Post on 27-May-2020
Analyzing Unintended Acceleration and Electronic Controls
Prof. Todd HubingMichelin Professor of Vehicle Electronic Systems IntegrationClemson University International Center for Automotive Research
Outline of Presentation
Background Information – 10 minutes
Description of the Problem – 20 minutes
Proposed Solution – 20 minutes
Questions – 10 minutes
July 1, 2010 2
Background Information
July 1, 2010 3
Professional BackgroundEDUCATION
B.S. (E.E.), Massachusetts Institute of Technology, 1980M.S. (E.E.), Purdue University, 1982Ph.D. (E.E.), North Carolina State University, 1988
PROFESSIONAL EXPERIENCE2006 – present Michelin Professor of Vehicular Electronics, Clemson University1999-2006 Professor of Electrical and Comp. Eng., Univ. of Missouri-RollaSummer 2002 Visiting Faculty at Sandia National Laboratories, Albuquerque, NMSummer 2000 Visiting Professor at Okayama University, Okayama, Japan1995-1999 Associate Professor of Electrical Engineering, Univ. of Missouri-Rolla1989-1995 Assistant Professor of Electrical Engineering, Univ. of Missouri-RollaSpring 1989 Adjunct Assistant Professor, North Carolina State University1982-1989 Staff Engineer, Electromagnetic Compatibility Laboratory,
IBM Communications Products Division, Raleigh NCPROFESSIONAL ACTIVITIES
American Society for Engineering EducationFellow of the Applied Computational Electromagnetics Society Fellow of the Institute for Electrical and Electronics Engineers (IEEE)IEEE Electromagnetic Compatibility Society
- President (2002 - 2003)- Board of Directors (1995 - 2005, 2007 - )
July 1, 2010 4
Vehicular Electronics Laboratory Researchers
FacultyTodd Hubing Michelin Professor
Graduate StudentsXinbo He Ph.D. Student - ECEChangyi Su Ph.D. Student - ECE Hua Zeng Ph.D. Student - ECE Ho-Cheol Kwak Ph.D. Student - ECE Nan Maung Ph.D. Student - ECELi Niu Ph.D. Student – AuEChentian Zhu Ph.D. Student - AuE
Visiting ScholarsYanqiang Li Shandong Academy of Sciences
Visiting StudentsYi Sun Beijing Jiao Tong University
July 1, 2010 5
Vehicular Electronics Laboratory Facilities
Chassis Dynamometer
Electronics Lab
EMC Test Facility
July 1, 2010 6
EMC Research Funding Sources
July 1, 2010 7
Intel Boeing General Motors National Science Foundation John Deere Sun Microsystems Hewlett Packard Chrysler NCR Lucent Innoveda AMP Caterpillar Parker Chomerics
LG Electronics Viewlogic Zuken IBM Nortel Honeywell FCI Mentor Graphics AVX Microsoft Visteon Honeywell Italtel Dupont
Siemens Sony NEC Texas Instruments Touchstone Research Lab Hitachi Huawei Cisco Systems Michelin Americas Samsung Battelle Bailey & Glasser … Panasonic Electrolux
(1990 – 2010)
Automotive and Aerospace Experience
July 1, 2010 8
Boeing General Motors John Deere Chrysler Caterpillar General Dynamics NASA General Electric Allison Transmission
Sandia National Labs Visteon Honeywell Siemens NEC Texas Instruments Freescale Hitachi Michelin
We’ve been successful because …
July 1, 2010 9
We understand electromagnetic compatibility.
We know how to design for electromagnetic compatibility.
We know how to model electromagnetic compatibility problems.
We know what it takes to meet EMC test requirements.
We know understand automotive design and manufacturing constraints.
We understand aerospace design and manufacturing constraints.
The Problem
July 1, 2010 10
Slide from 2006 Presentation
July 1, 2010 11
Automobiles are Complex Electronic Systems
July 1, 2010 12
Automobiles are Complex Electronic Systems!
