Wednesday, February 24, 2010

In Defense of ETC Part 1

When I get a chance to review Prof. Gilbert's report on how he fooled Toyota's Electronic Throttle Control (ETC) system, I will post comments.

For now, I'd like to take a few lines to defend ETC in concept.

ETC has some significant advantages over mechanical throttle linkages.

  • Fuel economy: actual throttle flow can be optimized based on operating conditions, and pedal position is used to infer driver intent.  For example, someone with a shaky foot can be "smoothed out". 
  • Mechanical simplicity, weight, and cost: Using ETC means you can get rid of the idle air control valve, throttle cable, and cruise control actuator.  Fewer things to break.
  • Robustness: ETC systems have built in algorithms for unusual conditions.  For example, the throttle plate can be shaken very quickly by the motor, as an "ice breaker", if the throttle plate is iced.  There are no cables to bind up or corrode, no exposed return springs to break.  The system has independent CPUs which monitor the throttle plate position and pedal position 100s of times a second, with fail-safe algorithms to shut the thing down if something unexpected happens.  ETC has redundant sensors, which are used to check that the information coming into the ECUs is reliable and self-consistent.  In a mechanical throttle system, the only failsafe is the driver's foot--if the thing is stuck, you pump it and pray it gets unstuck.
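To make the robustness bullet concrete, here is an added example of the kind of redundant-sensor plausibility check and fail-safe latch it describes. This is illustrative code written for this post, not Toyota's or any supplier's implementation; the channel layout (sensor A full-range, sensor B half-range), the ADC limits, the cross-check tolerance and the debounce count are all assumed values chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed channel layout for illustration (an assumption, not any
 * manufacturer's actual design): sensor A covers 0..4095 ADC counts over full
 * pedal travel, sensor B covers half that range, so the ECU expects B ~= A/2.
 * Different transfer functions mean a fault that hits both channels the same
 * way (e.g. a shared supply drift) still shows up as a mismatch. */
#define RAW_LIMIT_LOW    100u   /* below: open circuit or short to ground (assumed) */
#define RAW_LIMIT_HIGH   3995u  /* above: short to supply (assumed) */
#define CROSS_TOLERANCE  120u   /* max |A - 2*B| accepted as self-consistent */
#define FAULT_DEBOUNCE   3u     /* consecutive bad samples before latching a fault */

typedef enum { PEDAL_OK = 0, PEDAL_FAULT_RANGE, PEDAL_FAULT_CROSS } pedal_status_t;

typedef struct {
    unsigned fault_count;  /* consecutive implausible sample pairs */
    bool     latched;      /* set once a fault is confirmed; cleared only by a restart */
    unsigned demand_pct;   /* last validated driver demand, 0..100 */
} pedal_monitor_t;

/* Plausibility check on one sample pair; pure function, no state change. */
pedal_status_t pedal_check(unsigned raw_a, unsigned raw_b)
{
    /* Range check: each channel must sit inside its electrically valid window. */
    if (raw_a < RAW_LIMIT_LOW || raw_a > RAW_LIMIT_HIGH) return PEDAL_FAULT_RANGE;
    if (raw_b < RAW_LIMIT_LOW / 2u || raw_b > RAW_LIMIT_HIGH / 2u) return PEDAL_FAULT_RANGE;

    /* Cross check: the two channels must agree after rescaling B to A's range. */
    unsigned scaled_b = raw_b * 2u;
    unsigned diff = scaled_b > raw_a ? scaled_b - raw_a : raw_a - scaled_b;
    return diff <= CROSS_TOLERANCE ? PEDAL_OK : PEDAL_FAULT_CROSS;
}

/* One monitoring tick (called hundreds of times a second). Returns the throttle
 * demand the ECU may act on: validated pedal position in percent, or 0 (idle)
 * once a fault is latched. A single implausible sample holds the last good value
 * so that an EMI spike or contact bounce does not drop the engine to idle;
 * FAULT_DEBOUNCE consecutive bad samples confirm the fault and latch it. */
unsigned pedal_update(pedal_monitor_t *m, unsigned raw_a, unsigned raw_b)
{
    if (m->latched) return 0;

    if (pedal_check(raw_a, raw_b) != PEDAL_OK) {
        if (++m->fault_count >= FAULT_DEBOUNCE) {
            m->latched = true;
            m->demand_pct = 0;
        }
        return m->demand_pct;
    }

    m->fault_count = 0;
    m->demand_pct = (raw_a - RAW_LIMIT_LOW) * 100u / (RAW_LIMIT_HIGH - RAW_LIMIT_LOW);
    return m->demand_pct;
}

/* Runs a constructed sample sequence through the monitor: half pedal, one glitch
 * on channel B, recovery, then a persistent mismatch such as a worn sensor track.
 * Returns the index of the sample at which the fault latched, or -1 if it never did. */
int demo_sequence(bool verbose)
{
    const unsigned samples[][2] = {
        {2048, 1024}, {2048, 1300}, {2048, 1024},
        {2048, 1300}, {2048, 1300}, {2048, 1300}, {2048, 1024},
    };
    pedal_monitor_t m = {0};
    int latched_at = -1;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned d = pedal_update(&m, samples[i][0], samples[i][1]);
        if (m.latched && latched_at < 0) latched_at = (int)i;
        if (verbose)
            printf("A=%4u B=%4u -> demand %3u%% %s\n", samples[i][0], samples[i][1],
                   d, m.latched ? "(fault latched, throttle held at idle)" : "");
    }
    return latched_at;
}

int main(void)
{
    demo_sequence(true);
    return 0;
}
```

The design choice worth noticing is the debounce: the monitor distinguishes a one-sample transient (tolerated, last good demand held) from a sustained disagreement (latched, demand forced to idle until the next power cycle), which is the fail-safe behaviour the bullet describes. In the constructed sequence the single glitch at sample 1 is absorbed and the persistent mismatch latches at sample 5.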

Trial lawyers try to sow FUD (Fear, Uncertainty, Doubt) about "complex electronic systems", and throw out scary "what if" scenarios, to try to win cases and big money.  But engineers know that complex systems are designed, tested, and validated over many years before being released into production, and are tested for every conceivable failure.  ETC systems must be qualified under a range of temperatures and wide-band electromagnetic interference testing.  Failure modes, such as cut wires, broken sensors, damaged actuators, etc. are all tested using a process called FMEA (failure mode effects analysis).  FMEA was designed by NASA as a way to think through a system's reliability to pin down possible ways it could break; then tests are designed to validate the system under those conditions.

Is it possible that Toyota screwed up the FMEA, or cut corners, and has a dangerous-but-rare condition with their ETC system?  It is possible.  But given the excellence of Toyota's engineering, I would be surprised. 
