System-of-Systems Resilience Analysis and Design Using Bayesian and Dynamic Bayesian Networks

Abstract

A System-of-Systems (SoS) is characterized both by independence and by inter-dependency. This inter-dependency, while allowing an SoS to achieve its objectives, also means that failures can cascade throughout the SoS. An SoS needs to be resilient to deal with the impact of complex internal and external environments. In this paper, we propose a resilience analysis method of an SoS based on a hierarchy structure. Firstly, we establish a hierarchy structure, which is ranked from high to low as capability level, activity level and system level. Then, Bayesian Networks (BNs) and Dynamic Bayesian Networks (DBNs) are used to analyze the resilience of the SoS. A resilience-based system importance metric is introduced, which is used in the budget allocation optimization problem during the development domain of an SoS. This paper proposes a mathematical programming model aimed at optimizing SoS resilience by optimally using budget to the subsystem. The application of the proposed approach is demonstrated using a case study: a Next Generation Air Transportation setting. The study results provide evidence that the proposed inter-dependency analysis based on Bayesian theory and the SoS resilience design approach can assist SoS system engineers in increasing expected SoS resilience during the development domain.

1. Introduction

With the rapid development of network and information technology, the interconnection and interoperability between systems are becoming closer and closer. Heterogeneous component systems, which are independent of operation and management, are related, interact and coordinate with each other, and can feature capabilities that single system does not have [1]. This kind of integrated large-scale system is the current research hotspot in the field of systems engineering, which is called System-of-Systems (SoS). The SoS can be found in various domains, such as communication networks, the national transportation system, the ballistic missile defense system, and the national airspace system [2,3,4]. Different fields have different definitions of the SoS. For example, He et al. [5] defined the combat SoS as a higher level, larger scale, and more closely coordinated combat system composed of different subsystems that can independently perform a certain combat mission. Hynes et al. [6] defined the economic SoS as an enormous system composed of various links, levels and fields of economic activities, which affect, depend on each other, and develop together. Shen et al. [7] believe that the comprehensive transportation SoS refers to a transportation network formed during the process of socialized transportation, which is characterized by division of labor, organic integration, connectivity, and reasonable layout. Shpak et al. [8] defined the enterprise management SoS as a set of systems that coordinate, control, and optimize various internal works of the enterprise in order to achieve the established goals. As a kind of complex large-scale engineering system, the operation cycle of the SoS is long, and the external environment is complex and changeable. In addition, the system inter-dependency in the SoS is intricate. All of the above factors can lead to development failures of the SoS. Therefore, it is necessary to analyze and evaluate the SoS’s resilience.

The word resilience originated from the Latin word “resiliere”, which means to “bounce back” [9]. Several definitions of resilience have been offered. Many are similar, though many overlap with a number of already existing concepts such as robustness and restorability, among others. But resilience is different from those concepts. Robustness refers to the ability of a system to survive in abnormal and dangerous situations, while recoverability focuses more on the ability of the system to quickly recover to a normal state after being damaged [10,11]. Resilience can be considered as the combination of the above two abilities, referring to the ability of a system to reduce losses while quickly restoring to a normal state after being attacked [12]. As a new subject, SoS has a wide range of application prospects. The increase in the scale of the SoS leads to the gradual increase in the difficulty of its stable operation, while the resilience of the SoS can ensure the degraded operation in the case of capabilities loss and quickly recovery from impaired state.

Some scholars offer a general definition of resilience which spans multiple domains. For example, Pregenzer [13] defined resilience as “the ability of system to maintain its vital functions while absorbing persistent and unpredictable changes”. Allenby [14] defined resilience as “the ability of system to maintain its function and structure in the face of internal and external changes”. Haimes [15] defined resilience as “the ability of system to withstand significant damage within an acceptable range and recover within an acceptable range of time and cost”. For different subjects and application fields, the concept of resilience also has certain differences. Scholars have given a variety of definitions of resilience for different fields. Sheffi [16] defined the resilience of an enterprise as the ability to maintain or restore a stable state, which enables the enterprise to continue to function normally after being damaged. From the perspective of ecosystem resilience, Adger [17] defined social resilience as “the ability of a group to cope with external pressures and disturbances caused by social, political, and environmental changes”. Rose et al. [18] analyzed the major impacts of natural disasters and man-made operations on the economy, and they described economic resilience as “the ability of enterprises and regions to avoid possible losses”. Wears et al. [19] gave a definition of resilience in engineering: the ability of a system to adjust its functional state in the face of interference or unpredictable changes. The military field also attaches great importance to the study of resilience. Lan et al. [20] believed that the resilience command information system referred to the system that can still adjust its own state to complete the specified mission in the face of external environment changes.

Resilience analysis is the basis of resilience design and optimization. Analysis methods of resilience are mainly divided into three categories: qualitative, semi-quantitative, and quantitative methods. The qualitative analysis method is also called non-data analysis, and the qualitative analysis method of resilience is mainly used to build the conceptual framework. Speranza et al. [21] developed a conceptual framework to analyze the resilience of human livelihoods. The framework proposed three dimensions of resilience: buffer capacity (the change system can withstand), self-organization capacity (new structures emerge from existing social structures), and learning (adaptability). Semi-quantitative resilience analysis methods usually consist of a series of questions, which aim to analyze the characteristics of different resilient systems, such as redundancy and resource satisfaction. For example, Cutter et al. [22] identified 36 resilience variables for communities to cope with natural disasters, including redundancy, resource abundance and robustness, etc. These 36 variables were further subdivided into five categories: infrastructure, institutions, economy, society, and social capital. The quantitative analysis method is mainly used to put forward the specific index and method of calculating the resilience of the system (or SoS). Existing research methods for the quantitative analysis of system resilience mainly fall into two categories. One is by measuring the ability of the system (or capabilities of SoS). The other is to study how the structure of a system (or SoS) affects its resilience. We broadly characterize these general measures as deterministic and stochastic, each of which has been used to describe static and dynamic system behavior. The difference between the deterministic and stochastic methods is whether uncertainty is incorporated into the measure. Bruneau et al. [23] proposed a typical deterministic method to analyze resilience. They defined four dimensions in the resilience triangle model: robustness, rapidity, resource abundance, and redundancy. Meanwhile, they proposed a static index for analyzing social resilience. BN also has a wide range of applications in resilience analysis. Yodo [24] developed a resilient supplier selection method based on the BN. Niamat et al. [25] used the BN to study and analyze the resilience of Washington’s power infrastructure.

