Resilient Design of Product Service Systems with Automated Guided Vehicles

: Automated guided vehicles undertake complex transportation tasks, for instance, in production and storage systems. In recent years, an increased focus on sustainability has occurred as the effects of ongoing climate change have become more apparent. Engineers are searching intensively for ways to design technical systems that are not only environmentally sustainable, but are also resilient to the challenges of the changing climate and other environmental conditions. The production of automated guided vehicles requires considerable resources; therefore, a long operation time is desirable for overall sustainability. The performance of transportation tasks requires certain processes, such as control, path planning, coordination/synchronization, and maintenance and update processes—the latter are also very important for a long operation time. This article proposes understanding these processes as services and to explore product service systems with automated guided vehicles. Due to their complexity, the efﬁcient and safe operation of such systems can be at risk because of several factors, such as component faults, external attacks and disturbances. For several years both resilient control and resilience engineering have been researched as possible remedies. An extension of these two concepts to the early stages of system development processes and including the system’s hardware is proposed in this article. This extension is referred to as resilient design. A primary purpose of resilient design is sustainability through extended usability and planned updates. The main intention of this article is to provide a comprehensive understanding of resilient design through application to product service systems with automated guided vehicles. The basis for this contribution is an extensive literature review and detailed system analyses on different levels. The main research results include novel application modes for product development methods. The explanation of the results is supported by means of an illustrative example based on a product service system with automated guided vehicles.


Introduction
Due to increased competition and product variety, many producing companies have sought to expand the flexibility of their production and logistics systems.Automated guided vehicles (AGVs) represent a central component of such systems [1].AGVs can be a promising component of flexible manufacturing systems (FMSs), but the design of FMSs and the planning of processes within these FMSs can be extremely challenging [2].Additionally, the enormous complexity of today's technical systems can lead to compromised reliability, leading to potentially disastrous failure modes and various kinds of safety issues [3].Taking the risks involved into consideration, traditional approaches of risk assessment and risk reduction do not appear to be adequate.Promising approaches introduce the concept of resilience into the system engineering discipline, i.e., the capability of a system to anticipate potential disruptions and to establish appropriate response behavior [4].An innovative methodology for thinking about reliability and safety has been proposed in recent years, referred to as "resilient engineering", and has attracted widespread interest [3].Häring describes the main objective of resilience engineering as facilitation of the capability of a technical system to operate in an acceptable manner in the presence of a risk event [5].Current research has also focused on quantitative assessment approaches, such as metrics for measuring resilience [4], principal component analysis and numerical taxonomies [3].An important part of resilience engineering is resilient control.Resilient control strategies seek to mitigate influences from unexpected events in order to maintain the overall function of technical systems; in this case the performance may be reduced [6].Set-based attack detectors can be applied for the detection of injection attacks and can be combined with set-theoretic controllers in an attack-resilient control scheme [7].In order to enable replay attack resilient control, the detection of replay attacks can be achieved using frequency-based signatures [8].The main focus of both resilience engineering and resilient control is on the later stages of system development processes.Issues such as the geometry and material of the technical system under consideration are the main area of interest.Consequently, this article proposes to add to these two concepts with a concept of resilient design, which is primarily based on the general principle of adaptability.Resilient design seeks to create technical systems which are able to adapt to changing environmental conditions that can be caused by, amongst others, climate change or natural disasters.The main purpose of resilient design is to support system and design engineers in the development of more resilient technical systems.Design can be understood as the process of creating the information which allows the production and operation of a technical system (see [9]).In this context, resilient design can be defined as the process of creating the information which allows the safe and efficient production and operation of a technical system even if certain risks are present.To date, only a few scientific endeavors have focused on resilient design; a review of initial research initiatives can be found in [10].Of note are studies concerning resilient design for increasing the sustainability of consumer products [11].El-Halwagi et al. pointed out that a comparatively large amount of research has addressed the resilience of the infrastructure, but that a very small amount of work has targeted other fields, such as manufacturing processes.These authors also list the integration of design, operation and control for resilience as a critical research need and a promising direction [10].Haug, on the other hand, has highlighted the importance of resilient design with regard to sustainable engineering and sees optimization of the useful life of a technical system as the primary objective [11].In the area of supply chain resilience, the central objective is taken to be improved adaptability of the supply chain in the event of unexpected events [12].Weisz [13] sees designing for climate change as a central objective and understands systems thinking as a central component of resilient design, as only interdisciplinary approaches that take account of constant change appear to be suitable.It can be assumed that resilient design will prolong the operation time of an AGV, will reduce operation risks (which may reduce efficiency and, amongst others, destroy resources), and will contribute to sustainable engineering.This article proposes to broaden the perspective, considering a technical system, e.g., an AGV, together with the services that allow the safe and efficient operation of the AGV.The focus is on a combination of the product AGV with necessary and optional services for its operation and extension of its operation time through maintenance and updating.A combination of products and services is commonly referred to as a product service system (PSS).There are many fields of research that address important aspects of PSSs with AGVs.Notable current reviews concern model predictive control [14], risks related to such systems [15], integration with the Internet of Things (IoT) [16], digital twins for production logistics [17], and smart warehouse operation management [18].However, it can be concluded that an in-depth investigation of the early stages of resilience engineering of systems that combine products and services has not so far been carried out.It is important to note that risks for the safe, efficient and sustainable operation of PSSs with AGVs can come from different sources.The most prominent sources are faults, tolerances, disturbances, aging and wear, as well as attacks (Figure 1).All the different factors listed in Figure 1 have the potential to decrease the performance, longevity and sustainability of a PSS with AGVs or even to turn the PSS into a system which is dangerous to itself, its environment and to human beings.It is definitely desirable to support system engineers and design engineers to reduce the susceptibility of a PSS with AGVs to these influences.

