On-board Timeline Validation and Repair: A Feasibility Study Maria Fox, Derek Long University of Strathclyde, Glasgow, UK Les Baldwin, Graham Wilson, Mark Woods SciSys Ltd, UK Davide Jameux ESA, Netherlands Ruth Aylett Heriot-Watt University, Edinburgh, UK

Background MMOPS: Mars-Mission On-board Planner and Scheduler ESA funded project to develop a demonstrator Show potential on-board capabilities for autonomous plan repair using Beagle 2 on-board software

Context Scientists identify objectives and propose activities –Priorities set by lead scientist(s) –Constraints generally implicit (eg ordering and dependencies between activities) Lander Operations personnel construct a plan (timeline), integrating proposed science activities and lander-oriented activities over predetermined interval Plan downlinked to lander; lander attempts execution –Plan might execute successfully –Plan might fail during execution and lander enter safe mode Results uplinked for return to ground staff and analysis

Typical Operations Sequence

Sequence with failure

On-board Autonomy t Priority/Constraint Based Pre-Planned t t Adaptive t Goal Orientated Goals PlannerTVCR Event Action OBCP Priorities & Constraints Opportunities

Target Problems Isolation of plan failure –Protect the remainder of the plan Over-subscription –Reduce planned activity to avoid use of over- subscribed resources Under-subscription –Attempt to exploit potential opportunities to make use of under-subscribed resources

Ground-based and On-board Partnership ConTool Timeline Construction: Primary timeline Opportunity fragments Packaged date Standard timeline downlink On-board software TVCR Ground Operations On-board Operations

Using CONTOOL Timeline constructed, but now annotated: constraints made explicit Additional timeline fragments are then added: opportunities Further constraints are added: –Ordering constraints between opportunities themselves and between opportunities and fragments in the main timeline –Dependencies –Mutual exclusions (pairs of fragments which should not both be executed) –Priorities Ordering between activities or connected elements of a timeline (fragments) Dependencies between activities or fragments (eg the rock surface should only be ground if the microscope successfully imaged it beforehand)

Opportunities: Features Opportunities are designed as consistent self- contained timeline fragments Fragments generally represent subplans needed for future operations Often generic fragments capturing an experimental process consisting of multiple activities, so reusable Opportunities are designed on the ground, by operations personnel Constraints make explicit relationships required of lander operations by both scientists and operations personnel

Exploiting Opportunities If an activity fails during execution, a new fragment can be executed – an opportunity –Failed fragments are removed from the plan, together with fragments that depend on them Opportunities are selected: –to respect the existing resource constraints within the current timeline –according to priority and according to the constraints between them and with main plan fragments Execution of the main plan remains highest priority Opportunities are only selected from those identified and constructed by operations personnel Timeline validatedFlaw identifiedBroken elements removedOpportunity consideredOpportunity insertedConstraints checked

Operations with TVCR

On-board: TVCR TVCR: Timeline Validation, Control and Repair –a module invoked by on-board software Requirements of TVCR: –The timeline, fragments and constraints constructed on the ground –A model of the activities Preconditions for execution; effects on execution Built once – unlikely to change –A view of the current state At level of abstraction used by activity models Built on-board using diagnosis of sensor signals

TVCR Architecture TVCR Primed with activity models Timeline Opportunities Constraints Sensed state On-board Control Software Lander Hardware Systems On-board Software

TVCR: Behaviours On validate request: –Validate newly entered timeline from the current state –Report anticipated failures and causes On control request: –Validate current remaining fragment of timeline from current state On repair request: –If the current timeline is predicted to fail and there is time to react before the next action, construct a new timeline –Remove broken fragments –Insert opportunities

Taking Opportunities When opportunities can be added to a timeline, choices often exist: –Which opportunities to add –Where to add them Use a bounded search –Not a full search: save space and time and ensure bounded termination –Not guaranteed to find optimal repairs in terms of opportunities added –Greedy approach to opportunity insertion –Fallback position: execute the fragments of the original main plan that are still valid (repairs to link activities where fragments removed)

Example Test Case A timeline is planned including two Mössbauer experiments During the first experiment, the Mössbauer signals a failure… Repair removes second Mössbauer experiment and related activities Opportunities are considered in priority order and one is identified as a candidate for insertion –The opportunity selected is an environmental sensor suite experiment The timeline is repaired by the addition of the opportunity and connecting activities New downlink schedule is recorded

Example Repair Failed fragment removed from timeline Benefits –After first failure, timeline continues execution –Subsequent expected failure anticipated by TVCR and isolated –Timeline executes successfully to conclusion –Science data is collected during execution of parts of this timeline that would otherwise be aborted

Example Repair Broken fragment removed and opportunity fragment added Benefits: –Timeline successfully executes to completion –Broken fragments do not cause timeline to abort –Broken fragment removed and replaced with valid opportunity fragment –Resources are utilised and science data gathered –Downlink schedule modified to allow for new data log

Conclusions Successful demonstration of a level of autonomy that lies between reactive responses and full on-board planning Demonstrable benefits for science gathering Conservative approach reduces risks and makes it more attractive to operations personnel