Collaborating Remote Autonomous Vehicles - System Architecture

Peter Henderson

29 August 2010

Copies of this generated document are available at

The system of systems described in this document is a network of RAVs (Remote Autonomous Vehicles) organised into collaborating Groups. The internal structure of the RAV is the subject of a separate document (although, section 3 qv includes a summary). Individual RAVs can be instructed to carry out tasks, which they will do autonomously. Groups of RAVs can also be instructed to carry out tasks, which they will do autonomously and collaboratively. Instructions are relayed to individual RAVs and Groups from Ground Control.

RAVs can join and leave groups, when instructed to do so. RAVs may fail, and so disaapear from Groups without notice. Groups can communicate with each other in much the way that RAVs can communicate with each other and hence collaborate on larger tasks.

This system description is based on the WAVE m3 metamodel. Consequently it contains details of the major components and their interfaces. It also contains descriptions of the requirements that components are required to meet. Finally, it contains claims (that components will meet the requirements placed upon them) along with arguments supporting these claims. It is this provision of claims and their supporting arguments that distinguishes an m3 description from a more conventional system description. The level of abstraction used here is that considered appropriate to a system architect who presents their proposal in a rigorous and clearly argued form but one which can be comprehended by a generalist in a few hours.

The emphasis on components and interfaces is because this is an Open Architecture in the sense that it contains sufficient information that conforming components can be procured from independent suppliers who have obeyed the rules of the Open Interfaces.

Copies of this generated description are available at The internal architecture of a typical RAV is described in a separate document, which is available at


This is the description of top level of RAVSoS, The RAV "System of Systems".


It is a System of Systems (SoS) because it is a collection of collaborating components, rather than simply that is contains components that are themselves systems.

A RAV is conceived of as an autononous vehicle (on land or in the air) that is used to search large areas. The search will be carried out collaboratively with other vehicles under instructions from a controller. Reliability of performance is ensured by having RAVs share data and communications responsibilities so that if individual RAVs fail the mission will not itself fail. This reliability requirement is the subject of the main supporting argument presented in this document.

A System of Systems can be expected to have emergent properties. For example, the rules that RAVs use to divide up a task given to a Group, might give the appearance of intelligent decision making where none was actually programmed. The rules might have been something like - map the area you are in and when you have finished move to an area that hasn't been mapped yet by anyone else. The emergent behaviour might be to create a force which (apparently intelligently) moves to cover a large area in a disciplined way and returns to cover for failed colleagues.

The initiative for giving tasks to RAVs and Groups is taken by GroundControl, by sending messages. RAVs coordinate their activities by taking the initiative to send messages to each other. Typically they will relay copies of instructions and data to each other, so that if one fails, others can complete its tasks.

The intention is that Groups behave more or less as more sophisticated RAVs. Consequently, the interfaces to Groups and RAVs will be rather similar. It is desirable that RAVs can be supplied by different suppliers. Hence their individual behaviours, and their behaviours as sensed via their interfaces, will be clearly and openly defined.

CONTAINS RAV (qv) ; Group (qv) ; GroundControl (qv) ;

IMPLEMENTS RAVSoS-Requirement-Dependability (qv) ;

2 GroundControl

GroundControl sends messages (commands and requests) to RAVs. These messages are of the form "Go to location A and carry out the following instructions", "Send me all the data you have about X", etc. These messages are sent to interfaces with individual RAVs. Groups are virtual, rather than physical, so messages to Groups will be sent to individual RAVs with the intention that these messages will be shared with other Group members.


REQUIRES Interface-GC-RAV (qv) ; Interface-GC-Group (qv) ;

IMPLEMENTS GroundControl-Requirement-RequestsDataFrequently (qv) ;


This is the description of Component RAV. It is a summary. The internal structure of a typical RAV is decribed elsewhere (

The basic behaviour of the RAV is to carry out complex instructions autonomously and in collaboration with other RAVs. On its own, the RAV can make its way to specified destinations and carry out tasks for which it has been equipped (such as mapping). On its own, the RAV can avoid collisions and other obstacles, finding a sensible route to its destination. In collaboration with other RAVs, it can carry out more complex tasks (such a mapping a large area). These collaborative tasks are enabled by direct communication between RAVs. A RAV will be instructed to join a Group for the purposes of collaborative tasks. A RAV may be a member of more than one Group (or a member of none).

An individual RAV will receive instructions from GroundControl over the interface Interface-GC-RAV. As a member of a Group, a RAV may also receive instructions from GroundControl over the interface Interface-GC-Group. In practice, GroundControl will interact only with a subset of the members of a Group and rely upon these members to share the information with other members of the Group. The reliabilty of the Group to complete a given task is dependent on the effectiveness of this sharing of information implemented by the RAV.

