Example of a Complementary use of Model Checking and Agent-based Simulation Gabriel Gelman & Karen Feigh Georgia Institute of Technology & John Rushby.

Presentation transcript:

Example of a Complementary use of Model Checking and Agent-based Simulation
Gabriel Gelman & Karen Feigh, Georgia Institute of Technology
John Rushby, Stanford Research Institute

Introduction
[Diagram labels: Increasing Complexity; Leads to; Challenges in HMI; Such as; Automation Surprises; Agents: Pilots, Automation, …; Potential Issues; Tackled by; Model Checking; Simulation; Combine to leverage benefits of both; To examine; System Behavior]
HMI = Human-Machine Interaction

Comparison: Model Checking / Simulation
Simulation | Model Checking
Sophisticated models | Simple models, few actions
Limited to scenarios | Exhaustive state space search
Slow (one simulation takes time) | Fast (millions of runs in seconds)
Time can be explicitly modeled | No explicit modeling of time
High-fidelity aircraft dynamics | Cannot handle continuity (state explosion)

Method: Connecting the Frameworks
[Workflow diagram labels: Scenario Narrative; Create Model & Specifications for Model Checking (SAL); Analyze Using Model Checking (SAL); Create Models & Metric Specifications for Simulation (WMC); Analyze Using Simulation (WMC)]
Extending the Counterexample Guided Abstraction Refinement (CEGAR) method
1. Verify that the action sequence predicted by MC to be problematic continues to be problematic
2. Refine MC prediction to include specific temporal relationships between events

Automation Surprise Aviation Case Study

Automation Surprise
“An Automation Surprise occurs when the automation behaves in a manner that is different from what the operator is expecting”, Palmer (1995)
+ Result of implementation of badly designed automation or lack of pilots’ training on system
+ Introduction of highly automated aircraft (glass cockpits)
  - Starting with aircraft like B-757, B-737 and A320
Failure to activate Approach
Automatic Mode Changes
Sarter and Woods A320 study (80% surprised; n = 167)

Case Study: Airbus Automatic Speed Protection
Sequence on approach: Flight Path Angle mode engaged; Airspeed too fast; Overspeed Protection; Open mode engaged
FCU altitude with respect to current altitude:
Higher: OPEN CLIMB
Lower: OPEN DESCENT
Note: During descent FCU altitude is usually set to Missed Approach altitude if Go Around required
FCU: Flight Control Unit; V/S: Vertical Speed; FPA: Flight Path Angle

Sequence Automation Surprise
[Figure labels: Altitude; Ground; Runway; Instrument Landing System (ILS) Glideslope; points 1 to 5; FPA = 3°; 10° > FPA > 3°; FCU Altitude = Go Around Altitude, e.g. 5000ft]
Step 1: Aircraft is on ILS Glideslope and in FPA V/S mode
Step 2: Air Traffic Control tells aircraft to level off
Step 3: Aircraft tries to recapture ILS Glideslope with higher FPA
Step 4: Because of steeper approach the speed exceeds V max
Step 5: Mode change to OP CLB because FCU alt higher than current alt
FCU: Flight Control Unit; FPA: Flight Path Angle

Modeling Platforms

Model Checking: SAL (Symbolic Analysis Laboratory)
+ Simple models are checked for a given property
+ Reachable state space of a specification is explored
+ Exhaustive exploration of action space (single action or combination of actions)
  - Symbolic Model Checking does not require exploring the full space
[Diagram labels: Start; Initial Conditions; State 1; State 2; State 3; Action i List; Action j List; Action k; Action x; State OK; State NOT OK; Abstract System Model; Action 1,…, Action i,…Action j,…Action k; Trace of Actions]

Case Study Modeled in SAL
Step | Flight Mode | Airspeed | Altitude | Flaps | Max Speed | Mental Model | Pitch
1 | Other | | | Retracted | 400 | Level | -1/100
2 | V/S FPA | | | Retracted | 400 | Descend | -1/100
3 | V/S FPA | | | Extended | 180 | Descend | 0
4 | OPEN CLB | | | Extended | 180 | Descend | 0
5 | OPEN CLB | | | Extended | 180 | Descend | 1/50
6 | OPEN CLB | | | Extended | 180 | Descend | 3/100
State diagram (states 1 to 6), in order:
- Airplane: Flies (descending); Automation: Track Mode; Pilot: Dials Descend
- Airplane: Flies (descending); Automation: VS/FPA mode; Pilot: Extends Flaps
- Airplane: Flies with Flaps (descending) (exceeds Vmax); Automation: Reverses Mode; Pilot: Does nothing
- Airplane: Flies with Flaps (descending); Automation: OP CLB mode; Pilot: Does nothing
- Airplane: Flies with Flaps (descending); Automation: OP CLB mode; Pilot: Does nothing
AUTOMATION SURPRISE: Alt increase from 2990 to 3291; Mental Model still in descend; Positive Pitch
Initial State (FCU Alt = 3201 feet)
Note: Each step is a state transition, time is not modeled
Legend: State; State Transition
FCU: Flight Control Unit
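The exhaustive search that the SAL slides describe can be illustrated with a small explicit-state checker over the case study. This is an added example, not the authors' SAL model: the three-field state, the action names, the transition rule and the airspeed of 200 are assumptions; the 400/180 speed limits, the altitude 2990 and the FCU altitude 3201 are taken from the slide.

```python
from collections import deque

# Constructed abstraction of the slide's case study; not the authors' SAL model.
VMAX = {"retracted": 400, "extended": 180}   # "Max Speed" column of the slide's table
ACTIONS = ("do_nothing", "dial_descend", "extend_flaps")

def step(state, action, airspeed, alt, fcu_alt):
    """One untimed transition: automation reacts to the current state, then the
    pilot action is applied. Returns None if the action is not enabled."""
    mode, flaps, mental = state
    # Automatic speed protection: overspeed in V/S FPA reverts to an OPEN mode,
    # chosen by FCU altitude relative to current altitude.
    if mode == "VS_FPA" and airspeed > VMAX[flaps]:
        mode = "OPEN_CLB" if fcu_alt > alt else "OPEN_DES"
    if action == "dial_descend":
        if state[0] != "OTHER":
            return None
        mode, mental = "VS_FPA", "Descend"
    elif action == "extend_flaps":
        if flaps == "extended":
            return None
        flaps = "extended"
    return (mode, flaps, mental)

def is_surprise(state):
    """Property violated: automation climbs while the pilot expects a descent."""
    mode, _, mental = state
    return mode == "OPEN_CLB" and mental == "Descend"

def find_surprise(airspeed, alt, fcu_alt):
    """Breadth-first search of every reachable state; returns the shortest
    action trace to a surprise state, or None if none is reachable."""
    init = ("OTHER", "retracted", "Level")
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, trace = queue.popleft()
        if is_surprise(state):
            return trace
        for action in ACTIONS:
            nxt = step(state, action, airspeed, alt, fcu_alt)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [action]))
    return None

if __name__ == "__main__":
    # 2990 and 3201 appear on the slide; airspeed 200 and FCU alt 2000 are constructed.
    print(find_surprise(airspeed=200, alt=2990, fcu_alt=3201))
    print(find_surprise(airspeed=200, alt=2990, fcu_alt=2000))
```

As in the slide, the returned trace is an ordered list of actions with no timing, which is the gap the simulation runs are meant to fill.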

Simulation: WMC (Work Models that Compute)
[Diagram labels: WMC; SIM Core; Scripted Events; Initial Conditions; Work Model; Aircraft Work Model; Agents; Human Agent; Mental Model; Expectations; Auto Surprise; Pulls; Stores; Updateable World Representation; Resources; Actions; Traces of Key Metrics; Altitude, Heading, Speed, Vertical Speed]

Simulation Runs Based on MC Output
1. Verify that the action sequence predicted by SAL to be problematic continues to be problematic
2. Refine SAL's prediction to include specific temporal relationships between events
Step 1: Arm Approach; Step 2: Extend Flaps; Step 3: Monitor Speed
Becomes
t = 2: Arm Approach; t = 5: Extend Flaps; t = 9: Monitor Speed

Simulation States that Varied
[Figure labels: Altitude; Ground; Runway; ILS Glideslope; FPA = 3°; Cruise; STAR approach; Level Off Altitude; Level Off Duration; Go Around Altitude; Flaps Extension Speed]
STAR: Standard Terminal Arrival Route; ILS: Instrument Landing System; FPA: Flight Path Angle

Results

Meaningful Scenarios from Simulation Traces
[Figure labels: Simulation Traces; OPEN DES; OPEN CLB; No Change; Leads to Automation Surprise; No Auto Surprise]

Overview of Scenarios in Simulation Output
SC | Mode | AS | Description
1 | DES | No | Mode reversion before level off, early flaps extension leads to overspeed
2 | CLB | Yes | --"--
3 | DES | Yes* | Mode reversion after level off, early flaps extension leads to overspeed
4** | CLB | Yes | --"--
5 | DES | Yes* | After level off, dive leads to overspeed on current flap configuration
6 | CLB | Yes | --"--
SC: Scenario; AS: Automation Surprise
(*) Possibly due to artifact
(**) SAL Scenario

Model Checking Matching Case
[Figure labels: SAL; WMC; Unknown time step]
Action | Value
Extend flaps | 201 knots
Level Off Altitude | 3200 feet
Level Off Duration | 100 seconds
GA Altitude | 3281 feet

Scenario 4: OPEN CLB
1. Level off
2. Return to glideslope (dive)
3. Flaps Extension
4. Sets max speed below current speed (former max speed = 220 knots, max speed with flaps = 205 knots)
5. OPEN CLB engages
6. Aircraft climbs
[Figure label: Zoom]

Scenario 6: OPEN CLB
1. Level off
2. Return to glideslope (dive)
3. Overspeed from dive
4. OPEN CLB engages
5. Aircraft climbs
[Figure label: Zoom]

Preconditions for Scenarios
Go Around (GA) altitude fixed at 3291 feet (as in SAL)
Flaps Extension speed fixed at 226 knots (as in SAL)
Level Off altitude and duration varied
SC: Scenario; AS: Automation Surprise

Preconditions for Scenarios
Go Around (GA) altitude fixed at 6000 feet
Level Off altitude fixed at 7000 feet
Level Off duration and Flaps Extension speed varied
SC: Scenario; AS: Automation Surprise

Conclusion

Next Step: Simulation -> Model Checking
+ Implement capability for new scenarios into model checking
+ Make model checking model more detailed
[Workflow diagram labels: Scenario Narrative; Create Model & Specifications for Model Checking (SAL); Analyze Using Model Checking (SAL); Create Models & Metric Specifications for Simulation (WMC); Analyze Using Simulation (WMC)]

Conclusion
+ Examined the same scenario using both model checking and simulation
+ Simulation results expand on the Model Checking results (more scenarios, and they include aircraft dynamics and time)
+ A method was shown for using the two frameworks in conjunction to examine system behavior
[Diagram labels: Model Checking; Simulation]

Questions & Comments Welcome Now