Industrial robots often have powerful actuators that move large and heavy objects, and are controlled under feedback from sensor measurements (e.g., from encoders, position sensors, or torque sensors). If the sensors fail, the robot is out of control, which can result in fast and dangerous robot movements. Accordingly, it is important to detect any sensor failure in order to initiate proper fail-safe procedures and, if necessary, robot shutdown.
Sensors can fail in a variety of different ways, some of which (such as out-of-range sensor values) are relatively easy to detect, whereas others (such as sensor values that are plausible, but wrong) are more difficult to spot. To date, two main approaches have been taken to detect potential sensor errors: monitoring for implausible sensor values (which are usually erroneous), and redundant sensing. The first approach utilizes a monitoring system for the sensor states that identifies certain sensor failure conditions, such as sensor values that fall outside an expected range, rates of change of sensor values that are physically impossible or highly unlikely, or loss and/or corruption of sensor data. If any of these conditions is observed, the system initiates fail-safe procedures. This approach is inherently limited in that it protects against only a finite number of specific failure modes; if these modes do not cover all possible failure conditions (which they rarely will in practice), some types of sensor failures may go unnoticed. For example, checking for out-of-range values does not help to identify in-range (and, thus, plausible), yet incorrect sensor values.
In the second approach, the sensors and their corresponding processing circuits are replicated; typically, two or more sensors for each measured quantity are provided. The outputs of the multiple sensors are compared to one another, and if they do not agree within certain tolerances, a sensor-failure flag is raised. This flag can be used to initiate fail-safe procedures. Sensor duplication does not necessarily involve having two or more identical sensors measuring the same physical quantity, but may encompass arrangements where multiple different sensors measure the same quantity through different means. Although it does not target specific sensor-failure modes, the redundant sensing approach has various limitations as well. First, it adds cost and complexity to the system by duplicating sensors and the associated processing hardware and software. Second, for various practical reasons, such as physical design constraints or lack of space, it may be impossible or inconvenient to add redundant sensors. Third, it may be practically difficult to assure true independence of the redundant sensors, i.e., certain failure conditions may affect the redundant sensors in the same manner, thus obscuring incorrect readings. The redundant sensors may be subject to the same error not because they are all faulty, but rather because the manifestation of the quantity that is being measured is compromised. For example, redundant parallel position sensors may all measure deflection in a spring to determine the spring's compression force. If the material properties of the spring change, e.g., due to excessive yielding or hardening, all sensors will give equal, but erroneous force measurements.
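The two conventional approaches described above, and the spring case in which both stay silent, as an added example that is not part of the original text. All thresholds, stiffness values, function names and samples are constructed assumptions.

```python
# Added illustration: thresholds, stiffness values and samples are constructed assumptions.
import math

FORCE_RANGE = (0.0, 500.0)  # assumed valid force range, N
MAX_RATE = 5000.0           # assumed largest physically possible rate of change, N/s
TOLERANCE = 5.0             # assumed agreement tolerance between redundant sensors, N
DT = 0.01                   # assumed sample period, s
K_CAL = 10000.0             # spring stiffness the sensors were calibrated with, N/m
K_ACTUAL = 7000.0           # stiffness after the spring has yielded, N/m


def plausibility_faults(samples, dt=DT):
    """Approach 1: flag lost/corrupt data, out-of-range values, impossible rates."""
    faults, prev = [], None
    for i, v in enumerate(samples):
        if v is None or math.isnan(v):
            faults.append((i, "data_loss"))
            prev = None  # no valid reference for the next rate check
        elif not FORCE_RANGE[0] <= v <= FORCE_RANGE[1]:
            faults.append((i, "out_of_range"))
            prev = None
        else:
            if prev is not None and abs(v - prev) / dt > MAX_RATE:
                faults.append((i, "rate"))
            prev = v
    return faults


def redundancy_faults(a, b, tol=TOLERANCE):
    """Approach 2: indices where two redundant sensors disagree beyond tolerance."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if abs(x - y) > tol]


def common_mode_case():
    """Two position sensors read the same spring deflection; force = k * deflection."""
    deflections = [0.010, 0.012, 0.014, 0.016]            # m, constructed
    sensor_a = [K_CAL * d for d in deflections]           # reported force, N
    sensor_b = [K_CAL * (d + 1e-5) for d in deflections]  # second sensor, small offset
    actual = [K_ACTUAL * d for d in deflections]          # real force, N
    worst = max(abs(r - t) for r, t in zip(sensor_a, actual))
    return plausibility_faults(sensor_a), redundancy_faults(sensor_a, sensor_b), worst


if __name__ == "__main__":
    print(plausibility_faults([100.0, 600.0, None, 100.0, 300.0]))
    print(common_mode_case())  # no faults raised, yet the force is off by about 48 N
```

Both checks catch the failure modes they were written for, but the yielded spring produces readings that are in range, change at a plausible rate, and agree across sensors while being wrong by far more than the agreement tolerance.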
Accordingly, there is a need for an alternative approach to detect sensor failures that has low rates of false positives (detection of sensor failures where the sensor readings are, in fact, correct) and false negatives (occurrence of sensor failures that are not detected), and avoids or mitigates the cost associated with sensor redundancy.