You are on page 1of 27

Metadata of the chapter that will be visualized in

SpringerLink
Book Title Applied Cyber-Physical Systems
Series Title
Chapter Title Principle oI Active Condition Control: Impact Analysis
Copyright Year 2013
Copyright HolderName Springer Science¹Business Media New York
Corresponding Author Family Name Carbone
Particle
Given Name 1ohn N.
SuIIix
Division
Organization Raytheon Tactical Intelligence Systems Garland
Address Garland, TX, 75040, USA
Email jcarbone¸raytheon.com
Author Family Name Schagaev
Particle
Given Name Igor
SuIIix
Division Faculty oI Computing
Organization London Metropolitan University
Address London, N7 8DB, UK
Email i.schagaev¸londonmet.ac.uk
inIo¸it-acs.co.uk
Abstract This paper develops a conditional reliability model Ior an operational liIecycle oI a periodically used
vehicle such as aircraIt, considering the option oI real-time update oI aircraIt conditions and related Cyber
Physical System (CPS) Iramework Ior real-time collection, processing, analysis, and actionable control.
The eIIiciency oI maintenance is analysed. Paradigm oI active conditional control timing (ACT) is
introduced, aiming an overall improvement in reliability. The eIIect oI active condition control is estimated
taking into account (a) awareness oI possible Iaults during the aircraIt mission and (b) periods oI
maintenance sequences over liIe cycle. Shown is that active conditional control supported by maintenance
procedures could substantially improve aircraIt mission reliability.
Keywords (separated by '-') LiIe cycle - Mission reliability - Active conditional control
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
1
Chapter 15
2
Principle of Active Condition Control:
3
Impact Analysis
4 Igor Schagaev and John N. Carbone
5 The Cycles of Maintenance
6 Existing regulations require that maintenance for aircraft should be performed
7 periodically according to the schedule defined using manufacturer data. Mainte-
8 nance periods are accompanied by intermediate checks based on the actual load
9 and annual checks [1–4]. Unfortunately, as outlined by [5–8], only a small pro-
10 portion of world aircraft fleet are maintained according to this schedule.
11 The lack of an effective policing of maintenance and safety requirements in
12 aviation is a major contributory factor for poor safety and thus provides little
13 benefit for aviation [9, 10]. When safety checks are mandatory and performed by
14 an independent body a certificate for permitted vehicle use is issued. Regretfully,
15 the coverage of checking is highly unlikely to be considered as complete [11],
16 making risk of aircraft use substantial and unavoidable.
17 Even properly maintained aircraft on the ground does not guarantee reliability and
18 safety of an aircraft during flight. Until now neither control nor flight safety man-
19 agement system has taken into account an information about faults that the aircraft
20 may already have; does not prove or monitor quality of maintenance, does use in real
21 time structural models of aircraft and does check deviations that are developing. This
22 creates a situation where the decision to use the aircraft for the next flight is taken
23 almost voluntarily, based more or less on trust. Note that the quality of certification
24 depends heavily on human factors (existing qualification, training, integrity etc.).
25 The ‘‘Observer’’ publication (21st Aug 2005: ‘‘Airline pilots ‘lack basic skills’’’)
26 revealed that the risks associated with poor training are real concern in the CA
27 segment). In turn, recent accidents: June 2009 (A330 AirFrance), November 2010
I. Schagaev
Faculty of Computing, London Metropolitan University, London N7 8DB, UK
e-mail: i.schagaev@londonmet.ac.uk; info@it-acs.co.uk
J. N. Carbone (&)
Raytheon Tactical Intelligence Systems Garland, Garland, TX 75040, USA
e-mail: jcarbone@raytheon.com
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 1/24
S. C. Suh et al. (eds.), Applied Cyber-Physical Systems,
DOI: 10.1007/978-1-4614-7336-7_15,
Ó Springer Science+Business Media New York 2013
1
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
28 A380, Boeing 747 (Quantas), 2012 complete mishap with A380 wings show that
29 neither design of aircraft nor their control systems are satisfactory reliable.
30 Two idealistic approaches that might improve maintenance and aviation safety
31 have been pursued so far: (a) changing human nature by special training and
32 retraining (i.e. unfounded optimism) or, (b) changing the world (i.e. improving the
33 quality of maintenance and upgrading landing strips to airfields with proper
34 maintenance facilities), making maintenance obligatory—neither is realistic nor
35 feasible.
36 What is possible? An answer is in a designing a CPS system that is able to
37 perform high quality analysis of aircraft conditions using accumulated and current
38 flight (or mission) data from aircraft devices and knowledge of aircraft structure.
39 Existing and new information technologies might be extremely helpful to imple-
40 ment this goal by making device and software for this kind of monitor. The results
41 of this real time monitoring of conditions, when necessary, could supply relevant
42 information about the current state of an aircraft for flight crew on board and
43 operators, maintenance team, insurers and designers on ground. This allows cor-
44 rect decisions and ‘‘prescribing’’ procedures for aircraft maintenance. Above all,
45 this analysis can run continuously on board and request recovery or servicing when
46 necessary during and after flight.
47 The concept of preventive maintenance [10] has been known amongst aviation
48 academics for a long time, but was never actually implemented [7]; two accidents
49 with Rolls Royce engines with two days of 4th and 5th of November 2010
50 manifest the lack of knowledge and ability to apply them to keep required level of
51 reliability for aircraft engines. To some extent preventive maintenance is pro-
52 gressing in the automotive sector, mostly for aggregation of information of wear of
53 parts and the amount of vehicle use [6], but, again, volume of recalled cars due to
54 poor reliability for Toyota, Mercedes and other brands exceeds hundreds of
55 thousands every year, manifesting that existing concepts of preventive mainte-
56 nance and quality of design are not sufficient or efficient.
57 The approach proposed here is called principle of active condition control
58 (PACC), concept of active system safety was registered 20/09/2010 by European
59 OHIM, No 008895674 and patented [14]. At the same time, no matter how good
60 principle was introduced without implementation it has largely rhetoric value. To
61 be implemented PACC must include model of aircraft feasible for real-time
62 application, special on-board hardware and system software. This includes con-
63 tinuous, detailed dependency capture and analysis during development cycle,
64 combined with PACC aircraft model, and combined with real-time analytic
65 focused aggregation and processing of real-time aircraft data. Note that a pilot
66 can’t be involved in handling critical conditions—processes and complexity of
67 control systems as well as aircraft designs do not leave a room for manoeuvre:
68 humans become a weakest link and can’t be considered as an element of active
69 conditional control approach. This system has to monitor aircraft (or vehicle)
70 conditions, call it active condition control monitor (ACCM). To have any credi-
71 bility, ACCM itself must be ultra reliable in three ways:
2 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 2/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
72 1. Always be available, even though the aircraft itself may not be serviced to
73 schedule.
74 2. Always offer safe and relevant actionable advice based on the current condi-
75 tions, using previous flight data, current flight data and trustworthy analysis.
76 3. Present an action plan to conserve or improve conditions by avoiding risk,
77 which is credible in its own right and transparent and clear to the operators,
78 crew and other relevant institutions.
