
Timed Model-based Programming: Executable Specifications for Robust Mission-Critical Sequences

This paper introduces a visual programming paradigm for encoding and executing robust mission-critical spacecraft sequences, addressing issues of complexity and low-level system interactions. It adopts timed, state-based control specifications and models nominal and off-nominal plant behavior. Illustrations and examples are provided.



Presentation Transcript


  1. Timed Model-based Programming: Executable Specifications for Robust Mission-Critical Sequences
  Michel Ingham, Seung Chung, Paul Elliott, Oliver Martin, Tazeen Mahtab, Greg Sullivan and Brian Williams
  Model-based Embedded Robotic Systems Group, Space Systems Laboratory, Massachusetts Institute of Technology

  2. Objectives & Outline
  • Timed Model-based Execution “in a nutshell”
  • Timed Model-based Programming: a visual programming paradigm
  • Illustration of Timed Model-based Execution
  • Executive implementation: Timed Control Sequencer
  • Executive implementation: Timed Mode Estimation
  • Executive implementation: Symbolic Reactive Planner

  3. Motivation
  • Mission-critical sequences:
    • Launch & deployment
    • Planetary fly-by
    • Orbital insertion
    • Entry, descent & landing
  (images courtesy of NASA)

  4. Problem Statement
  • Traditional programming can lead to “brittle” sequences:
    • complexity of control specification
    • complexity of plant interactions
    • lack of robustness (management of off-nominal behavior)
  • Time is central to the execution of mission-critical sequences:
    • plant spec: component behavior includes latency and evolution
    • control spec: hard-coded delays in the sequence capture state knowledge
  • A robust executive must consider time in its control and behavior models, in addition to reactively managing complexity
  Approach: Timed Model-based Programming

  5. Timed Model-based Programming
  • Approach for graphically encoding and executing robust mission-critical spacecraft sequences
  • Addresses issues of sequence complexity and low-level system interactions
  • Adopts timed, state-based control specifications
  • Reasons through probabilistic, timed models of nominal and off-nominal plant behavior

  6. Mars Entry Example
  [figure: entry sequence diagram with steps “engine to standby”, “planetary approach”, “switch to inertial nav”, “rotate to entry-orient & hold attitude”, “separate lander”]

  7. Mars Entry Example
  Descent engine to “standby”:
  [figure: engine mode diagram (off, heating, standby); reaching standby takes 30-60 sec of heating; entry sequence diagram as on slide 6]

  8. Mars Entry Example
  • Spacecraft approach:
    • 270 mins delay
    • relative position wrt Mars not observable
    • based on ground computations of cruise trajectory
  [figure: entry sequence diagram, as on slide 6]

  9. Mars Entry Example
  Switch navigation mode:
  • “Earth-relative” = Star Tracker + IMU
  • “Inertial” = IMU only
  [figure: entry sequence diagram, as on slide 6]

  10. Mars Entry Example
  • Rotate spacecraft:
    • command ACS to entry orientation
  [figure: entry sequence diagram, as on slide 6]

  11. Mars Entry Example
  • Rotate spacecraft:
    • once entry orientation achieved, ACS holds attitude
  [figure: entry sequence diagram, as on slide 6]

  12. Mars Entry Example
  Separate lander from cruise stage:
  [figure: cruise stage, lander stage and pyro latches; entry sequence diagram as on slide 6]

  13. Mars Entry Example
  • Separate lander from cruise stage:
    • when entry orientation achieved, fire primary pyro latch
  [figure: cruise stage, lander stage and pyro latches; entry sequence diagram as on slide 6]

  14. Mars Entry Example
  • Separate lander from cruise stage:
    • when entry orientation achieved, fire primary pyro latch
  [figure: cruise stage and lander stage; entry sequence diagram as on slide 6]

  15. Mars Entry Example
  • Separate lander from cruise stage:
    • in case of failure of primary latch, fire backup pyro latch
  [figure: cruise stage and lander stage; entry sequence diagram as on slide 6]

  16. Mars Entry Example
  • Separate lander from cruise stage:
    • in case of failure of primary latch, fire backup pyro latch
  [figure: cruise stage and lander stage; entry sequence diagram as on slide 6]

  17. Key Features of Executive
  • simple state-based control specifications
  • models are writable/inspectable by systems engineers
  • handle timed plant & control behavior
  • automated reasoning through low-level plant interactions
  • fault-aware (in-the-loop recoveries)
  [figure: entry sequence diagram, as on slide 6]

  18. TMBP for Mars Science Lab
  [figure: Technology Demo 2005 → MSL Mission (2009); courtesy NASA JPL]

  19. Related Work
  [figure: diagram positioning TMBP relative to prior work; groupings recovered from its labels]
  • Visual Representations: State-based Specifications (Harel, ’87; Kesten & Pnueli, ’92)
  • Closed-loop Control: Goal-driven Execution, RMPL and Control Sequencer (Firby, ’89; Simmons, ’98; Gat, ’96)
  • Embedded Programming Constructs: Synchronous Programming (Berry & Gonthier, ’92; Halbwachs, ’93); Constraint Programming (Saraswat, Jagadeesan & Gupta, ’94)
  • Model-based Programming: Constraint Modeling (Williams, Ingham, Chung & Elliott, ’03)
  • Timed Formal Modeling: Non-deterministic Timed Transitions (Alur & Dill, ’94; Henzinger, Manna & Pnueli, ’92; Kwiatkowska, et al., ’00; Largouet & Cordier, ’00)
  • Model-based Execution: Deductive Estimation & Control (deKleer & Williams, ’87-’89; Williams & Nayak, ’96-’97; Kurien & Nayak, ’00); Mission Data System (Dvorak, Rasmussen, et al., ’00)
  • TMBP: Timed Control Programs, Timed Plant Models, Semi-Markov Semantics

  20. Objectives & Outline
  • Timed Model-based Execution “in a nutshell”
  • Timed Model-based Programming: a visual programming paradigm
  • Illustration of Timed Model-based Execution
  • Executive implementation: Timed Control Sequencer
  • Executive implementation: Timed Mode Estimation
  • Executive implementation: Symbolic Reactive Planner

  21. Timed Model-based Program

  22. Timed Model-based Program

  23. Timed Hierarchical Constraint Automata
  [figure labels: primitive locations, composite locations]
  • graphical specification language for control programs
  • in the spirit of Timed StateCharts (Kesten & Pnueli, Harel)
  • writable, inspectable by systems engineers
  • compact encoding: multiple locations can be simultaneously marked

  24. Timed Hierarchical Constraint Automata
  [figure labels: goal constraint (hidden state), clock initialization]
  • graphical specification language for control programs
  • in the spirit of Timed StateCharts (Kesten & Pnueli, Harel)
  • writable, inspectable by systems engineers
  • act on hidden state
  • clocks provide timing mechanism

  25. Timed Hierarchical Constraint Automata
  [figure labels: transition guard, maintenance constraint, transition]
  • graphical specification language for control programs
  • in the spirit of Timed StateCharts (Kesten & Pnueli, Harel)
  • writable, inspectable by systems engineers
  • conditioned on time & state constraints

  26. Timed Hierarchical Constraint Automata
  [figure labels: parallel, sequential, iteration, preemption]
  • graphical specification language for control programs
  • in the spirit of Timed StateCharts (Kesten & Pnueli, Harel)
  • writable, inspectable by systems engineers

  27. Timed Model-based Program

  28. Timed Concurrent Constraint Automata
  [figure: plot of p_t(t) against t for nominal modes and fault modes, with labels 0.1, 0.2 and P_t = 99.9%; diagram labels: constraints, guarded & timed probabilistic transitions, modal rewards]
  • variant of factored POSMDP (time continuous, but observations and decisions at discrete points)

  29. Objectives & Outline
  • Timed Model-based Execution “in a nutshell”
  • Timed Model-based Programming: a visual programming paradigm
  • Illustration of Timed Model-based Execution
  • Executive implementation: Timed Control Sequencer
  • Executive implementation: Timed Mode Estimation
  • Executive implementation: Symbolic Reactive Planner

  30. Timed Model-based Executive Architecture

  31. Mars Entry Example
  [figure: entry sequence diagram with steps “engine to standby”, “switch to inertial nav”, “planetary approach”, “rotate to entry-orient & hold attitude”, “separate lander”]

  32. Mars Entry Example
  [figure: entry sequence diagram, as on slide 31]
  Control Sequencer executes THCA

  33. Mars Entry Example
  [figure: entry sequence diagram, as on slide 31; plot of p_t(t) against t with marks at 30 and 60; goal: Standby; obs: …]
  Deductive Controller provides state estimates and command sequences that achieve goals

  34-43. Mars Entry Example
  [figure: animation frames of the entry sequence diagram, as on slide 31]

  44. Mars Entry Example
  [figure: entry sequence diagram, as on slide 31; goal: Separated; obs: primary pyro misfired! backup pyro fired]
  Model-based executive provides robustness in the goal-driven control loop

  45-47. Mars Entry Example
  [figure: animation frames of the entry sequence diagram, as on slide 31]

  48. Full Demonstration
  • Proof-of-concept on a representative mission scenario: “full” Entry, Descent and Landing scenario
  • Control program (57 locations, 16 state vars, 6 clock vars)
  • Plant model (~25 components, avg. 3-4 modes per component)

  49. Demonstration: Highlights Key Capabilities
  • Nominal operations:
    • execution conditioned on state constraints
    • execution conditioned on time constraints
    • nominal mode tracking through commanded and timed transitions
    • accept configuration goal and generate appropriate command sequence (single-step, multi-step reconfigurations)
  • Operations in the presence of faults:
    • fault diagnosis through commanded transitions
    • fault diagnosis through timed transitions
    • recovery by repair (deductive controller)
    • recovery by leveraging physical/functional redundancy (control sequencer)
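The following is an added example, not code from the paper or from the MIT MERS group's executive, that puts the pieces described on slides 23-28 (control program locations with goals and clocks; plant components as timed automata with nominal and fault modes), slides 32-33 (control sequencer plus mode estimation and planning), slide 44 (backup pyro after a primary misfire) and slide 49 together in miniature. The component names, commands, observation model, injected faults and the simulated engine latency are all constructed for illustration; only the 30-60 s heating window comes from the slides. `plan` is a plain breadth-first search standing in for the paper's symbolic reactive planner, and `ModeEstimator` tracks a single most-likely mode per component rather than a probability distribution, so the example shows the timed and commanded diagnosis paths of slide 49 but not the POSMDP reasoning of slide 28.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Component:  # a plant component as a small timed automaton with nominal and fault modes
    mode: str        # current true mode (mutated only by the Plant simulator)
    commanded: dict  # (mode, command) -> next mode
    timed: dict      # mode -> (next mode, min_s, max_s): latency window of a timed transition
    looks: dict      # mode -> nominal mode it is indistinguishable from by observation (hidden state)
    fault: str       # fault mode the estimator diagnoses when an expectation is violated
    entered_at: float = 0.0

def mars_entry_model():
    """Constructed plant model for the slides' entry steps (not the paper's own model)."""
    return {
        "engine": Component("off", {("off", "standby_cmd"): "heating"},
                            {"heating": ("standby", 30.0, 60.0)},  # 30-60 s heating, as on slide 7
                            {"heating": "off", "heater_failed": "off"}, "heater_failed"),
        "primary_pyro": Component("intact", {("intact", "fire"): "fired"}, {}, {"misfired": "intact"}, "misfired"),
        "backup_pyro": Component("intact", {("intact", "fire"): "fired"}, {}, {"misfired": "intact"}, "misfired"),
    }

class Plant:
    """Ground-truth simulator with injectable faults; the executive only ever calls observe()."""
    def __init__(self, model, latency, stuck=()):
        self.c, self.clock, self.latency, self.stuck = model, 0.0, latency, set(stuck)
    def command(self, name, cmd):
        comp = self.c[name]  # a stuck component enters its fault mode instead of responding
        nxt = comp.fault if name in self.stuck else comp.commanded.get((comp.mode, cmd))
        if nxt:
            comp.mode, comp.entered_at = nxt, self.clock
    def advance(self, dt):
        self.clock += dt
        for name, comp in self.c.items():
            if comp.mode in comp.timed:  # timed transition fires after the actual (simulated) latency
                nxt, lo, _ = comp.timed[comp.mode]
                if self.clock - comp.entered_at >= self.latency.get(name, lo):
                    comp.mode, comp.entered_at = nxt, self.clock
    def observe(self):
        return {n: comp.looks.get(comp.mode, comp.mode) for n, comp in self.c.items()}

class ModeEstimator:
    """Timed mode estimation from commands, observations and elapsed time; never reads true modes."""
    def __init__(self, model):
        self.m, self.est, self.since = model, {n: c.mode for n, c in model.items()}, {n: 0.0 for n in model}
    def predict(self, name, cmd, now):  # commanded transition: expected effect of a sent command
        self.est[name], self.since[name] = self.m[name].commanded[(self.est[name], cmd)], now
    def update(self, observation, now):
        for name, c in self.m.items():
            est, seen = self.est[name], observation[name]
            if est in c.timed:  # expecting a timed transition within [lo, hi] of entering est
                nxt, _, hi = c.timed[est]
                if seen == c.looks.get(nxt, nxt):
                    self.est[name], self.since[name] = nxt, now
                elif now - self.since[name] > hi:  # overdue: diagnosis through a timed transition
                    self.est[name] = c.fault
            elif seen != c.looks.get(est, est):  # contradiction: diagnosis through a commanded transition
                self.est[name] = c.fault

def plan(model, est, name, goal):
    """BFS over one component's commanded and timed transitions: first command to send, or None to wait."""
    c, start = model[name], est[name]
    frontier, seen = deque([(start, None)]), {start}
    while frontier:
        mode, first = frontier.popleft()
        if mode == goal:
            return first
        succ = [(n, first or cmd) for (m, cmd), n in c.commanded.items() if m == mode]
        if mode in c.timed:
            succ.append((c.timed[mode][0], first))  # waiting is a legal, command-free step
        frontier.extend((n, f) for n, f in succ if n not in seen)
        seen.update(n for n, _ in succ)
    raise RuntimeError(f"no command sequence reaches {name}={goal}")

def run_entry_sequence(latency, stuck=(), dt=5.0):
    """Control sequencer over a simulated plant (latency and stuck are constructed scenario inputs): hold
    each location's goal until estimation confirms it, re-planning every dt seconds; returns the trace."""
    plant, model = Plant(mars_entry_model(), latency, stuck), mars_entry_model()
    estimator, trace = ModeEstimator(model), []  # the executive reasons over its own model copy
    for loc, comp, goal in [("engine to standby", "engine", "standby"), ("separate lander", "primary_pyro", "fired")]:
        while True:
            estimator.update(plant.observe(), plant.clock)
            if estimator.est[comp] == goal:
                trace.append((loc, comp, goal, "achieved", plant.clock))
                break
            if estimator.est[comp] == model[comp].fault:
                trace.append((loc, comp, goal, "fault:" + estimator.est[comp], plant.clock))
                if comp != "primary_pyro":
                    return trace
                comp = "backup_pyro"  # functional redundancy encoded in the control program (slide 15)
                continue
            cmd = plan(model, estimator.est, comp, goal)
            if cmd:
                plant.command(comp, cmd)
                estimator.predict(comp, cmd, plant.clock)
                trace.append((loc, comp, cmd, "commanded", plant.clock))
            plant.advance(dt)
    return trace
```

Calling `run_entry_sequence({"engine": 45.0}, stuck=("primary_pyro",))` reproduces the slide 44 scenario: the engine goal is planned as a two-step reconfiguration (command, then wait on the timed transition), the primary latch is diagnosed as misfired from the contradicting observation, and the sequencer fires the backup. Calling it with `{"engine": 1000.0}` instead shows diagnosis through a timed transition: the heater is declared failed once the 60 s upper bound has elapsed without the expected observation.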

  50. TMBP for Mars Science Lab
  [figure: Technology Demo 2005 → MSL Mission (2009); courtesy NASA JPL]
