Integrated Safety Envelopes - Ptolemy...
Transcript of Integrated Safety Envelopes - Ptolemy...
![Page 1: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/1.jpg)
Integrated Safety Envelopes
Built-in Restrictions of Navigable Airspace
Edward A. LeeProfessor, EECS, UC Berkeley
NSF / OSTP Workshop on InformationTechnology Research for CriticalInfrastructure Protection
Sept. 19-20, 2002
With thanks to:Adam Cataldo (Berkeley)David Corman (Boeing)Peter Huber (Forbes Magazine)Xiaojun Liu (Berkeley)Per Peterson (Berkeley)Shankar Sastry (Berkeley)Claire Thomlin (Stanford)Don Winter (Boeing)
![Page 2: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/2.jpg)
ISE, Edward A. Lee 2
The General Principle
• Networked systems can impose safety envelopes– This is the intent of the air traffic control system
• Networks fail– E.g. Malicious pilots can ignore air traffic control directives
• Components can locally impose safety envelopes– Tighter envelopes may be required when networks fail
• Software-driven control systems enable imposition ofsafety envelopes at all levels of the network hierarchy– Air traffic control– Individual aircraft– Individual engine– Individual part Principle:
Integrated Safety Envelopes
![Page 3: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/3.jpg)
ISE, Edward A. Lee 3
Flexible Networked Systemswith Rich Functionality
Principle:Integrated Safety Envelopes
Networked embedded system… with a rich set of safe behaviors
![Page 4: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/4.jpg)
ISE, Edward A. Lee 4
Compromised Networked SystemsFalls back to Less Functionality
Principle:Integrated Safety Envelopes
Compromised system… has fewer safe behaviors
![Page 5: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/5.jpg)
ISE, Edward A. Lee 5
Hierarchical Networked SystemsWith Locally Defined Safety Envelopes
Principle:Integrated Safety Envelopes
Compromised subsystem… behavior within locallydefined safety envelopes
![Page 6: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/6.jpg)
ISE, Edward A. Lee 6
Illustration of the Principle: Softwalls
• Enforce no-fly zones in the on-board avionics.• Carry on-board a 3-D database with “no-fly-zones”.• Localization technology identifies aircraft position.
– GPS + inertial navigation system
Principle:• Maximize pilot authority• Subject to the no-fly zone constraint• Maintain aircraft responsivity
• System is not networked and not hackable.• Improves aircraft safety
– prevents controlled flight into terrain.
![Page 7: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/7.jpg)
ISE, Edward A. Lee 7
No-Fly Zone with HarsherEnforcement
There are alreadyregions of space intowhich aircraft can’tfly. The idea is tomake some of thesevirtual.
![Page 8: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/8.jpg)
ISE, Edward A. Lee 8
Trajectory with Maximally Uncooperative Pilot
Assumptions:• speed: 0.1 miles/sec = 360 miles/hour• Max rate of turn: M = 2π/20 radians/sec• min turning radius: speed/M = 0.32 miles
pilot turns towards the wall
the
wall
bias starts, pilot counteracts
pilot controls saturate
pilot regains steeragetowards wall
nautical miles
![Page 9: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/9.jpg)
ISE, Edward A. Lee 9
Aircraft is Diverted by a Blending Controller,which Combines a Bias with Pilot Directives
force ofthe wind onthe sails
turnedrudderkeeps thetrajectorystraight
withstraightrudder
with turnedrudder
Even with weather helm, thecraft responds to fine-graincontrol as expected.
Sailing analogy: weather helm
![Page 10: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/10.jpg)
ISE, Edward A. Lee 10
Related Methods
• Ground proximity warning systems• Automatic ground avoidance systems• TCAS & ACAS – collision avoidance• Potential field methods for air-traffic control
HoneywellTCAS
Rockwell conflict resolution
These all share one feature:localization of safety envelopes.
![Page 11: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/11.jpg)
ISE, Edward A. Lee 11
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
![Page 12: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/12.jpg)
ISE, Edward A. Lee 12
Is There Any Aircraft Emergency Severe Enoughto Justify Trying to Land on Fifth Ave?
