The main failure modes for  industrial electronic control systems such as P + I (Proportional + Integral) controllers are fairly well established. Because the technology used is the same, there is good reason to suppose that the failure modes of automobile electronic control systems will be very similar. For example, with cruise control, malfunctions may  arise if a feedback sensor or one of the external switches used to exercise logical control and interlocking functions should go open or short circuit. But it is not only open or short circuits that may cause problems, but short-duration circuit intermittencies at poor electrical contacts.

Microphonic noise in electrical contacts caused by vibration was well-known source of problems in mechanical automatic telephone exchanges and was fully reported by Fairweather in 1946 and 1953. NOTE1  Vibration-induced intermittent contacts in low-current sensor circuits in automobiles may make circuits sensor circuits very noisy, but the average circuit parameters may still remain within the bounds of "normal" for the circuit concerned. Consequently, the monitoring of circuit impedances using software to determine when they go outside pre-specified ranges and can be regarded as having gone open or short circuit is not necessarily going to detect vibration-induced intermittencies. Some kinds of vibration-induced intermittencies in acceleration and speed sensors, for example, are unlikely to be detected and will therefore not necessarily be recorded as fault codes by on-board diagnostic software. A paper presented by Anderson at the 2007 IET Colloquium on Electromagnetic Reliability shows how an intermittent speed sensor connection can generate a false speed signal that may allow an automobile speed control system to engage at low speed.

Diagram illustrating how a false speed signal generated by vibration can cause a cruise control to "engage" when the vehicle is moving slowly [Anderson Fig 6]

It is interesting to note that as long ago as 1975 a US National Highways Traffic Safety Administration Report on the potential effects of EMI in automobiles recognised the inherent difficulty in preventing sudden accelerations from standstill and suggested that the most effective safety measure would be to keep the speed control electrically de-energised until normal speeds were reached. This simple preventive measure of not powering up the cruise control when the ignition is switched on is very rarely taken. As a result, the possibility of a false speed signal causing a sudden acceleration remains.

However, there is convincing evidence that some potential modes of cruise control failure internal to the control unit could arise even if failure modes in the external circuitry had been anticipated and prevented. For example : 

• The preamble to US patent 3,937,980 of Feb 10 1976 suggests that the use of high impedance capacitors to store speed reference voltages resulted in intermittent leakage problems in cruise control electronics in the 1970s. There is no reason to suppose that similar leakage problems could not arise from time to time in current designs. The symptoms of leakage might be a rising or falling cruise control speed reference,  or a mismatch of speeds when the cruise control was resumed. 

• The two research papers (Kimseng and Gunnerhed)  mentioned in the previous section suggest possible intermittent failure modes within the cruise control module.  Kinseng et al show that intermittent open and short circuits can be reproduced in the laboratory. From a functional point of view, intermittent open or short circuits on a cruise control PCB may alter the state of the control system and could in principle result in the throttle moving to the fully open condition. Neither paper provides support for the argument that intermittent faults would leave signs of their occurrence and hence be readily detected subsequently.
  

To explain sudden uncontrolled acceleration events in terms of rogue signals resulting from internal processes going on within the control unit, or intermittent contacts [or EMI or a software glitch] is quite as reasonable as invoking malfunctioning external control logic or driver error. It would therefore be very unwise for the investigators of possible incidents of unexplained sudden acceleration to jump to foregone conclusions as to the likely causes. Rather, investigators should carry out a proper analysis of the many possible root causes of failure and seek to demonstrate which of these root causes may fit most closely the circumstances in a particular case. 

Once it is accepted that mechanisms exist that may cause intermittent failure modes to occur within the cruise control module, then it has to be granted that there is a possibility of a rogue control signal arising that may cause the electronic throttle control to move to the fully open position. This is a potentially dangerous situation because the control system is now in a state where inputs have ceased to determine the output. Switching the cruise control system off will not switch off power to the throttle actuator. Now the only way of closing the throttle is to remove the torque applied by electronic throttle actuator and allow the return spring to close it. This can only happen if the power supply to the electronic throttle actuator is removed or  the mechanical link between the actuator and the throttle is disconnected. 

