FLIGHT GUARDIAN: A COMMON AVIONICS ARCHITECTURE FOR COLLISION AVOIDANCE AND SAFE EMERGENCY LANDING FOR UNMANNED AERIAL SYSTEMS Dr. Luis Mejias Mr. Duncan Greer
Australian Research Centre for Aerospace Automation Queensland University of Technology, Brisbane, Australia
Outline • Introduction & Background • Dependability in UAS • UAS capabilities – Sense and avoid – Automated Emergency Landing – Common requirements
• Proposed certification approach • Summary 2
Introduction • Significant challenges facing widespread adoption of Civilian UAS: – Demonstration of at least ELOS to manned aircraft
• What is ELOS? – Regulations that define the operational and technical requirements are not yet in place and thus UAS cannot be fully integrated into the NAS
• Cost drivers in Civil UAS – Many civil UAS applications compete directly with existing conventional aircraft capability – For small-medium UAS, cost per flight hour needs to be < O~$500
3
DEPENDABILITY IN UAS
Dependability is the property of a system that leads to the degree of trust that a user can place in the system to perform its intended function without causing undue hazards to itself, its users or its environment.
4
DEPENDABILITY IN UAS • Attributes of Dependability – (Laprie Model) – – – – – –
Availability Reliability Safety Confidentiality Integrity Maintainability
• Impairments – Faults, errors and failures
• Means – Fault prevention, tolerance, removal and forecasting
5
SAFETY • Should be inherent in the air-vehicle • Should be independent of any external system or signal • Not reliant on off-board systems • Not reliant on a Human-in-the-loop • Not reliant on data links
6
Key Capabilities • Sense and Avoid – The capability to sense other aircraft and avoid a collision autonomously • Automated Emergency Landing – The capability to safely recover the aircraft to an unpopulated area in the event that continued safe flight and landing is not possible Must be self-contained (i.e. not rely on data link or human-in-the-loop)
7
SENSE AND AVOID •Vision-based EO Sensor •Real-time processing •Autopilot-coupled
8
SAA TRADE-OFFS • Spatial Resolution vs Detection Range • False Alarm Rate vs Detection Range • Higher spatial resolution -> higher detection range at cost of narrower Field of View or Higher processing cost (SW&P) • Lower false alarm rate -> lower detection range • False Alarm Rate O~0.1 - 1.0 per flight hour might be acceptable
9
SAMPLE DATA – EASY TARGET Source: Lai, J.S. et al “Field-of-view, detection range, and false alarm trade-offs in vision-based aircraft detection “
SAMPLE DATA – CHALLENGING TARGET Source: Lai, J.S. et al “Field-of-view, detection range, and false alarm trade-offs in vision-based aircraft detection “
IMAGE ARTEFACTS AND GROUND CLUTTER Source: Lai, J.S. et al “Field-of-view, detection range, and false alarm trade-offs in vision-based aircraft detection “
IMPACT OF IMAGE RESOLUTION Lower confidence
Higher confidence
• Illustration of field of view vs. detection distance trade-off • Smaller pixel density (degrees FOV per pixel) allow further detection distances (dashed line indicates high confidence detections; solid line indicates lower confidence detections) Source: Lai, J.S. et al “Field-of-view, detection range, and false alarm trade-offs in visionbased aircraft detection “
DETECTION VERSUS FA TRADE-OFF
Source: Lai, J.S. et al “Field-of-view, detection range, and false alarm trade-offs in vision14 based aircraft detection “
SAA VIDEO
15
SAA REQUIREMENTS • What is the required – FOV ? – Detection Range / Time ? – False-Alarm Rate ? – Aircraft Control ?
• Certification – ELOS? or GLOS? – Failure Condition Classification – Development Assurance Level 16
Automated Emergency Landing • Automated Emergency Landing – Safe Emergency Landing is a critical function that is typically triggered by an unscheduled event in flight. – Is most commonly attributed to an engine failure, low fuel state, loss of navigation, or adverse weather.
• Required for flight over Populated Areas
17
AEL REQUIREMENTS •Site Selection •Size, shape, surface, slope, civilisation •Decision Making •Guidance •Navigation •Control •Final approach obstacle avoidance
18
AELS – CHALLENGING ENVIRONMENTS
19
AEL REQUIREMENTS • No known certification standards published or under development • Same questions as SAA – ELOS/GLOS determination? – Failure Condition Classification – Development Assurance Levels
20
Common Functions • Common functionalities for sense-and-avoid, and forced landing – Navigation, monitoring, decision-making and control are generic functionalities that, to some extent, are present in any autonomous aircraft.
• Use of a common EO sensor and processing capability for these functions reduces SW&P footprint 21
FLIGHT GUARDIAN COMMON ARCHITECTURE • • • • •
Dedicated EO Sensor Graphics Processor Unit (GPU) Decision Making Agent GNC Processor High Speed FMS/Autopilot Interface
22
Proposed Certification Approach • It is critical to derive requirements so that they may be certified for use in Civil Aircraft • We apply the concept of the Aircraft Certification Matrix (ACM) to define the system Development Assurance Levels (DAL) and architecture requirements in accordance with acceptable risk criteria. 23
Aircraft Certification Matrix
24
ACM – CANDIDATE AIR VEHICLE CLASSIFICATIONS • Subject of Current Work • E.g. Mass and/or KE – Small < 25kg, < 30 kts – Medium < 150kg, < 100 kts – Large > 150 kg
25
ACM – CANDIDATE OPERATING AREA CLASSIFICATION • Ground Environment – Unpopulated – Sparsely Populated – Moderately Populated – Densely Populated
• Air Environment – Class A – Class B – Class C – Class D – Class E – Class G
26
ACM – CANDIDATE CERTIFICATION CATEGORIES • • • • •
Cert 0 : Almost Zero Risk, ‘Don’t Care’ category Cert 1 : Minor - Distress or Injury Cert 2 : Major - Physical Distress or Injury Cert 3 : Hazardous - Serious or Fatal Injury Cert 4 : Catastrophic - Multiple Fatalities
27
CERTIFICATION ALLOCATION
28
ASSIGNMENT OF DAL
29
ASSIGNMENT OF DAL
30
Summary • We have examined common features between onboard functions to propose certain guidelines in the design of the system. • We assessed the safety, dependability and risk to derive requirements using an Aircraft Certification Matrix to define the system Development Assurance Level (DAL). • Flight Guardian provides a unified sensing and processing architecture enabling sense-and-avoid and automated forced landing functions for an UAS. • The certification approach applied in this work allows the designer to determine the required level of system development assurance for the system. • This allows system architects the flexibility in configuring Flight Guardian for a particular operational profile (certification category). Therefore the implementation cost and certification burden is commensurate with the safety risk posed by the particular operation. 31
Questions ARCAA W: www.arcaa.net P: +61(0)7 3138 1537 A: 22-24 Boronia Rd, Brisbane Airport, 4008 Luis Mejias E:
[email protected]
Duncan Greer E:
[email protected]
32
Acknowledgement
This research was supported under the Australian Research Council DECRA funding scheme (Project No. DE120100802).
33
