Advanced Reliability Modeling: Proceedings of the 2004 Asian International Workshop (AIWARM 2004), Hiroshima, Japan, 26 - 27 August 2004

Advanced Reliability Modeling

This page intentionally left blank

Proceeding sof the 2004Asina International Wrokshop (AIWARM 2004)

Advanced Reliability Modeling 26 - 27 August 2004

Hiroshima, Japan

edited by

Tadashi Dohi H iroshirna University, Japan

Won Young Yun Pusan National University, Korea

N E W JERSEY

-

LONDON

-

r pWorld Scientific SINGAPORE

-

BEIJING.

SHANGHAI

-

H O N G KONG

- TAIPEI

* CHENNAI

Published by

World Scientific Publishing Co. Re. Ltd. 5 Toh Tuck Link, Singapore 596224 USA ofice: 27 Warren Street, Suite 401402, Hackensack, NJ 07601

UK ofice: 57 Shelton Street, Covent Garden, London WC2H 9HE

British Library Cataloguing-in-PublicationData A catalogue record for this book is available from the British Library.

ADVANCED RELIABILITY MODELING Proceedings of the 2004 Asian International Workshop (AIWARM 2004)

Copyright 0 2004 by World Scientific Publishing Co. Re. Ltd. All rights reserved. This book, or parts thereoJ may not be reproduced in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system now known or to be invented, without written permission from the Publisher.

For photocopying of material in this volume, please pay a copying fee through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, M A 01923, USA. In this case permission to photocopy is not required from the publisher.

ISBN 981-238-871-0

Printed in Singapore by World Scientific Printers ( S ) Pte Ltd

Preface

Computers control many artificial systems in use today. Even in a highly information oriented society, system failure causes of significant problems. To prevent accidents due to system failure, which are caused by uncertain events, the systems must be evaluated sufficiently from various points of view such as reliability, performance, safety and so on. Of these, system reliability is considered the most important factor, and the reliability modeling approach plays a central role in protecting our safe social life. The Asian International Workshop on Advanced Reliability Modeling (AIWARM) is a symposium for the dissemination of state-of-the-art research and practice in reliability engineering and related issues in the Asian area. The aim of the workshop is to bring together researchers, scientists and practitioners from Asian countries to discuss the state of research and practice when dealing with reliability issues at the system design (modeling) level, and to jointly formulate an agenda for future research in this emerging area. The theme of AIWARM 2004, held in Hiroshima, Japan, August 26-27, 2004, is the Advancement of Reliability Modeling in the Asian Area. This book contains 78 rigorously refereed articles presented at AIWARM 2004. These articles cover the key topics in reliability, maintainability and safety engineering and provide an in-depth representation of theory and practice in these areas. The contributions are arranged in alphabetical order based on the surname of the first author. We believe the articles of this book will introduce readers to significant and up-to-date theory and practice in reliability modeling. This book should also be of interest and importance to the practitioners such as system designers and engineers, as well as to researchers such as applied mathematicians, statisticians, and graduate students interested in reliability, maintainability and safety engineering.

V

vi

AIWARM 2004 is sponsored by Hiroshima Shudo University, Japan, the Chugoku-Shikoku Branch of The Operations Research Society of Japan, the Electric Technology Research Foundation of Chugoku, Japan, and the Trouble Analysis and Reliability Research Center (PNU), Korea. This workshop is held in cooperation with the IEEE Hiroshima Chapter, Japan, the IEEE Reliability Society Japan Chapter, Japan, the IEICE Technical Group on Reliability, Japan, The Operations Research Society of Japan, The Korean Reliability Society, Korea, and the Structural Safety and Reliability Project Research Center of Hiroshima University, Japan. We, the editors, would like to express our sincere appreciation to the Program Committee members and to the Local Organizing Committee members as well as to all the contributors to this book. Especially, we are indebted to Honorary General Chair, Professor Naoto Kaio, Hiroshima Shudo University, Japan, Program Co-Chairs, Professor Mitsuhiro Kimura, Hosei University, Japan, and Professor Min Xie, National University of Singapore, Singapore. Our special thanks are due to Professor Hiroyuki Okamura and Dr. Koichiro Rinsaka, Hiroshima University, Japan, for their continual support. Finally, we would like to thank Chelsea Chin, World Scientific Publishing Co., Singapore, for her warm and patient help.

Tadashi Dohi, Hiroshima University, Japan W o n Young Yun, Pusan National University, Korea Editors 63 General Co-Chairs of A I W A R M 2004

Contents

Preface T. Dohi and W. Y. Yun

V

Genetic Search for Redundancy Optimization in Complex Systems M. Agarwal and R. Gupta

1

Upper and Lower Bounds for 3-dimensional &wit hin-consecutive- (r1,ra,r3)-out-of- (nl,n2 ,n3):F System T. Akiba and H. Yamamoto

9

How Can We Estimate Software Reliability with a Continuous-state Software Reliability Model? T. Ando and T. Dohi

17

A Study on Reliable Multicast Applying Convolutional Codes over Finite Field M. Arai, S. Fukumoto and K. Iwasaki

25

Reliability Design of Industrial Plants using Petri Nets M. Bertolini, M . Bevilacqua and G. Mason

33

Optimal Burn-in Procedures in a Generalized Environment J . H. Cha and J. M i

41

Performing the Soft-error Rate (SER) on a TDBI Chamber V . Chang and W. T. K. Chien

49

vii

viii

Enhancement of Reliability and Economy of a Thermal Power Generating System Through Prediction of Plant Efficiency Parameters A . Chatterjee, S. Chatterjee and I. Mukhopadhyay Optimal Burn-in Time for General Repairable Products Sold Under Warranties Y. H. Chien and S. H. Sheu Determining Optimal Warranty Periods from the Seller’s Perspective and Optimal Out-of-warranty Replacement Age from the Buyer’s Perspective Y. H. Chien, S. H. Sheu and J. A . Chen Warranty and Imperfect Repairs S. Chukova and Y. Hayakawa Acceptance Sampling Plans Based on Failure-censored Step-stress Accelerated Tests for Weibull Distributions S. W. Chung, Y. S. Seo and W. Y. Yun Availability for a Repairable System with Finite Repairs L. Cui and J. Li A New Approach for the Fuzzy Reliability Analysis in Case of Discrete Fuzzy Variable Y. Dong, Z. Ni and C. Wang Fuzzy Reliability Analysis of Complex Mechanical System Y . Dong, Z. Ni and C. Wang

57

65

73

81

89

97

101

109

Optimal Release Problem Based on the Number of Debuggings with Software Safety Model T. Fujiyoshi, K. Tokuno and S. Yamada

117

Operating Environment Based Maintenance and Spare Parts Planning: A Case Study B. Ghodrati and U. Kumar

125

ix

Discrete-time Spare Ordering Policy with Lead Time and Discounting B. C. Giri, T. Dohi and N . Kaio

133

SNEM: A New Approach t o Evaluate Terminal Pair Reliability of Communication Networks N . K. Goyal, R. B. Misra and S. K . Chaturvedi

141

Robust Design for Quality-reliability via Fuzzy Probability H. Guo

149

Interval-valued Fuzzy Set Modelling of System Reliability

157

R. Guo Fuzzy Set-valued Statistical Inferences on a System Operating Data R. Guo and E. Love

165

A Software Reliability Allocation Model Based on Cost-controlling C. Huang, R. Z. X u and L . P. Zhang

173

Reliability of a Server System with Access Restriction M. Imaizumi, M. Kimura and K . Yasui

181

Continuous-state Software Reliability Growth Modeling with Testing-effort and Its Goodness-of-fit S. Inoue and S. Yamada

189

Analysis of Discrete-time Software Cost Model Based on NPV Approach K. Iwamoto, T. Dohi and N . Kaio

197

Reducing Degradation Testing Time with Tightened Critical Value J. S. Jang, S. J. Jang, B. H. Park and H. K . Lam

205

An Optimal Policy for Partially Observable Markov Decision Processes with Non-independent Monitors L. Jan, T. Mashita and K. Suzuki

213

X

Mathematical Estimation Models for Hardware and Software Fault Tolerant System P. Jirakittayakorn, N. Wattanapongsakorn and D. Coit Analysis of Warranty Claim Data: A Literature Review M. R. Karim and K. Suzuki

22 1

229

Simulated Annealing Algorithm for Redundancy Optimization with Multiple Component Choices H. G. Kim, C. 0. Bae and S. Y. Park

237

Estimation of Failure Intensity and Maintenance Effects with Explanatory Variables J. W. Kim, W. Y. Yun and S. C. Han

245

Economic Impacts of Guard Banding on Designing Inspection Procedures Y. J . Kim and M. S. Cha

253

The System Reliability Optimization Problems by using an Improved Surrogate Constraint Method S. Kimura, R. J. W. James, J. Ohnishi and Y . Nakagawa

261

Efficient Computation of Marginal Reliability Importance in a Network System with k-terminal Reliability T. Koide, S. Shinmori and H. Ishii

269

Reliability and Risk Evaluation of Large Systems K. Kolowrocki

277

An Optimal Policy to Minimize Expected Tardiness Cost Due to Waiting Time in the Queue J . Koyanagi and H. Kawai

285

Reliability of a k-out-of-n System with Repair by a Service Station Attending a Queue with Postponed Work A. Krishnamoorthy, V. C. Narayanan and T. G. Deepak

293

xi

Reliability Evaluation of a Flow Network with Multiple-capacity Link-states S. M. Lee, C. H. Lee and D. H. Park

301

A Random Shock Model for a Continuously Deteriorating System K . E. Lam, J . S. Baek and E. Y. Lee

309

Improvement in Bias and MSE of Weibull Parameter Estimators from Right-censored Large Samples by Using Two Kinds of Quantities C. Liu and S. Abe

317

Software System Reliability Design Considering Hybrid Fault Tolerant Software Architectures D. Methanavyn and N . Wattanapongsakorn

325

Software Reliability Prediction using Neural Networks with Linear Activation Function R. B . Misra and P. V. Sasatte

333

Block Burn-in with Minimal Repair M. H. Nu, S. Lee and Y. N . Son

341

Five Further Studies for Reliability Models T. Nakagawa

347

Note on an Inspection Density T. Nakagawa and N . Kaio

363

An Improved Intrusion-detection Model by Profiling Correlated Access Data H. Okamura, T. Fukuda and T. Doha

371

Dependence of Computer Virus Prevalance on Network Structure - Stochastic Modeling Approach H. Okamura, H. Kobayashi and T. Dohi

379

xii

Optimal Inspection Policies with an Equality Constraint Based on t h e Variational Calculus T. Ozaki, T. Dohi and N . Kaio

387

Optimal Imperfect Preventive Maintenance Policies for a Shock Model C. H. Qaan, K. Ito and T. Nalcagawa

395

Determination of Optimal Warranty Period in a Software Development Project K. Rinsaka and T. Doha

403

Optimal Inspection-warranty Policy for Weight-quality Based on Stackelberg Game -Fraction Defective and Warranty Cost H. Sandoh and T. Koide An Automatic Defect Detection for C++ Programs S. Sarala and S. Valli

411

419

Approximation Method for Probability Distribution Functions by Coxian Distribution Y. Sasalci, H. Imai, I. Ishii and M. Tsunoyama

427

Tumor Treatment Efficacy by Fractionated Irradiation with Genetic Radiotherapy T. Satow and H. Kawai

435

Computation Technology for Safety and Risk Assessment of Gas Pipeline Systems V. Seleznev and V. Aleshin

443

Joint Determination of the Imperfect Maintenance and Imperfect Production t o Lot-Sizing Problem S. H. Sheu, J. A . Chen and Y.H. Chien

45 1

Optimum Policies with Imperfect Maintenance S. H. Sheu, Y.B. Lin and G. L. Liao

459

xiii

Optimal Schedule for Periodic Imperfect Preventive Maintenance S. W. Shin, D. K. Kim and J. H. Lam

467

Reliability Analysis of Warm Standby Redundant Structures with Monitoring System S. W. Shin, J. H. Lim and D. H. Park

475

User Reception Analysis in Human Reliability Analysis K. W. M. Siu

483

Evaluation of Partial Safety Factors for Establishing Acceptable Flaws for Brittle Piping A . Srividya, R. Rastogi and M. J. Sakhardande

49 1

Automatic Pattern Classification Reliability of the Digitized Mammographic Breast Density T. Sumimoto, S. Goto and Y. Azuma

499

X-ray Image Analysis of Defects at BGA for Manufacturing System Reliability T. Sumimoto, T. Maruyama, Y . Azuma, S. Goto, M. Mondou, N . Furukawa and S. Okada

507

Analysis of Marginal Count Failure Data with Discarding Information Based on LFP Model K. Suzuki and L. Wang

515

On a Markovian Deteriorating System with Uncertain Repair and Replacement N . Tamura

523

Software Reliability Modeling for Integration Testing in Distributed Development Environment Y. Tamura, S. Yamada and M. Kimura

531

Performance Evaluation for Multi-task Processing System with Software Availability Model K. Tokuno and S. Yamada

539

xiv

Quality Engineering Analysis for Human Factors Affecting Software Reliability in the Design Review Process with Classification of Detected Faults K . Tomitaka, S. Yamada and R. Matsuda

547

Construction of Possibility Distributions for Reliability Analysis Based on Possibility Theory X. Tong, H. Z. Huang and M. J. Zuo

555

A Sequential Design for Binary Lifetime Testing on Weibull Distribution with Unknown Scale Parameter W. Yamamoto, K . Suzuki and H. Yasuda

563

The Generally Weighted Moving Average Control Chart for Detecting Small Shifts in the Process Median L. Yang and S. H. Sheu

569

Safety-integrity Level Model for Safety-related Systems in Dynamic Demand State I. Yoshimura, Y. Sato and K . Suyama

577

Warranty Strategy Accounts for Products with Bathtub Failure Rate S. L. Yu and S. H. Sheu

585

Calculating Exact Top Event Probability of a Fault Tree T. Yuge, K . Tagami and S. Yanagi

593

A Periodic Maintenance of Connected-(r,s)-out-of-(m,n):F System with Failure Dependence W. Y. Yun, C. H. Jeong, G. R. K i m and H. Yamamoto

60 1

Estimating Parameters of Failure Model for Repairable Systems with Different Maintenance Effects W. Y. Yun, K . K . Lee, S. H. Cho and K . H. N a m

609

xv

Reliability and Modeling of Systems Integrated with Firmware and Hardware T. Zhang, M. Xie, L. C. Tang and S. H. Ng

617

Author Index

625

This page intentionally left blank

GENETIC SEARCH FOR REDUNDANCY OPTIMIZATION IN COMPLEX SYSTEMS

MANJU AGARWAL AND RASHIKA GUPTA Department of Operational Research, University of Delhi Delhi-110007, INDIA E-mail: manju-agarwalQyahoo.com Genetic Algorithms (GA’s) have been recently used in combinatorial optimization approaches to reliable design, mainly for series-parallel systems. This paper presents a GA for parallel redundancy optimization problem in complex systems. For highly constrained problems, infeasible solutions may take a relatively big portion of the population and in such cases feasible solutions may be difficult to find. For handling constraints penalty strategies are very effective as a certain amount of infeasible solutions are kept in each generation, so that, genetic search is enforced towards an optimal solution from sides of, both, feasible and infeasible regions. In this paper an adaptive penalty strategy is proposed, which makes use of feedback obtained during the search along with a dynamic distance metric and helps the algorithm to search efficiently for final, optimal or nearly optimal solution. Some numerical examples illustrate the effectiveness of the proposed algorithm.

1. Introduction

Redundancy allocation problem is a nonlinear integer-programming problem and has been thoroughly studied and discussed in the literature with both enumerativebased methods and heuristic-based methods. This type of problem is of combinatorial nature and NP-hard. In recent works major focus is on the development of heuristic and metaheuristic algorithms for redundancy allocation problems for system reliability improvement. Genetic Algorithms (GA’s), one of the metaheuristic techniques, seek to imitate the biological phenomenon of evolutionary production through parent-children relationship and can be understood as the intelligent exploitation of a random search. This technique was initially developed by Holland [6]. The references [4, 51 provide a good description of GA’s. GA’s have been applied in combinatorial optimization techniques and designed to solve a variety of reliability optimization problems. While the papers [l,8, 12, 14, 161 have applied GA mainly to series-parallel and parallel-series systems, [2, 3, 7, 101 have applied GA to find a reliable network design. This paper focuses on solving highly constrained redundancy optimization problems in complex systems with genetic search using an adaptive penalty function approach. The effectiveness of the adaptive penalty approach developed in this re1

2

search is demonstrated on complex system structures from literature with linear as well as nonlinear constraints. 2. Notations n m

k xi x xf xu 1% u,,

Number of subsystems Number of constraints Number of constraints violated Redundancy at subsystem i

(x1,x2,...x,) Best feasible solution yet obtained Best infeasible solution yet obtained Lower limit of subsystem i Upper limit of subsystem i

Resource j consumed Resource j available S j ( X ) - bj Subsystem i reliability System reliability a t x System reliability at x f System reliability a t xu Penalized system reliability a t x

3. Statement of the Problem

The problem of finding optimal redundancy levels ( X I , x2, . . .x,) for maximizing system reliability subject to constraints can be described as follows:

Maximize : R s ( x ) subject t o : gj(x) 5 b j , j = 1 , 2 , . . . m.

xi 2. 1, integers , i = 1,2;..n.

(1) It is assumed that, the system and all its subsystems are s-coherent, all component states are mutually s-independent, and system reliability R s ( x ) is known in terms of Ri(xi). 4. Adaptive Penalty Function

GA’s perform a multiple directional search by maintaining a population of potential solutions. The central problem of applying GA’s to the constrained optimization is how t o handle constraints. For handling constraints, penalty function method has found great application in the field of GA’s [4,151 since it keeps a certain amount of infeasible solutions in each generation so that genetic search is enforced towards an optimal solution from sides of, both, feasible and infeasible regions. Penalty functions can be classified as: - Static, Dynamic and Adaptive. The reference [13] has given a good comparison of six penalty function strategies applied to continuous optimization problems in GA’s. However, there are no general guidelines on designing penalty functions since constructing an efficient penalty function is quite problem-dependent . The adaptive penalty function used to solve the redundancy allocation problem is presented in (2) below

3 The function Rp(z) learns to adapt itself based on the severity of the constraints and the system reliability of a particular problem instance. The metric

(k- calculates the ratio of the number of constraints violated to the total number \

,

evaluationsum

of constraints. The distance metric defined as j=1

of the ratios of magnitude of constraint violation to the resource available incorporating the dynamic aspect, and increases the severity of the penalty for a given distance as the search progresses, where X is a positive constant, taken as 0.03, 1- R s ( x ) takes and g is the generation number. The adaptive term exp

(R,(z")

-

Rfbf)

)

care of the maximum possible improvement in the current solution with respect to the difference between the system reliabilities of the best infeasible and feasible solutions yet obtained. The sensitivity of the adaptive penalty is studied for different values of K as 0.5, 1.0, 2.0, 3.0, and 4.0. When &(xu) 5 R f ( z f )then penalty is not imposed on the infeasible solutions. Moreover, the impact of the adaptive penalty is such that the infeasible solutions giving less reliability are penalized more and so the search is made on the promising infeasible solutions. 5. Genetic Algorithm

The major steps involved in GA are: 1) Chromosome representation; 2) Generation of initial population ; 3) Evaluation of fitness of chromosomes; 4) Selection of parent chromosomes for crossover; 5 ) Generation of offsprings by the crossover operation; 6) Mutation operation on chromosome; 7 ) Selection of best chromosome from the population for the next generation according to the fitness values. Steps 4) to 7 ) are repeated until termination criteria is met. A. Chromosome Representation We use integer value encoding which is more efficient for combinatorial problems and each possible solution or encoding is a vector representation x = ( ~ 1 ~ x. .2.,zn). B. Initial Population A fixed number of chromosomes are randomly generated to form an initial population. C. Fitness The penalized objective function value is taken to be the fitness value of the chromosome. D. Genetic Operators i Crossover: - The crossover rate, p,, is taken as 0.4 for all the system structures computed. The population is arranged from the fittest chromosome to the least fit chromosome and a random number p is generated from interval [0, 11 for each of the population member. A chromosome is selected as a parent only if p 5 p,. One-cut-point crossover method is used to mate the parents and cut position is

4

generated randomly from the interval [l,n ] . ii Mutation: - The mutation rate, p,, is taken as 0.3. Random number p is generated for each gene from interval [0, 11. If p 5 p , then the gene is randomly flipped to another gene from the corresponding set of alternatives.

E. Selection All the population members and the children produced after the genetic operations are arranged in descending order of fitness and the p o p ulation size chromosomes are selected for the next generation. 6. Test Problems and Results

The test problems studied are 5 unit (Bridge Structure), 7, 10 and 15 unit complex structures with linear constraints (Kim and Yum [9]) and a 4-stage series system with non-linear constraints (Kuo et al. [ l l ] , pp. 69-70). The objective is to maximize the reliability of the system subject to various constraints. In total 9 sets of problems with different combinations of constraints are studied. While for test problems of size 4, 5, 7 and 10, population size is taken to be 15 and number of generations 1000, for 15-unit structure population size and number of generations are taken as 50 and 1500, respectively. Ten GA trials for each system are then made for different values of K = 0.5, 1.0, 2.0, 3.0, 4.0. To carry the sensitivity analysis of the adaptive penalty function with respect to 6,we compute for each value the best feasible solution and average reliability obtained in 10 GA trials. Also, the standard deviation and percent coefficient of variation of the average reliabilities obtained for each generation in 10 GA trials are computed. The value of K giving the average reliability with least coefficient of variation is taken to be the best value of n for that particular problem. 6.1. 5, 7, 10 and 15 Unit Structures with Linear Constraints for Different Combinations of Problem Parameters

The problem is as defined in (1) with linear constraints gj(z) = b j , j = 1,2;..m and is varied for n = 5, m = l (Bridge Structure). n = 7, m= 1, 5, bj = ‘small’, ‘large’. n = 10, m= 1, 5. n = 15, m= 1.

Figure 1.

7 Unit Structure

Cy=lcji(zi) 5

5

Figure 2.

10 Unit Structure

Figure 3.

15 Unit Structure

This results in 8 sets of test problems. For each set 10 GA runs are performed for each of the 5 values of K and variation in the average reliability is studied. Data for the structures is generated randomIy as described below [9]: Component cost cji = random uniform deviate from ( 0 , loo), Component rel. in subsystem i, ~i = random uniform deviate from (0.6, 0.85), b j = wj Cy=lcji , where wj = random uniform deviate from (1.5, 2.5) for ‘small’ b j and from (2.5, 3.5) for ‘large’ b j . To have an idea of the computations, Table 1 contains results obtained for 7 x 5 ‘large’ b j , 10 x 5 and 15 x 1 structures. It tabulates the best feasible solution and average reliability obtained in 10 GA trials. Also the standard deviation and percent coefficient of variation of the average reliabilities for each generation in 10 GA trials are given. The ideal value of K for each test problem is highlighted.

table1 ComparisonTablefor710and15UnitStructures4

15x1

0.5 1.o 2.0 3.0

0.912058 0.914283 0.891940 0.909330

0.854986901 0.828742878 0.862362945 0.873000625

0.028445537 0.047884535 0.019145562 0.025273055

3.32701442 5.77797243 2.22015387 2.89496413

4.0

0.913974

0.877274465

0.009701171

1.10583079

6

I Figure 4. Comparison of Average Reliabilities for each Generation in 10 Trials Corresponding to Different Values of K. for 10x5 Structure

For 10 x 5 structure Figure 4 graphically refiects the variation in average reliability obtained in 10 GA trials per generation and hence the effect of the penalty function on the solution quality and speed of evolution convergence. During computations it is observed that in comparison to K = 4.0 when the convergence is more from the infeasible region side resulting in less variation and high average reliability, K = 0.5 and 1.0 impose more penalty causing larger variation in average reliability which improves only gradually from the feasible region side. 6.2. ,$-Stage Series System with Non-Linear Constraints This system is the one presented in [ 111, and is a special case for allocation of discrete component reliabilities and redundancy model. Table 2 shows the variation in the average reliability for different values of K . Table 2.

Comparison Table for 4-Stage Series System

6.3. Comparison of G A with Heuristic

Further t o test how good is our GA, all the test problems are solved by Kim and Yum 191 heuristic algorithm (KYA), which perhaps seems to be the best heuristic

7 proposed in the literature. In KYA the search is made not only in the feasible region but also into the bounded infeasible region making an excursion, which eventually returns to feasible region with possibly improved solution. Table 3 shows the optimal/ nearly optimal solutions obtained by KYA and proposed GA. By KYA each test problem is solved for 10 randomly generated initial solutions and the best is selected to be the optimal/ nearly optimal solution. It can be noticed that for two systems, 7x1 ‘small’ bj and 7x5 ‘small’ b j , GA gives better solution than KYA.

table3.ComparisonofoptionalSolutionsObtsained

4x3 Non-linear constraints

GA KYA GA

(2,3,3,4,3,3,1,1,1,2,1,1,1,1,1) (3,3,5,3) (3,3,5,3)

0.914283 0.944447 0.944447

792

7 . Conclusion The results of GA have been very encouraging. It is a promising optimization method for solving redundancy allocation problems for complex systems, although computing time is more as compared to the other heuristics proposed in the literature. The search towards an optimal solution is enforced form sides of, both, feasible and infeasible regions and, is much superior t o the strategy of allowing only feasible solutions. The infeasibility of the solutions is handled by a dynamic-adaptive distance based penalty function, which helps the search to proceed efficiently for final optimal /nearly optimal solution. The effectiveness of the adaptive penalty function is studied and shown graphically on the solution quality as well as the speed of evolution convergence for several highly constrained problems. The investigations show that this approach can be powerful and robust for problems with large search space, even of size and difficult-to-satisfy constraints.

8

References 1. D. W. Coit, A. E. Smith and D. M. Tate, “Adaptive Penalty Methods for Genetic Optimization of Constrained Combinatorial Problems.” INFORMS Journal of Computing, vol. 8, pp. 173-182, (1996). 2. D. L. Deeter and A. E. Smith, “Heuristic Optimization of Network Design Considering All Terminal Reliability”, I n N . J. Mcafee (editor) Proceedings Annual Reliability and Maintainability Symposium, Philadelphia, PA, 13-16 Jan 1997, pp. 194-199, (1997). 3. B. Dengiz, F. Altiparmak and A.E. Smith, “Local Search Genetic Algorithm for Optimal Design-of Reliable Networks”, IEEE Trans. on Evolutionary Computation, vol. 1, pp. 179-188, (1997). 4. M. Gen and R. Cheng, Genetic Algorithms and Engineering Design, John Wiley and Sons, Inc., New York, (1997). 5. D. E. Goldberg, Genetic Algorithms in Search, Optimization and Machine Learning, Reading MA: Addison-Wesley, (1989). 6. J. Holland, Adaptation in Natural and Artificial Systems, University of Michigan Press, (1975). 7. Y. C. Hsieh, T. C. Chen and D. L. Bricker, “Genetic Algorithms for Reliability Design Problems”, Technical Report, Dept. of Industrial Engineering, University of Iowa, (1997). 8. K. Ida, M. Gen and T. Yokta, “System Relaibility Optimization of Series-Parallel Systems Using a Genetic Algorithm”, IEEE Runs. on Reliability, vol. 45, pp. 254-260, ( 1996). 9. J. H. Kim and B. J. Yum, “A Heuristic Method for Solving Redundancy Optimization Problems in Complex Systems”, IEEE Tmns. on Reliability, vol. 42, no.4, pp. 572-578, (1993). 10. ‘A. Kumar, R. M. Pathak and Y. P. Gupta, “Genetic-Algorithm-Based Reliability Optimization for Computer Network Expansion”, IEEE Trans. on Reliability, vol. 44, pp. 63-72, (1995). 11. W. Kuo, V. R. Prasad, F. A. Tillman and Ching-Lai Hwang, Optimal Reliability Design - Fundamentals and Applications, Cambridge University Press, (2001). 12. S. R. V. Majety and J. Rajgopal, “Dynamic Penalty Function for Evolutionary Algorithms with an Application t o Reliability Allocation”, Technical Report, Dept. of Industrial Engineering, University of Pittsburgh, Pittsburgh, PA, (1997). 13. Z. Michalewicz, “Genetic Algorithms, Numerical Optimization, and Constraints”, Proceedings of Sixth International Conference on Genetic Algorithms, pp. 151-158, (1995). 14. L. Painton and J. Campbell, “Genetic Algorithms in Optimization of System Reliability”,IEEE Tmns. on Reliability, vol. 44, pp. 172-178, (1995). 15. A. E. Smith and D. W. Coit, Handbook of Evolutionary Computation, Section C 5.2, “Penalty Functions”, Joint Publication of Oxford University Press and Institute of Physics Publishing, (1995). 16. T. Yokta, M. Gen and K. Ida, “System Reliability of Optimization Problems with Several Failure Modes by Genetic Algorithm”, Japanese Journal of Fuzzy Theory and Systems, ~01.7,no.1, pp. 117-135, (1995).

UPPER AND LOWER BOUNDS FOR 3-DIMENSIONAL R-WITHINI Z ~n3):F , SYSTEM CONSECUTIVE-(rl, r2, Q)-OUT-OF-(IZ~, TOMOAKI AKIBA' Deparhent of Information Management Engineering, Yamagata College of Industty & Technology, 2-2-1 Matsuei, Yamagata, Yamagata, 990-2473, Japan HISASHI YAMAMOTO Deparhent of Production Information System, Tokyo Metropolitan Institute of Technology, 6-6 Asahigaoka, Hino, Tokyo, 191-0065, Japan As a 2dimensional k-within-consecutive-r-out-of-n:Fsystem, for example, there are connected-(r, s)-out-of-(m, n):F lattice system and 2dimensional k-within-consecutive-(r, s)-out-of-(in, n):F system. For these systems, the calculation method for reliability and, upper and lower bounds, have been studied by many researchers. Furthermore, several reports have been proposed for the reliability of more multi-dimensional systems. In this study, we consider 3dimensional k-within-consecutive-r-out-of-n:F system, called the 3dimensional k-within-consecutive-(rl, r2, r3)-out-of-(nI, n2, n3):F system. This system consists of nlxn2xn3 components, which are arranged like a ( n , , n2, n3) rectangular solid. This system fails if and only if there is an (r,,r?, r3) rectangular solid in which k or more components fails. In this system, although an enumeration method could be used for evaluating the exact system reliability of very small-sized systems, that method needs much computing time when applied to larger systems. Therefore, developing upper and lower bounds is useful for evaluating the reliability of large systems, in a reasonable time.

1

Introduction

The consecutive-k-out-of-n:F systems have been extensively studied since the early 1980s. This type of system can be regarded as a one-dimensional reliability model and can be extended to two- or three- or d-dimensional versions ( d z 2). The purpose of this paper is to review the studies of multi-dimensional consecutive-k-out-of-n:F systems. There are a few papers about 3-dimensional systems, whose reliability is equal to the probability that a radiologist might not detect their presence of a disease (Salvia and Lasher[ I]), as described in section 1. We have not yet obtained the efficient algorithm for system reliabilities for the complexity of these systems. For the first time, Psillakis and Makri[7] analyzed 3-dimensional linear consecutive-k-out-of-r-from-n:F systems by a simulation method. Boushaba and Ghoraq41 proposed upper and lower bounds and a limit theorem for this system, based on Koutras, Papadopoulos and Papastavridis[S]. Godbole, Potter and Sklar[2] proposed upper bound for the reliability of a d-

Corresponding author, Presenter 9

10

Y

a

: component works

#l : component fails

Figure 1: Example of failure of 3-dimensiona.l k-withincomecutive(rl, r2, q)-out-of-(n,, n2, n3):F system and component axis

dimensional linear consecutive-k-out-of-n:F system. For a 3-dimensional kwithin-consecutive-(rl, r2, r3)-out-of-(n1, 122, n3):F system (denoted as k/(rl, r2, r3) /(nl, n2, n3):F system throughout this paper), which is a three-dimensional version of 2-dimensional rectangular k-within-consecutive-(r, s)-out-of-(m, n):F system. In this study, we consider 3-dimensional k-within-consecutive-r-out-of-n:F system, called the k/(rl, r2, ~3)/(nl,122, n3):F system. In this system, although an enumeration method could be used for evaluating the exact system reliability of very small-sized systems, that method needs much computing time when applied to larger systems. Therefore, developing upper and lower bounds is useful for evaluating the reliability of large systems, in a reasonable time. 2

M(r1, rz, r3) /@I, nz, n3):F system

2.1. Definition of the system

k/(rl, r2, r3)/(n1, n2, n3):F system consists of nlxn2xn3 components, which are arranged like a (nl, n2, n3) rectangular solid. This system fails if and only if there is a (rl, r2, r3) rectangular solid in which k or more components fails as shown in Figure 1. In this study, we denote, by component (h, i , j ) , the component located on h-th point in the nl axis, i-th point in the n2 axis and j-th point in the n3 axis, with reliabilityphiiand failure probability qhij = 1 - p h i i , for h = 1, 2, ..., nl, i = 1, 2 , ..., 112 and j = 1 , 2,..., n3, as shown in Figure 1.

11

Salvia and Lasherr 13 etc. gave the following examples to illustrate where such multi-dimensional models may be used, the presence of a disease is diagnosed by reading an X-ray. Let p be the probability that an individual cell (or other small portion of the X-ray) is healthy. Unless diseased cells are aggregated into a sufficiently large pattern (say a k x k square), the radiologist might not detect their presence. In medical diagnostics, it may be more appropriate to consider a three-dimensional grid in order to calculate the detection probability of patterns in a three-dimensional space. The other example, k/(rl,r2, y3)/(nl, n2, n3):F system can be applied to the mathematical model of a three-dimensional flash memory cell failure model. 2.2.

Theorem In this section, we propose upper and lower bounds for the reliability of a

kl(rl, r2, r3)/(nl, n2, n3):F system in this section. For this, we introduce some notations. First, we define some sets of components in the system for h = 1 , 2,. . ., nl, i = 1,2 ,..., n 2 , j = 1 , 2,..., n3, CA(h, i , j ) : set of all components in a solid with components ( 1 , 1 , l ) , (nl, 1 , l ) , (1, n2, 11, ( n l , n2, I), (1, 1 , j ) , ( n ~1,j), , ( n ~i-l,j), , ( A , i , j h ( 1 , i , j h (1, n2,j-1) and (nl,n2,j-1) as its apices, CSl(h, i , j ) : set of all components in a ( r l , r2, r3) rectangular solid as a part of CA(h, i , j ) with components ( h , i , j ) as its upper right deep apex, CS2(h, i , j ) : set of all components in a (71, r2) matrix as a part of CSl(h, i, j ) with components (h-rl+l, i-r2+1,j), (h, i-r2+1,j), (h-rI+l, i , j ) and ( h , i, j ) as its apices, CS3(h,i , j ) : set of all components in a ( r , ,r3) matrix as a part of CSl(h, i , j ) with components (h-rl+l, i,j-r3+l), (h, i,j-r3+1), (h-rI+l, i , j ) and (h, i, j ) as its apices, CS4(h,i , j ) : set of all components in a (r2, r3) matrix as a part of CSl(h, i , j ) with components (h, i-r2+1,j-r3+l), (h, i,j-r3+l), (h, i-r2+1,j) and (h, i, j ) as its apices, CC(h,i , j ) : set of all components in a solid as a part of CA(h, i, j ) with components (h-2rl+2, i, j ) , (h-rl, i, j ) , (h-r~,i-r2, j ) , (h+l, i-r-2, j ) , (h+l, i-1, j ) , (h+l, i, j - l ) , (h+rI-l, i, j - l ) , (h+rl-l, i, j-r3+1), (h-2rl+2, i, j-r3+l), (h-2r1+2, i-r2+2, j-r3+1), (h+rl-l, i-r2+2, j-r3+1), (h-2r1+2, i-r2+2,j) and (h+r~-l,i-r2+2, j ) as its apices, CGl(h, i , j ) : set of all components in a (rl-1, r2-1, r3-l) rectangular solid as a part of CSI(h,i , j ) with components (h-1, i-1,j-1) as its upper right deep apex, CG2(h, i , j ) : set of all components in a ( ~ 2 - 1 , r3-1) matrix as a part of CSl(h, i , j ) with components (h, i-1, j - l ) , (h, i-r2+1, j - l ) , (h, i-r2+1, j-r3+l) and (h, i-l,j-r3+l) as its apices,

12

CG3(h, i , j ) : set of all components in a ( ~ ~ - 1r3-l) , matrix as a part of CSl(h, i, j ) with components (A-1, i, j-l), (h-rl+l, i, j-l), (h-rl+l, i, j-r3+1) and (A-1, i,j-r3+l) as its apices, CGd(h, i , j ) : set of all components in a (rl-l, r2-1) matrix as a part of CSl(h, i , j ) with components (h-1, i-1, j ) , (h-rl+l, i-1, j ) , (h-r,+l, i-r2+l, j ) and (A-1, i-rZ+l,j) as its apices, CGs(h, i , j ) : set of r2-1 components as a part of CSl(h, i , j ) with components (h, i-1 ,j ) , (h, i-2,j),. ..,(A, i-r2+1 ,j), CG6(h, i , j ) : set of r3-1 components as a part of CSl(h,i, j ) with components (h, i, j - 1), (h, i, j-2), ..., (h, i, j-r3+ 1), CG7(h,i,j) : set of rl-1 components as a part of CSl(h, i, j ) with components (A-1, i , j ) , (h-2, i , j ),..., (h-rI+l, i,j). For the simple expression of theorems and equations, the virtual components should be stated: component (h, i, j ) with component reliability 1 , for ( h , i, j ) E { ( h , ~ ) ~ l ~ ~ ~ ~ ~ ~ lFurthemore, s ~ s n we ~ ~ denote l ~ some events, which occur on the above sets. For h = 1,2,...,nl, i = 1,2,...,n2 and j = 1,2)...)n3, s, : event that “k or more components fail in CS,(h, i, j),, and “at least one it

component fails in CS2(h,i,j),, and “at least one component fails in C&(h, i, j),, and “at least one component fails in CS4(h,i,j),,. For h = r l , rl+l,..., nl, i = r2, r2+1,..., n2 an d j = r3, ?-+I,.. ., n3, Glu : event that all components function in CC(h, i , j ) , Ghi, : the whole event for h = r,, i = r2 , j = r3; the event that less than k components fail in C G , ( h , i , j ) n CG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j) for h z q , i = q , j = q , the event that less than k components fail in CG, ( h, i, j) n CG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j) for h = q , i * q , j = r 3 , the event that less than k components fail in C G , ( h , i , j ) n CG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j) for h = q , i = % , j * q , the event that less than k components fail in CG,(h,i,j)fl CG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j) for h = q , i z r , , j z q , the event that “less than k components fail in C G , ( h , i , j ) n CG,(h,i,j)U CG,(h,i,j)U CG5(h,i,j),,and “less than k components fail in CG, (h,i,j) fl CG,(h,i,j) U CG,(h,i,j) U CG,(h,i,j),, for h = 5 , i z r2 , j z 5 , the event that “less than k components fail in C G , ( h , i , j ) n CG,(h,i,j)U CG,(h,i,j)U CG,(h,i,j),,and “less than k components fail in CG,(h,i,j)nCG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j),,for h # q , i=r,, j z q , the event that “less than k components fail in C G , ( h , i , j ) n CG,(h,i,j) UCG,(h,i,j)UCG,(h,i,j),, and “less than k components fail in CG, (h,i,j ) r l CG3(h,i,j)U CG,(h,i,j) U CG,(h,i,j),, for h + q , i * r2 , j = q ,

13

the event that “less than k components fail in CG,(h,i,j ) n CG,(h,i, j ) U CG4(h,i,j ) U CG5(h,i,j),,and “less than k components fail in CG,(h,i,j)nCG,(h,i,j)UCG,(h,i,j)UCG,(h,i,j),, and “less than k components fail in CG, (h,i,j)nCG3(h,i,j)U CG4(h,i,j)U C G 7 ( h , i , j ) , , for h * q , i # r 2 , j * r 3 , E,,] : event that “k or more components fail in CSl(h, i, j),, and “event G h , ] occurs,,. By using the above notations, our proposed upper and lower bounds for the reliability of a k/(rl, r2, r3)/(nl,122, n3):F system for non-i.i.d. case are given in Theorem 1.

Theorem 1: Upper bound UB and lower bound LB for the reliability of a k/(rl, r2, r3)/(n,,n2, n3):F system are given as follows. ~~

h-l

r-l

j-l

Theorem 1 can be proven with the similar manner to Yamamoto and Akiba[3]. In the i.i.d. cases, Corollary 1 gives the upper and lower bounds with no description of s h u , Ghij and ‘ h i j . For integers 11,12, we define 0

(3)

otherwise.

Corollary 1: Letp be a component reliability. (1) Lower bound LB, is given as

where

u(v - l)(w - 1) +(

t

)+((

( 2 ) Upper bound UBpis given as

u - l)v(w - 1)

t

)+((

u - l)(v - 1)w t

)

14

k ( r 3 - 1) r(r2 - I>r3 (r[- 1)r2r3 #G(h,i,j ) =. rlr2r3- rI ' 1 r2r3

- '2

rl r2r3

- '3

rlr,r3- 1

and

(h=rl,i=r2,j#r3), ( h = r, ,i * r,, j = r3), (h#rl,i=r,,j=r3), ( h = r,,i * r,, j + r3), (h*rl,i=r2,j*r3), (h#rl,i#r2,j=r3),

(8)

otherwise,

is given as followsFor

And N E ( i ; h , i , j )is given as follows. N , (t;h,i,j ) = N , (t;h,i,j ) + N , ( t - 1;h,i,j ) .

(11)

Excepttherangeof obtainedsimilarly

In addition, the upper and lower bounds for the reliability of a system can be calculated by using the reliability of a small 3-dimensional system(for example, k / ( r l , r2, r3)/(r1,122, n3):F system) in the same idea as Akiba, Yamamoto and Saitou[6].

15

Table 1 : Upper and lower bounds for the reliability ofW(rl, r2, r3)/(n,,n2, n3):F system nl

n 2

n ,

rI

r ?

r l

k

p

i

UB

Upper and Lowr bounds LB difference

10

10

10

2

2

2

2

0.99000i

0.435143

0.359604

0.075539

10

10

10

2

2

2

2

0.99500;

0.791924

0.772025

0.019899

10 10

10 10

10

2 2

2 2

2 2

2 3

0.99900; 0.95000;

0.989817

0.989604

0.328108

0.030590

0.00021 3 0.2975 18

10

10

10

10

2

2

2

3

0.97000;

0.667639

0.446764

0.220875

10

10

10

2

2

2

3

0.99000;

0.974983

0.968562

0.00642 1

50

50

50

2

2

2

2

0.99900;

0.219270

0.2 1 1320

0.007950

50

50

50

2

2

2

2

0.99950;

0.680828

0.677669

0.003 159

50

50

50

2

2

2

2

0.99990;

0.984578

0.984541

0.000037

50

50

50

2

2

2

3

0.99500;

0.571939

0.527560

0.044379

50

50

50

2

2

2

3

0.99700;

0.879611

0.870148

0.009463

50

50

50

2

2

2

3

0.99900;

0.994963

0.994826

0.000137

100 100 100

2

2

2

2

0.99980;

0.602586

0.601092

0.001494

100 100 100 100 100 100 100 100 100

2 2 2

2 2 2

2 2 2

2 2 3

0.99990; 0.99999; 0.99500;

0.880757 0.998728

0.880483 0.998728

0.000274 0.000000

0.010209

0.005 199

0.005010

100 100 100

2

2

2

3

0.99700f

0.348706

0.318570

0.030 136

100 100 100 100 100 100

2

2

2

3

0.99900i

0.959341

0.958235

0.001 106

2

2

2

3

0.999103

0.970102

0.969367

0.000735

2.3. Evaluation

In Table 1, we shows the results of numerical experiments in i i d . cases. We calculated the upper and lower bounds for the reliabilities of a k/(rI,r2, ?-3)/(n1, 122, n3):F system. We calculated upper and lower bounds for the following systems with the identical component reliability. For the system sizes, each of nl, n2 and 123 takes the values of 10, 50 and 100. As the sizes of the rectangular solid which leads to system failure each of YI, r2 and ~3 takes the value of 2. As the numbers of failure components which leads to system failure, k = 2, 3 . From Table 1, we found the following within the range of our experiments, the difference between lower bound LB and upper bound UB becomes small when component reliabilities are close to one.

3

Conclusion

In this study, we propose the upper and lower bounds for reliabilities of a 3dimensional k-within-consecutive-(r,, r2, r3)-out-of-(n n2, n3):F system. As results, we found the following within the range of our experiments, the

16

difference between ow proposed lower bound LB and upper bound UB becomes small when a system is large and component reliabilities are close to one.

References A. A. Salvia and W. C. Lasher, 2-dimensional consecutive-k-out-of-n:F models, IEEE Transactions on Reliability, 39, 382-385 (1990). A. P. Godbole, L. K. Potter and J. K. Sklar, Improved upper bounds for the reliability of d-dimensional consecutive-k-out-of-n:F systems, Naval Research Logistics, 45, 2 19-230 (1998). H. Yamamoto and T. Akiba, Evaluating methods for the reliability of a large 2dimensional rectangular k-within-consecutive-(r, s)-out-of-(m, n):F system(submitted) M. Boushaba and N. Ghoraf, A 3-dimensional consecutive-k-out-n: F models, International Journal of Reliability, Quality and Safety Engineering, 9 , 193-198 (2002). M. V. Koutras, G. K. Papadopoulos and S. G. Papastavridis, Reliability of 2dimensional consecutive-k-out-of-n:F systems, IEEE Transactions on Reliability, 42, 658-661 (1993). T. Akiba, H. Yamamoto and W. Saitou, Upper and lower bounds for reliability of 2dimensional-k-within-consecutive-(r, s)-out-of-(m, n):F system, Reliability Engineering Association of Japan, 22, 99- 106 (2000). (in Japanese) Z. M. Psillakis and F. S. Makri, A simulation approach of a d-dimensional consecutive-k-out-of-r-from-n:F system, Proceedings of the Third TASTED International Conference of Reliability, Quality Control and Risk Assessment, 14-19 (1994).

HOW CAN WE ESTIMATE SOFTWARE RELIABILITY WITH A CONTINUOUS-STATE SOFTWARE RELIABILITY MODEL ?*

T. A N D 0 AND T. DOH1 Department of Information Engineering, Hiroshima University 1-4-1 Kagamiyama, Higashi-Hiroshima 739-8527, Japan E-mail: [email protected]

During t h e last three decades the stochastic counting (discrete-state) process models like non-homogeneous Poisson processes have described the software reliability growth phenomenon observed in t h e testing phase, and gained t h e popularity to explain the software debugging process. O n the other hand, the continuous-state process models based on the Brownian motion processes have a n advantage in terms of the goodness-offit test based on the information criteria, like AIC and BIC. T h e most critical point for the continuous-state process models is t h a t t h e software reliability can not b e well defined in their modeling framework. T h e purpose of this paper is t o answer the titled question, t h a t is, we propose two methods t o define quantitatively the software reliability and the MTBSF (mean time between software faults) for a continuous-state software reliability model.

1. Introduction Since reliable computer systems strongly depend on the reliability of both hardware and software systems, the reliability assessment of software systems is quite important. To assess the software reliability in the testing phase before release, the stochastic models called the software reliability models (SRMs) have been developed during the last three decades. Among them, the stochastic counting (discrete-state) process models like non-homogeneous Poisson processes (NHPPs) can describe the software reliability growth phenomenon observed in the testing phase, and gain the popularity to explain the software debugging process. Goel and Okumoto and Yamada et al. propose the seminal N H P P models with the exponential and the S-shaped mean value curves. The main reason that a huge number of N H P P models have been developed in the literature is due to the simple structure of NHPPs, that is, the N H P P is one of the most simple marked point processes with timedependent mean value. As a remarkable property, it is known that the N H P P is a specific stochastic counting process with the same variance as the mean value function. *This work is supported by the grant 15651076 (2003-2005) of Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Exploratory Research.

17

18 The equivalence between mean and variance for the data generated from a stochastic counting process can be statistically tested. Ando et al. apply some hypothesis testing methods of NHPPs in Cox and Lewis [a] to the real software fault-detection time data, and empirically conclude that the NHPP is not always suitable to represent the software debugging phenomenon. Also, they develop the Markov diffusion processes with mean reversion and use them instead of the typical NHPP models 3 , '. The continuous-state SRM is first introduced by Yamada et al. '. More precisely, they model the dynamic behavior of the number of remaining faults in the software debugging phase by a multi-plicative linear stochastic differential equation, say, the geometric Brownian motion. This model is extended by and Yamada et al. by introducing the time-dependence strucKimura et al. ture in the infinitesimal mean. As shown by Ando et ak. and Yamada et al. ', the continuous-state SRMs have an advantage in terms of the goodness-of-fit test based on the information criteria, like AIC (Akaike information criterion) and BIC (Bayesian information criterion). The most critical point for the continuous-state process models is that the software reliability can not be well defined in their modeling framework. In fact, all the literature mentioned above fail to discuss the software reliability as a probability that the software will operate as required for a specified time in a specified environment. For continuous-state SRMs, strictly speaking, the software reliability can not be defined consistently, because the state representing the number of detected faults can take real (non-integer) values and can decrease with positive probability. Neverthless, the continuous-state SRMs have attractive characteristics in terms of the goodness-of-fit test. This point would resemble the applicability of any time series analysis technique to predict the number of remaining faults in the software. To this end, the continuous-state SRMs poorly explain the software debugging processes, but can provide the better prediction performance than the existing NHPP models. In.this paper, we propose two methods to define quantitatively the software reliability and the MTBSF (mean time between software faults) for a continuousstate software reliability model. Applying some results on the first passage problem for the geometric Brownian motion process; we define the software reliability and the MTBFS in the reasonable way. 2. Non-homogeneous Poisson Process Models Let X ( t ) be a stochastic process and denote the number of software faults detected up to time t. The stochastic process X ( t ) is said the NHPP if the probability mass function is given by

where A(t) = E [ X ( t ) ]is the mean value function and E denotes the mathematical expectation operator. Goel and Okumoto assume that the expected number of software faults detected per unit time is proportional to the expected number of

19 remaining faults. ‘That is, letting X(t> be the intensity function of the NHPP, it is assumed that X(t) = dh(t) - b{a - A(t)),

dt

where a (> 0) and b (> 0) are the expected initial number of software faults and the fault detection rate per unit time, respectively. Solving the above ordinary differential equation with the initial condition A(0) = 0 yields

~ ( t=)a ( 1 - exp{-bt)).

