[SystemSafety] Request for references on measures to manage failures for homogeneous sensor redundancy

Watts Malcolm (AE-BE/ENG1-AU) Malcolm.Watts at au.bosch.com
Fri Dec 13 08:15:02 CET 2019 

Colleagues;

Can I ask for your assistance please ?  I'm looking for references that show approaches to using multiple redundant (possibly unreliable) sensors in safety-related systems.

I am supporting a project team working on a safety-related embedded system (with safety requirements equivalent to automotive ASIL B) that must make safety-related decisions on the basis of input from an array of  sensors, all of the same type, in proximity.  (The sensors are in slightly different locations in the same physical environment, so their expected output will be highly correlated but not identical).
There may be from 3 to 8 sensors; this number relates to the application and is not driven by safety concerns.

Currently, the sensors are developed according to a safety standard, and are allocated safety requirements.
The team wants to understand the impact of changing to a different sensor, that may not have been developed in accordance with safety requirements.  I expect requirement decomposition won't be possible.

What approaches may be viable for achieving and demonstrating a safe system, if it must use data from unreliable sensors, with significant (homogeneous) redundancy ?

On one hand, we want to take advantage of the redundancy... on the other, convincingly demonstrating freedom from dependent failures in an array of identical sensors seems problematic.

What are our options for safety mechanisms that take advantage of the redundancy we can achieve ?

I'm aware of work on sensor fusion, on sensor failure detection and classification, on redundant sensors in autonomous vehicle development and on "reliable consensus decisions" for (e.g.) navigation systems and distributed time signals.

What I've not found so far is approaches to formal compliance with a safety standard, without using "reliable" (in the sense of having some demonstrable safety property) sensors, but instead using sensors that are not developed to a safety standard.  I'm struggling to find anything that takes advantage of the degree of redundancy available, to provide evidence of reliability/correctness.  I'm increasingly seeing (non-safety) IoT systems with many sensors, so I expect this question will shortly come up in many other safety-related applications.

I can think of approaches (BBNs, Kalman filtering...) that I feel should be able to provide evidence of the confidence achieved (at system design time) in a safety mechanism applied at runtime, but I haven't found good references around how these might be applied specifically to safety systems.  This feels something like a "checker" safety pattern, but where the check is on some collective property of the sensor network.  I'd like to turn "feeling" into convincing evidence :).

Can anyone point to any good references or advice that will help ?

Thanks,

Mal.

Best regards,

Malcolm Watts
Mal at ieee.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/pipermail/systemsafety/attachments/20191213/c6a47b70/attachment.html>

More information about the systemsafety mailing list