A Redundancy Notebook

o ~RADCs'Tf-77-2h?
A REDNWSCY NOTEBOO
_4 4
Apparoed for publit rele~as; ditettbut1im unl~nted.
I tKME AM OMVLOPAtWT CEK4TE

Air Forn Sdemi Comwu~d
Odffins Air Form Same. Now Yfork 13441
This report has been reviewed by the UN Information Office (01) and
is relesble e i the Astiomal Techbmcol I•mratlon Service M ). At IYAT
It will be rel rsable to the general publi•, inelSaing foreign uatious.
IUWY -7 has been

4 eviwvd and Is approved for publicatlaxk.
DWIDD r MM33
Chieo, f*1lability Brench
JOBUR J. 3M25?C
Chief, lelatbility and Compatibility Divisitn
Acting Chief, Plans Office
If your addreas has changed or If you wish to be removed from the NADC
"nailing list, or if the addresse. is no longer employed by your organisation,
ploeat-notify UADC (333?), Griffit. APB NY 13441. This will assist us in
saintaining a current mailing list.
Do not return this copy. Retain or destroy.

SCURITY CI.A*,II4CATiON OF THIS PAGE (When Daleta Entered,
REPORT DOCUMENTATION PAGE READ INSTRUCTIONS
BEFORE COMPLETrNn FORM
I. 1 EPOT
ER NIR 2. GOVT ACCESSION NO. 3. RILCIPIEoT'S CATA'..OG NUMBER
1, W 77l) S. TYPE OF REPORT & PERIOD COVERED
I, /" -- ' 'In-House Report

LAI •DUZNDANCY NOTEBO J 6. PERFORMING ORO. REPORT NUMBER
_ _ _ _ _ _ _ _ N/A
7. AUTHOR(e) S. CONTRACT OR GRANT NUMIER(e)
N/
4 Jerome/ýKlion
S. PERFORMING ORGANIZATION NAME AND ADDRESS I0. PROGRAM ELEMENT, PROJEC7, TASK
Rome Air Development Center (RDRT) NIU1
Griffiss AFB NY 13441 J" " 7/a F=

II. CONTROLLING OFFICE NAME AND ADDRESS 12. REPORT DATE
Rome Air Development Center (RBRT) Deqg.77

NUMR 0Il •
AFB NY 13441
[
Griffiss
I. MONITORING AGENCY NAME & ArIDRESS(If difierll i

frow Controlling Office) 15. SECURITY I In_ro t)
Same
SUNIaCLA~SIFED-
ISa. DECL ASSI FI CATI ON/DOWN-GRADING
SCHEDULE
It. DISTRIBUTION STATEMENT (of shid Report)
Approved for public release; distribution unlimited.
17. DISTRIBUTION STATEMENT (of tlie obstract entered In Block 20, If different from Report)
Same 0
1I. SUPPLEMENTARY NOTES
None
1S. KEY WORDS (Continue on rever.e side if necessary end Identify by block number)
Reliability
Electronics
Redundancy
A SSRACT (Continu oan revero e side If necesesry end ident.ty by block nurnbir)
The objective of the report is to present in a coherent fashion the information
and tools necessary for the evaluation of most types of redundancy design
configurations with which a reliability engineer is faced. The report contains
a number of alternative evaluation approaches, both classical and unique.
Closed form results and algorithms are derived for the evaluation of the
reliability of various types of redundant configurations.
DD 1oA. 1473 EDITION OF I NOV 0S IS ODSOLE•i UNCLASSIi;*)

SECURITY CLASSIFICATION OF THIS PAGE (When Deie Igntered)
TABLE OF CONTENTS
Page
Chapter
1. Introduction and Background I
2. Models for Non-Repairable Systems 7
2. 1 Full on Redundancy (Single Survivor) 7
2.2 Full on Redundancy (D Survivors) 10
2.3 Full on Redundancy (Statc Transition Model) 10
2.4 Standby Redundancy (Single Survivor) 11
2.5 Standby Redundancy (D, Survivors) 14
2.6 Standby Redundancy (With Switching) 16
3. Repairable Systems 22
3.1 Analysis of a Singlc Unit 22
3.2 Combined Units Approach 28
3.3 Markovian Approach (Full on Redundancy) 29
3.3.1 Markovian Approach For Availability Measures 31
3.3.2 Markovian Approach For Reliability Measures 33
3.4 Markovian Approach (Stanvlby Redundancy) Availability Measures 35
3.4.1 Markovian Approach For R ]liability Measures 37
3.5 State Expectation/Transition Model 38
3.5.1 Full on Redundancy 38
3.5.2 Standby Redundancy 42
3.6 System Failure Rate Approach 44
3.7 Systems Periodically Maintained 50
3.8 Impact of Redundancy on Maintainability 52
3.3.1 Impact of Redundancy on Mean Time to Repair 52
3.8.2 Effect on Total Maintenance Time 53
3.9 Efficient levels of Redundancy 54
• ~~~~~.......
. ... . . . . .. .
iti
Appendices
A Derivation of MTBF Relationship 57
B Markovian Analysis 59
iv
LIST OF TABLES
TABLE PAGE
1.1 Summary of Redundancy Topics 2
LIST OF FIGURES
FIGURE
1.1 Two Redundant Units 5
1.2 Three Series Units 5
2.1 L Redundant Subsystems in Series 7
2.2 X*M Relationships for Full On Systems 9
2.3 X-M Relationsbips for Full On Subsystems 12
2.4 Switched-in Redundancy Example 13
2.5 X.M Relationship for Standby Redundancy 15
2.6 Comparison of Standby and Full on Redundancy 16
3.1 State Space 'iiagin-'is for Reliability and Availability 30
3.2 Truth Table for A Rt-lundant System 31
3.3 Division of Equipnaent A Into Any Number of Modules 55
3.4 Reliability Improvement as a Consequence of Partitioning 56
"4,V
I
CHAPTER 1
INTRODUCTION AND BACKGROUND
1.1 The subject of redun,::ncy has been a popular topic for papers on reliability since the late 1950's.
Most pro~,ably Von Neumann's contributions in the 1940's relative to the application of Majority
Voting schemes to computers provided the nucleus for much of this work (although his original efforts
were not concerned primarily with improving electronic hardware reliability). Although many authors
wrote on the more simplistic features of redundancy, three stand out as those who are referenced
frequently in papers by other authors: Balaban (4)*, Moskowitz (28), and Kneale (25). They wrote
primarily about unittended redundant systems, for the most part ignoring the effect of sensing and
switching elements. The impact of such factors was considered later by such people as Grisamore (11)
and Aroian (2). In all of these, the figures of merit of concern were Reliability, expressed as the
[ probability
First Systemthat the systems would remain operational over a given period of time, and Mean Time to
Failure.
"In
the early 1960's, interest began to center on formulations for redundant systems which were
,' maintained. At this time, the traditionai reliability figures of merit were augmented by an additional
figure of merit called Availability. During this era the primary tool used was the Markovian process.
The foremost pioneer investigators in the arei of maintained systems were Barlow and Hunter (6),
who introduced what is now Known as the Availability measures (both time dependent and limiting)
for full on systems. Shortly thereafter, Epstein awid Hosford (17) for the first time defined the
reliability, probability of no system failure over a oeriod of operating time, and mean time to first
failure of both full and standby redundant configurations. Later Dick (12) defined the Availability
figures of merit for a group of two unit redundant systems uader different operational scenarios.
The Markovian Procedure was in general rather cumiersome to use and as a consequence, in the
years that followed, approximation procedures were a topic of quite a few papers; for examnple,
McGregor (27), Applebaum (1), and Einhom (16). Dick (13) was the first to develop a rather simple
approach to evaluate the mean time to first failure of a full on redundant system.
The purpose of this report is twofold:
(a) to present the information and tools necessary to evaluate most of the' types of
redundancy problems with which a reliability engineer is faced;
(b) to present new simplified approaches to redundancy analyses which provide time savings
compared to tie classical methods.
As indicated previously, many papers have been published about redundancy. Most are repetitiois,
except for minor variations. Those that are nox repetitious are published in various reports or
symposium proceedings, widely separated by years.
To the typical analyst charged with the evaluation of the reliability of a redundant method, this
presents serious problems. What is required, and part of the subject to which this document pertains,
is a survey of the basic redundancy literature to make available in a single document, information such
that the vast majority of redundancy design applications encountered can be evaluated.
For the most part, the most widely used and strongest evaluation techniques available are complex
and time-consuming to apply (especially for repairable redundant networks). This document contains
unique evaluation approaches and/or results which are in many instances less complex and less
time-constrming than the traditional approaches.
A summary of the subjects covered in this thesis is shown in Table 1. 1.
1.2 Background
In order
systems to cope
have been with the military
compelled technological developments of the past fih -n years, electronic
to expand in b~oth sitze and complexity at a rapid ,.Ite. Of equivalent
importance to the need for this growth has been the coincidental need for greater system reliability and
maintainability. As military and space requitements necessitate the construction of even more
complex systems, the contemporary philosophies of reliability and maintainability will become
inadequate for the successful performance of mission objectives. The most severely affected systems
will be those on which maintcnance cannot be performed, such as satellite-borne ;ystems, and
TABLE 1.1
A SUMMARY OF REDUNDANCY TOPICS
NON-REPAIRAI3LE SYSTEMS REPAIRABLE SYSTEMS
Full on Redundancy Full on Redundancy
- Traditional Approach
I
o Markovian Approach
&State Analysis Approach , Combined Unit Approach
• Expectation/Transition Approach
System Failure Rate Approach
Standby Redundancy o Periodically Maintained
* Traditional Approach Systems
Perfcct Switching * Impact of Redundancy on
Imperfect Switching Maintainability
Efficient Levels of Redundancy Standby Redundancy
- Markovian Approach
• Expectation Transition Model
strategic military systems where the luxury of even a small down time cannot be afforded. At this
time, the only recourse to such situations is the creation of components of increased reliability or the
application of redundancy.
In order to increase the reliability of complex electronic systems, a constant effort is made to
improve the reliability of the component parts comprising s.,ch systems. The rate of improvement of
component part reliability, however, lies significantly below the rate of increase of system
complexity. In addition, it must be realized that the attainment of l0Vk reliability for a component
part is impossible. The only recourse then is redundancy (the addition of duplicate elements).
Redundancy may be achieved in many ways. Each has its advantages (reliability gain) and its
diadvantages (the number of duplicative elements required which impact on total system weight.
cost, volume). The purpose of this report is to explain the rationale for each type of redundancy
considered and to develop means of evaluation such that the reliability potential of each may be
assessed and tradeoffs made.
1.2.1 Measures of Reliability
The following reliability measures will be used in this study. (1) Mean Time to Failure M4; (2)
Probability of Failure free operation for specified time t, denot, d by R(t); (3) P(t), the probability that
a system will be functioning at time t. For the non-maintained system R(t) P(t) and for the
maintained system R(t) $ P(t).
The following reldtionships exist:
M= f t W(t)dt (1.1)
0
where W(t) denotes the failure density function.

