The Safety Monitor system architecture was developed to enable the appropriate safety claims to be made to a certification authority. This included allowing an operator to take control for launch and recovery. Given the UAS speed, and especially the potential closing speeds with other aircraft, reaction times needed to be very fast: air traffic that appeared far away could become a collision risk in a very short time. It was therefore assumed from the start that the UAV would need an autonomous capability to manoeuvre in emergency scenarios, unless a controller directly overrode it in situations where, for example, they had line of sight. In normal operations a controller will be communicating with the UAV. However, if it can be shown that, once the UAV is beyond line-of-sight communications, it will always behave correctly and be able to complete its task, then that may remove the need for the weight and expense of satellite communications.
A key issue for the project was to demonstrate that an independent control algorithm (the Safety Monitor) within the UAV control system could take the information from a sensor and use it to apply control in the emergency scenarios. Although only the ADS-B sensor was used in this project, it was recognised that sensor fusion from multiple sensors, such as optical and/or radar, might be required in future to make decisions on correctly classified threats. A further key component of the project was how to account for some major faults that might affect the ability of an aircraft to safely complete its task. Whilst hover-capable UAVs would be used for demonstration purposes, hovering as a potential collision-avoidance behaviour was disallowed in the proposed architecture. A final consideration was that, while the default operating mode would be to behave in accordance with the Rules of the Air, there was scope to allow the aircraft to behave in a non-standard manner should the situation demand it.
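To make the architecture concrete, the following is an added example, written for this page and not code from D-RisQ, Callen-Lenz or the project: one decision cycle of a monitor of the kind described, consuming ADS-B-style tracks and deciding whether to impose a manoeuvre on the flight controller. It is written in the restricted C style that formal tooling favours (fixed-size arrays, no dynamic memory, no recursion, bounded loops). The local flat-earth frame, the separation and horizon thresholds, the plausibility bounds, the "turn right" manoeuvre and the CMD_FAULT outcome are all assumptions made for the example; the project's own thresholds, frame and manoeuvre set are not stated on this page. The staleness and plausibility checks are also an addition: ADS-B reports are broadcast by the other aircraft itself, so a monitor that acts on them should not assume every report is fresh and physically consistent. Consistent with the architecture above, hovering is not an outcome the monitor can command, and an operator override silences it.

```c
/* Added example (not project code): a bounded, allocation-free safety-monitor
 * decision step over ADS-B-style tracks. Frame, thresholds and rule set are
 * ASSUMPTIONS for illustration, not values from the project. */
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_TRACKS       16
#define SEP_MIN_M       150.0   /* assumed required separation, metres           */
#define LOOKAHEAD_S      30.0   /* assumed decision horizon, seconds             */
#define MAX_TRACK_AGE_S   2.0   /* assumed: older reports are ignored            */
#define MAX_SPEED_MPS   400.0   /* assumed plausibility bound on reported speed  */

/* Local flat-earth frame in metres; velocities in m/s; age = seconds since report. */
typedef struct {
    double x, y, vx, vy, age_s;
    bool valid;
} track_t;

/* Only flyable manoeuvres exist as outcomes: there is deliberately no hover. */
typedef enum { CMD_NONE = 0, CMD_TURN_RIGHT = 1, CMD_FAULT = 2 } command_t;

static bool is_finite_track(const track_t *t) {
    return isfinite(t->x) && isfinite(t->y) && isfinite(t->vx) &&
           isfinite(t->vy) && isfinite(t->age_s);
}

/* Reject stale, non-finite or physically implausible reports before they can
 * drive a manoeuvre. The bounds are assumptions; the point is that a
 * self-reported track is checked, not trusted. */
bool track_plausible(const track_t *t) {
    if (!t->valid || !is_finite_track(t)) return false;
    if (t->age_s < 0.0 || t->age_s > MAX_TRACK_AGE_S) return false;
    return (t->vx * t->vx + t->vy * t->vy) <= MAX_SPEED_MPS * MAX_SPEED_MPS;
}

/* Closest point of approach (CPA) of one intruder relative to ownship, with the
 * CPA time clamped to [0, LOOKAHEAD_S]. Writes the CPA time and the squared miss
 * distance (squared to avoid sqrt); returns true when the miss distance is
 * inside SEP_MIN_M within the horizon. */
bool predict_conflict(const track_t *own, const track_t *intr,
                      double *t_cpa, double *d_cpa_sq) {
    double rx = intr->x - own->x, ry = intr->y - own->y;    /* relative position */
    double vx = intr->vx - own->vx, vy = intr->vy - own->vy; /* relative velocity */
    double vv = vx * vx + vy * vy;
    double t = 0.0;
    if (vv > 0.0) t = -(rx * vx + ry * vy) / vv;  /* time when |r + v t| is minimal */
    if (t < 0.0) t = 0.0;                         /* already diverging: check now   */
    if (t > LOOKAHEAD_S) t = LOOKAHEAD_S;         /* otherwise evaluate at horizon  */
    double mx = rx + vx * t, my = ry + vy * t;
    *t_cpa = t;
    *d_cpa_sq = mx * mx + my * my;
    return *d_cpa_sq < SEP_MIN_M * SEP_MIN_M;
}

/* One monitor cycle. Returns the command to impose on the flight controller and,
 * via threat_idx, the track that forced it (-1 if none). An implausible ownship
 * state is reported as a fault; with operator override asserted the monitor is
 * silent and the controller keeps authority. */
command_t monitor_step(const track_t *own, const track_t *tracks, int n,
                       bool operator_override, int *threat_idx) {
    *threat_idx = -1;
    if (!track_plausible(own)) return CMD_FAULT;
    if (operator_override) return CMD_NONE;
    if (n > MAX_TRACKS) n = MAX_TRACKS;           /* bounded loop */
    double best_t = LOOKAHEAD_S + 1.0;
    for (int i = 0; i < n; i++) {
        double t, d2;
        if (!track_plausible(&tracks[i])) continue;
        if (predict_conflict(own, &tracks[i], &t, &d2) && t < best_t) {
            best_t = t;                           /* act on the soonest conflict */
            *threat_idx = i;
        }
    }
    /* Assumed convention for converging traffic: alter course to the right. */
    return *threat_idx >= 0 ? CMD_TURN_RIGHT : CMD_NONE;
}

/* Constructed sample traffic (not recorded data): ownship at the origin flying +x
 * at 30 m/s; one intruder head-on 1500 m ahead, one passing 500 m abeam. */
static const track_t SAMPLE_OWN = {0.0, 0.0, 30.0, 0.0, 0.0, true};
static const track_t SAMPLE_TRAFFIC[2] = {
    {1500.0,   0.0, -30.0, 0.0, 0.5, true},
    {1500.0, 500.0, -30.0, 0.0, 0.5, true},
};

int main(void) {
    int idx;
    command_t cmd = monitor_step(&SAMPLE_OWN, SAMPLE_TRAFFIC, 2, false, &idx);
    printf("command=%d threat_track=%d\n", (int)cmd, idx);
    return 0;
}
```

On the sample data the head-on track (index 0) reaches its closest point of approach after 25 s at zero miss distance and forces a right turn, while the abeam track passes 500 m clear and is ignored; the same head-on track reported with a 5 s age is discarded as stale before it can drive any manoeuvre.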
The aerospace software certification standard DO-178C would be used for this project, and compliance would make use of D-RisQ's automatic formal verification tools and technologies throughout, following DO-333, the Formal Methods Supplement to DO-178C. DO-330 would also be used as part of the guidance for the development of those verification tools. Because the verification evidence is produced automatically by qualified tools, DO-178C and DO-330 compliance can be achieved in a straightforward and relatively cheap way. It was decided that, as far as possible given the constraints of the project, the software development would be conducted to comply with DO-178C Level A, the highest level of verification.
The system behavioural requirements for the Safety Monitor were developed in a series of project workshops, which generated a System Requirements Document reviewed and approved by the project partners. These requirements covered many different facets of the UAV: the use case, the COLREGS, the environment it had to operate in, and the safety requirements that had to be met. The System Requirements were then developed by D-RisQ into a set of Software High Level Requirements (HLRs). At this stage, a prototype of the D-RisQ Kapture® tool was used to develop the software design requirements in a verifiable format. As part of Kapture®, the semantics for a set of templates had been developed, showing that there was sufficient expressivity for use by third parties in a future commercial tool. The HLRs were reviewed against the System Requirements, and claims could be made that the appropriate DO-333 objectives had been met.
Design, code and verification
A design for the decision-making software was undertaken based upon the HLRs, using Simulink / Stateflow. The question that needed to be answered by the project was "Does this design satisfy the HLRs?" To prove this, the D-RisQ Modelworks® tool was used to undertake the automatic verification of the design against the HLRs. This again supported meeting the DO-333 objectives.
System validation simulation was done to show that the system behaviour was as intended at the system level. C code was then automatically generated from the design into a subset of the C programming language for which a formal semantics had been provided. Verification of the source code and of the compiled code, which would be needed to claim the corresponding DO-178C and DO-333 objectives, was beyond the scope of this project, although some test cases were run successfully.
A considerable number of simulations were run by D-RisQ and, with the hardware in the loop, by Callen-Lenz. The scenarios included pathological situations, in order to see how the vehicle would behave in extreme circumstances. In all cases the UAV avoided all other objects, and in every case the manoeuvre was one that another air user would recognise as the way they too would react. This included the extreme, pathological scenarios in which the UAV sometimes had to interpret the Rules of the Air in an unconventional manner. A successful set of air-based trials was conducted by Callen-Lenz with both static and moving obstacles (see video).
The automatic decision-making Safety Monitor software worked exactly as required. A limited number of air tests run by Callen-Lenz showed that the behaviour was exactly as intended. This is backed up by the mathematical proof of the system's behaviour against the requirements, which were captured from their English description. The project accelerated the development of the D-RisQ Kapture® tool and expanded the capabilities of Modelworks®. A safety summary and certification material were also generated to aid future development. The next steps for D-RisQ will be to commercialise automatic formal verification of the automatically produced source code (the CLawZ® tool) and then automatic formal verification of the executable object code (the FEVER tool).
Artificial Intelligence, Safety and Costs
This project extended D-RisQ's knowledge of how to produce safety monitoring software for embedded real-time systems that exploit risk-based or AI-based software. It means that a solution exists that allows the benefits of AI to be obtained while the safety argument rests on an independent, verified monitor rather than on the AI itself. A route was provided to independent, high-integrity decision-making software that allows safe operation of Unmanned Air Vehicles Beyond Visual Line of Sight. Utilising D-RisQ tools and technology, this was achieved at very low cost and showed how a developer could comply with internationally recognised software standards. The approach is therefore an enabler of AI systems: the project showed that the required trust in such autonomous systems can be provided at an affordable cost.