If something went wrong in the electronics control, …

… and no Diagnostic Trouble Code (DTC) were registered, did an error really occur?

Descriptions of the Toyota ETCS-I indicate that in some cases, a DTC is registered only if a sensor (like the Acceleration Position Pedal Sensor which has a redundant copy) AND an ECU (there are two redundant copies of these Electronic Control Units) fail.  If a sensor fails, but an ECU does not fail, a DTC is not registered.   The failure condition of the sensor ought to provide substantial information but the condition is not recorded resulting in substantial loss of valuable information.   If the DTCs are meant for repair and maintenance purposes, a secondary log that contains intermediate error states would be very useful as debugging aides.  This secondary log should also augment a more detailed event data recorder (“black box”).


