Some control system malfunctions outside the automobile industry

IN discussing alleged automobile sudden unintended acceleration incidents, it is instructive to note that there have been a number of well documented examples of somewhat similar control system malfunctions in other fields. Here are a variety examples of malfunction in non-automotive systems, chosen to represent situations from the trivial to life threatening:

1. Computers cause electronic cat flap latch to malfunction
2. Transient magnetic fields produced by an electric drill alter second hand of an electric watch by 10 seconds 
3. Uncommanded operation of powered Wheelchair causes man to go over cliff.
4. Geomagnetic storm blacks out Quebec
5. Uncommanded release of munitions from a Navy jet landing on the aircraft carrier U.S.S. Forrestal causes 134 deaths 
6. A DC 10 Autopilot disrupted during final landing approach by a battery-powered CD player forcing pilot to take emergency action to override the autopilot 
7. Black Hawk Helicopter knocked out of the sky by radio waves.
8. Chinook Mark II Helicopters experience spurious engine accelerations and decelerations
9. Washington State Ferries replace "sail by wire" electronic control system with pneumatic controls

Alleged incidents of sudden unintended acceleration

Moving now to automobiles. Reported complaints of  sudden unintended acceleration, or unintended acceleration,  are relatively infrequent. The main source of information is the NHTSA Complaints Database. 

• NHTSA  gives complaint figures of between 4.7 and 10.2/100,000 vehicles for GM vehicles of 1996-97 model years. Reference
• NHTSA's  analysis of 1985-99 Lincoln Town Cars  gives complaint rates of  13.7/100,000  vehicles for "stand-alone" cruise control designs, versus 15.1/100,000 vehicles for "integrated" cruise control designs. Reference
•  NHTSA analysis of complaint figures for Audi 5000s model years 1983 to 86 record an incidence of 586/100,000 vehicles. [1989 NHTSA Report]
•  NHTSA quotes complaint figures of 1.7/100,000  for Aerostars fitted with shift locks. Reference

Castelli, Nash, Ditlow and Pecht in their analysis of the NHTSA Complaints Database through to mid May 2001 report 25,181 (4.2%) complaints of "sudden acceleration" out of more than 600,000 consumer complaints, a figure that they judge conservative. Sudden acceleration complaints to NHTSA accounted for 5,412 injuries and 303 deaths. By their estimation, ninety four vehicle types in the examined NHTSA database had sudden acceleration complaint rates of at least 30/100,000.  In my opinion, a range of between 5 and 50 sudden acceleration incidents per 100,000 vehicles  would not seem an unreasonable interpretation of the information currently available.

Some well publicised examples of alleged incidents of sudden acceleration are listed below. Note 1 

Litigation on alleged sudden unintended acceleration

There have been a number of occasions where malfunction of a cruise control system has been proposed in court as the possible cause of a sudden unintended acceleration incident. See section 9.5 for references. The main counter-argument brought in litigation against a cruise control malfunction has been that the event may have been caused by driver mistakenly pressing the accelerator while thinking that they were applying the brake. 

Simplifying matters, and ignoring cases of stuck throttles, trapped actuator cables etc.,  there seem to be two plausible potential explanations of how the throttle might move to the fully open position: 

(1) cruise control OFF : therefore cruise control cannot act :  driver malfunction causes throttle to open
(2) cruise control ON  : therefore driver cannot act : cruise control malfunction causes throttle to open

How could it be hat a cruise control system that is to all appearances OFF may still be capable of a malfunction? The answer lies in understanding the distinction between the functions of control and protection. Electronic switching devices or controllers control the voltage or current in a load, but they do not electrically isolate a load from its power supply or provide protection against damage in the event of a fault while in operation. For electrical isolation and protection an electromechanical switch, a relay or a contact breaker is required. 

This principle is generally adopted, for example in domestic electrical supply. The individual device ( Kettle, washing machine, lawnmower etc.) has a controller of some kind and is protected by an overload cutout and fuse so that in the event of any failure the device is disconnected from the electrical supply. At the next level the ring main is protected against overload by its own circuit breaker. If that fails, then there is a main circuit breaker for the whole dwelling which will operate. Should the lawnmower controller become jammed in the fully open condition creating a potential runaway situation, the connector and socked between the power lead and the lawnmower will automatically disconnect the moment tension is applied to the lead, so bringing the lawnmower to a rapid halt. A similar distinction between control and protection/isolation is to be found in large turbogenerators where the speed is controlled by controlling the flow of steam using electrohydraulic governor valves. Protection is provided by emergency stop valves placed in series with the governor valves which cut off the supply of steam from the boiler in an emergency and isolate the turbine.

It appears that  the  isolation and protection functions normally provided for control systems are absent in many automobile cruise control systems. Perhaps this is one of the reasons why cruise control systems appear to display the potential to malfunction with such serious knock-on results. 

