Eva Crück
Délégation Générale pour l'Armement, 75509 Paris Cedex 15, France.
John Lygeros
ETH Zurich, CH-8092, Switzerland
In this paper, we focus on the design requirements of a Sense and Avoid function for
a Medium Altitude Long Endurance Unmanned Aerial Vehicle. We define nested zones
around the UAV corresponding with safety levels ranging from possible loss of separation to
certain separation without any action. These regions can be used not only to specify performances
of the sensing capacity, but also to design the appropriate behaviors of the guidance
system. For each region, we state the guidance problems associated with the objectives
of avoiding collision, ensuring separation and carrying out the mission. We formulate a
conflict situation between the UAV and intruding traffic as a generalized pursuit-evasion
game. One player is the UAV guidance system; its goal is always to ensure separation while,
in certain cases, optimizing a cost associated with the maneuvers. The second player is the
uncertainty on the relative trajectories.
Nomenclature
UAV Unmanned Aerial Vehicle
GCS Ground Control Station
FCS Flight Control System
ACAS Airborne Collision Avoidance System
ATM Air Traffic Management
ATC Air Traffic Control
IFR Instrument Flight Rules
VFR Visual Flight Rules
Seph Minimum radius of the protected volume around the UAV
Sepv Half height of the protected volume around the UAV
IDI Impulse Differential Inclusion
I. Introduction
In the past few years, Unmanned Aerial Vehicles (UAV) have been recognized as valuable military assets.
They have been widely used in recent operations and most countries have development and/or acquisition
programs. The range of sizes and masses of UAV is very large, leading to different operational
requirements and technical challenges. Here, we are only interested in the larger UAV which have to share
airspace with manned aircraft. Their primary field of application is ISTAR (Intelligence, Surveillance,
Target Acquisition and Reconnaissance). In the coming years, it is expected that they will also become assets
in national defense applications such as monitoring of environment and security. A market for commercial
applications is also envisioned [2] when UAV provide a viable alternative to manned aircraft or satellites.
While UAV operation in war theater is almost routine, peacetime operation raises safety concerns which
are currently addressed on a case by case basis. There are several issues which need to be solved before UAV
can be allowed to fly routinely within civil airspace. They include, for instance, airworthiness certification,
crew licensing, and operational procedures. Indeed, the use of airspace is highly structured, and the current
structure has been inherited from a century of manned aviation. Evolution is necessary in order to accommodate
unmanned aircraft without reducing the overall level of safety. For an overview of the problem and
of initiatives to address it, the reader is referred to the documentation of the USICO project [2]. Among the
issues raised by all working groups dealing with UAV integration in general air traffic [2, 3, 20], a main point is
to make sure that the absence of a qualified pilot onboard the aircraft does not increase the probability of
collisions with other airspace users, or with people and properties on the ground. This aspect is commonly
referred to as the Sense and Avoid capacity (S&A), which has to replace the human pilot's See and Avoid
capacity. The design of a Sense and Avoid system likely to be certified as safe as a human pilot onboard
is therefore a key technological enabler for UAV operation outside segregated airspace. The word system has
to be understood in a broad sense since it may involve components aboard the UAV, components in the
Ground Control Station (GCS) and human operators on the ground.
Research engineer, Navigation & Guidance Department, eva.cruck@dga.defense.gouv.fr, cruck@control.ee.ethz.ch, AIAA Member.
Professor, Automatic Control Laboratory, lygeros@control.ee.ethz.ch.
Copyright 2007 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved.
There are several candidate technical solutions [2, 11], both cooperative and non-cooperative. In the cooperative
setting, a general misconception is the idea that a system satisfying the Airborne Collision Avoidance
System (ACAS) standard in its current or a later version is the ultimate solution. One reason why this is
not true is that the cost and weight of an ACAS system make it difficult to impose for general aviation.
Another, deeper reason is the fact that ACAS is a last ditch collision avoidance system. The see and avoid
principle includes, but is not reduced to, collision avoidance. It also refers to the notion of separation. Loosely
speaking, separation is a means to avoid collision by ensuring a minimal distance between the aircraft. For
instance, in enroute space, when air traffic controllers are in charge of providing separation assurance, they
have to maintain a horizontal distance between aircraft greater than 3 Nm, 5 Nm, or 8 Nm depending on the
equipment available for getting aircraft data. The ACAS system has been designed to avoid collision in case
of failure of this separation procedure. When air traffic controllers do not provide separation service, there is
no official separation norm, but a notion of passing well clear. It is unthinkable not to provide UAV with a
technological solution to maintain separation. Indeed, even with a perfect collision avoidance system, people
onboard aircraft would not accept the idea of having UAV maintaining a collision course with them up to the
last minute. Moreover, the certification of a S&A system will be easier if it is designed to ensure separation.
