A resilience assessment framework for complex engineered systems using graphical evaluation and review technique (GERT)

System resilience characterizes the capability of maintaining the required functionality under disruptions, which is of great significance in evaluating the productivity and safety of complex engineered systems. Although most studies conduct resilience assessment from qualitative and quantitative perspectives, system functionality that reflects functional requirements for complex engineered systems needs to be elaborated. In addition, given that complex engineered systems achieve dynamic performance during disruptions, measuring the actual performance under uncertainty is imperative. To this end


Introduction
The development of complex engineered systems has received growing attention in recent years.Engineered systems like aircraft, manufacturing systems, industrial processes, and electronic equipment have increased in complexity due to intricate interactions between components [1].Component states vary in the dynamic environment.Engineered systems suffer performance degradation and improvement due to the cascading effects of components [2].Furthermore, they are susceptible to external and internal disruptions, like technological issues, natural disasters, and intentional attacks [3].System performance is uncertain when such disruptions occur at random.Disruptive events lead to the failure of components and then affect the overall system because of the dependency between components.
Engineered systems include interconnected and interacted components with stochastic dynamics, which are called complex engineered systems [4].Components operate in different ways, and they are not organized by a central authority.Complex engineered systems are usually of high coupling and intractability.Given such characteristics, cause or failure-based thinking should be renovated to ensure both the productivity and safety of complex systems.System resilience plays a significant role in evaluating complex engineered systems [5].It characterizes the capability of maintaining the required functionality and recovering quickly under disruptions while acknowledging intrinsic uncertainty within a system [6].Resilience assessment has been carried out from both qualitative and quantitative perspectives.The resilience of complex engineered systems is a multifaceted capability, which can be described as anticipative capacity, absorptive capacity, adaptive capacity, and restorative capacity [7].A resilient engineered system can anticipate emergencies, absorb the negative effect of disruptions, adapt to disruptive situations, and restore to a sub-optimal state.In addition, system resilience is modeled as a time-varying function to reflect the dynamic performance of engineered systems.System impact and total recovery effort are considered to analyze critical factors of resilience measurement [8].However, the current research on functionality analysis and resilience-based performance evaluation is limited.
Functionality indicates the capability and the quality of providing the required functions [9].Complex engineered systems have various functions to complete the desired tasks [10].System requirements are shown when specifying task objectives.Only after that, functions that the system needs to implement can be identified.System requirements drive the desired functionality within the system.Different functions are requisite according to diverse task requirements.In general, functions are divided into primary functions and sub-functions.The former is implemented at the system level, while the latter is achieved by one or several components.Successful implementation of primary functions depends on the support of the corresponding sub-functions.The relationship between primary functions and sub-functions should be investigated, which facilitates figuring out the implementation of functions.Moreover, as the reliability of components is indeterminate under disruptions, it is difficult to determine whether the functions are implemented safely and efficiently.
Considering the changing environment, the actual performance of complex engineered systems is measured under uncertainty [11].Complex engineered systems achieve dynamic performance while implementing different functions according to task requirements.Their performance may degrade due to disruptive events and improve through adaptive and restorative actions.It is uncertain which components and functions are disabled resulting from the negative effect of disruptive events [12].As a consequence, the Bayesian network is deemed a powerful tool for dealing with uncertainty issues.It illustrates the relationship among interacting variables by a directed acyclic graph.Unfortunately, the Bayesian network requires listing all potential situations, which is hard for engineered systems with complicated structures.
In order to address these issues, a quantitative framework for the resilience assessment of complex engineered systems is developed in this paper.It not only carries out detailed functionality analysis but also evaluates the actual performance under uncertainty.The developed framework comprises three phases, functionality analysis, performance evaluation, and resilience assessment.Firstly, a functional tree is constructed to show the relationship between functions after identifying the overall objective of complex engineered systems.Secondly, Graphical Evaluation and Review Technique (GERT) reflects system performance in the changing environment.There are many uncertain factors in complex engineered systems under disruptions.Finally, resilience assessment is carried out in terms of anticipation, absorption, adaptation, and restoration abilities of a system.System resilience is a multifaceted capacity to be described with four capacities.Our major contributions are summarized as follows.
(1) System functionality is analyzed to determine functional requirements for complex engineered systems.In resilience engineering, preserving or enhancing critical system functionality is vital rather than maintaining the system configuration.The overall objective, primary functions, and sub-functions are determined according to task requirements.The components that support the corresponding functions are also identified.The relationship between functions is illustrated using a functional tree.(2) GERT method is employed to evaluate the actual performance of complex engineered systems under uncertainty, where system performance is used to measure functionality implementation.The implementation of various functions is represented in different situations by probabilistic branches and network logic.With limited information, system performance is quantified through the transfer function.
(3) The resilience of complex engineered systems is assessed in terms of anticipation, absorption, adaptation, and restoration.System resilience is multifaceted and should be characterized by more than one metric.Four capacities are measured to reflect system resilience during the whole operation process.
The remainder of this paper is organized as follows.Related works are reviewed in Section 2. Section 3 specifies the problem definition.The resilience assessment framework is developed in Section 4. Section 5 verifies the effectiveness of the developed framework through a case study.Finally, Section 6 concludes this paper.

