Fault Aware Systems. Model-based Programming and Diagnosis Brian c. williams 16412J/6.834J March 8th. 2004 courtesy of JPL nes Four launches in 7 months MERS CSAIL Mars climate orbiter: 12/11/98 Mars polar lander: 1/3/99 Stardust: 2/7/99 Quickscat: 6/19/98 courtesy of JPL
courtesy of JPL Fault Aware Systems: Model-based Programming and Diagnosis Brian C. Williams 16.412J/6.834J March 8th, 2004 Brian C. Williams, copyright 2000 Four launches in 7 months Mars Climate Orbiter: 12/11/98 Mars Polar Lander: 1/3/99 Stardust: 2/7/99 QuickSCAT: 6/19/98 courtesy of JPL
Outline MERS CSAIL Fault aware Systems and Model-based Programming Model-based Diagnosis Multiple-fault Diagnosis based on Conflicts Mode estimation tlaa Why model-based Programming? MERS Leading Diagnosis .Legs deployed during descent loise spike on leg senso latched by monitors Laser altimeter registers 50ft Begins polling leg monitors to determine touch down Latched noise spike read as Image courtesy of JPL touchdown Engine shutdown at -50ft Mars 98 Climate Orbiter · Mars polar lander Create Embedded Languages That Reason on the fl from Commonsense models
Outline • Fault Aware Systems and Model-based Programming • Model-based Diagnosis • Multiple-fault Diagnosis based on Conflicts • Mode Estimation Why Model-based Programming? Create Embedded Languages That Reason on the Fly from Commonsense Models Leading Diagnosis: •Legs deployed during descent. • Noise spike on leg sensors latched by monitors. • Laser altimeter registers 50ft. • Begins polling leg monitors to determine touch down. • Latched noise spike read as touchdown. • Engine shutdown at ~50ft. Mars 98: • Climate Orbiter • Mars Polar Lander Image courtesy of JPL
MERS CSAIL WORLD observations Plant actions P(S sense act Diagnostic Agent AGENT · Monitors diagnoses Repairs avoids Symptom-based Probes and tests Consistency-based Model-based Programs MERS CsAIL Interact Directly with State Embedded programs interact with Model-based programs plant sensors/actuators interact with plant state · Read sensors Read state Set actuators Write state ,,, Model-based Embedded Program Embedded Program obs Cntrl Plant Plant Programmer must map between Model-based executive maps state and sensors/actuators between sensors actuators to states
sense P(s) WORLD observations actions AGENT Diagnostic Agent: • Monitors & Diagnoses • Repairs & Avoids • Probes and Tests Plant act Symptom-based Consistency-based Model-based Programs Interact Directly with State Embedded programs interact with plant sensors/actuators: • Read sensors • Set actuators Model-based programs interact with plant state: • Read state • Write state Embedded Program S Plant Obs Cntrl Model-based Embedded Program S Plant Programmer must map between state and sensors/actuators. Model-based executive maps between sensors, actuators to states
RMPL Model-based Program Titan model-based executive Control Program Executes concurrently Generates target goal states Preempts Queries(hidden) states conditioned on state estimates Asserts(hidden)state System Model State estimate State goals Track Tracks least likely plant states cost goal states Valve Open C 001-Ng Stuck Stuck Closed inflow=gclosed/ Observations Commands Plant MERS CSAIL Orbital Insertion Example Turn camera off and engine on 自自 Engine Engine EngineA Engine Science camera Science Camera
Control Sequencer Deductive Controller System Model Observations Commands Control Program Plant RMPL Model-based Program Titan Model-based Executive State estimates State goals Generates target goal states conditioned on state estimates Mode Estimation Mode Reconfiguration Tracks likely plant states Tracks least cost goal states z Executes concurrently z Preempts z Queries (hidden) states z Asserts (hidden) state Closed Valve Open Stuck open Stuck closed Open Close 0. 01 0. 01 0.01 0.01 inflow = outflow = 0 Orbital Insertion Example EngineA EngineB Science Camera Turn camera off and engine on EngineA EngineB Science Camera
Model-based Program MERS CSAIL Control program specifies Orbitinserto: state trajectories (do-watching((EngineA= Thrusting) OR (EngineB= Thrusting)) fires one of two engines (parallel sets both engines to standby (EngineA= Standby) ngineB Standby) prior to firing engine, camera must be turned off to avoid plume contamination (do-watching(EngineA=Failed) (when-donext((EngineA= Standby) AND in case of primary engine failure, fire (Camera=Off) backup engine instead (Engine= Thrusting)) (when-donext((EngineA= Failed) AND Plant Model describes (EngineB= Standby) AND (Camera=Off)) behavior of each component (EngineB= Thrusting)) Nominal and off nominal qualitative constraints likelihoods and costs Example: The model-based program sets engine=thrusting, and the deductive controller Mode estimation Mode reconfiguration Oxidizer tank Fuel tank →点 Deduces that configuration thrust is off. and the engine is healthy plans actions Deduces that a valve six valves d- stuck closed Determines valves on backup engine that will achieve thrust. and plans needed actions Mode reconfiguration Mode estimation
