Kamis, 25 Februari 2010

In Defense of ETC Part 2; Professor Gilbert's Test

In his testimony to the House Oversight Committee, Professor David W. Gilbert described how he was able to induce unintended acceleration in a Toyota ETC system. You can read his remarks here. Gilbert was hired by Safety Research Strategies, a "safety advocacy" group which is primarily a research and consulting firm for trial lawyers and plaintiffs.

Gilbert's testing discovered a hole in Toyota's diagnostics for their ETC system. To fool the system, he had to induce a highly unlikely failure. Toyota's system uses two pedal position sensors, which are separated by several centimeters, which have signal wires coming out on a common harness. Gilbert shorted the signal wires of the two sensors together through a resistor. By carefully choosing the resistor, he was able to find a short combination which the Toyota diagnostics did not detect. However, a short alone was not enough to cause unintended acceleration. To do that, Gilbert had to take the shorted wires, and then add another connection, to the power wire on the harness. When both sensor signal lines were shorted to the power line, then the throttle opened because the large voltage was interpreted as a command from the pedal. Because the two signals were within range of one another, the diagnostics didn't find it.

To induce this purely electronic unintended acceleration event, Gilbert had to induce two faults into the system. In the business, this is called a multi-point failure. It is similar to saying, "what if your gas tank was leaking and your wheel fell off, creating sparks". Because the sensors are separated in the throttle pedal housing, the only feasible way for this failure to occur, in my opinion, is for the wiring harness to be cut or frayed such that the signal wires are exposed, and electrically shorted, but not cut through.

Toyota hired respected engineering consulting house Exponent to do an outside check of their ETC fault robustness. The full report is here. Exponent bought several different Toyota vehicles, spliced into the ETC wiring harness, and inserted various types of faults, using engineering data provided by Toyota. All of the faults that Exponent inserted were quickly detected by Toyota's system. The difference in methodology from Gilbert's testing was that Exponent limited their faults to the more likely type, single-point failures, where a single wire or signal was compromised.

In short, Gilbert proved that by manipulating the system just so, he could break it. But his failure mode is not something that is remotely likely to occur in the real world. Gilbert produced what Safety Research Strategies, ABC News, and some congress members wanted: a dramatic demonstration. But he didn't find a smoking gun.


Tidak ada komentar:

Posting Komentar