Study of different load dependencies among shared redundant systems

Abstrat. The paper presents features and implementation of a sharedredundant approah to inreasethe reliabilityof

networkedontrolsystems.Commonapproahesbasedonredundantomponentsinontrolsystemusepassiveorativeredundany.

Wedealwithquasi-redundantsubsystems(sharedredundany)whereasbasifeaturesareintroduedinthepaper. Thistypeof

redundanyoersseveralimportantadvantagessuhasminimizingthenumberofomponentsaswellasinreasingthereliability.

The example of a four-rotor mini-heliopter ispresented in order to show reliability improvingwithout using any additional

redundantomponents.Themainaimofthispaperistoshowtheinueneoftheloadinreasingfollowingdierentsenarios. The

resultsouldhelptodeterminetheappliationswherequasi-redundantsubsystemsareagoodsolutiontoremaininasigniant

reliabilitylevelevenifritialfailureappears.

Keywords: sharedredundany,dependability,networkedontrolsystems

1. Introdution. Tobeableto obtainrelevantresults ofreliability evaluations for omplexsystems, it

isneessaryto desribethe maximumof spei dependenieswithin thestudied system andtheirinuenes

on the system reliability. Dierent methods or approahes for ontrol systems' reliability improvement are

developed in order to be applied to spei subsystems or to deal with dependeniesamong subsystems. A

lassialtehniqueonsists in designingafault-tolerantontrol [1℄where themain aimis toproposearobust

ontrol algorithm. Guenab andothers in [2℄ dealwiththis approahand reonguration strategyin omplex

systems,too.

On the other side is the design of reliable ontrol arhitetures. Probably the most used tehnique is

to onsider the redundant omponents whih enlarge the system struture and its omplexity too. Ative

and passive redundany is the simplest way howto improve dependability attributes of the systemssuh as

reliability, maintainability, availability, et [3℄. However, as it wasmentioned the ontrol struture turns to

be moreomplexdue to aninreasingnumberof omponentsaswell asthenumberof possibledependenies

amongomponents,itisin partiulartheaseforNetworkedControlSystems[4℄[5℄.

The paper introdues omplex networked ontrol arhiteture based on asade ontrol struture. The

asade struture was hosen purposely due to its advantages. This struture is widely used in industrial

appliationsthankstopositiveresultsforqualityofontrolwhiharealreadydesribedandgenerallyknown[6℄.

Ontheothersideitoerssomepossibilitiesofsystemreliabilityimprovement. Therearepotentiallyredundant

omponentssuhasontrollers(primary,seondary). Ifmorethanonenetworkisimplementedweouldonsider

them aspotentiallyredundant subsystems too. Finally if thephysial system allowsit, it is possibleto take

protfromsensors. Theasadestrutureandotherfeatures areintroduedin moredetails inthethirdpart.

Thepaperisorganisedasfollows. Afterbringinglosertheresearhbakground,thesharedredundanyis

introdued. Theontrollersandnetworksarepresentedinmoredetailsinordertoshowsomedependenieswhih

ouldbeappearedwhenasharedredundanyapproahisimplemented. Inthenextpartarepresentednetworked

topologiesonsideredasasadeontrol(CC)strutureofthe4-rotormini-heliopter(drone)model[7℄. Using

Petri netswerepreparedthe modelsof theintroduedquasi-redundantomponentsaswell asdrone'sontrol

struture. A simple model of the two quasi-redundant subsystems is evaluated. Finally, are proposed the

simulationresultsofthementionedsimpletwoomponentsmodelaswellasthemodeloftheomplexdrone's

struturewithshortonlusion.

2. Researh Bakground. Control arhiteture design approah was taken into aount by Wysoki,

Deboukand Nouri[8℄. Theypresentsharedredundanyaspartsofsystems(subsystems)whih ouldreplae

anothersubsystem in aseof itsfailure. This feature is onditionedwith thesame orsimilar funtion of the

subsystem. Wysoki et al. introdue the sharedredundant arhiteture in four dierent examplesillustrated

onX-by-Wire"systemsusedinautomotiveappliations. Presentedresultsshownadvantagesofthisapproah

inontrolarhiteturedesign.

The shared redundany approah involves the problemati of a Load Sharing [9℄. Thus, some of the

omponents take part of the load of the failed omponents in order to let the system in funtional mode.

∗

LaboratoireGIPSA-Lab(GIPSA-LabUMR5216CNRS-INPG-UJF)BP46,F-38402SaintMartind'HèresCedex,Frane

†

ConsiderationoftheloadsharinginmehanialomponentsispresentedbyPozsgaiandothersin[10℄. Pozsgai

andothers analyzethistypeofsystemsandoermathematialformalismfor simplesystem1-out-of-2and

1-out-of-3. Alsotherearesomemathematialstudies[9℄ofseveralphenomenaappearedonthiseldofresearh.

Bebbingtonand othersin[9℄analyzeseveralparametersofsystemssuhassurvivalprobabilityofloadshared

subsystems.

