Closing the Certification Gaps in Adaptive Flight Control Software

Over the last five decades, extensive research has been performed to design and develop adaptive control systems for aerospace systems and other applications where the capability to change controller behavior at different operating conditions is highly desirable. Although adaptive flight control has been partially implemented through the use of gain-scheduled control, truly adaptive control systems using learning algorithms and on-line system identification methods have not seen commercial deployment. The reason is that the certification process for adaptive flight control software for use in national air space has not yet been decided. The purpose of this paper is to examine the gaps between the state-of-the-art methodologies used to certify conventional (i.e., non-adaptive) flight control system software and what will likely to be needed to satisfy FAA airworthiness requirements. These gaps include the lack of a certification plan or process guide, the need to develop verification and validation tools and methodologies to analyze adaptive controller stability and convergence, as well as the development of metrics to evaluate adaptive controller performance at off-nominal flight conditions. This paper presents the major certification gap areas, a description of the current state of the verification methodologies, and what further research efforts will likely be needed to close the gaps remaining in current certification practices. It is envisioned that closing the gap will require certain advances in simulation methods, comprehensive methods to determine learning algorithm stability and convergence rates, the development of performance metrics for adaptive controllers, the application of formal software assurance methods, the application of on-line software monitoring tools for adaptive controller health assessment, and the development of a certification case for adaptive system safety of flight

Certification of Safety-Critical Software Under DO-178C and DO-278A

The RTCA has recently released DO-178C and DO-278A as new certification guidance for the production of airborne and ground-based air traffic management software, respectively. Additionally, RTCA special committee SC-205 has also produced, at the same time, five other companion documents. These documents are RTCA DO-248C, DO-330, DO-331, DO- 332, and DO-333. These supplements address frequently asked questions about software certification, provide guidance on tool qualification requirements, and illustrate the modifications recommended to DO-178C when using model-based software design, object oriented programming, and formal methods. The objective of this paper is to first explain the relationship of DO-178C to the former DO-178B in order to give those familiar with DO- 178B an indication of what has been changed and what has not been changed. With this background, the relationship of DO-178C and DO-278 to the new DO-278A document for ground-based software development is shown. Last, an overview of the new guidance contained in the tool qualification document and the three new supplements to DO-178C and DO-278A is presented. For those unfamiliar with DO-178B, this paper serves to provide an entry point to this new certification guidance for airborne and ground-based CNS/ATM software certification

Survey of Verification and Validation Techniques for Small Satellite Software Development

The purpose of this paper is to provide an overview of the current trends and practices in small-satellite software verification and validation. This document is not intended to promote a specific software assurance method. Rather, it seeks to present an unbiased survey of software assurance methods used to verify and validate small satellite software and to make mention of the benefits and value of each approach. These methods include simulation and testing, verification and validation with model-based design, formal methods, and fault-tolerant software design with run-time monitoring. Although the literature reveals that simulation and testing has by far the longest legacy, model-based design methods are proving to be useful for software verification and validation. Some work in formal methods, though not widely used for any satellites, may offer new ways to improve small satellite software verification and validation. These methods need to be further advanced to deal with the state explosion problem and to make them more usable by small-satellite software engineers to be regularly applied to software verification. Last, it is explained how run-time monitoring, combined with fault-tolerant software design methods, provides an important means to detect and correct software errors that escape the verification process or those errors that are produced after launch through the effects of ionizing radiation

Adaptive Inverse Control for Rotorcraft Vibration Reduction

This thesis extends the Least Mean Square (LMS) algorithm to solve the mult!ple-input, multiple-output problem of alleviating N/Rev (revolutions per minute by number of blades) helicopter fuselage vibration by means of adaptive inverse control. A frequency domain locally linear model is used to represent the transfer matrix relating the higher harmonic pitch control inputs to the harmonic vibration outputs to be controlled. By using the inverse matrix as the controller gain matrix, an adaptive inverse regulator is formed to alleviate the N/Rev vibration. The stability and rate of convergence properties of the extended LMS algorithm are discussed. It is shown that the stability ranges for the elements of the stability gain matrix are directly related to the eigenvalues of the vibration signal information matrix for the learning phase, but not for the control phase. The overall conclusion is that the LMS adaptive inverse control method can form a robust vibration control system, but will require some tuning of the input sensor gains, the stability gain matrix, and the amount of control relaxation to be used. The learning curve of the controller during the learning phase is shown to be quantitatively close to that predicted by averaging the learning curves of the normal modes. For higher order transfer matrices, a rough estimate of the inverse is needed to start the algorithm efficiently. The simulation results indicate that the factor which most influences LMS adaptive inverse control is the product of the control relaxation and the the stability gain matrix. A small stability gain matrix makes the controller less sensitive to relaxation selection, and permits faster and more stable vibration reduction, than by choosing the stability gain matrix large and the control relaxation term small. It is shown that the best selections of the stability gain matrix elements and the amount of control relaxation is basically a compromise between slow, stable convergence and fast convergence with increased possibility of unstable identification. In the simulation studies, the LMS adaptive inverse control algorithm is shown to be capable of adapting the inverse (controller) matrix to track changes in the flight conditions. The algorithm converges quickly for moderate disturbances, while taking longer for larger disturbances. Perfect knowledge of the inverse matrix is not required for good control of the N/Rev vibration. However it is shown that measurement noise will prevent the LMS adaptive inverse control technique from controlling the vibration, unless the signal averaging method presented is incorporated into the algorithm