Research Scope and Questions
The primary objective of the article is to provide a comprehensive understanding of resilient design through the application of PSSs with AGVs as a foundational framework.The research endeavour is embedded in the design research methodology (DRM) proposed by Blessing and Chakrabarti [19], which distinguishes four stages of research.The four main research phases are described together with appropriate methods and results in Figure 2. The research described in this paper focuses on clarification of the challenges, necessities and potential of resilient design of PSSs with AGVs and proposes novel application modes for product development methods (similar to research project type 5, see [19]).The focus is on the first three research phases, as shown in Figure 2. Three main research questions can be formulated:

•
How can the concept of resilient design support system engineers and design engineers in the development of product service systems with automated guided vehicles?• How can early system concepts and decisions, as well as geometrical, material and structural aspects, enable the safe, efficient and sustainable operation of technical systems under certain influences and prolong the operation duration?• How can the concept of resilient design be combined with resilience engineering and resilient control and how may it support both concepts?
It is important to note that PSSs with AGVs are a novel area of investigation for resilient design so far not covered by other studies.PSSs with AGVs are a combination of a rather conventional product with services which can enhance the usability and the sustainability of the product.Therefore, such systems illustrate many aspects of resilient design.The key challenges in achieving sustainability and resilience in AGV systems can be found in the issues that product designers need to predict for the different use cases during the operation (which are closely connected with the services), including the need to balance the wear of the different components and the need to define a modular design which facilitates repairability and updating.For improved sustainability, an extension of the lifetime of AGVs through maintenance and updating is essential.In the early stages of design, product designers need to concentrate wear in the parts which can be easily exchanged and need to allow for the exchange of IT parts together with the possibility to add further or improved sensors and actuators.A central contribution of this paper is the proposal of novel modes of application of product development methods which support designers to address these challenges.The main purpose of this article is to provide a comprehensive understanding of resilient design based on the example of PSSs with AGVs.This is reflected in the structure of the paper.Section 3 explains product service systems (PSSs) and presents a model of the development and operation of PSSs.The different sources of risks are elucidated in Section 4. Section 5 presents a model of resilient design which is based on earlier models of resilience engineering.The model serves as the basis for detailed discussion in Section 6.This discussion is accompanied by an illustrative example in Section 7, and concluded in Section 8.A summary and future outlook are provided in Section 9.

Development, Production and Operation of PSSs with AGVs
This section serves as a basis for the later discussion and explains the concept and relevance of PSSs and a life-cycle model of PSSs with AGVs.

Product Service Systems
A prominent application of AGVs is the transport of items within a production or storage system.Essentially, the customers of an AGV want a transportation task to be carried out.Therefore, a combination of the product AGV with certain services, such as control services or maintenance services, may be advantageous, both for the producer of an AGV and the operator of a production or storage system.A key advantage of this kind of combination can be a concentration of knowledge and experience.Such combinations can be referred to as product service systems (PSSs) and have been studied for several years.An early definition of PSSs was already given in 1999 by Goedkoop et al.: a product is a tangible entity manufactured to be sold; a service is an activity carried out for others; a system is a collection of elements and their relations; consequently, a product service system (PSS) can be defined as a marketable set of product(s) and service(s) capable of jointly fulfilling the need(s) of user(s) (see [20]).Current research is focused on the validation of PSSs [21] and on exploring value proposition design approaches [22].PSSs with AGVs combine the tangible product AGV with services which allow, support or prolong the operation of the AGV or a fleet of AGVs.The operator of a production or storage facility essentially receives the solution to a transportation problem.The necessary and optional services can range from simple control tasks over path planning and coordination/synchronization to maintenance, or even system update and replacement.Figure 3 shows the main elements of a PSS with AGVs, with the physical products on the left side and the services on the right side.

