
NASA enlisted to study Toyota throttles

re: NASA enlisted to study Toyota throttles
parkgate   4/1/2010 8:19:22 AM
Isn't the problem that the firmware doesn't give priority to the brake, so if the accelerator is jammed and the driver presses the brake pedal the firmware doesn't resolve the conflict in a safe way? And isn't this a system or requirements issue rather than a low-level coding or language issue? Also, does anyone know if turning the ignition key off will stop the car? If it does provide a temporary solution, then it should be advertised in order to save lives. And before the arguments about Ada vs. C start, didn't NASA land a man on the moon using some primitive firmware that pre-dated C?
Terry

re: NASA enlisted to study Toyota throttles
primeMover   4/1/2010 9:00:56 AM
It's a mechanical issue that also affected other cars that were built in the same fab (Peugeot 107 and Citroën C1).

re: NASA enlisted to study Toyota throttles
Dr_T   4/1/2010 2:02:50 PM
Firmware may not be the exclusive problem here! Here is the thing. NASA, or anyone else who attempts to solve this problem, will have to do the following. Construct a test station that will probe the firmware, throttle sensor, and any and all other sensors that are interfaced to the engine control unit, including any coprocessor involved. A storage oscilloscope channel needs to be established and dedicated for each and every sensor and digital input to the ECU and its coprocessors, if any. Then, and only then, will the test engineers put the driver controls through their paces, consisting of every throttle and brake position combination possible. MOST LIKELY the problem may be this: during hard acceleration, then deceleration, with and without braking, one or more hysteresis loops of the mechanical and electronic/electrical systems will be crossed, providing an infinite control loop that is almost impossible to detect or reproduce. Every hot rod high performance engine guy knows the following. If you manually take the throttle of a carbureted engine and open it briefly, then close it, then open it, and continue this cycle in just the right way, the engine will backfire because the hysteresis loops of the pneumatic circuits in the carburetor have been crossed!! This is an example of multiple mechanical hysteresis loops that can be easily placed into a failure mode. This failure mode is much more difficult to reproduce, however, when mechanical, digital, and analog electrical components are integrated into a complex control system such as in the Toyota Prius. I estimate that a single such test setup will require approximately half a million dollars in instrumentation for just one station. We are looking for the proverbial needle in the haystack or worse! LOTS OF LUCK, GUYS!!!!

re: NASA enlisted to study Toyota throttles
parkgate   4/1/2010 3:16:37 PM
I don't believe Peugeot/Citroën share factories with Toyota, so it's unlikely to be the same problem. I've driven a Citroën where the accelerator stuck and all I had to do was pull the pedal up with my foot. A drop of oil fixed the problem long term. As I'm in Europe I drive a manual car, so I'm not worried about sticking accelerators, as all I need do is put my foot on the clutch to stop the car. This is much more of a problem in the US, where automatic gearboxes are used. So what is the short-term fix to stop people dying in the US? Will turning the ignition off do it? And I believe it's a failure mode and effects problem, and the long-term fix is to change the firmware to give the brake pedal the highest priority and shut down the engine.
Terry

re: NASA enlisted to study Toyota throttles
willflanery   4/1/2010 4:55:12 PM
If it turns out to be an EMI glitch or an ordinary software bug, then regulations need to be tightened to prevent such things. Car control systems need to be treated like airplanes' systems. I'm not in that niche, so I don't know what the current requirements are, but I'm sure that hardware/software redundancy and coding standards are a good idea. Turning off the ignition will NOT work because the Prius does not have an ignition switch. It uses a "Power" button (computer controlled, obviously) which is disabled while driving. However, you can switch the car into neutral. This is still entirely electronic, but it works, even with the gas pedal fully depressed. Also, the Prius DOES allow the brake to override the gas pedal input. That is one reason that the recent San Diego runaway Prius incident looks like a hoax. Also, while his front brakes were very overheated, his rear brakes were fine, indicating that he wasn't pressing the pedal all the way. RE: Toyota/Citroën/Peugeot, I believe the issue was sharing a parts supplier, not sharing a factory.

re: NASA enlisted to study Toyota throttles
Eric Verhulst   4/1/2010 9:19:00 PM
It is clear that the automotive industry as a whole, not just one particular brand, is learning the hard way what it really means to replace mechanical parts with electronics and software. It saves fuel and weight, but the complexity is not free, as we are now in the discrete domain. What is needed is rigorous requirements/specifications analysis, formal modeling and verification, and last but not least a clean architecture. For the safety-critical parts like throttle and brakes, only fault tolerance will do. Triplicate at the mechanical, electronic and software level and vote. When there is a failure, it should still work, but the next error will put the car in a fail-safe mode (this is now supposedly the standard). Formal development as well as formal verification is a must. Also, generate logs at runtime so that post-accident analysis becomes real, and start a mandatory database where all incidents are recorded and analysed. Traffic can be made a lot faster and safer using automation, but if these fundamental safety engineering principles are not understood, it makes more sense to give control back to the driver. Beware, safety also means that we make the systems error resilient (introduce graceful degradation), contrary to the current static approach taken in some safety-related domains.
Eric Verhulst, CEO/CTO Altreonic

re: NASA enlisted to study Toyota throttles
green_is_now   4/2/2010 12:58:38 AM
It is hard or impossible to solve intermittent unknown states that cannot be duplicated. Is the design fail-safe per mil-std requirements? Is there a return-to-zero throttle default in the code for each cycle execution? If all conditions are not met, then RTZ is defaulted to. Is there a safety override condition that must be met to allow a non-zero throttle setting each cycle? Like a braking action, a large rapid braking action, multiple braking actions; any of the above should force RTZ, or it is not fail-safe. Was the response time too excessive for the cheap 8-bit(?) micro that was forced on engineering by the MBAs when these types of features were included in prototypes? Same story, different company...
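As an added example that is not part of this thread and not anyone's production firmware, the following hypothetical C sketches the two design points raised by Eric Verhulst (triplicated inputs with voting, a first fault tolerated and the next one putting the car in a fail-safe mode) and by green_is_now (a return-to-zero throttle default on every cycle, with a braking action forcing zero). The pedal scale, the tolerances and every name in it (`THROTTLE_MAX`, `SENSOR_TOL`, `BRAKE_ACTIVE`, `arbitrate_throttle`, the input and state structs) are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scale and thresholds for this example; not any vendor's values. */
#define THROTTLE_MAX 1000   /* pedal position: 0 = released, 1000 = floored */
#define SENSOR_TOL     20   /* readings further apart than this disagree */
#define BRAKE_ACTIVE   50   /* brake position at or above this counts as braking */
#define N_SENSORS       3

typedef struct {
    int32_t pedal[N_SENSORS];   /* three redundant accelerator position readings */
    int32_t brake;              /* brake pedal position on the same scale */
} cycle_inputs_t;

typedef struct {
    bool sensor_failed[N_SENSORS]; /* latched once a sensor disagrees with the vote */
    bool fail_safe;                /* latched on the second fault: throttle stays zero */
} arbiter_state_t;

void arbiter_init(arbiter_state_t *st) {
    for (int i = 0; i < N_SENSORS; i++) st->sensor_failed[i] = false;
    st->fail_safe = false;
}

static int32_t absdiff(int32_t a, int32_t b) { return a > b ? a - b : b - a; }

static int32_t median3(int32_t a, int32_t b, int32_t c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Called once per control cycle. The command defaults to zero (return-to-zero) and
 * becomes non-zero only if the redundant sensors agree, at most one sensor has ever
 * failed, and the driver is not braking. Brake always wins over accelerator. */
int32_t arbitrate_throttle(arbiter_state_t *st, const cycle_inputs_t *in) {
    int32_t cmd = 0;                 /* RTZ default for this cycle */
    if (st->fail_safe) return cmd;

    /* 1. Collect the sensors not already latched as failed. */
    int32_t healthy[N_SENSORS];
    int n = 0;
    for (int i = 0; i < N_SENSORS; i++)
        if (!st->sensor_failed[i]) healthy[n++] = in->pedal[i];

    /* 2. Vote: median of three, or the average of two while they still agree. */
    int32_t ref;
    if (n == 3) {
        ref = median3(healthy[0], healthy[1], healthy[2]);
    } else if (n == 2 && absdiff(healthy[0], healthy[1]) <= SENSOR_TOL) {
        ref = (healthy[0] + healthy[1]) / 2;
    } else {
        st->fail_safe = true;        /* remaining sensors disagree: second fault */
        return cmd;
    }

    /* 3. Latch any sensor outside tolerance of the vote; a single fault is tolerated. */
    int failed = 0;
    for (int i = 0; i < N_SENSORS; i++) {
        if (!st->sensor_failed[i] && absdiff(in->pedal[i], ref) > SENSOR_TOL)
            st->sensor_failed[i] = true;
        if (st->sensor_failed[i]) failed++;
    }
    if (failed >= 2) {               /* no majority left: fail-safe */
        st->fail_safe = true;
        return cmd;
    }

    /* 4. Brake override: any braking forces zero throttle whatever the pedal says. */
    if (in->brake >= BRAKE_ACTIVE) return cmd;

    /* 5. Every condition met: clamp and command. */
    if (ref < 0) ref = 0;
    if (ref > THROTTLE_MAX) ref = THROTTLE_MAX;
    cmd = ref;
    return cmd;
}

int main(void) {
    arbiter_state_t st;
    arbiter_init(&st);
    /* Constructed cycle sequence: normal, braking, one sensor fault, second fault. */
    cycle_inputs_t cycles[] = {
        {{300, 305, 298}, 0},
        {{300, 305, 298}, 600},
        {{300, 305, 900}, 0},
        {{300, 310, 0},   0},
        {{300, 400, 0},   0},
        {{300, 305, 298}, 0},
    };
    for (size_t i = 0; i < sizeof cycles / sizeof cycles[0]; i++)
        printf("cycle %zu: throttle=%d fail_safe=%d\n", i,
               (int)arbitrate_throttle(&st, &cycles[i]), (int)st.fail_safe);
    return 0;
}
```

Two choices are deliberate. Every early exit returns the zero default, so there is no path on which a stale or partially computed throttle can be commanded. And faults are latched per sensor rather than counted per cycle, so a persistently broken sensor is tolerated indefinitely while a disagreement among the remaining two, which leaves no majority, latches fail-safe until the unit is serviced. The thread's proposal to triplicate at the mechanical, electronic and software level is broader than this; the code votes only on sensor readings.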

re: NASA enlisted to study Toyota throttles
ellesse   4/2/2010 8:47:09 AM
Quote: "Turning off the ignition will NOT work because the Prius does not have an ignition switch. It uses a "Power" button (computer controlled, obviously) which is disabled while driving." This is incorrect! And unfortunately copied by journalists all over without verification or any simple research... All Toyotas equipped with a power button instead of a conventional ignition key will switch off (or, to be more precise, power down to standby mode) when the power button is pressed for more than three seconds. Such models with a 'car key' (or 'fob') that must be inserted will *not* enter steering lock mode when the power-down is activated, unless that key is removed. Models with a so-called 'smart key system' are not equipped with a steering lock mechanism at all. Braking and steering are still available when the car has been powered down, but obviously power steering and brake assist are no longer available. The older drivers will certainly remember how that feels: when they were young, those 'luxuries' were unheard of in the average car... ;) In both "power button" models the car can only be restarted when the brake pedal is firmly pressed and the car has stopped completely. Hope this clarifies that issue...

re: NASA enlisted to study Toyota throttles
parkgate   4/6/2010 8:37:17 AM
A power button looks like a bad idea to me because it relies on the firmware running correctly to work. How many people have had a PC lock up where holding the power button does not cause a shutdown, so they have to switch off at the mains? So the only immediate short-term fix is to remove the fuse box cover and add a cord to the engine management fuse with a note saying "in the event of an emergency, pull cord". This looks to me like an improvement in the failure modes and effects analysis is required at the design stage.
Terry

re: NASA enlisted to study Toyota throttles
PUSOI   4/6/2010 12:06:01 PM
And maybe the car must have a RESET button like PCs.