![Page 13: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/13.jpg)
ISE, Edward A. Lee 13
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
• There is no override– switch in the cockpit
![Page 14: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/14.jpg)
ISE, Edward A. Lee 14
No-Fly Zone with HarsherEnforcement
There is nooverride in thecockpit thatallows pilots tofly throughthis.
![Page 15: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/15.jpg)
ISE, Edward A. Lee 15
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
• There is no override– switch in the cockpit
• Localization technology could fail– GPS can be jammed
![Page 16: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/16.jpg)
ISE, Edward A. Lee 16
Localization Issues
GPS falls back to Inertial navigation
“Localization” is the technology forreliably and accurately knowing thelocation of an object.
Accurate, robust localizationtechnology is an essentialtechnology.
![Page 17: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/17.jpg)
ISE, Edward A. Lee 17
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
• There is no override– switch in the cockpit
• Localization technology could fail– GPS can be jammed
• Deployment could be costly– how to retrofit older aircraft?
![Page 18: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/18.jpg)
ISE, Edward A. Lee 18
Deployment
• Fly-by-wire aircraft– a software change
• Older aircraft– autopilot level?
• Phase in– prioritize airports
![Page 19: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/19.jpg)
ISE, Edward A. Lee 19
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
• There is no override– switch in the cockpit
• Localization technology could fail– GPS can be jammed
• Deployment could be costly– how to retrofit older aircraft?
• Deployment could take too long– software certification
![Page 20: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/20.jpg)
ISE, Edward A. Lee 20
Softwalls Works WhenAir Traffic Control Fails
This seems largelyorthogonal of airtraffic control, andcould complementsafety methodsdeployed there. It isself-contained on asingle aircraft.Improves robustnessof any air trafficcontrol system.
![Page 21: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/21.jpg)
ISE, Edward A. Lee 21
Issues
• Reducing pilot authority is dangerous– reduces ability to respond to emergencies
• There is no override– switch in the cockpit
• Localization technology could fail– GPS can be jammed
• Deployment could be costly– how to retrofit older aircraft?
• Deployment could take too long– software certification
• Fully automatic flight control is possible– throw a switch on the ground, take over plane
![Page 22: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/22.jpg)
ISE, Edward A. Lee 22
UAV Technology(Unoccupied Air Vehicle)
e.g. Global Hawk(Northrop Grumman)
Technology Support Working Group(TSWG), office of the Secretary ofDefense, recommends against anypartial control approach. Theirfeeling is that there is only onefeasible strategy: a single trigger,either on-board or remote control,that would assume complete controland take the plane to a safe base.
Northrop Grumman has such asystem in the Global Hawk UAV thatsome believe can be dropped-in topassenger airliners.
![Page 23: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/23.jpg)
ISE, Edward A. Lee 23
Potential Problems with Switching toGround Control When Threat is Detected
• Human-in-the-loop delay on the ground– authorization for takeover– delay recognizing the threat
• Security problem on the ground– hijacking from the ground?– takeover of entire fleet at once?
• Requires radio communication– hackable– jammable
This does not follow theprinciple ofIntegratedSafety Envelopes
![Page 24: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/24.jpg)
ISE, Edward A. Lee 24
Integrated Safety EnvelopesResearch Agenda
• Defining hierarchical safety envelopes– Model-based design
• Fault and threat detection– On-line models
• Fault and threat isolation– Mode changes to impose safety envelopes
• Predictable mode transitions– Avoid emergent behavior, propagating effects
• Adapting existing systems– Models must include the phase-in transition
• Policy issues– Limiting authority
![Page 25: Integrated Safety Envelopes - Ptolemy Projectptolemy.eecs.berkeley.edu/presentations/02/softwalls...Integrated Safety Envelopes Built-in Restrictions of Navigable Airspace Edward A.](https://reader033.fdocuments.in/reader033/viewer/2022053014/5f12ec54940d9203646f059b/html5/thumbnails/25.jpg)
ISE, Edward A. Lee 25
Conclusions
• Don’t have to choose between large,centralized control, and decentralized,semi-autonomous actors.– Use both– Failures or threats ⇒ tighter safety envelopes
• Need control algorithms that maintain safeoperating parameters and maximize localauthority subject to the safetyconstraints.