DAVOS

Distributed Autonomy Vehicle Operating System (DAVOS)

The primary objective of this effort is to research a new paradigm of autonomous vehicle control and, thereby, an avenue to affordable, safe certification. The name of this proposed system is the Distributed Autonomy Vehicle Operating System (DAVOS). This object of this research is to determine the degree to which DAVOS is unique and advance the depth of the system design. Human resources and other resources required for the DAVOS to proceed to phase II will also be secured. In depth understanding of the DAVOS concept and function requires a simulator that can handle software written for DAVOS. Investigation of the options for a simulator for DAVOS will be carried out.

Proposed Layout for the DAVOS Simulation Laboratory

IDENTIFICATION AND SIGNIFICANCE OF THE PROBLEM

1. Definition of the Problem

As intelligent and autonomous UAVs, and other autonomous systems, are developed for civilian and military service, an unprecedented sea change is seen ahead. The following will need to be addressed:

  1. Can we certify a decision-making, intelligent system?
  2. Can self-actualizing machines be made as predictable, or even more predictable, than the human pilot?
  3. Autonomous software and hardware will require completely new methods and processes
  4. The system options and actions need to easily seen before it ever flies. Autonomous control adds a whole new layer of safety and security issues
  5. Can the cost of safety/security issues be kept in line
  6. How can up-grades, verification and recertification be made sure and simple
  7. Can the decision-making skills, acquired through many man-centuries of human piloting experience, be instilled into the pilotless system
  8. The system needs to be adaptable and scaleable to be used on many UAVs.

UAV Operating Systems Technologies

2. Levels of Autonomy

The following table shows six conceptual levels of autonomy. Level zero, by wire or radio link, has been the usual until recently. Level one through three represent degrees of automation that cannot be considered autonomy. Both levels four and five are autonomous, but only level five represents the required capability for any UAV operating autonomously in the National Airspace System (NAS).

2.1 Level of Autonomy

The above table shows six conceptual levels of autonomy. Level zero, by wire or radio link, has been the usual until recently. Level one through three represent degrees of automation that cannot be considered autonomy. Both levels four and five are autonomous, but only level five represents the required capability for any UAV operating autonomously in the National Airspace System (NAS).

2.2. UAV Control Techniques

Various historic UAV control schemes, both non-autonomous and autonomous, will be documented. Techniques used in these systems will be evaluated against DAVOS. This investigation will include single code block systems, subordination systems, automatic and remotely operated UAV control systems.

2.3. UAV Scale Factors

Our investigation will include the discovery of scale factors that may drive this proposed UAV control system design in unforeseen directions. Current and future UAV designs are sized from the bumblebee to the Airbus A380. The proposed UAV control system, to serve the widest market, needs to be scalable for the above vehicles and all in between.

3. Risk Management
Phase I will examine all risks, financial, technological and legal, for DAVOS in its proposed progresses through phase II and into production in phase III.

2. PHASE I TECHNICAL OBJECTIVES 4. DAVOS technical Description

Once the UAV control system has reached true autonomy, it may be said to have a personality. In the case of the first and second generation UAVs, the personality will probably have the complexity and versatility of the bumblebee. Even that will take a great effort to invent and to build. The approach of DAVOS is to divide the UAV digital personality into sub-parts or modules that are, in themselves, somewhat autonomous. That is, given a range of stimuli, each module will be able to deduce an acceptable response. Each part can then be tested within that range of stimuli and certified as a trusted part. The assembly of the trusted parts will form DAVOS and can be, after thorough testing, trusted.

The DAVOS is proposed to have a personality that consists of: An Id, an Ego and a Superego.

The Id is an important part of the system personality that takes care of basic needs, for instance, fuel, air, light, lift and warmth. The Id, known as the “Mine” module when in hardware, only assesses the needs of the UAV. It must make requests of the Ego to have them met.

