High Confidence Systems forPersonal Mobility

Dr. Shankar Sastry,

Department of EECS, Berkeley

Aviation Safety: A Military Perspective

Current status– High-cost FAA certification (RTCA Task Force IV Report)

Process- and test-based certification Delayed commercialization of safety- and performance-enhancing

technology Consequence: Airspace restrictions for MAC CONUS operation

AF Safety Office collision data: – 41 aircraft lost due to air-to-air collisions since 1989– 4 per year– $30-40M/aircraft, over $100M/year

Future of military aviation– Field operation with airborne, rather than ground-based, airspace

management support– ATC-compliance required for joint, CONUS operations – High-density airspaces, variable configuration for urban operations– Need low-cost, but safety-critical (human transport) vehicles

Assurance Technology and Integration Gap

Ubiquity

Design & DevelopmentDesign & DevelopmentComposition

Safety Security

Interoperability

Scalability

V&V/CertificationV&V/Certification

EvidenceTrust

Accountability

Criticality

Risk

High Confidence OperationHigh Confidence Operation

Fault DetectionIsolation & Recovery

Fault/Intrusion Tolerance

Fault/Failure Avoidance

Coordination/Interaction

Overload Skill Mode ConfusionAuthority & Access Control

Allocation HW/SW

Cost

Complexity

Autonomy

Mobility

“Over the wall designs” V&V is post-development

activity Testing-centered V&V

– “Black-box” methods predominate

– Reliability concepts adapted from hardware “wear-out” models

– Software reliability growth models lack ability to detect complex flaws

– Unit testing methods do not scale for integration testing

Isolated, problem-specific design tools, lack support for integrated reasoning

Limited support: modeling, simulation, rigorous reasoning requires separate, redundant effort

Testing costs >50% of development for some systems (“test until the money runs out”)

“Over the wall designs” V&V is post-development

activity Testing-centered V&V

– “Black-box” methods predominate

– Reliability concepts adapted from hardware “wear-out” models

– Software reliability growth models lack ability to detect complex flaws

– Unit testing methods do not scale for integration testing

Isolated, problem-specific design tools, lack support for integrated reasoning

Limited support: modeling, simulation, rigorous reasoning requires separate, redundant effort

Testing costs >50% of development for some systems (“test until the money runs out”)

Future Aviation Outlook

Tactical and transport– Challenges for emerging and future vehicles (increasing)

Complex system, operational modes; complex airspace Harder-to-fly VTOL/STOL vehicles Complex full-envelope training regimes Adequacy of operator skill levels Control designs for full range of environmental conditions

Trend-makers– Example: NASA Agate/SATS programs

Small, fast, quiet vehicles Reduced airport infrastructure

– Lighting, guidance equipment, small runway protection zones (STOL)

Citizen pilots

– UAV technologies Autonomous operations, RPV assist

NASA/FAA Small Aircraft Transport System (Strawman)

“Smart” Airports (Highway in the Sky Approaches; Airport databus; “Virtual” Terminal Procedures (TerPs); Synthetic tower/towerless-radarless operations)

Ultra- Propulsion (non-hydrocarbon and heat engine options; low-noise/emissions) AutoFlight (Integrated Vehicle and Air Traffic Services automation; Control de-

coupling; Ride Smoothing) Airborne Internet (Satellite-based communications-navigation-surveillance for

Ground-to-Sky Air Traffic Management functions in all airspace) Simultaneous Non-Interfering (SNI) Approaches at Class B airports for Runway-

Independent Aircraft Affordable Manufacturing (Thermoplastics, aluminum, composites automation

for integrated airframe systems design & manufacturing) Wireless Cockpit (open standards for on-board systems and architecture; databus;

through-the-window displays) Cyber-tutor and InterNet-based training systems (embedded and on-board training

and expert systems) Extremely Slow Takeoff & Landing (Configuration Aerodynamics for slow &

vertical flight; roadability)

DARPA Research in UAV andSoftware Enabled Control (SEC)

