Download full-text PDF

Enterprise Thinking for Self-aware Systems

Article (PDF Available) inIFAC Proceedings Volumes 51(11) · June 2018with112 Reads
DOI: 10.1016/j.ifacol.2018.08.414}
The paper aims to provide high-level guidance for architects of cyber-physical enterprises such that the nature of interactions within it as a system can be largely self-determined based on system self awareness and dynamic self-configuration, and a set of foundational guiding principles, rather than being pre-defined by an external designer or architect. The paper investigates the suitability of typical development life cycles and architectural challenges in the context of dynamic cyber-physical systems intending to utilize the power of the Internet of Things, and then goes on to define desired attributes of such systems, which need to guide suitable core architectural choices. Application of the findings is exemplified through a case study, followed by synthesis of issues and implications for further research.
Enterprise Thinking for Self-aware Systems
Pat Turner*
Peter Bernus**
Ovidiu Noran**
*Architecture Services Pty Ltd (ASPL)
**IIIS Centre for Enterprise Architecture Research and Management,
Griffith University {P.Bernus, O.Noran}
Abstract: The paper aims to provide high-level guidance for architects of cyber-physical enterprises such
that the nature of interactions within it as a system can be largely self-determined based on system self-
awareness and dynamic self-configuration, and a set of foundational guiding principles, rather than being
pre-defined by an external designer or architect. The paper investigates the suitability of typical
development life cycles and architectural challenges in the context of dynamic cyber-physical systems
intending to utilize the power of the Internet of Things, and then goes on to define desired attributes of
such systems, which need to guide suitable core architectural choices. Application of the findings is
exemplified through a case study, followed by synthesis of issues and implications for further research.
Keywords: Internet of Things, Systems of Systems, Self-aware systems, Service Oriented Enterprise
Architectures; Enterprise System Engineering; Self-organization
This paper examines the architectural consequences of the
recently acquired ability to deploy a variety of a very large
number of sensors and actuators on all levels of systems,
and the ability to establish 'grounded connectivity'
(explained below) of systems to their environment. For the
purpose of this paper, the term 'system' will be used to
describe a technical or socio-technical system, or systems-
of-systems (SoS). In this context, an 'enterprise' is an
undertaking embodied in a Socio-technical System of
Systems. The subject of this paper is how to architect the
Enterprise such that the nature of interactions within the
enterprise as a system could be largely self-determined
based on system self-awareness and a set of foundational
guiding principles, rather than being pre-defined by an
external designer or architect.
Architecting systems so that they manifest a high level of
self-awareness, whilst ensuring compliance to
foundational design principles, poses a significant number
of quantitative and qualitative challenges to the Designer.
There are a variety of unique reasons and characteristics of
self-aware systems that invalidate some of the assumptions
that are true in traditional systems architectures and can no
longer be relied-on by associated systems engineering and
enterprise architecture practices.
The system integrity assumption: normally, a system's
architecture establishes a boundary, so that the interaction
between the system and its environment is controlled in
order to ensure system integrity. What is inside this
boundary belongs to the system and is designed by the
system's architect; and what is outside, is interacted with,
but belongs to the environment.
In the case of Sensor-based Networks and emerging
Internet of Things networks (IoT) this defined boundary is
becoming increasingly fluid because at any moment in
time what can / cannot be considered part of the system
might change (due to lost connectivity, malfunction,
overload, maintenance, incomplete configuration, and so
on, or due to the system actively but temporarily co-opting
external services).
Due to the number of sensors, actuators and interactions
many of these dynamic configuration changes must be
fully automated, i.e., Machine to Machine networks
(M2M) may completely remove the human actor from
direct involvement in the required decisions, and as a
result at this level of granularity and aggregation
subsystems need to be self-governing. This requires that
subsystems be allowed to dynamically change their
configurations without the need for human intervention to
fulfil the functional and non-functional requirements of the
System. Clearly, the boundaries of this self-determination
need to be set on the architectural design level, and the
adherence to them be monitored by the system itself (thus
becoming self-aware).
The fluidity of a system’s boundary causes additional
complexity problems for management and control, over
and above the complexity problems inherent in the
organization of the system itself. Consequently, new risks
emerge and a higher level design is needed to address
© Turner, Bernus, Noran 2018
Copyright. Citation Information: Turner, P., Bernus, P., Noran, O. (2018). Enterprise Thinking for
Self-aware Systems. IFAC PapersOnLine 51-11 (2018) 782–789
The practical consequence for managers and architects is
the need to learn new design patterns, organisational
design rules and methods to use them in strategic
transformations, and the management of the systems life
cycle in such transformation needs new insight as well.
Assumptions about the Systems life cycle and its stages: In
contrast to the typically assumed DesignBuildUse
Retire stages of a system's life (called life history stages in
Enterprise Architecture (ISO15704, 2005) and life cycle
stages in Systems Engineering (ISO15288, 2008)), the
types of systems that we today envisage i.e., systems that
exploit the opportunities offered by sensing and acting on
a much more granular level than before are in fact
evolving systems. Such systems change and grow
organically, and the DesignBuildUseRetire sequence
assumption no longer paints a very realistic picture, and
this has consequences for how to manage change,
innovation, portfolios, programmes and projects, and the
associated transformations of the enterprise.
