DE102020107950A1 - Procedure for fault detection and safe sensor system - Google Patents

Abstract

A method for detecting errors in a safe sensor system (12, 14, 16a-d) is specified, in which a measured variable is recorded by means of a multiplicity of n information sources (16a-d) and a target variable is determined from the measured variables, the sensor system (12, 14, 16a-d) is over-determined in the sense that the target variable can also be determined with fewer than n information sources (16a-d) and where the error detection determines that at least one of the information sources (16a-d) has a incorrect measured variable generated. In order to detect errors, the target variable is determined several times from different combinations of less than n information sources (16a-d) and an excessively large discrepancy between the target variables determined several times is recognized as an error in at least one information source (16a-d) and / or calculated back from the target variable which measured variable would have generated an error-free functioning information source (16a-d) and compared this with the measured variable actually generated.

Description

The invention relates to a method for detecting errors in a safe sensor system with a large number of information sources.

Safe or safety in the sense of this application means that people are protected from dangers emanating from machines, systems and other technical equipment. A sensor system for such safety-related or safety-related applications must be reliable in a precisely defined way in order to avoid accidents. In order to prove the safety-related suitability of a sensor system, requirements for the behavior in the event of a fault are decisive and normatively stipulated. In the area of machine safety, for example, the standards are here ISO 13849 or IEC 62061.

Typical secure architectures are two-channel systems in which the function of two separate channels is redundant or diversely redundant, with errors being revealed by comparing the channels. Alternatively, safety can also be guaranteed through tests or a separate diagnostic channel.

If a sensor system becomes complex because it requires numerous hardware components and / or software with complex calculations, a two-channel structure with complete redundancy or diverse redundancy, i.e. the use of several complementary measurement principles, becomes very expensive. It would be desirable to have diagnostic functions at hand that can be implemented with realistic effort.

An example of such a complex sensor system is a localization measurement system based on wireless sensor networks. Its function is to convey precise knowledge of kinematic variables such as position, direction of movement or speeds of people, vehicles and other important objects. This is required in numerous control systems, for example in the context of Industry 4.0 or modern logistics applications. Various technologies are available and tested for this in the field of automation technology.

The use of such technologies as part of safety-related controls or systems, on the other hand, is only just beginning.This is also due to the fact that the classic ways of fulfilling the relevant safety standards, as mentioned, are only used to a limited extent for complex, software-intensive systems such as a localization measurement system, and with a great deal of effort and require additional components.

It is therefore the object of the invention to improve the fault detection for a safe sensor system.

This object is achieved by a method for fault detection and a safe sensor system according to claims 1 and 10, respectively. The fault detection enables safety-related evaluation by recognizing a malfunction with a defined reliability. As already explained in the introduction, safe means that the safety requirements of a safety standard for machine safety to avoid accidents with people are met. Exemplary norms are ISO 13849 or IEC 62061. However, there should preferably not be any restriction to specific standards, as there may be modified versions or successor standards. However, this does not change the fact that such standards, which are not specifically cited, have precisely defined requirements for reliability and behavior in the event of an error, depending on the application and risk potential.

The sensor system comprises a plurality of information or data sources, denoted by n, which each record a measured variable. Sources of information differ, for example, in which receiving unit and which measuring principle are used to measure and / or which transmitting unit generates or influences the measured variable. A target variable is determined from the measured variables. The measured variables are therefore often, but not necessarily, only auxiliary variables that may only be used internally in the sensor system. The sensor system is overdetermined because there are more sources of information than would be mathematically necessary to determine the target variable. In other words, the target variable can also already be determined from i <n measured variables. As a result of the error detection, an error is found in at least one information source, which then generates an incorrect measured variable. In this context, an error means a malfunction, a defect or an unexpected result, not just a measurement error that can in any case never be avoided within the framework of typical tolerances.

The invention is based on the basic idea of using the overdetermination to detect errors in order to diagnose the information sources. In one variant, the target variable is determined several times, in each case omitting at least one information source in different constellations. In an intact sensor system, these target values should be roughly the same. Too great a deviation between the target values is therefore seen as an error in at least one Source of information considered. The target variable that deviates from an otherwise existing consensus does not have to be based on the incorrect information source. On the contrary, the faulty source of information can systematically distort the target values in a similar way and even make a correct target value appear as an outlier. In any case, it is recognized that there is an error, and that is the safety-relevant information that can be followed by a subsequent, more precise diagnosis for rectification.

