Resilient Product Development - A New Approach for Controlling Uncertainty

By combining the established development method according to VDI guideline 2206 and the new approach of resilience, resilient product development makes it possible to control uncertainty in the early development phases. Based on the uncertainty that can occur in a classical product development process, such as uncertainty due to (i) the transition from function to building structure, (ii) interaction of modules and (iii) planning uncertainty, we first discuss the limits of existing product development guidelines and introduce the concept of resilience. The basic idea is that a resilient process can control uncertainty through the four resilience functions (i) monitoring, (ii) responding, (iii) learning and (iv) anticipating. We apply this new approach to the product development of the actuators of the active airspring of the TU Darmstadt. The active air spring can be used to increase driving comfort in a vehicle or, for example, to minimize kinetosis during autonomous driving.


Motivation
In order to develop, produce and use products more cost-effectively and efficiently, they must be considered in all phases of the product life cycle, from development, procurement, production, sales market, use to recycling [1]. In particular, the transition from one product life phase to another is difficult because there are often no consistent models of the product across the phase boundaries. Uncertainty arises in the product development process (i) during the transition from the functional to the building structure, (ii) through ignored or unknown interactions of modules or (iii) during planning. One approach to control this uncertainty is the Resilient Product Development (RPD) presented here. It bases on the VDI guideline 2206 [2] and extends it by elements from agile hardware development [3]. The principle of resilience originates from psychology and has been researched in the Collaborative Research Centre in the context of load-carrying systems in mechanical engineering since 2017. The basic idea is that a resilient system or a resilient process can control uncertainty through the four resilience functions (i) monitoring, (ii) responding, (iii) learning and (iv) anticipating. After the presentation of the RPD, its application in the development of an active air spring is shown and discussed critically. The active air spring of the TU Darmstadt is an active system that combines the advantages of the air spring with those of an active system and can be used to reduce oscillations in a vehicle.

Product Development Models
In the industrial context, the process models from VDI guidelines 2221 and 2206 for applied product development are widely used and are regarded as the industry standard. The workflow of the development and design process is described in general form in VDI guideline 2221 "Systematic approach to the development and design of technical systems and products". The design process is only roughly structured. A complex overall problem is dealt with in four main phases: (i) Planning and clarifying the task, (ii) conceptualizing, (iii) designing and (iv) elaborating. However, it is not always possible to separate the individual phases. To this end, VDI 2221 defines work sections as guidelines for a procedure in practice with broad applicability in different industries. For an operative application, therefore, a company-specific adaptation and design of the contents is necessary. The workflow is structured in a linear sequence of work steps, as Figure 1(b) shows, but depending on the development project, work steps can also be carried out only partially or several times iteratively [4].
(a) V model from the macro level of VDI 2206.
(b) Procedure model from VDI 2221. The development of mechatronic products is supported methodically and holistically by VDI Guideline 2206 "Design methodology for mechatronic systems". This product development model distinguishes between the micro and macro level. The problem-solving cycle at the micro level for processing subtasks consists of five steps: situation analysis or adoption of goal, analysis and synthesis, evaluation, decision and planning for the further procedure or learning. Furthermore, the early phase of development with the focus on system design is of interest, whereby the developer is stimulated to a holistic view. This macro level follows the V model from Figure 1(a), which consists of the steps system design, domain-specific design and system integration. The solution concept begins with the definition of the requirements, is first broken down into sub-functions and then integrated into the system solution. Before each integration step, an assurance of properties, i.e. the comparison between the target state, which was defined during system decomposition, and the actual state, is provided. The macro cycle, like VDI guideline 2221, allows an iterative procedure whereby the product of a cycle does not necessarily have to be the final product, but the degree of maturity increases with each iteration cycle [2].