3. SharedRedundany. Speikindofredundantsubsystemswhihhavesimilarfeaturessuhasative

redundanyhowevergivesussomeadditionaladvantageswhihwillbeintroduedinfurthertext. Thiskindof

spares representsanother typeofredundantomponentswhihare notprimarydeterminedasredundantbut

theyare ableto replaesomeothersubsystems ifit isurgentlyrequired. This typeofredundany isreferred

assharedredundany [8℄orquasi-redundany [11℄. Dueto itsimportantadvantagesitisusefultodesribethis

kind of spares in order to show several non-onsideredand non-evaluated dependenies whih ould havean

inuenetothesystemreliability. Identiationanddesriptionofthisinueneshouldnotbeignoredinorder

toobtainrelevantresultsofthereliabilityestimationofthesystemswhihinvolvethiskindofspares.

As it was mentioned above, the shared redundany (SR) mentioned by Wysoki and others in [8℄ is in

further text taken into aount in the same meaning as a quasi-redundant (QR) omponent. Thus,

quasi-redundantomponentsarethepartsof thesystemwhih followtheirprimarymission whentheentiresystem

is in funtional state. However, when some parts of the system fail then this funtion ould be replaed by

anotherpartwhih followsthesameorasimilar mission,thusby quasi-redundantpart. Thequasi-redundant

omponentsarenotprimarydetermined asativeredundantsubsystembeauseeahonehasitsownmission

whihmustbeaomplished. Only in aseoffailureit ouldbeused. InNCSappearsthequestionoflogial

reonguration of the system when the data ow must behangedin order to replae the funtionality of a

subsystembyanotherone. Forexample,somenewnodeswill losethenetworkonnetionandthesystemhas

toavoidthestatewhenpaketsaresenttoanodewhihdoesnotexist. Thus,themainfeaturesoftheshared

redundanyouldbesummarizedasfollows:

"Quasi-redundantomponentisnotonsideredasprimaryredundantomponentsuhastheativeorthepassive

redundantomponents."

Generallyinnetworkedontrolsystems,threekindsofquasi-redundantomponents(subsystems)ouldbe

onsidered:

•

QRontrollers.

•

QRnetworks.

•

QRsensors.

Hene,aneessarybutnotsuientonditionisthataontrolstruturewhereSRouldbeonsideredhas

tobeomposedatleastoftwoabovementionedsubsystems(ontrollers,networks,atuators). Thesubsystems

shouldhavesimilarfuntionalityoronstrutioninordertobeabletoreplaethemissionofanotheromponent.

Inaseofquasi-redundantomponentsthere areseverallimitations. Inorderto takeprotofquasi-redundant

networks,itisneessarytoonnetallnodesinallonsideredQRnetworks. Thus,inaseofdierentnetworks

theomponentsshouldhaveimplementedallneessaryommuniationinterfaes. InaseofQRontrollersthe

hardwareperformanehasto allowimplementingmorethanoneontrol task.

Third mentionedomponentsaresensors. Considerationof thesensorsasQRomponentshasimportant

physial limitations. Inorder to be ableto replaeasensor formeasuringaphysial valueX by anotherone

formeasuringYitisneessaryto usemulti-funtional"smartsensors.Weansupposethat someombination

of the physial values an not be measured by using one sensor dueto the inability toimplement the required

funtionalityinone hardwareomponent.

Other limitation is the distane between failed sensor and its QR sensor whih ould have a signiant

inuenetothepossibilityofitsreplaing. Generally,implementationoftheQRsensorswithinontrolsystem

strutureouldbemorediultthantheappliationoftheSRapproahonontrollersornetworks.

There areseveral naturallysuitableontrol strutureswhih ouldimplementthe sharedredundany

ap-proah withoutother modiations suh as asadeontrol struture (Fig. 3.1). This struture is often used

in industrial appliations thanks to its important features whih improvethe quality of ontrol. With using

asade aontrol struture there are several onstraints[8℄. The main ondition requires that theontrolled

system must ontain a subsystem (seondary subsystem FS(s)Fig. 3.1) that diretly aet to the primary

Fig.3.1. Mainstrutureoftheasadeontrol

Fig.3.2.NCCSwithtwonetworksandalternativenetworkonnetions

Usually for seondary subsystems there is a ondition of faster dynamis than primary proess. This

onditionmust notbefullled [8℄;inthis ase,somemodiationsofonventionalasadestruture(Fig. 3.1)

andontrollawsmustbeprovided.

3.1. Quasi-redundantontrollers. Intheprevioustext,severalsuitableontrolstrutureswerebriey

introdued. Asitwasshowntheontrollersoveredbythesestruturesouldbeonsideredasquasi-redundant

omponentsbydefault. Thus,thehardwareofbothomponentsouldbesharedinordertoimplementashared

redundantapproah.

Let'sonsider the networkedasadeontrolsystem shown in gure3.2. Thesystem isomposedof ve

main omponents (Sensor

S1

,

S2

, ontrollers

C1

,

C2

and atuator

A

) and two networks. Theommuniation

ow among omponents is determined by its asade ontrol struture. Thus, sensor

S1

sends a measured

valuetoontroller

C1

(Master), theontroller

C2

(Slave) reeivesthevaluesfrom thesensor

S2

aswellasthe

ontroller

C1

inorder toomputeanatuatingvaluefortheatuator

A

.

Eahpartofthesystem(omponentsandnetworks)presentsindependentsubsystem. However,when

quasi-redundant omponents are studied, the system is not onsidered as omposed of independent omponents.

