- Email: [email protected]
Enterprise Thinking for Self-aware Systems
Bergamo, Italy, June 11-13, 2018 Proceedings,16th IFAC Symposium on Information Control Problems in Manufacturing Information Control in Manufacturing Bergamo, Italy, JuneProblems 11-13, 2018 Available online at www.sciencedirect.com Bergamo, Italy, June 11-13, 2018 Proceedings,16th IFAC Symposium on Information Control Problems in Manufacturing Bergamo, Italy, June 11-13, 2018
ScienceDirect
Enterprise Thinking for Self-aware Systems IFAC PapersOnLine 51-11for (2018)Self-aware 782–789 Enterprise Thinking Systems Enterprise Thinking for Self-aware Systems Enterprise ThinkingPatfor Self-aware Systems Turner* Peter Bernus** Pat Turner* Pat Turner* Ovidiu Noran** Peter Bernus** Peter Bernus** Ovidiu Noran** Ovidiu Noran** Pat Turner* *Architecture Services Pty Ltd (ASPL) [email protected] Bernus** **IIIS Centre forServices Enterprise Architecture Research and Management, *Architecture PtyPeter Ltd (ASPL) [email protected] *Architecture Pty Ltd (ASPL) [email protected] Ovidiu Noran** Griffith University {P.Bernus, O.Noran}@griffith.edu. **IIIS Centre forServices Enterprise Architecture Research and Management, **IIIS Centre forUniversity Enterprise Architecture Research and Management, Griffith {P.Bernus, O.Noran}@griffith.edu. Griffith Services University O.Noran}@griffith.edu. *Architecture Pty{P.Bernus, Ltd (ASPL) [email protected] **IIIS Centre for Enterprise Architecture Research and Management, Abstract: The paper aims to provide high-level guidance for architects of cyber-physical enterprises. We Griffith University {P.Bernus, O.Noran}@griffith.edu. propose suchhigh-level systems should be for largely self-determined, based on system selfAbstract:that Theinteractions paper aimswithin to provide guidance architects of cyber-physical enterprises. We Abstract: The paper aimsre-configuration, to provide guidance architects of based cyber-physical enterprises. We awareness and dynamic with should the architecture evolving onbased a set on of foundational propose that interactions within suchhigh-level systems be for largely self-determined, system selfpropose that interactions within such systems should be largelyevolving self-determined, based system selfprinciples, rather than being pre-defined bywith an external designer. We investigate the of typical awareness and dynamic re-configuration, the architecture based on asuitability set on of foundational awareness and dynamic re-configuration, the architecture set of foundational Abstract: paper aims to pre-defined provide guidance for architects of based cyber-physical enterprises. We development life cycles and identify high-level architectural challenges inevolving the context of on dynamic cyber-physical principles, The rather than being bywith an external designer. We investigate theasuitability of typical principles, rather pre-defined by an of external designer. investigate the suitability of typical propose interactions within systems should be largely self-determined, based system selfsystems that utilize thebeing power ofsuch the Internet Things. Desired systemic attributes are on defined, which development life than cycles and identify architectural challenges in We the context of dynamic cyber-physical development life and suitable identify architectural challenges inevolving the context of on dynamic cyber-physical awareness and dynamic re-configuration, architecture based a of set of foundational are necessary forcycles making corewith architectural choices. The application findings is systems that utilize the power of the Internet ofthe Things. Desired systemic attributes arethe defined, which systems that utilize the power of the Internet of Things. Desired systemic attributes are defined, which principles, rather than being pre-defined by an external designer. We investigate the suitability of typical exemplified through a case study, a synthesis of issues, andchoices. implications further research. are necessary for making suitable core architectural The for application of the findings is are necessary forcycles making suitable core architectural choices. application of the findings is development life and identify architectural challenges in theThe context of dynamic cyber-physical exemplified through a case study, a synthesis of issues, and implications for further research. Keywords: Internet of Things, Systems of Systems, Self-aware systems, Service Oriented Enterprise © 2018, IFAC (International Federation of Automatic Control) Hostingsystemic by Elsevier Ltd.research. All rights reserved. exemplified a case study, synthesis ofofissues, andDesired implications for further systems thatthrough utilize the power of athe Internet Things. attributes are defined, which Architectures; Enterprise SystemSystems Engineering; Self-organization Keywords: Internet of Things, of Systems, Self-aware systems, Service Oriented Enterprise are necessary for making suitable core architectural choices. The application of the findings is Keywords: Internet of Things, of Systems, Self-aware systems, Service Oriented Enterprise Architectures; Enterprise SystemSystems Engineering; Self-organization exemplified through a case study, a synthesis of issues, and implications for further research. Architectures; Enterprise System Engineering; Self-organization Keywords: Internet of Things, Systems of Systems, Self-aware systems, and Service Enterprise system's architect; whatOriented is outside, is interacted with, 1. INTRODUCTION Architectures; Enterprise System Engineering; Self-organization but belongs to the environment. system's architect; and what is outside, is interacted with, 1. INTRODUCTION system's architect; and what is outside, is interacted with, This paper examines the architectural consequences of the but belongs to the environment. 1. INTRODUCTION In the caseto of Sensor-based Networks and emerging but belongs the environment. recently acquired ability deploy a variety of a veryoflarge This paper examines the to architectural consequences the Internet of Things networks (IoT) this defined is In the case of Sensor-based Networks andboundary emerging This paper examines theactuators architectural consequences oflarge the system's architect; and what is outside, is interacted with, number of sensors and all levels systems, recently acquired ability to deployon a variety of aofvery In the case of Sensor-based Networks andboundary emerging 1. INTRODUCTION becoming increasingly fluid because at any moment in Internet of Things networks (IoT) this defined is recently acquired to deployon a variety ofconnectivity' aofvery large but belongs to the environment. and theof ability to 'grounded number sensorsability and establish actuators all levels systems, Internet of increasingly Things networks (IoT) this defined boundary is time what can / cannot be considered part of the system becoming fluid because at any moment in number sensors and actuators on all levelsconnectivity' of systems, This paper examines the architectural consequences of the (explained below) of systems to their environment. For and theof ability to establish 'grounded becoming increasingly fluid because at any moment in In the case of Sensor-based Networks and emerging mightwhat change to belost connectivity, time can /(due cannot considered part ofmalfunction, the system and theacquired to systems establish 'grounded recently ability to deploy a variety ofconnectivity' abe very large purpose ofability this paper, the term 'system' will used to (explained below) of to their environment. For the time what can /(due cannot belost considered part ofmalfunction, the system Internet ofmaintenance, Things networks (IoT) this defined boundary is overload, incomplete configuration, and so might change to connectivity, (explained below) of systems to their environment. For the number of sensors and actuators on allsystem, levels systems, describe a technical or socio-technical or purpose of this paper, the term 'system' will of be systemsused to might change (due to lost connectivity, malfunction, becoming increasingly fluid because at any moment in on, or due to the system actively but only temporarily cooverload, maintenance, incomplete configuration, and so purpose this paper, the term 'system' willconnectivity' be systemsused to and the of to establish 'grounded of-systems (SoS). In context, ansystem, 'enterprise' is an describe a ability technical or this socio-technical or overload, maintenance, and coso time canthe / cannot be considered parttemporarily of the system opting external services). on, orwhat due to systemincomplete actively butconfiguration, only describe a technical or socio-technical system, or systems(explained below) of systems to their environment. For the undertaking (SoS). embodied in acontext, Socio-technical System of of-systems In this an 'enterprise' is an on, or due to the system actively but only temporarily comight change (due to lost connectivity, malfunction, opting external services). of-systems (SoS). In ofthis 'enterprise' is the an purpose of this paper, the 'system' will be used to Systems. The subject thisterm paper isan how to architect Due toexternal themaintenance, number of sensors, actuators and interactions undertaking embodied in acontext, Socio-technical System of opting services). overload, incomplete configuration, and so undertaking embodied in a Socio-technical System of describe a technical or socio-technical system, or systemsEnterprise such that the nature of interactions within the many of these dynamic configuration changes must cobe Systems. The subject of this paper is how to architect Due to the number of sensors, actuators and interactions on, or due to the system actively but only temporarily Systems. ofthis this paper isan how to architect the Due toautomated, thethese number of sensors, actuators and interactions of-systemsThe (SoS). context, 'enterprise' is the an enterprise as asubject system could beof largely self-determined fully e.g., Machine to Machine networks Enterprise such thatInthe nature interactions within many of dynamic configuration changes must be opting external services). Enterprise such that the in nature interactions within the many automated, ofmay thesecompletely dynamic configuration changes mustfrom be undertaking embodied a Socio-technical System of based on system self-awareness and a set self-determined of foundational (M2M) remove the human actor enterprise as a system could beof largely fully e.g., Machine to Machine networks enterprise as asubject system bebeing largely self-determined fully toautomated, e.g., Machine to decisions, Machine networks Systems. The of could thisthan paper isahow to foundational architect Due the of actuators and interactions guiding rather pre-defined by the an direct involvement in sensors, the required and as a based onprinciples, system self-awareness and set of (M2M) maynumber completely remove the human actor from based ondesigner system self-awareness andinteractions a set of foundational (M2M) may completely remove thedecisions, human actor Enterprise such that the nature within many dynamic changes mustfrom external or architect. result –involvement atthese this level granularity and aggregation guiding principles, rather than of being pre-defined by the an direct of in of theconfiguration required and asbe–a guiding principles, rather than being pre-defined by an direct involvement in the required decisions, and as enterprisedesigner as a system could be largely self-determined fully automated, Machine to Machine networks subsystems toe.g., be of self-governing. Thisaggregation requires that–a external or architect. result – at need this level granularity and Architecting systems so that theyand manifest a high level of external or architect. result – at this level of granularity and aggregation based ondesigner system self-awareness a set of foundational (M2M) may completely remove the human actor from subsystems need be allowed to dynamically to be self-governing. Thischange requirestheir that– self-awareness, whilst ensuring compliance to Architecting systems so thatthan theybeing manifest a high level of subsystems need to be self-governing. This requires that guiding principles, rather pre-defined by an direct involvement in the required decisions, and as configurationsbewithout the to needdynamically for human intervention toa subsystems allowed change their Architecting systems so that ensuring they manifest a high level of foundational design principles, poses a significant number self-awareness, whilst compliance to subsystems be allowed to dynamically change their external designer or architect. result – at this level of granularity and aggregation fulfil the functional andthe non-functional requirements of the configurations without need for human intervention to– self-awareness, ensuring compliance to of quantitative and whilst qualitative challenges to the Designer. foundational design principles, poses a significant number configurations without the need for human intervention to subsystems need to be self-governing. This requires that System. Clearly, the boundaries of this self-determination fulfil the functional and non-functional requirements of the foundational design principles, poses a significant number Architecting systems so that they manifest highDesigner. level of There are a variety unique reasons and characteristics of quantitative and of qualitative challenges toa the fulfil the functional and non-functional requirements oftheir the subsystems be allowed to dynamically change need to be set on the architectural design level, and the System. Clearly, the boundaries of this self-determination of quantitative and whilst qualitative challenges to Designer. self-awareness, ensuring to self-aware that invalidate some thethe assumptions There are asystems variety of unique reasons andofcompliance characteristics of System. Clearly, of this self-determination configurations without the need for human intervention to adherence toset them be monitored by the System itself need to be onthe theboundaries architectural design level, and(thus the There are a variety of unique reasons and characteristics of foundational design principles, poses a significant number that are truesystems in traditional systems some architectures but can no self-aware that invalidate of the assumptions need to be set on be the architectural design level, and the fulfil the functional and non-functional requirements of becoming self-aware). adherence to them monitored by the System itself (thus self-aware systems invalidate some of to thethe assumptions of and that qualitative challenges Designer. longer relied-on by associated systems engineering thatquantitative arebe true in traditional systems architectures but canand no adherence to themthe beboundaries monitored by the System itself (thus System. Clearly, of this self-determination becoming self-aware). that are true in traditional systems architectures but canand no There are a variety of unique reasons and characteristics of enterprise architecture practices. The fluidity ofona the system’s boundary causes additional longer be relied-on by associated systems engineering becoming self-aware). need to be set architectural design level, and the longer be relied-on by practices. associated and self-aware systems that invalidate systems some of engineering the assumptions complexity problems for management and control, over enterprise architecture The fluidity of a system’s boundary causes additional adherence to them be monitored by the System itself (thus The system integrity assumption: normally, abutsystem's enterprise architecture practices. The fluidity of acomplexity system’s boundary causes additional that are true in traditional systems architectures can no and above the problems inherent in the complexity problems for management and control, over becoming self-aware). architecture establishes a boundary, so thatengineering the ainteraction The system integrity assumption: normally, system's complexity problems for management and control, over longer be relied-on by associated systems and organization of the system itself. Consequently, new risks and above the complexity problems inherent in the The system integrity assumption: normally, ainteraction system's between the system and environment controlled in architecture establishes a its boundary, so thatisthe and above the complexity problems inherent in risks the enterprise architecture practices. The fluidity of a system’s boundary causes additional emerge and a higher level design is needed to address organization of the system itself. Consequently, new architecture establishes boundary, so thatisthe interaction order to the ensure system integrity. What iscontrolled inside this between system anda its environment in organization of the system itself. Consequently, new risks complexity problems for management and control, over them. and a higher level design is needed to address emerge between system its environment isiscontrolled in The system integrity assumption: a system's boundary belongs toand the system andnormally, is designed by this the order to the ensure system integrity. What inside emerge and the a higher level design is needed to address and above complexity problems inherent in the them. order to ensure system integrity.and What is inside architecture establishes a boundary, so that the interaction boundary belongs to the system is designed by this the them. organization of the system itself. Consequently, new risks boundarythe belongs the its system and is designed by the between systemtoand environment is controlled in 795 Copyright © 2018 IFAC emerge and a higher level design is needed to address order to ensure system integrity. What is inside this Copyright © 2018 IFAC 795 them. boundary© to (International the system and is designed by the 2405-8963 2018, IFAC Federation of Automatic Control) Copyright ©belongs 2018 IFAC 795Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2018.08.414 Copyright © 2018 IFAC 795
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
The practical consequence for managers and architects is the need to learn new design patterns, organisational design rules, and methods to use them in strategic transformations. Also, the management of the system’s life cycle in such transformation needs new insight as well.
