Toyota says ETCS-I is infallible – Convincing?

The YouTube Video Clip and More

Toyota has posted an informative video clip on YouTube that explains how the electronic throttle control system (ETCS-I) on their vehicles works. The fail-safe mechanisms that are built into the system are illustrated pretty well using animations and informative diagrams. If one accelerator pedal position sensor fails, the throttle is closed. If the throttle is blocked by a mechanical object, the engine is shut down. If there is a signal coming from outside the ECM (engine control module), the engine (supposedly) shuts off. If one accelerator or throttle sensor fails, the system detects it. It can switch to ‘limp-home’ mode or ‘idle’ mode depending upon the severity of the failure conditions.  In the worst-case scenarios, the engine is shut down completely.

This is a good video clip that is presented cleanly and produced well. (Where can I get one of those desktop ETCS-I simulators?)  Toyota is trying to educate and convince its customer base that it’s still safe to buy and operate Toyota vehicles. An extended version of this clip is on Toyota’s website in webinar form with Q&A from media representatives. In this clip, additional presenters also describe EMI (electro-magnetic interference) and ESD (electro-static discharge) testing.

The Flip-Side

So, what’s not to like? It’s the assumptions behind the design and the arguments.

  • Any safety-critical system has to make assumptions about what will fail, how it will fail and what the failure rate will be. For example, there are two ECUs (processors) in the ECM (Engine Control Module). The typical assumption one makes (and Toyota makes it as well) is that they will fail independently. This is called the independent failure assumption. But can both fail together? This is called a common mode failure. Both processors can fail together if, for example, there is a flaw in the processor design or implementation (they got too hot, a hardware bug manifests itself only occasionally, the solder joints for a chip were defective, …). Now what?
  • For the technically knowledgeable, Toyota also does not answer the important question “Is there a single point of failure in the ETCS-I?” Nor does Toyota present a complete fault-tree analysis. I would presume that such an analysis exists, but it is not presented. Toyota also does not distinguish between permanent and intermittent failures. Most descriptions of SSUA (sudden and sustained unintended acceleration) seem to allude to intermittent failures: failures that disappear when power is turned off and the system is reset. This property of the problem is what makes it so hard.
  • The presenters emphasize that a DTC (Diagnostic Trouble Code) would have been stored if a failure had happened and a fail-safe mechanism had kicked in. However, not every error condition is stored as a DTC. For example, if one of the accelerator pedal position sensors (APPS) fails but both processors are working, a DTC will not be stored. Such conditions may be exactly when a sequence of events that eventually leads to SSUA gets triggered.
  • A stored DTC is erased after a “few” engine start/stop cycles. They do not quantify “few”; knowing the exact number(s) would help people who experienced SSUA determine whether their DTC was indeed stored but subsequently erased. (Remember: the failures we see are intermittent failures.)
  • Toyota does not even bring up the topic of software (wisely). According to the Sustainable Computing Consortium, there can be 20-40 bugs in every 1000 lines of code. Even if Toyota or its suppliers did a spectacular job with the ETCS-I, it would still be very hard, if not impossible, to prove that the code is correct. The questions on this front are two-fold:
    1. Are there bugs in the software? Why not?
    2. Have there been bug fixes in various releases of the ETCS-I firmware? What were the fixes? When were they made?
  • The response to the question “Where is the ‘black box’?” is very lame. Toyota released ETCS-I in 1998, deployed it widely across its popular models since 2001/2002 and has had it on 100% of its vehicles for the past couple of years. In other words, its investment in the technology is huge. SSUA complaints have surged (by a factor of about 10x) since its introduction in 2001. Toyota claims that nobody has been able to show that electronics is a cause for these complaints. The implication is that drivers press the gas pedal when they mean to press the brake pedal. If that were indeed true, Toyota could instantly exonerate itself if a black box (event data recorder) showed this unambiguously. So, why no black box even now, after 10 years? Why not install one and make it directly accessible to consumers and law-enforcement officials, as GM and Ford have done? Why the delay, given that it would be in Toyota’s interest to have it there?
  • The discussion about EMC is not very convincing either. They should really explain how (or whether) the ETCS-I fail-safe mechanisms work under the EMI and ESD scenarios tested. From what is said, it appears that only normal operating conditions are tested, not failure conditions. For example, have one sensor fail (note that no DTC will be stored) and then introduce EMI/ESD.
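
To make two of the points above concrete (the independent failure assumption versus a common mode failure, and the unanswered single-point-of-failure question), here is a small fault-tree evaluator. It is an added example, not code from this post or from Toyota: the tree, the event names (including the hypothetical shared power supply) and every probability are constructed for illustration and say nothing about the real ETCS-I design.

```python
# Added example (not from the post, not Toyota's code): a tiny fault-tree
# evaluator used to make two of the post's points concrete:
#   * the "independent failure assumption" for a dual-ECU monitor, and what a
#     common-cause (common-mode) event does to the top-event probability;
#   * the "is there a single point of failure?" question, answered by finding
#     basic events that alone cause the top event.
# The tree, the event names and all probabilities are constructed for
# illustration; they do not describe the real ETCS-I.

from typing import Dict, List, Set, Tuple, Union

# A tree node is either a basic-event name (str) or a (gate, children) tuple.
Node = Union[str, Tuple[str, list]]


def evaluate(node: Node, probs: Dict[str, float]) -> float:
    """Probability of the event at `node`, treating basic events as
    mutually independent (the usual fault-tree assumption)."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    values = [evaluate(child, probs) for child in children]
    if gate == "AND":          # all inputs must fail
        out = 1.0
        for v in values:
            out *= v
        return out
    if gate == "OR":           # any one input failing is enough
        none_fail = 1.0
        for v in values:
            none_fail *= 1.0 - v
        return 1.0 - none_fail
    raise ValueError(f"unknown gate {gate!r}")


def basic_events(node: Node) -> Set[str]:
    """All basic-event names under `node`."""
    if isinstance(node, str):
        return {node}
    found: Set[str] = set()
    for child in node[1]:
        found |= basic_events(child)
    return found


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that, failing alone (all others healthy), make the top
    event certain: the size-1 minimal cut sets of the tree."""
    names = sorted(basic_events(node))
    spofs = []
    for name in names:
        probs = {other: 0.0 for other in names}
        probs[name] = 1.0
        if evaluate(node, probs) >= 1.0:
            spofs.append(name)
    return spofs


def common_cause_ratio(node: Node, probs: Dict[str, float], shared: str) -> float:
    """How much larger the top-event probability is with the shared
    (common-cause) event present than with it set to zero, i.e. than
    under the pure independent-failure assumption."""
    independent_only = dict(probs)
    independent_only[shared] = 0.0
    return evaluate(node, probs) / evaluate(node, independent_only)


# Hypothetical tree: the fail-safe is lost if BOTH monitoring ECUs fail
# independently, OR if one shared component that both depend on fails.
FAILSAFE_LOST: Node = (
    "OR",
    [
        ("AND", ["ecu_a_fails", "ecu_b_fails"]),
        "shared_power_supply_fails",   # hypothetical common-cause event
    ],
)

# Constructed per-drive-cycle probabilities. The shared-cause figure is the
# common-cause share a beta-factor model assigns for beta = 0.01, p = 1e-4.
EXAMPLE_PROBS: Dict[str, float] = {
    "ecu_a_fails": 1e-4,
    "ecu_b_fails": 1e-4,
    "shared_power_supply_fails": 1e-6,
}


if __name__ == "__main__":
    print("P(fail-safe lost) =", evaluate(FAILSAFE_LOST, EXAMPLE_PROBS))
    print("single points of failure:", single_points_of_failure(FAILSAFE_LOST))
    print("common-cause vs independent ratio:",
          common_cause_ratio(FAILSAFE_LOST, EXAMPLE_PROBS, "shared_power_supply_fails"))
```

With these constructed numbers the two ECUs failing independently contributes about 1e-8 per cycle, while a single shared cause at 1e-6 dominates the top event by roughly a factor of 100, and the shared component shows up as the only single point of failure. That is the gap between "each processor is reliable" and "the pair never fails together" that the independent failure assumption papers over.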

In summary, these are good technical presentations by Toyota and a good PR step to boot.  But ultimately they are unconvincing.


2 Responses to “Toyota says ETCS-I is infallible – Convincing?”

  1. nancy408 Says:

    Toyota & Honda dropped the ball on handling the recalls; they should have come forward with a full disclosure instead of waiting for a huge media blitz and tons of public pressure. But Toyota & Honda are not alone; I have never seen so many car companies having recalls all at the same time. I had no idea my car, which is not even a Toyota or Honda, was affected until I searched on http://www.carpedalrecall.com and found I had a bad Anti Lock control unit on my 2008 Pontiac G8. So be careful.

  2. The Toyota webinar I would like to see « Blog on Automotive Safety Says:

    […] Blog on Automotive Safety Just another WordPress.com weblog « Toyota says ETCS-I is infallible – Convincing? […]
