2.3

State of the art

Future ECS-based systems need to be connected, intelligent, highly automated, and even autonomous and evolvable. This implies a huge variety of challenges, including: how to specify their behaviour in an open environment in terms that can be used as requirements for implementation and validation; how to validate autonomous systems at all; how to test them (critical situations are rare events, and the number of test cases implied by the open-world-assumption is prohibitively large); and how to ensure safety and other system quality properties (security, reliability, availability, trustworthiness, etc) for updates and upgrades.

With the increased functionality of ECS and with the increasing demands on testing and validating them, engineers need tool support to enable them to design, build, test and validate, produce and maintain such complex system; these tools need to be integrated into seamless design flows (frameworks) such that the effort and the cost associated with these tasks ideally stays constant even though functionality and validation demands increase. New functionality of ECS that cannot be handled by currently available tools requires new methods which, when successful, lead to additional design and validation tools. New technologies – or technologies that are new to ECS, like chiplets – often don’t have sufficient tool support, let alone tools integrated into frameworks.

Model-based Systems Engineering (MBSE) technologies will be disrupted by the latest AI technologies (e.g. generative AI and agentic AI), increasing the design and verification productivity by at least an order of magnitude. For ECS design, HW–SW-codesign is still limited by the capabilities of individuals. AI technologies will make collective expertise and collective data of whole industries available for an individual ECS design challenge. There are two scenarios to be addressed: (1) ECS design built upon commercial off-the-shelf (COTS) electronic components; and (2) ECS design down to new IC design. From an architecture design perspective, HW–SW-codesign requires virtual platform (VP) ready models for all COTS components to support architecture exploration and verification, as well as early SW development. For the latter, one VP-ready model of design IP is required for architecture exploration and verification, as well as early SW development. VPs integrated with established CI/CD pipelines for SW development ensure productivity and correctness of the development process.

To foresee the physical implementation of new ICs in this early design stage of ECS, VPs need to be extended with additional attributes beyond functionality alone – such as timing performance, energy metrics, lifetime metrics, etc. AI technologies will ensure optimised architectures and take on the cumbersome generative tasks of engineers. Such capabilities are expected to be a copilot-type of assistance for engineers in the first phase, but will become more autonomous in mid-term future ECS design. Functional integration technologies like chiplets open a new dimension of challenges in architecture exploration beyond conventional PCB design leveraging COTS components.

As with the architecture phase, the implementation phase of ECS will also be disrupted by AI technologies. AI-enabled design of functional models for SW and HW is already state-of-the-art. Copilots are widely used in SW development and have already begun to enter into RTL design. The democratisation of IC design for ECS is the systematic enablement for design of optimised architectures and complete functional models of ICs. The downstream design flow steps for physical implementation require deep physical awareness of manufacturing processes, which is standardised for PCB-based HW and enabled by the EMS ecosystem, but is highly sophisticated for IC and deeply embodied in business models with foundries and IDMs as core stakeholders maintaining process technology a IP.

The Virtual Design Platform initiative at the European level is building the interface between proprietary process technology, open-source design IP, open-source EDA tools primarily addressing functional design and proprietary design IP and proprietary EDA tools, especially addressing the physical implementation phase of the design. Innovation is required at the interface to ECS system design through more complete, efficient and innovative design IP, as well as AI-enabled innovation for system design down to RTL as the formal specification for ICs for fully automated physical implementation, production and subsequent testing.

A rich and trustworthy ecosystem of design IPs, models, data and tools requires Digital Thread technologies governing and ensuring collaboration, as well as supporting design of compliant and certification-ready ECS products.

Both technology push that enables new functionalities and – even more – market pull (i.e. the demand for new functions in products) – are extremely high in ECS. This is why design methods often lag behind current development methods. This holds even more for validation tools, where there a prominent examples – like showing safety for systems with functions based on AI – for which even the methods used are not yet complete, let alone their implementation in appropriate tools. This leads to the absurd situation that although the technologies needed for specific functions are available and even though the market demands these functions, engineers cannot deliver them at all, or not in the required quality (i.e. safety) or not at an affordable price (because the effort, and thus the cost, for the manufacturer to build and validate these systems is too high.

“Closing the loop” – i.e. collecting relevant data in the operation phase, analysing it (using AI-based or other methods) and feeding it back into the development phase (using digital twins, for example) – is the focus of this research topic. It is closely related to the major challenges “Continuous integration and deployment” and “Lifecycle management” in Chapter 1.3, which examines the software part of ECS, and Major Challenges 1, 2 and 4 in Chapter 2.4.