Now:
•wWt= dR(t)(12
d- (1.2)
dt
2
Hence:
M- t dR(t) dt (1.3)
0 dt
Integrating by parts:
M- t R(t) ] + f'R(t)dt (X.4)

0 0
Now O'R(O) 0 and

t
- f h(x)dx
Jim t R(t)- Jim t e
t-_ _ 0
where h(x) denotes the hazard rate, i.e. h(x) - W(x)

Hence: R(x)
M1= f R(t)dt (1.5)

• 0
1.2.2 Definition of R(t):

Since the expression for R(t) is a probabilistic function, its fonnulation will involve the
B combination of probabilities (Reliabilities) of success, or survival (over a given period of time), for all
the units making up the system in question. Where redundancy does not exist, the failure of any one
unit results in system failure and R(t) is comprised of the product of the reliabilities (probabilities of
,airvival for a given period of lime) of all units comprising the system.
R(t) 4-•
rR(t), (1.6)
When the system is composed of redundant units, numerous possibilities for system survival exist
(with no redundancy the system can survive only if no units fail in the given period of time), hence
R(t) must be defined in terms of complex combinations of probabilities rather than as a simple
product. For this reason, the following section on simple probability theory will serve as necessary
background for the definition of R(t).
1.2.3 Probability Basics

I - Given t'•,' mutually exclusive events A and B, the probability of either occurring is the sum of their
probabilit c-,
PCA+B)= P(A) + P(B)
3
This follows from the fact that, in general, if we have K mutually exclusive events B,, B 2, B3 .. Bk,
then:
P (BI+B 2 .. Bk) E P(B )

i-i
If two events exist that are not mutually exclusive (say A and B), the probability of one or more
occurring is:
P(A+B)- P(A) + P(B) - P(AB)
For three such events:
P(A+B+C)- P(A) + P(B) + P(C) - P(AC) - P(AB) - P(BC)
+ P(ABC)
Generalizing to K non-mutually exclusive events Bp, B 2 ... BK, the probability of one or more of
the events occurring may be defined as:
K
P(B, + B, ... B) I P(B,) - P(BB 2)
- P(BB 3) - .... P(BK.IE,) + P(BIB2 B 3)

+ P(BIB2 B4 ) + P(BK.2 BK:.BK) + .....
+(-l) K-1 P(B,B, ... BK) .....
If events A,, A2 , A, . . .A are independent and the probability of occurrence of all events is
desired, the probability that all occur P(AA2A3 . . AK) may be calculated as:
P(A,Aj ... AK; = P(A)
Equating the term, event, with either a failure or a success and the probability of an event with the
probability of failure or the probability of success, the relationship between R(t) and probability
theory is immediately evident.
1.2.4 The Block Diagram

In order to complete the picture for evaluation of R(t), the concepts of probability must be applied
to the system block diagram. From the reliability block diagram, and the definition of each block's
reliability (probability of survival fer a given period of time) an expression defining system reliability
may be developed.
Figure 1. 1 shows such a block diagram made up of two units, A and .3. The system will operate
successfully if either unit A or unit B or both units are operative and will be considered as failed if
I4
both A and B fail.
Let us consider the event that A survives a period of operation and define the probability of such an
event as R(tA).
Let us consider the event that B survives a period of operation and define the probability of such an
event as R(to).
Note that the survival or failure of either A or B does not and will not affect the survival or failure of
the other, hence A and B are considered independent.
Note also that just Ubecause unit A survives, unit B does not have to fail and vice versa (both units
can fail or survive); hence the events are not mutually exclusive.
Therefore, the probability of system survival is equal to the probability that A or B or both survive.
P(A+B)- P(A) + P(B) - P(AB)

or R(t)" R(tA) + R(tB) - R(tA).R(tB)
Figure 1.2 shows a block diagram made up of three units: A,B, and C in series. The system will
operate successfully only if all three units are operative. The system will fail as soon as one of the
three fails.
Let us consider the events that A, B, and C survive a period of operation and define respectively the
probability of such an event for each R(tA), R(t9),.R(ti).
A I
rigure 1.1 Two Redundant Unit,
Figure 1.2 Three Series Units

i . :-. 5,
P(A, B, C") P(A)'P(B).P(C)
or p.(t)us R(tA).R(tB)R(tc)
1,2.5 Types of Redundancy:

The dscussioens that follow will concern themselves with two basic classes of Redundant Systems:
A. Systems which are redundant and which are non-maintained (failed units of a redundant
complex are not repa red or replaced). THis situation is commor, to unattended applications,
i.e., an unmanned field site, a satellite etc.
B. Systems which are redundant and maintained (failed units of a redundant comple. are
repaired Pnd replaced). This situation is common to attended applications, i.e., manned site.
For each class several types or varieties of redundancy are considered. In all cases we will assume
that the un;ts have times to failure bv.ving an exponential distribution described by the probability
density funct;'a:
r(t,X)- e- t t '. 0
X > 0
X- failure rate of unit
t- operating time in question, and
R(t)- f1r(t,X)dt- e-Xt- probability that unit will not fail

t
during operating time t. I
6J
"-I
I
~1
CHAPTER 2
RFUABILITY MODRS FOR NON-REPAMRABLE SYSTEMS
2.1. Full on Redundancy (Single Unit Necess'ry For Survival)
The most widely discussed form of reundancy for a situation not invoiving repair has been a
eries arrangement of a number of (N) redundan elements as shown in Figure 2.1. In this type of
recmdarcy, adi LeN units are continuously energized,* and it is assumed that so long as at least one.
unit is functioning properly on ,.ach of the L cascaded subaiystems, the system as a whole will operate
successfully. The reliability of such a redundant system is obtiined as follows:
Let: I.,
L number of cascaded subsystems composing the system.
N= number of continuously energized units comprising each subsystem.
X= failure rate of each redundant unit.
(For convenience, N cnd X are taken to be the same for all units comprising the system).
- Hence the tersa FulA on Redundancy.
p '
0 il
Hpve!2.1l .LRdiundavid Stbsystogiio ill So~ries
I7
We assume that the failure rate of each unit is given by an exponential distribution with parameter
A. Then we have:
- The reliability oi' any unit (i) equal R(t,) e".

- [The probability of any unit failing in time t)= I-ev.
- The probability of all N units in a subsystem failing in time t) 0 -e'"P.
- The pr•bability of at leaut one unit in a given subsystem surviving = [ !I-([.-e"a)N].
thus given by:
The probability of all L subsystems having at lesst one operating unit is
Sg~~(t)•[-(1€•)1 (2.1)
As shown earlier, the mean time to failure is J g R(t)dt. Therefore, the system meun time to
first failure is:
M- f{3.- (.-.e- )N)Ldt (2.2)

0
simple
After some manipulations, (see Appendix A), this expression reduces to the following
L k+1 L kN
M- 1/X E (-1) k Q i/s (2.3)
k-1 s==
The quantity of interest, XM, where:
MTBF of the s.steLm

MTBF of a unit
ii; thus given by:
L (-I) k-1kl ()
XM,- Ek kN
Es~ i/s (2.4)
k-1 S=1
N and L are shown ir.

"Themean times to failure of redundant systems which selected values ofsystem mean life over
Figure 2.2. As can be noted from this figure, order of magnitude increases in
element mean life are not possible unless extremely large values of N are employed. of N parallel
composed
A Special case is considered when L= i. This defines a single subsystem
that the relationship depicting reliability is:
(redundant) units. It follows from Equatl in (2.1)
SR(t)- I- (.-e-t) N (2.5)
I
L8
- m-2------'-- - - -
I
L
I
O14
10
NI
I
NL =ThtaI number of components in system. A factor of uvement of redundarnt
I
-Jstem mean Ilf over simplex system mean life may be found by multiplying the value
determined for AM by L. X= failure rate of a single system element: M system mean
life
FIgure 2.2. AM Relationships For FuN On Sytens
I wi¶h corresponding meantime to first failure:
N
= 1/\ : 1/ 1/\+ i./2) + 1/3) +... 1/NX(2.6)
jy6 2
I
Note that when N- 2, the familiar 2 unit redundancy example, we have:
-3
2X.
SThe above equations provide a means to develop the R(t) relationship for a system containing L
subsystems each with a different number of units N in parallel. Thus:
L N
R(t)- 11 [1- (1-e-xt ] (2.7)
with corresponding mean time to first failure given by:
L
X
M- f II [i- (1-e"t) Idt (2.8)
0 i-i
2.2 Binomial Redundancy (multiple operating units required); Full on Redundancy

considered as a large subsystem composed of N fully energized parallel units and requires a minimum
of D(DoCN) operating units (non-failed units) in order to operate.
IN This type of a system may be described probabilistically by the binomial distribution:
R(t)- Z (kN)(e Xt) k(l-e )N- k (2.9)

k D
with correspontding mean time to first failure given by:
N
M- f R(t)dt- 1/X E 1/k (2.10)
0 k=D
2.3 State Transition Model: Full on Redundancy

An alternate means of developing the reiationship for mean time to first failure is to consider the
concept of system states and tbe concept of transition from one state to another.
The system starts out initially with N units operating. Since we are not considering the concept of
repair in this plrticular situation, the system will expcrience a unit failure and be reduced to (N-1)
opcrting units; will eventually experience a second unit failure aud be reduced to (N..2) operating
units, etc., until only D units are operating. The next failure which occurs ,esults in only (D-l) units
operating and will caue the system to fail.
Let F6. (k = 0,1 .... N-D + 1)repreent the state that the sy: ;•;m has (N-k) units operating. Since
this is a non-rernihiable system, the system will transition from state EaN.to state Each state has
E
an average time to transition into the next possible state (E,_,, to T3 ..,) given by:
10
i ~~~M(NkN._) il/(N-k)
Xi= failure rate of each unit.

Since the transitions must occur in sequence, the mean time to transition from state E,, to k, is given
by:
N-D N-D
- I/X(N-k)
k-O (N-k/N-k-i) k-O
N
- z/x Z 1/k
k-D
and which corresponds to equation (2.10).

Nomalizing as before yields:
N
"XM- E 1/k (2.11)
: k-D
Figure 2.3 shows a plot of reliability improvement for this type of redundancy.
2.4 Standby Redundancy (sirigle unit necessary for survival)

A second type of redundant system which possesses a similar configuration to the system
pieuiously described, but employs switched-in redundancy is that illustrated in Fiiruar 2.4.
In this instance only one clement of each of the cascaded subsystems is activated at a time. Upon
failure of this element, the next element of the subsystem will automatically be switchcd into
operation. Until such a switch occurs, the standby clemewt is not energized and hence a failure rate
A= 0 is assumed. In order to hypothesize an alpper bound for the reliability of such a system, the V
failure rate of the switching device will be equated to 0.
In this model, the successive failures form a Poisson process with rate X. Then the reliability of the
system will be given by: N--I
R~t)- % p(r,t)
r-O
rn0 r!
where P(r,t) Probability of r failures in time t and Xt represents the number of failures expected in
tie time period t, ond N the number of redundant uuits composing each subsystem.
Since:
0~r:
0
11
* . -
we have the mean time to first failure as before,
M fe R(t) dr
0
N-I e -. t (,t)r
f•E -- dt
0 r-O r!
N-i
- r I/X
r-O
- N/X (2.13)
10-..... .... ....