783
environment reaches a critical threshold; therefore, solutions to the design as well as management & control problems do not necessarily exist in current practices. For example, supply chains have evolved over time, and traditional management methods (together with solutions offered by information and communication technology) have achieved continuous improvement in supply chain performance. Nevertheless, the development of supply chains has followed a Design–Build–Use paradigm of development. This paradigm assumes that there is time to source information, verify stakeholder requirements, analyse their concerns, etc., so as to finally come up with a solution, build it, and utilize it. However, when it comes to dynamic, on-demand optimization and (re)configuration of supply chains, the paradigm has limits due to the speed at which human architects can devise and developers build a solution. Therefore, we argue that the design–build (and release to operation) activities must be automated so as to achieve the desired level of dynamicity, and must be performed ‘on the fly’, i.e., during Operations.
Assumptions about the System’s life cycle and its stages: In contrast to the typically assumed Design–Build–Use– Retire stages of a system's life (called life history stages in Enterprise Architecture (ISO15704, 2005) and life cycle stages in Systems Engineering (ISO15288, 2008)), the types of systems that we today envisage – i.e., systems that exploit the opportunities offered by sensing and acting on a much more granular level than before – are in fact evolving systems. Such systems change and grow organically, and the Design–Build–Use–Retire sequence assumption no longer paints a very realistic picture. This has consequences for how to manage change, innovation, portfolios, programmes and projects, and the associated transformations of the enterprise. In particular, the Design and Build stage would better be described as a stage of directed evolution, with part of the Build activities being performed during the Operation of the system. Operation involves i) all mission fulfilment activities of the system (its ‘use’), ii) all management and control activities of the system (including strategic- & tactical management, and operational & real time management – these latter two include dynamic selfconfiguration).
A specific problem explored in this paper (as part of the 'architectural challenges’ section) is the effects of automation on systemic properties, and what architectural measures are necessary to achieve and preserve them. This is a timely question because the rapid development in automation technology (robotics and various AI techniques) seems to leave behind the theory needed to support good architectural decisions that utilize them. 2. ARCHITECTURAL CHALLENGES OF DYNAMIC CYBER PHYSICAL SYSTEMS
In other words, the Operation stage (i.e., the time interval during which the system operates) also involves transformational activities / processes, such as minor (or even major) changes to the system itself, and this includes (re)design, (re)build as well as possible decommissioning of parts of the system itself.
The introduction argued that there is a need for automating part of the dynamic Design – Build activities of the enterprise. This does not mean that high level automation is going to do away with the need for architecting; rather, it is the focus of architecting that will change.
Following Bertalanffy's General Systems Theory (1968), such systems are ‘homeostatic open systems’ in spite of being in constant flux. (NB although Bertalanffy limited his discussion to biological organisms, the analogy stands for organisations as well.), This includes old parts being expelled and new parts being acquired, while systems tending to maintain identity and equilibrium (to be selfperpetuating).
For example, instead of the architect designing a solution to optimally configure systems into a system of systems, the architect will need to design a system that has a dynamic self-configuring function, such that the SoS keeps dynamically configuring itself (taking into account factors such as changing optimum criteria on various horizons, availability of resources, recognition of opportunities and market trends, and so on).
However, on a longer time-scale such a system is also selfevolving, i.e., it also has the property of a complex adaptive system (Miller & Page, 2007), which learns, and to some extent directs its own destiny, orchestrating the directed evolution of the parts, or of the whole. (Sometimes such systems may also be autopoietic, i.e. self-reproducing (Maturana & Varela, 1980)).
Automated dynamic configuration / reconfiguration of systems has existed for a long time, using various AI techniques, but currently this ability only exists in contexts with well-defined boundaries: e.g. in a factory workshop AGVs, robots, and machine tools can create a fit-forpurpose configuration; in a hospital a team is assembled for a complex operation, etc.
One may argue that these are not new properties of systems, so the problem is old, and therefore perhaps existing theories of systems design and of management & control are readily applicable to our cyber-physical systems. Unfortunately, one must realise that these properties of enterprises do not become the source of a substantial challenge unless the rate of change with which the enterprise must evolve and adapt itself to the
In a bounded context, the manageability and controllability of the system may be guaranteed by design. However, if the context becomes fully open, then significant challenges appear around the ability to adhere to desired architectural design principles for generating on-demand service models. For example, questions arise around long term survivability, validity, currency of operations, trust, 796
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 784
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
availability, and so on (further discussed in Section 3).
combination of services upon services exploiting core IoT products & services. We know that often a simple combination of services that are 'out there' may create an initially successful and innovative service offering, but ensuring the above systemic properties this can become problematic, as business architects must need guidance how to address the design of complex service systems in a situation where they have limited control over underlying 3rd party services (Rabelo, Noran & Bernus, 2015).
3. DESIRED ATTRIBUTES OF CYBER PHYSICAL SYSTEMS AND CORE ARCHITECTURAL DESIGN PRINCIPLES 3.1. Minimize or Curb Complexity The solution must minimize or curb the complexity of the SoS (including the complexity of the fundamental parts of the system, and that of the dynamically generated parts). Ideally, the solution would have a layered architecture, whereupon the complexity of one layer should not be visible from the layer above, thereby stopping or reducing complexity escalation. For our purposes, we say that the system is complex if it cannot be predicted to always satisfy its requirements. (Being complex is not to be confused with being complicated: in a complicated system the number of elements of the system, and the number of their connections & interactions may be high, but when implemented, the system is known to always be able to satisfy its requirements (Schwaninger, 2009).)
The problem is also relevant for providers of the underlying core services (e.g., IoT infrastructure services), because their success depends on the end users' ability to successfully use the infrastructure service over a long period of time. Given that infrastructure providers are few and end users are many, it is in the provider's interest to pro-actively develop architectural guidelines of use to help successful service composition and to establish an ecosystem that nurtures service innovation (Rabelo, Bernus & Romero, 2015). 3.3 Viability and Self-awareness
The architectural complexity-reduction of systems of systems using so-called ‘Axiomatic Design’ (Kandjani & Bernus, 2011) has several practical consequences, including the dismissal of the methodological approach that first creates a functional specification and only then maps it to a design solution. Even common iterative development- and project knowledge management approaches are unsuitable – such as agile development or DevOps – unless they apply the kind of iteration called ‘zig-zagging’ (which method is a consequence of axiomatic design). The techniques are easy for design teams to acquire, although in practice they are often ignored due to historical rather than technical reasons.
A fundamental 'ility' that needs to be singled out in this context is viability, which is the property of the system to self-preserve and remain in homeostasis, but at the same time co-evolve with its environment (Kandjani et al, 2014). According to Viable Systems Theory (VSM) (Beer, 1972; Hoverstadt, 2008) a viable system should be composed from viable systems. This property is essential for the long term survival and success of any larger system (such as an ecosystem, or a network of companies), and even for virtual ‘service entities’ created using the pool of competencies of contributors – where the horizons of management & control functions of these entities must match the horizons of their expected lifetime.
3.2 'Ilities'
By investigating the management and control functions of viable systems (See Fig.1.), and the above considerations, it follows that the SoS in question needs to maintain selfawareness on each level of aggregation. Self-awareness is defined here as the ability of the system to perceive itself in its environment, distinguishing the self from the environment and identifying the (dynamic / changing) relationships between the self and the environment, as well as with the constituents of the environment, including other systems. The authors prefer to extend this definition with the ability of controlled self-determination and negotiation, i.e., the ability to decide a course of action compatible with internalized principles and with agreed-on 'social contracts' between the SoS and other systems.
The architectural solution suitable as a foundation for creating cyber-physical systems must display a number of systemic properties ('ilities'), and the adopted architecture needs to ensure that these properties hold recursively for the systems of systems of systems etc..., (where the lowest level system is no longer a SoS). In this sense the lowest level systems are 'organisms', and all other systems above are 'organizations'. This requirement originates from the fact that in a SoS the design authority or architect of lower level systems is normally independent of the design authority / architect of the SoS. Thus, the services of the envisaged cyber physical systems are to be composed (on a particular SoS level) out of services provided by systems that were independently designed. Therefore, we need extra measures to ensure that service availability, trustability, accountability, security, scalability, manageability, longevity, maintainability, reliability, and quality on the SoS level are achieved and maintained (just to name a few important examples), and to keep complexity at a manageable level, this must preferably be achieved 'by design'.
Our system of interest (the SoS) has functions to provide services or to produce goods, but also must have functions to monitor the ability of the system to perform the function now and in the future (such as through monitoring the performance of the self and monitoring the environment). This is not usually the case with lower level granularity systems, and can cause unpredictability and brittleness on the SoS level. Details of the requisite functions of self-awareness relevant for the problem at hand will be discussed in
For example, a major challenge is innovation based on the 797
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
GRAI Grid (Doumeingts et al, 1980))
Section 4, but clearly, self-awareness & viability are necessary to ensure system homeostasis (maintaining all necessary 'ilities' discussed above), but when deemed necessary then self-evolve. When the SoS is a company for example, this self-awareness can be achieved by the human actors (of management & control) on each level of aggregation. With cyber-physical systems we must consider how to achieve self-awareness of these systems relying on little or no human participation.
