Results 1 - 9 of 9
How UGVs Physically Fail in the Field
2004
Cited by 15 (1 self)
This paper presents a detailed look at how unmanned ground vehicles (UGVs) fail in the field using information from ten studies and 15 different models in Urban Search and Rescue or military field applications. One explores failures encountered in a limited amount of time in a real crisis (World Trade Center rescue response). Another covers regular use of thirteen robots over two years. The remaining eight studies are field tests of robots performed by the Test and Evaluation Coordination Office at Fort Leonard Wood. A novel taxonomy of UGV failures is presented which categorizes failures based on the cause (physical or human), its impact, and its repairability. Important statistics are derived and illustrative examples of physical failures are examined using this taxonomy. Reliability in field environments is low, between 6 and 20 hours mean time between failures. For example, during the M1 PANTHER II study [6], 35 failures occurred in 32 days. The primary cause varies: one study showed 50% of failures caused by effectors; in another, 54% of failures occurred in the control system. Common causes are: unstable control systems, platforms designed for a narrow range of conditions, limited wireless communication range, and insufficient bandwidth for video-based feedback.
Real-Time Execution Control for Autonomous Systems
In Proceedings of the 2nd European Congress ERTS, Embedded Real Time Software, 2004
Cited by 6 (1 self)
There is an increasing need for advanced autonomy in complex embedded real-time systems such as robots, satellites, or UAVs. Still, the growing complexity of the decision capabilities of these systems raises a major problem: how to prove that the system is not going to end in a dangerous state (for itself or for humans)? How to guarantee that the robot will not grab a sample on the ground with its arm, while moving (which could supposedly break the arm)? How to make sure that the satellite RCS jets are not fired when the camera lens protection is off? How do we make sure that a service robot for elderly people is not moving faster than 20 cm.s⁻¹? This paper presents some recent developments of the LAAS architecture for autonomous systems. In particular, we specify the role of the Execution Control level of this architecture. This level has a fault protection role with respect to the commands issued by the decisional level, which are transmitted to the system (through the functional level). It acts as a real-time “safety bag”, to make sure that the commands issued are consistent with the current state of the system and with a formal model of the acceptable states. To implement this component, we present a new approach and a new tool inspired by the model checking domain. We introduce a new language (EXoGEN) to specify the model of acceptable and required states of the system (valid contexts for requests to functional modules and resources usage). This language is compiled offline in an OBDD (Ordered Binary Decision Diagram) like structure which is then used online to check the specified constraints in real-time. This tool is seamlessly integrated in the LAAS architecture and relies on the other tools used to build autonomous systems (GenoM, OpenPRS, etc). We have deployed it on a number of robotics platforms (ATRV and XR4000 robots). We show that such an approach allows us to improve the runtime dependability of the system at a minimal acceptable cost (compared to the possible loss of the complete system), but could also be extended to check more complex temporal properties of the system off line.
Incremental Component-Based Construction and Verification of a Robotic System
Cited by 5 (4 self)
Autonomous robots are complex systems that require the interaction/cooperation of numerous heterogeneous software components. Nowadays, robots are critical systems and must meet safety properties including in particular temporal and real-time constraints. We present a methodology for modeling and analyzing a robotic system using the BIP component framework integrated with an existing framework and architecture, the LAAS based on GenoM. The BIP componentization approach has been successfully used in other domains. In this study, we show how it can be seamlessly integrated in the preexisting methodology. We present the componentization of the functional level of a robot, the synthesis of an execution controller as well as validation techniques for checking essential “safety” properties.
An Execution Control System for Autonomous Robots
2002
Cited by 4 (2 self)
This paper presents some recent developments of the LAAS architecture for autonomous mobile robots. In particular, we specify the role of the Execution Control level of this architecture. This level has a fault protection role with respect to the commands issued by the decisional level, which are transmitted to the real system (through the functional level). We introduce a new approach and a new tool inspired from the model checking domain. We present a new language to specify the model of acceptable and required states of the system (valid contexts for requests to functional module and resources usage). This language is compiled in an OBDD (Ordered Binary Decision Diagram) like structure which is then used online to check the specified constraints in real-time. Such a model checking approach could be extended to check off line more complex temporal properties of the system.
