Analyzing Unintended Acceleration and
Electronic Controls
Prof. Todd Hubing
Michelin Professor of Vehicle Electronic Systems Integration
Clemson University International Center for Automotive Research
Outline of Presentation
 Background Information – 10 minutes
 Description of the Problem – 20 minutes
 Proposed Solution – 20 minutes
 Questions – 10 minutes
July 1, 2010
2
Background Information
July 1, 2010
3
Professional Background
EDUCATION
B.S. (E.E.), Massachusetts Institute of Technology, 1980
M.S. (E.E.), Purdue University, 1982
Ph.D. (E.E.), North Carolina State University, 1988
PROFESSIONAL EXPERIENCE
2006 – present
Michelin Professor of Vehicular Electronics, Clemson University
1999-2006
Professor of Electrical and Comp. Eng., Univ. of Missouri-Rolla
Summer 2002
Visiting Faculty at Sandia National Laboratories, Albuquerque, NM
Summer 2000
Visiting Professor at Okayama University, Okayama, Japan
1995-1999
Associate Professor of Electrical Engineering, Univ. of Missouri-Rolla
1989-1995
Assistant Professor of Electrical Engineering, Univ. of Missouri-Rolla
Spring 1989
Adjunct Assistant Professor, North Carolina State University
1982-1989
Staff Engineer, Electromagnetic Compatibility Laboratory,
IBM Communications Products Division, Raleigh NC
PROFESSIONAL ACTIVITIES
American Society for Engineering Education
Fellow of the Applied Computational Electromagnetics Society
Fellow of the Institute for Electrical and Electronics Engineers (IEEE)
IEEE Electromagnetic Compatibility Society
- President (2002 - 2003)
- Board of Directors (1995 - 2005, 2007 - )
July 1, 2010
4
Vehicular Electronics Laboratory Researchers
Faculty
Todd Hubing
Michelin Professor
Graduate Students
Xinbo He
Changyi Su
Hua Zeng
Ho-Cheol Kwak
Nan Maung
Li Niu
Chentian Zhu
Ph.D. Student - ECE
Ph.D. Student - ECE
Ph.D. Student - ECE
Ph.D. Student - ECE
Ph.D. Student - ECE
Ph.D. Student – AuE
Ph.D. Student - AuE
Visiting Scholars
Yanqiang Li
Shandong Academy of Sciences
Visiting Students
Yi Sun
Beijing Jiao Tong University
July 1, 2010
5
Vehicular Electronics Laboratory Facilities
Electronics Lab
EMC Test Facility
Chassis
Dynamometer
July 1, 2010
6
EMC Research Funding Sources
(1990 – 2010)
 Intel
 LG Electronics
 Siemens
 Boeing
 Viewlogic
 Sony
 General Motors
 Zuken
 NEC
 National Science Foundation  IBM
 Texas Instruments
 John Deere
 Nortel
 Touchstone Research Lab
 Sun Microsystems
 Honeywell
 Hitachi
 Hewlett Packard
 FCI
 Huawei
 Chrysler
 Mentor Graphics
 Cisco Systems
 NCR
 AVX
 Michelin Americas
 Lucent
 Microsoft
 Samsung
 Innoveda
 Visteon
 Battelle
 AMP
 Honeywell
 Bailey & Glasser …
 Caterpillar
 Italtel
 Panasonic
 Parker Chomerics
 Dupont
 Electrolux
July 1, 2010
7
Automotive and Aerospace Experience









Boeing
General Motors
John Deere
Chrysler
Caterpillar
General Dynamics
NASA
General Electric
Allison Transmission









July 1, 2010
Sandia National Labs
Visteon
Honeywell
Siemens
NEC
Texas Instruments
Freescale
Hitachi
Michelin
8
We’ve been successful because …

We understand electromagnetic compatibility.

We know how to design for electromagnetic compatibility.

We know how to model electromagnetic compatibility
problems.

We know what it takes to meet EMC test requirements.

We know understand automotive design and
manufacturing constraints.

