ZT: Toyota电子油门控制的安全问题

Toyota电子油门控制的安全问题

送交者: taichi 2010年02月03日09:32:29 于 [世界军事论坛] 发送悄悄话

Toyota电子油门控制的安全问题

Toyota的油门问题很有些历史,但是直到最近才爆发,Toyota火速提出补丁,号称一个弹簧就可以解决. 真是这样吗? 看看历史吧.

Toyota的油门问题是从他把油门设计改成 Fly-by-Wire ETC开始就埋下隐患. 当年Toyota把 Fly-by-Wire ETC推进市场的时候, 就有很多人对它的安全问题表示担心.
所谓ETC, 就是 Electronic Throttle Control, 电子油门控制. 这是什么意思? 先从机械油门控制说起.机械油门控制,是通过一根线,就是自行车刹车线那种,从你的油门踏板连到发动机,油门开多大,全靠你自己控制, 如果这根线失效,你脚上也能立刻感觉到.

1988年,BMW第一个在7系车上推出了ETC系统,在这根机械连线周围加上了一些电子的玩意儿,后来其他车厂也见样学样, 纷纷加了ETC. 但是这些 ETC, 叫 Drive by Wire 是围着这跟线做文章, 油门踏板跟发动机的机械联系是一直存在的.

Toyota 呢? 就领先了一步, 干脆把油门踏板跟发动机的机械联系给取消了, Toyota的油门踏板下面,现在是一个传感器的盒子,传感器把油门位置送给一个计算机, 然后计算机根据当前发动机运行情况,把传感器信号翻译成油门大小,这就是所谓的 Fly-by-Wire. 这样做当然是有好处的, 可以避免很多司机的技术问题或者驾驶习惯问题, 比如坡起给油不够造成死火之类的, 但是它最大的问题就是现在爆发的安全问题. 因为司机对油门的直接控制被偷油他取消了, 现在油门整个在偷油他的计算机手上了,计算机可以 overwrite 司机的油门指令,如果计算机认为应该加速,你把油门松了也没用. 换句话说, Toyota现在就跟微软差不多, 假定你是SB, 你想干什么, 他比你自己知道的更清楚.

原理说完了,那问题怎么解决呢?那要先看失效机制. ‘Fly-by-Wire’的失效机制大概可以分三类:

第一类是输入信号失效, 就是传感器送给计算机的信号错了, 司机本来没踩油门, 传感器说踩了. 这也是偷油他现在试图让人相信的失效机制,从一开始的把 MAT拿掉免得卡住油门到现在换个大点弹簧把油门顶起来,都是这个路子.为什么?因为这个最便宜,也最容易解决.

第二类是输出失效, 就是从计算机输出的电子信号到油门的控制机械这一块出的问题,如果这里出了问题,可以测,也可以重复,现在比较明确这一块没有问题.

第三类问题就比较要命了,就是计算机失效. 做过嵌入式系统的都知道, 最怕的问题就是程序跑飞, 一旦跑飞, 计算机就疯了,只能RESET. 这个捣乱最有亲身体会了, 当年他的程序就老跑飞. 程序跑飞的特点是什么呢? 嘿嘿, 无法重复. 因为每次飞的地方都不一样,而且一旦重新启动,他就完全正常了.

现在知道的Toyota致死的案子,基本都表现出第三类失效的特征: 油门突然失去控制; 事后检查无法发现失效元件; 事故过程无法重复. 这个一点都不奇怪, 汽车上的环境对电子系统最不友好了, 高温,高震动,不稳定的电源,各种高压信号乱窜,程序跑飞正常,不跑飞就不正常了. 当然了, 捣乱也有许多防止程序跑飞的招, 但是百密一疏, 总有人考虑不到的地方. 几百万辆车里面, 有几辆在某个特定情况下跑飞了,再正常不过了.解决办法一个是恢复司机对油门的机械控制, 让司机可以overwrite计算机.但是且不说Toyota有没有这么多钱,就算他有,以后还有人敢买他的车吗? 还有一个可能的办法是 open source, 他的计算机的安全漏洞, 单靠他的几个工程师是很难全堵上的, 靠 open source 人海战术, 能不能堵住先不说, 应该可以早点发现安全隐患, 找到能可以重复让偷油他的计算机跑飞的条件.
http://bbs./sports/bbsviewer.php?btrd_id=1032309&btrd_trd_id=445633


Toyota Recall: Experts Point To Electronic Throttles; Not Floor Mats In Sudden Acceleration Problem
http://kansascity.injuryboard.com/automobile-accidents/toyota-recall-experts-point-to-electronic-throttles-not-floor-mats-in-sudden-acceleration-problem.aspx?googleid=275138


Robert DeGraff, January 27, 2010

I recently purchased a new 2010 Camry and am a retired professional engineer with some experience in forensic engineering investigation and have experience in applying Tepner-Tregoe analysis to puzzling situations. You have to look at "what as changed" and "what is different" between test conditions and actual field conditions in variable and extreme situations such as the reports of sudden acceleration caused or allowed by the fly by wire throttle control.

The persistent but infrequent reports indicate that Toyota engineers have missed something in their testing. Although most inside engineers are resistant to suggestion from outsiders, I'll offer my comments and concerns for their review: there are several transient situations which electronic controlled vehicles must resist, commonly called EMI and RFI.

