One of the primary uses for model-based systems engineering (MBSE) is the design of complex cyber-physical systems and systems of systems. Autonomous transportation certainly qualifies for that description. MBSE replaces the traditional document-based system engineering process with linked models to represent and analyze systems. The use of MBSE with aircraft and spacecraft is the subject of another FAQ on ‘How do the military and aerospace use MBSE?’. This FAQ focuses on the use of MBSE with autonomous automobiles and ships.
MBSE is defined by the International Council on Systems Engineering (INCOSE) as the formalized use of modeling to develop and maintain system requirements, design, analysis, verification, and validation. Its applicability extends from the conceptual design phase, through development, and to all phases of a product or system life cycle, including end of life. MBSE is often implemented using the Object Management Group (OMG) systems modeling language (SysML), a general-purpose graphical modeling language for the development of complex systems that include electric, electrical, mechanical, software, and other elements (Figure 1). Some of the benefits of using MBSE include:
- Standardizes the methods for developing, capturing, and managing system requirements, architecture, and design.
- Provides a framework to identify and analyze the system environment in terms of a ‘system of systems.’
- Numerous digital models combine into a ‘digital twin’ of the system and serve as a single point of ‘truth’ for diverse engineering teams and enable detection of defects earlier in the development process.
- Digital threads contain the life history of the digital twin, including all changes, and facilitate interaction between various engineering disciplines and teams.
- Supports the exploration of multiple solution options with minimal investment of time and resources.
MBSE for ADAS resilience
Using MBSE for autonomous vehicles provides the ability to give guarantees about system behavior and resilience while reducing or replacing the use of in-vehicle testing by combining rigorous modeling and extensive digital simulations. Resilience is important for all types of autonomous vehicles and is the system’s ability to cope with unexpected and/or uncertain operational disruptions. These vehicles operate in complex environments with a multitude of sensors such as cameras, radars, lidars, and ultra-sonic sensors used to enable situational awareness, plus inertial measurement sensors, global positioning systems, and digital maps to determine where the vehicle is located within the environment and its direction and speed of movement. Each of these sensing technologies has limits related to operating range, accuracy, and resolution and are subject to various sources of interference.
MBSE methodologies have been applied to specific aspects of designing resilient systems, such as:
- Using resilience contracts for system decision making
- Using comprehensive simulation-based testing methods to verify the system’s ability to handle all known scenarios and to validate the system against potential unknown scenarios.
Designing by contract (DbC) uses formal, precise, and verifiable specifications for systems and sub-systems. DbC assumes that all components meet all the preconditions specified for a given operation. The resilience contracts used with autonomous vehicles in MBSE also incorporate partially observable Markov decision processes (POMDP), enabling modeling potential uncertainty in the sensing data and the environment.
ISO 26262 is widely used in the automotive industry to help prevent malfunctions that result from random hardware failures or failures of system components. It does not directly address issues of sensing technology limitations for accessing the state of a system’s environment. The uncertainty and limitations inherent in the sensing data can result in a system failure and accident, even if no ‘failures’ occur as defined by ISO 26262. ISO PAS 21448, Safety of the Intended Functionality, was developed to address these specific issues.
ISO PAS 21448, as used in MBSE, addresses what type and how much testing is needed to have high confidence that ADAS implementations with inherent sensing technology limitations will operate as expected. There are three aspects of the ISO PAS 21448 approach:
- First, identification of possible hazards of an ADAS function.
- Second, confirmation that the system can avoid those hazards under know scenarios.
- Third, confirmation that the residual risk associated with unknown scenarios is acceptable.
MBSE is particularly useful for the third aspect of ISO PAS 21448 implementation. Using the digital twin, MBSE supports extensive modeling and simulation that can provide robust testing faster and for lower cost and increased confidence in resilient operation, compared with traditional in-vehicle testing of actual hardware. MBSE simulations can implicitly include resilience contracts for decision-making in the ADAS functions, enable simulation methods to verify that the system works as intended in all known scenarios, and can validate the system against potential unknown scenarios.
