Validating a Hamilton-Jacobi Approximation to Hybrid System

Embedded control for aircraft systems
Claire J. Tomlin
with Ian Mitchell, Alex Bayen, Meeko Oishi, Rodney Teo, and Jung Soon Jang
Aero/Astro, Stanford and EECS, Berkeley
August 2005
Fighter Avionics Domains
(diagram of avionics domains: Stick/Throttle, Actuators, Vehicle Mgmt, Nav Sensors, Weapons, Mission Computing, Weapon Mgmt, Radar, Data Links)
[from Dave Sharp, Boeing]
Mission Computing: Example Functionality
(diagram of functions around Mission Computing, each marked periodic or aperiodic: Update Steering Cues, Perform Built-In-Test, Activate Backup Mode, Fuse Targets From Sensors, Update Navigation State, Release Weapons, Select Weapons, Predict Selected Weapon Trajectories, Fuse Targets From Data Links, Update Displays, Modify Display Suite Via Pilot Pushbutton)
[Dave Sharp, Boeing, 2002]
Vehicle Management: Example Functionality
(diagram of functions around Vehicle Mgmt, each marked periodic or aperiodic: Compute Inner Loop Controls, Compute Outer Loop Controls, Perform Initiated Built-In-Test, Perform Periodic Built-In-Test, Manage Control Modes, Update Navigation State, Manage Redundancy, Perform Input Signal Mgmt, Perform Actuator Signal Mgmt)
[Dave Sharp, Boeing, 2002]
Typical Mission Computing Legacy Characteristics
• <=20 Hz Update Rates
• Up To 10 CPUs
• ~1M Lines of Code
– O(10^3) Components
• Proprietary Hardware
– Slow CPU, small memory
– Fast I/O
• Test-Based Verification
• Mil-Std Assembly Language
• Highly Optimized For Throughput and Memory
• Functional Architectures
– Flowchart designs
• Frequently No Maintained Requirements or Design
– Ad-hoc models used by algorithm developers
• Hardcoded Hardware-Specific Single System Designs
• Isolated Use Of
– Multi-processing
– Schedulability analysis
• Frequently overly pessimistic to be used
[Dave Sharp, Boeing, 2002]
Typical Vehicle Management Legacy Characteristics
Additional Characteristics
• 80/160 Hz Update Rates
• Single CPU System / Quad Redundant
• Dual/Quad Redundant Sensors and Actuators
• <100K Lines of Code
• Extensive Built-In-Test
– >50% of code
• Extensive Testing
– Very conservative development culture
– >50% of effort
• Control System Models Carefully Developed And Used
– Home grown
– Matlab/MatrixX with auto code generation
[Dave Sharp, Boeing, 2002]
Outline
• Hybrid model of the physical system
• Reachability
– Reachable Set Toolkit
• Collision Avoidance System
– Dual aircraft demonstration
• User interaction with hybrid systems
– Autoland demonstration
• Software?
Objectives
A: Control design using hybrid system models
B: Embedded software design
Hybrid Systems
(diagram: modes q1 … qn connected by transitions labelled s, d and g)
• Finite state machine with continuous dynamics in each mode
• Transitions can be
– User-controlled s
– Disturbance d
– Automatic g
Verification through Reachability
Verification: a mathematical proof that the system satisfies a property
(diagram: Initial set and Unsafe set)
1. Reachable set: states for which the property does not hold
2. Controller synthesis: design of control laws to guarantee that the system satisfies the property
Reachable Set Interpretation
1. Always remain outside Unsafe set
• States in Reachable set will eventually reach Unsafe set (despite any possible control effort)
(diagram: Unsafe set, Reachable set, Safe set)
2. Always remain inside Initial set
– States in the Safe set will always remain in Initial set provided a particular control is used on the boundary
(diagram: Initial set, Reachable set, Safe set)
Hybrid System Reachability Tool
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
Application: conflict detection
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
[with Chad Jennings]
Blunder Zone is shown by the yellow contour. Red Zone in the green tunnel is the intersection of the BZ with approach path. The Red Zone corresponds to an assumed 2 second pilot delay. The Yellow Zone corresponds to an 8 second pilot delay.
Map View showing a blunder. The BZ calculations are performed in real time (40 Hz) so that the contour is updated with each video frame.
Stanford DragonFly UAV Embedded S/W
Test set up (diagram: Blunderer (D2), Evader (D3), Danger Zone, East/North axes)
Blunderer can commence any maneuver constrained by
D3 flight computer computes the Danger Zone and checks whether it touches boundaries.
The algorithm provides control commands (three canned maneuvers) to maintain a minimal separation distance:
• EVADE_ACCEL_STRAI
• EVADE_ACCEL_45DEG
• EVADE_COAST_60DEG
Flight Demo 1—June 2003: Accelerate and turn EEM
(plots: North (m) vs East (m) trajectories, with the evader DF 2 shown as the red and yellow aircraft; separation distance (m) vs time (s), with the EEM alert and the "above threshold" region marked)
DF 2, the evader, is the larger blob
Put video here
Flight Demo 2—June 2003: Coast and turn EEM
(plots: same layout as Demo 1)
DF 2, the evader, is the larger blob
Put video here
Edwards Air Force Base – June 2004
T-33 Cockpit
[DARPA/Boeing SEC Final Demonstration: F-15 (blunderer), T-33 (evader)]
(diagram of maneuver options for the deviated aircraft and the intruder: hold, avg. speed, min. speed, max. speed, detour, shortcut, VFS, alt. change)
Development of Predictive Models of Air Traffic
…leading to new control strategies
• Approximation algorithms for hybrid trajectory optimization
• Applied to routing/scheduling aircraft in vicinities of airports
• Results:
– 5-approximation for minimum sum of arrival times
– 3-approximation for makespan
(plots: polynomial time algorithm vs. CPLEX, 6 aircraft and 15 aircraft cases)
Outline
• Hybrid model of the physical system
• Reachability
– Reachable Set Toolkit
• Collision Avoidance System
– Dual aircraft demonstration
• User interaction with hybrid systems
– Autoland demonstration
• Writing the software
User Interaction with Aerospace Systems
• Interaction between
– System’s dynamics
– Mode logic
– User’s actions
• Interface is a reduced representation of a more complex system
• Too much information overwhelms the user
• Too little can cause confusion
– Automation surprises
– Nondeterminism
For complex, highly automated, safety-critical systems, in which provably safe operation is paramount, what information does the user need to safely interact with the automated system?
Discrete Abstraction
Switches are controlled or automatic
Application to Autoland Interface
• Controllable flight envelopes for landing and Take Off / Go Around (TOGA) maneuvers may not be the same
• Pilot’s cockpit display may not contain sufficient information to distinguish whether TOGA can be initiated
(diagram, existing interface: modes flare (flaps extended, minimum thrust), TOGA (flaps retracted, maximum thrust), rollout (flaps extended, reverse thrust); the intersection with the controllable TOGA envelope is shown)
(diagram, revised interface: modes flare (flaps extended, minimum thrust), TOGA (flaps retracted, maximum thrust), rollout (flaps extended, reverse thrust), slow TOGA (flaps extended, maximum thrust); the controllable flare envelope is shown)
http://www.cs.ubc.ca/~mitchell/ToolboxLS/
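The two reachable-set interpretations from earlier in the deck (states that will reach the Unsafe set despite any control, and the Safe subset of the Initial set that a control applied on the boundary keeps there) together with the interface question on this slide (does the display let the pilot tell apart states from which a maneuver can be initiated), worked on a finite abstraction as an added example. This is not code from the talk or from ToolboxLS: the two-mode cruise/evade separation model, its control and disturbance alphabets, the set bounds and the display functions are all constructed assumptions, and the toolbox's level-set computation is replaced by a fixed-point iteration over discrete states.

```python
# Added example (not from the talk or ToolboxLS): game-theoretic reachability on a
# constructed finite abstraction of a two-mode separation model, plus a check of
# whether a reduced display distinguishes safe from unsafe states.
# state = (x, q): x = discretized separation from the intruder (0 = loss of
# separation), q = mode. The control acts on the mode; the disturbance d is the
# intruder's motion, which the controller cannot predict.
XMAX = 6
MODES = ("cruise", "evade")
DIST = (-1, 0, 1)                                   # assumed disturbance alphabet
STATES = [(x, q) for x in range(XMAX + 1) for q in MODES]
UNSAFE = {(0, q) for q in MODES}                    # separation exhausted
INITIAL = {(x, q) for x in range(2, XMAX + 1) for q in MODES}   # "stay at x >= 2"

def controls(state):
    """Control alphabet available in each mode (assumed)."""
    return ("hold", "switch") if state[1] == "cruise" else ("open",)

def step(state, u, d):
    """One-step transition: 'evade' adds one unit of separation per step."""
    x, q = state
    if q == "cruise":
        q2, x2 = ("evade" if u == "switch" else "cruise"), x + d
    else:
        q2, x2 = "evade", x + 1 + d
    return (min(max(x2, 0), XMAX), q2)

def unavoidable_reach(unsafe):
    """Interpretation 1: states from which the disturbance can force entry into
    `unsafe` whatever control is applied (fixed point of 'for all u, exists d')."""
    reach = set(unsafe)
    while True:
        new = {s for s in STATES if s not in reach and
               all(any(step(s, u, d) in reach for d in DIST) for u in controls(s))}
        if not new:
            return reach
        reach |= new

def controlled_invariant(target):
    """Interpretation 2: largest subset of `target` that some control keeps inside
    `target` under every disturbance, returned with the set-valued feedback law
    (the controls admissible in each safe state)."""
    safe = set(target)
    while True:
        law = {s: [u for u in controls(s)
                   if all(step(s, u, d) in safe for d in DIST)] for s in safe}
        shrunk = {s for s, us in law.items() if us}
        if shrunk == safe:
            return safe, law
        safe = shrunk

def ambiguous_readouts(safe, display):
    """Display readouts under which a safe and an unsafe state look identical,
    i.e. the display does not carry enough information to decide."""
    by_readout = {}
    for s in STATES:
        by_readout.setdefault(display(s), set()).add(s in safe)
    return {r for r, verdicts in by_readout.items() if len(verdicts) == 2}

if __name__ == "__main__":
    print("unavoidable:", sorted(unavoidable_reach(UNSAFE)))
    safe, law = controlled_invariant(INITIAL)
    print("safe:", sorted(safe))
    print("law at (3, 'cruise'):", law[(3, "cruise")])
    print("x-only display ambiguous at:", ambiguous_readouts(safe, lambda s: s[0]))
    print("x+mode display ambiguous at:", ambiguous_readouts(safe, lambda s: s))
```

In this abstraction only (2, cruise) is dropped from the Initial set: evading from x = 2 already outruns the worst intruder move, but a cruising aircraft at x = 2 cannot switch fast enough. A display showing separation alone therefore reads "2" for both a safe and an unsafe state, which is the autoland slide's point in miniature; showing the mode as well removes the ambiguity, and the returned law is the set-valued controller the Summary refers to.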
A Decision Theoretic QoS Negotiation
Worst case execution time of components is neither given nor guaranteed. Depending on the mode of flight, components (Nav, Control, Wireless) can take on different levels of criticality and different execution times.
(diagram: a worker task synchronised through CondVar, CondWait and IntrWait with an Event(); a timeline of Task 1 … Task 5 released at t1 … t5 between t+nT msec and the deadline t+nT+Di msec)
Each task is “tagged” with a cost – a measure of criticality
QoS Negotiation …as a dynamic programming problem
(diagram: decision tree over tasks and execution levels, e.g. Task 1 f1, Task 2 f1–f3, Task 3 f1–f4, Task 5 f1, with the stages numbered 1–9)
SCHEDULABILITY: Comparison with Simple Rate Monotonic Scheduling
(pie charts: schedulability of tasks using the proposed scheduling algorithm vs. schedulability of tasks using a simple RMS; segments labelled by execution time from 1.0 ms to 80.0 ms, with shares 88.5%, 73.5%, 18.5%, 8.0%, 6.5%, 3.5%, 1.5%, 0.6% and 0.4%)
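The rate-monotonic baseline that the comparison above measures against, and the QoS negotiation as a choice of execution level per task, as an added example that is neither the talk's scheduling algorithm nor its dynamic program. Periods, execution times and criticality values are constructed (the 160 Hz, 80 Hz and 20 Hz rates echo the legacy characteristics slides); the sufficient test is the Liu and Layland utilization bound, the exact test is response-time analysis, and the negotiation is done by exhaustive search over execution levels instead of dynamic programming so the selection criterion stays visible.

```python
from itertools import product

# Added example (not the talk's scheduler): rate-monotonic schedulability checks and a
# brute-force form of the QoS negotiation. Times are integers in units of 0.25 ms, so a
# period of 25 is 6.25 ms (160 Hz), 50 is 12.5 ms (80 Hz), 200 is 50 ms (20 Hz).
# Every task set and value below is constructed for the example.

def ceil_div(a, b):
    return -(-a // b)

def rm_utilization_bound(n):
    """Liu & Layland sufficient bound: n tasks are RM-schedulable if U <= n(2^(1/n) - 1)."""
    return n * (2 ** (1 / n) - 1)

def utilization(tasks):
    return sum(c / t for c, t in tasks)

def response_time(tasks, i):
    """Exact worst-case response time of tasks[i] (tasks sorted by period, deadline =
    period), or None when it can exceed the period. Interference comes from every
    higher-priority (shorter-period) task j: ceil(R / T_j) * C_j."""
    c_i, t_i = tasks[i]
    r = c_i
    while True:
        r_next = c_i + sum(ceil_div(r, t_j) * c_j for c_j, t_j in tasks[:i])
        if r_next > t_i:
            return None
        if r_next == r:
            return r
        r = r_next

def rm_schedulable(tasks):
    """Exact rate-monotonic test: every task meets its period-deadline."""
    tasks = sorted(tasks, key=lambda ct: ct[1])
    return all(response_time(tasks, i) is not None for i in range(len(tasks)))

# Constructed task sets as (C, T). The first exceeds the utilization bound yet passes
# the exact test; the second stays below U = 1 and still misses a deadline, which is
# why a utilization-only check is either pessimistic or unsafe.
PASSES_RTA = [(10, 25), (12, 60), (40, 200)]
MISSES_DEADLINE = [(10, 25), (12, 60), (75, 200)]

def negotiate(task_options):
    """QoS negotiation by exhaustive search (the talk formulates it as dynamic
    programming): task_options = [(period, [(C, value), ...]), ...]. Pick one
    execution level per task so the set stays RM-schedulable and the summed
    criticality value is maximal. Returns (value, [chosen C per task]) or None."""
    best = None
    for choice in product(*[levels for _, levels in task_options]):
        tasks = [(c, t) for (t, _), (c, _) in zip(task_options, choice)]
        if not rm_schedulable(tasks):
            continue
        value = sum(v for _, v in choice)
        if best is None or value > best[0]:
            best = (value, [c for c, _ in choice])
    return best

# Constructed options: Nav fixed; Control and Wireless each offer a cheap level and a
# richer, more valuable one. Both rich levels together would miss the 20 Hz deadline.
OPTIONS = [(25, [(10, 5)]), (60, [(12, 4), (20, 6)]), (200, [(40, 2), (75, 5)])]

if __name__ == "__main__":
    print("U =", round(utilization(PASSES_RTA), 3), "bound =", round(rm_utilization_bound(3), 3))
    print("exact test:", rm_schedulable(PASSES_RTA), rm_schedulable(MISSES_DEADLINE))
    print("negotiated:", negotiate(OPTIONS))
```

With these numbers the utilization bound for three tasks is about 0.78, so the first set (U = 0.8) would be rejected by the bound alone but passes the exact test with a worst-case response of 114 units (28.5 ms) for the 20 Hz task; the second set (U = 0.975) fails the exact test. The negotiation keeps the richer Control level and the cheap Wireless level, the best total value among the schedulable combinations.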
Summary
• The development of a reach set toolkit for hybrid systems:
– Software C++: http://www.cs.ubc.ca/~mitchell/ToolboxLS/
• The toolkit can be useful for determining when (not) to switch modes, which mode(s) to switch to, and provides a set-valued feedback control law to remain in safe set
• A modern embedded control systems theory should include mathematical models of attributes of computational systems such as concurrency, hierarchy, heterogeneity, resource awareness, adaptability, quality of service (QoS), and controlled complexity of distributed systems.
Collaborators
Stanford Hybrid Systems Lab: Ian Mitchell, Alex Bayen, Inseok Hwang, Meeko Oishi, Rodney Teo, Jung Soon Jang, Gökhan Inalhan, Ronojoy Ghosh, Hamsa Balakrishnan, Keith Amonlirdviman, Robin Raffard, Gabe Hoffmann, Kaushik Roy, Peter Brende, Steve Waslander, Dušan Stipanović, Sriram Shankaran, Jianghai Hu
NASA: George Meyer, Len Tobias
Boeing: David Corman, Jim Paunicka, Don Winter
Honeywell: Datta Godbole, Tariq Samad
DARPA: John Bay
NSF: Helen Gill, Kishan Baheti
ONR: Behzad Kamgar-Parsi