Conference Paper

Model-Based Systems Engineering for AI-Based Systems


Abstract

In recent years, there has been significant progress in Artificial Intelligence (AI), leading to increasing interest in integrating AI-based functions into newly developed systems. AI promises several benefits, among others, functions and performance beyond the state of the art. However, the use of AI techniques also introduces new challenges regarding the safety and security of systems and their certification. These challenges mostly originate from the "black box nature" of complex AI algorithms. To tackle them, the safety of AI-based systems has to be addressed throughout the entire development and life cycle of the system, which requires adapting existing methods to the development of AI-based systems. An established method for the development of complex systems is Model-Based Systems Engineering (MBSE), which offers several advantages for the systems engineering process. In this paper, three application examples of how MBSE can support the engineering process of AI-based systems are presented using a single application use case: an AI-based threat localization system. First, a systematic development framework is used to design and model the AI-based system. Second, it is demonstrated how safety analysis can be integrated into a model of the system to identify potentially hazardous scenarios, which could arise, for example, due to erroneous predictions by an AI. For the analysis, an approach called Model-Based STPA is utilized, which is based on the System-Theoretic Process Analysis. Third, it is demonstrated how MBSE can help in performing scenario-based safety assessment: from the operational domain model, executable configurations are generated to run scenario-based test cases.


... As a result, a framework was developed which demonstrates the process from ConOps to ODD description with included scenario-based testing of the operational scenarios. Throughout the engineering process, Model-Based System Engineering (MBSE) is used in order to handle engineering complexity [10] [11]. ...
Conference Paper
Full-text available
In the project RESILIENZ at the German Aerospace Center, a systematic approach for combining operational scenarios from a Concept of Operations (ConOps) to capture specific operational ranges and limitations is investigated. Based on an exemplary aviation use case, collision avoidance, the corresponding ConOps is defined and used as a basis to derive the Operational Design Domain (ODD). Since the ODD is one of the pillars for developing safe AI-based systems, this enables meeting high-level system requirements and, in the future, resilience for failure-tolerant AI systems. In this paper, a model-based systems engineering framework is introduced in which scenarios are generated from the ConOps description in a highly automated way. In total, 50 scenarios were generated and evaluated. This dataset of operational scenarios can be used for testing the initial ODD coverage. The framework in this paper ensures a systematic and highly automated approach from describing the ConOps towards deriving and testing an ODD in the aviation domain.
... The scenarios represent different situations with foreign aircraft used for testing. The detailed use case is explained in [7]. A method for iterative scenario-based testing of AI-based systems is presented in the scope of this work. ...
Article
Full-text available
Virtual testing using simulation will play a significant role in future safety validation procedures for automated driving systems, as it provides the needed scalability for executing a scenario-based assessment approach. This article combines multiple essential aspects that are necessary for the virtual validation of such systems. First, a general framework that contains the vital subsystems needed for virtual validation is introduced. Secondly, the interfaces between the subsystems are explored. Additionally, the concept of model fidelities is presented and extended towards all relevant subsystems. For an automated lane-keeping system with two different definitions of an operational design domain, all relevant subsystems are defined and integrated into an overall simulation framework. The resulting difference between both operational design domains is the occurrence of lateral manoeuvres, leading to greater demands of the fidelity of the vehicle dynamics model. The simulation results support the initial assumption that by extending the operation domain, the requirements for all subsystems are subject to adaption. As an essential aspect of harmonising virtual validation frameworks, the article identifies four separate layers and their corresponding parameters. In particular, the tool-specific co-simulation capability layer is critical, as it enables model exchange through consistently defined interfaces and reduces the integration effort. The introduction of this layered architecture for virtual validation frameworks enables further cross-domain collaboration.
Article
Full-text available
Testing and validation of the functionalities and safety of automated vehicles shifted from a distance-based to a scenario-based method in the past decade. A number of domain-specific languages and systems were developed to support scenario-based testing. The aim of this paper is to review and compare the features and characteristics of the major scenario description languages and systems (SDLS). Each of them is designed for different purposes and with different goals; therefore, they have their strengths and weaknesses. Their characteristics are highlighted with an example nontrivial traffic scenario that we designed. We also discuss some directions for further development and research of these SDLS.
