ZT: Toyota電子油門控製的安全問題

Toyota電子油門控製的安全問題

送交者: taichi 2010年02月03日09:32:29 於 [世界軍事論壇] 發送悄悄話

Toyota電子油門控製的安全問題

Toyota的油門問題很有些曆史,但是直到最近才爆發,Toyota火速提出補丁,號稱一個彈簧就可以解決. 真是這樣嗎? 看看曆史吧.

Toyota的油門問題是從他把油門設計改成 Fly-by-Wire ETC開始就埋下隱患. 當年Toyota把 Fly-by-Wire ETC推進市場的時候, 就有很多人對它的安全問題表示擔心.
所謂ETC, 就是 Electronic Throttle Control, 電子油門控製. 這是什麽意思? 先從機械油門控製說起.機械油門控製,是通過一根線,就是自行車刹車線那種,從你的油門踏板連到發動機,油門開多大,全靠你自己控製, 如果這根線失效,你腳上也能立刻感覺到.

1988年,BMW第一個在7係車上推出了ETC係統,在這根機械連線周圍加上了一些電子的玩意兒,後來其他車廠也見樣學樣, 紛紛加了ETC. 但是這些 ETC, 叫 Drive by Wire 是圍著這跟線做文章, 油門踏板跟發動機的機械聯係是一直存在的.

Toyota 呢? 就領先了一步, 幹脆把油門踏板跟發動機的機械聯係給取消了, Toyota的油門踏板下麵,現在是一個傳感器的盒子,傳感器把油門位置送給一個計算機, 然後計算機根據當前發動機運行情況,把傳感器信號翻譯成油門大小,這就是所謂的 Fly-by-Wire. 這樣做當然是有好處的, 可以避免很多司機的技術問題或者駕駛習慣問題, 比如坡起給油不夠造成死火之類的, 但是它最大的問題就是現在爆發的安全問題. 因為司機對油門的直接控製被偷油他取消了, 現在油門整個在偷油他的計算機手上了,計算機可以 overwrite 司機的油門指令,如果計算機認為應該加速,你把油門鬆了也沒用. 換句話說, Toyota現在就跟微軟差不多, 假定你是SB, 你想幹什麽, 他比你自己知道的更清楚.

原理說完了,那問題怎麽解決呢?那要先看失效機製. ‘Fly-by-Wire’的失效機製大概可以分三類:

第一類是輸入信號失效, 就是傳感器送給計算機的信號錯了, 司機本來沒踩油門, 傳感器說踩了. 這也是偷油他現在試圖讓人相信的失效機製,從一開始的把 MAT拿掉免得卡住油門到現在換個大點彈簧把油門頂起來,都是這個路子.為什麽?因為這個最便宜,也最容易解決.

第二類是輸出失效, 就是從計算機輸出的電子信號到油門的控製機械這一塊出的問題,如果這裏出了問題,可以測,也可以重複,現在比較明確這一塊沒有問題.

第三類問題就比較要命了,就是計算機失效. 做過嵌入式係統的都知道, 最怕的問題就是程序跑飛, 一旦跑飛, 計算機就瘋了,隻能RESET. 這個搗亂最有親身體會了, 當年他的程序就老跑飛. 程序跑飛的特點是什麽呢? 嘿嘿, 無法重複. 因為每次飛的地方都不一樣,而且一旦重新啟動,他就完全正常了.

現在知道的Toyota致死的案子,基本都表現出第三類失效的特征: 油門突然失去控製; 事後檢查無法發現失效元件; 事故過程無法重複. 這個一點都不奇怪, 汽車上的環境對電子係統最不友好了, 高溫,高震動,不穩定的電源,各種高壓信號亂竄,程序跑飛正常,不跑飛就不正常了. 當然了, 搗亂也有許多防止程序跑飛的招, 但是百密一疏, 總有人考慮不到的地方. 幾百萬輛車裏麵, 有幾輛在某個特定情況下跑飛了,再正常不過了.解決辦法一個是恢複司機對油門的機械控製, 讓司機可以overwrite計算機.但是且不說Toyota有沒有這麽多錢,就算他有,以後還有人敢買他的車嗎? 還有一個可能的辦法是 open source, 他的計算機的安全漏洞, 單靠他的幾個工程師是很難全堵上的, 靠 open source 人海戰術, 能不能堵住先不說, 應該可以早點發現安全隱患, 找到能可以重複讓偷油他的計算機跑飛的條件.
http://bbs./sports/bbsviewer.php?btrd_id=1032309&btrd_trd_id=445633


Toyota Recall: Experts Point To Electronic Throttles; Not Floor Mats In Sudden Acceleration Problem
http://kansascity.injuryboard.com/automobile-accidents/toyota-recall-experts-point-to-electronic-throttles-not-floor-mats-in-sudden-acceleration-problem.aspx?googleid=275138


Robert DeGraff, January 27, 2010

I recently purchased a new 2010 Camry and am a retired professional engineer with some experience in forensic engineering investigation and have experience in applying Tepner-Tregoe analysis to puzzling situations. You have to look at "what as changed" and "what is different" between test conditions and actual field conditions in variable and extreme situations such as the reports of sudden acceleration caused or allowed by the fly by wire throttle control.

The persistent but infrequent reports indicate that Toyota engineers have missed something in their testing. Although most inside engineers are resistant to suggestion from outsiders, I'll offer my comments and concerns for their review: there are several transient situations which electronic controlled vehicles must resist, commonly called EMI and RFI.

