Trustworthy Autonomy Development & Flight Demonstration: Multi-Monitor Run Time Assurance Research Update. Mark Skoog, Armstrong Flight Research Center
Research Timeline
Automation Research
• AFTI/F-16: Advanced Fighter Technology Integration
• AFTI & ACAT/F-16: Automated Collision Avoidance Technology
• SUAV/iGCAS/SR22: Improved Collision Avoidance System
[Timeline figure. Axis: 1980, 2000, 2010, 2017. Labels: Dedicated Safety Work for Fighters; Platform Diversity; Automated Collision Avoidance (Ground, Air, Integrated); Small UAS; GA; Quad-Rotor; Automated Maneuvering Attack System (AMAS); Ground Collision Avoidance; Transition]
Ground Collision Avoidance System (GCAS)
Common Functional Architecture
Sense Own-State & Atmospherics
• Sufficient to support trajectory estimation
Sense Collision Threat
• Terrain
• Aircraft
• Weather
• Missiles
Predict Escape Trajectories
• Evasion Types
• Maneuvering Capability
• Evasion Trajectory Estimations
• Associated Uncertainties
Predict Future Threat State
• Scan/Track Pertinent Threat
• Simplify Threat Profile
• Associated Uncertainties
Determine Need to Evade & Threat Lethality
• Minimum Approach
• Integrity Check
• Time to Evade
• Command Evasion
Evade
• Integrity Check
• Execute
• Evasion
Notify
• Alert
• Record
• Recall
Pilot Controls
• Mode Selection
• Interface
Other diagram labels: Trajectory Predictions; Common Interface; Autopilot; Coupler
Avoid Collisions
Do Not Impede the Pilot
Flight 18 event 6, 45 kts, 100’ buffer
sUAV
Automatic Air Collision Avoidance System (Auto ACAS)
Automatic Integrated Collision Avoidance System (Auto ICAS) - Air & Ground Multi-Ship
The Challenge of Autonomy
• Verification & Certification of a Complex System
Complex System
Deterministic Safety Net
• A Possible Solution – Run-Time Assurance (RTA)
Multi-Monitor RTA (MM-RTA) with Risk-Based Decision Making
Informing the Standards Community
Research findings vetted with ASTM International through Working Group 53403 (WK53403)
• WK53403 Goal: Develop a standard practice that safely bounds the flight behavior of autonomous UAS
• Involvement originated from AFRC collaboration with FAA regarding Auto GCAS and integrity management work on early autonomy concepts
• Published Industry Standard Practice in Oct 2017
Traditional RTA Framework
[Block diagram. Blocks: Untrusted System; Sensors; RTA Input Manager; Safety Monitor; Recovery Controller; RTA Switch; Vehicle Management System. Legend: Baseline Aircraft; RTA Trusted Functions; Untrusted Controllers]
MM-RTA Framework
This Work is Unique to AFRC
[Block diagram. Blocks: Untrusted Systems; Sensors; Safety/Behavioral Monitor (repeated); Recovery Control (repeated); Integrity Monitor; Switch; Switch Control; Flight Control System. Legend: Flight Executive components]
Traveler
Phase 1 EVAA Development
Objective
• Develop research findings to inform standards development for certifiable autonomy
• Evaluate the dynamic interaction of an MM-RTA with no integration between monitors
Expandable Variable-Autonomy Architecture (EVAA)
• Stretching the paradigm of autonomy
• Deterministic Rulesets Bounding Autonomous Behavior
• Functionally Partitioned Monitors
• Risk-Based Decision Making
• A process enabling certification
  • Software Architecture/Framework
  • Test Approach
• Scalable autonomy
  • Pilot-in-the-Loop to “Fully Autonomous”
Low Altitude Small UAS Test Ranges (LASUTR)
• A tool for certification
• High-risk integrated research
TN36657
Phase 1 EVAA
MM-RTA: Key EVAA Accomplishments
• Aircraft/Testbed Modifications
  • Research Processor Integrated Jan 17
  • Sound & Lighting System Installed May 17
• Research System
  • Functional Requirements Completed Nov 16
  • Design Completed Feb 17
  • Coding Completed Mar 17
  • Patent for GCAS Monitor Issued May 17
• V&V
  • Hardware in the Loop Sim Completed Mar 17
  • Integrated V&V Completed May 17
• Flight Test
  • Aircraft Characterization Test Completed Mar 17
  • EVAA Flight Test Began May 17
• Reporting
  • Update to FAA & ASTM May 17
Flight Controls
EVAA Processor
Development Environment HITLS
LiDAR data for Obstacle Avoidance
MM-RTA Flight Test Begun
Flight Test Accomplishments
EVAA Command Delegation with Conflicting Multi-Monitor Resolution
[Figure labels: Waypoint Following Control; GeoFence Control; 600’ Tall Obstacle; No-Fly Zone; Ground Collision Avoidance Control]
EVAA Phase 2
EVAA Phase 2 Development
OSD’s JCTD Resilient Autonomy Project
Expandable Variable-Autonomy Architecture (EVAA) Phase 2
[Architecture diagram: EVAA Flight Executive. Recoverable labels follow.]