Self-awareness on the real time and operational level: On the real time level, it is necessary to (for example) identify faults (of the self, or of external services), identify cyberattacks, or any other situation that demands action that flows as fast as the events of the process dictate, i.e., in a synchronous manner. This needs the constant evaluation of data streams and the interpretation of these to create timely situation awareness. Sensor networks and actuators create an opportunity to provide the necessary data to support this function, although this ability may also enable new forms of cyber-attacks that create fake data, or in a home automation/security application situation misidentification may result in the system attacking itself or the owner/s.
The proposal here is that the SoS in question, on any level of aggregation, is best thought of as a hybrid (humanmachine) system, as opposed to the traditional systems engineering view that divides the human and the machine early in the design, separately considering the organization of the system (which is automated) and the organization of humans (who are the ‘users’). The authors see no a-priory reason to separate human and artificial agents from the outset; in fact, this can cause significant challenges (e.g. if some agent functions cannot be automated then the architectural solution breaks down).
Due to human limits to act fast enough, self-aware behaviour on the real time- and operational levels must be completely or highly automated – which is a distinguishing trait of cyber-physical systems. For example, it is of critical concern that even at the operational (executable code) level some level of situation awareness (as an internal control) is still required. If not present, an ‘atomic service’ is open to compromise and may be executed in an improper fashion by an illegitimate 3rd party. Current systems do not have this ability, therefore cyber attacks that enter on a very low level may remain unnoticed. Building situational awareness (and the ability to respond to known and unknown situations based on available and newly arriving data in real time) is a candidate for handling constantly emerging Cyber Threats.
The advantage of this approach is twofold: a) we are not constrained by design to only implementing management functions that can be automated at any one time, and b) we do not separate the system along a boundary between two parts with substantial coupling (human-to-machine). The reader may remark that this approach is tantamount to architecting the cyber physical system as a multi-agent system. However, while the multi-agent systems community has been concentrating on fully automated individual- and cooperative agents, such as robot swarms, this approach chooses to not constrain these agents a priory to full automation, because that would be a preconceived implementation decision. The removal of this constraint allows for an independent evolution of agents that changes the level of automation in time but still preserves an architectural identity (style), and with that, longevity. Thus, by default the system always has a complete scope and all necessary levels of management and control, but as the system evolves, the level of automation changes (while preserving system identity).
Self-awareness on the tactical level: This level deals with identifying trends (in production, product, market, competition, resources, etc.), monitoring system health, pro-actively scheduling targeted activities, optimizing plans and schedules, scheduling maintenance, optimizing resources and switching resources / services if needed. Data streams from sensor networks may support better decision making, but a correctly implemented situation identification should also pinpoint any additional dataneeds required for situation disambiguation. Given the time horizon of tactical management, there is the option to choose a desired level of automation, and decide to automate some functions but not others, in order to satisfy some criterion other than functionality, such as investment efficiency / ROI. Nevertheless, considering the larger size of the decision space of cyber-physical systems, a higher than usual level of automation will likely be needed. For example, previously the rapid reconfiguration of a supply chain for a size-one-lot was outside the capability of supply chain management. However, with high automation level, and visualization for human decision making such optimizations will be in reach.
MissionI(productI&IserviceIstrategyI[I/O])I ResourceI&ICapabilityIstrategyI/IpolicyI
• •
Transforma onalIplanI&IgovernanceI Por olioI&IProgrammeImanagementI • •
IIIIISchedulingI&IOpera onalIControlI ResourceI&IProduc onIOp miza onI
StrategicII
• •
Tac calII
Iden tyI Rela onshipsI
ControlI&I feedbackI
AuditI&IAlertsI
EnvironmentI
OverallIManagementI • •
785
Opera onsI LocalIManagementI
Self-awareness on the strategic level: This level is observing internal trends vs. external trends (Kandjani et al, 2011), identifying strategically relevant situations (and, similar to the tactical level, identifying additional dataneeds necessary for situation disambiguation). This level is planning strategic action with respect to the goals of the
LocalIOpera onsI LabelsIofImanagementIfunc onsI‘x’IareItoIbeIreadIasI‘DecideIonIx’II
Figure 1. Recursive Management & Control functions of a viable system (a unified structure based on Beer’s VSM (1975) and 798
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 786
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
self, or modifies the goals themselves.
of the Design–Build–Use (operate) paradigm, rather than on demand dynamic architecture. This seems to be caused by 1) the low level of automation of self-configuration on the enterprise level, 2) unsatisfactory amount of decisionsupport information, and 3) trust issues.
Essentially, on a high level of aggregation (company and above) this function is traditional strategic management (albeit with better decision support). The function manages the system’s identity and mission, its role in the ecosystem, relationships to internal/external stakeholders, etc.
This is not to say that all companies or networks etc. do abide by this recursive management rule, and therefore those organizations may be viable on the level of the whole, but without their constituents being viable systems themselves. Relaxing the viability criterion (relative to the ideal case) increases the complexity of the SoS's management and control, because higher levels must take over part of the management of the contributing lower levels. With the expected explosion in the number of system constituents (due to the IoT) this may no longer be acceptable as management and control models can hit a complexity barrier. Thus, the sub-optimal but tolerable compromise in traditional systems may no longer be acceptable in the new dynamics of cyber physical systems.
On a medium level of aggregation, this function may monitor the health of an alliance vs. future needs and act before the alliance or the satisfaction of contractual obligations noticeably deteriorate. On low levels of aggregation this management & control function might be absent. Situation awareness on all levels A recurring theme on all levels discussed above is situation awareness (coupled with fast decision making ability) for effective and efficient action. The conditions of this to materialize are facilitated by the technological affordances of cyber physical systems (large number of intelligent sensors), machine learning / pattern recognition algorithms, and various data analytics techniques. However, highly automated situation awareness and supporting decision making requires a new form of intelligence: situated reasoning (Devlin, 1995; Goranson & Cardier, 2013), in order to create a fast and continuous narrative of the facts uncovered by the variety of data sources.
3.6 Reference Models, Guidelines, Techniques and Principles It is not enough to develop a generic reference model that guides the choices for the dynamic architecture of future cyber physical enterprises. It is also necessary to develop methodological guidelines and techniques that inform the architecting processes (some of which are to be automated). It is fair to expect that traditional enterprise architecting and systems engineering methods need either extensions or specific practically usable guidelines & techniques to address the above-discussed challenges.
This is a missing technology element (as of today), with only experimental implementations in existence and substantial research and development (R&D) implications. Situated reasoning and context level data analysis should go hand in hand: the analytics of large amounts of data can facilitate correct situation identification, but situated reasoning can identify the need for data that are not available at present, but could be used for situation disambiguation before a correct decision can be taken (Bernus & Noran, 2017).
One particular reference model that gained currency is the three-level preparedness-building paradigm (Afsarmanesh & Camarinha-Matos, 2005): Level 1 comprises a Virtual Enterprise Breeding Environment (VBE), which is the Ecosystem of players of an industry either locally or globally. Level 2 is populated with Enterprise Networks (ENs), which are a formal structure (originated from the Ecosystem), comprised of Ecosystem players that qualify to become members and subscribe to a set of shared rules & reference models (e.g. for interoperability), shared work practices & tools – including rules for service composition and management. Level 3 contains Virtual Enterprises (VEs) / Virtual Organizations (VOs) created by the Network in the form of temporary alliances to respond to some service need or opportunity.
3.5 Recursive architecture The rules of combination apply recursively, i.e., creating viable self-aware systems out of viable self-aware systems requires that each system's management (on every level) must have certain minimal functionality. This requirement is already evident in companies (where the company is an organization that consists of divisions (down to departments and groups etc.), all of which are themselves organizations. However, the rule does not stop at the company boundary: exactly the same rules apply to networks of companies, alliances, and various forms of virtual organizations in the supply chain.
In practice this has been implemented before, but only for individual service types, not individual service instances; with the ability of dynamic configuration the envisaged highly automated cyber physical systems could step over this barrier (within the framework of the above paradigm).
The ability to create a virtual service of manufacturing enterprise (and its embodiment as a virtual organization) has been on the agenda of industries for at least two decades (Goranson, 1999; Camarinha-Matos & Afsarmanesh, 2003). However, practical applications (Bernus, Noran & Riedlinger, 2002; Bernus, Molina & Noran, 2015; Vesterager et al, 2001; Pereda & Molina, 2013; Molina, Velandia & Galeano, 2007; Rabelo, Camarinha-Matos & Vallejos, 2001) remained on the level
4. CASE STUDY 4.1. The Telstra IoT Platform At this point, one may ask: how do the discussed core Design Principles align with the realities of emerging machine-to-machine (M2M) IoT networks? What is the 799
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
relationship between the expressed design principles and the currently available or emerging IoT infrastructure services?
787
devices there are effectively no other constraints on the use of the IoT network to deliver or receive services. The IoT network itself does not impose additional security or encryption standards – it is relying on native Device or Application level security constraints to enforce data and customer privacy standards. Also, while the Telstra IoT is an open mobile / wireless network relying on 3rd party providers and products to enforce security, users may choose to configure a virtual private network (VPN) that imposes Enterprise level security across all elements of the System (Telstra, 2015; Telstra, 2014.p57).
To attempt to answer such questions, this section briefly discusses a case study specific to the Australian context, namely the Telstra IoT network launched in July 2017 (Telstra, 2017), in fact the first commercial IoT PaaS. The discussion is based on Telstra’s Wireless Application Development Guidelines, IoT Platform Technical User Guide, and IoT Platform and Solutions Data Sheet (Telstra, 2014; 2016; 2017).
An important functionality required from all IoT devices approved for use is the ability to remotely update device firmware (‘firmware over the air’ (Gascón et al, 2011)). 4.2. Analysis of the IoT Platform – what it is and is not? The IoT platform as a service briefly described in 4.1 provides an infrastructure and environment, based on which end users can develop innovative solutions / services, using the ability to connect to a wide range of devices deployed in the field. The design principles discussed in Section 3 only have limited applicability regarding the platform itself, but as discussed in 4.3 will be very important for systems built on top of such a platform. (Nevertheless, some of the design principles still apply to the IoT platform itself.) (1) Self-awareness. There is no evidence of in-built selfawareness in the IoT network or approved products. The devices that meet required standards to operate in the mobile/wireless network are commercial products using protocols for interoperability, and these do not support the functionality required for self-awareness. The consequence is that self-organization of sensors and actuators is not yet possible, effecting overall availability and integrity of a sensor network (see ‘ilities’ below).
Figure 2. Telstra IoT offering (components) and their possible use by businesses (Source,1 used with permission)
New customers signing up for the Telstra branded IoT solution are buying pre-designed products and services bundled for use across the 4G mobile and wireless network, as a secure public Cloud infrastructure partitioned logically (built on top of Telstra’s physical Cloud Data Storage service).
