You are on page 1of 16

AIAA Guidance, Navigation and Control Conference and Exhibit AIAA 2007-6611

20 - 23 August 2007, Hilton Head, South Carolina

Sense and Avoid System for a MALE UAV

uck
Eva Cr
Delegation Generale pour lArmement, 75509 Paris Cedex 15, France.

John Lygeros
ETH Zurich, CH-8092, Switzerland

In this paper, we focus on the design requirements of a Sense and Avoid function for
a Medium Altitude Long Endurance Unmanned Aerial Vehicle. We define nested zones
around the UAV corresponding with safety levels ranging from possible loss of separation to
certain separation without any action. These regions can be used not only to specify perfor-
mances of the sensing capacity, but also to design the appropriate behaviors of the guidance
system. For each region, we state the guidance problems associated with the objectives
of avoiding collision, ensuring separation and carrying out the mission. We formulate a
conflict situation between the UAV and intruding traffic as a generalized pursuit-evasion
game. One player is the UAV guidance system; its goal is always to ensure separation while,
in certain cases, optimizing a cost associated with the maneuvers. The second player is the
uncertainty on the relative trajectories.

Nomenclature
UAV Unmanned Aerial Vehicle
GCS Ground Control Station
FCS Flight Control System
ACAS Airborne Collision Avoidance System
ATM Air Traffic Management
ATC Air Traffic Control
IFR Instrument Flight Rules
VFR Visual Flight Rules
Seph Minimum radius of the protected volume around the UAV
Sepv Half height of the protected volume around the UAV
IDI Impulse Differential Inclusion

I. Introduction
In the past few years, unmanned Aerial Vehicles (UAV) have been recognized as valuable military assets.
They have been widely used in recent operations and most countries have development and/or acquisition
programs. The range of sizes and masses of UAV is very large and they lead to different operational
requirements and technical challenges. Here, we are only interested in the larger UAV which have to share
airspace with manned aircraft. Their primarily field of application is ISTAR (Intelligence, Surveillance,
Target Acquisition and Reconnaissance). In the coming years, it is expected that they will also become assets
in national defense applications such as monitoring of environment and security. A market for commercial
applications is also envisonned2 when UAV provide a viable alternative to manned aircraft or satellites.
While UAV operation in war theater is almost routine, peacetime operation raises safety concerns which
are currently addressed on a case by case basis. There are several issues which need to be solved before UAV
Research engineer, Navigation & Guidance Department, eva.cruck@dga.defense.gouv.fr, cruck@control.ee.ethz.ch, AIAA

Member.
Professor, Automatic Control Laboratory, lygeros@control.ee.ethz.ch.

1 of 16

American
Copyright 2007 by the American Institute of Aeronautics and Institute
Astronautics, Inc. All of Aeronautics
rights reserved. and Astronautics
can be allowed to fly routinely within civil airspace. They include, for instance, airworthiness certification,
crew licensing, and operational procedures. Indeed, the use of airspace is highly structured, and the current
structure has been inherited from a century of manned aviation. Evolution is necessary in order to accom-
modate unmanned aircraft without reducing the overall level of safety. For an overview of the problem and
of initiatives to address it, the reader is referred to the documentation of the USICO project.2 Among the
issues raised by all working groups dealing with UAV integration in general air traffic,2, 3, 20 a main point is
to make sure that the absence of a qualified pilot onboard the aircraft does not increase the probability of
collisions with other airspace users, or with people and properties on the ground. This aspect is commonly
referred to as the Sense and Avoid capacity (S&A), which has to replace the human pilot See and Avoid
capacity. The design of a Sense and Avoid system likely to be certified as safe as a human pilot onboard
is therefore key technological enabler for UAV operation outside segregated airspace. The word system has
to be understood in a broad sense since it may involve components aboard the UAV, components in the
Ground Control Station (GCS) and human operators on the ground.
There are several candidate technical solutions,2, 11 both cooperative and non-cooperative. In the coop-
erative setting, a general misconception is the idea that a system satisfying the Airborne Collision Avoidance
System (ACAS) standard in current or posterior version is the ultimate solution. One reason why this is
not true is that the cost and weight of a ACAS system make it difficult to impose for general aviation.
Another deeper reason is the fact that ACAS is a last ditch collision avoidance system. The see and avoid
principle includes, but is not reduced to collision avoidance. It also refers to the notion of separation. Loosely
speaking, separation is a means to avoid collision by ensuring a minimal distance between the aircraft. For
instance, in enroute space, when air traffic controllers are in charge of providing separation assurance, they
have to maintain a horizontal distance between aircraft greater than 3 Nm, 5 Nm, or 8 Nm depending on the
equipment available for getting aircraft data. The ACAS system has been designed to avoid collision in case
of failure of this separation procedure. When air traffic controller do not provide separation service, there is
no official separation norm, but a notion of passing well clear. It is unthinkable not to provide UAV which a
technological solution to maintain separation. Indeed, even with a perfect collision avoidance system, people
onboard aircraft would not accept the idea of having UAV maintaining a collision course with them up to the
last minute. Moreover, the certification of a S&A system will be easier if it is designed to ensure separation.
Then the probability of triggering the collision avoidance component is reduced, which reduces the overall
probability of collision.
A Sense and Avoid function can obviously be decomposed into a Sense function, in charge of detecting
potentially conflicting aircraft and an Avoid function, in charge of changing the UAV trajectory in order
to maintain separation or to avoid collision. Both functions can be considered in a cooperative or a non-
cooperative environment. For the Sense aspect, a pure cooperative solution cannot be envisioned for short
term application since it requires all aircraft to be equipped up to new standards. We can therefore expect a
combination of cooperative detection for equipped aircraft with non-cooperative detection for other aircraft.
For a survey of candidate solutions, the reader is referred to the documentation of the USICO project.2 For
the Avoid aspect, it is generally agreed that the operator will be in charge of commanding the maneuver, or at
least to validate a maneuver advisory computed by the system. However, autonomous avoidance capability
may be necessary in case of loss of datalink3 or in case of very late detection. It has been proposed to use
techniques from collision avoidance in robotics. Results from robotics5, 21 or from air traffic management
automation research15 would indeed provide good starting points, but they have to be adapted to the S&A
context.
The overall performance of the S&A system depends on the integration of the Sense and the Avoid
aspects. Precise specifications of the requirements which have to be met by the system have not been agreed
upon yet. The objective of reaching an Equivalent Level Of Safety (ELOS) to the level achieved by manned
aviation is qualitative. The quantification of average human perception when piloting an aircraft can be
used14 as a base. However, it may be restrictive to try to mimic human behavior while technological solution
may perform better.
In this paper, we are interested in developing a framework for deriving the specification of a S&A function
and designing the Avoid function. We use a Medium Altitude Long Endurance (MALE) UAV as a target
application. Our approach can be used for any UAV, but MALE are the more demanding with respect
to general air traffic integration. Because of their service ceiling and their range, they are the class for
which segregation from other traffic in time or in space is the most difficult to achieve. The operational
requirements for MALE UAV are discussed in Section II.

