Victor Carreño

A formal methods approach to the analysis of mode confusion

The goal of the new NASA Aviation Safety Program (AvSP) is to reduce the civil aviation fatal accident rate by 80% in ten years and 90% in twenty years. This program is being driven by the accident data with a focus on the most recent history. Pilot error is the most commonly cited cause for fatal accidents (up to 70%) and obviously must be given major consideration in this program. While the greatest source of pilot error is the loss of situation awareness, mode confusion is increasingly becoming a major contributor as well. This paper will explore how formal models and analyses can be used to help eliminate mode confusion from flight deck designs and at the same time increase our confidence in the safety of the implementation. The paper is based upon interim results from a new project involving NASA Langley and Rockwell Collins in applying formal methods to a realistic business jet Flight Guidance System (FGS).

Simulated fault injection: a methodology to evaluate fault tolerant microprocessor architectures

A simulation-based fault-injection methodology for validating fault-tolerant microprocessor architectures is described. The approach uses mixed-mode simulation (electrical/logic analysis), and injects transient errors in run-time to assess the resulting fault-impact. To exemplify the methodology, a fault-tolerant architecture which models the digital aspects of a dual-channel, real-time jet-engine controller is used. The level of effectiveness of the dual configuration with respect to single and multiple transients is measured. The results indicate 100% coverage of single transients. Approximately 12% of the multiple transients affect both channels; none result in controller failure since two additional levels of redundancy exist. >

A Fault Behavior Model for an Avionic Microprocessor: A Case Study

This paper describes an experimental analysis of the impact of transient faults on a microprocessor-based jet-engine controller, used in the Boeing 747 and 757 aircrafts. A hierarchical simulation environment based on SPLICE which allows the injection of transients during run-time and, the tracing of their impact is described. Results show that given a transient fault, there is approximately an 80% chance that there is no impact on the chip. If no latch-errors occur within 8 clock cycles, no significant damage is likely to happen. Thus, the overall impact of a transient is well contained. An empirical model is also derived to identify and isolate the critical fault propagation paths, the module most sensitive to fault propagation and, the module with the highest potential of causing external pin-errors.

Formal verification of conflict detection algorithms

Abstract.Safety assessment of new air traffic management systems is a main issue for civil aviation authorities. Standard techniques such as testing and simulation have serious limitations in new systems that are significantly more autonomous than the older ones. In this paper, we present an innovative approach for establishing the correctness of conflict detection systems. Fundamental to our approach is the concept of trajectory, and how we represent a continuous physical trajectory by a continuous path in the x-y plane constrained by physical laws and operational requirements. From the model of trajectories, we extract, and formally prove, high-level properties that can serve as a framework to analyze conflict scenarios. We use the AILS (Airborne Information for Lateral Spacing) alerting algorithm as a case study of our approach.

Formal analysis of the operational concept for the small aircraft transportation system

The Small Aircraft Transportation System (SATS) is a NASA project aimed at increasing access to small non-towered non-radar airports in the US. SATS is a radical new approach to air traffic management where pilots flying instrument flight rules are responsible for separation without air traffic control services. In this paper, the SATS project serves as a case study of an operational air traffic concept that has been designed and analyzed primarily using formal techniques. The SATS concept of operations is modeled using non-deterministic, asynchronous transition systems, which are then formally analyzed using state exploration techniques. The objective of the analysis is to show, in a mathematical framework, that the concept of operation complies with a set of safety requirements such as absence of dead-locks, maintaining aircraft separation, and robustness with respect to the occurrence of off-nominal events. The models also serve as design tools. Indeed, they were used to configure the nominal flight procedures and the geometry of the SATS airspace.

Modeling and verification of an air traffic concept of operations

A high level model of the concept of operations of NASAs Small Aircraft Transportation System for Higher Volume Operations (SATS-HVO) is presented. The model is a non-deterministic, asynchronous transition system. It provides a robust notion of safety that relies on the logic of the concept rather than on physical constraints such as aircraft performances. Several safety properties were established on this model. The modeling and verification effort resulted in the identification of 9 issues, including one major flaw, in the original concept. Ten recommendations were made to the SATS-HVO concept development working group. All the recommendations were accepted and incorporated into the current concept of operations. The model was written in PVS. The verification is performed using an explicit state exploration algorithm written and proven correct in PVS.

A case-study application of RTCA DO-254: design assurance guidance for airborne electronic hardware

In a joint project with the FAA, NASA Langley is developing a hardware design in accordance with RTCA DO-254: Design Assurance Guidance for Airborne Electronic Hardware. The purpose of the case study is to gain understanding of the new guidance document and generate an example suitable for use in training. For the case study, we have selected a core subsystem of the Scalable Processor-Independent Design for Electromagnetic Resilience (SPIDER). SPIDER is a new fault-tolerant architecture under development at NASA Langley Research Center.

Safety Verification of the Small Aircraft Transportation System Concept of Operations

A critical factor in the adoption of any new aeronautical technology or concept of operation is safety. Traditionally, safety verification is accomplished through a rigorous process that involves human factors, low and high fidelity simulations, and flight experiments. As this process is usually performed on final products or functional prototypes, concept modifications resulting from this process are very expensive to implement. This paper describes an approach to system safety that can take place at early stages of a concept design. It is based on a set of mathematical techniques and tools known as formal methods .I n contrast to testing and simulation, formal methods provide the capability of exhaustive state exploration analysis. We present the safety analysis and verification performed for the Small Aircraft Transportation System (SATS) Concept of Operations (ConOps). The concept of operations is modeled using discrete and hybrid mathematical models. These models are then analyzed using formal methods. The objective of the analysis is to show, in a mathematical framework, that the concept of operation complies with a set of safety requirements. It is also shown that the ConOps has some desirable characteristic such as liveness and absence of dead-lock. The analysis and verification is performed in the Prototype Verification System (PVS), which is a computer based specification language and a theorem proving assistant.

FOCUS: an experimental environment for validation of fault-tolerant systems-case study of a jet-engine controller

A simulation environment that allows the run-time injection of transient and permanent faults and the assessment of their impact in complex systems is described. The error data from the simulation are automatically fed into the analysis software in order to quantify the fault-tolerance of the system under test. The features of the environment are illustrated with case study of a fault-tolerant, dual-configuration real-time jet engine controller. The entire controller, described at the logic and functional levels, is simulated, and transient fault injections are performed. In the controller, fault detection and reconfiguration are performed by transactions over the communication links. The simulation consists of the instructions specifically designed to exercise this cross-channel communication. The level of effectiveness of the dual configuration of the system to single and multiple transient errors is measured. The results are used to identify critical design aspects from a fault-tolerance viewpoint.<<ETX>>

Conflict Prevention and Separation Assurance Method in the Small Aircraft Transportation System

A multilayer approach to the prevention of conflicts due to the loss of aircraft -to -aircraft separation which relies on procedures and on -board automation was implemented as part of the SATS HVO Concept of Operations. The multilayer system gives pilots support and guidance during the execution of normal operations and advance warning for procedure deviations or off -nominal operations. This paper describes the major concept elements of this multilayer approach to separation assurance and conflict prevention and provides the rationale for its design. All the algorithms and functionality described in this paper have been implemented in an aircraft simulation in the NASA Langley Research Center’s Air Traffic Operation Lab and on the NASA Cirrus SR22 research aircraft.