(2) ‘Ilities’. Due to space limitations, Availability & Reliability are singled out here as examples, although other ilities would have similar status in terms of architectural treatment. The IoT network operator (Designer) cannot take full responsibility for end-user performance measures (even though built-in functionality exists to optimize the network’s performance). However, if the network was considered a SoS, then dynamic reconfiguration (allocation of functions to physical devices / processors etc.) could help further optimize network performance under less than ideal circumstances (such as connectivity loss, node failure, etc.). Another crucial ‘ility is Trustability. It is not entirely clear what is the trust-status of co-operating devices across the IoT network, or what are their limits of ‘fair use’ (e.g., what differentiates a large scale legitimate business use from a denial of service attack). Co-users of the IoT network (even if on separate VPNs) are in competition for resources (bandwidth, support and latency), especially in areas of congestion and cross-network dependencies that are outside their control. The current support arrangements and commercial contracts on offer do not discuss the
IoT customers are offered a Cloud based Dashboard (CRM- like UI) to monitor run-time data streaming from each of their configured Devices on the IoT network as well as some remote site control for these devices from the Dashboard console accessible via Phone, Tablet or Laptop. Telstra provides design recommendations for applications development based on the IoT network (Telstra, 2014), a list of best practices for optimizing performance / resource usage (for example how to optimize data transfer, reduce unnecessary signalling, achieve resilience when network conditions change, etc.). Apart from needing to operate on the existing Telstra mobile (wireless) network and spectrum and adhering to these high level technical recommendations, and utilising approved Telstra network routers and IoT end point 1
https://www.telstra.com.au/business-enterprise/solutions/internet-of-things 800
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 788
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
likelihood of cross network impacts of one service upon another, or sharing services across various eco-systems (sub-networks) that may arise across the IoT network.
components within the Master Control of the selfaware System itself (e.g., the Intelligent House (Swetha et al, 2017)). Whilst M2M Networks allow for open communications among devices and components, and remote control / management of these devices via console and dashboard UIs, this is not the same as having a commonly understood master controller environment with shared business logic and processes. What are the Social and Cognitive conditions (perhaps answered by Psychology, Behavioural Science, and Economics) that enable Human Actors / Agents to adapt to or be comfortable with such integration over which they have very limited control?
(3) Viability. End-users have fundamental interest in being able to rely on the IoT platform’s longevity – to protect investment and be able to plan to evolve the capabilities built in this way. For example, for a system built on the IoT platform to have long term viability (the ability to sustain itself and evolve as necessary on a longer time horizon) could be addressed in the future by architectural patterns that allow aggregating services into hybrid (human-machine) systems, thereby allowing the level of automation to change as needs and technologies develop, without fundamental architectural change being necessary. The question is ultimately also connected to complexity reduction (using the already mentioned techniques of axiomatic design (Suh, 2005; Kandjani & Bernus, 2011), which is essentially a technique to eliminate all unnecessary dependencies form a system of systems). Thus end users are well-advised to use the respective techniques to protect themselves from changes in the underlying infrastructure. Paradoxically, if the IoT Network actively supports openness and the ability to migrate to other platforms, this may increase end-user trust and become an attractive feature of the IoT platform. (4) Recursive architecture. The IoT platform provider is not responsible for the architectural decisions made by end users, who may build services on top of which other end users build other services, and so on. However, the abovementioned architectural patterns and reference models for all end users, if applied on all levels of aggregation could help end users build higher level SoS that bear the characteristics of the underlying services (and vice versa).
Figure 3. A citizen transitioning across multiple Service Systems of Systems
Seamless transition between multiple self-aware Systems – maintaining state across multiple private and public cloud networks: effectively the human and multiple mobile devices will be moving through a range of self-aware and intelligent environments, vehicles, systems and eco-systems; their safe and effective passage and harmonious interactions will be dependent upon the safe and secure communication of key data including identity, personal preferences, security settings and master profiles. For example, Figure 3 shows a citizen traversing the landscape of multiple independent service systems of systems (that may or may not have been implemented on top of the same IoT platform) ‘Do No Harm’ - If agreed Principles and Standards around data sharing, retention and privacy have not been agreed to or enforced then how can more evolved Principles and Standards such as Do No Harm be agreed and enforced? The current answer is that they cannot and this question is still open even in terms of who is responsible for defining these. On the basis of some of the key issues outlined above, the authors believe that there is an urgent need for a coherent set of Patterns, Methods and Principles that architects of cyber physical systems can use to secure all desired systemic properties of these open and evolving systems.
5. ISSUES AND IMPLICATIONS FOR FURTHER RESEARCH The preliminary investigation of the emergent IoT networks in Australia reveals significant issues and implications to be explored as part of future research, e.g.: How ‘aware’ one wants the System-of-systems to be? Does self-awareness imply complete independence and autonomous decision-making? Can an intelligent House make its own decisions, re-calibrate its service levels and operations? Within what boundaries and broader ecosystem and Owner imposed constraints must this self-awareness and independence operate? Owner vs Eco-System – a self-aware House will have immediate conflicts of Authority and Control impacting its day to day operations. Who has ultimate authority over the self-aware House? Is there a set of broader Meta Ecosystem requirements that all subsystems must comply with (e.g., Public Safety, Law and Order, Power Outages Disaster and Emergency Relief)?) When can the role of the Owner and Control of the Dwelling be over-ridden by a higher Authority? Integration of Control – It is clear that emerging IoT networks do not yet have integrated Control Systems that allow for “plug and play” of any 3rd party
Additionally, Methods and Technologies need to be developed that would be applicable on all levels of System Composition to implement highly automated situational 801
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
789
VE infrastructure. Computers in Industry 51 (2):139-163 Devlin, K.J. (1995) Logic and Information. Cambridge U Press. Gascón, D, Bielsa, A., Genicio, F., Yarza, M. (2011). Over the Air Programming with 802.15.4 and ZigBee - OTA. Libelium. http://www.libelium.com/over_the_air_ programming_OTA_802.15.4_ZigBee/ (Retrieved Oct 2017) Goranson, H.T. (1999) The Agile Virtual Enterprise: Cases, Metrics, Tools. Westport, CT : Quorum Boks. Goranson, H.T., Cardier, B. (2013) A two-sorted logic for structurally modelling systems. Progress in Biophysics and Molecular Biology. 113(2013):141-178 Hoverstadt, P. (2008). The Fractal Organization: Creating sustainable organizations with the Viable System Model. Hoboken : Wiley. Intel (2007) Intel Active Management Technology System Defense and Agent Presence Overview. Intel Corporation. ISO 15288 (2008). Systems and software engineering – System life cycle processes. ISO 15704 (2000;2005). Industrial automation systems – Requirements for enterprise-reference architectures and methodologies; (Amd1 2005). Kandjani, H., Bernus, P. (2011). Engineering Self-Designing Enterprises as Complex Systems Using Axiomatic Design Theory. IFAC Papers On Line. Elsevier. pp11943-11948. Kandjani, H., Tavana, M., Bernus, P., Nielsen, S. (2014). Co-Evolution Path Model (CePM): Sustaining Enterprises as Complex Systems on the Edge of Chaos. Cybernetics and Systems: An International Journal. 45(7):547–567 Maturana, H.R., Varela, F.J. (1980). Autopoiesis and Cognition: the Realization of the Living. Reidel. Miller, J.H., Page, S.A. (2007). Complex adaptive systems: an introduction to computational models of social life. Princeton, NJ :Princeton University Press. Molina, A., Velandia, M., Galeano, N. (2007). Virtual Enterprise Brokerage: A Structure Driven Strategy to Achieve Build to Order Supply Chains. International Journal of Production Research. 45(7): 3853–3880 Pereda, F.J., Molina, A. (2013). Model driven architecture for engineering design and manufacturing. IFAC-Papers Online, Vol.6. Part 1. pp400 – 407. Rabelo R.J., Camarinha-Matos L.M., Vallejos R.V. (2001). Agent-based brokerage for virtual enterprise creation in the moulds industry. IFIP AICT 56:281-290. Rabelo, R.J., Bernus, P., Romero, D. (2015). Innovation Ecosystems: A Collaborative Networks Perspective. in Luis M. Camarinha-Matos, Frederick Benaben, Willy Picard (Eds) Risks and Resilience of Collaborative Networks. IFIP AICT 463:323-336 Rabelo, R.J., Noran, O., Bernus, P. (2015). Towards the Next Generation Service Oriented Enterprise Architecture. In Sylvain Halle and Wolfgang Mayer (Eds) Proc. IEEE 19th EDOCW. IEEE Xplore: 91100. Schwaninger, M. (2009). Complex versus complicated: the how of coping with complexity. Kybernetes. 38(1/2):83-92 Suh, N. (2005). Complexity: Theory and Applications. Oxford U Press. Swetha, S. Suprajah, S. Vaishnavi Kanna, S. Dhanalakshmi, R. (2017). An Intelligent Monitor System for Home Appliances Using IoT. Int Conf Technical Advancements in Computers and Communications (ICTACC’17). IEEEXplore. 106-108. Telstra (2014). Telstra Wireless Application Development Guidelines. V7.1 #AOF-4270 , Telstra Corporation. Telstra (2015). M2M VPN Solution Service #.DS012 JUN2015. Telstra Co. Telstra (2016). Telstra IoT Platform for Connected Device Management and Application Development – IoT Platform Technical User Guide V.1.0# G190 OCT16. Telstra Co. Telstra (2017). Telstra’s IoT Platform and Solutions Data Sheet #DS165JUL17, Telstra Corporation. Vesterager, J., Bernus, P., Pedersen, J. D., Tølle, M. (2001). The what and why of a Virtual Enterprise Reference Architecture. in E-work and E-commerce. Novel solutions and practices for a global networked economy. IOS Press. pp846–852. Von Bertalanffy, L. 1968. General System theory: Foundations, Development, Applications. New York: George Braziller.
