Toward Safe Intelligent Unmanned Aircraft Using Formal Methods and Runtime Monitoring

Abstract

Future unmanned aircraft are expected to be autonomous, perform missions automatically, and act intelligently when unforeseen events or degraded situations occur. This results in enormous complexity for modeling and computing the system states, system behavior, and environmental data. Furthermore, the aerospace domain is a safety-critical domain, enforcing specific levels of safety and compliance to extensive standards. Therefore, software has to be of high quality and free of safety-critical errors. But the verification and validation of a complex system, especially the high-level software components, is a critical element. Because of software complexity and the fact that the state-space of theoretically possible executions cannot be covered by testing, a holistic testing concept, utilizing complementary test methodologies, is required. This chapter discusses the high-level autonomous capabilities of the German Aerospace Center (DLR) Autonomous Research Testbed for Intelligent Systems (ARTIS) framework and focuses on the challenges and best practice approach for verification and certification for autonomous unmanned aircraft. One of the first challenges for developing an intelligent unmanned aircraft is the development of a high-quality set of requirements that describes the autonomous behavior of the system. Furthermore, this work proposes the development of a generic set of high-level requirements describing the targeted level of autonomy. To complement traditional verification methodologies, which also play an important role, model checking is also used to proof consistency of behavior and compliance to the requirements. Another way to assure safety, specifically for autonomous behavior, is to utilize runtime monitoring concepts. The idea is to supervise the execution and escalate any error as soon as it occurs to a high-level decision-making unit, such as a pilot. Furthermore, it is commonly understood that self-awareness, maintenance of information about the system status, is necessary to be able to act intelligently.