408 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO.

2, FEBRUARY 2011
An Architecture for a Dependable
Distributed Sensor System
Sebastian Zug, Andr Dietrich, and Jrg Kaiser
AbstractIn future smart environments, mobile applications
will nd a dynamically varying number of networked sensors
that offer their measurement data. This additional information
supports mobile applications in operating faster, with a higher
precision and enhanced safety. The potentially increased redun-
dancy obtained in such scenarios, however, is seriously affected by
additional uncertainties as well. First, the dependence on wireless
communication introduces new latencies and faults, as well as
errors, and second, sensors of the environment may be disturbed,
of low quality, or even faulty. The quality of the collected data
therefore has to be dynamically assessed. Our work aims to pro-
vide a generic programming abstraction for fault-tolerant sensors
and fusion nodes that cope with varying quality of measurements
and communication.
Index TermsData fusion, distributed system, fault tolerance,
intelligent sensors, smart sensors.
I. INTRODUCTION
D
URING the last decade, applications for distributed en-
vironment monitoring have received increased attention.
Many example applications exist, including habitat monitoring
[1], object tracking [2], pollution detection [3], and climate
observation [4]. In addition to applications that are restricted
to a xed set of sensors, those that exploit the existence of
ambient sensors for mobile applications have also come into
focus. These include, among others, driverless transport sys-
tems and cooperating robots. In many everyday applications,
distributed sensor systems supply their information about the
environment, for example, automatic door-openers monitoring
moving objects through a combined system of cameras and
radar sensors or the heating system of a building controlled
by a temperature sensor network that provides the ambient
temperature for various mobile applications. However, todays
applications collect this perception and only use it for a single
purpose. We assume that, in the future, due to the rising number
of wireless sensor networks, more and more sensors will be
available for collecting data about the environment. In this
scenario, the different sensor nodes establish an instrumented
Manuscript received December 15, 2009; revised May 25, 2010; accepted
May 26, 2010. Date of publication November 11, 2010; date of current version
January 7, 2011. This work was supported in part by the Ministry of Education
and Science (BMBF) within the project Virtual and Augmented Reality for
Highly Safety and Reliable Embedded Systems (ViERforES). The Associate
Editor coordinating the review process for this paper was Dr. Cesare Alippi.
The authors are with the Faculty of Computer Science, Institute
of Distributed Systems, Otto-von-Guericke University Magdeburg, 39106
Magdeburg, Germany (e-mail: zug@ivs.cs.uni-magdeburg.de; dietrich@ivs.cs.
uni-magdeburg.de; kaiser@ivs.cs.uni-magdeburg.de).
Color versions of one or more of the gures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identier 10.1109/TIM.2010.2085871
and intelligent environment with the capability of varying the
degree of information exchanged according to the specic
task at hand. For example, temperature values are useful for
ultrasonic distance measurements due to the relation between
the speed of sound and temperature or a mobile transportation
platform uses the information from an automatic door system
and decreases its velocity based on knowledge of waiting
people.
The main challenge is to effectively handle the amount
and variability of the observed and relevant information. The
availability of information depends on the existence of ap-
propriate sensor nodes, as well as on network range, and
can thus be disturbed by faults (i.e., hardware, software, and
communication).
A generalized programming abstraction is necessary in this
context and leads to the notion of smart sensors and smart
fusion nodes. The idea of smart sensors is rather old [5] but
gained momentum due to the technological progress of recent
years and is supported by the development of respective stan-
dards [6]. The smart sensor is composed of a simple transducer
and a processing unit. It offers preprocessed-application-related
information via a well-dened communication interface. Our
work extends this former approach and combines smart sensor
nodes (SSNs) and adaptive fusion nodes (AFNs) for computa-
tionally expensive tasks in a single architectural concept. The
AFN exibly provides an improved result based on all relevant
sensor information. This combination represents an architec-
tural framework, dening the basic components necessary for
fault-tolerant distributed applications. A special feature of the
fault detection mechanisms is the feedback approach for SSNs.
The aggregated information is shared with all SNNs to provide
an individual validation of the current measurements inside
each SSN. In [7], we presented this idea and illustrated its
benets by exploiting the feedback of the actual joint estimation
in every SSN. The second contribution of this concept is a
common format of validity estimation transmitted with each
value. Thus, an AFN enables assessment of the quality of
measurement.
SSNs and AFNs use a generalized interface that comple-
ments each measurement value with additional information,
for example, a time stamp, localization information, and a
validity estimation. Our common interface of SSNs and AFNs
provides the correct interpretation of those values, based on
an electronic datasheet for each sensor. Of course, messages
transmitted by SSNs connected to a camera, a laser scanner, or
a simple bumper vary in the size of the result, validity, units, etc.
Only a global knowledge of the message format allows dynamic
interaction and combination [8].
0018-9456/$26.00 2010 IEEE
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 409
The distributed dynamic approach includes a number of addi-
tional sources of faults and errors. For this reason, we designed
the internal structure of the SSN and AFN to consider a broad
classication of faults and errors. In [7], we discuss different
types of faulty measurements, as well as adequate detection
mechanisms and their inuence on the nal result of fusing the
data. In this paper, we extend our analysis to communication
faults and unpredictable network latencies. This paper will
examine the inuence from both sensor and network faults.
To evaluate the concepts, we simulated an application scenario
of a mobile robot driving in an instrumented environment.
In particular, we measure the impact of sensor and network
faults on position estimation. To base the evaluation on realistic
assumptions, we derived the main parameters for the sensors
and actuators from a physical system and used them to simulate
multiple fault conditions.
The contribution of this paper is an architecture for distrib-
uted fault-tolerant and exible sensor systems. This is based
on an analysis of the different types of smart sensor faults.
Section II gives a short overview of the different issues that
are related to fault-tolerant sensing and reviews the respective
state of the art. In Section III, we summarize and compare the
faults that can be encountered in the described scenario. Based
on this analysis, our design of a fault-tolerant SSN and AFN is
developed in Section IV. The approach is validated through a
simulation that is elaborated on in Section V. A conclusion and
an outlook on future research are provided in Section VI.
II. STATE OF THE ART
A. Fault-Tolerant Fusion Abstraction
A fault-tolerant programming abstraction for the fusion of
distributed measurements involves and integrates many aspects
and disciplines. Issues such as fault detection and isolation
(FDI), fusion architectures, and fault-tolerant data fusion and
networking, among others, have to be considered. Most authors
concentrate on partial problems, for instance, self-validating
sensors without an integrated view of the distributed ensemble.
However, only a holistic approach exploits the benets of a
fault-tolerant fusion network completely.