awareness (Goranson & Cardier, 2013; Bernus et al, 2016; Bernus & Noran, 2017). This Technology is emergent: it does exist but requires further research and development. Another open question is whether there exist inherent risks of cyber-physical systems becoming fully self-aware at all levels. Whilst the authors have not yet identified any emerging IoT or M2M networks that operate at this level, it is predictable that this level of self-awareness will be reached at some point in time. The authors propose to give self-awareness to the System for a range of reasons including viability to ensure the System’s long term survivability (including its resources and components), the endurance of its underlying commitments, the goals of the system, as well as all the other ilities. These are all highly desirable but bring with them the ability to be compromised in new ways: The System loses Trust in the Owner, The System loses Trust in itself, The System begins enacting or formulating Rules or Behaviours not foreseen by the original Designers or resulting in unintended Outcomes not predicted in the original Design. 6. CONCLUSION Management and business owners need to be familiar with the architectural patterns, reference models, methods and techniques that relate to cyber-physical systems, because creating dynamic configuration capability that goes beyond the current bounded level creates optimization opportunities and new innovation for business. Opportunities include more dynamic supply chain, less waste, ability to serve a market that was previously not reachable, etc. However, existing methods of designing and building systems need to be adjusted for the successful application of the new enabling technologies (the IoT, Sensor Networks, various AI techniques, etc.). ACKNOWLEDGEMENTS The authors would like to acknowledge the research grant (Strategic Advancement of Methodologies and Models for Enterprise Architecture) provided by Architecture Services Pty Ltd (ASPL Australia) in supporting this work REFERENCES Afsarmanesh, H., Camarinha-Matos, L.M. (2005). A framework for management of Virtual Organization Breeding Environments. IFIP IACT 186. Springer Beer, S. (1972). Brain of the Firm. London : Penguin. Bernus, P., Goranson, T., Gotze, J., Jensen-Waud, A., Kandjani, H., Molina, A., Rabelo, R.J., Romero, D., Saha, P., Turner, P. (2016) Enterprise engineering and management at the crossroads. Computers in Industry. 79 (2016):87-102. Bernus, P., Noran, O. (2017). Data Rich – But Information Poor. In L.Camarinha-Matos, H.Afsarmanesh and R.Fornasiero (Eds.) Collaboration in a Data Rich World. IFIP AICT 506. Springer. 206214. Bernus, P., Noran, O., Riedlinger, J. (2002). Using the Globemen Reference Model for Virtual Enterprise Design in After Sales Service . In I.Karvoinen et al (Eds). Global Engineering and Manufacturing in Enterprise Networks (Globemen), VTT Symposium Series 224. Helsinki : VTT. pp 71-90. Camarinha-Matos, L.M., Afsarmanesh, H. (2003). Elements of a base 802
ScienceDirect
Enterprise Thinking for Self-aware Systems IFAC PapersOnLine 51-11for (2018)Self-aware 782–789 Enterprise Thinking Systems Enterprise Thinking for Self-aware Systems Enterprise ThinkingPatfor Self-aware Systems Turner* Peter Bernus** Pat Turner* Pat Turner* Ovidiu Noran** Peter Bernus** Peter Bernus** Ovidiu Noran** Ovidiu Noran** Pat Turner* *Architecture Services Pty Ltd (ASPL) [email protected] Bernus** **IIIS Centre forServices Enterprise Architecture Research and Management, *Architecture PtyPeter Ltd (ASPL) [email protected] *Architecture Pty Ltd (ASPL) [email protected] Ovidiu Noran** Griffith University {P.Bernus, O.Noran}@griffith.edu. **IIIS Centre forServices Enterprise Architecture Research and Management, **IIIS Centre forUniversity Enterprise Architecture Research and Management, Griffith {P.Bernus, O.Noran}@griffith.edu. Griffith Services University O.Noran}@griffith.edu. *Architecture Pty{P.Bernus, Ltd (ASPL) [email protected] **IIIS Centre for Enterprise Architecture Research and Management, Abstract: The paper aims to provide high-level guidance for architects of cyber-physical enterprises. We Griffith University {P.Bernus, O.Noran}@griffith.edu. propose suchhigh-level systems should be for largely self-determined, based on system selfAbstract:that Theinteractions paper aimswithin to provide guidance architects of cyber-physical enterprises. We Abstract: The paper aimsre-configuration, to provide guidance architects of based cyber-physical enterprises. We awareness and dynamic with should the architecture evolving onbased a set on of foundational propose that interactions within suchhigh-level systems be for largely self-determined, system selfpropose that interactions within such systems should be largelyevolving self-determined, based system selfprinciples, rather than being pre-defined bywith an external designer. We investigate the of typical awareness and dynamic re-configuration, the architecture based on asuitability set on of foundational awareness and dynamic re-configuration, the architecture set of foundational Abstract: paper aims to pre-defined provide guidance for architects of based cyber-physical enterprises. We development life cycles and identify high-level architectural challenges inevolving the context of on dynamic cyber-physical principles, The rather than being bywith an external designer. We investigate theasuitability of typical principles, rather pre-defined by an of external designer. investigate the suitability of typical propose interactions within systems should be largely self-determined, based system selfsystems that utilize thebeing power ofsuch the Internet Things. Desired systemic attributes are on defined, which development life than cycles and identify architectural challenges in We the context of dynamic cyber-physical development life and suitable identify architectural challenges inevolving the context of on dynamic cyber-physical awareness and dynamic re-configuration, architecture based a of set of foundational are necessary forcycles making corewith architectural choices. The application findings is systems that utilize the power of the Internet ofthe Things. Desired systemic attributes arethe defined, which systems that utilize the power of the Internet of Things. Desired systemic attributes are defined, which principles, rather than being pre-defined by an external designer. We investigate the suitability of typical exemplified through a case study, a synthesis of issues, andchoices. implications further research. are necessary for making suitable core architectural The for application of the findings is are necessary forcycles making suitable core architectural choices. application of the findings is development life and identify architectural challenges in theThe context of dynamic cyber-physical exemplified through a case study, a synthesis of issues, and implications for further research. Keywords: Internet of Things, Systems of Systems, Self-aware systems, Service Oriented Enterprise © 2018, IFAC (International Federation of Automatic Control) Hostingsystemic by Elsevier Ltd.research. All rights reserved. exemplified a case study, synthesis ofofissues, andDesired implications for further systems thatthrough utilize the power of athe Internet Things. attributes are defined, which Architectures; Enterprise SystemSystems Engineering; Self-organization Keywords: Internet of Things, of Systems, Self-aware systems, Service Oriented Enterprise are necessary for making suitable core architectural choices. The application of the findings is Keywords: Internet of Things, of Systems, Self-aware systems, Service Oriented Enterprise Architectures; Enterprise SystemSystems Engineering; Self-organization exemplified through a case study, a synthesis of issues, and implications for further research. Architectures; Enterprise System Engineering; Self-organization Keywords: Internet of Things, Systems of Systems, Self-aware systems, and Service Enterprise system's architect; whatOriented is outside, is interacted with, 1. INTRODUCTION Architectures; Enterprise System Engineering; Self-organization but belongs to the environment. system's architect; and what is outside, is interacted with, 1. INTRODUCTION system's architect; and what is outside, is interacted with, This paper examines the architectural consequences of the but belongs to the environment. 1. INTRODUCTION In the caseto of Sensor-based Networks and emerging but belongs the environment. recently acquired ability deploy a variety of a veryoflarge This paper examines the to architectural consequences the Internet of Things networks (IoT) this defined is In the case of Sensor-based Networks andboundary emerging This paper examines theactuators architectural consequences oflarge the system's architect; and what is outside, is interacted with, number of sensors and all levels systems, recently acquired ability to deployon a variety of aofvery In the case of Sensor-based Networks andboundary emerging 1. INTRODUCTION becoming increasingly fluid because at any moment in Internet of Things networks (IoT) this defined is recently acquired to deployon a variety ofconnectivity' aofvery large but belongs to the environment. and theof ability to 'grounded number sensorsability and establish actuators all levels systems, Internet of increasingly Things networks (IoT) this defined boundary is time what can / cannot be considered part of the system becoming fluid because at any moment in number sensors and actuators on all levelsconnectivity' of systems, This paper examines the architectural consequences of the (explained below) of systems to their environment. For and theof ability to establish 'grounded becoming increasingly fluid because at any moment in In the case of Sensor-based Networks and emerging mightwhat change to belost connectivity, time can /(due cannot considered part ofmalfunction, the system and theacquired to systems establish 'grounded recently ability to deploy a variety ofconnectivity' abe very large purpose ofability this paper, the term 'system' will used to (explained below) of to their environment. For the time what can /(due cannot belost considered part ofmalfunction, the system Internet ofmaintenance, Things networks (IoT) this defined boundary is overload, incomplete configuration, and so might change to connectivity, (explained below) of systems to their environment. For the number of sensors and actuators on allsystem, levels systems, describe a technical or socio-technical or purpose of this paper, the term 'system' will of be systemsused to might change (due to lost connectivity, malfunction, becoming increasingly fluid because at any moment in on, or due to the system actively but only temporarily cooverload, maintenance, incomplete configuration, and so purpose this paper, the term 'system' willconnectivity' be systemsused to and the of to establish 'grounded of-systems (SoS). In context, ansystem, 'enterprise' is an describe a ability technical or this socio-technical or overload, maintenance, and coso time canthe / cannot be considered parttemporarily of the system opting external services). on, orwhat due to systemincomplete actively butconfiguration, only describe a technical or socio-technical system, or systems(explained below) of systems to their environment. For the undertaking (SoS). embodied in acontext, Socio-technical System of of-systems In this an 'enterprise' is an on, or due to the system actively but only temporarily comight change (due to lost connectivity, malfunction, opting external services). of-systems (SoS). In ofthis 'enterprise' is the an purpose of this paper, the 'system' will be used to Systems. The subject thisterm paper isan how to architect Due toexternal themaintenance, number of sensors, actuators and interactions undertaking embodied in acontext, Socio-technical System of opting services). overload, incomplete configuration, and so undertaking embodied in a Socio-technical System of describe a technical or socio-technical system, or systemsEnterprise such that the nature of interactions within the many of these dynamic configuration changes must cobe Systems. The subject of this paper is how to architect Due to the number of sensors, actuators and interactions on, or due to the system actively but only temporarily Systems. ofthis this paper isan how to architect the Due toautomated, thethese number of sensors, actuators and interactions of-systemsThe (SoS). context, 'enterprise' is the an enterprise as asubject system could beof largely self-determined fully e.g., Machine to Machine networks Enterprise such thatInthe nature interactions within many of dynamic configuration changes must be opting external services). Enterprise such that the in nature interactions within the many automated, ofmay thesecompletely dynamic configuration changes mustfrom be undertaking embodied a Socio-technical System of based on system self-awareness and a set self-determined of foundational (M2M) remove the human actor enterprise as a system could beof largely fully e.g., Machine to Machine networks enterprise as asubject system bebeing largely self-determined fully toautomated, e.g., Machine to decisions, Machine networks Systems. The of could thisthan paper isahow to foundational architect Due the of actuators and interactions guiding rather pre-defined by the an direct involvement in sensors, the required and as a based onprinciples, system self-awareness and set of (M2M) maynumber completely remove the human actor from based ondesigner system self-awareness andinteractions a set of foundational (M2M) may completely remove thedecisions, human actor Enterprise such that the nature within many dynamic changes mustfrom external or architect. result –involvement atthese this level granularity and aggregation guiding principles, rather than of being pre-defined by the an direct of in of theconfiguration required and asbe–a guiding principles, rather than being pre-defined by an direct involvement in the required decisions, and as enterprisedesigner as a system could be largely self-determined fully automated, Machine to Machine networks subsystems toe.g., be of self-governing. Thisaggregation requires that–a external or architect. result – at need this level granularity and Architecting systems so that theyand manifest a high level of external or architect. result – at this level of granularity and aggregation based ondesigner system self-awareness a set of foundational (M2M) may completely remove the human actor from subsystems need be allowed to dynamically to be self-governing. Thischange requirestheir that– self-awareness, whilst ensuring compliance to Architecting systems so thatthan theybeing manifest a high level of subsystems need to be self-governing. This requires that guiding principles, rather pre-defined by an direct involvement in the required decisions, and as configurationsbewithout the to needdynamically for human intervention toa subsystems allowed change their Architecting systems so that ensuring they manifest a high level of foundational design principles, poses a significant number self-awareness, whilst compliance to subsystems be allowed to dynamically change their external designer or architect. result – at this level of granularity and aggregation fulfil the functional andthe non-functional requirements of the configurations without need for human intervention to– self-awareness, ensuring compliance to of quantitative and whilst qualitative challenges to the Designer. foundational design principles, poses a significant number configurations without the need for human intervention to subsystems need to be self-governing. This requires that System. Clearly, the boundaries of this self-determination fulfil the functional and non-functional requirements of the foundational design principles, poses a significant number Architecting systems so that they manifest highDesigner. level of There are a variety unique reasons and characteristics of quantitative and of qualitative challenges toa the fulfil the functional and non-functional requirements oftheir the subsystems be allowed to dynamically change need to be set on the architectural design level, and the System. Clearly, the boundaries of this self-determination of quantitative and whilst qualitative challenges to Designer. self-awareness, ensuring to self-aware that invalidate some thethe assumptions There are asystems variety of unique reasons andofcompliance characteristics of System. Clearly, of this self-determination configurations without the need for human intervention to adherence toset them be monitored by the System itself need to be onthe theboundaries architectural design level, and(thus the There are a variety of unique reasons and characteristics of foundational design principles, poses a significant number that are truesystems in traditional systems some architectures but can no self-aware that invalidate of the assumptions need to be set on be the architectural design level, and the fulfil the functional and non-functional requirements of becoming self-aware). adherence to them monitored by the System itself (thus self-aware systems invalidate some of to thethe assumptions of and that qualitative challenges Designer. longer relied-on by associated systems engineering thatquantitative arebe true in traditional systems architectures but canand no adherence to themthe beboundaries monitored by the System itself (thus System. Clearly, of this self-determination becoming self-aware). that are true in traditional systems architectures but canand no There are a variety of unique reasons and characteristics of enterprise architecture practices. The fluidity ofona the system’s boundary causes additional longer be relied-on by associated systems engineering becoming self-aware). need to be set architectural design level, and the longer be relied-on by practices. associated and self-aware systems that invalidate systems some of engineering the assumptions complexity problems for management and control, over enterprise architecture The fluidity of a system’s boundary causes additional adherence to them be monitored by the System itself (thus The system integrity assumption: normally, abutsystem's enterprise architecture practices. The fluidity of acomplexity system’s boundary causes additional that are true in traditional systems architectures can no and above the problems inherent in the complexity problems for management and control, over becoming self-aware). architecture establishes a boundary, so thatengineering the ainteraction The system integrity assumption: normally, system's complexity problems for management and control, over longer be relied-on by associated systems and organization of the system itself. Consequently, new risks and above the complexity problems inherent in the The system integrity assumption: normally, ainteraction system's between the system and environment controlled in architecture establishes a its boundary, so thatisthe and above the complexity problems inherent in risks the enterprise architecture practices. The fluidity of a system’s boundary causes additional emerge and a higher level design is needed to address organization of the system itself. Consequently, new architecture establishes boundary, so thatisthe interaction order to the ensure system integrity. What iscontrolled inside this between system anda its environment in organization of the system itself. Consequently, new risks complexity problems for management and control, over them. and a higher level design is needed to address emerge between system its environment isiscontrolled in The system integrity assumption: a system's boundary belongs toand the system andnormally, is designed by this the order to the ensure system integrity. What inside emerge and the a higher level design is needed to address and above complexity problems inherent in the them. order to ensure system integrity.and What is inside architecture establishes a boundary, so that the interaction boundary belongs to the system is designed by this the them. organization of the system itself. Consequently, new risks boundarythe belongs the its system and is designed by the between systemtoand environment is controlled in 795 Copyright © 2018 IFAC emerge and a higher level design is needed to address order to ensure system integrity. What is inside this Copyright © 2018 IFAC 795 them. boundary© to (International the system and is designed by the 2405-8963 2018, IFAC Federation of Automatic Control) Copyright ©belongs 2018 IFAC 795Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2018.08.414 Copyright © 2018 IFAC 795
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
The practical consequence for managers and architects is the need to learn new design patterns, organisational design rules, and methods to use them in strategic transformations. Also, the management of the system’s life cycle in such transformation needs new insight as well.
