Engine and other automobile systems are increasingly controlled electronically. This has led to improved fuel economy, reduced pollution,  improved driving safety and reduced manufacturing costs. However the automobile  is a hostile environment : especially in the engine compartment, where high temperatures, humidity, vibration, mechanical shock, electrical interference and a fine cocktail of potentially corrosive pollutants are present. These hostile factors may cause electrical contacts to deteriorate, surface resistances to fall and sensitive electronic systems to fail in a variety of modes. Some of these failure modes will be benign, whereas others may be dangerous and may cause accidents and endanger to human life.  The Annex to the IEE Guidance Document on EMC and Functional Safety published in 2000 lists 21 electronic systems that may be present in the modern automobile, some of which have the potential to  endanger the safety of the vehicle occupants or other road users should an error or a mis-operation occur. Estimates, as of 2009, suggest that there may now be as many as 50-70  microprocessors in the modern high-end automobile.  This figure continues to increase as electronics is embedded in more and more vehicle systems. According to Hubing in his presentation to the National Academy of Sciences in July 2010 "Analysing Unintended Acceleration and Electronic Controls"  a Boeing 787 Dreamliner passenger aircraft will have approximately 6.5 million lines of code, whereas a typical luxury car will have 100 million lines of code.

An electronic system frequently fitted to modern vehicles is a cruise control system, or vehicle speed control system, which keeps a vehicle's speed constant on long runs and therefore may help prevent driver fatigue. Logical hard-wired or software interlocks are built into the design that are intended  to prevent the cruise control from operating in certain gears, below certain speeds etc. Safety switches send  signals that deactivate the cruise control when, for example, the brakes are applied. Cruise control is not suitable for all road conditions and drivers are warned not to use it at low speeds, or in heavy traffic, on winding roads or in foggy or icy conditions.

First generation speed control systems were standalone electronic control systems, usually with an electronically controlled vacuum servo operating on the throttle. Intermediate generation speed control systems worked on similar principles and tended to use d.c. motor, or stepper motor servos. Nowadays, the speed control/ cruise control function is often handled by the ECT (electronic throttle control) and the Engine ECU working together.

Electronic throttle control (ETC), or "throtttle by wire" was first introduced by  BMW on their 7 series range in 1988. Through the 1990s ETC was introduced by a number of manufacturers  such as Mercedes on high end vehicles. Toyota introduced electronic throttles on some Lexus vehicles in 1998 and on a number of other vehicle lines such as the Camry in the 2002 Model Year. Other manufacturers started introducing electronic throttle control at about the same time as Toyota and from about 2003-4 electronic throttles have been commonly fitted on most medium and large automobiles.

With electronic throttle control the driver no longer controls the throttle directly by means of a flexible Bowden cable linking between the accelerator pedal and the throttle. The control is indirect  by means of an electronic link from the accelerator pedal to the ECT working in conjunction with the Electronic Engine Control Unit (ECU). In vehicles fitted with electronic throttle control, most of the functional elements necessary for speed control are already present in the ECU and the ETC servo. The cruise control system therefore reduces to the steering wheel switches that provide operator control and various other cruise-related inputs to the ECU such as a brake signal, a cruise deactivation signal etc. The speed signal is in all probability not derived from a dedicated speed sensor, but is already available from the ABS system.

If the driver hands over speed control to a cruise control system, then the capability of the system to control speed to the set value is just as critical to safety as is the capability of the driver to control speed manually. Yet, strangely, although the capability of the driver  is regarded as a critical safety factor - e.g. the slogan "Don't drink and drive" - this is not generally the case with cruise control systems. These tend to be classified, incorrectly in my opinion, as "leisure" or "driver convenience" systems, whereas in fact they are safety-critical systems with the potential to fail dangerously by causing the vehicle to suddenly accelerate and quite possibly cause it to crash, with a risk of  injury or death. 

It is sometimes argued that should the cruise control system or the electronic throttle control malfunction and cause the throttle to move uncommanded to the wide open position, resulting in a sudden acceleration, the driver can  intervene by one of the following means:

• applying the brakes and overcoming the engine torque;
• putting the transmission into neutral;
• switching off the ignition. 