. .. ... . .
2 7~
A, -
. ----
.6-- - -,............
S0.1
1 2 4 6 10 20 100
N = number of units in a subsystem

= fXlafre rate of any active subsystem unit
D =- number of units necessary for subsystem operation
Figure 2.3 XM Relationships for Full an Subsyrfems
12
I'- --
I'
and
AM- N. (2.14)
The reliability of a system composed of I. such subsystems may be shown to be:
Ri't) [-tEX (XI-" (2.15)

j. r=O 1.!
The mean time to first failure of such a system is given by:
N-i r L
M- 0 00 R(t)dt= f _ (At),X dt (2.16)
)0 0 r-;* r!
hii
II
I' I
I.I
swtrel I
I.II
Figure 2.4. Switched-In Redundancy Examnple
13
A general evaluation of this equation for various ya~ues of L and N is difficult. However, if a
specific value of N is stipulated, an explicit form can be obtained for any valhe of L by a scrics
expansion.
Let N= 2, then:
N-I (Xt)r L
M- f, Jdt
0 r-O r!
0 (X1)r)L
a ',t -- -) dt
0 rO0 r!
fCO- Lt(U + Xt)L dt

0
L
e (L) (-Lt)r dt
e r-O r
0
L L
L M _- _ ___(2.17)
r-O AL(r+l) (L-r)!
where the last equation is obtained by integration by parts.

A plot of improvement of N= 2 appears in Figure 2.5. In ordcr to more easily evaluate the o'ders of
improvement in meat, life reali, 'A in this type of redund:micy, a comparison on a subsystem level is
made in Figure 2.6 of this concept of redundancy, vs. the concept depicted in Figure 2.3.
As may be noted from Figure 2.6, greater increases in magnitude in system mean life over element
mean life may be realized by utilizing this concept rather than the full on redundancy concept
previously described.
Examining this redundant design caretully, it becomes obvious that sensing devices; arc necessary
to detect each failure, and switching mechanisms are rn'qtircd, to activate and deactivate elements. In
practical situations, the present limits on the reliability of conventional sensing and switching devices
limit the reliability potential of the scheme.
2.5 Standby Redundancy: D operating Units Necessary for Survival.

Another form of binomial redunancy may be encountered when the system (subsystem) is
composed of N identical units. A subset of I) units out of N is chosen to formi a working system
(subsystem). Elements of the working system (subsystem) which fail may be replaced. The units
which are not a part of the working system arc assumed to be standby units and have a failure rate Xý:
0. It is assumed that failure-free switching, sensing, and interconnection nifthods are utilized in order
to determine an upper bound reliability for this system type.
In this type of redundant system, since 1) units are always working, the failures of this subsystem
fonm a Poisson process with rate XD. Then the" system reliability will be the probability that the system
has a maximum riumiber (N-D) of failures in the time period t, i.e.:
14
"I
N-D
R(t)- E P(N(t)- k)
k-O
N-D -DXt k
k-O k:
- b• N-D (Dt kc (2.18)

k-O k.
where\
WrN(t)= the number of failures in the time period t.
*• N= total number of elements composing the system.
D= number of elements necessa•y for the system to operate.
* A= failure rate of ea',, operating element.
_ n -- 4_ ..
0.1..
1 10 100
NIL
NL = total number of units In system

S~A figure of improvement of redundant system mean life over simplex system mean life
, ~may be found by multiplying the value determined for \M by L. X-- failure rate of a single
S~system unit: M = system mean life.
Figure 2.5. XM Relationship for Standby Redundancy
t 15
iI
2.6 Reliability of Parallel Units when the Reliability of Switching is Considered.
In the previous sections, we have discussed the reliability of non-repairable redundant systems,
ignoring the failure rate of any sensing or switching mechanisms. As such, the previous evaluation
and analysis procedures should be considered as providing an upper bound for system reliability.
Various ways have been suggested through which the failure rates of sensing and switching devices
can be accounted for in the analysis of redundant systems. These range from simply adding a failure
rate inWcrement equal to the failure rate of a switching and sensing device to the failure rate of one or
more redundant units, to analysis procedures which take into account the operational modes of the
sensing and switching device. The following is an example of the latter (for a two-unit redundant
system) which pro%ides information on how such an analysis may be performed, and also provides
some insig..t into the complexities of the rnalysis.
Consider units A and B conprcted in a standby parallel configuration. If either A or B is functioning
and properly connected, the required system function is realized. The sensor/switch S provides the
necessary connection, disconnection function.
If A fails, S senses this failure, and if S is operating properly it switches to B. The system
composed of A,B, and S operates as follows:
100 _
AM
.8 . .. -
0.---4
12 4 6 10 20 100
N
N number o; redundant units in a subsystem
A failure rate if any active subsystem
MIV mean IPle (4 a subsystem
Figure 2.6 Comparison of Standby a.id Full On Redundancy
16
a. If S operates properly, it checks A. If A has failed, it turns on B. S is then in a fail sfe position.
The system operates until B fails.
b. S fails (and no switch possible) while A is operating. The system operates until A fails.
c. S fails in a way that a switch to B is mandated, while A is still capable of operating. 3 is energized
"Wandte system operates until B fails.
P d. S fails while A is still operating. It fails in such a way that A and B are unable to operate mid the
system fails.
Let P,(t), Pb(t), P,(t), and P,(t) denote the probability that the system fails at time t according to the
above events, a,b,c, and d, respectively. Then, noting that the above events are all mutually exclusive
at t, we have the probability of failure at t:
PF(t)- Pa(t) + Pb(t) + Pý(:) + Pt(t)
Let the density functions of time to failure for A,B,S, be exponential and let A and B have identical
density functions.
f(t)- Xe-Xt for A and B
and
g(t) = AO e -Ad for S
Note that (b), (c) and (d) indicate three different modes of possible failure predicated on the single
mailure density function. In order to cope with this, define:
P,-- probability when S fails, the switch stays on A

P= probability when S fails, the switch goes to B
P3=fprobability when S fails, the switch makes A & B inoperative.
The events described by P,, Pz, P3 are also mutually exclusive and exhaustive and:
P I + P2 + P 3 1i
We will now develop probabilistic relationships for P,(t), Pb(t), P (t) and P4(0):
let: a
t,- the time at which S fails.

t- t-the
the time
time at which A
B fails.
fails.
Noting that: La
P(ta)" 1- f 8(t5 ) dt
01
17
-probability that S does not fail before t.,
/, P(ts),-1- fa f (tae. dt
/0
3 probability that A doesn't fail before t., wc have:
t t-t
P (r),, ." b P(ta) f (ta) f(t) dt dtr.
~sf~1oa a Wm I~ a a a bb a b
This follows from:
WCt-t b)- / Pý"a fa ta.) dta

ta /
a
- probability that A fails before S failgZi, O, t-%,],
t
f W(t-tb)fb(tb) dtb- probability that B fails
tb in [O,t] after the switch
was made upon the failure of
A.
By the assumption of exponenti&- failure, we have:
P.(t) [1 - e"' - - WA -c
(c"' (2.19)
Using the memoryless property of the exponential distribution, it can be seen that A has the same
density as before, after S fails.
"Ihen we have:
t t-x
Pb(t)SPI X'f,- It6-0 P(t) g(t) fa(x) dt dx.
i "• tJ l~•3g•JWm•th~s••t'.a lav~..taitt .. • O•.,•t- •_• ..a .•. B_ . .. . ' .. _

This follows from the following:
t-x
W(t--x)- f P(t%-) g(ti) dt
tgaO
= probability that S fails before A fails

in [ot-Xj
and it follows:
t
Pb (t) P1 -O
$W(t-x) fa(x) dx- probability that A fails
X=O
in [O,tj aftez S fails.
Similarly we have:t
vo(t)-v2 t~r tf ) b()dt dt
etS%
t.,.O t8 -o
and
t
Pd~t);P 3 f
t i0
P(tS )g(t) dt .
The &3sumption of the exponential density gives:
P,()-P. -- -c (+X 0 )t (2.20)
00 *
-I -t le-A e (+Xo 0)t1 (2.21)
Pi(t)i P3 e (X ... e
X+Xo
Pdt) e(--XtP.-- 19 I1
From the above results the system reliability can be obtained as follows:
R(t)- 1- PF(t) = 1-Pa(t)-Pb(t)--Pc(t)-Pd(t)
- A [e.At
+ e-()+Xo)t]
- P 1
0 0
0 o
-X+X )tX
3 -9-0 e- (X+N 0)t] (2.22)

~3X+xo
If n5 0, Pi + Pi I (fail safe provisions built into syst!m such that a switc:hlinse failure cannot
cau system to directly fail.) I
I
R-) R-At +t e (- e- (2.23)
o
M o R(t) dt + (2.24)
0 0 0 (X
0o+X)
20
-\A1~~
Note dtat by (2.23) and (2.24)
ila R(t) lin eAt +- a-At (1-.-A 0)

AA->o *->O A0
-e + lir [hie + (2.25)
-(1 + At) a-At
lim H lim 1+L A

•o> a
o.-o . o lo (0~l
0A->
0 A A.- (A+A)
M =- . + lim - o
A' A 0 O ~gX)
+
(2.26)
2
A
which are identical to (2.12) and (2.13), respectively, for a two-unit standby vftndint sybtefl.
21
"~l9dUWA
CHAPTER 3
RELIABILITY OF REPAIRABLE SYSTEMS

The previous section was concerned with the reliability of redundant systems which were not
maintained; that is, the assumption was made that the redundant configuration was maximally operative at
time zero and no unit repairs were performed until the system failed. At that time, all the units were
repaired or replaced and the system put in a maximum operative condition again. This section makes the
assumption that as units of a redundant system fail, they may be repaired. In particular, we will assume
that the 'Ime to failure of each unit and the time to repair of each unit follow exponential density functions.
r(t) = Xe for time to failure

g(t) = AC -" for time to repair
X = failure rate
S= repair rate
In the pCevious section we were concerned only with two reliability figures of merit: (1) Reliability
cxpresseA as a probability P(t) which denotes either the probability of operating satisfactorily over a period
of time (0,T) or the probability that the system will be operating satisfactorily at the end of a period of time
(0,T), T. (2) Reliability expressed as mean time to first system failure M. Since the concept of maintained
systems torcce a change in the operational scenario, the figures of merit of interest.are somewhat modified
and augmented. Thv figures of merit with which we will be concerned will be as follows:
(1) Reliability cxpqtnd ;as the probability that the system will be operative at any time t, P(t).
(2) System mean time to iiix-t fiailur; M (detined in the sanic way as in the non-repairable case), and
system steady state mean time to failure M,.
(3) The expected fractional amount of time that the system will be functional during a period of time
(AT)- (Note that this figure of merit could be applied to the non-repairable case, however, it is
rarely used and it is not as meaningful as it is in the repairable case).
(4) Reliability expressed as the probability that the system will not fail during the time period (0,T).
It i., interesting to note that while (1) and (3) are mathematically different, both are commonly referred
to as "Availability" (actually while the development of both measures is different and their "time
oriented" forms are different, their limiting cases are identical.)
In general, the procedure which must be followed in the analysis ai,d evaluation of a repairable
redundant system is the definition of its relevant system states followed by an analysis of possible
transitions. This means that the system can be in any one of various states E0 , E,, E2 .... .E,.For example,
a single unit has two possible states (i) operating and (2) failed. A two-unit redundant system as in Figure
3.1 has three possible states: (1) both units on, (2) one unit on, one unit failed, (3) both units failed.
Further, the system can pass from adjacent state to adjacent state at rates defined by the state's failure and
repair rates. (For purposes of clarity, let us define adjacent state as that state accessible to another state by
a single repair or a single failure. For example, in the case of tie two redundant units in Figure 3. 1, the
Plate of both.units on is not adjacent to the state of both units failed - the state of both units on is adjacetm to
the state of one unit on, one unit failed). It is impossible to pass from one state to anoti-er unless a chain
path of adjacent states is established. Given such rules, many means arc available to anilyze redundant
repairable systems; some are more complex than others. This section will discuss several of these means.
3.1 Analysis of a Single Unit.