In particular, the Design and Build stage would better be
described as a stage of directed evolution, with part of the
Build activities being performed during the Operation of
the system. Operation involves i) all mission fulfilment
activities of the system (its use’), ii) all management and
control activities of the system (including strategic- &
tactical management, and operational & real time
management these latter two include dynamic self-
In other words, the Operation stage (i.e., the time interval
during which the system operates) also involves
transformational activities / processes, such as minor (or
major) changes to the system itself, and this includes
(re)design, (re)build as well as possible decommissioning
of parts of the system itself.
Following Bertalanffy's General Systems Theory (1968),
such systems are homeostatic open systems (NB
although Bertalanffy limited his discussion to biological
organisms, the analogy stands for organisations as well),
i.e., in spite of being in constant flux (old parts being
expelled and new parts acquired), systems tend to maintain
identity and equilibrium (to be self-perpetuating).
However, on a longer time-scale such a system is also self-
evolving, i.e., it also has the property of a complex
adaptive system (Miller & Page, 2007), which learns, and
to an extent directs its own destiny, orchestrating the
directed evolution of the parts, or of the whole.
(Sometimes such systems may also be autopoietic, i.e.
self-reproducing (Maturana & Varela, 1980)).
One may argue that these are not new properties of
systems, so the problem is old, and therefore perhaps
existing theories of systems design and of management &
control are readily applicable to our cyber-physical
systems. Unfortunately, one must realise that these
properties of enterprises do not become the source of a
substantial challenge unless the rate of change with which
the enterprise must evolve and adapt itself to the
environment reaches a critical threshold; therefore,
solutions to the design as well as management & control
problems do not necessarily exist in current practices.
For example, supply chains have evolved over time, and
traditional management methods (together with solutions
offered by information and communication technology)
have achieved continuous improvement in supply chain
performance. Nevertheless, the development of supply
chains has followed a DesignBuildUse paradigm of
development. This paradigm assumes that there is time to
source information, verify stakeholder requirements,
analyse their concerns, etc. so as to finally come up with a
solution, build it, and utilize it. However, when it comes to
dynamic, on-demand optimization and (re)configuration of
supply chains, the paradigm has limits due to the speed at
which human architects can devise and developers build a
solution. Therefore, we argue that the designbuild (and
release to operation) activities must be automated so as to
achieve the desired level of dynamicity, and must be
performed ‘on the fly’, i.e., during Operations.
A specific problem explored in this paper (as part of the
'architectural challenges section) is the effects of
automation on systemic properties, and what architectural
measures are necessary to achieve and preserve them. This
is a timely question because the rapid development in
automation technology (robotics and various AI
techniques) seems to leave behind the theory needed to
support good architectural decisions that utilize them.
The introduction argued that there is a need for automating
part of the dynamic Design Build activities of the
enterprise. This does not mean that high level automation
is going to do away with the need for architecting; rather,
it is the focus of architecting that will change.
For example, instead of the architect designing a solution
to optimally configure systems into a system of systems,
the architect will need to design a system that has a
dynamic self-configuring function, such that the SoS keeps
dynamically configuring itself (taking into account factors
such as changing optimum criteria on various horizons,
availability of resources, recognition of opportunities and
market trends, and so on).
Automated dynamic configuration / reconfiguration of
systems has existed for a long time, using various AI
techniques, but currently this ability only exists in contexts
with well-defined boundaries: e.g. in a factory workshop
AGVs, robots, and machine tools can create a fit-for-
purpose configuration; in a hospital a team is assembled
for a complex operation, etc.
In a bounded context, the manageability and controllability
of the system may be guaranteed by design. However, if
the context becomes fully open, then significant challenges
appear around the ability to adhere to desired architectural
design principles for generating on-demand service
models. For example, questions arise around long term
survivability, validity, currency of operations, trust,
availability, and so on (further discussed in Section 3).
© Turner, Bernus, Noran 2018
3.1. Minimize or Curb Complexity
The solution must minimize or curb the complexity of the
SoS (including the complexity of the fundamental parts of
the system, and that of the dynamically generated parts).
Ideally, the solution would have a layered architecture,
whereupon the complexity of one layer should not be
visible from the layer above, thereby stopping or reducing
complexity escalation. For our purposes, we say that the
system is complex if it cannot be predicted to always
satisfy its requirements. (Being complex is not to be
confused with being complicated: in a complicated system
the number of elements of the system, and the number of
their connections & interactions may be high, but when
implemented, the system is known to always be able to
satisfy its requirements.)
The architectural complexity-reduction of systems of
systems using so-called ‘Axiomatic Design’ (Kandjani &
Bernus, 2011) has several practical consequences,
including the dismissal of the methodological approach
that first creates a functional specification and only then
maps it to a design solution. Even common iterative
development- and project knowledge management
approaches are unsuitable such as agile development or
DevOps unless they apply the kind of iteration called
‘zig-zagging’ (which method is as a consequence of
axiomatic design). The techniques are easy for design
teams to acquire, although in practice they are often
ignored due to historical rather than technical reasons.
3.2 'Ilities'
The architectural solution suitable as a foundation for
creating cyber-physical systems must display a number of
systemic properties ('ilities'), and the adopted architecture
needs to ensure that these properties hold recursively for
the systems of systems of systems etc..., (where the lowest
level system is no longer a SoS). In this sense the lowest
level systems are 'organisms', and all other systems above
are 'organizations'.
This requirement originates from the fact that in a SoS the
design authority or architect of lower level systems is
normally independent of the design authority / architect of
the SoS. Thus, the services of the envisaged cyber physical
systems are to be composed (on a particular SoS level) out
of services provided by systems that were independently
designed. Therefore, we need extra measures to ensure that
service availability, trustability, accountability,
security, scalability, manageability, longevity,
maintainability, reliability, and quality on the SoS level
are achieved and maintained (just to name a few important
examples), and to keep complexity at a manageable level,
this must preferably be achieved 'by design'.
For example, a major challenge is innovation based on the
combination of services upon services exploiting core IoT
products & services. We k now t ha t often a simple
combination of services that are 'out there' may create an
initially successful and innovative service offering, but
ensuring the above systemic properties this can become
problematic, as business architects must need guidance
how to address the design of complex service systems in a
situation where they have limited control over underlying
3rd party services (Rabelo, Noran & Bernus, 2015).
The problem is also relevant for providers of the
underlying core services (e.g., IoT infrastructure services),
because their success depends on the end users' ability to
successfully use the infrastructure service over a long
period of time. Given that infrastructure providers are few
and end users are many, it is in the provider's interest to
pro-actively develop architectural guidelines of use to help
successful service composition and to establish an
ecosystem that nurtures service innovation (Rabelo,
Bernus & Romero, 2015).
3.3 Viability and Self-awareness
A fu ndamenta l 'ility' that needs to be singled out in this
context is viability, which is the property of the system to
self-preserve and remain in homeostasis, but at the same
time co-evolve with its environment (Kandjani et al, 2014).
According to Viable Systems Theory (VSM) (Beer, 1972;
Hoverstadt, 2008) a viable system should be composed
from viable systems. This property is essential for the long
term survival and success of any larger system (such as an
ecosystem, or a network of companies), and even for
virtual ‘service entities created using the pool of
competencies of contributors where the horizons of
management & control functions of these entities must
match the horizons of their expected lifetime.
By investigating the management and control functions of
viable systems (See Fig.1.), and the above considerations,
it follows that the SoS in question needs to maintain self-
awareness on each level of aggregation. Self-awareness is
defined here as the ability of the system to perceive itself
in its environment, distinguishing the self from the
environment and identifying the (dynamic / changing)
relationships between the self and the environment, as well
as with the constituents of the environment, including
other systems. The authors prefer to extend this definition
with the ability of controlled self-determination and
negotiation, i.e., the ability to decide a course of action
compatible with internalized principles and with agreed-on
'social contracts' between the SoS and other systems.
Our system of interest (the SoS) has functions to provide
services or to produce goods, but also must have functions
to monitor the ability of the system to perform the function
now and in the future (such as through monitoring the
performance of the self and monitoring the environment).
This is not usually the case with lower level granularity
systems, and can cause unpredictability and brittleness on
the SoS level.
Details of the requisite functions of self-awareness
relevant for the problem at hand will be discussed in
Section 4, but clearly, self-awareness & viability are
© Turner, Bernus, Noran 2018
necessary to ensure system homeostasis (maintaining all
necessary 'ilities' discussed above), but when deemed
necessary then self-evolve. When the SoS is a company for
example, this self-awareness can be achieved by the
human actors (of management & control) on each level of
aggregation. With cyber-physical systems we must
consider how to achieve self-awareness of these systems
relying on little or no human participation.
The proposal here is that the SoS in question, on any level
of aggregation, is best thought of as a hybrid (human-
machine) system, as opposed to the traditional systems
engineering view that divides the human and the machine
early in the design, separately considering the organization
of the system (which is automated) and the organization of
humans (who are the users). The authors see no a-priory
reason to separate human and artificial agents from the
outset; in fact, this can cause significant challenges (e.g. if
some agent functions cannot be automated then the
architectural solution breaks down).
The advantage of this approach is twofold: a) we are not
constrained by design to only implementing management
functions that can be automated at any one time, and b) we
do not separate the system along a boundary between two
parts with substantial coupling (human-to-machine).