2 of 16

American Institute of Aeronautics and Astronautics


We do not consider here the problem of detecting and classifying the intruding traffic. Our aim is to
develop a framework for determining the performance that can be associated with a given set of sensing
capabilities, or the sensing capabilities required for a given set of system performances. For this purpose,
we characterize nested zones around the UAV which correspond with safety levels ranging from possible
loss of separation to certain separation without any action. These regions can be used not only to specify
performances of the sensing capacity, but also to design the appropriate behaviors of the guidance system.
For each region, we state the guidance problem associated with the objective of carrying out the mission
while ensuring separation or avoiding collision.
We formulate a conflict situation between the UAV and intruding traffic as a generalized pursuit-evasion
game.9 One player is the UAV guidance system; its goal is always to ensure separation while, in certain
cases, optimizing a cost associated with the maneuvers. The second player is the uncertainty on trajectories
of the aircraft. This means that we do not consider the case of a purposeful colliding maneuver (kamikaze
action, missile attack). We are only interested in maintaining separation with other airspace users which
may not be aware of the UAV presence. Our setting remains valid in a cooperative environment, with
reduced uncertainty margin on other traffic intended trajectories. The advantage of our approach is that
safety is guaranteed by design, and robustness is a byproduct of the methodology. This reduces the need
of extensive simulations for validation. Proving the safety case in nominal operation mode of the S&A
system will amount to proving that our design hypotheses are correct. Then the simulation effort can be
devoted to fault analysis. Moreover, during the development phase, several hypothesis can be tested at low
computational cost in order to trade-off the performance allocation over the system constituants.
The paper is organized as follows. The high level requirements for a S&A system used in a MALE UAV
are analyzed in Section II. We present a perspective on the S&A problem from a dynamical system point
of view in Section III and we present our assumptions on the dynamics of the UAV and of the conflicting
traffic. The mathematical formulation and the theoretical analysis are performed in Section IV and some
early numerical results are presented. In Section V, we complete our analysis with the outline of a guidance
system which integrates the S&A function.

II. High level requirements


The aim of this section is to provide some background for the setting of the S&A problem. It is based on
current situation and short term extrapolation, which means that the rules which apply to manned aviation
are considered as unvariable. For longer term extrapolation scenarii, the reader is referred to the USICO2
study and references therein.

A. A case study
A recent incident (April 25, 2006)1 involving a Predator B registered to the U.S. Customs and Border
Protection agency illustrates the difficulties of not having a human pilot onboard: A failure of the GCS
required to switch to the back-up station which was used nominally to control the UAV payload and receive
sensor data in relation with the UAV mission. The fuel control on the back-up position was set on cut-off
position because of the previous use of the station. This led to loss of altitude which was not expected by the
pilot in command of the flight.The pilot stated that after the switch to the other console, he noticed the UAV
was not maintaining altitude but did not know why. As a result he decided to shut down the GCS so that the
UAV would enter its lost link procedure, which called for the UAV to climb to 15,000 feet above mean sea
level and to fly a predetermined course until contact could be established. With no engine power, the UAV
continued to descend below line-of-site communications and further attempts to re-establish contact with the
UAV were not successful.1
In this case, the technical incident involved only the GCS, a back-up solution was available and the
operator was qualified. But a slight error in applying the back-up procedure led to the loss of the UAV
which crashed few hundred meters from an habitation. A lesson that can be learned from this incident
is that the situation awareness of a pilot in command from a GCS is quite different from the situation
awareness of a pilot aboard the aircraft. In this incident, as soon as the transfer of control to the secondary
console was effective, the UAV flight was no longer under full control of the GCS. Unaware of the loss of
power, the operator might have been unable to avoid another airspace user or to target a proper crash area.
This advocates for more autonomy of the UAV. A S&A system, which is also in charge of avoiding collision

3 of 16

American Institute of Aeronautics and Astronautics


with the ground, would have reported early that given its mode of operation (cut-off power), collision was
unavoidable.
Another important element from this incident is the procedure in case of loss of datalink. The autonomous
flight pattern programmed for the UAV would have been unexpected from another airspace user. In case
of loss of the control datalink, a military operational UAV priority is to re-establish the link, while safety
should be the overall priority for all civil applications. This illustrates the fact that current military UAV
systems cannot readily be used in civil airspace. The structure of airspace and the right-of-way as prescribed
by ICAO (Rules of the Air, Annex 2) have to be taken into account in the design of the control system in
which the S&A function has to be integrated.

B. Operational requirements
Mission requirements The service altitude of a MALE UAV is between 13,000 ft and 36,000 ft, while
airliners fly usually between 19,500 ft and 45,000 ft. Therefore, it can be expected that missions of a MALE
UAV in civil airspace cross commercial routes. The flight profile of a typical MALE UAV mission can be
described as2
A climbing phase to reach service ceiling or mission altitude which begins with an acceleration to the
climb speed and a climb at constant calibrated airspeed;
An enroute phase to mission area made of waypoints, and which can include flight level changes;
A loitering phase for the duration of the mission during which the flight is devoted to the utilization
of the payload;
A enroute phase to recuperation area which is similar to the pre-mission enroute phase;
A descent phase toward landing which begins with idle throttle, down to interception with approach
control.
The only phase which is specific to a UAV flight is the loitering phase; it can last several hours (or even
days). Each phase can be associated with a set of parameters describing the normal behavior and the possible
maneuvers. For instance, at the end of the flight, the UAV is lighter and fuel consumption may be more of
an issue; during the loitering phase, the payload may add constraints on the available set of maneuvers.

