Design And Analysis Of Safety Critical Systems


Design and Analysis of Safety Critical Systems
Peter Seiler, University of Minnesota
MTA Sztaki, December 5, 2017
Aerospace Engineering and Mechanics

University of Minnesota
- Founded in 1851
- Campuses in Twin Cities, Duluth, Morris and Crookston
- Twin Cities campus has 52,557 students (7,200 in CSE)

Dept. of Aerospace Engineering & Mechanics
- First aeronautical engineering courses offered in 1926
- Department founded in fall 1929 with 3 faculty members
- Aeronautical Engineering merged with the Department of Mechanics and Materials in 1958 to form the current department
- 17 regular faculty (6 systems, 6 fluids, 5 solids)
- 328 undergraduates, 17 MS, and 73 PhD students

Aerospace Systems
- Demoz Gebre-Egziabher: Sensor fusion; design of multisensor systems for navigation
- William Garrard: Dynamics and control of aerospace vehicles; parachute dynamics
- Peter Seiler: Robust control with applications to aerospace systems and wind energy
- Yohannes Ketema: Dynamics; dynamics of active materials; stability of formations; orbital mechanics

Aerospace Systems (continued)
- Maziar Hemati: Control and optimization, primarily of fluid mechanical systems
- Richard Linares: Orbital debris tracking, uncertainty quantification
- Derya Aksaray: Control theory, formal methods, and machine learning with applications to autonomous systems
- Ryan Caverly: Robust control with applications to aerospace, mechanical and marine systems

Research Summary (figure: Robust Control Design and Analysis at the center, linked to the application areas)
- Wind Energy: Jordan Hoyt, Parul Singh, Sanjana Vijayshankar
- Small UAVs: Raghu Venkataraman, Harish Venkataraman
- Aeroelasticity: Abhineet Gupta
- Chris Regan, Brian Taylor, Curt Olson

Fault Tolerance for Small UAVs
With: Raghu Venkataraman
Funding:
- (NSF) CPS: Managing Uncertainty in the Design of Safety-Critical Aviation Systems
- (MnDrive) Precision Agriculture: Robotics and Sensor Development for Revolutionary Improvements in the Global Food Supply and Reduced Environmental Impact in the Agriculture Industry

Growth in Small UAVs
- DJI Phantom 4 (Source: www.dji.com)
- Trimble UX5 (Source: uas.trimble.com)
- senseFly eBee (Source: uncrate.com)
Sentera Vireo
- Donated to UMN in 2014
- Remote sensing applications, e.g. precision agriculture
- Mahon et al., "Research Flight Test Vehicle: Small Two Surface UAV," UMN Technical Report, 2016.

Precision Agriculture

Precision Agriculture
Nominal mission: lawnmower pattern contained within the geofence perimeter.
Atkins, "Autonomy as an enabler of economically-viable, beyond-line-of-sight, low altitude UAS applications with acceptable risk," AUVSI, 2014.

Flight Data From Aborted Mission
(Figure: ground track in the North-East plane; axes East position [km] and North position [km].)
- Linkage to right elevon failed, i.e. "free float" [1].
- Autopilot attempted to control using the left elevon. No active fault-tolerance.
- Median size of US cropland: 1105 acres [2].
References
[1] Data courtesy of FourthWing Sensors, LLC.
[2] MacDonald et al., "Farm size and the organization of US crop farming," USDA, 2013.

Fault Tolerance: Commercial Aircraft
Boeing 787-8 Dreamliner
- 210-250 seats
- Length 56.7 m, wingspan 60.0 m
- Range 15200 km, speed M0.89
- First composite airliner
- Honeywell flight control electronics
Boeing 777-200
- 301-440 seats
- Length 63.7 m, wingspan 60.9 m
- Range 17370 km, speed M0.89
- Boeing's 1st fly-by-wire aircraft
Ref: Y.C. Yeh, "Triple-triple redundant 777 primary flight computer," 1996.


777 Triple-Triple Architecture [Yeh, 96]
(Figure: Sensors x3 -> Databus x3 -> Triple-Triple Primary Flight Computers -> Actuator Electronics x4.)

777 Triple-Triple Architecture [Yeh, 96]
(Figure, detail: Left Primary Flight Computers -> Actuator Electronics x4.)
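The point of the triple-triple arrangement is that a single wrong lane is outvoted without anyone having to know in advance which lane is wrong. The Python below is an added illustration of that redundancy-management logic, written for this page; it is not Boeing's or Honeywell's code and not from the talk. The threshold, persistence count, and the nine frames of lane data are constructed for the example, and the rule that a duplex pair which disagrees degrades to "loss" rather than trusting either lane is a design assumption.

```python
from statistics import median


class TriplexVoter:
    """Mid-value select plus cross-lane monitoring for three lanes.

    Constructed for this example (not Boeing/Honeywell logic): lanes are
    sampled synchronously, a lane is latched out after `persistence`
    consecutive frames in which it differs from the selected value by more
    than `threshold`, and a latched lane is never readmitted.
    """

    def __init__(self, threshold, persistence):
        self.threshold = threshold
        self.persistence = persistence
        self.healthy = [True, True, True]
        self.miscompares = [0, 0, 0]

    def step(self, lane_values):
        """Process one frame. Returns (selected_value, status) where status
        is "triplex", "duplex" or "loss" after this frame's monitoring."""
        active = [i for i in range(3) if self.healthy[i]]
        if len(active) < 2:
            return None, "loss"

        vals = [lane_values[i] for i in active]
        # Triplex: the mid value masks any single faulty lane without
        # needing to know which lane is wrong.  Duplex: average the pair.
        selected = median(vals) if len(vals) == 3 else 0.5 * (vals[0] + vals[1])

        # Cross-lane monitor: a lane that persistently disagrees with the
        # selection is latched out.  In duplex mode a disagreement cannot be
        # attributed to one lane, so both lanes accumulate miscompares and the
        # channel degrades to "loss" instead of trusting either of them.
        for i in active:
            if abs(lane_values[i] - selected) > self.threshold:
                self.miscompares[i] += 1
            else:
                self.miscompares[i] = 0
            if self.miscompares[i] >= self.persistence:
                self.healthy[i] = False

        status = {3: "triplex", 2: "duplex"}.get(sum(self.healthy), "loss")
        return selected, status


# Constructed surface-command samples (deg) from three lanes: lane 2 goes
# hardover from frame 1 onward, and later lanes 0 and 1 diverge from each other.
FRAMES = [
    (1.0, 1.0, 1.0),
    (1.0, 1.0, 5.0),
    (1.125, 1.0, 5.0),
    (1.0, 1.0, 5.0),
    (1.25, 1.0, 5.0),
    (3.0, 1.0, 5.0),
    (3.0, 1.0, 5.0),
    (3.0, 1.0, 5.0),
    (3.0, 1.0, 5.0),
]


def run_frames(frames=FRAMES, threshold=0.5, persistence=3):
    """Run the voter over a frame sequence; returns the (value, status) list."""
    voter = TriplexVoter(threshold, persistence)
    return [voter.step(f) for f in frames]


if __name__ == "__main__":
    for k, (value, status) in enumerate(run_frames()):
        print(f"frame {k}: selected={value} status={status}")
```

Two things to notice when running it: the hardover on lane 2 never reaches the selected value (the mid-value select masks it for the three frames the monitor needs to latch the lane), and once the channel is duplex a persistent disagreement cannot be resolved by voting, which is why real architectures back the comparison with dissimilar hardware and software rather than a third identical copy.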


Reliability Comparison
Boeing 777
- Reliability: design 10^-9 catastrophic failures per hour
- Hardware redundancy
- Dissimilar hardware and software
- No single point of failure
- Protect against random & common failures
- Limited use of analytical redundancy [1]
- Fault trees, etc. to certify
Ultrastick 120
- Reliability: 0.8 failures/100 hrs [2]
- Single points of failure
- Limited by size, weight, power, and cost (SWAPC) constraints
References
[1] Goupil, "Oscillatory failure case detection in the A380 electrical flight control system by analytical redundancy," Control Engineering Practice, 2010.
[2] Amos et al., "UAV for Reliability Build," Technical Report, University of Minnesota, 2014.

Key Questions (Boeing 777 vs. Ultrastick 120)
1. What is an appropriate level of reliability for small UAS?
   - FAA Modernization and Reform Act (1/12)
   - FAA 14 CFR Part 107 (8/16)
2. Can analytical redundancy be used to increase the reliability of small UAS?
   - Flight with a single aero surface [1]
   - Fault detection of actuator failures [2,3,4]
3. How can analytical methods be certified?
   - Probabilistic analysis methods and extended fault trees [5,6]
[1] Venkataraman & Seiler, "Safe Flight Using One Aerodynamic Control Surface," AIAA, 2016.
[2] Venkataraman & Seiler, "Model-Based Detection and Isolation of Rudder Faults for a Small UAS," AIAA, 2015.
[3] Lakshminarayan, et al., "Designing Reliability Into Small UAS Avionics," Inside Unmanned Systems, 2016.
[4] Bauer, et al., "Fault Detection and Basic In-Flight Reconfiguration of a Small UAV," SafeProcess, 2018.
[5] Venkataraman, et al., "Reliability Assessment of Actuator Architectures for Unmanned Aircraft," AIAA, 2016.
[6] Hu & Seiler, "Pivotal decomposition for reliability analysis of fault tolerant control systems on UAVs," RESS, 2015.
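Question 3 above asks how an analytical fault-tolerance scheme can be certified, and the reliability comparison before it gives the quantities involved (10^-9 catastrophic failures per hour for the 777, 0.8 failures per 100 hours for the Ultrastick). The Python below is an added worked example of pivotal (Shannon) decomposition, the technique named in reference [6], applied to three constructed actuation architectures; it is written for this page and is not the code or the numbers from [5] or [6]. The per-mission failure probabilities (4e-3 per surface, a detector coverage of 0.9, a voter failure probability of 1e-4) and the assumption that components fail independently are constructed inputs, and the fault detector is modelled as a pseudo-component whose "failure" is a missed detection.

```python
import math


def mission_failure_prob(rate_per_hour, hours):
    """Probability that a component with a constant failure rate fails at
    least once during a mission of the given length (exponential model)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def system_failure_prob(fails, q, state=None):
    """Exact Pr[system failure] by pivotal (Shannon) decomposition.

    fails(state) is the structure function: state maps each component to
    True if it has failed, and fails() returns True when the system as a
    whole has failed.  q maps each component to its failure probability
    over the mission.  Components are assumed to fail independently
    (a constructed assumption; common-cause failures need extra terms).
    """
    state = {} if state is None else state
    remaining = [c for c in q if c not in state]
    if not remaining:
        return 1.0 if fails(state) else 0.0
    c = remaining[0]
    # Pivot on component c: condition on it failing and on it working.
    p_if_failed = system_failure_prob(fails, q, {**state, c: True})
    p_if_works = system_failure_prob(fails, q, {**state, c: False})
    return q[c] * p_if_failed + (1.0 - q[c]) * p_if_works


def single_string(s):
    """No fault tolerance: losing either elevon is a loss of the aircraft."""
    return s["L"] or s["R"]


def analytical_redundancy(s):
    """One elevon may be lost if the fault is detected (pseudo-component D
    'works') and the single-surface controller takes over; a missed
    detection of a surface fault is a loss of the aircraft."""
    one_or_both = s["L"] or s["R"]
    return (s["L"] and s["R"]) or (one_or_both and s["D"])


def triple_redundant(s):
    """Two of three lanes must be healthy and the voter V must work."""
    failed_lanes = sum(1 for k in ("A", "B", "C") if s[k])
    return failed_lanes >= 2 or s["V"]


def compare_architectures(q_surface=4e-3, coverage=0.9, q_voter=1e-4):
    """Per-mission loss probability of the three architectures.

    Constructed inputs: q_surface is the per-mission failure probability
    of one elevon (or one computing lane); coverage is the probability the
    detector catches a surface fault in time; q_voter is the voter's own
    per-mission failure probability.
    """
    return {
        "single_string": system_failure_prob(
            single_string, {"L": q_surface, "R": q_surface}),
        "analytical_redundancy": system_failure_prob(
            analytical_redundancy,
            {"L": q_surface, "R": q_surface, "D": 1.0 - coverage}),
        "triple_redundant": system_failure_prob(
            triple_redundant,
            {"A": q_surface, "B": q_surface, "C": q_surface, "V": q_voter}),
    }


if __name__ == "__main__":
    print(f"Pr[fail in 100 h] at 0.8/100 h: {mission_failure_prob(8e-3, 100.0):.3f}")
    for name, p in compare_architectures().items():
        print(f"{name:22s} Pr[loss per mission] = {p:.3e}")
```

The decomposition is exact, so it is the kind of computation a certification argument can be built on, and the structure functions make the assumptions explicit: the analytical-redundancy architecture is only as good as the detector's coverage, which is exactly the quantity the flight tests in [2,3,4] are trying to establish. With the constructed inputs, a constant rate of 0.8 failures per 100 hours corresponds to roughly a 55% chance of at least one failure in a 100-hour campaign.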


Final Goal
(Figure, timeline: Takeoff -> Nominal mission -> Control surface fault -> Fault tolerant control -> Safe landing.)

Flight With One Aero Surface
(Source: Sentera, LLC, 2016.)
1. Ultrastick 120 [1]: Demonstrated closed-loop steady, level flight (2015).
2. Senior Design [2]: Team designed and built a flying wing. Demonstrated ability to land by human pilot (2016).
3. Sentera Vireo: Built avionics and performed first flights for system identification (2016). Plan to demonstrate closed-loop landing (2017).
The control input simultaneously excites longitudinal and lateral-directional motion. No direct yaw control.
References
[1] Venkataraman & Seiler, AIAA 2016.
[2] Condron, et al., UMN Report, 2016.

System Identification
- Chirp excitations on elevator and aileron
- Identified frequency response from: elevator to pitch rate; aileron to roll rate
- Grey-box modeling: aerodynamic coefficients initialized using a vortex-lattice method, updated using flight data
- Plot shows aileron to roll rate; Dutch roll mode visible

Single Surface Flight
- Right elevon stuck at 5 deg trailing edge up
- Flight divided into circle (set by user) and land phases
- The red plus sign is the target touchdown point

Glideslope Tracking

Fault Detection and Reconfiguration
Reference: Bauer, et al., "Fault Detection and Basic In-Flight Reconfiguration of a Small UAV Equipped with Elevons," SafeProcess, 2018.
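Analytical redundancy replaces a second sensor or actuator with a model: the identified aileron-to-roll-rate model from the system identification slides predicts what the measured roll rate should be given the commanded surfaces, and a persistent mismatch is the signature of an actuator fault such as the stuck elevon flown above. The Python below is an added example of that residual-plus-CUSUM detection loop, written for this page; it is not the algorithm of Bauer et al. or of the Venkataraman & Seiler papers, and it only detects (which elevon is stuck is a separate isolation step those papers address). The first-order roll-rate model, its derivatives L_p and L_da, the sample period, the sinusoidal command, the sensor noise, and the CUSUM drift and threshold are all constructed values.

```python
import math

DT = 0.02      # sample period [s]; constructed value
L_P = -8.0     # roll damping derivative [1/s]; constructed value
L_DA = 40.0    # roll control effectiveness [deg/s^2 per deg]; constructed value


def elevons_to_aileron(d_left, d_right):
    """Differential elevon deflection acting as an aileron (deg)."""
    return 0.5 * (d_left - d_right)


def roll_rate_step(p, delta_a):
    """One Euler step of the constructed first-order roll-rate model."""
    return p + DT * (L_P * p + L_DA * delta_a)


def simulate(n_steps=300, fault_step=150, stuck_deg=5.0, amp=2.0,
             freq_hz=0.5, nu=0.5, h=5.0):
    """Fly a sinusoidal aileron command, stick the right elevon at
    `fault_step`, and run residual generation plus CUSUM detection.

    Returns (alarm_step, residuals): the sample at which the alarm fires
    (None if it never does) and the residual history.
    """
    p_true = 0.0         # plant roll rate [deg/s]
    p_meas_prev = 0.0    # previous roll-rate measurement [deg/s]
    g = 0.0              # CUSUM statistic
    alarm_step = None
    residuals = []
    for k in range(n_steps):
        t = k * DT
        cmd_left = amp * math.sin(2.0 * math.pi * freq_hz * t)
        cmd_right = -cmd_left
        # Actual surface positions: the right elevon is stuck after the fault.
        act_left = cmd_left
        act_right = stuck_deg if k >= fault_step else cmd_right
        # Plant propagates with the *actual* surfaces; the sensor adds a
        # bounded, deterministic pseudo-noise (constructed).
        p_true = roll_rate_step(p_true, elevons_to_aileron(act_left, act_right))
        p_meas = p_true + 0.1 * math.sin(37.0 * k)
        # Analytical redundancy: predict this sample from the previous
        # measurement and the *commanded* surfaces.  The difference is the
        # residual; it is near zero when the model and plant agree.
        p_pred = roll_rate_step(p_meas_prev, elevons_to_aileron(cmd_left, cmd_right))
        r = p_meas - p_pred
        residuals.append(r)
        p_meas_prev = p_meas
        # CUSUM on |r|: the drift `nu` absorbs noise (no accumulation while
        # |r| < nu); the threshold `h` trades detection delay for false alarms.
        g = max(0.0, g + abs(r) - nu)
        if alarm_step is None and g > h:
            alarm_step = k
    return alarm_step, residuals


if __name__ == "__main__":
    alarm, res = simulate()
    print(f"fault injected at step 150, alarm at step {alarm} "
          f"({(alarm - 150) * DT:.2f} s after the fault)")
    print(f"largest pre-fault residual: {max(abs(r) for r in res[:150]):.3f} deg/s")
```

Before the fault the residual is pure noise (here bounded by about 0.18 deg/s, below the drift of 0.5), so the CUSUM stays at zero and there are no false alarms; after the fault the commanded and actual differential deflections differ by several degrees and the residual carries a bias of 1 to 3 deg/s, so the alarm fires within a few samples. In flight the two tuning constants have to be chosen against the model error seen in the system identification residuals, which is where the certification question of the next slides comes in.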


From Aerospace to Automotive
Similar reliability concerns are now common in automotive applications due to the rise of autonomous driving.

Performance Adaptive Aeroelastic Wing (PAAW)
- Goal: Suppress flutter, control wing shape and alter shape to optimize performance
- Funding: NASA NRA NNX14AL36A; Technical Monitor: Dr. Jeffrey Ouellette
- Two years of testing at UMN followed by two years of testing on NASA's X-56 aircraft
(Figure: LM BFF, UMN Mini-Mutt, Schmidt & Associates, LM/NASA X-56.)

Aeroservoelasticity (ASE)
Efficient aircraft design: lightweight structures, high aspect ratios.

Flutter
(Source: NASA Dryden Flight Research)

Classical Approach
(Figure, frequency axis from 0: rigid body modes at low frequency within the controller bandwidth, then a frequency separation, then the aeroelastic modes.) Flight dynamics and classical flight control treat the rigid body modes; flutter analysis treats the aeroelastic modes separately.

Flexible Aircraft Challenges
(Figure: increasing wing flexibility moves the aeroelastic modes down in frequency, toward the rigid body modes.)

Flexible Aircraft Challenges
(Figure: coupled rigid body and aeroelastic modes overlap in frequency.) Integrated control design is required.

Modeling and Control for Flex Aircraft
1. Parameter dependent dynamics: models depend on airspeed due to structural/aero interactions. LPV is a natural framework.
2. Model reduction: high fidelity CFD/CSD models have many (millions) of states.
3. Model uncertainty: use of simplified low order models, or reduced high fidelity models; unsteady aero, mass/inertia & structural parameters.

Current PAAW Aircraft
mAEWing2
- 14 foot wingspan, 42 pounds
- Half-scale X-56
- Currently ground testing
mAEWing1
- 10 foot wingspan, 14 pounds
- Laser-scan replica of BFF
- 4 aircraft, 50 flights

mAEWing1 and 2

Open-Loop Flutter

Body Freedom Flutter

Pole Map for H-Infinity Controller
Comparison of the BFF mode variation with airspeed identified from flight test data against theoretical predictions, for the open loop and for the H-infinity controller. Marker descriptions: (X) theoretical poles; ( ) system-identified open/closed-loop poles.

Flight Test Summary
Estimated true airspeed (m/s):  21.9  25.8  28.4  30.9  33.5  36.1
Indicated airspeed (IAS, m/s):  20    23    25    27    29    31
(The plot marks the open-loop flutter speed V_flutter,OL and the closed-loop flutter speed V_flutter,CL on this axis.)
Successful flight beyond flutter with 2 controllers!

Finite Horizon Robustness Analysis of LTV Systems Using Integral Quadratic Constraints
Peter Seiler, University of Minnesota
M. Moore, C. Meissen, M. Arcak, and A. Packard, University of California, Berkeley
MTA Sztaki, October 5, 2017

Time-Varying Systems
- Wind turbine: periodic / parameter-varying
- Flexible aircraft: parameter-varying
- Vega launcher: time-varying (Source: ESA)
- Robotics: time-varying (Source: ReWalk)
Issue: Few numerically reliable methods to assess the robustness of time-varying systems.

Analysis Objective
Goal: Assess the robustness of linear time-varying (LTV) systems on finite horizons.
Approach: Classical gain/phase margins focus on (infinite horizon) stability and frequency domain concepts. Instead focus on:
- Finite horizon metrics, e.g. induced gains and reachable sets.
- Effect of disturbances and model uncertainty (D-scales, IQCs, etc.).
- Time-domain analysis conditions.

Two-Link Robot Arm
(Figure: two-link diagram [MZS].)
Nonlinear dynamics [MZS]:
$\dot{\eta} = f(\eta, \tau, d)$
where $\eta = [\theta_1, \dot{\theta}_1, \theta_2, \dot{\theta}_2]^T$, $\tau = [\tau_1, \tau_2]^T$, $d = [d_1, d_2]^T$.
$\tau$ and $d$ are the control torques and disturbances at the link joints.
[MZS] R. Murray, Z. Li, and S. Sastry, A Mathematical Introduction to Robotic Manipulation, 1994.

Nominal Trajectory (Cartesian Coords.)

Effect of Disturbances / Uncertainty
(Figures: joint angles; Cartesian coords.)

Overview of Analysis Approach
Nonlinear dynamics: $\dot{\eta} = f(\eta, \tau, d)$.
Linearize along a (finite-horizon) trajectory $(\bar{\eta}, \bar{\tau}, \bar{d} = 0)$:
$\dot{x} = A(t)\, x + B_u(t)\, u + B_d(t)\, d$.
Compute bounds on the terminal state $x(T)$, or on another quantity $e(T) = C\, x(T)$, accounting for disturbances and uncertainty.
Comments:
- The analysis can be for open or closed-loop.
- LTV analysis complements the use of Monte Carlo simulations.
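The simplest finite-horizon metric on the slide, the induced gain from a unit-energy disturbance to the terminal error $e(T) = C\,x(T)$, can be computed exactly for the nominal (uncertainty-free) LTV system, and the worst-case disturbance can be constructed explicitly. The Python below is an added worked example of that computation in discrete time, written for this page; it is not the IQC machinery of the talk, and it covers no model uncertainty (D-scales and IQCs are what extend it). The plant, a second-order system whose stiffness varies along the horizon as a stand-in for a trajectory linearisation, its 50-step horizon, and the comparison disturbance are all constructed.

```python
import math


def matvec(M, v):
    """Matrix-vector product for small lists-of-lists matrices."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def build_system(n_steps=50, dt=0.05):
    """Constructed discrete-time LTV system x[k+1] = A_k x[k] + B_k d[k],
    e = C x: a damped oscillator whose stiffness varies with time, standing
    in for A(t) from a trajectory linearisation.  Returns (A_seq, B_seq, C)."""
    A_seq, B_seq = [], []
    for k in range(n_steps):
        t = k * dt
        stiffness = 4.0 + 3.0 * math.sin(2.0 * t)   # constructed variation
        damping = 0.6
        A_seq.append([[1.0, dt], [-dt * stiffness, 1.0 - dt * damping]])
        B_seq.append([0.0, dt])                     # disturbance enters as a force
    C = [1.0, 0.0]                                   # e = position error
    return A_seq, B_seq, C


def terminal_gain(A_seq, B_seq, C):
    """Worst-case |e_N| over all disturbances with sum(d_k^2) <= 1, and the
    disturbance sequence that attains it.

    e_N = sum_k h_k d_k with h_k = C Phi(N, k+1) B_k, so by Cauchy-Schwarz the
    bound is ||h||_2 and it is attained by d = h / ||h||_2.  The Gramian form
    on the slide, sqrt(C W_N C^T), is the same quantity: C W_N C^T = ||h||^2.
    """
    N = len(A_seq)
    h = []
    for k in range(N):
        v = list(B_seq[k])
        for j in range(k + 1, N):      # v = A_{N-1} ... A_{k+1} B_k
            v = matvec(A_seq[j], v)
        h.append(sum(C[i] * v[i] for i in range(len(C))))
    gain = math.sqrt(sum(x * x for x in h))
    worst_d = [x / gain for x in h]
    return gain, worst_d


def simulate_terminal_output(A_seq, B_seq, C, d_seq):
    """Propagate the LTV system from x_0 = 0 and return e_N = C x_N."""
    x = [0.0] * len(B_seq[0])
    for k in range(len(A_seq)):
        Ax = matvec(A_seq[k], x)
        x = [Ax[i] + B_seq[k][i] * d_seq[k] for i in range(len(x))]
    return sum(C[i] * x[i] for i in range(len(C)))


def demo():
    """Returns (gain, e from the worst-case d, e from another unit-energy d)."""
    A_seq, B_seq, C = build_system()
    gain, worst_d = terminal_gain(A_seq, B_seq, C)
    e_worst = simulate_terminal_output(A_seq, B_seq, C, worst_d)
    # A different unit-energy disturbance (constructed) must stay within the bound.
    other = [math.cos(0.7 * k) for k in range(len(A_seq))]
    norm = math.sqrt(sum(v * v for v in other))
    e_other = simulate_terminal_output(A_seq, B_seq, C, [v / norm for v in other])
    return gain, e_worst, e_other


if __name__ == "__main__":
    gain, e_worst, e_other = demo()
    print(f"finite-horizon induced gain d -> e_N: {gain:.5f}")
    print(f"e_N under worst-case d:            {e_worst:.5f}")
    print(f"e_N under a cosine d (unit energy): {e_other:.5f}")
```

The bound is tight (the simulated worst-case terminal error equals the gain to rounding), which is the advantage of a finite-horizon, time-domain analysis over a Monte Carlo sweep: random disturbance draws will sit below the bound and never tell you how close the worst case is. Continuous time replaces the sum over k with the controllability Gramian integral, and the reachable set of $x(T)$ is the ellipsoid $\{x : x^T W_T^{-1} x \le 1\}$ from the same construction.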

Conclusions
- Fault tolerance for small UAVs
  - Commercial aircraft achieve high reliability with redundancy.
  - Model-based fault detection methods are an alternative that enables size, weight, power, and cost to be reduced.
  - Develop methods for analytical fault tolerance on small UAS and tools to certify the probabilistic performance.
- Modeling and control of flexible aircraft
- Robustness analysis of time-varying systems
http://www.aem.umn.edu/ SeilerControl/

Acknowledgements
- US National Science Foundation
  - Grant No. NSF-CMMI-1254129: "CAREER: Probabilistic Tools for High Reliability Monitoring and Control of Wind Farms." Prog. Manager: J. Berg.
  - Grant No. NSF/CNS-1329390: "CPS: Breakthrough: Collaborative Research: Managing Uncertainty in the Design of Safety-Critical Aviation Systems." Prog. Manager: D. Corman.
- NASA
  - NRA NNX14AL36A: "Lightweight Adaptive Aeroelastic Wing for Enhanced Performance Across the Flight Envelope." Tech. Monitor: J. Ouelette.
  - NRA NNX12AM55A: "Analytical Validation Tools for Safety Critical Systems Under Loss-of-Control Conditions." Tech. Monitor: C. Belcastro.
  - SBIR contract #NNX12CA14C: "Adaptive Linear Parameter-Varying Control for Aeroservoelastic Suppression." Tech. Monitor: M. Brenner.
- Eolos Consortium and Saint Anthony Falls Laboratory: http://www.eolos.umn.edu/ & http://www.safl.umn.edu/

Backup

Modeling and Control for Wind Energy
Jen Annoni, Shu Wang, Daniel Ossmann, Parul Singh, Jordan Hoyt, Sanjana Vijayshankar (with support from SAFL/EOLOS)

Clipper Liberty, 2012: modern utility-scale turbine, Rosemount, MN.
- Diameter: 96 m
- Power: 2.5 MW
- Eolos Consortium: http://www.eolos.umn.edu/
- Saint Anthony Falls Lab: http://www.safl.umn.edu/

Individual Blade Pitch Control
Goals: Reduce structural loads on the turbine, to increase the lifetime of the turbine and its components while keeping power production constant, by adding an individual blade pitch controller.
Implementation: 2017, on the C96 Liberty research turbine. (Figure: controller architecture.)
Ref: Ossmann, Theis, Seiler, '16 ASME DSCC, Best Energy Paper Award.

Modeling and Control for Wind Farms
1. Parameter dependent dynamics: models depend on wind speed due to structural/aero interactions. LPV is a natural framework. (Eolos: http://www.eolos.umn.edu/)
2. Model reduction: high fidelity CFD/CSD models have many (millions) of states. (Saint Anthony Falls: http://www.safl.umn.edu/)
3. Model uncertainty: use of simplified low order models, or reduced high fidelity models. (Simulator for Wind Farm Applications, Churchfield & FA)

Minneapolis and St. Paul, Minnesota
- Twin Cities population: 3.5 million
- Average daily low/high in January is -15.4 C / -5.6 C
- Strong outdoor culture with many lakes and bike trails

Department History
- John D. Akerman was the first Department Head, 1929-1957. Born in Latvia in the late 1890s. Studied with Nikolai Joukowsky. Acquainted with Igor Sikorsky.
- Jean and Jeannette Piccard performed pioneering research in high altitude ballooning (1930s).

