"Gilbert Report" on accelerator weakness

I have to agree with you in this - the real tragedy in all of this is that these are clearly very rare events, and when Toyota was given a chance to investigate further these purported malfunctions, it seems (I could be wrong) that they didn't pursue this to the utmost. Now, it will be nearly impossible to re-create the identical situations and we can only guess at what happened that day. But when they had the vehicle that was malfunctioning, in such a life-safety related system, they really should have sent that car or components of it for detailed, methodical testing including reading of the supposed "black box" ABS ECU (although that inputs that record, I don't know, hopefully acceleration and accelerator pedal position/ECM state at minimum...)

 

Hi Kbeck,

I find that Ms. Smith was terrified. She convinced me she was terrified. That is about all. The rest of her testimony was inconcise and imprecise. Consequently, her data point is useless in determining cause, only useful that further investigation is neccassary.

 

Agreed. And, frankly, given Ms. Smith's eyewitness account, it sure doesn't sound like a bad pedal.

And you're right - if the thing were really susceptible, we'd be up to our keesters in rampaging Toyotas, which we're not.

However, there are the numbers. Maybe (being generous here) a couple hundred cars out of what, fifteen million total? Let's call it ten million. That implies a failure rate of 100/1e7 = 1e-5, or ten parts in a million. (Watch out, in a minute I'm going to start calculating FITS.)

Point is, that kind of number implies a low runner. Could be software, could be hardware. If it's hardware, it could be a marginal design and we're running into a six-sigma fault case with manufacturing variations; it could be an operator on a particular production line who wasn't doing their EMI/ESD protection correctly. I'm a hardware guy, mainly, so I usually lean towards hardware faults as causes. My usual reaction to a problem is to spout a zillion possible reasons that it could die, then weed out the idiot ones and go for the ones that make sense. (My compatriots complain that I'm like the old guy hunting squirrels with his young nephew; the old guy has the tremors, but points his gun at the tree and gets the squirrel on the first shot. The nephew compains that it was no fair - the old guy was holding the gun "all over the tree!").

Oh, yeah. Six sigma. Analog parts, in particular, have manufacturing, temperature, and voltage based parameter variations that are Guassian bell-curves in shape. One sigma puts one down by 0.36 from the peak. If one is designing at six sigma, then the probability of failure is much reduced. However, sometimes the manufacturers change specs without telling anyone (and get yelled at when they do), leading to angst and remediation efforts.

I've got to go watch that video, which I'll do later today. However, Toyota says that they're studying the problem, and that's the right thing to do.

Kbeck

 

Terrified, right. Gallons of adrenaline running through her veins, absolutely right. I do not know, I've been in a couple of situations where I thought death might be around the corner and it's amazing how (a) it focuses the mind and (b) sticks with you afterward.

She said she saw the cruise light come on. She said she turned it off. She said she had both feet on the brake. She said she switched gears, including into reverse. She had the presence of mind to call her husband. He said she called him, corroboration. They called a tow truck driver. He saw weird stuff and signed a paper saying that he did.

She's a gol-danged eyewitness swearing by her oath that she's telling the truth as she sees it. She sure doesn't sound like a person who screamed loudly until she hit the abutment, especially that, if she had, she wouldn't have been sitting there.

OK, I've actually had the mispleasure of running into a person who lied under oath. And there are bad people in the world who will do nearly anything to get a couple of zillion dollars in a class action lawsuit. However, my personal belief is that most people do tell the truth.

She has some backup, too. From the testimony there are at least, what, a hundred-fifty cars out there that have had problems that apparently weren't attributable to floor mat problems, including the two that stuck out to me: 1) the guy who claimed that he had his foot under the gas pedal, prying up; 2) the safety expert who stated that there were at least a couple of cars at dealers that exhibited the problem.

Maybe the whole thing is a scam by money-hungry potential plaintiffs in some massive lawsuit. But I don't think so. (Not that a few scammers aren't going to latch on; such is life.)

Kbeck.

 

Are you talking about plausable deniability in a lawsuit, or what.

The blame of driver error in many of these cases just is not to be belived. Yes, if you take proactive steps to stop safety investigations, hide data from other countries from safety issues on the same cars there, testify in court and arbitration that things are safe but do not check them out. Yes if people die, and toyota has not tried to fix the problems they are to blame.

The same goes for gm or other manufactures.

