Systems and Software Research for Safety-Critical Aviation Systems Helen Gill, Ph.D. CISE/CNS National Science Foundation.

Systems and Software Research for
Safety-Critical Aviation Systems
Helen Gill, Ph.D.
CISE/CNS
National Science Foundation
1
Aviation Context for
Safety-Critical Software and Systems Research
• Vehicle technology research
– Platforms: materials, fuel-efficiency, range, …
– Hypersonics, supersonics, subsonics, rotorcraft, …
– Software-integrated systems, software control
• Today’s US airspace and flight experience
– UAV progress: Access5, Unite Alliance, National Institute of
Aerospace
• High altitude, long endurance vehicles
• Growing civilian usage
– Commercial aviation:
• Industry under economic duress
• Concentration at hubs
• CIP/TSA waiting queues
• Airspace configuration and management progress: …?
2
Aviation Context (continued)
• Tomorrow’s civilian airspace? (capacity/structure)
– Large scale, long range transport, transatlantic/global
regulation?
– Shuttles/commuters, business jet cooperatives, air taxis, …
– Mandatory technology increase for general aviation
– Wider UAV deployment, (mixed airspace?)
– Technology-enabled: GPS/satellite navigation, CA
systems.…
• Consequences for software certification:
– More systems components will be safety-critical
– Increased automation required to support capacity (reduced
separation)
– Technology push to increase pace, decrease cost of
certification
– More aircraft configurations to certify
– Global compliance requirements
3
Aviation Systems as Critical Infrastructure
• Requirement for secure, available systems
– Robustness
– No essential flaws in safety design
• Software:
– How can we be sure?
• System and Software:
– How can we be sure?
• What is the future for evaluated products?
TECHNOLOGY READINESS LEVELS*
TRL 1: Basic principles observed and reported
TRL 2: Technology concept and/or application formulated
TRL 3: Analytical and experimental critical function and/or characteristic proof-of-concept
TRL 4: Component and/or breadboard validation in laboratory environment
TRL 5: Component and/or breadboard validation in relevant environment
TRL 6: System/subsystem model or prototype demonstration in a relevant environment (ground or space)
TRL 7: System prototype demonstration in a space environment
TRL 8: Actual system completed and “flight qualified” through test and demonstration (ground or space)
TRL 9: Actual system “flight proven” through successful mission operations
*A White Paper, April 6, 1995, John C. Mankins, Advanced Concepts Office, Office of Space Access and Technology, NASA
4
Federal Activities towards
Critical Infrastructure Protection
• HSPD-7
– ISACs, NIPP, SCCs, etc.
• CIP R&D Planning
– National CIP R&D Plan
– CIIP R&D Plan
• NSTC Committee structure
• CT – Committee on Technology
– Networking, IT R&D Subcommittee
– Infrastructure Subcommittee
• Critical Information Infrastructure Protection Interagency Working Group (to be renamed)
• NITRD High Confidence Software and Systems Coordinating Group
[Diagram: NSTC → committees (H&NS, CT, …); CT → Infrastructure Subcommittee (CIIP) and NITRD Subcommittee (HCSS, HEC, …)]
5
National CIP R&D Plan
April 8, 2005
NCIP R&D Roadmap identifies three strategic goals:
• National Common Operating Picture
• Secure National Communication Network
• Resilient, Self-Healing, Self-Diagnosing Infrastructure
Themes:
• Detection and Sensor Systems
• Protection and Prevention
• Entry and Access Portals
• Insider Threats
• Analysis and Decision Support Systems
• Response, Recovery, and Reconstitution
• New and Emerging Threats and Vulnerabilities
• Advanced Infrastructure Architectures and Systems
Design
• Human and Social Issues
http://www.bfrl.nist.gov/PSSIWG/documents/2004NCIP_R&D_Plan_FINAL.pdf
