Design of a Fault Detection and Isolation System for Intelligent Vehicle Navigation System

This paper deals with the design of a fault detection and isolation (FDI) system for an intelligent vehicle, a vehicle equipped with advanced driver assistance system (ADAS). The ADASs are outfitted with sensors for acquiring various information about the vehicle and its surroundings. Since these sensors are sensitive to faults, an efficient FDI system should be developed. The designed FDI system is comprised of three parts: a detection part, a decision part, and a fault management part. The detection part applies a generalized observer scheme (GOS). In the GOS, there is bank of extended Kalman filters (EKFs), each excited by all except one sensor measurement. The residual generated from the measurement update of each EKF is therefore sensitive to all sensor faults but one. This way, the fault sensitivity pattern of the residual makes it possible to detect a fault and locate the faulty sensor. The designed FDI system has been implemented and tested off-line with actual experiment data. Good results have been obtained with diagnosing individual sensor faults and outputting fault-free vehicle states.


Introduction
Nowadays, the development of ADASs, which aids the driver by controlling the vehicle, is emphasized in the road transportation research.These automotive mechatronic systems are outfitted with sensors, such as radar, odometers, and accelerometers, for acquiring various information about the vehicle and its surroundings.Since these sensors are sensitive to faults, an efficient FDI system should be developed, such that based on the sensor measurements, sensor faults can be detected and isolated online, therefore ensuring the correct functionality of ADASs.
A sensor is called faulty if it displays a measurement that deviates significantly from the characteristic properties.This deviation could appear in several forms, namely, bias, drift, complete failure, and precision degradation.The FDI system contains a fault detection system, which is followed by a fault isolation system.The definition of the fault detection is to make a decision: whether some fault happens or not.The definition of the fault isolation is to determine exactly the location of the fault, for example, which sensor has become faulty.Because a reliable vehicle model can be constructed, the discussion of model-based FDI strategies will be emphasized.Additionally, regarding the sensor fault that might occur, the following assumptions can be made: (1) Only one fault can be present at the same time.
(2) All sensors can have partial and complete faults.
(3) Complete faults can be considered as an additive fault with fault size equal to the negative value of the real sensor signal.
(4) Usually faults are additive and transient (i.e., they disappear after a while).
Model-based FDI is the method to determine faults of a system from the comparison of available system measurements with a priori information represented by the system's mathematical model.The structure of model-based FDI can be seen in Figure 1, where the residual is a fault indicating signal and the decision making is to examine the residual for the likelihood of the faults [1].
Since the early 1970s, many approaches for model-based FDI have been developed and the available literature is very broad.Survey papers that give a comprehensive overview of the available methods for FDI are [2][3][4][5][6][7].During the 1990s the number of applications of model-based FDI especially increased rapidly.Applications to automotive control systems can be found in [8][9][10][11][12][13][14][15][16][17].Research into FDI for ADASs has principally been carried out by California PATH.Various publications treat the application of different FDI approaches and discuss experimental results.
In the following, the outline of the widely used modelbased FDI strategies is provided.The state observers [3,18] mainly include dedicated observers (deterministic system) and innovation based approach (stochastic system) for multioutput processes.
(1) Observer, excited by one output: from this output the other outputs can be reconstructed and compared with the corresponding measurements (single sensor fault detection).
(2) Single Kalman filter (KF) driven by all outputs: the change in the stochastic innovation indicating changes on the internal states of the process.
(3) Bank of observers, excited by all outputs: this is suitable if the faults inflict changes on the internal states of the process.
(4) Bank of observers, each excited by a different output (dedicated observer scheme, DOS): it can be used to diagnose a single sensor fault or multiple sensor faults.
(5) Bank of observers, each excited by all outputs except one (generalized observer scheme, GOS): this method improves the robustness of the FDI system but can only diagnose a single sensor fault.
The model-based FDI schemes have been successfully applied to the complex vehicle dynamics model and achieved the robustness to the model uncertainties.In [19], the dedicated observer is designed.The yaw rate and the lateral acceleration can be reconstructed and compared with the corresponding measurement from the gyroscope and the accelerometer.The method detects and isolates a single fault in one of these sensors accurately.Authors in [20] use a single KF driven by the full output vector and make use of the fact that the residual is white noise with zero mean when no fault occurs.The occurrence of a fault is monitored by statistical innovation tests of whiteness, mean, and covariance.The application of GOS can be found in [3], where a bank of observers or KFs is applied to construct a GOS.Each observer is driven by all inputs and all but one output to diagnose a sensor fault.Additionally, in the very recent work from [21][22][23], the EKF is used to calculate the measurement probability distribution of the intelligent vehicle position for nonlinear models driven by Gaussian noise.Using the probability distribution of innovation obtained from EKF, it is possible to test if the measured data are fit with the models.When the sensor faults happen, the models will not be valid and the innovation will not be Gaussian and white.
The main contributions of this work are that, unlike previous studies this work will emphasize on the following: in order to ensure the proper functioning of ADASs on an intelligent vehicle, a model-based FDI system is designed to diagnose a single sensor fault with the consideration of the system's disturbance and noise.The details of the contributions are to (1) improve residual generation using observer-based method, (2) increase the robustness of model-based FDI to disturbances and noises, (3) construct analytical redundancy to provide a reliable estimate for the faulty sensor signal, such that the ADAS performance can still be guaranteed.
The overview of the designed FDI system is shown in Figure 2.This paper is organised as follows.Section 2 describes the sensor measurements.In Section 3, vehicle state estimation strategy is provided.Section 4 deals with the fault detection and isolation system design.In Section 5, experimental results are shown.The conclusion and future work are discussed in Section 6.