Active state models– Exploit dynamic information,

prediction Coordinated multi-modal control

– hybrid: discrete logic + continuous control

– Supports coordinated system, subsystem operation logic

– Active support for mode transition On-line control customization

– Reject extreme disturbances– Improve performance

Open Control Platform– Reusable middleware services– Systems software support for

hybrid adaptive control

Weather,Failure

System

DynamicsSensor Data

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Ht(x)= …...Hd (x)=Hk (x)=Hc (x)=

Ht(x)= …...Hd (x)=Hk (x)=Hc (x)=

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Ht(x)=…………...Hd (x)=Hk (x)=Hc (x)=

Translate

DescendAscend

Hover

KG

H(x)

Plant

Reaction + Prediction

Boeing DQI-NPon fluid mounting

UltrasonicHeight meter

Length: 3.5m Width:0.7mHeight: 1.08mDry Weight: 44 kg Payload: 20kgEngine Output: 12 hpRotor Diameter: 3.070mFlight time: 60 minSystem operation time: 60 min

IntegratedNav/Comm Module

Wavelan Antenna

GPS AntennaBased on Yamaha R-50 industrial helicopter

Berkeley BEAR Fleet: Ursa Magna2 (1999- )

Camera

Hierarchy of the UAVS Management System

Helicopter PlatformHelicopter Platform

RegulationRegulation

Trajectory GeneratorTrajectory Generator

Tactical PlannerTactical Planner

Strategic PlannerStrategic Planner

DetectorDetector

Discrete EventSystem

Continuous System sensory information

tracking errorsflight modes

Control Law

y_d replan

control points conflict notification

detect

GroundStation

Navigation Software: DQI-NP-Based

DQICONT

DQIGPS

INS UpdateINS Update Boeing DQI-NP

100Hz

PRTK@ 5HzPXY@1Hz

Flight Status

Command

NovAtel GPS RT-2

GPS UpdateGPS Update

ULREADUltrasonic Ultrasonic sensors@4sensors@4±1Hz1HzVCOMM

Relative Altitude

Control outputat 50Hz

Nav data

DGPS measurement

Nav Data to Vision computer

@10Hz

RS-232RS-232

Shared MemoryShared Memory

Radio linkRadio link

RX valuesRX valuesYamaha Receiver(using HW INT & proxy)

Ground computerWin 98

Processesrunning on QNX

4±1Hz10Hz

ANYTIME

APERIODIC

PERIODIC

PERIODIC

PERIODIC

The Legacy of Success in UAV Research at BErkeley AeRobotics

Pursuit-evasion games 2000- to date Architecture for multi-level rotorcraft UAVs 1996- to date Landing autonomously using vision on pitching decks 2001- to date Multi-target tracking 2001- to date Formation flying and formation change 2002, 2003 Conflict resolution with model predictive control, 2003 Airspace Management and personal aviation, 2004?

Tracking Pitching Target (Nov 02)

Mesh Stable Formation Flight2 real + 7 virtual Record Set Nov. 2002

Vehicle Platform : Tankopter

Aerobotic vehicles will need to have micro-maneuver capabilities .

PLATFORMS, PLATFORMS!!

Aggressive/evasive maneuver, trajectory planning platform, dynamic-networking, multi-modal analysis

High-level control system development, High-resolution vision-based navigation platform

High QoS wireless communication, formation flight testbed

Dynamic, low-resolution sensor network equipped with smart dust, time-critical problems

Roadmap for full-scale experiments : Vehicle Platforms

S-UAVs T-UAVs

OAVs

MAVs

Military Application: Special Ops Air Vehicles

Potential Missions– Deep Insertion: covert

delivery of small numbers of personnel with equipment

– Deep Extraction: covert recovery of personnel with equipment

– Covert Supply: delivery of equipment and consumables to covert site

– Covert Fuel Delivery: delivery of fuel to covert site

– Covert Medivac: extraction of wounded personnel from covert site

AFRL Personal Mobility Vehicle Con Ops

– No special pilot training: autonomous or highly automated guidance and control, must be easily programmable to various missions

– Modularity: easy configurability for various missions

– Scalability: single or multiple ship formations of various aircraft configurations

