Richard M. Murray (California Institute of Technology), Campus PI
Michel D. Ingham (Jet Propulsion Laboratory)

  • Richard Camilli (WHOI)
  • Tara Estlin (JPL)
  • Masahiro Ono (JPL)
  • Brian Williams (MIT)
  • Catharine McGhan, CMS postdoctoral fellow, Caltech (co-located at JPL)
  • Tiago Vaquero, CMS postdoctoral fellow, Caltech (co-located at MIT)
  • Eric Timmons, PhD research assistant, MIT (supported through the WHOI-MIT Joint Program)
  • Cheng Fang, PhD Student, MIT, 2015 intern at JPL
  • Riashat Islam, University College London undergraduate, 2015 SURF fellow
  • Sandra Liu, Caltech undergraduate, 2015 SURF fellow and 2016 SURF fellow (applied)


As a follow-on to our recently-completed KISS-funded study on "Engineering Resilient Space Systems", we will carry out a two-year Technical Development Study that will take the critical initial steps in the development of highly-resilient spacecraft. This effort will develop an innovative software architecture that will endow spacecraft with unprecedented levels of resilience, and then demonstrate how it can reduce risk and cost through capabilities such as unattended, long-distance traverses. This effort builds on and supports research efforts at Caltech, JPL, MIT and the Woods Hole Oceanographic Institution (WHOI). To achieve these objectives, we will mature and integrate key technologies in (i) goal-directed and risk-aware execution/decision-making, (ii) correct-by-construction control policy synthesis, and (iii) model-based systems engineering approaches that facilitate development of the underlying models used in these technologies. Another key technology contribution will be the development of a rigorous architectural analysis framework, enabling system designers to perform tradeoffs between key characteristics (e.g., flexibility versus reaction time) associated with the allocation of capabilities to the different layers of our architecture (deliberative, habitual, and reflexive, analogous to human behavior).

To illustrate the breadth of applicability and versatility of our Resilient Spacecraft Executive architecture, we will deploy and demonstrate it on two very different platforms representing compelling Earth-based analogues of space systems:

  • an autonomous underwater vehicle (AUV) testbed, as an analogue for deep-space missions with long communication time latencies that will operate in unknown/uncertain environments, e.g., Europa Clipper, Trojan Tour and RendezVous (TTRV);
  • a surface rover testbed, as an analogue to surface missions with long-distance traverses, e.g., the 2020 Mars Surface Mission (MSM) or other future Mars Sample Return (MSR) missions.

While layered architectures already exist in many past and current flight software and autonomy frameworks, key distinctions and innovations in our proposal are:

  1. Our architecture's emphasis on risk-awareness, which is critical to manage the unprecedented amount of uncertainty in the environments to be explored in future missions. Such uncertainty introduces significant risk and precludes any guarantees of correct behavior, even though we are employing formally correct-by-construction policies. Endowing our architecture with the ability to explicitly assess risk and make decisions based on risk fills this resilience gap.
  2. Our architecture's leveraging of sequencing and control policies that are "correct by construction" in both the habitual and deliberative layers. The use of model-based policy synthesis addresses the current challenge of assuring correctness of the system behavior in the face of growing complexity.
  3. Our use of onboard deliberative reasoning, which enables the system to manage a space of possible executions that is far too large to be completely covered by design-time control policies and that is subject to light-time delays that preclude effective ground-based deliberation and planning for many future mission scenarios.
  4. Our development and use of formal architectural analysis to perform tradeoffs and to ensure correctness of capabilities that are distributed between the deliberative, habitual and reflexive layers. This will result in systems with the flexibility to adapt to their uncertain environments and to potential mission changes.

The long-term goal of this project is to develop a resilient, risk-aware software architecture for onboard, real-time autonomous operations that is intended to robustly handle uncertainty in spacecraft behavior within hazardous and unconstrained environments, without unnecessarily increasing complexity. This architecture, the Resilient Spacecraft Executive (RSE), serves three main functions:

  1. adapting to component failures to allow graceful degradation,
  2. accommodating environments, science observations, and spacecraft capabilities that are not fully known in advance, and
  3. making risk-aware decisions without waiting for slow ground-based reactions.

This architecture is composed of four main parts: deliberative, habitual, and reflexive layers, as well as a state estimator that interfaces with all three (Figure 1). We use a risk-aware goal-directed executive within the deliberative layer to perform risk-informed planning that satisfies the mission goals (specified by mission control) within the specified priorities and constraints. Other state-of-the-art algorithms to be integrated into the RSE include correct-by-construction control synthesis and model-based estimation and diagnosis.

Figure 1. Resilient Spacecraft Executive Architecture. The left side shows the state measurement block where raw data from the sensors is processed, while the center block includes analysis and learning capabilities. The right side is the decision and control block where risk-aware decision-making is made; this includes the deliberative, habitual, and reflexive layers.

During the first year of the effort (Oct 2014-Oct 2015), an initial software implementation of the original proposed architecture was developed. The architecture consists of three layers of abstraction and planning: the reflexive layer (RL) represents the low-level feedback control operations, the habitual layer (HL) is responsible for risk-bounded planning and execution, and the deliberative layer (DL) performs risk-aware planning. The demonstration of RSE capability in year 1 was the use of RSE to command a rover's movement in JPL's high-fidelity rover simulation environment, called ROAMS: JPL's pSulu planner (derived from a hybrid planner originally developed at MIT) was used to plan in the presence of positional uncertainty (DL), an off-the-shelf planner (RRT*) was used for trajectory planning and power usage checks (HL), and a PID controller was implemented at the lowest level to compute the body frame velocity commands sent to the simulated rover (RL).

The MIT team has been developing two main risk-aware planning components of the executive:

  1. an activity planning component, and
  2. a path planning component.

The risk-aware activity planning component consists of a risk-sensitive activity planner that accounts for temporal disturbances while generating plans that satisfy the given mission goals and constraints on operational risk (called chance constraints). The current planner incorporates probabilistic models of activity delay, which it employs within a risk-aware temporal consistency checker to allow the planner to explicitly evaluate the uncertainty in action duration. The risk-aware path planning component consists of a global path planner and a kino-dynamic path planner that allows a vehicle to traverse an environment with bounded risk on obstacle collision.  Preliminary implementations of the risk-aware goal-directed executive, consisting of the two aforementioned components, an activity dispatcher and a state estimator, have been integrated with the habitual and reflexive layers.
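As an added illustration of the risk-aware temporal consistency check described above (this is not code from the RSE project or the MIT planner), the example below models each activity's duration as an independent Gaussian delay (an assumption made here for simplicity), accepts a sequential plan only if the probability of overrunning the deadline stays within the operator's chance constraint, and drops the lowest-priority observation until it does. The dive plan and communication windows are constructed sample values.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    """One plan step with a Gaussian duration model (assumed here for illustration)."""
    name: str
    mean_s: float      # expected duration in seconds
    std_s: float       # standard deviation of the delay in seconds
    priority: int      # higher = more important; used when a plan must be trimmed


def normal_cdf(x: float) -> float:
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def violation_probability(plan: list, deadline_s: float) -> float:
    """P(total duration > deadline) for a sequential chain of activities.
    Independent Gaussian durations sum to a Gaussian, so the check is closed-form."""
    mean = sum(a.mean_s for a in plan)
    var = sum(a.std_s ** 2 for a in plan)
    if var == 0.0:                       # deterministic plan: no risk model needed
        return 0.0 if mean <= deadline_s else 1.0
    z = (deadline_s - mean) / math.sqrt(var)
    return 1.0 - normal_cdf(z)


def is_temporally_consistent(plan: list, deadline_s: float, chance_constraint: float) -> bool:
    """Risk-aware consistency: accept the plan only if the overrun probability
    is within the operator's chance constraint (e.g. 0.05 = 5 percent)."""
    return violation_probability(plan, deadline_s) <= chance_constraint


def trim_to_chance_constraint(plan: list, deadline_s: float, chance_constraint: float) -> list:
    """Drop the lowest-priority activity until the chance constraint holds.
    Keeps the original ordering of the retained activities."""
    kept = list(plan)
    while kept and not is_temporally_consistent(kept, deadline_s, chance_constraint):
        kept.remove(min(kept, key=lambda a: a.priority))
    return kept


# Constructed sample: one glider dive between two surfacings (communication windows).
DIVE_PLAN = [
    Activity("transit_out",  600.0,  60.0, priority=10),
    Activity("survey_a",     900.0, 150.0, priority=2),
    Activity("survey_b",     600.0, 120.0, priority=1),
    Activity("transit_back", 600.0,  60.0, priority=10),
]

if __name__ == "__main__":
    for window in (3300.0, 3000.0):   # seconds until the next communication window
        kept = trim_to_chance_constraint(DIVE_PLAN, window, 0.05)
        print(window, [a.name for a in kept], round(violation_probability(kept, window), 4))
```

With a 3300 s window the full plan passes the 5 percent constraint; with a 3000 s window the overrun probability rises to about 7.7 percent and the lowest-priority survey is dropped.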

Figure 2. WHOI glider deployment (at the surface, prior to descent).
Photo credit: SOI/Logan Mock Bunting.

The integrated system, and components thereof, have been demonstrated in a set of simulated Mars rover scenarios and in a real Autonomous Underwater Vehicle (AUV) deployment (Figure 2). The AUV deployment was performed during a technology validation cruise onboard the R/V Falkor at the Scott Reef lagoon in the Timor Sea, from March 24 to April 6, 2015. In this demonstration, MIT and WHOI team members deployed the risk-aware goal-directed executive prototype, with a simplified version of both planning components, as a decision support system for a Slocum glider. The operators used the executive to plan a series of observations of target regions in between surfacing for data communication and plan underwater paths for the observations. The executive then generated mission scripts that were directly executable by the glider. To the best of our knowledge, a Slocum glider has never been used inside a reef before, due to the challenges present in that environment.

We have also worked on the implementation of the risk-aware planning algorithms on the ground-based platforms.  The open-source Robot Operating System (ROS) middleware software was used for integrating the software with the rover hardware platform.  We performed a successful demonstration of resilient risk-aware autonomy capabilities in the ROAMS simulation in May 2015, and on an ATRV Jr. rover in the Mini Mars Yard in October 2015.

For the second year of the effort (since October 2015), our work has shifted to the determination and implementation of code structures and algorithms necessary to support analysis and verification of the entire architecture. The code has been initially reconfigured into a common format, restricting the communications flow to a common API and clarifying the internal composition of each module; we now also use a state-machine-like structure to control the program flow in each of the three main code modules, corresponding to the three layers in the architecture. This state machine format will allow the use of planning tools to verify that the program flow will handle the given constraints and system uncertainty under any circumstances given. The code is currently undergoing a conversion from using the ROS communication base and separated code to using ROS-native code in a common template. This will enable autocoding support for algorithm selections made using an existing SysML model from the year 1 effort. Support for the Gazebo simulation environment has recently been integrated into RSE for rover models, allowing the easy integration of potentially many different types of robot models into RSE for testing – for example, AUV support using UWSim with Gazebo is already well underway.

Figure 3.  Demonstration of resilient risk-aware autonomy capabilities at JPL’s Mini Mars Yard with the ATRV Jr. in May 2015.

We are also expanding our work on architecture analysis tools and techniques for the deliberative and habitual layers, and for the habitual and reflexive layers, respectively. Work on the characterization of situations like deadlock, via an abstract problem formulation that takes advantage of the new internal structure of the RSE modules (e.g., the internal state machines), is still ongoing. There is also work underway towards the characterization of what we term 'total system stability': the determination of what constraints should be imposed upon and between the various architectural modules to ensure that goals will be accomplished according to

  1. the operator goals and constraints,
  2. the various types of risk for a given scenario and robot platform, and
  3. the assumptions imposed by these choices and the choice of algorithms at each level of the architecture and the level of abstraction at each decision-making layer.

Finally, we are working towards a more extensive deployment on the WHOI gliders with the full executive capability, currently scheduled for April 2016.

Figure 4. Project team at WHOI with Alvin 2, the WHOI submersible, in August 2015.

Status of Collaborations (Campus/JPL/External)

The team is distributed across four institutions: Caltech, JPL, MIT and WHOI. Project meetings are held every other week, alternating locations between campus and lab (MIT and WHOI researchers participate via WebEx). Caltech postdoc Catharine McGhan has an office on campus and on lab, allowing her to spend her time in either location. In addition to the bi-weekly project meetings, there are frequent meetings between Caltech and JPL researchers, as well as between MIT and WHOI researchers. The team also held a two-day retreat in August 2015 at the Woods Hole Oceanographic Institution (WHOI) in Massachusetts.

Caltech postdoc Tiago Vaquero has an office at MIT, allowing him to collaborate closely with the MIT researchers. He has been working on integrating the algorithms and components from previous work at MIT and also helping with the implementation of the risk-aware goal-directed executive prototype.

The MIT team has frequent interactions with WHOI, including implementation of the prototype versions of the software on WHOI underwater vehicles.