Due to the inter-dependency between the constituent systems of an SoS, it is difficult for SoS system engineers to manage SoS capabilities in operational and development domains. These complex inter-dependencies among the constituent systems can be attributed to four attributes: (1) the heterogeneity of constituent systems, (2) the distributed nature of these systems, (3) uncertainty about the future state of the SoS, and (4) SoS hierarchy [26]. In order to analyze the complex inter-dependency of the SoS, it is necessary to understand how to model them. A hierarchy structure is a typical characteristic of an SoS which is designed to meet complex and advanced functional requirements [27,28]. The hierarchy structure of the SoS can help SoS system engineers understand the relation between SoS capabilities and its constituent systems. Therefore, three different levels are used to represent the structure of the SoS: the higher-level nodes are used to describe the capabilities of the SoS, those in the middle level denote the activities needed to realize the capabilities, and the ones in the lower level designate the constituent systems needed to complete those activities. We use the BN to analyze the relationship between levels and establish a static analysis model for SoS capabilities. Furthermore, the DBN is used to obtain the process of SoS capabilities changing over time, and a resilience analysis index based on the evolution process of SoS capabilities is proposed. In addition, we also analyze the impact of different systems on the resilience of the SoS, which can be used as a basis for the allocation of budget in development domains. A mathematical programming model aimed at optimizing SoS resilience by optimally using the budget of the subsystem is proposed. At last, the Next Generation Air Transportation setting is used to demonstrate the resilience analysis and design approach proposed in this paper. Continuously rising demand in the National Airspace System (NAS) is one of the major contributing factors that aggravate system-wide congestion and delays. Therefore, mitigating congestion at the NAS has become one of several priorities for the Federal Aviation Administration (FAA). To solve this, the FAA proposed new operating concepts and technologies to achieve the Next Generation Air Transportation System (NextGen) [29]. The analysis and design of NextGen’s resilience are of great significance for improving the whole navigation capacity.

The rest of the paper is organized as follows: Section 2 introduces the hierarchy structure of the SoS. Section 3 is dedicated to reviewing the basics of the BN and DBN. In Section 4, we propose a resilience metric and a resilience-based system importance metric. Section 5 presents a mathematical model aimed at optimizing SoS resilience. A Next Generation Air Transportation setting is exhibited in Section 6 to illustrate the resilience analysis and design approach. Finally, discussion and conclusions are given in Section 7 together with the proposed future work.

2. Hierarchy Structure of an SoS

2.1. Hierarchical Representation of an SoS

As introduced in the previous section, managing the development and evolution of SoS capabilities remains a challenge due to the complex inter-dependency between constituent systems. Uncontrolled propagating effects through the complex inter-dependency may lead to the severe failure of dependent systems within the SoS. For example, in early 2001, the disruption of electric power in California affected oil and gas productions, refinery operations, and the pipeline transport of gasoline [30,31].

The success of SoS development can be determined by the degree to which it meets the desired objectives. Therefore, the first phase of any SoS development activity is to define an appropriate objective. Once the SoS system engineers have defined the objectives of the SoS, the next step is to identify the activities required to meet the objectives, and the completion of these activities depends on the collaboration of a single or multiple constituent systems within the SoS. During this process, SoS system engineers can put forward a lot of alternatives to develop the SoS. The main task for SoS system engineers is to choose the best one which can effectively achieve SoS capabilities and resilience under multi-party constraints [32,33,34,35].

One of the common features of different SoSs is their hierarchy [36,37,38]. Therefore, we represent the SoS hierarchically with three distinct levels: entities in the highest level represent the capabilities of the SoS, those in the middle level denote the activities to achieve those capabilities, and the ones in the lowest level designate the constituent systems within the SoS needed to complete those activities. The hierarchical representation also helps us to understand how the changes of physical systems influence the capabilities of the SoS. Figure 1 shows a hierarchical abstraction of the desired SoS capability, the activities that must be met to achieve this capability, and the physical systems needed to complete those activities. Color represents different levels: blue (SoS capability level), green (activity level) and orange (system level). The arrows represent the inter-dependency between nodes within the SoS. The ellipses around the collection of nodes and the lines from the ellipses to the node at the next higher level mean that the nodes in the ellipses are required to achieve the node at the next higher level.

The hierarchical representation of an SoS, as shown in Figure 1, relates the overall objectives of the SoS at the higher levels to the material features at the lower levels by “Why, What, How” relationships indicating how higher levels are achieved, what higher levels consist of, and why lower levels exist [39]. “Why” answers the question “Why should we do this?”. The highest level serves as the “Why” for the lower level. The activity level answers “How” the capability level is accomplished by the activities, which can then be broken down into specific physical systems. The system level describes “what” we need to complete the activities.

The littoral combat ship (LCS) is used as an example to demonstrate the hierarchical representation process of an SoS [40]. The LCS is the first vessel in the new surface ship family of the US Navy. The LCS system is designed to counter growing potential threats in the littoral zone such as coastal mines, quiet diesel submarines, and terrorists on small, fast, and armed boats [41,42]. The LCS is an SoS composed of independent, heterogeneous and evolving subsystems, nested in a hierarchy structure, so decomposing the LCS into hierarchy helps to better understand it. Figure 2 shows the decomposition of the LCS. The first step is to determine the objective of the LCS, which is defined by the combat mission it is currently performing. We assume that the objective of an LCS is to find and destroy enemy targets. Then, by asking “How”, the capabilities of the LCS can be decomposed into three specific activities (mine warfare, anti-submarine warfare and anti-surface warfare). It includes six different systems: Armed Helicopter for Surveillance and Attack Missions (MH-60R), Helicopter for Airborne Mine Counter-Measure Missions (MH-60S), Unmanned Air Vehicle (UAV), Unmanned Surface Vehicle (USV), Remote Mine Hunting System (RMS) and the LCS. A complete hierarchy of LCS allows SoS system engineers to find the relationship between capabilities, activities and constituent systems effectively.

2.2. Challenges of Inter-Dependency Analysis of the SoS under Uncertainty

One of the difficulty of inter-dependency analysis of the SoS is estimating the properties of the constituent systems (e.g., failure probabilities). Due to the lack of information of nascent systems, it is a challenge to analyze the structure and capabilities of an SoS using probabilistic methods. In this case, expert opinions can be used to estimate the properties of constituent systems. The probability related to the measure of belief in a proposition, or more generally, to a lack of complete knowledge, is called subjective probability [43]. On the other hand, the probability estimated by using historical data is called frequentist probability [44]. SoS system engineers may need to integrate two probabilities to estimate properties more accurately. Therefore, we need to find a method that supports the use of subjective and frequentist probabilities.

