
How Loss-Driven Systems Engineering (LDSE) can revolutionise approaches to safety and loss.

What is Loss Driven Systems Engineering?

Safety is an essential guiding concept underpinning the engineering of all transport systems. It can be understood as the absence of unreasonable risk of harm to the health of people. With the surge in connected systems since 2010, the related concept of security (especially cybersecurity) has come sharply into focus. Broadly, cybersecurity addresses the absence of unreasonable risk of compromise of online properties and assets, with confidentiality, integrity and availability being especially important. In transport systems, the impact of security on safety is often the primary consideration, but other potential losses should also be of concern (e.g., financial, operational, privacy).

A growing chorus of systems engineers is questioning the wisdom of treating safety, security and related areas separately. This is recognised by the International Council on Systems Engineering’s (INCOSE) ‘Loss-Driven Systems Engineering (LDSE)’ initiative, presented by Brtis et al. in a special issue of INSIGHT. LDSE is an approach that seeks “value adding unification of the SE specialty areas that address potential losses associated with systems”. It is closely related to engineering approaches that seek to develop systems exhibiting abstract concepts such as trustworthiness. Loss-driven specialty areas include resilience, safety, security, operational risk, environmental protection, quality, dependability and availability.

Since the start of the century, functional safety has become a primary concern across transport domains, prompted by the rapid increase in electronic and software components in vehicle systems and functions. Functional safety refers to the part of a system’s overall safety that depends on the system behaving correctly in response to its inputs and to component failures. It is well supported by standards in all the transport industries. By contrast, recognition of the importance of engineering for functional security throughout the lifecycle is lagging. It is being addressed by LDSE and by emerging standards such as NIST 800-160 Vol 1, Rev 1.

A more recent safety development is Safety of The Intended Functionality (SOTIF). This is a response to the increase in vehicle automation, particularly relating to Advanced Driver Assistance Systems (ADAS) in automotive. In contrast to functional safety, which looks for the causes of unsafe behaviour in malfunctions, SOTIF considers unsafe behaviour caused by incorrect or incomplete specification of the intended functionality, even when every component works as designed. The first major standard for SOTIF covering road vehicles (ISO 21448) was released in 2022. This challenges engineers to consider interactions between vehicles and their environment where “proper situational awareness is essential to safety and where such situational awareness is derived from complex sensors and processing algorithms”. SOTIF is also relevant in other transport modes and in loss-driven areas related to situational awareness.

Source: Kamil Pietrzak on Unsplash

Why does LDSE matter?

Nobody wants their travel or transport experience to be marred by losses; therefore safety is obviously a key consideration for all transport system users. Much progress has been made over the last century in both the prevention of accidents and the mitigation of harm when accidents occur. The USA’s National Safety Council (NSC) reports that between 1913 and 2020 motor-vehicle deaths per 10,000 registered vehicles decreased 95%, but this does not take into account usage (i.e., deaths per passenger mile). A 2013 study showed personal vehicles are by far the most dangerous transport type, accounting for 94% of US transportation fatalities (deaths of pedestrians and cyclists represent 15% of all highway fatalities).

According to the same source, commercial aviation was the safest mode of travel in the United States, with 0.07 fatalities per billion passenger miles (excluding suicide and terrorism). Travellers on buses, the next safest mode, experienced 0.11 deaths/billion passenger miles, while those on trains have a risk of 0.14. By contrast, car, truck and SUV occupants experience 7.3 deaths/billion passenger miles, and motorcyclists 212. 

Cybersecurity losses are now high on the transport agenda due to their increasing impact on safety. Privacy, financial (theft) and operational availability are also significant. A lesser-known aspect of cybersecurity is its potential for catastrophic risk. Traditional failures typically emerge gradually, allowing time to introduce actions such as vehicle recalls. By contrast, in a worst-case scenario, a cyberattack could simultaneously and catastrophically affect multiple fleets of vehicles all around the world, without warning. This could cause enormous loss of life and widespread disruption. 

Modern transport systems have significant connectivity and advanced functionality that mean a traditional reactive approach to losses is no longer viable. If losses are only identified when systems are in service, then the risk of a major incident is greatly increased, as is the cost of fixing the problem. An integrated approach to LDSE therefore focuses efforts on solving problems as early as possible in the lifecycle. This can result in systems that address possible losses before the system is even built, and even give them the capability to actively identify emerging threats in service that were unknown at design time. Such an approach not only improves safety, but also other desirable outcomes, including reduced costs, improved quality, increased explainability, and simplified compliance. 

Loss-Driven Systems Engineering in transport

Complexity in vehicles and transport systems is increasing significantly, thanks to connectivity and digital transformations. Building an LDSE capability that can cope with this requires a wide-ranging commitment to systems and enterprise engineering practices that go well beyond managing risk. Even the latest domain standards often do not adequately address systems matters, and few explicitly require a broader systems approach.

Transport industries have, at least in part, recognised these shortcomings. In automotive, the Chief Scientist of Vehicle Resilience Technologies at leading UK research establishment, HORIBA MIRA, said in 2021:

“The automotive industry’s safety-based engineering tradition will not scale to meet the demands of cybersecurity… new [regulatory] obligations require a step-change in systems and processes to manage ongoing assurance activity.”

The necessary techniques to expedite Model-Based Systems Engineering (MBSE) and LDSE are becoming established. Prominent among them are Systems Theoretic Process Analysis (STPA) and Goal Structuring Notation (GSN). STPA is a hazard identification method that combines systems engineering and control theory to help identify unsafe interactions among components that have not failed. GSN replaces the text documents traditionally used to show the elements of an argument and the relationships between those elements. Modelling frameworks have also begun to incorporate new loss perspectives, such as the Security perspective in the Unified Architecture Framework. Language libraries are also emerging that support integrated modelling of loss analysis, notably OMG’s Risk Analysis and Assessment Language (RAAML) Beta. RAAML provides an integrated common language for multiple important risk modelling techniques. These include traditional approaches, like Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA), as well as systems approaches, such as STPA and GSN.
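To make the STPA idea concrete, the following is an added worked example, not code from the article, from INCOSE, or from the STPA Handbook. It encodes the first three STPA steps (losses and hazards, a control structure, and enumeration of Unsafe Control Actions) for a constructed lane-keeping function. All losses, hazards, controller names and the analyst judgements in the table are illustrative assumptions. The point it demonstrates is the one the paragraph makes: the unsafe control actions are derived from the control loop regardless of whether the cause is a random failure, a specification gap or an injected command, so one analysis serves safety and security together, and the model can be checked for traceability gaps mechanically.

```python
"""Added worked example of STPA steps 1-3 (illustrative, not the article's or INCOSE's code).

Step 1: losses and the hazards that can lead to them.
Step 2: a control structure (controller -> control action -> controlled process).
Step 3: Unsafe Control Actions (UCAs), enumerated for each control action using the
        four UCA types, with traceability back to hazards and losses.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four ways a control action can be unsafe (standard STPA classification).
UCA_TYPES: Tuple[str, ...] = (
    "not provided",
    "provided",
    "too early, too late or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class Loss:
    id: str
    text: str


@dataclass(frozen=True)
class Hazard:
    id: str
    text: str
    losses: Tuple[str, ...]  # ids of the losses this hazard can lead to


@dataclass(frozen=True)
class ControlAction:
    id: str
    name: str
    controller: str
    controlled_process: str
    # Analyst judgement per UCA type: which hazards result (empty tuple = judged safe).
    hazards_by_type: Dict[str, Tuple[str, ...]]


@dataclass(frozen=True)
class UCA:
    id: str
    control_action: str
    uca_type: str
    hazards: Tuple[str, ...]
    losses: Tuple[str, ...]  # derived: every loss reachable via the listed hazards

    def describe(self) -> str:
        return (f"{self.id}: '{self.control_action}' {self.uca_type} "
                f"-> {', '.join(self.hazards)} -> {', '.join(self.losses)}")


def check_model(losses: List[Loss], hazards: List[Hazard],
                actions: List[ControlAction]) -> List[str]:
    """Return consistency problems; an empty list means the model is well-formed."""
    problems: List[str] = []
    loss_ids = {l.id for l in losses}
    hazard_ids = {h.id for h in hazards}
    for h in hazards:
        if not h.losses:
            problems.append(f"{h.id} traces to no loss")
        problems += [f"{h.id} references unknown loss {lid}" for lid in h.losses if lid not in loss_ids]
    for a in actions:
        # Every control action must have all four UCA types explicitly assessed.
        problems += [f"{a.id} ({a.name}): UCA type '{t}' not assessed"
                     for t in UCA_TYPES if t not in a.hazards_by_type]
        problems += [f"{a.id} references unknown hazard {hid}"
                     for hs in a.hazards_by_type.values() for hid in hs if hid not in hazard_ids]
    return problems


def enumerate_ucas(hazards: List[Hazard], actions: List[ControlAction]) -> List[UCA]:
    """Step 3: one UCA per (control action, UCA type) pair the analyst judged hazardous."""
    by_id = {h.id: h for h in hazards}
    ucas: List[UCA] = []
    for a in actions:
        for t in UCA_TYPES:
            hs = a.hazards_by_type.get(t, ())
            if not hs:
                continue
            losses = tuple(sorted({lid for hid in hs for lid in by_id[hid].losses}))
            ucas.append(UCA(f"UCA-{len(ucas) + 1}", a.name, t, tuple(hs), losses))
    return ucas


def uncovered_hazards(hazards: List[Hazard], ucas: List[UCA]) -> List[str]:
    """Hazards that no UCA leads to: either genuinely unreachable or an analysis gap."""
    covered = {hid for u in ucas for hid in u.hazards}
    return [h.id for h in hazards if h.id not in covered]


def analyse_lane_keeping():
    """Constructed example model; returns (problems, ucas, uncovered)."""
    losses = [Loss("L1", "Loss of life or injury"),
              Loss("L2", "Loss of vehicle availability (financial/operational)")]
    hazards = [Hazard("H1", "Vehicle leaves its lane or the road", ("L1",)),
               Hazard("H2", "Vehicle stopped and unable to proceed when it could", ("L2",))]
    actions = [
        # Whether the unwanted torque comes from a sensor fault or an injected command is
        # a Step 4 (loss scenario) question; the UCA itself is cause-agnostic.
        ControlAction("CA1", "apply steering torque", "lane-keeping controller", "steering actuator",
                      {UCA_TYPES[0]: ("H1",), UCA_TYPES[1]: ("H1",),
                       UCA_TYPES[2]: ("H1",), UCA_TYPES[3]: ("H1",)}),
        ControlAction("CA2", "command safe stop", "ADAS supervisor", "vehicle motion controller",
                      {UCA_TYPES[0]: ("H1",), UCA_TYPES[1]: ("H2",),
                       UCA_TYPES[2]: ("H1",), UCA_TYPES[3]: ()}),
    ]
    problems = check_model(losses, hazards, actions)
    ucas = enumerate_ucas(hazards, actions)
    return problems, ucas, uncovered_hazards(hazards, ucas)


if __name__ == "__main__":
    problems, ucas, gaps = analyse_lane_keeping()
    print("problems:", problems or "none")
    for u in ucas:
        print(u.describe())
    print("hazards with no UCA:", gaps or "none")
```

Running the script lists seven UCAs, each traced to a hazard and on to a loss. In practice the analyst would feed these into Step 4 to derive loss scenarios (including adversarial ones) and then into requirements and constraints; the traceability the model enforces is what later lets a GSN argument cite each UCA as evidence that a hazard has been addressed.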

The Future Significance of LDSE for transport

STPA, and its extensions for other loss-driven areas, has started to become established practice in aerospace and at big automakers. The results achieved through the systematic study of control loops on a sound systems theoretic basis are transformative for complex systems and this approach can no longer be considered optional. There is much more to be done to establish STPA as standard practice across supply chains and at the systems of systems level.

MBSE will facilitate the adoption of STPA by helping to manage and navigate the complex systems under study. Collaboration will become increasingly important as more functions are distributed across multiple system parts. Modelling initiatives such as the RAAML libraries and SysML V2, with its native API support, will provide the data-sharing support that such collaboration needs. LDSE areas, such as safety and security, are traditionally considered as emergent, non-functional properties of systems. However, in the modern age, LDSE must also consider active, behavioural features of systems that address potential losses proactively. In much the same way as functional safety and SOTIF have become established norms, we are now at the start of the transition to functional security and security of the intended functionality. In turn, this will inform a broader functional approach to addressing losses.

Safety assurance, particularly for automated transport systems, is another area where complexity is exploding, and a systems approach is now essential. A recent UK government-funded report by a consortium of leading universities and manufacturers found that the economic potential for automated transport is enormous, but that safety remains the biggest challenge. A key finding of the report is that cross-industry collaboration is essential, particularly in the sharing of methods and data across the transport ecosystem. It also demonstrates the need to coordinate research, initiatives, and government programmes across each domain. Important factors in achieving this are the establishment of common principles and vocabulary within a universal framework that can be used to communicate to all stakeholders how safety is assured in each transport domain.

Source: Adam Birkett on Unsplash

Challenges

The accelerating trends of autonomy, connectivity, electrification and shared mobility are creating complexity on a scale never seen before by humanity. The scale of this challenge has surprised, or soon will surprise, many industry players, particularly incumbents. Enterprises often fail to recognise the essential need for a systems approach. Even when they do, they lack the collective experience and resources required to bring about the fundamental organisational changes.

Engineers must balance the safety benefits of artificial intelligence (AI)-powered features, such as automated steering, against the new risks they introduce. AI decision making is difficult to explain, and it is impossible to replicate the full range of scenarios a vehicle may encounter, so imperfect simulation plays an increased role in verification and validation (V&V). A rush to restructure large amounts of legacy code introduces its own risks. The reengineering required presents huge technological challenges and demands significant restructuring of businesses.

Selling these realities to programme owners is a challenge that must not be underestimated, and practitioners must consider that existing management teams with little background in software engineering may be ill equipped to act on them.

Share your thoughts!

How is Loss Driven Systems Engineering making transport safer? 

How big a change is the move to a Loss Driven Systems Engineering in transport? 

What is the future of this approach within transport?

Contributing Authors: Matthew Clarke, Stephen Powley, John Kelly, Iain Cunningham, Vanessa Mascall, Andy Harrison, Dr. Andrew Hussey, Gareth Topham, Dr. Raj Takhar, Dr. Michele Fiorini, Jana Skirnewskaja, Kareem Drysdale, IET Transport Panel Ecosystems Challenge Group. Partner organisation: INCOSE UK

#thewholesystem