Transcript of a slide presentation by Dr. Daniel P. Schrage, Professor and Director, CASA and CERT, School of Aerospace Engineering
System Safety Risk Management: An Autonomous UAV Example from a Course on Safety By Design and Flight Certification
Dr. Daniel P. Schrage, Professor and Director, CASA and CERT
School of Aerospace Engineering, Georgia Institute of Technology
Atlanta, GA 30332-0150
Presentation Outline
- Overview of the Georgia Tech graduate program in Aerospace Systems Design
- Brief description of the Safety By Design and Flight Certification Course
- Example from the Safety Course for an Autonomous Unmanned Aerial Vehicle (UAV): the GTMAX
Georgia Tech Practice-Oriented M.S. Program in Aerospace Systems Design
(Curriculum chart, laid out over Semester I, Semester II and Summer; legend distinguishes core classes from elective classes.)
- Integrated Product/Process Development (IPPD) methods/techniques: Systems Design I, Systems Design II, Applied Design I, Applied Design II, Design Seminars, Special Project
- IPPD tools/infrastructure: Modern Design Methods I, Modern Design Methods II, Product Life Cycle Management
- Disciplinary courses: Propulsion Systems Design, Mathematics (2 required), other electives
- Summer: Safety By Design, Internships
Safety By Design and Flight Certification Course
- First taught in 1998 as a project-oriented course to orient students to the role of safety by design and flight certification in the design iteration process
- The course builds on the Integrated Product/Process Development (IPPD) through Robust Design Simulation (RDS) environment created in the Georgia Tech Aerospace Systems Design Laboratory (ASDL)
- Taught in the summer semester so that students can analyze the designs they developed during the fall and spring semesters (fixed wing, V/STOL rotorcraft, space, and missiles)
- Continuously improved each year to address more of the issues in moving to a risk-based managed process
- Has sought to incorporate user-friendly tools for system reliability prediction, FTA, FMEA and Markov analysis
- The emphasis of the course taught this summer was on the interaction of hardware, software and liveware (human) reliabilities, and on partnerships with industry and government
Course Projects for Summer 2002
- Quiet Supersonic Aircraft, in conjunction with Gulfstream Aerospace Corporation
- The ICBM Peacekeeper as a Commercial Launch Vehicle, in conjunction with the FAA Space Systems Development Division
- A VTOL Personal Air Vehicle (PAV), in conjunction with the NASA PAV Evaluation program
- An Autonomous UAV: GTMAX, in conjunction with the DARPA Software Enabled Control (SEC) program and the GT entry in the International Aerial Robotics Competition (IARC) (the example illustrated in this talk)
Development of a Certification Plan (ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems)
Each plan should include:
- A functional and operational description of the system and the aircraft on which the system will be installed
- A statement of the relationship of this certification plan to any other relevant system certification plans
- A summary of the functional hazard assessment (aircraft hazards, failure conditions, and classification)
- A summary of the preliminary system safety assessment (system safety objectives and preliminary system development assurance levels)
- A description of any novel or unique design features that are planned to be used in meeting the safety objectives
- A description of the new technologies or new technology applications to be implemented
- The system certification basis, including any special conditions
- The proposed methods of showing compliance with the certification basis
- A list of the data to be submitted and the data to be retained under configuration control, along with a description or sample of data formats
- The approximate sequence and schedule for certification events
The Overall GT Safety By Design Approach (flow diagram)
Aircraft/Spacecraft System Design -> Safety Goals -> Aircraft/Spacecraft FHA/FTA -> System FHA/FTA -> Other PSSA methods -> Safety Prediction and Reliability Prediction -> Satisfied? (Yes: design accepted; No: Apply Technology Insertion, TIF/TIES?, and iterate the design)
Analysis techniques and prediction programs used in the loop:
- Probabilistic assessment (Crystal Ball)
- Markov analysis (MEADEPS)
- System reliability (PRISM)
- Criticality matrix
- Reliability simulation
Governing standards: DO-178B, DO-160D, ARP 4754, ARP 4761
SBD Process Overview (ARP 4761 activities mapped to the design phases Concept Development -> Preliminary Design -> Detailed Design -> Design Validation & Verification)
- Aircraft FHA: functions, hazards, effects, classifications
- System FHA: functions, hazards, effects, classifications
- Aircraft FTA (PSSA): qualitative; system budgets; intersystem dependencies
- System FTA (PSSA): qualitative; subsystem budgets
- System FTAs (SSA): qualitative; failure rates
- DDMA; System FMEAs / FMES
- CCA (Common Cause Analysis): Particular Risk Analysis, Common Mode Analysis, Zonal Safety Analysis
The PSSA feeds the SSA.
GTMax Preliminary Safety Assessment and Certification Plan
Han Gil Chae, Adeel Khalid, Kayin Cannon, Colin Pouchet, Henrik B. Christophersen
Overview
- Introduction: general facts about GTMax
- GTMax certification: general information on UAV certification; analysis for a particular system; human errors; proposed system improvement; proposed certification plan
- Conclusions
Introduction: system description and system requirements
GTMax: Development
- Originally developed for aerial pest control
- Modified for the DARPA SEC Program and for aerial robotics
- Test bed for a manned-vehicle electronic system
Software Enabled Control (SEC), Dr. John Bay, DARPA/IXO
The objective of SEC is to co-develop advanced real-time control system algorithms and the software services and infrastructure necessary to implement them on distributed embedded processors in a robust and verifiable way.
DARPA SEC participants:
- Open Control Platform (OCP) developers: Georgia Tech, Boeing Phantom Works, UC Berkeley, Honeywell Technology Labs
- SEC technology developers (active state modelers, on-line control customization, coordinated multi-modal control, high-confidence software control systems): Georgia Tech, UC Berkeley, Rockwell Collins, Cornell, MIT, Northrop Grumman Corp, Cal Tech, Draper Labs, Honeywell Labs, U of Min, Vanderbilt, OGI, Stanford
- University-led experiments (rotary wing): Georgia Tech; industry-led experiments (fixed wing): Boeing Phantom Works
The Georgia Tech GTMAX: A Truly Modular Open System Testbed
The Georgia Tech GTMAX consists of:
- The Yamaha RMAX remotely piloted helicopter: a rugged, proven air vehicle which is becoming the vehicle testbed of choice for VTOL UAV autonomous vehicle research
- The Georgia Tech Modular Avionics Package: built for reconfigurability, growth and easy upgrade
- The Boeing - Georgia Tech OCP: a Real-Time CORBA based open system software architecture
As a system the GTMAX provides an excellent resource for the UAV community for developing and evaluating UAV technologies, both hardware and software, as well as for Home Security experiments.
GTMAX: Vehicle Specifications
- Weight: gross weight 204.6 lb; empty weight 127.6 lb; payload 66 lb
- Dimensions (mm, labels from the three-view drawing): 3630, 3115, 1800, 1080, 720
- Engine: gasoline, 2-cylinder, water cooled; power output 21 hp
- Performance: fuel 6 L (1.6 gal); endurance 60 min
GT Research UAV: GTMAX (system diagram)
- On-board avionics (Georgia Tech, running the Boeing-GT OCP) connected to GPS, to the actuators through the Yamaha Attitude Control System (YACS), to the RC receiver, and to Data Link I and Data Link II over 3x RS-232 serial
- Ground Control Station: ground computer(s) and network (Ethernet), GPS reference, Data Link I and Data Link II to the vehicle
- Safety pilot with RC transmitter
(The vehicle in the drawing carries the lettering GEORGIA TECH / YAMAHA.)
Onboard Avionics Hardware Architecture (diagram)
- Computer #1 and Computer #2 on an Ethernet hub
- Sensors: D-GPS, IMU, radar altimeter, sonar altimeter, magnetometer
- Servo interface
- Links: wireless serial, wireless Ethernet
- Power distribution with external power input
- Bus legend: serial data, Ethernet, power
- Video camera, radar and possibly lidar to be installed this summer
GTMAX Avionics HW Integration
- GTMAX hardware is packaged into exchangeable modules: Flight Computer Module, GPS Module, Data Link Module, IMU/Radar Module, Unused Module (growth), Sonar/Magnetometer assemblies, Power Distribution System
- Each module has self-contained power regulation and EMI shielding
- Shock-mounted main module rack
GTMAX Hardware Integration
- Power system: the on-board generator outputs 12 V DC, 10 A; the power source is hot-swappable between on-board and external; each module is powered via an individual circuit breaker
- Interfacing and wiring: interface types RS-232 serial, Ethernet, 12 V DC; all interfaces on module back-sides; aviation-quality wiring harness
Open Control Platform Motivation
Limitations of state-of-the-art complex control systems:
- Tightly coupled
- Difficult to adapt or evolve
- Complex, inflexible data interchange
- Computationally limited
- Closed, proprietary systems
Desired capabilities:
- Adaptability and dynamic reconfigurability
- Plug-and-play extensibility, component interchangeability
- Real-time quality of service
- Interoperability, distributed communication
- Openness
Boeing-GIT Baseline Open Control Platform (OCP) Software Implementation on the GTMAX (component diagram)
- Sensors Serial Interface (GPS, IMU, magnetometer, sonar) -> Navigation Module Component via NavData_in / NavData_out
- Vehicle Serial Interface (receiver commands, vehicle health, RMAX attitude sensors) -> Controller Component via ControlData_in / ControlData_out
- Navigation Module Component <-> Controller Component via NavControl_in / NavControl_out; Controls API input port and output port
- Controller Component -> RMAX actuator demultiplexer -> Actuator Serial Interface
- Timing: 100 Hz timer (timeout_in); sensor and actuator interfaces at 100 Hz; navigation and control components at 50 Hz
- I/O Component: DataLink Interface over an Ethernet "serial" port and a serial port; input datalink ports read at 100 Hz; message m0 written at 10 Hz and m1 at 1 Hz (link traffic at 1 Hz and 10 Hz)
Mission Intelligence Flow for GT Research (diagram)
Mission Planning -> Mode Selection -> Mode Switching -> Flight Control System -> UAV -> Sensors -> Sensor Fusion -> Obstacle/Target Detection -> Obstacle/Target Identification -> Obstacle/Target Tracking -> Situation Awareness
Diagnostics -> Fault Tolerant Control -> Emergency? (Yes / No: continue mission)
(15 min)
GTMax: Aerial Robotics Mission & SEC Scenario
- Take off (manually), then fly autonomously 3 km
- Identify the structure
- Get information from the inside
- No need to return after the mission
GTMax Certification: certification basis; analysis (functional, FHA, PSSA); human errors; strategy for achieving compliance; sequence of certification events
FAA Certification (diagram)
- Design: Type Design Approval -> Type Certificate
- Production: Quality Assurance Approval and Type Design Conformity -> Production Certificate
- Operation: Airworthiness Certificate -> Continued Airworthiness (a defect found in operation feeds back into the process)
Certification Basis
Suggested regulations:
- Rotorcraft: FAR 27
- Safety assessment: SAE ARP 4761
- System design/analysis: AC 25.1309-1A
- No certification basis exists for UAVs
Certification basis? Presently there is no certification basis for unmanned aircraft. Unmanned vs. manned aircraft:
- Increased reliance on electronic flight control systems in unmanned aircraft
- Safety = threat to persons and property outside the aircraft
- Flight over populated areas vs. isolated areas
- Ground control system
Suggested regulations:
- Flight crewmember(s) on the ground
- Safety equipment for occupants not required: impact protection for occupants, safety belts, oxygen, warning lights
- Flight control system certification
- Ground control system certification
- Categories of unmanned aircraft
Certification basis: amended FARs
- FAR Part 1: Definitions and Abbreviations
- FAR Part 21: Certification Procedures for Products and Parts
- FAR Part 27: Airworthiness Standards: Normal Category Rotorcraft
- FAR Part 33: Airworthiness Standards: Aircraft Engines
- FAR Part XX: Airworthiness Standards: Electronic Flight Control Systems for Unmanned Aircraft
- FAR Part XX: Airworthiness Standards: Ground Control Systems for Unmanned Aircraft
Functional Analysis: Top Level (function tree)
1.0 Manage Organization AND 2.0 Maintain Equipment AND 3.0 Receive Mission Assignment -> GO / NO GO -> 4.0 Prepare for Mission -> 5.0 Execute Mission (UAV) AND 6.0 Execute Mission (GCS)
2.0 Maintain Equipment: maintain mission vehicle(s); maintain ground station equipment; maintain supporting equipment
1.0 Manage Organization: manage operation; manage personnel; manage finances; manage sales/marketing; manage supporting equipment/facilities
Functional Analysis: 3.0 Receive Mission Assignment (top-level tree repeated on the slide)
3.1 Receive mission description -> 3.2 Study map of route AND 3.3 Make preliminary flight plan AND 3.4 Check weather AND 3.5 Investigate regulatory issues -> 3.6 Request additional information from customer -> 3.7 Evaluate mission -> GO: 3.8 Negotiate rate with customer -> Ref. 4.0 Prepare for mission
NO GO branches return to Ref. 2.0 Maintain Equipment
4.0 Prepare for Mission: verify readiness of UAV; create flight plan; file NOTAM; verify that all necessary equipment is loaded and ready; obtain/sign release form; depart for launch site
Functional Analysis: 5.0 Execute Mission (UAV) (top-level tree repeated on the slide)
Start executing mission ->
5.1 Arrive at launch site -> 5.2 Prepare UAV -> 5.3 Preflight UAV -> 5.4 Take off and climb -> 5.5 Cruise -> 5.6 Search for target -> 5.7 Locate target -> 5.8 Search for portals -> 5.9 Find open portal(s) -> 5.10 Prepare for subvehicle launch -> 5.11 Deploy subvehicle -> 5.12 Hover in relay position -> 5.13 Cruise (return) -> 5.14 Descend and land
-> Finished executing mission
Functional Analysis: 6.0 Execute Mission (GCS) (top-level tree repeated on the slide)
Start executing mission (GCS) ->
6.1 Arrive at launch site -> 6.2 Prepare GCS for launch -> 6.3 Simulate mission in GCS AND 6.4 Brief crew -> 6.5 Establish communication link with UAV -> 6.6 Upload software/flight plan to UAV -> 6.7 Perform BIT -> GO / NO GO (NO GO: 6.8 Troubleshoot and repair) -> 6.9 Prepare for take off -> Perform manual take off OR Perform autonomous take off -> Activate flight plan (autonomous flight) -> Monitor UAV during mission execution OR Control UAV (high-level commands) OR ABORT MISSION -> Land UAV upon return to launch site -> Download data from UAV as needed -> Shut down GCS -> Prepare for next flight
-> Finished executing mission (GCS)
(Box numbers after 6.9 are not legible in the extraction.)
FHA & FTA: Flight Control as the Critical System Safety Subsystem
Control System (Collective) -> Electronic System and Mechanical System
FHA & FTA: Mechanical System

| Function | Failure Condition | Phase | Effect of Failure Condition | Classification | Ref. to Supporting Material / Verification |
|---|---|---|---|---|---|
| A1.1 Generate Rotor Force | Loss of lift force of rotor: a. Loss of rotor structure | All | Causes whole-aircraft failure and crash. May cause severe harm to people on the ground. | Catastrophic | FTA |
| | b. Loss of transmission structure | All | Causes loss of rotor capability | Catastrophic | |
| A2.1 Control Collective Pitch | Loss of control capability: a. Loss of control system structure; b. Loss of electricity; c. Loss of command | All | Causes whole-aircraft failure and crash. May cause severe harm to people on the ground. | Catastrophic | |
| A2.2 Control Cyclic Pitch | Loss of control capability: a. Loss of control system structure | All | Causes whole-aircraft failure and crash. May cause severe harm to people on the ground. | Catastrophic | |
Fault tree: Loss of Collective Pitch Control capability (top event; transfer to the Electronic System tree)
- Loss of Mechanical Linkage Capability
- Loss of Actuator Capability
  - Loss of Electricity
    - Failure of Wire Harness
    - Loss of Battery Capability
  - Failure of Mechanical Component of Actuator
  - Loss of steering commands from Flight Control Computer
    - Failure of Ground Station
    - Failure of On-Board System
    together with Loss of steering commands from Remote Control Receiver (the safety pilot's RC link backs up the flight computer, so both command paths must be lost)
Probability budgets shown on the tree: 1E-6 and 1E-5 (their placement on the branches is not preserved in the extraction).
FHA & FTA: Electronic System

| Function | Failure Condition | Phase | Effect of Failure Condition | Classification |
|---|---|---|---|---|
| B1 Generate actuator steering commands | Loss of valid commands from FCS: a. Invalid or missing output from FCS | T/O & Landing | Safety pilot will assume control of the aircraft and bring it to a safe landing | Minor (D) |
| | b. Invalid or missing output from FCS | Cruise (within RC range) | Safety pilot will assume control of the aircraft and bring it to a safe landing | Minor (D) |
| (function label lost in extraction) | a. Unable to send telemetry data to GCS | T/O, Landing and Cruise | The GCS will not have up-to-date information about the current location of the UAV | Minor (D) to Major (C) |
| B3 Monitor systems/performance | Failure to detect problem: a. Failure to detect Main Computer failure | T/O, Landing and in-range Cruise | Problem will not surface unless there is an actual Main Computer failure. Safety pilot may take control. | Minor (D) |
Fault tree: Loss of steering commands from Flight Control Computer (transfer from the Mechanical System tree)
- Loss of steering commands from Main Computer
- Loss of steering commands from Backup Controller
- Failure of Heartbeat Monitor to switch to Backup Controller
  - Failure of Main Computer to discontinue sending heartbeats
  - Internal failure in Heartbeat Monitor
- Heartbeat Monitor switches incorrectly to Backup Controller, together with Loss of steering commands from Backup Controller
Probabilities shown on the tree: 3E-3, 1E-4, 1E-3, 1E-4 (their placement on the leaves is not preserved in the extraction).
Transfer to the Mechanical System tree.
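The trees above are quantified by pushing leaf probabilities up through the gates. The following is an added example, not part of the original presentation, that does this for a tree modelled on the electronic-system tree: the exact top-event probability under independence, the rare-event approximation used on FTA worksheets, and the minimal cut sets, which show exactly which pairs of failures defeat the main/backup redundancy. The gate logic (main fails AND no usable takeover, OR a spurious switch onto a failed backup) is my reading of the tree, and the leaf values are constructed placeholders, because the extraction does not preserve which 1E-3 or 1E-4 belongs to which leaf.

```python
"""Quantify an FHA-derived fault tree through AND/OR gates (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from math import prod


@dataclass
class Event:
    name: str
    p: float  # probability per flight hour; the values used below are constructed placeholders


@dataclass
class Gate:
    name: str
    kind: str                 # "AND" or "OR"
    inputs: list = field(default_factory=list)


def probability(node) -> float:
    """Exact top-event probability for independent basic events."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rare_event(node) -> float:
    """Worksheet approximation: OR gates add, AND gates multiply. Never below the exact value."""
    if isinstance(node, Event):
        return node.p
    ps = [rare_event(i) for i in node.inputs]
    return prod(ps) if node.kind == "AND" else sum(ps)


def minimal_cut_sets(node) -> list[frozenset[str]]:
    """Smallest combinations of basic events that cause the top event (MOCUS-style expansion)."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = {s for cs in child_sets for s in cs}
    else:  # AND: every combination of one cut set per input
        sets = {frozenset()}
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def electronic_tree() -> Gate:
    """Assumed reading of the slide's electronic-system tree: steering commands are lost if the
    main computer fails and the backup cannot take over, or if the heartbeat monitor
    spuriously switches onto a backup that has itself failed."""
    main = Event("Main Computer stops sending steering commands", 1e-3)
    backup = Event("Backup Controller stops sending steering commands", 1e-3)
    no_hb_stop = Event("Main Computer fails to discontinue heartbeats", 1e-4)
    hb_internal = Event("Internal failure in Heartbeat Monitor", 1e-4)
    hb_spurious = Event("Heartbeat Monitor switches incorrectly to Backup", 1e-4)
    no_switch = Gate("Heartbeat Monitor fails to switch to Backup", "OR", [no_hb_stop, hb_internal])
    no_takeover = Gate("No usable backup", "OR", [backup, no_switch])
    main_lost = Gate("Main fails and takeover fails", "AND", [main, no_takeover])
    spurious = Gate("Spurious switch onto a failed Backup", "AND", [hb_spurious, backup])
    return Gate("Loss of steering commands from Flight Control Computer", "OR", [main_lost, spurious])


if __name__ == "__main__":
    top = electronic_tree()
    print(f"exact {probability(top):.3e}   rare-event {rare_event(top):.3e}")
    for cs in minimal_cut_sets(top):
        print("  " + " AND ".join(sorted(cs)))
```

With these placeholder values every minimal cut set has two members, and all of them contain a controller failure: the tree tells the designer that the monitor's own failure modes only matter in combination with a main-computer failure, which is the justification for budgeting the monitor at a higher rate than the redundant computers.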
PSSA: Software Exploration

| Tool | What for? | Easy? (notes) |
|---|---|---|
| MEADEP | Markov analysis | Redundancy, multiple events |
| PRISM | System failure rate modeling | Database |
| Crystal Ball | Monte Carlo simulation | Distribution functions |

Choice: Monte Carlo simulation for the whole system; PRISM for the mechanical components.
PSSA: Strategy
Fault tree based on the FHA (the collective-pitch and flight-control-computer trees above, repeated on the slide) -> Markov analysis for the mechanical system and the electronic system.
PSSA: PRISM modeling of the mechanical components (PRISM database)

| Component | Failures per million calendar hr | Failures per operating hr |
|---|---|---|
| Linkage | 27.089 | 9.36E-04 |
| Yoke | 8.1256 | 2.81E-04 |
| Main Rotor | 3.7443 | 1.29E-04 |
| Swash Plate | 2.8822 | 9.96E-05 |
| Servo | 9.2274 | 3.19E-04 |

Total failure rate: 1.76E-3 per operating hour (sum of the right-hand column).
PSSA: Markov Analysis
- Mechanical system: MTTF = 6023.275 hr; reliability = 93.57 %
- Electronic system: MTTF = 1000.249 hr; reliability = 90.48 %
(Reliability is a probability, not a time; the "hr" the slide attaches to the two reliability values is an error.)
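The MEADEP state diagrams behind these figures are not reproduced in the slides. As an added example, not the course's MEADEP model, the block below performs the same kind of Markov computation in pure Python for a main/backup flight computer with imperfect switch coverage: MTTF from the absorbing chain (the mean time to absorption solves (-A) tau = 1 over the transient states) and R(t) by integrating the Kolmogorov forward equations. The rates and the 99 % coverage are constructed placeholders. Run with a single state and lambda = 1E-3 per hour, the same code gives MTTF = 1000 h and R(100 h) = 0.9048, which is the order of the electronic-system result quoted above.

```python
"""MEADEP-style Markov reliability analysis of a main/backup flight computer (added example)."""
from __future__ import annotations

# Constructed placeholder rates per flight hour (not the slide's PRISM/MEADEP inputs).
LAMBDA_MAIN = 1.0e-3    # main flight computer stops producing steering commands
LAMBDA_BACKUP = 1.0e-3  # backup controller stops producing steering commands
COVERAGE = 0.99         # probability the heartbeat monitor detects a main failure and switches


def generator(lam_main=LAMBDA_MAIN, lam_backup=LAMBDA_BACKUP, coverage=COVERAGE):
    """Sub-generator over the transient states. State 0: main active, backup in standby.
    State 1: backup active after a covered main failure. The absorbing state 'loss of
    steering commands' is implicit: each row sums to minus the rate of leaving to it."""
    return [
        [-lam_main, coverage * lam_main],   # uncovered failures (1 - coverage) go straight to absorption
        [0.0, -lam_backup],
    ]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system a x = b."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def mttf(a, start=0):
    """Mean time to absorption from `start`: tau = (-A)^-1 * 1."""
    neg_a = [[-x for x in row] for row in a]
    return solve(neg_a, [1.0] * len(a))[start]


def reliability(a, t, start=0, steps=10000):
    """R(t): probability of still being in a transient state at time t.
    Integrates dp/dt = p A with classical RK4 from p(0) = e_start."""
    n = len(a)
    p = [0.0] * n
    p[start] = 1.0
    h = t / steps

    def f(v):
        return [sum(v[i] * a[i][j] for i in range(n)) for j in range(n)]

    for _ in range(steps):
        k1 = f(p)
        k2 = f([p[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = f([p[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = f([p[i] + h * k3[i] for i in range(n)])
        p = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(n)]
    return sum(p)


if __name__ == "__main__":
    redundant = generator()
    single = [[-LAMBDA_MAIN]]
    print(f"single:    MTTF {mttf(single):8.1f} h   R(100 h) {reliability(single, 100.0):.4f}")
    print(f"redundant: MTTF {mttf(redundant):8.1f} h   R(100 h) {reliability(redundant, 100.0):.4f}")
```

For equal rates the closed form is MTTF = 1/lambda + c/lambda and R(t) = e^(-lambda t) (1 + c lambda t), which the numerical routines reproduce; the interesting knob for a safety engineer is the coverage c, since an uncovered failure (the "fails to switch" branch of the fault tree) bypasses the backup entirely.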
Fault tree from the FHA (the collective-pitch and flight-control-computer trees above, repeated on the slide) mapped onto a Simplified Block Diagram with these blocks: Mechanical Linkage Capability; Actuator Capability (Mechanical Component of Actuator; Electricity: Battery Capability, Wire Harness); Steering commands from Flight Control Computer (On-Board System, Ground System); Steering command from Remote Control Receiver.
PSSA: Monte Carlo Simulation
Blocks 1 to 7 of the simplified block diagram are combined as

  overall = 1 + 2 + 3 + (5 + 6) × 4 + 7

(series blocks add; the two redundant command paths, the flight-computer path 5 + 6 and path 4, contribute their product).
Frequency comparison / overlay chart (same order as the inputs): histogram of the overall rate over the range 0.00290 to 0.00330, relative frequencies 0 to about 0.017.
(Simplified block diagram repeated on the slide.)
PSSA: Monte Carlo Simulation
Normal curve fit to the Monte Carlo output: mean 3.1×10^-5, standard deviation 7.0×10^-5 (the Greek symbols are lost in the extraction; the histogram axis on the previous slide runs from 0.0029 to 0.0033, so the printed exponent of the mean does not match the chart).
Forecast charts for cell B4 show Mean = 0.00 at the displayed precision.
Leaf budgets on the tree: 1E-5 (four leaves) and 1E-6 (three leaves).
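The Monte Carlo step treats each block's failure rate as an uncertain input and pushes the samples through the slide's combination formula. As an added example, not the Crystal Ball model used in the course, the block below does that propagation in Python. The block numbers follow the slide's formula overall = 1 + 2 + 3 + (5 + 6) × 4 + 7, but which diagram block carries which number, the point estimates, and the ±50 % uniform uncertainty bands are constructed assumptions. It reports the mean and spread, the fraction of trials that exceed a budget, and a contribution-to-variance ranking of the kind Crystal Ball shows in its sensitivity chart.

```python
"""Monte Carlo propagation of block failure rates through a series/parallel structure (added example)."""
import random
import statistics

# Block numbers follow the slide's formula; the names, per-flight-hour point estimates and
# the uncertainty band are constructed placeholders, not the slide's values.
BLOCKS = {
    1: ("Mechanical linkage capability", 9.4e-4),
    2: ("Mechanical component of actuator", 3.2e-4),
    3: ("Electricity (wire harness, battery)", 1.0e-5),
    4: ("Steering commands from RC receiver", 1.0e-3),
    5: ("Ground system", 1.0e-3),
    6: ("On-board system", 1.0e-3),
    7: ("Remaining actuator capability", 4.1e-4),
}
SPREAD = 0.5  # each block rate is drawn uniformly from [(1-SPREAD) v, (1+SPREAD) v]


def overall(rate):
    """The slide's combination: series blocks add; the two redundant command paths
    (flight-computer path 5 + 6, RC receiver path 4) contribute their product."""
    return rate[1] + rate[2] + rate[3] + (rate[5] + rate[6]) * rate[4] + rate[7]


def point_estimate():
    return overall({k: v for k, (_, v) in BLOCKS.items()})


def simulate(n=20000, seed=1):
    """Return the overall-rate samples and, per block, the input samples that produced them."""
    rng = random.Random(seed)
    samples, inputs = [], {k: [] for k in BLOCKS}
    for _ in range(n):
        draw = {k: rng.uniform((1 - SPREAD) * v, (1 + SPREAD) * v) for k, (_, v) in BLOCKS.items()}
        for k, x in draw.items():
            inputs[k].append(x)
        samples.append(overall(draw))
    return samples, inputs


def summarize(samples):
    s = sorted(samples)
    return {
        "mean": statistics.fmean(s),
        "stdev": statistics.stdev(s),
        "p05": s[int(0.05 * len(s))],
        "p95": s[int(0.95 * len(s))],
    }


def exceedance(samples, budget):
    """Fraction of trials in which the overall rate exceeds a safety budget."""
    return sum(1 for x in samples if x > budget) / len(samples)


def sensitivity(samples, inputs):
    """Squared Pearson correlation of each block with the overall rate: the share of output
    variance each input explains, i.e. where a tighter failure-rate estimate would pay off."""
    def corr(xs, ys):
        mx, my = statistics.fmean(xs), statistics.fmean(ys)
        cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
        vx = sum((x - mx) ** 2 for x in xs)
        vy = sum((y - my) ** 2 for y in ys)
        return cov / (vx * vy) ** 0.5
    return {k: corr(v, samples) ** 2 for k, v in inputs.items()}


if __name__ == "__main__":
    samples, inputs = simulate()
    print(f"point estimate {point_estimate():.4e}")
    print(summarize(samples))
    print(f"P(overall > 2.0e-3) = {exceedance(samples, 2.0e-3):.3f}")
    for k, r2 in sorted(sensitivity(samples, inputs).items(), key=lambda kv: -kv[1]):
        print(f"  block {k} {BLOCKS[k][0]}: r^2 = {r2:.3f}")
```

Two things the propagation shows that the point estimate alone does not: the redundant pair contributes so little variance that uncertainty in the command-path rates is irrelevant to the total, and the mechanical linkage dominates the spread, so that is the block whose PRISM figure most deserves field data.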
PSSA: Reliability Goals
- General aviation Loss of Aircraft (LOA): 10 per 100,000 flight hours = 1E-4 per flight hour
- About 60 % of these: mechanical system failures and "other" external causes
- Human error plays a significant role in UAV losses
- Reliability goal for the flight control system: LOA = 1E-5 per flight hour, i.e. 10 % of the general-aviation LOA rate
Human Errors: Introduction
- Direct or indirect; intentional or unintentional
- Example: flying into electrical lines, attributable to the mission planner, ground control, or maintenance
Human Errors: Human Safety and Reliability (diagram)
Better working environment -> increased worker safety (reduced delays due to injury) and increased worker reliability -> increased ROA reliability -> increased mission success and increased safety of the ROA and the environment
Human Errors: Working Environment, some important factors and issues
- Information: "There are power lines here"
- Documentation: "Stay 500 feet from power lines"
- Communication: "We should move away"
- Workload: "What? I'm busy"
- Visual/aural alerts: "Warning!"
- Training: "What do I do now?"
Human Errors: Environment
Possible dangers in the environment: high workload / time-critical workload / high stress; unnoticed errors / no quality assurance; too many details to consider; hazardous equipment and materials; distractions
Each top-level function (1.0 to 6.0 in the function tree above) has a different environment.
Human Errors: Launch Site Setup
Major dangers: high workload; unnoticed errors; hazardous equipment and materials; weather and terrain
Suggestions: document the procedure; range safety officer; labels and color; information about the launch site before arrival; familiarization with all equipment; new technology: fault tolerant software, fault tolerant system architecture
Fault Tolerant Design: Software (LPE)
LPE Step 1: the mission objective is stated in an abstract mathematical language.
  Assumption (4): operational(U_t)
  Goal: over t in T and u in U_t, operational(u) ... |pos ... v| ... D (the relation and quantifier symbols are lost in the extraction)
LPE Step 2: the mission plan is written in a flowchart language and given a formal proof.
LPE Step 3: the control system (destination vector, formation vector) is a proven algorithm with automatically generated code.
Open-Control Platform: API; real-time reconfiguration; mediator; high-level abstraction; located on-board. Flow: LPE Step 1 mathematical expression -> LPE Step 2 flowchart validation (MPC, control, communication) -> LPE Step 3 executable code in several languages with code validation.
Fault Tolerant Design: System Architecture (diagram)
- Sensors: a primary sensor and a secondary sensor deliver sensor data to both the Main Flight Computer and the Backup Flight Controller
- Both computers send steering commands to the HB (heartbeat) Monitor and Steering Relay, which passes one set to the actuators driving the rotor (mechanical systems)
- Power: the power plant system drives a generator and the RMax battery; a backup battery on trickle charge; a Primary Avionics DC Bus and a Secondary Avionics DC Bus
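The heartbeat monitor and steering relay is the single component whose failure modes appear as leaves in the electronic fault tree: fails to switch, switches incorrectly, and the main computer failing to stop its heartbeats. The following added example, not code from the GTMax project, sketches monitor logic that addresses each of those modes and replays it against constructed main-computer behaviours. A heartbeat carries both a sequence number and the control-loop iteration count, so a hung computer whose timer interrupt still emits beats is treated as stale; the relay switches only after several consecutive missed periods, so a single dropped beat does not cause a spurious switch; and the switch latches, so a recovering main cannot flip the relay back in flight. The 50 Hz period, the three-period miss limit, the 200 Hz monitor tick and the five scenarios are constructed assumptions.

```python
"""Heartbeat monitor with a latching main/backup steering relay (added example)."""
from dataclasses import dataclass, field
from typing import Optional

HEARTBEAT_PERIOD = 0.02  # s; constructed: one beat per iteration of a 50 Hz control loop
MISS_LIMIT = 3           # consecutive missed periods before the relay switches (60 ms at 50 Hz)


@dataclass
class Heartbeat:
    t: float          # send time, s
    seq: int          # heartbeat sequence number
    loop_count: int   # control-loop iterations completed: proves the loop, not just a timer, is alive


@dataclass
class HeartbeatMonitor:
    t0: float = 0.0
    period: float = HEARTBEAT_PERIOD
    miss_limit: int = MISS_LIMIT
    source: str = "main"                 # relay position; latches once it reaches "backup"
    switched_at: Optional[float] = None
    last_seq: Optional[int] = None
    last_loop: Optional[int] = None
    last_ok_time: Optional[float] = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.last_ok_time = self.t0  # arm the watchdog at power-up

    def on_heartbeat(self, hb: Heartbeat) -> None:
        """Accept a beat only if both counters advanced. A hung main whose timer still emits
        beats (the 'fails to discontinue heartbeats' leaf of the fault tree) is stale."""
        if self.source == "backup":
            return  # latched: a recovering main must not flip the relay back in flight
        fresh = (self.last_seq is None or hb.seq > self.last_seq) and \
                (self.last_loop is None or hb.loop_count > self.last_loop)
        if fresh:
            self.last_seq, self.last_loop, self.last_ok_time = hb.seq, hb.loop_count, hb.t
        else:
            self.log.append((hb.t, "stale heartbeat ignored"))

    def tick(self, now: float) -> str:
        """Monitor clock: switch to the backup after miss_limit periods without a fresh beat."""
        if self.source == "main":
            missed = (now - self.last_ok_time) / self.period
            if missed >= self.miss_limit - 1e-9:
                self.source, self.switched_at = "backup", now
                self.log.append((now, f"switched to backup after {missed:.1f} missed periods"))
        return self.source


def main_computer_beats(scenario: str, duration: float = 1.0) -> list:
    """Constructed main-computer behaviour. 'healthy': a beat every period. 'dropout': beat 25
    lost. 'crash': beats stop at beat 25. 'hung': from beat 25 the timer still sends beats but
    the loop counter stops advancing. 'recover': beats stop at 25 and resume at 35."""
    beats, seq, loop = [], 0, 0
    for i in range(int(round(duration / HEARTBEAT_PERIOD)) + 1):
        seq += 1
        if scenario == "crash" and i >= 25:
            break
        if scenario == "recover" and 25 <= i < 35:
            continue
        if scenario == "dropout" and i == 25:
            continue
        if not (scenario == "hung" and i >= 25):
            loop += 1
        beats.append(Heartbeat(i * HEARTBEAT_PERIOD, seq, loop))
    return beats


def run(scenario: str, duration: float = 1.0, tick: float = 0.005) -> HeartbeatMonitor:
    """Replay a scenario against the monitor, which polls on its own 200 Hz tick."""
    mon = HeartbeatMonitor()
    beats = iter(main_computer_beats(scenario, duration))
    pending = next(beats, None)
    for i in range(int(round(duration / tick)) + 1):
        now = i * tick
        while pending is not None and pending.t <= now + 1e-9:
            mon.on_heartbeat(pending)
            pending = next(beats, None)
        mon.tick(now)
    return mon


if __name__ == "__main__":
    for s in ("healthy", "dropout", "crash", "hung", "recover"):
        m = run(s)
        print(f"{s:8s} relay={m.source:6s} switched_at={m.switched_at} events={len(m.log)}")
```

The miss limit is the design trade the fault tree asks for: a lower limit shortens the 60 ms detection latency but raises the probability of the "switches incorrectly" event on a single lost beat, and the latching behaviour means a spurious switch is not self-correcting, which is why that leaf appears ANDed with a backup failure rather than on its own.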
Strategy for Showing Compliance
Today: no certification basis for unmanned aircraft. The "5-year plan":
1. Demonstrate the product
2. FAA cooperation
3. Initial NPRM
4. Amendments to the FARs
5. Start the formal certification process
The structure is not so expensive, and GTMax is already flying.
Certification Plan (schedule chart starting in Year 1; "O" marks denote milestones): Application to FAA; develop certification basis; GCP development; certification schedule development; initial type board meeting; test plan submittal; GCP review and approval; interim type board meeting; drawing release; Prototype 1 fab/assemble; Prototype 1 first flight; envelope expansion; load level survey; systems/weather/lightning; Prototype 2 fab/assemble; Prototype 2 first flight; envelope expansion; performance & HQ; mod into GTV; GTV ground tests; rotor & XMSN bench test; static tests; final type board meeting; certification. Tests for autonomous flight and the control system run alongside.
Conclusions: Summary and Further Study
What was accomplished:
- Suggested certification basis
- Functional analysis, FHA, PSSA
- Quantified system reliability
- Considered human factors
- Developed fault tolerant flight control
- Proposed strategy for compliance
Further study:
- Current work to include UAVs in the FARs
- Obtain more accurate failure rates
- Analysis for aircraft-level reliability
- Complete the safety assessment process on all aircraft systems
- Develop systems through operational experience
Questions?
Thank you