High integrity sensing systems must provide “trusted” data, with an extremely low probability of the data being erroneous and/or misleading. To ensure that inaccurate data is properly identified and that only tested and verified data is presented to the data user as “trusted” data, multiple independent data measurements are made. The measurements are compared to each other by data comparison and voting routines. A minimum of three independent data sources are often used since comparing two sources can expose a problem, but it is often not possible to determine which one is correct. For most systems, three independent sources is sufficient to both detect and isolate any single offender, so that normal operation can continue as long as the exposure time for a second failure is less than 1/(failure rate).
Two approaches are commonly used. The first approach is middle or median value selection. Median value selection, in its simplest implementation, selects the middle value of the three values, and uses it as the selected output. If the input data is noisy, the output can step between the various input channels because the output will always be the middle value for each set of the three readings. This results in a smooth output as long as the offset difference between the various input channels is small, and the amplitude of any noise on the individual channels is small and cyclic. However, this can result in step changes (toggling) of the output if there is significant offset between the 3 input channels and cyclic noise is present.
Toggling can be overcome in more complex implementations by generating error signals for each input based on the difference from the last valid middle value. These error signals are then used to correct the following input signals to force convergence of the 3 channels around the middle value. The correction signals are also magnitude checked to detect excessive input errors, and they are limited to and accumulated for the signal convergence routine. In a stable environment, all input channels will eventually converge to the value of the middle input, independent of any influence of the other two channels.
This median value selection technique requires complex data processing and, in a stable environment, results in the same output as the simple implementation. However, in a less stable environment, and/or in the presence of an input channel failure, this technique results in an output value that transitions smoothly when the middle value changes to a new value from the same input channel, or a different input channel with a different value.
The second approach is a limit test and average approach. The limit test and average approach performs a comparison of the three inputs A, B, and C. It compares the difference between A and B; A and C; and B and C to a specified limit. If the difference between the inputs is less than the specified limit, then the limit test is in a condition to pass. If all three limit tests pass, the three inputs are averaged together to provide an output value. If two of the three limit tests fail, the failures can be isolated to the channel common to the two limit tests. But, if only one limit test fails, additional comparison testing is required to determine the failed channel. This is because the normal difference between the high and low channels is always greater than the difference between the high and middle channels, and low and middle channels. This normal difference is not accommodated by this simple three way comparison technique. To address this issue, a higher failure threshold could be used for any single comparison test failure for the single failure case. However, this requires additional test logic and added complexity. All input data that passes the threshold test are used to produce an average output.