Article
Full-text available
When will automated vehicles come onto the market? This question has puzzled the automotive industry and society for years. The technology and its implementation have made rapid progress over the last decade, but the challenge of how to prove the safety of these systems has not yet been solved. Since a market launch without proof of safety would neither be accepted by society nor by legislators, much time and many resources have been invested into safety assessment in recent years in order to develop new approaches for an efficient assessment. This paper therefore provides an overview of various approaches, and gives a comprehensive survey of the so-called scenario-based approach. The scenario-based approach is a promising method, in which individual traffic situations are typically tested by means of virtual simulation. Since an infinite number of different scenarios can theoretically occur in real-world traffic, even the scenario-based approach leaves the question unanswered as to how to break these down into a finite set of scenarios, and find those which are representative in order to render testing more manageable. This paper provides a comprehensive literature review of related safety-assessment publications that deal precisely with this question. Therefore, this paper develops a novel taxonomy for the scenario-based approach, and classifies all literature sources. Based on this, the existing methods will be compared with each other and, as one conclusion, the alternative concept of formal verification will be combined with the scenario-based approach. Finally, future research priorities are derived.
Conference Paper
Full-text available
The growing adoption of Distributed Energy Resources (DER) in low-voltage distribution grids calls for new feedback control algorithms that rely on quasi-real-time data collected by remote sensors. The design and evaluation of such algorithms necessitates a prudent and comprehensive approach, since these algorithms require a tight integration of power and communication systems. A simple link failure or a sophisticated cyberattack launched against the grid's monitoring, communication, and control infrastructure could rapidly grow out of control, making the grid unstable. We investigate the design and implementation of a high-fidelity smart grid simulation platform which integrates a network simulator and a power flow simulator using the Mosaik co-simulation framework. The platform allows for evaluating the performance of new control algorithms and understanding the dynamics of modern distribution grids. Example case studies are presented to validate the proposed platform.
Article
Full-text available
Soft systems methodology (SSM), an analytic method commonly employed in engineering and business research, produces models focused on human activities and relevant structures used to explain complex, engineered systems. The original version of SSM involves seven stages; five address real-world aspects and observable data, while two stages leverage a systems thinking viewpoint. This approach allows the development of a simplified depiction of complex systems representative of the multi-perspective lenses used to comprehend the systemic complexity of a problem and provide a clearer picture to analysts and decision makers. This bibliometric meta-analysis of 286 relevant publications in engineering, business, and other social sciences fields explores the historic impacts of SSM on academic research and systems thinking in relevant publications that described or employed SSM for research from 1980–2018. This study produced descriptive narrative outcomes and data visualizations including information about top SSM authors, author citation impacts, common dissemination outlets for SSM work, and other relevant metrics commonly used to measure academic impact. The goal of this piece is to depict who, what, why, when, and where SSM had the greatest impact on research, systems thinking, and methodology after nearly 40 years of use, as we look towards its future as a methodological approach used to comprehend complex problem situations.
Conference Paper
Full-text available
The latest version of the ISO 26262 standard from 2016 represents the state of the art for a safety-guided development of safety-critical electric/electronic vehicle systems. These vehicle systems include advanced driver assistance systems and vehicle guidance systems. The development process proposed in the ISO 26262 standard is based upon multiple V-models, and defines activities and work products for each process step. In many of these process steps, scenario based approaches can be applied to achieve the defined work products for the development of automated driving functions. To accomplish the work products of different process steps, scenarios have to focus on various aspects like a human understandable notation or a description via state variables. This leads to contradictory requirements regarding the level of detail and way of notation for the representation of scenarios. In this paper, the authors discuss requirements for the representation of scenarios in different process steps defined by the ISO 26262 standard, propose a consistent terminology based on prior publications for the identified levels of abstraction, and demonstrate how scenarios can be systematically evolved along the phases of the development process outlined in the ISO 26262 standard.
Conference Paper
Full-text available
While any simulation study starts with a scenario, scenario development is usually conducted in an unstructured and ad hoc manner. In order to streamline scenario development, a formal approach is envisioned in the research flight simulator facility of the German Aerospace Center (DLR), namely the Air Vehicle Simulator (AVES). The System Entity Structure (SES), a high-level ontology that was introduced to specify a set of system structures and parameter settings, is proposed as the foundation. The paper outlines a model-based methodology for scenario development. SES is exploited for metamodeling in order to capture all possible elements of a scenario that can be simulated in AVES. Then a scenario modeling methodology is built upon this metamodel.