Process Map of PSSs with AGVs
Several stages in the life-cycle of PSSs with AGVs can be distinguished.Often, these stages are carried out by different people or even enterprises.Different models, methods and processes are applied and it is difficult to provide a simple overview.A straightforward model for the life-cycle of a PSSs with AGVs is proposed in this paper, as shown in Figure 4. Two main sections of this PSSs with AGVs life-cycle model are based on the wellknown V-model, which was, amongst others, proposed in the VDI (Verein Deutscher Ingenieure -The Association of German Engineers) guideline 2206 [23,24] for the development of cyber-physical systems.It is important to note that, both in product development and in production development, iterative cycles are possible; this is indicated by the verification arrow pointing to the left side.In this model, the product development cycle is shown before the production development cycle.It is important to note that the model is intended to be understood as a logical model and that both cycles can and should be carried out simultaneously.It is also important to note that the main focus of this model is on the early stages and that the system operation stage is only represented in one field-this stage may have the longest duration and can require the largest resources, but is already covered by resilience engineering and resilient control.

Resilience with Regard to Faults
In most research communities, faults are understood as unintended deviations from a nominal behaviour [25].In a technical system, faults can appear in the form of sensor faults, actuator faults, process faults, processing unit faults and communication faults.There is now a general consensus that faults are inevitable in complex technical systems and that measures to accommodate these faults are essential [6].In this area, a large body of research has been carried out that covers fault-tolerant control (FTC) [26] and fault-tolerant design (FTD) [27].

Resilience with Regard to Disturbances
During the manufacturing and operation of technical systems, disturbances, such as vibrations, cannot be avoided, because certain influences, such as imbalances or electrical fluctuations, cannot be completely prevented.These disturbances cause differences between the actual operation and quality of technical systems and their theoretical operation and quality (see [28]).In general, a distinction between different kinds of causes of disturbances should be made in systems development [28] (in the operation stage, certain strategies, such as the employment of a back-up system, may require no distinction between these kinds of causes).One possible distinction is a distinction between matter, energy and signal, as is also proposed for the functional domain in systematic design science [29].A typical example for a disturbance caused by matter is an imperfect surface which will lead to vibration when relative motion is necessary.An example of a disturbance caused by energy is fluctuation in the voltage of a power supply.A sensor communication line subjected to electric radiation is an example for a disturbance caused by a signal.Figure 5 summarizes common sources of disturbances.The design of products which display little sensitivity concerning disturbances is commonly referred to as robust design.Arvidsson and Gremyr define robust design as a methodology that aims to achieve insensitivity to noise factors in a systematic manner [30].
Mathias et al. emphasize that consideration of robustness has to start right at the beginning of the design process [31].It can be concluded that a rich body of research covering robust design already exists; until now, little effort has been made to integrate these aspects into a broader understanding of the resilience and sustainability of technical systems.

Resilience with Regard to Tolerances
Robust design, as described in the preceding section, can make a product's functional performance insensitive to uncertainties such as disturbances; Zhang et al. proposed an extension towards tolerances [32].Feng et al. pointed out that robust tolerance design is an important technique that may result in continuous quality improvements of products and also processes [33].In general, a tolerance describes the admissible or existing deviation of a characteristic of a technical product.The most well-known tolerances are dimensional tolerances of mechanical components, but shape and position tolerances can also play an important role.It is important to note that the documentation of tolerances in technical drawings is currently undergoing a change towards integrated geometrical product specification (GPS); this system for work-piece geometry specification represents an improved engineering tool [34].Zhang et al. propose a robust tolerance design approach for modelling the relationships among functional performance, cost, design parameters and tolerances [32].Based on this research, Thomitzek et al. proposed a method for examining the effects of product tolerances on subsequent process steps and final product characteristics in order to predict beneficial tolerance ranges.These ranges were intended to be used to select manufacturing processes with just the required accuracy, since unnecessarily high precision usually causes high acquisition costs without beneficial effects, while low precision leads to insufficient product performance [35].Frequently, a systematic goal of handling unavoidable tolerances is seen as an integral part of robust design; it is, consequently, also reasonable to view it as an integral part of the more universal concept of resilient design.

Resilience with Regard to Aging and Wear
Wear in technical systems is usually present at only a few surfaces, but may lead to failure of the complete system and to the need for early replacements if wear happens at components which cannot be easily replaced.Wear in technical systems occurs frequently at surfaces with relative movement but also at interface surfaces with high electrical currents and within conductors with high electrical currents.Aging and wear can also be caused by chemical processes, such as corrosion and oxidation.Common causes for aging are pulsating loads and pulsating pressures.Similar to disturbances and tolerances, aging and wear can severely alter product performance.Aging and wear can lead to unscheduled downtime in technical systems and to early replacement of the system.Prevention of these downtimes is the main purpose of so-called predictive maintenance.However, predictive maintenance requires in-depth knowledge of the current state of the system components in terms of wear and aging.A considerable body of research has focused on estimating the remaining useful life (RUL) of system components [36].In PSSs with AGVs, the knowledge of the RUL can be used for planning predictive maintenance activities, but also for controlling the system in a manner that will prolong the operation time of the complete system.This is possible, for instance, if redundant elements receive less operational load [9].As the operation time of a technical system is expanded, such capabilities can also be understood as aspects of resilience.Such possibilities are only present for certain system configurations.It is reasonable to integrate the issues of aging and wear, as well as options for reducing their consequences, into a holistic resilient design-this may contribute greatly to sustainable engineering.

