An automobile cruise control system is an outer speed control loop that  "takes over" control of the throttle - normally exercised by the driver through the accelerator pedal - and holds the vehicle speed steady at a set value.  The driver controls the state of the cruise or speed control system (typically : ON, OFF, RESUME, SET/ACCEL, COAST) by means of a set of switches usually mounted on the the steering wheel. 

• Below about 30 mph, interlocking  switches and control logic supposedly prevent the cruise control from being switched ON. However, if there is noise on the speed input then it is quite possible for a false speed signal to be generated well below 30 mph that appears to indicate that the speed is 30 mph or above. In such a situation the cruise control can lock  at well below 30 mph, see Anderson.
  

• For safety reasons, the onus is on the driver NOT to use cruise control in heavy traffic, on bends, on wet or icy roads etc.
  

• Above 30 mph, the choice of whether or not to engage cruise control rests with the driver. 

• Cruise control systems  are designed to kick out of action immediately a very modest touch of braking is applied. 

• It is implicitly assumed that a cruise control system will only come into operation if the driver switches it ON and that the OFF button will always disengage it and that in an emergency it will always be disabled by the brake switch or the cruise deactivation switch.

• First, the driver may be unable to exercise command over the cruise control system if high resistance in the signal lines to the control unit should cause the states of the cruise control switches (often on the steering wheel) to be incorrectly decoded by the control unit. 

• Second, the protective measures taken against cruise control malfunction that operate on the inputs may not protect against an internal fault, a false speed signal or other rogue signal causing the power stage to malfunction and open the throttle. 

• Third, a wrongly decoded command signal or an internal fault may each have the potential to cause a sudden acceleration event. 

1. Can the power stage of an electronic throttle servo or actuator be made immune  to rogue signals? This question also has to be asked if the link between the accelerator pedal and the throttle is electronic.  [Note] .
2. If rogue signals  reach the electronic throttle servo power stage when the cruise control is off, can uncontrolled  throttle movement be prevented? 
3. If rogue signals reach the electronic throttle servo power stage and cause the electronic throttle servo or actuator to open the throttle, can the driver deactivate or disengage the  throttle servo and regain manual control?

Don't forget to bookmark Section 9 Links and References before leaving this site.

A Dependability Case Study on Electronic Throttle Control published by Siemens AG examines the situation in which the link between the accelerator pedal and the throttle is electronic. It scrutinises the safety and availability of a variety of electronic control architectures and their capability to ensure that under fault conditions built-in system redundancy will either maintain  system performance, or ensure that it degrades gracefully to allow safe limp home  or a safety stop. It considers that about 1% of  single faults may cause a runaway condition. The faults that might lead to runaway  include: faulty torque requests induced by faults in various car components (gear switch signals, deceleration slip control, faulty pedal reference signal etc.), faults in      analogue to digital converters, faults in the torque computing process, processor faults. It concludes that  a dual  processor system is required with each processor checking the other processor, as a minimum, to ensure an adequate degree of  safety and that  the best solution would be a full dual electronic system, with each system checking the other, and with one processor checking the process calculations. Although cruise control - i.e. an outer speed control loop - is not specifically  mentioned in the study, similar arguments probably apply, since it would hardly be logical to apply different design criteria to the engine control system, with in effect a dual control system, and less stringent design criteria to the cruise control (single control system with no redundancy).

Journal of Universal Computer Science

Volume 5, Issue 10
http://www.jucs.org/jucs_5_10/electronic_throttle_control