The main failure modes for Proportional +Integral [P & I]  Controllers used in industrial applications are fairly well established. There is no reason to suppose that the failure modes in automotive applications will be greatly different. Malfunctions may  arise if a feedback sensor or one of the external switches used to exercise logical control and interlocking functions should go open or short circuit. However, there is convincing evidence that some potential modes of cruise control failure internal to the control unit could arise even if failure modes in the external circuitry had been anticipated and prevented. For example : 

• The preamble to US patent 3,937,980 of Feb 10 1976 suggests that the use of high impedance capacitors to store speed reference voltages resulted in intermittent leakage problems in cruise control electronics in the 1970s. There is no reason to suppose that similar leakage problems could not arise from time to time in current designs. The symptoms of leakage might be a rising or falling cruise control speed reference,  or a mismatch of speeds when the cruise control was resumed. 

• The two research papers (Kimseng and Gunnerhed)  mentioned in the previous section suggest possible intermittent failure modes within the cruise control module.  Kinseng et al show that intermittent open and short circuits can be reproduced in the laboratory. From a functional point of view, intermittent open or short circuits on a cruise control PCB may alter the state of the control system and could in principle result in the throttle moving to the fully open condition. Neither paper provides support for the argument that intermittent faults would leave signs of their occurrence and hence be readily detected.
  

• A paper presented by Anderson at the 2007 IET  Colloquium on Electromagnetic Reliability shows how an intermittent speed sensor connection can generate a false speed signal that may allow an automobile speed control system to engage at low speed.
  

To explain sudden uncontrolled acceleration events in terms of rogue signals resulting from internal processes going on within the control unit, or intermittent contacts [or EMI or a software glitch] is quite as reasonable as invoking malfunctioning external control logic or driver error. It would therefore be very unwise for the investigators of possible incidents of unexplained sudden acceleration to jump to foregone conclusions as to the likely causes. Rather, investigators should carry out a proper analysis of the many possible root causes of failure and seek to demonstrate which of these root causes may fit most closely the circumstances in a particular case. 

Once it is accepted that mechanisms exist that may cause intermittent failure modes to occur within the cruise control module, then it has to be granted that there is a possibility of a rogue control signal arising that may cause the electronic throttle control to move to the fully open position. This is a potentially dangerous situation because the control system is now in a state where inputs have ceased to determine the output. Switching the cruise control system off will not switch off power to the throttle actuator. Now the only way of closing the throttle is to remove the torque applied by electronic throttle actuator and allow the return spring to close it. This can only happen if the power supply to the electronic throttle actuator is removed or  the mechanical link between the actuator and the throttle is disconnected. 

A design philosophy that forgets to provide protection for the power side of a control system and encourages the driver to rely on the brakes and switching off the ignition system is, in my opinion, manifestly deficient and lacking in common sense. In this case, the failure to provide a means of electrical isolation for a malfunctioning electronic throttle actuator consuming a few watts may lead to a sudden uncontrolled acceleration in a motor capable of delivering several hundred kilowatts. To suggest that controlling sudden acceleration should be within the power of the driver if he  applies the brakes or switches off the ignition seems highly inappropriate when a small contact breaker and a push button would probably do the job much more effectively and without risk. NOTE 2

In my view,  it is necessary to consider the implications of possible alternative rogue operating states of the cruise control system at the design stage  and (1) build in protection to prevent such alternative states from occurring, as far as this is possible, (2) design in monitoring and control circuitry, where possible, to indicate changes of state if they should arise  and (3) in the event of malfunction, to provide a means of disabling/decoupling  the cruise control system electrically and mechanically. As a matter of last resort in an emergency, the driver should be provided with an unequivocal  means of disabling the electronic throttle actuator and returning to manual control, either by electrical power isolation of the actuator or mechanical disconnection from the throttle, or both. 

Currently, cruise control systems are regarded as non safety critical because engagement and disengagement are presumed, in my opinion wrongly, to be under the control of the driver.  The driver only operates on the logical inputs to the cruise control system and driver actions will therefore not necessarily have any effect on the output from a malfunctioning power stage. The driver cannot over-ride the malfunctioning control system, if its performance is being determined by an internal fault or a rogue signal, unless specific  measures have been built in that allow  the throttle actuator to be electrically de-energised or mechanically disconnected from the throttle in an emergency. 

Therefore key questions that should be asked of any particular cruise control system are (1) whether or not the possibility of rogue signals causing the throttle actuator to move has been fully taken into account and (2) whether, in that eventuality, unequivocal  means have been provided to disable the actuator and return the throttle to manual control, either by electrical power isolation of the actuator or mechanical disconnection from the throttle, or both. 

Finally, the onus would appear to be on the manufacturers of cruise control systems to demonstrate convincingly, in the event of a fault, or combination of faults, either internal or external, that their particular system will always  degrade gracefully and safely, in such a way as to minimise the risk to the vehicle, its passengers and to third parties. The first necessity is to provide emergency power isolation for the electronic throttle control valve, so that even if rogue signals should cause the electronic throttle control to open the throttle the power side of the cruise control system can  always be switched off and isolated and manual control be re-established.

© Copyright A Landerretche

Since  writing  the above note on sudden acceleration,  my attention has been drawn by M. Alain Landerretche of  Nantes, France to European Patent EP1375233A1 [published 2nd January 2004]  for a  "speed sensitive accelerator" . This appears to provide an effective alternative to cruise control that leaves the driver in control of acceleration, and hence speed, at all times. When the actual speed reaches the selected speed the actuator transforms the speed error into a variable force feedback on the accelerator pedal. According to the designer, the natural balance between the weight of the driver's foot and force feedback stabilises the speed around the selected speed in a manner that feels intuitive to the driver. The design appears to be fail-safe and proof against unintended sudden accelerations.