In the past, significant progress has been made on the inter-dependency analysis of the SoS. A Markov chain where the transition probabilities are defined as the dependency strengths between systems was used to design an SoS with significant inter-dependency between constituent systems [45]. Functional Dependency Network Analysis was developed to evaluate the effect of topology and possible degraded functioning of one or more systems on the operability of each system in the network [46]. However, none of the above methods can effectively handle the challenges of applying expert opinions and dynamically updating the system over time. Therefore, a Bayesian Network method is proposed to provide a formal framework for tackling the challenges discussed above. There are four reasons to choose the BN for inter-dependency analysis:

• It allows an intuitive and visual representation of inter-dependency in the SoS and provides a way for fusing field data, statistical analysis results, simulation outputs, analytical equations, and expert opinions in one summary model;
• It takes into account the uncertainty state of the constituent system, which also influences the completion of activities and achievement of SoS capabilities;
• It can fuse new observations with prior information to update the state of the system in real time;
• Uncertainty of the SoS can be explicitly calculated through the system state values and by propagating the uncertainty through the network.

3. Bayesian and Dynamic Bayesian Networks

3.1. Bayesian Network

Bayesian Networks (BNs), also known as directed acyclic graph models or Bayesian belief networks, are developed on the basis of Bayesian theory and are probability graph models [47]. The Bayesian theory can be simply expressed by the following formula:

$$P\left(A\right|B)={\displaystyle \frac{P\left(B\right|A\left)P\right(A)}{P\left(B\right)}},$$

(1)

where $P\left(A\right|B)$ is the belief for hypothesis A upon observing evidence B. $P\left(B\right|A)$ is the probability that B is observed if A is true, and $P\left(B\right)$ is the probability that the evidence occurs. $P\left(A\right|B)$ is known as posterior probability and $P\left(A\right)$ is called prior probability [48].

BN can investigate the properties of a conditional probability distribution of a set of random variables according to the topology of the probability graph. One of the advantages of the BN is the ability to represent joint probabilities $P(Y_1,Y_2,\dots ,Y_n)$ using the conditional probabilities of all variables $(Y_1,Y_2,\dots ,Y_n)$:

$$P(Y_1,Y_2,\dots ,Y_n)=P\left(Y_1\right|Y_2,\dots ,Y_n)P\left(Y_2\right|Y_3,\dots ,Y_n)\dots P\left(Y_{n-1}\right|Y_n)P\left(Y_n\right).$$

(2)

In practical applications, nodes in the BN may not only be influenced by their parent nodes but also by certain potential factors. The NoisyOR function relaxes the assumption that a variable will be recorded as a True state only if a parent is in the true state [49]. The NoisyOR function introduces a new parent node named the “leak” node, which means that there are some hidden nodes can make child node appear as true. For example, there are n factors $(A_1,A_2,\dots ,A_n)$ that affect the appearance as true of node Z, and the probability of Z being true is $w_i$ if and only if $A_i$ is true, i.e., $w_i=P(Z=True|A_i=True,A_j=False,\mathrm{for}\mathrm{each}\mathrm{j}\ne \mathrm{i})$. If when all parent nodes of Z are false, the probability of node Z being true is l, and the NoisyOR function of Z can be written as

$$NoisyOR(A_1,w_1,A_2,w_2,\dots ,A_n,w_n,l).$$

(3)

The conditional probability distribution of Z can be calculated using the NoisyOR:

$$P(Z=false|A_1,A_2,\dots ,A_n)=(1-l)\prod _{i=1}^n[1-w_i],$$

(4)

$$P(Z=true|A_1,A_2,\dots ,A_n)=1-P(Z=false|A_1,A_2,\dots ,A_n).$$

(5)

3.2. Dynamic Bayesian Network

BN can be used to analyze static systems or SoSs, which is not the case in a dynamic and continuously changing world, but it does not consider the effects of time on the system state and SoS structure. In general, the resilience of an SoS tends to be a process rather than a state which raises a requirement for a tool that can account for the changes of SoS states over time, such as Dynamic Bayesian Networks (DBNs). DBNs are BNs that connect different variables and adjacent time slices, and they can be seen as a model that combines the BN with a dynamic state and structure [50]. A DBN considers the interrelationship between the external influencing factors and the internal factors of an SoS, it can reflect the probabilistic dependency between nodes, and it describes the change in the nodes’ states over time. It is an extension of the BN by adding the time dimension. Therefore, DBNs have a wider range of application than general BNs. A DBN is an acyclic graphical model for statistical processes. The joint probability of the variables under the continuous time steps can be calculated using the following formula:

$$P\left(Z_t\right|Z_{t-1},Z_{t-2},Z_{t-3},\dots ,Z_1)=\prod _{i=1}^{N}P\left(Z_t^i|Pa\left(Z_t^i\right)\right),$$

(6)

where $Z_t^i$ is the $i^{th}$ node in the $t^{th}$ time step. $Pa\left(Z_t^i\right)$ are the parent nodes of Z, which can be in the same or the previous time steps.

We assume that the structure of DBN will not change over time, so the variables in the DBN remain unchanged. Therefore, the probability distribution of variables over all time steps can be obtained by expanding the DBN as follows:

$$P\left(Z_{1:T}\right)=\prod _{t=1}^T\prod _{i=1}^{N}P\left(Z_t^i|Pa\left(Z_t^i\right)\right).$$

(7)

Hulst et al. [51] put forward an extension of the original DBN, which introduced nodes connected only to the first and last time step of the DBN. These nodes are called anchor nodes and terminal nodes.

• Anchor node (A): a node outside the temporal plate of a DBN that only affects the nodes in the first time step;
• Terminal nodes (T): a node outside the temporal plate of a DBN that only affects the nodes in the last time step.

