Multi-view-Model Risk Assessment in Cyber-Physical Production Systems Engineering
Stefan Biffl (1, a), Arndt Lüder (3, b), Kristof Meixner (2, c), Felix Rinker (2, d), Matthias Eckhart (2, e) and Dietmar Winkler (2, f)
1 Institute of Information Systems, TU Wien, Vienna, Austria
2 CDL for Security & Quality Improvement in the Production System Lifecycle, TU Wien, Vienna, Austria
3 Institute of Ergonomics, Manufacturing Systems and Automation, Otto-von-Guericke University, Magdeburg, Germany
Keywords: Model-based Risk Assessment, Multi-view Modeling in Systems Engineering, Cyber Physical Systems.
Abstract: The engineering of complex, flexible production systems, Cyber Physical Production Systems (CPPSs), requires integrating models across engineering disciplines. A CPPS Engineering Network (CEN), an integrated multi-domain multi-view model, facilitates the assessment of risks to CPPS and product designs, i.e., risks stemming from several engineering disciplines. However, traditional risk assessment, e.g., Failure Mode and Effect Analysis (FMEA), provides informal cause-effect hypotheses, which may be hard to test without interdisciplinary links through the CEN to CPPS data sources. This paper aims to improve the effectiveness of model-based cause identification and validation for risks to CPPS functions that come from modeling in several CPPS disciplines by introducing the CPPS Risk Assessment (CPPS-RA) approach for representing FMEA cause-effect hypotheses and linking them to a CEN. These links provide the basis to specify CPPS engineering and operational data required for hypothesis testing. We evaluate the CPPS-RA approach in a feasibility study on a representative use case from discrete manufacturing. In the study context, domain experts found the CPPS-RA meta-model sufficiently expressive and the CPPS-RA method useful to validate FMEA results.
1 INTRODUCTION
Industry 4.0 demands digitized industrial production calling for Cyber-Physical Production Systems (CPPSs). CPPSs use modern manufacturing methods and latest information technology to adapt to different conditions and interact with their environment. These CPPSs have to fulfill requirements regarding product quality, functional safety, and information security (Henning, 2013). CPPS engineering involves several engineering disciplines, such as mechanical, electrical, and software engineering, which design and use heterogeneous models and tools. Risk management in CPPS engineering, such as the Failure Mode and Effects Analysis (FMEA) approach (DIN60812, 2015), is well supported in single engineering disciplines, but challenging to conduct across disciplines and may miss cross-discipline impacts when using discipline-specific, isolated models.

a https://orcid.org/0000-0002-3413-7780
b https://orcid.org/0000-0001-6537-9742
c https://orcid.org/0000-0001-7286-1393
d https://orcid.org/0000-0002-6409-8639
e https://orcid.org/0000-0001-5125-4391
f https://orcid.org/0000-0002-4743-3124
CPPS quality managers want to effectively and
efficiently identify factors potentially leading to spe-
cific quality risks. However, knowledge on causes and
impact relationships may come from different disci-
plines with their views on the system (Meier et al.,
2019). Traditionally, quality managers do not use
multi-view models for conducting risk assessments,
making the results hard to validate, use in advanced
analyses, replicate, and improve.
Identifying and assessing causes for risky effects
is hard as (a) product failure modes may depend on
several CPPS engineering disciplines, and (b) the het-
erogeneous models, data, and tools used are hard to
integrate. These issues require an approach for multi-
view modeling (Atkinson et al., 2015) that consid-
ers risks and their causes in CPPS Engineering Net-
works (CENs), i.e., integrated multi-domain multi-
view models. Model-based risk assessment that re-
lies on single-discipline models (Liu et al., 2013) does
not link hypotheses to multi-disciplinary CPPS engineering models and data. Data collection and analysis without hypotheses on cause-effect relationships often yield invalid cause-effect correlations and costly, but ineffective, changes to product and CPPS designs.

Biffl, S., Lüder, A., Meixner, K., Rinker, F., Eckhart, M. and Winkler, D. Multi-view-Model Risk Assessment in Cyber-Physical Production Systems Engineering. DOI: 10.5220/0010224801630170. In Proceedings of the 9th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2021), pages 163-170. ISBN: 978-989-758-487-9. Copyright © 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.
This paper focuses on functional risks represented
in and possibly resulting from modeling in several
CPPS disciplines, omitting information security risks
that assume intentional wrongdoing. We elicited re-
quirements for risk assessment (cf. Section 3) with
CPPS engineers and introduce the use case Screwing
System to illustrate challenges and core concepts. We
investigate multi-view modeling for CPPS Risk As-
sessment to provide the basis for defining and analyz-
ing cause-effect relationships, in particular causes of
risks to assets, across disciplines. In particular, we in-
vestigate (1) what data elements are required to repre-
sent cause-effect relationships in a CEN and (2) how
domain experts explore a CEN to identify and assess
possible cause-effect relationships.
We introduce the CPPS Risk Assessment (CPPS-
RA) approach to elicit candidates for cause-effect hy-
potheses, in the multi-disciplinary CPPS engineering
context. To this end, we introduce the CPPS-RA
meta-model with core concepts for integrated multi-
disciplinary engineering views for Risk Assessment
and the CPPS-RA method to explore potential causes
for risks in a multi-view graph. We describe the con-
ceptual, technical design of prototype tool support for
the CPPS-RA method, integrating engineering data
based on AutomationML (AML) (IEC 62714, 2018).
We evaluate the CPPS-RA approach in a feasibility
study with the use case Screwing System from car
manufacturing that is representative for discrete man-
ufacturing processes and assets. For an extended re-
port and further details, refer to (Biffl et al., 2020).
The remainder of the paper is structured as fol-
lows: Section 2 summarizes related work on multi-view modeling and risk assessment in CPPS engineering. Section 3 introduces the research questions and
approach. Section 4 introduces the representative use
case Screwing System from the real-world CPPS en-
gineering context car manufacturing. Section 5 de-
scribes the CPPS-RA approach, the meta-model, and
method steps. Section 6 reports on a feasibility study
of the CPPS-RA approach. Section 7 discusses the
results of the feasibility study regarding the require-
ments and the research questions. Section 8 con-
cludes and motivates future work.
2 RELATED WORK
This section reports on multi-view modeling and risk
management in CPPS engineering.
2.1 Multi-view Modeling in CPPS Eng.
CPPS life cycle digitization (Henning, 2013) is a
trend to reduce costs and make production more flex-
ible. Engineering process digitization supports this
goal by improving process effectiveness and effi-
ciency (Biffl et al., 2017). A major challenge is the ex-
change of engineering data. As the processes include
multiple domains and models, data exchange requires
the effective and efficient collection, integration, se-
lection, and transformation of scattered and heteroge-
neous information.
Multi-view models (Atkinson et al., 2015) fos-
ter the collaboration in such multi-disciplinary en-
vironments. The engineering domain experts take
decisions following their habits and represent the
results of these decisions in Domain-Specific Lan-
guages. This results in CPPS Engineering Networks
(CENs), where Domain-Specific Languages express
(discipline-internal) data models related to a single
discipline and (discipline-crossing) data models re-
lated to several disciplines as a basis for the digitization of engineering data logistics (Lüder et al., 2019).
Risk management in CPPS engineering processes
is essential (Foehr, 2013; Hopkin, 2018). While engi-
neers ensure the quality within their discipline, there
are limited capabilities for risk representation and
evaluation involving several disciplines. The consideration of cross-discipline dependencies is widely recognized within CPPS engineering but hampered by data collection issues. Winzer et al. (Sitte and Winzer, 2010)
presented an approach for matrix-based modeling of
discipline-internal and discipline-crossing dependen-
cies between system components. Foehr extended
the approach with quality management strategies for
a multi-model representation of quality dependen-
cies crossing different disciplines like quality man-
agement and product & system design (Foehr, 2013).
A precondition for these methods is a sufficiently
integrated multi-view system model, which is costly
and error-prone to create from implicit knowledge. A
multi-view system model over multi-domain elements
with domain-specific links (Atkinson et al., 2015) can
be represented in AML-based engineering data logis-
tics, enabling common graph search algorithms.
2.2 Risk Assessment in CPPS Engineering with FMEA
Risk assessment in CPPS engineering focuses on
identifying and analyzing product, process, and re-
source risks that might lead to defective products
caused by inaccurate or defective processes or re-
sources, omitting intentional wrongdoing. Risk assessment builds the basis for risk mitigation
to prevent defects and avoid the recurrence of de-
fects (Hopkin, 2018). In CPPS engineering, the
FMEA approach is a common approach. It aims at
systematically identifying CPPS assets, system ele-
ments related to the System under Inspection (SuI),
possible Failure Modes that may lead to unintended
Effects, and (root) Causes for effects, as basis for
risk mitigation (DIN60812, 2015; Stamatis, 2019) (cf.
Table 1 for FMEA concepts). For more details on
FMEA refer to (Biffl et al., 2020).
Model-based FMEA approaches (Kaiser et al.,
2003; Liu et al., 2013) link effects through model con-
nections to cause candidates, but typically for single-
discipline models that do not represent risky depen-
dencies across disciplines. For more details on model-
based FMEA refer to (Biffl et al., 2020).
To address limitations of FMEA based on single-
discipline models, this paper builds on CENs, in-
tegrated multi-domain multi-view CPPS engineering
models, to represent and analyze cause-effect graphs
linking cause candidates to risky effects under inves-
tigation, including cross-discipline dependencies.
3 RESEARCH QUESTIONS AND APPROACH
In the past, we conducted workshops with senior do-
main experts from a major CPPS integrator based
in Europe, aiming to improve the quality of their
CPPS engineering processes. A major concern was
resolving issues with ineffective improvement activ-
ities. These issues resulted from invalid cause-effect
correlations coming from machine learning projects
on engineering data, that lacked links between engi-
neering data and cause-effect arguments.
The domain experts provided the following requirements Rx for risk assessment.
R11. Representation of FMEA elements as a basis for reasoning on causes and effect considerations when conducting an FMEA.
R12. Representation of the CPPS Engineering Network (CEN) to facilitate reasoning on connections in an integrated multi-view CPPS engineering model, e.g., an integrated AutomationML model (IEC 62714, 2018), for describing causes and effects across engineering disciplines.
R21. Representation of causes and hypotheses to allow capturing informal causes early during FMEA and facilitate refining them to formal cause representations, linked via a hypothesis to an effect, as a basis for advanced risk analyses.
R22. Mapping of causes and effects to elements in the CEN to root the risk assessment in the CPPS design, as a foundation for realistic analyses with CPPS data.
R3. Representation and assessment of pathways from causes to effects in the CEN, to validate the FMEA results, comparable to an attack graph in CPPS security.
From these requirements, we derived the follow-
ing research questions (RQs).
RQ1. CPPS-RA Meta-model. What data ele-
ments are required to represent cause-effect relation-
ships in a CPPS Engineering Network (CEN) as a ba-
sis for risk assessment across discipline boundaries?
To address RQ1, this paper introduces the CPPS-RA
meta-model to represent data elements and relation-
ships required for conducting a FMEA with links to a
CEN. The design of the meta-model is based on the
standards underlying the FMEA method (DIN60812,
2015) and CPPS engineering data representation and
exchange (Drath et al., 2008; Sitte and Winzer,
2010). Further, we compared the meta-model design
to FMEA applications in CPPS engineering (Höfig et al., 2019) to facilitate a conceptualization consistent with these applications.
RQ2. CPPS-RA Method. How can domain ex-
perts explore an integrated CPPS Engineering Net-
work (CEN) to identify and assess possible cause-
effect relationships for a failure mode/effect, even
across discipline boundaries? To address RQ2, this
paper introduces the CPPS-RA method for identifying
model elements to elicit and formalize cause-effect
hypotheses that guide data selection and analysis. The
CPPS-RA method refines the FMEA’s cause analysis
step by guiding experts to iteratively explore a CEN.
It enables selecting effects, identifying assets potentially causing the effect, and building a cause-effect pathway across discipline boundaries in the CEN to
substantiate a testable hypothesis. The risk analy-
sis results provide the foundation for risk-based test
scenarios and hypothesis-guided data collection and
analysis.
For evaluation regarding the requirements Rx, we
conducted a feasibility study with use case Screwing
System from car manufacturing, building on a CEN (Biffl et al., 2019; Lüder et al., 2019). CPPS domain experts among this paper's authors conducted
the CPPS-RA method. They discussed the results
with senior domain experts from car manufacturing
to compare the characteristics of CPPS-RA with those
of their traditional method for risk assessment to an-
alyze the strengths and limitations of the CPPS-RA
approach.
[Figure 1 (graphic not reproduced): multi-view sample of the CEN. It shows the System under Inspection (Car Body with screwed-on Engine, with the function asset Screwing Joint Stiffness and the screwing force SF), the processes Position Screw & Engine and Fasten Screw, the resources Positioning Cell and Screwing Cell with Screw Gripper (Gripper Valve, Jaw 1, Jaw 2) and Screwer Drive (Motor, Bit, Gear, Transformer, Cable), and the product assets Screw, Engine, and Car Body. Legend: asset types (Function/MPFQ, Product, Process, Resource), link types (Product-Process, Process-Resource, Mechanic, Electrical), causes Cx, and exploration steps Sx (S0 to S5).]
Figure 1: Multi-view sample from the CPPS Engineering Network (CEN) in the use case Screwing System.
4 USE CASE SCREWING SYSTEM
This section introduces the use case Screwing Sys-
tem from the car manufacturing industry as an illus-
trative example for position and joining tasks. Such
screwing systems contain 50 to 200 assets inter-
linked in various ways. The corresponding CPPSs
are engineered using 15 to 35 different views, cov-
ering several engineering disciplines. Thus, engineer-
ing a screwing system requires multi-domain models,
where common concepts represent shared, i.e., multi-
view, assets. These assets are conceptual joining
points between the discipline-specific views, result-
ing in interlinked views within the multi-view model.
The use case covers a screwing system that screws
an engine block to a car body. This process is crit-
ical as it directly affects the car’s safety and usabil-
ity. The correct position and stiffness of the screwing
joints concern a significant risk in car manufacturing.
A loose screw joint on an engine block can lead to
cracks in the car body that weaken the car’s structural
strength and violate safety regulations.
Figure 1 depicts a section of the aggregated CPPS engineering data model reached by the engineering of the screwing system exploiting the engineering data logistics. The model shows relevant elements of the exemplary CPPS and is based on the engineering views of product engineering, quality management (MPFQ) (Foehr, 2013), and functional, mechanical, and electrical engineering. Table 1 summarizes the key concepts for FMEA in a CEN. For more details on the use case, refer to (Biffl et al., 2020).

Table 1: Key concepts for Risk Assessment with FMEA in a CEN (cf. the meta-model in Figure 2).
Concept | Concept Description
SuI | System under Inspection, an Asset; e.g., a function asset like screw joint stiffness.
FM_x | Failure Mode x of the SuI, e.g., low screwing force, leading to an effect.
E_xx | Effect xx, e.g., a loose screwing joint.
A; A_F, A_P, A_P', A_R | Asset; a Function (F), Product or Material (P), Process (P'), Resource (R) Asset in a CEN.
L_t(A_x, A_y) | A Link of type t between two Assets, A_x and A_y, e.g., a MPFQ relation, or mechanical, electrical, or information interface.
C_x(A_y) | Cause C_x associated to asset A_y, e.g., a wrong param. value leading to a FM.
H_x(E_xx, C_x) | Hypothesis, linking effect E_xx to a set of causes C_1, ..., C_n via a pathway of assets and links in the CEN.
We build on the Screwing System use case to illustrate
examples for the CPPS-RA approach.
5 CPPS RISK ASSESSMENT APPROACH
This section introduces the CPPS-RA meta-model
and method steps, and the conceptual design of a pro-
totype to automate parts of the method.
5.1 CPPS Risk Assessment Meta-model
The CPPS-RA meta-model focuses on the connec-
tion of core concepts for FMEA, a CPPS Engineer-
ing Network (CEN), and hypotheses that link effects
to causes in the CEN, even across discipline bound-
aries. The meta-model abstracts concepts and rela-
tionships from the FMEA standard (DIN60812, 2015)
and previous work on ontologies and meta-models for
applying FMEA to hypothesis building in specific areas (Höfig et al., 2019).
Figure 2 shows the core concepts of the CPPS-RA
meta-model divided into three areas: 1. FMEA con-
cepts (in violet), 2. CEN concepts (in green), and 3.
Cause-Effect Hypothesis concepts (in light-blue). All
data elements have a unique identifier and can have
properties, e.g., for annotations. For details on the
meta model concepts refer to (Biffl et al., 2020).
[Figure 2 (graphic not reproduced): entity-relationship diagram of the FMEA concepts Risk (with Occurrence and Severity), Failure Mode, Effect, and Cause; the CEN concepts Asset (with Type and Function requirement), Link (with Type and Relevance), and System under Inspection; and the Hypothesis concept linking an Effect to Causes. Relations shown: concerns, has, causes, explains, from/to, has impact on, and depends on, with cardinalities 1, 0,n, and 1,n.]
Figure 2: CPPS-RA core concepts meta-model (see concepts in Table 1).
5.2 CPPS Risk Assessment Method
The CPPS-RA method follows three steps:
Step 1. FMEA: Identify risk and informal cause
candidates. In this step, the quality manager (QM)
and the domain expert (DE) follow the FMEA pro-
cess with a specified goal and scope to define the SuI
and identify and prioritize candidate failure modes,
effects, and risks. For a selected effect E, the QM and
DE build on engineering knowledge in the project to
elicit, e.g., with Fault Tree Analysis, a list of informal cause and hypothesis candidates, such as "Effect E_12 may be caused by Causes C_1 and C_2".
Step 2. CPPS-RA with CEN exploration. In this
step, the QM and DE iteratively explore the CEN (see
Section 5.3) linking informal cause candidates C_x to assets A_y. The CEN can, e.g., be modeled in AML following the CPPS-RA meta-model (see Section 5.1). These links serve as the basis for formalizing causes and identifying possible pathways between the causes and the selected effect, which consist of assets A_x and technical links L_t(A_x, A_y). Based on formalized causes, cause-effect pathways, and informal hypothesis candidates, the QM specifies hypotheses H_x linked to CEN asset data elements as the foundation for testing these hypotheses with CPPS data.
Step 3. Collect and analyze data based on CPPS-
RA results. In this step, a data analyst uses the CPPS-
RA results, i.e., the hypotheses linked to CEN assets,
to define data elements for collection and analysis.
Based on the collected data, the analyst can test the
hypotheses with CPPS engineering and operation data
and report hypothesis test results. Finally, the QM and
DE can interpret the CPPS data as a strong foundation
to address likely causes for important risks.
For an extended report on CPPS-RA method steps
refer to (Biffl et al., 2020).
5.3 CPPS Eng. Network Exploration
Figure 3 shows the steps 2.x of the CPPS-RA method
in IDEF0 notation to iteratively explore likely causes
with limited resources for risk assessment. The starting point is an effect with an informal cause candidate, such as "effect loose screw may come from wrong parameter setting in screwer motor control".
Step 2.1 Explore CEN. In this step, the QM and DE identify assets that are relevant to represent informal cause candidates. Typically, the DE will start in the CEN from the asset that represents the SuI and iteratively explore assets in the neighborhood. To this end, the DE follows selected links between assets, e.g., mechanical or communication links, potentially related to the effect type. The step results in a set of links between causes and assets, together with possibly updated or added asset information that represents domain knowledge relevant for the cause-effect argumentation.
[Figure 3 (graphic not reproduced): IDEF0 diagram of Step 2.1 Explore CPPS Engineering Network (CEN), Step 2.2 Analyze Cause Candidates and Pathways, and Step 2.3 Build hypothesis linked to CEN. Inputs: selected effect, informal cause candidates, informal hypothesis candidates. Outputs: causes linked to assets in the CPPS Eng. Network, updated/added information on assets and links, Cause-Effect Pathways, hypotheses linked to CEN. Controls: FMEA (DIN EN 60812), Fault Tree Analysis (IEC 60300-1), Predicate Logics, W3C Ontology Standards, AutomationML (IEC 62714), CPPS-RA Meta Model. Mechanisms: Domain Expert (DE), Quality Manager (QM), Domain Knowledge, CPPS Eng. Network Model, CPPS-RA tool.]
Figure 3: CPPS-RA Step 2: CEN Exploration (IDEF0).

Figure 1 shows an abstract CEN from the use case with assets linked by different link types. These
links represent the model views, e.g., mechanical net-
works, and quality-process networks (see Section 4
and links in Figure 1). The network also allows annotating impact pathways between assets, e.g., S0 to S5. CPPS resources are linked to other resources and
sub-resources via mechanical, electrical, and commu-
nication interfaces building a resource network. The
network includes automation devices that are often
causes of engineering errors and failures.
For the iterative exploration, the asset neighbor-
hood can be defined by a neighborhood function
(starting asset, link types to use, stopping condition,
e.g., number of steps, or condition of the asset found,
e.g., asset type automation device). These functions
enable systematically exploring asset neighborhood
following the CEN to identify assets and paths likely
to lead to a specified effect. Alternatively, the DE can
identify relevant asset instances in the CEN and try to
find relevant paths between these asset instances.
The effective and efficient iterative exploration
of large or complex CENs requires tool support to
browse, search, and visualize the integrated multi-
view model. Typical CEN browser functions for
CPPS-RA include: Overview of related assets, brows-
ing assets and their relationships, filtering assets and
relationships according to neighborhood functions,
and annotating the relevance of assets and links, e.g.,
for specifying a cause-effect relationship.
Step 2.2 Analyze cause candidates and cause-
effect pathways. In this step, the QM and DE ana-
lyze causes linked to CEN elements to define at least
one Cause-Effect Pathway that links the effect E to
one or more causes, as a foundation for substantiat-
ing cause constructs with data from CPPS engineering
results. A Cause-Effect Pathway consists of links be-
tween causes, causes and assets, and between assets,
including the SuI.
Step 2.3 Build hypothesis linked to the CEN. In this step, the QM specifies a formal hypothesis based on the set of causes linked to the CEN and the Cause-Effect Pathway. The hypothesis consists of the effect, e.g., E_12, and the list of causes linked to the CEN, e.g., C_1, C_2. Figure 1 shows a Cause-Effect Pathway that links causes C_1 and C_2 to, e.g., effect E_12 by referring to assets and technical links in the CEN. If there is more than one cause in a hypothesis, the hypothesis requires a function that specifies the relationship of the causes to the effect, by default a logical AND function, e.g., H_1(E_12; C_1 AND C_2). Therefore, the hypothesis is well defined and linked to CPPS data elements, as the basis for data collection and hypothesis testing (see Section 5.2, Step 3).
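The neighborhood function of Section 5.3 and the hypothesis form of Step 2.3, as an added Python example that is not code from the paper or its prototype: it explores a constructed excerpt of the Figure 1 CEN from the SuI, derives the cause-effect pathways for the study's hypothesis H(E12; C1 or C2) (Section 6), and evaluates the hypothesis against constructed data points as in Step 3. Asset names follow Figure 1; the link types, the torque and voltage thresholds, and the data values are assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # function / product / process / resource asset (Table 1)
    discipline: str  # engineering view the asset belongs to

@dataclass
class CEN:
    """Toy CPPS Engineering Network: assets plus typed, undirected links."""
    assets: Dict[str, Asset] = field(default_factory=dict)
    links: List[Tuple[str, str, str]] = field(default_factory=list)

    def add(self, *assets: Asset) -> None:
        self.assets.update({a.name: a for a in assets})

    def link(self, a: str, b: str, link_type: str) -> None:
        self.links.append((a, b, link_type))

    def neighbors(self, name: str, link_types: Set[str]):
        for a, b, t in self.links:
            if t in link_types and name in (a, b):
                yield b if a == name else a

    def explore(self, start: str, link_types: Set[str], max_steps: int,
                stop: Callable[[Asset], bool]) -> Dict[str, List[str]]:
        """Neighborhood function (Section 5.3): breadth-first from `start`,
        following only `link_types`, at most `max_steps` hops. Assets that
        satisfy `stop` are recorded but not expanded. Returns, for every
        asset reached, the path of assets from `start` to it."""
        paths = {start: [start]}
        queue = deque([(start, 0)])
        while queue:
            cur, depth = queue.popleft()
            if depth >= max_steps:
                continue
            for nxt in self.neighbors(cur, link_types):
                if nxt not in paths:
                    paths[nxt] = paths[cur] + [nxt]
                    if not stop(self.assets[nxt]):
                        queue.append((nxt, depth + 1))
        return paths

def build_screwing_cen() -> CEN:
    """Constructed excerpt of the Screwing System CEN, loosely after Figure 1."""
    cen = CEN()
    cen.add(Asset("Screwing Joint Stiffness", "function", "MPFQ"),  # the SuI
            Asset("Fasten Screw", "process", "MPFQ"),
            Asset("Screwing Cell", "resource", "mechanic"),
            Asset("Screwer Drive", "resource", "mechanic"),
            Asset("Gear", "resource", "mechanic"),
            Asset("Motor", "resource", "electrical"),
            Asset("Transformer", "resource", "electrical"))
    cen.link("Screwing Joint Stiffness", "Fasten Screw", "MPFQ")
    cen.link("Fasten Screw", "Screwing Cell", "process-resource")
    cen.link("Screwing Cell", "Screwer Drive", "mechanic")
    cen.link("Screwer Drive", "Gear", "mechanic")
    cen.link("Gear", "Motor", "mechanic")
    cen.link("Motor", "Transformer", "electrical")
    return cen

@dataclass
class Cause:
    cid: str
    asset: str                     # CEN asset the cause is linked to, C_x(A_y)
    check: Callable[[dict], bool]  # test of the cause against collected CPPS data

@dataclass
class Hypothesis:
    """H_x(E_xx; C_1 op C_2 ...), combined by AND by default (Section 5.3)."""
    effect: str
    causes: List[Cause]
    combine: str = "AND"

    def pathways(self, cen: CEN, sui: str, link_types: Set[str],
                 max_steps: int) -> Dict[str, Optional[List[str]]]:
        """Cause-Effect Pathway per cause: the asset path from the SuI to the
        cause's asset, or None if the exploration does not reach it."""
        reached = cen.explore(sui, link_types, max_steps, stop=lambda a: False)
        return {c.cid: reached.get(c.asset) for c in self.causes}

    def evaluate(self, data: dict) -> bool:
        """Step 3: test the hypothesis against collected CPPS data."""
        results = [c.check(data) for c in self.causes]
        return all(results) if self.combine == "AND" else any(results)

# Constructed data points for Step 3; the thresholds below are assumptions.
SAMPLE_DATA = {"screwer_S.torque_Nm": 18.0, "transformer_T.setpoint_V": 400.0}
ALL_LINKS = {"MPFQ", "process-resource", "mechanic", "electrical"}

# H(E12; C1 or C2) from the feasibility study (Section 6), linked to CEN assets.
H1 = Hypothesis(
    effect="E12: loose screw joint in car body position X",
    causes=[Cause("C1", "Screwer Drive", lambda d: d["screwer_S.torque_Nm"] < 25.0),
            Cause("C2", "Transformer", lambda d: d["transformer_T.setpoint_V"] != 400.0)],
    combine="OR")
```

Calling `H1.pathways(build_screwing_cen(), "Screwing Joint Stiffness", ALL_LINKS, 8)` returns the asset path from the SuI to each cause's asset; restricting `link_types` to mechanical links or lowering `max_steps` leaves the electrical cause C2 unreached, which is the cross-discipline gap the paper's CEN exploration is meant to close.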
CPPS-RA Conceptual Prototype. For details on
the conceptual prototype, refer to (Biffl et al., 2020).
The CPPS-RA conceptual prototyping results pro-
vided a solid basis for the evaluation of the method
and for the discussion with domain experts to guide
further prototype development priorities.
6 FEASIBILITY STUDY
We evaluated the CPPS-RA method’s feasibility with
the representative Screwing System use case (cf. Sec-
tion 4) from CPPS engineering. The study built on a
CEN that contains function, product, process, and re-
source assets and selected links between the assets,
e.g., functional and qualitative interfaces (cf. Fig-
ure 1). CPPS domain experts among the authors
of this paper conducted the CPPS-RA method steps.
They discussed the results, focusing on the effect
loose screwing joint, with three senior domain experts
from car manufacturing to compare the characteristics
of CPPS-RA and their traditional method for risk as-
sessment.
In the following, we summarize the discussion of
the main results of the CPPS-RA method steps.
Results of Step 1: Identify risk and informal
cause candidates. For the risk loose screwing joint,
the domain experts identified insufficient screwing
force or wrong screw positioning as informal cause
candidates.
Results of Step 2.1: Explore CPPS Engineer-
ing Network. The domain experts reviewed CEN el-
ements relevant for insufficient screwing force and
structured their CEN exploration as exploration steps, S_i. They characterized the steps by the set of starting elements, neighbourhood functions to select further elements, and termination rules that limit the search scope (see Figure 1 for examples of exploration steps, labeled S_i). For more details on the exploration results, refer to (Biffl et al., 2020).
Results of Step 2.3: Build hypothesis linked to
the CEN. The domain experts used a simple restricted language to express their hypotheses based on cause candidates linked to CEN elements (see Table 1), e.g., H(E_12; C_1 or C_2), where E_12 represents the effect loose screw joint in car body position X, C_1 is weak screwing force of Screwer S, and C_2 is a wrong parameter setting in Transformer T.
As a result, the domain experts could collect evi-
dence on these causes by checking the associated en-
gineering plans or by collecting data from a simula-
tion or an operational CPPS.
7 EVALUATION AND DISCUSSION
This section discusses the results of the feasibility
study regarding requirements, research questions, and
research limitations.
7.1 Evaluation
We evaluated the research results in a feasibility study
with domain experts regarding the requirements Rx
(cf. Section 3). We investigated common use cases
for automotive component assembly processes to bet-
ter understand the knowledge that domain experts re-
fer to when discussing risk assessment scenarios. We
discussed assembly steps, associated assets, and links
from the automotive domain similar to the use case
Screwing System (cf. Section 4, Figure 1). Further-
more, we compared the CPPS-RA method with their
traditional risk assessment approach, the discussion
of causes for an effect using the discipline-specific
models. These models are typically integrated men-
tally by the domain experts who rely on considerable
implicit domain knowledge.
In Table 2, columns list the risk assessment ap-
proaches and the rows list the requirements (Rx, cf.
Section 3). The table cells show the evaluation results
based on a 5-point Likert scale. The signs + (++) indicate that the risk assessment approach satisfies the requirement (very) well, O indicates partial fulfillment, and − (−−) indicate (very) low fulfillment of the requirement by the risk assessment approach.
The representation of the cause-effect pathway in
the CEN is a good foundation for selecting data for
advanced analyses as the CEN data elements are re-
lated to measurable data points during testing, simu-
lation, and operation of the CPPS. For more details on
the evaluation refer to (Biffl et al., 2020).
7.2 Discussion
The main result of RQ1 on what data elements are required to represent cause-effect relationships in a CEN as a foundation for CPPS risk assessment are CPPS-RA meta-model elements that represent core concepts of FMEA, the CEN, and Cause-Effect hypotheses, including links between these concepts. The meta-model introduced in Section 5.1 addresses the requirements Rx elicited from practitioners (cf. Table 2).

Table 2: Capabilities of risk assessment approaches in CPPS engineering.
Requirement | Traditional | CPPS-RA
R11. FMEA concepts | + | +
R12. CEN concepts | | ++
R21. Causes and Hypotheses | | +
R22. Mapping Causes & Effects to CEN | | +
R3. Cause-Effect Path | −− | +
The main outcome of RQ2, on how a domain expert can explore a CPPS Engineering Network to identify and assess candidate cause-effect relationships for a failure mode/effect, is the CPPS-RA method. The method allows exploring a CEN to identify and annotate assets and links related to a cause-effect pathway that links likely causes to an FMEA effect. The CPPS-RA method introduced in Section 5.2 addresses the applicable requirements R22 and R3. In the feasibility study (see Section 6), domain experts found the results of the CPPS-RA method understandable and applicable to a typical use case in car manufacturing.
Limitations. The feasibility study focused on a single use case in a large car manufacturing company. This may introduce bias due to the specific selection of model types in the CPPS engineering network, the types of effects and causes considered, as well as the roles or individual preferences of the domain experts. The evaluation highlighted that the proposed representation of domain expert knowledge and the CPPS-RA method for risk assessment in discrete manufacturing are promising. However, they should be evaluated in further studies with several engineering organizations and use cases. For details on lessons learned and limitations refer to (Biffl et al., 2020).
8 CONCLUSION AND FUTURE WORK
The assessment of risks in CPPS engineering usually requires input from several engineering disciplines. In this paper, we built on a CEN, a multi-domain multi-view CPPS engineering model, to assess risks to the CPPS and products.
We introduced the CPPS-RA approach for linking effects and causes to assets in a multi-view CEN to validate informal Cause-Effect hypotheses and explore potential causes for risks to the CPPS and products, even across discipline boundaries. The CEN model elements provide the foundation for specifying the engineering and operational data required for testing the hypotheses. We defined the CPPS-RA meta-model to represent core concepts for integrated CPPS engineering views for risk assessment. We evaluated the CPPS-RA approach in a feasibility study with a conceptual prototype on the use case Screwing System, which is representative of discrete manufacturing.
The CPPS-RA approach provides the following benefits: (1) Causes linked to CPPS engineering data elements in a CEN facilitate the automated evaluation of hypotheses based on data, even across discipline boundaries; and (2) the CEN allows validating the cause-effect pathway, i.e., to what extent a CEN element linked to a cause is connected to the CEN element linked to an effect.
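As an added illustration of benefit (2) and of the CPPS-RA method's pathway exploration (Section 7.2), and not code from the paper or the CDL-SQI project, the following script models a constructed CEN fragment for the Screwing System as a graph of assets and links, maps two hypothetical FMEA cause-effect hypotheses onto CEN assets, and searches for a cause-effect pathway between them; a hypothesis without any pathway cannot be tied to CEN data points for testing. All asset names, link structure and hypotheses are assumptions made for this example.

```python
# Added example (not the paper's code): validate FMEA cause-effect hypotheses
# against a CEN by checking whether CEN links connect the cause's asset to the
# effect's asset, and report the assets along the pathway as data sources.
from collections import deque

# Constructed CEN fragment for the Screwing System use case: asset -> linked
# assets. Asset names and links are illustrative assumptions, not the paper's.
CEN_LINKS = {
    "Screwdriver": ["Torque Controller", "Screw Feeder"],
    "Torque Controller": ["PLC"],
    "Screw Feeder": ["PLC"],
    "PLC": ["Joint Quality Check"],
    "Joint Quality Check": [],
    "Paint Shop Robot": ["Paint Booth"],  # constructed unrelated asset
    "Paint Booth": [],
}

# Constructed FMEA hypotheses: each maps a cause and an effect to a CEN asset.
HYPOTHESES = [
    {"id": "H1", "cause": "Worn screwdriver bit", "cause_asset": "Screwdriver",
     "effect": "Loose joint", "effect_asset": "Joint Quality Check"},
    {"id": "H2", "cause": "Paint booth overspray", "cause_asset": "Paint Shop Robot",
     "effect": "Loose joint", "effect_asset": "Joint Quality Check"},
]

def cause_effect_path(cen, start, goal):
    """Breadth-first search over CEN links; returns the asset path or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:      # walk predecessors back to start
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in cen.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def validate_hypotheses(cen, hypotheses):
    """Map hypothesis id -> pathway; None means the CEN offers no pathway, so
    the hypothesis cannot be tested against CEN data and should be revisited."""
    return {h["id"]: cause_effect_path(cen, h["cause_asset"], h["effect_asset"])
            for h in hypotheses}

if __name__ == "__main__":
    for hid, path in validate_hypotheses(CEN_LINKS, HYPOTHESES).items():
        print(hid + ": " + (" -> ".join(path) if path else "no pathway in CEN"))
```

The assets on a returned pathway are the CEN elements whose engineering or operational data would be collected to test the hypothesis.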
Future Work. Combination of model- and data-driven CPPS risk assessment. Building on the CPPS-RA results of hypotheses linked to a CEN, we plan to explore the combination of model- and data-driven CPPS analysis based on data from CPPS engineering and operation.
Security and Countermeasures. Going beyond product quality concerns, we plan to combine the risk assessment regarding functional quality and information security aspects with iterative cause-effect analysis to address the risk for large CPPSs that are part of the critical infrastructure. We plan to extend the CPPS-RA approach to represent countermeasures that address weaknesses of assets or links to mitigate risks to a CPPS or product. For more details on future work refer to (Biffl et al., 2020).
ACKNOWLEDGEMENTS
The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs and the National Foundation for Research, Technology and Development is gratefully acknowledged.
REFERENCES
Atkinson, C., Tunjic, C., and Möller, T. (2015). Fundamental realization strategies for multi-view specification environments. In 2015 IEEE 19th Int. Enterprise Distributed Object Computing Conf., pages 40–49.
Biffl, S., Lüder, A., and Gerhard, D., editors (2017). Multi-Disciplinary Engineering for Cyber-Physical Production Systems. Springer.
Biffl, S., Lüder, A., Meixner, K., Rinker, F., Engelbrecht, C., Eckhart, M., and Winkler, D. (2020). Multi-View-Model Risk Assessment for Positioning and Joining Simulation (Case Study). Technical Report CDL-SQI-2020-05, CDL-SQI, Institute for Information Systems Engineering, TU Wien. https://qse.ifs.tuwien.ac.at/cdl-sqi-2020-05/.
Biffl, S., Lüder, A., Rinker, F., Waltersdorfer, L., and Winkler, D. (2019). Engineering data logistics for agile automation systems engineering. In Sec. and Quality in Cyber-Physical Sys. Eng., pages 187–225. Springer.
DIN60812 (2015). DIN EN 60812:2015-08: Failure mode and effects analysis (FMEA).
Drath, R., Lueder, A., Peschke, J., and Hundt, L. (2008). AutomationML - the glue for seamless automation engineering. In Emerging Tech. and Factory Automation, ETFA 2008. IEEE Int. Conf., pages 616–623. IEEE.
Foehr, M. (2013). Integrated consideration of product quality within factory automation systems. Dissertation, Otto-von-Guericke-Universität, Germany.
Henning, K. (2013). Recommendations for implementing the strategic initiative INDUSTRIE 4.0. acatech, National Academy of Science and Engineering.
Höfig, K., Klein, C., Rothbauer, S., Zeller, M., Vorderer, M., and Koo, C. H. (2019). A meta-model for process failure mode and effects analysis (PFMEA). In 2019 24th IEEE Int. Conf. on Emerging Tech. and Factory Automation (ETFA), pages 1199–1202. IEEE.
Hopkin, P. (2018). Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. Kogan Page, 5th edition.
IEC 62714 (2018). Engineering data exchange format for use in industrial automation systems engineering - Automation markup language. Int. Standard, Second Edition, Int. Electrotechnical Commission, Geneva.
Kaiser, B., Liggesmeyer, P., and Mäckel, O. (2003). A new component concept for fault trees. In Proc. Wsh. on Safety Critical Sys. and Sw., Volume 33, pages 37–46.
Liu, H.-C., Liu, L., and Liu, N. (2013). Risk evaluation approaches in failure mode and effects analysis: A literature review. Expert Systems with Applications, 40(2):828–838.
Lüder, A., Pauly, J.-L., Rinker, F., and Biffl, S. (2019). Data exchange logistics in engineering networks exploiting automated data integration. In IEEE ETFA, pages 657–664. IEEE.
Meier, J., Klare, H., Tunjic, C., Atkinson, C., Burger, E., Reussner, R., and Winter, A. (2019). Single underlying models for projectional multi-view environments. In Proc. MODELSWARD, pages 119–130. SciTePress.
Sitte, J. and Winzer, P. (2010). Demand-compliant design. IEEE Trans. on Systems, Man, and Cybernetics - Part A: Systems and Humans, 41(3):434–448.
Stamatis, D. (2019). Risk Management Using Failure Mode and Effect Analysis (FMEA). Quality Press.