Copyright B. Williams 16.412J/6.834J, Fall 03

Four launches in 7 months
• Mars Climate Orbiter: 12/11/98
• Mars Polar Lander: 1/3/99
• Stardust: 2/7/99
• QuikSCAT: 6/19/98
courtesy of JPL

Mars Polar Lander Failure
Leading Diagnosis:
• Legs deployed during descent.
• Noise spike on leg sensors latched by software monitors.
• Laser altimeter registers 40m.
• Begins polling leg monitors to determine touchdown.
• Latched noise spike read as touchdown.
• Engine shutdown at ~40m.
Programmers often make commonsense mistakes when reasoning about hidden state.
Objective: Support programmers with embedded languages that avoid these mistakes, by reasoning about hidden state automatically.
Reactive Model-based Programming Language (RMPL)
Image courtesy of JPL
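
The latched-spike sequence in the leading diagnosis, replayed as an added Python example (not flight code and not from the lecture). The descent trace, the function names and the guarded variant are assumptions made for illustration; only the 40 m polling threshold comes from the slide.

```python
# Constructed descent trace: (altitude in metres, raw leg-sensor reading).
# The single True at 1500 m stands in for the noise spike at leg deployment;
# every altitude except the 40 m polling threshold is illustrative.
TRACE = [(1500, True), (1000, False), (200, False), (40, False),
         (20, False), (5, False), (0, True), (0, True)]

POLL_ALTITUDE_M = 40  # from the slide: polling starts when the altimeter reads 40 m


def shutdown_altitude_latched(trace):
    """Flawed monitor: latches any True ever seen, then polls the latch."""
    latched = False
    for altitude, sensor in trace:
        latched = latched or sensor       # hidden state that is never cleared
        if altitude <= POLL_ALTITUDE_M and latched:
            return altitude               # engine shutdown commanded here
    return None


def shutdown_altitude_guarded(trace, persist=2):
    """Guarded monitor (assumed mitigation): discard readings taken before
    polling is enabled and require `persist` consecutive True samples."""
    consecutive = 0
    for altitude, sensor in trace:
        if altitude > POLL_ALTITUDE_M:
            continue                      # history before polling is ignored
        consecutive = consecutive + 1 if sensor else 0
        if consecutive >= persist:
            return altitude
    return None


def spike_only_trace():
    """Same descent with the real touchdown samples removed."""
    return [(alt, s and alt > POLL_ALTITUDE_M) for alt, s in TRACE]


if __name__ == "__main__":
    print("latched monitor shuts down at", shutdown_altitude_latched(TRACE), "m")
    print("guarded monitor shuts down at", shutdown_altitude_guarded(TRACE), "m")
```

The latched monitor acts on a reading taken long before polling began, which is the hidden state the slide refers to; the guarded monitor only acts on evidence gathered while polling is active.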
Traditional spacecraft commanding

GS,SITURN,490UA,BOTH,96-355/03:42:00.000;
CMD,7GYON, 490UA412A4A,BOTH, 96-355/03:47:00:000, ON;
CMD,7MODE, 490UA412A4B,BOTH, 96-355/03:47:02:000, INT;
CMD,6SVPM, 490UA412A6A,BOTH, 96-355/03:48:30:000, 2 ;
CMD,7ALRT, 490UA412A4C,BOTH, 96-355/03:50:32:000, 6 ;
CMD,7SAFE, 490UA412A4D,BOTH, 96-355/03:52:00:000, UNSTOW;
CMD,6ASSAN, 490UA412A6B,BOTH, 96-355/03:56:08:000, GV,153,IMM,231, GV,153;
CMD,7VECT, 490UA412A4E,BOTH, 96-355/03:56:10.000, 0,191.5,6.5, 0.0,0.0,0.0, 96-350/ 00:00:00.000,MVR;
SEB,SCTEST, 490UA412A23A,BOTH, 96-355/03:56:12.000, SYS1,NPERR;
CMD,7TURN, 490UA412A4F,BOTH, 96-355/03:56:14.000, 1,MVR;
MISC,NOTE, 490UA412A99A,, 96-355/04:00:00.000, ,START OF TURN;,
CMD,7STAR, 490UA412A406A4A,BOTH 96-355/04:00:02.000, 7,1701, 278.813999,38.74;
CMD,7STAR, 490UA412A406A4B,BOTH, 96-355/04:00:04.000, 8,350,120.455999, -39.8612;
CMD,7STAR, 490UA412A406A4C,BOTH, 96-355/04:00:06.000, 9,875,114.162, 5.341;
CMD,7STAR, 490UA412A406A4D,BOTH, 96-355/04:00:08.000, 10,159,27.239, 89.028999;
CMD,7STAR, 490UA412A406A4E,BOTH, 96-355/04:00:10.000, 11,0,0.0,0.0;
CMD,7STAR, 490UA412A406A4F,BOTH, 96-355/04:00:12.000, 21,0,0.0,0.0;

What Makes this Difficult: Cassini Case Study
courtesy JPL
Reasoning through interactions is complex
[Figure labels: Helium tank, Oxidizer tank, Fuel tank, Main Engines; Flow1 = zero, Pressure1 = nominal, Pressure2 = nominal, Acceleration = zero]

Houston, we have a problem ...
• Quintuple fault occurs (three shorts, tank-line and pressure jacket burst, panel flies off).
• Mattingly works in ground simulator to identify new sequence handling severe power limitations.
• Mattingly identifies novel reconfiguration, exploiting LEM batteries for power.
• Swigert & Lovell follow novel procedure to repair Apollo 13 lithium hydroxide unit.
Survival can require replanning the complete mission on the fly.
courtesy of NASA
Challenge: Thinking Through Interactions
Programmers must reason through system-wide interactions to generate code for:
• command confirmation
• goal tracking
• detecting anomalies
• isolating faults
• diagnosing causes
• hardware reconfig
• fault recovery
• safing
• fault avoidance
• control coordination
Equally problematic at mission operations level

Outline
• Motivation
• Model-based autonomous systems
• Remote Agent Example
Course Objective 2
• To understand fundamental methods for creating the major components of intelligent embedded systems.
[Figure labels: Plan Monitor & Execute Diagnosis]

Model-based Autonomy
Programmers generate breadth of functions from commonsense models in light of mission goals.
• Model-based Programming
  • Program by specifying commonsense, compositional declarative models.
• Model-based Planning, Execution and Monitoring
  • Provide services that reason through each type of system interaction from models.
  • On-the-fly reasoning requires significant search & deduction within the reactive control loop.