Softwalls: Preventing Aircraft from Entering Unauthorized Airspace
Adam Cataldo
Prof. Edward Lee
Prof. Ian Mitchell, UBC
Prof. Shankar Sastry
NASA JUP
Sep 26, 2003
Los Angeles, CA
Outline
• Introduction to Softwalls
• Objections
• Control system progress
• Future challenges
• Conclusions
Introduction
• On-board database of “no-fly zones”
• Enforce no-fly zones using on-board avionics
• Non-networked, hence no remote link to hack
Autonomous control
(Figure: block diagram of pilot, autonomous controller and aircraft.)
Softwalls is not autonomous control
(Figure: block diagram in which Softwalls adds a bias to the pilot’s control before it reaches the aircraft.)
Relation to Unmanned Aircraft
• Not an unmanned strategy
– pilot authority
• Collision avoidance
A deadly weapon?
• Project started September 11, 2001
Design Objectives
• Maximize Pilot Authority!
Unsaturated Control
(Figure, three cases: pilot lets off the controls; pilot tries to fly into the no-fly zone; pilot turns away from the no-fly zone. “Control applied” marks where the softwall intervenes.)
Objections
• Reducing pilot control is dangerous
– reduces ability to respond to emergencies
There is No Emergency That Justifies Landing Here
Objections (continued)
• There is no override
– switch in the cockpit
Hardwall
Objections (continued)
• Localization technology could fail
– GPS can be jammed
Localization Backup
• Inertial navigation
• Integrator drift limits the accuracy range
Objections (continued)
• Deployment could be costly
– Software certification? Retrofit older aircraft?
Deployment
• Fly-by-wire aircraft
– a software change
• Older aircraft
– autopilot level
• Phase in
– prioritize airports
Objections (continued)
• Complexity
– software certification
Not Like Air Traffic Control
• Much simpler
• No need for air traffic controller certification
Objections (continued)
• Deployment could take too long
– software certification
• Fully automatic flight control is possible
– throw a switch on the ground, take over plane
Potential Problems with Ground Control
• Human-in-the-loop delay on the ground
– authorization for takeover
– delay recognizing the threat
• Security problem on the ground
– hijacking from the ground?
– takeover of entire fleet at once?
– coup d’etat?
• Requires radio communication
– hackable
– jammable
Here’s How It Works
Reachable Set
• Set of all points reachable, for some control input, starting at a point in the state space
(Figure: reachable set grown from a starting point in the state space.)
Backwards Reachable Set
• Set of all states that can reach the final point for some control input
(Figure: backwards reachable set of a given final point in the state space.)
Backwards Reachable Set
• Backwards reachable set of the no-fly zone: states that can still reach the no-fly zone even when control is applied
• Safe states: the states outside that set, from which control can prevent the aircraft from entering the no-fly zone
Implicit Surface Functions
(Figure: an implicit surface function for the no-fly zone and one for the backwards reachable set; the zero level set of each function is the boundary of the corresponding set.)
Analytic Solution
• Hamilton-Jacobi-Isaacs PDE (Tomlin, Lygeros, Sastry): relates the implicit surface function of the backwards reachable set to the implicit surface function of the no-fly zone through the aircraft dynamics
Control from Implicit Surface Function
(Figure: the safe states and the backwards reachable set; control is applied at the boundary between them and decreases to zero inside the safe states.)
Numerical Solution
• Mitchell
(Figure: computations and storage plotted against the number of states, 1 to 4.)
Assumptions for Verification
• The pilot and control inputs could be any bounded, measurable functions
In Fly-By-Wire Aircraft
• The pilot and control inputs will be piecewise constant, bounded functions which can change only every T milliseconds
(Figure: piecewise constant input with sampling period T.)
Fly-By-Wire Aircraft
• How do we verify this?
In the News
• ABC News
• NPR Market Place
• CBC As It Happens
• Slashdot
• Reuters…
Conclusions
• Embedded control system challenge
• Control theory identified
• Future challenges identified
Acknowledgements
• Xiaojun Liu
• Steve Neuendorffer
• Claire Tomlin
Backup
• Discrete-Time Modified HJI PDE
$$
J^*(y,k) = \min\Big\{\, J^*(y,k-1),\; \max_{\delta \in [D \to U]}\; \min_{e \in D}\; J^*\big(g(y,\delta(e),e),\,k-1\big) \Big\}, \qquad J^*(y,0) = l(y)
$$
(Reading of the slide’s symbols: $l$ is the implicit surface function of the no-fly zone, $g$ the discrete-time dynamics, $e \in D$ the pilot input, and $\delta$ a map from pilot inputs to control inputs in $U$; the glyph for that map is illegible in the extraction and is written as $\delta$ here.)
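To make the reachable-set machinery above concrete, here is an added worked example (my code, not the Softwalls project’s) that iterates the discrete-time modified HJI recursion on a grid for a toy one-dimensional aircraft model, classifies states as safe or backwards reachable, and adds a bias to the pilot’s input only near the boundary of the backwards reachable set, leaving pilot authority untouched elsewhere. The model, its constants (X_ZONE, A, B, DT, the grid) and the ramped bias rule in softwall_bias are assumptions for illustration; inputs are held constant over each sampling step, matching the fly-by-wire assumption that inputs change only every T milliseconds.

```python
"""Backward reachable set of a no-fly zone on a grid, Softwalls style.

Added worked example, not code from the Softwalls project. Toy aircraft model
(assumed): state y = (x, v), x = position along a line, v = velocity, and the
no-fly zone is x >= X_ZONE. Pilot input e in D = {-A, +A}, softwall bias
u in U = {-B, +B}; B > A so the controller can win when it acts. Inputs are
piecewise constant over a sampling period DT (the slides' "every T ms").
Value function: the slides' discrete-time modified HJI recursion
  J*(y,k) = min{ J*(y,k-1), max_{delta: D->U} min_{e in D} J*(g(y,delta(e),e), k-1) }
  J*(y,0) = l(y)
The backward reachable set is {y : J*(y) <= 0}; its complement is safe.
"""

X_ZONE = 8.0            # no-fly zone x >= X_ZONE (assumed geometry)
A, B = 1.0, 2.0         # pilot / softwall acceleration bounds (assumed)
DT = 0.2                # sampling period (assumed)
DX, DV = 0.25, 0.2      # grid spacing
XS = [i * DX for i in range(41)]          # x in [0, 10]
VS = [-2.0 + j * DV for j in range(31)]   # v in [-2, 4]
D = (-A, A)             # pilot input set (extremes suffice: dynamics are linear)
U = (-B, B)             # softwall bias set


def l(x, v):
    """Implicit surface function of the no-fly zone: l(y) <= 0 inside it."""
    return X_ZONE - x


def g(x, v, u, e):
    """One sampling step of the dynamics; net acceleration is pilot + bias."""
    return x + v * DT, v + (u + e) * DT


def interp(J, x, v):
    """Bilinear interpolation of a grid function; states outside the grid are clamped."""
    fx = min(max((x - XS[0]) / DX, 0.0), len(XS) - 1.0)
    fv = min(max((v - VS[0]) / DV, 0.0), len(VS) - 1.0)
    i0, j0 = int(fx), int(fv)
    i1, j1 = min(i0 + 1, len(XS) - 1), min(j0 + 1, len(VS) - 1)
    tx, tv = fx - i0, fv - j0
    return ((1 - tx) * (1 - tv) * J[i0][j0] + tx * (1 - tv) * J[i1][j0]
            + (1 - tx) * tv * J[i0][j1] + tx * tv * J[i1][j1])


def value_function(max_iter=60, tol=1e-4):
    """Iterate the discrete-time modified HJI recursion to a fixed point.

    Because the strategy delta may react to e, "max over delta of min over e"
    equals "min over e of max over u", which is what is computed per cell.
    """
    J = [[l(x, v) for v in VS] for x in XS]          # J*(y, 0) = l(y)
    for _ in range(max_iter):
        new = [row[:] for row in J]
        changed = False
        for i, x in enumerate(XS):
            for j, v in enumerate(VS):
                step = min(max(interp(J, *g(x, v, u, e)) for u in U) for e in D)
                val = min(J[i][j], step)
                if val < J[i][j] - tol:
                    new[i][j] = val
                    changed = True
        J = new
        if not changed:
            break
    return J


def is_safe(J, x, v):
    """Safe states are those outside the backward reachable set {J* <= 0}."""
    return interp(J, x, v) > 0.0


def softwall_bias(J, x, v, e, full=1.0, margin=3.0):
    """Bias added to the pilot's input (illustrative rule, not the slides' controller).

    Look one step ahead under the pilot's input alone. If that keeps J* above
    `margin`, the pilot keeps full authority (bias 0). As the look-ahead value
    falls towards `full`, the bias ramps up to the controller's best response,
    so control is applied only at the boundary and decreases to zero away from it.
    """
    ahead = interp(J, *g(x, v, 0.0, e))
    if ahead >= margin:
        return 0.0
    best = max(U, key=lambda u: interp(J, *g(x, v, u, e)))
    scale = min(1.0, (margin - ahead) / (margin - full))
    return scale * best


def simulate(J, x0=0.0, v0=0.0, steps=100, use_bias=True):
    """Pilot holds full input towards the zone; returns the largest x reached."""
    x, v, x_max = x0, v0, x0
    for _ in range(steps):
        e = A
        u = softwall_bias(J, x, v, e) if use_bias else 0.0
        x, v = g(x, v, u, e)
        x_max = max(x_max, x)
    return x_max


if __name__ == "__main__":
    J = value_function()
    for y in [(2.0, 1.0), (7.0, 3.0), (7.5, -1.0)]:
        print(y, "safe" if is_safe(J, *y) else "backward reachable")
    print("max x with softwall:", round(simulate(J), 2),
          "without:", round(simulate(J, use_bias=False), 2))
```

The grid computation is the “computations and storage” cost the Numerical Solution slide refers to: every extra state dimension multiplies the number of cells, which is why the toy model stays two-dimensional. The pilot keeps full authority wherever the look-ahead value is comfortably positive; the bias only appears as the state nears the boundary of the backwards reachable set, which is the “unsaturated control” behaviour the design objectives ask for.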