A few years ago, Toyota was in the news for a major safety issue affecting a number of its passenger vehicles. Seemingly at random, certain cars accelerated without regard for driver input, causing many crashes and at least 37 confirmed deaths. Toyota issued a recall for floor mats that were reported to slide forward and jam the accelerator pedal, but that didn't explain all of the crashes. A second recall covered sticking accelerator pedals, but neither mechanical explanation accounts for every incident, and on his test bench [Colin O'Flynn] demonstrates a possible electronic cause for a throttle stuck open.
Most passenger vehicles older than about 15 to 20 years control the throttle with a cable running directly from the accelerator pedal to the throttle body. Most manufacturers have since switched to an electronic throttle (drive-by-wire, often called fly-by-wire by analogy with aircraft), in which a sensor on the accelerator pedal reports pedal position to the engine control unit (ECU), which in turn drives a motor that sets the throttle plate position. This may be slightly cheaper to manufacture, but it puts sensors, software and an actuator into a safety-critical path and introduces a much larger number of failure modes.
[Colin] recreates one of those failure modes by injecting an electromagnetic pulse at a specific spot on the vehicle's ECU, a technique known as electromagnetic fault injection. In the field, a comparable upset could come from electrical transients, electromagnetic interference or radiation, including the particle strikes that cosmic rays produce. The pulse corrupts a value in memory, and the ECU neither detects the corruption nor clears it. Under a set of circumstances that [Colin] can reliably reproduce, the ECU eventually drives the throttle fully open, and the condition can only be cleared by power-cycling the ECU.
Toyota is adamant that these problems have been successfully swept under the driver's-side floor mat, but according to the IEEE and professionals in related industries such as avionics, the passenger vehicle industry has done remarkably little to build the redundancy into these systems that would tolerate this class of failure. [Colin] plans to test his setup in a real vehicle to confirm that the car actually behaves as it does in his lab scenario, so expect more on this in the future. If you're looking for a vehicle immune to every problem associated with computer control, take a look at this car, which doesn't even need a battery to drive as long as you can give it a push start.
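As an added illustration of the failure mode described above (this is example code, not anything from [Colin]'s setup or from Toyota's ECU), here is the difference between keeping a throttle setpoint in a bare global and keeping it with an inverted shadow copy that is checked on every read. The percentage scale, the fault-injection helper and the bit position it flips are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Throttle target in percent of wide open: 0..100 (assumed scale). */
#define THROTTLE_MAX  100u
#define THROTTLE_SAFE   0u   /* fail-safe: throttle closed */

/* Unprotected: the setpoint lives in a single global. A flipped bit
 * simply becomes the new setpoint and nothing can tell the difference. */
static uint8_t throttle_plain;

/* Protected: the value is stored twice, the second copy inverted.
 * A single-bit upset in either copy breaks the invariant v ^ inv == 0xFF. */
typedef struct {
    uint8_t v;
    uint8_t inv;
} guarded_u8;

static guarded_u8 throttle_guarded;

static void guarded_write(guarded_u8 *g, uint8_t v)
{
    g->v = v;
    g->inv = (uint8_t)~v;
}

/* Returns true and the stored value only if both copies agree and the
 * value is in range. On false the caller must not trust either copy. */
static bool guarded_read(const guarded_u8 *g, uint8_t *out)
{
    if ((uint8_t)(g->v ^ g->inv) != 0xFFu) return false;
    if (g->v > THROTTLE_MAX) return false;
    *out = g->v;
    return true;
}

/* What the control loop would command the throttle motor to do. */
static uint8_t throttle_command_plain(void)
{
    return throttle_plain;
}

static uint8_t throttle_command_guarded(void)
{
    uint8_t v;
    if (!guarded_read(&throttle_guarded, &v)) {
        /* Corruption detected: command the safe state. A real ECU would
         * also latch a fault code and refuse to resume until the value
         * is rewritten by the normal control path or the ECU is reset. */
        return THROTTLE_SAFE;
    }
    return v;
}

/* Simulated fault injection: flip one bit at an address, the kind of
 * single-bit upset an EM pulse or a particle strike produces. */
static void flip_bit(void *addr, unsigned bit)
{
    ((uint8_t *)addr)[bit / 8] ^= (uint8_t)(1u << (bit % 8));
}

/* Both demos start from a 10% setpoint and flip bit 6 (0x40). */
static uint8_t demo_plain_after_flip(void)
{
    throttle_plain = 10;
    flip_bit(&throttle_plain, 6);          /* 10 | 0x40 = 74 */
    return throttle_command_plain();       /* 74%: silently accepted */
}

static uint8_t demo_guarded_after_flip(void)
{
    guarded_write(&throttle_guarded, 10);
    flip_bit(&throttle_guarded.v, 6);      /* v = 74, inv still ~10 */
    return throttle_command_guarded();     /* mismatch: 0% (safe) */
}

int main(void)
{
    printf("plain after bit flip:   %u%%\n", (unsigned)demo_plain_after_flip());
    printf("guarded after bit flip: %u%%\n", (unsigned)demo_guarded_after_flip());
    return 0;
}
```

Two upsets hitting the same bit position in both copies would still pass; a CRC over a block of critical state, or a third copy with majority voting, closes that gap at the cost of RAM and time. Note also that this protects only the stored value: if the code that computes the setpoint is itself disturbed, the check passes, and the protection has to come from an independent monitor.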
I RE'd the Mazdaspeed ECU. They used two microprocessors: the larger one, a 32-bit SH4, to manage the throttle position, and another (MCS9) that has a "kill switch" to the throttle motor. If either MCU disagreed on the throttle position, lights out to the still spring-loaded throttle, and it would slap shut.
Now, all of that being said, I still think it is super stupid to have an electronic throttle. This is done for emissions control reasons and traction control. (A throttle that closes suddenly can cause a very temporary rich condition resulting in a tad of emissions that will likely be caught by the catalytic converter.) Anyhow, you can thank the EPA for this stupidity. Lexus used to have a double-butterfly throttle where the ECU could block air intake for traction control, but the "real" throttle was still your spring-shut foot cable control.
Electronic throttle is still helpful in other applications, like drive modes, cruise control, rev matching, and making “weird” motors driveable by having the physical throttle blade map to different pedal positions depending on load conditions.
My personal example of this is how the standard throttle mapping (“sport”) on a Subaru STi, all the way back to 2008 (mine’s a 2012) is really jumpy at ultra-low speeds. I can use the “Intelligent” mode, ostensibly for fuel savings, to instead give me more throttle control at low speeds so I don’t lurch my passengers around when driving at 7 km/h in a parking lot full of speed bumps.
Weren't these crashes caused by cat whiskers formed under the conformal coating? This issue became very important after RoHS soldering.
Tin whiskers
https://www.thetruthaboutcars.com/2010/02/tin-whiskers-implicated-in-unintended-acceleration-problems/
https://www.edn.com/toyota-accelerations-revisited-hanging-by-a-tin-whisker/
The symptom from a tin whisker was a non-linear pedal response: the car calibrates the resistance at startup and then expects it to be linear from there. The tin whisker interferes with that calibration. The car doesn't "run away" so much as it acts like a dead spot in the throttle response until it moves a bit, then picks up the correct resistance value and goes directly to that throttle condition. In older cars this could happen where the throttle plate sticks and then suddenly snaps open with greater pressure.
It could lead to a low speed jerk that might surprise a driver, but not the “full throttle” problem insinuated at the time.
Cost may have been a factor, but there were lots more reasons for throttle by wire, and in some ways it is more simple, and helps with emissions. You don’t want to open or close the throttle too fast for emissions and performance reasons. This was very much the case with carburetors. With throttle by wire, you get the ability for cruise control without the MASSIVE vacuum actuator.
Engine controls are not simple. They are balancing performance, emissions, overall reliability (yeah, it can be messed up). With a directly connected throttle plate, the ECU can only affect the mixture by adjusting fuel. All these changes have allowed us to have engines that are reliable for 100,000 miles, with minimum maintenance (regular oil changes, mostly), that are putting out 3x to 4x the power of the same displacement engines from 20 years ago.
The comparison to the original Beetle is poor, as that thing produced 25 bhp originally (up to 50-ish by the 1970s) and still got less than 30 MPG, while requiring quite regular maintenance and adjustments. And if you didn't maintain the engine shrouds well, you could get CO pumped straight into the cabin!
Fly by wire isn't the problem, but these systems have to be designed to fail safe by default. So if the ECU fails for any reason, the throttle should close.
The ECU wasn’t ‘failing’, it was commanding the throttle open is my understanding.
“Designed to be fail safe” also means designed for cosmic radiation, loose connections, voltage sags/spikes, abnormal temperatures, etc…
This has nothing to do with the ECU no longer running, but with the software behaving unexpectedly in certain situations.
A car is a very hostile environment with vibrations, temperature extremes, etc.
Your standard "it works for me" design won't be anywhere near close enough for reliability in such environments, as bit flips or impossible inputs are to be expected.
There is redundancy in place, and for throttle pedal resistance there are actually 2 measurements (one increasing, one decreasing) that must align at all times.
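A worked version of the check described in the comment above, added here as example code (not Toyota's or any other manufacturer's implementation). It assumes a pair of pedal sensors whose voltages are mirror images summing to 5 V; real pedals often use a half-scale second channel, but the plausibility test is the same: each channel must be electrically in range, the two must agree within a tolerance, and a disagreement that persists latches a fault that treats the pedal as released. All thresholds are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed pedal sensor geometry for this example: channel A rises from
 * 500 mV (pedal released) to 4500 mV (floored) and channel B falls over
 * the same travel, so A + B is always about 5000 mV. */
#define V_MIN_MV        500
#define V_MAX_MV       4500
#define V_SUM_MV       5000
#define V_RANGE_MV     (V_MAX_MV - V_MIN_MV)
#define V_LIMIT_LO_MV   300   /* below: short to ground or open wiper */
#define V_LIMIT_HI_MV  4700   /* above: short to supply */
#define AGREE_TOL_PCT     5   /* max disagreement between channels */
#define FAULT_PERSIST     3   /* consecutive bad samples before latching */

typedef struct {
    unsigned bad_count;   /* consecutive implausible samples seen */
    bool latched;         /* fault latched: pedal treated as released */
} pedal_state;

static bool in_electrical_range(int mv)
{
    return mv >= V_LIMIT_LO_MV && mv <= V_LIMIT_HI_MV;
}

/* Convert a rising-channel voltage to percent travel, clamped. */
static int mv_to_pct(int mv)
{
    if (mv < V_MIN_MV) mv = V_MIN_MV;
    if (mv > V_MAX_MV) mv = V_MAX_MV;
    return (mv - V_MIN_MV) * 100 / V_RANGE_MV;
}

/* One sample of both channels. Returns the pedal demand in percent, or 0
 * whenever the sample is implausible or the fault has latched. */
static int pedal_demand_pct(pedal_state *st, int a_mv, int b_mv)
{
    if (st->latched) return 0;

    bool ok = in_electrical_range(a_mv) && in_electrical_range(b_mv);

    int pa = mv_to_pct(a_mv);
    int pb = mv_to_pct(V_SUM_MV - b_mv);      /* B is the inverted channel */
    int diff = pa > pb ? pa - pb : pb - pa;
    if (diff > AGREE_TOL_PCT) ok = false;      /* channels disagree */

    if (!ok) {
        /* Don't act on a suspect sample; latch if it keeps happening. */
        if (++st->bad_count >= FAULT_PERSIST) st->latched = true;
        return 0;
    }
    st->bad_count = 0;
    return (pa + pb) / 2;                      /* both agree: use the mean */
}

int main(void)
{
    pedal_state st = { 0, false };
    /* Constructed samples: released, half, floored, then channel A stuck
     * at full scale while channel B still reports the pedal released. */
    const int samples[][2] = {
        { 500, 4500 }, { 2500, 2500 }, { 4500, 500 },
        { 4500, 4500 }, { 4500, 4500 }, { 4500, 4500 }, { 2500, 2500 },
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pct = pedal_demand_pct(&st, samples[i][0], samples[i][1]);
        printf("A=%4d mV B=%4d mV -> %3d%%%s\n", samples[i][0], samples[i][1],
               pct, st.latched ? " (fault latched)" : "");
    }
    return 0;
}
```

The electrical-range test is what catches wiring faults (an open wiper reads near 0 V, a short to supply near 5 V), and the agreement test is what catches a sensor or ADC channel reporting a plausible but wrong value; neither alone covers both cases.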
It was a long time ago, but what I understood was that the actual throttle position to be commanded in software was kept in only a single variable, which was a global variable, which could be overrun with garbage data in certain circumstances, resulting in a full-throttle response.
The software failed, but it didn’t fail safe at all.
They do. If the ECM does not send any signal to the throttle body, they have a spring which closes them 95%, leaving it just open enough to limp home should the throttle body control motor fail. The ECM was opening the throttle because the throttle was being commanded open by the APPS, i.e. the throttle pedal was jammed. Cast all the doubt you want on the cause, but I'm a mechanic and I got to experience it first-hand several times, and every single time it was a physical obstruction holding the pedal down.
> Cast all the doubt you want
No one is casting doubt; the video provides _evidence_. Look at 8:50: do you see any 'physical obstruction holding the pedal down'?
Drive by wire has nothing to do with big fuel mileage increases, or HP increases, or engine life. It's a smog/economy-of-manufacturing thing.
My 2001 Toyota with a Throttle Cable, did 300,000 Miles, making 36 MPG on the Hwy.
Or, DbW is a natural progression from mechanically linked carburetors to direct injection systems with electric controls. You can say smog control was the death knell for the carburetor, however.
It was the SHED test invented by CARB. (Government loves coming up with names to make their acronyms be words.)
The basics of the SHED test are that a vehicle was placed into a sealed building (sort of a shed, eh?), then the air pressure inside would be lowered a bit, and after a while the air was sampled to determine how much Volatile Organic Compounds had evaporated from the gasoline.
In short, a test designed to fail any vehicle with a carburetor, due to their having float bowls full of gasoline, vented to the air.
Since California had a test that made all carbs an automatic fail, the automotive industry had to completely switch to all fuel injection by the end of the 1990’s.
I think the government of California has SHED for brains!
That kind of mileage is pretty standard today on some fairly large SUVs; no way that is happening without some serious computer control.
Cheap old cars are false economy when you get hit broadsides by a drunk driver running a light. Modern vehicles can handle this sort of collision much better. Watch the crash test videos.
The expected risk of getting broadsided by a drunk driver is low enough that you’re still better off with an old Honda than a new SUV that gets the same mileage.
The average claim for crash-related injuries is $23,450 and your odds of getting into such an accident are less than 1:100 in a lifetime, so the improved safety value is only a couple hundred bucks per driver and car, much less than the greater cost of the SUV.
I had a 1989 Mazda MX-6 with the basically Ford 2.2 L 4-cylinder engine with a turbocharger. The car had cruise control, but it was electrically actuated. The speed regulation was a lot better than other cars I’ve owned which had the comically large vacuum operated bellows for the actuator. The throttle was cable operated by the foot pedal as well.
The air-to-air heat exchanger on the 1949 to … original style VW Beetle was a bad idea. Of course the original Beetle was about being cheap wherever it could be cheap. One of my favorite cheap-outs was using the spare tire air to power the window washer, but it had a cut-off to prevent bleeding off too much air from the spare; I guess that is Teutonic logic that it is a good way to make sure you are required to regularly maintain your spare tire's air pressure! Old Beetles also had some plastic in the interior that always permeated the cabin with an odor reminiscent of spoiled milk. Ugh.
Casein plastic, casein wool, casein glue – all were used before synthetic plastics, and in post-war Europe because there was a lack of petrochemicals.
It was literally spoiled milk. You take milk, treat it with acid, separate the casein and then either use it as-is to spin fibers or treat it with formaldehyde to make buttons and panels. Residual sugars and fats would cause the off milk smell.
I have a Saab 9-3 from '99 which has a servo-operated cruise control. All nice and good, but for some reason Saab didn't bother having any aquaplaning/ice-skidding override on the cruise control. The slippier the merrier the cruise servo got, and it slammed the gas pedal to the bottom. Made for some extremely exciting drives the first few times I drove in winter/aquaplaned.
I don’t know if it is cheaper to produce. I do know that emissions and protecting weak transmissions are a major reason.
Not sure about Toyota, but Honda has dual opposite potentiometers on its DBW throttle body.
Obviously really hardening it could involve a CANbus link to the throttle body with checksums, sanity checks and watchdog resets if errors are detected.
Sanitize your inputs; throw out anything that doesn't make sense. Have multiple ways of verifying something and alternate means to enforce that, i.e. the computer should know what engine speed and power level it is commanding. If the throttle is not functioning, cut spark or fuel to prevent 'runaway'.
With the way people tailgate each other in groups of 12 cars at 60-80MPH maybe it is time to mandate radar following and braking, along with FAA style redundancy in the engine systems.
Well this fault seems to affect the PWM signal generation. I guess a way to remedy this would be to have the servo in the throttle body verify that it is a precise PWM signal before using it. Or a hardware PWM chip, or code that verifies the signal isn’t corrupted within the CPU.
Everyone is moving to CAN bus.
I was "squealing the tires" on my wife's Toyota Corolla (2003) when the throttle stuck at full and the car took off. This happened in a strip mall parking lot. I have been a mechanic for most of my life and, having dealt with runaways before, promptly mashed the brake to the floor, shoved the shifter into neutral, and turned off the key almost in one swift movement. I then began to investigate what had happened. I barely moved the driver's side floor mat when I heard the tell-tale pop of the accelerator pedal returning to its original position. The car was taken to Toyota and their fix was to cut off the bottom part of the accelerator pedal. Yes, you read that right. They cut off about a half inch of the bottom of the pedal. This was just enough for the pedal not to get caught on an out-of-place floor mat. At least in my case it was definitely the floor mat.
I’m not against hardening systems but please design redundancies instead of trying to make a throttle body that never fails – it won’t help you if a hose comes loose for example.
Arguably an interlock that kicks automatic gearboxes into neutral and disables fuel flow from the injectors (rev-limiter style, but at idle RPM), both easily done in software, if brake and accelerator are applied simultaneously for multiple seconds would solve this issue and even more improbable ones at the same time.
Statistics show most unintended acceleration cases are people in unfamiliar cars under stress. Therefore probably holding the accelerator down for dear life because they misplaced their feet.
Brakes beat engines, by napkin math as well as in practical tests – unless you press, release, press again on the brake pedal while at full throttle in which case power brakes don’t get significant power assist anymore (there was some controversy between Malcolm Gladwell and Consumer Reports about this in 2010).
I tend to be with Gladwell's advice (would add to shift to neutral) because we don't have these problems in manual-transmission-heavy Europe, which makes it seem overwhelmingly likely to be user error (an understandable one; panic sets in, I get it) if that shifts it. As practical advice, taking the foot off the pedal and making sure to stab the right pedal this time is most likely correct in most situations, esp. if you manage to put the transmission in neutral.
Some cars even use the anti lock/stability control brake pump to stop you if you hold the E-Brake-Button down if you have one of those.
It's super interesting, but I think it might be an example of engineers trying to improve a thing that shouldn't exist, or in this case shouldn't be critical. Software that a) cuts fuel if the brake is applied (even if only after a delay), b) kicks automatic transmissions into neutral under prolonged braking, c) uses anti-lock/stability control brake pumps if attempted hard braking seems unsuccessful (many cars already do this if you hold the E-brake button down) would all make the throttle body issue redundant on their own. Brakes also handily beat engines, so stabbing the correct pedal (unless you release and reapply while constantly at full throttle) does the trick. Most unintended acceleration cases are people in unfamiliar cars while under stress, so the (very understandable, panic sets in and all that) human error needs more attention than cosmic radiation in my book (which is, I think, where the controversy between Malcolm Gladwell, who made an interesting episode of Revisionist History about that, and Consumer Reports, who insist that letting go of the pedal *could* lead to you not getting brake assist back, comes from). I also have never seen one in my native Germany, where most cars are still manual transmission, which I think is because you left-foot clutch, right-foot brake in an emergency and are immediately independent of throttle anything.
There is a big, steep downhill near me. With a trailer on, you _need_ engine braking AND judicious footbrake application to get down alive.
> b) kicks automatic transmissions into neutral under prolonged braking
is a terrible suggestion. Brakes can apply significant deceleration, but have limited thermal capacity to dissipate that kinetic energy.
Brakes easily have enough thermal capacity to deal with the kinetic energy for a few repeated stops. What you are describing is gravitational potential energy, as the vehicle comes down a long descent. The engine can pump the heat out through the exhaust.
Interestingly, how do auto transmissions fare in this situation? Would you overheat the torque converter, or do they all have converter lock-ups these days?
Engine braking is an important technique for fuel saving, besides reducing brake wear. An automated intervention can be significantly counterproductive. But engineering is not foolproof nor common-sense driven, as we see, e.g., with automatic daytime running lights, when in light fog the taillights stay off.
To be fair. The system should be more fail safe.
Though, putting the transmission into neutral decouples the engine from the rest of the drive train. Effectively, the car is allowed to just roll freely until it loses its kinetic energy.
In manual cars the concept of decoupling the engine is critical to shifting gears. So here most users would likely push down the clutch if the engine started revving uncontrollably. But I suspect a lot of people driving automatic don’t even know that they can decouple the engine, or might even expect the car to be destroyed if put into neutral while driving.
I for one rather come to a controlled stop and risk over revving the engine, rather than accelerating uncontrollably to high speeds.
But to reiterate.
A system should still have fail safes.
Relying on human intervention as a backup is rarely ideal. (Though, a manual backup to the failsafe is still often a good thing.)
When this throttle body hits 88%, you’re gonna see some serious… glitch.
As mayhem so neatly points out, you do need to have the ability to react and do something intelligent when something like this happens. A long time ago I would drive with a friend who had an ancient MG and it had a habit of the throttle cable getting stuck. You hit the brake and the clutch (something many have never had any experience with) and turn the key off. No locking steering column in those days, so just turning the key off was an option. It was just a part of driving this interesting vehicle — probably 1960s era.
Yeah – good point. These days (and for quite some time) turning off the key will lock the steering wheel. Not quite what you want when you’ve turned off the key to prevent runaway acceleration!
There were only 37 confirmed deaths before Toyota fixed the critical safety problem. How did they fix it? The comments reflect the fact that none of us knows with any certainty. Even Colin O’Flynn’s excellent work cannot confirm any verifiable solution that Toyota implemented.
From Toyota’s position, the great advantage of their “fly by wire” controls is that the safety critical code is out of sight. Those of us who have worked with Toyota / Denso, met their engineers and been in their factories, have great respect for their engineering prowess. We also know they can be fallible.
But whatever their solution was, it must be correct because only 37 people died. Thank God Denso controls are not used in passenger aircraft.
I have zero respect for their engineering. I have a Tundra. Numerous recalls. Airbags, front suspension, corrosion. They spent billions of dollars on recalls. The die-cast pot metal shift linkage failed and left me stranded. Part unavailable and left the truck inoperable for 6 weeks until I sourced the part myself. Fuel tank straps corroded. A week after the dealer certified my vehicle as safe one strap snapped and the tank almost detached. This is not an organization attentive to quality or safety.
Way back when, when Toyota had a better reputation, they thought they could learn something from American auto makers. So they (Toyota) sent many of their management to attend MBA courses in the USA. We now see the end results.
@Bob I used to own a Toyota Tacoma. In the spring of about 2010 or 2011 I got a notice that the dealer needed to inspect my frame for rust. The notice stated that they would either replace the frame if it was a 2002 or newer or buy the truck back if it was 2001 or older. Mine was a 2002. I put off the inspection until about November, right before the notice expired. When I received the notice I looked at the frame: no rust. Looked at it again in November and I could stick my fist in the holes in the frame!!!! I circled the holes with chalk and headed to the stealership. The service writer was informed of the chalk and after the inspection told me "Say this vehicle is unsafe to drive and you will get a loaner until your frame is replaced". Oh yeah!! They gave me a loaner (rental) Corolla until my truck got fixed. I checked the box on the rental form for the damage waiver and loaded my tools and ladders in/on the Corolla. I do HVAC for a living. 4 months later I got my truck back. When I returned the rental the agent walked around it and just stared. The roof was smashed flat from my ladders, the back seat was utterly destroyed, and the inside was dirty dirty dirty. The agent asked what happened and my response was that I owned a truck and they gave me a car. He looked at the form and saw the damage waiver checked and yelled at me for five minutes for destroying the car. My response was that I owned a truck and they gave me a car!!! By the way, they do not rent trucks.
I am sorry to hear your Toyota let you down. Over here in the north-east European region Toyota easily leads the annual inspection pass rate for the first 10 years when it comes to cars and pickups.
As others have mentioned, when a throttle becomes stuck or stuck wide open, there are several things the driver can do to control the situation… assuming the driver has the appropriate skill set and reactionary response. However, as time marches on and more and more "features" are added to vehicles, drivers are becoming more and more dependent on these features at the expense of their own skills. These days many people rely on ABS, front/rear/side radar warning, backup cameras, etc… All of these things are indeed good things, but have resulted in drivers becoming complacent and dependent on such tech. Basic driving skills do not seem to be as common as they once were, and those that do drive older cars without the host of new features are "forced" to maintain these skills.
In addition to these new safety features, there could be a time where the driver is not given any control over the vehicle's particular core functions… A relatively recent example for me was driving a newer-ish high-end car where there is no longer a hydraulic connection between the brake pedal and the brakes. The vehicle's battery dropped below the minimum voltage deemed acceptable by the car's ECUs (an internal cell within the battery failed) and the result was a shutdown of most of the electrics, including the servos controlling the brakes… and so I had lost 95% of my brakes, with the instrument lights flashing like a Christmas tree and behaving like the original '60s Lost In Space robot. Thankfully I was able to pull over and coast to a stop, otherwise I would have had to fumble trying to engage the parking brake, etc…
There is a point where adding more and more features and removing control of the driver has consequences.
What car specifically has only brake by wire? Last I knew we still had a physical hydraulic connection from pedal to piston. Your story appears to support this, as it sounds like you just lost power assist.
2004-2009 Prius does not use its wheel brakes at speeds above 7 MPH. Over that speed it’s all regenerative braking by switching the drive motor to generator mode.
Really doubt that. Regen braking is normally ‘just about right’ for most driving conditions. But it will be insufficient for any emergency conditions.
Nope… did not lose power assist…brake pedal went right to the floor. Mercedes 500 series 2003 and onwards. There are two batteries where one is specifically for starting and the other for everything else. If the 2nd battery craps and/or if the battery drops below a certain point, all hell brakes loose… if you forgive the pun. It was certainly startling for me to press on the brake pedal and feel no resistance. Thankfully I was not too far from home (about 2 blocks) and so once traffic lightened up I hobbled my way back. Checked the battery… yup… around 10V… Installed a replacement in about 10 mins and everything was back to normal and no issues since. I now routinely check my battery.
I have designed electronics and software for small general aviation, and for a case that was way less safety-critical than a throttle control, I set up the hardware PWM generator in one-shot mode, so it had to be retriggered by the software after every output cycle. This ensures the output goes low after at most a few milliseconds when the software fails.
They should have had a separate process monitoring this system, with the ability to cut fuel when something goes wrong. For example, if the output transistors fail and the throttle is actuated 100% because of that, it should detect the discrepancy between the position setpoint and the position feedback of the throttle position sensor, and if that persists for more than a very short time, cut fuel and ignition.
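An added example of the monitor described in the comment above (example code, not from any production ECU). It goes one step beyond the comment: besides comparing the throttle setpoint with the throttle position feedback to catch actuator faults, it also checks the setpoint against the pedal demand, which is the check that would catch a controller opening the throttle on its own. The tolerances, the 200 ms persistence time and the idle allowance are assumptions for the demo; a real implementation would feed cruise-control and idle targets into the allowed envelope rather than using a fixed margin.

```c
#include <stdbool.h>
#include <stdio.h>

#define POS_TOL_PCT      10   /* allowed setpoint vs. plate-position error (assumed) */
#define IDLE_ALLOW_PCT   15   /* how far past pedal demand the controller may open
                                 the plate for idle control (assumed) */
#define TRIP_MS         200   /* how long a mismatch may persist; must exceed the
                                 actuator's settling time (assumed) */

typedef enum { MON_OK = 0, MON_CONTROLLER_FAULT, MON_ACTUATOR_FAULT } mon_reason;

typedef struct {
    unsigned mismatch_ms;  /* accumulated time out of tolerance */
    bool tripped;          /* latched: fuel and ignition cut until reset */
    mon_reason reason;
} throttle_monitor;

typedef struct {
    bool fuel_enable;
    bool ignition_enable;
} engine_outputs;

static int absdiff(int a, int b) { return a > b ? a - b : b - a; }

/* Called every dt_ms from a task (or second MCU) independent of the main
 * throttle controller. pedal_pct is the validated driver demand,
 * setpoint_pct what the controller asked the throttle motor for, and
 * feedback_pct the measured plate angle. Returns what the monitor permits. */
static engine_outputs monitor_step(throttle_monitor *m, int pedal_pct,
                                   int setpoint_pct, int feedback_pct,
                                   unsigned dt_ms)
{
    engine_outputs out = { true, true };

    if (!m->tripped) {
        mon_reason r = MON_OK;
        /* Controller fault: the software is asking for more throttle than
         * the driver is, beyond what idle control legitimately needs. */
        if (setpoint_pct > pedal_pct + IDLE_ALLOW_PCT)
            r = MON_CONTROLLER_FAULT;
        /* Actuator fault: the plate is not where it was commanded to be
         * (shorted driver transistor, jammed plate, broken feedback). */
        else if (absdiff(setpoint_pct, feedback_pct) > POS_TOL_PCT)
            r = MON_ACTUATOR_FAULT;

        if (r != MON_OK) {
            m->mismatch_ms += dt_ms;
            if (m->mismatch_ms >= TRIP_MS) {
                m->tripped = true;
                m->reason = r;
            }
        } else {
            m->mismatch_ms = 0;       /* transient: actuator caught up */
        }
    }

    if (m->tripped) {
        out.fuel_enable = false;
        out.ignition_enable = false;
    }
    return out;
}

int main(void)
{
    throttle_monitor m = { 0, false, MON_OK };
    engine_outputs out = { true, true };
    /* Constructed scenario: 20% pedal, sane controller for 100 ms, then the
     * controller commands 100% with no change in pedal and the plate follows. */
    for (unsigned t = 0; t < 400; t += 10) {
        int setpoint = t < 100 ? 25 : 100;
        out = monitor_step(&m, 20, setpoint, setpoint, 10);
        if (m.tripped) {
            printf("tripped at t=%u ms, reason=%d, fuel=%d ignition=%d\n",
                   t, (int)m.reason, out.fuel_enable, out.ignition_enable);
            break;
        }
    }
    return 0;
}
```

The trip is latched deliberately: once the monitor has seen the controller or actuator misbehave it keeps fuel and ignition off until a reset, rather than letting the engine resume the moment the inputs happen to look sane again. For that to be worth anything the monitor must get the pedal value from its own validated path and the feedback from a sensor the main controller cannot influence; if it just reads the controller's own variables, a corrupted controller can satisfy it.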
In computing redundant systems are the answer for failure.
Toyota, I've heard, uses a second set of injectors to wash the carbon off the valves, which are run while closed mostly. So if there was a separate ECU for those wash injectors, then that could be used to run the engine at idle speed, with small-flow injectors that cannot run any faster.
Then use a microswitch on the throttle pedal to engage the high-RPM ECU when pressed. Since both ECUs are software-isolated from each other, a bug should not bring down both. If the engine runs away at speed, take your foot off the pedal and the engine starts to idle.
TL;DR: one ECU for idle, one ECU for driving, or just run two maps, like how VW cheated the emissions test. Perhaps a map designed to run at idle speed and no faster should be impossible to run away.
Always link to this presentation when talking about Toyota acceleration issues: https://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf
@MOAGX I've never seen that presentation nor knew of other reasons for the throttle going WOT. My god man, who the hell coded this and how did it ever make it into a vehicle? No redundancy, stack overflows, excessive code required to run, 80+% CPU usage at 5000 rpm. I'm not sure I will ever buy a Toyota product again. Thank you for the awakening!
On page 3 of that PDF, one of the drivers killed in a runaway Lexus was described as a 45-year-old "California Highway Patrol Officer; vehicle inspector". I'm having trouble reconciling that fact with a failure to shift into neutral. Is there some circumstance in which it might not be possible to successfully do so? It's hard to believe that a driver with those qualifications would fail to attempt a shift to neutral. I'm pretty sure I would do that almost reflexively, and my driving experience isn't nearly as comprehensive as that of a highway patrol officer who both drives and inspects vehicles for a living.
Any sufficiently old car with a manual transmission will push start and run without a battery. My ’97 Ranger happily runs this way, and I’ve taken advantage of it several times when my battery had died. Some definite advantages to these older, simpler vehicles.
My Citabria flew just fine without a battery but with a hand prop.
The “Stuck Throttle” was a software bug.
https://embeddedgurus.com/barr-code/2013/10/an-update-on-toyota-and-unintended-acceleration/
In a nutshell, the team led by Barr Group found what the NASA team sought but couldn't find: "a systematic software malfunction in the Main CPU that opens the throttle without operator action and continues to properly control fuel injection and ignition" that is not reliably detected by any fail-safe.
Back then I read a bit about it, and I found it completely unbelievable that that code was ever approved in a vehicle. It was riddled with global variables and other nasties, and it was about 2 orders of magnitude too complex for what software for controlling the accelerator should ever be.
Additionally:
https://hackaday.com/2016/10/24/toyotas-code-didnt-meet-standards-and-might-have-led-to-death/
It seems like the need is to have an ECU/ECM that bricks the controller if the lid is removed to prevent this sort of fault injection to take place. Like a 10,000V cap that shorts right through the main CPU and blows the lid completely off.
The main cause of runaway is the driver catching the accelerator pedal and being startled when thinking they are pressing the brake pedal. Every maker sees these every year. On some models blame is placed on too small a gap between the pedals.
The central example car had the exact same oversized floor mat installed that another customer complained had trapped the pedal the day before. That customer jammed on the brakes and held them to pull over at the side of the road and shut off the motor. When he found the pedal was trapped, he freed it and drove safely and when he returned the loaner car to the dealer, he read them the riot act about nearly killing him. That dealer left the mat in place and loaned it out to the family that died.
In the old days the accelerator pedal was hinged at the floor. If the mat pushed up it could lean on the pedal. With the pedals now integrated into the dash assembly the end of the pedal can snap behind an over-sized mat – this is the position it is in from someone flooring the accelerator – jamming it as hard as they can. Unlike the old version where the return spring could fight the weight of the floor mat, the new concept (as used in all cars now) is a one-way switch.
It's not clear that any of the other deaths that were reported as throttle runaway were the result of any mechanical or electrical problems at all. Critically, they didn't show brakes being overheated as one would expect from trying to stop an out-of-control vehicle. Instead, many showed the accelerator pedal being deflected farther as the incident went on, the pedal being examined and found defect-free afterwards. It is clear that many of these cars know when the driver is over 65 years old.
What is significant is that of the millions of people with cell phones and all the Toyota vehicles that no one ever found a reproducible problem. What did happen is experiments like the one above where investigators pulled the cover off and added circuits that aren’t part of the ECU/ECM.
Clarification: Blows the lid of the chip off, not the lid of the ECU/ECM. Just a quick little “pop”.
“The central example car had the exact same oversized floor mat installed that another customer complained had trapped the pedal the day before. That customer jammed on the brakes and held them to pull over at the side of the road and shut off the motor. When he found the pedal was trapped, he freed it and drove safely and when he returned the loaner car to the dealer, he read them the riot act about nearly killing him. That dealer left the mat in place and loaned it out to the family that died. ”
Sounds like the Boeing 737 Max fiasco where prior to the fatal crash, pilots on a previous flight reported problems.
Notably Toyota failed to account for task/thread death with their watchdogs and monitors. I can’t find the full report from the Barr group to the court but the slides get the point across.
https://www.safetyresearch.net/Library/BarrSlides_FINAL_SCRUBBED.pdf
Pardon me it’s not the report I was looking for, it was the transcript of his testimony:
http://www.safetyresearch.net/Library/Bookout_v_Toyota_Barr_REDACTED.pdf
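The task-death gap mentioned above, as an added C illustration that is not from the Barr testimony or from any Toyota code: a watchdog kicked from a periodic timer keeps getting kicked after the task it protects has died, so this supervisor withholds the kick unless every monitored task has checked in within two of its own periods. Task names, periods and the simulation are constructed.

```c
/* Task-liveness supervisor (constructed illustration, not Toyota's code).
 * A watchdog kicked from a periodic timer ISR keeps getting kicked even when
 * the task it is meant to protect has died; here the kick is gated on every
 * monitored task having checked in within two of its own periods. */
#include <stdbool.h>
#include <stdint.h>

#define NUM_TASKS 3

typedef struct {
    const char *name;
    uint32_t    period_ms;     /* expected check-in interval */
    uint32_t    last_seen_ms;  /* tick of the task's last check-in */
} task_monitor_t;

static task_monitor_t monitors[NUM_TASKS] = {
    { "throttle_ctrl", 10,  0 },   /* constructed task set */
    { "pedal_sense",   10,  0 },
    { "diag",          100, 0 },
};
static uint32_t now_ms;

/* Each task calls this from inside its own control loop. */
void task_checkin(int id) { monitors[id].last_seen_ms = now_ms; }

/* Index of the first task that missed two consecutive periods, else -1. */
int find_stalled_task(void) {
    for (int i = 0; i < NUM_TASKS; i++)
        if (now_ms - monitors[i].last_seen_ms > 2 * monitors[i].period_ms) return i;
    return -1;
}

/* Simulate run_ms of operation where task dead_task stops checking in at
 * death_ms (dead_task < 0: nobody dies). Returns the first tick at which the
 * supervisor would withhold the watchdog kick, or -1 if it never does. */
int simulate_task_death(int dead_task, uint32_t death_ms, uint32_t run_ms) {
    for (int i = 0; i < NUM_TASKS; i++) monitors[i].last_seen_ms = 0;
    for (now_ms = 0; now_ms < run_ms; now_ms++) {
        for (int i = 0; i < NUM_TASKS; i++) {
            bool alive = !(i == dead_task && now_ms >= death_ms);
            if (alive && now_ms % monitors[i].period_ms == 0) task_checkin(i);
        }
        if (find_stalled_task() >= 0) return (int)now_ms;
    }
    return -1;
}
```

With the throttle task dying at 50 ms, `simulate_task_death(0, 50, 200)` returns 61: its last check-in at 40 ms ages past two periods at 61 ms, whereas a timer-driven kick would never notice.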
I have a car that has some electronic glitchery going on. 1997 Taurus LX. Its Idle Air Control passage in the throttle body got all gunked up with oil and crud (running PCV vapors into any dry part of the intake, especially the throttle body, is a damn stupid thing) and it suddenly ran horribly.
So I removed the upper intake manifold, cleaned it out, cleaned the throttle body too. All passages nice and clean. It got new spark plugs, new plug wires, new genuine Motorcraft PCV valve, new PCV hoses to replace the ones that were oil soaked and mushy.
Since then it has refused to relearn how to control its IAC motor. I’ve replaced the Throttle Position Sensor and the IAC motor and nothing changed. After several attempts I did get it to do the Warm Idle Relearn.
The problem is that when cold it will open the IAC to 100%, allowing enough air to bypass the throttle plate it can slowly accelerate to at least 35 MPH without pressing the accelerator.
When the temperature gauge indicates the engine is warm (it blows warm air out the vents long before the temp gauge starts to move!) it *may* settle down and idle at the speed it is supposed to.
Another almost reliable method of getting it to idle properly is after driving the car a bit, stop and shift to Park then back to Drive.
But at any time it may or may not operate properly, even from a cold start.
Nobody can figure out WTH the problem is or why it only started this *after* the tuneup and cleaning that should have made it run *better* than it had in years.
I do have a VCM-II clone which I used to (supposedly) completely wipe all the learned stuff from the ECU then I redid the Warm Idle Relearn. Didn’t change anything about how it runs wrong.
In my opinion there’s a serious software defect going on. What *should* happen is the ECU should read the TPS and have a hard limit on the IAC so that if the TPS is at minimum reading the IAC should not ever be allowed to open to 100%. If that causes it to run rough or not at all due to IAC passage clogging, then it’s time to clean it, and curse whomever thinks dumping the PCV fumes into the throttle body was a good idea.
It has to be able to detect airflow conditions to adjust how much the IAC opens to accommodate the progressive clogging of the IAC passages. But the decoupling of TPS VS IAC positions is a dumb oversight that should not have gotten out the factory door. There should also be a specific Cold Idle Relearn procedure to forcibly recalibrate the IAC setting for the period before the engine reaches running temperature.
Same for pumping oily crankcase vapors through the throttle body. Automotive engineers who put PCV vapors into places where the deposits don’t get washed away by fuel ought to be flogged – especially when those vapors go through “mission critical” places like the IAC passage.
One person said it *may* be the transmission shifter position sensor, but I’m fed up with throwing money at it. Would be extremely coincidental for the shift sensor to develop an intermittent fault at precisely the time I worked on the engine, touching nothing with the transmission.
The oft repeated cry of “vacuum leak” is also tossed out there. It could only be a vacuum leak if there’s a computer controlled valve randomly opening when it shouldn’t. Oh, wait, that would be the IAC. If it was a simple vacuum leak it would want to run too fast 100% of the time, which it doesn’t do.
Electronics on cars have a lot of stupid crap designed in that anyone with a bit of common sense will look at and think “Well, ain’t that *special*. I can think of 4 or 5 ways that could go bad.”. One has to wonder if they’re driving around with a Therac 25 level of spaghetti code operating their vehicle.
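The TPS-to-IAC interlock the comment above calls for, as an added C illustration that is not from any Ford or other ECU code: the idle valve command is clamped to a ceiling derived from throttle position and coolant temperature, and a request that keeps exceeding the ceiling latches a fault rather than being silently obeyed. Every threshold here is hypothetical.

```c
/* Constructed illustration of the interlock the comment above asks for: the idle
 * air control (IAC) valve is clamped to a ceiling derived from the throttle
 * position sensor (TPS) and coolant temperature, and a persistent request above
 * the ceiling latches a fault instead of being silently obeyed. All thresholds
 * are hypothetical, not from any real calibration. */
#include <stdbool.h>
#include <stdint.h>

#define TPS_CLOSED_MAX_PCT   5   /* TPS at or below this: foot is off the pedal */
#define COOLANT_WARM_C      70   /* assumed warm-engine threshold */
#define IAC_COLD_CEIL_PCT   60   /* most the IAC may open at closed throttle, cold */
#define IAC_WARM_CEIL_PCT   35   /* most the IAC may open at closed throttle, warm */
#define FAULT_TRIP_COUNT     5   /* consecutive clamped requests before latching */

typedef struct {
    uint8_t over_limit_streak;
    bool    fault_latched;     /* would set a DTC and the check-engine lamp */
} iac_guard_t;

/* Ceiling on the IAC duty for the current TPS and coolant readings. */
uint8_t iac_ceiling(uint8_t tps_pct, int coolant_c) {
    if (tps_pct > TPS_CLOSED_MAX_PCT) return 100;  /* throttle open: no clamp needed */
    return coolant_c < COOLANT_WARM_C ? IAC_COLD_CEIL_PCT : IAC_WARM_CEIL_PCT;
}

/* Clamp the idle controller's request; returns the duty actually commanded. */
uint8_t iac_command(iac_guard_t *g, uint8_t requested_pct, uint8_t tps_pct, int coolant_c) {
    uint8_t ceil_pct = iac_ceiling(tps_pct, coolant_c);
    if (requested_pct <= ceil_pct) {
        g->over_limit_streak = 0;
        return requested_pct;
    }
    if (g->over_limit_streak < 255) g->over_limit_streak++;
    if (g->over_limit_streak >= FAULT_TRIP_COUNT) g->fault_latched = true;
    return ceil_pct;
}

/* Replay a cold start where a misbehaving learned table keeps asking for 100%
 * IAC with the pedal released; returns true if the guard latches a fault. */
bool cold_start_latches_fault(int cycles) {
    iac_guard_t g = { 0, false };
    for (int i = 0; i < cycles; i++) iac_command(&g, 100, 0, 20);
    return g.fault_latched;
}
```

On the cold, closed-throttle case the valve is held at 60% no matter what the learned table asks for, and after five such requests the guard latches a fault that a scan tool could read instead of leaving the driver to guess.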
Try plugging the iac passage with something – make sure it doesn’t come loose and get ingested and do your cold start test again.
I’m not familiar with this iac system, is it a stepper or a voice coil?
If memory serves, the firmware was a mess.
2005 Camry L4 has >11,000 global variables
https://archive.org/stream/BarrSlidesFINALSCRUBBED/BarrSlides_FINAL_SCRUBBED_djvu.txt
I was reading up on the ECU in my 2001 Honda Insight, which has a directly connected cable operated throttle butterfly. The Honda ECU has a limp home mode that if the ECU is lobotomized by the main CPU going dead, there is enough capability in the surrounding combinational logic that it is able to generate control output sufficient to keep the car running. I assume that is mostly reading the crank angle sensor and then generating spark trigger and fuel injector trigger. The main CPU could be mostly used for tweaking the values to achieve desired emission characteristics. The Insight has a three cylinder 997 cc engine, so the CPU has to separately manage three sparks per revolution. Honda also has a crazy mode called lean burn where the CPU plays with the stoichiometry making the A/F ratio up to 25:1 when the engine is lightly loaded. Normally that would drive your NOx output really high, but there is an absorptive catalyst which can store it for later burn off. Honda was able to get ULEV rating for the manual transmission Insight and SULEV rating for the CVT, which does not have lean burn. Some Honda models had an indicator lamp for lean burn, but not the Insight. You can tell when lean burn is in effect because the estimated MPG will go up to around 100 and there might be a slight judder. Lean burn works. I’ve gotten over 80 MPG on long mostly highway trips and my over-all efficiency has been about 55 MPG in the 57K miles I’ve owned the Insight. It has about 189K total miles.
A 3 cylinder engine sparking 3 times per revolution, is it a 2-stroke engine?
A jacketed cable snaking its way from a pedal, through a firewall, between high-speed rotating components and into the throttle body is inherently less reliable than a sensor, a wire, and an actuator.
The problem is that the latter system requires software, which exposes the design to an “entire field that is bad at what [they] do” (https://xkcd.com/2030/), making the final product less safe, until it has been through enough iterations to happen across one that works.
Even on a throttle by wire system, wires go to/from the engine bay/firewall/cabin… and also around rotating components… which are usually way up front. Cables have been used for a very long time and ones not under a lot of stress are extremely robust. Even cutting a cabled throttle is really tough because it is technically armoured. Drive-by-wire wires are significantly smaller and not usually armoured other than a plastic loom.
I don’t get it. If the engine keeps revving without foot on pedal can’t you just press the clutch, put it into neutral and stop using brakes?
If you are tired, returning from a visit, car full of your family, it is evening, slightly raining – and suddenly the car accelerates in the curve, you will hit the brake, get into a skid, hit the tree and – multiple funerals. Got it?
I’m always suspicious when the manufacturer claims the computer did not detect the brake pedal as it was accelerating to full speed. That does not prove that the brake was not being applied. It does prove the computer was not slowing the car down. Being an EE makes one a non-believer.
Yah really. I was in an older vehicle approaching a busy roundabout, full of traffic, when noes, my throttle hung up, took about 0.25 seconds of consideration to snag it into neutral and roll over to the shoulder. In 5 mins I’d had the hood up, determined that the bowden cable outer had corroded and kinked, snipped off a bit of wire coathanger as a splint, bound that on with tape, added wire ties to not give it as much freedom of movement, and was merrily on my way again. It barely even counted as drama.