Moderated Discussion Areas
ContinuousWave: Small Boat Electrical
Digital Electronic Throttle Controls--Revisited
|Author||Topic: Digital Electronic Throttle Controls--Revisited|
posted 05-29-2010 09:27 AM ET (US)
Many current outboard manufacturers offer outboard motors where the engine throttle control is actuated using electrical actuators, and the control system that operates the throttle actuators uses digital data and communication. These systems are often called "fly-by-wire" controls. In the recent past there was very high profile reporting--a media storm--of problems with similar electronic controls in cars made by TOYOTA. The concern about runaway full-throttle conditions received very widespread coverage. It is my impression that the effect of the TOYOTA media storm was to raise concerns about the safety and reliability of fly-by-wire control systems in general. In the case of marine fly-by-wire control systems, I think there was also increased concern due to the relatively small number of systems in place and the limited time such systems had been offered.
During the TOYOTA controversy, the ABC News organization aired reports that indicated the problems were likely to be due to fundamental bugs in the electronics or the underlying software code used to in the controls, which could, under the right conditions, cause full-throttle acceleration to occur without leaving any sort of digital record or recording of the event in the control systems error log or putting the vehicle into fail safe mode.
An interesting article by Drew Winter on page 12 of the APRIL 2010 issue of the car industry magazine, WARD'S AUTOWORLD, notes that the source of the information used by ABC News in their reporting was a professor at Southern Illinois University, David Gilbert. Mr. Gilbert's research in this area was funded by Sean Kane, who is an advocate for lawyers suing Toyota. Gilbert's demonstration to the media was done using a circuit to which wires had been intentionally striped bare, and an extra component added to the circuit. Further, the material that was broadcast by ABC was edited in a misleading way. ABC inserted a scene showing the tachometer needle rising rapidly to red-line, when in actuality the engine acceleration that was demonstrated was much slower.
Toyota asked teams of engineering and electronic experts at Stanford University to review Mr. Gilbert's research. Their finding was that Gilbert's demonstration was rigged to produce the outcome. Further, by adding the same circuitry used by Gilbert to other models of cars using fly-by-wire controls, such as BMW, Mercedes, Honda, Ford, and Chevrolet, the same engine speed acceleration could also be produced.
Toyota's ultimate response to the unintended acceleration problem focused on mechanical friction reduction and elimination of sticking, not on fundamental problems in electronic circuitry or control systems. See:
In another article in that same edition of the magazine, John McElroy speculates that most instances of unintended acceleration are caused by human error--the driver hitting the wrong pedal--and not by hidden "ghosts" in electronic controls.
Because so much negative publicity was given to electronic throttle controls from Toyota, my impression is boaters may have become increasingly worried about reliability of outboard motors controlled with fly-by-wire techniques. It is reassuring to learn that the fundamental cause of problems with Toyota throttles was simple mechanical friction, not electronic or software bugs.
posted 05-29-2010 11:55 AM ET (US)
Jim, I don't think the facts support your conclusion. While it may be true that Gilbert's demonstration was rigged, and it is also true that Toyota's implemented fix, thus far, has been mechanical in nature, that does not exonerate Toyota's vehicle control firmware. As an embedded developer myself, though not knowing the in-depth technical details in this case, I'd have to say that the whole thing has the smell of software defect about it.
With regards to other digital engine controls, either automotive or marine, all I can say is that any significant piece of software, unless developed under rare and extraordinarily expensive methodologies, has defects. Usually many defects, though most are either never expressed because the unusual conditions required never occur, or are sufficiently benign to be no more than an annoyance. It's not unusual for "good-quality" software to have several defects per thousand lines of source code, and when you consider that there may be tens of thousands of lines of code in an embedded system, you can see we might be talking about a few hundred errors remaining in a well-designed, well-tested product. To say nothing of poor-quality products.
posted 05-29-2010 12:08 PM ET (US)
Toyota makes a clear statement about the existence of any defects in their electronic control unit or ECU:
"Toyota is confident that no defect exists in the ECU."
(From the Toyota website linked above.)
posted 05-29-2010 12:14 PM ET (US)
Bob--I appreciate facts, so you are welcome to present the facts that contradict the conclusion of Toyota, as well as the team of experts from Stanford University. Your statement that defects exist in design of the Toyota ECU or its firmware is not a fact, but speculation.
posted 05-29-2010 02:45 PM ET (US)
The only thing that does support part of Bob's speculation
Is the fact that Mercury DTS (digital throttle and shift) guardian software has had to be corrected to allow shift on demand from the ERC (electronic remote control).
