50ada6bc0ac2a8e73a5c56fea3c313ef.ppt
- Number of slides: 37
Embedded control for aircraft systems
Claire J. Tomlin, with Ian Mitchell, Alex Bayen, Meeko Oishi, Rodney Teo, and Jung Soon Jang
Aero/Astro, Stanford and EECS, Berkeley
August 2005
Fighter Avionics Domains
[Diagram labels: Stick, Throttle…; Actuators; Vehicle Mgmt; Nav Sensors; Weapons; Mission Computing; Weapon Mgmt; Radar; Data Links] [from Dave Sharp, Boeing]
Mission Computing: Example Functionality
• Update Steering Cues
• Perform Built-In-Test
• Activate Backup Mode
• Fuse Targets From Sensors
• Update Navigation State
• Release Weapons
• Select Weapons
• Predict Selected Weapon Trajectories
• Fuse Targets From Data Links
• Update Displays
• Modify Display Suite Via Pilot Pushbutton
[Diagram centre: Mission Computing; legend: Aperiodic, Periodic] [Dave Sharp, Boeing, 2002]
Vehicle Management: Example Functionality
• Compute Inner Loop Controls
• Perform Initiated Built-In-Test
• Compute Outer Loop Controls
• Perform Periodic Built-In-Test
• Manage Control Modes
• Update Navigation State
• Manage Redundancy
• Perform Input / Perform Actuator Signal Mgmt
[Diagram centre: Vehicle Mgmt; legend: Aperiodic, Periodic] [Dave Sharp, Boeing, 2002]
Typical Mission Computing Legacy Characteristics
• <=20 Hz Update Rates
• Up To 10 CPUs
• ~1M Lines of Code
  – O(10^3) Components
• Proprietary Hardware
  – Slow CPU, small memory
  – Fast I/O
• Test-Based Verification
• Mil-Std Assembly Language
• Highly Optimized For Throughput and Memory
• Functional Architectures
  – Flowchart designs
• Frequently No Maintained Requirements or Design
  – Ad-hoc models used by algorithm developers
• Hardcoded Hardware Specific Single System Designs
• Isolated Use Of
  – Multi-processing
  – Schedulability analysis
    • Frequently overly pessimistic to be used
[Dave Sharp, Boeing, 2002]
Typical Vehicle Management Legacy Characteristics
Additional Characteristics
• 80/160 Hz Update Rates
• Single CPU System / Quad Redundant
• Dual/Quad Redundant Sensors and Actuators
• <100K Lines of Code
• Extensive Built-In-Test
  – >50% of code
• Extensive Testing
  – Very conservative development culture
  – >50% of effort
• Control System Models Carefully Developed And Used
  – Home grown
  – Matlab/MatrixX with auto code generation
[Dave Sharp, Boeing, 2002]
Outline
• Hybrid model of the physical system
• Reachability
  – Reachable Set Toolkit
• Collision Avoidance System
  – Dual aircraft demonstration
• User interaction with hybrid systems
  – Autoland demonstration
• Software?
Objectives
• Control design using hybrid system models
• Embedded software design
[Figure labels: A, B]
Hybrid Systems
• Finite state machine with continuous dynamics in each mode
• Transitions can be
  – User-controlled s
  – Disturbance d
  – Automatic g
Verification through Reachability
Verification: a mathematical proof that the system satisfies a property
1. Reachable set: states for which the property does not hold
2. Controller synthesis: design of control laws to guarantee that the system satisfies the property
[Figure labels: Unsafe, Initial]
Reachable Set Interpretation
1. Always remain outside Unsafe set
  • States in Reachable set will eventually reach Unsafe set (despite any possible control effort)
2. Always remain inside Initial set
  – States in the Safe set will always remain in Initial set provided a particular control is used on the boundary
[Figure labels: Unsafe, Reachable set, Safe]
Hybrid System Reachability Tool
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
Application: conflict detection
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
[with Chad Jennings] Blunder Zone is shown by the yellow contour. Red Zone in the green tunnel is the intersection of the BZ with approach path. The Red Zone corresponds to an assumed 2 second pilot delay. The Yellow Zone corresponds to an 8 second pilot delay.
[with Chad Jennings] Map View showing a blunder. The BZ calculations are performed in real time (40 Hz) so that the contour is updated with each video frame.
Stanford DragonFly UAV Embedded S/W
Test set up
• Blunderer can commence any maneuver constrained by Danger Zone
• D3 flight computer computes the Danger Zone and checks whether it touches boundaries
[Figure labels: Blunderer (D2), Evader (D3), Minimal separation distance, East, North]
Test set up
The algorithm provides control commands (three canned maneuvers) to maintain a minimal separation distance:
• EVADE_ACCEL_STRAI
• EVADE_ACCEL_45DEG
• EVADE_COAST_60DEG
[Figure labels: Danger Zone, Blunderer (D2), Evader (D3), East, North]
Flight Demo 1—June 2003: Accelerate and turn EEM
DF2, the evader (red and yellow aircraft), is the larger blob.
