Observations on the Toyota Driver Error Investigation


Observations on the NHTSA report on the Toyota Unintended Acceleration problem

Published by: Tardis43 on Feb 21, 2011
According to an article in the Feb. 9, 2011 issue of the Wall Street Journal, “Federal highway safety officials on Tuesday absolved the electronics in Toyota Motor Corp. vehicles for unintended acceleration, and said driver error was to blame for most of the incidents”.

First of all, my credentials: I am a Reliability/Safety Engineer with about 40 years’ experience in space as well as aerial, ground, and sea transportation. I decided to research the NHTSA report to find out why so many North Americans can’t tell their right pedal from their left!

I found “The NHTSA Study of Unintended Acceleration in Toyota Vehicles” on their website: www.nhtsa.gov/UA. According to NHTSA’s own review of data and examination of vehicles as explained in this report (and NASA’s evaluation of Toyota’s ETC system), NHTSA concluded that “the Toyota ETC system does not have design or implementation flaws that could reasonably be expected to cause UA events involving large throttle openings as described in consumer complaints to NHTSA”.

“No single failure can produce such a condition. Two failures in the precise resistance range necessary to create the exact circuit configuration in the correct time phase are necessary for this functional failure to occur. As NHTSA understands the situation, the likelihood of two such specific failures occurring in a consumer’s use of a vehicle in the precise resistance range and in the required sequence necessary to produce the UA condition is remote. Moreover, the occurrence of such failures outside of these very narrow conditions will *always set a diagnostic trouble code (DTC)”.

Note: (* = emphasis added to quoted text)

“NASA did determine through microscopic analysis of a failed pedal obtained from a field incident that certain resistive faults can result from the presence of tin whiskers within the accelerator pedal position sensor. In vehicles with potentiometer sensors (MY2002-2006), NASA found that this kind of resistive short generally produces a DTC, warning light, and failsafe operation, but results in different vehicle responses depending on the subsequent operation of the vehicle following the occurrence of the fault. In the field incident in which the pedal examined by NASA was involved and in the only other three incidents that appear to be of that nature found in the VOQs, the resistive short triggered a DTC and fail-safe operation. In each case, the owner brought the vehicle for servicing because of the lack of acceleration and somewhat jumpy throttle response and the vehicle was repaired without damage or injury. Also, the unwanted acceleration in this situation is relatively small (up to 15 degrees of throttle opening), ceases immediately when the accelerator pedal is released, and is readily controlled by braking, which is unaffected. Moreover, NHTSA’s analysis of its own complaint data and Toyota’s warranty data indicates that conditions that produce a DTC related to pedal failure are very rare in these vehicles, indicating an extremely small likelihood of such conditions, and an even more remote chance of conditions producing such a short without producing a DTC. *Accordingly, there is currently no evidence of a real-world safety risk produced by this phenomenon”.

Really? If this conclusion is true, then I can only assume that NASA was totally unaware of the paper “Impact of Soft Errors in a Brake-by-Wire System”, presented in the Proceedings of the 2007 IEEE Workshop on Silicon Errors in Logic (this paper is also available on-line).

This paper presents an experimental evaluation of the impact of soft errors in a brake-by-wire system, with the participation of Göteborg University and Volvo Technology. Its goal is to assess the risk that soft errors will cause the brake system to produce undetected dangerous outputs. To this end, the authors injected single bit-flips into the CPU registers and the main memory of an MPC565 microcontroller running a brake controller program. For each injected bit-flip, they recorded the outputs to the brake actuator for more than one thousand control cycles. Their results showed that 24% (769 of 3149) of the bit-flips injected into the CPU registers resulted in undetected erroneous outputs. Of these, *24% (188 of 769) resulted in dangerous outputs.

These conclusions piqued my curiosity, so I searched for the NASA-NHTSA report, which I also found on the NHTSA website (just open the full NASA report).

My first discovery was that the core NESC team did not comprise anyone with expertise in Safety (page 11), and yet this is clearly a catastrophic safety issue (as defined by MIL-STD-882).

The second was a catastrophic safety observation related to NASA’s analysis and conclusions on the presence of tin whiskers, where NASA states (page 16): “Destructive physical analysis of this pedal found tin whiskers, one of which had formed the resistive partial short circuit between the pedal signal outputs”. Then, on page 127, it states that Toyota printed circuit boards are not conformally coated! (Note: superscript 2 refers to NASA’s website on lead-free tin whiskers: http://nepp.nasa.gov/whisker/.) Based on the examination of one model year 2007 Engine Control Module (page 127), NASA states “the inspection of this ECM revealed no tin or zinc metallic whisker growth”, and on page 170, Finding F-1 states “No TMC vehicle was identified that could naturally and repeatedly reproduce large throttle opening UA effects for evaluation by the NESC team”.

Since compliance with the RoHS regulations on the elimination of lead in all products makes mitigation of tin whiskers a major issue for all manufacturers, as a search on this topic will show, the above demonstrates that this serious safety issue has not been completely resolved.

The above NASA statements should concern any safety engineer, and they bring up a third, major disconnect that I observed on page 16 of the NASA report, where it is stated: “Based on postulated failure modes and predicted system responses, numerous electrical *system hardware failure modes were tested on benchtop simulators”. Page 22 adds: “Test scenarios were developed based on analysis of software and hardware documentation” and later states: “Model responses were compared to the hardware external responses. Monitoring of actual responses inside the ECM hardware was not possible; however, the software model and ASIC block diagrams did give a level of insight into system function”.

In simple terms, this means that NASA took the existing Toyota documentation and assumed that the Toyota data was complete as well as accurate. NASA conducted its analyses and test scenarios (both hardware and software) at a functional block level, as can be seen by doing a deep dive into the NASA report. This approach is only as good as the data fed into the software simulation and as the test scenarios emulating the faults listed in the functional block analyses. The methodology relies on the premise that the existing data from Toyota completely describes all possible failure modes. Engineers should recall the expression “garbage in, garbage out”. Note: a functional-level failure mode analysis is only a preliminary top-down analysis, and should be followed by a more detailed bottom-up component-level analysis.

Obviously the Toyota and NASA experts did not consider all failure modes, as exemplified by the Göteborg University and Volvo Technology paper published in 2007 by the IEEE, an internationally accredited institution.

In conclusion, I sincerely hope that the NHTSA transportation officials follow up on the NESC recommendation to “consider conducting more research on electronic control systems”.
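The register-level fault-injection experiment of the Göteborg/Volvo paper, and the gap between a functional-level failure mode analysis and a bottom-up one, can be made concrete with a small campaign of the same shape. The Python below is an added illustration written for this page; it is not the NASA/NESC benchtop setup, not Toyota’s ETC software, and not the harness used in the Göteborg/Volvo paper. It models a toy pedal-to-throttle controller with a dual-track plausibility check (the kind of single-fault detector the NHTSA quotation relies on, with an assumed fixed offset between the two tracks), flips each bit of each controller register at each phase of one control cycle, lets the controller run on, and sorts every run into detected (DTC latched), benign (output identical to the fault-free run), silent erroneous, or dangerous (undetected throttle above the fault-free trace by more than an assumed threshold). All constants, register names and the driving scenario (pedal held at a fixed position) are assumptions of the model.

```python
"""Exhaustive single-bit-flip fault injection against a toy pedal-to-throttle
controller with a dual-track plausibility check.

Added illustration for this page. It is NOT the NASA/NESC benchtop setup, NOT
Toyota's ETC software and NOT the Goeteborg/Volvo harness; every constant,
register name and the driving scenario below is an assumption of the model.
"""
from dataclasses import dataclass

ADC_MAX = 1023        # assumed 10-bit pedal ADC
OFFSET = 200          # assumed fixed offset between the two pedal tracks (ADC counts)
TOLERANCE = 40        # assumed plausibility window (ADC counts)
LIMP_THROTTLE = 8     # assumed fail-safe throttle command (%)
RATE_LIMIT = 5        # assumed max throttle change per control cycle (%)
DANGER_DELTA = 20     # assumed: undetected throttle more than this above the
                      # fault-free trace counts as a dangerous output

# Register file the injector can hit: name -> width in bits.
REGS = {"vpa1": 10, "vpa2": 10, "dtc": 1, "throttle": 7}


@dataclass
class EcuState:
    vpa1: int = 0      # pedal track 1 reading
    vpa2: int = 0      # pedal track 2 reading (track 1 + OFFSET when healthy)
    dtc: int = 0       # latched diagnostic trouble code
    throttle: int = 0  # throttle command sent to the actuator (%)


def read_sensors(s, vpa1, vpa2):
    s.vpa1, s.vpa2 = vpa1, vpa2


def plausibility_check(s):
    # The single-fault detector: if one track drifts away from the other by
    # more than TOLERANCE, latch a DTC. This is the failure mode the design
    # documents anticipate, so it is the only one this check can see.
    if abs((s.vpa2 - s.vpa1) - OFFSET) > TOLERANCE:
        s.dtc = 1


def compute_throttle(s):
    # Fail-safe if a DTC is latched, otherwise map track 1 to 0..100 %.
    target = LIMP_THROTTLE if s.dtc else s.vpa1 * 100 // (ADC_MAX - OFFSET)
    # Rate limiter: the actuator moves at most RATE_LIMIT % per cycle, so a
    # corrupted throttle register decays back over several cycles.
    delta = max(-RATE_LIMIT, min(RATE_LIMIT, target - s.throttle))
    s.throttle = (s.throttle + delta) & 0x7F   # 7-bit register


def run(cycles, vpa1, vpa2, fault=None):
    """Run the controller with the pedal held at (vpa1, vpa2).

    fault = (cycle, phase_index, register, bit) flips that bit right after
    phase 0 (sensor read), 1 (plausibility check) or 2 (throttle compute)
    of that cycle. Returns the per-cycle throttle trace and the final DTC.
    """
    s = EcuState()
    trace = []
    for cyc in range(cycles):
        phases = (lambda: read_sensors(s, vpa1, vpa2),
                  lambda: plausibility_check(s),
                  lambda: compute_throttle(s))
        for idx, phase in enumerate(phases):
            phase()
            if fault is not None and fault[0] == cyc and fault[1] == idx:
                reg, bit = fault[2], fault[3]
                setattr(s, reg, getattr(s, reg) ^ (1 << bit))
        trace.append(s.throttle)
    return trace, s.dtc


def classify(trace, dtc, golden):
    if dtc:
        return "detected"            # fail-safe engaged, driver sees a fault
    if trace == golden:
        return "benign"              # flip was masked or overwritten
    if max(t - g for t, g in zip(trace, golden)) > DANGER_DELTA:
        return "dangerous"           # undetected unwanted throttle
    return "silent_erroneous"        # undetected, but small or downward


def campaign(cycles=60, inject_cycle=20, vpa1=300, vpa2=500):
    """Flip every bit of every register at every phase of one cycle."""
    golden, _ = run(cycles, vpa1, vpa2)
    counts = {"detected": 0, "benign": 0, "silent_erroneous": 0, "dangerous": 0}
    dangerous = []
    for phase_idx in range(3):
        for reg, width in REGS.items():
            for bit in range(width):
                fault = (inject_cycle, phase_idx, reg, bit)
                trace, dtc = run(cycles, vpa1, vpa2, fault)
                kind = classify(trace, dtc, golden)
                counts[kind] += 1
                if kind == "dangerous":
                    dangerous.append(fault)
    return counts, dangerous


if __name__ == "__main__":
    counts, dangerous = campaign()
    total = sum(counts.values())
    undetected = total - counts["detected"]
    print(counts)
    print(f"{undetected}/{total} flips undetected, {counts['dangerous']} of those dangerous")
    for f in dangerous:
        print("dangerous:", f)
```

With the assumed constants the campaign shows the point a functional-level analysis misses: every flip that lands in either pedal track is masked, small, or caught by the plausibility check, because a drifting track is exactly the failure mode the design documents anticipate; a flip in the top bit of the throttle command register is outside that model entirely and reaches the actuator undetected at every injection phase. The proportions are an artefact of the toy model and should not be read as estimates for any real ECM; the value of the exercise is that it is bottom-up, covering every bit of every register rather than only the failure modes someone thought to list.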
NHTSA-NASA Study of Unintended Acceleration in Toyota Vehicles: http://www.nhtsa.gov/staticfiles/nvs/pdf/NHTSA-Toyota_keywords.pdf

P 14 – Of 426,911 reports in the NHTSA Vehicle Owners’ Questionnaire (VOQ) system (2000–2010), for all vehicles, 9698 were identified as unintended acceleration (UA), and of these 3054 were TMC vehicles. However, no evidence of a failure in either the electronic throttle control system-intelligent or the brake system was typically reported as having been found following these events.

P 26 – NHTSA: VOQ is voluntary and therefore it is difficult to extrapolate the frequency of events from the total events reported; causes:

P 28 – Public did not know of VOQ prior to publicity,

