
How can we ensure product safety in a world of products with ever increasing complexity? This question arises when designing lightweight structures and sustainable systems. The question also comes up when implementing methods and technologies for controlled production quality. Mastering uncertainty is central to all these topics and requires contributions from engineering, mathematics and law. This book provides answers on how to master uncertainty in the life cycle of products from the design phase via the production phase to the usage phase. These answers are consolidated in strategies to master the uncertainty of a possible product usage, even if partly unknown at the beginning of a new engineering design.

Invitation to visit the building devoted to mastering uncertainty

We do not intend to present a definition, a method, or a technology for its own sake. On the contrary, the building presented here, consisting of the fundamental floor, the middle floor and the top floor, is meant to inspire visitors in mastering uncertainty in their specific tasks. The craftsmen who built this house come from the fields of engineering, mathematics and law. Together they have pursued the goal of further developing systematic engineering design. To master uncertainty, we always focus on the function and quality of the product or system, i.e. its essence from the application perspective.

On the fundamental floor we submit data, models and structures. Here we lay the conceptual basis and define consistent uncertainty classes. On the middle floor we introduce methods and technologies to identify, evaluate and counteract uncertainty. On the top floor we introduce the strategies (i) robustness, (ii) flexibility, (iii) resilience. All three strategies contribute to mastering uncertainty.

In order not to develop a method for its own sake, we have tested all tools, i.e. definitions, technologies and strategies on the three technical systems that we have developed, manufactured and used over the last twelve years. The systems are active and semi-active systems. So, flexibility is achieved by the smart systems Active Air Spring and 3D Servo Press. All research and its presentation focus on a load-bearing example system, which is a lightweight structure. We invite you as our readers to be guests in our house and hope that you will profit from your visit.

The chapter’s structure

Section 1.1 outlines the motivation and Sect. 1.2 the concept of holistic control of uncertainty over the product life phases. In Sect. 1.3, the focus is on the source and quality of models. Section 1.4 provides reflections on the sources and quality of data. Section 1.5 deals with the structures composed out of components. In Sect. 1.7, a broad motivation for mastering uncertainty is presented. The chapter closes with an overview of the book’s chapters and the three demonstrator systems designed, manufactured and tested at the Technische Universität (TU) Darmstadt during the last twelve years.

1.1 Motivation

Back in the year 2008, an interdisciplinary group of about ten researchers designed a research program on the topic of this book: Mastering Uncertainty in Design, Production and Usage of Load-Bearing Structures in Mechanical Engineering. This led to the Sonderforschungsbereich 805 (SFB, Collaborative Research Centre), which was funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) in three phases of four years each, from 2008 to 2021. About 60 doctoral students have completed their research work during this time. The researchers, all members of the TU Darmstadt, have come from fields as diverse as production engineering, structural mechanics, fluid power, applied mathematics including nonlinear and discrete optimisation, statistics, and law. The research topic as such is truly interdisciplinary, which is also reflected in the topics of this book.

From society's point of view, the topic is motivated by an increasing number of product recalls in the automotive industry. In the era from 1990 to 1995, the number of vehicles recalled annually in the US market rose from 5 million to 20 million. In the year 2014, 64 million vehicles were recalled, compared with 17 million vehicles sold, see Fig. 1.1. Hence, for every vehicle that entered the US market in 2014, four vehicles were recalled for lack of safety [10, 28]. In the same year, 1.5 million vehicles were recalled and 3 million vehicles sold within Germany [41, 46].

Fig. 1.1 Vehicle recalls in the US (left) and Germany (right) in 2014 [28]

Recalls are made on the basis of the Product Safety Act [7]: a recall is required if the product causes a sudden and for the user unforeseen serious danger. The decision is based on the likelihood of failure during the product’s lifetime combined with the severity of possible personal injury [11]. In 2014, the recall of vehicles on the German market was in 70% of the cases due to mechanical safety problems and in 20% due to faults in the mechatronic system, including servo-hydraulics [46].

Product safety is equally a strong motivation for mastering uncertainty in the capital goods industry, in mechanical and plant engineering, and in the aerospace industry. Mainly the following three reasons led to the recalls mentioned:

  (i) A conflict of objectives between effort and availability, while, at the same time, the future product usage is still uncertain, i.e. the design target is moving.

  (ii) Increased demands on cross-company quality assurance due to the shift in value creation to globally developing and producing suppliers with the difficulties of communication and interfaces.

  (iii) Increased development speed as a result of global competition.

As a reaction to the increasing speed of development, systems are more and more being developed virtually. This increases the demands on mastering the uncertainty in the models during the product life cycle. All of the above-mentioned points form the current boundary conditions under which safety-relevant load-bearing structures—whether passive, semi-active or active—are developed, produced and used today. At the same time, the importance of product safety law is growing. It is to be expected that complexity will increase even further, as self-adaptive systems gain in importance in the future.

After one decade of research within the SFB 805, the Boeing 737 MAX accident shows that today the mastering of uncertainty in all product life phases is more relevant than ever: on 29 October 2018, a Boeing 737 MAX airliner crashed because of a newly introduced pitch control system. In retrospect, the crash had five causes: firstly, insufficient testing of the newly introduced autonomous pitch control system; secondly, insufficient training of the pilots; thirdly, sensor failure; fourthly, the override control of the pilots by the software; fifthly, the lack of visual feedback to the pilots [40]. The crash of the Boeing 737 MAX in its consequence is an extreme but at the same time typical example of unmastered uncertainty.

Hence, there is a growing need to master uncertainty in all phases of the product life cycle by

  (i) laying a solid foundation of classification, definitions and metrics of uncertainty;

  (ii) assessing and developing methods and technologies for quantifying, evaluating and mastering uncertainty;

  (iii) developing and validating strategies to master uncertainty.

The three points form the blueprint of our specific approach on mastering uncertainty. They are addressed in detail in Chap. 3.

1.2 Holistic Control of Uncertainty over the Phases of the Product Life Cycle

Figure 1.2 shows the broken out bushing in the bicycle of the author of this chapter. The failure occurred during a downhill run in the Odenwald. Due to the failure, the wheel guiding and wheel damping functions were completely lost, the wheel being blocked. The rider remained unharmed. The bicycle’s usage can be described by factors, such as geography, speed, damper setting, rider’s weight, maintenance condition and others.

Fig. 1.2 Broken bushing support of the author’s mountain bike. The failure occurred during a downhill run in the Odenwald

But not only the usage has to be evaluated: in order to avoid such a failure, the uncertainty over all phases of the product life cycle including product design must be viewed holistically. The failure of the load-bearing structure can have its causes in unmastered uncertainty in one, two or all three phases (A) product design, (B) production or (C) usage, cf. Fig. 1.3. Within this book, we exclude the phases resources and reuse. We are aware that sourcing and recycling are important topics but they are not what we want to focus on.

Fig. 1.3 (A) product or system design, (B) production, (C) usage; all phases are interconnected by the flow of physical goods and data, information and money

The phases of the product life cycle are, on the one hand, interconnected by the flow of material or physical products. On the other hand, the phases are interconnected by the flow of data, as well as information including the flow of costs and profits [21]. Although the separation of the product life cycle including product design in phases is common [8, 29, 42], methods and strategies for the holistic, cross-phase mastering of uncertainty have not yet been developed and validated. The following hypothesis can therefore be formulated:

Uncertainty can be mastered, if uncertainty is described, quantified and evaluated in all phases of the product life cycle; further, if it is reacted to and learnt from experience, and if follow-up processes are anticipated.

A process is seen here in a general sense. It may be a production process with an input and output of a physical material flow. It may also be the usage of a component of a load-bearing structure, such as a suspension strut, or a system being composed of many such components.

Following the chain from sourcing to production, to usage and reuse, it is evident that the uncertainty of a specific product property propagates downstream. If this process is unmastered, uncertainty can accumulate from process step to process step. The task is to master a possible accumulation of uncertainty or even reduce the uncertainty along the process chain. Therefore, the product stress and strength or changes in load and system degradation should be quantified and evaluated in the usage phase, and fed back to the design and production phase. This is the outer closed control loop of mastering uncertainty. For subordinate control loops and complete transparency, the uncertainty should be described, quantified and evaluated after each process step in all phases. The feedback loops are ideally closed across all phases, as sketched in Fig. 1.3.

Classic approach to master uncertainty by safety factors

Trained engineers are used to safety factors. A safety factor serves to absorb all uncertainties of the design, production and usage phase. For example, a lack of knowledge about the product usage typically leads to oversized systems. This is understandable, since the function of the product is of primary importance for its use. How the “quality” of this function is fulfilled ranks second. Oversizing may not necessarily be a shortcoming for the customer. However, it leads to the fact that design, production and usage are not sustainable. That this is quite serious can be seen from a simple number. In order to operate fluid systems in Europe in the year 2014, the estimated energy amount of 900 TWh was required [32].

The spatial separation of “generation” and use of (electrical) energy was pushed forward in the 19th century by Werner von Siemens. We will concentrate here only on the consumption side: the electrical energy that drives the fluid systems in use is provided by the output of about 100 large thermal power plants. It is estimated that 40 power plants alone could be saved by sustainable planning and operation of the fluid systems [32]. The driven machines on the consumption side serve the functions of cooling, heating, ventilation, transport, mixing, dosing as well as the power transmission from and through liquids and gases. The example drastically illustrates the effect of oversizing. In the Anthropocene, saving energy in the use of energy consuming systems should be our priority. The good news is that sustainable systems design is promoted by the methods presented in this book, among others.

Fig. 1.4 Generic probability density function of properties \(\theta \) of production \(p(\theta _\mathrm {P})\) of the strength \(\theta _\mathrm {P}\) and usage \(p(\theta _\mathrm {U})\) of the stress \(\theta _\mathrm {U}\) with mastered uncertainty in (a) design (A) and production (B) and (b) usage (C) [15]

Accounting for uncertainty by safety factors is illustrated in Fig. 1.4. If we think of a load-bearing system, the function is described by a load history resulting in the system’s stress. Here, the stress of the system shall be smaller than the strength of the system; otherwise there would be a failure. This happened to the Tay Rail Bridge on the night of 28 December 1879 in a strong winter storm, only 19 months after its opening. Theodor Fontane then wrote his ballad ‘The Bridge by the Tay’ with the line “A bauble, a nought, what the hand of man hath wrought!” (in German “Tand, Tand ist das Gebilde von Menschenhand”), cf. quotation at the beginning of this chapter. Fontane, as a representative of society, criticises the unrestrained uncertainty in this poem. In fact, the wind load and, thus, the stress during the usage phase was underestimated in the planning [22].

This is indicated in Fig. 1.4a where there is an overlap between the probability density function \(p(\theta _\mathrm {U})\) of the stress \(\theta _\mathrm {U}\) in the usage phase with the probability density function \(p(\theta _\mathrm {P})\) of the strength \(\theta _\mathrm {P}\) in production. Both are influenced by the system’s design and production.

In the framework of stochastic uncertainty, cf. Chap. 2, the density function of the feature \(\theta \) has mean \(\overline{\theta }\) and standard deviation \(\sigma ({\theta })\). Hence, mastering uncertainty in the design and production phase, Fig. 1.4a, may be reached by increasing \({\overline{\theta }}_\mathrm {P}\) and/or reducing \(\sigma ({\theta _\mathrm {P}'}) < \sigma ({\theta _\mathrm {P}})\).

Knowing the uncertainty of stress and strength enables potential savings in mass, energy or other metrics that measure effort. Mastering uncertainty in the usage phase, Fig. 1.4b, may be reached by limiting \({\overline{\theta }}_\mathrm {U}\) and/or reducing \(\sigma ({\theta _\mathrm {U}'}) < \sigma ({\theta _\mathrm {U}})\). This may be reached by adapting semi-active components or using active components.
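The overlap in Fig. 1.4 can be turned into a number. The following is an added example, not taken from the book: it assumes independent, normally distributed stress \(\theta _\mathrm {U}\) and strength \(\theta _\mathrm {P}\) (the text does not fix a distribution) and uses constructed sample values to compare reducing \(\sigma (\theta _\mathrm {P})\), reducing \(\sigma (\theta _\mathrm {U})\), and the mean strength that can be saved at an unchanged failure probability.

```python
"""Stress-strength interference for the situation sketched in Fig. 1.4.

Assumption (not from the book): stress theta_U and strength theta_P are
independent and normally distributed. All numbers are constructed samples.
"""
import math
import random
from statistics import NormalDist

STD_NORMAL = NormalDist()


def failure_probability(mean_p, sd_p, mean_u, sd_u):
    """Return P(theta_U > theta_P), i.e. the overlap that leads to failure.

    The margin theta_P - theta_U is normal with mean (mean_p - mean_u) and
    standard deviation sqrt(sd_p**2 + sd_u**2); failure means margin < 0.
    """
    margin_sd = math.hypot(sd_p, sd_u)
    if margin_sd == 0.0:  # deterministic case: no scatter at all
        return 1.0 if mean_u > mean_p else 0.0
    return STD_NORMAL.cdf(-(mean_p - mean_u) / margin_sd)


def monte_carlo_failure_probability(mean_p, sd_p, mean_u, sd_u,
                                    n=200_000, seed=1):
    """Cross-check of the closed form by sampling stress and strength."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(n):
        strength = rng.gauss(mean_p, sd_p)
        stress = rng.gauss(mean_u, sd_u)
        if stress > strength:
            failures += 1
    return failures / n


def required_mean_strength(target_pf, sd_p, mean_u, sd_u):
    """Smallest mean strength that still meets a target failure probability."""
    if not 0.0 < target_pf < 1.0:
        raise ValueError("target_pf must lie strictly between 0 and 1")
    beta = -STD_NORMAL.inv_cdf(target_pf)  # reliability index
    return mean_u + beta * math.hypot(sd_p, sd_u)


# Constructed sample values (think of MPa); not data from the book.
BASELINE = {"mean_p": 400.0, "sd_p": 40.0, "mean_u": 250.0, "sd_u": 50.0}


def compare_measures():
    """Compare the two ways of mastering uncertainty named in the text."""
    base = failure_probability(**BASELINE)
    # Fig. 1.4a: tighter production, sigma(theta_P') < sigma(theta_P)
    tighter_production = failure_probability(**{**BASELINE, "sd_p": 20.0})
    # Fig. 1.4b: (semi-)active components, sigma(theta_U') < sigma(theta_U)
    tighter_usage = failure_probability(**{**BASELINE, "sd_u": 25.0})
    # Savings: with both scatters halved, how low may the mean strength go
    # while keeping the baseline failure probability?
    lighter_mean = required_mean_strength(
        base, sd_p=20.0, mean_u=BASELINE["mean_u"], sd_u=25.0)
    return {
        "baseline_pf": base,
        "pf_tighter_production": tighter_production,
        "pf_tighter_usage": tighter_usage,
        "mean_strength_at_equal_pf": lighter_mean,
        "safety_factor_baseline": BASELINE["mean_p"] / BASELINE["mean_u"],
        "safety_factor_at_equal_pf": lighter_mean / BASELINE["mean_u"],
    }


if __name__ == "__main__":
    for name, value in compare_measures().items():
        print(f"{name:28s} {value:.5g}")
    print("monte carlo baseline         "
          f"{monte_carlo_failure_probability(**BASELINE):.5g}")
```

With these sample values the central safety factor can drop from 1.6 to 1.3 at the same failure probability once both scatters are halved, which is the saving in effort the paragraph above refers to.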

In response to the Tay Bridge disaster, the second bridge of the railway line on the east coast of Scotland, the Forth Bridge, opened in 1890, and was significantly oversized. Thanks to new production methods—smaller fluctuations of semi finished and final products by quality control—and the avoidance of oversizing, it can be assumed that only half of the steel used would be needed today.

1.3 Components are Represented in Models

The basis of decisions made by humans or machines is information derived from a representation of a process, i.e. a model [19, 25]. Each model serves the purpose to represent the relevant part of reality and derive specific information out of the model. Hence, there are no general, purpose-free models. Since models are the prerequisite for evaluating the propagation of uncertainty in process chains, designing and optimising robust systems and selecting suitable process chains or structures from the solution space, a careful inspection of models is needed. This is even more important, as models connect data and structures, as will be seen, cf. Chap. 2.

The object to be represented by a model is a component or process of a technical system. In mechanical engineering, we distinguish between physical and software components. Each fulfils a sub-function of a system. Functions can be combined to form a module, an assembly, a sub-process chain or a single process. In the following, we use the representative term component.

A model represents only a part of the relevant reality. The model may even cover a part of the unreality. The data are embedded into the models. This is illustrated by the schematic Fig. 1.5: Data are linked to the models. Therefore, they are represented as a subset of the model. The boundary between relevant reality and the model is called model horizon [18]. The part of relevant reality not represented by the model is ignorance.

Fig. 1.5 Euler diagram to clarify relevance, ignorance, model and model horizon: socio-technical reality is separated in relevant and irrelevant reality. This separation is task-dependent. Humans or machines generate representations of this relevant reality, i.e. they model the relevant reality. It is not possible to completely model the relevant reality. The uncovered part of the relevant reality is named ignorance. The boundary between the model and the relevant reality is named model horizon. Data are formed by the values of parameters and process variables. Modelling only a part of the relevant reality is summarised by “there’s more to the picture than meets the eye” [48]

The model horizon is concisely described by the trained engineer and later philosopher Wittgenstein: “The limits of my language mean the limits of my world” [47]. This does not mean that every model has to be written in the mathematical language. Experience and implicit knowledge, which are often the basis of intuition, can also be regarded as a model. In fact, engineering design and production is often based on intuition. Intuition should therefore not be confused with ignorance.

The physicist and philosopher Heinrich Hertz judged models with respect to their conciseness and simplicity. Hertz [19] demands that a model should be

  (i) consistent, in a logical sense;

  (ii) correct, i.e. the model implementation is done properly, and the model provides an appropriate map of the technical system;

  (iii) concise, i.e. it should contain as few empty relations and assumptions as possible.

The latter requirement is known as the principle of simplicity. In the following, we shed some light on the three requested features of a model: consistency, correctness and conciseness.

Firstly, a model is considered (i) consistent with a theory framework if the model is free of contradictions to the knowledge represented by that framework. Simple examples illustrate the demand for consistency and the difference between consistency and correctness: a polynomial model or a neural network, both data-driven models, can certainly represent measurement data, such as a stress-strain relation of an elastomer or an adsorption isotherm of a gas and its adsorption material. Therefore, most engineers refer to the two models as correct or verified because they represent reality in a sufficient precision. The correctness may be quantified by the confidence and prediction levels of the model. In order for the models to be consistent with a more general theory framework, both models shall be consistent with the second law of thermodynamics [17]. If this demand for consistency is ignored, model uncertainty can be dramatic when the models are applied outside their calibration range. Vice versa, consistency reduces model uncertainty. Axiomatic i.e. deductively derived models are consistent per se, cf. Fig. 1.6. Consistency of data-driven models is improved by Bayesian inference using prior knowledge, see Fig. 1.6. A prominent example for this is Kalman filtering first used in the Apollo program 60 years ago for trajectory prediction [2, 23].

Fig. 1.6 Mapping of the real or cyber world to the world of intuition, inspiration, ideas, theories and knowledge by analysis and synthesis

In today’s language, consistency and verification are used synonymously. In the context of this book we follow this common usage in Chap. 2 and beyond, knowing that Hertz and empiricists like Hume or Popper understand the process of verification differently.

Secondly, it is important to stress, that from Hertz’s point of view, widely used verification and validation processes address only the second of Hertz’s demands, the (ii) correctness. Design engineers on the one hand and scientists on the other hand use the term verification in the above mentioned sense. If it is about the engineering design process of a product (physical or cyber), then verification is the examination of the specification-compliant implementation and work of models, methods and technologies.

For the empiricists it is about the ‘truth’ of models. According to Karl Popper, the ‘truth’ of physical models is in principle not generally verifiable: the hypothesis-model, i.e., the model “all swans are white” is falsified by the proof that black swans actually exist.

Here, too, there is an ambiguity: when scientists speak of the validity of a model, they evaluate the ‘truth’ of the model by comparing the model prediction with reality. According to Popper, this can only be done for a limited empirical context. This narrower concept of truth has proved extremely successful in the natural and engineering sciences since Galileo Galilei. This concept of ‘truth’ is a very successful concept.

Therefore, natural scientists should rather stick to the concept of verification in order to have a clear language, but we will not change this. For designers the language is clearer. When design engineers talk about product validation, they have acceptance in mind. They ask: Does a product fulfill its purpose and is it accepted? This means the product is useful.

Thirdly, the requirement for the (iii) conciseness or simplicity of a model has so far been underestimated when dealing with uncertainty. Two models serving the same purpose may both be equally consistent and equally valid but may differ in the number of assumptions needed to form the model [19]. To quote the medieval philosopher William Occam [30], a father of modern epistemology: “frustra fit per plura, quod potest fieri per pauciora”, i.e.

it is unnecessary to let something happen by several [factors], which can also happen with few [factors].

This applies to axiomatic models, but also to data driven models [1]. The principle of simplicity is known as Occam’s razor in philosophy of science [30].

Scientists tend to model more and more nuances. Engineers tend to get lost in the details of a design. That is because it’s easy to be complex but it’s difficult to be easy. By doing so, there is a danger of losing focus on the essence of a technical system. This implies the function, the effort to gain this function, the availability of the system and the system’s acceptability.

Why is simplicity so important in the context of mastering uncertainty? Each unnecessary assumption or relation is a source of uncertainty. This becomes relevant for forecasts or extrapolation, when a model is to be applied outside its calibration range. This is important in the context of resilience, as a strategy to master uncertainty, cf. Sect. 6.3. Resilient systems are capable of anticipating downstream processes.

Today Occam’s razor serves as guiding principle for axiomatic and more and more for data driven models [24].

In summary, simplicity, i.e. conciseness and also consistency reduce uncertainty, whereas the correctness of a model does not per se reduce uncertainty. This is relevant if models are to be used for forecasting, forward control, model prediction or anticipation of downstream processes.

What are the sources of our models?

In the above, we have used the terms axiomatic and data-driven models. The former is seen here not only for first principles, but also as a synonym for the state of knowledge, ideas and theories, which are independent of a specific application or even context.

As Fig. 1.6 schematically shows, the sphere of intuition, inspiration, ideas, theories and knowledge is filled by an upstream pipe, the analysis, formed out of (i) measurements done in the real or cyber world, (ii) aggregation of the measurements, (iii) induction of general relations, by possibly using prior knowledge. This prior knowledge may be accessible by Bayesian inference or other means deduced from the sphere of ideas, cf. Sect. 5.3. The philosophical problem of induction discussed above is of only minor relevance in the engineering sciences.

Today, this upstream pipe is very successfully used in data-driven modelling or black box modelling, e.g. in industrial image processing. The great success, ease of use and low threshold of expertise lead us to consider such models as a panacea. They work successfully when, for example, image data are available in abundance.

The focus here is on overcoming uncertainty. The question arises whether data-driven models are sufficient to enable the design process. It is inherent in the innovation process that the technical system is only just emerging. Therefore, only a limited amount of data can be collected in the early phase. Consequently, the situation of small data instead of big data is typical for the composition and operation of innovative technical systems. The models required by the engineers are therefore initially white box models deduced or adopted from a general theory, knowledge or experience. In summary, the synthesis of physical or cyber products is always triggered by an intuition. In the context of Sustainable Systems Design, this idea is motivated by a societal need. The consequent methodological system design has a deduction phase (iv) and a composition phase (v). In the deduction phase, component models are derived. Those component models are then composed, i.e. connected, to form a system that fulfils the societal need, ideally in a sustainable way.

The upper sphere shown in Fig. 1.6 is not homogeneous. “I believe in intuition and inspiration. [...] Inspiration is more important than knowledge.” [45]. Thus, Einstein is consistent with David Hume, who considered the interplay between ratio and inspiration: “Reason is, and ought only to be the slave of the passions.” The engineer, the homo faber, needs both inspiration and knowledge in a balanced interplay.

Sometimes prior knowledge may be used. This may be supplied from another context or a physical model test, cf. Sect. 4.3.6. As often, there is no black or white. Today the combination of both, upstream and downstream modelling approaches is common. The results are so-called grey box models, where grey is a mixture of the white axiomatic models with the black, i.e. data-driven models. Integrating implicit knowledge into grey box models remains a task.

“All models are wrong, some are helpful”

is a quote from Box [4]. Models are inherently uncertain as Fig. 1.5 indicates. With regard to model uncertainty, cf. Sect. 2.2, models may have either an unsuited structure to model the relevant part of the reality or model parameters may be uncertain. It is evident that model uncertainty, due to an unsuited model structure, cannot be mastered by mastering the uncertainty of the model parameters. This is indicated by the Euler diagram shown in Fig. 1.5. Nevertheless, many engineers still cling to their familiar models, even if a model is unsuitable. By calibrating the model parameters, originally axiomatic models are degenerated to data-driven models without being recognised as such by the user. A wrong model structure is not helpful.

For example, an unsuitable structure may be given when trying to model a diffusion problem with an elliptic partial differential equation, if a parabolic equation is suitable. An unsuitable structure may also be present when a journal bearing is modelled using the Reynolds’ equation of lubrication theory, even if the product of Reynolds’ number \(\text {Re}\) and relative clearance \(\psi \) is greater than one. In this case the inductance within the bearing itself is a relevant part of reality. This inductance is ignored in classical lubrication theory, which is part of most engineering education. Dimensionless model parameters, such as the product of Reynolds’ number and relative clearance \(\psi \, \text {Re}\), are often weights of the different terms of a model resulting from a dimensional analysis.

To sum up, it is often the engineer’s experience and his or her ability to evaluate the applicability of a model.

1.4 Data and Data Sources

Data are connected to physical or cyber components, which in turn are mapped to the models. This is the one side of the system. The other side is the structure with its individual components.

The data addressed here can be the value of any model parameter or any measurement signals gained from a process. There are three main data sources:

  (i) the process itself,

  (ii) a representative process,

  (iii) the archived data.

For sources (i) and (ii), the data may come from (a), a sensor in the real (physical sensor) or cyber world (simulation data), or (b), a soft sensor. A soft sensor combines a model with a physical sensor to derive data that are not physically accessible with limited effort [16]. Provided the process itself delivers signals by means of integrated sensors, cf. Sect. 4.2.2.

A representative process (ii) is firstly a sample test, where the sample’s properties are assumed representative for all similar parts; it is secondly a physical model test, where the model may be a scaled prototype. Performing a sampling inspection is common in quality assurance. Testing a downscaled physical model is common in turbo-machinery, aerospace and marine industry [38]. The necessary scaling methods are based on the Bridgman postulate [5] and the Buckingham Pi-theorem [6]. In both cases, the data are gained offline of the relevant process. This might have the advantage that measurement uncertainty is reduced. But any offline test must take into account physical dissimilarity. This dissimilarity may be treated by scaling methods, which are a source of uncertainty [20, 43], cf. Sect. 4.3.6.

The archived data (iii) can be quality-assured, i.e. findable, accessible, interoperable, reusable (FAIR). This requires data governance and curation. The storage has to take place in such a way that the raw data are linked to their metadata in a machine-readable form [13]. Often archived data are not FAIR. Archived data are also fuzzy data remembered by an engineer or worker.

Data quality has two sides [13]: firstly, formal data quality achieved by following the FAIR-principles, and secondly, content quality. Since uncertainty is associated with trust in data [14, 15], formal data quality should not be ignored: the higher the formal data quality, the more the data is trusted. A detailed view on data quality is given in Sect. 2.1.

Two or more data sources can be used simultaneously to derive information. This data fusion will lead us to a concept called data-induced conflicts, which will be discussed in Sect. 4.2. It is a concept that allows confidence in data sources, but also model uncertainty, to be assessed.

1.5 Component Structures

Structures consist of components, physical components and/or cyber components, i.e. algorithms in the form of software. Having treated component models and data, we come to the system level represented by the term structure.

In the classical engineering design [29], the system’s function is usually the starting point from where a system’s functional structure with related sub-functions is derived, cf. Sect. 3.3. The system’s function structure is independent of a product, process or system realisation. After the decision on the integration or separation of the functions into individual physical or cyber components, the functional structure of the system is mapped to the components. These form the real system.

The decision about the integration or separation of the functions is guided by the mastering of the internal and external complexity. This decision process is the foundation of modular design, which allows an economic scaling. An illustrative example of modular design obtained by intelligent function integration and function separation is shown in Fig. 3.19.

With respect to the system’s function and quality, a quantitative evaluation of the system’s uncertainty is only possible at the system level; we evaluate the system’s uncertainty with respect to effort, availability and acceptability, frequently being only possible at the component level. Structural uncertainty, cf. Sect. 2.3, therefore results from the fact that a multitude of possible functional structures can be found for a system’s function that is still subject to uncertainty; and in turn a multitude of component structures can be realised for each functional structure. This results in a combinatorial explosion of the solution space [39], which is only partially comprehensible and assessable for humans. The unnoticed part of the solution space remains in the area of ignorance due to this structural uncertainty [33].

The difference between data, model and structure is exemplified by the design task of a hydrostatic transmission sketched in Fig. 1.7. Figure 1.7a shows a double-acting piston, whose force-displacement curve has to be controlled by a structure or system formed out of the sketched components, i.e. the hydraulic valves. Figure 1.7b shows the load history, which may be uncertain. The system’s function is described by such a load history.

Fig. 1.7

(a) Design task of a hydrostatic transmission with minimal particle wear. The pressure source of a pump (high pressure) and the tank (atmospheric pressure) is to be connected by a so far unknown structure of hydraulic valves with a double-acting hydraulic cylinder; when the pump is connected to the left volume and the tank to the right volume, the cylinder extends; (b) the function is described by a load history; the control valves shall be selected from a field of possible hydraulic valves; the right half of the valves allow the pressure drop to be adjusted. The representation of the possible hydraulic valves implies that any structural solutions S are possible [44]

Each valve is a component being described by a functional relation of input u, output z and model parameters m: \(f(u,z,m,\dots )+\delta f = 0\). Here, the model f of the valve arises from a differential-algebraic system of equations, and \(\delta f\) is the residuum between model and reality. The operational inputs u determine the valve position, density, pressure difference and particle concentration. The parameters m include the maximal valve opening and diameter. The output is given by the wear history. Thus, the time-varying flow-characteristic and at the same time, the evolution or wear due to particle erosion are described, cf. Sect. 3.3. Hence, the wear for an arbitrary load history and structure is given [44].

Fig. 1.8

Design for (a) ignored structural uncertainty, (b) minimal wear; the availability with respect to wear due to particle erosion is increased by a factor of 16 [44]

The system is composed of different admissible components schematically collected in the design space as sketched in Fig. 1.7. The design space with admissible structures all fulfilling the demanded function is so large that it cannot be explored manually. The different design solutions S all differ in the system’s degeneration due to particle wear.

If only one solution out of the design space is selected and the countless other solutions are ignored, we call this form of uncertainty firstly structural uncertainty and secondly ignorance. Only if an optimal structure \(S_{\text {opt}}\) with regard to minimal particle erosion is selected, here Fig. 1.8b, do we speak of mastered structural uncertainty. Figure 1.8a shows the usual design using a standard 4/3 directional control valve, whereas the optimal structure \(S_{\text {opt}}\) showing minimal wear is given in Fig. 1.8b.

Data uncertainty \(\theta = \overline{\theta } + \delta \theta \) and model uncertainty \(f(u,z,m, \dots ) + \delta f = 0\) have to be taken into account in the structural uncertainty. They propagate into the structure S. This book contains some examples of how this is achieved by means of robust optimisation, see for example Sect. 6.1.1.

1.6 Sustainable Systems Design—The Extended Motivation for This Book

In Sect. 1.1 the topic ‘mastering uncertainty’ is motivated solely by product safety. As Figs. 1.2 and 1.3 exemplify, product safety is determined mainly by its load-bearing capacity, i.e. the system’s function. A broader scope of the process chain, system or structure will guide us to an extended motivation to master uncertainty. For this reason, we first discuss the relations of function, effort, availability and acceptability.

Towards optimal quality subject to functionality

The design variants are denoted by x. The system’s function and additional constraints are given by relations of the type \(g(x) \le 0\), cf. Fig. 1.9. An example of such a constraint is seen in Fig. 1.7b. At this point, the discussion about structural uncertainty shows that the design variants x differ for each structure S. Hence, the paradigm ‘form follows function’, created by the American architect Louis Sullivan at the beginning of the 20th century, is not an objective; it is a constraint. The missing objective is ‘less but better’ created by Rams and Klatt [35]. The renowned German designer Dieter Rams, having worked many years for the company of Braun, demanded in the middle of the 20th century: ‘Weniger, aber besser’! This is the missing objective. In the optimisation, we are not only looking for better quality measured in effort, availability and acceptability, but for Pareto optimal quality. Hence, the two paradigms ‘form follows function’ and ‘less but better’ are evolving into ‘towards optimal quality subject to functionality’. The union of both paradigms is the guiding principle when designing, manufacturing and operating systems under uncertainty. The achievement of ‘optimal quality with consideration of functionality’ is what we call ‘Sustainable Systems Design’.

Fig. 1.9

Equivalence of (a) the Sustainable Systems Design and (b) the constrained optimisation problem

What is our understanding of function and quality?

The objectives are (i) minimise effort \(F_{1}\), (ii) maximise availability \(F_2\), and (iii) maximise acceptability \(F_3\). The three objectives are often conflicting. Hence, the multi-criterial decision problem \(\min \,[F = \{ F_{1}, -F_2, -F_3\} ]\) leads to a Pareto set of optimal solutions [12]. The selected optimal solution always depends on the ranking of the three objectives (i) effort, (ii) availability, (iii) acceptability.
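The following Python example is added here for illustration and is not taken from the book: it filters design variants by the constraint \(g(x) \le 0\), computes the Pareto set of \(F = \{F_1, -F_2, -F_3\}\), and shows how the selected solution changes with the ranking of the objectives. The variant values are constructed, and expressing the ranking as a weighted sum of normalised objectives is an assumption made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    name: str
    g: float              # constraint value; the function is fulfilled if g <= 0
    effort: float         # F1, to be minimised
    availability: float   # F2, to be maximised
    acceptability: float  # F3, to be maximised

    def objectives(self):
        # F = (F1, -F2, -F3): every entry is to be minimised.
        return (self.effort, -self.availability, -self.acceptability)


def dominates(a, b):
    """True if a is no worse than b in every objective and better in at least one."""
    fa, fb = a.objectives(), b.objectives()
    return all(x <= y for x, y in zip(fa, fb)) and any(x < y for x, y in zip(fa, fb))


def pareto_set(variants):
    """Feasible variants (g <= 0) that no other feasible variant dominates."""
    feasible = [v for v in variants if v.g <= 0]
    return [v for v in feasible if not any(dominates(o, v) for o in feasible)]


def select(front, weights):
    """Pick one Pareto-optimal variant by a weighted sum of objectives,
    each normalised to [0, 1] over the front (assumed selection rule)."""
    cols = list(zip(*(v.objectives() for v in front)))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]  # avoid division by zero

    def score(v):
        return sum(w * (f - l) / s
                   for w, f, l, s in zip(weights, v.objectives(), lo, span))

    return min(front, key=score)


# Constructed design variants (illustrative numbers only).
VARIANTS = [
    Variant("A", -0.20, 10.0, 0.90, 0.6),
    Variant("B", -0.10, 14.0, 0.97, 0.7),
    Variant("C", -0.30, 12.0, 0.88, 0.5),  # feasible, but dominated by A
    Variant("D",  0.40,  6.0, 0.99, 0.9),  # best quality, but violates g <= 0
    Variant("E", -0.05, 20.0, 0.99, 0.9),
]

if __name__ == "__main__":
    front = pareto_set(VARIANTS)
    print("Pareto set:", [v.name for v in front])
    for w in [(1, 0, 0), (0, 1, 0), (2, 1, 1)]:
        print("weights", w, "->", select(front, w).name)
```

Variant D shows why the function acts as a constraint rather than an objective: it has the best quality values but never enters the Pareto set because it does not fulfil \(g(x) \le 0\).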

Linguistically, the system’s function is described by verbs, such as to carry, store or transport. The function is mostly further specified by a load spectrum or load history. The objective function is determined by the quality of how the function is fulfilled. Here, quality symbolises the adverb to a verb, namely a function, like for example efficient transport. The adverb, i.e. the quality, characterises the three aspects of effort, availability and acceptability.

(i) Effort is measured, for example, by the total cost of ownership. Sometimes only the material or energy consumption is measured. In the usage phase of lightweight structures, the weight is the determining factor for the effort.

(ii) Availability can be measured, for example, by the sum of the mean time between two failures and the repair time relative to the total time. Alternatively, the anticipated remaining service life can also be specified. For this purpose, an assumption regarding future usage and an ageing model are necessary. A general ageing model is presented in Chap. 3.

(iii) Of the three measures of the objective function, acceptability is the most difficult measure. Acceptability has two sides, a formal and an informal side:

    A formal aspect of acceptability, presented in Sect. 5.1, lies in the conformity with regulations, such as the Product Safety Act [7]. Formally, acceptability can also be achieved through a regulation. For example, an ordinance can make the function of an electronic stability control system (ESP) mandatory for vehicles. For formal acceptability, the politically agreed needs of society are cast into regulations. Either products have to meet the regulations or the regulations demand defined technologies.

    The counterpart to the formal side of acceptability is the informal acceptability gained through positive user experiences. The user may be a consumer in the consumer goods market, but also a company in a business-to-business market. This user experience has many facets and it would go far beyond the scope of this book to fully immerse into this field. Schmitt coined the term perceived quality in this context [37]. Instead, we focus on the facet product quality being important for informal acceptability.

It is obvious that the higher the experienced quality of a product and the lower the effort measured against the costs, the higher the acceptability. The quality is measured on the one hand by the expected functional performance given by the deviation \(\delta g = g_\text {s} - g\) from the expectation, cf. the 3rd case study in Chap. 3, and on the other hand by the expected effort \(F_{1}\) and by the expected availability \(F_2\). As Fig. 1.10 shows, \(g_\text {s}\) is the specified function and g is the realised function.

Customer expectations must match the quality promise. This is either explicitly given by the manufacturer or it must be consistent with the usual market quality. If necessary, the quality is also defined in regulations, see Sect. 5.1. Here, too, it can be seen that the various aspects of a product depend on each other: formal and informal acceptability overlap in parts.

Fig. 1.10

Sustainable Systems Design presented as a closed loop, indicating the localisation of model uncertainty, structural uncertainty and data uncertainty, which is dealt with in Chap. 2. The process of system specification between different stakeholders is a source of uncertainty, which is discussed in Sect. 5.1.1

The schematic representation of the constrained optimisation problem as a closed control loop, Fig. 1.10, helps to identify the different uncertainty sources: model uncertainty, structural uncertainty and data uncertainty, which is dealt with in Chap. 2. The dynamic process of system specification between different stakeholders is a source of uncertainty, which is discussed in Sect. 5.1.1.

Sustainable Systems Design is model-based: the system function g and system quality F are evaluated on the basis of models. The recognition, evaluation and mastering of model uncertainty, cf. Sect. 2.2, is thus one core of this book. By integration of functions or separation of functions, and by combination of materials and components, often more than seven competing systems fulfil the same specific function \(g_\mathrm {s}\). The number seven is known to be the limit on human capacity for processing information [26]. Roughly speaking, all other possible variants remain in the field of ignorance for people in system design. This structural uncertainty can only be controlled by algorithms discussed in this book. For this, rules of the game and system boundaries have to be set. This must be recovered by the stakeholders. In order to quantify the system quality in the evaluation step, metrics for effort, availability and acceptability are necessary. The evaluation of the function and quality requires models, see Chap. 3. Secondly, weighting factors \(w_i\) are necessary. In the evaluation step, Pareto surfaces can be presented.

Fig. 1.11

Improvement of system performance by an active component, here the Active Air Spring introduced in Sect. 3.6.2. A compact car is driving over a country road at a speed of 70 km/h. The standard deviation of the body acceleration is plotted versus the time-averaged actuating power in W and the standard deviation of the relative wheel load. The white circle is the reference for the vehicle with a passive suspension system [36]

As good as it gets—orientation helps mastering uncertainty

The demand to improve quality beyond an existing Pareto surface requires an extended playing field or altered rules of the game. This is achieved by new technologies. A Pareto line for a chassis design using an Active Air Spring as component is shown in Fig. 1.11. The effort \(F_1\) in the example of an active chassis may be defined by the power consumption. The acceptability \(F_3\) in the example is given by the functional quality of the suspension system. The sub-functions are isolating the body and reducing wheel load fluctuation, i.e. fostering driving safety. As seen in the figure, the position of the Pareto line is determined by the available power of the active component. However, there is often a technology-independent, i.e. asymptotic, Pareto boundary. The question ‘what can be achieved in the optimal case, if there is no limitation, for example to the power?’ can often be answered.

In engineering sciences, this asymptotic Pareto line or surface is determined by physical laws. The most prominent Pareto surface is the Carnot efficiency of a thermal power plant. Due to the second law of thermodynamics, only the fraction \(1-T_1/T_2\) of the input heat flux \(\dot{Q}\) may be transferred into mechanical power \(P_\mathrm {S}\). The knowledge of this asymptote, i.e. Pareto surface, motivated engineers to increase the combustion temperature \(T_2\) more and more (\(T_1\) is the ambient or cooling temperature). This triggered the development of high-temperature material. For wind power [3] and water power [31, 34] we have similar upper limits independent of the system design and operation. For ‘energy production’ a clear asymptotic upper limit can often be given. These upper limits have names like Carnot law or Betz law. For active systems, i.e. energy-consuming systems, it is also possible to specify Pareto limits. Often these are much more complicated to find and are unfortunately still hardly used in industry for orientation.

Even for an ideal, active system, which may consume any amount of energy, the goals can still be contradictory. Figure 1.11 shows an energy-consuming system. Design solutions that lie at the asymptotic Pareto boundary are reference solutions of the ‘as good as it gets’-type.

Pareto surfaces and asymptotic Pareto boundaries offer an orientation for designers that should not be underestimated. Not every case requires an optimal solution. However, the aim should be to know the distance from the optimal solution. This helps to counteract the often prevailing lack of orientation.

The need for deep diving is expressed by the British designer Jonathan Ive at the beginning of this century: “you have to deeply understand the essence of a product in order to be able to get rid of the parts that are not essential” [9]. The essence is the system’s function g and the system quality F seen from the user’s perspective. The way to sustainability is cleared by optimal quality subject to functionality.

1.7 Outlook on the Following Book Structure

Mastering uncertainty in the phases design, production and usage does not only refer to the system’s function but also to (i) effort, (ii) availability, and (iii) acceptability, as depicted in Fig. 1.9. Hence, product safety stands next to other motivations all covered in this book from a specific point of view:

(i) Ensuring product safety,

(ii) realising lightweight structure and Sustainable Systems Design,

(iii) controlling production quality.

The schematic Fig. 1.11 shows that mastering uncertainty may lead to resource savings. This is immanently important for lightweight structures where the weight is to be minimised for a given load-bearing function. The example sketched in Fig. 1.8 is an example of a Sustainable Systems Design under uncertainty, where the wear was minimised. In production, the control of uncertainty can save costs by making processes more flexible and adaptive. In Sustainable Systems Design, the control of uncertainty leads to robust or even resilient systems.

The three floors of mastering uncertainty in mechanical engineering

We organise this book with a picture of a truss structure, shown in Fig. 1.12. The truss structure has three floors. These are, firstly, the fundamental floor built from terms and definitions, secondly, approaches to uncertainty quantification on the one hand and methods and technologies on the other hand, and thirdly, strategies to master uncertainty.

Fig. 1.12

Framework of mastering uncertainty presented in this book mapped on a truss structure

The fundamental floor (I) is formed by the motivation as well as the reflection on data and models given in this chapter, the lower left bar in Fig. 1.12. At the beginning of our research more than ten years ago, it became clear that for mastering uncertainty a definition of uncertainty classes is important. Only when things are defined by name do they become tangible. The motivation and discussions in this chapter and Chap. 2 describe the classification of uncertainty into stochastic uncertainty, incertitude and ignorance by the first classifier and into data, model and structural uncertainty by the second classifier. This results in the matrix of uncertainty classes, shown in Fig. 2.2. With the first three bars and chapters the foundation is given for a solid middle floor. Chapter 3 provides our specific approach on mastering uncertainty. Within Chap. 3, we introduce three technical systems created, tested, and verified in the context of mastering uncertainty. The first system is a load-bearing structure representing a generic lightweight structure called Modular Active Spring-Damper System; the second system is the Active Air Spring, a technology which is ideal to prevent kinetosis when driving autonomously; the third system is the 3D Servo Press allowing flexible production and a closed-loop control of the product properties. These three systems, all developed, manufactured and validated from scratch at TU Darmstadt during the previous decade, form the heart of the book. They will be highlighted from different perspectives. The central bar Chap. 3 is connected via the two supports to the state of the art in mechanical engineering, applied mathematics and law. The engineering view differs significantly in method and language from the mathematical view. This is no drawback but makes the book interesting to read—so we hope.

The middle floor (II) is formed first by Chap. 4 and then by Chap. 5. Chapter 4 deals with the methods to analyse, quantify and evaluate uncertainty in single processes and their propagation in process chains. Sections 4.1 and 4.4 are devoted to the identification and visualisation of uncertainty. Section 4.2 deals with the methodology of ‘data-induced conflicts’ for the identification of data and model uncertainty. Section 4.3 provides insight into model uncertainty from different perspectives: optimal design of experiments with respect to the evaluation of model uncertainty, model uncertainty related to hardware-in-the-loop testing, as well as scaling under uncertainty. In summary, Chap. 4 provides the basis for the identification and quantification of uncertainty in mechanical engineering. Chapter 5 deals for the first time with the mastering of uncertainty itself by introducing methods and technologies to master uncertainty. This includes the management of product safety from a regulatory perspective, Sect. 5.1. Design methods to master uncertainty are discussed in Sect. 5.2. Active and semi-active processes are often needed to react to changes in the usage and production phases. A controlled process chain, i.e. a system, is described in Sect. 5.3; active components and single processes are discussed in Sect. 5.4.

The top floor (III) is devoted to strategies of uncertainty mastering. This floor builds on floors (I) and (II). We discuss three strategies: robustness (Sect. 6.1), flexibility (Sect. 6.2), and resilience (Sect. 6.3). Progress in discrete and nonlinear robust optimisation methods is presented together with robust production processes and development methods for a robust system.