Denial of petition by NHTSA

It is in this context of an apparent lack of electrical isolation and  protection of the power stages of cruise control systems, that we should consider the petition  of  Mr. Sandy S. McMath  to the NHTSA[19th July 1999] to re-open their enquiry on sudden acceleration. McMath was representing the parents of two boys injured in an alleged sudden unintended acceleration incident in Mountain Home Arkansas June 7th 1995. The grounds of what seems to me to be a very reasonable petition were:

1. To date, NHTSA has neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle;
2. NHTSA has apparently failed to consider the data collected by the Ford Motor Company in its investigation of 2,800 incidents of sudden accleration during 1989-1992;
3. NHTSA has not addressed the fact that there is no true failsafe mechanism to overcome sudden acceleration.

With reference to (1) the Denial says in Section 4.1.2  :

"A review of the [NHTSA] Study demonstrates that this claim is without foundation. Clearly the Study considered the possibility that viable cruise control malfunctions could cause a SAI. But it found no evidence that faults "bypassing the control logic of the cruise control system" were a viable explanation for SAI.  [SAI = Sudden Acceleration Incident = Sudden Unexplained Acceleration]

...Under the petitioner's theory, a vehicle involved in a cruise control related SAI would have had to experience the following simultaneous failures: (1) at least two electrical failures of the vacuum servo solenoid system; (2) a mechanical failure of the MVDV and (3) a mechanical failure of the brake system. Moreover, according to Mr. Sero, a post-SAI vehicle inspection would find not physical evidence that any of these systems failed. Thus Mr. Sero's theory is based on simultaneous electrical and mechanical faults, involving more than one element of the vehicle's control system, which would be undetectable after the incident has occurred .

...Extensive laboratory testing of the operation of cruise controls under stress from temperature extremes, power supply variations, EMI/RFI and high voltage discharges has demonstrated no failure modes of any relevance to SAI. Analysis of their circuitry shows that for nearly all controls designed in the past few years ["all" in the case of Ford], two or more independent, intermittent failures would have to occur simultaneously to cause throttle opening in a way that would be difficult to detect after the incident. The occurrence of such simultaneous, undetectable failures is virtually impossible."

In effect the NHTSA appear to be denying the following :

1. that failure modes internal either to the cruise control module or the throttle actuating mechanism could cause the throttle to open;
2. that an intermittent fault could occur without leaving clear evidence that would be observed subsequently;
3. that two such  independent intermittent failures could occur simultaneously (concurrence 'virtually impossible')

Discussion of NHTSA Denial

One might ask the following of anyone expressing such robust views :

• Why is it unreasonable to envisage the possibility that intermittent faults might arise within the electronic control module and cause cause a malfunction in the throttle actuator?   Note 2
  

• Why would an intermittent fault, or faults, necessarily leave an observable trace(s) behind? Intermittent faults, especially in wiring and electrical contacts are sometimes extremely difficult to locate. 

• Why is the simultaneous occurrence of two independent intermittent failures necessarily 'virtually impossible'? In any case, it may be that only one fault, if it is in the right place, may be necessary.

Those who have carried out failure investigations will be aware of the difficulty in expressing  a fault hypothesis clearly and concisely. It seems that this the difficulty that Mr Sero has faced. He describes the failure mode as "a fault that bypasses the control logic of the cruise control system". This might mean :

• a fault that does not involve the control logic at all, ie. one that may occur whatever the control logic state and on which the control logic has no effect.
• Equally it might mean some fault that disables and  therefore  bypasses the control logic.
• A combination of both types of fault.

• faults  that involve malfunction of the control logic;
• faults that arise independently of the state of the control logic, i.e. faults that arise within the control system after the point of application of the control logic. [ "faults bypassing the control logic"] 

• Steam turbines,  if not fully protected against sudden loss of load, would overspeed and self destruct. 
• DC machines have to be protected against loss of field for a similar reason.

The NHTSA refutes the claim that it has "neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle." on the basis that it found no evidence in its original report that this postulated mechanism was a viable explanation for sudden acceleration. 

We shall see in the next section that, contrary to what the NHTSA asserts, faults on cruise control system boards are known to have occurred in the field and can be induced in the laboratory and therefore their argument loses most of its force.

• October 3rd 2004 "Vel Satis folle" - alleged case of  sudden unintended acceleration in France on the A71 between Bourges and Clermont-Ferrand.
  
• January 2003 Two cases of alleged sudden acceleration in Chrysler Jeep Cherokees in Paris and Fort Worth Texas
  
• May 2002 : Safetyforum.com report a number of alleged sudden unintended acceleration incidents involving Ford vehicles and state that in recent litigation Ford have been required to "disclose documents that revealed the breadth of the problem, .... the company's prior  knowledge of the cruise control design defects and its efforts to keep them hidden."
  
