Some control system malfunctions outside the automobile industry

Alleged incidents of sudden unintended acceleration

Moving now to automobiles.  The main source of statistics regarding sudden acceleration incidents is the NHTSA Complaints Database:

• NHTSA  gives complaint figures of between 4.7 and 10.2 per 100,000 vehicles for GM vehicles of 1996-97 model years. Reference
• NHTSA's  analysis of 1985-99 Lincoln Town Cars  in the year 2000 gives complaint rates of  13.7 per 100,000  vehicles for "stand-alone" cruise control designs, versus 15.1 per 100,000 vehicles for "integrated" cruise control designs. Denial of McMath Petition DP99-004
•  NHTSA analysis of complaint figures for Audi 5000s model years 1983 to 86 record an incidence of 586 per100,000 vehicles. Denial of McMath Petition DP99-004
•  NHTSA quotes complaint figures of 16.6 per 100,000 for Aerostars not fitted with shift locks as against 1.7 per 100,000  for Aerostars fitted with shift locks. Denial of McMath Petition DP99-004 Table 2
  

Here are a few examples of alleged sudden acceleration incidents:

• During the 1980s over 1000 sudden unintended acceleration incidents involving  Audi 5000 vehicles were reported. Reference

• In 1986 4561 Toyota Celicas were recalled because soldered terminals on the cruise control module might develop cracks due to improper application of the coatings to the printed circuit board. The consequence of the defect was said to be that the  engine speed would instantly rise and the vehicle could suddenly accelerate, possibly resulting in an accident.Reference

• On October 4, 1996 Chrysler disclosed in a letter to the NHTSA Office of Defects investigation that it knew of  98 incidents  of sudden unintended acceleration in the period 1993 to 1996 involving Cherokees and another 241 incidents involving Grand Cherokees. Reference

• In the Autumn of 2000 a Channel 4 TV documentary on runaway cars reported several incidents involving unexplained sudden acceleration in Ford Explorer vehicles in the UK. The vehicles in question had all been on the move and apparently did not have their cruise controls engaged. One Bristol driver, Chris Merrick drove his Explorer into a park to avoid a line of stopped cars ahead of him and was killed when the car hit a tree. About a month after the programme Ford Explorer vehicles in the UK were apparently recalled to correct for a cruise control software fault. Reference

• In December 2002 General Motors Corporation was ordered to pay $80 million to a Missouri woman who lost  control while backing down her driveway. The car’s cruise control allegedly caused the vehicle to speed up when she shifted into reverse sending her car 120 feet backwards before it crashed into a tree. The case went to appeal and was then settled privately. Reference
  

• In early 2003 the driver of a brand new Proton Waja fitted with an electronic throttle got caught in a tropical rainstorm in Malaysia and the vehicle suddenly accelerated to 100Km per hour. 5 days later the driver experienced a second incident.  The  local dealer claimed that the incidents were due to corrosion on the pins of the ECU and offered to change the unit. The owner refused the offer  and successfully negotiated the exchange of the vehicle for another fitted with a manual throttle and without cruise control. Reference AFA
  

• On August 7th 2000 Mary Hill of Orlando Florida was driving her younger daughter and two teenage friends home from school in her 1996 BMW 740i. She stopped at traffic lights. When the lights changed, she moved her foot from the brake to the accelerator in order to turn left, a manoeuvre that she performed at that particular junction several times a day. On this occasion the car "took off". She tried to bring the car under control by pumping the brakes but could not slow the car down. The car fishtailed, left the road and hit a tree, sideways on, at a speed that the investigators estimated was 73 mph. Her own daughter and another child were killed. The third child was concussed and she herself was thrown clear of the vehicle. In 2005 she was tried on a charge of vehicular homicide, found guilty and sentenced to 15 years imprisonment. The appeal procedure has been exhausted and she remains in prison for the duration of her sentence. Reference
  

• January 23rd 2007 Safety concerns take cruiser off road by Paul Leighton Staff Writer Salem News. BEVERLY - Police Chief John Cassola said he has taken another police cruiser off the road "as a precautionary measure" in the wake of Saturday's fatal crash involving another cruiser. The safety of three Police Department cruisers has been called into question by the crash that killed 61-year-old Bonney Burns on Saturday morning on Cabot Street. Burns was sitting in her parked car outside her apartment building when a cruiser driven by Patrolman Stuart Merry crossed the center line and slammed into her Toyota Camry. She was pronounced dead at the scene. Police are not saying what caused Merry to veer across the road. But Cassola has said that Merry's cruiser, along with two other 2006 Ford Crown Victoria cruisers, has had a history of incidents with "random acceleration." Follow up article May 2009
  

Litigation on alleged sudden unintended acceleration

There are only two possible ways in which the throttle can open and cause a sudden acceleration from near standstill:

• if the driver for some reason depresses the accelerator pedal to the floor [ the driver  malfunction or "pedal error" hypothesis];
  
• if the cruise control servo - or the electronic throttle servo in the case of an electronic throttle system - moves the throttle to the open position uncommanded.[the electronic system malfunction hypothesis]
  

