for cold solder joints in the ECM and BCM computers. Wave soldering does fine for using the minimum amount of solder possible for computing where the ambient temperature tends to stay reasonably steady, but when you're looking at temperature swings from below freezing to possibly in excess of 140°F, then there's no way wave soldered connections can remain reliable for the life of the car; it's effectively impossible. Either find a different connection method, or apply more solder to reduce the risk of cracked/broken connections.
  • cbrechlin Posts: 11
    By "MIL monitoring procedure" I assume you're referring to a type of "comparison circuit"?

    If so, I'd like to clarify, that in order for it to be "Fail Safe" it must be a "Timed" double-parallel circuit which is then measured in a separate comparison circuit in milliseconds, it must measure BOTH opposite voltages and the precise (parallel) Timing of each to allow activation. (our circuit required timing in the 7-15 ms range) Under this condition it is impossible to "short" the two sensors because 1. they must be opposite, identical or any other misreadings will always default "Off" as the comparison circuit is precisely designed for this purpose, and, 2. they must be entirely distinct circuits separated by hard wires and physically separated sensors. The main problem you have with this configuration is inoperability due to worn sensors (of any sort) but NEVER unexpected operation.

    That's why I don't understand how Toyota could have had this problem, unless they aren't using the type of system I describe, but I'm sure I do not fully understand exactly what the Toyota system is composed of and am very interested in more information here. I used to teach the fail-safe system around the world for Schneider so I'm intimately acquainted with how their system works and why it cannot fail except to "Off".

    On the side, I agree with your potentiometer argument, my experience is that hall sensors and even Encoders are far less vulnerable to environmental factors since there is no physical contact involved (not to mention far more precise)... all three of my vintage near 30 year old Audi's have never had a hall sensor fail in the distributor and none of the 50 year+ Schneider guillotines ever had an encoder failure either (that I am aware of), both under very harsh environmental conditions.

    Please do elaborate especially if I've misunderstood the MIL, and thanks.
  • vulpine Posts: 4
    Your analysis points to one of the biggest mistakes in this test: it assumes that 1) the systems are 100% reliable, and 2) the error will be 100% repeatable. However, when you consider the vibration, temperatures and environments the systems have to contend with on a regular basis, items 1) and 2) are essentially impossible to verify until the specific data path is discovered which triggers the acceleration. Just because you're working in a lab doesn't mean you've got the data you need.

    Put it like this: Let's say that all the troubleshooting guides point to computer A, pedal B and throttle body C. In some cases, replacing any one of the above 'seems' to fix the problem, so you apply that fix to all affected vehicles--but the problem re-occurs on a car that's already undergone the recall repair. It's not 100% repeatable, not even on the same vehicle--it's intermittent and infrequent. This alone points to a connectivity issue somewhere. Is it in the wiring? Is it on the computer motherboard? What if it's due to some piece of information missing from one of the other computers/sensors? What is the most common single thing between all of these?

    Connectivity—solder, to be exact. The fact that it's intermittent almost automatically implies a cold solder joint, one that looks intact but breaks under certain vibration/temperature/humidity situations. It's bad enough when it happens in aviation but at least there are enough redundant systems to override the defective one. In a car, you rarely have redundant systems and with hundreds of millions of cars on the road, the potential for disaster is multiplied enormously!

    I'm not saying to remove computers from our cars, but how about doing something to ensure the reliability of the components and their connections. One of the first rules for soldering is to ensure you have a good mechanical connection, then solder it.
  • plekto Posts: 3,738
    I didn't comment about the MIL, so I'll leave it to the other person to respond to that, but I did want to mention that from what I could see in the tear-down of the two sensors(look at my original post on page two for a link), Toyota didn't design the fail-safe properly(or the company that made the "defective" sensors didn't). It looks like a fairly crude implementation of the technology to keep costs down. But I'm no expert about these specific parts(and don't have them in front of me to take apart, either), so we'll have to wait for a complete analysis to be sure.

    Here's the link - the pictures are pretty interesting. I'd be interested to hear your take on what you can tell from them. :)

    http://www.thetruthaboutcars.com/exclusive-ttac-takes-apart-both-toyota-gas-pedals/
  • vulpine Posts: 4
    Check for cold solder joints in vehicles which have demonstrated this issue.
  • cbrechlin Posts: 11
    I have to disagree that hall sensors are the problem, though you are correct that because it involves fatalities this system as it is cannot continue in use. The real solution, no matter what sensor system is deployed is that 1. there must be two distinct switches and circuits measuring Opposite conditions of the pedal (On and Off), and, 2. a comparison circuit must measure voltage and real-time and precisely compare them (that would be four signals +/- for any movement) in order to permit operation, or otherwise default "Off". This type of system can not operate unless these absolute and precise conditions are met, hence there would have been no fatalities no matter how many sensors failed.

    As noted in my other post #40, I've never personally had failures of either hall sensors or encoders (not saying they don't, they do), yet on the very same decades-old machines in harsh conditions, I can't tell you how many potentiometers I've seen fail. But again, it does not matter what technology is used to measure/control something like gas pedal control, anything and everything man made can and will fail, the key is default Fail Safe.
  • mkriley Posts: 1
    The truth about unintended acceleration is this: You will never be able to eliminate all claims of "unintended acceleration" until you eliminate the human driver. The NHTSA and all automakers receive thousands of complaints of "unintended acceleration" each year, but if they are investigated, most are found to be driver error. Even I have had those rare moments in my driving life that I accidentally pushed the gas when I thought I was pushing the brake. An administrator for the Highway Patrol stated that in 95% of speeding cases, the driver claims that his gas pedal "stuck". You will waste a lot of time and money trying to pin this phenomenon on a mechanical cause. There are so many mechanical and electronic scapegoats, that you could never exhaust them all. If you really want to find the primary cause, you have to look at making people better and more alert drivers. Perhaps a large display on the dashboard that says "Accelerator engaged" when the person applies the accelerator, or an audio tone that pings when the gas is first applied. It is unfortunate that the media and the US government have turned this problem into an opportunity to discredit Toyota. There have been complaints of unintended acceleration since the advent of the automobile, and there will continue to be complaints until people are willing to take responsibility for their own errors.
  • c1dean Posts: 1
    I think there might be two possible causes both related to the computer. 1) could be fuel air mixture sensors that could cause more fuel to be introduced into the system to cause acceleration. 2) (more likely cause) If the car is equipped with a cruise control the software controlling it could be malfunctioning causing the car to accelerate rapidly. The malfunction could also cause the brake disengage to not function to disable the cruise control accelerator.
  • A switch to turn the engine off? That's a novel approach.
  • wwest Posts: 10,706
    "..no symptoms until there is total failure.."

    That's why Denso uses TWO Hall effect sensors that track the gas pedal position. The theory being that the likelihood of both failing simultaneously was too small to consider. The computer continuously monitors both sensors directly via separate A/D channels and if the tracking voltage of each does not follow its opposite within 0.80 volts a "limp home" mode is entered. A limp home mode should also be entered should the two voltages track TOO closely. While the documents say that Denso uses this latter technique Dr. Gilbert's testing indicated this latter technique to be inoperative.
  • wwest Posts: 10,706
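
The dual-sensor comparison discussed in the posts above, as an added C sketch (not part of the thread, and not Toyota's or Denso's code): it contrasts a 0.02 V short window used on its own with the same window plus a check that the two channels stay 0.80 V apart. The 0.80 V offset and 0.02 V window are the figures quoted in the thread; the 0.10 V tolerance, the 0.2 to 4.8 V range, the three-sample trip count and the voltage trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { FAULT_NONE, FAULT_RANGE, FAULT_SHORT, FAULT_TRACK } fault_t;

typedef struct {
    double offset_v;     /* nominal v2 - v1: 0.80 V, as quoted in the thread */
    double track_tol_v;  /* assumed: allowed deviation from offset_v */
    double short_win_v;  /* |v2 - v1| at or below this counts as a short */
    double min_v, max_v; /* assumed valid signal range for either channel */
    int    trip_count;   /* assumed: consecutive bad samples before latching */
} monitor_cfg_t;

typedef struct { int bad_run; bool limp_home; } monitor_t;
typedef struct { double v1, v2; } sample_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Classify one pair of readings. NaN is rejected explicitly, because every
 * ordered comparison against NaN is false and would slip past the limits. */
fault_t classify_sample(const monitor_cfg_t *c, double v1, double v2)
{
    if (v1 != v1 || v2 != v2) return FAULT_RANGE;
    if (v1 < c->min_v || v1 > c->max_v || v2 < c->min_v || v2 > c->max_v)
        return FAULT_RANGE;
    double diff = v2 - v1;
    if (absd(diff) <= c->short_win_v) return FAULT_SHORT;
    if (absd(diff - c->offset_v) > c->track_tol_v) return FAULT_TRACK;
    return FAULT_NONE;
}

/* Feed one sample; returns true once limp-home is latched. The latch never
 * clears by itself, so an intermittent fault cannot restore full authority. */
bool monitor_step(monitor_t *m, const monitor_cfg_t *c, sample_t s)
{
    if (m->limp_home) return true;
    if (classify_sample(c, s.v1, s.v2) == FAULT_NONE) {
        m->bad_run = 0;                 /* an isolated glitch is tolerated */
    } else if (++m->bad_run >= c->trip_count) {
        m->limp_home = true;
    }
    return m->limp_home;
}

/* Index of the sample that latched limp-home, or -1 if it never latched. */
int first_trip(const monitor_cfg_t *c, const sample_t *t, size_t n)
{
    monitor_t m = { 0, false };
    for (size_t i = 0; i < n; i++)
        if (monitor_step(&m, c, t[i])) return (int)i;
    return -1;
}

/* Short window only: tracking tolerance set wider than the signal range. */
static const monitor_cfg_t NARROW_ONLY   = { 0.80, 10.0, 0.02, 0.2, 4.8, 3 };
/* Same window plus offset tracking with the assumed 0.10 V tolerance. */
static const monitor_cfg_t WITH_TRACKING = { 0.80, 0.10, 0.02, 0.2, 4.8, 3 };

/* Constructed trace: healthy, one glitch, healthy, then a resistive short
 * that leaves the channels 0.05 V apart (outside the 0.02 V window). */
static const sample_t TRACE[] = {
    { 0.80, 1.60 }, { 1.20, 1.20 }, { 1.60, 2.40 },
    { 2.00, 2.05 }, { 2.00, 2.05 }, { 2.00, 2.05 }, { 2.00, 2.05 },
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

int main(void)
{
    printf("short window only : trip at %d\n",
           first_trip(&NARROW_ONLY, TRACE, TRACE_LEN));
    printf("window + tracking : trip at %d\n",
           first_trip(&WITH_TRACKING, TRACE, TRACE_LEN));
    return 0;
}
```

On this trace the window-only configuration never latches, while the tracking check latches on the third consecutive out-of-offset sample.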
    "..comparison circuit.."

    Yes, but a "virtual" comparison circuit embedded in firmware DSP, Digital Signal Processing, routines.

    In my '92 LS400 I was able to INSTANTLY "fool" the climate control computer into thinking the cabin had gone instantly COLD simply by switching a resistance into the cabin temperature sensor, thermistor, circuit. That didn't work in my '01 F/awd RX300 because in the interim Denso had added enough DSP to discover that was not a valid change in the short term.
  • cbrechlin Posts: 11
    This link you provide addresses only mechanical failure of these pedals, but I was under the impression that there were electronic problems identified. If all such acceleration problems are caused strictly by mechanical pedal movement issues then the fix is going to require a mechanical solution, for instance, a piggy-backed and redundant spring unit resulting in somewhat increased pedal pressure.

    The double-parallel system addresses only electronic controls. Is the electronic issue buried, or are all these failures just mechanical?
  • mkriley1 Posts: 3
    The truth about unintended acceleration is this: You will never be able to eliminate all claims of "unintended acceleration" until you eliminate the human driver. The NHTSA and all automakers receive thousands of complaints of "unintended acceleration" each year, but when they are investigated, most are found to be driver error. Even I have had those rare moments in my driving life that I accidentally pushed the gas when I thought I was pushing the brake. An administrator for the Highway Patrol stated that in 95% of speeding cases, the driver claims that his gas pedal "stuck". You will waste a lot of time and money trying to pin this phenomenon on a mechanical or electronic cause. There are so many mechanical and electronic scapegoats, that you could never exhaust them all. If you really want to find the primary solution, you have to look at making people better and more alert drivers. Perhaps a large display on the dashboard that says "Accelerator engaged" when the person applies the accelerator, or an audio tone that pings when the gas is first applied.

    It is unfortunate that the media and the US government have turned this problem into an opportunity to discredit Toyota. There have been complaints of unintended acceleration since the advent of the automobile, and there will continue to be complaints until people are willing to take responsibility for their own errors. The automakers have the most to lose or gain by manufacturing the safest acceleration systems possible. Their reputations and future business ride on it. They also have the best resources to employ. I don’t want a backyard mechanic or engineer tinkering with my acceleration system. In the US senate hearing on Tuesday, NHTSA administrator David Strickland said, “Toyota has had the same percentage of sudden acceleration issues as other manufacturers; they just had more of them because they have more cars”. The one constant in all complaints of unintended acceleration? Human drivers. Auto makers cannot engineer away distracted driving, or impaired driving, or speeding. Or medical conditions, or just plain driver error. Find a way to correct all of these variables, and you have solved the million dollar dilemma. How about a controlled study where robots drive the cars and make the decisions. Take away the human element and see how many events of “sudden acceleration” occur. This will not be a popular conclusion, but it may well be the truth.
  • imidazol97 Crossroads of America: I70 & I75 Posts: 18,376
    >but when they are investigated, most are found to be driver error.

    I'd like to see your documentation for that opinion. Got a link?
  • Very well said mkriley! I was going to make a post stating almost exactly what you have. I personally know 2 people who have had accidents because they pushed the wrong pedal. You can go on to youtube and watch videos of people running into stores because they hit the wrong pedal. When you hit the gas while trying to hit the brake and the car accelerates instead of stopping, even the most intelligent mind spends precious seconds trying to sort out those 2 conflicting inputs before realizing what he is doing. If there are cars close in front of you an accident is very likely. I absolutely agree, these problems will not go away until we remove the human from every aspect of driving a car.
  • mkriley1 Posts: 3
    My own daughter drove through my garage door because she thought she hit the brake but hit the gas instead. Cost me $1500. She was driving a Mazda. Did I sue Mazda? Did I file a complaint with the NHTSA? Either action could have kept me from writing the $1500 check. But my daughter owned up to her error, and I just gave her a hug and paid the bill.
  • elfgrrrl Posts: 1
    I think hackers may have hacked into the electronic systems of these vehicles experiencing difficulties via onstar. Remember that Onstar can help, for example, to start your engine during difficulties, etc.

    So it is logical that the source of the difficulties is that people have somehow hacked Onstar and maliciously unbalanced certain variables with their hacking.
  • a_l_hubcaps Posts: 518
    The discussion about sensors is interesting stuff, but I'm seeing surprisingly little in this thread (or in any of the discussions/news stories about this problem) about software. There's a lot of assumption that as long as the pedal assembly is sending the proper voltages to the computer, there cannot be a problem. Given how rare and intermittent the problems are, it seems a lot more likely to me that it's a software bug that's only triggered under specific circumstances. It may have no relationship at all to the voltage signals coming from the pedal -- it could be something like a buffer overrun triggered by a completely unrelated section of code, that's clobbering data that the computer is using to decide how to move the throttle.

    If there is a "real" problem here at all (that is, separate from the floor mat and sticky mechanism problems already fixed), I don't think it will be found unless we can analyze the software.

    -Andrew L
  • a_l_hubcaps Posts: 518
    Just thought of another question. Does anyone know about the interface between the pedal assembly and the ECM? Is it like the "old days" where the sensor just outputs an analog voltage signal through a wire, and the ECM interprets the signal internally? Or is the pedal assembly a "smart" device, that is itself converting the sensor outputs to digital data and using CAN-BUS or something to send its data to the ECM? If the latter, that opens up possibilities for data from the pedal being somehow interrupted or corrupted in transit to the ECM.

    -Andrew L
  • wwest Posts: 10,706
    "..media and US government have turned this problem into an opportunity to discredit..."

    No, the media may have opened the door, and the US government may have held it open, but the way I see it it was PURELY Toyota/etc that made the decision to walk through that door totally ill-prepared.
  • stever Viva Las Cruces Posts: 41,297
    cold solder joints

    Is there any correlation between using more solder and "whisker" shorts?

    Moderator
    Minivan fan. Feel free to message or email me - stever@edmunds.com.

  • wwest Posts: 10,706
    I believe "whisker" shorts are most often the result of the printed circuit board etching process. Small copper tiny whisker paths that should have been etched away but were not. Sometimes these "paths" are not quite complete until the solder flow process bridges them.
  • plekto Posts: 3,738
    edited March 2010
    This link you provide addresses only mechanical failure of these pedals, but I was under the impression that there were electronic problems identified.
    ***
    The electronics/software act as a final fail-safe should there be a mechanical or electrical problem. As was pointed out previously, unless you *properly* design the feedback system, and/or the software is badly written, you leave yourself open to these sorts of failures.

    Toyota cut corners somewhere by the looks of it and the worst did happen.

    Can this technology work? Probably, if properly implemented with proper fail-safe designs. Is it better than a simple throttle cable? I don't see how, quite honestly. Note - GM as an example again, spent a small fortune on potentiometer failures under warranty, so it's not a very good method either. (though decently safe if it fails) Most modern systems like this in other applications tend to use purely solid-state optical sensors for exactly this reason. They're a bit more expensive, but are amazingly robust and failures are easy to detect. No signal = shut off, signal doesn't vary for x amount of time = off, etc.

    If you have, say, a variable between 0 and 1023(keep it simple of course), no human can possibly maintain a value of 565 for 30 seconds straight. It'll vary a tiny bit. If it doesn't, they're probably asleep or there's a problem with the optical sensor. This isn't much harder than the programming that controls and monitors the mouse on your PC.

    Removing the mechanical part is an obvious step if they want this to work correctly. But I'd still rather have a throttle cable.