Conference Paper
Full-text available
Although the importance of scenarios in modeling and simulation has long been well known, there still exists a lack of common understanding and standardized practices in simulation scenario development. This paper proposes a Domain-Specific Language (DSL) to provide a standard scenario specification that will lead to a common mechanism for verifying and executing aviation scenarios, enable effective sharing of scenarios among various simulation environments, improve the consistency among different simulators and simulations, and even enable the reuse of scenario specifications. Following DSL design practices, the proposed Aviation Scenario Definition Language (ASDL) will provide a well-structured definition language to formally specify complete aircraft landing scenarios. In order to capture the necessary constructs for a simulation scenario, the Simulation Interoperability Standards Organization (SISO) Base Object Model (BOM) is adopted as the baseline metamodel. This baseline is extended using the fundamentals of aircraft landing that cover all the domain-related concepts and terminology as constructs. By taking a formal approach to defining aviation scenarios, ASDL aims at providing consistency and completeness checking, and model-to-text transformation capabilities for various targets in the aviation scenario definition domain. The results of this work will be used to develop a graphical modeling environment and automatic means to transform scenario models into executable scenario scripts. The work presented here is the first stepping stone in formal scenario definition in the aviation domain.
Conference Paper
The competition for market entry in emerging segments such as Urban Air Mobility highlights the need for efficient and flexible development processes. This is accompanied by the trend towards software-intensive avionics systems due to the requirement for complex and computationally expensive algorithms. Considering the successful application of agile development in the software domain, one might conclude that the agile paradigm would be the perfect fit to address these issues. However, for highly safety-critical domains such as aviation, multiple conflicts with the agile paradigm exist. Especially the constraint to follow rigorous and well-documented processes contradicts the ideas of agile. To bridge this gap, a comprehensive and well-documented, but still flexible, process is necessary. Accordingly, this paper proposes a first step towards such an agile safety-guided design by combining Model-Based Systems Engineering with the System-Theoretic Process Analysis. In particular, focus is placed on enabling an iterative safety-guided design by providing functionality to trace design changes to the corresponding safety artifacts. This automated functionality is enabled by a formalized execution of the safety analysis. At first glance, formalization sounds like a contradiction to the agile paradigm. However, we argue that formality and agility are not necessarily contradictory. Our theory is that moving the focus of formality from the human activities to the assisting functionality even increases overall agility. The iterative safety-guided design and the resulting identification of safety improvements are demonstrated with examples of a flight assistance system.
Conference Paper
Urban Air Mobility introduces safety-related challenges for future avionics systems. The associated need for increased autonomy demands novel functions based on high-performance algorithms. To provide such functionality in future air vehicles of all sizes, the trend is towards centralized and powerful computing platforms. That turns avionics into a complex, integrated, and software-intensive aircraft system. Simultaneously, this increases the need for adapted safety analyses. The System-Theoretic Process Analysis (STPA) is a promising approach to analyze the safety of software-intensive systems. It enables consideration of interaction and specification issues in addition to component failures. However, even when using state-of-the-art analyses such as STPA, claiming the sufficiency of the safety analysis efforts is a challenging task for systems with ever-increasing complexity. To address this issue, this paper extends the coverage analysis concepts known from software development to safety analyses. This is achieved with the utilization of failure graphs, i.e., formalized analysis summaries that can be automatically created during the safety analysis. Failure graphs have two advantages: they provide the possibility for visual analysis state indication, and they can be used to calculate various statistical metrics. Thereby, they allow improving the knowledge about the depth, breadth, and state of the safety analysis. Visual and statistical consideration complement each other to enhance the safety analysis coverage assessment for future avionic systems. To show all capabilities, the analysis of a flight assistance system serves as demonstrator.
Conference Paper
View Video Presentation: https://doi.org/10.2514/6.2022-2103.vid Developing safety-critical AI-based systems is an emerging challenge in aviation. Among others, the recent concept paper of the European Union Aviation Safety Agency (EASA), "First usable guidance for Level 1 machine learning applications", provides invaluable insights to tackle this challenge. It particularly highlights the importance of synthetic data for training, validation and testing as a means of complementing real-world data for completeness and representativeness. The primary source of synthetic data is simulation. The literature recognizes simulation not only as a crucial data source but also as an effective method for verification. This paper uses the EASA guidance as a baseline to propose a simulation-based data generation process for AI-based airborne systems.