The reader may remark that this approach is tantamount to
architecting the cyber physical system as a multi-agent
system. However, while the multi-agent systems
community has been concentrating on fully automated
individual- and cooperative agents, such as robot swarms,
this approach chooses to not constrain these agents a
priory to full automation, because that would be a pre-
conceived implementation decision. The removal of this
constraint allows for an independent evolution of agents
that changes the level of automation in time but still
preserves an architectural identity (style), and with that,
longevity. Thus, by default the system always has a
complete scope and all necessary levels of management
and control, but as the system evolves, the level of
automation changes (while preserving system identity).
Figure 1. Recursive Management & Control functions of a viable
system (a unified structure based on Beer’s VSM (1975) and
GRAI Grid (Doumeingts et al, 1980))
Self-awareness on the real time and operational level: On
the real time level, it is necessary to (for example) identify
faults (of the self, or of external services), identify cyber-
attacks, or any other situation that demands action that
flows as fast as the events of the process dictate, i.e., in a
synchronous manner. This needs the constant evaluation of
data streams and the interpretation of these to create timely
situation awareness. Sensor networks and actuators create
an opportunity to provide the necessary data to support this
function, although this ability may also enable new forms
of cyber-attacks that create fake data, or in a home
automation/security application situation misidentification
may result in the system attacking itself or the owner/s.
Due to human limits to act fast enough, self-aware
behaviour on the real tim e- and operational levels must be
completely or highly automatedwhich is a distinguishing
trait of cyber-physical systems.
For example, it is of critical concern that even at the
operational (executable code) level some level of situation
awareness (as an internal control) is still required. If not
present, an ‘atomic service is open to compromise and
may be executed in an improper fashion by an illegitimate
3rd party. Current systems do not have this ability,
therefore cyber attacks that enter on a very low level may
remain unnoticed. Building situational awareness (and the
ability to respond to known and unknown situations based
on available and newly arriving data in real time) is a
candidate for handling constantly emerging Cyber Threats.
Self-awareness on the tactical level: This level deals with
identifying trends (in production, product, market,
competition, resources, etc.), monitoring system health,
pro-actively scheduling targeted activities, optimizing
plans and schedules, scheduling maintenance, optimizing
resources and switching resources / services if needed.
Data streams from sensor networks may support better
decision making, but a correctly implemented situation
identification should also pinpoint any additional data-
needs required for situation disambiguation.
Given the time horizon of tactical management, there is
the option to choose a desired level of automation, and
decide to automate some functions but not others, in order
to satisfy some criterion other than functionality, such as
investment efficiency / ROI. Nevertheless, considering the
larger size of the decision space of cyber-physical systems,
a higher than usual level of automation will likely be
needed. For example, previously the rapid reconfiguration
of a supply chain for a size-one-lot was outside the
capability of supply chain management. However, with
high automation level, and visualization for human
decision making such optimizations will be in reach.
Self-awareness on the strategic level: This level is
observing internal trends vs. external trends (Kandjani et
al, 2011), identifying strategically relevant situations (and,
similar to the tactical level, identifying additional data-
needs necessary for situation disambiguation). This level is
planning strategic action with respect to the goals of the
self, or modifies the goals themselves.
© Turner, Bernus, Noran 2018
Essentially, on a high level of aggregation (company and
above) this function is traditional strategic management
(albeit with better decision support). The function manages
the system’s identity and mission, its role in the ecosystem,
relationships to internal/external stakeholders, etc.
On a medium level of aggregation, this function may
monitor the health of an alliance vs. future needs and act
before the alliance or the satisfaction of contractual
obligations noticeably deteriorate.
On low levels of aggregation this management & control
function might be absent.
Situation awareness on all levels A recurring theme on all
levels discussed above is situation awareness (coupled
with fast decision making ability) for effective and
efficient action. The conditions of this to materialize are
facilitated by the technological affordances of cyber
physical systems (large number of intelligent sensors),
machine learning / pattern recognition algorithms, and
various data analytics techniques. However, highly
automated situation awareness and supporting decision
making requires a new form of intelligence: situated
reasoning (Devlin, 1995; Goranson & Cardier, 2013), in
order to create a fast and continuous narrative of the facts
uncovered by the variety of data sources.
This is a missing technology element (as of today), with
only experimental implementations in existence and
substantial research and development (R&D) implications.
Situated reasoning and context level data analysis should
go hand in hand: the analytics of large amounts of data can
facilitate correct situation identification, but situated
reasoning can identify the need for data that are not
available at present, but could be used for situation
disambiguation before a correct decision can be taken
(Bernus & Noran, 2017).
3.5 Recursive architecture
The rules of combination apply recursively, i.e., creating
viable self-aware systems out of viable self-aware systems
requires that each system's management (on every level)
must have certain minimal functionality. This requirement
is already evident in companies (where the company is an
organization that consists of divisions (down to
departments and groups etc.), all of which are themselves
organizations. However, the rule does not stop at the
company boundary: exactly the same rules apply to
networks of companies, alliances, and various forms of
virtual organizations in the supply chain.
