Safety and Airworthiness Cases for Unmanned System Control Segments
George Romanski, Joe Wlad
S5 Symposium, Dayton, OH
June 12-14, 2012
Biography
• Joe Wlad, Sr. Director, Wind River
– FAA DER, Systems and Equipment and Software
– Chief Engineer, UCSWG, Safety and Information Assurance Subcommittee
• George Romanski, CEO, Verocel, Inc.
– 30+ years in design and verification of software for safety-critical systems
Agenda
• Unmanned Air System Control System Working Group Overview – Goals, Objectives
– Organization and Architecture Summary
• Safety and Security Sub-committee – Goals, Objectives and Work Products
• Airworthiness Certification Processes
• Goal-Structuring Notation method to implement safety and security requirements
• Examples for the UCS Ground Segment
Some Acronyms
Acronym Meaning
UAS Unmanned Air System – synonymous with UAV
UAV Unmanned Air Vehicle
GSN Goal Structuring Notation
AS Aircraft Segment
CS Control Segment
UCS UAS Control Segment
PIM Platform Independent Model
PSM Platform Specific Model
UCSWG UCS Working Group
POR Program Of Record
UCSWG Charter: Who and Why
• Through an acquisition decision memorandum signed 11 February 2009, the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD/AT&L) directed the Services to develop a common, open and scalable architecture for command and control of UAS
– Vehicles greater than 20 lb GW
• The UCS Working Group is an enduring organization that operates as a standards development organization as defined by Public Law 104-113 (the National Technology Transfer and Advancement Act of 1995) and the Executive Office of the President, Office of Management and Budget (OMB) Circular A-11
Current UCS Architectures
• Open System Interconnection (OSI), but not Open Architecture (OA)
• No uniform requirements for compliance to safety or security standards
© 2012 All Rights Reserved.
6 Goals: US DoD Unmanned Systems Roadmap 2007-2032
• Goal 1: Improve the effectiveness of COCOM and coalition unmanned systems through improved integration and Joint Services collaboration.
• Goal 2: Emphasize commonality to achieve greater interoperability among system controls, communications, data products, and data links on unmanned systems.
• Goal 3: Foster the development of policies, standards, and procedures that enable safe and timely operations and effective integration of manned / unmanned systems.
• Goal 4: Implement standardized and protected positive control measures for unmanned systems and their associated armament.
• Goal 5: Support rapid demonstration and integration of validated combat capabilities in fielded/deployed systems through a more flexible prototyping, test and logistical support process.
• Goal 6: Aggressively control cost by utilizing competition, refining and prioritizing requirements, and increasing interdependencies among DoD systems.
UCSWG Organization (organization chart on the original slide; boxes listed top-down)
• Executive Board and CCB
• Technical Review Board
• SC1 Implementation – Chief Engineer – Conformance
• SC2 Application PIM – Chief Engineer – PIM Governance
• SC3 Application PSM – Chief Engineer – MDA Process
• SC4 Safety and IA – Chief Engineer – Certification
• SC5 Architecture – Chief Engineer – AD
• Chief Engineer – Modeling/Tools
• Mgmt
• Technical Support
Sub-committee 4: Objectives
• Address System Safety, Airworthiness and IA concerns, including:
– System Safety and Airworthiness Cases
– Information Assurance Cases
– Information Assurance and Security Services
– Platform Safety, Airworthiness and Information Assurance
• Reach out to other organizations interested in defining safety requirements for unmanned systems
– NASA, other DoD organizations, FAA, RTCA, etc.
UCS Architecture Views (layered diagram on the original slide; labels recovered below)
• Application Architecture – Platform Independent Model (Normative, Extensible): Application Domain 1, Application Domain 2, Application Domain 3, Application Domain 4, each exposing Services
• Technology Standards View (Normative, Extensible)
• Reference Architecture (Informative, Extensible)
• Reference Implementations (Informative, Extensible)
• Technical Architecture: Operating Environment, Development Environment, Certification Environment
• Hosting stack (top to bottom): Application 1 … Application 4, each on a Guest OS with Middleware; IA and Security Management; Embedded Hypervisor and Separation Kernel; Processor
UCS - Open Business Model
• Common UCS Architecture Marketplace
• UCS Composed of ‘Mostly’ Common Components
SC 4 Safety Objectives
• Defined in the System Safety Airworthiness Management Plan and Information Assurance Plan
– Embraces SAE ARP 4761/4754, MIL-STD-882, STANAG 4671
– DoD 85xx, NIST, etc.
– Army, Navy, Air Force and FAA Standards
• SC 4 Decided to embrace the concept of Goal Structuring Notation to provide guidance on implementing Safety and Security requirements
UCS Safety and Airworthiness Case
• Outline developed in Goal Structuring Notation
• Helped to identify the Boundaries
• Helped with the decomposition for Systems, Subsystems, Components, Domains, Services and their interactions
• Identified Composition goals to ensure robust process is used to compose a system
• Documented in System Safety and Airworthiness Assurance Case
• Part of UAS Control Segment Architecture
MIL-STD-882 Risk Matrix
As of: 02 Mar 05
Risk Assessment and Risk Acceptance – MIL-STD-882D & DoDI 5000.2, E7

Probability levels    Severity categories
                      I Catastrophic   II Critical   III Marginal   IV Negligible
(A) Frequent          1                3             7              13
(B) Probable          2                5             9              16
(C) Occasional        4                6             11             18
(D) Remote            8                10            14             19
(E) Improbable        12               15            17             20

Risk acceptance levels (colour legend on the original slide): High, Serious, Medium, Low
Purpose of Goal Structuring Notation (GSN)
• A notation for presenting an Argument
• Argument + Supporting evidence => Assurance Case
• Argument - Connects a series of statements
Airworthiness Case Safety Case Information Assurance Case
Threading an argument together (GSN diagram on the original slide; node roles taken from its legend: Goal, Sub-Goal, Strategy; closed connector for Goals and Strategies)
Goal: The UCS shall support many services securely
  Strategy: The UCSA may be constructed from many platforms which provide security properties
    Sub-Goal: Each platform may host many services at different security levels
    Sub-Goal: The services may be hosted on Platforms and Platforms may be linked together
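The slides define an assurance case as an argument plus supporting evidence and show how a GSN argument is threaded from a top goal through a strategy down to sub-goals. The following added example (not from the original slides or the UCS Working Group's work products) models that fragment as a small GSN graph, enforces the GSN "supported by" rules (goals are supported by goals, strategies or solutions; strategies only by goals; solutions are leaves), and checks for undeveloped goals, i.e. branches of the argument that do not yet end in evidence. The node texts are the slide's; the node identifiers, the `Sn1`/`Sn2` solution nodes and their evidence descriptions are constructed placeholders.

```python
"""Minimal Goal Structuring Notation (GSN) model with an argument-completeness check.

Added example: node ids and the Solution (evidence) nodes are constructed placeholders,
not artifacts of the UCS programme.
"""
from dataclasses import dataclass, field

# Allowed "SupportedBy" relations in GSN: a Goal is supported by Goals, Strategies or
# Solutions; a Strategy is supported only by Goals; a Solution is a leaf (evidence).
ALLOWED_SUPPORT = {
    "Goal": {"Goal", "Strategy", "Solution"},
    "Strategy": {"Goal"},
    "Solution": set(),
}


@dataclass
class Node:
    id: str
    kind: str                 # "Goal", "Strategy" or "Solution"
    text: str
    supported_by: list = field(default_factory=list)   # ids of supporting nodes


class GsnCase:
    """A GSN argument: goals and strategies that must bottom out in solutions."""

    def __init__(self):
        self.nodes = {}

    def add(self, node_id, kind, text):
        if kind not in ALLOWED_SUPPORT:
            raise ValueError(f"unknown node kind {kind!r}")
        if node_id in self.nodes:
            raise ValueError(f"duplicate node id {node_id!r}")
        self.nodes[node_id] = Node(node_id, kind, text)

    def support(self, parent_id, child_id):
        """Record that child supports parent, rejecting relations GSN does not allow."""
        parent, child = self.nodes[parent_id], self.nodes[child_id]
        if child.kind not in ALLOWED_SUPPORT[parent.kind]:
            raise ValueError(
                f"{parent.kind} {parent_id} cannot be supported by {child.kind} {child_id}")
        parent.supported_by.append(child_id)

    def undeveloped(self, root_id):
        """Goals/strategies reachable from root that nothing supports: gaps in the argument."""
        gaps, seen, stack = [], set(), [root_id]
        while stack:
            node_id = stack.pop()
            if node_id in seen:
                continue
            seen.add(node_id)
            node = self.nodes[node_id]
            if node.kind != "Solution" and not node.supported_by:
                gaps.append(node_id)
            stack.extend(node.supported_by)
        return sorted(gaps)

    def is_assurance_case(self, root_id):
        """Argument + supporting evidence: true only when every branch ends in a Solution."""
        return not self.undeveloped(root_id)

    def thread(self, root_id, depth=0):
        """Render the argument top-down, one indented line per node, in document order."""
        node = self.nodes[root_id]
        lines = ["  " * depth + f"{node.kind} {node.id}: {node.text}"]
        for child_id in node.supported_by:
            lines.extend(self.thread(child_id, depth + 1))
        return lines


def build_ucs_fragment():
    """The slide's fragment: one goal, one strategy, two sub-goals, one placeholder solution."""
    case = GsnCase()
    case.add("G1", "Goal", "The UCS shall support many services securely")
    case.add("S1", "Strategy",
             "The UCSA may be constructed from many platforms which provide security properties")
    case.add("G2", "Goal", "Each platform may host many services at different security levels")
    case.add("G3", "Goal",
             "The services may be hosted on platforms and platforms may be linked together")
    # Constructed placeholder evidence; G3 is deliberately left without a solution.
    case.add("Sn1", "Solution", "Separation kernel evaluation report (placeholder evidence)")
    case.support("G1", "S1")
    case.support("S1", "G2")
    case.support("S1", "G3")
    case.support("G2", "Sn1")
    return case


if __name__ == "__main__":
    case = build_ucs_fragment()
    print("\n".join(case.thread("G1")))
    print("undeveloped:", case.undeveloped("G1"))        # ['G3']
    case.add("Sn2", "Solution", "Cross-domain link security test results (placeholder evidence)")
    case.support("G3", "Sn2")
    print("assurance case complete:", case.is_assurance_case("G1"))   # True
```

Run as a script, the block prints the threaded argument, reports `G3` as undeveloped, and then reports the case complete once a solution supports `G3`. The same check is what a tool such as the Enterprise Architect repository mentioned later in the deck would need to run when case fragments are tagged with safety and security properties: an argument with an undeveloped goal is not yet an assurance case.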
Current Progress
• Safety and Information Assurance case fragments have been created for the UCS Architecture
• These have been put into Enterprise Architect
• Work is underway to connect the safety cases with the various domain models and tag them with safety and security properties