Analyzing Unintended Acceleration and Electronic Controls

Prof. Todd HubingMichelin Professor of Vehicle Electronic Systems IntegrationClemson University International Center for Automotive Research

Outline of Presentation

Background Information – 10 minutes

Description of the Problem – 20 minutes

Proposed Solution – 20 minutes

Questions – 10 minutes

July 1, 2010 2

Background Information

July 1, 2010 3

Professional BackgroundEDUCATION

B.S. (E.E.), Massachusetts Institute of Technology, 1980M.S. (E.E.), Purdue University, 1982Ph.D. (E.E.), North Carolina State University, 1988

PROFESSIONAL EXPERIENCE2006 – present Michelin Professor of Vehicular Electronics, Clemson University1999-2006 Professor of Electrical and Comp. Eng., Univ. of Missouri-RollaSummer 2002 Visiting Faculty at Sandia National Laboratories, Albuquerque, NMSummer 2000 Visiting Professor at Okayama University, Okayama, Japan1995-1999 Associate Professor of Electrical Engineering, Univ. of Missouri-Rolla1989-1995 Assistant Professor of Electrical Engineering, Univ. of Missouri-RollaSpring 1989 Adjunct Assistant Professor, North Carolina State University1982-1989 Staff Engineer, Electromagnetic Compatibility Laboratory,

IBM Communications Products Division, Raleigh NCPROFESSIONAL ACTIVITIES

American Society for Engineering EducationFellow of the Applied Computational Electromagnetics Society Fellow of the Institute for Electrical and Electronics Engineers (IEEE)IEEE Electromagnetic Compatibility Society

- President (2002 - 2003)- Board of Directors (1995 - 2005, 2007 - )

July 1, 2010 4

Vehicular Electronics Laboratory Researchers

FacultyTodd Hubing Michelin Professor

Graduate StudentsXinbo He Ph.D. Student - ECEChangyi Su Ph.D. Student - ECE Hua Zeng Ph.D. Student - ECE Ho-Cheol Kwak Ph.D. Student - ECE Nan Maung Ph.D. Student - ECELi Niu Ph.D. Student – AuEChentian Zhu Ph.D. Student - AuE

Visiting ScholarsYanqiang Li Shandong Academy of Sciences

Visiting StudentsYi Sun Beijing Jiao Tong University

July 1, 2010 5

Vehicular Electronics Laboratory Facilities

Chassis Dynamometer

Electronics Lab

EMC Test Facility

July 1, 2010 6

EMC Research Funding Sources

July 1, 2010 7

Intel Boeing General Motors National Science Foundation John Deere Sun Microsystems Hewlett Packard Chrysler NCR Lucent Innoveda AMP Caterpillar Parker Chomerics

LG Electronics Viewlogic Zuken IBM Nortel Honeywell FCI Mentor Graphics AVX Microsoft Visteon Honeywell Italtel Dupont

Siemens Sony NEC Texas Instruments Touchstone Research Lab Hitachi Huawei Cisco Systems Michelin Americas Samsung Battelle Bailey & Glasser … Panasonic Electrolux

(1990 – 2010)

Automotive and Aerospace Experience

July 1, 2010 8

Boeing General Motors John Deere Chrysler Caterpillar General Dynamics NASA General Electric Allison Transmission

Sandia National Labs Visteon Honeywell Siemens NEC Texas Instruments Freescale Hitachi Michelin

We’ve been successful because …

July 1, 2010 9

We understand electromagnetic compatibility.

We know how to design for electromagnetic compatibility.

We know how to model electromagnetic compatibility problems.

We know what it takes to meet EMC test requirements.

We know understand automotive design and manufacturing constraints.

We understand aerospace design and manufacturing constraints.

The Problem

July 1, 2010 10

Slide from 2006 Presentation

July 1, 2010 11

Automobiles are Complex Electronic Systems

July 1, 2010 12

Automobiles are Complex Electronic Systems!

