Toyota, sans technophobia and hype

Here is my take on the failures of the Toyota drive-by-wire accelerator system. I am not taking into consideration floor mats, unskilled or panicked drivers, or liars. Nor do I include what to do in such a situation, or whether the brake or shifter will function correctly. There are enough reports to indicate that something is occurring under the hood, even leaving out these factors.

First, about "drive-by-wire" systems: The pedals on a Toyota or other similar electronically controlled vehicles aren't really fancy. All they do is output a DC voltage which increases smoothly between totally closed and totally open throttle positions. Basically, they function like a dimmer switch or volume knob. Before the vehicle's on-board computer can decide what to do with those voltages, it must first convert them to a binary or hexadecimal number. This is how your digital bathroom scale works, for instance.

1 - First, despite accounts of the accelerator pedal "being sucked down to the floor", there is no mechanical or electrical way for this to have happened. There are simply no connections to the pedal that bear any physical force against it, other than the return springs (there are two). If these were to break or release from their retention points, they would not cause the pedal to retract. Nor would they repair themselves and make the vehicle drivable again. Yet, some of the stories from customers have the car being driven after a sudden acceleration event. There does exist a friction mechanism, sort of like a bicycle brake pad, that gives the pedal a more natural, fluid feel instead of feeling like the spring-loaded lever it is. Toyota engineers in fact identified this as the source of stuck throttle reports and responded with a metal shim to prevent the pedal from bearing down quite so far onto the friction material. The fix seems to have worked in some cases, but not all.

2 - Secondly, the likelihood of the kind of wiring fault posited by Gilbert causing both a sudden acceleration and a failure by the computer to register an error code is vanishingly slim. See a video here debunking Gilbert's scenario. To sum it up for those not wishing to view the video: the combination of two open wires shorting to each other and grounding against the vehicle with just the right amount of electrical resistance (200 Ohms) while a third open wire contacts 5 or 12 volts DC can be effectively ruled out simply because of the physical unlikelihood. Plus, such wire faults are not difficult for any trained mechanic to discover.

3 - The fact that several customers have reported additional fails - of the cruise control turning on at the same time as the over-acceleration event, for instance, suggests some common point of failure. The ECS, or engine control system (computer) is far and away the likely suspect here. An ECS fail may be hardware related: a marginal solder joint or component or an open circuit board trace, for example. It may be a circuit that is responding to RFI (radio frequency interference) or EMI (electromagnetic interference), which could be induced by nearby cellphones or power lines. It can also be a memory or microprocessor part that has experienced an ESD (electrostatic discharge) event, which doesn't always cause an immediate failure. My old digital theory instructor used to refer to such devices as 'pregnant'.

A computer fail can also be due to software, or firmware in this case. There are many thousands of lines of code that go into making any digital electronic device work. While each firmware "drop" undergoes testing before the final release, there is simply no way of anticipating and correcting every possible failure, particularly in complex systems.

To sum up - the cases which do not involve stuck pedals, floor mats, panicked, mistaken or lying drivers are unlikely to have been caused by faulty pedals or wiring harness failure. It is much more likely that the on-board computer, or ECS, has been at fault. In my opinion, it is probably a software bug. But then, I'm a hardware tech, and inclined to blame firmware whenever possible. :)

and those are HARD AS HELL to find...

It could be a mixture but in my view it is chiefly a firmware issue.

Some of the cases point clearly to one, at least in my view.

And everything else has been distraction... since finding the real issue will be ahem painful to do. In fact, harder than a Point of Failure problem... since we are talking of millions of lines of code.

We live in a soup of radiation. Have since the sun first turned on with it's solar flairs.

Aircraft use this drive (fly) by wire and have for a decade or more with no problems we can pin on the system.

Cars have to be made cheap and shielding plus filtering of extraneous radiation is expensive.

If it isn't a firmware or software issue it just might be a shielding issue.

There are lots of reasons to use drive by wire. It allows the passenger compartment to be isolated, it's cheaper, it can interact with other systems like steering and breaking and it's just a reliable as a mechanical link with all it's failure points.

It's a good idea and a sound technology but like all technologies it has risks. Unfortunately with today's mass manufacturing processes when you have a glitch you've got a whole bunch of 'em.

I agree that the current "acceleration problem" with Toyota cars is very likely a firmware (software) problem.

I say this from having worked with electronic hardware (analog and digital) and computer software systems (mainframe to PC) for many years.

The complexity of software and the difficulty in finding and fixing bugs increases geometrically with the size of the program and the number of programmers working on a software system. ("Too many cooks spoil the broth" is as true of computer programming as it is of creating a culinary masterpiece.)

My first thoughts when I heard of the "acceleration problem" is that it was software bugs or hardware failure involving the drive-by-wire throttle control, cruise control, and antilock braking systems.

Bundling all functionality into one unit (the onboard computer) is asking for trouble. In the early days of high fidelity, a high quality system would be assembled by connecting together units consisting of a separate tuner, tape deck, turntable, preamplifier, power amplifier, and speakers. A big virtue of this methodology was that if one unit malfunctioned, it was easy to track down the problem, and one could substitute another unit into the system to keep it operational, while the defective unit was being repaired.

When manufacturers started making "all-in-one" units, a defect in any one part could make the entire unit unusable, and in any case, the entire unit would have to be sent for repair.

Having a central computer controlling a large amount of functionality by running a large, complex program is building a very fragile system, where a simple failure in one part can cause catastrophic consequences and can override any failsafe features designed into the system.

There were unintended acceleration incidents for several model cars besides Toyota including cars from Ford, GM, and Chrysler during the years from 2005 to 2010. This suggests that centralizing a car's control in a computer is itself a design flaw that is not limited to Toyota products.

From my experience, a better approach would be to design separate, independent control systems each one having its own failsafe system, like in the separate component hi-fi system described above, so that a failure in one part will not affect other parts of the system. Another benefit would be reduced complexity for any one component of the system.

The general public does not understand that a complex piece of electronic equipment costing $1,000 can be made useless by a defective part that costs less than a dollar (in one case, a zener diode).

The only way to deal with this kind of situation is with failsafe design, separate control systems, and redundancy.

I've found a bit more info on Toyota's system in viewing other sites. The two voltages from the pedal get routed through the same quad op amp and arrive on adjacent pins at the Fujitsu TDFP11 processor that functions as the "brain" for the whole system. That's right; the analog-to-digital conversion is packaged into the same chip that does the math and makes decisions. It's cheaper to eliminate parts and reduce board space this way.

I realize the move in recent years has been toward cramming more and more functionality into ASIC's (Application Specific Integrated Circuit). I have no evidence that would point directly towards this as the culprit in Toyota's case, but it does make you wonder about the unintended consequences.