V & V of Flight-Critical Systems. Guillaume Brat, NASA ARC


V & V of Flight-Critical Systems
Guillaume Brat, NASA ARC
NASA Aviation Safety Program
Beavercreek, Ohio, 15 June 2010 (S5 1)

NextGen and JPDO
- By 2025, U.S. air traffic is predicted to increase 2 to 3 times.
- The Next Generation Air Transportation System (NextGen) is the solution to safely and efficiently manage this growth and allow new aircraft classes and operational concepts.
- The Joint Planning and Development Office (JPDO), coordinating the Departments of Transportation, Defense, Homeland Security, Commerce, FAA, NASA, and the White House Office of Science and Technology Policy, is responsible for managing a public/private partnership to bring NextGen online.

JPDO Identified Critical Gap in V&V Methods
"Developers do not have effective ways to model and visualize software complexity, including the possible range of interactions, especially unexpected and anomalous behaviors that can occur among software and hardware components. Developers also do not have time- or cost-effective ways to test, validate, and certify that software-based systems will perform reliably, securely, and safely as intended, particularly under attack or in partial failure."

The JPDO Drivers
- R-1440 Applied Research on Complex Systems Validation and Verification: Applied research on the methods and algorithms to support the validation and verification of complex systems. Complex systems provide multiple functions that support many different operating models, environments and technologies and therefore require more advanced and integrated validation and verification methods and algorithms beyond those used for less complex systems. This research will support the development of complex systems, their risk assessment and eventual certification decisions.
- EN-3050 Advanced Complex System Validation and Verification Methods. Description: Advanced tools and processes are developed to improve the verification and validation of complex systems and software. Improvements will focus on reducing the time and resources needed to conduct validation and verification as well as improving the quality of the results....

Impact: Cost, and Constraints on Innovation
System Size Comparisons of Embedded Software (lines of code):
- Mars Reconnaissance Orbiter: 545K
- Orion Primary Flight Sys.: 1.2M
- F-22 Raptor: 1.7M
- Seawolf Submarine Combat System AN/BSY-2: 3.6M
- Boeing 777: 4M
- Boeing 787: 6.5M
- F-35 Joint Strike Fighter: 5.7M
- Typical GM car in 2010: 100M
Sources: NASA Study, Flight Software Complexity, 4/23/2009; Winter, D. (VP, Engineering & IT, Boeing PW), Testimony to House Committee on Science and Technology, July 31, 2008; Boehm, B. 1981, Software Engineering Economics, as cited in DAA, 2008
And this is just s/w! Also need to consider human performance, airspace concepts of operation, and new technologies!

V&V Cost and Certification
- For FAA-compliant DO-178B Level A software, the industry usually spends 7 times as much on verification (reviews, analysis, test). So that's about 12% for development and 88% for verification.
- Level B reduces the verification cost by approximately 15%. The mix is then 25% development, 75% verification.
Source: Randall Fulton, FAA Designated Engineering Representative (private email to L. Markosian, July 2008)

Widely Recognized Concern
- Fundamental research is needed to create the foundations for practical certification standards for new technologies
- Methods and models are needed for assessing the safety and reliability of complex, large-scale, human-interactive, nondeterministic, software-intensive systems

NASA's Research Assessment of V&V for NextGen
- NASA Aeronautics Aviation Safety Program is examining the research required to develop transformative safety V&V methods required to rigorously assure the safety of NextGen developments in a time- and cost-effective manner.
- NASA has completed an assessment of the most critical research activities required to develop these methods.
- The research activities are organized into four challenge areas.

Summary of NASA VVFCS Effort To Date
- Planning effort underway, conducted on ARRA funds
- Document: Validation and Verification for Flight Critical Systems, Assessment of Critical Research Activities, Nov. 2009: Development of verification and validation tools, methods and techniques that advance safety assurance and certification of complex, networked, distributed flight critical systems operating in the Next Generation Air Transportation System
- Objectives:
  - Meet the JPDO's critical interagency needs associated with V&V research in support of NextGen transformation
  - Demonstrate advanced methods to answer relevant questions from the aviation community
  - Reduce barriers to innovation associated with safety V&V
  - Develop V&V methods for safety throughout the entire life cycle

What We're Seeking: Methods of Examining for Big Issues Early On

VVFCS Structure
V&V of Flight Critical Systems: Sharon Graves, LaRC; Guillaume Brat, ARC
- Argument-based Safety Assurance: Kelly Hayhurst, LaRC
- Distributed Systems: Paul Miner, LaRC
- Authority & Autonomy: Mike Shafto, ARC
- Software-Intensive Systems: Joe Coughlan, ARC
- Experimental platform: Jim Disbrow, DFRC
- Integrated System-level Experiments: FAA, Airspace, FAA, SSAA, Private industry SAA

Research Area 1: Argument-based Safety Assurance

Impact of NextGen on Safety Assurance
- A case for safety of a new/modified system is made using standards and guidelines based on experience and community wisdom
- Significant differences exist in how the case is made today among organizations responsible for different types of systems, using different standards, vocabulary, guidance on acceptability, and degrees of design freedom for automated systems
- These differences and related concerns have implications for safety assessment and assurance for NextGen systems:
  - lack of a formal link between the certification or approval of different systems
  - lack of a uniform practice of performing a systems analysis of requirements, including safety
  - insufficient understanding of end-to-end system performance and change impact
  - escalating certification-related costs
[ref. RTCA Task Force 4 Certification, RTCA Certification Task Force, 1999]

Perceived Needs for Safety Assurance
- Consistent and comprehensive safety assessment and assurance methods that cover the system life cycle and work for all types of aviation systems and services
- Improved methods, tools, and processes for requirements throughout the system life cycle, such that safety requirements can be easily "seen", improving change impact assessment
- Improved methods, tools, and processes for safety-related evidence: sources and types of evidence needed to support safety criteria, and methods for analyzable arguments about safety
- Building a more efficient, effective, and transparent approach for managing and analyzing safety-related data

Argument-based Safety Assurance
- An argument-based approach requires:
  - explicit requirements
  - explicit evidence that the requirements have been met
  - explicit arguments linking the evidence to the requirements
- Systematic, structured, connected approach to documenting the relationship of evidence of safety to the requirements, including rationale, assumptions, and context
(Figure: Safety Requirements, Arguments, Evidence; graphic from Paul Black, National Institute of Standards and Technology, Software Assurance Metrics and Tool Evaluation)

Safety Case Example (figure)
[Ref. Safety Case Development Manual, European Organization for the Safety of Air Navigation, EUROCONTROL, 13 October 2006]

Research Area 2: Distributed Systems

Distributed Systems
"A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable." (Leslie Lamport)
- Or even the unexpected behavior of known external agents
- Recent incidents and accidents with implications for distributed systems V&V research:
  - 2005 B777 ADIRU; 2008 A330 ADIRU
  - 2008 STS-124 MDM
  - 2002 mid-air collision over Überlingen

Distributed Systems: Incidents
- Malaysian Air / Boeing 777 / 1 August 2005
  http://www.atsb.gov.au/publications/investigation_reports/2005/aair/pdf/aair200503722_001.pdf
  "The FDR data indicated that, at the time of the occurrence, unusual acceleration values were recorded in all three planes of movement. The acceleration values were provided by the aircraft's ADIRU to the aircraft's primary flight computer, autopilot and other aircraft systems during manual and automatic flight."
- Qantas / Airbus A330 / 7 October 2008
  http://www.atsb.gov.au/publications/investigation_reports/2008/aair/ao-2008-070.aspx
  "Firstly, immediately prior to the autopilot disconnect, one of the air data inertial reference units (ADIRUs) started providing erroneous data (spikes) on many parameters to other aircraft systems. The other two ADIRUs continued to function correctly. Secondly, some of the spikes in angle of attack data were not filtered by the flight control computers, and the computers subsequently commanded the pitch-down movements."

Over-Simplified {Aviation} Network (diagram: nodes labelled Pilots and Controllers)

Distributed Systems: Research Objective and Approach
Objective: Provide advanced analytical, architectural, and testing capabilities to enable sound assurance of safety-critical properties for distributed systems of systems
Approach:
1. Develop validated models of failures, disturbances, & degradations
2. Verify properties of distributed algorithms (e.g. for diagnosis, resource management, aircraft separation, etc.) using various communication topologies and technologies, in the presence of the disruptions identified in (1); validate using the research test bench
3. Develop modeling approaches for new system decompositions and functional integration enabled by technological advances: models of coupling and dependencies; non-interference between functions of different criticalities
4. Transition models into practical engineering realizations
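Steps 1 and 2 of the approach above, as an added example in Python that is not from the slides or from any NASA tool: a constructed disturbance model in the style of the A330 ADIRU incident (one redundant air-data channel emitting spikes) and an exhaustive check that a mid-value voter keeps its output within a bound under that model. The voter also shows why the fault assumption (at most one faulty channel) is part of the property: with two spiking channels the check fails. All names, thresholds and sample values are constructed.

```python
from itertools import combinations

SPIKE = 40.0      # constructed spike magnitude (degrees) added by a faulty channel
TOLERANCE = 1.0   # constructed bound on the acceptable error of the selected value

# Constructed "true" angle-of-attack trace, six samples.
TRUTH = [2.0, 2.5, 3.0, 3.5, 3.0, 2.5]


def mid_value_select(a, b, c):
    """Triplex mid-value selection: the median rejects a single wild value."""
    return sorted((a, b, c))[1]


def channel_traces(truth, faulty_channels, spike_steps, spike=SPIKE):
    """Disturbance model: three channels track truth; channels listed in
    faulty_channels add a spike at every sample index in spike_steps."""
    traces = []
    for ch in range(3):
        if ch in faulty_channels:
            traces.append([v + (spike if i in spike_steps else 0.0)
                           for i, v in enumerate(truth)])
        else:
            traces.append(list(truth))
    return traces


def max_error(trace, truth):
    """Largest deviation of a trace from the true value."""
    return max(abs(s - t) for s, t in zip(trace, truth))


def voted_error(truth, faulty_channels, spike_steps):
    """Error of the voted output under one concrete disturbance pattern."""
    chans = channel_traces(truth, faulty_channels, spike_steps)
    selected = [mid_value_select(*samples) for samples in zip(*chans)]
    return max_error(selected, truth)


def all_spike_patterns(n):
    """Every non-empty set of sample indices at which spikes may occur."""
    for k in range(1, n + 1):
        yield from (set(c) for c in combinations(range(n), k))


def holds_under_single_fault(truth=TRUTH):
    """Property check: for every spike pattern and every choice of the single
    faulty channel, the voted value stays within TOLERANCE of truth."""
    return all(voted_error(truth, {ch}, pattern) <= TOLERANCE
               for ch in range(3)
               for pattern in all_spike_patterns(len(truth)))


def holds_under_double_fault(truth=TRUTH):
    """Same check with two channels spiking together, i.e. outside the context
    assumption the voter was designed for; expected to fail."""
    return all(voted_error(truth, {0, 2}, pattern) <= TOLERANCE
               for pattern in all_spike_patterns(len(truth)))


def unvoted_error(truth=TRUTH):
    """Error seen by a consumer that trusts one faulty channel directly,
    without any voting or filtering."""
    return max_error(channel_traces(truth, {0}, {2})[0], truth)


if __name__ == "__main__":
    print("single fault tolerated:", holds_under_single_fault())   # True
    print("double fault tolerated:", holds_under_double_fault())   # False
    print("error without voting:", unvoted_error())                # 40.0
```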

Research Area 3: Authority & Autonomy

TCAS in the Überlingen Incident
Traffic Alert and Collision Avoidance System (TCAS) compliance statistics:
- 13% Fully Compliant (meets assumptions about vertical speed and promptness)
- 64% Partial Compliance (pilots moved in the proper direction, but not as promptly or aggressively as told)
- 23% Non-compliance (pilots moved in the OPPOSITE direction to that told)

Roles and Responsibilities
The challenge is to assure, early in design, that authority and autonomy of flight-critical systems are clear, deadlock- and conflict-free, comprehensive, and consistent with agreed-upon roles and responsibilities.
(Figure: roles & responsibilities)

Safety and Organizational Models
- Safety analysis of existing organizational models for ATS
- Advance methods to analyze organization-oriented models of ATS elements
- Explore the potential of formal methods and simulation techniques for safety analysis

Build on Agent and Organization Work
- Human-Machine model V&V develops methods that verify and validate machine-readable representations capturing how humans interact with systems.
- Build on current efficient work domain and task description tools, which may require modification to adhere to an unambiguous semantic.
(Figure: Formal Semantic Layer)

Network Form Game
- Explore a novel method for predicting behavior of interacting humans in specific scenarios of decision-making.
- Combines two large existing bodies of work (Bayesian Networks and Game Theory)
- Offers a probabilistic framework to model interacting humans in decision-making.
- Is a much more powerful technique for accurately modeling human behavior.

Research Area 4: Software-Intensive Systems

Complexity of ATM Software
"Software problems are delaying the completion of the world's most advanced air-traffic-control centre." The $570M center is said by National Air Traffic Services (NATS) to be "the largest and most advanced development of its kind in the world". The problems have delayed the opening by 15 months and "stem from the unusually high number of 'bugs' which prime-contractor is having to remove from the 1.82 million lines of software code at the heart of the system." (Peter Ladkin, April 1997)
- 3300 functional requirements
- Designed to work on 203 workstations
- Defect rate: 15 bugs per 1000 LoC
- Clearing 500 bugs per month
- "We know where all the bugs are"
Peter Ladkin: "This last statement stands a very, very good chance of being false"

Research Thrust
- Apply V&V techniques earlier in the development process
- Expand the applicability of advanced formal methods by making them more precise and more scalable
- Automate and optimize current techniques
(Figure labels: Requirements, Validation, Formal Methods, Advanced Testing, Code, Verification, Testing, Simulation)

S/W Lifecycle Perspective
(Figure: lifecycle from Requirements through Code, Verification and Validation, plotted against time, $ and safety risk; techniques placed along it: theorem proving, model checking, static analysis, certifiable code synthesis, advanced testing)

Scalability Strategy
"Today verification algorithms suffer from well-known inherent complexity limitations when applied to large systems. First avenue is to develop new abstraction techniques... Second avenue involves moving from monolithic verification to compositional techniques."
Joseph Sifakis, 2007 Turing Award winner (with E. Clarke and A. Emerson)

Who Is Involved?
- Experienced research groups in formal methods
  - LaRC: theorem proving + model checking
  - ARC: theorem proving, static analysis, model checking, advanced testing
- Collaborations with formal method groups in academia and labs
- DFRC: practical experience in avionics testing and simulation
- Access to researchers working towards NextGen (LaRC and ARC)
- Space provided us with great experience V&V-ing unique complex software systems

In Conclusion: Planning Approach
Common Themes
- Make V & V Cost- and Time-Effective
- Support the Entire Lifecycle
- Consider Disturbances & Degradations
- Humans and Software Are Central
Challenge Areas
- Argument-based Safety Assurance
- Distributed Systems
- Autonomy and Authority
- Software-Intensive Systems
Common Test Cases Applied Throughout
- Vehicle System: Integrated Alerting and Notification
- Airspace

Progress
- Completed Research Assessment (Jul-Nov 2009)
- Coordinate planning with other government agencies: held Interagency Coordination Meeting on Sept 7th, 2009
- Presented assessment of critical research areas at Aviation Safety Technical Conference (Nov 18, 2009)
- Near-term research activities (FY09 & FY10)
- Present Research Assessment for long-term research
- Completed NRA Solicitation NNH09ZEA001N-VVFCS1. Awards decided, SOW under negotiation.

VVFCS Points of Contact
- Douglas Rohn, Acting Director, Aviation Safety Program, douglas.a.rohn@nasa.gov
- John Orme, Technical Integration Manager, Aviation Safety Program, john.s.orme@nasa.gov
- Sharon Graves, Acting Project Manager, sharon.s.graves@nasa.gov
- Guillaume Brat, Acting Project Scientist, guillaume.p.brat@nasa.gov
- Paul Miner, Technical POC for Distributed Systems, p.s.miner@nasa.gov
- Kelly Hayhurst, Technical POC for Safety Assurance, kelly.j.hayhurst@nasa.gov
- Mike Shafto, Technical POC for Authority and Autonomy, mike.shafto@nasa.gov
- Joe Coughlan, Technical POC for SW Intensive Systems, joseph.c.coughlan@nasa.gov
- Jim Disbrow, Technical POC for Testbench, james.d.disbrow@nasa.gov

Backup Slides

Flight Software Incidents
"In August 2005, a Malaysian Airlines Boeing 777 flying from Australia to Malaysia suddenly ascended 3,000 feet, with no input from the flight crew. The pilot disengaged the autopilot and pointed the nose down to avoid a stall, but the plane went into a steep dive. When he throttled back on the engines to reduce the speed, the plane arched into another climb. The flight crew eventually got things under control and returned their 177 passengers safely to Australia." (Wall Street Journal, 08/05)
A faulty computer program recently installed on all 777s had provided incorrect information about the plane's speed and acceleration, confusing flight computers.

Compositional Verification
- Use the system's natural decomposition into components to break up the verification task (divide-and-conquer approach)
- Components typically satisfy requirements in specific contexts / environments: safety assumptions about contexts
- System safety derives from the ability to compose the components' contexts at the system level
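The "contexts" point above, as an added example in Python that is not from the slides or from any NASA tool: a toy assume/guarantee composition check. Each component carries the properties it assumes of its context and the properties it has been verified to guarantee; the composition admits a component only once all of its assumptions are established by the stated environment or by already-admitted components, so a system-level safety property holds only if that chain closes. Component names, property names and the two environments are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    assumes: frozenset     # properties the component requires of its context
    guarantees: frozenset  # properties verified to hold when the assumptions do


def compose(components, environment):
    """Monotone fixpoint over the component contracts.

    A component's guarantees become available only after every one of its
    assumptions is already established (by the environment or by components
    admitted earlier). Returns (established properties, names never admitted).
    Circular assumption chains are never admitted, which is conservative."""
    established = set(environment)
    admitted = set()
    changed = True
    while changed:
        changed = False
        for comp in components:
            if comp.name not in admitted and comp.assumes <= established:
                established |= comp.guarantees
                admitted.add(comp.name)
                changed = True
    pending = [c.name for c in components if c.name not in admitted]
    return established, pending


def system_satisfies(components, environment, safety_property):
    """True when the composed contracts establish the system-level property."""
    established, _ = compose(components, environment)
    return safety_property in established


# Constructed component contracts in the style of an air-data / flight-control chain.
VOTER = Component("air_data_voter",
                  frozenset({"at_most_one_faulty_adiru"}),
                  frozenset({"valid_air_data"}))
FCC = Component("flight_control",
                frozenset({"valid_air_data"}),
                frozenset({"bounded_pitch_command"}))
ACT = Component("elevator_actuator",
                frozenset({"bounded_pitch_command", "hydraulic_pressure_ok"}),
                frozenset({"safe_attitude"}))
CHAIN = (VOTER, FCC, ACT)

# Constructed contexts: nominal, and one where the voter's fault assumption is
# no longer provided by the environment (e.g. two ADIRUs may fail together).
NOMINAL_ENV = {"at_most_one_faulty_adiru", "hydraulic_pressure_ok"}
DEGRADED_ENV = {"hydraulic_pressure_ok"}


if __name__ == "__main__":
    print(compose(CHAIN, NOMINAL_ENV))    # safe_attitude established, nothing pending
    print(compose(CHAIN, DEGRADED_ENV))   # whole chain pending: assumption undischarged
```

The pending list is the change-impact view: it names every component whose verified guarantee can no longer be relied on once a context assumption is dropped.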

Two Potential Application Domains
- Integrated Alerting and Notification concepts, implemented in an Integrated Modular Avionics (IMA) architecture: Dryden Flight Research Center will provide a h/w & s/w in-the-loop test bench at the highest level of fidelity
- Investigating Congested Airspace Applications: automated conflict detection & resolution; Efficient Flows into Congested Airspace (EFICA)

Airspace Case Study
- The airspace-centric case study is a new operational concept for NextGen, which supports high-density merging and spacing operations
- New procedures and tools for merging and spacing developed by the Airspace Super Density Operations project
- S/W prototypes and algorithms can be used to support S/W V&V research
(Figure labels: FMS with integrated eNav guidance; meter fix)

Vehicle Case Study
- Research prototypes developed for IAN will be ported to an IMA platform developed and hosted at Dryden
- It includes models, source code, and executables for the research prototypes developed by IAN
(Figure label: S/W V&V Research)

Use of Assessment Environment
(Diagram: Test Scripts feed both the Test Bench and the formal tools (Model Checker, Static Analyzer, Theorem Prover); the results of each are compared)
- Establish baselines to quantify gains of formal methods
- Establish validity of formal methods
- Ground research in reality