Softwalls: Preventing Aircraft from Entering Unauthorized Airspace

Adam CataldoProf. Edward LeeProf. Ian Mitchell, UBCProf. Shankar Sastry

NASA JUPSep 26, 2003Los Angeles, CA

Outline

• Introduction to Softwalls • Objections• Control system progress• Future challenges• Conclusions

Introduction

• On-board database with “no-fly-zones”• Enforce no-fly zones using on-board

avionics• Non-networked, non-hackable

Autonomous control

Pilot

Aircraft

Autonomouscontroller

Softwalls is not autonomous control

Pilot

Aircraft

Softwalls

+

bias pilotcontrol

Relation to Unmanned Aircraft

• Not an unmanned strategy– pilot authority

• Collision avoidance

A deadly weapon?

• Project started September 11, 2001

Design Objectives

Maximize Pilot Authority!

Unsaturated Control

No-flyzone

Control applied

Pilot lets off controls

Pilot turns away from no-fly zone

Pilot tries to fly into no-fly

zone

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

There is No Emergency That Justifies Landing Here

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

• There is no override– switch in the cockpit

Hardwall

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

• There is no override– switch in the cockpit

• Localization technology could fail– GPS can be jammed

Localization Backup

• Inertial navigation• Integrator drift

limits accuracy range

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

• There is no override– switch in the cockpit

• Localization technology could fail– GPS can be jammed

• Deployment could be costly– Software certification? Retrofit older

aircraft?

Deployment

• Fly-by-wire aircraft– a software change

• Older aircraft– autopilot level

• Phase in– prioritize airports

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

• There is no override– switch in the cockpit

• Localization technology could fail– GPS can be jammed

• Deployment could be costly– how to retrofit older aircraft?

• Complexity– software certification

Not Like Air Traffic Control

• Much Simpler• No need for

air traffic controller certification

Objections

• Reducing pilot control is dangerous– reduces ability to respond to emergencies

• There is no override– switch in the cockpit

• Localization technology could fail– GPS can be jammed

• Deployment could be costly– how to retrofit older aircraft?

• Deployment could take too long– software certification

• Fully automatic flight control is possible– throw a switch on the ground, take over plane

Potential Problems with Ground Control

• Human-in-the-loop delay on the ground– authorization for takeover– delay recognizing the threat

• Security problem on the ground– hijacking from the ground?– takeover of entire fleet at once?– coup d’etat?

• Requires radio communication– hackable– jammable

Here’s How It Works

Reachable Set

starting at a pointin the state space

set of all points reachable with some control input

reachable set

Backwards Reachable Set

given a final pointin the state space

set of all states that can reach the final point for some control input

backwards reachable set

Backwards Reachable Set

No-fly zone

Backwards reachable set

Safe States

States that canreach the no-flyzone when control is appliedCan prevent aircraft from

entering no-fly zone

Implicit Surface Functions

No-fly zone

implicit surface functionfor no-fly zone

Backwards Reachable Set

implicit surface functionfor backwards reachable set

Analytic Solution

• Hamilton-Jacobi-Isaacs PDE

no-fly zone implicit surface function

dynamics

backwards reachable set implicit surface function

• Tomlin, Lygeros, Sastry

v

Control from Implicit Surface Function

BackwardsReachable

Set

Safe States Safe States

Control atboundary

Control decreases

to zero

Numerical Solution

• Mitchell

states

1 2 3 4

computations&

storage

Assumptions for Verification

• The pilot and control inputs could be any bounded, measurable functions

In Fly-By-Wire Aircraft

• The pilot and control inputs will be piecewise constant, bounded functions which can change only every T milliseconds

T

Fly-By-Wire Aircraft

• How do we verify this?

In the News

• ABC News• NPR Market Place• CBC As It Happens• Slashdot• Reuters…

Conclusions

• Embedded control system challenge

• Control theory identified

• Future challenges identified

Acknowledgements

• Xiaojun Liu• Steve Neuendorffer• Claire Tomlin

Backup

• Discrete-Time Modified HJI PDE

)()0,(

)1),),(,((minmax

),1,(min),(

*

*

][

*

*

ylyJ

keeygJ

kyJkyJ

DeUD