79 80 There are some challenges regarding determination of conditions of aircraft
81 during flight: the amount of flight data available is approaching hundreds of mega-
82 bytes, the complexity of fault free models of aircraft is growing, whilst while mod-
83 elling of deterioration of aircraft conditions is an order of magnitude more complex.
84 But PACC has no palliatives: it only has abilities to determine a vehicle
85 conditions and to react timely on their deterioration lowering the risk of use.
86 Secondly, the reliability of the existing parts of the aircraft will not be improved
87 in the foreseeable future; in fact, they will gradually degrade due to aircraft aging
88 and exploitation. In turn, complexity of modern aircraft complicates an overall
89 reliability improvement.
90 Thirdly, the reliability of any safety and reliability control system must itself be
91 extremely high (‘‘who watches the watchers?’’) and faults possible in it should be
92 isolated in terms of impact on aircraft operation. This kind of systems has to
93 function over the whole life cycle of aircraft, without maintenance (‘‘zero main-
94 tenance’’ approach was proposed by author of this paper in 2007 [15]).
95 So far, ‘common sense’ suggests an improvement of reliability and safety level
96 using the aircraft’s actual use and then advising on reliability and safety of its
97 future use. This introduces the need of the continuous and instantaneous assess-
98 ment of the aircraft reliability. Thus, to implement active conditional monitoring
99 one has to use current and accumulated flight data and create a model of aircraft,
100 capable of assessing point availability in real time. Additionally, to produce a
101 quality real-time result a CPS system framework must be instituted to reliably
102 handle the vast information ingest and data interchange. Simultaneously, the
103 framework must analytically process fast enough to provide a productive instan-
104 taneous assessment of the situation and thus an actionable predictive human usable
105 result. Using this might improve mission reliability, i.e. the probability of
106 successful completion of the flight. Above all, it is necessary to predict potential
107 risks/faults and anticipate corrective or preventative action to improve/maintain
108 safety of operation and its successful completion.
109 Information Content Management and Active
110 Conditional Control
111 Modelling dependencies of vast arrays of components within an aircraft for PACC
112 is arduous and complex. Here we discuss how PACC can be applied to existing
15 Principle of Active Condition Control: Impact Analysis 3
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 3/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
113 designs and discuss the added benefits of planning for PACC from the beginning
114 of a new design cycle to achieve optimal performance. Hence, how much
115 knowledge is enough knowledge? What threshold of knowledge must be achieved
116 about a system or a set of its components to make an informed PACC decision?
117 How coupled or decoupled is the existing design? These are questions which have
118 discrete answers when discussed within discrete contexts. For example, a system
119 might have a functional requirement to include an oil pump. The pump will be
120 rated as viable to a certain amount of use/miles/flight hours etc. and hence, due to
121 the imperfect nature of reality, has a set of design parameters which provide
122 information about a range of usage as opposed to an exact time. The oil pump is
123 also a core sub-component of a larger system which has its own range(s) and set of
124 independence and inter dependencies. Historically, Complexity Theory [16]
125 provides solutions to minimizing information content and understanding design
126 ranges, functional requirements, dependencies, design parameters, & constraints,
127 as well as, the coupling and decoupling within a design. PACC takes advantage of
128 complexity theory by maximizing effectiveness thru minimizing the amount of
129 information content, as shown in Fig. 15.1, necessary to understand a situational
130 range and to solve the right problem. If PACC planning is performed early during
131 the beginning of a design cycle, an optimized model is produced a priori, and
132 hence PACC has a more accurate model as initial input. This minimizes the time
133 and analysis required to implement PACC for a given design.
134 Preventive Maintenance Versus Active Conditional Control
135 Current monitoring and maintenance systems do not provide in-depth knowledge of
136 aircraft conditions; they suffer from latent (hidden) faults and therefore do not
137 prevent or reduce the degradation of safety. In principle, any conditional moni-
138 toring system is implementing generalised algorithm of fault tolerance (GAFT) as
139 introduced in [12], (see Fig. 15.1). In such systems, steps A, B, D, and E in
140 Fig. 15.2 are not implemented in real time of mission. It is clear though that real
141 time implementation of GAFT is essential for the purpose of active condition
142 control. PACC implementation includes a use of several types [12] of redundancies
FR
dr
u
p.d.f.
f(FR)
dr
l
System
Range,
p.d.f. f(FR)
Design
Range
|sr|
Common
Range, A
C
|dr| Fig. 15.1 Information axiom
minimizing information
content [17]
B
&
W
I
N
P
R
I
N
T
4 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 4/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
143 deliberately introduced in the system for implementation of steps of the algorithm
144 Fig. 15.2. However, the choice of redundancy limits the design process when new
145 features of an object are pursued.
146 The obvious question is: how active conditional control affects reliability and
147 scheme of maintenance of an object? A simple answer is identification of condi-
148 tion or state and actions to tolerate/reduce consequences makes possible to avoid
149 risky developments and, therefore, reduce harm and increase safety. An analysis of
150 the potential for reliability gain from PACC implementation is the goal of this
151 work.
152 The primary functions of ACCM are the evaluation of conditions and when
153 necessary execution of preventive maintenance. Maintenance here is considered in
154 a broad sense including PACC implementation of maintenance-on-demand during
155 and after flight as well as an increase of quality of periodic maintenance.
156 An aircraft is an object, with cyclic operation that in principle includes pre-
157 ventive maintenance procedures. In practice it is hardly the case. The approach to
158 periodic maintenance of aircraft is based on assumptions (which are sometimes
159 quite naive and over-optimistic) about the guaranteed high quality of maintenance.
160 Even when this periodic maintenance does take place the resulting state of an
161 aircraft is very difficult to analyse. Additionally, flight information, estimation of
162 condition of aircraft, its main structural elements as a system does not correspond
163 to before, during, and after flights periods.
164 Preventive maintenance for aircraft, as well as for other complex technological
165 objects with safety–critical functionality, was introduced in the early 1960s [10].
166 A simple Google search yields 1.3 million references for preventive maintenance.
167 Aviation-related preventive maintenance is discussed at least 96 K references.
168 At the same time, theory of preventive maintenance is mentioned in less than 100
169 references.
170 A possible reason for this gap difference is in the fuzziness of the meaning of
171 ‘‘preventive maintenance’’ and the justification of its proper application. Usually
172 those who use the term consider ‘‘preventive maintenance’’ from the position
173 of business school courses for managers of airports and aircraft service centres.
LOOP
A: Evaluate the conditions and processes in the system that create or might create a reduction of
the current or future safety or other properties (diagnosis and prognosis).
B: Decide about trends in the system in terms of condition change (and level of danger/risk)
using discrete, semantically driven or probabilistic models of the system (or combinations of
them).
C: Determine of the reasons (or faults, or event) that cause a detectable reduction or
deterioration of conditions or safety level.
D: Analyse the possible reactions and options available, including full or incomplete recovery
(management of system deficiency).
E: Form the set of actions to restore and/or recover conditions (or safety).
F: Estimate of the level of safety achieved (restored and/or recovered).
END
Fig. 15.2 The algorithm to implement PACC
15 Principle of Active Condition Control: Impact Analysis 5
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 5/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
174 The real meaning of the theory of preventive maintenance unfortunately is not
175 widely understood or well explained.
