Application of Correct-by-Construction Principles for a Resilient Risk-Aware Architecture

In this paper we discuss the application of correct-by-construction techniques to a resilient, risk-aware software architecture for onboard, real-time autonomous operations. We mean to combat complexity and the accidental introduction of bugs through the use of verifiable auto-coding software and correct-by-construction techniques, and discuss the use of a toolbox for correct-by-construction Temporal Logic Planning (TuLiP) for such a purpose. We describe some of TuLiP’s current functionality, specifically its ability to model symbolic discrete systems and synthesize software controllers and control policies that are correct-by-construction. We then move on to discuss the use of these techniques to define a deliberative goal-directed executive capability that performs risk-informed action-planning – to satisfy the mission goals (specified by mission control) within the specified priorities and constraints. Finally, we discuss an application of the TuLiP process to a simple rover resilience scenario

Towards Architecture-wide Analysis, Verification, and Validation for Total System Stability During Goal-Seeking Space Robotics Operations

In this paper we discuss the beginnings of an attempt to define and analyze the stability of an entire modular robotic system architecture – one which includes a three-tier (3T) layer breakdown of capabilities, with symbolic, deterministic planning at the highest level. We approach the problem from the standpoint of a control theory outlook, and try to formalize the issues that result from trying to quantitatively characterize the overall performance of a well-defined system without a need for exhaustive testing. We start by discussing the concept of bounded-input bounded-output stability, giving examples where the technique might not be sufficient to guarantee what we term “total system stability” due to complications associated with the levels of abstraction between the modules and components that are being chained together in the architecture. We then go on to discuss necessary conditions that may fall out of this naturally as a result. We further try to better-define the input and output constraints needed to guarantee total system stability, using an assumption-guarantee-like contractual framework that sits alongside the architecture; the requirements then may have influence across multiple modules, in order to keep consistency. We also discuss how the structure of the architectural modules may help or hinder the process of capability characterization and performance analysis of each module and a given architecture configuration as a whole. We then discuss two overlapping methods that, combined, should allow us to analyze the effectiveness of the architecture, and help towards verification and validation of both the components and the system as a whole. Demonstrative examples are given using a specific architectural implementation called the Resilient Spacecraft Executive. In future work, we hope to define both necessary and sufficient conditions for total system stability across such a system architecture for robotics useQC 20201124</p

Towards Architecture-wide Analysis, Verification, and Validation for Total System Stability During Goal-Seeking Space Robotics Operations

In this paper we discuss the beginnings of an attempt to define and analyze the stability of an entire modular robotic system architecture - one which includes a three-tier (3T) layer breakdown of capabilities, with symbolic, deterministic planning at the highest level. We approach the problem from the standpoint of a control theory outlook, and try to formalize the issues that result from trying to quantitatively characterize the overall performance of a well-defined system without a need for exhaustive testing. We start by discussing the concept of bounded-input bounded-output stability, giving examples where the technique might not be sufficient to guarantee what we term "total system stability" due to complications associated with the levels of abstraction between the modules and components that are being chained together in the architecture. We then go on to discuss necessary conditions that may fall out of this naturally as a result. We further try to better-define the input and output constraints needed to guarantee total system stability, using an assumption-guarantee-like contractual framework that sits alongside the architecture; the requirements then may have influence across multiple modules, in order to keep consistency. We also discuss how the structure of the architectural modules may help or hinder the process of capability characterization and performance analysis of each module and a given architecture configuration as a whole. We then discuss two overlapping methods that, combined, should allow us to analyze the effectiveness of the architecture, and help towards verification and validation of both the components and the system as a whole. Demonstrative examples are given using a specific architectural implementation called the Resilient Spacecraft Executive. In future work, we hope to define both necessary and sufficient conditions for total system stability across such a system architecture for robotics use