Expert Says Electronic Design Flaw Linked to Runaway Toyotas

But guess what shuts the engine to idle! It is the ECU computer. If the computer has become defective, then what. I tried it with my '07 and it works as you stated, but still a computer command. What Toyota may need to do is have a brake override independent of the computer, like a switch opening the command line to the Hybrid System.

 

The essay Bob referred to is here, including a pointer to the
latest chapter from our esteemed "professor".
.
It's been hard to pull together because of trying to find the better
supporting links amid the noise. It's part technical rundown and
part opinion piece, and I certainly don't expect everyone to agree
with it, but that's how I see the whole sad acceleration/braking
flap primarily as it applies to the Prius. I'm not necessarily an
apologist for Toyota, but I really hope they don't take an additional
beating because congresscritters don't understand the meaning of
deliberate faults introduced into environments where they're
otherwise highly unlikely. Jam a stick into your mechanical
throttle linkage to see what happens? Sure, why not, just don't
tell the lawyers.
.
I also hope to chat with Sean Kane later this week and explain
how the braking system works.
.
_H*

 

The professor never changed his story. The author interweaved the opinion of someone else in with the professor's narrative. Classic media trick.

The someone else is Sean Kane, and he's been around since the start claiming that there is some big electronic problem. He claims to have uncovered the Ford/Firestone issue as well. It's unclear how accurate that statement is, since NHTSA started an investigation before Mr. Kane claims he broke the story. But he is likely just overstating his role, not being deceptive. In any case, I would bet that he serves as a consultant to plaintiff counsel in the eventual class action..

 

Are you talking about the video or the story? In the video, I think Dr. Gilbert becomes more alarmist as the interview proceeds. Just my perception? Maybe. Or maybe it was a cut-and-paste interview with some reporter encouragement?

A bit off-topic, but I find it interesting that everyone will believe one professor over Toyota's engineers, but completely discount the opinions of a couple of pro-global climate change scientists over the skeptics.

That sounds like an interesting discussion!

 

Oh, I'm sure they'll take a beating by stuffed shirts anxious to show their constituents how seriously they take safety. This has happened in my industry as well - heart defibrillators. There's been some failures, and congress leaned on the FDA, asking why they weren't doing their job, so now the FDA is uber-cautious on approving new devices and trigger-happy to demand recalls. The question then becomes - are they killing more people because the medical devices aren't available than they're saving because they're worried about the very rare singular failure?

A lot of these people don't realize a complex system (as most things are these days) cannot be made completely safe, especially in the face of multiple failures. In our world, we have risk severity, risk likelihood, and then risk mitigation where the combined severity and likelihood are too high. Note that we don't have risk elimination, that is often impossible or renders the device unusable. Real life is full of calculated risks.

Regarding the comparison between Toyota's vehicles and the Buick Lucerne, I would still look up their safety crash ratings and treat that with much higher regard than a rare electronics failure. People worry about shark attacks when swimming but there's a 100 ways more likely to die at the beach than from sharks. But leg cramps, lack of swimming ability, riptides and getting knocked in the head by a jet-ski don't sell newspapers the same way. Women are 8x more likely to die from heart disease than breast cancer, but guess which one gets more attention. (Also, 1% of breast cancer occurs in men, where it's more fatal because it's not caught as soon).

BTW, my company uses the same RTOS in their defibrillators that the Prius uses. I'm not sure that means anything, other than it's not WinCE.

 

Its worth noting that the terms "expert" and "professor" here seem to be used rather loosely. He's probably a smart enough guy, but as far as I can tell he's basically teaching future mechanics at a glorified community college program. That's a far cry from being an expert on automotive system design, or electronics systems. Kind of like being an EMS (which is a very noble profession) and claiming to be an expert on heart surgery. I find it pretty telling that a google search of "david gilbert "southern illinois university" " results in almost no info except stuff about this article. The website for the University of Southern Illinois Carbondale's Automotive Technology program just says information about its faculty is "coming soon". Wow, these guys are so high tech/cutting edge they have almost gotten around to building a website! Its pretty tough to be an "expert' in academia without your name ending up all over the web, as a result of your research projects and papers. Unless you haven't done any of either.