(3)

Yamada et al. take account of the delay effect between the fault detection phase and the fault isolation phase, and develop the delayed S-shaped SRM with the mean value function:

~ ( t=)a ( 1 - (1+ bt)exp{-bt)).

(4)

In this way, by making the deterministic debugging scenario on the mean value function, we can develop many kinds of NHPP-based SRMs. As the authors point out in the literature [I], the hypothesis that the software debugging process can be described by an NHPP is rather questionable, because the NHPP is a simple but a specific stochastic counting process with the same variance as the mean value function. 3. Continuous-State Software Reliability Model

Yamada et al. propose a continuous SRM from the different point of view. Given the constant (not mean) initial fault contents a0 (> 0), they assume that the number of remaining software faults at time t , S ( t ) = a0 - X ( t ) , is described by

d S ( t ) - -bS(t), dt

--

S(0) = ao.

(5)

In actual cases, the progress of the testing procedures is influenced by various uncertain factors. If the fault detection rate b is irregularly influenced by random factors such as the testing effort expenditures, the skill of test personnel and the testing tools, it can be also regarded as a stochastic process depending on time. Hence, it is assumed that Eq.(5) is extended as the stochastic differential equation:

+

{(t))S(t) dt with a time-dependent noise ( ( t )that exhibits an irregular fluctuation. Yamada et al. make its solution a Markov process and regard the noise factor as { ( t )= r y ( t ) , where u (> 0) is a scale parameter (constant) representing a magnitude of the irregular fluctuation and { r ( t )t, 2 0 } is a standardized Gaussian white noise. Substituting { ( t )= q ( t ) into Eq.(6), we obtain the following stochastic differd S-( t ) - - ( b

ential equation of It6 type:

dS(t)= - ( b

U2

-

-)S(t)dt 2

+ uS(t)dB(t),

(7)

20 where { B ( t ) t, 2 0} is a one-dimentional Wiener (standard Brownian motion) process. The Wiener process is a Gaussian process with the following properties: (i) Pr{B(O) = 0) = 1, (ii) E[B(t)]= 0; (iii) E[B(t)B(t’)] = min(t,t’). By the use of the well-known ItB’s formula (see [ 5 ] ) ,it is straightforward to solve the stochastic differential equation in Eq.(7) with the initial condition S ( 0 ) = a0 as follows.

S ( t ) = uoexp{-bt

-

uB(t)}.

(8)

This stochastic process is called the geometric Brownian motion process or the lognormal process, and is often used to describe the stock price dynamics in financial engineering ’. From the Gaussian property for B ( t ) , the transition probability distribution function of the process S ( t ) is given by the lognormal distribution:

where

a(.) denotes the standard

normal distribution function:

From Eq.(9) and the property of Brownian motion process, the number of software faults experienced by time t is given by X ( t ) = a0

-

S ( t ) = uo(1- exp{-bt

+ aB(t)}),

X(0) = 0

(11)

with

provided that b > a2/2. Then, the mean and the variance of X ( t ) are easily derived by E[X(t)] = a0 (1 - exp{

-

(b

-

“2) t } )

+

respectively. 4. Software Reliability Measures The software reliability is defined as the probability that the software will operate as required ( i e . , without fail) for a specified time in a specified environment. For non-decreasing stochastic counting processes like NHPPs, the software reliability can be defined by R ( t ) = Pr{X(t) = 0 I X ( 0 ) = 0). On the other hand, strictly speaking, it is impossible for continuous-state models to define the software reliability consistently. In this section, we approximately give two definitions of the software reliability for continuous-state SRMs as follows.

21 (1) Definition Z: R l ( t ) = Pr{X(t) < 1 I X ( 0 ) = O } = Pr{S(t) > a0 - 1 I S ( 0 ) =

ao), (2) Definition 2: & ( t ) = Pr{supo,,5tX(T) X(0) = 01,

< 1 I X ( 0 ) = 0)

=

Pr{Tl < t

I

where

Tj = inf{t 2 0 : X ( t ) 2 j

1 X ( 0 ) = 0)

(15)

is the first passage time of the stochastic processes X ( t ) to the arbitrary level j (< ao). Since Definition 1 indicates that the reliability function is approximated by the survivor function, it is seen immediately that

For Definition 2; on the other hand, we have to solve the first passage problem on the geometric Brownian motion process. From the strong Markov property of the geometric Brownian motion process, we can derive the following renewal-type equation:

where f(.) and ator, i.e.

'*' are the density function of Ti and the Stieltjes convolution operA * B(t)=

Jo'

A(t - z ) d B ( Z )

for two continuous functions A ( t ) and B ( t ) with positive support, respectively. By taking the Laplace transform in the both sides of Eq.(17), we have

Next, we consider the MTBSF (mean time between software faults). In order to avoid any trouble on the definition of MTBSF, Yamada et al. 6 , apply unusual measures called instantaneous MTBSF and cumulative MTBSF. Let A X @ )be the increment of cumulative number of software faults detected during the time interval [t,t At]. Since the fault-detection time per fault is approximately given by A t / A X ( t ) ,taking the limitation yields At dt 1 lim At+o AX(t) dX(t) dX(t)/dt'

+

~

~

which is called the instantaneous TBSF and means the instantaneous time interval when a software fault is detected at time t . Then the MTBSF is defined as

[

MTBSF, ( t ) = E d X ( i ) / d t ]'

22 Unfortunately, since it is difficult to take the expectation of Eq.(22), the MTBSF is further approximated by MTBSFi(t)

1 M

= {u(b-

g)exp{-(b-

g)t}}-'.

(22)

E[dX( t )/dtI

Similar to the instantaneous MTBSF, if t / X ( t )is regarded as the fault-detection time by time t , then the cumulative MTBSF is defined by

From the same reason of analytical treatment as the instantaneous MTBSF; we obtain the approximate formula: MTBSF,(t)

t

-- t{ao(l -exp{-(bE[X(t)l

;)t})}-'.

(24)

If the underlying stochastic process X(t) is a renewal process which includes the homogeneous Poisson process, the above two definitions are appropriate to represent the mean values of fault-detection time interval and its cumulative value. The main reason to apply such unusual measures is that the probability distribution of fault-detection time interval for the NHPP with bounded mean value function is improper, i.e. there exists a mass part of the distribution at infinity and the corresponding mean value diverges. Fortunately, it is easy for the continuous-state SRM in Eq.(ll) to obtain both measures based on Definition 2. More precisely, the mean time between j-th software faults and ( j 1)-th one is defined without approximation by

+

MTBSF,(j) = E[T,] =

( j = 1 , 2 , . . . , uo - 1)

(25)

from Eq.(19). Also the arithmetric mean of MTBSF to the j-th detected faults is regarded as a counterpart of the cumulative MTBSF, and is given by MTBSF,(j) = MTBSFi ( k ) / j .

xi=,

5. Numerical Illustrations

We compare the software reliability measures using the real software fault data observed in actual testing process. Two dada sets; DS-#l (109) and DS-#2 (317) are used, where the number in the brackets denotes the number of software faultdetection time data measured as CPU time. For instance, in DS-#l, we estimate the model parameters using 109 fault-detection time data and estimate MTBSFi(t), MTBSF,(t) at CPU time t = 49171 (80% point of total data), and MTBSFi(j), MTBSF,(j) for j (= 110, 111, 123, 136,137)-th detected fault. Figure 1 illustrates the befavior of software reliability as a function of testing time, where NHPP (Exp) and NHPP (S-shape) denote the exponential NHPP and the delayed S-shaped NHPP SRMs, respectively. For continuous-state SRM, we apply the usual maximum

23

DS#I

DS-#2

Figure 1. Behavior of estimated software reliability iunctions.

likelihood method and estimate a0 = 139.27 (667.56), b = 3.10 x (1.62 x lop5) and 0 = 1.84 x (6.08 x lop4) with DS-#l (DS-#2). On the other hand, we for the exponential have a = 118.32 (330.79) and b = 5.17 x l o p 5 (7.97 x NHPP and a = 110.56 (318.89) and b = 1.27 x 10V4 (1.82 x for the delayed S-shaped NHPP with DS-#I (DS-#a). From these figures, the software reliability is underestimated for both definitions when the continuous-state SRM is assumed. For DS-#l (DS-#2), we calculate the AIC and the BIC as AIC = 446.77 (1269.12) and BIC = 454.76 (1280.37) for the continuous-state SRM. In the cases of the exponential NHPP and the delayed Sshaped NHPP SRMs, we have AIC = 1503.79 (3489.30), B I C = 1509.18 (3496.82) and AIC = 1590.28 (3551.74), BIC = 1595.67 (3559.26) with DS-#I (DS-#2), respectively. This result implies that the reliability function based on the continuousstate SRM is more reliable, because both information criteria are considered as approximate forms of a distance between the real and the supposed probability distributions. As is expected intuitively, Definition 2 is more optimistic than Definition 1, and is plausible from its physical meaning. Figure 2 plots MTBSFs, where 'real' means the actual fault-detection time interval data, and the cumulative MTBSF is calculated as the moving average From the figures, it is seen that the instantaneous MTBFS of MTBSF,(j). (MTBSF,(t) in Eq.(22) in the initial phase overestimates but approaches to the real MTBFS (MTBSF,(j) in Eq.(25)) as the testing time goes on. On the other hand, the cumulative MTBSF (MTBSF,(j)) behaves similar to the approximate one (MTBSF,(t) in Eq.(24)) in the wide range. Table 1 presents the comparison results between MTBSF,(t) (MTBSF,(t)) and MTBSF,(j) (MTBSF,(j)). Comparing MTBSF,(t) with MTBSF,(j) for arbitrary j , the former underestimates (overestimates) the MTBSF for smaller (larger) j . Also, if we apply the cumulative MTBSF in Eq.(24), it tends to be underestimate the actual cumulative MTBSF.

24 MTBSF

I

m S F

,wo - MTBSFi(t) ' MTBSFc(t)

- MTBSF4)

0

DS-#I

50

IW

IS0

Figure 2.

2M)

250

DS#2

Faults

3W

No Faults

Behavior of estimated MTBSFs

Table 1. Comparison of MTBSFs. DS

- #1

DS

(109)

MTBSFi(t = 49171)

3356.69

MTBSF,(t = 49171) MTBSF,(j = 10) MTBSF,(j = 11)

691.04

MTBSF,(j = 23) MTBSF,(j = 136) MTBSFi(j = 137) MTBSF,(j = 137)

1119.59 1159.89 2042.05 11692.50 18535.60 3523.37

-

#2 (317)

MTBSF,(t = 39862) MTBSF,(t = 39862) MTBSF,(j = 318) MTBSF,(j = 319)

534.88

MTBSF,(j = 357) MTBSF,(j = 396)

201.03

MTBSF,(j = 397) MTBF,(j = 397)

229.37

197.95 177.38 177.89 228.52 200.88

References 1. T. Ando, T. Dohi and H. Okamura, Continuous software reliability models: their validation, effectiveness and limitation, under submission. 2. D. R. Cox and P. A. Lewis, Statistical Analysis of Series of Events, Methuen, London, 1966. 3. A . Goel and K. Okumoto, Time-dependent error-detection rate model for software reliability and other performance measures, IEEE Trans. Reliab., R-28, pp. 206-211, 1979. 4. M. Kimura and S. Yamada, Software reliability management technique and their tool, In Handbook of Reliability Engineering (H. Pham, Ed.), Chapter 15, pp. 265-284, Springer-Verlag, London, 2003. 5. B. Oksendal, Stochastic Differential Equations, Springer-Verlag, Berlin, 1992. 6. S. Yamada, M. Ohba and S. Osaki, S-shaped reliability growth modeling for software error detection, IEEE Trans. Reliab., R-32, pp. 475-478, 1983 7. S. Yamada, M. Kimura, H. Tanaka, and S. Osaki, Software reliability measurement and assessment with stochastic differential equations, IEICE Trans. Fundamentals (A), E77-A, pp. 109-116, 1994. 8. S. Yamada, A. Nishigaki, and M. Kimura, A stochastic differential equation model for software reliability assessment and its goodness-of-fit, Int 'I J . Reliab. Applic., 4, pp. 1-11, 2003.

A STUDY ON RELIABLE MULTICAST APPLYING CONVOLUTIONAL CODES OVER FINITE FIELD

M. ARAI, S. F U K U M O T O , AND K. IWASAKI Graduate School of Engineering, Tokyo Metropolitan University 1-2 Minami-osawa, Hachioji, Tokyo 192-0397, Japan E-mail: { arai, fukumoto, iwasaki} @eei.metro-u.ac.jp We apply (n,k,m) convolutional codes in which elements in generator matrices are the ones over a finite field to Hybrid ARQ combining with retransmission mechanisms, and evaluate the number of transmitted packets and the number of transmissions. We assume star topology and independent model for a transmission model, and compare two retransmission strategies: (1) one which has been applied with Reed-Solomon code, and (2) one which choose transmitted packets considering the constraint length m. We use m ) and (6,3, m ) convolutional codes to observe the efcomputer simulation for (14,7, fects of four parameters, that is the number of receivers, constraint length m, packet loss probability, and redundancy at initial transmission P F , to the number of transmissions and transmitted packets. Simulation results showed that the number of transmitted packets can be reduced by the retransmission mechanism which consider m. Also, a P F which minimize number of transmitted packets exists for given packet loss probability, number of receivers, and constraint length.

1. Introduction

Packet loss recovery is one of the important techniques to improve reliability of the communications over the Internet [l-31. While automatic repeat request (ARQ) scheme have widely applied to the Internet, many studies have also been done for forward error correction (FEC) and Hybrid ARQ, that combines the concepts of ARQ and FEC [4,5]. In the Hybrid ARQ, a receiver tries to recover lost information packets using received redundant packets at first. When some packets are not recovered, the receiver requests a sender to retransmit information or redundant packets. Reliable multicast is expected as one of the most attractive area to apply Hybrid ARQ [5-71. By applying Hybrid ARQ t o reliable multicast, it is possible t o reduce the numbers of transmitted packets, supressing state explosion according to increased number of receivers [7]. Many researches have focused on the application of ( n ,k) Reed-Solomon (RS) codes as FEC. The scheme in which logical hierarchy is introduced t o the receivers has also been investigated, that aims to reduce the total number of transmitted packets by local recovery and retransmission [8,9]. We have proposed a Hybrid ARQ scheme that combines ( n ,n - 1,m) convolutional codes with retransmission of redundant packets [lo]. In ref. [lo],we applied 25

26 the convolutional codes whose generator matrices consist of elements 0 and 1, resulting in large number of retransmitted packets. On the other hand, we have also proposed an FEC scheme that applies ( n ,k , m ) convolutional codes in which elements of generator matrices are the ones over finite fields [ll]. This scheme can easily arrange such generator matrices that can recover k lost packets by randomlychosen k redundant packets, as same as the RS codes. It also shows higher recoverability of packets than RS codes under the same values of n and k , when packet loss probability is low. Therefore, by applying it to reliable multicast communications combining with appropriate retransmission schemes, the number of transmission and transmitted packebs is expected to be further reduced. In this paper we apply ( n ,k , m ) convolutional codes over a finite field to reliable multicast, and evaluate the number of transmission and transmitted packets. We assume star topology with independent packet loss model, and investigate two retransmission strategies, We use computer simulations to estimate the number of transmissions and packets for (14,7,m ) and ( 6 , 3 ,m ) convolutional codes, under the given parameters such as constraint length m, packet loss probability, the number of receivers, and proactivity factor that indicates the redundancy on the initial transmission. 2. Packet loss recovery using ( n ,k , m ) convolutional codes and transmission model

2.1. Packet loss recovery using ( n ,Ic, m) convolutional codes Here we briefly explain packet loss recovery using (n,k , m) convolutional codes. Encoding and decoding strategies are described in detail in refs. [10,11]. The sequence of information packets that a sender generates is divided into groups each of which consists of k packets. Let u, = [UQ u , , ~. . . u,,k] denote the i-th group, where u , , ~is an information packet. For each group u,, a code group W, = [w,,~ U,J . . . u,,,] that consists of n packets, that is, k information and ( n - k ) redundant packets, is generated as:

where g ( D ) is the k by k matrix, and each element in g ( D ) is a polynomial of delay operator D for the degree of at most m. For example, a polynomial gp'(D) can be expressed as:

where m is a parameter called constraint length. Generation of the code group is performed in parallel for each q bits in the packets. That is, regarding coefficients and each q bits in the packets as elements over the finite field GF(2'?),every q bits in a redundant packet is generated from Eq.(l). In this paper q is set to 8.

gki

27 The sender transmits a part of or all of the packets in the generated code groups. We assume that the received packets at the receivers contain no bit-errors, and that the receivers can locate the positions of the lost packets. Then, Eq. (1) also holds at the receivers, while lost packets are regarded as unknown values. Eq. (1) contains ( n - k ) equations. Thus, when L code groups v1, . . . , v~ are transmitted continuously, L . ( n- k ) equations holds. Receivers tries to recover lost packets by solving these simultaneous equations. 2.2. nansmission model Figure 1 shows the assumed transmission model. We apply star topology [5-61. There are R receivers, and communication links between the sender and receivers is independent from each other. We also assume that each packet transmitted from the sender might be lost independently on the link by fixed packet loss probability P [5,7-91. 3. receive and recover

1. generate nL packets L

2 send LkPF packets redundant packets

A

2 \

U 5

\ \

\

4 notice elR

A

3. receive and recover

Figure 1. Transmission model.

The sender is going to transmit k L information packets. While the sender generates n L packets by using convolutional codes, k L information packets and a part of L . ( n - k ) redundant packets are sent at the initial transmission. We introduce a parameter called proactivity factor, that is noted as P F , to determine which redundant packets are sent. P F is the redundancy at the initial transmission, that is, the ratio of the number of initially transmitted packets to the number of information packets [S]. Receiver T (1 5 T 5 R ) tries to recover lost information packets by using received information and redundant packets. If one or more packets cannot be recovered, the receiver notifies the number of unrecovered information packets in i-th code group,

28 ei,r (1 5 i 5 L ) , to the sender, requesting retransmission. According to the applied retransmission strategies described in the following section, the sender determines which packets are retransmitted, and it transmits the same set of packets to every receivers. Request and retransmission are repeated until all receivers receive or recover all information packets. 3. Retransmission strategy We deal with two retransmission strategies. Retransmission strategy 1 is similar to the one that have been applied to RS-code-based Hybrid ARQ [5,6]. Retransmission strategy 2 chooses transmitted packets in consideration of the constraint length m that is the parameter for convolutional codes.

3.1. Retransmission strategy 1 Algorithm for selecting transmitted packet using Retransmission strategy is as follows, where c, is the number of redundant packets already transmitted in the code group v, and ez,r is the number of information packets that the receiver T cannot receive or recover. (1) set i to 1. (2) calculate E, as the maximum of ez,r among 1 5 T 5 R. (3) if (c, E,) 5 ( n - k ) , transmit E, redundant packets in v, and increase c, by E,. (4) if ( c , E,) > ( n - k ) , transmit k . PF packets u , , ~.,. . , u,,k p . ~and set c, to k . ( P F - l ) , similarly to the initial transmission. ( 5 ) increase i by 1, and repeat above 2 to 4 until i > L.

+

+

3.2. Retransmission strategy 2 The selection algorithm for this strategy is as follows, where ci is a counter that memorizes the number of redundant packets which are going to be sent in v,. (1) set T = 1, i = 1, and c> = 0 (1 5 j 5 L ) . (2) if ez,r > 0, decrease ei,T by ci, ldots, c’,+,. (3) if e,,r i 0, check whether j exists that satisfies 0 5 j 5 m and ( c ~ +c:+~) +~ 5 ( n - k). if j exists, one redundant packet that is not sent yet is marked as the one going to be sent, increase c ; + ~by one, decrease ez,r by one, and repeats 3. (4) if ez,r > 0 and above j is not exists, transmit k.PF packets w i , ~ ., . . , u i , k . p ~ , set ci to k c o t ( P F - l), and reset c: to c,. ( 5 ) repeat above 2 to 4 for all code groups, that is 1 5 i 5 L. (6) reset i to 1, and repeat above 2 to 5 for all receivers, that is 1 5 r 5 R. ( 7 ) send the packets that is going to be sent, and update ci according to the sent packets.

29 Figure 2 shows an example of retransmitted packets using Retransmission strategies 1 and 2 with (6, 3, 1) convolutional code, R = 3, P F = 413, and L = 4. A rectangle with cross at receivers means a packet which is not recovered. At the sender, packets drawn with solid line are sent at the initial transmission, and the ones with dotted line are not sent. Packets with bold line is chosen to be sent by Retransmission strategy 1, and the ones as the ones painted gray is for Retransmission strategy 2. receiver 1

sender

Figure 2.

Example of packets transmitted at a retransmission

For the three unrecovered packets in the center code group, that is, v 3 , of receiver 1, Retransmission strategy 2 sends three redundant packets in 2r3 and v4. Thus, the number of retransmitted packets becomes 5 , reduced in comparison with Retransmission strategy 1 that needs to send 7 packets. 4. Evaluation of number of transmissions and packets We used computer simulation to evaluate two retransmission strategies. Evaluation measure was average number of transmissions and forward bandwidth required for all receivers to receive or recover all information packets, which are obtained from 1000 trials. The forward bandwidth was calculated as the ratio of total number of transmitted information and redundant packets divided by k L , the number of information packets. Figures 3 shows the measurement results for the number of transmissions and forward bandwidth under the condition that p = 0.05, L = 20, and R = 1000. Applied codes were (14, 7, 0), (14, 7 , 3), and (14, 7, 6) convolutional codes. The x-axis is proactivity factor P F , which was set to 1, 817, 917, . . . , or 2. (14, 7 , 0) convolutional code is equivalent to (14, 7) RS code, and results were the same for Retransmission strategies 1 and 2 with (14, 7 , 0) convolutional code. For the Retransmisssion strategy 1, the constraint length m has little effect for

30

+

m = 3, strategy 2 m = 6, strategy 2

1w PF

(a) number of transmissions

12

14

16

-w 18

PF

(b) forward bandwidth

Figure 3. Effects of P F to (a) the number of transmission and (b) forward bandwidth for (14, 7, 0), (14, 7, 3), and (14, 7, 6) convolutional codes, where R = 1000 and p = 0.05.

the number of transmissions when m is greater than 0. On the other hand, for the Retransmission strategy 2, the number of transmission for lower P F showed significant increase as m increases. (14, 7, 0) convolutional code showed almost the same value for two strategies. In comparison with Retransmission strategy 1 under the same m of (14,7, m) convolutional codes, Retransmission strategy 2 shows lower forward bandwidth. The figure also indicates the existence of optimal P F value that minimizes forward bandwidth. However, the optimal P F for Retransmission strategy 1 is not always the same as for Retransmission strategy 2. When (14, 7, 6) convolutional code is applied with Retransmission strategy 1, forward bandwidth was minimized to 1.33 at P F = 9/7. A lost information packet can be recovered by redundant packets in the succeeding m code groups. Then, when m and P F are small, transmitted redundant packet sometimes may not contribute for recovery. This is considered as the reason of existence of minimum and local minimum for forward bandwidth. Figure 4 shows the measurement results for the number of transmissions and forward bandwidth with (14, 7, 0), (14, 7, 3), and (14, 7, 6) convolutional codes under p = 0.05 and P F = 8 / 7 . The x-axis is the number of receivers R. The number of transmissions at Retransmission strategy 2 rapidly increases as m and R increases. Retransmission strategy 2 intends to reduce transmitted packets as much as possible, without considering packet loss probability. Therefore, lost redundant packets at retransmissions sometimes make lost information packets unrecoverable, resulting in repeated retransmissions. On the other hand, larger m improves forward bandwidth under the same value of R. Figure 5 shows the measurement results of forward bandwidth when Retransmission strategy 2 is applied with (14, 7, 6) convolutional code under R = 1000 and packet loss probability in the range of 0.01 to 0.1. For a given P F , forward

31 m=O m

l.M

1.m

-

1

(a) number of transmissions

. . . . ~~

m =6,strategy 1 ....

m = 6, strategy 1

R

~

= 3, strategy 1

rn = 3, strategy 2

~~

+

1w

10

d 1Mo

R

(b) forward bandwidth

Figure 4. Effects of R t o the number of transmissions and forward bandwidth for (14, 7, 0), (14, 7, l ) , (14, 7, 3 ) , and (14, 7, 6) convolutional codes, where P F = 8/7 and p = 0.05.

bandwidth became lower as the packet loss probability decreases. For a given packet loss probability, optimal P F value that minimizes forward bandwidth existed, while optimal value differs depending on the loss probability. Figure 6 shows the measurement results for the number of transmissions and forward bandwidth with (6, 3, O), (6, 3, 3), and (6, 3, 6) convolutional codes under p = 0.05 and R = 1000. Similarly to the results with (14,7, m ) convolutional codes, (6,3, m ) convolutional codes had the optimal P F , and Retransmission strategy 2 showed superior forward bandwidth than strategy 1 when m was greater than 0. (6,3, m ) convolutional code generally showed higher forward bandwidth than (14,7, m ) convolutional codes under the same values of m and P F . 5. Conclusions In this paper we applied ( n ,k , m ) convolutional codes over a finite field to reliable multicast, and evaluated the number of transmission and transmitted packets. We considered two retransmission strategies. We used computer simulations for (14,7, m ) and ( 6 , 3 ,m) convolutional codes, under the given parameters constraint length, packet loss probability, the number of receivers, and proactivity factor. Simulation results showed the existence of PF that minimizes the number of transmitted packets under given parameters. Retransmission strategy 2 showed smaller number of transmitted packets than Retransmission strategy 2, while the number of transmission increased.

References 1. C. Perkins, 0. Hodson, and V. Hardman, "A survey of packet-loss recovery techniques for streaming audio," IEEE Network Magazine , Sep./Oct. 1998.

32 2.m

p=O.lO 1.m

-

p = 0.08

I

~

------

p =0.06

~

~

p = 0.04

5

140 -----...-....2,’.’,’

..... .

,_

.,,

..----’

m = 6 . strategy 1

m = 3, strategy 2

I

1W’ 1

12

14

16

18

2

PF

Figure 5. Effects of PF and packet loss probability to forward bandwidth for Retransmission strategy 2 with (14, 7, 6) convolutional codes, where R = 1000.

m = 6, strategy

1w

1

12

14

16

2 - -*18

2

PF

Figure 6 Effects of PF to forward bandwidth for Retransmission strategy 2 with ( 6 , 3, 0), (6, 3, l), (6, 3, 3), and (6,3,6) convolutional codes, where R = 1000 andp = 0.05

2. H. Liu, H. Ma, M. El Zarki, and S. Gupta., ”Error control schemes for networks: An overview”, ACM Mobile Networks & Applications, Vol. 2, No. 2, pp. 167-182. 1997. 3. M. Yajnik, S. Moon, J. Kurose, and D. Towsley, ”Measurement and Modeling of the Temporal Dependence in Packet Loss,” Proc. of IEEE INFOCOM ’99, pp. 94-99, Nov. 1996. 4. L. Rizzo, ”Effective Erasure codes for reliable computer communication protocols,” Computer Communication Review, Vol. 27, No. 2, pp. 167-182, Oct. 1997. 5. J. Nonnenmacher, E. Biersak, and D. Towsley, ”Parity-Based Loss Recovery for Reliable Multicast Transmission,” IEEE/ACM Trans. Networking, Vol. 6, No. 4, pp. 349-361, Aug. 1998. 6. D. Rubenstein, J. Kurose, and D. Towsley, ”Real-Time Reliable Multicast Using Proactive Forward Error Correction,” Proc. of IEEE NOSSDAV’98, Jul. 1998. 7. C. Metz, ”Reliable Multicast: When Many Must Absolutely Positively Receive It,” IEEE Internet Computing, Vol. 2, No. 4, pp. 9-13, JuLAug. 1998. 8. R. Kermode, ”Scoped Hybrid Automatic Repeat Request with Forward Error Correction (SHARQFEC),” Proc. of ACM SIGCOMM’98, pp. 278-289, Oct. 1998. 9. J. Nonnenmacher, M. S. Lacher, M. Jung, E. Biersack, and G. Carle, ” H o w Bad is Reliable Multicast without Local Recovery?,” Proc. of IEEE INFOCOM’98, pp.972979, Apr. 1998. 10. A. Yamaguchi, M. Arai, S. Fukumoto, and K. Iwasaki, ”Fault-Tolerance Design for Multicast Using Convolutional-Code-Based FEC and Its Analytical Evaluation,” IEICE Trans. Info. & Sys., Vol. E85-D, No. 5 , pp. 864-873, May 2002. 11. M. Arai, S. Fukumoto, and K. Iwasaki, ” A Study on Extention of Coefficients for (n, k, m) Convolutional-Code-Based FEC,” 2nd Euro-Japanese Workshop on Stochastic Risk Modeling for Finance, Insurance, Production and Reliability, pp. 32-41, Sep. 2000.

RELIABILITY DESIGN OF INDUSTRIAL PLANTS USING PETRI NETS MASSIMO BERTOLINI Dipartimento di Ingegneria Industriale, Universita degli Studi di Parma. Viale delle Scienze, 181/A - 43100 Parma (ITALY) MAURIZIO BEVILACQUA Dipartimento di Ingegneria delle Costruzioni Meccaniche, Nucleari, Aeronautiche e di Mefallurgia, Universita degli Studi di Bologna, sede di Forli, Via Fontanelle 40 - 47100 Forli (ITALY) GIANLUIGI MASON Dipartimento di Ingegneria Industriale, Universita degli Studi di Parma, Viale delle Scienze, 181/A - 43100 Parma (ITALY)

This paper describes a reliability analysis tool for design or revamping of industrial plants. The methodology is based on Failure Modes, Effects and Criticality Analysis (FMECA) and stochasticevents simulation analysis through Petri nets. The input data for the analysis are collected by applying a FMECA technique to the industrial plants both in the design and in the revamping stage, obtaining useful information of events probability, occurrence and effects. The following step, i.e. the simulation of the system operation using Stochastic Petri Nets (SPN), makes it possible to calculate some important reliability parameters of the industrial plant, evaluating their change depending on maintenance policies on plant items. In particular, the effects of preventive maintenance on system reliability have been analysed using Petri Nets, allowing the costsibenefits analysis. The proposed methodology has been applied to the Integrated Gasification and Combined Cycle (IGCC) plant of API oil refinery in Falconara Marittima (Ancona, Italy), providing results that are consistent with the experimental reliability data, thus proving to be an effective decision-support tool for Reliability Engineering.

1

Introduction

Reliability analysis is an essential step in design, revamping and management of any industrial plant. Several techniques and tool can be used for this aim, such as the Fault Tree Analysis (FTA), Failure Modes, Effects and Criticality Analysis (FMECA) and HAZard and Operability study (HAZOP). These techniques are developed in order to collect reliability information on the system, such as system availability, mean time between failures (MTBF) and mean time to repair (MTTR). This kind of information, useful during the plant normal operation, is really essential during its revamping or redesign, in order to save time and money, since the knowledge of the critical elements of the system at the beginning of the development process assures easier and cheaper changes in plant redesign. The concept of Design For Reliability (DFR) is especially important in case of complex and expensive products; in such a situation the know how of maintenance procedures in similar machines or plants provides a great advantage to

33

34 the maintenance staff. This practical knowledge is generally fixed in the FMECA, an effective methodology to assess the critical elements of a machine or a plant. FMECA technique, initially introduced as a tool for failure analysis during product development process [7], was afterwards used to develop a Total Productive Maintenance (TPM) plan, according to the rules of the Reliability Centered Maintenance (RCM) [4]. Other interesting contributes for design reliability analysis can be found in [ 2 ] , [6], [8], where the FMECA is associated with the Quality Function Deployment (QFD). The authors propose a sequential utilization of FMECA and QFD in order to improve customer satisfaction through the development of a product that can satisfy customer requirements of quality and robustness, according to the Total Quality Management (TQM) philosophy. This paper presents a reliability analysis methodology for the design or revamping of industrial mechanical plants. The methodology uses Failure Modes, Effects and Criticality Analysis (FMECA) and stochastic-events simulative analysis. In the first step of the procedure, the input data for the analysis are collected through the application of FMECA technique to the industrial plants both in the design and in the revamping stage, obtaining useful information on events probability, occurrence and effects. In the second step, the behaviour of the system is simulated using Stochastic Petri Nets. The analysis is focused on the effective critical points of a plant or a machine rather than on customer requirements. Moreover the effects of preventive maintenance on system reliability can be analysed using Petri Nets, making possible to perform a costshenefits analysis by evaluating the specific maintenance policy effects on reliability parameters. The paper is organized in the following way: an overview of FMECA methodology and Petri Nets is firstly presented, with a latter analysis methodology description. Finally a case study is described, with the application of the tool to the Integrated Gasification and Combined Cycle (IGCC) plant in the API oil refinery in Falconara Marittima (Ancona, Italy).

2

Overview of FMECA methodology

The Failure Modes Effects and Criticality Analysis (FMECA) method [7] is probably the most famous technique for defining procedures to assess products/processes identification of potential failures. FMECA is characterized by a bottom-up approach. It breaks down any system (product and/or production process) into its fundamental parts to find all the potential failure modes and their effects. The analysis of the failure modes of a given production process provides important information on: 1. the subsystems and parts of the system in a hierarchical arrangement (functional analysis of the production plant); 2. any “failure” or generic “malfunctioning”, with a list and a description of all the potential failure modes for the process/product being analysed; 3. the probability, severity and detectability of each failure mode;

35 the Criticality Analysis (CA), which ranks all the failure modes in order of importance. Where the risks are higher, it becomes necessary to propose corrective actions, checking the effectiveness of any of these actions and making sure that the criticality analysis is accordingly revised.

4.

3

Petri Nets

Petri Nets (PN), developed by Carl Petri in his Ph.D. thesis, are a useful tool for analysing and modelling the dynamic behaviour of complex systems with concurrent discrete events. PN were first used by electronic and informatics engineers, for example to model microprocessor architecture [ 11. A PN model is graphically represented by a directed bipartite graph, consisting of two kinds of nodes, called places and transitions, drawn as circles (places) and boxes (transitions). Places can contain tokens, drawn as black dots, while transitions are labelled with their temporal delay D (stochastic or deterministic). Places and transitions are linked by weighted arcs. From a modelling point of view, places represent conditions and transitions represent events. A transition is characterised by a certain number of input places, describing the conditions to be verified for the firing of the transition, and a certain number of output place, representing the effects of the firing. Various PN applications in several industrial engineering fields are described in scientific literature; in particular Schneeweiss [ 5 ] describes several Petri Nets application for Reliability Modelling. For a detailed description of PN building and modelling tools the reader can refer to [11 PI. 4

The FMECA-Petri Nets approach to reliability design

The FMECA-Petri Nets methodology here described is developed to predict the reliability parameters of a complex system and to simulate the preventive maintenance policy effects on system av '

Figure 1 PN representlng an and

FMECA technique is firstly used to collect data on system failure modes and on failure criticality; from a system availability point of view a failure is considered critical

36 if it causes a system breakdown. The followed data are collected for each system component: 1. Mean Time Between Failure (MTBF), for corrective and preventive maintenance conditions; 2. Mean Time To Repair (MTTR); 3. Preventive maintenance implementation parameter (maintenance time interval and maintenance action); 4. System status during maintenance (oddown). The collected data are used in the Petri nets simulation software to evaluate system reliability parameters. For the development of the PN every critical element previously identified is considered as an item subject to failures that can be repaired (as good as new) depending on its MTBF and MTTR (mean values of stochastic timed transitions with negative exponential distribution). Those transitions are linked to two places, representing the state of down and up of the whole system. Figure 1 shows the case of a machine with five different failure modes. Each firing of a failure event removes a token from the on condition place and adds a token to the off condition place. The PN behaviour is symmetric for the repair event. The on-time and down-time of the system can then be easily evaluated adding a time counter represented by a test arc, a deterministic timed transition t with unit delay and a place that collects tokens representing time units, sent by the transition t, as shown in Figure 2.

Another place is finally introduced in the net, to count the number of occurred failures. As can be seen from Figure 3, each failure is linked to a place to which a token is sent when a failure occurs.

Figure 3. Failure counter

37 Once the Petri Net design is completed, it is possible to obtain the desired reliability parameters, identified by: 1. TU = up time of the machine; 2 . TD = down time of the machine; 3. TU + TD = T = total time of simulation; 4. N = total number of occurred failures. The following parameters will be obtained

TU MTBFp=1. MTBFp = MTBF of the machine N . TD MTTRp=2 . MTTRp = MTTR of the machine N . 3.

Ap = Availability

Figure 4. PN simulating preventive maintenance.

When considering the case of preventive maintenance simulation, the principle of net building is the same as before, with the addition of preventive actions. Petri Nets are modified adding new transitions to represent those activities, as shown in Figure 4. MTBF values without preventive maintenance are used instead of the previous MTBF values, while MTTR values doesn’t change. The behaviour of the repaired elements is assumed to be as good as new. The described models have been applied to the feed pumps of Gasification Unit of Integrated Gasification and Combined Cycle (IGCC) plant in API oil refinery in Falconara Marittima (Ancona, Italy).

1.1. The Integrated Gasification and Combined Cycle Plant case study API oil refinery of Falconara Marittima has recently introduced an innovative IGCC plant that allows the recovery of high sulphurous residual deriving from refinery cycle, in order to produce syngas to be used as fuel to obtain electric power and steam. The plant is divided in two sections: 1. SMPP (Syngas Manufacturing Process Plant): section where the residual is gasified and syngas is obtained (Texaco technology).

38 2.

CCPP (Combined Cycle Power Plant): co-generation section where electric power is produced in a combined cycle power plant. The introduction of this innovative plant provides several advantages, such as, lower pollution, because the previous thermo electrical power plant was shut down and higher profits, because several kinds of crude oils can know be processed, and the electrical power produced is sold to national electrical net (286 MW) and the generated steam is used to serve refinery utilities. The object of our analysis is one of the most important parts of the plants, both from an economic and a technical point of view: the feed pumps of the Gasification Unit in the IGCC section.

Figure 5. Charge pump scheme ~

The group of feed pumps consists of three alternative volumetric pumps, in a 2-outof-3 layout; this layout was chosen because of the economic and technical importance of this system. These pumps work in very severe conditions, because of the high density (982 kg/m3) and viscosity (148 cSt) of the fluid pumped at high pressure (80 bar) and temperature (271°C). Each pump is a complex machine made of several auxiliary systems, as represented in Figure 5.

Table 1 . Example of breaking down according to FMEA methodology

39 Every pump was broken down into 90 elements, according to FMEA practice. Among those 90 elements, 30 critical ones were found, and the input data were collected as previously described. Table 1 and Table 2 report some data collected. Table 2. Example of data collecting

The three nets representing each of the pumps have then been linked together in order to study the availability of the whole 2-out-of-3 system, as shown in Figure 6. The Petri Net model to evaluate the preventive maintenance policy effect was built according to the same rules previously introduced. The three nets representing the single pumps have then been linked together as described before.

1.2. Final results

I

I

Figure 6. Linking the three nets.

The simulation analysis has been carried out according to the general procedure describedin Law and Kelton [3]. The final results presented in Table 3 have been obtained by simulating the system operation for a five year period. The Petri nets simulation output data are characterized by a confidence level of 95%. It should be noted that the results are very close to the limited and uncompleted experimental data available collected in the last two years. The MTBF values are high: this is due to the very severe operating conditions of the pumps. On the other hand MTTR values are very low because of the extreme importance of the machines from a technical and economical point of view: repair operations are always made on time with great accuracy. The derived availability values are very high as logic consequence of the fact that MTTRs are very lower than MTBFs.

40

table1.Finalresulsts MTBF MTTR Pump availability System availability

5

Results of PN for reliability analysis 756,87 [hour] 1 1,04 [hour]

Results of PN for preventive maintenance analysis 778,82 [hour] 10,48 [hour]

Experimental data 785,57 [hour] 10,08 [hour]

98,50 %

98,60%

98,70 %

99,80 %

99,90%

99,90 %

Conclusion

The use of Petri Nets for Reliability Modelling proved to be a very useful tool, providing several interesting information and thus completing the output of a Project FMECA. System reliability can be evaluated during the design stage or after modifying some parts of the system; preventive maintenance operations can be simulated in order to support maintenance planning, making possible to evaluate how changes in maintenance scheduling can modify system reliability and availability. The methodology proposed here can be applied to a wide range of industrial plants, helping the designer to gain useful information from existing reliability know-how and to consolidate them in a well defined design process scheme. References

1. 2. 3. 4. 5.

6. 7.

8.

Ajmone Marsan M., Balbo G., Conte G., Donatelli S., Franceschinis G., Modelling with Generalized Stochastic Petri Nets, John Wiley & Sons, Torino, Italy, (1994). Ginn D.M., Jones D.V., Rahnehat H., Zairi M., The “QFD/FMEA interface”, European Journal of Innovation Management, 1 (I), 7-20, (1998). Law Averill M., Kelton W. David, Simulation Modeling & Analysis. McCraw-Hill, New York, USA, (1991). Rausand M., Reliability Centered Maintenance. Reliability Engineering and Systems Safety, 60, 121-132, (1998). Schneeweiss W. G., Petri Nets for Reliability Modeling, LiLoLe-Vevlag GmbH (Publ. Co. Ltd.), Hagen, Germany, (1999). Tan C.M., Customer-focused build-in reliability: a case study, International Journal of Quality & Reliability Management, 20 (3), 378-397, (2003). US Military Standard, MIL-STD- 1629A, Procedures for performing a failure mode, effect and criticality analysis. Department of Defense, USA, (1 980). Yang K., Kapur K.C., Customer Driven Reliability: Integration of QFD and Robust Design, Proceedings Annual Reliability and Maintainability Symposium, (1997).

OPTIMAL BURN-IN PROCEDURES IN A GENERALIZED ENVIRONMENT

JI HWAN CHA Division of Mathematical Sciences Pukyong National University Busan, 608-737, KOREA E-mail: [email protected] JIE MI Department of Statistics Florida International University Miami, FL 33199, USA E-mail: [email protected] Burn-in procedure is a manufacturing technique that is intended to eliminate early failures. In the literature, assuming that the failure rate function of the products has a bathtub shape the properties on optimal burn-in have been investigated. In this paper burn-in problem is studied under a more general assumption on the failure rate function of the products. An upper bound for the optimal burn-in time is presented under the assumption of eventually IFR. Furthermore, it is also shown that a nontrivial lower bound for the optimal burn-in time can be derived if the underlying lifetime distribution has a large initial failure rate.

1. Introduction

0 0

0 0 0

0 0

0

ACRONYMS AND ABBREVIATIONS Cdf cumulative distribution function DIB bathtub shape FR failure rate (function) initially decreasing and eventually increasing failure rate (function) IDEI FR pdf probability density function r.v. random variable sstatistical(1y) Sf survivor function NOTATION

0 0

X h

lifetime of a component, X 2 0; a r.v. burn-in time 41

42

lifetime of a component survived burn-in time b, Xb 2 0; a r.v. Xb pdf, Cdf, Sf of X f(t), F(t),F ( t ) 0 r(t) F R of X the first and second infancy points 0 t,, t,, the first and second wear-out points 0 t*, t** the first and second change point, respectively, when the FR is DIB 0 tl, t2 $ r(u)du;cumulative F R 0 A(t) mean residual life function of a component with burn-in time b 0 p(b) 0 T given mission time

0 0

Burn-in is a method used to eliminate the initial failures in field use. To burn-in a component or system means to subject it to a period of use prior t o the time when it is to be actually used. Due t o the high F R in the early stages of component life, burn-in procedure has been widely accepted as a method of screening out failures before systems are actually used in field operations. An introduction to this important area of reliability can be found in Ref. 6 and Ref. 7. It is widely believed that many products, particularly electronic products or devices such as silicon integrated circuits, exhibit DIB FRs. Hence many researches on burn-in have been done under the assumption of DIB FR. See, for example, Refs. 3-5, 9-12 and 14-16. Recently, there have been many researches on the shape of FRs of mixture distributions. For instance, in Refs. 1, 2 and 8, the shape of FRs of mixture distributions which is not of the typical DIB are investigated. Ref. 13 considered optimal burn-in under the assumption of eventually IFR. In this paper, we consider optimal burn-in under an initially decreasing or/and eventually increasing FR, which includes DIB F R as a special case. We derive a sharper upper bound for optimal burn-in than that obtained in Ref. 13 under the assumption of eventually IFR, and a lower bound assuming that the F R is initially decreasing.

Definition 1.1. A FR r ( x ) is eventually increasing if there exists 0 5 xo < 00 such that r ( x ) strictly increases in z > 2 0 . For an eventually increasing FR r ( x ) the first and second wear-out points t* and t**are defined by t* = inf{t 2 0 : r ( x ) is nondecreasing in z 2 t} t** = inf{t 2 0 : r ( x ) strictly increases in z 2 t}. Obviously 0 5 t* 5 t** 5 zo < 00 if r ( z ) is eventually increasing. In particular, if r ( z ) has a bathtub shape with change points t1 b}.

T h e n the set B1 i s not e m p t y and bl = inf B1 is a n upper bound for optimal b u m - i n t i m e b*, that is, b* 5 bl < co, where b* satisfies ,u(b*) = maxbzo p ( b ) . Proof. Since the FR is eventually increasing, it is true that, for each z r ( z ) - r ( t )5 0 for all

> t*,

t > z,

and, for each z > t”,there exists t’ E [z, m) such that r ( z ) - r ( t ) < O for all

t > t’.

These imply that s,”(r(z) - r ( t ) ) exp{ - A ( t ) } d t < 0 for all z > t*,and thus t* E Hence the set B1 is not empty. Observe that ‘f b > bl p’(b) = r ( b ) exp{A(b)}

IM exp{-A(t)}dt

-

1

< exp{A(b)} J’ r(t)exp{-A(t)}dt

-

1

M

= 0.

b

b

B1.

44

This means that p(b) is strictly decreasing in b > bl. Therefore we conclude that b' 5 b l . QED Note that if r(0) > l/(J,"exp{-h(t)}dt) = 1/E[X], then p ' ( 0 ) > 0. Hence a sufficient condition for a positive burn-in(i.e., b* > 0) is r(0) > l / E [ X ] . Corollary 2.1. Suppose that the FR r(t) is eventually increasing. Then the optimal burn-in time b* 5 t*. Proof. It is true that t* E B1. Hence b' 5 b l 5 t* holds. QED The above result of Corollary 2.1 has been also given in Theorem 1 of Ref. 13. The following result gives a lower bound for optimal burn-in when the FR is initially decreasing. Theorem 2.2. Suppose that (i) the FR r(t) is both initially decreasing and eventually increasing(IDEI); (ii) r* = supt2t**r(t) < r(0); (iii) r ( t ) is continuous on (O,t,,]. Let

Bz

= {b : g1(z) =

LW

(r(x) - r ( t ) ) exp{-A(t)}dt

> 0, f o r all

z

< b}.

Then the set B2 is not empty and optimal burn-in time satisfies b2 5 b* 5 b l , where bz SUP B2. Proof. Define set A = {t : r(t) = r*,O 5 t 5 t**}. Note that r(0) > r* 2 r**= r(t**) and r(t) is continuous on (O,t,,], so the set A is not empty and we can further define to = sup{t : r ( t ) = r*,0 5 t 5 t,,}. Then, for each z < to,

> 2, [to, m) such that, for each z < to, r ( z ) - r(t) 2 0 , V t

and there exists t" E

r ( x ) - r ( t ) > 0 , V t > t". These imply that L m ( r ( x ) - r(t))exp{-h(t)}dt

> 0,V

z

< to,

and thus t o BZ. Hence the set Bz is not empty. Observe that 'd b < b2, p'(b) = r(b) exp{h(b)}

> exp{h(b)} = 0.

J'

W

exp{-R(t)}dt

-

1

r(t) exp{-h(t)}dt

-

1

b

b

This means that p(b) is strictly increasing in b < bz, and therefore we have b* 2

b2.

45

Corollary 2.2. Suppose that the same conditions in Theorem 2.2 are true. T h e n optimal burn-in time satisfies t o 5 b* 5 t*, where t o = sup{t : r ( t ) = r*,O 5 t 5

t**}. Proof. It follows from Corollary 2.1 that b" 5 t'. From the proof of Theorem 2.2 it holds that t o E Bz and thus t o 5 t z 5 b*. The desired result thus follows. QED 3.

The Probability of Performing Given Mission

In field operation a component is usually used t o accomplish a task or mission. Let T be a given mission time. Then the probability that a component, which has survived burn-in time b, accomplishes the mission is given by :

+ +

p ( b ) = P(X6 > T ) = P ( X > b T ~ X > b) = exp{-[h(b T ) - A(b)]}. Theorem 3.1. Suppose that the F R r ( t ) is eventually increasing. Let B3

= { b : g z ( x ) = r ( z )- r ( z + T ) 5 0 , f o r all x > b a n d , f o r s o m e b' s u c h that b < b'

I m,

r ( x )- r ( x

+ T ) < 0 for all b < x < b'}.

T h e n the set B3 is not empty and b3 = inf B3 i s a n upper bound for optimal burn-in t i m e b', that is, b* 5 b3 < 00, where b* satisfies p ( b * ) = maxb2o p ( b ) . Proof. Let the set

t = max{t*,t** - 7 ) . Then it can be shown that t E B3, which implies that B3

is not empty. Observe that

p'(b) = ( r ( b ) - r ( b

+

7 ) )e x p { - [ h ( b

+

T)-

h ( b ) ] }I 0 ,

for all b > b3 and there exists bk > b3 such that the above inequality strictly holds for b3 < b < b i . These imply that p ( b 3 ) > p ( b ) , for all b > by. Therefore we can conclude that b* 5 b3. QED

If r ( 0 ) > b* > 0.

r(T)

then p'(0)

> 0. Hence r ( 0 ) > r ( T ) is a sufficient condition for

Corollary 3.1. Suppose that the F R r ( t ) is eventually increasing. T h e n optimal burn-in t i m e satisfies b* 5 t, where t = max{t*, t**- T } .

Proof. It is true that t E B3. Hence b* I b3 5 t holds. QED The above result of Corollary 3.1 has been also given in Theorem 2 of Ref. 13.

