A common systems architecture for

autonomous vehicles

Dr Charles Patchett, Technology Expert

Moving into a new era

1898 1958 2018

The meaning and case for autonomous operations

Architecting the common system

Introduction

Autonomy and automation

•Does not think or reason

•Makes no decisions independently

•Acts according to an pre-programmed agenda (or mode) when

instructed or pre-tasked

•Control is by an on/off switch (somewhere)

•Is conceptually, information limited

An automatic system

Autonomy and automation

• Should think or reason

• Should make decisions

• Acts independently according to an agenda

• Control can be adaptive and variable and is generally not switched

• Is conceptually, information rich

• Behaviours are driven by its beliefs

A simple and practical definition is:

‘An autonomous system is one that independently makes decisions

from choice’

An automatic system

Autonomy and automation

In short, they are very much different in:

• Concept

• Software implementation

• Their associated human relationship and interaction

However, they do have many things in common and are not necessarily in competition with each other.

Ideally they should be complementary

Motivation for autonomy

• They do not suffer from memory loss, lack of

concentration, or boredom.

• They can react extremely fast to recover situations.

• They do not take chances nor do they wilfully violate

regulations or dodge safety procedures

• They can be forced to objectively re-evaluate situations

– no human type “confirmation bias”

• They can attend to a variety of situations virtually

simultaneously – no human type “framing bias” or

fixation

Positive aspects of autonomous systems

Motivation for autonomy

• Certification

• No process yet in place, and requires more (but not much) research

• Determinism may preclude learning and be a bar to complex

behavioural responses

• Inappropriate System Responses

• Rule based errors due to incorrect beliefs or lack of appropriate rules

• Human Machine Interaction

• New models required before operator acceptance

• Social, Ethical and Legal Issues

• Who actually is in charge and therefore responsible

Limitations of autonomous systems

Models of decision making

Sense Act Reactive (hardwired) Decision Making

single rule

Multi Attribute Utility Theory

(Maximised Expected Value)

Plan Alternatives

+ Expected Utility

( = Po * Plan Value)

Act

Decide

Orientate

Observe

Klein’s Recognition Primed

Decision Making Recognised

Situation Act

best action

selected

Boyd’s OODA Loop

Models of decision making

Information

Control

Decision

These models can be seen to be a specific implementation of a general cycle of

Information – Decision – Control

operating over the contexts of objectives, consequences and constraints.

Architecting the system

The first robotic system design was the Sense - Plan – Act

Architecture which comprised:

• a sensing system

• a planning system

• an execution system

It failed due to the one way flow of control (as per normal

programming conditionals) and underestimating the non-trivial

problems of world modelling and planning.

The first departure was the Subsumption Architecture of Rodney

Brookes

Architecting the system

Introduction of the Beliefs, Desires

and Intentions (BDI) concept and the

basis for Intelligent Agent Systems

The Procedural Reasoning System of Georgeff, Rao and Ingrand

Architecting the system

Feedback

Sequencer

Controller

Planning Layer

Control Data

Comprising three components:

• A fast reactive feedback control layer – the skill

level or controller

• A deliberative layer – the planner or deliberator

• A connecting layer – the sequencer, executive or

manager

The (now) standard three-layer robotic architecture

Architecting the system

Sensing the environment

The Three Layer architecture does not formally include

generation and maintenance of knowledge or the

environment. For simple environments, this is OK.

The air and ground environments though are complex,

procedural and uncertain. This requires that considerable

modelling is achieved to understand it.

The source of information: the world model A world model takes information from sensors, databases and other

internal and external sources, such as comms and aggregates, abstracts

and aligns them to higher levels of cognition in order to deliberate about

the status of our progress towards our objectives.

In short, it provides situational awareness.

Mica Endsley’s view of situational awareness is a continual process of:

Perception

Comprehension

Projection

From the world model we can then act or deliberate about what to do

now, or plan to do in the future.

Basic Data Items from Sensors, Comms and Databases

Increasing Abstraction

Increasing Aggregation

Increasing Cognition

Factual Levels

Highest Cognitive

Level

Knowledge Levels

Belief

Levels

Information Space

Reactively

Fired Rules

Deliberatively

Fired Rules

Decision/Action Space

Rule Firing

The information pyramid of cognition

Architecting the system

General system requirements

• To be capable of certification by design. This turn requires:

– It to be capable of being assessed and tested for safety.

– It to have repeatable, deterministic and safe responses to external and internal input.

– The use of robust and rugged hardware running high integrity software in real time.

– Adequate redundancy for safety and mission critical components and

processes.

– Handling of safety-critical functions which must fail safe and be

incapable of operating when not required.

• To have low volume, cost and power needs.

• To conform to appropriate standards

• To be highly integrated, modular and efficient

• To be obsolescent proof for software re-use

Architecting the system

Putting it all together

• By accepting those modifications above as suggested by

consideration of TLAs, and including an information collection and

processing layer

• Make clear provision for mission and safety critical control

functions for acceptable levels of safety

• Utilise accepted system design guidelines and standards

• Make provision for the variable (0 – 100%) and adaptive human

control of the system by authorisation in accordance with a defined

protocol (such as the PACT levels)

• Partitioning the system into independent decision modules

overseen by a “Master Executive”

A common vehicle functional architecture

Enhancing your capability virtualengineeringcentre.com

vec@liverpool.ac.uk

@VEC_VE