We understand aerospace design and manufacturing
constraints.
July 1, 2010
9
The Problem
July 1, 2010
10
Slide from 2006 Presentation
July 1, 2010
11
Automobiles are Complex Electronic Systems
July 1, 2010
12
Automobiles are Complex Electronic Systems!
F-35 Joint
Strike
Fighter
5.7 Million Lines of Code
Boeing 787
Dreamliner
6.5 Million Lines of Code
Today’s
Typical
Luxury Car
~ 100 Million Lines of Code
July 1, 2010
13
Systems Capable of Actuating the Throttle
and/or Brakes (from 2008 NSF Proposal)
Forward Radar
Vehicle Speed
Adaptive
Cruise
Control
(ACC)
Throttle
Anti-lock
Braking
System
(ABS)
Brake Pedal Position
Vehicle Speed
Wheel Speed
BRAKES
Forward Position
Right Side Position
Rear Position
Vehicle Speed
Steering Wheel Angle
Automated
Parking
System
Steering Angle
Throttle
Throttle
July 1, 2010
Electronic
Stability
Control
(ESC)
Steering Wheel Angle
Yaw Rate
Lateral Acceleration
Wheel Speed
14
Problems with Current Automotive Designs
 Safety critical reliance on analog sensor inputs
whose accuracy cannot be validated.
 Safety critical reliance on undefined software
whose performance cannot be modeled or
validated.
 Safety critical reliance on individual hardware
components (particularly microcontrollers).
July 1, 2010
15
For Example …
Accelerator Pedal Position Sensor / Throttle Position Sensor
 Employs 2 redundant, but nearly
identical hall-effect position sensors.
 Interference that affects one sensor, can
affect the other sensor in an identical way,
resulting in a bad reading with no error
code generated.
July 1, 2010
16
For Example …
Accelerator Pedal Position Sensor / Throttle Position Sensor
Current Probe
Signal
Generator
RF currents
coupled to
wire harness
can
result in
unintended
acceleration.
Receiver
Amplifier
BCI on
Freq
Mod
Signal lines
(VPA&VPA2)
Power lines
(VCPA&VCP2)
Return lines
(EPA&EPA2)
Signal + Return
(VPA+VPA2
+EPA+EPA2)
Signal lines
(VPA&VPA2)
Power lines
(VCPA&VCP2)
100kHz
NA
100kHz
NA
100kHz
NA
100kHz
NA
380MHz
160
kHz
130
kHz
360MHz
BCI Probe
CM Current
(dBµA)
97
(At 100 kHz)
90
(At 100 kHz)
102
(At 100 kHz)
86
(At 100 kHz)
DM Current
(dBµA)
104
(At 100 kHz)
110
(At 100 kHz)
112
(At 100 kHz)
113
(At 100 kHz)
Engine
accelerated
Engine
accelerated
Engine
accelerated
Engine
accelerated
98
(At 100 kHz)
81
(At 100 kHz)
108
(At 100 kHz)
104
(At 100 kHz)
Engine
accelerated
Engine
accelerated
July 1, 2010
17
For Example …
Accelerator Pedal Position Sensor / Throttle Position Sensor
Accelerator Pedal Position Sensor Outputs vs. Varying Supply Voltage
5.0
NORMAL OPERATION
NO
RESPONSE
ERROR DETECTED
OPEN
THROTTLE
4.5
VPA min
4.0
Position Sensor Output (volts)
VPA2 min
VPA max
3.5
VPA2 max
3.0
2.5
2.0
1.5
1.0
0.5
0.0
5.0
4.8
4.6
4.4
4.2
4.0
3.8
3.6
3.4
3.2
3.0
2.8
2.6
2.4
2.2
2.0
Supply Voltage (volts)
July 1, 2010
1.8
1.6
1.4
1.2
1.0
0.8
Decrease in
voltage to
sensor can
result in
unintended
acceleration.
0.6
0.4
0.3
18
For Example …
Accelerator Pedal Position Sensor / Throttle Position Sensor
Normal
R
VPAVPA2VCP2(ohm)
EPA
EPA
EPA
(volts)
(volts)
(volts)
112
0.868
1.65
4.99
1.15
1.93
4.99
115
0.868
1.65
4.99
120
0.86
1.64
5.0
130
0.87
1.64
5.0
135
0.86
1.65 applied
4.99
Resistor
1.15
1.93
4.99
R
VPAVPA2GND10.86 GND0
1.65
4.99
(ohm)140 GND0
GND0
1.15
1.93
4.99
(volts)
(volts)
(volts)
155
0.871
1.65
5.0
1.96
5.0
10
0.9581.18
1.73
0.103
160
0.870
1.65
5.0
1.24
2.01
0.105
1.14
1.94
5.0
1.32
2.08
0.104
20
0.957
1.72
0.098
1.24
2.01
0.101
1.31
2.08
0.104
50
0.957
1.72
0.101
100
0.960
1.73
0.105
130
0.960
1.73
0.106
140
0.958
1.73
0.108
1.24
2.01
0.107
150
0.956
1.72
0.100
1.24
2.02
0.120
Engine
Speed
(rpm)
700
1500
700
700
700
700
1500
Engine
700
Speed
1500
(rpm)
700
1500
700
700
1500
1500
2000
VPAEPA
