By on February 26, 2010

Key quote: “What I have done is, I have shown that in the fault detection strategy of the Toyota systems, there’s a window of opportunity where [an error] could occur and not be detected.”

Get the latest TTAC e-Newsletter!

98 Comments on “Dr. Gilbert Explains His Research Into Toyota Electronics...”


  • avatar
    Autojunkie

    Yeah I believe most of the media have been taking his test, shown on ABC News, and trying to show hoe UIE can easily happen. This was not his intention. His intention, all along, was to show that an error code would not produced when an error (open circuit, short circuit, voltage high/low, etc.) was induced into the vehicle’s PCM.

    While I will not defend Toyota for how they are handling this mess (or defend Washington for all of its posturing), I will state that the “voodoo” of automotive electronics are being used to scare the public because the mainstreamm media are reporting stories, like this one, incorrectly.

    • 0 avatar

      This fellow has done nothing more than place bubblegum over the sensor hole of a smoke alarm – he simply tested the vehicle until he discovered a way to stop the car’s ECM from recognizing a fault. I’m now of the opinion that this problem is more properly investigated by a statistician. I’d like to know the chances of 4 seperate wires doing the following on any given car at any given time; 4 bound wires developing a crack due to corrosion in a 3 to one year old car. 2 two of the wires gounding out through corrosion of exactly 200 ohms. 3. The third wire shorting out to a fourth wire that is powered. 4. all of this occuring while a vehicle is in motion at speeds greater than 20 mph. All the wires must stay shorted or grounded for 15 seconds or more. There should be no evidence of shorting or grounding after the event has occurred.

      I’ve invited the team of Kane and Gilbert to Canada to speak to our hearings – I’ll personally pay for them to stay in a hotel for 2 days and have said this publically on youtube.

  • avatar
    crash sled

    I don’t doubt the good doctor’s sincerity, but he’s manipulating the system to produce this “error”. We need to know the nature of these manipulations, in order to judge the probability of them occurring in normal usage, and their practical effects.

    You can add another million lines of code to the system and identify everything imaginable, sure, but that should be a response to a need, not an unrealistic expectation. To do otherwise is to introduce unneeded complexity to a system, and we all know where that leads us.

    I hope Toyota and Dr. Gilbert together write a paper on this. It’d be a good thing, and he’s got the opportunity to help the industry here, and be a focal point for our responsible advancement in drive by wire.

  • avatar
    Juniper

    And the beat goes on, a Corolla drove into a house this morning in Ga. Claiming UA
    I think Gilbert has shown the system does not trigger a fault and the failsafe system is lacking. He also says other manufacturers he has tested do trigger faults. If it doesn’t set faults the techs don’t know where to look, and like many others assume nothing is really wrong.

    • 0 avatar

      Expect EVERYBODY who drives into something (house, school bus, a group of nuns ) to be a victim of UA.

    • 0 avatar
      psarhjinian

      It probably was UA. Most people don’t intend to drive into houses.

      My wife didn’t intend to run our old Mazda into a pole when she suffered pedal confusion (in a manual, by the way), either.

    • 0 avatar
      Juniper

      So did you prevent her from driving until she attended an advanced driving school? I didn’t think so.

    • 0 avatar
      TexasAg03

      How long until someone in a non-Toyota vehicle claims UA caused an accident?

      There are many cases of people running into buildings due to hitting the wrong pedal. One 89 year old man in my hometown did it twice to the same Dairy Queen from the same parking space. By the way, he claimed he pressed the accelerator and, when the car wouldn’t move, he pressed it harder. The lot was angled downhill away from the restaurant, so there was no need to press the accelerator at all to back out. He had the car in drive BOTH times.

    • 0 avatar
      JohnAZ

      Unless Toyota’s ETCS can set a fault code in any of these situations, I don’t understand how they would know to hold (not overrun) the data in their Black Box for subsequent evaluation, other than if there was an air bag deployment while the ETCS was still failing.

  • avatar
    dougjp

    After ‘all this time’ and STILL insufficient information is being provided for us to know if his work is at all relevant in the real world. The guy can’t hardly put a sentence together and I’m thinking he must be intentionally NOT providing detail, so imagine that phone call to Toyota he made….

    Bottom line, it could be relevant or not, however the doubts about him increase by the day.

    OR, it could be mainstream journalism at work. Again.

  • avatar

    Note: In his written testimony, Gilbert says:

    “With the two APP sensor signals shorted together through a varying range of resistances, all four Toyota vehicles tested thus far reacted similarly and were unable to detect the purposely induced abnormality.”

    This is disingenuous and puts Mr. Gilbert’s electronic qualifications in question. Inducing a resistance into a circuit does not represent “a short.” A short is a connection of two points in a circuit through zero resistance (a wire break, chafed insulation, a bad connector etc.)

    Adding a resistance (as it has been noted before) is a tried and true way to fool an engine computer. The resistance changes the voltage sent by the sensor. It needs to be done intentionally. There normally are no resistance decades with banana clips rolling around in a car. Gilbert did not induce an abnormality, he tampered with the circuit.

    In Toyota’s testimony on Wednesday, Inaba said they replicated the same setup with several cars of other brands. They all reacted the same, they did not throw a fault code. Gilbert was paid for his “investigation” by Safety Research & Strategies, a company hired by trial lawyers.

    What Gilbert did is akin to a thief shimmying the lock of your house. Should you get arrested because the crook was able to shimmy your lock?

    Unless someone comes up with a better explanation, this will end like the Audi debacle: Nothing found.

    • 0 avatar
      criminalenterprise

      Audi still had a problem that it conclusively mitigated with the brake interlock.

      Until Toyota reflashes the ECUs with code for a brake override function they will continue to have problems with their customers and/or their cars. I don’t care if every one of their customers is an idiot who can’t drive. They should be able to stomp their idiot foot on the brake and have it cut off the accelerator.

      Any other fixes by Toyota seem eerily similar to Audi’s flurry of ineffective recalls and excuses. If you know your customers are stupid, make your car stupid proof.

    • 0 avatar

      EVERYBODY had that “problem” and everybody had to add the brake interlock, and later the “gear shift pattern” that drives me bonkers when I rent a car.

      I know this sounds harsh, but trying to protect every idiot from every conceivable and inconceivable idiocy is messing with Darwin and the gene-pool.

      I wear those hard contact lenses mentioned, and I have the cleaner with the red tip. After a really long night working on TTAC, even the red tip didn’t protect idiot Bertel from introducing a painful fault to his eye by way of some nasty lens cleaner. Well, I had my wits and a lot of running water … maybe I should have gone blind on one eye and sued Boston.

    • 0 avatar
      Mailbox20

      Brake override won’t prevent “pedal misapplication”. The best it will provide is some legal defense against a driver claiming “I stomped on the brakes with both feet and the car didn’t stop or even slow down”. And maybe only partial defense at that, now that Congress has unleashed the “electronic gremlins”.

    • 0 avatar
      TexasAg03

      I’m with Mr. Schmitt. I don’t think you should have to engineer for EVERY conceivable idiotic use of your product. I don’t know if it’s possible to do so.

      I suppose one could engineer a car that cannot exceed 75 mph, cannot corner with more than .5G lateral acceleration, and the stereo only goes up to 5.

      While we’re at it, let’s do away with irons that get hot (you can be burned by one); knives that are sharp (don’t want to cut yourself); and bathtubs (more children drown in tubs than are killed by accidental gun discharge).

    • 0 avatar
      Geeky1

      “A short is a connection of two points in a circuit through zero resistance (a wire break, chafed insulation, a bad connector etc.)”