In summary, the two VDI guidelines describe standardized procedures for conventional product development. By generalizing the individual processing steps, these can be used universally in many industries. However, neither guideline takes account of uncertainty in the product development process. The conventional methods presented were used in the development of the first prototype of the active air spring -except in the design phase [5]. An analysis of the product development process has revealed three sources of uncertainty in this approach, namely (i) uncertainty in the transition from function to building structure, (ii) uncertainty due to knowingly or unknowingly neglected interaction of modules and (iii) uncertainty in the planning of the product development.
Accordingly, there is a need to provide developers with tools and methods to deal with this uncertainty in the product development process. This will be discussed below. First, however, the three types of uncertainty mentioned are examined in detail.
Uncertainty due to the transition from the function structure to the building structure The function structure formulates functional relationships of a system. For this purpose, the overall function is broken down into sub-functions, which each have defined input and output variables. The function structure is usually not unique, since the sub-functions can be combined in different ways. In Figure 2(a), this is shown as an example for a conventional spring damper. When creating the function structure of a system, a distinction must be made between the essential and the non-essential. This abstraction and the subsequent transfer into the building structure creates uncertainty. The reason for this is that abstraction means neglecting -knowingly or unknowingly -parts of reality. There is no clear representation of the function structure on the building structure and thus several implementation options. Possible strategies for implementation are function integration and separation of functions. The difficulty of the transition from the function structure to the building structure becomes apparent in the example of the active air spring damper. The function structure of the implemented system, Figure 2(c), is much more complex than the general function structure of an active suspension system shown in Figure 2(b). Consequently, a system evaluation must be carried out based on the building structure, as it is not very meaningful on the basis of the function structure.
Uncertainty due to module interaction Mechatronic systems consist of four components: (i) the basic system, (ii) sensors, (iii) actuators and (iv) information processing. These are connected via material, energy and information flows. According to VDI guideline 2206, this structure is to be understood as a basic module and is referred to as a mechatronic function module. Complex mechatronic systems usually consist of the coupling of several function modules [6]. This is done on the one hand through the mechatronic functional structure and on the other hand through the mechanical support structure. For example, the spring damper system is a functional module of the mechatronic system "passenger car". Since development is often domain-specific, system and module boundaries, as well as input and output variables, must first be defined for the development process. For this purpose, the modules are cut out of the overall system as shown in Figure 3. The input and output variables (flows) at the module interfaces are usually simplified and interactions between the modules are unknowingly neglected or knowingly. This leads to uncertainty, as the relevant reality is not fully represented by the model horizon. For example, the disregarded temperature increase of one module can influence the function of another.
Uncertainty in the planning of the product development Complex and time-consuming development processes encourage uncertainty in planning. For example, requirements defined at the start of a project and development goals may change. In project management, we speak of moving targets. Possible reasons for this are changed customer wishes or changed boundary conditions, which result from the assurance of properties. If developing capital goods, moving targets play an even greater role -in particular, time-varying return on investment, exchange rate risks and variable energy and raw material prices. They lead to uncertainty in the capital value as well as in "levelized cost of X" or change stakeholder expectations.

