Page - 12 - in Proceedings of the OAGM&ARW Joint Workshop - Vision, Automation and Robotics
As we directly observe the component we can detect
that the component is faulty if the observation indicates
a fault.
• If a topic m is observed with the help of a time-out
observer (obstimeout(m)) we state the following logical
formula.
¬obstimeout(m) → AB(m)
As we only observe a topic we can only state that the
topic is abnormal and use the structure to determine
which component caused this fault.
• If a topic m is observed with the help of an HZ observer
(obshz(m)) we state the following logical formula.
¬obshz(m) → AB(m)
As we only observe a topic we can only state that the
topic is abnormal and use the structure to determine
which component caused this fault.
• If a topic m is observed with the help of a time-stamp
observer (obstimestamp(m)) we state the following logical
formula.
¬obstimestamp(m) → AB(m)
As we only observe a topic we can only state that the
topic is abnormal and use the structure to determine
which component caused this fault.
• If two topics m1 and m2 are observed with the help
of a timing observer (obstiming(m1,m2)) we state the
following logical formula.
¬obstiming(m1,m2) → (AB(m1) ∨ AB(m2))
If the timing of the two topics reports an error, one
of the topics must have caused the fault. As we only observe
that at least one of the topics must be abnormal, we
need to use the structure to determine which component
caused this fault.
• If a topic m is observed with the help of a score observer
(obsscore(m)) we state the following logical formula.
¬obsscore(m) → AB(m)
As we only observe a topic we can only state that the
topic is abnormal and use the structure to determine
which component caused this fault.
• If two topics m1 and m2 are observed with the help of
a movement observer (obsmovement(m1,m2)) we state
the following logical formula.
¬obsmovement(m1,m2) → (AB(m1) ∨ AB(m2) ∨ AB(movement))
The formula states that if the movement is observed to
be faulty then either one of the topics is abnormal or the
movement relation is not valid. The movement relation
may not be valid as we may observe the difference
between the IMU and the odometry. If the robot now
slips, the odometry and the IMU no longer agree, but
none of the components is faulty. Instead, the model of the
environment imposing that these two sources of
information are redundant no longer holds.
With the logical formulas from above, the model of
the system is described. Furthermore, the link between the
observations and the model of the system is defined through
the logical formulas from above. With the help of these logical
formulas, one can derive which set of AB(n) predicates
is consistent. This set represents the software components
which need to be faulty to explain the observed faults. As
we are interested in the most likely explanation, we follow
the idea of Occam's razor and search for a minimal set of
AB(n) predicates which is consistent.
To find this minimal set we use a minimal hitting set
algorithm. The algorithm uses a SAT solver to determine whether a set
of AB(n) predicates is consistent. If the set of predicates is
consistent, the algorithm has found a diagnosis. Otherwise,
the algorithm uses the predicates AB(n) which are part
of the conflict in the checked set of AB(n) predicates to
choose the next AB(n) to add to the set to avoid this
conflict. Due to this conflict-driven search, the algorithm
can derive a minimal set in an efficient manner [5]. To
perform the necessary calculations of the algorithm we use
the implementation of [9].
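An added example (not from the paper and not the implementation of [9]): each failed observer above yields a disjunction of AB predicates, and the minimal diagnoses are the minimal hitting sets of those disjunctions. It uses an exhaustive smallest-first search in place of the SAT-based conflict-driven search, models only the observer formulas on this page, and the topic names are hypothetical.

```python
from itertools import combinations

# Observer type -> (number of topics watched, whether AB(movement) is an
# extra disjunct), following the formulas in the text.
OBSERVERS = {
    "timeout": (1, False), "hz": (1, False), "timestamp": (1, False),
    "score": (1, False), "timing": (2, False), "movement": (2, True),
}

def conflict(obs_type, topics):
    """Disjunction of AB predicates implied by one failed observer."""
    arity, with_relation = OBSERVERS[obs_type]
    if len(topics) != arity:
        raise ValueError(f"{obs_type} observer expects {arity} topic(s)")
    members = set(topics)
    if with_relation:
        members.add("movement")   # the redundancy assumption itself may fail
    return frozenset(members)

def minimal_diagnoses(failed):
    """All subset-minimal sets of AB predicates satisfying every clause."""
    clauses = [conflict(t, topics) for t, topics in failed]
    if not clauses:
        return [frozenset()]      # no failed observer: nothing is abnormal
    candidates = sorted(set().union(*clauses))
    found = []
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            cand = frozenset(combo)
            if any(d <= cand for d in found):
                continue          # superset of a diagnosis is not minimal
            if all(cand & c for c in clauses):
                found.append(cand)
    return found

# Constructed sample input: a timing and a movement observer both failed.
FAILED = [
    ("timing", ("/scan", "/odom")),
    ("movement", ("/imu", "/odom")),
]

if __name__ == "__main__":
    for diagnosis in minimal_diagnoses(FAILED):
        print(sorted(diagnosis))
```

The single-element diagnosis {/odom} explains both failed observers at once, which is why a minimal-set search prefers it over the two-element alternatives.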
V. RULE ENGINE
After detecting a fault and identifying the faulty components,
the robot needs to react to this fault. To deal with faulty
components the robot needs either to perform a repair action
[3] or change the configuration of the robotic system [4] to
deal with this problem. In either case, it takes some time
to deal with the fault properly. This can cause the robot to
operate in an unknown state in an unsafe manner. Thus, the
robot first needs to react swiftly to bring the robotic system
into a known and safe state. This ensures that the robotic system
will not harm itself or its environment. Additionally, such a
reaction is often sufficient, as some faults cannot be fixed
by the robot itself, e.g. a broken wheel.
To allow the robot to perform a fast reaction we propose
a simple but powerful rule engine. The simplicity of the rule
engine is not only due to the simple model of how the robot
should react but also due to the limited reasoning which is
performed to choose the reaction. This restricts the possible
reactions of a robot but allows the reactions to be performed fast
without a large computation overhead. The reaction triggered
by the rule engine is a kind of reflex of the robot. Thus, it only
prevents the robot from further harm, if possible.
To perform the reaction, the rule engine uses a set Obs of
the observations made so far. The set is updated with each
incoming observation to ensure that only one observation per
component/topic for a specific type is present. This update
also ensures that only the newest information is used. To
trigger the rules an additional set is used, the set PosAb
of components which are possibly faulty. The set defines
those components which are part of a minimal diagnosis.
Thus, if one has two diagnoses {{m1},{m2}} the set of
possibly faulty components consists of the elements of both
diagnoses ({m1,m2}). This set simplifies reasoning as one
- Title
- Proceedings of the OAGM&ARW Joint Workshop
- Subtitle
- Vision, Automation and Robotics
- Authors
- Peter M. Roth
- Markus Vincze
- Wilfried Kubinger
- Andreas Müller
- Bernhard Blaschitz
- Svorad Stolc
- Publisher
- Verlag der Technischen Universität Graz
- Location
- Wien
- Date
- 2017
- Language
- English
- License
- CC BY 4.0
- ISBN
- 978-3-85125-524-9
- Size
- 21.0 x 29.7 cm
- Pages
- 188
- Keywords
- Tagungsband
- Categories
- International
- Tagungsbände