Formally Verified Next-Generation Airborne Collision Avoidance Games in ACAS X

The design of aircraft collision avoidance algorithms is a subtle but important challenge that calls for provable safety guarantees. Obtaining such guarantees is nontrivial given the unpredictability of the interplay between the intruder aircraft's decisions, the ownship pilot's reactions, and the subtlety of the continuous motion dynamics of aircraft. Existing collision avoidance systems, such as TCAS and the Next-Generation Airborne Collision Avoidance System ACAS X, have been analyzed under severe restrictions on the intruder's flight maneuvers, which limits their safety guarantees in real-world scenarios where the intruder may also be changing its course. This work takes a conceptually significant and practically relevant departure from existing ACAS X models by generalizing them to hybrid games with first-class representations of the ownship and intruder decisions, which come from two independent players. By proving the existence of winning strategies for the resulting Adversarial ACAS X in differential game logic, collision-freedom is established for rich encounters of ownship and intruder aircraft with independent decisions along differential equations for flight paths with evolving vertical and horizontal velocities. We present three classes of models of increasing complexity: single-advisory infinite-time models, bounded-time models, and infinite-time multi-advisory models. Within each class of models, we identify symbolic conditions and prove that, whenever they hold, there is always a possible ownship maneuver that will prevent a collision between the two aircraft.
