December 3, 2014
For a report that’s a quarter of a century-old, testing old technology and resting on questionable assumptions, An Examination of Sudden Acceleration (also known as the Silver Book) has exerted an out-sized influence over the search for root causes in unintended acceleration events. Manufacturers have loved the document, for its emphasis on driver error as the cause of any event that cannot be readily reproduced. In the absence of any expertise, the National Highway Traffic Safety Administration has used it as a crutch whilst hobbling around a UA defect investigation it cannot resolve.
Antony Anderson, the U.K.-based electronics engineering consultant, says it’s time to consign its conclusions to the dung heap of discredited scientific lore with the likes of alchemy and spontaneous generation. His newest technical paper Intermittent Electrical Contact Resistance as a Contributory Factor in the Loss of Automobile Speed Control Functional Integrity published online by the Institute of Electrical and Electronics Engineers (IEEE) debunks one of The Silver Book’s central tenets, documents the real gaps the automotive industry’s fail-safe systems and makes suggestions for a course correction going forward.
Anderson’s observations are particularly astute in light of a rulemaking on functional safety in automotive electronics. In October, the agency published a Federal Register Notice seeking comments on the possibility of writing regulations to ensure the safety of automotive electronics. The 10-page request for comments satisfies a directive from the federal legislation known as MAP–21 to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.” Comments are due on Monday.
Anderson devotes a couple of sections to taking apart An Examination of Sudden Acceleration and its flawed diagnostic approach:
A major obstacle to the discussion of electrical intermittency in relation to SA incidents is the claim, often repeated by the automobile industry and by NHTSA, that the 1989 NHTSA Sudden Acceleration Report proves beyond all doubt that SA incidents were most probably the result of driver error. This collective mind-set appears to brook no argument and tends to kill stone-dead all reasoned discussion on the subject of electrical intermittency.
It’s most important and destructive assumption, he argues, has no scientific foundation, although it “remains the basis of diagnostic testing for `intermittent electronic failures’ that might cause an SA to this day: ‘If the cause of an SAI is an intermittent electronic failure, physical evidence may be difficult to find, but the failure mode should be reproducible either through in-vehicle or laboratory bench tests.”
This assumption belies the findings of electronics experts who agree that intermittent faults are extremely difficult to find, and that their random, intermittent nature can escape the notice of a vehicle’s diagnostic system. No Fault Found in a field return is a field failure, and should be used in the quest to identify the cause. Further, “the arbitrary introduction of ‘reproducibility’ by NHTSA as the proof for intermittency defines most suspected electronic intermittencies out of existence,” Anderson says.
Any Sudden Acceleration Incident that cannot be replicated leads to the “inescapable” conclusion that the event was the result of driver error. In the driver-error scenario, the Silver Book posits that some vehicle malfunction causes the engine to surge, startling the driver and causing him to depress the accelerator on the mistaken belief that it is the brake. Here, Anderson observes that the root cause is actually the malfunction that caused the driver to startle in the first place and that two of the hypothetical culprits – an idle stabilizer malfunction or a cruise control malfunction – were intermittent electronic malfunctions. (In the case of Unintended Accelerations in Audi, which prompted the report in the first place: Between 1982 and 1987, Audi issued six recalls to address Sudden Unintended Acceleration in its vehicles. Three of them replaced worn idle stabilizer units.)
Anderson then sets about challenging that premise by using a reed relay to simulate a mechanically-induced electrical intermittency either as an open circuit or a short circuit. His experiments show that intermittent speed sensor connections can generate false speed signals that overcome the vehicle’s low speed inhibit logic. For example, a single mechanically-induced intermittency in one of the speed sensor connections or on the microcontroller PCB, plus a signal to tell the cruise control to engage makes it possible for the system to take over speed control from the driver.
And, because vehicles with electronic throttle controls are not fitted with an independent failsafe system, the driver “becomes the fail-safe for any potential malfunction of the electronic throttle,” Anderson writes. “The automobile industry is unique in this respect – in any other industry loss of speed control would be protected against and, as a last resort, there would be an emergency stop button.”
He scoffs at electronic brake over-ride systems, software patches that run on the same hardware as the electronic throttle – they wouldn’t work in a software malfunction, and therefore are only a “partial fail safe against pressing the accelerator at the same time as the brake.”
Instead, Anderson makes several suggestions for dealing with unintended accelerations: restricting the fuel supply to the engine the moment that an un-commanded wide open throttle condition is detected; suppression of half or a lower fraction of the ignition pulses to reduce engine power; opening a bypass valve in the hydraulic torque converter to reduce the transmitted power.
Anderson’s false speed signal experiments joins other research studies that show how a vehicle can go to an uncommanded wide-open throttle, with no fault found. Southern Illinois University Automotive electronics Professor David Gilbert showed that a short in the accelerator pedal position sensor could cause a wide-open throttle. Scientists from NASA’s Engineering Safety Center demonstrated tin whiskers could cause a UA with no trouble code set and embedded systems expert Michael Barr found a mountain of software errors could lead to vehicle malfunctions, including a UA, unbeknownst to the diagnostic system.
We can only hope that eventually, these more empirically based efforts will overcome the Silver Book’s unfathomable momentum.