Systems and Software Research for Safety-Critical Aviation Systems - PowerPoint PPT Presentation


1
Systems and Software Research for Safety-Critical
Aviation Systems
  • Helen Gill, Ph.D.
  • CISE/CNS
  • National Science Foundation

2
Aviation Context for Safety-Critical Software and
Systems Research
  • Vehicle technology research
  • Platforms: materials, fuel-efficiency, range, ...
  • Hypersonics, supersonics, subsonics, rotorcraft, ...
  • Software-integrated systems, software control
  • Today's US airspace and flight experience
  • UAV progress: Access5, Unite Alliance, National
    Institute of Aerospace
  • High altitude, long endurance vehicles
  • Growing civilian usage
  • Commercial aviation
  • Industry under economic duress
  • Concentration at hubs
  • CIP/TSA waiting queues
  • Airspace configuration and management progress?

3
Aviation Context (continued)
  • Tomorrow's civilian airspace? (capacity/structure)
  • Large scale, long range transport,
    transatlantic/global regulation?
  • Shuttles/commuters, business jet cooperatives,
    air taxis, ...
  • Mandatory technology increase for general
    aviation
  • Wider UAV deployment (mixed airspace?)
  • Technology-enabled GPS/satellite navigation, CA
    systems
  • Consequences for software certification
  • More systems components will be safety-critical
  • Increased automation required to support capacity
    (reduced separation)
  • Technology push to increase pace, decrease cost
    of certification
  • More aircraft configurations to certify
  • Global compliance requirements

4
Aviation Systems as Critical Infrastructure
TECHNOLOGY READINESS LEVELS
  • TRL 1: Basic principles observed and reported
  • TRL 2: Technology concept and/or application
    formulated
  • TRL 3: Analytical and experimental critical
    function and/or characteristic proof-of-concept
  • TRL 4: Component and/or breadboard validation in
    laboratory environment
  • TRL 5: Component and/or breadboard validation in
    relevant environment
  • TRL 6: System/subsystem model or prototype
    demonstration in a relevant environment (ground or
    space)
  • TRL 7: System prototype demonstration in a space
    environment
  • TRL 8: Actual system completed and flight
    qualified through test and demonstration (ground or
    space)
  • TRL 9: Actual system flight proven through
    successful mission operations
Source: A White Paper, April 6, 1995, John C. Mankins,
Advanced Concepts Office, Office of Space Access
and Technology, NASA
  • Requirement for secure, available systems
  • Robustness
  • No essential flaws in safety design
  • Software
  • How can we be sure?
  • System and Software
  • How can we be sure?
  • What is the future for evaluated products?

5
Federal Activities towards Critical
Infrastructure Protection
  • HSPD-7
  • ISACs, NIPP, SCCs, etc.
  • CIP R&D Planning
  • National CIP R&D Plan
  • CIIP R&D Plan
  • NSTC Committee structure
  • CT: Committee on Technology
  • Networking, IT R&D Subcommittee
  • Infrastructure Subcommittee
  • Critical Information Infrastructure Protection
    Interagency Working Group (to be renamed)
  • NITRD High Confidence Software and Systems
    Coordinating Group

[Organization chart: NSTC; CT, HNS; NITRD, Infrastructure; HEC, CIIP, HCSS]
6
National CIP R&D Plan, April 8, 2005
  • NCIP R&D Roadmap identifies three strategic
    goals
  • National Common Operating Picture
  • Secure National Communication Network
  • Resilient, Self-Healing, Self-Diagnosing
    Infrastructure
  • Themes
  • Detection and Sensor Systems
  • Protection and Prevention
  • Entry and Access Portals
  • Insider Threats
  • Analysis and Decision Support Systems
  • Response, Recovery, and Reconstitution
  • New and Emerging Threats and Vulnerabilities
  • Advanced Infrastructure Architectures and
    Systems Design
  • Human and Social Issues

http://www.bfrl.nist.gov/PSSIWG/documents/2004NCIP_RD_Plan_FINAL.pdf
7
Some Grand Challenges
  • Medical devices and systems of the future
  • Now: practitioner closes the loop; sensor feeds
    to TV monitor, manual settings
  • Future: closed-loop patient monitoring and
    delivery systems, plug-and-play operating
    rooms/ICUs/home care
  • Flight-critical aviation systems of the future
  • Now: federated designs, pilot closes the loop
  • Future: integrated designs, autonomy vs. pilot
    control
  • SCADA systems of the future
  • Now: telemetry, sensor feeds to control center,
    centralized decision support
  • Future: hierarchical, decentralized,
    highly-automated, market/policy driven,
    closed-loop supervisory control