Background
Complex engineered systems are subject to various disruptive events, resulting in performance degradation and complete failures.Such disruptions happen with increasing frequency in a high-risk operational environment.Resilience engineering has attracted much attention from researchers and practitioners.System resilience is defined as a system's capability of anticipating, absorbing, adapting to and recovering from disruptive situations.Complex engineered systems are expected to prepare for and effectively respond to disruptions.However, to some extent, researchers and practitioners focus too much on identifying the causes of accidents to prevent them.Resilience engineering aims to build a systemic ability to handle disruptions while co-existing with failures.
The concept of resilience is investigated from a qualitative perspective.Specifically, researchers and practitioners have presented several indicators of system resilience.Shirali et al. [13] explored the resilience definition considering safety culture and organizational factors.Safety culture factors involving schedule delays, safety committees, meeting effectiveness, safety education, worker's involvement, competence, safety training, primarily depended on managers' attitudes.Cai et al. [14] suggested that availability was regarded as a metric to assess the resilience of complex engineering systems.System structure was one of the critical factors affecting resilience, which could not be overlooked in resilience measurement.Cai et al. [15] introduced absorptive capacity, adaptive capacity, restorative capacity to describe the resilience capability of engineered systems.Resilience assessment was based on absorptive and restorative capacities, and adaptive capacity was deemed an enhancing parameter to characterize resilience.However, these capacities are insufficient to describe the actual performance of complex engineered systems during the operation process.Cai et al. [7] stated that anticipative capacity was a key attribute in enhancing resilience under disruptions.Anticipation refers to the capacity to predict and prepare for unexpected events, achieved through risk assessment, emergency plans, and maintenance.We follow the same idea to describe system resilience with four capacities: absorptive capacity, adaptive capacity, restorative capacity, and anticipative capacity.
There are multiple studies addressing resilience quantification with different approaches.Wu et al. [16] showed an annual composite resilience metric using the compound Poisson process.A cascading failure model was established in order to identify the failure propagation pattern.Wu et al. [17] discussed system resilience as a time-varying function.Disruptive events, component restoration, and resilience strategy directly affected resilience analysis.Given that more than one performance measure was considered during resilience assessment, Specking et al. [18] carried out multiple objective decision analyses to assess resilience employing two methods.The first method quantified system resilience in the value hierarchy, and mission resilience was calculated in the second method.From this, an extension was proposed for complex engineered systems by Zarei et al. [19].A decision-making framework for resilience assessment was proposed to address possible failure modes along with the increasing complexity of engineered systems.A fuzzy hybrid multicriteria decision-making (MCDM) technique was employed to determine the weights of metrics and rank the performance of components.In addition, the resilience assessment of complex engineered systems proceeds with simulation experiments.Zarei et al. [20] implemented a fault scenario-based simulation to simulate system response to disruptive events.A scoring function was shown to estimate the expected cost of fault response.Patriarca et al. [21] concentrated on resilience assessment at a technical level using a simulation model.System performance was improved within the specific recovery time when there was an adverse event impairing the system.Unfortunately, simulation results cannot reflect the actual performance of the system.
To this end, Tong et al. [22] applied the functionality curve of the system to quantify resilience, emphasizing the adaptation and recovery process.System functionality changes over time due to the negative effect of disruptions.It is not fully achieved until the system repairs all failures [23].Moslehi and Reddy [24] characterized the resilience of complex engineered systems based on functionality loss.A complex engineered system was required to implement several functions for task completion.Although focusing on functionality analysis, the implementation of multiple functions and the relationship between functions were not illustrated.Moreover, the variability of system functionality leads to uncertainty in performance evaluation.The complexity of the system itself and the dynamic environment make it difficult to measure the actual performance of complex engineered systems [25].Hurford et al. [26] balanced stakeholder interests for the system after uncertainty identification.Multiple facets of system performance were supposed to be expressed in the context of complexity.Madni and Sievers [27] introduced a contract-based approach to deal with uncertainty during task achievement.Probabilistic modelling and testing were combined to promote system verification.Zhang et al. [28] introduced a non-linear function to depict restorative actions during resilience measures, where absorptive and restorative capacities were refined at the component level.Dynamic Bayesian network is a powerful tool for uncertainty issues [29,30].It conducts probability analysis that describes causal dependency among interacting variables using nodes and links.However, the change in variable states cannot be quantified.The GERT method makes up for the deficiency, where the transfer function is used to express variability between nodes.
The current approaches have made great contributions to the resilience assessment of complex engineered systems, but there are insufficiencies in functionality analysis and performance evaluation.Given that a complex engineered system aims to achieve multiple functions according to task requirements, the implementation of various functions and the relationship between functions need to be elaborated.On the other hand, the actual performance of complex engineered systems should be quantified under uncertainty.Bayesian network is limited in describing an engineered system with a complicated structure in a dynamic environment.For example, a satellite comprises an antenna, transponder, software, solar panel, and battery, where components cooperate to perform all kinds of functions.Functionality such as data transmission and data processing need to be implemented, but it is uncertain when to perform these functions.The system state is difficult to be determined without understanding functionality implementation.Resilience assessment would be inaccurate when the result of performance evaluation is inconsistent with the actual situation.