Figure 3a depicts an unexpanded DBN with anchor and terminal nodes, where the nodes in the temporal plate (dashed box) represent variables whose states are constantly changing over time, and nodes $A,C,T$ represent static variables. A solid line between nodes represents the causal relationship of two variables. Moreover, a dashed line shows the casual relationship of two nodes between different time steps, where the number “1” indicates that this node only affects its child node in the next time step. Figure 3b,c show a second-order DBN and an expanded DBN where the variables that are inside the temporal plate are connected with one another through temporal lines and appear in each time step. In the case, the joint probability distribution of the DBN across time steps can be expressed as follows:

$$P(A,U_{1:T},C,T)=P\left(A\right)P\left(C\right)\prod _{i=1}^N\left\{P\left(U_1^i|Pa\left(U_1^i\right),A,C\right)\right\}\prod _{t=2}^T\prod _{i=1}^N\left\{P\left(U_t^i|Pa\left(U_t^i\right),C\right)\right\}P\left(T\right|Pa\left(T\right)),$$

(8)

where $U^i$ are the variables in the temporal plate, $Pa\left(U_t^i\right)$ are the parent nodes of $U_t^i$, N is the number of variables in $Pa\left(U_t^i\right)$, and T represents the number of time steps.

As mentioned above, one main characteristic of a DBN is that variables are connected through different time steps, which provides a basis for us to analyze the change process of SoS capabilities. Figure 4 shows how to obtain the change process of capability using DBNs as well as the stages of absorption, adaptation, and restorability for an SoS to take effect in the process. In Figure 4, when t = 0, it represents the initial state of an SoS. The first step (t = 1) is dedicated to observing the impact caused by the attack on the SoS capability. In the second time step, the absorption and adaptation of the SoS play a role in reducing the loss of the SoS capability. At time n, the SoS capability drops to a minimum level, and immediately, the restorability comes into play; the SoS capability begins to recover gradually and return to the initial state at the $T^{th}$ time step. At this point, we obtain the whole change process of the SoS capability, which helps us analyze the resilience of an SoS in the next step.

4. Resilience Metric and Resilience-Based System Importance

4.1. Resilience Analysis Metric

When designing the resilience of an SoS, it is necessary for SoS system engineers to quantitatively analyze the resilience state of different design schemes in order to make the best design decision. Therefore, the analysis of SoS resilience is the basic part of SoS resilience design.

According to the description of Figure 4, the change process of SoS capability can be mainly divided into four stages: namely, the initial stability stage, the decline stage, the recovery stage and a new stability stage. The role of resilience is mainly reflected in the decline and recovery stage. As a consequence, the existing metrics of resilience usually focus on the above two stages. Bruneau et al. [23] defined resilience as the ability of an SoS to absorb the impact of an attack and recover quickly after a reduction in capability. As shown in Figure 5, Bruneau defined the value of resilience as the area of the shadow region between the actual SoS capability and the expected SoS capability:

$$R{L}_s={\int }_{t_1}^{t_3}[C\left(t_1\right)-C\left(t\right)]dt,$$

(9)

where $t_1$ refers to the time when the attack occurs, $t_3$ is the time when SoS capability is fulled restored, $C\left(t\right)$ is the capability of SoS at time t, and $C\left(t_1\right)$ indicates the expected SoS capability. Bruneau assumed that the capability of the new stability stage was the same as in the initial stability stage, i.e., $C\left(t_1\right)=C\left(t_3\right)$.

Based on the method of Bruneau, Cimellaro [52] proposed a measure of resilience using the integral of SoS capability across the change process:

$$R_s={\int }_{t_1}^{t_3}C\left(t\right)dt.$$

(10)

However, the above methods do not consider the impact of the time span during which the SoS capability is not in the expected state on the resilience analysis. For example, for two different SoS design schemes (A and B), we assume that the capability reduction and recovery are both linear processes, and schemes A and B have the same minimum capability after being attacked, but scheme A requires a longer recovery time. According to the definition of resilience, it is clear that the resilience level of scheme B is better than that of scheme A, but it is calculated that scheme A is greater than scheme B using the method of Cimellaro. We introduce the recovery time into the method of Cimellaro, and the SoS resilience based on the change process of capability can be calculated as follows:

$${\mathbb{R}}_{SoS}={\displaystyle \frac{{\int }_{t_1}^{t_3}C\left(t\right)dt}{t_3-t_1}}.$$

(11)

4.2. Resilience-Based System Importance

The reliability system importance metric measures the amount by which the failure of a system can affect the reliability of an SoS [53]. Based on the reliability context, the resilient-based system importance (RSI) is defined as the amount by which the resilience of an SoS is reduced by a system’s failure [54]. A prerequisite for calculating the RSI is a resilience metric which has been proposed in Section 4.1.

Let ${\mathbb{R}}^{+i}$ be the resilience of the SoS when the $i^{th}$ system is available and ${\mathbb{R}}^{-i}$ when it is not. Then, the RSI of the $i^{th}$ system is the difference between ${\mathbb{R}}^{+i}$ and ${\mathbb{R}}^{-i}$, and it is a positive value. The following Algorithm 1 explains the steps to calculate the value of RSI.

Algorithm 1 Resilience-based System Importance Algorithm.

Input: the $i^{th}$ system of SoS Output: $RS{I}_i$   1: Calculate the resilience of the $i^{th}$ system (${\mathbb{R}}^{+i}$)   2: Calculate the resilience of the $i^{th}$ system (${\mathbb{R}}^{-i}$)   3: Calculate the resilience-based system importance $RS{I}_i$ ($RS{I}_i$ = ${\mathbb{R}}^{+i}$ − ${\mathbb{R}}^{-i}$)   4: Return $RS{I}_i$

SoS system engineers want to maximize the resilience of a new SoS, but it conflicts with the realities of constrained environment such as tight budgets. Before designing the proposed SoS resilience, SoS system engineers must understand the relationships between resilience optimization and resource allocation by conducting a trade-off analysis between these two. With continuing budget cuts, it is hard for SoS system engineers to make such a choice, but RSI can help solve this problem. If the system has a higher RSI, then the more budget it should receive for designing a resilient SoS. Therefore, we design a budget allocation model based on RSI:

$$B_i={\displaystyle \frac{RS{I}_i}{{\displaystyle \sum _{j=1}^N}RS{I}_j}}·B,B_i\le B_{max}$$

(12)

where B is the total budget limit for designing a resilient SoS, $B_i$ is the budget allocated to the $i^{th}$ system, $B_{max}$ is the maximum budget needed to optimize the system, and N denotes the number of systems needed to be optimized in the SoS.

5. Design Resilience under Budgetary Constraint

In a complex SoS, each system has its own absorption and recovery functionalities in the face of a development failure. Therefore, we analyze the functionality curve of a single system, and on this basis, establish the system functionality optimization model.

