Just finished reading the complete 177 page report of NASA's analysis of the Toyota unintended acceleration investigation.
I found some key discrepancies in what the EDN author has claimed (at least according to the posts above), compared to the NASA analysis.
Has anyone else read the NASA report?
Does anyone have a link to detailed documentation citing the engineering analysis methodology and test findings that the EDN article is based on?
Maybe it is my skepticism, brought about by my experience as a product development engineer working for another company that had many frivolous lawsuits brought against it, all of which were successfully defended, but I like to see all information well supported by hard evidence and test findings. Conclusions stated without this supporting data call credibility into question.
Here are just a few excerpts from the 177 page NASA report:
7.1 Findings
F-1. No TMC vehicle was identified that could naturally and repeatedly reproduce large throttle opening UA effects for evaluation by the NESC team.
F-2. Safety features are designed into the TMC ETCS-i to guard against large throttle opening UA from single and some double ETCS-i failures. Multiple independent safety features include detecting failures and initiating safe modes, such as limp home modes and fuel cut strategies.
F-3. The NESC study and testing did not identify any electrical failures in the ETCS-i that impacted the braking system as designed.
a. At large throttle openings (35 degrees (absolute) or greater), if the driver pumps the brake, then the power brake assist is either partially or fully reduced due to loss of vacuum in the reservoir.
b. NHTSA demonstrated that a MY 2005 Camry with a 6 cylinder engine travelling at speeds up to 30 mph can decelerate at better than 0.25g with 112 lbf on the brake while the throttle is open up to 35 degrees (absolute), with a depleted vacuum assisted power brake system.
...
Fundamentally, the ETCS-i uses two sets of sensors and CPUs to control the throttle and disengage the throttle control function when the sensors or CPUs do not agree. The prime sensors (VPA1 and VTA1) and the Main CPU control the intended throttle opening. The second sensors, VPA2, VTA2, and the Sub-CPU are used to validate consistent sensor data and a properly operating Main CPU. Both CPUs must agree that the throttle motor should be engaged in order for the throttle motor to drive the throttle valve open.
While the second sensors and CPU do not directly provide a means for driving the throttle, both pedal sensors are needed to indicate off idle in order to open the throttle. Either pedal sensor, throttle sensor, or CPU can declare a fault and disable and/or disengage the throttle. These sensors and CPUs are in "series" to open the throttle.
The two sensors and two CPUs are functionally arranged in a series manner, as described above, providing for two methods for closing the throttle.
...
The Main CPU and Sub-CPU must be functioning and must agree that the throttle motor can be driven. Each CPU has its own oscillator, memory error detect and correct along with a watchdog that can reset the processor. The CPUs also communicate with each other to assure that both receive consistent sensor data and are functioning properly. If either CPU fails, throttle motor drive is disabled. The system is redundant to preventing a failed Main CPU from controlling the throttle.
...
Two throttle sensors need to agree that the throttle valve is positioned properly. If the throttle valve does not achieve its intended position, power to the throttle motor is shut off. When the throttle position sensors disagree, throttle control is disabled and the throttle valve is returned to a spring loaded detent position of 6.5 degrees opening which is about 3 degrees more open than typical warm idle. At this point the diverse fuel cut function controls engine speed. Multiple sensors and signal sources are used to identify if the throttle motor is having trouble driving the throttle to its intended position.
...
Diverse backup controls utilizing the Electronic Fuel Injection (EFI) module limit engine speed and power through a power management function employing fuel cut and ignition timing to protect the system against the consequences of unintended throttle opening due to the failure of sensors, CPU, or a mechanically stuck open throttle valve or otherwise mechanically failed throttle valve. The diverse backup is the fuel cut function that will stop fuel flow to the engine if either VPA1 or VPA2 indicate idle and the engine speed is above 2500 rpms.
...
6.7.2.2 Heartbeat
The heartbeat pulse train signal from the Main CPU is provided to the power ASIC and also to the Sub-CPU. The Sub-CPU watchdog pulse train is provided to the Main CPU. The Main CPU can reset the Sub-CPU and the power ASIC can reset the Main CPU and Sub-CPU. The heartbeat pulse train is software generated and acts as an external indication of proper CPU hardware and software operation.
During any CPU reset, the CPU outputs to the H-Bridge that drive the throttle motor are pulled-low, disabling the motor drive.
...
6.7.2.3 Watch Dog Timer
Implemented in hardware, one watchdog timer exists in the sub CPU, and one exists in the Main CPU. Each watchdog timer is initiated at startup, and requires constant re-initiation by software. If a watchdog timer expires without being re-initiated by software, the CPU hardware is reset and restarts. The software function that re-initiates the watchdog timer executes in the lowest priority task. If this lowest priority task does not execute, it indicates abnormal processing or timing within either the software or hardware.
During watch dog timer reset, the CPU outputs to the H-Bridge that drive the throttle motor are pulled-low, disabling the motor drive.
6.7.2.6 Software Data Checks
A subset of software data is protected by implementing software data mirroring. When the data is written, a second location is written with the complement of the data. When the data is read, the second location is also read and checked. If the check fails, a default value is used.
When this software data mirroring is used, it protects data from being overwritten, such as by stack or buffer overflows.
6.7.2.7 Fuel Cut and Electronic Fuel Injection (EFI) and Ignition
When the pedal position sensors indicate the driver foot is off the pedal, a fuel cut function is used to limit maximum engine speed. An exception is when cruise control is engaged. When cruise control is engaged, this fuel cut function is disabled.
The moment the pedal is disengaged, the engine speed is sensed, and this level determines whether fuel cut is enabled. Fuel cut is enabled when this engine speed is above the fuel cut threshold. Following fuel removal from the engine, the speed decreases. When the engine speed reduces below the fuel cut recovery threshold, fuel is restored to the engine.
6.7.3 Software Study and Results
The software study applied analysis and modeling tools to the actual MY 2005 Camry source code. Models were developed of functional areas to achieve an integrated understanding of the system behavior and simulations were run on these models to explore areas of interest. These simulations were confirmed against vehicle hardware, and the models were further refined. Ultimately, the software study supported the development of specific vehicle hardware tests.
...
Major CPU and software failures are protected through Sub-CPU and Main CPU checks, watchdog, heartbeat, and voltage monitoring. Data corruption is protected through EDAC and software-implemented data mirroring. Data limits are applied to detect sensor and output failures.
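As an added illustration (this is not code from the NASA report or from Toyota's ETCS-i), here is a small C model of three of the safeguards quoted above: software data mirroring with a complement copy (6.7.2.6), the series gate where both CPUs and both pedal sensors must agree before the throttle motor may be driven, and the fuel cut with a cut threshold and a lower recovery threshold (6.7.2.7). The 2500 rpm cut threshold comes from the excerpt; the recovery threshold, the idle reading, the allowed VPA1/VPA2 disagreement, and re-checking engine speed on every cycle rather than once at pedal release are assumptions made for the demo and are marked ASSUMED in the code.

```c
/* Added illustration of three ETCS-i safeguards quoted from the NASA report.
 * This is NOT code from the report or from Toyota; values marked ASSUMED are
 * illustrative and do not come from the excerpts. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 6.7.2.6: a mirrored cell holds the value and its one's complement. */
typedef struct { uint16_t value; uint16_t mirror; } mirrored_u16;

void mirrored_write(mirrored_u16 *c, uint16_t v) {
    c->value  = v;
    c->mirror = (uint16_t)~v;
}

/* Returns 1 with *out = value when both copies agree,
 * otherwise 0 with *out = fallback (the "default value" in the excerpt). */
int mirrored_read(const mirrored_u16 *c, uint16_t fallback, uint16_t *out) {
    if ((uint16_t)(c->value ^ c->mirror) == 0xFFFFu) { *out = c->value; return 1; }
    *out = fallback;
    return 0;
}

uint16_t mirrored_roundtrip(uint16_t v) {
    mirrored_u16 c; uint16_t out;
    mirrored_write(&c, v);
    mirrored_read(&c, 0, &out);
    return out;
}

/* Constructed corruption: a fill that runs past buf into the adjacent cell,
 * standing in for a stack/buffer overflow. Returns 1 if the check caught it. */
int mirrored_corruption_detected(void) {
    struct { char buf[8]; mirrored_u16 cell; } frame;
    uint16_t out;
    mirrored_write(&frame.cell, 700);
    memset(&frame, 0x41, sizeof frame);             /* both copies become 0x4141 */
    return mirrored_read(&frame.cell, 0, &out) == 0 && out == 0;
}

/* Series gate: both CPUs healthy, VPA1/VPA2 consistent, both off idle. */
#define IDLE_COUNTS       200u   /* ASSUMED raw reading with the pedal released */
#define PEDAL_TOL_COUNTS   50u   /* ASSUMED maximum VPA1/VPA2 disagreement */

int throttle_drive_allowed(uint16_t vpa1, uint16_t vpa2, int main_cpu_ok, int sub_cpu_ok) {
    if (!main_cpu_ok || !sub_cpu_ok) return 0;               /* either CPU fault disables drive */
    uint16_t diff = vpa1 > vpa2 ? vpa1 - vpa2 : vpa2 - vpa1;
    if (diff > PEDAL_TOL_COUNTS) return 0;                    /* pedal sensors disagree */
    return vpa1 > IDLE_COUNTS && vpa2 > IDLE_COUNTS;          /* both must indicate off idle */
}

/* 6.7.2.7: fuel is cut when the pedal reads idle above the cut threshold and
 * restored once rpm has fallen below the (lower) recovery threshold. */
#define FUEL_CUT_RPM     2500u   /* from the excerpt */
#define FUEL_RECOVER_RPM 1500u   /* ASSUMED; the excerpt gives no number */

typedef struct { int active; } fuel_cut_state;

/* pedal_idle: 1 when VPA1 or VPA2 indicates idle. Returns 1 while fuel is cut.
 * ASSUMED simplification: rpm is re-evaluated on every call, not only at release. */
int fuel_cut_update(fuel_cut_state *s, int pedal_idle, unsigned rpm, int cruise_engaged) {
    if (cruise_engaged || !pedal_idle) { s->active = 0; return 0; }  /* disabled under cruise */
    if (!s->active && rpm > FUEL_CUT_RPM)         s->active = 1;
    else if (s->active && rpm < FUEL_RECOVER_RPM) s->active = 0;
    return s->active;
}

/* Stuck-open throttle scenario: pedal released at 4000 rpm. Returns 1 if the
 * sequence cuts, holds through the hysteresis band, recovers, and stays off under cruise. */
int fuel_cut_sequence_ok(void) {
    fuel_cut_state s = {0};
    return fuel_cut_update(&s, 1, 4000, 0) == 1      /* idle + high rpm: cut */
        && fuel_cut_update(&s, 1, 2000, 0) == 1      /* between thresholds: still cut */
        && fuel_cut_update(&s, 1, 1400, 0) == 0      /* below recovery: fuel restored */
        && fuel_cut_update(&s, 1, 4000, 1) == 0;     /* cruise engaged: fuel cut disabled */
}

int main(void) {
    printf("mirror roundtrip(1234): %d\n", (int)mirrored_roundtrip(1234));
    printf("corruption detected: %d\n", mirrored_corruption_detected());
    printf("drive allowed (600,620,ok,ok): %d\n", throttle_drive_allowed(600, 620, 1, 1));
    printf("drive allowed (600,900,ok,ok): %d\n", throttle_drive_allowed(600, 900, 1, 1));
    printf("fuel cut sequence ok: %d\n", fuel_cut_sequence_ok());
    return 0;
}
```

Two caveats worth keeping in mind when reading 6.7.2.6: the complement check detects an overwrite, it does not prevent one, so the safety property rests on the default value being a safe one (here 0, i.e. pedal at idle). And an overwrite that happens to land a self-consistent pair (for example a copy of another valid cell, or a value together with its complement) passes the check, which is why the report lists mirroring alongside EDAC, range limits and the CPU cross-checks rather than on its own.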