GTMAX - Georgia Institute of Technology

System Safety Risk Management: An Autonomous UAV Example from a Course on Safety By Design and Flight Certification
Dr. Daniel P. Schrage
Professor and Director, CASA and CERT
School of Aerospace Engineering
Georgia Institute of Technology
Atlanta, GA 30332-0150
Presentation Outline
 Overview of Georgia Tech graduate program in Aerospace Systems Design
 Brief description of the Safety By Design and Flight Certification Course
 Example from Safety Course for an Autonomous Unmanned Aerial Vehicle (UAV) – The GTMAX
Georgia Tech Practice-Oriented M.S. Program in Aerospace Systems Design
[Curriculum chart; slide residue. Columns: Semester I, Semester II, Summer. Rows: IPPD Methods/Techniques, Disciplinary Courses, IPPD Tools/Infrastructure.]
Courses shown: Integrated Product/Process Development; Applied Systems Design II; Modern Design Methods I; Propulsion Systems Design; Applied Systems Design III; Modern Design Methods II; Product Life Cycle Management; Mathematics (2 Required)
Legend: Core Classes; Elective Classes (Special Project, Safety By Design, Design Seminars, Internships, Other Electives)
Safety By Design and Flight Certification Course
 First taught in 1998 as a project oriented course to orient students on the role of safety by design and flight certification in the design iteration process
 Course builds on the Integrated Product/Process Development (IPPD) through Robust Design Simulation (RDS) environment created in the Georgia Tech Aerospace Systems Design Laboratory (ASDL)
 Course taught in the summer semester to allow students to analyze the designs they developed during the fall and spring semesters (Fixed Wing, V/STOL Rotorcraft, Space, and Missiles)
 Course has been continuously improved each year to address more of the issues in moving to a risk based managed process
 Course has sought to incorporate user friendly tools for System Reliability Prediction, FTA, FMEA and Markov Analysis
 Emphasis on the course taught this summer was on the interaction of Hardware, Software, and Liveware (Human) reliabilities & partnerships with industry and government
Course Projects for Summer 2002
 Quiet Supersonic Aircraft – in conjunction with Gulfstream Aerospace Corporation
 The ICBM Peacekeeper as a Commercial Launch Vehicle – in conjunction with the FAA Space Systems Development Division
 A VTOL Personal Air Vehicle (PAV) – in conjunction with the NASA PAV Evaluation program
 *An Autonomous UAV: GTMAX – in conjunction with the DARPA Software Enabled Control (SEC) program and the GT Entry in the International Aerial Robotics Competition (IARC)
* Example to be illustrated
Development of a Certification Plan
(ARP 4754: Certification Considerations for Highly-Integrated or Complex Aircraft Systems)
 Each Plan should include:
- A functional and operational description of the system and the aircraft on which the system will be installed
- A statement of the relationship of this certification plan to any other relevant system certification plans
- A summary of the functional hazard assessment (aircraft hazards, failure conditions, and classification)
- A summary of the preliminary system safety assessment (system safety objectives & preliminary system development assurance levels)
- A description of any novel or unique design features that are planned to be used in meeting the safety objectives
- A description of the new technologies or new technology applications to be implemented
- The system certification basis including any special conditions
- The proposed methods of showing compliance with the certification basis
- A list of the data to be submitted and the data to be retained under configuration control, along with a description or sample of data formats
- The approximate sequence and schedule for certification events
The Overall GT Safety By Design Approach
[Flowchart; slide residue. Recoverable elements:]
- Aircraft/Spacecraft Design → Aircraft/Spacecraft FHA/FTA (ARP 4754) → Safety Goals
- System Design → System FHA/FTA (ARP 4761); DO-178B/160D
- Reliability Prediction and Safety Prediction Analysis Techniques: Criticality Matrix; System Reliability Prediction Programs (PRISM); Reliability Simulation; Markov Analysis (MEADEPS); Probabilistic Assessment (Crystal Ball); Other PSSA Methods; Technology Insertion (TIF/TIES ?)
- Iteration loop: Apply → Satisfied? → No: repeat; Yes: proceed
SBD Process Overview
Design phases: Concept Development → Preliminary Design → Detailed Design → Design Validation & Verification
- Aircraft FHA: Functions, Hazards, Effects, Classifications
- System FHA: Functions, Hazards, Effects, Classifications
- PSSA: Aircraft FTA (Qualitative, System Budgets, Intersystem Dependencies); System FTA (Qualitative, Subsystem Budgets)
- SSA: System FTAs, System FMEAs, FMES (Qualitative, Failure Rates), DD, MA
- CCA: Particular Risk Analysis, Common Mode Analysis, Zonal Safety Analysis
GTMax Preliminary Safety Assessment and Certification Plan
Han Gil Chae
Adeel Khalid
Kayin Cannon
Colin Pouchet
Henrik B. Christophersen
Overview
 Introduction
- General facts about GTMax
 GTMax Certification
- General Information of UAV Certification
- Analysis for particular system
- Human Errors
- Proposed system improvement
- Proposed Certification plan
 Conclusions
Introduction
 System Description
 System Requirements
GTMax: Development
- Originally developed for aerial pest control
- Modified for DARPA SEC Program and for Aerial Robotics
- Test bed for Manned Vehicle Electronic System
Software Enabled Control (SEC)
The objective of SEC is to co-develop advanced real-time control system algorithms and the software services and infrastructure necessary to implement them on distributed embedded processors in a robust and verifiable way
Dr. John Bay, DARPA/IXO
DARPA SEC Participants
 Open Control Platform (OCP) Developers: Georgia Tech; Boeing Phantom Works; UC Berkeley; Honeywell Technology Labs
 SEC Technology Developers (Active State Modelers, On Line Control Customization, Coordinated Multi-Modal Control, High Confidence Software Control Systems): Georgia Tech; UC Berkeley; Rockwell Collins; Cornell; MIT; Northrop Grumman Corp; Cal Tech; Draper Labs; Honeywell Labs; U of Min; Vanderbilt; OGI; Stanford
 University Led Experiments (Rotary Wing): Georgia Tech
 Industry Led Experiments (Fixed Wing): Boeing Phantom Works
The Georgia Tech GTMAX: A Truly Modular Open System Testbed
 The Georgia Tech GTMAX consists of
- The Yamaha RMAX Remotely Piloted Helicopter: a rugged, proven air vehicle which is becoming the vehicle testbed choice for VTOL UAV autonomous vehicle research
- The Georgia Tech Modular Avionics Package: built for reconfigurability, growth and easy upgrade
- The Boeing - Georgia Tech OCP: a Real Time CORBA based open system software architecture
 As a system the GTMAX provides an excellent resource for the UAV community for developing and evaluating UAV technologies, both hardware and software, as well as Home Security Experiments
GTMAX: Vehicle Specifications
[Three-view drawing; dimensions shown in mm: 1800, 1080, 3115, 720, 3630]
Engine: Gasoline, 2-Cylinder, Water Cooled; Power output: 21 Hp
Fuel: 6 L (1.6 gal)
Endurance: 60 min
Weight: Gross Weight 204.6 lb; Empty Weight 127.6 lb; Payload 66 lb
GT Research UAV: GTMAX
[System diagram; slide residue. Recoverable elements:]
- Air vehicle (YAMAHA): Yamaha Attitude Control System (YACS), Actuators, RC Receiver, GPS
- On-board Avionics (GEORGIA TECH): Georgia Tech Onboard Avionics running the Boeing-GT OCP, connected to the YACS over 3x RS-232 Serial
- Ground segment: GPS Reference; Ground Computer(s) and Network; Ground Control Station
- Links between the air vehicle and the ground segment: Data Link I (Ethernet) and Data Link II
- Safety Pilot with RC Transmitter to the on-board RC Receiver
Onboard Avionics Hardware Architecture
[Block diagram; slide residue. Recoverable elements:]
- Sensors: Magnetometer, Sonar Altimeter, Radar Altimeter, IMU, D-GPS
- Computing: Computer #1, Computer #2, Servo Interface, Ethernet Hub
- Links: Wireless Serial, Wireless Ethernet
- Power: Power Dist, Ext Power
- Legend: Serial Data, Ethernet, Power
Video Camera, Radar and Possibly Lidar to be installed this summer
GTMAX Avionics HW Integration
 GTMAX hardware is packaged into exchangeable modules:
- Flight Computer Module
- GPS Module
- Data Link Module
- IMU/Radar Module
- Unused Module (Growth)
- Sonar/Magnetometer Assemblies
- Power Distribution System
 Each module has self-contained power regulation and EMI shielding
 Shock-mounted main module rack
GTMAX Hardware Integration
 Power System
- On-board generator outputs 12V DC, 10 A
- Power source hot-swappable between onboard and external
- Each module is powered via individual circuit breakers
 Interfacing and Wiring
- Interface Types: RS-232 Serial, Ethernet, 12V DC
- All interfaces on module back-sides
- Aviation-quality wiring harness

Open Control Platform Motivation
Limitations of State-of-the-Art Complex Control Systems:
• Tightly coupled
• Difficult to adapt or evolve
• Complex, inflexible data interchange
• Computationally limited
• Closed, proprietary systems
Desired Capabilities:
• Adaptability and dynamic reconfigurability
• Plug-and-play extensibility, component interchangeability
• Real-time quality of service
• Interoperability, distributed communication
• Openness
Boeing-GIT Baseline Open Control Platform (OCP) Software Implementation on the GTMAX
[Component diagram; slide residue. Recoverable elements:]
- Components: I/O Component (100 Hz Timer), Navigation Module Component, Controller Component, DataLink Interface
- I/O Component interfaces: Sensors Serial Interface (GPS, IMU, Magnetometer, sonar); Vehicle Serial Interface (RMAX Attitude sensors, receiver commands, timeout_in); Actuator Serial Interface (RMAX Actuator demultiplexer, 50 Hz); Vehicle Health
- Ports shown: Controls API Input Port, Controls API Output Port, NavData_in/NavData_out and ControlData_in/ControlData_out (100 Hz), NavControl_in/NavControl_out (50 Hz)
- DataLink Interface: Ethernet “Serial” Port and Serial port at 1 Hz & 10 Hz; input datalink ports read @ 100 Hz; m0 written at 10 Hz; m1 written at 1 Hz
Mission Intelligence Flow for GT Research
[Flow diagram; slide residue. Recoverable elements:]
- Situation Awareness: Obstacle/Target Detection → Obstacle/Target Identification → Obstacle/Target Tracking
- Mission Planning: Mode Selection → Mode Switching
- Flight Control System → UAV → Sensors → Sensor Fusion → Diagnostics → Emergency? (Yes: Fault Tolerant Control; No: Continue Mission)
GTMax: Aerial Robotics Mission & SEC Scenario
- 15 min
- T/O (manually)
- Fly Autonomously 3 km
- Get Information from the Inside
- Identify Structure
- No Need to Return after the Mission
GTMax Certification
 Certification Basis
 Analysis (Functional, FHA, PSSA)
 Human Errors
 Strategy for achieving compliance
 Sequence of certification events
FAA Certification
[Flow diagram; slide residue. Recoverable elements:]
- Design → Type Design Approval → Type Certificate
- Production → Quality Assurance Approval, Type Design Conformity → Production Certificate
- Operation → Airworthiness Certificate
- Defect found in operation → Continued Airworthiness
Certification Basis
No Certification Basis for UAVs
Suggested Regulations:
- System Design/Analysis: AC 25.1309-1A
- Safety Assessment: SAE ARP 4761
- Rotorcraft: FAR 27
Certification basis?
 Presently no certification basis for unmanned aircraft.
 Unmanned vs. manned aircraft:
- Increased reliance on electronic flight control systems in unmanned aircraft
- Safety = threat to persons and property outside aircraft
- Flight over populated areas vs. isolated areas
- Ground Control System
Suggested Regulations
 Flight crewmember(s) on the ground
 Safety equipment for occupants not required
- Impact protection for occupants
- Safety belts
- Oxygen
- Warning lights
 Flight Control System Certification
 Ground Control System Certification
 Categories of unmanned aircraft
Certification basis: Amended FARs
 FAR Part 1: Definitions and Abbreviations
 FAR Part 21: Certification Procedures for Products and Parts
 FAR Part 27: Airworthiness Standards: Normal Category Rotorcraft
 FAR Part 33: Airworthiness Standards: Aircraft Engines
 FAR Part XX: Airworthiness Standards: Electronic Flight Control Systems for Unmanned Aircraft
 FAR Part XX: Airworthiness Standards: Ground Control Systems for Unmanned Aircraft
Functional Analysis
 Top Level
[Functional flow block diagram; slide residue. Recoverable elements:]
- 1.0 Manage Organization
- 2.0 Maintain Equipment
- 3.0 Receive Mission Assignment → GO / NO GO
- 4.0 Prepare for mission
- 5.0 Execute Mission (UAV)
- 6.0 Execute Mission (GCS)
(AND gates join the parallel functions; NO GO returns to 2.0 Maintain Equipment, GO proceeds to 4.0 Prepare for mission)
Functional Analysis
 Manage Organization
- Manage Operation
- Manage Personnel
- Manage finances
- Manage sales/marketing
- Manage supporting equipment/facilities
 Maintain Equipment
- Maintain mission vehicle(s)
- Maintain Ground Station Equipment
- Maintain Supporting Equipment
Functional Analysis
 Receive Mission Assignment
- 3.1 Receive Mission Description
- 3.2 Study map of route
- 3.3 Make preliminary flight plan
- 3.4 Check weather
- 3.5 Investigate regulatory issues
- 3.6 Request additional information from customer
- 3.7 Evaluate Mission
- 3.8 Negotiate rate with customer
NO GO → Ref. 2.0 Maintain Equipment; GO → Ref. 4.0 Prepare for mission.
Functional Analysis
 Prepare for mission
- Verify readiness of UAV
- Create flight plan
- File NOTAM
- Verify that all necessary equipment is loaded and ready
- Obtain/sign release form
- Depart for launch site
Functional Analysis
 Execute Mission (UAV)
Start executing mission
- 5.1 Arrive at launch site
- 5.2 Prepare UAV
- 5.3 Preflight UAV
- 5.4 Take off and climb
- 5.5 Cruise
- 5.6 Search for target
- 5.7 Locate target
- 5.8 Search for portals
- 5.9 Find open portal(s)
- 5.10 Prepare for subvehicle launch
- 5.11 Deploy subvehicle
- 5.12 Hover in relay position
- 5.13 Cruise (return)
- 5.14 Descend and land
Finished Executing Mission
Functional Analysis
 Execute Mission (GCS)
Start executing mission (GCS)
- 6.1 Arrive at launch site
- 6.2 Prepare GCS for launch
- 6.3 Simulate mission in GCS
- 6.4 Brief crew
- 6.5 Establish communication link with UAV
- 6.6 Upload software/flight plan to UAV
- 6.7 Perform BIT → GO / NO GO (NO GO: 6.8 Troubleshoot and repair)
- 6.9 Prepare for take off
- Perform manual take off OR Perform autonomous take off
- Activate flight plan (autonomous flight)
- Monitor UAV during mission execution OR Control UAV (high-level commands); ABORT MISSION branch
- Land UAV upon return to Launch site
- Download data from UAV as needed
- Shut down GCS
- Prepare for next flight
Finished Executing Mission (GCS)
(References to 6.3 appear on the NO GO and ABORT MISSION branches of the diagram; references to 5.8 and 5.9 link to the UAV functions.)
FHA & FTA: Flight Control as Critical System Safety Subsystem
 Control System (Collective): Mechanical System and Electronic System
[Two FHA tables; slide residue. Columns on the slides: Function, Failure Condition, Phase, Effect of Failure Condition, Classification, Ref. To Supporting Material. Recoverable rows:]

Mechanical System
- A1.1 Generate Rotor Force: Loss of Lift Force of Rotor
  a. Loss of Rotor structure (All)
  b. Loss of Aerodynamic Forces (Take off)
  c. Loss of Aerodynamic Forces (Cruise)
  d. Loss of Aerodynamic Forces (Landing)
- A1.2 Generate Power: Loss of engine operation (All)
  a. Loss of engine structure
  b. Loss of inlet air
  c. Fuel system failure
  d. Loss of electricity
  e. Exhaust system failure
  f. Cooling system failure
  g. Lubrication failure
- A1.3 Transmit Power: Loss of Transmission capability (All)
  a. Loss of Transmission structure
- A2.1 Control Collective Pitch: Loss of Control Capability (All)
  a. Loss of Control sys. Structure
  b. Loss of electricity
  c. Loss of Command
- A2.2 Control Cyclic Pitch: Loss of Control Capability (All)
- A2.3 Control Yaw: Loss of Control Capability (All)
Effects recorded for these rows (row-by-row pairing not recoverable from the residue): “Causes whole aircraft failure and crash. May cause severe damage of people on the ground” (Catastrophic); “Causes loss of rotor capability” (Catastrophic); “Causes loss of control capability” (Major); “May cause severe crash. Depends on height. More likely than T/O phase” (Hazardous); “Need aircraft to land back immediately”; “Need aircraft to land back as soon as possible. Limited flight may be possible to find landing spot”. Supporting-material references noted: 1E-6, 1E-5.

Electronic System
- B1 Generate actuator steering commands
  Loss of valid steering commands from FCS:
  a. Invalid or missing output from FCS (T/O & Landing): Safety pilot will assume control of aircraft and bring it to a safe landing.
  b. Invalid or missing output from FCS (Cruise, within RC range): Safety pilot will assume control of aircraft and bring it to a safe landing.
  c. Invalid or missing output from FCS (Cruise, out of RC range): High probability of Loss of the Aircraft.
  Intermittent or erratic output from FCS (unstable flight):
  a. T/O & Landing: Safety pilot will assume control of aircraft and bring it to a safe landing.
  b. Cruise (within RC range): Safety pilot will assume control of aircraft and bring it to a safe landing.
  c. Cruise (out of RC range): High probability of Loss of Aircraft.
  d. FCS causes stable flight at incorrect position (T/O & Landing): Safety pilot will assume control of aircraft and bring it to a safe landing.
  Failure to detect Main Computer failure: Problem will not surface unless there is an actual Main Computer failure.
  Fault-tree events named in this part of the table: Loss of steering commands from Main Computer; Heartbeat Monitor switches incorrectly to Backup Controller; Loss of steering commands from Backup Controller; Failure of Heartbeat Monitor to switch to Backup Controller; Failure of Main Computer to discontinue sending heartbeats; Internal failure in Heartbeat Monitor; Partial loss of systems/performance. Rates noted beside them: 3E-3, 1E-3, 1E-4 (Loss of steering commands from Backup Controller: 1E-4).
- B2 Communicate with GCS / other UAVs
  Data Link: Unable to Receive signals from GCS.
  a. Unable to receive GCS high-level steering commands (T/O, Landing and Cruise in range): The crew will not be able to alter the UAV’s existing flight plan. Safety pilot may switch to manual control.
  b. Unable to receive GCS high-level steering commands (Cruise, out of RC range): The crew will not be able to alter the UAV’s existing flight plan. Could result in a hazardous condition.
  c. Unable to receive DGPS corrections (T/O, Landing): Missions requiring precise navigation should be cancelled.
  Data Link: Unable to transmit signals to GCS.
  a. Unable to send telemetry data to GCS (T/O, Landing and Cruise): The GCS will not have up-to-date information about the current location of the UAV.
- B3: row label present; its content is not recoverable. Additional effect text on the slide: “Aircraft will not be able to perform complex maneuvers.”
Classification entries in the electronic table (pairing not recoverable): Minor (D), Major (C), No effect (E) to (D), Catastrophic (A), Minor (D) to (A).
PSSA: Software Exploration
[Tool comparison table; checkmarks for Easy?, Database, Redundancy, Multiple Events and Distribution Functions were lost in extraction]
Tool         | What for?                    | Easy? | Database | Redundancy | Multiple Events | Distribution Functions
Prism        | System failure rate modeling |       |          |            |                 |
MEADEP       | Markov analysis              |       |          |            |                 |
Crystal Ball | Monte Carlo Simulation       |       |          |            |                 |
PSSA: Strategy
Fault Tree based on FHA; PRISM for Mech. Components; Markov Analysis for Mechanical System & Electronic System; Monte Carlo Simulation for Whole System
[Fault tree; slide residue, rebuilt as an indented list. Rates are as labelled on the slide; events without a rate here carry none on the slide.]
Loss of Collective Pitch Control capability
- Loss of Actuator Capability (Mech.)
  - Failure of Mechanical Component of Actuator: 1E-5
  - Loss of Electricity
    - Loss of Battery Capability: 1E-4
    - Failure of Wire Harness
- Loss of Mechanical Linkage Capability (Mech.): 1E-6
- Loss of steering commands from Remote Control Receiver (Elec.)
  - Failure of On-Board System
  - Failure of Ground Station
- Loss of steering commands from Flight Control Computer (Elec.); gate structure among the events below is not recoverable
  - Loss of steering commands from Main Computer: 3E-3
  - Heartbeat Monitor switches incorrectly to Backup Contr.: 1E-3
  - Loss of steering commands from Backup Controller: 1E-4
  - Failure of Heartbeat Monitor to switch to Backup Controller
    - Internal failure in Heartbeat Monitor: 1E-4
    - Failure of Main Computer to discontinue sending heartbeats: 1E-3
PSSA: Prism modeling
 Mechanical components
Failure rates (Prism Database):
Component    Failure/M calendar hr    Failure/Operation hr
Linkage      27.089                   9.36E-04
Yoke         8.1256                   2.81E-04
Main Rotor   3.7443                   1.29E-04
Swash P      2.8822                   9.96E-05
Servo        9.2274                   3.19E-04
 Total Failure Rate: 1.76 E-3/Op. hr
PSSA: Markov Analysis
 Mechanical System: MTTF 6023.275 /hr; Reliability 93.57 hr
 Electronic System: MTTF 1000.249 /hr; Reliability 90.48 hr
PSSA: Monte Carlo Simulation
Fault Tree from FHA (Loss of Collective Pitch Control capability, the same tree as on the PSSA Strategy slide) reduced to a Simplified Block Diagram:
λoverall = λ1 + λ2 + λ3 + (λ5 + λ6) × λ4 + λ7
Block assignments shown on the slide:
- λ1: Mechanical Component of Actuator (Actuator Capability)
- λ2: Battery Capability (Electricity), 1E-4
- λ3: Mechanical Linkage Capability
- λ4: Steering commands from Flight Control Computer
- λ5: On-Board System (Steering command from Remote Control Receiver)
- λ6: Ground System (Steering command from Remote Control Receiver)
- λ7: Wire Harness (Electricity)
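The block-diagram formula above, evaluated as a fault tree and then pushed through a Monte Carlo run in the spirit of the Crystal Ball slide. This is an added example, not code from the course; it reuses the slide's labelled rates (λ1 = 1E-5, λ2 = 1E-4, λ3 = 1E-6) and uses constructed placeholder values for λ4 to λ7, which the slide does not label, and an assumed log-normal input spread.

```python
"""Fault-tree evaluation and Monte Carlo propagation for the GTMax
"Loss of Collective Pitch Control capability" tree.

Added example; not code from the course slides. Gate rules follow the
slide's simplified block diagram: an OR gate (series blocks) adds failure
rates, an AND gate (redundant blocks) multiplies them, reproducing
    lambda_overall = l1 + l2 + l3 + (l5 + l6) * l4 + l7.
Rates are per operating hour. Rates the slides label are reused
(l1 = 1E-5, l2 = 1E-4, l3 = 1E-6); l4..l7 are constructed placeholders.
The log-normal input spread used for the Monte Carlo run is an assumption.
"""
import math
import random
import statistics
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None            # "OR", "AND", or None for a basic event
    rate: Optional[float] = None          # basic-event failure rate (1/h)
    children: List["Node"] = field(default_factory=list)

    def evaluate(self) -> float:
        """Failure rate of this node under the slide's gate rules."""
        if self.gate is None:
            if self.rate is None:
                raise ValueError(f"basic event {self.name!r} has no rate")
            return self.rate
        rates = [child.evaluate() for child in self.children]
        if self.gate == "OR":
            return sum(rates)
        if self.gate == "AND":
            return math.prod(rates)
        raise ValueError(f"unknown gate {self.gate!r}")

    def basic_events(self) -> List["Node"]:
        """All leaves below this node, depth first."""
        if self.gate is None:
            return [self]
        return [leaf for child in self.children for leaf in child.basic_events()]


def collective_pitch_tree(l1=1e-5, l2=1e-4, l3=1e-6, l4=1e-3,
                          l5=1e-5, l6=1e-5, l7=1e-5) -> Node:
    """The slide's simplified block diagram as a fault tree.
    l1..l3 are the slide's values; l4..l7 defaults are PLACEHOLDERS."""
    steering = Node("Loss of steering commands", "AND", children=[
        # Two redundant command paths: both must fail to lose steering.
        Node("Loss of steering commands from Remote Control Receiver", "OR",
             children=[Node("Failure of On-Board System", rate=l5),
                       Node("Failure of Ground Station", rate=l6)]),
        Node("Loss of steering commands from Flight Control Computer", rate=l4),
    ])
    return Node("Loss of Collective Pitch Control capability", "OR", children=[
        Node("Failure of Mechanical Component of Actuator", rate=l1),
        Node("Loss of Battery Capability", rate=l2),
        Node("Loss of Mechanical Linkage Capability", rate=l3),
        steering,
        Node("Failure of Wire Harness", rate=l7),
    ])


def closed_form(l1, l2, l3, l4, l5, l6, l7) -> float:
    """The slide's formula, used to cross-check the tree evaluation."""
    return l1 + l2 + l3 + (l5 + l6) * l4 + l7


def monte_carlo(tree: Node, samples: int = 20000, spread: float = 0.3,
                seed: int = 1) -> Tuple[float, float]:
    """Propagate input uncertainty as the Crystal Ball slide does: draw each
    basic-event rate around its point value (log-normal, relative spread
    `spread`) and return mean and standard deviation of the top-event rate."""
    rng = random.Random(seed)
    leaves = tree.basic_events()
    nominal = [leaf.rate for leaf in leaves]
    results = []
    for _ in range(samples):
        for leaf, mu in zip(leaves, nominal):
            leaf.rate = rng.lognormvariate(math.log(mu), spread)
        results.append(tree.evaluate())
    for leaf, mu in zip(leaves, nominal):     # restore the point values
        leaf.rate = mu
    return statistics.mean(results), statistics.stdev(results)


if __name__ == "__main__":
    tree = collective_pitch_tree()
    print(f"point estimate: {tree.evaluate():.4e} /h")
    mean, sd = monte_carlo(tree)
    print(f"Monte Carlo: mean {mean:.4e}, sd {sd:.4e}")
```

With these placeholder inputs the AND-gated steering term contributes only 2E-8, so the top-event rate is set almost entirely by the series mechanical and electrical blocks; changing `spread` shows how wide the fitted distribution becomes.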
PSSA: Monte Carlo Simulation
[Crystal Ball worksheet; slide residue. Input assumption cells (B4) for: Mechanical Component of Actuator, Battery Capability, Wire Harness, On-Board System, Ground System, Mechanical Linkage Capability, Steering commands From Flight Control Computer. Point values visible in the cells: 1E-5, 1E-6. Displayed cell means read 0.00 at the worksheet’s precision.]
 Same order as Inputs
Overlay Chart: Frequency Comparison (x-axis 0.00290 to 0.00330)
 Normal curve fit gives
- μ = 3.1×10⁻⁵
- σ = 7.0×10⁻⁵
PSSA: Reliability Goals
General Aviation Loss Of Aircraft (LOA): 10 / 100,000 flight hrs = 1E-4 / flight hr
[Pie chart; slide residue. Labels: 10%; 60% with “- Mechanical system failures” and “- “Other” external causes”]
Reliability Goal: LOA Flight Control = 1E-5
Human error plays significant role in UAV
Human Errors: Introduction
 Direct or Indirect
 Intentional or Unintentional
 Flying into Electrical Lines
- Mission planner
- Ground control
- Maintenance
Human Errors: Human Safety and Reliability
[Flow diagram; slide residue. Nodes, in the order drawn: Better Working Environment; Increased Worker Reliability; Increased Worker Safety; Increased ROA Reliability; Reduced Delays Due to Injury; Increased Safety of ROA and Environment; Increased Mission Success]
Human Errors: Working Environment
 Some important factors and issues
- Documentation: “Stay 500 feet from power lines”
- Information: “There are power lines here”
- Communication: “We should move away”
- Training: “What do I do now?”
- Visual/Aural Alerts: “Warning!”
- Workload: “What? I’m busy”
Human Errors: Environment
 Each Top Level Function has a Different Environment (top-level functional diagram 1.0–6.0 repeated from the Functional Analysis slides)
 Possible Dangers in the Environment
- High workload / Time critical workload / High stress
- Unnoticed errors / no quality assurance
- Too many details to consider
- Hazardous equipment and materials
- Distractions
Human Errors: Launch Site Setup
 Major Dangers:
- High workload
- Unnoticed errors
- Hazardous equipment and materials
- Weather and terrain
 Suggestions:
- Document procedure
- Labels and color
- Range safety officer
- Familiarization with all equipment
- Information about launch site before arrival
New technology
 Fault tolerant software
 Fault tolerant system architecture
Fault Tolerant Design: Software
 LPE Step 1
- Mission Objective → Abstract Mathematical Language → Mission Objective
Assumption : operationalt (U )  4
Goal : u U .t  T .operationalt (u) | v. post  D | 
Fault Tolerant Design: Software
 LPE Step 2
- Mission Plan → Flowchart Language → Formal Proof
Fault Tolerant Design: Software
 LPE Step 3
- Control System, Destination Vector, Formation Vector → Proven Algorithm → Automatically Generated Code
Fault Tolerant Design: Software
[Open-Control Platform diagram; slide residue:]
- LPE Step 1: Math. Expression; High-Level Abstraction; Located On-Board
- LPE Step 2: Flowchart Validation
- LPE Step 3: Executable Code; Several Languages; Code Validation
- OCP elements: MPC, Control, Communication API; Real-Time Reconfig. Mediator
Fault Tolerant Design: system architecture
[Block diagram; slide residue. Recoverable elements:]
- Sensor data from a Primary Sensor and a Secondary Sensor; a Main Flight Computer and a Backup Flight Controller
- Steering Commands from the Main Flight Computer pass through the HB Monitor and Steering Relay to the Actuators and Rotor (Mech. systems); the relay switches to the Backup Flight Controller when the main computer’s heartbeats stop
- Power: Generator and RMax battery on the Primary Avionics DC Bus; Backup Battery (Trickle charge) on the Secondary Avionics DC Bus; Power plant system
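The heartbeat monitor and steering relay of this architecture, simulated in discrete time so the fault-tree events on the PSSA slides can be seen one at a time. This is an added example, not code from the GTMax project; the 50 Hz relay cycle, the 5-cycle heartbeat timeout and the message fields are assumptions.

```python
"""Heartbeat monitor and steering relay from the GTMax fault-tolerant
architecture slide, simulated in discrete time.

Added example; not code from the GTMax project. The slide shows the Main
Flight Computer's steering commands passing through an "HB Monitor and
Steering Relay" that can hand steering to the Backup Flight Controller.
Assumed here: a 50 Hz relay cycle, a 5-cycle heartbeat timeout, and the
message fields below. The three scenarios map onto fault-tree events from
the PSSA slides: a clean switch when heartbeats stop, a main computer that
fails but keeps sending heartbeats (no switch), and a heartbeat dropout
on a healthy main computer (a switch that happens incorrectly).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tick:
    """Inputs seen by the relay in one cycle (constructed sample data)."""
    t: int
    main_heartbeat: bool           # heartbeat from the main computer arrived
    main_cmd: Optional[float]      # main computer steering command, None = missing
    backup_cmd: float              # backup controller steering command


class HeartbeatRelay:
    """Latch steering over to the backup controller after `timeout`
    consecutive cycles without a heartbeat from the main computer."""

    def __init__(self, timeout: int = 5):
        self.timeout = timeout           # assumption: 5 cycles = 100 ms at 50 Hz
        self.missed = 0
        self.source = "main"

    def step(self, tick: Tick) -> Optional[float]:
        """Return the steering command forwarded to the actuators this cycle."""
        self.missed = 0 if tick.main_heartbeat else self.missed + 1
        if self.source == "main" and self.missed >= self.timeout:
            self.source = "backup"       # latched: no automatic switch back
        return tick.main_cmd if self.source == "main" else tick.backup_cmd


def run(relay: HeartbeatRelay, ticks: List[Tick]) -> List[Optional[float]]:
    """Feed every cycle through the relay and collect forwarded commands."""
    return [relay.step(tick) for tick in ticks]


def heartbeats_stop(n: int = 20, fail_at: int = 8) -> List[Tick]:
    """Main computer dies at `fail_at`: heartbeats and commands both stop."""
    return [Tick(t, t < fail_at, 0.1 if t < fail_at else None, 0.0)
            for t in range(n)]


def heartbeats_continue(n: int = 20, fail_at: int = 8) -> List[Tick]:
    """Main computer output becomes invalid at `fail_at` but its heartbeat
    task keeps running (the 'failure to discontinue sending heartbeats' event)."""
    return [Tick(t, True, 0.1 if t < fail_at else None, 0.0)
            for t in range(n)]


def heartbeat_dropout(gap: int, n: int = 20, start: int = 8) -> List[Tick]:
    """Healthy main computer whose heartbeats are lost for `gap` cycles, e.g.
    a link glitch; commands stay valid throughout."""
    return [Tick(t, not (start <= t < start + gap), 0.1, 0.0)
            for t in range(n)]


def missing_command_cycles(outputs: List[Optional[float]]) -> int:
    """Cycles in which the actuators received no command at all."""
    return sum(1 for cmd in outputs if cmd is None)


if __name__ == "__main__":
    for name, ticks in [("heartbeats stop", heartbeats_stop()),
                        ("heartbeats continue", heartbeats_continue()),
                        ("3-cycle dropout", heartbeat_dropout(gap=3)),
                        ("5-cycle dropout", heartbeat_dropout(gap=5))]:
        relay = HeartbeatRelay()
        out = run(relay, ticks)
        print(f"{name}: final source={relay.source}, "
              f"cycles without command={missing_command_cycles(out)}")
```

The second scenario is the FHA row “Failure to detect Main Computer failure”: a heartbeat-only monitor never switches, so the actuators go without commands for the rest of the run, while the fourth scenario is the “switches incorrectly to Backup Controller” event and shows why the timeout has to be weighed against link dropout behaviour.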
Strategy for showing compliance
 Today: No Certification basis for unmanned aircraft
 The “5-year plan”:
1. Demonstrate product
2. FAA cooperation
3. Initial NPRM
4. Amendments to FARs
5. Start formal Certification process
Certification Plan
[Schedule chart with Year 1 column and milestone markers; slide residue. Activities listed:]
- Application to FAA
- Develop. Certification Basis
- GCP Develop.
- Cert. Schedule Develop.
- Initial Type board meeting
- Test Plan Submittal
- GCP Review and Approval
- Interm. Type board meeting
- Drawing Release
- Prototype 1 Fab/Assemble
- Prototype 1 1st FLT
- Envelope expansion
- Load level survey
- Systems/Weather/Lightning
- Prototype 2 Fab/Assemble
- Prototype 2 1st FLT
- Envelope expansion
- Performance & HQ
- Mod into GTV
- GTV Ground Tests
- Rotor & XMSN Bench Test
- Static tests
- Final Type Board Meeting
- Certification
Notes on the slide:
 GTMax is already flying
 Structure is not so expensive
 Tests for Autonomous flight & Control system
Conclusions
 Summary
 Further study
What was accomplished
 Suggested Certification basis
 Functional Analysis, FHA, PSSA
 Quantified System Reliability
 Considered Human Factors
 Developed fault tolerant flight control
 Proposed strategy for compliance
Further Study
 Current work to include UAVs in FARs
 Obtain more accurate failure rates
 Analysis for aircraft level reliability
 Complete safety assessment process on all aircraft systems
 Develop systems through operational experience
Questions ?
Thank you