5.1. Single System Functionality Curve

Systems are the constituent units of an SoS, and they are also the lowest level representation of the SoS capabilities in a hierarchy structure. Therefore, it is of great significant to analyze the functionality curve of each system to understand the overall SoS capabilities. The functionality of a system is the level at which the system performs its assignment. For example, the functionality of a water transmission pipeline is the amount of flow that it carries. Like the capabilities of SoS, two characters that influence system functionality after an attack are absorption and rapid recovery (Figure 6a), where absorption can reduce the negative effects of the attack and rapid recovery can reduce the time required for system recovery. Keeping all other factors fixed, a system with less effects and recovery time can provide more resilience. In this section, we build a system optimization model under budgetary constraints, in which we study different outcomes of optimization schemes on a single system. We will use the following notation:

• $L_i$: The maximum of loss in the functionality of the $i^{th}$ system;
• $T_i$: Recovery time of the $i^{th}$ system;
• $a_i$: Improvement in the absorption of the $i^{th}$ system (in percent);
• $r_i$: Improvement in the recovery time of the $i^{th}$ system (in percent);
• $B_i$: The total budget limit for the $i^{th}$ system.

The functionality of each system is normalized by dividing the real functionality $f_i$ by the expected functionality $E\left(f_i\right)$, yielding a value between 0% and 100%. When the value of functionality is 100%, it indicates that the system operates normally or provides extremely high resilience. Different optimization schemes on a single system can result in different outcomes for improving absorption and rapid recovery. The smallest $a_i$ and $r_i$ are both 0, meaning that $L_i$ and $T_i$ remain unchanged.

For the convenience of calculation, we assume that the system functionality can be estimated by two line segments, $l_1$ and $l_2$ (Figure 6b). Several main elements are required to determine the calculation formula of the system functionality, such as $t_1$, $t_2$, $t_3$ and $L_i$. Then, at any time t, the functionality of the $i^{th}$ system can be calculated as

$$f_{i,t}=\left\{\begin{array}{c}1-{\displaystyle \frac{L_i}{t_{i,2}-t_{i,1}}}t+{\displaystyle \frac{L_i{t}_{i,1}}{t_{i,2}-t_{i,1}}},t_{i,1}\le t\le t_{i,2}\hfill \\ {\displaystyle \frac{L_i}{t_{i,3}-t_{i,2}}}t+1-{\displaystyle \frac{L_i{t}_{i,3}}{t_i,3-t_{i,2}}},t_{i,2}\le t\le t_{i,3}\hfill \\ 1,0\le t\le t_{i,1}ort\ge t_{i,3}\hfill \end{array}\right.$$

(13)

5.2. System Functionality Optimization under Budgetary Constraint

According to Equation (12), the budget amount for the $i^{th}$ system can be determined by its RSI. For a certain linear functionality function and budget limit $B_i$ of the $i^{th}$ system, the new maximum of loss in the functionality $L_{i,new}$ and recovery time $T_{i,new}$ are as follows:

$$\begin{array}{cc}\hfill & L_{i,new}=L_i(1-a_i),\mathrm{and}{T}_{i,new}=T_i(1-r_i).\hfill \end{array}$$

(14)

Inspired by the resilience index, we are of the opinion that the optimization goal is to allocate the budget to the systems and to determine the absorption and recovery enhancements in such a way that a minimum loss of functionality overall is achieved in the process. In this study, we consider that reducing the loss of functionality is as important as the recovery time. On this basis, we establish a general nonlinear optimization model of the system functionality under the following budgetary constraint:

$$\begin{array}{cc}\hfill & max{F}_i={\int }_{t_1}^{t_3}{f}_i\left(t\right)dt,\hfill \\ \hfill & {\beta }_{i,L}{a}_i+{\beta }_{i,T}{r}_i\le B_i,\hfill \\ \hfill & L_i(1-a_i)\le L_{Accept},\hfill \\ \hfill & T_i(1-r_i)\le T_{Accept},\hfill \\ \hfill & i\in [1,N];T_{Accept},L_{Accept}\ge 0;0\le a_i,r_i\le 1,\hfill \end{array}$$

(15)

where N is the number of systems, while ${\beta }_{i,L}$ and ${\beta }_{i,T}$ are the budgets required to optimize the functionality loss and recovery time of the $i^{th}$ system, respectively. $L_{Accept}$ and $T_{Accept}$ are the minimum acceptable level of the functionality loss and recovery time.

In order to solve the model more conveniently and expand its application, the optimization scheme and the amount of budget consumed are represented discretely. In the first step, for a system that needs to be optimized, there are multiple schemes $P_i=(s_{i,1},s_{i,2},s_{i,3},\dots ,s_{i,n},T_{Accept},L_{Accept})$, where each scheme is composed of three parameters: $a_{i,j}$, $r_{i,j}$ and $c_{i,j}$, i.e., $s_{i,j}=(a_{i,j},r_{i,j},c_{i,j})$. For all the systems, the optimization scheme $s_{i,j}=(0,0,0)$ is included, indicating that the system has not been optimized. The goal of the optimization problem is to select the optimal scheme in $P_i$. When the scheme and budget consumption are represented discretely, the system functionality optimization model under budgetary constraints is modeled as follows:

$$\begin{array}{cc}\hfill & max{F}_{i,j}={\int }_{t_1}^{t_3}{f}_{i,j}\left(t\right)dt,\hfill \\ \hfill & \sum _j({\beta }_{i,L}{a}_{i,j}+{\beta }_{i,T}{r}_{i,j})x_{i,j}\le B_i,\sum _j{x}_{i,j}=1,\hfill \\ \hfill & L_i(1-a_{i,j})x_{i,j}\le L_{Accept},\hfill \\ \hfill & T_i(1-r_{i,j})x_{i,j}\le T_{Accept},\hfill \\ \hfill & i\in [1,N],j\in [1,n];T_{Accept},L_{Accept}\ge 0;0\le a_{i,j}, r_{i,j}\le 1,\hfill \end{array}$$

(16)

where j represents the $j^{th}$ scheme in $P_i$, while n is the number of available schemes for the $i^{th}$ system. $x_{i,j}$ is a binary variable; it is 1 if the $j^{th}$ scheme is selected. Next, we will introduce the whole process of SoS resilience analysis and design through a Next Generation Air Transportation System (NextGen) case.