In an alternatively or additionally applicable variant, the target variable is used to calculate back which hypothetical measured variable would be expected from the respective intact information sources. This is then compared with the actually recorded measured variable for each information source. A certain deviation is not yet an error, since each measured variable only provides a partial contribution to the overdetermined system and this determination of the target variable is intended to have a certain corrective effect on the individual measured variables. However, a source of information for which the above comparison shows clear differences is considered to be incorrect. In this variant, the extent of the differences therefore also provides an indication of which specific information source is affected by the error.

The invention has the advantage that a universal and scalable method for fault detection is specified as an important part of a security concept. The method can be implemented in software so that no additional hardware components are required. The multiple mentioned requirements for functional safety on fault detection in accordance with relevant safety standards, in particular for random hardware faults, are met. In doing so, practically the entire sensor system is tested; in other words, a very high degree of diagnosis (diagnostic coverage) is achieved.

The target variable is preferably determined from the measured variables of n-1 information sources, in particular from all combinations of n-1 information sources. Accordingly, when the target variables are determined multiple times from different combinations of information sources, exactly one information source is omitted. Preferably, all n possible combinations of this type are formed, thus n target variables are formed, each information source being omitted once. In this way, the influence of a possibly defective information source has a particularly clearly recognizable effect.

A standard deviation of the target variable determined several times is preferably determined and evaluated with a threshold. If no information source has an error, the target variables should be very close to one another, regardless of which of the too many information sources in the overdetermined sensor system was in each case not taken into account. This condition, whether the target values are close together or not, can be quantified using the standard deviation. A multiple of a standard deviation of an error-free sensor system is particularly preferably defined as the threshold for evaluation, the multiple defining a required significance.

The target variable, from which the measured variables of an error-free functioning information source are calculated, is preferably determined from all information sources. This leads to as precise a target as possible, taking advantage of the overdetermination. Accordingly, the hypothetical measured variables that are compared with to detect errors are also predicted as precisely as possible. The target variable is thus preferably determined only once, apart from the possible repetitions of measurements explained below, which, however, would also result in new measured variables.

The difference between a recalculated measured variable of a correctly functioning information source and a measured variable actually generated by the information source is preferably evaluated with a threshold. The threshold defines which deviations are still in the range of typical tolerances and when an error is assumed. The threshold is particularly preferably defined as a multiple of the standard deviation of the measured variable with an error-free information source. This standard deviation quantifies typical regular measurement fluctuations, and it is only when there is a significant deviation from it that this is an error. The level of significance is defined using the multiple.

Repeated measurements with determination of the measured variables are preferably carried out and these are statistically evaluated together. Thus, errors should not be inferred from just a one-off determination of the measured variables of the information sources, but a statistical statement should be made. This can again be done using the usual statistical measures, in the simplest case mean value and standard deviation. If standard deviations have already been determined in the course of a single measurement, as described above, the repeated measurements enlarge the sample.

The sensor system is preferably a safety-related localization system, in particular for a vehicle. The vehicle can be self-driving (AGV, Automated Guided Vehicle). The target variable is a kinematic variable. Usually at least the position is in one to three Degrees of freedom recorded, and by tracking them over time, other kinematic variables such as speed, direction and / or acceleration can be determined. For example, using the Doppler effect as in the case of radar, a direct speed measurement without position determination is also conceivable. The method according to the invention for fault detection enables software-based diagnosis of the entire localization system for safety-related localization during runtime. It makes use of the distributed topology of the localization system and, on this basis, realizes mutual monitoring of the individual elements.

The sensor system is preferably a UWB, RFID, ultrasound or WiFi system, and the kinematic variable is determined on the basis of signal propagation times, signal propagation time differences and / or reception angles. The fault detection according to the invention can be used for various localization technologies. This is based in particular on wireless sensor networks such as ultra-broadband technology (UWB), wireless (WiFi) or radio-based identification (RFID, radio frequency identification). Possible localization methods are based on transit times (ToA, Time of Arrival), transit time differences (TDoA, Time Difference of Arrival) and / or reception angles (AoA, Angle of Arrival). These technologies are known per se and are used for object detection, localization and object tracking, but have so far not been safe in terms of personal protection.