Remark 1 The S&A function has to be ensured during the whole mission of the UAV. It should also be
ensured for taxiing, take-off and landing phases; we do not consider these phases here. A similar approach
can be used with specific dynamical models.

Flight rules and classes of airspace Conflict avoidance in manned aviation relies on 3 levels of
management: strategic, tactical and emergency. The strategic layer is concerned with flight planning and
with the structure of the airspace. The tactical layer is concerned with providing separation between aircraft,
which is basically defining protected volumes around aircraft and ensuring that the protected volumes of two
aircraft do not overlap. The emergency level is collision avoidance in case of failure of separation provision.
Among the strategic elements of manned aviation organisation is the notion of flight rules which defines
how the flight must be prepared, the type of equipment required onboard, the qualification of the pilot and
interface with air navigation service providers. The main existing rules are Visual Flight Rules (VFR) and
Instrument Flight Rules (IFR). Flying under VFR is allowed only under Visual Meteorological Conditions
(VMC). It requires to stay well clear of clouds. Therefore, a UAV would be allowed to fly under VFR only if
its sensors enable the operator to evaluate meteorological conditions and distance to clouds. Given its range
and endurance, it is unlikely that a MALE UAV flies under VFR. We do not consider this aspect here. In the
sequel, we assume that the UAV flies IFR, which means in particular that we do not consider that staying
well clear of clouds is an objective of the S&A system under consideration. Flying under IFR requires that
a flight plan is transmitted to the authorities in charge of Air Traffic Management (ATM).
Airspace is divided into classes which define flight rules allowed and ATM services provided to airspace
users. Airspace can be controlled or uncontrolled. In controlled airspace, Air Traffic Control (ATC) provides
separation for all IFR flights and possibly with VFR flight if radar capabilities are sufficient. In uncontrolled
airspaces, separation provision is pilot responsibility. Whatever the airspace class and the flight rule, collision

4 of 16

American Institute of Aeronautics and Astronautics


avoidance is always pilot ultimate responsibility. He/She can be assisted by ATC or by an automated safety
net such as ACAS.
A minimal requirement for the UAV to be allowed in a given area is that it is equipped up to the required
level in this area. The beginning of climb and the end of descent can go through any class of airspace.
Therefore, it is possible that separation be not provided by ATC. Encounters with traffic flying under VFR
must therefore be expected. The S&A function is crucial in those segments of the flight except if segregation
can be ensured, for instance with dedicated climbing and descending routes.
The end of climb and the beginning of descent as well as the enroute and loitering phases can be assumed
to be nominally in IFR-only airspace. Then separation is nominally provided by ATC. In this case, it can
be assumed that the S&A function is a last ditch protection akin to TCAS. It must therefore satisfy ACAS
specifications.
Remark 2 Higher altitude (HALE) UAV fly their mission well above all other traffic; they are unlikely
to fly uncontrolled airspaces or to encounter VFR traffic. Therefore, a S&A system certified for MALE
applications should easily be certified for HALE applications.
Smaller tactical UAV have a range of action which can be confined to special areas on a case by case
basis; the S&A requirement is not stringent for short term applications. Moreover, size and mass of the
S&A component onboard are more of an issue and the sensing capacity requirement may be slightly different
(gliders, balloons, . . . ).
Interaction with ATC Military UAV are state aircraft. They can therefore fly as Operation Air Traffic
(OAT) for which rules and procedures are determined by national authorities. For civilian applications,
they will probably be considered as general aviation. It is generally agreed that the presence of a UAV in
the sector of responsibility of an air traffic controller should not increase significantly his/her workload. It
should be as transparent as possible, but the fact that there is no pilot onboard should be mentioned to the
controller.3 Indeed, specific emergency procedure will have to be applied for instance in case of loss of the
datalink between the UAV and its operator.
Since the UAV flies IFR, its flight plan is available to the air traffic controller. However, the part of the
flight plan relative to the loitering phase may be unreliable if the actual trajectory is sensor-driven as in the
case of a target tracking mission. OAT procedures cover this situation on a case by case basis; this issue will
have to be addressed for routine civil UAV access to airspace.
Remark 3 MALE UAV fly rather slowly as compared with airliners. Therefore, especially during the loiter-
ing phase, they may interfere with other traffic in a way that is unusual from ATC point of view. The study
of the increase of air traffic controller workload due to the presence of a MALE UAV is out of the scope of
this paper. In Section V, we outline an approach to delegate part of the separation provision function to the
S&A system with minimal impact on ATC procedure.
Interaction with other airspace users There is no reason why airspace users should apply different
rules of behavior towards UAV than they do towards other traffic of the same category. Therefore, the S&A
system should produce a behavior in accordance with the right-of-way rules and usual practice.

C. Automation issues
The S&A capability involves several decision processes. How many of them will be automated is an open
question. It can be expected that decisions which lead to modifications of the trajectory are taken by the
ground operator except in the case of loss of command datalink or if imminence of collision is not compatible
with transmission delays.3 This raises the issue of the awareness of the situation surrounding the UAV which
has to be provided to the ground operator. We do not address this aspect here, but the framework that we
propose can provide tools for enhancing the situation awareness in the GCS. In the sequel, guidance system
refers to the trajectory assignment process whether it is automated or not.

D. Certification issues
The certification process of a candidate S&A system has yet to be agreed upon by airspace stakeholders. It
can be expected that they built upon the process which has led to the acceptance of the ACAS standard.23
It requires some flight test campaigns and millions of simulations. One of the purposes of the present paper
is to reduce this number of simulations by providing powerful analysis tools.

5 of 16

American Institute of Aeronautics and Astronautics


III. A dynamical system perspective for S&A analysis
From the previous section, a S&A system for a MALE UAV in the near future has to function both in
cooperative and non-cooperative environments. It has to provide both separation assurance and collision
avoidance. The resulting trajectory has to abide by the right-of-way rules and to respect ATC clearances.
This section is devoted to the formulation of these high level requirements into dynamical system control
problems.

