Software glitch causes Prius to lose power and possibly shut down.
Risk Level: Safety Critical
In May of 2011 Toyota began to receive reports of the 3rd generation Prius losing power unexpectedly and shutting down. By the start of 2014 over 400 reports and incidents of this nature had been received by Toyota, with the large majority of these reports originating in the company’s home market of Japan. The geographic breakdown of where these reports originated from is as follows:
- Japan: 300
- North America: 90
- Europe: 11
On the 12th of February 2014 Toyota issued a statement recalling all of the affected vehicles. In this statement Toyota indicated their belief that this was a possible safety issue; however, they also stated that there had been no accidents or injuries as a result of this specific failure.
- Intelligent Power Module (IPM) – An IPM is a combination of hardware and software that optimizes the distribution and use of electrical power. One of the pieces of hardware used in the IPM is a booster converter. The IPM of a Toyota Prius is located inside the Inverter Module of the control system.
- Booster Converter – A booster converter is a DC-to-DC converter: it takes the available input voltage of a power source and boosts it to produce a much higher output voltage. In the Toyota Prius the booster converter takes the 220 volts available from the battery packs and boosts it to an output of 500 volts, which is the voltage necessary to power the vehicle’s electric motor.
A setting within the software for the vehicle’s IPM, which in turn controlled the vehicle’s booster converter, caused the booster converter to overheat. The thermal stress created by the overheating of the booster converter then damaged the transistors housed within the booster converter. The overall result of this failure was a loss of power to the main engine. This loss of power could cause a number of warning lights to activate and the vehicle either to enter a fail-safe mode, which allowed it to continue driving at reduced power for a short distance, or to have the engine stop completely and stall.
Official US Recall Document
This failure resulted in the recall of 1.9 million vehicles worldwide. The recall was made up of all 3rd generation Toyota Prius manufactured between March 2009 and February 2014. All of the vehicles were required to return to a Toyota dealership where a software patch could be installed; this process took approximately 40 minutes to complete on each vehicle.
This was the 3rd recall issued on the Toyota Prius in five years and continued to highlight the major quality issues that have plagued Toyota in the same timeframe. In the United States alone from 2010 to 2014 Toyota recalled almost 24 million vehicles, making Toyota the most recalled manufacturer in that period.
In our opinion this was a non-functional failure: while it has been reported that it was a setting within the software that triggered the failure, the system was fully functional. This setting affected non-functional, performance-related requirements, such as the thermal stress produced by the booster converter and the temperature rating of the transistors housed within the booster converter.
In our opinion the use of equivalence partitions and boundary value analysis could have proved valuable in preventing this failure. Using black box testing methods, a set of tests could be drawn up to check the robustness of the system: take temperature as the scale, use the temperature rating of the transistors to set the partitions and boundaries, and then measure the heat produced by the booster converter for the various variables set within the IPM software. Just from developing these tests, safe operational limits could be derived and integrated into the code.
How to avoid this in the future
It is critical in the design and development phase of a project to ensure that all of the safe operational limits of individual parts are identified and documented. By reviewing this documentation testers can then ensure that they develop appropriate tests for these limits. Tests should also be developed to ensure that all of the parts that are dependent on each other are constrained within an operational envelope that is safe for all parts.
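The following is an added example (not code from Toyota or from the original post) of the two ideas above: deriving boundary-value tests from a part's temperature rating, and computing a shared operational envelope for parts that depend on each other, then using that envelope to clamp a controller setting. All part names, temperature ratings and the thermal model are constructed for illustration; the only figures taken from the text are the 220 V input and 500 V output of the booster converter.

```python
"""Boundary-value tests and a shared thermal envelope for dependent parts.

Added example; part ratings and the thermal model are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PartLimit:
    """Documented safe temperature range of one part, in degrees Celsius."""
    name: str
    min_c: float
    max_c: float


# Constructed ratings for three parts that share the converter's heat path.
# These are NOT Toyota figures; they only illustrate differing limits.
PARTS = [
    PartLimit("booster_converter_transistor", -40.0, 150.0),
    PartLimit("converter_coolant_loop", -40.0, 105.0),
    PartLimit("dc_bus_capacitor", -40.0, 85.0),
]


def safe_envelope(parts=PARTS):
    """Intersection of all part limits: the only range safe for every part.

    The most restrictive part (here the capacitor) sets the upper bound, so a
    setting that is fine for the transistor alone can still be unsafe.
    """
    lo = max(p.min_c for p in parts)
    hi = min(p.max_c for p in parts)
    if lo > hi:
        raise ValueError("no temperature is safe for all parts")
    return lo, hi


def classify(temp_c, lo, hi):
    """Equivalence partition a temperature falls into: below, safe or above."""
    if temp_c < lo:
        return "below"
    if temp_c > hi:
        return "above"
    return "safe"


def boundary_values(lo, hi, step=1.0):
    """Boundary value analysis: each limit plus the value just either side."""
    return sorted({lo - step, lo, lo + step, hi - step, hi, hi + step})


def run_boundary_tests(parts=PARTS):
    """Map each boundary value to its expected partition for the envelope."""
    lo, hi = safe_envelope(parts)
    return {t: classify(t, lo, hi) for t in boundary_values(lo, hi)}


# Toy thermal model (constructed): converter heating grows with the boost
# ratio (output volts / input volts) and with the switching duty cycle.
HEAT_COEFF_C = 40.0


def converter_temperature(ambient_c, boost_ratio, duty_cycle):
    return ambient_c + HEAT_COEFF_C * boost_ratio * duty_cycle


def ipm_setting_is_safe(ambient_c, boost_ratio, duty_cycle, parts=PARTS):
    """Black-box check: does this software setting keep every part in range?"""
    lo, hi = safe_envelope(parts)
    return classify(converter_temperature(ambient_c, boost_ratio, duty_cycle), lo, hi) == "safe"


def max_safe_duty_cycle(ambient_c, boost_ratio, parts=PARTS):
    """Operational limit derived from the tests, to be built into the controller."""
    _, hi = safe_envelope(parts)
    return max(0.0, min(1.0, (hi - ambient_c) / (HEAT_COEFF_C * boost_ratio)))


def clamp_duty_cycle(requested, ambient_c, boost_ratio, parts=PARTS):
    """Never let a configured duty cycle exceed the derived safe limit."""
    return min(requested, max_safe_duty_cycle(ambient_c, boost_ratio, parts))


if __name__ == "__main__":
    ratio = 500.0 / 220.0  # boost from the 220 V pack to the 500 V motor bus
    for temp, part in run_boundary_tests().items():
        print(f"{temp:7.1f} C -> {part}")
    print("duty 0.5 safe at 35 C:", ipm_setting_is_safe(35.0, ratio, 0.5))
    print("duty 0.9 safe at 35 C:", ipm_setting_is_safe(35.0, ratio, 0.9))
    print("clamped duty for 0.9:", clamp_duty_cycle(0.9, 35.0, ratio))
```

The point of `safe_envelope` is that the limit written into the controller must come from the intersection of all dependent parts' ratings, not from the one part whose datasheet the software team happened to read; `run_boundary_tests` then gives the test cases at and around those limits, and `clamp_duty_cycle` shows the derived limit enforced in code rather than left as a tuning value.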
Source and Reference material:
http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM462135/RCMN-14V053-8582.pdf (Official US recall notice)