46

Theorem 3.2. Suppose that (a) the FR r ( t ) is both initially decreasing and eventually increasing(IDEI); (ii) r* = supt2t**r ( t ) < r ( 0 ) ; (iii) r ( t ) is continuous on (O,t,,]. Let B4

= {b : g 2 ( 2 ) = r ( z )- r ( z + r ) 2 0 ,

for all z < b and, for some b" such that 0 5 b" < b, r ( z )- r ( z r ) > 0 f o r all b"

+

< z < b}

Then the set B4 is not empty and optimal burn-in time satisfies b4 5 b" 5 b3, where b4 = supB4. In particular, if t* < t,, and t,, - t* > r , then optimal burn-in tame b* can be any value in [t*,t,, - r ] . Pro0f. By the same arguments stated in the proof of Theorem 2.2, we can define t o = sup{t : r ( t ) = r*,O 5 t 5 t,,}. Then t" = min{to,t,) E B4, hence the set B4 is not empty. Observe that p'(b) = ( r ( b )- r ( b

+

7)) exp{-[A(b

+r )

-

A(b)]j 2 0 ,

for all b < b4 and there exists bk < b4 such that the above inequality strictly holds for bk < b < b4. This means that p(b4) > p(b) for all b < b4. Therefore we can conclude that b* 2 b4. Now suppose that t* < t,, and t,, - t* > r . Then it is true that p'(b) > 0 for all 0 5 b < t*, p'(b) = Ofor all t* 5 b 5 t,, - r , and p'(b) < 0 for all b > t,, - r. These imply the desired result. QED Corollary 3.2. Suppose that the same conditions in Theorem 3.2 are true. Then optimal burn-in time satisfies t" 5 b* 5 t, where t" E min{to,t,} and t o E sup{t :

r ( t ) = r*,O 5 t 5 t,,}. Proof. From the proof of Theorem 3.2, it is true that t" E

B4.

Hence t" 5 b* 5 t holds.

QED 4. Illustrative Example

In this section a numerical example is considered for illustration. Example 4.1. Suppose that the FR of the component is given by :

i

-(t (1/4)(t

r ( t )=

-

+ 2, if o 5 t 5 2, 3)2 + 3/4, if 2 5 t 5 4, +

-(1/4)(t - 5)2 5/4, if 4 5 t 5 6, (1/4)(t - 7)2 3/4, if 6 5 t 5 9,

+

4 - (9/4)exp{-(t

-

g)}, if 9 5 t.

The graph for the FR is presented in the Figure 1. Then the FR is eventually increasing with two wear-out points t* = t** = 7.0. We consider optimal burn-in time b* which maximizes p(b).

47

2

4

6

8

1

0

1

2

Figure 1. Failure Rate Function

L

5

6

X

7

Figure 2. Graph for gi(x)

To find the upper bound obtained in Theorem 2.1, the graph of gl(z) for 0 5

x 5 7.0 is obtained and is presented in the following Figure 2. From the above graph of gI(x), the upper bound bl is given by 2.32, which is much sharper than t* = 7.0. Therefore to find optimal burn-in time, it is sufficient to consider only b 6 [0,2.32]. However note that g l ( b ) > ( ( T ]+ E[K(T,T);Y; 5 T ] 1

+ (C3 + C4)(-P - 1))GT(T)+

= {[c4I).+(

1'

a(T-y,~)dGT(y).

(10)

Thus a ( T ,T ) satisfies a renewal-type equation

1'

+ a ( T - y,~ ) d G , ( y ) . (11) for which L ( T , T )= {[C4+ v ( T ) ]+ (C3 + Cd)(l/p - l)}GT(T). The solution is a ( T ,T ) = L(T, T )

Differentiating (12) with respect to

T

yields

4.3. Rebate policy

In the rebate policy, for the general repairable product, all type I failures in the warranty period [0,T] are rectified (through minimal repair actions) by the manufacturer free of cost, and the buyer is refunded a proportion of the sales price C, when the type I1 failure occurs for the first time. The amount of rebate, R ( t ) ,is a function of the type I1 failure time t . This study assumes that R(t) is a linear function o f t , i.e., R(t) =

Iccp(l - %), for 0 5 t 5 T , for t > T,

(14)

where 0 < Ic 5 1, 0 5 Q 5 1. Two special forms of (14) are the lump sum rebate policy ( a = 0) and pro rata rebate policy ( a = 1, Ic = 1).

70 The expected warranty cost for the general repairable product sold under this policy can be given by 1 a ( T , . r )= ( T . ~ ( T ) x) -{ ~( C ~ + C ~ ) ( - - ~ ) . T . [ ~ ( T ) - ~ ( P

+

k . C p * {T * G(T)- (1 - a ) . T . E(T T ) - a .

Differentiating (15) respect t o

a ’ ( T ,7) = (T . G(.))-l

T

yields

1-

+

G(T t ) d t } .

-

(15)

x

5. Optimization M o d e l

Let C ( T , T )denote the expected total cost per unit sold, for a general repairable product with burn-in time T and warranty period T ; and let C(T)represent the corresponding cost without burn-in. Then

C ( T ,7) = V ( T ) + a ( T ,T ) .

(17) Notably, c(T)< limT+,+C ( T , T ) ,this is due to the fixed setup cost of burn-in C1 > 0. If C1 = 0, then C ( T )= lim,,,+ C(T,T). Thus for a specified warranty period T , the objectives of the manufacturer are: 0

0

To determine the optimal burn-in time T * to minimize C ( T ,T ) when burn-in is used. To compare C ( T , T * )with C(T). If C(T,T*) > C(T),then the optimal policy is to have no burn-in, while if C(T,T*) < C(T),then the optimal burn-in time is given by T * .

Differentiating (17) with respect to condition for minimum cost:

T

C’(T,T ) = .I(.) Sufficient conditions for

T*

and equating it to zero yields a necessary

+ a ’ ( T ,7) = 0.

(18)

to be optimal are (i) it should satisfies (18) and (ii)

C’I(T,T*)> 0.

(19)

Since C ( T , T )+ 00 as T -+ 00, T * is always finite. If (18) has no solution, then = 0 (i.e., no burn-in). The optimal T * can be found by solving (18) or by directly minimizing (17) using numerical methods. Theorem 5.1 and Theorem 5.2 give conditions for T * to be zero or nonzero, and these conditions help in computing T * . In these theorems .isatisfies h(?) = h(.i T ) .

T*

+

Theorem 5.1. For a failure-free policy with warranty period T ,

71 0 0

r* = o if h(0) 5 h ( T ) . A suficient condition for r* > 0 is: 1 ) h(O) > {Cz+[(Co+Ci)pfC3(1-p)+C4]h(T)}/C4forthe renewing

policy; 2) h(O) > ~ ~ ~ ~ o + c l + c 4 ~ + ( c 3 + c 4 ) ( ~ - 1 ) 1 ~ S ( T ) + C 2 [ 1 [(Co+ +V(~ c1+C4)+(C3 C4)( - 1)]C(T)-[C,(1-p) (CO+C1)p] [l+v(T)] } >0 f o r the non-renewing policy.

+

0

;

+

If r* > 0 and rm < 00, then r* < .i5 rm.

Theorem 5.2. For a rebate policy with warranty period T , 0

r* = 0 i f the following I ) or 11) hold. I ) a = 0 and h ( 0 ) 5 h ( T ) ; or 0 < a 5 1, h(0) 5 h ( T ) and h(0) 5 G ( T ) / { p .J z E ( t ) d t } . 11) D < O , where D = [ ( C 3 + C 4 ) ( 1 - p ) + k . C p . ( 1 - a ) p ]. T . ? ? ( T ) + a . k . C p . p . S z E ( t ) d t - [ ( C o + C l ) p + C 3 ( 1- p ) ] T .

+

0

+

+

A suficient condition f o r r* > 0 is h ( 0 ) > (C2 . T [(C3 C4)(l- p ) Cp . (1 - a ) p ] . T . h ( T ). G(T) a . k . C p . G ( T ) } / D> 0. If r* > 0 and r, < co, then r* < .i5 rm.

+ lc .

i) r* < .iL r, i f a = 0; ii) r* < rm if 0 < a 5 1.

Remark 5.1. The above above results yield the following observations: (i) The optimal burn-in time r* depends on 0 0 0

0

product failure characteristics length of warranty period cost parameter probability of failure type I1

(ii) The burn-in is beneficial (i.e., r* > 0) if 0

0

(iii)

The initial failure rate (i.e., h(0))is large. This confirms the intuitive result that burn-in is only useful for products with a high infant mortality rate. Failures during the warranty period are costly. This is the case where C4 is large (failure-free policy) or Cp is large (rebate policy). It can be proved that r* increases as C4 increases (failure-free policy) or C, increases (rebate policy).

is always less than T ~ this ; is to be expected since one would never burn-in beyond the end of the infant mortality period.

T*

72 6. Numerical Example

Jensen and Petersen [‘I and Nguyen and Murthy [2] presented an example of a bathtub-shape failure, where product failure time is assumed t o have a mixed Weibull distribution, i.e., -

~ ( t=)0 .e ( - ~ l @ l ) + (1- 0) . e ( - X 2 . t P 2 )

(20)

with A1 , A2 > 0 , 0 < PI < 1, P 2 > 1 and 0 I 8 5 1. This model can be interpreted intuitively as representing a mixture of two kinds of units, with proportion 6 of defective units and proportion 1 - 8 of normal units. For the present example, 8 = 0.1, A1 = 4, A2 = 0.08, PI = 0.5 and P 2 = 3. Moreover, the cost parameters are Co = 5, Cl = 0.2, C2 = 5/unit of time, C3 = 2, C4 = 10 and C , = 20. The type I1 failure probability is p = 0.2. The warranty policies considered are defined as follows: 0 0 0 0

Policy I: Failure-free renewing policy; Policy 11: Failure-free non-renewing policy; Policy 111: Rebate policy with a = 0 and k = 1; Policy IV: Rebate policy with a = 1 and k = 1.

Figure 2 shows T * versus T . As T -+ 0, then intuitively T * + 0 since less saving is obtained by burn-in; also as T + M, then T * -+ 0, since in this case burn-in worsens the product. Thus, as T increases from 0 to infinity, T * increases and then decreases, as illustrated. I

“ “ ‘ 7

I

1

iY

.-

1

.

To study the variation in the magnitude of saving in the expected total cost with changing T , the following is defined: S ( T )= [C(T)- C(T,T*)]/C(T). Figure 3 shows S ( T ) versus T . Clearly, S ( T ) has a maximum value and is negative for small or large T . This is due to the fixed burn-in cost CI > 0. If Cl = 0, then S(T) is always positive, and S ( T ) -+ O+ as T -+ 0 or T + 00. Acknowledgments The authors like to thank the referees for their valuable comments and suggestion.

References 1. 2. 3. 4.

F. Jensen and N. E. Petersen, Wzley, New York, (1982). D. G. Nguyen and D. N. P. Murthy, IIE Trans. 14, 167 (1982). W. R. Blischke and D. N. P. Murthy, Marcel Dekker, New York, (1994). J. H. Cha, J. Appl. Prob. 37,1099 (2000); 38, 542 (2001); 40, 264 (2003).

DETERMINING OPTIMAL WARRANTY PERIODS FROM THE SELLER’S PERSPECTIVE AND OPTIMAL OUT-OF-WARRANTY REPLACEMENT AGE FROM THE BUYER’S PERSPECTIVE

Y. H. CHIEN* Department of Statistics, National Taichung Institute of Technology, 129 Sanmin Road, See. 3, Taichung, Taiwan E-mail: [email protected]. tw S. H. SHEU Department of Industrial Management, National Taiwan University of Science and Technology, 43 Keelung Rd., Section 4., Taipei 107, Taiwan E-mail: shsheu @im.ntust. edu.tw

J. A. C H E N Department of Business Administration, Kao Yuan Institute of Technology, 1821, Chung-Shan Rd., Lu-Chu Hsiang, Kaohsiung, Taiwan E-mail: [email protected]. tw

This paper considers a general repairable product sold under a failure-free renewing warranty agreement. In the case of a general repairable model, there can be two types of failure: type I failure (a minor failure), which can be rectified by minimal repairs; and type I1 failure (a catastrophic failure), which can be removed only by replacement. After a minimal repair, the product is operational but the failure rate of the product remains unchanged. The aim of this paper is to determine the optimal warranty period and the optimal out-of-warranty replacement age, from the perspective of the seller (manufacturer) and the buyer (consumer), respectively, while minimizing the corresponding cost functions. Finally, a numerical example is presented.

1. Introduction

Warranties for durable consumer products are common in the marketplace. The primary role of a warranty is to offer a post sale remedy for consumers when a product fails to fulfill its intended performance during the warranty period. Bischke and Murthyg defined a warranty as a contractual obligation incurred by a manufacturer, in connection with the sale of a product, under which the manufac‘Mr. Chien is the corresponding aurthor, he is a Assistant Professor in the Department of Statistics at the National Taichung Institute of Technology.

73

74

turer is required to ensure proper functioning of the product, during the warranty period. Failure-free and pro rata rebates are two common types of warranty policies. A failure-free policy obligates the manufacturer t o maintain the product free of charge, during the warranty period, while a pro rata rebate policy obligates the manufacturer to refund a fraction of the purchase price if the product fails within the warranty period. Failure-free policies can be further divided into two categories: renewing and non-renewing. 0

0

Renewing policy: if a product fails within the warranty time, the product is replaced and a new warranty issued. In effect, the warranty begins anew with each replacement. Non-renewing policy: replacements of a failed product do not alter the original warranty.

Manufacturers offer many types of warranties t o promote their products. Thus, warranties have become an important promotional tool for manufacturers. Warranties also generally limit the manufacturer's liability for out-of-warranty product failure. The discussion of various issues related t o warranty policies can be found in Murthy3, Blischke and Murthy5, Murthy and Blischke' and Mitra and Patankar'. Although warranties are used by manufacturers as a competitive strategy t o boost their market share, profitability and image, they are by no means cheap. Warranties cost manufacturers a substantial amount of money. From a manufacturer's perspective, the cost of a warranty program must be estimated precisely and its effect on the firm's profitability must be studied. J a et a1.l' estimated the warranty costs during the life cycle of a product in order t o create a fund for warranty reserves. They considered a failure-free non-renewing warranty policy for products with age-dependent minimal repair costs, derived the s-expected warranty costs and warranty reserves, and demonstrated the feasibility of using cost information to determine warranty length. Yeh and Loll investigated preventative maintenance warranty policies for repairable products. When the length of a warranty period was pre-specified, the optimal number of preventive maintenance actions, corresponding maintenance degrees, and the maintenance schedule were jointly determined. In this paper a general repairable product, sold under warranty, is considered. We have adopted a failure-free renewing warranty policy and an out-of-warranty preventative replacement policy. In this general repairable model, when the product fails a t its age of use t , type I failure occurs with a probability of q ( t ) = 1 - p ( t ) and type I1 failure occurs with a probability of p ( t ) , 0 5 p ( t ) 5 1. Type I failure is assumed to be minor, and can thus be corrected by minimal repair, while type I1 failure is catastrophic, and can only be restored by replacement. Minimal repair means that the repaired product is returned in the same condition as it was, i.e., the failure rate of the repaired product remains the same as it was just prior t o failure. We have assumed that all failures are instantly detected and repaired.

75 From a seller's (manufacturer's) and buyer's (consumer's) perspective, our goal is to determine, respectively, the optimal warranty period and the optimal out-ofwarranty replacement age, which will minimize the corresponding cost functions. 2. Optimal warranty period from the seller's perspective In this section, the problem of determining the optimal warranty period, which minimizes the cost function, is considered from the seller's (manufacturer's) perspective. A failure-free renewing warranty policy was adopted for this investigation, in which minimal repairs or replacement takes place according to the following scheme: if the product-failure within the warranty is minor (type I failure), then the manufacturer conducts minimal repairs; if the product-failure within the warranty is catastrophic (type I1 failure), then the product is replaced and a new warranty is issued. Both minimal repairs and replacement are free of charge to the consumer, but incur costs of c1 and c2, respectively, t o the manufacturer. The cost function consists of the maintenance expense due to product-failure within the warranty period, and the amount gained due to offering the length of the warranty period so forth. Let the random variable Y denote the waiting time t o the first type I1 failure of a new product; the survival function of Y is then given by -

G ( t ) = p ( y > t ) = ,-.fo'p(U)P(U)dU.

(1)

Let h(W) be the total maintenance cost (including minimal repair and replacement) per unit sold for products with warranty period W . The parameter r j - 1 is defined as the number of replacements until the first product's surviving warranty, without type I1 failure, is obtained. Then the random variable Q clearly has a geometric distribution given by

P(rj = Ic)

=

[G(W)]"'C(W),k

2 1.

{x,

Furthermore, let i 2 l} be an i.i.d. sequence of random variables distributed according to G, in which case the random cost h ( W ) is clearly given by

x:zi

where by convention s 0 when q = 1. Since r j is also a stopping time with respect t o the a-field {a(Yl,Yz,.. . , Yn),n 2 l} ; then, by Wald's identity, the mean cost Eh(W)is given by

The cost structure which we consider here contains two parts. The first part is still the mean cost Eh(W). The second part, which is the gain part, is proportional to the length of the renewing warranty period. As mentioned in section 1, warranty can be regarded as an important competitive strategy, used by manufacturers, t o

76 boost their market share, profitability and image. Therefore, if we denote the gain as proportionality constant by K > 0, then the gain due t o the warranty is given by K . W . Thus the cost function considered is this section has the following form:

Differentiating (4) with respect t o W yields

where

+p (-w ) r ( w[cl) . G(W)

lw

+

q ( u ) r ( u ) d u cz . G(W)]

It is easy to check that cp’(W) > 0 if p ( t ) and r ( t ) are increasing, and limw,m p ( W ) = 00. Therefore, the following result is obtained. Theorem 2.1. Suppose the functions r and p are strictly increasing. T h e n for the cost function C,(W) given in (4), if [c1 . q(0) c2 .p(O)]r(O)< K , then the optimal warranty period W *(> 0 ) is unique and finite; otherwise, W * = 0 .

+

+

c2 . p ( t ) ] r ( t ) can be considered as the s-expected Remark 2.1. [cl . q ( t ) marginal maintenance cost function of the failure-free renewing policy. Therefore, Theorem2.1 shows that it is not worth providing a product warranty (i.e., W * = 0) when the marginal maintenance cost of the product’s initial use is high, especially when [ C I . q(o) cz .p(O)]r(O)2 K .

+

3. Optimal out-of-warranty replacement age from the buyer’s perspective

The cost structure considered in this section is described as follows. The consumer has purchased products sold under a failure-free renewing warranty. Within the warranty period W , the manufacturer must maintain the products, free of failure. Although the maintenance is free, the consumers will experience inconvenience or loss incurred by the product failure. That is, any failure of a product within the warranty period not only results in the seller’s cost to provide the maintenance but also in a cost to the consumer (e.g., handling cost, shortage cost, system down cost, waiting cost, etc.). Therefore, we have assumed that csl and cs2 are the costs incurred by the consumer resulting from type I and type I1 failures, respectively. We have assumed that c,1 < c , ~ .The aim of this section is to determine the optimal out-of-warranty replacement age, which minimizes the expected total cost per unit time over the life cycle, for each product purchased by consumer.

77 Using similar arguments to those in section 2, the expected total cost incurred by the consumer during the warranty period can be expressed as follows.

And, for each product purchased, the expected total time for the renewing warranty to last is

Out of warranty, all the repair and replacement costs due to product-failure is incurred by the consumer. A preventative out-of-warranty replacement policy is now considered, in which minimal repairs or replacement takes place according to the following scheme. Out of warranty, a product will be completely replaced whenever it reaches the use time T (i.e., the product with age of use W T ) at a cost cT1 (planned replacement). If the product fails at time of use y E (0, T ) , then it will either be replaced, with a probability of p ( W y) (type I1 failure) at a cost c , ~(unplanned replacement), or it will undergo minimal repairs, with a probability of q(W y) = 1 - p ( W y) (type I failure) at a cost c,. We have assumed that c,1 < c , ~ .After a complete out-of-warranty replacement (i.e., planned or unplanned), the procedure is repeated (i.e., the consumer will be assumed to have purchased a new and identical product after a complete replacement). Sheu4 considered such a preventative replacement model. Therefore, per unit purchased, the total cost incurred out-of-warranty, by the consumer, can be expressed as follows.

+

+

+

+

rYw

where YW = (Y - W ) I {Y > W } . Then ,the expected total cost incurred by the consumer out-of-warranty is

=

(C(w))-l x { (csl + c,) +(GZ

+

'

/ww +T q ( u )T (u)C(u )d u

-G(W

C ~ Z ) @(W)

+ T ) ]+ cr1

'

G(W

+T)}.

Moreover, the expected total operating time for a product out-of-warranty is

(10)

78 Hence, by Eqs. (7) and (lo), the expected total cost incurred by the consumer, from the time a product was purchased to the out-of-warranty replacement, can be expressed as

t(cs1

+ cm)

'Iw

+

. [G(W)- G(W + T ) ]+ c,i . G ( W + T ) } .

W+T

+ ( ~ 2 GZ)

q(u)r(u)Wdu -

(12)

and by Eqs. (8) and (ll),the corresponding expected total operating time per unit purchased is

Therefore, by Eqs. (12) and (13), the expected total cost per unit time over the life cycle for each product purchased is given by W+T

G ( T ; W ) = (/

-

'1

W

~ ( u ) d u ) -xl

{Cs1

0

+(C,l

+ cm)

+(c,z

+ C,Z)

+

q(u)r(u)G(u)du c s z .G ( W )

W+T '

/w

q(u)r(u)Wdu

. [E(W)- E(W

+ T ) ]+

.G(W + T ) } .

(14) In this case, differentiating C 2 ( T ; W ) with respect to T , we see that dCz(T;W)/BT = 0 if and only if

0=lW-

+

+

C,I

+

G(u)du x {(csl cm)q(W T ) r ( W T )

+ csz)p(W+ T ) r ( W + T ) c,1 . p ( W + T ) r ( W + T ) } rW+T +[(c,2 + cs2) c,11 [p(W+ T ) r ( W + T ) p ( u ) r( u ) ]G ( u ) d u } +(c,z

-

-

'

{Iw

-

theorem3.1 letthefuncions r andpabe continuous. Then,if

and either (a) r and pr are increasing with r unbounded and (cTZ+ c S z ) > cT1+ ( C s 1 + c,), or (b) [(c,2 C,Z) - c,~]pr (c,i c,)qr increases to +co,there exists

+

+

+

79 at least one finite T' which minimizes the cost function in Eq. (14). Furthermore, i f any of the functions in (a) or (b) are strictly increasing, then T* is unique. Proof. If the conditions of the theorem are satisfied, then the right-hand side of Eq.(15) is a continuous increasing function of T which is negative (by Eq. (16)) at T = 0 and tends to +co as T --+ +co. Hence there is at least one value 0 < T* < co which satisfies Eq.(15). Since C;(T;W ) has the same sign change pattern (-, 0, +), it follows that C2(T;W ) has a minimum at T'. Under the strict increasing assumption, the right-hand side of Eq. (15) is strictly increasing, therefore T* is unique.

0

+

+ +

+

+

+

Remark 3.1. {(csl c,)q(W t ) [ ( C ~ Z c , ~ )- c,l]p(W t ) } r ( W t ) can be considered as the s-expected marginal cost function of the age-replacement out-ofwarranty policy, and note that

=

{ (csl + c m ) 4 W )+ [(c,z + c S d - c , ~ l p ( W ) ) r ( W ) lim { (csi Cm)s(W t ) [(GZ csz) - c, l] p ( w t ) } r ( W t ) , T-0

+

+ +

+

+

+

which represents the marginal cost of the product at its initial out-of-warranty use. And the term

csl .

so q(u)r(u)=(u)du+ W

C,Z

+

-

. G ( W ) c1, . G ( W )

c(u)du is the cost per unit time for the product within the warranty. Therefore, Theorem3.1 indicates that Eq. (16) is the necessary condition to continue using the product outof-warranty (i.e., T* > 0). 4. A numerical example In this numerical analysis we consider the product with a Weibull distribution, one commonly used in reliability studies. The p.d.f. of the Weibull distribution with shape parameter P and scale parameter I9 is given by

with the parameters of the distribution being chosen as P = 3.3, 0 = 10122 so that the expected life, p , and the standard deviation, u,are 9080 hours and 3027 hours respectively, as in the case in Barlow and Proschan'. The following data are used for the other parameters: c1 = 100, c2 = 1000, c , ~= 5000, c , ~= 10000, cs2 = 5, c,g = 20 and c , = 1000. The type I1 failure probability function is considered as p(y) = 1 - 0.8 * e-O.lY. Using these data we first solve the optimal warranty period W' which was considered in section 2, then based on W * we solve the optimal replacement out-of-warranty age T* which was considered in section 3. The results obtained for different levels of the gain proportional constant K are summarized in Table 1. From the numerical results, we can derive the following remarks:

80 Table 1.

Optimal solution

W*

T*

0.01

2225.01

5715.21

0.025

3313.98

4532.67

0.05

4479.53

3147.05

0.075

5343.11

2002.59

0.1

6055.01

995.76

0.2

8184.61

0.00

K ~

(i) From the seller's (manufacturer's) perspective, the optimal warranty period W * intuitively increases as the gain proportionality constant K increases. (ii) From the buyer's (consumer's) perspective, the optimal replacement out-ofwarranty age T" decreases to 0 as the warranty period W" provided by the seller increases. This is to be expected since the longer the warranty period, the larger the out-of-warranty product failure rate; a t this point, it would not be worth continuing t o use the out-of-warranty product.

Acknowledgments The authors like t o thank the referees for their valuable comments and suggestion.

References 1. R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, Wiley, New York (1965). 2. S . M. Ross, Applied Probability Models with Optimization Applications, Sun Francisco, Calzfornia: Holden-Day(l970). 3. D. N. P. Murthy, Eng. Optim. 15, 280 (1990). 4. S. H. Sheu, Microelectrics Reliab. 31, 1009 (1991). 5. W. R. Blischke and D. N. P. Murthy, Eur. J . Operational Res. 62, 127 (1992). 6 . D. N . P. Murthy and W. R. Blischke, Eur. J . Operational Res. 62, 261 (1992). 7. D. N. P. Murthy and W. R. Blischke, Eur. J. Operational Res. 63, 1 (1992). 8. A. Mitra and J. G. Patankar, Int. J. Production Economics 20, 111 (1993). 9. W. R. Blischke and D. N. P. Murthy, Warranty Cost Analysis, Dekker, New York (1994). 10. S . S . Ja, V. G. Kulkami, A. Mitra and J. G. Patankar, IEEE Trans. Reliab. R50, 346 (2001). 11. R. H. Yeh and H. C. Lo, Euro. J. Operational Res. 134, 59 (2001).

WARRANTY AND IMPERFECT REPAIRS

S. CHUKOVA School of Yathemntical and Computing Sciences, Vzctoria University of Wellington, PO Box 600, Wellington, New Zealand E-mail: Stefanka. [email protected] Y. HAYAKAWA School of International Liberal Studies, Waseda University, 1:7-14-4F Nisha- Waseda, Shinjuku-ku, Tokyo 169-0051, Japan E-mad: yu. [email protected] A brief introduction to concepts and problems in warranty analysis is presented. The degree of warranty repair over the warranty period have an impact on the expected warranty costs and influences consumers’ expenses over the post-warranty usage period of the product. Some techniques and approaches for modeling imperfect repairs are reviewed. A particular model is used to illustrate the impact of the degree of repair on warranty servicing costs.

1. Introduction All products are subject to failures. A failure can be due to a manufacturing defect or to the wearout of the product. Usually the repairs due to manufacturing defects are covered by warranty assigned to the product a t the time of its sale. Extended warranties, which nowadays are quite popular with the consumers, may also cover repairs caused by the wearout of the product. Warranty provides indirect information about the quality of products, and it may influence competition in the marketplace. This is why the length of warranty coverage has generally increased over the years. For example, warranties for automobiles are now 3 years/36,000 miles, or more for some models, compared to only 1 year/12,000 miles twenty years ago. Warranty repairs can affect the overall reliability of the product. The influence of the repair on the lifetime of the product is measured by the degree of the repair. Naturally, a “higher” degree of warranty repair adds to the total warranty costs. At the same time an improvement of the product during the warranty repair decreases the future warranty costs by increasing the product reliability and by reducing the number of failures within the warranty period. In this paper we focus on imperfect warranty repairs and their impact on ex81

82 pected warranty costs. Section 2 is a short introduction to warranty analysis. Section 3 briefly reviews tools and approaches for modeling imperfect repairs. In section 4 an example is given to illustrate the impact on expected warranty costs of imperfect repairs under a renewing free replacement warranty policy. 2. Product Warranty

A product warranty is an agreement offered by a producer to a consumer to repair or replace a faulty item, or to partially or fully reimburse the consumer in the event of a failure. Warranty may depend on one parameter (usually time) or more than one parameters (e.g., time and usage for automobiles). Thus, warranty could be onedimensional or multi-dimensional. Multi-dimensional warranty is usually defined by the geometric measure of the region of coverage. The form of reimbursement of the customer on failure of an item or dissatisfaction with service is one of the most important characteristics of warranty. The most common forms of reimbursement and warranty policies are reviewed in Blischke and Murthy’. Despite the fact that warranties are so commonly used, the accurate pricing of warranties in many situations can be difficult. This may seem surprising since the fulfillment of warranty claims may represent a substantial liability for large companies. For example, according to the 2002 General Motors annual report, the company had net profits of US$1.7 billion and sales of 8.4 million units. The estimated future warranty and related costs on these units was put at US$4.3 billion, substantially more than profits. Underestimating true warranty cost results in losses for a company. On the other hand, overestimating them may lead to uncompetitive product prices and unduly negative reports to stockholders. As a result the amount of product sales may decrease. The data relevant to the modeling of warranty costs in a particular industry are usually highly confidential. Much warranty analysis, therefore, takes place in internal divisions in large companies. The common warranty parameters of interest to be analyzed and evaluated are the expected total warranty cost over the warranty period, as well as for the lifecycle of the item. These quantities reflect and summarize the financial risk or burden carried by buyers, sellers and decision makers. The evaluation of the parameters (e.g., the warranty period, price, etc.) of the warranty program can be obtained by using appropriate models, from the producer’s, seller’s, buyer’s as well as decision maker’s point of view. Their values result from the application of analytical or approximation methods, often combined with an optimization problem. Due to the complexity of the models, it is almost always necessary to resort to numerical methods, since analytical solutions exist only in the simplest situations. A general treatment of warranty analysis is given in Blischke and Murthy’, Chukova, et aL6. Murthy and Djamaludin13 provides a recent extensive literature review of the field. A pictorial representation of the classification of the mathematical models in warranty analysis is given in Fig.1. A version of this classification can be found in Chukova4.

83

1

MATHEMATICAL MODELS IN WARRANTIES

NONREPAIRABLE ITEMS

REPAIRABLE ITEMS

I

COMPLEX ITEMS

Figure 1. Mathematical Models in Warranties

3. Imperfect Repairs

The evaluation of the warranty cost or any other parameter of interest in modeling warranties depends on the failure and repair processes and on the assigned preventive warranty maintenance for the items. The repairs can be classified according to the degree to which they restore the ability of the item to function (Pham and Wang"). The post-failure repairs affect repairable products in one of the following ways 0

0

(a) Improved Repair. A repair brings the product to a state better than when it was initially purchased. This is equivalent to the replacement of the faulty item by a new and improved item. (b) Complete Repair. A repair completely resets the performance of the product so that upon restart the product operates as a new one. This type

84

0

0

0

0

of repair is equivalent to a replacement of the faulty item by a new one, identical to the original. (c) Imperfect Repair. A repair contributes to some noticeable improvement of the product. It effectively sets back the clock for the repaired item. After the repairs the performance and expected lifetime of the item are as they were at a n earlier age. (d) Minimal Repair. A repair has no impact on the performance of the item. The repair brings the product from a 'down' to an 'up' state without affecting its performance. (e) Worse Repair. A repair contributes to some noticeable worsening of the product, It effectively sets forward the clock for the repaired item. After the repairs, the performance of the item is as it would have been at a later age. ( f ) Worst Repair. A repair accidentally leads to the product's destruction.

What could be the reason for imperfect, worse or worst repair? Some possible reasons are (see also Brown and Proschan3 and Nakagawa and Yasui14): incorrect assessment of the faulty item; while repairing the faulty part, damage is caused to the adjacent parts or subsystems of the item; partial repair of the faulty part; human errors such as incorrect adjustment and further damage of the item; replacement with faulty or incompatible parts, and so on. The type of the repair which takes place depends on the warranty reserves, related costs, assigned warranty maintenance, reliability and safety requirements of the product. The existence of an extended warranty or any additional agreements in the warranty contract may influence the degree of the repair to be performed on the faulty item under warranty. Mathematically the degree of repair can be modeled through different characteristics of the lifetime distribution of the item, for example, the mean total time to failure, failure rate function or cumulative distribution function (Chukova et d 5 ) .More sophisticated techniques involving stochastic processes to model the virtual age of the product and its dependence on the degree of repair are also of researcher's interest (Lam'', Lindqvist12, Pham and Wang", Wang and Pham17). Moreover with respect to the length of the repair two scenarios are possible, namely instantaneous repairs and repairs with deterministic or random duration (Chukova and Hayakawa7, Chukova and Hayakawa'). 4. Example 4.1. The Age-Correcting Repair Model Let the initial lifetime, X , of a new product sold under warranty, be a continuous random variable with probability cumulative distribution function (c.d.f.) F ( z ) ( F ( 0 )= 0 and F ( z ) < 1 for all z 2 O), probability density function (p.d.f.) f(z), failure rate function X(z), cumulative failure rate function A(z), and survival func-

85 tion F ( z ) . We model the imperfect or worse repairs using the failure rate function of the lifetime of the product. Let 6i denote the lack of perfection of the ith repair. Then

TO= 0,

+ hixi,

(1) are the values of the virtual age of the product immediately after the ith repair. If 6, = 1 the ithrepair is a minimal one, whereas if 6i > 0 and 6i < (>)1the ith repair is imperfect (worse) one. The extreme case of 6i = 0 corresponds to a complete repair. The model described in (1) is Kijima’s Model I (see Kijima”). We consider this model with the assumption that 6, = 6 # 0, and refer to 6 as an age-correcting factor. If 6 < 1 it is an age-reducing factor, and if 6 > 1 it is an age-accelerating factor. In warranty it is natural to assume that 0 < 6 < 1, which corresponds to reliability improvement of the product. With no failures in [0, u), u > 0 the product would have the original failure rate function X(z) for z E (0, u).Referring to Fig.2a and Fig.2b, the first age-reducing repair occurs at an instant u. After the repair, the product is improved and its performance is as it was earlier, when the age of the product was bu. At calendar age u,which is the time of the first repair, the virtual age of the product is 6u.From time u onwards, until the next repair, the performance of the product is modeled by modified original failure rate function A(z - (u- bu)). Assume that the next failure is at the calendar age u zi. The instantaneous repair improves the performance of the product and its virtual age is 6u 6v. Physically, between the two consecutive failures, the product experiences age accumulation, say u,but due to the age-correcting repair, its virtual age accumulation is 6v. The failure rate function of the lifetime of the product maintained with age-correcting repairs is a modification of X(z), as shown in Fig. 2. For any particular product in a homogeneous population this function will have its jumps whenever an age-correcting repair occurs. Therefore, future failures may reduce (or prolong) the increments in virtual age by the factor 6. Hence, its virtual failure rate will be compressed (or stretched) compared to the original failure rate. Following the ideas in Nelson15, for a population of products (with i.i.d. lifetimes) maintained under age-correcting repairs with identical age-correcting factors, the population failure rate is obtained by averaging the possible individual failure rates of all products. The failure rate for this population is the virtual failure rate of one randomly selected product maintained under age-correcting repairs. We denote it by X*(z), where 1c is a calendar age. It reflects the overall slow-down or acceleration of the aging process for an “average” product from the population. See Dimitrov, et al.’ for details on this model. 5 T, 5 . . . of times representing Consider the sequence 0 = TO5 TI 5 Tz 5 the virtual age of the product after the nth repair. Let {N,”, t 2 0) be the counting process corresponding to { T n } ~ = o . From Theorem A.4 (pp. 380) in Block, et aL2, it follows that {N,“, t 2 O} is a non-homogeneous Poisson process (NHPP) with a leading Ti

= T,-1

+

i = 1,2,

+

86

function

where A ( t ) = - log(] - F ( t ) )is the leading function of the NHPP associated to the process of instantaneous minimal repairs. A(x)

A(X) 0.6-

1.5

0.5

1.25

0.4

1 0.75

0.3

0.5

0.2

0.25

0.1

6u$,u+vP6

Fig.2a

8

X

u+v

Original and individual virtual failure rates under age-reducing factor 6 = .6.

Fig.2b

Original and individual virtual failure rates under ageaccelerating factor 6 = 1.2.

For 6 = 0, equation (2) is not valid because it reflects the failure rate immediately after an age-reducing repair only. Equation (2) shows that the transformation between the calendar and the virtual time scales is t" + t"/b. In other words, the virtual lifetime T , and the calendar lifetime X multiplied by 6 are equal in d distribution, i.e., T = 6 X . Therefore, when the product is at calendar age x, its virtual age measured at the calendar age scale is 62. Thus (see Dimitrov, et aLg for details) X*(x) = X(6x)

and A*(x) =

1 -

6

A(&)

for x 2 0, 6 > 0.

Denote by C, (u, 6) the cost of an age-reducing repair of factor 6 at calendar age u of the product and by a constant Cm(u)= Cm the cost of a minimal repair of the product. Let

Cr(u,6)= Co(1-

(3)

where A4 is a limiting age after which the product can not be sold and Co is the price of a new item. 4.2. Costs Analysis: Renewing Warranty

Here and onwards the time scale is the calendar age time scale. Under the agereducing repair model, we focus on the cost analysis of a renewing free replacement warranty of duration T . Then (see Dimitrov, et aLg for details) the following is true.

a7

The expected warranty cost Cw(t0,T ,6) associated with a product sold at age t o under a renewing free replacement warranty of duration T and maintained under age-reducing repairs of factor 6, satisfies the integral equation

J to

with the boundary condition Cw(to,O,6 ) = 0. Consider products with the Weibull lifetime distribution, i.e., X E Weibull(p, a ) and A(%)

=

P

(z) P

0-1

, A(%) =

(:)a,

z

2 0. Taking into account (3), equation

(4) becomes

Cw ( t o , T, 6) =

Dr

T

Fig.3a

Cw(0,T ,6) with fixed values of 6.

Fig.3b

Cw (0, T ,6) with fixed T .

F i g . 3 ~,,,S as a function of T .

Here and onwards the product's life time is assumed to be Weibull(a = 1.5, A4 = 4, CO = 100 and Cm = 15. Fig.3a illustrates the dependence of Cw(0,T ,6) on the warranty period T , under age-reducing repairs of factor 6, where 6 assumes the values 1.0, 0.85, 0.67, 0.4 and 0.2. We observe that the expected warranty cost Cw(0, T, 6) is an increasing function of T . Using numerical optimization and the dependence of C w ( 0 ,T ,6) on 6 shown in Fig.3b we observe that Cw(O,3,6) has a maximum at 6,, = ,67757. The existence of 6, was to be expected due to the renewing warranty scenario and the fact that the lifetime distribution is an IFR distribution. The length of the renewing warranty coverage is a function of the reliability of the product, namely small values of 6 lead to shorter warranty coverage. On the other hand, due to (3), the cost per repair at time u , C,(u,b), is a decreasing function of 6. F i g . 3 ~ for T E [0,3]. In other words it gives the "worst" represents the values of b,, = 2) and the values of the remaining parameters are

88 value of the age-reducing factor as a function of t h e length of t h e warranty period. It is interesting to observe that t h e range of , , ,a is very small for quite a large range of 5"-values. The illustrations a r e for a new product t o = 0. However, equation ( 5 ) allows one to s t u d y the dependence of the warranty cost on the selling age t o .

References 1. Blischke, W.R. and Murthy, D.N.P. Product Warranty Handbook. Marcel Dekker, 1996. 2. Block, H.W., Borges W., and Savits, T.H. Age-dependent minimal repair. Journal of Applied Probability, 22:370-385, 1985. 3. Brown, M. and Proschan, F. Imperfect repair. Journal of Applied Probability, 20:851859, 1983. 4. Chukova, S. On taxonomy of mathematical models in warranty analysis. In Vandev, D., editor, Proceedings of Statistical Data Analysis'96, pages 124 - 133, Sozopol, Bulgaria, 12 - 17 September 1996. 5. Chukova, S., Arnold, R., and Wang, D. Warranty analisys: An approach to modelling imperfect repairs. International Journal of Production Economics, 2004 (to appear). 6. Chukova, S., Dimitrov, B., and Rykov, V. Warranty analysis. a survey. Journal of Soviet Mathematics, 67(6):3486-3508, 1993. 7. Chukova, S. and Hayakawa, Y. Warranty cost analysis: Non renewing warranty with non-zero repair time. Applied Stochastic Models in Business and Industry, 20( 1):59-71, 2004. 8. Chukova, S. and Hayakawa, Y. Warranty cost analysis: Renewing warranty with nonzero repair time. International Journal of Reliability, Quality and Safety Engineering, 2004 (to appear). 9. Dimitrov, B., Chukova, S., and Zohel, K. Warranty costs: An age-dependent failure/repair model. Naval Research Logzstic Quarterly, 2004 (under review). 10. Kijima, M. Some results for repairable systems with general repair. Journal of Applied Probability, 26:89-102, 1989. 11. Lam, Y . Geometric process and replacement problem. ACTA Mathematicae Applicatae Sinica, 4(4):366-377, 1988. 12. B. Lindqvist. Repairable systems with general repair. In Proceedings of European Safety and Reliability Conference, pages 1-2, Munich, Germany, 13 - 17 September 1999. 13. Murthy, D.N.P. and Djamaludin, I. New product warranty: A literature review. International Journal of Production Economics, 79(2):236-260, 2002. 14. Nakagawa, T. and Yasui, K. Optimum policies for a system with imperfect maintenance. I E E E Transaction o n Reliability, R-36/5:631433, 1987. 15. Nelson, W. Graphical analysis of system repair data. Journal of Quality Technology, 20:24-35, 1988. 16. Pham, H. and Wang, H. Imperfect maintenance. European Journal of Operational Research, 94:425-438, 1996. 17. Wang, H. and Pham, H. A quasi renewal process and its applications in imperfect maintenance. International Journal of Systems Science, 27: 1055-1062, 1996.

ACCEPTANCE SAMPLING PLANS BASED ON FAILURE-CENSORED STEP-STRESS ACCELERATED TESTS FOR WEIBULL DISTRIBUTIONS* SANG WOOK CHUNG’ and YOUNG SUNG SEO Department of Industrial Engineering, Chonnam National University 300 Yongbong-dong, Buk-gu, Gwangju 500-757, Korea WON YOUNG YUN Department of Industrial Engineering, Pusan National University 30 Jangieon-dong, Geumjeong-gu, Busan 609- 735, Korea

This paper considers the design of the acceptance sampling plans based on failure-censored stepstress accelerated tests for items having Weibull lives The accelerated life tests assume that 1) a linear relationship exits between the log Weibull scale parameter and (transformed) stress, ii) the Weibull shape parameter is constant over stress, and iii) the parameters involved are estimated by the method of maximum likelihood The sample size and the lot acceptability constant are determined satisfying the producer’s and consumer’s risks, and the accelerated life test is optimized to have a minimum sample size by minimizing the asymptotic variance of the maximum likelihood estimator of the test statistic The proposed sampling plans are compared with the sampling plans using constant stress accelerated tests

1

Introduction

It is essential from the consumer’s point of view that a product perform the required function without failure for the desired period of time. The lifetime of a product is therefore one of the most important quality characteristics. Life-test sampling plans are commonly used to determine the acceptability of a product with respect to lifetime. The design of the life-test sampling plans has been considered by several authors. Fertig and Mann” discussed sampling plans for the Weibull distribution using best linear invariant estimators. Kocherlakota and Balakri~hnan’~ considered one- and two-sided sampling plans for the exponential distribution. SchneiderZ0 discussed failure-censored sampling plans for the lognormal and Weibull distributions using maximum likelihood estimators (h4LEs). Balasooriya6 considered failure-censored sampling plans for the exponential distribution under the circumstances where items are to be tested in sets of fixed size. Balasooriya and Saw,’ Balasooriya and Balakrishnan,’ and Balasooriya et al.’ considered sampling plans for the exponential, lognormal, and Weibull distributions based progressively failure-censored data, respectively. Many modern high-reliability products are designed to operate without failure for a very long time. Life testing for these products under use conditions takes a lot of time to This study was financially supported by Chonnam National University in the program, 2002.

89

90 obtain reasonable failure information. In this situation sampling plans based on such life tests are impractical. Introducing accelerated life tests (ALTs) in life-test sampling plans can be a good way to overcome such difficulty. Wallace" stressed the need for introducing ALTs to the future plans of MIL-STD-781. ALTs are used in many contexts to obtain information quickly on the lifetime distribution of products. Test items are subjected to higher than usual levels of stress to induce early failures. The test data obtained at accelerated conditions are extrapolated by means of an appropriate model to the use conditions to obtain an estimate of the lifetime distribution under the use conditions. In ALTs, the stress can be applied to test items in various ways. In a constant stress ALT the stress applied to the items is constant during the test duration, and in a step-stress ALT the stress changes either at a fixed time or on the occurrence of a fixed number of failures. Nelson (Ref. 18, Chap. 6) and Meeker and Escobar (Ref. 16, Chap. 20) provide references and planning methods for constant stress ALTs. Some work on planning step-stress ALTs can be found in Miller and Nelson,I7 Bai et u I . , ~ Bai and Kim,3 Chung and Bai," and Alhadeed and Yang.' Sampling plans based on ALTs have been explored in previous work. Yum and Kimz2developed failure-censored constant stress ALT sampling plans for the exponential distribution. HsiehI3 extended the work of Yum and Kimz2 and obtained sampling plans that minimize the total censoring number. Bai et ~ 1 considered . ~ the design of failurecensored constant stress ALT sampling plans for the lognormal and Weibull distributions. Under the constraint that the tests at high and low stress levels have equal expected test times, Bai et a1.' considered failure-censored constant stress ALT sampling plans for the Weibull distribution. Chung et al." considered the design of failure-censored step-stress ALT sampling plans for the lognormal distribution with known scale parameter. This paper considers the design of the acceptance sampling plans based on failurecensored step-stress ALTs for items having Weibull lives. The sample size and the acceptability constant are obtained which satisfy the producer's and consumer's risks. The accelerated life test is optimized to have a minimum sample size by minimizing the asymptotic variance of the test statistic. The proposed sampling plans are compared with the sampling plans using constant stress ALTs. 2

TheModel

2.1. Assumptions At any stress x , the lifetimes of the test items follow a Weibull distribution with shape parameter 7 and scale parameter B(x) = exp(w, + w,x) ; i.e., the log lifetimes follow a smallest extreme value distribution with location parameter p(x) = log[B(x)] = w, + w,x and scale parameter 0 = 1/ 7 . 2. The Weibull shape parameter 7 is constant over stress. 3. The cumulative exposure model" holds for the effect of changing stress. 4. The lifetimes of test items are statistically independent. 1.

91

2.2. Standardized Model For convenience, define the standardized stress as 5 = (x - x, ) /(xH - x, ) , where x, and x, are the prespecified design and high stresses, respectively. For the design stress x = x, , 5 = 5, = 0, for the low stress x = x, , 5 = tL(0 < 5 , ~ < 1) , and for the high stress x = x , , 5 = 5, = 1 . The location parameter p(x) of log lifetime distribution of test items at stress x can be rewritten in terms of 5 as p(5) = ya + y , 5 , where yo = w, + w , x , = p(x,) and y, = w,(x, -x,) = ,u(x,)-,u(xD). Note that p, = p(x,) = P(5, ) = y o .

2.3. Test Procedure Low-to-high (LH) mode test procedure 1 . n items are first run simultaneously at 5, . 2. When the nq, items have failed at m , the expression is derived as

Equations (1 5a) and (15b) are the basis expressions of the membership function of the fuzzy safe event for a given s. The more concrete expressions of the membership function of the fuzzy safe event are given in this paper when the membership functions of fuzzy strength are commonly used linear distribution and normal distribution. For the membership function of linear distribution and normal distribution, please refer to reference [14]. When the membership function of fuzzy strength is a commonly used linear distribution, based on Eqs. (1 5a) and (15b), the more concrete expression of the membership function of the fuzzy safe event can be obtained as

114

When the fuzzy strength is a normal distribution, the expression is obtained as

4. An Example

The diameter of a transmission axis is d = 20mm . Assuming shear fatigue strength z of material is a fuzzy variable whose membership function is a normal distribution, and its membership function is given by 2-45

~ ( 2=)exp[-(-)*]

5

MPa

0 ~ , the allowed torsion angle of the axis is Shear elasticity modulus is G = 8 ~ 1 MPa [q]= 2.5" /m . If the torsion T of the axis is a normal distribution, its mean and the standard deviation are 5 ~ 1 N.mm 0 ~ and 5x10' N.mm individually, let us estimate the reliability of the axis. The expression of calculating the torsion angle ( '/m) of axis is as follows.

The expression of torsion cut stress (MPa) of axis is given by 16T ad3

s=--

The torsion of the axis is a random variable of normal distribution, so the torsion angle and the torsion cut stress of the axis are also random variables subjected to a normal distribution. In consideration of rigidity condition of the axis, generalized stress is the calculated torsion angle and generalized strength is the allowed torsion angle. When the calculated torsion angle is only a bit bigger than the allowed torsion angle, it is difficult to judge whether the rigidity condition can be satisfied or not. Based on the fact, taking a, = 2.5 '/m , a , = 1 . 2 a, ~ = 3 '/m , we can obtain the membership function of the fuzzy safe event describing whether rigidity is reliable just as Eq. (5) and Fig. 1. We use the

115

simulation approach to estimate the reliability of rigidity based on Eqs.(S) and (7). A computer program was written to estimate it. When the number of simulation is 1000 0, we obtain rigidity reliability R = 0.958 6 . In consideration of intensity condition of the axis, generalized stress is the calculated torsion cut stress and generalized strength is the shear fatigue strength of material. According to the membership function of the shear fatigue strength, we can obtain the membership function of the fuzzy safe event describing intensity safe according to Eq. (1 7). Based on Eqs.( 17) and (7), a computer program was written to simulate intensity reliability, and we obtain R = 0.998 6 when the number of simulation is 1000 0. The fuzzy reliability of the axis can be regarded as a series system consisting of rigidity fuzzy reliability and intensity fuzzy reliability, Because rigidity fuzzy reliability and intensity fuzzy reliability in this example are relative, and it is nearly impossible to obtain the membership function of the fuzzy safe event of the series system from the membership functions of the fuzzy safe event of rigidity and intensity, the above digital simulation must be used to estimate the synthesis fuzzy reliability of the axis. A computer program was written to estimate it. When the number of simulation is 1000 0, we obtain reliability R = 0.958 5 . The simulation shows that reliability of the axis mainly depends on reliability of rigidity.

