Title: Unmanned Systems Safety Workshop
Agenda
- Goals for this week
- TLM-Hazard-Precept Mapping
- Precept clarification
- Current precept product
- Final precept product
Goals for this week
- TLM-Hazard-Precept Mapping
- Precept clarification
Basic Terminology
Hazard: a real or potential condition
- Consequence
  - To people: death, injury, illness
  - Damage to systems or property
  - Damage to environment
Mishap: unplanned event or series of events
- Contributing factor
  - Not a hazard cause
  - Makes mishaps more serious
  - Makes mishaps more likely
From MIL-STD-882D
Adding Precepts
(Diagram: hazards lead to consequences and mishaps, with contributing factors acting on the chain. Precepts apply at three points.)
- PRECEPTS: eliminate hazards or reduce probability (example hazard: leaking fluids)
- PRECEPTS: reduce severity (of consequences and mishaps)
- PRECEPTS: mitigate contributing factors (examples: level of autonomy, situation awareness)
Safety Issue Venn Diagram: Manned vs. Unmanned Systems
(Diagram with three regions.)
- Manned systems only
- Unmanned systems only
- Common to both manned and unmanned systems
TLMs and precepts address unmanned systems only.
Basic Terminology
(Diagram: hazards, contributing factors and mishaps are split into those specific to unmanned systems and those common to both manned and unmanned systems.)
- Unmanned systems only: UMS hazards, UMS contributing factors, UMS mishaps
- Common to both manned and unmanned systems: common hazards, common contributing factors, common mishaps
- Consequences
  - To people: death, injury, illness
  - Damage to systems or property
  - Damage to environment
Current Precept Product
- Document containing descriptive and clarifying text for each precept.
Current Precept Product
REF PRECEPT Rev B
Design Safety Precepts
DSP-1 The unmanned system shall provide safety design features to minimize the mishap risk during all life cycle phases.
DSP-2 The unmanned system shall be designed to only respond to fulfill valid commands from the authorized entity(s).
DSP-3 The unmanned system shall be designed to provide control and situational awareness feedback adequate to support safe operations.
DSP-4 The unmanned system shall be designed to isolate power until as late in the operational sequence as practical from a) Weapons b) Rocket motor initiation circuits c) Bomb release racks.
DSP-5 The unmanned system shall be designed to prevent release/firing of weapons into unmanned system structure or other weapons.
DSP-6 The unmanned system shall be designed to prevent uncommanded fire/release of weapons or propagation/radiation of hazardous energy.
DSP-7 The unmanned system shall be designed to prevent hazardous system mode combinations or transitions.
DSP-8 The unmanned system shall be designed to provide for an authorized entity(s) to abort a weapon fire sequence and return the system to a safe state.
DSP-9 The unmanned system shall be designed to safely change states and modes.
DSP-10 Safety critical software for the unmanned system design shall not include unintended/non-required functionality.
Current precept product
DSP-2 The unmanned system shall be designed to only respond to fulfill valid commands from the authorized entity(s).
Scope (what?): This precept presents three main points: the UMS only fulfills VALID commands from their origination, the UMS WILL perform any valid command, and the UMS only accepts commands from authorized entities.
Rationale (why?): This precept addresses the hostile, inadvertent, or unauthorized control of the system asset and its weapon systems (see also authorized user guidance), and unauthorized or invalid commands which may lead to unintended or inadvertent motion or weapon action resulting in injury, death, system damage, or environmental damage.
Example:
- Enemy takes control of the UMS (enemy takes control of a weaponized UMS and controls it to fire upon friendly troops)
- Hand-off from one operator to another
- Hand-off from one ground controller to another
- Inadvertent control of another UMS
- Unauthorized operator attempts to use the UMS (provide two-step commanding for verification of authorized commands)
- Attempts to maneuver outside of UMS capabilities (physical performance bounds)
- Performs commands in a timely manner (flying a UAV in tele-operational mode, the operator commands a hard-right turn; the UAV does not respond in a timely manner, resulting in a collision)
- Performs valid commands even if ill-advised (controlling entity commands the UMS to navigate off a cliff; the UMS complies)
Detailed Considerations (how?): The UMS should ensure command messages are valid. Valid commands/input are commands that the system is capable of performing in the current mode (a system cannot do any more than it is designed to do). The UMS should ensure the controlling entity is authorized. The UMS should provide an override capability for semi- and fully autonomous commands.
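The following command gate is an added illustration, not part of the workshop material: it applies the three Detailed Considerations for DSP-2 (authorized entity, valid in the current mode, override available) plus the two-step commanding mentioned in the examples. The mode names, entity names, command names, capability table and transition policy are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed capability table: the commands the UMS can perform in each mode.
# A system cannot do more than it is designed to do, so anything else is invalid.
CAPABILITIES = {
    "safe": {"status", "enter_teleop"},
    "teleop": {"status", "turn", "hold", "abort", "enter_autonomous"},
    "autonomous": {"status", "hold", "abort", "override"},
}
# Constructed roster of authorized entities and the commands each may issue.
AUTHORIZED = {
    "gcs-1": {"status", "turn", "hold", "abort", "override", "enter_teleop", "enter_autonomous"},
    "gcs-2": {"status", "abort"},
}
# Commands that change motion or mode need a second, matching message before
# they execute (the two-step commanding the DSP-2 example text calls for).
TWO_STEP = {"turn", "override", "enter_teleop", "enter_autonomous"}
# Hypothetical policy: abort returns to the safe state, override hands an autonomous system to the operator.
TRANSITIONS = {"enter_teleop": "teleop", "enter_autonomous": "autonomous",
               "override": "teleop", "abort": "safe"}

@dataclass
class Command:
    entity: str             # claimed originating entity
    name: str
    confirm: bool = False   # True on the second message of a two-step pair

@dataclass
class CommandGate:
    mode: str = "safe"      # DSP-15: initialize in a known safe state
    pending: tuple = ()     # (entity, name) staged and awaiting confirmation

    def submit(self, cmd: Command) -> str:
        # 1. Only accept commands from authorized entities, and only those they hold.
        if cmd.name not in AUTHORIZED.get(cmd.entity, set()):
            return "rejected: unauthorized"
        # 2. Only fulfill commands the system can perform in its current mode.
        if cmd.name not in CAPABILITIES[self.mode]:
            return "rejected: invalid in mode " + self.mode
        # 3. Two-step commands: stage on the first message, execute only on a match.
        if cmd.name in TWO_STEP:
            if not cmd.confirm:
                self.pending = (cmd.entity, cmd.name)
                return "staged: awaiting confirmation"
            staged, self.pending = self.pending, ()
            if staged != (cmd.entity, cmd.name):
                return "rejected: no matching staged command"
        self.mode = TRANSITIONS.get(cmd.name, self.mode)
        return "executed: " + cmd.name
```

Note that "abort" is single-step and held by every authorized entity, so the override path stays available in autonomous mode without waiting for a confirmation.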
Final Precept Product
- Document containing descriptive and clarifying text for each precept.
- Contains hyperlinks to navigate within the document.
- Will include definitions.
BACKUP
REF PRECEPT Rev B
Programmatic Safety Precepts
PSP-1 The Program Office will establish and maintain a system safety program (SSP) consistent with MIL-STD-882.
PSP-2 The Program Office will establish unifying safety precepts and processes for all programs under their cognizance to ensure:
- Safety consistent with mission requirements, cost and schedule
- Mishap risk is identified, mitigated and accepted
- Each system can be safely used in a joint warfighting environment
- That all statutory safety regulations, laws, and requirements are met
PSP-3 The program office will ensure that off-the-shelf items (e.g., COTS, GOTS, NDI), re-use items, original use items, design changes, technology refresh and technology upgrades (hardware and software) are assessed for safety.
PSP-4 The program office will ensure that safety is addressed for all life cycle phases.
PSP-5 Compliance to and deviation from the safety precepts shall be addressed during all formal design reviews to include SRR, PDR, and CDR.
REF PRECEPT Rev B
Operational Safety Precepts
OSP-1 The controlling entity(ies) of the unmanned system shall have pertinent mission information to support safe operations.
OSP-2 The unmanned system shall be considered unsafe until a safe state can be verified.
OSP-3 The authorized entity(ies) of the unmanned system shall verify the state of the UMS, to ensure a safe state prior to performing any operations or tasks.
OSP-4 The unmanned system weapons will be loaded/energized as late as possible in the operational sequence/timeline.
OSP-5 Only authorized, qualified and trained personnel, with the commensurate skills and expertise using authorized procedures, will operate or maintain the unmanned system.
REF PRECEPT Rev B
Design Safety Precepts
DSP-1 The unmanned system shall provide safety design features to minimize the mishap risk during all life cycle phases.
DSP-2 The unmanned system shall be designed to only respond to fulfill valid commands from the authorized entity(s).
DSP-3 The unmanned system shall be designed to provide control and situational awareness feedback adequate to support safe operations.
DSP-4 The unmanned system shall be designed to isolate power until as late in the operational sequence as practical from a) Weapons b) Rocket motor initiation circuits c) Bomb release racks.
DSP-5 The unmanned system shall be designed to prevent release/firing of weapons into unmanned system structure or other weapons.
DSP-6 The unmanned system shall be designed to prevent uncommanded fire/release of weapons or propagation/radiation of hazardous energy.
DSP-7 The unmanned system shall be designed to prevent hazardous system mode combinations or transitions.
DSP-8 The unmanned system shall be designed to provide for an authorized entity(s) to abort a weapon fire sequence and return the system to a safe state.
DSP-9 The unmanned system shall be designed to safely change states and modes.
DSP-10 Safety critical software for the unmanned system design shall not include unintended/non-required functionality.
REF PRECEPT Rev B
Design Safety Precepts (continued)
DSP-11 The unmanned system shall be designed to provide means to identify state and/or mode of the system to the authorized entity(s).
DSP-12 The unmanned system shall be designed to preclude single point or common mode failures in high and serious risks.
DSP-13 The unmanned system shall be designed to minimize the use of hazardous materials.
DSP-14 The unmanned system shall be designed to minimize exposure of personnel, ordnance, and equipment to hazards generated/created by the unmanned system equipment.
DSP-15 The unmanned system shall be designed to initialize/re-initialize in a known safe state.
DSP-16 The unmanned system shall be designed to identify to authorized entity(s) weapon being released/fired.
DSP-17 In the event of unexpected loss of command link, the unmanned system shall transition to a pre-determined and expected state and mode.
REF PRECEPT Rev B
DSP-18 The launching/arm-enable of weapon systems shall require a minimum of 2 independent and unique validated messages in the proper sequence from an authorized entity (e.g. messages shall not originate within a launcher platform), each of which shall be generated as a consequence of a separate authorized entity.
DSP-19 The unmanned system shall be designed to support options for operational or emergency contingencies.
DSP-20 The unmanned system shall provide safety design features to ensure safe recovery of all unmanned system equipment, to include the platform and equipment.
DSP-21 The system shall be designed to allow for safe and graceful degradation of the system upon system-level or sub-system-level failures.
DSP-22 Communication reliability, network availability/quality of service and data/information assurance shall be commensurate with the safety criticality of the functions supported by the communication.