It is beyond my comprehension why people - even those that own Toyotas - have such an irrational view of the dangers involved.
I guess it has to do with a difference between: a) someone causing the danger to you, vs: b) causing the danger to yourself, or just natural.
If you don't see why people have a problem with dangerous vehicle defects, then I have to ask if you don't see a problem if other defective products are made? Is it okay with you if drug manufacturers put tainted products on the shelf regularly and don't have to recall them and pay the penalties? What about food manufacturers; can they just forget about safety precautions because they only may poison a few dozen or a few hundred per year?
And if it's okay because only a few people are killed by UA and that's no big deal; then you wouldn't have a problem if a few customers who aren't happy with their UA vehicles drive them thru the dealership window and only kill a few Toyota workers?
Also to be at the press conference is Frank Visconi, a former police officer from Dover, Tenn., who says his 2007 Toyota Tacoma accelerated and crashed in a field in June 2007. He says it was his fifth incident in the vehicle and says his foot was always on the brake. He says when he tried to get the truck fixed, he was told no problem could be found.
"I'm not an electrical engineer, but when you put your foot on the brake, it's not supposed to accelerate," he says.
If you don't see why people have a problem with dangerous vehicle defects, then I have to ask if you don't see a problem if other defective products are made? Is it okay with you if drug manufacturers put tainted products on the shelf regularly and don't have to recall them and pay the penalties? What about food manufacturers; can they just forget about safety precautions because they only may poison a few dozen or a few hundred per year?
No, I said that people's fears are way out of proportion to the risk - thus irrational. In the case of tainted drugs, unless the problem is widespread, I don't let it worry me. It's not like I would have stopped buying Tylenol when Johnson and Johnson had the problem with tainted Tylenol many years ago. And I didn't let 9-11 stop me from taking a long planned vacation that required flying. And I continued to eat hamburgers despite the problems with some of the meat packing houses several years ago.
And if it's okay because only a few people are killed by UA and that's no big deal;
Again, I don't think I said it's not a big deal. Toyota needs to continue to investigate the problem until the root cause is uncovered. But even if you drive one of the affected Toyota, if you're going to worry about something, there are many other things that are far more likely to cause your demise than a UAE will.
No, I said that people's fears are way out of proportion to the risk - thus irrational. In the case of tainted drugs, unless the problem is widespread, I don't let it worry me.
That's fine not to worry. I don't worry either. But that does not mean that Toyota or any other vehicle manufacturer or any other manufacturer of defective products does not have the obligation to remove from the market or fix their products. If Tylenol puts 1 bad bottle of Tylenol out, I want them to recall the entire production run - 1 death is too many. If Toyota or GM builds 1 vehicle that has UA I want them to fix the design. I do not want owners of companies saying "well, we only killed a few people last year".
I don't care whether it's Toyota, GM, Kia, or BMW that has UA. If someone has a vehicle like this ex-cop and has had 5 UA incidents before it crashed, there is something wrong with the electronics of that vehicle.
The electronic control systems of vehicles are a major mistake being made by engineers. Too many critical systems like brakes, engine and transmission are being tied together and controlled by computer chips that are susceptible to lockup, failed sensors, and bad code.
"If you're going to worry about something, there are many other things that are far more likely to cause your demise than a UAE will."
Like..... The actual motorist not in control of the vehicle!
Somebody posted the "Tennessee Tacoma" incident again...
I still fail to see why a cop is supposed to have incredible driving prowess above and beyond a mortal human. Is an automotive engineer a better driver?
In Tom Vanderbilt's book "Traffic", a statistical breakdown showed the best drivers were (drum roll).... Fire fighters! This was followed by airline pilots. I didn't see cops on the list but I think we can conclude they're pretty high up. The worst drivers were Doctors and.... Architects for some strange reason.
So, if your Doctor offers to give you a ride after he performed heart surgery on you, maybe you should politely decline the ride!
"If someone has a vehicle like this ex-cop and has had 5 UA incidents before it crashed, there is something wrong with the electronics of that vehicle."
And shouldn't an "ex-cop" with incredible gifts of driving prowess and judgement also have the cognitive ability to perhaps, think maybe, just maybe he should park the vehicle and call a tow truck? Why did it take all the way up to numero-five, and even then the light bulb still didn't go off!
The electronic control systems of vehicles is a major mistake being made by engineers.
I think that's a bit of hyperbole! Major mistake??? The systems work as intended, even in the case of Toyotas, 99.99999% (did I miss any nines there?) of the time. It will never be 100% - nothing is.
The best that could happen is that Toyota is able to identify, and correct the root cause of the problem (if there really is one), publish their findings so that others can learn from their "mistake", and add another "9" to the reliability number above.
Unfortunately, what will probably happen (as I think was the case with the Audis) is that, under a court agreement, the record will be sealed (Toyota claiming trade secret or some other IP crap), those injured paid, and the knowledge of what really happened lost.
No, what is most likely to happen is that NipponDenso (look behind the curtain) will find the firmware design flaw, "BUG", and then provide a firmware revision, "reflash" industry wide under some mundane "cover".
"Reflash" will fix the HID headlight startup leveling sequence.
Not even Toyota/etc will ever know the true "fix", let alone the dealers.
99.99999% (did I miss any nine's there?) of the time.
No - you have too many, get a calculator. There are hundreds of official NHTSA complaints (so far) out of 8 million vehicles. There are probably thousands of customers who brought vehicles into Toyota dealerships for similar, as they are not automatically sent to the NHTSA and logged.
Like any bell-curve distribution that's a function of time, the problem may become more probable as those vehicles get more miles on them. If the MTBF measured in miles is say 100,000 miles or 150,000 miles, then some of these newer vehicles may just be entering the range of failure-mode.
Very well stated and well thought out, I totally agree...
Except...
NipponDenso, Denso US is the firmware source and Toyota/etc probably doesn't even have access to the source code. The written specifications for any firmware aspects unique to a Toyota/etc product, maybe.
No - you have too many, get a calculator. There are hundreds of official NHTSA complaints (so far) out of 8 million vehicles.
Don't need to use one to get close. I am counting every depression of the accelerator as a chance for a UAE to occur. Say 100 accelerator presses/day, times 365 days/year, times 10 years, times (say) 5 million vehicles (average number of Toyotas over a 10 year period). Assume 1000 UAE incidents. Then that works out to 1 UAE incident in every 1.8 billion chances.
Dr. Gilbert PROVED that the Toyota sensor monitoring firmware routines comparing the two gas pedal hall effect sensors DID NOT WORK, was not functional.
Toyota's own document indicates that the two sensors must be within less than 0.02 volts in order to indicate a fault. According to the document the two sensors should always be different in voltage by at least 0.40 volts.
The analysis of Professor Gilbert's demonstration establishes that he has reengineered and rewired the signals from the accelerator pedal. This rewired circuit is highly unlikely to occur naturally and can only be contrived in a laboratory. There is no evidence to suggest that this highly unlikely scenario has ever occurred in the real world. As shown in the Exponent and Toyota evaluations, with such artificial modifications, similar results can be obtained in other vehicles.
To a knowledgeable person, computer knowledgeable, that would imply only 8 bits of resolution, that, in turn, implies an 8 bit processor.
NOT POSSIBLE.
In order to attribute those 250 brake depressions to the period of the runaway it would also require a time and date "stamp" stored with each brake depression, just extremely unlikely.
FACT: The Toyota/NipponDenso firmware monitoring system continuously checks for gas pedal signal position validity by comparing the two gas pedal position sensor signals. Those signals, by design, should ALWAYS have a nominal voltage displacement of 0.80 volts.
FACT: Dr. Gilbert admitted shorting the two sensor signals together.
FACT: The Toyota/NipponDenso's sensor validity monitoring system DID NOT detect the short.
FACT: Dr. Gilbert then shorted BOTH signals to a 5 volt source.
FACT: The Toyota/NipponDenso firmware monitoring system continuously checks both sensors for out of range, too low or too high, voltages.
FACT: The Voltage Dr. Gilbert applied to both sensors was well outside their normal range yet the firmware validity checking did not detect same.
FACT: The Toyota/Nippondenso system DID NOT set an MIL, on TWO counts, as it clearly should have.
Ask yourself: "Why would Toyota go to all the expense and effort to provide redundant sensing for the gas pedal position, rare as the detectable failures might be, and then not actually execute the design correctly?"
Answer: Toyota is not in charge of its destiny insofar as firmware design is concerned.
What Dr. Gilbert proved, brought to the public eye, is that some extremely poor, sloppy, REALLY sloppy, firmware programming is involved here. Can we, should we, suppose that the entire firmware package is not just as sloppy..??
Does NipponDenso have a good, knowledgeable, firmware design QA team...??
It looks seriously NOT...!!
Example: Toyota changed the 2010 US Prius to rear disc brakes from drum brakes. The firmware revision, already available for other countries, was not made until owners started voicing complaints.
Yes, a direct short between the two sensor signals is highly unlikely. But what about the issue of shorting both sensors to the 5 volt reference source. Not as highly unlikely, that.
On the other hand what if he had just somehow "failed" one of the two sensors..??
Say failed in a way that put one of the two sensor's output voltage at the supply voltage level, or even at ground level. Both fairly common failures of solid state integrated circuits.
What Dr. Gilbert's test did show was that the firmware is so poorly written, SLOPPY, really, that it might not, more likely WOULD NOT, detect even an "expected" failure.
My first wife was 5' 2" tall and weighed 110 lbs. I owned a 1969 "R" code Mach I with well over 500 h.p. after some modifications, and she could steer and stop the car with no power. One thing she was smart enough not to do is lock up the emergency brake to slow the car and stop it. As far as not turning the key off at speed because of steering wheel lock, if you are going in a straight line, they will lock in that position. Turn the key on to the unlock position and stop the car. Other methods to stop or slow the vehicle? Would these methods include hitting other cars, guardrails, trees, ditches, rear ends of semis @120 m.p.h.? I think I'll turn the key off.
I am counting every depression of the accelerator as a chance for a UAE to occur.
Ah I see. Similarly we could say that if we count every revolution of a propeller on every oil-tanker as a chance for a major oil-spill to occur, then we can calculate that 99.99999% of the time oil-tankers are safe. Or if we count neutron-fissions at a nuclear reactor we could conclude that in 10-to-the-50th-power of chances, nuclear reactors never have accidents.
Do you work for Toyota or what? Your piece sounds like a sound-bite off of one of these stupid television news shows - rather simplistic, not too technical, while artfully evading the issues at hand. By the way, your 1973 Dodge sounds like it needed its throttle linkage lubricated - something most people didn't bother with. I have a '76 Dodge Van (318 V8) and the throttle linkage must be lubed twice per year here in Southern CA. I've been in the electronics business for 35 years and I'll tell you what is happening with Toyota - and it's NOT floormats and people getting the brake and gas pedal mixed up. NO. Toyota's problem is EMI / RFI interference affecting the engine's electronic control unit / module (ECU). The ECU processor (computer) is being affected by 'electronic noise' which is putting the ECU computer into an open-loop mode whereby the software cannot control the computer / engine / brake systems. Toyota's problem is two-fold: a) Inadequate ECU filtering throughout the ECU circuitry and, b) engine management software. Toyota also made a huge mistake by not implementing a brake override system when the car accelerates uncontrolled. That oversight alone will bite them in court. Additionally, Toyota's fly-by-wire throttle design is absolutely insane for obvious reasons. Toyota will end up having to completely redesign the ECU electronic system as well as revert back to the tried and true MECHANICAL THROTTLE LINKAGE for safety reasons. In my view, it is INSANE to design a car with software controlled throttle system and brake systems - particularly without a brake override!!! I say this with many years of experience in software / electronic product development. What is more likely happening is the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW Power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear.
It could also be occurring from high-power digital transmission towers or very high power transmission lines switching on/off in the vicinity. At any rate, Toyota MUST greatly improve their vehicles' ECU susceptibility to stray electronic noise AND re-implement MECHANICAL throttle and BRAKE control. Anytime software is being used in automobile control applications, obvious precautions must be taken.
If the problem was the cruise control circuit then Toyota should have done a couple of things - disconnect / deactivate the cruise control circuit entirely and create a software patch that does not generate an error code in the ECU and on the dashboard. This could be done on a sample set of Toyota vehicles for experimentation purposes. But it isn't the cruise circuit, it's the ECU and software.
The problem is that when the Toyota ECU goes into open-loop mode, NO AMOUNT OF SOFTWARE PATCHES will gain control over the computer. Car must be turned OFF and ECU computer rebooted, so to speak. Toyota's problem is EMI / RFI interference and their entire electronics on several models will need to be completely re-designed such that the system is ADEQUATELY FILTERED for EMI / RFI radiated noise. While we're at it, let's revert back to tried and true CABLE ACTUATED THROTTLE and BRAKING systems. Are you listening, Toyota??? Fly-by-wire throttle / braking via software control is an INSANE DESIGN RISK and will be Toyota's demise unless they make design changes. I would never buy one of these cars knowing what I know now and how arrogant Toyota management has demonstrated itself to be. These Toyota people think they're infallible.
Personally I'd settle, and heartily recommend, an independent foolproof/failsafe BTO, Brake/Throttle Override. A BTO that opens the ground return circuit for the EFI/SFI system if the brake lights are on OR there is a significant level of brake fluid pressure AND the "throttle" is not at idle OR the engine RPM is above idle.
Back in 1987 I purchased a new Cavalier, 2.8 V6. At some point after I bought it, a couple of years I guess, the engine would rev up on its own while I was driving. It wouldn't do it all of the time, but you didn't know when it would do it. When it happened I'd just shove it into neutral. Maybe it would go back to idle, maybe not. One day I drove ten miles to work and didn't have to touch the gas pedal. I should say that it wasn't a 'runaway' situation. I think it would do twenty five or thirty miles an hour. In the beginning it was kind of disconcerting trying to stop it, meaning I didn't know if it would stop, so I think how terrifying it must be going ninety in a runaway Toyota. It was out of warranty, so I worked on it myself. I remember changing the TPS, did some other things. Didn't fix it. One day it took off on me again. The ECM was mounted in the top of glove box. For some reason I opened the glove box door and banged the ECM with my hand. The engine immediately went to idle. I hit it again and the engine speed increased and then dropped back to idle. Stupid electronics. I went and bought a rebuilt ECM. The engine never did race-a-rama on its own again. I did open the ECM case, thinking I may spot a loose connection on a circuit board component. Didn't see any problem. I bet the General (Motors) might have been interested in taking a look at it.
I'm an engineer in a manufacturing company. I've been in manufacturing 25 years. We have quite a few automated systems. And guess what, every company has full-time IT and maintenance people to fix and maintain those systems. There are software and hardware problems with them years after they are installed, humans find combinations of operating the equipment that weren't planned for, or acts of nature affect the environment and we get electrical disturbances that cause the CPUs to seize.
I have no doubt that the people who are continuing being asked to update the systems on vehicles do not have errors, mistakes, flaws, and flawed components built into their designs and vehicles.
There are software and hardware problems with them years after they are installed, humans find combinations of operating the equipment that weren't planned for, or acts of nature affect the environment and we get electrical disturbances that cause the CPUs to seize
Exactly, and that's my gut feel for what's happening with Toyota's UAE problems. Some vague, irregular, subtle combination of environment (temperature, humidity, shock, EMC, ...) and usage (accelerator being depressed at the same time the AC kicks on when closing one of the windows...). If it was any one thing, like a voltage fluctuation or even some external interference, the problem would have surfaced long ago and be much more prevalent.
What if no way is ever found to reliably replicate the SUA failure mode..?? That's a distinct possibility given my many years of experience in this "venue". And what if, also, going over the firmware coding with a fine tooth comb by a very knowledgeable team doesn't result in a fix..??
How many DBW systems will then have to be retrofitted with an independent, foolproof, and failsafe BTO....??
In my view, it is INSANE to design a car with software controlled throttle system and brake systems
You realize of course, that most of the jets flying over your head are fly by wire, right?
What is more likely happening is the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW Power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear.
There is EMF all around us, if this were true Toyotas (and other vehicle manufacturers) would be flying all over the place. The fact of the matter is (still), there are millions of these cars on the roads around the world and yet there are only a handful of people experiencing the issues reported here.
I will admit (to currently owning a 2007 Toyota 4Runner V8, which is NOT involved in the recall), that my Toyota will accelerate on its own when the A/C is engaged. I can clearly reproduce this by turning off the A/C, leaving it in drive, setting the parking brake so that the car does not move while at idle, yet still in drive. Take my foot off the brake, turn on the A/C and the car WILL accelerate (albeit not too fast) with the parking brake ON in drive! This shows that the idle up circuit (in my opinion) is over compensating for the A/C (it bumps up the idle about 75-100 RPM in my tests). My point? That there are a lot of things that cause unintended acceleration. If I were not to pay attention and the A/C were to engage, I COULD theoretically accelerate into the car (or whatever) that is in front of me. If you are a light brake pressure kind of person (like me), this can be an issue for you, but it is NOT a flaw. People need to pay attention when they drive.
You realize of course, that most of the jets flying over your head are fly by wire, right?
Comparing a cheap automotive system made for the lowest price possible to an airplane is like comparing a plastic kid's bat to one used by professional baseball players. And that's not counting the redundant systems and maintenance schedule of the airplane, either.
"..Figure 1. A 200 ohm resistor is apparently placed between the output signals of the two pedal position sensors...."
Note the word "apparently"....??!!
I had assumed that the "short" Dr. Gilbert placed across the two sensor signals had just enough resistance, accidental and unintentionally, that a voltage difference greater than the monitoring system was checking for, 0.020 volts (only 20 millivolts), remained between the two signals.
I think that what Exponent is saying here is that in order to replicate Dr. Gilbert's experiment BUT NOT trigger the monitor they had to use a 200 ohm "short" between the two sensors. 200 ohms is well above any accidental or unintentional resistance I would have assumed.
Given that the two sensor output voltages should ALWAYS be displaced by at least 0.80 volts (factory document), using a difference voltage as low as 20 millivolts is unreasonable if one wishes to truly detect short between the two sensors.
Apparently (there's that word again) Exponent assumed a 200 ohm short since that's the resistance they had to use in order to NOT to trigger the firmware monitoring test.
From Exponent, again.
"..To bypass setting the DTC code on the 2007 Camry Exponent slightly modified the parameters of Dr. Gilbert's demonstration...."
"...By carefully engineering the modification.."
Carefully engineering the modification...
Yes, using empirical engineering methods to select a shorting resistance that provided "just enough" signal shorting to still allow a voltage difference above the detection threshold.
In other words the 200 ohm resistor wasn't small enough, low enough in resistance, to "fool" the 2007 Camry's firmware sensor monitoring system, so Exponent chose another value.
First they "ASSUME" Dr. Gilbert used a 200 ohm resistor with absolutely no evidence of that (granted, either way), now they modify their own assumption to fit the new case.
And yes, you can "short" the two signals together with just enough resistance to still remain above the minimum voltage difference detectable by the monitoring firmware. And now, if you wish, provided you carefully select the resistance of the "short", connect the one sensor to the 5 volt reference to create a runaway engine "without" setting a DTC.
Or, if you like, you could short the one sensor to a reference voltage right at the maximum of the normal operating range, the engine would go WOT, but no DTC would be set.
"...Exponent was able to rewire the pedal sensors and achieve engine revving without setting a DTC...."
Yes, so could anyone, by empirically selecting the shorting resistance.
And finally:
"...Exponent also evaluated how vehicles made by other manufacturers would respond to the same rewiring that Dr. Gilbert showed in his demonstration. Every vehicle from other manufacturers tested by Exponent could be induced to respond with a sudden increase in engine speed and power output, although the parameters of the rewiring changed slightly from vehicle to vehicle. These demonstrations in no way indicate a defect with any of the vehicles tested (including the Toyota and Camry)..."
...although the parameters of the rewiring changed slightly...
NO SHxx, SHINOLA..!!
....no way indicate a defect with any of the vehicles...
Avoiding a public REBUTTAL by other manufacturers, "this".
But I still find myself puzzled that this worked, so far...
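The two points argued above (the 0.80 V designed offset against a 0.02 V fault threshold, and Exponent's 200 ohm "short" that leaves just enough difference to stay undetected) are easier to see in a small model. This is an added illustration, not code from the thread or from any manufacturer; the sensor source resistance, supply rail, idle/WOT voltages and plausible range are assumed values, and only the 0.80 V offset and 0.02 V threshold come from the posts.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of a dual-output accelerator pedal and the plausibility
 * check the thread argues about. Figures taken from the thread: the two
 * outputs should sit 0.80 V apart by design, and the weak check only flags a
 * fault when they come within 0.02 V of each other. Everything else (supply
 * rail, source resistance, idle/WOT voltages, plausible range) is an assumed
 * value for illustration, not from any manufacturer document. */

#define V_REF         5.0     /* assumed sensor supply rail */
#define V_OFFSET      0.80    /* designed v2 - v1 offset (thread) */
#define R_OUT_OHMS    1000.0  /* assumed source resistance of each output */
#define THRESH_WEAK   0.02    /* fault only if |v2 - v1| < 0.02 V (thread) */
#define THRESH_ROBUST (V_OFFSET / 2.0) /* fault once more than half the offset is lost */
#define V_MIN         0.30    /* assumed plausible output window */
#define V_MAX         4.70

typedef struct { double v1, v2; } pedal_t;

typedef enum { PEDAL_OK, PEDAL_FAULT_RANGE, PEDAL_FAULT_DIFF } pedal_status_t;

static double vabs(double x) { return x < 0 ? -x : x; }

/* Healthy sensors for pedal travel p in [0,1]: two parallel ramps 0.80 V apart. */
pedal_t pedal_ideal(double p) {
    pedal_t s;
    s.v1 = 0.8 + 2.4 * p;        /* assumed 0.8 V at idle .. 3.2 V at WOT */
    s.v2 = s.v1 + V_OFFSET;
    return s;
}

/* A resistor r_short bridging the two outputs. Each output is modelled as an
 * ideal source behind R_OUT_OHMS, so the residual difference becomes
 * (v2 - v1) * r_short / (2*R_OUT + r_short). r_short = 0 is a dead short. */
pedal_t pedal_bridge(pedal_t s, double r_short) {
    double i = (s.v2 - s.v1) / (2.0 * R_OUT_OHMS + r_short);
    pedal_t b;
    b.v1 = s.v1 + i * R_OUT_OHMS;
    b.v2 = s.v2 - i * R_OUT_OHMS;
    return b;
}

/* Plausibility check: range test on each output first, then the difference
 * test with the given threshold. */
pedal_status_t pedal_check(pedal_t s, double diff_thresh) {
    if (s.v1 < V_MIN || s.v1 > V_MAX || s.v2 < V_MIN || s.v2 > V_MAX)
        return PEDAL_FAULT_RANGE;
    if (vabs(s.v2 - s.v1) < diff_thresh)
        return PEDAL_FAULT_DIFF;
    return PEDAL_OK;
}

int main(void) {
    pedal_t idle    = pedal_ideal(0.0);
    pedal_t bridged = pedal_bridge(idle, 200.0);  /* the 200 ohm case */
    pedal_t dead    = pedal_bridge(idle, 0.0);    /* dead short */
    pedal_t rail    = idle;
    rail.v2 = V_REF;                              /* one output stuck at the rail */

    printf("200 ohm bridge: diff=%.3f V  weak=%d  robust=%d\n",
           bridged.v2 - bridged.v1,
           pedal_check(bridged, THRESH_WEAK), pedal_check(bridged, THRESH_ROBUST));
    printf("dead short:     weak=%d\n", pedal_check(dead, THRESH_WEAK));
    printf("rail short:     weak=%d\n", pedal_check(rail, THRESH_WEAK));
    return 0;
}
```

With the assumed 1 k source resistance the 200 ohm bridge leaves about 73 mV between the outputs: above the 20 mV threshold, so the weak check passes it, while a threshold tied to the designed offset (here half of 0.80 V) flags it.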
In my view, it is INSANE to design a car with software controlled throttle system and brake systems
You realize of course, that most of the jets flying over your head are fly by wire, right?
Of course I realize that. In a $250 million dollar 747-400 for instance, there is the best of everything electronic - i.e., sufficient electronic shielding protection, redundant systems and so on. Also, at 35,000 feet there is substantially more time to react in an emergency unlike on the road.
What is more likely happening is the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW Power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear.
There is EMF all around us, if this were true Toyotas (and other vehicle manufacturers) would be flying all over the place. The fact of the matter is (still), there are millions of these cars on the roads around the world and yet there are only a handful of people experiencing the issues reported here.
NOT TRUE, Other vehicle manufacturers are obviously using superior EMI/RFI filtering techniques throughout and not being affected by the unintended acceleration problem. You assert in your previous post that these Toyota owners are confusing the gas pedal with the brake pedal and that the carpet is also part of your equation. If that were all true, then using your logic, don't you think there would be a number of other non-Toyota vehicles crashing from out-of-control acceleration killing people and gathering attention??? Connect the dots. This is an electronic problem UNIQUE to Toyota and not a dyslexia (left-right pedal) problem. You must be on the Toyota payroll because you seem to be disregarding several important factors. Not everyone is born an engineer.
What is more likely happening is the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW Power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear
I don't think it's more likely than any of the other hypotheses that have been advanced.
For instance, do you know the radiated spectrum of an arc welder? Do you know where ECUs are located in Toyotas and other manufacturers' vehicles? Do you know the shielding effectiveness of the car body, at the frequencies an arc welder's spark emits, and what the strength of the radiated emissions is? Do you know the susceptibility of the circuits to disruption? Do you know if the ECU and associated interface circuits were subjected to any sort of Electromagnetic Compatibility (EMC) testing? How about the vehicle as a whole? These are all questions that need to be addressed to be able to assess whether radiated susceptibility of the ECU may be part of the problem or not.
NOT TRUE, Other vehicle manufacturers are obviously using superior EMI/RFI filtering techniques throughout and not being affected by the unintended acceleration problem
Obviously??? Do you know what the other vehicle manufacturers use, or are you just speculating, based on your guess that it's an arc welder (or some other source of radiated emissions) that's causing the problem?
I wouldn't go with "PROVED." More like "created a false scenario." FACT: the test he (Dr. Gilbert) ran cannot occur in real life.
Whose word are you taking on that? Toyota's? If nothing else, Dr. Gilbert proved that the throttle redundancy system is poorly designed. The sensor output voltages should NOT run in parallel, thus allowing a short to remain undetected. As he stated, they should have differing slopes (as some other carmakers' designs do) so that eventually, shorted sensors would come out of spec.
I'm finding it hard to believe that the scenario is 'false'. The leads to the sensors and power supply are mere millimeters (or less) apart at both the accelerator and at the CPU. I think a short could easily happen if the leads were chafing.
Being a survivor of 6 SUA incidents in a 2000 Lexus LS400 I personally know that Toyota has a Sudden Unintended Acceleration (SUA) electronic throttle failure problem. There may be several other causes for SUA's, but among them has to be the throttle failure. When confronted, Toyota's response has been that they have never found any evidence of an electronic failure so it must be the driver's fault.
The above SUA experiences prove to me that Toyota has not yet been able to capture the failure event with their diagnostics. Hence, they can’t solve a problem they haven’t seen.
Further, I have compiled a few complaint statistics that substantiate my contention of a throttle failure problem. The first example comes from a Lexus LS400 owned by two individuals. The original owner, Peter Boddaert, had 3 episodes in the car resulting in him trading it in. The second owner, Mark Pinnock, also subsequently experienced 3 incidents, with the same car, resulting in his decision to discontinue driving it. This fact, coupled with my own experience, substantiates that Toyota has an electronic throttle problem.
In a second bizarre example: A driver began to experience an SUA event with his Avalon but was able to reach a dealer where, with the gear in neutral, the engine continued to operate at full throttle. The dealer tech verified that the floor mat was removed but was unable to stop the wide open throttle and was forced to shut the vehicle off. The same car brought in to the dealer, for a previous incident, revealed no problems when diagnostics were run on the computer. The dealer eventually offered to replace the throttle body, accelerator pedal and associated sensors free of charge to the driver after the second incident. An interesting solution for a problem Toyota claims doesn’t exist.
NHTSA never pursued the requests for investigation.
How Toyota can continue to claim they have no problem with the electronic throttle is inexcusable. The above examples clearly show that they, “indeed”, have a problem.
What the Symptoms Tell Us
My 6 SUA incidents with a 2000 Lexus LS400 occurred between 2004 and 2006. The symptoms were: starting from a stop with my foot on the brake, as I removed my foot but before getting to the accelerator, the car jumped to what felt like full-throttle. Since, before releasing the brake, the engine was idling normally, it suggests the accelerator position sensors were delivering the proper signal to the Electronic Control Module (ECM). After releasing the brake, the engine went to full throttle and tried to leap forward causing me to put both feet on the brake. Reviewing the event it was clear to me that the ECM CPUs were no longer responding to the accelerator which I hadn't touched after releasing the brake. At that time the position sensors should have been sending an idle message to the CPU. It appears that when I released the brake an unknown signal was sent to the CPU causing it to "latch up" or freeze (in a full-throttle state). With both feet on the brake, pushing as hard as I could, the car leapt forward 3 times, moving about 1 foot each time before I was able to shift to neutral. Luckily, going to neutral apparently unfroze the CPU and stopped the car just before hitting whatever was in front of me. The incidents each took only about 3-4 seconds. Once in neutral the car again came to an idle where I believe the unfrozen CPU again was able to respond to the accelerator sensors that were still in the idle position.
I would speculate that because the ECM CPU was frozen, it could not accept inputs from the sensors and was unable either to sense or to log the problem even if any sensor messages were trying to be sent. Hence, the diagnostics showed "No trouble found."
It would seem that the only way this issue could be overcome would be to provide a simple redundant system, immune to the freeze conditions, outside the electronic throttle system that had become disabled when frozen. Its function would be to constantly interrogate the electronic throttle system to sense when it enters a frozen state. When sensed, it should force the electronic throttle system to release control of its function, set the throttle to an idle position, and reinitialize the system. Once it had determined that the system was working properly, it would re-enable the throttle system to again exert control. This, however, may be easier said than done.
When our home computers freeze, we are forced to reboot. When this happens in a fighter plane, I understand that there is an emergency button that can be pressed to allow manual control until the fly-by-wire system can be reengaged. Perhaps the equivalent for this problem is the brake-override solution. But a concern among safety experts is that the brake-override software, which has been described as a final solution to the problem of unintended acceleration (SUA), may cause more problems by adding a new layer of software to the system. "These fixes are not dealing with the root causes of the problem," said Sean Kane, president of Safety Research and Strategies Inc. Besides, if the brake override solution relies on the CPU that gets frozen, what assurance is there that it will work? There must be a redundancy where the monitoring system is not dependent on the CPU running the electronic throttle system.
In trying to troubleshoot the electronic throttle it should be possible to cycle the logic inputs for the throttle system through all possible state combinations to see if a frozen open throttle could be invoked at a particular input combination. If that condition could be replicated it would then be possible to work toward a solution. I don’t know if this would work for a potential software bug. Ideally this should be done on the throttle system of a known SUA offender. Since the SUA events have occurred over virtually all of the automobile industry, the heart of the problem appears to be the CPU used by the ECM. Design differences by different manufacturers would make the throttle more or less sensitive to triggering an SUA event. The evidence sits in all of our homes in the form of a home computer. Who hasn’t experienced a frozen system?
A Statistical Problem
The SUA events rarely occur, being maybe only 0.005% or less of the Toyota population. Because it is so rare, it is equally difficult to make sure that when an SUA happens, you can capture the fact that it did. The above explanation is the only one I can think of that agrees with the SUA symptoms. Even when a car having the problem is evaluated it would be very difficult to find the exact failure mode that causes the runaway full throttle. In a normal production car I don’t think you would have a prayer.
I think Toyota is between a rock and a hard place. They know they have a problem, they don’t know the cause, can’t duplicate it and they can’t admit it. If they did they would immedia
You brought up some good points, until you got to the part about:
In trying to troubleshoot the electronic throttle it should be possible to cycle the logic inputs for the throttle system through all possible state combinations to see if a frozen open throttle could be invoked at a particular input combination.
That's where the difficulty (impossibility) is. Just for talking purposes, assume the ECU has 8 inputs it uses, and that each of those inputs can take on 256 different values. The number of test cases that would have to run to fulfill your desire is 256x255x254x253x252x251x250x249, which is 1.65x10^19 cases. Even running one test case every microsecond would take you over 523,000 years to run through all the cases.
But it's worse than that, because you would also have to test the various orders in which the inputs may change.
See the intractability of the problem? You cannot ever verify that a system, except for perhaps a very simplistic one, is correct by testing it. Sure, the more tests you run the higher your confidence factor that you've uncovered all the bugs. But you can never get to 100% by testing.
That's why a lot of analysis and understanding of the system is needed, so that you can choose test cases that stress the system; so that you test the system at the "corner cases" where you might expect it to break, if it's going to.
I think Toyota is between a rock and a hard place. They know they have a problem, they don’t know the cause, can’t duplicate it and they can’t admit it. If they did they would immediately
When confronted, Toyota’s response has been that they have never found any evidence of an electronic failure so it must be the drivers fault.
The above SUA experiences prove to me that Toyota has not yet been able to capture the failure event with their diagnostics. Hence, they can’t solve a problem they haven’t seen.
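As an added example, not part of the post above and not Toyota's or Denso's code, here is the redundant monitor the poster describes, written as a small C simulation. The ECM is modelled as a loop that publishes a heartbeat counter and a throttle command, and a "freeze" latches both; a separate monitor reads only that shared state, has its own view of the pedal, and owns the throttle enable and ECM reset lines. The heartbeat timeout of 3 ticks, the 10 % plausibility margin and the freeze model are assumptions for the simulation, not figures from any vehicle.

```c
/* Added example (not Toyota/Denso code): an independent throttle monitor of
 * the kind the post asks for.  The ECM is simulated as a loop that publishes
 * a heartbeat counter and a throttle command; a "freeze" latches both.  The
 * monitor only reads that state and owns the throttle enable line, so it keeps
 * working when the ECM does not.  All numbers are assumptions for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define THROTTLE_IDLE       0u
#define THROTTLE_WOT      100u
#define HEARTBEAT_TIMEOUT   3u   /* monitor ticks without a new heartbeat */
#define PLAUSIBLE_MARGIN   10u   /* throttle may lead the pedal by this much */

struct ecm_state {
    uint32_t heartbeat;      /* advances every ECM cycle while it is alive */
    uint8_t  throttle_cmd;   /* 0..100 %, what the ECM is commanding */
    bool     frozen;         /* simulation knob: CPU latched up */
};

struct monitor {
    uint32_t last_heartbeat;
    uint32_t stale_ticks;
    uint32_t resets;         /* number of forced ECM reinitialisations */
};

/* One ECM cycle: track the pedal unless frozen, in which case the outputs
 * simply keep whatever value they last had. */
static void ecm_step(struct ecm_state *e, uint8_t pedal_pct)
{
    if (e->frozen)
        return;
    e->heartbeat++;
    e->throttle_cmd = pedal_pct;
}

/* Monitor tick.  Two independent tests, either of which forces idle:
 *  1. liveness: the heartbeat must advance within HEARTBEAT_TIMEOUT ticks;
 *  2. plausibility: the throttle may not exceed the pedal by more than
 *     PLAUSIBLE_MARGIN (the monitor reads the pedal itself).
 * Returns true if it had to intervene. */
static bool monitor_step(struct monitor *m, struct ecm_state *e, uint8_t pedal_pct)
{
    bool stale = false;

    if (e->heartbeat == m->last_heartbeat) {
        if (++m->stale_ticks >= HEARTBEAT_TIMEOUT)
            stale = true;
    } else {
        m->last_heartbeat = e->heartbeat;
        m->stale_ticks = 0;
    }
    bool implausible = e->throttle_cmd > pedal_pct + PLAUSIBLE_MARGIN;

    if (!stale && !implausible)
        return false;

    /* Safe state first (idle), then reinitialise the ECM.  In hardware the
     * monitor would drive the actuator enable and the ECM reset line. */
    e->throttle_cmd = THROTTLE_IDLE;
    e->frozen = false;
    m->last_heartbeat = e->heartbeat;
    m->stale_ticks = 0;
    m->resets++;
    return true;
}

struct result {
    int      intervened_at;  /* first tick the monitor acted, -1 if never */
    uint8_t  throttle_after; /* throttle command at the end of the run */
    uint32_t resets;
};

/* Constructed scenario: the ECM freezes at tick `freeze_at` with its throttle
 * output latched at `latched_pct` while the driver holds `pedal_pct`. */
static struct result run_scenario(int freeze_at, int ticks, uint8_t pedal_pct, uint8_t latched_pct)
{
    struct ecm_state e = { 0, THROTTLE_IDLE, false };
    struct monitor m = { 0, 0, 0 };
    struct result r = { -1, THROTTLE_IDLE, 0 };

    for (int t = 0; t < ticks; t++) {
        if (t == freeze_at) {
            e.frozen = true;
            e.throttle_cmd = latched_pct;
        }
        ecm_step(&e, pedal_pct);
        if (monitor_step(&m, &e, pedal_pct) && r.intervened_at < 0)
            r.intervened_at = t;
    }
    r.throttle_after = e.throttle_cmd;
    r.resets = m.resets;
    return r;
}

int main(void)
{
    /* Foot off the pedal, ECM latches wide open: plausibility catches it at once. */
    struct result a = run_scenario(5, 20, 0, THROTTLE_WOT);
    /* Steady 30 % pedal, ECM freezes holding 30 %: only the liveness check sees it. */
    struct result b = run_scenario(5, 20, 30, 30);
    printf("latched WOT: intervened at tick %d, throttle now %u%%, resets %u\n",
           a.intervened_at, (unsigned)a.throttle_after, (unsigned)a.resets);
    printf("frozen at pedal: intervened at tick %d, throttle now %u%%, resets %u\n",
           b.intervened_at, (unsigned)b.throttle_after, (unsigned)b.resets);
    return 0;
}
```

The poster's objection to a brake override that runs on the same CPU applies here too: monitor_step is only worth anything if it runs on hardware the ECM cannot take down with it (its own MCU, clock and supply) and if it owns the actuator enable line rather than asking the ECM to go to idle. The plausibility test catches a latch-up at wide open on the very tick it happens; a freeze that happens to hold a sane throttle value is caught only by the heartbeat timeout, so that timeout sets the worst-case exposure.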
They surely have and know what causes it. But if they admit to anything at all, they are wide open to 44 and counting negligent homicide charges. They'll deny this until the day they are brought in kicking and screaming as a result of the potential cost of that many cases and a very hostile public.
Of course, if they were using the proper *type* of sensor instead of a hall effect design, there would have been no way for this sort of scenario to happen - or at least not be instantly detected. GM, as an example, doesn't use this type of setup and at worst their cars detect it and shut down and/or go into "limp home" mode.
Quite some number of years ago my company was "forced" to move out of a business complex after being there for twenty years. The complex owner rented a nearby business space to a company making thermocouples. That process involves a certain type of arc-welding and we soon found that our microprocessor based Mitel phone system was going bonkers on a regular basis. Those events led us to discover that our own computer manufacturing process was being compromised in the same way.
At first the new business owner was cooperative and working together we grounded and added shielding to the machines responsible.
But in the end we were forced to move because the complex owner just simply would not believe the causative factors.
The Toyota gas pedal position sensors, and the throttle position sensors do have differing/displaced voltage slopes, always 0.6 to 0.8 volts different in the normal operating range.
That's why Dr. Gilbert's discovery is so very important. The Toyota/NipponDenso firmware sensor monitoring system continually checks that the two sensors, gas and throttle, have a voltage difference. A P2138 code is set if they are not and the system goes into "limp home" mode. The most obvious problem is that the voltage "threshold" Toyota/NipponDenso uses is only 0.02 volts.
The firmware also continuously checks to verify that neither sensor's voltage output is outside the normal operating range. The 5 volts Dr. Gilbert applied to simulate the runaway condition was quite clearly outside that range, yet no code was set.
And yet if the system didn't use that type of sensor, there would be no need for a redundant system in the first place. That's the real underlying issue here. Unless the whole thing is designed to be bulletproof and done correctly, you run the very real likelihood of having a critical failure that results in a worst case scenario.
Toyota didn't design it correctly and instead of being a part to replace, it's causing deaths. That's the ultimate mode of failure in automotive engineering. No matter how wonderful a new technology is, if it's causing deaths, you walk away and don't use it again. Not only from a legal and liability standpoint, but from a marketing one as well (I'm not adding common sense here, since nobody seems to design with that in mind).
We're very much in agreement, but I particularly liked, and will expound on:
Unless the whole thing is designed to be bulletproof and done correctly, you run the very real likelihood of having a critical failure that results in a worst case scenario
And the more complicated a system gets the more likely it is to be flawed, to have pieces developed by different groups and individuals that then need to be integrated together, have more parts, and have more code. In the end you have more combinations of things that need to be checked in various situations. You have more components that can be sub-par quality (from the low cost bidder in China?). And it snowballs on and on.
And what's the purpose of this grand system of electronics and software? To replace what used to be a rubber pedal and a rod connected to a carburetor. Oh, I forgot, we're supposed to "oh and ah" at the great electrical engineers who design a car that parks itself. No thanks.
Maybe engineers should use their skills to make excellent, simple machines rather than so-so complex machines. Quality should be the goal, not complexity. Give me roads and structures like the Romans, Greeks, and Egyptians built, not like our modern sports stadiums that might last 40-80 years. Give me a vehicle that I can stick my head under the hood of and understand how everything works. I guess that's a pro of building a kit car.
#457 of 463 Potential Explanation for Sudden Unintended Accelerations by bnet Mar 26, 2010 (7:35 am)
This is why the computer registers may have the wrong information stored.
The Toyota statement that the lady did not press on the brake at all, when it had UA, could be very misleading. Assume the computer is the problem. The CPU could have been in a mode that did not register the correct output codes. You cannot make a statement based on the assumption that the computer is never wrong, just because every time you test the CPU the results show it is running correctly - at that time!
Therefore Toyota is assuming that the woman did not press on the brake to stop - and only pressed on the gas - because the computer chip records say so. Let's now shift the blame to her and away from the PR mess.
Don't assume the computer is correct every time, because you have no other explanation for the occurrence and can't duplicate the problem. There is something very wrong here! It may be in the electronic chips being used.
There is more PR work going on at Toyota than Fault Fact Finding.
Maybe engineers should use their skills to make excellent, simple machines rather than so-so complex machines. Quality should be the goal, not complexity.
Interesting thought. But, the reality is that most people do not want or will not buy simple devices, even if they are more reliable. Consumers seem to want all the bells and whistles. How many people do you know that still have 40+ year old Western Electric rotary dial phones? How many people do you know that buy the most basic cell phone, the kind that only (gasp!) makes calls? How many buy manual transmission cars with hand operated windows?
The issue with "quality" is that it's not apparent in a product like the bells and whistles are. You can see all the fancy doo-dads and features of a new cell phone the first time you turn it on. Whether or not it has better quality will not be known for years.
That's where the difficulty (impossibility) is. Just for talking purposes, assume the ECU has 8 inputs it uses, and that each of those inputs can take on 256 different values. The number of test cases that would have to run to fulfill your desire is 256x255x254x253x252x251x250x249, which is 1.65x10^19 cases. Even running one test case every microsecond would take you over 523,000 years to run through all the cases
You may be right in the above but I think that knowing nothing about the system electronics makes it difficult to speculate. One thought would be if one could get a system diagram it might be possible to see the circuit input conditions and logic that would enable full throttle. It might narrow down the options.
See the intractability of the problem? You cannot ever verify that a system, except for perhaps a very simplistic one, is correct by testing it. Sure, the more tests you run the higher your confidence factor that you've uncovered all the bugs. But you can never get to 100% by testing.
I'm very familiar with the intractability and I agree with you. I spent close to 30 years trying to improve bit error rates of disk drive and drum systems. We had to contend with conducted noise, radiated noise, radar noise, arc welder noise, etc. When you start looking for intermittent noise sources there is an infinite variety of possible noise sources. However, in that environment one, at least, knew when an error occurred. By Toyota's admission, their diagnostics have never told them that an SUA had occurred. Until their diagnostics tell them different they will continue to blame the driver.
But, the reality is that most people do not want or will not buy simple devices, even if they are more reliable.
Yes, surely the public wants a complex electronic system to override the errant ECU system. Why would electrical and computer engineers want a simple backup fail-safe system to shut down the engine - like a valve to close in the fuel line? God forbid that someone puts a spring-loaded valve in the fuel line that snaps shut when the driver hits a "shutdown" button. That would be too simple and there are no relays, circuits, network interfaces and such to design. God forbid that one of the engineers remembers that in order for the engine to run it needs a spark from the battery. It would be too simple of a backup system to have a way to cut the wire between the battery and the distribution module to the spark plugs.
They need one more output from the accelerator pedal to tell the computer that the pedal has physically traveled away from the idle position. Programmers can then use this signal for additional safety routines, like validating a throttle position, i.e. there can't be a request for full throttle if the pedal has not moved. Right? The 2 hall-effect sensors and related subsystems can no longer conspire to trick the computer into going to a false 'full throttle'.
A simple reed-switch and a magnet will do.
I googled for info on early days of throttle by wire. They did use 'validation' switch in case the less reliable potentiometers fail.
The physical position of the accelerator pedal very likely has absolutely NOTHING to do with SUA. More likely the engine/transaxle control computer is stuck in a tight instruction execution loop, continuously executing the cruise control "accel" function.
In the normal case an application of the brakes would automatically disable any of the CC modes. But in this case the sub-routine that does that disabling doesn't "know", cannot "discover", that the "accel" function is continuously active.
Comments
http://www.usatoday.com/money/autos/2010-03-23-toyota23_ST_N.htm
Also to be at the press conference is Frank Visconi, a former police officer from Dover, Tenn., who says his 2007 Toyota Tacoma accelerated and crashed in a field in June 2007. He says it was his fifth incident in the vehicle and says his foot was always on the brake. He says when he tried to get the truck fixed, he was told no problem could be found.
"I'm not an electrical engineer, but when you put your foot on the brake, it's not supposed to accelerate," he says.
No, I said that people's fears are way out of proportion to the risk - thus irrational. In the case of tainted drugs, unless the problem is widespread, I don't let it worry me. It's not like I would have stopped buying Tylenol when Johnson and Johnson had the problem with tainted Tylenol many years ago. And I didn't let 9-11 stop me from taking a long planned vacation that required flying. And I continued to eat hamburgers despite the problems with some of the meat packing houses several years ago.
And if its okay because only a few people are killed by UA and that's no big deal;
Again, I don't think I said it's not a big deal. Toyota needs to continue to investigate the problem until the root cause is uncovered. But even if you drive one of the affected Toyotas, if you're going to worry about something, there are many other things that are far more likely to cause your demise than a UAE will.
http://www.signonsandiego.com/news/2010/mar/21/man-run-over-san-diego-costco-parking-lot
http://www.myfoxboston.com/dpp/news/local/car-slams-through-peabody-business-hurt-4-20100317
That's fine not to worry. I don't worry either. But that does not mean that Toyota or any other vehicle manufacturer or any other manufacturer of defective products does not have the obligation to remove from the market or fix their products. if Tylenol puts 1 bad bottle of Tylenol out, I want them to recall the entire production run - 1 death is too many. If Toyota or GM builds 1 vehicle that has UA I want them to fix the design. I do not want owners of companies saying 'well we only killed a few people last year".
The electronic control systems of vehicles are a major mistake being made by engineers. Too many critical systems like brakes, engine and transmission are being tied together and controlled by computer chips that are susceptible to lockup, failed sensors, and bad code.
Like..... The actual motorist not in control of the vehicle!
Somebody posted the "Tennessee Tacoma" incident again...
I still fail to see why a cop is supposed to have incredible driving prowess above and beyond a mortal human. Is an automotive engineer a better driver?
In Tom Vanderbilt's book "Traffic", a statistical breakdown showed the best drivers were (drum roll).... Fire fighters! This was followed by airline pilots. I didn't see cops on the list but I think we can conclude they're pretty high up. The worst drivers were Doctors and.... Architects for some strange reason.
So, if your Doctor offers to give you a ride after he performed heart surgery on you, maybe you should politely decline the ride!
And shouldn't an "ex-cop" with incredible gifts of driving prowess and judgement also have the cognitive ability to perhaps, think maybe, just maybe he should park the vehicle and call a tow truck? Why did it take all the way up to numero-five, and even then the light bulb still didn't go off!
I think that's a bit of hyperbole! Major mistake??? The systems work as intended, even in the case of Toyotas, 99.99999% (did I miss any nine's there?) of the time. It will never be 100% - nothing is.
The best that could happen is that Toyota is able to identify and correct the root cause of the problem (if there really is one), publish their findings so that others can learn from their "mistake", and add another "9" to the reliability number above.
Unfortunately, what will probably happen (as I think was the case with the Audis) is that, under a court agreement, the record will be sealed (Toyota claiming trade secret or some other IP crap), those injured paid, and the knowledge of what really happened lost.
"Reflash" will fix the HID headlight startup leveling sequence.
Not even Toyota/etc will ever know the true "fix", let alone the dealers.
Wow...
That was also my first "computer" experience, ~1968. One of those Univac drum memory computer systems on a precision measuring machine at Boeing.
No - you have too many, get a calculator. There are hundreds of official NHTSA complaints (so far) out of 8 million vehicles. There are probably thousands of customers who brought vehicles into Toyota dealerships for similar, as they are not automatically sent to the NHTSA and logged.
Like any bell-curve distribution that's a function of time, the problem may become more probable as those vehicles get more miles on them. If the MTBF measured in miles is say 100,000 miles or 150,000 miles, then some of these newer vehicles may just be entering the range of failure-mode.
Except...
NipponDenso, Denso US is the firmware source and Toyota/etc probably doesn't even have access to the source code. The written specifications for any firmware aspects unique to a Toyota/etc product, maybe.
Don't need to use one to get close. I am counting every depression of the accelerator as a chance for a UAE to occur. Say 100 accelerator presses/day, times 365 days/year, times 10 years, times (say) 5 million vehicles (average number of Toyotas over a 10 year period). Assume 1000 UAE incidents. Then that works out to 1 UAE incident in every 1.8 billion chances.
Like I said, I left out some 9's.
Toyota's own document indicates that the two sensors must be within less than 0.02 volts in order to indicate a fault. According to the document the two sensors should always be different in voltage by at least 0.40 volts.
Idiots.
Not so fast, Dr. Feelbad
The analysis of Professor Gilbert's demonstration establishes that he has reengineered and rewired the signals from the accelerator pedal. This rewired circuit is highly unlikely to occur naturally and can only be contrived in a laboratory. There is no evidence to suggest that this highly unlikely scenario has ever occurred in the real world. As shown in the Exponent and Toyota evaluations, with such artificial modifications, similar results can be obtained in other vehicles.
To a knowledgeable person, computer knowledgeable, that would imply only 8 bits of resolution, which, in turn, implies an 8 bit processor.
NOT POSSIBLE.
In order to attribute those 250 brake depressions to the period of the runaway it would also require a time and date "stamp" stored with each brake depression, just extremely unlikely.
FACT: Dr. Gilbert admitted shorting the two sensor signals together.
FACT: The Toyota/NipponDenso's sensor validity monitoring system DID NOT detect the short.
FACT: Dr. Gilbert then shorted BOTH signals to a 5 volt source.
FACT: The Toyota/NipponDenso firmware monitoring system continuously checks both sensors for out of range, too low or too high, voltages.
FACT: The Voltage Dr. Gilbert applied to both sensors was well outside their normal range yet the firmware validity checking did not detect same.
FACT: The Toyota/Nippondenso system DID NOT set an MIL, on TWO counts, as it clearly should have.
Ask yourself: "Why would Toyota go to all the expense and effort to provide redundant sensing for the gas pedal position, rare as the detectable failures might be, and then not actually execute the design correctly?"
Answer: Toyota is not in charge of its destiny insofar as firmware design is concerned.
What Dr. Gilbert proved, brought to the public eye, is that some extremely poor, sloppy, REALLY sloppy, firmware programming is involved here. Can we, should we, suppose that the entire firmware package is not just as sloppy..??
Does NipponDenso have a good, knowledgeable, firmware design QA team...??
It looks seriously NOT...!!
Example: Toyota changed the 2010 US Prius to rear disc brakes from drum brakes. The firmware revision, already available for other countries, was not made until owners started voicing complaints.
"Is this real life?"
Is highly unlikely to occur, but...
Yes, a direct short between the two sensor signals is highly unlikely. But what about the issue of shorting both sensors to the 5 volt reference source. Not as highly unlikely, that.
On the other hand what if he had just somehow "failed" one of the two sensors..??
Say failed in a way that put one of the two sensor's output voltage at the supply voltage level, or even at ground level. Both fairly common failures of solid state integrated circuits.
What Dr. Gilbert's test did show was that the firmware is so poorly written, SLOPPY, really, that it might not, more likely WOULD NOT, detect even an "expected" failure.
Anything can be made to fail given the right circumstances.
Ah I see. Similarly we could say that if we count every revolution of a propeller on every oil-tanker as a chance for a major oil-spill to occur, then we can calculate that 99.99999% of the time oil-tankers are safe. Or if we count neutron-fissions at a nuclear reactor we could conclude that in 10-to-the-50th-power of chances, nuclear reactors never have accidents.
The problem is that when the Toyota ECU goes into open-loop mode, NO AMOUNT OF SOFTWARE PATCHES will gain control over the computer. Car must be turned OFF and ECU computer rebooted, so to speak. Toyota's problem is EMI / RFI interference and their entire electronics on several models will need to be completely re-designed such that the system is ADEQUATELY FILTERED for EMI / RFI radiated noise. While we're at it, lets revert back to tried and true CABLE ACTUATED THROTTLE and BRAKING systems. Are you listening, Toyota??? Fly-by-wire throttle / braking via software control is an INSANE DESIGN RISK and will be Toyota's demise unless they make design changes. I would never buy one of these cars knowing what I know now and how arrogant Toyota management has demonstrated itself to be. These Toyota people think they're infallible.
I should say that it wasn't a 'runaway' situation. I think it would do twenty five or thirty miles an hour. In the beginning it was kind of disconcerting trying to stop it, meaning I didn't know if it would stop, so I think how terrifying it must be going ninety in a runaway Toyota.
It was out of warranty, so I worked on it myself. I remember changing the TPS, did some other things. Didn't fix it. One day it took off on me again. The ECM was mounted in the top of the glove box. For some reason I opened the glove box door and banged the ECM with my hand. The engine immediately went to idle. I hit it again and the engine speed increased and then dropped back to idle. Stupid electronics.
I went and bought a rebuilt ECM. The engine never did race-a-rama on its own again. I did open the ECM case, thinking I may spot a loose connection on a circuit board component. Didn't see any problem.
I bet the General (Motors) might have been interested in taking a look at it.
I have no doubt that the people who are continuing being asked to update the systems on vehicles do not have errors, mistakes, flaws, and flawed components built into their designs and vehicles.
Exactly, and that's my gut feel for what's happening with Toyota's UAE problems. Some vague, irregular, subtle combination of environment (temperature, humidity, shock, EMC, ...) and usage (accelerator being depressed at the same time the AC kicks on when closing one of the windows...). If it was any one thing, like a voltage fluctuation or even some external interference, the problem would have surfaced long ago and be much more prevalent.
How many DBW systems will then have to be retrofitted with an independent, foolproof, and failsafe BTO....??
Going all the way back to 2003...??
You realize of course, that most of the jets flying over your head are fly by wire, right?
What is more likely happening is the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW Power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear.
There is EMF all around us, if this were true Toyota’s (and other vehicle manufacturers ) would be flying all over the place. The fact of the matter is (still), there are millions of these cars on the roads around the world and yet there are only a handful of people experiencing the issues reported here.
I will admit (to currently owning a 2007 Toyota 4Runner V8, which is NOT involved in the recall), that my Toyota will accelerate on its own when the A/C is engaged. I can clearly reproduce this by turning off the A/C, leaving it in drive, setting the parking brake so that the car does not move while at idle, yet still in drive. Take my foot off the brake, turn on the A/C and the car WILL accelerate (albeit not too fast) with the parking brake ON in drive! This shows that the idle up circuit (in my opinion) is over compensating for the A/C (it bumps up the idle about 75-100 RPM in my tests). My point? That there are a lot of things that cause unintended acceleration. If I were not to pay attention and the A/C were to engage, I COULD theoretically accelerate into the car (or whatever) that is in front of me. If you are a light brake pressure kind of person (like me), this can be an issue for you, but it is NOT a flaw. People need to pay attention when they drive.
You realize of course, that most of the jets flying over your head are fly by wire, right?
Comparing a cheap automotive system made for the lowest price possible to an airplane is like comparing a plastic kid's bat to one used by professional baseball players. And that's not counting the redundant systems and maintenance schedule of the airplane, either.
From Exponents document, above...
"..Figure 1. A 200 ohm resistor is apparently placed between the output signals of the two pedal position sensors...."
Note the word "apparently"....??!!
I had assumed that the "short" Dr. Gilbert placed across the two sensor signals had just enough resistance, accidental and unintentionally, that a voltage difference greater than the monitoring system was checking for, 0.020 volts (only 20 millivolts), remained between the two signals.
I think that what Exponent is saying here is that in order to replicate Dr. Gilbert's experiment BUT NOT trigger the monitor they had to use a 200 ohm "short" between the two sensors. 200 ohms is well above any accidental or unintentional resistance I would have assumed.
Given that the two sensor output voltages should ALWAYS be displaced by at least 0.80 volts (factory document), using a difference voltage as low as 20 millivolts is unreasonable if one wishes to truly detect short between the two sensors.
Apparently (there's that word again) Exponent assumed a 200 ohm short since that's the resistance they had to use in order to NOT to trigger the firmware monitoring test.
From Exponent, again.
"..To bypass setting the DTC code on the 2007 Camry Exponent slightly modified the parameters of Dr. Gilbert's demonstration...."
"...By carefully engineering the modification.."
Carefully engineering the modification...
Yes, using empirical engineering methods to select a shorting resistance that provided "just enough" signal shorting to still allow a voltage difference above the detection threshold.
In other words the 200 ohm resistor wasn't small enough, low enough in resistance, to "fool" the 2007 Camry's firmware sensor monitoring system, so Exponent chose another value.
First they "ASSUME" Dr. Gilbert used a 200 ohm resistor with absolutely no evidence of that (granted, either way), now they modify their own assumption to fit the new case.
And yes, you can "short" the two signals together with just enough resistance to still remain above the minimum voltage difference detectable by the monitoring firmware. And now, if you wish, provided you carefully select the resistance of the "short", connect the one sensor to the 5 volt reference to create a runaway engine "without" setting a DTC.
Or, if you like, you could short the one sensor to a reference voltage right at the maximum of the normal operating range, the engine would go WOT, but no DTC would be set.
"...Exponent was able to rewire the pedal sensors and achieve engine revving without setting a DTC...."
Yes, so could anyone, by empirically selecting the shorting resistance.
And finally:
"...Exponent also evaluated how vehicles made by other manufacturers would respond to the same rewiring that Dr. Gilbert showed in his demonstration. Every vehicle from other manufacturers tested by Exponent could be induced to respond with a sudden increase in engine speed and power output, although the parameters of the rewiring changed slightly from vehicle to vehicle. These demonstrations in no way indicate a defect with any of the vehicles tested (including the Toyota and Camry)..."
...although the parameters of the rewiring changed slightly...
NO SHxx, SHINOLA..!!
....no way indicate a defect with any of the vehicles...
Avoiding a public REBUTTAL by other manufacturers, "this".
But I still find myself puzzled that this worked, so far...
You realize of course, that most of the jets flying over your head are fly by wire, right?
Of course I realize that. In a $250 million 747-400, for instance, there is the best of everything electronic - i.e., sufficient electronic shielding protection, redundant systems and so on. Also, at 35,000 feet there is substantially more time to react in an emergency, unlike on the road.
What is more likely happening is that the Toyota electronics are being affected by something such as an arc welder (they run at 220VAC / 200+ AMPS = 44 kW power) and this in turn generates huge electromagnetic pulses as the arc is generated - which negatively affect electronic gear.
There is EMF all around us; if this were true, Toyotas (and other vehicle manufacturers') would be flying all over the place. The fact of the matter is (still), there are millions of these cars on the roads around the world and yet there are only a handful of people experiencing the issues reported here.
NOT TRUE. Other vehicle manufacturers are obviously using superior EMI/RFI filtering techniques throughout and are not being affected by the unintended acceleration problem. You assert in your previous post that these Toyota owners are confusing the gas pedal with the brake pedal and that the carpet is also part of your equation. If that were all true, then using your logic, don't you think there would be a number of other non-Toyota vehicles crashing from out-of-control acceleration, killing people and gathering attention??? Connect the dots. This is an electronic problem UNIQUE to Toyota and not a dyslexia (left-right pedal) problem. You must be on the Toyota payroll because you seem to be disregarding several important factors. Not everyone is born an engineer.
I don't think it's more likely than any of the other hypotheses that have been advanced.
For instance, do you know the radiated spectrum of an arc welder? Do you know where ECUs are located in Toyotas and other manufacturers' vehicles? Do you know the shielding effectiveness of the car body, at the frequencies an arc welder's spark emits, and what the strength of the radiated emissions is? Do you know the susceptibility of the circuits to disruption? Do you know if the ECU and associated interface circuits were subjected to any sort of Electromagnetic Compatibility (EMC) testing? How about the vehicle as a whole? These are all questions that need to be addressed to be able to assess whether radiated susceptibility of the ECU may be part of the problem or not.
NOT TRUE, Other vehicle manufacturers are obviously using superior EMI/RFI filtering techniques throughout and are not being affected by the unintended acceleration problem
Obviously??? Do you know what the other vehicle manufacturers use, or are you just speculating, based on your guess that it's an arc welder (or some other source of radiated emissions) that's causing the problem?
FACT: the test he (Dr. Gilbert) ran cannot occur in real life.
Whose word are you taking on that? Toyota's? If nothing else, Dr. Gilbert proved that the throttle redundancy system is poorly designed. The sensor output voltages should NOT run in parallel, thus allowing a short to remain undetected. As he stated, they should have differing slopes (as some other carmakers' designs do) so that eventually, shorted sensors would come out of spec.
I'm finding it hard to believe that the scenario is 'false'. The leads to the sensors and power supply are mere millimeters (or less) apart at both the accelerator and at the CPU. I think a short could easily happen if the leads were chafing.
The above SUA experiences prove to me that Toyota has not yet been able to capture the failure event with their diagnostics. Hence, they can’t solve a problem they haven’t seen.
Further, I have compiled a few complaint statistics that substantiate my contention of a throttle failure problem. The first example comes from a Lexus LS400 owned by two individuals. The original owner, Peter Boddaert, had 3 episodes in the car resulting in him trading it in. The second owner, Mark Pinnock, also subsequently experienced 3 incidents, with the same car, resulting in his decision to discontinue driving it. This fact, coupled with my own experience, substantiates that Toyota has an electronic throttle problem.
In a second bizarre example: A driver began to experience an SUA event with his Avalon but was able to reach a dealer where, with the gear in neutral, the engine continued to operate at full throttle. The dealer tech verified that the floor mat was removed but was unable to stop the wide open throttle and was forced to shut the vehicle off. The same car brought in to the dealer, for a previous incident, revealed no problems when diagnostics were run on the computer. The dealer eventually offered to replace the throttle body, accelerator pedal and associated sensors free of charge to the driver after the second incident. An interesting solution for a problem Toyota claims doesn’t exist.
NHTSA never pursued the requests for investigation.
How Toyota can continue to claim they have no problem with the electronic throttle is inexcusable. The above examples clearly show that they, “indeed”, have a problem.
What the Symptoms Tell Us
My 6 SUA incidents with a 2000 Lexus LS400 occurred between 2004 and 2006. The symptoms were: starting from a stop with my foot on the brake, as I removed my foot but before getting to the accelerator, the car jumped to what felt like full throttle. Since, before releasing the brake, the engine was idling normally, it suggests the accelerator position sensors were delivering the proper signal to the Electronic Control Module (ECM). After releasing the brake, the engine went to full throttle and tried to leap forward, causing me to put both feet on the brake. Reviewing the event, it was clear to me that the ECM CPUs were no longer responding to the accelerator, which I hadn’t touched after releasing the brake. At that time the position sensors should have been sending an idle message to the CPU. It appears that when I released the brake an unknown signal was sent to the CPU causing it to “latch up” or freeze (in a full-throttle state). With both feet on the brake, pushing as hard as I could, the car leapt forward 3 times, moving about 1 foot each time, before I was able to shift to neutral. Luckily, going to neutral apparently unfroze the CPU and stopped the car just before hitting whatever was in front of me. The incidents each took only about 3-4 seconds. Once in neutral the car again came to an idle, where I believe the unfrozen CPU again was able to respond to the accelerator sensors that were still in the idle position.
I would speculate that because the ECM CPU was frozen, it could not accept inputs from the sensors and was unable either to sense or to log the problem, even if any sensor messages were trying to be sent. Hence, the diagnostics showed “No trouble found.”
It would seem that the only way this issue could be overcome would be to provide a simple redundant system, immune to the freeze conditions, outside the electronic throttle system that had become disabled when frozen. Its function would be to constantly interrogate the electronic throttle system to sense when it enters a frozen state. When sensed, it should force the electronic throttle system to release control of its function, set the throttle to an idle position, and reinitialize the system. Once it had determined that the system was working properly, it would re-enable the throttle system to again exert control. This, however, may be easier said than done.
When our home computers freeze, we are forced to reboot. When this happens in a fighter plane, I understand that there is an emergency button that can be pressed to allow manual control until the fly-by-wire system can be reengaged. Perhaps the equivalent for this problem is the brake-override solution. But a concern among safety experts is that the brake-override software, which has been described as a final solution to the problem of unintended acceleration (SUA), may cause more problems by adding a new layer of software to the system. "These fixes are not dealing with the root causes of the problem," said Sean Kane, president of Safety Research and Strategies Inc. Besides, if the brake override solution relies on the CPU that gets frozen, what assurance is there that it will work? There must be a redundancy where the monitoring system is not dependent on the CPU running the electronic throttle system.
In trying to troubleshoot the electronic throttle it should be possible to cycle the logic inputs for the throttle system through all possible state combinations to see if a frozen open throttle could be invoked at a particular input combination. If that condition could be replicated it would then be possible to work toward a solution. I don’t know if this would work for a potential software bug. Ideally this should be done on the throttle system of a known SUA offender. Since the SUA events have occurred over virtually all of the automobile industry, the heart of the problem appears to be the CPU used by the ECM. Design differences by different manufacturers would make the throttle more or less sensitive to triggering an SUA event. The evidence sits in all of our homes in the form of a home computer. Who hasn’t experienced a frozen system?
A Statistical Problem
The SUA events rarely occur, being maybe only 0.005% or less of the Toyota population. Because it is so rare, it is equally difficult to make sure that when an SUA happens, you can capture the fact that it did. The above explanation is the only one I can think of that agrees with the SUA symptoms. Even when a car having the problem is evaluated it would be very difficult to find the exact failure mode that causes the runaway full throttle. In a normal production car I don’t think you would have a prayer.
I think Toyota is between a rock and a hard place. They know they have a problem, they don’t know the cause, can’t duplicate it and they can’t admit it. If they did they would immedia
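As an added example, not from the thread and not any manufacturer's design, here is a toy model of the architecture the post above argues for: an independent supervisor that watches the throttle controller's heartbeat and forces idle plus a restart when the heartbeat stops, placed next to a brake override that lives inside the same controller loop and therefore stops working the moment that loop freezes. All names, timings and behaviour (the heartbeat counter, the three-tick timeout, the pedal trace) are hypothetical.

```python
"""Added example (not from the thread): an independent heartbeat supervisor
for a throttle controller, versus a brake override inside the controller.
Everything here is hypothetical; it is not any manufacturer's design."""

IDLE = 0.0
HEARTBEAT_TIMEOUT = 3   # supervisor ticks without a new heartbeat before it acts (assumed)


class ThrottleController:
    """The 'ECM' loop. A freeze models a hung CPU: no new output, no heartbeat,
    and the in-loop brake override never runs."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.frozen = False
        self.throttle = IDLE
        self.heartbeat = 0

    def step(self, pedal, brake):
        if self.frozen:
            return self.throttle                  # output latched at its last value
        self.throttle = IDLE if brake else pedal  # in-loop brake override
        self.heartbeat += 1
        return self.throttle


class Supervisor:
    """Runs outside the controller loop. It only reads the heartbeat counter
    and can force the throttle output and reinitialise the controller."""

    def __init__(self, ctrl):
        self.ctrl = ctrl
        self.last_beat = ctrl.heartbeat
        self.stale_ticks = 0
        self.interventions = 0

    def tick(self):
        if self.ctrl.heartbeat != self.last_beat:
            self.last_beat = self.ctrl.heartbeat
            self.stale_ticks = 0
            return
        self.stale_ticks += 1
        if self.stale_ticks >= HEARTBEAT_TIMEOUT:
            self.ctrl.throttle = IDLE             # force idle first, then reinitialise
            self.ctrl.reset()
            self.last_beat = self.ctrl.heartbeat
            self.stale_ticks = 0
            self.interventions += 1


def run(trace, freeze_after, with_supervisor):
    """Drive the controller with (pedal, brake) samples and freeze it after the
    given tick. Returns the throttle output observed at each tick."""
    ctrl = ThrottleController()
    sup = Supervisor(ctrl) if with_supervisor else None
    outputs = []
    for t, (pedal, brake) in enumerate(trace):
        ctrl.step(pedal, brake)
        if t == freeze_after:
            ctrl.frozen = True
        if sup is not None:
            sup.tick()
        outputs.append(ctrl.throttle)
    return outputs


# Constructed trace: the driver presses the pedal, the CPU freezes at the
# 0.9 request, then the driver lifts off and stands on the brake.
TRACE = [(0.0, False), (0.5, False), (0.9, False)] + [(0.0, True)] * 5


def demo():
    """Throttle history with only the in-loop brake override, and with the
    external supervisor added."""
    return {
        "brake_override_only": run(TRACE, freeze_after=2, with_supervisor=False),
        "with_supervisor": run(TRACE, freeze_after=2, with_supervisor=True),
    }


if __name__ == "__main__":
    for name, history in demo().items():
        print(f"{name:>20}: {history}")
```

With the in-loop override alone the output stays latched at 0.9 for the rest of the trace, brake or no brake; with the supervisor it drops to idle after three stale ticks and the controller resumes responding to the pedal. The point of the model is the one made above: the override has to live outside the loop it is supposed to rescue.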
In trying to troubleshoot the electronic throttle it should be possible to cycle the logic inputs for the throttle system through all possible state combinations to see if a frozen open throttle could be invoked at a particular input combination.
That's where the difficulty (impossibility) is. Just for talking purposes, assume the ECU has 8 inputs it uses, and that each of those inputs can take on 256 different values. The number of test cases that would have to be run to fulfill your desire is 256x255x254x253x252x251x250x249, which is 1.65x10^19 cases. Even running one test case every microsecond would take you over 523,000 years to run through all the cases.
But, it's worse than that because you would also have to test the various orders in which the inputs may change.
See the intractability of the problem? You cannot ever verify that a system, except for perhaps a very simplistic one, is correct by testing it. Sure, the more tests you run the higher your confidence factor that you've uncovered all the bugs. But you can never get to 100% by testing.
That's why a lot of analysis and understanding of the system is needed, so that you can choose test cases that stress the system; so that you test the system at the "corner cases" where you might expect it to break, if it's going to.
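An added example (not from the thread) of the test-space arithmetic in the reply above and of the usual answer to it, boundary-value or "corner case" vectors checked against an invariant. The count below assumes every input varies independently (256^8), the eight signal names are invented, and the toy ECU and its 8-bit wrap bug are hypothetical with no connection to any real vehicle firmware.

```python
"""Added example (not from the thread): exhaustive test-space size versus a
boundary-value test set, run against a hypothetical toy ECU model."""
import itertools

# Eight 8-bit inputs, as in the reply above; the signal names are hypothetical.
INPUT_NAMES = ("pedal_adc1", "pedal_adc2", "brake", "speed",
               "rpm_lo", "rpm_hi", "coolant", "gear")
RANGES = [(0, 255)] * len(INPUT_NAMES)


def exhaustive_cases(n_inputs, values_per_input=256):
    """Number of input combinations if every input varies independently."""
    return values_per_input ** n_inputs


def years_at(cases, seconds_per_case=1e-6):
    """Wall-clock years to run that many cases at a fixed cost per case."""
    return cases * seconds_per_case / (365.25 * 24 * 3600)


def boundary_values(lo, hi):
    """Classic boundary-value set: both ends, one step inside each end, middle."""
    return sorted({lo, lo + 1, (lo + hi) // 2, hi - 1, hi})


def corner_case_vectors(ranges):
    """Cartesian product of each input's boundary values (5^8 = 390625 here)."""
    return itertools.product(*(boundary_values(lo, hi) for lo, hi in ranges))


def toy_ecu_buggy(vec):
    """Toy throttle law: average the two pedal channels, zero if brake is on.
    Hypothetical bug: the sum is done in 8-bit arithmetic and wraps."""
    p1, p2, brake = vec[0], vec[1], vec[2]
    if brake:
        return 0
    s = (p1 + p2) & 0xFF
    return s >> 1


def toy_ecu_fixed(vec):
    """Same law with the sum kept in full precision."""
    p1, p2, brake = vec[0], vec[1], vec[2]
    if brake:
        return 0
    return (p1 + p2) >> 1


def invariant(vec, throttle):
    """Throttle must stay within what the two pedal channels ask for, and must
    be zero whenever the brake input is non-zero."""
    p1, p2, brake = vec[0], vec[1], vec[2]
    if brake:
        return throttle == 0
    return min(p1, p2) <= throttle <= max(p1, p2)


def find_violation(sut, vectors):
    """First input vector for which the invariant fails, or None."""
    for vec in vectors:
        if not invariant(vec, sut(vec)):
            return vec
    return None


if __name__ == "__main__":
    n = exhaustive_cases(len(INPUT_NAMES))
    print(f"exhaustive: {n:.3g} cases, about {years_at(n):.0f} years at 1 us/case")
    print("buggy ECU, first failing corner case:",
          find_violation(toy_ecu_buggy, corner_case_vectors(RANGES)))
    print("fixed ECU, first failing corner case:",
          find_violation(toy_ecu_fixed, corner_case_vectors(RANGES)))
```

The boundary set is under four hundred thousand vectors and runs in well under a second, and it lands on the wrap at pedal_adc1 = 1, pedal_adc2 = 255, where the summed request comes out as zero. It does not prove the fixed version correct, which is the reply's point: it only says the places where an engineer expected trouble held up.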
I think Toyota is between a rock and a hard place. They know they have a problem, they don’t know the cause, can’t duplicate it and they can’t admit it. If they did they would immediately
I think that's it in a nutshell.
The above SUA experiences prove to me that Toyota has not yet been able to capture the failure event with their diagnostics. Hence, they can’t solve a problem they haven’t seen.
They surely have and know what causes it. But if they admit to anything at all, they are wide open to 44 and counting negligent homicide charges. They'll deny this until the day they are brought in kicking and screaming as a result of the potential cost of that many cases and a very hostile public.
Of course, if they were using the proper *type* of sensor instead of a hall effect design, there would have been no way for this sort of scenario to happen - or at least not be instantly detected. GM, as an example, doesn't use this type of setup and at worst their cars detect it and shut down and/or go into "limp home" mode.
At first the new business owner was cooperative and working together we grounded and added shielding to the machines responsible.
But in the end we were forced to move because the complex owner just simply would not believe the causative factors.
That's why Dr. Gilbert's discovery is so very important. The Toyota/NipponDenso firmware sensor monitoring system continually checks that the two sensors, gas and throttle, have a voltage difference. A P2138 code is set if they are not and the system goes into "limp home" mode. The most obvious problem is that the voltage "threshold" Toyota/NipponDenso uses is only 0.02 volts.
The firmware also continuously checks to verify that neither sensor's voltage output is outside the normal operating range. The 5 volts Dr. Gilbert applied to simulate the runaway condition was quite clearly outside that range, yet no code was set.
Firmware FAULT.
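An added example, not from the thread and not Toyota's, Denso's or Exponent's code, that models the monitoring logic discussed in this post, in the earlier post about Dr. Gilbert's resistive "short", and in the suggestion that the two sensors should have differing slopes. The 0.80 V offset and the 0.02 V threshold are the figures quoted in the thread; the sensor source resistance (1 kohm), the voltage ranges, the tolerance of the stricter checks and the split-slope design are assumptions made only to run the model.

```python
"""Added example (not from the thread): a dual accelerator-pedal sensor pair,
a resistive short bridging the two outputs, and three candidate monitors.
Sensor resistances, ranges and the split-slope design are assumed."""

R_OUT = 1000.0            # assumed source resistance of each sensor output, ohms
OFFSET = 0.80             # thread: sensor 2 sits 0.80 V above sensor 1 (parallel design)
MIN_DIFF = 0.02           # thread: the firmware's minimum-difference threshold
TOL = 0.10                # assumed tolerance for the stricter checks, volts
V_MIN, V_MAX = 0.3, 4.7   # assumed valid range for each channel, volts


def sensors_parallel(pedal):
    """Parallel design: same slope, fixed 0.80 V offset. pedal in [0, 1]."""
    v1 = 0.8 + 3.0 * pedal          # assumed 0.8 V at idle .. 3.8 V at WOT
    return v1, v1 + OFFSET


def sensors_split_slope(pedal):
    """Alternative design: sensor 2 has twice the slope of sensor 1."""
    v1 = 0.5 + 1.5 * pedal          # assumed 0.5 .. 2.0 V
    return v1, 2.0 * v1             # 1.0 .. 4.0 V


def apply_short(v1, v2, r_short):
    """Node voltages the ECU sees when r_short ohms bridges the two outputs.
    Simple divider: current = (v2 - v1) / (R_OUT + r_short + R_OUT)."""
    if r_short is None:
        return v1, v2
    i = (v2 - v1) / (2 * R_OUT + r_short)
    return v1 + i * R_OUT, v2 - i * R_OUT


def in_range(v):
    return V_MIN <= v <= V_MAX


def monitor_min_diff(n1, n2):
    """The check as the thread describes it: trip only if a channel is out of
    range or the two signals come within 0.02 V of each other."""
    return not (in_range(n1) and in_range(n2)) or abs(n2 - n1) < MIN_DIFF


def monitor_offset(n1, n2):
    """Stricter check for the parallel design: the difference must stay near
    the 0.80 V the sensors are specified to keep."""
    return not (in_range(n1) and in_range(n2)) or abs((n2 - n1) - OFFSET) > TOL


def monitor_slope(n1, n2):
    """Check for the split-slope design: sensor 2 must track 2 * sensor 1."""
    return not (in_range(n1) and in_range(n2)) or abs(n2 - 2.0 * n1) > TOL


def sweep(sensor_fn, monitor_fn, r_short, steps=11):
    """True if the monitor would set a DTC at any pedal position in a sweep."""
    for k in range(steps):
        v1, v2 = sensor_fn(k / (steps - 1))
        n1, n2 = apply_short(v1, v2, r_short)
        if monitor_fn(n1, n2):
            return True
    return False


def dtc_table(r_short):
    """Which of the three monitors trips for a given bridging resistance
    (None means no short)."""
    return {
        "min_diff": sweep(sensors_parallel, monitor_min_diff, r_short),
        "offset": sweep(sensors_parallel, monitor_offset, r_short),
        "slope": sweep(sensors_split_slope, monitor_slope, r_short),
    }


if __name__ == "__main__":
    for r in (None, 10.0, 200.0, 2000.0):
        print(f"short = {str(r):>6} ohm -> DTC set? {dtc_table(r)}")
```

Under these assumptions a 10 ohm bridge collapses the difference below 0.02 V and all three monitors trip, but a 200 ohm bridge leaves roughly 0.07 V between the channels, so the minimum-difference check stays silent while the two channels are plainly no longer 0.80 V apart. Checking against the expected relationship (a fixed offset, or a slope ratio) catches the same short at any resistance that changes the readings at all.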
Toyota didn't design it correctly and instead of being a part to replace, it's causing deaths. That's the ultimate mode of failure in automotive engineering. No matter how wonderful a new technology is, if it's causing deaths, you walk away and don't use it again. Not only from a legal and liability standpoint, but from a marketing one as well (I'm not adding common sense here, since nobody seems to design with that in mind).
Unless the whole thing is designed to be bulletproof and done correctly, you run the very real likelihood of having a critical failure that results in a worst case scenario.
And the more complicated a system gets the more likely it is to be flawed, to have pieces developed by different groups and individuals that then need to be integrated together, have more parts, and have more code. In the end you have more combinations of things that need to be checked in various situations. You have more components that can be sub-par quality (from the low cost bidder in China?). And it snowballs on and on.
And what's the purpose of this grand system of electronics and software? to replace what used to be a rubber-pedal, and a rod connected to a carburetor.
Oh I forgot we're supposed to "oh and ah" at the great electrical engineers who design a car that parks itself. No thanks.
Maybe engineers should use their skills to make excellent, simple machines rather than so-so complex machines. Quality should be the goal, not complexity. Give me roads and structures like the Romans, Greeks, and Egyptians built, not like our modern sports stadiums that might last 40-80 years. Give me a vehicle that I can stick my head under the hood of and understand how everything works. I guess that's a pro of building a kit-car.
This is why the computer registers may have the wrong information stored.
The Toyota statement that the lady did not press on the brake at all, when it had UA, could be very misleading. Assume the computer is the problem. The CPU could have been in a mode that did not register the correct output codes. You cannot make a statement based on the assumption that the computer is never wrong. Just because every time you test the CPU the results show it is running correctly - at that time!
Therefore Toyota is assuming that the woman did not press on the brake to stop - and only pressed on the gas - because the computer chip records say so. Let's now shift the blame to her and away from the PR mess.
Don't assume the computer is correct every time, because you have no other explanation for the occurrence and can't duplicate the problem. There is something very wrong here! It may be in the electronic chips being used.
There is more PR work going on at Toyota than Fault Fact Finding.
LG
Interesting thought. But, the reality is that most people do not want or will not buy simple devices, even if they are more reliable. Consumers seem to want all the bells and whistles. How many people do you know that still have 40+ year old Western Electric rotary dial phones? How many people do you know that buy the most basic cell phone, the kind that only (gasp!) makes calls? How many buy manual transmission cars with hand operated windows?
The issue with "quality" is that it's not apparent in a product like the bells and whistles are. You can see all the fancy doo-dads and features of a new cell phone the first time you turn it on. Whether or not it has better quality will not be known for years.
You may be right in the above but I think that knowing nothing about the system electronics makes it difficult to speculate. One thought would be if one could get a system diagram it might be possible to see the circuit input conditions and logic that would enable full throttle. It might narrow down the options.
See the intractability of the problem? You cannot ever verify that a system, except for perhaps a very simplistic one, is correct by testing it. Sure, the more tests you run the higher your confidence factor that you've uncovered all the bugs. But you can never get to 100% by testing.
I'm very familiar with the intractability and I agree with you. I spent close to 30 years trying to improve bit error rates of disk drive and drum systems. We had to contend with conducted noise, radiated noise, radar noise, arc welder noise etc. When you start looking for intermittent noise sources there is an infinite variety of possible noise sources. However, in that environment one, at least, knew when an error occurred. By Toyota's admission, their diagnostics have never told them that an SUA had occurred. Until their diagnostics tell them different they will continue to blame the driver.
Yes, surely the public wants a complex electronic system to override the errant ECU system. Why would electrical and computer engineers want a simple backup fail-safe system to shut down the engine - like a valve to close in the fuel-line? God forbid that someone puts a spring-loaded valve in the fuel-line that snaps shut when the driver hits a "shutdown" button. That would be too simple and there's no relays, circuits, network interfaces and such to design. God forbid that one of the engineers remembers that in order for the engine to run it needs a spark from the battery. It would be too simple of a backup system to have a way to cut the wire between the battery and the distribution-module to the spark-plugs.
can then use this signal for additional safety routines. Like validating a throttle position. i.e. there can't be a request for full throttle if the pedal has not moved. Right? The 2 hall-effect sensors and related subsystems can no longer conspire to trick the computer into going on a false 'full-throttle'.
A simple reed-switch and a magnet will do.
I googled for info on early days of throttle by wire. They did use 'validation' switch in case the less reliable potentiometers fail.
In the normal case an application of the brakes would automatically disable any of the CC modes. But in this case the sub-routine that does that disabling doesn't "know", cannot "discover", that the "accel" function is continuously active.