The RAV supplies interfaces that allow it to communicate with Ground Control and with other RAVs. All messages between Ground Control and the RAV are requests from Ground Control. That is, only solicited information is communicated to Ground Control. We describe this by saying that the initiative to communicate is taken by Ground Control. The initiative to communicate with another RAV is taken by the RAV. This message will be of the form "Here is some data, let me know if you have received it". In order that this RAV can initiate a communication, it requires access to the RAV-RAV interface of the other RAV.

IS CONTAINED IN RAVSoS (qv) ; Group (qv) ;

REQUIRES Interface-RAV-RAV (qv) ;

SUPPLIES Interface-GC-RAV (qv) ; Interface-GC-Group (qv) ; Interface-RAV-RAV (qv) ;

IMPLEMENTS RAV-Requirement-SharesDataFrequently (qv) ; RAV-Requirement-SeeksFullKnowledge (qv) ;

IS OBJECT OF Claim-RAV-implements-SharesData (qv) ; Claim-RAV-implements-RequestsData (qv) ;

4 Group

This is the description of Group, a collaborating set of RAVs. It is in the nature of this system to be collaborative, or to be a system-of-systems. This collaborative nature is manifested in the behaviour of Groups.

A Group of RAVs is established by Ground Control, by instructing individual RAVs to join a Group. On joining a Group, a RAV is able to establish one to one communication with all other members, although in practice it may only communicate with a subset of its co-members. A RAV may be a member of zero, one or more Groups at any time.

Instructions to a Group are sent by Ground Control to one or more members of the Group using the GC-RAV interface. Ground Control relies on the RAV-RAV communication to distribute these instructions among members of the Group. The Group communications are secured using a variant of Secure Conversation. This ensures integrity, confidentiality and authenticity.

Reliability of the Group to complete a task, notwithstanding arrivals and departures (in particular, failures) of individual members is a major requirement. This requirement is guaranteed by the autonomous behaviour of individual members and by the reliable, secure and timely exchange of information among members. Group members may be engaged in a number of tasks simultaneously, especially if they are members of more than one Group. Conflicts between these tasks are resolved autonomously by individual RAVs.

The reliability requirement is the subject of Claim-Group-implements-Dependability qv.

Group implements the GC-Group interface only virtually. The interface is supplied by individual members of the Group.



SUPPLIES Interface-GC-Group (qv) ;

IMPLEMENTS Group-Requirement-Dependability (qv) ;

IS OBJECT OF Claim-Group-implements-Dependability (qv) ;

5 Interface-GC-Group

This is the description of Interface-GC-Group.

Entities that supply this interface must be able to interpret messages intended for Groups of which they are members. Such messages include task descriptions which are documents understood by individual RAVs. Tasks may be specialised to RAVs of particular types, such as those equipped with particular instruments.

A typical task description message (which is an XML document) might tell a Group to go to a particular location and to survey a particular area. On receiving such a message over this interface, or over a RAV-RAV interface, each individual RAV will then transmit the message to other members of the Group. Established message sharing algorithms ensure that this information reaches all connected RAVs, is not duplicated and that eventually all members of the Group know which other members have received it.

Other messages from Ground Control to Groups include housekeeping messages (e.g. bulk data requests, software upgrades) but in general such requests are sent to individual RAVs for security reasons.

IS REQUIRED BY GroundControl (qv) ;

IS SUPPLIED BY RAV (qv) ; Group (qv) ;

6 Interface-GC-RAV

This is the description of Interface-GC-RAV.

An individual RAV will receive instructions from GroundControl over the interface Interface-GC-RAV. As a member of a Group, a RAV may also receive instructions from GroundControl over the interface Interface-GC-Group.

This interface must be able to interpret messages directed to individual RAVs from Ground Control. Such messages include descriptions of individual tasks to perform but also instructions to join or leave a particular Group. Some security configuration is established by communications directly with Ground Control.

Task descriptions are XML documents in a format defined elswhere, but generally include commands of the form "Go to location X and collect data on Y" or "Join Group Z and engage in the tasks that the Group has been given".

IS REQUIRED BY GroundControl (qv) ;


7 Interface-RAV-RAV

This is the description of Interface-RAV-RAV.

RAVs communicate with each other for the purposes of collaborating on a task and for reliability. When required to do something, as a member of a Group, a RAV will share that request with other members of that Group in a timely manner. As a matter of course a RAV will copy data it has collected to other RAVs in the same Group to ensure that that data has the greatest chance of reaching Ground Control when it is requested. So for example, a Group that is surveying an area will each have a fairly complete picture of the survey to date, at any time. Ground Control can request that data from any member, or indeed from many members, and use these almost complete descriptions to form a more complete and more consistent picture.

All communication is secured by a variant of Secure Conversation, so that only participants allowed to know information will be able to interpret what they are given. They may of course pass it on. Secure Conversation guarantees the integrity and authenticity of a message as well as its confidentiality.