Resilience with Regard to Attacks
Over the last year, an enormous number of cyber-attacks endangering technical systems were reported, for instance, the computer worm Stuxnet [37].Several studies investi-gated the nature of such attacks [38].For a full understanding of these attacks a systemic view is appropriate (Figure 6).The view depicted in Figure 6 (based on earlier considerations and depictions [38,39]) was expanded to include PSSs with AGVs.Visible on the bottom of Figure 6 is the PSS with AGVs.This system receives actuator commands, e.g., drive motor or steering motor commands that are generated by a control system.The AGVs send sensor readings, e.g., from their odometers, ultrasonic sensors or cameras, to the control system.Usually, these data are also sent to a diagnosis system, the main objective of which is the detection of faults.Today, distributed systems are common for several reasons [40].The network connection between the elements listed above can be used by an adversary either to disclose data or, even worse, to inject wrong or altered data.An attack carried out by the adversary will only be successful if knowledge concerning the PSS with AGVs is available to the adversary.Taking the aspects mentioned into consideration, a three-dimensional model can be derived (Figure 7).The view depicted in Figure 7 (based on earlier considerations and depictions [38,39]) was expanded to include PSSs with AGVs.Disclosure resources refer to the possibilities of an attacker learning something about the system, i.e., to receive sensor information, while disruption resources refer to the possibilities to change something in the system, i.e., to send information to actuators or to alter information for actuators.It is obvious that approaches which aim at eliminating disclosure resources and other ways to gain system information, such as espionage, and at eliminating disruption sources, will increase resilience.Further considerations concern the system and component design [40], which should, consequently, also be integrated in a holistic resilient design.

Model of Resilient Design
This section introduces a model of resilient design which is based on the spiral model of resilience engineering.The main purpose of resilience engineering is the development of capabilities of technical systems to either prevent disruptive events (DEs), to be protected from these DEs, to be able to respond to these DEs, or to be able to recover from these DEs [5].A central element of resilience engineering is the performance of risk analyses-these are also included in the proposed spiral model of resilient design (Figure 8).The starting point of this model is assessment of the initial requirements concerning PSSs with AGVs.It is assumed that an initial set of requirements is already available at the start of a project (e.g., as given by a customer).From this point, the PSSs with AGVs design is developed up to its release.The different stages are based on models which describe the level of abstraction of technical systems: functional architecture, physical architecture, domain specific design and integration [23,29].In each stage, different aspects ("requirements management", "identifying risks and assessing sustainability", "development and test", as well as "plan the next iteration") are carried out.It is important to note that the model shown in Figure 8 is another representation of the two V-model loops in Figure 4.
However, both representations focus on different aspects of the process and both have their specific merits.A discussion of the main elements of resilient design follows the spiral model shown in Figure 8.

Resilient Design on Different Levels
This section contains a detailed presentation and discussion of approaches on different levels according to the spiral model of resilient design shown in Figure 8.

Resilient Design-Requirements Management
The core idea behind requirements management is that the conscious handling of the objectives of a PSS can prevent important functionalities, processes and characteristics from not being realized, and that possibilities for extending the life-time are enhanced.It is mandatory to include sustainability objectives in the requirements, and the longer-term consequences, as well as the systemic nature of sustainability requirements, has to be considered [41].Requirements management can be understood as a systematic approach for managing requirements in order to identify the relevant requirements, to achieve consensus, to understand and document the wishes and needs of the stakeholders, as well as to manage the requirements for minimizing the risk that a system will not fulfill these wishes and needs [42].This can be applied to both the physical and virtual parts of a PSS with AGVs; in fact, both parts should be managed in close coordination.Several techniques can be applied for identifying the requirements, for instance, stakeholder analyses, user stories and prototypes [43].Several taxonomies have been proposed for the classification of requirements [42].For the documentation of requirements, it is, furthermore, sensible to link the requirements to the structures of the technical system and its accompanying processes [42].These aspects are summarized in Figure 9.In general, for complex PSSs, it is appropriate to distinguish levels of requirements.A sensible distinction starts at high-level stakeholder requirements and goes down to concrete component requirements, both for physical and virtual (process/service) components.This can be depicted in the form of a V-model (see [23]); one possibility is shown in Figure 10 (based on an illustration by L. Bus, Eccam s.r.o, Praha, Czech Republic [44]).
As with all design tasks, it is very important for effective resilient design to ensure early and intensive clarification of requirements on all levels, as shown in Figure 10.Additionally, in all stages of resilient design, resilience and sustainability verification is sensible.For this endeavour, metrics for measuring resilience [4], as well as principal component analysis and numerical taxonomies [3], can be applied.To conclude, requirement management for resilient design is characterized by the inclusion of resilience and sustainability objectives and by verification on all levels of product concretisation to ensure the fulfillment of these objectives.