Problem definition
A complex engineered system comprises many components to implement the desired functionality, where components cooperate to achieve complicated behaviors.Typical examples of complex engineered systems include aircraft, manufacturing systems, industrial processes, and electronic equipment.They are vulnerable to disruptive events such as natural disasters, intentional attacks, and technological failures.Due to the interdependency and interactions between components, these systems suffer performance degradation and complete failures.
The term functionality refers to the capability and the quality of providing the required functions.A complex engineered system is supposed to implement functionality to achieve system objectives.It usually carries out more than one function according to task requirements.Given that different functions execute various tasks, functions are divided into primary functions and sub-functions.Primary functions are provided by the whole system, and a few components are responsible for one sub-function.Generally speaking, a primary function is implemented with the support of several sub-functions.It is imperative to determine the dependency between primary functions and subfunctions.In this way, system functionality can be illustrated in detail when complex engineered systems work.
System resilience refers to the capability of maintaining the required functionality and recovering quickly under disruptions.It is a multidimensional concept that reflects system performance during the actual operation, described in various aspects.A resilient complex engineered system can anticipate adverse events, absorb the negative effect of disruptions, adapt to the disturbed condition, and restore to a sub-optimal state.However, complex engineered systems obtain dynamic performance in the changing environment, especially in disruptive situations.
The actual performance of complex engineered systems is difficult to be evaluated in resilience analysis.System performance varies with disruption and the system's ability to respond.On the other hand, implementing multiple functions exacerbates the uncertainty in performance evaluation.Which functions implemented together cannot be determined when the current task is accomplished.Complex engineered systems are significantly affected due to the negative effect of disruptive events.Some components are destroyed and operate abnormally, making sub-functions and primary functions disabled.
Concerning the resilience assessment of complex engineered systems, the most promising approach is to analyze functionality at a system level and evaluate performance quantitatively.After being identified, primary functions and sub-functions are depicted in a hierarchal structure.The relationship between functions is expressed as well.In addition, system performance is measured under uncertainty.Several types of functions are implemented with certain probabilities based on task requirements.Given the unknown reliability of components, the contribution of functions to system performance varies in different situations.

The developed framework
This section develops a resilience assessment framework for complex engineered systems.It determines system functionality supported by various functions and evaluates the actual performance under uncertainty.Four metrics are employed to quantify system resilience before, during and following events.Fig. 1 shows the developed framework consists of three phases, including functionality analysis, performance evaluation, and resilience assessment.Firstly, the overall objective of a complex engineered system is determined before a variety of functions required by the system are identified.A functional tree is employed to present the complicated relationship between functions.Moreover, the actual performance of the system is evaluated under uncertainty during disruptions.To quantify functionality implementation, system performance is used to describe the process of task accomplishment.Given that the effect of disruptive events on the system and the implementation of functions are uncertain, system performance is measured using the Graphical Evaluation and Review Technique (GERT).Last but not least, resilience is defined as a system's capability of anticipating, absorbing, adapting to and recovering from disruptive situations.The resilience of complex engineered systems is too multifaceted to be defined by a simple metric.These four capabilities describe system resilience comprehensively.They can also be viewed as the four general stages in that a system undergoes a disruptive condition.The proposed metrics are designed to assess these four capabilities by modeling the system performance variation subject to a disruption.