As others have noted, as an EE I see a lot of problems with this article/video, but the details are so vague its hard to tell anything. The biggest problem I see, is the interviewer is completely putting words in the "experts" mouth. the article even more so. What the expert says is its possible that if a fault occurs it won't be logged in a DTC. The interviewer clearly wants us to interpret this as its likely a fault could occur, which is completely unclaimed. The expert then uses artificial means to induce a fault, and shows that it does not produce a DTC. The interviewer of course considers this proof that an electronic failure in Toyotas is causing runaway acceleration. Which is completely not the point the "expert" was trying to make, but since he's getting a lot of international spotlight he choses not to object.

I have to agree again with some of the comments above regarding probability. In a complex system, everything is based on probability. The fact that you can externally make an electronic system fail is completely irrelevant unless you show some probable way that it is likely to actually happen. There are literally an infinite number of failure scenarios in a system this complex, all you can really do is guard against as many of the most probably outcomes as you can witheither smart deisgn or specific safety features. This "expert" took a toyota and a buick, and found that hacking them in a specific way caused one to fail and not the other. That doesn't mean the Toyota is likely to fail, or the buick isn't. He just found a way to make one fail. In fact it is strongly implied in the video that he has to make at least two things fail to trigger the event, which right off the bat makes it less likely to occur in the field. By creating this external, artificial failure condition he not only may be simulating an unrealistic event, but is quite likely bypassing safety systems that are in place to catch a realistic event.

He also assumes that because his $100 DTC code reader (Acutron CP9180) says "no errors" that the car has logged nothing. That seems like a huge mistake to assume that. Priuschatters already know that the amount of insight you can gain into the toyota systems is extremely limited with a generic scanner. I know of at least one independent mechanic who had to splurge for the multi-thousand dollar toyota scanner in order to effectively work on Priuses. We already know that there are a lot of things our dealers can read out of our cars that have nothing to do with DTCs. I'm not even sure that tool, the one used by the dealerships, can truly access everything in the Toyota computers let alone a $100 scanner. As a designer of commercial ICs, I know I definitely don't give my users control of or visibility into every register and control I build into a chip. Many are for my diagnostic and design purposes only. I would not be at all surprised to find that this same dynamic exists between the designers at the Toyota factory and the techs at the dealership. The last thing you want is them messing around with things that could cause the car to operate incorrectly.

Toyota's designs are certainly worthy of scrutiny, but I'm not very impressed with this bit of "evidence".

 

In the mid 1990's, the Detroit Diesel 60 series motors with DDEC IV had some pedals that went dead. The motor would default to idle, and the driver was stranded until the pedal was replaced

I have been unable to find any supporting documentation that a PACCAR semi has experienced a "runaway" due to pedal issues

I work with that RTOS. It's also used in fly-by-wire fighter jets

 

According to ABC news tonite, apparently Toyota was sufficiently impressed -- after having been able to reproduce the specific problem "in the early hours of the morning" and testified to that fact to Congress today.

 

I'm wondering whether the posters in this string have read Dr. Gilbert's paper? If not, here's a link:

http://energycommerce.house.gov/Press_111/20100223/Gilbert.Testimony.pdf

Actually, the accelerator pedal position sensor is powered by 5V. In order to confirm the claim, you'll need to have access to a 2010 Tundra or one of the three other Toyota vehicles that he tested (as he did not test Prius.) In any event it appears his claim was subsequently confirmed by Toyota's outside engineering firm operating under an "unlimited budget".

The professor did not make any claim regarding Prius.

Although it may be a mistake to assume that no DTC was logged, one of the professor's points was that if a DTC relating to the accelerator pedal sensor was logged, then the powertrain should move to a failsafe mode. In that case engine power should drop way down. That did not happen.

From the point of view of a driver suffering unintended acceleration it does no good for a DTC to be logged if the car continues to zoom merrily along...

After reading the paper, I think the failure mode would be:

1) the two independent sensor outputs become shorted together, and

2) the output voltage approaches 5V, thus signaling the engine ECU to open the throttle motor.

That failure is certainly conceivable in an accelerator pedal sensor mechanism, although I agree it is not likely. Nevertheless, the failure doesn't have to be likely to account for some of the failures that have been reported, since the % failure rate is quite low.

