by Arthur Ed LeBouthillier

This article was published in the August 1999 issue of Ther Robot Builder.

In the movie 2001: A Space Odyssey, the spacecraft embodying HAL was essentially a large robot. It was composed of an artificial intelligent component, HAL, and the spaceship itself with all of its automatic effector systems. HAL, although a fictional program, represented an entity which was aware both of itself and events surrounding it. When there were hardware problems in the spacecraft, HAL was able to identify these problems, solve them him- or it-self or alert the crew to solve them.

With its New Millennium Remote Agent (NMRA), NASA is heading in the direction of providing
similar capabilities for future autonomous spacecraft. The New Millennium Remote Agent was designed as an autonomous control and planning system enabling autonomous robotic spacecraft for space exploration. It eventually flew on the Deep Space One spacecraft and successfully demonstrated its capabilities in several tests, some of which are still
ongoing. Such highly autonomous systems are vital for future space exploration because they reduce the cost of exploration while enhancing capabilities. They reduce costs because they require fewer ground-based operators, who would be required for the duration of missions which could last years, and because they allow the spacecraft to be more robust to failure because they are able to continue operating even after system failures. They are also important because they allow more autonomous spacecraft to operate at once because they require
lower bandwidth to control; they do not require minute instructions for the every operation but can
be given more abstract commands which are executed by the spacecraft. This is deemed to be
important in the years to come because of limitations in the bandwidth of the Deep Space
Network at the same time that the number of operations is expected to increase dramatically. As
roboticists, it is important to review the New Millennium Remote Agent (NMRA) architecture
since it provides an example of an advanced robot control architecture from which we can learn.

Deep Space One

The Deep Space One spacecraft, although utilizing many cutting-edge technologies, represents a typical spacecraft in its functional layout. It has a control system based on a radiation-hardened version of the IBM 6000 RISC processor with 128 Megabytes of RAM and 16 Megabytes of EEPROM. It has many interacting systems such as an unconventional  ion thruster system, a conventional attitude control system, several scientific instruments,  a communication system which maintains communications with Earth-based controllers and several navigation sensors to identify its orientation and location in space.

All of these components operate under strict energy budgets because all power is derived from solar cells or on-board fuel. Almost all systems have a minor amountof functional redundancy allowing reduced operation should some part of them fail. Operating the system despite failures is one of the major jobs of the Remote Agent.

Running on the spacecraft’s computer is the Vx- Works Real-time Operating system. Operating in this operating environment are a number of standard software components used for controlling the spacecraft’s attitude and thrust systems and the Remote Agent. The Deep Space One spacecraft was not designed to work solely with the Remote Agent, so it maintains a complete operating suite of software for navigation as well as navigational control.

The Remote Agent

The Remote Agent interfaces to the spacecraft control system similarly to how the standard Earth-based control system. Rather than receive direct motor-control messages from Earth, the Remote Agent deduces its activity from the goal database and performs the control duties. It essentially becomes an independent onboard mission control system to navigate and control the spacecraft in accordance with its mission directives. These mission directives can be uploaded from Earth. This saves an enormous amount of communication bandwidth since high-level abstract commands are sent instead of raw control data.

The Remote Agent (RA) consists of three major functional elements distinct from the normal control software of the Deep Space One spacecraft: the Mission Manager which performs planning and scheduling, the Reactive Executive which carries out the direct control tasks and the Mode Identification and Reconfiguration (MIR) system which performs model-based reasoning about the condition of the spacecraft, allowing it to reconfigure and control itself despite numerous faults. It is this last component that makes the Remote Agent somewhat unique in robotic control systems. The MIR system allows the RA to reason about the status of various systems and reconfigure its reactive mechanisms to continue working despite system failures.