A design philosophy that forgets to provide protection for the power side of a control system and encourages the driver to rely on the brakes and switching off the ignition system is, in my opinion, manifestly deficient and lacking in common sense and is irresponsible. In this case, the failure to provide a means of electrical isolation for a malfunctioning electronic throttle actuator consuming a few watts may lead to a sudden uncontrolled acceleration in a motor capable of delivering several hundred kilowatts. To suggest that controlling sudden acceleration should be within the power of the driver if he  applies the brakes or switches off the ignition seems highly inappropriate when a small contact breaker and a push button would probably do the job much more effectively and without risk. NOTE 2

Discussions on the subject of sudden acceleration from standstill mention that such incidents appear to be confined to vehicles with automatic gearboxes and occur at or near the moment of  gear engagement. The potential significance of this observation is however never made clear. What is never discussed is the possible role of the torque converter between the engine and the automatic transmission in making it very difficult to stop the vehicle. If the engine speed and the transmission speed are widely different, as they would be under wide open throttle conditions, there will be a great deal of slip in the torque converter, whose characteristics are such that it will act as a sort of extra gearbox with anything up to an extra  2:1 reduction ratio. This means that there will be roughly twice the torque developed at the road wheels for a given engine torque that there would be if the drive and transmission sides of the torque converter were moving at the same speed. In terms of braking effort, the driver will have to exert twice as much braking force tas he would have to do if there was no slip in the torque converter.

In my view,  it is necessary to consider the implications of possible alternative rogue operating states of the cruise control system at the design stage  and (1) build in protection to prevent such alternative states from occurring, as far as this is possible, (2) design in monitoring and control circuitry, where possible, to indicate changes of state if they should arise  and (3) in the event of malfunction, to provide a means of disabling/decoupling  the cruise control system electrically and mechanically. As a matter of last resort in an emergency, the driver should be provided with an unequivocal  means of disabling the electronic throttle actuator and returning to manual control, either by electrical power isolation of the actuator or mechanical disconnection from the throttle, or both. 

Currently, cruise control systems are regarded as non safety critical because engagement and disengagement are presumed, in my opinion wrongly, to be under the control of the driver.  The driver only operates on the logical inputs to the cruise control system and driver actions will therefore not necessarily have any effect on the output from a malfunctioning power stage. The driver cannot over-ride the malfunctioning control system, if its performance is being determined by an internal fault or a rogue signal, unless specific  measures have been built in that allow  the throttle actuator to be electrically de-energised or mechanically disconnected from the throttle in an emergency. 

Therefore key questions that should be asked of any particular cruise control system are (1) whether or not the possibility of rogue signals causing the throttle actuator to move has been fully taken into account and (2) whether, in that eventuality, unequivocal  means have been provided to disable the actuator and return the throttle to manual control, either by electrical power isolation of the actuator or mechanical disconnection from the throttle, or both. 

The onus would appear to be on the manufacturers of cruise control systems to demonstrate convincingly, in the event of a fault, or combination of faults, either internal or external, that their particular system will always  degrade gracefully and safely, in such a way as to minimise the risk to the vehicle, its passengers and to third parties. The first necessity is to provide emergency power isolation for the electronic throttle control valve, so that even if rogue signals should cause the electronic throttle control to open the throttle the power side of the cruise control system can  always be switched off and isolated and manual control be re-established.

© Copyright A Landerretche

Since  writing  the original version of the above note on sudden acceleration,  my attention has been drawn by M. Alain Landerretche of  Nantes, France to European Patent EP1375233A1 [published 2nd January 2004]  for a  "speed sensitive accelerator" . This appears to provide an effective alternative to cruise control that leaves the driver in control of acceleration, and hence speed, at all times. When the actual speed reaches the selected speed the actuator transforms the speed error into a variable force feedback on the accelerator pedal. According to the designer, the natural balance between the weight of the driver's foot and force feedback stabilises the speed around the selected speed in a manner that feels intuitive to the driver. The design appears to be fail-safe and proof against unintended sudden accelerations.