First "negotiated" lack of investigation was 2004. There was ample time for toyota to investigate this. Toyota knew about sticky throttles in europe, but kept this hidden from authorities in the us for at least a year (and those authorities should have been able to find out it was hidden so bad on both). A simple brake interlock as all german auto have could have likely prevented many deaths. It is highly suspect that toyota will not at least sell the us regulators a key to read information from their cars.

So yes, if there is still a problem there is plenty of blame. But that is really for other threads.

I would expect 6 sigma from electronic brakes and throttle. Toyota reports are statistically much higher than other makers on unintended acceleration. Technically it is not satisfying to me that these cases are all driver error, floor mats, and sticky throttles.

 

Did anyone catch who was paying him?
It was the guy sitting next to him. (kane)???
Did anyone hear who was funding that guy(kane)???
It is 5 lawyers that are suing Toyota. Hmmmmm seems kinda strange to me.

 

All right. I've sat through the webinar.

Interesting. Two CPU's, watchdogs both ways, and so forth.

Important point #1: There are two CPUs in there, fine. However, Dr. Gilbert's comment about their being a common piece of silicon receiving the analog signals from the throttle are not negated by anything in the webinar. So, as far as that goes, Dr. Gilbert's work still stands.

As far as the rest: Good, standards based engineering going on out there. And it sure sounds like they're chasing problems.

However, there are still issues. If there was one thing that I'd be staring at, it'd be that engine control module. Two CPUs or no two CPUs... That box does the cruise control. And I've heard rumors before now on Priuses about out of whack, unintended acceleration of the cruise control. And, no, I'm not talking about that Woz guy.

KBeck

 

kbeck,

I do ESD for a living and I'm getting a kick out of your comments.

I don't claim to be an expert in automotive electronics, I only develop/provide the on-chip ESD protection. If you read some of the automotive specs, you'll see that the ESD/EMI immunity requirements are insane. I had designers asking me for such crazy stuff that I had to get copies of the specs to be sure of what they were asking for.

Just a taste:
- ISO 7637 is about transients on the 12V supply. Some of the transients peak at +100V, others at -100V, most in between but still well more than 12V. I believe (but don't hold me to it) that the devices are supposed to remain operational during these transients.
- IEC 61000-4-2 is a relatively common system-level ESD standard that's designed to test full systems (like computers that have ESD protection on the board). The peak current is ~10x more than HBM (Human Body Model) that's common in the consumer industry (designed for sandalone chips, but often applied to full systems like cell phones). Some automotive communication specs require that the part survive an IEC zap directly to the I/O pins (no ESD protection on the board to help).

 

First time I've ever met an ESD designer. Hi!

Well, I mainly muck with -48V/-60V systems. We do lightning surge testing at +-500 V differential mode on the battery feeds, 100V common mode to ground. Fun.

ESD is more fun. Throwing 15 kV air-discharge spikes (about a 1/4") onto any and all exposed metal and LEDs can sometimes lead to serious fun. It's cool watching an ESD spark hit the front of an LED lens, travel along the surface, dive between the holder and the lens, and zap onto a metal lead behind the faceplate! (Much hilarity with fried electronics and how to fix the problem ensue.) And, of course, there's the never-ending battle between people who believe in ESD ground rings around the circuit board and those who don't, but I digress.

Actually, in an automotive environment, I'd think that 100V spikes in either direction are relatively tame. I can immediately think of two reasons why:

1. Big inductive loads that get switched on and off. Think starter motors, windshield wipers, fan motors, you name it. When those things get switched off, inductive spikes are what you get.

2. Lightning strikes. Ye customer wants to drive the car away after lightning has struck either on, or nearby, the car. Lightning strikes, even when they don't hit directly, set up massive currents that inductively couple into everything. Central office telecom gear has to survive +-500V, 2us rise, 50us fall (or thereabouts) spikes due to lightning strikes hitting the iron members of a building, inducing big currents, which then couple into the DC battery feeds.

Outdoor stuff has to survive much higher voltages. I remember reading this one procedure: A certain grade of cheesecloth is put on the gear, the door closed, and the box hit with the lightning surge voltage. What was the phrase? Oh yeah: "The equipment under test shall not become a fire or fragmentation hazard after the test." Sheesh.

Cars are, I guess, supposed to be able to handle direct strikes. Fun.

Kbeck.