783
environment reaches a critical threshold; therefore, solutions to the design as well as management & control problems do not necessarily exist in current practices. For example, supply chains have evolved over time, and traditional management methods (together with solutions offered by information and communication technology) have achieved continuous improvement in supply chain performance. Nevertheless, the development of supply chains has followed a Design–Build–Use paradigm of development. This paradigm assumes that there is time to source information, verify stakeholder requirements, analyse their concerns, etc., so as to finally come up with a solution, build it, and utilize it. However, when it comes to dynamic, on-demand optimization and (re)configuration of supply chains, the paradigm has limits due to the speed at which human architects can devise and developers build a solution. Therefore, we argue that the design–build (and release to operation) activities must be automated so as to achieve the desired level of dynamicity, and must be performed ‘on the fly’, i.e., during Operations.
Assumptions about the System’s life cycle and its stages: In contrast to the typically assumed Design–Build–Use– Retire stages of a system's life (called life history stages in Enterprise Architecture (ISO15704, 2005) and life cycle stages in Systems Engineering (ISO15288, 2008)), the types of systems that we today envisage – i.e., systems that exploit the opportunities offered by sensing and acting on a much more granular level than before – are in fact evolving systems. Such systems change and grow organically, and the Design–Build–Use–Retire sequence assumption no longer paints a very realistic picture. This has consequences for how to manage change, innovation, portfolios, programmes and projects, and the associated transformations of the enterprise. In particular, the Design and Build stage would better be described as a stage of directed evolution, with part of the Build activities being performed during the Operation of the system. Operation involves i) all mission fulfilment activities of the system (its ‘use’), ii) all management and control activities of the system (including strategic- & tactical management, and operational & real time management – these latter two include dynamic selfconfiguration).
A specific problem explored in this paper (as part of the 'architectural challenges’ section) is the effects of automation on systemic properties, and what architectural measures are necessary to achieve and preserve them. This is a timely question because the rapid development in automation technology (robotics and various AI techniques) seems to leave behind the theory needed to support good architectural decisions that utilize them. 2. ARCHITECTURAL CHALLENGES OF DYNAMIC CYBER PHYSICAL SYSTEMS
In other words, the Operation stage (i.e., the time interval during which the system operates) also involves transformational activities / processes, such as minor (or even major) changes to the system itself, and this includes (re)design, (re)build as well as possible decommissioning of parts of the system itself.
The introduction argued that there is a need for automating part of the dynamic Design – Build activities of the enterprise. This does not mean that high level automation is going to do away with the need for architecting; rather, it is the focus of architecting that will change.
Following Bertalanffy's General Systems Theory (1968), such systems are ‘homeostatic open systems’ in spite of being in constant flux. (NB although Bertalanffy limited his discussion to biological organisms, the analogy stands for organisations as well.), This includes old parts being expelled and new parts being acquired, while systems tending to maintain identity and equilibrium (to be selfperpetuating).
For example, instead of the architect designing a solution to optimally configure systems into a system of systems, the architect will need to design a system that has a dynamic self-configuring function, such that the SoS keeps dynamically configuring itself (taking into account factors such as changing optimum criteria on various horizons, availability of resources, recognition of opportunities and market trends, and so on).
However, on a longer time-scale such a system is also selfevolving, i.e., it also has the property of a complex adaptive system (Miller & Page, 2007), which learns, and to some extent directs its own destiny, orchestrating the directed evolution of the parts, or of the whole. (Sometimes such systems may also be autopoietic, i.e. self-reproducing (Maturana & Varela, 1980)).
Automated dynamic configuration / reconfiguration of systems has existed for a long time, using various AI techniques, but currently this ability only exists in contexts with well-defined boundaries: e.g. in a factory workshop AGVs, robots, and machine tools can create a fit-forpurpose configuration; in a hospital a team is assembled for a complex operation, etc.
One may argue that these are not new properties of systems, so the problem is old, and therefore perhaps existing theories of systems design and of management & control are readily applicable to our cyber-physical systems. Unfortunately, one must realise that these properties of enterprises do not become the source of a substantial challenge unless the rate of change with which the enterprise must evolve and adapt itself to the
In a bounded context, the manageability and controllability of the system may be guaranteed by design. However, if the context becomes fully open, then significant challenges appear around the ability to adhere to desired architectural design principles for generating on-demand service models. For example, questions arise around long term survivability, validity, currency of operations, trust, 796
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 784
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
availability, and so on (further discussed in Section 3).
combination of services upon services exploiting core IoT products & services. We know that often a simple combination of services that are 'out there' may create an initially successful and innovative service offering, but ensuring the above systemic properties this can become problematic, as business architects must need guidance how to address the design of complex service systems in a situation where they have limited control over underlying 3rd party services (Rabelo, Noran & Bernus, 2015).
3. DESIRED ATTRIBUTES OF CYBER PHYSICAL SYSTEMS AND CORE ARCHITECTURAL DESIGN PRINCIPLES 3.1. Minimize or Curb Complexity The solution must minimize or curb the complexity of the SoS (including the complexity of the fundamental parts of the system, and that of the dynamically generated parts). Ideally, the solution would have a layered architecture, whereupon the complexity of one layer should not be visible from the layer above, thereby stopping or reducing complexity escalation. For our purposes, we say that the system is complex if it cannot be predicted to always satisfy its requirements. (Being complex is not to be confused with being complicated: in a complicated system the number of elements of the system, and the number of their connections & interactions may be high, but when implemented, the system is known to always be able to satisfy its requirements (Schwaninger, 2009).)
The problem is also relevant for providers of the underlying core services (e.g., IoT infrastructure services), because their success depends on the end users' ability to successfully use the infrastructure service over a long period of time. Given that infrastructure providers are few and end users are many, it is in the provider's interest to pro-actively develop architectural guidelines of use to help successful service composition and to establish an ecosystem that nurtures service innovation (Rabelo, Bernus & Romero, 2015). 3.3 Viability and Self-awareness
The architectural complexity-reduction of systems of systems using so-called ‘Axiomatic Design’ (Kandjani & Bernus, 2011) has several practical consequences, including the dismissal of the methodological approach that first creates a functional specification and only then maps it to a design solution. Even common iterative development- and project knowledge management approaches are unsuitable – such as agile development or DevOps – unless they apply the kind of iteration called ‘zig-zagging’ (which method is a consequence of axiomatic design). The techniques are easy for design teams to acquire, although in practice they are often ignored due to historical rather than technical reasons.
A fundamental 'ility' that needs to be singled out in this context is viability, which is the property of the system to self-preserve and remain in homeostasis, but at the same time co-evolve with its environment (Kandjani et al, 2014). According to Viable Systems Theory (VSM) (Beer, 1972; Hoverstadt, 2008) a viable system should be composed from viable systems. This property is essential for the long term survival and success of any larger system (such as an ecosystem, or a network of companies), and even for virtual ‘service entities’ created using the pool of competencies of contributors – where the horizons of management & control functions of these entities must match the horizons of their expected lifetime.
3.2 'Ilities'
By investigating the management and control functions of viable systems (See Fig.1.), and the above considerations, it follows that the SoS in question needs to maintain selfawareness on each level of aggregation. Self-awareness is defined here as the ability of the system to perceive itself in its environment, distinguishing the self from the environment and identifying the (dynamic / changing) relationships between the self and the environment, as well as with the constituents of the environment, including other systems. The authors prefer to extend this definition with the ability of controlled self-determination and negotiation, i.e., the ability to decide a course of action compatible with internalized principles and with agreed-on 'social contracts' between the SoS and other systems.
The architectural solution suitable as a foundation for creating cyber-physical systems must display a number of systemic properties ('ilities'), and the adopted architecture needs to ensure that these properties hold recursively for the systems of systems of systems etc..., (where the lowest level system is no longer a SoS). In this sense the lowest level systems are 'organisms', and all other systems above are 'organizations'. This requirement originates from the fact that in a SoS the design authority or architect of lower level systems is normally independent of the design authority / architect of the SoS. Thus, the services of the envisaged cyber physical systems are to be composed (on a particular SoS level) out of services provided by systems that were independently designed. Therefore, we need extra measures to ensure that service availability, trustability, accountability, security, scalability, manageability, longevity, maintainability, reliability, and quality on the SoS level are achieved and maintained (just to name a few important examples), and to keep complexity at a manageable level, this must preferably be achieved 'by design'.
Our system of interest (the SoS) has functions to provide services or to produce goods, but also must have functions to monitor the ability of the system to perform the function now and in the future (such as through monitoring the performance of the self and monitoring the environment). This is not usually the case with lower level granularity systems, and can cause unpredictability and brittleness on the SoS level. Details of the requisite functions of self-awareness relevant for the problem at hand will be discussed in
For example, a major challenge is innovation based on the 797
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
GRAI Grid (Doumeingts et al, 1980))
Section 4, but clearly, self-awareness & viability are necessary to ensure system homeostasis (maintaining all necessary 'ilities' discussed above), but when deemed necessary then self-evolve. When the SoS is a company for example, this self-awareness can be achieved by the human actors (of management & control) on each level of aggregation. With cyber-physical systems we must consider how to achieve self-awareness of these systems relying on little or no human participation.
