This application of SRI's procedural
reasoning technology demonstrates the real-time management of
the Reaction Control System (RCS) on the NASA space shuttle. Procedures for
monitoring as well as diagnosing and recovering from failures are
automatically selected and applied to help keep the RCS working within
required specifications.
Domain
The space shuttle's Reaction Control System (RCS) provides propulsive
forces from a collection of jet thrusters to control the attitude of the
spacecraft. There are three RCS modules, two aft and one forward (upper
right). Each module (upper left) contains a collection of primary and
vernier jets, a fuel tank, an oxidizer tank, and two helium tanks.
Propellant flow, both fuel and oxidizer, is maintained by pressurizing the
propellant tanks with helium. The helium supply is fed to its associated
propellant tank through two redundant lines, designated A and B. A number
of pressure and temperature transducers are attached at various parts of
the system for monitoring. Each RCS module receives both manual and
automatic commands via the shuttle's general-purpose computers (GPCs).
Valves in an RCS module are controlled from a panel of switches (upper
left) that can be set to OPEN, CLOSE, or GPC for computer control.
Talkbacks on the panel provide sensory feedback on the position of the
valves. The problem is to automate the malfunction procedures that diagnose
and reconfigure this subsystem.
Application
The construction of this application began with a translation of the
procedures from NASA's RCS malfunction handling manual into PRS procedures.
This was facilitated by PRS's graphical procedure editor and by the strong
similarity between PRS's procedural representation (lower left) and that
utilized by NASA. Both index procedures by those conditions under which
they should be considered for application and utilize a graphical
representation, resembling a flowchart, to capture the coordinated
sequences of tests and actions that should be performed. Next, PRS's
procedure library was augmented with procedures to
directly communicate with the shuttle's computer and thereby indirectly
with the astronauts and the shuttle's sensors and actuators. During
operation the status of valves, switches, and transducers is periodically
posted to PRS's database of facts and beliefs (lower
right). In response, PRS searches its procedure library for procedures
whose cue and preconditions are satisfied
by PRS's current facts, beliefs, and goals. PRS executes eligible
procedures asynchronously based on their priority, resource requirements,
and resource availability. Execution progresses through the
plot of a procedure, beginning with the evaluation of its
starting node; if evaluation succeeds, one of its siblings is selected for
evaluation; if that sibling does not succeed, another is selected for
evaluation; this continues until a successful sibling is found, in which
case execution continues from it, or the procedure ends in failure. Since
the evaluation of any node may post new facts or goals, other RCS testing,
monitoring, diagnosis, and recovery procedures may be triggered in
response.
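The selection and execution cycle described above can be sketched as a toy interpreter; this is an added example, not SRI's PRS code or NASA's procedures. All fact names, procedure names, and the diagnosis logic are constructed for illustration, and the sketch runs procedures sequentially and omits goals and resource requirements.

```python
# Added illustration: a toy PRS-style interpreter (not SRI's PRS code).
# Every fact and procedure name below is constructed for this example.
class Node:
    def __init__(self, test, posts=(), successors=()):
        self.test, self.posts, self.successors = test, posts, list(successors)

    def evaluate(self, db):
        if not self.test(db):
            return False
        db.update(self.posts)          # evaluating a node may post new facts
        return True

class Procedure:
    def __init__(self, name, cue, precondition, start, priority=0):
        self.name, self.cue, self.precondition = name, cue, precondition
        self.start, self.priority = start, priority

def run_plot(start, db):
    """Walk the plot: first successful successor wins; none means failure."""
    if not start.evaluate(db):
        return False
    node = start
    while node.successors:
        node = next((s for s in node.successors if s.evaluate(db)), None)
        if node is None:
            return False
    return True

def interpret(db, library, telemetry):
    """Post facts one at a time; run eligible procedures by priority."""
    trace, pending = [], list(telemetry)
    while pending:
        fact = pending.pop(0)
        db.add(fact)
        eligible = [p for p in library if p.cue == fact and p.precondition(db)]
        for p in sorted(eligible, key=lambda p: -p.priority):
            before = set(db)
            trace.append((p.name, run_plot(p.start, db)))
            pending.extend(sorted(db - before))   # new facts may trigger more
    return trace

has = lambda fact: (lambda db: fact in db)
LIBRARY = [
    Procedure("diagnose-he-pressure", "he-press-A-low", has("he-valve-A-open"),
              Node(has("he-press-A-low"), successors=[
                  Node(has("he-press-B-low"), posts=["suspect-tank-leak"]),
                  Node(lambda db: True, posts=["suspect-line-A"])]), priority=5),
    Procedure("switch-to-line-B", "suspect-line-A", has("he-valve-B-closed"),
              Node(lambda db: True, posts=["cmd-close-A", "cmd-open-B"])),
]
```

Calling interpret({"he-valve-A-open", "he-valve-B-closed"}, LIBRARY, ["he-press-A-low"]) runs the diagnosis procedure, whose posted fact then triggers the reconfiguration procedure.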
Performance
This system was successfully tested against the NASA Johnson Space Flight
Center's RCS simulator as well as against live telemetry data from a
shuttle flight. It successfully monitored and responded to RCS events in
real time by rapidly applying monitoring and recovery procedures as
dictated by the dynamics of the situation and the operational policies of
NASA. This application of PRS includes approximately 60 procedures
extracted from NASA's RCS malfunction handling manual, another 60
procedures to interface with the shuttle's computer, and a few metalevel
reasoning procedures that implement policies for dynamically selecting
procedures for execution when multiple ones are eligible.