Comparison of Five System Identification Algorithms for Rotorcraft Higher Harmonic Control

This report presents an analysis and performance comparison of five system identification algorithms. The methods are presented in the context of identifying a frequency-domain transfer matrix for the higher harmonic control (HHC) of helicopter vibration. The five system identification algorithms include three previously proposed methods: (1) the weighted-least- squares-error approach (in moving-block format), (2) the Kalman filter method, and (3) the least-mean-squares (LMS) filter method. In addition there are two new ones: (4) a generalized Kalman filter method and (5) a generalized LMS filter method. The generalized Kalman filter method and the generalized LMS filter method were derived as extensions of the classic methods to permit identification by using more than one measurement per identification cycle. Simulation results are presented for conditions ranging from the ideal case of a stationary transfer matrix and no measurement noise to the more complex cases involving both measurement noise and transfer-matrix variation. Both open-loop identification and closed- loop identification were simulated. Closed-loop mode identification was more challenging than open-loop identification because of the decreasing signal-to-noise ratio as the vibration became reduced. The closed-loop simulation considered both local-model identification, with measured vibration feedback and global-model identification with feedback of the identified uncontrolled vibration. The algorithms were evaluated in terms of their accuracy, stability, convergence properties, computation speeds, and relative ease of implementation

Small-Satellite Mission Failure Rates

The purpose of this report is to determine the failure rate of small-satellite missions launched between the years 2000 and 2016. This analysis considers the rates of both partial and total mission failure, as well as the failures attributable to failure of the launch vehicle. This study observed that between the years of 2000 to 2016, 41.3% of all small satellites launched failed or partially failed. Of these small satellite missions, 24.2% were total mission failures, another 11% were partial mission failures, and 6.1% were launch vehicle failures. The small satellite failure data reveals an increase in the failure rate as the yearly launch rate has increased. The period 2000 to 2008 averaged 15 launches per year, during which 28.6% of the small satellite missions failed or partially failed. The period from 2009 to 2016 averaged 48 launches per year, during which 42.6% of the small satellite missions failed or partially failed. The launch vehicle failure rate for both periods was the same at around 6.1%. The implication is that for modern small satellite missions, almost one out of every two small satellite missions will result in either a total or a partial mission failure. Counting the partial mission successes as successful missions reduces the failure rate, but only to 38.2% for the period 2009 to 2016

Small-scale rotor test rig capabilities for testing vibration alleviation algorithms

A test was conducted to assess the capabilities of a small scale rotor test rig for implementing higher harmonic control and stability augmentation algorithms. The test rig uses three high speed actuators to excite the swashplate over a range of frequencies. The actuator position signals were monitored to measure the response amplitudes at several frequencies. The ratio of response amplitude to excitation amplitude was plotted as a function of frequency. In addition to actuator performance, acceleration from six accelerometers placed on the test rig was monitored to determine whether a linear relationship exists between the harmonics of N/Rev control input and the least square error (LSE) identification technique was used to identify local and global transfer matrices for two rotor speeds at two batch sizes each. It was determined that the multicyclic control computer system interfaced very well with the rotor system and kept track of the input accelerometer signals and their phase angles. However, the current high speed actuators were found to be incapable of providing sufficient control authority at the higher excitation frequencies

Baseline Assessment and Prioritization Framework for IVHM Integrity Assurance Enabling Capabilities