A. General principle
The usual definition of a safe separation (if not provided by ATC) is of the order of 0.5 nautical miles in the
horizontal plane, and 500ft in the vertical dimension.3 Collision avoidance is generally associated with a miss
distance of 500 ft horizontally and 100 ft vertically. Here, we define the Avoid problem as keeping all traffic
out of a cylinder of radius Seph and height Sepv centered on the UAV. The same analysis can be used for
collision avoidance and for separation provision. We consider the case of potentially non-cooperative traffic,
meaning that the incoming traffic may not be aware of the UAV presence. The guidance of the UAV is the
only available control. It can be determined autonomously by the S&A system or decided by the ground
operator.
Our approach is based on the characterization of regions of a state space describing the traffic situation
which can be associated with different level of safety. The boundaries of these regions depend only on the
dynamics of the UAV and of the incoming traffic. A precise definition of the safety zones is provided in
Section IV as well as an approach to compute them without extensive simulations. Informally, they can be
described as follows:

We define Z0 as the set of positions such that, the distance between the UAV and at least one intruder
is smaller than Seph in horizontal and Sepv in vertical, or if the distance to the ground is below Sepv
This does not mean that a collision (or a loss of separation) will occur, but the guidance system has
to try to augment the distance to the intruder or to the ground.
We define Z1 as the set of positions from which it is not possible to guarantee that the detected traffic
will remain out of Z0 . Z1 is a superset of Z0 due to uncertainty and to the fact that only the UAV
dynamics is controlled. The aim of the guidance system must be to prevent the traffic from entering
Z0 and to drive it out of Z1 as fast as possible.
We define Z2 (T ) as the set of positions from which there is a risk of traffic entering Z1 during the time
horizon [0, T ] if no maneuver is undertaken. The value of T is a parameter of the system. Whenever
traffic enters Z2 (T ), it becomes a potential threat but it is still possible to take a maneuver which
guarantees separation or prevents collision. It is necessary to be ready to initiate a maneuver before
entering Z1 .
Finally, we define Z3 (T ) as the set of positions from which it is guaranteed that the intruder will
remain outside of Z1 without maneuvering. By definition, Z3 (T ) is the complement of Z2 (T ). Without
any deviation from the flight plan, the minimum separation is ensured for all possible trajectories. By
definition, traffic in Z3 (T ) should never enter Z1 .

With this approach, the S&A detection system can associate with the traffic situation the corresponding
zone, meaning that if all the traffic is in Z3 (T ), the UAV can follow its flight plan, but if a traffic enters
in Z2 (T ), maneuver must be undertaken to ensure separation. The earlier the detection, the smoother the
maneuver. This approach can be refined by using multiple values of T or different set of available maneuvers
depending on the distance to the traffic.
In the sequel, we assume that the S&A detection system can identify some parameters of the traffic
dynamics in order to compute possible future trajectories. The next subsections describe the models used
for predicting the trajectories of the UAV and of the traffic. Depending whether we are dealing with
separation provision of with collision avoidance, the available computational time is different. Therefore, the
complexity of the models that can be used is different.

6 of 16

American Institute of Aeronautics and Astronautics


B. UAV model
We begin with the general philosophy of the model that can be used for the separation assurance problem. A
graphical representation can be seen on figure 1. Our model is derived from research in air traffic control;18

Figure 1. UAV model

it is formulated in the framework of hybrid systems which is well suited to describe aircraft trajectories. It
associates a high level description of the flight phases with flight dynamics equations. We have chosen this
model because it generates realistic trajectories with moderate and adjustable complexity. Moreover, it is
compatible with the description of EUROCONTROL Base of Aircraft DAta (BADA),12 hence providing a
level of generality. A type of aircraft is easily determined as a finite set of parameters. This could be useful
if the S&A system is to be adapted for manned aircraft.

Flight model We use a point mass model which reflects dynamical coupling effects between horizontal
and vertical dynamics as well as time lag between commands and effect. The state variables are:
the horizontal position (x, y),
the altitude h,
the True Air Speed (TAS) V ,
the heading angle .
A MALE UAV is not designed for high aerodynamic performance. Therefore, we assume that it is
operated around trimmed flight conditions, and we consider that the angle of attack and the sideslip angle
are small. Then the lift and drag forces can be approximated as

CL S(h) 2 CD S(h) 2
L= V and D= V ,
2 2
in which S is the surface area of the wings, (h) is the air density (as a function of altitude), and CL and CD
are lift and drag coefficients. This assumption can be challenged in emergency avoidance maneuvers, but it
is reasonable for separation provision.
The detection of a risk of loss of separation in the context of a S&A function requires rather short term
trajectory prediction (a few minutes at most). In order to simplify the model, we can assume that mass is

7 of 16

American Institute of Aeronautics and Astronautics


constant as well as air density. Therefore, the dynamics can be written as
0
x V cos(u3 ) cos() w1

y


V cos(u3 ) sin()
w2

h = V sin(u3 ) + w3


C2m
D S
1

V V 2 g sin(u3 ) + m u1
0
CL S
2m V sin(u2 ) 0

in which w = (w1 , w2 , w3 ) stands for uncertainty due for instance to wind. The controls are the thrust u1 , the
bank angle u2 , and the flight path angle u3 . They are computed by the guidance system in order to follow
the flight plan and to optimize the flight efficiency. Using these inputs instead of control surface positions is
another simplification which can be removed for fine tuning of the system.
We represent the Flight Control System (FCS) as a finite state machine with discrete states associated
with flight phases. We also use a discrete representation of the flight plan as a succession of waypoints
and predetermined maneuvers. Each combination of the discrete states is associated with a deterministic
feedback law for the controls u1 , u2 and u3 . Currently, we use a generic FCS model.18 A specific FCS for a
MALE UAV is under development.

Remark 4 Using the flight plan in the UAV model is useful for separation provision. Indeed, a turn scheduled
in the flight plan may be sufficient to ensure separation while extrapolating a straight trajectory leads to a
conflict.

Resolution maneuvers In this paper, we are mainly interested in dimensioning the S&A requirements.
Therefore, we consider only a discrete set of controls denoted by U . Each control is a pre-determined
maneuver such as turning right or left with given sideslip angle, or climbing or diving with maximal rates, or
a combination of horizontal and vertical maneuvers. Each maneuver can be associated with a discrete state
of the finite state machine that describes the FCS and possibly with some auxiliary continuous variables.