Conclusion
The two guidelines presented are fundamental for product development. However, they do not provide methods for controlling uncertainty in the product development process. In particular, the linear procedure of VDI guideline 2221 offers limited possibilities for such methods to be supplemented. In contrast, methods for controlling uncertainty can be integrated easily and directly into the macro cycle of VDI guideline 2206 at the various module levels. Another advantage of this guideline is the consideration of the disciplines of mechanics, electronics and information processing in the product development process.

90
Uncertainty in Mechanical Engineering III (a) Function structure of the conventional suspension.
(b) General function structure of an active suspension.
(c) Simplified function structure of the active air spring damper with regeneration. Fig. 2: The function structures describe the energy flow of the spring damper systems. Energy is changed, channeled, stored or connected and a distinction is made between mechanical, electrical, hydraulic and dissipated energy.

Methodical Control of Uncertainty in Product Development
Consequently, the question arises as to how the product development process can be extended in accordance with VDI guideline 2206 in order to be able to methodically control uncertainty in development. Therefore, we present methods that can be used for this purpose in the next section.
In order to minimize uncertainty in the transition from the abstract function structure to the building structure, holistic methods are suitable. In the Collaborative Research Centre 805, the Technical Operations Research (TOR) and Multi-Pole Systems Analysis (MPSA) methods are used in particular. Although these methods are not used in this publication, they are briefly presented in the following section for the purpose of comprehensiveness.
TOR follows the use of discrete optimization methods for system design. This approach covers two aspects: On the one hand, a system analysis can exploit greater optimization potential. On the other hand, a holistic control of uncertainty requires an examination of the interactions between the components of the system. However, this increased potential is countered by an increased degree of complexity. Through the application of operations research methods, optimal system structures are found from a variety of possible system variants with the help of mathematical methods [7].
The MPSA allows the description of systems with several inputs and outputs and their interaction using mathematical multipole formalism. A system is described by the three properties system function, system boundary and system topology. The MPSA is carried out in four steps. The first step, the system synthesis, gives a superior picture of the system. In the next step, the system analysis under uncertainty, white box models are derived. Then the stochastic optimization is performed and in the last step, the MPSA is completed with a sensitivity analysis [8].
For the description, evaluation and control of model uncertainty in the context of model verification and validation, standardized procedures -by Oberkampf [9] or the Guide for Verification and Validation in Computational Solid Mechanics of the American Society of Mechanical Engineers [10] for example -are known. The same applies to the analysis of uncertainty in the early stages of the development process with a focus on external sources of uncertainty, such as the influence of the market, legislation, and so on [11,12]. However, the focus of this publication is a method for controlling uncertainty at the module boundaries due to interactions of a mechatronic system and its concrete application.
The principle of resilience offers a promising approach for controlling uncertainty due to unknown interaction of modules. Originally, this comes from developmental psychology and has been considered in a safety-related context since approximately 2010 [13]. In the Collaborative Research Centre 805, the resilience principle was applied to systems and processes in mechanical engineering. According to Hollnagel [14] resilience is the intrinsic property of a system or process to adapt to a fault before, during and after it. This means, that the required functions can be maintained in both foreseeable and unforeseeable usage or application. A resilient system also enables a given minimum level of functional fulfilment in the event of malfunctions or failure of system components, e.g. carrying a load with reduced insulation. Furthermore, resilient systems can "survive" under constantly changing, unpredictable environmental conditions. The basic principle here is a high degree of adaptability of the system to its environment. An example of a resilient system is the Festo Motion Terminal VTEM. The use of intelligent software ensures that the system functions independently of the hardware tubing [15]. Resilience is achieved by the four system functions monitoring, responding, learning and anticipating.
These can be transferred to hardware development, as shown in Figure 4. In order to ensure the functions of the product to be developed, a transition from the development to the usage phase is necessary. Functional testing under realistic conditions is referred to as monitoring. In the next step, the results are fed back into development from usage and the product design is revised if necessary. This process is represented by the Resilience function responding. The paradigm "fail fast" can be

92
Uncertainty in Mechanical Engineering III used to describe this procedure, which originates from electronics. According to Gray [16] a fail-fast module works correctly or stops. At the same time, the results flow into the continuous improvement of the models, which represent the behavior and functions of the product virtually. The model adaptation is described using the learning function. In the next step, the improved models are used to predict the desired behavior of the product and to adapt the design again. This circle is passed through until the actual properties meet the target properties sufficiently well. New about the method -compared with the conventional VDI guideline 2206 -is that the focus is on assuring the properties of the product and thus controlling uncertainty at module interfaces. This property assurance is carried out in fine-grained form and the entire product development process is subordinated to it. The procedure follows Ehrlenspiel's [17] solution strategy "First the most effective". In order to consider planning uncertainty in product development, agile development methods are widely used in the field of software development. These methods are intended to increase the flexibility and transparency of the development process and at the same time shorten it in order to minimize risks [18]. The agile manifesto of 2001 [19], in which four values and twelve working principles are defined, forms the basis for all agile approaches. The basic idea is that when developing soft criteria such as communication, consideration for participants and flexible action are at least as important as formal foundations (standardized process, documentation, etc.). One of the most popular process models of agile software development is Scrum [14]. With Scrum, the development is divided into increments, so-called sprints. In general, they are four weeks long. Within a sprint, an interdisciplinary and selforganized team implements all product features that were defined before the sprint. At the end of each sprint there is a working system or subsystem. Especially this fact makes it difficult to transfer Scrum from software development one to one into hardware development and use it there [3,20,21]. On the one hand, it is difficult to produce a working prototype within a sprint. On the other hand, the staffing of the development team, especially in the development of mechatronic systems, is a challenge due to the required expert knowledge from the different domains. Schmidt describes this as the limitation of physicality [3].
So-called hardware-in-the-loop (HiL) experiments, in which individual real components or systems are coupled with a virtual system in real time, provide a remedy [22]. In this way, the interaction between component and system can be investigated at a very early stage of development. In order to increase resilience in product development, unpredictable properties can be discovered, their effects described and taken into account in the further process. In this way, uncertainty at the interface between product development and use can be countered in particular.

Applied Resilient Product Development using the Example of the Active Air Spring
The resilient product development presented in the previous section is now applied in the following using the active air spring developed at the Institute of Fluid System since 2008 within the scope of the Collaborative Research Centre 805 as an example. First, the principle of the active air spring is presented, then the product development steps and methods are considered and finally, the advantages and disadvantages of this product development are listed.

