Trusted Autonomy for Space Flight Systems

NASA has long supported research on intelligent control technologies that could allow space systems to operate autonomously or with reduced human supervision. Proposed uses range from automated control of entire space vehicles, to mobile robots that assist or substitute for astronauts, to vehicle systems such as life support that interact with other systems in complex ways and require constant vigilance. The potential for pervasive use of such technology to extend the kinds of missions that are possible in practice is well understood, as is its potential to radically improve the robustness, safety and productivity of diverse mission systems.

Despite its acknowledged potential, intelligent control capabilities are rarely used in space flight systems. Perhaps the most famous example of intelligent control on a spacecraft is the Remote Agent system flown on the Deep Space One mission (1998 - 2001). However, even in this case, the role of the intelligent control element, originally intended to have full control of the spacecraft for the duration of the mission, was reduced to having partial control for a two-week non-critical period. Even this level of mission acceptance was exceptional. In most cases, mission managers consider intelligent control systems an unacceptable source of risk and elect not to fly them. Overall, the technology is not trusted.

From the standpoint of those who need to decide whether to incorporate this technology, the lack of trust is easy to understand. Intelligent high-level control means allowing software to make decisions that are too complex for conventional software. The decision-making behavior of these systems is often hard to understand and inspect, and thus hard to evaluate. Moreover, such software is typically designed and implemented either as a research product or custom-built for a particular mission. In the former case, software quality is unlikely to be adequate for flight qualification, and the functionality provided by the system is likely driven largely by the need to publish innovative work. In the latter case, the mission represents the first use of the system, a risky proposition even for relatively simple software.