The sensor system preferably has at least one moving receiver and a transmitter generating a localization signal as information sources. In this context, the sources of information are also referred to as anchors (beacons). Because of the over-determination, there is at least one more anchor than required. Since not every anchor can be received from everywhere, especially in the interior, the even stricter condition is preferably met that at least one additional anchor can be received from everywhere in the relevant navigation area. Their respective transmission or localization signal, which is physically a radar, RFID or ultrasonic signal depending on the sensor system used, is recorded by the moving receiver, which localizes itself with it. Instead of a mobile receiver that localizes itself using the localization signals from several anchors, conversely, a mobile tag can generate a localization signal that is received by the anchors or information sources

In a preferred development, a safe sensor system with a large number of information sources and a control and evaluation unit is provided, which is designed to determine a target variable from measured variables from the information sources and to detect errors according to the invention. The sensor system is in particular a safety-related localization system according to one of the above-mentioned embodiments. The fault detection according to the invention makes an important contribution to making the sensor system safe.

• 1 eine Draufsicht auf ein Lokalisierungssystem für ein Fahrzeug mit mehreren Ankern;
• 2 eine Darstellung der von einem Lokalisierungssystem geschätzten zweidimensionalen Positionen bei verschiedenen Versatzfehlern in einem der Anker;
• 3 eine Darstellung der unter Auslassung jeweils eines Ankers geschätzten Positionen, der tatsächlichen Position sowie von Mittelwert und Standardabweichung der geschätzten Positionen bei einem beispielhaften Versatzfehler in einem der Anker;
• 4 eine Darstellung der Standardabweichung der geschätzten Positionen in Abhängigkeit des Versatzfehlers in einem der Anker; und
• 5 eine Darstellung der Abweichung zwischen einer aus einer Position rückgerechneten TDoA und einer tatsächlichen TDoA an den verschiedenen Ankern jeweils in Abhängigkeit von einem Versatzfehler in einem der Anker.

The invention is explained in more detail below also with regard to further features and advantages by way of example using embodiments and with reference to the accompanying drawings. The figures in the drawing show in:

• 1 a top view of a location system for a vehicle having multiple anchors;
• 2 a representation of the two-dimensional positions estimated by a localization system given various offset errors in one of the anchors;
• 3 a representation of the positions estimated with the omission of one anchor in each case, the actual position and the mean value and standard deviation of the estimated positions in the case of an exemplary offset error in one of the anchors;
• 4th a representation of the standard deviation of the estimated positions as a function of the offset error in one of the anchors; and
• 5 a representation of the deviation between a TDoA calculated back from a position and an actual TDoA at the various anchors, each depending on an offset error in one of the anchors.

1 shows a schematic plan view of a localization system for a vehicle 10 . The vehicle 10 is to be used as an example of an application of a safety-oriented localization of objects in complex environments, for example in modern logistics, to automatically navigate (AGV, automated guided vehicle).

The localization system has one on the vehicle 10 moving localization sensor 12th with a control and evaluation unit 14th on. The location sensor 12th is only shown schematically as an antenna. The specific structure depends on the specific localization technology, but is then known per se. The control and evaluation unit 14th can as a separate component as shown, but also at least partially in the localization sensor 12th integrated or vice versa in a higher-level system such as the vehicle control system 10 be integrated. The localization system also includes a large number of transmitters 16a-d that are in known positions and that have a localization signal generate that from the location sensor 12th Will be received. The control and evaluation unit 14th evaluates each from the localization sensor 12th generated measured variables.

In connection with localization methods, the fixed transmitters arranged in a distributed manner are used 16a-d in the following as an anchor 16a-d designated. Various wireless signals are conceivable as physical basic technology, for example wireless networks (WiFi), radio frequency processes (RFID) or ultra-broadband technology (UWB). A real bidirectional communication connection is advantageous, but not absolutely necessary, for example in an embodiment with ultrasonic transmitters and an ultrasonic receiver. Furthermore, different methods for determining a position are known, for example the measurement of transit times (ToA, Time of Arrival TOA), the measurement of transit time differences (TDoA, Time Difference of Arrival TDoA) or the measurement of angles at which signals are received ( AoA, Angle of Arrival). Each of the n anchors can 16a-d , in the representation of the 1 there are four anchors, for example 16a-d , can be understood as a source of information that can be obtained with the help of the localization sensor 12th a measured variable is generated.

