SAS_05_Contingency_Lutz_Tal1 Contingency Software in Autonomous Systems Robyn Lutz, JPL/Caltech & ISU Doron Tal, USRA at NASA Ames Ann Patterson-Hine,

Slides:



Advertisements
Similar presentations
The U.S. Department of Transportation and the Next Generation Jenny Hansen, Contractor – NG9-1-1 Project Coordinator USDOT/NHTSA.
Advertisements

PROJECT RISK MANAGEMENT
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
WPI CS534 Showcase Jeff Martin. * Computer Software on Deep Space 1 * Used to execute plans/mission objectives * Model based * Constraint based * Fault.
1 Independent Verification and Validation Current Status, Challenges, and Research Opportunities Dan McCaugherty IV&V Program Manager Titan Systems Corporation.
Computer ScienceSoftware Engineering Slide 1 Review l The need for software engineering l Processes Waterfall Iterative waterfall Evolutionary Formal systems.
Team GPS Rover Alex Waskiewicz Andrew Bousky Baird McKevitt Dan Regelson Zach Hornback.
NASA Space Launch System (SLS) Independent Verification and Validation (IV&V) Analysis Processes within Enterprise Architecture (EA) September 11, 2013.
Software causes many failures - significant mission risk Hard to quantify effects on system risk of: software defects software development practices software.
National Aeronautics and Space Administration SAS08_Classify_Defects_Nikora1 Software Reliability Techniques Applied to Constellation Allen P. Nikora,
Introduction to Computer Technology
Airbus flight control system  The organisation of the Airbus A330/340 flight control system 1Airbus FCS Overview.
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR ESM'2009, October 26-28, 2009, Holiday Inn Leicester, Leicester, United Kingdom.
Airbus flight control system
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR.
SAS 03/ GSFC/SATC-ERAU-DoC Fault Tree Analysis Application for Safety and Reliability Massood Towhidnejad Embry-Riddle University Dolores Wallace & Al.
SAS_08_AADL_Exec_Gluch MAC-T IVV Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL) California Institute.
CLEANROOM SOFTWARE ENGINEERING.
1. 2 Purpose of This Presentation ◆ To explain how spacecraft can be virtualized by using a standard modeling method; ◆ To introduce the basic concept.
Managing Risk. Objectives  To Describe Risk Management concepts and techniques  To calculate and analyze a project using Probability of completion 
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 6 Slide 1 Requirements Engineering Processes l Processes used to discover, analyse and.
T. Dawson, TASC 9/11/13 Use of a Technical Reference in NASA IV&V.
Command and Data Handling (C&DH)
Computerised Air Traffic Management Tools - Benefits and Limitations OMAR BASHIR (March 2005)
Protecting the Public, Astronauts and Pilots, the NASA Workforce, and High-Value Equipment and Property Mission Success Starts With Safety Believe it or.
.1 RESEARCH & TECHNOLOGY DEVELOPMENT CENTER SYSTEM AND INFORMATION SCIENCES JHU/MIT Proprietary Titan MESSENGER Autonomy Experiment.
NMP EO-1 TECHNOLOGY WORKSHOP Section 2 Meeting Objectives.
Architectural Design lecture 10. Topics covered Architectural design decisions System organisation Control styles Reference architectures.
California Institute of Technology Requirements Decomposition Analysis, Model Based Testing of Sequential Code Properties Allen P. Nikora, John D. Powell.
Verifying Autonomous Planning Systems Even the best laid plans need to be verified Prepared for the 2005 Software Assurance Symposium (SAS) DS1 MSL EO1.
Integrated Risk Management Charles Yoe, PhD Institute for Water Resources 2009.
SAS ‘05 Reducing Software Security Risk through an Integrated Approach David P. Gilliam, John D. Powell Jet Propulsion Laboratory, California Institute.
Software Testing and Quality Assurance Software Quality Assurance 1.
California Institute of Technology Formalized Pilot Study of Safety- Critical Software Anomalies Dr. Robyn Lutz and Carmen Mikulski This research was carried.