General Communication in DAVOS

The Ego understands reality and the physical principles that have to be respected and makes decisions based on those factors. In making those decisions, the Ego, known as the “Me” module when in hardware, also communicates with the Superego, which understands moral principles. It’s the Ego’s job to meet the needs of the Id, while considering, with the help of the Superego, the reality and morality of the situation.

Since the Superego makes the moral decisions for the DAVOS, it will also be referred to as the “Morality” module.

When the Id, Ego and Superego have successfully collaborated, the DAVOS, as a whole, will be satisfied. Without the assistance of the Ego and Superego, the Id might decide to take the short path through physical mountains and/or violate the rights of other aircraft to satisfy an urgent need for fuel.

The functional hardware breakout of the DAVOS will include the parts of the personality, and other UAV functions, in Line Replaceable Hardware Modules (LRHMs). Each module will be removable, replaceable, computation enabled and will be hosted on the equivalent of a single board computer.

Each module of the DAVOS has a connection to a local bus array that carries sensor data, derived data, and communication streams to and from other modules. It has a digital processor and three kinds of memory, “random access” (RAM), “read only” (ROM), and nonvolatile read and write digital storage. Thus each module has all that it needs to gather data, make decisions, and communicate those decisions to other modules for further decisions.

The following six modules are proposed to be simulated: (See Figure 2)

1. Mine (Id)

The Mine module will handle the monitoring of all of a wide range of UAV sensors. This module provides the Ego the sense of self in that it provides the signals to make the Ego aware of its size, weight, strength, health, capabilities, limitations, and so forth; in short, all that it is. Vision, including RADAR , because of the very important role that seeing has in establishing self, is the sole exception to sensor ownership of the Mine module. The Mine module sensors will sense:

  • The state of the aircraft, including the position of all control surfaces, engine parameters, aircraft size and weight,
  • Air speed, ground speed, slip, skew, altitude change, course, heading,
  • Fuel capacity, flow and current amount remaining, thrust/pound of fuel/minute
  • Air quality, particulates such as ash, smoke, temperature, dew point, snow, hail, icing,
  • Current cargo type, cargo weight, total capacity, flammability,
  • Damage detection, systems integrity, airframe integrity, engine condition
  • Kinesthetic sense to detect the presence of any deformities, doors open, unauthorized changes.

2. Me (Ego);

The Me module is really the mind of the system and formulates decisions with input from the Mine, Morality and other modules. The Me module answers questions such as the following.

  • How do I make my way to the end of the runway, take off, fly to the destination?
  • How, when, and where do I execute my mission?
  • What is my importance and the importance of my cargo?
  • How, what and when shall I communicate?
  • Is it safe for me, those around me and those on the ground to make this change?
  • Will this be a breach of security?
  • What flight changes do I need to make to avoid that balloon?
  • Is that UAV in my flock?

The Me module also:

  • Handles bi-directional multi-channel radio communications, encryption and decryption,
  • Compiles the digital instructions for the ground based speech synthesizer,
  • Contains the digital resources to enable UAV sight and image comprehension,
  • Communicates by means of icons (happy face, sad face, aircraft parts icons, etc.) some words, meaningful sounds (laughter, whimper).
  • May use Musical Instrument Digital Interface (MIDI) coding to communicate harmony, dissonance, counterpoint, affirmative tone and negative tone in verbal exchanges.
  • Can have a unique personality expressed in its laughter, its voice pitch, its patterns of speech, word usage, and so forth.

All speech synthesis and recognition is proposed to take place on the ground. All the meaning of the message will be compactly coded and transmitted by radio link from command station to the UAV. The DAVOS computers, when receiving and transmitting, will only have to deal with digital code that has direct meaning. The complex task of decoding meaning from the spoken word of the Air Traffic Controller and the creation of the spoken word of the DAVOS itself will not need to be airborne.