6. Numerical Example and Results

The United States Federal Aviation Administration (FAA) controls the world’s largest air traffic control system. The system controls nearly 50,000 flights a day, covering an area of nearly $7.61\times {10}^7{\mathrm{km}}^2$, which is equivalent to 15% of the earth’s surface area. Continuously rising demand in the National Airspace System (NAS) is one of the major contributing factors that aggravate system-wide congestion and delays. To solve this, the FAA proposed new operating concepts and technologies to achieve the NextGen.

6.1. Hierarchical Representation of the NextGen

In order to solve the problem of traffic congestion and delay, FAA proposed the development of the NextGen project in 2004. The vision of the NextGen is to build a near and midterm SoS developed by the FAA to increase the traffic capacity of the airspace system, improve flight efficiency, enhance system predictability, enhance navigation capacity, improve resilience and improve the safety of air transportation.

However, complex interdependencies between the new technologies and its constituent systems create challenges when assessing the impact of the technologies and systems on the NextGen. We use a hierarchical representation to understand how the activities and new technologies affect the capability of the NextGen. The hierarchy of the NextGen is decomposed into three levels: capability, activity and technology (composed by systems). In this paper, we focus on the reduction in flight delay. Thus, we define the NextGen capability as “provide service with lowest delay” and can measure the capability of the NextGen by estimating the percent of ideal delay reduction obtained. The capability of the NextGen can be achieved by implementing three activities: departure delay reduction, airborne delay reduction and taxi-in delay reduction. Each activity is satisfied by a set of NextGen technologies (Figure 7). Each new NextGen technology can be achieved by completing a set of acquisition programs or optimizing existing systems (

Table 1. Required systems to achieve the NextGen technologies.

Symbols of Systems	System Name	Supported Technologies
$P_1$	Free flight traffic management	$T_4$
$P_2$	Airport surface detection equipment	$T_1$,$T_7$
$P_3$	En route automation modernization	$T_3$,$T_4$,$T_6$
$P_4$	Next Generation air-to-ground communication	$T_3$–$T_7$
$P_5$	Standard terminal automation replacement	$T_2$,$T_5$
$P_6$	Airport surveillance radar	$T_2$,$T_7$
$P_7$	Aviation surface weather observation network	$T_2$
$P_8$	Integrated terminal weather system	$T_2$,$T_5$
$P_9$	Instrument flight procedures automation	$T_3$,$T_5$,$T_6$
$P_{10}$	Terminal automation modernization replacement	$T_2$,$T_5$
$P_{11}$	Automatic dependent surveillance broadcast	$T_1$,$T_3$–$T_7$
$P_{12}$	Traffic flow management infrastructure	$T_1$–$T_7$
$P_{13}$	System-wide information management	$T_3$,$T_4$,$T_7$
$P_{14}$	En route control center system modernization	$T_3$,$T_4$
$P_{15}$	Airport movement area safety system	$T_1$
$P_{16}$	Traffic management advisor	$T_1$–$T_7$
$P_{17}$	Precision runway monitor	$T_2$,$T_7$
$P_{18}$	En route communication gateway	$T_3$,$T_4$

).

6.2. Using BN to Evaluate the Capability of NextGen

Assessing the impact of new technologies and systems on the capability of the NextGen requires a modeling and simulation tool. In this study, GeNIe3.0 software is used to model the BN of the NextGen. The advantage of GeNIe3.0 is that it can intuitively display the established BN, and moreover, support to model the DBN. Two of the busier airports are selected for this simulation: Atlanta International Airport (AIA) and Chicago O’Hare International Airport (CIA). AIA and CIA are used as the departure and arrival airports, respectively. The proposed BN focuses on quantifying the impact of various factors on the arrival delay. The conditional probability in the BN can be obtained through the parameter learning function of GeNIe3.0, and the relationship between the new technologies and the constituent systems is represented by the NoisyOR function, as shown in Equation (17) [29,49].

$$\begin{array}{cc}\hfill & P(T_1=Unavailable)=NoisyOR(P_2,0.14,P_{11},0.18,P_{12},0.15,P_{15},0.21,P_{16},0.1,0.1),\hfill \\ \hfill & P(T_2=Unavailable)=NoisyOR(P_5,0.05,P_6,0.1,P_7,0.07,P_8,0.16,P_{10},0.12,P_{12},0.19,P_{16},0.11,P_{17},0.1,0.07),\hfill \\ \hfill & P(T_3=Unavailable)=NoisyOR(P_3,0.17,P_4,0.1,P_9,0.13,P_{11},0.1,P_{12},0.15,P_{13},0.08,P_{14},0.13,P_{16},0.2,P_{18},0.1,0.03),\hfill \\ \hfill & P(T_4=Unavailable)=NoisyOR(P_1,0.1,P_3,0.15,P_4,0.1,P_{11},0.08,P_{12},0.13,P_{13},0.11,P_{14},0.2,P_{16},0.1,P_{18},0.12,0.05),\hfill \\ \hfill & P(T_5=Unavailable)=NoisyOR(P_4,0.15,P_5,0.10,P_8,0.20,P_9,0.08,P_{10},0.07,P_{11},0.12,P_{12},0.13,P_{16},0.08,0.06),\hfill \\ \hfill & P(T_6=Unavailable)=NoisyOR(P_3,0.08,P_4,0.15,P_9,0.17,P_{11},0.20,P_{12},0.05,P_{16},0.10,0.10),\hfill \\ \hfill & P(T_7=Unavailable)=NoisyOR(P_2,0.12,P_4,0.13,P_6,0.05,P_{11},0.08,P_{12},0.19,P_{13},0.15,P_{16},0.13,P_{17},0.14,0.08).\hfill \end{array}$$

(17)

We set two states for the NextGen capability and three activities: on time or delay, and the punctuality rate of flights is used to represent the capability of the NextGen. Figure 8 shows the analysis result of the NextGen capability. As can be seen, when all systems are available, the punctuality probabilities of the three activities are 90%, 92%, and 91%, respectively, and the probability that a flight arrives on time is 84%.

In addition, we can use the detected evidence to update the probability distribution in the BN. For example, if it is known that technologies $T_3$ and $T_4$ are unavailable, the probability distribution of the NextGen capability is shown in Figure 9. Due to the unavailability of $T_3$ and $T_4$, the delay probability of the airborne process decreases from 92% to 63%, and the NextGen capability decreases from 84% to 76%.

