Planning with Diversified Models for Fault-Tolerant Robots

Authors

  • Benjamin Lussier
  • Matthieu Gallien
  • Jérémie Guiochet
  • Félix Ingrand
  • Marc-Olivier Killijian
  • David Powell
Abstract

Planners are central to the notion of complex autonomous systems. They provide the flexibility that autonomous systems need to be able to operate unattended in an unknown and dynamically-changing environment. However, they are notoriously hard to validate. This paper reports an investigation of how redundant, diversified models can be used as a complement to testing, in order to tolerate residual development faults. A fault-tolerant temporal planner has been designed and implemented using diversity, and its effectiveness demonstrated experimentally through fault injection. The paper describes the implementation of the fault-tolerant planner and discusses the results obtained. The results indicate that diversification provides a noticeable improvement in planning reliability with a negligible performance overhead. However, further improvements in reliability will require implementation of an on-line checking mechanism for assessing plan validity before execution.

Introduction

Planning shows promising success as a central decisional mechanism in complex autonomous systems, both in space exploration and in experimental studies. However, the dependability of planners remains a stumbling block to real life utilization. Indeed, how can we justifiably trust such mechanisms, whose behavior is difficult to predict and validate?

Autonomous systems strive to accomplish goals in open environments. The space of possible execution contexts is thus, in essence, infinite, and cannot be exhaustively tested during validation. Testing and other validation techniques are nevertheless necessary in order to obtain planners that are as bug-free as possible. However, we believe that such validation techniques must be complemented by a fault-tolerance approach aimed at making planners resilient to residual bugs. We propose in this paper a fault tolerance approach focused on development faults in planner knowledge. The approach uses redundant diversified planning models.

First, we introduce basic concepts of dependability and dependability issues relative to planning. Second, we present fault tolerance techniques that may be applied to planning mechanisms and the implementation of a fault tolerant planner for an autonomous system architecture. Third, we introduce the validation framework that we developed to assess performance and efficacy of our fault tolerance approach. Finally, we present our experimental results.

Copyright © 2007, American Association for Artificial Intelligence (www.aaai.org). All rights reserved.

Dependability and Fault Tolerance

Dependability is a major concern in computing systems controlling critical structures such as railroads, planes and nuclear plants. We introduce here basic dependability concepts extracted from (Avizienis et al. 2005). We then discuss validation and other dependability issues relative to planning.

Dependability basic concepts

The dependability of a computing system is its ability to deliver service that can justifiably be trusted. Correct service is delivered when the service implements the system function, that is what the system is intended to do. Three concepts further describe this notion: the attributes of dependability, the threats to dependability, and the means by which dependability can be attained (Figure 1).

Dependability encompasses numerous attributes. Depending on the application intended for the system, different emphasis may be put on each attribute. We focus particularly on reliability (the continuous deliverance of correct service for a period of time) and safety (the absence of catastrophic consequences on the users and the environment) of a system.

The threats to a system’s dependability consist of failures, errors and faults. A system failure is an event that occurs when the delivered service deviates from correct service. An error is that part of the system state that can cause a subsequent failure. An error is detected if its presence is indicated by an error message or error signal. A fault is the adjudged or hypothesized cause of an error. Here, we focus particularly on development faults: faults that are unintentionally caused by man during the development of the system.

[Figure 1: attributes, threats and means of dependability; surviving labels: INTEGRITY, MAINTAINABILITY]

Similar resources

Experiments with Diversified Models for Fault-Tolerant Planning

Autonomous robots make extensive use of decisional mechanisms, such as planning. These mechanisms are able to take complex and adaptative decisions, but are notoriously hard to validate. This paper reports an investigation of how redundant, diversified models can be used to tolerate residual design faults in such mechanisms. A fault-tolerant temporal planner has been designed and implemented us...

Fault-Tolerant Gait Planning of Multi-Legged Robots

A fault-tolerant gait of multi-legged systems is defined as a gait which can maintain the gait stability and continue its walking against the occurrence of a leg failure (Yang & Kim, 1998). The notion of the fault-tolerant gait comes from the fact that legged robots with static walking have inherent fault tolerance capability against a failure in a leg, since a failed leg for itself does not ca...

Reliability maps for probabilistic guarantees of task motion for robotic manipulators

There are many applications for which reliable and safe robots are desired. For example, assistant robots for disabled or elderly people and surgical robots are required to be safe and reliable to prevent human injury and task failure. However, different levels of safety and reliability are required for different tasks so that understanding the reliability of robots is paramount. Currently, it ...

Realizing Positive Gait Stability of a Quadruped Robot Walking on Sloping Surface

A fault-tolerant gait planning of a quadruped robot is presented. The considered robot has static walking and suffers from a locked joint failure. Especially, the quadruped robot is equipped with the moving appendage onto the body. By controlling the moving appendage, the robot can adjust the effective position of the center of gravity. Incorporating the adjustment of the moving appendage along...

Publication date: 2007