1) Methods of Fault Detection: A systematic examination
of smart sensor faults is given in [9] and [10]. The resulting
sensor fault detection is based on a comparison of redundant
information. This redundancy in a measurement system can be
obtained in three ways.
a) Hardware redundancy: Hardware redundancy is used
for safety-critical applications in different ways [11]. Redun-
dant, heterogeneous, or homogeneous sensors measure the
same or related values and observe a common area. Faulty sen-
sors are identied by monitoring measurement deviations from
the joint mean, median, etc. The criterion for acceptance can
be, for instance, a simple threshold related to a measurement
uncertainty or based on statistical knowledge like x -percentile
[12]. Such methods discard a deviating minority as faulty
measurements like a k-out-of-n voter. This means that the
maximum number of simultaneous faulty sensors that can be
detected is dened by the number of redundant measurements.
In [13], the authors derive the number of necessary additional
sensors for different types of sensor faults. If a general distur-
bance manipulates the majority of the measurements, then the
majority-oriented approach for detection fails.
Another way of selection is to compare the impact of a
measurement to the fusion quality. If the elimination of an
individual sensor improves the consistency of the fusion result,
the sensor node is assumed to be faulty [14].
b) Model-based redundancy: Another approach is to
simulate redundancy with a mathematical model of the ob-
served system. An overview is presented in [15]. The response
to known inputs is calculated using this system model and is
compared to the reaction of the real system. If a state vector is
assumed, the resulting residuals can be classied by rule-based
systems, neural networks, or fuzzy sets [16]. This approach is
very common in fault-tolerant control applications (for a good
overview, see [17]).
c) Signal analysis: Model-based redundancy uses knowl-
edge of the observed system to derive the validity of a
measurement. Signal analysis monitors the parameters of the
measurement process and models the transducer behavior. This
is more robust in case of uncertain behavior of the controlled
system. Signal noise, frequency response, velocity of amplitude
change, etc., are known parameters of a measurement for an
undisturbed system. If such a value signicantly changes, then
the sensor is classied as faulty, or the observed system is mod-
ied. In contrast, mechanical and civil engineers reverse the last
assumption for damage detection in engines and buildings [18],
[19], whereby they assume that the observed building or engine
is damaged and the sensor works ne. We assume the opposite
situation, i.e., unchanged system parameters, and that the faulty
sensor is responsible for the changed signal.
There is a large body of research concerning methods for
online FDI. Most methods integrate redundant hardware for this
purpose. We developed a statistical method for signal analysis
comparing a short time series with a fault-free reference sam-
ple. This is included as a stochastic test in the SSN described
in [20].
B. Data Fusion Architectures
Most fusion architectures for sensor systems do not consider
fault-tolerant schemes (see [21] and [22]). Ahierarchical frame-
work is presented in [23], based on three different types of
virtual sensors. The fusion task is user dened by an SQL
statement, and the fault tolerance approach tries to match the
current available information for this query. In [24], the authors
describe a programming abstraction called logical sensor that
provides a general structure and combines self-validation mod-
ules, selection mechanisms, and a processing unit. The fault
detection is limited to each logical sensor. Validity information
for a joint validation of a measurement was not intended. The
joint fusion of different measurements using a voter is discussed
in [25] for smart sensors. The sensor message of this approach
consists of the sensor output and additional validity estimation.
As in other fault-tolerant projects for control engineering, the
authors do not consider communication parameters. Delayed or
missed messages due to a disturbed wireless communication
channel are not taken into account.
410 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO. 2, FEBRUARY 2011
Fig. 1. Categorization of faulty measurement.
The different approaches presented in this review of the state
of the art represent broad research topics from multiple elds.
Most of them handle very specic problems and have to be
combined to achieve a general fault-tolerant fusion architecture.
III. SENSOR FAULT TYPES
The design of a fault-tolerant sensor and fusion structure
requires an analysis and classication of typical sensor faults.
Based on this, we can determine an efcient error detection
strategy according to the individual properties of the fault types.
By efcient, we mean that we try to identify and handle a
sensor fault as close to its origin as possible. A sensor fault may
occur anywhere in the processing and dissemination chain from
the transducer via the computational components in the sensor
node to the components of the communication channel. In this
paper, we focus on errors originating from transducer faults
and uncertainties in the network. Faults of the computational
components are not explicitly considered. The reason for this
is that there has already been much work carried out on how
to enforce a fail silent behavior for this component. Therefore,
we assume that such faults are covered by the stuck-at fault
type in our scheme. Fig. 1 species the fault model of a smart
sensor as perceived by a remote consumer. Table I illustrates
how the faults impact the measurements of the smart sensor.
It also species the error compared to an ideal reference for
simple examples. The scheme also considers network crashes
and omissions.
We consider ve typical smart sensor faults in our analysis.
Fig. 1 relates these faults in a tree structure. Table I illustrates
how the different fault types from the classication scheme
affect measurements as compared to an ideal sensor, thus
dening an error model. The dashed lines in all diagrams of
Table I plot the correct reference measurements of the physical
value y(t). We assume a simple linear progression of this value
for illustration purposes here. Common mathematical models
are used for the description of the fault F(t), and presented
below are the respective diagrams. These basic fault models of
a smart sensor are used for the validity estimation of the current
measurement.
The rst level in the tree distinguishes between constant and
variable measurement faults. Constant faults (marked by 1
in Fig. 1 and Table I) represent a constant (relative) offset
from the correct value. This fault occurs, for example, due to
uncalibrated sensors, variations in temperature, or the offset
of an analog-to-digital converter. All other fault types change
their relation to the reference over time. On the second level,
the varying faults can be divided into continuous and non-
continuous faults with a linear or nonlinear deviation. Faults
belonging to the continuous group (2) can be modeled through
multiplicative combination of piecewise constant factors c
t
and
c
y
and time F(t) = c
t
t or in relation to the observed physical
value F(t) = c
y
y(t). Examples of multiplicative faults are
wrong assumptions about the environment or the aging process
of a transducer. Asingle sensor is not able to detect sensor faults
of type 1 and 2 in a standalone situation. It needs redundancy
to detect such faults, for example, an analytical model or
additional sensors. We discuss this issue in Section IV. In the
case of communication with remote sensor nodes, continuous
faults can also be caused by an offset between clocks resulting
in an imprecise global time. Since a sensor value is related to
the time it was acquired, an offset between clocks at different
nodes will associate the value of a sensor reading to different
points in time. The resulting error increases with the clock
offset. Usually, the offset between clocks can be bounded by
a synchronization protocol. If synchronization messages are
lost, this error grows proportionally with the time to the next
successful synchronization and the clocks skews.
