Autonomous, Adap4ve, and Safe?

Autonomous, Adap4ve, and Safe? John A McDermid OBE FREng Professor of SoHware Engineering University of York 1 Overview Automa4on and capability of UAS Safety What does safe mean? Cer4fica4on At least as good Illustra4ve requirements Assessment Conclusions 2 1

Automa4on and Capability Building UAS requires capability in Aerodynamics Control Propulsion Safety assessment UAS func4onality enabled through sohware Much of which is safety cri4cal This is where the automa4on and adapta4on comes in Will consider systems and sohware issues 3 X- 47: First Carrier Landing 4 2

Wot, No Pilot? For fully autonomous opera4on No remote pilot UAS flies to mission plan And may have alterna4ves if necessary Control system must replace human capability Sensing what is happening to the aircrah Sensing what is happening in the environment Taking appropriate ac4on, adap4ng to circumsatnces The automa4on and adapta4on challenges 5 Safety Intrinsically no difference to other systems Accident: event or sequence of events leading to unintended harm Death, injury, environmental or material damage Safe: risk of harm (probability x severity) is low enough UAS don t have crew or passengers Harm therefore is to third par4es e.g. occupants of other aircrah, people on the ground, like the August 9 th crash in Conne4cut 6 3

How do we cause harm? Essen4ally two ways Uncontrolled release or transfer of energy Inappropriate control over hazardous materials (toxic, asphyxia4ng, etc.) For UAS primarily about energy May be from weapons (excluded for now) A primary considera4on is kine4c energy The higher the mass, the higher the speed (terminal velocity) the greater the capacity for damage 7 Cer4fica4on For UAS to operate in controlled airspace Follow as similar as possible rules Systems safety aspects of cer4fica4on For example, para 25.1309 (large aircrah) Now have UK drah UAS.1309 Retain hazard severity categories Where automa4ng pilot func4ons Principle at least as good as the pilot, e.g. Sense and avoid, emergency landing, an4- ice/de- ice 8 4

Kine4c Energy 9 At Least As Good The term at least as good might mean No- one can tell the difference! For example In interac4on with air traffic control, the controller doesn t know if automated or not Some experiments with voice synthesis Synthesise request for, say, change in flight level Also need voice recogni4on to hold dialogue And those specific func4ons Which must be as good as humans 10 5

Sense and Avoid (1) 11 Sense and Avoid (2) May require detec4on of small obstacles Moving at high velocity What about their sense and avoid capability? 12 6

Sense and Avoid (3) Civil aircrah fiped with TCAS Can fit to UAS too But Recall Uberlingen Two aircrah on collision course, but one followed TCAS and one ATC 13 Sense and Avoid (4) TCAS Specifica4on TCAS is a backup to ATC TU- 154M Flight Opera4ons Manual For the avoidance of in- flight collisions correct execu4on of all instruc4ons issued by ATC to be regarded as the most important TCAS is an addi4onal instrument TCAS not high enough integrity 14 7

Sense and Avoid (5) This is perhaps the biggest obstacle to cer4fica4on Need a capability at least as good as humans If purely autonomous, no remote pilot, then need TCAS- like func4on of higher integrity Ability to determine if other aircrah following TCAS Ability to deal with mul4- body problem Or much longer- range capability (perhaps and ) Perhaps ADS- B will be the basis for a solu4on in 4me, but it is not currently high enough integrity (not trustworthy) 15 An4- Ice/De- ice (1) Ice build- up is poten4ally hazardous Reduces controllability of the aircrah Ice detaching can go into engines Cause blade damage and failure Three strategies for ice protec4on Avoid via flight planning Heat/vibrate to avoid ice build up (an4- ice) Heat/vibrate to remove ice (de- ice) Pilots normally ini4ate an4- ice/de- ice 16 8

An4- Ice/De- ice (2) 17 An4- Ice/De- ice (3) 18 9

SAS: Engine Ice Inges4on 19 An4- Ice/De- ice (4) Need to detect icing condi4ons Using protec4on systems all the 4me is a hazard Overheat and damage structure Are automated detec4on systems But pilot needs to ac4vate heater mats, etc. Pilot also detects Flying into icing condi4ons (cloud type, al4tude ) Change in control behaviour, e.g. sluggish, vibra4on Visual cues, e.g. ice on nose, or on windscreen wipers Need vision analysis, autonomy, integrity 20 10

An4- Ice/De- ice (5) Worked on an agent- based system for an4- ice/de- ice with AOS Pty Not flown Developed to assess issues in cer4fica4on Illustrate with some fragments Design (of agents) Analysis 21 An4- Ice/De- ice (6) 22 11

Fragment of agent hierarchy Element which detects change in controllability Drag Trim Control forces Replica4ng pilot behaviour An4- Ice/De- ice (7) 23 An4- Ice/De- ice (8) Goal: MonitorUnexplainedControlForces_Goal actwhen: Increases or decrease in elevator, rudder or aileron control forces. Sub- Plan: DetectIcingControlForces_Plan body If control forces are changing in a way that is not explained by the current aircrah configura4on etc. and is consistent with icing, assume that Icing is the cause. Create a new Icing_Condi4on in the local belief set, which iden4fies the source of the informa4on (this par4cular plan) and the es4mated severity. Set icing_from_feedback to true 24 12

An4- Ice/De- ice (9) 25 An4- Ice/De- ice (10) A mixture of classical and novel approaches UML diagrams Func4onal hazard analysis Fault trees Agent- based sohware which is adap4ve Need to demonstrate Integrity Safety of autonomy and adapta4on (at least as good as humans) 26 13

An4- Ice/De- ice (11) The engine for the agent- based sohware Determinis4c, can prove in classical way Other aspects more difficult The issue of at least as good as comes down to valida4on of agent rules Check against accident reports Check with experts (pilots) Are these surrogates for pilot behaviour truly equivalent? Or sufficient? 27 Assessment (1) Do we know how to build UAS? Yes, for example, see progress with the X47 Not the only UAS project, but probably the most advanced Although some func4ons challenging Sense and avoid, image analysis Do we know how to cer4fy them? To operate in controlled airspace With high kine4c energy so can do substan4al harm No, although making some progress 28 14

Illustra4ons of Progress ASTRAEA Jetstream flown in controlled airspace hpp://www.bbc.co.uk/news/technology- 22511395 Has sense and avoid as does NASA s LD- CAP Cirrus SR- 22 29 Assessment (2) From a cer4fica4on/safety perspec4ve Some concepts read across, e.g. UAS 1309, FHA for (agent- based) sohware, integrity of code Challenges more in valida4on Especially at least as good as Something like preserves safety goals, with right priori4es, whilst aircrah flyable beper? Can build UAS beyond competence to assess But catching up, e.g. ASTRAEA, NASA LD- CAP And now European roadmap on UAS/RPAS 30 15

Conclusions (1) UAS are here and here to stay Many are actually remotely piloted (challenges too) The truly autonomous can be designed Challenges for cer4fica4on The at least as good as or beper criterion Specific capabili4es, e.g. sense and avoid, an4- ice Challenge to competence Designed beyond assessment capability? Also need new breed of engineers AI, airworthiness, safety, high integrity sohware and vision analysis 31 Image Analysis 32 16

Conclusions (2) Humans are (make systems) resilient Adapt to and absorb disrup4ons that fall outside the design basis Automa4on may remove the opportunity for these human skills to be applied It implicitly makes closed world assump4ons So can be robust (to predicted faults) but not resilient Quo4ng Sidney Dekker (and I agree) our technologies have got ahead of our theories If a big gap (far ahead), then an ethical decision Is the gap small enough to deploy UAS??? 33 17