Safety and Airworthiness Cases for Unmanned System Control Segments George Romanski, Joe Wlad S5 Symposium, Dayton, OH June 12-14, 2012

Safety and Airworthiness Cases for Unmanned System Control Segments

George Romanski, Joe Wlad

S5 Symposium, Dayton, OH

June 12-14, 2012

Biography

• Joe Wlad, Sr. Director, Wind River

– FAA DER, Systems and Equipment and Software

– Chief Engineer, UCSWG, Safety and Information Assurance Subcommittee

• George Romanski, CEO, Verocel, Inc.

– 30+ years in design and verification of software for safety-critical systems

Agenda

• Unmanned Air System Control System Working Group Overview

– Goals, Objectives

– Organization and Architecture Summary

• Safety and Security Sub-committee – Goals, Objectives and Work Products

• Airworthiness Certification Processes

• Goal-Structuring Notation method to implement safety and security requirements

• Examples for the UCS Ground Segment

Some Acronyms

Acronym Meaning

UAS Unmanned Air System – synonymous with UAV

UAV Unmanned Air Vehicle

GSN Goal Structuring Notation

AS Aircraft Segment

CS Control Segment

UCS UAS Control Segment

PIM Platform Independent Model

PSM Platform Specific Model

UCSWG UCS Working Group

POR Program Of Record

UCSWG Charter: Who and Why

• Through an acquisition decision memorandum signed 11 February 2009, the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD/AT&L) directed the Services to develop a common, open and scalable architecture for command and control of UAS

– Vehicles greater than 20 lb GW

• The UCS Working Group is an enduring organization that operates as a standards development organization as defined by Public Law 104-113 (the National Technology Transfer and Advancement Act of 1995) and the Executive Office of the President, Office of Management and Budget (OMB) Circular A-11

Current UCS Architectures

• Open System Interconnection (OSI), but not Open Architecture (OA)

• No uniform requirements for compliance to safety or security standards

6 Goals: US DoD Unmanned Systems Roadmap 2007-2032

Goal 1: Improve the effectiveness of COCOM and coalition unmanned systems through improved integration and Joint Services collaboration.

Goal 2: Emphasize commonality to achieve greater interoperability among system controls, communications, data products, and data links on unmanned systems.

Goal 3: Foster the development of policies, standards, and procedures that enable safe and timely operations and effective integration of manned / unmanned systems.

Goal 4: Implement standardized and protected positive control measures for unmanned systems and their associated armament.

Goal 5: Support rapid demonstration and integration of validated combat capabilities in fielded/deployed systems through a more flexible prototyping, test and logistical support process.

Goal 6: Aggressively control cost by utilizing competition, refining and prioritizing requirements, and increasing interdependencies among DoD systems.

UCSWG Organization (organization chart)

Executive Board and CCB

Technical Review Board

• SC1 – Implementation (Chief Engineer; Conformance)

• SC2 – Application PIM (Chief Engineer; PIM Governance)

• SC3 – Application PSM (Chief Engineer; MDA Process)

• SC4 – Safety and IA (Chief Engineer; Certification)

• SC5 – Architecture (Chief Engineer; AD)

• Chief Engineer – Modeling/Tools

• Mgmt – Technical Support

Sub-committee 4: Objectives

• Address System Safety, Airworthiness and IA concerns, including:

– System Safety and Airworthiness Cases

– Information Assurance Cases

– Information Assurance and Security Services

– Platform Safety, Airworthiness and Information Assurance

• Reach out to other organizations interested in defining safety requirements for unmanned systems

– NASA, other DoD organizations, FAA, RTCA, etc.

UCS Architecture Views (figure)

• Technical Architecture: Operating Environment, Development Environment, Certification Environment

– Layered stack, bottom to top: Processor; Embedded Hypervisor and Separation Kernel; Guest OS (one per partition, five shown); Middleware (one per partition); Applications 1–4; IA and Security Management alongside the partitions

• Reference Implementations (Informative, Extensible)

• Reference Architecture (Informative, Extensible): Services

• Technology Standards View (Normative, Extensible)

• Application Architecture – Platform Independent Model (Normative, Extensible): Application Domains 1–4, each exposing Services

UCS - Open Business Model

Common UCS Architecture Marketplace

UCS Composed of ‘Mostly’ Common Components

SC 4 Safety Objectives

• Defined in the System Safety Airworthiness Management Plan and Information Assurance Plan

– Embraces SAE ARP 4761/4754, MIL-STD-882, STANAG 4671

– DoD 85xx, NIST, etc.

– Army, Navy, Air Force and FAA Standards

• SC 4 Decided to embrace the concept of Goal Structuring Notation to provide guidance on implementing Safety and Security requirements

UCS Safety and Airworthiness Case

• Outline developed in Goal Structuring Notation

• Helped to identify the Boundaries

• Helped with the decomposition for Systems, Subsystems, Components, Domains, Services and their interactions

• Identified Composition goals to ensure robust process is used to compose a system

• Documented in System Safety and Airworthiness Assurance Case

• Part of UAS Control Segment Architecture

MIL-STD-882 Risk Matrix (as of 02 Mar 05)

Rows are probability levels, columns are severity categories; each cell is the hazard risk index (1 = highest risk, 20 = lowest).

Probability level    I Catastrophic   II Critical   III Marginal   IV Negligible
(A) Frequent               1               3              7              13
(B) Probable               2               5              9              16
(C) Occasional             4               6             11              18
(D) Remote                 8              10             14              19
(E) Improbable            12              15             17              20

Risk Assessment and Risk Acceptance: MIL-STD-882D & DoDI 5000.2, E7

Risk levels (matrix legend): HIGH, SERIOUS, MEDIUM, LOW
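The matrix above, turned into a small hazard-log helper. This is an added example, not code from the presentation or the UCSWG: the risk index table is copied from the slide, the HIGH/SERIOUS/MEDIUM/LOW band limits (1-5, 6-9, 10-17, 18-20) are taken from the MIL-STD-882D example matrix and are an assumption because the slide shows only the legend labels, and the hazards in HAZARDS are constructed.

```python
from dataclasses import dataclass

# Rows: probability level A (Frequent) .. E (Improbable);
# columns: severity category I (Catastrophic) .. IV (Negligible).
SEVERITY = ("I", "II", "III", "IV")
RISK_MATRIX = {
    "A": (1, 3, 7, 13),
    "B": (2, 5, 9, 16),
    "C": (4, 6, 11, 18),
    "D": (8, 10, 14, 19),
    "E": (12, 15, 17, 20),
}
# Band limits of the MIL-STD-882D example matrix. The slide shows only the
# legend labels, so these boundaries are an assumption of this example.
RISK_BANDS = ((5, "HIGH"), (9, "SERIOUS"), (17, "MEDIUM"), (20, "LOW"))

def risk_index(severity: str, probability: str) -> int:
    """Hazard risk index for one matrix cell (1 = worst, 20 = least)."""
    if severity not in SEVERITY or probability not in RISK_MATRIX:
        raise ValueError(f"unknown cell: {severity}/{probability}")
    return RISK_MATRIX[probability][SEVERITY.index(severity)]

def risk_level(index: int) -> str:
    """Map a risk index to its HIGH / SERIOUS / MEDIUM / LOW band."""
    if not 1 <= index <= 20:
        raise ValueError(f"risk index out of range: {index}")
    return next(level for upper, level in RISK_BANDS if index <= upper)

@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    severity: str
    probability: str

def rank_hazards(hazards):
    """(id, index, level) tuples for a hazard log, worst risk first."""
    rows = [(h.hazard_id, risk_index(h.severity, h.probability)) for h in hazards]
    rows.sort(key=lambda r: r[1])
    return [(hid, idx, risk_level(idx)) for hid, idx in rows]

def residual_index(hazard: Hazard, mitigated_probability: str) -> int:
    """Index after a mitigation that lowers likelihood but not severity."""
    return risk_index(hazard.severity, mitigated_probability)

HAZARDS = [  # constructed hazards for a ground control segment (illustrative)
    Hazard("H-01", "I", "D"),    # loss of positive control, remote
    Hazard("H-02", "IV", "B"),   # cosmetic display fault, probable
    Hazard("H-03", "II", "C"),   # unauthorized command accepted, occasional
]
```

Re-running residual_index after a mitigation shows whether the hazard actually changed band (H-01 drops from SERIOUS to MEDIUM when its probability moves from D to E), which is the acceptance question the MIL-STD-882D / DoDI 5000.2 E7 matrix is meant to answer.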

Purpose of Goal Structuring Notation (GSN)

• A notation for presenting an Argument

• Argument + Supporting evidence => Assurance Case

• Argument - Connects a series of statements

Case types: Airworthiness Case, Safety Case, Information Assurance Case

Typical Aircraft Certification Processes (figure): Aircraft / Communication / Control Segments – Separation of the System Activities

Threading an argument together (GSN example)

• Goal: The UCS shall support many services securely

• Strategy: The UCSA may be constructed from many platforms which provide security properties

• Sub-Goal: Each platform may host many services at different security levels

• Sub-Goal: The services may be hosted on Platforms, and Platforms may be linked together

GSN elements used: Goal, Sub-Goal, Strategy; Closed Connector for Goals and Strategies

Top Level Goal decomposition: Aircraft Segment; Communication Segment; Interactions between AS and CS; Control Segment; System Composition
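The GSN chain above as a checkable data structure. This is an added example, not code or tooling from the presentation: it models the slide's goal, strategy and two sub-goals, and enforces the rule from the "Purpose of GSN" slide that an argument only becomes an assurance case once every leaf goal is supported by evidence (a Solution). The placeholder evidence strings it attaches are constructed, not real artifacts.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str   # "Goal", "Strategy" or "Solution" (a piece of evidence)
    text: str
    children: list = field(default_factory=list)

    def add(self, kind, text):
        """Attach a child element and return it, so chains read top-down."""
        child = Node(kind, text)
        self.children.append(child)
        return child

def violations(node, path=()):
    """Problems that keep an argument from being an assurance case:
    goals or strategies with nothing beneath them (undeveloped), or
    evidence nodes that themselves have children."""
    here = path + (node.text,)
    found = []
    if node.kind in ("Goal", "Strategy") and not node.children:
        found.append(f"undeveloped {node.kind}: {' > '.join(here)}")
    if node.kind == "Solution" and node.children:
        found.append(f"Solution with children: {node.text}")
    for child in node.children:
        found.extend(violations(child, here))
    return found

def is_assurance_case(root):
    """Argument + supporting evidence, with no undeveloped elements."""
    return not violations(root)

def ucs_argument():
    """The slide's chain: goal -> strategy -> two sub-goals, no evidence yet."""
    top = Node("Goal", "The UCS shall support many services securely")
    strat = top.add("Strategy", "The UCSA may be constructed from many platforms "
                                "which provide security properties")
    strat.add("Goal", "Each platform may host many services at different security levels")
    strat.add("Goal", "The services may be hosted on platforms and platforms may be linked together")
    return top

def with_placeholder_evidence(node):
    """Attach constructed placeholder evidence under every undeveloped goal."""
    if node.kind == "Goal" and not node.children:
        node.add("Solution", f"[placeholder evidence for: {node.text}]")
    for child in node.children:
        with_placeholder_evidence(child)
    return node
```

Run violations() on the bare chain and it lists both sub-goals as undeveloped; only after evidence is attached does is_assurance_case() return True, which is the gap the "Current Progress" slide describes closing by tagging the domain models with safety and security properties.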

Current Progress

• Safety and Information Assurance case fragments have been created for the UCS Architecture

• These have been put into Enterprise Architect

• Work is underway to connect the safety cases with the various domain models and tag them with safety and security properties

Next Steps

• Complete the UCS models as well as defining the safety and security properties

• Update and align safety and security requirements with other initiatives (FAA, DoD, NASA, RTCA SC-203, etc.)

• Continue outreach efforts