~ 100 Million Lines of Code
5.7 Million Lines of Code
6.5 Million Lines of Code
F-35 Joint Strike Fighter
Boeing 787Dreamliner
Today’s Typical
Luxury Car
July 1, 2010 13
Systems Capable of Actuating the Throttle and/or Brakes (from 2008 NSF Proposal)
BRAKES
AdaptiveCruiseControl(ACC)
Anti-lockBrakingSystem(ABS)
AutomatedParkingSystem
ElectronicStabilityControl(ESC)
Brake Pedal Position
Steering Wheel Angle
Yaw Rate
Lateral AccelerationWheel SpeedThrottle
Vehicle Speed
Wheel Speed
ThrottleForward Radar
Vehicle Speed
Forward Position
Right Side Position
Rear Position
Vehicle SpeedSteering Wheel Angle
Steering Angle
Throttle
July 1, 2010 14
Problems with Current Automotive Designs
July 1, 2010 15
Safety critical reliance on analog sensor inputs whose accuracy cannot be validated.
Safety critical reliance on undefined software whose performance cannot be modeled or validated.
Safety critical reliance on individual hardware components (particularly microcontrollers).
For Example …
July 1, 2010 16
Accelerator Pedal Position Sensor / Throttle Position Sensor
Employs 2 redundant, but nearly identical hall-effect position sensors.
Interference that affects one sensor, can affect the other sensor in an identical way, resulting in a bad reading with no error code generated.
For Example …
July 1, 2010 17
Accelerator Pedal Position Sensor / Throttle Position Sensor
RF currentscoupled to
wire harness can
result in unintended
acceleration.
BCI on Freq Mod CM Current (dBµA)
DM Current (dBµA)
Signal lines(VPA&VPA2)
100kHz NA 97(At 100 kHz)
104(At 100 kHz)
Engine accelerated
Power lines(VCPA&VCP2)
100kHz NA 90(At 100 kHz)
110(At 100 kHz)
Engine accelerated
Return lines(EPA&EPA2)
100kHz NA 102(At 100 kHz)
112(At 100 kHz)
Engine accelerated
Signal + Return(VPA+VPA2+EPA+EPA2)
100kHz NA 86(At 100 kHz)
113(At 100 kHz)
Engine accelerated
Signal lines(VPA&VPA2)
380MHz 160kHz
98(At 100 kHz)
108(At 100 kHz)
Engine accelerated
Power lines(VCPA&VCP2)
360MHz 130kHz
81(At 100 kHz)
104(At 100 kHz)
Engine accelerated
Signal Generator
Receiver
BCI ProbeAmplifier
Current Probe
0.0
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
5.0
5.0 4.8 4.6 4.4 4.2 4.0 3.8 3.6 3.4 3.2 3.0 2.8 2.6 2.4 2.2 2.0 1.8 1.6 1.4 1.2 1.0 0.8 0.6 0.4 0.3
Posit
ion S
enso
r Out
put (
volts
)
Supply Voltage (volts)
Accelerator Pedal Position Sensor Outputs vs. Varying Supply Voltage
VPA min
VPA2 min
VPA max
VPA2 max
NORMAL OPERATION NORESPONSE
ERROR DETECTEDOPENTHROTTLE
For Example …
July 1, 2010 18
Accelerator Pedal Position Sensor / Throttle Position Sensor
Decrease in voltage to
sensor can result in
unintendedacceleration.