The Mission Manager

The Mission Manager is responsible for creating short-term plans based on long-term mission goals. It does this with a Planner/Scheduler (PS) which is able to reason about time and resource constraints and generate a flexible time-constrained plan for execution by the Reactive Executive.  The Remote Agent is not launched with a detailed list of operations to occur at specific times, but is given a list of goals from which a sequence of commands must be generated by the Mission Manager. The Mission Manager determines the goals which have
to be achieved over a period of a week or two and passes them to its Planner/Scheduler. The plan produced by the Planner/Scheduler constrains the types of activities that must be performed at specified times but does not detail how those activities will be carried out. They  state such thingsas requirements for star measurements to establish the spacecraft location and a rough time at which they are to occur, when engines are to be turned on for desired orientations and directions, and what activities scientific instruments should engage in. The plans are not specific step-by-step action lists, but rather represent behavior envelopes for the Reactive Executive. The planner does this using fairly-standard AI reasoning and planning techniques which consider time constraints, goal priorities and resource limitations. Action planning and resource allocation are considered simultaneously in the generation of the plans so that considerations of the effects of actions on resources can be part of the planning process. A final part of each plan details the next time that planning should occur. This allows the Mission Manager/Planner
Scheduler to be shut down when it is not needed.

The Reactive Executive

It is the job of the Reactive Executive to take the plans produced by the Mission Manager and turn them into specific instrument control activities. It performs process synchronization, process
dependency management, hardware reconfiguration and runtime resource management and executes fault-recovery procedures. It is able to execute and manage multiple activities  simultaneously and invokes the Mission Manager’s planner and the Mode Identification facilities to help it perform these duties. The Reactive Executive generates the specific control signals that control the spacecraft hardware by taking into account its knowledge of the state of various instruments and devices (i.e. current status and known problems of hardware), the goals it has for them, and the rough times activities should occur. When failures occur in the execution of a process, the executive first invokes the MIR system to attempt recovery and then can invoke the planner to generate new plans. The Reactive Executive is based on a classical reactive execution system called RAPS. This event and goal-driven system helps ensure quick reaction
loops by limiting deductive reasoning in the execution of tasks. However, this limits the ability
of the executive to handle complicated problems.

To handle this, the Reactive Executive requests problem solutions from a reasoning system called Livingstone which monitors system status and informs the executive of deduced solutions. Working in conjunction with Livingstone, the executive is able to robustly react to unforeseen problems by choosing an alternative execution behavior. This ability to quickly reconfigure in the face of problems makes the executive extremely robust.

Livingstone, the Mode Identification and Reconfiguration System One of the most unique features of the Remote Agent is its ability to resolve system problems through a model-based reasoning system. Livingstone, also known as the Mode Identification and Reconfiguration (MIR) system, eavesdrops on command sent by the executive to the hardware, monitors sensor signals and deduces the current actual configuration of spacecraft systems; it then reports the actual status of the spacecraft to the executive. Livingstone maintains a complex model
of all hardware systems and their internal states and keeps track of state changes and commands. In a spacecraft, weight restrictions of do not allow sensing all system conditions and so some conditions can only be deduced indirectly from their effects on other sensors.
One of Livingstone’s job is to deduce the status of non-sensored conditions based on its system model and senses. It does this by maintaining state models of each piece of equipment and their interactions and deducing that certain sensory data implies a certain system state. If this state is different from expected states, it reports these anomalies to the executive. Another major job of Livingstone’s is to help the executive solve problems. If the executive is informed of a problem and doesn’t have an immediate solution to work around it, it will request a solution from Livingstone. Livingstone will reason about the various pieces of equipment, their status and interactions and try to deduce a new set of actions that would lead to a solution of a problem.
Livingstone does its job by an extensive concurrent state-machine model of all hardware. Each hardware device is modeled as a state  machine and all interactions between machines are observed and modeled. This model is able to identify the current actual mode, identify anomalous behaviors, and the models can be used to deduce solutions to identified
problems. For example, if a thrust engine valve appears stuck in the off position, Livingstone could recommend alternate valve configurations to produce the desired thrust; if a particular device does not work because it is appears stuck, Livingstone might suggest that the executive try again. This is a powerful capability which enables the Deep Space One spacecraft to identify and overcome temporary and permanent malfunctions in its equipment.

Summary

The Remote Agent  represents the state of the art in autonomous spacecraft systems which demonstrates principles and techniques which can be applied to earth-bound robotic systems.