Conference Paper
Emerging segments such as Urban Air Mobility require new safety-critical avionic systems. The complexity of these avionic systems has been increasing for a long time, but even more rapidly in the last two decades, in the form of the number of components, functions, and interactions. At the same time, demanding time-to-market requirements have to be adhered to by development companies. To cope with these challenges, agile development approaches are required that guarantee safety-by-construction. This paper presents an endeavor to tackle these challenges by the holistic utilization of Model-Based Systems Engineering, System-Theoretic Process Analysis, and formal methods. The approach is demonstrated in a use case that analyzes a simplified Collision Avoidance System architecture. Results show that the presented approach is able to improve the development by automating and validating error-prone tasks of the safety assessment.
Conference Paper
Emerging segments such as autonomous driving require new by-wire system architectures for steering and braking. These system architectures are highly safety-critical and currently not commonly used in the automotive industry. This results in challenges for traditional development approaches. One issue is that a well-thought-out architecture selection is already required in early phases of development. Within this paper, a concept is proposed to support the consideration of safety in this early architecture selection, using a safety trade-off concept. An early consideration of system architecture safety is achieved by applying a formalized System-Theoretic Process Analysis to a Systems Modeling Language model. This underlying system model was developed with a Model-Based Systems Engineering approach. Additionally, it is explained how classical safety considerations and safety principles can be integrated into this safety trade-off. Finally, the approach is demonstrated in an architecture comparison for a simplified Steer-by-Wire architecture. Results show that it is possible to find relevant safety requirements and use them to compare solution architecture candidates.
Article
One approach to designing decision-making logic for an aircraft collision avoidance system frames the problem as a Markov decision process and optimizes the system using dynamic programming. The resulting collision avoidance strategy can be represented as a numeric table. This methodology has been used in the development of the Airborne Collision Avoidance System X family of collision avoidance systems for manned and unmanned aircraft, but the high-dimensionality of the state space leads to very large tables. To improve storage efficiency, a deep neural network is used to approximate the table. With the use of an asymmetric loss function and a gradient descent algorithm, the parameters for this network can be trained to provide accurate estimates of table values while preserving the relative preferences of the possible advisories for each state. By training multiple networks to represent subtables, the network also decreases the required runtime for computing the collision avoidance advisory. Simulation studies show that the network improves the safety and efficiency of the collision avoidance system. Because only the network parameters need to be stored, the required storage space is reduced by a factor of 1000, enabling the collision avoidance system to operate using current avionics systems.
Article
Advances in artificial intelligence (AI) will transform modern life by reshaping transportation, health, science, finance, and the military. To adapt public policy, we need to better anticipate these advances. Here we report the results from a large survey of machine learning researchers on their beliefs about progress in AI. Researchers predict AI will outperform humans in many activities in the next ten years, such as translating languages (by 2024), writing high-school essays (by 2026), driving a truck (by 2027), working in retail (by 2031), writing a bestselling book (by 2049), and working as a surgeon (by 2053). Researchers believe there is a 50% chance of AI outperforming humans in all tasks in 45 years and of automating all human jobs in 120 years, with Asian respondents expecting these dates much sooner than North Americans. These results will inform discussion amongst researchers and policymakers about anticipating and managing trends in AI. This article is part of the special track on AI and Society.
Book
This unique text/reference provides a comprehensive review of distributed simulation (DS) from the perspective of Model Driven Engineering (MDE), illustrating how MDE affects the overall lifecycle of the simulation development process. Numerous practical case studies are included to demonstrate the utility and applicability of the methodology, many of which are developed from tools available to download from the public domain. Topics and features:
• Provides a thorough introduction to the fundamental concepts, principles and processes of modeling and simulation, MDE and high-level architecture
• Describes a road map for building a DS system in accordance with the MDE perspective, and a technical framework for the development of conceptual models
• Presents a focus on federate (simulation environment) architectures, detailing a practical approach to the design of federations (i.e., simulation member design)
• Discusses the main activities related to scenario management in DS, and explores the process of MDE-based implementation, integration and testing
• Reviews approaches to simulation evolution and modernization, including architecture-driven modernization for simulation modernization
• Examines the potential synergies between the agent, DS, and MDE methodologies, suggesting avenues for future research at the intersection of these three fields
Distributed Simulation – A Model Driven Engineering Approach is an important resource for all researchers and practitioners involved in modeling and simulation, and software engineering, who may be interested in adopting MDE principles when developing complex DS systems.