To start, we will discuss the reliability of a single unit. As will be seen later, the reliability
expressions for a single unit can serve as time saving building blocks for the definition of the
reliability expressions for complex redundant repairable systems.
Consider a unit having a failure rate X ap I a repair rate t.
Let P., (t) denote the probability of a unit i ing in state j at time t given it was in state i at t= 0.
0 = an operating state (an up state)
22
? -
I"'
1 a failed state (a down state)
,j= 10
[then:
P 00(t+A0t)- P (unit is operating at t+At, given
it was up at t- 0)
- P(unit doesn't fail ini(t,t+At)I unit is up At t,
given it was up at t- 0).P (unit ia up at t, given
I it
at t,
was up at t= 0)
+ P(a repair is
completed in (t,t+At)t unit is down
given it was up at t- 0),P(unit is down at t,
given up t- 0)
- (I-xAt) Poo(t) + Pat Pol(t)

W
Using:
Poo(t) + P M(t)- i,
Poo(t+At)- (.-xAt)Poo(t) + PAt(l- P (t))
P (t+At) - P (t) dP 0 (t)
00 00 S-P- (X+11) PooWt)- 0
At 00dt
Solving this differential equation yields:
P0 W= P''A• + Ke-(x)+lJ )t
Using P,(O)= 1, then K=A/A+i ),

Then:
0P(t)= P + ,• e("+•)t
23
shion the xrpmssion for P,.,) can be derived using P,0 , (I.., unit
a si
amilar
in dow" at t-O) then
K-
Thur:
-• pi
(A (3.2)
SinCe P,(t)• I-PO(t) and Pj(t)= I-PI't)

k - (3.3)
C(O (3.4)
a tIm
of a constant term (x-i.) or .- adlarge.
The.rlationships (3.1 ) to (3.4) are composed tihne period in time gets arbitrarily
which vaies with time (Ke - ). As the
Vic get-
,
get:e-( X,+)t o
and: POW [ai 0 1 (041 _A11j 3.5
P+ E2nd P, (t ) (3.6)
unit will he operating at any arbitrary

These denote the limiting probability that the that the relationships above indicatC
point in time distant from tv-). it will be noted
from t=O, the on: inai state of the unit is
that as the time of interest t bcc,,mcs distant of the transition probability Vjjt) is
of no consequence. The stochlastic behavior (ýk.6) above ate defined as Availability given
shown in Figure 3.2. Eqrliovs (3.5) and
by:
2
-A---- (3"•/)
where: J. = meantime to repair of the unit
meantime to failure of the unit. SM
Equations (3.1) to (3.4) define the time dependent Availability of a unit, P(t). The
conicept of expectation indicates that:
T
fP(t) dt (3.8)
0
defines the mean up or operational time, over a period of time (0,T) rcolizing a unit
can fail, be repaired, fail again, etc. It then follows that thc expected fraction of time
that the unit will be operating during the interval (0,T) is givenj by:
T
E(F)-T f0 P(t) dt (3.9)
From equation (3.1):
I T 0+11) t
000 D 'T0
22 (3.10)
A+11 rxj) 'Ap
which denotes the expected fractional amourit of time that the unit is on in the interval
(0,T) given that the unit is operating at t-=0. Similarly from equation (3.2):
25
T
1.0 T 10 .)dt
0
2 e- ) (3.11)
X+ T(X+) 2 T(X+)2
which denotes the expe'cted fractional amount of tinmc that the unit is on in the interval (0,T) given that
the unit is down at t=0.
Both relationships (3.10) and (3.11) are composed of a constant term K+'f and terms which vary
with the time interval in question. As the time period (0,T) gets arbitrarily large, these equations
reduce to the limiting case such that the expected fractional amoint of time that the unit is on during a
very large period of time is:
E (F),'bEIo(F)= PJ (3.12)
0o •+
I+-
Again, it will be noted that the relationships above indicate that as the time of intmejet t becomes
distant from t-0, the original state of the unit is of no consequence. Note that relationship (3.12) is
identical to relationship (3.7). Hence Availability is defined as either:
(a) The expected fractional amount of time that the unit is operating over an arbitrarily long
period of time.
(b) The probability that the unit is operating at any point in time distant from t=0.
In either case, then
P+X M+R
The fact that availability can have a dual defini'ion is obvious when definition (a) is considered first,
for if a unit can be expected to be operational P percent of the iinc and is capable of numerous repairs
and failures, then it follows that at any random point in time the probability is P percent that the unit is
operating.
Relationship (3.7) was developed using a differential equation and assumptions relating to the
distributions of repair and failure times. It need not be developed by that means, using such
assumptions. It may be developed quite simply and non-parametrically as follows:
Let:
T ý the interval of time in question
"TO==
the time during the interval that the unit is operating
T,= the time during .-, interval that the unit L downti
Then:
T (definition (a) of availability)
But:
"26
--- j
tt
T- T + T'
TO 1
0- number-of failures expected in operating time T 0
"T1 R' titae that the unit is down over interval in question
T 0
0A- T R(3-3
0 M
which is identical
to (3.7)
Herce the limiting relationship for Availability is non-parametric.
There will be situations where evaluation requires the use of one or more of the measures
previously discussed. tn summary, the most important arc repeated and delined below:
(a) P oo(t)= -_._ + t
00 +)j A+Pi
The prcbability a unit will be operating satisfactorily at a given point in time, given that the unit
was operating satisfactorily at t-O.
(b) E OO(F)-" +'+ .x.. - AL e-

T( ,+p)2 T(X+ e)
tihe expected fractional amount of time that the unit is on in the interval (0,T), given that the unit is
operating at t--- 0.
(c) A---- M
jiL M4-R
The probability a unit
fractional amount of timewill he olprating at a random point in time, distant from tý:O:,or
that the unit is on during ,an Ihe expectet
arbitrarily long time interval
(0,T).
27 ti to
3.2 The. Combined Units Approach: (Full on Redundancy)
This can be. considered one of the most basic approaches in existence. It starts with the definition of
PrO(t) or Availability, for a singl unit and treats these as basic probabilities of Eurviva|, as discussed in
Chapter 1 (in a reliability block diagram).
Take, for example, a two-unit pcra•iei system as in Figure 1. 1. Both units are identical and
originally operable (on at t- 0) and both are operating simultaneously. If one of the units fails, repairs
are begun on it and the other unit performs the function. As soon as the failed unit is repaired, it is
returned to operation. At the first instant of time when both of the units are failed, the system has
failed.
The probability that Unit A is operating at t= P,(t)
The probability that Unit B is operating at t= PoO(t)
The probability that either A or B or both are operating at t is the Availability of the system P(t).
P(t)- P 0o( ) + P 0 o(t) - ( )2

00(00 00 ()
- 2 P 0 0 (t) - P (t)2
+ (~A X~t
1
~ )~ -. (ji+A)t
e - +4
which when expanded and combined reduces to:
P --2AE A2e-2(A+P)t + 2A 2 e-(X+1)t (314)
Note that as t gets arbitrarily largc (3. 1) reduces to:

P(t) . 2 + 2yeA te
( )2 "ys2em (3.15)
* 2"
i ,
S ., •,2~e•_.e~t~ i • •.,.• • .
:r
which is the limiting availability for the two-unit redundant case. To show this directly define as
before:
probability that unit A and
Therespectively:
as unit B will be operating at u mradom point in time. distant ftm t=- 0,
A 1- and B -A--
The probability that either A oý B or both are operating at tbe same random point in time is:
A sy -A + AB
AA,+
-tel AA
A -u + .J p .. _
._-+ 2
whict reduces to:
A p4 2Ap (3.16)
ayst'em (.X+) 2
This is identical to (3.15).

