February 8, 2011
While NHTSA and NASA have been busy in their test labs, we’ve been busy doing some testing of our own. And, although our findings are preliminary, we’re uncovering important clues to the gaps in Toyota’s electronic safety net. We haven’t seen NHTSA’s report, but we’re hearing the sound of hands dusting themselves off and feet walking away. What’s troubling is that examinations of the complaint data consistently show statistically significant increases in SUA complaints in Toyota models when equipped with its Electronic Throttle Control system. (See Quality Control Systems Corporation’s What NHTSA’s Data Can Tell Us about Unintended Acceleration and Electronic Throttle Control Systems for more information.) Toyota has replicated these incidents, as reported in field technical reports. (See Toyota Replicated Incidents for more information.)
Detailed evaluations of various Toyota models with ETC have revealed some fascinating design issues that demonstrate weaknesses in Toyota’s electronic architecture. In short, their designs don’t have enough computing power to integrate ETC into the engine control and incorporate safety features needed to prevent unwanted events.
Because the algorithms that make up the software in Toyota’s engine controllers are overly simplistic, they are incapable of providing the robust electronic safety net that is needed in these types of systems.
The simplified software strategies used in Toyotas demonstrate this lack of computing power and software. It is important to note that none of the physical components need to change to accommodate safety features; they are software driven, yet these key software features are not there. Following is an overview of some of the areas that we’ve examined related to design features that exemplify this problem.
Throttle learn / Spring test
There is a parameter in the Toyota engine controller referred to as the “Throttle Learned Value.” Throttle learning is done to account for part-to-part variations and adjusts the sensor reading up or down by an offset based on the physical components. The effect is that the entire pedal-to-throttle curve will shift up or down in response to this value. This is very evident on pedal-follower type systems such as on the 2005 Camry. What happens if the reference position is not what it was assumed to be? In short, the entire relationship of sensor voltage to throttle angle can be skewed, causing more engine output than the driver requested. This condition has been documented to cause short-duration UA events.
The spring self test is an important safety check performed by the engine controller when the key is on and before the car starts. The controller opens the throttle very briefly and monitors the return spring closing. This basic safety test is designed to check the response of the throttle body return spring to ensure throttle open / close response is functioning appropriately from a mechanical standpoint, and it gauges the dynamic response of the actuator before the engine is started. There is no such test in the Toyota models. This is important because it illuminates the lack of system integration between the electronic controller and the mechanical components it controls.
Many Toyota vehicles with ETC use a pedal-follower system. This system has significant limitations and doesn’t address the core concern, which is engine torque output. Nor do the subsystems in a pedal-follower system communicate in a manner that facilitates more complete control of the engine.
Level Two Engine Diagnostics
Primary diagnostics are designed to catch fault conditions, usually of an electrical nature. Secondary, or Level-2, diagnostics are rationality tests designed to catch unanticipated anomalies and to monitor the basic functions of the engine control system. They are used to check the actual engine torque versus driver input, and to mitigate if necessary.
Some Toyota ETC systems examined appear to have a complete absence of secondary or Level-2 engine torque diagnostics. The lack of this safety net presents opportunities for undetected faults to create unwanted events.
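A minimal sketch of the kind of Level-2 rationality test described above, added here as an illustration; it is not code from Toyota or any other manufacturer's controller. The torque map, margin, debounce count and sample trace are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* All calibration values are constructed for illustration. */
#define MAX_TORQUE_NM    300.0 /* torque requested at full pedal */
#define IDLE_TORQUE_NM    20.0 /* torque allowed with pedal released */
#define MARGIN_NM         40.0 /* tolerated excess over driver demand */
#define DEBOUNCE_SAMPLES  3    /* consecutive violations before latching */

typedef struct { int over_count; bool latched; } l2_monitor;

/* Torque the driver is asking for, derived only from pedal position (0..1). */
double driver_demand_nm(double pedal) {
    return IDLE_TORQUE_NM + (MAX_TORQUE_NM - IDLE_TORQUE_NM) * pedal;
}

/* One monitor step; returns true once the fault is latched, after which the
   caller should force the throttle to an idle / limp-home state. */
bool l2_step(l2_monitor *m, double pedal, double actual_nm) {
    if (actual_nm > driver_demand_nm(pedal) + MARGIN_NM)
        m->over_count++;
    else
        m->over_count = 0;          /* a single glitch does not latch */
    if (m->over_count >= DEBOUNCE_SAMPLES)
        m->latched = true;
    return m->latched;
}

/* Run the monitor over a trace; index of the latching sample, or -1. */
int first_fault_index(const double *pedal, const double *actual, int n) {
    l2_monitor m = {0, false};
    for (int i = 0; i < n; i++)
        if (l2_step(&m, pedal[i], actual[i]))
            return i;
    return -1;
}

/* Constructed trace: one-sample glitch at index 1, then the pedal is
   released at index 3 while estimated torque keeps climbing. */
static const double PEDAL[]  = {0.30, 0.30, 0.30, 0.00, 0.00, 0.00, 0.00, 0.00};
static const double ACTUAL[] = {100., 150., 105., 50.,  90.,  130., 170., 170.};

int main(void) {
    printf("fault latched at sample %d\n", first_fault_index(PEDAL, ACTUAL, 8));
    return 0;
}
```

The monitor ignores the isolated glitch and latches on the third consecutive sample where estimated torque exceeds what the pedal position justifies.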
Electronic brake override in an ETC system was originally a feature designed to address a physical stuck pedal condition. If the pedal is stuck but sending a valid signal to the engine controller and the driver is braking, the accelerator pedal voltage signal is overridden (via an algorithm in the software) and the engine is returned to idle. Toyota has “re-flashed” some late model vehicles with a brake override in recall 90L. However, the company claims that a similar software re-flash cannot be accomplished on most of their vehicles because of the lack of computing power.
Inputs on Toyota models appear to have no redundancy. This is an atypical design compared to other OEMs. This lack of redundancy creates the potential for failures and misinterpretations of the cruise control status due to potential electrical faults.
Accelerator Pedal Position Sensors (APPS)
Most manufacturers use a triple redundancy on the APPS. The Toyota APPS design differs in the effectiveness of the second sensor. While it is a separate sensor, it doesn’t have a different characteristic in the voltage slope which can result in “blindness” to certain external voltage influences. There are also concerns associated with the calibration of the sensor agreement diagnostic logic.
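Why matching voltage slopes can leave the agreement check “blind” is easiest to see numerically. The following is an added example, not any manufacturer's code; the transfer functions, tolerance and 0.5 V offset are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Two-track pedal sensor: volts = base + slope * pedal, pedal in 0..1.
   All values are constructed; they are not any manufacturer's calibration. */
typedef struct { double base1, slope1, base2, slope2; } apps_design;

static const apps_design SAME_SLOPE = {0.8, 3.0, 1.6, 3.0}; /* fixed offset */
static const apps_design DIFF_SLOPE = {0.8, 3.0, 0.4, 1.5}; /* half slope   */

#define TOL_PEDAL 0.05  /* allowed disagreement, as a fraction of pedal travel */

static double absd(double x) { return x < 0 ? -x : x; }

/* Pedal fraction the controller decodes from one track's voltage. */
double decode(double volts, double base, double slope) {
    return (volts - base) / slope;
}

/* Sensor agreement diagnostic: both tracks must decode to the same position. */
bool apps_agree(const apps_design *d, double v1, double v2) {
    return absd(decode(v1, d->base1, d->slope1) -
                decode(v2, d->base2, d->slope2)) <= TOL_PEDAL;
}

/* Apply the same voltage offset to both tracks (a common-mode fault) and
   report whether the agreement diagnostic flags it. */
bool offset_detected(const apps_design *d, double pedal, double offset_v) {
    double v1 = d->base1 + d->slope1 * pedal + offset_v;
    double v2 = d->base2 + d->slope2 * pedal + offset_v;
    return !apps_agree(d, v1, v2);
}

int main(void) {
    double pedal = 0.10, off = 0.5;   /* driver at 10 %, +0.5 V on both lines */
    printf("decoded pedal with offset: %.3f\n",
           decode(SAME_SLOPE.base1 + SAME_SLOPE.slope1 * pedal + off,
                  SAME_SLOPE.base1, SAME_SLOPE.slope1));
    printf("same-slope design flags fault: %d\n",
           offset_detected(&SAME_SLOPE, pedal, off));
    printf("diff-slope design flags fault: %d\n",
           offset_detected(&DIFF_SLOPE, pedal, off));
    return 0;
}
```

With equal slopes, a shared offset moves both decoded positions by the same amount, so the tracks still agree while the controller reads a larger pedal request; with different slopes the two decoded positions diverge and the diagnostic trips.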
Toyota allows a wide range of idle deviation without setting Diagnostic Trouble Codes (DTCs). Idle speed variations in excess of 2,000 RPM have been documented in real-world conditions without driver input. This level of idle generates a substantial amount of engine torque and can result in UA events.
If we take a moment to consider the big picture, we see regulators who have failed to regulate and investigators who have failed to investigate. They’ve set themselves back and, in the process, all of the motoring public.