Embedded control for aircraft systems Claire J. Tomlin with Ian Mitchell, Alex Bayen, Meeko Oishi, Rodney Teo, and Jung Soon Jang August 2005 Aero/Astro, Stanford and EECS, Berkeley
Fighter Avionics Domains Radar Weapons Nav Sensors Weapon Mgmt Data Links Stick, Throttle… Actuators Mission Computing Vehicle Mgmt [from Dave Sharp, Boeing]
Mission Computing: Example Functionality Release Weapons Fuse Targets From Data Links Update Navigation State Predict Selected Weapon Trajectories Update Steering Cues Update Displays Fuse Targets From Sensors Modify Display Suite Via Pilot Pushbutton Perform Built- In-Test Activate Backup Mode Select Weapons Aperiodic Periodic Mission Computing [Dave Sharp, Boeing, 2002]
Vehicle Management: Example Functionality Manage Control Modes Update Navigation State Compute Inner Loop Controls Compute Outer Loop Controls Perform Periodic Built- In-Test Manage Redundancy Aperiodic Periodic Vehicle Mgmt Perform Initiated Built- In-Test Perform Input Signal Mgmt Perform Actuator Signal Mgmt [Dave Sharp, Boeing, 2002]
Typical Mission Computing Legacy Characteristics <=20 Hz Update Rates Up To 10 CPUs ~1M Lines of Code –O(10 3 ) Components Proprietary Hardware –Slow CPU, small memory –Fast I/O Test-Based Verification Mil-Std Assembly Language Highly Optimized For Throughput and Memory Functional Architectures –Flowchart designs Frequently No Maintained Requirements or Design –Ad-hoc models used by algorithm developers Hardcoded Hardware Specific Single System Designs Isolated Use Of –Multi-processing –Schedulability analysis Frequently overly pessimistic to be used [Dave Sharp, Boeing, 2002]
Typical Vehicle Management Legacy Characteristics 80/160 Hz Update Rates Single CPU System/ Quad Redundant Dual/Quad Redundant Sensors and Actuators <100K Lines of Code Extensive Built-In-Test –>50% of code Extensive Testing –Very conservative development culture –>50% of effort Control System Models Carefully Developed And Used –Home grown –Matlab/MatrixX with auto code generation Additional Characteristics [Dave Sharp, Boeing, 2002]
Outline Hybrid model of the physical system Reachability –Reachable Set Toolkit Collision Avoidance System –Dual aircraft demonstration User interaction with hybrid systems –Autoland demonstration Software?
Objectives Embedded software design Control design using hybrid system models A B
Finite state machine with continuous dynamics in each mode Transitions can be –User-controlled –Disturbance –Automatic Hybrid Systems
1.Reachable set States for which the property does not hold 2.Controller synthesis Design of control laws to guarantee that the system satisfies the property Unsafe Initial Verification through Reachability Verification A mathematical proof that the system satisfies a property
Unsafe Initial 1.Reachable set States for which the property does not hold 2.Controller synthesis Design of control laws to guarantee that the system satisfies the property Verification through Reachability Verification A mathematical proof that the system satisfies a property
Unsafe Initial Verification A mathematical proof that the system satisfies a property 1.Reachable set States for which the property does not hold 2.Controller synthesis Design of control laws to guarantee that the system satisfies the property Verification through Reachability
Unsafe Initial Verification A mathematical proof that the system satisfies a property 1.Reachable set States for which the property does not hold 2.Controller synthesis Design of control laws to guarantee that the system satisfies the property Verification through Reachability
Unsafe Reachable set Safe 1. Always remain outside Unsafe set States in Reachable set will eventually reach Unsafe set (despite any possible control effort) 2. Always remain inside Initial set –States in the Safe set will always remain in Initial set –provided a particular control is used on the boundary V Safe Reachable set Unsafe Reachable Set Interpretation
Hybrid System Reachability Tool
Outline Hybrid model of the physical system Reachability –Reachable Set Toolkit Collision Avoidance System –Dual aircraft demonstration User interaction with hybrid systems –Autoland demonstration Software?