[Plot axes: North (m), East (m); Separation distance (m), time (s). Annotations: EEM alert, Above threshold]
Flight Demo 2—June 2003: Coast and turn EEM
DF2, the evader (red and yellow aircraft), is the larger blob.
[Plot axes: North (m), East (m); Separation distance (m), time (s). Annotations: EEM alert, Above threshold]
Edwards Air Force Base – June 2004 T-33 Cockpit [DARPA/Boeing SEC Final Demonstration: F-15 (blunderer), T-33 (evader)]
Development of Predictive Models of Air Traffic
[Figure labels: hold, avg. speed, min. speed, max. speed, detour, shortcut, VFS, alt. change, deviated aircraft, intruder]
…leading to new control strategies
• Approximation algorithms for hybrid trajectory optimization
• Applied to routing/scheduling aircraft in vicinities of airports
• Results:
  – 5-approximation for minimum sum of arrival times
  – 3-approximation for makespan
[Figure labels: 6 aircraft, Polynomial time algorithm, CPLEX, 15 aircraft]
Outline
• Hybrid model of the physical system
• Reachability
  – Reachable Set Toolkit
• Collision Avoidance System
  – Dual aircraft demonstration
• User interaction with hybrid systems
  – Autoland demonstration
• Writing the software
User Interaction with Aerospace Systems
• Interaction between
  – System’s dynamics
  – Mode logic
  – User’s actions
• Interface is a reduced representation of a more complex system
• Too much information overwhelms the user
• Too little can cause confusion
  – Automation surprises
  – Nondeterminism
For complex, highly automated, safety-critical systems, in which provably safe operation is paramount, what information does the user need to safely interact with the automated system?
Discrete Abstraction
Switches are controlled or automatic
Application to Autoland Interface
• Controllable flight envelopes for landing and Take Off / Go Around (TOGA) maneuvers may not be the same
• Pilot’s cockpit display may not contain sufficient information to distinguish whether TOGA can be initiated
[Figure labels: controllable TOGA envelope, controllable flare envelope, intersection]
[Existing interface: flare (flaps extended, minimum thrust); TOGA (flaps retracted, maximum thrust); rollout (flaps extended, reverse thrust)]
[Revised interface: flare (flaps extended, minimum thrust); TOGA (flaps retracted, maximum thrust); rollout (flaps extended, reverse thrust); slow TOGA (flaps extended, maximum thrust)]
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
A Decision Theoretic QoS Negotiation
• Worst case execution time of components is neither given nor guaranteed
• Depending on the mode of flight, components (Nav, Control, Wireless) can take on different levels of criticality and different execution times
• Each task is “tagged” with a cost – a measure of criticality
[Timing diagram labels: Worker Task, CondVar, Event( ), CondWait, IntrWait, Task 1 to Task 5, t1 to t5, td, t+nT msec, t+nT+Di msec]
QoS Negotiation …as a dynamic programming problem
[Figure: graph with nodes numbered 1 to 9 and labels Task 1 f1; Task 2 f1, f2, f3; Task 3 f1, f2, f3, f4; Task 5 f1]
SCHEDULABILITY: Comparison with Simple Rate Monotonic Scheduling
[Charts: "Schedulability of Tasks using the proposed scheduling algorithm" and "Schedulability of Tasks using a Simple RMS". Chart values as extracted: 88.5%, 73.5%, 1.0 ms, 80.0 ms, 18.5%, 0.4%, 3.5%, 8.0%, 0.6%, 1.5%, 6.5%]
Summary
• The development of a reach set toolkit for hybrid systems:
  – Software C++: http://www.cs.ubc.ca/~mitchell/ToolboxLS/
• The toolkit can be useful for determining when (not) to switch modes, which mode(s) to switch to, and provides a set-valued feedback control law to remain in safe set
• A modern embedded control systems theory should include mathematical models of attributes of computational systems such as concurrency, hierarchy, heterogeneity, resource awareness, adaptability, quality of service (QoS), and controlled complexity of distributed systems.
Collaborators Stanford Hybrid Systems Lab Ian Mitchell, Alex Bayen, Inseok Hwang, Meeko Oishi, Rodney Teo, Jung Soon Jang, Gökhan Inalhan, Ronojoy Ghosh, Hamsa Balakrishnan, Keith Amonlirdviman, Robin Raffard, Gabe Hoffmann, Kaushik Roy, Peter Brende, Steve Waslander, Duşan Stipanović, Sriram Shankaran, Jianghai Hu George Meyer, Len Tobias NASA Boeing David Corman, Jim Paunicka, Don Winter Honeywell Datta Godbole, Tariq Samad John Bay NSF Helen Gill, Kishan Baheti DARPA Behzad Kamgar-Parsi ONR