Closing the loop includes data collected during the production and operation of the system on all levels of the hierarchy, from new forms of misuse and cyber-attacks or previously unknown use cases and scenarios at the system level, to malfunctions or erroneous behaviour of individual components or modules. Analysing this data leads to design optimisations and development of updates, eliminating such errors or implementing extended functionality to cover “unknowns” and “incidents”. On the one hand, this continuous development allows for shared learning, where in a system family (like a fleet of highly automated cars) all systems can be optimised based the experience of each single member of the family. Combined with a strong monitoring concept – i.e. where unknown scenarios and unknown use cases are detected before they actually arise and where corresponding safety measures like minimum risk maneuvers or evasive actions can be triggered – this ‘learning in the field’ concept can achieve significant advancements in safety assurance cases of such systems (online validation and verification).

All of these aspects must be supported within holistic design flows (frameworks) that also must support:

• Supply-chain-awareness: From requirements to optimised system architecture considering supply chain leveraging seamless digital twin from component to design to manufacturing to operation.
• Complete traceability of products and processes in virtual engineering, supporting sensitivity analysis and robustness investigation, included in the optimisation process and the system monitoring process.
• Design for optimised manufacturing and operation; awareness of physical effects and interferences; awareness of complete lifecycle, including energy, resource, CO2-footprint, recycling, circular economy.
• Consistent methods and new approaches for (multi-level, multi-paradigm) modelling, analysis, verification and formalisation of ECS's operational reliability and service life.
• Open (and inner) source in HW and SW for complete product lifecycle.

For EDA, an open-source EDA flow is a composable, licence-free toolchain that carries a design from requirements, RTL or schematics through verification, synthesis, place-and-route, sign-off checks, and tape-out, using community-maintained tools and open PDKs where available. A typical digital flow combines HDL linting and formatting (e.g. SystemVerilog front-ends and linters), simulation (cycle-accurate and event-driven), and formal verification, then proceeds through logic synthesis, static timing analysis, and physical implementation, including automated floorplanning, clock-tree synthesis, placement, routing, extraction, and timing closure. Sign-off-quality checks are achieved through DRC/LVS and basic IR-drop analysis, with standard data formats (Verilog, Liberty, LEF/DEF, GDSII/OASIS, and SDF/SPEF) ensuring interoperability. Analog and mixed-signal flows leverage schematic capture, SPICE-class simulators, layout editors, and LVS/PEX to integrate custom blocks with digital SoCs. The strength of this approach includes transparency, extensibility, reproducibility (via containers and pinned tool versions), and scalable compute without per-seat licences – making it ideal for education, research, early feasibility, and cost-sensitive production at mature nodes. Current limitations include partial SystemVerilog/UVM support, constrained DFT/ATPG capabilities, variable PDK coverage (stronger at mature nodes), and evolving sign-off fidelity for advanced effects (electromigration/IR, variability, and thermal), which may necessitate targeted use of commercial tools.

Open Source is the predominant strategy for design IPs (e.g. RISC-V) and the early stages of the chip design flow addressing the capturing of the design intent, functional architecture exploration, functional modeling down to RTL and functional verification, as well as relevant Digital Twin technologies. These are the fundamental stages for the democratisation of the semiconductor value chain for any potential user/customer not being an expert in chip design. Later stages for physical implementation are deeply interlinked with semiconductor manufacturing process technologies and orders of magnitude more complex than the functional stages of the chip design flow. Semiconductor process technologies are under full control of quite a closed ecosystem of foundries, IDMs and EDA companies with significant continuous investment ensuring guaranteed quality of chips produced. Nevertheless, any open source initiative is highly relevant for research developing the resource pool for chip design experts and ECS design experts.

Operational efficiency improves when the open-source flow is wrapped in CI/CD and DevOps practices – i.e. if the loop is ‘closed’: Every commit triggers lint, synthesis, and regression simulations; nightly or gated builds run place-and-route with timing/DRC/LVS checks; artifacts (netlists, constraints, Liberty, LEF/DEF, and GDS) are versioned; and benches, tool images, and PDKs are managed as code for reproducibility. AI can prioritise regressions, cluster failures, and guide floorplan/placement decisions or test selection, provided MLOps safeguards ensure datasets, models and metrics are tracked. Governance is essential: no internal data shoulld be entered into external services or public repositories; run flows on approved on-premises resources, enforce IP sanitisation, and maintain auditable SBOMs for toolchains and PDKs.

