Systems and Software Research for Safety-Critical Aviation Systems
Helen Gill, Ph.D.
CISE/CNS
National Science Foundation
Aviation Context for Safety-Critical Software and Systems Research
Vehicle technology research
Platforms: materials, fuel-efficiency, range, …
Hypersonics, supersonics, subsonics, rotorcraft, …
Software-integrated systems, software control
Today’s US airspace and flight experience
UAV progress: Access5, Unite Alliance, National Institute of Aerospace
High altitude, long endurance vehicles
Growing civilian usage
Commercial aviation:
Industry under economic duress
Concentration at hubs
CIP/TSA waiting queues
Airspace configuration and management progress: …?
Aviation Context (continued)
Tomorrow’s civilian airspace? (capacity/structure)
Large scale, long range transport, transatlantic/global regulation?
Shuttles/commuters, business jet cooperatives, air taxis, …
Mandatory technology increase for general aviation
Wider UAV deployment, (mixed airspace?)
Technology-enabled: GPS/satellite navigation, CA systems, …
Consequences for software certification:
More systems components will be safety-critical
Increased automation required to support capacity (reduced separation)
Technology push to increase pace, decrease cost of certification
More aircraft configurations to certify
Global compliance requirements
Aviation Systems as Critical Infrastructure
Requirement for secure, available systems
Robustness
No essential flaws in safety design
Software:
How can we be sure?
System and Software:
How can we be sure?
What is the future for evaluated products?
TECHNOLOGY READINESS LEVELS*
TRL 1: Basic principles observed and reported
TRL 2: Technology concept and/or application formulated
TRL 3: Analytical and experimental critical function and/or characteristic proof-of-concept
TRL 4: Component and/or breadboard validation in laboratory environment
TRL 5: Component and/or breadboard validation in relevant environment
TRL 6: System/subsystem model or prototype demonstration in a relevant environment (ground or space)
TRL 7: System prototype demonstration in a space environment
TRL 8: Actual system completed and “flight qualified” through test and demonstration (ground or space)
TRL 9: Actual system “flight proven” through successful mission operations
*A White Paper, April 6, 1995, John C. Mankins, Advanced Concepts Office
Office of Space Access and Technology
NASA
Federal Activities towards Critical Infrastructure Protection
HSPD-7
ISACs, NIPP, SCCs, etc.
CIP R&D Planning
National CIP R&D Plan
CIIP R&D Plan
NSTC Committee structure
CT – Committee on Technology
Networking, IT R&D Subcommittee
Infrastructure Subcommittee
Critical Information Infrastructure Protection Interagency Working Group (to be renamed)
NITRD High Confidence Software and Systems Coordinating Group
(Organization chart: NSTC, CT, NITRD, HEC, CIIP, HCSS, …, Infrastructure, H&NS, …)
National CIP R&D Plan, April 8, 2005
Themes:
Detection and Sensor Systems
Protection and Prevention
Entry and Access Portals
Insider Threats
Analysis and Decision Support Systems
Response, Recovery, and Reconstitution
New and Emerging Threats and Vulnerabilities
Advanced Infrastructure Architectures and Systems Design
Human and Social Issues
NCIP R&D Roadmap identifies three strategic goals:
National Common Operating Picture
Secure National Communication Network
Resilient, Self-Healing, Self-Diagnosing Infrastructure
http://www.bfrl.nist.gov/PSSIWG/documents/2004NCIP_R&D_Plan_FINAL.pdf
Some “Grand Challenges”
Medical devices and systems of the future
Now: Practitioner closes the loop; sensor feeds to TV monitor, manual settings
Future: Closed-loop patient monitoring and delivery systems, “plug and play” operating rooms/ICUs/home care
Flight-critical aviation systems of the future
Now: Federated designs, pilot closes the loop
Future: Integrated designs; autonomy vs. pilot control
SCADA systems of the future
Now: Telemetry, sensor feeds to control center, centralized decision support
Future: Hierarchical, decentralized, highly-automated, market/policy driven, closed-loop + supervisory control
Now: Information-centric, human-closes-loop, distributed a priori, soft real-time, not secured
Future: Feedback control, open and hierarchical supervisory control, mobile, aggregated, soft and hard real-time, secured
Technology Grand Challenges
Property and mechanism composition for dependable systems of all kinds: single, composite, and ad hoc aggregations of (RT, FT, secure)
Cooperative distributed/aggregated systems (systems technology for aggregated systems)
Robust, self-checking, self-healing, controllable systems (computation and control)
Evidence-based design and composition technology, to produce systems with certifiably dependable behavior
Dependable technology for an already-emerging class of future, critical systems
Cross-cutting Technical Challenges
Future distributed, real-time embedded system characteristics/requirements:
Open, reconfigurable topology, group membership
Styles: Integrated, peer-to-peer, “plug and play”, service-oriented
Fixed & mobile, RF/optical/wired/wireless networking modalities
Mixed-initiative and highly autonomous operation
Complex multi-modal behavior, discrete-continuous (hybrid) control
Reconfigurable, multi-hierarchy supervisory control; vertical and horizontal interoperation
End-to-end security, “self-healing”
System certification
Status: many experimental systems, some science
Interesting results, but not yet a principled science/engineering base
Focus on situation awareness, sensor nets, and simulation, not control infrastructure
Embedded Software and System Control Problem
(Figure: closing the loop around the combined behaviors of the control software, the hardware platform, and the physical/biological/engineered system. Control software: mode and thread switching, periodic calculation, execution rate, dynamic scheduling and resource management, energy management. Hardware platform: processing and networking, latency, bandwidth, clock rate, energy production and consumption, voltage scaling. Physical system: sensing, actuation, coordination, state (kinematic, thermal, electromagnetic, optical, chemical, …). Loop properties: frequency, phase, latency, stability.)
Research Goal: Assured Systems Software Technology Base
Coordinated control systems applications
Unmanned autonomous air vehicles, automotive applications
SCADA systems for power grid, pipeline control
Remote, tele-operated surgery?
OR, ICU, EMT of the future?
Nano/bio devices?
…
Key areas for potential research
Open control platforms
Reconfigurable coordinated control
Computational and networking substrate
Assured RTOS, networking,…
Middleware
Virtual machines
Specific Challenges for Hybrid Systems
Multi-system/multi-modal supervisory control
Dynamically “aggregated” multi-hierarchy supervisory control
Beyond stability: time-bounded convergence
Safe complex transition
Accommodating multi-system uncertainty
Implications of tractable computational methods for modal structure
“Useable design” considerations for modal structure
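The control-loop figure earlier in the deck (latency, execution rate, stability) and the “beyond stability: time-bounded convergence” challenge in this list are easier to see on a concrete loop. The following is an added example, not from the slides or from any program they describe; the scalar plant, the gain, the latency values and the settling tolerance are all constructed for illustration. It shows that a proportional loop which settles quickly with no software latency oscillates and overshoots when the command arrives one sample late, and diverges when it arrives two samples late, and it turns the time-bounded convergence question into a check against a deadline.

```python
"""Added example (not from the slides): effect of software latency and
execution rate on the stability and time-bounded convergence of a loop.

Model (constructed for illustration):
  plant       x[k+1] = a*x[k] + b*u_applied[k]
  controller  u[k]   = -K*x[k]              computed from the latest sample
  latency     u_applied[k] = u[k - delay]   delay = whole sample periods
"""
import math
from collections import deque


def discretize(lam, period):
    """Zero-order-hold discretisation of the scalar plant dx/dt = lam*x + u.

    Returns (a, b) for x[k+1] = a*x[k] + b*u[k]. A slower execution rate
    (larger period) pushes a further from 1 for an unstable plant (lam > 0),
    so each sample has to undo more open-loop growth.
    """
    a = math.exp(lam * period)
    b = period if lam == 0 else (a - 1.0) / lam
    return a, b


def simulate(a, b, K, delay, steps, x0=1.0):
    """Trajectory x[0..steps] of the proportional loop with the given latency."""
    x = x0
    traj = [x]
    pending = deque([0.0] * delay)     # commands computed but not yet applied
    for _ in range(steps):
        pending.append(-K * x)         # control law on the current sample
        u_applied = pending.popleft()  # the command `delay` periods old
        x = a * x + b * u_applied
        traj.append(x)
    return traj


def settling_step(traj, tol):
    """First index after which |x| stays within tol, or None if it never does."""
    for k in range(len(traj)):
        if all(abs(v) <= tol for v in traj[k:]):
            return k
    return None


def max_excursion(traj):
    """Largest |x| along the trajectory (overshoot caused by late commands)."""
    return max(abs(v) for v in traj)


def converges_within(a, b, K, delay, deadline, tol):
    """Time-bounded convergence: is |x| within tol by `deadline` steps and after?"""
    traj = simulate(a, b, K, delay, steps=deadline)
    k = settling_step(traj, tol)
    return k is not None and k <= deadline


def max_tolerable_delay(a, b, K, deadline, tol, max_delay=5):
    """Largest latency (in samples) for which the loop still meets the deadline.

    Scans upward and stops at the first failure; None if even delay 0 fails.
    """
    best = None
    for d in range(max_delay + 1):
        if not converges_within(a, b, K, d, deadline, tol):
            break
        best = d
    return best


if __name__ == "__main__":
    # Constructed plant: open-loop unstable (a = 1.5, b = 1.0), gain K = 0.8.
    A, B, GAIN = 1.5, 1.0, 0.8
    for d in range(4):
        traj = simulate(A, B, GAIN, d, steps=200)
        print(f"delay={d}: settles at step {settling_step(traj, 0.01)}, "
              f"peak |x| = {max_excursion(traj):.2f}")
    print("max tolerable delay:", max_tolerable_delay(A, B, GAIN, 200, 0.01))
```

With the constructed values, delay 0 settles at step 13 with no overshoot, delay 1 still settles but only after a damped oscillation with a peak of 1.5, and delay 2 never settles, so the largest latency the loop tolerates is one sample. The same functions answer the scheduling question from the figure: `discretize` with a longer period gives a plant that is harder to control per sample, and `converges_within` turns “stable” into “within tolerance before the deadline”, which is the property a certifier can actually check.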
Report Card: Software Certification TRL ?
Analysis tools (4?)
Significant progress, acceptance of static analysis
C, C++, Java remain challenging
Model checking viable for bug-finding
System software technology base (2)
“Evaluated products” not in sight, NIAP notwithstanding; lack of systematic safety evaluation
RTOS, VM, middleware chaos
Lack of integration of security, safety, fault tolerance, real-time technology
Certification for adaptive systems (1)
Model acquisition
Mode transition, reconfiguration
Certification Challenges: Tools for Assured Applications
Comprehensive safety design, analysis
Failure modes and effects analysis tool chain, system and software
Software design for failure modes
HCSS and NSF/CISE Actions
NITRD HCSS Coordinating Group Assessment Actions
National workshops on:
High Confidence Medical Device Software and Systems (HCMDSS),
Planning Workshop, Arlington VA, November 2004, http://www.cis.upenn.edu/hasten/hcmdss-planning/
National R&D Road-mapping Workshop, Philadelphia, Pennsylvania, June 2005, http://www.cis.upenn.edu/hcmdss/
High Confidence Aviation Systems (title TBD)
Planning Workshop, Seattle, WA, November 21-22, 2005
National R&D Road-mapping Workshop, venue TBD, June/July 2006
High Confidence Critical Infrastructures: “The Electric Power Grid: Beyond SCADA”
Planning
EU-US Planning meeting, October, 2005
US Planning Workshop, Washington, DC, November-December, 2005
Workshops
US National R&D Road-mapping Workshop, venue TBD, March, 2006
EU-US Workshop, Framework Program 7 linkage
NITRD HCSS Coordinating Group Assessment Actions (continued)
Backdrop:
NSF/OSTP Critical Infrastructure Protection Workshop, Leesburg, VA, September 2002, http://www.eecs.berkeley.edu/CIP/
NSF Workshop, on CIP for SCADA, Minneapolis MN, October 2003
http://www.adventiumlabs.org/NSF-SCADA-IT-Workshop/index.html
National Academies’ study: “Sufficient Evidence? Design for Certifiably Dependable Systems”, http://www7.nationalacademies.org/cstb/project_dependable.html
HCSS real-time operating systems research needs assessment:
Real-time embedded systems information technology base evaluation and prospectus: September-October 2005
Scope: secure RTOS, virtual machines, middleware
Industry input (NDA):
System integration houses, labs, FFRDCs,
RTOS/middleware vendor perspective, OMG
National Coordination Office summary report(s) derived from workshops, industry input sessions, NAS study
Conclusion: A Possible PSERC Research Agenda?
Exploit renewables and distributed generation/micro-grid research as CIP breakthrough opportunity. Why?
Concept development hotbed for systems of secure, distributed, real-time embedded systems
Vector for change via new and emerging markets, decentralization
Fosters US competitiveness in control systems and embedded systems technologies
Foster multi-disciplinary work that includes the IT research community. Why?
Leverage; investment multiplier
NSF CISE-ENG grass-roots enthusiasm for cooperation in this area (Tomsovic, Baheti, Schwartzkopf, Rodriguez, Rotea, Gill, …)
Initial NSF/DoE/DHS cooperation for secure electric power systems (Cyber Trust)
Who else will do this?
So Far: NSF CISE Investments in Critical Infrastructure, Power Systems
CISE/CNS Computer Systems Research Program
Embedded and Hybrid Systems disciplinary area
(Watch for new emphasis areas in FY 2006 announcement)
CISE/CNS Networking Research
“Clean Slate” Internet research initiative
Planning grant: study on real-time networking for critical infrastructures
NSF Science and Technology Center: TRUST
UC Berkeley, with Vanderbilt, Cornell, Stanford, CMU, …
http://trust.eecs.berkeley.edu/
Engineering Research Centers: current competition
Information Technology Research, competition ended, active grants remain (EU-US linkages, G.3 and D.4):
Center for Hybrid and Embedded Systems (CHESS), UC Berkeley
Secure and Robust IT Architectures to Improve Survivability of the Power Grid, CMU/WSU
Multi-Layered Architecture for Reliable and Secure Large-Scale Networks, CMU
Infrastructure Programs:
Major Research Infrastructure: Laboratory to Study FACTS Device Interactions, U. of Missouri at Rolla
Cyber Trust (FY 2005 Center-Scale portfolio, TBA 2-3 weeks)
Thank you
High-Confidence Software and Systems (HCSS) Agencies
Air Force Research Laboratories*
Army Research Office*
Defense Advanced Research Projects Agency
Department of Energy
Federal Aviation Administration*
Food and Drug Administration*
National Air & Space Administration
National Institutes of Health
National Institute of Science and Technology
National Science Foundation
National Security Agency
Office of Naval Research*
* Cooperating agencies