I would be slow to criticize Dr. Gilbert due to his academic institution affiliation, # of papers published etc. Toyota's engineering firm had a sterling reputation but did not think to do what Dr. Gilbert did.

 

I would be slow to criticize the prof, but fast to criticize the reporter who worked hard to twist his words and viewpoint.

 

I have a feeling that the Prof. could be right.
Personally, I don't believe the B.S. recalls of floormats and pedals.

 

Under intense questionoing CEO Lentz admitted that the floor map and sticky pedal don't address 70% of the complaints filed with NTHSA on Toyota sudden acceleration.

He also admitted that sticky pedal does not cause sudden acceleration because it only sticks at a small throttle opening. It only gives low power to the engine when it happens.

So, the bottom line is that Toyota doesn't know the cause of the problem yet and/or doesn't want to admit it at this moment yet. Especially after recent independent research, it's seeming more and more likely everyday that the problem is electronic and affects all Toyota cars and trucks built since 2002, and it requires substantial resources to remedy. It will probably cost the company in the order of $10 billion to fix it.

 

To the contrary, some variation of the theme of technology failure happens all the time.


The scary part is that even the professor was shocked that something could go wrong with the accelerator but not generate an error code in the main computer.

If there is no error code then nothing's wrong, right?

I wonder other people had the same problem I did with the computer in the 2001 Prius with "too much limp mode." Could Toyota have fixed the problem that makes the computer go into limp mode too often by installing one that doesn't put it into limp mode often enough? Limp mode doesn't kill anyone, so it doesn't make headlines, but it seriously inconveniences owners if their car goes in and out of limp mode, and eventually ends up costing Toyota money.) My 2001 Prius used to go into limp mode... whoa.... why did it go into limp mode... did it accelerate first and then go into limp mode? I wish I could remember. I know that Toyota service department told me that the error code said that I needed a new computer. I know that the main computer was replaced before 100K miles, and I'm pretty sure that it was replaced twice.

Why do I wait for my car to flash a warning light to tell me that the oil is low instead of checking oil levels every time I fill up my car, or at least get my oil changed regularly? I've nearly run completely out of oil twice with the old car... wait a minute, maybe the computer wasn't broken, and that was what limp mode was trying to tell me?


No Error Codes: A couple of months ago my 2007 Prius's ignition would not turn off. It was weird. Weird. I even had it towed in. But there was no error code to explain what had happened. No evidence in the computer that this incident had occurred.

No Error Codes: The electronic dashboard would occasionally go completely dark and stay that way for significant lengths of time. My son experienced it the first time, and I (like Toyota) could not replicate it and didn't understand the seriousness of the problem until I experienced it myself. I have a good relationship with their service department, but it was a new service rep who told me that there was nothing to be done if there wasn't an error code. I pitched a sufficient fit and demanded to file a complaint with Toyota to put it on record that the problem occurred... they checked again/ended up getting fixed by my platinum service contract.



All sorts of things can go wrong, and surely it's not only with Toyotas, but they and Fords are the cars I've got experience with.

There is also a business mentality that came up with a mathematical formula for the number of deaths, injuries (and associated $$$ payouts) that are acceptable , which was a big part of what went wrong with Ford for a long time.

I owned a Pinto, but my gas tank never exploded. I feel very fortunate about that, because when I was rear-ended it was not when I was in that car. Ford is a great company, and I said that when they made a hybrid I'd get one. But then, when the Escape came out and I compared prices and the developments in Prius styling, I got another Prius. Don't get me wrong. I like my Prius.

I don't like it that I can't tell when the gas pump is going out by the feel of the car. I don't like it that if I lose a key it costs $450 to replace it. And I don't like it that there are no replicable symptoms and that the error codes have cleared themselves by the time I get the car in for service, even when I've been diligent.

The way the meanings are attached to error codes is not a simple matter, either --- as a pioneer Prius owner, I know that Toyota HQ did not have any useful meaning for many error codes because it is not possible to identify in advance every possible thing that could go wrong in a car.

Better electronics in the electronic accelerator to tell the computer to put the car into "limp mode" takes care of one problem, which is good, I guess.

 

Hi Bob. The tests by Professor Gilbert show that you can still shift to neutral when this happens. This is the recommended course of action.