Depending on the performane parameters of the used hardware equipment in the ontrol loop, a spei

inueneonthesystemreliabilityshouldbetakenintoaount. Thussomedependeniesshouldnotbeignored

in the dependability analysis. In the NCCS shown in Fig. 3.2 we ould onsider ontrollers

C1

and

C2

as

the quasi redundant subsystems (omponents). Both QR ontrollers have a primary mission whih should

be followed. Thus, aontroller

C1

ontrols outer ontrol loopand ontroller

C2

stabilizes inner ontrol loop.

Howeverinaseoffailureofoneofthem,weouldonsidertheseondoneasakindofspare.

As it wasmentioned previously, the ontrollers follow theirprimary mission stabilization orperformane

optimization of the ontrolled system. Therefore, in regards to the similar hardware, it allows sharing the

omputingapaityandexeutingdierenttasks. Thus,inordertoimplementtheSRapproah,bothontrollers

havetoenapsulatebothontroltasksfortheouterandtheinnerontrolloop(seetheasadeontrolstruture

ingure3.1).

Fig.3.3. Possiblesenariosforquasi-redundantontrollers

aswellasseondarysubsystems. Inthisaseweansupposetwosenarios.

The rst one supposes that the ontroller is able to exeute all the neessary tasks within the required

sample periods (Fig. 3.3a). Thus, nodelays orotherundesirable onsequenesare expeted. Inthis asethe

behaviorofthequasi-redundantomponentissimilarasin theaseofativeredundantomponents. Thus,in

theaseoffailureof oneoftheomponents,theseondtakesareaboutitsmission untilitsfailure.

Figure 3.3b showsa seond ase when time to exeute both neessarytasks is greater thanthe required

sampling period. Thus, the ontroller will ause the delays whih have signiant inuene to the system

stability[12℄[13℄. Therefore,thisdelayouldbeknownwhihallowsitspartiallyompensatingbyusingseveral

methods [14℄. Thus, weansuppose that thesystemdestabilizationwillnotourimmediatelyafter therst

delayand weare abletoompensateitforsometime interval. Thus, quasi-redundantontrollerdoesnotfail

immediatelybut itsreliabilitydereased.

Thereareseveralsituationswhenthissenarioouldbeonsidered.Inritialsystemswherethefailureofan

importantomponentouldauseundesireddamagesorotherdangerousonsequenes,thesharedredundany

approah ouldhelp to alloatesometime intervalin order tomaintain thesystemin asafestate. Thus, the

SRapproahanbeasignianttehniquetoseurethesystembefore adamagerisk.

3.2. Quasi-redundant networks. The seond partof the NCS whih ould be taken into aount as

SRsubsystemsarenetworks. Let'ssupposeasystemwithtwonetworks(Fig.3.2)whereallomponentsould

ommuniate(onnet)onthesenetworks(

N1

and

N2

)ifitisneeded. InthisaseweanapplytheSRapproah

onthissystem.

Consideredfuntionalityof the quasiredundantnetworks is asfollows. Both networks transmitrequired

datanetwork

N1

transmitdatafrom

S1

to

C1

andfrom

C1

to

C2

suhasnetwork

N2

from

S2

to

C2

andfrom

C2

to A.Thus bothnetworks areativeandalloatedduring thesystemmission. Thesameasin theaseof

QRontrollers: when anetwork failed,theseond oneantakeitsloadafterasystemreonguration. Thus,

allrequireddataaresentthroughtheseond network. Hene,twosimilarsenariosaswiththeontrollertask

exeution ould bedesribed. The amount of transmitted data on the network with a speied bit rate has

logiallyinueneontheprobabilityoffailureofthenetwork(ofoursethisdependsonthenetworktypeand

other parametersmentioned). This inuene ouldbeignored whenthe network performaneparametersare

suient. However,wean suppose that theprobabilityof network failure isinreasing simultaneouslywhen

thenetworkloadinreases.

Theharateristibetweennetwork loadingandits bit ratedepends on thenetwork typeand havetobe

measuredinrealnetworkonditionsin ordertodeterminethetypeofdependenylinearornonlinear.

Notonlythenetworkbitrateanbeimportanthoweverothernetworklimitationssuhasmaximalnumber

of nodesonneted tothe network,et. All limits ofthe QRsubsystemsanreate dependenieswithdiret

inueneonthesystemreliability. Primary,weouldonsiderthesedependeniesasundesirablebutinaseof

ritialfailuresthisSRapproahgivessometimetosavethesystem.

WhenNCSwithanSRapproahareanalyzed,thisharateristishouldbeinludedinthepreparedmodel

andfurtherevaluatedin ordertodetermineitsinuenetothereliabilityofthewholeNCS.

Fig.3.4. Possiblefailurerateurvesforthesubsystem

S

2

duringitsmission

However,there areseveral importantsenarioswhenthe reliabilityof thesystemould be dereasedin order

topreventdangerousonsequenesorotherundesirableevents.

These senarios ould appear when someonditions ould not be fullled (insuient exeution time or

networkbitrate)butthesystemneedsometimein ordertotakeasafestate. Hene,itisneessarytoidentify

anddesribetheinuene ofthese dependenieswhih leadstomorerelevantresults. Thus, preventfromtoo

pessimistiortoooptimistiresultsofthereliabilityanalysisoftheonsideredsystems. Thedependeniesould

bedistinguishedasfollows:

•

ativeredundantdependeny,

•

singlestephangeofthenominalfailurerate

λ

n

∈ h

0; 1

i

inreasedonebyaonstantvaluestepload

hange,

•

timedependhangeof thenominalfailure rate

λ

n

-funtional dependeny-theloadof thesubsystem

ishangedwithtimepassedfromspearedsubsystemfailure,

1. linear,

2. nonlinear.