Resilient Design-Identifying Risks and Assessing Sustainability
One major step in resilient design is the identification of risks and the concurrent assessment of sustainability (see Figure 8).Risks can be connected with faults, tolerances, disturbances, aging/wear or attacks.Several methods and tools can be applied for the systematic identification of risks.In most companies, quality guidelines require the application of failure mode and effect analyses (FMEA), at least for physical products.In general, this method (similarly, fault tree analysis (FTA)) can be applied to the virtual components of a PSS with AGVs.A control process of an AGV could be influenced by an external attack and an investigation of the resulting consequences could be sensible and fruitful.Frequently, safety guidelines require risk analyses, e.g., the machinery guideline ISO 12100 [45].Again, these analyses are currently centered around the physical components, but could, in theory, be expanded to the processes within PSSs with AGVs.In such analyses, with or without methodical support, a distinction between inductive and deductive reasoning is possible [5]; inductive reasoning explores in which way bottom-level components or processes can deviate from the nominal behavior, whereas deductive reasoning explores how the top level system may fail and which risks may have caused this failure.It is likely that a combination of both types of reasoning will lead to an exhaustive appraisal of possible risks.Some identified risks will lead to more dangerous events and others to less dangerous events or even to only small deviations from the nominal behavior.Similarly, some consequences of risks will appear rather often, while the appearance of other events is very unlikely.Consequently, it is sensible for prioritization of risks to be based on an assessment scheme similar to FMEA (see, e.g., [46]).In this kind of scheme, three components are multiplied in order to calculate a priority number (see [47]): • Severity (S): severity assesses the possible effects of a certain risk on the PSS with AGVs, the PSS's operators and the PSS's customers.Severity can be quantified on a 10-point scale from 1 (no effect) to 10 (hazardous effect).• Occurrence (O): occurrence assesses the probability of consequences from a certain risk.Occurrence can be quantified on a 10-point scale from 1 (risk consequence very unlikely, no failure history) to 10 (risk consequence almost certain).• Detection (D): detection assesses the probability to detect a risk consequence before it has an effect (during all system life phases from concept over design, testing, production, end-of-line-testing, and operation to recycling (see Figure 4)).Detection is quantified on a 10-point scale from 1 (proven detection means for detection already available in the concept phase) to 10 (no detection means available).
In addition to FMEA and FTA, further methods can be adopted to identify possible and probable risks, such as event tree analysis (ETA), failure modes, effects and criticality analysis (FMECA) [48], and combinations of FTA and FMEA [49].Still, the identification and prioritization of risks is an essential step in resilient design that requires both methodical support, as mentioned above, and experienced engineers.Additionally, effective and efficient knowledge management can be an issue and challenge.For the assessment of sustainability, a large body of knowledge is available (for an overview of relevant research consult, e.g., [50][51][52]).Awan et al. [52] point out that a promising future research direction, especially concerning manufacturing firms, is consideration of the interests of external stakeholders and adoption of the view of these stakeholders.For the producers of AGVs, integration of the processes for operation, maintenance and updating can be valuable for ensuring the interests of external stakeholders are included.Schöggl et al. [51] conclude that the application of integrated sustainability assessment methods could be applied to foster strategic decision-making processes from a sustainability perspective, which is also reflected in the model in Figure 8.They also conclude that it appears vital to strive for an integration of material, strategic and consumer perspectives, because, only by a combination of these three perspectives, may the principles of sustainability be accomplished [51].

