On-board Timeline Validation and Repair: A Feasibility Study
Maria Fox, Derek Long (University of Strathclyde, Glasgow, UK)
Les Baldwin, Graham Wilson, Mark Woods (SciSys Ltd, UK)
Davide Jameux (ESA, Netherlands)
Ruth Aylett (Heriot-Watt University, Edinburgh, UK)
Background
• MMOPS: Mars-Mission On-board Planner and Scheduler
• ESA funded project to develop a demonstrator
• Show potential on-board capabilities for autonomous plan repair using Beagle 2 on-board software
Context
• Scientists identify objectives and propose activities
– Priorities set by lead scientist(s)
– Constraints generally implicit (eg ordering and dependencies between activities)
• Lander Operations personnel construct a plan (timeline), integrating proposed science activities and lander-oriented activities over a predetermined interval
• Plan downlinked to lander; lander attempts execution
– Plan might execute successfully
– Plan might fail during execution and lander enter safe mode
• Results uplinked for return to ground staff and analysis
Typical Operations Sequence
[Figure: sol-by-sol operations chart over sols i, j, k, l. Rows: Time; FCT (Plan, Execute); Evaluate/Exploit/Support Teams (MPT, MET, GOT). In each sol the FCT checks the lander state, generates the next plan, sends it, and the lander executes the current plan and returns its data; in parallel, one sol behind, the MPT/MET/GOT check the previous plan's execution, generate its science products and analyse its science results. Legend: 99 => Experiment 99.]
Sequence with failure
[Figure: the same chart with a failure ("Bang!") during execution of plan j. Sol j: return data j, analyse failure, identify diagnostics, generate diagnostic plan k, send plan k. Sol k: execute diagnostic plan k, return data k, analyse diagnostic data, identify repairs, send no plan; generate reduced plan l. Sol l: execute reduced plan l, return data l, generate repair plan m, send plan m. The evaluation teams' science products and results stop at sol i. Legend: 99 => Experiment 99; Z => Diagnostic Z.]
On-board Autonomy
[Figure: spectrum of on-board autonomy levels, each shown against time t: Pre-Planned (Event/Action OBCP); Priority/Constraint Based (Priorities & Constraints, Opportunities; TVCR); Adaptive; Goal Orientated (Goals, Planner).]
Target Problems
• Isolation of plan failure
– Protect the remainder of the plan
• Over-subscription
– Reduce planned activity to avoid use of over-subscribed resources
• Under-subscription
– Attempt to exploit potential opportunities to make use of under-subscribed resources
Ground-based and On-board Partnership
[Figure: Ground Operations: ConTool performs timeline construction (primary timeline plus opportunity fragments); the packaged data is sent as a standard timeline downlink. On-board Operations: on-board software invoking TVCR.]
Using CONTOOL
• Timeline constructed, but now annotated: constraints made explicit
• Additional timeline fragments are then added: opportunities
• Further constraints are added:
– Ordering constraints between opportunities themselves and between opportunities and fragments in the main timeline
– Dependencies
– Mutual exclusions (pairs of fragments which should not both be executed)
– Priorities
• Ordering between activities or connected elements of a timeline (fragments)
• Dependencies between activities or fragments (eg the rock surface should only be ground if the microscope successfully imaged it beforehand)
Opportunities: Features
• Opportunities are designed as consistent self-contained timeline fragments
• Fragments generally represent subplans needed for future operations
• Often generic fragments capturing an experimental process consisting of multiple activities, so reusable
• Opportunities are designed on the ground, by operations personnel
• Constraints make explicit relationships required of lander operations by both scientists and operations personnel
Exploiting Opportunities
• If an activity fails during execution, a new fragment can be executed – an opportunity
– Failed fragments are removed from the plan, together with fragments that depend on them
• Opportunities are selected:
– to respect the existing resource constraints within the current timeline
– according to priority and according to the constraints between them and with main plan fragments
• Execution of the main plan remains highest priority
• Opportunities are only selected from those identified and constructed by operations personnel
[Figure: repair cycle: Timeline validated -> Flaw identified -> Broken elements removed -> Opportunity considered -> Opportunity inserted -> Constraints checked]
Operations with TVCR
[Figure: the failure scenario with TVCR on board. Sol j: failure ("Bang!") during plan j; the lander executes the viable parts of plan j together with diagnostics and opportunities, and returns data j; on the ground, generate diagnostics & opportunities, generate repair plan k, send plan k. Sol k: execute repair plan k, return data k; analyse diagnostic data, identify repairs, generate plan l, send plan l. Sol l: execute plan l, return data l, generate plan m, send plan m. The evaluation teams keep checking plan execution and generating and analysing science products and results for sols h, i, j and k. Legend: 99 => Experiment 99; Z => Diagnostic or Opportunity Z.]
On-board: TVCR
• TVCR: Timeline Validation, Control and Repair
– a module invoked by on-board software
• Requirements of TVCR:
– The timeline, fragments and constraints constructed on the ground
– A model of the activities
  • Preconditions for execution; effects on execution
  • Built once – unlikely to change
– A view of the current state
  • At level of abstraction used by activity models
  • Built on-board using diagnosis of sensor signals
TVCR Architecture
[Figure: TVCR, primed with activity models, receives the timeline, opportunities and constraints together with the sensed state. It sits alongside the on-board control software within the on-board software; the on-board control software drives the lander hardware systems.]
TVCR: Behaviours
• On validate request:
– Validate newly entered timeline from the current state
– Report anticipated failures and causes
• On control request:
– Validate current remaining fragment of timeline from current state
• On repair request:
– If the current timeline is predicted to fail and there is time to react before the next action, construct a new timeline
– Remove broken fragments
– Insert opportunities
Taking Opportunities
• When opportunities can be added to a timeline, choices often exist:
– Which opportunities to add
– Where to add them
• Use a bounded search
– Not a full search: save space and time and ensure bounded termination
– Not guaranteed to find optimal repairs in terms of opportunities added
– Greedy approach to opportunity insertion
– Fallback position: execute the fragments of the original main plan that are still valid (repairs to link activities where fragments removed)
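The validate / control / repair behaviours, the dependency and mutual-exclusion constraints from the CONTOOL slides, the removal of failed fragments together with their dependants, and the bounded greedy opportunity search above, as one added example in Python. This is an illustration written for this page, not the MMOPS/SciSys TVCR code and not the Beagle 2 activity model; the fragment ids, activity names, resource costs, budget and state facts (such as mossbauer_ok) are constructed, and a STRIPS-like activity model (precondition facts, added facts, consumable per-resource costs summed over the timeline) stands in for the activity models the slides describe but do not detail.

```python
"""Toy TVCR-style timeline validation and repair (added illustration, not MMOPS/SciSys code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Activity:                           # activity model: preconditions, effects, resource use
    name: str
    pre: FrozenSet[str] = frozenset()     # facts that must hold before execution
    add: FrozenSet[str] = frozenset()     # facts made true by execution
    cost: Dict[str, int] = field(default_factory=dict)  # consumable resource use


@dataclass(frozen=True)
class Fragment:                           # self-contained timeline fragment plus its constraints
    fid: str
    activities: Tuple[Activity, ...]
    priority: int = 0                     # opportunities only: higher is preferred
    depends_on: FrozenSet[str] = frozenset()  # must precede this fragment and succeed
    excludes: FrozenSet[str] = frozenset()    # may not share a timeline with this fragment


def validate(timeline: List[Fragment], state: Set[str], budget: Dict[str, int],
             done: FrozenSet[str] = frozenset()) -> list:
    """Simulate `timeline` from the sensed `state` (`done`: fragments already executed, as on
    a control request); return (fragment id, activity name or None, reason) per anticipated
    failure. A failed fragment has no effects, so fragments depending on it are flagged too."""
    facts, used, ok_ids, failures = set(state), dict.fromkeys(budget, 0), set(done), []
    for frag in timeline:
        missing = frag.depends_on - ok_ids
        clash = sorted(o.fid for o in timeline if o.fid != frag.fid
                       and (o.fid in frag.excludes or frag.fid in o.excludes))
        if missing or clash:
            failures.append((frag.fid, None, f"depends on {sorted(missing)}" if missing
                             else f"mutually exclusive with {clash}"))
            continue
        reason = None
        for a in frag.activities:
            lacking = a.pre - facts
            over = [r for r, c in a.cost.items() if used.get(r, 0) + c > budget.get(r, 0)]
            if lacking or over:
                reason = (a.name, f"precondition {sorted(lacking)} unsatisfied" if lacking
                          else f"over-subscribed {over}")
                break
            for r, c in a.cost.items():
                used[r] = used.get(r, 0) + c
            facts |= a.add
        if reason:
            failures.append((frag.fid, *reason))
        else:
            ok_ids.add(frag.fid)
    return failures


def remove_broken(timeline, failed):
    """Drop failed fragments and, transitively, everything that depends on them."""
    removed = set(failed)
    while more := {f.fid for f in timeline if f.fid not in removed and f.depends_on & removed}:
        removed |= more
    return [f for f in timeline if f.fid not in removed], removed


def insert_opportunities(timeline, opportunities, state, budget):
    """Bounded greedy insertion: opportunities in descending priority, each tried at every
    position (latest first) and kept at the first that validates. No backtracking, so at most
    len(opportunities) * (len(timeline) + 1) simulations, but the result need not be optimal."""
    current, inserted = list(timeline), []
    for opp in sorted(opportunities, key=lambda o: -o.priority):
        for pos in range(len(current), -1, -1):
            candidate = current[:pos] + [opp] + current[pos:]
            if not validate(candidate, state, budget):
                current, inserted = candidate, inserted + [opp.fid]
                break
    return current, inserted


def repair(timeline, opportunities, state, budget):
    """Repair request: strip broken fragments until the remainder validates (the fallback
    plan), then fill the freed resources with opportunities."""
    kept, removed = list(timeline), set()
    while failures := validate(kept, state, budget):
        kept, gone = remove_broken(kept, {fid for fid, _, _ in failures})
        removed |= gone
    repaired, inserted = insert_opportunities(kept, opportunities, state, budget)
    return repaired, removed, inserted


# Constructed sample data, loosely modelled on the two-Mössbauer test case (not Beagle 2 data).
def act(name, pre=(), add=(), **cost):
    return Activity(name, frozenset(pre), frozenset(add), cost=cost)

MOSS = ["arm_deployed", "mossbauer_ok"]
MAIN = [
    Fragment("F1", (act("deploy_arm", add=["arm_deployed"], energy=5),)),
    Fragment("F2", (act("mossbauer_1", MOSS, ["moss_data_1"], energy=30, downlink=20),), depends_on=frozenset({"F1"})),
    Fragment("F3", (act("mossbauer_2", MOSS, ["moss_data_2"], energy=30, downlink=20),), depends_on=frozenset({"F1"})),
    Fragment("F4", (act("grind_rock", ["moss_data_1"], energy=20),), depends_on=frozenset({"F2"})),
]
OPPS = [  # O1 needs most of the downlink budget; O3 is an alternative to O2, never both
    Fragment("O1", (act("panorama", ["camera_ok"], energy=40, downlink=95),), priority=1),
    Fragment("O2", (act("env_suite", ["env_ok"], ["env_data"], energy=15, downlink=10),), priority=2),
    Fragment("O3", (act("env_suite_repeat", ["env_ok"], energy=15, downlink=10),), priority=1, excludes=frozenset({"O2"})),
]
BUDGET = {"energy": 100, "downlink": 100}
HEALTHY = {"mossbauer_ok", "env_ok", "camera_ok"}
DEGRADED = HEALTHY - {"mossbauer_ok"}  # sensed state once the Mössbauer has signalled a fault
```

With the HEALTHY state the uplinked timeline validates clean and repair only fills the spare budget with the environmental-suite opportunity (under-subscription). With the DEGRADED state, validate anticipates that both Mössbauer fragments fail on their precondition and that grind_rock fails by dependency; repair strips all three, then the greedy pass adds the higher-priority environmental suite, rejects the panorama because it would over-subscribe downlink, and rejects the repeat suite because it is mutually exclusive with the fragment just inserted. The `done` argument covers the control request, where only the remaining fragment of the timeline is re-validated against fragments that already executed. Trying positions latest-first is one defensible placement rule; the slides leave the choice of where to insert open.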
Example Test Case
• A timeline is planned including two Mössbauer experiments
• During the first experiment, the Mössbauer signals a failure…
• Repair removes second Mössbauer experiment and related activities
• Opportunities are considered in priority order and one is identified as a candidate for insertion
– The opportunity selected is an environmental sensor suite experiment
• The timeline is repaired by the addition of the opportunity and connecting activities
• New downlink schedule is recorded
Example Repair
• Failed fragment removed from timeline
• Benefits
– After first failure, timeline continues execution
– Subsequent expected failure anticipated by TVCR and isolated
– Timeline executes successfully to conclusion
– Science data is collected during execution of parts of this timeline that would otherwise be aborted
Example Repair
• Broken fragment removed and opportunity fragment added
• Benefits:
– Timeline successfully executes to completion
– Broken fragments do not cause timeline to abort
– Broken fragment removed and replaced with valid opportunity fragment
– Resources are utilised and science data gathered
– Downlink schedule modified to allow for new data log
Conclusions
• Successful demonstration of a level of autonomy that lies between reactive responses and full on-board planning
• Demonstrable benefits for science gathering
• Conservative approach reduces risks and makes it more attractive to operations personnel