TU Darmstadt's Active Air Spring
The active air spring is an active system that combines the advantages of air suspension, such as level control or the load-independent body natural frequency, with those of an active system that can actively reduce oscillations and has a flexible working range. For example, it can be used to minimize kinetosis during autonomous driving. The resulting compression force of the air spring is where p denotes the air spring pressure, p a the ambient pressure and A L the load-carrying area of the air spring.
There are two ways to design an active air spring: firstly, the air spring pressure can be adjusted independently of the air spring deflection, and secondly, the load-carrying area can be adjusted. A design evaluation shows that a controlled adjustment of the pressure, e.g. by increasing or decreasing the air spring volume, is too slow to achieve the required actuating frequencies of 5 Hz. Adjusting the load-carrying area, on the other hand, is better suited for adjusting the axial force. For this purpose, we developed an air spring piston at TU Darmstadt, whose radius r P can be adjusted hydraulically with four segments evenly distributed around the circumference [23,24,25], Figure 5.
In order to maximize the actuating force and minimize the power requirement, we use a doublebellows air spring with a circular load-carrying area and two adjustable pistons ( Figure 5, right). To increase the total load-carrying area, the upper actuator extends and the lower one retracts simultaneously. The two actuators are connected hydraulically to a double-acting cylinder. By moving the cylinder, one pressure chamber is enlarged and one chamber is reduced in size -one actuator retracts and the other extends. The hydraulic system is dry, as the chambers are closed and leakage-free. The cylinder is driven hydraulically or electromechanically. The concept enables regeneration of the energy released when an actuator is retracted automatically, as depicted in the function structure, Figure  2(c). This energy is fed directly to the extending actuator and only differential forces have to be applied by the drive.
The actuating force of the functional prototype of the active air spring is +-1000 N at a static load of 2850 N. The system is partially supporting and the load is adjusted by varying the air spring pressure and individualizing the controller according to the resilience principle "one size fits all".
Applied product development The active air spring consists of various modules. Among the most important are the passive basic system, the active rolling pistons, the drive, the power supply as well as the sensors and the control, as shown in Figure 6. The entire system was developed at module level in a macro cycle using the RPD. The aim was to consider the interaction of the individual modules at an early stage of development. The overall function of the complex "active air spring" system was decomposed into sub-functions and the most important sub-function -the supply of external energy to adjust the load-carrying area of the air spring -was processed first. The modules were tested and evaluated under realistic conditions.
The core elements of the active air spring are the two active rolling pistons, each with a diameter that can be adjusted using four linearly movable segments. These actuators are a completely new development since no actuators available on the market meet the requirements. On the one hand,

94
Uncertainty in Mechanical Engineering III actuating forces in the order of 10kN are required with a relatively small travel of +-3mm and a minimum actuating frequency of 5Hz. On the other hand, the actuators must be so compact that they can be integrated into the air spring rolling piston. In addition, the torques of approximately 70Nm, which are induced by the rolling bellows rolling on the segments, must be withstood. The most important characteristics of the actuators were determined from generic theoretical preliminary investigations for active vertical dynamic oscillation reduction on a virtual quarter vehicle. First, the oscillation reduction that can be achieved with an ideal active chassis was determined using mathematical optimization methods [26,24,27]. This ideal system represents a limit which, according to the motto "It doesn't get any better!", cannot be undercut by any real system. From the requirement to improve driving comfort with the active air spring, the required actuating force and frequency could be determined from the preliminary investigations.
In a concept study, various electrical, mechanical, pneumatic and hydraulic actuator concepts were then examined. It has been shown that a hydraulic actuator best meets the requirements due to its high power density. To withstands the torque, the segments are guided by two piston rods which run in sliding bushes. The pressure chamber is sealed at the segments with a diaphragm. This sealing concept was chosen because, in contrast to conventional ring seals, diaphragms are in principle conditionally leak-free and well suited for short-stroke applications [28]. The concept of the actuator is shown in Figure 6 in the upper left.
Based on this concept, a first prototype of the actuator was produced -the linear actuator Figure  7, left). Once more, the prototype of the actuator was examined experimentally in generic preliminary tests. The aim was, on the one hand, to verify the functionality for use in the active air spring and, on the other hand, to determine important parameters (effective pressure area, friction forces, etc.) in the test. Due to the sealing principle used and the sliding bushes running in oil, a gear efficiency of over 90% was achieved with this actuator principle [23]. The results from the usage phase were fed back into the development phase and the first prototype of the active rolling piston was developed -this corresponds to the resilience monitoring function. This was also first characterized experimentally in component tests. Of particular interest was above all, whether the outer clamping of the diaphragm can withstand the loads. If the linear actuator is still flat, the active unwinding piston must be angled for space reasons, as shown in Figure 7. The first clamping plate design was still one-piece and the lateral clamping rods were semicircular. Due to leakage problems detected in the test, the clamping plates were modified. After "failing fast" the resilience function responding was used to solve the problem. On the one hand, they were split and on the other hand, wedge-shaped clamping bars were used to achieve a higher lateral surface pressure. Due to the rapid transition from the development phase to the usage phase, the problem was easily solved and the further product development process was not negatively affected. After successful testing in the air spring, the design of the upper active rolling piston was transferred to the lower one. With the knowledge acquired, the behavior of this actuator could already be anticipated so well in product development that no design changes were necessary.
Hardware-in-the-loop (HiL) tests were carried out to investigate and evaluate the interactions of the active air spring with the oscillating overall system at an early stage of development under realistic conditions. In these tests, the air spring is coupled to a virtual quarter vehicle, which is simulated in parallel in a real-time simulation environment from dSPACE, Figure 8. The deflection of the air spring calculated in the real-time simulation is transmitted to the testing machine, which adjusts it using an internal control system. The measured axial force response F is fed back into the simulation (closed loop simulation). The controller is mapped also in the simulation model. The HiL tests make it possible to examine the active air spring in different test scenarios by varying the virtual system parameters (different loads, excitations, etc.) or the controller. These results can be fed back directly into the development phase. This leads to a significant reduction of the development time and costs, compared to tests with a real system.

