MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House Aero/Astro Open House...

MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House

Aero/Astro Open House

MERS Research Group

Model-based Embedded and Robotic Systems Group

Space Systems Laboratory

Massachusetts Institute of Technology

Friday, March 21, 2003


Motivation

Apollo 13 quintuple fault

Mars Polar Lander failed due to a faulty sensor.

Autonomous systems handle• Faults• Anomalies• Communication• Commanding

Europa Probe

Distant Explorers

Mercury Orbiter

Cooperative Exploration

Mars Outpost

Earth Imager


Model-based Programming Paradigm

Mars ‘98 Polar Lander

Goal: provide an embedded language that operates on system state and reasons from commonsense models

Leading Hypothesis:• Legs deploy during descent.• Noise spike on leg sensors

latched by s/w monitors.• Laser altimeter registers 50m.• Begins polling leg monitors to

determine touchdown.• Latched noise spike read as

touchdown.• Engine shutdown at ~50m.• Lander impacts planetary

surface at high velocity.

Spacecraft are highly complex systems, with significant interaction at the subsystem level

Spacecraft encounter harsh, uncertain environments.

Robustness in such systems requires:• high-reliability software;• fault protection built into the control sequence;• highly reactive sense-decide-act loop.

Using traditional embedded software approach, difficult to anticipate such low-level subsystem interaction and explicitly encode responses to each possible fault.


Robust Systems Should be“Fully State Aware”

Embedded programs interact withthe system’s sensors/actuators:

• Read sensors

• Set actuators

Model-based programs interact with the system’s state:

• Read state

• Set state

Embedded Program

SPlant

Obs Cntrl

Programmer must map between state and sensors/actuators.

M-B Executive maps between states and sensors/actuators.

Model-basedEmbedded Program

SPlant

S’Model-based Executive

Obs Cntrl


Diagnose and

Reconfigure

• Compiled Goal

Interpreter

• Reactive Planner

Diagnose and

Reconfigure

• Compiled Goal

Interpreter

• Reactive Planner

c

e

e

d d_d

Titan Model-based Executive

ClosedClosed

ValveValve

OpenOpen StuckStuckopenopen

StuckStuckclosedclosed

OpenOpen CloseClose

0. 010. 01

0. 010. 01

0.010.01

0.010.01

inflow = outflow = 0

B(t) B(t+1)

S1(t)

S2(t)

Sn(t)

S1(t+1)

S2(t+1)

Sm(t+1)

… …

RMPL Model-based Executive

SequencerControlProgram

SystemModel

Configurationgoals

Stateestimates

CommandsObservationsFlight System Control

RT Control Layer

ModeEstimation

ModeReconfiguration

Control

Model

Mode Estimation

• Compiled ME

• Hybrid ME

• Distributed ME

Plant


M-B Programming Example:Orbital Insertion Scenario

EngineA EngineB

Science Camera

EngineA EngineB

Science Camera

•must fire one of the two engines•set both engines to ‘standby’•prior to firing engine, camera must be turned off to avoid plume contamination

• in case of primary engine failure, fire backup engine instead

StandbyStandby

Engine ModelEngine Model

OffOff

off-off-cmdcmd standby-standby-

cmdcmd

0.010.01

(thrust = full) AND(power_in = nominal)

FiringFiring

0.010.01standby-standby-

cmdcmdfire-fire-cmdcmd

(thrust = zero) AND(power_in = zero)

(thrust = zero) AND(power_in = nominal)

0.010.01

FailedFailed

OnOn

Camera ModelCamera Model

OffOff

turnoff-turnoff-cmdcmd

turnon-turnon-cmdcmd

(power_in = zero) AND(shutter = closed)

(power_in = nominal) AND(shutter = open)

Systems engineers think in terms of state trajectories:


M-B Programming Example:Orbital Insertion Scenario

once primary engine is in standby and camera is off, proceed to fire engine (preempt this operation if engine is ever found to be in a faulty state)

Model-based Programming provides a way to encode the prescribed state trajectory into a control program:

• assert and check states which may be “hidden”, rather than operating directly on observable or control variables

• allow for embedded management of fault states

RMPL code for OrbitInsert control program:

(do-watching ((EngineA = Firing) OR (EngineB = Firing))

(parallel

(EngineA = Standby)

(EngineB = Standby)

(Camera = Off)

