If you have a Toyota vehicle (in the model year 2002-2010) that exhibits sudden unintended acceleration, please contact me at raj at ece.cmu.edu.

Also, please check out my blog on Automotive Safety at http://safecars.wordpress.com for my additional thoughts on this topic. Your comments are welcome.

Can Electronic Throttle Control Failure Lead to Unintended Acceleration of Cars?**

Prof. Raj Rajkumar
Electrical & Computer Engineering
Carnegie Mellon University

Jeff Butler
Licensed Marine Engineer
Retired Power Plant Manager

February 8, 2010

First version on Jan 28, 2010
Updates on February 03 and February 4, 2010



Abstract

We try to answer the question: "Can there be a fault in the electronics of the electronic throttle control systems of recalled Toyota cars that causes sudden unintended acceleration?". According to Consumer Reports, Toyota vehicles have a market share of 16% in the US but their share of reported vehicles with sudden unintended acceleration is 41%. We review some design choices that Toyota engineers seem to have made in the design of their electronic throttle control systems (called ETCS-I). We highlight one particular feature that must be studied very closely. ETCS-I and other electronic subsystems in these Toyota vehicles seem to lack a sufficient number of voltage spike suppressors (also called voltage shunts) across different coils in these systems (including relays, motors and solenoids). Toyota's 2007 base Camry 2.4L model, for example, shows 20 relays in its electronic systems, none of which are protected by a surge protection device. It also has 4 ignition coils, which are protected by one shared surge protection device (referred to as a 'noise filter'). There are 3 additional surge protection devices (noise filters) dispersed throughout the vehicle. This absence of an adequate number of voltage spike suppressors could cause large voltage spikes (even in the range of 1000 to 1500V) that last a few microseconds each. Over time, these voltage spikes can damage the semiconductor chips/logic that control the throttle. If the unpredictable damage that occurs ends up leaving the throttle partially or fully open, the vehicles can accelerate without driver input. NHTSA data seem to indicate that such failures are not common, but ought to be studied by Toyota and NHTSA as a genuine point of concern.

Context

Toyota has recalled and has even temporarily stopped production of many of its best-selling models. This development has stunned the automotive industry given Toyota's steady rise to the top of the global automotive market and its traditional emphasis on quality. The recalls and production stoppage are a result of some high-profile accidents, and several hundred complaints about unintended acceleration. The situation has also caused understandable concern among many car-owners. The causes for the reported incidents potentially include the following:

  1. Driver error: In a panic situation, a driver can accidentally ride the gas pedal while meaning to press the brake pedal.
  2. Floor mats: The gas pedal may get stuck on the floor mat. A high-profile accident that killed a highway patrol officer in California seems to be due to the improper installation of a floor mat that resulted in the gas pedal being stuck.
  3. Stuck levers: Under certain conditions, a gas pedal may be stuck in the pressed state or return very slowly to its normal unpressed position. Toyota and CTS, makers of the pedals in question, have pointed to some material choices and presence of moisture as possible contributors.

While each of the above causes clearly underlies many reported situations, there have also been reports where none of the above causes seems to provide a satisfactory explanation. For example, in one car that was speeding before ending up in a fatal accident, the floor mat had been apparently removed and was found in the trunk. In another incident, the throttle of a car was racing but no stuck levers were found.

It must also be added that the NHTSA database contains incidents of unintended acceleration on models from many manufacturers. However, a disproportionate number of such incidents seem to be from Toyota cars. There have been around 2000 complaints of sudden acceleration of Toyota cars, and it is alleged that these incidents have caused 16 deaths and 243 injuries. There also seems to be some quantitative evidence that the number of unintended acceleration problems associated with Toyota vehicles increased by a factor of 10 after Toyota introduced an "Electronic Throttle Control System with Intelligence" (ETCS-I) in 2002. Electronic throttle control systems replace the mechanical coupling between the accelerator pedal and the engine throttle with a wire that transmits electronic signals representing the extent to which the accelerator pedal is pressed. These signals are then interpreted by an Electronic Control Module (ECM) that opens or closes the engine throttle to allow gas and fuel to enter the engine.

This article tries to answer the question: "Can there be a fault in the electronics of the electronic throttle control systems of these cars?". Many lawsuits have apparently been filed specifically with such an allegation.

Toyota ETCS-I Features

The ETCS-I electronic throttle system uses electronics to sense and communicate commands to control the engine throttle, instead of the traditional mechanical/wire coupling. ETCS-I improves engine performance, fuel economy and emission quality. This is done by optimally controlling the throttle angle using input from the accelerator pedal and ECU (Electronic Control Unit - a small computer that serves as the brain of this system), replacing a cable-operated throttle in previous generation systems.

Possible Error Sources for Electronic Throttle Control

The following could be possible reasons why any problems in the electronic throttle system have gone undetected to date.

  1. No mechanical fail-safety: It appears that there are no mechanical fail-safe features in ETCS-I. According to a legal complaint, a redundant mechanical linkage between the gas pedal and the engine throttle control was considered but not included in the final design. One could speculate that cost-benefit considerations played a role in this decision.
  2. No smart brakes: As has been widely reported in the press, compared to other carmakers, particularly German ones, Toyota cars currently do not have smart brakes that, when pressed, override the throttle and close it completely.
  3. No electronic redundancy: It appears that there are no electronic backup systems in the ETCS-I. In other words, if the ECU (the brain of the ETCS-I) fails for some reason, there is no backup for that ECU that can step in. Alternatively, the outputs from two ECUs could be compared and if the two do not agree, the system can in principle go into a fail-safe or "limp-home" mode. Such redundant systems clearly cost more. In the future, safety-critical subsystems such as drive-by-wire and brake-by-wire functions may need to consider such redundancy. A patent by an inventor from Toyota presents one such possible design.
  4. High-voltage electrical spikes: Coils used in motors, relays and solenoids, when powered by the automotive DC supply, generate a magnetic field. When DC power is removed, the magnetic field collapses and becomes its own (temporary) electrical power source. This generates an electrical pulse that can last for a short amount of time (typically of the order of microseconds). Interestingly, this can be a high-voltage signal, albeit short-lived. This high-voltage electrical spike, when applied repeatedly over time, can damage the semiconductor logic in the ECUs causing them to behave unpredictably in the presence of the spikes. Outputs from the ECUs could therefore cause unintended effects, including leaving the engine throttle in a fully or partially open state. Eventually, the ECUs will fail completely but before they do, the ECUs will not show any errors when tested in the lab. That is, before this error manifests itself, NO symptoms will be visible. So, the electronics will show itself to be non-culpable in the lab but they can be the misbehaving components in the vehicle [1]. The ETCS-I could also use a Hall Effect sensor which could potentially induce spikes if not carefully designed. Finally, in all such circuits, it is customary to add a mechanism called a voltage shunt that prevents any generated spikes from reaching sensitive electronics. The presence and efficacy of any shunts in ETCS-I need to be checked.

To re-emphasize, the absence of a voltage shunt (or spike suppressor) can manifest itself in two potentially insidious ways:

  1. Any voltage spikes that occur have very short lifetimes of the order of microseconds. So, unless one is specifically looking for these spikes, one cannot see them. As incremental damage accumulates over time, vehicles with these electronics subsystems will behave correctly until some threshold is crossed. So, the negative effect of the absence of these shunts is, at least at first, NOTHING. This would explain why Toyota engineers have been unable to detect any flaws in their extensive testing in the lab.
  2. Secondly, over time, the logic within these electronic systems can get damaged and behave in very unpredictable ways. When will the damage occur if it does? In which vehicle(s) will the damage happen if at all? What will the extent of any damage be? What will the actual functional impact of any damage on throttle control and other electronic functions be? These are good questions, but answers to them are all inherently unknowable. Empirical evidence tends to offer the best guidance in this regard.

Rough Failure Estimate

The volume of complaints regarding sudden unintended acceleration in the NHTSA database seems to indicate that such misbehavior is not very common. It is difficult to exactly quantify the potential rate of failure without extensive testing and potential reclassification of current data. A crude current estimate is that about 1 in 10,000 vehicles could encounter some electronics problems (based on a few hundreds of possible complaints in this category out of a few million recent-year Toyota vehicles in the US). Errors in this estimate can arise from incorrect classification of problems (driver error being classified as sudden unintended acceleration, or vice-versa, for example) and unregistered complaints. Another trend worth studying will be whether the failure rate increases or stabilizes with the age of the vehicle. An increasing rate of failure with vehicle age will be consistent with the notion of voltage spikes damaging the electronics.

What Needs to be Tested?

In order to rule out the ETCS-I as a possible source of problems, Toyota and NHTSA should test the following aspects of the electronic throttle systems within the car models in question.

  1. Check if any fail-safe features are indeed present. If so, check for failures of the fail-safe features themselves. Revisit all assumptions and probabilities about fault models and failure rates.
  2. Enumerate all coils, motors, solenoids, relays, and magnetic field sensors such as Hall Effect sensors.
  3. Check for voltage spikes using a power-disturbance analyzer (or a high-end high-frequency digital oscilloscope). High-speed transients, in particular, must be captured. Spikes may last only for a few microseconds but their amplitudes could be high.
  4. Stress-test an ECU (Electronic Control Units or processors used) with several (possibly hundreds of thousands) voltage spikes.
  5. Check for high or stuck values generated by the ECUs particularly when spikes are generated or after stress testing. (Also, check values sent to the throttle control motors, outputs from analog-to-digital subsystems, and all associated outputs). Checking ECUs and electronics in quiescent conditions may not necessarily offer any useful information. It is possible that these voltage spikes eventually damage some electronics, which in turn start behaving erratically and unpredictably. Eventually, a failure that leads to a throttle being left open can cause sudden unintended acceleration.

Is This Theory Evidence-Based?

Establishing conclusively whether short-lived but large voltage spikes damage the ECU or other ETCS-I components requires extensive testing of many Toyota cars with power disturbance monitors (or digital oscilloscopes). This can currently most effectively be done by Toyota or NHTSA. Testing of cars which have seen sudden acceleration (not attributed to entrapment by floor mats or by sticky pedals) would yield much greater insight (i.e. 'observability'). Such voltage spikes will be short-lived and once they have disappeared, the car will indeed behave normally - there will be no telltale signs showing malfunction. This is a primary reason why even extensive testing will not detect the occurrence of the problem under normal lab conditions. Adding voltage shunts across every coil or every ECU pin should help resolve the issue.

Voltage spikes of the above kind have caused problems in many other situations. The Space Shuttle Discovery in 2005 encountered for months a vexing problem with its Engine Cut-Off (ECO) sensors and had tens of NASA engineers studying the problem at one time. Eventually, the problem was traced to short-lived voltage spikes generated not within the ECO subsystem but propagated to the ECO subsystem from within another electric circuit. There are also known cases where spikes along wires on the electric grid caused problems in factories more than half a mile away. Many consumers today are aware of the damage that spikes from lightning and other sources can cause to their electronic appliances and computers. The solution for these cases is to plug electronic equipment into appropriately-sized surge suppressors. For internally generated spikes, voltage shunts are required within the subsystem being protected.

Comparison of Electronics in Toyotas and Other Vehicles

Toyota vehicles, as noted by Consumer Reports, have a disproportionate number of vehicles that have exhibited sudden unintended acceleration (16% US market share but 41% of these problems in 2008). Similarly, Ford had 16% US market share and 28% of the problems with 2008 models. Conversely, Chrysler (12% market share and 9% of problems), General Motors (23% market share and 5% of problems), Honda (10% market share and 4% of problems) and Nissan (6% market share and 3% of problems) encountered fewer problems with sudden acceleration relative to their market share.

Some media reports indicate that some accidents point to electronics as a possible source of problems. Given the data about sudden unintended acceleration and anecdotal information, we looked at whether there are different design approaches used by these carmakers on their electronic subsystems. We compared 2007 models, for which wiring information of the electronic subsystems was available. A quick summary of our findings is given below.

The 2007 Toyota Camry 2.4L model has 20 relays, none of which is protected by a voltage spike suppression mechanism. Please see Figure 1 below for a sample. There are 4 ignition coils which share a single voltage spike suppression mechanism. Three additional voltage spike suppression mechanisms are dispersed throughout the vehicle. Toyota refers to these devices as noise filters. (A similar study of the 2003 Toyota Matrix showed that none of the relays in it had any voltage spike suppression mechanisms, and one shared noise filter was used across all 4 ignition coils. Another noise filter was located on the rear defogger circuit. This tendency to use fewer voltage spike suppressors, therefore, appears to be a Toyota design approach for quite a few years now. This vehicle was chosen since it was available to the authors).

Figure 1. 2007 Toyota Camry 2.4L Relays without Voltage Spike Suppression.

The 2007 Buick LaCrosse 3.6L has 14 relays, with all having voltage spike suppression mechanisms. There are 6 ignition coils, each with its own voltage spike suppression mechanism. Figure 2 shows an example of such usage on the LaCrosse.

Figure 2. 2007 Buick LaCrosse 3.0L Relays with Voltage Spike Suppression.

According to technical specifications from Tyco Electronics, a supplier to the automotive sector, a simple resistor across a relay/coil helps to suppress its voltage spikes. (The resistor is the zig-zag symbol to the left of the wiggly/spiral coil within the green ovals of Figure 2.) The 2007 LaCrosse has these resistors across its relays but the Camry does not. Tyco also indicates that there are better suppression mechanisms than resistors but these alternatives* may be ill-suited for use in printed circuit boards. Automobiles are likely to have such printed circuit boards.

Potential Rationale for Toyota's Choice

A natural question to ask would be "Why would Toyota not protect each of its relays with voltage spike suppression mechanisms?". The question is even more relevant since the addition of a single resistor across a relay will introduce minimal additional costs. Consider the following.

Adding a voltage spike suppressor across a relay could reduce the lifetime of the relay itself. Tyco notes (on page 3) that "The best protection method ... has the worst influence on lifetime of the relay." In other words, if the voltage spikes are trapped across the relay itself, this causes relay damage over time! Therefore, there is a built-in tradeoff. One can suppress the spikes across the relay, potentially reducing its reliability and requiring its replacement over time. On the other hand, the spikes can be not trapped across the relay and possible damage to other circuits could happen. The designer is certainly between a rock and a hard place.
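The trade-off described above can be put in numbers with the standard series R-L model of a relay coil shunted by a resistor. The C sketch below is an added example, not taken from the article or from Tyco's specifications; the coil resistance and inductance, the drop-out ratio and the shunt values are all assumptions chosen for illustration.

```c
#include <stdio.h>

/* Assumed relay and supply values for illustration; not measurements from any vehicle. */
#define SUPPLY_V       12.0   /* nominal automotive DC supply, volts */
#define COIL_OHMS      80.0   /* coil winding resistance, ohms */
#define COIL_HENRY      0.1   /* coil inductance, henries */
#define DROPOUT_RATIO   0.2   /* armature assumed to release at 20% of steady current */
#define STEP_S          1e-6  /* integration step: 1 microsecond */

typedef struct {
    double peak_volts;   /* magnitude of the spike across the coil at switch-off */
    double release_us;   /* time for the coil current to fall to the drop-out level */
} kickback_t;

/* Model a coil with a suppression resistor of shunt_ohms across it.
 * At switch-off the steady coil current is forced through the shunt, so the
 * spike is I0 * Rshunt; the current then decays through Rcoil + Rshunt. */
kickback_t coil_kickback(double shunt_ohms)
{
    kickback_t r;
    double i0 = SUPPLY_V / COIL_OHMS;   /* steady-state coil current */
    double i = i0;
    long steps = 0;

    r.peak_volts = i0 * shunt_ohms;

    /* Forward-Euler integration of L di/dt = -(Rcoil + Rshunt) * i. */
    while (i > DROPOUT_RATIO * i0) {
        i -= i * (COIL_OHMS + shunt_ohms) / COIL_HENRY * STEP_S;
        steps++;
    }
    r.release_us = (double)steps * STEP_S * 1e6;
    return r;
}

int main(void)
{
    /* Constructed shunt values, from strong to weak suppression. */
    const double shunts[] = { 80.0, 330.0, 680.0, 2200.0 };

    printf("%10s %12s %14s\n", "shunt(ohm)", "spike(V)", "release(us)");
    for (int k = 0; k < 4; k++) {
        kickback_t r = coil_kickback(shunts[k]);
        printf("%10.0f %12.1f %14.0f\n", shunts[k], r.peak_volts, r.release_us);
    }
    return 0;
}
```

In this model a smaller shunt resistor gives a lower spike but keeps current flowing in the coil for longer, which is the designer's dilemma the paragraph above describes.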

Relay manufacturers recommend that any damage to other electronics be verified before relays are left unprotected. It appears that Toyota allows voltage spikes caused by relays to get into the wiring system of the vehicle. However, 3 noise filters dispersed throughout the vehicle then may attempt to reduce the impact of these spikes. Testing by Toyota may have indicated, to their satisfaction, that voltage spikes were reduced and/or damage to other electronics components did not occur. The duration and stress levels of their testing must, in principle, be strong enough to evaluate the long-term impact on aging vehicles with different operating conditions (such as natural changes in driving patterns and seasonal temperature variations). Questions may arise in this regard which Toyota and NHTSA may want to address.

How to Fix Any ETCS-I Problems?

If indeed any of the problems we cite above are found in the ETCS-I, one or more of the following options can be adopted:

  1. Add electrical shunts that allow high voltages to be bypassed before they reach the electronic (solid-state) components. One possibility to seriously consider would be the addition of a shunt across every coil and/or to all input pins of the ECU chip.
  2. Backup electronic components with independent electrical circuits may need to be added.
  3. Add smart brakes/throttles which allow the throttle system to be disengaged if the brake is pressed (even lightly). This could be done in the electronics using software modifications. Additional messages may need to be transmitted on internal communication buses between the brake and throttle systems.
  4. Add a fail-safe feature such as a mechanical lever that allows the throttle to close if the brake is pressed.
  5. Build safety features which automatically throttle back the engine if acceleration and speeds reach unsafe values.
  6. On detection of possible problems, transition engine into "limp-home" mode that only permits low-speed driving.
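Options 2, 3 and 6 above, together with the two-ECU output comparison described earlier under "No electronic redundancy", can be combined in one supervisory routine. The C sketch below is an added example, not Toyota's design or code from this article; the type and function names, the two-channel layout and every threshold are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative thresholds: assumptions for this sketch, not values from any vehicle. */
#define MAX_CHANNEL_DIFF_PCT  5   /* tolerated disagreement between the two ECU channels */
#define FAULT_LATCH_CYCLES    3   /* consecutive bad cycles before limp-home is latched */
#define LIMP_HOME_MAX_PCT    15   /* throttle ceiling while in limp-home mode */

typedef enum { MODE_NORMAL, MODE_LIMP_HOME } etc_mode_t;

typedef struct {
    etc_mode_t mode;
    uint8_t    bad_cycles;   /* consecutive cycles with disagreeing or invalid channels */
} etc_supervisor_t;

typedef struct {
    uint8_t chan_a_pct;      /* throttle request computed by channel A, 0..100 */
    uint8_t chan_b_pct;      /* independent request computed by channel B, 0..100 */
    bool    brake_pressed;
} etc_inputs_t;

void etc_init(etc_supervisor_t *s)
{
    s->mode = MODE_NORMAL;
    s->bad_cycles = 0;
}

/* One control cycle: returns the throttle opening (percent) actually commanded. */
uint8_t etc_step(etc_supervisor_t *s, const etc_inputs_t *in)
{
    uint8_t lo = in->chan_a_pct < in->chan_b_pct ? in->chan_a_pct : in->chan_b_pct;
    uint8_t hi = in->chan_a_pct < in->chan_b_pct ? in->chan_b_pct : in->chan_a_pct;
    bool agree = hi <= 100 && (hi - lo) <= MAX_CHANNEL_DIFF_PCT;

    /* Debounce: one noisy sample is tolerated, a persistent mismatch is not. */
    if (agree) {
        s->bad_cycles = 0;
    } else if (s->bad_cycles < FAULT_LATCH_CYCLES) {
        s->bad_cycles++;
    }
    if (s->bad_cycles >= FAULT_LATCH_CYCLES) {
        s->mode = MODE_LIMP_HOME;   /* latched until etc_init() is called again */
    }

    /* Brake override: any brake input closes the throttle, whatever the channels say. */
    if (in->brake_pressed) {
        return 0;
    }

    /* Fail toward a closed throttle: take the lower request; no valid request means 0. */
    uint8_t cmd = (lo <= 100) ? lo : 0;
    if (s->mode == MODE_LIMP_HOME && cmd > LIMP_HOME_MAX_PCT) {
        cmd = LIMP_HOME_MAX_PCT;
    }
    return cmd;
}

int main(void)
{
    /* Constructed trace: channel A sticks at 100% while channel B reads 20%. */
    etc_supervisor_t s;
    etc_inputs_t stuck = { 100, 20, false };
    etc_init(&s);
    for (int cycle = 1; cycle <= 4; cycle++) {
        unsigned cmd = etc_step(&s, &stuck);
        printf("cycle %d: throttle %u%%, %s\n", cycle, cmd,
               s.mode == MODE_LIMP_HOME ? "limp-home" : "normal");
    }
    return 0;
}
```

A channel that is stuck high never drives the throttle here because the lower request always wins, and limp-home stays latched even if the channels later agree again.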

What Should A Driver do?

Surprisingly, a car's brakes may not be powerful enough to stop a car with a stuck throttle while the car is traveling at highway speeds. The brakes, in fact, can fail rapidly. According to Consumer Reports, here's what to do:

  1. Move the transmission to Neutral. You may need to press the brake to change gears. Do NOT pump the brakes.
  2. Use the brakes to come to a stop safely on the side of (or off) the road.
  3. Shut off the engine with the transmission in Neutral.
  4. Move the transmission into Park.
  5. Call for help.

Condition Your Reflexes

We would add that every individual will react somewhat differently when faced with a sudden unintended acceleration while driving. Normally calm drivers may become nervous. A typically jittery person may see the situation clearly. Some could panic. Others may register the need to act quickly and follow through with precision. It is useful for every driver to rehearse the sequence in one's own mind several times to condition oneself. If the situation arises, one can then fall back to the mentally rehearsed sequence and carry it through.

One may also want to practice switching to neutral while driving - just practice in an empty parking lot to avoid any incidents. One may also want to turn on the flashers after switching to neutral.

We also strongly recommend that training manuals and lessons begin to include this step as part of the exercises that one goes through before obtaining a driving license.

Conclusions

Given currently known data, it is not clear that all problems related to the sudden acceleration of some Toyota cars can be explained by driver error, improperly installed floor mats or stuck levers. In this article, we posit some possible issues that may be worth studying in the ETCS-I electronic throttle systems used in many Toyota models. In addition to potentially over-optimistic assumptions about the failure possibilities of components, high-voltage spikes could possibly lead to errors that cause unpredictable and unreliable behaviors. Toyota models seem to use fewer spike protection mechanisms across relays and coils by design, and this could be a potential source of problems. Furthermore, any problems may not be readily reproducible in the lab. The capture of high-speed transient data is likely to help in diagnosing any problem. The addition of voltage shunts, the incorporation of fail-safe features and/or the use of redundancy could be called for.

References

  1. Jeff Butler, "Finding, curing dangerous voltage spikes boosts reliability", Power Magazine, January 1995.

Footnotes

* An alternative, for example, would be the use of a reverse-biased rectifier diode in series with a zener diode.

** This article reflects only the authors' opinions and does not in any way represent the opinions of the authors' employers or that of any of their sponsors. This article has not been peer-reviewed, with peer reviews considered the global standard for research publications. It is being released here due to the possible positive impact that it can have on ongoing events in the automotive sector. Our goal always is that the driving public have access to safe vehicles.