Let's assume that the destabilization of the system does not our immediately after the rst delay on

thenetwork aused by insuient ontroller's hardware ornetwork's parameters. Thus, the quasi-redundant

ontrollerdoesnotfailimmediatelybutin thisaseitsfailurerateinreaseswhihorrespondonsequentlyto

adereasedreliability.

Thus,inaseoftheativeredundantdependenywesupposethataquasi-redundantsubsystemhassuient

apaitiesinordertofollowitsprimarymissionaswellasthemissionofthefailedsubsystem(orsubsystems).

A singlestephange of thenominal failure rate ofthe subsystem isonsidered in the aseof subsystems

wherethefailurerateofthequasi-redundantsubsystemishanged(inreased)onebyaonstantvalue(Fig.3.4)

during its life time. Thus, the new inreased failure rate

λ

′

remains onstantduring further life time of the

subsystem. For example,let's suppose aNCS with twoEthernet networks where one of them hasfailed and

onsequently the systemis reongured and all nodes (omponents) start to ommuniate through the

non-failednetworkwhihhasasuientbit rateapaityinorderto transmitalltherequireddata. However,the

amount of data has beeninreased whih onsequentlyinreases the probability of pakets' ollisions(under

theassumptionof alassialCSMA/CDprotool,for instane). Thus, theprobabilityoffailure (failurerate)

hasbeeninreaseduptothenewvalue

λ

′

.

Athirdaseonsidersthehangeofthenominalfailurerate

λ

n

whihdependsonthetimepassedfromthe

momentofthefailureuntilurrenttimeoftheworkingofthequasi-redundantsubsystemwhihenapsulatesthe

exeutingneessarytasks(own tasksaswellas tasksofthefailedsubsystem). Thus,afuntionaldependeny

has to be onsidered. This dependeny of the hange of the failure rate

λ

n

ould be desribed by a linear

or nonlineardependeny/ funtion. We ouldstudy the previousexampleof the systemwith twonetworks.

However,in this asethebit rate oftheseond (non-failed) networkis notsuient. Consequently delaysin

datatransmissionaswellasotheronsequentialundesirable problemssuh assystemdestabilizationmightbe

aused. Weansupposethat thenon-failed networkwill failin sometime. Thus,thenominal failure rate

λ

n

oftheseond network isnowtimedependentandis linearlyornonlinearlyinreaseduntil thesystemfailure.

Mentionedexampleswithrelatedequationsarefurtherdisussedinmoredetails.

Let'ssuppose that the reliability ofthe system

R

(

t

)

, probability of thefailure during time interval

h

0;

t

i

,

(suhasthenetworksinthepreviousexamples)whereasthesubsystem

S1

willfail atrstandthenthe

quasi-redundantsubsystem

S2

willfollowbothmissions (

S1

and

S2

). Ingure3.4 areshowntwoabovementioned

senarioswhenthenominalfailurerate

λ

n

ofthesubsystemisinreasedbyaonstantvalueorbyavaluewhih

ouldbedesribedas alinearornonlinearfuntion(funtionaldependenies).

Atrstinreasingthefailurerate

λ

n

onetimebyaonstantvalue(seeFig.3.4)willbedealt. Itorresponds

tothereliabilityredutionofthequasi-redundantsubsystem

S2

byinreasingthefailurerate,duringitsmission,

from its nominal value

λ

n

upto new

λ

′

. Consequently, thesystem will followits primary mission thanks to

theQRsubsystem

S2

butitsfailure rateisalreadyinreasedandonsequentlytheprobabilityoffailure of

S2

is higher. The dierene betweennominal

λ

n

andinreased

λ

′

failure rate will be alled derease fator

d

R

.

Thus,thementionedonstantvalueisharaterizedbythedereasefator

d

R

oftheQRsubsystemandanew

hangedfailurerate

λ

′

atthefailtime

t

f

isgivenbythefollowedsimpleformula:

λ

′

=

λ

n

+

d

R

(3.1)

ThefailurerateinreasesonlyonetimebythespeiedvalueandtheQRsubsystem

S2

withanewonstant

failurerate

λ

′

willfollowbothmissionsofitsownmissionand missionofthefailedsubsystem

S1

.

Theseondaseshowningure3.3onsidersthereliabilityredutionwherethefailurerate

λ

n

isinreased

duringtheworkingofthesubsystem

S2

byaspeieddereasefator. Thishangeofthenominalfailurerate

dependsontimewhereaswithtimeextendingthefailurerateofthe

S2

isgotnearto1(systemfailed). Thus,a

dereasefuntion

f

d

R

(

t

)

isrepresentedbyalinearornonlinearharateristianddependsontherealsubsystem

whihisonsideredasquasi-redundant. Thus,aninreasedfailurerate

λ

′

ofthesubsystem

S2

dependsontime

tandisgivenbythefollowingformula:

λ

′

(

t

) =

λ

n

+

f

d

R

(

t

)

(3.2)

As it was mentioned, the derease funtion

f

d

R

(

t

)

an be represented by a simple linear funtion, for

example,

λ

′

(

t

) =

λ

n

+

d

R

10

−

3

(

t

+ 1

−

t

f

)

(3.3)

where

t

+ 1

allowshangingthenominalfailure rate

λ

n

atthemomentofthefailureattime

t

f

.

