On-board Timeline Validation and Repair: A Feasibility Study

M. Fox and D. Long
Department of Computer and Information Sciences, University of Strathclyde, Glasgow, UK

L. Baldwin, G. Wilson and M. Woods
SciSys Ltd, Clothier Road, Bristol, UK

D. Jameux
European Space Agency (ESA), European Space Research and Technology Centre, Noordwijk, The Netherlands

R. Aylett
Heriot-Watt University, Edinburgh, UK

Abstract

We report on the progress and outcome of a recent ESA-funded project (MMOPS) designed to explore the feasibility of on-board reasoning about payload timelines. The project sought to examine the role of on-board timeline reasoning and the operational context into which it would fit. We framed a specification for an on-board service that fits with existing practices and represents a plausible advance within sensible constraints on the progress of operations planning. We have implemented a prototype to demonstrate the feasibility of such a system and have used it to show how science gathering operations might be improved by its deployment.

Introduction

Communication to distant landers is restricted, both by the availability of a communication window and by the time it takes for a signal to pass from transmitter to receiver. This makes it essential to construct plans for the activities of a distant spacecraft, often spanning several hours or days of otherwise unsupervised activity. As has frequently been observed, plans rarely survive contact with reality unscathed. Plans must be constructed using predictions about the outcome of the spacecraft's activities and also predictions of the behaviours and reactions of the surrounding environment. These predictions can diverge from the actual behaviours when a plan is executed. In typical currently deployed systems, plan failure will (depending on the severity of the failure) lead to the spacecraft entering a safe mode and awaiting further instructions, having aborted execution of the remainder of the plan.

This response shares an important characteristic with the models on which the plans are based from the outset: they are conservative. That is, both the predictions about the activities of a spacecraft and the response to failures in those predictions act to limit and constrain the science gathering operations of the spacecraft. To illustrate this conservatism, consider that it is now estimated that Sojourner spent at least 50% of its time idle, awaiting further instructions, either because it had completed its planned activities and had nothing left to execute, or because it had entered safe mode following a failure in some activity. Even the immensely successful Mars Exploratory Rovers (MER) mission has been extremely cautious: the original planned mission lifetime for the rovers was only 90 sols, yet they have now been active for more than 850 sols. Even so, they have travelled no more than 7 kilometers in the nearly three years of mission activity. Despite great improvements in the support technology for the planning of MER operations (Ai-Chang et al. 2003), plans remain conservative and plan execution failures have caused many days of lost science gathering over the lifetime of the mission.

In this paper we describe the Mars Mission On-board Planning and Scheduling (MMOPS) project, in which we explored the construction of a prototype system that would help to address the loss of science caused by conservative mission planning and plan failure. Our prototype has been constructed to work with the Beagle 2 (Blake et al. 2004) hardware (see Figure 1), since the on-board software (OBS) and simulator were already available to the team. As part of the project, we have also considered the use of our approach for a mobile lander, such as the planned ExoMars rover. Our approach has been to design a system that could be deployed on-board a remote spacecraft, granting the craft some measure of autonomy.

Other space missions have also explored this possibility, with some success (Chien et al. 2004; Jónsson et al. 2000). In our work we have not attempted to construct a system in which planning is devolved to the on-board system. Instead, planning remains under the control and supervision of the ground operations personnel. The on-board system is designed to manipulate plans (timelines) constructed on the ground, handling three problems that we consider to be central to execution issues on spacecraft:

• Plan failure isolation. When a plan contains an activity that fails, or that is predicted to fail, the first concern is to isolate the consequences of that failure and to protect execution of the remainder of the plan.

• Over-subscription. When a plan contains more activities than the predicted available resources can support, activities must be removed from the timeline in order to bring it back within safe bounds. This situation covers both consumable resources, such as power, and fixed resources, such as instruments.

• Under-subscription. Either as a consequence of failure isolation, or because of conservative estimates for plan execution, if it is predicted that more resource will be available than was expected before plan execution began, this resource can be absorbed to perform additional activities. We call these additional activities opportunities and they are de-