(do-watching (EngineA = Failed)

(when-donext ( (EngineA = Standby) AND (Camera = Off) )

(EngineA = Firing)))

(when-donext ( (EngineA = Failed) AND (EngineB = Standby) AND (Camera = Off) )

(EngineB = Firing))))

goal is to fire one of the two engines;terminate when accomplished

concurrently sets both engines to ‘standby’, and turns off camera to avoid plume contamination

in case of primary engine failure, fire backup engine instead


S3

S2

S1

Mode Estimation Example

Configuration Goal:EngineA = Firing

Observation:Thrust = 0

Configuration Goal:Engine A = Firing

Pos

sib

le D

iagn

oses

Observation:Thrust = 0

Engine A

Engine A

Engine A

Engine A


Mars Entry, Descent &Landing

Hybrid Model-based Programming:Motivation

Tight coupling of attitude/position control and spacecraft configuration control

Mars ‘98 mission failure demonstrates need for improved robustness in this type of “critical sequence”

To achieve this level of robustness, need to track and control both discrete and continuous spacecraft states (“hybrid” system)

chute deploys when velocity drops to 493 m/s

lander separates when entry attitude is achieved

legs deploy 10 secs after heatshield is jettisoned

chute jettisoned at 1300m, lander performs controlled gravity turn maneuver


Hybrid Mode Estimation – Gesture Recognition

• Stereo vision system– Tracks head and hand motion of human associate

• Hybrid model of human associate supports Robonaut’s recognition of human gestures

– Gestures of interest include pointing to a tool, holding hand up to indicate stop, “come closer” gestures, etc.

• Continuous dynamics model of human arm includes inertial and damping terms

• HMM model takes output of stereo vision system as observation– Transitions between motion control point states

• Robonaut – EVA astronaut’s assistant

• Humanoid design requires no specialized robotic tools

• Controlled by tele-operator, but autonomous modes under development




SystemModel

Configurationgoals

Stateestimates


RT Control Layer

ModeEstimation

ModeReconfiguration

Mode Reconfiguration

INPUT• Configuration Goal

– Trust = on

• Current State– Tank = full– Pressure = nominal– Driver = off– Valve = closed– Thruster = off

N2H4

GHe

P

SDriver

Goal Interpreter

Reactive Planner

Configurationgoals

GoalState

Command

CurrentState

OUPUT• Command

– Turn driver on


Goal Interpreter

N2H4

GHe

P

SDriver

INPUT• Current State

– Tank = full– Pressure = nominal– Driver = off– Valve = closed– Thruster = off

• Configuration Goal– Trust = on

OUPUT• Goal State

– Tank = full– Pressure = nominal– Driver = off– Valve = on– Thruster = on

Goal Interpreter

Configurationgoals

GoalState

CurrentState

Generate optimal goal state that achieves the Configuration Goal!

TruthMaintenance

System

NewConflicts

Configuration Goal

Checked Solution

ConflictDatabase

Can

dida

tes

Best-firstAgenda

Most LikelyCandidate

All Conflicts

Goal State

Theory(Including

Estimated State)

Conflict-directed A*

Search

• Goal Interpreter • Compiled Goal Interpreter

PartialGoal

Interpretation

Best-first Kernel Goal

State Generator

Minimize online deduction by generating all partial goal interpretation offline!

Online:

Goal State

Goal Configuration


Example: The model-based program sets the state to thrusting, and the deductive controller . . . .

Determines that valveson the backup engine

will achieve thrust, andplans needed actions.

Deduces that a valve failed - stuck closed

Plans actionsto open

six valves

Fuel tankFuel tankOxidizer tankOxidizer tank

Deduces thatthrust is off, and

the engine is healthy


Reactive Planner

Reactive Planner

GoalState

Command

CurrentState

INPUT• Current State

– Tank = full– Pressure = nominal– Driver = off– Valve = closed– Thruster = off

• Goal State– Tank = full– Pressure = nominal– Driver = off– Valve = on– Thruster = on

fail

Goal

fail

driver = oncmd = open

idle

idledriver = on

cmd = close

Current

Open

Closed

Stuck

Open Closed

Goal

cmd = on idle

idle cmd = off

Current

On

Off

Resettable

On Off

cmd = reset cmd = off

ValveDriver

OUPUT• Command

– Turn driver on

ReconfigurationOrder

1. Tank = full2. Pressure = nominal3. Valve = on4. Thruster = on5. Driver = off

N2H4

GHe

P

SDriver

Planner guarantees to:

• Only generate non-destructive actions

• Never propose actions that lead to dead-end plans

• Ensure progress toward the goal• Operate at reactive time scale


Divide and Conquer

PlantStructure(cyclic)

TreeDecomposition

(acyclic)

Structural Decomposition

• Compile model structure into equivalent tree structure

• Effort depends on structural properties (graph width)

• Reasoning on equivalent tree structure is very efficient (highly parallelizable) => Distributed Algorithm

Precompilation


Planning through Divide-and-Conquer

BusControl

Computer• Generate a plan for each

grouped components.

• Execute each plan one at a time to achieve the goal

AntennaAmplifierTransmitter

AntennaAmplifierTransmitter

comp = onbus = on

cmdT = on

Goal

comp = onbus = on

cmdT = on

comp = onbus = on

cmdA = onidle

idlecomp = onbus = on

cmdA = off

Current

OnT, OnA

OnT, OffA

OffT, OffA

OnT, OnA OnT, OffA

idle

bus = oncmdT = off

comp = onbus = on

cmdA = off

OffT, OffA

fail

fail

fail

OffT, OnA

comp = onbus = on

cmdA = off

comp = onbus = on

cmdA = off

comp = onbus = on

cmdA = offidleOffT, OnA

Goal

comp = oncmd = on

idle

idlecomp = oncmd = off

Current

On

Off

On Off


MIT-NASA Ames Mars ’03 Simulation Center

• Simulate Mission Objective of Mars ’03– Use NASA’s MERBoard to visualize

the environment and control the rovers.

– Demonstrate the ability to achieve mission autonomously

255.30 sq. ft.

13'-6"

15'- 1"

7'-0"

8'- 6 1/2"

6'-6"

23'- 7 1/2"

4 ft. 0.0 in

. x 2 ft. 0.0 in

.

2 ft. 0.0 in. x 4 ft. 0.0 in. 2 ft. 0.0 in. x 4 ft. 0.0 in. 3 ft. 6.0 in. x 2 ft. 0.0 in.

11'- 11"

3 ft. 0.0 in. x 3 ft. 0.0 in

.

0 ft. 9

.0 in

. x 0 ft. 9

.0 in

.0

ft. 9.0

in. x 0

ft. 9.0

in.

0 ft. 9.0 in. x 0 ft. 9.0 in. 0 ft. 9.0 in. x 0 ft. 9.0 in.0 ft. 9.0 in. x 0 ft. 9.0 in.0 ft. 9.0 in. x 0 ft. 9.0 in.

Analyze this rock!


Future Missions

Courtesy JPL

MER 2003

Mars 2007

SPHERES


New Slides


Plant Model Implementation

PlantCommands

Configurationgoals

Observations

Control Sequencer

Stateestimates

TimedPlant

Model

TimedControlProgram

Deductive Controller

Timed Model-basedProgram

Timed Model-basedExecutive

SystemClock

ModeEstimation

ModeReconfigurationestimates

State



Next Generation RMPL

• Tentatively called ROOMPL, for “Reactive, Object-Oriented Model-based Programming Language”.

Language Design Goals

• Surface / Syntax– consistent, across plant and control specifications.– analyzable, for static (i.e. pre-runtime) correctness.

• Below the Surface– extensible – amenable to language experimentation by non-programming

language experts.• Long Term

– apply to general purpose programming domains.– dynamic, reflective.


Plant Models

• instances of “primitive classes” are CCA’s (MPL components)

ROOMPL MPL

primitive classes components

primitive fields observable variables

methods control variables

references dependent variables


Example: Engine models


Control Programs

• Instances of non-primitive classes are HCA’s• Classes still have modes• Goals established with try blocks• Preemption at block level with watch

(similar to RMPL when)



Implementation Notes

• Implementing language in OCAML– has a bunch of language hacking tools.

• Initially, will generate MOF.• Later, will use C interface to talk to current executive

components.


Old Slides


Compiled Mode Estimation

• Dissents represent same model in a smaller theory.

