By on February 18, 2010

At the Wednesday press conference in Tokyo, Toyota slipped in the remark that they “will more actively use on-board event data recorders, which can, in the event of a malfunction, provide information necessary for conducting such activities as technological investigations and repairs.”

This remark was widely overlooked. It should not have been.

Five days before, the Wall Street Journal had written:

“The safety problems that have engulfed Toyota Motor Corp. are focusing renewed attention on one of the most controversial components in an automobile: the black box. The box, officially called an “event data recorder,” is a small, square, virtually indestructible container akin to those found on commercial airplanes. Tucked inside the dash or under the front seats of most newer vehicles, it records vehicle and engine speeds as well as brake, accelerator and throttle positions and other data that can help determine the causes of accidents.”

If there had been such a black box in the Toyotas that crashed, it would have been easy to read out whether the foot was on the gas or on the brake. Guess what: Toyota has this box. It had been in many of the crashed vehicles, says the Wall Street Journal:

“Toyota, like Japanese peers Honda Motor Co. and Nissan Motor Co., has a proprietary black-box system, and it says the data it collects isn’t intended or capable of accident reconstruction because it is only recorded for a short duration—about one second. The system mainly monitors the performance of a vehicle’s safety devices, such as air bags, seat belts and, in some cases, throttle application. Toyota says there is no rule or legislation that requires otherwise until a new NHTSA rule comes into effect later in the decade.”

One would think that Toyota is poring over the contents of its data recorders to prove that nothing more serious than a loose carpet or a missing metal shim creates mayhem in their cars. Instead, Toyota seems to have strange troubles with its proprietary system, as chronicled by the Wall Street Journal:

- On Nov. 27, 2009, 55-year-old Barbara A. Kraushaar drove through three Auburn, NY, downtown stoplights at high speed and crashed into another vehicle, killing its driver, Colleen Trousdale. Says the WSJ: “According to the Auburn police, an investigator from the National Highway Traffic Safety Administration arrived in town and took the Camry’s data recorder, saying he planned to take it to California, where Toyota has its U.S. headquarters, so their expert could download the data.” Auburn Police never heard from Toyota, says the WSJ. Also “NHTSA didn’t reply to requests for comment on the Auburn incident.”

- “In 2007, Bulent Ezal was pulling into the parking lot of a cliffside restaurant in Pismo Beach, Calif., when his 2005 Camry surged, went over the bluff and crashed on rocks 70 feet below. Mr. Ezal, 75, survived, but his wife, who was in the passenger seat, was killed.” Police could find no mechanical fault, and concluded that Ezal was at fault. Ezal’s lawyer, Donald Slavik, has been trying to get data from the car’s black box for nearly three years. He was told by Toyota that the data would only be provided if Mr. Slavik got a court to order the company to do so. Later, Toyota told the lawyer “the data in the black box was unusable.”

- “On Dec. 26, Monty Hardy, 56, was driving three passengers in his 2008 Toyota Avalon on Lonesome Dove Drive in Southlake, Texas, when the car ran through a stop sign at about 45 miles per hour, crashed through a fence, struck a tree and landed upside down in a pond, according to a police report. All four occupants were killed… After the crash, investigators from NHTSA and Toyota’s black-box expert flew to Texas to join police in searching for the cause of the accident. They found the black box in the car covered in muck from the pond. According to police reports, the Toyota investigator tapped into the box and said the only data it contained was the difference in the speed of the car immediately before and after hitting the fence and the tree.”

- A black box was in the 2009 Lexus ES350, driven by Mark Saylor, a 45-year-old California Highway Patrol officer. He and three members of his family were killed when their vehicle hit speeds exceeding 120 mph and crashed. The 911 call made by one of the family members was on all the airwaves. In an answer to the questions of the LA Times, Toyota said: “Toyota agreed to perform a readout of the EDR in the Saylor vehicle. In the presence of representatives of all interested parties and the Sheriff’s department, Toyota attempted to perform the readout as agreed. However, due to the extensive damage to the EDR unit from the crash, it was impossible to perform a readout.”

Is the black box technology in such an early stage of development that there is only one prototype readout tool, as Toyota said to the LA Times, and that it is so hard to retrieve conclusive data? Thetruthaboutcars.com asked an interested reader with 20 years’ experience in automotive safety components and recall investigation to give us an update on the state of the black box art. Here is his report:

Event Data Recorder Access: What Is Toyota Hiding Behind Its Black Box?

For almost a decade, the increasing sophistication and interconnectedness of the electronically-controlled devices and systems in passenger vehicles has offered the opportunity to collect and store ample data for post-crash accident investigation.

Since the late 1990s, individuals have participated in DOT-sponsored workgroups with the aim of developing industry guidelines (e.g. IEEE & SAE) for and advising government rule-makers on EDR-related topics. Represented were the US and Canadian governments, EDR suppliers, universities, the insurance industry, and certain OEMs, among them GM, Ford, DaimlerChrysler, VW, Honda and Toyota.

According to an August 2001 report from the workgroup, “The results of a NHTSA-sponsored engineering analysis show that EDR data can objectively report real-world crash data and therefore be a powerful investigative and research tool, by providing very useful information to crash reconstructionists and vehicle safety researchers. Due to significant limitations however, EDR data should always be used in conjunction with other data sources.”

The types of data that can be captured and stored are limited only by the available sensors, integration into a vehicle-communication protocol (i.e. CAN-BUS or Flex-Ray), software-design, computing power, and available memory. At the time of the NHTSA report (2001), GM’s EDRs were already capable of the following:

Capture: State of the driver’s belt, vehicle speed, engine RPM, “brake on/off,” and throttle position;

Transmit and Input: The driver seat belt switch signal is typically input into the SDM, while the remaining sensors are monitored by one or more other electronic modules that broadcast data according to a “send on change” based design (e.g. a change in engine speed of more than 32 RPM broadcasts the new RPM value on the serial bus);

Store, archive, update and recover: In airbag-deployment or near-deployment crashes, the last 5 seconds of data are stored in an EEPROM (recoverable with appropriate PC-based equipment). This means that, every second, the SDM takes the most recent sensor data values and stores them in a recirculating buffer (RAM), one storage location for each parameter, for a total of 5 seconds. When the airbag sensing system “enables” on impact, buffer refreshing is suspended.

Certain 1999 models had this capability, and almost all GM vehicles were expected to add that capability over the next few years.
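The send-on-change broadcast and the 5-second recirculating buffer described above can be modelled in a few lines. This is an added example, not GM's or any supplier's firmware: the struct layout, function names and the 8-second drive are constructed for illustration, and only the 32 RPM threshold and the 5-second depth come from the text. It shows a point that matters when reading such a record: the stored RPM is the last value broadcast, which can trail the true value by up to the send threshold.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRE_CRASH_SECONDS  5   /* from the text: the last 5 seconds are kept */
#define RPM_SEND_THRESHOLD 32  /* from the text: broadcast on a change of more than 32 RPM */

typedef struct {               /* one slot per second, fields per the "Capture" list */
    int speed_mph, engine_rpm, throttle_pct, brake_on, belt_buckled;
} edr_sample;

typedef struct {               /* hypothetical SDM state, not a real module layout */
    edr_sample ring[PRE_CRASH_SECONDS]; /* recirculating buffer (RAM) */
    int next;          /* slot the next sample overwrites */
    int count;         /* valid samples, saturates at PRE_CRASH_SECONDS */
    int frozen;        /* set once the airbag sensing system enables */
    int last_sent_rpm; /* sender side: last value the engine module broadcast */
    int bus_rpm;       /* receiver side: last RPM value seen on the serial bus */
} sdm;

void sdm_init(sdm *s, int initial_rpm) {
    memset(s, 0, sizeof *s);
    s->last_sent_rpm = s->bus_rpm = initial_rpm;
}

/* Engine module, send-on-change: returns 1 if a new RPM frame went out. */
int engine_broadcast(sdm *s, int true_rpm) {
    if (abs(true_rpm - s->last_sent_rpm) <= RPM_SEND_THRESHOLD)
        return 0;                       /* small change: bus keeps the old value */
    s->last_sent_rpm = s->bus_rpm = true_rpm;
    return 1;
}

/* Called once per second: store the most recent values, overwriting the oldest. */
void sdm_tick(sdm *s, int speed, int throttle, int brake, int belt) {
    if (s->frozen)
        return;                         /* buffer refreshing is suspended */
    edr_sample e = { speed, s->bus_rpm, throttle, brake, belt };
    s->ring[s->next] = e;
    s->next = (s->next + 1) % PRE_CRASH_SECONDS;
    if (s->count < PRE_CRASH_SECONDS)
        s->count++;
}

void sdm_enable(sdm *s) { s->frozen = 1; }

/* Copy the frozen buffer out oldest-first (stands in for the EEPROM write). */
int sdm_archive(const sdm *s, edr_sample out[PRE_CRASH_SECONDS]) {
    if (!s->frozen)
        return 0;
    int start = (s->next - s->count + PRE_CRASH_SECONDS) % PRE_CRASH_SECONDS;
    for (int i = 0; i < s->count; i++)
        out[i] = s->ring[(start + i) % PRE_CRASH_SECONDS];
    return s->count;
}

/* Constructed 8-second drive: {true RPM, speed mph, throttle %, brake on}. */
static const int DRIVE[8][4] = {
    {2000, 30, 20, 0}, {2010, 31, 20, 0}, {2030, 32, 20, 0}, {2040, 33, 22, 0},
    {3000, 40, 60, 0}, {3020, 45, 80, 1}, {3030, 50, 100, 1}, {4500, 60, 100, 1},
};

int run_constructed_drive(edr_sample out[PRE_CRASH_SECONDS]) {
    sdm s;
    sdm_init(&s, DRIVE[0][0]);
    for (int t = 0; t < 8; t++) {
        engine_broadcast(&s, DRIVE[t][0]);
        sdm_tick(&s, DRIVE[t][1], DRIVE[t][2], DRIVE[t][3], 1);
    }
    sdm_enable(&s);                     /* impact: freeze the buffer */
    sdm_tick(&s, 0, 0, 0, 0);           /* a post-impact tick must change nothing */
    return sdm_archive(&s, out);
}

int main(void) {
    edr_sample out[PRE_CRASH_SECONDS];
    int n = run_constructed_drive(out);
    for (int i = 0; i < n; i++)
        printf("t-%d s: %3d mph %4d rpm throttle %3d%% brake %s\n",
               n - i, out[i].speed_mph, out[i].engine_rpm,
               out[i].throttle_pct, out[i].brake_on ? "on" : "off");
    return 0;
}
```

In the constructed drive the true engine speed two seconds before impact is 3030 RPM, but the archived record shows 3000 because the 30 RPM change never crossed the broadcast threshold.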

Compare where GM was in 1999 with the claims found by the L.A. Times on the Toyota website. Toyota’s EDRs are capable of recording data including, among other things, brake pedal application and degree of application of the accelerator pedal.

On the side of reading data out of EDRs, in 2000, the Robert Bosch Corporation developed their CDR (Crash Data Retrieval) unit. Many models by GM (1994), Ford (2001), Chrysler (2005) and Nissan (2007) have the capability for crash-event data to be stored in their proprietary EDRs, and to be freely retrieved by licensed 3rd parties via a Bosch CDR unit.

While the Bosch CDR units can be freely purchased and used, and training and support is widely available through Bosch, in North America, Toyota takes a totally opposite posture. Toyota appears to engage in practices intended to limit access to the data recorded by Toyota’s EDRs.

Contrast the situation surrounding the OEMs above with Toyota’s own answers to questions from the L.A. Times (edited for brevity). Given Toyota’s apparent lack of confidence in the software or electronics in its prototype crash analysis tool, one cannot help but wonder if this is really due to the tool, or the production systems it was designed to analyze:

“Toyota does not yet have a commercially available EDR readout tool and currently has only one prototype readout tool in the U.S. Toyota performs EDR readouts for law enforcement under certain circumstances. We are also occasionally ordered by various courts to perform EDR readouts. A readout for law enforcement is a community service that Toyota performs. Toyota does not have the capacity to perform readouts using its one prototype tool in all cases.”

“Toyota’s EDR is capable of recording only the previous several seconds of activity before and/or a fraction of a second after a crash or near-crash situation.”

“Given the fact that the readout tool is a prototype and has not been validated, it is Toyota’s policy not to use EDR data in its investigations. However, Toyota has used the readout tool under certain circumstances.”

“EDR data ownership varies state by state. The prototype software used by Toyota to perform EDR readouts is proprietary, as is the case with all auto manufacturers. Toyota does not contend that the EDR readout data is proprietary. When a data retrieval tool is commercially available, any data retrieved will then as now be subject to applicable state law.”

“Federal regulators require Toyota and all other OEMs w/EDR equipped vehicles to make a data retrieval tool commercially available by 9/1/12. Toyota will, of course, comply with this requirement.”

Given the mature nature of EDR technology and the degree to which its competitors have made their EDR data available for 3rd-party download, the limited circumstances (e.g. court order) under which Toyota makes its single “prototype” device available, the way in which Toyota characterizes the software within as “unvalidated” and unreliable, and Toyota’s persistence in these actions despite the obvious conflict of interest (as the sole party that can release EDR data), one has to wonder what Toyota is hiding behind their black box.


110 Comments on “What’s Wrong With Toyota’s Black Boxes?...”


  • CarPerson

    Unless more sensors are added, it CANNOT tell if a pedal is being pressed. It can only report what the signal level was being received at the other end of the wires from the pedals.

    This may seem to be a minor quibble, but it is not. If the pedal is at the idle position but the wire terminals under the hood at the other end are reporting the command for wide open throttle, it validates what many have been saying. It takes three sensors, count ‘em, to determine the situation.

    The Airbus A330-A340 records the pedal position, what signal was being broadcast, and what signal was being received at the other end of the wires. These models are extremely well instrumented. Up to as many as 1300 signals are being monitored.

    For those keeping score: the recorder is a Honeywell (AlliedSignal) unit made in the United States. It is also used on the 747 and some Gulfstreams.

    •

      You are way ahead of Toyota.

      They aren’t at the point of “is the pedal being pushed or is the pedal sensor acting up?”

      Toyota seems to have trouble reading their own black boxes. They have only one prototype data reader. What’s so complicated about dumping the content of an EEPROM? Jeez, I did this in the late ’70s with a tool called DDT (Dynamic Debugging Tool). Just in case all else fails.

      Do we have the feeling we are being snowed?

    • CarPerson

      Further down in this thread a poster mentions that BMW measures the pedal position and compares it with the pedal output signal. If they correspond, everything is Ok. If they do not, a “Check Engine” light is illuminated and latched. Way cool.

      I would add measurement at the computer input ports to incorporate checking the signal integrity from the pedal to the computer then compare all three. Double way cool.

      Add the above to the “If Brakes >15%, Throttle limited to <15%" that was posted about a week ago.

      NHTSA, are you listening???

    • Robert.Walter

      IIRC, somebody else posted here on TTAC in the last month or so, on this topic, that an OEM (I’m not sure, needs verification, but I thought they said Toyota) was doing the comparison between Voltage-up and Voltage-down from the two different Hall-sensors…

    • Patrickj

      The additional sensor required to tell whether a pedal was stuck or being pressed by the driver would be a strain gauge on the pedal arm or a pressure switch in the pedal body.

      Current systems cannot distinguish a stuck pedal from an intentionally depressed pedal.

    • shaker

      I agree that the addition of a strain gauge on the gas pedal arm would add another critical data point – it seems that the lack of such a (relatively inexpensive) item is an error.

      The presence of strain gauge data could either prove that Toyota is correct, and driver error is the cause, or it would prove that the pedal was *not* being depressed, which would put Toyota in an awkward position.

      Any guess as to why this sensor is not installed on (AFAIK) any passenger car today?

    • Ernie

      @CarPerson/Bertel

      It seems so simple as you both put it . . . I have to wonder whether this is going to be an opportunity to fix, or more if it’s going to turn into an “onstar” situation where people get questioned on “What are you doing with OUR car?” (meaning a liability dodge).

      Don’t get me wrong, I don’t necessarily believe that GM has any truly bad intentions with onstar (or rather the organizational skills to have any), but a lot of people are creeped out by the data logging that they do.

      I guess I just hope that Toyota is beyond the “blame the customer” mentality that dealerships occasionally use as SOP.

    • john.fritz

      “I agree that the addition of a strain gauge on the gas pedal arm would add another critical data point – it seems that the lack of such a (relatively inexpensive) item is an error.”

      I purchase strain gauge sensors for our R&D department and they aren’t cheap. At least I don’t think they’d be considered cheap in an automobile manufacturing environment. Aren’t these the guys who will engineer a plastic tab to hold something together just to save the money they’d spend on buying a couple $0.01 sheet metal screws per car? (Ford, I’m looking at you)

      Not that it isn’t a good idea. Because it is. But will they do it?

    • CarPerson

      A pedal position sensor would identify where the pedal is. Adding a strain gauge may help identify if it was being pressed or was stuck in that position by something wedged under the pedal or a mechanical malfunction in the pedal hinge. However, it may not clearly differentiate between being jammed or being pressed.

      The above only checks the operator command (pedal position) against the command being delivered to the Engine Control Computer (sensor, wire, and connector integrity), not beyond. How can the integrity of the pedal command from the pedal to the quantity of air and fuel being delivered to the cylinders be verified?

      Measuring the signal at the Engine Control Computer (ECC) output terminals would allow verifying the output was appropriate to the input (computer integrity). A sensor at the fuel injection actuator would allow determining how the actuator was being commanded. Finally, a sensor somewhere in the throttle body or air or fuel system to measure what was actually being delivered to the cylinders.

      As far as I know, all engines have a throttle position sensor in or near the intake manifold.

      A quick and dirty command integrity implementation would be to compare the pedal position sensor data with the signal data received at the ECC, with the data out of the ECC, with the throttle position sensor data. You would know for sure what was going on inside the engine matched the pedal position and if not, where the problem is.

      However, this does not help a floormat-jammed pedal.

      “Pre-pedal command” integrity (i.e. floormat jammed under pedal) and overall safety would be the “if brake >15%, throttle max = <15%" programmed into the ECC.

      Our old mechanical system had hard links between the pedal command and what was going past the intake valves. If any of that chain is broken by substituting electrical devices, it would seem prudent to bridge that section with advanced redundancy, verification, and auditing capability.
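The chain comparison and the brake override proposed in the comment above, sketched as an added example that is not part of the original comment and not any manufacturer's code. The 15% figures are the ones posted; the 3-point tolerance, the type and function names, and the sample snapshots are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define TOLERANCE_PCT      3   /* assumption: allowed disagreement between taps */
#define BRAKE_OVERRIDE_PCT 15  /* as posted: brake >15% limits throttle to <15% */

typedef struct {
    int pedal_pct;     /* pedal position sensor, at the pedal */
    int ecc_in_pct;    /* signal received at the ECC input terminals */
    int ecc_out_pct;   /* signal at the ECC output terminals */
    int throttle_pct;  /* throttle position sensor at the intake */
    int brake_pct;     /* brake application */
} snapshot;

typedef enum {
    CHAIN_OK,              /* every tap agrees with the one before it */
    FAULT_PEDAL_TO_ECC,    /* sensor, wire or connector between pedal and ECC */
    FAULT_INSIDE_ECC,      /* ECC output not appropriate to its input */
    FAULT_ECC_TO_THROTTLE  /* actuator or wiring after the ECC */
} chain_verdict;

static int differs(int a, int b) { return abs(a - b) > TOLERANCE_PCT; }

/* Brake override: with brake above 15%, the throttle command stays below 15%. */
int apply_brake_override(int requested_pct, int brake_pct) {
    if (brake_pct > BRAKE_OVERRIDE_PCT && requested_pct >= BRAKE_OVERRIDE_PCT)
        return BRAKE_OVERRIDE_PCT - 1;
    return requested_pct;
}

/* Walk the chain from pedal to intake; the first disagreement names the stage. */
chain_verdict locate_fault(const snapshot *s) {
    if (differs(s->pedal_pct, s->ecc_in_pct))
        return FAULT_PEDAL_TO_ECC;
    if (differs(s->ecc_out_pct, apply_brake_override(s->ecc_in_pct, s->brake_pct)))
        return FAULT_INSIDE_ECC;
    if (differs(s->ecc_out_pct, s->throttle_pct))
        return FAULT_ECC_TO_THROTTLE;
    return CHAIN_OK;
}

/* Constructed snapshots: {pedal, ECC in, ECC out, throttle, brake}. */
static const snapshot SAMPLES[] = {
    {   0, 100, 100, 100,  0 },  /* pedal at idle, ECC receives wide open */
    {  40,  40,  90,  90,  0 },  /* ECC output does not follow its input */
    {  40,  40,  40,  95,  0 },  /* throttle plate does not follow the ECC */
    { 100, 100,  14,  14, 60 },  /* jammed pedal, brake applied, override active */
    { 100, 100, 100, 100, 60 },  /* same situation, ECC without the override */
    { 100, 100, 100, 100,  0 },  /* jammed or pressed: the chain cannot tell */
};

static const char *verdict_name(chain_verdict v) {
    static const char *names[] = { "chain ok", "fault: pedal to ECC",
                                   "fault: inside ECC", "fault: ECC to throttle" };
    return names[v];
}

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("sample %zu: %s\n", i, verdict_name(locate_fault(&SAMPLES[i])));
    return 0;
}
```

The last snapshot reports a healthy chain even though the pedal may be jammed, which is the limitation the comment notes: only the brake override, not the comparison, covers a pedal held down from outside.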

    • zbnutcase

      The ONLY thing that is WAY COOL is a CABLE from the pedal to the throttle body. This electronic BS must stop before we all die. ‘nutcase

    • postjosh

      CarPerson: “Our old mechanical system had hard links between the pedal command and what was going past the intake valves. If any of that chain is broken by substituting electrical devices, it would seem prudent to bridge that section with advanced redundancy, verification, and auditing capability.”

      please, tell me that these systems aren’t dependent on the car’s central computer to control the throttle level. it’s obvious that to be safe the system needs to be analogous to the mechanical system it replaces i.e. as direct a connection as possible.

  • jmo

    If the instruments recorded full throttle and no braking effort it would indicate driver error. If the instruments recorded full throttle and full braking effort that would indicate some sort of engineering flaw.

  • gslippy

    Toyota may be justified in their hesitance. I would not call it “hiding”. Releasing raw data without context can lead to very incorrect conclusions. This is one reason why airplane investigations can typically take a whole year or more.

    For example, discovery of a wide-open-throttle condition in the last second of a crash could mean a) it stuck, b) it was intentional (accident avoidance), or c) an incorrect reading. Such a finding only means something when coupled with other data, both hard (electronic), and soft (photos and witnesses).

    Toyota’s proprietary reader system may only be in the prototype stages because of the need to apply context to the readings, which no two manufacturers will do in the same way. Does anyone know what 3.8V means for a throttle position sensor, or 204 mV for an oxygen sensor?

    Just peruse the NTSB’s report on the crash of USAir Flight 427 in 1994; the investigation took years to complete because of all the conflicting data which had to be sorted into a probable cause, which turned out to be a very rare rudder problem. Similarly, Toyota’s throttle issue is a rare problem that armchair experts will not sort out by reviewing EDR data from a few accidents. Toyotas crash every day; what tiny fraction of them are caused by throttle problems? I guarantee that fraction increases with the price of your lawyer. Shall each accident be analyzed for this issue?

    If data ownership varies by state, then Toyota is correctly waiting until the legal system sorts out Toyota’s (or any manufacturer’s) responsibility to analyze and release it.

    • baldheadeddork

      Not releasing the data for independent review is in itself removing context.

      What readings mean could be decrypted by examining the function of the input sensors. This isn’t brain surgery.

      And picking what the NTSB called “the most difficult accident investigation in the history of the agency” isn’t a very good context for crash investigation, and using it as a comparison to Toyota’s mess is not accurately representing how aircraft crash investigation works. Aircraft crash investigations are totally transparent. The entire system depends on a full and public understanding of what went wrong, even though a screw up is going to mean a massive liability penalty for anyone who screwed up. The idea of an avionics or powerplant company claiming they wouldn’t cooperate without a court order because of trade secrets is unimaginable.

    • gslippy

      @baldheadeddork:

      Your points are well-taken, except that Toyota produces consumer products for private consumption, whereas airliners are commercial products that are publicly regulated.

      On the question of whether the work is “brain surgery”, I’d suggest that providing raw data is not, but interpreting it can be akin to brain surgery. As CarPerson alludes to above, a Toyota is not as well-instrumented as an airplane, and therefore some gaps will exist in some cases.

      One of the benefits of airplane investigations is precise knowledge of vehicle position and attitude in 3 dimensions, collected by the aircraft as well as radar in many cases. Accident reconstruction for cars is hampered by not having this precise information.

      If the industry is forced to provide aircraft-like instrumentation to help weed out the few accidents caused by mechanical failure, we’ll see prices go up and reliability go down for all cars.

      When the day arrives that Toyota’s EDR data becomes a matter of public record, I would expect to see a very boring automotive marketplace, possibly preceded by a fight over Fourth Amendment issues related to acquisition and use of that data.

    • baldheadeddork

      @gslippy:

      You’re trying to say that only commercial aircraft are regulated and investigated this way?

      About automotive EDR’s not collecting “vehicle position and attitude in 3 dimensions”, I don’t know how you drive your X-Box but Mrs. Dork doesn’t often experience roll, climb or descent in hers. Measuring one axis on a car is fine as long as you get enough history of the sensor inputs to reconstruct what was happening before the crash. With flash memory going for pennies a megabyte and almost all of these parameters being tracked for OBD-II (the rest, most notably brake pedal positioning, is tracked when the car is equipped with stability control), the additional cost would be negligible.

      And accident investigation is pretty damn good. I know some people who do it for a living and you’d be amazed at what you can rebuild from a crash scene and investigating the life of the person before the crash.

      Finally, the Fourth Amendment claim is ridiculous. The Fourth is a protection against searches and seizures without a warrant. Courts issue subpoenas ordering the release of documents every day.

    • gslippy

      @baldheadeddork:

      The question will arise as to how much data is enough (# of sensors, length of time), as well as its durability. The EDR is not built like an aircraft black box, but it would be possible to make it suitably durable for automotive use (lake submersion, short-term fires, etc.).

      Of course a car does not experience changes in altitude or attitude normally, but they certainly do during an accident. Stability control systems do make use of slew rates, so some of the information is already there, as you mention.

      The issue of data transparency brought up in this article may be moot due to aggravating factors in crashes (i.e., alcohol, weariness, driver skill). In the Saylor case, I would guess that the data would have revealed a WOT condition along with application (but not pressure) of the [faded] brakes. The 911 call implies as much. Everything after that is speculation. A defense attorney will argue that the driver was a victim of someone else’s negligence related to the floormats, and his own failure to shut off the ignition even when directed to do so by the 911 dispatcher. One could even cruelly argue that it was suicide given that last fact.

      I’m just saying that Toyota is going to be extremely reluctant to hand over raw data (when retrievable) when that data is limited by current instrumentation and other factors.

      Yes, forensic engineering can do wonders. I do some mechanical failure analysis in my job, but unfortunately the only data I get is in the form of broken parts to review, and very little in terms of customer profile. :( I’d love to place a recorder on the people who break our products!

    • Robert.Walter

      Gents:
      - If it has ESP, it has a yaw sensor*;
      - If it has Side Curtains, it has a Roll Sensor*;
      - If it has Side Thoracic/Head bags, it has a side-pulse accelerometer*;
      - If it has Frontal SRS, Pyrotechnic Belt Snubbers, or a Pyrotechnic Variable-Energy Absorbing St. Column, it has a front-pulse accelerometer*.
      * or similar device, or device with combined functions.

      Only thing a thing with wings has more is a pitch sensor.

    • John Horner

      Only we, Toyota, can tell you what the data means “in context”. Rather self serving, eh? To continue the airplane analogy, it would be as if only Boeing or Airbus had the ability to read out, interpret, and selectively report on the contents of a plane’s black box post-crash.

    • Steven02

      Cars are publicly regulated. Hiding the data only makes you look guilty. In the event that the data could show that Toyota has a problem with their car, looks like Toyota is the only one that can tell you that, not exactly convenient for the rest of the world.

      As far as the 911 call is concerned, calling it suicide is ridiculous. I am not saying he couldn’t have figured out a way to put it in neutral or turn the car off, but who is to say he didn’t try those things? The real point is that he shouldn’t have been in that situation in the first place.

      No one is saying that the data here won’t need context. And Toyota has lawyers and engineers who can read it and tell you about it. They can also be very clear about what the data does and does not tell you. Yes, the data says the throttle position was X and the pedal position is Y, but it can’t tell you why the pedal position was Y. It can only tell you that it was there. I think everyone understands that. The whole 1 prototype reader is BS. If Toyota didn’t want the data to be shared, they shouldn’t have even put the box in the car.

    • gslippy

      @Steven02:

      Let me be clear on the suicide thing: I only said that a defense lawyer could make such an outrageous claim in order to cast doubt on incriminating or vague data from a black box. I certainly do not believe it to be the case, and believe Toyota shares some culpability in that tragedy.

  • rehposolihp

    Without dozens (or more) crashes to review and compare the results of the data, the ‘crash’ data is simply a few more points on an extremely complicated scatter plot. And, as the above posts have mentioned it doesn’t contain the appropriate depth of information we need. If the process is software based the error can occur anywhere along this software in addition to simple hardware error. So an error occurring simply tells you it was possibly x,y, or z; when all we know is that an error occurred that is possibly caused by x,y, or z.

  • Potemkin

    I can’t help thinking that having Toyota engineers retrieve and analyse data from the Black Boxes to be somewhat akin to asking the person you suspect of embezzlement to audit the books, duh. Knowing how gadget crazed the Japanese are I somehow doubt they are as far behind in this technology as they would have us believe. Hopefully the truth will out.

  • segfault

    The LA Times had some interesting questions for Toyota, which Toyota completely dodged…

    “In particular, why wasn’t the 2007 recall of Lexus ES and Camry floor mats effective in preventing catastrophic accidents such as the Saylor case?”

    The obvious reason is that Toyota failed to engineer a brake override, but that is completely absent from their answer.

    I don’t think Toyota will get out of the media’s crosshairs until they retrofit a brake override to all of their vehicles with an electronic throttle, AND they get high compliance rates from owners bringing the cars in for the retrofit. Also, widespread problems like the 4runner steering problem, the truck frame rusting problem, and the Tacoma idle surge problem are going to have to be addressed.

    • gslippy

      Toyota did not dodge the question.

      They answered it quite specifically: The reason the recall didn’t help in the Saylor case is because the recall was not complied with in the Saylor vehicle.

      The recall of floor mats is not intended to address the issue of brake overrides, nor the failure of the driver to turn off the vehicle even when instructed to do so: http://www.momlogic.com/2009/09/911_call_released_in_stuck_accelerator_crash.php

    • Steven02

      @gslippy

      One must then understand how to turn off the push button start of the vehicle when running and also assume that he hasn’t tried to do that yet.

    • gslippy

      Yes, I had forgotten that this was a pushbutton start vehicle – an issue that definitely must be resolved.

  • mike_i_n_mich

    There is a legal process for black box data to be retrieved, analyzed and entered into courtroom proceedings. Third parties are involved and trusted. Just the existence of this data since the introduction of electronic throttle control has essentially put a stop to sudden acceleration lawsuits, because the vast majority of these have been driver error, where he depresses the accelerator instead of the brake. The data does not lie.

    For the case of a stuck accelerator, be it from a carpet or a mechanically sticky pedal mechanism, the black box hurts the auto company rather than helps in trials. The fact that Toyota has resisted use of this data where other auto makers have benefitted greatly from the facts makes one very suspicious of their motivations. I’m sure they have the technology to read black box data and they record the same basic signals as everyone else.

  • the_gamper

    This sounds really shady to me. There is absolutely nothing that makes sense about equipping thousands of cars with these data recorders and having no information to retrieve from them and having only one “prototype” reader in the entire United States, Toyota’s largest market.

    Another thing that doesn’t make sense: how is Toyota able to hold these devices and not return them to the vehicle owners? Isn’t a part of a car I own my property?

    I do think that “throttlegate” is being blown out of proportion, but Toyota doesn’t exactly seem to have clean hands in the matter. The more they stonewall, the worse it is going to be for them if additional information is eventually discovered.

  • cardeveloper

    Toyota for years has hidden behind the Japanese design, data isn’t available, there is not a problem defense. Plaintiff attorneys can’t get the smoking gun, like they can with a US-based maker, so they don’t sue the hard targets.

    The black box data is there, I’d bet an accelerator pedal on it :)

  • avatar
    baldheadeddork

    Toyota on recovering data from Saylor’s ES-350: “(D)ue to the extensive damage to the EDR unit from the crash, it was impossible to perform a readout.”

    Toyota on the cause of the Saylor crash: Rubber floor mats designed for another model jammed the accelerator open. We’ll recall all cars that might be affected to zip tie the floor mats to the seat frame to fix it.

    So the EDR was so badly damaged and burned that it was impossible to recover the data, but rubber floor mats survived and remained in a position that proved they jammed the accelerator open?

    FWIW, only Toyota is claiming floor mats caused the Saylor crash. Toyota announced the results of its investigation – the floor mats – on the day before Thanksgiving, but the police investigation released on December 6 was “inconclusive”. The mats may have caused a sudden acceleration event, but “Due to the catastrophic damage . . . other avenues of unintended acceleration could not be explored. Beyond the all-weather floor mat, other and/or additional factors causing a sudden acceleration event (re: electrical, mechanical or computer generated) should not be ruled out.”

    http://articles.latimes.com/2009/dec/06/business/la-fi-toyota-recall6-2009dec06

    And for your anonymous expert, Toyota told the LA Times in December that their EDRs can capture “vehicle speed, engine speed, brake pedal application, accelerator pedal position and seat belt usage, among other things.”

    http://www.latimes.com/business/la-fi-toyota-secrecy23-2009dec23,0,557792,full.story

    • 0 avatar
      gslippy

      Toyota also says the attempted EDR readout was performed before all interested parties and the sheriff’s department, so without a rebuttal from the ‘interested parties’ I’ll take their word on it.

      The notion of the floor mats surviving a fiery crash is odd, but perhaps it was similar to the way tornadoes can leave saplings untouched but level a house. The charred remains of a rubber floormat might be more evidence than a cooked EDR.

      It is unbelievable that Toyota only has 1 prototype reader in the US. That really sets off the BS detector.

    • 0 avatar
      tced2

      I would like to see a description of a sensor for “floor mat stuck under accelerator”. I suspect there is no such thing. It is a condition that is inferred and is by no means “detected” by the black box.

  • avatar
    50merc

    This is the most damning article on Toyota I’ve seen. It doesn’t pass the grin test–that is, whether something can be said with a straight face. That “single prototype reader” malarkey by itself is enough to produce guffaws.

  • avatar
    Eric_Stepans

    Toyota’s explanations about its EDR problems sound fishy to me.

    If the EDRs are not recording enough data to be of use after a crash event, it’s because Toyota wants it that way.

    My personal hands-on experience with BMW and Honda data systems is that there is plenty of available data, it’s not that hard to store, and it’s not that hard to interpret.

    Furthermore, the notion that car data is not as reliable as aircraft data does not quite ring true.

    For example, a BMW electronic throttle pedal has two potentiometers. One ranges from 0.5V (idle) to 4.5V (full throttle). The second one ranges from 4.5V (idle) to 0.5V (full throttle). There is also a ‘virtual’ pedal position sensor generated by the software in the DME (engine computer). It compares the pedal sensors with expected values based on engine speed, mass air flow, road speed, etc. If either physical sensor output gets too far from the computer ‘virtual’ value, the DME ignores its output, stores a fault code, and turns on the “Check Engine” light.

    I find it implausible that Toyota can’t record and store data with similar sophistication.
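
The plausibility scheme described in the comment above, as an added example that is not part of the original comment and is not BMW's code. The 0.5 V and 4.5 V end points come from the comment; the 10-point tolerance, the 0.2 V electrical margin, the fault bit names, the lower-of-two selection and the fall-back to idle are assumptions, and the 'virtual' pedal value is simply passed in by the caller.

```c
#include <stdbool.h>
#include <stdio.h>

#define V_LOW        0.5   /* volts: sensor 1 at idle, sensor 2 at full throttle */
#define V_HIGH       4.5   /* volts: sensor 1 at full throttle, sensor 2 at idle */
#define V_MARGIN     0.2   /* assumed: overshoot tolerated before a wiring fault */
#define MAX_DEV_PCT 10.0   /* assumed: allowed deviation from the virtual value */

/* Hypothetical fault bits, one per sensor and failure kind. */
#define FAULT_S1_RANGE 0x01u  /* sensor 1 voltage outside its electrical window */
#define FAULT_S2_RANGE 0x02u
#define FAULT_S1_PLAUS 0x04u  /* sensor 1 disagrees with the virtual value */
#define FAULT_S2_PLAUS 0x08u

typedef struct {
    unsigned faults;      /* stored fault bits */
    bool check_engine;    /* warning lamp request */
    double pedal_pct;     /* pedal position actually used, 0..100 */
} pedal_result;

static double absd(double x) { return x < 0 ? -x : x; }

static double clamp_pct(double p) { return p < 0 ? 0 : (p > 100 ? 100 : p); }

/* A reading near 0 V or 5 V cannot come from a healthy sensor, so it is
 * treated as an open or shorted wire rather than as a pedal position. */
static bool in_window(double v)
{
    return v >= V_LOW - V_MARGIN && v <= V_HIGH + V_MARGIN;
}

/* Sensor 1 rises with pedal travel, sensor 2 falls with it. */
static double s1_to_pct(double v) { return (v - V_LOW) / (V_HIGH - V_LOW) * 100.0; }
static double s2_to_pct(double v) { return (V_HIGH - v) / (V_HIGH - V_LOW) * 100.0; }

/* Compare each physical sensor with the virtual pedal value; ignore a
 * sensor that fails either check, record why, and request the lamp. */
pedal_result evaluate_pedal(double v1, double v2, double virtual_pct)
{
    pedal_result r = {0u, false, 0.0};
    double p1 = s1_to_pct(v1);
    double p2 = s2_to_pct(v2);

    if (!in_window(v1))
        r.faults |= FAULT_S1_RANGE;
    else if (absd(p1 - virtual_pct) > MAX_DEV_PCT)
        r.faults |= FAULT_S1_PLAUS;

    if (!in_window(v2))
        r.faults |= FAULT_S2_RANGE;
    else if (absd(p2 - virtual_pct) > MAX_DEV_PCT)
        r.faults |= FAULT_S2_PLAUS;

    bool ok1 = (r.faults & (FAULT_S1_RANGE | FAULT_S1_PLAUS)) == 0;
    bool ok2 = (r.faults & (FAULT_S2_RANGE | FAULT_S2_PLAUS)) == 0;

    if (ok1 && ok2)
        r.pedal_pct = clamp_pct(p1 < p2 ? p1 : p2); /* assumed: use the lower */
    else if (ok1)
        r.pedal_pct = clamp_pct(p1);
    else if (ok2)
        r.pedal_pct = clamp_pct(p2);
    else
        r.pedal_pct = 0.0;                          /* assumed: fall back to idle */

    r.check_engine = r.faults != 0;
    return r;
}

int main(void)
{
    /* Constructed sample readings: {sensor 1 V, sensor 2 V, virtual %}. */
    const double samples[][3] = {
        {2.5, 2.5, 50.0},   /* healthy, half pedal */
        {4.5, 3.5, 25.0},   /* sensor 1 reads full throttle, model says 25 % */
        {0.0, 4.5,  0.0},   /* sensor 1 shorted to ground */
        {4.5, 0.5, 10.0},   /* both sensors contradict the model */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pedal_result r = evaluate_pedal(samples[i][0], samples[i][1], samples[i][2]);
        printf("v1=%.1f v2=%.1f virtual=%.0f%% -> pedal=%.0f%% faults=0x%02x lamp=%d\n",
               samples[i][0], samples[i][1], samples[i][2],
               r.pedal_pct, r.faults, r.check_engine);
    }
    return 0;
}
```

The fault bits are the part that matters for later investigation: they record which sensor was ignored and whether it failed electrically or only disagreed with the model.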

    • 0 avatar
      gslippy

      Toyota’s motivation to not record sufficient data may be about penny-pinching, and/or not answering a question that nobody is asking… until now.

      I’m sure the Tata Nano isn’t collecting much crash data. It will do so when its market countries require it.

    • 0 avatar
      Robert.Walter

      @Gslippy:

      The EDR hardly seems like this would be the kind of system one would value-engineer out of a car. Think about how inexpensive flash memory is, then consider how incredibly cheap it must be if it is bought in quantities of 5-10 Million per year.

      Re. measuring brake force, I believe (corroboration or refutation is welcomed) vehicles like the Saylor Lexus are equipped with ABS/ESP/EBF features, and such systems incorporate a pressure sensor.

      Look to page 22 of the NHTSA work group report … in the table, GM was in the forefront beginning in 1999 working to implement by 2004, Toyota began its phase-in in 2001, and the rest of the OEMs couldn’t even provide much of a description about what their systems did.

      So, Toyota, at this point, a decade ago, produced vehicles with EDRs that could get vehicle speed, engine rpm, throttle position, brake application, etc. and was arguably only behind GM in implementing this technology.

      So what happened?

    • 0 avatar
      gslippy

      @Robert.Walter:

      If I was Toyota, a sophisticated EDR would be one of my first targets to value-engineer out of a car. The value of the data is primarily to attorneys looking for mechanical fault and deep pockets, when the fact is that most crashes are caused by driver error and the causes are obvious.

      The other perspective is that the data *could* be used to exonerate Toyota. But more data only leads to more questions. Without a regulation requiring it – along with uniform interpretation – Toyota is entirely unmotivated to bake the cost into their products.

    • 0 avatar
      Robert.Walter

      Believe you me, only a lunatic would pull functionality out of a corporate safety system for which open data access was required by 2011 (it’s been pushed back to 2012, but the argument still holds.)

      Besides, Toyota was already beginning to implement these systems in 2001, and IIRC, the final rule from NHTSA was around 2005/6.

      When you not only know what is coming down the pike a decade before it is due, but are an active participant in the rule-making, you work to make your systems, and the systems that feed data into them, and the systems that read data out of them, as robust as possible.

      You don’t waste time, or risk losing the plot (i.e. invite screw-ups by making such changes as), by putting them in, taking them out, and then putting them in again.

    • 0 avatar
      Steven02

      gslippy,
      It would require much more than some data from an EDR to win a lawsuit brought against Toyota. One would think that in most cases the data could help Toyota since they wouldn’t be at fault.

      Toyota would likely want to record every bit of data they could because this could also be a diagnostic tool. You know, that whole pursuit of perfection thing.

  • avatar
    zoneofdanger

    Think of it this way: these black boxes probably cost Toyota $10-$20 per car (minimum) to make and install x how many million cars per year? Why would Toyota spend tens of millions of dollars per year on unreliable black boxes and have only one prototype reader available in the whole country? Something doesn’t add up.

  • avatar
    ZoomZoom

    Well, maybe after all this, slowpoke leftlane drivers will move into the right lane when they see my Prius behind them.

    Here I come dammit!

    (come on, laugh you people)

  • avatar
    Kamaka

    It sounds too suspicious to have only one prototype.

    I am more curious and concerned about the potential uses of EDRs. I know this has been debated when EDRs were introduced. They could be a great learning and informative tool, or legal hell for consumers between insurance/lawyers/government.

  • avatar
    shaker

    It would be wise to ascertain how advanced other manufacturers are with EDR compared to Toyota – my feeling is that GM and its OnStar system are the pinnacle of vehicle data recording, as well as the ability to upload/download data for the purpose of fault analysis and even the ability to update vehicle firmware “on the fly” (though I believe that’s not done routinely at this time).

  • avatar
    JohnAZ

    I think this EDR data availability issue, if it is brought up in Washington, could be the toughest issue for Toyoda to deal with. What possible explanation could he provide for why Toyota limits access to EDR data in the US through one device in the hands of the maker of the car in question?

    He would not get away with claiming technical complexity without exposing himself to the question of whether Toyota is sophisticated enough to deal with a complex drive by wire computer.

    If the requirements for EDRs came out of the US, where Toyota has its largest market, what is the possible explanation for only one reader in the US? There is none, other than control of the data.

    If these questions are raised in Washington and Toyoda does not provide convincing arguments, the MSM will be all over this and it will bury Toyota’s credibility with the public like it has with me.

  • avatar
    tced2

    Toyota’s statement “we only have one black box reader in the United States” sets off my corporate legal sensor. Since there is no requirement for support of these boxes until 2012, the legal department simply ordered them to “virtually not exist”. Now that accidents have occurred, the legal department’s nightmare has happened – Toyota must acknowledge the existence of the boxes and read them out. But don’t be disappointed if pre-requirement boxes don’t record some parameters – this technology is evolving rapidly – and Toyota probably would not spend extra money recording parameters not required by law.

  • avatar
    Autojunkie

    Oh here we go again… Most, if not all, cars have had this for over a decade already. More and more data is able to be retrieved as automotive technology advanced.

    “Black box” technology essentially started out with the airbag module. Just about nearly every module on cars (sometimes as many as 40 or more) is capable of recording various forms of data. PCM, ABS, SRS, and other critical modules can have data extracted from them to see what messages were being transmitted and received and what signals/voltages were being received and how output strategies were being calculated.

    This is nothing new… Ignorance is bliss…

  • avatar
    bmoredlj

    When I think of the dozens of acronym-laced systems in the Land Cruiser, the gobs of esoteric tech baked into the LFA, I find it hard to believe Toyota when they say they don’t have the proper means to read their own black boxes.

    If this is true, it’s in Toyota’s best interest that every new car they make have a system that will record pertinent vehicle information at the moment of a collision. Sorry if I sound like Ronald Reagan with SDI, since I have no idea what it would cost, but as most traffic accidents are apparently caused by driver error and not any fault with the machine, black boxes that can reliably deconstruct the accident would either exonerate Toyota from responsibility for the crash, or possibly reveal a problem that requires another recall.

    In either case, the unambiguous truth would be revealed in most cases.

  • avatar
    chuckR

    @gslippy The value of the data is primarily to attorneys looking for mechanical fault and deep pockets

    Under our jackpot tort system, the economic value is as stated. The societal value of the data is to produce safer products, but the downside of transparency is huge for producers.

    I’m sure that ohsnapback would have something to say if he hadn’t been hit by the banhammer…..

    Bertel – do the Germans and Scandinavians still have an agreement that allows a thorough investigation – by all involved parties – of car accidents a la NTSB for aircraft accidents?

  • avatar
    AccAzda

    Maybe these are the handful of boxes made at CTS…

    Protected by a bunch of carefully and precision shims.

    Me..
    I’d like to know where that pic is.
    And where the boxes are in some if not all Honda cars.

  • avatar
    crash sled

    Well, clearly, Toyota is limiting the flow of data to the public. I got no problem with that, as long as they comply with the law, and their statement appears to indicate they will be doing so in 2012, as mandated.

    I wouldn’t be so quick to assume that the Bosch equipment is currently providing a comprehensive data set, however, and I would be quite stunned if the participants to that process are providing everything available, in a simple and usable form, and I can think of nobody more capable than Bosch of acting as the participant OEMs’ consigliere. Likely as not, in effect if not in concept, all the OEMs, not just Toyota, are limiting/diffusing data flow, to limit their liability.

    I’d note that Ford’s iron requires an additional CDR system to connect with its PCM, and the Bosch unit alone won’t operate stand-alone. I wonder what’s going on in Ford’s little black box adapter?

    These guys will all proceed cautiously along this path, and I don’t blame them.

  • avatar
    blue adidas

    With all the cost cutting and nickel-and-diming that Toyota has been engaged in throughout the decade, I find it tough to believe that the one device that they decided to have remain in the vehicles is a complex yet “worthless” black box that the consumer never sees. Oh yeah, there is only one device reader in the US and the results are generally inconclusive anyway. Riiiiiight! It does appear that Toyota is struggling for plausible deniability, but is failing.

    In my opinion, Toyota should just work with investigators to get the most data out of these devices, regardless of the outcome of the results. Toyota has already been forced to admit to several serious safety defects. So rather than assume all accidents are a result of these defects, they should take their lumps and help to accurately determine which ones are genuine.

  • avatar
    guyincognito

    Wait, if the black box can survive the crash why don’t they just make the whole vehicle out of that? Sorry, couldn’t resist.

    Seriously though, I sincerely doubt Toyota is dumb enough to be outright lying about the capabilities of their black boxes, number and quality of readers available, and ability to recover data from high profile crashed vehicles.

    The only explanation I can think of for their statements to be true is that they see the black box as a potential liability and purposely limited their capabilities. Toyota’s secretive culture has been apparent in their handling of this crisis so far, so it wouldn’t surprise me.

  • avatar
    John Horner

    Toyota is intentionally hiding information and is intentionally being misleading about the reasons why. No other conclusion passes the smell test.

    Why include an EDR function and then make it hard to get to? If Toyota wanted to simply save money then they would put the box in their cars at all!

    • 0 avatar
      Robert.Walter

      (John, I think you forgot the “not” in your last sentence.)

      The reality is that as the complexity increases, the vehicle needs to sense, record, and refresh the values coming from the myriad of sensors throughout the vehicle. All this real-time data is then available for plausibility checking, and comparison against stored reference values and limits.

      When all this data is needed to prepare, control, monitor, prevent, initiate, or whatever, and it’s all connected on a CAN-BUS, and the additional processing capability and memory are cheaper than water, where is the real opportunity for savings?

      When such systems easily exonerate the OEM by laying to rest “chicken or egg” questions (i.e. did the airbag cause the impact, or did the impact cause the airbag?) the coin is likely to fall in the favour of the OEM provided the underlying systems are robust and reliable.

  • avatar
    tced2

    The “legal infrastructure” for the black box data is not established. Who controls it? Who owns it? Who is required to supply it? Who can use the information? For what purpose?

    Officer: you were speeding and going faster.
    Motorist: I was driving the speed limit.
    Officer: Let’s plug in and interrogate your black box.
    Motorist: I own the box and it is not going to “testify” against me.

    Insurance company: we read your black box and you were speeding prior to the accident. We’re not paying the claim.

    Insurance company: your black box indicates you didn’t brake before the crash. We’re not paying your claim.

    • 0 avatar
      Robert.Walter

      And why shouldn’t the box be available as a qualified witness to settle such disputes? Seems to me it would raise the level of accountability for the OEM, vehicle owner, driver, authorities, insurance industry, etc.

      (Here in Europe, if you have an accident in winter and you don’t have your snow tires on, your insurance company can reduce/decline to pay … how is this different from the cop looking at your tires?)

      Everybody decries the lawyers, but this would be one sure way to reduce frivolous suits.

    • 0 avatar
      tced2

      The black box may be qualified. But the black boxes have to be held accountable to calibration (like radar guns). Those standards are not in force yet.
      Black boxes are somewhat like the much discussed and criticized camera enforcement machines. Various courts have been skeptical as to their calibration and standards. Some legislatures have outright banned them.

    • 0 avatar
      Steven02

      One would think it would need to be calibrated far less often than a radar gun or something similar. After all, it is getting the reading from the SAME PLACE that the person in the car is.

      But, IMHO, it would actually require a court order for anyone to be able to use it.

      The insurance company arguments don’t really hold water either. First, they can tell if you are speeding using pretty simple physics from the scene of the accident. They can also tell when/if you braked by looking at marks on the ground. But again, I think the data should be available, but for a municipality or insurance company to get them, they should need a court order.

    • 0 avatar
      CarPerson

      @tced2

      The Honeywell (AlliedSignal) Black Boxes do not need re-calibration after they are installed.

      The read-out software has the totally boring name of “Read Out”.

      It animates the cockpit controls and gauges on a computer monitor. Technically, it does not determine what caused the aircraft to crash: Rather, it presents the cockpit and aircraft actions and reactions. Experienced pilots and others viewing the animations draw conclusions what was and was not happening before the crash.

      In a related comment, commercial aircraft automatically send out a constant stream of data. Some basic information is recorded in real time by ground recorders. This information can be quite useful if the black box is never recovered: One of the bits tells if the aircraft is inverted.

  • avatar

    GM went bankrupt because of its arrogant insularity, a reflection of the wider American corporate culture that put the automaker at the top of the industry.

    Toyota’s taking hits because of its paranoid insularity, a reflection of the wider Japanese corporate culture that put the automaker at the top of the industry.

    In GM’s case, no lesson has been learned (as Mr. Lutz’ petulant remarks about GM suits’ corporate compensation indicates). In Toyota’s case, let’s just say there’s a circling of the wagons here that doesn’t bode well for their future prospects.

    • 0 avatar
      CarPerson

      Well said.

      Mr. Toyoda’s on again-off again trip to D.C. is a strong indication they have yet to understand the gravity of the situation they are in.

      At the very least, Mr. Toyoda should have stated early on he would be there in the audience while the top U.S. executives would be testifying. Instead, Toyota has yet another PR disaster to explain.

      Mr. Toyoda’s finally agreeing to show up and talk does little to un-ring that bell.

  • avatar
    fred schumacher

    As tight-fisted as Toyota is, and as conscious of cost control, Toyota’s placing of an expensive data recorder into a vehicle and then saying they can’t access it, or it doesn’t store enough data, or the data is unreliable, doesn’t make sense. It doesn’t pass the smell test. If it’s that useless, it shouldn’t be there.

  • avatar
    racebeer

    I find Toyota’s position on EDRs rather curious. In my stable I have a ’98 Firebird. According to GM, this is what the EDR records 5 seconds prior to ‘impact’:

    Vehicle speed (five seconds before impact)
    Engine speed (five seconds before impact)
    Brake status (five seconds before impact)
    Throttle position (five seconds before impact)
    State of driver’s seat belt switch (On/Off)
    Passenger’s airbag (On/Off)
    IR Warning Lamp status (On/Off)
    Time from vehicle impact to airbag deployment
    Ignition cycle count at event time
    Ignition cycle count at investigation
    Maximum velocity for near-deployment event
    Velocity vs. time for frontal airbag deployment event
    Time from vehicle impact to time of maximum velocity
    Time between near-deploy and deploy event (if within five seconds)

    That’s a bunch of data … and that’s from 1998. Like others have said, this whole thing has a bit of a stench about it.

    And, GM also has a rather lengthy blurb about who owns and can get access to the EDR data. Go here to read:

    http://www.gm.com/corporate/responsibility/safety/event_data_recorders/

    Now, if GM goes to the trouble of making all of this information public, what’s the deal with Toyota???

  • avatar
    CamaroKid

    Other than developing a conspiracy theory and helping the POV that “ooh there is a cover up going on here”, what do you think the EDR will show? It will show that the cars were traveling at a great speed (duh, we know that). It will show that the throttle was at least mostly (if not completely) wide open (duh, we know that too)… It will also show that the car crashed (duh), that the air bag system worked (again duh). It may or may not show that the brakes were repetitively applied (which again we also know).

    Guess what, the data that is in the EDR would look EXACTLY the same if
    1) The pedal was entrapped by a floor mat
    2) The pedal was wedged open by a faulty friction bit inside the pedal or
    3) Sun spots have triggered cosmic rays to create a magnetic anomaly to place exactly the right voltage signal on exactly the right circuit for the car’s ECU to think that the pedal is open (or almost completely open)

    The author and several others are missing the point of the EDR. It is a support tool to help the OEM and NHTSA determine what occurred with the AIR BAG system… To determine if that system is working properly and if that system failed… It is NOT a “Flight Data Recorder”… It is NOT a “black box” that records every aspect of every sensor on the car.

    I think that Toyota is being truthful when they say that the EDR will not yield any additional data other than what the OBDII and other on-board systems ARE recording.

    The answer to the question…
    What Is Toyota Hiding Behind Its Black Box?
    Nothing.

    • 0 avatar
      CarPerson

      We will know if Toyota is hiding something ONLY when a qualified third party connects an EEPROM reader to the device, prints out everything from all memory positions, and Toyota provides the legend for every downloaded bit.

      TTAC purchased throttle pedals, took them apart, and exposed “mis-statements” in what Toyota was saying. Expect the NHTSA or a university to do the same with Toyota’s black box within about a week to 10 days.

      This is yet another time bomb set to go off in the MSM.

    • 0 avatar
      Robert.Walter

      @camarokid:

      Nice snark… but don’t you miss the point?

      Wasn’t one of the early accusations (which Toyota did little to publicly refute) which helped to confuse the dialogue regarding Toyota’s culpability in both the mat-entrapment and sticky-pedal fiascos the “stupid operator confused the brake and accl pedals” argument?

      EDR-brake-related data showing the pedal was applied, and with what force, can clearly show driver’s action and intent (to stop the vehicle) and, unless the driver is over 75 years old (i.e. two-footed driving style), that it was unlikely that simultaneous application of both pedals was made;

      EDR-ignition (key on/off, or button pushes) can also show driver’s actions and intent (to kill the engine);

      Just as closed-loop combustion control grew into OBD2, and SRS gave rise to increasing amounts of EDR functionality, capability and capacity, the fact that all these data sources are, or are quickly becoming commonplace, and there are more complex systems on the horizon (EPS, Super-Imposed Angular Adjustment, XbW, etc.) it begs the question, if the automotive equivalent of an FDR is available at (essentially) no additional cost, then why not?

    • 0 avatar
      CamaroKid

      @Robert.Walter,

      It’s not a snark. It’s the truth… I thought this website is “truth about cars”.

      This is simple logic, simple physics and simple truth.
      No one is denying that cars are accelerating out of control and killing the occupants. And no one is denying that the brakes were applied (repetitively) to the point of loss of vacuum assist, heat saturation and total fade. And no-one is denying that the three second “hold to turn off” design of the push button ignition switch is not as safe as a key.

      All I’m asking is what data do you think you will find that would have everyone go “Ah Ha”?

      As was posted by others, The EDR records vehicle speed (which we know), Brake system pressure (which we know) ignition status (which we know), Engine speed (which we know), Vehicle deceleration (which we know), Air Bag deployment (which we know) etc etc etc.

      If you think that the EDR data is some kind of smoking gun, you are in for a disappointment. Remember the EDR records EXACTLY the same inputs that the ECM sees… It talks on the same Serial II Bus. The ECU was convinced that the pedal was calling for “more speed”.

      The EDR will show the exact same thing. And that would look the same as some kind of electrical glitch, or an entrapped mat, or someone pressing the wrong pedal, or a faulty pedal, or someone doing a 1/4 mile run.

      You would need WAY more information than the EDR records to figure out what is going on.

  • avatar
    mike_i_n_mich

    Here is one of many third party firms that will read an EDR after an accident if the right parties agree. The site has a wealth of information including a list of vehicles that have this capability.

    http://www.harristechnical.com/cdr.htm

    CamaroKid said: “The author and several others are missing the point of the EDR. It is a support tool to help the OEM and NHTSA determine what occurred with the AIR BAG system… To determine if that system is working properly and if that system failed… It is NOT a “Flight Data Recorder”… It is NOT a “black box” that records every aspect of every sensor on the car.”

    His statement is mostly wrong. The party line in the industry is as you state, a tool for airbag research. But the OEMs added signals to the data list when Electronic Throttle Control was introduced for the express purpose of heading off lawsuits. As I have said in earlier posts, in the cases where the driver stepped on the wrong pedal it has exonerated the automakers from countless lawsuits. In the case where the accel pedal is stuck open it implicates the auto maker.

    I suspect the reason for this difference between official position and real position has to do with charges of “big brotherism”. Even when NHTSA regulated EDRs they did not mandate their use; they just established a standard variable list “if you do use them”. Weird, but a continuation of the avoidance of the “big brother” tag by, uh hmm, big brother. They are letting the auto makers make the final decision and take any heat from the public.

    This possibility of a stuck open accelerator pedal was not believed to be a high probability by the auto makers; someone really had to work overtime to screw this simple function up.

    I suspect when Toyota saw the stuck pedal cases happening in their vehicle they decided they have nothing to lose by holding back the data. It will not generally exonerate Toyota in such cases. You will see if the brake was applied. But it will also verify that the pedal was depressed, intentionally or not.

    • 0 avatar
      CarPerson

      …it will also verify that the pedal was depressed, intentionally or not.

      I respectfully disagree.

      The current method of measuring the pedal position on a Toyota is measuring the signal being received at the engine control computer. Any engineer will have a real problem with that as it does not validate the signal from the pedal is appropriate to the actual pedal position. Indeed, some complaints are that the pedal is at idle yet the engine is racing at full throttle.

      The three missing pieces are:
      1. Was the command signal at the computer correct for the pedal position?
      2. Was the command due to a mechanical problem (floormat, “sticky pedal”, etc.) or was the operator firmly pressing it?
      3. Was the fuel injection actuator correct to the command or did it go full stroke for some unknown reason?

      These three can be easily resolved with the addition of a few more sensors and recording the signals. At present, however, Toyota’s measurement methodology appears to come up short.

      I would also argue the design is a little too “value engineered” for the job it does.

    • 0 avatar
      mike_i_n_mich

      Carperson said: “Any engineer will have a real problem with that as it does not validate the signal from the pedal is appropriate to the actual pedal position.”

      You cannot imagine the amount of verification that takes place for the pedal position and other electronic throttle control related parameters and functions. To start with there are at least two pedal sensors, of opposite polarity to make them robust to electromagnetic radiation. Some cars have three. There are then layers of software verification including a second, separate CPU to check the primary one. It goes on from there. Failure detection and mitigation comprises roughly 50% of the engine control logic.

      I am not familiar with claims of the engine revving while pedal is at idle. But these are two different things. The pedal simply inputs a command to the computer. The computer then commands an electronic throttle position to allow air into the engine. There are many steps in between. The old cable is gone. During cruise control the pedal is closed and the throttle is open, for instance.

      If this engine revving while pedal “at idle” did happen it would not shed any light into the validity of the pedal data going into the EDR. In fact, the EDR would record the event and be usable in litigation because the EDR also records the throttle position. And oh, there are at least two throttle position sensors, of opposite polarity, in every engine.

      As the conversation progresses to attacks on the validity of the logic in the electronic computer these layers of protection will be revealed. The whole system was designed with full knowledge that the trial lawyers would be seeking out the dumbest jury in the world and claim that the “computer stepped on the gas”. The fact that it has taken 10 years of production to get this far without this happening is testimony to the engineering. Only because someone screwed up and made a pedal stick did it finally blow open. The system does not protect against that particular failure mode.

      Thus the point of the original article. Toyota is probably holding their EDR data tight because it will hurt, not help their case.

    • 0 avatar
      CamaroKid

      @mike_i_n_mich

      You are correct about the EDR being used to differentiate between a stuck throttle body and someone pressing the wrong pedal… but you are leaving out a little bit of info there.

      You are leaving out that you need to read the OBDII system to see that the pedal is calling for idle and the TB is stuck open. This INSTANTLY generates an OBDII code that is stored in the ECM for posterity and for anyone to read with a scanner that you can buy for $150 at Pepboys.

      In the case of the runaway Toyota there have been no reports of ANY OBDII error codes being set. Even the one where the guy limped the car to the dealer slamming it repetitively into neutral and then drive was OBDII error free.

      It is something else.

    • 0 avatar
      mike_i_n_mich

      I’m lost…I do know this topic but there are too many tangents and hypotheticals.

      Camarokid said: “Even the one where the guy limped the car to the dealer slamming it repetitively into neutral and then drive was OBDII error free.”

      I’m not familiar with this case. Do you have a link?

    • 0 avatar
      Geeky1

      mike:
      There is an ABC article about the case CamaroKid is referring to here:
      http://abcnews.go.com/Blotter/RunawayToyotas/hyundai-dealer-runaway-toyota-owner-free-car/story?id=977702

      It doesn’t mention anything about error codes, but it does say that Toyota Corporate (apparently) told the dealership to replace the pedal and the throttle body assembly.

  • avatar
    mike_i_n_mich

    Read this for a complete history of EDRs.

    http://www.harristechnical.com/articles/mcraig2007.pdf

  • avatar
    CarPerson

    To start with there are at least two pedal sensors, of opposite polarity to make them robust to electromagnetic radiation.

    This has been reported as the BMW design, not Toyota’s.

    I agree this is still unfolding.

  • avatar
    ZoomZoom

    Question:

    Is it possible that Toyota is not forthcoming with the black box data because maybe that data would point to driver error in some of the cases?

    Either to avoid embarrassing or dishonoring (or the appearance of dishonoring) the memories of dead customers?

    I ask because I know that Honor is still a big deal in the East; sometimes it’s a bigger deal than Truth.

  • avatar
    mike_i_n_mich

    CarPerson:
    2 pedal sensors of opposite polarity and much of the rest of the electronic throttle system is pretty much common across auto makers. Again, since trial lawyers are the common enemy there is safety in numbers.

    CamaroKid said: “Even the one where the guy limped the car to the dealer slamming it repetitively into neutral and then drive was OBDII error free.”

    I found and reviewed the stories on ABC news.com. Every story can easily be explained by a stuck pedal sensor. The gentleman who drove to the dealer said this was not the case but I’m not convinced. First, it takes very small pedal rotation to call for a lot of torque. Second: he presented no evidence for his statement. If he had said that either he or the service tech reached down and tugged on the pedal and the engine did not slow down then I would have believed him.

    Here is where I am on this issue:

    Toyota pedals stick due to very poor design.

    Toyota first announced that the problems were due to carpet. I will not speculate as to their state of knowledge at this time.

    Soon after Toyota announced that it was due to the pedals and is doing an expensive recall to fix this problem.

    Toyota has an additional problem with their push button start systems in that it takes 3 seconds to turn off the engine. Thus one of the countermeasures for a stuck pedal is not user friendly.

    I’ve seen no evidence of computer problems. Note, for a stuck pedal the throttle could be very open and the engine revving but there is no failure sensed, no OBD-II code or otherwise. The computer cannot detect a stuck pedal; it looks the same as a driver depressed pedal.

    The EDR issue is a bit spurious. I don’t know why they limit access while other auto makers do not. But if access was granted it would likely show that during these sudden acceleration incidents the pedal is depressed AND the brake is depressed.

    • 0 avatar
      CarPerson

      Note, for a stuck pedal the throttle could be very open and the engine revving but there is no failure sensed, no OBD-II code or otherwise.

      By “stuck”, I presume you mean the pedal is, for example, half-way down and sending out a “half-way down” signal. In this situation, as there is no failure, no failure code would be recorded.

      However, if the pedal is, for example, in the idle position, and sending out a “half-way down” signal, a fault has occurred but in Toyota’s, the failure is not detected because their design cannot detect a faulty pedal signal (actual position vs. signal-implied position). In the absence of any indication of braking, we would label it a suicide.

      If there was an indication of heavy braking during full throttle, it’s either the operator pressing both pedals firmly or the throttle system is not properly responding to the operator’s intent (floormat interference, sticky pedal not returning to idle, pedal sensor malfunction, computer or injection actuator error, interconnection error, etc.).

      In all of this, I am presuming the Toyota design does not incorporate a second sensor in the pedal and no error-checking other than the signal is within the design range. As we learn more about the pedal sensor design and what the recorder records, this may be proven correct or may be proven wrong.

    • 0 avatar
      mike_i_n_mich

      As I suspected Toyota uses the industry standard practice of two electrically independent accelerator pedal position sensors. The link also shows the industry standard two air throttle sensors.

      From this link: http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

      Here is a snippet:

      “Accelerator Pedal Position Sensor Fail-safe
      The accelerator pedal position sensor is comprised of two sensor circuits. If a malfunction occurs in
      either one of the sensor circuits, the engine ECU detects the abnormal signal voltage difference
      between these two sensor circuits and switches to the ‘limp-home’ mode. The ‘limp-home’ mode
      operates by calculating the angle of the depressed accelerator pedal.”

      Although I don’t have a reference yet, it is likely they also use the industry standard practice of two brake sensors, usually a position switch and a brake pressure switch.

      CarPerson also suggests there is some information in the EDR after a crash and he is right. If the pedal is depressed and the brake is depressed it does give some indication to the customer’s state of mind. But some people drive this way all of the time:) Note that the brake pressure sensor is usually a switch, and does not differentiate between a light touch of the brake and a heavy pressure.

      The reason most auto makers use and like the EDR is because it will give a very clear indication of depressed accelerator and no brake, which has historically been the cause of many so called sudden accelerator crashes, where the customer insisted his foot was on the brake, but in fact was not.

    • 0 avatar
      CarPerson

      The link did not come through too well. Here it is again:

      http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

      If the Toyota Electronic Throttle Control System (ETCS-i) is implemented EXACTLY like the sketches, particularly figures 3, 4, and 5, it appears they already have quite a bit of instrumentation on board to check each piece in the system.

      I skimmed all the TTAC articles for the number of connectors at the pedal. I thought I had read 3 or 4. Figure 4 shows 6 wires. If 6 wires are indeed present in the CTS design, Toyota has more pedal and total throttle system data than they are letting on.

      Not shown is any capability for auditing fuel flow through the injectors. I would want to know if cosmic forces have sent them full stroke contrary to a proven idle command. With that final piece, the schema would appear to be quite acceptable.

      However, they still have to design the parts with quality and durability in mind and route the wires away from excessive heat, RFI, and sharp edges during installation.

      It is hard to believe Toyota would design an electrical throttle system as well as they apparently did then turn around and NOT record the information from each of these sensors.

  • avatar
    golden2husky

    While these EDRs serve a purpose, I have no interest in my property ratting me out to the police or the scoundrels in the insurance industry. My car, my recorder, my data. I am considering locating these boxes and making a “quick disconnect” so that I can take it out if I am ever in an accident. No way I am willing to let my car squeal. Where are the civil libertarians who should be outraged over this snooping…

    • 0 avatar
      CarPerson

      Driving your vehicle on your own farmland gives you a lot more “rights” than when driving it on public streets.

      Expect the NHTSA to become more actively involved in this including more monitoring of the vehicle systems and very stiff penalties if you tamper with the recording.

  • avatar
    Potemkin

    If, as you say, Toyota has the boxes involved in the fatalities in their hands the data they contain will never be made public. As we all know tech glitches or a ghost in the machine can corrupt data.

  • avatar
    mike_i_n_mich

    The data recorder is in the air bag control module. Disable at your own peril.

    Potemkin says: “As we all know tech glitches or a ghost in the machine can corrupt data.”

    I say that is pure speculation. Corrupt data would be very evident and in fact is caught by diagnostics. A good set of data is self evident. That is why this data is being accepted in trials even after all of the hypothetical objections have been raised and dealt with.

  • avatar
    Potemkin

    When your car starts accelerating without you doing anything your first thought is that the gas pedal is stuck when in fact that may not be the case. Is there any hard evidence, other than driver comment, that the pedal was actually depressed/trapped on the cars involved in accidents?

  • avatar
    Potemkin

    mike_i_n_mich. “tech glitches or a ghost in the machine can corrupt data”. This comment was meant tongue-in-cheek. What I was alluding to was data gets lost and damning data gets lost quicker when $billions are on the line. The NHTSA relies on Toyota engineers and equipment to read the boxes. If you were the engineer where would your loyalties lie? Also don’t forget the NHTSA and their chummy relationship with Toyota. Remember we have the best government money can buy.

  • avatar
    yankinwaoz

    I work as a software developer. This hubbub over the black box recorder has me baffled.

    When I write systems, one of the first things I do is install an event recording system (a virtual black box) that keeps a rolling log of critical events. Next, any component I write then throws information to the recorder when something important happens. The end result, I can go back and attempt to reconstruct the events that caused a problem.

    I can’t imagine that a car would be any different. Just like an airplane’s black box, it can keep a rolling log of critical metrics and events. I would think that this would be required.

    There is the big question of who owns this data, and what can be done with it. Some parties would want the data destroyed. Others want it to defend themselves or prosecute others.

    The solution to that is pretty simple and inexpensive… public-key encryption. Give a unique public key to each new car. Have the black box encrypt all messages received with that key before recording.

    Have a trusted 3rd party hold the private key. If the data stored on the black box needs to be read, then only this 3rd party can do so. They can do it in response to a court order, and keep a log of all parties who were granted access.

    This prevents a car maker from “losing”, or altering the data. It gives all parties the exact same set of data to interpret as they see fit. It prevents insurance companies and law enforcement from accessing the data without a court order.

    The 3rd party can’t use the private key they hold without having physical access to the recorder. Holders of the recorder can’t read the contents without the help of the 3rd party key holder.
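
The escrow scheme described in the comment above, sketched as an added example; it is not part of the original comment or any manufacturer's EDR code. Assumed here: hybrid RSA-OAEP plus AES-256-GCM encryption, the hypothetical names `Escrow`, `Seal` and `Open`, and constructed VIN, event and court-order values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what the recorder stores for one event: ciphertext only.
type Sealed struct{ WrappedKey, Nonce, Ciphertext []byte }
// Escrow is the trusted third party: one private key per car plus an access log.
type Escrow struct {
	keys      map[string]*rsa.PrivateKey
	AccessLog []string
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll creates a car's key pair; only the public half leaves the escrow.
func (e *Escrow) Enroll(vin string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if e.keys == nil {
		e.keys = map[string]*rsa.PrivateKey{}
	}
	e.keys[vin] = priv
	return &priv.PublicKey, nil
}

// Seal runs in the car, which holds no secret; key wrap and data are both bound to the VIN.
func Seal(pub *rsa.PublicKey, vin string, event []byte) (Sealed, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key, then a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Sealed{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(vin))
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{wrapped, nonce, gcm.Seal(nil, nonce, event, []byte(vin))}, nil
}

// Open decrypts only against a court order reference and logs every request either way.
func (e *Escrow) Open(vin, order, requester string, rec Sealed) ([]byte, error) {
	priv, ok := e.keys[vin]
	if order == "" || !ok {
		e.AccessLog = append(e.AccessLog, "DENIED "+requester+" vin="+vin)
		return nil, fmt.Errorf("no court order or unknown vehicle %q", vin)
	}
	e.AccessLog = append(e.AccessLog, "GRANTED "+requester+" vin="+vin+" order="+order)
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, []byte(vin))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := gcmFor(key)
	if err != nil || len(rec.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed record")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(vin)) // fails if any byte was altered
}

func main() { // all values below are constructed samples
	e, vin := &Escrow{}, "VIN-CONSTRUCTED-0001"
	pub, _ := e.Enroll(vin)
	rec, _ := Seal(pub, vin, []byte("t=-1.0s accel=42% brake=off"))
	pt, err := e.Open(vin, "ORDER-PLACEHOLDER", "court expert", rec)
	fmt.Printf("%s %v %q\n", pt, err, e.AccessLog)
}
```

Authenticated encryption makes a changed record fail to open, but anyone who holds the public key can seal new records, so proving that a record came from the car would need a separate signing key inside the recorder.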

  • avatar
    GS650G

    Ford took a beating on the Pinto. Never mind the fact it took another vehicle crashing into the car to cause the tank to rupture, they were sued and derided for it. It took a specific action to cause.

    Not only is there some question about what may (or may not) be causing this problem the best we get out of the world’s foremost maker of cars is pretty much no comment. Sorry, that’s not good enough.

    Proprietary my ass. Tell me someone couldn’t extract data from that box. We have people that hack computers day and night. This looks more like the legal department is covering some backsides. Why would they go to the trouble to engineer and install a EDR they could not read accurately?

    The sushi is not looking too fresh on this.

  • avatar
    joeaverage

    Through this whole Toyota debacle I keep shouting “PUT IT IN NEUTRAL PEOPLE!”

    NONE of these accidents would happen if people had clutches b/c you’d intuitively know how to disconnect the engine from the transmission – your left foot (in North America anyhow).

    None of the news outlets seem to mention putting it into neutral. Who cares if the engine grenades? You’re safe. Your family is safe.

    I don’t want a black box in my car capable of telling too much on me.

  • avatar
    BTEFan

    It is very sad what happened to Mark Saylor and his family.

    But, at risk of blaming the victim, there is one thing is bothering me:

    As a California Highway Patrol Officer, isn’t it odd that he did not know that putting the car in neutral was an option for slowing the vehicle down?
    As a CHP officer, is it safe to assume he would have been experienced in operating a vehicle at a high rate of speed, and, if anyone would be qualified to bring an out of control vehicle to a safe stop, it would be a Highway Patrol Officer?
    This might be something the older folk might not figure out, but a professional driver such as Saylor should have been able to bring the car to a halt by putting it in neutral and letting the engine race.
    Maybe automatic transmissions should be banned and folks that use cars as appliances would be forced to participate in the driving experience more.
    Regarding Automotive Blackboxes – if they were to be implemented, the same media that is lambasting Toyota will be crying foul at that idea as ‘Big Brother’ interfering in personal freedom and right to privacy. What do we want folks – safety from Big Brother or personal freedom protected?

    • 0 avatar
      geozinger

      I can’t speak for the CHP officer, but as someone who has had an accelerator ‘stick’ (not in a Toyota), the panic that occurs when you can’t figure why the car won’t stop as you speed towards the armco barrier is a lifelong memory. I’d like to think I was a good driver and had my wits about me when it happened, but luckily for me there was no one else near me and with much effort, I was able to stop the car before any property damage happened.

      According to reports, the CHP officer was renting the car in question and even though he may have had training in emergency maneuvers, an unexpected action in an unfamiliar car could equal unwanted results. There have been other reports that people experiencing the unintended acceleration HAD tried to put the car in neutral and the transmission did not respond. Until this situation is resolved, it would be wise to investigate all possibilities.

      Additionally, my service brakes have failed (due to a ruptured line) and I have an idea of what to do NOW, after it happened to me. But when I was going through the incident, it was all I could do to stay calm and find a way to stop the car without hurting anybody.

      Until it happens to you, it’s very easy to say that you will do ‘this and that’ and be condescending about the whole situation. It’s a whole different ballgame when it’s you behind the wheel of a car you can’t control suddenly.

  • avatar
    mike_i_n_mich

    Excuse me, I was wrong in one of the above posts regarding Toyota’s pedal sensor design.

    Dr. Gilbert suggested Toyota pedal sensor design was different than rest of industry. A review of the diagram here in figure 4:

    http://www.timloto.org/download/pdf_lesbrieven/deltapress/motormanagement/taskETCSToyota.pdf

    confirms this. Systems I am familiar with have opposite polarity on the two sensors. That is, one sensor reads 5 volts at full depression of the pedal; the other reads zero. This eliminates a whole host of potential (no pun intended) issues including certain shorts and open circuits.

    Toyota, on the other hand, has the same sign on both sensors. Both read high voltage at full pedal depression. This allowed Dr. Gilbert’s experiment to produce a sudden acceleration.

    It remains to be proven that Dr. Gilbert’s experiment represents anything that can really happen. If you short two chosen wires simultaneously I bet you can get anything to fail including airplanes, elevators, furnaces and so on. But the Toyota design is much less robust than at least some of the competition.

  • avatar
    Robert.Walter

    **(Re-)Flash** From the Lentz testimony:
    - Re. pedal recall, technician measures wear inside pedal and installs one of 7-different-sized precision-cut shims based on measurement;
    - The mat-fix and the pedal-fix will not solve all problems;
    - Re. responding to customer complaints: We were much too slow. I’m embarrassed about the way Toyota responded to the Smith’s issue;
    - Exponent was given an unlimited budget by Toyota to study the SUA issue. Exponent’s full report will be made available to the public;
    - We will add 3 new engineering centers, and ~80 engineers, goal being 24-hour on-site response;
    - Not all Toyotas have EDR installed;
    - Only one proto EDR reader today;
    - 100 EDR readers to be made available in USA by April;
    - I don’t know how accurate the proto tool is;
    - I’m responsible for marketing and sales, but not for manufacturing and/or quality and safety.

    Two big questions:
    1. If there are 7 different size shims, this means a degree of precision is necessary (use size 5 not 6) to correctly complete the repair. This repair has potential flaws: a) technician accuracy, b) “gage R & R”, c) confusion of shim sizes during mfg, logistic, or repair process;
    2. How can the prototype of a tool which is going to be available in-market in April be currently described as anything other than 100% accurate?

    • 0 avatar
      Robert.Walter

      In later testimony, Lentz contradicted himself by claiming that the “prototype” EDR-reader is in Japan, and that EDR’s would have to be sent back to Japan for reading … very curious.

  • avatar
    Robert.Walter

    Re. the “Dr.” preceding Gilbert…

    I went to the USI-C website and looked at the faculty list (I think C-SPAN did this as well, and identified him as a Psychology Professor … but this was a different Gilbert on faculty)

    Then I went to Gilbert’s faculty web-page. It lists him as having, as his highest-level degree, an M.S. … far as I can see, he has no PhD.

  • avatar
    ponchoman49

    My BS detector is blaring off the charts at this flim flam nonsense. So they are saying that yeah we have a black box in our vehicles but no we never can seem to obtain any data from them and we are the only ones able to decode this data. Hogwash. The Koolaid Toyota has been feeding the American public and blinding it to reality will soon wear off and people will see them for exactly the frauds they are.

  • avatar
    logandiagnostic

    It should be noted..

    The picture at the start of this article is actually a GM air bag SDM module.

    I took this picture in 2004. It is the GM air bag SDM from my 2001 Cadillac DTS.

    This picture has been used by USAToday, NYTimes etc.

    So current GM vehicles can have 30-40 pages of good, reliable crash data, but Toyotas offer only a few MS of scrambled data?

    Only 1 prototype Toyota tool available?

    More info can be seen here:

    http://www.airbagcrash.com

  • avatar
    AccAzda

    Not being an engineer, but deeply understanding the basic concepts of what has been mentioned in here.. is pretty damn interesting.

    Also, watching C-span 3 (http://www.c-span.org/Watch/C-SPAN3.aspx) the Toyota grilling session.. truly doesn’t make much sense in why these boxes aren’t designed in a way that can be easily accessible.

    In-addition,
    It has occurred to me that while Toyota is inherently “sorry” for the damage they’ve done, I don’t see them being forth-right in how the machine was designed to be used or the properties in which data can be recovered.

    Then again on this second day of the grilling…
    It appears that Toyota of USA isn’t communicating with Toyota of Japan, or is that the feeling they want us to believe.

    But the most interesting part..
    And this is another reason why I do enjoy this site..
    The inane debates about articles and or concepts that are never mentioned on mainstream media.

  • avatar
    infoforensics

    A possible non-mechanical reason low incidence lays with electronic control system design. Aside from the undiscovered programming errors, aka bugs, computer systems are susceptible to errors in various memories.

    Even electronic computer memories are not perfect nor retain original quality and they do not benefit from error-correcting codes essential to modern disk drives. In fact, when computer systems require utmost reliability in unforgiving environments, e.g. aerospace or airplane manufacturers, the designers acknowledge and plan for degrading of electronic memory accuracy over time.

    Potentially, some of the Toyota electronic controls were designed under the assumption that memories will not degrade and, thereby, the internal system checks on start-up do not validate that allocated memory space performs accurate writes/reads. When failures in single bits occur, albeit infrequently, and interfere with accurate readbacks of critical information, a system that depends on that information could exhibit unexpected behaviors.

  • avatar
    RogerB34

    CarChip E/X will record speed, acceleration, braking, time, date, speed, distance. For monitoring vehicle use. Also can record 4 of 23 engine parameters. I use for recording long term fuel trim and oxygen sensor voltage. Doesn’t work for the Honda air fuel ratio sensor however.

  • avatar
    pamarti

    Hi ! Someone could be kind enough to tell me if my ’09 Vibes share his EDR box with the Matrix , or if it’s an GM’s specs EDR inside my Pontiac ? Just hope I get the Toyota one… don’t like the idea to get a stool box inside a thing ( my car ) I paid the big price for .

  • avatar
    christo12

    The answer is simple:
    If a device can digitally record information that can determine liability in an accident,
    What will prevent hacking into the data recorder and manipulate the data in order to blame the manufacturer? Is there technology that is hacker proof? Hacker proof data in an open platform system? We are not there yet.

  • avatar

    For near a decade Toyota has said these are prototypes, the data can’t be relied upon, and has questioned their accuracy every step of the way. Sometimes data is missing, sometimes it’s garbled, and Toyota will only release what Toyota wants to release, sometimes sending redacted information out.

    Meanwhile, in the real world, Honda, Nissan, GM, Ford, and Chrysler EDRs have been used just like a flight-data-recorder in an aircraft to computer recreate accidents, determine guilt and innocence, and just about any slob with a computer, or who asks nice, can get the data. Reams and reams of the data.

    Now, all of a sudden, in two high profile incidents they are as reliable as the Rock of Gibraltar – full data. Amazing how that happened.

    Further, Toyota quietly back pedaled on the Sikes’ Prius incident, saying that the EDR actually doesn’t show that Sikes was going brake/gas, brake/gas, brake/gas, but that the throttle was open the whole time, continuously, but gee, amazing, they knew on the 2005 Harrison, New York Prius the throttle was wide open, but they couldn’t determine that on the Sikes Prius. Ain’t that SOMETHING!!!

    I know one thing Toyota is guilty of, failing PR101 miserably. Right or wrong, epic fail. I find it very hard to believe that Toyota can’t figure out data logging, on WOT and full-brake fail-safes, or how to even design a floor mat or gas pedal when the dumb asses in Detroit have these issues pretty much figured out.

  • avatar
    PeteMoran

    As Segfault and Camarokid alluded to the data is pointless and I do believe there is no legal requirement for any passenger car to carry an EDR in any country.

    So, the question becomes, and the scandal should be;

    Brake application and Accelerator application should be handled with an engine fuel-cut. Why Toyota, why?

    Everything else is noise.