Several anchors are needed to determine a position as the target variable actually sought from these measured variables 16a-d required, whereby this number also depends on how many dimensions a position is to be determined in. Are more anchors 16a-d if it is purely mathematically necessary to determine the target variable, the system is overdetermined. However, this is often wanted in order to increase the accuracy, availability and robustness of the localization.

The overdetermination is now used for a software-based method for fault detection with mutual diagnosis of the elements of the localization system. Statistical approaches reveal deviations caused by an anchor malfunction 16a-d be evoked. The behavior of the intact localization system and the expected behavior in the event of a fault can be used as a yardstick.

The following is based on simulations with reference to the 2 until 4th a first embodiment and then with reference to FIG 5 a second embodiment of an error detection presented. In these embodiments, there are at least three anchors 16a-d needed to determine a two-dimensional position. In fact, there are four anchors 16a-d available. These numbers are purely exemplary. TDoA (Time Difference of Arrival) is also used as a localization method. The localization sensor registers 12th the arrival time of the respective anchors 16a-d transmitted signals. A comparison of the respective arrival times reveals the armature when the relative positions are known 16a-d the position of the vehicle 10 regarding the anchors 16a-d determine. Depending on the method, there are synchronizations between the anchors 16a-d and / or the location sensor 12th necessary. The procedure can also be used in reverse. Then a transmitter generates on the vehicle 10 a signal in the anchors 16a-d Will be received

Various errors can occur in the localization system, in which a reliable localization can no longer be guaranteed. As an example, an error is assumed here, that of an anchor 16d causes a systematic additional time offset. Other errors are revealed in a similar way.

2 shows an example of the positions of four anchors 16a-d . The actual position 18th of the vehicle 10 should be estimated with the localization method. The arrival times for the various anchors 16a-d are not exact even in an error-free localization system, but are subject to the typical and unavoidable measurement inaccuracies caused by jitter, antenna geometry, antenna alignment and the like. An optimization process uses overdetermination in order to obtain the best possible estimate of the position under these real conditions 18th to reach. In addition to the position estimate, statistical measures of the uncertainty can be calculated.

In 2 are out of the exact position 18th different estimates 20th the position shown assuming that the anchor 16d has a systematic time offset due to an error, which for this case varies from -5 ns to 5 ns. For the sake of simplicity, the estimates do not also have additional measurement tolerances. In this exemplary embodiment, the challenge in detecting errors is to recognize whether there is such a systematic distortion due to a time offset at an armature 16a-d gives. Here is the exact position 18th of course not known, and it should also be recognized whether the inaccuracies are more than the expected inaccuracies. Responding to typical measurement inaccuracies would not be a safety problem, but it would reduce the availability and thus the acceptance of the localization system completely unnecessarily.

$$\overrightarrow{r_3\left[A_1,A_2,A_4\right]}=\left(\begin{array}{c}{x}_3\\ y_3\end{array}\right),\overrightarrow{r_4\left[A_1,A_2,A_3\right]}=\left(\begin{array}{c}{x}_4\\ y_4\end{array}\right).$$

3 shows the four anchors again 16a-d as well as the exact position symbolized by a triangle and unknown to the localization system 18th . With an "x" are estimated positions 22nd marked with the measurands respectively Arrival times of three of the four anchors 16a-d were determined. The information of the fourth anchor 16a-d is therefore not taken into account. This way there is four times a position 22nd estimated: $$\overrightarrow{r_1\left[{\mathrm{A.}}_2,{\mathrm{A.}}_3,{\mathrm{A.}}_{\mathrm{4th}}\right]}=\left(\begin{array}{c}{x}_1\\ y_1\end{array}\right),\overrightarrow{r_2\left[{\mathrm{A.}}_1,{\mathrm{A.}}_3,{\mathrm{A.}}_{\mathrm{4th}}\right]}=\left(\begin{array}{c}{x}_2\\ y_2\end{array}\right),$$