Then the probability of triggering the collision avoidance component is reduced, which reduces the overall
probability of collision.
A Sense and Avoid function can obviously be decomposed into a Sense function, in charge of detecting
potentially conflicting aircraft, and an Avoid function, in charge of changing the UAV trajectory in order
to maintain separation or to avoid collision. Both functions can be considered in a cooperative or a
non-cooperative environment. For the Sense aspect, a pure cooperative solution cannot be envisioned for short
term application since it requires all aircraft to be equipped up to new standards. We can therefore expect a
combination of cooperative detection for equipped aircraft with non-cooperative detection for other aircraft.
For a survey of candidate solutions, the reader is referred to the documentation of the USICO project [2]. For
the Avoid aspect, it is generally agreed that the operator will be in charge of commanding the maneuver, or at
least of validating a maneuver advisory computed by the system. However, autonomous avoidance capability
may be necessary in case of loss of datalink [3] or in case of very late detection. It has been proposed to use
techniques from collision avoidance in robotics. Results from robotics [5, 21] or from air traffic management
automation research [15] would indeed provide good starting points, but they have to be adapted to the S&A
context.
The overall performance of the S&A system depends on the integration of the Sense and the Avoid
aspects. Precise specifications of the requirements which have to be met by the system have not been agreed
upon yet. The objective of reaching an Equivalent Level Of Safety (ELOS) to the level achieved by manned
aviation is qualitative. The quantification of average human perception when piloting an aircraft can be
used [14] as a base. However, it may be restrictive to try to mimic human behavior when a technological solution
may perform better.
In this paper, we are interested in developing a framework for deriving the specification of a S&A function
and designing the Avoid function. We use a Medium Altitude Long Endurance (MALE) UAV as a target
application. Our approach can be used for any UAV, but MALE UAV are the most demanding with respect
to general air traffic integration. Because of their service ceiling and their range, they are the class for
which segregation from other traffic in time or in space is the most difficult to achieve. The operational
requirements for MALE UAV are discussed in Section II.
A. A case study
A recent incident (April 25, 2006) [1] involving a Predator B registered to the U.S. Customs and Border
Protection agency illustrates the difficulties of not having a human pilot onboard. A failure of the GCS
required switching to the back-up station, which was nominally used to control the UAV payload and receive
sensor data in relation with the UAV mission. The fuel control on the back-up position was set on cut-off
position because of the previous use of the station. This led to a loss of altitude which was not expected by the
pilot in command of the flight. The pilot stated that after the switch to the other console, he noticed the UAV
was not maintaining altitude but did not know why. As a result he decided to shut down the GCS so that the
UAV would enter its lost link procedure, which called for the UAV to climb to 15,000 feet above mean sea
level and to fly a predetermined course until contact could be established. With no engine power, the UAV
continued to descend below line-of-sight communications and further attempts to re-establish contact with the
UAV were not successful. [1]
In this case, the technical incident involved only the GCS, a back-up solution was available and the
operator was qualified. But a slight error in applying the back-up procedure led to the loss of the UAV
which crashed a few hundred meters from a habitation. A lesson that can be learned from this incident
is that the situation awareness of a pilot in command from a GCS is quite different from the situation
awareness of a pilot aboard the aircraft. In this incident, as soon as the transfer of control to the secondary
console was effective, the UAV flight was no longer under full control of the GCS. Unaware of the loss of
power, the operator might have been unable to avoid another airspace user or to target a proper crash area.