Functionality analysis
Functionality analysis is fundamental to understanding functional requirements for complex engineered systems.Basic functions that support system operation are identified before mapping to physical components.Functionality analysis is performed at different levels, such as sub-subsystem and system levels.It usually starts with obtaining system objectives according to task requirements.All indispensable functions and components are listed, while no indispensable function and components are included.Functional architecture is eventually specified, describing the relationship between functions and components.
A complex engineered system aims to provide the required functionality under disruptions.A series of activities are performed when it is confronted with various tasks.To be specific, different functions are implemented according to task requirements.To achieve the objective of a task, an engineered system is generally equipped with primary functions and sub-functions.Primary functions are implemented at the system level, which is provided by the whole system.Whereas several components collaborate to support one sub-function.Multiple subfunctions facilitate the implementation of one primary function.
It is imperative to determine the relationship between primary functions and sub-functions for the purpose of analyzing system functionality.Therefore, functional tree [31] represents complex engineered systems from the functional perspective.The effect of component behaviors on system functionality is also reflected through various branches.There are four basic elements: the overall objective, primary functions, sub-functions, and components.Primary functions deriving from the overall objective are decomposed into sub-functions.Aiming at functionality analysis, primary functions are complex and need to be split into simple sub-functions.Moreover, necessary components are identified to perform the corresponding sub-functions.The reliability of necessary components directly impacts the proper implementation of sub-functions.Primary functions are further influenced due to the dependency between functions.Functionality analysis for a complex engineered system is carried out by following six steps.
Step 1: Determine system boundary System boundary is regarded as an interface between the complex engineered system and the environment.The components make up the complex engineered system within the system boundary, which cooperate to achieve complicated behaviors.The residual components belong to other systems in the environment.System boundary allows all systems to coexist in the environment and develop their independence.Through interacting with the environment, a complex engineered system transforms materials and information into the desired output, such as services and products.Step 2: Determine the overall objective of the system Objectives are supposed to comprehensively reflect the required results achieved by the system.The overall objective of a complex engineered system is to accomplish specific tasks successfully.The quality of task accomplishment is also mentioned in task requirements.Concerning different tasks, the complex engineered system is equipped with several objectives.It shows diverse performance to achieve overall objectives during the operation process.It is necessary to describe overall objectives quantitatively, which lays the foundation for identifying indispensable functions of the system.
Step 3: Identify the system functions needed for this objective System functionality refers to the capability of the system that exchanges resources with the environment.To be specific, it executes a series of processing activities after obtaining material, energy, and information from the environment.The desired output is produced in a timely and effective manner.The implementation of functions depends on system structure, where the complex engineered system with intricate structure tends to have advanced functions.A complex engineered system implements several functions to achieve the overall objective.A single function cannot satisfy strict task requirements.
Step 4: Identify sub-functions of the primary function In a complex engineered system, functions are classified into two forms: primary and sub-functions.Primary functions are directly correlated to the overall objective of the system.Sub-functions aim to support the smooth implementation of primary functions.Several subfunctions are integrated into one primary function to achieve system objectives.The relationship between primary functions and subfunctions needs to be established.In addition, primary functions are performed by the entire system, while one or several components provide sub-functions.
Step 5: Identify the association of system components with these subfunctions System components are vulnerable to various disruptions, resulting in performance degradation and complete failures.Their behaviors determine the implementation of the corresponding sub-functions.The collection of components to perform a sub-function is identified in this step.In practice, the reliability of components is calculated based on the Fig. 2. Functional tree.
S. Geng et al. observed data.Whether these sub-functions are implemented is therefore demonstrated.Furthermore, practitioners and researchers understand the degree of functionality implementation according to theoretical knowledge and personal experience.
Step 6: Organize the identified functions in a hierarchical structure The identified functions involving primary functions and subfunctions are listed in a hierarchical structure, as shown in Fig. 2. The functional tree has three basic elements, such as the overall objective, all indispensable functions, and components.The highest level places the overall objective of the complex engineered system.Primary functions and sub-functions are organized at the second and third levels.The components related to sub-functions are set at the lowest level.In this way, system functionality and the relationship among objectives, functions, and components are elaborated using a functional tree.

Performance evaluation
System performance describes the process of task accomplishment, which is employed to reflect functionality implementation.Components exhibit dynamic behaviors during the operation process, leading to the varying performance of complex engineered systems.They suffer performance degradation due to disruptive events and performance improvement caused by adaptation and recovery actions.These actions aim to help systems resume normal operation after disruptions, including reorganizing system structure, adjusting operational strategies, and maintenance.Given the interdependency between components, the failure of a component may affect other components.A complex engineered system performs multiple functions using the related components.Implementing functionality is uncertain when the complex engineered system is threatened by disruptions.It is indeterminate whether primary functions and sub-functions are implemented and meet task requirements.
System performance must be quantified before the resilience assessment of complex engineered systems.Performance evaluation aims to provide researchers and practitioners with insight into implementing the required functionality.Functionality variability is one of the insights that are generated.The changes in function implementation tend to impair the actual performance of the system.In regard to the changing performance, Graphical Evaluation and Review Technique (GERT) [32] is employed to measure the actual performance under uncertainty.
GERT is a powerful uncertainty analysis tool, allowing probabilistic representation of functionality implementation.On the basis of functionality analysis, a stochastic network model is constructed with a view to probability and consequence.Probability branches in modeling make it possible to perform various functions in different situations.The system's dynamic characteristics are expressed as well.A function is performed with uncertainty, and a probability distribution depicts the extent to which it is implemented.The order in which functions are implemented is described using network logic.Therefore, the actual performance of the complex engineered system is quantified with limited information.It is worth noting that GERT is applied to situations where the functionality is the sum of the corresponding functions.
GERT models a complex engineered system as a directed graph, denoted by nodes, arrows, and transfer flows.Various functions are represented by nodes, and arrows express the connectivity between functions.Transfer flow describes functionality variability between two nodes, shown by a transfer function.Fig. 3 shows the basic elements of a GERT network.i and j are sequence numbers of nodes.W ij indicates the transfer function between node i and node j.
The transfer function is defined to measure functionality increase in the complex engineered system.Executing a node brings about the corresponding increase in functionality.The transfer function demonstrates functionality implementation with probability, which is calculated using the moment generating function.Moment generating function describes variables that follow a certain probability distribution, facilitating to obtain transfer function.Let p ij and M ij (s) be transfer probability and moment generating function from node i to node j.Moment generating function is described by where functionality increases and the probability density function of functionality increase from node i to node j are represented by F ij and f(F ij ).A transfer function is the product of moment generating function and transfer probability, Due to the multiple functions provided by the system, there are more than two nodes in a GERT network.The equivalent transfer function is required to describe the entire network.According to the type of structure, the GERT network is divided into two categories, series network and parallel network.
• Series network Fig. 4 shows three nodes in series in the GERT network.Functionality increase from node i to node k is the sum of functionality increase of three nodes.Nodes are independent of each other, and the failure of one node disables the entire network.Thus, the equivalent transfer probability is p N (s) = p ij (s)p jk (s).Moment generating function from node i to node k is M N (s) = M ij (s)M jk (s) based on the elementary properties of moment generating function.The equivalent transfer function of the series network is • Parallel network Parallel network indicates only one transformation can be executed if functionality increases between nodes and has two options, as shown in Fig. 5.In other words, . There are two transfer flows from node i to node j in Fig. 4, denoted by W 1 ij (s) and W 2 ij (s).The equivalent transfer function of the parallel network is The transfer function is W N (s)| s=0 = p N if s = 0. Then the expectation of functionality increase is expressed by Fig. 3. Basic elements of a GERT network.
∂ ∂s Functionality increase is used to characterize the dynamic performance of complex engineered systems in a GERT network.Transfer probability reveals the possibility of function implementation.Whether one function is entirely performed is also elaborated, where functionality increase is described as a variable with certain probability distribution in different situations.
A complex engineered system has multiple functions to accomplish the required tasks.The overall objective, primary functions, and subfunctions are described by a function tree.To describe the actual performance of the system, a function tree is converted into a GERT network.Based on the functional tree in Fig. 2, the GERT network for the complex engineered system is obtained.Suppose each primary function has two sub-functions.Fig. 6 shows the process of functionality increase while completing a task.Node 1 and node 8 denote the overall objective and task accomplishment, respectively.Primary functions 1 and 2 are represented by node 2 and node 3. Sub-function 1.1, 1.2, 2.1, and 2.2 are described by node 4, node 5, node 6, and node 7. From node 1 to node 8, the system determines the overall objective, implements all indispensable functions, and eventually accomplishes the task.Node 4 and node 5 are serial-parallel.It is likely to implement more than one sub-function for task accomplishment.Transfer functions with certain distribution are used to reflect functionality increase between nodes.
As for the complex engineered system, functionality increase during task accomplishment is represented by the expectation of W N (s), Furthermore, the standard deviation is used to assess the uncertainty of the functionality performance,