176 To the best knowledge of the author, Prof. A.Birolini [3] developed the most
177 comprehensive analysis of preventive maintenance with rigorous check of required
178 assumptions. An objective of this work is to apply this approach in the aviation
179 domain, assuming real-time checking of the aircraft condition and ability of pre-
180 diction of conditions deterioration.
181 The preventive maintenance might increase confidence about the aircraft’s
182 current state. To achieve this one requires the development of an aircraft model as
183 well as model for estimating an impact of fault on the system. One has to take into
184 account an estimation of efficiency of this implementation.
185 Challenges in the area of preventive maintenance are:
186 • Dependence of the periods of preventive maintenance on parameters and data.
187 • Role of checking and testing coverage on quality parameters.
188 • Development of generalised model including these two factors.
189
190 The last bullet point deals with efficiency of processing of flight data and
191 evaluation of system condition pre, during, and post mission. Then preventive
192 maintenance development is based upon:
193 • Introducing of PACC.
194 • Development of a model for preventive maintenance based on conditional
195 probability.
196 • Reasoning and inference about assumptions of preventive maintenance.
197 • Analysis of main factors that influence on the period of preventive maintenance.
198 • Evaluation of an impact that PACChas on the policies of preventive maintenance.
199
200 Some criteria for judging PACC success are:
201 • How big is a gain of PACC in comparison with classic preventive maintenance?
202 • Can PACC allow varying periods of maintenance as a function of a condition of
203 an aircraft proven/evaluated/estimated during flight, using flight data processing?
204 • Can PACC’s real-time ingest and analysis, provide finer grained fidelity to
205 in-flight system health inferenceing and to post flight cause-effect analysis?
206 • What level of mission reliability can realistically be achieved?
207
208 It is certain that full coverage of all possible faults of the complex systems
209 cannot be achieved in practice. It is also certain that 100 % level of confidence of
210 estimations of aircraft conditions cannot be guaranteed. So, how far can we go
211 here? Can we provide clear and substantial coverage of faults and define trends
212 especially the most dangerous ones that lead to accidents? How does a PACC
213 implementation define or change the period of preventive maintenance? Can PACC
214 support required maintenance by location of possible faults, and does it reduce the
215 overall inspection time? It is at least intuitively clear that implementation of PACC
216 increase flight safety and aircraft reliability. However, justification of the gain
217 might be required to achieve economic efficiency of a PACC implementation.
6 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 6/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
218 PACC, Conditional and Preventive Maintenance
219 Preventive maintenance estimations deal with processes of system degradation due
220 to wear and tear, i.e. due to ageing of materials and the effects of utilisation.
221 Purpose of conditional maintenance is to detect hidden faults and to anticipate
222 latent faults to avoid their occurrence in a timely way and thus avoid actual fault
223 impact on the system. The so-called latency of the fault is a phenomenon of the
224 possible trend of a parameter, which is related to a fault (or faults). Latency also
225 might have another reason, caused by erroneous decoding of a fault. This happens
226 when the aircraft or vehicle is used in limited modes of flight and/or recorded
227 parameters and variables are not representative, etc.
228 Let us consider an aircraft as a repairable structure with periodic maintenance at
229 T
PM
, 2T
PM
,…; at t = 0 consider the aircraft as new. Initially we analyse the
230 aircraft reliability assuming that the elapsed time of periodic maintenance is
231 negligible in comparison with the time of aircraft operation—(quite a realistic
232 assumption as *300 flight hours correspond to *0.5 h of maintenance in com-
233 mercial aviation, further (CA).
234 Further research might introduce a non-negligible period of maintenance (PM).
235 There are other factors that influence reliability: repair time, incomplete coverage
236 of testing and quality of maintenance. It might be interesting to investigate more
237 advanced features and assumptions derived for PACC implementation for an
238 aircraft implementation such as sensitivity to coverage of testing, reduction of
239 maintenance time due to real time (RT) processing of flight data and growth of
240 maintenance quality. Recent papers [12, 13] cover the role of malfunctions in
241 reliability of the system and initiates research in this direction. Other promising
242 research areas in reliability modelling are:
243 • The impact of the volume of data on quality of evaluation of vehicle condition.
244 • Time of processing of flight (current) data.
245 • Reliability vesus models available (‘‘are the structure models available good
246 enough?’’).
247 • The impact of flight data on safety (‘‘how much we need to know to be safe?’’).
248 249 In data dependencies further areas of required research are:
250 • The relationship between accumulated and current flight data to define
251 condition.
252 • Data integrity in the long term (distillation of flight data trends).
253 • The efficiency of data access for evaluation of conditions according to PACC.
254 255 Organizationally, a better policy of maintenance can be developed if the funda-
256 mental model includes in its implementation plan, the introduction of support for
257 unavoidability of maintenance procedures and spreading the cost of maintenance.
258 Both features should be considered for maintenance policies with and without PACC
259 implementation. This research is also might be helpful in convincing insurance
260 companies to revisit current policies existing at the aircraft and similar markets.
15 Principle of Active Condition Control: Impact Analysis 7
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 7/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
261 Conditional Maintenance
262 Let us assume that maintenance takes negligible time, relative to the operational
263 life of the aircraft. Four options are possible here:
264 1. PM is not performed and the aircraft is considered as good as new.
265 2. PM is not performed and the aircraft is considered as non-suitable for further
266 flights (e.g. because some resource necessary for flight is exhausted).
267 3. As a result of testing procedures the aircraft is considered not to be flight
268 worthy (due to insufficient test completeness or test trustworthiness) and PM is
269 not performed.
270 4. The aircraft is considered to be potentially not flight worthy and PM is per-
271 formed instead of a full-scale repair.
272
273 The fourth assumption is now explored. Ideal maintenance assumes that at
274 times 0, T
PM
, 2T
PM
,… the system (aircraft) is ‘as good as new’. The reliability
275 function for the aircraft without preventive maintenance is:
276
R t ð Þ ¼ 1 ÀF t ð Þ for t [0; R 0 ð Þ ¼ 1 ð15:1Þ
278 278 where F(t) is the distribution function of the failure-free operating time of a single
279 item structure and, for simplicity, it is assumed that it is represented by the
280 exponential distribution F(t) = 1-e
-kt
in the period t, and k is constant. Intro-
281 ducing conditional maintenance changes the form of the reliability function for the
282 aircraft as follows:
283
R
PM
t ð Þ ¼ R
n
T
PM
ð ÞR t ÀnT
PM
ð Þ for nT
PM
\ t n þ1 ð ÞT
PM
and n ¼ 0; 1; 2; . . .
ð15:2Þ
285 285 R(t) and R
PM
(t) give the probability for no failures (faults) in the period (0, t),
286 without and with ideal maintenance.
287 If an aircraft is considered as a system without maintenance and repair then its
288 reliability in its simplest form (assuming a constant failure rate k) can be presented
289 by the reliability function given by (15.3):
290
RðtÞ ¼ e
Àkt
ð15:3Þ
292 292 R(t) per Eq. (15.3) is depicted in Fig. 15.3, with k = 0.3 and time parameter
293 t = [0…10]. Figure 15.2 solid line is R(t), dashed line is threshold R
o
. Threshold
294 0.2 was chosen very low to increase visibility. The dot-and-dash line marks the
295 point where R
o
is reached the system condition when aircraft or system should be
296 put out of service.