Sensors Measurements Specification
The test vehicle is a Smart vehicle that is a small 2-door vehicle with an automatic gearbox.The Smart is rear wheel driven and the engine is placed in the middle of the vehicle.In this work, the Smart is equipped with necessary sensors, GPS and INS: accelerometer, odometer, and gyroscope.Interfacing of the sensors of the Smart is done using combination of a controller area network (CAN) and a laptop.Table 1 describes the variance, bias, and the drift of each sensor measurement, Two accelerometers have been used to record the lateral and longitudinal acceleration of the vehicle.The accelerometer signals have an update rate of 50 Hz and are biased.This bias is a low frequency signal in the accelerometer that is always present.The yaw rate measured from the gyroscope has the range of 100 degree/s and its bias is less than 2 degrees/hour.In our experiment, odometers are used to measure the wheel speeds of the vehicle.

Vehicle State Estimation
For nonlinear systems the general stochastic difference equation for discrete systems is defined by where  is the nonlinear function.In this work, Euler's numerical integration method with a fixed time step is used for deriving the difference equation.In practice, the values of the noises   and V  are not known and   is also set to zero because in the proposed system there is no control input; therefore the state and measurement vectors have to be approximated by where x is the estimate of the state based on the measurement (a posteriori).The variables   and V  are assumed to be Gaussian with zero mean and are represented by their covariance matrices  and . represents a normal distribution: Two kinds of estimation errors can be defined, the  priori estimation error   − and the a posteriori estimation error   .They are described by where x− is the a priori state estimate based on knowledge of the process prior to step  and x is the  posteriori state based on the measurement   .The covariances of the estimation errors are defined by where  −  is the  priori estimate error covariance and   is the  posteriori estimate error covariance.
The EKF algorithm consists of two stages, time update and measurement update [24].The different steps in the time update stage are where   is the Jacobian of the system model equations (⋅).
The different steps in the measurement update stage are where   is the Kalman gain that minimizes the posteriori estimate error covariance   and   is the Jacobian of the measurement function ℎ(⋅).
Although, the variables   and V  in (1) are assumed to be Gaussian with zero mean, the assumption Gaussian is not often practically satisfied.Hence, the matrices  and  cannot be seen as covariance matrices, but as high level tuning parameters, leading to suboptimal solutions.Additionally, the linearization in EKF can lead to poor performance and divergence of the filter for highly nonlinear problems.An improvement to the EKF is some local nonlinear estimators, divided difference filter, unscented Kalman filter (UKF), and so forth.The UKF approximates the probability density resulting from the nonlinear transformation of a random variable instead of approximating the nonlinear functions with a Taylor series expansion.The UKF has a slightly optimal performance compared to the EKF when used in a vehicle navigation state estimation system.However, since the low dynamics of a vehicle make the potential linearization errors of the EKF negligible and the computational time of the UKF is much greater than that of the EKF, the EKF is still chosen in this work to do the vehicle state estimation [25].