      Shorts are not colloquially defined as having zero resistance. They may be considered as such in some cases for engineering purposes, but that is not the colloquial use of the term, as evidenced by Merriam Webster’s definition of the term:

      “a connection of comparatively low resistance accidentally or intentionally made between points on a circuit between which the resistance is normally much greater”

      The fact that he is (arguably, no less) using the term incorrectly carries little weight with me. I mean come on Bertel, the guy is talking to United States congressional committee for god’s sake. The combined IQ on that side of the room couldn’t have been over 40. I’m surprised that some of the representatives don’t have aides to carry drool buckets for them and remind them to breathe. Most of these clowns couldn’t tell a castle nut from a cylinder head if they were labeled and came with a tour guide and 1500 pages of supporting documentation. And you know, most of the time, when dealing with stupid people, it’s easier to just speak stupid to them.

    • 0 avatar
      criminalenterprise

      Slippery slope arguments are pointless here. No one is going to advocate that a product be made harmless under all circumstances.

      You can’t engineer a steak knife that can’t be misused to cut off a finger or stab someone to death, but if you are getting reports that an abnormal percentage of your customers are being injured while using your product, you’re obligated morally, financially and sometimes legally to do something about it.

      Toyota had a problem that was statistically noticeable and they chose to ignore it.

    • 0 avatar
      JohnAZ

      I may be wrong, but I (with 40 years experience in computer technology) would interpret a short as any connection between two circuits. ie. It could be a low resistance (0 Ohms) or higher. Implying Gilbert was a fraud because he used a variety of low resistance connections between two circuits seems to me to be just an intention on your part to discredit an honest man.

      What Gilbert did to the circuit to facilitate his test is not in my experience considered “tampering”. He was trying to induce a possible error in order to see if the computer would recognize it. A test of this nature is perfectly legitimate for it’s purpose. If he was interested in determining what would happen if there was a moisture induced short between two circuits, this would be a very legitimate method to find out. If he had hidden his method from Toyota, that would be totally different.

      It was very clear from Gilbert’s testimony that his initial testing up until he was able to reproduce the symptoms and report the test to NHTSA and Toyota was all on his own initiative. It was only after he also reported the results to Kane, that Kane provided a whopping $1800 to support his further testing. Your continued reference to Gilbert as a paid investigator, despite what he reported under oath, suggest to me that you are more than familiar with financial influences of your own.

    • 0 avatar
      crash sled

      John, Gilbert is a paid investigator, and it’s completely legitimate to make note of the fact.

      What’s illegimate is for that ABC story to come out as implying that he was something other than that, like he was all out there on his own. He has a duty and an obligation to provide that information. I realize that Dr. Gilbert is likely a noob, and unready for this scrutiny, but he should know better than to keep this hidden, until it was dragged out of him.

      I like how they attempted to mask it… “Gilbert was ‘commissioned’. Yeah right.

      Full disclosure demands that professionals disclose such issues. The very first thing he’ll learn, as he goes forward. Nothing wrong with making a buck, but don’t try to hide it. When an attorney asks me if I’m being paid, the answer is “yes” (left unsaid: “You got a problem with that, shyster?”)

    • 0 avatar
      CamaroKid

      Yes Dr. Gilbert is an honest man, who is being paid by lawyers who are suing Toyota and the information about what he did and how he did it is VAGUE at best.

      He is an honest man who holding his cards very close to his chest and is in a direct conflict of interest. If his goal is to save lives and prevent deaths why not share in detail what he has done? Why not publish the findings?

    • 0 avatar
      Steven02

      Bertel,
      You are a much better writer than electronics expert.

      A short circuit is not only a zero resistance condition, it is a low resistance condition. Using zero resistance would most often destroy circuitry. A short circuit allows the bypass of part of the circuit. It must have a lower resistance that the part of the circuit you are bypassing. Mr. Gilbert is correct in this.

      What Mr. Gilbert did is tamper with the circuit. You are correct about that. He is trying to find if there was a way to make the problem actually happen in electronics. He found a way that could happen. Cars have circuit boards like computer and are in far more hazardous conditions than desktop PC’s, but they have problems as well. Dust and moisture get into these systems, and the results could be interesting. He also introduced an abnormality that could happen.

      Finally, the comparison about a thief and your lock doesn’t really make sense. If the lock had a defect that could be present from normal use, you could probably sue the lock maker.

      I also think that this gives a good starting point for testing. This is a scenario that should be looked at. Maybe it is unrealistic, maybe it isn’t. It is absolutely worth investigating it. It is interesting that many other manufactures use opposing sensors so they don’t have the problem described here caused by a short.

    • 0 avatar
      Steven02

      crash sled,
      What do you think commissioned means? It means he was paid to look into it. I am not sure how that is hiding anything.

      From an online dictionary.

      commission: A fee or percentage allowed to a sales representative or an agent for services rendered.

      How is saying he was paid a fee for a service hiding anything?

    • 0 avatar
      crash sled

      Steven, when the congresscritters explored the “commissioning” of Gilbert, through questioning he and the shyster, they were both evasive, and the cash payment angle took a while to drag out of both.

      The ABC story? Not a clue of the payment angle. Just a humble college proffy doing good.

      Like I say, welcome to the big time, Dr. Gilbert. That disclosure stuff has to be settled up front, or it costs you credibility down the road. It has with him, as I’m sure he knows now.

      You must immediately disclose this information. Failure to do so, and down the road, you are in the hurt locker. As in, clients yank high-value contracts out from under your feet sorta hurt locker. Gilbert will lose in public opinion, perhaps no great loss, but unprofessional conduct has significant costs, always.

    • 0 avatar
      John Horner

      “I know this sounds harsh, but trying to protect every idiot from every conceivable and inconceivable idiocy is messing with Darwin and the gene-pool.”

      I am sick and tired of the gene-pool argument, which is an argument which says that such-and-such person deserved to die because they made a certain mistake. The death penalty seems a rather over-the-top punishment for the possible mistakes at issue.

      But even more so, the people killed in car accidents are often not the ones who made the error, if indeed human error was at fault. You have the passengers of the vehicle at issue plus the other people on the roads and sidewalks … not to mention inside the building which sometimes get hit.

      When a commercial airliner crashes due to pilot error do you cheer the “removal from the gene-pool” of the passengers on board?

    • 0 avatar
      Robert.Walter

      +100 Horner! I was nerved about how common this mis-application of evolutionary theory (even though I used it myself for people that partook in extra-risky activities, or didn’t use due-care), and so was gradually working up to write a rebuttal, but I think you covered it just fine with the innocent passenger example (and as one who was nearly killed in a roll-over, with my sister at the wheel (she having made a small error and poorly-over-corrected); I don’t think death would have been an appropriate punishment for either of us due to the error (duly investigated by the Michigan State Police, and pronounced due to poor maintenance of the roadway.)

  • avatar
    Billy Bobb 2

    But his homemade lab coat with the ASE patches was so impressive!

    Honestly, eff this clown. You do the same thing he did with two bent paper clips. And eff ABC TV.

  • avatar
    ExPatBrit

    Bertel.

    I agree with your first statement, a short circuit is a lack of resistance if you will.

    However an increase in resistance may be caused by corrosion and oxidation and would not be uncommon as a vehicle ages. Typically this would occur in electrical connections like sockets and plugs but might also include the solder connections on circuit boards. This is particularly true today with ROHS compliance which makes it more difficult.

    The trick is to design the system so that all the fail modes tend to shut down the correct items.

    • 0 avatar

      That’s why you have two sensors. And if they disagree: Limp home. At least that’s how it should be.

    • 0 avatar
      Sutures

      Bertel,

      The problem Gilbert was pointing out isn’t that the system can fail when the sensors disagree… he found that the system COULD fail if the sensors agree too much.

