Post on 21-Dec-2015
Certification Challenges for Autonomous Flight Control System
Mr. David B. Homan
AFRL Air Vehicles Directorate
david.homan@wpafb.af.mil
(937) 255 - 4026
VACC Technical Paper Nr. VAO-04-288. Cleared for Public Release on 11 Aug 04. AFRL-WS 04-0578
To be effective assets in the force structure and mission plans, UASs must …
•Be Safe & Reliable
•Be Responsive & Effective
•Be Interoperable
•Not Adversely Affect Operational Capability
Cooperative Airspace Operations Background
Background: Flight Safety and Manned/Unmanned Functional Migration
(Figure: flight-critical versus mission-critical functions, Flight Mgmt / Vehicle Mgmt / Mission Mgmt, and their on-board or off-board allocation for manned and unmanned aircraft.)
Manned Aircraft: Pilot is Integrator and Contingency Manager; FMS is mostly advisory. Situational awareness.
Unmanned Aircraft: FMS and VMS provide Integration and Contingency Mgmt; Operator manages at high level. Situational awareness?
For UAVs, the “Pilot Function” becomes a huge design and V&V issue.
Background: V&V Requirements
Mission Critical
  System Focus is Performance/Security
  Performance Metric: Throughput and Bandwidth [event driven]
  Assurance Metric: Probability of Mission Success [Simplex or Back-up]
  Confidence Rqmt: Performance and security are validated.
  Consequence of Failure: Potential mission failure
Flight Critical
  System Focus is Performance/Assurance
  Performance Metric: Sampling Rate and Latency [time triggered]
  Assurance Metric: Probability of Loss of Control and N x Fail Op/Fail Safe [Triplex or Quad]
  Confidence Rqmt: Performance and Assurance must be validated [Failure Modes and Effects Testing]
  Consequence of Failure: Loss of Aircraft, potential loss of life
  Developmental Timeline: Flight Critical ready by First Flight! Any change requires Total Re-test!
Rule of Thumb: When you mix mission with flight criticality, the testing is held to the most stringent requirement.
Flight Critical V&V isn’t just a software issue, it’s a system issue!!
New Capabilities Challenge V&V
• Mixed Criticality Architecture: Non-obtrusive co-existence of mixed criticality
• Adaptive/Learning/Multi-Modal Functions: Indeterminate or untraceable functionality
• Mixed Initiative/Authority Mgmt: Human/autonomy or autonomy/autonomy interactions
• Multi-Entity Systems: Functions that encompass multiple platforms.
• Sensor Fusion/Integration: Highly confident sensor-derived information
These new systems/capabilities need to be affordably provable.
New Capabilities (and increasing complexity) are presenting new challenges to the V&V problem.
Mixed Criticality Challenge
How can we separate the mission-critical and flight-critical functionality so as to guarantee safety?
SOA: Middleware that provides time/space partitioning (ARINC 653).
Issue:
Both criticalities use common HW resources (e.g. processors, backplanes, busses); how do we determine PLOC and fault tolerance?
• Understand failure mechanisms for partitioning
• Non-critical function must not take out shared resources… or the probability of its occurrence must be predictable…
• Need guarantee on fault tolerance
(Figure: functions A, B and C spread across shared processors, backplanes and a serial bus.)
Answer may reside in a SW/HW architecture specifically designed for mixed operation
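As an added worked example (not from the paper, and not a real ARINC 653 implementation), the following Python toy kernel shows the two mechanisms the SOA relies on: a fixed major frame whose windows a partition cannot exceed, and per-partition memory regions the kernel refuses to let a neighbour write into. The partition names, budgets, regions and workloads are constructed; the point is that the mission partition's overrun and stray write show up in a health log instead of in the flight-critical partition's time or memory.

```python
"""Toy ARINC 653-style partitioning kernel.

Added illustration, not from the paper or any real ARINC 653 implementation.
Two mechanisms behind the slide's SOA are modelled:
 * time partitioning: a fixed major frame is split into per-partition windows;
   work that does not fit in a partition's window waits for the next frame
   instead of eating into the next partition's window;
 * space partitioning: each partition owns one memory range; a write outside it
   is refused and reported to a health monitor rather than landing in a
   neighbour's memory.
Partition names, budgets, memory regions and workloads are constructed.
"""
from collections import deque


class Partition:
    def __init__(self, name, criticality, budget, region, periodic=None):
        self.name = name
        self.criticality = criticality      # "flight" or "mission"
        self.budget = budget                # time units per major frame
        self.base, self.size = region       # private memory range [base, base+size)
        self.periodic = periodic            # job re-queued every frame (e.g. a control law)
        self.work = deque()                 # pending jobs: (duration, [(addr, value), ...])
        self.ran_per_frame = []             # time units actually executed each frame


class Kernel:
    def __init__(self, partitions):
        self.partitions = partitions
        self.memory = {}                    # addr -> value, the shared physical memory
        self.health_log = []                # (frame, partition name, event)

    def write(self, frame, part, addr, value):
        """Space partitioning: a partition may only write inside its own region."""
        if part.base <= addr < part.base + part.size:
            self.memory[addr] = value
            return True
        self.health_log.append((frame, part.name, f"mem fault @{addr}"))
        return False

    def run_frame(self, frame):
        """Time partitioning: each partition gets exactly its window, in schedule order."""
        for part in self.partitions:
            if part.periodic:
                part.work.append(part.periodic)
            used = 0
            # A job runs only if it fits in the remaining window; otherwise it waits.
            while part.work and used + part.work[0][0] <= part.budget:
                duration, writes = part.work.popleft()
                used += duration
                for addr, value in writes:
                    self.write(frame, part, addr, value)
            if part.work:
                self.health_log.append((frame, part.name, "window overrun"))
            part.ran_per_frame.append(used)

    def run(self, frames):
        for frame in range(frames):
            self.run_frame(frame)


def demo(frames=3):
    """Constructed scenario: a mission partition that overruns and strays."""
    fcs = Partition("FCS", "flight", budget=4, region=(0, 16),
                    periodic=(4, [(0, 0x0F)]))     # control-law update, own memory
    isr = Partition("ISR", "mission", budget=6, region=(16, 64))
    isr.work.append((5, [(20, 1)]))                # legitimate write to own region
    isr.work.append((5, [(0, 0xBAD)]))             # bug: tries to clobber FCS memory
    isr.work.append((5, [(21, 2)]))                # more backlog than one window allows
    kernel = Kernel([fcs, isr])
    kernel.run(frames)
    return kernel, fcs, isr
```

Running `demo()` gives the flight partition its full 4 units in every frame, leaves address 0 holding the control law's own value, and records the ISR partition's two window overruns and one memory fault in the health log. What the toy does not answer is the slide's actual question: both partitions still share the same processor and memory hardware, so a hardware fault in that shared resource takes out both, and the PLOC analysis has to account for it separately from the software separation shown here.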
Adaptive/Learning/Multimodal Challenge
(Figure: neural-network formation controller. Input layer: Delta X, Delta Y, Delta Z, Delta X dot, Delta Y dot, Delta Z dot, Delta A+B+C, Delta CATA; 1st and 2nd hidden layers; output layer: Maintain a Minimum Distance, Move Towards Assigned Position, Align Flight Vector.)
How can we trust functionality that we may not be able to fully test?
SOA: We must try to test the complete functional envelope (till $$ runs out…)!
Issue: Some new control capabilities are untraceable and/or non-deterministic
• Adaptive systems: huge test space; perfect input data
• Learning systems: environmental stimuli; lost memory
• Multi-modal systems: mode transition stability; mode synchronization; recovery mode
Answer may reside in bounding the function in run-time to known safe behavior.
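One concrete form of "bounding the function in run-time to known safe behavior" is a Simplex-style run-time assurance wrapper. The following Python sketch is an added example, not from the paper: an untrusted "advanced" controller (a stand-in for the neural-network formation controller in the figure; here a deliberately undamped proportional law so its overshoot is visible) may command the aircraft only when a monitor can show the command keeps a stopping-distance invariant, and otherwise a simple, verifiable baseline (brake) takes over. The one-axis scenario, the keep-out distance, the acceleration limit and all gains are assumptions.

```python
"""Simplex-style run-time bounding of an adaptive controller.

Added illustration, not from the paper. Longitudinal axis only: the leader is
at x = 0 and the follower is behind it (x < 0). The slide's two formation
objectives become: keep at least D_MIN from the leader, move to ASSIGNED.
Invariant the monitor enforces: from the next state, braking at full
authority must stop the follower before the keep-out boundary. Applying the
brake preserves that invariant exactly, so once it holds it keeps holding.
Scenario, kinematics, gains and limits are constructed assumptions.
"""
import math

DT = 0.1           # s, control period
A_MAX = 5.0        # m/s^2, acceleration authority
D_MIN = 100.0      # m, keep-out distance ("maintain a minimum distance")
ASSIGNED = -200.0  # m, station behind the leader ("move towards assigned position")


def advanced_controller(x, v):
    """Untrusted high-performance law: full authority toward the station, no damping."""
    return max(-A_MAX, min(A_MAX, 1.0 * (ASSIGNED - x)))


def baseline_controller(x, v):
    """Verified recovery law: brake while closing on the leader, otherwise hold."""
    return -A_MAX if v > 0 else 0.0


def step(x, v, a):
    """Constant-acceleration kinematics over one control period."""
    return x + v * DT + 0.5 * a * DT * DT, v + a * DT


def stop_point(x, v):
    """Farthest forward point reached if we brake at A_MAX from (x, v)."""
    return x + max(v, 0.0) ** 2 / (2.0 * A_MAX)


def command_is_safe(x, v, a):
    """Monitor: after applying `a` for one period, can we still stop short of D_MIN?"""
    x1, v1 = step(x, v, a)
    return stop_point(x1, v1) <= -D_MIN


def decision_module(x, v):
    """Simplex switch: use the advanced command only when the monitor accepts it."""
    a = advanced_controller(x, v)
    if command_is_safe(x, v, a):
        return a, "advanced"
    return baseline_controller(x, v), "baseline"


def simulate(guarded, steps=3000, x0=-1000.0, v0=0.0):
    """Return (closest approach to the leader in m, number of baseline takeovers).

    A negative closest approach means the follower flew through the leader.
    """
    x, v = x0, v0
    closest = math.inf
    takeovers = 0
    for _ in range(steps):
        if guarded:
            a, source = decision_module(x, v)
            if source == "baseline":
                takeovers += 1
        else:
            a = advanced_controller(x, v)
        x, v = step(x, v, a)
        closest = min(closest, -x)   # leader at 0, so distance is -x while behind it
    return closest, takeovers
```

Unguarded, the undamped law arrives at the station at about 89 m/s and overshoots through the leader; guarded, the same law never gets inside D_MIN, at the price of the chattering between advanced and baseline that is typical of this architecture. The trust argument moves from the untestable controller to the monitor and the baseline, which are small enough to verify.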
Mixed Initiative Challenge
How can man and autonomy safely interact?
SOA: Human operator always gets authority!
Issue:
Human operator may not have all the information or be able to comprehend situation in real-time:
• Situational Awareness versus Response Time
• Assessment of UAV mode/state/health
• Assessment of surrounding environment
• “Consequence of mishap” is a factor
• Complete system health is a factor
• Workload is a factor
AF Poster Child: Auto-Aerial Refueling (AAR)
Answer may reside in an authority management specification that would allow the correct party to have decision authority.
Multi-Entity Challenge
How can we trust systems with multiple players to safely perform cooperative functions?
SOA: Keep humans away and hope for the best…
Issue:
Entities participating in the coordinated function may not be part of individual V&V testing:
• Linked Interface Control Documents?
• Entities with different manufacturers?
• System Configuration Management?
• Mission-specific programming?
Answer may reside in a specification for contingency management, based on system degradation
High Confidence Sensing Challenge
How can we trust visual/radar systems for flight critical functions?
SOA: Brute force and analytic redundancy
Issue:
Mission-style sensors don’t have acceptable real-time methods for FDIR…
• Sensors will likely be multi-function!
• Redundant HW may not be the answer; redundant information?
• Built-in-test may not provide good real-time coverage.
• Reliable signal processing/sensor fusion software
Answer may reside in sensor designs that compensate for sensor degradation and plan for contingencies
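The "redundant information, not redundant hardware" idea above is analytic redundancy: a model-based estimate stands in as an extra vote. As an added example (not from the paper), the Python below fuses a barometric altimeter, a radar altimeter and an inertial estimate (vertical speed integrated from the last agreed altitude), checks each source's residual against the median with a persistence filter so sensor noise does not trip it, and isolates a radar altimeter whose output freezes. Sensor models, noise levels, thresholds and the injected fault are all constructed.

```python
"""Analytic redundancy and residual-based FDIR for an altitude channel.

Added illustration, not from the paper. Three sources vote on altitude:
two physical sensors (baro, radar) and one analytic channel (the inertial
vertical speed integrated from the previous fused altitude). A source whose
residual against the median stays above THRESHOLD for PERSIST samples is
isolated, and fusion continues on the remaining sources. Truth trajectory,
noise levels, thresholds and the stuck-radar fault are constructed.
"""
import random
import statistics

DT = 0.05          # s, sample period
THRESHOLD = 8.0    # m, residual above which a source is suspect
PERSIST = 5        # consecutive suspect samples before isolation


class ResidualMonitor:
    """Per-source residual check with a persistence counter."""

    def __init__(self, names):
        self.count = {n: 0 for n in names}
        self.isolated = set()

    def update(self, readings):
        """readings: {name: value}. Returns (fused value, newly isolated name or None)."""
        live = {n: v for n, v in readings.items() if n not in self.isolated}
        if len(live) == 1:
            return next(iter(live.values())), None
        ref = statistics.median(list(live.values()))
        newly = None
        for n, v in live.items():
            if abs(v - ref) > THRESHOLD:
                self.count[n] += 1
                # With only two live sources a disagreement cannot be attributed.
                if self.count[n] >= PERSIST and len(live) > 2:
                    self.isolated.add(n)
                    newly = n
            else:
                self.count[n] = 0
        live = {n: v for n, v in readings.items() if n not in self.isolated}
        return statistics.median(list(live.values())), newly


def simulate(fault_step=120, steps=300, seed=1):
    """Constructed descent with a radar altimeter that freezes at `fault_step`.

    Returns (detection step or None, sorted isolated sources, worst fused error in m).
    """
    rng = random.Random(seed)
    monitor = ResidualMonitor(["baro", "radar", "inertial"])
    alt, vz = 500.0, -3.0              # m, m/s: steady descent (constructed truth)
    fused = alt                        # last agreed altitude seeds the analytic channel
    radar_stuck = None
    detect_step, worst_err = None, 0.0
    for k in range(steps):
        alt += vz * DT
        baro = alt + rng.gauss(0, 0.8)
        radar = alt + rng.gauss(0, 0.5)
        if k >= fault_step:            # fault injection: output freezes at its last value
            radar_stuck = radar if radar_stuck is None else radar_stuck
            radar = radar_stuck
        inertial = fused + (vz + rng.gauss(0, 0.1)) * DT   # model-based third source
        fused, newly = monitor.update({"baro": baro, "radar": radar, "inertial": inertial})
        if newly:
            detect_step = k
        worst_err = max(worst_err, abs(fused - alt))
    return detect_step, sorted(monitor.isolated), worst_err
```

With these numbers the frozen radar drifts 0.15 m per sample away from truth, so the residual crosses the threshold some 60 to 80 samples after the fault and the persistence filter isolates the radar shortly after; the fused altitude error never approaches the threshold because the median sides with the two agreeing sources throughout. The caveat the slide raises still applies: this only works while the analytic channel's model (here, the vertical speed) is itself trustworthy, and a common-mode input error would fool all three votes at once.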