
Page 1:

Approved for Public Release, AFRL Case No. 88ABW-2015-2813
DISTRIBUTION A. Approved for Public Release, Case Number 88ABW-2016-1452

John Schierman, Michael DeVore, Jared Cooper, Nathan Richards, Neha Gandhi, Kenny Horneman
Barron Associates, Inc., Charlottesville, Virginia

Scott Smolka and Scott Stoller
SUNY Stony Brook

Matt Clark, Program Manager
Air Force Research Laboratory

S5 Briefing, Dayton, OH, June 2016

Page 2:

• Review of final year of three year AFRL-funded program

• Last two years at S5 gave presentations on 1st & 2nd years’ progress

• Focus of talk

  • How do we construct an argument that a complex runtime protected system is safe to operate

  • Must assure that the runtime monitoring will always correctly identify unsafe operations & correctly execute mitigation/recovery strategies throughout the operational envelope of the system

• Goal

  • Build up trust in runtime protection

  • Present convincing arguments in certification process

Page 3:

• Industry desires more advanced systems

  • Adaptive/Intelligent/Autonomous

  • Adapt to physical damage/faulted H/W

  • Autonomous decision making

• Current V&V analysis tools cannot adequately certify these advanced systems

  • Typical exhaustive testing techniques cannot cover entire operating space due to nondeterministic nature of these advanced systems

• Solutions under development

  • Advancements in design-time analysis (formal methods)

  • Advancements in run-time monitoring or Run Time Assurance (RTA)

Page 4:

• A Run Time Assurance (RTA) Protected System

[Figure: block diagram of an RTA protected system. Components: Advanced System (Untrusted or “Uncertified”), Reversionary System (Trusted or “Certified”), RTA Monitor & Switch Mechanism, and the Plant or System being Controlled; signals go To: Downstream Feedback Levels and come From: Upstream Feedback Levels. Legend: Cannot be certified to required assurance level; Design-Time Assured (DTA): certified to required assurance level.]

Page 5:

• Multi-vehicle Unmanned Air Systems (UASs) operations

  • Cooperative/decentralized (distributed) command/control/comm.

  • Fleets of heterogeneous assets

  • Fully autonomous decision making

[Figure: mission sketch with labels Split up; Surveil Area A; Surveil Area B; Surveil Area C; Rendezvous; share/transmit data; Urban Operations Surveillance/Reconnaissance; Morphing Wing UASs.]

Page 6:

• Looking at all feedback levels in aerospace systems

[Figure: feedback levels of an aerospace vehicle: MPS* (Mission Planning System), FMS* (Flight Management System), Guidance Laws (GLAW), Control Laws (CLAW), Control Effectors, Airframe & Engine, Sensors, NAV (INS) producing the Navigation Solution (Current State), Comms. (Radio Transmission & Receiving; Communications with Other Vehicles & Ground Base; Fleet & Base) and IVHM (Integrated Vehicle Health Management). Physical Actuators: Elevators, Rudder, Aileron, Flaps, Speedbrake, Throttle, … Physical Plant: Airframe & Engine. Physical Sensors: GPS, IMU, Compass, Radar Altimeter, Pitot Tube, EO/IR, …]

Advanced (uncertifiable) elements potentially present at any/all feedback levels

*MPS = Mission Planning System (plans out mission); FMS = Flight Management System (carries out mission)

Page 7:

• Looking at all feedback levels in aerospace systems

[Figure: same feedback-level diagram as Page 6, with the Control Effectors, Airframe & Engine and Sensors blocks called out.]

Advanced (uncertifiable) elements potentially present at any/all feedback levels

*MPS = Mission Planning System (plans out mission); FMS = Flight Management System (carries out mission)

Page 8:

• Potential for interacting RTA protected systems for all feedback levels…

• Interacting RTA systems cannot operate in isolation - must check:

  • Current feedback level safe? (state crossing defined safety boundary?)

  • Input/output validity of each feedback level (params. within allowable bounds, etc.?)

  • Meet performance requirements of each feedback level

    • (Safety implications for other levels)

  • Mode status of other subsystem levels: Advanced or reversionary mode? Reversionary mode may have implications on what performance that subsystem can deliver – need an overall monitor manager to pass critical information to all subsystems

  • Environment and IVHM checks: Operating in acceptable environment? All hardware (sensors/actuators) working properly?

[Figure: an RTA protected block at each feedback level, Mission Planning (RMPS, AMPS, MPS RTA), Flight Management (RFMS, AFMS, FMS RTA), Guidance Law (RGLAW, AGLAW, GLAW RTA) and Control Law (RCLAW, ACLAW, CLAW RTA), around the Physical Plant (Control Effectors, Airframe & Engine, Sensors), with a Monitor Manager. Annotation: All feedback channels add further interconnectedness and complexity.]

Page 9:

• Compositional Reasoning Design Approach

  • Isolate analysis of design constraints/requirements at each subcomponent level to “modularize complexity”

  • Construct Assume-Guarantee (A-G) contracts for each subcomponent level

  • Analyze overall system in successively higher levels

    • Children to parent elements => CLAW -> GLAW -> FMS -> MPS

  • Ensure contracts are met at each level and when connected to higher levels

• A-G contracts form the “checks” that are analyzed by the RTA monitors

  • Crossing safety boundary

  • Performance requirements

  • Input/output validity

All part of A-G contracts at each level

Page 10:

• A-G Contracts… (or constraints/design requirements)

[Figure: inner-loop block diagram. Blocks: Guidance System; Controller; Control Effectors (Actuators: Motor, Hydraulics; Control Surfaces); Aircraft (Power Plant: Propeller, Engine; Airframe: Fuselage, Wings, Horiz./Vert. Tail, Landing Gear, Payload, Fuel Tank); Sensors/Processing (INS: State reconstruction). Inputs: Dist (winds/turbulence) on the aircraft, sensor noise w. Commands H_c or Gamma_c, Psi_c or Phi_c, V_c (Altitude or Flight Path Angle, Heading or Bank Angle, Airspeed) are differenced (+/-) against the measured H, heading/bank and V to form the error e; actuator commands and deflections for elevator, aileron, rudder (subscripts e, a, r); state vector x = [X, Y, H, U, V, W, P, Q, R, …]^T; Other state feedback; Feedback to upstream levels. Annotations: A-G contracts can be developed for lower level subsystems – as detailed as needed –; Inputs to morphing wing model.]

Page 11:

• Assumptions on GLAW output (constraints on input to inner-loop)

  • Frequency content assumptions – command frequencies not greater than closed inner-loop bandwidth (actuators have bandwidth limits)

[Equations garbled in extraction: bound constraints on the commanded altitude H_c (between 0 and a max altitude, AGL), commanded airspeed V_c (between stall speed and max speed), commanded altitude rate (a sink-rate limit if descending, a climb-rate limit if climbing), commanded bank angle (max roll) and max roll rate, and commanded airspeed rate. Annotations follow.]

Several “max” altitude definitions (typically functions of weight & g-loading): Service ceiling – max altitude for “efficient flight”; Absolute ceiling or “coffin corner”: stall speed = max speed; For small UAS – max altitude may be defined by other factors such as comm. range

Max roll – loss of lift too great for stable flight

Airspeed limits may be functions of air density, aerodynamic angles, weight & loading, configuration, etc.

May have defined limit on sink rate, especially on final approach to landing; All aircraft have max climb rate limits – function of air density, loading, etc.

Function of roll inertia characteristics, aileron sizing, etc.

Function of engine spool up/down characteristics, drag characteristics, etc.

[Plot: closed inner-loop frequency response with 0 dB line; Commands will be followed below this corner frequency]

In Summary: Assumptions on inner-loop inputs involve constraints on their allowable values, allowable rates of change and frequency content (Don’t “over drive” the inner-loop and it will accurately follow the commanded inputs)

Page 12:

• Assumptions

  • Actuators & control surfaces working properly (No damage or faulted H/W)

• Guarantees

[Equations garbled in extraction: guarantees (1)–(3) keep the commanded and actual deflections and deflection rates of the elevator, aileron and rudder (subscripts e, a, r) between their min and max values, settling time T_settle ≤ T_settle_max, and overshoot < Max overshoot. Annotation: Rate and deflection limits not violated.]

[Plots: step responses labelled (1), (2), (3). One case: All guarantees achieved; A-G Contracts True. Other case: Step change violates rate and freq. content assumptions; (3) Not achieved; (2) Not achieved; (1) Not achieved; A-G Contracts Violated; freq. content assumption violated – cannot follow.]

[Equation (4) garbled in extraction: “2 * *( ) 2 ( ) ( ) 0, = , x t x t x t”]

Page 13:

• Assumptions

  • Sensors working properly

  • Environment assumptions –

    • e.g. For E/O camera – no night time, dust, smoke, clouds

    • Radar altimeter – only used below, say 2000 ft AGL

  • Sensor noise

    • Approx. Gaussian or other characteristics

    • Mean, variance, etc.

• Guarantees

  • Magnitudes on filter residuals < max value for all time (or most of the time)

  • Mag. on peak error < etc.

In Summary: Assumptions: sensors are working properly and are used in an environment they were designed for

Guarantees: Accuracy in measuring sensed values will adhere to specifications

Page 14:

• Assumptions

  • All equipment working properly

  • Environment assumptions –

    • Magnitudes on winds/turbulence < max allowed

• Guarantees

  • Aircraft flying characteristics can be modeled as: [equation garbled in extraction: ẋ = f(x, (·), Dist), or ẋ = A x + B(·) + Dist, with the control-input symbol lost]

    • (aircraft dynamics will be as expected to within some uncertainty delta)

[Equations garbled in extraction: aerodynamic limits expressed as functions of airspeed V (stall and max bounds), body rates [P, Q, R] within min/max bounds, load factor N_z within min/max bounds, and a max bound on q. Annotations: Aerodynamic limits not violated; Attitude stability considerations, or stable flight – no excessive loss of lift, etc.; Structural loading considerations; Actuator hinge moment limits.]

Assume control effector guarantees hold

In Summary: A-G contracts for aircraft will be defined and refined through the configuration design-time cycles
- If assumptions hold…
- Guarantee aircraft dynamics are as expected

Page 15:

• Assumptions

  • All A-G contracts for all other blocks within inner-loop hold true

  • Assumptions on guidance commands hold

• Guarantees

  • Output of controller will be such that:

    • Closed loop system remains stable in attitude dynamics (stability)

    • Certain defined characteristics of the error vector hold (performance)

    • Stability & performance reqs. hold under allowable uncertainty & disturbances (robustness)

  • Stated assumptions on command inputs to control effectors hold

    • Commanded rate/deflection limits not exceeded

    • Frequency content valid

[Equations garbled in extraction: the control law gives the commanded elevator, aileron and rudder deflections (subscripts e, a, r) as a function f* of the state x, disturbance Dist and the error e(t) between the commanded H_c, heading/bank and V_c and their measured values, s.t. a bound on e holds.]

Some norm bound (e.g. peak value) holds, asymptotic stability, etc. – depends on control law design approach

Page 16:

• Reversionary Controller

  • Assumptions

    • Same as general controller

    • Start out in a safe state

  • Guarantees

    • Same as general CLAW and…

    • Specific requirements on RCLAW hold (ability to safely recover to a safe state if activated)

• RTA monitor & switch

  • Assumptions

    • Same as Rev. controller

    • Start out in a safe state

  • Guarantees

    • Ensuing loss of safe state always detected with enough margin s.t. RCLAW can maintain safety if activated

    • Ensuing loss of tracking performance requirements of Advanced Controller always detected with enough margin s.t. minimum required performance always maintained (by RCLAW)

• Advanced Controller

  • Assumptions

    • Same as Rev. or general controller

  • Guarantees

    • None

Now, controller is an RTA protected block

Page 17:

• Safety Check

  • Has state crossed defined safety boundary? (This boundary provides sufficient margin)

• Performance Check

  • Tracking performance (however defined) of altitude, bank angle & airspeed cmds being maintained by advanced controller?

• Output check

  • Are the outputs of the advanced system valid for downstream subsystem?

    • Upper/lower limits on actuator deflection cmds

    • Upper/lower limits on actuator deflection cmd rates

    • Frequency content

• Input check

  • Are GLAW commands coming into current RTA protected feedback level valid?

    • Upper/lower limits, frequency content, etc.

• Environment check

  • Is the platform operating within its defined valid operating conditions?

• System hardware health check (IVHM or FDI check)

  • Are the inputs into the current subsystem trustworthy? (sensor H/W check)

  • Unsafe/anomalous state due to actuator/platform damage?

    • If so, allow advanced system to adapt to changes in platform dynamics, if possible
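The Page 17 check list as an RTA monitor & switch for the CLAW level, written here as an added Python example (not code from the briefing): each cycle it evaluates the input, safety (with margin), performance, output and environment/health terms of the A-G contract and latches to the reversionary controller on any violation. All signal names, limits and sample cycle values are constructed assumptions, and the frequency-content check is represented only by the command-rate term.

```python
"""RTA monitor & switch for the CLAW feedback level (constructed example, not
briefing code). Each cycle it runs the Page 17 checks against the A-G
contract and latches to the reversionary controller on any violation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bounds:
    lo: float
    hi: float

    def contains(self, v):
        return self.lo <= v <= self.hi


@dataclass(frozen=True)
class ClawContract:              # all fields are constructed for illustration
    glaw_cmd: dict               # input check: assumed bounds on GLAW commands
    deflection: dict             # output check: deflection command limits
    deflection_rate: dict        # output check: deflection command rate limits
    state_boundary: dict         # safety check: defined safety boundary per state
    safety_margin: dict          # margin inside the boundary kept for RCLAW recovery
    max_tracking_error: dict     # performance check: allowed |command - state|


class MonitorSwitch:
    def __init__(self, contract, dt):
        self.contract, self.dt = contract, dt    # dt: monitor cycle time (s)
        self.mode = "ADVANCED"
        self.last_sent = None                    # actuator commands sent last cycle

    def check(self, glaw_cmd, state, adv_cmd, env_ok=True, sensors_ok=True):
        """Return the list of violated contract terms (empty means all hold)."""
        c, v = self.contract, []
        for n, b in c.glaw_cmd.items():                 # input check
            if not b.contains(glaw_cmd[n]):
                v.append(f"input:{n}")
        for n, b in c.state_boundary.items():           # safety check with margin
            m = c.safety_margin[n]
            if not Bounds(b.lo + m, b.hi - m).contains(state[n]):
                v.append(f"safety:{n}")
        for n, lim in c.max_tracking_error.items():     # performance check
            if abs(glaw_cmd[n] - state[n]) > lim:
                v.append(f"performance:{n}")
        for n, b in c.deflection.items():               # output check: limits and rates
            if not b.contains(adv_cmd[n]):
                v.append(f"output:{n}")
            if self.last_sent is not None:
                rate = (adv_cmd[n] - self.last_sent[n]) / self.dt
                if not c.deflection_rate[n].contains(rate):
                    v.append(f"output-rate:{n}")
        if not env_ok:                                  # environment check
            v.append("environment")
        if not sensors_ok:                              # hardware health: inputs trustworthy?
            v.append("hardware:sensors")
        return v

    def step(self, glaw_cmd, state, adv_cmd, rev_cmd, env_ok=True, sensors_ok=True):
        """One cycle: (mode, command sent to actuators, violations)."""
        violations = self.check(glaw_cmd, state, adv_cmd, env_ok, sensors_ok)
        if violations:
            self.mode = "REVERSIONARY"   # latch: control is never handed back to ACLAW
        sent = rev_cmd if self.mode == "REVERSIONARY" else adv_cmd
        self.last_sent = dict(sent)
        return self.mode, sent, violations


# Constructed contract values: altitude ft, bank deg, airspeed kt, deflections deg.
CONTRACT = ClawContract(
    glaw_cmd={"altitude": Bounds(200, 10000), "bank": Bounds(-45, 45), "airspeed": Bounds(60, 140)},
    deflection={"elevator": Bounds(-20, 20), "aileron": Bounds(-25, 25), "rudder": Bounds(-30, 30)},
    deflection_rate={"elevator": Bounds(-60, 60), "aileron": Bounds(-80, 80), "rudder": Bounds(-60, 60)},
    state_boundary={"altitude": Bounds(100, 11000), "bank": Bounds(-60, 60), "airspeed": Bounds(55, 150)},
    safety_margin={"altitude": 50, "bank": 5, "airspeed": 5},
    max_tracking_error={"altitude": 100, "bank": 10, "airspeed": 10},
)


def run_demo():
    """Four constructed 50 Hz cycles; the advanced controller steps the elevator on cycle 3."""
    glaw = {"altitude": 1500.0, "bank": 10.0, "airspeed": 100.0}
    state = {"altitude": 1490.0, "bank": 9.0, "airspeed": 101.0}
    rev = {"elevator": 1.5, "aileron": 2.5, "rudder": 0.0}
    adv_sequence = [
        {"elevator": 2.0, "aileron": 3.0, "rudder": 0.5},
        {"elevator": 2.8, "aileron": 3.2, "rudder": 0.5},   # 40 deg/s, inside the 60 deg/s limit
        {"elevator": 12.0, "aileron": 3.2, "rudder": 0.5},  # step change: 460 deg/s, violates rate term
        {"elevator": 2.0, "aileron": 2.5, "rudder": 0.0},   # back in limits, but the switch is latched
    ]
    ms, out = MonitorSwitch(CONTRACT, dt=0.02), []
    for adv in adv_sequence:
        mode, _sent, violations = ms.step(glaw, state, adv, rev)
        out.append((mode, violations))
    return out
```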

Page 18:

[Figure: inner-loop block diagram as on Page 10 (Guidance System, Controller, Control Effectors, Aircraft, Sensors/Processing with INS: State reconstruction; Dist (winds/turbulence); sensor noise w), now with commands H_c, Phi_c, V_c (Altitude, Bank Angle, Airspeed) differenced (+/-) against the measured values to form the error e, actuator commands and deflections (subscripts e, a, r), state vector x = [X, Y, H, U, V, W, P, Q, R, …]^T, Other state feedback and Feedback to upstream levels. Below it, the simplified loop Guidance System → CLAW → Plant with commands H_c, Phi_c, V_c; Plant includes control effectors, airframe, sensors.]

Page 19:

• From “child-to-parent” reasoning

• Guidance Law sees the Closed Inner Loop as:

[Figure: the loop Guidance System → CLAW → Plant with commands H_c, Phi_c, V_c collapses to Guidance System → Certified Closed Inner Loop (CCIL) with the same commands H_c, Phi_c, V_c. Annotations: Again, could be a DTA_claw or RTA Protected ACLAW/RCLAW - Guidance system sees it as a black box that is safe at all times; Certified to be safe and correctly operating at all times.]
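The child-to-parent reasoning of Pages 9 and 19 as an added Python example that is not part of the briefing: blocks carry interval A-G contracts, composing them discharges the internal assumptions (each producer's guarantee must lie within the consumer's assumption), and the parent level sees only the resulting black-box contract. Block names beyond those on the slides, all signal names and all bounds are constructed assumptions.

```python
"""Child-to-parent composition of interval A-G contracts (constructed example,
not code from the briefing). Each block assumes bounds on its inputs and
guarantees bounds on its outputs; composing blocks discharges the internal
assumptions and leaves the black-box contract the parent level sees."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def within(self, outer):
        return outer.lo <= self.lo and self.hi <= outer.hi


@dataclass(frozen=True)
class Block:
    name: str
    assumes: dict       # input signal -> interval the block requires it to stay in
    guarantees: dict    # output signal -> interval the block keeps it in, given assumes


def compose(name, blocks):
    """Return (composite Block, problems). A signal guaranteed by one block and
    assumed by another is internal: the guarantee must lie within the assumption
    or a problem is reported. Unproduced assumptions and unconsumed guarantees
    become the composite's contract."""
    produced, problems = {}, []
    for b in blocks:
        for sig, g in b.guarantees.items():
            if sig in produced:
                problems.append(f"{sig} produced by both {produced[sig][0]} and {b.name}")
            produced[sig] = (b.name, g)
    ext_assumes, consumed = {}, set()
    for b in blocks:
        for sig, a in b.assumes.items():
            if sig in produced:
                consumed.add(sig)
                pname, g = produced[sig]
                if not g.within(a):
                    problems.append(f"{pname} guarantees {sig} in [{g.lo}, {g.hi}] "
                                    f"but {b.name} assumes [{a.lo}, {a.hi}]")
            else:   # external input; two blocks assuming it share the tighter bound
                prev = ext_assumes.get(sig, a)
                ext_assumes[sig] = Interval(max(prev.lo, a.lo), min(prev.hi, a.hi))
    ext_guarantees = {sig: g for sig, (_, g) in produced.items() if sig not in consumed}
    return Block(name, ext_assumes, ext_guarantees), problems


# Constructed contracts (deg, deg/s, ft, s): a bank-axis slice of the Page 10 inner loop.
EFFECTORS = Block("Control effectors",
    assumes={"ail_cmd": Interval(-25, 25), "ail_cmd_rate": Interval(-80, 80)},
    guarantees={"ail_defl": Interval(-25, 25), "settle_time": Interval(0, 0.3)})
AIRFRAME = Block("Airframe",
    assumes={"ail_defl": Interval(-30, 30), "wind": Interval(0, 30)},
    guarantees={"roll_rate": Interval(-60, 60)})
SENSORS = Block("Sensors",
    assumes={"roll_rate": Interval(-90, 90)},
    guarantees={"roll_rate_err": Interval(-0.5, 0.5)})
CLAW = Block("CLAW",
    assumes={"bank_cmd": Interval(-45, 45), "bank_cmd_rate": Interval(-30, 30),
             "roll_rate_err": Interval(-1, 1)},
    guarantees={"ail_cmd": Interval(-22, 22), "ail_cmd_rate": Interval(-70, 70),
                "bank_track_err": Interval(-3, 3)})
GLAW = Block("GLAW",
    assumes={"waypoint_spacing": Interval(500, 1e9), "bank_track_err": Interval(-5, 5)},
    guarantees={"bank_cmd": Interval(-40, 40), "bank_cmd_rate": Interval(-35, 35)})


def build_ccil():
    """CLAW + plant -> Certified Closed Inner Loop, the black box the GLAW sees (Page 19)."""
    return compose("CCIL", [CLAW, EFFECTORS, AIRFRAME, SENSORS])


def build_ccgc():
    """GLAW + CCIL -> closed guidance loop; here GLAW over-drives the inner loop's rate assumption."""
    ccil, problems = build_ccil()
    ccgc, more = compose("CCGC", [GLAW, ccil])
    return ccgc, problems + more
```

The reported problem is exactly the Page 11 failure mode: the GLAW's commanded bank rate guarantee is wider than the inner loop's assumption, so the composite contract does not close until one side is tightened.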

Page 20:

• Let’s construct the A-G contracts for each element around the GLAW feedback loop

[Figure: the Flight Management System (FMS) sends Waypoints to the Guidance System, which commands H_c, Phi_c, V_c to the Certified Closed Inner Loop (CCIL); States and Feedback to higher levels are returned.]

Page 21:

• Assumptions

  • Inputs to GLAW are waypoints

  • Assume these waypoints adhere to standardized industry guidelines

    • Positioning of waypoints shall not require climb, descent or turning performance beyond vehicle’s capabilities

    • Waypoints shall not be spaced so close together that vehicle cannot properly follow them

    • Waypoints shall not be placed in hazardous locations (near objects, terrain that can lead to collisions, etc.)

    • Waypoints shall not be placed in defined no fly zones

    • Waypoints shall not be placed in restricted airspace

    • etc….

Page 22:

• Assumptions

  • Inputs to CCIL – already covered

• Guarantees

  • Vehicle is stable in attitude

  • Vehicle is structurally intact

  • Airflow attached, etc.

  • Vehicle closely follows GLAW cmds. by some performance metrics

Page 23:

• Assumptions

  • A-G contracts for CCIL block & A’s on waypoint inputs hold

• Guarantees

  • Output of GLAW will be such that:

    • Spatial safety maintained at all times

    • Closed outer-loop system remains stable in translational dynamics (stability)

      • Vehicle remains within a defined safety corridor or Required Separation Volume

      • (Vehicle is approximately where it is supposed to be)

    • Certain defined path following characteristics hold (performance)

    • Stability & performance reqs. hold under allowable uncertainty & disturbances (robustness)

      • (Vehicle is approximately where it is supposed to be within a certain accuracy subject to modeling uncertainties, winds/turbulence)

  • Stated assumptions on command inputs to the CCIL hold (see last slide)

Page 24:

• Reversionary GLAW (covers General GLAW A-G’s, but more specific)

  • Assumptions

    • Same as general GLAW

    • Start out in a safe state

  • Guarantees

    • Same as general GLAW and…

    • Specific requirements on RGLAW hold (able to safely maintain tracking performance/remain in safe place if activated)

• RTA monitor & switch

  • Assumptions

    • Same as RGLAW

    • Start out in a safe state

  • Guarantees

    • Ensuing loss of safe state always detected with enough margin s.t. RGLAW can maintain safety (stay within safe volume) if activated

    • Ensuing loss of waypoint following performance requirements of AGLAW always detected with enough margin s.t. minimum required performance always maintained (by RGLAW)

• Advanced GLAW

  • Assumptions

    • Same as RGLAW or general GLAW

  • Guarantees

    • None

Page 25:

• Safety Check

  • Has state crossed defined safety boundary? (This boundary provides sufficient margin)

• Performance Check

  • Waypoint tracking performance (however defined) being maintained by advanced GLAW?

• Output check

  • Are the outputs of the advanced system valid for downstream subsystem?

    • Upper/lower limits on altitude, bank angle & airspeed cmd.

    • Frequency content

• Input check

  • Are FMS commands coming into RTA protected GLAW valid?

    • Requirements on waypoint placement, etc.

• Environment check

  • Is the platform operating within its defined valid operating conditions?

• System hardware health check (IVHM or FDI check)

  • Are the inputs into the current subsystem trustworthy? (sensor H/W check)

  • etc.

Page 26:

• GLAW feedback system…

• FMS feedback system

[Figure, two stacked loops. GLAW feedback system: the Flight Management System (FMS) sends Waypoints to the Guidance System, which commands H_c, Phi_c, V_c to the Certified Closed Inner Loop (CCIL), Certified to be safe and correctly operating at all times; States and Feedback to higher levels are returned. FMS feedback system: the Mission Planning System (MPS) sends FMS_In to the FMS, which sends Waypoints to the Certified Closed G&C System (CCGC), Certified to be safe and correctly operating at all times (stable in attitude, stable in translation, etc…); States and Feedback to higher levels are returned.]

Page 27:

• FMS_In (current mission plan)

  • Mission level critical locations defined

    • Rendezvous points, objective locations, etc.

  • Required mission segment arrival/completion times

  • Hazard & no-fly locations defined

  • Current “flight plans” of neighboring fleetmates passed through

  • Global or theater-wide information (for longer horizon planning purposes)

• Assumptions

  • H/W working correctly – radios for intra-fleet transmissions working

  • Sensors to detect hazards/obstacles working properly

  • Fleetmates doing correct things (if “broken” they leave proximity of fleet, adhering to proper protocols)

  • FMS_In information all correct

    • Current mission plan physically achievable

    • Hazard and other theater/environment information correct (or accurate enough)

Page 28:

• A-G Contract of CCGC

  • Assumptions

    • Already covered

  • Guarantees

    • Already covered

Page 29:

• Assumptions

  • See last slides (All other A-G contracts hold for this loop)

• Guarantees

  • A safe path home is currently available to the ownship

  • Ownship has enough fuel reserves to get home by that safe path

  • FMS is generating airspeeds such that the ownship can stay within its safety corridor

  • Waypoints generated by FMS avoid all known obstacles, no-fly zones, ground, fleetmates

  • Path is deconflicted with fleetmates through negotiations

  • Intra-fleet communications correctly pass path plans to/from each vehicle in fleet

  • Waypoints are positioned such that defined safety corridor is deconflicted with all known obstacles

  • Solution (waypoint locations, commanded airspeeds) for next MS completed before arriving at next RP

  • Solution adheres to all constraints defined by MPS (e.g. vehicle maintains its “slot” w.r.t. fleetmates)

  • Waypoint locations adhere to defined protocols (TERPs)

  • Path defined by waypoints is flyable

  • Commanded airspeeds are such that MPS timing plan is achieved

    • Ownship arrives at next RP at proper time (within some margin)

  • Other design-specific guarantees

    • Some min-distance performance metric is met

    • Safety margins maximized

    • Weather conditions addressed properly

    • Geographic conditions addressed properly


Page 31:

• GLAW feedback system…

• FMS feedback system

• MPS feedback system

[Figure, three stacked loops. GLAW feedback system: the Flight Management System (FMS) sends Waypoints to the Guidance System, which commands H_c, Phi_c, V_c to the Certified Closed Inner Loop (CCIL), Certified to be safe and correctly operating at all times; States and Feedback to higher levels are returned. FMS feedback system: the Mission Planning System (MPS) sends FMS_In to the FMS, which sends Waypoints to the Certified Closed G&C System (CCGC), Certified to be safe and correctly operating at all times (stable in attitude, stable in translation, etc…); States and Feedback to higher levels are returned. MPS feedback system: MPS_In (fleet planning) enters the MPS, which sends RPs, timing plan to the Certified Closed G&C&FMS System (CCGCFMS), Certified to be safe and correctly operating at all times (stable in attitude, stable in translation, fleet is deconflicted and flying to objectives at correct timing, etc…); States are returned.]

Page 32:

• RMPS = Air Tasking Order (ATO)

  • (Details of ATOs not readily available in public domain)

• AMPS

  • Includes autonomous decision making capabilities

  • Can add additional tasks during mission operations

• Assumptions

  • Initial Air Tasking Order (ATO) is correct

  • Main updates to ATO during mission (from C&C center) are correct

• Guarantees

  • RTA protected MPS adheres to ATO plan

    • Rules/Constraints/Objectives

  • RTA monitors that min. reqs. of ATO are achieved

Page 33:

• Initial look into using GSN diagrams

  • Our focus: use GSN tool like a fault tree analysis with fault mitigation arguments (mitigation comes from using RTA system)

• Fundamental safety case argument from compositional reasoning used in constructing GSN diagrams

  • Started with overarching goal: fleet of vehicles successfully completes mission (ATO)

[Figures: Top level diagram argues safety maintained for fleet as long as each vehicle acting properly; GSN Template for single vehicle at one feedback level]

Page 34:

[Figures: MPS Level Safety Argument; FMS Level Safety Argument; GLAW Level Safety Argument; CLAW Level Safety Argument]

Page 35:

• Highly complex systems will have highly complex RTA protection

  • Objective of RTA protection is to allow fielding of uncertifiable advanced systems

  • This can only be accomplished if overall RTA protected system can be certified (which will be difficult)

• Building a safety case for complex system

  • Compositional reasoning approach partitions complexity into manageable subsystems

  • Safety assured if Assume-Guarantee (A-G) contracts hold

  • RTA system can be viewed as an A-G contract checker