Modelbased Programming of Fault Aware Systems

1
Model-based Programmingof Fault Aware Systems

• Brian C. Williams
• CSAIL, MIT

2
Three Challenges

• Creating Fault-Aware Systems
• Elevating Programming to Coaching
• Programming Robust Dexterous Explorers

3
2. Elevating Programming to Coaching
Target
Day 4 During the Day Science Activities
Three Days to Find a Rock
Courtesy JPL, NASA ARC
4
3. Programming Robust Dexterous Explorers
5
Creating Fault-Aware SystemsGrabbing Success
From the Jaws of Failure

• Mars Exploration Rovers
• Uploaded software patch shortly before entry,
  descent and landing.
• Memory leak crashes processor shortly after
  landing.
• Dragging wheel
• Stuck in sand trap.

• Subtle interactions between software, digital
  hardware, analog hardware and environment.
• Frequent novel failures.
• Couplings are too vast to pre-enumerate.

Courtesy JPL
6
Executable Specifications OfferA Starting Point
For Robustness

• Embedded programs interact withplant sensors and
  actuators
• Read sensors
• Set actuators

• Issue
• State mapping implicit in specification.
• Difficult to catch specification errors
• Limited flexibility to adapt at run-time

Programmer must map between state and
sensors/actuators.
7
Model-based Programs Interact Directly with State

• Model-based programs interact with plant state
• Read state
• Write state

• Embedded programs interact withplant sensors and
  actuators
• Read sensors
• Set actuators

Model-basedEmbedded Program
S Plant
Programmer must map between state and
sensors/actuators.
Model-based executive maps between state and
sensors/actuators.
? Produces executable specifications that are
state and fault aware.
8
Model-based Programmingof Fault Aware Systems

• Model-based programming languages elevate the
  programmingtask to state-based storyboarding and
  modeling.
• System engineers program their high-level
  intentions in terms of how they would like the
  state of the world to evolve.
• Programmers describe the embedded world using
  commonsense models of normal and faulty
  behavior.
• Model-based Executives implement these intentions
  by reasoning on the fly and at compile time.
• They continually hypothesize the likely states of
  the world, given what they observe.
• They continually plan and execute actions in
  order to achieve the programmers intentions
  robustly.

9
ExampleCassini and Deep Space One
10
Deep Space 1 Remote Agent Experiment

• Given Goal Specification and Declarative Models
  (HW,Ops)
• May 17-18th experiment Mission-level Fault
  Protection
• Generate plan for course correction and thrust
• Diagnose camera as stuck on
• Power constraints violated, abort current plan
  and replan
• Perform optical navigation
• Perform ion propulsion thrust
• May 21th experiment Engineering-level Fault
  Protection
• Diagnose faulty device and
• Repair by issuing reset.
• Diagnose switch sensor failure.
• Determine harmless, and continue plan.
• Diagnose thruster stuck closed and
• Repair by switching to alternate method of
  thrusting.
• Back to back planning

RA was a toolbox, not a seamless language
11
Orbital Insertion Example
Turn camera off and engine on
EngineA
EngineB
EngineA
EngineB
Science Camera
Science Camera
12
Titan Model-based Executive
RMPL Model-based Program
Control Sequencer
Control Program
Generates target goal states conditioned on state
estimates

• Executes concurrently
• Preempts
• Queries (hidden) states
• Asserts (hidden) state

System Model
State goals
State estimates
Deductive Controller
Commands
Observations
Plant
13
Titan Model-based Executive
RMPL Model-based Program
Control Sequencer
Control Program
Generates target goal states conditioned on state
estimates

• Executes concurrently
• Preempts
• Queries (hidden) states
• Asserts (hidden) state

System Model
State goals
State estimates
Deductive Controller
Commands
Observations
Plant
Probabilistic constraint automata (PCA)
14
Example The model-based program sets engine
firing, and the deductive controller . . . .
Mode Estimation
Mode Reconfiguration
Mode Reconfiguration
Mode Estimation
15
Titan Model-based Executive
RMPL Model-based Program
Control Sequencer
Control Program
Control Sequencer Generates goal states
conditioned on state estimates

• Executes concurrently
• Preempts
• Asserts and queries states
• Chooses based on reward

State goals
State estimates
System Model
Deductive Controller
Commands
Observations
Plant
16
Possible BehaviorsVisualized by a Trellis Diagram
The Plants Behavior

• Probability clustered around few states.
• Encode trellis diagram symbolically.
• Enumerate only k most likely states, by
  exploiting conditional independence.
• Enumeration framed as Optimal CSP.

17
Diagnosing Complex Systems
Mars Polar Lander
Mission lost due to interaction between software
monitors and Hall effect sensors.

• Challenges
• Monitor complex hardware/software behaviors
• Delayed symptoms
• Monitoring efficiency

18
Vision-based Navigation Scenario
MERS Rover Testbed
Poweroff
Probability
Time
0
Power On and Take Picture
19
Modeling Complex Processes
Mikaelian, Williams Martin, AAAI 05
PHCA
Embedded Program (Esterel) ? Hierarchical
Automata Probabilistic Constraint
? Hierarchical Probabilistic Program
(RMPL) Constraint Automata PHCA
PCA HCA from plant model from control
program
20
Mapping Probabilistic Embedded Programs (RMPL)to
Hierarchical Probabilistic Constraint Automata
21
Diagnostic Process
Mikaelian, Williams Martin, AAAI 05
PHCA
22
Delayed Symptoms Encode PHCA as an N-stage
Filter Based on an Optimal CSP
Observable variables command, Power State
(location) variables Off, On, Broken Auxiliary
variables encoding transition constraints
(multiple simultaneous transitions may be
possible per PHCA) T1-T7 Edges/brackets
indicate constraints among variables
23
Diagnostic Process
Mikaelian, Williams Martin, AAAI 05
Cost based on Viterbi
Tree Decomp Implicate Gen
N-Stage OCSP/COP
PHCA
Offline compilation phase
Online solution phase

