Contingency Software in Autonomous Systems

SAS_05_Contingency_Lutz_Tal 1

Contingency Software in Autonomous Systems

Robyn Lutz, JPL/Caltech & ISUDoron Tal, USRA at NASA AmesAnn Patterson-Hine, NASA Ames

This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, and at NASA Ames Research Center, under a contract with the National Aeronautics and Space Administration. The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program led by the NASA Software IV&V Facility. This activity is managed locally at JPL through the Assurance and Technology Program Office

NASA OSMA Software Assurance Symposium August 9-11, 2005


CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS

Problem

PROBLEM STATEMENT

Autonomous vehicles currently have a limited capacity to diagnose and mitigate failures.

We need to be able to handle a broader range of contingencies (anomalous situations).

GOALS

1. Speed up diagnosis and mitigation of anomalous situations.2. Automatically handle contingencies, not just failures.3. Enable projects to select a degree of autonomy consistent with

their needs and to incrementally introduce more autonomy.4. Augment on-board fault protection with verified contingency scripts


CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSAvailability of Data: High

Autonomous Rotorcraft Project: http://is.arc.nasa.

gov/AR/tasks/ARP.html


Right Grayscale Camera

Left Grayscale Camera

Color Camera

Vision Computer

Flight Computer

Camera Manager

Stereo Vision Stereo

Conversion to World Frame

StereoPoint Cloud InWorld Frame

Tilt Control

SICKLaser

ImageRectification

R image

L image

L image

Pan/Tilt

Camera PoseMIDG

GPS

3-axis accelerometer

3-axis gyro

Laser Conversion to World Frame

Laser Point Cloud In

World Frame

IMU: 6 DOF

Tilt

6 DOF

6 DOF

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSOverview of Perception Subsystem

Perception is a critical function in systems

requiring obstacle avoidance, threat detection,

science missions and “opportunistic” discovery.


CLAWFlight Control Laws

DOMSDistributed Messaging

System

GPS

APEXReactive Planner

Telemetry

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSPartial Onboard Architecture

*domsD – DOMS transport daemon

*

Yamaha System

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Perception Instrumentation Onboard Rotorcraft

Gray scale wing tip (stereo vision)

Color Camera

Firewire Hub

Onboard Flight Computer

Left WingRight Wing

Scanning Laser Range Finder (SICK)

RS232

Firewire


Cases in which the cameras are a critical system:1. Cameras assigned responsibility during nominal ops

• No line of sight -> Camera provides position info2. Cameras are backup when other subsystems fail

• Failed/degraded GPS -> Camera provides position info• Failed/degraded ARP -> Camera provides landing-site data

3. Images as mission objective (surveillance)• Failure of cameras can jeopardize success

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSCamera Criticality


ARP Functional Requirements:

CurrentPlanned

Contingency Analysis:SFMECA

SFTA

Contingency Planning:Available indicatorsContingency triggers

Contingency responses2-Level (recover/predict)

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Process Overview

1. Brainstorm with UAV team to uncover candidates for software contingencies

Review UAV literature and project reportsLead brainstorming sessions with domain expertsWork with team to identify and prioritize high-concern candidatesSelect top priority candidates

2. Model unit of interest (i.e. cameras, communications systems…)Model system including: Architecture & State diagramVerify models with UAV team

3. Contingency requirements verificationPerform SFMECA and SFTA in context of Obstacle Analysis [RE’05]

4. Analyze testabilityIdentify how each contingency can be detectedPerform SFTAExperiment with assignment of measure of uncertainty

5. Develop recovery strategyDetermine candidate strategies for contingency responses

(prevent/respond/safe)Determine availability of data needed to determine/execute appropriate

contingency6. Prototype contingency in progressively higher fidelity testbeds 7. Monitor contingency performance


CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Analysis

• Used Bi-Directional Safety Analysis to find contingencies• Forward analysis from potential failures to their effects (Software

Failure Modes, Effects & Criticality Analysis)• Backward analysis from failures to contributing causes (Software

Fault Tree Analysis)• Guides to thinking about possible ways to handle contingencies:

• Use “Mitigation” column in SFMECA• Remove leaf nodes from SFTA graphs • Use obstacle resolution patterns [van Lamsweerde & Letier, 2000]

• TEAMS produces a diagnostic tree of checks needed to detect & isolate contingencies, identifies missing checks and recovery action

• “Testability Engineering and Maintenance System”• Modeling & analysis toolset• Won NASA Space Act Award• Used successfully on 2nd generation RLV IVHM risk reduction

program


Properties for each function, switch & test-point are enteredinto the TEAMS tools

TEAMS builds a Dependency Matrix inwhich each row is a fault source (e.g., a camera that can fail) and each column is a test (e.g., whether we have a good Stereo image).Here, we select the normal or contingencyscenario (camera OK or not) for the analysis.

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSResults


Executing the Contingency scenario, wecheck that the behavior is correct: left COLOR camera is available (no red slash) & being used; confirm that testscan isolate failure to which camera.

