
"Gilbert Report" on accelerator weakness

Discussion in 'Gen 3 Prius Technical Discussion' started by bwilson4web, Feb 25, 2010.

  1. kbeck

    kbeck Active Member

    Ahem. The nominal difference between the primary and secondary is 0.8V. Gilbert stated several times, emphatically, that as little as 20 mV would not be noted as an error.

    My take: Each voltage has manufacturing variations and/or design variations on it. Somebody said, say, the voltage on each lead is X ± 0.39 V. Somebody else doing the coding said (not without some justification) that the low one could be high by 0.39 V, the high one could be low by 0.39 V, so the worst case, non-fault difference between the two would be 0.02 V, and that would track over all positions of the throttle. Bet that the worst case difference in the other direction, assuming that the above scenario is true, would be 0.8+0.39*2 = 1.18 V.

    This is why Gilbert thought that the Honda/GM(?) solution was better: The two voltages both started low, with some finite difference, but the slopes were different. More coding for the error detector, for sure, but a straight near-short between the two wires would be detected.

    Mind you, based upon what you cited, it looks like the Prius uses the same accelerator coding, with both slopes equal, and the nominal difference between the two slopes being 0.8 VDC.

    KBeck.
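Added example, not part of any post in this thread and not Toyota's or any vendor's code: a C sketch of the two plausibility checks discussed above, run against a bridge between the two sensor lines. The 800 mV offset, ±390 mV per-lead tolerance and 20 mV residual come from the thread; the sensor curves, the 2:1 slope ratio and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Millivolts throughout. From the thread: 800 mV nominal offset, +/-390 mV
 * per-lead tolerance, 20 mV residual difference. The sensor curves and the
 * 2:1 dual-slope scheme are constructed for illustration. */
enum { OFFSET_MV = 800, LEAD_TOL_MV = 390, ADC_MAX_MV = 5000, STEP_MV = 50 };

typedef int (*plausible_fn)(int s1_mv, int s2_mv);
typedef int (*decode_fn)(int s1_mv);

static int clamp_pct(int p) { return p < 0 ? 0 : (p > 100 ? 100 : p); }

/* Scheme 1: equal slopes, s1 = 800 + 32*p, s2 = s1 + 800 (p in percent).
 * The window must admit both leads being off by 390 mV in opposite directions. */
int equal_slope_plausible(int s1, int s2) {
    int diff = s2 - s1;
    return diff >= OFFSET_MV - 2 * LEAD_TOL_MV && diff <= OFFSET_MV + 2 * LEAD_TOL_MV;
}
int equal_slope_pedal(int s1) { return clamp_pct((s1 - 800) / 32); }

/* Scheme 2: different slopes, s1 = 400 + 40*p, s2 = 200 + 20*p, so s1 == 2*s2.
 * Same per-lead tolerance: the residual can reach 390 + 2*390 with no fault. */
int dual_slope_plausible(int s1, int s2) {
    return abs(s1 - 2 * s2) <= 3 * LEAD_TOL_MV;
}
int dual_slope_pedal(int s1) { return clamp_pct((s1 - 400) / 40); }

/* Fault model: a low-resistance bridge holds both inputs within residual_mv of
 * each other while their common voltage v takes any value. Returns the largest
 * pedal percentage the check still accepts, or -1 if every point is rejected. */
int max_undetected_pedal(plausible_fn ok, decode_fn decode, int residual_mv) {
    int worst = -1;
    for (int v = 0; v + residual_mv <= ADC_MAX_MV; v += STEP_MV) {
        if (ok(v, v + residual_mv) && decode(v) > worst)
            worst = decode(v);
    }
    return worst;
}

/* Healthy sensors at worst-case tolerance corners must never be rejected. */
int healthy_always_accepted(plausible_fn ok, int base1, int slope1, int base2, int slope2) {
    static const int corner[2] = { -LEAD_TOL_MV, LEAD_TOL_MV };
    for (int p = 0; p <= 100; p++)
        for (int i = 0; i < 2; i++)
            for (int j = 0; j < 2; j++)
                if (!ok(base1 + slope1 * p + corner[i], base2 + slope2 * p + corner[j]))
                    return 0;
    return 1;
}

int main(void) {
    printf("equal slope, 20 mV bridge: up to %d%% pedal accepted\n",
           max_undetected_pedal(equal_slope_plausible, equal_slope_pedal, 20));
    printf("equal slope, dead short:   %d\n",
           max_undetected_pedal(equal_slope_plausible, equal_slope_pedal, 0));
    printf("dual slope, 20 mV bridge:  up to %d%% pedal accepted\n",
           max_undetected_pedal(dual_slope_plausible, dual_slope_pedal, 20));
    return 0;
}
```

With these constructed curves the equal-slope window accepts the bridged pair at every voltage, while the dual-slope check rejects it once the common voltage rises past the low end of the pedal range.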
     
  2. bwilson4web

    bwilson4web BMW i3 and Model 3

    I like it. I was thinking SPI or I2C at lower speed but you're right, RS-485 would be an improvement.

    Bob Wilson
     
  3. Patrick Wong

    Patrick Wong DIY Enthusiast

    Yes. The relevant repair manual page has a graph showing two lines with the same slope.
     
  4. hobbit

    hobbit Senior Member

    Hey Bob, did you not see the ECU input circuit I sent to PTS?
    I could have sworn I sent it, but now I can't find my own copy so
    I might have spaced. Anyway, you can read the resistor values
    in all their physical glory here, on either side of where I've
    scribbled "VPA". This picture is now part of the "storm" piece.
    39 K to ground, and 6.8 K series going in. Chip caps on either
    side of the ladder. No inductive elements I can see, but I lose
    track of the signals once they dive into the vias. So you don't
    have to ohm it out. Maybe I should haul this board out again
    and try tracking things further. It's from the "flood" NHW20 set
    Steve sent me a while back, which is why it looks so cruddy.
    .
    _H*
     
  5. Harold Bien

    Harold Bien Member

    When I saw that graph, I, too, wondered why not use two opposite slope sensors? If you had a positive slope coupled to a negative slope, not only can you get really precise on the pedal position but you should also be able to notice rather quickly any sensor/wiring faults, and that coding shouldn't be that much more difficult if you kept the same slope but reversed the polarity?
     
  6. bwilson4web

    bwilson4web BMW i3 and Model 3

    I saw the photo and went to find my NHW11 HV ECU only to find someone has been doing a little 'house cleaning' of my stuff.

    What I'd like to see is ohming out the Vcc and grounds to the sensors:

    • accelerator Vcc/Gnd
    • shifter Vcc/Gnd
    • cruise control Vcc/Gnd
    • power button (?) Vcc/Gnd
    • all other sensors
    What I'd like to verify is that the Vcc and grounds have some non-trivial resistance between them ... isolation. I know it sounds lame but Gilbert's trick ... well it would be nice to rule out any common mode risk ... as lame as it sounds.

    Bob Wilson
     
  7. kbeck

    kbeck Active Member

    In addition, I'd like to see where VPA and VPA2 end up, presumably after they've gone through a little input filtering. On the same device? If that's true, I'd love to see a close-up of the top of the device so I can track it down. If not, then it's time to throw sticks at Gilbert.

    Wonderful that you've got the thing.

    KBeck
     
  8. halfmoonray

    halfmoonray New Member

    Two signals from analog sensors have to come in to the same chip. One signal is from one sensor and the other signal is from a second signal. Together they are necessary to create a feedback loop inside the same chip. A feedback loop in the chip checks the second signal to make sure the first signal was correct and to know which way it is trending.

    If the first signal from the first sensor is saying "increase throttle" the chip will not increase the throttle unless the first sensor is confirmed by the second sensor a split second later. The chip will only increase throttle if the signal from the second sensor confirms the signal from the first sensor. (hence feedback) A second sensor is not necessary to run a car but it is necessary for feedback purposes so that the computer does not do something without checking from the second sensor---this is done continuously--for the same operation of the car.

    When you short the two signals together, like Gilbert did, there is no feedback and the feedback is destroyed. The first signal becomes the same as the second signal. Hence there is only one signal and the redundancy check is gone, which is what Gilbert did in his first fault.

    This first fault allowed him then to introduce a second fault which was a surge of voltage through the shorted wire which created the unintended acceleration.

    If the voltage surge was applied to only one sensor wire, with the feedback still intact and not sabotaged, it would have disagreed with the feedback from the other sensor and never allowed the sudden unintended acceleration. Also, it would have lit up the MIL because of the disagreement in the feedback loop.

    Gilbert destroyed a car and said look it's not working.
     
  9. Susan4ET

    Susan4ET Member

    (I'm curious whether, with a fault like this created in the ECU(?), brake application would still break this unscheduled acceleration fault or not? I'm guessing that there is a huge difference in stopping a car with the brake if the acceleration is interrupted (normal) vs the horsepower rpm continuing uninterrupted?) In parentheses because some may object to it being off topic here though I consider it important to knowing how best to stop a runaway car if you are in the driver's seat. Thank you. Oh well...
     
  10. spinkao

    spinkao New Member

    The brakes still have a direct mechanical (hydraulic) link to the actuators when the brake pedal is fully depressed, so they are going to work even if all the electronics burst into flames.

    So, if you ever experience a runaway car (not that I think it's likely and not that I wish you such an experience), then:

    *don't panic*

    1) Stomp on the brakes. Even if the engine goes wild, the brakes are still strong enough to defeat it - but you *have* to stop. Do *not* try to regulate speed with your brakes (or they will go out after a while) - bring the car to a full stop as fast as you can. You can also engage the parking brake.

    2) Try to select neutral - this can be done quickly by pressing the "P" button or selecting "Reverse" with the shifter when the car is at speed. Also, selecting "N" and holding the lever there for at least 2 seconds should do the trick. The engine will most likely rev up, but don't worry; if the engine ECU is still working (sort of), it should prevent it from over-revving. In case the engine ECU wouldn't work, the engine would not run in the first place ;).

    3) If selecting neutral doesn't work, try to switch the car off by pressing the power button and holding it there for at least 2 seconds (or longer).

    4) Stop, bail out of the possessed car and call your service department. And an exorcist :).
     
  11. tumbleweed

    tumbleweed Senior Member

    Not much difference at all, here is a good editorial from Car and Driver that includes some test data. How To Deal With Unintended Acceleration - Tech Dept. - Auto Reviews - Car and Driver

    With a 268 HP Camry the difference from 70 down to 0 MPH was only 16 feet greater with full throttle applied than it was with no throttle applied. The brakes are the most powerful system on the car, but as previously stated they must be applied with determination if you have a stuck throttle. If you try to ease to a stop by applying brakes gradually you might overheat them and have no brakes left after a mile or so.
     
  12. austingreen

    austingreen Senior Member

    This is not correct. Analog signals do not need to go to the same chip at all for comparison.

    Analog signals can go to ADCs on two different chips. Their values can be compared on a third chip. Alternatively analog signals can be isolated on two different chips and compared in an analog fashion on a third chip. Note you can combine the comparison on one of the chips and do it on 2 chips. Going to one chip is not necessary or desirable for anything but cost reasons.

    There is of course the other feedback in the loop, the brake signal. BMW, Chrysler, Nissan/Infiniti, Porsche, and Volkswagen/Audi all use this according to the Car and Driver article mentioned in this thread. Toyota has said they finally will be adding this to production. Given the reports from 2003 on, another sensor could be added to detect if a foot versus a carpet or sticky pedal was keeping the pedal down. This sensor could also turn off acceleration. As mentioned in the article multiple presses of the start button could turn off the car also.

    Given the weakness of the Prius engine, and the different systems I don't think we have much of an issue working around the flaw in our gen 3 Prius. It does point out a design flaw that is especially a problem with Toyotas with more powerful engines and hydraulic brake assist. There is nothing to say that the flaw pointed out has caused any of the unintended acceleration. Toyota says that they are adding one of the fail safes to future cars, but this does nothing to really help those that already own the cars. I hope Toyota does some more serious investigating so that the future accidents and media interest will be reduced.

     
  13. dogfriend

    dogfriend Human - Animal Hybrid

    It takes 3 seconds. I have tried it a few times. It is really interesting, because it is the only way to get the car to shut off and not automatically shift to P (other than disabling the park mechanism). The car will be in N, but the power mode is like ACC. The brakes work fine for at least one or two applications. Steering is slightly more effort than normal, but not a problem.
     
  14. spinkao

    spinkao New Member

    Thanks for the correction, Dogfriend. I have tried it too, but I didn't measure the time, so that's why I stated "or longer", because I was not sure about the exact number of seconds it takes.
     
  15. bwilson4web

    bwilson4web BMW i3 and Model 3

    LOL! When dealing with hybrid skeptics, this is the perfect reply. They dismiss the power of MG2 and many of them don't seem to add very well. <GRINS>

    Bob Wilson
     
  16. kgall

    kgall Active Member

    Re: "Gilbert Report" on accelerator weakness--Pushing the On/Off Button

    I tried pushing the OFF button last night going about 25 on a gravel road. It took about the 3 seconds advertised somewhere in the Toyota materials to switch the car into neutral. I then braked hard, getting the ABS system to engage and start pulsing.

    After the car stopped, the display showed the car in neutral, and a statement that I should put the car in Park, and otherwise the car appeared to be OFF. I pushed the Park button and then turned the car on normally.

    I also tried throwing the car into neutral while going downhill on gravel at about the same speed. That also worked as advertised, but I didn't try stopping hard that time.
     
  17. 2009Prius

    2009Prius A Wimpy DIYer

    Doesn't this just reinforce KBeck's posts early on that it is a bad design to send two signals to one chip as opposed to two separate chips? :confused:
     
  18. kbeck

    kbeck Active Member

    Yep. And, contrary to halfmoonray's assertion, it is not required that both analog signals end up on the same A/D converter or whatever is out there. If one is really working for reliability and detectable faults, diversity in hardware is a good and worthwhile thing. Just ask NASA.

    Of course, diversity in hardware can be the antithesis of low cost, but the point is to rig things so, no matter what the fault, the fault can be detected. This does not necessarily mean gazillions of piles of hardware, but this is why hardware engineers get paid what they do: optimizing for cost, reliability, manufacturability, repairability, robustness, etc., etc.

    KBeck
     
  19. halfmoonray

    halfmoonray New Member

    A feedback loop is the section of a control system that allows for feedback and self-correction and that adjusts its operation according to differences between the actual output and the desired output. This electrical analysis is typically based on two signals, the comparison of which typically takes place in one circuit located in one chip. The feedback loop is very beneficial and serves as a safety mechanism that constantly checks and re-checks itself. You can have a system that does not have feedback analysis, which is more dangerous. Gilbert shorted the two feedback signals thereby erasing any feedback information. Without feedback he was then able to increase the voltage across the line to get the "sudden acceleration". Typically an increase in voltage is say pressing down on the gas pedal, he did not introduce "sensor authorized" increase in voltage. He pushed current through out of nowhere. In a real-life situation, who or what is going to go in and undo the feedback and then send non-sensor originating input? Maybe in Cicero, Illinois.
     
  20. kbeck

    kbeck Active Member

    First: I know precisely what a feedback loop is. I build them for a living.

    A typical feedback system has the following:

    1. An input. (That's not precisely a part of the loop).
    2. A "summer" that takes the input, subtracts from it a feedback signal, and generates what is known as an "error output".
    3. Typically (but not always) the error output is filtered.
    4. The filtered error output is then (typically) applied to, for lack of a better term, we'll call an actuator.
    5. Going along this line, the state of the actuator is then "fed back" to the summer, in such a fashion so, in a steady state condition, the "error output" is minimized.

    The feedback loop, then, is:
    summer->error signal->filter->actuator->feedback signal->summer.

    Notice that we go "around the loop". Negative feedback is defined when, under normal conditions, the two signals present at the summer (the input and the feedback term) subtract from each other. Positive feedback is when they add and is, normally, a Bad Thing. (Ever hear an out-of-control mike squealing away?)

    I now take a wild swing at the terminology and state that the state variable that's driving the loop is the "desired throttle opening". The output of the summer is (desired_throttle_opening - actual_throttle_opening). If something breaks in that loop (motor gone bad on the throttle; wires broken; reporting servo gone west, etc.) the error signal gets large because, well, the loop's broken. THAT is what Toyota detects, and that's a good thing. Note that one could build a throttle control without the loop, if desired, but then broken parts could cause anything evil that one could think of.

    Now, the gas pedal signal to the engine controller is not a part of this particular loop. What that signal is is an input to the summer function. If that signal is at max, min, or in the middle, the loop itself is just going to follow whatever that signal happens to be. For that matter, when the car is running in Cruise Control, the input to the summer is the "virtual gas pedal" run by the cruise control software.

    The duplicated signals from the pedal to the EC are intended to check for errors in the pedal and pedal electronics. The general intent with duplicated signals is that a single point failure (remember that term, it's an important point!) should result in non-agreeing signals at the EC. If that non-agreement is detected, all sorts of error recovery kick in, mostly resulting in the throttle being closed on the engine. But, assuming a failure of the pedal is being handled, the throttle control loop is likely working just fine. Admittedly, a software command to close the throttle is probably directly to the throttle motor itself, bypassing the loop entirely, but only the Toyota software developers know which trick they did.

    So, Gilbert discovered two things:
    1. If the resistance between the two duplicated signals gets to a relatively low value, the error checker over at the EC doesn't notice. Once that happens, the pedal position can be anything, and the EC thinks that's what the customer wants. Full throttle forever? Maybe the customer's running from a bandersnatch, and why would the EC argue with that? It doesn't have eyeballs.
    2. According to Gilbert's testimony both of the analog signals from the pedal assembly go through a single analog chip inside the EC. As an engineer, that sounds dangerous to me. Depending upon where those signals go in, a single failure inside that chip would give both a semi-short between the two analog signals and give whatever kind of detected pedal signal that one could dream of.

    The control loop wouldn't detect a fault because, well, the failure is outside the loop. It's the input to the loop, a different thing altogether.

    Now, I'm not saying that this is the cause of any or all of the unintended acceleration events of Toyotas on the road. However, if true, it is a sign of bad engineering and blows Toyota's "nothing can go wrong with the electronics" statements out of the water. And, yes, I wouldn't be vastly surprised if at least one out of control car had this as a fault; heck, if I squint at it hard enough, I could probably invent a scenario where it might show up as a transient (that is, it does it, then clears somehow).

    Finally: I mentioned before that the gas pedal wasn't part of the loop. That's not quite correct. There's a human being with eyeballs, brain, hands, legs, and feet that can see and feel vehicle operation that can and does do semi-autonomous things (to attempt) to keep the car under control. I know and have worked with people who have degrees in what is called "Human Factors" where the response time and such of a human is calculated and made part of the loop equation for the overall control of a car. It is possible to make a normally functioning car with internal responses that, once you throw a human in the loop, is literally undriveable. (And this includes everything - steering, accelerator, brakes.) On airplanes, they have special people who take airplanes out for the first time before the Human Factors issues are adjusted: They're called Test Pilots, and it's considered a dangerous profession. For good reason.

    If you think about it, people standing on the brakes to stop an out of control car is a form of feedback, although not necessarily a kind of feedback that one would like to employ.

    KBeck.
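Added example, not part of any post in this thread and not any manufacturer's code: a small C simulation of the loop described in the last post (summer, error, filter, actuator, feedback) with a loop-error monitor. It shows the monitor latching on a fault inside the loop and staying quiet when the input to the summer is wrong. The gains, limits and names are all constructed assumptions.

```c
#include <stdio.h>

/* Constructed loop parameters; none of these values come from the thread. */
#define FILTER_GAIN    0.5   /* error filter: first-order low-pass */
#define ACTUATOR_GAIN  0.4   /* throttle movement per tick per unit of filtered error */
#define ERR_LIMIT      5.0   /* percent of throttle opening */
#define ERR_PERSIST    20    /* consecutive ticks over the limit before latching */

typedef struct {
    int    loop_fault;       /* 1 if the loop-error monitor latched */
    double throttle;         /* actual throttle opening at the end, percent */
} loop_result;

/* summer -> error -> filter -> actuator -> feedback -> summer.
 * desired: input to the summer (pedal or cruise control), percent.
 * actuator_stuck: models a broken motor or linkage inside the loop. */
loop_result run_throttle_loop(double start, double desired, int ticks, int actuator_stuck) {
    loop_result r = { 0, start };
    double filtered = 0.0;
    int over = 0;
    for (int t = 0; t < ticks; t++) {
        double error = desired - r.throttle;            /* summer */
        filtered += FILTER_GAIN * (error - filtered);   /* filter */
        if (!actuator_stuck)
            r.throttle += ACTUATOR_GAIN * filtered;     /* actuator */
        double mag = error < 0 ? -error : error;
        over = (mag > ERR_LIMIT) ? over + 1 : 0;        /* loop-error monitor */
        if (over >= ERR_PERSIST)
            r.loop_fault = 1;
    }
    return r;
}

int main(void) {
    /* Driver intends 10%; the three runs differ only in where the fault sits. */
    loop_result healthy   = run_throttle_loop(10.0, 60.0, 200, 0);
    loop_result stuck     = run_throttle_loop(10.0, 60.0, 200, 1);
    loop_result bad_input = run_throttle_loop(10.0, 100.0, 200, 0);
    printf("healthy loop:        fault=%d throttle=%.1f\n", healthy.loop_fault, healthy.throttle);
    printf("stuck actuator:      fault=%d throttle=%.1f\n", stuck.loop_fault, stuck.throttle);
    printf("wrong input (100%%):  fault=%d throttle=%.1f\n", bad_input.loop_fault, bad_input.throttle);
    return 0;
}
```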