Cruise Control circuit breaker?

These reports of sudden unintended acceleration remind me of reports of autopilots gone awry. We are usually taught in such a situation (run-away trim, etc.) to simply pull the circuit breaker to the auto-pilot circuit. Is there such an equivalent in the Prius or general car w/CC? Seems to me the red-herring could be that people are all focusing on the accelerator pedal when in fact the computer, could, on its down, decide to open the throttle without accelerator pedal depression as during CC. Of course, it's supposed to turn off w/the brake application, but what if it doesn't? If there isn't a circuit breaker for the CC circuit, then maybe they should consider putting one in and isolating the circuit, i.e. a simple push-button w/software or hardware watchdog don't be sufficient b/c the likelihood of severe ECU malfuction is high if the CB needs to be pulled - it needs to kill the power to the CC logic which (hopefully) is a separate ECU and can be isolated/powered down.

 

Wow, a single point of failure could disable the entire CC circuit (not sure how feasible that is) but I'm shocked that the cruise enable and disable are all one the same input pin (granted it's a schematic) and differentiated by changing resistance (this is probably an industry standard).

But I'm most interested, I guess, in "software/firmware" of the Power Management ECM as hardware failures would show up in a subsequent diagnostic. I want to know how they program it to ensure that a single point of failure in the software/firmware cannot cause run-away cars, and how do they ensure that, in the event of a CC malfunction, the brake cancel or the CC cancel switch could still reliably disable CC.

Once I take delivery of a Prius, I do intend on the subscribing and downloading the TIS. Is the manual you mention the printed version of the relevant TIS?

Thanks for the info.

 

It's been awhile since my EE classes, but if I'm interpreting the schematic correctly, a short to ground on the input pin would effectively enable CC while preventing cancellation (and disabling all further input). I find this odd because I would have thought that the CRUISE input should be always ON/OFF and not a momentary switch, but if this were the case then the circuit should be measuring current and not voltage (because enabling the CRUISE switch and keeping it on would be equivalent to short to ground with subsequent very low voltage on the input pin regardless of how many additional resistors are then placed via switches).

As I wrote earlier, I do not believe this to be a common/likely scenario, and doubtful if it explains any of the SUA reports as there would be evidence left behind. I'm much more interested in learning how the software/firmware interprets the input pin signal and what safeguards are in place to prevent a catastrophic failure of the cruise control circuit - something I would imagine every manufacturer must design against. This question was specifically asked during the webinar, and I felt it was inadequately answered:

The speaker did not go into any details (as opposed to the accelerator issue) regarding what redundancies or fail-safes are provided except to comment that there are built-in "limits" on the CC circuit limiting acceleration and that it shares the same fail-safes as the ECM, but does not address whether, for instance, the "many things that will cause [CC] to turn off", are separately addressed and lack a common point of failure enabling at least 2 alternative routes to disable.

My concern is whether or not there exists redundancies/internal checks to ensure that a single-point failure (more likely software than hardware) can result in abnormal functioning of the CC such that it will engage and refuse to disengage (short of shutting down the entire engine, etc.).

I'm coming at this from a pilot's perspective where we don't assume everything will work perfectly, and in the case of run-away trim/auto-pilot, the procedure is often disabling of the autopilot by cutting power to it via the circuit breaker.

I'm mildly surprised to learn that the CC is embedded in the ECM, and therefore would like to know what additional safeguards are in place to prevent run-away situations, and whether or not a system similar to that found on autopilot equipped airplanes might provide a higher level of safety at minimal cost (ignoring the cost of re-design, a one-time large expense).

While I don't own a Prius (yet), I know (for instance) that the cruise control on my Volkswagen can be set to pretty high speeds (80mph) and that it can, if permitted, accelerate aggressively if one "resumes" at a substantially lower speed perhaps giving one the impression of a SUA incident.

Again, drawing from my pilot training, as much as I love technology and believe it to help more than hinder us, my programming experience have taught me to maintain a certain level of distrust especially for complex systems and would prefer a fail-safe mechanism for the user to intervene should the system malfunction.