Ontheothersideanonlinearexponentialfuntionanbeonsideredasfollows:

λ

′

(

t

) =

λ

n

+

e

d

R

(

t−t

f

)

(3.4)

where

λ

′

is the valueof the inreased failure rate,

λ

n

is the nominal failure rate of theomponent,

t

f

is

thetimeofthefailureoftheomponent,

d

R

isthedereasefatorwhihhasadiretinueneontheinreased

failurerate.

3.4. Appliation to a mini-drone heliopter. TheNCCstrutureisapplied fortheontrol ofafour

rotorsmini-heliopter(Drone,Fig.3.5). Theproposed ontrol strutureforthis realmodel isasfollows. The

NCCarhitetureisomposedofoneprimaryontroller(Master)andoneseondaryontroller(Slave),thirteen

sensors,fouratuatorsandtwoommuniationnetworks.

The Master is designed for attitude stabilization (ontrol) through Slave ontroller for angular veloity

ontrolforeahpropeller. Theaimoftheontrolistostabilize oordinatesoftheheliopter[10℄.

The ontrollersare used as quasi-redundant omponents within the presented networkedasade ontrol

system (further only NCCS). They use the sameontrol algorithm (propeller's angular veloity ontrol) but

withdierentinputdata(setpoint,systemoutput,et.)

Hene,in aseof failure, oneof them ouldretransmit alltherequireddata to anotherone,whereas

pre-programmedontrolalgorithmshouldomputetheatuatingvalue. Thus,thefailedontrollerisreplaedbya

seondonewhihstartstoomputetheatuatingvalue.

Otherquasi-redundantparts ofthisontrolstruturearenetworks(Fig.3.6). Asintheaseofontrollers,

one of the networks an ompensate another one after a system reonguration. Usually, two networks are

primary designeddue to redutionamountof transmitted data. However, in aseof network failure all data

ouldberetransmittedthroughtheseond one.

The desribed approah for subsystem's failure ompensation by usingthe sharedredundany requires a

logial reonguration of the NCCS. Thus, in ase of failure the hardware onguration is non-touhed but

Fig.3.5.Casadeontrolstrutureofamini-heliopterwithonenetwork

Fig.3.6. Casadeontrolstrutureof amini-heliopterwithtwonetworks

4. Simulation and results. All thepresentednetworkedontrolarhitetures(Fig. 3.5,3.6)were

mod-elledbyusingPetrinets. Thistoolwashosenthankstoitsabilitytomodeldierenttypesofomplexsystems

and dependenies within them. Toprovide the reliability analysis,the Monte Carlo simulation (further only

MCS)method wasused. Themultiple simulationsofthemodelled arhiteture[1℄areprovidedto obtainthe

reliabilitybehaviorofthebasitwoquasi-redundantomponents(forexampletwoontrollersinCCSstruture).

Modelofthesystemoversthesimulationoftherandomeventsofthebasiomponentsofthesystemsuhas

sensors,ontrollersandatuatorsaswellasthenetwork'srandomfailures. Softwareusedformodelpreparation

isCPNToolswhihallowmultiplesimulationofthemodelinordertoobtainstatistiallyrepresentativesample

oftheneessarydatatodeterminethereliabilitybehaviorofthestudiedmodel.

As it was mentioned, the simulation of the simple two quasi-redundant omponents with all onsidered

hanges ofthefailure rate(single,linear,nonlinear)wasprovided. Thus, newfailure rate

λ

′

ofthenon-failed

omponentisomputedbyusingequation(3.1),(3.3)and(3.4).

This hange ould be alled as single hange beause the omponent's failure rate is hangedonly one

duringtheQRomponent'slifetime. Bothomponentshaveequalnominalfailurerate

λ

n

= 0

.

001

.

Fewexamplesoftheinueneofthesinglestephangeofthefailureratebythespeieddereasefator

d

R

tothereliabilitybehaviorareshowningure4.1. Weanseethereareveurves.Twonon-dashedurvesshow

Fig.4.1. Inueneof theinreased failure rateof theomponentby a onstantdereasefator

d

R

tothereliabilityof the

systemomposedoftwoquasi-redundantomponents

Table4.1

MTTFFofSimulatedControlStruturesWithDierentDereaseFators

Dereasefator

d

R

MTTFF-Drone(Fig.3.5) MTTFF-Drone(Fig.3.6)

0

55(+11%)

58(+22%)

2

∗

10

−

3

54(+9%)

56(+17%)

10

−

2

53(+7%)

54(+13%)

59

∗

10

−

2

50

.

5(+2%)

49(+3%)

0

.

999

49

.

6

47

.

6

omponents withoutredundant relationrst urve from the bottom). These twourvesdetermine borders

wherethereliabilityofthestudiedsystemanbehangeddependingonthevalueofthedereasefator

d

R

.

Asweanseefromgure4.1,asingleinreasingofthenominalfailurerate

λ

n

ofthenon-failedomponents

bythesamevalueaswasnominalfailurerate

λ

n

upto

λ

′

= 0

.

002

(

d

R

= 0

.

001

)auseasigniantredutionof

thereliability.

