Timed Model-based Programming: Executable Specifications for Robust Critical Sequences
Michel D. Ingham, Brian C. Williams
Model-based Embedded Robotic Systems Group, MIT Space Systems Laboratory, MIT Artificial Intelligence Laboratory
June 10th, 2003

Motivation
• Deep space exploration: Mars Polar Lander (NASA)
  – highly uncertain environment
  – requires a highly robust system
• Mission-critical sequences:
  – launch & deployment
  – planetary fly-by
  – orbital insertion
  – entry, descent & landing

Problem Statement
• Traditional programming can lead to "brittle" sequences:
  – complexity of plant interactions
  – complexity of control specification
  – complexity of off-nominal behavior
• Time is central to the execution of mission-critical sequences:
  – plant spec: component behavior includes latency and evolution
  – control spec: hard-coded delays in the sequence capture state knowledge
• A robust executive must consider time in its control and behavior models, in addition to reactively managing complexity

Current "State of the Practice"
Non-Critical Mission Sequences:
  – Time-tagged nominal command sequences, for example:

GS,SITURN,490UA,BOTH,96-355/03:42:00.000;
CMD,7GYON, 490UA412A4A,BOTH, 96-355/03:47:00:000, ON;
CMD,7MODE, 490UA412A4B,BOTH, 96-355/03:47:02:000, INT;
CMD,6SVPM, 490UA412A6A,BOTH, 96-355/03:48:30:000, 2;
CMD,7ALRT, 490UA412A4C,BOTH, 96-355/03:50:32:000, 6;
CMD,7SAFE, 490UA412A4D,BOTH, 96-355/03:52:00:000, UNSTOW;
CMD,6ASSAN, 490UA412A6B,BOTH, 96-355/03:56:08:000, GV,153,IMM,231, GV,153;
CMD,7VECT, 490UA412A4E,BOTH, 96-355/03:56:10.000, 0,191.5,6.5, 0.0,0.0,0.0, 96-350/00:00:00.000,MVR;
SEB,SCTEST, 490UA412A23A,BOTH, 96-355/03:56:12.000, SYS1,NPERR;
CMD,7TURN, 490UA412A4F,BOTH, 96-355/03:56:14.000, 1,MVR;
MISC,NOTE, 490UA412A99A,, 96-355/04:00:00.000, ,START OF TURN;
CMD,7STAR, 490UA412A406A4A,BOTH, 96-355/04:00:02.000, 7,1701, 278.813999,38.74;
CMD,7STAR, 490UA412A406A4B,BOTH, 96-355/04:00:04.000, 8,350,120.455999, -39.8612;
CMD,7STAR, 490UA412A406A4C,BOTH, 96-355/04:00:06.000, 9,875,114.162, 5.341;
CMD,7STAR, 490UA412A406A4D,BOTH, 96-355/04:00:08.000, 10,159,27.239, 89.028999;
CMD,7STAR, 490UA412A406A4E,BOTH, 96-355/04:00:10.000, 11,0,0.0,0.0;
CMD,7STAR, 490UA412A406A4F,BOTH, 96-355/04:00:12.000, 21,0,0.0,0.0;

  – If absolutely necessary, conditional behavior via rule-based monitors or hard-coded state machines
  – Usual off-nominal behavior response is "safe mode":
    • costly ground ops
    • lost science opportunities
Critical Mission Sequences:
  – Standard safing mechanism is disabled
  – Hard-coded fault protection via highly-specialized s/w modules:
    • ad-hoc
    • complex
    • expensive to generate and test
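The listing above is the kind of time-tagged sequence the slides call brittle: the only thing holding the steps together is the absolute time on each line. The following is an added example, not code from the slides or from the authors' executive. It parses records of that shape, rejects malformed input, checks that times never run backwards, and surfaces the inter-command delays that silently encode assumptions about plant state. The field layout (type, mnemonic, identifier, destination, time, arguments) and the two-digit year pivot are assumptions inferred from the listing; the sample lines are copied from the slide.

```python
"""Parse time-tagged command sequences and surface the hard-coded delays.

Added example; not code from the Ingham & Williams slides. The record
layout TYPE,MNEMONIC,ID,DESTINATION,TIME,ARGS...; is inferred from the
listing on the slide, so the field names are assumptions. Times are
YY-DDD/HH:MM:SS.mmm; the listing also shows ':' before the milliseconds,
which is accepted too.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: a subset of the lines shown on the slide.
SAMPLE = """\
GS,SITURN,490UA,BOTH,96-355/03:42:00.000;
CMD,7GYON, 490UA412A4A,BOTH, 96-355/03:47:00:000, ON;
CMD,7MODE, 490UA412A4B,BOTH, 96-355/03:47:02:000, INT;
CMD,6SVPM, 490UA412A6A,BOTH, 96-355/03:48:30:000, 2;
CMD,7ALRT, 490UA412A4C,BOTH, 96-355/03:50:32:000, 6;
CMD,7SAFE, 490UA412A4D,BOTH, 96-355/03:52:00:000, UNSTOW;
CMD,7TURN, 490UA412A4F,BOTH, 96-355/03:56:14.000, 1,MVR;
MISC,NOTE, 490UA412A99A,, 96-355/04:00:00.000, ,START OF TURN;
CMD,7STAR, 490UA412A406A4A,BOTH, 96-355/04:00:02.000, 7,1701, 278.813999,38.74;
"""

_TIME_RE = re.compile(r"^(\d{2})-(\d{3})/(\d{2}):(\d{2}):(\d{2})[.:](\d{3})$")


@dataclass
class Record:
    kind: str        # GS, CMD, SEB, MISC ...
    mnemonic: str    # 7GYON, 7MODE ...
    ident: str       # sequence item identifier
    dest: str        # destination string, e.g. BOTH (meaning not given on the slide)
    time: datetime   # absolute execution time
    args: list = field(default_factory=list)


def parse_time(text):
    """YY-DDD/HH:MM:SS.mmm (day-of-year) -> datetime. The 1970 year pivot is an assumption."""
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad time stamp: {text!r}")
    yy, ddd, hh, mm, ss, ms = (int(g) for g in m.groups())
    year = 1900 + yy if yy >= 70 else 2000 + yy
    return datetime(year, 1, 1) + timedelta(days=ddd - 1, hours=hh, minutes=mm,
                                            seconds=ss, milliseconds=ms)


def parse_record(line):
    """One ';'-terminated record; malformed input raises instead of being guessed at."""
    line = line.strip()
    if not line.endswith(";"):
        raise ValueError(f"missing ';' terminator: {line!r}")
    fields = [f.strip() for f in line[:-1].split(",")]
    if len(fields) < 5:
        raise ValueError(f"too few fields: {line!r}")
    kind, mnemonic, ident, dest, when = fields[:5]
    return Record(kind, mnemonic, ident, dest, parse_time(when), fields[5:])


def parse_sequence(text):
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def check_ordering(records):
    """Return (index, message) for every record whose time runs backwards."""
    problems = []
    for i in range(1, len(records)):
        if records[i].time < records[i - 1].time:
            problems.append((i, f"{records[i].mnemonic} at {records[i].time} "
                                f"precedes {records[i - 1].mnemonic}"))
    return problems


def hardcoded_delays(records):
    """Seconds between consecutive records: the delays that encode state knowledge."""
    return [(records[i - 1].mnemonic, records[i].mnemonic,
             (records[i].time - records[i - 1].time).total_seconds())
            for i in range(1, len(records))]


if __name__ == "__main__":
    recs = parse_sequence(SAMPLE)
    for a, b, dt in hardcoded_delays(recs):
        print(f"{a:>7} -> {b:<7} {dt:8.1f} s")
    print("ordering problems:", check_ordering(recs))
```

The delay table is the point: the 122 s between 6SVPM and 7ALRT, or the 300 s before 7GYON, are not visible as state requirements anywhere in the file, which is exactly why such a sequence cannot adapt when the plant is late.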
Related Work
• State-based Specifications
  – StateCharts (Harel, '87)
• Timed Formal Modeling
  – Timed Transition Systems (Henzinger, Manna & Pnueli, '92)
  – Timed StateCharts (Kesten & Pnueli, '92)
  – Timed Automata (Alur & Dill, '94)
• Synchronous Programming
  – Esterel (Berry & Gonthier, '92)
  – Lustre (Halbwachs, '93)
• Model-based Execution
  – GDE, Sherlock (de Kleer & Williams, '87-'89)
  – Livingstone (Williams & Nayak, '96-'97)
  – Livingstone2 (Kurien & Nayak, '00)
• Constraint Programming
  – TCC (Saraswat, Jagadeesan & Gupta, '94)
• Model-based Programming
  – RBurton (Williams & Gupta, '99)
  – Titan (Williams, Ingham, Chung & Elliott, '03)
• Robotic Execution
  – RAPs (Firby, '89)
  – ESL (Gat, '96)
  – TDL (Simmons, '98)
• Mission Data System
  – MDS (Dvorak, Rasmussen, et al., '00)
(Figure: diagram relating these areas to Timed Model-based Programming (TMBP); labels: Visual Representations, State-based Specifications, Goal-driven Closed-loop Control, Timed Control Programs (RMPL) and Timed Plant Models, Robotic Execution, Semi-Markov Semantics, Model-based Embedded Programming, Programming Constructs, Constraint Modeling, Synchronous Programming, Constraint Programming, Non-deterministic Timed Transitions, Deductive Estimation & Control, Timed Formal Modeling, Model-based Execution, Mission Data System)

Principal Contributions
1. Language definition
   • Textual & graphical programming languages for control spec
   • Extension of plant modeling language to capture timed effects
2. Formal execution semantics
   • Plant modeled as factored Partially Observable Semi-Markov Decision Process (POSMDP)
   • Control program expressed as timed deterministic automaton
   • Execution defined in terms of legal plant state evolutions
3. Algorithm specification & implementation
   • Execution of timed control specifications
   • Reasoning on timed plant models (for estimation and reconfiguration)
4. Architecture design & implementation
   • Modular, state-based & fault-aware
   • Demonstrated on representative mission scenario

Objectives & Outline
Capability Overview
• Timed Model-based Execution "in a nutshell"
• Timed Model-based Programming: a visual programming paradigm
• Illustration of Timed Model-based Execution
Technical Details
• Execution semantics
• Executive implementation
• Contributions and future directions (Conclusions)
Mars Entry Sequence: State-based Specification
(Loosely based on the Mars Polar Lander entry sequence)

State sequence: engine to standby → planetary approach → switch to inertial nav → rotate to entry-orient & hold attitude → separate

Descent engine to "standby":
• off → heating → standby
• heating takes 30-60 sec

Spacecraft approach:
• 270 min delay
• Relative position wrt Mars not observable
• Based on ground computations of cruise trajectory

Switch navigation mode:
• "Earth-relative" = Star Tracker + IMU
• "Inertial" = IMU only

Rotate spacecraft:
• Command ACS to entry orientation
• Once entry orientation is achieved, ACS holds attitude

Separate lander from cruise stage:
• When entry orientation is achieved, fire primary pyro latch
• In case of failure of the primary latch, fire backup pyro latch
(Figure: lander attached to cruise stage by pyro latches)
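What turns the state-based specification above into something executable is that every step names a goal state, a time window in which the plant must reach it, and what to do if it does not. The following is an added example, not the TMBP executive described by the authors: a minimal timed executive that runs the entry sequence against a scripted plant on a simulated clock. The engine-heating window (30-60 s) and the 270 min approach are taken from the slides; the command latencies, the 5 s pyro deadline and the 300 s rotation deadline are assumptions chosen for illustration, and `Plant`, `Step`, `execute_step` and `run` are names introduced here.

```python
"""A tiny timed executive for the entry sequence sketched on the slides.

Added example; it is not the TMBP executive described by the authors. It
shows what makes a state-based specification executable: each step commands
a plant state, waits for the plant to report that state inside a time
window, and names a fallback to issue when the deadline passes. The plant is
a scripted simulation on a simulated clock (no real sleeping); its latencies
are assumptions chosen to fit the numbers on the slides (30-60 s engine
heating, 270 min approach).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class Plant:
    """Scripted plant. `fail_primary_latch` injects the latch failure from the slide."""
    # Assumed command latencies (seconds) and the state each command drives to.
    LATENCY = {"engine_standby": 45.0, "switch_inertial": 1.0, "rotate_entry": 120.0,
               "fire_primary_pyro": 2.0, "fire_backup_pyro": 2.0}
    EFFECT = {"engine_standby": ("engine", "standby"),
              "switch_inertial": ("nav", "inertial"),
              "rotate_entry": ("attitude", "entry-orient"),
              "fire_primary_pyro": ("lander", "separated"),
              "fire_backup_pyro": ("lander", "separated")}

    def __init__(self, fail_primary_latch=False):
        self.t = 0.0                       # simulated seconds
        self.state = {"engine": "off", "nav": "earth-relative",
                      "attitude": "cruise", "lander": "attached"}
        self.pending = {}                  # variable -> (time the effect lands, value)
        self.fail_primary_latch = fail_primary_latch

    def command(self, name):
        if name == "fire_primary_pyro" and self.fail_primary_latch:
            return                         # failed latch: the commanded state never arrives
        var, value = self.EFFECT[name]
        self.pending[var] = (self.t + self.LATENCY[name], value)

    def advance(self, dt):
        """Move the clock; pending effects land once their latency has elapsed."""
        self.t += dt
        for var, (ready, value) in list(self.pending.items()):
            if self.t >= ready:
                self.state[var] = value
                del self.pending[var]


@dataclass
class Step:
    name: str
    command: Optional[str]                 # None for a pure timed wait
    goal: Optional[Tuple[str, str]]        # (variable, value) the plant must reach
    lower: float                           # earliest acceptable completion (seconds)
    upper: float                           # deadline; missing it is a timed failure
    fallback: Optional[str] = None         # command issued once if the deadline passes


ENTRY_SEQUENCE = [
    Step("engine to standby", "engine_standby", ("engine", "standby"), 30, 60),
    Step("planetary approach", None, None, 270 * 60, 270 * 60),
    Step("switch to inertial nav", "switch_inertial", ("nav", "inertial"), 0, 5),
    Step("rotate to entry-orient & hold attitude", "rotate_entry",
         ("attitude", "entry-orient"), 0, 300),
    Step("separate", "fire_primary_pyro", ("lander", "separated"), 0, 5,
         fallback="fire_backup_pyro"),
]


def execute_step(plant, step, tick=1.0):
    """Run one step; returns (status, seconds elapsed, fallback_used)."""
    started = plant.t
    if step.goal is None:                  # pure timed wait, e.g. the 270 min approach
        plant.advance(step.lower)
        return "ok", plant.t - started, False
    deadline = started + step.upper
    fallback_used = False
    if step.command:
        plant.command(step.command)
    while True:
        plant.advance(tick)
        elapsed = plant.t - started
        var, value = step.goal
        if elapsed >= step.lower and plant.state[var] == value:
            return "ok", elapsed, fallback_used
        if plant.t >= deadline:
            if step.fallback and not fallback_used:
                fallback_used = True
                plant.command(step.fallback)
                deadline = plant.t + step.upper   # the backup gets its own window
            else:
                return "failed", elapsed, fallback_used


def run(plant, steps=ENTRY_SEQUENCE):
    """Execute the sequence, stopping at the first failed step; returns the per-step log."""
    log = []
    for step in steps:
        status, elapsed, fallback_used = execute_step(plant, step)
        log.append((step.name, status, elapsed, fallback_used))
        if status != "ok":
            break
    return log


if __name__ == "__main__":
    for fail in (False, True):
        print("primary latch fails" if fail else "nominal")
        for entry in run(Plant(fail_primary_latch=fail)):
            print("  %-40s %-6s %8.1f s  fallback=%s" % entry)
```

Compare this with the time-tagged listing earlier in the deck: the executive never waits a fixed number of seconds for the engine, it waits for the plant to report `standby` and only treats the step as failed when the upper bound passes. The backup pyro is issued by the same mechanism, so the off-nominal path is part of the specification rather than a separate hard-coded fault-protection module.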