1) when you pass under, over or next to high power electric lines, not only is some energy imposed but a doppler effect can swing the frequency. Yes , some high power lines are under you, buried under the roadway such as the emergency feeders for O'Hare airport. How adequate is the EMI shielding for emissions from beneath? Some power lines are heavily loaded and emit stronger signals when they approach capacity or during surges just before and while their breakers trip.

2) cellphones, blackberies and wireless laptops also emit some strange and variable signals. I'm told that as a cellphone gets farther from its tower, it increases its power. At least 2 of the reports of apparent fly-by wire runaways mention the use of their cellphone during the incidents. Certainly these devices get very close to the car's computer(s).

3) there are stray emissions from CBs ham radios and other (sometimes illegal) broadcasting which may induce problems with RFI on computer controls. Many years ago, early computer controlled braking systems on IH trucks suffered wild scenarios until they were very thoroughly RF shielded. Could it be that some similar transients are affecting Toyota fly by wire throttle computer controls? I am not trying to be a wise guy; just offering some outside ideas for them to reconsider in their testing for the elusive cause of infrequent but terrifying runaways.

http://pressroom.toyota.com/pr/tms/our-point-of-view-post.aspx?id=2234

• Very well written... -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:06:25

• 其他車廠也用同樣技術，用計算機來控製油門嗎？ -鳳凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:09:36

• 我的車都是剛性的 -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:11:47

• 我覺得計算機控製油門是趨勢，人類中不能總停在自行車時代吧 -鳳凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:14:06

• 趨勢並不都是對的 -狼主- ♀ (0 bytes) () 02/03/2010 postreply 08:16:24

• 那飛機也是用計算機控製油門，刹車的，你還敢坐飛機嗎？ -鳳凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:18:44

• 飛機電腦成本是多少? 汽車的是多少？ -biglow- ♂ (16 bytes) () 02/03/2010 postreply 08:22:07

• 飛機並不僅僅是用計算機控製油門和刹車，還有備份係統 -狼主- ♀ (20 bytes) () 02/03/2010 postreply 08:23:08

• 我同意你這一點。但要計算機控製油門不能亂飛 -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:18:32

• 沒錯，但出錯有個概率問題，就和輪胎爆胎一樣。 -鳳凰小城- ♂ (16 bytes) () 02/03/2010 postreply 08:19:56

• 明知山有虎，偏向虎山行？你以為你是武鬆啊？ -internuts- ♂ (40 bytes) () 02/03/2010 postreply 08:22:52

• 人家或許早打定注意，過來討個口彩，心理實在點就去買。 -用戶名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 08:25:07

• Toy 的出錯概率太大 -biglow- ♂ (40 bytes) () 02/03/2010 postreply 08:23:17

• 我去買個SIENNA看看，如果出事了，大家就再也別買了。 -鳳凰小城- ♂ (0 bytes) () 02/03/2010 postreply 08:25:05

• Take care! Drive safely!! -internuts- ♂ (0 bytes) () 02/03/2010 postreply 08:31:21

• let us know what happens. ... be safe of course. -用戶名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 08:36:50

• 舍身飼虎，壯士也！ -狼主- ♀ (0 bytes) () 02/03/2010 postreply 08:57:22

• 烈士也 -金馬力- ♂ (0 bytes) () 02/03/2010 postreply 09:48:38

• 不壯不烈老虎不吃也 -用戶名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 10:11:41

• Well said, just hit the point! -biglow- ♂ (133 bytes) () 02/03/2010 postreply 08:20:42

• Very enlightening -- thanks! If that is the case, then more -mdgg- ♂ (104 bytes) () 02/03/2010 postreply 08:41:44

• Toyota什麽時候開始采用ETCde -H&CMom- ♀ (0 bytes) () 02/03/2010 postreply 09:09:17

• 真後悔，三周前剛把Accord處理了留下了2001的Sienna -H&CMom- ♀ (50 bytes) () 02/03/2010 postreply 09:10:50

• 開了10年得車？ -用戶名被占用了- ♂ (0 bytes) () 02/03/2010 postreply 09:26:53

• 10年的車怎麽啦？不是車？ -H&CMom- ♀ (24 bytes) () 02/03/2010 postreply 14:36:36

• 很好的分析，我早就說過，很可能是軟件的BUG。 -TBz- ♂ (141 bytes) () 02/03/2010 postreply 09:57:30

• well said. thank you! -sdww2010- ♂ (0 bytes) () 02/03/2010 postreply 10:16:01

• This article cannot be further away from the truth -TYM- ♀ (509 bytes) () 02/03/2010 postreply 11:05:28

• 好像說突然加速裏三分之一是Toyota的，有點高 -搬家了- ♂ (0 bytes) () 02/03/2010 postreply 12:27:14

• 回複：好像說突然加速裏三分之一是Toyota的，有點高 -TYM- ♀ (269 bytes) () 02/03/2010 postreply 16:07:33

• The problem is Toyota does not have braking override -once4all09- ♂ (0 bytes) () 02/03/2010 postreply 12:31:43

• 回複：ZT: Toyota電子油門控製的安全問題 -xc70- ♂ (238 bytes) () 02/03/2010 postreply 13:35:39

• 噢，現在明白了。TOYOYA，用的是..... -GODLOVESDOG- ♂ (36 bytes) () 02/03/2010 postreply 13:46:22

• 學了，明白豐田的苦日子更多了。 -8年駕齡- ♂ (0 bytes) () 02/03/2010 postreply 14:42:41

• 現在車和軟件一樣！新版就是畫蛇添足，亂改。遠離新車型吧。 -tuulon- ♂ (0 bytes) () 02/05/2010 postreply 22:35:05