297 The threshold R
o
(straight line) represents the minimum level of system reli-
298 ability required to continue safe operation. For this example, R
o
= 0.2 (chosen
299 particularly low to increase visibility), the reliability approaches the threshold R
o
300 at time 5.4. Aircraft in modern management schemes should be serviced when
301 aircraft condition reaches a certain level. This approach is known as conditional
8 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 8/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
302 maintenance. Usually evaluation of conditions of aircraft after maintenance is
303 overoptimistic and assumes, in particular, that maintenance fixes all possible faults
304 in the aircraft. This makes it possible to set maintenance procedures periodically,
305 at times when the model shows that reliability is reaching the point when main-
306 tenance is necessary and considering an aircraft as good as new after maintenance.
307 Note that assumptions of ideal conditional maintenance and threshold level of
308 reliability allowed are combined to define the size of intervals between mainte-
309 nance activities. Existing practice tends to set maintenance intervals to be equal.
310 Formally, the reliability function R
PM
(t) with ideal conditional maintenance is
311 based on the following assumptions:
312 Assumption 1 100 % coverage i.e. maintenance restores the system completely
313 Assumption 2 The interval between two successive maintenances is constant: T
PM
314 Assumption 3 Maintenance is produced instantly and does not delay the usage
315 schedule
316 In such a situation, it is possible to consider a mission reliability MR(t) as
317 reliability function between two successive periodic maintenance actions, i.e. with
318 t starting by 0 at each maintenance phase. For the case of constant failure rate k
319 this leads to (see Fig. 15.3).
320
MRðtÞ ¼ e
ÀkðtÀnT
PM
Þ
; for nT
PM
\t n þ1 ð ÞT
PM
; n ¼ 0; 1; 2; . . . ð15:4Þ
322 322 323 It is also possible to consider MR
n
(t) and assign the mission reliability to the
324 corresponding mission. As stated above, it is assumed that periodic ideal condi-
325 tional maintenance restores the system to the state ‘as good as new’. The approach
326 is well known in aviation and other safety critical industries as it enables reliability
327 theory to be applied for estimation of conditions of the system over life cycle of
328 operation. Note here that this kind of reliability models is quite optimistic and can,
329 at best, be used as a guide: firstly intervals between maintenance inspections are
R(t)
Threshold: R
O
Time when R(t) reaches R
O
Fig. 15.3 Reliability
function R(t) for the case of
constant failure rate k
B
&
W
I
N
P
R
I
N
T
15 Principle of Active Condition Control: Impact Analysis 9
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 9/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
330 rarely equal because aircraft are now used heavily e.g. in chain flights, with
331 interval between flights less than 1.5 h; secondly, commercial aviation suffers
332 from sporadic and far from perfect maintenance; thirdly as shown in [1] and above,
333 the quality of regular maintenance across all segments of aviation is far from ideal.
334 The main causes for this are a) the maintenance personnel, and b) lack of objective
335 models to define conditions of aircraft. Additionally, latent aircraft faults often
336 exist quite a long time: from some minutes up to several years see for example
337 recent case with A380 multiple wing defects). Therefore, more realistic assump-
338 tions are required for estimation of mission reliability.
339 Figure 15.4 presents a mission reliability function with ideal periodic mainte-
340 nance, where the solid curve is the mission reliability function, the dashed bottom
341 line is the acceptability threshold, and the dot-and-dash line indicates the perfectly
342 reliable state of the system, i.e., 100 % reliable. It is assumed full coverage of ideal
343 maintenance that returns the system to the state ‘as good as new’, and maintenance
344 periods are: T
PM
, 2T
PM
,…,nT
PM
.
345 Conditional Maintenance with Incomplete Coverage
346 Regretfully, the optimism of existing declarations about the quality of maintenance
347 and complete coverage of the system faults has short lived: in November 2010
348 alone aircraft accidents with A380 and Boeing 747 and A380 2012 multiple wings
349 mishaps show that coverage is far from required level. Denote coverage as a,
350 a \1. The mission reliability function assumptions are formally presented below
351 for the case of maintenance with incomplete coverage:
352 Assumption 1 Coverage is not 100 %. Coverage percentage is 100 a%, where
353 0 \a \1, and is assumed to be constant over all maintenance actions
354 Assumption 2 Maintenance is instantaneous and doesn’t delay aircraft schedule
355 Assumption 3 A threshold MR
0
of acceptable mission reliability is given (fixed)
356 Assumption 4 T
PM
is a function of several variables, including a, k and MR
0
MR(t)
Threshold: R
O
Perfectly reliable state: R=1
Fig. 15.4 Mission reliability
with ideal preventive
maintenance
B
&
W
I
N
P
R
I
N
T
10 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 10/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
357 Mission reliability is then calculated according to:
358
MRðtÞ ¼ a
j
e
Àk tÀ
P
n
i¼0
T
PM
ðiÞ

for
X
n
i¼0
T
PMðiÞ
\t
X
nþ1
i¼0
T
PMðiÞ
; T
PMð0Þ
¼ 0 n ¼ 0; 1; 2. . .
ð15:5Þ
360 360 361 The resulting mission reliability curve for this case is presented in Fig. 15.5.
362 Equation (15.5) is in particular true for a & 1. Note that system is as good as new
363 after the n-th PM and that as well a n restart by 0 at each corrective maintenance
364 yielding system as good as new. It is now assumed that maintenance takes place
365 when the system (an aircraft) reaches the threshold reliability i.e. when:
366
MR t ð Þ ¼ MR
0
ð15:5aÞ
368 368 369 This case has some theoretical interest, as it might be useful to analyse the role
370 of all the variables that define behaviour of period of maintenance T
PM
.
371 Calculating T
PM
(i), for i = 1,2,…,n, and taking into account the role of the
372 other variables such as MR
0
, a and k; then T
PM
(i) is given as:
373
T
PM
ðiÞ ¼
1
k
ln
a
iÀ1
MR
0
; i ¼ 1; 2; . . . ð15:6Þ
375 375 376 This model is more realistic, enabling to schedule maintenance when the sys-
377 tem (aircraft) reaches the threshold of acceptable mission reliability. Observe here
378 that the interval between successive maintenance inspections T
PM
(i) is shrinking
379 significantly along life cycle of aircraft operation. The relative decrease can be
380 evaluated by the rate of decrease of DT
PM
(i):
381
MR
O
MR(t)
Perfectly reliable state: R=1
Fig. 15.5 Conditional
periodic maintenance with
incomplete coverage
B
&
W
I
N
P
R
I
N
T
15 Principle of Active Condition Control: Impact Analysis 11
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 11/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
DT
PMðiÞ
¼
T
PMðiÞ
ÀT
PMðiþ1Þ
T
PMðiþ1Þ
ð15:6aÞ
383 383 or, by the function of the interval index:
384
DT
PM
¼
T
PMðiÞ
ÀT
PMðiþ1Þ
i
ð15:6bÞ
386 386 387 Figure 15.5 presents the function of mission reliability for the case of periodic
388 maintenance with incomplete coverage. The solid curve is the mission reliability
389 curve, the dashed line is the threshold, and the dot-and-dash line indicates the
390 perfect reliable state of system, i.e. as if 100 % reliable. It is assumed that while
391 the threshold is reached, maintenance is carried out. But for this example, because
392 of incomplete coverage, the mission reliability of the system cannot return to
393 100 % after maintenance, and the amplitude of recovery of conditions after iter-
394 ations of maintenance gradually degrades over time.