Fault category 3 species transient and permanent faults that
result in stuck xed values. Accordingly, they are divided
into variants 3a and 3b: Faults of category 3a (intermittent)
may result from a massive external disturbance, like strong
sunlight for an infrared sensor. These environmental conditions
result in a constant output value X
c
as long as the external
condition holds, as shown in Table I for time slot T
d
. If a
sensor completely crashes or the communication goes down
for a longer period of time, measurement information can no
longer be received, and this is classied as fault model 3b
(permanent). A fusion node consuming respective sensor data
cannot distinguish between a network fault and a complete
sensor crash. This lack of knowledge is fatal for a sensor data
selection strategy. If it is assumed that wireless communication
is temporarily disturbed, then model 3a would be appropriate,
while a sensor crash means permanent loss (3b).
Category 4 models outliers. These are faults that are sporadic
in the temporal domain and stochastic in the value domain.
They are caused by the physical properties of the measurement
process. Good examples for this fault category are ultrasonic
sensors that show a comparatively large rate of outliers in a
sequence of measurements. We discuss a qualitative evaluation
of this fact in Section V-B2. With a well-adapted model of the
occurrence and amplitude, an SSN is able to detect outliers by
applying simple lter or smoothing algorithms.
So far, we have not considered continuous high-frequency
noise in the presented fault classes. Noise is inherent in every
measurement, and the noise level depends on environmental
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 411
TABLE I
FAULT CATEGORIES AND ERROR MODELS
conditions, the physics of the measurement process, and the
behavior of the electronic components in the sensor unit.
Network latencies are another source of noise. In a scenario
with unknown communication delays and without a global
time stamp, noise and uncertainty represent an additional fault
dimension. There are different approaches for coping with
noisy measurements and for extracting an optimal estimation of
the correct value. It is common to model the observed system
as a stochastic process using a Kalman or Bayes lter. In the
last few decades, many authors assumed that smart sensors
cannot provide such complex ltering algorithms due to their
limited computational performance, as, for instance, described
in [25]. Since prices for powerful microcontrollers and signal
processors are continuously dropping, we are convinced that
performance will not be a problem in the future and that the
most common ltering operations will be available on smart
sensors.
Timing and omission errors on the network are caused by
various factors such as oversaturated network links, corrupted
packets, signal degradation over the network medium, and er-
roneous hardware and software. Note that timing problems can
create omissions and that omissions can cause timing errors.
The occurrence of the introduced fault types depends on the
sensor types, the communication structures, and the environ-
ment conditions. A fault-tolerant fusion structure for SSNs and
AFNs therefore has to be adaptable to those varying conditions
and must consider a large number of possible combinations
because, in most realistic scenarios, the presented faults do not
occur strictly separately from each other.
IV. FAULT-TOLERANT PROGRAMMING ABSTRACTIONS
As discussed in the previous section, there are many ap-
proaches to dependable sensor-based systems. We partly use
and integrate these schemes in our work. Three major points go
beyond current approaches and distinguish our work. First, we
provide an architectural framework and a structure that allows
for integrating this previous work in a common scheme for a
sensor. We developed a generic internal structure based on an
analysis of the typical fault types. This denes the necessary
building blocks for a reliable sensor, keeping all necessary
computations and assessment within the smart sensor, which,
in turn, may greatly ease overall system development. The user
has the freedom to customize these modules, for example, the
stochastic tests or the lter, according to the specic conditions
that may vary with the sensor type and the application. Second,
we added the option to exploit a history of measurements to
be compared to the actual measurement of the transducer. This
enables a smart sensor to validate the current measurement and
to achieve a higher dependability. Because we assume a set
of sensors (possibly with different modalities) participating in
the perception of the environment, the results of the respective
aggregation or fusion should be exploited. For this feedback,
we provide an additional network interface. Finally, we include
an assessment of the quality of information provided by a
smart sensor in each of its messages. We rmly believe that
this is needed in a distributed sensor-based system, particularly
if ambient sensors are dynamically included in the overall
environmental perception.
There are already standards for smart sensors, for example,
[6]. They mainly describe a structure and an interface for
such devices. However, aspects concerning erroneous sensor
readings or faulty sensors are not considered.
Our architectural framework denes two components for
different purposes: an SSN and an AFN. They are depicted in
Figs. 2 and 4, respectively. Of course, an SSN can contain an
AFN and vice versa, but due to the limited resources of wireless
sensor nodes, it is appropriate to separate the tasks, delegating
them to different nodes. The SSN is composed of a transducer,
computational modules that form a sequence of processing
steps for improving the raw transducer data, a validity estimator
for assessing the quality of the local sensor information, and
412 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO. 2, FEBRUARY 2011
Fig. 2. Internal structure of our SSN.
a network interface. The network interface receives informa-
tion from the AFN for checking local measurements via the
network input port and disseminates its results on the network
output port.
A. Fault-Tolerant SSNs
The SSN processes measurements of a single transducer
(or sensor arrays of a unique type) and prepares the data for
dissemination. It produces a message including an information
item that reects the proper physical unit of the respective en-
vironment state and is tagged with an assessment of its validity.
The transducer module represents the sensor interface provid-
ing the digital representation of environmental conditions. This
includes the direct interaction with the sensor via I
2
C, SPI,
etc., and the analog-to-digital conversion. For error detection,
the raw measurements are compared to an expected input range
that is dened by either the sensor specications or knowledge
about the respective environmental conditions. For example,
the measurements of larger distances made by our short-range
ultrasonic sensor are not considered because of the very high
error rate in long-distance measurements. This interval check
produces a binary fault detection f
IC
R, R = {0, 1}.
The second preprocessing step is the stochastic test. It
compares the noise spectrum of the measured signal with a
reference distribution of an undisturbed measurement process
and calculates a similarity value. This allows for detection of
disturbed (different noise spectrum) or crashed sensors (fault
category 3a) with high probability. The reference distribution
is included on the electronic data sheet of the sensor element.
Of course, due to the sliding-window technique, which exploits
measurement history, the detection of a fault will be delayed.
The similarity value of 0 f
ST
1 represents the probability
that a fault will occur. Additionally, SSNs are able to receive
the results of the sensor fusion carried out by an AFN and scale
them to the current point in time, according to the available
system and environmental model.
As an example, let us assume an inertial navigation system
consisting of three SSNs equipped with odometric, gyro, and
acceleration sensors. The respective measurements are fused
on an AFN that calculates position and velocity estimates.
