Innovative Concepts for Runtime Assurance Technologies

ID: AF221-0024 • Type: SBIR / STTR Topic

Description

TECH FOCUS AREAS: Autonomy
TECHNOLOGY AREAS: Air Platform

OBJECTIVE: The concept of runtime assurance (RTA) was first introduced in the 1990s and has been studied, developed, and applied to several specific systems since that time. However, if RTA applications are to be expanded for more operational uses and fielded in a wider range of platforms and systems (i.e., beyond R&D and flight-testing stages), then a number of technical hurdles will need to be addressed. Past and current R&D efforts in RTA have been and are being conducted by both NASA and the Air Force Research Laboratory (AFRL). The near-term objective of this topic is to invest in basic and applied research to build on accomplished R&D, address specific identified technical challenges, advance specific RTA design applications, and develop general design methods and approaches applicable to future Air Force, DoD and commercial systems. Far-term objectives involve advanced technology development to construct RTA avionics packages, perform real-time hardware and flight testing of the RTA products, accomplish full V&V and certification of their intended uses, and manufacture and field the developed RTA systems in specific Air Force, DoD and commercial platforms.

DESCRIPTION: To address future Air Force strategic needs, an increasing number of advanced systems with intelligent autonomy are being envisioned. Intelligent autonomy is central to systems involving advanced automation, artificial intelligence, machine learning, and a wide range of intelligent adaptation, reconfiguration and autonomous decision making. However, a critical roadblock to the implementation and ultimate fielding of such systems is the required assurance that these advanced functions will always do the right thing. Advances in formal methods give new tools for design-time verification & validation (V&V) of these cutting-edge concepts.
Yet, it is widely recognized that RTA will also be a necessary part of the overall solution towards trusted systems. This topic addresses the need for new approaches to realize implementation of RTA systems. RTA provides protection from errors in advanced functions not discovered during design-time V&V by 1) continually monitoring critical system states and parameters, 2) determining whether the system is safe and operating correctly, 3) if not, switching to a trusted, albeit less capable reversionary/backup function, and 4) allowing the reversionary system to recover to a safe/correct condition. The determination in step 2) is usually performed by observing if one or more system states have violated pre-defined boundaries. In general, this is denoted as the switching condition or the condition that determines when to switch to the reversionary/backup function. Original aerospace applications of RTA focused on protecting the inner-loop control and guidance systems from errors in advanced, adaptive controllers that could not be fully V&V'd to their required levels. However, there is now wide interest in expanding RTA applications to protect higher-level functions, including advanced intelligent-autonomy systems at the flight management and real-time mission planning/decision making functions in unmanned systems [1, 2]. There is also increasing interest in investigating how multiple interacting RTA systems should be designed for complex, multi-agent, distributed cyber-physical systems [3, 4].

Proposers can respond to one or more of the following sub-topics:

(1) Physics-Based Switching Condition Accuracy: Current fielded RTA systems have been beneficial for flight test research aircraft and have been termed envelope protection systems, employing physics-based switching condition boundaries (e.g., aerodynamic parameters, load factors, attitude rates, etc.). These research aircraft often perform iterative testing of experimental flight control code.
At such design stages, it is too time consuming and costly to perform extensive V&V analysis of this type of onboard code. However, the aircraft needs to remain safe during flight and if the human test pilot or remote operator cannot recognize an impending safety violation due to an error in the experimental code, the automated envelope protection system will detect the safety breach and immediately shut down the experiment, returning operation to the aircraft's production flight control system [5]. Current fielded RTA systems have also been beneficial for turbofan engine control. Engine protection systems monitor sensed physical states of the engine, such as fan and compressor speed, burner pressure and temperature, estimated surge margin, etc. If any of these parameters exceed their respective pre-defined bounds, then damage to the engine can occur or stable combustion can be lost. To prevent this, a reversionary fuel flow regulator takes over control of the engine and returns it to safe/stable operation [6]. Although beneficial, the envelope protection systems for flight test aircraft and the engine protection systems for turbofan controllers are broadly considered too conservative. Current allowable flight test operating envelopes are very restrictive to ensure safety of the pilots and aircraft, and the engine protection systems severely restrict the engine's transient performance. These systems are conservative because there are no practical methods to construct accurate physics-based switching conditions in an RTA system [5, 6]. Formal definitions of the switching condition boundaries that ensure safe operation were developed in [1]. However, these definitions involve complex control-theoretic conditions and do not provide realizable methods to construct the switching condition boundaries. For this reason, adding excessive safety margins seems to be the only current solution.
For RTA to be broadly employed in operational applications, this problem needs to be solved. This need is not currently being addressed in NASA or AFRL R&D programs on RTA. This solicitation seeks proposals with innovative approaches to developing practical methods for the construction of accurate physics-based switching condition boundaries. Some approaches that could be considered are state reachability methods, targeted simulation methods, or other innovative, cutting-edge ideas. Successful outcomes would be demonstrated by reducing conservatism in currently fielded RTA systems, or in proving that advanced untrusted systems are allowed to operate throughout their defined envelopes as long as no software or design faults are detected. Performance should also be compared with baseline RTA methods that simply add additional safety margin to define the switching conditions.

(2) Integrated RTA Monitoring for Both Hardware Failures and Software Errors: Another key enabling technology for advancing RTA operability is integration with hardware health monitoring and sensor redundancy management. This is related to the problem of information integrity. An RTA system that makes a decision to switch to its reversionary control function can do more harm than good if it is making that decision based on absent or incorrect information. An RTA system needs to know if observed anomalies are due to hardware malfunctions (e.g., control effector or sensor failures) or due to errors in the advanced system it is monitoring (due to software coding or algorithm design errors). The integration of RTA with hardware health monitoring has, to date, not been addressed. This solicitation seeks proposals that offer integrated software/hardware runtime assurance (integrated RTA) designs. Successful outcomes would demonstrate such integrated RTA systems, introducing seeded faults first in the advanced system's software, then seeded failures in control effectors and sensors.
The integrated RTA system should respond appropriately in both cases, either shutting down the advanced system or allowing it to run, depending on the type of fault or failure determined. Comparisons should be made with RTA systems operating without hardware state knowledge showcasing the benefits of the integrated RTA approach.

(3) RTA Protection for Higher-Level Intelligent Autonomy in Complex Distributed Systems: Multiple interacting RTA functions within one platform have been studied in [1, 7]. It was determined that critical information needs to be passed between the interacting RTA modules involving current operating conditions. Further, it was found that the complexity of the RTA designs grows rapidly with each introduction of another RTA protected module or subsystem. There is now wide interest in manned-unmanned teaming and other complex missions involving multiple unmanned agents operating in a cooperative command/control structure. Unmanned platforms possessing higher-level intelligent autonomy at the flight management or run-time mission planning levels will need RTA protection. This application of RTA is not currently being studied or addressed. Adding to the complexity of the problem, each platform will need to communicate with its neighboring fleetmates, negotiating tasks, deconflicting paths, etc., and coordinating current RTA operating states. For example, if one agent's RTA has switched to its less-capable reversionary flight management system, its lower-level performance could affect how it supports its fleetmates. This solicitation seeks proposals that offer design approaches and design considerations for RTA-protected platforms at the higher intelligent-autonomy levels involving functions that interact/communicate with teammates in a distributed, cooperative manner.
The switching conditions of RTA systems at this level will not be checking physics-based criteria, but rather mission-based rules involving, for example, criteria that measure progress toward mission accomplishment, adherence to no-fly zones, optimality of teammate tasking, etc. Central to this effort will be to define/develop such mission-based RTA checks and to construct trusted reversionary flight management functions or procedures. Successful outcomes would demonstrate interacting RTA systems correctly keeping their ownships within defined operating parameters, and the team, as a whole, on course to successful mission completion. Reversionary operations should be demonstrated, including safe separation of a crippled vehicle from the fleet and its successful return to base.

(4) Other RTA Technology Advancements (General Topic): Proposals will also be considered that offer solutions to other technical hurdles, technology advancements or other innovative approaches that will broaden RTA application and improve RTA operability. Such topics include but are not limited to a) reversionary system design approaches that guarantee recovery anywhere in the operating envelope; b) approaches that reduce complexity in multiple, integrated RTA systems; c) improved approaches for design-time V&V and certification of RTA protected systems; d) integrated training of machine learning and other AI technologies with RTA switching conditions based on mission constraints.

PHASE I: In Phase I, focus should be on initial developments of proposed solutions to one or more of the aforementioned design challenges. Alternate solutions should be considered, and the most promising approaches identified. Feasibility studies should be conducted regarding proposed solution approaches. Initial design and analysis studies in desktop simulation environments should be performed.
Based on initial analyses and experimental results, recommendations for further R&D and a Phase II technology development plan should be completed. Surrogate models representing Air Force platforms of interest can be used in Phase I. No government furnished data or equipment should be required. Air Force customers/stakeholders and specific Air Force technology applications of interest should be identified. These should be technologies in which advancements in RTA will provide significant benefit.

PHASE II: In Phase II, design details and experimental test plans should be significantly expanded. Development and analysis in higher fidelity desktop simulation environments with representative platform applications should be performed. Develop realistic use cases exercising RTA functionality and demonstrating benefits of RTA recovery processes. The RTA system should be agnostic of seeded faults in capstone demonstrations, proving its utility over a wide range of scenarios. Success will be defined by demonstrating the benefits of the advanced RTA technology as compared to current baseline RTA systems or platforms absent of RTA altogether. Develop real-time functionality and test/demonstrate the developed technologies in a software/hardware integration laboratory environment. Repeat some or all of the capstone experiments performed in desktop simulations. Cost and schedule permitting, port developed real-time code to flight processors and perform initial flight demonstrations with surrogate sUAS platform(s), again testing capstone experiments. Depending on contractual arrangements, government furnished data or equipment could be provided in the form of simulation models or equipment supporting laboratory or flight testing. At this stage, systems used to demonstrate the developed RTA technologies should closely align with Air Force programs of interest that employ advanced, adaptive and intelligent autonomy.
Technology transfer plans should be constructed showing how the developed Phase II products can directly support such programs in preparations for Phase III efforts.

PHASE III DUAL USE APPLICATIONS: In Phase III, teaming arrangements should be made with airframe/avionics manufacturers to develop/finalize RTA system design(s) in a pre-production phase. Required V&V, safety analysis and testing for eventual certification should be performed. Phase III activities should directly support Air Force programs of interest with flight testing and demonstrations on full scale vehicles. One such potential effort is the current Skyborg Vanguard program. This program is integrating autonomous UAV technology with open missions systems to enable manned-unmanned teaming. A successful Skyborg program will deliver a prototype suite of technologies to enable autonomous UAVs with enhanced capabilities for Air Force missions. However, trust in the autonomy will be paramount for close-in manned-unmanned operations and RTA will be a key enabling technology to provide the required level of trust in the unmanned systems. Another potential program is Agility Prime, which is developing transformative technologies for urban/advanced air mobility (UAM/AAM). These vehicles are incorporating non-traditional electric or hybrid propulsion vertical takeoff and landing capabilities (eVTOL/hVTOL). These aircraft are being developed for both manned and unmanned operations, typically utilizing a single onboard pilot, remote pilot, or fully autonomous control. Mission applications include personnel recovery/delivery, medical evacuation, resupply/distribution, patrol, search and rescue, etc. Here too, trust in the onboard autonomy will be critical. Often the onboard pilot will have limited flight training (e.g., an EMT or first responder). This, along with operations over densely populated urban areas will require significant evidence that the autonomy will be bounded to safe/correct actions.
Again, RTA will be a key enabling technology to provide this evidence. Follow-on Phase III activities should expand applications to other branches of the military and DoD customers. RTA technologies are not limited to military applications and there is substantial potential to expand the developed products to commercial markets. Clear applications include civil/commercial uses of UAVs/UAMs with use cases in law enforcement, civil air patrol, firefighting, disaster/humanitarian relief, border patrol, bridge/building/utility inspections, environmental services, agriculture, etc. RTA applications should be extended to ground vehicles, self-driving cars, and other autonomous modes of transportation. Other applications may include industrial systems, medical devices, robotic applications and any functions requiring assured intelligent autonomy.

NOTES: The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the proposed tasks intended for accomplishment by the FN(s) in accordance with section 5.4.c.(8) of the Announcement and within the AF Component-specific instructions. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws. Please direct questions to the Air Force SBIR/STTR Help Desk: usaf.team@afsbirsttr.us

REFERENCES:
[1] Schierman, J., DeVore, M., Richards, N., Clark, M., Runtime Assurance for Autonomous Aerospace Systems, Journal of Guidance, Control, and Dynamics, Vol. 43, No. 12, Dec. 2020, https://doi.org/10.2514/1.G004862
[2] Aiello, A., Berryman, J., Grohs, J., Schierman, J., Run-Time Assurance for Advanced Flight-Critical Control Systems, Proc. AIAA Guidance, Navigation, and Control Conference, AIAA 2010-8041, Toronto, Ontario, Canada, Aug. 2010.
[3] Bak, S., et al., Using Run-Time Checking to Provide Safety and Progress for Distributed Cyber-Physical Systems, Proc. IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2013.
[4] Clark, M., Koutsoukos, X., Kumar, R., Lee, I., Pappas, G., Pike, L., Porter, J., Sokolsky, O., A Study on Run Time Assurance for Complex Cyber Physical Systems, AFRL Final Report, April 2013.
[5] Pavlock, K., Full-Scale Advanced Systems Testbed: Ensuring Success of Adaptive Control Research Through Project Lifecycle Risk Mitigation, DFRC-E-DAA-TN3663, 2011 SFTE International Symposium, June 2011.
[6] May, R., Garg, S., Reducing Conservatism in Aircraft Engine Response Using Conditionally Active Min-Max Limit Regulators, Paper No. GT2012-70017, Proceedings of ASME Turbo Expo, June 2012, Copenhagen, Denmark.
[7] Schierman, J., Ward, D., Dutoi, B., et al., Run-Time Verification and Validation for Safety-Critical Flight Control Systems, AIAA Paper 2008-6338, Proceedings of the AIAA Guidance, Navigation, and Control Conference, Honolulu, Hawaii, Aug. 2008.

KEYWORDS: Runtime Assurance; Verification and Validation; Certification; Safety Assurance; Assured Intelligent Autonomy
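
The four-step RTA loop in the description and the integrated hardware/software monitoring of sub-topic (2) can be sketched as follows. This is an added example, not part of the solicitation or any cited system: the integrator plant, both controllers, the triplex mid-value voter and every number are assumptions chosen for illustration.

```python
from statistics import median

# All values below are constructed for illustration.
LIMIT = 10.0       # hard safety bound on the monitored state x
MARGIN = 2.0       # switching boundary sits at LIMIT - MARGIN
SENSOR_TOL = 1.0   # max disagreement tolerated between healthy redundant sensors
DT = 0.1           # integration step of the toy plant x' = u

def vote(readings):
    """Mid-value select; channels far from the median are declared failed."""
    mid = median(readings)
    failed = {i for i, r in enumerate(readings) if abs(r - mid) > SENSOR_TOL}
    return mid, failed

def advanced(x, faulty):
    """Untrusted controller: tracks x = 5; the seeded software fault ignores x."""
    return 12.0 if faulty else 4.0 * (5.0 - x)

def reversionary(x):
    """Trusted, less capable backup: regulates x back to 0."""
    return -2.0 * x

def run(steps, sw_fault_step=None, sensor_fault_step=None, integrated=True):
    x, mode, switch_step, peak, failed_seen = 0.0, "advanced", None, 0.0, set()
    for k in range(steps):
        readings = [x, x, x]                       # three redundant sensors
        if sensor_fault_step is not None and k >= sensor_fault_step:
            readings[2] = 50.0                     # seeded hard-over sensor failure
        if integrated:
            est, failed = vote(readings)           # hardware health feeds the RTA
            failed_seen |= failed
        else:
            est = readings[2]                      # baseline: trusts one channel
        # Steps 1-2: monitor the state and evaluate the switching condition.
        if mode == "advanced" and abs(est) > LIMIT - MARGIN:
            mode, switch_step = "reversionary", k  # step 3: switch to the backup
        sw_faulty = sw_fault_step is not None and k >= sw_fault_step
        u = advanced(est, sw_faulty) if mode == "advanced" else reversionary(est)
        x += DT * u          # plant update; under the backup this is step 4, recovery
        peak = max(peak, abs(x))
    return {"mode": mode, "switch_step": switch_step, "peak": peak,
            "failed_sensors": sorted(failed_seen), "final_x": x}

if __name__ == "__main__":
    print("software fault :", run(60, sw_fault_step=30))
    print("sensor failure :", run(60, sensor_fault_step=30))
    print("baseline (no HW knowledge):",
          run(60, sensor_fault_step=30, integrated=False))
```

With the seeded software fault the monitor switches and the backup recovers inside the bound; with the seeded sensor failure the integrated monitor isolates channel 2 and leaves the advanced controller running, while the baseline without hardware knowledge switches needlessly and then steers the backup from the bad reading.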

Overview

Response Deadline: Feb. 10, 2022 (Past Due)
Posted: Dec. 1, 2021
Open: Jan. 12, 2022
Set Aside: Small Business (SBA)
Place of Performance: Not Provided

Program: SBIR Phase I / II
Structure: Contract
Phase Detail:
Phase I: Establish the technical merit, feasibility, and commercial potential of the proposed R/R&D efforts and determine the quality of performance of the small business awardee organization.
Phase II: Continue the R/R&D efforts initiated in Phase I. Funding is based on the results achieved in Phase I and the scientific and technical merit and commercial potential of the project proposed in Phase II. Typically, only Phase I awardees are eligible for a Phase II award.
Duration: 6 Months - 1 Year
Size Limit: 500 Employees
On 12/1/21 Department of the Air Force issued SBIR / STTR Topic AF221-0024 for Innovative Concepts for Runtime Assurance Technologies due 2/10/22.