Resilience assessment
System resilience is defined as a system's capability of anticipating, absorbing, adapting to, and recovering from disruptive situations.It is a multidimensional concept to describe complex engineered systems.Although complex engineered systems suffer performance degradation caused by various disruptive events, they are supposed to sustain normal operation by adjusting functions prior to, during and following events.Specifically, anticipation is imperative to avoid system damage before disruptions when complex engineered systems are equipped with predictive capability.Complex engineered systems need to absorb the adverse effect and adapt to the dynamic environment during disruptions.Absorption enables systems to resist the influence of disruptive events and operate robustly.Systems are also reconfigured for the purpose of adaptation to unexpected events.Last but not least, restoration necessitates the ability to sustain a sub-optimal state after disruptions.Therefore, system resilience is described from the perspectives of anticipation, absorption, adaptation, and restoration abilities.
Quantifying four capacities is essential to assess the resilience of complex engineered systems.General metrics for system resilience focus on the change in the actual performance under disruptions [33].This paper measures the difference between the actual performance and target performance to evaluate each capacity.There are different target performances for four capacities due to task requirements.Let P(D 1 ), P(D 2 ), P(D 3 ), and P(D 4 ) be target performance for anticipation, absorption, adaptation, and restoration.P(t) is the actual performance of the complex engineered system, which is obtained as the expectation of functionality increases in the GERT network.The initial performance of the system is P(t 0 ), where t 0 is the start time for system operation.At time t r , anticipative resilience (R 1 ), absorptive resilience (R 2 ), adaptive resilience (R 3 ) and restorative resilience (R 4 ) are expressed by R 1 , R 2 , R 3 and R 4 are from zero to one.A large value of a single capacity is obtained when the difference between the actual performance and target performance is small.A larger value indicates that the system presents better resilience in terms of respective capacity.For example, the system has perfect anticipative capacity if it gains R 1 with one.A complex engineered system is considered resilient once achieving outstanding performance in four capacities.Fig. 6.GERT network for a complex engineered system.
S. Geng et al.

Resilience analysis
Given that system resilience is reflected in various aspects, an overall assessment of how well a complex engineered system does on resilience is not provided.The developed framework aims to characterize system resilience with four capacities and expand the system potential for resilient performance.The capacities of a complex engineered system are graphically represented by a radar chart.A radar chart [34] comprises several equi-angular spokes, with each spoke depicting one capacity.The length of a spoke illustrates the value obtained for the capacity.The longer the spoke, the better the capacity.Fig. 7 shows the resilience of a complex engineered system with regard to anticipation, absorption, adaptation, and restoration.There are two radar charts that describe system responses to different disruptions.Compared to disruption 2, the system performs better absorptive and adaptive capacities while presenting poor anticipative capacity under disruption 1.Therefore, the system should improve predictive capability and take appropriate actions in advance for disruption 1.As for disruption 2, more activities are required to guarantee that the system can absorb the negative effect of the disruption and adapt to the disturbed condition.The radar chart is a scenario-based method that reflects anticipation, absorption, adaptation, and restoration abilities.As for a particular scenario, a radar chart is generated based on the actual performance of the system.System resilience is compared through multiple radar charts when there is more than one scenario.Note that the proposed framework assesses system resilience under a single disruption.

