
Wednesday, February 24, 2010

In Defense of ETC Part 1

When I get a chance to review Prof. Gilbert's report on how he fooled Toyota's Electronic Throttle Control (ETC) system, I will post comments.

For now, I'd like to take a few lines to defend ETC in concept.

ETC has some significant advantages over mechanical throttle linkages.

  • Fuel economy: actual throttle flow can be optimized based on operating conditions, and pedal position is used to infer driver intent.  For example, someone with a shaky foot can be "smoothed out". 
  • Mechanical simplicity, weight, and cost: Using ETC means you can get rid of the idle air control valve, throttle cable, and cruise control actuator.  Fewer things to break.
  • Robustness: ETC systems have built-in algorithms for unusual conditions.  For example, the throttle plate can be shaken very quickly by the motor, as an "ice breaker", if the throttle plate is iced.  There are no cables to bind up or corrode, no exposed return springs to break.  The system has independent CPUs which monitor the throttle plate position and pedal position hundreds of times a second, with fail-safe algorithms to shut the thing down if something unexpected happens.  ETC has redundant sensors, which are used to check that the information coming into the ECUs is reliable and self-consistent.  In a mechanical throttle system, the only failsafe is the driver's foot--if the thing is stuck, you pump it and pray it gets unstuck.
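To make the redundant-sensor and fail-safe points concrete, here is an added example (not Toyota's or any vendor's code) of the plausibility checks an ETC monitor runs each cycle. It assumes two full-travel pedal sensors on a 10-bit ADC, with sensor B wired inverted so a healthy pair satisfies A + B ≈ 1023, and a throttle-plate feedback signal compared against the command; all thresholds and readings are constructed.

```c
#include <stdlib.h>

/* Added example, not Toyota's or any vendor's code.  Assumed sensor design:
 * two full-travel pedal sensors on a 10-bit ADC, sensor B wired inverted so a
 * healthy pair always satisfies A + B ~= ADC_MAX.  Readings pinned near either
 * rail mean an open circuit or a short, which a single sensor could not reveal. */
#define ADC_MAX        1023
#define ADC_PLAUS_LOW  40     /* below: open circuit or short to ground */
#define ADC_PLAUS_HIGH 983    /* above: short to supply */
#define CROSS_TOL      60     /* max |A + B - ADC_MAX| treated as consistent */
#define PLATE_TOL_PCT  8      /* commanded vs measured throttle plate, percent */
#define PLATE_STRIKES  3      /* consecutive mismatches before shutdown */

enum etc_state { ETC_OK, ETC_LIMP, ETC_SHUTDOWN };
struct etc_result { enum etc_state state; int throttle_pct; };

static int in_band(int adc) { return adc >= ADC_PLAUS_LOW && adc <= ADC_PLAUS_HIGH; }

/* Infer driver intent (0..100 %) from the redundant pair, or -1 when the pair
 * is electrically implausible or the two sensors disagree with each other. */
int pedal_request(int adc_a, int adc_b) {
    if (!in_band(adc_a) || !in_band(adc_b)) return -1;
    if (abs(adc_a + adc_b - ADC_MAX) > CROSS_TOL) return -1;
    return (adc_a - ADC_PLAUS_LOW) * 100 / (ADC_PLAUS_HIGH - ADC_PLAUS_LOW);
}

/* One monitoring cycle.  *strikes persists across calls: a single noisy plate
 * reading is tolerated, a sustained command/feedback mismatch is not. */
struct etc_result etc_cycle(int adc_a, int adc_b, int plate_pct, int *strikes) {
    struct etc_result r = { ETC_OK, pedal_request(adc_a, adc_b) };
    if (r.throttle_pct < 0) {               /* pedal untrusted: idle only */
        r.state = ETC_LIMP;
        r.throttle_pct = 0;
        return r;
    }
    if (abs(plate_pct - r.throttle_pct) > PLATE_TOL_PCT) {
        if (++*strikes >= PLATE_STRIKES) { r.state = ETC_SHUTDOWN; r.throttle_pct = 0; }
    } else {
        *strikes = 0;                       /* plate tracking again: clear history */
    }
    return r;
}

/* Drive n cycles with a healthy pedal (constructed readings 500/523, about 48 %)
 * while the plate reports plate_pct; returns the final state.  A real ECU would
 * latch SHUTDOWN until the next key cycle rather than recompute it each pass. */
enum etc_state stuck_plate_outcome(int n, int plate_pct) {
    int strikes = 0;
    struct etc_result r = { ETC_OK, 0 };
    for (int i = 0; i < n; i++) r = etc_cycle(500, 523, plate_pct, &strikes);
    return r.state;
}
```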

Trial lawyers try to sow FUD (Fear, Uncertainty, Doubt) about "complex electronic systems", and throw out scary "what if" scenarios, to try to win cases and big money.  But engineers know that complex systems are designed, tested, and validated over many years before being released into production, and are tested for every conceivable failure.  ETC systems must be qualified under a range of temperatures and wide-band electromagnetic interference testing.  Failure modes, such as cut wires, broken sensors, damaged actuators, etc., are all tested using a process called FMEA (failure mode effects analysis).  FMEA was designed by NASA as a way to think through a system's reliability to pin down possible ways it could break; then tests are designed to validate the system under those conditions.

Is it possible that Toyota screwed up the FMEA, or cut corners, and has a dangerous-but-rare condition with their ETC system?  It is possible.  But given the excellence of Toyota's engineering, I would be surprised. 


29 comments:

Anonymous said...

Has it actually been established that there is a problem? Or is this a collection of folks (usually seniors) who hit the gas pedal thinking it was the brake, or something like that?

There are just so many cases like the latter, and so many corrupt lawyers and politicians, that I'm naturally skeptical.

With the government owning two competing auto companies, there just seems to be a conflict of interest in having Toyota dragged before Congress for the grand inquisition.

Is this part of the GM recovery program, or is it a real (but rare) defect?

Anonymous said...

Those of us who've been around the block before remember the exact same allegations about sticky accelerators made about Audi cars in the '80s.

Turned out there was nothing wrong with Audi cars, but for a driver-friendly design putting the gas and brake pedals close together (allowing for faster response time), and a bunch of individuals hitting the wrong pedal under stress.

None of this stopped Audi from having to issue a major recall that damaged its brand for years in the USA.

Here we have a case of (allegedly) a couple hundred incidents out of literally multiple millions of cars on the road.

Color me skeptical.

Scott said...

The Toyota debacle is playing out nearly EXACTLY like the Audi 5000 unintended acceleration scare of the 1980s. The NHTSA study of Audi 5000 incidents concluded that the majority of cases were due to driver error and not mechanical defect.

rhhardin said...

Fail-safe systems fail by failing to fail safe.

(One of John Gall's laws)

T J Sawyer said...

Older people with good memories may recall being able to shift from Park to Drive without putting your foot on the brake.

The brake interlock is a result of the last bunch of phantom "sudden acceleration syndrome" cases.

I wonder what extra step we are going to be burdened with this time.

Scott said...

BTW, I just bought a 2010 Honda Civic with manual transmission and the fly-by-wire throttle. The car is a blast to drive! It handles like a go-cart. And I really can't tell any difference between its throttle control and the cable-type throttle on my 1999 Nissan Altima.

roger said...

"But engineers know that complex systems are designed, tested, and validated over many years before being released into production, and are tested for every conceivable failure."

As an engineer, I can tell you that this is bullshlt. In addition, reducing mechanical complexity in favor of electronic complexity never simplifies a system.

And your trust in auto engineers is probably misplaced - too many time and market forces impede the sort of robust design that's required for truly reliable systems. I doubt that many embedded auto electronics would be able to endure the sort of testing and scrutiny that protects truly reliable systems, such as embedded medical devices or avionics.

Anonymous said...

History shows that evidence won't matter. This is a show trial and a morality play. And perhaps even a cynical effort to shore up GM.

This script has been played out so many times before, it's impossible to take it seriously. In the end, thousands of Toyota workers in the USA will be laid off. Millions, or billions, will be transferred to lawyers and other non-productive types. Auto companies will think twice about investing in US production plants. They can make cars in China, or Mexico, too.

It seems odd that a government that runs a 1950's era Air Traffic Control system is grilling the maker of some of the finest engineered product in history.

Color me deeply skeptical.

Robert said...

Electronic throttle control is fine. Taking away the mechanical link to the transmission is another story. If an electronic fault can disable my ability to shift into neutral, then we have a real problem.

Steven E said...

Two comments critical of ETC - NASA experience with software errors (remember one craft crashed because of a units mismatch) gives me little confidence that well-engineered and tested fly-by-wire systems do not have serious flaws lurking - phase space is just too large to test; my own experience with a 2008 Camry with bad delay from gas pedal press to acceleration tells me that Toyota's software has flaws.

Much as I like Toyota products, I think an ETC problem could be at fault.

sniklacg said...

Both of my cars are Chrysler Drive-by-wire cars. I like them and wouldn't want to go back.

1. Traction control is great and easy for the manufacturer to implement.
2. One of my cars didn't have factory cruise control. I had the dealership add it and the cost was only about $200. I guess it's as simple as plug in the driver controls because everything else was already there.

Previous posters here have opined that Toyota is being targeted because GM and Chrysler are government backed. I don't believe it for a minute. I believe the real issue here is Toyota is being targeted because they are non-union and GM and Chrysler are union shops. Politicians don't crave money, they crave power.

rhhardin said...

A kill switch is always a nice improvement, provided it involves minimal electronics.

Anonymous said...

Every system can fail. There is a rare case where fuel can freeze in a 777 after a long, cold flight. Should we drag Boeing and the engine manufacturer before Congress for a show trial?

There's a reason Congress has an approval rating of about 10%.

Anonymous said...

Being government-backed and union are one in the same. The only reason the government owns two auto companies is that it was a payoff for union support to those currently in power. The bond holders got screwed, the unions got the company. And now, for act two, a show trial.

Anonymous said...

ETC is not failsafe as evidenced by the Airbus crashes that are believed to have been a result of conflicting airspeed readings from their pitot tubes. And the testimony from Toyota crash drivers shows cars accelerating on their own while drivers pump the brakes and swerve lane-to-lane to avoid collisions. That's not consistent with drivers who have just hit the wrong pedal. If a sensor erroneously says that the driver has pushed the accelerator to the floor, what will the car do? It will accelerate. Of course the madness could be stopped by just switching off the ignition key. But since that might also lock the steering if turned too far, I would suggest every car have a big red PANIC button that just shuts everything down immediately.

Anonymous said...

Toyota is being targeted because they are non-union and GM and Chrysler are union shops.


We will all know that is true if Toyota magically reveals a deal with union labor as part of a larger "settlement" with the government. Stay tuned.

Gaius Larmanius Maximus said...

Re: The testimony of the Lexus lady yesterday. Could it possibly be true?

I am skeptical of all computer systems--been in the biz for over 20 years.

She testified that car took off AND both feet on brake did nothing AND parking brake did nothing AND shifting to all gears including neutral and reverse did nothing AND could not turn off engine. Must be recent Lexus, as she noted use of bluetooth phone.

Could this POSSIBLY be true? It does sound like BS...and it would have to be intentional in her case, given the multiple systems and specificity of her testimony.

Audi 5000 had no similar case--it was always busting forward into people/things/garage door.

Is there any credible theory that this lady's testimony could be true?

I can believe in goofy cruise control, cold weather, crazy throttle response, and surging in general COULD be true and case incident.

Something doesn't add up.

Anonymous said...

It was found during the Audi 5000 aftermath that there was no car on the market that didn't have brakes stronger than the engine. These stories about "I had the brakes all the way down and it wouldn't stop" are driver error, period.

Don't believe me? Go try it yourself. Hold the throttle down on your car and stand on the brake. It will stop.

Locomotive Breath said...

As the owner of an Audi 5000 with a manual transmission, I followed that incident very closely. Note, of course, that the problem was only with the automatic transmissions. The "I was standing on the brake pedal and the car wouldn't stop" stories were refuted by the accelerator pedals that were broken from being stood on.

D said...

"there was no car on the market that didn't have brakes stronger than the engine."

yup, but those cars didn't have COMPUTER CONTROLLED ANTILOCK BRAKES.

The more computer control you have in the system the less you can manually control. Seems simple, yes? If the software goes wrong, what are you going to do?

What if there is no key in the ignition. Most high end stuff now, and even the Camry I believe has PUSHBUTTON start. No Key. No direct control to the tranny either.

What I can't figure out, and maybe because it hasn't gone to court, is for the wrecked cars, there should be flash memory that has a last state when the airbags deployed. Should tell the speed and what things were being done. If the accelerator was all the way open and the brakes were on, maybe that'll help with the discrepancy.

Oddly enough? My 1973 Chevy truck doesn't have such problems, since the mechanical linkage will probably last forever. We have to weigh what the advantage of all this stuff is.

If you are going to take direct control out of the hands of the driver, then you have to have a master key they can turn off to fail-safe.

_Jon said...

Well, be surprised then.

This Toyota problem appears to be two-fold.

1. The gas pedal issue is mechanical. In some situations, the gears at the pivot point bind. The fix to strengthen the backing of the pedal mount and simultaneously strengthen indicate this.

2. The 'non-stop' issue is a software issue. Toyota does not appear to have a safety that shuts off throttle when brake is applied. Many (most?) other drive by wire products have this.

I agree the hearings are a worthless dog and pony show.

I want the FedGov to investigate why the NHTSA didn't keep accurate records, why they let a former employee join an automotive company within the non-hire timeframe, and why they don't have sufficient engineers in this field. We rely on the FedGov to keep us informed here and they aren't doing it. Many Toyota employees will lose their job as an impact of lower sales from this. But I'd bet not one FedGov employee will be disciplined for the NHTSA letting this become a major issue.

Mr. Lion said...

ETC is one of those things that's great on paper, but not so much in practice. While it can be really quite useful if implemented as envisioned-- a replacement for a throttle cable and mechanical linkage-- like most electronic controls they are used to control considerably more than that.

ETC was ruined for mass production the second some gaggle of idiots said, hey, you know, we could program in a whole bunch of limits and controls to prevent a car owner from doing things we don't want them to do!

Very, very few electronic throttles operate as a true potentiometer meets throttle plate system. In fact, the only one I've ever run in to was on a Lotus Elise.

Pawl Bearing said...

"Is it possible that Toyota screwed up the FMEA"

While Toyota principles have many roots that are transplanted from Ford, they passed on the FMEA. That is a good thing.

Frankly, one is more likely to get screwed by an FMEA than vice-versa: Let's take an average program that has 50 known issues. Working a 60 hour week you can realistically address 40 of them. FMEAs simply act as a spoke in the wheel of supplier engineers' work. No wonder the most profitable and reliable car manufacturers of the world don't use them.

Zoe Brain said...

From the PhD project I was doing in 2006 - but which was halted due to lack of interest by the sponsors:

"
Although a careful search has revealed no publicised cases of software being directly to blame for a serious automotive mishap, the current “state of the art” of software development in the automotive domain leaves car manufacturers very vulnerable to litigation. According to Chrysler Group President Tom LaSorda [30], it has been estimated that the cost of litigation already exceeds $500 US per car in the USA.
Unlike avionics, where there are industry safety standards and techniques for software development (DO-178B) and formal proof of correctness required in key areas, no professional expert witness could say under oath that automotive software is being developed
in accordance with safety-critical software “best practices”.
It is not enough to be actually safe, the software must be seen to be safe, otherwise the manufacturers may be held partially liable even if entirely blameless....
Fear of litigation has already caused a “split” in features offered within the USA as opposed to Japan and Europe. As the New York Times [32] recently reported .... Fear of legal action has also stopped Toyota from offering its Intelligent Parking Assist feature, which is now available on the hybrid gas-electric Prius model sold in Japan....
"

ds.rana said...

Auto Accessories There are several places where you can buy these auto parts aftermarket.

donaldk said...

I had the Audi 5000 mishap, twice in the same year.
One time in my garage, backing, from a dead stop. And once, sad to say, in a parking lot, when I damaged a neighboring vehicle as well as my own. After 25 years I can still hear the z-z-zoom of the accelerating engine, way higher than any accelerator could have been (mistakenly) pressed. Paid the damages and traded out.

Anonymous said...

I would like to leave a comment for the auto prophet... I have been driving since 1954... I value some modern electronics, however I can drive at highway speed and get 3-4 more miles per gallon not using the cruise control... I have done this on friends' cars as well... so much for some tried and true and yes tested automobile electronics...

Anonymous said...

In response to brakes being stronger than the engine... from a dead stop yes, however most brakes will overheat long before you are able to stop a car from highway speeds (or beyond) under a WOT condition. Many cars' brakes are on the verge of overheating after just one panic stop from 70 mph under ideal conditions. Now imagine a nearly 200 to 300 horsepower engine fighting the brakes from speeds in excess of 60 mph to zero. There are many wonderful benefits to ETC (stability control, fuel economy, etc.), but I still have reservations about anything computer controlled, especially without multiple redundant systems. How often does your PC give you trouble?

Karmudgeon said...

I apologize for reading all the comments yet, but in response to the brakes vs. gas argument...

http://www.caranddriver.com/features/09q4/how_to_deal_with_unintended_acceleration-tech_dept

http://www.youtube.com/watch?v=otyax6onMWw

Yeah, brakes overheat at high speeds in high horsepower cars, but they'll still stop.

As far as electronics, electronic systems generally prove more reliable than mechanical systems. Cable and mechanical throttles lock up or fail. Throttle return springs rust and snap. No system is foolproof, but in any case, an under-engineered or manufactured product will fail.

I still don't like a system that 1. thinks it's better than a driver, or at minimum, 2. isn't easily disableable. A throttle that drives how it thinks you should doesn't allow a good driver to do what they want to do. But the pragmatist in me realizes that most drivers aren't good drivers and could be helped in most situations by ETC.