Editor’s note: I have known John Dunn for many years. We were on the IEEE Long Island NY Executive Committee together. John is a long time engineer/consultant with many, many years of experience; check out the Living Analog blog for proof of his expertise. This is a very controversial topic and John’s experience below got him thinking about the electronics that could be a possible cause of this event. Even if it turns out not to be the case, he brings up a valid point. Please read on. —Steve Taranovich, EDN
I have a 2006 Toyota Camry that has twice gone into runaway acceleration. The events each began instantly and then stopped. I think I know why it happened.
Tracing the car’s wiring diagram, I looked at the throttle position sensor, which is really just a potentiometer whose rotating shaft is mechanically coupled to the gas pedal. As the gas pedal is depressed by the driver’s foot, the slider moves up toward the rail voltage and an increased voltage gets fed to a control module input. which I have called the sense voltage. The higher that sense voltage becomes, the higher the engine speed becomes.
The danger in Figure 1 is that if the circuit path from the low end of the throttle position sensor to the car frame opens up as from a cracked harness wire or cracked connector pin or within the sensor itself, the sense voltage will instantly rise up to the rail voltage and the engine will instantly go into runaway acceleration. Again, runaway acceleration has happened twice to my own car. A break in that one single wire can turn the car into a runaway missile.
The first time this happened was when I was exiting from a parkway. When this happened the second time in my driveway, my tachometer dial went way up into the “red” zone, well above 6000 RPM as I threw the gearshift into park. After the engine slowed down again, I tried to get the engine up to that RPM by depressing the gas pedal all the way down with my foot but I couldn’t depress the pedal far enough down to get the engine to go above 4000 RPM.
That means to me that what happened in those two incidents was not the result of an improperly positioned floor mat, even though that had been the argument which Toyota had advanced in court and which was, in my opinion, improperly accepted by that court in Toyota’s favor.
The problem of one broken wire is a single point failure, much like the issue of a single point failure on the MCAS system on the Boeing 737 MAX8 aircraft and much like the use of single chamber master brake cylinders in automobiles built prior to 1967. In today’s world, cars are required by law to have dual master brake cylinders and I assert that there is an equivalent duality imperative regarding throttle control.
Figure 2 Revised throttle position sensor
In the revisions of Figure 2 , an opened return wire, either one, running from the low end of the throttle sensor to the car frame would be ohmmeter detected without the loss of throttle control. An alarm signal (the check engine light) could be generated, unintended acceleration would not occur and lives would be saved.
Does this or something like it have any chance of becoming a requirement by law?
John Dunn is an electronics consultant, and a graduate of The Polytechnic Institute of Brooklyn (BSEE) and of New York University (MSEE).
” If we consider wire shorting as possibility, we still have single point failure mode if the 'sense' wire shorted to the 'rail'”
“One should look at ISO 26262 on how to classify risks, and the recommended system approach to bring them to an acceptable level in an automotive environment.nnISO26262 was released shortly after the Camry incidents, wich if I got it correctly, included
“I would be surprised if the throttle position sensor and ECU were in fact using an (electrically noisy) chassis ground connection rather than dedicated wiring. In either case, an open on the reference (ground) would indeed cause a full scale input to th
“I like the theory of failure and it seems reasonable.nnAlternatively, what if the throttle were limited in range to say 0-5V while sill pulled up to say 12V. Then any occurrence of 5+V would instantly mean there is a problem.nThis would be really simp
“I don't know how Toyota does it, but more typical is:n1) the sensor is electronic, not a mechanical pot/wipern2) the return (ground) for the sensor is a dedicated circuit to the ECU, not connected to body groundn3) there are dual sense elements in the
“My question is why this should happen only with Toyotas, and not every other “fly by wire” vehicle on the road? I mean, even fuel level sensors operate on pretty much the same principle, but we don't see a spate of fuel gauges running to max (or maybe t
“It's possible to monitor for an open fault without additional wires. It would require two additional resistors, or limiting the range of motion of the throttle position sensor (potentiometer).nnGiven an 8K pot, with 1k resistors on each end, and 10V app
“I agree with the other comments, such that it would surprise me if Toyota's design were as postulated by the author then they should have been able to duplicate the problem during the investigation.nnThat being said, I recently tried to remote the throt
“I have had a close to personal exp with this reality. SA occurred twice to my wife's Ford Explorer in the 2000's. During an almost marriage ending interrogation, she made a subtle but startling comment; she “heard it”. Heard it? At a full stop, when sh
“Intermittent open-circuits are pretty common, just wiggling a wire can do it, which might explain the self-healing behavior. It's worth noting that 'broken wire' (bad connection) is probably the most common failure in all of electronics, and 'shorted wir
“John.. I don't pretend to know what your experience in this area is. (on your 2006 Toyota)nThe referenced NASA review of the Toyota 2005.. indicates : 1) there are no pots, the position sensor is a dual hall effect sensors. No single point failures here.
