On-board Timeline Validation and Repair:

A Feasibility Study

Maria Fox, Derek LongUniversity of Strathclyde, Glasgow, UK

Les Baldwin, Graham Wilson, Mark WoodsSciSys Ltd, UK

Davide JameuxESA, Netherlands

Ruth AylettHeriot-Watt University, Edinburgh, UK

Background• MMOPS: Mars-Mission On-board

Planner and Scheduler• ESA funded project to develop a

demonstrator • Show potential on-board capabilities

for autonomous plan repair using Beagle 2 on-board software

Context• Scientists identify objectives and propose activities

– Priorities set by lead scientist(s)– Constraints generally implicit (eg ordering and dependencies

between activities)• Lander Operations personnel construct a plan

(timeline), integrating proposed science activities and lander-oriented activities over predetermined interval

• Plan downlinked to lander; lander attempts execution– Plan might execute successfully– Plan might fail during execution and lander enter safe mode

• Results uplinked for return to ground staff and analysis

Typical Operations Sequence

Execute plan iReturndata i

Generateplan j

Check Landerstate

Time

FCT

Plan

Evaluate

Exploit

Support

Teams

Sendplan j

Execute

Sol i Sol j Sol l

Check plan hexecution

Generatescience

products h

Analysescienceresults h

MPT MET GOT

Execute plan jReturndata j

Generateplan k

Check Landerstate

FCT

Sendplan k

Check plan iexecution

Generatescience

products i

Analysescienceresults i

MPT MET GOT

Sol k

Execute plan kReturndata k

Generateplan l

Check Landerstate

FCT

Sendplan l

Check plan jexecution

Generatescience

products j

Analysescienceresults j

MPT MET GOT

Execute plan lReturndata l

Generateplan m

Check Landerstate

FCT

Sendplan m

Check plan kexecution

Generatescience

products k

Analysescienceresults k

MPT MET GOT

21 22 23 24 25 26 27 28 29 30 31 33

99 => Experiment 99

Sequence with failure

Executeplan i Return

data i

Generateplan j

Time

FCT

Plan

Evaluate

Exploit

Support

Teams

Sendplan j

Execute

Sol i Sol j Sol l

Generatescience

products h

Analysescienceresults h

MPT MET GOT

Returndata j

Generatediagnostic

plan k

FCT

Sendplan k

Generatescience

products i

Analysescienceresults i

MPT MET GOT

Sol k

Execute diagnosticplan k Return

data k

FCT

Send noplan

MPT MET GOT

Returndata l

Generaterepair plan

m

FCT

Sendplan m

MPT MET GOT

Bang!

Analysefailure

Identifydiagnostics

Analysediagnostic

data

IdentifyrepairsAnalyse failure

Check Landerstate

Check plan hexecution

Check Landerstate

Check plan iexecution

Check Landerstate

Check Landerstate

Check plan kexecution

Generatereduced

plan l

Execute reducedplan l

Generatescience

products i

Analysesc ienceresults i

21 24 26 27S

99 => Experiment 99 Z => Diagnostic Z

On-board Autonomy

t

Priority/Constraint Based

Pre-Planned

t

Pre-Planned

t

Adaptive

t

Goal OrientatedGoals

Planner

TVCR

Event ActionOBCP

Priorities & Constraints

Opportunities

Target Problems• Isolation of plan failure

– Protect the remainder of the plan• Over-subscription

– Reduce planned activity to avoid use of over-subscribed resources

• Under-subscription– Attempt to exploit potential opportunities

to make use of under-subscribed resources

Ground-based and On-board Partnership

ConTool

Timeline Construction:Primary timelineOpportunity fragments

Packaged date

Standard timeline downlink

On-boardsoftware

TVCR

Ground Operations On-board Operations

Using CONTOOL• Timeline constructed, but now

annotated: constraints made explicit • Additional timeline fragments are then

added: opportunities• Further constraints are added:

– Ordering constraints between opportunities themselves and between opportunities and fragments in the main timeline

– Dependencies– Mutual exclusions (pairs of fragments which should not

both be executed)– Priorities

•Ordering between activities or connected elements of a timeline (fragments)

•Dependencies between activities or fragments (eg the rock surface should only be ground if the microscope successfully imaged it beforehand)