Self-awareness on the real time and operational level: On the real time level, it is necessary to (for example) identify faults (of the self, or of external services), identify cyberattacks, or any other situation that demands action that flows as fast as the events of the process dictate, i.e., in a synchronous manner. This needs the constant evaluation of data streams and the interpretation of these to create timely situation awareness. Sensor networks and actuators create an opportunity to provide the necessary data to support this function, although this ability may also enable new forms of cyber-attacks that create fake data, or in a home automation/security application situation misidentification may result in the system attacking itself or the owner/s.
The proposal here is that the SoS in question, on any level of aggregation, is best thought of as a hybrid (humanmachine) system, as opposed to the traditional systems engineering view that divides the human and the machine early in the design, separately considering the organization of the system (which is automated) and the organization of humans (who are the ‘users’). The authors see no a-priory reason to separate human and artificial agents from the outset; in fact, this can cause significant challenges (e.g. if some agent functions cannot be automated then the architectural solution breaks down).
Due to human limits to act fast enough, self-aware behaviour on the real time- and operational levels must be completely or highly automated – which is a distinguishing trait of cyber-physical systems. For example, it is of critical concern that even at the operational (executable code) level some level of situation awareness (as an internal control) is still required. If not present, an ‘atomic service’ is open to compromise and may be executed in an improper fashion by an illegitimate 3rd party. Current systems do not have this ability, therefore cyber attacks that enter on a very low level may remain unnoticed. Building situational awareness (and the ability to respond to known and unknown situations based on available and newly arriving data in real time) is a candidate for handling constantly emerging Cyber Threats.
The advantage of this approach is twofold: a) we are not constrained by design to only implementing management functions that can be automated at any one time, and b) we do not separate the system along a boundary between two parts with substantial coupling (human-to-machine). The reader may remark that this approach is tantamount to architecting the cyber physical system as a multi-agent system. However, while the multi-agent systems community has been concentrating on fully automated individual- and cooperative agents, such as robot swarms, this approach chooses to not constrain these agents a priory to full automation, because that would be a preconceived implementation decision. The removal of this constraint allows for an independent evolution of agents that changes the level of automation in time but still preserves an architectural identity (style), and with that, longevity. Thus, by default the system always has a complete scope and all necessary levels of management and control, but as the system evolves, the level of automation changes (while preserving system identity).
Self-awareness on the tactical level: This level deals with identifying trends (in production, product, market, competition, resources, etc.), monitoring system health, pro-actively scheduling targeted activities, optimizing plans and schedules, scheduling maintenance, optimizing resources and switching resources / services if needed. Data streams from sensor networks may support better decision making, but a correctly implemented situation identification should also pinpoint any additional dataneeds required for situation disambiguation. Given the time horizon of tactical management, there is the option to choose a desired level of automation, and decide to automate some functions but not others, in order to satisfy some criterion other than functionality, such as investment efficiency / ROI. Nevertheless, considering the larger size of the decision space of cyber-physical systems, a higher than usual level of automation will likely be needed. For example, previously the rapid reconfiguration of a supply chain for a size-one-lot was outside the capability of supply chain management. However, with high automation level, and visualization for human decision making such optimizations will be in reach.
MissionI(productI&IserviceIstrategyI[I/O])I ResourceI&ICapabilityIstrategyI/IpolicyI
• •
Transforma onalIplanI&IgovernanceI Por olioI&IProgrammeImanagementI • •
IIIIISchedulingI&IOpera onalIControlI ResourceI&IProduc onIOp miza onI
StrategicII
• •
Tac calII
Iden tyI Rela onshipsI
ControlI&I feedbackI
AuditI&IAlertsI
EnvironmentI
OverallIManagementI • •
785
Opera onsI LocalIManagementI
Self-awareness on the strategic level: This level is observing internal trends vs. external trends (Kandjani et al, 2011), identifying strategically relevant situations (and, similar to the tactical level, identifying additional dataneeds necessary for situation disambiguation). This level is planning strategic action with respect to the goals of the
LocalIOpera onsI LabelsIofImanagementIfunc onsI‘x’IareItoIbeIreadIasI‘DecideIonIx’II
Figure 1. Recursive Management & Control functions of a viable system (a unified structure based on Beer’s VSM (1975) and 798
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 786
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
self, or modifies the goals themselves.
of the Design–Build–Use (operate) paradigm, rather than on demand dynamic architecture. This seems to be caused by 1) the low level of automation of self-configuration on the enterprise level, 2) unsatisfactory amount of decisionsupport information, and 3) trust issues.
Essentially, on a high level of aggregation (company and above) this function is traditional strategic management (albeit with better decision support). The function manages the system’s identity and mission, its role in the ecosystem, relationships to internal/external stakeholders, etc.
This is not to say that all companies or networks etc. do abide by this recursive management rule, and therefore those organizations may be viable on the level of the whole, but without their constituents being viable systems themselves. Relaxing the viability criterion (relative to the ideal case) increases the complexity of the SoS's management and control, because higher levels must take over part of the management of the contributing lower levels. With the expected explosion in the number of system constituents (due to the IoT) this may no longer be acceptable as management and control models can hit a complexity barrier. Thus, the sub-optimal but tolerable compromise in traditional systems may no longer be acceptable in the new dynamics of cyber physical systems.
On a medium level of aggregation, this function may monitor the health of an alliance vs. future needs and act before the alliance or the satisfaction of contractual obligations noticeably deteriorate. On low levels of aggregation this management & control function might be absent. Situation awareness on all levels A recurring theme on all levels discussed above is situation awareness (coupled with fast decision making ability) for effective and efficient action. The conditions of this to materialize are facilitated by the technological affordances of cyber physical systems (large number of intelligent sensors), machine learning / pattern recognition algorithms, and various data analytics techniques. However, highly automated situation awareness and supporting decision making requires a new form of intelligence: situated reasoning (Devlin, 1995; Goranson & Cardier, 2013), in order to create a fast and continuous narrative of the facts uncovered by the variety of data sources.
3.6 Reference Models, Guidelines, Techniques and Principles It is not enough to develop a generic reference model that guides the choices for the dynamic architecture of future cyber physical enterprises. It is also necessary to develop methodological guidelines and techniques that inform the architecting processes (some of which are to be automated). It is fair to expect that traditional enterprise architecting and systems engineering methods need either extensions or specific practically usable guidelines & techniques to address the above-discussed challenges.
This is a missing technology element (as of today), with only experimental implementations in existence and substantial research and development (R&D) implications. Situated reasoning and context level data analysis should go hand in hand: the analytics of large amounts of data can facilitate correct situation identification, but situated reasoning can identify the need for data that are not available at present, but could be used for situation disambiguation before a correct decision can be taken (Bernus & Noran, 2017).
One particular reference model that gained currency is the three-level preparedness-building paradigm (Afsarmanesh & Camarinha-Matos, 2005): Level 1 comprises a Virtual Enterprise Breeding Environment (VBE), which is the Ecosystem of players of an industry either locally or globally. Level 2 is populated with Enterprise Networks (ENs), which are a formal structure (originated from the Ecosystem), comprised of Ecosystem players that qualify to become members and subscribe to a set of shared rules & reference models (e.g. for interoperability), shared work practices & tools – including rules for service composition and management. Level 3 contains Virtual Enterprises (VEs) / Virtual Organizations (VOs) created by the Network in the form of temporary alliances to respond to some service need or opportunity.
3.5 Recursive architecture The rules of combination apply recursively, i.e., creating viable self-aware systems out of viable self-aware systems requires that each system's management (on every level) must have certain minimal functionality. This requirement is already evident in companies (where the company is an organization that consists of divisions (down to departments and groups etc.), all of which are themselves organizations. However, the rule does not stop at the company boundary: exactly the same rules apply to networks of companies, alliances, and various forms of virtual organizations in the supply chain.
In practice this has been implemented before, but only for individual service types, not individual service instances; with the ability of dynamic configuration the envisaged highly automated cyber physical systems could step over this barrier (within the framework of the above paradigm).
The ability to create a virtual service of manufacturing enterprise (and its embodiment as a virtual organization) has been on the agenda of industries for at least two decades (Goranson, 1999; Camarinha-Matos & Afsarmanesh, 2003). However, practical applications (Bernus, Noran & Riedlinger, 2002; Bernus, Molina & Noran, 2015; Vesterager et al, 2001; Pereda & Molina, 2013; Molina, Velandia & Galeano, 2007; Rabelo, Camarinha-Matos & Vallejos, 2001) remained on the level
4. CASE STUDY 4.1. The Telstra IoT Platform At this point, one may ask: how do the discussed core Design Principles align with the realities of emerging machine-to-machine (M2M) IoT networks? What is the 799
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
relationship between the expressed design principles and the currently available or emerging IoT infrastructure services?
787
devices there are effectively no other constraints on the use of the IoT network to deliver or receive services. The IoT network itself does not impose additional security or encryption standards – it is relying on native Device or Application level security constraints to enforce data and customer privacy standards. Also, while the Telstra IoT is an open mobile / wireless network relying on 3rd party providers and products to enforce security, users may choose to configure a virtual private network (VPN) that imposes Enterprise level security across all elements of the System (Telstra, 2015; Telstra, 2014.p57).
To attempt to answer such questions, this section briefly discusses a case study specific to the Australian context, namely the Telstra IoT network launched in July 2017 (Telstra, 2017), in fact the first commercial IoT PaaS. The discussion is based on Telstra’s Wireless Application Development Guidelines, IoT Platform Technical User Guide, and IoT Platform and Solutions Data Sheet (Telstra, 2014; 2016; 2017).
An important functionality required from all IoT devices approved for use is the ability to remotely update device firmware (‘firmware over the air’ (Gascón et al, 2011)). 4.2. Analysis of the IoT Platform – what it is and is not? The IoT platform as a service briefly described in 4.1 provides an infrastructure and environment, based on which end users can develop innovative solutions / services, using the ability to connect to a wide range of devices deployed in the field. The design principles discussed in Section 3 only have limited applicability regarding the platform itself, but as discussed in 4.3 will be very important for systems built on top of such a platform. (Nevertheless, some of the design principles still apply to the IoT platform itself.) (1) Self-awareness. There is no evidence of in-built selfawareness in the IoT network or approved products. The devices that meet required standards to operate in the mobile/wireless network are commercial products using protocols for interoperability, and these do not support the functionality required for self-awareness. The consequence is that self-organization of sensors and actuators is not yet possible, effecting overall availability and integrity of a sensor network (see ‘ilities’ below).
Figure 2. Telstra IoT offering (components) and their possible use by businesses (Source,1 used with permission)
New customers signing up for the Telstra branded IoT solution are buying pre-designed products and services bundled for use across the 4G mobile and wireless network, as a secure public Cloud infrastructure partitioned logically (built on top of Telstra’s physical Cloud Data Storage service).
