Does anyone know for certain what exactly is wrong with all of Toyota's accelerator systems? No. But at least one fact is now clear: Electronic throttle-by-wire systems are not infallible, and the very nature of the technology may explain why accident investigators and Toyota engineers missed the problem for so long.
A couple of important points must be acknowledged:
First, throttle-by-wire systems, for all the complaints, are probably much safer, statistically speaking, than the old mechanical pedal-to-cable systems I grew up with. They have several redundant systems and are often used in conjunction with electronic stability control systems (ESC). ESC is so effective at saving lives that no one should buy a car without it.
Second, nobody wants to say it in public given some of the tragedies, but doubtless driver error contributed to or caused some (not all) of the accidents involving Toyota vehicles. In fact, pedal misidentification (standing on the gas instead of the brake) is a very common cause of accidents, and some of the so-called acceleration problems attributed to Toyota were no doubt caused in this way; we may never know how many. Just as certain, some of the sudden acceleration accidents have been caused by accelerator pedals jammed under floor mats and some by pedals that physically stuck.
But that's not the whole story.
Up until about 15 years ago, the computer controls and systems on most vehicles were relatively simple. Not to diminish the complex work done on emissions and fuel and braking systems at that time, but most essential systems in cars were still at root mechanical. If power steering or active assist failed, you could still steer the car. If electronic stability controls failed, you could still brake and turn the car.
Also at that time, throttles hadn't changed much since the first combustion engine. You step on a pedal, the pedal pulls a cable, the cable is attached to the throttle and opens it. Take your foot off the accelerator, and the cable goes slack and throttle closes (well, technically, almost closes). (This is easy to see working on a gas-powered lawn mower.)
However, cables rust and get stuck. Springs under accelerators give out. And other mechanical parts fail. So using fewer moving parts seems like a good idea, particularly if you can add more sophisticated control for fuel efficiency, more power, or coordinating the throttle with cruise controls and electronic stability controls. Hence, the idea of replacing the old throttle by cable with electronic throttle controls or throttle-by-wire controls.
The first widespread drive-by-wire system to completely replace the mechanical components with a computer-controlled, wire-based system is the so-called throttle-by-wire system that is the focus of the Toyota acceleration problems. It is also a system used by BMW, Chrysler, Land Rover, and many others.
In its most rudimentary form, a throttle-by-wire system uses two independent position sensors in the accelerator pedal that are connected by separate electrical wires to a motor at the throttle. At the throttle, there are also two more independent position sensors, plus a computer module and the main computer control module. The reason there are at least two sensors at each of these points is to create a failsafe system. The information transmitted from the sensors is compared to each other and to the other sensors to make sure they are all in agreement. If anything is amiss or the readings don't match each other (at the pedal or at the throttle position), the system shuts down, either putting the car into idle or a "limp home" mode. That's how it's supposed to work.
But the number of ways in which such a system could fail is quite daunting. Engineers and computer programmers have tried to account for every eventuality–voltage changes, sensor failures, temperature changes, electrical power failure, dirty throttle bodies, IAC failures, dirty IACs, etc.–but compared to old mechanical throttle systems, these are still very new systems. So engineers are still learning, which is why the Toyota executives would not say unequivocally that there is absolutely no possibility of a computer-related problem in its cars. Who could possibly give such a guarantee, ever? (As an example, there were throttle position sensors that prematurely wore out in early throttle-by-wire systems and subsequently manufacturers switched to a different type of sensor. Lesson learned.)
Nevertheless, from a software point of view, one should be able to account for nearly all potential problems simply by instructing the computer that if anything seems wrong–any position seems out of tolerance, there's conflicting information from the sensors, or there's no information from the sensors–to simply shut down the throttle to idle (say, until the driver turns the car off and then on again, or it is taken to a dealer and analyzed through the OBD-II port).
However, Professor David Gilbert has shown that there is nevertheless at least one loophole in the fail-safe system in some Toyota vehicles, and worse, it is actually a two-fold problem. First, Gilbert showed that if there is a short circuit between the two electronic pedal position circuits, the computer system can misread that as full throttle, causing sudden unintentional acceleration. The second problem is that, unlike other malfunctions, this one does not generate an error code on the electronic control module.
This is in one way not so surprising. Crossing the two wires and shorting them out together is a purposeful way to defeat such a system. (Of course, the computer control module should detect the voltage change and shut down.) Furthermore, since the program doesn't see a problem, it's also not surprising that the system doesn't generate an error code.
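Here is an added illustration in C, written for this post rather than taken from Toyota's or any manufacturer's firmware, of the comparison logic described earlier and of why a short between the two pedal signal wires can slip past it. The sensor voltages, the 5% agreement tolerance, and the choice of running the second track at half the voltage of the first are constructed assumptions for the example. The point it makes is that two identical sensors checked only against each other are not independent under a common-mode fault: they agree by construction, the throttle follows the stray voltage, and nothing is logged. Differently scaled tracks plus per-track range checks turn the same fault into an idle throttle and a stored code.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed pedal-sensor calibration, an assumption for this example and not
 * Toyota's real values: track 1 reads 0.5 V with the pedal released and 4.5 V
 * with it floored. In the naive design track 2 is an identical copy; in the
 * hardened design track 2 is scaled to half of track 1 (0.25 V to 2.25 V). */
#define APP_MIN_V       0.5
#define APP_MAX_V       4.5
#define TRACK2_RATIO    0.5
#define RANGE_MARGIN_V  0.1   /* tolerance around each track's valid window */
#define AGREE_TOL_PCT   5.0   /* largest disagreement tolerated between tracks */

typedef enum {
    DTC_NONE = 0,
    DTC_APP_RANGE,          /* a track reads outside its valid voltage window */
    DTC_APP_PLAUSIBILITY    /* the two tracks disagree after scaling */
} dtc_t;

typedef struct {
    double throttle_pct;    /* throttle sent to the motor, 0.0 = idle */
    bool   limp;            /* true when the fail-safe has engaged */
    dtc_t  dtc;             /* code stored for the OBD-II port, DTC_NONE if nothing logged */
} throttle_cmd_t;

static double v_to_pct(double v, double vmin, double vmax) {
    return 100.0 * (v - vmin) / (vmax - vmin);
}

static double clamp_pct(double p) {
    return p < 0.0 ? 0.0 : (p > 100.0 ? 100.0 : p);
}

static double absd(double x) { return x < 0.0 ? -x : x; }

static throttle_cmd_t fail_safe(dtc_t code) {
    throttle_cmd_t c = { 0.0, true, code };
    return c;
}

/* Naive design: two identical tracks, and the only check is that they agree.
 * A short between the two signal wires puts the same voltage on both inputs,
 * so they agree by construction, the throttle follows that voltage, and no
 * code is stored. This is the loophole the text describes. */
throttle_cmd_t naive_controller(double app1_v, double app2_v) {
    double p1 = clamp_pct(v_to_pct(app1_v, APP_MIN_V, APP_MAX_V));
    double p2 = clamp_pct(v_to_pct(app2_v, APP_MIN_V, APP_MAX_V));
    if (absd(p1 - p2) > AGREE_TOL_PCT)
        return fail_safe(DTC_APP_PLAUSIBILITY);
    throttle_cmd_t c = { p1, false, DTC_NONE };
    return c;
}

/* Hardened design: track 2 runs on a different scale, and each track is
 * range-checked against its own window before the two are compared. Two
 * wires forced to the same voltage can no longer satisfy the expected ratio,
 * so the common-mode short is caught, the throttle goes to idle, and a code
 * is stored for later diagnosis. */
throttle_cmd_t hardened_controller(double app1_v, double app2_v) {
    double t2_min = APP_MIN_V * TRACK2_RATIO, t2_max = APP_MAX_V * TRACK2_RATIO;
    if (app1_v < APP_MIN_V - RANGE_MARGIN_V || app1_v > APP_MAX_V + RANGE_MARGIN_V ||
        app2_v < t2_min - RANGE_MARGIN_V || app2_v > t2_max + RANGE_MARGIN_V)
        return fail_safe(DTC_APP_RANGE);
    double p1 = v_to_pct(app1_v, APP_MIN_V, APP_MAX_V);
    double p2 = v_to_pct(app2_v, t2_min, t2_max);
    if (absd(p1 - p2) > AGREE_TOL_PCT)
        return fail_safe(DTC_APP_PLAUSIBILITY);
    throttle_cmd_t c = { clamp_pct(p1), false, DTC_NONE };
    return c;
}

static void show(const char *label, throttle_cmd_t c) {
    printf("%-32s throttle=%5.1f%% limp=%d dtc=%d\n", label, c.throttle_pct, c.limp, c.dtc);
}

int main(void) {
    /* Constructed readings: a normal half-pressed pedal, then both wires shorted together. */
    show("naive, pedal at 50%",          naive_controller(2.5, 2.5));
    show("naive, wires shorted at 4.5 V", naive_controller(4.5, 4.5));
    show("hardened, pedal at 50%",       hardened_controller(2.5, 1.25));
    show("hardened, shorted at 4.5 V",   hardened_controller(4.5, 4.5));
    show("hardened, shorted at 1.5 V",   hardened_controller(1.5, 1.5));
    return 0;
}
```

With the two wires tied together, the naive controller reports 100% throttle with no limp mode and no code, which is exactly the "no code, no problem" situation the forensic engineers would later face. The hardened controller rejects the same readings either as out of range (at 4.5 V the half-scale track cannot legitimately be that high) or as implausible (at 1.5 V the tracks decode to 25% and 62.5%), and each rejection leaves a distinct code behind.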
So now it's clear why forensic engineers wouldn't uncover a problem with a vehicle that crashed and burned. Assuming the ECM could be recovered and read, there would be no recorded error code. No code, no problem. And the black boxes or event recorders that government officials referred to in hearings aren't standard yet, so there's no appeal to another source of information for engineers–yet.
So, the answer: Yes, electronic throttle controls can be foiled. Whether or not one feels the Gilbert test cases are "realistic" is beside the point: You shouldn't be able to fool such systems at all. Moreover, such failures do not necessarily generate an evidence trail (i.e., an error code) so we now understand how they could go undetected. No error code, no problem.
Of course, the question still remains whether anything like this occurred in cases of sudden acceleration on Toyota's throttle-by-wire systems. We may never know for certain. But now we do know that more safeguards are needed. Specifically:
– NHTSA must deploy industry standards for drive-by-wire systems. Making brake override mandatory on throttle-by-wire designs would, for example, solve some of these sudden acceleration problems. (They now say they are considering it.) If a car suddenly accelerated–and even if the driver was standing on the accelerator–the car would stop if the driver also simultaneously stamped on the brake. Such brake overrides are common in the industry but not mandated by law. (NB: Brake overrides do not solve the problem of pedal misidentification in which the driver believes he's stomping the brake when he's actually pressing down the accelerator.)
– More independent testing: With many other even more sophisticated computer controlled systems on the market, and likely to become standard on more mainstream cars in the future, we're going to need more independent testing and regulation. At the moment, NHTSA doesn't test such systems in advance unless they run against some current regulation. (For example, you cannot replace side rear view mirrors with video cameras because such mirrors are part of the regulations. However, you can introduce a computer controlled crash prevention system, since that is not specifically regulated.)
– Added Standards: If you introduce a new system on a car, every single aspect of it should be monitored and produce industry standard error codes. We're sort of getting to this point, but the process has been slow. It's also quite a challenge for regulators. However, if this isn't done we'll face more problems down the road.
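As an added example, and not any manufacturer's implementation, here is a brake-override step in C of the kind the first point calls for. It cuts the throttle when the driver is braking while the throttle is still being requested, latches the cut until the accelerator request returns to idle (so a stuck or shorted pedal cannot reopen the throttle the instant the brake is lifted), and counts each event so that an evidence trail exists, in the spirit of the third point. The speed threshold, the brake hold time, and the throttle threshold are constructed assumptions. The last function shows the limit noted in the NB: with no brake signal, as in pedal misidentification, there is nothing for the override to act on.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed thresholds, assumptions for this example only. */
#define OVERRIDE_MIN_SPEED_KPH  10.0  /* below this, throttle plus brake is allowed (hill starts) */
#define OVERRIDE_THROTTLE_PCT   15.0  /* a request above this while braking triggers the override */
#define OVERRIDE_MIN_BRAKE_MS   100   /* the brake must be held this long, to ignore a tap */

typedef struct {
    bool     override_active;  /* once set, stays set until the accelerator request drops to idle */
    unsigned brake_held_ms;    /* how long the brake switch has been continuously closed */
    unsigned override_events;  /* number of engagements, the record a diagnostic tool would read */
} override_state_t;

/* One control-loop step, dt_ms milliseconds after the previous one.
 * Returns the throttle actually sent to the motor, in percent. */
double brake_override_step(override_state_t *s, double throttle_request_pct,
                           bool brake_switch, double speed_kph, unsigned dt_ms) {
    if (brake_switch) s->brake_held_ms += dt_ms; else s->brake_held_ms = 0;

    /* Engage when the driver has been braking long enough and the throttle
       is still being requested at road speed. */
    if (!s->override_active && brake_switch && s->brake_held_ms >= OVERRIDE_MIN_BRAKE_MS &&
        throttle_request_pct > OVERRIDE_THROTTLE_PCT && speed_kph >= OVERRIDE_MIN_SPEED_KPH) {
        s->override_active = true;
        s->override_events++;
    }
    /* Release only when the accelerator request itself returns to idle. */
    if (s->override_active && throttle_request_pct <= OVERRIDE_THROTTLE_PCT)
        s->override_active = false;

    return s->override_active ? 0.0 : throttle_request_pct;
}

/* Constructed scenario, replayed from a fresh state: the pedal request is
 * stuck at 100% at 60 km/h, the driver brakes for two 50 ms steps and then
 * lets go, the request finally drops to idle, and the driver drives on.
 * Returns the throttle applied at step n (1-based, n from 1 to 5). */
double stuck_pedal_scenario(int n) {
    override_state_t s = { false, 0, 0 };
    const bool   brake[] = { true,  true,  false, false, false };
    const double req[]   = { 100.0, 100.0, 100.0, 0.0,   30.0 };
    double out = 0.0;
    for (int i = 0; i < n && i < 5; i++)
        out = brake_override_step(&s, req[i], brake[i], 60.0, 50);
    return out;
}

/* Pedal misidentification: the driver stands on the accelerator believing it
 * is the brake. No brake signal ever arrives, so the override cannot help. */
double misidentification_scenario(void) {
    override_state_t s = { false, 0, 0 };
    return brake_override_step(&s, 100.0, false, 60.0, 200);
}

int main(void) {
    for (int n = 1; n <= 5; n++)
        printf("stuck pedal, step %d: throttle applied = %5.1f%%\n", n, stuck_pedal_scenario(n));
    printf("pedal misidentification: throttle applied = %5.1f%%\n", misidentification_scenario());
    return 0;
}
```

In the stuck-pedal replay the first braking step is too short to engage, the second cuts the throttle to zero, and the cut holds through step three even though the brake has been released, because the pedal request is still at 100%. Only when the request drops to idle does the override clear, after which a normal 30% request passes through. The misidentification case returns the full 100% request, which is the limitation the NB above describes.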
One GM executive pointed out to me that conventional cars have about 25 systems that need to be coordinated. Hybrid vehicles have about 250 such systems. (Witness the slight hiccup in the 2010 Prius that resulted in braking problems.)
It's not as simple as blaming Toyota or blaming NHTSA. One has to be careful how standards are adopted (and that they don't generate new safety issues). And as someone who makes his living learning about and testing new technologies, I don't want to see manufacturers slow down their research or the introduction of systems that can make our lives better, cars safer, and improve energy efficiency. The technological trend looks to be toward more drive-by-wire systems–steering, transmission, brakes, etc. That means a new type of testing, new standards, and, yes, more regulation.
FOR MORE OF JQ'S NEWS AND REVIEWS, VISIT J-Q.COM