      As he stated in the original ABC video, the vehicle was already driving in a fault condition due to the senor signals being combined. This COULD be the difference in the manufactures, IF others add an offset voltage to the two sensors AND IF the other vehicles LOOK for that offset to allow a no-fault condition.

      What is the use of having two sensors if you allow a condition that the vehicle’s brain cannot distinguish that the sensors have been compromised?

      All that aside… I’m surprised no one has yet jumped on Gilbert for his call for more equipment/money at about the 2:20 mark in the video above (his win/win speech)… /sigh He needs to learn to shut up when he’s ahead. That, if anything, really tarnishes his credibility for doing the research for “academic reasons”.

  • avatar
    Contrarian

    Well, not to split hairs a true absolute short of 0 Ohms is only a theoretical concept since all materials, even superconductors, have some resistance.

    Also, a short is defined as an uncharacetristically low resistance where a higher one is typically found… Here’s Webster’s def:

    “a connection of comparatively low resistance accidentally or intentionally made between points on a circuit between which the resistance is normally much greater”

    Having said that, I absolutely agree his findings lack meaning.

    Also, it is a fact that software is never perfect – and never really finished. Finding an induced backdoor failure mode is not necessarily indicative of a dangerous condition.

  • avatar
    niky

    Not really hearing anything new. Basically he says that he’s found a way to create a short which the fault-detection system can’t detect, but hasn’t explained how he achieved it, except that he tested a wide range of different resistances before stumbling on it.

    The one burning question I would like to see answered is whether or not said fault can realistically be replicated by wear-and-tear and moisture damage.

    EDIT: missed a flurry of comments. Basically, I agree with Bertel. While a real short will have some resistance, the problem is that signal transfer between wires that are shorted together won’t behave in the same way as when they’re connected by a resistor that delivers a steady current.

    Resistors are the simplest and easiest way to fool any ECU, as a constant output falling strictly within normal ranges looks normal to an ECU. It’s one of the simplest tricks tuners use to get around that pesky powertrain control module emissions system…

    Whoops… did I say that out loud?

  • avatar
    a-viking

    This brings back my earlier comment about keeping things simple. There is simply no legitimate reason to substitute a simple throttle linkage with an electronic throttle. I am an electrical engineer and business owner and have wast experience with electronics under harsh marine conditions. Things fail, programs are buggy, EMI does happen. Gilbert’s simple analysis simply states that IF the throttle position sensor is compromised you will get actuation of the throttle. Heck I would say there are many more places for failure in such a system. Failure of the circuit from the TPS to the computer. Induces EMI into these cable (I bet they are not shielded all the way). Component failures within the computer. Failure on the output or driven circuit. EMI on the output wires. Failure in electrical motor that drives the throttle plate. Failure in the gearbox that drives the throttle plate.
    If any failure is to be considered critical, then the entire system should be designed to fail safe or better yet be completely redundant. Of course redundancy adds more layer of complexity.
    In cars there simply is no reason to replace the mechanical throttle and steering that makes sense, unless you absolutely have to have automatic radar/lase based cruise control or you are part of law-enforcement and would like to do a remote shut-down through On-Star of a fleeing car.

    • 0 avatar
      poltergeist

      There are many “legitimate” reasons for electronic throttle control. The primary one is the soon to be mandated (by the feds) use of “vehicle stability assist” in all cars in the US. If you retard ignition timing to contol power output from the engine (as had been done in the early days of VSA systems, you increase emmisions. So if you want VSA and low emmisions, electronic throttle control is the way to go.

    • 0 avatar
      Sutures

      Poltergeist beat me to it… yes, emissions and fuel efficiency are leading the use of electronic throttle control.

      For steering, if (big IF) a system could be made that was reliable and safe, there are many engineers who would be overjoyed. The current direct connection to the steering wheels causes many headaches in terms of packaging and liability.

    • 0 avatar
      Robert.Walter

      @aviking: I agree with you, but your “w” instead of “v” typo:

      “I am an electrical engineer and business owner and have wast experience with electronics,” reminded me of: “I am Elmer J. Fudd, millionaire. I own a mansion and a yacht.”

    • 0 avatar
      psarhjinian

      If any failure is to be considered critical, then the entire system should be designed to fail safe or better yet be completely redundant. Of course redundancy adds more layer of complexity.

      …which is really hard to do with a mechanical throttle linkage, and really easy to do with an electronic pedal.

      Believe it or not, there are less SUA incidents with ETCS than with throttle cables, partially because it’s much easier for a mechanical system to stick, but also because it’s hard to build sanity checks into something mechanical.

  • avatar
    CamaroKid

    Why does he steadfastly REFUSE to share what he did? Lots of mumbling about low resistance, fault detection and other stuff…

    Dr. Gilbert, which circuits did you short? at what resistance? with what voltages? Where did you splice the wires, is there any real world evidence that what you are proposing is true.

    Why doesn’t he explain ANY of this?

    There are only two reasons that I can see.
    One he is working for plaintiff attorneys and he has been asked to be as vague as possible so that the “details” can be a “Perry Mason” moment in court or
    Two, his is just that inarticulate. I mean can you imagine sitting through a lecture with this guy… They don’t make enough Red Bull.

    • 0 avatar
      JohnAZ

      I believe Dr. Gilbert is using very simple sentences for ease of understanding by members of Congress and Camaro fans.

    • 0 avatar
      Steven02

      Did you actually read the text of his statement? He says he shorted the sensors, and then applied the 5V power for the sensors to the same short. The only thing he didn’t give was the different resistance values that he used. One would think you would use a potentiometer to determine what resistances show the problem, and which don’t. You might need a few more granularity, but this isn’t rocket science. It is pretty much spelled out for you.

    • 0 avatar
      CamaroKid

      He spelled out NOTHING.

      Again, what resistance, which circuits, Where did he get the 5v from? How long has he ran this tampered pedal without an ECM error? minutes? seconds? days? Is this error even possible given the layout of the circuit board? How could such a short of mysterious low resistance actually occur? What is the equally mysterious voltage of just the right amount to get the car to take off? Where do you get that from? is that even possible? Do all cars he tested need the same resistance? or is that a variable thing too?

      I get that he is on Camera and feels the need to talk in short sentences… He is a rare PhD in that regard. Most PhD’s LOVE to go on and on and on about their research… this guy… Uhmm err ah if you trigger a “low resistance short” of unknown resistance between to sensors on undisclosed circuits and fed that “tampered” circuit with 5 volts (maybe 5volts who knows… None us for sure) (and I’ll keep the source of that current secret too…) After a while you kind of go… Is this guy making this up?

      He talks for over 3 minutes and he talks about “experimenting” without saying what he did. He talks about compromising the pedal without saying what he did. He talks about going to Washington without saying what he did…

      I also note that this is edited all to hell… Why? Why not show the entire clip? Who edited it? What are they cutting out?

    • 0 avatar
      DanM

      Steven02: Did you actually read the text of his statement? He says he shorted the sensors, and then applied the 5V power for the sensors to the same short

      This is actually a *very* common fault condition which is typically caused by a floating / high-resistance ground line which then causes the sensors to rail high (it’s much more common to have a broken / intermittent connection than a short). Just because the guy appears to be a yahoo doesn’t mean he hasn’t stumbled onto something meaningful. Give it time to play out …. or better yet: TTAC try the test; cut the ground wire to the Throttle and/or short the two throttle output lines to the throttle power line. It’d be interesting to see what happens.

      I believe most drive-by-wire throttle systems use redundant sensors with opposite polarities. i.e. ones is active-high, the other active-low such that a fault is immediate obvious.