 

I think you mis-understood my query, in all due respect, Bob. First, mine was more of an academic question as opposed to a reference to real physical conditions. Second, again, I'm much more interested in the software aspect of fail-safes and other internal checks on the cruise control. However, as you have so nicely shown us the schematic for the physical wiring of the CC inputs, I did raise the question of why put all CC inputs, including activation and de-activation, on the very same pin? Now if you tell me that the ECM can ignore CC input when it senses brake pedal press on a separate pin (a likely condition, I would hope), then I would be hard pressed to suggest that a CC fault might cause some of the SUA incidents. However, lacking that knowedge, the best I can do is ask if anyone is familiar with how CC cancel operates, and whether or not everything is dependent on that single input pin to the power management ECM, and if so, is it plausible that a simple short on that input pin would enforce the CC to remain in "ON" mode, attempt to accelerate to set speed, and ignore any additional inputs including cancel CC?

I don't think we should be doing the testing ourselves unless there is a safe place for it, and there really isn't a need to figure out how the "black box" power management ECM is operating when Toyota's engineers should know the answer to these questions.

For what it's worth, since you asked, I currently have a Volkswagen Golf, 2001 model, with a Bosch Motronic 7.5(?) ECM, and I do not have the Bentley's repair manual with me at the moment (it's at my parent's house because our family has quite a few VWs and the manual covers quite a few models) nor have I taken a close look at the CC circuit so I do not know the answer to this question. However, I have a manual car so I have no fear that if anything should happen - stuck throttle, stuck pedal, faulty CC, the easy and natural thing for me to do would be to engage the clutch and pop it into neutral without any further ado.

On an automatic with electronic transmission, I cannot say the same because now I have to trust the very same ECM which may or no may not be the source of a CC malfunction (but inside which the CC circuitry also resides) to perform the "gear" change.

 

I might need a refresher on circuits, but if I remember correctly, in the way the circuit above is setup, there is a sort of "hierarchy" in the positions, in that the switches above each other would "dominate" over lower positioned switches by virtue of their lower overall-resistance, is that correct? If that's the case, I wonder why is "CANCEL" at the bottom indicating that if any of the above 3 switches were to remain engaged, one would not be able to signal a "CANCEL" request to the Power Management ECM, or am I missing something?

I'm going by the very vague/simple recollections of DC circuits and assuming that the ECM is reading voltage referenced to ground and that the voltage will reflect the lowest resistance path but I could be wrong because I do recall something about Wheatstone bridges, etc., and let's not go through Kirchow's voltage/current laws (oh the headaches!)

 

Again, I think you are somehow mis-interpreting my queries. As a pilot of all people, you should be familiar with "trust but verify" approach, and while I'm skeptical of complex systems working perfectly all the time, I'm often the one requesting further automation/technological advances [I'm interested in the Prius soley for the PCS system, not for its hybrid drive, which is just a plus].

I'm not speculating on any specific event(s), real or alleged, but am posing an academic question of "what-if". You are asking me to demonstrate a particular scenario in the real world - a request I cannot comply. My quest is to determine if a particular scenario is possible, no matter how remote the possibility. The poll you requested is unlikely to yield answers especially for low-probability events, but fail-safes are intended specifically for those unexpected, low-probability scenarios.

The CC circuit you so generously posted makes me ask the "what-if" question. It's clearly different from the Bosch Motronic ME7.5 on my Volkswagen which has a regular switch (not momentary) that enables/disables cruise control - this type of design I suspect is more robust against wiring/HW problems where a simple toggle of the switch should (again this is all pure speculation as I do not have access to the technical documents of the CC module in the VW, but I do know from reading various forums that the CC module is integrated into the ECM - new for ME7.5 I believe) disable the CC not all that different from "pulling a circuit breaker" to disable it as it's an independent signal (again, so far as I can tell - I could be wrong).