“You are correct.. yet I have never known of a microcontroller/processor to be built from the “ground up” in this manner. It was proposed to require this type of design process for processors used in critical processes back in the 1970s.. but was quickl
“Airplane cockpits (older) … full of indicators … used to require dual element lamps to provide protection from a critical indicator not working. nThe problem: the first element would fail.. and no one would notice the slight change in brightness in
“I was a bit surprised to see Michael Dunn's reporting on the software issues of the Toyota .. yet see a proposed a hardware “solution” from another Dunn. “
“Michael and I share the same last name, but we're not related. I did tell him though about the actor Michael Dunn whom you might recall as the dwarf in the Star Trek story “Plato's Stepchildren”.nnMichal Dunn had the most marvelous singing voice. He o
“As written, accelerator pedal is mechanically connected to the throttle and a potentiometer is signalling throttle position to the ECU. If so, the ECU cannot increase the speed of the motor as it is the throttle mechanical position that sets the amount of
“Twenty years ago, I used to work designing off-road large hydraulic machines at Sauer-Danfoss (pea harvesters, tree cutters, boat lifts etc.). We used the same idea, with 1k resistors at each end of a 4k7 pot. Then if any of the three connections is lost,
“I would disagree with the proposed solution as it would add more wires than needed. An alternate solution would be to have the sense voltage vary from say 1 to 4 volts and is of a two wire connection where the pot pulls up the sense input against an Cont
“Interesting issue with older cockpit indicators. I assume the filaments were in parallel. A circuit change to series connection, but with a resistor shunt across each filament would allow selecting a resistor value that would make the burnout more evide
“Great article…!!! i enjoyed it thoroughly thanks for sharing it.”
“You are right, this is ALWAYS done.”
“Ron Belt had a lengthy reply, so I (Steve Taranovich) am posting that here in about four consecutive parts—Part 1:nnThe explanation you described for runaway acceleration has been shown to be inapplicable to Toyotau2019s back in 2012. Since then, mo
“Ron Belt comment Part 2:nnThis voltage compensation function works well as long as the DC supply voltage is sampled correctly. But sometimes an error can occur during the voltage sampling operation. This can happen when the 12V supply DC voltage is sa
“Ron Belt comment Part 3:nnBut there is more. It turns out that the inputs to the throttle motor controller donu2019t come directly from the driver pushing on the accelerator pedal. Instead, they come from a table that issues set-points to the throttl
“Ron Belt comment Part 4:nnOne can also see from this explanation why no evidence is ever found afterward for the cause of sudden acceleration. This is because after the ignition is turned off, when it is turned back on again, a new voltage sample is ta
“Ron Belt comment Part 5:nnThere are more implications to this explanation for sudden acceleration that one can find by reading the authoru2019s papers at https://www.autosafety.org/dr-ronald-a-belts-sudden-acceleration-papers/. It is recommended t
“This write-up gets deeper into the issue of runaway acceleration that I ever thought of and I must commend the author. nnAnother commentator suggested that the throttle position sensoru2019s slider (This model does use a potentiometer.) to the control
“To see where the connector/harness repair was done on my 2006 Camry, please see:nnhttps://licn.typepad.com/my_weblog/2019/05/toyota-camry-uncontrolled-acceleration-part-4-john-dunn-consultant-ambertec-pe-pc.html”
“Some time back, I sent a complaint about the runaway acceleration issue to The National Highway Traffic Safety Administration and they have replied. Please see:nnhttps://licn.typepad.com/my_weblog/2019/05/toyota-camry-uncontrolled-acceleration-par
“Hi everyone, nI just registered to this site as I was searching the web for meaningful commentary on sudden unintended acceleration (SUA) in cars. I experienced this with my Tesla Model 3. The NHTSA database has several incidents of SUA (there is a lot
I THINK, later systems use a Hall effect sensor, possibly two in parrallel. Either way, it is easy to detect it the sense voltage changed very rapidly, and shutdown the effect. Even if you stamp on the pedal, that is slow in electronic terms.
It has now been sixteen months since the connector at the throttle position sensor was repaired and there has been no repeat of uncontrolled acceleration. I am pretty certain at this point that the mechanism behind the problem was correctly identified and remedied.
It is now over two years since this episode took place and the repaired car has not shown any further problem..
I am no longer “pretty certain”.
I am utterly convinced that what I described did indeed occur.
You must Sign in or Register to post a comment.