The AFN transmits the fused velocity/position values based
on multiple SSNs, and the odometric system uses this joint
estimated velocity to check the validity of its own measure-
ments. This way, the SSNs rst provide an improved perception
of the current environment and then are able to judge their
own primary measurements. The chain of modules dealing with
the feedback of the fusion results is depicted by the dashed
lines in Fig. 2. Because fusion results may not always be
available, these modules require some degree of adaptability.
The transformation module performs a time adjustment and
scales the received joint results to the individual coordinate
system.
Current measurements are compared with the transformed
joint estimation received from an AFN to detect outliers. The
developer species an algorithm, which examines the signif-
icance of those deviations. The result has to be matched to
an error probability value 0 f
OD
1. If the current value
derived fromthe real measurement is not identied as an outlier,
then it is passed along to the lter module. For a specic
environment and sensor type, various lter algorithms can be
utilized depending on the dynamics of the system, like the
frequency of disturbances and computational performance of
the SSN. All modules calculate a fault probability value in
addition to the current estimate x and its variance estima-
tion , which is analyzed and interpreted by the validity esti-
mation module.
Currently, we use simple rules to merge the individual fault
probabilities (f
IC
, f
ST
, f
OD
, f
FI
) into a joint validity estima-
tion v. If the measurements leave the interval f
IC
= 1 or the
lter module detects an outlier, the joint validity value becomes
zero. The message disseminated via the network includes the
value and the estimated validity as a quality indicator. The
format and contents of the messages are dened in an electronic
data sheet for each SSN [8].
Fig. 3 shows an ultrasonic measurement used in the scenario
in Section V. The diagrams compare the raw measurement of
the transducer to the output produced by an SSN. The correct
position of the robot is marked by the dotted line. The upper
diagram illustrates the noisy measurements of the ultrasonic
sensor combining fault types 3b, 4, and 5. The SSN is able
to detect outliers due to the feedback of the estimate jointly
derived from all three sensors. The system uses a dynamically
adapted and weighted sliding-window lter that signicantly
reduces the deviation. The solid line in the upper diagram in
Fig. 3 represents the output of the SSN.
The experimental evaluation shows the signicant gain in the
quality of SSN information compared to a raw sensor. Although
a raw transducer output can be ltered and improved, the use of
consolidated information from the AFN further improves the
measurement results.
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 413
Fig. 3. Noisy ultrasonic distance measurements, detected outliers, and the
resulting SSN output.
Fig. 4. Internal structure of our AFN.
B. Fault-Tolerant AFNs
An AFN, which is depicted in Fig. 4, receives the messages
of SSNs as input and computes a result according to some
fusion algorithm. The general architecture and structure of an
AFN is similar to an SSN. In fact, it outputs the information
via the common interface in a way analogous to the method
used by an SSN. It differs in that the main input does not come
from a transducer. The problems that the fusion node is faced
with center around the varying latencies of messages and the
selection of the most appropriate SSN messages. We call the
fusion node adaptive because it can respond to latencies of
the network, the dynamic availability of sensor information,
and the changing quality of sensor information in a exible
way. The synchronization module in the AFN has the same
task as the transformation module in the SSN. It maps the
sensor information received from multiple SSNs to a common
point in time exploiting the time stamp and a model of how
the respective value (e.g., a position) changes over time. This
is necessary to compensate for large skews that negatively
affect the fusion process but requires, in turn, appropriate time
synchronization. The subsequent selection module also uses
the age of a measurement and variance estimate together with
the estimation of the quality of a received value to choose the
most appropriate sensor information. The lter module takes
the selected measurements and calculates an estimation of the
observed value. It should be noted that more than one value is
usually used in this calculation. In fact, there may be a series
of values available from an SSN whereby the lter considers
them all within a dened time window. The Kalman lter is
a good choice for measurements that are disturbed only by
Gaussian noise. More general assumptions about process and
sensor uncertainties, as well as noise, may result in applying
a Bayesian lter. For less demanding requirements or systems
with substantial performance and memory constraints, simple
exponential smoothing or weighted average functions may be
sufcient.
In this section, we describe the interaction of our SSN, which
represents an improved smart sensor, and its new complement,
which is the AFN. We examined the fault tolerance related
to sensor faults in [7]. In the following section, we enhanced
the scenario with communication simulation to determine the
inuence of communication faults on the fusion result. In
Section V-D-2, we outline the individual implementation of the
SSN and AFN based on our simulated scenario.
V. EVALUATION
A. Scenario
In this section, we evaluate our approach in an experimental
setting and illustrate the benets of our SSN and AFN architec-
ture. Fig. 7 depicts the application of a mobile robot moving
through an environment with sensors. To allow for different
evaluation parameters and for producing various fault situa-
tions, we base this evaluation on a simulation. Fig. 5 presents
the respective Simulink model that shows all components and
signals included in the network.
The mobile system is equipped with an odometric velocity
sensor that measures speed and an ultrasonic system with a
limited range. A controller area network (CAN) [26] connects
those transducers with two AFNs, the virtual position and
the position estimation. The former integrates the velocity
signals and calculates a position result. This virtual position
measurement, together with the outputs of the other smart
position sensors, is merged into a joint position estimate in the
second AFN.
Two additional remote sensors are available. A precise laser
distance sensor monitors the scenario, and the camera system
414 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO. 2, FEBRUARY 2011
Fig. 5. Illustration of the simulated validation scenario.
TABLE II
SENSOR PARAMETER OF THE SCENARIO
localizes the robot within a limited area. The different sensor
periods and observation ranges are available in Table II. Both
external sensors are connected to the smart position fusion via
a ZigBee network [27].
We specify a fusion period of 100 ms. This value is motivated
by the control cycle of the position control of a real robot.
B. Sensors
To obtain realistic behavior of the SSNs, we chose the sensor
models according to parameters of real transducers.
1) Ultrasonic Sensors: With a known operating temperature
and for waves orthogonally emitted to the obstacle, previ-
ous work (see, for example, [28] and [29]) determined an
error of 2% of the measured distance for ultrasonic sensors.
Based on additional examinations with nonoptimal reection
angles, we assumed a normal distribution for the ultrasonic
system with a standard deviation of
us
(d) = (1/3) 6% d.
Seignez et al. [28] differentiated two further measurement
distortions: 5% of the measurements are outliers and generate
a larger error than expected from the default distribution and

us
. If a sensor operates in an environment with unknown
temperature, an additional uncertainty of approximately 3%
has to be taken into account. We did not consider changes
in temperature in our simulation but did account for outliers.
We assume that our mobile robot is equipped with SFR08
ultrasonic sensors made by Devantech. This type of sensor is
often used in robotics applications. The maximum distance of
3 m that can be measured by the sensor depends on the period.