In the circuit you showed for the Prius (and likely all Toyota's/Lexus), it's confusing to me why the system would be designed for:
1) Momentary activation of CRUISE request, and
2) Positioning of the voltage divider circuit (thanks KBeck) such that failures in the switches above CANCEL can then over-ride the CANCEL request?

As I suspected and I believe KBeck has confirmed, if there is a short of either "CRUISE" or "RES/ACC" switch, then the system will receive as input only the signal to turn ON the CC or (perhaps worse) increase CC setpoint (ACC) even when off (RES) and cannot in such a condition, receive a "CANCEL" signal. Such a setup is inherently dangerous, in my opinion, and would result in a "sudden, unintended acceleration" not unlike Steve Wozniak's situation (except in that case it was user error). Again, I would like to point out that I do not believe hardware malfunction of the CC system is likely to be the culprit in SUA incidents as they should leave behind a trace of their failure. Much more plausible, for me, is a software issue, and hence my quest to identify the software designed fail-safes for CC malfunction, i.e. is there some sort of supervisory circuit that monitors the CC engine request/output and ensures that it makes sense?

However, again, as I posted earlier, I'm pretty confident that Toyota engineers most likely foresaw this and I'm sure that the CC cancel input can come in from additional sources not documented on the schematic shown, for instance, the brake pedal signal is hopefully a separate pin input into the ECM which should, hopefully, over-ride any CC request or RES/ACC input.

As an aside, I have really appreciated reading your posts and your technical insights - and you are certainly one willing to go out to perform testing to verify your hypotheses. However, in this particular situation, given the likely rarity of the scenario, I think the answer is best sought from Toyota engineers who wrote the code/engineered the power management ECM.

 

I really doubt one would find such a hardware fault, at least within a reasonable number of car samples given the low probability. But this all goes to my original question:

Should there be some sort of malfunction in the CC "logic" (not the hardware), what fail-safes are in play to prevent "run-away" car? This was the very same question posed during the webinar and the answers were vague.

I understand that the "Stop light switch" or "Transmission switch" should disable CC, but my question is: who's checking these "cancel" requests? The CC unit itself, or some other supervisory circuit (I hope)? If the CC unit gets in some weird software loop and cannot respond to the cancel requests, does the Power Management ECM disable the CC when the cancel request comes in (possibly through an alternate source like stop light switch)?

My original question and simple concern is that if all CC-related inputs go only through the CC unit, then that would be concerning. I highly doubt this is the case, and am glad to see that on the Gen2 wiring diagram it's clear the Stop Light switch is a separate pin on the ECM (who knows how the logical units are setup, but I'll bet the Toyota engineers are no dummies and have already accounted for this).

All these speculations could be avoided if during the webinar they gave us more concrete examples of safe-guards just as much as they did focusing on the accelerator pedal (which I've felt all along may be a red herring and in any case would be very difficult to differentiate from manual (user) error - perhaps why the lawyers focus on it so much and Toyota must defend against it so rigorously).

In the current design scheme, I don't think it's always clear what a short to ground would do on the CC switch. If CC were already enabled, it would probably disable it (assuming the logic were to switch on a HIGH->LOW transition), on the other hand, if CC were OFF then it would turn it on (again, assuming HIGH->LOW transition) but presumably NOT cause the car to accelerate or even try to maintain set speed (that takes 2 actions I'm guessing: CC ON, then SET or RES). In that manner, I feel the hw is pretty well safe-guarded against problems, and my guess is the the CC logic is so deeply embedded in the Power Man ECM that it would be impossible to isolate it and shut it down - so there goes my theory of a CC circuit breaker.

[Just re-read your earlier post more carefully - you're saying it would take three steps: ON, SET, then RES/ACC. Intersting - in my VW w/Motronic ME7.5, you can simply hit "RES" and it would resume at last set speed (v dangerous I think, esp. if you don't recall what that last SET speed was) even after vehicle is OFF. I like the Prius mode better.]

Gotta say though, I wonder what pilot would feel ok flying an airplane equipped with the simplest 3-axis autopilot that DOESN'T have a circuit breaker to disable the AP/trim?