VeriFIM study
Verification of Failure Impact by Model-checking
Funded by: European Space Agency (ESA)
Grant n.: TEC-SWE/09-259/YY
Duration: from June 2010 to December 2011
Partners: Thales Alenia Space, Torino, Italy; Univ. of Piemonte Orientale, Alessandria, Italy; ESA-ESTEC, Noordwijk, Netherlands
Goal
The project's goal is to build an FDIR (Failure Detection, Identification and Recovery) engine for an autonomous spacecraft, using probabilistic techniques based on Bayesian Belief Network models (see the statement of work).
Participants
Thales Alenia Space: Andrea Guiotto (unit coordinator), Stefano Di Nolfo
Univ. of Piemonte Orientale: Luigi Portinale (unit coordinator), Andrea Bobbio, Daniele Codetta-Raiteri, Roberta Terruggia
ESA-ESTEC: Yuri Yushtein (study supervisor)
Publications
D. Codetta-Raiteri, L. Portinale
"Dynamic Bayesian Networks for Fault Detection, Identification, and Recovery in Autonomous Spacecraft"
IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45(1), pages 13-24, IEEE, January 2015.
A. Bobbio, D. Codetta-Raiteri, L. Portinale, A. Guiotto, Y. Yushtein
"A Unified Modelling and Operational Framework for Fault Detection, Identification, and Recovery in Autonomous Spacecrafts"
In "Theory and Application of Multi-Formalism Modeling", pages 239-258, IGI-Global, October 2013.
D. Codetta-Raiteri, L. Portinale, S. Di Nolfo, A. Guiotto, Y. Yushtein
"A unified modelling and operational framework for Fault Detection, Identification and Recovery in autonomous spacecrafts"
Proceedings of the Workshop on Research and Use of Multiformalism Modeling Methods (WRUMMM), pages 24-31, London, UK, September 2012.
D. Codetta-Raiteri, L. Portinale, A. Guiotto, Y. Yushtein
"Evaluation of anomaly and failure scenarios involving an exploration rover: a Bayesian network approach"
Proceedings of the International Symposium on Artificial Intelligence, Robotics and Automation in Space (iSAIRAS), ESA, Turin, Italy, September 2012.
A. Guiotto, L. Portinale, D. Codetta-Raiteri, Y. Yushtein
"ARPHA: an innovative on-board FDIR reasoning engine for autonomous systems"
Proceedings of Data Systems in Aerospace (DASIA), ESA, Dubrovnik, Croatia, May 2012.
D. Codetta-Raiteri, L. Portinale, S. Di Nolfo, A. Guiotto
"ARPHA: a software prototype for fault detection, identification and recovery in autonomous spacecrafts"
Acta Futura, vol. 5(15), pages 99-110, ESA, January 2012.
L. Portinale, D. Codetta-Raiteri
"Using Dynamic Decision Networks and Extended Fault Trees for Autonomous FDIR"
Proceedings of the International Conference on Tools with Artificial Intelligence (ICTAI), pages 480-484, IEEE Computer Society, Boca Raton, USA, November 2011.
L. Portinale, D. Codetta-Raiteri
"ARPHA: an FDIR architecture for autonomous spacecrafts based on Dynamic Probabilistic Graphical Models"
Proceedings of AI in Space, ESA, Barcelona, Spain, July 2011.
D. Codetta-Raiteri, L. Portinale
"ARPHA: an FDIR architecture for Autonomous Spacecrafts based on Dynamic Probabilistic Graphical Models"
Technical Report TR-INF-2010-12-04-UNIPMN, Dip. di Informatica, Univ. del Piemonte Orientale, December 2010.
Study framework
Study Organization
Verification of Failure Impact by Model Checking (VeriFIM)
is a European Space Agency research study - contract
No. 4200023090 - coordinated by Thales Alenia Space Italia
(TAS-I) with Università del Piemonte Orientale (UNIPMN) as
subcontractor and Thales Alenia Space France (TAS-F) as
consultant.
TAS-I, as the Prime Contractor, has taken care of the
overall technical coordination and harmonization of the
project. Moreover, TAS-I has performed the selection of
the case study, the specification of system requirements,
the elicitation of the SW specification, the integration of
the SW in the on-board infrastructure, the validation, and
the evaluation and characterization of the approach.
UNIPMN has performed a survey of the state of the art
in model-based and knowledge-based approaches. It has
built the on-board model used by ARPHA (the DBN). It has
designed and developed the ARPHA algorithms and functions,
and has implemented and delivered the ARPHA prototype. It
has supported the performance evaluation.
TAS-F has supported the elicitation of the ARPHA system
requirements and has provided a diagnosability approach
for the model used by ARPHA.
Study motivations
Currently employed FDIR operation is based on the
design-time analysis of faults and failure scenarios
(e.g. FMEA, FTA) and the run-time observation of the
system's operational status (health monitoring). Its main
objectives are to detect faults in a timely manner and to
initiate the corresponding predefined recovery actions. If
no corresponding action can be found, FDIR proceeds by
executing the recovery actions that put the spacecraft into
a known safe configuration, and transfers control to
Ground operations for troubleshooting and for planning the
recovery actions.
This approach is not always adequate for an autonomous
system, for the following reasons:
- Partial observability of the system and of the
environment does not allow a certain identification of the
system status
- Traditional FDIR cannot provide or use a prognosis of
imminent failures
- Automated FDIR procedures cannot choose a specific
course of recovery based on the evaluation of causal
knowledge of the system and environment status
- It is impossible to estimate the impact of the faults
and failures that have occurred on the operational
capabilities of the system
- The available reaction time does not always allow
waiting for a Ground recovery
Study Objectives
The global objective of this study is to demonstrate that
the integration of innovative technologies (model-based
autonomy, run-time Dependability and Safety analysis,
causal modelling, probabilistic calculus, Knowledge-Based
Systems) in a unified modelling and autonomous reasoning
framework may increase the achievable level of autonomy.
The main focus is on autonomous anomaly resolution and
prognostic, pro-active FDIR capabilities.
The global objective comprises the following
sub-objectives:
1. Evaluation and justification of an integrated and
unified use of causal probabilistic techniques and
Knowledge-Based approaches, suited for on-board automated
analysis, to increase the level of autonomy of space
systems in terms of anomaly resilience and autonomous
recoverability;
2. Definition of an integrated modelling framework for the
specification of the models suited for on-board autonomous
reasoning, to infer the system Health, Dependability and
Safety status and prognosis, and (preventive) anomaly
resolution approaches;
3. Development of an on-board software prototype, the
Anomaly Resolution and Prognostic Health management for
Autonomy (ARPHA), implementing the required autonomous
reasoning and inference techniques, based on the use of
probabilistic calculus approaches;
4. Demonstration of the approach on case studies involving
autonomous on-board systems, and evaluation of the
experimental results in terms of applicability,
scalability, and performance;
5. Evaluation of the adequacy of the approach and of the
developed technology for use in the context of critical
on-board space systems.
Conclusions
The developed approach provides a unified modelling and
autonomous reasoning framework that integrates a high-level
modelling formalism (Dynamic Fault Tree - DFT), a low-level
modelling formalism (Dynamic Bayesian Network - DBN) and an
inference-oriented formalism (Junction Tree - JT). The
on-board analysis of the JT, conditioned on the sensor
data and on the recovery actions, allows the current and
future state of the system to be evaluated, and, when
necessary, the recovery policies to be evaluated
automatically, without the assistance of ground control.
This approach increases the achievable level of autonomy.
The developed prototype ARPHA is an on-board software FDIR
component suited for use in existing spacecraft system
architectures. It can perform on-board diagnosis, prognosis
and recovery inference, and it is able to verify the
impact of a failure on the future state of the system.
Environmental aspects of the space mission can be modelled
in the DBN used by ARPHA to perform inference. The failure
causes can be taken into account by including them in the
utility function used to select the recovery action. ARPHA
can also evaluate the impact of a failure on the currently
executing plan.
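The diagnosis / prognosis / recovery loop described above is only sketched in prose. The following is an added illustrative example, not ARPHA code and not a model from the study: a two-slice DBN with one hidden component state, one discretised telemetry channel and one recovery action, using exact forward (filtering) inference in place of a junction tree, k-step prediction for prognosis, and an expected-utility criterion to select the recovery action. The state names, action names, probability tables, utilities and the telemetry sequence are all constructed assumptions.

```python
"""Toy DBN-based FDIR reasoning: diagnosis, prognosis and recovery selection.

Added illustrative example; not ARPHA code. Every number below is a
constructed assumption, chosen only so the arithmetic is easy to follow.
"""
from typing import Dict, List, Tuple

Belief = Dict[str, float]

# Hidden state of one component per time slice.
STATES = ("ok", "degraded", "failed")

# Transition model P(X_t | X_{t-1}, action). "failed" is absorbing unless
# the redundant unit is switched in. (constructed numbers)
TRANSITION: Dict[str, Dict[str, Belief]] = {
    "none": {
        "ok":       {"ok": 0.97, "degraded": 0.03, "failed": 0.00},
        "degraded": {"ok": 0.00, "degraded": 0.80, "failed": 0.20},
        "failed":   {"ok": 0.00, "degraded": 0.00, "failed": 1.00},
    },
    "switch_redundant": {
        "ok":       {"ok": 0.97, "degraded": 0.03, "failed": 0.00},
        "degraded": {"ok": 0.90, "degraded": 0.08, "failed": 0.02},
        "failed":   {"ok": 0.85, "degraded": 0.05, "failed": 0.10},
    },
}

# Sensor model P(reading | X_t) for one telemetry channel discretised into
# three symbols. (constructed numbers)
SENSOR: Dict[str, Belief] = {
    "ok":       {"nominal": 0.90, "high": 0.09, "out_of_range": 0.01},
    "degraded": {"nominal": 0.30, "high": 0.60, "out_of_range": 0.10},
    "failed":   {"nominal": 0.05, "high": 0.25, "out_of_range": 0.70},
}

# Utility of the predicted end state, and the cost of each action.
STATE_UTILITY: Belief = {"ok": 100.0, "degraded": 40.0, "failed": -500.0}
ACTION_COST: Dict[str, float] = {"none": 0.0, "switch_redundant": 30.0}


def normalise(b: Belief) -> Belief:
    z = sum(b.values())
    return {s: p / z for s, p in b.items()}


def predict(belief: Belief, action: str) -> Belief:
    """One-slice prediction: P(X_t | e_{1:t-1}, a) = sum_x P(X_t | x, a) P(x | e_{1:t-1})."""
    out = {s: 0.0 for s in STATES}
    for prev, p_prev in belief.items():
        for nxt, p_tr in TRANSITION[action][prev].items():
            out[nxt] += p_prev * p_tr
    return out


def update(belief: Belief, reading: str) -> Belief:
    """Condition on evidence: P(X_t | e_{1:t}) is proportional to P(e_t | X_t) P(X_t | e_{1:t-1})."""
    return normalise({s: p * SENSOR[s][reading] for s, p in belief.items()})


def diagnose(readings: List[str]) -> Belief:
    """Filtering over the telemetry history: the diagnosis at the last slice."""
    belief: Belief = {"ok": 1.0, "degraded": 0.0, "failed": 0.0}
    for r in readings:
        belief = update(predict(belief, "none"), r)
    return belief


def prognose(belief: Belief, horizon: int, first_action: str = "none") -> Belief:
    """Predict `horizon` slices ahead with no further evidence, applying
    `first_action` in the first slice and no action afterwards."""
    for k in range(horizon):
        belief = predict(belief, first_action if k == 0 else "none")
    return belief


def expected_utility(belief: Belief, action: str, horizon: int) -> float:
    future = prognose(belief, horizon, action)
    return sum(future[s] * STATE_UTILITY[s] for s in STATES) - ACTION_COST[action]


def select_recovery(belief: Belief, horizon: int = 5) -> Tuple[str, Dict[str, float]]:
    """Recovery policy: the action maximising the expected utility of the prognosis."""
    scores = {a: expected_utility(belief, a, horizon) for a in TRANSITION}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    # Constructed telemetry: nominal readings drifting into out-of-range.
    telemetry = ["nominal", "nominal", "high", "high", "out_of_range"]
    now = diagnose(telemetry)
    print("diagnosis :", {s: round(p, 3) for s, p in now.items()})
    print("prognosis :", {s: round(p, 3) for s, p in prognose(now, 5).items()})
    action, scores = select_recovery(now)
    print("recovery  :", action, {a: round(u, 1) for a, u in scores.items()})
```

With the constructed telemetry the filtered belief puts most of the mass on "failed", the five-slice prognosis with no action drives that mass higher (the failed state is absorbing under "none"), and the utility comparison picks the redundant-unit switch; from a belief of "ok" with probability 1 the same policy keeps "none", because the switch cannot improve an already healthy state and carries a cost. A real junction-tree engine replaces `predict`/`update` with message passing over cliques, but the conditioning on sensors, the prediction step and the utility-based choice are the same operations.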
The developed ARPHA prototype has been evaluated on the
space embedded target (running under RTEMS on the LEON3
processor). The performance data obtained show that ARPHA
is usable in the context of current space applications
and on the available on-board computers.