      Yes, I’m an EE.

      //dan.

  • avatar
    Autojunkie

    Bertel,

    With all due respect, please let me clarify.

    I used to teach automotive electrical diagnostics in the OEM manufacturing plants (until I was laid off). What he did was a common test I used to perform myself to teach my students how to read a fault code and properly root-cause its diagnosis.

    What he meant by the “varying resistances” was the redundant pedal sensor circuits. Each range within 5-Volts with one starting high (about 4.5-Volts) and the other starting low (about .5-Volt). As the pedal is pushed, each sensor ciruit voltage changes based on the resistance created by the redundant sensors (potentiometers). When/if one sensor circuit falls out of range (voltage high or low) the system SHOULD automatically go into a limp mode, the MIL should illuminate, and a fault code should be induced. Shorting the two redundant sensor circuits together should also do this without question. It did not.

    What he did was short the two sensor circuits together, and moved the pedal through varios positions, thus the “through varying resistances” statement.

    I have worked, and currently work, with several people who know this professor and have been taught by him. He’s very smart. He is highly regarded in his field.

    And just to make things clear. The Toyota Tacoma he first tested was his own truck he purchased a few months before all of the controversy had begun.

    There is NO reason at all why Toyota cars shold not induce a fault with this test being done. I’m not even going to say it was intentional, but it is definately a horrible oversight that just opened the door for trial lawyers to write their own checks.

    • 0 avatar

      Autojunkie: Please read the written testimony. Here it is again: http://energycommerce.house.gov/Press_111/20100223/Gilbert.Testimony.pdf

      He clearly says ““With the two APP sensor signals shorted together through a varying range of resistances.” He mentions various resistance values several times in the testimony.

      If he means the resistance of the pedal then he shouldn’t be teaching, because he’s confusing his students.

      If you connect (o.k. “short”) two pins or points of a circuit (o.k., “signals”) “through a resistance” then you insert a resistor between these two points. At least where I learned electronics. When you short a circuit, there shouldn’t be a resistor in that “short circuit.” The commonly accepted definition of a short circuit is: “A short circuit is an abnormal low-resistance connection between two nodes of an electrical circuit that are meant to be at different voltages.”

      If he meant what you think he meant, then he should have said: “With the two APP outputs shorted together, all four Toyota vehicles tested thus far reacted similarly. As the accelerator pedal was moved through varying positions, the ECM was unable to detect the purposely induced abnormality.”

      He did not say that.

      However, he indicates again and again that he introduced a resistance into his circuit.

      Take this as a for instance:

      “Using shorted APP signal circuit fault conditions purposely installed on the test vehicles, and with known resistance values that would not set a DTC, vehicle operational behaviors were also noted. It was observed that all testvehicles could be operated without the ECM detecting the induced malfunction. Depending on the resistance value of the APP signal circuit fault, a vehicle may or may not experience noticeable changes in accelerator pedal operational behaviors.”

      He is clearly talking about “the resistance value of the APP signal circuit fault.”

      If he didn’t use resistors in his “short” then he shouldn’t confuse the reader with opaque language.

      As far as the sensors go, I am under the impression that they are Hall sensors, and not potentiometers, but that leads away from the basic argument.

    • 0 avatar
      Steven02

      Bertel,
      He did introduce lower resistance. That is the definition of shorting. A short doesn’t always mean zero resistance. It means lower resistance to bypass part of the circuit.

      The problem is that Toyota use similar voltages in the same slow to determine pedal position.

  • avatar
    VLAD

    If Dr Gilbert teaches future American automotive engineers, it explains why GM is desperately trying to hang on to Opel engineering.

  • avatar
    Autojunkie

    @ VLAD

    MANY of his students have gone on to work for the big 3. They’ve also gone on to work for Honda, Hyundai, AND Toyota (just to name a few).

    What do YOU know about automotive electronics?

    I don’t act like I know everything about your job? In fact, I have NO idea how to use a french fry fryer…

  • avatar
    ControlsGuy

    Thanks Dr. Gilbert for revealing the flaw in Toyota’s design.

    I know that the industry practice to detect and mitigate all “single points of failure” in a fraction of a second. To do this one has to use two pedal position sensors and have one read high volts at high pedal position and the other have low voltage at high pedal position. In this manner if either sensor or wire is compromised the implied pedal positition will be very different and can easily be detected and mitigated via failure mode management (limp home) software.

    Toyota CHOSE to have each of their pedal sensors have the same voltage sign. If the associated wires for these two sensor are connected together they will read the same value, which apparently corresponds to depressed pedal. The failure is not detected because similar voltages on the two sensors for a given pedal positions is expected with this design.

    It is difficult to know the actual probability that this can happen in reality, but it is a single point of failure and it is a big mistake. CTS, the supplier of this part, has several patents on the better design. They were contracted to build to Toyota’s stupid specification.

    Expect to see yet another recall on Toyota’s pedal sensor imminently to install the design everyone else uses. This also requires new software, which apparently can only be flashed into a subset of the Toyota ETC control modules. I know this because they stated in testimony that they are only installing brake pedal override software in a subset of ETC vehicles. The others would require a whole new module, which along with cost issues most likely would have a short and even medium term supply issue.

    • 0 avatar
      crash sled

      CG, that is as succinct an analysis as I’ve seen in here. Toyota’s pedal sensors may need to be flip flopped, if they’re out of industry standard.

    • 0 avatar

      Controlsguy: This is how I read it also. This is dumb. It also explains the following:

      “In addition, the shorted APP signal circuits were connected momentarily to the sensor’s five volt supply circuit with the vehicle in drive.
        
      In all test vehicles, the EDM did not set a DTC and the engine speed increased rapidly to full throttle.”

      Again, it suggests that there was a resistor in play. Without the resistor, the ECM would have seen the full 5V and should have gone into fault mode immediately.

      Guarding against a short to VCC and to GND is common practice.I would be amazed if they overlooked THAT. Guarding against a voltage induced through a resistor is a bit much, but your (commonly used) setup would recognize even that. Amazing that the good Dr. didn’t point that out.

    • 0 avatar
      Steven02

      Bertel,

      What you have suggested is that Toyota should only look for near zero shorts and not shorts that have some other resistance level. Dust, moisture, and corrosion don’t necessarily make near zero shorts.

      The point CG is trying to make is that opposing sensors would make more sense in this application because they won’t agree at every data point. You could have on sensor output between .5-2 volts. The other sensor could output between 4.5-3 volts. One goes up, the other goes down. They never agree on voltage for the same pedal position. In fact, you could have them overlap and still never agree on pedal position. In this case, a short between the sensors indicates a fault, not an accepted measurement.

    • 0 avatar
      mcs

      If I remember correctly, although the voltages from the sensors are the same polarity, I think they use different voltage ranges. Take a look at the recall documentation and the post-installation calibration procedure.

  • avatar
    criminalenterprise

    I enjoy a healthy dose of skepticism, but too much of what I’ve been reading here this past month or two devolves into crackling cynicism.

    Assuming the worst of everyone means you’ll usually see the worst in everyone. But it is a sad way to view the world and live your life.

    • 0 avatar
      Juniper

      I agree, I don’t really understand the heavy bashing of Gilbert. We have people posting on this site that know of him and that he knows what he is doing. Especially if you don’t have the technical background, back off.

    • 0 avatar
      John Horner

      The bashing you are seeing comes from a common industry insider’s perspective.

      “Company is good, customer is bad.”

      This is a common viewpoint of insiders everywhere.