In general, this approach is one of the simplest to use when an evaluation of either the limiting or
the time dependent availability of a system or subsystem is required (mean time to first failure or
Probability of no system failure over time t cannot be evaluated using this approach).
The following formula may be utilized to determine the system or subsystem redundancy and
general philosophy of operation as discuscd in the beginning of this section.
Let X, time dependent or limiting availability of any unit.
1, Ni N JC.xNj-
Systera Availabil.ity II
i-1. . N (l xi)N i
-- (3.17)
J,-D i
where:
L-- nunvber of subsystems in serics
i=- defines the ith subsystem
D:--- minimum number of working units required for the ith subsystem to operate
N1= total number of parallel units comprising the ith subsystem.
3.3 The Markovian Approach (For Full on Redundancy)
Of all the approaches to the analysis of repairable redundant configurations, the Markovian is the
most powerful. It is particularly appropriate to the analysis of redundant systems and through its
application to sucn characteristics as:
•Availability (time dependent and limiting)
* Mean Time between system failure
Reliability (we saw ealier a simple Matkovian approach analysis for a non-repairable system).
29
A redundant repairable system composed of N units has 2 8 potential states. Each time a different
combination of units is failed and operating a new state is defined. This means for every single repair
action completed, the system enters a new state. Likewise, for each failure which occurs, the system
enters a new state. The repairs and failures which occur cause the transitions from one state to the
next. The rates of transition (the failure rates, and repair rates) from one state to the next are
determined by the failure rate and repair rate characteristics of the current state and also the
probability of more than one transition occurring simultaneously is zero.
In order to apply the procedure, all possible system states must be identified and probabilistic
equations developed describing such states. The easiest way to define and write the probabilistkc
relations of the states is to draw a state space diagram or a truth table. The diagram shows vieually the
evolution of different system states possible end the means of transition, if any, between states, either
by failure or repair. Because small increments of time are considered in the analysis, the probability of
a double transition is considered to be zero. The truth table (Figure 3.2) shows the results of the space
diagram in tabultr form. Examples of both will follow.
The definition of:
(A) Availability (time dependent, and the limiting case)
(B) Reliability and Mean time to system failure
require the utilization of slightly different constraints and formulation of slightly different sets of state
equations. The primary difference lies in the fact that if we 'wish to determine the probability that at
any time the system is in any state K (necessary to determine Availability) we must allow for a
transition from a systerm failed state to an operating state. In the event we wish to determine the
reliability (the probability of no system failure in an interval (0,T)) that i&,the probability that the
system remains in the set of non failed states during the interval (0,T),
Rt)- Z R (t) 0 - Set of all non failed
a -Rt states.
or the mean time to failure of the system, we must structurc our state equations such that there is no
transition from a failed state.
The space diagram for a two-unit system (both units operating simultaneously, only one of which is
required for systems operation) is shown in figure 3.1. As can be seen, the possible states aue:
a) Unit A and Unit B are both operating (State 2)
b) One unit is in a failed state (repairs are being nmde) and the other is successfully operating
(State 1)
c) Both units are failed (State 0)
The truth table can be tabulated as in Figure 3.2.
Values of the X's and A's define transition probabilities between adjacent states. The arrows indicate
which direction the transitions take.
2 o1' Availability Measures 0 2 e 0
State Space Diagram For Reliability And Mean Time To Failure Measures
Figure 3.1
30
STATE A B SYSTEM
2 1 1 Operating
1 0 1 Operating
1 10 Operating
0 0 0 Failed
Truth Table For A Redundant System'
Figure 3.2
3.3.1 Markovian Ai
(Full on Redundancy)
The following set of state equations may be developed
Cas)
h for Availability Measures (Time Dependent and Limiting
I
!
P2(t+A.)- P (unit A and B are both operating at t+At)
= P (neither A nor B fail in (t,t+At) l both units
are operating at t)'P(both un'.ts &re operating at t)
+ P (the repair of A(B) is completed in (t,t+&t) I

B(A) is operating at t).P(B(A) is operating at t)
- (I-2XAt) P 2 (t) I-pAt P.(t) (3.18)
Simnilarly, we have:
Pljt~)-2XAt P2 (t) + L- Xj)t lt vtP~) (.9
P
P~x~)t +P P P1 (t)-X~2ptt 0 (t)t (31.19)
II 0 1 ~ l 0 C)(.0
31 ~
4
where:
P (t) + P (t) + P 2 Ct) 1 (3.21)
Expanding and rearranging the state equations as follows:
P(t:•-At) - P 2 (t) P
lip 2AP 2 (t) (3.22)
&t dt
P 1 (t+At)- Pl(t) dP 1 (t)

-(A+)P,(t)
At dt
+ 2AP 2(t) + 2pPo(t) (3.23)
P00(t+At) - P 0 t) dP 0 (t)
0 0 XP (t) - 2P W(t)
At dt
(3.24)
Taking Laplace transfrmns and realizing that:
P2 (O), 1., P]M(f)- 0, P 0 (O)- 0
(initial conditions if we assume all units operative at t= 0). Il
.s P2(8)- 1- PPI(B) - 2XP 2 (s)

S Pi(a)y-(-) P + 21 P2 (a) + 21P0(s)
a PO(0)- XPI(a) -2p P0(a )
32
._ _ _* - - -
i-~~________
Solution of these simultaneous equations and finding the inverse transformation (as shown in
Appendix B) results in:
2
P~)
i2o~) •)2e-2(A'+l)t 2 •' e-(l+I)t
P(t)- I- P((-
0 X2- + 2X 2 -e- (3.25)
and taking the limiting case (letuing t -, oo)
Pt2+24 (3.26)
0•+0) 2
Note that results (3.25) and (3.26) are identical to results (3.14) and (3.15) and (3.16) which came
about as a consequence of an entirely different approach to the probleIr (an approach which wag
considerably less involved than the classical Markovian approac' discussed previously).
3.3.2 MarkovianApach for Reliability Measures and Mean Time to System Failure
(Full on operation)
The following set of state equations may be developed (derivation similar to previous, except
netice that once a unit reaches a failed state P0() it is not allowed to pass to a working state
P,(t)).
P 2 (t+At)- P (t) (1-2AQt) + P (t)iAt (3.27)
P1 (tH-At)- ,' 2 (t) 2AAt + P 1 (t) (1-(,+p.t)At) (3.28)
P (t+At)- P1 (t).at + P 0 (t) (3.29)
P 2(t) +. P1(t) + Po~t)- - (3.30)
33
__ _ _ __ _ _ __ _ _ __ _
As before manipulation of the state equations results in the differential equations:
dP Wt
-2 2?.P Wt + liip M (3.31)
dt21
dP Mt
dt ' 2X. P2 Wt -;~~ (3.32)
dtI
Taking Laplace transforms and realizing that:
PP() =1. PA(O) = 0,P-4O) 0

(initial conditions if we assume all units operational at t=z 0) we obtain:
I- (a+2X) P 2 a iI() (3.34)
0- 2XP 2 (s) - (X+1148) p1 (a) (3.35)
0- SP 0 (a) - 1LP I(a) (3.36)
(ina manner similar to Appendix B). The same argument of the previous %ectionrerults ill:
-2 a
2 2.
22 2 3Y)
as beforv:
2A.2
34
1114
1111m
I-I
- ~ ~~~ -- ~ .~- -- .. 'wWS . ... FYI"--
(assuming the system at t= 0 hadt both units in satisfactory operation). Note that if A= 0 (that
means non-repairable system)
-,- ~~M
M =.,=1
2(3.39)
which is exactly the value which would have resulted from relationship (2.6) for 2 units in a
non-repairable system, and if IL= 0 relationship (3.37) reduces to:
"R(t)- 2e eXt-e-2xt (3.40)
which is exactly the value which would have resulted from relationship (2.7) for 2 units in
a non-repairable system.
3.4 The Markovian Approach For Stand-by Redundancy, Markovian Approach for Availability Masures
(Time Deendent and Limiting Case) (System in Stand-by Conditions)
In this situation our intent is to setup the probability state equations relevant to the case where the
redundant configuration has one unit in actual operation and the other uniis are in stand-by (such units
Sare.not energized) and have failure rates - 0. The unit in operation operates until it faiis, at which
time one of the stand-by units begins operation, and repairs are begun on the failed unit. When the
failed unit has been repaired, it becomes a stand-by unit. When a failure occurs when no repaired (or
good) stand-by units are available, the system fails.
As before, an exr•npie is presented as to how such a problem is solved. We take again a two-unit
redundant system and define its respective states.
(1) Unit A and Unit B, both are operable - one is ope!rating (State 2)
(2) One unit is in a failed state (repairs are being made) and the other is operable (State 1)
(3) Both A and B are in a failed state (State 0). Then we have the following state equations:
P2 (t+A)' P 2 (t) (1-xAt) + P (t)int (3.41)
PI(t+At)= P 2()xAt + Pl(1)(1-(ý+1)At)
+ P 0 (t)2pAt (3.42)
FP ct+At)= P 1 Ct) AAt + P 0 Wt) (1-200/t) (3.43)
35
• - '- • r¸, ,f• , S-. .. .•L • - :• • .• • • • • .•q r• • • " • r . ' • \ --- .'.. "• ••- w.,w
.-" 7a sr-
• rr •..,y'; , I;
Expadin and rearanging the equations:
d'-'T- " •aP 1(t) " AP2(t)
dP1 ( t)
"- dq--" "()+) P (t) + AP2 (t) + 2UPO(t)

dt 1o2 0
0 NP1 (t) -. 2uP 0 (,
4t
TafIt Laplace transforms and solving' for.
P(t)m 1- p- W3
81 b2 6s2(0
a a QX+3M) ý 4i
I '22+ 2
Note as t gets arbitrarilxy large:
2
P~t)- A- 21 A(3.45)
36
.7M M
3.4.1 Markovian Approach for Reliability and Mean Time to Failure Measures
(System in Stand-by operation)
Assume a redundant stand-by configuration and operating philosophy is described in the
* previous section. Agaiin, the primary objective is to develop the probability state equations
* representing the system, its operational philosophy and the measures to be evaluated.
As before an example is presented as to how such a problem is solved. We take again a
two-unit system and define its possible states:
(1) One unit is operating and has a failure rate= X, a second unit is capable of
operation but is not energized and has a failure rate= 0. (State 2)
(2) One unit is in a failed state (repairs are being made) and the other is successfully
operating (State 1)
(3) Both units are failed (incapable of operation due to malfunction) (State 0).
Note as previously stated, that in order to evaluate Reliability or Mean Time to Failure, the
state equations can permit no transition from a failed state. As before, state equations are
developed.
P 2 (t+At)- P 2 (t)(I.-XAt) + P1 (t) PAt (3.46)
PI(t÷At)- P 2 (t)Wxt + P1 (t) [i- (X+I)At] (3.47)
P0 (t+At)- PI(t)XAt + P0 (t) (3.48)
After solving the equations finding the inverse transformation and performing manipulation
r t r t
r e - re1
1 R( 2
r _ (3.49)
where:
r1 r2 -(p+2),) _I /(,+ )2) 4

2
Again, since r, r2 < 0 and r, > 2r, wc have:
IV i7
M I
r2 t r t
•
M R(t)dt- fa- 2 -- dt
0 0 r -r
1 2
SrI 2 dt
f rt r2 r t
(rl-r 2) 0
r (r 7,.1) + r, r
r!r 2
I !2
(3.50)
Note if the system is non-repairable, ft= 0, then
M-X (3.51)
which is identical to the result of Equation (2.14) for a two unit non-repairable system.
By this tim. it is clear that the Markovian approach is capable of evaluating all of the
reliability messurs requi'ed. However, it is also clear that this approach is rather cumbersome
and time-consuming, esp,'cially when more than two units are redundant or when the units have
dift.rent values of A and p.. Note also th the Markovian approaches discussed are designed to
evaluate specific configurations/opcratisial scenarios, ard not to provide closed form
relationships, relating failure and repair rates of units, number of units in a subsystem and
anm r of stbsystems to system reliability. The next two sections provide discussions of two
apprraches mhich are capsule ,of making the analysis of repairable subsystems less
cum crson an(] time-consuming than those dis,:usscd and have the additional characteristic of
being it cli,, :d form or algorithmic form such that a single equation, or procedure is capable of
evaluating any numbetr of units in par. el.
3.5 StatecFxpectation/Transiton Model (for Reliability and Mean time to failure)

