Friday, February 26, 2010

No Wonder They Beat The U.S. Team!

After they beat the U.S. women's hockey team, Team Canada celebrated in the rink with beer and cigars.  This explains how they beat the U.S. team--they are actually men!  News story here.

Actually, the medal ceremony for women's hockey was very nice, as the mostly Canadian crowd chanted USA! USA! after the American team was awarded the silver medal.  It was generous, considering that the Canadians had been beaten in men's hockey by the U.S.

Thursday, February 25, 2010

In Defense of ETC Part 2; Professor Gilbert's Test

In his testimony to the House Oversight Committee, Professor David W. Gilbert described how he was able to induce unintended acceleration in a Toyota ETC system.  You can read his remarks here. Gilbert was hired by Safety Research Strategies, a "safety advocacy" group which is primarily a research and consulting firm for trial lawyers and plaintiffs.

Gilbert's testing found a hole in Toyota's diagnostics for their ETC system.  To fool the system, he had to induce a highly unlikely failure.  Toyota's system uses two pedal position sensors, separated by several centimeters inside the pedal housing, whose signal wires leave on a common harness.  Gilbert shorted the signal wires of the two sensors together through a resistor.  By carefully choosing the resistor, he found a short combination that the Toyota diagnostics did not detect.  However, the short alone was not enough to cause unintended acceleration.  To do that, Gilbert had to take the shorted wires and add a second connection, to the power wire on the harness.  With both sensor signal lines pulled toward the power line, the throttle opened, because the ECU read the high voltage on both lines as a large pedal command.  Because the two signals stayed within the expected range of one another, the cross-check between them did not flag the fault.

To produce this purely electronic unintended acceleration event, Gilbert had to inject two faults into the system.  In the business, this is called a multi-point failure.  It is similar to saying, "what if your gas tank was leaking and your wheel fell off, creating sparks?"  Because the sensors are separated in the throttle pedal housing, the only feasible way for this failure to occur, in my opinion, is for the wiring harness to be cut or frayed such that the signal wires are exposed and electrically shorted together, but not cut through.

Toyota hired the respected engineering consulting house Exponent to do an outside check of their ETC fault robustness.  The full report is here.  Exponent bought several different Toyota vehicles, spliced into the ETC wiring harness, and inserted various types of faults, using engineering data provided by Toyota.  All of the faults that Exponent inserted were quickly detected by Toyota's system.  The difference in methodology from Gilbert's testing was that Exponent limited their faults to the more likely type, single-point failures, in which a single wire or signal is compromised.  A single-point test campaign cannot, by construction, reach Gilbert's case, which needs two lines driven at once.
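To make the difference between single-point and multi-point faults concrete, here is an added toy model (not code from Toyota, Gilbert or Exponent) of a two-channel pedal position sensor with range and plausibility diagnostics, plus a small fault-injection harness.  It also illustrates the redundant-sensor cross-check described under "Robustness" in Part 1 below.  The voltages, the valid band, the tolerance, the value the lines settle at in the two-fault case, and the modelling of a resistor short as both lines settling at their average are all assumptions for illustration, not Toyota's figures.  The first design has both channels output the same voltage for a given pedal position; the second runs channel B at half the slope of channel A, so a common-mode fault that pulls both lines to one voltage no longer looks like a valid pedal reading.

```python
# Added toy model of a dual-channel pedal sensor with range and plausibility
# diagnostics, plus a fault-injection harness.  All voltages, bands and
# tolerances are assumptions for illustration, not Toyota's figures.

V_SUPPLY = 5.0
V_MIN, V_MAX = 0.3, 4.7   # valid band; outside it the ECU treats the line as open or shorted to a rail
TOL = 0.15                # allowed disagreement between channels, in volts
IDLE = 0.0                # pedal released (1.0 would be floored)


def same_gain(pos):
    """Design 1: both channels output the same voltage for a given pedal position."""
    v = 0.5 + 4.0 * pos
    return v, v


def half_gain(pos):
    """Design 2: channel B runs at half the slope and offset of channel A."""
    return 0.5 + 4.0 * pos, 0.25 + 2.0 * pos


def position_from_a(va):
    """Pedal position implied by channel A (both designs share A's transfer function)."""
    return (va - 0.5) / 4.0


def diagnose(design, va, vb):
    """Range-check each channel, then cross-check B against what A implies.
    Returns (status, throttle_request); any detected fault requests zero throttle."""
    for v in (va, vb):
        if not V_MIN <= v <= V_MAX:
            return "FAULT_RANGE", 0.0
    pos = position_from_a(va)
    if abs(vb - design(pos)[1]) > TOL:
        return "FAULT_PLAUSIBILITY", 0.0
    return "OK", min(max(pos, 0.0), 1.0)


# Single-point faults: one thing goes wrong.  A resistor between A and B is
# modelled as both lines settling at their average (equal source impedances assumed).
SINGLE_POINT = {
    "A to ground":      lambda va, vb: (0.0, vb),
    "A to supply":      lambda va, vb: (V_SUPPLY, vb),
    "B to ground":      lambda va, vb: (va, 0.0),
    "B to supply":      lambda va, vb: (va, V_SUPPLY),
    "A-B via resistor": lambda va, vb: ((va + vb) / 2,) * 2,
}


def run_single_point(design, pos=IDLE):
    """Inject each single-point fault at the given pedal position; return fault name -> status."""
    va, vb = design(pos)
    return {name: diagnose(design, *fault(va, vb))[0] for name, fault in SINGLE_POINT.items()}


def two_point_fault(design, v_common=4.4):
    """Second fault on top of the A-B short: both lines tied to the supply through a
    resistor so they settle together at v_common, inside the valid band (assumed value)."""
    return diagnose(design, v_common, v_common)


if __name__ == "__main__":
    for design in (same_gain, half_gain):
        print(f"== {design.__name__} ==")
        for name, status in run_single_point(design).items():
            print(f"  single-point {name:18s} -> {status}")
        status, throttle = two_point_fault(design)
        print(f"  two-point A-B + supply   -> {status}, throttle request {throttle:.3f}")
```

Run as a script, it prints one table per design.  In the same-gain design every short to a rail trips the range check, the resistor short between A and B is silent but harmless at idle (both lines already agree), and the second fault turns that silent short into a throttle request near wide open with every diagnostic still reporting OK, which is the shape of Gilbert's result.  The half-gain design catches both the A-B short and the two-point fault, because a single voltage imposed on both lines is no longer a plausible pair of readings.  The lesson for any redundant-sensor check: two channels that one common-mode fault can drive to the same value are not independent evidence, however many times a second you compare them.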

In short, Gilbert proved that by manipulating the system just so, he could break it.  But his failure mode is not something that is remotely likely to occur in the real world.  Gilbert produced what Safety Research Strategies, ABC News, and some congress members wanted: a dramatic demonstration.  But he didn't find a smoking gun.


Wednesday, February 24, 2010

Rep Burton: "Why are the pedals different?"

Rep Burton (R-Ind): "Why are the two pedals different?" (Actually holding up pedals)

Toyoda: "Sometimes suppliers design the pedal and Toyota approves them, and we used two different suppliers".  

Toyoda: "Customer misuse is a factor"

Oops.  Toyoda just stated that one of four aspects of the runaway acceleration problem is "customer misuse".  He's going to catch hell for that, later!

Toyota ETC Videos

Edmunds' Inside Line blog has posted a 17 minute long video from Toyota which explains in some detail how their ETC system works.  It is at a layman's level, so you don't need an engineering degree to understand what they are showing.

Link

In Defense of ETC Part 1

When I get a chance to review Prof. Gilbert's report on how he fooled Toyota's Electronic Throttle Control (ETC) system, I will post comments.

For now, I'd like to take a few lines to defend ETC in concept.

ETC has some significant advantages over mechanical throttle linkages.

  • Fuel economy: actual throttle flow can be optimized based on operating conditions, and pedal position is used to infer driver intent.  For example, someone with a shaky foot can be "smoothed out". 
  • Mechanical simplicity, weight, and cost: Using ETC means you can get rid of the idle air control valve, throttle cable, and cruise control actuator.  Fewer things to break.
  • Robustness: ETC systems have built-in algorithms for unusual conditions.  For example, the throttle plate can be shaken very quickly by the motor, as an "ice breaker", if the throttle plate is iced.  There are no cables to bind up or corrode, no exposed return springs to break.  The system has independent CPUs which monitor the throttle plate position and pedal position hundreds of times a second, with fail-safe algorithms to shut the thing down if something unexpected happens.  ETC has redundant sensors, which are used to check that the information coming into the ECUs is reliable and self-consistent.  In a mechanical throttle system, the only failsafe is the driver's foot--if the thing is stuck, you pump it and pray it gets unstuck.

Trial lawyers try to sow FUD (Fear, Uncertainty, Doubt) about "complex electronic systems", and throw out scary "what if" scenarios, to try to win cases and big money.  But engineers know that complex systems are designed, tested, and validated over many years before being released into production, and are tested against every failure the designers can conceive.  ETC systems must be qualified over a range of temperatures and under wide-band electromagnetic interference testing.  Failure modes, such as cut wires, broken sensors, damaged actuators, etc., are all tested using a process called FMEA (failure mode and effects analysis).  FMEA grew out of U.S. military reliability procedures and was adopted by NASA as a way to think through a system's reliability and pin down the possible ways it could break; tests are then designed to validate the system under those conditions.

Is it possible that Toyota screwed up the FMEA, or cut corners, and has a dangerous-but-rare condition with their ETC system?  It is possible.  But given the excellence of Toyota's engineering, I would be surprised. 


Tuesday, February 23, 2010

Toyota's Lentz Weeps

Toyota USA's Lentz, relating how his 30 year old brother was killed in a car accident, got teary eyed while answering a question for Rep. Rush (D-Ill).