Safety problems with Toyota's electronic throttle control
Posted by: taichi, 2010-02-03 09:32:29, on [世界军事论坛]
Toyota's throttle problem has quite a history, but it only blew up recently. Toyota rushed out a patch, claiming a single spring would fix it. Is that really so? Let's look at the history.
Toyota's throttle problem was seeded the moment it changed its throttle design to fly-by-wire ETC. Back when Toyota pushed fly-by-wire ETC into the market, plenty of people voiced concern about its safety.
ETC stands for Electronic Throttle Control. What does that mean? Start with mechanical throttle control. A mechanical throttle is controlled by a cable, the kind used for bicycle brakes, running from your accelerator pedal to the engine; how far the throttle opens is entirely under your control, and if the cable fails you feel it in your foot immediately.
In 1988 BMW was the first to introduce an ETC system, on the 7 Series, adding some electronics around that mechanical cable; later other carmakers followed suit and added ETC one after another. But these ETC systems, called Drive by Wire, were built around that cable; the mechanical link between the pedal and the engine was always there.
And Toyota? It went one step further and simply eliminated the mechanical link between the pedal and the engine. Under a Toyota accelerator pedal there is now a sensor box; the sensor sends the pedal position to a computer, and the computer, based on the engine's current operating state, translates the sensor signal into a throttle opening. This is what is called fly-by-wire. There are of course advantages: it avoids many problems of driver skill or driving habit, such as stalling on a hill start from too little throttle. But its biggest problem is the safety issue that has now erupted. Because Toyota removed the driver's direct control of the throttle, the whole throttle is now in the hands of Toyota's computer, and the computer can overwrite the driver's throttle command: if the computer thinks it should accelerate, lifting off the pedal does nothing. In other words, Toyota is now much like Microsoft: it assumes you are an idiot and knows better than you what you want to do.
So much for the principle. How do you fix the problem? First look at the failure mechanisms. The failure mechanisms of 'fly-by-wire' fall roughly into three classes:
The first class is input signal failure: the signal the sensor sends to the computer is wrong; the driver has not pressed the pedal, but the sensor says he has. This is also the failure mechanism Toyota is now trying to get people to believe in; from removing the floor mat at the start, so it cannot jam the pedal, to now fitting a bigger spring to push the pedal back up, it is all the same approach. Why? Because it is the cheapest and the easiest to fix.
The second class is output failure: a problem between the electronic signal leaving the computer and the mechanism that actuates the throttle. If something goes wrong here it can be measured and reproduced, and it is now fairly clear there is no problem in this part.
The third class is the nasty one: computer failure. Anyone who has done embedded systems knows the most feared problem is the program running wild; once it runs wild the computer has gone mad and the only remedy is a RESET. 捣乱 has the most first-hand experience of this; back in the day his programs kept running wild. What is the hallmark of a program running wild? Heh, it cannot be reproduced, because it goes off somewhere different every time, and once you restart, everything is perfectly normal again.
The Toyota fatal cases known so far basically all show the characteristics of the third class of failure: the throttle suddenly goes out of control; afterwards no failed component can be found; the sequence of events cannot be reproduced. That is not surprising at all. The environment in a car is the least friendly there is for electronics: high temperature, heavy vibration, unstable power supply, all sorts of high-voltage signals flying around. A program running wild is normal; not running wild would be abnormal. Of course 捣乱 also has many tricks for keeping a program from running wild, but however careful you are, something always gets overlooked. Among millions of cars, a few running wild under some specific condition is the most natural thing in the world. One fix is to restore the driver's mechanical control of the throttle, so the driver can overwrite the computer. But never mind whether Toyota has that much money; even if it did, would anyone dare buy its cars afterwards? Another possible approach is open source: the safety holes in its computer are very hard to plug completely with just its handful of engineers; with the human-wave tactics of open source, whether or not they all get plugged, the hazards should at least be found earlier, including conditions that reproducibly make Toyota's computer run wild.
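As an added illustration, not code from this post or from Toyota: a constructed C model of the defences the three failure classes call for, with a watchdog that catches a control loop that has stopped running (the third class), a plausibility check on the pedal sensor (the first class), and a clamp so the computer can never open the throttle further than the pedal asks. Names and thresholds are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of one ETC control step. Thresholds are assumed
 * values for illustration, not Toyota calibration data. */
#define THROTTLE_MAX       100  /* percent */
#define IDLE_PCT             8  /* assumed idle floor the ECU may hold */
#define WATCHDOG_LIMIT_MS   50  /* assumed watchdog timeout */

typedef struct {
    uint32_t last_kick_ms;  /* last time the control loop proved it was alive */
    bool     faulted;       /* latched fault: throttle held closed until reset */
} etc_state_t;

/* The healthy control loop calls this every cycle; a loop that has run wild
 * (third failure class) stops calling it. In a real ECU the watchdog is a
 * separate hardware timer so it keeps working when the CPU does not. */
void etc_kick(etc_state_t *s, uint32_t now_ms) { s->last_kick_ms = now_ms; }

/* Watchdog: if the loop has not kicked within the limit, latch a fault. */
bool etc_alive(etc_state_t *s, uint32_t now_ms) {
    if (!s->faulted && now_ms - s->last_kick_ms > WATCHDOG_LIMIT_MS)
        s->faulted = true;
    return !s->faulted;
}

/* Throttle command in percent. pedal_pct is the pedal sensor reading,
 * ecu_request_pct is what the control software wants (idle-up, smoothing).
 * Returns 0 (closed) on any fault. The clamp is the point the post makes:
 * the ECU may open the throttle less than the driver asked, never more,
 * except to hold idle, so lifting off the pedal always wins. */
uint8_t etc_throttle_cmd(etc_state_t *s, uint32_t now_ms,
                         int pedal_pct, int ecu_request_pct) {
    if (!etc_alive(s, now_ms))
        return 0;                       /* runaway loop: fail to closed */
    if (pedal_pct < 0 || pedal_pct > THROTTLE_MAX) {
        s->faulted = true;              /* first class: implausible sensor */
        return 0;
    }
    int ceiling = pedal_pct > IDLE_PCT ? pedal_pct : IDLE_PCT;
    if (ecu_request_pct < 0)
        ecu_request_pct = 0;
    return (uint8_t)(ecu_request_pct > ceiling ? ceiling : ecu_request_pct);
}
```

The fault is latched deliberately: once the watchdog or the plausibility check trips, the throttle stays closed until an explicit reset, so an intermittent fault cannot reopen it.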
http://bbs./sports/bbsviewer.php?btrd_id=1032309&btrd_trd_id=445633
Toyota Recall: Experts Point To Electronic Throttles; Not Floor Mats In Sudden Acceleration Problem
http://kansascity.injuryboard.com/automobile-accidents/toyota-recall-experts-point-to-electronic-throttles-not-floor-mats-in-sudden-acceleration-problem.aspx?googleid=275138
Robert DeGraff, January 27, 2010
I recently purchased a new 2010 Camry and am a retired professional engineer with some experience in forensic engineering investigation and have experience in applying Kepner-Tregoe analysis to puzzling situations. You have to look at "what has changed" and "what is different" between test conditions and actual field conditions in variable and extreme situations such as the reports of sudden acceleration caused or allowed by the fly by wire throttle control.
The persistent but infrequent reports indicate that Toyota engineers have missed something in their testing. Although most inside engineers are resistant to suggestion from outsiders, I'll offer my comments and concerns for their review: there are several transient situations which electronic controlled vehicles must resist, commonly called EMI and RFI.
1) when you pass under, over or next to high power electric lines, not only is some energy imposed but a doppler effect can swing the frequency. Yes, some high power lines are under you, buried under the roadway such as the emergency feeders for O'Hare airport. How adequate is the EMI shielding for emissions from beneath? Some power lines are heavily loaded and emit stronger signals when they approach capacity or during surges just before and while their breakers trip.
2) cellphones, BlackBerrys and wireless laptops also emit some strange and variable signals. I'm told that as a cellphone gets farther from its tower, it increases its power. At least 2 of the reports of apparent fly-by wire runaways mention the use of their cellphone during the incidents. Certainly these devices get very close to the car's computer(s).
3) there are stray emissions from CBs, ham radios and other (sometimes illegal) broadcasting which may induce problems with RFI on computer controls. Many years ago, early computer controlled braking systems on IH trucks suffered wild scenarios until they were very thoroughly RF shielded. Could it be that some similar transients are affecting Toyota fly by wire throttle computer controls? I am not trying to be a wise guy; just offering some outside ideas for them to reconsider in their testing for the elusive cause of infrequent but terrifying runaways.
http://pressroom.toyota.com/pr/tms/our-point-of-view-post.aspx?id=2234