5. Conclusions In engineering design, random variables and fuzzy variables that describe uncertainty information from different point of view exist in common. If the uncertainty information is based on a mass of data, random variables should be used to describe it. If the uncertain information is based on the experience and judgment, fuzzy variables should be used to describe it. In this paper, after building the membership function of the fuzzy safe event of each failure mode based on the fuzzy probability theory, by applying Zadeh intersection operator of fuzzy set, we put forwards the digital simulation method to estimate the reliability of mechanical system which contains two different kinds of membership functions, i.e., the membership function to describe the process that happens gradually or the fuzziness that is difficult to judge the state of failure, and the membership function of fuzzy safe event which is derived from the known fuzzy information, such as fuzzy variables to describe fuzzy uncertainty of variable value in engineering design. This approach is an extension of the traditional digital simulation for system reliability. That is to say, when we simulate the fuzzy reliability of mechanical system, we replace the characteristic function of each general event by the membership function of each fuzzy safe event. Of course, in the practical use of the above simulation approach, any safe event can be a general event or a fuzzy event. This paper mainly discusses the method to obtain the membership function of fuzzy safe event when stress is a random variable and strength is a fuzzy variable. It is easy to

116

know that membership functions of fuzzy failure events can also be obtained by similar analysis, and then the failure probability of mechanical system can be simulated in this case. When stress is a fuzzy variable and strength is a random variable, the same approach given in the paper can be taken to obtain the membership functions of fuzzy safe events or fuzzy failure events, and to estimate the reliability or the failure probability of mechanical system. References

Dong, Y.G. and Tao, G.S., “Random stimulation of fuzzy reliability for mechanical system,” Journal of H e f i University of Technology, Vol. 22, No. 5, pp. 40-43 ( 1 999). 2. Dong, Y.G., “Study on Method of Fuzzy Reliability Design as Discrete Fuzzy and Random Variables,” Mechanical Design and Research, No. I , pp. 17-18 (1999). 3. Dong, Y.G., “Study on Fuzzy Reliability Design Approach while Fuzzy Strength is in the Form of constant Stress,” Mechanical Science and Technology, Vol. 18, No. 3, pp.380-382 (1999). 4. Dong, Y.G., “Study on Fuzzy Reliability Design Approach while Fuzzy Strength is in the Form of Random Stress,” Machine Design, Vol. 16, No. 3 , pp.11-13 (1999). 5 . Dong, Y.G., Chen, X.Z, Zhu, et al., “A Study of Mechanical Reliability Design With Fuzzy Information and Application,” Journal ofApplied Sciences, Vol. 18, No. 2, pp, 148- 152 (2000). 6. Dong, Y.G., Chen, X.Z, et al., “Reliability Simulation with Fuzzy Information,” Mechanical Science and Technology, Vol. 19, No. 3, pp. 381-382 (2000). 7. Dong, Y.G., Zhu, W.Y, et al., “Studying on a calculating method of machine fuzzy reliability,” Journul ofsystems Engineering, Vol. 15, No. I , pp. 7-12 (2000). 8. Dong, Y.G., “Fuzzy reliability Design with Fuzzy Variable and Random Variable,” Chinese Journal of Mechanical Engineering, Vol. 36, No. 6, pp.25-29 (2000). 9. Dong, Y.G., Chen, X.Z, et al., “Mechanical Reliability Design with Fuzzy and Random Stress,” Mechanical Science and Technology, Vol. 19, No. 6, pp. 891 -892 (2000). 10 Dong, Y.G., 2001 “Mechanical Design with Fuzzy Reliability,” Beijing, Mechanical Industry Press (2001). 11 Dong, Y.G., Chen, X.Z., et al. “ Fuzzy Reliability Theory Application in Reliability Analysis of Mechanism Movement, ” Journal of Applied Sciences, Vol. 20, No. 3, pp.316-320 (2003). 12. Dong, Y.G., Chen, X.Z, et al. Simulation of Fuzzy Reliability Indexes, KSME International Journal, 2003, Vol. 17, No. 4, pp492-500 (2003). 13. Huang, K.Z., Mao, S.P., “Random Method and Fuzzy Mathematics Application,” Shanghai, Tongji University Press (1987). 14. Wang, C.H., Song, L.T., “Methodology of Fuzzy Mathematics,” Beijing, China Architecture (e Building Press (1988). 15. Yang, L.B. and Gao, Y.Y., “Fuzzy Mathematics Theory and Application,” Guangzhou, South China University & Technology Press (1 992). 1.

OPTIMAL RELEASE PROBLEM BASED ON THE NUMBER OF DEBUGGINGS WITH SOFTWARE SAFETY MODEL

TOMOAKI FUJIYOSHI Course of Social Systems Engineering, Graduate School of Engineering, Tottori University Minami 4.101, Koyama-cho, Tottori 680-8552, Japan E-mail: 99t'[email protected] KOICHI TOKUNO AND SHIGERU YAMADA

Department of Social Systems Engineering, Faculty of Engineering, Tottori University, Minami 4-101, Koyama-cho, Tottori 680-8552, Japan E-mail: { toku,yamada} @sse.tottori-u. ac.jp

In this paper, we discuss the optimal software release problem based on the number of debuggings, using the Markovian software safety model. First, we formulate the total expected software cost occurring in the testing phase and the warranty period after release and discuss the optimal software release problem based on the cost criterion. Furthermore, we treat the problem considering both cost and safety requirement simultaneously. We investigate the optimal software release policies for the problems. Finally, we present several numerical examples of the policies.

1. Introduction One of the applications of the software reliability growth is the optimal software release p r ~ b l e m . ~Most , ~ , ~of the past studies have considered only the developer-oriented measures such as the software reliability and the mean time between software failures. However, software availability and ~ a f e t ybegin ~ , ~ to be noticed; these are the quality characteristics from user's viewpoint. In this paper, we discuss the optimal software release problem considering safety requirement, using the Markovian software safety model.8 Section 2 states the software safety model used here. Section 3 formulates two optimal software release problems. One is the problem based on the cost criterion. Analyzing the cost factors occurring in the testing and the operation phases, we give the total expected software cost as the function of the number of debuggings performed in the testing phase. The other is the problem evaluating both software cost and software safety criteria simultaneously. Section 4 derives the optimal software release policies for finding the optimum number of debuggings and the mean of the optimum release time. Section 5 presents several numerical examples of the optimal software release 117

118 policies and examine the relationship between the optimum number of debuggings t o release and the evaluation criteria.

2. Software Safety Model

Figure 1

A sample state transition diagram of X ( t )

The following assumptions are made for software safety modeling:

A l . When the software system is operating, it falls into an unsafe state a t random, and the time interval t o be in an unsafe state is also random.

A2. The debugging activity is performed when a software failure occurs. This is performed perfectly with the perfect debugging rate a (0 5 a 5 1) and imperfectly with b(= 1 - a ) . A3. One fault is removed when the debugging activity is perfect and software reliability improves. The next time interval of software failure-occurrence when n faults have already been corrected follows the exponential distribution with mean l / A n . A, is a non-increasing function of n. A4. If the debugging activity is perfect, the system also improves in safety with the probability p (0 5 p 5 1) and does not improve with the probability q(= 1 - p ) . When n faults are corrected, the time to fall into an unsafe state follows the exponential distribution with mean 1/19,. We call 0, the software unsafety rate. On is a non-increasing function of n. On the other hand, imperfect debugging does not affect software safety improvement or

119 degradation. The time interval when the system is in an unsafe state follows the exponential distribution with mean l / q . The state space of the process { X ( t ) ,t 2 0} representing the state of the software system a t the time point t is defined as follows:

Wn : the system is operating safely, U, : the system falls into an unsafe state. Figure 1 illustrates a sample state transition diagram of X ( t ) . The metrics of software safety can be obtained as

BiP =

k=i n

Equation (1) represents the probability that the system is operating safely a t the time point, t , given that the 1-th debugging was completed a t time point t = 0. The reliability function and the expectation of random variable X1 (1 = 1 , 2 , . . . ) representing the time interval between the (1 - 1)-st and the 1-th software failureoccurrences are given by 1-1

= Pr{X1 > t>= C

~ l ( t )

i=O

respectively.

(2)

120 The expected number of debugging activities performed in the time-interval = 0, is given by

( O , t ] , given that the I-th debugging activity was completed at time point t

A&

M ( t ; I )= U

'20

( a! ) u " b ' - ' ~ Gz,n(t),

(4)

n=z+l

2=0

where Gi,n(t) is the distribution function of random variable S2,n (i 5 n) representing the transition time of { X ( t ) , t 2 O} from state W, t o state W, and given bY

3. Optimal Software Release Problem

3.1. Cost-Optimal Software Release Problem In order t o formulate the optimal software release problem based on the cost criterion, we introduce the following cost parameters: cl: debugging cost per fault in the testing phase (cl > 0), c2: testing cost per unit time (c2 > 0), c3: debugging cost per fault in the warranty period T,(> 0) of the operation phase (c3 > c1 > 0 ) .

Suppose that we release a software system after 1 debuggings are performed in the testing. Then the total expected software cost arising in the testing phase and the warranty period in the operation phase is given by

+ ~2

1

WC(l)= c ~ I

E[Xj] + c~M(T,;1 ) .

j=1

Therefore, the positive integer 1 = 1* minimizing WC(1)in Eq.(6) is the optimum number of debuggings. Then the mean of the optimum software release time T* can be calculated by

3.2. Cost-Safety-Optimal Software Release Problem We discuss the optimal software release problem evaluating both software cost and safety criteria simultaneously. Consider the decision policy on the optimum number of debuggings to be performed by the release minimizing WC(I)in Eq.(i') subject

121

t o the condition that S(t;1) in Eq.(1) satisfies the safety objective, SO. Then we can formulate the following optimal software release problem:

minimize W C (1 ) subject to mjnS(t; I ) 2 SO (0 < SO< 1)

1

'

(8)

We call this problem a cost-safety-optimal software release problem.

4. Derivation of Optimal Software Release Policy 4.1. Cost-Optimal Software Release Policy The first and the second deference equations of Eq.(6) are given by

1) respectively. D(1) > 0 holds for arbitrary positive integer 1 since E[Xl] and Md(Tw; are monotonically increasing functions of the number of debuggings, 1. Thus, Z(1) is the monotonically increasing function of 1. Therefore, the behavior of WC(1) depends on the sign of Z(1). That is, if Z ( 0 ) < 0, then there exists the minimum integer 1 = 12 holding Z(1) 2 0, and 1 = lz satisfies both inequalities WC(1 1) 2 WC(1)and WC(1)< WC(1 - 1) simultaneously. Accordingly, I* = 12 is the optimum number of debuggings. On the other hand, if Z ( 0 ) 2 0, then WC(1)is a monotonically increasing function of 1 since Z(1) 2 0 for any positive integer 1, and the optimum number of debuggings is 1* = 0. We have the following policy for the cost-optimal software release problem:

+

/Optimal software release policy I] Let lz (1 5 lz < cm)be the minimum integer 1 holding Z(1) 2 0. (1.1) If Z ( 0 ) < 0, then the optimum number of debuggings t o release is I* = l z . (1.2) If Z ( 0 ) 2 0, then the optimum number of debuggings t o release is I* = 0. Then the mean of the optimum release time T* is given by

122 4.2. Cost-Safety-Optimal Software Release Policy

As t o the behavior of S ( t ;1) with respect t o t , S ( t ;1) takes the minimum value at the neighborhood of the time origin t = 0, say t o , and then increases monotonically in [to,m). Furthermore, S(m; 1) = 1 for any positive integer 1 if 0, is a decreasing function of n. On the other hand, as to the behavior of S ( t ;I ) with respect t o I , S ( t ;I ) is the increasing function of 1. Therefore, if min S ( t ;0) < SO,then there exists the minimum integer 1 = 1s satisfying min S ( t ;1) 2 So and the safety requirement is satisfied for 1 2 Is. Accordingly, the problem can be interpreted as one for finding the integer 1 minimizing WC(1)in the range [ls,m). Using the discussion in Sec. 4.1 also, we have the following policy for the cost-safety-optimal software release problem:

[Optimal software release policy I 4 Let 12 (1 5 L z < m) and 1s (1 5 1s < m) be the minimum positive integers 1 holding Z(1) 2 0 and min S(t;I ) 2 SO,respectively, and suppose that 0 < SO< 1. t

(11.1) If Z ( 0 ) < 0 and ininS(t; 0) t to release is I* = 12. (11.2) If Z(0) < 0 and inin S ( t ;0) t

2 So, the optimum number of

the debuggings

< SO,the optimum number of the debuggings

t o release is 1" = max{lz, Is}. (11.3) Z (0) 2 0 and min S(t;0) 2 SO,the optimum number of the debuggings t o t release is I* = 0. (11.4) Z(0) 2 0 and min S ( t ;0) < SO,the optimum number of the debuggings t o release is 1* = 1s. Then the mean of the optimal release time T* is given by

5. Numerical Examples We show numerical illustrations for the optimal software release policies discussed above, where we apply A, 3 Dun (D> 0 , 0 < v < 1) and 0, = E ( p f q ) n ( E > 0 , 0 < f 5 1) t o the hazard rate and the software unsafety rate, respectively. Tables 1 and 2 summarize the optimum number of the debuggings, I * , the mean of the optimum software release time, E[T*],and the total expected software cost, W C ( l * )for , various values of the perfect debugging rate, a , for [Optimal software release policy I] and [Optimal software release policy 111, respectively. Here we consider the following cost-safety-optimal software release problem:

+

minimize WC(1) subject to minS(t; 1) t

2 0.99

(12)

123 These tell us that improving the debugging ability reduces the software cost rapidly and speeds up the optimum release time efficiently when the perfect debugging rate is low. Figure 2 displays the behaviors of WC(1)and min S ( t ;1) in the case of a = 0.9. t

From Fig. 2, the number of debuggings minimizing WC(1)is 12 hand, the minimum number of debuggings satisfying minS(t; I )

14, on the other 2 0.99 is 1s = 19.

=

t

Therefore, the optimum number of debuggings to release is 1* = max{lz,Is} = max{ 14,19} = 19 from (11.2). That is, we need to perform the additional 5 debuggings (or fault-detections) from the number of debuggings minimizing WC(I). Then we can estimate that the release time is extended by 1.9 times of the time minimizing WC(1)and that the software cost increases by 30%.

Table 1. Optimum number of debuggings l', E[T*], and WC(Z*) for [Optimal software release policy I]. (c1 = l.0,cz = 0.1,cs = 20,D = 0.1,~ = 0.8,Tw = 1500)

Table 2. Optimum number of debuggings 1 * , E[T*], and WC(1*) for [Optimal software release policy 111. ( ~ = 1 1 . 0 ,= ~O ~ . l , ~ 3= 20,D = 0 . 1 ,= ~ 0.8,= ~ 0.8,f = 0.8,E = 0.02, 11 = O.l,Tw = 1500,so = 0.99)

~~

a

1*

ElT*l

WC(1*)

0.9

14

717.1

218.53

0.8

16

874.4

254.83

0.7

18

984.3

304.09

0.6

21

1188.1

367.59

0.5

26

1630.2

461.62

0.4

33

2222.5

606.94

0.3

44

3079.7

855.89

0.2

67

5056.7

1369.51

0.1

137

11382.3

2955.09

a

1*

E[T*]

WC(1*)

0.9

19

2056.4

0.8

22

2710.3

283.10 356.14

0.7

25

3163.3

418.41

0.6

30

4347.5

551.51

0.5

36

5473.7

693.51

0.4

45

7189.1

910.26

0.3

60

10086.6

1277.39

0.2

91

16753.4

2091.66

0.1

182

35393.4

4430.61

6. Concluding Remarks

In this paper, we have discussed the optimal software release problems based on the number of debuggings using a Markovian software safety model. We have formulated the software cost model considering the maintenance expenses in the testing phase and the warranty period after release. Furthermore, we have discussed the problem incorporating safety requirement and the cost criterion simultaneously. We have investigated the optimal release policies t o find the optimum number of debuggings and the mean of the optimum release time and presented several numerical examples of the policies. To establish a method for deciding cost parameters remains in the future study.

124

5

s

=0.99.. 0.98 0.97 0.96~ 0.95 C 0.94 0.930.92.

10

15

i20

25

the number of debugging{ 5 10 15 q.0. . . - 2 5

6..'-

Lm

*i% .. Figure 2 . Behaviors of W C ( I )and minS(t;l)

(CI =

1.0.~ =~ O.l,c3 = 20,D = 0 . 1 , = ~ 0.8,= ~

0.8,a = 0.9,f = 0 . 8 , ~= 0.1, E = 0.02,Tw = 1500,So = 0.99).

Acknowledgements T h i s work was supported i n part by the Saneyoshi Scholarship Foundation, J a p a n , a n d Grants-in-Aid for Scientific Research (C)(2) and Young Scientists (B) of the Ministry of Education, Culture, Sports, Science and Technology of Japan under G r a n t Nos. 15510129 a n d 16710114, respectively.

References 1. M. R. Lyu (ed.), Handbook of Software Reliability Engineering, IEEE Computer S e ciety Press, Los Alamitos, CA (1996). 2. S. Yamada, Software reliability models, Stochastic Models in Reliability and Maintenance, Springer-Verlag, Berlin, 253 (2002). 3. S. Yamada and S. Osaki, Optimal release policies with simultaneous cost and reliability requirements, European J. Operational Research 31,46 (1987). 4. H. Pham and X. Zang, A software cost model with warranty and risk cost, IEEE Trans. Comp. 48, 71 (1999). 5. M. Xie and B. Yang, A study of the effect of imperfect debugging on software development cost, IEEE Trans. Software Eng. 29, 471 (2003). 6. N. G. Leveson, Safeware-System Safety and Computers-, Addison-Wesley Publishing, Massachusetts (1995). 7. K. Tokuno and S. Yamada, Stochastic software safety/reliability measurement and its application, Ann. Software Eng. 8 , 123 (1999). 8. K. Tokuno and S. Yamada, Markovian software safety measurement based on the number of debuggings, Proc. 2nd Euro- Japanese Workshop o n Stochastic Risk Modeling for Finance, Insurance, Production and Reliability, 494 (2002).

OPERATING ENVIRONMENT BASED MAINTENANCE AND SPARE PARTS PLANNING: A CASE STUDY BEHZAD GHODRATI, UDAY KUMAR Division of Operation and Maintenance Engrneering LuleB University of Technology SE 971 85 LuleB - SWEDEN B e h x d (;hoJi~~.lt~ $iiu w , Cdav A i i ~ ~ r kand Dt!SX') is significant at 10% p-value.

To satisfy the proportionality assumption of the hazard rates, the plots of the logarithm of the estimated cumulative hazard rates against time should be simply shifted by an additive constant a, the estimate of the regression parameter a of the covariate which is taken as strata [8]. Therefore, the plots should be approximately parallel and separated appropriately corresponding to the different values of the regression parameter a, if the proportionality assumption is correct as is seen in Fig. 4 [lo]. Survival Plot

Survival Plot

OVLOAD

OUST .......... . ... . ~

Time

-.

-

~

Tlme

Figure 4. Graphical test for proportionality assumption of the hazard rates

While using the assumptions of the exponential reliability model for this item the mean time to failure (MTTF) is 10000 (manufacturer recommendation) hour and:

131

This failure rate is constant with this approach. In this case study the operators are not permitted to pickup overload, but dust is excessive in the place of operation (mine). Under this condition the actual hazard (failure) rate is estimated as: h(t,z)= le-4 x exp(-1.15x (-1) - 0.748x 1 )=1.495e-4 The expected number of failures (required replacement) in one year (two working shifts per day) when Ilh(f,z) = 6690 hours is considered to be the MTTF of bearings with a 90% confidence of availability is equal to:

0.90 = exp(-l.495e N

=3

- 4 x 5400 x 2) x

(1.495e - 4 x 5400 x 2)x x=o

X!

(unit/loader/year)

In the ideal circumstance, where no covariate existing, the required number of replacement (spare bearing) is equal to:

0.90 = exp(-le N

=2

- 4 x 5400 x 2) x

(le-4~5400~2)~ x=o X!

(unit/loader/year)

This difference between number of replacement with and without considering the effect of operating environment might not seem important for one loader in one year. However, it is important in spare parts inventory management while considering a loader fleet (of 14 loader) in the mine. Further, some times the company faces with downtime of loaders due to shortage in availability of required spare parts, and this is because of the manufacturerhpplier’s recommended less number of required spare parts to be kept in stock. In most cases the manufacturer is not aware of the environmental factors and as such has not considered these issues in the estimation of the number of required spare parts (like in this case). So, to avoid downtime regarding the unavailability of spare parts, it is suggested that the mine company should take the operating environment factors into consideration while estimating the spare parts need. 4

Conclusion

The reliability investigation of the system may be helpful in arriving at the optimum number of spare parts (for scheduled and preventive maintenance) needed for fulfillment of the tasWgoals. The operating environment of systemlmachine has a key role in system output and its technical characteristics such as reliability are part of that criticality. Forecasting required supportlspare parts based on technical characteristics and the system-operating environment is an optimal way to prevent unplanned disruptions or stoppages. Then the operating environment should be highlighted while spare parts forecasting, calculation, and inventory management is in the process.

132 References 1. Al-Bahli, A.M. (1993), “Spares Provisioning Based on Maximization of Availability per Cost Ratio”, Computers in Engineering, Vol. 24 No. 1, pp. 81-90 2. Bendell, A., Wightman, D.W. and Walker, E.V. (1991), “Applying Proportional Hazards Modeling in Reliability”, Reliability Engineering and System Safety, Vol. 34, pp. 35-53 3. Billinton, R. and Allan, R.N. (19831, “Reliability Evaluation of Engineering Systems: Concepts and Techniques ”, Boston, Pitman Books Limited 4. Blanks, H.S. (1998), “Reliability in Procurement and Use”, England, John Wiley and Sons Ltd. 5. Cox, D.R. (1972a), “Regression Models and Life-Tables”, Journal of the Royal Statistical Society, Vol. B34, pp. 187-220 6. Ghodrati, B. (2003), “Product Support and Spare Parts Planning Considering System Reliability and Operation Environment”, Licentiate Thesis, LuleA University of Technology, Sweden 7. Ireson, W.G. and Coombs, C.F. (1988), “Handbook of Reliability Engineering and Management”, New York, McGraw-Hill Book Company 8. Kalbfleisch, J.D. and Prentice, R.L. (1980), “The Statistical Analysis of Failure Time Data”, New York, John Willey and Sons Inc. 9. Kumar, D. (1993), “Reliability Analysis Considering Operating Conditions in a Mine”, Licentiate thesis, Luleh University of Technology, Lulek Sweden 10. Kumar, D. and Klefsjo, B. (1994a), “Proportional Hazards Model - an Application to Power Supply Cables of Electric Mine Loaders”, International Journal of Reliability, Quality and Safety Engineering, Vol. 1 No. 3, pp. 337-352 11. Kumar, D. and Klefsjo, B. (1994b), “Proportional Hazards Model: a Review”, Reliability Engineering and System Safety, Vol. 44 No. 2, pp. 177-188 12. Kumar, D., Klefsjo, B. and Kumar, U. (1992), “Reliability Analysis of Power Transmission Cables of Electric Mine Loaders Using the Proportional Hazard Model”, Reliability Engineering and System Safety, Vol. 37, pp. 217-222 13. Kumar, U. (1989), “Reliability Investigation for a Fleet of Load-Haul-Dump Machines in a Swedish Mine”, Reliability Engineering and System Safety, Vol. 26 pp. 341-361 14. Kumar; U.D., Crocker, J., Knezevic, J., El-Harm, M. (2000), “Reliability, Maintenance and Logistic Support A Life Cycle Approach”, Kluwer Academic Publishers; USA 15. Markeset, T. and Kumar, U. (2003), “Design and Development of Product Support & Maintenance Concepts for Industrial Systems”, Journal of Quality in Maintenance Engineering, Vol. 9 No. 4, pp. 376-392 16. Rigdon, S.E. and Basu, A. (2000), “Statistical Methods for the Reliability of Repairable Systems”, New York, John Wiley & Sons Inc. 17. Sheikh, A.K., Younas, M. and Raouf, A. (2000), “Reliability Based Spare Parts Forecasting and Procurement Strategies”, in Ben-Daya, M., Duffuaa, S. 0. and Raouf: A . (eds.) Maintenance, Modeling and Optimization, pp. 81-108, Kluwer Academic Publishers, Boston 18. SYSTAT 10.2 (2002), Statistics Software, Richmond, CA, USA ~

DISCRETE-TIME SPARE ORDERING POLICY WITH LEAD TIME AND DISCOUNTING

B.C. GIRI AND T. DOH1 Department of Information Engineering, Hiroshima University 1-4-1 Kagamiyama, Higashi-Hiroshima 739-8527, Japan E-mail: dohi &el. hiroshima-u. ac.jp N. KAIO Department of Economic Informatics, Hiroshima Shudo University 1-1-1 Ozukahigashi, Asaminamiku, Hiroshima 731-3195, Japan E-mail: kaio Qshudo-u. a c j p The paper considers an order-replacement model for a single-unit system in a discrete time circumstance. The expected total discounted cost over an infinite time horizon is taken as a criterion of optimality and the optimal ordering policy is obtained by minimizing it. The existence and uniqueness of the optimal ordering policy are verified under certain conditions. The model is further extended to include a negative ordering time.

1. Introduction The impact of catastrophic failure of any complex system may be large in terms of both safety and finance. A planned maintenance can reduce the risk of potential failure, promote a longer life for the system and decrease aggregate costs for repair and maintenance. In many practical situations, it may be difficult to perform repair of a failed unit or the cost of repair of a failed unit may be exceptionally high. In such cases, disposing the old unit after a critical age or at failure and replacing it by a new one may be a viable option. For example, consider the electronic systems where the maintenance is usually performed through disposal and replacement of a subassembly or component because the electronic components are virtually impossible to repair in a cost-effective manner. During the past three decades, various maintenance policies have been proposed and studied in the literature. Most of these policies are based on the assumption that a spare unit is immediately available whenever a replacement is needed. However, in practice, this assumption may not be true in all circumstances. A significant time lag between placement of an order for a spare and the instance of its supply/delivery can be observed due to unwanted reasons. So, the determination of the optimal ordering policy under such a time lag or lead time is quite appropriate. Osakil was the first who considered a single-item order-replacement model with lead time.

133

134 After his seminal work, several researchers investigated order-replacement models with a positive lead time from various view points. We refer the readers to the articles by Dohi and his c o - a ~ t h o r sfor ~ >comprehensive ~ review and bibliography of the relevant literature. However, most of the order-replacement models developed in the literature are based on continuous time framework. But, there are many practical situations where system lifetime can not be measured in calendar time. For example, consider the failure of a digital weapon system where the number of rounds before failure is more important than the age of the failure. In such a case, system lifetime should be regarded as a discrete random variable. Unfortunately, enough research has not been carried out on discrete-time order replacement models. Kaio and Osaki4 first considered an order-replacement model in discrete time setting and obtained the optimal ordering policy minimizing the average cost rate in the steady state. Later, the same authors5 analyzed the model by taking account of the minimal repair. In this article, we develop a discrete-time order-replacement model with discounting. Two deterministic ordering lead times are considered; one is €or regular (preventive) order and another is for expedited (emergency) order. We take the regular ordering time and the inventory time limit for the spare as two decision variables and characterize the optimal ordering policy under certain conditions. We also extend the model to include the negative (regular) ordering time. 2. Model Development 2.1. Nomenclature

N : discrete random variable denoting failure time; p ( n ) , 1/X (> 0) : probability mass function, mean of N ; P ( n ) : cumulative distribution function of N ; L1 (> 0) : constant lead time for an expedited (emergency) order; Lp (> 0) : constant lead time for a regular (preventive) order; no ( 2 0) : regular ordering time for a spare (decision variable); n1 ( 2 0) : inventory time limit for a spare (decision variable); c, (> 0) : shortage cost per unit time; Ch (> 0 ) : inventory holding cost per unit time; c1 (> 0) : fixed expedited ordering cost; cp (> 0) : fixed regular ordering cost; +(.) : survivor function of +(.) ie.,$(.) = 1 - ?I(.); b ( 0 < b < 1) : discount factor 2.2. Model Description Consider a single-unit system which is subject to random failure; each failed unit is scrapped without repair and each spare is supplied by order with a deterministic lead time. For a discrete time index n = 0 , 1 , 2 , . . ., suppose that the original unit begins operating at time n = 0. If it does not fail before a predetermined time no E [0, ca) then a regular (preventive) order for a spare is made at time no and after a lead time La, the spare is delivered. If the original unit fails in the time interval [no,no+Lp] then the delivered spare takes over its operation at time no+Lz. If the unit does not fail until time n = no Lp then the spare is put into inventory

+

135 and the original unit is replaced by the spare when it fails or passes an inventory time limit n 1 E [0, m) after the spare's arrival, whichever occurs first. On the other hand, if the original unit fails before the time no, an expedited (emergency) order is made immediately at the failure time and the spare takes over its operation when it is delivered after a lead time L1. In this case, the regular order is not made.

2.3.

Assumptions

(i) The system failure is detected immediately. (ii) The spare in inventory does not fail or deteriorate. (iii) The time interval between two successive replacements or dispositions of the unit is one cycle. (iv) The planning horizon is infinite. 2.4.

Model Formulation

By discrete probability argument, the expected discounted cost for holding inventory in one cycle is given by no+Lz+nl-l

H ( n 0 ,n1) = C h b n o f L Z

c

n-no-Lz-1

{ =

biP(.)

is0

n=no+Lz

2

+

n=no+Lz+nl

b'p(n)}, j=O

Similarly, the expected discounted costs for shortage and ordering per cycle are

and no-1

00

n=O

n=no

respectively. Hence, the expected total discounted cost per cycle is vb(no,n1) =

+

+

O(n0) S(n0) H(no,n1).

Just after one cycle, the expected unit cost is discounted as

n=no+Lz+n~

Thus, when a unit starts working at time n = 0, the expected total discounted cost over the time horizon [0, m) is 00

TCdno,n 1 > =

&(no,n1){&(no,

= Vb(no,n1)/&(no, n1).

k=O

Our objective is to find the optimal pair (n:,n;) minimizing TCb(n0,n l ) .

(3)

136 3. Analysis

We first obtain the following result which will be useful t o reduce the above twodimensional optimization problem into a simple one-dimensional one.

Theorem 1: For an arbitrary regular ordering time no, if (1 - b)TCb(no,n l ) 2 then the optimal inventory time limit is infinite i.e., n; + 00, otherwise n; = 0.

ch

Therefore, following Theorem 1, we need t o obtain the optimal regular ordering time n;Junder two extreme situations: (i) n; + co and (ii) n; = 0. 3.1.

The case of n;

+ 00

When nl + 00, the expected total discounted cost over an infinite time span is TCb(no,m) = Vb(no,m) /%(no,co) where, from equations (1) and (2), m

m

n-no-L2-1

Define the numerator of the difference of TCb(n0,m)with respect to no, divided by the factor (1 - b)bnOP(no), as WbW(n0).Then

( 112)} + + bL;

(c,

ch)bL'R(no)

-

(1- b)cz

where r ( n ) = p ( n ) / p(n) and R(n) = { P ( n+ Lz) - P ( n ) }/ P(n). In fact, ~ ( n ) is not the failure (hazard) rate of the discrete failure time distribution. In discrete time setting, the failure rate can be defined as p ( n ) / p ( n- l),see Barlow et aL6.

Lemma 1: The function R(n)is increasing (decreasing) provided that the function ~ ( nis)increasing (decreasing).

To characterize the optimal regular ordering policy, we make the following plausible assumptions:

(A-1) (A-2)

c1

+ c, x;'i1bz > cz +

C,

f Ch

C,

L2-l 62 , Cjc0

> (1 - b)TCb(nO,n l ) for all 720, 7%1E

[o, 00).

Theorem 2: (1) Suppose that the function r ( n ) is a strictly increasing under assumptions (A-1) and (A-2).

137 (i)

If Wbm(0) < 0 and wbm(m) > 0, there exists at least one (at most two) optimal ordering time n: (0 < n$ < m) satisfying Wbm(nz - 1) < 0 and wbm(nc) 2 0 The upper and lower bounds of the corresponding minimum expected total discounted cost are as follows:

urn(.; where

- 1)

[ {

Urn(.)

= r ( n ) c1

-(1

-

-

< TCb(n(;,m) 5 Um(n;),

r2)}+ +

( I

c~ - cs bL;

(c,

b)cz - C h b L 2 ] / [(l - b)b%(n)

(7) Ch)bL2R(n)

- .(n)

(bL1

-b 9 ] .

(ii) If Wbm(0) 2 0, the optimal ordering time is ni = 0 which means that ordering for the spare a t the instant of operation of the original unit is optimal. (iii) If Wbm(0) 5 0, then nc + m which means that ordering for the spare at the instant of failure of the original unit is optimal.

(2) Suppose that r ( n ) is a decreasing function of n under assumptions (A-1) and (A-2). Then, the optimal regular ordering time is either n: = 0 or ni + 00.

Proof: Using Lemma 1 and assumptions (A-1) and (A-2), it can be shown that Awb,(no) > 0 for all no E [0, co). This implies that the function TCb(n0,m) is strictly convex in no. Therefore, if Wbm(0) < 0 and Wbm(O3) > 0, then Wbm(no) changes sign from negative to positive only once. Hence, there exists at least one (at most two) optimal ordering time n$ (0 < n: < 03) satisfying wbm(?%;) - 1) < 0 and wbm(nG)2 0. If Wbm(o) 2 0 under assumptions (A-1) and (A-2) then the function TCb(n0,m) is an increasing function of no, and the optimal ordering time is clearly n: = 0. Conversely, if wbm(m)5 0, then the TCb(n0,m) is a decreasing function of no. Therefore, nc 3 m. The proof of the second part of the theorem (when r ( n ) is decreasing) is trivial. Thus the proof of the theorem is completed.

3.2. The case of n: = 0 When the original unit is replaced/exchanged by the spare one as soon as the spare is received by a regular order, irrespective of the state of the original unit, the expected total discounted cost over an infinite span is TCb(no,o)= &(no,O)/ &-(no,o), where no-1

m

n=O

n=no

n=no

j=O

nn-1 n=O

n=no

no-1 L I - 1

n=O

I

i=O

138

Define t,he function

Then, the following theorem corresponding to Theorem 2 can be obtained.

Theorem 3: (1) Suppose that r ( n ) is a strictly increasing function of n under assumption (A-1). (i)

If WbO(0) < 0 and Wbo(03) > 0 then there exists at least one (at most two) optimal ordering time nT, (0 < n;) < cm) satisfying WbO(n;)- 1) < 0 and WbO(n;)) 2 0. The lower and upper bounds of the corresponding minimum expected total discounted cost are given below:

Uo(ni - 1) < TCb(ni,0) 5 ~ O ( $ J ) , where

[ {

Uo(n) = r ( n ) c1 - cg - c s

r')}+

( 1 bL;

(11) c,b%(n)

(ii) If WbO(0) 2 0, then the optimal ordering time is n;l = 0; otherwise, n;l + 03.

(2) Suppose that r ( n ) is a decreasing function of n. Then, under assumption ( A - l ) , the optimal regular ordering time is either n;l = 0 or n;l + 00.

Proof: The proof is similar to that of Theorem 2. So it is omitted for brevity. Remark 1: Based on the results given in Theorem 2 and Theorem 3, the optimal ) be determined by comparing TCb(n;),O)with TCb(n;), cm). pair ( n ; ) , n ;can Remark 2: It can be shown that the long-run average cost in the steady state C(no,n l ) is the limiting value of the annualized total discounted cost as the discount factor b + 1, Le., b-1

(1 - b ) . TCb(no,n l )

(13)

4. Model with Negative Ordering Time

A negative ordering time can be included in our model by choosing the initial time point before 0. Of course, the idea of negative ordering time is applicable to the regular order only in the case of n; = 0. There is no meaning of considering negative 00. See Kaio and Osaki7, for the negative ordering ordering time in the case of n; policy in continuous time setting.

-

139 Suppose that the first regular order for the spare is made at time no where -Lz 5 no 5 0 and the original unit begins operation after a time interval -no; the spare is delivered at time no Lz. In this case, suppose that p ( n ) = 0 for n = - L z , -La 1,.. . , - 1 , O . Then, the expected total discounted cost TCb(n0,0) is still valid for no (-& 5 no 5 0 ) . We have, from equation (11), WbO(-LZ) = - b L 2 & ( - L z , 0 ) = -cz < 0. Hence, the optimal regular ordering time can be characterized as given in the following theorem:

+

+

Theorem 4: (1) Suppose that r ( n ) is strictly increasing for non-negative n, under assumption (A-1). If W b O ( 0 ; ) ) > 0 then there exists at least one (at most two) optimal ordering time n; ( - L z < n: < CCI) satisfying WbO(12; - 1) < 0 and WbO(n6) 2 0. The upper and lower bounds of the corresponding minimum expected total discounted cost are identical to those obtained in equation (11). (ii) If wbO(0O)5 0 , then ng + 00.

(i)

(2) Suppose that r ( n ) is decreasing for non-negative n, under assumption (A-1). (i)

If WbO(0) > 0 then there exists a t least one (at most two) optimal negative ordering time M (-L2 < M < 0) satisfying wbO(hf- 1) < 0 and WbO(M) 2 0. The bounds of the corresponding minimum expected total discounted cost are obtained as:

ut(&I- 1) < TCb(hf,O)5 U & ( M ) , where

+ L2)

U & ( n )= [c,bLZP(n

-

(14)

(1 - b ) ~/ ] [(I - b)bL2].

Furthermore, if WbO(0O) 2 0, then n; = hf and if Wbo(c0) < 0 then n; = M or n; + 00. (ii) If WbO(0) 5 0 then n; + 00.

Proof: The theorem can be proved in the same line as that of Theorem 2 or Theorem 3. Hence it is omitted for brevity. 5. Numerical Example Suppose that the lifetime of the unit obeys the discrete Weibull distribution:

and the parameter values of the model are: rn = 2, c1 = 60, c~ = 20, L1 = 1, LZ = 5, c, = 12, ch = 5, b = 0.85. For the model with non-negative ordering time, Table 1 shows that when the failure rate is high it is desirable to place the regular order in the early stage and keep the spare in inventory; when the failure rate is low, delay in regular ordering is enviable. Table 1 further shows that a negative regular ordering

140 time can reduce substantially the expected total discounted cost in the steady state when the failure rate is high.

Table 1. Dependence of the optimal ordering policy on the failure parameter q. -

Non-negative ordering time TCb(n;,O) n; TC,(nc,cm) 56.5725 56.8392 55.2667 55.4834 53.5651 53.6906 51.6851 51.5089 49.1873 49.4293 46.4079 46.5312 42.8000 42.9647 38.6601 38.8361 33.2735 33.2757 24.2105 24.4587 Y

nT,

4

0.90 0.91 0.92 0.93 0.94 0.95 0.96 0.97 0.98 0.99 -

0 1 1 1 1 2 2 2 3 6

I

1

I

Nega ve ordering time n; -2

1 6

. 31.6833 31.3242 30.6942 29.9621 29.1891 28.3725 27.5094 26.5969 25.6317 24.2105

I

t regular ordering time no E [-5, m) 6. Concluding Remarks In this paper, we have developed a discrete-time order replacement model for a single-unit system with ordering lead time and discounting. The expected total discounted cost has been taken as a criterion of optimality because it allows us t o put emphasis on the present term behavior of the system. Further, the behavior of the system in distant future can be realized by the limiting value of the annualized total discounted cost when b tends to 1. As a future research effort, it would be interesting to develop a generalized discrete-time order-replacement model with discounting, randomized lead times and/or minimal repair.

References 1. S. Osaki, A n ordering policy with lead time, Int. J. Sys. Sci. 8 , 1091 (1977). 2. T. Dohi, N. Kaio and S. Osaki, On the optimal ordering policies in maintenance theory - survey and applications, Appl. Stoch. Models B Data Analysis 14, 309 (1998). 3. N. Kaio, T. Dohi and S. Osaki, Preventive maintenance models: replacement, repair, ordering and inspection, Handbook of Reliability, edited by H. Pham, Springer-Verlag, 349 (2003). 4. N. Kaio and S. Osaki, Discrete-time ordering policies, IEEE Trans. Rel. R-29 (5), 405 (1979). 5. N. Kaio and S. Osaki, Discrete time ordering policies with minimal repair, RAIROOpns. Res. 14, 257 (1980). 6. R. E. Barlow, A. W. Marshall and F. Proschan, Properties of probability distributions with monotone hazard rate, Annl. Stat. 34,375 (1963). 7. N. Kaio and S. Osaki, Optimal ordering policies with two types of randomized lead times, Comp. Math. Appl. 19, 43 (1990). .

I

SNEM: A NEW APPROACH T O EVALUATE TERMINAL PAIR RELIABILITY OF COMMUNICATION NETWORKS N. K. GOYAL Reliability Engineering Center, IlT Kharagpur, West Bengal, INDIA - 721302

R. B. MISRA Reliability Engineering Center, IIT Kharagpur, West Bengal, INDIA

~

721302

S . K. CHATURVEDI Reliability Engineering Center, lIT Kharagpur, West Bengal, INDlA - 721302 This paper presents a method to evaluate terminal pair reliability of complex communication networks using a new approach SNEM. The algorithm SNEM (Source Node Exclusion Method) first reduces a given network t"o its non-series-parallel form and then breaks the network by excluding the source node from rest of the network to obtain its sub-nehvorks. The reliabilities of these sub networks are computed thereafter by the recursive application of SNEM. The proposed approach is quite simple in application and applicable to any general networks, i.e., directed and undirected. The method does not require any prior information such as path (or cut) sets of the network and their preprocessing thereafter or perform complex tests on networks to match a predefined criterion. The proposed method has been applied on a variety of network and found to be quite simple, robust, and fast for terminal pair reliability evaluation of large and complex networks.

1.

Introduction

In the design of communication networks, reliability has emerged as an important parameter due to the fact that failure of these networks affects its user adversely. The interest in area of reliability evaluation is quite evident from the numerous formulations of the network reliability problems and the articles, which have been appearing in the literature for the past couple of decades, thereby evolving various methodologies, techniques and algorithms to tackle these problems in an efficient and effective manner. The reasons of the proliferation of interests and such articles appear to be a better understanding of the theoretical nature of the network reliability problems on variety of networks. Among the various formulations, the most familiar network reliability problem involves the computation of probability that the two specified communication centres in a network could communicate with each other. These formulations model the network by a probabilistic graph comprising n number of nodes (communicable centres) and b number of branches (connecting links) and assume the statistical independence of the failure of the connecting links. This problem is known as (s-t) reliability or two-terminal reliability in the reliability parlance. The survey of the literature indicates that the approaches, which have been used to compute the two-terminal reliability, includes serial-reduction and parallel combination, event space enumeration, path (cut) sets unionization, pivotal decomposition using 141

142

keystone components and transformation techniques etc. Therefore, the whole spectrum of methodologies could broadly be classified into two paradigms, viz. 1 . The paradigm in which one of the prerequisite is - the enumeration of all possibilities through which the two specified nodes can communicate (or not communicate) with each other. Some of the recent developments in this area can be seen in [I] 2. The paradigm that does not require knowledge of path (or cut) sets in advance. [2111 However, the common feature in both of the paradigms is-whatever solution techniques we use, it turns out to be highly recursive in nature. The approach presented in this paper is also not an exception. Misra [I21 presented an efficient algorithm to compute the reliability of seriesparallel (SP) networks and suggested that it could be used for a general network after shorting and opening of pivotal branches. However, the responsibility of selecting a pivotal branch solely lies on the analyst. Moreover, the method applies to the networks that contain the bi-directional elements. Park and Cho [7] suggested an algorithm based on the recursive application of pivotal decomposition using keystone components combined with series reduction and parallel combination. Nakazawa [ 131 recommended a technique for choosing the keystone element. Hansler [14] studies the reliability in which all links were bi-directional. The application of factoring theorem to reliability evaluation can be seen in [6-91. The present paper deals with the computation of (s-t) reliability and presents an approach, which belongs to the second paradigm, i.e., non-path (cut) sets based techniques. Some of the salient features, which make it different from the existing approaches, are: No pre-requisite to determine the path (or cut) sets and their preprocessing thereafter to get them in certain order as is desirable in the sum-of-disjoint (SDP) form based approaches. Compared to SDP based approaches, it solves the problem with lesser number of multiplications, thereby provides reduced round off error. It doesn’t require any overheads such as search criteria for a key or pivotal element. This is important because any search or testing conditions takes more computational time. It doesn’t burden computer memory, as the data to be processed is only the weighted connection matrix of the network under consideration whereas the connection matrices of the sub networks, extracted from this main matrix, are used in subsequent calculations to compute overall two-terminal reliability. The connection matrix representation of a network is the simplest approach as compared to other representations because of the computational ease and flexibility it provides. Moreover, the sub matrices existence would be temporal till they serve their purpose. It enables this method to run even on a desktop PC for quite large networks.

Assumptions 1. A communication Network is modeled by a probabilistic simple graph. 2. The nodes of the network are perfectly reliable.

143

3 . The network and its branches have only two states (i) working or (ii) failed. 4. The branch failures are statistically independent. Notation n -Number of nodes in the network. b -Number of branches in the network. N, - ith node of any network, where 1 5 i 5 n L, - Reliability of ith link in any network, where 1 5 i 5 b. L, - Unreliability of ith link in any network, where 1 5 i 5 b. R, - Reliability of network from N, as source node and N, as the terminal node. u- Union. n- Intersection. [C] - Weighted connection matrix. Each entry C (i, j) in [C] denotes the reliability of link connected from node N, to NJ. If there were no link from node N, to N,, then its value would be 0. Acronyms Non Series-Parallel Sum of Disjoint Product The proposed method (Source Node Exclusion Method) Series-Parallel Series-Parallel Reduction

NSP SDP SNEM SP SPR 2.

The Proposed Approach

We consider a general network as shown in Fig. 1. Let the source node s is connected to rest of the network via r links, viz., (L,, Lz...L,), which are terminating to various nodes, viz., N1, N2...N,, of the network. Then we can express the (s, +reliability of the network as: 4 . 1

i = 1, 2,

= ( ~ , n R. , ), U ( L , n R , , ) u . . . u ( L , n R , , , )

(1)

...r, is the reliability between node N, (as new source node) and t of the n

Rest of the Network Figure 1: A general communication network

sub network resulted by omitting the source node s from rest of the network.

144

Equation ( 1 ) contains two type of terms, viz., (i) sub network reliability terms (Rl,l, ...,Rr,l), which are dependent on each other, and (ii) link reliability terms (L,, ..., Lr), which are independent to each other as they are not part of the rest of the network. Links are also independent to the sub network reliability terms. To explain the above points, let us consider the first two terms of equation (1). This can be expanded as: (L, n4,,) u ( L , nR,,)

-

nc) (1, nRi., nL2n%)+ ( L ,

4,

= (L, n

+

R,.,)

=L, n(L,n~.,)+(L,nR,,)+(L,nR,.,nL,nH,)

(2)

=L2"(L,nRi.,)+L,n(R,.,+l.,nR,.,nR,)

= L, n ( L l n R , , ) + L , n ( R 2 . ,u ( L , n R , . , ) ) = I,, * R i O + L, *(Ruu(L,*Ri.,))

*(4

Where, R,,l, for i = 1, 2, ...r, is the reliability between i" node N, (as the new source node) and node t of the sub network, which is the result of deleting the source node s from rest of the network. Therefore, expanding equation (1) in its entirety, we obtain the expression as given in equation (3): R,.,= (L, nRl.,)u ( L 2n R 2,) u...u ( Ln K r )

_ _

= L,

*{...*(G*tL, * Ri.,) + L 2 *(R,,, u ( L , * Ri.,)))...l+...L,-l *(JL., u

(L:*R,-z.,)U-.u(&

(3)

*%))I+L, *(R,,, U ( L i *R,. i.OU...U(Li *Rn.O)

In other words, the proposed method SNEM (Source Node Exclusion Method) solves any network by recursively breaking and solving the resulting SP-sub networks to compute the overall (s, t) reliability. We illustrate the application of the above formulation and the steps to follow for computing the (s, t)-reliability of the network by taking networks of 5 nodes and 8 links as shown in Fig. 2.

Illustration Consider the network of Fig. 2(a) with the source node and destination node as 1 and 5, respectively. Firstly, we obtain the number of sub network, which would be equal to the number of links emerging out from the node N,, i.e., three in this case. The sub network of Fig. 2(b) turns out to be a simple series parallel network with the new source node as N1. Its reliability is evaluated as R2.5'=0.9587. Second sub network in Fig. 2(c) is obtained from 2(b) by connecting the link LI to node 3 instead of node 1. However, this sub network turns out to be a non-series parallel network with its source node, 3. Therefore, we break it further as shown in Fig. 2(e) and 2(f), respectively. Now, its reliability is evaluated from the reliability of its sub networks. These two sub networks turns out to be simple SP networks with source nodes, 2 and 4 respectively. The reliabilities of these series parallel networks are evaluated as R2.5''= 0.951 and &.s''= 0.9676, respectively.

145

Figure2. (a) Network of 5 nodes and 8 links with its 5 associated sub networks Fig. 2(b) to 2(f)

Now we can express and compute the reliability of the sub network of Fig. 2(c) as: R3,5‘= (R2.5“*(LI+z *L4)* z)+L5*&.5”= 0.9598. The third and last sub network, we obtain from Fig. 2(b) by connecting the node 4 with node 2 and 3 via links, L, and Lz. The source node for this network is node 4. The reliability of network of Fig. 2(d) is evaluated as &,5‘= 0.9675. Now, we can express and compute the overall (s, t)-reliability from the reliability of its sub networks (R2,5’, R3,5’,&,5’) as: R1,5 = ((Rz,s’*LI)* 7;;+LZ*R3.5’)*(l-L3)+L3*R,,,’ = 0.9657

3.

Implementation

We have implemented the proposed method by using the weighted connection matrix of the probabilistic graph. The flow chart of Fig. 3 implements the proposed method SNEM whereas Fig. 4 is meant for the procedure SPR.

146

For each non zero entn J in [V]. Do

Exit

C1ll.k) =O,forall k 3

Get. Next nan-zero entn 1 in [Vl

Figure3. Flow chart - SNEM (Source Node Exclusion Method)

4.

Results and discussions

We have implemented the proposed method in Matlab and have applied it to a variety of test networks taken by the earlier researchers [l]. The results obtained by applying the proposed method are shown in Table 1 . The computed value of the reliability is matching exactly with the results obtained in [l]. Some of the points worth noting are:

147

Is Type Undirectional’J

matri\ [Cl I

I

I

Recursivel! find nodes which have indegree and outdegree equal to I and apply wries prollel reductions to modih- /(-1

Figure4. Procedure - SPR (Series Parallel Reductions) on weighted connection matrix [C]

1.