 

One congress man highlighted this during the hearing.
Not that I question Dr Gilbert's integrity (yet), but once lawyers are involved, anything goes.

 

Correct me if I'm wrong, but as far as I understand after reading the "Gilbert Report", a short-circuit between VPA and VPA2 means only that the redundancy is lost, but the throttle still works, at least sort of.

So, to cause a wide open throttle, you need to short VPA and VPA2 *and* to connect them both to Vcc, right? This *might* happen (and might have happened in isolated causes among the milions of Toyotas over the globe), although it does not sound very likely to me. This definitelly does not seem to be a major concern, in my point of view.

In general, it is not the best design I have seen, and not the worst either. The 20mV allowable difference among both signals intrigues me however. On the other hand, it is good that a non-contact sensor is used. Overall, I think I can live with that - seems safe enough for me.

BTW, Bob, SPI and I2C are both meant to connect integrated circuits on a single PCB, in a very short distance (say 2 inches at maximum). Both are very prone to EMC noise and totally unsuitable for the purpose you propose. A CAN or RS-485 would be much more suitable if you insist on digital encoding - however, all that implies that you would have to have a separate MCU right on the sensor PCB, which would be an entirely different design approach.

On the other hand, you could produce a PWM signal (as others proposed) with a simple voltage-to-PWM conversion circuit not involving any MCU, which seems like the most elegant solution to me. BTW, if you want to safely transfer a PWM signal for a longer distance in a noisy environment, you could conveniently use a RS-485 *physical layer* for that - so that you would transmitt not dataframes, but a *PWM* signal using a RS-485 driver. RS-485 is differential and generally pretty resistant to EMC noise, and RS-485 drivers are very cheap. A friend of mine came up with this idea some time ago and used it several times, with excellent results.

 

All true, but there's one important point that you may have missed. During the spoken testimony (but not in the report) Dr. Gilbert stated that, in the Engine Control Unit, the two signals went through a single piece of silicon.

Presumably those signals went further on their way to the two separate microprocessors in the ECU.

His statement might be right; it could be wrong. But if it's true, then a single defect on that silicon could give both a signal-to-signal short and a connection to VCC, ground, or some other interesting signal. It doesn't have to be an ESD defect; it could just be a bad part, or part going bad over time.

Hence: A single point of failure.

I certainly haven't seen schematics of the ECU. I imagine that kind of thing is a deep, dark secret of Toyota. But I make a guess that Gilbert may have taken the covers off and gone looking.

Basic answer: Nobody knows, and, except for that one short statement of Gilbert's, there's no further clues.

KBeck.

 

Thanks for further clarification - I haven't heard the spoken testimony, only read the report, hence I didn't know that.

Yes, that is a possible single point of failure, I agree - the signal paths should be completely decomposed for redundant signals when designed properly. This seems like the guy who designed it was having a bad day or something?

But still, it won't make me stop driving my Prius .

 

Sorry Bob, that's where you lost me. I started thinking about that movie with Johnny Depp, then I thought about Grapes and stopped for lunch.

I appreciate that there are people like yourself and others to figure this stuff out. Figure it out then dumb it down for me. If you could use an analogy involving a talking elephant and a circus, I think I could stretch my attention span.

Otherwise I'm lost. I do like the phrase "pathological jumpers" I'm going to steal that and use it myself, for something totally inappropriate.

Keep up what I'm pretty sure is the good work.

 

Hi Bob,

Although your test results on the above ECU would be quite interesting to read about, they would not relate to Dr. Gilbert's work since he did not test a 2010 Prius. If you're interested in confirming or denying his work, then wouldn't you want to obtain an engine ECU from one of the four Toyota models listed at the back of his paper?

However, if your research interest is limited to Prius, then referring to the 2G Prius repair manual, the difference between the two accelerator position sensors for any given pedal position is supposed to be 0.8V. The maximum voltage range is supposed to be 1.6V - 4.4V for one sensor while the other is supposed to operate from 0.8V to 3.6V.

Although I've downloaded numerous sections of the 3G repair manual I did not download the sections relating to DTC codes since that amounts to hundreds of pages... Is 3G supposed to operate in a similar fashion?

It would be quite interesting if the application of 5V, outside the allowable range for either sensor, did not log a DTC and resulted in a full open throttle situation. It would also be quite interesting if the hybrid vehicle ECU would not report an error until the difference narrowed to 0.02V.