Sensor Fusion Strategy.
Based on the sensor measurements, as listed in Table 1, and a vehicle kinematic model, an EKF can be designed to estimate some important states of the Smart.An overview of the sensor configuration for the Smart is shown in Figure 3.In this configuration, INS measurements are also used to update the vehicle estimated position and heading when DGPS update is not available.which is described by a right handed orthogonal axis system (, , ) on the Earth.A second reference frame (base frame)  fixed in the vehicle is described by axes (, , and ) fixed along the central principal axes of the vehicle.The relation between navigation and base frame can be seen in Figure 4.

Extended Kalman Filters
The sensor measurements will be assigned into different frames.DGPS longitudinal, lateral positions, and heading are in the navigation frame.The acceleration and wheel speed measured from INS are in the base frame.To obtain a trajectory in the navigation frame it is necessary to convert the inertial signals from the base frame to the navigation frame, where we assume that the road is flat and then neglect the  and  axes.This can be done by the following matrix (a simplified form of the direct cosine matrix): 3.2.1.Vehicle Four-Wheel Model.In this section, the EKF based on a kinematic four-wheel vehicle model is designed, which is shown in Figure 5.The assumption is that the test track, on which the Smart is driven, is flat.In order to reproduce the trajectory followed by the vehicle, kinematic rules for the model have been used to describe the motion of a vehicle.The kinematic vehicle model can be developed as where   and   are longitudinal and lateral positions in the navigation frame and  V / indicate the longitudinal and lateral velocities in the base frame.Additionally, for each wheel speed we have where V (fl/fr/rl/rr) are wheel speeds measured from the front left, front right, rear left, and rear right wheels, ψ is the yaw rate,  1/2 are lengths from front and rear axles to the Smart COG, and  1/2 are the length of front and rear track.Equations ( 12) and ( 13) are derived from the condition that rear wheels are not steering wheels and their wheel angles are equal to zero.All model states are described in Table 2, where the bias sates are modelled as random walks.By using the random walk model, growth of uncertainty of the true value of the bias and the rate at which it varies can be reflected [26].
Additionally, the measurements of the EKF are identified in Table 3.By using Euler's method with time step , the discrete time state equations can be written as Additionally, the measurement equations can be specified as follows:

System Observability.
A dynamic system is said to be observable if it is possible to uniquely reconstruct the state information based on the model of a system given the inputs and outputs of the system.The nonlinear model for the Smart car is where ℎ = col(ℎ 1 , . . ., ℎ  ): Although this model is nonlinear, it is linearized each time for the EKF.The observability matrix, , is calculated for each linearization in the run of the EKF.If  has full rank at each run, then the linearized model is locally observable.

International Journal of Navigation and Observation
In this project, the observability matrix is accumulated over the entire time step from the initial to the final as a global check [27].Since, a state space discrete time model is used in this work, the transient event is not studied and then is neglected from the observability check.
The model is locally observable when the vehicle is driving; when the vehicle is standing still and yaw rate measurement is equal to zero, the estimated longitudinal/lateral COG velocities  V 2 /  V 2 and bias states for front/rear odometers  fl ,  fr , and  2 become unobservable.This is because when the vehicle is standing still no speed information is received from wheel encoders, so nothing can be said about the error in the speed calculation.

Fault Detection and Isolation System Design
The generalized observer scheme (GOS) provides that an estimator dedicated to a certain sensor is driven by all outputs except that of the respective sensor.This scheme allows one to detect and isolate only a single fault in any of the sensors, however, with increased robustness with respect to unknown inputs.
A GOS is suitable for detecting a single fault at a time in one of the  sensors of the system.The th observer ( = 1, 2, . . ., ) is driven by all but the th measured variable (i.e.,  1 , . . .,  −1 ,  +1 , . . .,   ).Consequently, each residual from the th observer will be sensitive to all but the th sensor fault.  is not used in the th observer because   is assumed to be corrupted by the fault and therefore does not carry usable information about the system [3].
The nonlinear system equations included sensor faults and unknown disturbances are where ℎ = col(ℎ 1 , . . ., ℎ  ):   →   . is the -dimensional state vector. is the -dimensional vector of measurements.Moreover, the model is subject to the fault signal  as well as to the unknown disturbance signal .The fault magnitude of  is an arbitrary scalar function of time that is zero when there is no fault.A GOS can be designed for the sensor FDI, where there are  EKFs, each using all but the th sensor measurement.For each EKF, its residual   can be generated from the measurement update stage as Because each EKF is excited by all but one sensor output, when a sensor fault occurs in the th sensor, the residual will satisfy the following isolation logic:  where   ( = 1, . . ., ) are isolation thresholds [28].Such a GOS scheme is shown in Figure 6.
A GOS bank of EKFs is robust to system modeling error and unknown disturbances in a realistic environment.This is because in a GOS only if all  residuals in (28) have to misfire, a bad fault decision can be made.
Here, an example is given to illustrate how a GOS can accurately diagnose a single sensor fault in the system, as shown in Figure 6.In Table 4, each row represents a fault, where a number of 1 in position th row and th column implies that fault   affects residual   .As stated before, each residual generated from GOS is sensitive to all but one sensor fault and, therefore, for the occurrence of each fault, there exists a unique combination of the residual response, which is so called generalized residual set, as can be noticed in each row in Table 4.By such a residual table, any single sensor fault   , if it happens, can be uniquely detected and isolated.