Most useful: the automatic Diagnostic Tree:--Shows best sequence of checks to detect & isolate --Shows indistinguishable failures (“ambiguity groups”)--XML output option is being translated into rotorcraft’s planning language (APEX) to simulate contingencies onthe vehicle

</LABEL> <SYMPTOM /> - <NODE LABEL="1" TYPE="TEST" ID="T.small_stereo_0.1.2.4.0" PASS="YES" FAIL="NO">- <PARA>- <![CDATA[

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMSResults



Importance / Benefits

1. Contingency management is essential to the robust operation of complex systems such as spacecraft and Unpiloted Aerial Vehicles (UAVs)

2. Automatic contingency handling allows a faster response to unsafe scenarios, with reduced human intervention

3. Results, applied to the Autonomous Rotorcraft Project and Mars Science Lab, pave the way to more resilient, adaptive autonomous systems


• Improved contingency handling needed to safely relinquish control of unpiloted vehicles to autonomous controllers

• More autonomous contingency handling needed to support extended mission operations

• Potential applications: Safety-critical UAVs and Mission-critical spacecraft and rovers

Relevance to NASA



Next Steps


Autonomous Rotorcraft Project: Continue working with team to expand

and evaluate contingencies for imaging and ranging systemsTechnology Readiness Level:•FY05: 3 (“Experimental demonstration of critical function &/or proof of concept”)•FY06: 4 (“Validation in a lab environment”) on rotorcraft

Mars Science Lab: Update and enhance model for spacecraft pointing

contingencies with domain expertise from software development team

Infusion across NASA: Document process for technology transfer to

other projects


Backup Slides


TEAMS uses a hierarchical model of the system:*Boxes are key requirements (stereo processing, etc.)*Squares are switches: using left grayscale camera (nominal) or using left color camera (contingency) *Circles are test-points: #1: check whether has good (unfailed) stereo image #2: check whether good range data



Commfailure

MissionComplete

SW CONTINGENCIES FOR LOSS OF COMMUNICATIONSState Diagram

ContinueMission

TerminateFlight

Fly AutonomousHover mode

Change Heading

Increase Altitude

Check Comm

Commfailure

Commavailable

Insufficient Fuel (failure)

Commavailable

Commfailure

Commfailure

Commavailable

Reroute

Fly to Rally Point

Land

MissionFinished

Check Fuel

Limited Fuel

Commavailable

Sufficient Fuel

Sufficient Fuel



Critical Pointing for SpacecraftAutonomous, contingency response for critical scenarios:

•Commandability lost•Before trajectory-correction maneuvers

•Before Entry/Descent/Landing


What do we know when a “quit-failed” signal occurs?


What is a contingency?• Contingencies are obstacles to the fulfillment of a system’s high-

level requirements that can arise during real-time operations– Failures: camera fails due to hardware or software problem– Operational situations of concern: lens cap left on means that all

images are black, so can’t land unassisted – Environmental situations of concern: strong crosswind interferes

with imaging, thus with finding landing site• Contingency-handling involves requirements for detecting,

identifying and responding to contingencies.• Contingency handling includes, but extends, traditional fault

protection


Autonomy• Something previously not done automatically is now done by the

software– Previously done manually, or– Previously could not be done

• Example of incremental autonomy: – Collision avoidance (not hitting buildings)1. Remote control by pilot steering from ground2. Path calculated on ground, loaded into system, path-plan

executed in flight3. Path calculated in flight based on real-time imaging

• Autonomy allows system to detect and respond to a broad class of anomalies in many more ways


Safety-critical

• Safety-critical: – Requires collision-avoidance – Requires autonomous take-off & landing in

populated areas– Use for critical missions: finding lost hikers,

downed pilots; detecting highway accidents; imaging (early warning) forest fires


Obstacle Analysis Approach

• KAOS framework for goal-oriented obstacle analysis– Goal is a set of desired behaviors– Obstacle is a set of undesirable behaviors that impede a

goal• Relevance to application:

– Contingencies are• Obstacles to achieving goals, or• Indications that goals are unrealizable with available

agents• Advantages

– Structured approach early-on (anticipatory planning)– Supports more formal analysis, as needed


Obstacle Analysis Approach

• Step 1. Identify the goals• Step 2. Identify the agents • Step 3. Identify the obstacles• Step 4. Identify alternative resolutions to

the obstacles• Step 5. Select a resolution among the

alternatives.


Other Related Work• Requirements evolution

– Use goal & obstacle analysis to refine requirements in a developing system [Anton & Potts]

• Maintenance– Focus on management of requirements changes [Bennett &

Rajlich]– Evaluate in terms of traceability or change-impact [Cleland-

Huang]• Dynamic monitoring

– Monitor operational systems for mismatch assumptions/environment & perform remedial evolutions [Fickas and Feather]

• Autonomous fault handling with AI planners • Safety in autonomous systems • Vehicle health management

Documents

Contingency Software in Autonomous Systems