6
Some “Grand Challenges”
• Medical devices and systems of the future
– Now: Practitioner closes the loop; sensor feeds to TV monitor,
manual settings
– Future: Closed-loop patient monitoring and delivery systems,
“plug and play” operating rooms/ICUs/home care
• Flight-critical aviation systems of the future
– Now: Federated designs, pilot closes the loop
– Future: Integrated designs; autonomy vs. pilot control
• SCADA systems of the future
– Now: Telemetry, sensor feeds to control center, centralized
decision support
– Future: Hierarchical, decentralized, highly-automated,
market/policy driven, closed-loop + supervisory control
Now: Information-centric, human-closes-loop, distributed a priori, soft real-time, not secured
Future: Feedback control, open and hierarchical supervisory control, mobile, aggregated, soft and hard real-time, secured
7
Technology Grand Challenges
• Property and mechanism composition for dependable
systems of all kinds: single, composite, and ad hoc
aggregations of (RT, FT, secure)
• Cooperative distributed/aggregated systems
(systems technology for aggregated systems)
• Robust, self-checking, self-healing, controllable
systems (computation and control)
• Evidence-based design and composition technology,
to produce systems with certifiably dependable
behavior
Dependable technology for an already-emerging class of future, critical systems
8
Cross-cutting Technical Challenges
• Future distributed, real-time embedded system characteristics/requirements:
– Open, reconfigurable topology, group membership
– Styles: Integrated, peer-to-peer, “plug and play”, service-oriented
– Fixed & mobile, RF/optical/wired/wireless networking modalities
– Mixed-initiative and highly autonomous operation
– Complex multi-modal behavior, discrete-continuous (hybrid) control
– Reconfigurable, multi-hierarchy supervisory control; vertical and horizontal interoperation
– End-to-end security, “self-healing”
– System certification
• Status: many experimental systems, some science
– Interesting results, but not yet a principled science/engineering base
– Focus on situation awareness, sensor nets, and simulation, not control
infrastructure
9
Embedded Software and
System Control Problem
Closing the loop around combined behaviors…
[Diagram: a control loop with three layers. Physical/Biological/Engineered System (state: kinematic, thermal, electromagnetic, optical, chemical, …; energy production and consumption) ↔ Control Software (sensing, actuation, coordination, mode/thread switching, periodic calculation, frequency, execution rate, dynamic scheduling and resource management, energy management, stability, phase) ↔ Hardware Platform: processing and networking (clock rate, voltage scaling, bandwidth). Latency appears at every interface.]
10
Research Goal: Assured Systems
Software Technology Base
• Coordinated control systems applications
– Unmanned autonomous air vehicles, automotive applications
– SCADA systems for power grid, pipeline control
– Remote, tele-operated surgery?
– OR, ICU, EMT of the future?
– Nano/bio devices?
– …
• Key areas for potential research
– Open control platforms
– Reconfigurable coordinated control
– Computational and networking substrate
• Assured RTOS, networking,…
• Middleware
• Virtual machines
11
Specific Challenges for
Hybrid Systems
• Multi-system/multi-modal supervisory control
• Dynamically “aggregated” multi-hierarchy supervisory
control
• Beyond stability: time-bounded convergence
• Safe complex transition
• Accommodating multi-system uncertainty
• Implications of tractable computational methods for
modal structure
• “Useable design” considerations for modal structure
12
Report Card:
Software Certification TRL ?
• Analysis tools (4?)