General Outline of the FDI System.
The basic scheme of the FDI system is specified in Figure 7, where fault detection system is to identify a fault that occurred and fault isolation system can determine the location of the fault.The extra fault management system is used to recognize and handle the fault, which contains a state selection system.

EKFs in the GOS.
There are eight sensors installed in Smart car, which are DGPS, longitudinal/lateral accelerometers, gyroscope, and a wheel speed sensor on each vehicle wheel.In order to detect a single fault in these sensors, a GOS bank of EKFs is developed, where there are eight EKFs.In case a sensor fault happens, the output from residual evaluation block (the diagnosis information) will indicate which fault happens and subsequently select the state estimated from  the EKF, using all but the faulty sensor measurement, as the fault-free output, which is shown in Figure 8.It can be seen in the figure that residuals and states generated from each EKF are inputted to the residual evaluation and fault management system, respectively.Hereafter, each EKF (in GOS) for vehicle state estimation will be evaluated, where EKF 0 uses all sensor measurements (nominal EKF).
EKF 1: Driven by All Measurements but DGPS.This one uses all but DGPS data.In case DGPS fault happens, the estimated states from this EKF will be applied.

EKF 2: Driven by All Measurements but Longitudinal
Accelerometer.All but longitudinal acceleration measurement are used by EKF 2. When longitudinal accelerometer is faulty, EKF 2 will be applied to state estimation.It can be seen in Figure 9 that the estimated longitudinal acceleration is reliable as an analytical redundancy to replace the faulty accelerometer measurement.Gyroscope fault  5 Front left wheel speed sensor fault  6 Front right wheel speed sensor fault  7 Rear left wheel speed sensor fault  8 Rear right wheel speed sensor fault states from EKF 5 are still fault-free.EKFs 6 to 8 use all but other three wheel speed signals, respectively, and can achieve almost the same estimates results as EKF 5. Therefore, the detailed descriptions of these three EKFs are omitted.
In case any one of these wheel speed sensors is faulty, the corresponding EKF will be applied to the state estimation.

Sensor Fault Detection and Detectability.
In the GOS, ideally there is a residual generated from each EKF, which is sensitive to all but one sensor fault.To this end, we need to check in each EKF if those sensor faults are detectable with respect to the generated residual.It requires that transfer functions from these sensor faults to the residual are nonzero.

4.3.1.
Sensor Faults Description.The FDI system for the Smart is designed to diagnose eight sensor faults, which are listed in Table 5.The modeling of sensor fault   can be seen in (26), where   corresponds to each sensor measurement.

Residual
Generation.This section discusses several possibilities for residual generation from each EKF.After Rear wheels comparison, the most promising one is selected.At the beginning, a residual notation is made and will be applied throughout this work.Residual   , is the th residual generated from th EKF in the GOS.Because there are eight EKFs in the GOS, we have  ∈ {1, . . ., 8}.Meanwhile, as seven measurement equations are applied in the EKF 0, seven residuals might be generated from the GOS.To make a clear notation, the order of these seven residuals is fixed as  ∈ {1, . . ., 7} ∈ {residual generated from the measurement update: DGPS, -acceleration, -acceleration, yaw rate, front left wheel speed, front right wheel speed, and mean rear wheel speed}.DGPS signals can be blocked by buildings, trees, bridges, and so forth.In this work, the DGPS outage is simply detected by the following logic.
(1) The number of satellites dropped below 4.
(2) The value of HDOP is larger than 10, when the positional measurements should be used only to indicate a very rough estimate of the current location.
For INS FDI system design, residual generation in EKF 1 is taken as an example.As using only no DGPS measurements, this EKF can generate residuals from all INS measurement updates.The generated residuals,  12 to  17 , are listed in Table 6, where  ψ 2 is yaw rate,  V /2 are the estimated COG velocity,  1 is the length of the Smart track, and  1 is the length from the Smart COG to the front axle.It should be advised that although EKF 1 is driven by all seven INS measurements, only six residuals can be generated.The reason is that the mean rear wheel speed, instead of two separate speeds, is used in the measurement update of the EKF 1, which can be seen in (23).
Therefore, in each EKF of the GOS, there is a generated residual vector (), which contains all those six residuals but one.In order to construct a GOS, a vector residual or a scalar residual, which is affected by all sensor faults but one, needs to be generated from each EKF.
Scalar residuals are considered in this work.With respect to INS FDI, a scalar residual should be selected among  12 to  17 , which is affected by as many sensor faults as possible.Noticed in Table 6, there are more states involved for the generation of residuals  15 and  16 .Thus, either  15 or  16 may be applied to the sensors FDI system design.In the following, the detectability of each INS fault with respect to the residual  15 will be checked.

