modeling incremental autonomy of a uas in support of … · 2017-08-12 · method (rationale)...

Modeling Incremental Autonomy of a UAS in Support of Reasoning About

Applicable Assurance Methods

NASA SASO Contract NNL16AA06C

Dr. Jonathan Rowanhi l l and Dr. John Knight

Dependable Computing

August 2 , 2017

Ongoing Work: Exploring How to Verify and Validate Increasingly Autonomous UAS


• Explore: How to verify and validate increasingly autonomous unmanned aerial system (UAS)• Agricultural mid-weight rotorcraft• Crop spraying and cargo delivery

• Approach: Build explicit safety arguments• Multiple models of the same UAS• Each with increasing autonomy• See what the exposed rationales

reveal about assurance methods and required V&V techniques.August 2, 2017 S5, Dependable Computing LLC 2

Figure 1. This illustration makes artists and safety engineers cringe.



August 2, 2017 S5, Dependable Computing LLC 3

Safety Req. ASatisfied


AutonomyIncrement






AssuranceMethod(Rationale)

AutonomyIncrement







AutonomyIncrement

Correlate with State-of-the-art from domain experts







Evidence=> V&V Requirements

AutonomyIncrement

Correlate with State-of-the-art from domain experts







Evidence=> V&V Requirements

AutonomyIncrement

JustificationCorrelate with State-of-the-art from domain experts

How Do We Model Incremental Autonomy?• Require compelling and feasible

arguments• For a specific (hypothetical)

system• Standard autonomy models

guided high level descriptions (ex. NHTSA, ALFUS)

• Model incremental autonomy through system function model before we go hunting for matching technologies


System S

Function A Function B Function C

A1 A2 A3 C1 C2

C1a C1b

Operator Role TheoryAutomation in the Decision Loop

• Operator Role Theory: • The role of a human

operator in a decision function

• Linearly increasing decision loop automation

• Allows rapid description of automation

• Modern autonomy often diverges from this model of automation









ManualController(Pre-Existing Terminology)









Supervisory









Supervisory

Executive

Operator Role TheoryModeling Automation at the System Function Level

• Meant to be applied to a decomposed system function model

• Supports fine-grained modeling of automation

• This model was useful for us to model increasing autonomy in a UAS.

• Can we apply a model like this to modern UAS autonomy?


Direct

System S

Function A Function B Function C

A1 A2 A3 C1 C2

C1a C1bManualSupervisory SupervisoryExecutive

Executive

Applying Operator Roles to Drive Construction of Assurance Arguments

•We propose and apply extensions to operator role theory to model autonomy

•The resulting model suggests a bridge between autonomy specifications and assurance methods


Extending Operator Role TheoryExtending Decision Roles

• Additional roles common with today’s technology• A few more roles fills in

many common cases• Does not capture all

possible combinations or peer machine/human relationships


(ex. Diagnostic Systems)

(ex. You Unjamming a Laser Printer)

Supervisory

Manual

Executive







Advised

(ex. You Unjamming a Laser Printer)

Supervisory

Manual

Executive







Advised

Serving(ex. You Unjamming a Laser Printer)

Supervisory

Manual

Executive







Advised

Serving(ex. You Unjamming a Laser Printer)

Supervisory

Manual

Executive

Peer

Extended Operator Role TheoryModeling Learning Roles

• The “two-level loop” model of learning• Similar forms appear in

• Learning Theory,• Management Science, and• Artificial Intelligence

• Can we apply this to further extend autonomy models that describe machine intelligence?