$$\overrightarrow{r_3\left[{\mathrm{A.}}_1,{\mathrm{A.}}_2,{\mathrm{A.}}_{\mathrm{4th}}\right]}=\left(\begin{array}{c}{x}_3\\ y_3\end{array}\right),\overrightarrow{r_{\mathrm{4th}}\left[{\mathrm{A.}}_1,{\mathrm{A.}}_2,{\mathrm{A.}}_3\right]}=\left(\begin{array}{c}{x}_{\mathrm{4th}}\\ y_{\mathrm{4th}}\end{array}\right).$$

die Positionsinformation, die ohne den i-ten Anker 16a-d berechnet wird, wobei umgekehrt die Anker 16a-d, die zur Bestimmung der jeweiligen Position 22 verwendet werden, in eckigen Klammern aufgeführt sind.Here referred to $\overrightarrow{r_l}$

the position information without the i-th anchor 16a-d is calculated, reversing the anchor 16a-d that are used to determine the respective position 22nd used are listed in square brackets.

These positions 22nd are correlated, as the influencing measured variables of the anchor 16a-d overlap each other. In an ideal localization system, the exact position should also result in each case 18th . However, this is not to be expected in a real localization system even if there are no errors due to measurement tolerances. By comparing the estimated positions 22nd together with their uncertainties, in order to detect errors, it is determined whether the measurements are outside the expected range.

In the example of the 3 the anchor points 16d an error in the form of a time offset of 1.5 ns. This anchor 16d is only in the one valued position 22nd left below unconsidered, so that here the exact position except for measuring tolerances 18th is hit. The three remaining estimated positions 22nd are systematically distorted. But that can only be judged with the eye, because the exact position is unknown 18th is shown with.

In order to quantify the deviation in an automatic error detection, the standard deviation is used 24 of the estimated positions 22nd formed, with the mean value to complete it 26th is pictured. The standard deviation 24 is greater, the greater the error in the anchor 16d and this is how the fault can be identified.

To illustrate this for different manifestations of the error, shows 4th the standard deviation on the Y-axis 24 depending on the error that occurs on the X-axis as in 2 varies from -5 ns to 5 ns. The standard deviation curve is twofold for each of the X and Y directions according to 3 shown with small vertical lines or circles. There is a very clearly pronounced minimum at 0 ns, ie an anchor that is working properly 16d . Note the logarithmic representation on the Y-axis. Thus, a threshold indicated by a dashed line can be used to distinguish whether the deviations between the estimated positions 22nd are within the expected range or an error must be assumed. The threshold is preferably expressed as a multiple of the standard deviation of the estimated positions 22nd of an error-free localization system, ie with a systematic offset of zero.

Instead of the presented statistical comparison based on the standard deviation 24 could be estimated positions 22nd can also be compared directly with each other, but that would be less robust. Other statistical methods such as correlation methods, stochastic networks and also approaches of machine learning including neural networks are also conceivable.

Diese Position wird dann verwendet, um die theoretisch zu erwartende Laufzeitunterschiede für jeden der Anker 16a-d zurückzurechnen. Diese theoretischen oder hypothetischen Laufzeitunterschiede werden dann mit den tatsächlich gemessenen Laufzeitunterschieden verglichen. 5 illustrates a further embodiment for fault detection in the localization system. In this embodiment, the position, possibly including the uncertainty, is initially determined in the best possible way with the four anchors available 16a-d estimated: $\overrightarrow{r\left[{\mathrm{A.}}_1,{\mathrm{A.}}_2,{\mathrm{A.}}_3,{\mathrm{A.}}_{\mathrm{4th}}\right]}=\left(\begin{array}{c}x\\ y\end{array}\right).$

This position is then used to calculate the theoretically expected maturity differences for each of the anchors 16a-d to calculate back. These theoretical or hypothetical runtime differences are then compared with the actually measured runtime differences.

