Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example of a Complementary use of Model Checking and Agent-based Simulation Gabriel Gelman & Karen Feigh Georgia Institute of Technology & John Rushby.

Published byDeirdre Kelley Modified over 9 years ago

Similar presentations

Presentation on theme: "Example of a Complementary use of Model Checking and Agent-based Simulation Gabriel Gelman & Karen Feigh Georgia Institute of Technology & John Rushby."— Presentation transcript:

1 Example of a Complementary use of Model Checking and Agent-based Simulation Gabriel Gelman & Karen Feigh Georgia Institute of Technology & John Rushby Stanford Research Institute

2 Introduction 2 Increasing Complexity Challenges in HMI Leads to Automation Surprises Such as Pilots Automation Potential Issues Model Checking Simulation Combine to leverage benefits of both System Behavior To examine Tackled by HMI = Human-Machine Interaction Agents … …

3 Comparison: Model Checking/ Simulation SimulationModel Checking Sophisticated modelsSimple models, few actions Limited to scenariosExhaustive state space search Slow (one simulation takes time)Fast (millions of runs in seconds) Time can be explicitly modeledNo explicit modeling of time High-Fidelity aircraft dynamicsCannot handle continuity (state explosion) 3

4 Method: Connecting the Frameworks 4 Scenario Narrative Create Model & Specifications for Model Checking (SAL) Analyze Using Model Checking (SAL) Create Models & Metric Specifications for Simulation (WMC) Analyze Using Simulation (WMC) Extending the Counterexample Guided Abstraction Refinement (CEGAR) method 1.Verify that the action sequence predicted by MC to be problematic continues to be problematic 2.Refine MC prediction to include specific temporal relationships between events

5 Automation Surprise Aviation Case Study

6 Automation Surprise “An Automation Surprise occurs when the automation behaves in a manner that is different from what the operator is expecting”, Palmer (1995) +Result of implementation of badly designed automation or lack of pilots’ training on system +Introduction of highly automated aircraft (glass cockpits)  Starting with aircraft like B-757, B-737 and A320 6 Failure to activate Approach Automatic Mode Changes Sarter and Woods A320 study (80% surprised; n = 167)

7 Case Study: Airbus Automatic Speed Protection Flight Path Angle mode engaged Airspeed too fast Overspeed Protection Open mode engaged Sequence on approach FCU: Flight Control Unit V/S: Vertical Speed FPA: Flight Path Angle FCU altitude with respect to current altitude OPEN DESCENT OPEN CLIMB Higher Lower 7 Note: During descent FCU altitude is usually set to Missed Approach altitude if Go Around required

8 Sequence Automation Surprise Instrument Landing System (ILS) Glideslope Runway 1 2 Step 1: Aircraft is on ILS Glideslope and in FPA V/S mode Step 2: Air Traffic Control tells aircraft to level off Step 3: Aircraft tries to recapture ILS Glideslope with higher FPA Step 4: Because of steeper approach the speed exceeds V max Step 5: Mode change to OP CLB because FCU alt higher than current alt FPA = 3° 3 10° > FPA > 3° 4 FCU Altitude = Go Around Altitude e.g. 5000ft 5 Altitude Ground 8 FCU: Flight Control Unit FPA: Flight Path Angle

9 Modeling Platforms

10 Model Checking: SAL (Symbolic Analysis Laboratory) +Simple models are checked for a given property +Reachable state space of a specification is explored +Exhaustive exploration of action space  Symbolic Model Checking does not require to explore full space 10 (singe action or combination of actions) Start State 1 Initial Conditions State 2 Action i List State OK State NOT OK State 3 Action j List Action k Action x Abstract System Model Action 1,…, Action i,…Action j,…Action k Trace of Actions