We also analyze the impact of different new technologies on the percentage of arrival delay reduction. As shown in the Figure 10, the larger the value of the Y-axis, the better the new technology is on reducing the arrival delay. $T_2$ and $T_7$ have the greatest impact, so they should be prioritized for construction. On the contrary, $T_3$ and $T_4$ have less impact and should be considered to be constructed last when budget and time are insufficient.

Using the method proposed in this study, we can analyze how the sequence of technologies failures affects the NextGen capability, as shown in Figure 11. We first order the failures of technologies from the least pivotal to the most pivotal to determine the best-case capability decline pattern. Doing the converse yields the worst-case pattern. In the worst case, the NextGen capability decline is fast first and then slow, while the best case is the opposite. The general case is between the worst and best cases.

6.3. Using DBN to Analyze the Resilience of NextGen

In this section, a resilience analysis model of the NextGen based on DBN is established. In order to analyze the resilience of the NextGen more specifically, we make the following assumptions:

(1)

The development failures of system $P_{11}$, $P_{12}$, $P_{16}$ lead to the reduction in the functionalities at the same time step T in the temporal plate;

(2)

The functionalities of the system $P_{11}$, $P_{12}$, $P_{16}$ decline to the minimum and then recover slowly; the functions of their functionality have been known.

Based on the above assumptions, Figure 12 presents the network structure using the GeNIe3.0. A color code is used to distinguish the variables in the DBN. Nodes that are outside the box are static systems, which means that their functionality remains unchanged. Nodes in the temporal plate are dynamic, and their functionality will change over time steps. The failure variable interferes at the first time step. Using the DBN shown in Figure 12, we can obtain the dynamic change process of the NextGen capability (Figure 13). Based on the resilience analysis metric proposed in Section 4, the resilience result of the NextGen is 0.696.

In addition, we also analyze the impact of different degrees of development failures on NextGen resilience; the results are shown in Figure 14 and

Table 2. The impact of different degrees of development failure on the NextGen resilience.

Failure Degree	Capability Loss (${\int }_{{\mathit{t}}_1}^{{\mathit{t}}_3}\mathit{C}\left(\mathit{t}\right)\mathit{d}\mathit{t}$)	Recovery Time (${\mathit{t}}_3-{\mathit{t}}_1$)	Resilience
Nonserious failure	8.75	12	0.729
Moderate failure	9.74	14	0.696
Severe failure	10.16	16	0.635

. It can be seen that the higher the degree of system development failure, the worst the resilience of the NextGen. Therefore, reducing the capability loss and recovery time under various failure degrees can effectively improve the SoS resilience.

6.4. Resilience Design under Budget Constraint

We perform our resilience design method on the above NextGen case. By following the steps in Section 4.2, we calculate the ${\mathbb{R}}^{+i}$ and ${\mathbb{R}}^{-i}$ of each system. Algorithm 1 outputs the RSI as in Figure 15. An absence of system $P12$ has the highest impact on the resilience of the NextGen, and the absence of system $P_1$ has the lowest effect.

SoS system engineers can determine the budget allocation through the $RS{I}_i$ of the system $P_i$. And then, the allocated budget can be used to optimize the system functionality, so as to achieve the purpose of designing the SoS resilience. For each system $P_i$, its $f_{i,j}\left(t\right)$, ${\beta }_{i,L}$, ${\beta }_{i,T}$, $L_{Accept}$ and $T_{Accept}$ are all known, as shown in

Table 3. Known parameters of system $P_i$ in the NextGen.

System	${\mathit{L}}_{\mathit{i}}$	${\mathit{T}}_{\mathit{i}}$	${\mathit{\beta }}_{\mathit{i},\mathit{L}}\left(\mathit{\$}1000\right)$	${\mathit{\beta }}_{\mathit{i},\mathit{T}}\left(\mathit{\$}1000\right)$	${\mathit{L}}_{\mathit{Accept}}$	${\mathit{T}}_{\mathit{Accept}}$
$P_1$	40%	10	4.23	3.52	40%	7
$P_2$	60%	10	7.71	6.53	40%	7
$P_3$	50%	10	6.25	7.45	40%	7
$P_4$	70%	10	6.23	6.54	40%	7
$P_5$	60%	10	5.22	5.58	40%	7
$P_6$	60%	10	7.23	9.37	40%	7
$P_7$	50%	10	6.65	7.16	40%	7
$P_8$	50%	10	6.17	5.11	40%	7
$P_9$	50%	10	5.64	6.22	40%	7
$P_{10}$	50%	10	6.20	5.43	40%	7
$P_{11}$	70%	10	7.25	9.41	40%	7
$P_{12}$	70%	10	9.71	7.28	40%	7
$P_{13}$	60%	10	8.28	7.50	40%	7
$P_{14}$	40%	10	5.79	6.37	40%	7
$P_{15}$	40%	10	4.24	4.44	40%	7
$P_{16}$	70%	10	3.23	5.62	40%	7
$P_{17}$	60%	10	4.82	6.97	40%	7
$P_{18}$	40%	10	6.29	5.25	40%	7

. In order to discretize the optimization schemes and for the convenience of calculation, we assume that the values of $a_i$ and $r_i$ can only be taken from $(0,10\%,20\%,\dots ,90\%,100\%)$.

Now, the parameters for the optimization problem under budgetary constraints are ready. Firstly, we apply these parameters and optimize the budget allocation for a budget limit of $800,000. We take system $P_6$ as an example to demonstrate the budget allocation process. The $RSI$ of $P_6$ is 0.103 and the sum of the $RS{I}_i$ of all systems is 1.457; then, the total budget that $P_6$ receives can be calculated as $B_6=\$\mathrm{800,000}\times 0.103÷1.457=\$\mathrm{56,555}$. The optimization model of $P_6$ under budgetary constraints is established as follows:

$$\begin{array}{cc}\hfill & max{F}_{6,j}={\int }_{t_1}^{t_3}{f}_{i,j}\left(t\right)dt,\hfill \\ \hfill & \sum _j({\beta }_{6,L}{a}_{6,j}+{\beta }_{6,T}{r}_{6,j})x_{6,j}\le B_6,\sum _j{x}_{6,j}=1,\hfill \\ \hfill & 0.6\times (1-a_{6,j})x_{6,j}\le 40\%,\hfill \\ \hfill & 10\times (1-r_{6,j})x_{6,j}\le 7,\hfill \\ \hfill & j\in [1,n];0\le a_{i,j},r_{i,j}\le 1,\hfill \end{array}$$

(18)

Other systems can establish their own optimization models according to this. Solving the optimization models yields the solution in

Table 4. Optimal scheme for the budget limits of $800,000.