395 The actual condition of aircraft varies between thresholds MR
o
and MR(t)
396 between two successive maintenances. When mission reliability approaches MR
o
it
397 should be grounded in the interests of safety. Maintenance period shown with
398 picks defined by T
PM
, 2T
PM
, 3T
PM
,… etc.
399 Maintenance with Implementation of PACC
400 PACC introduces a new CPS process in aircraft management: on-line checking of
401 the aircraft’s condition. On-line checking is a process of real-time (during the
402 flight) checking of the aircraft’s main elements, including hardware (in general),
403 electronics and pilot. The aim of checking is detection of degradation or change in
404 behaviour and, when possible, recovery of the suspected element or subsystem,
405 conserving the system’s reliability and safety. When recovery is not possible the
406 preventive nature of PACC aims to reduce the level of danger, risk etc.—aiming
407 for graceful degradation of an object or service quality to the object’s users.
408 The Process of Checking and the Process of Maintenance are independent in
409 principle; thus they can be considered as concurrent processes as well as sequential
410 ones. The checking or maintenance activities can be started when required, when
411 possible or just when convenient. The main idea here is to carry out checking well
412 in advance when mission reliability MR(t) is higher than threshold reliability MR
0
,
413 making degradation of the aircraft conditions during flight less probable.
414 When applied together the processes of checking and conditional maintenance
415 may increase the reliability of the system. The gradient of this change is a function
12 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 12/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
419 419 419 419 of the quality of checking (coverage) and the quality of maintenance.
420 For consistency of analysis of the impact of PACC implementation we intro-
421 duce following conditions:
422 • A constant failure rate.
423 • Maintenance is not ideal and coverage is less than 100 %.
424 • Minimum acceptable reliability threshold is introduced as before.
425 426 Some other assumptions relate to the checking process. Formally, the mission
427 reliability function for preventive maintenance with an introduced online checking
428 process is based on the following assumptions:
429 Assumption 1 Coverage of maintenance is not ideal. Coverage of maintenance is
430 a
M
100 %, where 0 \a
M
\1, and a
M
is assumed as a constant
431 Assumption 2 Threshold MR
0
exists for MR (t)
432 Assumption 3 Online checking process is introduced. The period for checking is
433 T
PC
and T
PC
is a constant
434 Assumption 4 The system can dynamically scale. Thousands of checks may have
435 to occur within different time intervals. The resource processing pool is tuned via
436 scalable processes to keep T
PC
a constant per each required check
437 Assumption 5 After each online checking, the confidence about the system’s
438 conditions is increased, therefore MR(t) is also increased, and this confidence is
439 a
C
100 %, while 0 \a
C
\1 and a
C
is a constant
440 Assumption 6 The period between two successive maintenance inspections is
441 T
PM
(i). T
PM
(i) is a variable, actually a function of i, R
0
, a
C,
a
M
, k and T
PC
442 The mission reliability function (rigorously speaking conditional probability of
443 absence a failure in the previous checking period as it is clarified below) for an
444 aircraft is then calculated according to:
445
MRðtÞ ¼ MR
i
a
n
c
e
Àk tÀnT
PC
ð Þ
; for n T
PC
\t n þ1 ð ÞT
PC
; n ¼ 0; 1; 2; . . . ð15:7Þ
447 447 448 For MR(t) in Eq. (15.7) n stands for the n-th on-line checking period. For a new
449 system, MR
0
= 1. MR
i
follows from Eq. (15.5) as
450
MR
i
¼ a
i
M
; i ¼ 0; 1; 2 ð15:7aÞ
452 452 where i corresponds to the ith maintenance period, MR
i
denotes the initial value of
453 mission reliability at the beginning of a maintenance period, MR
i
a
n
c
denotes the
454 initial value at the beginning of an online-checking period respectively. Note that
455 n in Eq. (15.7) start at 0 at each maintenance period;
456 When the mission reliability of an aircraft reaches the threshold MR
o
it should
457 be grounded awaiting for preventive maintenance, so:
458
MR
i
MR
0
ð15:7bÞ
15 Principle of Active Condition Control: Impact Analysis 13
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 13/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
460 460
461 From a practical point of view, the online checking period should be constant,
462 as per Assumption 3 above, and the checking procedure should start at the
463 beginning of the following period. Suppose initially that checking takes no time,
464 and maintenance will be carried out instantly. Even if time delay due to the
465 checking process has to be considered, we still assume that the maintenance is
466 carried out only at the end of the following online-checking period. Let index n be
467 the serial number of an online-checking period, and index i be the serial number of
468 a maintenance period. The online-checking period T
PC
and the maintenance period
469 T
PM
(i) relates as:
470 • The online-checking period T
PC
is a constant, the maintenance period T
PM
(i) is a
471 variable.
472 • T
PM
(i) contains a certain number of T
PC.
473 474 With these assumptions mission reliability per Eq. (15.7) is shown on Fig. 15.5.
475 Figure 15.6 is an example of a mission reliability function under conditional
476 maintenance with on-line checking, where the solid curve is the mission reliability
477 curve, the dashed line is the threshold, and the dot-and-dash line indicates the
478 perfect reliable state of system, i.e., 100 % reliable. As shown on Fig. 15.6, once
479 an on-line checking period arrives, the latest system states are measured and
480 analysed.
481 After each online-checking process the latest system states are available and,
482 therefore, the awareness and confidence about the system both recover a little bit
483 (subject to no faults being detected), so does the mission reliability curve. When
484 the mission reliability reaches the threshold, maintenance is carried out just as with
485 preventive maintenance in Fig. 15.5. The rate of mission reliability degradation is
486 a topic for further investigation, searching for the ways to slow down a system
487 degradation using ICT technologies.
488 When no maintenance is scheduled for a long time (the actual situation in
489 commercial and general aviation) the mission reliability of an aircraft will reach
Perfectly reliable state:
MR(t)
Threshold:
Fig. 15.6 Preventive
maintenance with on-line
checking
B
&
W
I
N
P
R
I
N
T
14 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 14/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
490 the threshold MR
o
. The rate of mission reliability with on-line checking in fact
491 decreases slightly faster, due to added unreliability of checking system itself.
492 Checking with subsequent maintenance, on the contrary, increases mission reli-
493 ability. The gap of confidence between a point in time before checking and after
494 the checking will from now on be referred as a corridor of mission reliability.
495 The Mission Reliability Corridor: Introduction
496 and Definitions
497 The basic model of a mission reliability corridor d is defined using practical
498 assumptions and a set of scenarios as in the previous sections.
499 Suppose no serious system faults occur, and then the mission reliability corridor
500 is defined as the safe operational area where the curve is normally expected to stay
501 under the online-checking scheme. The corridor defines the value that mission
502 reliability curve could reach in each on-line checking period, and, therefore,
503 corridor effectively helps to decide when to carry out maintenance in order to
504 avoid violating the given threshold. On the other hand, the ‘width’ of the mission
505 reliability corridor will help to define the requirements for software and hardware
506 of the system that perform conditional control. Prediction or estimating of system
507 condition depends on volume of data, complexity of a model used and perfor-
508 mance of hardware, all integrated into allowable or not time delays. The corridor is
509 plotted in Figs. 15.7, 15.8, 15.9, 15.10, and 15.11 and represented as dotted lines.