11 StepFlight ModeAirspeedAltitudeFlapsMax SpeedMental ModelPitch 1Other2003000Retracted400Level-1/100 2V/S FPA2012989Retracted400Descend-1/100 3V/S FPA2002988Extended180Descend0 4OPEN CLB2012989Extended180Descend0 5OPEN CLB2002990Extended180Descend1/50 6OPEN CLB1903291Extended180Descend3/100 Case Study Modeled in SAL Airplane: Flies (descending) Automation: Track Mode Pilot: Dials Descend 1 2 Airplane: Flies (descending) Automation: VS/FPA mode Pilot: Extends Flaps Airplane: Flies with Flaps (descending) (exceeds Vmax) Automation: Reverses Mode Pilot: Does nothing 3 4 Airplane: Flies with Flaps (descending) Automation: OP CLB mode Pilot: Does nothing Airplane: Flies with Flaps (descending) Automation: OP CLB mode Pilot: Does nothing 5 Note: Each step is a state transition, time is not modeled 6 AUTOMATION SURPRISE Alt increase from 2990 to 3291 Mental Model still in descend Positive Pitch 11 FCU: Flight Control Unit State State Transition Initial State (FCU Alt = 3201 feet)

12 Simulation: WMC (Work Models that Compute) 12 Aircraft Work Model Aircraft Work Model Expectations Auto Surprise Auto Surprise Human Agent Mental Model Pulls Mental Model Stores Updateable World Representation SIM Core Scripted Events Initial Conditions Traces of Key Metrics Resources Actions WMC Work Model Agents Altitude, Heading, Speed, Vertical Speed

13 Simulation Runs Based on MC Output 1.Verify that the action sequence predicted by SAL to be problematic continues to be problematic 2.Refine SAL's prediction to include specific temporal relationships between events 13 Step 2: Extend Flaps Step 1: Arm Approach Step 3: Monitor Speed Becomes t = 5: Extend Flaps t = 2: Arm Approach t = 9: Monitor Speed

14 Simulation States that Varied 14 ILS Glideslope Runway FPA = 3° Altitude Ground STAR approach Cruise Level Off Altitude Level Off Duration Go Around Altitude Flaps Extension Speed STAR: Standard Terminal Arrival Route ILS: Instrument Landing System FPA: Flight Path Angle

15 Results

16 Meaningful Scenarios from Simulation Traces 16 OPEN DES OPEN CLB No Change Simulation Traces Leads to Automation Surprise No Auto Surprise

17 Overview of Scenarios in Simulation Output SCModeASDescription 1DESNoMode reversion before level off, early flaps extension leads to overspeed 2CLBYes--"-- 3DESYes*Mode reversion after level off, early flaps extension leads to overspeed 4**CLBYes--"-- 5DESYes*After level off, dive leads to overspeed on current flap configuration 6CLBYes--"-- 17 SC: Scenario AS: Automation Surprise (*) Possibly due to artifact (**) SAL Scenario

18 Model Checking Matching Case 18 SAL WMC Unknown time step Action Value Extend flaps201 knots Level Off Altitude3200 feet Level Off Duration100 seconds GA Altitude3281 feet

19 Scenario 4: OPEN CLB 1.Level off 2.Return to glideslope (dive) 3.Flaps Extension 4.Sets max speed below current speed (former max speed = 220 knots, max speed with flaps = 205 knots) 5.OPEN CLB engages 6.Aircraft climbs 19 Zoom

20 Scenario 6: OPEN CLB 1.Level off 2.Return to glideslope (dive) 3.Overspeed from dive 4.OPEN CLB engages 5.Aircraft climbs 20 Zoom

21 Preconditions for Scenarios 21 SC: Scenario AS: Automation Surprise Go Around (GA) altitude fixed at 3291 feet (as in SAL) Flaps Extension speed fixed at 226 knots (as in SAL) Level Off altitude and duration varied

22 Preconditions for Scenarios 22 Go Around (GA) altitude fixed at 6000 feet Level Off altitude fixed at 7000 feet Level Off duration and Flaps Extension speed varied SC: Scenario AS: Automation Surprise