Opportunities: Features• Opportunities are designed as consistent self-

contained timeline fragments• Fragments generally represent subplans needed for

future operations• Often generic fragments capturing an experimental

process consisting of multiple activities, so reusable• Opportunities are designed on the ground, by

operations personnel• Constraints make explicit relationships required of

lander operations by both scientists and operations personnel

Exploiting Opportunities• If an activity fails during execution, a new fragment can

be executed – an opportunity– Failed fragments are removed from the plan, together with

fragments that depend on them

• Opportunities are selected:– to respect the existing resource constraints within the current

timeline– according to priority and according to the constraints between

them and with main plan fragments

• Execution of the main plan remains highest priority • Opportunities are only selected from those identified

and constructed by operations personnel

Timeline validatedFlaw identifiedBroken elements removedOpportunity consideredOpportunity insertedConstraints checked

Operations with TVCR

Executediagnostics &opportunities

Executeplan i Return

data i

Generate plan j

Time

FCT

Plan

Evaluate

Exploit

Support

Teams

Sendplan j

Execute

Sol i Sol j Sol l

Generatescience

products h

Analysescienceresults h

MPT MET GOT

Generate repair plank

FCT

Generatescience

products i

Analysescienceresults i

MPT MET GOT

Sol k

FCT MPT MET GOT

Generate plan m

FCT MPT MET GOT

Bang!

Analysescienceresults j

Analysesc ienceresults k

Generatescience

products j

Generatescience

products k

Execute viable parts ofplan j & opportunities Return

data j

Sendplan k Execute repair plan k

Returndata k

Sendplan l

Generate plan l

Execute plan l Returndata l

Sendplan m

Generate diagnostics& opportunities

Check Landerstate

Check plan hexecution

Check Landerstate

Check plan iexecution

Check Landerstate

Check plan jexecution

Check Landerstate

Check plan kexecution

Analysediagnostic

data

Identifyrepairs

Generate diagnostics& opportunities

Generate diagnostics& opportunities

Generate diagnostics& opportunities

21 24 22 23 25 26 27S Q K M

99 => Experiment 99 Z => Diagnostic or Opportunity Z

On-board: TVCR• TVCR: Timeline Validation, Control and

Repair– a module invoked by on-board software

• Requirements of TVCR:– The timeline, fragments and constraints constructed on

the ground– A model of the activities

• Preconditions for execution; effects on execution• Built once – unlikely to change

– A view of the current state• At level of abstraction used by activity models• Built on-board using diagnosis of sensor signals

TVCR Architecture

TVCR

Primed with activity models

TimelineOpportunitiesConstraints

Sensed state

On-boardControl

Software

Lander Hardware Systems

On-board Software

TVCR: Behaviours• On validate request:

– Validate newly entered timeline from the current state– Report anticipated failures and causes

• On control request:– Validate current remaining fragment of timeline from

current state• On repair request:

– If the current timeline is predicted to fail and there is time to react before the next action, construct a new timeline

– Remove broken fragments– Insert opportunities

Taking Opportunities• When opportunities can be added to a

timeline, choices often exist:– Which opportunities to add– Where to add them

• Use a bounded search– Not a full search: save space and time and ensure bounded

termination– Not guaranteed to find optimal repairs in terms of

opportunities added– Greedy approach to opportunity insertion – Fallback position: execute the fragments of the original main

plan that are still valid (repairs to link activities where fragments removed)

Example Test Case• A timeline is planned including two Mössbauer

experiments• During the first experiment, the Mössbauer signals a

failure…• Repair removes second Mössbauer experiment and

related activities• Opportunities are considered in priority order and

one is identified as a candidate for insertion– The opportunity selected is an environmental sensor

suite experiment• The timeline is repaired by the addition of the

opportunity and connecting activities• New downlink schedule is recorded

Example Repair• Failed fragment removed from timeline• Benefits

– After first failure, timeline continues execution– Subsequent expected failure anticipated by

TVCR and isolated– Timeline executes successfully to conclusion– Science data is collected during execution of

parts of this timeline that would otherwise be aborted

Example Repair• Broken fragment removed and

opportunity fragment added• Benefits:

– Timeline successfully executes to completion– Broken fragments do not cause timeline to abort– Broken fragment removed and replaced with

valid opportunity fragment– Resources are utilised and science data gathered– Downlink schedule modified to allow for new data

log

Conclusions• Successful demonstration of a level of

autonomy that lies between reactive responses and full on-board planning

• Demonstrable benefits for science gathering

• Conservative approach reduces risks and makes it more attractive to operations personnel