Programming Long-lived Embedded Systems With Complex Autonomic Processes Model-based Programming: Controlling Embedded Systems by Reasoning about Hidden State Brian C. Williams And Michel Ingham Artificial Intelligence and Space Systems Labs Massachusetts Institute of Technology Large collections of devices must work in concert to achieve goals • Devices indirectly observed and controlled • Need quick, robust response to anomalies throughout life • Must manage large levels of redundancy Outline Why Model-based Programming? Polar Lander Leading Diagnosis: • Model-based Programming • Legs deployed during descent. • An Example • Noise spike on leg sensors latched by software monitors. • Plant Model as Constraint-based POMDP • Laser altimeter registers 40m. • Model-based Executive • Begins polling leg monitors to determine touch down. • Mode Estimation Objective: Support programmers • Latched noise spike read as with embedded languages that touchdown. avoid these mistakes, by • Engine shutdown at ~40m. reasoning about hidden state automatically. Programmers often make commonsense mistakes when Reactive Model-based reasoning about hidden state. Programming Language (RMPL) Model-based Programs RMPL Model-based Program Titan Model-based Executive Interact Directly with State Control Program Embedded programs interact with Model-based programs interact with plant state: plant sensors and actuators: � Executes concurrently Generates target goal states • Read state • Read sensors � Preempts Control Sequencer conditioned on state estimates � Queries (hidden) states • Write state • Set actuators � Asserts (hidden) state Model-based Embedded Program Embedded Program System Model State estimates State goals Obs Cntrl S’ Tracks Tracks least Mode Mode Model-based Executive Deductive Controller likely Estimation cost goal states Reconfiguration Obs Cntrl S plant states Valve Valve S Plant Stuck 0.01 0.01 Stuck Plant Open Open open open 0. 01 0. 01 Open Open Close Close Programmer must map between Model-based executive maps 0. 01 0. 01 Stuck Stuck state and sensors/actuators. between state and sensors/actuators. Observations Commands Closed Closed closed closed 0.01 0.01 inflow = outflow = 0 Plant 1
Outline Orbital Insertion Example • Model-based Programming Turn camera off and engine on • An Example • Plant Model as constraint-based POMDP • Model-based Executive • Mode Estimation EngineA EngineB EngineA EngineB Science Camera Science Camera Plant Model Model-based Program component modes… Control program specifies OrbitInsert():: described by finite domain constraints on variables… state trajectories: ( do-watching ((EngineA = Firing) OR deterministic and probabilistic transitions (EngineB = Firing)) • fires one of two engines ( parallel cost/reward (EngineA = Standby) • sets both engines to ‘standby’ (EngineB = Standby) • prior to firing engine, camera must be (Camera = Off) Engine Model Engine Model Camera Model Camera Model turned off to avoid plume contamination ( do-watching (EngineA = Failed) 0 v ( when-donext ( (EngineA = Standby) AND (thrust = zero) AND • in case of primary engine failure, fire Off Off (power_in = zero) AND 0 v 0 v (Camera = Off) ) (power_in = zero) Off Off (shutter = closed) backup engine instead (EngineA = Firing))) 0.01 0.01 off- off - standby- standby - ( when-donext ( (EngineA = Failed) AND cmd cmd (thrust = zero) AND cmd cmd Failed Failed (EngineB = Standby) AND (power_in = nominal) 2 kv Plant Model describes 0.01 0.01 turnoff turnoff- - turnon turnon- - (Camera = Off) ) Standby Standby cmd cmd cmd cmd 0.01 0.01 behavior of each component: (EngineB = Firing)))) fire- fire - standby standby- - 0 v cmd cmd cmd cmd 0.01 0.01 (thrust = full) AND – Nominal and Off nominal (power_in = nominal) (power_in = nominal) AND On 20 v On 2 kv (shutter = open) Firing Firing – qualitative constraints – likelihoods and costs one per component … operating concurrently Example: The model-based program sets engine = thrusting, and the Executive Manipulates