Case study
Satellite networks are regarded as significant infrastructure to provide users with communication services.They are superior to terrestrial networks since they rely on satellite communication without the support of ground infrastructure.Satellites move in orbits and support remote communication without any ground station.For instance, emergency information about rescue is passed through satellite networks when natural disasters destroy ground infrastructure, including data receiving stations and gateway stations.According to orbit altitude, satellites are classified into three forms, geostationary earth orbit (GEO), medium earth orbit (MEO), and low earth orbit (LEO).GEO satellites fly at an altitude of 36,000 km, and their travel speed is the same as the rotation of the Earth.They generally provide low-speed data transmission, such as broadcast TV and weather data.MEO satellites are capable of flying at 5000 km to 2000 km and are used to support data connection with high bandwidth.LEO satellites operate at 500 km to 1200 km, which makes communication generate relatively low delay and cost.LEO satellites employ frequency reuse, multiple access, and spot beam technology to satisfy users' rapid communication needs.
With the advantages of global coverage and flexible deployment, LEO satellites have attracted more attention from researchers and practitioners recently.A low-orbit communication satellite flying at an altitude of 780 km in space is an example of complex engineered systems.Generally speaking, it travels 13.4249 revolutions per day and covers the earth with a diameter of about 4800 km.The satellite collaborates with 71 satellites to form a satellite network, offering users various communication services, such as voice communication, email sending, video conference, and web browsing.It has 960 channels for Kband transmission to communicate with users and satellites.
All communication services are provided by satellites in operation.The prerequisite for service provision is that the satellites operate well and can achieve the required functionality.Note that a satellite has finite energy and always requires available energy to maintain operation.As for a service request from users or satellites, the satellite executes a series of processing activities when there are available channels for data transmission.Then it makes routing decisions that transmit communication data to neighbor satellites or users.Data processing and transmission are completed with the support of independent components on a satellite.There are five components to make up a satellite, including an antenna, transponder, software, solar panel, and battery [35].These components play different roles in functionality implementation during service provision.Sending and receiving signals are executed by antennas, and a transponder is used to receive data.Software is responsible for multiple processing activities like transparent forwarding, baseband processing, and resource allocation.The satellite harvests energy from the sun using solar panels and stores energy in a battery.
Satellites are susceptible to unexpected events like natural disasters and intentional attacks, causing performance degradation and communication interruption.It is quite necessary to assess the resilience of a satellite system, and figuring out the capability of the satellite to deal with disruptive events.In this section, the proposed framework is employed to carry out resilience assessment of the satellite.Satellite functionality is analyzed using a functional tree in Section 5.1.In Section 5.2, the actual performance of the satellite is measured under uncertainty, where various functions are implemented with determinate and indeterminate probability.The resilience assessment result is also obtained at a particular time.Four capacities of the satellite resilience, including anticipation, absorption, adaptation and restoration, are measured in Section 5.3.

Functionality analysis
A communication satellite performs multiple activities during service provision.The vital task of the satellite is to transmit a certain amount of data to other satellites or users.Apart from that, data processing and nominal operation should not be ignored.Communication data is sent only after it has been processed on the satellite.The satellite is required to ensure normal operation, whether it receives service requests.It is worth noting that all activities do not co-occur.Activities are performed according to task requirements and satellite reliability.Various functions, including primary and sub-functions, are required to carry out the related activities.The implementation of functions is uncertain due to the negative effect of disruptions.Moreover, it is not clear which sub-functions support a primary function.The relationship between functions is complicated.To this end, a functional tree is applied to analyze functionality to understand functional requirements for the satellite.As for the satellite, functionality analysis consists of seven steps as follows.
Step 1: Define system boundary A satellite comprises five components: an antenna, transponder, software, solar panel, and battery.Specifically, an individual component supports one or more functions.Without these components, the satellite cannot implement the required functionality to satisfy task requirements.Other satellites belonging to the satellite network are in the environment and keep interacting with the satellite during service provision.
Step 2: Determine the overall objective of the satellite Satellite networks can achieve rapid communication between users.They are particularly critical for users who live in remote areas, where ground communication infrastructures like data receiving stations and gateway stations are often inadequate.The overall objective of the satellite is to provide communication services, including voice communication, email sending, video conference, and web browsing.
Step 3: Identify the satellite functions needed for this objective The satellite is required to be equipped with multiple functions to complete the overall objective.First, communication data is transmitted to other satellites or users when the satellite maintains normal operation.In addition, the satellite needs to perform a series of processing activities before sending communication data.Finally, the satellite always supports nominal operation regardless of service requirements.
Step 4: Identify sub-functions of the primary function In order to transmit the required data, the satellite carries out data receiving and sending.Various processing activities like transparent forwarding, baseband processing, and resource allocation are performed according to service requirements.Different types of data need to experience diverse processing activities.Some only conduct transparent forwarding, while others require three processing activities.As for nominal operation, the satellite goes through energy harvest and consumption.
Step 5: Identify the association of satellite components with these sub-functions All components are of great value to achieve the required functionality under disruptions.An antenna is used for data receiving and sending.Furthermore, the signal is received from other satellites through a transponder.All processing activities depend on the support of software.Solar panels collect energy from the sun, and the available energy is stored in the battery.
Step 6: Organize the identified functions in a hierarchical structure After the above analysis, the objective of the satellite, system functions, and components are described in a hierarchical tree structure.Fig. 8 shows that the overall objective, primary functions, sub-functions, and related components are set in a particular order.Service objective is set at the highest level while components are placed at the lowest level.Primary functions and sub-functions are expressed at the second and third levels.

