Model-Based Programming of Intelligent Embedded Systems

Model-Based Programming of Intelligent Embedded Systems

Bill GaesCSc 299 Masters Seminar Presentation and Discussion5/20/2005

Based on:Brian C. Williams et al.,

“Model-Based Programming of Intelligent Embedded Systems and Robotic Space Explorers,”

Proceedings of the IEEE, vol. 91, no 1, pp.212-237, 2003.

5/20/2005 Model-Based Programming 2

Outline

Model-Based Programming Overview Advantages Example Motivation Details Discussion


Model-Based ProgrammingProgram what you want the system to doDevelop models of what the system can

doRely on executive to:

execute program reason on-the-fly track system state diagnose faults reconfigure system to achieve desired

goals


Advantages of Model-Based Programming

Allow engineers to specify high-level control strategies

Encapsulation and separation of concerns Model composed of components (e.g.,

engine, camera, etc) Program - Object-oriented with multiple

inheritance Executive replaceable with different

implementation or one with added capabilities


Advantages of Model-Based Programming

Powerful Inference EnginesReusabilityRobustnessVerifiability


Example Embedded System - Spacecraft

Spacecraft with 2 redundant engines and a camera

Objective: insert spacecraft into orbit Camera must be off One of two engines must fire


Simple Spacecraft Model

Fuel Oxidizer Fuel Oxidizer

EngineA EngineB EngineA EngineB

Initial State Goal Stateshut valve

open valve


Simple Spacecraft Model

Initial State Goal State

Science Camera

On Off

Science Camera


Control Program - Pseudocode

Orbital Insertion Control Program:

ConcurrentlyPlace both Engines in standbyShut off Camera

When Engines are in standby And the Camera is off then Fire EngineA


Reactive Embedded Systems

Requires concurrent and synchronous programming languages such as: Esterel (~1992) Statecharts (~1987)


Programming Complex Reactive Embedded Systems

Programming using traditional reactive languages challenging, time-consuming,

and error-prone

Embedded Program

Physical Plant

Obs Cntrl


Challenges of Programming Autonomous Systems

• detecting anomalies• isolating faults• diagnosing causes• adaptive control• fault avoidance• hardware reconfiguration

• monitoring• safeing• goal tracking• standby• fault recovery• mode confirmation

Programmers must reason through system-wide interactions to generate code for:


Esterel Program For a Robot to Follow a Line

module ROBOT:input LeftSensor, RightSensor;output LeftWheelSpeed : float, RightWheelSpeed : float; loop await tick; [ present LeftSensor else

emit LeftWheelSpeed(1.0f) end present || present RightSensor else

emit RightWheelSpeed(1.0f) end present || present [LeftSensor and RightSensor] then abort loop emit RightWheelSpeed(1.0f); emit LeftWheelSpeed(-0.5f) each tick when [not LeftSensor] end present ] end loop end module

Pure signals - indicate presence or absence of stimuli

Value signals - have arbitrary value of specified type

Wheel controller - sets relative angular velocity, a value in [-1, 1], 1.0 is full speed forward.

Explicit syntax for execute in parallel

Both sensors see line so attemptcorrective action to get back on track

Continuously emit 2 signals sequentially,but at each tick, so executed at same instant- emit returns immediately


Mars Polar Lander Failure

Leading hypothesis for failure: Landing legs deployed during decent. Noise spike in Hall effect sensors latched

by monitors. Laser altimeter registered altitude of 40m At 40m leg monitors polled Monitors latched - engine shutdown at 40m


Problem and a Solution

Problem Failure space and interactions with

hardware and software too large to enumerate

Solution Provide reactive embedded languages

that reason-on-the-fly from commonsense modelsModel-based Programming


Model-Based Architecture

ControlProgram

Plant Model

Control Sequencer

Deductive Controller

Stateestimates

Configurationgoals

PhysicalPlant CommandsObservations

Reactive Model-basedProgramming Language

(RMPL) “Titan” - Model-based Executive


Simple RMPL Control Program Procedure

TakePicture(target)::{

do {

Attitude = target,

when Attitude = target donext {

SnapStore();

SnapStore();

}

} watching Picture = Stored

}


RMPL Control Program

Five design features Parallel and sequential execution threads Conditional execution Iteration Preemption Defining feature

ability to reference “hidden” states of physical plant within assertions and conditions



OrbitInsert()::{ do{ EngineA = Standby, EngineB = Standby, Camera = Off, do{ when EngineA = Standby ^ Camera = Off donext EngineA = Firing } watching Engine A = Failed,

when EngineA = Failed ^ Engine B = Standby ^ Camera = Off

donext Engine B = Firing }watching Engine A = Firing v Engine B = Firing}

assertionachieve constraint

execution conditionask constraint


Model-Based ExecutiveControl Sequencer

Executes control program Uses likely state estimate to generate configuration goals for