As non- (or partly-) technical Challenges, all data collection activities described in this chapter also need to comply to privacy regulations (e.g. the General Data Protection Regulations GDPR of the EU) as well as in a way that protects the Intellectual Property (IP) of the producers of the systems and their components.

Design processes for ECS must be expanded to enable virtual engineering on all hierarchy levels (i.e. from transistor level “deep down”, up to complete systems and even System of Systems, cf. “Efficient engineering of embedded software” in Chapter 1.3 and “SoS integration along the lifecycle” in Chapter 1.4 for more details of this software-focused challenge, especially with respect to SoS). This requires model-based design methods, including advanced modelling and specification capabilities, supported by corresponding modelling and specification tools. Furthermore, it is important to create reusable, validated and standardised models and model libraries for system behaviour, system environment, system structure with functional and non-functional properties, SoS configurations, communication and time-based behaviour, as well as for the human being (operator, user, participant) (cf. Chapter 1.4 and the following key focus area “Advancing System and component design (methods and tools)).

Central to this approach are “digital twins”, which capture all necessary behavioural, logical and physical properties of the system under design in a way that can be analysed and tested (i.e. by formal, AI-based or simulation based methods). This allows for optimisation and automatic synthesis (see also Major Challenge 1 and 2 in Chapter 2.4, ‘virtual prototypes’ in appendix A – for example, of AI- supported, data-driven methods to derive (model) digital twins.

Supporting methods include techniques to visualise V&V and test efforts (including their progress), as well as sensitivity analysis and robustness test methods for different parameters and configurations of the ECS under design. Test management within such virtual engineering processes must be extended to cover all layers of the design hierarchy, and be able to combine virtual (i.e. digital twin and simulation-based) and physical testing (for final integration tests, as well as for testing simulation accuracy).

To substantially reduce design effort and costs, a second set of supporting methods deals with the automated generation of design artefacts such as identification and synthesis of design models, automatic scenario, use-case and test vector generation, generative design techniques, design space exploration, etc. Typically, these build upon AI-supported analysis of field data.

Last, but not least, virtual validation and testing methods must be enhanced considerably to achieve a level of realism and accuracy (i.e. conformity to the physical world) that enables their use in safety assurance cases and thus fully enables the shift from physical testing to virtual testing. This includes overcoming limitations in realism of models and simulation accuracy, as caused for example by sensor phenomenology, vehicle imperfections like worn components, localisation and unlimited diversity in traffic interactions. Digital Twin technologies built upon comprehensive modelling and high-performance simulation technologies at subsystem and system level should replace costly and time-consuming physical testing still widely used today. Of course, models have to be validated against the physical implementation of the system, and – especially on the system level – simulation environments have to be validated against the real, physical world, not only with respect to correctness but also completeness.

System and component design, validation and test methods have to be continuously advanced and extended to keep up with the new functionalities of and new technologies used for ECS. Currently, advancement in the following topics is needed urgently to realise the potential that these new functionalities and technologies can bring:

• Model-based design technologies
• Model creation/elicitation, modelling techniques, modelling tools, model libraries, using explicit models as well as data-driven models.
• (AI-based) Model identification, synthesis, improvement and parameterisation with measurement data.
• Techniques and tools to model behaviour, timing, functional and non-functional properties of: (a) components; (b) systems; (c) environment/real world; and (d) test-cases/scenarios (physical rule-based as well as data-driven).
• Executable models of sensors (including accuracy, confidence, etc).
• Test Management on all hierarchy layers
• Automatic generation of test cases on all hierarchy layers (from physical sensor input via bitvectors up to concrete test scenarios for systems).
• Means to efficiently process and analyse dynamic test results (traces, observations , loggings, etc) to derive tangible knowledge for design improvements.
• Augmented and virtual reality in design, development, manufacturing and maintenance processes.
• System Level Design for new System Architectures. The increasing diversity of OEMs and the complexity of modern E/E architectures demand a paradigm shift in system-level design. Traditional methods fall short in enabling seamless architecture exploration, HW/SW co-design, and mixed-signal modelling. A holistic design approach is needed – one that supports flexible adaptation to OEM-specific needs, integrates verification early in the process, and enhances quality, reusability, and development efficiency through consistent, tool-supported methodologies.
• Monitoring Techniques
• V&V extended by life-time monitoring of security and reliability aspects.
• Methods and tools for (automatically generated) monitoring of systems (based on their digital twins), including monitoring for anomaly detection (for both security and safety).
• Highly efficient digital signal processing
• The growing complexity of modern sensor systems in the automotive and other domains demands highly efficient and scalable digital signal processing solutions. There is a clear need to develop a concept for architecture-independent, open-platform-based digital signal processing. This includes exploring how standardised, reusable DSP components and safety-compliant development and validation methodologies could be realised in a cohesive and adaptable framework. Measures for handling uncertainty in perception should be considered.
• Design and V&V for emerging technologies and technologies newly introduced into ECS design, including neuromorphic technologies, quantum technologies, chiplet technologies, flexible electronics, textile electronics, magnetic sensors, spintronic systems, etc.