This advocates for more autonomy of the UAV. A S&A system, which is also in charge of avoiding collision
B. Operational requirements
Mission requirements The service altitude of a MALE UAV is between 13,000 ft and 36,000 ft, while
airliners usually fly between 19,500 ft and 45,000 ft. Therefore, it can be expected that missions of a MALE
UAV in civil airspace cross commercial routes. The flight profile of a typical MALE UAV mission can be
described as [2]:
• A climbing phase to reach service ceiling or mission altitude, which begins with an acceleration to the
climb speed and a climb at constant calibrated airspeed;
• An enroute phase to mission area made of waypoints, and which can include flight level changes;
• A loitering phase for the duration of the mission during which the flight is devoted to the utilization
of the payload;
• An enroute phase to recuperation area which is similar to the pre-mission enroute phase;
• A descent phase toward landing which begins with idle throttle, down to interception with approach
control.
The only phase which is specific to a UAV flight is the loitering phase; it can last several hours (or even
days). Each phase can be associated with a set of parameters describing the normal behavior and the possible
maneuvers. For instance, at the end of the flight, the UAV is lighter and fuel consumption may be more of
an issue; during the loitering phase, the payload may add constraints on the available set of maneuvers.
Remark 1 The S&A function has to be ensured during the whole mission of the UAV. It should also be
ensured for taxiing, take-off and landing phases; we do not consider these phases here. A similar approach
can be used with specific dynamical models.
Flight rules and classes of airspace Conflict avoidance in manned aviation relies on 3 levels of
management: strategic, tactical and emergency. The strategic layer is concerned with flight planning and
with the structure of the airspace. The tactical layer is concerned with providing separation between aircraft,
which is basically defining protected volumes around aircraft and ensuring that the protected volumes of two
aircraft do not overlap. The emergency level is collision avoidance in case of failure of separation provision.
Among the strategic elements of manned aviation organisation is the notion of flight rules which defines
how the flight must be prepared, the type of equipment required onboard, the qualification of the pilot and
interface with air navigation service providers. The main existing rules are Visual Flight Rules (VFR) and
Instrument Flight Rules (IFR). Flying under VFR is allowed only under Visual Meteorological Conditions
(VMC). It requires staying well clear of clouds. Therefore, a UAV would be allowed to fly under VFR only if
its sensors enable the operator to evaluate meteorological conditions and distance to clouds. Given its range
and endurance, it is unlikely that a MALE UAV flies under VFR. We do not consider this aspect here. In the
sequel, we assume that the UAV flies IFR, which means in particular that we do not consider that staying
well clear of clouds is an objective of the S&A system under consideration. Flying under IFR requires that
a flight plan is transmitted to the authorities in charge of Air Traffic Management (ATM).
Airspace is divided into classes which define flight rules allowed and ATM services provided to airspace
users. Airspace can be controlled or uncontrolled. In controlled airspace, Air Traffic Control (ATC) provides
separation for all IFR flights and possibly for VFR flights if radar capabilities are sufficient. In uncontrolled
airspace, separation provision is the pilot's responsibility. Whatever the airspace class and the flight rule, collision
C. Automation issues
The S&A capability involves several decision processes. How many of them will be automated is an open
question. It can be expected that decisions which lead to modifications of the trajectory are taken by the
ground operator except in the case of loss of command datalink or if imminence of collision is not compatible
with transmission delays [3]. This raises the issue of the awareness of the situation surrounding the UAV which
has to be provided to the ground operator. We do not address this aspect here, but the framework that we
propose can provide tools for enhancing the situation awareness in the GCS. In the sequel, guidance system
refers to the trajectory assignment process whether it is automated or not.
D. Certification issues
The certification process of a candidate S&A system has yet to be agreed upon by airspace stakeholders. It
can be expected that it will build upon the process which has led to the acceptance of the ACAS standard [23].
It requires some flight test campaigns and millions of simulations. One of the purposes of the present paper
is to reduce this number of simulations by providing powerful analysis tools.
A. General principle
The usual definition of a safe separation (if not provided by ATC) is of the order of 0.5 nautical miles in the
horizontal plane, and 500 ft in the vertical dimension [3]. Collision avoidance is generally associated with a miss
distance of 500 ft horizontally and 100 ft vertically. Here, we define the Avoid problem as keeping all traffic
out of a cylinder of radius Seph and height Sepv centered on the UAV. The same analysis can be used for
collision avoidance and for separation provision. We consider the case of potentially non-cooperative traffic,
meaning that the incoming traffic may not be aware of the UAV presence. The guidance of the UAV is the
only available control. It can be determined autonomously by the S&A system or decided by the ground
operator.