96
Uncertainty in Mechanical Engineering III   [24,27,26]. Figure 9 shows the frequency responses for body acceleration and wheel load fluctuation, calculated from the HiL test results for driving on the federal highway in different configurations. These two parameters are a metric for driving comfort and safety. In addition to the designed controller with preview, a second controller configuration was used to reduce low-frequency oscillations causing kinetosis. This frequency-specific weighting of the body acceleration was taken into account already in the controller design in the form of weightings according to VDI standard 2057 [29]. In comparison to the passively operated air spring, it is clear that the acceleration of the body in the natural frequency is reduced in active operation. This mitigates the incidence of kinetosis. The average power requirement for the configuration with preview is approximately 100 watts. These different controller designs would not have been possible without a quick transition to HiL tests.

Conclusion and Outlook
The procedure models of VDI guidelines 2221 and 2206 can be used in many industries by generalizing the individual processing steps, but do not offer methods for controlling uncertainty in the product development process. These include uncertainty due to (i) the transition from function to building structure, (ii) module interaction and (iii) planning uncertainty.
In order to minimize uncertainty in the transition from the abstract function structure to the building structure, holistic methods such as TOR or MPSA can be used. To handle planning uncertainty, elements from agile software development can be used to make the product development process more flexible and transparent. To mitigate the disadvantages of physical constraints in agile hardware development, methods such as HiL, which enable the transition from physical to virtual products, are useful.
However, the focus of this study was the control of uncertainty due to knowingly or unknowingly neglected interactions of modules. This occurs when the modules for domain-specific development are "cut out" from the overall system and input and output variables are defined at the interfaces in the form of energy, material and information flows. This uncertainty can be controlled methodically with the resilient product development, which is based on the procedure model of VDI guideline 2206. For this purpose, the principle of resilience, with the four functions of monitoring, responding, learning and anticipating, was transferred to the product development process. The functions of the product can be ensured by a transition from the development phase to the usage phase at an early stage of the product development process and by feeding back the experimental results by making any necessary adjustments to the development. This can be summarized as monitoring and responding. The results are used for learning, for example through a model adaptation of the existing simulation models. With these improved models, the actual behavior of the product can be predicted and its design adapted. This process is described by the resilience function anticipate. These steps are carried out until the actual properties meet the target properties sufficiently well.
This method was used in the development of the actuators of the active air spring. The active air spring of the TU Darmstadt is a partially supporting active system that combines the advantages of air suspension with those of an active system. The active air spring can be used to increase driving comfort and minimize kinetosis, for example during autonomous driving. The core elements of the active air spring are the hydraulic actuators. They are integrated into the air spring's rolling piston to change their diameter during operation at actuating frequencies of up to 5Hz. The RPD was used successfully in this completely new development. In particular, through constant monitoring and responding, deviations of the actual and desired condition during usage were detected and the design was adapted already in the early development phase. This could be shown by the example of the clamping of the sealing membrane.
In the next step, the air spring is to be additionally equipped with pneumatic damping. It then becomes an active air spring damper. The advantage of frequency-specific pneumatic damping [30] over conventional hydraulic damping is, that the actuator does not have to work against a "stiff" damper in the case of high-frequency excitations. At the same time, the investigation and detailing of the RPD as a method for controlling uncertainty in product development is to be pursued further. Of particular interest is whether it can be applied to other problems, such as the development of capital goods.