Dynamic Probabilistic Risk Assessment of Unmanned ...

Dynamic Probabilistic Risk Assessment of Unmanned Aircraft Adaptive Flight Control Systems Mohammad Hejase1, Arda Kurt2, Tunc Aldemir3, and Umit Ozguner4 The Ohio State University, Columbus, Ohio, 43210 Sergio B. Guarro5 and Michael K. Yau6 ASCA, Inc., Redondo Beach, California, 90277, USA Matt D. Knudson7 NASA Ames Research Center, Moffett Field, California, 94035, USA

There is a great demand for risk assessment tools and techniques that can ensure safe and robust performance of an Unmanned Aircraft System (UAS) equipped with adaptive elements in missions involving multiple phases with uncertain system or operational conditions. A dynamic probabilistic risk assessment scheme involving multiple phase-specific implementations of a Backtracking Process Algorithm (BPA) based on a Markov Cell-to-Cell Mapping Technique is proposed for risk-informed identification of scenarios involving UAS control systems with adaptive control elements operating in the National Airspace. A UAS adaptive flight control system with the capability of handling variations in the flight dynamics and flight systems domain is used as a case study. Aircraft icing is taken as a varying component in the flight dynamics domain, while the engine state is taken as a varying component in the flight systems domain. The consequence of interest in the case study is taken to be a UAS failing to complete flare during landing. Multiple BPA instances are defined and implemented for cruise, initial descent, final descent, and flare phases in the proposed case study. The results of the implementations are integrated together to allow for efficient tracing of fault propagation throughout the system, and quantification of probabilistic system evolution in time.

I. Introduction

T

echnological advances and innovations in the aerospace industry have led to the creation of more efficient and capable systems. Recently, the trend had been the migration to Unmanned Aircraft Systems (UASs) that have the intelligence to act and react under certain well known and commonly encountered scenarios. Such scenarios could possibly include encountering other UAS, or experiencing varying weather conditions. These advances, however, have imposed the need of increased integration, interdependence, and complexity, creating demand for Validation and Verification (V&V) tools and techniques that can ensure safe and robust performance of such systems. Ensuring safe and robust performance involves two main challenges. The first is being able to identify and rank the risks and hazards that a system is prone to encounter, and the second is identifying the sequences of events leading to the hazards of interest1. This paper focuses on the second challenge. Traditional risk assessment tools such as Failure Modes and Effects Analysis, Fault Tree Analysis and Event Tree Analysis have challenges when implemented on systems that have complex interactions among the epistemic and aleatory uncertainties in their behavior2. Emerging and more advanced methods for risk assessment are mostly being developed for the purpose of analysis and detection of “Near Mid-air Collisions”3-8. There is little research on the development of tools that can generically and quantitatively assess 1

Graduate Research Associate, Department of Electrical and Computer Engineering, 2015 Neil Ave, Student Member. Research Assistant Professor, Department of Electrical and Computer Engineering, 2015 Neil Ave. 3 Professor, Department of Mechanical and Aerospace Engineering, 201 W 19th Ave. 4 Professor Emeritus, Department of Electrical and Computer Engineering, 2015 Neil Ave. 5 President, 1720 S. Catalina Avenue, Suite 220. 6 Research Scientist, 1720 S. Catalina Avenue, Suite 220, Senior AIAA Member. 7 Research Computer Scientist, Intelligent Systems Division, Mail Stop 269-2. 1 American Institute of Aeronautics and Astronautics 2

risks and hazards across multiple and varying phases of UAS missions based on varying system dynamics and configuration. The majority of intelligent and adaptive behavior is accounted for in the design and analysis of the flight dynamics and flight systems domains9 of UAS. The flight dynamics domain covers UAS interaction with its environment. The flight systems domain includes hardware or software components such as the Guidance, Navigation, and Control (GNC) software. Adaptive elements are being included in UAS in order to respond to the dynamic changes a UAS may encounter in its flight dynamics or flight systems domain during flight. Such elements are mostly incorporated in the GNC component of the UAS. The GNC software mainly includes two levels of system control, the Flight Executive, and the Autopilot10. The Flight Executive is responsible of high level decision making, and steering the UAS from one operational state to another. The Autopilot is responsible of controlling the UAS states via reaching set-points issued by the Flight Executive. Adaptive elements in the Flight Executive can include transitions to safe operational states, or issuing different sets of gains of parameters to the UAS. Adaptive elements in the Autopilot can include measures for compensating and adapting to parametric or aerodynamic uncertainties. Model Based Designs (MBDs) provide effective means in the V&V process for efficient and comprehensive safety assurance for adaptive and dynamic elements of UAS. Such designs eliminate infeasible and impractical testing over extensive distances in various environments and locations. Several Dynamic Probabilistic Risk Assessment (DPRA) methods that utilize MBD of systems have been developed over the years2. These methods offer an increase in realism of modeling of stochastic system evolution in quantifying risk. Additionally, they are capable of providing frameworks that consider epistemic and aleatory uncertainties in physical processes and system safety responses on a common computational platform, making them suitable to use in V&V of UAS control systems containing adaptive and dynamic elements. The Backtracking Process Algorithm (BPA)11 is a DPRA method which is being applied within the context of a multi-step structured and risk-informed UAS control system design V&V framework developed under the sponsorship of the NASA Ames Research Center12. The method is based on a deductive and memory efficient implementation of Markov Cell-to-Cell Mapping Technique (Markov/CCMT)13,14, and its algorithm is deductive in the sense that event sequences leading to specified undesirable consequences (Top Events) are identified. The BPA can be thought of as a search tree that uses probabilistic map of the system state-space onto itself. This search tree structure is achieved by recursive enumeration of sub-trees from the Top Event and the traversal of possible paths through a branching process. In order to avoid computational explosion, only risk significant scenarios with probabilities above a user-specified cut-off value are identified. In the context of this paper, we seek to utilize multiple phase-specific and integrated BPAs to provide a safety assurance case for a UAS adaptive flight control system that has the capability of handling variations in both flight dynamics and flight systems domains. A case study is presented, with aircraft icing being taken as a varying component in the flight dynamics domain, while engine state is taken as a varying component in the flight systems domain. A scenario is constructed for a UAS performing a land maneuver starting from a cruising state, while being prone to icing conditions, and degradations in engine performance, possibly due to icing. Two adaptive flight control system elements are introduced in order to compensate for the described component variations. The first is a rulebased adaptive flight executive is introduced to transit the UAS to safe states under possibly degraded control surfaces. This adaptive controller aims at issuing trim points and controller gains that lie within control surfaces capabilities to the Autopilot. The second adaptive controller is implemented in the Autopilot, and is capable of accounting for parametric uncertainties and variations in the aerodynamic coefficients. Section II of the paper overviews the BPA. Section III of the paper describes the proposed case study, and the associated adaptive controllers. Section IV of the paper discusses the assurance scheme for the proposed control systems. Section V presents the BPA implementation and results. Section VI gives the conclusion of the study.