In addition, there are two research topics requiring special attention. The first is the handling of uncertainty. The higher level of automatism – up to autonomy – of systems like cars and other transportation systems, medical machinery, production plants and many others, implies that the level of uncertainty that the system has to cope with also increases and has to be handled. This is mainly the case in perception, where the system ‘observes’ its surroundings with sensors. Despite long known and used techniques such as sensor fusion, there is always an inherent level of uncertainty as to the accuracy of the sensor data, which leads to ‘ghost artefacts’ – i.e. detection of objects that are nor there in reality, and non-detection of objects that are. The other source of uncertainty is typically in prediction, where the system needs to predict how its surroundings will evolve over time to adjust its own behaviour accordingly. A key research topic here is therefore the advancement of design methods and V&V techniques for handling these uncertainties, where recent approaches implementing and guaranteeing bounds of these uncertainties and have shown early success.

Second, the usage of Artificial Intelligence in Design and Validation promises a high potential for cost- and effort-efficiency, in a similar way as the use of AI in the systems themselves promises an increase in functionality of these systems (see the following key focus area).

The employment of AI-based methods and tools in all its facets – ML, AI, GenAI/LLM, Agentic, etc, promises huge increases in efficiency and effectiveness of engineering tasks on all levels of the design hierarchy, from Systems-of-Systems down to EDA.

Large Language Models are one of the most promising areas of generative AI. Theoretically LLMs can include the complete (published) knowledge on engineering tasks so that a designer should be able to automatically use this knowledge in their design. The idea is that once generative AI has learned enough structures and their functionalities, it should in principle be able to systematically assemble these structures at the transistor level, but also on higher levels such as systems— almost akin to formulating sentences – to realise certain functionalities. Therefore, EDA tools and similar design tools should have an interface to LLMs so that LLM output can be imported into the tools. LLMs should also be able to control tools and find the optimal parameter settings, and even solutions, for a given problem.

• The leading paradigms for AI-enabled design are replacing the intelligence of individuals with the collective intelligence of a relevant design community, including all published history.
• Replacing partly optimised design with systematically and holistically optimised design.
• Increasing R&D productivity by orders of magnitude.
• Full traceability and audit-complaint results.

This results in calls for action on the following priorities:

• Open-source high-quality training data for research on AI-enabled tools for ECS design.
• Multi-modal AI models supporting specific ECS engineering modalities beyond text-only, such as timing diagrams, schematics, etc.
• ECS design-specific benchmarks to assess the quality of AI-enabled design.
• Technologies ensuring completeness and correctness of AI-enabled design.
• Integration of AI (including generative AI) and AI-based tools into engineering and development processes on all levels of the design hierarchy to shorten development time, including metrics for the quantification of covered design space, etc.
• The key technologies here are Virtual Integration Platforms, Digital Twins and Digital Threads (see also Major Challenge 3 below), combined with ML/AI/GenAI/Agentic/AI-enabled Design Frameworks.
• Usage of AI and AI-based tools for V&V and development tasks.
• AI support for model identification, synthesis, improvement and parameterisation with measurement data (c.f. model-based design technologies above).
• Usage of AI techniques in Design and Validation imposes the additional challenge that these have to be either supervised (i.e. they need to be able to explain to their user, why and how they achieved the results they produced) or have to be validated themselves (‘Who validates the validator?’).