~ 100 Million Lines of Code

5.7 Million Lines of Code

6.5 Million Lines of Code

F-35 Joint Strike Fighter

Boeing 787Dreamliner

Today’s Typical

Luxury Car

July 1, 2010 13

Systems Capable of Actuating the Throttle and/or Brakes (from 2008 NSF Proposal)

BRAKES

AdaptiveCruiseControl(ACC)

Anti-lockBrakingSystem(ABS)

AutomatedParkingSystem

ElectronicStabilityControl(ESC)

Brake Pedal Position

Steering Wheel Angle

Yaw Rate

Lateral AccelerationWheel SpeedThrottle

Vehicle Speed

Wheel Speed

ThrottleForward Radar

Vehicle Speed

Forward Position

Right Side Position

Rear Position

Vehicle SpeedSteering Wheel Angle

Steering Angle

Throttle

July 1, 2010 14

Problems with Current Automotive Designs

July 1, 2010 15

Safety critical reliance on analog sensor inputs whose accuracy cannot be validated.

Safety critical reliance on undefined software whose performance cannot be modeled or validated.

Safety critical reliance on individual hardware components (particularly microcontrollers).

For Example …

July 1, 2010 16

Accelerator Pedal Position Sensor / Throttle Position Sensor

Employs 2 redundant, but nearly identical hall-effect position sensors.

Interference that affects one sensor, can affect the other sensor in an identical way, resulting in a bad reading with no error code generated.

For Example …

July 1, 2010 17

Accelerator Pedal Position Sensor / Throttle Position Sensor

RF currentscoupled to

wire harness can

result in unintended

acceleration.

BCI on Freq Mod CM Current (dBµA)

DM Current (dBµA)

Signal lines(VPA&VPA2)

100kHz NA 97(At 100 kHz)

104(At 100 kHz)

Engine accelerated

Power lines(VCPA&VCP2)

100kHz NA 90(At 100 kHz)

110(At 100 kHz)

Engine accelerated

Return lines(EPA&EPA2)

100kHz NA 102(At 100 kHz)

112(At 100 kHz)

Engine accelerated

Signal + Return(VPA+VPA2+EPA+EPA2)

100kHz NA 86(At 100 kHz)

113(At 100 kHz)

Engine accelerated

Signal lines(VPA&VPA2)

380MHz 160kHz

98(At 100 kHz)

108(At 100 kHz)

Engine accelerated

Power lines(VCPA&VCP2)

360MHz 130kHz

81(At 100 kHz)

104(At 100 kHz)

Engine accelerated

Signal Generator

Receiver

BCI ProbeAmplifier

Current Probe

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

4.0

4.5

5.0

5.0 4.8 4.6 4.4 4.2 4.0 3.8 3.6 3.4 3.2 3.0 2.8 2.6 2.4 2.2 2.0 1.8 1.6 1.4 1.2 1.0 0.8 0.6 0.4 0.3

Posit

ion S

enso

r Out

put (

volts

)

Supply Voltage (volts)

Accelerator Pedal Position Sensor Outputs vs. Varying Supply Voltage

VPA min

VPA2 min

VPA max

VPA2 max

NORMAL OPERATION NORESPONSE

ERROR DETECTEDOPENTHROTTLE

For Example …

July 1, 2010 18

Accelerator Pedal Position Sensor / Throttle Position Sensor

Decrease in voltage to

sensor can result in

unintendedacceleration.

Resistor applied Switch closedR

(ohm)VPA-GND0(volts)

VPA2-GND0(volts)

GND1-GND0(volts)

Engine Speed(rpm)

VPA-GND0(volts)

VPA2-GND0(volts)

GND1-GND0(volts)

Engine

Speed(rpm)

10 0.958 1.73 0.103 700 1.08 1.82 0.249 7001.24 2.01 0.105 1500 1.35 2.09 0.247 21001.32 2.08 0.104 2000 1.41 2.17 0.245 2600

20 0.957 1.72 0.098 700 1.18 1.92 0.364 12001.24 2.01 0.101 1500 1.45 2.19 0.300 30001.31 2.08 0.104 2000 1.52 2.24 0.380 3600

50 0.957 1.72 0.101 700 1.54 2.22 0.825 4000100 0.960 1.73 0.105 700 2.08 2.68 1.45 5500130 0.960 1.73 0.106 700 4.73 4.80 1.93 5500140 0.958 1.73 0.108 700 4.81 4.85 2.01 700*

