View other issues


Goal-Oriented Reasoning about Systems of Systems

by Christophe Ponsard, Philippe Massonet and Jean-Christophe Deprez

Reasoning about Systems of Systems has proved difficult, not only because it is difficult to combine heterogeneous system models, but more fundamentally because of complex interactions that make it difficult to exactly predict the emerging behaviour. Goal-oriented requirements engineering techniques can help to drive the analysis and design of systems-based techniques, combining semi-formal reasoning with more focused quantified analysis carried out through the filter of specific goals.

A System of Systems (SoS) can be defined as “an integration of a finite number of constituent systems which are independent and operatable, and which are networked together for a period of time to achieve a certain higher goal” [1]. Such higher level goals are key properties either explicitly sought when designing SoS such as airport systems (e.g. smooth management of passenger and aircraft flows), emergency disaster recovery systems (e.g. fast evacuation and securing a disaster area), defence systems (e.g. coordinate land/airborne/ naval forces to achieve mission), or manufacturing complex systems (especially in circular economy and Industry 4.0 contexts) [2].

The interacting systems comprising an SoS may be very different in nature, each being described, analysed, and simulated using specific languages/techniques/tools - for example, differential equations (control systems), graph theory (e.g. road networks), Petri Nets (resources, workflows). This heterogeneity makes it difficult to build a full-scale and fine grained SoS-level model.
An alternative approach is to focus on properties. Over the years, Goal Oriented Requirement Engineering (GORE) has developed powerful notations, methods and tools [2] that can be applied to this area by:

  • Connecting SoS goals with properties of the interacting systems based on a rich and possibly quantified/formalized relations such as refinement, contribution, obstacle or conflict.
  • Recognizing organizational-level patterns across those systems such as case-based delegation, rely/guarantee, chain of command, etc.
  • Enabling hazard/impact analysis and run-time monitoring from the evolving ecosystem in order to ensure the continuity of global SoS goals.
  • Or conversely ‘slicing’ on specific SoS goal to conduct a focused analysis on composite systems involved in achieving that given SoS goal..

For example, an emergency disaster recovery system cannot rely on an existing state emergency system to deliver care to injured people, owing to inadequate numbers of trained staff to deal with the potential volume of patients (Figure 1). The existing infrastructure should be able to globally adapt its operation mode to cope both with the emergency, and with a flow of critically injured patients coming from other areas. This requires a special plan to summons medical staff and reschedule hospital operation in an area relevant to the assessed importance of the disaster (city; district; nation-wide; or possibly international - in the case of big earthquakes, for instance). Figure 1 illustrates an excerpt of a SoS model built with the Objectiver tool. Starting from strategic SoS goals (in blue at the top), major obstacles are identified (in red) and specific goals are then added to mitigate them (in blue at the bottom), along with extra systems able to cope with them in the global SoS (yellow filled elements transitively connected to orange ones). For example, the police to maintain order on the roads or defence in a specific support role to repair damaged infrastructure.

Figure 1: An example of an emergency disaster recovery system of systems.
Figure 1: An example of an emergency disaster recovery system of systems.

Starting from this global SoS goal-model, it is then possible to analyse how the satisfaction of goals can be achieved by carrying out a focused analysis on the relevant systems for each goal, possibly driven by specific scenarios (a typical case are SEVESO risk-class sites). This can be achieved using generic models (e.g. road intervention times can be predicted based on road graph models taking into consideration known congestion issues) or specific models (e.g. hospital capacity is related to a specific mobilization plan). In addition to what-if scenarios, such models can also support decision making at intervention time.

Our current work is precisely to extend GORE notation to better cope with SoS concepts, in particular to abstract away complexity and retain the capacity to zoom into each system, which in turn can appear as a collection of collaborating entities (which may be systems, humans playing a specific role, or software/hardware components). We are currently focusing on SoS in the emergency crisis domain and Industry 4.0 sectors, respectively in the scope of the REDIRNET and SimQRI projects where specific tools are being developed.

REDIRNET - Emergency Responder Data Interoperability Network:
SimQRI - Simulative quantification of procurement induced risk consequences and treatment impact in complex process chains:
Objectiver tool:

[1] M. Jamshidi: “System of Systems Engineering”, Wiley, 2009.
[2] R. Berger: “INDUSTRY 4.0, The new industrial revolution - How Europe will succeed”, 2014.
[3] A. van Lamsweerde: “Goal-Oriented Requirements Engineering: A Guided Tour”, Fifth IEEE International Symposium on Requirements Engineering, 2001.

Please contact:
Christophe Ponsard
CETIC, Belgium
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.