Session III Issues for the Future of ATM CTAS Verification Darren Cofer, Honeywell
advertisement
NEXTOR Annual Research Symposium
November 14, 1997
Session III
Issues for the Future of ATM
CTAS Verification
Darren Cofer, Honeywell
Formal Specification and Analysis
of the Center-TRACON
Automation System
National Center of Excellence for Aviation Operations Research
Annual Research Symposium - 14 November 1997
Project sponsor: NASA Langley Research Center
Honeywell Technology Center
3660 Technology Dr.
Minneapolis MN 55418
Point of contact: Dr. Darren Cofer
(612) 951-7279
Honeywell Technology Center
Page 1 of _
Team
• Honeywell Technology Center
Darren Cofer, Rosa Weber, John Maloney
• University of California at Berkeley
George Pappas, Shankar Sastry
• Massachusetts Institute of Technology
John Lygeros, Nancy Lynch
Honeywell Technology Center
Page 2 of _
Unique capabilities and emphasis
• Modeling/analysis of complex systems
Weather
(disturb.)
HW + SW architecture issues, tools
Aircraft
(plant)
• Control-theoretic viewpoint
radar/
flt plan
ATC
clrnc
CTAS as input/output control system
CTAS
(control)
• Hybrid systems
Discrete-event and continuous dynamics
Honeywell Technology Center
Page 3 of _
Roadmap for presentation
• What CTAS means to me…
• Changes in ATM/NAS
• Safety Issues and Technologies
• Requirements Specification: HOPTs
• System Architecture: MetaH
• Formal Systems Analysis: Hybrid Systems
Honeywell Technology Center
Page 4 of _
Assessing changes in NAS
Honeywell Technology Center
• Increasing demands on system
• New technologies
• New procedures
Impact on system?
Affected components?
Safety?
Page 5 of _
Safety issues
Logical correctness of requirements
and implementation
System architecture and timing,
degraded modes of operation
Formal equivalence of systems,
preservation of properties
Honeywell Technology Center
A
?
=
B
Page 6 of _
Operationally embedded
reactive systems
System input
System output
Process
Sensors
Command
Scenario inputs
Title:
Creator: DoME by Honeywell Technology Center, Honeywell Inc.
CreationDate:
Actuators
Controller
Behavior outputs
Behavior inputs
Honeywell Technology Center
Modes / Procedures
• Ascent
• Descent
• Level Cruise
• Emerg. procedures
• Conflict res. mode
• Altitude target
• Speed target
• Vertical speed target
• Pitch/thrust control mode
Page 7 of _
Operational procedure table
Title:
Creator: DoME by Honeywell Technology Center, Honeywell Inc.
CreationDate:
operational procedure scenario
climb
Honeywell Technology Center
alt. cap.
alt. hold
behavior
new alt.
descend
lost ref.
new alt.
Page 8 of _
Semantics
1. Get input state
2. Compute scen
and select ope
procedure
3. Collect associated behavior
output functions
Honeywell Technology Center
4. Execute
Page 9 of _
Completeness and Consistency
f:U→Y
• Consistent: f(u) is unique.
y1
u
y2
(a function vs. a relation)
• Complete: f(u) defined ∀ u ∈ U.
(a total function)
Honeywell Technology Center
y
u1
u2
?
Page 10 of _
CTAS decision logic
Focus on algorithms
in Route Analyzer
Aircraft State
FAST
Route Analyzer
Analysis Packet
Profile Selector
Trajectory Synth
Trajectory Synth
Controller Weather
Controller Weather
Honeywell Technology Center
RUNWAY STA
Advisories
Page 11 of _
Route Analyzer
Contains many decision logic elements
Title:
Creator: DoME by Honeywell Technology Center, Honeywell Inc.
CreationDate:
Honeywell Technology Center
Page 12 of _
Update heading (OPT)
Title:
Creator: DoME by Honeywell Technology Center, Honeywell Inc.
CreationDate:
Honeywell Technology Center
Page 13 of _
Findings
• Consistent
• Some incomplete
May rely on context:
HDG 300
Heading = 300 AND
Waypoint = WYPT_GREEN
not possible
Honeywell Technology Center
DOWNWIND
WYPT_GREEN
BASE
FINAL
Page 14 of _
Assess performance in degraded
operational modes
• Hardware node failure
• Software failure
• Excess computational load
Honeywell Technology Center
Page 15 of _
What is MetaH?
graphical
editor
textual
editor
syntax/semantics
analyzer
source code
modules
HW/SW
binder
workspace
executive
generator
schedule
modeler
reliability
modeler
security
modeler
conc. proc.
