Aero Astro Open House MERS Research Group Model-based Embedded

Aero/Astro Open House MERS Research Group Model-based Embedded and Robotic Systems Group Space Systems Laboratory Massachusetts Institute of Technology Friday, March 21, 2003 MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Motivation Apollo 13 quintuple fault Autonomous systems handle • Faults • Anomalies • Communication • Commanding Cooperative Exploration Mars Outpost Europa Probe Distant Explorers Mercury Orbiter Earth Imager Mars Polar Lander failed due to a faulty sensor. MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Model-based Programming Paradigm Spacecraft are highly complex systems, with significant interaction at the subsystem level Mars ‘ 98 Polar Lander Leading Hypothesis: • Legs deploy during descent. • Noise spike on leg sensors latched by s/w monitors. • Laser altimeter registers 50 m. • Begins polling leg monitors to determine touchdown. • Latched noise spike read as touchdown. • Engine shutdown at ~50 m. • Lander impacts planetary surface at high velocity. Spacecraft encounter harsh, uncertain environments. Robustness in such systems requires: • high-reliability software; • fault protection built into the control sequence; • highly reactive sense-decide-act loop. Using traditional embedded software approach, difficult to anticipate such low-level subsystem interaction and explicitly encode responses to each possible fault. Goal: provide an embedded language that operates on system state and reasons from commonsense models MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Robust Systems Should be “Fully State Aware” Embedded programs interact with the system’s sensors/actuators: Model-based programs interact with the system’s state: • Read sensors • Read state • Set actuators • Set state Model-based Embedded Program Obs Cntrl S Plant Programmer must map between state and sensors/actuators. MIT Dept of Aeronautics and Astronautics S’ Model-based Executive Obs Cntrl S Plant M-B Executive maps between states and sensors/actuators. March 21, 2003 Graduate Open House

Titan Model-based Executive Control e d _ c d RMPL Control Program e d Sequencer Configuration goals State estimates Model System Model Valve Stuck open 0. 01 Open Model-based Executive Mode Estimation • Compiled Goal Interpreter Mode Reconfiguration Close 0. 01 Closed Stuck closed 0. 01 Diagnose and Reconfigure • Reactive Planner inflow = outflow = 0 Flight System Control Observations B(t) B(t+1) S 1(t) S 2(t) … Sn(t) S 1(t+1) RT Control Layer Commands Mode Estimation • Compiled ME S 2(t+1) … Sm(t+1) MIT Dept of Aeronautics and Astronautics Plant • Hybrid ME • Distributed ME March 21, 2003 Graduate Open House

M-B Programming Example: Orbital Insertion Scenario Engine Model (thrust = zero) AND (power_in = zero) Off offcmd (thrust = zero) AND (power_in = nominal) Engine. A Engine. B Science Camera Systems engineers think in terms of state trajectories: 0. 01 standbycmd firecmd 0. 01 Firing Camera Model • must fire one of the two engines • set both engines to ‘standby’ • prior to firing engine, camera must be turned off to avoid plume contamination • in case of primary engine failure, fire backup engine instead MIT Dept of Aeronautics and Astronautics Failed standbycmd Standby (thrust = full) AND (power_in = nominal) Science Camera 0. 01 March 21, 2003 (power_in = zero) AND (shutter = closed) Off turnoffcmd (power_in = nominal) AND (shutter = open) turnoncmd On Graduate Open House

M-B Programming Example: Orbital Insertion Scenario Model-based Programming provides a way to encode the prescribed state trajectory into a control program: • assert and check states which may be “hidden”, rather than operating directly on observable or control variables • allow for embedded management of fault states RMPL code for Orbit. Insert control program: goal is to fire one of the two engines; terminate when accomplished (do-watching ((Engine. A = Firing) OR (Engine. B = Firing)) (parallel concurrently sets both engines to ‘standby’, and turns off camera to avoid plume contamination (Engine. A = Standby) (Engine. B = Standby) (Camera = Off) (do-watching (Engine. A = Failed) (when-donext ( (Engine. A = Standby) AND (Camera = Off) ) (Engine. A = Firing))) (when-donext ( (Engine. A = Failed) AND (Engine. B = Standby) AND (Camera = Off) ) (Engine. B = Firing)))) MIT Dept of Aeronautics and Astronautics once primary engine is in standby and camera is off, proceed to fire engine (preempt this operation if engine is ever found to be in a faulty state) in case of primary engine failure, fire backup engine instead March 21, 2003 Graduate Open House