  • avatar
    Steven02

    For everyone who says that he hasn’t said exactly what he did or says that he has refused to say it, read the text from congressional transcript.

    http://energycommerce.house.gov/Press_111/20100223/Gilbert.Testimony.pdf
    In addition, the shorted APP signal circuits were connected momentarily to the sensor’s five‐volt supply circuit with the vehicle in drive.

    That one sentence pretty much sums up what he did. He doesn’t say what resistance he used, but a potentiometer would do the trick to find out which ones he might have used.

  • avatar
    ControlsGuy

    Bertel said:

    “What he meant by the “varying resistances” was the redundant pedal sensor circuits. Each range within 5-Volts with one starting high (about 4.5-Volts) and the other starting low (about .5-Volt). As the pedal is pushed, each sensor ciruit voltage changes based on the resistance created by the redundant sensors (potentiometers). ”

    Bertel seems to know his stuff. Note he assumes above the sensors go in opposite direction “and the other starting low”, whic is the way everyone else I know of does it.

    I forgive Bertel for not knowing this, because it is non-standard, but Toyota does NOT do this. Dr.Gilbert started to say this sevral times in testimony but was cut off by people too ignorant to know he was getting to the punchline. But the below link to Toyota instructional material shows in figure 5 the problem. Two sensors with the same sign separated by a small voltage.

    This is a big mistake and could cause a sudden acceleration for a single point of failure; two wires touching each other.

  • avatar
    ControlsGuy

    Oops, references above to Bertel should have been to autojunlkie.

  • avatar
    ControlsGuy

    The link to toyota design material is here:

    http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

    • 0 avatar
      crash sled

      CG, I believe you that the Toyota pedal has parallel sensors, as opposed to the opposed sensors of industry standard, however your link takes me to some generic site, and not a nice dumbed-down wiring diagram. We like dumbed-down here on the internets.

    • 0 avatar
      Robert.Walter

      First indication to me that parallel sensors were employed was the common magnet geometries on the end of the pedal lever (the parts that pass by the hall sensor pyramid in the ePedal housing) … I don’t think I actually brought that up then (maybe I did and forgot about it, but) because somebody posted that there was inverted voltage … and so I kept quiet rather than make too many unsupported assumptions.

      Go back and look at Paul’s photos and you’ll see what I mean.

  • avatar
    Juniper

    Wow look at the response. Gilbert must be the most popular guy in Carbondale.

  • avatar
    Autojunkie

    @ CG
    Thanks for the recognition, but you’re right when you say that I “assumed” Toyota did it the way everyone else does it. Unfortunately for me I am ignorant to how Toyota does it. The more I see how they have been doing it, the more I see room for error.

    @ Bertel
    You’re correct and I apologize. It is a hall-effect, but I wrote potentiometer only because most people understand the concept much easier than a hall-effect.

    Regarding how he stated and performed his test procedure. You may be right as you have been able to spend more time disecting exactly what he said. Regardless of how you or I understand his test, a fault code SHOULD have been induced and the system SHOULD have gone into limp mode without hesitation. Without that it’s no wonder that Toyota would blame the cutomers and tell them they are lying. Toyota has no starting point to even verify the customer complaint.

  • avatar

    With all due respect to Professor Gilbert, he’s a glorified auto shop teacher. He’s not an engineer, nor does he teach engineering. He teaches people how to fix cars. If I was dictator there were not be 4 year college degrees in wrenching cars, nor PhDs in “automotive technology” (aka auto shop). I say that not to disrespect good technicians and troubleshooters but rather to disrespect our educational system. I looked at the curriculum of the program where he teaches. That’s not a college, it’s a vocational school.

  • avatar

    I have studied the document at http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

    Assuming that this is definitely how the Toyota system works (the document is on a Dutch site that seems to be targeted at auto technology teachers) then the two Hall ICs (Fig 4) do not provide inverted signal voltages as other manufacturers do.

    However, the two Hall ICs (in this schematic) do NOT supply identical voltages. The text says the Hall IC “converts the angle of the depressed accelerator pedal into electric signals with two differing characteristics and outputs them to the Engine ECU.” It doesn’t say more.

    The accompanying illustration shows two output voltages in relationship to the accelerator pedal depressed angle, VPA and VPA2. These appear to be the output voltages from two separate Hall sensors. There also are two not defined EPA signals, EPA and EPA2, in addition to VCP and VCP2 (also not explained, the assumption is that these are the pins for the reference voltage.)

    VPA starts at approximately 0.8V for pedal not pressed and ends at approximately 3.6 V for WOT. VPA2 starts at approximately 1.6V for pedal not pressed and ends at approximately 4.4 V for WOT (this from looking at the drawing, no guarantees). There appears to be an offset of 0.8V between VPA and VPA2.

    While it is true that inverted signals (i.e. VPA going from 0.8V for no pedal pressed to 3.6V for WOT, and VPA2 going from 3.6V for no pedal pressed to 0.8V for WOT) would be more robust, the current setup as shown serves the same purpose. As long as VPA and VPA2 are 0.8 V apart, and as long as VPA is not less than 0.8 V, and not more than 3.6 V, and as long as VPA2 is not less than 1.6V and not higher than 4.4 V (which would indicate a short to GND or the supply power) all is well. If VPA and VPA2 are not 0.8V apart, then there is reason for alarm.

    If Dr. Gilbert shorted VPA and VPA2 without an intervening resistor, VPA and VPA2 would read the same and the ECU should register a fault. If it did not, then there is a software problem. If Dr. Gilbert introduced a resistor that produced a voltage drop of 0.8V between VPA and VPA2, the ECU would see nothing untoward.

    If Dr. Gilbert connected the full 5V to VPA and VPA2, then the ECU should have assumed a short to supply voltage and should have registered a fault. If he applied the signal through another resistor that dropped the 5V to 4.4V on VPA2 while a resistor in the “short” between VPA and VPA2 produces a 0.8V drop to VPA, then the ECU would see a valid request for WOT and would have no cause for alarm.

    Bottom line: If the above holds true, the system can be fooled with some alligator clips and two resistors. This must be done deliberately, with the exact resistor values. This is not a fault that happens by itself.

    If no resistors were used, there clearly would be a design fault: A short between VCC, VPA and VPA2 is conceivable, for instance, in form of a malfunctioning Hall sensor unit. A real short between VCC, VPA2 and VPA would cause acceleration, if the ECU does not detect a short condition. It requires that the ECU does not protect against a short against ground or VCC, which would be a glaring omission.

    IF I would have detected something stupid like this, then I would have said this in the opening paragraph of the written testimony in bold letters.

    All assuming that the Dutch document reflects the true setup. Not knowing the function of EPA and EPA2, we cannot comment.

    Bottom-bottom line: We don’t know.

    • 0 avatar
      crash sled

      Another doggone good and simple write up. Thanks, Bertel.

      So the status of this issue is not quite as cut and dried as you and I thought, ControlsGuy.

      I have one noob question, Bertel. Why would the opposed sensors be more “robust”?

      I’m disappointed that Dr. Gilbert isn’t being more forthcoming, as some of the methodology unknowns that Bertel’s presented here require firm answers. And they don’t require Toyota, GIlbert could provide them, right now.

      It’s been days now, isn’t it time you put it all on the table, Dr. Gilbert? Publish a simple design verification schematic, showing your test method and means. Because if you’ve used 2 (two) resistors, synchronized to apply a precise voltage delta, as well as intervened into the system in 2 (two) places, this isn’t a “short circuit”. It’s a significant manipulation, and I have some concerns with what you’re pressing here. I’ll let the electronics experts fight it out, but I am certainly curious as to their fight.

