Thursday, March 11, 2010

Toyota Runaway = "Creative Destruction"

[Update 13 Mar 2010. In my original posting I wrote: "...I believe some of the reports are 'copy cats' looking for publicity." Well, the incident pictured above may be one such Copy Cat.] As those who follow this Blog may know, my wife and I have been driving a 2004 Toyota Prius hybrid -our only car- and have been very happy with it. So, quite naturally, we have been following the controversy about runaway Toyotas very closely.

The photo above shows a runaway Prius. On 8 March, this car raced up to 90 mph on a California freeway when the accelerator pedal apparently stuck. The terrified driver tried to slow the car using the brakes but they were ineffective.

He called 911 and a CHP officer came alongside. Using his bullhorn, the officer told the driver to stand on the brake pedal and also apply the emergency brake. Finally, with both brakes on and a steep uphill section of roadway, the car slowed enough for the driver to turn off the ignition and coast to a safe stop.

TOYOTA'S INEFFECTIVE RESPONSE

When the press and TV began reporting runaway incidents, Toyota claimed that they were due to improperly installed floor mats that jammed the pedal in the full-on position. They fixed that by asking owners to secure floor mats properly and not to use double mats.

Then, they admitted that the innards of some accelerator pedals could corrode and stick in the full-on position. They fixed that by installing a metal shim.

Nevertheless, the incidents keep occurring. I believe some of the reports are "copy cats" looking for publicity. Some are from people who mistakenly pressed the accelerator instead of the brakes and are falsely trying to shift the blame to a hardware defect. However, many, if not most, are genuine failures and not in any way the fault of the drivers.

WHY DIDN'T TOYOTA APPLY A SOFTWARE FIX?

When the news first came out a month or so ago, my first reaction was that -whatever the actual cause- Toyota should immediately install a software over-ride that would disconnect or limit the accelerator signal, or shift the car into neutral, if the brakes were applied while the accelerator was on.

Here is the technical detail for the CTS pedal used by Toyota. The accelerator pedal sends an analog voltage to the onboard computer, and the brakes also send a signal to the computer. Toyota has the ability to update the computer software. Therefore, a software fix could limit the accelerator signal to some minimal value whenever the brake is on, or shift the car to neutral. (The engine should not be shut down, because that would disable the power brakes and power steering.)

Even if, as Toyota still claims, the problem is strictly mechanical, a software override that prevents acceleration while the brakes are applied would prevent most of the accidents we have read about.

AUTOMOTIVE SOFTWARE HAS A LONG WAY TO GO

Before we retired, my wife and I worked on aircraft electronics systems and software. We currently teach online graduate courses on those subjects for the University of Maryland University College. Aircraft systems and software are developed, tested, verified and validated in a very controlled environment. Our methodology is based on "lessons learned" over the past few decades. Automotive engineers have only been in the software game for about a decade. They could learn a lot from us.

It is clear to me that either the Toyota engineers and software developers are incompetent, or -more likely in my opinion- their management has restricted their efforts either due to cost concerns or legal liability, or both.

While I have no inside knowledge, I cannot believe that no engineer at Toyota ever suggested a software over-ride when brakes are applied. I can imagine some Toyota engineers, when the runaway acceleration incidents were first reported to Toyota several years ago, suggesting a software patch to over-ride whatever mechanical failures were the actual cause. "No," I can hear some anal manager say, "If we fix the software that will be costly and will imply that we are legally liable for not having the brake over-ride in the original design." I can imagine a room full of managers and lawyers nodding their heads like so many bobble-dolls!

HASN'T ANYONE HEARD OF BASIC ERROR CHECKING?

I think the press has been pretty responsible, although they have been taken in both by Toyota apologists and some publicity-seeking "experts". Brian Ross (ABC News) has done a good job, but I believe he was a bit off when he rode along with a college prof who shorted the accelerator pedal wires. That made the car accelerate out of control as Brian Ross stood on the brakes. The prof then showed that the computer in the car did not display any error codes.

A week later, Toyota engineers did the same wire-shorting experiment on several cars from different manufacturers, and they too did not display any error codes. Toyota did the demo to show they were blameless. But, all it indicates to me is that the other automobile manufacturers are also incompetent!

I know exactly what the prof did. There are three wires to the pedal: 1) Ground, 2) Vin (voltage input, probably 12 volts DC), and 3) Vout (voltage output that varies from zero volts to 92% (+/- 3%) of Vin as the accelerator pedal is pushed all the way down). If, due to loose insulation (or the actions of the prof), Vin (wire 2) happens to short to Vout (wire 3), the computer will see a Vout equal to 100% of Vin and will interpret it as a signal that the accelerator is pushed all the way down.

If the pedal and software had been designed the way aircraft electronics is designed, the computer software would have recognized that Vout was 100% of Vin, above the 95% (92% plus the 3% tolerance) that a working pedal can ever produce, and would have set an error code. Beyond setting an error code, had the system been designed to aircraft electronics standards, a Vout above 95% of Vin would have been recognized as shorted wiring and should have initiated speed limiting.

Apparently, the automotive system and software engineers have not implemented even the most basic range checking on the pedal signal! This applies not only to Toyota but also to the other manufacturers whose cars were part of the Toyota wire-shorting demo!
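The two checks argued for above, the pedal-signal range check and the brake override, as an added example that is not code from the original post, from Toyota, or from CTS. The 92% full-scale figure and the 95% plausibility limit are taken from the post; everything else is an assumption made for the example: the two redundant pedal channels "A" and "B", the 5% agreement window between them, the 1 V supply-voltage floor, the 5 V supply used in the constructed sample readings, and all type and function names. It goes a step beyond the text by cross-checking the two channels against each other and failing toward idle on any fault.

```c
#include <stdbool.h>
#include <stdio.h>
/* Signal limits quoted in the post: full travel is 92% (+/-3%) of Vin, so a
 * healthy channel never reads above 95% of Vin. */
#define PEDAL_FULL_SCALE     0.92
#define PEDAL_MAX_PLAUSIBLE  0.95
/* Assumptions for this example, not from the post: two redundant channels "A"
 * and "B" must agree within 5% of Vin; a supply under 1 V is a broken reference. */
#define CHANNEL_MAX_DELTA    0.05
#define SUPPLY_MIN_VOLTS     1.0

typedef enum {
    PEDAL_OK = 0,
    PEDAL_FAULT_SUPPLY,    /* Vin missing or far too low */
    PEDAL_FAULT_RANGE_A,   /* channel A above 95% of Vin, e.g. Vin shorted to Vout */
    PEDAL_FAULT_RANGE_B,   /* same for channel B */
    PEDAL_FAULT_DISAGREE   /* both channels plausible but inconsistent */
} pedal_fault_t;

typedef struct {
    double vin;     /* sensor supply, volts */
    double vout_a;  /* channel A output, volts */
    double vout_b;  /* channel B output, volts */
    bool brake_on;  /* brake pedal switch */
} pedal_inputs_t;

typedef struct {
    pedal_fault_t fault;
    double throttle;      /* 0.0 (idle) .. 1.0 (full) request passed downstream */
    bool brake_override;  /* accelerator request suppressed because brake was on */
} pedal_decision_t;

static double abs_diff(double a, double b) { return a > b ? a - b : b - a; }

/* Range-check one channel and convert it to a 0..1 pedal position. */
static pedal_fault_t check_channel(double vout, double vin,
                                   pedal_fault_t range_fault, double *pos)
{
    double ratio = vout / vin;
    if (ratio < 0.0 || ratio > PEDAL_MAX_PLAUSIBLE)
        return range_fault;          /* beyond anything the pedal can produce */
    if (ratio > PEDAL_FULL_SCALE)
        ratio = PEDAL_FULL_SCALE;    /* inside the +/-3% tolerance: treat as full */
    *pos = ratio / PEDAL_FULL_SCALE;
    return PEDAL_OK;
}

pedal_decision_t evaluate_pedal(const pedal_inputs_t *in)
{
    pedal_decision_t d = { PEDAL_OK, 0.0, false };
    double pos_a = 0.0, pos_b = 0.0;

    if (in->vin < SUPPLY_MIN_VOLTS) {
        d.fault = PEDAL_FAULT_SUPPLY;
        return d;                    /* throttle stays 0.0: fail toward idle */
    }
    d.fault = check_channel(in->vout_a, in->vin, PEDAL_FAULT_RANGE_A, &pos_a);
    if (d.fault == PEDAL_OK)
        d.fault = check_channel(in->vout_b, in->vin, PEDAL_FAULT_RANGE_B, &pos_b);
    if (d.fault == PEDAL_OK &&
        abs_diff(in->vout_a, in->vout_b) / in->vin > CHANNEL_MAX_DELTA)
        d.fault = PEDAL_FAULT_DISAGREE;
    if (d.fault != PEDAL_OK)
        return d;                    /* any fault: idle request, fault code set */

    /* Lower of the two channels, so one channel drifting high cannot add power. */
    d.throttle = pos_a < pos_b ? pos_a : pos_b;
    /* Brake override, the software fix the post argues for: brake and
     * accelerator at the same time is treated as a brake request. */
    if (in->brake_on && d.throttle > 0.0) {
        d.throttle = 0.0;
        d.brake_override = true;
    }
    return d;
}

/* Scalar wrappers so a caller can check one field at a time. */
int pedal_fault_code(double vin, double vout_a, double vout_b, bool brake_on)
{
    pedal_inputs_t in = { vin, vout_a, vout_b, brake_on };
    return (int)evaluate_pedal(&in).fault;
}
double pedal_throttle(double vin, double vout_a, double vout_b, bool brake_on)
{
    pedal_inputs_t in = { vin, vout_a, vout_b, brake_on };
    return evaluate_pedal(&in).throttle;
}

int main(void)
{
    /* Constructed sample readings; the 5 V supply is an example value. */
    printf("brake + pedal  -> fault %d, throttle %.2f\n",
           pedal_fault_code(5.0, 4.6, 4.6, true), pedal_throttle(5.0, 4.6, 4.6, true));
    printf("Vin-Vout short -> fault %d, throttle %.2f\n",
           pedal_fault_code(5.0, 5.0, 4.6, false), pedal_throttle(5.0, 5.0, 4.6, false));
    return 0;
}
```

The wire-shorting experiment in the post maps onto the third sample: a Vout equal to Vin is a ratio of 1.0, above the 95% ceiling, so the result is a range fault and an idle throttle request rather than full power and no error code. Taking the lower of two channels and treating every fault as idle are the "fail toward safe" choices; a design that instead reads a single channel and trusts whatever it gets is the behaviour the demo exposed.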

WHERE WERE THE REGULATORS? THE COURTS?

Toyota, the world's leading auto company, has turned out defective products that killed some customers and endangered others. Until a week ago, they did not even let the National Highway Traffic Safety Administration (NHTSA) have access to their internal "black box" codes. NHTSA seems to have gone along with Toyota's arrogance. The regulators were either "asleep at the switch", or incompetent, or in the pocket of the industry they were regulating, or all three!

Based on the Toyota wire shorting demo, the other auto companies are nearly as incompetent. (To their credit, however, the other companies do make their "blackbox" error code translator units available to regulators and dealerships.)

According to press reports, a former Toyota liability defense lawyer, who said he alerted the company to systemic problems several years ago, and who has the emails to prove it, has recently come forward. According to him, Toyota had a "book of knowledge" that detailed known design defects. Company lawyers used that information as part of the decision process of whether to fight a lawsuit or settle. Where were the courts?

Of course, now that the facts are coming out, NHTSA and the courts will take action. Liability lawyers on both sides will get rich and some victims will be compensated.

"CREATIVE DESTRUCTION"

The term "Creative Destruction" applies here. In its normal meaning, it signifies the way, under capitalism, new technology, products, and services push out the old. As an inevitable part of the process, some backward industries and companies go bankrupt, stockholders lose their investments, employees lose their jobs, and entire communities may fall into poverty. That is the "destructive" part. At the same time, some pioneering industries and forward-looking companies rise and create newer and often better jobs, investors make money, and entire communities enjoy prosperity. That is the "creative" part.

I'd like to apply the term to the "Creative Destruction" of the now tarnished Toyota brand. It is a once valued brand that has been devalued by their coverup of known defective designs and failure to fix them promptly. They would rather stonewall and fight in court than do the right thing. I believe this will sour most consumers on the Toyota brand.

My wife and I had planned to replace our 2004 Prius with a newer plug-in Prius in a couple years. No more! I doubt we will ever buy a Prius again.

That is a pity because we have been very happy with our Prius and love their dealership in Ocala, FL. That dealership may be forced out of business and some Toyota employees will lose their jobs and stockholders will lose their investments. That is the "destructive" part.

I only wish the regulators at NHTSA and the lawyers and the court system that failed in this case would also go out of business. But no, perversely they will be rewarded with more power and more court cases.

The "creative" part is the business that will flow to Ford and other auto manufacturers who have behaved better. I am following the Ford Fusion and we may purchase their plug-in electric-only version that is expected to come out in a couple of years. (Besides, we have owned Ford stock for many years.)

MEANWHILE WE ARE DRIVING OUR TOYOTA PRIUS GINGERLY

Today, for the first time, I got up the courage to practice stopping the car by shifting to neutral. With my foot on the accelerator, I pushed the gear shift to the left. I had to hold it for about a second, but then I could feel the accelerator disconnect and the car coasted to a lower speed.

From reading news stories, I now know that the ON/OFF button must be held for three seconds to take effect. In case shift to neutral does not work, that is how I will stop my Prius if it happens to run away.

[Update 13 Mar 2010. The person involved in the runaway incident reported above seems to have some baggage. He apparently owes lots of money. Parts of his story do not ring true. The Prius he was driving supposedly has the brake override software I described above. This raises two questions: 1) If brake override has been available on Prius cars for so long, why isn't it on all Toyotas? 2) If the car involved in this incident had brake override, did it fail or did the driver purposely work around it? Assuming the car actually had brake override and it was working, the driver would have had to alternately press the accelerator to speed up, then release it and press the brakes to get them to heat up and smoke as reported, and so on. According to the 911 tape, the 911 dispatcher told him to put the car into neutral but he refused, saying he feared it would cause the car to flip.

According to a Toyota FAQ issued 3 Feb 2010: "the Prius, and all hybrids for that matter, already have a version of the override system. The override system will be standard by the end of 2010." Thus, the runaway problem does not exist for our Prius or any other hybrid. The brake override will be standard on all newly manufactured Toyota automobiles after 2010. According to this, the brake override will also be added to previous model years of some non-hybrid Toyotas back to 2005.]

Ira Glickstein

6 comments:

joel said...

The news this morning said that Toyota cannot figure out how the scenario described in which the brake is applied and the accelerator is still active can happen. They say that the computer is wired such that a simultaneous signal from both cause the accelerator to be disconnected.

In effect, they have said that they've used your software approach but it doesn't seem to work. To me that points to a programming error coupled with insufficient debugging or a pathological case that only shows up with the "right" combination of inputs. Being an old fuddy duddy and a mechanical engineer, I'm prejudiced toward the principle of design for "graceful failure." Before we had computers and fly-by-wire, when we thought there was a possibility for failure we tried to design so that there was inherent warning rather than catastrophic failure. Examples are brakes that screech as the pad wears out. Another would be gauges rather than idiot lights. Still another would be brake pedals that slowly go soft when there's air in the brake line. When we opt to take humans out of the loop and substitute a computer, we generate a whole new set of risks. I don't think we can say that aerospace is guilt free. I seem to recall at least one Airbus crash that was attributed to a computer over-ride of the pilot upon landing. -Joel

Ira Glickstein said...

See the update I made to the original Topic posting. It is possible the brake over-ride supposedly on all recent Prius cars did fail, as you speculate Joel, but I think it is more likely the driver in the incident described is a "copy cat" who purposely staged the runaway.

I guess I am not as much of an "old fuddy duddy" as you. IMHO, I believe we are generally better off with computer-based solutions to failures in complex products, like modern autos. True, some of these computer-based systems and software were not designed and implemented and tested properly. However, once a problem with them is detected, and properly fixed, it should not re-occur. Depending on humans to read meters and react properly to sounds and feel is, IMHO, more prone to repeated error.

As a driver of a 2004 Prius, I am somewhat relieved to hear that my car has two microprocessors and power will be cut to the wheels if the processors have different data or if both brakes and accelerator are active at the same time. I only wish all Toyotas and other cars had the same features.

I also wish Toyota had been more open about the runaway problems and addressed them years ago. Their brand is badly tarnished. The "creative destruction" inherent in capitalism, together with news reports and Internet chatter, will cost Toyota much more grief and has been effective much more rapidly than government regulation, which has been totally ineffective thus far.

Ira Glickstein

joel said...

You have some good questions and hopefully Toyota will provide some honest answers. Since every car I know has cruise control, it would seem that everything necessary is already present except for a few lines of code. A tap of the brake already shuts off the cruise control. The only situation that comes to mind where one might want the brake to override is when you're trying to rock out of snow or mud.

I looked at fly-by-wire aviation. It seems that there are two situations that justify its use. One is jet fighters in which the planes are so unstable that an unaided pilot cannot maneuver safely. Another is very large passenger planes in which the existing hydraulics with all its control and redundancy became too cumbersome. Pilots and engineers still argue over the issues of computer override. In automobiles, there is little to be gained for the operator. Distances are short enough to permit efficient use of mechanical or hydraulic links. Manufacturing and assembly costs are much lower for drive-by-wire, but as we have seen recently, catastrophic failure rather than graceful failure may be the rule. Strangely there is a cultural cost that cannot be assessed.

When I was young, I used to have to change the clutch slave cylinder on my Toyota every six months. Kids would change spark plugs, points and rotors on their old Chevys. The more ambitious could even replace an engine. We live in a world in which young people can operate technology, but don't understand it.

Ira Glickstein said...

My wife and I used to drive cars with standard, manual-shift transmissions, Joel. I felt I was being downgraded when we changed to automatic, and gave as an excuse that automatic cost more to manufacture and would be more likely to go bad. In truth, I felt bad because I had worked to develop a skill that was now obsolete (like my ability to sweat solder copper pipes or fix TV sets!)

Somewhat similarly, around twenty years ago we found a new car on the lot at a good price that had what we wanted, but it also happened to have automatic windows. I worried they would go bad. They didn't go bad and now I wonder how we got along without automatic windows all those years.

I once installed a hand throttle on a car so I could warm it up in the winter without having to sit in the seat with my foot on the accelerator. Thinking back on it, that mechanism could have easily stuck full-on and I could have had a runaway car.

The same is true of a manual gas pedal - they could corrode and get stuck full-on as well - perhaps more likely than an electronic pedal. Were mechanical linkages and hydraulic control more reliable? I doubt it.

The good thing about built-in cruise control and other automatic features is that they can be relatively easily programmed to have brake override. I am angry that Toyota and other car companies have been so slow to include that feature in their electronic controlled cars.

Another good feature of electronic control is the error codes that can be captured for analysis in the control computer storage memory. (A separate Event Data Recorder "black box" collects information for a few seconds before during and after an air bag deployment. This is not applicable to the runaway Toyota since there was no air bag deployment).

Amazingly (but I guess not surprising ^) the "privacy" advocates are opposed to this "invasion" of their private lives. Give me a break!

Toyota claims data from the runaway Prius indicates the driver was using the brakes and accelerator in an unusual way, possibly indicating he was a "copy cat" staging this incident.

See this for more.

Ira Glickstein

joel said...

Ira said: The same is true of a manual gas pedal - they could corrode and get stuck full-on as well - perhaps more likely than an electronic pedal. Were mechanical linkages and hydraulic control more reliable? I doubt it.

Joel responds: Although you're right about failure of mechanical or hydraulics, I think they would fail gracefully. That doesn't mean that there won't be people who ignore the warning signs. When self service gas stations came into existence, there were a lot more burnt out engines, because women never checked oil or water levels. After awhile men also lost the habit of checking. Besides, there's a reason why they call them IDIOT lights.

Ira Glickstein said...

Well, I now feel (a bit) better about driving my Prius. After reading the full CHP officer's report and this Forbes piece, it is now pretty clear the "runaway" Prius in San Diego was most likely a ruse. The impounded Prius was under the control of the CHP and NHTSA from the time of the incident through testing and download of its computer data by Toyota technicians. That data confirms my theory of how the ruse may have been staged.

The driver, Sikes, most likely sped up to 90+ then took his foot off the accelerator and braked for a while, then repeatedly accelerated and braked, etc.

That would explain his average speed of only 65 to 75 MPH over the 20 minute period. It would also explain the CHP officer's report of overheated and worn brakes. Sikes was most likely only pretending when the CHP officer, observing through the right rear window of the Prius where he could not see Sikes feet, says he saw him apparently standing on the brakes.

Oh, and the woman in NY whose "runaway" Prius slammed into a stone wall apparently mistakenly had her foot on the accelerator instead of the brakes, according to NHTSA based on data downloaded from the computer on that car.

BOTTOM LINE: I still do not trust Toyota because they withheld data and delayed fixing real problems (sticking accelerator pedals were real). Also because, other than the Prius, they did not implement brake override for years after they could have and should have done so.

Ira Glickstein