By on March 7, 2010

This is left brain – right brain weekend. While the more image driven can submerge themselves in pictures of old car ads, the other faction can unleash their inner nerd with abandon. Yesterday, we covered how ABC had entered the grail of automotive disaster-fakery, previously populated by NBC and CBS. ABC’s smoking gun video had been torn to shreds.

Today, we turn our attention to the man who aided and abetted the tricksters: Associate professor David Gilbert of the renowned Southern Illinois University. His work has been inspected by Exponent, a research company hired by Toyota. Hired by Toyota? Well, that should discredit Exponent immediately. Not so fast.

Crash Sled thankfully has found a full copy of Exponent’s retort to Gilbert’s machinations. The report is hosted on the ABC website, so we can assume it passed ABC’s scrutiny, for what that may be worth. Let’s look at the report a little closer.

Warning: This discussion needs a basic understanding of electric circuitry. If that’s not your thing, then don’t waste your time reading further. We’ll leave you to Sunday’s pictures with the message that Gilbert is a charlatan extraordinaire, and that whoever put him on the stand to make a case against Toyota needs to have his or her head examined. However, should you own a 2010 Toyota Avalon, then you have slight cause for concern.

Quick review of the theory: You may remember the discussion that ensued after Ed Niedermeyer first presented Gilbert’s work a little more than a week ago. Gilbert had introduced what he called “a short” to the throttle-by-wire circuitry of a Toyota, and the car took off. A lot of word-parsing ensued about what constitutes a short and what does not. Never mind. Now we know what Gilbert had done.

Follow me please to the picture on top. Ignore the red and green parts for a moment; we will get to them in a minute. You see the basic circuitry of a Toyota Electronic Throttle Control System (ETCS). It consists of two separate Hall sensors (housed in the “Accelerator Position Sensor”). The Hall sensors talk to the Engine Control Module (ECM). The throttle position is sent twice to the ECM, via the VPA wire and via the VPA2 wire.

The voltages on VPA and VPA2 are offset; the theory behind this becomes clear when examining the “ETCS Theory” picture on the left. This picture has been lifted from educational material, thanks to ControlsGuy.

Now what did Gilbert do? According to the Exponent document, he did what anybody would do who knows a little bit about resistors, and who has the educational material made available by ControlsGuy. Actually, just from looking at the data, I had recommended exactly the same procedure 10 days ago.

Follow the red circuit. Gilbert connected the VPA output of the primary Hall sensor to the VPA2 output of the secondary Hall sensor. He did not “short” it (this would have caused an immediate fault); he connected it through a carefully selected 200 ohm resistor. Anything below 50 ohms and anything higher than 250 ohms would have triggered a fault. According to Exponent, “adding the resistance did not noticeably change the operation of the engine.” This does not come as a surprise to someone who knows his V = I * R. To get the engine going, Gilbert had to do something else.

Follow the green part of the circuit. Gilbert connected VPA2 to what Exponent calls “one of the 5-volt power supply wires from the accelerator pedal,” and the car took off without setting a fault. Why? Because the engine computer saw the voltages on VPA and VPA2 rise in unison. Balanced by the carefully chosen resistor, the voltages on both lines rose within the offset limits. The ECM had no reason to get alarmed, or set a fault code. It told the throttle to open wide. Gilbert carefully engineered the setup so that the ECM saw what it wanted to see. The ECM can read and compare voltages. It cannot read a wicked mind.

By the way, Gilbert and Exponent say that this circuit trickery only works if the VPA2 side is connected to +5V. Connecting VPA to +5V would trigger a fault. Students of the ETCS Theory diagram immediately see why: VPA would go to 5V, would rise above VPA2, the ECM would decide that things are solidly out of whack and would immediately surrender into limp mode.

For the Intended Gilbert Acceleration to occur in the wild, several things would have to happen in an exact sequence: First, the insulation for both VPA and VPA2 would have to break down. Then, a connection between VPA and VPA2 would have to be established. Into this connection, a resistance of no less than 50 ohms and no higher than 250 ohms would have to be connected. Once, and only once, this connection between VPA and VPA2 has been established through the proper resistor, VPA2 (and not VPA) would have to be connected to +5V. Then, the car would take off.

Says Exponent: “For such an event to happen in the real world requires a sequence of faults that is extraordinarily unlikely.” What is more, the unlikely sequence would have left “a fingerprint,” as Exponent calls it: broken or scorched insulation, stains, if not the “short” itself. Nothing of that kind has been recorded.

One minor problem remains. That problem has not been raised by Gilbert (shame on you), nor by Exponent (well, they are paid by Toyota): Connecting VPA2 to +5V should be recognized as a short to power, and the system should go into limp mode. We don’t know whether the Avalon would go into limp mode with the 200 ohm resistor removed and VPA2 connected to +5V. Let’s assume it would. Nonetheless, a basic failsafe step is missing in the Avalon. And the Avalon is pretty much alone with this problem, as we shall soon see.

Exponent went on to test the same setup with six other cars: A 2007 Toyota Camry, a 2009 Mercedes E350, a 2003 BMW 325i, a 2008 Honda Accord, a 2006 Subaru Impreza Outback, and a 2005 Chrysler Crossfire. Interestingly, the Gilbert rigging produced the same results in all cars. Same results. But not quite the same rigging.

When the 2007 Toyota Camry was tested, again nothing happened when VPA was connected with VPA2 through a 200 ohm resistor. However, when VPA2 was connected to +5V, the ECM registered a fault, set an error code and put the Camry into limp mode. The older Camry computer recognized the short to power. Exponent had to do what I thought necessary 10 days ago.

Please proceed to the next drawing. Follow the green circuit. Exponent added a 100 ohm resistor (Resistor 2) into the line to +5V. Resistor 2 dropped the supply voltage to a level that would not look like a short. The engine started to rev. Again, that was expected. The 200 ohm Resistor 1 maintained the offset between VPA and VPA2. The 100 ohm Resistor 2 kept the signal voltage from looking unhealthy. Varying Resistor 2 between 200 ohms and 15 ohms changed engine speed: A low cost aftermarket cruise control (don’t try this at home).

Testing the other cars provided the same results. The Honda Accord needed a 300 ohm resistor between the two redundant pedal sensors. The Subaru wanted a 100 ohm resistor. The others were happy with the 200 ohms. All cars needed a resistor in the line to +5V, just like the Camry. None of them set an error code. Smoking gun? More like smoke and mirrors.
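The fault logic discussed above, as an added example that is not taken from Exponent's report, Gilbert's work or any manufacturer's ECM: a toy model of the plausibility checks an ECM might run on the two pedal channels, evaluated over constructed readings. Every voltage, threshold and name in it is an assumption chosen for illustration, and the brake cross-check is a mitigation added here, not something the report tested.

```python
"""Toy model of plausibility checks on two redundant pedal channels."""
from dataclasses import dataclass

# All constants are assumptions for illustration, not real calibration data.
NOMINAL_OFFSET_V = 0.8   # assumed: VPA2 normally sits this far above VPA
OFFSET_TOL_V = 0.3       # assumed tolerance on that offset
RAIL_FAULT_V = 4.8       # assumed: at/above this a channel looks shorted to +5V
GROUND_FAULT_V = 0.2     # assumed: at/below this a channel looks shorted to ground
HIGH_DEMAND_V = 2.5      # assumed: VPA above this is a large throttle request


@dataclass(frozen=True)
class Sample:
    """One reading as the ECM sees it at its input pins."""
    vpa: float
    vpa2: float
    brake: bool = False


def offset_fault(s: Sample) -> bool:
    # Compares the two channels only with each other, so any disturbance
    # that lifts both by the same amount is invisible to this check.
    return abs((s.vpa2 - s.vpa) - NOMINAL_OFFSET_V) > OFFSET_TOL_V


def range_fault(s: Sample) -> bool:
    # Absolute limits per channel: catches a line sitting on the supply
    # rail or on ground even when the offset still looks healthy.
    return any(not (GROUND_FAULT_V < v < RAIL_FAULT_V) for v in (s.vpa, s.vpa2))


def brake_conflict(s: Sample) -> bool:
    # Cross-check against a signal that does not share the pedal wiring.
    return s.brake and s.vpa > HIGH_DEMAND_V


CHECKS = {"offset": offset_fault, "range": range_fault,
          "brake_conflict": brake_conflict}

# Hypothetical ECM configurations, from weakest to strongest.
PROFILES = {
    "offset_only": ("offset",),
    "offset_and_range": ("offset", "range"),
    "layered": ("offset", "range", "brake_conflict"),
}

# Constructed readings, not measurements.
SCENARIOS = {
    "normal_half_pedal": Sample(2.0, 2.8),
    "vpa_at_rail": Sample(5.0, 2.8),                # VPA alone tied to +5V
    "both_lifted_vpa2_at_rail": Sample(4.2, 5.0),   # channels rise in unison
    "both_lifted_below_rail": Sample(3.7, 4.5),     # same, held under the rail
    "both_lifted_below_rail_braking": Sample(3.7, 4.5, brake=True),
}


def evaluate(sample: Sample, profile: str) -> tuple:
    """Return the names of the checks that raise a fault, in profile order."""
    return tuple(name for name in PROFILES[profile] if CHECKS[name](sample))


def fault_matrix() -> dict:
    """Faults raised for every scenario under every profile."""
    return {
        scenario: {p: evaluate(sample, p) for p in PROFILES}
        for scenario, sample in SCENARIOS.items()
    }


if __name__ == "__main__":
    for scenario, by_profile in fault_matrix().items():
        print(scenario)
        for profile, faults in by_profile.items():
            print(f"  {profile:17s} {', '.join(faults) or 'no fault'}")
```

Readings that rise together and stay under the rail threshold pass both voltage checks, because at the input pins they are indistinguishable from a real pedal press; only the check that draws on an independent signal flags them.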

If you remember the discussion 10 days ago, the “inverted” setting of the redundant sensors in non-Toyotas drew quite some attention. Exponent notes that “for the Subaru, the two accelerator pedal position sensors produce parallel and nearly identical output voltages. For the other vehicles, the line slopes for sensor 1 and sensor 2 are different and not parallel to each other.” Surprisingly, this did not harden their circuitry against Gilbert-like shenanigans.

Says Exponent: “Dr. Gilbert opined in his report that several vehicle manufacturers currently use this fault detection strategy and that a short between the two pedal sensor outputs would be detected by the ECM. However, tests with pedal position sensors from five other manufacturers using his strategy demonstrate that the electrical wiring to the pedal can also be manipulated to create an apparent ‘sudden’ onset of acceleration and engine revving.” (Exponent does not say what happens when you vary the resistance to +5V and hence the input voltage, like they did with the Camry.)

There is much more in the report, such as a study of connectors and a look into the likelihood of wiring insulation, ECM and pedal failures. There is even a quote from NASA’s Fault Tree Construction Ground Rules that recommends ignoring shorts to ground and power: “Do not model wiring faults between components. Generally, wiring faults, such as shorts to ground and shorts to power, have very low probabilities compared to probabilities of major components failing.” What’s good enough for the space shuttle is not necessarily good enough for your car. In any case, study of this material is left as an exercise to the student.

Class and Professor dismissed.

61 Comments on “Gilbert’s Toyota Shenanigans Explained...”


  • avatar

    As soon as Gilbert showed up in the company of Kane, a former associate of Clarence Ditlow (ergo he has ties to Nader and Claybrook) working for ambulance chasers, I knew this was not the most reliable of research.

    Gilbert has never postulated exactly how the electrical faults can happen in real life. He’s never shown a real world case where such faults have occurred. He just figured out a way to fake out the ECU.

    The fact that Kane and ABC News hyped Gilbert as a “professor” when he’s a glorified auto shop teacher made me even more skeptical.

  • avatar
    SkiD666

    A few things.

    1. Not surprised that someone with a little bit of knowledge can figure out a way to defeat programming/sensors in a vehicle, regardless if it could happen in real life and MSM would jump at it in a quest for ratings.

    2. Whether or not Gilbert’s test could happen in the real world, it still suggests that Toyota’s (and other manufacturers) engineers still might have a ‘ghost in their machine’ that causes SUA (in very rare circumstances) and they should all have had a ‘brake override’ system in place to take care of possible programming issues when replacing mechanical devices with electrical ones.

    3. Didn’t Gilbert say that the GM vehicles tested didn’t fail his ‘test’ and Exponent didn’t test any GM vehicles. So do we know if the GM pedal design is actually more ‘robust’ than Toyota’s?
    (ie. is this why Toyota and Ford seem to be having issues and GM isn’t based on the NHTSA stats?)

  • avatar
    ClutchCarGo

    My brain hurts.

  • avatar
    Robert.Walter

    Thanks for the tutorial Bertel, very educational and enlightening. In addition to the technical discussion, I enjoyed hearing the voice of a good trial atty rebutting his opponent.

    Question: Any reason that the feed voltage has to be +5V to both sides? Given the different approaches used for output voltage, by the various OEMs, i.e. parallel v. offset, or v. inverted, I’m wondering why the input voltages are not similarly modified to further distinguish the primary and secondary circuits.

    I was never a great fan of the idea of damaged wiring as a root cause here and your explanation well illustrates why.

    I’m glad that this mystery has apparently been cleared, so attention can be focussed on other potential root causes.

    • 0 avatar

      Question: Any reason that the feed voltage has to be +5V to both sides?

      Not necessarily. Popular Mechanics says the input voltage is calibrated during the power-up-self-test, (hence the wide range of permissible voltages…) but I don’t know that’s true. You’d have to put a meter on the circuit.

  • avatar
    Dynamic88

    Wow, where was “Professor” Gilbert when I was 16? I couldn’t explain whose car I was driving, or how that 18″ piece of wire got connected across the ignition switch.

  • avatar
    VLAD

    Very good explanation.

    The utter ignorance and lack of critical thinking ability by a large segment of the US population and politicians in general, added to the addiction to getting something for nothing, is what allows these non events to develop into a nationwide dog and pony show.

  • avatar
    Eric_Stepans

    Question: Any reason that the feed voltage has to be +5V to both sides?

    There is no fundamental reason that any other voltage could not be chosen.

    5 Volts is an industry standard. By following that standard, engineers can hook all of the engine control sensors to a common power wire, which is cheaper than having separate voltages/power wires to each sensor.

    Imagine if your radio worked on 12 V, your engine computer on 22 V, your heater motor on 31 V, etc. You’d need a separate battery for each system.

  • avatar
    Joel

    Great stuff! Thank you for explaining this in the terms that are required to really understand how out there this “experiment” is. One question, how is Gilbert able to gain so much traction with this report, when he had to modify the car in such an unrealistic way? I mean I could over inflate my tires to 50-60 psi and drive down the freeway until they burst, and then claim that the tires are faulty. Even after this explanation, I fail to see how Gilbert actually sheds any light on this issue as a whole. Or maybe that’s the point, that he’s a quack. If that’s the case, I’ve got a bridge to sell you….

  • avatar
    wmba

    “His work has been inspected by Exponent, a research company hired by Toyota. Hired by Toyota? Well, that should discredit Exponent immediately. Not so fast.”

    Well, Exponent are a professional engineering company, registered in California, whose engineers are subject to state registration and have further restrictions put on them by the California State Professional Engineers. Same here in Nova Scotia, and every state and province in the US and Canada.

    Since few engineers want their license revoked, it pays to point out to potential and existing customers that shading findings to their liking is not a way to keep an engineering company in business.

    Several engineers round here have found out that our licensing board have a zero tolerance policy towards poor or inappropriate work. For that matter, civil engineers cannot do electrical engineers work, and stamp drawings as ready for construction. This is to protect the public from such scenarios as microchip engineers certifying the design of a suspension bridge. Technicians or electricians doing design work that is the purview of engineers in the eye of the law, and certifying the results for construction without an engineer’s stamp for assumed responsibility, have been successfully sued too.

    I read the Exponent report yesterday, after going to ABC News a second time, to see they have added a mea culpa since the first early video. Probably pointed out to them that Exponent would not tolerate such BS, which is why the link to their report is on ABC’s site.

    Exponent is also properly certified to ISO9001, a real QA system, and post the registration certificate on their site. So as an engineer, I resent the implication that Exponent is “on” Toyota’s payroll from the results point-of-view. Just ain’t going to happen if Exponent or their employees want to stay in business. These aren’t Toyota employee engineers who can be cowed by internal managerial clowns.

    There is about zero likelihood that Exponent made up their data to help Toyota. I suggest people go to Exponent.com and see that these people are the antithesis of fly-by-nighters.

    The report is easy to follow, and shows how dumb Gilbert is. My interest was piqued by the dissection of Subaru’s system, which employs a similar parallel slope sensor output voltage strategy to Toyota.

    Yet except for 2002, when Subaru had a problem with the cruise control cables interfering with the throttle, that is prior to electronic throttles, Subaru does not even merit the 117th place in Paul’s data dives. Subaru is nowhere to be found on the list.

    This means to me as an engineer that the parallel slope strategy is fine – it’s what you do with the data that matters. Subaru’s implementation is superior to Toyota’s, that’s all. Maybe Toyota should just copy Subaru’s approach, because they own 17% of the company anyway. And get that damn FT86 out to the public ASAP won’t you Toyota?

    • 0 avatar
      crash sled

      “Since few engineers want their license revoked, it pays to point out to potential and existing customers that shading findings to their liking is not a way to keep an engineering company in business.

      Several engineers round here have found out that our licensing board have a zero tolerance policy towards poor or inappropriate work.”

      .
      .

      Excellent point, wmba.

      I have great respect for automotive engineers and automotive engineering, but they operate in a far different world than you and I, or Exponent. Our names are on our work. We are not squirreled away deep down in the bowels of some OEM’s left-knuckle-arm-chassis organization, hidden from accountability. Our sealed drawings and reports follow us around forever. If we fail, bad enough, we are accountable, personally, and our peers will have no problem holding us accountable, and likewise we will have no qualms about sticking a shiv into any fool’s back who fails unacceptably and foolishly. This is the burden of accountability.

      Several are the greasy lawyers who’ve attempted to get me to do what Gilbert has done here… misrepresent the facts, posture himself as possessing technical and specific knowledge that he clearly does not possess, and give public testimony in a manner flagrant and flaunting of the public trust that all engineers are assigned.

      He is not an engineer, and he has no credentials in that regard, and fluffy brained academics can get away with whatever nonsense they want, with no consequence. He will get away with this recklessness, no doubt.

      Make no mistake, Exponent cannot do this, nor should anybody who bears the title “engineer”, licensed or not.

    • 0 avatar
      psarhjinian

      I read the Exponent report yesterday, after going to ABC News a second time, to see they have added a mea culpa since the first early video.

      I haven’t checked, but how up-front are they with their mea culpa? Did they splash it all over their page and/or run it first off on their news program in the same timeslot as the initial exposé?

      Or did they do what most media machines do, and issue retractions in six point type on their web site on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’?

  • avatar

    His buddy Kane is pretty good at faking it as well – just posted on my YouTube channel evidence that Kane submitted false complaints to Congress on his fictional work “Toyota Sudden Unintended Acceleration.” I can’t believe CNN, Fox and all the rest will chase this electronic bigfoot to the ends of the earth but don’t bother to look closely at the evidence that is in front of them. Isn’t lying to Congress breaking the law in your country?

  • avatar

    “a sequence of faults that is extraordinarily unlikely”

    Unlikely, but not impossible. And that’s the whole point. We all know that these unintended accelerations are very rare. They should be impossible.

    On a positive note, it’s good to see that Toyota uses an offset voltage between VPA and VPA2, so that a straightforward short (with close to 0 ohm) would be detected by the controller.
    Still, it’s a pretty simple setup relying on analog voltages, that are inherently error prone.

    • 0 avatar

      Unlikely, but not impossible – are you leaving room for the unlikely that is impossible? – Unintended Acceleration complaints are the furthest thing from rare, they are as common as hell. What is rare is proof of it. We know that it is exceedingly rare that there are humans that have two heads, one or two cases in 6 billion – but we have no problem whatsoever at filming them for hours. All I want is one small piece of physical evidence – just one – not more theories -

    • 0 avatar

      Well, I agree with that. They need to find a real car that demonstrates the problem, for sure…

    • 0 avatar
      Brian P

      Well, as an engineer myself, involved with safety systems and circuits (albeit in automation and robotics), I can say that when Exponent says that something is “extraordinarily unlikely”, that is as close as a professional engineer who values his license will go to saying that it’s impossible. You can never, EVER, completely and absolutely eliminate ALL possibility of something going wrong. Can’t be done. There will always be a way of simulating the response of the correct switch or sensor using some other means, in a way that the underlying control system can’t tell what has happened. Always.

      I am not alone in making this statement, either. I do know that in the latest version of the CSA (Canadian Standards Association) standard that is supposed to be followed when designing automation equipment, the words “fail-safe” (which appeared in the prior standard) have been removed and other terminology that more accurately defines the level of expectation has been substituted – presumably because it has been recognized that nothing is ever completely and absolutely “fail-safe”. You can make the possibility of a failure exceedingly remote … but not impossible.

    • 0 avatar
      psarhjinian

      “Unlikely” means “functionally impossible” in this case.

      Science and engineering use different verbiage than law and PR, which is why you’ll rarely hear an engineer give absolute assurance one way or the other because there’s always an infinitesimal chance of the untoward occurring. Hell, if you take certain aspects of quantum mechanics into play, there’s always a chance of anything happening.

      It’s also the reason why, say, the anti-Global Climate Change public relations machine makes absolute mincemeat of scientists: scientists will say they’re not 100% sure, which the more adroit skeptics will proxy into “Well, if you’re not sure, why should we believe anything you have to say?”. One side is talking about mathematics, the other is talking about law and perception. The two sides are using the same words but with very different meaning.

      Language is important, and it’s unfortunate that, despite how two sides speak what appears to be English, they mean very different things.

  • avatar
    pleiter

    OK that’s 4 failures, one of which has to be a “smart” failure (the ohms one). To design shuttle payloads, you only have to be 2 fault tolerant. Probability-wise, there was more chance of the Sun going supernova while you read that article than of these 4 failures happening instantaneously and simultaneously.

    • 0 avatar

      I’d agree 100%

      We need some physical evidence or some science demonstration to prove brake pedal misapplication

    • 0 avatar
      crash sled

      “Probability-wise, there was more chance of the Sun going supernova while you read that article than of these 4 failures happening instantaneously and simultaneously.”

      .
      .

      Wait… did you just say THE SUN WAS GOING SUPERNOVA?!!

      Somebody better call ABC.

  • avatar
    Telegraph Road

    Fortune just released its annual list of Most Admired Corporations. While Toyota’s rank in the top 10 may surprise some, more mind-blowing is Disney (owner of ABC News) at #1 in the Quality category.

    • 0 avatar
      Robert.Walter

      Many ways to define quality. In general it only means did the result meet the expectation. In the case of ABC News’ reporting, accuracy or veracity may not have been one of the corporate expectations.

  • avatar
    Juniper

    My question is: Did Toyota hire Exponent just to discredit Gilbert? Or to look at the whole UA issue and determine if there really was a likely way this could happen. If the former Toyota’s head is still in the sand. If the latter they are really trying to resolve the issue.

  • avatar
    CatFan78

    Gilbert is being paid by plaintiffs’ attorneys so easy to understand his motives. ABC edited their infamous video showing the RPMs going out of control. In the end, this will be like what 60 Minutes did to Audi and Dateline did to GM. Fakery.

    Now if Toyota can explain this in simple human terms, they may be able to turn the tide. (where is Ross Perot and his charts when you need them)

  • avatar
    Mark out West

    Toyota should just design one sensor to go from low-to-high, and the other one from high-to-low. Solves the common-mode problem.

    I like my BMW system’s pedal sensor. Essentially a dual-redundant RVDT, it uses an AC signal modulated by a rotating cam. No AC, fault. And again, one signal goes high while the other goes low.

  • avatar
    crash sled

    Dang, Bertel, I don’t know nothin’ ’bout any of this tricky wire stuff, but this looks like some major pwn3age to me. ;-)

    .
    .

    I do have one electrical problem though, Bertel, maybe you can help me with it. I have this one floor lamp at home. When I try to plug it into the wall socket, 1/2 the time it plugs right in, and the other 1/2 it refuses to go. It’s uncanny… literally 50% success rate. I’ve trialed it over and over and nope, it will only go 1/2 the time.

    Should I just use a hammer the other 1/2 of the time?

    ANXIOUSLY AWAITING RESPONSE

  • avatar
    Steven02

    You can clearly tell that this document is meant to be presented to a jury. The first section of the article details what ABC did to enhance the results. The NASA quote should have included the rest of the line. Here is the full quote.

    That particular item also includes the following statement.
    Do not model wiring faults between components. Generally, wiring faults, such as shorts to ground and shorts to power, have very low probabilities compared to probabilities of major components failing. However, if there are no significantly higher contributors or if the wiring can be impacted by other failures (e.g., a fire) then wiring faults need to be considered. Also if the objective includes the modeling of wiring faults then they need to be included (for example, in the case of wear over time of wiring bundles due to maintenance activity on a reusable vehicle).

    To me, only including the part that is on your side (or the side you were hired to represent) and not the part that explains when to do something is really no better than what ABC did. But, this is what I would expect when you hire an expert.

    I will say that I am happy to see that they did address corrosion of the PCB. It sounds like that PCB shouldn’t have this type of problem since they should be coated with some protective coating. The real question is, if this isn’t the problem, is the problem down to sticky pedals and floor mats? Is there anything else? Toyota has said this doesn’t seem to describe all problems, like the Avalon that was taken into Toyota that had a UA problem.

  • avatar
    Billy Bobb 2

    Thanks, Mr. Schmitt.

    Previously, I’ve described this as two paper clips and a clown.

    Gilbert is still a clown.

    Nice homemade ASE certified Auto Professor lab coat he was sportin”.

  • avatar
    VLS_GUY

    I deal with troubleshooting failures in complex mission critical systems every day. I have dealt with failures on systems that had no physical evidence that have both been traced to hardware and software problems. From what I have seen Toyota does not possess the ability to run to ground either type of failure mechanism. Let me explain:
    The Exponent Inc. report is at best an incomplete report and the authors either did not understand or omitted the possibility of tin whiskers creating another conduction path between adjacent pins (in this case pins 18 and 19). Having a resistance of around 200 ohms would not be out of line for a tin whisker problem. To learn more about this problem go to a NASA site: http://nepp.nasa.gov/WHISKER/background/index.htm. I would like to see the pins of the control module tested for tin whiskers by CALCE at the University of Maryland: http://www.calce.umd.edu/. Exponent Inc. from their website has no such diagnostic capability. I would also like to know Toyota’s RoHS planning-again lacking in the report.
    A second thing that disturbs me is that Toyota only had one device that could read data recorder data (laptop with software) that was not fully functional (according to reports) in the United States. Even if the data available is only from few seconds surrounding an air bag deployment it could provide very valuable data; again in this report no attempt to retrieve this data to explain the failures was given.
    Another thing to keep in mind is that Toyota controls the publication of the report. Exponent could have published another report and this is what survived the chop cycle.
    By the way I work on missile systems that are weapons. I operate in a safety regulatory environment that demands rigorous engineering procedures and safety problems be solved. If I was delivered this report I would tell the authors to revisit their fault tree since it is incomplete and gather more evidence as per above.

  • avatar
    VLS_GUY

    One thing I forgot to mention is that usually the metal whisker vaporizes due to the heat generated by the current going through a very thin whisker a few millimeters long. Hence no evidence is apparent after failure occurs. This makes determination of root cause tough- I know by experience!

    • 0 avatar

      Ah, the tin whisker contingent is out.

      Some remarks:

      – In this particular case, Exponent’s job was not to find tin whiskers. Their job was to prove that Gilbert is a charlatan, and that he and ABC had attempted to fool the public. Mission accomplished. As an engineer you will understand the importance of remaining on topic.
      – Exponent also has another wide ranging mission to find any cause for SUA. This was not the topic of this report. I guess they will look into whiskers.
      – In the meantime, proving the whisker theory is easy: Pull the ECMs, and look for whiskers. So far, none have been reported. I think we can put the whisker speculation to rest until someone sees and documents hairy tin growth.
      – In the unlikely event that a whisker builds between pin 18 and 19, a whisker with a resistance greater than 50 ohms and smaller than 250 ohms, nothing would happen. Another nasty whisker would have to grow afterwards, from pin 26 or pin 27 all the way to pin 19, without touching the other pins. How high do you figure the likelihood of such a contortionist whisker?
      – And as for the vanishing whiskers (that was an afterthought, right?): As an engineer, you will surely know that it depends on the amps flowing through that whisker. If the power is sufficient to zap that theoretical whisker immediately, then the theoretical acceleration will stop as immediately. Car will not race three blocks down. And even if there are whiskers that burned off sight unseen, there would be other ones to be detected.
      – The correct amount of conformal coating, common with PCBs that are used in harsh environments, will mitigate most whisker effects. Does Toyota use conformal coating? I don’t know, but easy to find out: Open the can. Does Toyota suffer from tin whiskers? I don’t know, but easy to find out: Open the can.

      As far as the EDR goes, we have covered that at length before. Toyota would be well advised to give access to that EDR, and to record as much history before a fault as possible. One second is not enough.

    • 0 avatar
      crash sled

      Speaking of hysteria, let’s talk about the hysteria which brought on the banning of lead. Some claim that mixing tin with lead can eliminate these tin whiskers as an electronics issue. Unfortunately, the radical environmentalists went hysterical over lead, and society succumbed to that hysteria. Now, we are paying the price.

      For decades now, the use of lead has been very carefully prescribed, and it’s hard to understand how the radicals could possibly view its responsible use as any kind of threat.

      Similarly with hexavalent chromium, I’ve worked on many millions of dollars of projects dealing with clean up of sites contaminated long ago. But today? The level of site containment employed in the use of chromium would make Fort Knox blush, and yet still we hysterically swat at this chimera… this demon.

      Hysteria is the antithesis of the scientific method, and good engineering practice. Probably a responsible thing if we speak up about the negative effects this hysteria is inflicting on society.

    • 0 avatar
      Robert.Walter

      Hi Bertel! IIRC, EDR’s typically record 5s pre-event and 1s post-event (I didn’t go back to check the facts, but I think this applies to TMC as well.) But in any case, 1s or 5s, there is no reason that pre-event capture couldn’t be significantly expanded.

  • avatar
    FloorIt

    Southern Illinois is known to be a party school. Sounds like Gilbert spent some time at Delta House frat then came up with the idea.

  • avatar
    Disaster

    Good stuff. I can see the new hot media term “fingerprints” taking off, as in “the presence of such faults would certainly leave “fingerprints”…” Soon it will be part of popular jargon. “If he manipulated that stock price he surely would have left “fingerprints.””…or….”If you really believe that happened where are the fingerprints?”

  • avatar
    Autojunkie

    The fact that remains constant here is that Toyota DOES have a UA issue on its hands.

    I’ve driven test mules with a BRS (big red switch) mounted nearby that will create an open on both 5-Volt circuits between the PPS and the PCM. I’ve driven test mules with early PCM software that have taken off on me and it was NOT a pedal issue. It WAS a programming issue.

    In something only slightly related… I once worked on a truck during its early development stages. It had a new, at the time, type of PDC that was supposed to be all solid-state and contain no relays at all. The truck went out for some water leak tests and eventually came back to our test area and was parked. The keys were taken out and put up in the sun visor. About an hour after the truck was parked, it just took off and bumped into the garage door. I say bumped, but it went quite fast. If someone was in front of the truck they could have been killed.

    What happened was that the truck was left in gear (it was a stick) when it was parked. The PDC did not have a very robust design to protect against the elements and when the truck went in for leak testing, the inside of the PDC got a little wet. The water, after some time, managed to create a short across the circuit board in the PDC eventually engaging the starter motor. With the truck in gear, and the starter motor engaged, the truck just took off.

    What I’m trying to say here is that anything can happen. Everything aligned just perfectly for that to happen. A little bit of human error, mixed with a little bit of component failure, can create some disastrous effects.

    I’m not going to say I know what the Toyota root-cause is, but I will say that ANYTHING is possible.

  • avatar
    VLS_GUY

    Betel,

    Read the papers I linked to. They will help you understand metal whiskering. A good tutorial: http://nepp.nasa.gov/WHISKER/ Note that I said that the report was incomplete. Why didn’t Exponent and Toyota look for whiskering and include the results in the report? Also, are the parts used lead free? Again missing information.
    Betal what educational qualifications and job experience do you possess in troubleshooting problems in electronics like this? Your response to my post is sophomoric in the least and shows a lack of ability to consider all ideas in solving a problem.
    I am not bluffing on my background. I have many investigations being run at any one time on mission critical hardware and had better be done right or I won’t be doing it long. If I make a mistake I can easily kill people. If I put my name on this report I would be a laughing stock in the technical community that I am part of.

    • 0 avatar

      Betel,

      Read the papers I linked to …

      Betal what educational …

      People who cannot copy the spelling of my name, and spell it differently in two paragraphs, should not engineer deadly missiles. Or maybe, they should.

    • 0 avatar
      Robert.Walter

      @Beetle: Swiss TV just replayed The Sting … the whole Betel – Betal thing reminds me of Newman’s character continually calling Shaw’s character by a different mispronunciation…

      @jaron: Thanks for the update on Ol’ Sol … I feel much better now ;O)

  • avatar
    jaron

    “Probability-wise, there was more chance of the Sun going supernova while you read that article than of these 4 failures happening instantaneously and simultaneously.”

    Just a note, the sun can’t go supernova. Its mass is below the Chandrasekhar limit. Point taken, though.

    • 0 avatar
      crash sled

      “Just a note, the sun can’t go supernova.”

      .
      .

      Ladies and gentlemen, we got ourselves a heretical supernova DENIALIST here. Break out the tar and feathers!

  • avatar
    Jack Denver

    So Gilbert proves that you can rig the ECM of Toyotas to create a throttle open failure mode if you hot wire just the right amount of resistance between the right pins. Toyota counters that (a) this is equally true of many other engine control systems (b) Gilbert fails to explain how his hotwiring scheme could spontaneously arise “naturally” in the wild and (c) no one has been able to show that ANY of the Toyota SUA vehicles in fact had shorts of the Gilbert variety or indeed wiring faults of any kind. “Tin whiskers” that appear, cause a fault and magically disappear without a trace are about as believable an explanation as the divine intervention that saved that woman who testified before Congress or pixie dust.

    I’d say there is virtually no “fail safe” system on earth that could not be induced to “fail unsafe” if you intentionally analyze the system and reverse engineer some hack to interfere with the failsafe mechanism, and car manufacturers, so far at least, have not been required to make their cars failsafe against sophisticated vandalism, which is what Gilbert’s hack amounts to. Without any evidence whatsoever that such shorts have actually arisen of their own accord and without even a plausible theory as to how the requisite shorts could arise spontaneously, Gilbert’s demonstration proves about as much as if they had pinned the pedal to the floor with a broomstick in order to film their demo (knowing the press, I don’t rule out that they did this too). Ho, hum you can redline the tach if you try hard enough, you can make the gas tank explode if you put a bomb in it, you can blow out the tires with explosives, etc. So what?

    I should add, I sympathize with the TV producers – TV is a visual medium and we know that SUA (if it exists at all) is exceedingly rare. The ABC producers could have driven a Toyota around for a lifetime (no less the production deadline for a TV segment, where public attention span is measured in days) and not captured a SUA event on camera. So who could blame them (and the plaintiff’s lawyers that pay Gilbert too) for helping nature out a little? You would have to have the integrity of a saint to resist this temptation and real saints are as common as invisible tin whiskers.

  • avatar
    VLS_GUY

    Denial will get you nowhere. Tin whiskers are a huge problem and billions of dollars worldwide are being expended to try and find solders and soldering techniques that do not whisker because it is such a problem. Just because it is not in the popular press daily does not mean it is not a big problem. After all, what’s more boring than solder and manufacturing issues on electronics, until you are impacted. To find out how big an issue whiskering is, look at the NASA website I gave. It is a good introduction to the problem. Henning Leidecker has been approached by auto companies in the past expressing concern they may have this issue. Call him for the details.
    Lastly, my problem with the report is that the fault tree was poorly done and did not consider failure mechanisms known to cause similar issues in addition to whiskers such as EMI or software. I did not state that any of these mechanisms were the source of the failure but eliminating these potential sources of failure makes the investigation less rigorous and flawed from a legal point of view.
    Lastly, how many of you work for Toyota, a Toyota dealer or one of their suppliers? A little disclosure would be appreciated here.

    • 0 avatar
      Jack Denver

      I have no personal interest in Toyota, etc. I don’t doubt that tin whiskers are a real problem. What I do doubt is the existence of a single invisible tin whisker that arises, causes a problem and then vaporizes without a trace. Even if the short vaporizes the problem whisker, a board infected with whiskers would surely have more than one, in various stages of whisker growth.

      From a legal point of view (and I am a lawyer) the burden of proof is on the plaintiff to show that a product is defective and the defect was the proximate cause of the injury and not on the defendant (Toyota) to prove that no defect exists and to eliminate all possible failure modes as an explanation. In other words, I don’t think a “tin whisker” theory would get a plaintiff very far in court unless he could demonstrate that there were ACTUAL and not hypothetical tin whiskers present in a particular automobile. Even if the fault tree was poorly done, you still have to prove that there was really an electronic fault present and not just present a theory of how a fault MIGHT be present. One of the reasons that the plaintiffs bar is trying to stir up public sympathy is that they know that they have to meet this hurdle and are more likely to get past it with a jury pool that has been softened up in advance.

  • avatar
    Sandy A

    I have read Exponent’s report about Dr. Gilbert’s experiment and I watched their demonstrations today.

    Exponent really seemed to focus on the wiring between the pedal sensor assembly and the ECM. They seemed to be looking for a fault with the external wiring. What about the pedal sensor assembly itself?

    While there may be two independent circuits, both circuits actually reside on a single PCB (see Gilbert’s original report)! Isn’t it possible that a SINGLE fault on the PCB could cause the type of situation Dr. Gilbert demonstrated? Moreover, the fault could occur on either the sensor or the ECM side. Those signals from the two “independent” circuits are most likely sampled at the same location before the ECM gets a hold of them.

    It seemed to me that all Dr. Gilbert did was to identify a “gap” in the diagnostic code/fault coverage of the ETC system. His reasoning seemed to make sense to me. That is, if these vehicles are experiencing sudden acceleration without any faults being detected, then what types of events are NOT covered by the fault codes? He studied the situations under which faults are detected and found a gap.

    BTW, although Exponent actually did duplicate Dr. Gilbert’s experiment with non-Toyota vehicles, they actually had to use much larger resistor values for a majority of the cars. (See the Toyota website for these values).

    Has anyone considered that Single-Event Upsets (SEU) may be causing these problems? The Avionics industry has had to deal with them for a very long time but as electronics have gotten smaller and voltages lower, SEUs have been shown to occur at sea level.

    • 0 avatar
      crash sled

      “BTW, although Exponent actually did duplicate Dr. Gilbert’s experiment with non-Toyota vehicles, they actually had to use much larger resistor values for a majority of the cars. (See the Toyota website for these values).”

      .
      .

      Disagree, Sandy. If you take a look at the resistor values they used, some were less, some were more.

      But resistor value is a red herring, in any event. Toyota selected a resistor value to obtain the results they wanted, which is exactly what Gilbert did. He chose 6 specific interventions, all having to occur in sequence and in kind, and that was his “experiment”. Exponent mirrored his methodology, precisely, and came up with precisely the same results… for all vehicles.

      I agree with you that the circuit boards are a potential weak point, as this is often true in my (limited) experience with electronics. You’re squeezing stuff together, with all attendant issues.

      I know all these OEM guys claim to have tested and baked their vehicles inside every radiological oven known to man, with enough kryptonite to kill Superman, but I’m always gonna be mistrustful, because if you bake the wrong piece of silicon the wrong way, and suddenly you have a problem. That’s technical talk, by the way.

      I’d suspect if there’s a problem with a circuit, it’s in those boards, either from being zapped by some unkosher waves, or by water, or the tin whisker effect.

      Somebody needs to get their hands on one of the affected vehicles, and do an autopsy.

    • 0 avatar
      Jack Denver

      “Those signals from the two “independent” circuits are most likely sampled at the same location before the ECM gets a hold of them.”

      No they don’t – that’s the whole point of having two circuits – they originate from 2 different sensors, and travel down 2 separate wires to 2 separate pins on the ECM – there is no sampling BEFORE the ECM – the ECM IS the thing that does the sampling.

      I’m unimpressed by the fact that he found a gap (one that apparently exists in most drive by wire systems and if that particular gap doesn’t exist then another one does – there’s no system that can’t be reverse engineered if you try hard enough). In order to be meaningful, you have to offer some plausible explanation of how this scenario (a resistance of a particular narrow value between 2 particular pins, followed by a dead short to power on another pair ) could spontaneously create itself in the wild (and then apparently magically disappear so that no trace of it was detectable afterward).

      It’s true that the resistor values required to trick the ECM vary among designs, but can you offer any explanation (or better yet proof) of why the resistor values needed to trigger the Toyota fault are more likely to arise spontaneously than these other values?

      Reread this sentence : ” For the Intended Gilbert Acceleration to occur in the wild, several things would have to happen in the exact sequence: First, the isolation for both VPA and VPA2 would have to break down. Then, a connection between VPA and VPA2 would have to be established. [P.S. 1 and 2 are really one thing (connection is the opposite of isolation), but whatever.] Into this connection, a resistance of no less than 50 ohms and no higher than 250 ohms would have to be connected. Once, and only once this connection between VPA and VPA2 has been established through the proper resistor, VPA2 (and not VPA) would have to be connected to +5V. Then, the car would take off.”

      Try just this simple experiment – take 2 wires and an ohm meter and try (without using any resistors) to touch or rub the 2 wires together so that a stable (remember that these SUA events go on sometimes for many minutes, allegedly) resistance ranging between 50 and 250 ohms is established. And remember when you have succeeded with this (and I’ll bet you won’t) you’re only halfway done – you still need to get +5 volts magically to that other pin.

  • avatar
    VLS_GUY

    A SEU may indeed be the cause here. I have seen many such firmware/software problems in the past on systems I work on. Unfortunately here we do not have the instrumentation to detect such problems. Things like custom designed data reordering hardware/software along with network/protocol analyzers become necessary to find SEUs. However we just don’t know enough since Toyota does not possess the capability to collect the data unless they are developing the instrumentation right now to allow this investigation to go forward. The fallout may be that the ability to detect SEUs may be designed into a car model and its test equipment just to get out of a safety regulatory approval process to get on the road.

  • avatar
    VLS_GUY

    Jack,

    I do not disagree with your legal arguments. You are right in that where there is one whisker there are likely to be many. The big problem with whiskers is that unless you follow good collection procedure and have the correct equipment you won’t see them or you may crush them to dust. After all, these things are microns in diameter.
    The whole point of my posts is that when putting a fault tree together all possible failure modes however remote must be included for all avenues of investigation to be explored. In short the better the fault tree the better the results. This Exponent did not do. If the fault tree is augmented it complicates things since material handling procedures etc. must be considered. Changing the fault tree is like starting the investigation over in many respects. It is as important as establishing a fact pattern in analyzing a legal case.

    • 0 avatar
      crash sled

      “The whole point of my posts is that when putting a fault tree together all possible failure modes however remote must be included for all avenues of investigation to be explored. In short the better the fault tree the better the results. This Exponent did not do.”

      .
      .

      Neither did Gilbert, VLS_GUY.

      Exponent’s charge was to show that Gilbert’s work was a sham and unsupportive of his conclusions, and they did this most effectively.

      As for the rest of the investigative process, well, Gilbert’s assistance won’t likely be beneficial. Shop teachers aren’t generally qualified to address electronics design issues, and variants such as this tin whiskers phenomenon. These are design engineering issues, of which he has no relevant knowledge or experience. We’ll have to wait on all that. For now, it appears the process has taken the efficient step, and cleared away the hysterical Gilbertine underbrush.

  • avatar
    VLS_GUY

    Crash Sled,

    David Gilbert did not include a fault tree because his demonstration was not given as a failure investigation into the root cause of unintended acceleration; the Exponent paper was. Dr. Gilbert was merely demonstrating that it was possible to have a failure without triggering a fault code. The Toyota news conference demonstrated exactly the same thing as Dr. Gilbert. Given the relative access to technical data on the system for Dr. Gilbert and Exponent that is how it should be. For the data available to Exponent and Toyota I would have expected a better effort. By the way, system failures that do not generate fault codes are a common problem on systems with automatic test equipment.
    David Gilbert is not an Engineer but that does not lessen his value in a failure investigation. He is a master mechanic with a PhD in designing vocational education programs. So much for the High School Shop Teacher put down. This makes him a highly trained technician on auto mechanics and technician training.
    When I put together a failure investigation team I want someone that is familiar with how the technicians that service the system are trained and know how the cars are serviced in practice. Why? Because for all anyone knows this may be a training issue either in the assembly plant or in the dealers. In such a case someone like Dr. Gilbert will be needed to design the training to correct the problem.
    I do have some sympathy for Toyota in all this. They are going to get hit with frivolous lawsuits etc. that will do no good for anyone except for a few unethical people. By putting out studies and demonstrations with little technical content and exclude failure modes they hurt rather than help their own cause.

    • 0 avatar
      crash sled

      “David Gilbert did not include a fault tree because his demonstration was not given as a failure investigation into the root cause of unintended acceleration; the Exponent paper was.”

      VLS_GUY, Gilbert didn’t include a fault tree because he’s a shop teacher, spectacularly unqualified for such work. Thus, his fault tree would bear precisely zero validity, and because he used his slapdash work to jump to easily disproven conclusions, he now has zero personal credibility, in any event.

      Exponent’s work in this report was not an investigation into root cause of unintended acceleration, it was to expose Gilbert as a fool. They did so.

      And no, moving forward, design verification of this or any other system in the automotive world would not and should not include the participation of charlatans such as this Gilbert guy.

  • avatar
    VLS_GUY

    If you are going to put someone’s ideas or actions down at least have a reasoned scientific analysis of your own. Your grade school level name calling reveals you to be someone not capable of discussion of any serious issue.
    By the way, the big problem Toyota has now is that their former corporate Counsel has come out on this issue with 6,000 documents he claims are about Toyota’s safety cover ups. Now that is something to worry about.

    • 0 avatar
      crash sled

      All of the “scientific analysis” necessary to discredit this Gilbert charlatan was performed right here in this forum, long before Exponent formally took the time to do so. If my posts are unworthy of you, then read through those. No matter that you have some fixation on this fool, he’s still a fool.

      And would the 6,000 documents you mentioned be those arising from Biller, the documents that a plaintiff’s trial attorney has previously deemed worthless?

      I think you need to catch up a bit, on all of this.