2.

For network of Fig. 2 (a), the number of multiplication performed are 24 as compared to the SDP based approach which uses path sets and involves 58 multiplications; Compared to the algorithms based on factoring theorem, this method generates lesser number of sub-graphs. For the network of Fig 2 (a), it would generate eight series-parallel sub-graphs corresponding to 3 bidirectional links. However, the proposed algorithm generates only four series-parallel sub-graphs. Besides, the present algorithm has the added advantage of being applicable to both directed and undirected networks; and doesn’t require to find a pivotal elements in the graph, which itself is a trivial task.

It can be observed from the table I, that the time taken for small to medium sized networks is less than a second. However, for the network of 21 nodes 33 (21n331) links the execution time is about one minute only whereas it has been few hours as reported in [I]. Although, comparing algorithms on the basis of execution time is not considered to be the correct approach unless the algorithms are implemented by the same and an unbiased programmer and in the same environment, which takes care of the factors such as the skill of programmer, hardwarekoftware platform, processor speed etc. However, the difference in execution time is quite significant.

148 Table 1 : Results of application of method to various networks taken from [I]. (The method is implemented using MATLAB 6.5 on PC with Pentium-I11 processor and 128 ME RAM and Win 2000 operating system) Network Name 1. 51181 2. 6n91 3. 711151 4. lln211 5. 811121 6. 8n121 7. 711121 8. 8n131 9. 1611301 10. 911141 I I . 1311221 12.2011301 13.2111331

Network Type Undirected Undirected Directed Directed Undirected Undirected Undirected Undirected Directed Undirected Undirected Undirected Undirected

Reliability 0.99763 164000 0.97718440500 0.99776822031 0.997 10478I97 0.98406815298 0.9751 1589739 0.99749367367 0.99621 749334 0.99718629078 0.974 I4541477 0.98738996728 0.99712039875 0.97379846832

CPU Time (in sec) 0.01000 0.02000 0.02000 0.02200 0.02000 0.02000 0.02000 0.03000 0.10000 0.03000 1.27200 55.5500 67.9000

5. Conclusion SNEM is found to be very versatile and easily amenable to computer implementation. The proposed method has been applied well to both the directed and undirected topologies of various networks. It computes the (s, t)-reliability of communication networks with less memory requirements and at reduced round off errors.

References 1.

2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.

S. K. Chaturvedi and K. B. Misra, Int. Jour. ofQuality and Reliability Management, 9,237 (2002) N. Deo and M. Medidi, IEEE Trans. on Rel., R-41,201 (1992) F. Beichelt and P. Tittman, Microelectronics andreliability, 31, 869 (1991) 0. R. Theologou and J. G. Carlier, IEEE Trans. on Rel., 40,210 (1991) F. Beichelt and P. Tittman, optimization, 20,409 (1990) L. B. Page and J. E. Perry, ,IEEE Trans. on Rel., R-38,556 (1989) K. S. Park, B. C. Cho, IEEE Trans. on Rel., 37, 50 (1988) R. K. Wood, IEEE Trans. on Rel., R-35,269 (1986) R. K. Wood, Networks, 15, 173 (1985) A. Satyanarayan and M. K. Chang, Networks, 13, 107 (1983) J. P. Gadani and K. B. Misra, , IEEE Trans. on Rel., R-31,49 (1982) K. B. Misra, IEEE Trans. on Rel., R-19, 146 (1970) H. Nakazawa, ,IEEE Trans. on Rel., R-25,77 (1976) E. Hansler, IEEE Trans. on Comm., COM-20,637 (1 972)

ROBUST DESIGN FOR QUALITY-RELIABILITYVIA FUZZY PROBABILIW HUIXIN GUO Department ofMechanical Engineering, Hunan University ofArts and Science Changde, Hunan, China Emai1:[email protected] The purpose of this paper is to desczibe a robust design method for quality reliability with fuzzy design target. Fuzzy number was used to express the design target of product’s quality with fuzzy character, and its membership functions in mmmon use were given. The robustness of a design solution was studied using the theory of fuzzy probability. To maximize the fuzzy probability of quality design was proposed as a robust design criterion, and its validity and practicability were validated. The controlling effect of this criterion on the mean and variance of quality index is similar to the effect of Taguchi’s signa1.t.o-noise ratio. This criterion is well adaptable to the different choice of the membership functions, and can effectively controls the direction a t which the mean on quality index approaches to the nominal target. A robust optimal design example of a circuit was presented, and it shows that its solution is better than traditional robust design methods.

1

Introduction

Robust design of product quality aims at high quality and low cost based on the consideration of product performance, quality and cost. Taguchi method[’] is a representative of traditional robust design methods. Taguchi’s quality loss function developed a school of his own, and this method was ingenious and was easily popularized. In practical application, its effect was notable, but it required of the monotony of mathematical modellzl. Because the operations of square and logarithm were adopted in the calculation of the signal-to-noise ratio (S/N) , this requirement could not be satisfied. The orthogonal table was adopted in the calculation of S/N, and the departure levels of controllable factors and noise factors were discrete. But the quality index of a real product was usually continuous, so only the approximate optimal solution was gained, therefore the calculation formula of S M defined by Taguchi needs to be improved. In the engineering model of robust design based on the random optimum rnethodsl3-41, the sensitive index (SI) of the quality index was introduced, but Taguchi‘s quality loss function was used more commonly. As to “nominal is better” design target, the robust design criterion was as follows: ( ; - y o ) * + r :+ min (1)

-

Among related Formula, y w a s the quality character index of a product, y was its mean, and D; was its variance. Through the Formula (I), robust design makes

5

* This work is supported by Scientific Research Grant (03A031) of Hunan Provincial Education Department of China.

149

150 approach to the nominal target value yo and makes its variance smaller as best one can. But after the operations of square and sum in the Formula (11, it was difficult to predict its mathematical character. At the convergence point of the robust optimal design, the combinations of and 0; might be completely different. Moreover, by approaches to yo could not be effectively the Formula (l),the direction at which controlled, and the designer’s desirability, making approach to yo from the left or right direction, could not be realized. In this paper, a robust design criterion via fuzzy probability was put forward, and its validity, adaptability and practicality were well studied. Compared with the traditional robust design criterion Formula (11, it has special advantages.

7

7

2 The fuzzy mathematical description of product quality index 2.1 m e expression of qualityindexin fuzzy number PAY)

PAY,

1

Yo-&

Yo

m+4v

(a) Triangle distribution

yo-& (b)

Yo

m+4v

.

Normal distribution

T (c) Echelon distribution Figure 1

(d) The geometry meaning of the fuzzy robust design criterion

The membership functions of fuzzy design target

In Figure l(d, yo was the nominal target value of quality index y, its tolerance was +Ay Thus that the design quality y w a s a high quality was a fuzzy subset in the value region of JS expressed in a real fuzzy number noted as A, and the subjection degree of y to the ideal design was pJy) . Obviously, pJyo) = 1 . When ly yo I l a y , there w a s p J y ) = O . When l y y , ll, the fuzzy distribution curve was down-protruding; when h ( o r kz) B could not be used as a restriction condition. As to a

5

155 certain 8,the membership function shown in the Figure l(c) had a potentiality to obtain a better design with larger tolerant error. Moreover, to determine the tolerant error h a y w a s related to the defect rate in the product quality design. In the scheme 1-5 of the Table 1, pJy) was all chosen as the symmetry distributing, so the direction of +yocould not be controlled.

5

The application example of fuzzy robust design

The robust design aims to high quality reliability and low cost. In the example 1, the making cost of the product was not considered. Now suppose that the making cost of the resistance or inductance was a function of its standad deviation:

Thus in the Figure 2, the circuit's robust optimum design model based on the cost and quality was as follows:

xT = (xI,x2,X, ,x, ) = (E,z,AR,AL) 0.09+0.0003

min ( s.t.

''

J","P A Y ) f ( Y ) d y

1

10.15

1 J 9.85 f ( y ) d y - 11 s 0.0001; 1 < xI I 2 0 ; 0.003 I x2 10.045; x, 2 0; x, 10

Like the design example 1, the different ~JJJ)was adopted in determining the robust optimum design. The different robust design solutions were shown as the Table 2. Table 2. The robust optimum design parameters and its comparison

I

Scheme serial numbers Former scherne'4' Scheme 1 Scheme 2 Scheme 3 Scheme 4 Scheme 5 Scheme 6 Scheme 7 Scheme 8 Scheme 9

-

L

AR

u

11.110 11.9487 11.9474 11.9487 11.9398 11.9397 11.9397 11.9511 11.7550 11.9552

0.012 0.0030 0.0030 0.0030 0.0030 0.0030 0.0030 0.0030 0.0030 0.0030

0.299 0.1050 0.1050 0.1050 0.1050 0.1050 0.1050 0.1051 0.1056 0.1050

0.0015 0.002141 0.002139 0.002136 0.002053 0.002052 0.002051 0.002108 0.002019 0.002025

R

Y 10.0031 9.9998 9.9999 9.9982 10.0056 10.0056 10.0056 9.9962 9.9940 9.9929

0: 0.04065 0.1540~10.2 0.1539~10.2 0.1537x10* 0.1507~10.2 0.1503~10'2 0.1507~10.2 0.1526~10'2 0.1502~10~2 0.1488~10.2

In Table 2, the schemes 1-3 adopted the membership functions such as the Formulae (2),(3),(4) respectively, and the Formula (2) was chosen b=&=l.As to the Formula (3), choose k=$Ay? =0.005 . The robust design solutions in the scheme 1-3 were basically accordant, and it showed that the fuzzy robust design criterion was well adapted to the different choice of pJy) and the design schemes were all superior to

156 the former scheme[d, then it embodied the validity of the fuzzy robust design criterion. Comparing the schemes in the Table 2 with the schemes in the Table 1, the resistance and inductance had the more reasonable tolerant error because the making cost was considered. When pJy) was adopted shown as the Figure l(a) and ki=l,kzeki, the schemes such as 4, 5, 6 corresponded to kz=1/2, 1/3, 114 respectively. And then, the left side of pJy) was linear, the curve in the right side protruded upwards, it showed that the designer considered that the current value was good in [lo, 10.151 (or the practical product required). This time, the mean on the current approached to the nominal target value 10Afrom the right side. If choosing kz=l and ki&, the schemes such as 7, 8, 9 corresponded to k1=1/2,1/3,1/4 respectively, then the right side of pAy) was linear and the curve in left side protruded upwards; It showed that the designer considered that the current was good in [9.85, 101. This time, the mean on the current approached to the nominal target value 10A from small direction namely from the left on the design side. So the designer could control the direction that the mean quality index approached t o the nominal target value fa through suitably choosing the This was an advantage that the non-symmetry membership function of traditional robust design criterion did not have. Using this advantage, designer could make the distributing of the design quality index yeven more accorded to the practical need. This character could be clearly explained by the construction of Formula (5) and its geometry meaning

PAY).

6

Conclusion

A new robust design criterion via fuzzy probability was put forward in this paper. The controlling this criterion on the mean and variance of quality index is similar to the effect of Taguchi’s signal-to-noiseratio. And that it could effectively control the fashion, approaches to the design target JQ, by which the design quality characteristic index was an advantage that present robust design criterions did not have. Moreover, the principle in this paper still could be generalized and applied to study the robust design of product having “smaller is better” or “larger is better” character.

Reference 1. Taguchi G. Introduction to Quality Engineering: Designing Quality into Products and Processes. Asian Productivity Organization, Tokyo, 1986 2. Wilde D J. Monotony Analysis of Taguchi’s Robust Circuit Design Problem, Tran. of the ASME. J. of Mech. Design, 1992.114 : 616-619 3. Parkinson A. Mechanical Design Using Engineering Models, R a n . of the ASME. J. of Mech. Design, 1995.117 : 48-54 4. CHENG Lizhou, Robust Design, Beijing: Mechanical Industry Publishing House, 2000 5. Zadeh L A. Outline of New Approach to Analysis of Complex Systems and

Decision Process. IEEE Transactions on Systems, Man and Cybernetics, 1973, SMC-3(1): 28-44.

INTERVAL-VALUED FUZZY SET MODELLING OF SYSTEM RELIABILITY RENKUAN GUO Department of Statistical Sciences, University of Cape Town, Private Bag Rhodes Gijis, Rondebosch 7707, Cape Town, South Africa Email:[email protected]

System reliability modeling in terms of fuzzy set theory is basically utilizing the Type I fuzzy sets, where the fuzzy membership is assumed as point-wise positive function ranging on [O,l] Such a practice might not be practical because an interval-valued membership may reflect the vagueness of system better according to human thinking patterns In this paper, we explore the basics of the Interval-valued fuzzy sets theory and illustrate its application in terms of an industrial example

1

Introduction

System operating and maintenance data are often imprecise and vague. Therefore fuzzy sets theory (Zadeh, [7]) opened the way for facilitating the modeling fuzziness aspect of system reliability. A fundamental issue is the treatment of membership function because fuzzy set as an extension of classical set in terms of extending the (0,l) two-valued indicator function characterizing a crisp set into a membership function ranging on interval [0,1] which characterizes a fuzzy set. Most of the fuzzy reliability modeling efforts is assuming a membership function, which could be regarded as a point estimate of the degree of belief of belongingness relation, for the reflection of vague nature of system operating and maintenance data. However, it may be more logical and practical to assume an interval-valued membership grade, which could be regarded as an intervalvalued estimate of the degree of belief of the subordination relation because as a general and natural human thinking pattern, the degree of fuzziness appears as an interval-valued number on [0,1]. In other words, it is natural to use a special class of type I1 fuzzy sets interval-valued fuzzy set (IVFS) (Zahed, [S]) to describe the fuzzy aspect of system reliability. Section 2 contains the elementary concept and operations on IVFSs. Furthermore, the relation between IVFS and rough set (Pawlak, [5]) and thus the IVFS decomposition theorem is established in section 3. In Section 4, the probability of IVFS is defined. In Section 4 a stress-tension style reliability model is proposed for analyzing the state of a repairable system. Section 5 is used to illustrate reliability analysis details in terms of an industrial example - cement roller data (Love and Guo, [4]). Section 6 gives a few comments on the IVFS system reliability analysis. 157

158 2

Interval-Valued Fuzzy Set

1.1. Concept of Interval- Valued Fuzzy Sets

Definition 1. A closed interval 5 A a' a" ,a',a" E R , and a' 5 a' is called realvalued interval number. If a',a" EGO,;], i a ' , a g is called an interval number on unit interval or simply interval number. Let 0,1] = { a= [a', a"]10 I a / 5 au 5 1 then it is the collection of all interval numbers (on unit interval [O,l]). +. Definition 2. Let set U denote a discourse. An interval-valued fuzzy set (IVFS) /f is a mapping from u to I[[0,1] :

p j :U?rI"O,l] For

(1)

VU E u , ii/j(+[P;(U),P:(u)]

(2)

where,

pi :U+[O,l]

and

pi :U+[O,l]

(3)

such that,

o I p I , ( u ) I p ; ( u ) 5 1 for

VUEU

Therefore, an IVFS is characterized by an interval-valued membership function denoted as,

membership

Figure 1. Membership ofan IVFS

(4)

,iij,

159

Atanassov [2] proposed concept of intuitionstic fuzzy set (IFS), which is equivalent to an IVFS. Mapping

+)Al-P&)-V&)

(6)

defines the depth of the degree of vague uncertainty of an IVFS and therefore,

n A pll - p -/ A

(7)

A

1.2. A Geometric Interpretation Agustench, Bustince and Mohedano [I] gave a geometric interpretation of an IVFS, which clearly identifies the triangle OAB (red-colored) within the unit-cube under the coordinate system

(p A' ,p;, z) (i.e., lower-membership p j - horizontal axis (purple/

colored), upper membership grade

p i - green-colored axis, the depth of vagueness

/

z = p; - p a - vertical axis) the projection space. In other words, an IVFS is a mapping from U to the triangle OAB.

If we only look at

(D, ; (u ) ,p i (u ) ),then a curve defined inside the triangle OAB

[(O,O),(l,l),(O,l)] on the bottom will characterize an IVFS. It is needless to say that the geometric interpretation should help us a better understanding and thus specification of an IVFS in practice.

160

1.3. Basic Operations on IVFSs

2,B 6 (u)

Let E be two interval fuzzy sets on discourse U. The three _bas& operations: union, intersection and complement operations of interval fuzzy sets A, , are defined as: : (i) Union of A and

B

(ii) Intersection of

2 and 8 :

+ .

(iii) Complement of

A: =(u,P2

(.)I

E

u}

p2 ( u >2 [1- p; ( u ) ,I - p; ( u ) ]

1

Other operations, say, t-norm and t-conorm will not be mentioned here for briehess but are critical in IVFS inferences. 3

Decomposition of an IVFS

The critical role of fuzzy set decomposition in fuzzy mathematical theory is that it links a fuzzy set to the common (crisp) set. For the Type I fuzzy set case the decomposition takes a form of

where

A, = { u E UI& ( u ) 2 A], V A E [O,']

.(12)

The key issue here is that in the case of IVFS, the membership is an interval a E 1 11 . Therefore, the decomposition should not be performed by line-cut (Type I fuzzy set) but by an interval-cut, in other words, it is necessary to investigate the set

yo,

{ pj ( u ) 2 Z), vx =[A!,A"]E 1[o, I]

161

that is,

and,

(15) = [u' E ulp;,(u' ) I A') and 2" -level cut set can be used to characterized the interval-valued cut set, denoted as:

+.

Theorem: An interval-valued fuzzy set

A can be represented as:

2=

u 14,

Xd[O,l]

where

14,A [A'.A,/, A"'A,,, ] Proof: In terms of the construction definitions,

It is obvious that the interval A,, can be treated as an lower approximation to the set A, and the interval A,,, can be treated as the upper approximation - to the set A, . Notice that A,, A, _C A,,, . It is reasonable to argue that the A -cut sets induces rough set in the sense of Pawlak [5]. This linkage may also promote a better understanding of the concept of an IVFS and even help to specify the interval-valued membership more intuitively. 4

The Probability of an IVFS

The probability of (Type I) fuzzy event

2 on I/, A E ( u ), is,

Pr[A]=E,,[P,(X)]= I , P a ( U ) q U ) In the context of IVFS, the relation between the interval-valued membership probability of the interval-valued fuzzy set will maintain a similar form:

(20) and the

162

-

II

This expression will give a probability interval for the IVFS A 5

.

An IVFS Reliability Model of Repairable Systems

5.1. A Virtual Allowable Capacity Model for Repairable System A basic idea of the reliability model proposed here is essentially taking from that of the traditional stress-tension modelling of an engineering structure. If we treat a repairable system as a virtual engineering structure, then the system parameters, the maintenance parameters and its operational environment parameters together can form a virtual allowable capacity, denoted as C,, which would restrain or control the system functioning state. The virtual allowable capacity plays a role similar to the stress level in the stress-tension model, which will determine a virtual allowable operating time, denoted as T,. On the other hand, the system functioning or operating causes system wear-out and increases its failure hazard. Therefore, the actual system functioning plays a role similar to the tension level, denoted as T. The limiting state equation of the reliability of functioning system is:

Z=T,-T

(22)

Furthermore it is assume that the limiting state Z is normally distributed random variable. It is intuitive to say that both To and Tare random and fuzzy in nature. The failure of the system is assumed to be an interval-valued fuzzy event with membership function:

5.2. The Cement Roller Example A set industrial data, e.g., Love and Guo [4]-a set of operating data extracted from a Canadian cement plant is used. Guo and Love [ 3 ] performed a fuzzy analysis on the same data in terms of fuzzy logical function method for obtaining the point-wise relative membership grades pi.a( u ) . For illustration purpose, we convert p:;, (u ) into interval-valued memship grades ,,?if( f a ) by assigning the depth of vagueness ~ 0 . at1

p:., (U)=0.5 and n=O at p:,

(U )=O

or 1.O.

For a recorded failure (or PM) time, the corresponding the allowable time satisfies

- 1 p (b - ( t ) = 1 --to that is. the allowable time

Therefore the virtual system state:

- - z=ta-t For failure times, fntax=maX{tlxl,. .., f31~31}=147, while for the censoring (PM) times, tnlax=)7laX(tl(l-ICI),..., t3,(1-~31))=217.Then ,iicL ( u ) , and interval-values are


01 [58 8,71 7361

[-85,451 [-41 2,-28 2641

[26 46,32 341

[-88 54,-82 661

[I69 26,177 941

[-47 74,-39 061

85

1

I

100

1

0 556

115

I

08

[0 630,O 7011 [ 1 000,l 0001 [0 512,O 6001 [0 780.0 8201

02

[0 180,O 2201

0 217 -

[-I02 9,-93 3451

164 2.5

I

0429

[0 386.0 4721

[77 616,90 2581

[52 616,65 2581

50

1

0429

[0 386,O 4721

[77 616.90 2581

[27 616,4O 2.581

From the table, it is easy to notice that most of the failure cases (.,=I), the Z -values observed are negative, which indicates the system falls in failure and damaged state, while quite a few of the censoring cases, the Z -values observed are positive, which indicates the system is still in "reliable" and "safe" state. The signs of these "observed" z -values confirm that the membership degree of the allowable capacity, &.m (U ) ,make sense. The mean and standard deviation of the interval-valued normal random variable z can be accordingly estimated as m =[-I 8.744,-8.8531 and 0=[65.886,66.458]

-

respectively. The fact that i%2 0 clearly indicates the system requires PM. System data t, can be used to fit Weibull distributions for further conventional reliability analysis. Concluding Remarks

6

In this paper, we briefly discuss the concept of IVFS and argue its necessity to use IVFS idea for the modeling system reliability. We could simply use the method by Wu [I IVFS to conduct fuzzy inference on the system reliability directly. However, the virtual operational state of an operating system gives another inside of the operating system state. Using IVFS to analyze the system state seems more meaningful. For simplification reason, we skip quite many computation details by just refer to our previous work, Guo and Love 131. As a matter of fact, it is more realistic to calculate the interval-valued membership grades and then use the logical function idea to have the IVFS membership grades for the system state. References 1.

2. 3. 4. 5. 6. 7. 8.

E. Agustench, H. Bustince and V. Mohedano, Mathware & Soft Computing 6, 267 (1999). K. Atanassov. FSS 20, 87 (1986). R. Guo and C.E. Love. Int. J. R. Q. S. Eng. Vol 10, No 2, 131 (2003). C.E. Love, and R. Guo, Q. R. Eng Int. Vol. 7 , 7 (1991). Z. Pawlak. Int. J. Comput. Inf Sci. 341 (1982). Wu, Wangming. Principles and Methods of Fuzzy Reasoning, ( I 994). Zadeh, A. L. Fuzzy sets, Information and Control 8, 338 ( 1 965). Zadeh, A. L. IEEE Trans. System. Man Cybernet. 3,28 (1973).

FUZZY SET-VALUED STATISTICAL INFERENCES ON A SYSTEM OPERATING DATA RENKUAN GUO Department of Statistical Sciences, University of Cape Town, Private Bag, Rhodes ’ Giji, Rondebosch, Cape Town South Africa E-mail: rguo@iais. uci.ac.za

ERNIE LOVE Faculty of Business Administrations, Simon Fraser University Burnaby, BC, V5A IS6, Canada E-mail: [email protected]

In this paper the characters and mathematical foundation of set-valued statistics - random set and the falling shadow function is briefly reviewed. We further discuss the procedure of fuzzy set-valued inference based on sampled data information proposed by Chen [2]. An industrial data is used to illustrate the prediction of system failure time based on covariate information.

1

Introduction

Using covariate information for predicting a system behavior is a well-known research topic in reliability engineering, e.g. Love and Guo [4] and Guo and Love [3]. In classical probability and statistics, what is obtained from each statistical experimental trial (or run) is a deterministic point on the phase space (which is the set of possible observations sample or elementary space). Such a statistical methodology is therefore is called apointwise statistics. However, in the great amount of the management and production practices, particularly, these involving human psychological measurements, what we faced are no longer some isolated points. The obtained information from each experiment is usually a common subset or a fuzzy subset of the phase space. Classical statistics often ignored the whole interconnections between points therefore ignored an fact that the viewpoint of whole is an fundamental criterion for human being to perform partitions, selections, orderings and decision-makings. In set-valued statistics the outcome of each experiment is a subset of a certain discourse and therefore the classical statistical methodologies no longer apply. As an extension to classical statistics the set-valued statistics will greatly expand the scope of applications. In general, the theory of random set and the falling shadow of random set is the foundation of set-valued statistics. Section two is used to investigate the basic features of set-valued statistics. In Section three the fuzzy set-valued inference is reviewed and in Section 4 an industrial data is used to illustrate the idea. A few remarks are given in section 5. 165

166

2

Fuzzy Statistical Model

2.1. Fuuy Statistical Experiment The best way to understand the characters of set-valued statistics is to compare it to the classical statistics. The table 1 gives a systematic comparison between them.

Space

Fixed Varying

Table 1 Comparisons Between Cla Classical statistical model Elementary space R, containing all the relevant factors and thus being an extremely high-dimensional Cartesian product space An event A C R A variate w on a, once w is fixed, then all the factors are fixed at their specific state level respectively

cal and Fuzzy Statistical Model Fuzzy statistical model A discourse U

A fixed element uu E U

-

a

on U a varying set A' IS formed by constructing an uncertain partition about A fuzzy concept

-

a ,,each ., fixing of A' implies a definite partition for a ,which represents an approximation to the extension of a , Condition

A certain condition S

A certain condition S

2.2. Duality Between Two Models Assume that P(U )is the collections of all the subsets of domain U and called the power set of U. It is obvious to see that any set A c U will be an element of the power set, i.e., A E P(U ) . For 'du E U , define set A {B :B E P ( U ) ,B 3 u } which is the super filter of set-algebra P . For any given u, can be regarded as the subset of i.e., C P(u). Thus a fuzzy statistical model on a discourse can be converted into a classical statistical model on the discourse P ( U ). For a given discourse U and its power set P ( U ) , define a set class : u E U } and let b' be a o-algebra containing i.e., C b' . Therefore, ( P ( U ) b') , is a measurable space. Actually, a measurable mapping from probability space (G,A,f') into measurable b') is called random set on U , i.e., [ :0 -+

(u)

P ( u ) , r,

{r?,

P(u).

[-'(B)={w

E[(W)€

r,

r,

u

6(rU), (P(u),

B,'dBEB}EA

(1)

Intuitively, a random set [ can be defined as a mapping from sample space 0 to a subset b ' o f P ( U ) w h i c h satisfies that each pre-image of [ ( w ) i.e., w E 0 is a possible experiment outcome whose occurrence is associated with a probability measure. 2.3. Falling Shadow Function

Term "falling shadow" is proposed by Wang [ 5 ] , basing on an image of a cluster of cloud on the sky throwing shadow on the ground. Mathematically, assume that [ is a random

167

u

u,

set on discourse . For \y'u E E< U ) = P [ w :[ ( w ) 3 U ] is called the falling shadow function. For a fixed u E , E< uo) is called the falling shadow value of [ at u,, . Notice that &< ( u ) = PPw : = ( u ) and therefore E< is a real . E< is not only used to describe random set to a certain degree function defined on but also can expressed as the membership function of the corresponding fuzzy subset on

u t(4) r,] 5

u

-

U.

Assume that A is a fuzzy concept which can be represented by a fuzzy subset of . A { B :B E P(u), B 3 u } is the coll_ections of all random sets which contain u E U and also represent the fuzzy concept A , b'B,, = [(w,, ) E . The associated probability 4 o f (( w , ) represents the degree of confidence for set B,, to describe fuzzy concept . Then the probability of , E< ( u ) , can be regarded as the membership of fuzzy set at u and denoted as (U ) .

u r,

r,

A

3

r,

A

Fuzzy Set-Valued Statistical Inference

Chen and Chen [ 2 ] developed a concrete model summarized in Chen and - Guo [l]. Assuming that X and Y are two related discourses, the implication relation R from X to Y can be represented by the falling shadow: 1

n

in terms of n independent experimental sample of random sets

{ &,R2,..., Rn}, R, E .F (Xx Y ) ,i = I, 2,. ..,n For given

(3)

'' F ( x ) ,

in terms of reasoning compositional rule

B'=A*oR

(4)

is obtained as the fuzzy inference conclusion. In order to continuously modify the original implication relation (no matter of prior nature or sampling one) R by utilizing the data-based inference conclusion progressively, define,

Rn+l= A*x B*

(5)

PR,,+,(x, Y >= Pd' (x>A PR' (Y>,\y'(x,Y >E (Xx y>

(6)

which has a membership function

Then a fuzzy set-valued inference model with self-learning has a modified implication relation A*, with a membership function

168

However, sometimes the samples obtained in terms of statistical experimentation are not subsets on X Y but the point (x, y ) on X Y . Particularly, when a problem involves many factors and thus the form of the random sample is multi-dimensional data (x1,x2,.. * X, ,y ) . Therefore, it is necessary to extend the above model. Let us consider an n-fold I-order, (n,!)- implication fuzzy inferen_ce.-Assumip that Xand Yaretworelatedrealsets. A ~ { A l , A 2 , . - . , A m } a n d B 4 { B , , B 2 ; - . , B k are two fuzzy normal convex partitions on X and Y respectively. In general A and are prior type of fuzzy partitions based on features of a real problem. Assuming that n independent random samples,

x

x

I

observeddata

onfuzzysetsof partionsA andB respectively, where

{a}:=,

on fuzzy partitions Therefore the two group of fuzzy sets (s,}" and @ of X and Y respectively, where sample'=k are obtained. Fuzzy implication is defined as a fuzzy relation from A and B ,where r E [0,1] is relation R = r inteTreted as the ( Y ) akgree xk of truth that if " x is " then " y is 3, ". Let the it row vector

A and

x

2,

of R be denoted as i.e.,

I?, = (q,,c2,.

* *,

qk ) being regarded as the fuzzy subsets on IB ,

-

Thus R, is understood as the random set falling shadow estimate from the sample of random sets of the fuzzy subset group

{P,I

XI €

4 , ( x , , Y , ) E S,I

2,

€

{1,.*.,n}}

(12)

If A is a common partitio! of X,i.e., all the E A are clear subsets, the above-stated meaning of constructing-R, in terms of falling shadow is obvious. However, when A is a fuzzy subset, " x I E A, " can not simply use "yes" or "no" to describe it, but it is

169

4.

usually to be described by the degree of X/ E The membership p - (x/)is just the 3 quantity reflecting the degree of X/ E Therefore, a linear estimator IS constructed for

4.

R1 .

2 2

QIhPI2

- a R, =

I=I

.

9

...

,

"I,

/=I

As to computation details, for a given sample S, in terms of (6.65), two matrices can be

where

Let

P

xu,,

,then in terms of (6.66), the fuzzy implication relation

/=I

For given x E

x , it is obtained, *

*

G* = (aI,a2 ,..-,(I.,*)

EF ( A )

a,*=PA, ( x ) , i = I,...

Therefore in terms of reasoning compositional rule

7m

(18)

170

=(P,',W',...,P,')t~(~) - Let y,,y 2 , ..,yk be the kernels of Bl,B 2 , ...,Bk respectively, then clr* o R = P *

*

is the inferential conclusion. 4

Failure Time Prediction

It is in general to accept that if the failure time of a repairable system can be reasonably predicted then a timely repair action can be taken so that the loss of non-operation would be minimized. In order to forecast the system failure time t, it is reasonable to take covariate D as the forecasting factor based on the analysis results by Love and Guo [3]. Table 2 Covariate D and Failure Times

{k,,2,'-4 ,-A1}

x

The fuzzy partition A = ,A3 on the discourse of covariate D and B, ,B3,B4 on the discour_e Y of - failure time T the fuzzy partition B = respectively. The membership functions of fuzzy subsets A, and B, are defined as follows:

1 x18.5

[

0 otherwise

1i

X-8.5 8.5 5 x 5 11 2.5 13.5-x 11 < x < 13.5 2.5 0 otherwise

x-11 1 1 5 x 5 13.5 0 ~113.5 2.5 X-13.5 16-x 13.5 5 x 5 16 1 3 . 5 < ~ < 1 6 pLi = 2.5 2.5 1 otherwise 0 otherwise and

171

405 y i 8 0

1 yI40

80 < y ~ , ~ of schemes to minimize damages by crack attacks, imposing access restriction on servers has been proposed.’ This paper considers a stochastic model where a server system with access restriction: To protect from crack attacks which are performed by a part of clients, after a server stores the state of the resource, a server executes the request processing. When a server executes the request processing, a part of control function of a server can not be used with some probability by illegal code which contains the request processing. In this case, some parts of memory and files are destroyed and errors of a resource occur according to a certain probability distribution. To prevent from such errors, a server restores the state of the resource after a server completes the request processing at m times. The mean time t o complete the request processing at m times is analytically derived. Further, an optimal policy which maximizes the expected profit is discussed. Finally, a numerical example is given. 2. Model

A web server executes various requests from clients. The request files are HTML files, binary files, files which are generated by CGI program, and so on. To protect from crack attacks which are performed by a part of clients, a server stores the state of the resource, restricts the access, and executes the request processing. Further, there are a buffer overflow attack which hijacks the control of a server and an attack to execution environment such as a n environment variable of a server. By these attacks, when the argument of a program is changed, attackers may be able to come t o execute any commands. Most of attacks are caused by programming errors of servers.z We consider the Internet based system with the following assunptions: (1) After a server begins to operate, stores the initial states of memory and register, and restricts the access itself, a server waits requests from clients. The time for restriction of the access has a general distribution A ( t ) with finite mean a, requests occur according to a n exponential distribution B ( t ) with finite mean l / b and the time for request processing has an exponential distribution D ( t ) with finite mean l l d . (2) When a server executes the request processing, a part of control function of a server can not be used with probability p ( 0 < p < 1) by illegal code which contains the request processing. This state is detected by an operating

183

system after a server executes the request processing. In this case, a server keeps to accept requests and executes processing as a part of control function which can not be used. If a server can not use a part of control function, some parts of memory and files are destroyed by illegal access from outside, and errors of a resource occur according to an exponential distribution F ( t ) with finite mean 1/X. These errors are immediately and certainly detected. In this case, a server is maintained and restarts again from the beginning of system operation. The time from occurrence of errors to restart has a general distribution V ( t )with finite mean v. If errors do not occur, a server continues to execute the request processing. (3) To prevent from errors, a server executes the restoration processing to an initial state of the resource, after a server completes the request processing at m times. Under the above assumptions, we define the following states of the system: State 0: System begins t o operateD State 1: Request processing starts. State 2k: Request processing starts as a part of control function of a server which can not be used by illegal code where k ( k = O , l , . . . ,m - 1)denotes the number where a server completes the request processing in State 1. State 3: Server completes the request processing at m times. State 4: Errors of a resource occur. The system states defined above form a Markov renewal process where State 3 is an absorbing state. Transition diagram between system states is shown in Figure 1. Let Q i , j ( t ) ( i = 0, 1 , 2 k 1 4 ; j= 0 , 1 , 2 k , 3 , 4 )( k = 0, l , . . .,m-1) be one-step transition probabilities of a Markov renewal process and $(s) be the Laplace-Stieltjes , $(s) = e P t d @ ( t )for R e ( s ) > 0. Then, (LS) transform of any function @ ( t )i.e., by the similar method of and from Appendix A, we have

som

First, we derive the mean time !(m) from the beginning of system operation until a server completes the request processing at m times. Let H 0 , 3 ( t ) be the

184

Figure 1. Transition diagram between system states

first-passage time distribution until from state 0 to state 3. Then, we have m-1

H0,3(t)

Qo,l(t)

* Q 1 , 3 ( t ) + Q o , I ( ~ )* C Q 1 , ~ r* Q 2 k , 3 ( t ) k=O m-1

+Qo,i(t)

* C Q 1 , 2 k ( t ) * &2,,4(t) * Q4,0(t) * H 0 , 3 ( t ) . k=O

Taking the LS transforms on both sides of (7) and arranging them, we have

Thus, the mean time t ( m ) until a server completes the request processing at m times is

[ ( m )= lim

-dh0,3(s)

ds ’ a+~($+a)+(;+V)[Cy~((l-p)”(l-zm-k)l

S+O

-

1-

cp?;(l

3

- p)”(l

~

zm--k )

(9)

where z = b(X)d(X) and 0 < z < 1. Next, we derive the expected number of occurrence of errors. The expected number M ( t ) of occurrence of errors until a server completes the request processing

185

at the m times during ( 0 ,t] is given by the following equation: m-1

M ( t ) = &o,l(t) *

&1,Z,(t)

* &Zk,4(t) * [I f &4,0(t) * h f ( t ) ] .

(10)

k=O

The LS transform m(s)of M ( t ) is

Thus, the expected number M ( m ) of occurrence of errors until a server completes the request processing at the m times is given by

XFG1(l- p)kp(l - z7n-k)

M ( m ) f lim m(s)= s+o

1 - C r G l ( 1 - p)kp(l

- zm-k

1

( m= 1 , 2 , . . ' ) .

(12)

3. Optimal Policy We obtain the expected cost and discuss an optimal policy which maximizes it: Let c1 be the cost for occurrence of errors, c2 be the profit for execution of request processing. Then, we define the expected profit C ( m ) ( C ( m )2 0) until a server completes the request processing at m times as

C ( m )= czm - clM(m),

We seek an optimal m* which maximizes C ( m ) .We put formally that A(m) = l/ C (m) and seek m* which minimizes A(m). From the inequality A(m+l)-A(m) 2 0, we have P(l [l - c;=o(l

-

z ) C b o ( l - p)"m-k

- p)kp(l - zm+l-k )][1-

Zy!)l(l -p)"(l

> -c2 - zm-k)]

-

c1

( m = 1, 2, . . .).

(14)

Denoting the left side of (14) by L(m),we have

Hence, if L ( m )> L ( m - l),then L ( m ) is strictly increasing in m from L(1). Thus, we have the following optimal policy: (1) If L(1) < cz/cl and L(m)> L ( m - l ) , then there exists a finite and unique minimum m*(> 1) which satisfies (14). (2) If L(1) 2 cz/c1 and L(m)> L ( m - l),then m* = 1.

186 Table 1. Optimal number m* to maximize C ( m ) .

500

1000

1500

4. N u mer ic al E x a m p l e

We compute numerically the optimal number m* from (14): Suppose that the mean time l / d for request processing is a unit of time in order to investigate the relative tendency of performance measures. It is assumed that the mean time for restriction of the access is a /( l/d ) = 1, the mean time to request occurrence is (l/b)/(l/d) = 10, the mean time to error occurrence is (l/A)/(l/d) = 100 1500, the mean time from occurrence of errors t o restart again is v/(l/d) = 1, the probability that a part of control can not be used is p = 0.05 0.20, the profit for execution of request processing is a unit of profit and the cost rate of occurrence of errors is c1/c2 = 10 100. Table 1 gives the optimal execution number m* which maximizes the expected profit. For example, when p = 0.05, (l/A)/(l/d) = 1000 and q/cZ = 20, the optimal number is m* = 160. This indicates that m* increases with (l/A)/(l/d), however, decreases with p and c1/cz. This can be interpreted that when the cost for occurrence of errors is large, m* decreases with c 1 / c ~ ,so that errors should not occur. Table 1 also presents that m* depends little on p when p is large. N

N

N

5 . Conclusions

We have investigated the stochastic model where a server system with access restriction and have discussed the optimal policy which maximizes the expected profit until a server completes the request processing at m times. LFrorn the numerical example, we have shown that the optimal execution number increases with the mean time to occurrence of errors, however, decreases with the probability that a part of control can not be used and the cost for occurrence of errors. It would be very important to evaluate and improve the reliability of a server

187

system. The results derived in this paper would be applied in practical fields by making some suitable modification and extensions. Further studies for such subject would be expected.

appendix A.Derivation of mass function q the mass functionq t from state i at time o to state j at time t are given by the follinge2quaqtions;ow

&2,,4(t)

=

J

c

t m-1-k

0

[ ~ ( z*)D ( % ) I (*~[)I - ~ ( z* )~ ( z ) l d ~ ( z ) ,

j=o

Q4,0(t) = V ( t ) , (A.5) where the asterisk mark denotes the Stieltjes convolution, ~ ( ~ )denotes ( t ) the ifold Stieltjes convolution of a distribution a ( t ) with itself, i.e., a ( i ) ( t )= c ~ ( ~ - ' ) ( t ) * a ( t ) , a ( t )* b ( t ) = J; b(t - u)da(u).

References 1. M. Imaizumi, M. Kimura and K. Yasui, Reliability Analysis for an Applet Execution Process, The Transactions of the Institute of Electronics, Information and Communication Engineers of Japan, J87-A, 375-381 (2004). 2. K. Kenichi and S. Chiba, A Secure Mechanism for Changing Access Restrictions of Servers, The Transactions of Information Processing Society of Japan, 42, 1492-1502 (2001). 3. K. KouheiCG. Mansfield, Illegal Access Detection on the Internet, The Transactions of the Institute of Electronics, Information and Communication Engineers of japan, J83-B, 1209-1216 (2000). 4. M. Asaka, T . Onabuta, T. Inoue, S. Okazawa and S. Goto, Remote Attack Detection Method in IDA: MLSI-Based Intrusion Detection with Discriminant Analysis, The Transactions of the Institute of Electronics, Information and Communication Engineers of Japan, J85-B, 60-74 (2002). 5. Y. Takei, K. Ohta, N. Kato and Y. Nemoto, Detecting and Tracing illegal Access by using Traffic Pattern Matching Technique, The Transactions of the Institute of Electronics, Information and Communication Engineers of Japan, J84-B, 1464-1473 (2001). 6. S. Osaki, Applied Stochastic System Modeling, Springer-Verlag Berlin (1992). 7. K. Yasui, T. Nakagawa and H.Sando, Reliability Models in Data Communication Systems, Stochastic Models in Reliability and Maintenance(edited by S. Osaki), SpringerVerlag, Berlin, 281-301 (2002).

This page intentionally left blank

CONTINUOUS-STATE SOFTWARE RELIABILITY GROWTH MODELING WITH TESTING-EFFORT AND ITS GOODNESS-OF-FIT*

s. INOUE+ AND s. YAMADA Department of Social Systems Engineering, Faculty of Engineering, Tottori University, 4-101 Minami, Koyama-cho, Tottori-shi, Tottori 680-8552, JAPAN E-mail: { ino, yamada} @sse.tottori-u.ac.jp

We propose a continuous-state software reliability growth model with testing-effort and conduct its goodness-of-fit evaluation. A testing-effort is well-known as a key factor being related to the software reliability growth process. We also discuss a parameter estimation method for our model. Then, several software reliability assessment measures are derived from the probability distribution of its solution process, and we compare our model with existing continuous-state software reliability growth models in terms of goodness-of-fit by using actual fault count data.

1. Introduction

A software reliability growth model (SRGM)4,9,10has been utilized to assess software reliability of the products quantitatively since 1970’s. Continuous-state space SRGM’s are proposed to assess software reliability for large scale software systems. Tanaka et a1.’ have discussed a framework of the continuous-state space software reliability growth modeling based on stochastic differential equations of ItG type, Yamada et aL8 have compared the continuous-state space SRGM with the nonhomogeneous Poisson process models. However, these continuous-state space SRGM’s have not taken testing-effort into consideration. The testing-effort5 such as number of executed test-cases, attained testing-coverage, and CPU hours expended in the testing phase is well-known as one of the most important factors being related t o the software reliability growth process. Under the above background, there is necessity t o discuss a testing-effort *This work is partially supported by the Japan Society for the Promotion of Science, Grant-in-Aid for Scientific Research (C)(2). Grant No. 15510129. ?The first author is financially supported by the Sasakawa Scientific Research Grant from the Japan Science Society, Grant No. 16-064.

189

190

dependent SRGM on a continuous-state space for t,he purpose of developing a plausible continuous-state space SRGM. This paper discusses continuous-state space modeling with the testing-effort factor by applying methematical technique of stochastic differential equations of ItG type. Concretely, we extend a basic differential equation describing the behavior of the cumulative number of detected faults to stochastic differential equations of It'd type considering with the testing-effort, and derive its solution process which represents the fault-detection process. Then, we discuss parameters estimation methods for our models. Finally, several software reliability assessment measures are derived by utilizing a probability distribution of the solution process, and we compare our model with existing continuous-state software reliability growth models in terms of goodness-of-fit by using actual fault count data. 2. Continuous-state space SRGM In this section we discuss a framework of continuous-state space software reliability growth modeling. Letting N ( t ) be a random variable which represents the number of faults detected up t o time t , we can derive the following linear differential equation from the common assumption for software reliability growth modeling6:

where b ( t ) indicates the fault-detection rate at testing time t and is assumed to be a non-negative function, and a the initial fault content in the software system. Eq.(l) describes the behavior of the decrement of the fault content in the software system. Especially, in the large-scale software development, a fault-detection process in an actual testing phase is influenced by several uncertain testing factors such as testing-skill, debugging environment, and so forth. Accordingly, we should take these factors into consideration in software reliability growth modeling. Thus, we extend Eq.(l) to the following equation: d N-( t ) - { b ( t )

dt

+ E(t)}{a

-

N(t)},

where [ ( t ) is a noise that exhibits an irregular fluctuation. For the purpose of making its solution a Markov process, [ ( t )in Eq.(2) is given as E(t) = a y ( t )

(a > 01,

(3)

where (T indicates a positive constant representing magnitude of the irregular fluctuation and y a standardized Gaussian white noise. We transform Eq.(2) into the following stochastic differential equation of It'd type3: 1 d N ( t ) = { b ( t ) - - a z } { a - N ( t ) } d t+ a { a - N ( t ) } d W ( t ) , 2

(4)

191

where W ( t ) is a one-dimensional Wiener process which is formally defined as an integration of the white noise y(t) with respect to time t. The U’iener process W ( t ) is a Gaussian process, and has the following properties: (a) Pr[W(O) = 0] = 1, (b) E[W(t)l = 0, (c) E[W(t)W(t’)]= min[t, t’], where Pr[ ‘1 and E[ .] represent the probability and expectation, respectively. Next, we derive a solution process N ( t ) by using the ItB’s formula. The solution process N ( t ) can be derived as

Eq.(5) implies that the solution process N ( t ) obeys a geometric Brownian motion3. And the transition probability distribution of the solution process N ( t ) is derived as

consequently, by the properties (a)-(c) and the assumption that W ( t )is a Gaussian process. a(.) in Eq.(6) indicates a standardized normal distribution function defined as exp(--)dy. Y2 2

@(z)= -

(7)

By giving an appropriate function by which the software reliability growth process is characterized t o b ( t ) in Eq.(5), we can derirve several SRGM’s. 3. Software Reliability Growth Modeling with Testing-Effort 3.1. Modeling

For the purpose of developing an SRGhil with the testing-effort, we characterize b ( t ) in Eq.(5) as follows:

b(t) = bT(t) = r . s(t)

(0

< T < l),

(8)

where T represents the fault-detection rate per expended testing-effort at testing time t and s ( t ) 3 d S ( t ) / d t in which S ( t ) is the amount of testing-effort expended by arbitrary testing time t . Thus, based on the framework of continuous-state space modeling discussed in the previous section, we can obtain the following solution process:

[

N ( t ) = N T ( ~=) a 1 - exp

{

--T

Jot

= a [1- exp { - r S ( t )

I1

s(7)d.r - oW(t) -

o W ( t ) } .]

(9)

192

The transition probability distribution function of the solution process in Eq.(9) can be derived as

We should specify the testing-effort function s ( t ) in Eq.(8) to utilize the solution process N T ( ~in) Eq.(9) as an SRGM.

3.2. Testing-effortfunction We need t o specify a suitable function for the s ( t ) in Eq.(8). In this paper we describe a time-dependent behavior of testing-effort expenditures in the testing by using a U’eibull curve function5, i.e., s ( t ) = apmtm-’ exp{ -pt”}

(a > 0, p > 0, m > 0),

(11)

then,

S ( t )=

l

S ( T ) ~ T=

a [I - exp{-Ptrn}] ,

(12)

where a is the total amount of expended testing-effort expenditures, p the scale parameter, and m the shape parameter characterizing the shape of the testingeffort function. The Weibull curve function has a useful property t o describe the time-dependent behavior of the expended testing-effort expenditures during the testing in the followings. When m = 1 in Eqs.(ll) and (12), we can obtain the exponential curves. And when m = 2, we can derive Rayleigh curves. Thus, we can see that the Weibull curve function is a useful one as a testing-effort function which can grasp the time-dependent behavior of the expended testing-effort expenditures flexibly. 4. Estimation Methods of Unknown Parameters

We discuss methods of parameter estimation for the testing-effort function in Eq.(ll) and the solution process in Eq.(9), respectively. We suppose that K data pairs ( t j , g j , n j ) ( j = 0 , 1 , 2 , . . . , K ) with respect to the total number of faults, n j , detected during the time-interval (0, t j ] , and the amount of testing-effort expenditures, g j , expended at t j are observed.

4.1. Testing-effortfvnction For a parameter estimation method for the testing-effort function in E q . ( l l ) , we apply a method of least squaresg. First, we can obtain a natural logarithm for E q . ( l l ) as follows: logs(t) = l o g a + l o g p + l o g m + ( m - l ) l o g t - p t ” .

(13)

193

Then, the sum of the squares of vertical distances from the data points to the presumed values is derived as K

S(% P, m) = c { l o g Y j

(14)

-

j=1

p,

by using Eq.(13). The parameter estimates 6, and 6 which minimize S ( a , 0,rn) in Eq.(14) can be obtain by solving the following simultaneous equations:

as as - a s aa ap -dm = 0.

- ---

(15)

4.2. Solution process

Next, we discuss a parameter estimation method for the solution process in Eq.(9) by using a method of maximum-likelihood. Let us denote the joint probability distribution function of the process NT(t) as

P(tl7 nl;t2, n 2 ; .

'

'

; t K ,n K )

Pr[NT(tl)5 nl~NT(t2)5 n 2 , ' " N d t K ) 5 nKINT(0) = 01,

(l6)

and also denote its density as

Since NT(t) in Eq.(9) has a Markov property, we can constract the following logarithmic likelihood function L consequently for the observed data pairs ( t j , n j ) ( j= 0,1,2,..* , K ) : L = logp(tl7nl;t 2 , n2; ' . . ; t K , n K ) K

K

= -)log(a-nj)-KlogO--log27r2 j=l

1 -log(tj-tj-l) 2

We can obtain the maximum likelihood esitmates C, ?, and a^ by solving the following simultaneous likelihood equations numerically:

5. Software Reliability Assessment Measures

We discuss instantaneous MTBF (mean time between software failures or faultdetections) and cumulative MTBF which have been used as the substitutions for the MTBF. First, an instantaneous MTBF is approximately given by

194

0

4

2

6

8 10 12 14 16 18 20 22 24 26 28 30 32 34 35 35 40 TeDIlW Time (number d mamhr)

Figure 1. The estimated testing-effort function.

