Timed model-based programming: executable specifications for robust mission-critical sequences

There is growing demand for high-reliability embedded systems that operate robustly and autonomously in the presence of tight real-time constraints. For robotic spacecraft, robust plan execution is essential during time-critical mission sequences, due to the very short time available for recovery from anomalies. Traditional approaches to encoding these sequences can lead to brittle behavior under off-nominal execution conditions, due to the high level of complexity in the control specification required to manage the complex spacecraft system interactions. This work describes timed model-based programming, a novel approach for encoding and robustly executing mission-critical spacecraft sequences. The timed model-based programming approach addresses the issues of sequence complexity and unanticipated low-level system interactions by allowing control programs to directly read or write “hidden” states of the plant, that is, states that are not directly observable or controllable. It is then the responsibility of the program's execution kernel to map between hidden states and the plant sensors and control variables. This mapping is performed automatically by a deductive controller using a common-sense plant model, freeing the programmer from the error-prone process of reasoning through a complex set of interactions under a range of possible failure situations. Time is central to the execution of mission-critical sequences; a robust executive must consider time in its control and behavior models, in addition to reactively managing complexity. In timed model-based programming, control programs express goals and constraints in terms of both system state and time. Plant models capture the underlying behavior of the system components, including nominal and off-nominal modes, probabilistic transitions, and timed effects such as state transition latency. The contributions of this work are threefold. 
First, a semantic specification of the timed model-based programming approach is provided. The execution semantics of a timed model-based program are defined in terms of legal state evolutions of a physical plant, represented as a factored Partially Observable Semi-Markov Decision Process. The second contribution is the definition of graphical and textual languages for encoding timed control programs and plant models. The adoption of a visual programming paradigm allows timed model-based programs to be specified and readily inspected by the systems engineers in charge of designing the mission-critical sequences. The third contribution is the development of a Timed Model-based Executive, which takes as input a timed control program and executes it, using timed plant models to track states, diagnose faults and generate control actions. The Timed Model-based Executive has been implemented and demonstrated on a representative spacecraft scenario for Mars entry, descent and landing. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
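The following is an added toy example, not code from the thesis or its Timed Model-based Executive, that sketches the idea in Python: a control program states a goal over a hidden plant state, and a small executive tracks a belief over component modes with a plant model that has a probabilistic fault transition and a two-tick latency, issues commands, and reports when it diagnoses a fault or misses its deadline. The valve, its modes, probabilities and sensor model are all constructed for the illustration.

```python
# Toy timed model-based executive, constructed for this example (not the thesis's own
# language or kernel): reach the hidden state "valve = open" by tracking a belief over modes.
# Plant model: mode -> command -> [(next_mode, probability, latency_ticks)].
VALVE_MODEL = {
    "closed": {"open": [("open", 0.95, 2), ("stuck_closed", 0.05, 0)],
               "none": [("closed", 1.0, 0)]},
    "open": {"none": [("open", 1.0, 0)]}, "stuck_closed": {"none": [("stuck_closed", 1.0, 0)]}}
# Sensor model: P(flow reading | mode). Both closed modes look the same to the
# sensor, so the fault is genuinely hidden and must be inferred over time.
OBS_MODEL = {"open": {"flow": 0.98, "no_flow": 0.02}, "closed": {"flow": 0.05, "no_flow": 0.95},
             "stuck_closed": {"flow": 0.05, "no_flow": 0.95}}

def predict(belief, cmd):
    # One plant tick. State = (mode, pending_mode, ticks_left); a timed transition
    # keeps the old mode until its clock runs out, then switches.
    new = {}
    for (mode, pend, left), p in belief.items():
        if left > 0:
            outcomes = [((pend, None, 0) if left == 1 else (mode, pend, left - 1), 1.0)]
        else:
            outcomes = [((nxt, None, 0) if lat == 0 else (mode, nxt, lat), q) for nxt, q, lat
                        in VALVE_MODEL[mode].get(cmd, VALVE_MODEL[mode]["none"])]
        for s, q in outcomes:
            new[s] = new.get(s, 0.0) + p * q
    return new

def update(belief, obs):  # condition on a sensor reading and renormalise
    post = {s: p * OBS_MODEL[s[0]][obs] for s, p in belief.items()}
    z = sum(post.values())
    return {s: p / z for s, p in post.items()}

def most_likely_mode(belief):  # marginalise the latency clocks out
    by_mode = {}
    for (mode, _, _), p in belief.items():
        by_mode[mode] = by_mode.get(mode, 0.0) + p
    return max(by_mode, key=by_mode.get)

def execute(goal, deadline, observations):
    # Control program: achieve valve = goal within `deadline` ticks. Returns
    # (status, trace); trace entries are (tick, estimated_mode, command).
    belief, trace = {("closed", None, 0): 1.0}, []
    for tick, obs in enumerate(observations):
        mode = most_likely_mode(belief)
        if mode == goal or mode == "stuck_closed":
            return ("achieved" if mode == goal else "fault:" + mode), trace
        if tick >= deadline:
            return "deadline_missed", trace
        pending = any(s[2] > 0 and p > 0.5 for s, p in belief.items())
        cmd = "none" if pending else "open"  # wait out an in-flight transition
        trace.append((tick, mode, cmd))
        belief = update(predict(belief, cmd), obs)
    return "deadline_missed", trace
```

With the constructed sensor trace `["no_flow", "no_flow", "flow", "flow"]` the executive commands once, waits out the latency and reports the goal achieved; with persistent `no_flow` readings it concludes the valve is stuck after the latency has elapsed.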