This was previously not available when the lever fault alarm was triggered leaving the engine(s) unable to be shifted in or out of gear.
Considering this fault took some time to be discovered it is not unreasonable to speculate of others yet to occur.
Although the odds of any of them being potential dangerous is very small IMO and will probably be diagnosed wrongly and put down to other problems than software, as it would be hard to replicate the error.
posted 05-29-2010 03:25 PM ET (US)
In automotive applications, there are two controls, the throttle and the brake. There is a great deal of speculation that most of the problems reported with unintended acceleration in automobiles with electronic throttle controls have occurred because the operator pressed the wrong control--the operator pressed the throttle control instead of the brake. In marine applications there is no brake control, only a throttle control. Adjustment of the throttle control is unambiguous--you push one way to go faster and pull back to go slower. As far as I know, there has never been a report of unintended acceleration in a marine application with electronic throttle controls. The Mercury DTS system problem was related to something other than unintended acceleration to full throttle.
Nothing made by man can be perfect or completely reliable. Even in a mechanically linked throttle, there could be latent defects. A cable might have a weakness and could break.
In most modern engines, the actual control of the engine speed is via electronic methods irrespective of how the throttle plate position is moved. That is, the position of the throttle plate is electrically sensed and relayed to the engine control system so that the engine speed can be adjusted. The input of the mechanical movement of the throttle plate in an electronic throttle control system just changes the mechanism of moving the throttle plate from a purely mechanical linkage to a combined electrical, electronic, and mechanical linkage. If there were intrinsic risk in any form of engine control involving electronics and software, all modern engines have this risk because all modern engines operate under the control of very complex and sophisticated electronics and software-driven control systems.
In my view, adding a bit of additional software and electronics to control the mechanical position of the throttle plate does not constitute a significant increase in risk of inherent defect due to poor software design or poor electronic implementation. There is already a computer running the whole motor. Why have fits because a small system runs a servo to move the throttle?
posted 05-30-2010 11:45 AM ET (US)
I think the point jimh made about EFI is important to keep in mind, essentially if you a modern fuel injected engine, which in a automobile has been the case since the late 80's. It is controlled by a computer, with a mechanical cable telling the computer what to do.
However if you want to understand what it takes to make "perfect" engine control software, or really any software, the following article on how the flight control system for the Space Shuttle is a must read to appreciate the effort involved: http://www.fastcompany.com/magazine/06/writestuff.html?page=0,0
I don't believe Mercury or Toyota goes to that extreme and there is a high probability of some defects in their software, even if they cause no issues. Keeping in mind complex mechanical systems like carburetors all have defects as well.
posted 05-30-2010 12:17 PM ET (US)
ASIDE: Thank you for the pointer to the article about the Space Shuttle software and the process used to create control system software with very few errors. It was a very interesting read. I am going to pass it on to some people I know who write software for a living.
Ironically, I found several errors in the article. For example, this sentence:
"And money is not the critical constraint: the groups $35 million per year budget is a trivial slice of the NASA pie, but on a dollars-per-line basis, it makes the group among the nation's most expensive software organizations."
The possessive apostrophe was omitted from "groups." I noticed at least one other instance where a possessive apostrophe was omitted.
Also, the follow-up comments appended to the article were mostly automated advertisements for various products. The software that manages the website does not do a very good job preventing robots from appending comments filled with advertisements.
It is ironic that an article about error-free software should have errors.
posted 05-30-2010 05:53 PM ET (US)
I would point out that fly-by-wire systems are pretty much standard on commercial aircraft built within the last 10 years, and with all due respect to the 8 or 10 people on a space shuttle, the hundreds of lives at stake on a commercial airliner would tell me that, not only is the technology viable, but the means to implement it in a mostly error-free fashion, is well-understood.
Now as a retired software engineer, it is indeed true that relative costs come into play here, and traditionally software where faults do not have catastrophic consequences (like most of the stuff on your average PC) is not developed with a huge testing and verification budget.
I suspect software that runs outboards is in some middle ground here - there is probably some extra care taken, but the cost of airline-style testing methodology would be prohibitive.
Bottom line: it all depends on how many people you might kill if you get it wrong.
Powered by: Ultimate Bulletin Board, Freeware Version 2000
Purchase our Licensed Version- which adds many more features!
© Infopop Corporation (formerly Madrona Park, Inc.), 1998 - 2000.
Powered by: Ultimate Bulletin Board, Freeware Version 2000