3.5.1 Full on redundancy
While the other approacties (V , assed to evaluate the reliability of redundant systems were
classical, the following must k- considered unique. It uses as a foundation the basics of a
Markoviar process but treats and combines thee into an expectation model.
Given a system comprised of L operating redundant identical units (each with identical
values of Xand 1t, in addition all failures and repairs of units take on an exponncttial density as
defined previously.) Assume that D units (D<L) as a minimum must be operating in order for
the systemo to function. The system then ihas a number of pi ws.iblc operating states.
38
~ ~ ~ .~.... -.
State Defined as
0 L units operating
1 L-1 units operating Satisfactory opeiating states.
2 L-2 units operating
N D unit%operating
N + I D- 1 urats operating - a system failure
wi As indicated previously transitions can take place only between adjacent atates. That is,
given the system is in state of j,(j>0), the system can Iext y.o to either state (j + 1) or ( - 1), no
other. This follows from the flow chart,
STATE STATE STATE STATE
0 i2 M
Naturally, for example, when 2 of L units are failed the next transition must be either to 1 of L
units failed (indicating a repair) or 3 of !. units failed (indicating a failure).
It is also clear that immediately before the system fails (rcachcs state (N + 1))thli system
must be in state (N).
Each state has associated with it unique failure ratL XJ, and repair tate IA,, computed as:
X - (L-J)X J s N [N i.; the ,;tat(! number asnociated
with D units operating]
LI. JV (assumes that as soon as a

r unit fails repair is begun).
39 w
Since we are dealing with exponential dansity functions for repair and failure:
Expected time in state j before transition
E() )(3.52)
Probability of going to state (j + I) on the next transition, given you are in state j at the present
time. (Thi,. of course, signifies an additional failure)
x~j+.j(3.53)
Probability of going to state (j-l) on the next transition, given you are in state j. (This of
course signifies a repair)
"* P(J-1/j)- •]--- (3.54)
P(J.-1/J) + P(J+1/j)- 1
Given the chalrvteristics above and using expectation, the expected length of time to go from
state j to state (j+ I),ECj+ /j), can b, fonntlated.
iii FJ+l/.1)= P(J+I/J) •E(J)+- ?(,-1/J) [E(j) + E(.I/J-l)
+ P(J1J)•j
i
Rearraging nd groupinlg terms
P(.I+IlJ) • E(,J). + P(J-1/j) [E.(j) + F(jl/_•.)fl

E(J+l1/j)- _-_-
1-P(J-I/J)
Substituting (3.52) - (3.54) into the above:
J-1
n-K
40
It is obvious t',at in order to fail (assuming the units of the system were al! operating at t- 0)
the system must gracefully degrade; that is, from state 1 it must eventuolly go to state 2, from
state 2 it must eventually go to state 3, etc., and the average time for such graceful degradation
from state j to (j+ 1) (tLking into account transitions fromj to (0-i))is accounted for by (3.55)
N
E E(j+1/j)- M (3.56)
that is, the sum of the expected times to transition from state j to (j+ 1), from (j+ 1) to (j+2),
etc., is the expected time to go from state 0 to state (N4-1), which is the mean time to system
?
failure. Repeated use of (3.55) in (3.56) leads to:
N
M- E E(J+I/J)
N J-1 H n .5
N
+ (h".+1(
J-0 j - K..0 An
n-K
I :.For examplc, take a two-unit redundant system as before (each unit having identical failure and
repair rates X, and g) and apply (3.57). The result is:
. -- (3.58)
2A
the same result as iion. (3.38) which evaluated the two unit system using a conventional
•.. Markovian Process.
As can be observed, this procedure is significantly simpler to apply tC.at any of the others
discussed and less time-consuming (due solely to the fact that application of (3.57) is all that is
IT •'required). Its drawbacks arc (1) while the mean time to failure of the system may be derived, its
reliability exprcsscd as the Probability of no system failure in time t cannot tb: determined; and
(2) it is capable of handling only redundant systems comprised of units with identical failure
and repair rates.
41
3.5.2 Stand-b Redundancy
The concepts of the previous section can be used to develop a relationship for mean time to
* failure for a system employing stand-by redundancy.
Given a system comprised of L redundant, identical units (each with identical valu"s of X,
and ;L. In addition, all failure and rpairs of units take on an exponential densiky as defined
previously). Assume that D units (D<L) must operate at all times in order foW the system to
operate. All other units are rot energized and have K- 0. They remai, enerwgizCd until a failure
occurs and only then is one energized. A repair action is immediately started on the failed unit.
The systcm fails when one of the D operating units fails and no energized unit is available to
take its place (all (L-D) units under repair when a failure occurs). The system has a numbAer of
possible states:
State Defined as
o D Units operating, (L-D) energized, 0 under pair
I D Units operating, (L-D- 1)energized, 1 under repair
2 D Units operating, (L.D-2)ewrgized, 2 under repair
N D Units operating, 0• (L-D) under repair

N+1 D- 1 Units operating -- Failure
Again, transition can take place only among Pldjaceni states. That is, given the system is in
state j 0j>0), the system can next go to either state (j+ 1)or (0-I). io others. (See flowchart of
last section).
Naturally, for example, when 2 of L units are underpoing repair (are failed) the next i
tramnsition must be either to 1 of L units undergoing relairs (one unit repai.Md) or 3 of L units
undergoing repairs (an other operating unit failed).
It is also clear that immediately before the syatem )ails (reaches state N+ I) ) the system
must be in state (N).
i
Each state (j) has associated with it a failure rate of X), a4-a re-pair rate of f.
For stand-by redundancy
Xj,= D. Jr-N
,j= j1A (assumes that as soon as a unit fails, repairs are begun).
Since we are dealing with exponentiol density functions for :epeirs prA failure:
Expected time in state j before transitiot
E( D j (3.59)
Probability of going to state (j+ 1) on the next transition, given you are in state j at the
present time. (Signifies an additional failure)
DXi+ I.A) (3.60)
42
I 'I
Probability of going :a state (1-l) on the next transition, given you are in state j (signifies a
F repair)
I - P(j-I./j)s ).
SD(3.61)
I P(j-1/j) + F(j+i/j)-. 1
The expected length of time to go from state j to state (j+ 1), E(j+ l/j), is formulated:
E(J-I/J)- P(i+/J) E(j + P(J-1/j) [E(j )+ E(J/+-1)

4. J.
Sbtttn(35)-(. int1) the-Iabove. rerupn an iplfig
E(J+IIJ)- 1-" 4. E(J/J-) (3.62)
It is obvious that in order to fail (assuming the units of the system would all be in an operable
condition at t.-- 0) the system must gradually degrade; that is, from say state I must eventually
go to stite. 2, before going to state 3. And the average time for such a degradation from state j to
state 0+ 1) (taking into account ,ransitions from j to j.- 1)) -s accounted for by (3.62).
Therefore:
N
Z E(j+1/j)- M (3.63)
J-s0
that is, the sum of the expected times to go from statej to j+ 1, from (j+ 1) to 0+2) etc. is the
. "xpextedtime to go from state 0 to state (N+ 1), the mean time to failure of the system.
Repeated use of (3.62) in (3.63) leads to:
I iX M=XI EO+ /j) .X :4 1 ~ 4
j-.'
0.-I - D K (3.64)
7rDX
43
JI
(L-D+ 1) L-D J- n=K+l

1-4.N
XD j.i i-o (M)
For cxample, take a two-unit redundant system in standby (each unit having identical failure
and repair rates Xp) and apply (3.64). The result ir.:
2 (,3.65)
the same as the result from (3.50) which directly evaluated the two w*it standby system using a
conventional Markovian Process.
As can be seen, this procedute. like the preceding, has advantages of simplicity and time
over the classical method to evaluate the mean time to failure of Rstandby system. Its
drawbacks are (1) while the mean time to failure of the system may be dcrive•i, its reliability
expressed as the probability thrt the system will operate over an interval of iime (O,T) with no
failure cannot be determined; mid (?) it is capable pf handling only redu|i'lant systems
comprised of units with idepacal fiilure and repair rates.
3.6 Sy!stem Failure Rate Aproch (For Full on Oeraticns)

In the previous section, concepts pertaining to transition rates (failure and repair rates) between
adjacent states were used as the foundatic" on which an evaluation technique was based. In this
section we will discuss an evaluation technique based on thr concept of System Failure Rate
associated with each system state1
Let us first define:
(1) System State - The description of the syscem- operating condition in terms of how many units
are operating and how many arc in a failed state.
The following is a list of the possible states for a parallel system comprised of L units.
States Description of State
0 L Units operating, 0 failed
I (L-1) Units operating, 1 failed
2 (L-2) Units operating, 2 failod
3 (L-3) Units olperating, 3 failed
A (L-N) Units operadin#, N failed

N+I (L-N.I) Units operating, (N+1) failed
We bear in mind that transitions can take place only between adjacent states (more than one failure
at one time has a probability = 0; more than one repair u; ",he time has a probability = U; a failure and
a repair manifesting themselves simultaneously has a probabi!-ty= 0). That is the system which if in
state j (j>0) can go either to state (j+ 1)or state (j-l). Further, assoming that the systtn is in state 0,
at t= 0, in order for the system to fail (reach a failed state, say (N+ 1)) it must ai some time go froi:J
state 0 to state 1, from state I to state 2, from state 2 to state 3, etc, eic.
Fumiher, if one defines:
F(j+ lI/j), the expected tihe to go from state j to state (j+ I), them:
44
![
t W !..
N
E E(J+I/J)- H- Haan time to system failure.
i-a
(2) System Substate - A Suhitate of a system state. Many system states as defined above (X units
operating, Y failed) may occur in a different number of ways (for example, take a two-unit redundant
system comprised of Unit A and Unit B. Unit A may be operating and Unit B failed, or Unit B may be
operating and Unit A failed. Both are different substates belonging to the system state, one unit
operating, one unit failed) each way in which the system state might occur is called a substate.
(3) Border Sthie - A substate of a system state where the next unit failure will causc a system failure.
Examples:
(1) A three-unit redundant system, a minimum of any 2 units must be operating in order for the
system to operate. In this casc, the border states would be aty 2 units operating, one unit
failed. Three border states would result.
(2) A four-unit redundant system, a minimum of one unit must be ope.2ting in order fo" the
system to operate. In this case a border state would be any one nwiit operating, 3 units failed.
Four border states would result.
(4) Limiting Availability =--
Defined and derived earsier as a non-parametric measure which indicates: the proportion of time that a
unit is operating (or up), given its average failure and repair rates, X and g; or the probability that a unit is
operating at a random point in time, given its average failure and repair rates A and /.
In a system comprised of L parallel units application of the Limiting Availability figure of merit can
determine the proportion of the time that the system is operating or the proportion of time that the
3ystern is in a given, state.
Example: A three-unit Redundant System made up of units A, B, and C, (A minimum of one unit is
required for satisfactory operation).
Let A, indicate Unt A is on
A, indicate Unit B is Failed .:
Bf, indicate Unit B i, On
B, indicate Unit B is Failed
C, indicate I Jnit C is On
Cp indicate Unit C is Failed
t TheA system
aoIC a can be in any one of the following states:
ABpC, Border State