Some remarks on the UAV model There is obviously a trade-off between the representativeness of
the UAV model and the complexity of computation. When dealing with collision avoidance, it may seem
unnecessary to use a FCS model since it can be assumed that the parameters are constant on a short time
horizon. On the other hand, using a very good model of the FCS has a limited impact on the computational
complexity and provides some guarantees that the system behavior will not present singularities due to the
internal logic of the FCS.
The model presented here will have to be refined for realistic performance assessment. The hybrid
system framework enables an analysis methodology using successive refinement of the model.16, 17 Under
compatibility assumptions, results obtained with a simple FCS model and simple flight dynamic model can
be carried on to studies using detailed models.

C. Other traffic models


We use simple models for incoming traffic. Here again, there is a trade-off between the complexity of the
models of intruders and the conservativeness of the avoidance maneuvers. Sophisticated models for the
intruders also require the detection system to be able to identify the parameters of these models.
We use as an inspiration the See and Avoid function performed by human pilot. Human use very simple
models for extrapolating trajectories based on a priori knowledge strongly related to the nature of incoming
traffic. Basically, they use constant parameters assumed to hold as long as the observed trajectory remains
within acceptable bounds of the expected trajectory. This assumption is reasonable given the short time
horizon of the prediction necessary for this application. As a first set of models, we propose to use the
following:

Steady level flight !0 ! !


x
V cos() v1
= +
y
V sin() v2

8 of 16

American Institute of Aeronautics and Astronautics


Constant speed turn 0
x V cos() v1
y = V sin() + v2


V

R
v3

Climb or Descent 0
x Vx cos() v1
y = Vx sin() + v2

h Vh v3
In which v1 , v2 and v3 are bounded input that account for uncertainty on the measurement and for wind.
If the Sense function is given, then the error model can be adapted. Cooperative traffic is modelled with
reduced uncertainty.
Let us underline that the menace has to be identified, that is put in one of the classes with associated
parameters and estimated uncertainty. This is part of the situation awareness which will not be discussed
here. Class allocation can be dynamic if the estimation of parameters is refined by the detection process.

IV. Mathematical characterization of the safety zones


Our definition of safety zones relates the S&A problem to safety/reachability/viability verification prob-
lems in which a yes-or-no type question is asked about the trajectories of a dynamical system avoiding a
dangerous region of the state space, or reaching a given target, or satisfying constraints. This section is
devoted to the formal definition of the safety zones from this perspective.

A. Preliminaries
For sake of generality, our formulation is based on the mathematical abstraction of Impulse Differential
Inclusions4, 7 (IDI) which is suitable for describing a large class of hybrid systems and requires only mild
assumptions on the dynamics. It is associated with a set of theoretical and computational tools which are
introduced below.

The impulse differential inclusion formalism An IDI describe a dynamical system whose state can
evolve both through an ordinary differential system or through instantaneous jumps. In order to describe
the trajectories, we introduce the notion of hybrid time trajectory4 borrowed from hybrid systems literature.
Definition 1 A hybrid time set = {Ii }N
i=0 is a finite or infinite sequence of intervals of R such that

for all i < N , I = [i , i0 ];


0 0 0
if N < , then either IN = [N , N ) (with possibly N = +), or IN = [N , N ];
for all i, i i0 = i+1 .
An IDI describes trajectories of impulsive dynamical system with continuous state variable x using two
multi-valued functions F : Rn  Rn and R : Rn Dom(R)  Rn and an open set Dom(R) in the
following way:
Definition 2 (Runs and trajectories) A run of IDI (F, R, ) on a hybrid time set {Ii }N i=0 for initial
condition x0 , is defined by a sequence {xi ()}N n
i=0 of the set SF (R ) of absolutely continuous solutions to the
differential inclusion x F (x), such that
for all i < N ,
xi (i0 ) Dom(R)
xi+1 (i+1 ) R(xi (i0 ))

for all i such that i < i0 ,

x i (t) F (xi (t)) for almost all t Ii .


xi (t) / for all t Ii .

9 of 16

American Institute of Aeronautics and Astronautics


We call trajectory of impulse system (F, R, ) the function (when it exists) x : R Rn associated with a
run in the following way: (
x0 if t < 0
x(t) = (1)
xi (t) if t Ii
We denote by SF,R, (x0 ) the set of trajectories of IDI (F, R, ) starting at x0 . The stationary trajectory for
time smaller than 0 is an artifice to keep track of initial conditions when 00 = 0 .

Remark 5 An ordinary differential equation x = f (x, u) with f Lipschitz continuous with respect to x
and continuous
S with respect to u has the same set of solutions as the differential inclusion x F (x) with
F (x) := uU f (x, u) if U is compact convex.

In order to ensure existence of trajectories defined on [0, +[ for all initial conditions, we need the
following
Assumption 1
The set-valued map F is upper-semicontinuous with non-empty compact convex values and linear
growth.
The set set-valued map R is upper-semicontinuous with compact values and compact domain such that
x Dom(R), R(x) Dom(R) = .

Dom(R).

Remark 6 By Assumption 1, trajectories are well defined since multiple simultaneous jumps are not allowed.
Moreover, a jump is always possible when continuous trajectory is not possible, that is when entering .

Safety verification for IDI Let us consider an IDI with no forced jumps ( = ) denoted (F, R).
Given a set of constraints K Rn and a set C K. We want to know if it is possible to stay in K forever
or to reach C before leaving K.

Theorem 1 Under Assumption 1 we call viability kernel of K with target C, denoted Viab(F,R) (K, C), the
set of initial conditions x0 K such that there exists x() S(F,R) (x0 ) which stays in K as long as C has
not been reached, namely:
t inf{s : x(s) C, x(t) K}.
Then Viab(F,R) (K, C) is the largest element of the set of closed subsets D K such that for all x D

N PD (x), inf hy, i 0 or R(x) (D C) 6= , (2)


yF (x)

where N PD (x) denotes the set of proximal normal to D at x: N PD (x) := { : inf yD ||(x + ) y|| = ||||}.

The viability kernel is a useful tool for safety analysis. If the IDI is used to represent a control system,
then Viab(F,R) (K, C) is the set of initial positions such that the control can prevent the state from violating
the constraints represented by K as long as a set of desirable states C has not been reached. If the IDI is
used to represent an uncertain system (without control), then Viab(F,R) (K, C) is the set of initial positions
such that the disturbance can prevent the state from reaching the set of desirable states Rn \ K and can
eventually drive it to the dangerous set C.
Now, if the interior of Dom(R) has empty intersection with K, under technical assumptions on the
boundary of Dom(R), Viab(F,R) (K, C) is the set of initial conditions x0 K such that there exists x()
S(F,R) (x0 ) associated with a run {Ii , (xi ())}N
i=0 which stays in K as long as C as not been reached and such
that
i < N, xi (i0 ) = inf{t : xi (t) Dom(R)}.
This means that a safety problem with dynamics (F, R, ) can be analyzed using Viab(F,R) (K \ , C).