1400 1300

1

5 3

P

1200 1100 1000 900

800 700

6

600 500

2: 0

_

_

_

_

_

^

^

200 100 0 0

Figure 2.

2

4 6

8 10 12 14 16 18 20 22 24 26 26 30 32 34 35 35 40 TestngTms (number d -ha)

The estimated expected number of detected faults.

We need t o derive E[iV~(t)lwhich represents the expected number of faults detected up to arbitrary testing time t to obtain E[diV~(t)] in Eq.(20). By noting that the Wiener process W ( t ) N ( 0 , t ) , the expected number of faults detected up t o arbitrary testing time t is obtained as

-

- ( r S ( t ) - -a%) 2

I1

.

Then, since the Wiener process has the independent increment property, W ( t )and dW(t)are statistically independent with each other, and E[dW(t)] = 0, E [ d N ~ ( t ) l in Eq.(20) is finally derived as 1 1 E[dN~(t)l= a{rs(t)- -02}exp{-(rS(t) - -a2t)}dt. 2 2 Thus, the instantaneous MTBF in Eq.(20) can be obtained as

(22)

195

TeSfinp lime (number d months)

Figure 3.

The estimated instantaneous and cumulative MTBF’s, respectively.

The cumulative MTBF is approximately derived as

6. Model Comparisons

In this section we show the results of goodness-of-fit comparisons between our model and other continuous-state space SRGM’s’l such as exponential, delayed S-shaped, and inflection S-shaped stochastic differential equations in terms of the mean square errors (MSE)’ and Akaike’s Information Criterion’. As t o the goodness-of-fit comparisons, we use two actual data sets2 named as DS1 and DS2, respectively. DS1 and DS2 indicate an S-shaped and exponential reliability growth curves, respectively. Table 1 shows the results of model comparisons. We can see that our model improves a performance of the MSE and the AIC compared with other continuousstate space SRGM’s discussed in this paper, especially for DS1. 7. Numerical Examples

We show numerical examples by using testing-effort data recorded along with detected fault count data collected from the actual testing. In this testing, 1301 faults are totally detected and 1846.92 (testing hours) are totally expended as the testing-effort within 35 months2 Figure 1 shows the estimated testing-effort function Z ( t ) in Eq.(ll) in which the parameter estimates Ei = 2253.2, p^ = 4.5343 x lop4, and f i = 2.2580. Figure 2 shows the estimated expected number of detected faults in Eq.(21) where the parameter estimates in g [ N ~ ( tare ) ] obtained as ii = 1435.3, F = 1.4122 x and 6 = 3.4524 x 10W2. Furthermore, Figure 3 shows the time-depedent behavior of the estimated instantaneous and cumulative MTBF’s in Eqs.(20) and (24), respectively. From Figure 3, we can see that the software reliability decreases in the early testing period, and then, the software reliability grows as the testing procedures go on.

196 Table 1. T h e results of model comparisons. Proposed model MSE

AIC

Exponential SDE model

Delayed S-shaped SDE model

Inflection S-shaped SDE model

DS1 DS2

1367.63

22528

1370.8

1332.34

6018.65 36549

6550.37 1986.8

DSl

306.15

DS2

125.51

325.32 125.18

315.98 131.65

318.57 126.47

(SDE : stochastic differential equation)

8. Concluding Remarks

In this paper we have dicussed a continuous-state space SRGM with testingeffort by using mathematical technique of stochastic differential equations and its parameters estimation methods. Then, we have presented numerical illustrations for the software reliability assessment measures and also conducted goodness-of-fit comparisons by using actual data sets. Further studies are needed t o evaluate for our model by using more observed data.

References 1. H. Akaike, “A new look at the statistical model identification,” IEEE Trans. Auto. Cont., AC-19, pp. 716-723 (1974). 2. W.D. Brooks and R.W. Motley, “Analysis of Discrete Software Reliability Models,” Technical Report RADC-TR-80-84, Rome Air Development Center, New York (1980). 3. B. Bksendal, Stochastic Differential Equations An Introduction with Applications. Springer-Verlag, Berlin (1985). 4. S. Yamada and S. Osaki, “Software reliability growth modeling Models and applications,” IEEE Trans. Soft. Eng., SE-11, pp. 1431-1437 (1985). 5. S. Yamada, H. Ohtera, and H. Narihisa, “Software reliability growth models with testing-effort,” IEEE Trans. Reliab., R-35,pp. 19-23 (1986). 6. J.D. Musa, D. Iannio, and K. Okumoto, Software Relaability :Measurement, Prediction, Application. McGraw-Hill, New York (1987). 7. H. Tanaka, S. Yamada, S. Kawakami, and S. Osaki, “On a software reliability growth model with continuous error domain - Application of a linear stochastic differential equation -,”(in Japanese), Trans. IEICE, J74-A, pp. 1059-1066 (1991). 8. S. Yamada, M. Kimura, H. Tanaka, and S. Osaki, “Software reliability measurement and assessment with stochastic differential equations,” IEICE Trans. Fundamentals., E77-A, pp. 109-116 (1994). 9. K. Pham,Software Reliability. Springer-Verlag, Singapore (2000). 10. S. Yamada, “Software reliability models,” in Stochastic Models in Reliability and Maintenance ($3. Osaki, Ed.), Springer-Verlag, Berlin, pp. 253-280 (2002). 11. S. Yamada, A. Nishigaki, and M. Kimura, “A stochastic differential equation model for software reliability assessment and its goodness-of-fit,’’ Intern. J. Reliab. and Applic., 4, pp. 1-11 (2003).

ANALYSIS OF DISCRETE-TIME SOFTWARE COST MODEL BASED ON NPV APPROACH*

K . IWAMOTO~,T. DOHI+ AND N. K A I O ~ t Department of Information Engineering, Hiroshima University 1-4-1 Kagamiyama, Higashi-Hiroshima 739-8527, JAPAN Department of Economic Informatics, Hiroshima Shudo University 1-1-1 Ozukahigashi, Asaminamiku, Hiroshima 731-3195, JAPAN E-mail: [email protected]/[email protected]

This article concerns the determination problem of the optimal rejuvenation schedule for an operating software system subject to the software aging phenomenon. Especially, we focus on the discrete-time operating environment and derive the optimal software rejuvenation time which minimizes the expected total discounted cost over an infinite time horizon, based on the familiar net present value (NPV) approach. Further, we develop a statistical algorithm to estimate the optimal software rejuvenation time from the complete sample of failure time data.

1. Introduction When software application executes continuously for long periods of time, some of the faults cause software to age due to the error conditions that accrue with time and for load. Software aging will affect the performance of the application and eventually cause it to fail. Software aging has also been observed in widely-used software like Internet Explorer, Netscape and xrn as well as commercial operating systems and middleware. A complementary approach to handle software aging and its related transient software failures, called software rejuvenation, are becoming quite popular [6, 71. Software rejuvenation is a preventive and proactive solution that is particularly useful for counteracting the phenomenon of software aging. It involves stopping the running software occasionally, cleaning its internal state and restarting it. Cleaning the internal state of a software might involve garbage collection, flushing operating system kernel tables, reinitializing internal data structures, and hardware reboot [6]. Huang et al. report the software aging phenomenon in real telecommunications billing application, where over time the application experiences a crash or a hang failure, and propose to perform rejuvenation occasionally. More specifically, they

’

*This work is supported by the grant 15651076 (2003-2005) of Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Exploratory Research, and the Research Program 2004 under the Institute for Advanced Studies of the Hiroshima Shudo University, Japan.

197

198

model the degradation process as a two-step process. From the clean state the software system jumps into a degraded state from which two actions are possible: rejuvenation with return to the clean state or transition to the complete failure state. They propose a continuous-time Markov chain with four states and derive the steady-state system availability and the expected cost per unit time in the steady state. Dohi e t al. extend the original Huang et al. model to semi-Markov models and develop a non-parametric algorithm to estimate the optimal software rejuvenation schedule from the complete sample of failure time. Recently, Aung and her co-author reconsider the ogtimal software rejuvenation based on the concept of survivability. This article treats a software rejuvenation model similar to the one considered by Dohi et al. under a different operation circumstance. Here, we model the dynamic behavior of telecommunication billing applications by using a discrete-time Markov process (DTMP), and determine the optimal software rejuvenation schedule in discrete-time setting. The discrete-time rejuvenation models are analyzed by Dohi et al. 5 , where the expected cost per unit time in the steady state is used as a criterion of optimality. In this article, we discuss the optimal software rejuvenation time which minimizes the expected total discounted cost over an infinite time horizon. The idea on discounted cost is introduced in the literature [4] based on the familiar net present value (NPV) approach. We take account of the both aspects: discrete-time operation environment and discounted cost, in modeling the software cost model with rejuvenation for the telecommunications billing application. Further, we develop a statistical algorithm to estimate the optimal software rejuvenation time from the complete sample of failure time data. Then the statistical device called the modified discrete total time on test (MDTTT) transform and its numerical counterpart will be used. 2. Discrete Software Cost Model Consider the discrete time software model with rejuvenation similar to the one discussed in Dohi e t al. in discrete time. Define the following four states. State 0; highly robust state (normal operation state), State 1; failure probable state, State 2; software rejuvenation state from failure probable state, State 3; failure state. Figure 1 illustrates the transition diagram for the DTMP under consideration. Suppose that the software system is started for operation at time n = 0 and is in the highly robust state (State 0). Let Z be the random time to reach the failure-probable state (State 1) from State 0. Let Pr{Z 5 n } = Fo(n), ( n = 0 , 1 , 2 , . . . ) , having p.m.f. fo(n)and mean po (> 0). Just after the current state transits to State 1, a system failure may occur with a positive probability. Let X be the time to failure from State 1 having c.d.f. Pr{X 5 n } = F f ( n ) , p.m.f. f f ( n )and mean pf (> 0). If the failure occurs before triggering a software rejuvenation, then the recovery operation is started immediately. The time to complete the recovery operation Y is also a positive random variable having c.d.f.

199

Figure 1. Transition diagram of DTMP.

Pr{Y 5 n } = F a ( n ) and mean pa (> 0). Without any loss of generality, it is assumed that after completing recovery operation the system becomes as good as new. On the other hand, the rejuvenation is performed at a constant time interval measured just after entering State 1. The time to invoke the software rejuvenation is given by the integer value no which is the decision variable, and the c.d.f. of the time to complete software rejuvenation are given by F,(.n) with p.m.f. fc(n)and mean pc (> 0). In this article we call no ( 2 0) the sofiware rejuvenation schedule. After completing the rejuvenation, the software system becomes as good as new, and the software age is initiated at the beginning of the next highly robust state. Let cs and cp be the recovery cost from system failure per unit time and the rejuvenation cost per unit time, respectively. Also we define the discrete time discount factor cy E ( 0 , l ) to formulate the NPV of the expected cost function. We make the following two assumptions:

The assumption (1)implies that the probability generating function of recovery time is strictly larger than that of preventive rejuvenation time. Also the assumption ( 2 ) says that the expected discounted cost of recovery operation is strictly larger than that of preventive rejuvenation. These assumptions can be intuitively validated from the economical point of view.

3. NPV Approach We formulate the expected total discounted cost over an infinite time horizon. Focusing on the probabilistic behavior of one cycle (from State 0 to State 0 next), we

200 obtain the present value of mean unit cost after one cycle and the expected total discounted cost for one cycle by

z=O s=O z=no+l

k=l

respectively. Then the expected total discounted cost over an infinite time horizon is given by

Then the problem is to seek the optimal software rejuvenation schedule ng which minimizes TC(n0). It is evident that lima+l(l - a)TC(no)is reduced to the expected cost per unit time in the steady state in [5]. Taking the difference of TC(n0)with respect to no, define the following function: -

4no) =

S(no)va(no + 1) - $(no+ l)Va(no) ano+lFj(nO)

7

(4)

where the discrete failure rate r ( n ) = f f ( n ) / F f ( n -1) is assumed to be a monotone function of n and in general F ( . ) = 1 - F ( . ) . Two special cases in the expected total discounted cost, no = 0 and no 00,are the following: --f

and

The following result gives the optimal software rejuvenation schedule minimizing the expected total discounted cost.

Theorem 3.1. (1) Suppose that the failure time distribution is strictly I F R (increasing failure rate) under the assumptions (1) and (2).

(i) I f q ( 0 ) < 0 and q(m) > 0 , then there ezist (at least one, at most two) optimal software rejuvenation schedules n(; (0 < n;t < co) satisfying q(n6 - 1) > 0

201

and q(nE) 5 0 . Then, the corresponding expected total discounted cost over an infinite time horizon TC(n(;)is given by TCk(nG)5 TC(n6)< TCk(nG f I),

(7)

where

(ii) If q ( 0 ) 2 0, then the optimal software rejuvenation schedule is nc = 0 , i.e. it is optimal to trigger the software rejuvenation just after entering the failure probable state. Then, the minimum expected total discounted cost is given in Eq.(5). (iii) If q ( m ) 5 0, then the optimal software rejuvenation schedule is n; + m, i.e. it is optimal not to carry out the software rejuvenation. Then, the minimum expected total discounted cost is given in Eq. (6). (2) Suppose that the failure time distribution is DFR (decreasing failure rate) under the assumptions ( 1 ) and (2). Then, the expected total discounted cost TC(no)is a concave function of no, and the optimal software rejuvenation schedule is n(;= 0 or n; + m. 4. Statistical Estimation Algorithm

Dohi et al. define the discrete total time on test (DTTT) transform of the discrete probability distribution FJ ( n )by

where F;'(p) = min{n : F f ( n ) > p } - 1 and p j = E,"==,q(n). On the other hand, in this article we define the modified discrete total time on test (MDTTT) transform by

where G - l ( p ) = min{no : 1 - cP°Ff(no)> p } - 1 if the inverse function exists. cu"Ff(z) and lima-l &(p) = + ( p ) . In a fashion Then it is evident that ra = similar to the case of DTTT transform in Eq. (9), it can be shown that F f ( n ) is IFR (DFR) if the function & ( p ) is concave (convex) in p E [0,1]. After some algebraic manipulations, we obtain the following useful result to interpret the underlying optimization problem minosno<mTC(n0)geometrically.

xr=o

202 Theorem 4.1. Obtaining the optimal software rejuvenation schedule no* minimizing the expected total discounted cost TC(n0) is equivalent t o obtaining p* ( 0 5 p* 5 1) so as to

where cs

< czo EL,

{ a ( l - c ) - b ( l - c ) } / { ( l - a ) ( a d - bc)7,}, = a / ( a d - bc) - 1, a = Q k + + " f a ( Y ) f o ( zb) ,= .PC,"=, ~ k + " f c ( s ) f o ( z c) l= CEO ~ y + + " f a ( Y ) f O (and z)>d = C O : CzO ~ Y + + " f C ( S ) f O ( ~ ) . =

c:, ego c:=, ,:c

Theorem 4.1 is the dual of Theorem 3.1. From this result, it is seen that the optimal software rejuvenation schedule no* = G-l ( p * ) is determined by calculating the optimal point p*(O 5 p* 5 1) maximizing the tangent slope from the point (-0, - Y , (6, = 0). And n, = C,"=, 6, is the number of automobiles that fail in the warranty period, nc = CLl(l- 6,)D, is the number of automobiles without failure in the warranty period but for which mileage N (1 - 6,)( 1 - 0,)is the number of was determined through follow-up, and nl = Cz=l automobiles without failure that have not been followed up in the warranty period. The estimator is 8 ' in G, at which L' in (1) is maximized. Kalbfleisch and Lawless [9] proposed likelihood-based methods for the analysis of field-performance studies with particular attention centered on the estimation of regression coefficients in parametric models. They developed the idea of Suzuki [4] for the analysis of warranty data with missing covariate information and proposed

231 the pseudo-likelihood,

L#

=

L1 1 [el ] Uf(Z2)

(F(2j))”’

.

+

This result from the fact that, in equation (l), 1 nl/n, converges t o p* = (l/N) Di, the percentage of products, e.g., automobiles, followed up; where Di = 1 if the i-th product is followed up; otherwise, D, = 0 (i = 1 , 2 , . . . ,N ) . Hu and Lawless [lo] also apply this approach to the covariate analysis using estimating functions. More general types of pseudo-likelihood methods and their asymptotic properties when covariate information is missing are investigated by Hu and Lawless

EL=,

[Ill.

3. Age-based claims analysis The age-based (or age-specific) analysis of product failure data has engendered considerable interest in the literature (Kalbfleisch, et al. [5];Kalbfleisch and Lawless [7]; Lawless [2]; Karim, et al. [la, 131). Kalbfleisch, et al. [5] assumed that if N, cars are put into service on day x, nxtl be the number of claims at age t and with a reporting lag 1 for cars put into service on day x, then nztl Poisson(p,tl), where the mean of the Poisson is pxtl = N,Xtfl, where At is the expected number of claims for a car at age t and f i is the probability that the repair claim enters the database used for analysis 1 days after it takes place. The data comprise the claim frequencies n,tl, where x t 1 5 T (T is the current date), and give rise to the likelihood N

+ +

Lawless and Kalbfleisch [14] reviewed some issues in the collection and analysis of warranty data and showed that if the Nx’s and the number nxt of age t claims on units which entered service on day x are known, the estimate of At is given by

+

since E(nxt)=N,Xt, (0 5 z t 5 T ) . Estimate in (4) can also be obtained from the likelihood (3) if the probability of reporting lag fi is ignored or known. Kalbfleisch and Lawless [7] and Lawless [2] give a comprehensive review of some methods for age-based analysis of warranty claims and costs, and the estimation of failure distributions or rates. They defined the moment estimate for the expected number of claims for a unit at age a , i ( u ) as

where n T ( u )= CzztnT(d,a)is the total number of age a claims reported up to day T , n T ( d , a ) is the total reported number of claims at age u for those units sold

232 on day d. @ ( a ) = CzGt N ( d ) F ( T- d - a ) , where N ( d ) 2 0 denotes the number of units sold on day d, F ( r ) = f(0) f(1) . . . f ( r ) and f(r)=Pr(a claim is reported r days after).

+

+

+

4. Aggregated warranty claims analysis

Sometimes manufacturers have warranty claims data only in aggregate form and they analyze claim rates for their products by using these aggregated data. Trindade and Haugh [15] discussed the complexities involved in statistically estimating the reliability of computer components from field data on systems having different total operating times for the systems at any specific reference time of analysis. In a related paper, Baxter [16] describes a method of estimation from quasi life tables where no observations of the lifetimes of individual components have been recorded; rather the numbers of components which fail between successive equally-spaced time points are recorded. In relation with the method of Baxter [16], Tortorella [17] studied a problem arising in the analysis of field reliability data generated by a repair process. The author constructed a pooled discrete renewal process model to estimate the reliability of a component and use a maximum likelihood-like method to estimate the parameters. 5. Marginal counts of claims analysis Due to the diffuse organizations of service departments or repair service networks and to reduce the data collecting and maintenance costs, Karim, et al. [la, 131 and also Suzuki, et al. [18] suggested a minimal database for product warranty data combining information from different sources for particular time periods. For example, they suggested to use the monthly sales amounts, Ny, y = 1,2,. . . ,Y , provided by the sales department, and the number of claims registered for a given month, r J ,j = 1 , 2 , . . . ,T, provided by the service department. Suppose { r y t } be the number of products sold in the yth month which failed after t months (at age t ) for t = 0,1,. . . ,min(W - 1,T - y), where T (T 2 Y ) is the number of observed months, W is the length of the warranty period, and min(1.Y)

y=max( 1,j- W+1)

be the count of failures occurring in the j t h month. { r j } is called the marginal count failure data. Karim et al. [la, 131 used a nonhomogeneous Poisson process to model the failure counts for the repairable products and assumed that for each sales month y, y = 1 , 2 , . . . , Y , the ryt, t = 0,1, . . . ,min(T - y, W - 1) are independently distributed as Poisson distributions with mean NY&,that is, ryt N

Poisson(N,&)

(6)

233 where At is the mean number of failures at age t per product. Under model ( 6 ) , { r j } ,j = 1,2,.. . ,T , are independently distributed according to Poisson with mean rn3 - C y=max(l,j-W+l) mWd Ny&,. Therefore, the observed data log likelihood is

c T

logL(A,;rj)

=

{-mj

+ T j log (rnj) - log(rj!)}.

(7)

j=1 The unconstrained MLE of (7) gives

At

is derived by directly maximizing the log likelihood

I TlINl,

if t = 0, min(Y-l,t)

(Tt+l

- C,=l

(8) ,+l~t-y)

/ N ~if, t = 1,2,.. . ,T

-

1.

Karim et al. [12] and Karim and Suzuki [19] also derived the constrained MLE of At via the Expectation-Maximization (EM) algorithm and discussed the properties of the estimators.

6. Warranty claims analysis by using covariates Sometimes expected claims may depend on factors such as manufacturing conditions or the environment in which the product is used (Lindley and Singpurwalla [LO]; and Li [all). The Poisson model ( 6 ) could be extended in the usual way to allow the covariate analysis. Suppose that there is a vector of covariates z associated with different groups of products that were produced in different time periods or operated in different seasons. The expected number of claims at age t entering service on month y, {ryt},can be conveniently modeled in the log linear form

where p is a vector of regression parameters. From model (9), Karim and Suzuki [22]considered two models: Model M 1 for the effects of operating seasons and Model M 2 for the effects of manufacturing characteristics, where z specifies respectively different operating seasons and different production periods. Model M 1 included the model presented in Karim et al. [12] as a special case when ,Bs = 0, ‘ds,s = 1,2,.. . , 5’. Also if we put S = 2, log(p1) = v and ,B2 = 0, Model M 1 becomes the model discussed in Karim and Suzuki [23] where they assumed only two different seasons in a year and the effect of the environment El is to either increase or decrease the parameter A t by a common positive factor 7. Model M 2 becomes the model presented in Karim et al. [13]to detect change-point .

7. Two dimensional warranty There are situations where several characteristics are used together as criteria for judging the warranty eligibility of a failed product. For example, for automobiles,

234 sometimes warranty coverage has both age and mileage limits, whichever occurs first, more specifically the 5-year-50,000-mile protection plan. Moskowitz and Chun [24] suggest a Poisson regression model for tweattribute warranty plan. They assumed that the number of events ni under the tweattribute warranty policies is distributed as a Poisson

where the parameter pi = f ( X i , p )with i = 1,2,. . . ,m, and ni = 0,1, . . . ,co,is a regression function of the age and usage amounts and ,B is the coefficient vector of the regression model. Lawless, et al. [25] discussed methods to model the dependence of failures on age and mileage, and to estimate survival distributions and rates from warranty claims data using supplemental information about mileage accumulation. Singpurwalla and Wilson [26] propose an approach for developing probabilistic models in a reliability setting indexed by two variables, time and a time-dependent quantity such as amount of use. They used these variables in an additive hazard model. Suzuki [27] considers the lifetime estimation measured in mileage considering age as a concomitant variable. Given the concomitant variable, the random variable of interest is assumed t o have a normal distribution. Independently of Suzuki [27], Phillips and Sweeting 1281 deal with the analysis of exponentially distributed warranty data with an associated variable having a gamma distribution as a concomitant variable.

8. W a r r a n t y

costs

analysis

There is an extensive volume of literature on the analysis of warranty costs. Robinson and McDonald [6] review the statistical literature on warranties relating t o the cost of warranty, the advertising value of a warranty, the warranty as a product attribute, dealer relations, customer satisfaction, and reliability. Blischke and Scheuer [29] analyzed p r e r a t a and free replacement warranty policies from both the buyer's and the seller's points of view. Blischke and Scheuer [30] provide further application of renewal theory to the analysis of the free replacement warranty from the seller's points of view. Nguyen and Murthy [31, 321 present a general model for repairable products for estimating both the warranty cost for a fixed lot size of sales and the number of units returned for repair in any time interval during their life cycle. Nguyen and Murthy [33] later reviewed free warranty policies for nonrepairable products and derived the expected total cost to the consumer and the expected total profit to the manufacturer over the product life cycle. More information on the analysis of warranty costs are also given in Mamer 134, 351, Matthews and Moore [36], Balcer and Sahin 1371, Frees [38],Blischke and Murthy [39], Sahin and Polatogu [40], Vintr [41] and Murthy and Djamaludin [8].

235 9. Sales lag and reporting lag analysis There are few literatures on the analysis of sales lag. Majeske, et al. [42] and Lu [43] discussed the importance of the estimation of sales lag. Karim and Suzuki [44] modeled the warranty claims to estimate the parameters, the age-based expected number of claims and the probability of sales lag, where the dates of sale of the products are unknown. They proposed a model based on follow-up information on the dates of sale to provide unique solutions for the parameters. In a series of papers by Kalbfleisch and Lawless and their collaborators discussed the methods for the analysis of reporting lag. References include Kalbfleisch and Lawless [45, 71, Kalbfleisch et al. [5], and Lawless [46, 21.

10. Forecasts of warranty claims Like expected warranty costs, forecasts of warranty claims are also important to the manufacturers. Articles by Robinson and McDonald [6],Kalbfleisch et al. [5],Chen, et al. [47]and Lawless [2] deal with methods for forecasting warranty claims. Meeker and Escobar [48] (Chap. 12) and Escobar and Meeker [49] explained methods for computing predictions and prediction bounds for the number of failures in a future time interval. 11. Concluding remarks

This review pointed out why field performance data, especially warranty claims data, is important and given a survey of the literature pertaining to the analysis of such data. The emphasis is given on the analysis of minimal databases, constructed by combining information from different sources. The research to be applicable for those who are responsible for product reliability and product design decisions in manufacturing industries. Since the literature on product warranty data is vast, more work on this problem is needed and expect to be performed in future by the authors. References 1. K. Suzuki, M. R. Karim and L. Wang, Handbook of Statistic: Advances in Reliability, eds. N. Balakrishnan and C. R. Rao, Elsevier Science, Vol. 20, 585 (2001). 2. J. F. Lawless, International Statistical Review, 66 No. 1, 41 (1998). 3. K. Suzuki, Journal of the American Statistical Association, 80, 68 (1985a). 4. K. Suzuki, Technometrics, 27,263 (1985b). 5. J. D. Kalbfleisch, J. F. Lawless and J. A. Robinson, Technometrics, 33,273 (1991). 6. J. A. Robinson a n d G. C. McDonald, In Data Quality Control: Theory and Pragmatics. Eds. G. E. Liepins and V. R. R. Uppuluri. New York: Marcel Dekker (1991). 7. J. D. Kalbfleisch and J. F. Lawless, In Product Warranty Handbook, Eds. W.R. Blischke and D.N.P. Murthy. New York: Marcel Dekker (1996). 8. D. N. P. Murthy and I. Djamaludin, Int. J. Production Economics, 79,231 (2002) 9. J. D. Kalbfleisch a n d J. F. Lawless, Technometrics, 30, 365 (1988).

236 X. J. Hu and J. F. Lawless, Biometrika, 83, 747 (1996). X. J. Hu and J. F. Lawless, Canadian Journal of Statistics, 25, 125 (1997). M. R. Karim, W. Yamamoto and K. Suzuki, Lifetime Data Analysis, 7,173 (2001a). M. R. Karim, W. Yamamoto and K. Suzuki, J. of the Japanese Society for Quality Control, 31, 318 (2001b). 14. J . F. Lawless and J . D. Kalbfleisch, In Survival Analysis: State of the Art. (J. P. Klein and P. K. Goel, eds.), Kluwer Academic Publishers, 141 (1992). 15. D. C. Trindade and L. D. Haugh, Microelec. Heliab., 20, 205 (1980). 16. L. A. Baxter, Biometrika, 81, No. 3, 567 (1994). 17. M. Tortorella, Lifetime Data: Models in Reliability and Survival Analysis, N. P. Jewel1 et al. (eds.), Kluwer Academic Publishers, pp. 331 (1996). 18. K. Suzuki, W. Yamamoto, M. R. Karim and L. Wang, In Recent Advances in Reliability Theory - Methodology, Practice and Inference, eds. N. Limnios and M. Nikulin, Birkhauser: Boston, pp. 213 (2000). 19. M. R. Karim and K. Suzuki, Znt. Journal of Statistical Sciences, 2, 1 ( 2 0 0 3 ~ ) . 20. D. V. Lindley and N. D. Singpurwalla, J. Appl. Prob., 23, 418 (1986). 21. L. Li, Lifetime Data Analysis, Vol. 6, 171 (2000). 22. M. R. Karim and K. Suzuki, Znt. J . of Reliability and Application, 4, 79 (2003a). 23. M. R. Karim and K. Suzuki, J . of the Indian Statistical Association, 40, 143 (2002). 24. H. Moskowitz and Y. H. Chun, Naval Research Logistics, 41, 355 (1994). 25. J. F. Lawless, X. J. Hu and J. Cao, Lifetime Data Analysis, 1,227 (1995). 26. N. D. Singpurwalla and S. P. Wilson, Adv. Appl. Prob., 30, 1058 (1998). 27. K. Suzuki, Rep. Stat. Appl. Res, 40, 10 (1993). 28. M. J. Phillips and T. J. Sweeting, J. of the Royal Statistical Society B, 58, 775 (1996). 29. W. R. Blischke and E. M. Scheuer, Naval Research Logistics Quarterly, 22, 681 (1975). 30. W. R. Blischke and E. M. Scheuer, Naval Research Logistics Quarterly, 28, 193 (1981). 31. D. G. Nguyen and D. N. P. Murthy, IIE Transactions, 16, 379 (1984a). 32. D.G. Nguyen and D.N.P. Murthy, Naval Research Logistics Quarterly, 31,525 (1984b). 33. D. G. Nguyen and D. N. P. Murthy, Operations Research, 22, No. 2, 205 (1988). 34. J. W. Mamer, Naval Research Logistics, 29, 345 (1982). 35. J. W. Mamer, Management Science, 33, No. 7, 916 (1987). 36. S. Matthews and J . Moore, Econornetrica, 55, 441 (1987). 37. Y. Balcer and I. Sahin, Operations Research, 34, 554 (1986). 38. E. W. Frees, Naval Research Logistics Quarterly, 33, 361 (1986). 39. W. R. Blischke and D. N. P. Murthy, Product Warranty Handbook (editors). New York: Marcel Dekker (1996). 40. I. Sahin and H. Polatogu, Quality, Warranty and Preventive Maintenance, Boston: Kluwer Academic Publishers (1998). 41. Z. Vintr, Proceedings Annual Reliability and Maintainability Symposium, 183 (1999). 42. K.D. Majeske, T.L. Caris and G. Herrin, Znt. J. of Production Economics, 50, 79 (1997). 43. M. W. Lu, Quality and Reliability Engineering International, 14, 103 (1998). 44. M. R. Karim and K. Suzuki, Pakistan Journal of Statistics, 20(1), 93 (2004). 45. J. D. Kalbfleisch and J. F. Lawless, Statistica Sinica, 1 , 19 (1991). 46. J. F. Lawless, Canadian Journal of Statistics, 22, No. 1, 15 (1994). 47. J. Chen, N. J. Lynn and Singpurwalla, In Product Warranty Handbook, Eds. W. R. Blischke and D. N. P. Murthy. New York: Marcel Dekker (1996). 48. W. Q. Meeker and L. A. Escobar, Statistical Methods for Reliability Data, John Wiley & Sons, Inc., New York (1998). 49. L. A. Escobar and W. Q. Meeker, Technometrics, 41, 113 (1999).

10. 11. 12. 13.

SIMULATED ANNEALING ALGORITHM FOR REDUNDANCY OPTIMIZATION WITH MULTIPLE COMPONENT CHOICES HO-GY UN KIM Dept. of Information & Industrial Engineering, Dong-Eui University, 995 Eomgwangno, Busanjin-gu Busan, 614-714,Korea CHANG-OK BAE ' SUNG-YOUNG PARK Dept. of Information & Industrial Engineering, Dong-Eui University, 995 Eomgwangno, Busanjin-gu Busan, 614- 714, Korea

This paper considers the series-parallel redundant reliability problem where each subsystem has multiple component choices. The subsystems are characterized by their reliability and resources such as cost and volume. If resource constraints comprise nonlinear functions, the problem becomes an NP-hard problem of combinatorial optimization problems. In this paper, a simulated annealing (SA) algorithm which determines the maximal reliability of series-parallel system configuration subject to the resources is proposed. To show its effectiveness, several test problems are experimented and the results are compared with those of previous studies.

1

Introduction

In general, two methods are used to improve the system reliability: (1) to increase the component reliabilities, and (2) to provide component redundancies. Using the methods also causes any increment of additional resources such as cost, weight, volume, etc. Therefore the design engineer has to decide suitable component reliabilities and redundancy levels. Redundancy optimization is to determine the optimal redundancy level of components in system subject to several resource constraints. Tillman et a[.'' considered only one component in each subsystem for the redundancy optimization. However, for more realistic system design, variety of different component types should be considered. In this paper, we consider the series-parallel redundant reliability problem where each subsystem has multiple component choices. The subsystems are characterized by their reliability and resources. Some heuristics for the redundancy optimization problem have been developed. Chern & Jan3 has dealt with a redundancy optimization for a series system where more than one component types were allowed for each subsystem. Fyffe et ul.' proposed a dynamic programming approach with a Lagrangian multiplier for searching optimal solution of the problem with two resource constraints. Nakagawa & MiyazakiI4 used surrogate constraints algorithm for the problem with two resource constraints. Sung & Cho" used branch-and-bound method based on the reduced solution space for the problem considered with only budget constraints and tested randomly generated numerical examples to show its efficiency. Hsieh' used a linear approximation for the

237

238 problem with two resource constraints and compared its performance with former studies. Ramirez-Marquez & C o d 6 proposed a heuristic approach to minimize system cost for the problem that is the multi-state series-parallel system. The heuristic methods have disadvantages that there exists no way to improve a solution at local optima and they should be properly developed for each problem characteristic. Therefore metaheuristics such as GA (genetic algorithm), SA (simulated annealing) and TS (Tabu search) are used to search the optimal solution of the ~ , & Smith6 and Yokota combinatorial optimization problems. Painton & C a m ~ b e l l ' Coit ei ~ 1 . ' used ~ GA to search optimal solution of the problem and showed that GA provides better solutions. Ida et a/.'' also used GA for the problem with several failure modes. More related papers are referred to the excellent survey paper by Kuo & Prasad". While several studies have used GA for the optimal reliability design, there are a few studies using SA algorithm. Angus & Ames' used SA algorithm to find the optimal redundancy levels minimizing system cost subject to reliability constraints. Ravi et al." considered the optimal redundancy levels maximizing system reliability subject to cost, mentioned that SA has advantages for the weight, and volume constraints. Kuo et application of the complex discrete optimization problems, but no many studies on the optimal reliability design exist. For the redundancy optimization with multiple component choices, GA is only used. In this paper, an SA algorithm is presented to search the optimal solution of the problem. To show its effectiveness, several test problems chosen from the previous studies are evaluated. This paper is organized as follows. In Section 2, redundancy optimization problems and some notations are briefly explained; in Section 3, the concept of the SA algorithm and its parameters are described; in Section 4, numerical examples chosen from previous studies are solved and discussed. Finally, conclusions and further studies are provided in Section 5.

2

Redundancy Optimization Problem

General formulation of the series-parallel redundant reliability problem with multiple component choices and some notations for the problem are as follows: Maximize R, = f ( x , l k , ) subject to g ( x , l k , )I b

rn : number of subsystems R, : system reliability R, : reliability of subsystem i (i = 1,2;..,m) X I : = (x,, , X d .> X , k , ) x , :~number of the kth component used in subsystem i ( k = 1 , 2 ; . . , k , ) k, : numder of component choices for subsystem i q,,k: failure probability of type k component in subsystem i g, :j" constraint function 9..

W the upper limit on the weight of the system C: the upper limit on the cost of the system (x, ) : total weight of subsystem i C, (x, ) : total cost of subsystem i b : the upper limit on the resource of the system

239

Due to the solution's nature representing integer variables, the problem is an integer programming problem. If resource constraints are constituted of nonlinear functions, the problem will be a nonlinear integer programming problem. Chern4 determines the computational complexity of problems for series-parallel redundant systems and proved that these types are an NP-hard problem of combinatorial optimization problems. In this paper, an SA algorithm is used to search an optimal solution of the problems and some numerical problems chosen from previous studies are experimented.

3

SA algorithm

Metaheuristic methods are developed to make up for the weak points of the heuristic methods to search near optimal solution. Although these methods are developed with different characteristics, many optimization and decision-making fields have used them because they have simple concepts and excellent searching performance for the solution space. The field of optimal reliability design is as well. SA that is one of the metaheuristics is presented by Kirkpatrick et ul." and Cerny' as alternative of local search and it has been successhlly applied to many combinatorial optimization problems. SA is an approach to search the global optimal solution that attempts to avoid entrapment in poor local optima by allowing an occasional uphill move to inferior solutions. In this paper, an SA algorithm which determines the maximal reliability of series-parallel system with multiple component choices subject to the resources is proposed. To apply the SA algorithm for the problem, the representation of solution and the energy function are to be determined and initial solution, initial temperature, cooling rate and stopping criterion are to be initialized.

3.1. Znitiulization Step A solution of the problem should represent the redundancy levels and the component choices of each subsystem. Figure 1 shows the representation of the solution that has m subsystems in series. Each subsystem is constituted several digits that is equal to the number of component types and each digit represents parallel redundancy level of the component. For example, the subsystem 1 has four types of component(kl=4) and 2 components of the third type are connected in parallel.

240 Subsystcm 1

Subsystem 2

Subsvstcm m

......

0

1

... 0

Figure I . Solution representation of the problem

The energy function E that is an evaluation function of the performance of the SA used the objective function of the problem and its value will be zero if it violates the constraint functions. The initial solution is randomly generated. In the initialization step, single component choice in each subsystem is allowed to get a feasible solution more easily. The initial solution is evaluated by the energy function, and then the value of the energy function becomes ones for both the current solution (XC)and best solution (&). Initial and final values of the control parameter temperature referred to as To and TF, respectively, are specified. The length of iterations for each level of the current temperature, T,, referred to as L , is set y times of neighborhood size. This paper uses To = 50, TF= 1 and y = 0.01. 3.2. Generation Step of a Feasible Neighborhood Solution An efficient scheme to generate a neighborhood solution should be developed for enormous solution space. A two-step generating scheme is proposed to generate a feasible neighborhood solution from the current solution. (1) Step 1 (painvise-swapping scheme): Two positions are randomly chosen and their elements are exchanged if both are not zeros. In the case that this process sequentially generates infeasible solutions five times, go to Step 2. Figure 2 shows an example of a system consisting of 14 subsystems with three or four choices at each subsystem. Subrvrtrm 1

n

n

z

o

Subrrstrm 2

3

n

o

Suhrvstem 14

....

n

i

n

o

....

2

1

0

0

Figure 2. A case of the pairwise-swapping scheme.

(2) Step 2 (resource-based scheme): For two positions randomly chosen as in Step 1, one component is added to the current solution if resources are available. Otherwise, it is subtracted. When resources are not available and the value of the position is zero, it keeps the value of the position is zero(s). This scheme is applied to the system consisting of 14 subsystems in Figure 3.

241

"

0

3

0

3

0

....

0

1

I

0

,I

(I

0

1

"

3

(I

/I

....

0

1

0

n

3.3. Evaluation Step for Acceptance of Neighborhood Solution If the energy function value of the neighborhood solution is more than that of the current solution (EN Ec), the neighborhood solution will replace the current solution. Then compare this neighborhood solution's energy function value with that of the best solution found thus far (En). If EN> En, then replace the best solution with EN. Otherwise, if EN < Ec then whether or not to accept the neighborhood solution is determined by the acceptance probability P(A) = exp(-AEIT), where hE = Ec - EN is referred to as the difference between the energy function values of the current solution and the neighborhood solution. 3.4. Zncrement Step of Iteration Counter

Increase the iteration counter, N, by one. And then return to Generation Step of a neighborhood solution. If the value of N is greater than or equal to the maximum number of iterations for each temperature level (L),proceed to Cooling Schedule Step.

3.5. Cooling Schedule and Stopping Step The temperature is adjusted by its cooling rate a. This is calculated by Tc = aTc-1 (C = 1, 2, .. .). If the new value of Tc is greater than or equal to the stopping value of TF(if Tc = TF) then reset N to one and return to Generation Step of a Feasible Neighborhood Solution. Otherwise, stop. This paper uses a = 0.98. 'able 1. Cc

jonent data for the example. ( -

P 1

2 3 4 5 6 7 8 9 10 11 12 13 14

0.90 0.95 0.85 0.83 0.94 0.99 0.91 0.81 0.97 0.83 0.94 0.79 0.98 0.90

-

llpon

choic -

hoice - C W P

subsystem

0.94

1 1

3 4 2 3 4 0.90 0.99 0.95 2

0.99

5

3 4 4 3 3 4

4 10 5 6 3 4 8 7 9 5 6 5 5 7

_ .

0.9 1 0.93 0.87 0.85 0.95 0.97 0.94 0.9 1 0.96 0.90 0.96 0.85 0.97 0.95 -

ioice 3

-

P 0.95

W -

5

0.92

4

0.96

4

0.91

8

0.90

I

0.99 -

9

6

6

242

4

Numerical Experiments

To evaluate the performance of the SA algorithm, some numerical experiments are conducted. 4.1. Examples

The example used in this paper is taken from the example of Fyffe et al.*. The problem has 14 subsystems in series and each has three or four component choices. The objective of the problem is to maximize the system reliability subject to two resource constraints such as cost(G130) and weight(F190). Table 1 shows component data of the experiment for the problem. The problem (P) is as follows:

s.t.

2C,(x,) 0). Let Gt be the network obtained by the 2-th reduction from Gt-l where G o = G. Then, Eq. (2) shows that R a , ( G t ) = C2tRpt-l(Gt-1) where C2t is the multiplicative factor of the t-th reduction and kt is the target nodes in Gt. The following is a lemma with respect to MRI of edges that remains in reduced networks.

273 Lemma 3.2. If- a n- edge ei E G does not reduced by T recursive reductions, namely ei remnins in G I , Gz, . . . , GT, it holds that (6)

We define r, and f i t as the smallest t where edge e, belongs in Gt and respectively. The above two lemmas prove the following theorem.

n,=,O,, t

Theorem 3.1. If the T-th reduction reduces GT-I to GT by replaczng e z , e y E G T - ~wzth e,, zt hold that & R - KT ( G T )+ f i T e I p T ( ( e z , ap, % R ~ ~ ( G T ) + oT a@p = , IKT -

otherwzse.

Theorem 3.1 derives the following corollaries with respect to the three reductions shown in figure 1.

Corollary 3.1. I n case that the T - t h reductzon zs parallel reductzon, zt holds that OT-1

n , q y I K T (ez 7 GT) z f

-

OT--l

n,d,T(e,, GT) if i e I k T (e,, G T )

= 2, = Y,

(8)

otherwzse.

Corollary 3.2. I n case that the T - t h reduction is parallel reduction, it holds that

'kT,(eZ,GTi)

=

{

PI-

_RT,

%p n,

KT

X

(e,,GT)

I KT - ( e-, , G T )

F I k T(ei, GT)

ifi=x; ifi=y, otherwise.

(9)

274 3.2. Non-Separable Decomposition Non-separable decomposition decomposes a network into its non-separable components. A non-separable component of a network is a subset of the network without cut-nodes. A cut-node is a node whose removal makes a network disconnected. Non-separable decomposition is executed in O(lV1 lE1)15. If target network G is decomposed L non-separable components G I , G z , . . . ,G L , then

+

L

where is a set of target nodes with cut-nodes in Gl. The following theorem has been proved with respect to MRI with non-separable decomposition.

Theorem 3.2. Let network G have L non-separable components G I , G z , . . . , GL. For e, E G p , it holds that

where

Kz is the target nodes with cut-nodes in Gz.

Theorem 3.2 enables us to compute MRI in an original network using MRI in nonseparable components.

3.3. Extended Factoring Theorem for M R I Computations The factoring theorem effectively reduce task to compute network reliability. The next theorem shows an extended factoring theorem for MRI computations.

Theorem 3.3. Let ei, e j be edges in network G. Then, it holds that

Theorem 3.3 factors G into G * ei and G - ei in computations of RI. Even if we cannot apply any network transformations to G, the theorem decompose G into two smaller networks, which creates new possibilities of applications of network transformations.

3.4. Procedure for C C M R I with k-Terminal Reliability Figure 2 shows a procedure to solve CCMRI with k-terminal reliability using the proved theorems. In the first phase, steps 1 through 3, target network G is decomposed into its L non-separable components. Next, steps 4 through 7 recursively

275 procedure CCMRI(G,K ) input: network G = (V,E ) and target nodes K C V output: Z K ( G )= { I G (1G(2), ~ ) , . . . ,IG(m)} and R(G) begin 1. for a = 0 , 1 , . . . ,m do x, := 1 end for; 2. decompose G into L non-separable components G I ,G2,. . . , G L ; 3. for 1 = 1,2, . . . , L do 4. GO:= Gi, KO:= h : i , t := 0, !& := 1; while a network reduction can be applied to Gt do 5. Gt+l := Gt reduced by a network reduction whose multiplicative factor is 0; 6. ht+1:= Gfit, t := t 1 end while; 7. 8. if I,,(.,Gt) can be cQmputed obviously then compute I,,(.,&); 9. else 10. call CCMRI(ct * e,, K’) and CCMRI(Gt - e,, K ) for an edge e, E G t ; ( e ,Gt) using Theorem 3.3 end for; 11. for all e in Gt do compute 12. compute R(G1) using Eq. (1) end if; while t > 0 do 13. for all e,, reduced edges by the t-th reduction, do 14. compute I k T z( e 5 ,Gt-1) using Theorem 3.1 end for; 15. A

A

-

-

+

16. compute R(Gb-1) by Eq.(2), h := h - 1 end while; 17. xo := xoR(G0); 18. for all e, in GOdo x, := I R ~ ( ~ ~ , G O ) / R end ( G Ofor; ) 19. end for; 20. returnZK(G) = { x ox 1 , x 0 ~ 1 , . ., . x ~ x and ~ }R(G) =no; end procedure. Figure 2. Procedure for CCMRI with k-terminal reliability

applies network reductions to each non-separable component and compute 0,. If G t is enough simple such as a single edge, I k , (., G t ) and R,qI( G t ) are computed in step 8. Otherwise, Gt is factored into two smaller networks to compute them. for e, E G, are computed from step 13 Then, Rgl (G,) and 7rz = I k I (e,, Gl)/Rkl(Gi) to step 16. Step 17 computes R K ( G ) .Finally, for e, E G p , I K ( e , , G ) is computed from Eqs. (11) and (12) as follows:

= RK(G)I~[*(~,,G~*)/R,,.(G~*) = nor,.

The following theorems have been proved with respect to computational complexity of the proposed procedure.

Theorem 3.4. The tzme complexaty of procedure C C M R I ( G ,K ) as O ( r T ( G ) )where rT(G) zs the tame complexzty to compute R K ( G ) . Theorem 3.5. The space complexzty of procedure C C M R I ( G , K ) zs O ( m r s ( G ) )

276 where r s ( G ) is the space complexity t o compute R K ( G ) . Especially, the proposed procedure executes CCMRI in polynomial time if the network reliability of a target network is computable in polynomial time by using the network transformations shown in Fig. 1. Practical computing time is expected t o be improved such as the result in our last research".

References 1. K. K. Aggarwal, Y. C. Chopra, and J. S. Bajwa, newblock Microelectronics and Reliability, 22, 347 (1982). 2. M. 0. Ball, C. J. Colbourn, and J. S. Provan, Handbook of Operataons Research and Management Science: Network Models, Elsevier, Amsterdam, 673 (1995). 3. R. E. Barlow and F. Proschan, Statistical Theory of Reliability and Life Testing, Holt, Rinehart, Winston (1975). 4. Z. W. Birnbaum, Multivariate Analysis 11, Academic Press, 581 (1969). 5. P. J. Boland and E. El-Neweihi, Computers and Operations Research, 22, 455 (1995). 6. C. J. Colbourn, Cornbinatorics of Network Reliability, Oxford University Press (1987). 7 . B. Dengiz, F. Altiparmak, and A. E. Smith, IEEE Trans. Rel., 42, 17 (1993). 8. S. J. Hsu and M. C. Yuang, IEEE Tkans. Rel., 50, 98 (2001). 9. S. Kiu and D. F. McAllister, IEEE Trans. Rel. 37,433 (1988). 10. T. Koide, S. Shinmori, and H. Ishii, IEICE Trans. Fundamentals, E87-A, 454 (2004). 11. F. H. Lin and W. Kuo, Journal of Heuristacs, 8 , 155 (2002). 12. F. Moskowitz, AIEE Trans. Commun. Electron. 39,627 (1958). 13. D. R. Shier, Network Reliability and Algebraic Structures, Oxford University Press (1991). 14. I. M. Soi and K. K. Aggarwal, IEEE Trans. Rel., 30,438 (1981). 15. R. E. Tarjan, SIAM J . Comput. 1, 146 (1972). 16. A. N. Venetsanopoulos and I. Singh, Problems of Control and Information Theory, 15,63 (1986).

