Certification Challenges for Autonomous Flight Control System
Mr. David B. Homan
AFRL Air Vehicles Directorate
david.homan@wpafb.af.mil
(937) 255 - 4026

Cooperative Airspace Operations Background
To be effective assets in the force structure and mission plans, UASs must …
• Be Safe & Reliable
• Be Responsive & Effective
• Be Interoperable
• Not Adversely Affect Operations Capability
VACC Technical Paper Nr. VAO-04-288. Cleared for Public Release on 11 Aug 04. AFRL-WS 04-0578

Background: Flight Safety and Manned/Unmanned Functional Migration
[Diagram labels: Situational awareness, Vehicle Mgmt, Flight Mgmt, Mission Mgmt; Flight Critical, Mission Critical; On-board, Off-board]
• Manned Aircraft: Pilot is Integrator and Contingency Manager; FMS is mostly advisory.
• Unmanned Aircraft: Situational awareness? FMS and VMS provide Integration and Contingency Mgmt; Operator manages at high-level.
For UAVs, “Pilot Function” becomes huge design and V&V issue

Background: V&V Requirements
Mission Critical
• System Focus is Performance/Security
• Performance Metric: Throughput and Bandwidth [event driven]
• Assurance Metric: Probability of Mission Success [Simplex or Back-up]
• Confidence Rqmt: Performance and security are validated.
• Consequence of Failure: Potential mission failure
Flight Critical
• System Focus is Performance/Assurance
• Performance Metric: Sampling Rate and Latency [time triggered]
• Assurance Metric: Probability of Loss of Control and N x Fail Op/Fail Safe [Triplex or Quad]
• Confidence Rqmt: Performance and Assurance must be validated [Failure Modes and Effects Testing]
• Consequence of Failure: Loss of Aircraft, potential loss of life
Flight Critical V&V isn’t just a software issue, it’s a system issue!!
Rule of Thumb: When you mix mission with flight criticality, the testing is held to the most stringent requirement.
Developmental Timeline: Flight Critical ready by First Flight! Any change requires Total Re-test!

New Capabilities Challenge V&V
New Capabilities (and increasing complexity) are presenting new challenges to the V&V problem.
• Mixed Criticality Architecture: Non-obtrusive co-existence of mixed criticality
• Adaptive/Learning/Multi-Modal Functions: Indeterminate or untraceable functionality
• Mixed Initiative/Authority Mgmt: Human/autonomy or autonomy/autonomy interactions
• Multi-Entity Systems: Functions that encompass multiple platforms.
• Sensor Fusion/Integration: Highly confident sensor-derived information
These new systems/capabilities need to be affordably provable

Mixed Criticality Challenge
[Diagram: processors and serial bus backplanes]
How can we separate the mission and flight critical functionality so as to guarantee safety?
SOA: Middleware that provides time/space partitioning (ARINC 653).
Issue: Both Criticalities use common HW resources (i.e. processors, backplanes, busses etc); how do we determine PLOC and fault tolerance?
• Understand failure mechanisms for partitioning
• Non-critical function must not take out shared resources… Or the probability of its occurrence is predictable…
• Need guarantee on fault tolerance
Answer may reside in a SW/HW architecture specifically designed for mixed operation

Adaptive/Learning/Multimodal Challenge
[Diagram: neural network with Input Layer, 1st Hidden Layer, 2nd Hidden Layer, Output Layer; labels: Delta X, Delta Y, Delta Z, Delta X Dot, Delta Y Dot, Delta Z Dot, Delta A+B+C, Delta CATA, Align Flight Vector, Move Towards Assigned Position, Maintain a Minimum Distance]
How can we trust functionality that we may not be able to fully test?
SOA: We must try to test the complete functional envelope (till $$ runs out…)!
Issue: Some new Control capabilities are untraceable and/or non-deterministic
• Adaptive systems
  • Huge test space
  • Perfect Input data
• Learning systems
  • Environmental stimuli
  • Lost memory
• Multi-modal systems
  • Mode transition stability
  • Mode synchronization
  • Recovery mode
Answer may reside in bounding the function in run-time to known safe behavior.

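The closing line of this slide suggests bounding a function that cannot be fully tested to known safe behavior at run time. A sketch of such a run-time monitor follows, as an added example that is not from the original presentation: the limit values, the names `cmd_is_safe` and `rta_step`, and the reading of Delta X/Y/Z as position relative to a lead aircraft are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Envelope limits are assumed values for illustration, not from the slides. */
#define MIN_SEP_M    15.0  /* minimum distance to the lead aircraft, metres */
#define MAX_CMD_MPS   5.0  /* per-axis relative velocity command limit, m/s */
#define LOOKAHEAD_S   1.0  /* prediction horizon for the separation check, s */

typedef struct { double x, y, z; } vec3;
typedef enum { MODE_ADAPTIVE, MODE_RECOVERY } rta_mode;

/* Written as a positive range test so NaN and infinity fail it. */
static bool in_range(double v) { return v >= -MAX_CMD_MPS && v <= MAX_CMD_MPS; }

/* rel_pos is own position minus lead position (assumed meaning of
   Delta X/Y/Z). A command is safe if it is in range and the position
   predicted LOOKAHEAD_S ahead stays outside the minimum-separation sphere. */
bool cmd_is_safe(vec3 rel_pos, vec3 cmd) {
    if (!in_range(cmd.x) || !in_range(cmd.y) || !in_range(cmd.z)) return false;
    double nx = rel_pos.x + cmd.x * LOOKAHEAD_S;
    double ny = rel_pos.y + cmd.y * LOOKAHEAD_S;
    double nz = rel_pos.z + cmd.z * LOOKAHEAD_S;
    return nx * nx + ny * ny + nz * nz >= MIN_SEP_M * MIN_SEP_M;
}

/* One control cycle. The first unsafe command from the untrusted adaptive
   controller latches recovery mode, after which only the separately
   verified baseline command is passed on. There is no automatic return,
   which avoids chattering between modes. */
vec3 rta_step(rta_mode *mode, vec3 rel_pos, vec3 adaptive_cmd, vec3 baseline_cmd) {
    if (*mode == MODE_ADAPTIVE && !cmd_is_safe(rel_pos, adaptive_cmd))
        *mode = MODE_RECOVERY;
    return (*mode == MODE_ADAPTIVE) ? adaptive_cmd : baseline_cmd;
}

int main(void) {
    /* Constructed sample: wingman 18 m behind the lead, baseline holds station. */
    rta_mode mode = MODE_ADAPTIVE;
    vec3 pos = { -18.0, 0.0, 0.0 }, hold = { 0.0, 0.0, 0.0 };
    vec3 cmds[] = { { 2.0, 0.0, 0.0 }, { 4.9, 0.0, 0.0 }, { 1.0, 0.0, 0.0 } };
    for (int i = 0; i < 3; i++) {
        vec3 out = rta_step(&mode, pos, cmds[i], hold);
        printf("cycle %d: cmd x=%.1f mode=%s\n", i, out.x,
               mode == MODE_ADAPTIVE ? "adaptive" : "recovery");
    }
    return 0;
}
```

Only the monitor and the baseline controller then need exhaustive V&V; the adaptive function is trusted no further than the envelope check allows.
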
Mixed Initiative Challenge
AF Poster Child: Auto-Aerial Refueling (AAR)
How can man and autonomy safely interact?
SOA: Human operator always gets authority!
Issue: Human operator may not have all the information or be able to comprehend situation in real-time:
• Situational Awareness versus Response Time
• Assessment of UAV mode/state/health
• Assessment of surrounding environment
• “Consequence of mishap” is a factor
• Complete system health is a factor
• Workload is a factor
Answer may reside in an authority management specification that would allow the correct party to have decision authority.

Multi-Entity Challenge
How can we trust systems with multiple players to safely perform cooperative functions?
SOA: Keep humans away and hope for the best…
Issue: Entities participating in the coordinated function may not be part of individual V&V testing:
• Linked Interface Control Documents?
• Entities with different manufacturers?
• System Configuration Management?
• Mission-specific programming?
Answer may reside in a specification for contingency management, based on system degradation

High Confidence Sensing Challenge
How can we trust visual/radar systems for flight critical functions?
SOA: Brute force and analytic redundancy
Issue: Mission-style sensors don’t have acceptable real-time methods for FDIR…
• Sensors will likely be multi-function!
• Redundant HW may not be answer, redundant information?
• Built-in-test may not provide good real-time coverage.
• Reliable signal processing/sensor fusion software
Answer may reside in sensor designs that compensate for sensor degradation and plan for contingencies