Theory for Checking the Fault Detectability.
When faults occur in the monitored process, the response of the residual vector is where   () is defined as a fault transfer matrix which represents the relation between the residual and faults, [  ()]  is the th column of   (), and   () is the th component of   .If [  ()]  ̸ = 0, the   is detectable in the residual .This is defined as the fault detectability condition of the residual  to   [28].
The vehicle model applied in this project is nonlinear and linearized at each time step for EKF.Euler's numerical integration method with a fixed time step is used for deriving the linearized equation.Therefore, we propose to check the sensor fault local detectability at each time step for a linearized discrete time model.The model is shown as follows: ( + 1) =  () +  () ,  () =  () + V () . (30) With this system, a discrete time Kalman filter measurement update equation can be written as where  is Kalman gain and  is a shift operator in discrete time model.From (31) the transfer function from the state vector to the measurement vector can be represented as Consequently, under normal conditions, where the subscript  means the normal condition and the subscript  in the following denotes a fault condition.Now, if a measurement is disturbed by a fault vector (), Then, from (34), the state estimation becomes The normal filter residual can be defined as and the residual under fault conditions is Clearly, a sensor fault is detectable with respect to residual sequence when the term   = [ − [ −  + ] −1 ] is nonzero [28,29].

Check the Fault Detectability in GOS.
Since the used model is nonlinear, but it is linearized each time for the EKF, the detectability matrix is calculated for each linearization in some runs of the EKF.If   is nonzero at each run, then the fault is locally detectable.
Fault Detectability with respect to Residual  15 .Each transfer function in the fifth row of the matrix   can be calculated.Functions  5,2 to  5,7 are used to represent all transfer functions on the 5th row of matrix   , which are described in Table 7.In the following, the Bode diagram of each function is plotted, which can be applied to analyze the detectability of each sensor fault to the residual  15 (to show the frequency response of the residual to each sensor fault).
The Bode diagram of  5,2 , the transfer function from longitudinal accelerometer fault to  15 , is shown in Figure 10(a), From longitudinal accelerometer fault to  15  5,3 From lateral accelerometer fault to  15  5,4 From gyroscope fault to  15  5,5 From front left wheel speed sensor fault to  15  5,6 From front right wheel speed sensor fault to  15  5,7 From rear left/right wheel speed sensor fault to  15  10(c).At high frequency, the gain margin is larger than 0 db and therefore one-hundred percent of fault magnitude can be transmitted to the residual.Thus, this fault is detectable in  15 .The transfer function  5,5 should be equal to one.Additionally, looking at the Bode diagrams of  5,6 and  5,7 , the front right and rear wheel speed sensor faults are all detectable with respect to  15 .

Sensor Fault Detectability under Other Operating Situations.
Since the used model is linearized each time for the EKF 1, the detectability matrix is calculated for each linearization in some runs of the EKF 1 for the local check.Furthermore, we show the performance of this residual in response to the occurrence of each sensor fault, that is, a constant additive fault.Therefore, six separate off-line tests are performed with a different sensor fault injected at each time.The description of these faults can be seen in Table 8, where the fault sizes are chosen empirically followed by the real sensor fault size.The tests for other GOS EKFs can be conducted similarly.
It can be seen in Figures 11, 12, and 13 that upon the occurrence of all sensor faults, at any operating point the residual  15 has the obvious and constant change.Moreover, the magnitude of  15 under the nominal condition is around ±0.1 m, which can be seen in the bottom of Figure 11.In case a single sensor fault with a reasonable size as specified in Table 8 happens, the change of  15 is far larger than the nominal residual magnitude.Thus, by selecting a fixed threshold, this change can be detected.9.The formula representations of these residual generations can be seen in Table 6.
From EKF 3, lateral acceleration can be estimated.We compare this estimated state with raw lateral accelerometer measurement, the difference of which is generated as a residual,  33 .During the test, if there is a big change in this residual but all other INS residuals are nominal, then a lateral accelerometer fault can be detected.