Integration of new V&V methods

The required changes of current design processes identified above, as well as the need to handle the new systems capabilities, also imply an extension of current V&V and test methods. First, safety cases for autonomous systems need to rely on an operational design domain (ODD) definition – i.e. characterisation of the use cases in which the system should be operated, as well as a set of scenarios (specific situations that the system might encounter during operation) against which the system has actually been tested. It is inherently impossible for an ODD to cover everything that might happen in the real world; similarly, it is extremely difficult to show that a set of scenarios cover an ODD completely. Autonomous systems must be able to detect during operation whether they are still working within their ODDs, and within scenarios equivalent to the tested ones. V&V methods have to be expanded to show correctness of this detection. Unknown or new scenarios must be reported by the system as part of the data collection needed for continuous development. The same reasoning holds for security V&V: attacks – regardless of whether they are successful or not – need to be detected, mitigated, and reported on. cf. Chapter 1.4 and Chapter 2.4)

Second, the need to update and upgrade future ECS-based systems implies the need to be able to validate and test those updates for systems that are already in the field. Again, corresponding safety cases have to rely on V&V methods that will be applied partly at design-time and partly at run-time, thereby including these techniques into continuous development processes and frameworks. For both of these challenges, energy- and resource-efficient test and monitoring procedures will be required to be implemented.

Third, V&V methods must be enhanced to cope with AI-based ECS (i.e. systems and components, in which part of the functionality is based upon Artificial Intelligence methods). This includes, among others, adding quality introspection techniques to AI-based algorithms – i.e. to Deep-Neural Networks (DNN) – and/or on-line evaluation of ‘distance metrics’ of input data with respect to test data, to enable computation of confidence levels of the output of the AI algorithm (compare to ‘Explainable AI’ in Chapter 2.1) as well as extending Systems Engineering methods – i.e. assurance case generation and argumentation lines – that leverages the added introspection techniques to establish an overall safety case for the system. In addition, generative AI methods based on LLMs or similar AI methods produce results based upon static dependencies and statistical heuristics. ‘Hallucionations’ – i.e. results that are possible but not aligned with factual reality – have to be identified and coped with, both to guarantee correctness and to avoid dependencies to (possible IP-protected) data used for learning.

Major Challenge 2: Enabling Competitive and Sustainable Design for Sustainability

Lifecycle-aware design optimisation is a collective term for procedures and methods that aim to design sustainable ECS. It comprises

• ‘Design for producability’ for designing ECS that can be produced resource-efficiently (i.e. with low consumption of energy and other resources), Note that this topic comprises a lot more than only thinking about production materials and changing them in a sustainable way. For example, in the Electric-/Electronic Architecture of cars, the recent change from using point-to-point communication lines between different computational units to installing more and more communication busses (i.e. common communication lines used by many computational units) resulted not only in using less copper wires, but also in a fundamental shift in communication patterns and protocols that influenced the complete design of the application software.
• ‘Design for recycling/reuse’, which is mostly concerned with the materials.
• ‘Design for reparability’, which comprises both architectural methods that enable or ease reparability of a system as well as design and management of spare parts.

All of them essentially face the same challenges, namely:

• Specification techniques for the corresponding requirements (of producibility, recycling/reuse and reparability).
• Requirement capturing.
• Implementation techniques for these requirements.
• Validation/Test methods for these requirements.
• Conflict resolution techniques for requirement (i.e. how to handle a situation in which, e.g., a safety requirement conflicts with a producibility requirement).

Especially for requirement capturing and validation methods, these techniques profit from data collection during production and operation, as described in Major Challenge 1 under “Lifecycle aware holistic design flows”, which enables a continuous design flow also for these aspects of the system.

Updates, with respect to the property to be ‘updateable’, has the potential of significantly increasing the lifetime of a product and thus increase its sustainability. An ‘Update’ of an ECS is a change in the functionality and/or in the realisation (implementation) of some functionality of an ECS. Updates can be done by exchanging components or modules of a (sub-)system and by exchanging (parts) of the software running on it. The former requires physical access to the product, which can be done during regular or additional maintenance services, while the latter can also be done ‘over the air’ only. There are three reasons for updates. The first is error correction, i.e. when an hitherto unknown functional error or a security hazard is detected, it can be corrected via an update. The second is performance or usability optimisation and variation. If a function in an ECS can be implemented in different ways – for example, engine control in a car can be done ‘smoothly’ or ‘sportively’ or in many other ways – then a change in the implementation can be realised by updates. Updates initiated by one of these two reasons alhave ready had a highly positive impact on sustainability. However, the main benefit for sustainability stems from the third reason for updates, which is adding functionality to an ECS already in use, thus avoiding replacement of the product in favour of ‘newer, better versions’. The main challenges for updates are, first, ensuring quality of the updated system. Taking safety as the major quality of an ECS again, it is difficult to analyse and guarantee all the existing safety properties of a system for the new, updated system, seeing that the updated system is already in operation and thus no longer available for physical tests. The second challenge lies in the fact that there are typically many – sometimes even thousands – of variants of a product in operation, and the update has to fit all of them and quality has to be assured for all of them. The third challenge mostly concerns over-the-air software updates, for which safe and secure deployment has to be guaranteed.

