Understanding Bounding Functions in Safety-Critical UAV Software

TL;DR

This paper provides a comprehensive analysis of Bounding Functions in UAV software, combining static classification and dynamic impact evaluation to enhance understanding of safety mechanisms in safety-critical UAV systems.

Contribution

It introduces a novel datatype-based taxonomy for classifying Bounding Functions and evaluates their impact dynamically, offering new insights into UAV safety-critical software design.

Findings

109 BFs identified in UAV software

Classification into 5 categories based on datatype

Behavioral differences observed with and without BFs

Abstract

Unmanned Aerial Vehicles (UAVs) are an emerging computation platform known for their safety-critical need. In this paper, we conduct an empirical study on a widely used open-source UAV software framework, Paparazzi, with the goal of understanding the safety-critical concerns of UAV software from a bottom-up developer-in-the-field perspective. We set our focus on the use of Bounding Functions (BFs), the runtime checks injected by Paparazzi developers on the range of variables. Through an in-depth analysis on BFs in the Paparazzi autopilot software, we found a large number of them (109 instances) are used to bound safety-critical variables essential to the cyber-physical nature of the UAV, such as its thrust, its speed, and its sensor values. The novel contributions of this study are two fold. First, we take a static approach to classify all BF instances, presenting a novel datatype-based 5-category taxonomy with fine-grained insight on the role of BFs in ensuring the safety of UAV systems. Second, we dynamically evaluate the impact of the BF uses through a differential approach, establishing the UAV behavioral difference with and without BFs. The two-pronged static and dynamic approach together illuminates a rarely studied design space of safety-critical UAV software systems.