Safety Mechanism for Sensors and Actuators
In this post, we will learn about Safety Mechanisms used in Sensors and Actuators. The Safety Mechanisms described in this post are based on ISO 26262-5:2018 Annex D.
D.2.8.1 Sensor valid range
The Sensor Valid Range technique is a safety mechanism used in embedded systems, particularly in automotive applications, to detect electrical problems with sensors such as shorts to ground, shorts to power, and open circuits. By defining a valid range within the sensor’s electrical output, the system can identify readings that fall outside this range as potential issues, ensuring that only reliable data is processed by the system.
Aim
- Detecting shorts to ground, shorts to power, and some open circuits of the sensor: early detection of these electrical faults keeps the system from acting on an electrically impossible reading.
Description
- Limiting the valid range:
- Using the middle part: Only the middle part of the sensor's electrical output range is treated as valid. The bands next to the supply rails are deliberately left unused by the sensor, so a reading that lands there can be attributed to an electrical fault rather than to an extreme but legitimate measurand.
- Detecting values outside the valid range:
- Short to power or ground: If the sensor output is shorted to power or ground, the output value will fall outside the valid range.
- Open Circuit Detection: Abnormal outputs due to open circuits in the sensor can also be out of range.
- Fault Condition Indication:
- Abnormal Condition Detection: If the sensor output is out of range, this indicates an electrical problem with the sensor, and the system detects this and takes action.
How It Works
1. Defining the sensor valid range:
- The middle portion of each sensor's electrical output range (with a margin for ADC and component tolerance) is defined as the valid range; the bands next to the rails are reserved for fault detection.
2. Monitoring sensor output:
- Continuously sample the sensor output and determine whether the value is within the valid range.
3. Abnormal condition detection:
- If the sensor output is out of the valid range, it is treated as an electrical fault such as a short to power, a short to ground, or an open circuit. An open circuit is only detectable this way if the input is biased (pull-up or pull-down) so that a disconnected wire settles outside the valid range.
4. Fault detection and response:
- Fault detection: when an abnormal condition is detected (typically after a debounce period that filters transients), the system reports it as an error and issues a warning.
- Take protective action: the system takes protective action for the detected error to prevent further damage.
5. Isolation and recovery:
- If necessary, the system isolates the faulty sensor, for example by substituting a safe default or a redundant value, to maintain the integrity of the system.
6. Integration with the ADC (Analog-to-Digital Converter): the mechanism is mainly used with sensors that are read via an ADC of an ECU (Electronic Control Unit).
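The range check above, written out as an added example in C (this is not code from the standard or from the original post). It assumes a hypothetical sensor with a 0.5 V..4.5 V output read by a 12-bit ADC referenced to 5 V, a 250 mV tolerance margin and a three-sample debounce; all of these values are assumptions that would come from the sensor datasheet and the ECU's tolerance analysis:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from ISO 26262 or the original post. A sensor
 * with a ratiometric 0.5 V..4.5 V output (hypothetical datasheet figures) is
 * read through a 12-bit ADC referenced to 5 V. The sensor's own span is the
 * "middle part" of the ADC range; the bands next to the rails are reserved
 * for fault detection. An open circuit is only detectable this way if the
 * ADC input is biased with a pull-up or pull-down so a disconnected wire
 * also lands in one of those bands. */

#define ADC_FULL_SCALE   4095u
#define ADC_VREF_MV      5000u
#define SENSOR_MIN_MV     500u   /* nominal output at minimum measurand */
#define SENSOR_MAX_MV    4500u   /* nominal output at maximum measurand */
#define RANGE_MARGIN_MV   250u   /* ADC + component tolerance budget    */
#define FAULT_DEBOUNCE      3u   /* consecutive bad samples before fault */

typedef enum {
    SENSOR_OK = 0,
    SENSOR_SHORT_TO_GROUND,   /* pinned near 0 V (or open + pull-down) */
    SENSOR_SHORT_TO_POWER     /* pinned near VREF (or open + pull-up)  */
} sensor_status_t;

typedef struct {
    uint8_t  low_count;       /* consecutive samples below the window */
    uint8_t  high_count;      /* consecutive samples above the window */
    sensor_status_t status;   /* latched once debounced               */
    uint16_t last_valid_mv;   /* substituted while the reading is bad */
} sensor_monitor_t;

static uint16_t adc_to_mv(uint16_t counts)
{
    if (counts > ADC_FULL_SCALE) counts = ADC_FULL_SCALE;
    return (uint16_t)(((uint32_t)counts * ADC_VREF_MV) / ADC_FULL_SCALE);
}

/* Feed one ADC sample. Returns the debounced, latched status and writes the
 * value downstream logic should use: the reading if it is inside the valid
 * window, otherwise the last good value (never the rail voltage). */
static sensor_status_t sensor_monitor_update(sensor_monitor_t *m,
                                             uint16_t counts, uint16_t *use_mv)
{
    const uint16_t lo = SENSOR_MIN_MV - RANGE_MARGIN_MV;   /*  250 mV */
    const uint16_t hi = SENSOR_MAX_MV + RANGE_MARGIN_MV;   /* 4750 mV */
    const uint16_t mv = adc_to_mv(counts);

    if (mv < lo) {
        m->high_count = 0;
        if (m->low_count < FAULT_DEBOUNCE) m->low_count++;
        if (m->low_count >= FAULT_DEBOUNCE) m->status = SENSOR_SHORT_TO_GROUND;
    } else if (mv > hi) {
        m->low_count = 0;
        if (m->high_count < FAULT_DEBOUNCE) m->high_count++;
        if (m->high_count >= FAULT_DEBOUNCE) m->status = SENSOR_SHORT_TO_POWER;
    } else {
        m->low_count = m->high_count = 0;
        m->last_valid_mv = mv;
    }
    if (use_mv) *use_mv = (mv >= lo && mv <= hi) ? mv : m->last_valid_mv;
    return m->status;
}

/* Run a fresh monitor over a constructed sample sequence; returns the final
 * status and, optionally, the last value handed downstream. */
static sensor_status_t classify_sequence(const uint16_t *samples, size_t n,
                                         uint16_t *last_use_mv)
{
    sensor_monitor_t m = {0};
    uint16_t use_mv = 0;
    for (size_t i = 0; i < n; i++)
        sensor_monitor_update(&m, samples[i], &use_mv);
    if (last_use_mv) *last_use_mv = use_mv;
    return m.status;
}

int main(void)
{
    /* Constructed ADC traces: healthy, wire shorted to ground, shorted to 5 V */
    static const uint16_t healthy[] = { 2048, 2050, 2047 };
    static const uint16_t to_gnd[]  = { 2048, 10, 12, 9 };
    static const uint16_t to_pwr[]  = { 2048, 4095, 4095, 4095 };
    uint16_t mv;
    printf("healthy : %d (%u mV)\n", classify_sequence(healthy, 3, &mv), mv);
    printf("to gnd  : %d (%u mV)\n", classify_sequence(to_gnd, 4, &mv), mv);
    printf("to power: %d (%u mV)\n", classify_sequence(to_pwr, 4, &mv), mv);
    return 0;
}
```

The `classify_sequence` helper runs a fresh monitor over a constructed ADC trace, which is how the three scenarios in `main` are produced. Two details matter in practice: the fault band between the sensor's span and the rails must be wider than the combined ADC and component tolerance, and an open circuit only lands in a fault band if the input is biased with a pull-up or pull-down.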
Example
Example 1: Monitoring the valid range of an automotive engine temperature sensor
- Configuration: Establish a valid range for the engine temperature sensor so that electrically implausible readings are rejected.
- Operation principle:
- Monitors the electrical output range of the engine temperature sensor to determine if it is within the mid-range.
- If the sensor output is out of the valid range, it indicates an electrical fault, and the system issues a warning and takes engine protection measures as needed.
- Advantages:
- Improves engine safety and reliability, and prevents malfunctions caused by electrical faults in the sensor.
Example 2: Application of the valid range of industrial pressure sensors
- Configuration: Set the valid range of the pressure sensor in an industrial control system so that electrically implausible readings are rejected.
- Operating principle:
- Monitors the electrical output range of the pressure sensor to ensure that it is within the valid range.
- If the sensor output is out of the valid range, the system issues a warning and stops the process as needed.
- Advantages:
- Improves the reliability of industrial control systems, and prevents accidents caused by sensor faults.
Limitations and challenges
1. Limitations of the sensor
- Accuracy of the sensor: The accuracy and response time of the sensor can directly affect the system’s ability to detect errors.
2. Increased design complexity
- Complex signal processing: Implementing a system that monitors and manages the outputs of various sensors can be complex.
3. Performance overhead
- Additional computational requirements: Monitoring sensor outputs can result in performance overhead, which should be minimized through optimization.
D.2.8.2 Sensor correlation
Sensor Correlation is a safety mechanism used in embedded systems to detect in-range sensor drifts, offsets, or other errors using redundant sensors. By comparing two identical or similar sensors, this technique can identify discrepancies between the sensors that may indicate potential failures. This method is particularly useful in detecting subtle errors that occur within the expected range of sensor readings, which might not be immediately obvious without redundancy.
Aim
- Detecting in-range sensor drift, offset, or other errors: This method is used to detect situations where a sensor appears to be reporting correct values but may actually be reporting errors.
Description
- Sensor comparison:
- Using identical or similar sensors: Using two identical or similar sensors to detect in-range faults such as drift, offset, or stuck-at failures.
- Use two sensors with opposite slopes: Compare two sensors whose transfer functions have the same magnitude of slope but opposite sign (one output rises with the measurand while the other falls).
- Out-of-range area:
- Out-of-range area for each sensor: Because the slopes are opposite, the same electrical disturbance (for example a short to power) lands in a different part of each sensor's range, so a common-mode electrical fault shows up as a mismatch rather than as two consistent readings.
- Integration with ECU and ADC: Mainly used with sensors that are read by the ECU (Electronic Control Unit) via an ADC.
- Detection Mechanism:
- Common-slope comparison: Each sensor output is converted to a common scale (the same slope, typically the physical quantity itself) and the two converted values are compared to check that they match within a tolerance.
- Threshold Setting: The threshold is set considering the ADC tolerance and the variation of the electrical components.
- Simultaneous Sampling: The ECU samples both sensors as simultaneously as possible to avoid errors due to dynamic changes in the sensors.
- Limitations:
- Failure to detect a short between the sensors: If the two sensor lines are shorted together they settle at one common voltage; where that voltage lies at the intersection of the two transfer functions, both convert to the same value and the readings still correlate, so the fault is not detected.
- Failure to detect common cause faults: Does not detect common cause faults where a single component, such as an ADC, similarly corrupts the two sensor results.
- Alternative Design:
- Alternative Design (Using One Full and One Half-Slope Sensor): Using one full-slope and one half-slope sensor (see Figure D.6) provides additional fault detection; the two transfer functions then intersect only at one end of the range, so a short between the two sensor lines is detectable over the rest of it.
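The comparison, the tolerance budget and the shorted-together limitation described above, as an added example in C (not code from the standard or the original post). The sensor transfer functions, the ADC resolution and the tolerance figures are assumptions:

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from ISO 26262 or the original post. Two position
 * sensors on one shaft are read through a 12-bit ADC (0..5 V). Sensor A's
 * output rises with position x in [0,1], sensor B's falls: the hypothetical
 * transfer functions are V_A = 0.5 + 4.0*x and V_B = 4.5 - 4.0*x. Each ADC
 * reading is mapped back to x (a common slope) before comparison. */

#define ADC_MAX 4095

typedef struct {
    double offset_v;   /* output at x = 0 */
    double slope_v;    /* volts per unit x; negative for a falling sensor */
} sensor_tf_t;

static const sensor_tf_t SENSOR_A      = { 0.5,  4.0 };
static const sensor_tf_t SENSOR_B      = { 4.5, -4.0 };
/* Annex D alternative (Figure D.6): second sensor at half slope, same offset */
static const sensor_tf_t SENSOR_B_HALF = { 0.5,  2.0 };

static double counts_to_v(uint16_t counts) { return counts * 5.0 / ADC_MAX; }

/* ADC counts -> position x by inverting the sensor's transfer function */
static double position_from(const sensor_tf_t *tf, uint16_t counts)
{
    return (counts_to_v(counts) - tf->offset_v) / tf->slope_v;
}

/* Inverse helper used only to build constructed inputs: x -> ADC counts */
static uint16_t counts_for(const sensor_tf_t *tf, double x)
{
    return (uint16_t)((tf->offset_v + tf->slope_v * x) / 5.0 * ADC_MAX + 0.5);
}

/* Tolerance budget in units of x, assumed figures: 1 LSB per ADC channel,
 * 1 % of span per sensor for component variation, 0.5 % for the two samples
 * not being taken at exactly the same instant. */
#define ADC_LSB_X       (5.0 / ADC_MAX / 4.0)
#define COMPONENT_TOL_X 0.01
#define TIMING_TOL_X    0.005
#define CORR_TOL_X      (2.0 * ADC_LSB_X + 2.0 * COMPONENT_TOL_X + TIMING_TOL_X)

typedef enum { CORR_OK = 0, CORR_MISMATCH } corr_result_t;

/* Compare two simultaneously sampled readings after converting both to x.
 * On success the averaged position is returned through position_out. */
static corr_result_t correlate(const sensor_tf_t *a, uint16_t counts_a,
                               const sensor_tf_t *b, uint16_t counts_b,
                               double *position_out)
{
    const double xa = position_from(a, counts_a);
    const double xb = position_from(b, counts_b);
    if (fabs(xa - xb) > CORR_TOL_X)
        return CORR_MISMATCH;
    if (position_out) *position_out = 0.5 * (xa + xb);
    return CORR_OK;
}

int main(void)
{
    /* 1. healthy sensors at x = 0.3 */
    printf("healthy         : %d\n",
           correlate(&SENSOR_A, counts_for(&SENSOR_A, 0.3),
                     &SENSOR_B, counts_for(&SENSOR_B, 0.3), NULL));
    /* 2. sensor A drifted by +0.2 V (164 counts) while B is correct */
    printf("A drifted +0.2V : %d\n",
           correlate(&SENSOR_A, counts_for(&SENSOR_A, 0.3) + 164,
                     &SENSOR_B, counts_for(&SENSOR_B, 0.3), NULL));
    /* 3. the two sensor lines shorted together and sitting at 2.5 V: with
     *    opposite slopes this is the intersection of the two transfer
     *    functions, so both map to x = 0.5 and the fault is NOT detected */
    printf("shorted together: %d\n",
           correlate(&SENSOR_A, 2048, &SENSOR_B, 2048, NULL));
    /* 4. same short with the half-slope alternative: A -> 0.5, B -> 1.0 */
    printf("shorted, half   : %d\n",
           correlate(&SENSOR_A, 2048, &SENSOR_B_HALF, 2048, NULL));
    return 0;
}
```

With opposite slopes the short is missed only when the common voltage sits at the intersection (2.5 V here); at any other voltage the two conversions diverge and the mismatch is caught. The half-slope alternative moves that intersection to x = 0, so the same short produces an obvious mismatch over the operating range.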
Example
Example 1: Correlation of Automotive Temperature Sensors
- Configuration: Use two temperature sensors of the same type on an automotive engine, wired so that their outputs have opposite slopes, to detect in-range faults.
- Operating Principle:
- The ECU samples both sensors as simultaneously as possible.
- The converted sensor outputs are compared to see if they match within an acceptable threshold.
- If they do not match, the system assumes a sensor fault and issues a warning.
- Advantages:
- Increases the reliability of engine temperature monitoring and prevents damage due to in-range faults.
Example 2: Industrial Pressure Sensor Correlation
- Configuration: Detect drift and offset errors using two similar pressure sensors in an industrial control system.
- Operational Principle:
- The two sensors have different slopes, and the ECU samples them simultaneously.
- Checks if the sensor outputs match within an acceptable threshold.
- If they do not match, the system issues an alert and stops the process as needed.
- Advantages:
- Increases the reliability of industrial control systems and prevents accidents due to sensor failures.
Limitations and Challenges
1. Correlation Errors Between Sensors
- Failure to Detect Common Cause Faults: A fault in a single shared component, such as the ADC, that corrupts both sensor outputs in the same way is not detected, because the two readings still agree with each other.
2. Increased Design Complexity
- Complex Correlation Setup: Implementing a system that monitors and manages correlations across multiple sensors can be complex.
3. Performance Overhead
- Additional Computational Requirements: Performance overhead may occur due to sensor correlation monitoring, which should be minimized through optimization.
D.2.8.3 Sensor rationality check
The Sensor Rationality Check is a safety mechanism used to detect sensor errors such as drifts, offsets, or stuck-at failures using multiple diverse sensors. By comparing sensors that measure different properties but can be correlated to a common reference, this technique enhances the system’s ability to identify subtle, in-range sensor errors. This method leverages the diversity of sensor types to reduce the risk of systematic faults affecting the readings in the same way, thereby improving the reliability and safety of the system.
Aim
- Detecting in-range drift, offset, or other errors: Using diverse sensors to detect in-range errors that a single sensor cannot reveal, increasing the reliability of the system.
Description
- Compare diverse sensors:
- Use sensors that measure different properties: Using two or more diverse sensors to measure different physical properties and compare them by transforming these properties to a common reference.
- Sensor Measurement Conversion: Converts the measurements from each sensor to an equivalent value using a model. This allows direct comparisons between different sensors.
- Sensor Error Detection:
- In-range Errors: Detects in-range errors such as drift, offset, or stuck-at failures.
- Reduce Systematic Failures: Reduces the impact of systematic failures by using a variety of sensors.
- Examples:
- Compare Gasoline Engine Sensors: Converts throttle position, manifold pressure, and mass airflow sensors to airflow values and compares them. This allows for cross-consistency between sensors.
Examples
Example 1: Sensor Rationality Check for Gasoline Engines
- Configuration: Compares airflow values using throttle position, manifold pressure, and mass airflow sensors in a gasoline engine.
- Operation Principle:
- Each sensor measures a different physical property that affects airflow.
- Each property is converted to an airflow value, and the converted values are compared to each other.
- If the converted values disagree by more than the model tolerance, or one of them falls outside the expected range, the system treats it as a sensor error and issues a warning.
- Advantages:
- Increases the reliability of engine sensors and prevents damage due to sensor errors within the range.
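The three-way airflow comparison from Example 1, as an added example in C (not code from the standard or the original post). The speed-density model, the throttle calibration table, the engine parameters and the 15 % tolerance are all constructed for illustration, and the block goes one step beyond the text by using 2-out-of-3 voting to name the sensor that disagrees with the other two:

```c
#include <math.h>
#include <stdio.h>

/* Added example, not code from ISO 26262 or the original post. Three
 * estimates of engine airflow in g/s are formed from diverse sensors and
 * cross-checked; the physical model, the calibration table and all numbers
 * are constructed for illustration. On top of the plain mismatch check in
 * the text, the block uses 2-out-of-3 voting to name the odd sensor. */

/* Estimate 1: speed-density from manifold pressure (MAP), engine speed and
 * intake air temperature. Assumed 2.0 L four-stroke engine, 85 % volumetric
 * efficiency, R_air = 287 J/(kg K). */
static double airflow_from_map(double map_kpa, double rpm, double iat_k)
{
    const double displacement_m3 = 0.002, vol_eff = 0.85, r_air = 287.0;
    const double intakes_per_s = rpm / 120.0;   /* full displacements per second */
    const double kg_per_s = map_kpa * 1000.0 * displacement_m3 * vol_eff
                            * intakes_per_s / (r_air * iat_k);
    return kg_per_s * 1000.0;
}

/* Estimate 2: throttle position via a constructed calibration table
 * (throttle % -> g/s at the reference speed used in main), linearly interpolated */
static double airflow_from_tps(double tps_pct)
{
    static const double tps[] = {  0.0, 10.0, 20.0, 30.0, 40.0, 60.0, 100.0 };
    static const double gps[] = {  5.0, 12.0, 20.0, 30.0, 42.0, 70.0, 110.0 };
    const int n = (int)(sizeof tps / sizeof tps[0]);
    if (tps_pct <= tps[0]) return gps[0];
    for (int i = 1; i < n; i++) {
        if (tps_pct <= tps[i]) {
            const double f = (tps_pct - tps[i - 1]) / (tps[i] - tps[i - 1]);
            return gps[i - 1] + f * (gps[i] - gps[i - 1]);
        }
    }
    return gps[n - 1];
}

/* Estimate 3 is the mass airflow (MAF) sensor reading itself. */

typedef enum {
    RATIONAL_OK = 0,
    SUSPECT_MAF,            /* MAF disagrees with the other two, which agree */
    SUSPECT_MAP,
    SUSPECT_TPS,
    RATIONAL_INCONSISTENT   /* no majority: two faults or a model problem    */
} rationality_t;

/* Two estimates agree when they differ by less than the model tolerance */
static int agrees(double a, double b)
{
    const double rel_tol = 0.15;   /* assumed model + sensor uncertainty */
    const double larger = a > b ? a : b;
    return fabs(a - b) <= rel_tol * larger;
}

static rationality_t rationality_check(double maf_gps, double map_kpa,
                                       double tps_pct, double rpm, double iat_k)
{
    const double maf = maf_gps;
    const double map = airflow_from_map(map_kpa, rpm, iat_k);
    const double tps = airflow_from_tps(tps_pct);
    const int maf_map = agrees(maf, map), maf_tps = agrees(maf, tps),
              map_tps = agrees(map, tps);
    if (maf_map && maf_tps && map_tps) return RATIONAL_OK;
    if (map_tps && !maf_map && !maf_tps) return SUSPECT_MAF;
    if (maf_tps && !maf_map && !map_tps) return SUSPECT_MAP;
    if (maf_map && !maf_tps && !map_tps) return SUSPECT_TPS;
    return RATIONAL_INCONSISTENT;
}

int main(void)
{
    const double rpm = 3000.0, iat_k = 300.0;   /* reference operating point */
    printf("healthy       : %d\n", rationality_check(29.5, 60.0, 29.5, rpm, iat_k));
    printf("MAF stuck low : %d\n", rationality_check(10.0, 60.0, 29.5, rpm, iat_k));
    printf("MAP offset    : %d\n", rationality_check(29.5, 90.0, 29.5, rpm, iat_k));
    printf("TPS drifted   : %d\n", rationality_check(29.5, 60.0, 60.0, rpm, iat_k));
    printf("two faults    : %d\n", rationality_check(10.0, 90.0, 29.5, rpm, iat_k));
    return 0;
}
```

With only two estimates a mismatch can be detected but not attributed; the third, diverse source is what makes isolation possible. The `RATIONAL_INCONSISTENT` result covers the case where no pair agrees, which is where a practitioner should suspect the model or a double fault rather than a single sensor.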
Example 2: Sensor Rationality Check in Industrial Processes
- Configuration: In an industrial automation system, temperature, pressure, and flow sensors are used to compare different measurements.
- Operation Principle:
- Temperature, pressure, and flow sensors each measure a different physical property, and these measurements are converted through a model that correlates them.
- Checks the consistency by comparing whether the converted values are within the expected range.
- If there is a mismatch, the system issues a warning and stops the process if necessary.
- Advantages:
- Increases the reliability of industrial automation systems and prevents accidents due to sensor failure.
Limitations and Challenges
1. Model Accuracy
- Model Accuracy: The accuracy of the model that converts the sensor measurements can directly affect the system’s ability to detect errors.
2. Increased design complexity
- Complex cross-comparison setup: The implementation of a system that compares and manages various sensors can be complex.
3. Performance overhead
- Additional computational requirements: Performance overhead may occur due to sensor rationality checks, and should be minimized through optimization.
D.2.9.1 Monitoring
The Monitoring technique is a critical safety measure used to detect the incorrect operation of actuators in embedded systems. Actuators are devices that convert electrical signals into physical actions, and their proper functioning is essential for system reliability. Monitoring involves observing the actuator’s behavior at both the physical parameter level and the system level to identify any deviations from expected performance. This approach allows for early detection of actuator failures, enabling timely corrective actions to maintain system safety and efficiency.
Aim
- Detect incorrect actuator behavior: Increases system stability and reliability by early detection of actuator behavior that deviates from expected performance.
Description
- Monitoring actuators:
- Measuring physical parameters: Measure physical parameters at the actuator level to enable high coverage monitoring. For example, measuring voltages, currents, etc.
- System-level monitoring: The effects of actuator failure can be monitored at the system level to indirectly detect failures.
- Example 1: Cooling radiator fan:
- System-level monitoring: Use a temperature sensor to detect a failure of the cooling radiator fan.
- Measure physical parameters: Measure voltage, current, or both at the input of the cooling radiator fan to detect a failure.
- Example 2: Throttle blade control:
- Use feedback control: Use feedback control to move the throttle blade to the desired position.
- Position comparison: Compare the actual throttle position with the commanded position and with the position expected from a performance model of the actuator's response. If the values differ by more than the allowed tolerance (after accounting for hysteresis), an error can be declared.
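The throttle-blade check from Example 2, as an added example in C (not code from the standard or the original post). The first-order performance model, the 10 ms control period, the 8 % tolerance with 3 % hysteresis and the five-sample debounce are assumptions:

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from ISO 26262 or the original post. An
 * electronic throttle is position-controlled; the monitor compares the
 * measured blade position against a performance model (a first-order lag
 * with an assumed 50 ms time constant) rather than against the raw command,
 * so a legitimate transient is not mistaken for a fault. Tolerance,
 * hysteresis and debounce values are assumed. */

#define SAMPLE_DT_S   0.010   /* 10 ms control period              */
#define MODEL_TAU_S   0.050   /* expected mechanical time constant */
#define DEV_TOL_PCT   8.0     /* enter "deviating" above this      */
#define DEV_HYST_PCT  3.0     /* leave "deviating" below tol-hyst  */
#define FAULT_SAMPLES 5       /* deviating samples before latching */

typedef struct {
    double   expected_pct;   /* model state: where the blade should be */
    bool     deviating;      /* hysteresis state                       */
    unsigned deviating_cnt;  /* consecutive deviating samples          */
    bool     fault_latched;
} throttle_monitor_t;

static void throttle_monitor_init(throttle_monitor_t *m, double initial_pct)
{
    m->expected_pct = initial_pct;
    m->deviating = false;
    m->deviating_cnt = 0;
    m->fault_latched = false;
}

/* One step of a first-order lag from `state` toward `target` */
static double first_order_step(double state, double target, double tau_s)
{
    const double alpha = SAMPLE_DT_S / (tau_s + SAMPLE_DT_S);
    return state + alpha * (target - state);
}

/* Feed the commanded and measured position for this period. Returns true
 * once a fault is latched. Comparing against expected_pct (not commanded)
 * is what keeps a healthy step response from tripping the check. */
static bool throttle_monitor_update(throttle_monitor_t *m,
                                    double commanded_pct, double actual_pct)
{
    m->expected_pct = first_order_step(m->expected_pct, commanded_pct, MODEL_TAU_S);
    const double err = fabs(actual_pct - m->expected_pct);

    if (!m->deviating && err > DEV_TOL_PCT)
        m->deviating = true;
    else if (m->deviating && err < DEV_TOL_PCT - DEV_HYST_PCT)
        m->deviating = false;

    if (m->deviating) {
        if (++m->deviating_cnt >= FAULT_SAMPLES) m->fault_latched = true;
    } else {
        m->deviating_cnt = 0;
    }
    return m->fault_latched;
}

/* Constructed scenario: the command steps from 10 % to 80 %. The simulated
 * plant follows with its own time constant (plant_tau_s) unless it is stuck.
 * Returns whether the monitor latched a fault within `steps` periods. */
static bool simulate(double plant_tau_s, bool stuck, int steps)
{
    throttle_monitor_t mon;
    double actual = 10.0, commanded = 10.0;
    throttle_monitor_init(&mon, actual);
    for (int i = 0; i < steps; i++) {
        if (i == 5) commanded = 80.0;
        if (!stuck) actual = first_order_step(actual, commanded, plant_tau_s);
        if (throttle_monitor_update(&mon, commanded, actual)) return true;
    }
    return false;
}

int main(void)
{
    printf("plant matches model : fault=%d\n", simulate(0.050, false, 100));
    printf("plant 20%% slower    : fault=%d\n", simulate(0.060, false, 100));
    printf("sluggish plant      : fault=%d\n", simulate(0.150, false, 100));
    printf("blade stuck at 10%%  : fault=%d\n", simulate(0.060, true, 100));
    return 0;
}
```

Comparing against the commanded position alone would flag every step change, because the blade cannot follow the command instantly; comparing against the model's expected position catches both a stuck blade and one that moves much more slowly than its performance model, while a plant that is only slightly slower than the model stays within tolerance.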
Examples
Example 1: Automotive Cooling Radiator Fan Monitoring
- Configuration: Monitor the operation of the cooling radiator fan in an automotive vehicle to detect a failure of the fan.
- Operating Principle:
- Continuously measures the voltage and current of the fan to ensure that the physical parameters are within the normal range.
- Uses a temperature sensor to detect the expected temperature rise in case of fan failure.
- When an electrical abnormality or temperature rise of the fan is detected, the system issues a warning and checks the fan operation.
- Advantages:
- Increases the reliability of the cooling system and prevents engine overheating due to fan failure.
Example 2: Feedback Control of Industrial Robot Arms
- Configuration: Monitors the actuators of an industrial robot arm to ensure that it moves to the desired position.
- Operating Principle:
- The feedback control system of the robot arm compares the actual position of each joint with the commanded position.
- Analyzes the difference from the expected position to detect errors and adjusts the position if necessary.
- When a malfunction is detected, the system issues a warning and adjusts the operation of the robot arm.
- Advantages:
- Increases the reliability of the operation of the robot arm and minimizes errors that may occur during operation.
Limitations and Challenges
1. Sensor Limitations
- Sensor Accuracy: The accuracy and response time of the sensor can directly affect the system’s ability to detect errors.
2. Increased Design Complexity
- Complex Monitoring Setup: The implementation of a system that monitors and manages the operation of multiple actuators can be complex.
3. Performance Overhead
- Additional Computational Requirements: Performance overhead due to monitoring can occur, and optimizations are needed to minimize this.
If you are interested in other articles about the ISO 26262 series, please refer to the links below.
[ISO 26262] #1. Part4-6 Technical Safety Concept (TSC)
[ISO 26262] #2. Safety Mechanisms for Electrical and Electronic
[ISO 26262] #3. Safety Mechanism for Processing Unit
[ISO 26262] #4. Safety Mechanisms for IO units and Interfaces
[ISO 26262] #5. Safety Mechanisms for Communication Bus
[ISO 26262] #6. Safety Mechanisms for Power Supply
[ISO 26262] #7. Safety Mechanisms for Temporal monitoring and logical programme sequence monitoring