Sensor Fault Isolation.
Residuals generated from each EKF are evaluated in this section and the diagnosis information which indicates the location of the faulty sensor can be made.Residual evaluation can in its simplest form be a thresholding test on the residual, such as a test if residual is larger than a threshold.Due to model uncertainties and measurement noise, residual will not be 0 in the faultfree case.Therefore a nonzero threshold has to be selected.Residual evaluation in its complex form can be distinguished as various tests of mean, variance, or the  2 test [30].
As stated in Section 4.3.4,when single sensor faults with reasonable sizes happen, there are considerable changes of residual  15 , which largely exceed the nominal residual magnitude, ±0.1 m.Therefore, it is reasonable to select the nonzero threshold in this work for residual evaluation.For the change detection, a binary number is used to indicate the change of a residual.After evaluating, if the residual is larger than a fixed threshold, the value of its change detection is set to 1; otherwise it is 0.
Based on the functioning of the designed GOS, while a single sensor fault happens, all selected EKF residuals but one will fire.Such pattern of the residual response constructs a generalized residual set, which can identify the location of a sensor fault.Therefore, a look-up table for INS faults isolation is designed and provided as in Table 10, where  2/4/5/6/7/8 stand for longitudinal accelerometer, gyroscope, and four wheel speed sensors faults.Moreover, because both  residuals  15 and  35 , generated from EKF 1 and 3, are sensitive to all faults of  2/4/5/6/7/8 , they are omitted from decision logic during the off-line test, and a simplified isolation table is presented as in Table 11.Decision logic for lateral accelerometer fault detection is implemented in the second row of Table 11.

Sensor Fault Management
System.An extra fault management system is integrated into the designed FDI system for recognizing and handling the diagnosed fault.
The basic scheme of this fault management system is shown in Figure 14, where the state selection is explained.In the designed FDI system, there are nine EKFs, which can be  seen in Figure 8. Nominal EKF (EKF 0) uses all sensor measurements for the vehicle state estimation.Others, from EKF Corresponding to these eight states, there are eight state selection blocks in the fault management system, each using th state,  ∈ {1, . . ., 8}, estimated from each EKF.The diagnosis information   , generated from fault isolation block, is a variable, ranging from 0 to 8. A number of 0 means all sensors are fault-free and an integer among 1 to 8 indicates a corresponding sensor fault  1 to  8 , listed in Table 5, occurred.Each state selection block, after reading such diagnosis information, will let the state estimated from the specified EKF (0 to 8) pass through as the most reliable state to the following ADASs application.

FDI System Testing and Experiment Result
The off-line tests are designed to evaluate the FDI system for the Smart with actual experiment data.The road test is conducted on the test track as shown in Figure 15.During the experiment, the Smart starts at the starting point  1 and runs in the counterclockwise direction.With the CAN interface and data acquisition system installed on the Smart, the actual measurement data can be obtained from all sensors in vehicles.Afterwards, they are inputted to the FDI system built in a Simulink environment on a Windows XP Laptop (Intel Core2 6300 1.86 Hz, 2 Gb of RAM) for the state estimation.Meanwhile, the real-time FDI system validation test will be conducting on a prototype ECU, which has a 208 MHz ARM9 CPU, 32 MB RAM, and 16 GB flash.

Fault Generation and Injection.
For evaluating the designed FDI system, some additive faults with appropriate size are generated and injected to the nominal sensor data during the off-line test.The strategy for the sensor fault injection is shown in Figure 16, where a fault   is added to each single sensor.The fault magnitude of   is a scalar function of time and is chosen depending on the real sensor fault size, which is zero when there is no fault.  stands for the sensor fault direction, which for each single fault is equal to one.A zero block in Figure 16 is used to represent a complete sensor fault (power off).In the off-line test, such a fault injection block is added to each sensor measurement.