510 Definition 1 In each online checking period, the width of the corridor d is a
511 constant and time independent. During the n-th online checking process a mission
512 reliability corridor d(n) is a function of n with width and given as:
513
dðnÞ ¼ MRðnT
PC
Þ ÀMRððn þ1ÞT
PC
Þ ð15:8Þ
515 515
516 Clearly the corridor under this definition becomes too conservative at the end of
517 each online checking period; the cause is that the amplitude of coverage by on-line
518 checking shrinks as time goes on, as illustrated in Fig. 15.7.
519 In other words, the upper boundary dU(n) and the lower boundary dL(n) of the
520 mission reliability corridor in Fig. 15.7 are given respectively given as:
521
d
U
ðnÞ ¼ MRðnT
PC
Þ ð15:8aÞ
523 523
524
525
d
L
ðnÞ ¼ MR ðn þ1ÞT
PC
ð Þ ð15:8bÞ
527 527 528 In Figs. 15.7, 15.8, 15.9, 15.10, and 15.11, the solid plot line is the mission
529 reliability curve, the dashed line is the threshold level, and the dot-and-dash line is
530 the initial reliability level. The dotted lines around mission reliability curve show
531 the corridor, and the vertical dotted lines indicate online-checking periods.
15 Principle of Active Condition Control: Impact Analysis 15
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 15/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
532 Definition 2 A time-varying corridor with the width d varies over time within
533 each online checking period. For the n-th online checking process d(t) is given as:
534
dðtÞ ¼ MR nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
1 Àe
ÀkT
PC
À Á
; nT
PC
t\ n þ1 ð ÞT
PC
ð15:9Þ
536 536
537 Actually, MR nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
in Eq. (15.9) defines the upper limit of the cor-
538 ridor at time t. Assume a hypothetic systemwith mission reliability of the same value
539
at the upper limit of the corridor at time t, then MR nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
1 Àe
ÀkT
PC
À Á
is
540 the mission reliability after an online checking period T
PC
. The width of the corridor
541 d at time t, d(t) equals the difference between the upper limit of the corridor at time
542 t and the reliability of a systemat time t ? T
PC
. It is evident that the width of corridor
543 varies over time.
MR(t)
Upper boundary of
reliability corridor
Lower boundary of
MR corridor
Threshold: R
O
Perfectly reliable state: R=1
Fig. 15.7 Mission reliability
corridor as a function of
number of iterations
0 5 10 15 20 25 30 35 40
0
0.2
0.4
0.6
0.8
1
MR(t)
Threshold:
Perfectly reliable state:
Upper boundary
of MR corridor
Lower boundary
of MR corridor
Fig. 15.8 Mission reliability
corridor as a function of time
B
&
W
I
N
P
R
I
N
T
B
&
W
I
N
P
R
I
N
T
16 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 16/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
MR(t)
Threshold: R
O
Perfectly reliable state: R=1
Upper boundary of
MR corridor
Lower boundary of
MR corridor
β
T
PC
Fig. 15.9 On-line checking
performance requirement—b
gap
MR(t)
Upper boundary of mission
reliability corridor
Threshold: MR
O
Lower boundary of
reliability corridor
T
PC
Perfectly reliable state: R=1
Fig. 15.10 Mission
reliability with calculation
after the checking period
R(t)
Threshold: MR
O
Perfectly reliable state: R=1
Upper boundary of MR
corridor
Lower boundary of MR
corridor
T
PC
Fig. 15.11 Mission
reliability with checking for
reaching boundary
B
&
W
I
N
P
R
I
N
T
B
&
W
I
N
P
R
I
N
T
B
&
W
I
N
P
R
I
N
T
15 Principle of Active Condition Control: Impact Analysis 17
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 17/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
544 The corresponding corridor of the reliability curve is illustrated in Fig. 15.8.
545 Note that it shrinks with the amplitude of coverage by on-line checking.The width
546 of the reliability corridor in Fig. 15.8 is given as follows:
547
dðtÞ ¼ R nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
1 Àe
ÀkT
PC
À Á
; nT
PC
t\ n þ1 ð ÞT
PC
: ð15:9aÞ
549 549 550 In other words, the upper boundary d
U
(n) and the lower boundary d
L
(n) of the
551 mission reliability corridor in Fig. 15.8 are given respectively as:
552
d
U
ðtÞ ¼ R nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
; nT
PC
t\ n þ1 ð ÞT
PC
ð15:9bÞ
554 554
555
556
d
L
ðtÞ ¼ R nT
PC
ð Þa
tÀnT
PC
ð Þ=T
PC
C
e
ÀkT
PC
; nT
PC
t\ n þ1 ð ÞT
PC
ð15:9cÞ
558 558 559 Clearly, this corridor is much less conservative than introduced by Definition 1.
560 Defining the Frequency of the On-line Checking Process
561 Assumption 1 Online checking process starts at the beginning of each period of
562 use.
563 Figure 15.9 illustrates impact of time required for real time data processing on
564 mission reliability, where the dotted lines are used to indicate each on-line
565 checking period, which in this case is set as 2-time-units long. Because the
566 measurement and analysis of the latest system states can not be completed
567 immediately at the beginning of each on-line checking period, the awareness and
568 confidence about the system are not improved until these data are available, and
569 therefore there is a delay b on the coverage of the mission reliability curve in each
570 online checking period. So b is the time required for data processing, which may
571 vary, and has an upper bound b
max
, i.e., b B b
max
. The worst case should be:
572
b
max
¼ T
PC
ð15:10Þ
574 574 575 The question is, what is the influence of a data processing delay on the
576 definition of the corridor, i.e. the impact of b
max
on d(t), assuming the second
577 definition of a corridor is adopted? When b
max
is taken into account, d(t) should be
578 calculated by:
579
dðtÞ ¼ MR nT
PC
ð Þa
tÀnT
PC
ð Þ=2T
PC
C
1 Àe
À2kT
PC
À Á
; nT
PC
t\ n þ1 ð ÞT
PC
ð15:11Þ
581 581 582 Compared with ‘‘T
PC
’’ in Eq. (15.9), ‘‘2T
PC
’’ in Eq. (15.11) embodies the
583 maximum delay due to online data processing, in the case that b
max
is almost out of
584 synchronization with T
PC
in its period.
18 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 18/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
585 Avoiding R
0
Being Violated in the Corridor When
586 Delay Occurs
587 Implementation of principle of active conditional control requires that mission
588 reliability should not fall below the threshold R
0
even in when b
max
is taken into
589 account. This could be achieved in one of three methods:
590 Method 1. Within each online checking process, when data processing is fin-
591 ished, check whether the mission reliability is below the threshold R
0
. In this case,
592 due to the delay caused by data processing, the threshold could be violated.
593 Figure 15.10 shows that when online checking is carried out at time 30 the mission
594 reliability is above the threshold but then goes below the threshold when the online
595 checking process is finished at time 32.