• March 2001: Santosa v. Gerstel and DaimlerChrysler Corporation – Jury verdict in Seattle, Washington State that sudden acceleration incident  was not due to driver error but to a vehicle defect. The jury found that the accident in which Ms. Santosa was injured was not due to driver error by the defendant Mrs. Ida Gerstel, but concluded  that the accident was caused by defect in the 1993 Grand Cherokee that she was driving . The verdict was appealed by Daimler Chrysler but was upheld by the Court of Appeals. Expert Testimony for the defence in this case was provided by  Romualdi, Davidson and Associates, in conjunction with Mr. Walter D. Salyer II of Infospace, who had just completed  an extensive investigation of sudden acceleration events in certain 1991-1995 Jeep Cherokees and Grand Cherokees. After the trial, Romualdi, Davidson and Associates submitted a formal defect petition to the National Highway Traffic Safety Administration, requesting that an engineering investigation of the SAI issue be opened. The text of the submittal and NHTSA’s response can be downloaded from the RDA Website
  
• Autumn of 2000 : Several examples of Sudden Unexplained Acceleration in Ford Explorer vehicles in the UK, were reported in a Channel 4 TV documentary on Runaway Cars. UK vehicles in question had all been on the move and apparently without Cruise Control engaged. About a month later Ford Explorer vehicles were recalled for a cruise-connected software fault.
  
• Dec 1999 : "2000 Ford Focus (31,000 vehicles) recalled because the speed control cable end fitting can allow water to enter the speed control servo assembly. If this occurs corrosion the servo assembly could develop and cause intermittent speed control operation or prevent the throttle from returning to idle. A throttle that does not return to idle could result in unexpected acceleration, increasing the risk of a crash."
• May 1999 : Ford recalled about 279,000 1992 and '93 Lincoln Town Car, Mercury Grand Marquis and Ford Crown Victoria sedans equipped with factory-installed cruise control. Ford is reported as saying in a statement that "a potentially defective cruise control deactivation switch could short-circuit, which in turn could overheat and catch fire. A short also could disable the cruise control system and blow the brake light fuse." Ford also reported 47 incidents involving a fire that may have been caused by the faulty switch and two injuries, but that there had been no fatalities related to the problem. [NHTSA Recall No. 99V-124/Ford Recall No. 99S15]

• Oct 4, 1996 :  Chrysler disclosed in a letter to the Office of Defects Investigation that it knew of 98 incidents of sudden unintended acceleration between 1993 and 1996 involving Cherokees and another 241 involving Grand Cherokees ref: See Section 9.5  Strategic Safety. Special investigation Chrysler Cherokee 1998
• A group of independent engineering experts claims to have uncovered a defect specific in the 1993-96 5.2 litre V8 Grand Cherokee. If cruise control is left in the ON position a short to ground in the power control module connector can cause the vehicle's engine to race. The short is said to be caused by water, moisture etc. getting into the connector and causing corrosion.  ref: See Section 9.5  Strategic Safety. Special investigation Chrysler Cherokee 1998
• 26 March 1994 Hoffman Car Wash. Albany, NY. (1992 Jeep Cherokee Laredo. VIN 1J4FJ5880NL246884) An employee of the  car wash shifted the Jeep into Drive, and the vehicle suddenly accelerated into the car wash tunnel. The vehicle entered  the detailing area, struck the right wall and proceeded past two cars and an employee. Employees on the scene witnessed brake lights during the incident. ref: See Section 9.5  Strategic Safety. Special investigation Chrysler Cherokee
• 1992 Chrysler tested a 1992 Jeep Cherokee for susceptibility to Radio Frequency radiation. The vehicle was part of a rental fleet from Dollar Rent-a-car that had experiences sudden unidentified acceleration. A police radar gun was aimed at the vehicle under the hood (bonnet) and in the passenger compartment. Chrysler concluded "radiated RF did not have any adverse effects on the Jeep. However, the summary notes that testing resulted in "engine surging" but was not considered "excessive engine/vehicle accelerations." ref: See Section 9.5  Strategic Safety. Special investigation Chrysler Cherokee

• During the 1980's over 1000 sudden unintended acceleration incidents involved Audis. ref: http://www.safetyforum.com/sua/
• Buick Regal recalls in 1979, 1984, 1988 and 1989 relating to cruise control problems
• 1986 : 4561 Toyota Celicas were recalled  because soldered terminals of the cruise control module may develop cracks due to improper application of the coating to the printed circuit board. The consequences of the defect were said to be that continued use of cruise control could lead to complete separation of soldered terminals and circuit failure; engine speed would instantly race and vehicle could suddenly accelerate, possibly resulting in an accident. [NHTSA CAMPAIGN ID Number: 86V132000].