by Jakob Axelsson
The introduction of systems-of-systems (SoS) necessitates the revision of common practices for safety analysis. In the case of vehicle platooning, for instance, this means that an analysis has to be carried out at the platoon level to identify principles for the safety of the SoS, and these principles then have to be translated to safety goals and requirements on the individual trucks.
Figure 1: In the case of truck platooning, an analysis has to be carried out at the platoon level to identify principles for the safety of the SoS, and then these principles have to be translated to safety goals and requirements on the individual trucks.
The term systems-of-systems (SoS) started to become relevant some 20 years ago, and accelerated as a research area around 10 years ago. Although some people tend to take SoS as a synonym for large and complex systems, the research community has arrived at a fairly precise characterization of the term: in an SoS, the elements, or constituent systems, exhibit an operational and managerial independence, meaning that they can operate outside the SoS context, and have different owners. They choose to collaborate in order to achieve a common goal, manifested as an emergent property of the SoS, i.e. a property that does not exist in any of its parts in isolation. A recent literature review [1] shows that the field, so far, has been dominated by US researchers focusing on military and space applications. Key topics include: architecture, communications, interoperability, modelling and simulation, and also a number of properties where dependability attributes, such as safety, play an important role.
From its origins in the government driven sectors, SoS are now spreading to civilian and commercial usage. One example of this is the current efforts in vehicle platooning (see Figure 1), where a lead truck is followed by a number of other trucks that are driven more or less autonomously at a very short distance between each other. The trucks communicate using short-range radio to synchronize their movements to keep the right distance.
The motivator for platooning is primarily to improve fuel consumption by reducing aerodynamic drag, which is good both for the economy of the truck operator and for the environment. However, due to the automation and the short distances between the trucks, safety becomes an issue. Clearly, the platoon is an SoS, since each truck can also operate outside the platoon, and the trucks have different producers and owners.
The automotive industry has a long tradition in improving safety, and the best practices have recently been standardized as ISO 26262. In this standard, hazards are classified at different safety integrity levels based on the associated risk, and this classification is then used to derive requirements on components and on the product life-cycle processes. The focus in applying the standard is for a vehicle manufacturer to ensure that their product is safe to use.
However, when the product is to become a part of an SoS, carrying out the safety analysis on the product alone is not sufficient. As stated in [2], safety is an emergent property that has to be dealt with at the level of the SoS. In the case of the vehicle platoon, this means that an analysis has to be carried out at the platoon level to identify principles for the safety of the SoS, and then these principles have to be translated to safety goals and requirements on the individual trucks.
The challenge in this lies in the SoS characteristics of operational and managerial independence. Since no one owns the platoon, all safety requirements have to be agreed upon by potential participants, who must then take measures to implement these requirements in their products while making the best trade-offs with other requirements on the individual trucks not related to their use in the platooning SoS.
At SICS, we are investigating suitable safety analysis techniques for SoS. The first application is platooning, in co-operation with the Swedish truck industry. The approach is based on systems thinking, applied to safety as described in [3]. In the process, appropriate feedback loops are identified to devise a safety scheme based on constraining the behaviour of the constituent systems, i.e. the trucks in the platoon. In this process, additional requirements on the technical implementation can be identified, including new sensors and added communication between the constituent systems. The result is a set of safety goals and requirements on each constituent system, which can then be implemented using ISO 26262 and other standard procedures.
References:
[1] J. Axelsson: “A systematic mapping of the research literature on system-of-systems engineering”, in proc. of IEEE Intl. Conf. on Systems-of-Systems Engineering, 2015.
[2] N. Leveson: “The drawbacks in using the term ‘system of systems’”, Biomedical Instrumentation & Technology, March/April 2013.
[3] N. Leveson: “Engineering a safer world”, MIT Press, 2012.
Please contact:
Jakob Axelsson
SICS Swedish ICT
Tel: +46 72 734 29 52
E-mail: