Some control system malfunctions outside the automobile industry

Alleged incidents of sudden unintended acceleration

Here are a few examples of alleged sudden acceleration incidents:

• During the 1980s over 1000 sudden unintended acceleration incidents involving  Audi 5000 vehicles were reported. 

• In 1986 4561 Toyota Celicas were recalled because soldered terminals on the cruise control module might develop cracks due to improper application of the coatings to the printed circuit board. The consequence of the defect was said to be that the  engine speed would instantly rise and the vehicle could suddenly accelerate, possibly resulting in an accident.   [NHTSA CAMPAIGN ID Number: 86V132000] Reference 

• On October 4, 1996 Chrysler disclosed in a letter to the NHTSA Office of Defects investigation that it knew of  98 incidents  of sudden unintended acceleration in the period 1993 to 1996 involving Cherokees and another 241 incidents involving Grand Cherokees.

• In the Autumn of 2000 a UK Channel 4 TV documentary on runaway cars reported several incidents involving unexplained sudden acceleration in Ford Explorer vehicles in the UK. The vehicles in question had all been on the move and apparently did not have their cruise controls engaged. One Bristol driver, Chris Merrick drove his Explorer into a park to avoid a line of stopped cars ahead of him and was killed when the car hit a tree. About a month after the programme Ford Explorer vehicles in the UK were apparently recalled to correct for a cruise control software fault. Reference

• In December 2002 General Motors Corporation was ordered to pay $80 million to a Missouri woman who lost  control while backing down her driveway. The car’s cruise control allegedly caused the vehicle to speed up when she shifted into reverse sending her car 120 feet backwards before it crashed into a tree. The case went to appeal and was then settled privately. Reference
  

• In early 2003 the driver of a brand new Proton Waja fitted with an electronic throttle got caught in a tropical rainstorm in Malaysia and the vehicle suddenly accelerated to 100Km per hour. 5 days later the driver experienced a second incident.  The  local dealer claimed that the incidents were due to corrosion on the pins of the ECU and offered to change the unit. The owner refused the offer  and successfully negotiated the exchange of the vehicle for another fitted with a manual throttle and without cruise control. Reference AFA private correspondence, available on request.
  

• On August 7th 2000 Mary Hill of Orlando Florida was driving her younger daughter and two teenage friends home from school in her 1996 BMW 740i. She stopped at traffic lights. When the lights changed, she moved her foot from the brake to the accelerator in order to turn left, a manoeuvre that she performed at that particular junction several times a day. On this occasion the car "took off". She tried to bring the car under control by pumping the brakes but could not slow the car down. The car fishtailed, left the road and hit a tree, sideways on, at a speed that the investigators estimated was 73 mph. Her own daughter and another child were killed. The third child was concussed and she herself was thrown clear of the vehicle. In 2005 she was tried on a charge of vehicular homicide, found guilty and sentenced to 15 years imprisonment. The appeal procedure has been exhausted and she remains in prison for the duration of her sentence. Reference
  

• January 23rd 2007 Safety concerns take cruiser off road by Paul Leighton Staff Writer Salem News. BEVERLY - Police Chief John Cassola said he has taken another police cruiser off the road "as a precautionary measure" in the wake of Saturday's fatal crash involving another cruiser. The safety of three Police Department cruisers has been called into question by the crash that killed 61-year-old Bonney Burns on Saturday morning on Cabot Street. Burns was sitting in her parked car outside her apartment building when a cruiser driven by Patrolman Stuart Merry crossed the center line and slammed into her Toyota Camry. She was pronounced dead at the scene. Police are not saying what caused Merry to veer across the road. But Cassola has said that Merry's cruiser, along with two other 2006 Ford Crown Victoria cruisers, has had a history of incidents with "random acceleration." Follow up article May 2009

• August 28 2009 August 28th 2009: Model Year 2009 Lexus ES350: 4 DEAD. NBC Video

• December 15th 2009 circa 12.40 pm: Melbourne Australia: Cruise Control Glitch causes a ride of  terror.A motorist thought he was going to die during a terrifying ride through Melbourne's eastern suburbs after his cruise control jammed.Chase Weir, 22, was forced to dodge cars during his 30-minute ordeal after his Ford Explorer became stuck on 80km/h.The car's computer malfunctioned when he attempted to take the Burke Road exit from Kew to Greensborough about 12.40pm today.Mr Weir's attempts to stop the vehicle — including braking, shifting the car out of gear and even removing the keys — proved futile as he desperately dialled triple-0 on his mobile phone, The Age reports.Two police cars found the out-of-control 4WD and attempted to clear a path along the Eastlink roadway.But the driver was forced to veer onto the wrong side of the road to avoid banked-up traffic near Monash University's Frankston campus."That's pretty much when I thought, 'I'm dead'," Mr Weir told told Nine News.  Nine News Video Report  ABC News radio interview

• May 4th 2010: Volvo  issued a warning about unintended acceleration in several of its latest models, Volvo Cars corporate spokesman Per-Ake Froberg told CNN Tuesday.http://edition.cnn.com/2010/BUSINESS/05/04/volvo.acceleration/index.html [unintended acceleration in diesel engined models running on biofuel.]So far there have been 55 cases of unintended acceleration reported, and Volvo will now send a letter to the owners of about 158,000 cars in 30 European markets, alerting them of the problem. The first customers will get the letter by the end of the week. The affected five-cylinder diesel engine models are the Volvo S40 and V50 from 2006-2010, the C30 and C70 from 2007-2010, the S80 from 2007-2009, the V70 and XC70 from 2008-2009, and the XC60 from 2009.
• Nov 5th 2010: Two killed and two injured after a recalled 2008 Toyota Camry sped through an intersection and hit a rock wall
  

• Additional examples of sudden acceleration incidents may also be found at www.suddenacceleration.com.
  
  

Sudden Acceleration Statistics

The main source of statistics regarding sudden acceleration incidents is the US Government's  NHTSA Complaints Database:

•  NHTSA analysis of complaint figures for Audi 5000s model years 1983 to 86 record an incidence of 586 per100,000 vehicles. Denial of McMath Petition DP99-004
• NHTSA  gives complaint figures of between 4.7 and 10.2 per 100,000 vehicles for GM vehicles of 1996-97 model years. 
• NHTSA's  analysis of 1985-99 Lincoln Town Cars  in the year 2000 gives complaint rates of  13.7 per 100,000  vehicles for "stand-alone" cruise control designs, versus 15.1 per 100,000 vehicles for "integrated" cruise control designs. Denial of McMath Petition DP99-004
•  NHTSA quotes complaint figures of 16.6 per 100,000 vehicles for Aerostars not fitted with shift locks as against 1.7 per 100,000 vehicles  for Aerostars fitted with shift locks. Denial of McMath Petition DP99-004 Table 2

• In 2008 NHTSA sent a questionnaire to a sample of  1986 2007 Toyota Lexus ES-350 registered owners and about 3% or 3000 per 100,000 said that they had experienced sudden acceleration incidents. This incidence rate should be interpreted with  caution.  Note 1

• In December 2009 ConsumerReports.org reported on an analysis of the NHTSA Complaints Database for 2008. The  Consumer Reports’ Auto Test Center and Statistics Department analysed 5,916 complaint reports on 2008 models and identified 166 cases in which the complaint described sustained unintended acceleration that the driver found difficult or impossible to control. "The sudden-acceleration incidents were distributed over 22 brands, but they were not spread evenly. Forty-seven complaints were about Toyota models and five were for Lexus vehicles. Between them, Toyota and Lexus accounted for more than a third of all the unintended-acceleration incidents we found among 2008-model vehicles. Seen another way, Toyota racked up more unintended-acceleration complaints than Chrysler, GM, Honda, and Nissan combined...." Click here for details of report.
• In July 2010 Hubing put the incident rate in perspective: "Even for makes and models with the highest number of reported incidents, sudden acceleration incidents are reported about once in every 600 million miles driven."
  

Litigation on alleged sudden unintended acceleration

There are only two possible ways in which the throttle can open and cause a sudden acceleration from near standstill:

• if the driver for some reason depresses the accelerator pedal to the floor [ the driver  malfunction or "pedal error" hypothesis];
  
• if the cruise control servo - or the electronic throttle servo in the case of an electronic throttle system - moves the throttle to the open position uncommanded.[the electronic system malfunction hypothesis]
  

There have been a number of occasions where an electronic malfunction - either in the cruise control system or, more recently, in the electronic throttle control system - has been proposed in court as the possible cause of the throttle opening and giving rise to a sudden unintended acceleration incident. See section 9.5 for references. In product liability cases a common defence against a claim of an electronic malfunction is driver malfunction, i.e. the defence asserts that the driver mistakenly pressed the accelerator pedal in the belief that they were applying the brake. In criminal cases, the prosecution may argue that the absence of physical evidence of an electronic component failure points towards the driver having pressed the accelerator pedal to the floor, thereby causing the vehicle to accelerate. In both product liability and criminal cases, the pedal error hypothesis is presented as if supported by solid evidence where, in fact, there is none.

The pedal error hypothesis supposes that it is the driver who causes the sudden acceleration to occur and not a vehicle system malfunction. If, for the sake of argument,sudden accelerations were the result of "pedal error" then clearly, by definition, the vehicle could play no part in causation. If sudden accelerations were in no way related to the vehicle, this should become immediately apparent from a study of  sudden acceleration complaint databases. In other words, the incidence rate of sudden accelerations per hundred thousand vehicles should be more or less the same for all ages and makes of car. There would be little difference in the sudden acceleration incidence rates of vehicles (a) of different makes (b) of the same make, but different marques (c) of different model years (d) fitted with manual or  automatic gearboxes; (e) with/without cruise control (f) with or without electronic throttle control.

• To the best of my knowledge, although there appear to have been accidents caused by throttles that have stuck in the open position, there do not appear to have been any sudden acceleration incidents  from standstill before the introduction of automatic gearboxes and the fitting of cruise control. Clearly if there had been such incidents in the pre-electronic days of motoring they would undoubtedly have been drawn to the attention of the public.


• The sudden acceleration incidence rate appears to vary widely between vehicles of different manufacture and between vehicles of the same type but different model years. This strongly suggests that whatever the factors are that cause sudden accelerations these are related to the vehicle characteristics rather than the driver.
  

Concerning the second of the above points, the study by Sayler and Bizzak of sudden accelerations in 1991 to 1995 model year in Jeep Cherokees and Jeep Grand Cherokees is particularly illuminating. They have compared the RSAI rates of Jeep XJ/ZJ 1991 to 1995 model years up until a cut off point of April 1997 and find a variation from a minimum of 0.75 per 10,000 vehicles for 1992 model year vehicles to a maximum of 2.7 per 10,000 vehicles for 1993 model year vehicles. The comparable figures for Ford Explorers were 0.15 per 10,000 minimum to 0.6 maximum per 10,000 vehicles and for Chevy Blazers 0.2 to 0.6 per 10.000 vehicles. If the incidence of sudden accelerations was related to drivers rather than the vehicle, then it would seem fairly obvious that completely different results would have been expected from the NHTSA complaints database, namely that the incidence rates per 10,000 vehicles would be more or less the same from one vehicle to another and would show very little variation from model year to model year. In my opinion a jump from an incidence of 0.75 to 2.7 per 10,000 for Jeep XJ/ZJ models from one model year to the next strongly suggests that it is vehicles and not drivers that have been malfunctioning. If we compare these incidence figures with those for 1983-1986 model year Audi 5000s, given above, of 586 per 100,000 vehicles, i.e. 58.6 per 10,000 vehicles, we can see an overall incidence rate difference from lowest to highest of 0.75 to 58.6 per 10,000 vehicles, i.e. a ratio of   78:1, which is nearly two orders of magnitude. Such a variation cannot be explained in terms of drivers making pedal errors because there ought to be little or no variation between vehicles.

It is sometimes claimed that sudden accelerations from standstill cannot be caused by a cruise control malfunction because the cruise control is designed not to come into operation until the vehicle speed rises above 30 mph. However, witnesses often claim of sudden accelerations from standstill that the cruise control was OFF and yet the throttle moved of its own accord. Either the witnesses are lying, or they are telling the truth and some further explanation is required. See Anderson.

How can a cruise control system that seems to be OFF still be be capable of a malfunction? The answer lies in understanding the distinction between the functions of control and protection. Electronic switching devices or controllers control the voltage or current in a load, but they do not electrically isolate a load from its power supply or provide protection against damage in the event of a fault while in operation.

For electrical isolation and protection an electromechanical switch, a relay or a contact breaker is required.  This principle is generally adopted, for example in domestic electrical supply. The individual device ( Kettle, washing machine, lawnmower etc.) has a controller of some kind and is protected by an overload cutout and fuse so that in the event of any failure the device is disconnected from the electrical supply. At the next level the ring main is protected against overload by its own circuit breaker. If that fails, then there is a main circuit breaker for the whole dwelling which will operate. Should the lawnmower controller become jammed in the fully open condition creating a potential runaway situation, the connector and socked between the power lead and the lawnmower will automatically disconnect the moment tension is applied to the lead, so bringing the lawnmower to a rapid halt.

A similar distinction between control and protection/isolation is to be found in large turbogenerators where the speed is controlled by controlling the flow of steam using electrohydraulic governor valves. Protection is provided by emergency stop valves, which are placed in series with, and ahead of,  the governor valves and which cut off the supply of steam from the boiler in an emergency and isolate the turbine. The main point to note here is that steam turbine governor valves, which have a similar function controlling steam input to a steam turbine as the throttle valve does in controlling the air/gasoline flow into an automobile engine, are only used for everyday control. The emergency stop valves come into play in an emergency and are separately and independently controlled.

It appears that  the isolation and protection functions normally provided for the control of power in safety-critical industrial systems, as outlined above, are absent in many automobile cruise control systems and electronic throttle control systems. The function equivalent to the emergency stop valve in the steam turbine seems generally to have been left out altogether! Somewhat curiously, the driver seems  to be expected to act as the fail-safe for the speed control system by braking the vehicle against full engine power. This seems to be the case whether the engine is under the control of a cruise control servo or an electronic throttle. This use of the driver as a substitute for a true and independent fail safe is one of the reasons why cruise control systems and electronic throttle systems give rise to such serious knock-on runaway effects when they malfunction.  

Denial of petition by NHTSA

It is in this context of an apparent lack of electrical isolation and  protection of the power stages of cruise control systems, that we should consider the petition  of  Mr. Sandy S. McMath  to NHTSA [19th July 1999] to re-open their 1989 enquiry on sudden acceleration. McMath was representing the parents of two boys injured in an alleged sudden unintended acceleration incident in Mountain Home Arkansas June 7th 1995. The grounds of what seems to me to be a very reasonable petition were:

1. To date, NHTSA has neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle;
2. NHTSA has apparently failed to consider the data collected by the Ford Motor Company in its investigation of 2,800 incidents of sudden accleration during 1989-1992;
3. NHTSA has not addressed the fact that there is no true failsafe mechanism to overcome sudden acceleration.

With reference to (1) the Denial says in Section 4.1.2  :

"A review of the [NHTSA] Study demonstrates that this claim is without foundation. Clearly the Study considered the possibility that viable cruise control malfunctions could cause a SAI. But it found no evidence that faults "bypassing the control logic of the cruise control system" were a viable explanation for SAI.  [SAI = Sudden Acceleration Incident = Sudden Unexplained Acceleration]

Interestingly, the NHTSA Sudden Acceleration Report of 1989 ignores an earlier NHTSA Report (DOT HS-801 737, October 1975, Section 7.6, page 196) which provided precisely the evidence that "faults bypassing the control logic of the cruise control system" were a viable explanation for SAI. The 1975 Report took the possibility of an EMI-induced sudden acceleration from standstill very seriously and came up with a very practical means of its prevention:

...Under the petitioner's theory, a vehicle involved in a cruise control related SAI would have had to experience the following simultaneous failures: (1) at least two electrical failures of the vacuum servo solenoid system; (2) a mechanical failure of the MVDV and (3) a mechanical failure of the brake system. Moreover, according to Mr. Sero, a post-SAI vehicle inspection would find not physical evidence that any of these systems failed. Thus Mr. Sero's theory is based on simultaneous electrical and mechanical faults, involving more than one element of the vehicle's control system, which would be undetectable after the incident has occurred .

