Upload
parson
View
59
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Contingency Software in Autonomous Systems. NASA OSMA Software Assurance Symposium August 9-11, 2005. Robyn Lutz, JPL/Caltech & ISU Doron Tal, USRA at NASA Ames Ann Patterson-Hine, NASA Ames. - PowerPoint PPT Presentation
Citation preview
SAS_05_Contingency_Lutz_Tal 1
Contingency Software in Autonomous Systems
Robyn Lutz, JPL/Caltech & ISUDoron Tal, USRA at NASA AmesAnn Patterson-Hine, NASA Ames
This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, and at NASA Ames Research Center, under a contract with the National Aeronautics and Space Administration. The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program led by the NASA Software IV&V Facility. This activity is managed locally at JPL through the Assurance and Technology Program Office
NASA OSMA Software Assurance Symposium August 9-11, 2005
SAS_05_Contingency_Lutz_Tal 2
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
Problem
PROBLEM STATEMENT
Autonomous vehicles currently have a limited capacity to diagnose and mitigate failures.
We need to be able to handle a broader range of contingencies (anomalous situations).
GOALS
1. Speed up diagnosis and mitigation of anomalous situations.2. Automatically handle contingencies, not just failures.3. Enable projects to select a degree of autonomy consistent with
their needs and to incrementally introduce more autonomy.4. Augment on-board fault protection with verified contingency scripts
SAS_05_Contingency_Lutz_Tal 3
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSAvailability of Data: High
Autonomous Rotorcraft Project: http://is.arc.nasa.
gov/AR/tasks/ARP.html
SAS_05_Contingency_Lutz_Tal 4
Right Grayscale Camera
Left Grayscale Camera
Color Camera
Vision Computer
Flight Computer
Camera Manager
Stereo Vision Stereo
Conversion to World Frame
StereoPoint Cloud InWorld Frame
Tilt Control
SICKLaser
ImageRectification
R image
L image
L image
Pan/Tilt
Camera PoseMIDG
GPS
3-axis accelerometer
3-axis gyro
Laser Conversion to World Frame
Laser Point Cloud In
World Frame
IMU: 6 DOF
Tilt
6 DOF
6 DOF
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSOverview of Perception Subsystem
Perception is a critical function in systems
requiring obstacle avoidance, threat detection,
science missions and “opportunistic” discovery.
SAS_05_Contingency_Lutz_Tal 5
CLAWFlight Control Laws
DOMSDistributed Messaging
System
GPS
APEXReactive Planner
Telemetry
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSPartial Onboard Architecture
*domsD – DOMS transport daemon
*
Yamaha System
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Perception Instrumentation Onboard Rotorcraft
Gray scale wing tip (stereo vision)
Color Camera
Firewire Hub
Onboard Flight Computer
Left WingRight Wing
Scanning Laser Range Finder (SICK)
RS232
Firewire
SAS_05_Contingency_Lutz_Tal 7
Cases in which the cameras are a critical system:1. Cameras assigned responsibility during nominal ops
• No line of sight -> Camera provides position info2. Cameras are backup when other subsystems fail
• Failed/degraded GPS -> Camera provides position info• Failed/degraded ARP -> Camera provides landing-site data
3. Images as mission objective (surveillance)• Failure of cameras can jeopardize success
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSCamera Criticality
SAS_05_Contingency_Lutz_Tal 8
ARP Functional Requirements:
CurrentPlanned
Contingency Analysis:SFMECA
SFTA
Contingency Planning:Available indicatorsContingency triggers
Contingency responses2-Level (recover/predict)
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Process Overview
1. Brainstorm with UAV team to uncover candidates for software contingencies
Review UAV literature and project reportsLead brainstorming sessions with domain expertsWork with team to identify and prioritize high-concern candidatesSelect top priority candidates
2. Model unit of interest (i.e. cameras, communications systems…)Model system including: Architecture & State diagramVerify models with UAV team
3. Contingency requirements verificationPerform SFMECA and SFTA in context of Obstacle Analysis [RE’05]
4. Analyze testabilityIdentify how each contingency can be detectedPerform SFTAExperiment with assignment of measure of uncertainty
5. Develop recovery strategyDetermine candidate strategies for contingency responses
(prevent/respond/safe)Determine availability of data needed to determine/execute appropriate
contingency6. Prototype contingency in progressively higher fidelity testbeds 7. Monitor contingency performance
SAS_05_Contingency_Lutz_Tal 9
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Analysis
• Used Bi-Directional Safety Analysis to find contingencies• Forward analysis from potential failures to their effects (Software
Failure Modes, Effects & Criticality Analysis)• Backward analysis from failures to contributing causes (Software
Fault Tree Analysis)• Guides to thinking about possible ways to handle contingencies:
• Use “Mitigation” column in SFMECA• Remove leaf nodes from SFTA graphs • Use obstacle resolution patterns [van Lamsweerde & Letier, 2000]
• TEAMS produces a diagnostic tree of checks needed to detect & isolate contingencies, identifies missing checks and recovery action
• “Testability Engineering and Maintenance System”• Modeling & analysis toolset• Won NASA Space Act Award• Used successfully on 2nd generation RLV IVHM risk reduction
program
SAS_05_Contingency_Lutz_Tal 10
Properties for each function, switch & test-point are enteredinto the TEAMS tools
TEAMS builds a Dependency Matrix inwhich each row is a fault source (e.g., a camera that can fail) and each column is a test (e.g., whether we have a good Stereo image).Here, we select the normal or contingencyscenario (camera OK or not) for the analysis.
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSResults
SAS_05_Contingency_Lutz_Tal 11
Executing the Contingency scenario, wecheck that the behavior is correct: left COLOR camera is available (no red slash) & being used; confirm that testscan isolate failure to which camera.
