Oleksandr Bezdieniezhnykh
3.6 KiB
Resilience Tests
NFT-RES-01: Total Visual Blackout With GPS Spoofing
Summary: Validate degraded-mode behavior when the camera feed is totally occluded/blacked out and real GPS is spoofed or denied.
Traces to: AC-3.5, AC-5.2, AC-NEW-8
Preconditions:
- Plane SITL or replay trace is emitting normal telemetry.
- System has a recent trusted visual/satellite anchor.
Fault injection:
- Full camera blackout/total occlusion for 5 s, 15 s, and 35 s while spoofed GPS is present.
| Step | Action | Expected Behavior |
|---|---|---|
| 1 | Inject total occlusion/blackout and spoofed GPS | Camera gate reports usable_for_vio=false, BASALT is bypassed, and system switches to dead_reckoned within <=1 processed frame or <=400 ms |
| 2 | Continue blackout | IMU-only covariance grows monotonically and spoofed GPS is ignored |
| 3 | Exceed 30 s or covariance >500 m | System emits no-fix/failsafe fields and QGC VISUAL_BLACKOUT_FAILSAFE |
Pass criteria: All pre-VIO occlusion gate, timing, covariance, fix_type, horiz_accuracy, and status thresholds match AC-NEW-8.
NFT-RES-02: Sharp Turn And Disconnected Segment Relocalization
Summary: Validate recovery when frame-to-frame overlap drops below the VO threshold.
Traces to: AC-3.2, AC-3.3, AC-3.4, AC-8.6
Preconditions:
- Public or representative replay contains sharp-turn/disconnected segment cases, or equivalent synthetic sequence is generated from mapped imagery.
Fault injection:
- Sequence transition with <5% overlap, heading change <70°, and drift <200 m.
| Step | Action | Expected Behavior |
|---|---|---|
| 1 | Replay normal segment | BASALT + wrapper emits normal vo_extrapolated estimates |
| 2 | Inject sharp-turn/disconnected transition | VO failure is expected; system triggers VPR relocalization |
| 3 | Continue next segment | System connects segment through verified satellite anchor or reports degraded status |
Pass criteria: Relocalization request is issued when no position is available for >=3 consecutive frames and >=2 s; verified anchor reconnects the segment or output remains degraded with growing covariance.
NFT-RES-03: Companion Computer Restart Mid-Flight
Summary: Validate reboot recovery from flight-controller state and preloaded cache.
Traces to: AC-5.3, AC-NEW-1
Preconditions:
- Replay/SITL mission is in progress.
- FDR has current segment logs.
Fault injection:
- Kill and restart the GPS-denied service during a GPS-denied segment.
| Step | Action | Expected Behavior |
|---|---|---|
| 1 | Kill service | FC continues on last known/IMU-extrapolated state |
| 2 | Restart service | Service reloads cache/index and uses FC state handoff |
| 3 | Observe first valid output | First valid GPS_INPUT emitted within <30 s |
Pass criteria: No raw frames are required for recovery; first valid fix <30 s p95; failure is logged in FDR.
NFT-RES-04: Tile Cache Freshness Degradation
Summary: Validate graceful behavior when the only available tile candidates are stale.
Traces to: AC-8.2, AC-NEW-6
Fault injection:
- Mark cache tiles older than 6 months for active-conflict sector and older than 12 months for stable sector.
| Step | Action | Expected Behavior |
|---|---|---|
| 1 | Replay frame requiring satellite anchor | Stale tiles are rejected or down-confidence weighted |
| 2 | Inspect emitted estimate | No stale tile produces satellite_anchored label past hard rejection threshold |
Pass criteria: Freshness decay and hard rejection match AC-NEW-6.