As a materials and manufacturing engineer with decades of experience with failure analysis of manufactured products, and as an owner of a Toyota vehicle, I am saddened by the lack of expertise and insight shared with Congress and the public about the sudden acceleration problem.
When products fail due to a systemic design, materials or manufacturing flaw, large and statistically significant levels of problems emerge fairly rapidly. This is definitely not the case with the Toyota problem. With many millions of Toyota models on which even more millions of miles have been driven, if there had been an inherent materials or manufacturing design defect, then we would have seen untold thousands of cases of sudden acceleration. It literally would have been virtually a daily event happening all over the country in many Toyota models. But, in fact, little more than 1,000 Toyota and Lexus owners have reported since 2001 that their vehicles suddenly accelerated on their own. This is a tiny, minuscule percentage of Toyotas.
This infrequent runaway car problem is not analogous to a serious case of bacterial contamination of a major food product causing many thousands of cases of food poisoning in a relatively short period. Its cause is even more difficult to find.
Understanding this nature of defects also means that the so-called solutions of replacing floor mats and gas pedals are sheer nonsense. Indeed, it did not surprise me to read today that there have already been cases of sudden acceleration in cars that had received fixes by Toyota. More than 60 Toyota owners have complained to the National Highway Traffic Safety Administration about cars already repaired under the two major Toyota recalls, saying they aren’t fixed and their throttles can still race out of control.
While recognizing the agony and suffering of sudden acceleration accidents and deaths, it is also necessary to appreciate the statistically rare occurrences of this problem. Only by doing so is it possible to understand that the ultimate explanation – and solution – to the sudden acceleration problem will be a non-systemic flaw or defect in a critical component: in other words, either a random defect in a material or some unusual and infrequent deviation in a manufacturing process of some critical component. Only such a situation can logically explain so few sudden acceleration problems in so many millions of cars being operated for many more millions of hours and miles.
In my professional opinion, the likely scenario is a defect in a semiconductor chip used in the electronic control system, a defect caused by some infrequent flaw in a raw material or manufacturing process that would not show up in routine quality control testing of raw materials or components. That so many different Toyota models over many years have been found defective signifies the likelihood of a particular problem component made in a specific factory that has been used for quite a while. Moreover, the defect obviously does not ordinarily impair vehicle performance but only manifests itself under some infrequent conditions, as yet undetermined.
Rita Taylor of Fort Worth, Texas experienced runaway acceleration, took her car to a Toyota dealer, and had the floor mats removed. A few months later she had another frightening runaway episode. Ditto for Eric Weiss in California, who also had a second episode months after the first one and after removing the mats. Others who have not died and kept using their Toyotas have also had repeat events. Thus, perfectly normal vehicle performance is possible between runaway events.
Make no mistake, the precise cause of such a sporadic event is incredibly difficult to pin down and even more difficult to remedy. An extremely intense and costly investigation is necessary. It is the classic needle-in-the-haystack problem.
If my thinking is correct, then it is sheer folly to believe that replacing floor mats or gas pedals can solve the sudden acceleration problem. However, there is one aspect to the sudden acceleration problem that also is crystal clear and, in some ways, even more aggravating than the acceleration problem. This is the absence of an override system that absolutely prevents fuel being fed to the engine when brakes are employed while a car is accelerating. It is gratifying that the federal government is seriously considering requiring such an override system in all vehicles. An effective override system might, in the long run, be a faster and more cost-effective solution than a chase-the-defect strategy, especially for retrofitting many millions of vehicles.
Alternatively, finding the cause of the sudden acceleration problem requires a standard failure analysis methodology: obtain absolutely every Toyota vehicle that has experienced sudden acceleration, then meticulously examine, through microscopic and other types of analysis and testing, all critical components of the electronic system (called by Toyota the Electronic Throttle Control System with intelligence). Think of it like an autopsy.
This does not appear to have been done. To the contrary, the firm hired by Toyota tested several ordinary vehicles and components. One of the primary authors of the Exponent report said they did not examine any vehicles or components that had the unintended accelerations. This makes no sense whatsoever if the defect is rare; therefore, the report's finding that there was nothing wrong was meaningless. Worse, it was a deception and distraction.
[Joel S. Hirschhorn has a Ph.D. in Materials Engineering and was formerly a full professor of metallurgical engineering at the University of Wisconsin, Madison and a consultant for many corporations, such as IBM, Texas Instruments, Polaroid, and Rayovac, and has served as an expert witness in many legal proceedings. He was a senior official at the Congressional Office of Technology Assessment and the National Governors Association and is the author of several nonfiction books and hundreds of articles
I assume you saw the story today about the Prius going 94 mph with the brakes slammed down.
Thanks SQB. We have a 2005 Prius and the lack of any clear explanation of the problem has been a problem in itself.