Our approach is based on the characterization of regions of a state space describing the traffic situation
which can be associated with different levels of safety. The boundaries of these regions depend only on the
dynamics of the UAV and of the incoming traffic. A precise definition of the safety zones is provided in
Section IV as well as an approach to compute them without extensive simulations. Informally, they can be
described as follows:
• We define Z0 as the set of positions such that the distance between the UAV and at least one intruder
is smaller than Seph in horizontal and Sepv in vertical, or if the distance to the ground is below Sepv.
This does not mean that a collision (or a loss of separation) will occur, but the guidance system has
to try to augment the distance to the intruder or to the ground.
• We define Z1 as the set of positions from which it is not possible to guarantee that the detected traffic
will remain out of Z0. Z1 is a superset of Z0 due to uncertainty and to the fact that only the UAV
dynamics is controlled. The aim of the guidance system must be to prevent the traffic from entering
Z0 and to drive it out of Z1 as fast as possible.
• We define Z2(T) as the set of positions from which there is a risk of traffic entering Z1 during the time
horizon [0, T] if no maneuver is undertaken. The value of T is a parameter of the system. Whenever
traffic enters Z2(T), it becomes a potential threat but it is still possible to take a maneuver which
guarantees separation or prevents collision. It is necessary to be ready to initiate a maneuver before
entering Z1.
• Finally, we define Z3(T) as the set of positions from which it is guaranteed that the intruder will
remain outside of Z1 without maneuvering. By definition, Z3(T) is the complement of Z2(T). Without
any deviation from the flight plan, the minimum separation is ensured for all possible trajectories. By
definition, traffic in Z3(T) should never enter Z1.
With this approach, the S&A detection system can associate the traffic situation with the corresponding
zone: if all the traffic is in Z3(T), the UAV can follow its flight plan, but if traffic enters
Z2(T), a maneuver must be undertaken to ensure separation. The earlier the detection, the smoother the
maneuver. This approach can be refined by using multiple values of T or different sets of available maneuvers
depending on the distance to the traffic.
In the sequel, we assume that the S&A detection system can identify some parameters of the traffic
dynamics in order to compute possible future trajectories. The next subsections describe the models used
for predicting the trajectories of the UAV and of the traffic. Depending on whether we are dealing with
separation provision or with collision avoidance, the available computational time is different. Therefore, the
complexity of the models that can be used is different.
it is formulated in the framework of hybrid systems which is well suited to describe aircraft trajectories. It
associates a high level description of the flight phases with flight dynamics equations. We have chosen this
model because it generates realistic trajectories with moderate and adjustable complexity. Moreover, it is
compatible with the description of EUROCONTROL Base of Aircraft DAta (BADA) [12], hence providing a
level of generality. A type of aircraft is easily determined as a finite set of parameters. This could be useful
if the S&A system is to be adapted for manned aircraft.
Flight model We use a point mass model which reflects dynamical coupling effects between horizontal
and vertical dynamics as well as time lag between commands and effect. The state variables are:
• the horizontal position (x, y),
• the altitude h,
• the True Air Speed (TAS) V,
• the heading angle .
A MALE UAV is not designed for high aerodynamic performance. Therefore, we assume that it is
operated around trimmed flight conditions, and we consider that the angle of attack and the sideslip angle
are small. Then the lift and drag forces can be approximated as
\[
L = \frac{C_L S \rho(h)}{2} V^2 \quad \text{and} \quad D = \frac{C_D S \rho(h)}{2} V^2,
\]
in which S is the surface area of the wings, $\rho(h)$ is the air density (as a function of altitude), and $C_L$ and $C_D$
are lift and drag coefficients. This assumption can be challenged in emergency avoidance maneuvers, but it
is reasonable for separation provision.
The detection of a risk of loss of separation in the context of a S&A function requires rather short term
trajectory prediction (a few minutes at most). In order to simplify the model, we can assume that mass is
in which w = (w1, w2, w3) stands for uncertainty due for instance to wind. The controls are the thrust u1, the
bank angle u2, and the flight path angle u3. They are computed by the guidance system in order to follow
the flight plan and to optimize the flight efficiency. Using these inputs instead of control surface positions is
another simplification which can be removed for fine tuning of the system.