California Institute of Technology Formalized Pilot Study of Safety- Critical Software Anomalies Dr. Robyn Lutz and Carmen Mikulski Software Assurance.
DSL Distributed Systems Laboratory ATC 23 August Model Mission: Magnetospheric Multiscale (MMS) Mission Goal “To study the microphysics of three.
Ch 10 - Risk Management Learning Objectives You should be able to: List and describe risk management processes, inputs, outputs, and tools List and describe.
Validating Requirements Determining Completeness and Correctness of Requirements Using the System Reference Model IV&V Workshop 16 September 2009.
IV&V T ESTING S TRATEGIES FOR I NDEPENDENT V ERIFICATION OF NASA M ISSION S OFTWARE I MPLEMENTATION 3 rd Annual Workshop on Independent Validation and.
March 2004 At A Glance NASA’s GSFC GMSEC architecture provides a scalable, extensible ground and flight system approach for future missions. Benefits Simplifies.
Intelligent Systems Software Assurance Symposium 2004 Bojan Cukic & Yan Liu, Robyn Lutz & Stacy Nelson, Chris Rouff, Johann Schumann, Margaret Smith July.
Contingency Software in Autonomous Systems Stacy Nelson, Nelson Consulting/QSS Robyn Lutz, JPL/Caltech & ISU SAFE Terminate Flight This research was carried.
Business Analysis. Business Analysis Concepts Enterprise Analysis ► Identify business opportunities ► Understand the business strategy ► Identify Business.
Accelerated Long Range Traverse (ALERT) Paul Springer Michael Mossey.
Toulouse, September 2003 Page 1 JOURNEE ALTARICA Airbus ESACS  ISAAC.
Distributed Models for Decision Support Jose Cuena & Sascha Ossowski Pesented by: Gal Moshitch & Rica Gonen.
New Products from NASA’s Software Architecture Review Board
University of Southern California Center for Software Engineering CSE USC SCRover Increment 3 and JPL’s DDP Tool USC-CSE Annual Research Review March 16,
Solar Probe Plus A NASA Mission to Touch the Sun March 2015 Instrument Suite Name Presenter's Name.
Pavan Rajagopal, GeoControl Systems James B. Dabney, UHCL Gary Barber, GeoControl Systems 1Spacecraft FSW Workshop 2015.
Final Version Kequan Luu May 13-17, 2002 Micro-Arcsecond Imaging Mission, Pathfinder (MAXIM-PF) Flight Software.
Discovery and Systems Health Technical Area NASA Ames Research Center - Computational Sciences Division Automated Diagnosis Sriram Narasimhan University.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
Boeing-MIT Collaborative Time- Sensitive Targeting Project July 28, 2006 Stacey Scott, M. L. Cummings (PI) Humans and Automation Laboratory
SAS_08_ Architecture_Analysis_of_Evolving_Complex_Systems_of_Systems_Lindvall Architecture Analysis of Evolving Complex Systems of Systems Executive Status.
Human-Centered Systems Background People play a critical role in the safety, reliability and performance of NASA systems. Their creativity, adaptability.
ESA Harwell Robotics & Autonomy Facility Study Workshop Autonomous Software Verification Presented By: Rick Blake.
SAS_05_Contingency_Lutz_Tal1 Contingency Software in Autonomous Systems Robyn Lutz, JPL/Caltech & ISU Doron Tal, USRA at NASA Ames Ann Patterson-Hine,
Capturing Requirements. Questions to Ask about Requirements 1)Are the requirements correct? 2)Consistent? 3)Unambiguous? 4)Complete? 5)Feasible? 6)Relevant?
1 SAS ‘04 Reducing Software Security Risk through an Integrated Approach David P. Gilliam and John D. Powell.
March 2004 At A Glance The AutoFDS provides a web- based interface to acquire, generate, and distribute products, using the GMSEC Reference Architecture.
SwCDR (Peer) Review 1 UCB MAVEN Particles and Fields Flight Software Critical Design Review Peter R. Harvey.
Autonomy: Executive and Instruments Life in the Atacama 2004 Science & Technology Workshop Nicola Muscettola NASA Ames Reid Simmons Carnegie Mellon.
Failure Modes, Effects and Criticality Analysis
GLAST Large Area Telescope:
NASA Ames Research Center
Intelligent Systems Software Assurance Symposium 2004
Chapter 10 – Software Testing
Software Engineering for Safety: a Roadmap
Presentation transcript:

SAS_05_Contingency_Lutz_Tal1 Contingency Software in Autonomous Systems Robyn Lutz, JPL/Caltech & ISU Doron Tal, USRA at NASA Ames Ann Patterson-Hine, NASA Ames This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, and at NASA Ames Research Center, under a contract with the National Aeronautics and Space Administration. The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program led by the NASA Software IV&V Facility. This activity is managed locally at JPL through the Assurance and Technology Program Office NASA OSMA Software Assurance Symposium August 9-11, 2005

SAS_05_Contingency_Lutz_Tal2 CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Problem PROBLEM STATEMENT Autonomous vehicles currently have a limited capacity to diagnose and mitigate failures. We need to be able to handle a broader range of contingencies (anomalous situations). GOALS 1.Speed up diagnosis and mitigation of anomalous situations. 2.Automatically handle contingencies, not just failures. 3.Enable projects to select a degree of autonomy consistent with their needs and to incrementally introduce more autonomy. 4.Augment on-board fault protection with verified contingency scripts

SAS_05_Contingency_Lutz_Tal3 CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Availability of Data: High Autonomous Rotorcraft Project: gov/AR/tasks/ARP.html

SAS_05_Contingency_Lutz_Tal4 Right Grayscale Camera Left Grayscale Camera Color Camera Vision Computer Flight Computer Camera Manager Stereo Vision Stereo Conversion to World Frame Stereo Point Cloud In World Frame Tilt Control SICK Laser Image Rectification R image L image Pan/Tilt Camera Pose MIDG GPS 3-axis accelerometer 3-axis gyro Laser Conversion to World Frame Laser Point Cloud In World Frame IMU: 6 DOF Tilt 6 DOF CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Overview of Perception Subsystem Perception is a critical function in systems requiring obstacle avoidance, threat detection, science missions and “opportunistic” discovery.

SAS_05_Contingency_Lutz_Tal5 CLAW Flight Control Laws DOMS Distributed Messaging System GPS APEX Reactive Planner Telemetry CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Partial Onboard Architecture *domsD – DOMS transport daemon * Yamaha System

CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Perception Instrumentation Onboard Rotorcraft Gray scale wing tip (stereo vision) Color Camera Firewire Hub Onboard Flight Computer Left Wing Right Wing Scanning Laser Range Finder (SICK) RS232 Firewire

SAS_05_Contingency_Lutz_Tal7 Cases in which the cameras are a critical system: 1.Cameras assigned responsibility during nominal ops No line of sight -> Camera provides position info 2.Cameras are backup when other subsystems fail Failed/degraded GPS -> Camera provides position info Failed/degraded ARP -> Camera provides landing-site data 3.Images as mission objective (surveillance) Failure of cameras can jeopardize success CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Camera Criticality

SAS_05_Contingency_Lutz_Tal8 ARP Functional Requirements: Current Planned Contingency Analysis: SFMECA SFTA Contingency Planning: Available indicators Contingency triggers Contingency responses 2-Level (recover/predict) CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Process Overview 1. Brainstorm with UAV team to uncover candidates for software contingencies Review UAV literature and project reports Lead brainstorming sessions with domain experts Work with team to identify and prioritize high-concern candidates Select top priority candidates 2. Model unit of interest (i.e. cameras, communications systems…) Model system including: Architecture & State diagram Verify models with UAV team 3. Contingency requirements verification Perform SFMECA and SFTA in context of Obstacle Analysis [RE’05] 4. Analyze testability Identify how each contingency can be detected Perform SFTA Experiment with assignment of measure of uncertainty 5. Develop recovery strategy Determine candidate strategies for contingency responses (prevent/respond/safe) Determine availability of data needed to determine/execute appropriate contingency 6. Prototype contingency in progressively higher fidelity testbeds 7. Monitor contingency performance

SAS_05_Contingency_Lutz_Tal9 CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Contingency Analysis Used Bi-Directional Safety Analysis to find contingencies Forward analysis from potential failures to their effects (Software Failure Modes, Effects & Criticality Analysis) Backward analysis from failures to contributing causes (Software Fault Tree Analysis) Guides to thinking about possible ways to handle contingencies: Use “Mitigation” column in SFMECA Remove leaf nodes from SFTA graphs Use obstacle resolution patterns [van Lamsweerde & Letier, 2000] TEAMS produces a diagnostic tree of checks needed to detect & isolate contingencies, identifies missing checks and recovery action “Testability Engineering and Maintenance System” Modeling & analysis toolset Won NASA Space Act Award Used successfully on 2 nd generation RLV IVHM risk reduction program

SAS_05_Contingency_Lutz_Tal10 Properties for each function, switch & test-point are entered into the TEAMS tools TEAMS builds a Dependency Matrix in which each row is a fault source (e.g., a camera that can fail) and each column is a test (e.g., whether we have a good Stereo image). Here, we select the normal or contingency scenario (camera OK or not) for the analysis. CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Results

SAS_05_Contingency_Lutz_Tal11 Executing the Contingency scenario, we check that the behavior is correct: left COLOR camera is available (no red slash) & being used; confirm that tests can isolate failure to which camera. Most useful: the automatic Diagnostic Tree: --Shows best sequence of checks to detect & isolate --Shows indistinguishable failures (“ambiguity groups”) --XML output option is being translated into rotorcraft’s planning language (APEX) to simulate contingencies on the vehicle - - <![CDATA[ CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Results

