
Insight: ATRIUM -- Architecting Under Uncertainty for ISO 26262 compliance


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Business Continuity Management (BCM), identifies a critical parallel between automotive functional safety architecture and ISO 22301 compliance: organizations that fail to formally manage the assumptions behind their architectural decisions — whether designing fail-safe systems for autonomous vehicles or building Business Continuity Plans (BCP) — will face the same outcome when those assumptions collapse under real-world pressure. The ATRIUM process, validated at Scania CV AB, one of Europe's largest heavy vehicle manufacturers, demonstrates that systematic assumption management is not optional; it is the hidden foundation of any credible resilience framework.

Paper Citation: ATRIUM -- Architecting Under Uncertainty for ISO 26262 compliance (Naveen Mohan, Per Roos, Johan Svahn, IEEE Annual Systems Conference, SYSCON 2017)
Original Paper: https://doi.org/10.1109/SYSCON.2017.7934819


About the Authors and This Research

This paper was co-authored by Naveen Mohan, Per Roos, and Johan Svahn, and presented at the IEEE Annual Systems Conference (SYSCON 2017). As of publication, the paper has been cited 8 times. Naveen Mohan holds an h-index of 3 with 30 cumulative citations; Per Roos holds an h-index of 2 with 45 cumulative citations. Both researchers have a sustained focus on embedded systems safety architecture and functional safety standard compliance.

What distinguishes this research from purely theoretical work is its industrial grounding. The ATRIUM process was not developed in a laboratory — it was conceived, tested, and institutionalized at Scania CV AB, one of the largest heavy commercial vehicle manufacturers in Europe, in the context of a real engineering project for highly automated driving functions. The research team worked directly within Scania's development process, confronting the messy realities of incomplete legacy system documentation, evolving cross-functional requirements, and regulatory compliance pressure under ISO 26262. The paper ultimately describes how ATRIUM was institutionalized at Scania — meaning the organization adopted it as a standard practice — a benchmark that very few academic proposals achieve.

A transparent note for readers: this paper's primary standard is ISO 26262, the automotive functional safety standard, not ISO 22301, the international standard for Business Continuity Management Systems (BCMS). Winners Consulting Services Co. Ltd. selected this paper because the core problem it solves — how to make consistent, auditable architectural decisions when critical information is unavailable — is structurally identical to what Taiwan enterprises face when building BCM frameworks, setting RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets, and preparing for ISO 22301 certification audits. The cross-domain transfer analysis that follows is the editorial contribution of Winners' BCM consulting team.

The Core Insight: When Assumptions Collapse, Plans Fail

Bottom line first: The ATRIUM study proves that the quality of a safety or resilience architecture is determined not by the quality of the decisions made, but by the quality of the assumptions those decisions rest upon — and whether those assumptions are formally managed.

ISO 26262 requires engineers to define Preliminary Architectural Assumptions (PAA) during the Functional Safety Concept (FSC) sub-phase, in order to allocate Functional Safety Requirements (FSRs) to system components. The challenge is fundamental: in the early design phases, many critical inputs simply do not exist. Legacy system capability boundaries are unknown. New technology failure modes are unverified. Cross-departmental requirements are still being negotiated. Engineers at Scania were making PAA decisions under genuine uncertainty — and without a consistent process for doing so.

The research team found that Scania's pre-ATRIUM approach lacked a unified method for generating and managing the PAA. Different engineers made inconsistent assumptions about the same system boundaries. The rationale behind architectural decisions was captured informally, if at all. When compliance auditors or new team members needed to understand why a particular safety requirement was allocated to a particular system component, the answer was difficult or impossible to reconstruct. This is not a niche engineering problem — it is the same challenge that appears in every ISO 22301 BCP audit where the evaluator asks: "Why is your RTO for this critical process set at 4 hours? What evidence supports that figure?"

Core Finding 1: Assumption Management as a First-Class Compliance Artifact

ATRIUM's most foundational contribution is elevating "assumptions" from an informal engineering habit to a formally managed artifact. The process requires practitioners to explicitly state: what the assumption is, what information it is based on, and under what conditions it must be revisited. The Scania case study showed that after ATRIUM adoption, teams could refine the PAA faster and more consistently, and every decision point had a traceable documentation chain. Auditors could reconstruct the complete decision logic without interviewing the original design engineers. This is precisely what ISO 22301 Clause 8.3 (Business Impact Analysis) and Clause 8.4 (Business Continuity Strategies) demand — that every critical decision in a BCP be traceable, justified, and auditable. Organizations that skip the assumption layer fail this test routinely.

Core Finding 2: Legacy System Integration Cannot Be Deferred

ATRIUM's second major finding is that legacy systems must be formally incorporated into safety architecture from the earliest design phases. At Scania, the highly automated driving function had to coexist with existing Electronic Control Units (ECUs) designed for earlier-generation vehicles. These legacy components had safety characteristics that were not designed with the new system in mind — yet their capabilities and limitations were unavoidable inputs to any realistic PAA. ATRIUM provided a formal mechanism for capturing "known characteristics" and "unknown risks" of legacy systems as explicit, documented assumptions within the architecture framework. For Taiwan enterprises building BCM frameworks, this maps directly to a chronic blind spot: legacy ERP systems, outdated IT infrastructure, and process steps that exist only in the tacit knowledge of senior employees are frequently absent from BCP documentation — and are precisely the elements that cause plans to fail during actual disruptions.

Three BCM Implications for Taiwan Enterprises

Bottom line first: The most dangerous gap in Taiwan enterprise BCM is not the absence of a plan — it is the presence of a plan built on undocumented, unvalidated assumptions.

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) has observed the following three patterns consistently across BCM engagements with Taiwan enterprises:

Pattern 1: RTO/RPO figures are set without documented assumptions. In most Taiwan enterprises, Recovery Time Objectives and Recovery Point Objectives are determined through management intuition or IT department estimates, rather than through quantified BIA methodology. More critically, the assumptions embedded in these figures — "assumes the backup data center restores connectivity within 4 hours," "assumes the critical supplier can deliver substitute materials within 24 hours" — are never formally recorded. When these assumptions fail during an actual incident, the entire BCP collapses. ATRIUM's assumption management methodology provides an immediately transferable solution framework.
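To make the assumption-management idea from Core Finding 1 and Pattern 1 concrete, here is an added illustration in Python of a minimal assumption register. It is not ATRIUM's artefact format and not code from the paper, from Scania, or from Winners Consulting; every identifier, statement, date and hour figure in it is constructed. Each RTO decision is linked to named assumptions, each assumption records what it states, what evidence it rests on and when it must be revisited, and the register can both reconstruct the decision chain an auditor would ask for and flag the weak links the text describes: undocumented or unvalidated assumptions, assumptions past their review date, assumptions absent from the register, and dependency times that make the stated RTO infeasible.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Assumption:
    """One explicitly managed assumption behind a BCP decision (illustrative schema)."""
    id: str
    statement: str
    basis: str                              # evidence it rests on; "" means undocumented
    revisit_when: str                       # condition under which it must be re-examined
    assumed_hours: Optional[float] = None   # quantified bound the statement makes, if any
    review_by: Optional[date] = None        # hard deadline for re-validation
    validated: bool = False                 # has the basis actually been tested or confirmed?


@dataclass
class Decision:
    """A BCP decision such as an RTO target, with the assumption ids it rests on."""
    id: str
    description: str
    target_hours: float
    depends_on: list[str] = field(default_factory=list)


class AssumptionRegister:
    def __init__(self) -> None:
        self.assumptions: dict[str, Assumption] = {}
        self.decisions: dict[str, Decision] = {}

    def add_assumption(self, a: Assumption) -> None:
        self.assumptions[a.id] = a

    def add_decision(self, d: Decision) -> None:
        self.decisions[d.id] = d

    def trace(self, decision_id: str) -> list[str]:
        """Reconstruct the decision chain without interviewing the original author."""
        d = self.decisions[decision_id]
        lines = [f"{d.id}: {d.description} (target {d.target_hours:g}h)"]
        for aid in d.depends_on:
            a = self.assumptions.get(aid)
            if a is None:
                lines.append(f"  {aid}: <assumption not in register>")
                continue
            lines.append(f"  {a.id}: {a.statement} | basis: {a.basis or '<none>'}"
                         f" | revisit when: {a.revisit_when}")
        return lines

    def findings(self, today: date) -> list[tuple[str, str, str]]:
        """Return (decision_id, assumption_id, finding) for every weak link."""
        out: list[tuple[str, str, str]] = []
        for d in self.decisions.values():
            for aid in d.depends_on:
                a = self.assumptions.get(aid)
                if a is None:
                    out.append((d.id, aid, "missing"))      # decision cites an unrecorded assumption
                    continue
                if not a.basis:
                    out.append((d.id, aid, "undocumented"))  # no evidence recorded
                if not a.validated:
                    out.append((d.id, aid, "unvalidated"))   # evidence never tested
                if a.review_by is not None and a.review_by < today:
                    out.append((d.id, aid, "expired"))       # revisit deadline passed
                if a.assumed_hours is not None and a.assumed_hours > d.target_hours:
                    out.append((d.id, aid, "infeasible"))    # dependency slower than the RTO
        return out

    def exposure(self, assumption_id: str) -> list[str]:
        """Which decisions collapse if this single assumption fails?"""
        return [d.id for d in self.decisions.values() if assumption_id in d.depends_on]


# Constructed review date for the sample run; not a real audit date.
REVIEW_DATE = date(2025, 6, 1)


def build_sample_register() -> AssumptionRegister:
    """Constructed sample data; figures are illustrative, not from any real BIA."""
    reg = AssumptionRegister()
    reg.add_assumption(Assumption(
        "A1", "Backup data centre restores connectivity within 4 hours",
        basis="DR failover exercise record (constructed)",
        revisit_when="network provider or DR site changes",
        assumed_hours=4, review_by=date(2030, 1, 1), validated=True))
    reg.add_assumption(Assumption(
        "A2", "Critical supplier delivers substitute materials within 24 hours",
        basis="", revisit_when="supplier contract renewal", assumed_hours=24))
    reg.add_assumption(Assumption(
        "A3", "Senior operator available to run the legacy batch step manually",
        basis="verbal confirmation (constructed)", revisit_when="staff change in operations",
        review_by=date(2020, 1, 1), validated=True))
    reg.add_decision(Decision("D1", "RTO for order processing", 4, ["A1"]))
    reg.add_decision(Decision("D2", "RTO for production line", 8, ["A2", "A3", "A9"]))
    return reg


def audit_sample() -> list[tuple[str, str, str]]:
    """Run the weak-link check over the constructed register as of REVIEW_DATE."""
    return build_sample_register().findings(REVIEW_DATE)


if __name__ == "__main__":
    reg = build_sample_register()
    print("\n".join(reg.trace("D2")))
    for finding in reg.findings(REVIEW_DATE):
        print(finding)
```

In the sample run D1 produces no findings, while D2 is flagged five times: its supplier assumption is undocumented, unvalidated and (at 24 hours) cannot support an 8-hour RTO, the tacit-knowledge assumption about the senior operator is past its review date, and one cited assumption was never recorded at all. The `exposure` query answers the reverse question an incident reveals too late: which decisions fall with a given assumption.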

Pattern 2: ISO 22301 BIA documentation does not reflect actual business architecture assumptions. If the prioritization, critical resource identification, and dependency analysis in a BIA report are built on outdated or unverified assumptions, the document will fail the "consistency between documentation and operational reality" test in ISO 22301 certification audits. The Scania case demonstrated that after ATRIUM-style assumption tracking was implemented, documentation quality improved significantly,
