Strand 2 - Dependable Systems of Systems
Complex “systems of systems” (SoS) are being assembled and expected to work effectively together even though they were not, and could not have been, designed as a whole. The growth of SoS is perhaps most obvious in military scenarios, where combinations of forces from different countries may need to be established rapidly and flexibly, requiring interoperability of various systems. This growth is also evident in civil systems, e.g. air traffic management (ATM), where the composition of the ground-based and airborne systems is evolving continually.
There are a number of significant challenges in attempting to establish dependable SoS, including the following:
- Ensuring safety and security of SoS – most safety mechanisms in systems are concerned with managing known (predicted) failure modes of equipment to avoid hazards. With SoS, the hazardous states are likely to arise from interactions of normal functions, as well as from failures, so ways need to be found to circumscribe normal (designed-in) behaviour.
- Hazard and safety analysis of SoS – normal safety analysis techniques are not sufficient to deal with SoS, as they assume that the system boundary and environment are known. Similar problems exist with adaptive systems, e.g. neural networks which learn whilst the system operates, as the safety analysis techniques assume that all behaviour is known at design time. Safety analysis techniques which apply to detailed designs and implementations should still be applicable, but those which deal with hazard identification and system integration will need to change.
- Dependability cases for SoS – as well as posing challenges for system design and safety analysis there are difficulties in arguing safety for emerging classes of system. There are several key issues. First, what are the risk acceptance criteria for SoS? Can we show, for example, that a safety policy reduces risk as low as reasonably practicable? Second, how can risk be measured? Risk assessment normally involves quantification, based on probabilities of events. How can we determine probabilities for adaptive systems? Third, if the structure of the system is not constant (a dynamically changing SoS) how is the safety case kept “in step” with the scope of the SoS?
Little existing work has been performed with regard to the safety analysis and justification of such systems. Therefore, the strand will ultimately be seeking to define new methods and techniques. However, the intention at first is to closely scrutinise related fields (in particular, work on security policy and agents) for any techniques and principles that may be usefully brought to bear on the problem.