– Air Delivery: capability for launch from large transport aircraft

– Sea Launch: capability for launch from submarine

– Sea Delivery/Recovery: light aircraft carrier

Sample Platforms: Carter Copter

Another Platform: The Moller Skycar

NASA/DARPA/FAA Opportunity

NASA/FAA Small AircraftTransportation System

Military PMV Mission Requirements

Low vehicle cost

Highly-automated

Low training burden

High speed

GPS-based navigation

STOL/VTOL

Minimal airport infrastructure

Quiet

CONUS military aircraft flight

Advanced collision avoidance technologies

Special airspace management

Reduced cost ofcertification

Semi-autonomous & autonomous multi-systemflight

Mixed airspace: UAV, UAV/human payload, manned

In-weather flight

Terrain masking

Stealth operation

Evasion & combat

Unimproved landingsites

SAFE

Software Needs for PMV

Platforms are coming along: pricing is an issue, but this will sort itself out if there is a way to certify the airworthiness of the platforms.

Cost of Airspace Automation and Partial Automation of Flight Management Systems is a key bottleneck

Key technologies include conflict detection and resolution (Sastry/Tomlin) , airspace network management (Tomlin), sofwalls for security (Lee), and fault tolerant operations (Speyer).

High Confidence Embedded Systems Trustworthiness and Evidence -- Issues

Design concerns– FDIR (failure detection, isolation, and recovery) and defensive

mode reconfiguration– Isolation and. interference– Confidence-based resource management– Compositional design

Managing authority Constructing a dependability case

– Reliability measures vs. other evidence– Sources of confidence

Managing trust under software composition– Partial evidence– Context– Assumptions

Evidence management support

Assuring Mixed-Initiative Control

Formal operational-authority policy modeling & analysis technology -- Examples:

pilot/vehicle authority management mixed piloted/ unmanned airspace friendly/foe, controlled/uncontrolled encounter regimes airspace ATC authority, terminal area ops special ops, adverse condition constrained airspace regimes

Expected areas of IT innovation: Extended joint transition behaviors for mixed initiative operation:

enablement, forcing, blocking Fast authorization, checking methods Modularity management for aggregation & limitation of authority,

operational regimes, airspace boundaries Run-time authority management infrastructure

Certification Technology

Assurance technology for automated/autonomous human-transport vehicles

Domain-specific verification technology– Timed system verification tools– Mixed-initiative protocol language/verification tools– Hybrid maneuver design & verification tools– FT, BIT, other qualification evidence & accountability models– Mixed verification & test technology

Assume-guarantee evidence management system– Trustworthiness* applied to embedded systems– Authority sufficiency, completeness, consistency

(*Trust in Cyberspace - Schneider, et al, NRC/CSTB, 1998)

Opportunities for IT Leverage

Domain-specific development technology– Correct-by-construction techniques– Domain-specific assurance-bearing languages and

code synthesis environments Domain-specific (aviation, naval,

communication, medical systems) verification and validation technology

– Operational policy & protocol V&V tools– Scalable FTA, BIT, FMECA, HM, system-based

qualification evidence & accountability models– Hybrid and timed system design verification tools

Software assurance and certification technology

– Forensic software analysis tools (state-space search, counter-example discovery & explanation)

– Software-analytic V&V, checking– Coordinated verification & test technology

Scalable evidence composition and management technology

– Modular trust, accountability, criticality relations– Sufficiency, completeness, consistency checking

TechnologyVision:Assurance Technology for High Confidence Embedded Systems

Assurance support tightly integrated with design, development tools: – Single unified effort for construction and assurance– Support for modeling, abstraction, hierarchical analysis to reduce

complexity– Domain-specific models for system/software construction, integration,

analysis– Domain-specific languages and tool support for correctness checking– Correct-by-construction code generation

Interoperable design, analysis, & reasoning tools– Methods appropriate to task, problem– Design-time analysis– Run-time checking

Shift in balance of effort from testing-dominated to high confidence design-dominated process

Confidence case as by-product of construction