AJB)OCO
AIBoC, Border State
AL',Cim Border State
ABP4 Failed State
Let:
AA. A,, A, repre!sent the Availability of A, B andC 'xcspectivciy.
Let:
45
(l-AA, (1-Am), (l-Ac) represent the Unavailability of A, B & C (This represents the proportio,.
cf time that A, B, or C is in a failed state (undergoing repair), or the probability that A, B or C is in a
failed state (mndergoing repair), at a random point in time).
Using the fundamentals of probability, we can now model each state and determine the proportion
of time that a system is in any particular state. Taking the last example:
State Proportion of time in state Border state

3
A0 Bo Co 4 ABAC - No
A0 B0 CF AAB(l-AC) No
AO BF cO AA(l-AB)Ac -- No
A F CF AA(I-AB)(-Ac) .a4-*
u Yes
AF Bo CO
0 ~~ A2(v
(,L•AA)ABAc
~ -(_+__)__-
F • No
N
AF 10 Cy Cb.AA) AB(1-AC) (1I+A•3i' Yes

Alp BF C0 CL! 4 (l1AB)Ac Yes
73
AF BF Cp (J.,AA)(1-AB)(1-AC) " (u+jj Failed
TOTAL- 11
The primary concept to grasp in the application of this evaluation technique is the fact that the system has a
failure rate equal to zero while it is in every state except a Border State; that is, the system can fail directly
only from a Border State; it can not fail directly from any other state. The system failure rate A., in a
Border State is the sum of the failure rates of the operating units in that Border State.
D
Am- s .
i-i
Ap= failure rate of a Border State

A = failure rate of the ith operating unit (non failed unit) in the Border State.
D= Miniirnn number of units required for successful system operation.
If one were to associate with each Border State, the Product of the Proportion of time in that state (A,,) and
the Sum of the Failure rates of the operating units in that state (A,) and an arbitrarily long system
operational period T the (Note T includes the time that the systi n is operating satisfactorily and the time
the systrm is down for repair) term:
46
K.
- - ,.
j AM 1
Bi T I
would represent the expected number of failurts crnticipated from Border state i over an arbitrarily
long period of time T.

If one were to sum this result for all Border States, K, making up system state N (recalling system
state N+ • is a failed state).
the number of failures expecte. in System

: STL operational time T from Border States. (3.66)
(Recall failures can occur only from Border States, therefore all system failures occur from Border
States).
If one were to sum the substate availabilities (Ap) of all the svates in which the system satisfactorily
operates (including Border States) and multiply that sum by the same arbitrarily long period of time T
N z
T F 7E A - the total time that the system is (3.67)
i") i-1i
operating satisfactorily.
Ao= 1ce availability of substate i associated with system state j.

7, = Number ef substates associated with system state j.
The ratio of (3.66) to (3.67) is:
number of failures expeted or

T0-otal eiýaThng time
N Z
.- 0"-.iA . - Average time to system failure
K (3.68)
I AB An, measured iteady state - Ms
This measures the actual perceived average time to system failure over thi, life use of the system. It
is important to note (fat since we are using state N as a minimum operating state, the model indicates
that as !,oia as the system fails, it enters state (N+ 1). The system is then operational again as soon as
repair puts it into State N. Each cycle of operation-failure for the system (after the first systzm failure)
then starts in State N and ends in State (N+ 1).
The average time to failure (Mj)is in riality, the mean time to go front state N to state (N+ I) or
E(N+ I/N).
h'lrefrorc, (3.68) mnoy be rewritten as:
47
N z.
E E A.£
J-0i- E(N+I/N)- M (3.69)
r•AL
Takng a two-unit red(I.an sysm a an ex=4-A (X, anL of 11 units idcaW l) and ,wyjag
(3.69)
E ) E(2/1).(3.70)
which is idetlical to the r t which would occur when equation (3.55) of the previou. section is
appbd to evalum F(N+ I/N).
For the next step, define a new criteria for system failure follows: if a minimum of D operating
units oat of L were originally necessary for system operation, assume now that a minimum of (D+ I)
opating units out of L is required for system operation. Determine new values of A,,, A,, as before
an apply equation (3.69) once more uiking N=(N-l). By changing the failure criteria from D) to
(D+1) the application of (3.69) really evaluates the expected time to go from state (N-i) to state N
E(N!IN-I1)
Repetition o f the above a number of timcs until the boundary state shifts fr, m N to 1 (scc state chart at
beginning of section) results in the following summation:
N
E E(J+l/j)= M- Mean time to failure for the
j-O
system assuming all units
were operable at t- 0.
M Z
or: J-N+l i-i
48
o~
N 7 i-A7,
M_ E j-1o -1
,1 (3.71)
V-9 K,?l ATi
vi
"Forex"mple, take a two-unit system with identical values of A and / with operational scenario as
before:
M= E(N+I/N) + E(N/N-I)= E(2/1) + E(1/0)
From (3.70), E (2/1)
pJ+)2
2
2X
2
E(110)- .)_1 (3.72)
I2 1 +31
2A
2 2A-2 -
which is identical to (3.58) which was derived using the expectat'.onltransition approach.
In the event that all units have identical values of 1z and A (3.63) reduces to:
N
E (Li) A
MS= (- D+J
) (NB1 (3.73)
A~j= Availability of any substate in state j

A.k= A,,(i+ 1), A, (i+2) ........ A,
A,= Availabi!ity of any border state (all border states have same availability if all units identical).
In the event that all units have identical values of A and ; (3.71) reduces to:
N-'vL
N 0 r A (N-v-i ) (3.74)
49
A
Ar)= Availability of any substate in system state (N-v)
I~v
iiK
A failure rate of the ith operating unit in state (N-v).

For the two-unit redwudant example previously described:
a 2)L2
M. A+3X2
2A
which of course duplicates the results of (3.72)

As can be seen, this procedure like the preceding, has the advantages of simplification and time
over the classical methods to evaluate the mean time to failure of a full-on system. It has one
advantage over the previous expectation transition, combination method in that it is capable of
handling systems of parallel units of different values of X and A,. Its shoitcoming is that the reliability
of the system expressed as the probability that the system will operate over an interval of time (0,T)
with no failure, cannot be determined.
3.7 Systems Periodically Maintained

In previous sections, we have considered systems which were not maintained, and systems which
were maintained immediately after foilure. In this section, we will consider redundant systems which
are only periodically maintained (a system is placed in operation, then left unattended; evcry T hours a
main'cnance team visits the system and repairs all unit failures). Let
f(t) = density function of failure for the redundant system.

ThenT
TeR(T) =1 - f f(t)dt = probability that the system will be on at the end of T.
0
If the system is still operating at T, then the operating time for system is T. If the system fails at t in
(0,T), then the operating time for system is t. Therefore, the avxcrage unin'tmmpted operating time of a
system in (0,T), MK, is given by
MT - TR(T) + ftf(t)dt
f0
TR(T) + t(l-R(t))10- J(1-R(t))dt

R(t)dt
0
50
-- A
It is possible for a system to fail before the first cycle (0,T) is c3nplete or it is possible that the system
will not fail until the Nth cycle is complete. Therefore, if we had a large number of such systems (X)
in the field and intended to so maintain these over a long period:
R(TI) = proportion of systems surviving the first cycle with no failure
R(T) 2 = proportion of systems surviving 2 cycles with no failure
R(T)3 = proportion of systems surviving 3 cyc!es with no failure
R('Fr Proportion of system surviving the first N cycles with no failure. Thert•ore, of the original X
systems
Cycle No.
1 X systems would operate uninterruptably for an average of M, hours each before failure
2 R(T)X systems would operate uninterruptably for an additional MT hours.
3 R(T) 2X systems would operate unintcrruptably for an additional M, hours.
SN R(T)N''I X systems would operate uninterruptably for an additional Mr hours.

And the average uninterrupted opetating time to first failure per system is
N-i
KrT[I +(EX[R (T- ]
Mil
But
N-1
+I - a progression of the form
a, ar, ar ....arn
with sum:
51
Lm
i~i- ---. ~
- =
Since:
( 1 SN "R(=•) as N gets arbitrarily
large. Hence:
Average uninterrupted operating time to first failure M,
T
t "R(tdt
0
3.8 I tof Redundanc on Maintainabilily

The analysis of redundant systems is almost always concerned with the impact of that decision on
reliability or mean time to failure. It is seldom related to impact on maintainability and mean time to
xepair1R andcritically.
total maintenance hours required (which impacts support cost)..Yet, redundancy impacts
these areas The following sections quantitatively destcribe such effects.
3.8.1 Redundancy impact on Mean Time to Repair (Full on Redundancy)

Take a system composed of L units, D of which have to operate in order for the system to
function satisfactorily. Recalling the notation of the last section define those states in which the
system is considered failed. This would be states:
N4 1 When (D-1) units arc operating, (I-D+ 1) under repair

N + 2 When (D-2) units are operating, (I-D+2) under repair
L When 0 units are operating, L under repair.

Define the substates associated with each state (Z,) and the availability of each substate Aj
(where A,= the availability of the ith substate associated with each system state j) Through
knowledge of the availability components of such stetes and substates, we will form the ratio:
~xpected time the system is in a failed state

Expected niumber of transitions from an operational state to a failed state (Failures)
=the expected time that the (3.75)

system is in failed state
From (3.67), the number of failures expected in T:
52
K
=T E.ABi 1Bj
-ti-
L z
.. Z A - average system down time (3.76)
+ J-N+1 i.4
K
E -%i 'Bi
.fi
when all units have identical values of A, and 1A the average system down time
D L
M: F.( -i A s (S+i)
•.i-i __ _ _ _ _ _
For example, for a 2 unit parallel system with equal values of X ad

dA. the average system
down time
2 2
3.8.2 Redundancy effect on Total Maintenance Time (Full on Redundancy)

Let:
(I-A )= Proportion of time unit is under repair (assumcs repair starts as soon as unit fails).
T(I-A ,)= Expected time unit is under repair (over a long time interval 0,1).
Oiven L redundant units
L
T E; (1--Ai) 'Total maintenance time expended (3.77)
i-i
on "ystern
If all units have identical values of X, and 1L(3.77)rcduces to
Total maintenance time expended (3.78)

11+ X,
on sysateam
53
I
A
Cormparing the above with a simplex system with total maintenance time expenditure of:
AT
It is clear that with every unit added to increase reliability maintenance time increases proportionately.
3.9 Efficient levels of Redundancy