The ability to create a virtual service of manufacturing
enterprise (and its embodiment as a virtual organization)
has been on the agenda of industries for at least two
decades (Goranson, 1999; Camarinha-Matos &
Afsarmanesh, 2003). However, practical applications
(Bernus, Noran & Riedlinger, 2002; Bernus, Molina &
Noran, 2015; Vesterager et al, 2001; Pereda & Molina,
2013; Molina, Velandia & Galeano, 2007; Rabelo,
Camarinha-Matos & Vallejos, 2001) remained on the level
of the Design–Build–Use (operate) paradigm, rather than
on demand dynamic architecture. This seems to be caused
by 1) the low level of automation of self-configuration on
the enterprise level, 2) unsatisfactory amount of decision-
support information, and 3) trust issues.
This is not to say that all companies or networks etc. do
abide by this recursive management rule, and therefore
those organizations may be viable on the level of the
whole, but without their constituents being viable systems
themselves. Relaxing the viability criterion (relative to the
ideal case) increases the complexity of the SoS's
management and control, because higher levels must take
over part of the management of the contributing lower
levels. With the expected explosion in the number of
system constituents (due to the IoT) this may no longer be
acceptable as management and control models can hit a
complexity barrier. Thus, the sub-optimal but tolerable
compromise in traditional systems may no longer be
acceptable in the new dynamics of cyber physical systems.
3.6 Reference Models, Guidelines, Techniques and
It is not enough to develop a generic reference model that
guides the choices for the dynamic architecture of future
cyber physical enterprises. It is also necessary to develop
methodological guidelines and techniques that inform the
architecting processes (some of which are to be
automated). It is fair to expect that traditional enterprise
architecting and systems engineering methods need either
extensions or specific practically usable guidelines &
techniques to address the above-discussed challenges.
One particular reference model that gained currency is the
three-level preparedness-building paradigm (Afsarmanesh
& Camarinha-Matos, 2005): Level 1 comprises a Virtual
Enterprise Breeding Environment (VBE), which is the
Ecosystem of players of an industry either locally or
globally. Level 2 is populated with Enterprise Networks
(ENs), which are a formal structure (originated from the
Ecosystem), comprised of Ecosystem players that qualify
to become members and subscribe to a set of shared rules
& reference models (e.g. for interoperability), shared work
practices & tools including rules for service composition
and management. Level 3 contains Virtual En terpr ises
(VEs) / Virtual Organizations (VOs) created by the
Network in the form of temporary alliances to respond to
some service need or opportunity.
In practice this has been implemented before, but only for
individual service types, not individual service instances;
with the ability of dynamic configuration the envisaged
highly automated cyber physical systems could step over
this barrier (within the framework of the above paradigm).
4.1. The Telstra IoT Platform
At this point, one may ask: how do the discussed core
Design Principles align with the realities of emerging
machine-to-machine (M2M) IoT networks? What is the
relationship between the expressed design principles and
© Turner, Bernus, Noran 2018
the currently available or emerging IoT infrastructure
To atte mpt t o a nsw er su ch questi ons, th is sectio n b rie fly
discusses a case study specific to the Australian context,
namely the Telstra IoT network launched in July 2017
(Telstra, 2017), in fact the first commercial IoT PaaS. The
discussion is based on Tel st ra ’s Wireless Application
Development Guidelines, IoT Platform Technical User
Guide, and IoT Platform and Solutions Data Sheet (Telstra,
2014; 2016; 2017).
Figure 2. Telstr a IoT offering (components) and their possible
use by businesses (Source,1 used with permission)
New customers signing up for the Telstra branded IoT
solution are buying pre-designed products and services
bundled for use across the 4G mobile and wireless
network, as a secure public Cloud infrastructure
partitioned logically (built on top of Telstra’s physical
Cloud Data Storage service).
IoT customers are offered a Cloud based Dashboard
(CRM- like UI) to monitor run-time data streaming from
each of their configured Devices on the IoT network as
well as some remote site control for these devices from the
Dashboard console accessible via Phone, Tablet or Laptop.
Tel stra provides design recommendations for applications
development based on the IoT network (Telstra, 2014), a
list of best practices for optimizing performance / resource
usage (for example how to optimize data transfer, reduce
unnecessary signalling, achieve resilience when network
conditions change, etc.).
Apart from needing to operate on the existing Telstra
mobile (wireless) network and spectrum and adhering to
these high level technical recommendations, and utilising
approved Telstra network routers and IoT end point
devices there are effectively no other constraints on the use
of the IoT network to deliver or receive services.
The IoT network itself does not impose additional security
or encryption standards it is relying on native Device or
Application level security constraints to enforce data and
customer privacy standards. Also, while the Telstra IoT is
an open mobile / wireless network relying on 3rd party
providers and products to enforce security, users may
choose to configure a virtual private network (VPN) that
imposes Enterprise level security across all elements of the
System (Telstra, 2015; Telst ra, 2014.p57).
An important functionality required from all IoT devices
approved for use is the ability to remotely update device
firmware (‘firmware over the air’ (Gascón et al, 2011)).