      EDIT: And if all he did is to hotwire between those 2 pedal wires, and he did nothing more, and it took him 3.5 hours to do it, then he really is just a shop teacher. There better be more to this than that. But if there is more to it, then it gets into the realm of “significant manipulation”. I think I smell a rat here.

      EDIT 2: I’m guessing that we could take any vehicle on the road, with parallel or opposed sensors, and using 2 synchronized resistors, I could trick the system into believing all was fine, just as Gilbert did with this Toyota. Correct?

    • 0 avatar
      CamaroKid

      @Bertel Schmitt
      By far the best post of the thread.

      It nicely explains much of what Dr. Gilbert is mumbling about and it nicely explains why Dr. Gilbert is mumbling (and NOT documenting his work). If we knew the total resistance of VPA1 and VPA2 we could calculate what this mystery resistor value is.

      Long and the short (pun intended) of it. The good Doctor’s work proves nothing.

      We still don’t know.

  • avatar
    ihatetrees

    In Toyota’s testimony on Wednesday, Inaba said they replicated the same setup with several cars of other brands.

    For the truly amoral trial attorney, there’s lies opportunity. (N.B. GM – via Uncle Taxpayer – has very deep pockets.)

    It’d WOULD be interesting to historically chart NHTSA UA reports by make/model vrs the number of such make/models on the road.

  • avatar
    crash sled

    OK, since I’ve discovered I’m driving a 2008 Toyota Tacoma deathmobile, complete with the
    deadly pedal sensor system, I’ve researched this a bit.

    For my 4-banger, from the OEM manual, here’s the pedal
    inspection writeup, including the required voltage range spec:
    http://www.customtacos.com/tech/files/05FSM/data/ileaf/06toyrm/06toypdf/06rmsrc/rm2006ta/00601210.pdf

    The acceptable released/depressed voltages are given as
    a range, not sure this is good, bad or indifferent, but
    it may be worth noting. Bertel’s numbers seem to fit
    within these ranges.

    Here’s the engine control scheme, see page 95 for the pedal sensor to ECM detail:

    http://www.customtacos.com/tech/files/05FSM/data/ileaf/06toyewd/06toypdf/ewd/2006/tacoma/h/em01d4.pdf

    The 2 sensors appear to be working in parallel, as has been implied.
    (I am curious as to what the dotted line between VPA and VPA2 implies.)

    • 0 avatar

      Crash sled: Thank you for the data. Now we know what EPA and VCPA are = the two ends of the (theoretical) pot (which is actually a Hall sensor, if I’m informed correctly.) VPA is the output of the theoretical “wiper”. Standard voltage divider stuff.

      Don’t know what the dotted line is, I assume it denotes some mechanical linkage between the two theoretical “wipers.”

      On the acceptable ranges, I don’t want to comment without knowing the setup intimately. An acceptable 5V would be disconcerting, because it would not allow the ECU to differentiate between a valid reading and a short to VCC (Or VCPA as it is denoted here.)Injecting 5V into VPA definitely would be beyond the acceptable 4.5V range.

      What IS interesting is that these signals appear to be available at the OBD connector. Therefore, they are readily available to an Event Data Recorder. As demonstrated by Toyota’s own “Intelligent Tester,” evaluation of the raw data is no witchcraft. By connecting a data recorder to the OBD connector one could literally record hours worth of data, given enough (cheap) memory. An honest to goodness short, followed by an open throttle and an increase in engine speed would jump off the data list immediately

      The secrecy surrounding the Event Data Recorder becomes less and less understandable.

  • avatar
    Steven02

    Thanks for the documents guys. Now, I think I have read the information that will settle this once and for all.

    Again, from the same document that has been referenced a few times…
    http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

    On page 7, it actually gives ranges for sensor readings. When Bertel posted that there should be a .8V difference, I thought to myself, that would require very very very accurate equipment in a very low noise environment to have a prayer for working. So, I read more of the document to see how large the fluctuation could be from .8V. What I found is actually quite surprising, it is the data on page 7.

    accelerator position no.1
    min. 0 V, max .5 V
    0.5 to 1.1 V pedal released
    2.6 to 4.5 V pedal fully depressed

    accelerator position no.2
    min. 0 V, max .5 V
    1.2 to 2.0 V pedal released
    3.4 to 5.0 V pedal fully depressed

    The problem is that if they are shorted, and applied voltage is between 3.4V and 4.5V, it looks to be an acceptable condition of fully depressed. This does NOT require precise resistors. This is a decent range here.

    Looking at this now, this is a very very very bad design. Interestingly enough, there is no overlap at idle, but there is a large overlap at fully depressing the pedal. This might be a red herring and have nothing to do with the problems of UA, but this design should be reworked.

    • 0 avatar
      crash sled

      Yeah, Steven, but those values are the acceptable voltage ranges for a pedal maintenance inspection, aren’t they?

      The ECM can still apply Bertel’s “check for a 0.8V delta and show a fault if it’s lost” logic, can’t it?

      I’d agree with your ideas that noise might be a complication to reading these values.

      I see the potential concern about the voltage overlap, but I’d like to understand this better. And, I still don’t understand why the opposed system is considered more robust, and a presumed industry standard. I’m sure these are simple questions for the electronics folks, but I’d appreciate some help with these understandings.

    • 0 avatar
      Brian P

      Having the sensors operate in opposing directions addresses the possibility of a “common mode fault”; i.e. some phenomenon which causes a sensor of this design to give an erroneously high or low signal. If the signals go in opposite directions then a common-mode fault that causes both signals to go high will be detected, and a common-mode fault that causes both signals to go low will be detected.

      This isn’t necessarily the only way to achieve redundancy, though. Another way is to use a plain ordinary microswitch contact at either end of pedal travel. If pedal position switch shows accelerator “off” and the variable-resistor (or whatever) doesn’t agree … instant fault. If the pedal position switch shows accelerator “floored” and the variable resistor doesn’t agree … instant fault. If the variable-resistor shows a mid-travel position and the microswitches haven’t changed state … instant fault.

    • 0 avatar
      Steven02

      Crash,
      No, it can’t work that way. First, saying it is .8V means that basically noise has to be reduced to nearly nothing in this environment, that would be quite hard to do. There has to be some fudge room because not every sensor will put out the exact same voltage.

      Besides, how are the inspection numbers useful in the slightest bit if the ECM will put out errors on sensors that are putting out a acceptable condition. The ECM MUST to be accepting these values as inputs.

      Also, I don’t think the .8V static value makes sense. Look at the acceptable ranges of values on the sensors. The ranges have different total ranges. 4.0 V for sensor 1, and 3.8 V for sensor 2. This suggest that sensors might actually increment at slightly different slopes. My guess is that the ECM will look to see if the sensors are within an acceptable range of each other to determine if a sensor is bad.

      Guys, this is a bad design.

    • 0 avatar
      crash sled

      Steven, if there’s noise, does it affect both sensors in parallel, and in like manner? And if it does, can we infer that the speculated 0.8V delta maintains through the noisy environment? I can’t comment on whether that increment has true value, or is even Toyota’s strategy here.

      The sensors aren’t binary, as the contact switches Brian mentioned above would be. The sensors have to have an operating range, as listed in the inspection process. The ECM is using some unknown portion of that operating range, in some unknown way. The inspection numbers are useful in determining whether the sensors are functional, for the ECM to do its thing, but that’s about all I’d guess we can infer from those values.

      I agree the 2 sensors’ individual outputs are likely read and used in slightly different increments, but this may be a feature, not a bug. The fact that these sensor outputs report and are used at different slopes may be as useful to segregating these 2 sensors from external influence as reversing the polarity of the 2 sensors, the industry standard you mention, no? Does this concept remove these sensors from the “common” category, and thus remove them from the “common mode fault” that Brian mentioned?