1.24 2.01 0.107 1500 4.82 4.87 2.02 5500150 0.956 1.72 0.100 700 4.84 4.88 2.06 700*

1.24 2.02 0.120 1500 4.86 4.85 2.08 3900*

For Example …

July 1, 2010 19

Accelerator Pedal Position Sensor / Throttle Position Sensor

Normal Resistor appliedR

(ohm)VPA-EPA

(volts)

VPA2-EPA

(volts)

VCP2-EPA

(volts)

Engine Speed(rpm)

VPA-EPA

(volts)

VPA2-EPA

(volts)

VCP2-EPA

(volts)

Engine Speed(rpm)

112 0.868 1.65 4.99 700 0.747 1.27 3.42 7001.15 1.93 4.99 1500 0.858 1.37 3.42 700

115 0.868 1.65 4.99 700 1.72 2.25 3.30 5500120 0.86 1.64 5.0 700 2.50 2.76 3.24 5500130 0.87 1.64 5.0 700 2.87 2.91 3.17 5500135 0.86 1.65 4.99 700 2.88 2.90 3.12 700*

1.15 1.93 4.99 1500 2.88 2.83 3.12 5500140 0.86 1.65 4.99 700 2.87 2.89 3.09 700*

1.15 1.93 4.99 1500 2.87 2.83 3.08 5500155 0.871 1.65 5.0 700 2.83 2.84 3.02 700*

1.18 1.96 5.0 1500 2.82 2.80 3.01 5500160 0.870 1.65 5.0 700 2.81 2.82 2.98 700*

1.14 1.94 5.0 1500 2.80 2.78 2.98 700*

Various shorts and faults can result in

unintended acceleration.

For Example …

One ECM input determines on/off, set speed, and resume speed.

A 2-meter floating wire is attached to that input.

This design is inherently susceptible to radiated electromagnetic interference. We can’t be sure what is done within the ECM software to ensure that the cruise control doesn’t engage and set do to spurious inputs.

July 1, 2010 20

Cruise Control

For Example …

July 1, 2010 21

Grounding Differences

3 Possible UA Failure Modes

Bad sensor input - fools ECM into opening the throttle.

A software “glitch” – gives unintended command to open throttle (may or may not involve a bad input).

A hardware (microprocessor) malfunction – processor latches up or jumps to wrong subroutine requiring a hard reset.

July 1, 2010 22

Some Key Points

Due largely to the electronics, today’s cars are safer than ever before.

Even for makes and models with the highest number of reported incidents, sudden acceleration incidents are reported about once in every 600 million miles driven.

July 1, 2010 23

Some Key Points

The electronics in virtually any car sold today is capable of causing the types of failures being reported as “sudden acceleration” events; though failure detection and mitigation capabilities vary significantly.

It is not possible to fully model, test or validate the safety of electronic systems in automobiles due to a lack of standard design platforms, meaningful EMC test procedures, or OEM control of subsystem designs. Recreating a particular failure mode can be extremely difficult due to the thousands of possible failure mechanisms and software/hardware states.

July 1, 2010 24

Proposed Solution

July 1, 2010 25

Short-term Recommendations

A software subroutine that cuts the throttle when the brake pedal is depressed would compensate for a large percentage of the possible failure mechanisms. A hardware solution (e.g. BMW’s approach) should be even more reliable.

Hardware redundancy and fault-tolerant software design would be relatively inexpensive and easy to implement if adopted by the entire automotive industry.

The driver should have some way to override the engine control module (e.g. a key switch that physically removes the power to the ECM).

July 1, 2010 26

Long-term Recommendations

This requires design constraints and interface standards.

Must be able to model all system behavior including all hardware and software interactions.

Continuous refinement of these standards would be greatly facilitated by the installation of black boxes in automobiles.

July 1, 2010 27

Final Thoughts

Odds of being involved in an unintended acceleration accident are much lower than odds of being involved in other types of car accidents.

Unintended automotive system behavior is a problem that will certainly get worse without a major change in automotive standards and design practices.

July 1, 2010 28

Questions

July 1, 2010 29