3. Morality (Superego);

The Morality module has encoded, into a ROM chip, the inviolate foundation principles of UAV life. The unchanging Morality module content forms the basis of the UAV’s autonomous decisions and thereby the basis of trust and certification. It must be physically unbolted and replaced, so to speak, to change from civilian service to military service for instance. It deals with issues of Self preservation in the event of forced landing for instance,

  • Preserving the life of passengers, another UAV or manned aircraft, those on the ground, etc.,
  • Self sacrifice to save other life and property,
  • Civilian morality that avoids deliberate destruction,
  • Terrorists using counterfeit credentials,
  • Infringement on the UAV’s rights,
  • Cooperative flocking and swarming maneuvers.

4. Modes

The Modes module handles checklists and any special instructions for the following modes:

  • Start-up; all the things that a human pilot would do to get the UAV going,
  • Movement on the ground; keeping position in the queue,
  • Tower communications, etc.,
  • Take-off; rules, runway calculations, using GPS and vision to stay on the pavement, etc,
  • Cruse; course, heading, separation maintenance, Enroute
  • Landing;
  • Parking;
  • Shut-down;

5. Maneuver

The Maneuver module handles aerodynamic rules for at least the following maneuvers:

  • Climb,
  • Descend,
  • Terrain avoidance,
  • Mid-air refuel connect,
  • Collision avoidance,
  • Stance recovery,
  • Slip for crosswind landing,
  • Weather & wind contention,

6. Mission:

The RAM part of the Mission module will contain all the variable mission related data that the DAVOS needs to execute that mission. The mission package, located remotely from the DAVOS, will probably contain its own intelligence and communication capabilities making it unnecessary for the DAVOS to handle the load of most mission packages. The unchanging aspects of various missions is proposed to be encoded in the Mission module ROM. Sample RAM storable information items are:

  • Current flight path plan,
  • Aircraft attitude envelope for this mission,
  • Cargo type & amount,
  • Mission related weather envelope,
  • Projected time points for important steps in the mission,
  • Mission execution parameters.

Each module is restricted in the criteria that it is allowed to query and decision areas that it is allowed to command. Each of the modules makes its contribution and has its influence as the DAVOS traverses the different phases of the mission, copes with the different environments it encounters and deals with hostile conditions. These well-defined limits, and each unit’s self- contained construction, allow each module to be easily tested, and safely certified, alone. 

Economy

Certifying new aircraft or aircraft retrofitted with the DAVOS design is more economical because all of the parts of the concept and much of the functionality are common from one autonomous UAV to another. As the mission of any DAVOS equipped UAV changes, one or more modules can easily be changed in the field by hand to align the DAVOS lines of thought with the new conditions. Since all modules are certified as a module and in the system as a whole, changing any module will not impact certification. If a new model UAV is designed to be somewhat longer than the current model but otherwise the same, new ROM chips will be made and certified for that model UAV to accommodate the new length. There would be no need to incur the expense of changing or recertifing any of the other modules.

Safety

Safety in the DAVOS is obtained from many designed-in features. The Morality module has basic principles of DAVOS thinking and action hard coded into RAM. Many apply under every circumstance never to be violated. For instance, human life and safety would receive the highest priority. If the situation came down to a choice of either damage to human life or damage to or destruction of the UAV, the DAVOS would be aware, unalterably, that self- destruction was required. Under all other circumstances, self-destruction would be strictly prohibited.
Also, if a particular UAV would be damaged or disabled by inverted flight, that flight mode, no matter how it might work into a clever solution for a problem would be prohibited. The DAVOS would do everything in its power to fly safely by preventing inverted flight. However, if the UAV was caught in a thunderstorm and found itself inverted, the DAVOS would right the UAV, check for damage or malfunction, and report that the prohibition had been violated. Some morality entries, such as self-destruction mentioned above, are conditional. The UAV commander might ask for an ordinary course change, which, under normal circumstances, would be given very high priority. The DAVOS would then evaluate the new course. If it endangered human life or safety, it would decline the course change and state why. No amount of argument that the humans were bad or of no value would sway the DAVOS to violate that moral tenet.

