Safety and Airworthiness Cases for Unmanned System Control Segments. George Romanski, Joe Wlad S5 Symposium, Dayton, OH June 12-14, 2012

Transcription

1 Safety and Airworthiness Cases for Unmanned System Control Segments George Romanski, Joe Wlad S5 Symposium, Dayton, OH June 12-14, 2012

2 Biography Joe Wlad, Sr. Director, Wind River FAA DER, Systems and Equipment and Software Chief Engineer, UCSWG, Safety and Information Assurance Subcommittee George Romanski, CEO, Verocel, Inc. 30+ years in design and verification of software for safety-critical systems

3 Agenda Unmanned Air System Control System Working Group Overview Goals, Objectives Organization and Architecture Summary Safety and Security Sub-committee Goals, Objectives and Work Products Airworthiness Certification Processes Goal-Structuring Notation method to implement safety and security requirements Examples for the UCS Ground Segment

4 Some Acronyms Acronym UAS UAV GSN AS CS UCS PIM PSM UCSWG POR Meaning Unmanned Air System synonymous with UAV Unmanned Air Vehicle Goal Structuring Notation Aircraft Segment Control Segment UAS Control Segment Platform Independent Model Platform Specific Model UCS Working Group Program Of Record

5 UCSWG Charter: Who and Why Through an acquisition decision memorandum signed 11 February 2009, the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD/AT&L) directed the Services to develop a common, open and scalable architecture for command and control of UAS Vehicles greater than 20 lb GW The UCS Working Group is an enduring organization that operates as a standards development organization as defined by Public Law (the National Technology Transfer and Advancement Act of 1995) and the Executive Office of the President, Office of Management and Budget (OMB) Circular A-11

6 Current UCS Architectures Open System Interconnection (OSI), but not Open Architecture (OA) No uniform requirements for compliance to safety or security standards

7 6 Goals US DoD Unmanned Systems Roadmap Goal 1: Improve the effectiveness of COCOM and coalition unmanned systems through improved integration and Joint Services collaboration. Goal 2: Emphasize commonality to achieve greater interoperability among system controls, communications, data products, and data links on unmanned systems. Goal 3: Foster the development of policies, standards, and procedures that enable safe and timely operations and effective integration of manned / unmanned systems. Goal 4: Implement standardized and protected positive control measures for unmanned systems and their associated armament. Goal 5: Support rapid demonstration and integration of validated combat capabilities in fielded/deployed systems through a more flexible prototyping, test and logistical support process. Goal 6: Aggressively control cost by utilizing competition, refining and prioritizing requirements, and increasing interdependencies among DoD systems All Rights Reserved. 7

8 UCSWG Organization Mgmt Technical Support Executive Board and CCB Technical Review Board SC1 Implementation SC2 Application PIM SC3 Application PSM SC4 Safety and IA SC5 Architecture Chief Engineer Chief Engineer Chief Engineer Chief Engineer Chief Engineer Chief Engineer Conformance PIM Governance MDA Process Certification AD Modeling/Tools

9 Sub-committee 4: Objectives Address System Safety, Airworthiness and IA concerns, including: System Safety and Airworthiness Cases Information Assurance Cases Information Assurance and Security Services Platform Safety, Airworthiness and Information Assurance Reach out to other organizations interested in defining safety requirements for unmanned systems NASA, other DoD organizations, FAA, RTCA, etc.

10 UCS Architecture Views Services Services Services Services Application Domain 1 Application Domain 2 Application Domain 3 Application Domain 4 Technical Architecture Operating Environment, Development Environment, Certification Environment Application Architecture Platform Independent Model (Normative, Extensible) Technology Standards View (Normative, Extensible) IA and Security Management Application 1 Application 2 Application 3 Application 4 Middleware Middleware Middleware Middleware Middleware Guest OS Guest OS Guest OS Guest OS Guest OS Reference Architecture (Informative, Extensible) Embedded Hypervisor and Separation Kernel Processor Reference Implementations (Informative, Extensible)

11 UCS - Open Business Model Common UCS Architecture Marketplace UCS Composed of Mostly Common Components

12 SC 4 Safety Objectives Defined in the System Safety Airworthiness Management Plan and Information Assurance Plan Embraces SAE ARP 4761/4754, MILS-STD-882, STANAG 4671 DoD 85xx, NIST, etc. Army, Navy, Air Force and FAA Standards SC 4 Decided to embrace the concept of Goal Structuring Notation to provide guidance on implementing Safety and Security requirements

13 UCS Safety and Airworthiness Case Outline developed in Goal Structuring Notation Helped to identify the Boundaries Helped with the decomposition for Systems, Subsystems, Components, Domains, Services and their interactions Identified Composition goals to ensure robust process is used to compose a system Documented in System Safety and Airworthiness Assurance Case Part of UAS Control Segment Architecture

14 MIL-STD-882 Risk Matrix Risk Assessment and Risk Acceptance MIL-STD-882D & DoDI , E7 SEVERITY CATEGORIES PROBABILITY LEVELS I CATASTROPHIC II CRITICAL III MARGINAL IV NEGLIGIBLE HIGH (A) Frequent (B) Probable (C) Occasional SERIOUS MEDIUM LOW (D) Remote (E) Improbable As of: 02 Mar 05 14

15 Purpose of Goal Structuring Notation (GSN) A notation for presenting an Argument Argument + Supporting evidence => Assurance Case Airworthiness Case Safety Case Information Assurance Case Argument - Connects a series of statements

16 Typical Aircraft Certification Processes

17 Aircraft / Communication/ Control Segments

18 Separation of the System Activities

19 Threading an argument together. Goal The UCS shall support many services securely Closed Connector for Goals and Strategies The services may be hosted Platforms and Platforms may be linked together Strategy Sub-Goal The UCSA may be constructed from many platforms which provide security properties Sub-Goal Each platform may host many services at different security levels

20 Top Level Goal Aircraft Segment Communication Segment

21 Interactions between AS and CS Communication Segment

22 System Composition Control Segment

23 Current Progress Safety and Information Assurance case fragments have been created for the UCS Architecture These have been put into Enterprise Architect Work is underway to connect the safety cases with the various domain models and tag them with safety and security properties

24 Next Steps Complete the UCS models as well defining the safety and security properties Update and align safety and security requirements with other initiatives (FAA, DoD, NASA, RTCA SC-203, etc.) Continue outreach efforts