II. The BPA Section II.A presents an overview of BPA and Markov/CCMT, along with the required assumptions. In Section II.B, system discretization into a cell space is described. Section II.C describes cell-to-cell transition probability calculation. An equal weight quadrature scheme that can be used for this purpose is presented in Section II.D. A. BPA and the Markov-Cell-to Cell-Mapping Technique Markov/CCMT is a methodology proposed to quantify system reliability and safety under uncertainties13,14. The BPA is a memory efficient and deductive implementation of Markov/CCMT. The algorithm is deductive in a sense that event sequences leading to specified undesirable consequences (Top Events) are identified. The BPA can be thought of as a search tree that uses probabilistic map of the system state-space onto itself. This search tree structure 2 American Institute of Aeronautics and Astronautics

is achieved by recursive enumeration of sub-trees from the Top Event(s) and the traversal of possible paths through a branching process. The algorithm also prevents the occurrence of a computational explosion by only considering scenarios that occur with a greater probability than a user defined cut-off value. BPA allows dynamic tracing of fault propagation through the system via the quantification of probabilistic system evolution in time. The technique has been demonstrated on process control systems15, and recently on Unmanned Aircraft Systems (UAS)11,12 as part of a project in the National Aeronautics and Space Administration (NASA) System Wide Safety Assurance Technologies (SSAT) initiative. The algorithm is capable of accounting for nonlinear system dynamics, configuration, and uncertainties. System evolution in time is represented through a series of discrete-time transitions among computational cells that partition the system state-space in a manner similar to finite element or finite difference methods. Each cell can be regarded as accounting for the uncertainty in the system location in the state space at a given point in time. A transition probability from one system cell to another is determined via system dynamics, controller behavior, or system constituent malfunction. Such transitions produce a probabilistic mapping of the system state-space onto itself, including system hardware normal or faulted states, over a user defined time-step 𝛥t. Two assumptions are placed on the system of interest in order to employ Markov/CCMT: 1) The system configuration is fixed over the time interval [𝑡, 𝑡 + 𝛥𝑡), but can change at 𝑡 + 𝛥𝑡. 2) Transitions among cells or hardware states do not depend on system history. The first assumption means that the system components can only fail or change their mode of operation once during the interval Δ𝑡. Through small enough selection of the time-step Δ𝑡 (possibly by progressive reduction), the system configuration changes and the probabilities of change can be modeled and captured in a verifiable manner. The second assumption implies that the system has Markov property. However, as well known, the second assumption can be relaxed via the use of a sufficient number of auxiliary variables. The theoretical basis of the backtracking process is presented by Yang and Aldemir5. A flowchart of the backtracking algorithm can be seen in Fig. 1. More details on the implementation of BPA on UAS Flight Control Systems can be seen in previously published work 11.

Figure 1.

BPA Flowchart11

B. System Discretization Let 𝒳 ≜ ℝ𝐿 denote the 𝐿-dimensional state space of continuous system variables and 𝒩 ≜ ℤ𝑀 the 𝑀-dimensional discrete state space of the system components. The space 𝒳 ≜ ℝ𝐿 is discretized by partitioning each continuous variable 𝑥𝑙 ϵ 𝒳 (𝑙 = 1, … , 𝐿) into intervals of 𝐽𝑙 partitions and considering combinations of those partitions to form the cells. Knowledge of the state-space upper bounds 𝑥, and lower bounds 𝑥 of interest is required for the partitioning. 3 American Institute of Aeronautics and Astronautics

