
Certification Challenges for Autonomous Flight Control System

Mr. David B. Homan
AFRL Air Vehicles Directorate
david.homan@wpafb.af.mil
(937) 255 - 4026
Cooperative Airspace Operations
Background

To be effective assets in the force structure and mission plans, UAS’s must …

• Be Safe & Reliable
• Be Responsive & Effective
• Be Interoperable
• Not Adversely Affect Operations Capability
VACC Technical Paper Nr. VAO-04-288. Cleared for Public Release on 11 Aug 04. AFRL-WS 04-0578
Background: Flight Safety and Manned/Unmanned Functional Migration

[Figure header: Mission Critical | Situational awareness | Flight Critical]

Manned Aircraft (Off-board / On-board): Mission Mgmt, Flight Mgmt, Vehicle Mgmt
Pilot is Integrator and Contingency Manager; FMS is mostly advisory.

Unmanned Aircraft (Off-board / On-board): Situational awareness? Mission Mgmt, Flight Mgmt, Vehicle Mgmt
FMS and VMS provide Integration and Contingency Mgmt; Operator manages at high-level.

For UAVs, “Pilot” functions becomes huge design and V&V issue
Background: V&V Requirements

Mission Critical
• System Focus is Performance/Security
• Performance Metric: Throughput and Bandwidth [event driven]
• Assurance Metric: Probability of Mission Success [Simplex or Back-up]
• Confidence Rqmt: Performance and security are validated.
• Consequence of Failure: Potential mission failure

Flight Critical
• System Focus is Performance/Assurance
• Performance Metric: Sampling Rate and Latency [time triggered]
• Assurance Metric: Probability of Loss of Control [Triplex or Quad] and N x Fail Op/Fail Safe
• Confidence Rqmt: Performance and Assurance must be validated; [Failure Modes and Effects Testing]
• Consequence of Failure: Loss of Aircraft, potential loss of life

Flight Critical V&V isn’t just a software issue, it’s a system issue!!

Rule of Thumb: When you mix mission with flight criticality, the testing is held to the most stringent requirement.

Developmental Timeline: Flight Critical ready by First Flight! Any change requires Total Re-test!
New Capabilities Challenge V&V

New Capabilities (and increasing complexity) are presenting new challenges to the V&V problem.

• Mixed Criticality Architecture: Non-obtrusive co-existence of mixed criticality
• Adaptive/Learning/Multi-Modal Functions: Indeterminate or untraceable functionality
• Mixed Initiative/Authority Mgmt: Human/autonomy or autonomy/autonomy interactions
• Multi-Entity Systems: Functions that encompass multiple platforms.
• Sensor Fusion/Integration: Highly confident sensor-derived information

These new systems/capabilities need to be affordably provable
Mixed Criticality Challenge

How can we separate the mission and flight critical functionality so as to guarantee safety?

[Figure labels: Processors; backplanes; Serial bus; A, B, C, X]

SOA: Middleware that provides time/space partitioning (ARINC 653).

Issue:
Both criticalities use common HW resources (i.e. processors, backplanes, busses etc.); how do we determine PLOC and fault tolerance?
• Understand failure mechanisms for partitioning
• Non-critical function must not take out shared resources… or the probability of its occurrence is predictable…
• Need guarantee on fault tolerance

Answer may reside in a SW/HW architecture specifically designed for mixed operation
Adaptive/Learning/Multimodal Challenge

How can we trust functionality that we may not be able to fully test?

[Figure: network diagram; layers: Input Layer, 1st Hidden Layer, 2nd Hidden Layer, Output Layer; labels: Delta X, Delta Y, Delta Z, Delta X Dot, Delta Y Dot, Delta Z Dot, Delta A+B+C, Delta CATA; Align Flight Vector, Move Towards Assigned Position, Maintain a Minimum Distance]

SOA: We must try to test the complete functional envelope (till $$ runs out…)!

Issue:
Some new Control capabilities are untraceable and/or non-deterministic
• Adaptive systems
  • Huge test space
  • Perfect Input data
• Learning systems
  • Environmental stimuli
  • Lost memory
• Multi-modal systems
  • Mode transition stability
  • Mode synchronization
  • Recovery mode

Answer may reside in bounding the function in run-time to known safe behavior.
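
One way to bound an adaptive or learning control law at run time, as an added example that is not from the original briefing: a monitor passes the adaptive command only while it stays inside a pre-verified envelope, otherwise issues a baseline command, and latches to the baseline after repeated violations. The envelope limits, TRIP_COUNT, and all type and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-axis limits (normalized units), assumed for this example. */
typedef struct { double cmd_min, cmd_max, rate_max; } envelope_t;
typedef struct {
    double last_cmd;   /* last command actually issued */
    int    violations; /* consecutive frames the adaptive law was rejected */
    bool   latched;    /* true once the baseline law holds authority */
} monitor_t;
#define TRIP_COUNT 3   /* assumed persistence threshold before latching */

/* Inside absolute and per-frame rate limits? NaN/Inf fail the first test. */
static bool in_envelope(const envelope_t *e, double last, double cmd)
{
    if (!(cmd >= e->cmd_min && cmd <= e->cmd_max)) return false;
    double step = cmd > last ? cmd - last : last - cmd;
    return step <= e->rate_max;
}

/* Issue the adaptive output only while it stays in the envelope; otherwise
   issue the clamped baseline. TRIP_COUNT consecutive rejections latch to it. */
double monitor_step(monitor_t *m, const envelope_t *e, double adaptive, double baseline)
{
    double out = baseline;
    if (!m->latched && in_envelope(e, m->last_cmd, adaptive)) {
        m->violations = 0;
        out = adaptive;
    } else {
        if (!m->latched && ++m->violations >= TRIP_COUNT) m->latched = true;
        if (!(out >= e->cmd_min)) out = e->cmd_min;   /* also catches NaN */
        if (out > e->cmd_max) out = e->cmd_max;
    }
    m->last_cmd = out;
    return out;
}

int main(void)
{
    const envelope_t env = { -1.0, 1.0, 0.2 };               /* constructed */
    const double adaptive[] = { 0.1, 0.9, 5.0, -3.0, 0.1 };  /* constructed */
    monitor_t m = { 0.0, 0, false };
    for (int i = 0; i < 5; i++) {
        double cmd = monitor_step(&m, &env, adaptive[i], 0.05);
        printf("frame %d: cmd=%.2f latched=%d\n", i, cmd, m.latched);
    }
    return 0;
}
```

With this structure the exhaustive testing effort concentrates on the monitor and the baseline law, while the switch between laws is itself a mode transition of the kind listed above.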
Mixed Initiative Challenge

AF Poster Child: Auto-Aerial Refueling (AAR)

How can man and autonomy safely interact?

SOA: Human operator always gets authority!

Issue:
Human operator may not have all the information or be able to comprehend the situation in real-time:
• Situational Awareness versus Response Time
• Assessment of UAV mode/state/health
• Assessment of surrounding environment
• “Consequence of mishap” is a factor
• Complete system health is a factor
• Workload is a factor

Answer may reside in an authority management specification that would allow the correct party to have decision authority.
Multi-Entity Challenge

How can we trust systems with multiple players to safely perform cooperative functions?

SOA: Keep humans away and hope for the best…

Issue:
Entities participating in the coordinated function may not be part of individual V&V testing:
• Linked Interface Control Documents?
• Entities with different manufacturers?
• System Configuration Management?
• Mission-specific programming?

Answer may reside in a specification for contingency management, based on system degradation
High Confidence Sensing Challenge

How can we trust visual/radar systems for flight critical functions?

SOA: Brute force and analytic redundancy

Issue:
Mission-style sensors don’t have acceptable real-time methods for FDIR…
• Sensors will likely be multi-function!
• Redundant HW may not be answer, redundant information?
• Built-in-test may not provide good real-time coverage.
• Reliable signal processing/sensor fusion software

Answer may reside in sensor designs that compensate for sensor degradation and plan for contingencies