There have been a number of occasions where an electronic malfunction - either in the cruise control system or, more recently, in the electronic throttle control system - has been proposed in court as the possible cause of the throttle opening and giving rise to a sudden unintended acceleration incident. See section 9.5 for references. In product liability cases a common defence against a claim of an electronic malfunction is driver malfunction, i.e. the defence asserts that the driver mistakenly pressed the accelerator pedal in the belief that they were applying the brake. In criminal cases, the prosecution may argue that the absence of physical evidence of an electronic component failure points towards the driver having pressed the accelerator pedal to the floor, thereby causing the vehicle to accelerate. In both product liability and criminal cases, the pedal error hypothesis is presented as if supported by solid evidence where, in fact, there is none.

The pedal error hypothesis supposes that it is the driver who causes the sudden acceleration to occur and not a vehicle system malfunction. If, for the sake of argument,sudden accelerations were the result of "pedal error" then clearly, by definition, the vehicle could play no part in causation. If sudden accelerations were in no way related to the vehicle, this should become immediately apparent from a study of  sudden acceleration complaint databases. In other words, the incidence rate of sudden accelerations per hundred thousand vehicles should be more or less the same for all ages and makes of car. There would be little difference in the sudden acceleration incidence rates of vehicles (a) of different makes (b) of the same make, but different marques (c) of different model years (d) fitted with manual or  automatic gearboxes; (e) with/without cruise control (f) with or without electronic throttle control.

• To the best of my knowledge, although there appear to have been plenty of  accidents caused by throttles that have stuck in the open position, there do not appear to have been any sudden acceleration incidents  from standstill before the introduction of automatic gearboxes and the fitting of cruise control. Clearly if there had been such incidents in the pre-electronic days of motoring they would undoubtedly have been drawn to the attention of the public.
  
• The sudden acceleration incidence rate appears to vary widely between vehicles of different manufacture and between vehicles of the same type but different model years. This strongly suggests that whatever the factors are that cause sudden accelerations these are related to the vehicle characteristics rather than the driver.
  

Concerning the second of the above points, the study by Sayler and Bizzak of sudden accelerations in 1991 to 1995 model year in Jeep Cherokees and Jeep Grand Cherokees is particularly illuminating. They have compared the RSAI rates of Jeep XJ/ZJ 1991 to 1995 model years up until a cut off point of April 1997 and find a variation from a minimum of 0.75 per 10,000 vehicles for 1992 model year vehicles to a maximum of 2.7 per 10,000 vehicles for 1993 model year vehicles. The comparable figures for Ford Explorers were 0.15 per 10,000 minimum to 0.6 maximum per 10,000 vehicles and for Chevy Blazers 0.2 to 0.6 per 10.000 vehicles. If the incidence of sudden accelerations was related to drivers rather than the vehicle, then it would seem fairly obvious that completely different results would have been expected from the NHTSA complaints database, namely that the incidence rates per 10,000 vehicles would be more or less the same from one vehicle to another and would show very little variation from model year to model year. In my opinion a jump from an incidence of 0.75 to 2.7 per 10,000 for Jeep XJ/ZJ models from one model year to the next strongly suggests that it is vehicles and not drivers that have been malfunctioning. If we compare these incidence figures with those for 1983-1986 model year Audi 5000s, given above, of 586 per 100,000 vehicles, i.e. 58.6 per 10,000 vehicles, we can see an overall incidence rate difference from lowest to highest of 0.75 to 58.6 per 10,000 vehicles, i.e. a ratio of   78:1, which is nearly two orders of magnitude. Such a variation cannot be explained in terms of drivers making pedal errors because there ought to be little or no variation between vehicles.

It is sometimes claimed that sudden accelerations from standstill cannot be caused by a cruise control malfunction because the cruise control is designed not to come into operation until the vehicle speed rises above 30 mph. However, witnesses often claim of sudden accelerations from standstill that the cruise control was OFF and yet the throttle moved of its own accord. Either the witnesses are lying, or they are telling the truth and some further explanation is required.

How can a cruise control system that seems to be OFF still be be capable of a malfunction? The answer lies in understanding the distinction between the functions of control and protection. Electronic switching devices or controllers control the voltage or current in a load, but they do not electrically isolate a load from its power supply or provide protection against damage in the event of a fault while in operation. For electrical isolation and protection an electromechanical switch, a relay or a contact breaker is required.  This principle is generally adopted, for example in domestic electrical supply. The individual device ( Kettle, washing machine, lawnmower etc.) has a controller of some kind and is protected by an overload cutout and fuse so that in the event of any failure the device is disconnected from the electrical supply. At the next level the ring main is protected against overload by its own circuit breaker. If that fails, then there is a main circuit breaker for the whole dwelling which will operate. Should the lawnmower controller become jammed in the fully open condition creating a potential runaway situation, the connector and socked between the power lead and the lawnmower will automatically disconnect the moment tension is applied to the lead, so bringing the lawnmower to a rapid halt. A similar distinction between control and protection/isolation is to be found in large turbogenerators where the speed is controlled by controlling the flow of steam using electrohydraulic governor valves. Protection is provided by emergency stop valves placed in series with the governor valves which cut off the supply of steam from the boiler in an emergency and isolate the turbine.