See some video of him actually performing the test in the thread I posted here : http://priuschat.com/forums/gen-ii-prius-main-forum/76825-some-audio-video-runaway-ford-toyota.html

 

Cruise control problem? Any discussion of that being a possible cause?

It's my guess that the demise of the off-duty CHP officer and his family may have been caused by a malfunction of the cruise control system. Three points make my assertion: 1) The driver's M.O. would indicate excessive speed, since every law enforcement person I've ever known believe they have immunity in regard to posted speed limits.
2) The area on the southbound I-15 where the accident occurred, would be a normal place where one would be in a cruise control mode.
3) I have had personal rapid acceleration 'experiences' in an Audi (remember that problem?). In those instances, one would be driving at, let's say, 70 mph with CC engaged. Then, come to a town, dis-engage CC because most towns don't really like folks cruising at 70 through their village. Then, I found after one could return to the prior speed, from a stop I could engage the Resume on the CC and the Audi would go balls out to try to hit the previous setting (70) ASAP. Would scare the bejeebus out of me. As we know, Audi recovered from all the fear-hype and became a major world-class winner. But, I'm not sure they ever really found the underlying fault with their sudden unintended acceleration either. Did the excuse that it's just seniors mistaking the gas pedal for the brake pedal hold water, or did they actually determine the true cause?

 

I own a 2008 Prius and following all this with interest. I am still driving mine & know there is a possibility of a problem. I am also aware that motor vehicles come with a degree of risk in routine operation. There are appx. 6 million motor vehicle accidents per year in the US that account for appx. 40,000 deaths per year & a high number of injuries. If you are truly concerned enough, you can quit driving or being a passenger in any motor vehicle. Right now I believe there is a chance of a problem with my vehicle, but taking a calculated risk. All the hype & hysteria have little effect on me outside the possibility of a lowered vehicle value. Outside of that, I have better things to do & more immediate problems to deal with. However, if it is indeed found to be a very high risk of occurance, I would like my car repaired/brought up to date. I am surprised this made it through Toyota R&D.

 

This particular experiment wasn't performed on a Prius, it was performed on other Toyota models; a Toyota Avalon was used for the ABC News "demonstration".

From what I have read in the Toyota tech manual, and what Hobbit posted earlier, I believe the 2nd Gen Prius would throw a code or two if a similar experiment was performed because the Prius tracks the voltage relationship of the two independent hall effect sensors in the accel pedal.

I still hold the opinion that you need to consider the whole system design to determine if the type of malfunction demonstrated in the ABC News video is likely to occur in real life, and that was not addressed by the professor either in the news video or in his written presentation that Patrick provided the link to.

 

The "prof" may be onto something and able to demonstrate that
the cross-checking between the two signals is a little on the
sloppy side, but what he's doing *is* deliberate tampering.
I added some of yesterday's "revelations" to the rant.
.
I finally managed to watch the c-span session from yesterday
morning. It was pure theatre, and it was painful. I could have
explained the whole two-inputs thing to that roomful of buffoons
in five minutes, not the two hours *I* wasted watching the thing.
I love how the congresscritters celebrate their own stupidity/
ignorance on national TV and think it's funny. Really carries a
statement about the people supposedly at the helm of this country.
.
We're having a fairly in-depth discussion about a lot of this over
on prius_technical_stuff@yahoogroups, should anyone care to join
up and download the recent archives...
.
_H*

 

Bob Wilson posted a link to a Toyota seminar (webinar) on ETCS here:

http://priuschat.com/forums/prius-hybrid-news/76831-electronic-throttle-control-webinar.html

 

Driving a car is dangerous, probably the most dangerous thing any of us do on a regular basis. But the most common danger on the roads is from drunk driving and driving while distracted. Mechanical and electrical problems with the car are far, far down the list, even for the drivers of the Pinto and the older Ford Escape w/Goodyear tires.

Given the number of Toyota owners and the number of reported accidents (a few dozen last I heard), I really don't think this will be found to have a high rate of occurrence. I'll still keep in mind the shift to neutral recommendation, as well as other methods (drive in the ditch, sideswipe a parked car) to avoid a direct crash at high speeds, but just like the safety instructions on how to use a life vest in an airplane, I really don't expect to use them.