The cells can be regarded as means to accommodate epistemic uncertainties (such as model uncertainties) or aleatory uncertainties (such as process noise and minor environmental disturbances). The possible states of each component 𝑀 of interest are then defined (e.g. operational, degraded, failed), with each Component m, having 𝑁𝑚 possible states 𝑛𝑚 (𝑚 = 1, … , 𝑀). The unique combinations of the partitioned 𝒳 ≜ ℝ𝐿 along with the discrete system component configurations forms the complete discrete state-space (cell space) of the system, denoted by 𝒱. Each cell in the cell space is represented by an (𝐿 + 𝑀) dimensional vector [𝐣 𝐧] ≡ [𝑗1 , … , 𝑗𝑙 , ⋯ , 𝑗𝐿 , 𝑛1 , … , 𝑛𝑚 , ⋯ , 𝑛𝑀 ], where ( 𝑗𝑙 = 1,2, … , 𝐽𝑙 ; 𝑙 = 1, … , 𝐿) enumerate the partitioning of the interval 𝑥𝑙 ≤ 𝑥𝑙 < 𝑥𝑙 , and 𝑛𝑚 represents the state of Component 𝑚 (𝑛𝑚 = 1, … , 𝑁𝑚 ; 𝑚 = 1 , … , 𝑀) as indicated earlier. The cell

Figure 2. An Example Cell Space11 space 𝒱 thus is composed of 𝐽 × 𝑁 unique cells with 𝐽 = 𝐽1 × ⋯ × 𝐽𝐿 and 𝑁 = 𝑁1 × … × 𝑁𝑀 . An example cell space is illustrated in Fig. 2. C. Cell-to-Cell Transition Probability Calculation Using the Markov property, and as derived in the work of Aldemir13, the transition probabilities among the cells over a single time-step transition 𝛥t can be calculated from 𝑞(𝒋, 𝐧| 𝐣′, 𝐧′, Δt) = ℎ(𝐧|𝐧′, 𝐣′ → 𝐣, 𝛥𝑡) × 𝑔(𝐣|𝐣′ , 𝐧′, 𝛥𝑡) (1) ′ where 𝑔(𝐣|𝐣 , 𝐧′, 𝛥𝑡) represents the transition probability from cell 𝐣′ to 𝐣 over 𝛥t under configuration 𝐧′, and ℎ(𝐧|𝐧′, 𝐣′ → 𝐣, 𝛥𝑡) quantify the transition probabilities among system components over 𝛥t. For each component of interest 𝑚, a component state transition probability matrix containing all possible component state transitions ℎ(𝐧|𝐧′, 𝐣′ → 𝐣, 𝛥𝑡) is constructed. These probabilities can be based on hardware component data, such as failure rates, or expert opinion in the absence of reliable data. Using the Chapman-Kolmogorov equation under the assumptions stated in Section II.A, the system cell-to-cell state transition probabilities 𝑔(𝐣|𝐣′ , 𝐧′, 𝛥𝑡) over a single time-step can be found from13 𝑔(𝐣|𝐣′ , 𝐧′, 𝛥𝑡) =

1 ∫ 𝑑𝑥′ 𝑢𝐣 [𝐱(𝐱 ′ , 𝐧′ , 𝛥𝑡)] 𝑣𝒋′ 𝑣𝒋′

𝑢𝐣 [𝐱(𝐱 ′ , 𝐧′ , 𝛥𝑡)] = { where 𝑣𝐣 is the volume of the cell 𝐣,

1 𝑖𝑓 x ∈ 𝑣𝐣 0 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒

𝑡+Δ𝑡

𝐱(𝐱 ′ , 𝐧′ , 𝛥𝑡) = ∫𝑡 𝒅𝒕′ 𝑓(𝐱(𝑡 ′ ), 𝐧′ ) + 𝐱′ and 𝑓(𝐱(𝑡 ′ ), 𝐧′ ) represents the equations describing system dynamics.

(2) (3)

(4)

D. Equal Weight Quadrature Approximation Scheme When it is not practical or possible to evaluate Eq. (2) analytically, an equal weight quadrature approximation scheme can employed via the use of a high fidelity simulator. System location in the state space is assumed to be uniformly distributed within each cell. Multiple points are sampled to represent each cell, and are passed to the simulator to compute transitions over 𝛥t. Then Eq. (2) can be approximated16 as, 𝑔(𝐣|𝐣′ , 𝐧′, 𝛥𝑡) =

# 𝑜𝑓 𝑠𝑎𝑚𝑝𝑙𝑒𝑑 𝑝𝑜𝑖𝑛𝑡𝑠 𝑖𝑛 cell 𝐣′ 𝑎𝑟𝑟𝑖𝑣𝑖𝑛𝑔 𝑖𝑛 𝑐𝑒𝑙𝑙 𝐉 𝑜𝑣𝑒𝑟 Δ𝑡 # 𝑜𝑓 𝑝𝑜𝑖𝑛𝑡𝑠 𝑠𝑎𝑚𝑝𝑙𝑒𝑑 𝑓𝑟𝑜𝑚 cell 𝐣′

(5)

III. Proposed Case Study An overview of the proposed scenario is presented in Section III.A. The flight dynamics used to model the UAS are described in Section III.B. The dynamic icing model is presented in Section III.C. An adaptive autopilot used to 4 American Institute of Aeronautics and Astronautics

compensate for aerodynamic uncertainties is discussed in Section III.D. A Rule-based Flight Executive is proposed and presented in Section III.E. A. Overview of Scenario A scenario is constructed for a UAS cruising at an altitude that makes it prone to icing. The UAS then performs a land, or a sub-nominal land maneuver with initial descent, final descent, and flare phases. It is assumed that ice accretion on the aircraft only occurs at a high altitude in the cruise phase. Once the UAS is performing a land maneuver, it is prone to a degradation in engine performance as a consequence of icing. In order to realize the proposed scenario, several components need to be modeled and integrated in the UAS simulator. Figure 3 below depicts the described scenario. Note that the Autopilot works at estimating and compensating for changes in the aerodynamic parameters. The estimated aerodynamic parameters, along with any possible degradations in control surfaces, are factored in an optimization problem in order to construct a sub-nominal landing procedure. The result of the optimization is a lookup table with parameters for the landing procedure. This lookup table can be used by a Linear Quadratic Regulator based Autopilot.