– Significant progress, acceptance of static analysis
– C, C++, Java remain challenging
– Model checking viable for bug-finding
• System software technology base (2)
– “Evaluated products” not in sight, NIAP
notwithstanding; lack of systematic safety
evaluation
– RTOS, VM, middleware chaos
– Lack of integration of security, safety, fault
tolerance, real-time technology
• Certification for adaptive systems (1)
– Model acquisition
– Mode transition, reconfiguration
13
Certification Challenges: Tools for
Assured Applications
• Comprehensive safety design, analysis
– Failure modes and effects analysis tool chain, system and
software
– Software design for failure modes
14
HCSS and NSF/CISE Actions
15
NITRD HCSS Coordinating Group
Assessment Actions
National workshops on:
• High Confidence Medical Device Software and Systems
(HCMDSS),
– Planning Workshop, Arlington VA, November 2004,
http://www.cis.upenn.edu/hasten/hcmdss-planning/
– National R&D Road-mapping Workshop, Philadelphia, Pennsylvania, June
2005, http://www.cis.upenn.edu/hcmdss/
• High Confidence Aviation Systems (title TBD)
– Planning Workshop, Seattle, WA, November 21-22, 2005
– National R&D Road-mapping Workshop, venue TBD, June/July 2006
• High Confidence Critical Infrastructures: “The Electric
Power Grid: Beyond SCADA”
– Planning
• EU-US Planning meeting, October, 2005
• US Planning Workshop, Washington, DC, November-December, 2005
– Workshops
• US National R&D Road-mapping Workshop, venue TBD, March, 2006
• EU-US Workshop, Framework Program 7 linkage
16
NITRD HCSS Coordinating Group
Assessment Actions (continued)
• Backdrop:
– NSF/OSTP Critical Infrastructure Protection Workshop, Leesburg, VA,
September 2002, http://www.eecs.berkeley.edu/CIP/
– NSF Workshop, on CIP for SCADA, Minneapolis MN, October 2003
http://www.adventiumlabs.org/NSF-SCADA-IT-Workshop/index.html
– National Academies’ study: “Sufficient Evidence? Design for Certifiably
Dependable Systems”, http://www7.nationalacademies.org/cstb/project_dependable.html
• HCSS real-time operating systems research needs assessment:
– Real-time embedded systems information technology base evaluation
and prospectus: September-October 2005
• Scope: secure RTOS, virtual machines, middleware
• Industry input (NDA):
– System integration houses, labs, FFRDCs,
– RTOS/middleware vendor perspective, OMG
• National Coordination Office summary report(s) derived from
workshops, industry input sessions, NAS study
17
Conclusion:
A Possible PSERC Research Agenda?
• Exploit renewables and distributed generation/micro-grid
research as CIP breakthrough opportunity. Why?
– Concept development hotbed for systems of secure, distributed,
real-time embedded systems
– Vector for change via new and emerging markets, decentralization
– Fosters US competitiveness in control systems and embedded
systems technologies
• Foster multi-disciplinary work that includes the IT research
community. Why?
– Leverage; investment multiplier
– NSF CISE-ENG grass-roots enthusiasm for cooperation in this area
(Tomsovic, Baheti, Schwartzkopf, Rodriguez, Rotea, Gill, …)
– Initial NSF/DoE/DHS cooperation for secure electric power systems
(Cyber Trust)
• Who else will do this?
18
So Far: NSF CISE Investments in
Critical Infrastructure, Power Systems
• CISE/CNS Computer Systems Research Program
– Embedded and Hybrid Systems disciplinary area
(Watch for new emphasis areas in FY 2006 announcement)
• CISE/CNS Networking Research
– “Clean Slate” Internet research initiative
– Planning grant: study on real-time networking for critical infrastructures
• NSF Science and Technology Center: TRUST
– UC Berkeley, with Vanderbilt, Cornell, Stanford, CMU, …
– http://trust.eecs.berkeley.edu/
• Engineering Research Centers: current competition
• Information Technology Research, competition ended, active grants remain (EU-US linkages, G.3 and D.4):
– Center for Hybrid and Embedded Systems (CHESS), UC Berkeley
– Secure and Robust IT Architectures to Improve Survivability of the Power Grid, CMU/WSU
– Multi-Layered Architecture for Reliable and Secure Large-Scale Networks, CMU
• Cyber Trust (FY 2005 Center-Scale portfolio, TBA 2-3 weeks)
• Infrastructure Programs:
– Major Research Infrastructure: Laboratory to Study FACTS Device Interactions, U. of Missouri at Rolla
19
Thank you
20
High-Confidence Software and Systems
(HCSS) Agencies
• Air Force Research Laboratories*
• Army Research Office*
• Defense Advanced Research Projects Agency
• Department of Energy
• Federal Aviation Administration*
• Food and Drug Administration*
• National Air & Space Administration
• National Institutes of Health
• National Institute of Science and Technology
• National Science Foundation
• National Security Agency
• Office of Naval Research*
* Cooperating agencies
21