
4.1.1 System Model

We begin by noting that many of the techniques used in sensor fusion are independent of system dynamics (i.e., they are applied at every time step and provide guarantees even if the dynamics are unknown). That is why we do not specify a dynamics model at this point and leave the dynamics model in its most general form, i.e.,

$$x_{k+1} = f(x_k, u_k) + \nu^p_k. \tag{4.1}$$

At the same time, some of the following sections are developed with specific dynamics models in mind – the corresponding assumptions are always explicitly noted in their respective sections.

The sensor model, on the other hand, is markedly different from the one in Chapter 3 – while in Chapter 3 we used a probabilistic model, here we adopt an abstract sensor model (also known as a set membership model). The reason for this is that although probabilistic models are well suited for describing a system’s expected operation and expected state estimation given the measurements, their safety detection performance may suffer when the wrong noise distributions are selected. Under the abstract model, on the other hand, a set is constructed around each sensor’s measurement containing all possible values for the true state, where the size of the set depends on the sensor’s accuracy. By tracking these sets over time, one may be able to draw conclusions about the system’s safety even in the worst case, e.g., if none of the sets around the received “measurements” contains an unsafe state, then the system must be safe. Thus, the abstract model does not require any assumptions on the process or measurement noise distributions and is naturally suited for safety and security analysis.

Another modification to the sensor model is that in this chapter we abstract away the functional relation between the state and the measurements. More specifically, we assume that all sensors measure the state directly despite the fact that the actual measurements may be some non-linear functions of the state. This assumption allows us to consider sensors as truly providing redundant information and to directly compare their “measurements”. Note that while this assumption may not hold in certain systems (e.g., in medical scenarios it is difficult to convert most available measurements to other available measurements), it is a reasonable assumption in many other cases where the same variable may be estimated through several sensors (e.g., speed can be estimated using multiple sensors on the LandShark as shown in Figure 1.2a). Naturally, these different sensors will have varying accuracy depending on the estimation technique that is used; yet, by leveraging the redundant information that they provide, the system should be able to detect when it is unsafe even in the presence of attacks/faults in some of the sensors.

We now formalize the above notions by using the abstract sensor framework, as noted above. Thus, each sensor $i$ provides a direct measurement of the state at time $k$ of the form

$$y_{i,k} = x_k + \nu^m_{i,k}, \tag{4.2}$$

where $\nu^m_{i,k}$ is bounded measurement noise. Using the bounds on $\nu^m$, one may then construct the set of all possible values for $x_k$ given $y_{i,k}$. These bounds can be obtained by using sensor specifications and manufacturer guarantees, or they can also be learned from data by observing the system’s operation and the largest deviations of the measurements from the true states.

An intuitive approach to specifying the bounds on $\nu^m$ is to select bounds in each dimension independently, i.e., to form a $d$-rectangle around the measurement. However, since most modern sensors employ internal filtering techniques (e.g., Kalman filters in GPS), these bounds are not always as simple as $d$-rectangles; furthermore, some camera-based velocity and position estimators used in urban robotics applications, for example, guarantee different position precisions at different velocities. Therefore, we use a more expressive notion than $d$-rectangles, namely $d$-dimensional polyhedra.¹ Thus, each abstract sensor $i$ can now be considered as providing a $d$-dimensional polyhedron $P_{i,k}$ (constructed around the actual measurement $y_{i,k}$) of the form

$$P_{i,k} = \{\, y_{i,k} + z \in \mathbb{R}^d \mid B_i z \le b_i \,\}, \tag{4.3}$$

where $B_i \in \mathbb{R}^{q \times d}$ and $b_i \in \mathbb{R}^q$ (for some $q$) are parameters that are determined by the accuracy of sensor $i$.

By construction, each polyhedron $P_{i,k}$ in (4.3) is guaranteed to contain the true state under nominal conditions. At the same time, sensors often experience transient faults, e.g., a camera might be affected by the sun or by temporary obstructions. Thus, we distinguish between a correct and a faulty measurement depending on whether a polyhedron contains the true value.

¹ Note that in some areas the term “polyhedron” is used to refer to three-dimensional objects only. In this work, polyhedra can have arbitrary dimensions; in some areas, a “convex polytope” is another synonym for “polyhedron” as used in this thesis.

Definition. A measurement $y_{i,k}$ is said to be correct if the corresponding polyhedron $P_{i,k}$ contains the true state $x_k$, and faulty otherwise.
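To make the set-membership model concrete, the following Python example (added here; it is not code from the thesis) builds the polyhedra of (4.3) for two constructed sensors, a GPS-like sensor with a $d$-rectangle bound and a camera-like sensor with an L1-ball (diamond) bound, checks the Definition above against a constructed true state, and checks whether a polyhedron admits any state of a constructed unsafe set. Emptiness of a polyhedron is decided by Fourier-Motzkin elimination over exact rationals, which is this example's choice and not a method the section prescribes; combining several sensors by intersecting their polyhedra is likewise an added step beyond what the section states so far. All numbers (sensor bounds, measurements, the unsafe region $x_1 \ge 12$) are constructed.

```python
"""Abstract (set-membership) sensors as polyhedra P = {y + z : B z <= b}, eq. (4.3).
Added example; sensors, measurements and the unsafe set below are constructed."""
from fractions import Fraction
from itertools import product


def polyhedron(y, B, b):
    """P_{i,k} around measurement y, stored in state coordinates x = y + z,
    i.e. as the constraint system B x <= b + B y."""
    Bx = [list(row) for row in B]
    bx = [bi + sum(r * yj for r, yj in zip(row, y)) for row, bi in zip(B, b)]
    return Bx, bx


def box_sensor(eps):
    """d-rectangle |z_j| <= eps_j as (B, b): rows +e_j and -e_j."""
    d = len(eps)
    B = [[1 if c == r else 0 for c in range(d)] for r in range(d)]
    B += [[-v for v in row] for row in B]
    return B, list(eps) * 2


def diamond_sensor(radius, d=2):
    """L1 ball |z_1| + ... + |z_d| <= radius as (B, b): one row per sign pattern."""
    B = [list(s) for s in product((1, -1), repeat=d)]
    return B, [radius] * len(B)


def contains(P, x):
    """Membership test B x <= b (the Definition: correct iff the true state is inside)."""
    B, b = P
    return all(sum(r * xj for r, xj in zip(row, x)) <= bi for row, bi in zip(B, b))


def intersect(*Ps):
    """Intersection of polyhedra = stacking their constraint rows (added fusion step)."""
    B, b = [], []
    for Bi, bi in Ps:
        B += [list(row) for row in Bi]
        b += list(bi)
    return B, b


def is_empty(P):
    """Fourier-Motzkin elimination over exact rationals: True iff {x : B x <= b} = {}."""
    B, b = P
    rows = [([Fraction(v) for v in row], Fraction(c)) for row, c in zip(B, b)]
    for j in range(len(B[0])):
        pos = [(r, c) for r, c in rows if r[j] > 0]
        neg = [(r, c) for r, c in rows if r[j] < 0]
        rows = [(r, c) for r, c in rows if r[j] == 0]
        for (rp, cp), (rn, cn) in product(pos, neg):
            ap, an = rp[j], -rn[j]  # scale both rows so the x_j terms cancel
            rows.append(([u / ap + v / an for u, v in zip(rp, rn)], cp / ap + cn / an))
    # only constant rows "0 <= c" remain; any c < 0 is a contradiction
    return any(c < 0 for _, c in rows)


def is_correct(P, x_true):
    return contains(P, x_true)


def may_be_unsafe(P, unsafe):
    """Does P contain any state of the unsafe polyhedron, i.e. is P ∩ unsafe non-empty?"""
    return not is_empty(intersect(P, unsafe))


# Constructed scenario: 2-D position in metres, true state x_k = (10, 5).
X_TRUE = (10.0, 5.0)
GPS = box_sensor((2.0, 2.0))        # +/- 2 m per axis (d-rectangle)
CAM = diamond_sensor(1.5)           # |dx| + |dy| <= 1.5 m (velocity-style L1 bound)
UNSAFE = ([[-1, 0]], [-12.0])       # unsafe region x_1 >= 12, written as -x_1 <= -12


def scenario():
    p_gps = polyhedron((11.0, 4.0), *GPS)           # noise (1, -1): within bounds
    p_cam = polyhedron((9.5, 5.5), *CAM)            # noise (-0.5, 0.5): within bounds
    p_cam_fault = polyhedron((20.0, 5.0), *CAM)     # transient fault: 10 m off
    return {
        "gps_correct": is_correct(p_gps, X_TRUE),
        "cam_correct": is_correct(p_cam, X_TRUE),
        "cam_fault_correct": is_correct(p_cam_fault, X_TRUE),
        "conflict_detected": is_empty(intersect(p_gps, p_cam_fault)),
        "gps_alone_may_be_unsafe": may_be_unsafe(p_gps, UNSAFE),
        "cam_alone_may_be_unsafe": may_be_unsafe(p_cam, UNSAFE),
        "fused_may_be_unsafe": may_be_unsafe(intersect(p_gps, p_cam), UNSAFE),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

In the constructed run, the GPS rectangle alone still admits unsafe states ($x_1$ up to 13), while the camera polyhedron (and therefore the intersection) does not, which is the worst-case safety conclusion the abstract model licenses without any noise distribution. The faulty camera measurement 10 m off is not correct in the sense of the Definition, and because its polyhedron has empty intersection with the GPS polyhedron, the redundancy exposes the conflict even though the true state is unknown to the system.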