Increased safety is engineered into the hardware. For instance, module connectors will have some unique feature to prohibit inserting duplicate modules. The DAVOS could be installed redundantly to increase damage tolerance.

Security

For the reasons listed above in “Safety”, the DAVOS would also be secure and trustworthy. The DAVOS is also inherently secure because of the unalterable, sealed, solid- state nature of the ROM. The outside of each module would have a certification stamp or mark with perhaps a fingerprint of the certifier. In any case, just as counterfeit ID cards can be made, a counterfeit module could be made that had breaches of security built in. A way would needed to verify any given module’s authenticity. In the same way that the module’s inner workings are to be visualized in the proposed DAVOS simulator/visualizer/commander’s workstation, the deployed workstation could visualize the difference between a known authentic module and the suspect module. Because of the factory hard coded ROM chips, if there is any difference, the unknown module is either damaged, tampered with or counterfeit. It cannot be good but different.

The Wisdom Index

A multidimensional matrix of all possible ordinate and subordinate module decisions will then be constructed to test and certify the DAVOS as a whole. Since the matrix will be large, complex and contain degrees of right and wrong, a new generation simulator/test-station will be necessary. This simulator will take the DAVOS on virtual flights and assess the mental acuity, decision agility and moral maturity of each module and the DAVOS as a whole. The resulting array of scores may well be called the DAVOS Wisdom Index (WI). The WI will address and quantify complex questions of morality, strategy, efficiency, efficacy, NAS rules and procedures, piloting decisions, in general, all the behavior of the human pilot that it replaces. At the outset, these are understood to be questions that have no easy answer. These questions include: Is it wise to kill a human? Also, is it wise to kill oneself or a fellow AUS? The answers to these and a multitude of other questions must come from the AUS itself and will require a depth of thinking and moral discovery that, for a machine, will cover unfamiliar ground. New ground will also be covered by the intricate web of information displayed on the simulator to communicate the thoughts of the AUS to the researchers. New ways to display these thoughts will need to be conceived and refined.

8. Secondary Objectives

4. RELATED WORK

The individuals who will perform the Phase I study bring a wealth of experience in the area of aircraft security and safety and UAV technology. DAVOS, Inc. is confident that the strong team we assembled to work this research project has the technical capabilities to bring transparency and confidence to the autonomous UAV scene, and produce a viable and cost-effective product.

9. Infrastructure Protection Related Activities

An employee of DAVOS, Inc., is a world-renowned expert in Aviation Security Technologies and will be a valuable consultant for the program. He will assist the principal investigator to make this a highly successful program.

10. Project Management

An employee of DAVOS, Inc., will focus primarily on the project management, scheduling, cost control, operational feasibility, implementation and reporting of the proposed program. He has over thirty years of experience in system engineering and will also assist in reconfiguring existing systems to make them transportable.

5. COMMERCIALIZATION STRATEGY

DAVOS, Inc. sees a great deal of potential in the DAVOS concept. NASA, UNITE (a consortium of UAV related industries) FAA and the DOD are all looking forward to an exponentially increasing number of autonomous UAVs soon to be flying in the National Airspace System. Each of these will need an operating system and each of these will need to be safe, secure and certified. A standard OS among all or most autonomous UAVs would save a great deal of money to certify and security and safety would be enhanced. The DAVOS system could contribute a great deal to all these areas.

Our research approach will include coordination efforts with manufacturers of UAVs, government organizations and trade associations. Our research coordination effort will begin with NASA, FAA, Air Traffic Control (ATC) organizations, UAV pilots (commanders) and other potential users. Some regulations and legislation are currently in place and more will have to be developed to ensure that the safety and security of the public are protected.

Specific costs and sales projection data will be developed during Phase I in order to develop the required commercialization strategy and company commercialization report for Phase II.