We represent the Flight Control System (FCS) as a finite state machine with discrete states associated
with flight phases. We also use a discrete representation of the flight plan as a succession of waypoints
and predetermined maneuvers. Each combination of the discrete states is associated with a deterministic
feedback law for the controls u1, u2 and u3. Currently, we use a generic FCS model [18]. A specific FCS for a
MALE UAV is under development.
Remark 4 Using the flight plan in the UAV model is useful for separation provision. Indeed, a turn scheduled
in the flight plan may be sufficient to ensure separation while extrapolating a straight trajectory leads to a
conflict.
Resolution maneuvers In this paper, we are mainly interested in dimensioning the S&A requirements.
Therefore, we consider only a discrete set of controls denoted by U. Each control is a pre-determined
maneuver such as turning right or left with given sideslip angle, or climbing or diving with maximal rates, or
a combination of horizontal and vertical maneuvers. Each maneuver can be associated with a discrete state
of the finite state machine that describes the FCS and possibly with some auxiliary continuous variables.
Some remarks on the UAV model There is obviously a trade-off between the representativeness of
the UAV model and the complexity of computation. When dealing with collision avoidance, it may seem
unnecessary to use a FCS model since it can be assumed that the parameters are constant on a short time
horizon. On the other hand, using a very good model of the FCS has a limited impact on the computational
complexity and provides some guarantees that the system behavior will not present singularities due to the
internal logic of the FCS.
The model presented here will have to be refined for realistic performance assessment. The hybrid
system framework enables an analysis methodology using successive refinement of the model [16, 17]. Under
compatibility assumptions, results obtained with a simple FCS model and simple flight dynamic model can
be carried over to studies using detailed models.
Climb or Descent 0
x Vx cos() v1
y = Vx sin() + v2
h Vh v3
in which v1, v2 and v3 are bounded inputs that account for uncertainty on the measurement and for wind.
If the Sense function is given, then the error model can be adapted. Cooperative traffic is modelled with
reduced uncertainty.
Let us underline that the threat has to be identified, that is, put in one of the classes with associated
parameters and estimated uncertainty. This is part of the situation awareness which will not be discussed
here. Class allocation can be dynamic if the estimation of parameters is refined by the detection process.
A. Preliminaries
For the sake of generality, our formulation is based on the mathematical abstraction of Impulse Differential
Inclusions [4, 7] (IDI), which is suitable for describing a large class of hybrid systems and requires only mild
assumptions on the dynamics. It is associated with a set of theoretical and computational tools which are
introduced below.
The impulse differential inclusion formalism An IDI describes a dynamical system whose state can
evolve either through an ordinary differential system or through instantaneous jumps. In order to describe
the trajectories, we introduce the notion of hybrid time trajectory [4] borrowed from hybrid systems literature.
Definition 1 A hybrid time set = $\{I_i\}_{i=0}^{N}$ is a finite or infinite sequence of intervals of $\mathbb{R}$ such that
Remark 5 An ordinary differential equation $\dot{x} = f(x, u)$ with f Lipschitz continuous with respect to x
and continuous with respect to u has the same set of solutions as the differential inclusion $\dot{x} \in F(x)$ with
$F(x) := \bigcup_{u \in U} f(x, u)$ if U is compact convex.
In order to ensure existence of trajectories defined on $[0, +\infty[$ for all initial conditions, we need the
following
Assumption 1
• The set-valued map F is upper-semicontinuous with non-empty compact convex values and linear
growth.
• The set-valued map R is upper-semicontinuous with compact values and compact domain such that
$\forall x \in \mathrm{Dom}(R),\ R(x) \cap \mathrm{Dom}(R) = \emptyset$.
Dom(R).
Remark 6 By Assumption 1, trajectories are well defined since multiple simultaneous jumps are not allowed.
Moreover, a jump is always possible when continuous trajectory is not possible, that is when entering .
Safety verification for IDI Let us consider an IDI with no forced jumps ( = ) denoted (F, R).
Given a set of constraints $K \subset \mathbb{R}^n$ and a set $C \subset K$, we want to know if it is possible to stay in K forever
or to reach C before leaving K.
Theorem 1 Under Assumption 1 we call viability kernel of K with target C, denoted $\mathrm{Viab}_{(F,R)}(K, C)$, the
set of initial conditions $x_0 \in K$ such that there exists $x(\cdot) \in S_{(F,R)}(x_0)$ which stays in K as long as C has
not been reached, namely:
t inf{s : x(s) C, x(t) K}.