2) Odometric Sensors: The small robot modeled in our sce-
nario has an odometric system with 120 ticks per rotation. The
assumptions concerning noise in the velocity measurements are
similar to the approaches presented in [30].
3) Laser Distance Sensor: The model of the laser distance
sensor was inspired by a YT87MG sensor made by Wenglor
[31], which we use in robot applications for dependable dis-
tance measurements. The maximum deviation is known to
be 2% of the working range. The manufacturer species the
response time to be 8 ms.
4) Camera: Based on our experience in robot localization
with web cameras, we assume a processing time of 100 ms
for one frame in our scenario. If the environment provides a
constant homogeneous illumination, a precise localization is
possible. The error function of the calculated position can be
approximated by a Gaussian distribution like the one used in
the robot simulator described in [32].
Knowledge of the sensor specication and individual uncer-
tainties was used to implement a realistic measurement of the
robots position by the SSNs in the validation scenario.
C. Communication Simulation
Every simulation has the challenge of reproducing results as
close as possible to a real environment. Next to an adequate
simulation of the sensors, we also tried to realistically model
the communication. As described in Section III, we consider
communication characteristics like jitter and latencies. Con-
sidering end-to-end delivery, packet loss produces by far the
largest latencies. Other sources such as media access therefore
have a rather small impact, and we will therefore concentrate
on packet loss rates in our evaluation. For an examination of the
inuence of the packet loss, we have to choose an appropriate
network simulator.
A good overview of different simulators is given in [33],
and a table overview with various attributes like parallel
execution, radio propagation models, mobility models,
and physical-layer and antenna models can be found in
[34]. Of course, today, a wide range of network simulators
and emulators for different domains and purposes exist. The
most common are ns-2 [35] and ns-3 [36], which support the
simulation of TCP, UDP, routing, and multicast protocols over
wired and wireless networks. ns-2 is also applicable for network
simulations in combination with Matlab/Simulink through the
cosimulator PiccSIM [37], which handles communication, time
synchronization, and the update of node positions between
both simulators. In addition to PiccSIM, however, some other
toolboxes for the simulation of communication channels in
Matlab/Simulink exist, such as the SimEvents toolbox [38] and
TrueTime [39]. SimEvents offers models for queues, servers,
routing, timers, etc., and built-in statisticssuch as delay,
throughput, and average queue lengthwhich allows for the
simulation of transactions between components. This func-
tionality makes it possible to model various types of network
protocols. In contrast to SimEvents, TrueTime is aimed at
real-time networks, as well as real-time kernels. The major
advantage of TrueTime is that it already has models for the
distribution of messages according to a chosen network model.
We chose TrueTime for the network simulation because of its
huge number of communication models, its simple extensibil-
ity, and the fact that TrueTime is easy to integrate into Simulink
simulations.
As stated earlier, packet loss causes the largest variance in
end-to-end latency. Therefore, we were mainly interested in
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 415
Fig. 6. GilbertElliot model.
determining the impact of this parameter on the sensor informa-
tion and ran the simulation under different packet loss rates and
distribution models. In addition, TrueTime simulates latency
and jitter for the respective CAN and the wireless network
to provide realistic network characteristics. In the following
paragraphs, we introduce two common models that we used for
simulating packet losses.
1) Random: This is the standard model in TrueTime, where
packet loss occurs independently with a specied probability
P
R
during a transmission.
2) Simplied GilbertElliot: As the name suggests, this
model is a simplied version of the computationally expensive
GilbertElliot bit-error model, which was rst introduced by
Gilbert [40] in 1960 and extended by Elliot [41] in 1963. It was
proved in [42] that this model is useful for simulating errors
on wireless links in industrial environments. In contrast to the
previous model, packet losses do not occur independently but
are instead correlated.
The simplied GilbertElliot model as described in [43]
consists of two states (see Fig. 6), where G denotes the good
channel state, and B denotes the bad channel state. The
probability of a packet loss in the good state is zero, and in
the bad state, it is greater than zero (for simplicity, we set this
probability to 0.95). The probability of landing in state G if the
previous state was also G is assumed with P
GG
, and that of
landing in the bad state if the previous state was B is P
BB
. The
transition from state G to state B takes place with probability
P
BG
= 1 P
BB
, and that for the opposite direction takes place
with the probability P
GB
= 1 P
GG
.
Unlike the previous model, the determination of parameters
even in the simplied GilbertElliot model can be very com-
plicated. Gilbert himself suggested a method to estimate those
parameters from a measured trace. Different methods for the
parameter estimation were proposed in [44] and [45]. In the
method we used, the transition probabilities P
GB
and P
BG
are deduced according to the variance of the burst length of
packet losses and the variance of the burst length of correctly
transmitted packets (see [46]).
3) Other Packet Loss Models: For different areas of appli-
cation, like wireless local area network or, for example, global
system for mobile communications, there also exist some other
packet loss models based on Markov chains with more than
two states, like the three-state packet loss model introduced in
[47] or the four-state model introduced in [48]. An advantage
of using Markov chains is that they can be trained to produce
results that are similar to a measured trace. In some cases, it is
also common to directly use traces to decide whether a packet
is lost or not [35]. Periodic packet loss models are mostly used
to build reliable multimedia applications [49].
D. Simulation Implementation
1) Simulink: The robot model, SSNs, AFNs, and the com-
munication simulation were implemented in the Simulink
model shown in Fig. 7. On the left side, the blocks of the inter-
nal SSN are connected with the CAN simulation. In Simulink,
the small arrows and those blocks with a point on one side
represent data ow between two blocks. The simulated SSNs
of the intelligent environment are visible on the right. Above
the central position estimator, the virtual position calculation
receives the measurements of the velocity sensor. The output
of the position estimation block is fed back to every SSN for
outlier detection.
2) AFN and SSN Implementation: Each AFN and SSN uses
a noise acceleration model (described, for example, in [50])
for smoothing and estimation. The maneuvering model of the
robot movement is dened for two state variablesposition and
velocity x(t) = [p p]
T
in a discrete-time system, i.e.,
x(t
k+1
) =

1 T
0 1

x(t
k
) + v(t
k
)
y(t
k
) =[1 0]x(t
k
) + w(t
k
)
where T is the sampling interval of the sensor or the tempo-
ral distance from the last sensor measurement to the current
estimation. The variable v(t
k
) represents a zero-mean white
Gaussian process noise. The observation model for the sensors
is dened such that w is a zero-mean white Gaussian process
with the covariance R.
Of course, this model does not describe realistic robotic
motion. Hence, for this specic scenario, we had to nd a more
sophisticated model. We do not aim for a perfectly adapted
mathematical description of the process but wish to show that
a quite general model can be used in our context with good
results.