Performance evaluation and resilience assessment at a particular time
The satellite provides multiple functions according to service requirements.Data transmission, data processing, and nominal operation may not be performed simultaneously.Disruptive events exacerbate the uncertainty in functionality implementation as they will likely destroy components.System performance varies partially as a result of the interactions between components.Therefore, there is a wide spectrum of the potential implementation of primary functions and sub-functions.The actual performance of the satellite is challenging to be reflected.Aiming at addressing the issue, GERT is employed to evaluate the performance of the satellite under uncertainty.
The time for service provision in second is used to measure task accomplishment.In order to complete the required communication service, it takes time to transmit and process data while maintaining nominal operation.Elementary activities such as data receiving and sending are carried out with the support of components.A functional tree involving all elements related to satellite functionality can be converted into a GERT network, as shown in Fig. 9. Service objective is represented by node 1, and task accomplishment is denoted by node 12. Node 2, node 3 and node 4 are primary functions.That is, data transmission, data processing and nominal operation, respectively.Subfunctions data receiving, data sending, resource allocation, baseband processing, transparent forwarding, energy harvest and energy consumption are described by node 5, node 6, node 7, node 8, node 9, node 10 and node 11.Satellite increases functionality from node 1 to node 12 when providing a communication service.Transfer probability and moment-generating function describe the possibility and implementation of functions.The time spent on implementing various functions can be calculated with limited information.
The complicated relationship between functions is described with probability in the stochastic network.All components are in good condition at the beginning of the operation and then some components break down due to internal and external disruptions.In the meantime, every service requires the satellite to perform different functions.Considering the reliability of components and the implementation of functions, there are determinate and indeterminate transfer probabilities in the GERT network for the satellite.
It is generally assumed that a satellite with great performance is regarded as a resilient system.However, time consumption is not suitable for resilience assessment.After calculating the time spent on service provision using the GERT network, system performance is expressed as the speed at which the satellite completes communication services.Service speed is the ratio of the amount of data to the consumed time.Fast service speed means the satellite completes the required service efficiently.Suppose 10 packets be transmitted by the satellite.Let the Fig. 9. GERT network for the satellite.initial performance be 3 packets/sec.The target performance for anticipation, absorption, adaptation and restoration are set as 3.22 packets/sec, 3.18 packets/sec, 3.25 packets/sec, and 3.16 packets/sec, respectively.
The total time for task accomplishment is the expectation of W N (s), that is T = ∂WN(s) ∂s | s=0 = 3.869 seconds.A communication service from users requires the satellite to transmit 10 packets.System performance is the ratio of the number of packets to the total time, P = 10 3.869 = 2.58 packets/sec.With determinate probability, the resilience of the satellite is calculated in terms of anticipation, absorption, adaptation, and restoration.
The results show that the satellite presents strong restoration capability but poor adaptation capability.The desired performance is regained after disruptions through the backup setting.When the satellite is destroyed, resulting from the negative effect of disruptions, it is replaced directly by a backup satellite.Unfortunately, satellite failure cannot be detected immediately since the backup satellite checks the health condition of the working satellite at regular intervals.The satellite takes time to adapt to the changing environment and then take resilience actions.
(2) Indeterminate probability Another case is that transfer probability is indeterminate when there is limited observation data.As for a satellite without monitoring equipment, it is difficult to specify the state of components.What is worse, given that various communication services require the satellite to present different functions, the implementation of functions is uncertain.Transfer probability between functions is not bound to a particular value.It can be regarded as following a uniform distribution.Therefore, the probability range represents the actual implementation of functions in the GERT network, as shown in Table 2.
The equivalent transfer function of the GERT network is calculated 50 times employing Monte Carlo simulation.Then the time for service provision and the performance of the satellite are obtained, as shown in Fig. 10.It is found that the consumed time follows normal distribution N (3.876, 0.00016), where the standard errors of the mean and standard deviation are 0.0018 and 0.0013.The performance of the satellite is subject to N(2.580, 7.006e − 05 ).The standard errors of the mean and standard deviation are 0.0012 and 0.0008.The values of standard errors are small that the time for service provision and the performance of the satellite can be considered normal distributions.
According to resilience formulas, resilience values in terms of anticipation, absorption, adaptation, and restoration are calculated.These capacities satisfy normal distributions N(0.787, 7.785e − 06 ), N (0.800, 7.785e − 06 ), N(0.777, 7.785e − 06 ) and N(0.807, 7.785e − 06 ).The standard error of the mean and standard deviation are no more than 0.0004.The satellite also performs well in restoration capacity and possesses poor adaptation capability under the circumstance of indeterminate probability.Unlike the case with determinate probability, four capacities are measured with probability distribution.Transfer probability is represented by intervals rather than constants.In this way, it gives a more detailed description when there is limited data about the operation condition of the satellite.Fig. 11

