Guaranteed Aircraft Safety for Pilot Displays

Meeko Oishi
Department of Mechanical Engineering
Stanford University
December 2001

Modern commercial aircraft have complicated computers to help the pilot fly the aircraft by performing computations, obtaining data, and alleviating the pilot of dull tasks. In such a safety-critical system, the pilot display must contain enough information so that the pilot can correctly predict the aircraft's behavior, while not overloading the pilot with unnecessary information. How can we mathematically guarantee that the aircraft, with all of its automation, will behave as the pilot anticipates? My research addresses this issue by extending a theoretical framework, "hybrid systems", to include behavior of both the aircraft and the pilot.

Hybrid systems combine two types of behaviors: how a system evolves over time according to the laws of physics, and how the system evolves according to signals and switches. The combination of these two, referred to as continuous and discrete dynamics, leads to extremely complex behavior. In the case of the aircraft, this means that we can model how the aircraft flies as well as the logic which drives the aircraft automation. Hybrid systems are controlled through the combination of continuous and discrete signals we can directly alter. My research builds upon well-developed methods for controlling hybrid systems.

Commercial aircraft are excellent examples of hybrid systems due to the interaction of complex continuous dynamics with an equally complex automation. The aircraft behaves in one manner while it holds a constant altitude, and in another manner while it is trying to climb or descend. Despite all of this complexity, aircraft are safety-critical systems that require intense certification processes to verify their dependability and accuracy. We would like to guarantee the safety of the aircraft under as wide a range of conditions as possible. Currently, this is done through extensive testing in simulators and prototypes. Hybrid systems offers an alternative to this costly process -- mathematical verification which guarantees that the system will behave within certain allowable ways. In addition to identifying the "safe" region to operate in, this method also determines what hybrid control is necessary to guarantee that the system will never leave the "safe" space. The result is quite powerful -- a complex system, subject to real-life errors and limitations, is mathematically guaranteed to be safe in the face of those errors and limitations.

My research extends this type of analysis to examine how two systems relate to each other and to their "safe" regions of operation. How does safety in one system relate to safety in the other?

One motivating example is an automatic landing scenario. The aircraft sequences through various modes -- holding a constant altitude, descending at a constant rate, then smoothly touching down on the runway -- some of which are initiated by the automation, and some which are initiated by the pilot. The pilot knows what the automation will do based on information in the aircraft manual, his own pilot training, and on information displayed to him in the cockpit interface. We would like to guarantee that the pilot does not come upon any surprises in the automation -- that the pilot's mental model of the aircraft is consistent with how the aircraft actually behaves. In this case, I hope to show that for an automation system which is well-designed, the ``safe'' region of the pilot's mental model of the aircraft is completely contained within the ``safe'' region of the actual aircraft model. This type of analysis could be used to help design cockpit interfaces, so that with the correct combination of information, the aircraft is guaranteed to either land or go-around safely.

In another application, we would like to guarantee that a given landing procedure is consistent with possible aircraft behavior. Here, I hope to show that the "safe" region of the procedural model is contained within the "safe" region of the actual aircraft model. The analysis could be used in this case to design landing procedures that are mathematically guaranteed to be safe.

The main advantage, in both scenarios, is the a priori guarantee that mathematical analysis provides. Incorporating the results of this analysis could help prevent "automation surprises" and procedural mishaps in autolandings. In future aircraft, engineers could design pilot displays to guarantee that the pilot will always be able to fly the plane safely. Hybrid analysis of this nature furthers the goal of fail-safe operation, paramount to the aircraft industry and the customers they serve.