It appears that  the  isolation and protection functions normally provided for electronic control systems are absent in many automobile cruise control systems. Somewhat curiously, the driver seems in a number of cases to be expected to act as the fail-safe for the electronic system. Perhaps this is one of the reasons why cruise control systems appear to display the potential to malfunction with such serious knock-on results. 

Denial of petition by NHTSA

It is in this context of an apparent lack of electrical isolation and  protection of the power stages of cruise control systems, that we should consider the petition  of  Mr. Sandy S. McMath  to NHTSA [19th July 1999] to re-open their 1989 enquiry on sudden acceleration. McMath was representing the parents of two boys injured in an alleged sudden unintended acceleration incident in Mountain Home Arkansas June 7th 1995. The grounds of what seems to me to be a very reasonable petition were:

1. To date, NHTSA has neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle;
2. NHTSA has apparently failed to consider the data collected by the Ford Motor Company in its investigation of 2,800 incidents of sudden accleration during 1989-1992;
3. NHTSA has not addressed the fact that there is no true failsafe mechanism to overcome sudden acceleration.

With reference to (1) the Denial says in Section 4.1.2  :

"A review of the [NHTSA] Study demonstrates that this claim is without foundation. Clearly the Study considered the possibility that viable cruise control malfunctions could cause a SAI. But it found no evidence that faults "bypassing the control logic of the cruise control system" were a viable explanation for SAI.  [SAI = Sudden Acceleration Incident = Sudden Unexplained Acceleration]

...Under the petitioner's theory, a vehicle involved in a cruise control related SAI would have had to experience the following simultaneous failures: (1) at least two electrical failures of the vacuum servo solenoid system; (2) a mechanical failure of the MVDV and (3) a mechanical failure of the brake system. Moreover, according to Mr. Sero, a post-SAI vehicle inspection would find not physical evidence that any of these systems failed. Thus Mr. Sero's theory is based on simultaneous electrical and mechanical faults, involving more than one element of the vehicle's control system, which would be undetectable after the incident has occurred .

...Extensive laboratory testing of the operation of cruise controls under stress from temperature extremes, power supply variations, EMI/RFI and high voltage discharges has demonstrated no failure modes of any relevance to SAI. Analysis of their circuitry shows that for nearly all controls designed in the past few years ["all" in the case of Ford], two or more independent, intermittent failures would have to occur simultaneously to cause throttle opening in a way that would be difficult to detect after the incident. The occurrence of such simultaneous, undetectable failures is virtually impossible."

In effect the NHTSA appear to be denying the following :

1. that failure modes internal either to the cruise control module or the throttle actuating mechanism could cause the throttle to open;
2. that an intermittent fault could occur without leaving clear evidence that would be observed subsequently;
3. that two such  independent intermittent failures could occur simultaneously (concurrence 'virtually impossible')

Discussion of NHTSA Denial

One might ask the following of anyone expressing such robust views :

• Why is it unreasonable to envisage the possibility that intermittent faults might arise within the electronic control module and cause cause a malfunction in the throttle actuator?   Note 1
  

• Why would an intermittent fault, or faults, necessarily leave an observable trace(s) behind? Intermittent faults, especially in wiring and electrical contacts are sometimes extremely difficult to locate. It might take months or years before an intermittent fault might repeat itself.
  

• Why is the simultaneous occurrence of two independent intermittent failures necessarily 'virtually impossible'? In any case, it may be that only one fault, if it is in the right place, may be necessary.
  

Those who have carried out failure investigations will be aware of the difficulty in expressing  a fault hypothesis clearly and concisely. It seems that this the difficulty that Mr Sero has faced. He describes the failure mode as "a fault that bypasses the control logic of the cruise control system". This might mean :

• a fault that does not involve the control logic at all, ie. one that may occur whatever the control logic state and on which the control logic has no effect.
• Equally it might mean some fault that disables and  therefore  bypasses the control logic.
• A combination of both types of fault.

• faults  that involve malfunction of the control logic, as perhaps with a malfunction of a switch or sensor;
  
• faults that arise independently of the state of the control logic, i.e. faults that arise within the control system electronics after the point of application of the control logic. [ "faults bypassing the control logic"] 

• Steam turbines,  if not fully protected against sudden loss of load, would overspeed and self destruct. 
• DC machines have to be protected against loss of field for a similar reason.

The NHTSA refutes the claim that it has "neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle." on the basis that it found no evidence in its original 1989 report that this postulated mechanism was a viable explanation for sudden acceleration. 

We shall see in the next section that, contrary to what the NHTSA asserted in the year 2000, faults on cruise control system boards are known to have occurred in the field and can be induced in the laboratory and therefore their 1989 argument loses most of its force.