Hidden State deductive controller . . . . • States like (EngineA = Standby) , (ValveA = Open) Mode Estimation Mode Reconfiguration are not DIRECTLY observable or controllable… Oxidizer tank Oxidizer tank Fuel tank Fuel tank Given observations… (thrust = zero) AND (power_in = nominal) and command history… last command issued = “ last command issued = “standby standby- -cmd cmd” ” Mode estimation infers ⇒ (EngineA = Standby) Selects valve “hidden state” Deduces that configuration; Given state goals … thrust is off, and plans actions (ValveA = Open) Deduces that a valve the engine is healthy to open and estimated state … (DriverA = off) AND (ValveA = closed) failed - stuck closed six valves Mode reconfiguration ⇒ [Turn on DriverA]; [Open ValveA] infers “commands” Determines valves • Thinking in terms of “hidden states” abstracts away on backup engine that complexity of robustly observing and controlling state. will achieve thrust, and • Model-based executive raises assurance of software by plans needed actions. correctly inferring and controlling states. Mode Reconfiguration Mode Estimation 2
Plant as a Partially Observable Outline Markov Decision Process Ω • Model-based Programming • S, A, : Finite States, Actions & Observations • An Example • Plant Model as Constraint-based POMDP • T(s,a,s’): Probabilistic state transition function ( ) T : S × A → Π S • Model-based Executive • Mode Estimation • O(s’,a,o): Probabilistic observation function ( ) O : S × A → Π Ω • R(s): Reward function → ℜ R : S Possible Behaviors Plant Model as Probabilistic Concurrent, Constraint Automata Visualized by a Trellis Diagram – Compact Encoding: X 0 X 1 X N-1 X N – Concurrent transitions – State constraints between variables –Transitions are conditionally independent on previous state. S T – Rewards form a multi-attribute decision problem that satisfies preferential independence Camera Model Camera Model Engine Model Engine Model Off Off (thrust = zero) AND Off Off 0 v 0 v 0 v (power_in = zero) (power_in = zero) AND 0.01 0.01 off off- - standby- - (shutter = closed) standby cmd cmd cmd cmd 2 kv Failed Failed 0.01 0.01 (thrust = zero) AND Standby Standby turnoff turnoff- - turnon turnon- - (power_in = nominal) cmd cmd cmd cmd fire fire- - standby standby- - •Assigns a value to each •A set of concurrent 0.01 0.01 cmd cmd cmd cmd 0 v (power_in = nominal) 0.01 0.01 (thrust = full) AND AND variable. transitions, one per automata. (power_in = nominal) (shutter = open) 20 v Firing Firing 2 kv On On •Consistent with all state •Previous & Next states Typical Example (DS1 spacecraft): constraints. consistent with source & – 80 Automata, 5 modes on average target of transitions – 3000 propositional variables, 12,000 propositional clauses RMPL Model-based Program Titan Model-based Executive Outline Control Program Control Sequencer: � Executes concurrently Control Sequencer Generates goal states � Preempts • Model-based Programming conditioned on state estimates � Asserts and queries states � Chooses based on reward • An Example State estimates State goals System Model • Plant Model as constraint-based POMDP Mode Mode Estimation: Reconfiguration: Deductive Controller MAINTAIN (EAR OR EBR) • Model-based Executive Tracks likely Tracks least-cost LEGEND: OrbitInsert():: EAS (EngineA = Standby) EAS EAF (EngineA = Failed) States state goals ( do-watching ((EngineA = Firing) OR EAR (EngineA = Firing) • Mode Estimation (EngineB = Firing)) EBS (EngineB = Standby) EBS EBF (EngineB = Failed) ( parallel EBR (EngineB = Firing) CO CO (Camera = Off) (EngineA = Standby) Commands (EngineB = Standby) Observations MAINTAIN (EAF) (Camera = Off) (EAS AND CO) Plant ( do-watching (EngineA = Failed) EAR ( when-donext ( (EngineA = Standby) AND EAS AND CO (Camera = Off) ) (EngineA = Firing))) (EAF AND EBS AND CO) ( when-donext ( (EngineA = Failed) AND (EngineB = Standby) AND EBR (Camera = Off) ) EAF AND EBS AND CO (EngineB = Firing)))) hierarchical constraint automata on state s 3
Recommend
More recommend