Application: conflict detection
Blunder Zone is shown by the yellow contour Red Zone in the green tunnel is the intersection of the BZ with approach path. The Red Zone corresponds to an assumed 2 second pilot delay. The Yellow Zone corresponds to an 8 second pilot delay [with Chad Jennings]
Map View showing a blunder The BZ calculations are performed in real time (40Hz) so that the contour is updated with each video frame. [with Chad Jennings]
Stanford DragonFly UAV Embedded S/W
Test set up Evader (D3) East North Blunderer (D2) Minimal separation distance Danger Zone Blunderer can commence any maneuver constrained by D3 Flight computer computes the Danger Zone and checks whether it touches boundaries
Test set up Evader (D3) East North Blunderer (D2) Danger Zone The algorithm provides control commands (three canned maneuvers) to maintain a minimal separation distance: EVADE_ACCEL_STRAI EVADE_ACCEL_45DEG EVADE_COAST_60DEG
EEM alert Separation distance (m) North (m) East (m) time (s) Above threshold Accelerate and turn EEM Put video here Evader, DF 2 (red and yellow aircraft) DF 2, the evader, is the larger blob Flight Demo 1—June 2003
EEM alert Separation distance (m) North (m) East (m) time (s) Above threshold Put video here Coast and turn EEM Evader, DF 2 (red and yellow aircraft) DF 2, the evader, is the larger blob Flight Demo 2—June 2003
Edwards Air Force Base – June 2004 T-33 Cockpit [DARPA/Boeing SEC Final Demonstration: F-15 (blunderer), T-33 (evader)]
Development of Predictive Models of Air Traffic deviated aircraft intruder min. speed avg. speed hold detour shortcut VFS alt. change max. speed
Approximation algorithms for hybrid trajectory optimization Applied to routing/scheduling aircraft in vicinities of airports Results: –5-approximation for minimum sum of arrival times –3-approximation for makespan 6 aircraft15 aircraft CPU time (sec.) Polynomial time algorithm CPLEX …leading to new control strategies
Outline Hybrid model of the physical system Reachability Reachable Set Toolkit Collision Avoidance System –Dual aircraft demonstration User interaction with hybrid systems –Autoland demonstration Writing the software
Interaction between –System’s dynamics –Mode logic –User’s actions Interface is a reduced representation of a more complex system Too much information overwhelms the user Too little can cause confusion –Automation surprises –Nondeterminisim For complex, highly automated, safety-critical systems, in which provably safe operation is paramount, What information does the user need to safely interact with the automated system? User Interaction with Aerospace Systems
Switches are controlled or automatic Discrete Abstraction
Application to Autoland Interface Controllable flight envelopes for landing and Take Off / Go Around (TOGA) maneuvers may not be the same Pilot’s cockpit display may not contain sufficient information to distinguish whether TOGA can be initiated flare flaps extended minimum thrust rollout flaps extended reverse thrust slow TOGA flaps extended maximum thrust TOGA flaps retracted maximum thrust flare flaps extended minimum thrust rollout flaps extended reverse thrust TOGA flaps retracted maximum thrust revised interface existing interface controllable flare envelope controllable TOGA envelope intersection /
Outline Hybrid model of the physical system Reachability Reachable Set Toolkit Collision Avoidance System –Dual aircraft demonstration User interaction with hybrid systems –Autoland demonstration Software?
A Decision Theoretic QoS Negotiation Each task is “tagged” with a cost – a measure of criticality Worst case execution of time of components is neither given nor guaranteed Depending on the mode of flight, components (Nav, Control, Wireless) can take on different levels of criticality and different execution times
QoS Negotiation Task 1 f 1 Task 2 f 1 f 2 f 3 Task 3 f 1 f 2 f 3 f 4 Task 5 f … as a dynamic programming problem
SCHEDULABILITY: Comparison with Simple Rate Monotonic Scheduling Schedulability of Tasks using the proposed scheduling algorithm Schedulability of Tasks using a Simple RMS 88.5% 3.5% 0.4% 8.0% 0.6%1.5% 73.5% 18.5% 6.5% 1.0 ms 80.0 ms
Summary The development of a reach set toolkit for hybrid systems: –Software C++: The toolkit can be useful for determining when (not) to switch modes, which mode(s) to switch to, and provides a set-valued feedback control law to remain in safe set A modern embedded control systems theory should include mathematical models of attributes of computational systems such as concurrency, hierarchy, heterogeneity, resource awareness, adaptability, quality of service (QoS), and controlled complexity of distributed systems.
Collaborators Ian Mitchell, Alex Bayen, Inseok Hwang, Meeko Oishi, Rodney Teo, Jung Soon Jang, Gökhan Inalhan, Ronojoy Ghosh, Hamsa Balakrishnan, Keith Amonlirdviman, Robin Raffard, Gabe Hoffmann, Kaushik Roy, Peter Brende, Steve Waslander, Duşan Stipanović, Sriram Shankaran, Jianghai Hu Stanford Hybrid Systems Lab NASA George Meyer, Len Tobias Boeing David Corman, Jim Paunicka, Don Winter DARPA John Bay ONR Behzad Kamgar-Parsi NSF Helen Gill, Kishan Baheti Honeywell Datta Godbole, Tariq Samad