MBSE is a lifetime tool
In addition to uncertainties related to sensors and other elements in ADAS functions, those functions can evolve due to over-the-air system updates. This is another area where MBSE shines. Many of the enhancements to ADAS functions take the form of software changes and upgrades. The increasing use of cloud computing on automotive platforms is another area where MBSE can help. Even after a vehicle has been built and delivered, software upgrades plus access to cloud computing can result in increased system complexity and changes in system boundaries. MBSE can support the entire life cycle of a vehicle. The utility of the digital twin and the simulations it enables continue to provide resilience and flexibility until end of life (Figure 2).
The methods of field upgrades for vehicles have increased in complexity. Until recently, it was necessary to bring the vehicle back to the dealer to install an upgrade. For aftermarket features from third-party suppliers, ensuring compatibility and suitability of any upgrades could be particularly challenging. With MBSE and digital twins, comprehensive simulations can assure robust operation of upgrades regardless of the source and when or where the upgrade occurs in the vehicle life cycle.
Docking ships with MBSE
A system for the autonomous docking of ships involves interconnections and dependencies with external systems and is a system of systems (SoS). The ship itself is the system of interest (SoI) in this MBSE implementation, and its design must consider the existence and interaction with the external systems. In applications like this, it’s necessary to consider the usage of the autonomous functions and their interactions in the initial modeling stages of MBSE. Operational features and their relationships within the SoS become important model elements. The SoI cannot be modeled or designed adequately without explicitly including external systems within the SoS.
The relationship between the SoI architecture and the operational architecture SoS can be depicted as a layered model (Figure 3). The MBSE model can also consider that various systems in the SoS and the SoI may be in different stages of development, each with its own ‘V model’. In this scenario, the operational views and interactions are of particular interest and can be structured to enable reuse in future generations of autonomous docking and other similar systems.
While autonomous docking involves SoS modeling, a hybrid control model for an underwater autonomous vehicle (UAV) intended for operation in the open ocean can be built for the SoI only using a combination of discrete models, continuous models, and their interaction in a hybrid dynamic system (HDS), as modeled using hybrid automata (HA). HA is a mathematical method for precisely modeling systems that combine digital computational processes with analog physical processes. It’s a state machine with a finite set of continuous variables whose values are described by a set of ordinary differential equations. This combined specification of discrete and continuous behaviors enables complex systems such as UAVs to be modeled and analyzed. The resulting dynamic model for controlling the UAV must consider the six possible motions of sway, surge, roll, heave, yaw, and pitch as defined by the Society of Naval Architects and Marine Engineers (Table 1).
As in the case of the autonomous docking system, the MBSE models, in combination with the model-driven architecture (MDA), SysML, extended/unscented Kalman filter (EKF/UKF) algorithms, and HA, can be reused for designing other UAV controllers. The resulting SoI includes dynamic models of UAV control combined with customized MDA elements composed of a platform-specific model (PSM). The resulting planar trajectory-tracking controller can be designed and evaluated through simulations using the digital twin. Two benefits of this approach include:
- MBSE with MDA elements were combined to optimize lifecycle support and flexibility of the UAV controller.
- The modular design of the UAV controller enables customization and reusability across various UAV designs.
MBSE brings significant value across the design spectrum for autonomous transportation. It can be used to increase the resilience of these systems. In the case of automobiles, it can help designers meet the requirements of ISO PAS 21448 in addition to ISO 26262. MBSE can ensure those vehicles continue to meet the requirements for resilience and robust operation throughout the entire life cycle. For autonomous land vehicles and ships, MBSE supports modeling of complex SoS environments and delivers solutions that can be customized and reused across various systems.
A MBSE Application to Controllers of Autonomous Underwater Vehicles Based on Model-Driven Architecture Concepts, MDPI applied sciences
A Model-Driven Realization of AUV Controllers Based on the MDA/MBSE Approach, Journal of Advanced Transportation
An MBSE Approach for Development of Resilient Automated Automotive Systems, MDPI systems
Applying Model-Based Systems Engineering to the Development of Autonomous Vessel Functions, International Design Conference
Manage the Complexity in Modern Auto & Vehicle Development with Model Based Systems Engineering, Siemens
Product Definition Drives Integrated MBSE, CIMdata