• Off-line Operations

Compiled Mode Estimation

Offline

OptimizedConstraint

Satisfaction

Online

PartialDiagnosis

Trigger

Best-firstKernel

DiagnosisGenerator

Monitors

PartialDiagnosis

RuleGenerator

SystemModel

Most LikelyDiagnosis

Dissents ConflictsPartial DiagnosisRules

DiscreteObservations

ContinuousObservations

(Press1 = nom) G(S) SH(S) U(S)

(Thrust = on) O(V) U(V)....

Model Compilation

• On-line Operations0.084

0.084

G(S) U(S)SL(S)

0.0020.017

U(S) U(V)C(V)SL(S) B(C) U(C)SH(S)

Partial Diagnosis

Trigger

Most Likely Diagnosis:• Sensor = Stuck Low• Valve = Closed• Catalyst Bed = Good




SystemModel

Configurationgoals

Stateestimates


RT Control Layer

ModeEstimation

ModeReconfiguration

Mode Estimation

• Mode estimation relies on:– Commands

– Observations

– System Model

• Encoded as propositional logic with probabilistic transitions to determine the most likely state of the system.

ModeEstimator

SystemModel

Commands Observations

Most LikelyState Estimate

TruthMaintenance

System

NewConflicts

Observations

Checked Solution

ConflictDatabase

Can

dida

tes

Best-firstAgenda

Most LikelyCandidate

All Conflicts

Diagnosis

Theory(Including

Predicted State)

Conflict-directed A*

Search

OPSAT


Mode Reconfiguration (GI)

A B A B

A BA


Hybrid Model-based Programming:Approach

• extend M-B Programming to include:– assertion of discrete & continuous

states – conditional branching on discrete

states, continuous states & time

• requires integration of engines for discrete state reconfiguration, and continuous control (e.g. spacecraft attitude control system)

• need both discrete & continuous state estimation capability

SPlant

Obs Cntrl

Model-basedControl Programs

Model-basedExecutive

S’

PlantModel

cont. & discretestate estimates

HybridMode

Estimation

hardware config goals

s Discrete Controller

Continuous Controller

attitude & position goals

Hybrid Model-based Executive


Hybrid Mode Estimation

• failures can manifest themselves through coupling between a system’s continuous dynamics and its evolution through different behavior modes must track over continuous state changes and discrete mode changes

• symptoms initially on the same scale as sensor/actuator noise need to extract mode estimates from subtle symptoms

mm11

21211212

2323

1313

mm33

mm22

2222

1111

3333

Hidden Markov Models Continuous Dynamics

11

1

( 1) ( ( ), ( ), ( )):

( ) ( ( ), ( ))

( 1) ( ( ), ( ), ( )):

( ) ( ( ), ( ))

c c c c c

c c c c

c ci c c ci

c ci c c

x k f x k u k v km

y k g x k v k

x k f x k u k v km

y k g x k v k

Hybrid Model

old estimate:Xk-1={mi,xk-1} X+

k-1={mj,xk-1}new estimate:Xk={mj,xk}

Hybrid Mode Estimation tracks a set of trajectories

KalmanFilter Bank

yc(k)

uc(k-1)

ModeEstimation

xci(k)

Pi(k)

^

k

Xk^


Plant Model Implementation

Physical plant modeled as Timed Concurrent Constraint Automata:• variant of factored POSMDP (time continuous, but observations

and decisions at discrete points)

Engine:

Off

Firing Standby

cmd = standby

cmd = fire

Failed

cmd = off

Camera:

cmd = standby

(power = off) AND(thrust = zero)

(power = on) AND(thrust = zero) AND

(temp = nominal)

(power = on) AND(thrust = full) AND(temp = nominal)

Heating

(power = on) AND(thrust = zero) AND(temp = increasing)

cmd = off

tE>=30& tE<=60

Inactive

TakingPicture

Idle

cmd = camOn

cmd = takePicture

Failed

cmd = camOff

(power = off) AND(shutter = closed)

(power = on) AND(shutter = closed)

(power = on) AND(shutter = open)

tC>=0.1& tC<=0.2

constraints

guarded & timed probabilistic transitions

nominal modes

fault modes

p(t)

t0.1 0.2

P= 99.9%modal rewards

Date post:	02-Jan-2016
Category:	Documents
Upload:	owen-johns
View:	214 times
Download:	1 times

MIT Dept of Aeronautics and Astronautics March 21, 2003 Graduate Open House Aero/Astro Open House...

Documents