Most useful: the automatic Diagnostic Tree:--Shows best sequence of checks to detect & isolate --Shows indistinguishable failures (“ambiguity groups”)--XML output option is being translated into rotorcraft’s planning language (APEX) to simulate contingencies onthe vehicle
</LABEL> <SYMPTOM /> - <NODE LABEL="1" TYPE="TEST" ID="T.small_stereo_0.1.2.4.0" PASS="YES" FAIL="NO">- <PARA>- <![CDATA[
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSResults
SAS_05_Contingency_Lutz_Tal 12
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
Importance / Benefits
1. Contingency management is essential to the robust operation of complex systems such as spacecraft and Unpiloted Aerial Vehicles (UAVs)
2. Automatic contingency handling allows a faster response to unsafe scenarios, with reduced human intervention
3. Results, applied to the Autonomous Rotorcraft Project and Mars Science Lab, pave the way to more resilient, adaptive autonomous systems
SAS_05_Contingency_Lutz_Tal 13
• Improved contingency handling needed to safely relinquish control of unpiloted vehicles to autonomous controllers
• More autonomous contingency handling needed to support extended mission operations
• Potential applications: Safety-critical UAVs and Mission-critical spacecraft and rovers
Relevance to NASA
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
SAS_05_Contingency_Lutz_Tal 14
Next Steps
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
Autonomous Rotorcraft Project: Continue working with team to expand
and evaluate contingencies for imaging and ranging systemsTechnology Readiness Level:•FY05: 3 (“Experimental demonstration of critical function &/or proof of concept”)•FY06: 4 (“Validation in a lab environment”) on rotorcraft
Mars Science Lab: Update and enhance model for spacecraft pointing
contingencies with domain expertise from software development team
Infusion across NASA: Document process for technology transfer to
other projects
SAS_05_Contingency_Lutz_Tal 15
Backup Slides
SAS_05_Contingency_Lutz_Tal 16
TEAMS uses a hierarchical model of the system:*Boxes are key requirements (stereo processing, etc.)*Squares are switches: using left grayscale camera (nominal) or using left color camera (contingency) *Circles are test-points: #1: check whether has good (unfailed) stereo image #2: check whether good range data
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
SAS_05_Contingency_Lutz_Tal 17
Commfailure
MissionComplete
SW CONTINGENCIES FOR LOSS OF COMMUNICATIONSState Diagram
ContinueMission
TerminateFlight
Fly AutonomousHover mode
Change Heading
Increase Altitude
Check Comm
Commfailure
Commavailable
Insufficient Fuel (failure)
Commavailable
Commfailure
Commfailure
Commavailable
Reroute
Fly to Rally Point
Land
MissionFinished
Check Fuel
Limited Fuel
Commavailable
Sufficient Fuel
Sufficient Fuel
CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS
SAS_05_Contingency_Lutz_Tal 18
Critical Pointing for SpacecraftAutonomous, contingency response for critical scenarios:
•Commandability lost•Before trajectory-correction maneuvers
•Before Entry/Descent/Landing
SAS_05_Contingency_Lutz_Tal 19
What do we know when a “quit-failed” signal occurs?
SAS_05_Contingency_Lutz_Tal 20
What is a contingency?• Contingencies are obstacles to the fulfillment of a system’s high-
level requirements that can arise during real-time operations– Failures: camera fails due to hardware or software problem– Operational situations of concern: lens cap left on means that all
images are black, so can’t land unassisted – Environmental situations of concern: strong crosswind interferes
with imaging, thus with finding landing site• Contingency-handling involves requirements for detecting,
identifying and responding to contingencies.• Contingency handling includes, but extends, traditional fault
protection
SAS_05_Contingency_Lutz_Tal 21
Autonomy• Something previously not done automatically is now done by the
software– Previously done manually, or– Previously could not be done
• Example of incremental autonomy: – Collision avoidance (not hitting buildings)1. Remote control by pilot steering from ground2. Path calculated on ground, loaded into system, path-plan
executed in flight3. Path calculated in flight based on real-time imaging
• Autonomy allows system to detect and respond to a broad class of anomalies in many more ways
SAS_05_Contingency_Lutz_Tal 22
Safety-critical
• Safety-critical: – Requires collision-avoidance – Requires autonomous take-off & landing in
populated areas– Use for critical missions: finding lost hikers,
downed pilots; detecting highway accidents; imaging (early warning) forest fires
SAS_05_Contingency_Lutz_Tal 23
Obstacle Analysis Approach
• KAOS framework for goal-oriented obstacle analysis– Goal is a set of desired behaviors– Obstacle is a set of undesirable behaviors that impede a
goal• Relevance to application:
– Contingencies are• Obstacles to achieving goals, or• Indications that goals are unrealizable with available
agents• Advantages
– Structured approach early-on (anticipatory planning)– Supports more formal analysis, as needed
SAS_05_Contingency_Lutz_Tal 24
Obstacle Analysis Approach
• Step 1. Identify the goals• Step 2. Identify the agents • Step 3. Identify the obstacles• Step 4. Identify alternative resolutions to
the obstacles• Step 5. Select a resolution among the
alternatives.
SAS_05_Contingency_Lutz_Tal 25
Other Related Work• Requirements evolution
– Use goal & obstacle analysis to refine requirements in a developing system [Anton & Potts]
• Maintenance– Focus on management of requirements changes [Bennett &
Rajlich]– Evaluate in terms of traceability or change-impact [Cleland-
Huang]• Dynamic monitoring
– Monitor operational systems for mismatch assumptions/environment & perform remedial evolutions [Fickas and Feather]
• Autonomous fault handling with AI planners • Safety in autonomous systems • Vehicle health management