Model-based Program Control program specifies state trajectories: • fires one of two engines • sets both engines to ‘standby’ • prior to firing engine, camera must be turned off to avoid plume contamination • in case of primary engine failure, fire backup engine instead OrbitInsert():: (do-watching ((EngineA = Thrusting) OR (EngineB = Thrusting)) (parallel (EngineA = Standby) (EngineB = Standby) (Camera = Off) (do-watching (EngineA = Failed) (when-donext ( (EngineA = Standby) AND (Camera = Off) ) (EngineA = Thrusting))) (when-donext ( (EngineA = Failed) AND (EngineB = Standby) AND (Camera = Off) ) (EngineB = Thrusting)))) Plant Model describes behavior of each component: – Nominal and Off nominal – qualitative constraints – likelihoods and costs Example: The model-based program sets engine = thrusting, and the deductive controller . . . . Determines valves on backup engine that will achieve thrust, and plans needed actions. Deduces that a valve failed - stuck closed Selects valve configuration; plans actions to open six valves Oxidizer tank Oxidizer tank Fuel tank Fuel tank Deduces that thrust is off, and the engine is healthy Mode Estimation Mode Reconfiguration Mode Reconfiguration Mode Estimation
Has Executive Manipulates Hidden State MERS CSAIL States not directly observable or controllable Given observations (thrust zero) AND(power in nominal and command history last command issued ="standby-cmd Mode estimation infers →( Engine= Standby) “ hidden state Given state goals (ValveA= Open and estimated state (DriverA =off) AND(ValveA =closed) Mode reconfiguration =Turn on DriverA: [Open ValveA Inters commands Thinking in terms of hidden states"abstracts away complexity of robustly observing and controlling state Model-based executive raises assurance of software by correctly inferring and controlling states RMPL Model-based Program Titan Model-based Executive Control Program Control Sequencer Executes concurrently Generates goal states Pre Asserts and queries states conditioned on stay\ estimates Chooses based on reward State estimates State goals Model Mode lode Estima Tracks likely (do-watching ((EngineAs Firing) State Observations AF) (EASANDCO (do-watching(Eng neA= Fa led) Plant mera=O) EngineA s Firing》) EAF ANDEBS AND CO) twhen-donext((EngineAs Failed)AND Engine= Firing)))) hierarchical constraint utomata on state s
Given observations… and command history… Mode estimation infers “hidden state” Executive Manipulates Hidden State • States not DIRECTLY observable or controllable… (thrust = zero) AND (power_in = nominal) last command issued = “standby last command issued = “standby-cmd” ⇒ (EngineA = Standby) Given state goals … and estimated state … Mode reconfiguration infers “commands” ⇒ [Turn on DriverA]; [Open ValveA] • Thinking in terms of “hidden states” abstracts away complexity of robustly observing and controlling state. • Model-based executive raises assurance of software by correctly inferring and controlling states. (ValveA = Open) (DriverA = off) AND (ValveA = closed) Control Sequencer Deductive Controller System Model Commands Observations Control Program Plant RMPL Model-based Program Titan Model-based Executive State estimates State goals Control Sequencer: Generates goal states conditioned on state estimates Mode Estimation: Tracks likely States Mode Reconfiguration: Tracks least-cost state goals z Executes concurrently z Preempts z Asserts and queries states z Chooses based on reward OrbitInsert():: (do-watching ((EngineA = Firing) OR (EngineB = Firing)) (parallel (EngineA = Standby) (EngineB = Standby) (Camera = Off) (do-watching (EngineA = Failed) (when-donext ( (EngineA = Standby) AND (Camera = Off) ) (EngineA = Firing))) (when-donext ( (EngineA = Failed) AND (EngineB = Standby) AND (Camera = Off) ) (EngineB = Firing)))) MAINTAIN (EAR OR EBR) EBS CO LEGEND: EAS (EngineA = Standby) EAF (EngineA = Failed) EAR (EngineA = Firing) EBS (EngineB = Standby) EBF (EngineB = Failed) EBR (EngineB = Firing) CO (Camera = Off) MAINTAIN (EAF) EAS (EAS AND CO) EAR EAS AND CO (EAF AND EBS AND CO) EBR EAF AND EBS AND CO hierarchical constraint automata on state s
RMPL Model-based Program Titan Model-based executive Control Program Control Sequencer Executes concurrently Generates goal states Preempts conditioned on state estimates Asserts and queries states Chooses based on reward State estimates State goals ystem Model Mod Estimation Reconfiguration Tracks likely Tracks least-cost 空2 Command Valve fails Pla stuck closed Fire backup least cost reachable Current belief State First Action goal state Modeling Complex Behaviors through Probabilistic constraint automata Engine Model Camera model standby (= zerDAN Standby (power in= nominal) os Firing( Complex. discrete behaviors modeled through concurrency, hierarchy and timed transitions Anomalies and uncertainty modeled by probabilistic transitions Physical interactions modeled by discrete and continuous constraints