• Lazy Dynamic Programming
• Set-based BB w ADDs
• Forward Conflict-directed BF Search

24
Demonstration Scenarios
NASA Earth Observing One (EO-1) Models
MIT SPHERES Testbed Models

• Advanced Land Imager
• Hyperion Instrument
• Wideband Advanced Recorder Processor
• EO-1 (12 components)

• Global Metrology Subsystem
• SPHERES 1 (5 components)
• SPHERES 2 (18 components)

25
Results Online
(1.6 GHz Pentium M)
Solver Sachenbacher and Williams, CP 2004
26
Recovering From Failure
27
Hybrid Estimation

• Hybrid case estimate hybrid state from noisy
  observations

• Hybrid probabilistic constraint automata
• Stochastic transitions between discrete modes
• Different continuous dynamics for each mode

28
Kalman Filters Track Subset of Trajectories
Blackmore, Funiak, Williams AAAAI 05
t 0
t 1
t 2









29
Mixed Greedy/Stochastic Sampling

• K-best performs best for concentrated priors.
• Rao-Blackwell particle filtering performs best
  for flat prior.
• Mixed strategy, balances best of both.

• Concentrated Posterior

• Flat Posterior

30
Estimation Results

• Transfer scenario

31
Estimation Results

• Stuck scenario

32
Commanding as Coaching Finding a Rock in Less
than Three Days
Target
Day 4 During the Day Science Activities
Courtesy JPL, NASA ARC
33
Model-Predictive Method Selection

• To ensure safe, optimal execution, the control
  sequencer
• Receives descriptions of possible contingencies.
• Dynamically selects consistent methods over
  future horizon,
• Adapts to uncertainty by selecting execution
  times dynamically,
• Monitors outcomes and plans contingencies.

Continuous Temporal Planner
Control Program
Plan Runner
control sequencer
Commands
Observables
deductive controller
34
Control Sequencer Continually Searches for
Optimal Consistent Threads of Execution
imageScienceTargets(Rover1, Rover2)
5,10 Rover1.goto(p4) choose
do 5,10
Rover1.goto(p5)
maintaining( site1 ? obstructed)
2,5 Rover1.imageTargets()
2,5 Rover1.imageTargets()
5,10 Rover1.goto(p5)
5,10
Rover1.goto(p3) , 5,10
Rover2.goto(p1) choose
do 2,5 Rover2.imageTargets()
maintaining ( site1 ? obstructed)
5,10 Rover2.goto(p2)
5,10 Rover2.goto(p3)
5,10 Rover2.goto(p2)
5,10 Rover2.goto(p3)
2,5 Rover2.imageTargets()
p4
p5
p1
p2
p3
Ask site1 ? obstructed
Rover1.goto(p5)
Rover1.imageTargets
Rover1.goto(p3)
Start
End
Rover1.imageTargets
Rover1.goto(p5)
Rover1.goto(p4)
Throw Type imageTargets Reason site1
obstructed
Ask site1 ? obstructed
Rover2.imageTargets
Rover2.goto(p2)
Rover2.goto(p1)
Rover2.goto(p3)
Rover2.goto(p2)
Rover2.goto(p3)
Catch Type imageTargets Handler
Rover1.goto(p4) Tell site1 obstructed
Rover2.imageTargets
obstructed
Tell site1 ? obstructed
35
A Walk on Mars
36
Model-based Programs Specify Qualitative Gaits

• Muybridge, 1955
• Stop-action photographic study of human and
  animal motion
• Gaits depicted as sequences of distinct
  qualitative poses

Flexible spatial and temporal constraints
37
Hybrid executive coordinates controllers - to
sequence biped through qualitative state plan
Executive is like a marionetteer
38
Nominal Walking

• Allows for linearizing controllers that decouple
  state variables and makes them directly
  controllable
• Hofmann, et al 2004

• Angular momentum tightly conserved during normal
  walking

39
Feasible trajectories must go through goal regions
40
Flow tubes denote all feasible trajectories
41

• Center of Mass CM tube constrained by foot
  position tubes
• Foot positions define support polygon..
• Center of foot Pressure CP constrained to be
  inside support polygon.
• CM coupled to CP.

42
Disturbance displaces trajectory in state space

• Dispatcher selects trajectory within tubes
  online.
• If disturbance not too large, displacement stays
  in tube.
• Activity still executes successfully.

43
Disturbance displaces trajectory in state space

• If disturbance too large, trajectory pushed
  outside tube.
• Goal region not achievable at the required time.
• Plan failure detected immediately leaving more
  room for recovery.

44
(No Transcript)
45
Self-repairing
Coached
Model-based Executive
RMPL Model-based Program
Control Sequencer
Control Program

• Executes concurrently
• Preempts
• Queries (hidden) states
• Asserts (hidden) state

System Model
State goals
State estimates
Mode Reconfiguration
Mode Estimation
Commands
Observations
Plant
46
Model-based Programming

• Provides a programmer idealization in which
  state is directly observable, while managing
  robustness automatically.
• A wide range of systems can be modeled and
  reasoned about using variants of constraint
  automata
• Probabilistic, decision-theoretic, timed,
  hierarchical, hybrid.
• Execution reasons over abstract descriptions of
  possible trajectories over a limited horizon.
• Symbolic trellis, temporal plan networks, flow
  tubes.
• High performance achievable through Forward,
  Conflict-directed Optimal Search