•Define operator roles to learning loops


DecisionLoop

LearningLoop




DecisionLoop

LearningLoop

Manual




DecisionLoop

LearningLoop

Manual

Assisted




DecisionLoop

LearningLoop

Manual

AssistedSupervised




DecisionLoop

LearningLoop

Manual

AssistedReviewer

Supervised




DecisionLoop

LearningLoop

Manual

AssistedReviewer

Supervised

Executive




DecisionLoop

LearningLoop

Manual

AssistedReviewer

Supervised

Executive

Peer

Enhanced Operator Role Model


Advised

Supervisory

Manual

Executive

Peer28

Manual

AssistedReviewer

Supervised

ExecutivePeer

• Ordered Pair• (Decision operator,

Learning Operator)

Modeling “Snapshots” of Increasing Autonomyfor an Agricultural UAS

• System function model of the UAS•7 autonomy

allocation designs•Results model

“fine-grained” autonomy increments


0 1 2 3 4 5 6

Modeling Incremental Autonomy and How it Might Be Useful for Assurance

• Important for Common Engineering Questions:•Heterogeneous Autonomy: Modeling autonomy that

differs across system functionality• Selecting Autonomy: Best-fit autonomy design for

system with safety concerns (Assurance vs. cost trade-offs in design)• Increasing Autonomy: Effects of increasing autonomy

on safety assurance?August 2, 2017 S5, Dependable Computing LLC 13

Assurance Analysis Methodfor Indexing Assurance Method Concepts

• Extends system function analysis to the level of choosing assurance methods•Can index an assurance library

by operator role and assigned technology


Define Function

Choose Assurance Methods Architectures

Assign Operator Roles

Select Technology

Architectures& Assurance

MethodsLibrary

ArgumentPatterns

Example Function: Motion PlanningAvoid Getting Trapped!

• High speed re-planning (frames per second)• Short Look Ahead• Ex. ”Space-time” planner for dynamic object

avoidance with tunable “risk taking”• Req. : Keep a Clear Maneuvering Workspace

• A free space where if no object is inside of it, the UAV can change course to avoid any object that is going to encroach

• Sub-Req. : Don’t Get Trapped: Short term planning gets boxed in between dynamic objects


Ex. Motion Planning—Avoid Getting TrappedExploring Assurance Methods under Different Operator Roles

August 2, 2017 S5, Dependable Computing LLC16

Executive ControllerReviewing Learner

Supervisory ControllerManual Learner Vs.

Ex. Motion Planning—Avoid Getting TrappedSupervisory Controller, Manual Learner


Ex. Assurance Methods:• Assure constrained functionality with

run-time detection of constraint failures• No objects above motion path• Maximum no. of dynamic objects

• Assure safe and reliable hand-off and control to/by human pilot avoiding traps

• Assure safe values of space-time planner object probability field penetration

1 2

3

4

Argument “Trunk” Contains Assurance MethodsSupervisory Controller, Manual Learner


SatisfactoryPlanner Input Correct Space-time

Planning Algorithm

VerifiedImplementation

Conditional RequirementSatisfaction

Condition Handling Satisfactory

Ex. Motion Planning—Avoid Getting TrappedExecutive Controller, Reviewing Learner


Ex. Assurance Methods:• Assure detection and avoidance

approaches• Sufficient, effective human review of

trap detection rules deduced by AI• Sufficient rules engine

scaling/performance• Resilience of conservative

entrapment detection behavior

EntrapmentScenarioAvoidance

ConservativeEntrapmentDetection

Argument “Trunk” Changes (Some) Assurance MethodsExecutive Controller, Reviewing Learner


SatisfactoryPlanner Input Correct Space-time

Planning Algorithm

VerifiedImplementation

Conditional RequirementSatisfaction

Condition Handling

Satisfactory

Summary• An extended operator role model allows us to build incremental

function-level models of autonomy• This is useful for both exploring and mapping to assurance techniques• We have extended the operator role model for

• Modern forms of advanced autonomy in decision making• Autonomy through automated learning

• This model might be useful as a means to organize and guide use of appropriate assurance methods for system models applying autonomy


The EndQuestions?


modeling incremental autonomy of a uas in support of … · 2017-08-12 · method (rationale)...

Documents