Now: information-centric, human-closes-loop,
distributed a priori, soft real-time, not
secured. Future: feedback control, open and
hierarchical supervisory control, mobile,
aggregated, soft and hard real-time, secured.
8
Technology Grand Challenges
  • Property and mechanism composition for dependable
    systems of all kinds: single, composite, and ad
    hoc aggregations of (RT, FT, secure)
  • Cooperative distributed/aggregated systems
    (systems technology for aggregated systems)
  • Robust, self-checking, self-healing, controllable
    systems (computation and control)
  • Evidence-based design and composition technology,
    to produce systems with certifiably dependable
    behavior

Dependable technology for an already-emerging
class of future, critical systems
9
Cross-cutting Technical Challenges
  • Future distributed, real-time embedded system
    characteristics/requirements
  • Open, reconfigurable topology, group membership
  • Styles: integrated, peer-to-peer, plug and
    play, service-oriented
  • Fixed/mobile, RF/optical/wired/wireless
    networking modalities
  • Mixed-initiative and highly autonomous operation
  • Complex multi-modal behavior, discrete-continuous
    (hybrid) control
  • Reconfigurable, multi-hierarchy supervisory
    control: vertical and horizontal interoperation
  • End-to-end security, self-healing
  • System certification
  • Status: many experimental systems, some science
  • Interesting results, but not yet a principled
    science/engineering base
  • Focus on situation awareness, sensor nets, and
    simulation, not control infrastructure

10
Embedded Software and System Control Problem:
Closing the loop around combined behaviors
[Diagram: Physical/Biological/Engineered System (state: kinematic, thermal, electromagnetic, optical, chemical, ...; stability; phase; energy production, consumption) linked by sensing (latency) and actuation (frequency) to Control Software (coordination; mode, thread switching; periodic calculation; execution rate; dynamic scheduling, resource management; energy management), running on a Hardware Platform for Processing and Networking (clock rate, voltage scaling, latency, bandwidth)]
11
Research Goal: Assured Systems Software
Technology Base
  • Coordinated control systems applications
  • Unmanned autonomous air vehicles, automotive
    applications
  • SCADA systems for power grid, pipeline control
  • Remote, tele-operated surgery?
  • OR, ICU, EMT of the future?
  • Nano/bio devices?
  • Key areas for potential research
  • Open control platforms
  • Reconfigurable coordinated control
  • Computational and networking substrate
  • Assured RTOS, networking, ...
  • Middleware
  • Virtual machines

12
Specific Challenges for Hybrid Systems
  • Multi-system/multi-modal supervisory control
  • Dynamically aggregated multi-hierarchy
    supervisory control
  • Beyond stability: time-bounded convergence
  • Safe complex transition
  • Accommodating multi-system uncertainty
  • Implications of tractable computational methods
    for modal structure
  • Useable design considerations for modal
    structure

13
Report Card: Software Certification TRL?
  • Analysis tools (4?)
  • Significant progress, acceptance of static
    analysis
  • C, C++, Java remain challenging
  • Model checking viable for bug-finding
  • System software technology base (2)
  • Evaluated products not in sight, NIAP
    notwithstanding; lack of systematic safety
    evaluation
  • RTOS, VM, middleware chaos
  • Lack of integration of security, safety, fault
    tolerance, real-time technology
  • Certification for adaptive systems (1)
  • Model acquisition
  • Mode transition, reconfiguration

14
Certification Challenges: Tools for Assured
Applications
  • Comprehensive safety design, analysis
  • Failure modes and effects analysis tool chain,
    system and software
  • Software design for failure modes

