Engineering design under uncertainty is no longer a blind spot: a new methodology developed at MIT systematically incorporates uncertainty into every step of the co-design of complex technical systems – from unmanned aerial vehicles and autonomous vehicles to air traffic and regional transport networks. Instead of relying on idealized component specifications or superficial "best/worst case" estimates, the approach models entire distributions of outcomes and their interdependencies and displays clear trade-off maps that link performance, cost, mass, and mission constraints.
Why this is important for autonomous systems and digitized mobility
Whether it's a delivery drone that has to fly through wind and rain, a robot that combines imperfect sensors with variable algorithms, or an infrastructure network where multiple operators share the same track, the overall system behavior is formed at the intersection of many uncertain parts. In practice, no component operates "exactly to spec," and the environment introduces additional variability. Traditional planning and optimization methods therefore often underestimate risk and overestimate system robustness. The new method explicitly breaks down all known and unknown sources of variation – from manufacturing tolerances and battery aging to meteorological conditions and variable loads – and combines them into a single, coherent representation of risks and benefits.
From boxes and arrows to compositional mathematics
The starting point is co-design: a complex problem is broken down into modules, "boxes" that represent sensors, actuator assemblies, power sources, control algorithms, or mission constraints. The modules are then "reassembled" so that the global optimum (or a set of Pareto-optimal solutions) can be found in a reasonable amount of time. The novelty in this variant is the introduction of an uncertainty model into each module. Instead of a single deterministic number, each box carries intervals, probability distributions, or parametric models that can be learned from data over time. The foundation is compositional mathematics, which allows the rules of composition and monotonic relationships between objectives (e.g., greater range ⇢ more battery mass ⇢ higher cost) to be preserved regardless of how the modules are permuted.
A practical consequence: the designer is not forced to choose between a simplified sensitivity analysis and a costly Monte Carlo "brute-forcing" of the system. Instead, they get a formalism that "knows" how uncertainty propagates through the network of modules, how trade-offs change when a battery or perception assembly is replaced, and how decisions are optimized for a target level of risk.
What the engineer actually gets: risk-aware trade-off maps
Instead of a single point or two extremes, the outputs are trade-off maps: expected performance values, quantiles (e.g., 5% and 95%), feasibility probability contours, and thresholds beyond which the system enters "risky waters." Such maps enable decisions that are aligned with the application context. In aviation, where safety is the primary criterion, a higher cost will be accepted if it drastically reduces the probability of failure. In logistics, provided the risks are quantified, a cheaper solution with a controlled risk of short downtimes in extreme conditions might be chosen.
Case study: choosing perception and batteries for a UAV in variable weather
In a demonstration example for an unmanned aerial vehicle (UAV), the modular co-design combines perception subsystems – stereo vision, LiDAR, and radar – with energy configurations, where the mission imposes constraints (range, payload, flight endurance, mass, budget). For the sensors, a "fixed accuracy" is not assumed; instead, distributions of detection capability depending on fog, rain, and low light are incorporated. For the batteries, instead of a single capacity figure, distributions of capacity and internal resistance, degradation over cycles, and temperature dependence are taken into account. The results are graphs that show how the probability of successful mission completion changes with flight time, meteorological conditions, and the choice of sensors and power supply.
This approach also yields unexpected insights. In scenarios with smaller payloads, where the emphasis is on low TCO, technologies like NiMH sometimes result in a lower expected lifetime cost due to their purchase price and simpler handling, despite their lower energy density. As the payload increases, Li-polymer (LiPo) or Li-ion typically take precedence due to their better Wh/kg ratio and ability to handle higher current pulses. The framework does not declare an "absolute winner" but instead shows for each payload and environmental condition what the probability of feasibility is and what the expected cost and range are.
An example of a precise decision: for a payload of around 1.75 kg, the trade-off maps might show that a certain battery configuration has a noticeable probability of infeasibility due to mass and discharge current limitations. Instead of a "yes/no," the manager gets a clear, numerical measure of risk and can weigh switching to another chemistry or redefining the mission (shorter range, a different level of redundancy).
From individual components to a "system of systems"
The reusability of the models makes the framework suitable for teams where everyone is responsible for their own "box": one team maintains the perception system, another the power system, and a third the planning and control. Because the mathematics is compositional, modules can be changed without violating global guarantees about monotonicity and constraints. This reduces the coupling between teams – a key feature when a project scales to larger systems like air networks or integrated transport ecosystems where multiple actors (e.g., railway companies) share infrastructure and have partially conflicting objectives.
How it looks in practice: operational steps
- Modeling modules with uncertainty. For each block, utility and cost functions are defined, along with the type of uncertainty (interval, distribution, parametric model). If experimental data is available, the parameters are learned; otherwise, the starting point is informed bounds and conservative assumptions.
- Composition and constraints. The blocks are connected into a co-design network that respects mission constraints (maximum mass, budget, target detection reliability levels, consumption limits).
- Trade-off analysis. Expected values, quantiles, and feasibility probabilities are calculated, and the sensitivity of the results to changes in assumptions (e.g., colder weather, stronger wind, a different task profile) is mapped.
- Iterations and "what-if" scenarios. Since the system is modular, it is possible to quickly replace a block (LiPo → NiMH, stereo → radar) and re-evaluate the risks and benefits without breaking the entire structure.
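The four steps above, worked on a toy UAV energy loop as an added example (not code from the article or from the MIT framework): each box carries a discrete distribution, the mass-energy loop is solved as a monotone least fixed point, and the feasibility probability comes from exact enumeration of scenarios. All numbers, names and the choice of fixed-point iteration are illustrative assumptions.

```python
from itertools import product

# Constructed sample data, not values from the article or the MIT work.
# Each "box" carries a discrete distribution {value: probability}.
BATTERY_WH_PER_KG = {
    "LiPo": {150: 0.2, 180: 0.6, 200: 0.2},
    "NiMH": {60: 0.3, 80: 0.5, 100: 0.2},
}
WEATHER_POWER_FACTOR = {1.0: 0.5, 1.2: 0.3, 1.5: 0.2}  # calm, windy, storm
HOVER_W_PER_KG = 150.0   # assumed power draw per kg of take-off mass
FRAME_KG = 1.5           # assumed airframe plus sensor mass
MAX_TAKEOFF_KG = 4.5     # mission constraint on total mass


def battery_mass(wh_per_kg, weather, payload_kg, hours):
    """Least fixed point of the monotone loop mass -> energy -> battery mass.

    Returns the battery mass in kg, or None when the mass limit is exceeded.
    """
    base = FRAME_KG + payload_kg
    m = 0.0
    while True:
        energy_wh = HOVER_W_PER_KG * weather * (base + m) * hours
        nxt = energy_wh / wh_per_kg
        if base + nxt > MAX_TAKEOFF_KG:
            return None   # iterates only grow, so no solution fits the limit
        if nxt - m < 1e-9:
            return nxt
        m = nxt


def feasibility(chemistry, payload_kg, hours=0.25):
    """Return (P(feasible), expected take-off mass given feasible)."""
    p_ok, mass_sum = 0.0, 0.0
    cells = BATTERY_WH_PER_KG[chemistry].items()
    for (se, p_se), (w, p_w) in product(cells, WEATHER_POWER_FACTOR.items()):
        m = battery_mass(se, w, payload_kg, hours)
        if m is not None:
            p_ok += p_se * p_w
            mass_sum += p_se * p_w * (FRAME_KG + payload_kg + m)
    return p_ok, (mass_sum / p_ok if p_ok else None)


if __name__ == "__main__":
    for chem, payload in product(BATTERY_WH_PER_KG, (0.25, 1.75)):
        print(chem, payload, feasibility(chem, payload))
```

Changing the chemistry or payload argument is the "what-if" step: the same composition is re-evaluated with one box replaced, and the feasibility probability shifts accordingly.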
What this method changes compared to classic tools
- More than edge cases: instead of focusing on "best/worst case," the entire spectrum of outcomes is considered.
- Integration with learning: parametric models allow for incremental updates as soon as new data arrives from the field, so the design "smartly" adapts over time.
- Scalability through composition: modularity and monotonic relationships prevent state-space explosion when expanding the system.
- Transparent trade-offs: decision-makers receive numerically grounded "heat maps" of risks and rewards, instead of black-and-white recommendations.
Applications: from the drone industry to railway networks
In the automotive and aviation industries, formal uncertainty modeling helps to detect risky combinations earlier and build a case for more expensive but more robust solutions where safety and reputational risk are priceless. In human-centric robotics – for example, in "last mile" delivery – the same framework helps to balance TCO and reliability under conditions of variable demand and weather. In public transport and railways, it opens up the possibility of coordinated co-design of fleets and schedules within a shared infrastructure, with explicit quantification of the risks of delays and congestion.
What about batteries: a realistic comparison from an engineering perspective
A typical engineering discussion about drone batteries often veers towards "datasheet" properties (specific energy, maximum current, mass). But in real missions, especially in the cold and under high loads, performance "breathes." Li-polymer (LiPo) offers higher energy density and better discharge rates – a plus for fast maneuvers and larger payloads – but requires discipline in protection, storage, and state-of-charge monitoring. NiMH is bulkier and has a lower energy density, but it is often simpler to handle, more resistant to low temperatures, and initially cheaper. If the total cost of ownership is optimized at the system level, considering the number of cycles and load distributions, it may turn out that NiMH, in the segment of smaller payloads and conservative flight profiles, shows a lower expected TCO, while LiPo dominates in scenarios where maximum range or power is the priority.
Metrics that make sense to optimize
Instead of a single "sacred" metric, this methodology allows for the simultaneous optimization of multiple objectives under uncertainty:
- Expected range and flight duration with quantiles (e.g., 5% and 95%) to plan for reserves and "bad days."
- Total Cost of Ownership (TCO) over the lifespan: purchase price, replacement, service, degradation, and the consequences of failures.
- Probability of feasibility – the chance that a combination of sensors, battery, and a given payload satisfies the mass and consumption constraints at all.
- Robustness to environmental conditions – how performance varies with wind, rain, fog, and temperature.
How to read the "trade-off maps"
Imagine the goal: to carry a payload of 1.75 kg. Instead of "YES/NO," the map shows areas with a low probability of infeasibility, transition zones, and domains with a high chance of failure. Such a representation allows one to consciously accept small risks where the benefits are large (significantly greater autonomy, lower mass), or to avoid configurations that are sensitive to minute changes in temperature and wind. This transforms an engineering decision from guesswork into a measured, transparent trade-off with risk.
The role of verification and safety guarantees
For domains where safety is paramount – road autonomy, aviation, robotics near humans – the compositional approach naturally integrates with formal verification and "contract-based" design. Each module can declare guarantees (e.g., maximum actuator current, minimum detection accuracy) and assumptions about the environment; the framework then checks whether these guarantees are compatible at the system level given the specified uncertainty distributions. This is how verifiable safety arguments are built that are understandable to both regulators and the industry.
Software and accessibility for teams
Although the theoretical basis is abstract, the idea is to offer libraries that hide the mathematical details. Through "adapters" for sensors, batteries, and control algorithms, teams can quickly assemble architectures, swap modules, and obtain new trade-off maps without rewriting code. This is particularly useful when multiple components are being worked on in parallel – the framework guarantees that modules can be changed without violating global constraints and that risk measures are consistently propagated through the system.
Broader implications: towards standards for learning-enabled systems
As learning-enabled components (LECs) are increasingly incorporated, it is necessary to formally frame their uncertainties as well. Compositional co-design with uncertainty allows risk metrics and guarantees to be "propagated" from the module to the system. This creates a common language for defining thresholds of acceptable risk and transparent processes for demonstrating safety.
What's next
Further development is heading in two directions. The first is computational efficiency: accelerating the solving of multi-dimensional trade-offs and improving scaling for large-scale problems. The second is multi-agent scenarios: situations where multiple companies co-design interoperable subsystems with different objectives and budgets – for example, regional transport ecosystems where railway companies share the same infrastructure but optimize for different performance indicators.
Date note: this text was prepared on October 03, 2025, and is aligned with the latest publicly available information on co-design under uncertainty and demonstrations on unmanned aerial vehicles.