Testing and validation of ECS used to be a very energy consuming task, with hundreds and thousands of physical tests taking place not only with the final product (or a prototype thereof), but also with all subsystems, components and modules of the system. The setup, maintenance and operation of the various test environments were also highly resource-intensive. With the shift to virtual engineering, including the use of digital twins and virtual testing (c.f. Major Challenge 1), many physical tests can be avoided. However, the number of physical tests needed is still fairly large, and reducing their energy and resource consumption is still an important topic. In addition, virtual engineering itself requires energy for all the computers, servers, and simulation suites that are needed for it. Any technique that lowers power consumption for computers, servers, and clouds is therefore also beneficial here, as are methods that reduce the number of test cases needed for showing quality attributes.

The potential application area for ultra-low power electronic systems is very high due to the rapidly advancing miniaturisation of electronics and semiconductors, as well as the ever-increasing connectivity enabled by it. This ranges from biological implants, home automation, the condition-monitoring of materials to location-tracking of food, goods or technical devices and machines. Digital products such as radio frequency/radio frequency identification (RF/RFID) chips, nanowires, high-frequency (HF) architectures, SW architectures or ultra-low power computers with extremely low power consumption support these trends very well (see also appendix A on RISC-V). Such systems must be functional for extended periods of time with a limited amount of energy.

The ultra-low power design methods comprise the areas of efficiency modelling and low-power optimisation with given performance profiles, as well as the design of energy-optimised computer architectures, energy-optimised software structures or special low-temperature electronics (c.f. chapters 1.1, 1.2 and 1.3). Helpful here are system-level automatic DSE (design space exploration) approaches able to fully consider energy/power issues (e.g. dark silicon, energy/power/performance trade-offs) and techniques. The design must consider the application-specific requirements, such as the functional requirements, power demand, necessary safety level, existing communication channels, desired fault tolerance, targeted quality level, and the given energy demand and energy supply profiles, energy harvesting gains and, last but not least, the system’s lifetime.

Exact modelling of the system behaviour of ultra-low power systems and components enables simulations to compare and analyse energy consumption with the application-specific requirements so that a global optimisation of the overall system is possible. Energy harvesting and the occurrence of parasitic effects must also be taken into account.

Major Challenge 3: Managing complexity

Safety Assurance Cases are a commonly and successfully used method to show that a certain product possesses certain qualities (e.g. safety). Corresponding arguments for other qualities (like security, dependability, etc) are also being used.

Safety Assurance Cases consist of a set of Safety Cases or Safety Arguments. ISO 26262 states that “the purpose of a safety case is to provide a clear, comprehensive and defensible argument, supported by evidence, that an item is free from unreasonable risk when operated in an intended context’. According to the CAE principle, Safety Arguments comprise Claims, i.e. that the system fulfills a certain safety related requirement, and Arguments, i.e. an explanation – or proof – why a claim (or sub claim) is valid. Arguments, in turn, comprise sub-claims – for which in turn an argument is needed – or evidence, i.e. an analysis or test results or other findings from the implemented system that support the (sub-)claim.

Safety Assurance Cases remain a valid means for showing safety (or other qualities) of an ECS-based product. However, the following non-trivial extensions to the method are needed to be able to handle modern and future ECS-based products:

• ODD behaviour competencies: To construct safety cases, both the operational context as well as the functionality of the system needs to be specified. While there has been considerable advancement in describing operational context by ODDs (Operational Design Domains), including first standardisation activities, there still is a lot of room for further improvement. Behaviour Competencies, which are used to formally describe the systems functionality, are still further behind. Together these two concepts need to be extended by means to describe reduced functional behaviour and minimal risk manoeuvers.
• Handling of unknowns: Both the definition of the operational context as well as the functionality of the system will contain uncertainties and unknowns (c.f. Handling of Uncertainties in Major Challenge 1). To include these in the safety argument, statistical reasoning and/or three-valued logics need to be used.
• Quality metrics and guarantees: For highly automated (up to autonomous) systems, which may have part of their functionality implemented by Artificial Intelligence, it is sometimes infeasible to collect the evidence needed to support a certain (sub-)claim. For example, in the automotive sector for autonomous driving, test driving the number of miles required is infeasible. Sometimes, on the other hand, we do not even know what quality to measure or what guaranteed performance would be evidence to support a certain (sub-)claim. Again, as an example, for AI-based object detection we cannot infer how much training and how many tests are required to guarantee this property. The challenge here is to find quality Metrics and Guarantees that: (a) are sufficiently strong to support the safety argument; and (b) can be measured or analysed with the needed efficiency.

Design efficiency is a key factor for keeping and strengthening engineering competitiveness. Design and engineering in the virtual world using simulation techniques require increasingly efficient modelling methods of complex systems and components. Virtual design methodology will be boosted by these research topics:

• XIL-testing (X-in-the-loop, with X=model, system, software, hardware,.. incl. mixed-modes.
• XIL simulation techniques and tools, speed up of simulation, accuracy of simulation, multi-domain co-simulation.
• Efficient modelling, test and analysis for reliable, complex systems on different abstraction levels.
• Evaluation of architecture and design of the ECS SW/HW with real tests.

A second way to manage complexity is the complexity-related reduction of effort during the engineering process. Complexity generates most effort in test, and V&V, ensuring compatibility and proper behaviour in networking ECS. Consistent hierarchical design and architectures, and tool-based methods to design those architectures automatically, are needed. Advanced test methods with intelligent algorithms for test termination, as well as automated metrics for testability and diagnosis (including diagnosis during run-time), must be developed and installed. This includes the following research topics:

• Recommender-based guidance in V&V process for complex ECS systems.
• Automated generation of test cases from models/digital twins of ECS systems.
• Test coverage calculation by means of models and testcases (coverage-driven V&V).
• Minimising effort for V&V based on models, AI techniques.
• Advanced test methods, intelligent concepts for test termination, automated metrics/tools for testability, diagnosis, and extraction of diagnostic information.
• Methods and tools for consistent, hierarchical design, V&V and test.
• Energy- and resource-efficient test procedures and equipment.

Complexity, and also future complexity, is mainly influenced by the Architecture. Future architectures must support complex, highly connected ECS that use advanced computational methods and AI, as well as machine learning, which lead to a change of ECS over lifetime. Especially for AI (cf. Chapter 2.1), this includes support for V&V of the AI method, for shielding mechanisms and other forms of fault/uncertainty detention with respect to prevention of fault propagations, and for advanced monitoring concepts that allow deep introspection of components and modules as well as hierarchical ‘flagging’, merging and handling of monitoring results and detected anomalies. For this, reference architectures and platform architectures are required on all levels of the design hierarchy (for the system and SOS levels, see also the challenges “Open SoS architecture and infrastructure”, “SoS interoperability” and related challenges in Chapter 1.4 on System of Systems).

An additional focus of Architecture exploration and optimisation must be architectures that ease the necessary efforts for analysis, test, V&V and certification of applications. Hierarchical, modular architectures that support a divide-and-conquer approach for the design and integration of constituent modules with respect to subsystems have the potential to reduce the demand for analysis and V&V (“correct by design” approach). As integration platforms, they have to ensure interoperability of constituent ECS. For the Architecture exploration and optimisation itself, AI-based methods are needed to achieve a global optimum. Overall, holistic design approaches and tools for architectures of multi-level/multi-domain systems are the goal.

Apart from the benefits that reference architectures and platforms have at a technological level, they are also important economically. As integration platforms for solutions of different vendors, they serve as a focal point for value chain-based ecosystems, enabling Digital Threads for data exchange along those value chains. Once these ecosystems reach a certain size and market impact, the platforms can serve as the basis for corresponding “platform economies” (cf. Major Challenge “Open SoS architecture and infrastructure” in Chapter 1.4). Thus, the following research topics are key:

