DAF26BZ01-NV008 — Runtime Assured Autonomy
Award Maximum: $300,000
Period of Performance: 6 months
Phase Type: Phase I
OBJECTIVE: The Need for Advanced Autonomy: The Air Force has taken wide interest in fully autonomous, unmanned air platforms operating in teams and making collaborative decisions to successfully complete missions. The highest-level, real-time decision making will be the responsibility of advanced autonomy. This autonomy will include both flight-level autonomy and mission-level autonomy. Flight-level autonomy functions will generate local commands that keep the vehicle operating safely. Mission-level autonomy functions will continuously deliver courses of action (COAs) to each platform in the fleet, commanding mission progress in real time. Although all vehicles in the fleet will have instantiations of the mission-level autonomy functions, COAs will typically be generated by a chosen fleet leader.
The Need for Runtime Assured Autonomy: Autonomy approaches under current development can be highly complex and nondeterministic in their behaviors. AFRL is currently developing approaches for autonomously executed missions using complex event processing techniques. This class of autonomy will be difficult, if not impossible, to fully certify from an airworthiness perspective, and therefore cannot be trusted to correctly operate under all mission conditions. Further, the capabilities of artificial intelligence and autonomy are rapidly increasing, with continually updated versions and design iterations expected to occur throughout the operational lifecycles of unmanned systems. Such protocols are clearly not amenable to the time-consuming and expensive airworthiness certification process.
To address this hurdle, runtime assured autonomy (RTAA) functions will be needed to perform runtime monitoring of the autonomy and enact procedures to mitigate any adverse effects due to errors in the autonomy design. The safety and performance protections provided by RTAA will lessen the certification burden, allowing rapid fielding of autonomy functions.
Topic Objective: The objective of this topic is to develop innovative approaches to RTAA systems that protect the individual platform and the fleet against undiscovered design errors in the autonomy functions. The focus should be on use cases in which the RTAA determines whether the autonomy is generating infeasible, incorrect, and/or non-optimal solutions (e.g., commanded paths or task allocation) that may affect mission progress and effectiveness.
DESCRIPTION: Several of the Air Force's Operational Imperatives call for unmanned platforms to support manned platforms. The Advanced Battle Management System, Moving Target Engagement, Tactical Air Dominance and Global Strike imperatives all call for less expensive, attritable uncrewed platforms to aid in executing complex battle missions. These uncrewed systems cannot always be guaranteed to be controlled by remote human operators due to loss of radio communications or saturated operator workload. Full autonomy will need to fill the gap when human command/control cannot. To address future Air Force tactical and strategic needs, an increasing number of advanced systems with intelligent autonomy are being envisioned. Intelligent autonomy is central to systems involving a wide range of advanced adaptation, reconfiguration, autonomous decision making and contingency management.
Assured autonomy is the requirement that the autonomy operates safely and correctly under all circumstances and mission scenarios. RTAA fulfills this Air Force technology need, providing continuous monitoring/mitigation of autonomy functions to deliver required assurances of safe flight and correct mission execution. There are considerable challenges to developing a working RTAA system. The two key functions of the RTAA are:
Fault detection & isolation: The RTAA system must be able to determine if the autonomy is correctly producing COAs and other commands, which is especially difficult if agnostic of the autonomy function details. Developing strategies that can indirectly detect and isolate autonomy design faults in dynamic environments will be key to developing the RTAA system. Faults within the autonomy will need to be determined through the effects those faults have on the platform's safety, performance, and/or mission effectiveness. RTAA fault determination may come from comparing the current actions of the autonomy with nominal functional or performance requirements (e.g., what defines correct behavior), sanity checks, rubrics, rule sets, etc.
Mitigation response: If the RTAA determines that errors in the design of the autonomy functions are adversely affecting flight and mission decisions, it must then activate proper recovery or reversionary protocols. This may include first commanding the vehicle to a failsafe loiter point, then clearing functional states and restarting the autonomy functions. As a last resort, the RTAA may activate return-to-base or ditch procedures. If available, the RTAA may switch to simpler, reversionary autonomy functions that can continue the mission either temporarily until the advanced autonomy is back online, or to mission completion, if capable.
The two main functional levels of an RTAA system are:
Platform/fleet safety: Here, the RTAA typically treats the autonomy functions as a black box and simply monitors the platform and fleet for safety violations. The RTAA will monitor, for example, 1) flight envelope parameters such as angle of attack, angular rates, g-loading, etc., determining if their values remain within prescribed limits, 2) flight corridor values, determining if the vehicles are within their prescribed airspace and location for path deconfliction, and 3) path commands generated by the autonomy functions to determine if the vehicle's maneuvering capabilities can fly the commanded path. If it is determined that safety violations are ensuing (and assuming no hardware faults or other contingencies are causing unsafe conditions), then the RTAA will deactivate the autonomy functions and activate simpler reversionary controllers or procedures designed to bring the vehicle/fleet back to a safe state.
Autonomy function performance: Here, the RTAA is monitoring for correct and/or optimal performance of the autonomy itself. The RTAA must determine if the autonomy functions are, for example, 1) generating correct COAs, including safe, optimal and deconflicted paths, 2) commanding proper asset allocation and reassignment of platform roles, if necessary (e.g., send the vehicle with the most fuel to the furthest mission point, or use the fastest vehicle for the most time-critical objective, etc.), 3) replanning mission objectives accordingly due to unforeseen changes in the environment (inclement weather, observed adversarial threats, etc.), changes in the commander's intent (uploaded changes to mission objectives, etc.) or other unforeseen contingencies, and 4) addressing other relevant mission aspects to maximize mission effectiveness.
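An added sketch of the platform/fleet safety level described above (illustrative code written for this page, not part of the solicitation or any Air Force system): a black-box monitor applies the three checks and selects the reversionary controller on any violation. All limits, class and function names, and the 2-D waypoint representation are assumptions constructed for the example; path feasibility is approximated by comparing the circumradius of consecutive waypoints with the minimum level-turn radius.

```python
import math
from dataclasses import dataclass

G = 9.81  # m/s^2

@dataclass(frozen=True)
class Limits:  # constructed values, not taken from any real platform
    max_aoa_deg: float = 15.0
    max_g: float = 4.0
    max_bank_deg: float = 60.0
    corridor: tuple = (0.0, 0.0, 10_000.0, 10_000.0)  # xmin, ymin, xmax, ymax (m)

@dataclass(frozen=True)
class State:
    x: float
    y: float
    speed: float    # m/s
    aoa_deg: float
    g_load: float

def min_turn_radius(speed, max_bank_deg):
    """Tightest coordinated level turn: r = v^2 / (g * tan(bank))."""
    return speed ** 2 / (G * math.tan(math.radians(max_bank_deg)))

def commanded_radius(p0, p1, p2):
    """Circumradius through three consecutive waypoints."""
    twice_area = abs((p1[0] - p0[0]) * (p2[1] - p0[1])
                     - (p2[0] - p0[0]) * (p1[1] - p0[1]))
    if twice_area == 0:  # collinear: straight ahead is free, a reversal is unflyable
        ahead = (p1[0]-p0[0]) * (p2[0]-p1[0]) + (p1[1]-p0[1]) * (p2[1]-p1[1]) >= 0
        return math.inf if ahead else 0.0
    sides = math.dist(p0, p1) * math.dist(p1, p2) * math.dist(p0, p2)
    return sides / (2 * twice_area)

def violations(state, path, lim=Limits()):
    """Black-box checks: only vehicle state and the commanded path are inspected."""
    found = []
    if abs(state.aoa_deg) > lim.max_aoa_deg or abs(state.g_load) > lim.max_g:
        found.append("envelope")
    pts = [(state.x, state.y), *path]
    xmin, ymin, xmax, ymax = lim.corridor
    if any(not (xmin <= x <= xmax and ymin <= y <= ymax) for x, y in pts):
        found.append("corridor")
    r_min = min_turn_radius(state.speed, lim.max_bank_deg)
    if any(commanded_radius(*pts[i:i + 3]) < r_min for i in range(len(pts) - 2)):
        found.append("infeasible_path")
    return found

def select_controller(state, path, lim=Limits()):
    """Any violation hands control to the reversionary controller."""
    found = violations(state, path, lim)
    return ("reversionary" if found else "autonomy"), found
```

The returned violation list is what a mitigation stage would use to choose between the recovery options the topic names, such as a failsafe loiter point or return to base.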
PHASE I: This SBIR topic directly aligns with several current Air Force Operational Imperatives involved in autonomy and uncrewed air platforms. Phases I and II directly support R&D efforts in AFRL and larger Air Force efforts involving autonomous collaborative platforms (ACPs). Successful outcomes of Phases I and II will directly support future 6.3 efforts in autonomous combat operations, tactical teaming, advanced contingency management, and runtime assurance.
Phase I should be a feasibility study of proposed solutions, focusing on initial design ideas of architectures and approaches for the RTAA system. The effort should identify technical challenges, risks, and design requirements. The architecture should explicate functional design elements of the integrated components, interface requirements, required communication pathways, and required sensor suites. Functional designs of the two main elements of the RTAA system should be addressed:
RTAA fault determination function: The RTAA system should continually perform information acquisition, gathering relevant information from onboard sensors, information transmitted from local fleetmates, and broadcasted information from tactical and strategic sources (e.g., ground command base, satellites, AWACS, etc.). RTAA subsystems will then perform knowledge extraction, fusing and filtering the gathered information and delivering this knowledge to fault determination functions within the RTAA system.
Although monitoring for platform safety violations will be a critical part of the RTAA system, for this effort, focus should be primarily on determining the autonomy's performance in delivering correct or optimal COAs. Use cases should be developed that cover a range of faults in the autonomy design causing corrupt COA generation and subsequent erroneous actions. Use cases involving contingencies may provide rich scenarios for experimental studies (platform hardware faults, pop-up threats, unforeseen mission changes, etc.). Here, strategies should be constructed to determine if the autonomy is incorrectly responding to contingencies. Strategies may involve fault detection and isolation techniques, heuristic mechanisms, or other formal methods. Accurate determination is critical: the RTAA function should not produce false alarms that shut down correctly operating autonomy functions that are responding to off-nominal contingency conditions.
Mission scenarios for use case development may include ISR, patrol, supply delivery, high-value escort, weapon engagement/deployment, enemy suppression, etc. Contested areas of operation may include high-risk zones, no-fly zones, natural and urban terrain, with red team air and ground assets, etc.
RTAA mitigation function: If the RTAA system determines the autonomy is not operating correctly, it will activate recovery procedures to re-acquire safe and correct operations. This may involve simple reversionary functions that bring the platform or mission to a safe state. Here too, Phase I should be a feasibility study of proposed solutions, focusing on initial design ideas. Recovery procedures under various scenarios/context should be outlined and risks assessed. Under what conditions should the mission be abandoned and the fleet commanded to return to base? Or, should a failsafe loiter point be targeted as the autonomy functions are cleared and restarted? Can vehicles continue with the mission under a set of pre-defined COAs commanded in succession?
Phase I objectives: Initial architecture and functional design approaches may be delivered as documented descriptions. Initial, low-order design and analysis studies in desktop simulation environments can be performed to support the proposed set of use cases. A Phase II technology development plan should be completed based on Phase I results.
Respondents can propose use of their own models and simulation environments in Phase I. No government furnished data is required. However, awardees should expect significant interaction and involvement with the Air Force during initial planning for Phase II and beyond to align with specific platforms, architectures and missions of interest to the Air Force.
PHASE II: In Phase II, design architectures should be significantly matured and align with the Air Force's Autonomy-Government Reference Architecture (A-GRA). Technology maturation should be a significant part of the Phase II, with design iteration and testing in higher fidelity desktop simulation environments with representative platform applications and mission scenarios of interest to the Air Force. Develop realistic use cases that exercise the functionality of the RTAA fault detection and subsequent mitigation measures. Benefits of the recovery processes and operation over a wide range of scenarios should be demonstrated. Capstone demonstrations should be constructed showcasing the utility of the technology advancements.
The technology readiness level of the developed products should then be matured further, constructing real-time functionality and testing the developed technologies in a real-time software integration laboratory environment. Repeat capstone experiments that were performed in desktop simulations.
Depending on contractual arrangements, government furnished data or equipment could be provided in the form of simulation models or equipment supporting laboratory bench testing. At this stage, systems used to demonstrate the developed technologies should closely align with Air Force programs of interest that employ advanced intelligent autonomy. Technology transfer plans should be constructed showing how the developed Phase II products can directly support such programs in preparations for Phase III efforts.
PHASE III DUAL USE APPLICATIONS: Phase III efforts should be pursued in Air Force programs, other DoD branches and commercial endeavors. The AFWERX's STRATFI/TACFI programs could serve as potential starting points, supporting identified Air Force customers in, for example, 1) AFRL directorates, 2) AFWERX's Autonomy Prime with application to low-cost unmanned aircraft system test beds, 3) Agility Prime with application to air mobility systems with autonomy, or 4) current and future air wings that focus on platforms and systems driven by autonomy. For example, the 412th Test Wing at Edwards Air Force Base has conducted multiple autonomous flight tests and research projects to advance the capabilities of unmanned aircraft systems.
Proposed activities should directly support these Air Force customers and their programs of interest with advanced technology development and flight testing. Teaming arrangements should be made with airframe/avionics manufacturers to develop/finalize the system designs in a pre-production phase. The Phase II-developed real-time code should be ported to flight processors and initial flight demonstrations with surrogate sUAS platforms should be performed, again testing capstone experiments.
Follow-on Phase III programs should focus on final design developments, fully expanding the RTAA products for full-envelope operation and integrating them with fully matured contingency management and flight and mission autonomy systems. Required V&V, safety analysis and testing for eventual certification should be performed at this stage.
Commercialization efforts should be pursued in parallel, teaming with industry to license the developed code and/or manufacture relevant avionics subsystems. The developed products could support DoD platforms and mission systems of interest, or advanced civilian applications, such as urban/advanced air mobility (UAM/AAM). These vehicles are incorporating non-traditional electric or hybrid propulsion vertical takeoff and landing capabilities (eVTOL/hVTOL). These aircraft are being developed for both manned and unmanned operations, typically utilizing a single onboard pilot, remote pilot, or fully autonomous control. Mission applications include personnel recovery/delivery, medical evacuation, resupply/distribution, patrol, search and rescue, etc., with applications in law enforcement, civil air patrol, firefighting, disaster/humanitarian relief, border patrol, bridge/building/utility inspections, environmental services, agriculture, etc.
With these applications, trust in the onboard autonomy will be critical. Often the onboard pilot will have limited flight training (e.g., an EMT or first responder) and he/she will not have sufficient experience to correctly respond to complex contingencies that may arise. Fully automatic contingency management integrated with the onboard autonomy will be required. Further, operations over densely populated urban areas will require significant evidence that the autonomy will be bounded to safe/correct actions. RTAA systems will be a key enabling technology to provide this evidence.
RTAA applications should be extended to ground vehicles, self-driving cars, and other autonomous modes of transportation. Other applications may include industrial systems, medical devices, robotic applications and any functions requiring assured intelligent autonomy.
Wherever autonomy is needed, systems that assure that autonomy will always do the right thing will also be needed. RTAA is not only a required technology, it is an enabling technology for future systems driven by autonomy. Sending unchecked autonomy out into the world will simply not be allowed. Societal regulations will not allow untrusted autonomy to control machinery that can harm people or cause physical damage. RTAA will be required without doubt.