A common systems architecture for
autonomous vehicles
Dr Charles Patchett, Technology Expert
Moving into a new era (1898, 1958, 2018)
The meaning and case for autonomous operations
Architecting the common system
Introduction
Autonomy and automation
An automatic system:
• Does not think or reason
• Makes no decisions independently
• Acts according to a pre-programmed agenda (or mode) when instructed or pre-tasked
• Control is by an on/off switch (somewhere)
• Is conceptually information-limited
Autonomy and automation
An autonomous system:
• Should think or reason
• Should make decisions
• Acts independently according to an agenda
• Control can be adaptive and variable and is generally not switched
• Is conceptually information-rich
• Behaviours are driven by its beliefs
A simple and practical definition is:
‘An autonomous system is one that independently makes decisions from choice’
Autonomy and automation
In short, the two differ greatly in:
• Concept
• Software implementation
• Their associated human relationship and interaction
However, they have many things in common and are not necessarily in competition with each other. Ideally they should be complementary.
Motivation for autonomy
Positive aspects of autonomous systems:
• They do not suffer from memory loss, lack of concentration, or boredom.
• They can react extremely fast to recover situations.
• They do not take chances, nor do they wilfully violate regulations or dodge safety procedures.
• They can be forced to objectively re-evaluate situations – no human-type “confirmation bias”.
• They can attend to a variety of situations virtually simultaneously – no human-type “framing bias” or fixation.
Motivation for autonomy
Limitations of autonomous systems:
• Certification
  – No process yet in place, and requires more (but not much) research
  – Determinism may preclude learning and be a bar to complex behavioural responses
• Inappropriate System Responses
  – Rule-based errors due to incorrect beliefs or lack of appropriate rules
• Human Machine Interaction
  – New models required before operator acceptance
• Social, Ethical and Legal Issues
  – Who actually is in charge and therefore responsible?
Models of decision making
The slide diagrams four models of decision making:
• Reactive (hardwired) decision making: Sense → Act, driven by a single rule.
• Multi Attribute Utility Theory (maximised expected value): Plan alternatives → Expected utility (= Po * Plan Value) → Act.
• Klein’s Recognition Primed Decision Making: Recognised situation → Act, the best action being selected for the recognised situation.
• Boyd’s OODA Loop: Observe → Orientate → Decide → Act.
Models of decision making
These models can be seen as specific implementations of a general cycle of Information – Decision – Control, operating over the contexts of objectives, consequences and constraints.
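As an added example (not from the presentation), the following Python sketch places three of these decision models inside the same Information – Decision – Control cycle: a hardwired reactive rule, MAUT plan selection maximising Po * plan value over only those alternatives admissible under a constraint, and a recognition-primed lookup fed by an OODA-style observe/orientate step. The plan alternatives, probabilities, values, speed constraint and sensor stream are constructed for illustration and are assumptions, not material from the slides.

```python
"""Added example (not from the presentation): the general
Information -> Decision -> Control cycle with three of the slide's decision
models plugged in. Plan names, probabilities, values and the sensor stream are
constructed assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    name: str
    p_outcome: float      # Po: probability that the plan delivers its outcome
    value: float          # plan value if it does
    max_speed_kph: float  # a consequence that the constraints are checked against


def expected_utility(plan: Plan) -> float:
    """MAUT slide: expected utility = Po * plan value."""
    return plan.p_outcome * plan.value


def decide_maut(plans, constraints):
    """Maximised expected value, but only over the admissible alternatives:
    a plan whose consequences violate a constraint is never a candidate."""
    admissible = [p for p in plans if p.max_speed_kph <= constraints["speed_limit_kph"]]
    if not admissible:
        return None  # no admissible plan: the caller must fall back to a safe action
    return max(admissible, key=expected_utility)


PLANS = [  # constructed alternatives
    Plan("fast", 0.7, 100.0, 130.0),     # EU 70
    Plan("moderate", 0.9, 70.0, 100.0),  # EU 63
    Plan("slow", 0.99, 40.0, 60.0),      # EU 39.6
]


def decide_reactive(info):
    """Sense -> Act: one hardwired rule, no deliberation."""
    return "brake" if info["range_m"] < 10 else "continue"


# Klein's RPD: a recognised situation maps straight to the best known action
RECOGNISED = {"obstacle_ahead": "brake", "closing_fast": "slow", "clear": "continue"}


def orient(belief, observation):
    """OODA 'orientate': update the belief state from the raw observation."""
    r = observation["range_m"]
    closing = belief.get("range_m", r) - r  # metres closed since last observation
    belief.update(range_m=r, closing_m=closing)
    if r < 10:
        belief["situation"] = "obstacle_ahead"
    elif closing >= 10 and r < 25:
        belief["situation"] = "closing_fast"
    else:
        belief["situation"] = "clear"
    return belief


def ooda_loop(observations):
    """Information (observe + orientate) -> Decision -> Control, repeated."""
    belief, actions = {}, []
    for obs in observations:
        belief = orient(belief, obs)  # information
        # decision: recognised situation, else fall back to the reactive rule
        action = RECOGNISED.get(belief["situation"], decide_reactive(obs))
        actions.append(action)  # control output for this cycle
    return actions


SENSOR_STREAM = [{"range_m": r} for r in (30.0, 20.0, 8.0, 25.0, 25.0)]  # constructed

if __name__ == "__main__":
    print(decide_maut(PLANS, {"speed_limit_kph": 100}).name)
    print(ooda_loop(SENSOR_STREAM))
```

The constraint check happens before the expected-utility maximisation, so raising or lowering the speed limit changes which alternative wins without touching the utility values themselves; with no admissible plan the function returns nothing rather than the "least bad" violation.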
Architecting the system
The first robotic system design was the Sense – Plan – Act architecture, which comprised:
• a sensing system
• a planning system
• an execution system
It failed due to the one-way flow of control (as in normal programming conditionals) and its underestimating of the non-trivial problems of world modelling and planning.
The first departure was the Subsumption Architecture of Rodney Brooks.
Architecting the system
The Procedural Reasoning System of Georgeff, Rao and Ingrand: introduction of the Beliefs, Desires and Intentions (BDI) concept and the basis for Intelligent Agent Systems.
Architecting the system
The (now) standard three-layer robotic architecture (diagram labels: Planning Layer, Sequencer, Controller, Control Data, Feedback), comprising three components:
• A fast reactive feedback control layer – the skill level or controller
• A deliberative layer – the planner or deliberator
• A connecting layer – the sequencer, executive or manager
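As an added example (not from the presentation), here is a toy three-layer architecture in Python that makes the division of responsibility concrete: the planner produces a plan once, the sequencer hands the controller one setpoint at a time and uses feedback to decide when to advance, and the controller runs a fast, bounded, deterministic loop that never sees the plan. The 1-D vehicle model, gain, speed bound, waypoint spacing and tolerance are constructed assumptions.

```python
"""Added example (not from the presentation): a toy three-layer architecture.
The planner, sequencer and controller are constructed to illustrate the
division of responsibility; the 1-D vehicle model, gains and tolerances are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class Controller:
    """Skill layer: fast, deterministic feedback loop. Its output is clamped so
    the command stays within a safe bound whatever setpoint it is handed."""
    gain: float = 0.5
    v_max: float = 2.0

    def step(self, position: float, setpoint: float) -> float:
        command = self.gain * (setpoint - position)
        return max(-self.v_max, min(self.v_max, command))


@dataclass
class Planner:
    """Deliberative layer: slow, runs once, produces a list of waypoints."""
    def plan(self, start: float, goal: float, spacing: float = 5.0) -> list:
        waypoints, pos = [], start
        step = spacing if goal >= start else -spacing
        while abs(goal - pos) > spacing:
            pos += step
            waypoints.append(pos)
        waypoints.append(goal)
        return waypoints


@dataclass
class Sequencer:
    """Executive layer: exposes one setpoint at a time to the controller and
    advances through the plan on feedback from the vehicle state."""
    plan: list
    tolerance: float = 0.25
    index: int = 0
    reached: list = field(default_factory=list)

    def current_setpoint(self):
        return self.plan[self.index] if self.index < len(self.plan) else None

    def feedback(self, position: float) -> None:
        target = self.current_setpoint()
        if target is not None and abs(target - position) <= self.tolerance:
            self.reached.append(target)
            self.index += 1


def run_mission(start: float, goal: float, max_ticks: int = 1000, dt: float = 0.1) -> dict:
    """Drive the three layers: plan once, then tick the control loop."""
    planner, controller = Planner(), Controller()
    sequencer = Sequencer(planner.plan(start, goal))
    position = start
    for tick in range(max_ticks):
        setpoint = sequencer.current_setpoint()
        if setpoint is None:  # plan exhausted: mission complete
            return {"done": True, "ticks": tick, "position": position, "reached": sequencer.reached}
        velocity = controller.step(position, setpoint)  # fast loop, no planning here
        position += velocity * dt                       # constructed 1-D vehicle model
        sequencer.feedback(position)                    # feedback up to the executive
    return {"done": False, "ticks": max_ticks, "position": position, "reached": sequencer.reached}


if __name__ == "__main__":
    print(run_mission(0.0, 12.0))
```

Note that a planning failure or a slow planner cannot stall the controller: the controller only ever consumes the current setpoint, and the bound on its output is enforced in the controller itself rather than trusted to the layers above it.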
Architecting the system
Sensing the environment
The three-layer architecture does not formally include the generation and maintenance of knowledge of the environment. For simple environments this is acceptable. The air and ground environments, though, are complex, procedural and uncertain, and understanding them requires considerable modelling.
The source of information: the world model
A world model takes information from sensors, databases and other internal and external sources (such as comms) and aggregates, abstracts and aligns it to higher levels of cognition, in order to deliberate about the status of our progress towards our objectives. In short, it provides situational awareness.
Mica Endsley’s view of situational awareness is a continual process of:
• Perception
• Comprehension
• Projection
From the world model we can then act, or deliberate about what to do now or plan to do in the future.
The information pyramid of cognition (diagram): basic data items from sensors, comms and databases form the factual levels at the base; above them sit the knowledge levels and then the belief levels, the highest cognitive level, with abstraction, aggregation and cognition increasing towards the top. Together these levels form the information space; rule firing, either reactively or deliberatively, maps it onto the decision/action space.
Architecting the system
General system requirements
• To be capable of certification by design. This in turn requires:
  – It to be capable of being assessed and tested for safety.
  – It to have repeatable, deterministic and safe responses to external and internal input.
  – The use of robust and rugged hardware running high-integrity software in real time.
  – Adequate redundancy for safety- and mission-critical components and processes.
  – Handling of safety-critical functions, which must fail safe and be incapable of operating when not required.
• To have low volume, cost and power needs.
• To conform to appropriate standards.
• To be highly integrated, modular and efficient.
• To be obsolescence-proof, for software re-use.
Architecting the system
Putting it all together
• Accept the modifications above, as suggested by consideration of three-layer architectures (TLAs), and include an information collection and processing layer
• Make clear provision for mission- and safety-critical control functions, for acceptable levels of safety
• Utilise accepted system design guidelines and standards
• Make provision for variable (0 – 100%) and adaptive human control of the system by authorisation, in accordance with a defined protocol (such as the PACT levels)
• Partition the system into independent decision modules overseen by a “Master Executive”
A common vehicle functional architecture
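As an added example (not from the presentation), the Python below shows how the last two points of "Putting it all together" and the fail-safe requirements from "General system requirements" fit together: independent decision modules propose actions, a master executive oversees them in a fixed priority order, each proposal carries the minimum level of delegated human authorisation it needs, and when no acceptable proposal exists the executive returns a fixed safe action. The safety-critical module produces no output at all unless it is required, and a module that throws cannot take the executive down. The 0 to 100% authorisation scale follows the slide, but the thresholds, module names and actions are constructed and are not the PACT level definitions.

```python
"""Added example (not from the presentation): a master executive overseeing
partitioned decision modules, gated by the current level of human
authorisation and falling back to a deterministic safe action. Thresholds,
module names and actions are constructed, not the PACT definitions."""
from dataclasses import dataclass
from typing import Optional

SAFE_ACTION = "hold_and_alert"  # deterministic fail-safe output


@dataclass(frozen=True)
class Proposal:
    module: str
    action: str
    min_authorisation: int  # % of control that must be delegated for this action


class CollisionAvoidance:
    """Safety-critical module: produces nothing unless it is actually required,
    and when it is required it needs no delegated authority at all."""
    def propose(self, state) -> Optional[Proposal]:
        if state["range_m"] < 10:
            return Proposal("collision_avoidance", "emergency_brake", 0)
        return None


class Navigation:
    """Mission module: may only drive the vehicle once enough control has been delegated."""
    def propose(self, state) -> Optional[Proposal]:
        if state["route_valid"]:
            return Proposal("navigation", "follow_route", 60)
        return None


class FaultyModule:
    """Constructed to show that one failing module does not stop the executive."""
    def propose(self, state):
        raise RuntimeError("sensor fusion timeout")


class MasterExecutive:
    def __init__(self, modules, authorisation_pct: int):
        if not 0 <= authorisation_pct <= 100:
            raise ValueError("authorisation must be between 0 and 100 %")
        self.modules = list(modules)  # earlier modules take priority
        self.authorisation_pct = authorisation_pct
        self.audit = []  # every accepted, rejected and faulted proposal is recorded

    def decide(self, state) -> str:
        for module in self.modules:
            try:
                proposal = module.propose(state)
            except Exception as exc:  # isolate the fault to the module that raised it
                self.audit.append(("fault", type(module).__name__, str(exc)))
                continue
            if proposal is None:
                continue
            if proposal.min_authorisation <= self.authorisation_pct:
                self.audit.append(("accepted", proposal.module, proposal.action))
                return proposal.action
            self.audit.append(("rejected", proposal.module, proposal.action))
        self.audit.append(("fail_safe", "executive", SAFE_ACTION))
        return SAFE_ACTION


if __name__ == "__main__":
    ex = MasterExecutive([CollisionAvoidance(), FaultyModule(), Navigation()], 100)
    print(ex.decide({"range_m": 50.0, "route_valid": True}), ex.audit)
```

The audit list is the record a certifier or incident investigator would want: which module proposed what, why it was rejected, and when the executive had to fall back to the safe action.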