SAS_05_Contingency_Lutz_Tal12 CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS Importance / Benefits 1.Contingency management is essential to the robust operation of complex systems such as spacecraft and Unpiloted Aerial Vehicles (UAVs) 2.Automatic contingency handling allows a faster response to unsafe scenarios, with reduced human intervention 3.Results, applied to the Autonomous Rotorcraft Project and Mars Science Lab, pave the way to more resilient, adaptive autonomous systems

SAS_05_Contingency_Lutz_Tal13 Improved contingency handling needed to safely relinquish control of unpiloted vehicles to autonomous controllers More autonomous contingency handling needed to support extended mission operations Potential applications: Safety-critical UAVs and Mission-critical spacecraft and rovers Relevance to NASA CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS

SAS_05_Contingency_Lutz_Tal14 Next Steps CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS  Autonomous Rotorcraft Project: Continue working with team to expand and evaluate contingencies for imaging and ranging systems Technology Readiness Level: FY05: 3 (“Experimental demonstration of critical function &/or proof of concept”) FY06: 4 (“Validation in a lab environment”) on rotorcraft  Mars Science Lab: Update and enhance model for spacecraft pointing contingencies with domain expertise from software development team  Infusion across NASA: Document process for technology transfer to other projects

SAS_05_Contingency_Lutz_Tal15 Backup Slides

SAS_05_Contingency_Lutz_Tal16 TEAMS uses a hierarchical model of the system: *Boxes are key requirements (stereo processing, etc.) *Squares are switches: using left grayscale camera (nominal) or using left color camera (contingency) *Circles are test-points: #1: check whether has good (unfailed) stereo image #2: check whether good range data CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS

SAS_05_Contingency_Lutz_Tal17 CONTINGENCY SOFTWARE in AUTONOMOUS SYSTEMS

SAS_05_Contingency_Lutz_Tal18 Critical Pointing for Spacecraft Autonomous, contingency response for critical scenarios: Commandability lost Before trajectory-correction maneuvers Before Entry/Descent/Landing

SAS_05_Contingency_Lutz_Tal19 What do we know when a “quit-failed” signal occurs?

SAS_05_Contingency_Lutz_Tal20 What is a contingency? Contingencies are obstacles to the fulfillment of a system’s high- level requirements that can arise during real-time operations –Failures: camera fails due to hardware or software problem –Operational situations of concern: lens cap left on means that all images are black, so can’t land unassisted –Environmental situations of concern: strong crosswind interferes with imaging, thus with finding landing site Contingency-handling involves requirements for detecting, identifying and responding to contingencies. Contingency handling includes, but extends, traditional fault protection

SAS_05_Contingency_Lutz_Tal21 Autonomy Something previously not done automatically is now done by the software –Previously done manually, or –Previously could not be done Example of incremental autonomy: –Collision avoidance (not hitting buildings) 1.Remote control by pilot steering from ground 2.Path calculated on ground, loaded into system, path-plan executed in flight 3.Path calculated in flight based on real-time imaging Autonomy allows system to detect and respond to a broad class of anomalies in many more ways

SAS_05_Contingency_Lutz_Tal22 Safety-critical Safety-critical: –Requires collision-avoidance –Requires autonomous take-off & landing in populated areas –Use for critical missions: finding lost hikers, downed pilots; detecting highway accidents; imaging (early warning) forest fires

SAS_05_Contingency_Lutz_Tal23 Obstacle Analysis Approach KAOS framework for goal-oriented obstacle analysis –Goal is a set of desired behaviors –Obstacle is a set of undesirable behaviors that impede a goal Relevance to application: –Contingencies are Obstacles to achieving goals, or Indications that goals are unrealizable with available agents Advantages –Structured approach early-on (anticipatory planning) –Supports more formal analysis, as needed

SAS_05_Contingency_Lutz_Tal24 Obstacle Analysis Approach Step 1. Identify the goals Step 2. Identify the agents Step 3. Identify the obstacles Step 4. Identify alternative resolutions to the obstacles Step 5. Select a resolution among the alternatives.

SAS_05_Contingency_Lutz_Tal25 Other Related Work Requirements evolution –Use goal & obstacle analysis to refine requirements in a developing system [Anton & Potts] Maintenance –Focus on management of requirements changes [Bennett & Rajlich] –Evaluate in terms of traceability or change-impact [Cleland- Huang] Dynamic monitoring –Monitor operational systems for mismatch assumptions/environment & perform remedial evolutions [Fickas and Feather] Autonomous fault handling with AI planners Safety in autonomous systems Vehicle health management

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.