
    From Formal Requirements to Highly Assured Software for Unmanned Aircraft Systems

    Operational requirements of safety-critical systems are often written in restricted specification logics. These restricted logics are amenable to automated analysis techniques such as model checking, but are not rich enough to express the complex requirements of unmanned systems. This short paper advocates the use of expressive logics, such as higher-order logic, to specify the complex operational requirements and safety properties of unmanned systems. These rich logics are less amenable to automation and hence require interactive theorem proving techniques. However, they support the formal verification of complex requirements, such as those involving the physical environment. Moreover, they enable validation techniques that increase confidence in the correctness of numerically intensive software. These features result in highly assured software that may be easier to certify. The feasibility of this approach is illustrated with examples drawn from NASA's unmanned aircraft systems.

    Architecture and Information Requirements to Assess and Predict Flight Safety Risks During Highly Autonomous Urban Flight Operations

    As aviation adopts new and increasingly complex operational paradigms, vehicle types, and technologies to broaden airspace capability and efficiency, maintaining a safe system will require recognition and timely mitigation of new safety issues as they emerge and before significant consequences occur. A shift toward a more predictive risk mitigation capability becomes critical to meet this challenge. In-time safety assurance comprises monitoring, assessment, and mitigation functions that proactively reduce risk in complex operational environments where the interplay of hazards may not be known (and therefore not accounted for) during design. These functions can also help to understand and predict emergent effects caused by the increased use of automation or autonomous functions that may exhibit unexpected non-deterministic behaviors. The envisioned monitoring and assessment functions can look for precursors, anomalies, and trends (PATs) by applying model-based and data-driven methods. Outputs would then drive downstream mitigation(s) if needed to reduce risk. These mitigations may be accomplished using traditional design revision processes or via operational (and sometimes automated) mechanisms. The latter refers to the in-time aspect of the system concept. This report comprises architecture and information requirements and considerations toward enabling such a capability within the domain of low-altitude, highly autonomous urban flight operations. This domain may span, for example, public-use surveillance missions flown by small unmanned aircraft (e.g., infrastructure inspection, facility management, emergency response, law enforcement, and/or security) to transportation missions flown by larger aircraft that may carry passengers or deliver products. Caveat: Any stated requirements in this report should be considered initial requirements that are intended to drive research and development (R&D). These initial requirements are likely to evolve based on R&D findings, refinement of operational concepts, industry advances, and new industry or regulatory policies or standards related to safety assurance.

    Safeguard: Progress and Test Results for a Reliable Independent On-Board Safety Net for UAS

    As demands increase to use unmanned aircraft systems (UAS) for a broad spectrum of commercial applications, regulatory authorities are examining how to safely integrate them without compromising safety or disrupting traditional airspace operations. For small UAS, several operational rules have been established; e.g., do not operate beyond visual line of sight, do not fly within five miles of a commercial airport, do not fly above 400 feet above ground level. Enforcing these rules is challenging for UAS, as evidenced by the number of incident reports received by the Federal Aviation Administration (FAA). This paper reviews the development of an onboard system, Safeguard, designed to monitor and enforce conformance to a set of operational rules defined prior to flight (e.g., geospatial stay-out or stay-in regions, speed limits, and altitude constraints). Unlike typical geofencing or geo-limitation functions, Safeguard operates independently of the off-the-shelf UAS autopilot and is designed in a way that can be realized by a small set of verifiable functions, to simplify compliance with existing standards for safety-critical systems (e.g., for spacecraft and manned commercial transport aircraft systems). A framework is described that decouples the system from any other devices on the UAS and introduces complementary positioning source(s) for applications that require integrity and availability beyond what the Global Positioning System (GPS) can provide. This paper summarizes the progress and test results for Safeguard research and development since presentation of the design concept at the 35th Digital Avionics Systems Conference (DASC '16). Significant accomplishments include completion of software verification and validation in accordance with NASA standards for spacecraft systems (to Class B), development of improved hardware prototypes, development of a simulation platform that allows for hardware-in-the-loop testing and fast-time Monte Carlo evaluations, and flight testing on multiple air vehicles. Integration testing with NASA's UAS Traffic Management (UTM) service-oriented architecture was also demonstrated.

    Safety Analysis Methods for Complex Systems in Aviation

    Each new concept of operation and equipment generation in aviation becomes more automated, integrated and interconnected. In the case of Unmanned Aircraft Systems (UAS), this evolution allows a drastic decrease in aircraft weight and operational cost, but these benefits are also realized in highly automated manned aircraft and ground Air Traffic Control (ATC) systems. The downside of these advances is overwhelmingly more complex software and hardware, making it harder to identify potential failure paths. Although there are mandatory certification processes based on broadly accepted standards, such as ARP4754 and its family, ESARR 4 and others, these standards do not allow proof or disproof of the safety of disruptive technology changes, such as GBAS precision approaches, autonomous UAS, aircraft self-separation and others. To enable the introduction of such concepts, it is necessary to develop solid knowledge of the foundations of safety in complex systems and to use this knowledge to elaborate sound demonstrations of either the safety or the unsafety of new system designs. Such demonstrations at early design stages will help reduce both the cost of developing new technology and the risk of that technology causing accidents once in use. This paper presents some safety analysis methods that are not in the industry standards but that we identify as beneficial for analyzing the safety of advanced technological concepts in aviation.

    The Changing Face of Airmanship and Safety Culture Operating Unmanned Aircraft Systems

    The notion of using drones for commercial purposes has evolved in the past 5 years from the initial "boom" of excitement around what was somewhat of a novelty and curiosity to the more calculated and sophisticated use of unmanned aircraft systems (UAS), or drones. In the hands of true professionals, drones can offer highly efficient and profitable solutions for industrial and commercial inspections and other data-capture tasks. The appetite for safe and efficient collection of data is changing the face of safety cultures, how teams and individuals apply airmanship principles, and how inspection crews and UAS crews interact. UAS are no longer viewed as a novelty or a useful addition to the inspector's "toolbox," but as an integrated part of a safety-critical system. While there is much to be learned from traditional manned aviation, UAS pilots are confronted with different task priorities in order to effectively "aviate," and therefore, like the changing face of airmanship and safety culture, "aviating" emerges as having different attributes when compared to manned aviation.

    Advanced Manned Launch System (AMLS) study

    To assure national leadership in space operations and exploration in the future, NASA must be able to provide cost-effective and operationally efficient space transportation. Several NASA studies and the joint NASA/DoD Space Transportation Architecture Studies (STAS) have shown the need for a multi-vehicle space transportation system with designs driven by enhanced operations and low costs. NASA is currently studying an advanced manned launch system (AMLS) approach to transport crew and cargo to Space Station Freedom. Several single- and multiple-stage systems, from air-breathing to all-rocket concepts, are being examined in a series of studies as potential replacements for the Space Shuttle launch system in the 2000-2010 time frame. Rockwell International Corporation, under contract to the NASA Langley Research Center, has analyzed a two-stage all-rocket concept to determine whether this class of vehicles is appropriate for the AMLS function. The results of the pre-phase A study are discussed.

    Dynamic Hardware-in-the-loop UAV Ground Testing System

    Ukraine Section SP/AES Joint Chapter
    The paper shows how a dynamic hardware-in-the-loop ground test system can be used to solve preflight testing problems in the unmanned aerial vehicle development process. The problem of checking the different-type characteristics of various unmanned aerial vehicle subsystems, in order to discover irregularities and support decision-making during extensive test procedures, is considered. The paper also describes the architecture of a developed dynamic test rig that can be used for test-program data acquisition and analysis.

    A Geofence Violation Prevention Mechanism for Small UAS

    The ability to safely confine the trajectories of small UAS to a specific geographical area is a key enabler for capabilities that require operating in close proximity to populated areas as well as to other users of the airspace. These capabilities require highly reliable geofencing algorithms. In particular, these algorithms must promptly alert to imminent breaches of keep-in/keep-out geofences by taking into account factors such as vehicle speed and uncertainty in the state of the aircraft. This paper presents a novel approach to the prevention of geofence boundary violations based on closure-rate constraints. These constraints are incorporated into a control framework to effectively prevent fence breaches. Simulation results illustrating an example use case of this framework are presented.
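    The two abstracts above (the Safeguard rule monitor and the closure-rate geofence paper) both describe an onboard check that must warn before a keep-in/keep-out boundary is crossed, not after, and that must account for vehicle speed and position uncertainty. The following is an added illustration written for this page; it is not code from either paper or from NASA's Safeguard. It assumes a local metre-based planar frame for the fences, a 3-sigma inflation of the horizontal position error, and a braking-distance form of the closure-rate constraint (the vehicle must be able to stop within the remaining distance after a fixed reaction time); all numbers in RULES and the sample states are constructed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Rules:
    """Pre-flight rule set (constructed; values are assumptions, not from either paper)."""
    keep_in: tuple            # polygon vertices (x, y) in metres, local planar frame
    keep_out: tuple           # tuple of stay-out polygons
    max_alt_m: float
    max_speed_mps: float      # horizontal ground-speed limit
    t_react_s: float          # latency before a corrective manoeuvre takes effect
    a_max_mps2: float         # deceleration the vehicle can guarantee
    k_sigma: float = 3.0      # position-uncertainty inflation factor (3-sigma)

def point_in_polygon(p, poly):
    """Ray-casting point-in-polygon test on a simple (non-self-intersecting) polygon."""
    x, y = p
    inside = False
    for i in range(len(poly)):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):
            x_int = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_int:
                inside = not inside
    return inside

def nearest_boundary_point(p, poly):
    """Distance from p to the polygon boundary and the unit vector from p toward it."""
    px, py = p
    best = None
    for i in range(len(poly)):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % len(poly)]
        dx, dy = x2 - x1, y2 - y1
        seg = dx * dx + dy * dy
        t = 0.0 if seg == 0 else max(0.0, min(1.0, ((px - x1) * dx + (py - y1) * dy) / seg))
        qx, qy = x1 + t * dx, y1 + t * dy
        d = math.hypot(qx - px, qy - py)
        if best is None or d < best[0]:
            best = (d, (qx - px, qy - py))
    d, (ux, uy) = best
    return (0.0, (0.0, 0.0)) if d == 0 else (d, (ux / d, uy / d))

def closure_rate_limit(d_eff, rules):
    """Largest closure rate c with c*t_react + c^2/(2*a_max) <= d_eff (braking-distance bound)."""
    if d_eff <= 0:
        return 0.0
    a, t = rules.a_max_mps2, rules.t_react_s
    return -a * t + math.sqrt(a * a * t * t + 2 * a * d_eff)

def fence_alerts(tag, p, v, poly, buffer, rules):
    """Closure-rate check against one polygon; buffer is the uncertainty inflation in metres."""
    d, (ux, uy) = nearest_boundary_point(p, poly)
    d_eff = d - buffer
    if d_eff <= 0:                       # already inside the uncertainty margin
        return [(tag + "_margin", d)]
    closure = v[0] * ux + v[1] * uy      # >0 means the vehicle is moving toward the boundary
    if closure > closure_rate_limit(d_eff, rules):
        return [(tag + "_imminent", closure)]
    return []

def evaluate(state, rules):
    """state: pos=(x,y,z) m, vel=(vx,vy,vz) m/s, sigma_xy = 1-sigma horizontal position error."""
    x, y, z = state["pos"]
    vx, vy, _ = state["vel"]
    p, v = (x, y), (vx, vy)
    buffer = rules.k_sigma * state["sigma_xy"]
    alerts = []
    if z > rules.max_alt_m:                         # hard limits are checked directly
        alerts.append(("altitude_violation", z))
    speed = math.hypot(vx, vy)
    if speed > rules.max_speed_mps:
        alerts.append(("speed_violation", speed))
    if not point_in_polygon(p, rules.keep_in):
        alerts.append(("keep_in_violation", 0.0))
    else:
        alerts += fence_alerts("keep_in", p, v, rules.keep_in, buffer, rules)
    for poly in rules.keep_out:
        if point_in_polygon(p, poly):
            alerts.append(("keep_out_violation", 0.0))
        else:
            alerts += fence_alerts("keep_out", p, v, poly, buffer, rules)
    return alerts

# Constructed sample rule set: 1 km keep-in square with a 200 m keep-out block in the middle.
RULES = Rules(
    keep_in=((0.0, 0.0), (1000.0, 0.0), (1000.0, 1000.0), (0.0, 1000.0)),
    keep_out=(((400.0, 400.0), (600.0, 400.0), (600.0, 600.0), (400.0, 600.0)),),
    max_alt_m=120.0, max_speed_mps=20.0, t_react_s=2.0, a_max_mps2=2.0,
)

if __name__ == "__main__":
    # 18 m/s toward the east fence from 50 m out: inside the fence, but the closure rate is too high.
    print(evaluate({"pos": (950.0, 500.0, 50.0), "vel": (18.0, 0.0, 0.0), "sigma_xy": 2.0}, RULES))
```

    The point of the closure-rate form is visible in the 50 m case: a position-only geofence would report nothing until the boundary is crossed, whereas the rate bound flags the breach while there is still stopping distance. The same vehicle at 15 m/s from 100 m out passes, because the required stopping distance (reaction plus braking) is still shorter than the inflated margin.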