1) when you pass under, over or next to high power electric lines, not only is some energy imposed but a doppler effect can swing the frequency. Yes , some high power lines are under you, buried under the roadway such as the emergency feeders for O'Hare airport. How adequate is the EMI shielding for emissions from beneath? Some power lines are heavily loaded and emit stronger signals when they approach capacity or during surges just before and while their breakers trip.

2) cellphones, blackberies and wireless laptops also emit some strange and variable signals. I'm told that as a cellphone gets farther from its tower, it increases its power. At least 2 of the reports of apparent fly-by wire runaways mention the use of their cellphone during the incidents. Certainly these devices get very close to the car's computer(s).

3) there are stray emissions from CBs ham radios and other (sometimes illegal) broadcasting which may induce problems with RFI on computer controls. Many years ago, early computer controlled braking systems on IH trucks suffered wild scenarios until they were very thoroughly RF shielded. Could it be that some similar transients are affecting Toyota fly by wire throttle computer controls? I am not trying to be a wise guy; just offering some outside ideas for them to reconsider in their testing for the elusive cause of infrequent but terrifying runaways.

http://pressroom.toyota.com/pr/tms/our-point-of-view-post.aspx?id=2234

• Very well written... -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:06:25

• 其他车厂也用同样技术，用计算机来控制油门吗？ -凤凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:09:36

• 我的车都是刚性的 -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:11:47

• 我觉得计算机控制油门是趋势，人类中不能总停在自行车时代吧 -凤凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:14:06

• 趋势并不都是对的 -狼主- ♀ (0 bytes) () 02/03/2010 postreply 08:16:24

• 那飞机也是用计算机控制油门，刹车的，你还敢坐飞机吗？ -凤凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:18:44

• 飞机电脑成本是多少? 汽车的是多少？ -biglow- ♂ (16 bytes) () 02/03/2010 postreply 08:22:07

• 飞机并不仅仅是用计算机控制油门和刹车，还有备份系统 -狼主- ♀ (20 bytes) () 02/03/2010 postreply 08:23:08

• 我同意你这一点。但要计算机控制油门不能乱飞 -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:18:32

• 没错，但出错有个概率问题，就和轮胎爆胎一样。 -凤凰小城- ♂ (16 bytes) () 02/03/2010 postreply 08:19:56

• 明知山有虎，偏向虎山行？你以为你是武松啊？ -internuts- ♂ (40 bytes) () 02/03/2010 postreply 08:22:52

• 人家或许早打定注意，过来讨个口彩，心理实在点就去买。 -用户名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 08:25:07

• Toy 的出错概率太大 -biglow- ♂ (40 bytes) () 02/03/2010 postreply 08:23:17

• 我去买个SIENNA看看，如果出事了，大家就再也别买了。 -凤凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:25:05

• Take care! Drive safely!! -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:31:21

• let us know what happens. ... be safe of course. -用户名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 08:36:50

• 舍身饲虎，壮士也！ -狼主- ♀ (0 bytes) () 02/03/2010 postreply 08:57:22

• 烈士也 -金马力- ♂ (0 bytes) () 02/03/2010 postreply 09:48:38

• 不壮不烈老虎不吃也 -用户名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 10:11:41

• Well said, just hit the point! -biglow- ♂ (133 bytes) () 02/03/2010 postreply 08:20:42

• Very enlightening -- thanks! If that is the case, then more -mdgg- ♂ (104 bytes) () 02/03/2010 postreply 08:41:44

• Toyota什么时候开始采用ETCde -H&CMom- ♀ (0 bytes) () 02/03/2010 postreply 09:09:17

• 真后悔，三周前刚把Accord处理了留下了2001的Sienna -H&CMom- ♀ (50 bytes) () 02/03/2010 postreply 09:10:50

• 开了10年得车？ -用户名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 09:26:53

• 10年的车怎么啦？不是车？ -H&CMom- ♀ (24 bytes) () 02/03/2010 postreply 14:36:36

• 很好的分析，我早就说过，很可能是软件的BUG。 -TBz- ♂ (141 bytes) () 02/03/2010 postreply 09:57:30

• well said. thank you! -sdww2010- ♂ (0 bytes) () 02/03/2010 postreply 10:16:01

• This article cannot be further away from the truth -TYM- ♀ (509 bytes) () 02/03/2010 postreply 11:05:28

• 好像说突然加速里三分之一是Toyota的，有点高 -搬家了- ♂ (0 bytes) () 02/03/2010 postreply 12:27:14

• 回复：好像说突然加速里三分之一是Toyota的，有点高 -TYM- ♀ (269 bytes) () 02/03/2010 postreply 16:07:33

• The problem is Toyota does not have braking override -once4all09- ♂ (0 bytes) () 02/03/2010 postreply 12:31:43

• 回复：ZT: Toyota电子油门控制的安全问题 -xc70- ♂ (238 bytes) () 02/03/2010 postreply 13:35:39

• 噢，现在明白了。TOYOYA，用的是..... -GODLOVESDOG- ♂ (36 bytes) () 02/03/2010 postreply 13:46:22

• 学了，明白丰田的苦日子更多了。 -8年驾龄- ♂ (0 bytes) () 02/03/2010 postreply 14:42:41

• 现在车和软件一样！新版就是画蛇添足，乱改。远离新车型吧。 -tuulon- ♂ (0 bytes) () 02/05/2010 postreply 22:35:05