10 of 16

American Institute of Aeronautics and Astronautics


Pursuit-Evasion impulse differential game In order to analyze safety problems for systems with
both control and disturbance, we can use a worst case approach in a game against nature. The disturbance
is seen as the opponent of the control and plays to destroy safety. Results on games with hybrid or impulse
dynamics are still partial.9, 13 For the S&A problem we can consider a game with separated impulsive
dynamics given by (G, P ) for the first player, and (H, Q) for the second player.
When the dynamics of the players are separated, we can consider that the players play by selecting a
trajectory y() SG,P (y0 ) and z() SH,Q (z0 ) respectively. This choice has to be made without a priori
knowledge of the opponent actions. A suitable notion of strategies is the following:9
Definition 3 We call Varaiya-Roxin strategy (VR-strategy) at initial condition (y0 , z0 ) a map

B : S(G,P ) (y0 ) SH,Q (z0 )

such that for any > 0, and for any trajectories y() and y() of S(G,P ) (y0 ) which coincide on [t0 , t0 + ],
the trajectories z() = B(y()) and z() = B(
y ()) coincide on [t0 , t0 + ]. We denote by B(y0 , z0 ) the set of
control VR-strategies at (y0 , z0 ).
Let us mention that the use of this type of strategies is necessary for a correct mathematical statement of
the game. We consider the usual setting for robust control,13 in which the disturbance chooses an open-loop
trajectory, while the control chooses a VR-strategy.
Now in the safety problem, a closed subset K of the state space represents constraints for the second
player (the control). The first player (the disturbance) tries to drive the state (y, z) out of K while preventing
it to reach a closed subset C K representing a safe set. The second player (the control) has the opposite
goal to keep the state in K as long as it has not reached the safety of set C. Theorem 1 can be generalized for
this case9 and leads to the notion of discriminating kernel. The geometrical conditions which generalize (2)
are omitted for sake of space.
Definition 4 We denote by Disc(K, C) the discriminating kernel of K for the second player with target
C. It is the set of initial conditions (y0 , z0 ) K such that there exists a VR-strategy B such that for any
y() SG,P (y0 ), (y(), B(y())) stays in K as long as C has not been reached.

B. Reformulation of the S&A dynamics


The UAV dynamics is described by the interaction of a continuous-time system which describes the flight
dynamics, and a finite state machine which closes the loop by determining the thrust, the bank angle, and
the flight path angle. If no resolution maneuver is necessary, a given flight plan would lead to a deterministic
trajectory in the absence of uncertainty. Let us denote by S the set of states of the finite state machine.
Then we can embed S in R and associate with a run of the machine s0 , s1 , . . . , sn with transition times
t1 , . . . , tn the trajectory X
s(t) = s0 + (t ti )(si si1 ),
i

in which () denotes the Dirac measure. Therefore the hybrid model of the UAV can be written as an IDI.
By definition, a jump (or impulse) is associated with a change in the state of the FCS. Autonomous jumps
model changes of the states which are triggered when one or a combinaison of state crosses a threshold. A
jump is allowed, but not forced, if it is associated with the initiation of a resolution maneuver.
In our model, a trajectory x() of the UAV can be written

t 0, x(t) = xnom (t) + x (t)

in which x () represents the uncertainty contribution to the trajectories.


We denote by (H, Q, ) the dynamical system associated with the nominal (controlled) trajectories of the
UAV. The contribution of uncertainties and the intruder dynamics are represented by a differential inclusion
y G(y). Then we can formulate a pursuit-evasion game in which the nominal system, controlled by the
UAV guidance system, plays against the uncertainty on its trajectory and the intruders. The state space
associated with this game depends on the models used for each aircraft and on the number of intruders
considered in a given scenario. In the sequel, we denote it Rn . Then we have Z0 Rn ; we define Z0 as an
open set.

11 of 16

American Institute of Aeronautics and Astronautics


Remark 7 The assumptions on the dynamics which lead to separateness of nominal UAV trajectories and
contribution of the uncertainty is not really restrictive if uncertainty is only due to wind and if the time
horizon is short enough so that wind magnitude does not depend on the position of the UAV.

We also introduce the system (H, Q,


e ) to describe the dynamics without maneuvers of the UAV.

C. Formal definition and computation of Z1

Z1 for a right angle conflict without uncertainty


Worst case Z1 and Z1 if it is known that the and with uncertainty on the speeds of
angle between UAV heading and intruder respectively 2% for the UAV and 10% for the
heading is 90 . intruder and uncertainty of 10 on the
intruder bearing.
Figure 2. Some examples of Z1

We have defined Z1 as an unsafe set in the sense that from any point in Z1 , there does not exist a
control which can prevent the state from entering in Z0 . In the game formulation described above, the set
of constraint for the second player is K = Rn \ Z0 , (Z0 an open set), and there is no safe set for the control.
This leads to:
Z1 = Rn \ Disc(Rn \ (Z0 ), ), (3)
which means that the control wins only if it can find a strategy which keeps the state out of Z1 forever.
Because we have only a discrete set of controls which are represented by jumps, a strategy in this case is the
choice of the set of positions from which maneuvers will be initiated, and the associated maneuvers. This
strategy can be obtained from9 Disc(Rn \ (Z0 ), ).
The computation of Z1 is challenging for the general model of Section III. To the best of our knowledge,
no tool can deal with the general hybrid non-linear uncertain model. We are currently working on a tool
derived from viability computation.6, 10 There are no theoretical limitations, but the curse of dimension
limits the state of the state space that we can deal with. Approximation can be computed using simplified
models. The representativeness of these approximations can be guaranteed thanks to the rigorous game
setting.
In our early implementation, we consider only planar conflicts and planar resolution by using left of right
turn with a given radius. We assume that both UAV and intruder are flying level at constant speeds. The
only variables are the angle between the intended trajectories and the uncertainty on the measurement of
the intruder velocity and of its heading with respect to the UAV. The constant parameters are the following:
Speed of the intruder: 400 kts

Speed of the UAV: 160 kts


UAV maximal bank angle: 18

12 of 16

American Institute of Aeronautics and Astronautics


Figure 2 presents some early numerical results for the problem of separation provision (Seph = 0.5 N m).
Figure 2-left shows the union of the sets Z1 for all relative headings of the intruder in relative coordinates
with respect to the UAV if both velocities are perfectly known; the smaller area shows Z1 if it is known that
the angle between the UAV heading and the intruder heading is 90 . This advocates for some sort of model
identification in order to avoid maneuvers which are not necessary. On figure 2-right, Z1 if it is known that
the angle between the UAV heading and the intruder heading is 90 with some uncertainty on speeds and
on target heading. It can be seen that a good model identification reduces the necessary range of detection.

