
    Formally Verified Next-Generation Airborne Collision Avoidance Games in ACAS X

    The design of aircraft collision avoidance algorithms is a subtle but important challenge that merits the need for provable safety guarantees. Obtaining such guarantees is nontrivial given the unpredictability of the interplay of the intruder aircraft decisions, the ownship pilot reactions, and the subtlety of the continuous motion dynamics of aircraft. Existing collision avoidance systems, such as TCAS and the Next-Generation Airborne Collision Avoidance System ACAS X, have been analyzed assuming severe restrictions on the intruder's flight maneuvers, limiting their safety guarantees in real-world scenarios where the intruder may change its course. This work takes a conceptually significant and practically relevant departure from existing ACAS X models by generalizing them to hybrid games with first-class representations of the ownship and intruder decisions coming from two independent players, enabling significantly advanced predictive power. By proving the existence of winning strategies for the resulting Adversarial ACAS X in differential game logic, collision-freedom is established for the rich encounters of ownship and intruder aircraft with independent decisions along differential equations for flight paths with evolving vertical/horizontal velocities. We present three classes of models of increasing complexity: single-advisory infinite-time models, bounded time models, and infinite time, multi-advisory models. Within each class of models, we identify symbolic conditions and prove that there then always is a possible ownship maneuver that will prevent a collision between the two aircraft.

    Sense and Avoid Characterization of the Independent Configurable Architecture for Reliable Operations of Unmanned Systems

    Independent Configurable Architecture for Reliable Operations of Unmanned Systems (ICAROUS) is a distributed software architecture developed by NASA Langley Research Center to enable safe autonomous UAS operations. ICAROUS consists of a collection of formally verified core algorithms for path planning, traffic avoidance, geofence handling, and decision making that interface with an autopilot system through a publisher-subscriber middleware. The ICAROUS Sense and Avoid Characterization (ISAAC) test was designed to evaluate the performance of the onboard Sense and Avoid (SAA) capability to detect potential conflicts with other aircraft and autonomously maneuver to avoid collisions, while remaining within the airspace boundaries of the mission. The ISAAC tests evaluated the impact of separation distances and alerting times on SAA performance. A preliminary analysis of the effects of each parameter on key measures of performance is conducted, informing the choice of appropriate parameter values for different small Unmanned Aircraft Systems (sUAS) applications. Furthermore, low-power Automatic Dependent Surveillance Broadcast (ADS-B) is evaluated for potential use to enable autonomous sUAS to sUAS deconflictions as well as to provide usable warnings for manned aircraft without saturating the frequency spectrum.

    Differential Adaptive Stress Testing of Airborne Collision Avoidance Systems

    The next-generation Airborne Collision Avoidance System (ACAS X) is currently being developed and tested to replace the Traffic Alert and Collision Avoidance System (TCAS) as the next international standard for collision avoidance. To validate the safety of the system, stress testing in simulation is one of several approaches for analyzing near mid-air collisions (NMACs). Understanding how NMACs can occur is important for characterizing risk and informing development of the system. Recently, adaptive stress testing (AST) has been proposed as a way to find the most likely path to a failure event. The simulation-based approach accelerates search by formulating stress testing as a sequential decision process, then optimizing it using reinforcement learning. The approach has been successfully applied to stress test a prototype of ACAS X in various simulated aircraft encounters. In some applications, we are not as interested in the system's absolute performance as its performance relative to another system. Such situations arise, for example, during regression testing or when deciding whether a new system should replace an existing system. In our collision avoidance application, we are interested in finding cases where ACAS X fails but TCAS succeeds in resolving a conflict. Existing approaches do not provide an efficient means to perform this type of analysis. This paper extends the AST approach to differential analysis by searching two simulators simultaneously and maximizing the difference between their outcomes. We call this approach differential adaptive stress testing (DAST). We apply DAST to compare a prototype of ACAS X against TCAS and show examples of encounters found by the algorithm.
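    The differential search described in this abstract, as an added example that is not the paper's DAST code or its ACAS X/TCAS simulators: two constructed vertical-advisory policies (stand-ins that differ only in how late they alert, not TCAS or ACAS X logic) are run on the same scripted intruder maneuver, and the maneuver that maximizes the difference in outcome between them is reported. The encounter model, altitudes, rates, thresholds and the 100-element maneuver space are all assumptions chosen so the result can be checked by hand; the space is small enough to enumerate exhaustively, where the paper searches large encounter spaces with reinforcement learning.

```python
"""Differential stress testing of two toy vertical collision-avoidance policies.

Constructed example: a single 20 s vertical encounter, two ownship advisory
policies that differ only in how late they alert, and an exhaustive search for
intruder maneuvers on which the newer policy ends in an NMAC while the older
one does not. Units are feet and 1 s steps. None of the numbers are ACAS X or
TCAS parameters; they are chosen so the example is easy to check by hand.
"""
from dataclasses import dataclass
from itertools import product

HORIZON = 20                 # seconds until the closest point of approach (CPA)
NMAC_FT = 100                # near mid-air collision if |separation| < 100 ft at CPA
H0_FT = 400                  # intruder starts 400 ft above ownship (constructed)
INTRUDER_RATES = (-33, -17, 0, 17, 33)   # ft/s, about +/-1000 and +/-2000 ft/min


@dataclass(frozen=True)
class Policy:
    name: str
    alert_tau: int     # alert once time-to-CPA <= alert_tau ...
    alert_h: int       # ... and |vertical separation| <= alert_h (ft)
    climb_rate: int    # ft/s commanded once alerted, sign chosen away from the intruder


@dataclass(frozen=True)
class IntruderProfile:
    start: int         # second at which the intruder begins its vertical maneuver
    rate: int          # ft/s after `start`, level flight before it

    def rate_at(self, t: int) -> int:
        return self.rate if t >= self.start else 0


def simulate(policy: Policy, profile: IntruderProfile) -> int:
    """Vertical separation (intruder minus ownship, ft) at CPA for one encounter."""
    own_alt, intr_alt, own_rate = 0, H0_FT, 0
    alerted = False
    for t in range(HORIZON):
        tau = HORIZON - t
        h = intr_alt - own_alt
        if not alerted and tau <= policy.alert_tau and abs(h) <= policy.alert_h:
            alerted = True                      # advisory is issued once and never reversed
            own_rate = -policy.climb_rate if h > 0 else policy.climb_rate
        intr_alt += profile.rate_at(t)
        own_alt += own_rate
    return intr_alt - own_alt


def is_nmac(separation: int) -> bool:
    return abs(separation) < NMAC_FT


def differential_objective(new: Policy, old: Policy, profile: IntruderProfile):
    """Score a maneuver by how much worse `new` does than `old` on it.

    The integer part is the DAST-style outcome difference (+1 when only `new`
    fails, -1 when only `old` fails); the small shaping term ranks maneuvers
    within the same outcome class by the separation gap, so a search has a
    gradient to follow before any differential failure has been found.
    """
    sep_new, sep_old = simulate(new, profile), simulate(old, profile)
    outcome = int(is_nmac(sep_new)) - int(is_nmac(sep_old))
    shaping = (abs(sep_old) - abs(sep_new)) / 10_000   # always strictly inside (-1, 1)
    return outcome + shaping, sep_new, sep_old


def differential_search(new: Policy, old: Policy):
    """Exhaustive search over the small maneuver space (DAST uses RL for large ones)."""
    best = None
    for start, rate in product(range(HORIZON), INTRUDER_RATES):
        profile = IntruderProfile(start, rate)
        score, sep_new, sep_old = differential_objective(new, old, profile)
        if best is None or score > best[0]:
            best = (score, profile, sep_new, sep_old)
    return best


# Constructed stand-ins, not TCAS/ACAS X logic: the candidate alerts 5 s later.
LEGACY = Policy("legacy", alert_tau=15, alert_h=600, climb_rate=25)
CANDIDATE = Policy("candidate", alert_tau=10, alert_h=600, climb_rate=25)

if __name__ == "__main__":
    score, profile, sep_new, sep_old = differential_search(CANDIDATE, LEGACY)
    print(f"intruder maneuver: rate {profile.rate} ft/s from t={profile.start}s")
    print(f"candidate separation at CPA: {sep_new} ft (NMAC={is_nmac(sep_new)})")
    print(f"legacy separation at CPA:    {sep_old} ft (NMAC={is_nmac(sep_old)})")
```

    One maneuver the enumeration finds is an intruder descending at 33 ft/s from the start: the legacy policy alerts at 15 s to go and ends 115 ft clear, while the candidate alerts at 10 s to go and ends 10 ft short, an NMAC. Because the integer part of the score dominates, the search can only return a case where both policies agree if no differential failure exists at all, which is the property that makes the objective useful for regression-style comparison rather than absolute failure finding.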

    Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks

    Deep neural networks have emerged as a widely used and effective means for tackling complex, real-world problems. However, a major obstacle in applying them to safety-critical systems is the great difficulty in providing formal guarantees about their behavior. We present a novel, scalable, and efficient technique for verifying properties of deep neural networks (or providing counter-examples). The technique is based on the simplex method, extended to handle the non-convex Rectified Linear Unit (ReLU) activation function, which is a crucial ingredient in many modern neural networks. The verification procedure tackles neural networks as a whole, without making any simplifying assumptions. We evaluated our technique on a prototype deep neural network implementation of the next-generation airborne collision avoidance system for unmanned aircraft (ACAS Xu). Results show that our technique can successfully prove properties of networks that are an order of magnitude larger than the largest networks verified using existing methods.
    Comment: This is the extended version of a paper with the same title that appeared at CAV 201

    Compositional Verification for Autonomous Systems with Deep Learning Components

    As autonomy becomes prevalent in many applications, ranging from recommendation systems to fully autonomous vehicles, there is an increased need to provide safety guarantees for such systems. The problem is difficult, as these are large, complex systems which operate in uncertain environments, requiring data-driven machine-learning components. However, learning techniques such as Deep Neural Networks, widely used today, are inherently unpredictable and lack the theoretical foundations to provide strong assurance guarantees. We present a compositional approach for the scalable, formal verification of autonomous systems that contain Deep Neural Network components. The approach uses assume-guarantee reasoning whereby contracts, encoding the input-output behavior of individual components, allow the designer to model and incorporate the behavior of the learning-enabled components working side-by-side with the other components. We illustrate the approach on an example taken from the autonomous vehicles domain.

    Automating Geometric Proofs of Collision Avoidance with Active Corners

    Avoiding collisions between obstacles and vehicles such as cars, robots or aircraft is essential to the development of automation and autonomy. To simplify the problem, many collision avoidance algorithms and proofs consider vehicles to be a point mass, though the actual vehicles are not points. In this paper, we consider a convex polygonal vehicle with nonzero area traveling along a 2-dimensional trajectory. We derive an easily-checkable, quantifier-free formula to check whether a given obstacle will collide with the vehicle moving on the planned trajectory. We apply our method to two case studies of aircraft collision avoidance and study its performance.
    Comment: 13 pages, 11 figures, conference paper
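    An added example, not the paper's active-corners construction, of what a quantifier-free collision check looks like for a convex vehicle with nonzero area, and of what the point-mass simplification misses. It assumes the simplest trajectory, a straight-line translation by a fixed displacement over t in [0, 1]: the region a convex polygon sweeps under such a move is the convex hull of its start and end positions, so "there exists a t at which the vehicle meets the obstacle" reduces to a finite set of separating-axis tests with no time quantifier left. The vehicle shape, displacements and obstacles are constructed inputs.

```python
"""Quantifier-free collision check for a convex vehicle on a straight-line move.

Constructed example (not the paper's active-corners construction): a convex
polygon translates by a fixed displacement over t in [0, 1]. A collision with a
convex obstacle exists for some t iff the obstacle meets the region the polygon
sweeps; for a translation that region is the convex hull of the start and end
positions (the Minkowski sum of the polygon with the displacement segment), so
the "exists t" check reduces to a finite set of separating-axis tests.
"""
from typing import List, Sequence, Tuple

Point = Tuple[float, float]


def cross(o: Point, a: Point, b: Point) -> float:
    """z-component of (a - o) x (b - o); positive when o->a->b turns left."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: Sequence[Point]) -> List[Point]:
    """Andrew's monotone chain; counter-clockwise vertices, collinear points dropped."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def swept_region(vehicle: Sequence[Point], displacement: Point) -> List[Point]:
    """Region covered by `vehicle` while translating by `displacement` (a convex polygon)."""
    dx, dy = displacement
    return convex_hull(list(vehicle) + [(x + dx, y + dy) for x, y in vehicle])


def _project(poly: Sequence[Point], axis: Point) -> Tuple[float, float]:
    dots = [p[0] * axis[0] + p[1] * axis[1] for p in poly]
    return min(dots), max(dots)


def convex_overlap(a: Sequence[Point], b: Sequence[Point]) -> bool:
    """Separating axis theorem: convex sets overlap iff no edge normal of either separates them.

    Touching counts as overlap (conservative for a safety check). Degenerate
    polygons with one or two vertices (a point, a segment) are handled as well.
    """
    for poly in (a, b):
        n = len(poly)
        for i in range(n):
            (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % n]
            axis = (y1 - y2, x2 - x1)           # edge normal; its orientation does not matter
            a_min, a_max = _project(a, axis)
            b_min, b_max = _project(b, axis)
            if a_max < b_min or b_max < a_min:
                return False
    return True


def polygon_collides(vehicle: Sequence[Point], displacement: Point, obstacle: Sequence[Point]) -> bool:
    """True iff some t in [0, 1] has (vehicle + t*displacement) meeting `obstacle`."""
    return convex_overlap(swept_region(vehicle, displacement), obstacle)


def point_mass_collides(reference: Point, displacement: Point, obstacle: Sequence[Point]) -> bool:
    """The point-mass approximation: only the reference point's path is checked."""
    return convex_overlap(swept_region([reference], displacement), obstacle)


# Constructed inputs: a unit-square vehicle whose reference point is the origin corner.
SQUARE = [(0, 0), (1, 0), (1, 1), (0, 1)]
AHEAD_OFFSET = [(3, 0.5), (4, 0.5), (4, 1.5), (3, 1.5)]   # overlaps the body, not the path
AHEAD_HIGH = [(3, 2), (4, 2), (4, 3), (3, 3)]             # clear of the swept band
BESIDE_DIAGONAL = [(5, 0), (6, 0), (6, 1), (5, 1)]        # hit on a (5,0) move, missed on (5,5)
ON_DIAGONAL = [(3, 3), (4, 3), (4, 4), (3, 4)]

if __name__ == "__main__":
    print("polygon vs AHEAD_OFFSET:   ", polygon_collides(SQUARE, (5, 0), AHEAD_OFFSET))
    print("point-mass vs AHEAD_OFFSET:", point_mass_collides((0, 0), (5, 0), AHEAD_OFFSET))
    print("diagonal vs BESIDE_DIAGONAL:", polygon_collides(SQUARE, (5, 5), BESIDE_DIAGONAL))
```

    The `AHEAD_OFFSET` obstacle is the case the abstract is about: the reference point's path never touches it, so the point-mass check reports no collision, while the swept square does hit it. The same obstacle set also shows the check is direction-sensitive (`BESIDE_DIAGONAL` is hit on the horizontal move and missed on the diagonal one). Curved or rotating trajectories need a different, and in general non-convex, swept region, which is where the paper's construction goes beyond this example.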

    Next generation flight management systems for manned and unmanned aircraft operations - automated separation assurance and collision avoidance functionalities

    The demand for improved safety, efficiency and dynamic demand-capacity balancing due to the rapid growth of the aviation sector and the increasing proliferation of Unmanned Aircraft Systems (UAS) in different classes of airspace pose significant challenges to avionics system developers. The design of Next Generation Flight Management Systems (NG-FMS) for manned and unmanned aircraft operations is performed by addressing the challenges identified by various Air Traffic Management (ATM) modernisation programmes and UAS Traffic Management (UTM) system initiatives. In particular, this research focusses on introducing automated Separation Assurance and Collision Avoidance (SA&CA) functionalities (mathematical models) in the NG-FMS. The innovative NG-FMS is also capable of supporting automated negotiation and validation of 4-Dimensional Trajectory (4DT) intents in coordination with novel ground-based Next Generation Air Traffic Management (NG-ATM) systems. One of the key research contributions is the development of a unified method for cooperative and non-cooperative SA&CA, addressing the technical and regulatory challenges of manned and unmanned aircraft coexistence in all classes of airspace. Analytical models are presented and validated to compute the overall avoidance volume in the airspace surrounding a tracked object, supporting automated SA&CA functionalities. The scientific basis of this approach is to assess real-time measurements and associated uncertainties affecting navigation states (of the host aircraft platform), tracking observables (of the static or moving object) and platform dynamics, and translate them to unified range and bearing uncertainty descriptors. The SA&CA unified approach provides an innovative analytical framework to generate high-fidelity dynamic geo-fences suitable for integration in the NG-FMS and in the ATM/UTM/defence decision support tools.