Mission success with components not as good as new

Winfrid G. Schneeweiss
Computer Engng, Fern University, D-58084 Hagen, Germany

Reliability Engineering and System Safety 52 (1996) 45-53. © 1996 Elsevier Science Limited. Printed in Northern Ireland. All rights reserved. 0951-8320/96/$15.00. 0951-8320(95)00127-1

(Received 29 May 1995; accepted 8 November 1995)

It is shown how the probability of mission success can be determined for cases of components which are not as good as new at the beginning of a mission and are not repaired during the mission. After a short definition of the appropriate conditional distribution functions of component lives, a few typical examples of plausible missions for redundant systems are discussed. Among these are some that are time-critical or, concerning flights, space-critical. Since only (advanced) probabilistic reasoning is used, there are no limitations as to the types of life distributions. © 1996 Elsevier Science Limited.

1 INTRODUCTION

In introductory textbooks,$^{1-3}$ traditionally, only the cases of non-repaired or of regularly repaired, as-good-as-new components $C_1, \ldots, C_n$ are considered. The systems are supposed to be 'useful' from some initial time to the moment of investigation or to any future time, as far as a stationary state could be maintained. Additionally, sometimes also cases of (mostly short) random demands are modeled. It appears that the case of relatively short missions without possibilities for repairs (except for the switching-in of spares) with components of different age at mission start has not yet been studied to appropriate depth and/or generality. Yet such missions, typically flights of aircraft or discontinuous production processes, possibly with engines of different age, are not so exceptional. This is true even when considering a few related concepts in Ref. 8. Interesting ideas on the classification of life distributions in the context of aging can be found in Ref. 9. In Ref. 10 aging is discussed for repaired and maintained systems. It should be noted that in the systems to be discussed here, the redundancy structure, i.e., the kind of fault tolerance and the kind of standby, i.e., hot or cold standby, are not the only characteristics of major importance. Rather, the specific mission profile will attract foremost attention. Clearly, the spectrum of mission profiles that are going to be discussed here is limited. Yet there is some hope that some not only meaningful but really important examples were chosen, which would need only minor adjustments to be useful in real life. (Clearly, modern engineering systems tend to be composed of many components. But we feel that even 'small' systems are not fully understood at this time.)

The rest of this paper is organized as follows. In Section 2 the conditional distribution density of a component's life, which has been active for $t_0$ units of time on mission start, is derived and discussed. In Sections 3 and 4, systems or, rather, missions tolerating 1 and 2 faulty components, respectively, are investigated. In Section 5 a general approach, also useful for bigger systems, is outlined. (Sections on conclusions, an appendix and the list of references follow.)

2 LIFE TIME DISTRIBUTION OF A 'USED' UNIT

Let the (cumulative) distribution function, $F_i$, of the life (time), $L_i$, of component $i$, $C_i$, be the probability (P)

$$F_i(t) = P(L_i \le t), \tag{1}$$

with $f_i(t)$ the associated probability density function (pdf), and $\bar F_i = 1 - F_i$ the survivor function. Then, if at some initial (zero) point of counting time of usage ('mission' time) $C_i$ has already been used for $t_{0i}$ units of time, the pdf of time to failure at $t$ (counted from mission start) is

$$f_i(t, t_{0i}) = f_i(t + t_{0i}) / \bar F_i(t_{0i}). \tag{2}$$

(Here $t$ is the time counted from mission start, but it could be termed 'residual' lifetime as well.) This is clear by the definition of conditional probability,

$$P(a \mid b) = P(a \cap b) / P(b), \tag{3}$$

for the events $a = \{t_{0i} + t < L_i \le t_{0i} + t + \Delta t\}$ and $b = \{L_i > t_{0i}\}$, where both $P(a \mid b)$ and $P(a \cap b)$ have been divided by $\Delta t$ and the passage $\Delta t \to 0$ has been performed. Notice that here $a \cap b = a$ and that the normation condition

$$\int_0^\infty f_i(t, t_{0i})\,dt = 1 \tag{4}$$

is fulfilled. Integrating (2) from $t$ to $\infty$ gives the survivor function of the 'used' component, $\bar F_i(t, t_{0i}) = \bar F_i(t + t_{0i}) / \bar F_i(t_{0i})$, which is the form used in all mission success probabilities below.

2.1 Exponential case of pdf of 'used' $C_i$

As a typical characteristic of exponentially distributed life, eqn (2) yields for

$$f_i(t) = \lambda \exp(-\lambda t) \tag{5}$$

the well-known 'memorylessness'

$$f_i(t, t_{0i}) = \lambda \exp[-\lambda (t + t_{0i})] / \exp(-\lambda t_{0i}) = \lambda \exp(-\lambda t) = f_i(t). \tag{6}$$

Hence, in this paper, only the non-exponential case is of real interest as far as the $t_{0i}$ are concerned. Let us inspect a very simple example!

2.2 Rectangular case of pdf of 'used' $C_i$

In the case that $f_i(t) = c$; $0 \le t \le 1/c$ (and 0 elsewhere), we have by (2)

$$f_i(t, t_{0i}) = c / (1 - c\, t_{0i}); \quad 0 \le t \le 1/c - t_{0i}. \tag{7}$$

Note that in cases of a (deterministic) mission time $T_M$, $\bar F_i(T_M, t_{0i}) = P\{C_i \text{ survives the mission}\}$. Hence, for any fault tolerant $n$ components system, the mission success probability, $P_M$, is in case of

1. hot standby:

$$P_{M,h} = \prod_{i=1}^{n} \bar F_i(T_M, t_{0i}) \times \Big[1 + \sum_{i=1}^{n} F_i(T_M, t_{0i}) / \bar F_i(T_M, t_{0i})\Big] + \ldots, \tag{8}$$

where the dots represent terms concerning cases of certain multiple component failures;

2. cold standby, with $C_1, \ldots, C_m$ the components used initially:

$$P_{M,c} = \prod_{i=1}^{m} \bar F_i(T_M, t_{0i}) + \sum_{i=1}^{m} \int f_i(t, t_{0i}) \ldots\,dt + \ldots, \tag{9}$$

where the integral (with limits to be discussed below) covers the cases of failure of $C_i$.

3 SYSTEMS WITH MISSIONS TOLERATING A SINGLE FAULT AT LEAST PARTLY

In this section we discuss systems where mission failure is due to the failure of, at most, two components. This means that strict single-fault tolerance is not always guaranteed. In order not to overburden this section, we restrict the presentation to systems with 2 and 3 components, where the traditional classification of the m-out-of-n:G system type will not always make sense.

3.1 Two-component systems with redundancy

3.1.1 Living up to the end of mission time

As an introductory example we study the 'classical' 1-out-of-2:G case, where at least one component has to be 'alive' from $t = 0$ to $t = T_M$, when the mission ends. Then for

1. hot standby, by elementary probabilistic reasoning (product rule and law of total probability) the probability of mission success is

$$P_{M,h} = 1 - F_1(T_M, t_{01}) F_2(T_M, t_{02}) = \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_2(T_M, t_{02})\,dt + \int_0^{T_M} f_2(t, t_{02}) \bar F_1(T_M, t_{01})\,dt, \tag{10}$$

where the last form is useful for comparison with the following,

2. cold standby of $C_2$ for $C_1$, where the typical convolution is well known:$^{1-3}$

$$P_{M,c} = \bar F_1(T_M, t_{01}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_2(T_M - t, t_{02})\,dt. \tag{11}$$

In the case where a switch ($C_3$) for activating the standby component $C_2$ (at $t$) has to survive the first $t$ units of mission time, clearly, instead of (11):

$$P_{M,c} = \bar F_1(T_M, t_{01}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_3(t, t_{03}) \bar F_2(T_M - t, t_{02})\,dt. \tag{12}$$

In the sequel we assume that switches are ideally reliable; otherwise see Ref. 3. Now we discuss a few plausible cases of constraints.

3.1.2 Finishing work W

Now, imagine the system has to do a (fixed) amount of work, i.e., produce a quantity $W$ of goods, calculate a file $W$ of useful data, etc. Let $w_i$ be the working

capacity, i.e., work performed per unit of time, by $C_i$. Then, if parallel work of both components makes sense, the probability of mission success is determined as follows.

1. For hot, 'collaborating' standby, for a minimal mission time $T_m$ defined by

$$(w_1 + w_2)\, T_m = W \;\Rightarrow\; T_m = \frac{W}{w_1 + w_2}, \tag{13}$$

we have as the probability of mission success (in case of no or at most a single failure prior to $T_m$, respectively):

$$P_{M,h} = \bar F_1(T_m, t_{01}) \bar F_2(T_m, t_{02}) + \int_0^{T_m} \big\{ f_1(t, t_{01}) \bar F_2[t + \alpha_2(t), t_{02}] + f_2(t, t_{02}) \bar F_1[t + \alpha_1(t), t_{01}] \big\}\,dt, \tag{14}$$

where the functions $\alpha_i(t)$ follow from the constraint of finishing $W$, i.e., from

$$t (w_1 + w_2) + \alpha_i(t)\, w_i = W, \tag{15}$$

since up to $t$ the system's work intensity is $w_1 + w_2$, and thereafter it is $w_i$. Specifically, for insertion in (14):

$$\alpha_1(t) = \frac{W}{w_1} - \Big(1 + \frac{w_2}{w_1}\Big) t \;\Rightarrow\; t + \alpha_1(t) = \frac{W - w_2 t}{w_1}, \tag{16}$$

$$\alpha_2(t) = \frac{W}{w_2} - \Big(1 + \frac{w_1}{w_2}\Big) t \;\Rightarrow\; t + \alpha_2(t) = \frac{W - w_1 t}{w_2}. \tag{17}$$

Note that $t + \alpha_i(t)$ is the minimum life time of $C_i$. It is found to be the rest of the work (to be done by $C_i$) divided by the work intensity of $C_i$. Inside of the integration interval $(0, T_m)$ the argument $t + \alpha_i(t)$ of $\bar F_i$ cannot become negative, since $T_m < W/w_1, W/w_2$, where $t + \alpha_i(t) = 0$.

2. For cold standby, where $C_1$ 'tries' to do $W$ alone such that $w_1 T_M = W$:

$$P_{M,c} = \bar F_1(T_M, t_{01}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_2\Big(\frac{W - w_1 t}{w_2}, t_{02}\Big)\,dt, \tag{18}$$

where, obviously, $W - w_1 t$ is the rest of the work left to $C_2$ on an (early) failure of $C_1$ at $t$. Even though the integrands of (18) and of the first line of (14) are the same, the times for work completion are different; viz., on a failure of $C_1$ at $t$: $t + \alpha_2(t)$ for hot standby, and $2t + \alpha_2(t)$ for cold standby.

With equal (identical) components, all of them run for $t_0$ units of time before mission start, we have the following plausible results. For

1. hot standby, by (14), (17):

$$P_{M,h} = [\bar F(T_m, t_0)]^2 + 2 \int_0^{T_m} f(t, t_0) \bar F(2T_m - t, t_0)\,dt, \tag{19}$$

2. cold standby, by (18):

$$P_{M,c} = \bar F(2T_m, t_0) + \int_0^{2T_m} f(t, t_0) \bar F(2T_m - t, t_0)\,dt. \tag{20}$$

Notice that, in the above, the notion of hot standby is, perhaps, not adequate. One could also speak of a 2-phased mission with 2 and 1 component(s) working in the first and second phase, respectively. Now it is shown that there are meaningful examples of $T_M$ and $\alpha_i(t)$ of (14) to be defined differently from (13) and (15), respectively.

3.1.3 Aircraft landing at a 'safe' place

(This was discussed amply, even though with minor errors, in Ref. 5.) Imagine that at any moment $t$ of a flight with a 2-engine aircraft (being a 1-out-of-2:G system with hot standby) the distance $D(t)$ to the nearest 'safe' landing place (auxiliary runway) is known. Then, similar to (14), with $T_M$ for the nominal mission time flown at speed $v_M$, and $v_i$ for the speed flown with engine $i$ only, the mission success probability is

$$P_{M,h} = \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) + \int_0^{T_M} \big\{ f_1(t, t_{01}) \bar F_2[t + D(t)/v_2, t_{02}] + f_2(t, t_{02}) \bar F_1[t + D(t)/v_1, t_{01}] \big\}\,dt. \tag{21}$$

In the 'uncomfortable' case of only the starting and the regular destination airports being 'safe' we have, disregarding winds,

$$D(t) = \min\{v_M t,\; v_M T_M - v_M t\}, \tag{22}$$

and for a correct flight, i.e., for one reaching its destination (even though not on time), simply

$$D(t) = v_M T_M - v_M t.$$

Notice that our worldwide experience of many flights shows that, except in cases of war or massive terrorism, the last $P_{M,h}$ is almost 1.

3.1.4 Finishing work timely

It sometimes happens that on a component failure the rest of the work cannot be done quickly enough, such that work $W$ is finished too late. Specifically, let

$$T_{max} > T_m, \tag{23}$$

where $T_m$ is defined by (13), be the maximum time

allowed for the mission, but at least one component failure must not occur too early, lest the surviving component $C_i$ would fail to finish $W$ timely. Extending (23) we choose

$$T_m = \frac{W}{w_1 + w_2} < T_{max} < \frac{2W}{w_1 + w_2} = 2T_m. \tag{23a}$$

$T_{max} < T_m$ makes no sense, since then $W$ cannot be done. For $T_{max} > 2T_m$ there is no very strict time constraint, since we would allow for more than 100% extra time. Now, by (14), with $\alpha_1(t)$ from (16), $\alpha_2(t)$ from (17):

$$P_{M,h} = \bar F_1(T_m, t_{01}) \bar F_2(T_m, t_{02}) + \int_{\max\{0,\, T_{m,2}\}}^{T_m} f_1(t, t_{01}) \bar F_2[t + \alpha_2(t), t_{02}]\,dt + \int_{\max\{0,\, T_{m,1}\}}^{T_m} f_2(t, t_{02}) \bar F_1[t + \alpha_1(t), t_{01}]\,dt, \tag{25}$$

where $T_{m,i}$ is defined by

$$T_{m,i} + \alpha_i(T_{m,i}) = T_{max}, \tag{24}$$

such that for $i = 1$, by (16), i.e., for $C_2$ failing first,

$$\frac{W - w_2 T_{m,1}}{w_1} = T_{max} \;\Rightarrow\; T_{m,1} = \frac{W - w_1 T_{max}}{w_2}, \tag{26}$$

and for $i = 2$, by (17), i.e., for $C_1$ failing first,

$$\frac{W - w_1 T_{m,2}}{w_2} = T_{max} \;\Rightarrow\; T_{m,2} = \frac{W - w_2 T_{max}}{w_1}. \tag{27}$$

Clearly, for positive $T_{m,1}$ the last integral in (25) makes sense only as long as $T_{m,1} < T_m$. Check: by (26) and (13),

$$T_{m,1} = \frac{T_m (w_1 + w_2) - w_1 T_{max}}{w_2} = T_m + \frac{w_1}{w_2}(T_m - T_{max}) < T_m \tag{27a}$$

by (23), q.e.d. (The proof of $T_{m,2} < T_m$ is obvious from the above.) Basically, $T_{m,1}$ and $T_{m,2}$ make sense only for positive values. Since by (15) $\alpha_i(t)$ is monotonously falling, we would have by (26) for $0 < t < T_{m,1}$: $t + \alpha_1(t) > T_{max}$, violating the time constraint, such that the lower integration limits in (25) must not be 0 as in (14). However, by (24), $T_{m,1}$ or $T_{m,2}$ can also be negative, in which case 0 should be the lower integration limit.

In case of cold standby, assuming that $T_{max} > W/w_1$, such that $C_1$ can finish $W$ on time, if it lives long enough, by (18):

$$P_{M,c} = \bar F_1(W/w_1, t_{01}) + \int_{T'_{m,2}}^{W/w_1} f_1(t, t_{01}) \bar F_2\Big(\frac{W - w_1 t}{w_2}, t_{02}\Big)\,dt, \tag{28}$$

where

$$T'_{m,2} = \frac{W - w_2 T_{max}}{w_1 - w_2} > 0 \tag{29}$$

follows from the fact that the sum of the arguments in the integrand, viz. $t + (W - w_1 t)/w_2$, must not surpass $T_{max}$. For $t = 0$ it equals $W/w_2 > T_{max}$; for $t > 0$ it decreases until it equals $T_{max}$ at $T'_{m,2}$, remaining below $T_{max}$ thereafter. Check: in (25) and (28) both factors of the integrands have arguments such that for any (allowed) $t$ the joint work performed is $W$. Furthermore, it is readily verified that for $T_{max} > W/w_1$, we have $T'_{m,2} < W/w_1$.

For equal components, when $w_1 = w_2 = w$, we have for hot standby, see (13), (25), (26):

$$P_{M,h} = [\bar F(T_m, t_0)]^2 + 2 \int_{2T_m - T_{max}}^{T_m} f(t, t_0) \bar F(2T_m - t, t_0)\,dt. \tag{30}$$

For cold standby, (28) is useless, since for $w_1 = w_2$, by (29), $T'_{m,2}$ diverges. Only (20) makes sense, where $T_{max}$ is irrelevant.
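The 1-out-of-2:G formulas of Sections 3.1.1, 3.1.2 and 3.1.4 evaluated numerically, as an added example that is not part of the paper: eqn (2) supplies the residual-life pdf and survivor function of a 'used' component, and (10)-(12), (14)-(18) and (25) are integrated by a midpoint rule. The Weibull life model, the ages, work rates and deadline are constructed values, and all function names are this example's own.

```python
import math

# Added example, not from the paper: 1-out-of-2:G mission success with components
# of different age at mission start (Sections 3.1.1, 3.1.2, 3.1.4).  Every
# parameter value below is constructed for illustration.

def integrate(g, a, b, n=400):
    """Midpoint rule on [a, b]; 0 for an empty interval (b <= a)."""
    if b <= a:
        return 0.0
    h = (b - a) / n
    return sum(g(a + (k + 0.5) * h) for k in range(n)) * h

class Component:
    """Component C_i with as-new pdf/cdf (f, F) and age t0 at mission start."""
    def __init__(self, pdf, cdf, t0=0.0):
        self.pdf, self.cdf, self.t0 = pdf, cdf, t0

    def f(self, t):
        """Eqn (2): residual-life pdf f_i(t, t0) = f_i(t + t0) / Fbar_i(t0)."""
        return self.pdf(t + self.t0) / (1.0 - self.cdf(self.t0))

    def surv(self, t):
        """Fbar_i(t, t0) = P{C_i survives t further units | it survived t0}."""
        return (1.0 - self.cdf(t + self.t0)) / (1.0 - self.cdf(self.t0))

def exponential(lam):
    return (lambda t: lam * math.exp(-lam * t) if t >= 0 else 0.0,
            lambda t: 1.0 - math.exp(-lam * t) if t >= 0 else 0.0)

def weibull(scale, shape):
    """shape > 1 models wear-out, so the age t0 matters (cf. Section 2.1)."""
    def f(t):
        return (shape / scale) * (t / scale) ** (shape - 1) * math.exp(-(t / scale) ** shape) if t > 0 else 0.0
    def F(t):
        return 1.0 - math.exp(-(t / scale) ** shape) if t > 0 else 0.0
    return f, F

def p_hot_live(c1, c2, T):
    """Eqn (10): at least one of two hot-standby components lives up to T_M."""
    return 1.0 - (1.0 - c1.surv(T)) * (1.0 - c2.surv(T))

def p_cold_live(c1, c2, T, switch=None):
    """Eqn (11): C2 is cold standby for C1.  With a switch C3 that must survive
    up to the switching instant t, eqn (12)."""
    sw = switch.surv if switch else (lambda t: 1.0)
    return c1.surv(T) + integrate(lambda t: c1.f(t) * sw(t) * c2.surv(T - t), 0.0, T)

def p_hot_work(c1, c2, W, w1, w2, Tmax=None):
    """Eqns (13)-(17): both work on W in parallel until one fails; the survivor
    needs a total life of (W - w_j t)/w_i.  With a deadline Tmax (Section 3.1.4)
    the integrals start at max(0, T_{m,i}) of eqns (25)-(27) instead of 0."""
    Tm = W / (w1 + w2)
    lo1 = max(0.0, (W - w2 * Tmax) / w1) if Tmax is not None else 0.0   # C1 fails first
    lo2 = max(0.0, (W - w1 * Tmax) / w2) if Tmax is not None else 0.0   # C2 fails first
    both = c1.surv(Tm) * c2.surv(Tm)
    return (both
            + integrate(lambda t: c1.f(t) * c2.surv((W - w1 * t) / w2), lo1, Tm)
            + integrate(lambda t: c2.f(t) * c1.surv((W - w2 * t) / w1), lo2, Tm))

def p_cold_work(c1, c2, W, w1, w2):
    """Eqn (18): C1 tries to do W alone (w1 T_M = W); on failure at t the cold
    spare C2 must live for the rest, (W - w1 t)/w2."""
    TM = W / w1
    return c1.surv(TM) + integrate(lambda t: c1.f(t) * c2.surv((W - w1 * t) / w2), 0.0, TM)

if __name__ == "__main__":
    fw, Fw = weibull(scale=1000.0, shape=2.5)            # constructed, hours
    new, used = Component(fw, Fw), Component(fw, Fw, t0=600.0)
    print("live to 300 h, hot, both new :", round(p_hot_live(new, new, 300.0), 4))
    print("live to 300 h, hot, one used :", round(p_hot_live(new, used, 300.0), 4))
    print("live to 300 h, cold, one used:", round(p_cold_live(new, used, 300.0), 4))
    print("work W=600, hot / hot+Tmax / cold:",
          round(p_hot_work(new, used, 600.0, 1.0, 1.0), 4),
          round(p_hot_work(new, used, 600.0, 1.0, 1.0, Tmax=500.0), 4),
          round(p_cold_work(new, used, 600.0, 1.0, 1.0), 4))
```

With exponential lives the results are independent of the ages t0, which is the memorylessness of eqn (6); with the wear-out model an older component lowers every probability.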

3.2 Three-component systems with redundancy

Under the same circumstances as in the introduction of Section 3.1 (see (10) and (11)) we have in the 2-out-of-3 case for

1. hot standby, by elementary probability calculations:$^{1,2}$

$$P_{M,h} = \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) + \bar F_1(T_M, t_{01}) \bar F_3(T_M, t_{03}) + \bar F_2(T_M, t_{02}) \bar F_3(T_M, t_{03}) - 2 \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) \bar F_3(T_M, t_{03}), \tag{31}$$

2. cold standby of one component ($C_3$) for any of the other two:

$$P_{M,c} = \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) + \int_0^{T_M} \big[ f_1(t, t_{01}) \bar F_2(T_M, t_{02}) + f_2(t, t_{02}) \bar F_1(T_M, t_{01}) \big] \bar F_3(T_M - t, t_{03})\,dt. \tag{32}$$

Further mission types can be studied along the guidelines of Section 3.1. Details cannot be developed here for lack of space.

4 SYSTEMS WITH MISSIONS TOLERATING DUPLEX FAULTS AT LEAST PARTLY

Now we turn to systems and/or missions where, at least partly, two failed components can be tolerated. We will describe this fact in the headlines of the subsections as 'rich' redundancy. Again, for lack of space, not all example missions can be studied equally thoroughly for all systems.

4.1 Three-component systems with rich redundancy; the 1-out-of-3:G case

4.1.1 Living up to $T_M$

In the 1-out-of-3:G case we have, similar to the first paragraph of Section 3.1, as probabilities for mission success, for hot and cold standby, the following, respectively.

1. hot standby:

$$P_{M,h} = 1 - F_1(T_M, t_{01}) F_2(T_M, t_{02}) F_3(T_M, t_{03}), \tag{33}$$

2. cold standby with $C_1$ as the primary component and $C_2$ as the first used spare:

$$P_{M,c} = \bar F_1(T_M, t_{01}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_2(T_M - t, t_{02})\,dt + \int_0^{T_M} f_1(t, t_{01}) \int_0^{T_M - t} f_2(t', t_{02}) \bar F_3(T_M - t - t', t_{03})\,dt'\,dt. \tag{34}$$

The first integral models the case of only $C_1$ failing (at $t$). The last integral models the case of both $C_1$ and $C_2$ failing (at $t$ and $t + t'$, respectively). If a switch ($C_4$) has to survive the switching operations for activating spares, then

$$P_{M,c} = \bar F_1(T_M, t_{01}) + \int_0^{T_M} f_1(t, t_{01}) \bar F_4(t, t_{04}) \bar F_2(T_M - t, t_{02})\,dt + \int_0^{T_M} f_1(t, t_{01}) \int_0^{T_M - t} f_2(t', t_{02}) \bar F_4(t + t', t_{04}) \bar F_3(T_M - t - t', t_{03})\,dt'\,dt. \tag{35}$$

4.1.2 Finishing work W (at all)

Let us again assume that an amount $W$ of work is fully parallelizable, such that, similar to (13), the minimum mission time $T_m$ is defined by

$$(w_1 + w_2 + w_3)\, T_m = W. \tag{36}$$

In the rest of this subsection we limit our discussion to the (often found) case of identical components, since otherwise we simply get too long formulas; see the Appendix for deterrent examples. Then, with (36) changed to

$$3w\, T_m = W, \tag{37}$$

we have

1. For hot standby (see (19)):

$$P_{M,h} = [\bar F(T_m, t_0)]^3 + 3 \int_0^{T_m} f(t, t_0) [\bar F(t + \alpha_3(t), t_0)]^2\,dt + 6 \int_0^{T_m} f(t, t_0) \int_0^{\alpha_3(t)} f(t + t', t_0) \bar F[t + t' + \beta_3(t, t'), t_0]\,dt'\,dt, \tag{38}$$

where $\alpha_3(t)$ is found from

$$[3t + 2\alpha_3(t)]\, w = W \;\Rightarrow\; \alpha_3(t) = \frac{W}{2w} - \frac{3}{2} t, \tag{39}$$

and $\beta_3(t, t')$ is found from

$$[3t + 2t' + \beta_3(t, t')]\, w = W \;\Rightarrow\; \beta_3(t, t') = \frac{W}{w} - 3t - 2t'. \tag{40}$$

(Note that the case of the second failure occurring later than $t + \alpha_3(t)$ would be covered by the first integral.)

2. For cold standby (see (20)):

$$P_{M,c} = \bar F(3T_m, t_0) + \int_0^{3T_m} f(t, t_0) \bar F(3T_m - t, t_0)\,dt + \int_0^{3T_m} f(t, t_0) \int_0^{3T_m - t} f(t', t_0) \bar F(3T_m - t - t', t_0)\,dt'\,dt. \tag{41}$$

4.1.3 Aircraft landing at a 'safe' place

Similarly to (38):

$$P_{M,h} = [\bar F(T_M, t_0)]^3 + 3 \int_0^{T_M} f(t, t_0) [\bar F(t + D(t)/v', t_0)]^2\,dt + 6 \int_0^{T_M} f(t, t_0) \int_0^{D(t)/v'} f(t + t', t_0) \bar F\big(t + t' + [D(t) - v' t']/v'', t_0\big)\,dt'\,dt, \tag{42}$$

since at $t + t'$ the distance to a safe place is $D(t) - v' t'$, which must be covered with the third (the last operative) engine at speed $v''$. (The speed with 2 operative engines is $v'$.)

4.2 Four-component systems with rich redundancy; the 2-out-of-4:G case

Again we keep to systems with equal components. An indication of how voluminous formulae for the general case (of different components) become is presented in the Appendix.

4.2.1 Living up to $T_M$

By (63)

$$P_{M,h} = 1 - [F(T_M, t_0)]^4 - 4 [F(T_M, t_0)]^3 \bar F(T_M, t_0), \tag{43}$$

and by (64)

$$P_{M,c} = [\bar F(T_M, t_0)]^2 + 2 \bar F(T_M, t_0) \int_0^{T_M} f(t, t_0) \bar F(T_M - t, t_0)\,dt + 2 \int_0^{T_M} f(t, t_0) \bar F(T_M - t, t_0) \int_0^{T_M - t} f(t + t', t_0) \bar F(T_M - t - t', t_0)\,dt'\,dt + 2 \bar F(T_M, t_0) \int_0^{T_M} f(t, t_0) \int_0^{T_M - t} f(t', t_0) \bar F(T_M - t - t', t_0)\,dt'\,dt. \tag{44}$$

The last (duplex) integral covers the case where also the first spare component fails (at $t + t'$). Notice that spare components that are never used do not show up in $P_{M,c}$.

4.2.2 Finishing work W

Similar to the equally named paragraph of Section 4.1 we have for $4w\, T_m = W$ and fully parallelizable work, which is subdivided equally amongst all active components, for

1. hot standby:

$$P_{M,h} = [\bar F(T_m, t_0)]^4 + 4 \int_0^{T_m} f(t, t_0) [\bar F(t + \alpha_4(t), t_0)]^3\,dt + 12 \int_0^{T_m} f(t, t_0) \int_0^{\alpha_4(t)} f(t + t', t_0) [\bar F(t + t' + \beta_4(t, t'), t_0)]^2\,dt'\,dt, \tag{45}$$

where $\alpha_4(t)$ is defined via

$$[4t + 3\alpha_4(t)]\, w = W \;\Rightarrow\; \alpha_4(t) = \frac{W}{3w} - \frac{4}{3} t, \tag{46}$$

and $\beta_4(t, t')$ is defined via

$$[4t + 3t' + 2\beta_4(t, t')]\, w = W \;\Rightarrow\; \beta_4(t, t') = \frac{W}{2w} - 2t - \frac{3}{2} t'; \tag{47}$$

2. cold standby:

$$P_{M,c} = [\bar F(2T_m, t_0)]^2 + 2 \bar F(2T_m, t_0) \int_0^{2T_m} f(t, t_0) \bar F(2T_m - t, t_0)\,dt + 2 \int_0^{2T_m} f(t, t_0) \bar F(2T_m - t, t_0) \int_0^{2T_m - t} f(t + t', t_0) \bar F(2T_m - t - t', t_0)\,dt'\,dt + 2 \bar F(2T_m, t_0) \int_0^{2T_m} f(t, t_0) \int_0^{2T_m - t} f(t', t_0) \bar F(2T_m - t - t', t_0)\,dt'\,dt. \tag{48}$$

Again, the last (duplex) integral covers the cases where also the first spare component fails (at $t + t'$), but one component does not fail (up to $2T_m$).

4.2.3 Aircraft landing at a safe place

Similar to the equally named paragraph of Section 4.1 we have (for the 2-out-of-4:G case)

$$P_{M,h} = [\bar F(T_M, t_0)]^4 + 4 \int_0^{T_M} f(t, t_0) [\bar F(t + D(t)/v', t_0)]^3\,dt + 12 \int_0^{T_M} f(t, t_0) \int_0^{D(t)/v'} f(t + t', t_0) \big[\bar F\big(t + t' + [D(t) - v' t']/v'', t_0\big)\big]^2\,dt'\,dt, \tag{49}$$

where the last coefficient, 12, results from the fact that for any of the 4 first failures there are 3 'choices' of a second failure.

5 SYSTEMS WITH A FEW MORE COMPONENTS

(Notice that in this section the aspect of 'used' components is irrelevant; hence we use simplified notation, i.e., no $t_{0i}$s.) An important generalization of the above concerns the number of components. Complex engineering systems can have many more than just 2, 3 or 4 of them. With such 'bigger' systems the following procedure is suggested.

1) Determine, e.g., via the success tree, the set of 'good' elementary states, i.e., states where the binary state of each component is fixed.

2) Note the success tree's Boolean function $\varphi(X_1, \ldots, X_n)$, where $X_i = 1$ for the faulty $C_i$ and $\bar X_i = 1 - X_i$, in its canonical DNF (disjunctive normal or sum-of-products form),$^7$ i.e., as the sum of its minterms, $\varphi_{CDNF}$.

5.1 Example: 2-out-of-3 system

From the obvious DNF

$$\varphi_{2/3,h} = \bar X_1 \bar X_2 \lor \bar X_1 \bar X_3 \lor \bar X_2 \bar X_3 \quad (\lor \equiv \text{OR}) \tag{50}$$

we can find by numerous methods$^7$ the CDNF

$$\varphi_{2/3,h} = \bar X_1 \bar X_2 \bar X_3 + \bar X_1 X_2 \bar X_3 + X_1 \bar X_2 \bar X_3 + \bar X_1 \bar X_2 X_3. \tag{51}$$

3) Write down the expected value of $\varphi_{CDNF}(t)$. It equals $P\{\varphi_{CDNF}(t) = 1\}$. Notice in this context that

$$E[X_i(t)] = P\{X_i(t) = 1\} = F_i(t). \tag{52}$$

For s-independent $X_i(t), X_j(t), \ldots$:

$$E[X_i(t) X_j(t) \ldots] = F_i(t) F_j(t) \ldots \tag{53}$$

This concerns, in general, hot standby. For cold standby of $C_j$ for $C_i$ use

$$E[X_i(t) X_j(t)] = \int_0^t f_i(\tau) F_j(t - \tau)\,d\tau. \tag{54}$$

Notice that here

$$E[\bar X_i(t) X_j(t)] = 0, \tag{55}$$

since $C_j$ cannot fail prior to $C_i$.

5.2 Example: 2-out-of-3 system with $C_3$ as standby

By (53) we have from (51) for hot standby; see (31):

$$\bar F_{2/3,h}(t) = \bar F_1(t) \bar F_2(t) \bar F_3(t) + \bar F_1(t) F_2(t) \bar F_3(t) + F_1(t) \bar F_2(t) \bar F_3(t) + \bar F_1(t) \bar F_2(t) F_3(t). \tag{56}$$

By (54) we have for a cold standby of $C_3$ for $C_1$ or $C_2$; see (32):

$$\bar F_{2/3,c}(t) = \bar F_1(t) \bar F_2(t) + \bar F_2(t) \int_0^t f_1(\tau) \bar F_3(t - \tau)\,d\tau + \bar F_1(t) \int_0^t f_2(\tau) \bar F_3(t - \tau)\,d\tau. \tag{57}$$

(Due to (55), the last term of (51) does not contribute to $\bar F_{2/3,c}$.)

4) Modify the result of 3) in order to comply with the given constraint(s). Constraints can lead to the omission of terms and/or to variations of the integration intervals as well as to changes of argument values of integrands. Notice that here, in general, complex creative engineering effort has to be invested.
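Steps 1) to 3) of the procedure above in code, as an added example that is not the paper's: the good states of a success function are enumerated (the minterms of the CDNF, eqn (51)) and the expected value is taken with the hot-standby rule (53) or, for one cold spare shared by the primaries, with (54) and (55), extended to states with two faulty primaries by averaging over the first failure instant. The predicates, rates and names (`p_hot`, `p_cold_one_spare`) are this example's constructions.

```python
import itertools
import math

# Added example, not from the paper: steps 1)-3) of Section 5 in code.  A system
# is given by n components (x_i = 1 means C_i faulty) and a survival predicate;
# the 'good' states are the minterms of the CDNF, eqn (51).  Inputs are constructed.

def integrate(g, a, b, n=200):
    """Midpoint rule on [a, b]; 0 for an empty interval."""
    if b <= a:
        return 0.0
    h = (b - a) / n
    return sum(g(a + (k + 0.5) * h) for k in range(n)) * h

def good_states(n, survives):
    """Steps 1)-2): every elementary state x in {0,1}^n with survives(x) true."""
    return [x for x in itertools.product((0, 1), repeat=n) if survives(x)]

def p_hot(cdfs, survives, t):
    """Step 3), hot standby, eqns (52)-(53): each minterm is the product of
    F_i(t) for a faulty and 1 - F_i(t) for an alive s-independent component."""
    total = 0.0
    for x in good_states(len(cdfs), survives):
        term = 1.0
        for xi, F in zip(x, cdfs):
            term *= F(t) if xi else 1.0 - F(t)
        total += term
    return total

def _spare_expectation(pdfs, cdfs, failed, spare_fn, t):
    """E[spare_fn(t - tau_first)] over the failure instants of the faulty
    primaries, the spare being activated at the first of them (eqn (54) is
    the one-primary case with spare_fn = F_j).  Up to two faulty primaries."""
    if len(failed) == 1:
        f = pdfs[failed[0]]
        return integrate(lambda u: f(u) * spare_fn(t - u), 0.0, t)
    if len(failed) == 2:
        fa, fb, Fb = pdfs[failed[0]], pdfs[failed[1]], cdfs[failed[1]]
        def given_a_fails_at(u):
            # C_b failed before u (spare started at C_b's failure) or after u
            before = integrate(lambda v: fb(v) * spare_fn(t - v), 0.0, u, 100)
            return before + spare_fn(t - u) * (Fb(t) - Fb(u))
        return integrate(lambda u: fa(u) * given_a_fails_at(u), 0.0, t, 100)
    raise ValueError("three or more faulty primaries: refine in step 4)")

def p_cold_one_spare(pdfs, cdfs, spare, survives, t):
    """Step 3), cold standby: component `spare` replaces whichever primary fails
    first.  By eqn (55) a minterm with the spare faulty and all primaries alive
    is impossible; otherwise the spare's factor is F_j or 1 - F_j evaluated at
    t minus the first primary failure instant, averaged over that instant."""
    n, Fj = len(cdfs), cdfs[spare]
    total = 0.0
    for x in good_states(n, survives):
        failed = [i for i in range(n) if x[i] and i != spare]
        term = 1.0
        for k in range(n):
            if k != spare and not x[k]:
                term *= 1.0 - cdfs[k](t)          # alive primaries, eqn (53)
        if not failed:
            term *= 0.0 if x[spare] else 1.0      # eqn (55)
        else:
            spare_fn = Fj if x[spare] else (lambda u: 1.0 - Fj(u))
            term *= _spare_expectation(pdfs, cdfs, failed, spare_fn, t)
        total += term
    return total

def two_of_three(x):
    """Success function of Section 5.1: at most one faulty component."""
    return sum(x) <= 1

if __name__ == "__main__":
    lam = 0.002                                   # constructed, 1/h
    f = lambda t: lam * math.exp(-lam * t)
    F = lambda t: 1.0 - math.exp(-lam * t)
    print("CDNF minterms of (51):", good_states(3, two_of_three))
    print("2-out-of-3 hot  at 500 h:", round(p_hot([F, F, F], two_of_three, 500.0), 5))
    print("2-out-of-3 cold at 500 h:",
          round(p_cold_one_spare([f, f, f], [F, F, F], 2, two_of_three, 500.0), 5))
```

Summing over all eight states with the cold-standby rules gives 1, which checks that the minterm expectations partition the probability space.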

6 CONCLUSIONS

It could be shown that fairly sophisticated constraints concerning minimum demands on non-repaired systems' performance, typically also such that partly interfere with fault tolerance, can be modeled at full generality as to the life distributions of system components. Due to lack of space, only the simplest redundant system, i.e., the duplex system, could be investigated in great detail. (For systems with more components and/or a higher degree of fault tolerance the study of sample cases revealed no principal difficulties to be faced when entering more sophisticated analyses for them.) In the 1-out-of-2:G case the general form of the probability of mission success was found to be for

1. hot standby

$$P_{M,h} = \bar F_1(T, t_{01}) \bar F_2(T, t_{02}) + \int_{t_1}^{T} f_1(t, t_{01}) \bar F_2[\gamma_2(t), t_{02}]\,dt + \int_{t_2}^{T} f_2(t, t_{02}) \bar F_1[\gamma_1(t), t_{01}]\,dt, \tag{58}$$

2. cold standby

$$P_{M,c} = \bar F_1(T', t_{01}) + \int_{t_1}^{T'} f_1(t, t_{01}) \bar F_2[\gamma(t), t_{02}]\,dt, \tag{59}$$

where $T, t_1, t_2, T'$ and $\gamma_1, \gamma_2, \gamma$ are mission specific parameters and linear time functions, respectively. Only in the case of work $W$ to be done under further constraints could the lower integration limit also be positive in certain cases.

Notice that the sum of the (first) arguments in the integrands is, usually, the minimum of mission duration. In case of a fallible switch ($C_3$) for activating the spare component the integrands were expanded by $\bar F_3(t, t_{03}) = P\{C_3 \text{ survives up to } t\}$. With cases of two tolerated failures, formulas for mission success probability, $P_M$, typically contain integrals of the kind

$$\int_0^T f_i(t, t_{0i}) \int_0^{\alpha_i(t)} f_j(t + t', t_{0j}) \ldots\,dt'\,dt \tag{60}$$

and/or

$$\int_0^T f_i(t, t_{0i}) \int_0^{\alpha_i(t)} f_j(t', t_{0j}) \ldots\,dt'\,dt, \tag{61}$$

depending on hot or cold standby, respectively. Typically, for work, $W$, to be done, especially a distance, $D$, to be covered, the corresponding time needed had to be determined. For work and distance this was accomplished by division by the appropriate work intensity and speed (velocity), respectively. In cases where a certain amount, $W$, of work has to be done, the classical redundancy concept becomes somewhat blurred, since with hot standby it would appear uneconomical not to use the spares too to do some 'work'. Hence in these cases the concept of a multi-phased mission with no redundancy, but with degrading phases, might be more appropriate. However, except perhaps for the problem of parallelizability of programs for multiprocessor systems, the random event of mission success can always be defined clearly enough in order to calculate its probability, $P_M$. In many cases an at least approximate evaluation of the integrals will not be difficult for short mission lengths. For long-duration missions a more 'expensive' knowledge of the components' life distributions will be needed.

We have refrained from numerical examples in a paper of some length, feeling that the readers who have to solve practical problems, say, evaluate (11) for a given pair of distributions of component lives with pdfs $f_1(t)$ and $f_2(t)$, respectively, would be able to do the necessary integrations at least numerically, typically using general purpose tools like MATHEMATICA. We feel that the integrals offer the right type of general insight into the final steps towards a numerical result.

REFERENCES

1. Henley, E. & Kumamoto, H., Probabilistic Risk Assessment, IEEE Press, New York, 1992.
2. Shooman, M., Probabilistic Reliability: An Engineering Approach, Krieger, Melbourne, USA, 1990.
3. Schneeweiss, W., Zuverlaessigkeitstechnik, von den Komponenten zum System (Reliability Technology, from the Components to the System), Datakontext, Cologne, 1992.
4. Schneeweiss, W., Mean time to finish a randomly disturbed two-phase mission. IEEE Trans. Reliab., 44 (1995) 310-314.
5. Schneeweiss, W., On flights ending correctly or at least safely. In Proc. ESREL'93, Elsevier, Amsterdam, 1993, pp. 479-485.
6. Smotherman, M. & Geist, R., Phased missions effectiveness using a non-homogeneous Markov reward model. Reliab. Engng System Safety, 27 (1990) 241-255.
7. Schneeweiss, W., Boolean Functions with Engineering Applications and Computer Programs, Springer, Berlin, New York, 1989.
8. Bryson, M. & Siddiqui, M., Some criteria for aging. J. Am. Stat. Assoc., 64 (1969) 1472-1483.
9. Abouammoh, A., Abdulghani, S. & Qamber, I., On partial orderings and testing of new better than renewal used classes. Reliab. Engng System Safety, 43 (1994) 37-41.
10. Vesely, W., Incorporating aging effects into probabilistic risk analysis using a Taylor expansion approach. Reliab. Engng System Safety, 32 (1991) 315-337.

APPENDIX

Examples of cases of non-identical components

1 A 1-out-of-3:G engines aircraft landing at a 'safe' place

Similar to the 1-out-of-2:G case treated in Section 3.1, we have with $v_i$ and $v_{i,j}$ for the aircraft speed when only engine $i$ and engines $i$ together with $j$ are working, respectively:

$$\begin{aligned}
P_{M,h} = {}& \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) \bar F_3(T_M, t_{03}) \\
&+ \int_0^{T_M} f_1(t, t_{01}) \bar F_2\Big(t + \frac{D(t)}{v_{2,3}}, t_{02}\Big) \bar F_3\Big(t + \frac{D(t)}{v_{2,3}}, t_{03}\Big)\,dt \\
&+ \int_0^{T_M} f_2(t, t_{02}) \bar F_1\Big(t + \frac{D(t)}{v_{1,3}}, t_{01}\Big) \bar F_3\Big(t + \frac{D(t)}{v_{1,3}}, t_{03}\Big)\,dt \\
&+ \int_0^{T_M} f_3(t, t_{03}) \bar F_1\Big(t + \frac{D(t)}{v_{1,2}}, t_{01}\Big) \bar F_2\Big(t + \frac{D(t)}{v_{1,2}}, t_{02}\Big)\,dt \\
&+ \int_0^{T_M} f_1(t, t_{01}) \int_0^{D(t)/v_{2,3}} f_2(t + t', t_{02}) \bar F_3\Big(t + t' + \frac{D(t) - v_{2,3} t'}{v_3}, t_{03}\Big)\,dt'\,dt \\
&+ \int_0^{T_M} f_1(t, t_{01}) \int_0^{D(t)/v_{2,3}} f_3(t + t', t_{03}) \bar F_2\Big(t + t' + \frac{D(t) - v_{2,3} t'}{v_2}, t_{02}\Big)\,dt'\,dt \\
&+ \int_0^{T_M} f_2(t, t_{02}) \int_0^{D(t)/v_{1,3}} f_1(t + t', t_{01}) \bar F_3\Big(t + t' + \frac{D(t) - v_{1,3} t'}{v_3}, t_{03}\Big)\,dt'\,dt \\
&+ \int_0^{T_M} f_2(t, t_{02}) \int_0^{D(t)/v_{1,3}} f_3(t + t', t_{03}) \bar F_1\Big(t + t' + \frac{D(t) - v_{1,3} t'}{v_1}, t_{01}\Big)\,dt'\,dt \\
&+ \int_0^{T_M} f_3(t, t_{03}) \int_0^{D(t)/v_{1,2}} f_1(t + t', t_{01}) \bar F_2\Big(t + t' + \frac{D(t) - v_{1,2} t'}{v_2}, t_{02}\Big)\,dt'\,dt \\
&+ \int_0^{T_M} f_3(t, t_{03}) \int_0^{D(t)/v_{1,2}} f_2(t + t', t_{02}) \bar F_1\Big(t + t' + \frac{D(t) - v_{1,2} t'}{v_1}, t_{01}\Big)\,dt'\,dt.
\end{aligned} \tag{62}$$

The case of a certain asymmetry of redundancy, where 1-out-of-3:G means only the case where $C_3$ is the last working engine (presumably the central one), is easily modeled by omitting amongst the last 6 terms those 4 where $C_3$ fails prior to mission end, i.e., those containing $f_3$.

2 A 2-out-of-4:G system with rich redundancy and different components (living up to $T_M$)

Here we have as mission success probability for

1. hot standby

$$\begin{aligned}
P_{M,h} = 1 &- F_1(T_M, t_{01}) F_2(T_M, t_{02}) F_3(T_M, t_{03}) F_4(T_M, t_{04}) \\
&- \bar F_1(T_M, t_{01}) F_2(T_M, t_{02}) F_3(T_M, t_{03}) F_4(T_M, t_{04}) - F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) F_3(T_M, t_{03}) F_4(T_M, t_{04}) \\
&- F_1(T_M, t_{01}) F_2(T_M, t_{02}) \bar F_3(T_M, t_{03}) F_4(T_M, t_{04}) - F_1(T_M, t_{01}) F_2(T_M, t_{02}) F_3(T_M, t_{03}) \bar F_4(T_M, t_{04}),
\end{aligned} \tag{63}$$

2. cold standby, where $C_3$ and $C_4$ are spares, with $C_3$ always used first:

$$\begin{aligned}
P_{M,c} = {}& \bar F_1(T_M, t_{01}) \bar F_2(T_M, t_{02}) \\
&+ \bar F_2(T_M, t_{02}) \int_0^{T_M} f_1(t, t_{01}) \bar F_3(T_M - t, t_{03})\,dt + \bar F_1(T_M, t_{01}) \int_0^{T_M} f_2(t, t_{02}) \bar F_3(T_M - t, t_{03})\,dt \\
&+ \int_0^{T_M} f_1(t, t_{01}) \bar F_3(T_M - t, t_{03}) \int_0^{T_M - t} f_2(t + t', t_{02}) \bar F_4(T_M - t - t', t_{04})\,dt'\,dt \\
&+ \int_0^{T_M} f_2(t, t_{02}) \bar F_3(T_M - t, t_{03}) \int_0^{T_M - t} f_1(t + t', t_{01}) \bar F_4(T_M - t - t', t_{04})\,dt'\,dt \\
&+ \bar F_2(T_M, t_{02}) \int_0^{T_M} f_1(t, t_{01}) \int_0^{T_M - t} f_3(t', t_{03}) \bar F_4(T_M - t - t', t_{04})\,dt'\,dt \\
&+ \bar F_1(T_M, t_{01}) \int_0^{T_M} f_2(t, t_{02}) \int_0^{T_M - t} f_3(t', t_{03}) \bar F_4(T_M - t - t', t_{04})\,dt'\,dt.
\end{aligned} \tag{64}$$

Mind that the last two terms are not forgotten! They concern the case of a failure of a primary component, $C_1$ or $C_2$, followed by that of the standby, $C_3$, replacing it.