D. Formal definition and computation of Z2 and Z3

Figure 3. Z1 and Z2 with uncertainty on speeds and heading for T = 60 s and target estimated heading 135 .

The region Z2 (T ) = Rn \ Z3 (T ) has been defined as the set of positions from which there is a risk of
entering Z1 if no maneuver is undertaken. It means that no control is involved in the computation of Z2 .
Let us define the maps
: , y, z {1} G(y) H(z)
: , y, z {1} {y} Q(z)e
Then we have
Z3 (T ) = {(y, z) : (T, y, z) Viab(,) ([0, T ] (Rn \ (Z1 )), {T } Rn ) . (4)
The computation of Z3 (T ) is less challenging than the computation of Z1 because we do not need to consider
maneuvers. Therefore, computation for each intruder is independent of results of computation for all other
intruders. It requires however the knowledge of the global Z1 which has to be projected on the relevant state
space. If only an over-approximation of Z1 is available, then an over-approximation of Z2 can be computed.
An example for T = 60 s is displayed on figure 3.

V. Determination of the guidance laws


We have shown in the previous section how the game formulation and the definition of safety zones can be
used as a tool for the specification of the sensing performances of a S&A system. Here we describe guidance

13 of 16

American Institute of Aeronautics and Astronautics


modes which can be derived from the safety zone analysis.

A. Guidance logic
In our approach, the S&A function performs iteratively two main subfunctions: surveillance of the surround-
ing traffic and modification of the UAV intended trajectory. The surveillance process consists in updating
the internal model of the traffic situation and determining the current safety zone. It requires tracking of
neighboring aircraft and update of the associated intruder models. Depending on the traffic situation model
built by the surveillance process, the guidance which has been determined at the previous step is modified.
The rate of iteration depends on sensing rates and on processing power; it can also depend on the current
safety zone for dynamic ressource allocation. The logic can be represented as follows:
Algorithm 1
Enable Mission guidance and surveillance mode
while TRUE
Update the surrounding traffic data according to surveillance mode
If traffic in Z0
Enable Z0 guidance and surveillance mode
If traffic in Z1
Enable Z1 guidance and surveillance mode
If traffic in Z2
Enable Z2 guidance and surveillance mode
Else
Enable Mission guidance and surveillance mode

The traffic situation model maintained by the surveillance process and the current safety zone are part of
the situation awareness that can be downloaded to the GCS.

B. Guidance in Z0 and in Z1
When in Z1 , there is no control action which can guarantee separation. Therefore, guidance in Z0 or in Z1
must be very similar. Mission priority is cancelled, and all effort is devoted to increase separation with the
intruders. The difference between being in Z0 or in Z1 may be the set of maneuvers which is considered. If
there is a very high risk of collision, drastic maneuvers which may compromise the mission may be allowed.
The guidance principle must be compatible with ACAS. In the current version of ACAS, resolution
advisories are provided for separation ranging from 0.2 Nm to 1.2 Nm in horizontal, and 300 ft to 700 ft
in vertical.23 By definition, this should correspond to traffic situations at the boundary of Z1 when dealing
with collision avoidance.

C. Guidance in Z2
When in Z2 (T ) but out of Z1 , there exists a control action which can guarantee separation. From differential
game theory, we know that as long as the boundary of Z1 has not been crossed, it is always possible for
the guidance system to find a strategy which keeps the intruders out of Z1 . Therefore, the guidance law in
Z2 should depend on a trade-off between mission priority, and separation priority. It should also depend
on the class of airspace. Indeed, in controlled airspace, air traffic controller will expect the UAV to follow
its flight plan. They base their decision for providing separation assurance on this expectation. For sake of
transparency, it may be better to keep on expected trajectory until the risk of entering Z1 becomes high.
Then as in the case of ACAS alerts, the air traffic controller must be informed of the reason why a maneuver
is undertaken.
If the detection range is large, and T accordingly large, separation can be ensured with minimum deviation
from the fly plan or with small changes in the velocity of the UAV. These deviation may be small enough
so as not to be detected by the air traffic controller while reducing his/her workload. This approach may
be useful during the loitering phase which is devoted to the use of the UAV payload. Then smoothing the
trajectories may be an issue.

14 of 16

American Institute of Aeronautics and Astronautics


The type and amplitude of the maneuvers to be considered here has to be determined. It depends on
air traffic controller perception and expectations regarding aircraft trajectories. This is currently under
investigation for application in ATC modernization.8, 22
Whatever the set of allowed maneuvers, the guidance system has to avoid entering Z1 while keeping impact
on the mission as low as possible. Therefore, Z1 can be considered as a virtual obstacle and techniques for
obstacle avoidance can be used.