Online Execution Control Checking for Autonomous Systems
2002
Cited by 4 (1 self)
This paper presents some recent developments of the LAAS architecture for autonomous systems. In particular, we clarify and specify the role of the Execution Control level of our architecture. This level has a fault protection role with respect to the commands issued by the decisional level, which are transmitted to the real system (through the functional level). To implement this Execution Control level, we propose an approach and a tool inspired from the model checking domain. We present a new language, used to specify the model of acceptable and required states of the system (valid contexts for requests to functional module and resources usage). The model written in this language is then compiled in an OBDD (Ordered Binary Decision Diagram) like structure which is used online to check in real-time the constraints and the rules specified. Such a model checking approach, used in a synchronous context, provides critical dependable properties. Moreover, these approaches can be further used to check off line more complex temporal properties of the system.
Autonomy Software Verification and Validation Might Not be as Hard as it Seems
Cited by 1 (0 self)
The verification and validation of autonomy software is widely believed to be a challenging unsolved problem. To a certain extent this is true, but in this paper I argue that the problem is not nearly as severe as seems to be widely perceived. Many of the perceived hard problems in autonomy software V&V also exist for traditional software, and can be solved using many of the same methods and techniques used for traditional spacecraft software. In particular, the problem of intractably large state spaces exists for any non-trivial software system. This problem can be addressed for autonomy software in the same way that it has been addressed for traditional software: by decomposing the large state space into a tractable number of equivalence classes that exhibit qualitatively identical behavior, each one containing a large number of states.
Appears in Working Notes of the 2nd Workshop on Real-Time Tools
Model-checking verification systems can return counterexample traces when desired properties are shown to be violated. Unfortunately, it can be very difficult to determine how to repair a system design from a counterexample trace. In this paper, we describe an automatic technique for extracting repair candidates from counterexample traces, in the context of an on-the-fly algorithm for timed automaton controller synthesis (reactive planning). By mapping a counterexample trace back into a set of search stack entries (forming a nogood), we identify decisions that may be causing the verification failure. These nogoods allow us to use backjumping search in the controller synthesis. Backjumping search is guaranteed to visit fewer nodes than conventional chronological backtracking search, and in many problems visits far less. We present data to show that, in large controller synthesis problems, backjumping may provide substantial speedup by removing large portions of the search space, without sacrificing completeness.
Prepared By:
2002
This Report includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate this Report. This restriction does not limit the right of the Government to use information contained in this Report if it is proprietary data contained herein, if obtained from another source without restriction. The data subject to this restriction are contained in all sheets of this Report. The proprietary data contained herein, if disclosed to the public, would affect ISR’s competitive position in obtaining business; therefore, it is considered to be exempt from public release under the Freedom of Information Act (5 USC §552, as amended), paragraph (b)(4). IVVNN-LITREV-F002-UNCLASS-111202
Dependability Issues in a Robot Control Architecture
2002
This paper presents the LAAS architecture for autonomous mobile robots and some recent developments to improve the dependability of the system. In particular, this paper focuses on the role of the Execution Control level of this architecture. This level has a fault protection (safety bag) role with respect to the commands issued to the functional level which is connected to the physical devices. These commands come either from the decisional level, or from the functional level itself. We introduce a new approach and a new tool inspired from the model checking domain. We present a new language to specify the model of acceptable and required states of the system (valid contexts for requests to functional module and resources usage). This language is compiled in an OBDD (Ordered Binary Decision Diagram) like structure which is then used online to check the specified constraints in realtime. Such a model checking approach could be extended to check off line more complex temporal properties of the system.