Deductive Controller to achieve

Control Sequencer


Stateestimates

Configurationgoals

PhysicalPlant

CommandsObservations

ControlProgram

Plant Model

Model-Based Executive


Plant Model - Concurrent Constraint Automata

Built from a set of component models Each component is represented by

Set of component modesSet of constraints defining behavior

within each nominal modeSet of probabilistic transitions

between modes


Spacecraft Engine Component Model

(thrust = zero) AND (power_in = zero) Off

Standby

Firing

Failed

Behavior within a mode described by constraintson plant variables:thrust and power_in

Component Mode

Probabilistic uncommanded transition

0.01Cmd = stdby

Cmd = off

Cmd = StdbyCmd = Fire

0.01

0.01

(thrust = zero) AND (power_in = nominal)

(thrust = full) AND (power_in = nominal)

Note: All nominal transitions are P = 99%

No constraint for engine’sbehavior in failed mode - constraint suspension


Spacecraft Camera Component Model

Note: All nominal transitions are P = 99%

(power_in = zero) AND (shutter = closed)

Off

On

Failed0.01Cmd = Cam_off

Cmd = Cam_on

0.01

(power_in = nominal) AND (shutter = open)


Spacecraft Valve Driver and Valve Component Models

on

off

dcmdin = ondcmdin = off

dcmdin = reset

dcmdin = off

permanentfailure

resettablefailure

Valve Driver Model

Note: All nominal transitions are P = 99%Failure transitions are P = 1% (not shown)

open

closed

driver = ondcmdin = open

stuck-closed

Valve Model

stuck-open

driver = ondcmdin = close

dcmdinvcmdin

dcmdout = vcmdin

interconnection constraint


Model-Based Executive

Control Sequencer

Stateestimates

Configurationgoals

PhysicalPlant CommandsObservations

Titan Model-based Executive

ModeEstimation

ModeReconfiguration

Estimates most likely transitions

Finds least-cost reachable goal state


ControlProgram

Plant Model



Selects valveconfiguration;plans actions to opensix valves

Mode Estimation

Deducesengines in standby

Mode Reconfiguration

Deduces valve failed - stuck closed

Mode Estimation

Selects valves on backupengine needed to achieve thrust, and plans needed actions



Space of Possible State Trajectories for Plant Model

Trellis Diagram

...

S(0) S(1) S(N-1) S(N)

S T

Plant state• assigns value to each state variable, e.g., 3000• consistent with all state constraints, e.g., 12,000

Discrete time step

Set of concurrent transitions• one per automata, e.g., 80

Examples from Plant Model for Deep Space One


Deductive ControllerMode Estimation (ME)

Incrementally tracks sets of component mode transitions Consistent with observations, initial

state, and plant CCA Number of transitions is nm where

n is the size of the domain of the mode variables

m is number of mode variables

Deep Space One Probe (DS-1) nm = 380


Deductive ControllerMode Estimation (ME)

Frame as Optimal Constraint Satisfaction Problem (OCSP) Conflict-directed A*

Uses propositional logic to find conflictsConflicts used to prune implausible

consistent transitions

Mode transitions reduced to less than a dozen from 380


Mode Estimation

...

S(0) S(1) S(t-1) S(t)

prob(sj)

prob(si)

most likely state - sj

state with highest probability

^^ ^ ^

Tracks most likely states consistent with plant model, observations, and control actions


Deductive ControllerMode Reconfiguration (MR)Series of commands that progresses plant

toward a maximum-reward state that achieves the configuration goal Goal Interpreter

find goal state that achieves configuration goal while maximizing reward.

Reactive Plannergenerates command sequence to move

plant to goal state.



...

S(t) S(t+1) S(t+n-1) S(t+n)

Maximum reward goal state

^ ^^ ^

Given goal and most likely current state find commands that transitions through plant state space toward maximum-rewardgoal state that achieve the configuration goal


Model-based ProgrammingReal-world Uses

Deep-Space One - 2001• Autonomous control of engine firing

MIT Sphere Spacecraft - 2004• docking maneuvers with International Space Station

Simulation system for rapid prototyping• autonomous mars exploration testbed

Toyota• Fault management and failure recovery for high-end

vehiclesNASA Mars Technology Program

• Proposing incorporation into Mars 2009 Smart Lander John Hopkins Applied Physics Lab

• Proposing applying to Messenger Mission to Mercury


Discussion

Does this paradigm appear to provide the claimed advantages?

What are potential limitations or pitfalls?

Based on its technical merit is MB-P an advancement?

Does it have enough successes and interest to sustain itself?

Model-Based Programming of Intelligent Embedded Systems

Documents

Transcript of Model-Based Programming of Intelligent Embedded Systems