VI. Conclusion and directions for future work


We have provided a mathematical framework for the analysis of the Sense and Avoid problem which can
help specify, design and test a S&A system. If the Sense function is given, then the safety zones can be used
to define the requirements of the Avoid function. Reciprocally, if the Avoid function is given, then the safety
zones lead to requirements for the Sense function. If neither function is defined, then several solution can
be tested without extensive simulations. If both functions are given, then the analysis provides a measure
of the performance of the overall system.
Our perspective on the S&A problems relies on theoretical and numerical tools from safety analysis. The
hybrid system framework enables description of the system based both on logic decisions and on dynamic
equations. Differential games and viability theory provide a handy set of concepts for formal analysis of a
S&A function. Moreover, transcription of these concepts into tools for a S&A function implementation is
straightforward from the theoretical points of view. From numerical point of view, there are some challenges
which derive from the size of the state space to te considered.
The level of uncertainty on the intruding traffic dynamics increases the number of possible trajectories.
Therefore, it increases the required detection range. In order to determine the minimal acceptable detection
range for a MALE UAV, the identification of dimensioning scenarii must be performed based on an encounter
model.23
We have defined our safety regions without using a priori knowledge of disturbances probability profiles;
we have only used bounds on its amplitude. This could appear like a limitation since it can be expected23
that the target level of safety for S&A systems be specified in terms of probabilities of loss of separation and
probabilities of near midair collision for a given encounter model. However, a related probabilistic definition
of the safety zones is straightforward using the framework of stochastic hybrid systems for which Monte-
Carlo techniques have been developed.19 This means that the design process and the validation process can
be performed in a coherent framework.
Future research includes the development of numerical tools for supporting our approach. It also includes
work on the models used for computation. It may be good to be able to model some characteristics of the
detection tools, such as the rate of refreshment. And if the ground operator has to be in the loop, it is
necessary to model also his/her reaction time. If adequate models violate the assumption of separateness
of UAV nominal trajectory and uncertainty contribution to its trajectory, or if they introduce coupling
between the UAV trajectory and the models of the traffic trajectory, further theoretical development on
impulse differential games will be necessary.

Acknowledgments
We would like to thank M. Strong, from EUROCONTROL and R. Brigaud, from DGA, authors respec-
tively of EUROCONTROL Specifications for the use of military unmanned aerial vehicles as operational air
traffic outside segregated airspace 3 and UAV Systems Airworthiness Requirements 20 for valuable discussions.
We also would like to thank C. Le Tallec, from ONERA, for his precious suggestions.

References
1 National Transportation Safety Board. http://www.ntsb.gov/.
2 USICO Project. http://www.uavnet.com/projects/usico.htm.
3 EUROCONTROL Specifications for the use of military unmanned aerial vehicles as operational air traffic outside segre-

gated airspace. Available at http://www.eurocontrol.int, April 2006.


4 J.-P. Aubin, J. Lygeros, M. Quincampoix, S.S. Sastry, and N. Seube. Impulse differential inclusions: A viability approach

to hybrid systems. 47(1):220, January 2002.

15 of 16

American Institute of Aeronautics and Astronautics


5 C. Carbone, U. Ciniglio, F. Corraro, and S. Luongo. Decision-making algorithms for aircraft autonomous collision

avoidance. In Proceedings of the 5th EUROCONTROL Innovative Research Workshop & Exhibition, December 2006. Available
at http://inoworkshop.eurocontrol.fr/.
6 P. Cardaliaguet, M. Quincampoix, and P. Saint-Pierre. Numerical Methods for Differential Games. In M. Bardi, T.E.S.

Raghavan, and T. Parthasarathy, editors, Stochastic and Differential Games: Theory and Numerical Methods, Annals of the
International Society of Dynamic Games, pages 177247. Birkh auser, 1999.
7 E. Cruck. Target Problems under State Constraints for Nonlinear Controlled Impulsive Systems. Journal of Mathematical
Analysis and Applications, 270(2):636656, 2002.
8 E. Cruck and J. Lygeros. Subliminal air traffic control:human friendly control of a multi-agent system. In American
Control Conference, 2007.
9 E. Cruck, M. Quincampoix, and P. Saint-Pierre. Pursuit-Evasion games with impulsive dynamics, volume 9 of Advances
in Dynamical Games, chapter 11, pages 223247. Birkh auser, 2006.
10 E. Cruck and P. Saint-Pierre. Nonlinear Impulse Target Problems under State Constraints: A Numerical Analysis Based
on Viability Theory. Set-Valued Analysis, 12(4):383416, 2004.
11 EUROCONTROL. 5th EUROCONTROL Innovative Research Workshop & Exhibition - Parallel Workshop on UAV.

http://inoworkshop.eurocontrol.fr/.
12 Eurocontrol Experimental Centre. User manual for the base of aircraft data (BADA) revision 3.3, 2002.
13 Y. Gao, J. Lygeros, and M. Quincampoix. The reachability problem for uncertain hybrid systems revisited: A viability

theory perspective. In J. Hespanha and A. Tiwari, editors, Hybrid Systems: Computation and Control, number 3927 in LNCS,
pages 242256. Springer-Verlag, Berlin, 2006.
14 ASTM International. Standard Specification for Design and Performance of an Airborne Sense-and-Avoid System. Avail-

able for purchase at http://www.astm.org, July 2005. The referred version is designated F 2411 - 04 .
15 J. Kuchar and L. Yang. A review of conflict detection and resolution methods. IEEE Transactions on Intelligent

Transportation Systems, 1(4):179189, 2000.


16 C. Livadas, J. Lygeros, and N.A. Lynch. High-level modeling and analysis of the traffic alert and collision avoidance

system (TCAS).
17 C. Livadas and N. Lynch. Formal verification of safety-critical hybrid systems. In S. Sastry and T.A. Henzinger, editors,

Hybrid Systems: Computation and Control, number 1386 in LNCS, pages 253272. Springer-Verlag, Berlin, 1998.
18 I. Lymperopoulos, A. Lecchini, W. Glover, J. Maciejowski, and J. Lygeros. A stochastic hybrid model for air traffic

management processes. Technical Report CUED/F-INFENG/TR.572, University of Cambridge, Cambridge, CB2 1PZ, UK,
February 2007.
19 I. Lymperopoulos, J. Lygeros, and A. Lecchini. Model based aircraft trajectory prediction during takeoff. In AIAA

Guidance, Navigation and Control Conference, August 2006.


20 Del
egation G en
erale pour lArmement. UAV Systems Airworthiness Requirements, January 2005.
21 D.H. Shim and S. Sastry. An evasive maneuver algorithm for uavs in See-and-Avoid situations. In American Control

Conference, 2007.
22 J. Villiers. Automatisation du controle de la circulation aerienne - projet ERASMUS une voie originale pour mieux
utiliser lespace aerien. Technical Report Volume 58, ITA, 2004.
23 A. Zeitlin, A. Lacher, J. Kuchar, and A. Drumm. Collision avoidance for unmanned aircraft: Proving the safety case.

Technical report, MITRE and Lincoln Laboratory, October 2006.

16 of 16

American Institute of Aeronautics and Astronautics

You might also like