On formal verification of Toyota´s electronic throttle controller

This practice paper examines Toyota´s electronic throttle controller (ETC) problem. ETC for passenger cars is a safety-critical, embedded control system and it must meet very high reliability and safety requirements. ETC systems continue to increase in complexity, making formal specification and verification processes an essential component of the development of safer systems. There are two ways to represent the real-time system. Firstly, we can describe the system´s structure and function by detailing its electrical, mechanical, and other components. Secondly, the real-time system´s behavior as it responds to actions and events can be described. Then we can compare the system´s specification to the safety assertion to show that the system meets the safety properties. This paper describes two research threads. In the first, we present the specification of Toyota´s electronic throttle control (ETC) system including the timing constraints. The second thread, which will be explored in a longer version of this paper, evaluates the use of conventional design versus electronic engine control by applying classical control theory.