596 Method 2. In each online checking process, check whether the bottom line of
597 the corridor is below the threshold R
0
, i.e.:
598
MR
I
a
nÀn
AM
ð Þ
C
a
rem t;T
PC
ð Þ
C
ÀdðtÞ R
0
ð15:11bÞ
600 600 where the first term of the relation defines the top of the corridor, and ‘‘rem’’
601 signifies the remainder after dividing t by T
PC
. The result of applying this method
602 is illustrated in Fig. 15.11. The maximum delay, i.e. T
PC
, is taken into account
603 when defining the width of corridor in (Eq. 15.11) so that the mission reliability is
604 always within a corridor even when there is data processing delay. Consequently,
605 the mission reliability in Fig. 15.11 never reaches the lower threshold because
606 maintenance is carried out in time before the bottom of corridor touches the
607 threshold.
608 Method 3. Define a buffer zone, i.e. [MR
0
, R
B
] then in each online checking
609 process, check whether the mission reliability is within the buffer zone, i.e.,
610
MR n þ1 ð ÞT
PC
ð Þ MR
0
þ MR
B
ð15:11cÞ
612 612 613 The result of introducing a buffer zone is illustrated in Fig. 15.12, where the
614 buffer zone is represented as the area between the dashed line and the dot-and-dash
615 line. Due to the delay caused by online data processing there is a possibility that
616 the reliability will ‘enter’ the buffer zone. Once this happens, maintenance must be
617 carried out in order to avoid the reliability going further below the threshold.
618 Maintenance Versus PACC
619 Previous sections show that preventive maintenance with PACC is more efficient
620 than known conditional or preventive maintenance approaches. The quantitative
621 analysis might help to see how much. Comparisons might be performed using time
622 between two successive maintenance sessions, the lifespan of the system under a
623 certain maintenance strategy, and how many times maintenance is carried out
15 Principle of Active Condition Control: Impact Analysis 19
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 19/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
624 during the life time of system. But here we propose an integration of mission
625 reliability over a given time period, i.e. the volume of the area encircled by the
626 mission reliability curve and the reference axes. A main reason for this index is to
627 compare schemes of conditional control and preventive maintenance as introduced
628 above.
629 The integration values of mission reliability under conditional maintenance and
630 preventive maintenance with PACC are calculated by Eqs. (15.12), (15.13)
631 respectively:
632
V
CM
T
1
ð Þ ¼
Z
T
1
0
MR
CM
ðtÞdt; ð15:12Þ
634 634
635
636
V
PM
T
2
ð Þ ¼
Z
T
2
0
MR
PM
ðtÞdt; ð15:13Þ
638 638 where MR
CM
(T) and MR
PM
(T) are given by Eqs. (15.3) and (15.5).
639 Then efficiency of the preventive maintenance with PACC over conditional
640 maintenance can be assessed as:
641
y T
1
; T
2
ð Þ ¼
V
PM
T
2
ð Þ ÀV
CM
T
1
ð Þ
V
CM
T
1
ð Þ
ð15:14Þ
643 643 644 Let us assume T
1
= T
2
. This means we compare the mission reliability of
645 system with preventive maintenance with PACC with the one with conditional
646 maintenance in a same period of time. Figure 15.13 gives an example of such a
647 comparison, where T
1
= T
2
= 40.
648 For Eqs. (15.12) and (15.13): V
CM
(40) = 15.5961, V
PM
(40) = 18.5084 and
649 Y(40) = 0.1867.
MR(t)
Perfectly reliable state: R=1
Upper boundary of MR
corridor
Lower boundary of MR
corridor
T
PC
RO +RB
Buffer zone: MRB
Threshold: MRO
Fig. 15.12 Mission
reliability with checking
within a buffer zone
B
&
W
I
N
P
R
I
N
T
20 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 20/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
650 V
PM
(40) [V
CM
(40) means that in the specified 40 unit time period the system
651 under preventive maintenance with PACC has a higher reliability, in other words,
652 the efficiency of preventive maintenance using PACC is about 20 % better com-
653 pared with conditional maintenance. Accordingly Fig. 15.13 preventive mainte-
654 nance with PACC could increase period between two sequential maintenance
655 sessions, therefore overall cost of maintenance for a vehicle reduces.
656 Let T
1
and T
2
be the lifespan of the system under preventive maintenance with
657 PACC and conditional maintenance, respectively. Then the value of y in
658 Eq. (15.14) can be used to assess how much extra reliability the adoption of
659 preventive maintenance has created relative to a conditional maintenance scheme.
660 Comparison of the left and right boxes of Fig. 15.14 shows that the conditional
661 maintenance system will no longer be able to recover after point 44.6 in time,
662 while under the preventive maintenance with PACC, the critical time is 129.1. One
663 can then easily deduce from Eqs. (15.12) and (15.13) that:
Perfectly reliable state: R=1 Perfectly reliable state: R=1
Threshold: MR
O
MR(t)
Threshold: MR
O
MR(t)
Fig. 15.13 Efficiency of conditional and preventive maintenance with PACC
Perfectly reliable state: R=1 Perfectly reliable state: R=1
Threshold: MR
O
Threshold: MR
O
MR(t)
MR(t)
Fig. 15.14 Comparison of efficiency of conditional and preventative maintenance with PACC
B
&
W
I
N
P
R
I
N
T
B
&
W
I
N
P
R
I
N
T
15 Principle of Active Condition Control: Impact Analysis 21
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 21/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
664
V
CM
44:6 ð Þ ¼ 16:6707; V
PM
129:1 ð Þ ¼ 50:2670
666 666 and
667
V
PM
129:1 ð Þ ÀV
CM
44:6 ð Þ ð Þ=V
CM
44:6 ð Þ ¼ 2:0153
669 669 670 Thus, the efficiency of preventive maintenance is improved by over 200 %
671 compared with conditional maintenance. Figure 15.14 shows the result in a more
672 intuitive way.
673 The indexes defined in Eqs. (15.12), (15.13) and (15.14) can be extended to
674 compare preventative maintenance with the classical reliability function. It is
675 worth to compare them at first within the same time period, as illustrated in
676 Fig. 15.14:
677
V
CRF
40 ð Þ ¼3:3336; V
PM
40 ð Þ ¼ 18:5084; and
V
PM
40 ð Þ À V
CRF
40 ð Þ ð Þ= V
CRF
40 ð Þ ¼ 4:5521
679 679 680 Let us estimate gain in mission reliability for the systems with implemented
681 active conditional control against the standard system for the whole period of
682 functioning. The classical mission reliability function reaches the threshold at the
683 time 5.4 (Figs. 15.15 and 15.16). When preventive maintenance with PACC is
684 applied the mission reliability declines to lower bound much slower—after the
685 time 129.1, and then one has:
686
V
CRF
5:4 ð Þ ¼ 2:6739;
V
PM
129:1 ð Þ ¼ 50:2670 and V
PM
129:1 ð Þ ÀV
CRF
5:4 ð Þ ð Þ=V
CRF
129:1 ð Þ ¼ 17:7991
688 688
689 Figure 15.16 illustrates the significant advantage in mission reliability when
690 preventive maintenance with PACC is applied in comparison with the system
691 described by classic mission reliability.