Resistor applied Switch closedR
(ohm)VPA-GND0(volts)
VPA2-GND0(volts)
GND1-GND0(volts)
Engine Speed(rpm)
VPA-GND0(volts)
VPA2-GND0(volts)
GND1-GND0(volts)
Engine
Speed(rpm)
10 0.958 1.73 0.103 700 1.08 1.82 0.249 7001.24 2.01 0.105 1500 1.35 2.09 0.247 21001.32 2.08 0.104 2000 1.41 2.17 0.245 2600
20 0.957 1.72 0.098 700 1.18 1.92 0.364 12001.24 2.01 0.101 1500 1.45 2.19 0.300 30001.31 2.08 0.104 2000 1.52 2.24 0.380 3600
50 0.957 1.72 0.101 700 1.54 2.22 0.825 4000100 0.960 1.73 0.105 700 2.08 2.68 1.45 5500130 0.960 1.73 0.106 700 4.73 4.80 1.93 5500140 0.958 1.73 0.108 700 4.81 4.85 2.01 700*
1.24 2.01 0.107 1500 4.82 4.87 2.02 5500150 0.956 1.72 0.100 700 4.84 4.88 2.06 700*
1.24 2.02 0.120 1500 4.86 4.85 2.08 3900*
For Example …
July 1, 2010 19
Accelerator Pedal Position Sensor / Throttle Position Sensor
Normal Resistor appliedR
(ohm)VPA-EPA
(volts)
VPA2-EPA
(volts)
VCP2-EPA
(volts)
Engine Speed(rpm)
VPA-EPA
(volts)
VPA2-EPA
(volts)
VCP2-EPA
(volts)
Engine Speed(rpm)
112 0.868 1.65 4.99 700 0.747 1.27 3.42 7001.15 1.93 4.99 1500 0.858 1.37 3.42 700
115 0.868 1.65 4.99 700 1.72 2.25 3.30 5500120 0.86 1.64 5.0 700 2.50 2.76 3.24 5500130 0.87 1.64 5.0 700 2.87 2.91 3.17 5500135 0.86 1.65 4.99 700 2.88 2.90 3.12 700*
1.15 1.93 4.99 1500 2.88 2.83 3.12 5500140 0.86 1.65 4.99 700 2.87 2.89 3.09 700*
1.15 1.93 4.99 1500 2.87 2.83 3.08 5500155 0.871 1.65 5.0 700 2.83 2.84 3.02 700*
1.18 1.96 5.0 1500 2.82 2.80 3.01 5500160 0.870 1.65 5.0 700 2.81 2.82 2.98 700*
1.14 1.94 5.0 1500 2.80 2.78 2.98 700*
Various shorts and faults can result in
unintended acceleration.
For Example …
One ECM input determines on/off, set speed, and resume speed.
A 2-meter floating wire is attached to that input.
This design is inherently susceptible to radiated electromagnetic interference. We can’t be sure what is done within the ECM software to ensure that the cruise control doesn’t engage and set do to spurious inputs.
July 1, 2010 20
Cruise Control
For Example …
July 1, 2010 21
Grounding Differences
3 Possible UA Failure Modes
Bad sensor input - fools ECM into opening the throttle.
A software “glitch” – gives unintended command to open throttle (may or may not involve a bad input).
A hardware (microprocessor) malfunction – processor latches up or jumps to wrong subroutine requiring a hard reset.
July 1, 2010 22
Some Key Points
Due largely to the electronics, today’s cars are safer than ever before.
Even for makes and models with the highest number of reported incidents, sudden acceleration incidents are reported about once in every 600 million miles driven.
July 1, 2010 23
Some Key Points
The electronics in virtually any car sold today is capable of causing the types of failures being reported as “sudden acceleration” events; though failure detection and mitigation capabilities vary significantly.
It is not possible to fully model, test or validate the safety of electronic systems in automobiles due to a lack of standard design platforms, meaningful EMC test procedures, or OEM control of subsystem designs. Recreating a particular failure mode can be extremely difficult due to the thousands of possible failure mechanisms and software/hardware states.
July 1, 2010 24
Proposed Solution
July 1, 2010 25
Short-term Recommendations
A software subroutine that cuts the throttle when the brake pedal is depressed would compensate for a large percentage of the possible failure mechanisms. A hardware solution (e.g. BMW’s approach) should be even more reliable.
Hardware redundancy and fault-tolerant software design would be relatively inexpensive and easy to implement if adopted by the entire automotive industry.
The driver should have some way to override the engine control module (e.g. a key switch that physically removes the power to the ECM).
July 1, 2010 26
Long-term Recommendations
This requires design constraints and interface standards.
Must be able to model all system behavior including all hardware and software interactions.
Continuous refinement of these standards would be greatly facilitated by the installation of black boxes in automobiles.
July 1, 2010 27
Final Thoughts
Odds of being involved in an unintended acceleration accident are much lower than odds of being involved in other types of car accidents.
Unintended automotive system behavior is a problem that will certainly get worse without a major change in automotive standards and design practices.
July 1, 2010 28
Questions
July 1, 2010 29