Table4.1showseveralvaluesofthelifetime(parameterMTTFF)forthestudiedsystem.Eahtable(Table

4.1, 4.2, 4.3) showsthelife timeof the studied omponentsasativeredundant subsystems

(

d

R

= 0)

and as

independent subsystems

(

d

R

= 0

.

999)

. From thevalue of the derease fator

d

R

= 0

.

01

the life time of the

systemsigniantlyimproves(

18%

andmore). Theresultsofthelinearandnonlinearfailurerateinreasingare

shownintables4.2and4.3. Inalltablesarenotedtheperentualvalueoftheinreasedlifetimeorresponding

tothedereasefator.

Table4.1 shows the MTTFF parameters of both omplex mini-heliopter strutures. In the rst drone

struture (Fig. 3.5) two quasi-redundant ontrollers are onsidered. In the seond struture (Fig. 3.6) two

groupsofquasi-redundantsubsystemsareonsideredandsimulatedtheontrollersandthenetworks.

Inallsimulatedsystemswasobservedtheinueneofthesinglestepofthefailureratebyavaluespeied

bythedereasefator

d

R

. Thesameasintables4.14.3,thereareshownthelifetimeofsystemorresponding

todierentdereasefators

2

.

10

−

3

,

10

−

2

,

59

.

10

−

3

. Weanseethatinreasingtheomponent'snominalfailure

rate

λ

n

byadereasefatorequalto

59

.

10

−

3

,whihrepresentsapproximately

59

timeshigherthefailurerate,

hasasigniantinueneto dereasingthelife time ofthe system. Theresultsarealittlebit betterthanin

theaseofthesystemwithoutredundantomponents

(

d

R

= 0

.

999)

,butweouldseethat theyarealmostthe

same.

Thedrone'sstrutureomposesoftwenty(twenty-onestruturewithtwonetworks)omponentsthirteen

sensors(

3

gyro-meters,

3

magneto-meters,

3

aelerometers,

4

rotors'angularveloitysensors),twoontrollers,

fouratuatorsandone(two)networks. Duetothehighratioofindependentomponentsandsharedredundant

omponentswithinthedrone'sstruture(

18

independentand

2

quasi-redundantFig.3.5)thereisadierene

betweenlife timesforminimaland maximal

d

R

issigniantlysmaller(about

11%

and

22%

)thanin thease

Table4.3

MTTFFoftheTwoQuasi-RedundantWithLinearInreasingoftheFailureRate

λ

n

= 10

−

3

At. red.

d

R

= 10

−

3

_d

R

= 10

−

2

d

R

= 10

−

1

Noredundany

(

d

R

= 0

MTTFF[Tu℄ 1503(+300%) 1153(+231%) 812(+63%) 611(+22%) 499

subsystemthan in thedrone'sase. As itwasmentionedabovethis isaused bythe dierenein omplexity

betweenbasianddrone'sNCCarhiteture. Inaseofomparisonbetweentwodronesstrutures(Fig.3.5,3.6)

theresultsarebetterforarhiteturewithtwonetworkswhihisomposedoftwoquasi-redundantsubsystems

ontrollers(Master,Slave)andnetworkswhenthedereasefatorissmallerthan

59

.

10

−

3

. Theinreasingofthe

nominalfailureratebythedereasefatorgreaterthan

59

.

10

−

3

signiantlydereasesthelifetimeofthedrone.

Ontheotherside,eveniftheontrollerloadingwillhangeitsfailurerateapproximatelytentimes

(

d

R

= 10

−

2

)

thesystem'slife timeisabout

7%

longerthanin theaseofthesystemwithoutasharedredundantapproah

implementation.

4.1. Reliability approximation. Inpreviousartilestateswefousedon thedesriptionof the

depen-denies among QR omponents and their inuene to the nal reliability of the systems. The aim of this

researh is to propose a simple analytial method whih desribes the reliability behavior of the shared

re-dundant subsystems withdynamially hanged failurerate. Hene, in nextstates weintrodue ananalytial

equationwhihallowsapproximatingthereliabilityofthetwoomponentsystem. Ofourse,aquasi-redundant

approahisonsidered. Thus,anallysimplemethodforthedependabilityanalysisisproposedasanextension

of theommon known methods for the dependability analysis. The proposed method forreliability behavior

approximationsupposesthat bothquasi-redundantomponentshavethesameorsimilarnominal failure rate

wheredierenesaresmallandouldbeignored. Asitwasmentionedabove,thesystemomposedoftwoQR

omponentsisonsidered. Inthisasestudy,weintrodueonlytheresultsforreliabilityapproximationwhere

asinglestephangeof the failurerate (furtheronly FR) is onsidered. ThisFR behavioris desribed in the

previouspartof the artile(3.3) byequation 3.1. Thus, let's supposetwo QRomponentswith thenominal

failure rate

λ

n

and dene thederease fator

d

R

, then the reliability

R2

qr

(

t

)

behavior of the QRsubsystem

omposedofbothomponentsanbedesribedasfollows:

R2

qr

(

t

) = 1

−

2

Y

i

=1

(1

−

e

−

(

λ

_n

+

k

_i

d

_R

)

t

)

(4.1)

where

k

i

istheapproximatedoeient.

The parameterderease fator

d

R

and approximated oeients of equation 4.1 are shown in table 4.5.

Ineah row ofthe table is shown thederease fator with the orresponding valueof the oeients

k1

and

k2

. Thetable showsseveraldierentvaluesofthedereasefatorwhereasnon-mentionedvaluesanbeeasily

approximatedbyusinganappropriatemethod.