Then $\mathrm{Viab}_{(F,R)}(K, C)$ is the largest element of the set of closed subsets $D \subset K$ such that for all $x \in D$
where N PD (x) denotes the set of proximal normal to D at x: N PD (x) := { : inf yD ||(x + ) y|| = ||||}.
The viability kernel is a useful tool for safety analysis. If the IDI is used to represent a control system,
then $\mathrm{Viab}_{(F,R)}(K, C)$ is the set of initial positions such that the control can prevent the state from violating
the constraints represented by K as long as a set of desirable states C has not been reached. If the IDI is
used to represent an uncertain system (without control), then $\mathrm{Viab}_{(F,R)}(K, C)$ is the set of initial positions
such that the disturbance can prevent the state from reaching the set of desirable states $\mathbb{R}^n \setminus K$ and can
eventually drive it to the dangerous set C.
Now, if the interior of Dom(R) has empty intersection with K, under technical assumptions on the
boundary of Dom(R), $\mathrm{Viab}_{(F,R)}(K, C)$ is the set of initial conditions $x_0 \in K$ such that there exists
$x(\cdot) \in S_{(F,R)}(x_0)$ associated with a run $\{I_i, (x_i(\cdot))\}_{i=0}^{N}$ which stays in K as long as C has not been
reached and such that
i < N, xi (i0 ) = inf{t : xi (t) Dom(R)}.
This means that a safety problem with dynamics (F, R, ) can be analyzed using Viab(F,R) (K \ , C).
such that for any > 0, and for any trajectories y() and y() of S(G,P ) (y0 ) which coincide on [t0 , t0 + ],
the trajectories z() = B(y()) and z() = B(
y ()) coincide on [t0 , t0 + ]. We denote by B(y0 , z0 ) the set of
control VR-strategies at (y0 , z0 ).
Let us mention that the use of this type of strategies is necessary for a correct mathematical statement of
the game. We consider the usual setting for robust control [13], in which the disturbance chooses an open-loop
trajectory, while the control chooses a VR-strategy.
Now in the safety problem, a closed subset K of the state space represents constraints for the second
player (the control). The first player (the disturbance) tries to drive the state (y, z) out of K while preventing
it from reaching a closed subset $C \subset K$ representing a safe set. The second player (the control) has the opposite
goal: to keep the state in K as long as it has not reached the safety of set C. Theorem 1 can be generalized to
this case [9] and leads to the notion of discriminating kernel. The geometrical conditions which generalize (2)
are omitted for the sake of space.
Definition 4 We denote by $\mathrm{Disc}(K, C)$ the discriminating kernel of K for the second player with target
C. It is the set of initial conditions $(y_0, z_0) \in K$ such that there exists a VR-strategy B such that for any
$y(\cdot) \in S_{(G,P)}(y_0)$, $(y(\cdot), B(y(\cdot)))$ stays in K as long as C has not been reached.
in which () denotes the Dirac measure. Therefore the hybrid model of the UAV can be written as an IDI.
By definition, a jump (or impulse) is associated with a change in the state of the FCS. Autonomous jumps
model changes of the states which are triggered when one state or a combination of states crosses a threshold. A
jump is allowed, but not forced, if it is associated with the initiation of a resolution maneuver.
In our model, a trajectory x() of the UAV can be written
We have defined $Z_1$ as an unsafe set in the sense that from any point in $Z_1$, there does not exist a
control which can prevent the state from entering $Z_0$. In the game formulation described above, the set
of constraints for the second player is $K = \mathbb{R}^n \setminus Z_0$ ($Z_0$ an open set), and there is no safe set for the control.
This leads to:
\[
Z_1 = \mathbb{R}^n \setminus \mathrm{Disc}(\mathbb{R}^n \setminus (Z_0), \emptyset), \tag{3}
\]
which means that the control wins only if it can find a strategy which keeps the state out of $Z_1$ forever.
Because we have only a discrete set of controls which are represented by jumps, a strategy in this case is the
choice of the set of positions from which maneuvers will be initiated, and the associated maneuvers. This
strategy can be obtained from $\mathrm{Disc}(\mathbb{R}^n \setminus (Z_0), \emptyset)$ [9].
