Comments
Who tested this thing?
MeasurementBlues   10/27/2013 5:48:37 PM
As the resident test & measurement editor, I must ask, how do we know what caused the flipped bit? Was it caused by a glitch resulting from noise? Was it purely software initiated? Is the condition repeatable enough to determine the root cause?

Re: Master throttle control
MeasurementBlues   10/27/2013 5:36:24 PM
"No-one (sensible) will need to use accelerator and brake at the same time during highway driving, and it's normally expected that the same foot is used for both, and by design they are not supposed to be used together."

My father used his right foot for the accelerator and his left for the brake. It was fairly common in his day.

Re: Single bit flip
MS243   10/27/2013 4:44:58 PM
Unless you design a totally benign product you should expect your code to be examined by an expert witness as a matter of certainty -- Ford and Chevy do not get to see all the code usually -- just the expert witnesses for the prosecution and defense -- This was how $80 per share Honeywell stock of mine became $16 per share after a 757 related verdict came out that the design should not have required manual flipping of the Nav database data from one bank of memory to another by the pilot when crossing a certain line on the globe -- In the case it was shown that other compiler vendors had the technology to do this bank switching automatically --

Re: Single bit flip
selinz   10/27/2013 10:53:58 AM
I'm curious about the mechanism by which these folks were able to obtain the ECU source code. Did Toyota give this up by court order or was it "analyzed" AKA reverse engineered?

The algorithms for acceleration can affect gas mileage and engine reliability, among other things. Do Chevy and Ford get a free look at Toyota's source code?
Re: Single bit flip
Sanjib.A   10/27/2013 9:52:14 AM
@Antony Anderson: Thanks for sharing the link! I am from the industrial automation domain and I have been seeing a direct influence of the customers asking for compliance to IEC 61508 more than the regulatory authorities, which eventually has made the regulatory authorities in the US and EU make it mandatory for industrial safety critical systems. Unfortunately, in the automotive space, technology is advancing at a fast pace (electronics being used more and more) in comparison to the pace at which standards are upgraded and regulatory bodies bring the necessary requirements/norms in, making it mandatory for the automobile industry to get their systems certified by independent assessors such as TUV / Exida.

Re: Noise and probabilities
elctrnx_lyf   10/27/2013 4:19:32 AM
I think it is going to take a lot of effort from Toyota to dig deeper and identify all the buggy cars they have on the roads.

Master throttle control
rode666   10/27/2013 4:05:21 AM
I don't understand how the obvious seems to be missing. No electronics can ever be 100% fail-safe because there will always be failures either in code or hardware.  We know that, and it shouldn't be difficult to provide an external mechanism that will return the accelerator to idle if the brake pedal is used.

No-one (sensible) will need to use accelerator and brake at the same time during highway driving, and it's normally expected that the same foot is used for both, and by design they are not supposed to be used together.

An external or separate micro-controller can easily sense that road speed is above a preset threshold, engine revs likewise, and the brake is applied.  This can then be used as an override that forces the throttle back to idle, disconnecting the ECU if needs be.

This arrangement could quite easily still allow 'heel-and-toe' operation for hill starts with a manual transmission (does anyone still do that?).  At the same time, simple sensing would activate the separate micro if any of the defined criteria were met.

So, if road speed and/or engine revs are above preset limits, the throttle is open (or open beyond a 'reasonable' limit) and the brake is applied, the micro takes over and returns the throttle to idle or kills the engine completely.  Normal human reaction is all that's needed to get the car under control.

Normal driving is unlikely to trigger the event because most people only have one right foot.  Is this idea too simple?
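
As an added illustration of the separate-microcontroller override rode666 sketches above (example code, not from the thread or any vehicle ECU), the supervisor below watches road speed, engine revs, throttle angle and the brake switch, and forces the throttle command to idle when all trip conditions hold for a few consecutive ticks. The numeric limits, the debounce count and the latch-release rule are assumptions chosen for illustration.

```c
#include <stdbool.h>

/* Assumed limits: below SPEED_LIMIT_KPH the override never trips, so
 * heel-and-toe hill starts with a manual gearbox remain possible. */
#define SPEED_LIMIT_KPH 30
#define RPM_LIMIT       2500
#define THROTTLE_LIMIT  25   /* throttle % treated as "open beyond a reasonable limit" */
#define TRIP_TICKS      3    /* conditions must persist this many ticks (debounce) */

typedef struct {
    int  trip_count;       /* consecutive ticks with all trip conditions true */
    bool override_active;  /* latched: throttle held at idle */
} override_t;

typedef struct {
    int  speed_kph;
    int  rpm;
    int  throttle_pct;     /* driver/ECU throttle command, 0..100 % */
    bool brake;            /* brake pedal switch */
} inputs_t;

void ov_init(override_t *o) { o->trip_count = 0; o->override_active = false; }

/* Runs once per supervisor tick. Returns the throttle % the actuator may see:
 * the commanded value normally, idle (0) while the override is latched. */
int ov_tick(override_t *o, const inputs_t *in) {
    bool fast = in->speed_kph > SPEED_LIMIT_KPH || in->rpm > RPM_LIMIT;
    bool trip = fast && in->brake && in->throttle_pct > THROTTLE_LIMIT;
    if (trip) {
        if (o->trip_count < TRIP_TICKS) o->trip_count++;
        if (o->trip_count >= TRIP_TICKS) o->override_active = true;
    } else {
        o->trip_count = 0;   /* any break in the conditions restarts the debounce */
    }
    /* Assumed release rule: clear the latch only when the brake is off AND the
     * throttle command has dropped back below the open limit, so a command
     * stuck wide open cannot reassert itself the moment the brake is released. */
    if (o->override_active && !in->brake && in->throttle_pct <= THROTTLE_LIMIT)
        o->override_active = false;
    return o->override_active ? 0 : in->throttle_pct;
}
```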

Re: Securing future for automobile electronics control
Antony Anderson   10/26/2013 8:47:03 PM
Bert22306 I think that your thoughts might be centering in the right area. Your valve controller analogy is probably a fairly good functional fit to the electronic throttle control, except that I would imagine that a valve controller drives the valve both open and closed whereas my understanding is that in Toyota's case the PWM driver for the H bridge motor is driven open and it is spring pressure that closes the throttle valve until the limp home position is reached, after which the H bridge reverses and drives the throttle to the fully closed position.

There is an interesting redacted statement in Appendix A of the NASA report which reads:

"A.11.3.4.8 Duty-Cycle Conversion The duty cycle conversion modifies scales the command based on the battery voltage and converts the signal to a duty cycle percentage. The duty cycle conversion operates at a rate of 16 ms"

So the H bridge controlling the motor voltage, instead of working from a constant voltage supply, as I think would normally be the case, switches the DC supply voltage, which of course is far from constant, and the duty cycle is adjusted by the ECU to compensate for changes in the supply voltage. My personal view is that Toyota would have been well advised to regulate the voltage to the PWM with a standard voltage regulator and not try to combine the regulating function with the ECU software function controlling the throttle angle. It must surely add unnecessarily to the computing load on the ECU. Functionally the two configurations are effectively the same, but practically are very different.

The person who has done a lot of work on the implications of the duty cycle conversion is Dr Ron Belt who has written up several technical memos for circulation which you and others might find interesting as a stimulus to your own thinking. If you Google "Belt Hypothesis Toyota" you will find two memos on the subject which are hosted on my website.

Now there is another aspect to the Toyota throttle mechanism itself that may be relevant and that is if you plot DC motor current against throttle angle you get a very wide hysteresis loop so that the current has to be greatly reduced before you get any reduction in throttle angle. This stiction is not mechanical stiction and appears to depend on the motor armature current.

Now this is with DC excitation and it might be different with a 500 Hz pulsed DC voltage from the PWM because you might expect to get a certain amount of jitter which might overcome the stiction. What is notable about this "stiction" is that it is much greater than the normal mechanical stiction. I have yet to take a motor to pieces and check the design, but a possible explanation is electromagnetic cogging torque. This could be very dependent on manufacturing tolerances if the airgap is small.

So in reality I suspect that we may be seeing a combination of a whole variety of factors including electromagnetic design of the motor, the gearing, the design of the PWM, the means for compensating for changes in battery voltage, timing errors, the software, not to mention electrical contact intermittencies, all of which very occasionally might combine together to cause the throttle to move to the wide open position and remain there but which under other circumstances might, for example, result in a sudden uncommanded deceleration. It will be interesting to see what comes out from under the Toyota all-weather floormat as a result of the Bookout case within the next few weeks.

Noise and probabilities
DrQuine   10/26/2013 7:46:01 PM
With the numbers of miles cars are driven and the large number of engine cylinder operations per mile (say 12,000 for a 6 cylinder car being driven at 60 mph at 2,000 rpm), low probability problems are likely to surface. That said, in electrically noisy environments with connectors subjected to adverse conditions and wires flexing, the possibility that a bit might get flipped doesn't seem surprising. I guess the question becomes: what processes enable engines to quickly return to proper operating modes when errors are detected? I know for sure that problem hasn't yet been solved on my home computer.

Re: Securing future for automobile electronics control
Bert22306   10/26/2013 6:15:40 PM
"There is in my opinion no way of 100% preventing an uncommanded wide open throttle condition occurring from time to time ..."

Yes, this is all about probabilities, and btw, exactly the same holds for mechanical throttles. I myself had this occur to me, in the pre-electronic car control era (well, not full throttle, but certainly open throttle).

It should not be too difficult to design throttle controls that only give the command for a short period of time, which is the way we tend to do this sort of control. E.g., you read the throttle or other command signal at, say, 10 Hz. If the signal is not consistent for n hits, you either go to an alternate source, or you fail safe. If updated commands are not received by the output process, again you fail safe. If the output process dies, again the throttle controller fails safe.

I've had one odd situation in which the valves we were controlling would slowly cycle open with only a single discrete command. So EVEN IF that single discrete command corrected itself after 100 msec, the valve would continue to cycle to full open, before laboriously beginning the close cycle. A very unfortunate combination of events. Since changing the valves appeared to be impossibly difficult, we ended up dramatically improving the error detection logic before closing any discrete signal to valves, which solved the problem (well, at least for several 10s of thousands of years, doing the statistical analysis).

I suspect that the Toyota throttle issue might be caused by a similar combination of unfortunate coincidences.
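
The "read the command at 10 Hz, require n consistent hits, otherwise use an alternate source or fail safe" scheme Bert22306 describes above, written out as an added C example (not Bert's code, and not Toyota's). The 10 Hz tick, n = 3, the 2 % tolerance, the 500 ms staleness timeout and the redundant second pedal sensor are all assumptions for illustration; the separate watchdog on a dead output process is not shown.

```c
#include <stdbool.h>
#include <stdlib.h>

#define CONSISTENT_HITS 3  /* n: consecutive agreeing samples before a command is trusted */
#define TOLERANCE_PCT   2  /* samples within +/-2 % of each other count as "consistent" */
#define STALE_TICKS     5  /* 5 ticks at 10 Hz = 500 ms without a trusted command */
#define IDLE_PCT        0  /* fail-safe output */

typedef struct {
    int last_sample;        /* previous raw sample (throttle %) */
    int agree_count;        /* consecutive samples that agreed with their predecessor */
    int accepted;           /* command currently handed to the output stage */
    int ticks_since_accept; /* staleness counter driving the fail-safe */
} throttle_filter_t;

void tf_init(throttle_filter_t *f) {
    f->last_sample = f->accepted = IDLE_PCT;
    f->agree_count = f->ticks_since_accept = 0;
}

/* One 100 ms tick. primary/backup are two independent pedal sensors (0..100 %).
 * Returns the throttle % the output process may act on. */
int tf_tick(throttle_filter_t *f, int primary, bool have_backup, int backup) {
    int sample = primary;
    /* Redundant sensors disagree: take the alternate source only if it asks
     * for less throttle; otherwise the command is untrustworthy, so use idle. */
    if (have_backup && abs(primary - backup) > TOLERANCE_PCT)
        sample = (backup < primary) ? backup : IDLE_PCT;
    if (abs(sample - f->last_sample) <= TOLERANCE_PCT) {
        if (f->agree_count < CONSISTENT_HITS) f->agree_count++;
    } else {
        f->agree_count = 1;  /* a jump restarts the consistency window */
    }
    f->last_sample = sample;
    if (f->agree_count >= CONSISTENT_HITS) {
        f->accepted = sample;
        f->ticks_since_accept = 0;
    } else if (++f->ticks_since_accept >= STALE_TICKS) {
        f->accepted = IDLE_PCT;  /* no trusted command for 500 ms: fail safe */
    }
    return f->accepted;
}

/* Convenience: feed a run of primary-only samples, return the final output. */
int tf_feed(throttle_filter_t *f, const int *samples, int n) {
    int out = f->accepted;
    for (int i = 0; i < n; i++) out = tf_tick(f, samples[i], false, 0);
    return out;
}
```

A single glitched sample is ignored because the accepted value only changes after n agreeing samples, while a continuously noisy signal drives the output to idle once the staleness timeout expires.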