• Architecture exploration and optimisation, including multi-aspect optimisation (e.g. safety, security, comfort, functionality,…) and AI based optimisation methods.
• Architectures supporting advanced computation methods (AI, advanced control, etc).
• Methods and architectures for SDVs (software defined vehicles): The evolution toward SDVs introduces complex demands on SoC architectures, driven by diverse processor IP and stringent requirements for safety, scalability, and long-term viability. However, current design methodologies fall short in addressing these challenges holistically, and there is a pressing need for systematic evaluation methods and structured architecture exploration. The envisioned development framework aims to enable SDV-optimised SoC designs, foster standardisation within the RISC-V ecosystem, and integrate fault-tolerant mechanisms to ensure functional safety in future automotive applications.
• Architectures and tools for non von-Neumann and neuromorphic computing.
• Architectures supporting self-awareness, health and environment monitoring on all levels of the design hierarchy.
• Platform and middleware architectures, also for extremely distributed, multi-layered SoS and IoT applications.
• Reference architectures for continuous system improvement, i.e. across evolving system generations.
• Architectures for V&V and certification, including automatic evaluation of computation and deployment decisions (i.e. on chip, edge, fog, cloud).
• Modular and evolvable/extendable architectures (supporting traceability of evolution, also supporting modular updates, replacement and recycling for a circular economy.
• (SW-HW) architecture mapping (including resource mapping and tracing (communication, scheduling, etc), such as requirement matching and tracing.
• Methods and tools to support Design and Validation for new Architectures, e.g.:
• The transition to electric mobility demands compact and highly efficient 48V E/E architectures at the ASIC level. However, existing solutions are not yet sufficient to fully address challenges such as thermal management, EMC, and subsystem integration. There is a need to explore and develop robust, system-oriented design strategies that could meet the performance, efficiency, and reliability requirements of future vehicles. The aim is to investigate how optimised power management and communication architectures might form the basis for scalable platforms and the integration of emerging technologies.

All the above topics need to be examined and developed in conjunction with corresponding changes in design and validation tools (‘Design for Target Architectures’, ‘Design for (virtual) platforms’) to leverage the complexity reduction they offer.

Major Challenge 4: Managing diversity

The area of multi-objective optimisation of components, systems and software running on SoS comprises integrated development processes for application-wide product engineering along the value chain (cf. Part 1 and appendix A on RISC-V). It also concerns modelling, constraint management, multi-criteria, cross-domain optimisation and standardised interfaces. This includes the following research topics:

• Consistent and complete Co-Design and integrated simulation of IC, package and board in the application context.
• Methods and tools to support multi-domain designs (i.e. electronic/electric and hydraulic, Mechatronics Integration, MEMS,…) and multi-paradigm designs (different vendors, modelling languages, …) and HW/SW co-design.
• Advanced Design Space Exploration and iterative Design techniques, including multi-aspect optimisation (performance vs. cost vs. space vs. power vs. reliability).
• Modular design of 2.5 and 3D integrated systems and chiplets and flexible substrates.
• Integration of III-IV materials and MEMS (c.f. 1.1 and 1.2).

The area of modelling, analysis, design, integration and testing for heterogeneous systems considering properties, physical effects and constraints comprises the following methods and tools, which all need to take into account aspects of chiplet technology:

• Methods and tools for the design, modelling and integration of heterogeneous systems (including chiplet technology).
• Hierarchical methods for hardware/software co-simulation and co-development of heterogeneous systems (multi-scale, multi-rate modelling and simulation).
• Modelling methods to take account of operating conditions, statistical scattering and system changes.
• Hierarchical modelling and early assessment of critical physical effects and properties from SoC up to system level.
• Analysis techniques for new circuit concepts and special operating conditions (voltage domain check, especially for startup, floating node analysis ...).

The area of automation of analogue and integration of analogue and digital design methods comprises the following research topics:

• Metrics for analogue/mixed signal (AMS) testability and diagnostic efficiency (including V&V & test).
• Harmonisation of methods and tooling environments for analogue, RF and digital design.
• Automation of analogue and RF design – i.e. high-level description, synthesis acceleration and physical design, modularisation and the use of standardised components.

The area of connecting the virtual and physical worlds of mixed domains in real environments is about the following research topics:

• Advanced analysis considering the bi-directional connectivity of the virtual and physical world of ECS and its environment (including environmental modelling, multimodal simulation, simulation of (digital) functional and physical effects, emulation and coupling with real, potentially heterogenous, hardware, and integration of all of these into a continuous design and validation flow for heterogeneous systems, cf. Major Challenge 1 and 2 above).
• Novel More-than-Moore design methods and tools.
• Models and model libraries for chemical and biological systems for advanced/emerging technologies such as for spintronics, photonics, etc.