Mission Functions:
• Takeoff
• Landing
• WP Follower
• In-Flight Route Planner
• Mission Planner
• Terrain Following
Coupler
• Elissa
• HQ-x
• Cozy – MGL
• Towed Glider
Sensors:
• Aircraft State
  • Attitudes
  • Rates
• Navigation
  • GPS
  • INS
  • TRN
  • Vis Nav
• Physical Threats
  • Stereo Vis
  • DAA Radar
• Environmental Threats
  • Winds
  • Weather
Monitors: iGCAS; Privacy & Personal Space Asur.; Auto ACAS; Geo-Fence; Sep. Asur.; Person Avoidance; Wx Avoidance; Obstacle Avoidance
OLIV
• Boundary Crosschecks
• Monitor Persistence Checks
• Mission Progress Checks
Other diagram labels: Light System; Voice System; Sound System; Pilot; Ground Control Station; Radio; Moral Compass; Maneuver Selection; Shared Data; Map Manager; Trajectory Manager; Terrain, Features, Risk, Imagery; Helper Functions; In-Flight Re-Planner; Re-Route Selection; Nothing; System Wide Integrity Monitors; Contingency Managers; Rules of Behavior; Select Highest Consequence; Non-Viable Maneuvers by Consequence; Re-Routing; Validated Data; Guidance Commands; AP Engagement & Capture Commands; FCS Status & Health; Dynamic Consistency Checks; Test Safety; Self-Health Checks; FLS; Geo-Recover; RTB; Where-to-Land; FCS; LOC Prevention*; LOC Recovery*; Autopilot; Derived Data; Flight Plan/Req; Route Verifier; Intent Manager; External Data Interface; Cellular Network; Internet
OSD Resilient Autonomy
[Concept figure labels: ADS-B & DAA Radar; Non-Safety Critical Link; Cooperative & Non-Cooperative Targets; Visual-Nav System – transient operation in GPS denied or degraded environment; Automatic Well-Clear & Air Collision-Avoidance; Automatic Ground & Obstacle Collision-Avoidance; EVAA Processor; Obstacles; Terrain; Automatic Airspace Boundaries & Safe-Ditch Contingency Management; Cellular or Other Link]
GCS Features
• Mission Plan Verification
• Situational Awareness Displays
EVAA
• Certifiable Autonomy
• Safe Pilotless BLOS Ops
• Risk-Based Decision Logic
• Easily Tailored to any Vehicle & Mission
HQ-90
HQ-90 Testbed
• 103 Lbs. Max Gross Takeoff Weight
• 14’ 8” Wingspan
• 20 to 30 Pound Payload
• 12 to 24 hours Endurance
[System diagram labels: Non-Safety Critical Link; Command & Control Link; Safety Pilot; Radio; GCS; Laptop; Piccolo 2 Autopilot; EVAA Processor; Cellular or Other Link; Big Data; ADS-B; DAA Radar; VisNav & Detection; Flight Test Only; Ground Control Station; Flight Test Link]
DAA Approach
• Separation Assurance: Behavioral
• Air Collision Avoidance: Loss of life
• Ground Collision Avoidance: Loss of property
Questions