Resilient Design of Functional and Logical Architectures
On the functional level, the most important means of increasing resilience are based on resilience mechanisms (Figure 11).From the functional point of view, the simplest mechanisms are passive mechanisms, which do not rely on anomaly detection and which do not alter the system's behavior.One example is brake pads with a life-time wear reservoir.Certain mechanisms do not rely on anomaly detection, but use a control cycle which seeks to change system behavior in a manner that leads to achievement of given targets.In control engineering, this mechanism is referred to as robust control [53].Using this kind of mechanism, it is possible to achieve controlled systems which are insensitive to parameter variations, external disturbances and model mismatches [53].Even higher improvement potential is associated with active mechanisms.In this case, a diagnosis system detects anomalies and allows changes to the system's structure and behavior.One example is active fault-tolerant control (see, e.g., [25].For this kind of mechanism, analytical models of sub-systems of the PSS are usually required.Complex, multi-domain simulation models which allow bidirectional data exchange are referred to as digital twins [54].The application of digital twins can support many features which increase the resilience of PSSs and can enable service of PSSs with AGVs, such as scheduling and synchronization [55].On the functional level, several modelling methods have been proposed, especially in the domain of physical technical systems [47,56].It is one of the central observations of this paper that these kinds of models are appropriate for modelling PSSs as well.This will be demonstrated with two kinds of function models: relation-oriented and flow-oriented function models.A relation-oriented function model is shown in Figure 12.The blue box on the left side of Figure 12 describes the syntax of this kind of function modelling (based on [57]), while, on the right, an example of resilient design is shown.Figure 12 describes resilient design by means of the application of fail-safe pin coupling.Such couplings are designed in a special way which assures torque transfer even if internal flexible elements are destroyed.In this case, additional vibrations will be the result of damaged elastic elements.These vibrations can be used to detect the fault before serious consequences occur.However, in automated systems, no human being may be able to detect these vibrations.One possibility would be dedicated vibration sensors, but these can lead to increased system complexity and cost.One promising possibility could be motor current signal analysis (MCSA), as shown in Figure 12.This kind of analysis has been intensively researched; an example is that of hypergraph neural networks [58].Another form of function model-a flow oriented function model-is depicted in Figure 13.The blue box on the left side of Figure 13 describes the syntax of this kind of function modelling.The syntax is based on the function model as proposed by Ehrlenspiel and Meerkamm [59].Operations, e.g., changes of an operand, are shown as arrows and are usually described with a verb and a noun.In this syntax the state of operands is also included, for instance, the state before and after an operation.The different kinds of flow of operands can be distinguished (see also [29,56]): matter, energy and signal.The signal flow reflects the main parts of services.Additionally, auxiliary flows of operands can be connected via auxiliary states.For auxiliary states, three kinds can be distinguished: condition states, process states and additional states.Condition states describe states of operands which are necessary for the realization of an operation.Process states describe states of auxiliary operands which are influenced by an operation.Additional states are sometimes necessary to describe equivalence relations.In the proposed syntax, actors can also be shown in order to increase clarity and faciliate understanding of the function model; actors are function carriers, i.e., entities which realize an operation.The example given describes the transportation task within an PSS with AGVs, together with the accompanying service synchronization.It is clear how the PSS synchronization control system can provide synchronized movement commands, but it needs position information from the AGVs.By means of function models, it is possible to describe the connection between physical system elements and services, and, through this, to support engineers in the endeavor of resilient design.

Resilient Design of Abstract Physical Architectures
In general, five perspectives of abstract physics can be distinguished: a phenomenonoriented perspective, a behavior-oriented perspective, an interface-oriented perspective, a logic-oriented perspective, and a control-oriented perspective [60].An overview of these perspectives in relation to the model of resilient design depicted in Figure 8 is given in Figure 14.Most of the perspectives shown in Figure 14 are closely connected with physical products.However, the behavior-oriented perspective, that contains linear and nonlinear equations and differential equations as well as numerical behavior models [60], can also be applied for PSSs (and, therefore, for PSSs with AGVs), because the time/velocity/acceleration perspective can also be important for the analysis and optimization of services.One obvious example would be the synchronization of multiple AGVs in a narrow corridor of a storage building; for this kind of limited space coordination, detailed knowledge of the current and actual velocities would be very helpful.Zheng et al. proposed using certain optimization methods for the joint optimization of the multiple domains of an autonomous system for finding an optimal architecture for both hardware and software [61].Several researchers have proposed multi-domain co-simulation methods which are based on the functional mock-up interface (FMI) standard (e.g., [62,63]).For this level of abstraction, it can be concluded that co-simulation of the behavior of technical systems, together with the accompanying services, would be a promising approach, but that further research is needed to exploit this possibility.In this context, co-simulation is understood as the concurrent and interdependent simulation of the behaviour of a technical system in different domains.Other promising approaches, which are frequently also referred to as co-simulation, are the concurrent simulation of different entities, e.g., robotic arms, as well as the combination of different simulation tools [64], and connection with human machine interfaces (HMIs), such as virtual reality (VR) [65].For the purpose of resilient design, all kinds of concurrent and interdependent simulation approaches can be considered relevant, as they have the potential for deeper investigation of system behaviour.Additionally, combined verification processes are possible, thus allowing verification matching for PSSs.
Another perspective that is interesting in the context of PSSs, is the control-oriented perspective, which employs actor-process-sensor models and state-space representations [60].For PSSs with AGVs, advantageous services would ensure that, in the case of AGVs with different states of charge (SOC) or states of health (SOH), the operation load is distributed on the different AGVs in an optimum manner.In earlier research, cooperative redundant AGVs were the focus of investigation and a health-aware model predictive control scheme was developed which was able to balance the operation load-the activities-of AGVs dependent on their SOC and/or SOH [66]. Figure 15 shows an exemplary result.In this example, the battery of AGV 1 would have both a higher (better) SOC and SOH.Therefore, most transportation activities would be assigned to this AGV by the task-scheduling service.The control-oriented perspective can be important and fruitful for the optimization of services within an PSS with AGVs.
Finally, the logic-oriented perspective may also be helpful for system and design engineers aiming at realizing more resilient PSSs with AGVs.By applying techniques such as FTA (see also Section 6.2), reliability and safety analyses can be carried out; this is possible for both physical products (AGVs) and virtual products (services), because the logical domain is not limited to one of these domains.