Resilience assessment of the satellite
The resilience assessment of the satellite is based on the data about operation conditions.The actual performance of the satellite is quantified with determinate probability during the whole operation process.The curves of satellite performance are gained as well, as shown in Fig. 12.Four capacities describe the actual performance of the satellite, but they are described differently, resulting from measurement at different time periods.Anticipative capacity is reflected during the whole operation process while the remaining capacities are at a particular stage.Once the satellite anticipates a disruption, it adjusts operation strategies to improve its robustness.Compared to the performance without anticipation, effective strategies make the satellite perform better during the disruption, such as slowing the decline in satellite performance and achieving a more optimal state through resilient actions.There is a downward trend in satellite performance at the stages of measuring absorptive and adaptive capacities.The satellite tries to minimize the negative effect of disruptions by implementing processing activities.Due to using backup components, satellite performance rises gradually from the perspective of restoration.Fig. 13 shows satellite performance during the whole operation process.The red solid line and red dotted line indicates the actual performance with anticipation and the performance without anticipation.It is worth noting that anticipative capacity is measured during the whole operation process.The difference between satellite performance with anticipation and without anticipation highlights the importance of anticipative capacity.The green line, blue line, and orange line represent absorption, adaptation, and restoration, respectively.Satellite performance, a system-level property, is used to quantify these resilience capacities at different stages.We can observe the change of absorption and adaptation successively after disruptions.Restoration capacity cannot be reflected before taking effective recovery actions.
According to formula ( 6)-( 9), we assess the resilience of the satellite in terms of anticipation (R 1 ), absorption (R 2 ), adaptation (R 3 ), and restoration (R 4 ).When the satellite presents absorptive, adaptive, and restorative capacities, packet transmission speed is reduced or increased in response to disruptive events.As for anticipative capacity, there are two different cases when the satellite predicts a disruption that has a negative impact on performance.In the first case, transmission speed is increased in order to compensate for the potential reduction caused by the disruption.In the second case, the satellite applies the defense mechanism that refuses to transmit data, protecting it from disruption.The value of R 2 is the biggest among the four values of these capacities, whereas R 3 and R 4 achieve the smallest value.Two radar charts describe the resilience of the satellite in terms of anticipation, absorption, adaptation, and restoration, as shown in Fig. 13.It can be inferred from Fig. 14(a) that the satellite presents strong absorptive capacity, absorbing the adverse effect of disruptions.However, it makes relatively poor adaptation to the changing environment.The satellite is greatly affected once neighbor satellites are damaged as it cannot communicate with others.In addition, recovery actions need to be further improved,  which enables the satellite to maintain a sub-optimal state after disruptions.Improving the reliability and maintainability of the satellite is beneficial to enhance adaptive and restorative capacities.In addition, anticipative capacity has a direct effect on the remaining capacities.Fig. 14(b) shows the resilience of the satellite when the satellite presents poor anticipative capacity.Besides anticipation, absorption, adaptation, and restoration obtains lower value.It is because great anticipation provides the opportunity to adapt to, and restore from disruptions efficiently.

Conclusion
Resilience assessment is of great significance in evaluating complex engineered systems.Complex engineered systems generally implement multiple functions to accomplish the desired tasks.This requires detailed analysis to establish the relationship between functions.In addition, due to the negative effect of disruptions, it is difficult to determine whether the functions are implemented safely and efficiently.The actual performance of complex engineered systems should be measured under uncertainty.Given these factors, this paper develops a quantitative framework to conduct resilience assessment of complex engineered systems.The proposed framework consists of three phases, functionality analysis, performance evaluation, and resilience assessment.System functionality is analyzed by a functional tree, where the overall objective, primary functions, and sub-functions are elaborated.The GERT method is employed to address the uncertainty in system performance through probabilistic branches and network logic.On that basis, system resilience as a multifaceted capability is quantified in terms of anticipation, absorption, adaptation, and restoration.The developed framework can describe system functionality in detail according to task requirements.System performance is also measured with limited information considering uncertain factors.Four metrics are employed to assess system resilience in all aspects.The developed framework is used for systems with clear functionality requirements.Primary functions and sub-functions are listed when analyzing a particular system.
For future research direction, operational data should be analyzed to facilitate resilience assessment.Some engineered systems are equipped   with sensors that collect data in real-time.Valuable information is selected to measure system performance after data processing.Moreover, appropriate restorative actions need to be determined for disruptions.Different types of disruptions that have diverse effects on system performance are also worth investigating.

Declaration of Competing Interest
The research being report in this paper titled "A resilience assessment framework for complex engineered systems using Graphical Evaluation and Review Technique (GERT)" was supported by Nanjing University of Aeronautics and Astronautics and Delft University of Technology.The authors of this paper have the IP ownership related to the research being reported.The terms of this arrangement have been reviewed and approved by the university in accordance with its policy on objectivity in research.

Fig. 10 .
Fig. 10.The time for service provision and the performance of the satellite.

Fig. 12 .
Fig. 12.The actual performance of the satellite.

Fig. 13 .
Fig. 13.Satellite performance during the whole operation process.

S
.Geng et al.

Table 1
Transfer functions with deterministic probability.

Table 2
Transfer function with indeterminate probability.