4.2. Analysis of the IoT Platform what it is and is not?
The IoT platform as a service briefly described in 4.1
provides an infrastructure and environment, based on
which end users can develop innovative solutions /
services, using the ability to connect to a wide range of
devices deployed in the field. The design principles
discussed in Section 3 only have limited applicability
regarding the platform itself, but as discussed in 4.3 will
be very important for systems built on top of such a
platform. (Nevertheless, some of the design principles still
apply to the IoT platform itself.)
(1) Self-awareness. There is no evidence of in-built self-
awareness in the IoT network or approved products. The
devices that meet required standards to operate in the
mobile/wireless network are commercial products using
protocols for interoperability, and these do not support the
functionality required for self-awareness. The consequence
is that self-organization of sensors and actuators is not yet
possible, effecting overall availability and integrity of a
sensor network (see ‘ilities’ below).
(2) Ilities’. Due to space limitations, Availability &
Reliability are singled out here as examples, although
other ilities would have similar status in terms of
architectural treatment. The IoT network operator
(Designer) cannot take full responsibility for end-user
performance measures (even though built-in functionality
exists to optimize the network’s performance). However, if
the network was considered a SoS, then dynamic
reco nfiguration (allocation of functions to physical devices
/ processors etc.) could help further optimize network
performance under less than ideal circumstances (such as
connectivity loss, node failure, etc.).
Another crucial ‘ility is Trustability. It is not entirely clear
what is the trust-status of co-operating devices across the
IoT network, or what are their limits of ‘fair use’ (e.g.,
what differentiates a large scale legitimate business use
from a denial of service attack). Co-users of the IoT
network (even if on separate VPNs) are in competition for
resources (bandwidth, support and latency), especially in
areas of congestion and cross-network dependencies that
are outside their control. The current support arrangements
and commercial contracts on offer do not discuss the
likelihood of cross network impacts of one service upon
© Turner, Bernus, Noran 2018
another, or sharing services across various eco-systems
(sub-networks) that may arise across the IoT network.
(3) Viability. End-users have fundamental interest in being
able to rely on the IoT platform’s longevity to protect
investment and be able to plan to evolve the capabilities
built in this way. For example, for a system built on the
IoT platform to have long term viability (the ability to
sustain itself and evolve as necessary on a longer time
horizon) could be addressed in the future by architectural
patterns that allow aggregating services into hybrid
(human-machine) systems, thereby allowing the level of
automation to change as needs and technologies develop,
without fundamental architectural change being necessary.
The question is ultimately also connected to complexity
reduction (using the already mentioned techniques of
axiomatic design (Suh, 2005; Kandjani & Bernus, 2011),
which is essentially a technique to eliminate all
unnecessary dependencies form a system of systems).
Thus end users are well-advised to use the respective
techniques to protect themselves from changes in the
underlying infrastructure. Paradoxically, if the IoT
Network actively supports openness and the ability to
migrate to other platforms, this may increase end-user trust
and become an attractive feature of the IoT platform.
(4) Recursive architecture. The IoT platform provider is
not responsible for the architectural decisions made by end
users, who may build services on top of which other end
users build other services, and so on. However, the above-
mentioned architectural patterns and reference models for
all end users, if applied on all levels of aggregation could
help end users build higher level SoS that bear the
characteristics of the underlying services (and vice versa).
The preliminary investigation of the emergent IoT
networks in Australia reveals significant issues and
implications to be explored as part of future research, e.g.:
How awareone wants the System-of-systems to
be? Does self-awareness imply complete independence
and autonomous decision-making? Can an intelligent
House make its own decisions, re-calibrate its service
levels and operations? Within what boundaries and
broader ecosystem and Owner imposed constraints
must this self-awareness and independence operate?
Owner vs Eco-Systema self-aware House will have
immediate conflicts of Authority and Control
impacting its day to day operations. Who has ultimate
authority over the self-aware House? Is there a set of
broader Meta Ecosystem requirements that all sub-
systems must comply with (e.g., Public Safety, Law
and Order, Power Outages Disaster and Emergency
Relief)?) When can the role of the Owner and Control
of the Dwelling be over-ridden by a higher Authority?
Integration of Control It is clear that emerging IoT
networks do not yet have integrated Control Systems
that allow for plug and play” of any 3rd party
components within the Master Control of the self-
aware System itself (e.g., the Intelligent House (Swetha
et al, 2017)). Whilst M2M Networks allow for open
communications among devices and components, and
remote control / management of these devices via
console and dashboard UIs, this is not the same as
having a commonly understood master controller
environment with shared business logic and processes.
What are the Social and Cognitive conditions
(perhaps answered by Psychology, Behavioural
Science, and Economics) that enable Human Actors /
Agents to adapt to or be comfortable with such
integration over which they have very limited control?