23 Conclusion

24 Next Step: Simulation  Model Checking +Implement capability for new scenarios into model checking +Make model checking model more detailed 24 Scenario Narrative Create Model & Specifications for Model Checking (SAL) Analyze Using Model Checking (SAL) Create Models & Metric Specifications for Simulation (WMC) Analyze Using Simulation (WMC)

25 Conclusion +Examined same scenario using both model checking and simulation +Simulation results show expansion of Model Checking results (more scenarios & comprises aircraft dynamics and time) +Method was shown how to use the two frameworks in conjunction to examine system behavior 25 Model Checking Simulation IntroAuto SurpPlatformsMethodResultsConclusion

26 Questions & Comments Welcome Now 26

Download ppt "Example of a Complementary use of Model Checking and Agent-based Simulation Gabriel Gelman & Karen Feigh Georgia Institute of Technology & John Rushby."

Similar presentations

Ex. 8 - Descending Ex. 8 - Descending.

Ex. 8 - Descending Ex. 8 - Descending.
Course Schedule three Assessment Scenarios Discussion Groups Discussion Groups.

Course Schedule three Assessment Scenarios Discussion Groups Discussion Groups.
The OZ Display is used in conjunction with the nose camera view provided on the STE simulation. OZ integrates flight information provided by the Predator.

The OZ Display is used in conjunction with the nose camera view provided on the STE simulation. OZ integrates flight information provided by the Predator.
Propellers and Engine Instruments

Propellers and Engine Instruments
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Continuous Climb Operations (CCO) Saulo Da Silva

Continuous Climb Operations (CCO) Saulo Da Silva
Learning from failure Mahabubul Alam CS/SE 6361, Fall 2014  Term Paper Presentation – I  The University of Texas at Dallas Asiana Airlines #214.

Learning from failure Mahabubul Alam CS/SE 6361, Fall 2014  Term Paper Presentation – I  The University of Texas at Dallas Asiana Airlines #214.
Short Field Takeoff & Landing

Short Field Takeoff & Landing
Lecture 9: Ground Proximity Warning System (GPWS)

Lecture 9: Ground Proximity Warning System (GPWS)
Normal Procedures Cirrus SR-22 Transition Training 8/16/04.

Normal Procedures Cirrus SR-22 Transition Training 8/16/04.
Emergence of Regional Jets and the Implications on Air Traffic Management Aleksandra Mozdzanowska and R. John Hansman Massachusetts Institute of Technology.

Emergence of Regional Jets and the Implications on Air Traffic Management Aleksandra Mozdzanowska and R. John Hansman Massachusetts Institute of Technology.
Tailwinds Flying Club Fall Safety Session - 2007 Know your airplane Piper Arrow III PA28R- 201T.

Tailwinds Flying Club Fall Safety Session Know your airplane Piper Arrow III PA28R- 201T.
IMPACT OF WIND AND SINK ON GLIDER PERFORMANCE* Doug Cline * Based on topic suggested by Tom Roberts FLSC 2006 Safety Seminar.

IMPACT OF WIND AND SINK ON GLIDER PERFORMANCE* Doug Cline * Based on topic suggested by Tom Roberts FLSC 2006 Safety Seminar.
KAP 140 Autopilot A self-study tool for pilots who fly with the Bendix/King KAP 140 Autopilot System This presentation is provided free of charge to everyone.

KAP 140 Autopilot A self-study tool for pilots who fly with the Bendix/King KAP 140 Autopilot System This presentation is provided free of charge to everyone.
Predicting Performance

Predicting Performance
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Eights-on Pylons Not to be confused with Eights around pylons Eights across a road Eights along a road.

Eights-on Pylons Not to be confused with Eights around pylons Eights across a road Eights along a road.
Chandelles.

Chandelles.
Soft Field Takeoff and Landing. Soft Field Takeoff w Before landing, will you be able to take off? w Complex and high performance aircraft often have.

Soft Field Takeoff and Landing. Soft Field Takeoff w Before landing, will you be able to take off? w Complex and high performance aircraft often have.
6.09 Flight Instruments and Performance Factors

6.09 Flight Instruments and Performance Factors

Similar presentations

Ads by Google