The mentioned model was implemented in each SSNand was
used for outlier detection according to [51] and in combination
with a Kalman lter for state and variance estimation. The
selection module of the AFN sorts all incoming measurements
according to their time stamp. Depending on the current ve-
locity of the robot, the last n measurements were selected and
smoothed, and a fusion estimate was calculated by a Kalman
lter.
3) Network Conguration: The TrueTime-CAN and the
TrueTime-ZigBee networks were congured in compliance
with the CAN standard (see [26]) and the IEEE 802.15.4 stan-
dard [52], as listed in Table III. The standard allows a maximum
of seven retransmissions if no acknowledgment packet (ACK)
is received within a given time. To examine the impact of
retransmissions, we run simulations with and without them.
4) Simulation: For the sake of repeatability, we initialized
all random number generators before a simulation run with
a given seed. A sequence of simulations for one packet loss
model, one packet loss probability, and a xed number of
retransmissions was performed with different seeds until no
more signicant change in the cumulative position estimation
error occurred. The results of all simulations are presented and
discussed in the following section.
416 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO. 2, FEBRUARY 2011
Fig. 7. Simulink implementation of the validation scenario.
TABLE III
TRUE TIME NETWORK CONFIGURATION
E. Results
In Fig. 8, we present the results of the position estimation of
the AFN. The deviation of the estimation is presented in by a
cumulative error for different models and packet loss probabil-
ities. The pictures of the rst row are based on simulations with
random package loss, while the second row contains the results
produced with the simplied GilbertElliot model. Different
types of lines indicate different error probabilities, as shown
in the legends. The columns separate communication without
retransmissions on the left and up to seven retransmissions on
the right.
All four diagrams show a joint result for different packet loss
probabilities (e.g., 0, 0.2, 0.5, 0.8, and 1, where 0 means that
no disturbance occurred and 1 means that no communication
was possible)the position estimation error increases with
communication disturbances. The inuence of the packet loss
probability differs according to the disturbance model.
1) Random Package Loss Model: The loosely dashed line
indicates a packet loss of 50%. The comparison of the cumula-
tive error for this disturbance level with the optimal estima-
tion (upper solid), which means that no packet loss occurred,
shows only a small deviation. Our dynamic integration of all
incoming measurements into an appropriate fusion model copes
with communication disturbances up to 50%. However, in the
same simulations, we also obtain larger outliers of up to 40 cm,
although with a small frequency. The appearance rate and value
of those extreme outliers rises with a higher rate of packet loss.
As expected, the retransmission of packets stabilizes the
position estimation. Retransmission reduces the overall prob-
ability of losing one of the packets. Now, the loss rate of 80%
shows a similar level of deviation compared to a packet loss of
50% without retransmissions.
2) Simplied GilbertElliot Model: According to the results
in [42], we dened a period of 50 consecutively transmitted
packets as the average packet loss free burst length. For that
reason, we calculated a xed value for P
GG
= 0.979800, which
is consistent with that average amount of transmitted packets,
with the method proposed in [46]. We calculated different val-
ues for P
BB
according to increasing packet loss burst lengths.
The tested burst lengths of packet losses and the corresponding
overall packet loss probabilities are listed in Fig. 8(c) and (d).
The left value denes the average burst length of consecutive
lost packets, while the right one in brackets determines the
probability of a packet loss.
The more realistic GilbertElliot model produces a larger
estimation error than comparable settings using the random
model. The loosely dashed line indicating 50% packet loss
shows that 80% of the estimation errors are smaller than
10 cm. According to this, the random model depicts an error of
2.2 cm in Fig. 8(a). The retransmission of lost packets improves
the position estimation validity. It should be noted that the
results of both models exhibit similar behavior in this respect
[compare the loosely dashed lines in Fig. 8(b) and (d)]. Re-
transmission decreases the probability of larger bursts of lost
packets.
3) Problem of Undersampled Measurements: In
Fig. 8(a)(d), we illustrate that the integration of external
measurements improves the position estimate. The cumulative
error of an estimation based on local sensors represents a
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 417
Fig. 8. Cumulative error probability of the estimation for a random disturbance in the communication and based on the GilbertElliot model; The single values
represent the overall packet loss probability, while the values in brackets for the GilbertElliot model correspond to the mean packet loss burst length. (a) Random
disturbance. (b) Random disturbance with retransmission. (c) GilbertElliot disturbance. (d) GilbertElliot disturbance with retransmission.
lower limit. In case of no retransmission, however, we observe
that the results concerning the loss probability become less
precise. The cumulative error graphs on the right of the lower
solid reference line (no external sensor) indicate this. We
suppose that the reason for this behavior might be caused by
our assumptions of a Gaussian distribution for our selection,
synchronization, and fusion implementation. Packet losses
reduce the number of measurements and therefore change the
distribution function of the measurements. Undersampling
decreases the possibility of estimating the underlying value
from a number of measurements within a given condence
range.
VI. CONCLUSION AND FUTURE WORK
We have presented a holistic concept of fault-tolerant distrib-
uted environment perception. In contrast to other approaches,
we have considered all aspects in a distributed measurement
chainsensing, communication, and fusion. For those ele-
ments, we have analyzed and classied the possible faults of
transducers and the network. Based on this investigation, we
have derived a generic programming abstraction. The basic
elements are SSNs and AFNs, which closely cooperate to
improve robustness and dependability.
To validate our approach, we have considered disturbances
in the environment and faults of the system. We have shown
the benet of the exible and modular architecture of SSNs and
AFNs. The outcome of our experiments further demonstrated
major advantages. First, our modules provide information about
the quality of a measurement that is exploited for fusion and
application programming. Second, the fault tolerance properties
of the sensing system are improved by using information from
previous fusions. This results in the detection of a large number
of failures and disturbances that are difcult to detect by other
forms of redundancy. The results of the combined mechanisms
of the quantitative evaluation show that we can tolerate packet
losses of as much as 50% without major validity degradation.
Our experiments have also shown that the results of the aggre-
gated position estimation are much better than those based on
local sensors only.
Currently, we are working on the extension of the presented
structure in the following directions.
Fault classication within the SSN uses a simple rule-
based method to analyze and identify faults. We want
to examine adaptable and robust classication strategies
within the SSN and AFN structure. The extended fault
identication method could be used for an improved se-
lection of measurements, and it will result in a ne-grain
adaptation of smoothing and estimation algorithms in the
SSN and AFN.
As shown in the preceding section, packet loss produces
an incorrect perception of the environment, because in a
418 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 60, NO. 2, FEBRUARY 2011
periodic system, those missing messages can be detected.