Themaximalerroroftheapproximationgivenbytheparametersoftheequation4.2islessthan1

R2

λ

n

(

t

) = 1

−

2

Y

i

=1

(1

−

e

−

(

λ

_n

+

dR

2

)

t

)

(4.2)

where

d

R

isthedereasefatorand

λ

n

thenominalfailurerateoftheQRomponents. Itisneessarytoexplain

that theerror ofall theapproximationsonvergeto thehighest mentionedlimits(1% fortable's oeients)

Table4.4

MTTFF oftheTwoQuasi-RedundantWithExponentialInreasingoftheFailureRate

λ

n

= 10

−

3

At. red. (

d

R

= 0

)

d

R

= 10

−

3

_d

R

= 10

−

2

d

R

= 10

−

1

Noredundany

MTTFF[Tu℄ 1503(+300%) 902(+80%) 676(+35%) 537(+8%) 499

Table4.5

ParametersofEquation4.1foraSingleStepFRChange

Dereasefator

d

R

k

1

k

2

λ

n

0

.

44

0

.

52

2

λ

n

0

.

39

0

.

395

3

λ

n

0

.

28

0

.

393

4

λ

n

0

.

198

0

.

434

5

λ

n

0

.

154

0

.

46

6

λ

n

0

.

13

0

.

4653

7

λ

n

0

.

11

0

.

46

8

λ

n

0

.

099

0

.

471

9

λ

n

0

.

09

0

.

46

10

λ

n

0

.

081

0

.

463

20

λ

n

0

.

0445

0

.

38

30

λ

n

0

.

0296

0

.

377

40

λ

n

0

.

0225

0

.

385

50

λ

n

0

.

0182

0

.

3518

70

λ

n

0

.

0133

0

.

3284

80

λ

n

0

.

011625

0

.

32475

100

λ

n

0

.

0094

0

.

3332

4.2. MTTFparameterapproximation. Eahquasi-redundantsubsystemdoesnotexeedthelimitsof

thebound oftheminimal (

M T T Fmin

) andmaximal timelife (

M T T Fmax

)of thequasi-redundantsubsystem.

The parameter

M T T Fmax

represents the maximal time life of the QR subsystem whih ould be obtained

when the onditionsare equal to the onditions of thesubsystem with ative redundant omponents. Thus,

the nominal failure rate of the non-failed omponent is not hanged when its load has been inreasedthe

ase when thederease fator is equalto zero. Thelowest life time limitould bedened by theparameter

M T T Fmin

whih haraterizesthe subsystem omposed of the independent omponents. Thus, when one of

the omponents fails the system is onsidered as failed. In term of the derease fator, it is equal to 1 or

(

1

−

λ

n

)for asinglestepFRhange. Let'ssuppose thesystemlife time limitedbythebound dened bythe

MTTFparametersuhas

h

M T T Fmin

;

M T T Fmax

i

. Thesetwoparametersouldbefoundbysolvingthesimple

followingequations[15℄:

M T T Fmin

=

Z

∞

0

n

Y

i

=1

R

i

(

t

)

dt

(4.3)

and

M T T Fmax

=

Z

∞

0

(1

−

n

Y

i

=1

(1

−

R

i

(

t

)))

dt

(4.4)

where

R

i

(t)isthereliabilityofeahomponent.

Inthenalpartoftheresultspresentationwedesribedthelife timeinreasingofthetwoomponentQR

subsystem withregardto thelife timeparameter

M T T F

min

whereasvariousvaluesof thedereasefator

d

R

areonsidered. Weonsideritasasimpleandfastmethodforlifetimeapproximation. Theresultsareshownin

table4.5. Asinthepreviouspartofthisasestudy,weonsideronlytheinueneofthesinglestepinreasing

ofthenominalfailure rateto thenallife timeofthetwoomponentsQRsystemharaterizedbyitsMTTF

parameter. Inthe rstline, thefailure rate ofthenon-failed QR omponentharaterizedbythe multiple of

thenominal failurerate

λ

n

. Theseond lineshowstheorrespondingMTTFparameterperentageredution

withinthelimitsdenedbytheabovementionedintervalofthemaximalandminimallifetimes(MTTF).The

MTTFvaluesintrodued intable 4.5arerounded,henethemethoderrorisabout

+

/

−

2

forthemultiple of

fator,theapproximatederrorisabout

+

/

−

1

ofvaluesshownin thetable. Thus,in theaseofverysimilar

analysis resultof onsidered omplexstruturesit is neessaryto prepare theexatmodel in order to obtain

amoreexatMTTFparameterredution. This method ouldbeused forthe QRsubsystemswith thesame

failurerateorforthesystemwhendiereneamongthenominalfailurerate

λ

n

oftheomponentsisverysmall

andanbeignored. IntheaseofanominalFRsmallerthan

10

−

2

,theinreasedvalue100.

λ

n

shouldrepresent

approximately0.1 whereasthe errorould behigher. Then, it ould beuseful that the valueof nominal FR

determinedforatimeintervalTtransformstothegreatervalueforashortertimeinterval(unit).