	${\mathit{P}}_1$	${\mathit{P}}_2$	${\mathit{P}}_3$	${\mathit{P}}_4$	${\mathit{P}}_5$	${\mathit{P}}_6$	${\mathit{P}}_7$	${\mathit{P}}_8$	${\mathit{P}}_9$	${\mathit{P}}_{10}$	${\mathit{P}}_{11}$	${\mathit{P}}_{12}$	${\mathit{P}}_{13}$	${\mathit{P}}_{14}$	${\mathit{P}}_{15}$	${\mathit{P}}_{16}$	${\mathit{P}}_{17}$	${\mathit{P}}_{18}$
${\mathit{RSI}}_{\mathit{i}}$	0.020	0.087	0.067	0.110	0.083	0.103	0.053	0.083	0.080	0.083	0.127	0.140	0.090	0.040	0.027	0.130	0.103	0.030
${\mathit{B}}_{\mathit{i}}*$	10.98	47.60	36.61	60.41	45.77	56.56	29.30	45.77	43.94	45.77	69.57	76.89	49.43	21.97	14.65	71.40	56.75	16.48
${\mathit{a}}_{\mathit{ij}}$	0	20%	20%	60%	50%	30%	10%	10%	40%	10%	50%	30%	20%	0	0	60%	50%	0
${\mathit{r}}_{\mathit{ij}}$	30%	40%	30%	30%	30%	30%	30%	70%	30%	70%	30%	60%	40%	30%	30%	30%	30%	30%
${\mathit{C}}_{\mathit{ij}}*$	10.56	41.54	34.85	57.00	42.84	49.80	28.13	41.94	41.22	44.21	64.48	72.81	46.56	19.11	13.32	66.24	53.01	15.75

* The units of $B_i$ and $C_{i,j}$ are both $1000.

. We calculate the initial resilience metric of the NextGen in the case of Table 3, and the result is 0.51. The optimal investment in Table 4 with a total cost of $743,372 improves the resilience level to 0.72.

To find out the effect of different budget limits on the resilience, further experiments are made on different budget scenarios. We choose the values of $400,000, $600,000, $800,000, $1,000,000, $1,200,000 and $1,400,000 for the budget limit. For all these budgets, we find the corresponding improvement in the NextGen resilience (Figure 16).

As can be seen from Figure 16, before the budget constraint reaches a certain threshold, the resilience is proportional to the amount of budget, and the greater the budget constraint, the better the resilience of the NextGen. For the budgets of $1,200,000 and $1,400,000, the optimal scheme yields the same amount of investment ($1,101,480), and the optimal solution remains the same. Hence, the highest budget needed to enhance the resilience of the NextGen is $1,101,480.

7. Discussion and Conclusions

The interaction among the constituent systems within an SoS induces interdependencies that are critical to achieving the SoS capability. This system interdependency can also lead to cascading failures in the SoS. In order to better analyze the complex interdependency within an SoS, we formulate a general hierarchy structure to fuse information from the system level to SoS capability level via the activity level. Then, the SoS capability at a certain moment is analyzed through the BN with certain conditions on constituent systems. A DBN is a BN extended with additional mechanisms that are capable of modeling influences over time. It extends the classical BN by adding the time dimension. Based on its features, we used a DBN to obtain the dynamic change process of the SoS capability. The resilience metric suggested by Cimellaro was adopted and optimized, and a metric was introduced to measure the resilience-based system importance, which was used in the budget allocation optimization problem. The mathematical programming formulation was introduced to allocate a budget to systems while maximizing the resilience of the SoS within the budget. We adopted a novel method to reduce computational complexity by discretizing the optimization schemes. The optimal scheme determined the optimal level of enhancement in the system’s absorption and recovery time.

We applied our resilience analysis and design method on a Next Generation Air Transportation (NextGen) case and discussed the effects of different budget limits on the resilience of the NextGen. In the NextGen SoS, SoS system engineers can use the proposed method to evaluate the impact of combined NextGen technologies on the performance of the air transportation system. This method also enables the identification of the criticality of a NextGen technology in terms of performance improvement and the determination of the development order of the NextGen technologies, which reduces the risk of mission failure. Cost–benefit analysis provides a feasible design space given the cost and resilience improvement constraints, which allows SoS system engineers to select the best SoS design scheme for the given conditions.

The purpose of the case study is a demonstration of the proposed approach in a useful context. We are not making any validated, novel conclusions about the real NextGen decision-making problem due to the challenges regarding the lack of required information and very large research scope. But it does not mean that the case study of the NextGen is useless. On the contrary, the case study shows the benefits of using the proposed approach: to quantify propagating effects within an SoS, to analyze the capability and resilience level of the SoS, to identify the criticality of constituent systems, to analyze all possible resilience design schemes and select the optimal one, and to calculate the highest budget needed to enhance the resilience of an SoS. To analyze the case study, we use notional values for the input information and make many assumptions. Once the actual NextGen decisionmakers know the required inputs and their assumptions, they can use the approach proposed in this paper on their problems. So, this research provides a good guidance and reference for SoS system engineers to design a resilience SoS.

There are a number of limitations in the proposed resilience analysis and design approach. Firstly, the development and analysis process of BNs and DBNs involves a lot of subjectivity, which is unavoidable because one of the main characteristics of BNs is to replace missing data with expert knowledge. Another limitation is that as the size of the analyzed system or SoS and the number of components increase, the computational complexity of the BN and DBN increases exponentially while also involving more subjectivity. In addition, a BN is a directed acyclic graph, which limits the possibility of modeling the interdependence between two variables in real life. Finally, when modeling the DBN, determining which variables will affect other variables at another time step may be challenging.

This research is data-driven, and the computational complexity increases exponentially with the increase in the scale of the SoS. Therefore, more research is needed to develop faster and more efficient algorithms and to reduce the computational complexity. Design space exploration may be one of the research directions to address this issue. Additionally, we defined resilience metrics based on the robustness and recoverability viewpoints. SoS resilience can have other definitions according to different viewpoints: flexibility, redundancy and resourcefulness. They can also be core attributes of the SoS resilience. Hence, more work is needed to quantify other SoS attributes and incorporate them into the resilience analysis framework based on which more comprehensive resilience analysis metrics will be proposed. Finally, external environmental factors may lead to a sustained evolution of SoS capabilities/requirements. Thus, more research is needed to to develop a means that can consider SoS evolution issues.