If this loss of packets affects the current distribution func-
tion of sensor measurements in a way that it signicantly
differs from the reference, then we have to adapt the next
processing steps.
The data sheets of sensors integrated in our scenario so
far are simple Matlab structures. More general solutions
are presented in [8] and [53]. Based on the XML descrip-
tion, we will automatically generate the implementation of
the SSN and AFN.
Currently, our results are based on a simulation. The
Matlab/Simulink environment offers a code generation
tool chain for embedded devices. We are pursuing work
on an improved tool chain to apply this concept to real
hardware.
REFERENCES
[1] R. Szewczyk, E. Osterweil, J. Polastre, M. Hamilton, A. Mainwaring, and
D. Estrin, Habitat monitoring with sensor networks, Commun. ACM,
vol. 47, no. 6, pp. 3440, Jun. 2004.
[2] N. Priyantha, A. Chakraborty, and H. Balakrishnan, The cricket location-
support system, in Proc. 6th Annu. Int. Conf. Mobile Comput. Netw.,
2000, pp. 3243.
[3] W. Tsujita, A. Yoshino, H. Ishida, and T. Moriizumi, Gas sensor network
for air-pollution monitoring, Sens. Actuators B, Chem., vol. 110, no. 2,
pp. 304311, Oct. 2005.
[4] N. Leonard, D. Paley, F. Lekien, R. Sepulchre, D. Fratantoni, and
R. Davis, Collective motion, sensor networks, and ocean sampling,
Proc. IEEE, vol. 95, no. 1, pp. 4874, Jan. 2007.
[5] R. Breckenridge and S. Katzberg, The status of smart sensors, in Proc.
Sensor Syst. 80s Conf., Colorado Springs, CO, 1980, pp. 4146.
[6] IEEE Standard for a Smart Transducer Interface for Sensors and
Actuators, IEEE 1451.2, 1997.
[7] S. Zug and J. Kaiser, An approach towards smart fault-tolerant sensors,
in Proc. Int. Workshop ROSE, Lecco, Italy, Nov. 2009, pp. 3540.
[8] J. Kaiser, S. Zug, M. Schulze, and H. Piontek, Exploiting self-
descriptions for checking interoperations between embedded compo-
nents, in Proc. Int. Workshop DNCMS, Napoli, Italy, Oct. 2008.
pp. 4145.
[9] M. van der Meulen, On the use of smart sensors, common cause fail-
ure and the need for diversity, in Proc. 6th Int. Symp. Programmable
Electron. Syst. Safety Related Appl., Cologne, Germany, May 2004.
[10] G. Vachtsevanos, F. Lewis, M. Roemer, A. Hess, and B. Wu, Intelligent
Fault Diagnosis and Prognosis for Engineering Systems. Hoboken, NJ:
Wiley, 2006.
[11] V. P. Nelson, Fault-tolerant computing: Fundamental concepts,
Computer, vol. 23, no. 7, pp. 1925, Jul. 1990.
[12] B. Hardekopf, K. Kwiat, and S. Upadhyaya, Secure and fault-tolerant
voting in distributed systems, in Proc. IEEE Aerosp. Conf., 2001, vol. 3,
pp. 11171126.
[13] K. Marzullo, Tolerating failures of continuous-valued sensors, ACM
Trans. Comput. Syst. (TOCS), vol. 8, no. 4, pp. 284304, Nov. 1990.
[14] F. Koushanfar, M. Potkonjak, and A. Sangiovanni-Vincentelli, On-line
fault detection of sensor measurements, in Proc. IEEE Sensors, 2003,
vol. 2, pp. 974979.
[15] R. Isermann, Model-based fault-detection and diagnosisStatus and
applications, Annu. Rev. Control, vol. 29, no. 1, pp. 7185, 2005.
[16] P. Frank and B. Kppen-Seliger, Fuzzy logic and neural network applica-
tions to fault diagnosis, Int. J. Approx. Reason., vol. 16, no. 1, pp. 6788,
Jan. 1997.
[17] R. Patton, Fault-tolerant control systems: The 1997 situation, in Proc.
IFAC Symp. Fault Detection Supervision Safety Tech. Processes, 1997,
vol. 3, pp. 10331054.
[18] K. Worden, G. Manson, and N. Fieller, Damage detection using outlier
analysis, J. Sound Vib., vol. 229, no. 3, pp. 647667, Jan. 2000.
[19] S. Doebling, C. Farrar, and M. Prime, A summary review of vibration-
based damage identication methods, Shock Vib. Dig., vol. 30, no. 2,
pp. 91105, 1998.
[20] A. Dietrich, S. Zug, and J. Kaiser, Detecting external measurement dis-
turbances based on statistical analysis for smart sensors, in Proc. IEEE
ISIE, 2010, pp. 20672072.
[21] A. Makarenko and H. Durrant-Whyte, Decentralized data fusion and
control in active sensor networks, in Proc. 7th Int. Conf. Inf. Fusion,
2004, pp. 479486.
[22] B. Agarwalla, P. Hutto, A. Paul, and U. Ramachandran, Fusion channels:
A multi-sensor data fusion architecture, Georgia Tech College Comput.,
Atlanta, GA, Tech. Rep. 53, GIT-CC-02, 2002.
[23] R. Bose, A. Helal, V. Sivakumar, and S. Lim, Virtual sensors for service
oriented intelligent environments, in Proc. 3rd IASTED Int. Conf. Adv.
Comput. Sci. Technol., 2007, pp. 165170.
[24] T. C. Henderson and M. Dekhil, Instrumented sensor system architec-
ture, Int. J. Robot. Res., vol. 17, no. 4, pp. 402417, Apr. 1998.
[25] H. Bentez Prez, J. Ortega Arjona, and G. Reza Latif Shabgahi, De-
nition and empirical evaluation of voters for redundant smart sen-
sor systems, Computacin y Sistemas, vol. 11, no. 1, pp. 3960,
Sep. 2007. [Online]. Available: http://redalyc.uaemex.mx/redalyc/pdf/
615/61511105.pdf.
[26] CAN Specication, Robert Bosch GmbH, Stuttgart, Germany, Sep. 1991.
ver. 2.0.
[27] ZigBee Specication, IEEE 802.15.4, 2003.
[28] E. Seignez, M. Kieffer, A. Lambert, E. Walter, and T. Maurin, Real-time
bounded-error state estimation for vehicle tracking, Int. J. Robot. Res.,
vol. 28, no. 1, pp. 3448, Jan. 2009.
[29] J. de Gois and M. Hiller, Ultrasound sensor system with fuzzy data
processing, in Proc. 7th Int. Conf. CLAWAR, 2004, pp. 411417.
