
AeroSense, April 2002 1

System Health Tracking and Safe Testing

André Bos, Arjan van Gemund

Jonne Zutt

Delft University of Technology


Contents

The role of diagnosis in autonomous systems
Health tracking
Diagnosis as health tracking
Modeling
Safe testing
Future work


The role of diagnosis in autonomous systems

Accomplish mission goals without human intervention, even in a harsh environment.
Harsh environment: system failures.
Without human intervention: identify, isolate, and cope with system failures automatically.

Graceful degradation


Accomplishing mission goals

Diagram: mission goals; a plan as a sequence of actions (Action, Action, …, Action) taking the system from State(t0) to State(tj); resources (fuel, system components, …); health state.


Architecture

Diagram elements: S/C; FDI (exchanging TC and TM with the S/C); health mode; planning/recovery and safety validation; mission goals; safe plan.


Diagnostic system requirements

Dynamic and hybrid systems.
Accumulating faults.
Test vector generation to further isolate faulty components.
Easy to model.
Single model (if possible) to support diagnostic reasoning, test vector generation, planning, and simulation.


Health tracking

Dynamic and hybrid systems. Variables:
U - Inputs: close shutter, switch on lamp, …
X - State: shutter position, lamp current
Y - Observables

State transition and observation model (diagram labels: dx/dt, H):

$X(t+1) = F(X(t), U(t))$

$Y(t) = H(X(t))$


Health tracking (cont.)

Extend the behavioural description: X to include fault states; F, H to accommodate fault-state behaviour.

Note: non-deterministic system.

Nominal model:

$X(t+1) = F(X(t), U(t))$

$Y(t) = H(X(t))$

Extended model:

$X'(t+1) = F'(X'(t), U(t) \mid H, P)$

$Y(t) = H'(X'(t))$


Example system S/R latch

Figure: two traces of Set and Out against time (Reset also shown); annotation on the second trace: "Error can be detected only here".


UpTime model-based approach (1)

UpTime: a design system to construct model-based diagnosis systems. Based on our experience of constructing a model-based diagnosis system for the GOME instrument (ERS-2 satellite).


UpTime model-based approach (2)

Component-based.
Coarse formalism: finite-domain constraints.
Finite state machine to capture dynamics.
Simplified behavioural description (qualitative variables dU, dI), e.g.: if I goes up, pressure difference goes up.
Each component: dx/dt, h.


UpTime: Component description

Behavioural description: finite state machine with inter- and intra-state equations.
Both nominal and fault state changes.

Switch states: cl, st-cl, op, st-op.

    in = cl, st = op    : next st := cl
    in = cl, st = st-op : next st := st-op
    …
    state = op          : dI = 0
    state = cl          : dI dU
    state = stuck-open  : dI = 0
    …


UpTime: algorithm (3)

Likelihood of a trajectory determined using:
A priori likelihood of a state transition per component.
The number of output variables explained.

(Diagram: state against time.)


Example system S/R latch

Figure: traces of Set, Reset and Out against time, with the tracked hypotheses and their likelihoods:

Likelihood 0.195563: All components okay
Likelihood 0.083813: #S1_AB
Likelihood 0.083813: #S1_AB
Likelihood 0.000838: #S2_AB


Safe-testing

Test vectors: as the system is only partially observable, use test vectors to discriminate between possible (health) states.
Be careful: test vectors may induce errors.

Figure: a load with a possible shortage fault.


Hazard conditions (1)

Hazard conditions describe conditions that should not happen.
Same language and model as used for the diagnostic system.
Conditions on the state of the S/C.


Hazard conditions (2)

Battery: not directly connected to ground. Need extra variables to describe "connectedness" behaviour.
Not always possible to give hazard conditions per component.

Figure: a load with a possible shortage fault.


Test action

A test action must:
Discriminate between possible trajectories.
Not violate any hazard condition.


Checking a test action

Diagram: a trajectory … S(i-1), S(i), S(i+1), …, S(i+k), branching at S(i) into the trajectory with and the trajectory without the test action; annotation: "Effect of test action".


Future work

Model-based approach:
Domain dependent: model of the S/C.
Domain independent: reasoning methods for diagnosis and testing.

Diagram: target system; system model; safety conditions, mission goals, …; S/W generator producing the diagnostic reasoner, simulator and planning system.


Example

(Diagram: state against time, traces of Set and Reset, and the two candidate trajectories "S2 ok" and "S2 stuck open".)

Set switch closed: both S2 ok and S2 stuck open predict output high.
Set switch released: S2 ok predicts output remains high; S2 stuck open predicts output low.
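The health-tracking and safe-testing ideas above (fault states in the model, keeping the trajectories consistent with the observations, then choosing a discriminating test action that violates no hazard condition), as an added example that is not the deck's UpTime code: a toy S/R latch with two switches, where S1 is the Set switch and S2 the hold-path switch that Reset opens, with assumed fault modes, assumed prior likelihoods and an assumed hazard condition (Set and Reset asserted together).

```python
from itertools import product

# Added example (not the deck's UpTime model): a toy S/R latch built from two
# switches. S1 is the Set switch; S2 is the hold-path switch that Reset opens.
# Assumed behaviour: out(t+1) = S1 closed OR (S2 closed AND out(t)).
MODES = ("ok", "stuck-open", "stuck-closed")
PRIOR = {"ok": 0.98, "stuck-open": 0.01, "stuck-closed": 0.01}  # assumed a priori likelihoods

def switch_closed(mode, commanded_closed):
    """Fault-state behaviour of one switch: a stuck switch ignores its command."""
    return {"stuck-open": False, "stuck-closed": True}.get(mode, commanded_closed)

def step(health, out, inputs):
    """One step of the extended model X'(t+1) = F'(X'(t), U(t)).
    health = (mode of S1, mode of S2); inputs = (set_pressed, reset_pressed)."""
    s1 = switch_closed(health[0], inputs[0])
    s2 = switch_closed(health[1], not inputs[1])   # Reset pressed opens the hold path
    return s1 or (s2 and out)

def hazard(inputs):
    """Assumed hazard condition: Set and Reset asserted together."""
    return inputs[0] and inputs[1]

def track(observations, out0=False):
    """Health tracking: keep every fault assignment whose predicted outputs match
    all observations; weight survivors by their a priori likelihood, normalised.
    observations = list of (inputs, observed_out)."""
    hyps = {}
    for health in product(MODES, repeat=2):
        out, consistent = out0, True
        for inputs, observed in observations:
            out = step(health, out, inputs)
            if out != observed:
                consistent = False
                break
        if consistent:
            hyps[health] = PRIOR[health[0]] * PRIOR[health[1]]
    total = sum(hyps.values())
    return {h: w / total for h, w in hyps.items()}

def safe_test(hyps, out):
    """Test vector generation: first non-hazardous input on which the surviving
    hypotheses disagree about the next output (None if no such input exists)."""
    for inputs in product((False, True), repeat=2):
        if hazard(inputs):
            continue
        predicted = {h: step(h, out, inputs) for h in hyps}
        if len(set(predicted.values())) > 1:
            return inputs, predicted
    return None
```

After observing Set pressed with the output high, track() keeps six hypotheses (S2 ok and S2 stuck-open among them), and safe_test() proposes releasing Set, on which those two hypotheses predict different outputs, exactly the discrimination the last slide describes.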