(2) ‘Ilities’. Due to space limitations, Availability & Reliability are singled out here as examples, although other ilities would have similar status in terms of architectural treatment. The IoT network operator (Designer) cannot take full responsibility for end-user performance measures (even though built-in functionality exists to optimize the network’s performance). However, if the network was considered a SoS, then dynamic reconfiguration (allocation of functions to physical devices / processors etc.) could help further optimize network performance under less than ideal circumstances (such as connectivity loss, node failure, etc.). Another crucial ‘ility is Trustability. It is not entirely clear what is the trust-status of co-operating devices across the IoT network, or what are their limits of ‘fair use’ (e.g., what differentiates a large scale legitimate business use from a denial of service attack). Co-users of the IoT network (even if on separate VPNs) are in competition for resources (bandwidth, support and latency), especially in areas of congestion and cross-network dependencies that are outside their control. The current support arrangements and commercial contracts on offer do not discuss the
IoT customers are offered a Cloud based Dashboard (CRM- like UI) to monitor run-time data streaming from each of their configured Devices on the IoT network as well as some remote site control for these devices from the Dashboard console accessible via Phone, Tablet or Laptop. Telstra provides design recommendations for applications development based on the IoT network (Telstra, 2014), a list of best practices for optimizing performance / resource usage (for example how to optimize data transfer, reduce unnecessary signalling, achieve resilience when network conditions change, etc.). Apart from needing to operate on the existing Telstra mobile (wireless) network and spectrum and adhering to these high level technical recommendations, and utilising approved Telstra network routers and IoT end point 1
https://www.telstra.com.au/business-enterprise/solutions/internet-of-things 800
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018 788
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
likelihood of cross network impacts of one service upon another, or sharing services across various eco-systems (sub-networks) that may arise across the IoT network.
components within the Master Control of the selfaware System itself (e.g., the Intelligent House (Swetha et al, 2017)). Whilst M2M Networks allow for open communications among devices and components, and remote control / management of these devices via console and dashboard UIs, this is not the same as having a commonly understood master controller environment with shared business logic and processes. What are the Social and Cognitive conditions (perhaps answered by Psychology, Behavioural Science, and Economics) that enable Human Actors / Agents to adapt to or be comfortable with such integration over which they have very limited control?
(3) Viability. End-users have fundamental interest in being able to rely on the IoT platform’s longevity – to protect investment and be able to plan to evolve the capabilities built in this way. For example, for a system built on the IoT platform to have long term viability (the ability to sustain itself and evolve as necessary on a longer time horizon) could be addressed in the future by architectural patterns that allow aggregating services into hybrid (human-machine) systems, thereby allowing the level of automation to change as needs and technologies develop, without fundamental architectural change being necessary. The question is ultimately also connected to complexity reduction (using the already mentioned techniques of axiomatic design (Suh, 2005; Kandjani & Bernus, 2011), which is essentially a technique to eliminate all unnecessary dependencies form a system of systems). Thus end users are well-advised to use the respective techniques to protect themselves from changes in the underlying infrastructure. Paradoxically, if the IoT Network actively supports openness and the ability to migrate to other platforms, this may increase end-user trust and become an attractive feature of the IoT platform. (4) Recursive architecture. The IoT platform provider is not responsible for the architectural decisions made by end users, who may build services on top of which other end users build other services, and so on. However, the abovementioned architectural patterns and reference models for all end users, if applied on all levels of aggregation could help end users build higher level SoS that bear the characteristics of the underlying services (and vice versa).
Figure 3. A citizen transitioning across multiple Service Systems of Systems
Seamless transition between multiple self-aware Systems – maintaining state across multiple private and public cloud networks: effectively the human and multiple mobile devices will be moving through a range of self-aware and intelligent environments, vehicles, systems and eco-systems; their safe and effective passage and harmonious interactions will be dependent upon the safe and secure communication of key data including identity, personal preferences, security settings and master profiles. For example, Figure 3 shows a citizen traversing the landscape of multiple independent service systems of systems (that may or may not have been implemented on top of the same IoT platform) ‘Do No Harm’ - If agreed Principles and Standards around data sharing, retention and privacy have not been agreed to or enforced then how can more evolved Principles and Standards such as Do No Harm be agreed and enforced? The current answer is that they cannot and this question is still open even in terms of who is responsible for defining these. On the basis of some of the key issues outlined above, the authors believe that there is an urgent need for a coherent set of Patterns, Methods and Principles that architects of cyber physical systems can use to secure all desired systemic properties of these open and evolving systems.
5. ISSUES AND IMPLICATIONS FOR FURTHER RESEARCH The preliminary investigation of the emergent IoT networks in Australia reveals significant issues and implications to be explored as part of future research, e.g.: How ‘aware’ one wants the System-of-systems to be? Does self-awareness imply complete independence and autonomous decision-making? Can an intelligent House make its own decisions, re-calibrate its service levels and operations? Within what boundaries and broader ecosystem and Owner imposed constraints must this self-awareness and independence operate? Owner vs Eco-System – a self-aware House will have immediate conflicts of Authority and Control impacting its day to day operations. Who has ultimate authority over the self-aware House? Is there a set of broader Meta Ecosystem requirements that all subsystems must comply with (e.g., Public Safety, Law and Order, Power Outages Disaster and Emergency Relief)?) When can the role of the Owner and Control of the Dwelling be over-ridden by a higher Authority? Integration of Control – It is clear that emerging IoT networks do not yet have integrated Control Systems that allow for “plug and play” of any 3rd party
Additionally, Methods and Technologies need to be developed that would be applicable on all levels of System Composition to implement highly automated situational 801
IFAC INCOM 2018 Bergamo, Italy, June 11-13, 2018
Pat Turner et al. / IFAC PapersOnLine 51-11 (2018) 782–789
789
VE infrastructure. Computers in Industry 51 (2):139-163 Devlin, K.J. (1995) Logic and Information. Cambridge U Press. Gascón, D, Bielsa, A., Genicio, F., Yarza, M. (2011). Over the Air Programming with 802.15.4 and ZigBee - OTA. Libelium. http://www.libelium.com/over_the_air_ programming_OTA_802.15.4_ZigBee/ (Retrieved Oct 2017) Goranson, H.T. (1999) The Agile Virtual Enterprise: Cases, Metrics, Tools. Westport, CT : Quorum Boks. Goranson, H.T., Cardier, B. (2013) A two-sorted logic for structurally modelling systems. Progress in Biophysics and Molecular Biology. 113(2013):141-178 Hoverstadt, P. (2008). The Fractal Organization: Creating sustainable organizations with the Viable System Model. Hoboken : Wiley. Intel (2007) Intel Active Management Technology System Defense and Agent Presence Overview. Intel Corporation. ISO 15288 (2008). Systems and software engineering – System life cycle processes. ISO 15704 (2000;2005). Industrial automation systems – Requirements for enterprise-reference architectures and methodologies; (Amd1 2005). Kandjani, H., Bernus, P. (2011). Engineering Self-Designing Enterprises as Complex Systems Using Axiomatic Design Theory. IFAC Papers On Line. Elsevier. pp11943-11948. Kandjani, H., Tavana, M., Bernus, P., Nielsen, S. (2014). Co-Evolution Path Model (CePM): Sustaining Enterprises as Complex Systems on the Edge of Chaos. Cybernetics and Systems: An International Journal. 45(7):547–567 Maturana, H.R., Varela, F.J. (1980). Autopoiesis and Cognition: the Realization of the Living. Reidel. Miller, J.H., Page, S.A. (2007). Complex adaptive systems: an introduction to computational models of social life. Princeton, NJ :Princeton University Press. Molina, A., Velandia, M., Galeano, N. (2007). Virtual Enterprise Brokerage: A Structure Driven Strategy to Achieve Build to Order Supply Chains. International Journal of Production Research. 45(7): 3853–3880 Pereda, F.J., Molina, A. (2013). Model driven architecture for engineering design and manufacturing. IFAC-Papers Online, Vol.6. Part 1. pp400 – 407. Rabelo R.J., Camarinha-Matos L.M., Vallejos R.V. (2001). Agent-based brokerage for virtual enterprise creation in the moulds industry. IFIP AICT 56:281-290. Rabelo, R.J., Bernus, P., Romero, D. (2015). Innovation Ecosystems: A Collaborative Networks Perspective. in Luis M. Camarinha-Matos, Frederick Benaben, Willy Picard (Eds) Risks and Resilience of Collaborative Networks. IFIP AICT 463:323-336 Rabelo, R.J., Noran, O., Bernus, P. (2015). Towards the Next Generation Service Oriented Enterprise Architecture. In Sylvain Halle and Wolfgang Mayer (Eds) Proc. IEEE 19th EDOCW. IEEE Xplore: 91100. Schwaninger, M. (2009). Complex versus complicated: the how of coping with complexity. Kybernetes. 38(1/2):83-92 Suh, N. (2005). Complexity: Theory and Applications. Oxford U Press. Swetha, S. Suprajah, S. Vaishnavi Kanna, S. Dhanalakshmi, R. (2017). An Intelligent Monitor System for Home Appliances Using IoT. Int Conf Technical Advancements in Computers and Communications (ICTACC’17). IEEEXplore. 106-108. Telstra (2014). Telstra Wireless Application Development Guidelines. V7.1 #AOF-4270 , Telstra Corporation. Telstra (2015). M2M VPN Solution Service #.DS012 JUN2015. Telstra Co. Telstra (2016). Telstra IoT Platform for Connected Device Management and Application Development – IoT Platform Technical User Guide V.1.0# G190 OCT16. Telstra Co. Telstra (2017). Telstra’s IoT Platform and Solutions Data Sheet #DS165JUL17, Telstra Corporation. Vesterager, J., Bernus, P., Pedersen, J. D., Tølle, M. (2001). The what and why of a Virtual Enterprise Reference Architecture. in E-work and E-commerce. Novel solutions and practices for a global networked economy. IOS Press. pp846–852. Von Bertalanffy, L. 1968. General System theory: Foundations, Development, Applications. New York: George Braziller.
awareness (Goranson & Cardier, 2013; Bernus et al, 2016; Bernus & Noran, 2017). This Technology is emergent: it does exist but requires further research and development. Another open question is whether there exist inherent risks of cyber-physical systems becoming fully self-aware at all levels. Whilst the authors have not yet identified any emerging IoT or M2M networks that operate at this level, it is predictable that this level of self-awareness will be reached at some point in time. The authors propose to give self-awareness to the System for a range of reasons including viability to ensure the System’s long term survivability (including its resources and components), the endurance of its underlying commitments, the goals of the system, as well as all the other ilities. These are all highly desirable but bring with them the ability to be compromised in new ways: The System loses Trust in the Owner, The System loses Trust in itself, The System begins enacting or formulating Rules or Behaviours not foreseen by the original Designers or resulting in unintended Outcomes not predicted in the original Design. 6. CONCLUSION Management and business owners need to be familiar with the architectural patterns, reference models, methods and techniques that relate to cyber-physical systems, because creating dynamic configuration capability that goes beyond the current bounded level creates optimization opportunities and new innovation for business. Opportunities include more dynamic supply chain, less waste, ability to serve a market that was previously not reachable, etc. However, existing methods of designing and building systems need to be adjusted for the successful application of the new enabling technologies (the IoT, Sensor Networks, various AI techniques, etc.). ACKNOWLEDGEMENTS The authors would like to acknowledge the research grant (Strategic Advancement of Methodologies and Models for Enterprise Architecture) provided by Architecture Services Pty Ltd (ASPL Australia) in supporting this work REFERENCES Afsarmanesh, H., Camarinha-Matos, L.M. (2005). A framework for management of Virtual Organization Breeding Environments. IFIP IACT 186. Springer Beer, S. (1972). Brain of the Firm. London : Penguin. Bernus, P., Goranson, T., Gotze, J., Jensen-Waud, A., Kandjani, H., Molina, A., Rabelo, R.J., Romero, D., Saha, P., Turner, P. (2016) Enterprise engineering and management at the crossroads. Computers in Industry. 79 (2016):87-102. Bernus, P., Noran, O. (2017). Data Rich – But Information Poor. In L.Camarinha-Matos, H.Afsarmanesh and R.Fornasiero (Eds.) Collaboration in a Data Rich World. IFIP AICT 506. Springer. 206214. Bernus, P., Noran, O., Riedlinger, J. (2002). Using the Globemen Reference Model for Virtual Enterprise Design in After Sales Service . In I.Karvoinen et al (Eds). Global Engineering and Manufacturing in Enterprise Networks (Globemen), VTT Symposium Series 224. Helsinki : VTT. pp 71-90. Camarinha-Matos, L.M., Afsarmanesh, H. (2003). Elements of a base 802