The computation of Z1 is challenging for the general model of Section III. To the best of our knowledge,
no tool can deal with the general hybrid non-linear uncertain model. We are currently working on a tool
derived from viability computation [6, 10]. There are no theoretical limitations, but the curse of dimensionality
limits the size of the state space that we can deal with. Approximations can be computed using simplified
models. The representativeness of these approximations can be guaranteed thanks to the rigorous game
setting.
In our early implementation, we consider only planar conflicts and planar resolution by using left or right
turns with a given radius. We assume that both UAV and intruder are flying level at constant speeds. The
only variables are the angle between the intended trajectories and the uncertainty on the measurement of
the intruder velocity and of its heading with respect to the UAV. The constant parameters are the following:
Speed of the intruder: 400 kts
Figure 3. Z1 and Z2 with uncertainty on speeds and heading for T = 60 s and target estimated heading 135°.
The region $Z_2(T) = \mathbb{R}^n \setminus Z_3(T)$ has been defined as the set of positions from which there is a risk of
entering Z1 if no maneuver is undertaken. It means that no control is involved in the computation of Z2.
Let us define the maps
: , y, z {1} G(y) H(z)
: , y, z {1} {y} Q(z)e
Then we have
Z3 (T ) = {(y, z) : (T, y, z) Viab(,) ([0, T ] (Rn \ (Z1 )), {T } Rn ) . (4)
The computation of Z3 (T ) is less challenging than the computation of Z1 because we do not need to consider
maneuvers. Therefore, computation for each intruder is independent of results of computation for all other
intruders. It requires however the knowledge of the global Z1 which has to be projected on the relevant state
space. If only an over-approximation of Z1 is available, then an over-approximation of Z2 can be computed.
An example for T = 60 s is displayed in Figure 3.
A. Guidance logic
In our approach, the S&A function iteratively performs two main subfunctions: surveillance of the surrounding
traffic and modification of the UAV intended trajectory. The surveillance process consists in updating
the internal model of the traffic situation and determining the current safety zone. It requires tracking of
neighboring aircraft and updating the associated intruder models. Depending on the traffic situation model
built by the surveillance process, the guidance which has been determined at the previous step is modified.
The rate of iteration depends on sensing rates and on processing power; it can also depend on the current
safety zone for dynamic resource allocation. The logic can be represented as follows:
Algorithm 1
Enable Mission guidance and surveillance mode
while TRUE
    Update the surrounding traffic data according to surveillance mode
    If traffic in Z0
        Enable Z0 guidance and surveillance mode
    Else if traffic in Z1
        Enable Z1 guidance and surveillance mode
    Else if traffic in Z2
        Enable Z2 guidance and surveillance mode
    Else
        Enable Mission guidance and surveillance mode
The traffic situation model maintained by the surveillance process and the current safety zone are part of
the situation awareness that can be downloaded to the GCS.
B. Guidance in Z0 and in Z1
When in Z1, there is no control action which can guarantee separation. Therefore, guidance in Z0 or in Z1
must be very similar. Mission priority is cancelled, and all effort is devoted to increasing separation from the
intruders. The difference between being in Z0 or in Z1 may be the set of maneuvers which is considered. If
there is a very high risk of collision, drastic maneuvers which may compromise the mission may be allowed.
The guidance principle must be compatible with ACAS. In the current version of ACAS, resolution
advisories are provided for separation ranging from 0.2 Nm to 1.2 Nm horizontally, and 300 ft to 700 ft
vertically.23 By definition, this should correspond to traffic situations at the boundary of Z1 when dealing
with collision avoidance.
C. Guidance in Z2
When in Z2(T) but out of Z1, there exists a control action which can guarantee separation. From differential
game theory, we know that as long as the boundary of Z1 has not been crossed, it is always possible for
the guidance system to find a strategy which keeps the intruders out of Z1. Therefore, the guidance law in
Z2 should depend on a trade-off between mission priority and separation priority. It should also depend
on the class of airspace. Indeed, in controlled airspace, air traffic controllers will expect the UAV to follow
its flight plan. They base their decisions for providing separation assurance on this expectation. For the sake of
transparency, it may be better to stay on the expected trajectory until the risk of entering Z1 becomes high.
Then, as in the case of ACAS alerts, the air traffic controller must be informed of the reason why a maneuver
is undertaken.