Fundamental to vehicle health management is the deployment of systems incorporating advanced technologies for predicting and detecting anomalous conditions in highly complex and integrated environments. Integrated structural integrity health monitoring, statistical algorithms for detection, estimation, prediction, and fusion, and diagnosis supporting adaptive control are examples of advanced technologies that present considerable verification and validation challenges. These systems necessitate interactions between physical and software-based systems that are highly networked with sensing and actuation subsystems, and incorporate technologies that are, in many respects, different from those employed in civil aviation today. A formidable barrier to deploying these advanced technologies in civil aviation is the lack of enabling verification and validation tools, methods, and technologies. The development of new verification and validation capabilities will not only enable the fielding of advanced vehicle health management systems, but will also provide new assurance capabilities for verification and validation of current generation aviation software which has been implicated in anomalous in-flight behavior. This paper describes the research focused on enabling capabilities for verification and validation underway within NASA s Integrated Vehicle Health Management project, discusses the state of the art of these capabilities, and includes a framework for prioritizing activities

Cardiac safety of dihydroartemisinin-piperaquine and sulfadoxine pyrimethamine among pregnant women with and without asymptomatic parasitaemia in Tanzania: results from an open-label, parallel-group, randomised phase II trial

Background: Dihydroartemisinin-Piperaquine (DP) can induce transient prolongation of the corrected QT interval (QTc) and is a candidate for use with sulfadoxine-pyrimethamine (SP) in intermittent preventive treatment of malaria in pregnancy (IPTp). Pregnancy can alter pharmacokinetics of antimalarial drugs. Acute malaria infection can increase QTc prolongation. Whether DP alters cardiac function in pregnant women with or without asymptomatic parasitaemia is not well characerised. Methods: This was an open-label, parallel-group, randomised phase 2 study among pregnant women in Handeni, Tanzania (NCT02909712). Women were screened for P. falciparum by microscopy and, if positive, received a rapid diagnostic test (RDT). If RDT-positive, they received DP or SP, and the next microscopy-negative woman was randomly allocated to receive DP or SP. Enrolment and allocation continued in this alternating manner to reach 200 (50/group): Grp 1 (neg; SP), Grp 2 (pos; SP), Grp 3 (neg: DP), Grp 4 (pos: DP). Standard 12-lead ECGs were used to record cardiac function in triplicate. DP groups were measured on day 0 (predose), day 2 (predose and hours 3,4,5,6,7,8), and day 7; SP groups had day 0 (predose), and day 7 ECGs. Results: DP resulted in QTcF prolongation that peaked ~30 msec at 5-h post dose 3 on day 2 (schedule: days 0,1,2). The mean maximum increase was slightly more in group 4 compared to group 3 (33.1 vs 29.1 msec). On day 7, QTcF returned to baseline in group 3; a small and non-clinically significant increase of 3.4 (90%CI: 0.3, 6.5) msec was still present among RDT-positive women. QTcB measurements were similar. There was a marked decrease in heart rate (HR) among all DP recipients on day 2, which appeared greater in group 4 compared to group 3 (13.3 vs 8.9 bpm), baseline HR was higher in group 4 than group 3 (92.7 vs 88.5 bpm). This potentially represents a regression towards the mean. On day 7, HR had returned to baseline in both groups. Conclusion: Parasite presence did not alter the effect of DP on the different ECG parameters with the possible exception of HR. No marked differences were observed between pregnant women with and without asymptomatic parasitaemia

Why do banks promise to pay par on demand?

We survey the theories of why banks promise to pay par on demand and examine evidence about the conditions under which banks have promised to pay the par value of deposits and banknotes on demand when holding only fractional reserves. The theoretical literature can be broadly divided into four strands: liquidity provision, asymmetric information, legal restrictions, and a medium of exchange. We assume that it is not zero cost to make a promise to redeem a liability at par value on demand. If so, then the conditions in the theories that result in par redemption are possible explanations of why banks promise to pay par on demand. If the explanation based on customers’ demand for liquidity is correct, payment of deposits at par will be promised when banks hold assets that are illiquid in the short run. If the asymmetric-information explanation based on the difficulty of valuing assets is correct, the marketability of banks’ assets determines whether banks promise to pay par. If the legal restrictions explanation of par redemption is correct, banks will not promise to pay par if they are not required to do so. If the transaction explanation is correct, banks will promise to pay par value only if the deposits are used in transactions. After the survey of the theoretical literature, we examine the history of banking in several countries in different eras: fourth-century Athens, medieval Italy, Japan, and free banking and money market mutual funds in the United States. We find that all of the theories can explain some of the observed banking arrangements, and none explain all of them