Figure 3.

Proposed Case Study

B. Flight Dynamics The UAS longitudinal dynamics of the Cessna 182 were used for the design of the UAS flight dynamics. Seven continuous states were taken into consideration to represent the UAS. These states are velocity magnitude (𝑉𝑇 ), flight path angle (𝛾), pitch angle (𝜃), pitch rate (q), altitude (ℎ), x-position (𝑥𝑝 ), and accumulated ice (ℐ𝑖𝑐𝑒 ). The control surfaces affecting the longitudinal dynamics are the thrust force (𝐹𝑇 ) the elevator deflection (𝛿𝑒 ), and flaps deflection (𝛿𝐹 ). The forces being exerted on the UAS in the longitudinal axis are the weight (𝐹𝑊 ), drag (𝐹𝐷 ), Lift (𝐹𝐿 ), friction (𝐹𝑓 ), and the normal force (𝐹𝑁 ). Cessna 182 parameters were taken from the work of Roskam17. C. Icing Dynamic Model An ice accretion model based on common icing models used in literature18-20 was taken as 𝐶(𝐴)𝑖𝑐𝑒𝑑 = (1 ± ℐ𝑖𝑐𝑒 𝒮𝑖𝑐𝑒 )𝐶(𝐴)

(1) where 𝐶(𝐴) is the affected aerodynamic coefficient, which is assumed to be either 𝐶𝐿𝛼 , 𝐶𝐷𝛼 , or 𝐶𝑀𝛼 . ℐ𝑖𝑐𝑒 ∈ [0,1] represents the amount of ice gathered on the wings, with 0 being no ice, and 1 being fully iced. 𝒮𝑖𝑐𝑒 is the severity of the icing effect on the modeled aerodynamic coefficient. Ice is assumed to be accreted based on ℐ𝑖𝑐𝑒̇ = 𝐴𝑐 (2) where 𝐴𝑐 represents the rate of ice accumulation, and is dependent on the severity of the weather. D. Adaptive Autopilot Traditionally, Autopilots are implemented via the design of linear cascaded controllers based on gain scheduling. However, it is possible that accurate aerodynamic models are not available, or are prone to changes not captured by the model during flight. An adaptive controller is introduced for the case of systems in which parametric uncertainties are present. It is assumed that the coefficient of lift is the only parameter that is known to the UAS controllers. The adaptive Autopilot will work at compensating for uncertainties in the drag and pitching moment coefficients for the case of a UAS in a cruising phase of the mission. The Autopilot is only to be implemented in the cruising phase. The adaptive Autopilot is designed using an adaptive backstepping state feedback controller based on the work of Gavilan, Vazquez, and Acosta21. The following assumptions are made The UAS is in cruise with a Flight Path Angle near the set-point 𝛾 ≈ 𝛾𝑆𝑃 . 5 American Institute of Aeronautics and Astronautics

Even though the aerodynamic coefficients are unknown, their relationships are known. Trim points under nominal conditions are known for the UAS (same points used in traditional Autopilots). Aerodynamic Drag, and Moment coefficients are estimated using an adaptive law. Engine thrust is used to bring UAS velocity to set-point, while the elevator is used to bring Flight path angle to the desired set-point. E. Rule Based Flight Executive A rule-based adaptive control strategy for the nonlinear UAS longitudinal dynamics prone to actuator failures has also been constructed. Contingency actions are added to the flight executive in order to recover a UAS mission after an actuator degradation has taken place. In the context of this work, the actuator prone to failure is assumed to be the Engine, with two operational states taken into consideration: normal engine condition, engine power loss. The contingency actions were taken based on the work of Bateman, Noura, and Ouladsine22. Once a control surface failure occurs, new trim points are obtained that make it possible to maintain mission integrity. The Flight Executive then employs an Autopilot that steers the UAS to the new trim point, and cruises until a landing point is reached. Part of the decision making process in the flight executive is based on the UAS being able to perform a sub-nominal land procedure. Based on the procedures that were described, contingency actions were augmented to a finite state machine based flight executive. The problem of computing new trim points for the UAS to follow can be formulated as a nonlinear constrained optimization problem. The optimization problem is constructed by defining 1) a cost function that the optimization problem has to minimize, 2) the lower and upper bounds on the states and control surfaces, and 3) an equality that represents the equilibrium or trim conditions. It is assumed that the set-point the UAS follows consists of a velocity and a flight path angle. A sub-nominal Landing procedure is constructed from a set of trim points computed via optimization. The different landing maneuvers that are required to guide a 2D UAS though a landing procedure are Cruise to landing point, Initial Descent, Final Descent, and Flare.