Figure 3. A citizen trans iti oni ng a cros s mu ltip le S ervice Systems
of Systems
Seamless transition between multiple self-aware
Systems maintaining state across multiple private
and public cloud networks: effectively the human and
multiple mobile devices will be moving through a
range of self-aware and intelligent environments,
vehicles, systems and eco-systems; their safe and
effective passage and harmonious interactions will be
dependent upon the safe and secure communication of
key data including identity, personal preferences,
security settings and master profiles. For example,
Figure 3 shows a citizen traversing the landscape of
multiple independent service systems of systems (that
may or may not have been implemented on top of the
same IoT platform)
‘Do No Harm’ - If agreed Principles and Standards
around data sharing, retention and privacy have not
been agreed to or enforced then how can more evolved
Principles and Standards such as Do No Harm be
agreed and enforced? The current answer is that they
cannot and this question is still open even in terms of
who is responsible for defining these.
On the basis of some of the key issues outlined above, the
authors believe that there is an urgent need for a coherent
set of Patterns, Methods and Principles that architects of
cyber physical systems can use to secure all desired
systemic properties of these open and evolving systems.
Additionally, Methods and Technologies need to be
developed that would be applicable on all levels of System
Composition to implement highly automated situational
awareness (Goranson & Cardier, 2013; Bernus et al, 2016;
© Turner, Bernus, Noran 2018
Bernus & Noran, 2017). This Technology is emergent: it
does exist but requires further research and development.
Another open question is whether there exist inherent risks
of cyber-physical systems becoming fully self-aware at all
levels. Whilst the authors have not yet identified any
emerging IoT or M2M networks that operate at this level,
it is predictable that this level of self-awareness will be
reached at some point in time.
The authors propose to give self-awareness to the System
for a range of reasons including viability to ensure the
System’s long term survivability (including its resources
and components), the endurance of its underlying
commitments, the goals of the system, as well as all the
other ilities. These are all highly desirable but bring with
them the ability to be compromised in new ways:
The System loses Trust in the Owner,
The System loses Trust in itself,
The System begins enacting or formulating Rules or
Behaviours not foreseen by the original Designers or
resulting in unintended Outcomes not predicted in the
original Design.
Management and business owners need to be familiar with
the architectural patterns, reference models, methods and
techniques that relate to cyber-physical systems, because
creating dynamic configuration capability that goes
beyond the current bounded level creates optimization
opportunities and new innovation for business.
Opportunities include more dynamic supply chain, less
waste, ability to serve a market that was previously not
reachable, etc. However, existing methods of designing
and building systems need to be adjusted for the successful
application of the new enabling technologies (the IoT,
Sensor Networks, various AI techniques, etc.).
The authors would like to acknowledge the research grant
(Strategic Advancement of Methodologies and Models for
Enterprise Architecture) provided by Architecture Services
Pty Ltd (ASPL Australia) in supporting this work
Afsarmanesh, H., Camarinha-Matos, L.M. (2005). A framework for
management of Virtual Organization Breeding Environments. IFIP
IACT 186. Springer
Beer, S. (1972). Brain of the Firm. London : Penguin.
Bernus, P., Goranson, T., Gotze, J., Jensen-Waud, A., Kandjani, H.,
Molina, A., Rabelo, R.J., Romero, D., Saha, P., Turner, P. (2016)
Enterprise engineering and management at the crossroads. Computers
in Industry. 79 (2016):87-102.
Bernus, P., Noran, O. (2017). Data Rich But Information Poor. In
L.Camarinha-Matos, H.Afsarmanesh and R.Fornasiero (Eds.)
Collaboration in a Data Rich World. IFIP AICT 506. Springer. 206-
Bernus, P., Noran, O., Riedlinger, J. (2002) Using the Globemen
Reference Model for Virtual Enterprise Design in After Sales Service
. In I.Karvoinen et al (Eds). Global Engineering and Manufacturing in
Enterprise Networks (Globemen), VTT Symposium Series 224.
Helsinki : VTT. pp 71-90.
Camarinha-Matos, L.M., Afsarmanesh, H. (2003). Elements of a base
VE infrastructure. Computers in Industry 51 (2):139-163
Devlin, K.J. (1995) Logic and Information. Cambridge U Press.
Gascón, D, Bielsa, A., Genicio, F., Yarza, M. (2011). Over the Air
Programming with 802.15.4 and ZigBee - OTA. Libelium.
programming_OTA_802.15.4_ZigBee/ (Retrieved Oct 2017)
Goranson, H.T. (1999) The Agile Virtual Enterprise: Cases, Metrics,
Tools. Westport, CT : Quorum Boks.
Goranson, H.T., Cardier, B. (2013) A two-sorted logic for structurally
modelling systems. Progress in Biophysics and Molecular Biology.
Hoverstadt, P. (2008). The Fractal Organization: Creating sustainable
organizations with the Viable System Model. Hoboken : Wiley.
Intel (2007) Intel Active Management Technology System Defense and
Agent Presence Overview. Intel Corporation.
