March 8, 2010
The purpose of Dr. David Gilbert’s research study was to contribute to a better understanding of Electronic Throttle Control (ETC) system malfunctions and the failsafe detection capabilities of some Toyota vehicles equipped with ETC. His research primarily examined the failsafe detection capabilities of the electrical circuitry, particularly at the Accelerator Pedal Position Sensor (APPS), its voltages and the associated wiring circuits.
The most significant finding from Dr. Gilbert’s preliminary study is that there are conditions in the Toyota and Lexus models tested in which the failsafe redundancy of electronic circuitry in the ETC can be lost – particularly in the APPS – without an error code being set or a failsafe mode being employed. Once the redundant failsafe is lost and the loss is not detected as an error, the vehicle is in an unsafe condition. The purpose of setting an error code and putting the vehicle into a failsafe mode is to protect the driver from any further potential scenarios in which the ETC behaves in a manner inconsistent with driver input.
Quite simply, Dr. Gilbert’s findings prove that Toyota’s assertion that its electronics are infallible is incorrect, and they form the basis for further study of potential electronic failures that might lead to Sudden Unintended Acceleration.
Dr. Gilbert’s findings further showed that once the failsafe is lost and undetected by the vehicle computer as an error, various scenarios can be introduced in which the Electronic Control Module (ECM) can read a wide-open throttle condition without any input from the driver, again without setting any error codes. Simply increasing the voltage to the APPS while in a compromised state can induce an uncommanded wide-open throttle condition, again resulting in no detectable codes. These scenarios can occur because the Toyota failsafe parameters are broad – the design allows a wide window of opportunity for problems to occur that are not seen as abnormal.
Prior to Dr. Gilbert’s findings, Toyota consistently argued that its ETC design and failsafe systems were built with multiple redundancies and that the electronic throttle cannot malfunction without its diagnostic system catching the error and employing one of four failsafe modes. In response to NHTSA, the company flatly rejected the very concept of unintended acceleration, stating:
“With regard to allegations of unintended acceleration, Toyota does not believe that uncontrollable acceleration can occur without the driver applying the accelerator pedal … If an abnormal condition occurs, such as the ETC sending the signal to the throttle body to open the throttle without applying the accelerator pedal due to a failure of a component or a malfunction of the system, or if the throttle simply were to open on its own, the system goes into failsafe mode.”
These findings provide an important baseline for understanding a potential electronic root cause of unintended acceleration in Toyota vehicles. While Dr. Gilbert’s testing demonstrates that vehicles can react to sensor errors in ways that appear consistent with consumer complaints of unintended acceleration, it will take additional research to determine whether there is a connection between the two.
Toyota, through its outside experts at Exponent Failure Analysis Associates, claims that the scenario Dr. Gilbert describes in his report “would be highly unlikely to occur naturally” and that other makes and models responded in a similar manner. Exponent goes on to claim, “[T]hese findings illustrate the artificial nature of Dr. Gilbert’s demonstration and its inability to explain reported incidents of SUA.”
In general, Exponent’s report mischaracterizes Dr. Gilbert’s findings, but it does validate his primary findings – Toyota’s failsafe system does not always detect critical errors or go into failsafe mode as the company has claimed. Further, once the vehicle is in this non-failsafe mode, the introduction of a voltage spike can cause wide-open-throttle without driver input, again without being detected as an error.
Dr. Gilbert’s preliminary findings, which were detailed to Toyota technical staff a week before the Congressional hearings, are a step toward better understanding areas for further study.
According to Safety Research & Strategies president, Sean Kane, “These preliminary findings are critical because they demonstrate that the Toyota’s electronics can fail to detect significant errors – including uncommanded wide-open-throttle. This serves as a bookend – the other bookend is the consumer complaints which continue to allege uncommanded wide-open-throttle and subsequent inspections by Toyota find no error codes. Whether they are connected still needs to be determined.”