37 research outputs found

    Formal Methods for Automated Diagnosis of Autosub 6000

    This is a progress report on applying formal methods in the context of building an automated diagnosis and recovery system for Autosub 6000, an Autonomous Underwater Vehicle (AUV). The diagnosis task involves building abstract models of the control system of the AUV. The diagnosis engine is based on Livingstone 2, a model-based diagnoser originally built for aerospace applications. Large parts of the diagnosis model can be built without concrete knowledge about each mission, but actual mission scripts and configuration parameters that carry important information for diagnosis are changed for every mission. Thus we use formal methods for generating the mission control part of the diagnosis model automatically from the mission script and perform a number of invariant checks to validate the configuration. After the diagnosis model is augmented with the generated mission control component model, it needs to be validated using verification techniques

    Autonomous Systems, Robotics, and Computing Systems Capability Roadmap: NRC Dialogue

    Contents include the following: Introduction. Process, Mission Drivers, Deliverables, and Interfaces. Autonomy. Crew-Centered and Remote Operations. Integrated Systems Health Management. Autonomous Vehicle Control. Autonomous Process Control. Robotics. Robotics for Solar System Exploration. Robotics for Lunar and Planetary Habitation. Robotics for In-Space Operations. Computing Systems. Conclusion

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000

    Automated verification of model-based programs under uncertainty

    Thesis (M. Eng. and S.B.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2004. Includes bibliographical references (p. 89-91). Highly robust embedded systems have been enabled through software executives that have the ability to reason about their environment. Those that employ the model-based autonomy paradigm automatically diagnose and plan future actions, based on models of themselves and their environment. This includes autonomous systems that must operate in harsh and dynamic environments, like deep space. Such systems must be robust to a large space of possible failure scenarios. This large state space poses difficulties for traditional scenario-based testing, leading to a need for new approaches to verification and validation. We propose a novel verification approach that generates an analysis of the most likely failure scenarios for a model-based program. By finding only the most likely failures, we increase the relevance and reduce the quantity of information the developer must examine. First, we provide the ability to verify a stochastic system that encodes both off-nominal and nominal scenarios. We incorporate uncertainty into the verification process by acknowledging that all such programs may fail, but in different ways, with different likelihoods. The verification process is one of finding the most likely executions that fail the specification. Second, we provide a capability for verifying executable specifications that are fault-aware. We generalize offline plant model verification to the verification of model-based programs, which consist of both a plant model that captures the physical plant's nominal and off-nominal states and a control program that specifies its desired behavior. Third, we verify these specifications through execution of the RMPL executive itself. We therefore circumvent the difficulty of formalizing the behavior of complex software executives.
    We present the RMPL Verifier, a tool for verification of model-based programs written in the Reactive Model-based Programming Language (RMPL) for the Titan execution kernel. Using greedy forward-directed search, this tool finds as counterexamples to the program's goal specification the most likely executions that do not achieve the goal within a given time bound. By Tazeen Mahtab. M.Eng. and S.B.

    Super Ball Bot - Structures for Planetary Landing and Exploration

    Small, light-weight and low-cost missions will become increasingly important to NASA's exploration goals for our solar system. Ideally, teams of dozens or even hundreds of small, collapsible robots, weighing only a few kilograms apiece, will be conveniently packed during launch and would reliably separate and unpack at their destination. Such teams will allow rapid, reliable in-situ exploration of hazardous destinations such as Titan, where imprecise terrain knowledge and unstable precipitation cycles make single-robot exploration problematic. Unfortunately, landing many lightweight conventional robots is difficult with conventional technology. Current robot designs are delicate, requiring combinations of devices such as parachutes, retrorockets and impact balloons to minimize impact forces and to place a robot in a proper orientation. Instead we propose to develop a radically different robot based on a "tensegrity" built purely upon tensile and compression elements. These robots can be light-weight, absorb strong impacts, are redundant against single-point failures, can recover from different landing orientations and are easy to collapse and uncollapse. We believe tensegrity robot technology can play a critical role in future planetary exploration

    Technology for Future NASA Missions: Civil Space Technology Initiative (CSTI) and Pathfinder

    Information is presented in viewgraph form on a number of related topics. Information is given on orbit transfer vehicles, spacecraft instruments, spaceborne experiments, university/industry programs, spacecraft propulsion, life support systems, cryogenics, spacecraft power supplies, human factors engineering, spacecraft construction materials, aeroassist, aerobraking and aerothermodynamics