ISO 15288 (2008). Systems and software engineering System life cycle
ISO 15704 (2000;2005). Industrial automation systems Requirements
for enterprise-reference architectures and methodologies; (Amd1
Kandjani, H., Bernus, P. (2011). Engineering Self-Designing Enterprises
as Complex Systems Using Axiomatic Design Theory. IFAC Papers
On Line. Elsevier. pp11943-11948.
Kandjani, H., Tavana, M., Bernus, P., Nielsen, S. (2014). Co-Evolution
Path Model (CePM): Sustaining Enterprises as Complex Systems on
the Edge of Chaos. Cybernetics and Systems: An International
Journal. 45(7):547567
Maturana, H.R., Varela, F.J. (1980). Autopoiesis and Cognition: the
Realization of the Living. Reidel.
Miller, J.H., Page, S.A. (2007). Complex adaptive systems: an
introduction to computational models of social life. Princeton, NJ
:Princeton University Press.
Molina, A., Velandia, M., Galeano, N. (2007). Virtual Enterprise
Brokerage: A Structure Driven Strategy to Achieve Build to Order
Supply Chains. International Journal of Production Research. 45(7):
Pereda, F.J., Molina, A. (2013). Model driven architecture for
engineering design and manufacturing. IFAC-Papers Online, Vol.6.
Part 1. pp400 407.
Rabelo R.J., Camarinha-Matos L.M., Vallejos R.V. (2001). Agent-based
brokerage for virtual enterprise creation in the moulds industry. IFIP
AICT 56:281-290.
Rabelo, R.J., Bernus, P., Romero, D. (2015) Innovation Ecosystems: A
Collaborative Networks Perspective. in Luis M. Camarinha-Matos,
Frederick Benaben, Willy Picard (Eds) Risks and Resilience of
Collaborative Networks. IFIP AICT 463:323-336
Rabelo, R.J., Noran, O., Bernus, P. (2015) Towards the Next Generation
Service Oriented Enterprise Architecture. In Sylvain Halle and
Wolfgang Mayer (Eds) Proc. IEEE 19th EDOCW. IEEE Xplore: 91-
Suh, N. (2005). Complexity: Theory and Applications. Oxford U Press.
Swetha, S. Suprajah, S. Vaishnavi Kanna, S. Dhanalakshmi, R. (2017).
An Intelligent Monitor System for Home Appliances Using IoT. Int
Conf Technical Advancements in Computers and Communications
(ICTACC’17). IEEEXplore. 106-108.
Telstra (2014). Telstra Wireless Application Development Guidelines.
V7.1 #AOF-4270 , Telstra Corporation.
Telstra (2015). M2M VPN Solution Service #.DS012 JUN2015. Telstra
Telstra (2016). Telstra IoT Platform for Connected Device Management
and Application Development IoT Platform Technical User Guide
V.1.0# G190 OCT16. Telstra Co.
Telstra (2017). Telstra’s IoT Platform and Solutions Data Sheet
#DS165JUL17, Telstra Corporation.
Vesterager, J., Bernus, P., Pedersen, J. D., Tølle, M. (2001) The what and
why of a Virtual Enterprise Reference Architecture. in E-work and E-
commerce. Novel solutions and practices for a global networked
economy. IOS Press. pp846852.
Von Bertalanffy, L. 1968. General System theory: Foundations,
Development, Applications. New York: George Braziller.
© Turner, Bernus, Noran 2018
Bringing Enterprise Architecture in the Board Room...
The Operator 4.0 is a smart and skilled operator who performs not only - ‘cooperative work’ with robots - but also - ‘work aided’ by machines as and if needed - by means of human cyber-physical sys…" [more]
Conference Paper
Full-text available
August 2018
    The need for business agility in order to cope with the increasing rate of changes brought by disruptive technologies and paradigms is more stringent than ever; unfortunately however, it also encounters many hurdles. To start with, typical strategic transformation planning featuring successive specify-design-implement phases is no longer suitable, as the resulting sequentially staged processes... [Show full abstract]
    Conference Paper
    Full-text available
    August 2017
      The article describes the missing link between the information type and quality required by the process of decision making and the knowledge provided using the recent developments of ‘big data’ technologies, with emphasis on management and control in systems of systems and collaborative networks. Using known theories of decision making, the article exposes a gap in present technology arising... [Show full abstract]
      Conference Paper
      Full-text available
      August 2018
        Technical advances in Information and Communication Technology have enabled the collection and storage of large amounts of data, rising hopes of digitalising and thus potentially improving decision making and related support systems. Unfortunately however, the pre-existing gap between required decision making knowledge and the useful information provided by current technologies appears to... [Show full abstract]
        Conference Paper
        Full-text available
          In today’s dynamic and volatile global environment, established legacy concepts such as Virtual Organisations (VOs) need to be evolved to enhance their agility in order to promptly adapt to changes. This paper proposes the use of the Sensing Enterprise concept and properties, supported by the paradigms of the Internet of Things, Cyber-Physical Systems and Future Internet Enterprise Systems, as... [Show full abstract]
          Discover more