Mode Estimation Example S 1 Observation: Thrust = 0 Engine A S 2 Engine A S 3 Possible Diagnoses Configuration Goal: Engine A = Firing Engine A MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Hybrid Model-based Programming: Motivation lander separates when entry attitude is achieved chute deploys when velocity drops to 493 m/s legs deploy 10 secs after heatshield is jettisoned chute jettisoned at 1300 m, lander performs controlled gravity turn maneuver Mars Entry, Descent & Landing Ø Tight coupling of attitude/position control and spacecraft configuration control Ø Mars ‘ 98 mission failure demonstrates need for improved robustness in this type of “critical sequence” Ø To achieve this level of robustness, need to track and control both discrete and continuous spacecraft states (“hybrid” system) MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Hybrid Mode Estimation – Gesture Recognition • • Robonaut – EVA astronaut’s assistant Humanoid design requires no specialized robotic tools Controlled by tele-operator, but autonomous modes under development Stereo vision system – Tracks head and hand motion of human associate • Hybrid model of human associate supports Robonaut’s recognition of human gestures – Gestures of interest include pointing to a tool, holding hand up to indicate stop, “come closer” gestures, etc. • • Continuous dynamics model of human arm includes inertial and damping terms HMM model takes output of stereo vision system as observation – Transitions between motion control point states MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Mode Reconfiguration RMPL Model-based Executive Control Program Sequencer State estimates Configuration goals System Model Mode Estimation Mode Reconfiguration Configuration goals Current State Goal Interpreter Goal State Flight System Control Observations RT Control Layer Commands INPUT • Configuration Goal Reactive Planner Command – Trust = on • Current State – – – MIT Dept of Aeronautics and Astronautics Tank = full Pressure = nominal Driver = off Valve = closed Thruster = off March 21, 2003 OUPUT • Command – Turn driver on Graduate Open House

Goal Interpreter INPUT • Current State – – – • – – – Tank = full Pressure = nominal Driver = off Valve = on Thruster = on Current State Configuration goals Goal Interpreter Goal State Configuration Goal – • Tank = full Pressure = nominal Driver = off Valve = closed Thruster = off OUPUT • Goal State Trust = on Goal Interpreter Generate optimal goal state that achieves the Configuration Goal! • Compiled Goal Interpreter Minimize online deduction by generating all partial goal interpretation offline! Online: Goal Configuration MIT Dept of Aeronautics and Astronautics March 21, 2003 Partial Goal Interpretation Best-first Kernel Goal State Generator Goal State Graduate Open House

Example: The model-based program sets the state to thrusting, and the deductive controller. . Oxidizer tank Deduces that thrust is off, and the engine is healthy Fuel tank Plans actions to open six valves Deduces that a valve failed - stuck closed Determines that valves on the backup engine will achieve thrust, and plans needed actions. MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Reactive Planner INPUT • Current State – – – • OUPUT • Command Tank = full Pressure = nominal Driver = off Valve = closed Thruster = off Goal State – – – Tank = full Pressure = nominal Driver = off Valve = on Thruster = on – Goal State Current State Turn driver on Reactive Planner guarantees to: Command • Only generate non-destructive actions • Never propose actions that lead to dead-end plans • Ensure progress toward the goal • Operate at reactive time scale Driver Reconfiguration Order Valve Goal Current 1. Tank = full On 2. Pressure = nominal 3. Valve = on Off 4. Thruster = on 5. Dept of Aeronautics and Astronautics Resettable Driver = off MIT Goal On Off idle cmd = off cmd = on idle cmd = reset cmd = off March 21, 2003 Current Open Closed Stuck Open Closed idle driver = on cmd = close driver = on cmd = open idle fail Graduate Open House

Divide and Conquer Structural Decomposition • Compile model structure into equivalent tree structure • Effort depends on structural properties (graph width) • Reasoning on equivalent tree structure is very efficient (highly parallelizable) => Distributed Algorithm Precompilation Plant Structure (cyclic) MIT Dept of Aeronautics and Astronautics Tree Decomposition (acyclic) March 21, 2003 Graduate Open House

Planning through Divide-and-Conquer Computer • Generate a plan for each grouped components. Antenna Transmitter Amplifier • Execute each plan one at a time to achieve the goal Bus Control Antenna Transmitter Amplifier Goal Current On. T, On. A On. T, Off. A Off. T, On. A idle comp = on bus = on cmd. A = off fail idle bus = on cmd. T = off fail idle fail comp = on bus = on cmd. A = off idle On. T, On. A Goal On Off On. T, Off. A On idle comp = on cmd = off Off. T, Off. A Off comp = on cmd = on idle Off. T, On. A Current MIT Dept of Aeronautics and Astronautics comp = on bus = on cmd. A = on comp = on bus = on cmd. T = on comp = on bus = on cmd. A = off March 21, 2003 comp = on bus = on cmd. T = on comp = on bus = on cmd. A = off Graduate Open House

