Vulture II
Unmanned Aircraft System Reliability
Russell W. Morris, Technical Fellow, BSEE, MCSE, SM IEEE, M INCOSE
The Boeing Company
Boeing Defense and Space

Abstract
Development of unmanned aircraft avionic systems design generally takes two paths: fully autonomous (with update) and semi-autonomous or remotely piloted aircraft. The reliability and systems engineering elements for these aircraft take different forms, specifically for the RPV versus the UAV. A generalized comparison of the attributes of these two different types of system is presented along with the major elements of their employment challenges. Both vehicle types are dependent upon a significant level of fault detection and isolation and redundancy management, as well as the ability to return to base or an alternate field in the event of a failure. Mission duration plays a major role in the reliability demands on the system. An element that must be included is the potential for multiple failures or interrupts combined with other effects such as those associated with radiation. This presentation addresses the global system attributes and design reliability elements needed to ensure safety of flight and successful mission completion.
Unmanned Aircraft System Architectures
• Problem Statement
  • UAC must be perceived to be as good as manned
  • UAC must be capable of see and avoid if used in manned AC flight paths
• Solution Space
  • Limited size, weight and power (SWAP) and reliability
  • Must use sensors to replace the human (adds to SWAP)
• Depending on AC type may be unconditionally unstable
  • Flight control is critical
• System must include Ground Operations Electronics and man elements
• Define Success and Failure (not necessarily inverse)
• Two types of AC
  • Remotely Piloted Vehicles (RPV) – man in the loop
  • Unmanned Autonomous Vehicles (UAV) – man planning the flight

General Operating Requirements
Metric Low Medium High
Temperature F (C) -40C to +55C -90C to +75C
Altitude Ft (m) <5000 (1.6Km) >60,000 (>12Km)
Vibration Grms(hz) .25grm 3grms
Shock Gs, ½ sine peak 3 11
Radiation .e-.p+,CR, 10/cm2/hr 8000/cm2/hr + flares
Humidity %RH/Condensing 90 0-100
Sand and Dust Silica/Basalt Blowing S&D Volcanic Si/Basalt
Fungus Acidic surface effects
Aerosols Acidic/Base HNO3, H2SO4,
Duration hours .25-1 1-6 6-120+
Winds Mph (Kmph) -100 +100
Ozone corrosive 1000ppm

NASA Crash Course Review
Boeing Automated Landing and Takeoff
Takeoff Hold WP: Pilot command takeoff to proceed.
Proceed to Runway: Monitor vehicle health and taxi performance; command stop if necessary.
Taxi Phase: Monitor vehicle health and taxi performance; command stop if necessary.
Runway Hold WP: Monitor wait for ATC clearance before proceeding to runway.
End of Runway WP: WP points to self.
Takeoff WP: Go / No-Go Decision Point (Commit to takeoff)
Runway Aimpoint WP: Reference point for landing glideslope.
Waypoint Types: Steering Waypoint, Hold Waypoint, End of Runway Waypoint, Runway Aimpoint WP
• Pilot is removed – but all flight control elements reside in a van not a cockpit
• Rely extensively on Radio Communications – compounds C&C
• Must provide for contingencies ahead of time – humans must identify and code ALL possible scenarios.
• System must still interact with ATC, ARTCC, …
Courtesy of the Boeing Company
NASA – Crash Course - Lessons Learned from Accidents involving Remotely Piloted and Autonomous Vehicles 2013

On-board Avionic Systems
• Controls the vehicle (Flight Controls)
• Navigates the vehicle (Guidance)
• Controls subsystems (Subsystem Control)
• Adapts to emergencies (Contingency Management)
Safety/Reliability Criteria
• MAC PLOC < 1×10^-5 (CAC < 1×10^-10)
• MAC PLOA < 1×10^-6 (CAC < 1×10^-9)
• MR > 0.9
MAC – Military Aircraft
CAC – Commercial Aircraft
These drive the architecture and design, and reliability is allocated to all levels of the aircraft

Mission Avionics
• Tested to assure ability to acquire and transmit information
• Weapons require man in the loop
  • Drives communication reliability
• Real time data is paramount
  • Pipes must be large enough to handle detailed data
• Must be able to detect on-board MS failures or respond to commanded RTB
• Usage Profiles
  • Aerial Surveillance
  • Communication Relay
  • Surveying
    o Oil and Gas
    o Archeology
    o Disaster Assessment
  • Motion Pictures
  • Military Cargo Transport

Flight Control
• Ability to navigate/fly mission with or without update and in the event of communication loss follow the embedded protocol
• Requires extensive mission planning for way points and flight variables (speed, altitude, etc.)
• Human reliability in the mission planning process becomes critical
• Requires significant testing to assure safety of flight out-bound or in-bound over friendly territory and minimize potential loss in Indian country.
• Autocode generation can reduce general errors – Unique errors can still exist if ground rules and assumptions are wrong
• Primary VMS software functions:
  • Autonomously controls the air vehicle
  • Implements Redundancy Management (RM) and Contingency Management (CM)
  • Interfaces with air vehicle's Avionics subsystems
  • Interfaces with Mission Management System Computer
  • Supports the operational modes
• Requires Ground Support Station(s) and Communications to perform Mission
Software does not fly the air vehicle – hardware does

RPV
• Single-Dual architecture with direct link
• Must make allowances for lag time in communication and command and control
• Potential for loss of vehicle is high given the generalized failure mechanisms and modes even when including attributes of auto RTB
  • High winds
  • Gusting winds
  • Single point failures
• See and Avoid not used in Indian country
  • Must be able to follow ARTCC or ATC commands
  • Or
  • Must be within visual range at all times
• Loss of Navigation
  • Flew East and kept on flying
• Loss of Control
  • Changed flight station – engine shut off

UAV
• Triplex-Quad, majority voting
• Ability to resync
  • CCDL (Common Computer Data Link)
  • Commanded Reset
  • Commanded Power Cycle
• Ability to update or redirect aircraft is considered a prime requirement
• Satellite like reliability for long endurance
  • Robustness
  • Redundancy
    o Functional
    o Actual
• Microprocessor and Memory driven
The Boeing Company

Example
• Post crash analysis
  • 157 single point failures
    o Single noise transient on power bus would reset both computers
    o Jammed or frozen or loss of a flight control surface would result in inability of AC to fly to way points
    o To auto balance fuel – open port between main tanks – no bank control of fuel
    o Single actuation of LG doors – single failure in string would result in inability to lower landing gear
    o Common software could result in inflight loss of control
• Flight Control system is critical for unconditionally unstable aircraft
Lockheed Martin

Reliability/Architectural Drivers
• Duration
• Safety
  • Category 1 Hull Loss
    o PLOA
    o PLOC
  • CAT 2 Major Damage
• Mission Criticality
  • Danger Close
  • ISR
Yicheng Zhang, Tianmiao Wang, Jianhong Liang, Chaolei Wang, Yang Chen, Yi Zhou, Yubao Luan, Han Gao, "An Implement of RPV Control System for Small Unmanned Helicopters", Proceedings of the 2012 IEEE International Conference on Robotics and Biomimetics, December 11-14, 2012, Guangzhou, China

Two Major Types of Avionics On Board and Ground Flight Control
• Mission
  • AC management
  • Mission Package - Supplier built (e.g., EO/IR, SCR, SAR, etc.)
  • Communications
• Flight Control
  • Navigation
  • Engine control (FADEC)
  • Fuel control (CG)
• Communication is THE major link
• One or two stations
  • Fully redundant controls
  • Capability to split workload
    o Flight
    o Mission Package
"CBP unmanned aerial vehicle control" by Gerald Nino, CBP, U.S. Dept. of Homeland Security - CBP

Generalized Example
• Mission Duration – 4 hours
• Range >500 nm
• Intermediate operating altitude
• ISR mission type
• MR>0.9
• Autonomous Operation with inflight route planning updates
• Autonomous landing and take off under control of ATC
[Figure: block diagram. Blocks: Communication, Navigation, Command & Control, Mission Plan, Flight Control (inner loops), Redundancy & Contingency Management, Subsystem Control (Propulsion, Fuel, ECS), Subsystem H/W Interface. Signals: PLA Commands, Actuator Commands, Waypoints, CM Monitor Status (Set / Clear), Autonomous Actions.]

Microprocessor/Memory Failure
• Structure
  • Internal registers
  • I/O registers
  • Cache
  • Memories
• Level of damage
  • Upset
  • Latch up
  • Burnout
• Error Detection Codes
  • Can slow down processor
  • If encryption is involved makes processing worse
• Need for CCDL (Cross Channel Data link) to monitor and resync microprocessors
• Current technologies are too oriented to consumer market to be usable by aerospace

UAV/RPV Computing Basic Structure
• Isolation layer prevents OS from becoming corrupted
• Isolation provides interface between API
• OS is both control and real time
• System is run synchronously to prevent race conditions and to ensure proper timing for critical events
[Figure: layered stack, top to bottom: App 1, App 2, … App n-1, App n; Operating System; Isolation Layer; HW blocks labelled HW Test, CCDL, Timers, Clock, Memory, Discretes.]

SW Systems
• Synchronous (Command and Control)
• Asynchronous (Emergent operation and independent sensor)
• Master/Slave (Provides a who is driving)
• Majority Voting (Ensures that single failures do not affect operation)
• Mediator to assess failure conditions and force fights between asynchronous operation
• Extensive use made of prior history for:
  • Simulation
  • Emulation
  • Autocode Generation
  • Envelope testing
  • Parametric Testing
  • Use Case Testing
  • Simulation of element out conditions
    o Communication
    o Flight control
    o Engine control

Reliability Of HALE Aircraft
• Mission Reliability for long duration aircraft can no longer be based on mean time to failure (exponential distribution)
• Recommend use of failure distributions:
  • Gaussian (Normal)
  • Weibull, Beta>1
  • Log-Normal
  • Exponential (Limited)
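
A worked comparison of the point above, as an added example that is not part of the original slides: it sets the constant-hazard (exponential) model against a wear-out Weibull (Beta>1) model with the same mean life, checks both against the MR>0.9 criterion, and shows the effect of triplex majority voting. The 1000-hour mean life, Beta = 2, the 1500-hour point, channel independence and all function names are assumptions; the 1, 6 and 120 hour points come from the Duration row of the operating requirements table.

```python
import math

# Assumed figure, not from the slides: mean life of one avionics channel.
MEAN_LIFE_H = 1000.0

def r_exponential(t, mean_life=MEAN_LIFE_H):
    """Constant-hazard reliability R(t) = exp(-t / MTTF)."""
    return math.exp(-t / mean_life)

def r_weibull(t, beta=2.0, mean_life=MEAN_LIFE_H):
    """Weibull reliability R(t) = exp(-(t/eta)^beta); beta > 1 models wear-out.
    eta is set so the mean matches: mean = eta * Gamma(1 + 1/beta)."""
    eta = mean_life / math.gamma(1.0 + 1.0 / beta)
    return math.exp(-((t / eta) ** beta))

def r_2oo3(r):
    """Triplex majority vote: up if at least 2 of 3 channels are up.
    Assumes independent channels (no common power bus or software fault)."""
    return 3 * r**2 - 2 * r**3

def max_duration(rel_fn, target=0.9, hi=1e6):
    """Longest mission (hours) that still meets the target, by bisection."""
    lo = 0.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if rel_fn(mid) >= target:
            lo = mid
        else:
            hi = mid
    return lo

def compare(durations=(1, 6, 120, 1500)):
    """Rows of (hours, exponential, Weibull, 2oo3 exponential, 2oo3 Weibull)."""
    rows = []
    for t in durations:
        e, w = r_exponential(t), r_weibull(t)
        rows.append((t, e, w, r_2oo3(e), r_2oo3(w)))
    return rows

if __name__ == "__main__":
    for t, e, w, e3, w3 in compare():
        print(f"{t:>5} h  exp={e:.4f}  weibull={w:.4f}  "
              f"2oo3(exp)={e3:.4f}  2oo3(weibull)={w3:.4f}")
    print("longest mission with MR>=0.9:",
          round(max_duration(r_exponential), 1), "h exponential,",
          round(max_duration(r_weibull), 1), "h Weibull")
```

With these assumed parameters the exponential model understates reliability early in life and overstates it past the mean life, which is why a single MTTF figure misleads for long-duration missions.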
Use Dominant Failure Modes to Assess Reliability
Failure Mode | Factor | Distribution
Structural failure (catastrophic) | Time | Normal
Binding or jamming | Time Stress | Normal
Fatigue | Time, cycles, stress | Normal
Fails to remain in position (Drift) | Time, cycles | Normal
Leakage | Wear, Corrosion | Normal
Fails closed | Jam, wear, time | Normal
Fails open | Jam, wear, time | Normal
Out of tolerance (high/low) | | Weibull
Open Circuit-Electrical | Random | Exponential
Short Circuit-Electrical | Random | Exponential
Fails to Operate | Time | Weibull
Intermittent operation | Random | Exponential
Reduced flow | Time | Weibull
Erratic operation | Random | Exponential
Erroneous failure indication (false positive/negative) | Random | Exponential
Fails to start | Time | Binomial
Incorrect Timing | Random |
Fails to Charge | Time, Chemistry | Weibull
Overheat | Time, cycles | Normal
Fails to charge | Time, cycles | Normal
Over/Under Pressure | Operational Use | Normal
Output Open, Short or floating - Electronic | Time - physics | Weibull
Dielectric Leakage (electrical) | Time, Chemical Degradation | Weibull
Solder | Creep, fatigue | Weibull
CONCLUSION

Unmanned Aircraft
• Have and continue to be a future for aviation
• Require focused design and development for ‘removing the human from the aircraft’
• Can do some flying that humans can’t
• Demands extensive testing for verification and validation
• Requires man plan for ALL contingencies
• Automation is the source of loss of sharpness of pilots
• RPV pilots can’t ‘feel’ the aircraft
• Lag time between command and execution can be hazardous
• Long Duration demands much higher reliability to achieve safety and high probability of mission success