The question arises as to what degree redundancy should be applied.
Should it better be agplied at the system level, subsystem level or the unit level? There is, of
course, no general answer to this question. Much depends on the nature of the application at hand. In
some instances, due to practicality, cost or the engineering nature of the system itself, only one course
of action is possible. In the event, however, that no constraints are evident on the level of redundancy,
which level should be chosen?
Assume that the system in question is denoted as A in Figure 3.3. A may be partitioned at will into
(L) modules, all having identical failure rates X,and the total failure rate of A= Lk. It is necessary to
improve the reliability of A and the only available means to realize this improvement is through the
application of redundancy. How does the level of redundancy chosen affect reliability?
Let us assume that due to reasons of economy only one redundant unit can be considered. Shall we
(1) make system A redundant with System B (Its redundant entity)?
(2) break up System A into 1. modules? break up system B into L modules and make each module
of B redundant to its corresponding A module? And, if we choose the latter, what is the sensitivity of
rcliabiliy to the partitioning scl(.e chosen?
Using (2.3) the mean time to firt failure (M) of the system described equal to
1
L (I)K+1 2K 1
K-i K! (L--K) S-1
Since in this case N= 2

where: L= number of nodules the system can be broken down to
X= failure rate of each module
Aom=LX= failure rate of the single syscem
mean time between failure of the single system.
X6 AL
The above equation may be written as:
L L ( +1 ' 2K
0 ,K-L K! (L-K2 S.-i
Treating L in the above as a variable and. X,as a cor.stant, M cani be evaluaited as a function of tie
degree of partitioning practiced (the value of L).
:54
' I
qI
Assuming that for each module, formed connectors and perhap even buffers or trarnsducers must
be added such that the failure rate increases as the number of modules increases,
L L K+1 L 2K I
pK - K t T- '.T.
R-1 S-s
where p- prtortionste iucrease in single module failure rate as a consequence of redundancy

application.
Forp= 0 am p= .1
M is MloWd in Figure (3.4) As a function of (QM).
iI END
tI
I3DUIU.LDUJL MODUIX
12 L
- I j
ii I
i•gSure 3.3 Division of Equipment A Into Any Number oi Modules
55
I.
kA
!4i.
4812 16 20
L =# of Modules the equipment is partitioned into

A,-Failure rateJNModule
Rdiahiflt improvement As A Consequence of PartlItwning

Figure 3.4
56
APPENDIX A
From (2.2) we have:
M [" (f - e[0 ) ]- dt (Al)

0
i~t:
S~pu e-At
Then (Al) is transformed into:
1 f dp
Rec:allng the specizal case of the binomial series:

pp
1 ' [I- (I-p)NJL (A2)
and equating ( 1 -p)" x, (A2) is transformed into:
• ! f! •:(k) (--)k (I-P)k dp

'• •,0 pk-0
S~(A3)
( k I -A
,- I f I d p + 1 - L' (k-
1Lk kN - k
Now: integrating by parts yields:
0f p dp-- ý
9,-1 a1 * 0 -p
57
'I
(A3) ca, *ptefore be expresied as:
L . N~
M- " (.) (- 1)• E.

k I kSi ,
which implies (2.3)
/'~
58
APPENDIX B
Taking Laploe transforns of equations (3.18) to (3.20) and defining initial conditions yields:
I
1- (2X.+S) p2 (a) - ip 1(s)

0- - (s+9-I+) pl(s) + 2P12(s) + 2pPo((s)
0- Xp(a) - (s421A) po( )
the above simultaneous equations can be easily solved for p0(s)
•. PO~~~(s)
(+w9-A-) LS+2(p+X,)..
which implies
VO -- -2 + 2 -2(X4-ji) t 2A2 e- (p)t

2 22
Noting that
p (W= P 2 (t) + P 3 (t)w 1 - 0(t)

we have (3.25).
t
59
-
BIBLIOGRAPHY
1. Applebaum, "Steady State Reliability of Systems of Mutually Independent Subsystems" IEi'E

Transactions on Reliability, March 1965.
2. Aroian, "The Reliability of Items in Sequence with Sensing & Switchin'g", Redundancy Techniques
for Computing Systems, Sparton, 1962.
3. AlIlen, "Comparisons of Two Practical Redundancy Models," 1964, National Winter Symposium on
Mil. Electronics.
4. Balaban, "Some Effects of Redundancy on System Reliability," Res. and Dev. Reliability, 1961.
5. Balaban, "Reliability of Switching Mechanisms," Air Foce -Contract, AF 30(602)2!43, 1960.
6. Barlow and Hunter, "Mathematical Models for .:ystem Reliabiliky," Sylvania Techtologist, Jan.
1960.
7. Benning, "Reliability Production Formulas for Standby Redundant Structures," IEEE Transactions
on Reliability, Dec. 1967
8. CEiR Corporation, "Reliability Techniques Applied to Electronic Systems," Company Publication,
June, 1963.
9. Chow, "Reliability of Some Redundant Systems with Repair," IEEE Transactions on Reliability,
Oct. 1963.
10. Courrant, "On Orbit Maintained vs Redundancy Tradeoff Study," 9th Annual West-Coast Reliability
Symposium.
11. de Pian and Grisamore, "Reliability Using Reýunancy Concepts," IRE Reliability Transactions,
April, 1960.
12, Dick, "Reliability of Repairable Complex Systems," 5th National Ionvention on MIL - Electronics.
13. Dick, "The MTBF and Availability of Complex Redundant Systems," 1903 Conference on
Electronic Reliability.
14. Dolazza, "System State Analysis ant Flow Graph Diagrams ;n Reliability," IEEE Transactions on
Reliability, Dec. 1966.
15. Dostert, "Applications of Von Neumann Redundancy Techniques to the Reliable Design of Digital
Circuits," RADC Report 167-1-293, 1962.
16. Einhorn, "Reliability Production for Degradable and Non-Degradable Systems," Air Force Contract,
(FJDTOR-63-642)
17. Epstein & Hosfoid, "Reliability of Some Two Unit Redundant Systems," 6th National Symposium
on Reliability.
18. Epstein et al., "Reliability with Allowable Downtimes," 1969 R & M Annals of Assurance Sciences.
19. Feller, "Probability Theory and its Applications," Wiley, 1950.
20. Flagle etal., "Operations Research and System Engineering," John Hopkins Press, 1960.
21. Hall et.al., "Reliability of Non-Exponential Rcdundant Systems," 1966 Annual Symposium on
Reliability.
22. Hocl, "Introduction to Math. Statistics," Wiley, 1954.
23. James et.al., "Redundancy and the Detection of First i'ailurcs," IRE Transactions on Reliability,
Oct. 1962.
24. Kletsky, "Se.f Repairing Machines," RADC Report TR-61-91 A- 1931.
25. Kneale, "Reliability of Parallel Systems with Repair and Switch.;," 7th Symposium on Reliability
and Quality Control.
26. Mann et.al, "Methods for Statistical Analyses of Reliability and Life Data," Wiley, 1974.
27. McGregor, "Approximation Formulas for Reliability with Repair," IEEE Transactions on
Reliability, Dec, 1963.
60
28. Moskowitz, Fred, "x .e Narre and Behavior of Redundancy Networks and Ftwctions" RADC
Report, PADC-TR-,O-4, 1960, AD # 237916
29. Pukite, "System Reliqbility Analyses," Honeywell Tech. Report M-417.
30. Sa,-,ty, "Mathematical Methods of Operations Research," McGraw-Hill, 1959.
"31. Tiger & Smith, "Methodology for System Reliability Analyses," 8th Symposium on Reliability and
Quality Control.
32. Walker, "'art Reliability vs. Redundancy Tradeoffs," 1Ith Natior.al Symposium on Reliability. I
I
II I4
61
iI
i611
-I
MISSION
Rom Air A veiopwet C'enwe
"Wile4
and dortLAo
Arai*~ of jAfnTd w
lxt*Jligmc* ft ietmimzal toke
intoa
rtawla &ramio
Are o~os~o~ko , satceftwidtic gao ka anid aw*mtls,

mujrmill~aw of wo~md mad ttcwpocw zbiwfta' lJtw1lgaw
dabsi *D.Uoftioi and &wmdling, Infomtiston 85y*'w- trQLmo~on),"
urimbwc' propmgatom, swlld &tat*oalwm,~. j.Lc4-A~vs
~A*pew mane.1&tmwic roiaW1AttV, =dzaait lle~~ty 4Wi
mi*.ty.

A Redundancy Notebook

Uploaded by

Copyright:

Available Formats

A Redundancy Notebook

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Redundancy Notebook

Uploaded by

Copyright:

Available Formats

o ~RADCs'Tf-77-2h?

Apparoed for publit rele~as; ditettbut1im unl~nted.

I tKME AM OMVLOPAtWT CEK4TE

IUWY -7 has been

Acting Chief, Plans Office

Do not return this copy. Retain or destroy.

1, W 77l) S. TYPE OF REPORT & PERIOD COVERED

I, /" -- ' 'In-House Report

Rome Air Development Center (RDRT) NIU1

Griffiss AFB NY 13441 J" " 7/a F=

Rome Air Development Center (RBRT) Deqg.77

I. MONITORING AGENCY NAME & ArIDRESS(If difierll i

It. DISTRIBUTION STATEMENT (of shid Report)

Approved for public release; distribution unlimited.

1I. SUPPLEMENTARY NOTES

DD 1oA. 1473 EDITION OF I NOV 0S IS ODSOLE•i UNCLASSIi;*)

1.1 Summary of Redundancy Topics 2

where W(t) denotes the failure density function.

M- t R(t) ] + f'R(t)dt (X.4)

Now O'R(O) 0 and

where h(x) denotes the hazard rate, i.e. h(x) - W(x)

M1= f R(t)dt (1.5)

1.2.2 Definition of R(t):

1.2.3 Probability Basics

P (BI+B 2 .. Bk) E P(B )

P(A+B)- P(A) + P(B) - P(AB)

For three such events:

P(A+B+C)- P(A) + P(B) + P(C) - P(AC) - P(AB) - P(BC)

- P(BB 3) - .... P(BK.IE,) + P(BIB2 B 3)

+(-l) K-1 P(B,B, ... BK) .....

P(A,Aj ... AK; = P(A)

1.2.4 The Block Diagram

P(A+B)- P(A) + P(B) - P(AB)

rigure 1.1 Two Redundant Unit,

Figure 1.2 Three Series Units

1,2.5 Types of Redundancy:

X- failure rate of unit

t- operating time in question, and

R(t)- f1r(t,X)dt- e-Xt- probability that unit will not fail

Hpve!2.1l .LRdiundavid Stbsystogiio ill So~ries

- The reliability oi' any unit (i) equal R(t,) e".

M- f{3.- (.-.e- )N)Ldt (2.2)

The quantity of interest, XM, where:

MTBF of the s.steLm

ii; thus given by:

N and L are shown ir.

SR(t)- I- (.-e-t) N (2.5)

I wi¶h corresponding meantime to first failure:

with corresponding mean time to first failure given by:

2.2 Binomial Redundancy (multiple operating units required); Full on Redundancy

R(t)- Z (kN)(e Xt) k(l-e )N- k (2.9)

with correspontding mean time to first failure given by:

2.3 State Transition Model: Full on Redundancy

Xi= failure rate of each unit.

and which corresponds to equation (2.10).

2.4 Standby Redundancy (sirigle unit necessary for survival)

10-..... .... ....

N = number of units in a subsystem

The reliability of a system composed of I. such subsystems may be shown to be:

Ri't) [-tEX (XI-" (2.15)