IV. Adaptive Flight Controller Assurance Scheme Control systems in the aerospace domain may involve multiple modes of operation tailored to different phases a UAS is prone to be in. For instance, a controller a UAS would typically use for cruising would be very different to one that is used in a take-off phase. The difference in controllers implemented across the various phases stems from a difference in the phase-specific dynamics, or system configuration. As such, it would not be practical, or feasible, to expect efficient and comprehensive scenario coverage and risk assessment from a single BPA implementation across all mission phases. For instance, changes in altitude during a cruise performed at a high altitude are much less critical than changes of altitude during take-off or landing phases. In terms of BPA implementation, this means that the discretized altitude partition size, and the time-step size should be larger in cruise than those defined in take-off or land. When discretizing the system and computing its probabilistic transition map, the use of a smaller partition size, or time-step than necessary can lead to a large and unnecessary increase in computational loads and storage requirements. For large scale systems, this increase in computational loads and storage requirements can be very expensive. Additionally, a single implementation of BPA across all phases would require a domain expert, or possibly a team of experts, in order to properly coordinate, set up, and initialize the BPA. The proposed solution to overcoming the aforementioned challenges is the use of phase-specific implementations of the BPA, and the integration of the obtained results. The phase-specific implementations of the BPA means that it is possible to define and initialize the BPA with a higher degree of independence for each phase. This makes for a more optimal implementation in terms of computation, and storage. The BPA is to be used in providing an assurance case for the UAS control system under icing conditions and possible engine failures. BPA requires the definition of UAS continuous states, a partitioning scheme, UAS system components and states, and TEs of interest. Ultimately, the Top Event of interest in this case study is the UAS failing to touchdown on the runway in a desired fashion due to undesirable behavior in the Flare phase. It is also desired to find the icing conditions that can possibly lead to such a TE. Such consequences, however, don’t typically occur simultaneously. They rather could occur as a result of gradual changes in the system states and component behavior. These changes can be triggered by external environmental conditions such as icing, and may lead to a failure or accident in the latter stages of a mission. The proposed scheme for the identification of such scenarios of risk significance over multiple phases as seen in Fig. 4(a) involves implementing BPA in the following steps: 6 American Institute of Aeronautics and Astronautics

1.

BPA is run in the Flare phase of the mission, with the TE being failure to land in a desired manner. The BPA returns the sequence of events starting from the very end of the final descent phase, or the very start of the flare phase. 2. BPA is run in the final descent phase of the mission, with the TE being the combination of UAS states that were identified in the first iteration. The BPA returns the sequence of events starting from the very end of the initial descent phase, or the very start of the final descent phase. 3. BPA is run in the initial descent phase of the mission for the identification of events starting from the very end of the cruise phase, or the very start of the initial descent phase. 4. The BPA is then run in the cruise phase of the mission, and the risk significant combination of icing conditions and system states that led to the landing failure multiple stages later can be identified. The scheme used to convert bottom nodes of one implementation to the TEs of the next is highlighted in Fig. 4(b). The bottom nodes are identified and then converted to their continuous state representations. The continuous state representations are then expressed as cells in the partitioning scheme of the next step and treated as TEs. Once a search tree is constructed from these TEs, the results are linked to the bottom nodes of the previous implementation.

Figure 4.

(a) Proposed BPA scheme for the Case Study (b) Cell Re-discretization Scheme

V. Implementation of BPA, Results, and Discussion In this section, user interaction with the BPA in defining and integrating the phase-specific implementation will be highlighted, and a portion of the obtained results will be displayed and discussed. In Section V.A, the Step 1 of the multiphase BPA implementation (see Section IV) will be discussed. Section V.B discusses Step 2 and Step 3 and Section V.C discusses Step 4. Section V.D contains a sample from the resulting BPA search tree, and a discussion of the results. A. BPA implementation on Flare Phase – Step 1 As discussed in Section IV, the Step 1 is implemented on the Flare phase. The TE of interest is defined to be a UAS failing to complete Flare in the desired manner. For the purpose of this case-study, it is assumed that the UAS is required to complete the Flare phase with a velocity of 30-36 m/s, and a flight path angle of 0-3°. Flare is assumed to be completed once the UAS is about to touchdown over a runway located at an x-position of 2500m (see Fig.4). The Top Event, “Failure to Flare”, is defined as the UAS being at an x-position exceeding 2500m, at an altitude below 15m, and with a flight path angle less than -3°, or a velocity beyond the range of 30-36 m/s. Three system configuration variables are defined: set-point mode, icing accumulation, and engine state. Two setpoint modes are defined for the Flare phase with the first being the UAS descending at a velocity in the range of 30 to 36 m/s, and flight path angle -2.35° to 2°, with a non-negative pitch angle, the second set-point mode is for a UAS descending at a velocity of 30 to 36 m/s, and a flight path angle of -2.7° to 2.35°, with a non-negative pitch angle. 7 American Institute of Aeronautics and Astronautics