6. KEY PERSONNEL

John Kirkwood is the Principal Investigator (PI) of this proposed effort.

John M. Kirkwood, CHFP

Experience:

During Mr. Kirkwood’s tenure as a Human Factors Engineer and User Interface Designer, he has striven to provide to the user an environment that will promote an easy and intuitive understanding of a system’s capability, status, position and other factors to further the mission goals with safety and facility. At the same time the user must feel a sense of mastery of control in conveying instructions to the system and receiving feedback from the system. Feedback is also important to the system designer in the form of data and opinion from potential and actual users throughout the lifecycle of the project. This feedback information is often important to management and therefore needs to be reduced and presented in its friendliest form. Mr. Kirkwood researched the technology of both the natural human system and the natural and synthetic systems between which the User-System Interface exists. He has an understanding of system design concepts from all disciplines so as to be able to propose human factors solutions that are realizable. He also has a professional familiarity with the research tools, techniques, and resources of the trade that enable discovery and disclosure of the capabilities and limitations of both man and machine.

Related life experiences have added to the above; piloting general aviation aircraft, inventing and designing/engineering ultra large aircraft, construction of homebuilt aircraft, and other flight related pursuits such as air travel safety, handheld GPS UI design, and pilotless aircraft design and construction.

Education and Training:
MA: Industrial Design & Human Factors Engineering, University of Idaho, 1976
BFA: Art, Communications & Mechanical Engineering, University of Idaho, 1972
Human Factors Engineering, University of Michigan, 1983

Work Experience.
Hi-Tec Systems, http://www.hitecsystems.com/home.htm, Human Factors Engineer II. Feb 02 to Present
The American Law Institute and ALI-ABA, http://www.ali-aba.org Administrator, Author, Human Factors Engineering (HFE) Designer. Jan 99 to Feb 02
CSC, Senior Human Factors Engineer and Industrial Designer, on contract to HRED (US Army)
A O-K Consulting Services, Senior Human Factors Engineer, Industrial Designer. July 91 to May 94.
CTA Inc. Industrial Designer and Human Factors Engineer. Sep 90 to July 91. RCA/General Electric (GE), Senior Human Factors Engineer, Industrial Designer & Operability Lab Supervisor, June 82 to July 90.

Professional Affiliations, Awards, and Honors
Certification: Certified Human Factors Professional, Dec. 1993,
Board of Certification in Professional Ergonomics (BCPE) (Certificate # 184). Professional Memberships in the following:
Human Factors Society (1975-present),
Registered Apple Macintosh developer (90-92),
Patent: Electrocrystalochromic solid state video display technology 1991, #4982184
Security Clearance: Secret: 1982-1990, 1994 to 1998, 2005 DISCO

Publications Synopsis: (Full list available on request)
Coauthor, white paper “Secure Air Traveler Profile Acquisition System (SATPAS)” Hi-Tec Systems, September 2002
Law Publication Markup Language (LPML) DTD, http://www.LegalXML.org, January 2002,
Document Exchange Team, A Proposal, The American law Institute and ALI- ABA, 1999
UAV-CR, Prototype Man-Machine Interface Concept Study, HEL: AMSRL-HR- SE, 1993
Cruiser, Guided Missile 65 (CG65) Combat Information Center Mockup Lighting Survey Report, Government Electronic Systems Division, March 1990

7. FACILITIES AND EQUIPMENT

The full staff, facilities and financial resources of DAVOS, Inc. of New Jersey, will support the work on the Phase I program.

8. SUBCONTRACTORS/CONSULTANTS

We plan to utilize the services of a computer programmer with specific experience in designing and coding autonomous systems. He or she will focus on ensuring the technical feasibility and cost-effectiveness of the DAVOS.

9. PRIOR, CURRENT, OR PENDING SUPPORT

DAVOS, Inc. is not submitting identical proposals or proposals containing a significant amount of essentially equivalent work to other federal program solicitations.