Jeffrey M. Maddalon
Langley Research Center
Publication
Featured research published by Jeffrey M. Maddalon.
formal modeling and analysis of timed systems | 2004
Paul S. Miner; Alfons Geser; Lee Pike; Jeffrey M. Maddalon
Davies and Wakerly show that Byzantine fault tolerance can be achieved by a cascade of broadcasts and middle value select functions. We present an extension of the Davies and Wakerly protocol, the unified protocol, and its proof of correctness. We prove that it satisfies validity and agreement properties for communication of exact values. We then introduce bounded communication error into the model. Inexact communication is inherent for clock synchronization protocols. We prove that validity and agreement properties hold for inexact communication, and that exact communication is a special case. As a running example, we illustrate the unified protocol using the SPIDER family of fault-tolerant architectures. In particular we demonstrate that the SPIDER interactive consistency, distributed diagnosis, and clock synchronization protocols are instances of the unified protocol.
theorem proving in higher order logics | 2004
Lee Pike; Jeffrey M. Maddalon; Paul S. Miner; Alfons Geser
Four kinds of abstraction for the design and analysis of fault-tolerant distributed systems are discussed. These abstractions concern system messages, faults, fault-masking voting, and communication. The abstractions are formalized in higher-order logic, and are intended to facilitate specifying and verifying such systems in higher-order theorem-provers.
11th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference | 2011
George E. Hagen; Ricky W. Butler; Jeffrey M. Maddalon
In this paper we introduce Stratway, a modular approach to finding long-term strategic resolutions to conflicts between aircraft. The modular approach provides both advantages and disadvantages. Our primary concern is to investigate the implications on the verification of safety-critical properties of a strategic resolution algorithm. By partitioning the problem into verifiable modules, much stronger verification claims can be established. Since strategic resolution involves searching for solutions over an enormous state space, Stratway, like most similar algorithms, searches these spaces by applying heuristics, which present especially difficult verification challenges. An advantage of a modular approach is that it makes a clear distinction between the resolution function and the trajectory generation function. This allows the resolution computation to be independent of any particular vehicle. The Stratway algorithm was developed in both Java and C++ and is available through an open source license. Additionally there is a visualization application that is helpful when analyzing and quickly creating conflict scenarios.
ieee/aiaa digital avionics systems conference | 2006
Kelly J. Hayhurst; Jeffrey M. Maddalon; Paul S. Miner; Michael DeWalt; G. McCormick
Use of unmanned aircraft systems (UASs) has been characterized as the next great step forward in the evolution of civil aviation. Indeed, UASs are in limited civil use in the United States today, and many believe that the time is rapidly approaching when they will move into the commercial marketplace, too. To make this a reality, a number of challenges must be overcome to develop the necessary regulatory framework for assuring safe operation of this special class of aircraft. This paper discusses some of what must be done to establish that framework. In particular, we examine hazards specific to the design, operation, and flight crew of UASs, and discuss implications of these hazards for existing policy and guidance. Understanding unique characteristics of UASs that pose new hazards is essential to developing a cogent argument, and the corresponding regulatory framework, for safely integrating these aircraft into civil airspace.
international conference on unmanned aircraft systems | 2015
Kelly J. Hayhurst; Jeffrey M. Maddalon; Natasha A. Neogi; Harry A. Verstynen
While incremental steps are being taken to integrate unmanned aircraft systems (UAS) into the various national airspace systems, much work remains to establish appropriate regulatory infrastructure that allows UAS larger than 55 lb to operate for commerce or hire. The magnitude of that effort is compounded by the wide-ranging variety of UAS types and possible applications, as well as the diversity in quality and provenance of UAS components. The FAA has suggested developing design standards tailored to specific applications and operating environments as an approach to facilitate integration and safe operation of some UAS. This paper introduces a case study to investigate design standards for a midsize unmanned rotorcraft operating in a rural environment. A key aspect of this study is the concept of using a certifiable containment system, different from a conventional geofencing application, to ensure that the unmanned aircraft does not escape its intended operational area. The proposed assured containment system is expected to reduce the effort needed to regulate some UAS that could not currently meet rigorous aircraft design standards and fall outside of the parameters for operation outlined in the proposed small UAS rule. This paper discusses how assured containment may be a useful approach to limiting risk and reducing an otherwise prohibitive certification burden to enable UAS operations in confined areas. The case study examines the potential effect the assured containment approach might have on airworthiness certification requirements.