15
HCSS and NSF/CISE Actions
16
NITRD HCSS Coordinating Group Assessment Actions
  • National workshops on
  • High Confidence Medical Device Software and
    Systems (HCMDSS)
  • Planning Workshop, Arlington VA, November 2004,
    http://www.cis.upenn.edu/hasten/hcmdss-planning/
  • National R&D Road-mapping Workshop, Philadelphia,
    Pennsylvania, June 2005, http://www.cis.upenn.edu/hcmdss/
  • High Confidence Aviation Systems (title TBD)
  • Planning Workshop, Seattle, WA, November 21-22,
    2005
  • National R&D Road-mapping Workshop, venue TBD,
    June/July 2006
  • High Confidence Critical Infrastructures: The
    Electric Power Grid Beyond SCADA
  • Planning
  • EU-US Planning meeting, October 2005
  • US Planning Workshop, Washington, DC,
    November-December 2005
  • Workshops
  • US National R&D Road-mapping Workshop, venue TBD,
    March 2006
  • EU-US Workshop, Framework Program 7 linkage

17
NITRD HCSS Coordinating Group Assessment Actions
(continued)
  • Backdrop
  • NSF/OSTP Critical Infrastructure Protection
    Workshop, Leesburg, VA, September 2002,
    http://www.eecs.berkeley.edu/CIP/
  • NSF Workshop on CIP for SCADA, Minneapolis MN,
    October 2003,
    http://www.adventiumlabs.org/NSF-SCADA-IT-Workshop/index.html
  • National Academies study: Sufficient Evidence?
    Design for Certifiably Dependable Systems,
    http://www7.nationalacademies.org/cstb/project_dependable.html
  • HCSS real-time operating systems research needs
    assessment
  • Real-time embedded systems information technology
    base evaluation and prospectus, September-October
    2005
  • Scope: secure RTOS, virtual machines, middleware
  • Industry input (NDA)
  • System integration houses, labs, FFRDCs, ...
  • RTOS/middleware vendor perspective, OMG
  • National Coordination Office summary report(s)
    derived from workshops, industry input sessions,
    NAS study

18
Conclusion: A Possible PSERC Research Agenda?
  • Exploit renewables and distributed
    generation/micro-grid research as CIP
    breakthrough opportunity. Why?
  • Concept development hotbed for systems of secure,
    distributed, real-time embedded systems
  • Vector for change via new and emerging markets,
    decentralization
  • Fosters US competitiveness in control systems and
    embedded systems technologies
  • Foster multi-disciplinary work that includes the
    IT research community. Why?
  • Leverage investment multiplier
  • NSF CISE-ENG grass-roots enthusiasm for
    cooperation in this area (Tomsovic, Baheti,
    Schwartzkopf, Rodriguez, Rotea, Gill, ...)
  • Initial NSF/DoE/DHS cooperation for secure
    electric power systems (Cyber Trust)
  • Who else will do this?

19
So Far: NSF CISE Investments in Critical
Infrastructure, Power Systems
  • CISE/CNS Computer Systems Research Program
  • Embedded and Hybrid Systems disciplinary area
  • (Watch for new emphasis areas in FY 2006
    announcement)
  • CISE/CNS Networking Research
  • Clean Slate Internet research initiative
  • Planning grant study on real-time networking
    for critical infrastructures
  • NSF Science and Technology Center TRUST
  • UC Berkeley, with Vanderbilt, Cornell, Stanford,
    CMU, ...
  • http://trust.eecs.berkeley.edu/
  • Engineering Research Centers: current competition
  • Information Technology Research: competition
    ended, active grants remain (EU-US linkages, G.3
    and D.4)
  • Center for Hybrid and Embedded Systems (CHESS),
    UC Berkeley
  • Secure and Robust IT Architectures to Improve
    Survivability of the Power Grid, CMU/WSU
  • Multi-Layered Architecture for Reliable and
    Secure Large-Scale Networks, CMU
  • Infrastructure Programs
  • Major Research Infrastructure: Laboratory to
    Study FACTS Device Interactions, U. of Missouri
    at Rolla
  • Cyber Trust (FY 2005 Center-Scale portfolio, TBA
    2-3 weeks)

20
Thank you
21
High-Confidence Software and Systems (HCSS)
Agencies
  • Air Force Research Laboratories
  • Army Research Office
  • Defense Advanced Research Projects Agency
  • Department of Energy
  • Federal Aviation Administration
  • Food and Drug Administration
  • National Air Space Administration
  • National Institutes of Health
  • National Institute of Science and Technology
  • National Science Foundation
  • National Security Agency
  • Office of Naval Research
  • Cooperating agencies