Resilient Design of Structure, Geometry and Material
At a concrete level, certain design decisions are possible which will increase resilience.One underlying principle is separation.A possible measure for prolonging the operation time could be a concentration of wear to certain components, which can easily be exchanged during maintenance.The same principle can also be applied to the control service.AGVs can dispose of their own dedicated control system; thus, the possibily of influence from outside (e.g., from external attacks) would be limited.Another underlying principle could be limitation.This principle can be applied to the velocity of the AGVs.It is frequently sensible to limit this velocity on a local, low-control level and to allow changes only via a key protected special setting mode.Yet another underlying principle is protection.On AGVs, elastic bumpers can be present which protect features, e.g., sensors.A well-known resilience principle is redundancy.On the top level of PSSs with AGVs, the resilience can be increased if more than one AGV is present which can perform a given task.On lower levels, redundancy can also be realized by means of multiple sensors or multiple actuators.Other principles are sensor overlap and over-actuation [9].Sensor overlap means that, due to their placement, sensors measure the same regions of a phenomenon; differences between the sensor readings will then indicate a fault in at least one of the sensors.This information can be used, e.g., to replace the sensor information with information from a virtual sensor or to bring the system to a safe shut-down.Either stronger actuators than necessary or more actuators than necessary are implied by the principle of over-actuation.It is obvious that the chances to accommodate the consequences of certain risks are better if the actuators are not loaded to their full extent in normal operation.
Additionally, on this concrete level, multiple algorithms, methods and tools in the general area of robust design and robust control can be applied (see Sections 4 and 6.3).A summary is shown in Figure 16.To conclude, the main possibilities for achieving sustainability and resilience on the most concrete level can be found in balancing wear of the different components, the definition of modular design, which eases repairability and updating, and approaches to eliminate the consequences of anomalies.It is important to note that the most important causes for lifetime limitations of AGVs are wear and outdated IT solutions.Product designers need to concentrate wear in parts which can be easily exchanged and need to allow exchange of IT parts, together with creating the possibility to add further or improved sensors and actuators.

Illustrative Example
This section explains certain aspects of the resilient design of PSSs with AGVs.This discussion is based on a case study consisting of a system of automated forklifts in a warehouse (Figure 17).Forklift AGVs are intended to transport goods on pallets, such as household appliances from a production outlet (shown in the foreground of Figure 17), to high-rise shelves in a warehouse, and, from these shelves, to a delivery station (not shown).Most often, the company which operates the warehouse would buy AGVs and would be responsible for the operation of these AGVs.For a PSS with AGVs, a separate organisation would be responsible for the complete transportation process, i.e., the procurement of AGVs, the control and synchronization of the AGVs, as well as the maintenance and even replacement of these AGVs.This complete responsibility may lead to a holistic view, thus fostering resilient design and sustainable engineering.As mentioned above, resilient design starts with conscious clarification of the requirements, an initial risk analysis, and an initial sustainability assessment.As was previously elaborated, several factors need to be considered for resilient design.In the example given, a checklist can be helpful which lists common sources of disturbances in a warehouse environment, common causes of faults, and common possibilities for attacks.An initial risk analysis can be carried out in a top-down manner, e.g., by employing fault tree analysis (FTA).The knowledge gained can subsequently be used to develop resilient functional and logical architectures.For the given case, active fault tolerant control can be implemented, both in the central control and synchronization unit, and on the local AGV.In this case, certain faults, such as a sensor fault in one of the AGVs, can be accommodated and the performance of the PSS with AGVs can still be within acceptable limits.Another example for resilient design on this level can be wear detection of a clutch by means of MCSA (see Section 6.3).More concrete than the functional and logical architecture is the abstract physical architecture.In the given case, resilient design of the abstract physical structure can be focused on the behaviour of the AGVs.A profound knowledge of this behaviour can result from detailed simulations, such as of the acceleration behaviour and directional stability for surfaces with reduced friction coefficients.On the same level, the control-oriented perspective may lead to a health-aware control design (see Section 6.4), which optimises the PSS with AGVs output in the case of aging.Similarly, in a PSS with AGVs, additional operational load can be assigned to an AGV which is already scheduled for maintenance or even replacement.A good example for resilient design on the most concrete level-the level of structure, geometry and materials-would be limitation of the maximum speed of automated forklifts, which cannot be changed remotely by some kind of external attack.

Conclusions
The presented research findings provide answers to the research questions formulated in Section 2: • How can the concept of resilient design support system engineers and design engineers in the development of product service systems with automated guided vehicles?A general model of resilient design, repeated risk analyses and sustainability assessments, as well as several methods on different levels of system concretization, were developed in this research initiative and can support system engineers and design engineers in this endeavour.The primary objectives of this paper were, on the one hand, to provide a comprehensive understanding of resilient design through application to PSSs with AGVs as a foundational framework, and, on the other hand, to develop, demonstrate and explain novel modes of application of product development methods which can support designers during the implementation of resilient design.In contrast to other research initiatives, the research described focused on the concept of resilient design, which expands resilient control and resilience engineering to the early stages of system development.Resilient design aims to enhance sustainability by enabling extended usability and planned updates.Concrete product development methods on different levels of product abstraction were proposed to support resilient design of PSSs with AGVs.PSSs with AGVs were chosen as an example, because these systems are appropriate to elaborate many aspects of resilient design since these systems are a combination of a rather conventional product with services, which can enhance the usability and the sustainability of the product.