RELIABILITY AND RISK EVALUATION OF LARGE SYSTEMS

KRZYSZTOF KOLOWROCKI Department of Mathematics, Maritime University Morska 81-87, Gdynia, 81-225, Poland

The paper reviews the state of the art on the application of limit reliability functions to the reliability evaluation of large systems The results developed by the author and his research group are especially highlighted Two-state and multi-state large systems composed of independent components are considered The main emphasis is laid on multistate systems with degrading components due to the importance of such an approach in safety analysis, assessment and prediction and operation processes effectiveness analysis of real technical systems

1

Introduction

A lot of technical systems belong to the class of complex systems. It is concerned with the large number of components they are built of and with their complicated operating processes. This complexity very often causes the system reliability and safety evaluation to become difficult. As a rule these are series systems composed of large number of components. Sometimes the series systems have either components or subsystems reserved and then they become parallel-series or series-parallel reliability structures. We meet large series systems, for instance, in piping transportation of water, gas, oil and various chemical substances. Large systems of those kinds are also used in electrical energy distribution. A city bus transportation system composed of a number of communication lines each serviced by one bus may be a model series system, if we treat it as not failed, if its all lines are able to transport passengers. If the communication lines have at their disposal several buses we may consider it either as a parallel-series system or an “m out of n” system. The simplest example of a parallel system or an “m out of n” system may be an electrical cable composed of a number of wires, which are its basic components, whereas the transmitting electrical network may be either a parallel-series system or an “m out of n”-series system. Large systems of those types are also used in telecommunication, in rope transportation and in transport using belt conveyers and elevators. Rope transportation systems like port elevators and ship-rope elevators used in shipyards during ship docking and undocking are model examples of series-parallel and parallel-series systems. Taking into account the importance of the systems’ safety and systems’ operating process effectiveness it seems to be reasonable to expand the two-state approach to the multi-state approach in their reliability analysis. The

277

278 assumption that the systems are composed of multi-state components with reliability states degrading in time without repair gives the possibility of more precious analysis of their reliability, safety and operational processes effectiveness. This assumption allows us to distinguish a system reliability critical state which exceeding is either dangerous for the environment or does not assure the necessary level of its operational process effectiveness. Then, an important system reliability characteristic is the time to the moment of exceeding the systems reliability critical state and its distribution called the system risk function. This distribution is strictly related to the system multi-state reliability function that is a basic characteristic of the multi-state system. In case of large systems, the determination of the exact reliability functions of the systems and the system risk functions leads us to a very complicated and often useless for reliability practitioners . formulae. One of the important techniques in this situation is the asymptotic approach to system reliability evaluation. In this approach instead of the preliminary complex formula for the system reliability function, after assuming that the number of system components tends to infinity and finding the limit reliability of the system, we obtain its simplified form. 2

The State of The Art

The mathematical methods used in the asymptotic approach to the system reliability analysis of large systems are based on limit theorems on order statistics distributions considered in very wide literature. These theorems have generated the investigation concerned with limit reliability functions of the systems composed of two-state components. The main and fundamental results in this subject, which determine the three-element classes of limit reliability functions for homogeneous series systems and for homogeneous parallel systems have been established by Gniedenko. These results are also presented, sometimes with different proofs, for instance in [I]-[ 1 I]. The generalisations of those results for homogeneous “m out of n” systems have been formulated and proved by Smirnow, who has fixed the seven-element class of possible limit reliability functions for these systems. Some partial results obtained by Smirnow, additionally with the solution of the speed of convergence problem may be found in other publications. The same as for homogeneous series and parallel systems classes of limit reliability functions have been fixed for homogeneous series-parallel and parallel-series systems by Chernoff and Teicher. Their results were concerned with so called “quadratic” systems only. They have fixed limit reliability functions for the homogeneous series-parallel systems with the number of series subsystems equal to the numbers of components in these subsystems and for the homogeneous parallel-series systems with the number of parallel subsystems equal to the numbers of components in these subsystems. These results may also be found for instance in 141- [ 5 1.

279 Generalisations of the results on limit reliability functions of two-state homogeneous series and parallel systems for these systems in case they are nonhomogeneous are mostly considered in the author’s works. More general problem is concerned with fixing the classes of possible limit reliability functions for so called “rectangular” series-parallel and parallel-series systems. This problem for the homogeneous series-parallel and parallel-series systems of any shapes, with different number of subsystems and the numbers of components in these subsystems, have been progressively solved in the author’s works. The main and new result of these works was the determination of seven new limit reliability functions as well for homogeneous series-parallel systems as for parallel-series systems. This way, new ten-element classes of all possible limit reliability functions for these systems have been fixed. Moreover, in these works it has been pointed out that the kind of the system limit reliability function strongly depends on the system shape. These results allow us to evaluate reliability characteristics of homogeneous series-parallel and parallel-series systems with regular reliability structures, i.e. systems composed of subsystems having the same numbers of components. The extensions of these results for non-homogeneous series-parallel and parallel-series systems have been formulated and proved successively in the author’s works. These generalisations additionally allow us to evaluate reliability characteristics of the series-parallel and parallel-series systems with non-regular structures, i.e. systems with subsystems having different numbers of components. In some of the mentioned works as well as the theoretical considerations and solutions and the numerous practical applications of the asymptotic approach to real technical system reliability evaluation may also be found. More general and practically important complex systems composed of multistate and ageing in time components are considered among other in [4]-[5].An especially important role in the evaluation of technical systems reliability and safety and their operating process effectiveness plays defined in these works large multi-state systems with degrading components. The most important results being the generalisations of the results on limit reliability functions of two-state systems dependent on transferring them to series, parallel, “m out of n”, series-parallel and parallel-series multi-state systems with degrading components are given in the newest author’s works. Some of these publications also contain practical applications of the asymptotic approach to the reliability evaluation of various technical systems [4]-[5]. The results concerned with the asymptotic approach to system reliability analysis have become the basis for the investigation concerned with domains of attraction for the limit reliability functions of the considered systems [I],[6]-[7]. In a natural way they have caused the investigation with the speed of convergence of the system reliability function sequences to their limit reliability functions. These results have also initiated the investigation on limit reliability functions of “m out of n”-series, series-“m out of n” systems [lo]-[1 11, systems with hierarchical reliability structures [ I]-[3] and the investigations on the

280 problems of the system reliability improvement and optimisation [8]-[9] as well. All these problems are completely presented in [ 121. 3 The Book “Reliability of Large Systems” The aim of this book [12] is to deliver the complete elaboration of the state of art on the method of asymptotic approach to reliability evaluation for as wide as possible range of large systems. Pointing out the possibility of this method extensive practical application in the operating processes of these systems is also an important reason for this book. The book contains complete current theoretical results of the asymptotic approach to reliability evaluation of large two-state and multi-state series, parallel, “m out of n”, series-parallel, parallelseries systems together with their practical applications to reliability evaluation of a wide range of technical systems. Additionally some recent partial results on asymptotic approach to reliability evaluation of “m out of n”-series, series-“m out of n” and hierarchical systems, the result application to large systems reliability improvement and to large systems reliability analysis in their operation processes are presented in the book. The following construction of the book has been assumed. In chapters concerned with two-state systems the results and theorems are presented without the proofs but with exact reference to the literature where their proofs may be found. Moreover, the procedures of the results practical applications are described and applied to the model two-state systems reliability evaluation. In chapters concerned with multi-state systems the recent theorems about their multi-state limit reliability functions are formulated and shortly justified. Next, the procedures of the result applications are presented and applied to real technical systems reliability and risk evaluation. Moreover, the possibility of the computer aided reliability evaluation of these systems is suggested and its use is presented. The book contains complete actual solutions of the formulated problems for the considered large systems reliability evaluation in the case of any reliability functions of the system components. The book consists of Introduction, 8 Chapters, Summary and Bibliography. In Chapter 1 that follows the Introduction, some basic notions necessary for further considerations are introduced. The asymptotic approach to the system reliability investigation and the system limit reliability function are defined. In Chapter 2 two-state homogeneous and non-homogeneous series, parallel, “m out of n”, series-parallel and parallel-series systems are defined. Their exact reliability functions are also determined. Basic notions of the system multi-state reliability analysis are introduced in Chapter 3. Further the multi-state homogeneous and non-homogeneous series, parallel, “m out of n”, series-parallel and parallel-series systems with degrading components are defined and their exact reliability functions are determined. Moreover, the notions of the multi-state limit reliability function of the system,

281

its risk function and other multi-state system reliability characteristics are introduced. Chapter 4 is concerned with limit reliability functions of two-state systems. Three-element classes of limit reliability functions for homogeneous and nonhomogeneous series systems are fixed. Some auxiliary theorems that allow us to justify facts on the methods of those systems reliability evaluation are formulated and proved. The chapter also contains the application of one of the proven facts to the reliability evaluation of a non-homogeneous gas pipeline that is composed of components with Weibull reliability functions. The accuracy of this evaluation is also illustrated. Three-element classes of possible limit reliability functions for homogeneous and non-homogeneous parallel systems are fixed as well. Some auxiliary theorems that allow us to justify facts on the methods of those systems reliability evaluation are formulated and proved. The chapter also contains the application of one proved fact to the reliability evaluation of a homogeneous energetic cable used in the overhead electrical energy distribution that is composed of components with Weibull reliability functions. The accuracy of this evaluation is illustrated in the table and figure. The class of limit reliability functions for a homogeneous “m out of n” system is fixed and the “16 out of 35” lighting reliability is evaluated in this Chapter. The Chapter contains also the results of investigations on limit reliability functions of two-state homogeneous and non-homogeneous series-parallel systems. Apart from formulated and proved auxiliary theorems that allow us to justify facts on the methods of those systems reliability evaluation their ten-element classes of possible limit reliability functions are fixed. In this Chapter, in the part concerned with applications there are two formulated and proved facts that determine limit reliability functions of series-parallel systems in the cases they are composed of components having the same and different Weibull reliability functions. On the basis of those facts the reliability characteristics of the homogeneous gas pipeline composed of two lines of pipe segments and the nonhomogeneous water supply system composed of three lines of pipe segments are evaluated. The results of investigations on limit reliability functions of two-state homogeneous and non-homogeneous parallel-series systems are given in this Chapter as well. Theorems, which determine ten-element classes of possible limit reliability functions for those systems in the cases they are composed of identical and different components, are formulated and justified. Moreover, some auxiliary theorems that are necessary in practical reliability evaluation of real technical systems are formulated and proved. In the part concerned with applications one fact is formulated and proved and then applied to evaluation of the reliability of a model homogeneous parallel-series system. The generalisations of the results of Chapters 4 on limit reliability functions of two-state systems consisting in their transferring to multi-state series, parallel, “m out of n”, series-parallel and parallel-series systems are done in Chapters 5 . The classes of all possible limit reliability functions for these systems in the cases when they are composed of identical and different in the reliability sense components are fixed. The newest theorems that allow us to evaluate the

282 reliability of large technical systems of those kinds are formulated and proved in this Chapter as well. Apart from the main theorems fixing the classes of multistate limit reliability functions of the considered systems some auxiliary theorems and corollaries allowing their direct applications to reliability evaluation of real technical objects are also formulated and proved. Moreover, in this Chapter there are wide application parts depending on the results applying to the evaluation of reliability characteristics and risk functions of different multi-state transportation systems. The results concerned with multistate series systems are applied to the reliability evaluation and risk function determination of homogeneous and non-homogeneous pipeline transportation systems, the homogeneous model telecommunication network and the homogeneous bus transportation system. The results Concerned with multi-state parallel systems are applied to reliability evaluation and risk function determination of an energetic cable used in the overhead electrical energy distribution network and to reliability and durability evaluation of the three-level steel rope used in the rope transport. Results on limit reliability functions of a homogeneous multi-state “m out of n” system are applied to durability evaluation of a steel rope. Model homogeneous series-parallel system and homogeneous and non-homogeneous series-parallel pipeline systems composed of several lines of pipe segments are estimated as well. Moreover, the reliability evaluation of the model homogeneous parallel-series electrical energy distribution system is performed. Chapter 6 is devoted to the multi-state asymptotic reliability analysis of the port and shipyard transportation systems. Theoretical results of this Chapter and Chapter 5 are applied to the reliability evaluation and the risk functions determination of some selected port transportation systems. The results of the asymptotic approach to reliability evaluation of non-homogeneous multi-state series-parallel systems are applied to the transportation system used in the Baltic Grain Terminal of the Port of Gdynia for transporting grain from its elevator to the rail carriages. The results of the asymptotic approach to the reliability evaluation of the non-homogeneous multi-state series-parallel systems are applied to the piping transportation system used in the Oil Terminal in Debogorze. This transportation system is destined for taking the oil from the tankers that deliver it to the unloading pier located at the breakwater of the Port of Gdynia. The results of the asymptotic approach to reliability evaluation of non-homogeneous multi-state series-parallel and series systems are applied to the transportation system used in the Baltic Bulk Terminal of the Port of Gdynia for loading bulk cargo on the ships. The results of this Chapter and Chapter 5 are also applied to reliability evaluation and risk function determination of the shipyard transportation system. Namely, the results of the asymptotic approach to reliability evaluation of homogeneous multi-state parallel-series systems are applied to the ship-rope transportation system used in the Naval Shipyard of Gdynia for docking ships coming for repair. The performed reliability analysis of the considered systems in this Chapter is based on the data concerned with the

283 operation processes and reliability of their components coming from experts, from component technical norms and from their producer’s certificates. In Chapter 7 the classes of possible limit reliability functions are fixed for the considered systems in case their components have exponential reliability functions. Theoretical results are represented in the form of the very useful guide containing algorithms placed in the tables and giving sequential steps of proceeding in the reliability evaluation in each of possible cases of the considered system shapes. The application of these algorithms for reliability evaluation of the multi-state non-homogeneous series transportation system, the multi-state model homogeneous series-parallel, the multi-state nonhomogeneous series-parallel pipeline transportation system and the multi-state non-homogeneous parallel-series bus transportation system is illustrated. The evaluation of reliability functions, risk functions, mean values of sojourn times in subsets of states and mean values of sojourn times in particular states for these systems is done. The calculations are performed using the computer programme based on the algorithms allowing automatically evaluating the reliability of large real technical systems. In Chapter 8 the open problems related to the topics considered in the book are presented. The domains of attraction for previously fixed limit reliability functions of the series, parallel, “m out of n”, series-parallel and parallel-series systems are introduced. More exactly, there are formulated theorems giving conditions which reliability functions of the components of the system have to satisfy in order that the system limit reliability function is one of the function from the system class of all limit reliability functions. Some examples of the result application for series systems are also illustrated. Practically very important problem of the speed of convergence of system reliability function sequences to their limit reliability functions is investigated as well. There is presented an exemplary theorem, which allows estimating the differences between the system limit reliability functions and the members of their reliability function sequences. Next, an example of the speed of convergence evaluations of reliability function sequences for a homogeneous series-parallel system is given. Partial results of the investigation on the asymptotic approach to reliability evaluation of “m out of n”-series, series-“m out of n” and hierarchical systems and on system reliability improvement are presented. These result applications are illustrated graphically as well. The analysis of large systems reliability in their operation processes is given at the end of this Chapter. The book is completed by the Summary that contains the evaluation of the presented results, the formulation of open problems concerned with large systems reliability and the perspective of further investigations on the considered problems. All problems described generally in the paper will be presented in details during the AIWARM Workshop.

284

References 1. A. Cichocki, D. Kurowicka and B. Milczek, Statistical and Probabilistic Models in Reliability, Ionescu D. C. and Limnios N. Eds. Birkhauser, Boston, 184 (1998). 2. A. Cichocki, Applied Mathematics and Computation 120, 55 (2001). 3. A. Cichocki, PhD Thesis, Gdynia Maritime University-Systems Research Institute Warsaw (2003). 4. K. Kolowrocki, International Journal of Pressure Vessels and Piping 80, 59 (2003). 5. K. Kolowrocki, International Journal of Reliability, Quality and Safety Engineering 10, No 3, 249 (2003). 6. D. Kurowicka, Applied Mathematics and Computation 98, 6 1 (1998). 7. D. Kurowicka, PhD Thesis, Gdynia Maritime University-Delft University (2001). 8. B. Kwiatuszewska-Sarnecka, Applied Mathematics and Computation 123, 155 (2001). 9. B. Kwiatuszewska-Sarnecka, PhD Thesis, Gdynia Maritime UniversitySystem Research Institute Warsaw (2003). 10. B. Milczek, Applied Mathematics and Computation 137, 161 (2002). 1 1. B. Milczek, PhD Thesis, Gdynia Maritime University-System Research Institute Warsaw (2004). 12. K. Kolowrocki, Reliability of Large Systems, Elsevier (2004).

AN OPTIMAL POLICY TO MINIMIZE EXPECTED TARDINESS COST DUE TO WAITING TIME IN THE QUEUE

JUNJI KOYANAGI AND HAJIME KAWAI Tottori University, Koyama Minami 4-101, Tottori City, Tottori, Japan We consider a discrete time queueing system. The service time and the interarrival time have geometric distributions. We assume that there is a single decision maker (DM) who has a task (Task A (TA)) which need to be processed by the server of the queueing system and another task (Task B (TB)) which is processed outside the queue and need a constant time. While processing TB, DM observes the queue at every unit time and can interrupt T B to join the queue, but DM cannot process T B while in the queueing system. After TA is finished, DM resumes TB. There is a deadline to process both tasks and if the both tasks are finished beyond the deadline, a tardiness cost is incurred. We aim at minimizing the tardiness cost and show the properties of the optimal policy.

1. Introduction

In queueing theory, it is usually assumed that customers arrive at the queue without their decisions. In a paper dealing with a decision problem by a customer, Nam proposed the system in which the customer decides whether t o join the queue5. When the customer arrives, he/she observes the queue length and compares the waiting cost with the service merit. If the service merit is larger than the waiting cost, the customer joins the queue. When the arrival rate is high (but smaller than the service rate), the queue length becomes long, but the arrival will stop when the service merit becomes smaller than the expected waiting cost. Then the queueing system behaves as a queueing system with finite capacity. Though the arrival stops when the queue length becomes this threshold, Naor showed that it is better t o stop the arrival, from the view point of social optimal control, before the queue length becomes the threshold. One way to stop the arrival before the threshold is to incur the admission fee t o the customers, which decreases the service merit. Naor showed that the socially optimal control is attained by the individually optimal control by charging the suitable admission fee. Mandelvaum and Yechiali deal with a model where one customer called smart customer can decide whether to enter the queue or leave the system'. As an additional action, the smart customer can defer the decision outside the queue observing the queue length and paying the waiting cost smaller than the waiting cost in the queue. The authors showed that the optimal policy has the following structure. When the queue length is short, smart customer should enter the system. When the queue length is middle, he should defer the decision and when it is long, he

285

286

should leave. We can find many other models dealing with a decision problem in a queueing system in Hassin and Haviv4. In a usual decision problem, the customer’s decision depends on the queue length only. We have studied some models where the number of decisions is finite or stochastic, therefore, the decision is affected by the queue length and the number of decisions. In our models the number of decisions is considered as the number of steps of the task (TB) which is processed outside the queue. We consider a decision maker (DM) with a task (TA) served in the queueing system who wants to minimize the waiting time in the queue. At every step of TB, DM decides whether to interrupt T B and enter the queue. If DM chooses to enter the queue, he resumes T B after TA is finished. If DM finishes T B before entering the queue, DM must enter the queue and wait for the service. One example of this problem is a repair problem of a machine with two functions. Consider a job which needs a hardcopy of thumbnail images of many photos. There is a printer which can be used as a scanner and we can use only this printer for the job. However, the print function is found to be broken, but the scan function can be used. If we bring the printer to the repair factory with a queue of other devices which need to be repaired, we must wait until the repair is completed and we cannot use the scan function while the printer is in the factory. Since print function is needed after all photos are scanned, we can postpone the repair and scan photos before the repair. Then the problem is when to bring the printer to the factory. We consider a cost which depends on the time needed to process both TA and TB. In previous papers, we considered the expected time for TA and T B as the cost in the continuous time system’ and we also considered the probability not to finish TA and T B by the deadline in a discrete time system3. In this paper, we consider the tardiness cost in a discrete time system and show the switch curve structure of the optimal policy. 2. Model We consider one decision maker (DM) who has two tasks TA and TB. TA is processed in a discrete time queueing system. The arrival and the end of the service happens at every unit time with constant probability, the end of the service happens with probability q and the arrival does with probability p ( p < q ) . The end of the service happens just before the arrival. The other taqk T B needs b units of time and Dhil observes the queueing system at every unit time for processing T B and decides whether to join the queue. Two tasks should be finished within b 1 time and if the two tasks are finished after b 1 time, a tardiness cost is incurred. Then the cost is incurred as follows (Fig. 1).

+

+

(1) Suppose that DM processes T B for m(< b ) units of time. (2) After m units of time is spent for TB, DM observes queue length i and decides to join the queue.

287 ( 3 ) If X time is needed for i + 1 customers (including DM), DM processes the rest of TB which needs b - m time after TA is processed in the queue. (4) In the above situation, the tardiness cost becomes m&x{O, X - I}. Therefore, if the time in the queue is less than (or equal to) 1, no cost is incurred.

cost

~

I

I

I

I

I

I

I

I

v

I

I

I

I

*time

Figure 1. The tardiness cost

To minimize the tardiness cost, DM chooses an action between two actions a t each time epoch: action A is t o join the queue; action B is to process T B for one unit of time. If DM chooses action B, DM makes a decision again after one unit of time until T B is finished. We define (i,m,1)as the system state where i is the queue length, m units of time has been spent in TB, and 1 is the maximum time in the queue without the tardiness cost. For the optimality equations, we define the following functions. (1) A(i,m, 1 ) is the expected cost when DM chooses action A while in (i, m, I ) . (2) B(i,m,1) is the expected cost when DM chooses action B while in (i,m,I) and behaves optimally thereafter. ( 3 ) V ( i ,m, 1) is the optimal expected cost for (i, m, I ) . The queueing system is a discrete time system and at most one customer arrives or leaves in one unit of time. Therefore, if action B is taken, the state transition from (i,m,1) isrestricted to ( i - l , m + l , l ) , (i > 0), ( i , m + l , I ) or ( i + l , m + l , l ) . With these state transition, we have the following optimality equations. a

A(i,m, 1) =

(:)

qk-' (1 - q)'-'(i

+1

-

k)

k=O

B(i,m,l) = q ( l - p ) V ( i -

l,m+1,1)+(qp+(l -q)(1-p))V(i,m+l,l)

+ (1- q)pV(i + 1,m + 1,I )

(i > 0)

V(i,m,1) = m i n { A ( i , m , 1 ) , B ( i , ~ , I ) } ,V(i,b,1) = A(i,b,I) The expression of A(i,m, 1 ) is obtained as follows.

(2) (3)

288

(1) DM chooses to join the queue in (i,m,I), then DM becomes (i+l)st customer in the queue. (2) During 1 time, k customers are served; the distribution of k is binomial with success probability q. (3) If k >_ i + 1, no cost is incurred because TA is finished within I , otherwise (i 1- k ) / q is the expected cost.

+

Note that -4(i,m, I) is independent of m. 3. Analysis

Let us define the policy that DM takes action B in (i,m,I) and takes action A after one unit of time irrespective of the queue length. If DM takes this policy, the expected cost C ( i ,m, I ) becomes

C(i,m,I) = q ( l - p ) A ( i - l , m + l , I ) + ( q p + ( l - q ) ( l - p ) ) ~ 4 ( i , m + 1 , 1 )

+ (1- q ) p i l ( i + 1,m + 1,I)

(4)

Note that C ( i ,m, I ) 2 B ( i ,m, I) by definition. Since while in (i, b, I), DM must take action A, we first examine the optimal policy in ( i , b - 1 , I ) . In ( i , b - l , I ) , B ( i , b - 1,l) = C(i,b- 1 , I ) holds because he must take action A after one unit of time if he takes action B. From (l),we have

.4(i + 1, m, I) = A(i,m, I)

+

i+l

(:)

q"'(1

- Q)'-'

(5)

k=O

By using ( 5 ) , 2

c ( ~ , b - l , I ) ~ - 4 ( i , ~ - l , I ) - q ( l - (p; ) q) k~- l ( l - q ) z - k k=O

= il(i,b - 1 , I )

Let us define S ( i ) by the second term of (6), that is, i

S ( i ) r (p-q)C ( ; ) q " ' ( l - y ) ~ - k + + p ( i ~ l ) Q ~ ( l - 4 ) ~ - i(7) . k=O

If S ( i ) is positive, then C ( i ,b - 1,I ) 2 A(i,b - 1,I) and action A should be taken in (i, b - 1 , l ) . We have the following lemma.

Lemma 3.1. The followang properties hold for S ( i ) .

289

+

(1) For i 2 2 p(1 (2) For i + 2 < p ( l

+ l ) , S ( i ) is decreasing in i. + I), S ( i ) is positive.

Proof.

S ( i ) - S ( i + 1) = ( q - p )

-p From this, S ( i ) 2 S ( i

(.

2+1

)qyl - qy-i-1 + p ( i

(7

qZ+I(l

+

-

f Jqyl

- qy-2

qy-a-1

(8)

+ 1) holds if

(Q - P )

(2

1

1) + P U - 4 ) (i:

1) L P,(,

f 2).

(9)

Then we obtain

i

+ 2 L p ( l + 1).

(10)

This completes the proof of Lemma 3.1 (1). Next, we prove Lemma 3.1 (2). Assume that p

S(i)

=.(k

(;)qk-l(l-q)l-k+

k=O

a k=O

1+1

k=O i

We prove that

i

k=O

by induction. For i = 0, it holds because 1+1

2

- m(1 ( q-+ql1 21-l)

>o.

(

> (i + 2)/(1+ l ) , then

i + l)q"(l-q)'-"J

290 Now, we assume that

and prove (11). From (13)

i-1

2q c ($-1(1-

q ) V

k=O

Then we have

From the above inequality, we obtain

1 + 1k=O i-1 k=O

Substituting (14) to the left side of (11)

291

The last inequality holds because

This completes the proof of Lemma 3.1 (2). 0

+

Lemma 3.1 indicates that if B(i,b - I, I ) 5 A(i, b - 1,I ) , then i + 2 2 p ( l 1) and B ( j ,b - 1,Z)5 A(j, b - 1,I ) for j 2 i . Therefore, as queue length i increases in ( i ,b - I,I), the optimal action changes from A to B if it changes, and never changes from B to A. We showed that the threshold policy is optimal when the last decision (TB has been processed for b - 1 units of time.) by Lemma 3.1. For ( i ,m, I), we have the following lemma.

Lemma 3.2. For B(i,m, 2 ) and V(i,m, l ) , it holds that B ( i , m - 1,I) 5 B ( i ,m, 1 ) and V ( i ,m - 1,I) 5 V ( i ,m, I ) . Proof. By definition, V ( i ,b,l) = A(i, b, I) and V ( i ,b holds that A(i,m,I)= A(i,m - 1,l) by (1). Thus

-

1,l) 5 -4(i,b - 1,I). It also

V ( i ,b - 1,I) 5 A(i, b - 1,I ) = -4{i1b, I ) = V(i, b, I).

(16)

ItiseasytoshowthatifV(i,rn-1,l)5 V(i,m,Z), thenB(i,m-2,I) 5 B ( i , m - 1 , l ) and V(i,m - 2,I) 5 V ( i , m - 1 , I ) . Thus, by induction Lemma 3.2 holds. This completes the proof of Lemma 3.2. 0

k

Lemma 3.2 shows that if B(i,m, I) 5 *4(ilm, I), then B(i,k , I) 5 A(i,k , 1) for 5 m. Thus, as the time spent in TB increases, the optimal action changes from

B to A if it changes, and never changes from A to B. Lemma 3.3. If A(i,m,l) 5 B(i,m,Z) for 0 5 i 5 I,, B ( i ,m - 1 , l ) holds for 0 5 i 5 I , - 1

then i l ( i , m - 1,Z) 5

Proof. Since the queue length i changes at most once, for 0 5 i 5 Im - 1, B ( i , m - 1,I) = C ( i , m - 1,l). By definition, C ( i , m - 1 , l ) = C ( i , m , I ) and C(i,m,I) 2 B ( i , m , l ) hold. Thus .4(2,m - 1,I ) = -4(i,m, 1 ) 5 C(i, m ,I) = C(i,m - 1 , l ) = B(i,m - 1 , I ) holds for 0 5 i 5 I , - 1. This completes the proof of Lemma 3.3. 0 With the help of these lemmas we have the following theorem about the properties of the optimal policy.

Theorem 3.1. Let I , = max{ilA(i, m, I) 5 B ( i ,m, l ) } . (1) F o r 0 5 i

5 I,, the optimal action i s action A.

292 [2) I , is increasing and increases at most once as m increases, i.e., Im-1

5 Im 5 Im-1

+ 1.

By this theorem t h e optimal policy h a s t h e structure shown in Fig. 2. References 1. A. Mandelbaum and U. Yechiali, Optimal entering rules for a customer with wait option at an M f G I 1 queue, Management Science, 29-2, 174-187 (1983) 2. J. Koyanagi and H.Kawai, An optimal join policy t o the queue in processing two kinds of jobs, Proc. of the Int. Conf. Applied Stochastic System Modeling, 140-147 (2000). 3. J. Koyanagi and H.Kawai, A maximization of the finishing probability of two jobs processed in a queue Proc. of the 32nd I S C I E International Symposium o n Stochastac Systems Theory and Its Applications, 171-176 (2001). 4. R. Hassin and M. Haviv, To queue or not to queue, Kluwer Academic Pubishers, Boston (2003). 5. P. Naor, On the regulation of queue size by levying toll, Econometrica, 37, 15-24 (1969).

Optimal policy

A A A

A A A

A A A

A A A

A A A

A A A

A A A

A A A

A A A

A A B

A B B

A A A A A

A A A A A

A A A A A

A A A A A

A A A A A

A A A B B

A A B B B

B B B B B

B B B B B

B B B B B

B B B B B

0

5

A B B

A B B

A B B

A B B

A B B

B B B B B

B B B B B

B B B B B

B B B B B

10

Figure 2. T h e structure of the optimal policy

i

RELIABILITY OF A k-OUT-OF-n SYSTEM WITH REPAIR BY A SERVICE STATION ATTENDING A QUEUE WITH POSTPONED WORK

A. KRISHNAMOORTHY*AND VISWANATH C. NARAYANAN,t Department of Mathematics, Cochin University of Science and Technology, Kochi 682 022, Kerala, India E-mail: [email protected]

T. G. DEEPAK* Regional centre M. G. University, Kochi 682024 India

In this paper the reliability of a repairable k-out-of R. system is studied. Repair times of components follow a phase type distribution. In addition the service facility offers service to external customers which on arrival are directed to a pool of postponed work if the service station is busy. Otherwise the external customer is taken immediately for service. Service times of components of the system and thatof the external customers have independent phase type distributions. At a service completion epoch if the buffer has less than L customers, a pooled customer is taken for service with probability p , 0 < p < 1 If at a service completion epoch no component of the system is waiting for repair, a pooled customer, if any waiting, is immediately taken for service. We obtain the system state distribution under the condition of stability. A number of performance characteristics are derived. A cost function involving L , M , y and p is constructed and its behaviour investigated numerically.

1. Introduction

In this paper we consider the reliability of k-out-of-n system with repair by a single repairman facility which also provides service to external customers when the components of the system are all functional. We assume that the k-out-of-n system is COLD. A k-out-of-n system is characterized by the fact that the system operates as long as there are at least k operational components. The system is COLD in the sense that operational components do not fail while the system is in down state (number of failed components at that instant is n - k 1). Using the same analysis as employed in this paper, one can study the WARM and HOT systems also (a k-out-of-n system is called HOT system if operational components continue

+

*Research supported by NBHM (DAE, Govt. of India) t CSIR Research fellow

293

294

to deteriorate at the same rate while the system is down as when it is up. The system is WARM if the deterioration rate while the system is up differs from that when it is down). A repair facility consisting of a single server, repairs the failed components one at a time. The life-times of components are independent and exponentially distributed random variables with parameter X / i when i components are operational. Thus on an average X failures take place in unit time when the system operates with i components. The failed components are sent to the repair facility and are repaired one at a time. The waiting space has capacity to accommodate a maximum of n - k 1 units in addition to the unit undergoing service. Service times of main customers (components of the k-out-of-n system) follow phase distribution and are independent identical for &ll components. In addition to repairing failed components of the system, the repair facility provides service to external customers. However these customers are entertained only when the server is idle (no component of the main system is in repair nor even waiting). These customers are not allowed to use the waiting space at the repair facility. So when external customers arrive for service (arrival process forms a Poission process) when the server is busy serving a component of the system or an external customer, they are directed to a pool of infinite capacity. We stress the fact that at the instant when an external customer undergoes service, suppose a component of the system fails, the latter's repair starts only on completion of service of the external customer. That is, external customers are provided non-emptive service. The service times of external customers are zid rvs following a phase-type distribution. Postponement of work is a common phenomena. This may be to attend a more important job than the one being processed at present or for a break or due to lack of quorum (in case of bulk service) and so on. Queueing systems with postponed work For details regarding is investigated in Deepak, Joshua and Krishnamoorthy queues with postponed work refer to the above and references therein. k-out-ofn system is investigated extensively (see Krishnamoorthy et a1 and references therein). The objective of this paper is to maximize the system reliability. This paper is arranged as follows. In section 2 the problem under investigation is mathematicaly formulated. Section 3 deals with the stability of the system. Stationary distribution of the system is studied in section 4 and some system performance measures are given. In section 5, a cost function is constructed and some numerical illustrations provided.

+

'.

2. Mathematical modelling We consider a k-out-of-n cold system in which the components have exponentially distributed lifetimes with parameter $, when there are i operational components. There is a single server repair facility which gives service to failed components (main customers) and also to external customers. The external customers arrive according

295 to a Poisson process of rate 6. Repair times of main and external customers follow PH-distribution with representations S1) of order ml and (p2,S2) of order m2, respectively. $' and S: are column matrices such that

(a,

S z e + ~ = O , i=1,2. Let Yl(t)be the number of external customers in the system including the one getting service, if any, and Yz(t)be the number of main customers in the system including the one getting service, if any, at time t. If an external customer, on arrival, finds a busy server and that Y2(t) < M (A45 n - k l),it joins a pool of infinite capacity with probability 1; on the other hand if Yz(t)2 M then with probability y it joins the pool or leaves the system forever.

+

If 0 < Y2(t)_< L - 1, ( L I M ) , at a service completion epoch, then with probability p a pooled cnstomer, if there is any, is given service. If Yz(t)= 0 at a service completion epoch then with probability 1 a pooled customer, if any, gets service. If Y2(t)> L - 1 at a service completion epoch, then with probability 1 a main customer gets service. If K ( t ) = Yz(t)= 0 then an external customer arriving at time t is taken for service. Define 0 1

if a main customer is getting service at time t if an external customer is getting service at time t

Let Y4(t)denote the phase of the service process at time t. NOW X ( t ) = (Yi(t), Yz(t), Y3(t), Y4(t)) forms a continuous time Markov chain which turns out to be a level independent quasi birth and death process with state space, U E o I ( i ) where the levels I(i) are defined as = { ( 0 , j I 10 , j a ) : 1 5 j l I n - k 1,1 I j , I ml} u (0) qi) = { ( i , j l , O , j Z ) : 1 I jl I n-k 1,1 I j , I ml} u { ( i , j l , l , j Z ) : 0 L jl I n - k + l , l I j z Im,} where ( 0 ) denotes the state corresponding to k;(t) = % ( t ) = 0. Arranging the states lexicographically we get the infinitesimal generator Q of the process X ( t ) as,

V)

+

+

296 with

0

1

297

3. Stability condition Theorem 1. The steady state probability vector ri of the generator matrix A = A0 A1 Az which is partitioned as r = ( ~ ( o )r(l), , . . . ,~ (- nk + 1)) is given b y X r ( 0 ) = (r(0)e)Pz(XI 1 - h(X) 1 ~ ( i=)(r(0)e)pz(XI - Sz)-’BolRf for 1 5 i 5 L - I 1 - h(X) 1 ~ ( i=) (r(0)e)D ~ ( X-I s ~ ) - ~ R ~B- ~ R~; - ~f+ o r’L 5 i 5 n - IC 1 - h(X) X 7r(n- k 1 ) = (r(0)e)pz(xr - s ~ ) - ~R ~B - ~~ R~ ; - ~ +R3’ - ~ 1 - h(X)

+ +

+

where h(X) = ,&(XI - SZ)-’$?’ Bol = [0,XIm2]

[ s1 s“1, z S,”Pl

C1

=

e(qPl,pPz), CZ = e(P1,O) where ‘e’ is a column vector of 1’s

+

of order (ml mz) x 1 The quantity r ( 0 ) e is obtained from the normalizing condition r e = 1. The system will be stable if and only i f , x A o e < r A z e .

Proof. The equation 7rA = 0 is equivalent to the system

+ X I ) + 7r(l)BlO = 0 T(O)BOl + T(1)Bll + n(2)Bz1= 0 Xr(i 1) + 7r(i)B11 + r(i + 1)BZl = 0 X r ( i 1) + r(i)Blz+ ~ (+ iI)& = 0 r(O)(Sz s:pz -

-

and Xx(n - k )

(1)

-

+ r(n

-

k

+ 1)B13= 0

(2)

5i5 L -1 ;L 5 i 5 n - k ;2

(3) (4) (5)

298 Post multiplying each of these equations by e we get for 1 5 i 5 n - k

X T ( ~- 1)e = r(i)Bloe

+1

Now (1) can be written as 4O)(Sz,- XI) ~ ( 0 ) S ; p z T ( I ) B l o e p z = 0 ie., r(O)(Sz- X I ) ~ ( o ) $ ? P z XT(O)ePZ = 0

+

+

+

+

+

+ ~ ( 0 ) s := [ T ( O ) S+~X ~ ( 0 ) e ] h ( X )

ie., ~ ( 0 = ) ~ ( 0 ) [ S gXe]/3z(XI-

x

) (T(0)e)Substituting in (6) we get ~ ( 0 = ,&(XI - S 2 ) - l . 1 - h(X) computation we also get, ~ ( 1=) (T(O)e)&,&(XI - Sz)-'BoiRi where Blo =

[ s: ] P2

Bzl =

[ 4s:P1ps:hj

B2z =

0 0 Proceeding similarly the theorem follows.

[ s?pl 0

After some

01 0

Note: The invertibility of the matrix XC1 + B11 follows from its property of being irreducibly diagonally dominant. 4. Stationary distribution Since the model is studied as a QBD Markov Process, its stationery distribution (if it exist) has a matrix geometric solution. Under the assumption of the existence of the stationary distribution, let the stationary vector x of Q be partitioned by the levels into subvectors x, for i 2 0. Then x,'s are given by x, = zlRZ-'

for i

22

where R is the minimal non-negative solution to the matrix quadratic equation

R2A2 The vectors

50,x1

+ RA1 + A.

= 0.

are obtained by solving the equations

zoBo +

= 0,

+

+

~ o B i X I [ A ~ RAz] = 0

subject to the normalizing condition xoe + x1(1 - R)-'e = 1. To complete the R matrix numerically we used the logarithmic reduction algorithm (see Latouche and Ramaswami 3 , Neuts 4).

4.1. S y s t e m p e r f o r m a n c e m e a s u r e s (1) System reliability which is defined as the probability that there is at least k operational components is given by 81 = r ( 0 ) e o

+ ~ ( 1 ) ( 1R)-'el -

299 where eo is a column vector whose last ml entries are 0’s and all other entries are 1’s and el is a column vector whose last ml mz entries are 0’s and all other entries are 1’s. (2) Probability that system is down 82 = 1 - 81. (3) Expected number of pooled customers

+

n-ktl

03

i=l

cc n - k t l

ml

jl=O

i=l

j,=1 j 2 = 1

m2

j2=1

(4) Expected loss rate of external customers

+

where ez is a column vector whose first 1 ( M - l)ml entries are 0’s and all other entries are 1’s and e3 is a column vector whose first mz + (hi1 l ) ( m l mz) entries are 0’s and all other entries 1’s. (5) Expected number of transfers from the pool when there is at least 1 mai customer present, per unit time

+

cc

L

cc L - l

ml

m2

where q ( k ) is the kth entry of the column matrix S!, i = 1,2. 5. A cost function and numerical illustrations Let C1 be the cost per unit time incured if the system is down, C2 be the holding cost per customer per unit time, C3 be the cost due t o loss of 1 customer and C, profit obtained by serving an external unit when there is at least one main customer present. We construct a cost function as

C = 82C1

+ 83Cz + 84C3

- 05C4

By varying over parameters that are crucial and fixing the rest we plot different graphs.The graphs support what is intuitively believed. For the following graphical representations the following parameters are common: n = 30, k = 10, X = 1, 6 = 1.1 -4.0 0.2 -3.38 0.5 Pz = [0.45 0.551. S1 = 0,5 -4,4]1 PI = [0.4 0.61, SZ = 0.2

[

[

Concluding remarks

In this paper we analysed the reliability of a k-out-of-n system. Condition for the system stability is established and various performance measures of the system obtained. A cost function is studied numerically. Numerical results show that the cost function is convex in L ( M ) when the rest of the parameters are kept fixed.

300

Figure 1. y = 0.5, M = 18, p = 0.7, C I = 10000, CZ = 1, Cs = 2, C4 = 3. (a) shows that a s L increases the system reliability decreases. (b) shows a profitable value of L for the cost function.

Figure 2. y = 0.5, L = 6, p = 0.8, CI = 1000, Cz = 20, C3 = 20, C4 = 40. (a) shows that as the level M increases the system reliability decreases first but it soon reaches a stage after which the decrease in reliability is negligibly small. Also (b) suggests that looking at the cost function we can find a profitable value of M .

This suggests t h a t a global optimal value of L exists which minimizes t h e expected t o t a l system running cost. As expected, system reliability decreases with increasing values of L , A4 a n d p . B y the same procedure we can s t u d y t h e warm a n d hot systems. References 1. T. G. Deepak, V. C. Joshua and A. Krishnamoorthy, Queues with postponed work, To appear in TOP. 2. A. Krishnamoorthy, P. V. Ushakumari and B. Lakshmy, k-out-of-n system with repair; the N-Policy, Asia Pacific Jl. OR, 19, 47-61, (2002). 3. G. Latouche and V. Ramaswami, Introduction t o Matrix Analytic Methods in Stochastic Modelling, SIAM, (1999). 4. M. F. Neuts, Matrix-geometric methods in stochastic models-An algorithmic approch, John-Hopkins Univ. Press (1981).

RELIABILITY EVALUATION OF A FLOW NETWORK WITH MULTIPLE-CAPACITY LINK-STATES

SEUNG MIN LEE Department of Statistics, Hallym University Chunchon 200-702, Korea E-mail: smleel Oha1lym.ac.kr

CHONG HYUNG LEE Department of Computer, Konyang University Nonsan 320-711, Korea E-mail: chleeOkonvang.ac. kr DONG HO PARK Department of Statistics, Hallym University Chunchon 200-702, Korea E-mail: dhparkBhallym.ac.kr Many real-world complex systems such as computer communication networks, transport systems of a large town and hydraulic systems which carries gas or fluid through pipeline networks can be regarded as flow networks. T h e reliability of such a flow network is defined as the probability of transmitting the required amount of flow successfully from the source node to the terminal node, and can b e computed in terms of composite paths each of which is a union of simple paths of the network. This paper proposes a method to evaluate the reliability of a n undirected flow network with multiple-capacity link-states. T h e proposed method is based on the expanded minimal paths defined in the text, which are generated from the given set of minimal paths of the network, and the composite paths are then generated in terms of those paths.

1. Introduction

In real fields, flow networks with multiple-capacity link-states are considered more practically and reasonably than flow networks with binary-capacity link-states. Generally, a flow network is modeled as a graph G(V,E ) which V and E represent a node set and a link set, respectively. In flow network with multiple-capacity linkstates, links have multi-states, and different capacities are assigned to each state of links. Therefore, a flow network with multiple-capacity link-states is the network considering both connectivity and an amount of flow transmitted from source to terminal. Also, maximum capacity flow is considered when a flow is transmitted. Many researchers have considered the performance index or the reliability as measures for evaluating the performance of flow networks with multiple-capacity

301

302 link-states when minimal paths or minimal cuts are known. Performance index is the expected value of source to terminal capacity divided by maximum source to terminal capacity. Ref [lo] suggest the method to evaluate performance index on flow network with multiple-capacity link-states and use the expanded minimal paths ( e m p ) representing all permutation of link states with non-zero capacity in each minimal path. But [9] presents the counter example that the method of [lo] are incorrect in some cases. Ref [3], [4], [5], [6], [7], [la] and [13] use minimal paths to evaluate network reliability, and ref [2], [3], [4], [8] and [13] use minimal cuts. Among these papers, [7], [8] and [la] consider the multiple-capacity link-states as well as node failures. Ref [13] suggest the algorithms which find all minimal paths vectors and all minimal cut vectors transmitting the required flow d, refered to as d-MPs and d-MCs, but [2] and [6] point out that the algorithm of [13] has many superfluous steps in finding all d-MCs and d-MPs, respectively, because the algorithm have to transform the original network to series-parallel network when the original network is not series-parallel network. Ref [6] use the flow conservation law to present a more efficient algorithm which can apply a directed flow network with multiple-capacity link-states. The papers, such as [2], [6], [7], [8], [ll],[12] and [13], basically follow multi-state structure model. Therefore, in these papers, link states and the values of system structure function of multi-state structure model are treated as link capacities and a maximum flow transmitted from source to terminal, respectively. That is, link capacities take only non-negative integer values with any upper limit. and minimal path vectors transmitting a required flow are obtained for evaluating network reliability. In this paper, we consider an undirected flow network with multiple-capacity link-states consisted of undirected links, and the flow network do not follow the multi-state structure model. Thus we do not use minimal path vectors but the union of minimal path sets for evaluating network reliability. For finding unions of minimal paths, we basically follow the method given in [5] which consider an undirected flow network with binary-capacity link-states. For considering multiplecapacity link-states, expanded minimal paths representing all permutation of link states are used. Section 2 gives acronyms, notations and assumptions, and an efficient algorithm is described in Section 3. Section 4 gives a numerical example to illustrate the method.

2. Acronyms, notations and assumptions

Acronyms and notations mP minimal path composite path which is union of paths CP ep, emp expanded path and expanded minimal path, respectively F E M P set of failure e m p

303 AFEMP N A F EM P ecp, seep P

C w >x, Y,

p,

CZ W(C) W-ALL Milnin

1.1 u=v

set of additive failure e m p set of non-additive failure e m p expanded cp and success expanded cp, respectively mp CP

link state vector of its corresponding path expanded m p with x current expanded cp with z maximum capacity flow of the (sub)network induced by C = W-({all links with their maximum states in the network}) a required flow transmitted from source node t o terminal node number of elements of . ui= w i for all i and IuI = Iv1

Assumptions 1. The nodes are perfect and each has no capacity limit. 2. The links are s-independent and have multi-states with known state probabilities. 3. All links are undirected and each link flow is bounded by the link capacity. 4. The network is good if a specified amount of flow can be transmitted from the source node to the terminal node. 5. The m p of the network, considering connectivity only, is known. 3. Algorithm

In a network with multiple-capacity link-states, we need information which link is functioning in a state. To obtain this information, at initialization, the proposed method generates expanded minimal paths ( e m p ) for representing all permutation of link states with non-zero capacity in each minimal path. For example, let ( A ,B ) be a m p and link A and B have two states and three states containing state 0, respectively. Then, the e m p of ( A , B )are obtained as (A1,Bl)and ( A l ,B2). Our algorithm focus on how t o find efficiently the expanded composite paths, union of expanded paths ( e p ) consisted of e m p and subpaths of e m p ( s e m p ) , transmitting a required flow. To do this, we present methods which make a comparison of e m p or s e m p given in Sec. 3.1, and check and remove redundancy given in Secs. 3.2 and 3.3. 3.1. Comparison of expanded paths

Let G, and GS, be e m p or s e m p . Two G, and GS,, are equal when G = G' and x = y, and the union of G, and G;, G, U GS,, are obtained by G U G' with the link state vector which consists of the link state of uncommon links and the larger state of common links in G and G'. Also, the difference of G, and GS,, G, - GS,,

304 is a s e m p of G, on GI, and is consisted of the expanded links on G, except the same expanded links in both G, and GI. For example, ( A l ,B2) U (A2,C2) and ( A l , B 2 ) - ( A l , C 2 )are (A2,B2,C2) and (B2),respectively. Also, ( A l , B 2 ) - ( A l , C 2 ) and ( A l ,B2) - ( A l ,D 2 ) are equal because of the same s e m p , ( B 2 ) ,are obtained. Let all links in G be in G’. Then, G, is said to be a subset of G&if all elements of y - x for common links are not negative, and it is denoted by G, c G&. Also, G, is said t o be a proper subset of G I if all elements of y - x are not negative for common links as G c G’ and G # G‘, or at least one positive and 0’s as G = G‘. For example, both ( A l ) and ( A 1 , B l )are subsets of ( A l ,B l ) , ( A l ) is a proper subset of ( A l ,B1) but ( A l ,B1) is not. Also, ( A l ,B I )is a proper subset of ( A l ,B2), ( A * ,B1) and ( A 2 ,B2). But ( A 2 , B l )is not a proper subset of ( A l ,B2). 3.2. Algorithm

Basically, the proposed algorithm add a n e m p or a s e m p , one by one, t o current expanded cp until a success expanded c p transmitting a required flow from source node t o terminal node is obtained. For determination of e m p t o add t o current expanded cp, the emp’s having lower states among the same mp’s are considered as candidates. Among all candidates, we select one candidate giving maximal increase on maximum capacity flow. Let FEMP be the set of failure emp’s which can not transmit a required flow and AFEMP be the set of additive failure emp’s which are candidates added t o current ecp, union of e m p . Also, NAFEMP be the set of non-additive failure e m p . Therefore, FEMP is consisted of AFEMP and NAFEMP. At initialization, we expand all m p that each of links in a m p obtains all permutations of link states with non-zero capacity, and the e m p which all elements in a link state vector are 1’s are considered as candidates added t o current ecp. Set the emp’s in the set of additive failure e m p (AFEMP) and others in the set of non-additive failure e m p (NAFEMP), and set FEMP by {emp’s in AFEMP : emp’s in NAFESP}. The ecp transmitting a required flow from source node to terminal node is refered t o as success ecp (secp). Let P, be the e p which gives the maximal increase on maximum capacity flow among AFEMP, C, be a current ecp, and ELGEMP be a set of e p preventing the generation of a secp containing the obtained secp. That is, we can obtain minimal secp by the use of ELGEMP, efficiently. Set C, = 8 and ELGEMP = 8. If WALL< Wmin,STOP. Otherwise, find P, in AFEMP. Case 1. W ( C , u P,) 2 Wmin Record C,UP, as a secp, and search for next secp with C, and FEMP = FEMP{P,}. Remove Pi in NAFEMP if P, c Pi and set ELGEMP = ELGEMP U P,. Case 2. W ( C , u P,) < Wmin Update C, = C, UP, and FEMP = FEMP - {P,}, and apply M1-M3, given in subsection 3.3, t o FEMP for efficient searching secp.

305 Case 3. There is no choice : Retreat to the step where the last ep was added to generate, C,, at which time, C, = CA,U (last ep) for some CL,. Remove Pi in NAFEMP if P, C Pi and set ELGEMP = ELGEMP u P,. Remark. At the end of the Case 1-3, decide P, from the remaining ep's in AFESP and compute W ( C zU P,) for searching another new seep. According to the computation, select a Case 1 or 2. 3.3. Some methods raising computational efficiency This subsection suggest some methods which raise the computational efficiency by removing the possible redundancy are given in the following.

