scope:

MOTIVATIONS AND PURPOSE OF THIS WORK

The history of aeronautics and aviation, even to the present, has been one of evolving machines and systems to overcome human limitations and deficiencies resulting from us being naturally maladapted to the flight environment. This seemingly began at Kitty Hawk with the first demonstration of a machine that overcame the obvious human limitation associated with physically generating sufficient lift and controlling the amount and direction of that lift force. Other early milestones included extension of these machines, in the form of instruments, automatic controllers, and life support equipment, to overcome the mental and physiological deficiencies associated with operating our lifting machines with reduced visibility, with precision, over long periods of time, or at altitude. Even the systems and processes used to build our flying machines were prone to human error and, coupled with the unforgiving nature of the flight environment, posed serious safety concerns. This required a transformation of the development processes into a generally accepted codified set of specific requirements that attempted to mitigate the potential for human deficiencies in design and construction as a source of failure.

The evolution of aeronautics for this purpose continues to the present day with development of computer-based technologies to enhance safety by assisting, supplementing, or superseding human decision-making. This "increased automation" is currently being proposed and developed for a myriad of applications in many of the manned and unmanned segments of civil and military aviation, ranging from assistive technologies to enable human pilot and air traffic controller functions to increasingly autonomous capabilities that enable a system to make decisions independently and without predetermined actions. For this report, automation is used as a holistic term encompassing both automated and autonomous systems. Increased automation may be enabled by a combination of multiple sensors, intelligent algorithms, and computing hardware to assist, augment, or even replace human functioning at varying levels of capacity.

For aviation segments, such as general aviation (GA) and light sport aircraft (LSA), these new technologies hold near-term promise to make aircraft easier to fly and to improve safety by addressing specific accident root causes with technology solutions. Data gathered from several sources^1-3 reveal that occupants of traditionally piloted GA and LSA are several times more likely to be killed per mile traveled when compared to travel in a car and several hundreds of times when compared with commercial airline travel. The accident data point to insufficient or incorrect pilot action as the primary cause of a large majority of small aircraft fatal accidents. Thus, it seems reasonable to conclude that small aircraft pilot proficiency and decision-making do not always compare favorably with the demands of the small airplane environment, and this has led to a relatively large number of accidents. Despite attempts to improve safety by increasing training, introducing design improvements, and improving maintenance for small aircraft, there are key root causes that have kept the accident rate relatively flat over time. However, many in the industry and regulatory communities believe that technology and automation may hold the key to breaking this trend, leading to a breakthrough in personal aviation safety.

For emerging aviation segments such as unmanned aircraft systems (UAS) or urban air mobility (UAM), increased automation will likely be required due, in part, to the inability for current human-centric pilot and air traffic control (ATC) models to be scalable to a level that will reach the planned number of operations affordably. This is attributable, at least in majority, to the fact that the flight of any aircraft, large or small, requires a mechanism for attentive and continuous control. This means that in the absence of supplementation, human attention cannot be easily shared between controlling even two aircraft; and therefore, a financially prohibitive large number of human pilots would be required to realize the diverse and widespread operations envisioned for UAS and UAM. Furthermore, these financial considerations are in addition to safety concerns already discussed for GA and LSA operations.

It should be pointed out, however, that while increased automation undoubtedly holds significant promise for aviation in multiple domains, the aviation system, as a whole, was developed based on the assumption of a human pilot. This does not mean that the current aviation system does not utilize automated functionality; in fact, it does. But this functionality largely depends on direct human oversight and, perhaps more critically, oftentimes relies on the ability to regress to human control when a failure occurs. Unfortunately, this level and type of human interaction for increased automation at the levels necessary to produce the described benefits may be inadequate or counterproductive and may even be a flawed principle, fundamentally. Therefore, the aviation system itself must be further and continuously adapted to accept the inclusion of aircraft without a human in command. This transition must be planned methodically and implemented safely through a collaborative effort among developers, users, and regulators. Each will have certain responsibilities in order to ensure these systems are developed in a way that produces safe, repeatable, and reliable operation at each level of integration. The methodical transition must focus on the safe replacement of functions currently performed by pilots and controllers but with the ability for automated and human-centric systems to continue to operate together in the same airspace.

The purpose of this document is to begin this process and to capture several pillars of complex system development that must be considered when engineering increased automation for aviation. These pillars, which are distinct from the functions that the automation is accomplishing, are well-understood and robust principles in the areas of system architecture, dynamic functionality, and development processes that have been utilized by avionics and aviation systems designers and researchers for many years. They take the form of six interrelated topic areas, described here, and shown with their relationships in figure 1. These topics are described in individual sections in this document, each containing discussions on motivations for their development, the current state of the art in practice and research, and their relevance to increased automation. While not meant to be exhaustive, they were derived from individuals from government, industry, and academia with extensive experience and knowledge of the development of automation and autonomy over the last four to five decades in aviation. While some may debate the specific terms used, the consensus of these specialists indicates that these six pillars constitute foundational knowledge for automation and autonomy in aviation. The pillars are:

• Development Assurance:

Techniques to gain safety assurance for complex systems as part of the development process.

• Modularity and Partitioning:

System architecture approaches that ensure that components can be developed and analyzed separately, while assuming a certain amount of independence from other unrelated functions (especially ones with differing criticality levels).

• Operational Considerations and the Human Role:

All automation systems must be considered in an operational context that includes the role of the human, including whether the system is assisting, augmenting, or replacing human decision-making.

• Dynamic Consistency Checking:

Functionality that continuously checks data from sensors and algorithmic processing for logical consistency based upon a set of rules tied to established logical principles.

• Fail Functional Design:

Design approaches-including redundancy-that ensure that even when failures occur, the system as a whole continues to function.

• Run-Time Assurance:

Functional safety checks that monitor algorithm and system states in real time and, if necessary, trigger appropriate recovery (also known as safe'ing) behaviors.