Slide 1 Autonomous Landing and Hazard Avoidance Technology
Human-Interactive Autonomous Flight Manager for Precision Lunar Landing
Lauren J. Kessler
Laura Major Forest
Slide 2 Autonomous Landing and Hazard Avoidance Technology
Agenda
• ALHAT Overview
• Background
– Definitions
– Landing architecture for Apollo
– Autonomy Roadmap
• Initial Architecture & Design
– Functions
– Architecture
• Autonomy
• Human Insertion
• Conclusions
Slide 3 Autonomous Landing and Hazard Avoidance Technology
ALHAT Project Overview
• Autonomous precision Landing and Hazard detection and Avoidance Technology (ALHAT)
• Lunar descent and landing GNC technology development project
• The Project includes:
– Definition, design, development, test, verification, validation and qualification of an integrated GNC lunar descent and landing system to TRL 6 capable of supporting lunar crewed, cargo, and robotic missions
[Figure: descent and landing mission profile. Labels: Lunar Orbit Phase; Pre-Burn Planning; Orbit/Deorbit; Transfer Orbit Phase; Deorbit Burn; Coast Arc; Ha = ~100 km, Hp = ~18.5 km; Powered Descent Phase (starts at ~18.5 km altitude); Landing.]
Powered Descent Phase
• Braking burn – reduce velocity from orbital speeds
• Pitch over – pitch over and throttle down
• Terminal descent – descend vertically to landing site
Slide 4 Autonomous Landing and Hazard Avoidance Technology
ALHAT System Level 0 Requirements
1. Landing Location
The ALHAT System shall enable landing of the vehicle at any surface location certified as feasible for landing.
2. Lighting Condition
The ALHAT System shall enable landing of the vehicle in any lighting condition.
3. Landing Precision
The ALHAT System shall enable landing of the vehicle at a designated landing point with a 1 sigma error of less than 30 meters.
4. Hazard Detection and Avoidance
The ALHAT System shall detect hazards, 30 cm and larger objects and slopes 5 degrees and greater, and provide surface target re-designation.
5. Vehicle Versatility
The ALHAT System shall enable landing of crewed (humans on board), cargo (human scale without humans onboard) and robotic (smaller exploration vehicles without humans onboard) vehicles.
6. Autonomy
The ALHAT System shall have the capability to operate autonomously (without command and control intervention from sources external to the vehicle).
7. Crewed Vehicle
The ALHAT System shall accept supervisory control from the onboard crew.
8. Interoperability
The ALHAT System shall be interoperable with other elements of the Constellation Architecture.
9. Standards
The ALHAT System will adhere to the applicable set of measurement units, data and data exchange protocols defined by the Constellation Program.
Slide 5 Autonomous Landing and Hazard Avoidance Technology
AFM Task Motivation
• [A]LHAT
– Put some definition, thought, and FY07 planning towards the “A” in ALHAT (A=autonomous)
• Desire is to formulate and document an understanding WRT
– Defining an overall role of the autonomous flight manager (AFM)
– Defining a top level design architecture appropriate to ALHAT needs
  • What is an appropriate split between the AFM and Guidance?
  • What is an appropriate split between the AFM and HDA?
  • What is the functional division between the AFM and the human?
– Suggesting a top level implementation architecture appropriate to ALHAT needs
Slide 6 Autonomous Landing and Hazard Avoidance Technology
Background
Slide 7 Autonomous Landing and Hazard Avoidance Technology
ESMD Requirements
• There is a desire for increasing levels of operational autonomy capabilities in order to prepare for exploration beyond the Moon
• However, there is also a requirement for manual intervention of automated functions critical to mission success and crew safety
NASA Autonomy definition: Independence from Mission Control (Earth)
Exploration Systems Mission Directorate; ESMD-RQ-0011 Preliminary (Rev. E) Exploration Crew Transportation System Requirements Document (Spiral 1); Effective Date: 24 Mar 2005. Page 31 of 45.
Slide 8 Autonomous Landing and Hazard Avoidance Technology
Level of Automation: Apollo
• The importance of choosing the correct level of automation was recognized in the development of the Apollo program.
• Balance between overloading the astronauts and providing enough information and tasking so they are prepared for decision making if necessary.
[Figure: two images captioned “Human control in a lunar lander” and “Highly automated lunar lander”]
Slide 9 Autonomous Landing and Hazard Avoidance Technology
Background: Sheridan’s Levels of Automation
[Figure: levels of automation scale from 1 (all human) to 10 (no human). Labeled points on the scale: “computer suggests one alternative” and “computer executes automatically, then informs the human”.]
• The roles of the computer and the human depend upon
– Frequency of operator interaction
– Complexity of operator interaction
• Autonomy Must be Capable of Interacting Flexibly with Humans
Parasuraman, Sheridan, Wickens. "A Model for Types and Levels of Human Interaction with Automation." IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans, Vol. 30, No. 3., 2000.
Slide 10 Autonomous Landing and Hazard Avoidance Technology
Functional Flow of Apollo Astronauts and System
[Figure: functional flow diagram. Labels: Crew input; GN&C; Vehicle.]
Draper, C.S., Whitaker, H.P., Young, L.R. “The Roles of Men and Instruments in Control and Guidance Systems for Spacecraft.” 15th International Astronautical Congress, Poland, 1964.
Slide 11 Autonomous Landing and Hazard Avoidance Technology
Apollo Function Allocation
Role of Computer System
• Traditional GN&C functions
– Navigation
  • Current vehicle location
– Guidance
  • Maneuver commands required to achieve guidance target condition
    – Command examples: rate of descent, attitude, etc.
– Control
  • Control actuation commands
    – Command examples: nozzle position, engine throttle, etc.
Role of Astronauts
• Sensor functions
– Terrain Relative Navigation (TRN)
  • Landmark tracking to confirm location (during PDI)
– Hazard Detection and Avoidance (HDA)
  • Determine if there are hazards in the landing zone via the reticle on the window
• Scheduling functions
– Astronauts gave the commands to change modes, start accepting radar data, etc.
• Monitoring and diagnosis
– Astronauts constantly checked fuel levels, attitude, velocity, etc.
• Manual control
– Semi-automated or fully manual
Nevins, J.L., “Man-Machine Design for the Apollo Navigation, Guidance, and Control System-Revisited.” NASA report, January 1970.
Klump, A.R., “A Manually retargeted automatic descent and landing system for LEM.” Report-539, March 1966.
Slide 12 Autonomous Landing and Hazard Avoidance Technology
Types of Astronaut Input
• Management by Interruption
– Guidance mode control
  • Via the DSKY
– Changes to Guidance target conditions (P64)
  • Designate a new landing aim point (via rotational hand controller)
– Inputs to Control (P66 – “semi-auto mode”)
  • Crew controlled the attitude to maneuver the vehicle by commanding the nozzles in the form of an angular acceleration command signal
  • Altitude or altitude rate were held constant by the computer, the crew could change these through the Rate of Descent switch
– Vehicle commands (P67 – “full manual mode”)
  • Crew controlled engine throttle manually
  • Attitude was controlled by the Digital Autopilot
  • This mode was rarely used because of the high workload required
Nevins, J.L., “Man-Machine Design for the Apollo Navigation, Guidance, and Control System-Revisited.” NASA report, January 1970.
Klump, A.R., “A Manually retargeted automatic descent and landing system for LEM.” Report-539, March 1966.
Slide 13 Autonomous Landing and Hazard Avoidance Technology
AFM Requirements
Slide 14 Autonomous Landing and Hazard Avoidance Technology
ALHAT Program
• GN&C System Functions
– Determine current navigation state
– Determine vehicle commands needed to reach next state target condition
• Hazard Detection and Avoidance Functions
– Detailed sensor input on landing site
– Algorithms determine the characteristics of the landing site
• Identified Autonomy Need
– Mission management tasks to:
  • Replace heavy ground involvement during Apollo
  • Reduce onboard crew workload and error probability
Slide 15 Autonomous Landing and Hazard Avoidance Technology
Need for Autonomous Flight Manager
• Apollo design resulted in high crew workload and room for human error:
– Landing footprint capability was primarily a mental calculation and rough estimate
– Astronauts had to rely on memory stores developed through extensive training for vital information
– No relative size indicators… astronauts reported significant difficulty sensing sink rates and lateral motion
– Limited redesignation options due to LM window constraints
• New Landing Requirements:
– Lower risk
– Challenging terrain (close to an asset or feature)
– Higher precision
– Tighter budget
  • Need for lower cost training
• Technology improvements enable automating many of the tasks required by Apollo astronauts to help in achieving the new requirements:
– Example technologies that have paved the way:
  • Flight management systems & autopilots
  • Autonomous vehicles (e.g., UUVs)
  • NASA technologies
Slide 16 Autonomous Landing and Hazard Avoidance Technology
Autonomy Requirements
• Autonomously provide adaptive behavior for unmanned operations…
– Handle the dynamic nature of the missions within the boundaries of the pre-mission planning
– Un-assisted by earth-based support
• …while allowing human-interaction in manned operations
– Without a separate, unique software solution
– In accordance with the Human Rating Requirements
  • Allow for manual intervention of safety critical functions
Slide 17 Autonomous Landing and Hazard Avoidance Technology
Proposed Level of Autonomy
[Figure: spectrum of five control-loop configurations running from Manual Control to Fully Automatic, each drawn from the blocks Human Operator, Display, Controller, Computer, Sensor, Actuator and Task. The Supervisory Control region in the middle is labeled “Minor loops closed by computer” and “Major loops closed by computer”.]
Fully Automatic
• Required for robotic missions
• Disallowed for crewed flights (HRR)
Supervisory Control
• Design target for crewed flights
Supervisory control: the human operator has the authority to inhibit and/or override any safety-critical automated function of the descent and landing system
Slide 18 Autonomous Landing and Hazard Avoidance Technology
Types of Autonomy
• Premise
– Autonomous systems are an aid to humans rather than a replacement
– Focuses on the attributes of planning, perception, adaptation, learning and diagnosis
• Types of Autonomy
– Scripted
  • Systems that are essentially autopilots
  • Perform preplanned scripts of actions based on anticipated events
– Supervised
  • Allows for an evolving mission sequence
– Intelligent
  • Allows for an evolving mission objective
  • Intended to execute abstract human directives
  • Accommodates (adapts) to unplanned events
Slide 19 Autonomous Landing and Hazard Avoidance Technology
ALHAT Autonomy Challenge: Proposed Level of Autonomy
• Implement at the supervisory level
– Dovetails with the goal of Human-supervisory control
  • ALHAT System exchanges data with the landing vehicle’s cockpit
  • Helps the ALHAT System to achieve the low level of risk required for a crewed vehicle
  • Onboard human supervisory awareness is directly supported by the ALHAT System design
– Does not try to tackle the higher complexity and abstraction of evolving mission objectives
– Allows for real-time human insertion (in the crewed and cargo missions) while being flexible enough to replace the human (in robotic missions), with pre-planned decision rules.
Types of Autonomy:
• Scripted: Perform preplanned scripts of actions based on anticipated events
• Supervised: Allows for an evolving mission sequence
• Intelligent: Allows for an evolving mission objective
Slide 20 Autonomous Landing and Hazard Avoidance Technology
ALHAT Function Allocation
Role of Computer System
• Traditional GN&C functions
• Sensor functions
– TRN & HDA
• Scheduling functions
– GN&C mode changes
– Sensor data acquisition
• Monitoring and diagnosing
– AFM will compare current state against predicted state along the trajectory (including human input, health & status)
– AFM will determine if state deviations require re-planning of landing sequence
• Re-planning
– AFM will adjust target conditions to create a new feasible plan (when triggered by diagnosis)
Role of Astronauts
• Approval of specific scheduling functions
– Example: Begin de-orbit
• Supervise the ALHAT closed loop tasks
– Monitor the following and diagnose any deviations from expectations:
  • Vehicle behavior, trajectory, surface landmarks, landing zone hazards, vehicle health and status
• Redirect AFM
– If there are unexpected deviations or changes to the mission goals, the crew can redirect the vehicle
  • Input new target conditions
  • Modify buffer on vehicle tolerances
  • Issue an abort
Slide 21 Autonomous Landing and Hazard Avoidance Technology
Functional Role of AFM
[Figure: block diagram of the AFM within ALHAT. Blocks: Crew; AFM; Guidance & Navigation System; Control System; Vehicle. Labeled flows: constraint changes, overrides, target conditions, etc.; target conditions; maneuver commands; optional guidance commands; optional manual control commands; optional actuation commands.]
Slide 22 Autonomous Landing and Hazard Avoidance Technology
AFM Architecture
Slide 23 Autonomous Landing and Hazard Avoidance Technology
Autonomy Software Architecture: Based on Sense-Act-Think Paradigm
[Figure: closed-loop autonomy architecture. Labels: SENSING; System to be Controlled; ACTUATION; Situation Assessment; Monitoring; Diagnosis; Plan Generation; Plan Selection; Plan Implementation; Plan Execution and Control; Coordination (Internal, External).]
Draper’s implementation: All-Domain Execution and Planning Technology (ADEPT)
• Monitor
– Validates best estimates of the sensed data
– Monitors operation of the system being controlled
• Diagnoser
– Analyzes “difference vector” identified by the monitor
– Determines root cause & impact on capabilities of system being controlled
• External Coordination Module
– Provides interface between system being controlled and other control elements – e.g. humans, other systems
• Planner
– Creates plan and modifies current plan when necessary (triggered by Diagnoser)
– Can generate multiple plans, especially in a decision support role for human interaction
• Execution
– Interprets the current plan
– Issues commands to
  • subordinate planning level
  • physical system to be controlled
Slide 24 Autonomous Landing and Hazard Avoidance Technology
Hierarchical Decomposition: Overview
Temporal Decomposition
– Simplify implementation of solution to real-time, closed-loop planning problems
– Higher levels create plans with greatest temporal scope, but low level of detail in planned activities
– Lower levels’ temporal scope decreases, but detail of planned activities increases
[Figure: planning hierarchy from Highest Level through Intermediate Levels to Lowest Level, each containing Situation Awareness and Planning & Execution. Planning horizon runs from longest (highest level) to shortest (lowest level); solution detail runs from lowest (highest level) to highest (lowest level).]
Functional Decomposition
– Each level of the planning hierarchy is decomposed into key functional components
– Inputs and outputs
– Connectivity/relationship
– Constraints (e.g. performance, operational)
Functional components at each level:
• Monitoring
– Check progress against plan
• Diagnosis
– Re-plan if needed
– Elevate issue to higher level (if required)
• Plan Generation & Selection
– Produce new mission plan
• Plan Execution
– Translate plan into executable command
Slide 25 Autonomous Landing and Hazard Avoidance Technology
Activity Hierarchy: Example
• A mix of time-based decomposition & functional decomposition
[Figure: activity hierarchy tree rooted at Mission. Node labels: Mission; Orbit, TransferOrbit, PoweredDescent, EndMission; Startup, Transit, PreBurnPlan; DeOrbitBurn, Coast, PreDescentPlan; BreakingBurn, PitchOver, TerminalDescent; Shutdown; Abort (appears three times).]
Slide 26 Autonomous Landing and Hazard Avoidance Technology
Trajectory Monitoring & Planning
• The execution of the precision landing sequence will be governed by the use of state “corridors”
– Union of a family of possible state trajectories with associated guidance target conditions
– State includes such things as velocity, attitude, fuel usage, position, etc.
– Developed far in advance of the mission
• If there are deviations outside the nominal corridor, then AFM re-planning is triggered
– Re-planning consists of selecting new target conditions relative to preplanned state corridor options
Slide 27 Autonomous Landing and Hazard Avoidance Technology
Nature of Pre-calculated Trajectory Corridors
• GN&C analysis and trade studies will be used to determine corridor approach and target conditions, including:
– How the trajectory corridors will be defined:
  • Pre-calculated, or predict-ahead, or combination
– The hard target conditions used to define the phase transitions:
  • e.g. altitude, velocity, attitude, fuel state…
• The AFM will not select from an infinite number of options; only the set of contingencies will be considered
– Defining the corridors up-front …
  • Reduces required on-board computing
  • Narrows the V&V of the re-planning options to data developed far in advance of the mission
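An added example (not part of the original slides) of the corridor check and re-planning described on the two slides above: the monitor compares the state against the active corridor, re-planning only selects among pre-planned contingencies, and anything else is elevated to the parent level. Modelling a corridor as box bounds at a single checkpoint, the variable names, the numbers and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Corridor:
    """A pre-planned state corridor, simplified to box bounds at one checkpoint."""
    name: str
    bounds: dict    # state variable -> (low, high), fixed before the mission
    targets: dict   # guidance target conditions that go with this corridor

    def violations(self, state):
        """Variables outside the corridor. A missing or NaN reading counts as
        a violation, so bad sensor data can never look nominal."""
        bad = []
        for var, (low, high) in self.bounds.items():
            value = state.get(var)
            if value is None or not (low <= value <= high):
                bad.append(var)
        return bad


def monitor_and_replan(state, active, contingencies):
    """Return (decision, corridor, violated_variables).

    CONTINUE: the state is inside the active corridor.
    REPLAN:   the first pre-planned contingency containing the state is
              selected; nothing is synthesised on board.
    ELEVATE:  no pre-planned option fits, so the parent level must decide.
    """
    violated = active.violations(state)
    if not violated:
        return ("CONTINUE", active, [])
    for option in contingencies:          # ordered by pre-mission preference
        if not option.violations(state):
            return ("REPLAN", option, violated)
    return ("ELEVATE", None, violated)


INF = float("inf")
# Constructed sample corridors; every number here is illustrative only.
NOMINAL = Corridor(
    "nominal",
    {"altitude_m": (900, 1100), "descent_rate_mps": (20, 30), "fuel_kg": (400, INF)},
    {"aimpoint": "primary"},
)
STEEP = Corridor(
    "steep",
    {"altitude_m": (700, 1100), "descent_rate_mps": (25, 45), "fuel_kg": (400, INF)},
    {"aimpoint": "primary"},
)
SHORT_RANGE = Corridor(
    "short-range",
    {"altitude_m": (900, 1100), "descent_rate_mps": (20, 35), "fuel_kg": (250, INF)},
    {"aimpoint": "alternate-near"},
)
CONTINGENCIES = [STEEP, SHORT_RANGE]

if __name__ == "__main__":
    low_fuel = {"altitude_m": 1000, "descent_rate_mps": 25, "fuel_kg": 300}
    decision, corridor, why = monitor_and_replan(low_fuel, NOMINAL, CONTINGENCIES)
    print(decision, corridor.name, corridor.targets, why)
```
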
Slide 28 Autonomous Landing and Hazard Avoidance Technology
AFM Astronaut Insertion
Slide 29 Autonomous Landing and Hazard Avoidance Technology
Types of Astronaut Input Into AFM
• Management by Interruption (changes to the target conditions)
– Crew can update the conditions used by the AFM based on the evolving mission, within specified bounds (e.g., input a new landing aimpoint)
• Management by consent (Authority to Proceed)
– Execution will not occur unless the crew consents to a proposed action (e.g., de-orbit burn)
• Management by exception (time-outs)
– Execution will occur within a specified timeframe if the crew does not prevent the AFM from proceeding (e.g., phase change out of a non-sustainable orbit)
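An added example (not part of the original slides) of the three input types listed above as decision logic: consent blocks until approved, exception proceeds at time-out unless inhibited, and interruption accepts new target conditions only inside pre-set bounds. The function names, input strings, time-out value and aimpoint bounds are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    CONSENT = "consent"       # authority to proceed is required
    EXCEPTION = "exception"   # proceeds at time-out unless the crew inhibits


@dataclass(frozen=True)
class ProposedAction:
    name: str
    mode: Mode
    timeout_s: float = 0.0    # only used in EXCEPTION mode


def decide(action, crew_input, elapsed_s):
    """crew_input is 'approve', 'inhibit' or None (no response yet).
    Returns 'EXECUTE', 'HOLD' or 'WAIT'."""
    if crew_input == "approve":
        return "EXECUTE"
    if crew_input is not None:
        # 'inhibit' always wins; any unrecognised input also holds (fail closed).
        return "HOLD"
    if action.mode is Mode.EXCEPTION and elapsed_s >= action.timeout_s:
        return "EXECUTE"      # management by exception: silence means proceed
    return "WAIT"             # management by consent never times out into action


def apply_interruption(targets, bounds, update):
    """Management by interruption: merge crew-supplied target conditions.
    The update is applied all-or-nothing; a key with no declared bounds or a
    value outside its bounds rejects the whole update and keeps the old targets."""
    merged = dict(targets)
    for key, value in update.items():
        if key not in bounds:
            return ("REJECTED", dict(targets))
        low, high = bounds[key]
        if not (low <= value <= high):
            return ("REJECTED", dict(targets))
        merged[key] = value
    return ("ACCEPTED", merged)


# Constructed sample data; names and numbers are illustrative only.
DEORBIT = ProposedAction("de-orbit burn", Mode.CONSENT)
PHASE_CHANGE = ProposedAction("phase change", Mode.EXCEPTION, timeout_s=30.0)
TARGETS = {"aim_east_m": 0.0, "aim_north_m": 0.0}
BOUNDS = {"aim_east_m": (-200.0, 200.0), "aim_north_m": (-200.0, 200.0)}

if __name__ == "__main__":
    print(decide(DEORBIT, None, 600.0))        # still waiting for consent
    print(decide(PHASE_CHANGE, None, 30.0))    # time-out reached, proceeds
    print(apply_interruption(TARGETS, BOUNDS, {"aim_east_m": 150.0}))
```
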
Slide 30 Autonomous Landing and Hazard Avoidance Technology
Specific Crew Interaction with ALHAT System: Called out by the Level 0 Comments
Specific Crew Interactions with ALHAT
1. Landing site re-designation
2. Adjustments to the descent and landing planning constraints
3. Mission phase initiation and approval
4. Abort decisions
5. Fault identification and recovery
Types of Human Insertion
• Management by interruption (changes to target conditions)
• Management by consent (Authority to Proceed)
• Management by exception (time-outs)
Slide 31 Autonomous Landing and Hazard Avoidance Technology
Crew Landing Site Re-designation: Example
• HDA sensors & algorithms will identify hazardous regions
• AFM will determine alternate landing sites and present the top 5 alternate options with key information about each option
– Crew will not have to integrate data across multiple instruments to determine key decision criteria
• During landing, the crew can redesignate to any of the alternate landing sites
– New landing aimpoint will become an input to the AFM
[Figure: Notional display for terminal descent, showing landing site options 1–5 with the columns Fuel Reserve, Additional time required, and Distance to closest hazard. Column values as extracted: additional time required 00:00, 00:09, 00:10, 00:20, 00:16, 00:18; fuel reserve 1989, 1978, 1976, 1964, 1969, 1966; distance to closest hazard 0, 10, 6, 19, 18, 11.]
Slide 32 Autonomous Landing and Hazard Avoidance Technology
Crew Landing Site Re-designation: Low Level Insertion into AFM
[Figure: the Mission activity hierarchy (Orbit, TransferOrbit, PoweredDescent, EndMission and their sub-activities), annotated with “New landing aimpoint”.]
• The constraints of the lowest level controller are updated based on crew input
– This is handled similarly to something in the environment causing a local re-plan
Slide 33 Autonomous Landing and Hazard Avoidance Technology
Crew Landing Site Re-designation: High Level Insertion into AFM
[Figure: the Mission activity hierarchy (Orbit, TransferOrbit, PoweredDescent, EndMission and their sub-activities), annotated with “New landing aimpoint”.]
• If human change is outside the capability of the planner, the activity will require re-planning from its parent
Slide 34 Autonomous Landing and Hazard Avoidance Technology
Conclusions
• New landing and safety requirements necessitate an additional technology to handle mission planning and monitoring activities
– GN&C will provide the detailed maneuver and control commands
– AFM will update GN&C target conditions as necessary
• AFM must provide mechanism for human redirection and interruption
– Real-time autonomy architecture will need to support human insertion at multiple levels and quickly adapt to human input
– Design of AFM architecture and Crew Interface design are tightly coupled
• Technology development to mature AFM to TRL6 will continue as part of the ALHAT program
Slide 35 Autonomous Landing and Hazard Avoidance Technology
References
Slide 36 Autonomous Landing and Hazard Avoidance Technology
References
• Parasuraman, Sheridan, Wickens. "A Model for Types and Levels of Human Interaction with Automation." IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans, Vol. 30, No. 3., 2000.
• Exploration Systems Mission Directorate; ESMD-RQ-0011 Preliminary (Rev. E) Exploration Crew Transportation System Requirements Document (Spiral 1); Effective Date: 24 Mar 2005. Page 31 of 45.
• Draper, C.S., Whitaker, H.P., Young, L.R. “The Roles of Men and Instruments in Control and Guidance Systems for Spacecraft.” 15th International Astronautical Congress, Poland, 1964.
• Sheridan, T.B. Humans and Automation: System Design and Research Issues, 2002.
• Boff, K.R. Ch. 40, Handbook of Perception and Human Performance, Moray, 1986.
• Nevins, J.L., “Man-Machine Design for the Apollo Navigation, Guidance, and Control System-Revisited.” NASA report, January 1970.
• Klump, A.R., “A Manually retargeted automatic descent and landing system for LEM.” Report-539, March 1966.
• Card, S. K., Moran, T. P., & Newell, A. (1983). The psychology of human-computer interaction. Hillsdale, NJ: Lawrence Erlbaum Associates.
• Ricard, M., Kolitz, S., “The ADEPT Framework for Intelligent Autonomy”, presented at NATO Research and Technology Organization Workshop on Intelligent Systems for Aeronautics, April 2002.