    RIACS

    The Research Institute for Advanced Computer Science (RIACS) was established by the Universities Space Research Association (USRA) at the NASA Ames Research Center (ARC) on June 6, 1983. RIACS is privately operated by USRA, a consortium of universities that serves as a bridge between NASA and the academic community. Under a five-year co-operative agreement with NASA, research at RIACS is focused on areas that are strategically enabling to the Ames Research Center's role as NASA's Center of Excellence for Information Technology. The primary mission of RIACS is chartered to carry out research and development in computer science. This work is devoted in the main to tasks that are strategically enabling with respect to NASA's bold mission in space exploration and aeronautics. There are three foci for this work: (1) Automated Reasoning, (2) Human-Centered Computing, and (3) High Performance Computing and Networking. RIACS has the additional goal of broadening the base of researchers in these areas of importance to the nation's space and aeronautics enterprises. Through its visiting scientist program, RIACS facilitates the participation of university-based researchers, including both faculty and students, in the research activities of NASA and RIACS. RIACS researchers work in close collaboration with NASA computer scientists on projects such as the Remote Agent Experiment on the Deep Space One mission, and Super-Resolution Surface Modeling

    Magnetic diagnostics algorithms for LISA Pathfinder: system identification and data analysis

    LISA (Laser Interferometer Space Antenna) is a joint mission of ESA and NASA, which aims to be the first space-borne gravitational wave observatory. LISA will consist of a constellation of three spacecraft at the vertices of an equilateral triangle of side 5 million kilometers. The constellation will orbit around the Sun trailing the Earth by some 20 degrees. Each of the spacecraft harbors two proof masses, carefully protected against external disturbances such as solar radiation pressure and charged particles, which ensures they are in nominal free-fall in the interplanetary gravitational field. Gravitational waves will show as differential accelerations between pairs of proof masses, and the main aim of LISA is to measure such acceleration using laser interferometry. The technologies required for the LISA mission are many and challenging. This, coupled with the fact that some flight hardware cannot be tested on ground, led ESA to define a technology demonstrator to test in flight the required critical technologies. This precursor mission is called LISA Pathfinder (LPF). The payload of LISA Pathfinder is the LISA Technology Package (LTP), which will be the highest sensitivity geodesic explorer flown to date. The LISA Technology Package is designed to measure relative accelerations between two test masses in nominal free fall placed in a single spacecraft, since one LISA arm is squeezed from 5 million kilometers to 35 cm. Its success will prove the maturity of the necessary technologies for LISA such as the Optical Metrology System and the Drag Free concept. The differential acceleration reading will be perturbed by identified disturbances, such as thermal fluctuations or magnetic effects. These disturbances are monitored by the Diagnostics Subsystem. The Magnetic Diagnostics System is one of its modules and is a critical subsystem, since magnetic noise is apportioned to 40% of the total noise budget.
    In this respect, to estimate the magnetic noise contribution, the Magnetic Diagnostics Subsystem will have two main tasks: (1) estimate the magnetic properties of the test masses, i.e., their remanent magnetic moment and susceptibility, and (2) infer the magnetic field and its gradient at the location of the test masses. To this end, the Magnetic Diagnostics Subsystem includes two coils which generate controlled magnetic fields at the locations of the test masses. These magnetic fields will excite the dynamical response of both test masses. Thus, by adequate processing of the kinematic excursions delivered by the interferometer, the magnetic characteristics of the test masses can be estimated within 1% accuracy level. Additionally, the Magnetic Diagnostic Subsystem includes a set of four tri-axial fluxgate magnetometers. However, the magnetic field and its gradient need to be measured at the positions of the test masses, and the readouts of the magnetometers do not provide a direct measurement of the magnetic field at these positions. Thus, an interpolation method must be implemented to calculate them. This is a difficult problem, mostly because the magnetometers are too distant from the locations of the test masses (more than 20 cm away) and because there are not sufficient magnetic channels to go beyond a classical linear interpolation method, which yields extremely poor interpolation results. Consequently, in this thesis we present and validate an alternative interpolation method based on neural networks. We put forward its robustness and accuracy in several mission scenarios and we stress the importance of an extensive magnetic testing campaign. Under these assumptions, we deliver magnetic field and gradient estimates with 10% accuracy. Finally, the estimate of the magnetic noise contribution to the total acceleration between the two LPF's test masses is determined with an accuracy of 15%.
    This result represents an enhancement of the estimation quality by one order of magnitude with respect to former studies.
    LISA (Laser Interferometer Space Antenna) is a joint space mission of ESA and NASA that will be the first gravitational wave detector in space. LISA consists of a constellation of three satellites placed at the vertices of an equilateral triangle with sides of 5 million kilometers. The constellation will orbit the Sun, following the Earth at about 20 degrees. Each of the satellites will contain two test masses, carefully protected from external disturbances such as solar radiation pressure, ensuring that they are in nominal free fall in the interplanetary gravitational field. Gravitational waves create differential accelerations between the pair of test masses. Thus the main objective of LISA is to measure that acceleration using laser interferometry. The technologies required for LISA are very demanding. Moreover, most of them cannot be tested on Earth. Therefore, ESA determined the need to launch a precursor mission to act as a technology demonstrator; this mission is LISA Pathfinder (LPF). Its payload is the LISA Technology Package (LTP), and it will be the highest-sensitivity geodesic sensor in space. The LISA Technology Package is designed to measure differential accelerations between two test masses in free fall located in a single satellite, reducing one of LISA's arms from 5 million kilometers to 35 cm. The success of the mission would demonstrate the maturity of the technologies needed for LISA, such as the Optical Metrology System and the Drag Free concept. The measurement of the differential acceleration will be affected by certain disturbances, such as thermal fluctuations or magnetic effects inside the satellite. These disturbances are monitored by the Diagnostics Subsystem.
    The Magnetic Diagnostics Subsystem is one of its modules and is a critical system, because magnetic noise represents 40% of the total noise. In order to estimate the contribution of the magnetic noise, the Magnetic Diagnostics Subsystem must (1) estimate the magnetic properties of the test masses, i.e., their remanent magnetic moment and their susceptibility, and (2) estimate the magnetic field and its gradient at the position of the test masses. Thus, this subsystem integrates two coils to generate magnetic fields at the position of the masses. These magnetic fields excite the dynamic response of the two masses. Finally, by processing the kinematic excursions provided by the interferometer, we can estimate the magnetic characteristics with a precision of 1%. On the other hand, the Magnetic Diagnostics Subsystem also integrates 4 triaxial magnetometers. However, the magnetic field and its gradient must be measured at the position of the test masses, and the magnetometer readings are not taken at those positions. Therefore, an interpolation system must be implemented. This problem is particularly difficult because the magnetometers are located far from the test masses (more than 20 cm) and because there are only enough magnetic measurements to perform a first-order interpolation. This method gives unacceptable results, so in this thesis we present and validate an alternative interpolation method based on neural networks. We demonstrate its robustness and accuracy in different cases and stress the importance of having an extensive magnetic test campaign. Under these assumptions, we estimate the magnetic field and its gradient with an error below 10%. Finally, the estimate of the magnetic noise contribution to the differential acceleration measurement of the two test masses can be determined with an accuracy of 15%.
    This result represents an improvement of one order of magnitude in estimation quality compared to previous studies