FDI System Evaluation with
Off-Line Tests.In this section, the designed FDI system is tested with the occurrence of each sensor fault, either a real or a injected fault.The offline test is conducted with the real experiment data, during the time interval  = 0-120 s.In this period, The Smart was accelerated and decelerated in both longitudinal and lateral direction, which make the driving scenarios comprehensive enough for the FDI system test.In the following, residual generation, evaluation, and the nominal states selection are provided.Depending on these test results, the function of the FDI system is analyzed.As discussed in Section 4.5, at the time   = 1, the state selection in fault management system selects the estimated states from the EKF 1, driven by all but DGPS data, as the nominal vehicle states.As shown in Figure 17, at time points,   position is still accurate even if DGPS faults occur, which can be seen in Figure 19.

INS Fault Diagnosis.
In the real experiment, there was a fault that happened in the rear left wheel speed sensor and all other sensors are fault-free.
Longitudinal Accelerometer FDI.Additive sensor faults are generated and injected to the raw acceleration measurement.The fault size is chosen around 3.5 m/s 2 , which is an appropriate size of the real accelerometer fault.The fault descriptions can be read in Table 13 and the comparison of raw and faulty acceleration signals is plotted in Figure 20.From Figure 21, we notice that all but residual  25 change in response to the sensor fault.Depending on the nominal magnitude of each residual, a threshold can be chosen, which is shown in Figure 21.Such a threshold value for each residual is fixed and will be applied to all INS fault detection in the following sections.
In response to longitudinal accelerometer faults, the diagnosis information is generated from isolation block and plotted in Figure 22, where a number of 2 indicates the fault  2 happens.There exists a time delay, around 0.1 s, for the diagnosis of longitudinal accelerometer sensor fault.The estimated fault-free longitudinal acceleration, outputted from the fault management system, is provided as the black curve in Figure 23.
It can be seen at  = 15.8 and 95.8 s that when   is equal to 2, the state selection switches the longitudinal acceleration estimated from EKF 2 (the black curve) instead of from EKF 0 (the gray curve) as the output.Therefore, even if a sensor fault occurs, the estimated acceleration outputted from the fault management system is still fault-free.However, due to a 0.1 s time delay during fault diagnosis, a big spike appears at the beginning of the state switch, which can be easily removed by a low pass filter.
Gyroscope FDI.For this sensor measurement, both complete and additive faults are generated and injected.The fault size is chosen around 0.5 rad/s.The injected faults are described in Table 14 and the comparison of raw and faulty yaw rate signals is plotted in Figure 24.From Figure 25, we notice that For indicating the gyroscope fault, the diagnosis information is generated from isolation block and shown in Figure 26, where a number of 4 indicates this fault happens.The estimated fault-free yaw rate, outputted from the fault management system, is plotted as the black curve in (the black curve) instead of from EKF 0 (the gray curve) as the output.
Front Left Wheel Speed Sensor FDI.For front left wheel speed sensor, faults are generated either with magnitudes around 2 m/s or as complete faults.The fault descriptions are given in Table 15 and the comparison of raw and faulty wheel speed signals is plotted in Figure 28.
The estimated fault-free longitudinal COG velocity, outputted from the fault management system, is plotted as the black curve in Figure 29.Additionally, the front right, rear left, and rear right wheel speed sensors FDI can be handled in the same way.

Conclusions and Future Work
This work deals with the design of sensors fault detection and isolation (FDI) system for a Smart car.In the FDI system, a generalized observer scheme (GOS) is developed.The GOS is constructed by a bank of EKFs, each excited by all but one sensor measurement.Therefore, there is a unique pattern of the residuals change with respect to the occurrence of each fault, which subsequently can be isolated by decision logic.The robustness of the FDI system to disturbances and model uncertainty is improved by the application of the GOS.
For evaluating the function of the designed FDI system, some off-line tests are conducted, where vehicle data measured from a road test are applied.The sensor faults, which either actually happened during the road test or are injected during off-line test, are considered.The size of the generated fault is chosen based on the real sensor fault size.It is shown that the FDI system can accurately diagnose each single sensor fault and subsequently output fault-free estimated states from its fault management system.
Future work would consider several problems which have not been handled by the designed system in this paper.
(1) The designed FDI system can detect and isolate only a single sensor fault at each time.But it is possible to extend the FDI system with extra sensors and residuals to detect and isolate multiple faults [30].
(2) For residual evaluation, in order to reduce false alarms in some sensor faults diagnosis, statistical tests

Figure 2 :
Figure 2: Schematic overview of the ADAS with FDI system.

