Robust Hybrid and Embedded Systems Design. Jerry Ding, Gabe Hoffmann, Haomiao Huang, Vijay Pradeep, Jonathan Sprinkle, Steven Waslander, Edward Lee, Shankar Sastry, Claire Tomlin. MURI Review Meeting
Robust Hybrid and Embedded Systems Design
Jerry Ding, Gabe Hoffmann, Haomiao Huang, Vijay Pradeep, Jonathan Sprinkle, Steven Waslander, Edward Lee, Shankar Sastry, Claire Tomlin
MURI Review Meeting: Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems
Berkeley, CA, September 6, 2007
Outline
Our MURI: “Top down meets bottom up”
Layers (diagram): Requirements specification; Function modeling and simulation; SW/HW architecture modeling and simulation; Systems design; Code generation and verification; Allocation and scheduling analysis
• Verification methods and tools at each layer
• Automatic generation of verified code
• Automatic generation of test suites for each layer
• Tools and testbeds for low level software analysis
In this talk:
• Reachable sets for verifying hybrid control protocols
• Quadrotor testbed: control and software architecture
Reachable sets for verifying control protocols: aerial refueling example
Figure labels: human pilot; human operated boom; Target Set for Refueling; positions 1 to 7; Boeing
• δ = Long. Tolerance for Catching Boom
• ΔW = Lat. Tolerance for Catching Boom
Formation Transition Language
State diagram labels:
• States: Stationary 1, Stationary 2, Stationary 3, Stationary 4 (Fueling), Stationary 5, Stationary 6, Stationary 7
• Fallback states: Fallback 1, Fallback 2, Fallback 3, Fallback 4, Fallback 5
• Transitions: Move Right, Move Back, Move Forward, Move Left, Break Away, Rejoin, Precapture, Capture, Postcapture or Fuel, Wave Off
• Guards: {x∈G12}, {x∈G23}, {x∈G34}, {x∈G45}, {x∈G56}, {x∈G67}
• FB = Fall back command
• Gij = Target Set of Maneuver from Stationary i to Stationary j
Reachable sets for Formation Transition
• Generate state-based reachable sets which can be used to verify that taking a certain action is or is not safe
• Flare vs. TOGA maneuver: Vehicles/personnel are prevented from transitioning in unsafe situations
• Intersection calculations are extremely fast (milliseconds)
Reachable Sets for Individual Transitions
• Targets are small sets of states around the waypoints
Figure: Reachable Set for Precapture, Time Horizon: 10s
http://www.cs.ubc.ca/~mitchell/ToolboxLS/index.html
Simulation of Capture Sets
• Complete refuel sequence with capture sets for all maneuvers
• User input specifies transitions between waypoints
• Capture sets can be used to minimize allotted time for each maneuver
• In event of waveoff, UAV attempts to go back to previous waypoint
• Capture set gives information about whether UAV can return to previous waypoint within a given time horizon
Unsafe Sets for Individual Transitions
• During any formation transition, need to prevent UAV from entering into collision with tanker
• Unsafe set is set of states that can reach an unsafe zone within a given time horizon
  • Unsafe zone is set of locations within a certain radius of the tanker
  • Provides information on which maneuver should be executed to prevent collision
Figure: Unsafe Set for Capture, Time Horizon: 5s
Simulation of Multiple Reachable Sets
• UAV starts in unsafe zone for capture
• Want to reach capture zone without any collisions
Figure legend: Red: Unsafe Move Forward; Yellow: Unsafe Capture; Magenta: Unsafe Left Turn; Green: Capture Reachable Set
Figure labels: Capture Zone; Desired Trajectory
Simulation of Multiple Reachable Sets
• Visualization of unsafe sets together with capture sets allows for construction of a sequence of safe maneuvers to enter capture zone
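An added illustration, not part of the original slides, of how unsafe-set membership can pick the next maneuver. It replaces the Hamilton-Jacobi computation used in the talk with a straight-line model: each maneuver is assumed to have a constant relative velocity, the tanker sits at the origin, the unsafe zone is a disk, and all names and numbers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* UAV position relative to the tanker (tanker at the origin), metres. */
typedef struct { double x, y; } vec2;

/* Assumption: a maneuver is a constant relative velocity in m/s. */
typedef struct { const char *name; vec2 v; } maneuver;

/* Constructed maneuver set; +y points along the tanker's heading. */
static const maneuver MANEUVERS[] = {
    { "move forward", {  0.0,  4.0 } },
    { "move left",    { -4.0,  0.0 } },
    { "move back",    {  0.0, -4.0 } },
};
#define N_MANEUVERS (sizeof MANEUVERS / sizeof MANEUVERS[0])

/* True if p lies in the unsafe set of maneuver m: the straight-line path
 * p + v*t enters the disk of radius r around the tanker for some t in [0, T]. */
bool in_unsafe_set(vec2 p, const maneuver *m, double r, double T) {
    double vv = m->v.x * m->v.x + m->v.y * m->v.y;
    double t = 0.0;                      /* time of closest approach */
    if (vv > 0.0) {
        t = -(p.x * m->v.x + p.y * m->v.y) / vv;
        if (t < 0.0) t = 0.0;            /* already moving away */
        if (t > T)   t = T;              /* closest point lies beyond the horizon */
    }
    double cx = p.x + t * m->v.x, cy = p.y + t * m->v.y;
    return cx * cx + cy * cy <= r * r;   /* squared distances: no sqrt needed */
}

/* Index of the first maneuver whose unsafe set excludes p, or -1 if none
 * qualifies (the caller should then command a fallback). */
int pick_safe_maneuver(vec2 p, double r, double T) {
    for (size_t i = 0; i < N_MANEUVERS; i++)
        if (!in_unsafe_set(p, &MANEUVERS[i], r, T))
            return (int)i;
    return -1;
}

int main(void) {
    vec2 p = { 0.0, -30.0 };             /* 30 m behind the tanker */
    int i = pick_safe_maneuver(p, 15.0, 5.0);
    printf("%s\n", i < 0 ? "fallback" : MANEUVERS[i].name);
    return 0;
}
```

Shortening the horizon from 5 s to 2 s shrinks the unsafe set of "move forward" enough that the same start state becomes safe for it.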
Synthesizing MATLAB scripts
• After attaching semantics to the Formation Transition Language, we will be able to synthesize the MATLAB scripts, based on generalizations of the prototypes which we’ve built by hand.
• Then, “fallback” states can change, based on the model built, not the static code.
Another example: Analysis of Traffic Alert and Collision Avoidance System (TCAS) NASA
Quadrotor testbed: control and software architecture
• Stanford Testbed of Autonomous Rotorcraft for Multi-Agent Control (STARMAC)
• Autonomous UAVs
• Onboard computation & sensors
• State and environment estimation
• Attitude, altitude, position and trajectory control
• 4 flightworthy vehicles
• More are being made
• Testbed goals
  • Quadrotor UAV design
  • Cooperative multi-agent control
  • Mobile sensor networks
STARMAC Electronics System
Block diagram labels, in source order:
• LIDAR: URG-04LX, 10 Hz ranges; RS232 115 kbps
• PC/104: Pentium M, 1 GB RAM, 1.8 GHz; Est. & control; WiFi 802.11g+ ≤ 54 Mbps; USB 2 480 Mbps
• Stereo Cam: Videre STOC, 30 fps 320x240; Firewire 480 Mbps
• RS232
• GPS: Superstar II, 10 Hz; UART 19.2 kbps
• Stargate 1.0: Intel PXA255, 64 MB RAM, 400 MHz; Supervisor, GPS; WiFi 802.11b ≤ 5 Mbps; CF 100 Mbps; UART 115 kbps; UART
• IMU: 3DMG-X1, 76 or 100 Hz; UART 115 kbps
• Robostix: Atmega128; Low level control
• Ranger: SRF08, 13 Hz, Altitude; I2C 400 kbps
• PPM 100 Hz; Analog
• Ranger: Mini-AE, 10-50 Hz, Altitude
• Beacon: Tracker/DTS, 1 Hz
• ESC & Motors: Phoenix-25, Axi 2208/26; Timing/Analog
STARMAC Network
• Wifi: Netgear Rangemax, 802.11g+, ≤ 54 Mbps
• Ethernet: 100 Mbps
• Control Laptop Computer: Pentium Core Duo, 1 GB RAM, 2.16 GHz; running Labview and ssh sessions
• Ground GPS: Superstar II; RS232 19.2 kbps
STARMAC Quadrotor Helicopter
• Low Level Control Processor: Robostix
• Carbon Fiber Tubing
• Fiberglass Honeycomb
• High Level Control Processor: Stargate SBC or PC/104
• Plastic Tube Straps
• GPS: Superstar II
• Brushless DC Motors: Axi 2208/26
• Sonic Ranger: SRF08
• Inertial Measurement Unit (IMU): 3DMG-X1
• Electronic Speed Controller: Phoenix 25
• Battery: Lithium Polymer
• LIDAR: Hokuyo URG-04LX
• Stereo Vision: Videre Systems Small Vision System
Quadrotor Helicopter Actuation
• Two pairs of counter rotating blades provide torque balance
• Angular accelerations and vertical acceleration are controlled by varying the propeller speeds.
Figure panels: Yaw Torque; Roll/Pitch Torque; Total Thrust
STARMAC Code Architecture
Interfaces: signal, serial, UDP, Fcn call
Diagram labels, in source order: Sensor Processing, Estimator, COMM CLASS, Controller, Planner, LIDAR, Enviro, GPS, GPS comm, LIDAR, Lidar comm, Real Time Controller, GPS Calc, State Estimator, ROBO, Robo comm, GND comm, GND GUI & Storage any GUI (10 Hz) all Flyers Flyer comm Logging all
Other Testbed Applications Decentralized Collision Avoidance Information Seeking Target Localization
Decision Authority Language
• The decision authority language can be specified as a series of handshakes between the UAV and the human operators
Simulation of Latencies and Waveoff
• MATLAB simulation environment
• Plots trajectories of tanker and UAV
• Updated in real-time at 1 second intervals
• Allows fault injection by user
• UAV executes fallback immediately upon fault
1. Regular run, without faults (Green: Tanker; Red: UAV)
Simulation of Latencies and Waveoff
• Separate waveoff for tanker and ground operators
• Latencies simulated as delay between waveoff and UAV confirm
• Fallback executed only when UAV confirms
• Latencies currently hard coded
2. Tanker waveoff during “precapture” (Green: Tanker; Red: UAV)
Simple Illustration of Reachable Sets
It has been shown (Mitchell, et al. 2005) that the reachable set is the solution to the Hamilton-Jacobi PDE:
• The level set function Φ(x,t) defines implicitly the boundary of the reachable set at time t
• In general, the solution is difficult to obtain analytically
• A numerical toolbox for MATLAB is available to approximate the solution (Mitchell 2002-2007)
• http://www.cs.ubc.ca/~mitchell/ToolboxLS/index.html
Simulation of Capture Sets
• In event of waveoff, UAV attempts to go back to previous waypoint
• Capture sets give information about whether UAV can return to previous waypoint within a given time horizon
Dynamics
• Not analogous to a pendulum
• Equations of motion largely decoupled*
* ignoring blade flapping effects
Low Level Control
• Event Driven
• Real-time execution based on
  • Known transmission / receipt rates
  • Measurement of code chunk execution times
Algorithm
  Initialize hardware
  Loop
    Wait for termination of IMU data collection
    Retrieve A/D measurements
    Retrieve ultrasonic measurement, reinitiate
    Compute control inputs for each motor
    Set motor control inputs in PWM hardware
    Initialize transmission of status
  End
Low Level Control “Threads”
• Main (76 Hz)
  • Interface for all threads
  • Computes control inputs
  • Controls hardware
  • PWM Control
  • I2C Communication (initiate ultrasonic measurements, retrieve results)
  • A/D Conversion
  • Digital I/O
• Stargate Receive (10 Hz)
  • Parses control packets
• IMU Receive (76 Hz)
  • Parses IMU data
  • Computes checksum (using ring buffers)
• Stargate Send (76 Hz)
  • Buffered transmission of low level control status
• IMU Send (irregular)
  • Buffered transmission of data requests (only needed to initiate continuous data)
Timeline
• Timing is based on IMU measurements
• Main requires additional timing considerations for
  • A/D
  • I2C
• Control bytes from SG RX are used as they arrive (this is an asynchronous event)
Timeline rows (figure): Main; SG RX; IMU RX; SG TX; IMU TX
Inputs to Atmega128
• IMU (3DMGX1)
  • Packet 0x31
  • UART serial communication
  • Continuous at 76 Hz (or 100 Hz), after initialized
  • Header byte, 11 data fields with 16 bit entries, 16 bit checksum
• Ranger (SRF08)
  • I2C serial communication
  • Polled at 13 Hz
  • Range return values, no checksum
• Stargate or PC104
  • UART serial communication
  • Continuous at 10 Hz
  • TSIP (Trimble standard interface protocol) command packets
    • ID byte
    • 4 command bytes
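A host-testable sketch of the IMU Receive path from the slides: received bytes go into a ring buffer, and a 0x31 packet is handed to the controller only after its checksum verifies. This is an added example, not STARMAC code; the frame length follows the field list above, while big-endian words, the checksum rule (header byte plus the 11 data words, modulo 2^16) and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMU_HDR   0x31u                      /* packet id from the slide */
#define IMU_WORDS 11u                        /* 16-bit data fields */
#define IMU_LEN   (1u + 2u * IMU_WORDS + 2u) /* header + data + checksum */
#define RING_SZ   64u

typedef struct { uint8_t buf[RING_SZ]; size_t head, tail; } ring_t;

/* Producer side (e.g. the UART receive handler): refuse the byte when full. */
int ring_put(ring_t *r, uint8_t b) {
    size_t next = (r->head + 1u) % RING_SZ;
    if (next == r->tail) return 0;
    r->buf[r->head] = b;
    r->head = next;
    return 1;
}

static size_t ring_count(const ring_t *r) { return (r->head + RING_SZ - r->tail) % RING_SZ; }
static uint16_t ring_be16(const ring_t *r, size_t i) {   /* assumed big-endian word */
    size_t a = (r->tail + i) % RING_SZ, b = (r->tail + i + 1u) % RING_SZ;
    return (uint16_t)((r->buf[a] << 8) | r->buf[b]);
}

/* Consumer side (main loop): returns 1 and fills out[] with one verified packet,
 * 0 when more bytes are needed. out[] is written only after the checksum matches;
 * a rejected frame costs one byte, so the scan resynchronises on the next header. */
int imu_poll(ring_t *r, int16_t out[IMU_WORDS], unsigned *rejected) {
    while (ring_count(r) >= IMU_LEN) {
        if (r->buf[r->tail] == IMU_HDR) {
            uint16_t w[IMU_WORDS], sum = IMU_HDR;   /* assumed rule: header + words */
            for (size_t i = 0; i < IMU_WORDS; i++) {
                w[i] = ring_be16(r, 1u + 2u * i);
                sum = (uint16_t)(sum + w[i]);
            }
            if (sum == ring_be16(r, IMU_LEN - 2u)) {
                memcpy(out, w, sizeof w);
                r->tail = (r->tail + IMU_LEN) % RING_SZ;
                return 1;
            }
            (*rejected)++;
        }
        r->tail = (r->tail + 1u) % RING_SZ;
    }
    return 0;
}
```

The rejected counter gives the control loop a cheap link-health signal: a rising count means the attitude data is stale even though bytes are still arriving.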
Atmega128 Outputs
• IMU (3DMGX1)
  • UART serial communication
  • Initialize continuous data with 1 command
• Ranger (SRF08)
  • I2C serial communication
  • Poll at 13 Hz
  • Command to initiate measurement
• Stargate or PC104
  • UART serial communication
  • Send at 76 Hz (timed by IMU)
  • TSIP (Trimble standard interface protocol) status packets
    • ID byte
    • ~30 data bytes
Functionality to Develop
• Heart beat / Watchdog functionality
• Real time guarantees
• Interrupt driven I2C, A/D
• Ultrasonic timing measurement