Model Checking Autonomy Models for a Martian Propellant Production Plant

Expanded exploration of our Solar System will require more sophisticated autonomous assets to be developed and deployed. Model based Autonomous control system is a primary technology solution to this problem. A critical factor in the successful operations of these systems is to ensure that the models behave correctly. The Kennedy Space Center (KSC) has been pursing in conjunction with Ames Research Center the application of model-checking techniques for an Intelligent Systems Software for an In-Situ Resource Utilization (ISRU) plant for future manned Mars missions. Model checking is a formal technique which can exhaustively evaluate a finite state model for satisfiability of a logical property. The main goal of our current model checking effort is to develop tools and methodologies for efficient evaluation and certification of future Livingstone modeling applications which are declarative in form. As a result of this investigation a potential new re-usable specification pattern was derived which allows one to check a model for the existence of correct variable dependencies within the model. Introduction – The human exploration of Mars has the potential to re-ignite public interest in the space program. As NASA moves towards the completion of the International Space Station, work is underway to prepare mankind for the next step in the exploration and colonization of our solar system. The Kennedy Space Center (KSC) has been pursing in conjunction with Ames Research Center application of Intelligent Systems Software to an In-Situ Resource Utilization (ISRU) plant based on the Reverse Water Gas Shift reaction (RWGS). This plant, built in KSC's Applied Chemistry Laboratory, is capable of producing a large amount of Oxygen with a small quantity of seed Hydrogen. In a human Mars mission, this plant would be required to operate for 500 or more days without human intervention. KSC has considerable experience applying intelligent systems to launch processing operations. This experience is being used to apply Model-Based Reasoning technologies to the control of the ISRU plant. The heart of the RWGS intelligent system is a high-level system model of the test bed written in the Livingstone modeling language. These models are used by intelligent control agents for test-bed state identification and mode recovery operations. The decision to use model-based technology as part of the overall control software approach adds complexity to the task of not only code design and development but also in its verification and validation. Part of the RWGS V&V process being employed on these models is to use analytical methods and tools, in particular the use of temporal logic and model checking. The models are encoded as finite-state machines which makes them amenable to verification and validation using modelchecking tools. Desired properties which the software models should exhibit are represented by temporal formulas. The task of the model-checker is to see if the model satisfies the temporal formula. Currently, analytical verification and debugging of RWGS Livingstone models employs a model checking tool called SMV as the preferred tool of choice due to its ability to explore entire state spaces efficiently (which is one of the raison-d’être of the model checking approach in addition to its relative amount automation). This paper reviews the results of this analytical effort so far at KSC. This paper will approach the model checking task in a layered approach beginning first with a discussion of the Kennedy Space centers Spaceport Engineering concept. The next section will begin the describing the application by describing a manned Mars Mission model which includes an in-situ autonomous propellant production plant This will be followed by a description of KSC’s Reverse water Gas Shift prototype which serves as a technology testbed for the application of In-situ resource utilization and autonomous control. The next section will discuss the method of autonomous control using the Ames’ Model-Based Autonmous control System called Livingstone (a fuller treatment of this topic can be read in Larson & Goodrich [ 3 ], from which these particular sections are based on). The rest of the paper deals with the practical issues encountered using modelchecking techniques to evaluate the Livingstone RWGS models. KSC Spaceport Engineering Concept Historically the Kennedy Space Center has been one of the planet’s pre-eminent launch sites with over fifty years of experience launching both manned and unmanned space vehicles. Over this past half century it has been found that the majority of life cycle costs at a launch site are attributable to operations and support activities (e.g. launch vehicle and payload assembly, integration, test &Checkout, fueling etc.). Due to the complexity (and sometimes hazardous) operations of launching a mass into space a large complement of skilled technical personnel are required for a safe and successful launch. A key goal of the agency is to provide more efficient exploitation of space by reducing the costs of accessing space. Given the current labor intensive approach to launch site operations greater degrees of automation must be employed to increase operational efficiencies. To that end KSC is focusing on developing automated launch site technologies which not only help to reduce cost and enhance safety but also to develop technology that will be applicable across programs and environments (including extra-terrestial launch sites ). Dr. Zubrin, in his book The Case for Mars [ 1 ], calls for the use of indigenous resources to lower the mass that must be carried to Low Earth Orbit. This concept, called In-Situ Resource Utilization (ISRU), has been captured in NASA’s new design reference mission which envisions an initial deployment of a robotic fuel production facility and depot two years prior to a manned landing. Figure 1 shows a graphic summary of this mission concept. There are considerable advantages to using indigenous resources. One of the most significant drivers for the size of a Mars exploration launch vehicle is the amount of mass you need to carry to Mars and back. Calculations show that for every The Reverse Water Gas Shift (RWGS) is one potential solution for the production of propellants on Mars. The reaction works as follows: Martian atmospheric carbon dioxide is combined with hydrogen (brought from earth) in the following reaction. CO2 + H2 = CO + H2O DH = +9 kcal/mole The water vapor produced, condensed and collected in various water trap tanks and is electrolyzed, the oxygen is stored and the hydrogen is recovered and re-circulated into the input stream. Since all the hydrogen is reused, the import requirements from earth are small. A schematic of the prototype is shown in figure 2 . Manned Mars mission profiles call for ISRU systems to operate unattended on the Mars surface for two years or more without human intervention. During such a long period it is certain that some subsystem and measurement failures will occur. Satellites in earth orbit are designed for such lifetimes; but the Mars mission will not enjoy the luxury of round-the-clock human operators who are in constant contact with the vehicle . The task of the autonomous system is to be truly fault-tolerant by taking corrective action without ground intervention. This requires the ability to continuously adapt to degraded sensor environments as well as automated planning for resource and redundancy management. Opportunity 1 (2011): 3 flights