Summary and Outlook
PSSs with AGVs combine automated technical systems for the transportation of goods with services that support the operation of these systems.This paper investigated possibilities to support design, process and control engineers to design PSSs with AGVs which are more resilient with regard to certain risks and may operate for a longer time, thus contributing to sustainability engineering.These possibilities can be referred to as resilient design and can be characterised as representing a holistic approach that takes into account various aspects of design, which can lead to improvement in safety, efficiency and sustainability.At the center of the research is a model that enables distinguishing certain levels of abstraction and underlines the importance of the continuous identification of risks and the assessment of sustainability.The main sources of risks are faults, disturbances, tolerances, aging and wear, as well as external attacks.At the different levels of abstraction, concrete measures to increase resilience by means of design were explained.The research described in this paper can be understood as providing an initial explanation and structure; the collection of approaches is not yet complete.These results are based on an extensive literature review, but, additionally, novel application modes for product development methods are proposed.Further scientific activity is needed for full exploration of the given scientific area:

•
Further research is needed in the field of product-service co-simulation, i.e., regarding combined, modular multi-domain simulations that can include all aspects of the accompanying services.
• Further research is needed to expand the existing possibilities for resilient design, i.e., with respect to the means to design products which are insensitive to unavoidable influences, such as disturbances or tolerances.• Further investigations would be sensible which explore possibilities for the inclusion of aging and wear in the early stages of product and process design.

•
Investigations of the integration of advanced control techniques, such as machine learning algorithms or adaptive control strategies, to enhance the resilience and performance of AGVs in changing environmental conditions, are needed.• Investigations of innovative approaches for predicting and mitigating the effects of component failures, external attacks and disturbances on AGV systems, considering both preventive and reactive measures, would be sensible.

•
Investigations of the implementation of predictive maintenance strategies and realtime updating processes to optimize the operational lifetimes of AGVs while minimizing downtime are required.

•
Investigations regarding evaluation of the effectiveness of resilience engineering principles in enhancing the sustainability and resilience of AGV systems under various environmental challenges are sensible.

•
Investigations of the optimization of hardware design, such as energy-efficient components and materials, to further improve the sustainability and performance of AGVs in dynamic operational environments, are needed.
Additionally, the effectiveness of the proposed methodical approaches in real-life product development processes needs to be addressed.It is important to note that evaluation of the impact of methodical approaches is challenging [67]; one crucial issue is the problem that direct attribution of beneficial effects to a single approach is nearly impossible [68].A possible research strategy, which can allow assessment of effectiveness, is a combination of qualitative interviews with responsible engineers and the use of process indicators.

Figure 1 .
Figure 1.Prominent Aspects of Resilient Design-Sources for Risks.

Figure 3 .
Figure 3. Elements of a PSS with AGVs.

Figure 4 .
Figure 4. Life-cycle of PSSs with AGVs with Important Steps in Product Development, Production Development and Operation.

Figure 5 .
Figure 5. Examples for Sources of Disturbances.

Figure 6 .
Figure 6.Systemic Model of an External Attack.

Figure 7 .
Figure 7. Three Dimensions for Assessing the Severity of an External Attack.

Figure 8 .
Figure 8. Spiral Model of Resilient Design.

Figure 9 .
Figure 9. Central Aspects of Requirements Management.

Figure 16 .
Figure 16.Approaches to Reduce or Eliminate the Consequences of Anomalies on the Most Concrete Level.

Funding:
Parts of the described research were funded by the Carl Zeiss Foundation under the auspices of the project AI-based Digital Twin (KI-basierter digitaler Zwilling (KIDZ)).Institutional Review Board Statement: Not applicable.Informed Consent Statement: Not applicable.
• How can early system concepts and decisions, as well as geometrical, material and structural aspects, enable the safe, efficient and sustainable operation of technical systems under certain influences and prolong the operation duration?Concrete examples were given in the preceding sections with regard to how methods and solution elements can enable the safe, efficient and sustainable operation of a PSS with AGVs under certain influences.Early consideration of wear and aging can facilitate review of exchangeable components, which may prolong the operation time of the whole AGV and, consequently, may improve its sustainability.•Howcan the concept of resilient design be combined with resilience engineering and resilient control and how may it support both concepts?Combination with resilient control can be achieved by concentrating on the control perspective of the abstract physical architecture.Resilient design extends resilience engineering to the abstract levels of the functional, logical and abstract physical architectures.