Each of those set-point modes are used to define boundary conditions of the optimization problem to be solved in the rule-based adaptive Flight Executive. Icing accumulation is defined to have one of the following states: no icing, low icing, medium icing, and high icing. Engine state is defined to be either in normal condition, or in a power loss. When normal, the engine is capable of delivering maximum thrust, while in power loss it is only able to deliver up to 600N of thrust. Engine maximum thrust was also factored in the optimization problem in the rule-based Flight Executive. Now that all the variables, and system configuration modes have been defined for Flare, as seen in Table 1, the user can run Step 1 of the BPA. The BPA discretizes the system state-space augmented with the system configuration modes into a 9-dimensional discretized space composed of cells. This process was illustrated in Fig. 2. Each cell is a 9-tuple defined as a unique combination of the variable partitions and the system configuration modes. The first six elements in the cell represent the system state space, or process variable, partitions: velocity, flight path angle, pitch, pitch rate, altitude, and x-position. The last three elements of the tuple represent the aircraft set-point modes, ice accumulation, and the engine states, which make up the possible system configuration combinations. With the system being defined and discretized successfully, and the Top Event specified, the BPA is then run using a user-defined time-step of 5 seconds, and a search depth of 5 time-steps. The results of the BPA implementation can be seen in Fig. 5. Note that the time-step was needs to be selected such that the system dynamic behavior is adequately captured, and the search depth needs to be selected such that the results of BPA implementation in the Flare phase would indicate cells spatially lying at the very beginning of the Flare phase, or the very end of the preceding Final Descent phase. B. BPA Implementation on Final & Initial Descent Phases – Steps 2 and 3 Following Step 1, user is prompted to define the discretization scheme of the Final Descent phase as illustrated in Table 1. The bottom nodes of the cells indicated in the Flare BPA implementation are then converted to the cell representation of the Final Descent phase via the method illustrated in Fig. 4(b). In other words, the bottom nodes of Step 1 are used as the TEs of the Final Descent partitioning. The user then runs Step 2 by defining a time-step of 12s, and a search depth of 3 time-steps. Notice that the user opts for a larger time-step in the final descent than that of the flare phase, this is due to dynamic behavior of the system being less critical in final descent. The search depth was selected such that the UAS is spatially at the very beginning of the final descent phase, or the very end of the initial descent phase. Similarly, the user runs Initial Descent phase (Step 3) using the BPA inputs seen in Table 1. This implementation of the BPA uses the bottom nodes of Step 2 (Final Descent) as the Top Event. The user runs it by defining a simulation time-step of 60s, and a search depth of 9 time steps. The bottom nodes resulting from this BPA implementation are spatially contained at the very beginning of initial descent, or the very end of the Cruise phase. C. BPA Implementation on the Cruise Phase – Step 4 Step 4 of BPA implementation is done in the Cruise phase of the mission. In cruise, the engine is assumed to be healthy, and it is assumed that weather conditions can cause the amount of ice accumulated on the UAS to increase. System configuration defined in cruise is different than that of the other phases. Weather severity is taken as the configuration of interest with the weather being normal, moderately freezing, and severely freezing. These Table 1.

User input to backtracking Process Algorithm for each Phase

Variable Name numProcessVariables processVariableNames

numSystemConfigurations systemConfigurationNames

variableUpperBounds variableLowerBounds numberOfVariablePartitions timeStepSize Search Depth

Value Flare 6 Velocity, Flight path angle, pitch, pitch rate, altitude, x-position

Final Descent 6 Velocity, Flight path angle, pitch, pitch rate, altitude, x-position

3 Set-point Mode Icing Accumulation Engine State [42,0,0.35,0.5,80,2400 ] [26,-0.07,-20,-0.5,0,0]

3 Set-point Mode Icing Accumulation Engine State [50,0,0.35,0.5,200,2400 ] [34,-0.1047,-0.345,0.5,0,0] [8,6,1,1,5,6] 12 seconds 3

[8,8,1,1,6,12] 5 seconds 5

8 American Institute of Aeronautics and Astronautics

Initial Descent 6 Velocity, Flight path angle, pitch, pitch rate, altitude, xposition 3 Set-point Mode Icing Accumulation Engine State [65,0,0.35,0.5,1650,2 400] [30,-0.1047,-0.35,0.5,0,-30000] [7,2,1,1,11,17] 60 seconds 9

Cruise 7 Velocity, Flight path angle, pitch, pitch rate, altitude, xposition, accumulated ice 2 Set-point mode Weather severity [70,0.07,0.345,0.5,1825,17000,1] [35,-0.1047,-0.35,0.5,1325,-65000,0] [7,5,1,1,10,12,5] 100 seconds 3

configuration modes are defined through selection of 𝐴𝐶 = 0, 0.5, or 1 respectively. The user defines the inputs to the BPA for Step 4 (Cruise) as seen in Table 1. A time-step of 100 seconds is selected, with a search depth of 9 timesteps. Notice in Table 1 that in the Flare phase, a time-step of 5 seconds was selected, with smaller variable partitions defined. In the Cruise phase, we are selecting a time-step that is twenty times larger, along with larger variable partition sizes. This considerable difference is due to the fact that system dynamic changes occur at a much slower rate in cruise than they would in flare. The advantage of using multiple BPA instances is clear to see in this case. For if both phases were to be included in the same analysis, time-step selection would have been bottlenecked by the Flare phase’s sensitivity to system dynamic changes. Separating the analysis of the two phases can potentially save significant amounts of storage and computational resources. D. Combined Analysis Results and Discussion Once all four steps of BPA implementations have been successfully completed, with results integrated, a search tree is obtained which stretches from the Top Event defined in the Flare phase, to the cells contained in the bottom nodes of the Cruise phase. Note that due to space constraints in Fig. 5, risk insignificant scenarios were truncated, and only risk significant sequences were retained for illustration. An example sequence obtained from the shaded portion of the search tree in Fig. 5 was used to provide an interpretation of the search tree results. The interpretation of the sequence can be seen in Table 2. The sequence conditional probability can be obtained as follows:

Figure 5.

BPA Implementation Results 9

American Institute of Aeronautics and Astronautics

𝑃(𝑇𝐸|[2 3 1 1 3 8 2 𝟏 𝟑]C) = 𝑃(𝑇𝐸|[5 4 1 1 2 7 𝟏 𝟒 𝟐 ]𝐹𝑙 ) × 𝑃([5 4 1 1 2 7 𝟏 𝟒 𝟐 ]𝐹𝑙 |[1 3 1 1 1 1 𝟐 𝟒 𝟐]FD ) × 𝑃([1 3 1 1 1 1 𝟐 𝟒 𝟐]FD |[3 1 1 1 10 5 𝟏 𝟒 𝟐]ID ) × 𝑃([3 1 1 1 10 5 𝟏 𝟒 𝟐]ID |[2 3 1 1 3 8 2 𝟏 𝟑]C ) = 0.1024 × 0.3969 × 0.0018662 × 0.49 = 3.7165𝑒 − 05.