(volts)
0.747
0.858
1.72
2.50
2.87
2.88
2.88
VPA2.87
GND0
2.87
(volts)
2.83
2.82
1.08
2.81
1.35
2.80
1.41
700
1500
700
1500
1.18
1.45
1.52
1.54
2.08
4.73
4.81
4.82
4.84
4.86
Various
shorts and
faults can700
1500
result in 2000
unintended700
700
acceleration.
700
July 1, 2010
Resistor applied
VPA2VCP2Engine
EPA
EPA
Speed
(volts)
(volts)
(rpm)
1.27
3.42
700
1.37
3.42
700
2.25
3.30
5500
2.76
3.24
5500
2.91
3.17
5500
2.90
3.12
700*
Switch closed
2.83
3.12
5500
VPA2GND1Engin
2.89
3.09
GND0
GND0 700*
e
2.83
3.08
(volts)
(volts) 5500
Speed
2.84
3.02
700*
(rpm)
2.80
3.01
5500
1.82
0.249
700
2.82
2.98
700*
2.09
0.247
2100
2.78
2.98
700*
2.17
0.245
2600
1.92
0.364
1200
2.19
0.300
3000
2.24
0.380
3600
2.22
0.825
4000
2.68
1.45
5500
4.80
1.93
5500
4.85
2.01
700*
4.87
2.02
5500
4.88
2.06
700*
2.08
3900*
4.85
19
For Example …
Cruise Control
 One ECM input determines on/off, set
speed, and resume speed.
 A 2-meter floating wire is attached to that
input.
 This design is inherently susceptible to
radiated electromagnetic interference. We
can’t be sure what is done within the ECM
software to ensure that the cruise control
doesn’t engage and set do to spurious
inputs.
July 1, 2010
20
For Example …
Grounding Differences
July 1, 2010
21
3 Possible UA Failure Modes
 Bad sensor input - fools ECM into opening the throttle.
 A software “glitch” – gives unintended command to open
throttle (may or may not involve a bad input).
 A hardware (microprocessor) malfunction – processor
latches up or jumps to wrong subroutine requiring a hard
reset.
July 1, 2010
22
Some Key Points
 Due largely to the electronics, today’s cars are safer than
ever before.
 Even for makes and models with the highest number of
reported incidents, sudden acceleration incidents are
reported about once in every 600 million miles driven.
July 1, 2010
23
Some Key Points
 The electronics in virtually any car sold today is capable
of causing the types of failures being reported as
“sudden acceleration” events; though failure detection
and mitigation capabilities vary significantly.
 It is not possible to fully model, test or validate the safety
of electronic systems in automobiles due to a lack of
standard design platforms, meaningful EMC test
procedures, or OEM control of subsystem designs.
 Recreating a particular failure mode can be extremely
difficult due to the thousands of possible failure
mechanisms and software/hardware states.
July 1, 2010
24
Proposed Solution
July 1, 2010
25
Short-term Recommendations
 A software subroutine that cuts the throttle when the
brake pedal is depressed would compensate for a large
percentage of the possible failure mechanisms. A
hardware solution (e.g. BMW’s approach) should be
even more reliable.
 The driver should have some way to override the engine
control module (e.g. a key switch that physically removes
the power to the ECM).
 Hardware redundancy and fault-tolerant software design
would be relatively inexpensive and easy to implement if
adopted by the entire automotive industry.
July 1, 2010
26
Long-term Recommendations
 Must be able to model all system behavior including all
hardware and software interactions.
 This requires design constraints and interface standards.
 Continuous refinement of these standards would be
greatly facilitated by the installation of black boxes in
automobiles.
July 1, 2010
27
Final Thoughts
 Odds of being involved in an unintended acceleration
accident are much lower than odds of being involved in
other types of car accidents.
 Unintended automotive system behavior is a problem
that will certainly get worse without a major change in
automotive standards and design practices.
July 1, 2010
28
Questions
July 1, 2010
29