Modeling Incremental Autonomy of a UAS in Support of Reasoning About
Applicable Assurance Methods
NASA SASO Contract NNL16AA06C
Dr. Jonathan Rowanhill and Dr. John Knight
Dependable Computing
August 2, 2017

Ongoing Work: Exploring How to Verify and Validate Increasingly Autonomous UAS
• Explore: How to verify and validate increasingly autonomous unmanned aerial system (UAS)
  • Agricultural mid-weight rotorcraft
  • Crop spraying and cargo delivery
• Approach: Build explicit safety arguments
  • Multiple models of the same UAS
  • Each with increasing autonomy
  • See what the exposed rationales reveal about assurance methods and required V&V techniques.
August 2, 2017 S5, Dependable Computing LLC
Figure 1. This illustration makes artists and safety engineers cringe.

Ongoing Work: Exploring How to Verify and Validate Increasingly Autonomous UAS
[Diagram labels: Safety Req. A Satisfied (shown twice); Autonomy Increment; Assurance Method (Rationale); Evidence => V&V Requirements; Justification; Correlate with State-of-the-art from domain experts]

How Do We Model Incremental Autonomy?
• Require compelling and feasible arguments
• For a specific (hypothetical) system
• Standard autonomy models guided high level descriptions (ex. NHTSA, ALFUS)
• Model incremental autonomy through system function model before we go hunting for matching technologies
[Diagram: System S; Function A, Function B, Function C; A1, A2, A3, C1, C2; C1a, C1b]

Operator Role Theory: Automation in the Decision Loop
• Operator Role Theory:
  • The role of a human operator in a decision function
  • Linearly increasing decision loop automation
  • Allows rapid description of automation
  • Modern autonomy often diverges from this model of automation
[Diagram labels: Manual Controller (Pre-Existing Terminology); Supervisory; Executive]

Operator Role Theory: Modeling Automation at the System Function Level
• Meant to be applied to a decomposed system function model
• Supports fine-grained modeling of automation
• This model was useful for us to model increasing autonomy in a UAS.
• Can we apply a model like this to modern UAS autonomy?
[Diagram: System S; Function A, Function B, Function C; A1, A2, A3, C1, C2; C1a, C1b; operator role labels: Direct, Manual, Supervisory, Supervisory, Executive, Executive]
Applying Operator Roles to Drive Construction of Assurance Arguments
• We propose and apply extensions to operator role theory to model autonomy
• The resulting model suggests a bridge between autonomy specifications and assurance methods

Extending Operator Role Theory: Extending Decision Roles
• Additional roles common with today’s technology
• A few more roles fill in many common cases
• Does not capture all possible combinations or peer machine/human relationships
[Diagram labels: Advised (ex. Diagnostic Systems); Serving (ex. You Unjamming a Laser Printer); Supervisory; Manual; Executive; Peer]

Extended Operator Role Theory: Modeling Learning Roles
• The “two-level loop” model of learning
• Similar forms appear in
  • Learning Theory,
  • Management Science, and
  • Artificial Intelligence
• Can we apply this to further extend autonomy models that describe machine intelligence?

Extended Operator Role Theory: Modeling Learning Roles
• Define operator roles for learning loops
[Diagram labels: Decision Loop; Learning Loop; Manual; Assisted; Reviewer; Supervised; Executive; Peer]

Enhanced Operator Role Model
[Diagram labels, first group: Advised; Supervisory; Manual; Executive; Peer; 28]
[Diagram labels, second group: Manual; Assisted; Reviewer; Supervised; Executive; Peer]
• Ordered Pair
  • (Decision Operator, Learning Operator)

Modeling “Snapshots” of Increasing Autonomy for an Agricultural UAS
• System function model of the UAS
• 7 autonomy allocation designs
• Results model “fine-grained” autonomy increments
[Figure labels: 0 1 2 3 4 5 6]

Modeling Incremental Autonomy and How it Might Be Useful for Assurance
• Important for Common Engineering Questions:
  • Heterogeneous Autonomy: Modeling autonomy that differs across system functionality
  • Selecting Autonomy: Best-fit autonomy design for system with safety concerns (Assurance vs. cost trade-offs in design)
  • Increasing Autonomy: Effects of increasing autonomy on safety assurance?

Assurance Analysis Method for Indexing Assurance Method Concepts
• Extends system function analysis to the level of choosing assurance methods
• Can index an assurance library by operator role and assigned technology
[Diagram labels: Define Function; Choose Assurance Methods Architectures; Assign Operator Roles; Select Technology; Architectures & Assurance Methods Library; Argument Patterns]

Example Function: Motion Planning: Avoid Getting Trapped!
• High speed re-planning (frames per second)
• Short Look Ahead
• Ex. “Space-time” planner for dynamic object avoidance with tunable “risk taking”
• Req.: Keep a Clear Maneuvering Workspace
  • A free space where if no object is inside of it, the UAV can change course to avoid any object that is going to encroach
• Sub-Req.: Don’t Get Trapped: Short term planning gets boxed in between dynamic objects

Ex. Motion Planning—Avoid Getting Trapped: Exploring Assurance Methods under Different Operator Roles
[Diagram labels: Supervisory Controller, Manual Learner vs. Executive Controller, Reviewing Learner]

Ex. Motion Planning—Avoid Getting Trapped: Supervisory Controller, Manual Learner
Ex. Assurance Methods:
• Assure constrained functionality with run-time detection of constraint failures
  • No objects above motion path
  • Maximum no. of dynamic objects
• Assure safe and reliable hand-off and control to/by human pilot avoiding traps
• Assure safe values of space-time planner object probability field penetration
[Figure callouts: 1 2 3 4]

Argument “Trunk” Contains Assurance Methods: Supervisory Controller, Manual Learner
[Diagram labels: Satisfactory Planner Input; Correct Space-time Planning Algorithm; Verified Implementation; Conditional Requirement Satisfaction; Condition Handling Satisfactory]

Ex. Motion Planning—Avoid Getting Trapped: Executive Controller, Reviewing Learner
Ex. Assurance Methods:
• Assure detection and avoidance approaches
• Sufficient, effective human review of trap detection rules deduced by AI
• Sufficient rules engine scaling/performance
• Resilience of conservative entrapment detection behavior
[Diagram labels: Entrapment Scenario Avoidance; Conservative Entrapment Detection]

Argument “Trunk” Changes (Some) Assurance Methods: Executive Controller, Reviewing Learner
[Diagram labels: Satisfactory Planner Input; Correct Space-time Planning Algorithm; Verified Implementation; Conditional Requirement Satisfaction; Condition Handling Satisfactory]

Summary
• An extended operator role model allows us to build incremental function-level models of autonomy
• This is useful for both exploring and mapping to assurance techniques
• We have extended the operator role model for
  • Modern forms of advanced autonomy in decision making
  • Autonomy through automated learning
• This model might be useful as a means to organize and guide use of appropriate assurance methods for system models applying autonomy

The End
Questions?