Model-Based Programming of Intelligent Embedded Systems
Bill Gaes
CSc 299 Masters Seminar Presentation and Discussion, 5/20/2005
Based on: Brian C. Williams et al., “Model-Based Programming of Intelligent Embedded Systems and Robotic Space Explorers,” Proceedings of the IEEE, vol. 91, no. 1, pp. 212-237, 2003.
Outline
• Model-Based Programming
• Overview
• Advantages
• Example
• Motivation
• Details
• Discussion
Model-Based Programming
Model-Based Programming
• Program what you want the system to do
• Develop models of what the system can do
• Rely on an executive to:
  • execute the program
  • reason on the fly
  • track system state
  • diagnose faults
  • reconfigure the system to achieve the desired goals
Advantages of Model-Based Programming
• Allows engineers to specify high-level control strategies
• Encapsulation and separation of concerns
  • Model composed of components (e.g., engine, camera, etc.)
  • Program is object-oriented with multiple inheritance
• Executive replaceable with a different implementation or one with added capabilities
Advantages of Model-Based Programming
• Powerful inference engines
• Reusability
• Robustness
• Verifiability
Example Embedded System - Spacecraft
• Spacecraft with 2 redundant engines and a camera
• Objective: insert the spacecraft into orbit
  • Camera must be off
  • One of the two engines must fire
Simple Spacecraft Model (figure: initial state vs. goal state)
• Propulsion: in the initial state the fuel and oxidizer valves feeding EngineA and EngineB are shut; in the goal state the valves feeding one engine are open.
Simple Spacecraft Model (figure: initial state vs. goal state)
• Science camera: On in the initial state, Off in the goal state.
Control Program - Pseudocode
• Orbital Insertion Control Program:
    Concurrently
        Place both Engines in standby
        Shut off Camera
    When Engines are in standby And the Camera is off
        then Fire EngineA
Reactive Embedded Systems
• Require concurrent and synchronous programming languages such as:
  • Esterel (~1992)
  • Statecharts (~1987)
Programming Complex Reactive Embedded Systems
(figure: an Embedded Program sends control signals (Cntrl) to the Physical Plant and receives observations (Obs) back from it)
• Programming using traditional reactive languages is challenging, time-consuming, and error-prone
Challenges of Programming Autonomous Systems
• Programmers must reason through system-wide interactions to generate code for:
  • monitoring
  • safeing
  • goal tracking
  • standby
  • fault recovery
  • mode confirmation
  • detecting anomalies
  • isolating faults
  • diagnosing causes
  • adaptive control
  • fault avoidance
  • hardware reconfiguration
Esterel Program for a Robot to Follow a Line

    module ROBOT:
    input LeftSensor, RightSensor;
    output LeftWheelSpeed : float, RightWheelSpeed : float;
    loop
      await tick;
      [
        present LeftSensor else emit LeftWheelSpeed(1.0f) end present
      ||
        present RightSensor else emit RightWheelSpeed(1.0f) end present
      ||
        present [LeftSensor and RightSensor] then
          abort
            loop
              emit RightWheelSpeed(1.0f);
              emit LeftWheelSpeed(-0.5f)
            each tick
          when [not LeftSensor]
        end present
      ]
    end loop
    end module

• Pure signals (LeftSensor, RightSensor) indicate only the presence or absence of a stimulus; valued signals (LeftWheelSpeed, RightWheelSpeed) carry an arbitrary value of the declared type.
• The wheel controller sets relative angular velocity, a value in [-1, 1], where 1.0 is full speed forward.
• || is the explicit syntax for execute in parallel.
• When both sensors see the line, the third branch attempts corrective action (right wheel forward, left wheel reversed) to get back on track, until the left sensor no longer sees the line.
• The two emits inside loop ... each tick are written sequentially but, at each tick, execute at the same instant, since emit returns immediately.
Mars Polar Lander Failure
• Leading hypothesis for the failure:
  • Landing legs deployed during descent.
  • Deployment caused a noise spike in the Hall effect touchdown sensors, which the software monitors latched.
  • The radar altimeter registered an altitude of 40 m.
  • At 40 m the leg monitors were polled.
  • Because the monitors were already latched, the descent engine was shut down at 40 m.
Problem and a Solution
• Problem
  • The failure space and the interactions between hardware and software are too large to enumerate
• Solution
  • Provide reactive embedded languages that reason on the fly from commonsense models
  • Model-based Programming
Model-Based Architecture
(figure: a control program written in the Reactive Model-based Programming Language (RMPL) feeds the Control Sequencer; the Control Sequencer sends configuration goals to the Deductive Controller and receives state estimates from it; the Deductive Controller consults the Plant Model, sends commands to the Physical Plant and receives observations from it; Control Sequencer plus Deductive Controller form “Titan”, the model-based executive)
Simple RMPL Control Program

    Procedure TakePicture(target)::{
      do {
        Attitude = target,
        when Attitude = target donext {
          SnapStore(); SnapStore();
        }
      } watching Picture = Stored
    }
RMPL Control Program
• Five design features
  • Parallel and sequential execution threads
  • Conditional execution
  • Iteration
  • Preemption
• Defining feature
  • ability to reference “hidden” states of the physical plant within assertions and conditions
RMPL Control Program

    expression      --> assertion | combinator | prgm_invocation
    combinator      --> A maintaining c
                      | do A watching c
                      | if c thennext A
                      | unless c thennext A
                      | A, B
                      | A; B
                      | always A
    prgm_invocation --> program_name(arglist)

Key: c denotes a constraint; A and B denote well-formed RMPL expressions.
Note: the language provides additional derived combinators (such as the when c donext A used on the following slides), created by combining the primitive combinators.
RMPL Control Program

    OrbitInsert()::{
      do {
        EngineA = Standby,
        EngineB = Standby,
        Camera = Off,
        do {
          when EngineA = Standby ^ Camera = Off donext EngineA = Firing
        } watching EngineA = Failed,
        when EngineA = Failed ^ EngineB = Standby ^ Camera = Off donext EngineB = Firing
      } watching EngineA = Firing v EngineB = Firing
    }

Key: a bare assertion such as EngineA = Standby is an achieve constraint (the executive must make it true); the condition of a when ... donext or watching clause is an execution condition, an ask constraint that is only checked against the estimated plant state.
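As an added example (not code from the slides, from Williams et al., or from the Titan executive), the OrbitInsert program above translated by hand into a reactive step function and run by a minimal control sequencer over a constructed series of most-likely state estimates. Each step returns the configuration goals (the achieve constraints) that would be handed to the deductive controller; the when-conditions are ask constraints evaluated only against the estimate, and the two watching clauses preempt their bodies. Arbitration between the persistent EngineA = Standby assertion and the later EngineA = Firing goal is not modeled: the later goal simply supersedes it, which is an assumption of this example.

```python
# Added example, not from the slides or from the RMPL/Titan sources:
# OrbitInsert() hand-translated into a step function for a control sequencer.

def orbit_insert_step(est):
    """One reactive step of OrbitInsert given the most likely state estimate.

    Returns (configuration goals, finished). Every value checked below is an
    estimated hidden plant state, never a direct sensor reading.
    """
    # do { ... } watching EngineA = Firing v EngineB = Firing: once the
    # estimate says an engine is firing, the whole body is preempted.
    if "Firing" in (est.get("EngineA"), est.get("EngineB")):
        return {}, True

    # Three parallel assertions (achieve constraints) that persist while
    # the outer do-block is active.
    goals = {"EngineA": "Standby", "EngineB": "Standby", "Camera": "Off"}
    camera_off = est.get("Camera") == "Off"

    # do { when EngineA = Standby ^ Camera = Off donext EngineA = Firing }
    # watching EngineA = Failed: the ask constraint is only evaluated while
    # EngineA has not been estimated as Failed.
    if est.get("EngineA") != "Failed":
        if est.get("EngineA") == "Standby" and camera_off:
            goals["EngineA"] = "Firing"   # assumption: supersedes Standby
    # when EngineA = Failed ^ EngineB = Standby ^ Camera = Off
    # donext EngineB = Firing: the backup branch.
    elif est.get("EngineB") == "Standby" and camera_off:
        goals["EngineB"] = "Firing"       # assumption: supersedes Standby
    return goals, False


def run_sequencer(estimates):
    """Control sequencer loop: feed one state estimate per step and collect
    the configuration goals emitted, stopping when the program finishes."""
    trace = []
    for est in estimates:
        goals, finished = orbit_insert_step(est)
        trace.append(goals)
        if finished:
            break
    return trace


# Constructed estimates (not flight data): nominal start, both engines in
# standby with the camera off, EngineA diagnosed Failed, then EngineB firing.
SAMPLE_ESTIMATES = [
    {"EngineA": "Off", "EngineB": "Off", "Camera": "On"},
    {"EngineA": "Standby", "EngineB": "Standby", "Camera": "Off"},
    {"EngineA": "Failed", "EngineB": "Standby", "Camera": "Off"},
    {"EngineA": "Failed", "EngineB": "Firing", "Camera": "Off"},
]

if __name__ == "__main__":
    for step, goals in enumerate(run_sequencer(SAMPLE_ESTIMATES)):
        print(step, goals)
```

The point of the translation is that the program never touches a command or a sensor: it only asserts goals on, and asks about, modes such as EngineA = Failed that the deductive controller must infer from observations.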
Model-Based Executive
(figure: the Control Program drives the Control Sequencer, which exchanges configuration goals and state estimates with the Deductive Controller; the Deductive Controller uses the Plant Model and exchanges commands and observations with the Physical Plant)
• Control Sequencer
  • Executes the control program
  • Uses the most likely state estimate to generate configuration goals for the Deductive Controller to achieve
Plant Model - Concurrent Constraint Automata
• Built from a set of component models
• Each component is represented by
  • a set of component modes
  • a set of constraints defining behavior within each nominal mode
  • a set of probabilistic transitions between modes
Spacecraft Engine Component Model
• Component modes: Off, Standby, Firing, Failed
• Behavior within a mode is described by constraints on the plant variables thrust and power_in:
  • Off: (thrust = zero) AND (power_in = zero)
  • Standby: (thrust = zero) AND (power_in = nominal)
  • Firing: (thrust = full) AND (power_in = nominal)
  • Failed: no constraint on the engine's behavior (constraint suspension)
• Commanded transitions: Off to Standby on Cmd = stdby; Standby to Off on Cmd = off; Standby to Firing on Cmd = fire; Firing to Standby on Cmd = stdby
• Probabilistic uncommanded transition from each nominal mode to Failed, P = 0.01
• Note: all nominal transitions are P = 99%
Spacecraft Camera Component Model
• Component modes: Off, On, Failed
  • Off: (power_in = zero) AND (shutter = closed)
  • On: (power_in = nominal) AND (shutter = open)
• Commanded transitions: Off to On on Cmd = Cam_on; On to Off on Cmd = Cam_off
• Uncommanded transition from each nominal mode to Failed, P = 0.01
• Note: all nominal transitions are P = 99%
Spacecraft Valve Driver and Valve Component Models
• Valve Driver Model: modes on, off and resettable failure; transitions on dcmdin = on (off to on), dcmdin = off (on to off) and dcmdin = reset (recovery from the resettable failure)
• Valve Model: modes open and closed, plus the permanent failures stuck-open and stuck-closed; the valve opens on dcmdin = open and closes on dcmdin = close only while driver = on
• Interconnection constraint between the two automata: dcmdout = vcmdin (the driver's command output is the valve's command input)
• Note: all nominal transitions are P = 99%; failure transitions are P = 1% (not shown)
Model-Based Executive
(figure: Titan Model-based Executive; the Control Sequencer executes the Control Program and exchanges configuration goals and state estimates with the Deductive Controller, whose Mode Estimation estimates the most likely transitions and whose Mode Reconfiguration finds the least-cost reachable goal state; the Deductive Controller uses the Plant Model and exchanges commands and observations with the Physical Plant)
Deductive Controller (example trace)
• Mode Reconfiguration: selects a valve configuration; plans the actions to open six valves
• Mode Estimation: deduces that the engines are in standby
• Mode Estimation: deduces that a valve has failed, stuck closed
• Mode Reconfiguration: selects the valves on the backup engine needed to achieve thrust, and plans the needed actions
Space of Possible State Trajectories for the Plant Model
(figure: trellis diagram of states S(0), S(1), ..., S(N-1), S(N) over discrete time steps, with transitions T between consecutive states S)
• Plant state
  • assigns a value to each state variable, e.g., 3000 variables
  • consistent with all state constraints, e.g., 12,000 constraints
• Set of concurrent transitions
  • one per automaton, e.g., 80 automata
• Examples from the plant model for Deep Space One
Deductive Controller - Mode Estimation (ME)
• Incrementally tracks sets of component mode transitions
  • consistent with the observations, the initial state, and the plant CCA
• Number of candidate transitions is n^m, where
  • n is the size of the domain of the mode variables
  • m is the number of mode variables
• Deep Space One probe (DS-1): n^m = 3^80
Deductive Controller - Mode Estimation (ME)
• Framed as an Optimal Constraint Satisfaction Problem (OCSP)
• Conflict-directed A*
  • uses propositional logic to find conflicts
  • conflicts are used to prune inconsistent transitions, so only plausible ones are generated
  • candidate mode transitions are reduced from 3^80 to less than a dozen
Mode Estimation
(figure: the trellis from S(0) through S(t-1) to S(t), with estimated states marked by hats; each state s_i carries prob(s_i), and the state s_j with the highest probability is the most likely state)
• Tracks the most likely states consistent with the plant model, observations, and control actions
Deductive Controller - Mode Reconfiguration (MR)
• Produces a series of commands that progresses the plant toward a maximum-reward state that achieves the configuration goal
• Goal Interpreter
  • finds the goal state that achieves the configuration goal while maximizing reward
• Reactive Planner
  • generates the command sequence to move the plant to the goal state
Mode Reconfiguration
(figure: the trellis from S(t) through S(t+1) to S(t+n-1) and S(t+n), with S(t+n) marked as the maximum-reward goal state)
• Given the goal and the most likely current state, find the commands that transition through the plant state space toward the maximum-reward goal state that achieves the configuration goal
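As an added example (not code from the slides or from the Titan executive), a toy deductive controller over the engine and camera component models of the earlier slides, covering both halves described above. Mode estimation enumerates candidate joint mode transitions in order of prior probability (0.99 nominal, 0.01 uncommanded failure, as on the component slides) and keeps the first one whose mode constraints are consistent with the observations; the brute-force enumeration stands in for conflict-directed A*, which reaches the same best candidate without expanding the whole product. Mode reconfiguration does breadth-first search over the nominal commanded transitions to find command sequences, and a goal interpreter picks the reachable state satisfying the configuration goal with the highest reward. The reward function, the command names, the one-command-per-step planner and the rule that Failed is absorbing are assumptions of this example.

```python
# Added example, not from the slides or from the Titan executive: a toy
# deductive controller over the engine and camera component models.
import itertools
from collections import deque

P_NOMINAL, P_FAIL = 0.99, 0.01   # transition probabilities from the slides

# Component models: 'modes' maps a mode to its constraints on plant variables
# (None = constraint suspension in the failed mode); 'trans' lists the
# nominal commanded transitions as (mode, command) -> next mode.
ENGINE = {
    "modes": {"Off": {"thrust": "zero", "power_in": "zero"},
              "Standby": {"thrust": "zero", "power_in": "nominal"},
              "Firing": {"thrust": "full", "power_in": "nominal"},
              "Failed": None},
    "trans": {("Off", "stdby"): "Standby", ("Standby", "off"): "Off",
              ("Standby", "fire"): "Firing", ("Firing", "stdby"): "Standby"},
}
CAMERA = {
    "modes": {"Off": {"power_in": "zero", "shutter": "closed"},
              "On": {"power_in": "nominal", "shutter": "open"},
              "Failed": None},
    "trans": {("Off", "cam_on"): "On", ("On", "cam_off"): "Off"},
}
PLANT = {"EngineA": ENGINE, "EngineB": ENGINE, "Camera": CAMERA}


def candidate_transitions(comp, mode, cmd):
    """Successor modes of one component with prior probability: the nominal
    step (commanded, or idle if no command applies) at 0.99 and the
    uncommanded failure at 0.01. Assumption: Failed is absorbing."""
    if mode == "Failed":
        return [("Failed", 1.0)]
    nominal = comp["trans"].get((mode, cmd), mode)
    return [(nominal, P_NOMINAL), ("Failed", P_FAIL)]


def consistent(comp, mode, obs):
    """A mode is consistent when every observed variable it constrains has
    the constrained value; a suspended (Failed) mode constrains nothing."""
    cons = comp["modes"][mode]
    return cons is None or all(cons.get(v, val) == val for v, val in obs.items())


def estimate_modes(state, cmds, obs):
    """Mode estimation: joint successors in decreasing prior probability,
    returning the first one consistent with obs (per-component dicts)."""
    names = list(state)
    per_comp = [candidate_transitions(PLANT[n], state[n], cmds.get(n)) for n in names]
    joint = []
    for combo in itertools.product(*per_comp):
        p = 1.0
        for _, pc in combo:
            p *= pc
        joint.append((p, [m for m, _ in combo]))
    joint.sort(key=lambda t: -t[0])          # best-first; stable on ties
    for p, modes in joint:
        nxt = dict(zip(names, modes))
        if all(consistent(PLANT[n], nxt[n], obs.get(n, {})) for n in names):
            return nxt, p
    return None, 0.0


def power_reward(state):
    """Assumed reward (not from the slides): one point lost per component
    drawing nominal power, so the cheapest configuration wins."""
    cost = 0
    for name, mode in state.items():
        cons = PLANT[name]["modes"][mode]
        if cons and cons.get("power_in") == "nominal":
            cost += 1
    return -cost


def reconfigure(state, goal, reward):
    """Mode reconfiguration: BFS over nominal commanded transitions (one
    command per step, assumed) gives the shortest plan to every reachable
    joint mode; the goal interpreter picks the reachable state satisfying
    goal(state) with maximal reward (shortest plan on ties) and the
    reactive planner's command list for it is returned."""
    start = tuple(sorted(state.items()))
    plans, queue = {start: []}, deque([start])
    while queue:
        cur = queue.popleft()
        cur_state = dict(cur)
        for name, comp in PLANT.items():
            for (mode, cmd), nxt_mode in comp["trans"].items():
                if cur_state[name] != mode:
                    continue
                nxt = dict(cur_state, **{name: nxt_mode})
                key = tuple(sorted(nxt.items()))
                if key not in plans:
                    plans[key] = plans[cur] + [(name, cmd)]
                    queue.append(key)
    found = [(reward(dict(k)), -len(p), dict(k), p)
             for k, p in plans.items() if goal(dict(k))]
    if not found:
        return None, []
    _, _, best_state, plan = max(found, key=lambda f: (f[0], f[1]))
    return best_state, plan
```

Run with the OrbitInsert goal (some engine firing, camera off): after commanding EngineA to fire, an observation of thrust = zero rules out the 0.97-probability nominal candidate, so estimation falls through to EngineA = Failed at 0.0098, and reconfiguration from that estimate returns the single command that fires EngineB, which is exactly the hand-off the slides describe between the two halves of the deductive controller.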
Model-based Programming - Real-world Uses
• Deep Space One - 2001
  • Autonomous control of engine firing
• MIT SPHERES spacecraft - 2004
  • docking maneuvers with the International Space Station
• Simulation system for rapid prototyping
  • autonomous Mars exploration testbed
• Toyota
  • Fault management and failure recovery for high-end vehicles
• NASA Mars Technology Program
  • Proposing incorporation into the Mars 2009 Smart Lander
• Johns Hopkins Applied Physics Lab
  • Proposing application to the MESSENGER mission to Mercury
Discussion
• Does this paradigm appear to provide the claimed advantages?
• What are the potential limitations or pitfalls?
• Based on its technical merit, is MB-P an advancement?
• Does it have enough successes and interest to sustain itself?