Monitoring Unmanned Aircraft: Specification, Integration, and Lessons-learned

TL;DR

This paper discusses integrating runtime monitoring into electric aircraft, highlighting the importance of decoupling specification from integration to adapt to rapid development changes and ensure safety.

Contribution

It introduces a novel abstraction layer in RTLola that decouples specification from environment-specific integration, facilitating flexible and rapid monitor deployment.

Findings

Decoupling specification and integration improves flexibility.

The abstraction layer enables quick adaptation to environment changes.

Monitoring specifications remain stable across development stages.

Abstract

This paper reports on the integration of runtime monitoring into fully-electric aircraft designed by Volocopter, a German aircraft manufacturer of electric multi-rotor helicopters. The runtime monitor recognizes hazardous situations and system faults. Since the correct operation of the monitor is critical for the safety of the aircraft, the development of the monitor must follow strict aeronautical standards. This includes the integration of the monitor into different development environments, such as log-file analysis, hardware/software-in-the-loop testing, and test flights. We have used the stream-based monitoring framework RTLola to generate monitors for a range of requirements. In this paper, we present representative monitoring specifications and our lessons learned from integrating the generated monitors. Our main finding is that the specification and the integration need to be decoupled, because the specification remains stable throughout the development process, whereas the different development stages require a separate integration of the monitor into each environment. We achieve this decoupling with a novel abstraction layer in the monitoring framework that adapts the monitor to each environment without affecting the core component generated from the specification. The decoupling of the integration has also allowed us to react quickly to the frequent changes in the hardware and software environment of the monitor due to the fast-paced development of the aircraft in a startup company.