For example, a RAV may publish its survey data to other Group members,encrypted only for integrity and authenticity, so that they can read the data and use it for their own decision making (such as which subareas to concentrate on themselves). However, if a RAV has confidential data to communicate and hasn't been asked for this by Ground Control, it can communicate it to other RAVs for relay to Ground Contol, should they be asked, encrypting this message so that the relaying intermediary cannot read it or tamper with it.



8 RAVSoS-Requirement-Dependability

This is the description of RAVSoS-Requirement-Dependability. Once a Group has been instructed (by Ground Control) to carry out a task, it will do that as long as at least one member remains, and the information that it gathers will be available at Ground Control within a reasonable time. This requirement depends upon Ground Control requesting data sufficiently often and the Group being able to take on the work of failing members.

DERIVES Group-Requirement-Dependability (qv) ; GroundControl-Requirement-RequestsDataFrequently (qv) ;


9 Group-Requirement-Dependability

This is the description of Group-Requirement-Dependability. Once a Group has been instructed to carry out a task, it will do that as long as at least one member remains. This requirement depends upon each member publishing its data at a sufficient frequency that its failure loses only a small amount. It also depends upon each member accepting responsibility for the entire task which means that it seeks to collect all the data that it can from other members and to fill in gaps in its knowledge autonomously.

DERIVES RAV-Requirement-SharesDataFrequently (qv) ; RAV-Requirement-SeeksFullKnowledge (qv) ;

IS DERIVED FROM RAVSoS-Requirement-Dependability (qv) ;


IS SUBJECT OF Claim-Group-implements-Dependability (qv) ;

10 RAV-Requirement-SharesDataFrequently

This is the description of RAV-Requirement-SharesDataFrequently. In anticipation of its own failure a RAV will make its data publicly available to other RAVs in this Group.

IS DERIVED FROM Group-Requirement-Dependability (qv) ;


IS SUBJECT OF Claim-RAV-implements-SharesData (qv) ;

11 RAV-Requirement-SeeksFullKnowledge

This is the description of RAV-Requirement-SeeksFullKnowledge. In anticipation of others failure a RAV will seek to copy data from other RAVs to make a complete picture for itself. Where data is not forthcoming a RAV will seek to complete its knowledge autonomously.

IS DERIVED FROM Group-Requirement-Dependability (qv) ;


IS SUBJECT OF Claim-RAV-implements-RequestsData (qv) ;

12 GroundControl-Requirement-RequestsDataFrequently

This is the description of GroundControl-Requirement-RequestsDataFrequently. Since the initiative for collecting data from a Group is with Ground Control, then it must request that data frequently and redundantly in order that it can optimally respond to failure of individual RAVs.

IS DERIVED FROM RAVSoS-Requirement-Dependability (qv) ;

IS IMPLEMENTED BY GroundControl (qv) ;

13 Claim-Group-implements-Dependability

This is the description of Claim-Group-implements-Dependability. A Group as described here implements the dependability requrement, that it carries out its tasks despite the failure of some members.

HAS AS SUBJECT Group-Requirement-Dependability (qv) ;

HAS AS OBJECT Group (qv) ;

IS SUPPORTED BY Argument-supporting-GroupClaimDependabilty (qv) ;

14 Claim-RAV-implements-SharesData

This is the description of Claim-RAV-implements-SharesData. A RAV will frequestly publish its data, thus making it available to other Group members, so that if it fails the information that it has gathered will not be lost (because copies will be available with other RAVs).

HAS AS SUBJECT RAV-Requirement-SharesDataFrequently (qv) ;


IS DEPENDED ON BY Argument-supporting-GroupClaimDependabilty (qv) ;

15 Claim-RAV-implements-RequestsData

This is the description of Claim-RAV-implements-RequestsData. A RAV, participating in a Group, will frequently request data from other members of the Group, in order to protect against the failure of other members.

HAS AS SUBJECT RAV-Requirement-SeeksFullKnowledge (qv) ;


IS DEPENDED ON BY Argument-supporting-GroupClaimDependabilty (qv) ;

16 Argument-supporting-GroupClaimDependabilty

This is the description of Argument-supporting-GroupClaimDependabilty. The claim supported by this argument is that a Group is dependable, in the sense that it will complete its task despite the loss of some members.

A Group can be depended upon because it members each seek to fulfill the given task and to keep each other informed about their progress. Each RAV will make its own data available to other members of the Group. Each RAV will request copies of data from others sufficiently frequently that each RAV will have most of the entire picture at any point in time. Thus, if a RAV fails, most of its historically collected data is not lost. Further, since each RAV seeks to establish a complete picture, then failure of a RAV will mean that others seek to collect data that it would otherwise have collected.

SUPPORTS Claim-Group-implements-Dependability (qv) ;

DEPENDS ON Claim-RAV-implements-SharesData (qv) ; Claim-RAV-implements-RequestsData (qv) ;