5. Conlusion. Thepapershowstheinueneofadditionalreliabilitydereasingofthequasi-redundant

omponent to entire reliability ofthe studied system. Thedesriptionof this dependeny is gettingloserto

show thebehaviorof thesystemreliabilitywhen ashared redundanyapproahis implemented. Theresults

shown in tables 4.14.3 ould be very helpful in order to approximate the life time of the quasi-redundant

subsystemsunder dierentonditionsofthefailurerateinreasing. Thepresentedasadeontrolarhiteture

is suitable for a shared redundany approah implementation and ould be applied to similar systems. For

example, Steer-by-Wire ontrol [16℄ of two front wheels in a ar, et. In addition the paper has shown the

onventionalasade ontrolstruture within onditionsof networkedontrolsystemsasnaturallysuitableto

protfromquasi-redundantsubsystemsasnetworks,ontrollersandpotentiallysensorsifthephysialproess

allowsit. Despiteof someonstraintsforusingthis typeofontrol,theasadearhitetureis widelyusedin

industrialontrolappliations. Hene,onlythereongurationalgorithmshouldbeimplementedtotakeprot

fromquasi-redundantsubsystems.

Thease study presentedin parts 4.1 and 4.2 (results setion) extends the eld of ommon methods for

reliabilityapproximation. Equations(4.1,4.2)areonsideredassimpleand fastanalytialmethod inorderto

evaluatethereliabilityofthesystemswhihoverstwo-omponentQRsubsystemswithsinglestepFRhange.

Themainadvantagesofthequasi-redundantomponentsouldbesummarizedasfollows:

•

The system is omposed only of neessary omponents (parts) for following the primary mission of

thesystemwhereashighersystemreliabilityisensuredwithoutusing anyadditionalativeredundant

omponents.

•

Following the rst point we ould suppose less number of omponents used for saving the ontrol

mission. Thus,theeonomiaspetouldbesigniant.

•

Preventionofthesystem'sritialfailure whenaQRsubsystemhasnosuienthardwareapaities.

REFERENCES

[1℄ J.T.Spooner,K.,M.Passino,Fault-TolerantControlforAutomatedHighwaySystems,inIEEETransationsonvehiular

tehnology,vol.46,no.3,1997,pp.770785.

[2℄ F.Guenab,D.Theilliol,P.Weber,Y.M.Zhang,D.Sauter,Fault-tolerantontrolsystemdesign:Areonguration

strategybasedonreliabilityanalysisunderdynamibehaviouronstraints,in6thIFACSymposiumonFaultDetetion,

2006,pp.13871392.

[3℄ J.C. Laprie, H.Kopetz, A.Avi

˘

z

ienis,Dependability: Basi Coneptsand Terminology, Chapter1,Springer-Verlag/ Wien,ISBN:3-211-82296-8,1992.

[4℄ A.Mehraoui,Z.H.Khan,J.-M.Thiriet,S.Gentil,Co-designforwirelessnetworkedontrolofanintelligentmobile

robot, inICINCO09International Conferene on InformatisinControl, AutomationandRobotis(ICINCO), Italie

(2-5July2009),pp.318324ISBN:978-989-674-000-9.

[5℄ R.Ghostine,J.-M.Thiriet,J.-F.Aubry,M.Robert,AFrameworkfortheReliabilityEvaluationofNetworkedControl

Systems,in17thIFACWorldCongress,July611,2008pp.68336838.

[6℄ C. Brosilow, J.Babu,TehniquesofModel-BasedControl,PrentieHall,2002,h.10.

[8℄ J.Wysoki,R.Debouk,K.Nouri,Sharedredundanyasameansofproduingreliablemissionritialsystems,in2004

AnnualSymposiumRAMSReliabilityandMaintainability,2004,pp.: 376381.

[9℄ M.Bebbington,C-D.Lai,R. Zitikis,ReliabilityofModuleswithLoadSharingComponents,inJournalofAplied

Math-ematisandDeisionSienes,2007.

[10℄ P.Pozsgai,W.Neher,B.Bertshe,ModelstoConsiderLoad-SharinginreliabilityCalulationandSimulationofSystems

ConsistingofMehanial Components, inIEEEProeedings annualreliabilityand maintainabilitysymposium,2003,

pp.:493499.

[11℄ J.Galdun,J.Ligus,J-M.Thiriet,J.Sarnovsky,Reliabilityinreasingthroughnetworkedasadeontrolstruture

onsiderationofquasi-redundantsubsystems,inWorldIFACCongress,Seoul,SouthKorea,2008.

[12℄ J. Galdun, R. Ghostine, J. M. Thiriet, J. Ligus, J. Sarnovsky,Denition and modelling of the ommuniation

arhiteturefortheontrolofa heliopter-drone,in8thIFACSymposiumonCostOrientedAutomation,2007.

[13℄ J.Ligusova, J.M. Thiriet, J.Ligus, P.Barger,Eetof Element's Initializationin Synhronous Network Control

SystemtoControlQuality,inRAMS/IEEEonfereneAnnualReliabilityandMaintainabilitySymposium,2004.

[14℄ S.I.Niolesu,StabilitésystèmesàretardAspetsqualitatifssurlastabilitéetlastabilisation,Diderotmultimedia,1997.

[15℄ I.Stary,Spolehlivostsystému,(inCzeh),CVUT,Prague,ISBN80-01-01756-7,1998.

[16℄ G.Leen,D.Heffernan,ExpandingAutomotiveEletroniSystems,inComputerIEEE,Vol.35,2002,pp.8893.

Editedby: JanuszZalewski

Reeived: September30,2009