AIAA Infotech@Aerospace (I@A) Conference | 2013
Jeffrey M. Maddalon; Kelly J. Hayhurst; A. Terry Morris; Harry A. Verstynen
The use of unmanned aircraft in the National Airspace System (NAS) has been characterized as the next great step forward in the evolution of civil aviation. Although use of unmanned aircraft systems (UAS) in military and public service operations is proliferating, civil use of UAS remains limited in the United States today. This report focuses on one particular regulatory challenge: classifying UAS to assign airworthiness standards. Classification is useful for ensuring that meaningful differences in design are accommodated by certification to different standards, and that aircraft with similar risk profiles are held to similar standards. This paper provides observations related to how the current regulations for classifying manned aircraft, based on dimensions of aircraft class and operational aircraft categories, could apply to UAS. This report finds that existing aircraft classes are well aligned with the types of UAS that currently exist; however, the operational categories are more difficult to align to proposed UAS use in the NAS. Specifically, the factors used to group manned aircraft into similar risk profiles do not necessarily capture all relevant UAS risks. UAS classification is investigated through gathering approaches to classification from a broad spectrum of organizations, and then identifying and evaluating the classification factors from these approaches. This initial investigation concludes that factors in addition to those currently used today to group manned aircraft for the purpose of assigning airworthiness standards will be needed to adequately capture risks associated with UAS and their operations.
9th AIAA Aviation Technology, Integration, and Operations Conference (ATIO) | 2009
Jeffrey M. Maddalon; Ricky W. Butler; Cesar A. Munoz; Gilles Dowek
In air traffic management, conflict prevention information refers to the guidance maneuvers that, if taken, ensure that an aircraft's path is conflict-free. These guidance maneuvers take the form of changes to track angle or ground speed. Conflict prevention information may be assembled into prevention bands that advise the crew on maneuvers that should not be taken. Unlike conflict resolution systems, which presume that the aircraft already has a conflict, conflict prevention systems show conflicts for any maneuver, giving the pilot confidence that if a maneuver is made, then no near-term conflicts will result. Because near-term conflicts can lead to safety concerns, strong verification of information correctness is required. This paper presents a mathematical framework to analyze the correctness of algorithms that produce conflict prevention information incorporating an arbitrary number of traffic aircraft and with both near-term and intermediate-term lookahead times. The framework is illustrated with a formally verified algorithm for 2-dimensional track angle prevention bands.
international conference on unmanned aircraft systems | 2016
Natasha A. Neogi; Kelly J. Hayhurst; Jeffrey M. Maddalon; Harry A. Verstynen
This paper discusses results from a recent study that investigates certification requirements for an unmanned rotorcraft performing agricultural application operations. The process of determining appropriate requirements using a risk-centric approach revealed a number of challenges that could impact larger UAS standardization efforts. Fundamental challenges include selecting the correct level of abstraction for requirements to permit design flexibility, transforming human-centric operational requirements to aircraft airworthiness requirements, and assessing all hazards associated with the operation.
17th AIAA Aviation Technology, Integration, and Operations Conference | 2017
Nelson M. Guerreiro; Denise R. Jones; Bryan E. Barmore; Ricky W. Butler; George E. Hagen; Jeffrey M. Maddalon; Nash'at N. Ahmad
Trajectory-based operations (TBO) is a key concept in the Next Generation Air Transportation System transformation of the National Airspace System (NAS) that will increase the predictability and stability of traffic flows, support a common operational picture through the use of digital data sharing, facilitate more effective collaborative decision making between airspace users and air navigation service providers, and enable increased levels of integrated automation across the NAS. NASA has been developing trajectory-based systems to improve the efficiency of the NAS during specific phases of flight and is now also exploring Advanced 4-Dimensional Trajectory (4DT) operational concepts that will integrate these technologies and incorporate new technology where needed to create both automation and procedures to support gate-to-gate TBO. A TBO Prototype simulation toolkit has been developed that demonstrates initial functionality of an Advanced 4DT TBO concept. Pilot and controller subject matter experts (SMEs) were brought to the Air Traffic Operations Laboratory at NASA Langley Research Center for discussions on an Advanced 4DT operational concept and were provided an interactive demonstration of the TBO Prototype using four example scenarios. The SMEs provided feedback on potential operational, technological, and procedural opportunities and concerns. This paper describes an Advanced 4DT operational concept, the TBO Prototype, the demonstration scenarios and methods used, and the feedback obtained from the pilot and controller SMEs in this focus group activity.
12th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference and 14th AIAA/ISSMO Multidisciplinary Analysis and Optimization Conference | 2012
Anthony Narkawicz; Cesar A. Munoz; Jeffrey M. Maddalon
This paper analyzes priority rules, such as those in Part 91.113 of the Federal Aviation Regulations. Such rules determine which of two aircraft should maneuver in a given conflict scenario. While the rules in 91.113 are well accepted, other concepts of operation for Next Generation Air Transportation System (NextGen), such as self separation, may allow for different priority rules. A mathematical framework is presented that can be used to analyze a general set of priority rules and enables proofs of important properties. Specific properties considered in this paper include safety, effectiveness, and stability. A set of rules is said to be safe if it ensures that it is never the case that both aircraft have priority. They are effective if exactly one aircraft has priority in every situation. Finally, a set of rules is called stable if it produces compatible results even under small changes to input data.