Summary:

Systems of Systems (SoS) are formed from existing elements, often developed independently, which are brought together to achieve a common goal. SoS have a number of characteristics (such as local autonomy and heterogeneity) that make their emergent behaviour hard to predict. Interaction between systems can lead to unsafe conditions, and potentially to accidents. Given that the component systems within a SoS already exist, traditional design-based mitigation (at the component system level) cannot be relied upon as the primary means of addressing the hazardous situations that emerge through system interaction. Instead, attention must be focused upon the operational policy that governs the safe integration and collective use of these systems, i.e. the safety policy for the operation of the SoS. Safety policy can be expressed through high-level guiding principles as well as low-level permissions and obligations on agent behaviour, where an agent within a SoS can be viewed as any autonomous decision-making entity. This thesis presents a systematic approach to policy derivation based upon structured hierarchical goal decomposition. The approach utilises the controlled expression of safety policy goals, a defined collection of decomposition tactics, and patterns of policy decomposition. Policy decomposition relies upon contextual models that represent system capabilities, as well as their interaction with each other and the environment. In this thesis, three models are defined to support policy decomposition: a model of domain information, an agent model derived from system descriptions, and a causal model that captures inter-agent influences. Explicit failures, as well as more subtle system interactions, can undermine the assumptions on which a safety policy is derived. This thesis develops a structured model of agent failure based upon an extension to the Observe-Orient-Decide-Act cycle of agent behaviour.

Building upon this model, the thesis defines a process that can be used to help improve the robustness of a safety policy to failure. The derivation of safety policy is itself fallible. This thesis identifies fallacies of reasoning that can be present in policy decomposition, serving as a checklist against which any given policy can be evaluated. The derivation of policy may also result in conflicting policy rules. This thesis identifies the forms of policy conflict that can emerge and suggests resolution strategies. The ideas contained within this thesis are illustrated by means of a case study derived from the civil aerospace Rules of the Air, as well as by a running example from the defence domain. Both of these examples form part of the evaluation of this thesis.