High Confidence Systems for Personal Mobility
Dr. Shankar Sastry,
Department of EECS, Berkeley
Aviation Safety: A Military Perspective

Current status
– High-cost FAA certification (RTCA Task Force IV Report)
– Process- and test-based certification
– Delayed commercialization of safety- and performance-enhancing technology
– Consequence: airspace restrictions for MAC CONUS operation

AF Safety Office collision data:
– 41 aircraft lost due to air-to-air collisions since 1989
– 4 per year
– $30-40M/aircraft, over $100M/year

Future of military aviation
– Field operation with airborne, rather than ground-based, airspace management support
– ATC-compliance required for joint, CONUS operations
– High-density airspaces, variable configuration for urban operations
– Need low-cost, but safety-critical (human transport) vehicles
Assurance Technology and Integration Gap

[Diagram: concept map spanning Design & Development, Composition, V&V/Certification and High Confidence Operation. Labels: Ubiquity; Safety; Security; Interoperability; Scalability; Evidence; Trust; Accountability; Criticality; Risk; Fault Detection, Isolation & Recovery; Fault/Intrusion Tolerance; Fault/Failure Avoidance; Coordination/Interaction; Overload; Skill; Mode Confusion; Authority & Access Control; Allocation HW/SW; Cost; Complexity; Autonomy; Mobility.]
“Over the wall” designs: V&V is a post-development activity
Testing-centered V&V
– “Black-box” methods predominate
– Reliability concepts adapted from hardware “wear-out” models
– Software reliability growth models lack the ability to detect complex flaws
– Unit testing methods do not scale to integration testing
Isolated, problem-specific design tools lack support for integrated reasoning
Limited support: modeling, simulation and rigorous reasoning require separate, redundant effort
Testing costs >50% of development for some systems (“test until the money runs out”)
Future Aviation Outlook

Tactical and transport
– Challenges for emerging and future vehicles (increasing): complex systems and operational modes; complex airspace; harder-to-fly VTOL/STOL vehicles; complex full-envelope training regimes; adequacy of operator skill levels; control designs for the full range of environmental conditions

Trend-makers
– Example: NASA AGATE/SATS programs: small, fast, quiet vehicles; reduced airport infrastructure (lighting, guidance equipment, small runway protection zones (STOL)); citizen pilots
– UAV technologies: autonomous operations, RPV assist
NASA/FAA Small Aircraft Transport System (Strawman)

– “Smart” Airports (Highway in the Sky approaches; airport databus; “virtual” Terminal Procedures (TERPs); synthetic tower/towerless-radarless operations)
– Ultra-Propulsion (non-hydrocarbon and heat engine options; low noise/emissions)
– AutoFlight (integrated vehicle and Air Traffic Services automation; control de-coupling; ride smoothing)
– Airborne Internet (satellite-based communications-navigation-surveillance for ground-to-sky Air Traffic Management functions in all airspace)
– Simultaneous Non-Interfering (SNI) Approaches at Class B airports for runway-independent aircraft
– Affordable Manufacturing (thermoplastics, aluminum, composites automation for integrated airframe systems design & manufacturing)
– Wireless Cockpit (open standards for on-board systems and architecture; databus; through-the-window displays)
– Cyber-tutor and Internet-based training systems (embedded and on-board training and expert systems)
– Extremely Slow Takeoff & Landing (configuration aerodynamics for slow & vertical flight; roadability)
DARPA Research in UAV and Software Enabled Control (SEC)

Active state models
– Exploit dynamic information, prediction
Coordinated multi-modal control
– Hybrid: discrete logic + continuous control
– Supports coordinated system, subsystem operation logic
– Active support for mode transition
On-line control customization
– Reject extreme disturbances
– Improve performance
Open Control Platform
– Reusable middleware services
– Systems software support for hybrid adaptive control
[Diagram: hybrid control loop. Inputs: Weather, Failure; System Dynamics; Sensor Data. Flight modes Translate, Descend, Ascend, Hover; mode-dependent functions Ht(x), Hd(x), Hk(x), Hc(x) (definitions not legible); blocks KG, H(x), Plant; Reaction + Prediction.]
Berkeley BEAR Fleet: Ursa Magna 2 (1999- )

Based on the Yamaha R-50 industrial helicopter. Components shown: Boeing DQI-NP on fluid mounting; ultrasonic height meter; integrated Nav/Comm module; WaveLAN antenna; GPS antenna; camera.

Length: 3.5 m; Width: 0.7 m; Height: 1.08 m; Dry Weight: 44 kg; Payload: 20 kg; Engine Output: 12 hp; Rotor Diameter: 3.070 m; Flight time: 60 min; System operation time: 60 min
Hierarchy of the UAVS Management System

[Diagram: layered architecture. Layers, top to bottom: Strategic Planner, Tactical Planner, Trajectory Generator, Regulation, Helicopter Platform; plus Detector and Ground Station. The planning layers form the discrete event system; regulation and platform form the continuous system. Signal labels: sensory information, tracking errors, flight modes, control law, y_d, replan, control points, conflict notification, detect.]
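Added example (not BEAR project code) showing the SEC slide's "hybrid: discrete logic + continuous control" idea and the planner/regulation/detector split in the hierarchy above: a discrete mode supervisor guards mode switches, each mode has its own continuous law H_mode(x), and a detector conflict notification forces a replan to Hover. Only the vertical modes Hover/Ascend/Descend from the control diagram are modelled, and the 1-D altitude plant, gains and transition graph are constructed for illustration.

```python
from dataclasses import dataclass, field

# Discrete layer (constructed, not BEAR code): allowed mode switches; every
# mode can fall back to Hover, the designated safe mode.
ALLOWED = {
    "Hover": {"Ascend", "Descend"},
    "Ascend": {"Hover"},
    "Descend": {"Hover"},
}
# Continuous layer: one control law H_mode(x) per mode, mapping the altitude
# state (alt, target) to a vertical-rate command (constructed P-laws).
CONTROL_LAWS = {
    "Hover": lambda alt, target: 0.5 * (target - alt),
    "Ascend": lambda alt, target: 1.0,
    "Descend": lambda alt, target: -1.0,
}

def hover_reachable(allowed=ALLOWED):
    """Design-time check: Hover is reachable from every mode in one switch."""
    return all(m == "Hover" or "Hover" in nxt for m, nxt in allowed.items())

@dataclass
class Supervisor:
    mode: str = "Hover"
    alt: float = 0.0
    target: float = 0.0
    log: list = field(default_factory=list)
    def request(self, new_mode):
        """Planner request; the run-time guard refuses forbidden switches."""
        if new_mode not in ALLOWED[self.mode]:
            self.log.append(f"blocked {self.mode}->{new_mode}")
            return False
        self.mode = new_mode
        return True
    def conflict(self):
        """Detector conflict notification: replan to Hover at current altitude."""
        self.target, self.mode = self.alt, "Hover"
        self.log.append("replan->Hover")
    def step(self, dt=0.1):
        """One regulation tick: apply H_mode(x) and integrate the 1-D plant."""
        self.alt += CONTROL_LAWS[self.mode](self.alt, self.target) * dt
        return self.alt

def demo():
    s = Supervisor()
    s.request("Ascend")
    for _ in range(20): s.step()        # 2 s at 1 m/s -> about 2 m
    s.request("Descend")                # refused: Ascend may only return to Hover
    s.conflict()                        # detector fires; hold the current altitude
    for _ in range(30): s.step()
    return s
```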
Navigation Software: DQI-NP-Based

[Diagram: processes running on QNX (DQICONT, DQIGPS, ULREAD, VCOMM), each scheduled as PERIODIC, APERIODIC or ANYTIME. Boeing DQI-NP: INS update at 100 Hz. NovAtel GPS RT-2: GPS update, PRTK @ 5 Hz and PXY @ 1 Hz, DGPS measurement. Ultrasonic sensors @ 4±1 Hz: relative altitude. Control output at 50 Hz; nav data to vision computer @ 10 Hz. RX values from the Yamaha receiver (using HW INT & proxy). Flight status and command exchanged with the ground computer (Win 98) over a radio link. Interfaces: RS-232, shared memory, radio link.]
The Legacy of Success in UAV Research at BErkeley AeRobotics

– Pursuit-evasion games, 2000 to date
– Architecture for multi-level rotorcraft UAVs, 1996 to date
– Landing autonomously using vision on pitching decks, 2001 to date
– Multi-target tracking, 2001 to date
– Formation flying and formation change, 2002, 2003
– Conflict resolution with model predictive control, 2003
– Airspace management and personal aviation, 2004?

Tracking Pitching Target (Nov 02)
Mesh Stable Formation Flight: 2 real + 7 virtual, record set Nov. 2002
Vehicle Platform: Tankopter

Aerobotic vehicles will need to have micro-maneuver capabilities.

PLATFORMS, PLATFORMS!!
– Aggressive/evasive maneuver, trajectory planning platform, dynamic networking, multi-modal analysis
– High-level control system development, high-resolution vision-based navigation platform
– High QoS wireless communication, formation flight testbed
– Dynamic, low-resolution sensor network equipped with smart dust, time-critical problems
Roadmap for full-scale experiments: Vehicle Platforms
S-UAVs, T-UAVs, OAVs, MAVs
Military Application: Special Ops Air Vehicles

Potential Missions
– Deep Insertion: covert delivery of small numbers of personnel with equipment
– Deep Extraction: covert recovery of personnel with equipment
– Covert Supply: delivery of equipment and consumables to covert site
– Covert Fuel Delivery: delivery of fuel to covert site
– Covert Medivac: extraction of wounded personnel from covert site
AFRL Personal Mobility Vehicle Con Ops

– No special pilot training: autonomous or highly automated guidance and control; must be easily programmable for various missions
– Modularity: easy configurability for various missions
– Scalability: single or multiple ship formations of various aircraft configurations
– Air Delivery: capability for launch from large transport aircraft
– Sea Launch: capability for launch from submarine
– Sea Delivery/Recovery: light aircraft carrier
Sample Platforms: Carter Copter
Another Platform: The Moller Skycar
NASA/DARPA/FAA Opportunity
NASA/FAA Small Aircraft Transportation System
Military PMV Mission Requirements

– Low vehicle cost
– Highly automated
– Low training burden
– High speed
– GPS-based navigation
– STOL/VTOL
– Minimal airport infrastructure
– Quiet
– CONUS military aircraft flight
– Advanced collision avoidance technologies
– Special airspace management
– Reduced cost of certification
– Semi-autonomous & autonomous multi-system flight
– Mixed airspace: UAV, UAV/human payload, manned
– In-weather flight
– Terrain masking
– Stealth operation
– Evasion & combat
– Unimproved landing sites
– SAFE
Software Needs for PMV

Platforms are coming along: pricing is an issue, but this will sort itself out if there is a way to certify the airworthiness of the platforms.
The cost of airspace automation and partial automation of flight management systems is a key bottleneck.
Key technologies include conflict detection and resolution (Sastry/Tomlin), airspace network management (Tomlin), soft walls for security (Lee), and fault tolerant operations (Speyer).
High Confidence Embedded Systems Trustworthiness and Evidence -- Issues

Design concerns
– FDIR (failure detection, isolation, and recovery) and defensive mode reconfiguration
– Isolation and interference
– Confidence-based resource management
– Compositional design
Managing authority
Constructing a dependability case
– Reliability measures vs. other evidence
– Sources of confidence
Managing trust under software composition
– Partial evidence
– Context
– Assumptions
Evidence management support
Assuring Mixed-Initiative Control

Formal operational-authority policy modeling & analysis technology -- Examples:
– Pilot/vehicle authority management
– Mixed piloted/unmanned airspace
– Friendly/foe, controlled/uncontrolled encounter regimes
– Airspace ATC authority, terminal area ops
– Special ops, adverse condition constrained airspace regimes

Expected areas of IT innovation:
– Extended joint transition behaviors for mixed initiative operation: enablement, forcing, blocking
– Fast authorization, checking methods
– Modularity management for aggregation & limitation of authority, operational regimes, airspace boundaries
– Run-time authority management infrastructure
Certification Technology

Assurance technology for automated/autonomous human-transport vehicles
Domain-specific verification technology
– Timed system verification tools
– Mixed-initiative protocol language/verification tools
– Hybrid maneuver design & verification tools
– FT, BIT, other qualification evidence & accountability models
– Mixed verification & test technology
Assume-guarantee evidence management system
– Trustworthiness* applied to embedded systems
– Authority sufficiency, completeness, consistency
(*Trust in Cyberspace - Schneider, et al., NRC/CSTB, 1998)
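Added example (not the authors' tool) tying the mixed-initiative slide's enablement/forcing/blocking verdicts and "fast authorization" to the authority sufficiency, completeness and consistency checks listed above: a policy table over operational regimes, actors and actions is checked at design time, and a fail-closed lookup serves as the run-time authorization. The regimes, actors, actions, both policy tables and the three check definitions (every case has a verdict; at most one actor is forced onto a given action per regime; a critical action is never blocked for every actor) are constructed for illustration.

```python
from itertools import product

# Constructed regimes, actors and actions (not the authors' model). A verdict is
# "enable" (may act), "force" (must act) or "block" (may not act).
ACTORS = ("pilot", "autonomy", "atc")
ACTIONS = ("change_altitude", "enter_terminal_area", "collision_avoid")
REGIMES = ("enroute", "terminal_area", "adverse_condition")
CRITICAL = {"collision_avoid"}   # must always have some authorised actor

def make_policy(default, overrides):
    """Table (regime, actor, action) -> verdict; a None override leaves a case unspecified."""
    table = {k: default for k in product(REGIMES, ACTORS, ACTIONS)}
    table.update(overrides)
    return {k: v for k, v in table.items() if v is not None}

def check_policy(policy):
    """Design-time checks; empty result = complete, consistent and sufficient."""
    findings = [("incomplete", k) for k in product(REGIMES, ACTORS, ACTIONS)
                if k not in policy]                                  # completeness
    for regime, action in product(REGIMES, ACTIONS):
        verdicts = {a: policy.get((regime, a, action)) for a in ACTORS}
        forced = tuple(a for a, v in verdicts.items() if v == "force")
        if len(forced) > 1:              # consistency: one forced authority per action
            findings.append(("conflict", (regime, action, forced)))
        if action in CRITICAL and all(v == "block" for v in verdicts.values()):
            findings.append(("insufficient", (regime, action)))     # sufficiency
    return findings

def authorize(policy, regime, actor, action):
    """Run-time check: fail closed on blocked or unspecified cases."""
    return policy.get((regime, actor, action)) in ("enable", "force")

WEAK = make_policy("enable", {
    ("terminal_area", "autonomy", "enter_terminal_area"): "block",  # ATC/pilot decide entry
    ("terminal_area", "pilot", "collision_avoid"): "block",         # sufficiency hole:
    ("terminal_area", "autonomy", "collision_avoid"): "block",      # nobody may avoid a
    ("terminal_area", "atc", "collision_avoid"): "block",           # collision here
    ("adverse_condition", "pilot", "collision_avoid"): "force",     # conflict: two
    ("adverse_condition", "autonomy", "collision_avoid"): "force",  # forced authorities
    ("adverse_condition", "atc", "change_altitude"): None,          # completeness gap
})
# Corrected table: single forced authority, critical action kept available, gap closed.
FIXED = {**WEAK,
    ("terminal_area", "autonomy", "collision_avoid"): "force",
    ("adverse_condition", "pilot", "collision_avoid"): "enable",
    ("adverse_condition", "atc", "change_altitude"): "block",
}
```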
Opportunities for IT Leverage

Domain-specific development technology
– Correct-by-construction techniques
– Domain-specific assurance-bearing languages and code synthesis environments
Domain-specific (aviation, naval, communication, medical systems) verification and validation technology
– Operational policy & protocol V&V tools
– Scalable FTA, BIT, FMECA, HM, system-based qualification evidence & accountability models
– Hybrid and timed system design verification tools
Software assurance and certification technology
– Forensic software analysis tools (state-space search, counter-example discovery & explanation)
– Software-analytic V&V, checking
– Coordinated verification & test technology
Scalable evidence composition and management technology
– Modular trust, accountability, criticality relations
– Sufficiency, completeness, consistency checking
Technology Vision: Assurance Technology for High Confidence Embedded Systems

Assurance support tightly integrated with design, development tools:
– Single unified effort for construction and assurance
– Support for modeling, abstraction, hierarchical analysis to reduce complexity
– Domain-specific models for system/software construction, integration, analysis
– Domain-specific languages and tool support for correctness checking
– Correct-by-construction code generation
Interoperable design, analysis, & reasoning tools
– Methods appropriate to task, problem
– Design-time analysis
– Run-time checking
Shift in balance of effort from a testing-dominated to a high confidence design-dominated process
Confidence case as a by-product of construction