I suppose I could rig a cut off switch for the fuel pump, if I was really worried.
You say
Obvious now that you say it. Every car problem I have been present for–and that means an on-the-road problem–in the last decade and a half has been due to computer failure–masquerading as something mechanical that we knew how to improvise around or fix.
No go! The broken computer insisted on doing things incorrectly and counter-compensated any compensation we could manage.
Unlike you, I have no faith in an override–perhaps a way to cut out the computer and go to manual would prove sufficient.
I agree somewhat with your idea that the problem is a hardware (read semiconductor throttle control chip) in the Toyota Electronic Throttle Control System (ETCS). Having spent my entire career working in the hardware/software/systems environments, I believe that the Q&A manufacturing automated semiconductor chip testing systems are extremely thorough, and coupled with oven life test cycling will drop out most internal chip defects. The Japanese used these Q&A procedures for decades as manufacturing screens for all of their entire semiconductor, Integrated Circuit, and Field Programmable Gate Arrays (FPGA) products. So it is highly improbable a scattered batch of defective chips is the uncontrolled rapid acceleration problem in the Toyota vehicles.
On Feb. 24th, I wrote and posted a piece titled “TOYODA TESTIFIES – THE EMPEROR’S NEW CLOTHES” here on the Booman Tribune. It presented my argument for a software failure in the ETCS. In my years of software development, the most vexing problem for software engineers is foolproof management of the interrupts in a distributed computer system. Effective interrupt control is the traffic cop for all of the system's events, major and minor. Furthermore, priority control of the interrupts must be well designed and flexible enough to facilitate random as well as scheduled events. Lastly, in the event an unforeseen catastrophic random event occurs, the system must be designed to intelligently control the rest of the system in a non-destructive manner, shutting down operations in a careful conservative manner until the event has cleared. At this point it should have the ability to automatically sequentially restore operations in a cautious safe controlled manner.
Testing software for design defects is far more complex than testing for hardware defects, due to the interactive nature of millions of lines of code. Testing of the interrupt handling capability of the host operating system for every possible permutation of interrupts from client software modules involves design of test cases which are robust enough to exhaust all of these possible interrupt permutations. If this is not done, any possible scenario including runaway uncontrolled acceleration is possible.
A proper software Q&A station for the ETCS would require a computer or computers capable of simulating every possible interrupt sequence in the engine control system, and computers capable of receiving and evaluating every output from the ETCS. The stimulus/response scenarios would have to be written by engineers, compiled, and stored on the test station’s master control computer for downloading during the actual testing sequences. The magnitude of these ETCS Q&A test stations for the entire line of Toyota vehicles would be huge, requiring a financial R&D expense in the billions. Also keep in mind that priority software that shapes the vehicle’s performance and efficiency while being driven on the road also exercises some control over the operation of the ETCS. This code would also have to be included in the Q&A testing. It is my sincere belief that Toyota has not made an uncompromising commitment to the best software Q&A testing possible. I think that they have left the responsibility for all such Q&A operations up to contract vendors, most likely the same software houses providing the operational and application code for the many computers in their vehicles.
I remember many, many years ago when I was working at Digital Equipment Corporation (DEC) designing diagnostics for a new state of the art computer that they were developing, called the PDP-11. The PDP-11 was DEC’s first programmed firmware computer architecture. Due to the aggressive schedule, which already had been rescheduled twice, the hardware designer was making as many as three major revisions to the firmware each day. Many of these changes would take two days before they were officially released by the PDP-11 hardware group. Thus I was still finishing up my diagnostics when the PDP-11 hardware group officially released the entire computer design to manufacturing. At the same time I found a serious bug in the math calculation firmware. Basically it was a “divide by zero” error problem, i.e., if an instruction attempted to divide a floating point (FP) number by zero, the result was some crazy decimal result. The proper result of such an operation should have been an FP error termination with the operator and operand returned unchanged. I immediately went to see the Hardware Engineering manager and we then had a conference with the VP of engineering. The upshot, they refused to fix the firmware and let it proceed to manufacturing with the problem in the firmware. The VP of engineering’s argument for letting it go was (a) no one would ever write an instruction like that and (b) the compiler would most likely not compile a command that would produce this error. Four years later, I was working at a company that had several large scale PDP-11 systems as the main company software machines. One Sunday when I was just about the only one in the company, I programmed the old “divide by zero” instruction into the FP unit and it returned the same crazy number with no error. DEC had sold thousands of their PDP-11 computer systems with the same old bug still in the firmware.
Why did I repeat that old shaggy dog story? I just wanted to cite a personal example to show how corporate planning always seems to take priority over everything else including the requirement for the need for the highest available Quality Control for their product.
Thanks for posting this!
I’ve been looking into buying a Prius, and I have to say, I’m a little leery now. While what happened is certainly a rare and extraordinary case, it’s still pretty terrifying!