      I’m asking more questions than answering, I know, but this ain’t mah thang. We’re trying to reverse engineer what Gilbert’s done here, and we have neither his test procedure nor Toyota’s control strategy in hand.

    • 0 avatar
      Steven02

      crash,
      Noise does not effect both sensors equally. Minute differences such as where they are placed on the circuit board to the location of noise that is being generated effects this. Now, Toyota does have some capacitors on the design, which should help but not eliminate noise. This goes to my point that a static .8V difference isn’t achievable because of noise, but also because no 2 sensors will give the exact same voltage of the life of the sensor. So, there is a big of a fudge factor here. You have to read one sensor, read another, and see if they are reading close to the same thing (as in pedal position, not voltage). If you reverse the polarities, you have to do the same thing, read sensor 1 and 2 and determine if they match. In the case of Toyota, this might be all that they do. They may not do a voltage offset check because reading the sensors for pedal position essentially does the same thing. Besides, it is all speculation that the ECU is actually doing a delta voltage check at all. I mean, it does when it would check pedal position and use the fudge factor I am talking about, but with the large full pedal pushing range, they aren’t necessarily doing it there. An assumption that they are checking for a delta voltage at full pedal is very much an assumption. All we can be sure of is the documented data on voltage outputs of those sensors.

      I am not sure where you think that I said the sensors are binary. I know they are not. They put out a voltage based on a pedal position. You will have to explain to me where you think I said or implied they are binary.

      I don’t understand how you can say that the acceptable values for testing mean that they won’t be understood by the ECU and are only for testing sensors. How can they test if a sensor is bad then? I mean, the test would absolutely have to be voltages that were acceptable. If these weren’t the acceptable voltages, why not publish what the acceptable voltages for the ECU are and actually test on those?

      I didn’t say it was a bug that they have different slopes. In fact, I think it is a good idea that they do this. But it also means that the .8V static WOULD NOT APPLY. You would have to calculate a different voltage check at different positions to make sure the sensors were functioning correctly. It might be .8V, it might be .5V. But, this again is mostly done by just interrupting pedal position and assuming it is correct. The real question is, what is the logic to test the 100% pedal position? How much fudge factor is there? Is there a delta voltage check at all if both read full pedal? I agree we don’t know everything that Toyota is doing here. But the behavior of the sensor voltages opens up the system to fault conditions that don’t appear to be detected, according to Gilbert.

    • 0 avatar
      crash sled

      Stephen, yeah, Gilbert has made a lot of claims here, none of them substantiated. We don’t know what he did. Still.

      From the tone of your previous post, you seemed to be inferring that the sensor inspection values told us something of Toyota’s control strategy, and it really doesn’t, imo. The inspection protocol for the sensors confirms whether they are functional, in a given range. That is all. I daresay this is a common practice, in my experience.

      However, that inspection and its values tell us nothing of Toyota’s control strategy, or how those sensor ranges are utilized within it. Presumably, they’d be using only a portion of that sensor’s functional range. That is all we know right now, as Toyota hasn’t published this strategy or code, to my knowledge. You can’t infer anything more, as to that strategy, in my opinion.

      We’re speculating that the sensors report in different increments, and on different slopes, but that too is speculation, when you get right down to it, at least for the fully depressed mode, which seems to have a voltage range overlap between the 2 sensors.

      The “industry standard” angle is a good evenue for exploration, however. Not sure about CTS, but Denso is a big company, big enough to get in trouble with the SEC anyways. Do they utilize this parallel sensor strategy throughout the world? Does anybody else use it?

    • 0 avatar
      Steven02

      crash,
      I don’t think you quite understand electronic sensors. If Toyota is putting out information that sensors can read between these ranges different ranges, it HAS to mean that those ranges are expected and used. After all, the ranges are all from valid pedal positions, from fully depressed to not depressed. It would be different if it said that the range of the sensors are X and Y volts. That isn’t what they said. They gave sensor ranges at different pedal positions. So, unless the full range of pedal positions is not an acceptable to the computer, you can take the data and know the computer will accept these ranges.

      For the record, Gilbert has said what he did. He didn’t say the exact resistance on the reports, but I bet he did tell them to Toyota. But, with sensor ranges being so close together, and in some cases, overlapping, it doesn’t take a genius to figure out that this is possible to do. I guess we should throw out Consumer Reports because they don’t give the exact numbers for their ratings. Of course you shouldn’t. If this was such a big deal, the exact resistors used, why doesn’t Toyota come out with the details and say why it is BS?

    • 0 avatar
      crash sled

      “They gave sensor ranges at different pedal positions. So, unless the full range of pedal positions is not an acceptable to the computer, you can take the data and know the computer will accept these ranges.”

      Steven, I think we’re saying the same thing, with the exception that you seemed to be implying that these inspection values give some indication of Toyota’s comprehensive control strategy, and it really doesn’t. It just confirms the sensors are functional, within those ranges. Sorry to be a tight-ass engineer, but that’s what they pay me to be. We know what we know, and the rest is unknown. We can’t guess or bet on it.

      And no, Gilbert hasn’t told us what he did. That’s been the whole point of this discussion, everybody’s been trying to figure out what he did. Where he cut in, whether he used one or 2 resistors, or none, or maybe a transistor, or maybe just whacked that system with 5V direct, as he first seemed to imply.

      Toyota has disparaged Gilbert’s exercise, if you notice. I wouldn’t expect them to hit that too hard as it makes no sense for them to do so, but we on the outside certainly can. If you throw something out on the table, unverified, undocumented, and it’s been 7-days, then you are a charlatan. Sorry, Dr., but absent support, you are just a shyster’s shill.

      As of now, here’s the status of this, as far as I can see:

      1. We don’t know Toyota’s control strategy for this system (and terminal point locations and voltage ranges are not strategy).

      2. We don’t know what Gilbert did, or didn’t do.

      Somebody somewhere needs to start filling in the above gaps. Nobody has to this point, certainly not this Gilbert guy.

    • 0 avatar
      Steven02

      You aren’t the only engineer on here. While I agree that we don’t have Toyota’s design control in front of us, the data we do have does show some flaws. The acceptable range of the sensors overlaps. There is the possibility for having overlapping voltages causing problems. The design is bad. The design allows for a double high failure that Gilbert is inducing.

      Toyota has been able to reproduce this issue now.
      http://money.cnn.com/2010/02/23/autos/Toyota_recall_hearing/index.htm
      Of course they say it isn’t a valid test. I would expect no less from them with lawsuits pending. But they also don’t say what they did to recreate it.

      IMHO as an engineer, this is a bad design that should be looked at. It might not be causing the issue, but if the board has some corrosion, signals could short, problems could be had. Saying we don’t know how Toyota is handling this is a weak argument. Given the acceptable ranges vs. pedal position that is described, Toyota MUST be able to deal with these ranges. They are valid inputs. Could you give me an example of how Toyota could accept the inputs full range and be able to detect a double high fault?

  • avatar
    crash sled

    By the way, as somebody above mentioned that Dr. Gilbert owns a Tacoma, and is an enthusiast, he was likely viewing the exact same OEM manuals and data that we all just looked at. He certainly would have had the above voltage range values in hand long before he ever approached this pedal issue, because he’s a geek, and every shop kid in the class has access to bootleg OEM stuff like this.

    Now, does that confirm that he rigged up a flawed and contrived experiment? No, but I’d still like to see his procedure.

    I’d also like to see Toyota’s black box reader, as Bertel mentioned.