The selected sequence illustrates how a UAS can be affected by severe weather conditions in the Cruise phase, and dynamically evolve within the mission envelope, leading to an eventual failure in the Flare phase.

VI. Conclusion This paper proposes a scheme that utilizes the BPA for the assurance of control systems equipped with adaptive control functions and operations consisting of multiple phases. A case study of a UAS experiencing icing conditions, and a possible engine failure, while performing a land maneuver was used in this paper to illustrate the proposed methodology on a system that contains and adapts to varying configurations in both the flight dynamics, and flight systems domain. Results show that the scheme was capable of capturing and probabilistically quantifying system dynamic behavior leading to an undesirable event of interest (i.e. TE). Table 2. Ph ase

Interpretation of Selected Scenario (Cr: Cruise, ID: Initial Descent, FD: Final Descent, Fl: Flare) Timestep

Cr

Cell representation of Process Variables & System Configuration [2 3 1 1 3 8 2 𝟏 𝟑]C

100s

Elap sed Time 0s

Cr

[2 3 1 1 3 9 4 𝟏 𝟑]C

100s

100s

Cr

[2 3 1 1 3 10 5 𝟏 𝟑]C

100s

200s

ID

[3 1 1 1 10 5 𝟏 𝟒 𝟐]ID

60s

300s

ID

[2 1 1 1 9 6 𝟏 𝟒 𝟐]ID

60s

360s

ID

[2 1 1 1 8 7 𝟏 𝟒 𝟐]ID

60s

420s

ID

[2 1 1 1 7 8 𝟑 𝟒 𝟐]ID

60s

480s

ID

[6 1 1 1 6 10 𝟑 𝟒 𝟐]ID

60s

540s

ID

[6 1 1 1 5 12 𝟑 𝟒 𝟐]ID

60s

600s

ID

[6 1 1 1 4 13 𝟑 𝟒 𝟐]ID

60s

660s

ID

[6 1 1 1 3 14 𝟏 𝟒 𝟐]ID

60s

720s

ID

[2 1 1 1 2 15 𝟏 𝟒 𝟐]ID

60s

780s

FD

[1 3 1 1 1 1 𝟐 𝟒 𝟐]FD

12s

840s

FD

[1 4 1 1 1 2 𝟐 𝟒 𝟐]FD

12s

852s

FD

[1 4 1 1 1 3 𝟐 𝟒 𝟐]FD

12s

864s

Fl

[5 4 1 1 2 7 𝟏 𝟒 𝟐 ]Fl

5s

876s

Fl

[5 3 1 1 2 8 𝟏 𝟒 𝟐]Fl

5s

881s

Fl

[5 4 1 1 2 9 𝟐 𝟒 𝟐]Fl

5s

886s

Fl

[5 3 1 1 2 10 𝟐 𝟒 𝟐]Fl

5s

891s

Fl

[5 4 1 1 2 11 𝟐 𝟒 𝟐]Fl

5s

896s

TE

[𝐅𝐥𝐚𝐫𝐞 𝐅𝐚𝐢𝐥𝐮𝐫𝐞]

901s

Cell Description *only the process variables and configurations relevant to the system evolution are described UAS level at [1425,1475) m, a velocity of [40, 45) m/s, [20,40) % icing, under severe weather conditions. UAS level at [1425,1475) m, a velocity of [40, 45) m/s, [40,60) % icing, under severe weather conditions. UAS level at [1425,1475) m, a velocity of [40, 45) m/s, [80,100) % icing, under severe weather conditions. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [40, 45) m/s, altitude of [1350, 1500) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [35,40) m/s, altitude of [1200, 1350) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [35,40) m/s, altitude of [1050, 1200) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [35,40) m/s, altitude of [900, 1050) m, full icing, and engine power loss. Set-point mode changes from 1 to 3 (higher velocity) UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [55,60) m/s, altitude of [750, 900) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [55,60) m/s, altitude of [600, 750) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [55,60) m/s, altitude of [450, 600) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [55,60) m/s, altitude of [300, 450) m, full icing, and engine power loss. Set-point mode changes from 3 to 1 (adjusting FPA for flare entry). UAS descending at 𝛾 ∈ [−6°, −3°), a velocity of [35,40) m/s, altitude of [150, 300) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−4°, −3°), a velocity of [34,36) m/s, altitude of [0,40) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−3°, −2°), a velocity of [34,36) m/s, altitude of [0,40) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−3°, −2°), a velocity of [34,36) m/s, altitude of [0,40) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−2.5°, −2°), a velocity of [34,36) m/s, altitude of [13,26.7) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−3°, −2.5°), a velocity of [34,36) m/s, altitude of [13,26.7) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−2.5°, −2°), a velocity of [34,36) m/s, altitude of [13,26.7) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−3°, −2.5°), a velocity of [34,36) m/s, altitude of [13,26.7) m, full icing, and engine power loss. UAS descending at 𝛾 ∈ [−2.5°, −2°), a velocity of [34,36) m/s, altitude of [13,26.7) m, full icing, and engine power loss. SP Mode is changed from 2 to 1 in preparation for touchdown UAS arrives at touchdown point under undesirable conditions.

10 American Institute of Aeronautics and Astronautics

Acknowledgments This work is funded by NASA Ames Research Center under contract NNA14AB55C. The work is also partially funded by the National Science Foundation (NSF) Cyber-Physical Systems (CPS) project under contract 60046665. The authors express their appreciation for the support and insights provided by the sponsors. The conclusions presented herein are those of the authors and do not necessarily represent the views or positions of NASA, or NSF.