If the detection range is large, and T accordingly large, separation can be ensured with minimum deviation
from the flight plan or with small changes in the velocity of the UAV. These deviations may be small enough
so as not to be detected by the air traffic controller while reducing his/her workload. This approach may
be useful during the loitering phase which is devoted to the use of the UAV payload. Then smoothing the
trajectories may be an issue.
Acknowledgments
We would like to thank M. Strong, from EUROCONTROL and R. Brigaud, from DGA, authors respectively
of EUROCONTROL Specifications for the use of military unmanned aerial vehicles as operational air
traffic outside segregated airspace 3 and UAV Systems Airworthiness Requirements 20 for valuable discussions.
We also would like to thank C. Le Tallec, from ONERA, for his precious suggestions.
References
1 National Transportation Safety Board. http://www.ntsb.gov/.
2 USICO Project. http://www.uavnet.com/projects/usico.htm.
3 EUROCONTROL Specifications for the use of military unmanned aerial vehicles as operational air traffic outside segre-
avoidance. In Proceedings of the 5th EUROCONTROL Innovative Research Workshop & Exhibition, December 2006. Available
at http://inoworkshop.eurocontrol.fr/.
6 P. Cardaliaguet, M. Quincampoix, and P. Saint-Pierre. Numerical Methods for Differential Games. In M. Bardi, T.E.S.
Raghavan, and T. Parthasarathy, editors, Stochastic and Differential Games: Theory and Numerical Methods, Annals of the
International Society of Dynamic Games, pages 177-247. Birkhäuser, 1999.
7 E. Cruck. Target Problems under State Constraints for Nonlinear Controlled Impulsive Systems. Journal of Mathematical
Analysis and Applications, 270(2):636-656, 2002.
8 E. Cruck and J. Lygeros. Subliminal air traffic control: human friendly control of a multi-agent system. In American
Control Conference, 2007.
9 E. Cruck, M. Quincampoix, and P. Saint-Pierre. Pursuit-Evasion games with impulsive dynamics, volume 9 of Advances
in Dynamical Games, chapter 11, pages 223-247. Birkhäuser, 2006.
10 E. Cruck and P. Saint-Pierre. Nonlinear Impulse Target Problems under State Constraints: A Numerical Analysis Based
on Viability Theory. Set-Valued Analysis, 12(4):383-416, 2004.
11 EUROCONTROL. 5th EUROCONTROL Innovative Research Workshop & Exhibition - Parallel Workshop on UAV.
http://inoworkshop.eurocontrol.fr/.
12 Eurocontrol Experimental Centre. User manual for the base of aircraft data (BADA) revision 3.3, 2002.
13 Y. Gao, J. Lygeros, and M. Quincampoix. The reachability problem for uncertain hybrid systems revisited: A viability
theory perspective. In J. Hespanha and A. Tiwari, editors, Hybrid Systems: Computation and Control, number 3927 in LNCS,
pages 242-256. Springer-Verlag, Berlin, 2006.
14 ASTM International. Standard Specification for Design and Performance of an Airborne Sense-and-Avoid System. Available
for purchase at http://www.astm.org, July 2005. The referred version is designated F 2411 - 04.
15 J. Kuchar and L. Yang. A review of conflict detection and resolution methods. IEEE Transactions on Intelligent
system (TCAS).
17 C. Livadas and N. Lynch. Formal verification of safety-critical hybrid systems. In S. Sastry and T.A. Henzinger, editors,
Hybrid Systems: Computation and Control, number 1386 in LNCS, pages 253-272. Springer-Verlag, Berlin, 1998.
18 I. Lymperopoulos, A. Lecchini, W. Glover, J. Maciejowski, and J. Lygeros. A stochastic hybrid model for air traffic
management processes. Technical Report CUED/F-INFENG/TR.572, University of Cambridge, Cambridge, CB2 1PZ, UK,
February 2007.
19 I. Lymperopoulos, J. Lygeros, and A. Lecchini. Model based aircraft trajectory prediction during takeoff. In AIAA
Conference, 2007.
22 J. Villiers. Automatisation du contrôle de la circulation aérienne - projet ERASMUS une voie originale pour mieux
utiliser l'espace aérien. Technical Report Volume 58, ITA, 2004.
23 A. Zeitlin, A. Lacher, J. Kuchar, and A. Drumm. Collision avoidance for unmanned aircraft: Proving the safety case.