    Towards Real-Time, On-Board, Hardware-Supported Sensor and Software Health Management for Unmanned Aerial Systems

    For unmanned aerial systems (UAS) to be successfully deployed and integrated within the national airspace, it is imperative that they possess the capability to effectively complete their missions without compromising the safety of other aircraft, as well as persons and property on the ground. This necessity creates a natural requirement for UAS that can respond to uncertain environmental conditions and emergent failures in real-time, with robustness and resilience close enough to those of manned systems. We introduce a system that meets this requirement with the design of a real-time onboard system health management (SHM) capability to continuously monitor sensors, software, and hardware components. This system can detect and diagnose failures and violations of safety or performance rules during the flight of a UAS. Our approach to SHM is three-pronged, providing: (1) real-time monitoring of sensor and software signals; (2) signal analysis, preprocessing, and advanced on-the-fly temporal and Bayesian probabilistic fault diagnosis; and (3) an unobtrusive, lightweight, read-only, low-power realization using Field Programmable Gate Arrays (FPGAs) that avoids overburdening limited computing resources or costly re-certification of flight software. We call this approach rt-R2U2, a name derived from its requirements. Our implementation provides a novel approach of combining modular building blocks, integrating responsive runtime monitoring of temporal logic system safety requirements with model-based diagnosis and Bayesian network-based probabilistic analysis. We demonstrate this approach using actual flight data from the NASA Swift UAS

    Director's Discretionary Fund Report for Fiscal Year 1997

    This technical memorandum contains brief technical papers describing research and technology development programs sponsored by the Ames Research Center Director's Discretionary Fund during fiscal year 1997 (October 1996 through September 1997). Appendices provide administrative information for each of the sponsored research programs