Show simple item record

dc.contributor.advisor: Leveson, Nancy G.
dc.contributor.author: Poh, Justin Wei Siang
dc.date.accessioned: 2025-03-24T18:43:57Z
dc.date.available: 2025-03-24T18:43:57Z
dc.date.issued: 2025-02
dc.date.submitted: 2025-02-12T20:36:21.104Z
dc.identifier.uri: https://hdl.handle.net/1721.1/158793
dc.description.abstract: Modern complex systems are increasingly expected to exhibit emergent properties such as safety and security even as they become more complex, interconnected, and reliant on software than ever before. Because of this evolution in the characteristics of these systems, the methods available today for developing system architectures no longer provide systems engineers with adequate design support. As a result, it is becoming increasingly challenging for systems engineers to develop system architectures that exhibit emergent properties like safety. This thesis addresses this problem by developing a safety-driven architecture development framework that enables the design of emergent properties such as safety into a system architecture from the beginning. The key idea is that the results from a hazard analysis process known as Systems Theoretic Process Analysis (STPA) should drive design decisions. The framework therefore starts with an initial STPA analysis of the system to determine how unsafe or undesirable behavior could occur. Structured and systematic processes are then provided to help systems engineers use the STPA results to develop the required control behavior of the system and explore possible system architecture options to implement that control behavior. This framework therefore enables systems engineers to make more informed early architectural design decisions driven by safety considerations. This framework is applied to an Urban Air Mobility (UAM) case study to demonstrate that it provides the necessary design support to enable the development and refinement of an air traffic management (ATM) architecture for UAM. When creating a system architecture, assumptions may also need to be made to mitigate the inherent uncertainties and lack of detailed information about the system at that early stage of design. However, these assumptions are used as the basis for design decisions, and it is important that they remain valid to avoid flaws in the architecture arising when underlying assumptions become invalid. Thus, this thesis also develops and demonstrates a supporting framework to help identify these underlying assumptions and ensure they remain valid both during system development and after the system is placed into operation.
dc.publisher: Massachusetts Institute of Technology
dc.rights: In Copyright - Educational Use Permitted
dc.rights: Copyright retained by author(s)
dc.rights.uri: https://rightsstatements.org/page/InC-EDU/1.0/
dc.title: A Systems-Theoretic Framework For Safety-Driven Development of System Architectures
dc.type: Thesis
dc.description.degree: Ph.D.
dc.contributor.department: Massachusetts Institute of Technology. Department of Aeronautics and Astronautics
dc.identifier.orcid: https://orcid.org/0000-0003-1142-6851
mit.thesis.degree: Doctoral
thesis.degree.name: Doctor of Philosophy