Figure 3 :Figure 4 :
Figure 3: Sensor configuration block diagram of the Smart.

Figure 8 :
Figure 8: Scheme of the sensors FDI system for the Smart.

Figure 14 :
Figure 13: (a) Test 3: front left wheel speed sensor fault and the response of  15 ; (b) test 4: front right wheel speed sensor fault and the response of  15 .

Figure 18 :
Figure 18: Diagnosis information generated from residual evaluation.

Figure 21 :
Figure 21: Residuals generation in response to longitudinal accelerometer faults.

Figure 27 :
Figure 27: Faulty versus nominal EKF estimated yaw rate upon the occurrence of gyroscope faults.

Figure 28 :
Figure 28: Raw and faulty front left wheel speed.

Figure 29 :
Figure 29: Faulty versus nominal EKF estimated COG longitudinal velocity upon the occurrence of front left wheel speed sensor faults.

Table 1 :
Sensor measurements in Smart.In our experiment, the following GPS signals are applied: quality, horizontal dilution precision (HDOP), number of satellites, time, longitudinal/lateral position, heading, and velocity.Based on the product datasheet, we know the DGPS update rate is 1 Hz and the accuracy is ±5 m.
Design for the Smart Car.The motion of a vehicle will be referred to as a navigation frame

Table 2 :
States of the EKF of Smart car.In navigation frame In base frame   2 : LONG position   2 : LONG acceleration [m/s 2 ]   2 : LAT position   2 : LAT acceleration [m/s 2 ]   2 : yaw angle  V 2 : LONG SPD in COG [m/s]  ψ 2 : yaw rate  V 2 : LAT SPD in COG [m/s]   2 : bias state for LONG ACC   2 : bias state for LAT ACC  ψ 2 : bias state for GYRO  fl : bias state, front left ODO  fr : bias state, front right ODO  2 : bias state for rear ODO

Table 3 :
Measurement used by the EKF of Smart car.In the navigation frame In the base frame   2 : DGPS LONG     2 : LONG ACC   2 : DGPS LAT     2 : LAT ACC   2 : DGPS heading   fl2 : front left wheel SPD   ψ 2 : GYRO yaw rate   fr2 : front right wheel SPD     2 : rear wheels mean SPD

Table 4 :
Example of generalized residual set.
3: Driven by All Measurements but Lateral Accelerometer.EKF 3 is driven by all but lateral acceleration signal.At the moment a lateral accelerometer fault occurs, states estimated from EKF 3 will be applied.
EKF 4: Driven by All Measurements but Gyroscope.This EKF uses all but gyroscope measurement.In case gyroscope is faulty, EKF 4 will be used for vehicle state estimation.EKF 5/6/7/8: Driven by All Measurements but Each Wheel Speed Sensor.EKF 5 is driven by all but front left wheel speed signal.When this sensor fault happens, the estimated

Table 8 :
Residual generation in separate tests for fault detectability check.
where only the high frequency band is taken into account.Because sensor faults are assumed transient, they are always high frequency signals.At this frequency, the gain margin is around −20 db and thus ten percent of the fault magnitude can be transmitted to  15 .This fault is detectable in case of applying a small threshold.The Bode diagram of  5,3 can be seen in Figure10(b).At high frequency, the gain margin is around −70 db and therefore this fault is almost undetectable in  15 .The Bode diagram of  5,4 , the transfer function from gyroscope fault to  15 , is plotted in Figure

Table 9 :
Residual generation in each EKF.For all INS, it is considered at the first step to generate a residual to detect all but lateral accelerometer sensor fault.The detection of lateral accelerometer fault can de achieved by a simple strategy, that is, checking the difference between the raw and estimated acceleration only generated from the EKF 3, which is driven by all but lateral accelerometer measurement.Hereby, all residuals generated for the FDI system design are classified and listed in Table

Table 11 :
Simplified INS fault isolation table.
[30,1.DGPS Fault Detection.Based on the simple logic descried in Section 4.3.2, the GPS outage is detected during  =[30, 65]s in the test, since the GPS signal was blocked by the lab building while the Smart was on the test track.This outage can be treated as additive sensor faults and easily detected as shown in Table12.The faulty / position signals are plotted as the gray curve in Figure17.The diagnosis information   , which is generated from fault isolation block to indicate the location of the sensor fault, is plotted in Figure18.In this figure, a number of 1 indicates the occurrence of DGPS fault.

Table 15 :
Generated front left wheel speed sensor faults.