WP4-37
Algorithms for Runtime Safety Monitoring
ID | WP4-37 |
Contributor | IMCS |
Levels | Function |
Require | |
Provide | TBC |
Input | from drone - Autopilot, GPS, RC |
Output | |
C4D building block | TBC |
TRL | 6 |
Contact | ugis at adsl.lv |
Motivation
- Testing of the Mission Control software is a challenging task, as it implements a state machine of high complexity.
- The most critical errors are ones that cause deviations from the normal state flow during operation. These errors may result in gross violations of drone’s normal behavior patterns, up to deadlocks and complete loss of control.
- There is a lot of evidence from the field that errors of this class happen regularly. As an example, such an incident happened in Latvia in May 2020, when a drone with a flight range of more than 100 km went unresponsive during a test flight and was lost for several days.
- Errors caused by race conditions manifesting in narrow time windows, or by transient external factors applied when in specific states, are among the ones that are most difficult to simulate and discover by testing during the development process.
- Safety of operations can be improved by runtime verification, which is achieved by adding mechanisms to the device that monitor its behavior during the mission, detect errors post-factum, and apply corrective actions.
- Runtime verification can bring substantial safety enhancements in a cost-effective way.
- The component WP4-37 implements the aforementioned runtime verification capability.
Overview
- Implements monitoring of Mission Control states during operation, detects critical deviations, and applies corrective actions.
- Misbehavior detection is achieved by executing a parallel reference model in real time, in the component WP4-37, and comparing the internal states of the actual Mission Control component with those of the reference model.
- The reference model is a simplified alternative realization of the full Mission Control behavior.
- It is trusted thanks to its relative simplicity, which makes comprehensive testing feasible.
- It allows critical deviations from the full behavior model to be detected reliably.
- Component WP4-37 consists of two parts:
  - The simplified Mission Control reference model running as a dedicated ROS node
  - The state deviation detection and correction module integrated into the Mission Control component under monitoring
- The part of WP4-37 running in the ROS node is application-independent. The State deviation detection and correction module serves as an adaptation layer, which is specific to each implementation of the Mission control component.
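The monitoring scheme described above, as an added example that is not the WP4-37 component's own code: a simplified reference state machine is driven by the same autopilot, GPS and RC events as the monitored Mission Control, its state is compared with the state the controller reports, and a persistent mismatch triggers a corrective action. The state names, event names, the grace window and the "force_rth" action are constructed for illustration; the real component's states and corrective actions are not given on this page.

```python
"""Runtime safety monitor built around a simplified reference model.

Added example, not the WP4-37 project's code. State names, event names
and the corrective action are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed simplified reference model: mission states and the inputs
# (autopilot, GPS, RC) that legitimately move between them.
REFERENCE_TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("IDLE", "rc_arm"): "ARMED",
    ("ARMED", "autopilot_takeoff_done"): "MISSION",
    ("MISSION", "gps_lost"): "HOLD",
    ("HOLD", "gps_recovered"): "MISSION",
    ("MISSION", "rc_return"): "RTH",
    ("HOLD", "rc_return"): "RTH",
    ("RTH", "autopilot_landed"): "LANDED",
    ("MISSION", "autopilot_landed"): "LANDED",
}

# Constructed corrective action: request a return-to-home whenever the
# reference model or the controller believes the vehicle is airborne.
SAFE_ACTION = "force_rth"
GROUND_STATES = {"IDLE", "ARMED", "LANDED"}


@dataclass
class ReferenceModel:
    state: str = "IDLE"

    def step(self, event: str) -> str:
        # Events without a listed transition are ignored by the simplified
        # model, so they cannot by themselves produce a spurious mismatch.
        self.state = REFERENCE_TRANSITIONS.get((self.state, event), self.state)
        return self.state


@dataclass
class DeviationMonitor:
    """Compares the controller's reported state with the reference model.

    A mismatch is tolerated for up to `grace_ticks` consecutive samples so
    that scheduling jitter between the two processes is not reported as a
    deviation; a mismatch that outlives the grace window is.
    """
    grace_ticks: int = 2
    model: ReferenceModel = field(default_factory=ReferenceModel)
    mismatch_run: int = 0
    deviations: List[str] = field(default_factory=list)

    def observe(self, event: Optional[str], reported_state: str) -> Optional[str]:
        """Feed one sample; return a corrective action or None."""
        if event is not None:
            self.model.step(event)
        if reported_state == self.model.state:
            self.mismatch_run = 0
            return None
        self.mismatch_run += 1
        if self.mismatch_run <= self.grace_ticks:
            return None
        self.deviations.append(
            f"expected {self.model.state}, controller reports {reported_state}")
        self.mismatch_run = 0
        if self.model.state in GROUND_STATES and reported_state in GROUND_STATES:
            return None  # disagreement on the ground: record only
        # Re-align the reference model with the recovery it just commanded,
        # so that a controller that obeys is no longer flagged.
        self.model.state = "RTH"
        return SAFE_ACTION


def run_trace(samples: Sequence[Tuple[Optional[str], str]],
              grace_ticks: int = 2) -> Tuple[List[str], List[str]]:
    """Run the monitor over (event, reported_state) samples."""
    mon = DeviationMonitor(grace_ticks=grace_ticks)
    actions = []
    for event, reported in samples:
        action = mon.observe(event, reported)
        if action:
            actions.append(action)
    return mon.deviations, actions


# Constructed traces. NOMINAL: controller follows the reference exactly.
NOMINAL_TRACE = [
    ("rc_arm", "ARMED"), ("autopilot_takeoff_done", "MISSION"),
    (None, "MISSION"), ("gps_lost", "HOLD"), ("gps_recovered", "MISSION"),
    ("rc_return", "RTH"), ("autopilot_landed", "LANDED"),
]
# JITTER: the controller reports gps_lost one sample late; within grace.
JITTER_TRACE = [
    ("rc_arm", "ARMED"), ("autopilot_takeoff_done", "MISSION"),
    ("gps_lost", "MISSION"), (None, "HOLD"), ("rc_return", "RTH"),
]
# STUCK: the controller misses gps_recovered and stays in HOLD (a
# deadlock-like error) while the reference model resumes the mission.
STUCK_TRACE = [
    ("rc_arm", "ARMED"), ("autopilot_takeoff_done", "MISSION"),
    ("gps_lost", "HOLD"), ("gps_recovered", "HOLD"), (None, "HOLD"),
    (None, "HOLD"), (None, "RTH"), ("autopilot_landed", "LANDED"),
]

if __name__ == "__main__":
    for name, trace in (("nominal", NOMINAL_TRACE), ("jitter", JITTER_TRACE),
                        ("stuck", STUCK_TRACE)):
        print(name, run_trace(trace))
```

The grace window is what keeps the monitor usable beside the narrow timing windows mentioned under Motivation: a one-sample lag between the controller and the reference node is absorbed, while a controller that stays in the wrong state for three samples is reported and the corrective action is issued once, after which the reference model tracks the commanded recovery.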
Testing
- Drone with Autopilot, Sensors, and Cameras
- Remote Control with a computer running GUI and manual pilot application
- Onboard computer on the drone, running Drone control API
- Simulation computer running “DJI Assistant” application, used for fault injection
- Simulation computer with Matlab Simulink environment, running Mission Control and WP4 components
- Simulation computer with Matlab Simulink environment, running Mission scenario component