
Certification Challenges for Autonomous Flight Control System

Mr. David B. Homan

AFRL Air Vehicles Directorate

[email protected]

(937) 255 - 4026

VACC Technical Paper Nr. VAO-04-288. Cleared for Public Release on 11 Aug 04. AFRL-WS 04-0578

Cooperative Airspace Operations Background

To be effective assets in the force structure and mission plans, UAS’s must …

• Be Safe & Reliable

• Be Responsive & Effective

• Be Interoperable

• Not Adversely Affect Operations Capability


Background: Flight Safety and Manned/Unmanned Functional Migration

[Figure: functional migration diagram. Columns: Manned Aircraft vs. Unmanned Aircraft. Rows: Flight Mgmt, Vehicle Mgmt, Mission Mgmt, each marked Flight Critical or Mission Critical and On-board or Off-board. Callouts: “Situational awareness” (manned); “Situational awareness?” (unmanned).]

Manned Aircraft: Pilot is Integrator and Contingency Manager; FMS is mostly advisory.

Unmanned Aircraft: FMS and VMS provide Integration and Contingency Mgmt; Operator manages at high-level.

For UAVs, “Pilot Function” becomes huge design and V&V issue


Background: V&V Requirements

Mission Critical:

• System Focus is Performance/Security

• Performance Metric: Throughput and Bandwidth [event driven]

• Assurance Metric: Probability of Mission Success [Simplex or Back-up]

• Confidence Rqmt: Performance and security are validated.

• Consequence of Failure: Potential mission failure

Flight Critical:

• System Focus is Performance/Assurance

• Performance Metric: Sampling Rate and Latency [time triggered]

• Assurance Metric: Probability of Loss of Control and N x Fail Op/Fail Safe [Triplex or Quad]

• Confidence Rqmt: Performance and Assurance must be validated; [Failure Modes and Effects Testing]

• Consequence of Failure: Loss of Aircraft, potential loss of life

Rule of Thumb: When you mix mission with flight criticality, the testing is held to the most stringent requirement.

Developmental Timeline: Flight Critical ready by First Flight! Any change requires Total Re-test!

Flight Critical V&V isn’t just a software issue, it’s a system issue!!


New Capabilities Challenge V&V

• Mixed Criticality Architecture: Non-obtrusive co-existence of mixed criticality

• Adaptive/Learning/Multi-Modal Functions: Indeterminate or untraceable functionality

• Mixed Initiative/Authority Mgmt: Human/autonomy or autonomy/autonomy interactions

• Multi-Entity Systems: Functions that encompass multiple platforms.

• Sensor Fusion/Integration: Highly confident sensor-derived information

These new systems/capabilities need to be affordably provable.

New Capabilities (and increasing complexity) are presenting new challenges to the V&V problem.


Mixed Criticality Challenge

How can we separate the mission and flight critical functionality so as to guarantee safety?

SOA: Middleware that provides time/space partitioning (ARINC 653).

Issue:

Both criticalities use common HW resources (e.g. processors, backplanes, busses, etc.); how do we determine PLOC and fault tolerance?

• Understand failure mechanisms for partitioning

• Non-critical function must not take out shared resources… Or the probability of its occurrence is predictable…

• Need guarantee on fault tolerance

[Figure: processors A, A, A, B, B, C sharing backplanes and a serial bus, with some elements marked X.]

Answer may reside in a SW/HW architecture specifically designed for mixed operation
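The time partitioning the slide names (ARINC 653) can be pictured with a toy scheduler, added here as an illustration and not part of the AFRL paper; partition names, window sizes and the runaway demand are constructed values:

```c
/* Added example, not from the AFRL paper: a toy model of ARINC 653-style time
 * partitioning versus an unpartitioned run-to-completion schedule. Partition
 * names, window sizes and the runaway demand are constructed values. The
 * flight partition needs its whole window every major frame; the mission
 * partition misbehaves and demands far more than the frame. */
#include <stdio.h>

#define FRAME_MS 100   /* major frame length (constructed) */

typedef struct {
    const char *name;
    int window_ms;     /* budget in the schedule table */
    int demand_ms;     /* CPU time the partition tries to use per frame */
    int deadline_miss; /* frames in which it got less than its window */
} partition_t;

/* One major frame. With `partitioned` set, each partition is cut off at its
 * window boundary. Without it, partitions run to completion in table order,
 * so a runaway consumer starves whoever follows it. */
static void run_frame(partition_t *p, int n, int partitioned) {
    int left = FRAME_MS;
    for (int i = 0; i < n; i++) {
        int cap = partitioned ? p[i].window_ms : left;
        int got = p[i].demand_ms < cap ? p[i].demand_ms : cap;
        if (got < p[i].window_ms) p[i].deadline_miss++;
        /* A partitioned window elapses whole even if its owner idles. */
        left -= partitioned ? p[i].window_ms : got;
    }
}

/* Deadline misses of the flight partition over `frames` major frames. */
int flight_misses(int partitioned, int frames) {
    partition_t p[2] = {
        { "mission", 60, 500, 0 },   /* runaway: wants 5x the whole frame */
        { "flight",  40,  40, 0 },
    };
    for (int f = 0; f < frames; f++) run_frame(p, 2, partitioned);
    return p[1].deadline_miss;
}

int main(void) {
    printf("flight deadline misses, partitioned:   %d\n", flight_misses(1, 10));
    printf("flight deadline misses, unpartitioned: %d\n", flight_misses(0, 10));
    return 0;
}
```

This models only the time dimension; a real ARINC 653 kernel also enforces memory (space) partitioning, and the slide's open question about shared backplanes and busses is not answered by either.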


Adaptive/Learning/Multimodal Challenge

[Figure: neural-network controller. Input layer: Delta X, Delta Y, Delta Z, Delta X dot, Delta Y dot, Delta Z dot, Delta A+B+C, Delta CATA; 1st and 2nd hidden layers; output layer: Maintain a Minimum Distance, Move Towards Assigned Position, Align Flight Vector.]

How can we trust functionality that we may not be able to fully test?

SOA: We must try to test the complete functional envelope (till $$ runs out…)!

Issue: Some new Control capabilities are untraceable and/or non-deterministic

• Adaptive systems: huge test space; perfect input data

• Learning systems: environmental stimuli; lost memory

• Multi-modal systems: mode transition stability; mode synchronization; recovery mode

Answer may reside in bounding the function in run-time to known safe behavior.
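One way to read “bounding the function in run-time to known safe behavior” is a simplex-style run-time assurance wrapper, shown here as an added example that is not code from the paper; the stopping-distance envelope, its numeric values and the placeholder adaptive controller are assumptions:

```c
/* Added example, not from the AFRL paper: a run-time assurance ("simplex")
 * wrapper bounding an untrusted adaptive controller to a provable envelope,
 * here the slide's "maintain a minimum distance" output: the vehicle must
 * always be able to brake to a stop before d_min along the line of sight.
 * Envelope values and the adaptive controller are constructed placeholders. */
typedef struct { double a_max, d_min, dt; } envelope_t; /* braking limit, separation, period */
typedef struct { double accel; int overridden; } decision_t;
static const envelope_t demo_env = { 2.0, 10.0, 0.1 };

/* Recoverable: full braking from the predicted next state stops short of
 * d_min, i.e. closure^2 <= 2 * a_max * (range - d_min). */
static int next_recoverable(const envelope_t *e, double range, double closure, double accel) {
    double v1 = closure + accel * e->dt;
    double d1 = range - closure * e->dt - 0.5 * accel * e->dt * e->dt;
    if (d1 <= e->d_min) return 0;
    if (v1 <= 0.0) return 1;                       /* stopped or opening */
    return v1 * v1 <= 2.0 * e->a_max * (d1 - e->d_min);
}

/* Untrusted adaptive controller (placeholder): always pushes to close faster. */
static double adaptive_controller(double range, double closure) {
    (void)closure;
    return range > 50.0 ? 3.0 : 1.0;
}

/* Simplex decision: keep the adaptive output only if the next state stays
 * recoverable; otherwise switch to the verified baseline (full braking) and
 * record the override so the decision is traceable after the flight. */
decision_t bound_command(const envelope_t *e, double range, double closure) {
    decision_t d = { adaptive_controller(range, closure), 0 };
    if (!next_recoverable(e, range, closure, d.accel)) {
        d.accel = -e->a_max;
        d.overridden = 1;
    }
    return d;
}

/* Closed loop for `steps` periods; returns the smallest range reached. */
double min_range_closed_loop(const envelope_t *e, double range, double closure, int steps) {
    double lo = range;
    for (int i = 0; i < steps; i++) {
        decision_t d = bound_command(e, range, closure);
        range -= closure * e->dt + 0.5 * d.accel * e->dt * e->dt;
        closure += d.accel * e->dt;
        if (range < lo) lo = range;
    }
    return lo;
}
```

The adaptive controller is never trusted on its own; what gets certified is the envelope check and the baseline, which is the part that can be tested exhaustively.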


Mixed Initiative Challenge

How can man and autonomy safely interact?

SOA: Human operator always gets authority!

Issue:

Human operator may not have all the information or be able to comprehend the situation in real-time:

• Situational Awareness versus Response Time

• Assessment of UAV mode/state/health

• Assessment of surrounding environment

• “Consequence of mishap” is a factor

• Complete system health is a factor

• Workload is a factor

AF Poster Child: Auto-Aerial Refueling (AAR)

Answer may reside in an authority management specification that would allow the correct party to have decision authority.


Multi-Entity Challenge

How can we trust systems with multiple players to safely perform cooperative functions?

SOA: Keep humans away and hope for the best…

Issue:

Entities participating in the coordinated function may not be part of individual V&V testing:

• Linked Interface Control Documents?

• Entities with different manufacturers?

• System Configuration Management?

• Mission-specific programming?

Answer may reside in a specification for contingency management, based on system degradation


High Confidence Sensing Challenge

How can we trust visual/radar systems for flight critical functions?

SOA: Brute force and analytic redundancy

Issue:

Mission-style sensors don’t have acceptable real-time methods for FDIR…

• Sensors will likely be multi-function!

• Redundant HW may not be the answer; redundant information?

• Built-in-test may not provide good real-time coverage.

• Reliable signal processing/sensor fusion software

Answer may reside in sensor designs that compensate for sensor degradation and plan for contingencies