
Thursday, February 25, 2010

In Defense of ETC Part 2; Professor Gilbert's Test

In his testimony to the House Oversight Committee, Professor David W. Gilbert described how he was able to induce unintended acceleration in a Toyota ETC system.  You can read his remarks here. Gilbert was hired by Safety Research Strategies, a "safety advocacy" group which is primarily a research and consulting firm for trial lawyers and plaintiffs.

Gilbert's testing discovered a hole in Toyota's diagnostics for their ETC system.  To fool the system, he had to induce a highly unlikely failure.  Toyota's system uses two pedal position sensors, separated by several centimeters, whose signal wires run out on a common harness.  Gilbert shorted the signal wires of the two sensors together through a resistor.  By carefully choosing the resistor, he found a short combination that the Toyota diagnostics did not detect.  However, a short alone was not enough to cause unintended acceleration.  To do that, Gilbert had to take the shorted signal wires and add a second connection, to the power wire on the harness.  When both sensor signal lines were shorted to the power line, the throttle opened because the high voltage was interpreted as a command from the pedal.  Because the two signals remained within range of one another, the diagnostics didn't flag it.

To induce this purely electronic unintended acceleration event, Gilbert had to induce two faults into the system.  In the business, this is called a multi-point failure.  It is similar to saying, "what if your gas tank was leaking and your wheel fell off, creating sparks".  Because the sensors are separated in the throttle pedal housing, the only feasible way for this failure to occur, in my opinion, is for the wiring harness to be cut or frayed such that the signal wires are exposed, and electrically shorted, but not cut through.

Toyota hired respected engineering consulting house Exponent to do an outside check of their ETC fault robustness.  The full report is here. Exponent bought several different Toyota vehicles, spliced into the ETC wiring harness, and inserted various types of faults, using engineering data provided by Toyota.  All of the faults that Exponent inserted were quickly detected by Toyota's system.  The difference in methodology from Gilbert's testing was that Exponent limited their faults to the more likely type, single-point failures, where a single wire or signal was compromised. 
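To make the distinction between the two test methodologies concrete, here is an added toy model (not Toyota's, Gilbert's or Exponent's code; every voltage and threshold in it is an assumption) of a dual-sensor pedal plausibility check: a diagnostic that only asks whether the two sensors agree rejects the single-point faults Exponent inserted but passes the two-fault combination Gilbert built, while adding an absolute-range test on each signal rejects both.

```python
# Constructed model of a redundant accelerator-pedal plausibility check.
# All voltages and thresholds are assumed values for illustration only,
# not any manufacturer's calibration.

VREF = 5.0          # sensor supply rail (assumed)
IDLE_V = 0.75       # assumed sensor output with the pedal released
FULL_V = 3.75       # assumed sensor output with the pedal fully pressed
MIN_VALID_V = 0.25  # assumed floor of the sensor's specified output range
MAX_VALID_V = 4.5   # assumed ceiling of the sensor's specified output range
AGREE_TOL_V = 0.3   # assumed: the two redundant signals must agree this closely

def healthy(pedal):
    """Two redundant sensors reading the same pedal position (0.0 .. 1.0)."""
    v = IDLE_V + pedal * (FULL_V - IDLE_V)
    return (v, v)

def single_fault(pedal):
    """Single-point failure of the kind Exponent inserted: one signal wire
    shorted to the supply rail while the other sensor reads normally."""
    v1, _ = healthy(pedal)
    return (v1, VREF)

def double_fault():
    """Two-fault combination from the post: both signal wires tied together and
    pulled to the supply rail. Modelled as two nearly equal readings near VREF;
    the small voltage drop between them is a constructed value."""
    return (VREF - 0.25, VREF - 0.375)

def agreement_only(v1, v2):
    """Plausibility check that flags a fault only when the two sensors disagree."""
    return abs(v1 - v2) <= AGREE_TOL_V

def hardened(v1, v2):
    """Agreement check plus an absolute-range test on each signal: a reading
    the sensor could never produce is a fault even when its twin matches it."""
    in_spec = all(MIN_VALID_V <= v <= MAX_VALID_V for v in (v1, v2))
    return in_spec and agreement_only(v1, v2)

def throttle(v1, v2, check):
    """Throttle opening 0.0 .. 1.0, or None when the diagnostic rejects the
    inputs (an ECU would then fall back to an idle/limp strategy)."""
    if not check(v1, v2):
        return None
    frac = (v1 - IDLE_V) / (FULL_V - IDLE_V)
    return max(0.0, min(1.0, frac))

if __name__ == "__main__":
    cases = (("healthy", healthy(0.25)), ("single fault", single_fault(0.25)),
             ("double fault", double_fault()))
    for name, sig in cases:
        print(f"{name:13s} agreement-only={throttle(*sig, agreement_only)} "
              f"hardened={throttle(*sig, hardened)}")
```

With the agreement-only check the double fault is accepted and clamps to a wide-open throttle; the hardened check returns None for it because both readings sit above the sensor's specified ceiling.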

In short, Gilbert proved that by manipulating the system just so, he could break it.  But his failure mode is not something that is remotely likely to occur in the real world.  Gilbert produced what Safety Research Strategies, ABC News, and some congress members wanted: a dramatic demonstration.  But he didn't find a smoking gun.


2 comments:

Colin Sanson said...

While a double fault condition is highly unlikely to occur in the real world, Professor Gilbert has demonstrated it is possible in principle.

And if there really is a fault in the electronics or software logic of the ETC it is triggered in a tiny percentage of journeys undertaken in a Toyota based on the number of complaints.

The Toyota ETC may be too tolerant of voltages being slightly out of spec, and perhaps is unable to distinguish between an initial minor fault that still allows the vehicle to be driven and a second major fault that results in unintended acceleration.

Allen Davenport said...

Given the proper input, whether it be voltage or resistance, I can parallel and send in a signal that will cause a WOT condition on any vehicle that is drive by wire. Let's get real, driver error is a real concern, I have accidentally put my foot on the brake pedal to sometimes touch the accelerator at the same time. It is hell to be born with size 13D feet, can I have the government get God to recall and give me size 10 feet?

Food for thought, if the GM ONSTAR system can shut down a stolen car, could someone hack into the system and cause a runaway or shut down someone's car while they are in the passing lane with a semi-truck coming in the opposite direction? Be careful who we point fingers at and booby trap systems to show the results that we desire.