modeler
application
builder
schedule
analyzer
reliability
analyzer
security
analyzer
verifier
load image
Honeywell Technology Center
analysis results
Page 16 of _
FAST model
Impl. Context
Name: TBD
Class: System
Archetype: HW_part
Reference: HW_part
Configuration: default
Processor
FAST_SPARC_1 b
Impl. Context
Name: FAST_System
Class: Application
Archetype: FAST
Reference: FAST
Configuration: default
Processor
FAST_SPARC_2 b
FAST_Memory
FAST_Memory
FAST_VME_0 b
FAST_VME_0 b
Processor
FAST_SPARC_3 b
FAST_Memory
FAST_VME_0 b
Processor
FAST_SPARC_4 b
FAST_Memory
FAST_VME_0 b
System
Impl. Context
HW_partb
Message_Types b
Message_Type
b
SW_part
Honeywell Technology Center
Name: FAST_SW
Class: Mode
Archetype: SW_part
Reference: SW_part
Configuration: default
b
Off
b
Standby
b
Initialize
b
Run
b
Reduced
b
Recovery
Page 17 of _
FAST model: Run mode
Impl. Context
Name: Run_imp
Class: Mode
Archetype: Run
Stop_CTAS
Reference: Run
Configuration: default
Failure
b
b
RA_1
TGUI
b
TS_RA1
b
b
RA_2
b
b
PGUI
CM
TS_RA2
b
b
RA_3
b
PFS
b
b
TS_RA3
TS_PFS
Others
Honeywell Technology Center
Page 18 of _
FAST Model: Reduced mode
Impl. Context
Name: Reduced_imp
Class: Mode
Stop_CTAS
Archetype: Reduced
Reference: Reduced
Configuration: default
Increased
run time
{
Failure
b
b
RA_1
TGUI
b
TS_RA1
b
RA_2
b
b
b
PGUI
CM
TS_RA2
Failed
processes
Honeywell Technology Center
b
RA_3
b
b
TS_RA3
b
PFS
b
TS_PFS
Others
Page 19 of _
FAST model: HW-SW binding
CPU_1
RA
OTH
CPU_2
RA
CPU_3
RA
PFS
CPU_4
CM
TGUI
PGUI
TS
TS
TS
TS
CPU_1
CPU_2
CPU_3
CPU_4
RA OTH
TS PGUI
CM
Honeywell Technology Center
RA
RA
TGUI
PFS
TS
TS
TS
CM
PGUI
TS
Page 20 of _
Performance: Nominal Hardware
180
100
80
RUN
160
RUN
REDUCED
140
REDUCED
Utilization %
Utilization %
120
60
40
100
80
60
40
20
20
0
0
CPU 1
CPU 2
CPU 3
N aircraft
CPU 4
CPU 1
CPU 2
CPU 3
CPU 4
2N aircraft
• In Reduced mode, processor load becomes more unbalanced.
Reduces margin to schedulability
• Doubling number of aircraft results causes scheduling failure
Unable to meet deadline for updates.
Honeywell Technology Center
Page 21 of _
Performance: One node failure
100
180
80
RUN
160
RUN
REDUCED
140
REDUCED
Utilization %
Utilization %
120
60
40
100
80
60
40
20
20
0
0
CPU 1
CPU 2
N aircraft
CPU 3
CPU 1
CPU 2
CPU 3
2N aircraft
• Load from failed CPU transferred to less busy nodes.
Reduces margin to schedulability on those nodes.
• Doubling number of aircraft results in scheduling failure.
Unable to meet deadline for updates.
Honeywell Technology Center
Page 22 of _
Other analyses...
• New processs added to system
Departure automation
• New capabilities added to existing processes
Weather data in route analysis
• Faster cycle times required
Fast radar updates or GPS data
Honeywell Technology Center
Page 23 of _
Hybrid Input/Output Automata
UA
in
A
XA
int
A
YA
out
A
A
A hybrid input/output automaton A is defined by
Input, output and internal typed variables
Input, output and internal actions
State space is set of all possible variable values
Initial conditions
A set W of trajectories of variables and D of discrete transitions
Each action has an associated precondition and effect
An execution of the automaton is α = w1 a1 w2 a2 w3 a3.....
Honeywell Technology Center
Page 24 of _
Hybrid Input/Output Automata
Compositions of compatible hybrid automata are hybrid automata
UA
XA
in
A
int
A
YA = UB
out =
A
in
B
A
•
int
B
B
Variable and action hiding allows building macrocomponents
UA
XA
in
A
int
A
A
•
XB
A
YB
out
B
out
A
YA = UB
out =
A
in
B
XB
int
B
YB
out
B
B
Composite system satisfies composite specification
Honeywell Technology Center
Page 25 of _
Safety Analysis
How can one analyze such a complex large scale system?
CTAS
TMA
DA
FAST
RA
TS
PFS
• Step 1 : Top down specification refinement
• Step 2 : Verify that low level systems meet specification
• Step 3 : Abstract behavior of composite system
Honeywell Technology Center
Page 26 of _
Safety Analysis
Safety specs can be expressed as undesirable state regions
Will aircraft lose separation? Is TRACON capacity exceeded?
Specs can also be formulated using performance monitors
The analysis approach: Forward & Backward Reachability
Initial States
and
Parameters
System State Space
Unsafe
Region
•
•
Forward : Verify safety given parameters and initial states or generate
trajectory leading to unsafe operation
Backward : Determine which initial states and parameters are reachable
from the unsafe region
Honeywell Technology Center
Page 27 of _
Safety Tools
Discrete Systems
COSPAN (Correctness of communication protocols)
VIS (Correctness of hardware/software systems)
Timed Systems
KRONOS (real-time properties of communication networks)
Timed COSPAN
Hybrid Systems
HyTech (Rectangular Hybrid Systems)
Various Mathematical Tools from
Systems Theory
Probability Theory
Computer Science and Logic
Honeywell Technology Center
Page 28 of _
Conflict Resolution in FAST
B
LONG LEF
DOWNWIND LEFT
DOF 2
BASE
DOF 1
A
FINAL
OVER THE TOP
Assume final landing order is A B C
C
Potential conflict between B and C on downwind left
Aircraft C must be delayed using 2 degrees of freedom
Speed and altitude profiles dictated by TRACON procedures
Question: For what initial configurations (horizontal and vertical
coordinates) of Aircraft C is conflict avoided?
Honeywell Technology Center
Page 29 of _
Conclusions
System perspective of safety analysis
Formal Methods Approach
Modeling, specification and analysis
Safety assessment of NAS is similar conceptually
Methodology does not depend on CTAS details
Questions are challenging, but are the right ones!
Honeywell Technology Center
Page 30 of _