Here NHTSA appears to seriously misconstrue Mr Sero's opinions. "Mr Sero's theory" appears to be a construct of NHTSA and , as far as I am able to assess, seems to bear  little or no relation to Mr Sero's actual views. Having created "Mr Sero's theory", more or less out of thin air, NHTSA then attacks the "theory". This seems to me to be somewhat unfair on Mr Sero.  http://www.forensicfacts.com/ForensicFacts/McMath_petition_denial_rebuttal.pdf

...Extensive laboratory testing of the operation of cruise controls under stress from temperature extremes, power supply variations, EMI/RFI and high voltage discharges has demonstrated no failure modes of any relevance to SAI. Analysis of their circuitry shows that for nearly all controls designed in the past few years ["all" in the case of Ford], two or more independent, intermittent failures would have to occur simultaneously to cause throttle opening in a way that would be difficult to detect after the incident. The occurrence of such simultaneous, undetectable failures is virtually impossible."

In effect the NHTSA appear to be denying the following :

1. that failure modes internal either to the cruise control module or the throttle actuating mechanism could cause the throttle to open;
2. that an intermittent fault could occur without leaving clear evidence that would be observed subsequently;
3. that two such  independent intermittent failures could occur simultaneously (concurrence 'virtually impossible')

Discussion of NHTSA Denial

One might ask the following of anyone expressing such robust and uncompromising views as the NHTSA :

• Why is it unreasonable to envisage the possibility that intermittent faults might arise within the electronic control module and cause a malfunction in the throttle actuator?    Note 2       
  

• Why would an intermittent fault, or faults, necessarily leave an observable trace(s) behind? Intermittent faults, especially in wiring and electrical contacts are sometimes extremely difficult to locate. It might take months or years before an intermittent fault might repeat itself.
  

• Why is the simultaneous occurrence of two independent intermittent failures necessarily 'virtually impossible'? (In any case, it may be that only one fault, if it is in the right place, may be necessary. )
  

Those who have carried out failure investigations will be aware of the difficulty in expressing  a fault hypothesis clearly and concisely. It seems that this the difficulty that Mr Sero has faced. He describes the failure mode as "a fault that bypasses the control logic of the cruise control system". This might mean :

• a fault that does not involve the control logic at all, ie. one that may occur whatever the control logic state and on which the control logic has no effect.
• Equally it might mean some fault that disables and  therefore  bypasses the control logic.
• A combination of both types of fault.

• faults  that involve malfunction of the control logic, as perhaps with a malfunction of a switch or sensor;
  
• faults that arise independently of the state of the control logic, i.e. faults that arise within the control system electronics after the point of application of the control logic. [ "faults bypassing the control logic"] 

• Steam turbines,  if not fully protected against sudden loss of load, would overspeed and self destruct. 
• DC machines have to be protected against loss of field for a similar reason.

The NHTSA refutes the claim that it has "neglected to consider the mechanisms that can cause sudden acceleration by bypassing the control logic of the cruise control system and thus can induce sudden acceleration in a stationary vehicle." on the basis that it found no evidence in its original 1989 report on sudden acceleration that this postulated mechanism was a viable explanation for sudden acceleration.

We shall see in the next section that, contrary to what the NHTSA asserted in the McMath Denial of Petition the year 2000, faults on cruise control system boards are known to have occurred in the field and can be induced in the laboratory and therefore their 1989 argument loses most of its force.

The NHTSA has followed very similar arguments when denying all sudden acceleration petitions, whatever the make or marque of vehicle.

Don't forget to bookmark Section 9 Links and References before leaving this site.