• Evidently not in the case of Kevin Nicolle  (March 5th 2006). Nicolle was was driving south in his 1998 BMW 318 on the A1 trunk road near Thirsk, North Yorkshire, UK. He lifted his foot off the accelerator to keep his distance from traffic ahead, at which point the car experienced a sudden uncommanded acceleration. His attempts to put the car into neutral failed. He was able to keep the speed down to 70 mph by braking until the brakes burnt out and then he found himself driving at speeds of up to 135 mph. He phoned the Police, with whom he kept in constant contact via his hands-free mobile phone. The Police told him to switch on his hazard lights and headlights and sent a helicopter to track him and guide him. After travelling 63 miles Nicolle crashed at a roundabout and miraculously survived shocked but unhurt. [http://news.bbc.co.uk/1/hi/england/4796264.stm    Daily Telegraph 11 March 2006

• Nor in the case of Chase Weir, 22, who thought he was going to die during a terrifying ride through the eastern suburbs of Melbourne, Australia  on 15th December 2009 after his cruise control jammed. Weir  was forced to dodge cars during his 30-minute ordeal after his 2002 Ford Explorer became stuck on 80km/h.The car's computer malfunctioned when he attempted to take the Burke Road exit from Kew to Greensborough about 12.40pm. Mr Weir's attempts to stop the vehicle — including braking, shifting the car out of gear and even removing the keys — proved futile as he desperately dialled triple-0 on his mobile phone. Two police cars found the out-of-control 4WD and attempted to clear a path along the Eastlink roadway. But Weir was forced to veer onto the wrong side of the road to avoid banked-up traffic near Monash University's Frankston campus."That's pretty much when I thought, 'I'm dead'," Mr Weir told told Nine News.  Nine News Video Report  ABC News radio interview

• On the morning of 16th November 2012 an unnamed mother living in Stevenson Ranch California on car pool duty was carrying three teenage girls to school in her 2012 Toyota Highlander. As she pulled slowly into the parking area in front of a property at the end of O'Hara Lane to pick up a fourth child, the vehicle suddenly accelerated a short distance into the right hand of two garages. It appears that the driver then put the vehicle into reverse. As the vehicle accelerated backwards into the road, the driver managed to slow it down by putting it into forward gear. The vehicle then accelerated forward and hit the second garage. She then put the vehicle into reverse for the second time and it accelerated back into the road once more, at which point it rotated anti-clockwise about its back end through more than 180 degrees. The incident terminated when the front left hand wheel hit the curb violently and the stub axle was damaged. By a miracle nobody was hurt.

A classic feature of many sudden acceleration incidents is that the driver is unable to bring the vehicle to a halt using the brakes. This is not altogether surprising because car braking systems are not specifically designed to brake against full engine power and are likely to overheat and temporarily lose some, if not most, of their effectiveness. (Brake fade on steep hills is a well known cause of loss of vehicle control and for this reason it is necessary to change down at the top of the hill to get the maximum effect of additional braking from the idling engine.) Vacuum assist can be quickly lost if the driver should pump the brakes while the throttle is wide open. Would it be wise to switch off the engine or apply the brakes in some situations? Surely, the manufacturers should design in gentler and more reliable means of bringing such potentially dangerous situations under control? Why not provide some means to reduce engine power output  in an emergency? For example:

• a kill switch is used in stock car racing and on motorcycles to protect against the throttle plate sticking in the wide open position;
  
• a supplementary slam shut throttle plate, in series with the main throttle, is used as part of some ABS systems to rapidly reduce the fuel/air mix flowing into the engine; 
  
• an independen sub-throttle could be used in series with the main throttle if the main throttle stuck open as in Toyota/Denso US Patent 4995364 (1991)  
• some vehicles already have an economy mode to save fuel where fuel is only injected into half of the the cylinders. Surely such an economy mode system could be adapted to partially de-fuel the engine in an emergency?

Some car manufacturers now include  so-called "intelligent throttle" software that detects if the brake and accelerator pedals are accidentally depressed at the same time and reduces the engine speed to idle. The "intelligent throttle" software appears to be implementing something like the following rule:

IF the Accelerator pedal is depressed AND the Brake is depressed  AND  the vehicle is moving,
          THEN ignore the Accelerator pedal and close the throttle.

From a functional point of view, this is an electronic interlock implemented in software. It mimicks the mental interlock built into the driver's reflex actions that ensures that the driver controls speed by using accelerator and brake pedals in concert. There can be no doubt that this is a practical way of preventing simultaneous operation of the accelerator and the brake, but, in my opinion,  it is of no use whatsoever in dealing with uncommanded acceleration if that should be the result of a malfunction within the electronic throttle control itself.

Many drivers have reported sudden acceleration incidents where the accelerator was not depressed at the time. They claim that the car "took off by itself". Clearly in such cases where the accelerator pedal has not been depressed, the so-called "intelligent throttle" software will not close the throttle. Therefore, in my opinion, the "intelligent throttle" is not a truly independent fail-safe for an uncommanded wide open throttle. It is unlikely to work in those dangerous situations of "electronic disobedience" where the electronic throttle demonstrates a will of its own and refuses to be commanded to move to the closed position. In my opinion, a truly independent fail-safe mechanism must operate entirely independently of the ECT and the Engine ECU and would monitor accelerator, brake and throttle positions with a dedicated set of independent sensors. 

 Don't forget to bookmark Section 9 Links and References before leaving this site.