[30] A. Martinelli and R. Siegwart, Estimating the odometry error of a
mobile robot during navigation, in Proc. ECMR, Warsaw, Poland,
Sep. 2003.
[31] Wenglor Sensoric, Data sheet YT87MGV802003. [Online].
Available: http://www.q-tech.hu/pdf/Wenglor/Photoelectric%20sensors/
YT87MGV80.pdf
[32] R. Gro and M. Dorigo, Evolving a cooperative transport behavior
for two simple robots, in Proc. 6th Int. Conf. Artif. Evol., Evolution
Articielle (EA), vol. 2936, Lecture Notes in Computer Science, 2004,
pp. 305317.
[33] G. Nicolescu and P. J. Mosterman, Model-Based Design for Embedded
Systems. Boca Raton, FL: CRC Press, 2009.
[34] M. Becker, Simulation tool comparison matrixCRUISE IST
project2008. [Online]. Available: http://www.comnets.uni-bremen.de/~
mab/cruise/simulation-tool-comparison-matrix.html
[35] The network simulatorns-2, 2006. [Online]. Available: http://www.isi.
edu/nsnam/ns/
[36] The ns-3 network simulator, 2009. [Online]. Available: http://www.
nsnam.org
[37] PiccSIMSimulation of wireless control systems, 2009. [Online].
Available: http://autsys.tkk./en/Control/PiccSIM
[38] SimEvents 3.0Model and simulate discrete-event systems, 2009.
[39] TrueTime: Simulation of networked and embedded control systems, 2009.
[Online]. Available: http://www.control.lth.se/truetime/
[40] E. Gilbert, Capacity of a burst-noise channel, Bell Syst. Tech. J., vol. 39,
no. 9, pp. 12531265, Sep. 1960.
[41] E. Elliott, Estimates of error rates for codes on burst-noise channels,
Bell Syst. Tech. J., vol. 42, no. 9, pp. 19771997, Sep. 1963.
[42] A. Willig, M. Kubisch, C. Hoene, and A. Wolisz, Measurements of
a wireless link in an industrial environment using an IEEE 802.11-
compliant physical layer, IEEE Trans. Ind. Electron., vol. 49, no. 6,
pp. 12651282, Dec. 2002.
[43] B. Wysocki and A. Dadej, Advanced Wired and Wireless Networks.
New York: Springer-Verlag, 2004.
[44] M. Yajnik, S. Moon, J. Kurose, and D. Towsley, Measurement and
modeling of the temporal dependence in packet loss, in Proc. IEEE
INFOCOM, 1999, vol. 1, pp. 345352.
[45] J. Hartwell and A. Fapojuwo, Modeling and characterization of frame
loss process in IEEE 802.11 wireless local area networks, in Proc. IEEE
60th VTCFall, Sep. 2004, vol. 6, pp. 44814485.
[46] J. Poikonen, Geometric run length packet channel models applied in
DVB-H simulations, in Proc. IEEE 17th Int. Symp. PIMRC, Helsinki,
Finland, 2006, pp. 15.
[47] B. Milner, Robust speech recognition in burst-like packet loss, in Proc.
IEEE ICASSP, Salt Lake City, UT, May 2001, vol. 1, pp. 261264.
[48] A. Clark, Modeling the effects of burst packet loss and recency on sub-
jective voice quality, in Proc. Internet Telephony Workshop, New York,
2001, pp. 123127.
[49] J. Ellis, C. Pursell, and J. Rahman, Voice, Video, and Data Network
Convergence. New York: Academic, Sep. 2003.
[50] Y. Bar-Shalom, X.-R. Li, and T. Kirubarajan, Estimation With Ap-
plications to Tracking and Navigation, 1st ed. Hoboken, NJ: Wiley,
Jun. 2001.
ZUG et al.: ARCHITECTURE FOR A DEPENDABLE DISTRIBUTED SENSOR SYSTEM 419
[51] H. B. Mitchell, Multi-Sensor Data Fusion: An Introduction, 1st ed.
Berlin, Germany: Springer-Verlag, 2007. [Online]. Available: http://www.
loc.gov/catdir/enhancements/fy0825/2007926176-d.html
[52] Wireless Medium Access Control (MAC) and Physical Layer (PHY) Spec-
ications for Low-Rate Wireless Personal Area Networks (WPANs), IEEE
802.15.4, 2006. [Online]. http://standards.ieee.org/getieee802/download/
802.15.4-2006.pdf
[53] J. Kaiser and H. Piontek, CODES: Supporting the development process
in a publish/subscribe system, in Proc. 4th WISES, Vienna, Austria,
Jun. 30, 2006, pp. 112.
Sebastian Zug received the diploma degree in me-
chanical engineering from the Technical University
of Cottbus, Cottbus, Germany, in 2005. He is cur-
rently working toward the Ph.D. degree at Otto-
von-Guericke University Magdeburg, Magdeburg,
Germany. His Ph.D. research focuses on methods
and architectures for fault-tolerant data fusion in dis-
tributed heterogeneous systems, which is supervised
by Prof. J. Kaiser.
Since 2005, he has been a member of the Depart-
ment of Embedded Systems and Operating Systems
(EOS), Faculty of Computer Science, Institute of Distributed Systems, Otto-
von-Guericke University Magdeburg.
Andr Dietrich received the Masters degree in
computer science from the University of Leipzig,
Leipzig, Germany, in 2009.
He was Application Developer with the Re-
search Establishment for Applied Science (FGAN),
Wachtberg, Germany. He is currently a Research
Assistant with the Virtual and Augmented Re-
ality for Highly Safety and Reliable Embedded
Systems-Project (ViERforES), Faculty of Com-
puter Science, Institute of Distributed Systems, Otto-
von-Guericke University Magdeburg, Magdeburg,
Germany.
Jrg Kaiser received the M.S. and Ph.D. degrees
from Bonn University, Bonn, Germany.
He worked with the German National Research
Centre for Information Technology, St. Augustin,
Germany, and was a Professor with the University
of Ulm, Ulm, Germany. He is currently a Full Pro-
fessor with the Faculty of Computer Science, Otto-
von-Guericke University Magdeburg, Magdeburg,
Germany, where he also leads the Department of
Embedded Systems and Operating Systems (EOS).
His research work ranges fromcomputer architecture
and operating systems to distributed systems and middleware, with emphasis
to component orientation, fault tolerance, and real time. His current research
areas have a strong emphasis on large-scale distributed real-time systems
supervising and controlling real-world applications. He has recently coinitiated
a Competence Centre for Service Robotics together with the Fraunhofer IFF
in Magdeburg to foster the exchange between academia and more industry-
oriented developments.