
A Description of the Monitoring Architecture and Design Justification
used for Automotive Electronic Throttle Control Systems
Gavin McCall BSc. (Hons.), C.Eng., M.I.E.E.
Visteon UK Limited
Laindon, UK

This paper will describe an automotive industry use of a novel
architecture for the indirect monitoring of a control system. The
model used within the industry is a system containing a main control
processor and a secondary monitor processor. This secondary monitor
observes the correct functioning of the control, and not the correct
operation of the plant. This system is used in production systems by
several vendors today. This paper will present the design justification
behind this arrangement.

1 Background
Today's automobiles contain sophisticated computers controlling many functions,
including the engine, transmission, anti-lock brakes and radio, to name a few.
The control of the engine has moved from carburettor and mechanical spark timing
to PowerPC-based controllers, found for example in the new Ford Mondeo.
This controller now performs complex calculations to control fuel, spark
timing and idle airflow. Additionally, many emission systems, such as exhaust gas
recirculation and evaporative emissions, are under direct computer control.

The basic algorithm in these controllers is to measure the airflow into the engine,
and to control a matching fuel flow to maintain a precise air/fuel ratio. This
control maximises the efficiency of the catalytic converter, maximising the
conversion of harmful gases into the less harmful carbon dioxide. During this
addition of technology, the throttle system has remained mechanical. The airflow is
controlled using a mechanical cable link from the foot pedal to the throttle butterfly
valve. Complex cams allow the matching of throttle feel to throttle movement.
Additionally, speed control (commonly, if incorrectly, called cruise control) is
achieved by mechanically actuating the cable, using an additional actuator.

To date, most computer-based control systems added to the vehicle have been
ancillary systems. The engine controller operates within an airflow that is
limited by a mechanical system, so the authority of the computer is limited to
obtaining the best power at the given airflow. There are no active functions built
into the system to cause the engine to stall. The controller will enforce engine
speed limits to prevent over-revving. A typical system today contains about 500,000
lines of code written in the C programming language.

F. Redmill et al. (eds.), Aspects of Safety Management
© Springer-Verlag London Limited 2001

2 Electronic Throttle Control System

2.1 Electronic Throttle Body

Electronic throttle control replaces the mechanical throttle with an electronic
throttle control (see figure 1). This replaces the mechanical throttle body and the air
bypass valve for idle speed control, and allows direct speed control without
additional hardware. A pedal assembly having direct electrical outputs replaces the
pedal and cable. The electrical signal is a function of the pedal position. (Note: the
pedal assembly can be either of a displacement type or a pressure type. The
current preference is a displacement type, mimicking directly the mechanical
system.) The electronic throttle body and accelerator pedal are connected to the
powertrain control module, which contains the microprocessor and additional
electronics.

The function of the air-bypass valve, to control idle engine speed, is now performed
using the throttle plate. Speed control can also be implemented without the need
for an additional throttle actuator.

The legal requirement for a throttle body is that two forms of energy are available
to close it. This is satisfied by (a) a spring that closes the throttle plate, and (b)
the action of the motor. First generation throttle bodies would completely close
when no electrical power was applied, which results in no engine operation.
Second generation throttle bodies have a second spring which pushes the throttle to
a just-open "default" position. This allows continued vehicle operation
should control of the motor be lost. The use of these two springs causes an
interesting control problem, in that a major non-linearity is placed into the control
system. This default position will be described in detail later in this paper. The
actual position of the throttle plate is measured using sensors, and this is passed to
the powertrain control module.

Electronic throttle control gives the powertrain control module full authority
over engine power: the engine controller can now command anything from zero
to full power. The term FADEC (Full Authority Digital Engine Control), used in
other industries such as aero engines, describes this type of controller.

2.2 Electronic Throttle Control Algorithms

Early Electronic Throttle Control systems simply operated as cable replacement
systems. The relationship between pedal demand and throttle position was
simple, linear and deterministic. For these simple control strategies, an external
monitor can observe this relationship, and perform a containment action if this
relationship is lost. Complications arise around idle speed control, since this opens
the throttle with no pedal demand. This can be accommodated, and the monitor can
be designed to detect only gross errors.

In order to achieve greater benefit in terms of fuel economy and driveability, a
more complex relationship is required. The relationship between pedal demand
and throttle position depends on many additional signals and the integration
of those signals. For example, all of the power demands on the engine can be
expressed in terms of a torque requirement. The various torque requirements are
rationalised into a single torque requirement, and air and fuel values determined to
achieve this required torque.

Applying the previously described approach requires all of the signals used by the
control to be duplicated in the monitor. Aliasing, measurement error and other sources
of non-determinism cause deviations in these signals, which could cause false
triggering of the monitor system.

Full duplication or triplication, with mechanisms to resolve non-determinism, is
required to resolve these differences. This is the approach used in other industries.
The automotive industry has developed the approach described in figure 4 to
address this need.

Figure 2 shows the air mass through the throttle body as a function of engine speed
for a range of throttle openings. The engine is a positive displacement air pump.
The mass of air pumped is proportional to the speed of the pump, until the airflow
becomes choked. At this point, greater engine speed results in no more airflow. At
closed throttle, the airflow is due to leakage around the throttle plate, and is limited
at all engine speeds. At the default/part 1 position, the airflow increases to a
maximum at about 2000 rpm, and then chokes. Above 4000 rpm, the airflow
reduces due to the loss in pumping efficiency of the engine. This throttle position
results in a constrained level of airflow at all engine speeds. Throttle position part 2
and wide open show greater airflow, again limited by the same loss of pumping
efficiency at higher engine speeds.

The default position, which is established by two springs, and taken in the event of
the motor not being powered, establishes an upper limit of the possible airflow
through the engine in this default state. This relies on the passive physics of the
mechanical components, and is not dependent on active computer control.

Figure 2: Normalised air mass flow (normalised air mass, 0.0 to 1.2, plotted
against engine speed, 0 to 5000 rpm, for the closed, default/part 1, part 2 and
wide open throttle positions)

2.3 The Safe State


What is the safe state for this system?

There is not a single value. This is a trade off between the direct risks caused by
excessive engine power, and the indirect risks caused by immobilisation of the
vehicle. Figure 3 shows this relationship. Choosing a small value of default angle
results in always having a lower over-power condition when little power is
required, but provides no ability to increase this when performance is required.
Consequently, accelerating into fast moving traffic, and crossing the path of traffic
is difficult. The ideal low power setting on the flat may result in insufficient
airflow to climb grades, rendering the vehicle immobile.

Alternatively, selecting a larger default angle results in greater vehicle
performance. The downside to this is that parking and low-speed manoeuvring will
be more difficult.

The majority of vehicle operation is cruising at urban or motorway speeds.

The value chosen by mechanical setting of the default airflow dictates the
following.
1. It provides the maximum airflow, and therefore the maximum
performance of the vehicle, when power is desired.
2. When no power is required, at the idle position, it is the amount of unwanted
excess power.

Figure 3: Trade-offs between vehicle performance and idle power as the default
airflow is increased. The horizontal axis is the acceleration rate available from
the default airflow, with the corresponding 0-60 mph time:

  Acceleration rate (g = 9.81 m/s^2)   0.00g   0.05g   0.10g   0.15g   0.20g
  0-60 mph time                          -      54 s    27 s    18 s    13 s

Three regions are marked from left to right: excessively low maximum
performance (unsafe: availability), moderate idle power (the safety trade-off,
containing the neutral idle power point), and excessive idle power (unsafe).

The values given on the x-axis of figure 3 are indicative of the values at which the
available acceleration leads to the indicated feel.

3 Automotive Industry Technique

The automotive industry in Europe has developed a common architecture to
address the monitoring of complex control systems such as Electronic Throttle
Control and Automated Shift Manual (ASM) control systems. Members of the
OSEK Group have described this as an "intelligent watchdog". The only public
domain information on this system is in [Bederna 99]. This is a patent
that describes the method or structure. No design justification is provided in that
reference. This paper will describe the system, and then present design
justifications for it.

A pragmatic approach is taken to the development of the system, similar to [UL
94]. In this approach, the possible faults that can develop in the system are
identified. For each fault mechanism, a method is defined to allow detection of the
occurrence of the fault. In the absence of any fault being detected, the system is
assumed to be operating correctly. An additional element to this is that we cannot
rely on a computing element at fault to be capable of taking correct mitigation or
containment action. Therefore a second computing element is introduced. This
second element can perform a containment action independently of the primary
element.

The system is described in figure 4.

Figure 4: Basic Control Features (block diagram). The Main CPU runs the
primary control software X, which converts fuel mass into fuel injector pulse
width, and the plausibility check Y, which provides a fuel disable. An ENABLE
signal gates the Throttle Controller, which drives the Throttle Motor; the fuel
pulse width drives Fuel Injector 1 and Fuel Injector 2.

3.1 Primary Control Software (X)

The primary software takes inputs from a number of sensors, including accelerator
pedal position, and from these calculates the desired engine
torque. This is then achieved by determining an appropriate fuel injection time to
deliver the desired fuel quantity. In a similar way, the air mass requirement is
converted into a throttle angle request, and this is commanded by the closed loop
Throttle Controller.

3.2 Independent Plausibility Check (Y)

This software also resides on the main processor. The purpose of this software is to
do a continuous rationality check on the operation of the primary software (X).
This is a form of n-version programming, in that the algorithm in the Independent
Plausibility Check performs a reverse calculation: given the current throttle
position, what would the corresponding driver command be, and how does this
compare with the actual command? This software can therefore find software errors
in the primary software. Since this software is executing on the same CPU as the
main software, problems due to different sampling and aliasing are eliminated.
Additionally, data sharing between the sections of software can be readily
performed.

The Independent Plausibility Check software enables fuel injection and enables
operation of the throttle plate. It also informs the Quizzer if it is taking containment
action.
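The reverse calculation can be made concrete. The following is an added example, not code from the paper or from Visteon: software X maps pedal demand to a throttle angle request, and software Y inverts the measured throttle angle back into the pedal demand that would justify it, comparing the two. The pedal and throttle ranges, the idle trim (the idle-speed complication mentioned above), the linear forward map and the tolerance are assumptions chosen to keep the example self-contained; a real system would use the calibrated torque and airflow maps.

```python
"""Reverse-calculation plausibility check (software Y) over the primary
control (software X). Added example; all ranges and maps are assumptions."""
from dataclasses import dataclass

PEDAL_MAX_DEG = 30.0       # assumed full pedal travel
THROTTLE_MAX_DEG = 90.0    # assumed wide-open throttle angle
IDLE_TRIM_DEG = 6.0        # assumed idle opening with the pedal released
TOLERANCE_DEG = 4.0        # assumed pedal-equivalent tolerance before Y reacts


def forward_x(pedal_deg, idle_trim_deg=IDLE_TRIM_DEG):
    """Primary control X: pedal demand -> throttle angle request.

    The idle trim opens the throttle for zero pedal demand; X may vary it for
    idle speed control, so it is a parameter shared with Y."""
    demand = max(0.0, min(pedal_deg, PEDAL_MAX_DEG)) / PEDAL_MAX_DEG
    return idle_trim_deg + demand * (THROTTLE_MAX_DEG - idle_trim_deg)


def reverse_y(throttle_deg, idle_trim_deg=IDLE_TRIM_DEG):
    """Plausibility check Y: measured throttle angle -> pedal demand it implies."""
    span = THROTTLE_MAX_DEG - idle_trim_deg
    return max(0.0, (throttle_deg - idle_trim_deg) / span) * PEDAL_MAX_DEG


@dataclass
class YDecision:
    fuel_enable: bool
    throttle_enable: bool
    implied_pedal_deg: float
    reason: str


def plausibility_check(pedal_deg, measured_throttle_deg, idle_trim_deg=IDLE_TRIM_DEG):
    """Compare what the throttle position implies with what the driver asked for.

    Only power in excess of demand is contained (fuel and throttle enables
    withdrawn). Under-delivery is the secondary (stall) hazard: disabling fuel
    would make it worse, so Y reports it without taking containment action."""
    implied = reverse_y(measured_throttle_deg, idle_trim_deg)
    if implied > pedal_deg + TOLERANCE_DEG:
        return YDecision(False, False, implied,
                         "throttle position exceeds driver demand: containment")
    if implied < pedal_deg - TOLERANCE_DEG:
        return YDecision(True, True, implied,
                         "throttle below demand: reported, no containment")
    return YDecision(True, True, implied, "plausible")
```

Because Y shares the idle trim with X, a legitimate throttle opening at zero pedal demand is not flagged; the tolerance absorbs small deviations that would otherwise trigger falsely.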

The following argument is made to assert that the Independent Plausibility Check
is operating correctly.

Argument - Software Y is working on CPU Main

1. Software Y is seen to be running - recognised by key points in the
software being executed in the correct sequence and at the correct rate,
observed for correct signature by CPU Quizzer (test 1).
2. Software Y was tested to 100% branch coverage during unit test (test 2).
3. Software Y is unchanged - CRC check on the ROM of Software Y,
performed by software Y (test 3).
4. CPU Main is operating correctly - instruction test performed by seeded tests
and monitored for correct result by CPU Quizzer (test 4).
5. Software Y uses a mechanism to detect memory corruption of key
variables (test 5).

Given this, we do not need to observe the input and output values of Software Y in
order to trust that it is correctly performing its function.

Software X (the primary control software) and software Y are running on the same
processor. Therefore software X can prevent or disrupt the operation of software Y.
It can cause it not to run, or not to run to completion, which is detected by logical
sequence and timing (test 1). Software X may overwrite the variables of software
Y. This is addressed by a technique that redundantly stores the key variables
utilised by software Y. The data is stored directly and in a complementary format.
On reading the data, both versions are checked for consistency before the data is
used. Error recovery to a safe value is used when the values contradict.
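The direct-plus-complement storage just described, as an added example that is not code from the paper: a 16-bit word size, the safe fallback value and the fault-injection method are assumptions. The consistency test is that the two copies XOR to all ones; any overwrite of one copy, or a block overwrite of both, breaks that relation.

```python
"""A key variable of software Y stored directly and in one's-complement form,
checked on every read and recovered to a safe value on contradiction.
Added example; word size and safe value are assumptions."""
WORD_MASK = 0xFFFF  # assumed 16-bit storage word


class ProtectedVar:
    """Redundant direct/complement storage for one variable."""

    def __init__(self, value, safe_value):
        self.safe_value = safe_value & WORD_MASK
        self.last_read_ok = True
        self.write(value)

    def write(self, value):
        value &= WORD_MASK
        self._direct = value
        self._complement = (~value) & WORD_MASK

    def read(self):
        """Return the value if both copies agree; otherwise recover to the safe value.

        The copies agree exactly when direct XOR complement is all ones. A stray
        write from software X into one copy, or a memset of both to 0x00 or 0xFF,
        breaks that relation. The one case the scheme cannot see is the same bit
        flipping in both copies, which keeps them complementary."""
        if (self._direct ^ self._complement) == WORD_MASK:
            self.last_read_ok = True
            return self._direct
        self.last_read_ok = False
        self.write(self.safe_value)   # error recovery to a safe value
        return self.safe_value

    def inject_fault(self, direct=None, complement=None):
        """Fault injection for the example: overwrite one or both copies."""
        if direct is not None:
            self._direct = direct & WORD_MASK
        if complement is not None:
            self._complement = complement & WORD_MASK
```

The last_read_ok flag is what Y would report to the Quizzer as "taking containment action"; the read itself already returns the safe value, so the caller never sees the corrupted one.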

Software Y is written with statements included in its control paths that cause a
specific signature value to be generated. This value is based on correct dynamic
operation of software Y and the previous signature value. If any such
statement is not called, or is called in an incorrect sequence, the signature value
differs from that expected. This signature is exchanged with the Quizzer
software.

Software Y also contains instruction test software. The Instruction Tests are
designed to address and check the basic operations of the CPU, such as correct
operation of the Arithmetic Logic Unit and CPU registers. A number of algorithms
and seed values exist, and the Quizzer requests the Main processor to perform a
specific test and to return the value. The test may be coded in assembler to ensure
exact coverage of the instruction set.

Software Y is considered critical to the correct operation of the system.

3.3 Quizzer
The Quizzer CPU interacts with the main CPU on a communication bus. Suitable
communications occur on a timed periodic basis. Typically, this is about ten bytes
of data exchanged every 16 ms. The Main processor initiates the communication to
the Quizzer. The Quizzer detects errors in timing if the communication fails to
occur sufficiently accurately.

The Quizzer software monitors the execution signature generated by software Y.

Because of the dynamic and challenge-response behaviour of the communications
between the processors, different message content is required at each
communication event. Therefore if the Main processor were to repeatedly send a
once-correct message, this would fail when repeated.
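The execution signature of section 3.2, the seeded instruction test, and the Quizzer's challenge-response and timing checks described here fit together as one exchange. The following is an added example, not the paper's or Visteon's code. The signature mixing function, the odd checkpoint tokens, the three instruction tests, the 2 ms timing tolerance and the three-consecutive-fault threshold are assumptions; the paper gives only the 16 ms period and the message size.

```python
"""Execution signature of software Y verified by the Quizzer over a periodic
challenge-response exchange. Added example; mixing function, tests and
thresholds are assumptions."""
PERIOD_MS = 16.0
WINDOW_MS = 2.0          # assumed tolerance on the 16 ms period
MAX_FAULTS = 3           # assumed consecutive faults before containment
CHECKPOINTS = ("read_inputs", "reverse_calc", "compare", "drive_enables")


def mix(sig, token):
    """Chain one checkpoint token into the 16-bit running signature.

    31 is odd, so the map is a bijection on 16-bit words. With odd tokens,
    sig*31 + token == sig (mod 2**16) has no solution, so omitting any one
    checkpoint always changes the final signature; swapping two does as well."""
    return (sig * 31 + token) & 0xFFFF


def instruction_test(test_id, seed):
    """Seeded exercise of basic CPU operations; the Quizzer holds the reference."""
    if test_id == 0:
        return (seed * 0x9E37 + 0x79B9) & 0xFFFF              # multiply, add, carry
    if test_id == 1:
        return ((seed << 7) ^ (seed >> 3) ^ 0xA5A5) & 0xFFFF  # shift, xor
    return (0xFFFF - seed) & 0xFFFF                           # subtract, borrow


class MainY:
    """Software Y: executes its checkpoints in order and answers the Quizzer."""

    def __init__(self, skip=None):
        self.skip = skip   # fault injection: name of a checkpoint that does not execute

    def run_cycle(self, challenge):
        seed, test_id = challenge
        sig = seed         # this cycle's signature starts from the fresh seed
        for i, name in enumerate(CHECKPOINTS):
            if name == self.skip:
                continue
            sig = mix(sig, 2 * i + 1)   # signature statement placed in the control path
        return (sig, instruction_test(test_id, seed))


class Quizzer:
    """Second CPU: verifies each reply and issues a new challenge every period."""

    def __init__(self):
        self.cycle, self.faults, self.enable = 0, 0, True
        self.pending, self.last_ms = None, 0.0

    @staticmethod
    def expected_signature(seed):
        sig = seed
        for i in range(len(CHECKPOINTS)):
            sig = mix(sig, 2 * i + 1)
        return sig

    def exchange(self, response, now_ms):
        """Verify the reply to the outstanding challenge, then issue the next one."""
        ok = True
        if self.pending is not None:
            seed, test_id = self.pending
            sig, result = response
            on_time = abs((now_ms - self.last_ms) - PERIOD_MS) <= WINDOW_MS
            ok = (sig == self.expected_signature(seed)
                  and result == instruction_test(test_id, seed)
                  and on_time)
        self.faults = 0 if ok else self.faults + 1
        if self.faults >= MAX_FAULTS:
            self.enable = False   # containment: withdraw the Quizzer's enable
        self.cycle += 1
        seed = (self.cycle * 0x6C8E + 0x1B3F) & 0xFFFF   # differs every cycle
        self.pending = (seed, self.cycle % 3)
        self.last_ms = now_ms
        return self.pending


def simulate(main, cycles=10, replay_from=None, slow_from=None, slow_period_ms=20.0):
    """Run the exchange; return True if the Quizzer's enable is still asserted."""
    quizzer = Quizzer()
    challenge = quizzer.exchange(None, 0.0)
    now, last_response = 0.0, None
    for n in range(1, cycles + 1):
        now += slow_period_ms if (slow_from is not None and n >= slow_from) else PERIOD_MS
        response = main.run_cycle(challenge)
        if replay_from is not None and n >= replay_from and last_response is not None:
            response = last_response   # a once-correct message sent again
        last_response = response
        challenge = quizzer.exchange(response, now)
    return quizzer.enable
```

Three failure modes from the text are covered: a checkpoint that does not execute (wrong signature), a replayed message (the seed has moved on, so both signature and test result are stale), and a Main processor that is late (timing fault). Each trips the enable after three consecutive bad cycles.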

The Quizzer also performs tests on its ROM, RAM and instruction set.

The Quizzer software is considered critical to the correct operation of the system.

3.4 Summary

Basic Control Software (X) executes.

Independent Plausibility Check (Y) checks the function of key parts of Basic
Control Software (X).

Quizzer observes the correct operation of Independent Plausibility Check software
(Y).

The function X is not checked directly by Quizzer, but indirectly via Y.

All known failure mechanisms of Y are addressed by techniques within Y, or by
operational observation performed by Quizzer.

3.5 Consequences of Architecture

The Independent Plausibility Check software and the Quizzer software are critical
to the correct operation of the system. The importance of the primary software is
reduced, and it can be developed to less stringent standards. The critical software has
been isolated to a smaller section, and this section can receive the necessary
scrutiny. This is in line with current thinking that critical systems should be small
and considered separately from the non-critical parts of the system.

4 Containment Actions
An Electronic Throttle Control system uses a diversity of mechanisms to guard
against any single or common-cause failure mechanism that could result in a
hazardous condition. The primary hazardous condition is engine power excessively
greater than demand, and the secondary hazard is engine stall. An internal
combustion engine needs both correct air and correct fuel in order to make power.
By limiting either of these quantities, the possible power of the engine is limited to
the smaller of the two.

Therefore the containment action utilises both fuel and air to assure that a safe state
can be reached under fault conditions.

The 2nd generation throttle body includes the default position mechanism. This
selects a specific throttle position as a function of non-electronic components. Both
the Main processor and the Quizzer processor enable the operation of the electronic
throttle, and without this enabling the default position is selected. Air flow and
consequently power is limited by the physical properties of the throttle body.

Engine speed limiting by fuel disabling is a tried and tested principle, which
has been necessary on all engines since the replacement of carburettors by fuel
injection. Simply put, when the engine speed exceeds a threshold, the fuel injection
is inhibited. The engine is now un-powered, and the engine speed will drop back
below the limit. At this point, fuel is re-enabled, which causes the engine speed to
increase back to the limit. In this way, the engine speed hunts around the desired
maximum speed. A suitable speed limit of around 3000 rpm (typical value) limits
the maximum amount of engine acceleration before this limit is reached. Either the
Main and/or the Quizzer processor can perform engine speed limiting.

Each of the air limit and fuel limit is sufficient to constrain engine power. Both are
applied, therefore failure of one or the other is accommodated in the following manner.
If the fuel limit fails, the airflow is limited by throttle dynamics and this constrains
power. Note that in the fifteen years since active speed limiting was introduced, no
examples of it failing are known.

The worst-case scenario for the throttle body is that the plate jams at wide open.
The design takes care to make this a very unlikely event. In the event that this
occurs, the engine power is constrained by the engine speed limit using fuel. The
hunting of the engine around the control point will be more extreme, since the
engine will accelerate beyond the limit with greater speed. So even under these
conditions, the possibility of unconstrained acceleration is limited.
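The fuel-cut speed limiting described above, and the more extreme hunting with the throttle jammed wide open, can be seen in a small simulation. This is an added example, not code from the paper: the engine model (constant acceleration while fuelled, constant deceleration with fuel cut, for an unloaded engine), the combustion lag between a fuel command and its effect, the 1 ms time step and the acceleration values are assumptions; the 3000 rpm limit is the paper's typical value.

```python
"""Engine speed limiting by fuel disable, simulated for an unloaded engine at
part throttle and with the plate jammed wide open. Added example; the engine
model and lag are assumptions."""
from collections import deque

LIMIT_RPM = 3000.0   # typical value from the paper
DT_S = 0.001         # assumed simulation step


def simulate_fuel_cut(accel_rpm_s, decel_rpm_s, lag_s=0.05, seconds=5.0, start_rpm=800.0):
    """Return (peak rpm, number of fuel cuts, fraction of time fuelled).

    accel_rpm_s is the acceleration while fuelled (higher when the plate is
    jammed wide open); lag_s models fuel already injected that still burns
    after the cut is commanded, which is what sets the overshoot."""
    lag_steps = max(1, round(lag_s / DT_S))
    in_flight = deque([True] * lag_steps)   # fuel already injected, still to burn
    rpm, peak, cmd_fuel, cuts, fuelled = start_rpm, start_rpm, True, 0, 0
    steps = round(seconds / DT_S)
    for _ in range(steps):
        if cmd_fuel and rpm > LIMIT_RPM:
            cmd_fuel = False            # inhibit injection above the limit
            cuts += 1
        elif not cmd_fuel and rpm < LIMIT_RPM:
            cmd_fuel = True             # re-enable once speed has dropped back
        burning = in_flight.popleft()   # command issued lag_s ago takes effect now
        in_flight.append(cmd_fuel)
        rpm += (accel_rpm_s if burning else -decel_rpm_s) * DT_S
        peak = max(peak, rpm)
        fuelled += burning
    return peak, cuts, fuelled / steps
```

The peak never exceeds the limit by more than the speed gained during the lag (accel multiplied by lag, plus one step of crossing granularity), which is why the wide-open case hunts harder but stays bounded; the repeated cuts are the hunting the text describes.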

The key measure of driver demand is made via a two-track pedal sensor. Should
these tracks disagree, the signal is qualified using the brake pedal inputs. The
assumption is then made that if the brake is depressed, the engine power is not
required, and any pedal demand is disregarded. If both accelerator tracks are lost, a
raised idle speed is allowed to offer continuing vehicle availability.
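The pedal qualification above, as an added example that is not code from the paper. The sensor voltage range, the half-slope second track, the 5% agreement tolerance, the choice of the lower track when the tracks disagree and the brake is not pressed, and the raised-idle demand are assumptions; the paper states only that the brake qualifies a disagreement and that a raised idle is allowed when both tracks are lost.

```python
"""Qualification of the two-track accelerator pedal sensor against the brake
pedal, with raised idle when both tracks are lost. Added example; ranges,
tolerance and the lower-track rule are assumptions."""
from dataclasses import dataclass

V_MIN, V_MAX = 0.5, 4.5     # assumed valid range of track 1 (outside: open or short)
TRACK2_RATIO = 0.5          # assumed: track 2 reads half the voltage of track 1
AGREE_TOL = 0.05            # assumed allowed disagreement, fraction of full travel
RAISED_IDLE_DEMAND = 0.15   # assumed demand substituted when both tracks are lost


@dataclass
class PedalDemand:
    fraction: float   # 0.0 (released) .. 1.0 (fully depressed)
    status: str


def track_fraction(volts, ratio=1.0):
    """Convert a track voltage to pedal fraction, or None if out of range (open/short)."""
    v = volts / ratio
    if not (V_MIN <= v <= V_MAX):
        return None
    return (v - V_MIN) / (V_MAX - V_MIN)


def pedal_demand(track1_v, track2_v, brake_pressed):
    """Derive driver demand from two pedal tracks, qualified by the brake switch."""
    f1 = track_fraction(track1_v)
    f2 = track_fraction(track2_v, TRACK2_RATIO)
    if f1 is None and f2 is None:
        # both tracks lost: keep the vehicle available at a raised idle
        return PedalDemand(RAISED_IDLE_DEMAND, "both tracks lost: raised idle")
    if f1 is not None and f2 is not None and abs(f1 - f2) <= AGREE_TOL:
        return PedalDemand((f1 + f2) / 2.0, "tracks agree")
    # tracks disagree or one is lost: qualify the demand with the brake pedal
    if brake_pressed:
        return PedalDemand(0.0, "disagreement, brake pressed: demand disregarded")
    surviving = [f for f in (f1, f2) if f is not None]
    return PedalDemand(min(surviving), "disagreement, no brake: lower track used (assumption)")
```

Out-of-range voltages, not just disagreement, are treated as a lost track, because a short to supply or ground on one track would otherwise read as a large, and wrong, demand.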

5 Scope of Indirect Monitoring

The scheme explained could best be described as indirect monitoring. This is in
contrast to direct monitoring schemes where the status of the plant is directly
observed by the monitor.

This indirect monitoring scheme is suitable for control systems such as Electronic
Throttle Control. It may be suitable when an incremental control is added to an
existing complex control function and for which a passive safe state can be
defined.

The architecture is not suitable for systems that require uninterrupted functioning
such as steering or brake systems.

The architecture described here may be described as a single channel system with
both internal and external self-diagnosis. Robust fault management supplements
this.

6 References
[Bederna 99] Bederna F. et al: Method and arrangement for controlling the
drive unit of a vehicle, US Patent 5,880,568, 1999.

[UL 94] Underwriters Laboratories Inc: Standard for Safety Related
Software, UL 1998, First Edition. [see www.ul.com]