The deviations between hypothetical and measured runtime differences are shown in 5 on the Y-axis for the various anchors 16a-d against a systematic error of an armature which again varies on the X-axis from -5 ns to 5 ns 16d applied. A threshold indicated by dashed lines can be used to determine when a deviation can no longer be ascribed to typical measurement inaccuracies, but rather an error is considered to be detected. A particularly suitable threshold is a multiple of the standard deviation of measurement differences in a localization system without errors.

The fault detection is less clear in this embodiment than in the previous embodiment with reference to FIG 2 until 4th presented embodiment. The computational effort is significantly lower for this. In this embodiment, too, instead of the explained concrete comparison with a threshold based on the standard deviation of the usual measurement errors, a direct comparison or another statistical method or a method of machine learning would be conceivable. to distinguish differences due to measurement uncertainties and errors.

The two embodiments were each described for a single measurement, in the anchor 16a-d only one measured variable is determined, for example an arrival time. Even more robust error detection can be achieved by repeating measurements several times. As a result, the standard deviations in particular become more reliable and random fluctuations in the measurement uncertainties have less of an effect. This improves the availability of the localization system, while relevant errors continue to be reliably detected.

Since the error detection is based on the information that is required to determine the position, all types of errors can be detected, for example random hardware errors, systematic errors or even temporary failures. This achieves a high degree of diagnosis ("diagnostic coverage") in terms of functional safety.

The error detection method was described using a localization system as an example. However, the application is not limited to this. Error detection works in the same way for sensor systems and measurement principles that require n information sources and at least n + 1 such information sources are available.

QUOTES INCLUDED IN THE DESCRIPTION

This list of the documents listed by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Non-patent literature cited

• ISO 13849 [0002, 0008]

Claims (10)

Method for fault detection in a safe sensor system (12, 14, 16a-d), in which a measured variable is recorded by means of a multiplicity of n information sources (16a-d) and a target variable is determined from the measured variables, the sensor system (12, 14 , 16a-d) is over-determined in the sense that the target variable can also be determined with fewer than n information sources (16a-d) and where the error detection establishes that at least one of the information sources (16a-d) generates an incorrect measured variable, characterized in that, in order to detect errors, the target variable is determined several times from different combinations of less than n information sources (16a-d) and an excessive deviation of the target variables determined several times from one another is recognized as an error of at least one information source (16a-d) and / or from the target variable, it is calculated back which measured variable would have generated an error-free functioning information source (16a-d), and this with de The measured variable actually generated is compared. Procedure according to Claim 1 , the target variable being determined from the measured variables of n-1 information sources (16a-d), in particular from all combinations of n-1 information sources (16a-d). Procedure according to Claim 1 or 2 , wherein a standard deviation (24) of the target variable determined several times is determined and evaluated with a threshold, the threshold in particular being defined as a multiple of a standard deviation (24) of an error-free sensor system (12, 14, 16a-d). Method according to one of the preceding claims, wherein the target variable, from which the measured variables of an error-free functioning information source (16a-d) are calculated back, is determined from all information sources (16a-d). Method according to one of the preceding claims, wherein the difference between a recalculated measured variable of an error-free functioning information source (16a-d) and a measured variable actually generated by the information source (16a-d) is evaluated with a threshold, the threshold in particular as a multiple of the standard deviation of the Measured variable with an error-free information source (16a-d) is specified. Method according to one of the preceding claims, wherein repeated measurements with determination of the measured variables are carried out and these are jointly evaluated statistically. Method according to one of the preceding claims, wherein the sensor system (12, 14, 16a-d) is a safety-related localization system, in particular for a vehicle (10), and the target variable is a kinematic variable. Procedure according to Claim 7 , wherein the sensor system (12, 14, 16a-d) is a UWB, RFID, ultrasound or WiFi system and the kinematic variable is determined on the basis of signal transit times, signal transit time differences and / or reception angles. Method according to one of the preceding claims, wherein the sensor system (12, 14, 16a-d) has at least one moving receiver (12) and a transmitter (16a-d) generating a localization signal as information sources or, conversely, a moving tag generates a localization signal that is received from information sources (16a-d). Safe sensor system (12, 14, 16a-d) with a large number of information sources (16a-d) and a control and evaluation unit (14) which are used for determining a target variable from measured variables of the information sources (16a-d) and for a method is designed for fault detection according to one of the preceding claims.

Images