  • avatar
    tomf

    I don’t see consistancy of NHTSA complaints if this is the problem.
    The Corolla has and approximate 425% higher NHTSA complaint rate for SUA than the Camry from 2005 thru Feb 3 2010 according to stats from edmunds(adjusted for sales volume)
    http://www.autoobserver.com/2010/02/toyota-leads-in-nhtsa-unintended-acceleration-complaints-edmundscom-analysis-shows.html

    The 4cyl/V6 model mix of the Camry is 90% – would be very surprised if Toyota is not using the same pedal sensors.
    The Corolla and Vibe are consistant/close SUA complaints -also are within 15% of Ford Escape SUA complaints(adjusted for sales volume).

    Lexus ES350 NHTSA complaints are 1000%+ more than the Corolla when adjusted for sales volume and launch date.

  • avatar

    Update:

    Autoguide says that Toyota contacted Gilbert. Gilbert said he did not use a resistor, he used a TRANSISTOR for crying out loud. No transistor was mentioned in his testimony. Introducing a transistor would put the matter on the same hoax level as the 60 Minute Audi scandal, and the NBC exploding gas tanks. Now, it’s ABC’s turn.

  • avatar
    Kiwi_ME

    I have to wonder what the point of asking for comments is when my input does not appear after several days.

    Kiwi_ME
    February 26th, 2010 at 6:46 pm
    Your comment is awaiting moderation.

    My interpretation of Dr. Gilbert’s preliminary report is this:

    (a)He showed that the backup Hall sensor output (the higher output of the two) could be within about 20 mV of the main sensor …

  • avatar
    autonewb

    The preliminary report from Dr. Gilbert is found here http://www.safetyresearch.net/Library/Preliminary_Report022110.pdf

    • 0 avatar
      crash sled

      Well good, we finally shamed the good doctor into posting this.

      While I was troubled by his use of “variable resistance” in his induced short circuit, as I’d agree that this seems contrived, he did produce some results that require some follow-up from the B&B of our electronics crowd:

      Several different combinations of trials were made before discovering that when VPA and VPA2 were shorted together, with an undetectable resistance, and a connection was made from either VCPA or VCP2 to the VPA2 circuit only – both VPA voltages would rise together in unison. As a direct result of the connection to the VCP 5 volt supply circuit, the ECM responded by opening the engine’s throttle. Surprisingly, the ECM was repeatedly unable to detect this serious circuit fault abnormality.”

      Here, the doctor shorted VPA and VPA2 with an “undetectable resistance” (say like with tin whiskers for example?), and no fault arose. If he’d done this with a variable resistance, synchronized to maintain the proper voltage delta, I’d argue with his results. But if this is truly an uncontrolled short…..?!

      Also, this is troubling:

      “In addition, the shorted APP signal circuits were connected momentarily to the sensor’s 5 Volt supply circuit with the vehicle in drive. In all test vehicles, the ECM did not set a DTC and the engine speed increased rapidly to full throttle. This result shows that unusual or sudden unintended acceleration of the vehicle was possible in the ETC test vehicles.”

      If a 5V surge didn’t set a fault, a value outside at least one sensor’s normal test range, that’s very troubling.

      The doctor’s plotted data shows voltages for the 2 sensors operate in parallel, not on different slopes, so a voltage delta can’t itself be used as a back check for a potential fault condition. This is troubling, as it removes a validity check from the process. I agree with Gilbert, I’d use another strategy here.

      Toyota claims they rigged up other OEM’s vehicles and they did the same things, and I have no reason to doubt them. Much as existence/absence of brake override is scattered randomly throughout the fleet, I suspect control strategies are scattered likewise. Gilbert opens up the discussion here, and I still think he’d do well to work up a paper with Toyota, and sort through this drive by wire challenge. I suspect it’s gonna cost the entire industry though. Fine. Better now, then wait ’til our steering and brakes and everything else goes over to an artificial unintelligence.

    • 0 avatar
      Steven02

      Thanks for finding the document autonewb.

      For everyone saying that he hasn’t told what he did yet, this was published the day before the ABC interview. (At least the day on the ABC website that has the story).
      http://www.safetyresearch.net/toyota-sudden-unintended-acceleration/

      crash,
      I think the variable resistance means he tried different resistances for different tests and probably used a potentiometer for this. As in, make a change, test. Make a change test. I think he put that in because he wasn’t changing out resistors, but using potentiometers to do this.

  • avatar
    crash sled

    Steven, no, Gilbert’s paper wasn’t published on that shyster’s SRS website you linked to, because I went there when this was all going down last week, and it was blank. And it didn’t show up on the House committee’s website, as one of Gilbert’s documents. He’s been reticent to publish this, for some unknown reason. Which is strange, because he seems to have some supportable points, and it does raise some interesting questions, to me and the noobs at least.

    I suspect the electronics experts are still digesting this, and will have a response to it eventually. I agree with Bertel’s idea a bit earlier, that if he had zapped that system with a clean 5V, and it failed, he woulda put that up front in his testimony, in bold letters. That’s what makes Gilbert’s reticence so confusing here.

    • 0 avatar
      Steven02

      Well, I don’t know if you didn’t see it on that site, but here is a link saying it was up there at least by last Thursday morning.
      http://priuschat.com/forums/gen-iii-2010-prius-technical-discussion/76885-gilbert-report-accelerator-weakness.html

      Here is another link, check the comments section on Thursday.
      http://spectrum.ieee.org/riskfactor/computing/it/us-national-highway-traffic-safety-administration-has-no-ees-or-sw-engineers-working-for-it

      The document is dated 2-21. 2-22 is the ATT report. 2-23 is the hearing. 2-25 is the date on the links from other websites that show people talking about them. I don’t think there is any reluctance to him doing this at all. I think we did a bad job of looking for the report.

      I also disagree that he has tried to hide anything. I mean, what proof that we have that, if the document publication was delayed, that he was the one doing it. After all, he submitted the report to congress on the 23rd. It is on the congressional website here.
      http://energycommerce.house.gov/index.php?option=com_content&view=article&id=1903:response-by-toyota-and-nhtsa-to-incidents-of-sudden-unintended-acceleration&catid=133:subcommittee-on-oversight-and-investigations&Itemid=73

      Again, I didn’t look at all for the links, so I don’t know when they were officially up, but it was by the 25th for the SRS website.

      Regardless, Toyota may have a few more problems with this yet.
      http://money.cnn.com/2010/03/03/autos/Toyota_complaints_after_fix/index.htm
      http://www.msnbc.msn.com/id/35690247/

      Some news outlets are reporting that the NHTSA has received reports of “fixed” Toyotas still having some UA issues.

  • avatar
    kenowen1

    A short is nothing more than a path from one circuit to another. If the impedance of one affected is 1 megohm then a path of less than that that that interrupts the normal signal is a short. With a 5 volt logic of a TTL signal it will be below a milliamp of current.

    40 year of electronics!

  • avatar
    kenowen1

    There appears to be two problems:
    1. Unintended accelerations and anomalous behavior.
    2. Cruise control engagement problems.

  • avatar
    kenowen1

    Don’t know what the dotted line is, I assume it denotes some mechanical linkage between the two theoretical “wipers.”

    Dashed lines show that mechanically they are connected in motion, no electrical connection.


Back to TopLeave a Reply

You must be logged in to post a comment.

Subscribe without commenting

Recent Comments

New Car Research

Get a Free Dealer Quote

Staff

  • Authors

  • Brendan McAleer, Canada
  • Marcelo De Vasconcellos, Brazil
  • Matthias Gasnier, Australia
  • J & J Sutherland, Canada
  • Tycho de Feyter, China
  • W. Christian 'Mental' Ward, Abu Dhabi
  • Mark Stevenson, Canada
  • Faisal Ali Khan, India