MIT-NASA Ames Mars ’ 03 Simulation Center Analyze this rock! MIT Dept of Aeronautics and Astronautics • Simulate Mission Objective of Mars ’ 03 – Use NASA’s MERBoard to visualize the environment and control the rovers. – Demonstrate the ability to achieve mission autonomously March 21, 2003 Graduate Open House

Future Missions SPHERES MER 2003 Mars 2007 MIT Dept of Aeronautics and Astronautics Courtesy JPL March 21, 2003 Graduate Open House

New Slides MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Plant Model Implementation MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Next Generation RMPL • Tentatively called ROOMPL, for “Reactive, Object-Oriented Model-based Programming Language”. Language Design Goals • • • Surface / Syntax – consistent, across plant and control specifications. – analyzable, for static (i. e. pre-runtime) correctness. Below the Surface – extensible – amenable to language experimentation by non-programming language experts. Long Term – apply to general purpose programming domains. – dynamic, reflective. MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Plant Models • instances of “primitive classes” are CCA’s (MPL components) ROOMPL primitive classes components primitive fields observable variables methods control variables references dependent variables MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Example: Engine models MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Control Programs • • Instances of non-primitive classes are HCA’s Classes still have modes Goals established with try blocks Preemption at block level with watch (similar to RMPL when) MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Implementation Notes • Implementing language in OCAML – has a bunch of language hacking tools. • Initially, will generate MOF. • Later, will use C interface to talk to current executive components. MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Old Slides MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Compiled Mode Estimation • Off-line Operations Model Compilation • • (Press 1 = nom) G(S) SH(S) U(S) (Thrust = on) O(V) U(V). . Dissents represent same model in a smaller theory. On-line Operations 0. 084 Partial Diagnosis Trigger G(S) 0. 084 SL(S) U(S) 0. 002 0. 017 SH(S) SL(S) U(S) C(V) U(V) MIT Dept of Aeronautics and Astronautics B(C) U(C) March 21, 2003 Most Likely Diagnosis: • Sensor = Stuck Low • Valve = Closed • Catalyst Bed = Good Graduate Open House

Mode Estimation RMPL Model-based Executive Control Program Sequencer State estimates • – Commands – Observations – System Model Configuration goals System Model • Mode Estimation Mode Reconfiguration Mode estimation relies on: Encoded as propositional logic with probabilistic transitions to determine the most likely state of the system. Flight System Control Observations RT Control Layer Commands OPSAT MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Mode Reconfiguration (GI) MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Hybrid Model-based Programming: Approach Model-based Control Programs • extend M-B Programming to include: – assertion of discrete & continuous states – conditional branching on discrete states, continuous states & time S’ • requires integration of engines for discrete state reconfiguration, and continuous control (e. g. spacecraft attitude control system) Model-based Executive Plant Model S Plant • need both discrete & continuous state estimation capability cont. & discrete state estimates Hybrid Mode Estimation Cntrl Obs attitude & hardware position goals config goals Discrete Controller Continuous Controller Hybrid Model-based Executive MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Hybrid Mode Estimation • failures can manifest themselves through coupling between a system’s continuous dynamics and its evolution through different behavior modes must track over continuous state changes and discrete mode changes • symptoms initially on the same scale as sensor/actuator noise need to extract mode estimates from subtle symptoms Hybrid Model Hidden Markov Models Continuous Dynamics m 1 t 11 t 21 t 12 t 13 m 3 t 22 m 2 yc(k) uc(k-1) Kalman Filter Bank ^ (k) xci Pi(k) Ck MIT Dept of Aeronautics and Astronautics t 23 t 33 Mode Estimation old estimate: Xk-1={mi, xk-1} ^ Xk X+ k-1={mj, xk-1} new estimate: Xk={mj, xk} Hybrid Mode Estimation tracks a set of trajectories March 21, 2003 Graduate Open House

Plant Model Implementation Physical plant modeled as Timed Concurrent Constraint Automata: • variant of factored POSMDP (time continuous, but observations and decisions at discrete points) constraints pt(t) nominal modes 0. 1 0. 2 t guarded & timed probabilistic transitions fault modes MIT Dept of Aeronautics and Astronautics modal rewards March 21, 2003 Pt = 99. 9% Graduate Open House