References 1Verma,

Ajit Kumar, Ajit Srividya, and Durga Rao Karanki. Reliability and safety engineering. Vol. 43. London: Springer, 2010. 2Aldemir, Tunc. "A survey of dynamic methodologies for probabilistic safety assessment of nuclear power plants." Annals of Nuclear Energy 52 (2013): 113-124. 3Blum, David M., David Thipphavong, Tamika L. Rentas, Ye He, Xi Wang, and M. Elisabeth Pate-Cornell. "Safety analysis of the advanced airspace concept using Monte Carlo simulation." In Proceedings of the AIAA Guidance, Navigation, and Control Conference. 2010. 4Thipphavong, David. "Accelerated Monte Carlo simulation for safety analysis of the advanced airspace concept." In Proceedings of the 10th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, Fort Worth, Texas. (2010). 5Blom, Henk AP, B. Klein Obbink, and G. J. Bakker. "Safety risk simulation of an airborne self separation concept of operation." In Proceedings of the 7th AIAA Aviation Technology Integration and Operations (ATIO) Conference, AIAA, vol. 7729, p. 2007. 6Blom, Henk AP, Bart Klein Obbink, and G. J. Bakker. "Simulated safety risk of an uncoordinated airborne self separation concept of operation." Air Traffic Control Quarterly 17, no. 1 (2009): 63-93. 7Lindsten, Fredrik, Per-Johan Nordlund, and Fredrik Gustafsson. "Conflict detection metrics for aircraft sense and avoid systems." IFAC Proceedings Volumes 42, no. 8 (2009): 65-70. 8Lee, Ritchie, Mykel J. Kochenderfer, Ole J. Mengshoel, Guillaume P. Brat, and Michael P. Owen. "Adaptive stress testing of airborne collision avoidance systems." In Digital Avionics Systems Conference (DASC), 2015 IEEE/AIAA 34th, pp. 6C2-1. IEEE, 2015. 9Kornfeld, R. P., Prakash, R., Devereaux, A. S., Greco, M. E., Harmon, C. C., & Kipp, D. M. (2014). Verification and validation of the Mars science laboratory/curiosity rover entry, descent, and landing system. Journal of Spacecraft and Rockets, 51(4), 12511269. 10Hejase, M., Oguz, A.E., Kurt, A., Ozguner, U. and Redmill, K. A Hierarchical Hybrid State System Based Controller Design Approach for an Autonomous UAS Mission. In 16th AIAA Aviation Technology, Integration, and Operations Conference, p. 3294 (June, 2016). 11Hejase, Mohammad, Arda Kurt, Tunc Aldemir, Umit Ozguner, Sergio Guarro, Michael K. Yau, and Matt Knudson. "A Quantitative and Risk Based Framework for UAS Control System Assurance." In AIAA Information Systems-AIAA Infotech@ Aerospace, p. 0882. 2017. 12S. Guarro, M. Yau, Tunc Aldemir, Umit Ozguner, Arda Kurt, Hejase, and Matt Knudson, “Formal Framework and Models for Validation and Verification of Software-Intensive Aerospace Systems,” AIAA SciTech Forum 2017, Grapevine, TX, Jan 9-13, 2017 13T. Aldemir, “Computer-Assisted Markov failure modeling of process control systems,” IEEE Trans. Relibility, 36, 133-144 (1987). 14M. Belhadj, T. Aldemir, "The Cell-to-Cell Mapping Technique and Chapman-Kolmogorov Representation of System Dynamics", J. Sound and Vibration, 181(4), 687-707 (April 1995) 15Yang, Jun, and Tunc Aldemir. "An algorithm for the computationally efficient deductive implementation of the Markov/Cellto-Cell-Mapping Technique for risk significant scenario identification." Reliability Engineering & System Safety 145 (2016): 1-8. 16Aldemir, T. "Utilization of the cell-to-cell mapping technique to construct Markov failure models for process control systems." PSAM Proceedings, Elsevier Publishing Company Co. Inc., NY (1991): 1431-1436. 17 Roskam, J. (1995). Airplane flight dynamics and automatic flight controls. DARcorporation. 18 Bragg, M., Hutchison, T., & Merret, J. (2000). Effect of ice accretion on aircraft flight dynamics. In 38th Aerospace Sciences Meeting and Exhibit (p. 360). 19 Kowaleczko, G., & Wachłaczenko, M. (2012). Aircraft dynamics during flight in icing conditions. Journal of Theoretical and Applied Mechanics, 50(1), 269-284. 20 Ranaudo, R., Mikkelsen, K., McKnight, R., & PERKINS, JR, P. (1984, January). Performance degradation of a typical twin engine commuter type aircraft in measured natural icing conditions. In 22nd Aerospace Sciences Meeting (p. 179). 21 Gavilan, Francisco, Rafael Vazquez, and José Á. Acosta. "Adaptive control for aircraft longitudinal dynamics with thrust saturation." Journal of Guidance, Control, and Dynamics 38, no. 4 (2014): 651-661. 22 Bateman, François, Hassan Noura, and Mustapha Ouladsine. "A fault tolerant control strategy for an unmanned aerial vehicle based on a sequential quadratic programming algorithm." 47th IEEE Conference on Decision and Control, 2008.

11 American Institute of Aeronautics and Astronautics

Publication Date (online): January 8, 2017 Read More: https://arc.aiaa.org/doi/abs/10.2514/6.2018-1982

12 American Institute of Aeronautics and Astronautics