Page 105 - Toyota Under Fire
modules at every stage of the process (see Figure 3.1, a Toyota diagram of its vehicle electronics). These multiple sensors aren’t redundant—they aren’t designed so that if the first sensor fails, the second can pick up where the first left off. Instead, the systems are designed to snitch on each other. The two pedal sensors send a simultaneous signal to the ECM. If the signals don’t agree with each other, the system enters a fail-safe mode. To further guard against errors, the signals from the two pedal sensors are different voltages, offset from each other at a precise interval. Again, if the interval in voltages changes, the system enters a fail-safe mode.

Checks for consistent signals are made constantly. Within the ECM, there are two computer processing units, one that runs the system and a second that confirms that the behavior of the first is following the signals that it is receiving. These two computers are independent of each other: neither controls the other, but either can send the system into one of a number of fail-safe modes to limit the speed or stop the vehicle if it sees the other acting incorrectly. Similarly, the throttle position is monitored by two separate sensors that send signals with different voltages, similar to the pedals.

If any of the sensors or computers fail, or if any of the messages and multiple interpretations of the messages conflict with one another (for instance, if one sensor says that the accelerator is pressed to the floor and the other says that it’s only halfway depressed), the system enters a fail-safe mode. Thus, the multiple signals don’t protect against failures; they protect against errors. In addition to entering a fail-safe mode, any problem is also recorded in another computer system, and a warning light is turned on. While the specifics of this redundant fail-safe system are unique to Toyota, the basic design is standard in the industry.
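The two-channel pedal check the passage describes, written out as an added C example (this is illustrative code, not Toyota's, and every voltage threshold in it is a constructed assumption). It shows the two gates the text distinguishes: each channel must be electrically plausible on its own, and the pair must keep its fixed offset, otherwise the reading is rejected rather than "repaired" from the other channel.

```c
/* Two-channel pedal plausibility check in the style the text
 * describes. Every threshold below is a constructed assumption,
 * not Toyota calibration data; voltages are in millivolts. */
#define VPA1_REL_MV   800    /* channel 1 with the pedal released */
#define VPA1_FLOOR_MV 3800   /* channel 1 with the pedal on the floor */
#define OFFSET_MV     800    /* channel 2 sits this far above channel 1 */
#define OFFSET_TOL_MV 150    /* drift tolerated in that interval */
#define WIRE_LOW_MV   200    /* below this: open circuit or short to ground */
#define WIRE_HIGH_MV  4800   /* above this: short to supply */

enum pedal_status {
    PEDAL_OK,            /* channels agree; position may be used */
    PEDAL_FAIL_RANGE,    /* a channel is electrically implausible */
    PEDAL_FAIL_OFFSET    /* channels disagree: the fixed interval changed */
};

struct pedal_result {
    enum pedal_status status;
    int position_pct;    /* 0..100 when OK, 0 in fail-safe */
};

static int in_range(int mv)
{
    return mv > WIRE_LOW_MV && mv < WIRE_HIGH_MV;
}

struct pedal_result pedal_check(int vpa1_mv, int vpa2_mv)
{
    struct pedal_result r = { PEDAL_OK, 0 };

    /* Gate 1: each channel must be plausible on its own. */
    if (!in_range(vpa1_mv) || !in_range(vpa2_mv)) {
        r.status = PEDAL_FAIL_RANGE;
        return r;
    }
    /* Gate 2: the channels must keep their fixed offset. A disagreement
     * is treated as an error, so the ECM does not fall back to the
     * "better" channel; it refuses both and enters fail-safe. */
    int diff = vpa2_mv - vpa1_mv;
    if (diff < OFFSET_MV - OFFSET_TOL_MV || diff > OFFSET_MV + OFFSET_TOL_MV) {
        r.status = PEDAL_FAIL_OFFSET;
        return r;
    }
    /* Only a reading that passed both gates becomes a pedal position. */
    int pct = (vpa1_mv - VPA1_REL_MV) * 100 / (VPA1_FLOOR_MV - VPA1_REL_MV);
    r.position_pct = pct < 0 ? 0 : (pct > 100 ? 100 : pct);
    return r;
}
```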