Perfectly reliable state: R=1
Threshold: MR
O
Threshold: MR
O
MR(t)
Time when MR(t) decreases to MR
O
MR(t)
Fig. 15.15 Comparison of the CLASSIC reliability function and preventative maintenance with
PACC
B
&
W
I
N
P
R
I
N
T
22 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 22/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
692 Conclusions
693
694 • The Principle of Active Conditional Control has been analysed in terms of the
695 mission reliability gain for aircraft maintenance. The Classical, Conditional and
696 Preventative approaches to maintenance have been compared quantitatively.
697 • Principle of Active Conditional Control assumes continuous application of
698 knowledge of aircraft structure and results of flight data aiming to improve
699 safety and mission reliability of aircraft, the quality of maintenance and
700 reducing the cost.
701 • Implementation of this principle enables the monitoring of reliability in real
702 time of aircraft application and offers 20–25 % growth of mission reliability.
703 • Mapping between flight information and aircraft safety or mission reliability, the
704 role and structure of information as well model of aircraft and impact of flight
705 conditions are subject of a special integrated research.
706 • To benefit from proposed approach an aircraft (as well as any other safety
707 critical real-time system) should be designed introducing principle of active
708 conditional control from the conceptual draft of a system, benefitting from
709 knowledge about dependencies between aircraft elements and subsystems.
710 • Aviation is the most complex area for the application of technological advances:
711 complex and long working periods, an extremely wide range of operation
712 conditions, multi-disciplinary skills needed from personnel involved. Therefore
713 the Principle of Active Conditional Control and its implementation must
714 become the subject of future multidimensional research to improve aviation
715 safety and efficiency.
716
717 Acknowledgements Author thanks a reviewer of the paper for comments and detailed
718 arguments this helps to improve paper.
Perfectly reliable state: R=1
Threshold: MR
O Threshold: MR
O
MR(t)
MR(t)
Time when R(t) decreases to MR
O
Fig. 15.16 Classical reliability function versus preventative maintenance
B
&
W
I
N
P
R
I
N
T
15 Principle of Active Condition Control: Impact Analysis 23
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 23/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
719 References
720 1. Annex 1 - ‘‘Description of Work’’, Version 3.1, dd. 12/11/2004, for ONBASS. PF6:
721 ‘‘Integrating and strengthening the Europe-an Research Area, Thematic Priority:
722 Aeronautics and Space, Contract No.: AST4-CT-2004-516045
723 2. Appendix F http://science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/
724 Appendix-F.txt
725 3. A.Birolini, Reliability Engineering, 6
th
Edition, Springer Verlag, 2010.
726 4. CAD 418 Condition Monitored Maintenance: an Explanatory Handbook http://
727 www.cad.gov.hk/english/pdf/CAD418.pdf
728 5. Galie T, Roemer M, Gregory M, J. Kacprzynski J, Byington C, Prognostic Enhancements to
729 Diagnostic Systems for ImprovedCondition-BasedMaintenance 1http://www.dtic.mil/cgi-bin/
730 GetTRDoc?AD=ADA408880&Location=U2&doc=GetTRDoc.pdf
731 6. Huang Gary K, Lin Kuen Y, A Method for Reliability Assessment of Aircraft Structures
732 Subject to Accidental Damage, depts.washington.edu/amtas/publications/presentations/
733 Lin_AIAA_4-05.pdf
734 7. Kingsley-Jones Max, Reliability lessons learned. In-Service Report:A340-500/600 Flight
735 International, 3-9 May 2005 pp34-39
736 8. Middleton D.H. Aircraft Maintenance Management Part 3, Aircraft Engineering and
737 Aerospace Technology, Year: 1993 Volume: 65 Issue: 2 Page: 6 – 9, ISSN: 0002-2667,
738 DOI:10.1108/eb037340, Publisher: MCB UP Ltd
739 9. Part VI - General Operating and Flight Rules Canadian Aviation Regulations 2009-2
740 Standard 625 Appendix B - Maintenance Schedules http://www.tc.gc.ca/civilaviation/
741 regserv/affairs/cars/part6/standards/a625b.htm
742 10. Summerfield J.R A Model for Evaluating Fleet of Transport Aircraft, Logistic Department
743 The RAND Corp 12 Jan 1960 http://www.rand.org/pubs/papers/2009/P1882.pdf
744 11. Schagaev I., Concept of Dynamic Safety for Aviation ISSC 1998, Seattle, USA.
745 12. Schagaev I., Redundancy Classification and Its application for FT Computer System Design
746 IEEE TESADI-01, Arizona, Tucson, October 2001.
747 13. Schagaev I., Reliability of Malfunction Tolerance, Proc. of the International Multi-conference
748 on Computer Science and Information Technology, pp. 733–737, ISBN 978-83-60810-14-9
749 14. http://www.it-acs.co.uk/files/GB2448351B.pdf
750 15. http://www.it-acs.co.uk/files/new_challenges.pdf
751 16. Suh, N., Complexity Theory and Applications, Oxford University Press, 2005
752 17. Lee, T., Axiomatic Design & Complexity Theories: Information Axiom, Lecture 2006 AQ1
24 I. Schagaev and J. N. Carbone
Layout: T1 Standard SC Book ID: 308189_1_En Book ISBN: 978-1-4614-7335-0
Chapter No.: 15 Date: 25-4-2013 Page: 24/24
A
u
t
h
o
r

P
r
o
o
f
U
N
C
O
R
R
E
C
T
E
D
P
R
O
O
F
Author Query Form
Book ID : 308189_1_En
Chapter No.: 15
1 3
the language of science
Please ensure you fill out your response to the queries raised
below and return this form along with your corrections
Dear Author
During the process of typesetting your chapter, the following queries have
arisen. Please check your typeset proof carefully against the queries listed
below and mark the necessary changes either directly on the proof/online
grid or in the ‘Author’s response’ area provided below
Query Refs. Details Required Author’s Response
AQ1 No query.
A
u
t
h
o
r

P
r
o
o
f
MARKED PROOF
Please correct and return this set
Instruction to printer
Leave unchanged under matter to remain
through single character, rule or underline
New matter followed by
or
or
or
or
or
or
or
or
or
and/or
and/or
e.g.
e.g.
under character
over character
new character
new characters
through all characters to be deleted
through letter or
through characters
under matter to be changed
under matter to be changed
under matter to be changed
under matter to be changed
under matter to be changed
Encircle matter to be changed
(As above)
(As above)
(As above)
(As above)
(As above)
(As above)
(As above)
(As above)
linking characters
through character or
where required
between characters or
words affected
through character or
where required
or
indicated in the margin
Delete
Substitute character or
substitute part of one or
more word(s)
Change to italics
Change to capitals
Change to small capitals
Change to bold type
Change to bold italic
Change to lower case
Change italic to upright type
Change bold to non-bold type
Insert ‘superior’ character
Insert ‘inferior’ character
Insert full stop
Insert comma
Insert single quotation marks
Insert double quotation marks
Insert hyphen
Start new paragraph
No new paragraph
Transpose
Close up
Insert or substitute space
between characters or words
Reduce space between
characters or words
Insert in text the matter
Textual mark Marginal mark
Please use the proof correction marks shown below for all alterations and corrections. If you
in dark ink and are made well within the page margins.
wish to return your proof by fax you should ensure that all amendments are written clearly