M1. Among ep in FEMP, the ep which are equal are removed except the one. M2. The proper subsets among ep in FEMP are candidates added to a current cp,

c,. M3. Let P, and Pi be in FEMP and ELGEMP, respectively. Remove P, satisfying P~-C,CP,-C,. In our algorithm, M1 and M2 reduce the number of remaining ep in FEMP and candidates t o add to current ecp, C,, respectively. Through M3, we can prevent the generation of a new seep, C, U ( e p in FEMP), containing the obtained seep before making a new seep. 4. An example

We consider the multi-state flow network with undirected links. All links have three states, and their capacities and state probabilities are given in Figure 1. Let Wmin = 8. In this network, we have 4 minimal paths: ( A ,B ) , ( A ,El D ) , (C, D ) and (C,E , B ) . As the minimal paths are expanded, the number of ep corresponding to ( A , B ) ,( A ,E , D ) , (C,D ) and (C,E , B ) have 4,4, 8, 8, respectively. We present one part of the whole procedure. Let the current ecp, C,, be ( A l , B2),and FEMP and ELGEMP corresponding the ecp be ~ ( ~ ~ , ~ ~ ) , ( A ~ ) , ( ~ 1 ,: ~(l~ )1 ,1 (~ ~~ l) , 1 ~ ( ~ 1 ~) 1 ~ 1 ) ( ~ l , ~ 2 ) r ( ~ 2 , ~ 1 ~ , ( ~ 2 , ~ 2 ) , ( ~ 2 , ~ l , ~ 1 ) ,(-421 ~ A 2 ~, 2~ ,1 ~, 1~ )2 1) (1 A 2 > ~ 2

( C l , E z ) ,(C2,E1),(C2,E2)} and 8, respectively. Since W((A1,B2))< 8, Case 2 is considered.

306 LinWCapaJProb. 0 0.05 A 5 0.35

B

E

S

c

2

0.2

4

0.6

4

0

0.1

3

0.3

0.3

D

t

2

0.1

4

0.87

Figure 1. Bridge Network

Case 2. We update the current ecp, C,, with (C1,Dl) which gives maximal increase on MCF amongallepin AFEMP. Then, C, = ( A l , B a , C 1 , 0 1 ) ( =( A l , B 2 ) U ( C 1 , 0 1 ) ) and W ( C z ) is 7. Also, FEMP = FEMP - { ( C l , D l ) } . Check M1 if there are equal in FEMP, and one ( E l ) and one (E2) are removed from AFEMP and NAFEMP, respectively. Also, by updating FEMP by using of M2 and M3. (C2)) and NAFEMP = NAFEMP - { ( 0 2 ) , ( C 2 ) ) . AFEMP = {(A2), ( E l ) ,(Dz), Case 1. The MCF of the union of C, and the ep, ( A z ) , is larger than Wmin. Thus, record the union, (A2,B2,Cl,D1), as a secp. Delete ep which contain ( A ? ) from NAFEMP and update ELGEMP = ELGEMP U I ( & ) } = { ( A 2 ) } . Case 3. Search for next secp with current C, and ep in AFEMP. As the MCF of the union of the current ecp and any one ep in AFEMP is 7, and is less than Wmin7 we update the current ecp with El to find next secp. Then, the current ecp and FEMP are (Al, B 2 ,C1, D 1 ,E l ) and FEMP - { ( E l ) } ,respectively. Applying M1-M3 to FEMP, we obtain AFEMP = { ( C 2 ) ,( E 2 ) ,( 0 2 ) ) and NAFEh4P = { ( C 2 , 0 2 ) ,( E 2 , 0 2 ) > (C2,E d ) . Case 1. The MCF of the union of C, and the ep, (Cz), is larger than Wnain. Thus, as a secp. Delete ep which contain (C2) record the union, (Al,B2,Cz,D1,El), from NAFEMP and update ELGEMP = ELGEMP U ( ( ( 7 2 ) ) = { ( A 2 ) (C2)). ,

We omit the remaining procedure. In the following we obtain two more secp, (Al, B2, c2,0 2 ) and ( A 2 ,B2, 0 1 , E l ) . All 4 secp is also minimal secp. By using the reliability evaluation method of [l]with all minimal secp, the

307 network reliability, R, is obtained as:

The probability p l , means P{state of link 1 2 state j of link l } where 1 = A , B , C, D ! E and j = 1 , 2 . Then, the reliability is 0.46647 according to the probabilities in Figure 1.

5. Conclusion This paper proposes a method to evaluate the reliability of an undirected flow network with multiple-capacity link-states. The proposed method is based on the expanded minimal paths which are generated from the given minimal paths of the network. Throughout the proposed method, efficient reliability evaluation is possible because redundancy in the procedure of obtaining expanded composite paths can be redueced. References 1. T. Aven; Reliability evaluation of multistate systems with multimode components, IEEE Transactions on Reliability, 34:473-479 (1985). 2 . C. C. Jane, J. S. Lin and J. Yuan, Reliability Evaluation of a limited-flow network in terms of minimal cuts, IEEE Transactions on Reliability, 42,354-361 (1993). 3. J. C. Hudson and K. C. Kapur, Reliability analysis for multistate systems with multistate components, IZE Transactions, 15,127-135 (1983). 4. J. C. Hudson and K. C. Kapur, Reliability bounds for multistate systems with multistate components, Operations Research, 33, 153-160 (1985). 5 . S. M. Lee and D. H. Park. An efficient method for evaluation of network reliability with variable link-capacities, IEEE Transactions on Reliability, 50,374-379 (2001). 6. J. S. Lin, C. C. Jane and J. Yuan, On reliability evaluation of a capacitated-flow network in terms of minimal pathsets, Networks, 25, 131-138 (1995). 7. Y. K. Lin, A simple algorithm for reliability evaluation of a stochastic-flow network with node failure: Computers B Operations Research, 28,1277-1285 (2001). 8 . Y. K. Lin: Using minimal cuts to evaluate the system reliability of a stochastic-flow network with failures a t nodes and arcs, Reliability Engineering B System Safety, 75: 41-46 (2002). 9 . R. Schanzer, Comment on : Reliability modeling and performance of variable linkcapacity networks! IEEE Transactions on Reliability, 44,620-621 (1995). 10. P. K. Varshney, A. R. Joshi and P. L. Chang, Reliability modeling and performance evaluation of variable link capacity networks, ZEEE Transactions on Reliability, 43, 378-382 (1994). 11. W.C. Yeh, A simple algorithm t o search for all d-MCs of a limited-flow network, Reliability Engineering B System Safety, 71,15-19 (2001). 12. W. C. Yeh, A simple algorithm to search for all d-MPs with unreliable nodes, Reliability Engineering B System Safety, 73,49-54 (2001). 13. J. Xue; On multistate system analysis, IEEE Transactions on Reliability, 34,329-337 (1985).

This page intentionally left blank

A RANDOM SHOCK MODEL FOR A CONTINUOUSLY DETERIORATING SYSTEM

KYUNG EUN LIM; JEE SEON BAEK AND EUI YONG LEE D e p a r t m e n t of Statistics, Sookmyung Women’s University,

Seoul, 140-742, Korea E-mail: [email protected]

A random shock model for a system whose state deteriorates continuously is introduced. It is assumed that the state of the system is modeled by a Brownian motion with negative drift and is also subject t o random shocks. A repairman arrives according to a Poisson process and repairs the system if the state has been below a threshold since the last repair. Explicit expression is deduced for the stationary distribution of the state of the system. An optimization is also studied. Keywords: Brownian motion, random shock, first passage time, stationary distribution.

1. Introduction

We consider a random shock model for a system whose state deteriorates continuously. It is assumed that the state of the system is initially p > 0 and, thereafter, follows a Brownian motion with drift ,u < 0, variance u z > 0 and reflecting barrier at p. ,D is assumed to be the perfect state of the system. It is also assumed that shocks arrive at the system according to a Poisson process of rate v > 0. Each shock instantaneously decreases the state of the system by a random amount Y , where Y is a non-negative random variable with distribution function G. It is further assumed that the system is checked by a repairman who arrives at the system according to another Poisson process of rate X > 0. If the state of the system has been below a threshold a (0 5 a 5 p ) since the last repair, he instantaneously increases the state of the system up to p, otherwise, he does nothing. We, in this paper, obtain the stationary distribution of the state of the system by establishing the Kolmogorov’s forward differential equations and by making use of a renewal argument. A diffusion model for a system subject to continuous wear is introduced by Baxter and Lee(1987, 1988). They obtain the distribution of the state of the system and study an optimal control of the system. Lee and Lee(1993, 1994) extend the earlier analysis to the system whose state decreases by random shocks. The present model is for the system subject to both continuous wear and random shocks. Let { X ( t ) , t2 0} be the state of the system at time t in our model. To obtain the stationary distribution of { X ( t ) , t2 0}, we divide the process { X ( t ) , t2 0} into the following two processes: Process { X , ( t ) , t 2 0} is formed by separating from

309

31 0 the original process the periods in which the state of the system moves from to a and by connecting them together. Process { X ; ( t ) , t 2 0} is formed by connecting the rest of the original process together. 2 0}, in section 3, In section 2, we derive the stationary distribution of {Xl(t),t the stationary distribution of { X ; ( t ) ,t 2 0}, and finally, in section 4,the stationary distribution of { X ( t ) ,t 2 0) by combining the results obtained in sections 2 and 3. In section 5 , after assigning several costs to the system, we show that there exists a unique X which minimizes the long-run average cost per unit time. 2. Stationary distribution of X,(t)

Let Fl(z, t) = P{X1( t )5 x} denote the distribution of X1 ( t ) . Note that {Xl( t ) ,t 2 0} is a regenerative process. Let Tl(zo,a)= inf{t > OlXl(t)5 a} be the first passage time t o state less than or equal to a with X l ( 0 ) = 20 ( a 5 20 5 8 ) and define

with

h(u) =

1,ulx 0, otherwise.

Then, w(z, 20) is the expected period where X1 (t) is less than or equal to x during T1(zo,a).Since { X , ( t ) , t 0) is a regenerative process, the stationary distribution of X 1 ( t ) is given by

>

We, for the convenience of calculation, consider X,(t)- a instead of X,(t), since w(x, 2 0 ) = w(z - a , 20 - a ) and E[Tl(zo, a)]= E[Tl(zo- a , O)]. With this consideration, we obtain the formulas of w(x, 2 0 ) for 0 5 x,xo 5 8 - a and of E[T1(zo, O)] for 0 5 50 5 - a. Notice that until the state of the We first derive the formula of EIT1(zo,O)]. system reaches 0, Xl(t)can be expressed as

Xl(t) = Z ( t ) - S ( t ) , where { Z ( t ) , t 2 0) is a Brownian motion starting at xo with parameters p < 0 and o2 > 0, and { S ( t ) , t 2 0), S ( t ) = CE(i’Yi,is a compound Poisson process with { N ( t ) , t 2 0} being a Poisson process of rate v and K’s being 2.2.d. random variables having the distribution function G. Again, for the convenience of calculation, let { Z’(t),t 2 0} be a Brownian motion starting at 0 with - p > 0 and n2 > 0, and define a new process

X l ( t ) = Z‘(t) + S ( t ) .

31 1 Then, by symmetry, it can be easily seen that the first passage time of X,(t) to state 0 is equal in distribution to that of X ; ( t ) to state XO, say TI(0,xo):

Ti(0,XO)=

L

inf{t : X ; ( t ) 2 Q } , if X ; ( t ) 2 20 , for some t 2 0 if ,Y;(t) < xo , for all t 2 0.

Since T;(O,xco)is a Markov time, an argument similar to that of Karlin and Tayis given by lor(1975, pp. 361-362) shows that the Laplace transform of T;(O,zo) E[e-vT;( 0 4 0 ) ] = e--uxo,

(1)

3.'

where u is related t o 71 by equation 71 = u p + - v(1 - m c ( u ) ) with m ~ ( u= ) E [ e U y ]the , moment generating function of Y . By differentiation, we can show that

Now, we derive w ( x ,X O ) by establishing a backward differential equation. Suppose that X l ( 0 ) = x0, 0 5 xo p - a. Conditioning on whether a shock occurs or not during [0, At] gives that


0

+A

-

Y 5 0,

where Y is the amount of a shock and A = Z(At) - Z ( 0 ) Hence, we have for 0 5 20 5 p - a ,

w(z,z,) = (1 - vAt)E

1

[ i A t m w+t w ( x , z o + A) + vAtO(At)

L

J

Taking Taylor series expansion on w ( x ,xo + A) with respect to A, rearranging the equation and letting At -+ 0 yield

Then,

W ( X , 20) satisfies

the following renewal type equation:

Lemma 2.1.

with boundary conditions w ( x ,0 ) = 0 and & W ( X , ~ ~ ) l =~ 0 , ~where = ~H ( x- 0 )~= - %dt, and p = urn with G, being the equilibrium distribution of G .

s,"' h(t)dt,K ( x o )= s,' $G,(t)

312

Proof. Integrating both sides of equation (2) with respect t o xo with boundary condition w(z,O) = 0, we have

(4) If we integrate equation (4)again with respect t o renewal type equation.

20,

then we obtain the given

It is well known [see, for example, Asmussen(l987, p.113)] that the unique solution of the renewal type equation in Lemma l is

where M ( q ) = Cr=o I d T L(20). ) Here, Id") denotes the n-fold Stieltjes convolution of K with K(O)being the Heaviside function. To get & w ( z , z ~ ) l , ~ = o , we differentiate equation (5) with respect t o zo and put zo = p - a with boundary condition aaz o ~ ( ~ , ~ : o ) l z o == 3 -0,a then

2

3

--'W(z,

[J:-"

3x0

3.

+

~ h . l ( x o ) l s o = 8 - a - t H ( t ) d t H(P - a ) ]

~ o ) l r o = o=

f f 2 h I ( / ?- a )

Stationary distribution of X,(t)

Note that in our model the state of the system can cross a down either through a continuous path or by a shock. Hence, we first obtain the distribution of L(z0,a ) = a - Xl(T1(zo,a)),given that X l ( 0 ) = zo, a 5 xo 5 p. We, for the convenience of calculation, consider X , ( t ) - a instead of X l ( t ) , since L(z0 - a,O) = L(z0,a). With this consideration, we obtain the formula for the distribution of L(z0,O)for 0 5 zo 5 - a. Let f i ( ~ o , O )= P r { L ( q , O )> 1}, 1 2 0. Then, 8(zo,O) satisfies the following renewal type equation:

B

Lemma 3.1.

with boundary conditions 8 ( 0 , 0 ) = 0 and & f i ( ~ o , O ) l ~ ~ = ~=- 0~ , where Gl(z) = P [ G e (x + I ) - Ge ([)I. Proof. Conditioning on whether a shock occurs or not during time interval [0,At] gives that

+ +

if no shock occurs E [ f i ( z o 4 011, E[Pi(zo+A-Y,O)], ifashockoccursandzo+A-Y > O Pr(z0 A - Y 5 - l ) , if a shock occurs and zo A - Y 5 0.

+

313

Hence, we have, for 0 Pl(x0,O) =

5 xu 5 /3 - a ,

(1 - Yht)E[P[(Z:o + A,O)] + vhtPr(x:o+ A - Y 5 - I ) +vAtE[Pl(x, A - Y,0)12,+ A - Y > O]Pr{z, + A - Y > 0)

+

+ o(At).

Taking Taylor series expansion on fi (zo+A, 0), rearranging the equation, letting At + 0 give

20

S ( ~-O Y,O)dG(y).

fv

Integrating the above equation twice with respect to identity on the way: Y

l z o ( l - G(t

+I))&

=v

20,while

using the following

lzo+l(l -

G(Y))dY

= p[Ge(zo +I) - Ge(l)]= Gi(zo),

we can derive the given renewal type equation for Pl(xo,0). W The renewal type equation in Lemma 3.1 has the unique solution as follows:

Differentiating the above equation with respect t o xu and using the boundary condition &Pl(xo, O)lzo=fi-a = 0, we have

M’(P - a

3 8x0

- ~ ~ ( ~ o , ~ ) l z o = o=

-

+

t ) G ~ ( t ) d t Gl(/3 - a ) ]

M(B - a)

Now, let F2(x,t)= P ( X , ( t ) 5 x} denote the distribution function of X 2 ( t ) . Notice that until the repairman arrives, X,(t) = Z ( t )- S ( t ) . Hence, we can deduce an expression for F2(2, t ) when -m < x 5 ,L? by an renewal argument. Conditioning on whether a repair during (0, t] gives that t

F2(x,t)= E [ V ( x , t ) P r { E X> t } + X i

s:-z

+

V(x,t-u)Pr{EX > t - u } d u ] ,

where V ( x , t ) = B ( x v,t)dC(y,t), B ( z , t ) = P r { Z ( t ) 5 x}, C ( x , t ) = P r { S ( t ) 5 x}, and the renewal function of the exponential distribution with rate X > 0 is At. The distribution of the compound Poisson process is well known [see, Tijms(1986, pp.37-38)]. Moreover, an argument similar to that of Cox and Miller

314 (1965, pp.223-224) shows that

+

(20

-pt

- p ) e z ~9 { 1 - 2pt so + p t + p

42opt - ( Z 4exP{ -

20

- pt)2

2u2t

where @(z)is the standard normal integral. Therefore, by making use of the key renewal theorem, the stationary distribution of X 2 ( t ) is given by F2(z) = X

4.

Lrn

V ( x ,u)e-’”du.

A formula for F(x)

We know that the points where the actual repair occurs form an embedded renewal process in { X ( t ) , t2 O}. Let T* be the generic random variable denoting the time between successive renewals. Then

where EXis an exponential random variable with rate A.

Proposition 4.1. F ( x ) is given b y the following weighted average of F l ( x ) and F 2 (x):

Proof. Suppose that we earn a reward at rate of one per unit time when processes { X ( t ) t, 2 0 } , { S l ( t ) ,t 2 0) and {X,(t),t 2 0) are less than or equal to x 5 p, we see by the renewal reward theorem [Ross(l996, p.133)] that

F(x)=

E(reward during a cycle T*)

E(T*)

+

- E(reward during a cycle Tl(P,a)) E(reward during a cycle E X ) -

-

E(T*) E[Tl(8,a ) ] E(reward during TI (8,a ) ) E ( E X ) E(reward during EX) E(T*) E[Tl(PI all E(T*) E(EX ) urn-p X(P - a ) F2(x). X(8 - a ) um - p F1(x) X(P - a ) + vm - p

+-.

+

+

315 5.

Optimization

Let c1 denote the cost per visit of the repairman, let c:! denote the cost to increase the state of the system by a unit amount and let cgdenote the cost per unit time of the system being in states below a threshold a. We calculate C(X), the expected long-run average cost per unit time for a given arrival rate X and a given threshold a . To do this, we define a cycle, denoted by T * ,as the interval between two successive repairs. Then, by the renewal reward theorem [see, Ross(l996, p.133)], C(A) is given by C(X) =

E[total cost during a cycle] E[length of a cycle]

- E[N]Cl -

+ E[X’(T*)]c*+ i c 3 1

E[T*I

where E ( N ) is the expected number of visits of the repairman during a cycle and E [ X ‘ ( T * )is ] the expected amount of repair. Note that T’ can be expressed as T’ = T l ( P , a ) E X ,where Tl(p,a) is the first passage time from /3 to a and E X is an exponential random variable with rate A. Then,we can show that

+

and

E ( N ) = XE[T*]=

A(/?

- a ) + vm - p vm-p

E[X’(T*)] can be calculated by using the argument in section 2 as follows:

E[X’(T*)= ] E [ Z ’ ( T *+ ) S(T*)]

+

= E [ E [ Z ’ ( T * ) S(T*)IT*= t ] ] = (vm - p ) E ( T * )=

+

X(D - a ) vm - /I X

Therefore, C(X) = X C l

+ (vm - p)c2 + A(/?

vm-p -

a ) + vm - p

c3.

Differentiating the above equation with respect to X gives

a ax

-C(X)

= [A(/?

-

a ) + vm - p12c1 + (a - P)(vm - p)c3 [X(D - a ) vm - p]2

+

Lemma 5.1. If c1 2 s c 3 , then C(X) achieves its minimum value (vm- p ) + ~ c g , at X = 0 , otherwise there exists a unique X*(O < X < co) which minimizes C(X).

316 Proof. Suppose that c1 2 &Q,

then limA(X) 2 0. X+O

Further,

A'(X) = 2(,f?- LY)[X(P- LY)

+

- p]c1 2 0.

Hence, A(X) 2 0 for all X 2 0 and C(X) is minimized at X = 0. Suppose, now, that c1 < z c z , then limA(X) < 0. Since A(X) is an increasing X+O

function with lim A(X) = co, there exists a unique X*(O

A(X*) = 0.

w

x+m

Figure 1 illustrates an example of C(X) when

c1

2


T,,j = T

+ l , +~2,. . . , n ) ,

(3)

among the sample of size n have not yet been obtained. Moreover, putting

X

X

= In T ,

Xi = In Ti (i = 1 , 2 , . . . ,n) ,

(4)

distributes obviously as

G(z) = 1 - exp[- exp{Jz 317

-

@}] (0 = In 7 ) ,

(5)

31 8 to generate the smallest r data

and the remaining ( n - r ) ones Xj(>

xr;j = T + 1,r + 2 , . .

’

,n ).

(7)

As for the parameter estimation problems from the right-censored large samples given above, we should remark the following three points: (i) LSE in Section 2.2 and MLE in Section 2.3 are obviously applicable to our data; however, in cases of large n and smaller r , IBIASI and M S E of the estimators may frequently become very large; (ii)BLUE for 1/[ and 2-point Estimator discussed in Ref. [l,31 for small samples can not be applied now since for larger samples the numerical tables to construct the optimal estimators have not yet been known; (iii)the complete sample methods MME in Section 2.5 as well as MPM in Section 2.4 can approximately be utilized by supplying certain predicted values given in Section 2.1 for unknown data. Finally, we may conclude that the modified parametric moment estimators (MPM) proposed by us in Ref. [3] is almost unbiased and most desirable for wide range of large samples with such size as n 2 30 and r / ( n 50) 2 0.25. Moreover, LSE’s defined in Section 2.2 may be better for samples with n 2 30 and r / ( n 50) < 0.25 because of the small M S E and of simplicity of the methods, although the biases are not necessarily small, as seen in Table 1. We will show which of the estimators and the data-types among the several ones is more desirable than the others through the discussions in the sequel.

+

+

2. Various Estimators for Weibull Parameters

Let us estimate the shape parameter 6 of the Weibull distribution by using Monte Carlo simulation under the setting [ = 1.0, q = 10.0. The simulation is performed through N = 20000 samples iteratively for each of the sample sizes n = 30,50,100; r = 5,10, .. . ,n.In order t o compare the simulation results of /BIAS1 and M S E each other among , (i)the known conventional methods of analyzing right-censored data given in Formula (2) or (6), and, (ii) the proposed methods of treating hypothetical complete samples:

-

-

XI < X 2 < . . . < X , < X T + l < “ ‘ < X n,0r

-

-

T~ o )

-0.0030 -0.0327 0.0264 -0.0528 0.0323

323 Table 1 ~~~~

n

r

D

50 40 0 1 3 5 45 0 1 3 5 50 0

-

LSE(iK) LSE(EJ) MLE(~J) B I A S I S M S E I ~ BIASIS MSEIE2 BIAS16 M S E I S -0.0572 -0.0486 -0.0526 -0.0573 -0.0544 -0.0506 -0.0518 -0.0538 -0.0547

0.0323 _0.0245

0.0263 0.0286 0.0268

o.oa25 0.0233 0.0243 0.0214

-0.0738 -0.0615 -0.0644 -0.0683 -0.0696 -0.0640 -0.0647 -0.0662 -0.0687

0.0348

0.0263 0.0280 0.0302 0.0291

0.0245 0.0251 0.0261 0.0235

>(

100 5

0 1 3 5 10 0 1 3 5 __ 20 0 1 3 5 30 0 1 3 5 40 0 I 3 5 50 0 I 3 5 60 0 1 3 5 70 0 1 3 5 80 0 1 3 5 90 0 1 3 5 100 0

-

>(

(Continued).

__

0.0414 0.0840 -0.0098 -0.0141 -0.0597 -0.0127 -0.0899 -0.0976 -0.0723 -0.0307 -0.0845 -0.0969 -0.0672 -0.0324 -0.0701 -0.0836 -0.0612 -0.0331 -0.0590 -0.0715 -0.0556 -0.0332 -0.0506 -0.0613 -0.0508 -0.0335 -0.0446 -0.0530 -0.0466 -0.0342 -0.0407 -0.0466 -0.0428 -0.0347 -0.0379 -0.0416 -0.0395 -0.0358 -0.0368 -0.0384 -0.0384

0.6140 0.5428

0.5343 0.5479 0.1744

0.1338 0.1569 0.171 1 0.0794

0.0526 0.0698 0.0817 0.0525

0.0331 0.0440 0.0530 0.0391

0.0242 0.0314 0.0380 0.0307

0.0193 0.0240 0.0288 0.0249

0.0161 0.0192 0.0225 0.0206

o.0140 0.0159 0.0181 0.0171

0.0126 0.0137 0.0150 0.0141

0.0116 0.0121 0.0127 0.0111

-0.0131 0.0828 -0.0106 -0.0147 -0.0969 -0.0156 -0.0915 -0.0990 -0.0983 -0.0354 -0.0874 -0.0996 -0.0882 -0.0384 -0.0741 -0.0873 -0.0790 -0.0399 -0.0639 -0.0760 -0.0712 -0.0406 -0.0563 -0.0666 -0.0646 -0.0414 -0.0511 -0.0591 -0.0590 -0.0425 -0.0479 -0.0534 -0.0540 -0.0433 -0.0459 -0.0491 -0.0496 -0.0447 -0.0454 -0.0467 -0.0476

0.5414 0.5415

0.5336 0.5472 0.1670

0.1332 ~

0.1568 0.1709 0.0817

0.0526 0.0702 0.0820 0.0555

0.0334 0.0446 0.0537 0.0418

0.0248 0.0321 0.0388 0.0332

0.0200 0.0248 0.0297 0.0270

0.0169 0.0200 0.0234 0.0224

0.0149 0.0168 0.0191 0.0187

0.0136 0.0146 0.0160 0.0154

0.0127 0.0131 0.0137 0.0122

0.0420 0.0182 -0.0007 -0.0182 0.0356 0.0142 0.0063 -0.0048 0.0292 -0.0036 0.6575 0.1133 0.0126 0.0103 0.2460 0.0174 -0.0718 -0.0765 0.1070 0.0040 -0.0693 -0.0793 0.0676 0.0059 -0.0547 -0.0685 0.0485 0.0081 -0.0412 -0.0572 0.0377 0.0104 -0.0291 -0.0462 0.0305 0.0120 -0.0185 -0.0354 0.0248 0.0123 -0.0094 -0.0249 0.0211 0.0125 -0.0011 -0.0140 0.0175 0.0101 0.0043 -0.0035 0.0142 -0.0023

0.0236 0.0214

o.0208 0.0234 0.0190 0.0174

0.0169 0.0174 0.0149

MPM(E5 B IASIE M S E I S

MME(E+) BIASIS MSEIS2

-0.0059 o.0201 -0.0242 0.0204 -0.0411 0.0238

0.0785 0.0290 0.0416 o.0220 0.0106 0.0250

-0.0098 0.0164 -0.0175 0.0164 -0.0283 0.0174 -0.0273 0.0133

0.0753 0.0262 0.0567 o.0207 0.0316 0.0188 0.0378 0.0197

0.1004 0.5618 0.0008 0.5529 -0.0015 0.5617

0.1494 0.5614 0.0528 0.0531 0.5366

0.0058 0.1387 -0.0825 0.1644 -0.0873 0.1758

0.0509 0.1365 -0.0360 0.1532 -0.0357 0.1605

-0.0074 o.0540 -0.0800 0.0742 -0.0900 0.0864

0.0361 o.0530 -0.0403 0.0690 -0.0436 0.0768

-0.0055 0.0335 -0.0654 0.0463 -0.0791 0.0573

0.0381 0.0336 -0.0304 0.0444 -0.0383 0.0525

-0.0033 -0.0520 0.0318 -0.0677 0.0411

0.0238

0.0409 0.0247 -0.0200 0.0315 -0.0324 0.0398

-0.0011 0.0184 -0.0400 0.0230 -0.0568 0.0303

0.0443 o.0201 -0.0095 0.0233 -0.0263 0.0312

0.0005 -0.0295 0.0169 -0.0462 0.0224

0.0146

0.0473 o.0170 0.0011 0.0174 -0.0193 0.0243

0.0008 -0.0206 0.0128 -0.0358 0.0164

0.0118

0.0490 0.0148 0.0120 0.0131 -0.0107 0.0184

0.0009 = -0.0125 0.0100 -0.0252 0.0119

0.0508 0.0137 0.0241 o.0106 0.0010 0.0132

0.0131 1.6797 0.5776

0.5663 0.5751 0.2733

0.1422 0.1666 0.1781 0.0785

0.0552 0.0744 0.0867 0.0430

0.0343 0.0462 0.0572 0.0286

0.0244 0.0316 0.0409 0.0211

o.0190 0.0228 0.0301 0.0163

0.0151 0.0168 0.0221 0.0128

0.0122 0.0127 0.0161 0.0105 0.0102

0.0100 0.0117 0.0085 0.0082

0.0080 0.0084 0.0066

Note: K = 1 ( D = 0), K = 3 ( D > 0 ) ; J = 0 ( D = 0), J = 2 ( D > 0)

o.0079

-0.0015 -0.0072 0.0079 -0.0149 0.0085 -0.0138

o.0062

0.5298

0.0486 0.0124 0.0351 0.0096 0.0171 o.0091 0.0194 0.0096

324

table2. Statyicaltestsstatictics on tyhe differences

[(IC)

LSEK

LSEj

MLE MPM

[(l)

BIAS/[

LSEj MLE MPM MME MLE MPM MME MPM MME MME

1.553+02 -1.41E+02 -7.423+01 -1.973+02 -1.51E+02 -9.13E+01 -2.02Ef02 6.203+02 -3.033+02 -4.423+02

M S E / ~ -2.433+01 -6.15E+00 6.94Et00 -2.03Ef01 -1.60E+00 1.13E+01 -1.65E+01 2.92E+01 -3.83E+01 -3.673+01

BIAS/[ 1.49E+02 -1.433+02 -9.233+01 -2.02Ef02 -1.523+02 -1.06E+02 -2.063+02 7.32Et02 -3.353+02 -4.683+02

MSEI[~ -2.80E+01 -1.94Ef00 7.343+00 -1.31E+01 2.91E+00 1.20Ef01 -9.lOE-tOO 2.733+01 -2.96Ef01 -3.00Ef01

BIAS/< 1.42Et02 -1.323+02 -9.953+01 -1.823+02 -1.41E+02 -l.llE+02 -1.873+02 8.523+02 -3.043+02 -3.923+02

M S E I ~ -3.423+01 8.333+00 1.44E+01 -5.14E+00 1.35Et01 1.93E+01 -4.50E-01 2.31E+01 -2.71Et01 -2.69E+01

LSE(&) ( D = 1 or 3) is preferable for p 5 0.15; LSE(&) ( D = 1 or 3) is most desirable for 0.15 < p < 0.25; MPM(5.f) ( D = 1) is most desirable for p 2 0.25 ; MLE(&) is most desirable for complete samples with n = r . (iii) Except for the cases of n = T , the data-type D = 0 is never recommended in Table 1. (iv) It is important to utilize the most desirable method and the most appropriate data-type, which correspond to figures with (single or) double undeslines of the smallest M S E in Table 1. For example, in the case of ( n , r ) = (50,20), LSE(&) (D = 1) is most desirable to realize BIAS(&) = -0.0385, M S E ( & ) = 0.0503. On the other hand, even if (n,r ) = (100,30), by using the non-desirable conventional estimator LSE(&) ( D = 0) we get BIAS(&) = -0.0882, M S E ( & ) = 0.0555, which is inferior to the former case given above. Thus, the merit of the larger number of observation of (n,r ) = (100,30) is lost by the inappropriate choices of the method & and the data-type D = 0. In other words, by using our proposal in Table 1 one can perhaps reduce the ”costs” of data-gathering very much. (v) For comparison of our results in Table 1 with the other previous studies, numerical tables for BIAS and M S E of the estimator of the scale parameter ( from right-censored large samples have few been published in the literature. Ref. [6] has shown some graphical representation, which i s inconvenient for the numerical comparison. References 1. 2. 3. 4. 5.

C. Liu and S. Abe, J1.Rel. Eng. Ass. Japan. Vo1.26,No.l, 77-99 (2004). C. Liu and S. Abe, Proc. ICRMS’2001. Vol.1, 115-122 (2001). C. Liu and S. Abe, i n preparation. (to be submitted to J1.Rel.Eng.Ass. Japan).

S . Abe, Abstracts of 1991 Autumn Meeting of ORS. Japan. 94-95 (1991). A. Clifford Cohen, TRUNCATED AND CENSORED SAMPLES, MARCEL DEKKER,INC. 121-123 (1991). 6. T. Ichida and K.Suzuki, ISBNd-8171-3103-9. Japan. 197-241 (1984).

SOFTWARE SYSTEM RELIABILITY DESIGN CONSIDERING HYBRID FAULT TOLERANT SOFTWARE ARCHITECTURES DENVIT METHANAVYN Faculty of Computer Engineering, King Mongkut 's University of Technology Thonburi, Bangkok, 10140, Thailand NARUEMON WATTANAPONGSAKORN Faculty of Computer Engineering, King Mongkut 's University of Technology Thonburi, Bangkok, 10140, Thailand

Fault-tolerant technique is an effective approach to achieve high system reliability. This paper proposes six hierarchical fault-tolerant software reliability models with multi-level of Recovery Block (RB) modules, multi-level of N-Version Programming (NVP) modules and combinations of RB and NVP modules called hybrid fault-tolerant architectures. These system reliabilities and costs are evaluated at various degrees of failure dependencies, and then compare with those of the classical RF3 and NVP models. Reliability results with s-independent failure assumption are compared with those considering failure dependency assumption. System cost for each model is evaluated as well.

1

Introduction

Many critical systems, such as power plant control, flight control, transportation and military system need high reliability. Fault-tolerant technique is commonly applied to achieve system design objectives reliability and safety in operation. Several techniques have been proposed for structuring hardware and software systems and providing fault tolerance. For software fault tolerance usually requires design diversity and decision algorithm. Therefore software variants and adjudicator are main components for redundant computations to gain high reliability in software system. The first software fault tolerant technique is Recovery Block (RB), and then is NVersion Programming (NVP). These classical techniques have some differences in term of judging results to be final output. For RB, adjudicator is called acceptance tester, which acts as a computation module and checks results of all software variants, so the tester needs to be complexly design and do iteration work. For NVP, adjudicator is called voter, which acts as a comparator of all software variants and choose majority results as output, so voter can guarantee to pass the correct output using majority voting. Two classical models were combined to generate hybrid fault-tolerant techniques such as Consensus Recovery Block (CRB), N-Self Checking Programming (NSCP) to enhance system reliability of the original RB and NVP. In Previous work, J.B. Dugan, et al [ l ] proposed a quantitative comparison of RB and NVP schemes in 1993 considering related faults such as probability of failure between two software variants and among all software variants. In I996 Wu, et al [2]

325

326 proposed hybrid software fault-tolerant models which nested RE3 with NVP and embedded RE3 within NVP. They provided system reliability comparison for these architectures without considering related faults. In 1997 F.D. Giandomenico, et a1 [3] evaluated schemes for handling dependability and efficiency of Self-Configuring Optimal Programming (SCOP) scheme which accepted consistent result, NVP with tiebreak and NVP schemes. In 2002, S.P. Leblance and P.A. Roman [4] proposed a simple approach to estimate the reliability of software system that composed of a hierarchical of modules with s-independent of software failure assumption. There are many literatures on new fault-tolerant software architectures developing as well as software system reliability optimization [5, 7, 81. However, none of them provide reliability and cost evaluation of hierarchical or hybrid software systems considering failure dependencies or related faults in the software variants. In this work, we extend the work of Wu, et a1 [2] by considering failure dependencies in software system reliability analysis using sum-of-disjoint products. We consider hierarchical fault-tolerant schemes of multi-level of RBs, multi-level of NVPs and hybrid RE3 -NVP. These system reliabilities and costs are evaluated at various degrees of related failures and then compare with those of the traditional RE3 and NVP models. Assumptions and Notations used though out this paper are as follows. Assumptions: 1. Each software variant has 2 states: functional or fail. There is no failure repair for each variant or system 2. Reliability of each software variant is known. 3. Related fault between software variant(s) and adjudicator does not exist. Notations: Probability of failure of each software variants. PV Reliability of each software variants; Qv = 1 - Pv Qv Probability of failure from related fault between two software variants, PRV QRV = 1 - PRV Probability of failure from related fault among all software variants. PULL QRALL= 1 - PULL Probability of failure of an adjudicator (tester or voter), Qv = 1 - PV PD PDEP(X) Probability of failure of system considering related faults, QDEC(X)= 1 - PDEP@) 2

Research Background

2.1

Fault Tolerant Techniques

Software Fault Tolerance usually requires design diversity. For design-diversity, two or more software variants are designed to meet a common service specification and provided for redundant computations. The variants are aimed at delivering the same

327 service, but implemented in different ways. Since at least two variants are involved, tolerance to design faults necessitates an adjudicator that determines a single error-free result based on the results produced by multiple variants. Several techniques have been proposed for structuring a software system, and providing software fault tolerance. Classical techniques are such as Recovery Block, N-Version Programming which are discussed below, and hybrid architecture techniques are such as N-Self Checking Programming, Consensus Recovery Block and Acceptance Voting. Recovery Block (M) [ 5 ] is the first scheme developed for achieving software fault tolerance. Variants are organized in a manner similar to standby sparing used in hardware. RB performs run-time fault detection by augmenting any conventional hardwarelsoftware error detection mechanism with an acceptance test applied to the results of execution of one variant. If the test fails, an alternate variant is invoked after backward error recovery is performed. N-Version Programming (NVP) [6], which directly applies the hardware N-Modular Redundancy to software. N versions (variants) of a program are executed in parallel and their results compared by an adjudicators. By incorporating a majority vote, the system can eliminate erroneous results and pass on the presumed-correct results. 2.2 Reliability Analysis

In software system, faults can be divided into two modes: one is s-independent fault and the other one is related fault. These faults affect directly to the system reliability. Related faults result from design specification fault which is common to all software variants, or from dependencies in the separate designs and implementations. SIndependent faults are simply those that are not related. 2.2.1

Considering S-Independentfaults

The prob. of failure of the RE3 scheme (PRB)with s-independent faults is as follows [7]. Pm = I - R N ; R N

r-'

1

=P(Yi)+,Z II P ( X k ) P(Yi) 1=2 k=2

P(Yi)= ( ~ - P v ~ ) ( ~ - P D ) ~ P ( X p v~( i)-=~ ) ( l - p D ) + ( I - p V ( j - I ) ) p D

P(YJ is probability of tester accepts corrects result while P(XJ is for tester rejects correct output or tester accepts incorrect result. N is the number of software variants. The prob. of failure of the NVP scheme (Pwp) is as follows [2].

The first term is prob. of failure in case of all software variants produce incorrect result. The second term is when only one variant produces correct output. Again N is the number of s o h a r e variants.

328 2.2.2

Considering Relatedfaults

The probability uf failure of RB and NVP schemes considering related faults [l, 81 can be represented by sum-of-disjoint products [9]. The prob. of failure of the RE3 scheme with two software variants is as follows. P(=*)=

2 PRALL +PDQRALL +PRVQRALLQD+PVQRALLQDQRV

(3)

The prob. of failure of the RB scheme with three software variants is as follows.

The prob. of failure of the NVP scheme with three software variants is as follows. 2

3

2

3

2

Pv Q RALLQDQRV + PvQ RALLQDQRvQv

+

3

3

(5)

PVQ RALLQD Q,Qv

Reliability Models of Hierarchical Fault -Tolerant Software System

Hierarchical fault-tolerant software system consists of multi-level of fault-tolerant modules. At the lower level, RB or NVP modules are used. Each output from the lowerlevel modules will be sent to the upper-level module to perform similar process again and then release the finalized output. The probability of failure of the hierarchical fault-tolerant system can be considered as two parts. The first part is from the lower-level modules considering failure dependencies [l, 81. The latter is from the upper-level module where failure dependencies across the lower-level fault-tolerant modules are assumed negligible. Hence, s-independent assumption is applied at this upper-level. The probability of failure of each lower-level module is applied as a software failure probability used in the upperlevel module. 3.1 Hierarchical Fault- Tolerant Model 3.1. I

RBiRBj

RBiRBj consists of i lower-level RB modules each consisting of j software variants and a tester, and one upper-level RB module which uses i outputs from the lower-level to test for the final output. Example of FU32RB3 as shown in Figure 1.

329

1 - 1

IW

pi

I

p2

I Figure 2. NVP3RB2

Figure 1. RB2RB3

3.1.2

NVPiRBj

NVPiRBj consists of i lower-level RE3 modules each consisting of j software variants and a tester, and one upper level NVP module which uses i outputs from the lower-level to vote for the final output. Example of NVP3RB2 is shown in Figure 2. 3.1.3

RBZRB3NVP3

RB2RB3NVP3 consists of two lower-level modules; one is RB (with two variants and a voter) and the other is NVP (with three variants and a tester), and one upper-level RE3 module which uses two outputs from the lower-level to test for the final output, as shown in Figure 3. I -

I I-

I 1 -

Irnl

1 - 1 p2

h

Figure 3. RB2RB3NVP3

3.1.4

I

-6-

IW

I

p3

f

I

Figure 4. NVP3NVP3

NVPiNVPj

N V P i N V . consists of i lower-level NVP modules each has j software variants and a tester, and one upper-level NVP module which uses i outputs from the lower-level to vote for the final output, as shown in Figure 4.

3.2 Proposed Reliability Analysis Models The probability of failure of hierarchical fault-tolerant system can be obtained by finding probability of failure of the lower-level modules using Eqs. (3), (4) and (5). For the upper-level modules, we use Eqs. (1) and (2) to analyze the system reliability.

330

the pfobabilityof failureofRB2RB3,RB2RB3NVP3ANDNPV3 schewmeare shownrespectively

4

Experimental Result

The following example illustrates our proposed reliability models comparing with the classical reliability models and other hybrid models [2]. Table 1 presents the input dataset of prob. of failures. Dataset 1 has PULLand PRVequal to zero, assuming that no error in specification and no single error to activate failure of two software variants. Other datasets have varying values for PULLand PRv,referenced from [ 11 and [3]. Table 1. Input data: prob. of failures

Table 2. Input date: cost values

Table 2 presents costs of a software variant, a tester and a voter used in the system cost analysis. It is assumed that the voter has less cost when compare with acceptance tester according to [2, 71. A software variant cost is considered equal to the cost of an acceptance tester. This is because the tester needs to do computation to check output of each variant. A voter has less cost than a tester’s cost because the voter doe not have to know the correct result but instead using an algorithm to find majority result. So, its cost can be less than the cost of a variant and the cost of a tester. Table 3 provides reliability and cost evaluations of FU3, NVP, hierarchical RB, hierarchical NVP and hybrid RB-NVP models assuming s-independent of software failures. The m o d k number 3 to 10 each consists of six software variants but different in the number and allocated positions of adjudicators. The models number 1, 2, and 11 each has 2, 3, and 9 software variants, respectively. From our analysis, the model which gives the highest reliability is FU32RI33 at the cost of 90.

331 The top 3 in the reliability rank each consists of RB modules in its hierarchical structure. With less number of software variants and at lower system costs, less number of faults can be tolerated and lower system reliabilities are obtained, as shown with RB2, RB3 and NVP3. Table 3. Reliability and cost evaluations with s-independent assumption

Table 4 presents reliability and cost evaluations of the proposed models together with traditional RB and NVP models considering related faults in software variants. Dataset 1 has P R A Land ~ P R equal ~ to zero. The results with dataset 1 of both Table 3 and Table4 are compared. With input dataset 2, the result shows that RB3RB2 gives the highest system reliability compared with other models. With input dataset 3, the result shows that RB2RB3 gives the highest system reliability while RB3RB2 ranks the second. Dataset 4 has lower value of PD then dataset 3; the results show RB3RB2 gives the highest system reliability. NVP3NVP3 and NVP3 models give lowest reliabilities compared to other models. The cost of each model is the same as analyzed with sindependent failure assumption, shown in Table 3. Table 4.Reliability and cost evaluations with related fault

332 5

Conclusion

In this research, we proposed six hierarchical fault-tolerant software models that consist of multi-level RBs, NVPs, or combinations of RB(s) and NVP(s) (called hybrid structures). We also provide reliability and cost evaluations with those of the classical RB and NVP models. Reliability results with s-independent failure assumption are compared with those considering failure dependency assumption. System cost for each model is evaluated as well. The proposed hierarchical fault-tolerant models of RB provide higher reliability than those of the classical models and the hybrid models. However, if we consider in cost, the proposed hierarchical models cost more than the others are as well. While the proposed NVP models give less reliability compare with those of other models. In summary, we can rank the models from the highest to the lowest in terms of reliability: Hierarchical RB Model > Hybrid RB-NVP Model > Classical RB Model > Classical NVP Model > Hierarchical NVP Model In terms of system cost, from the most to the least expensive: Hierarchical NVP Model ? Hierarchical RB Model ? Hybrid RB-NVP Model > Classical NVP Model > Classical RB Model

References

1. 2.

3.

4. 5. 6. 7. 8. 9.

J.B. Dugan, F.A. Patterson-Hine, Simple Models of Fault Tolerant Software, Proceedings Annual Reliability and Maintainability Symposium, 354 (1993). J. Wu, E.B. Fernandez, and M. Zhang, Design and Modeling of Hybrid FaultTolerant Software With Cost Constraints, J. System Software Vol. 35, 141 (1996). F.D. Giandomenico, A. Bondavalli, J. Xu and S. Chiaradonna, Hardware and Software Fault Tolerance: Definition and Evaluation of Adaptive Architectures in A Distributed Computing Environment, Proceedings of ESREL 97 Int. Conference on Safety and Reliability, 582 (1997). S.P. LeBlance, P.A. Roman, Reliability Estimation of Hierarchical of software system, 2002 Proceeding of Annual Reliability and Maintainability Symposium. 249, 368 (2002). R.K. Scott, J.W. Gault and D.F. McAllister, Fault-Tolerant Software Reliability Modeling, IEEE Transaction on Software Engineering Vol. 13,582 (1987). A. Avizienis, The N-version approach to fault-tolerant software, IEEE Transaction on S o f i a r e Engineering Vol. 12, 1491 (1985). 0. Berman, U.D. Kumar, Optimization models for recovery block schemes, European Journal ofOperationa1 Research Vol. 115,368 (1999). J.B. Dugan, M.R. Lyu, System Reliability Analysis of an N-version Programming Application, IEEE Transaction on Software Engineering Vol. SE3,103 (1993). M. Veeraraghavan, K.S. Trivedi, An Improved Algorithm for the Symbolic Reliability Analysis of Networks, IEEE Transaction Vol. 4, 34 (1 990).

SOFTWARE RELIABILITY PREDICTION USING NEURAL NETWORKS WITH LINEAR ACTIVATION FUNCTION R.B. MISRA Reliability Engineering Center, Indian Institute of Technology Kharagpur, Kharagpur, (w.B.) 721302 India P. V. SASATTE Reliability Engineering Center, Indian Institute of Technology Kharagpur, Kharagpur, (W.B.) 721302 India In the past the neural network models were used for software reliability prediction In various experiments it has been found that neural network prediction results are better than the conventional statistical models but main drawback of the neural network approach is that one cannot extract the knowledge stored in parameters (weights of connecting links) of the neural networks that are directly related to software reliability metrics like the number of faults remaining in software This paper presents a new neural network model to overcome drawback of the earlier neural network models The proposed neural network model uses a linear activation function and input to the neural network is transformed using an exponential function This transformation helps to express the neural network results in terms of software reliability metrics like the number of faults remaining in software Applicability of the proposed approach for software reliability prediction is shown with the help of real software project data

1.

Introduction

In this new era, software systems are widely utilized in various areas, which include home appliances, communication systems, safety critical systems, etc. Most of these applications require reliable sofiware. Many Software reliability models have been developed during last three decades [ 11. These models provide quantitative measure of software reliability. These are of help to investigate the reliability improvements during software testing phase. On the basis of reliability growth a software developer can allocate resources for software testing efficiently. Conventional software reliability models are based on statistical theory and show better accuracy for fitting software failure data. However, no single model is able to provide an accurate prediction for all software project data [ 2 , 3 ] . In an adopted standard practice, best software reliability model is identified among the available software reliability models. In the process, software failure data collected during testing phase is divided into two subsets. First subset is used for parameter estimation of the model and second subset is used to analyze predictive quality of the software reliability models. In an analysis, the software reliability model whose prediction results are better than rest of the models is selected for further software reliability analysis. The conventional statistical approach has two main drawbacks [4]: 1) There is uncertainty about the model’s (which is selected as a best after comparing with rest of the models) predictive capability. Further, at some point during testing, the model, which gives better prediction compared

333

334 to others, doesn’t necessarily provide the same throughout the testing phase. 2) In early stage of testing it is difficult to select best software reliability model, since one cannot obtain sufficient failure data for the purpose. In the past recent years, the neural networks have become a popular approach for solving nonlinear problems. It finds solution for curve fitting problem in terms of multiparameters instead of two or three parameters as used in the statistical models. Problem solution in terms of multi-parameters makes the neural network more flexible and efficient. Karunanidhi [4] introduced the neural network for modeling software failure process and he used the trained neural network for prediction of future software failure behavior. Karunanidhi found that the neural network model shows better accuracy for prediction of software failure behavior than the conventional statistical models. Further various neural network models were presented for software reliability prediction and most of the neural network models provide better prediction results than the convention statistical models [4-91. However, main drawback of all neural network proposed earlier for software reliability prediction [4-91 is that one cannot extract the knowledge stored in parameters (weights of connecting links) of the neural networks that are directly related to software reliability metrics like the number of faults remaining in software. Software reliability metrics are useful in quantitative software reliability analysis. In this paper a new neural network model is presented. It overcomes drawbacks of both conventional statistical models and existing neural network models used for software reliability prediction. It provides better prediction results and values of some software reliability metrics parameters like the number of faults remaining in software. The proposed neural network model is applied to real software project data and comparison of results is carried out with conventional statistical models Notations: i = Interval numbermata point number in data set = 1,2,3,. . ..j.. .k..l.. .n t = Execution time T = Total execution time m(t) = Actual cumulative failures by time t n = Number of data points in a software failure data set N(t) = Expected cumulative failures by time t a = Total number o f faults present in the program at the beginning of the testing q = Number of data points in an extracted subset used for neural network training 2.

Neural Network Model

2.1. Earlier work

In last decade Karunanidhi [4] introduced the neural networks for software reliability prediction. The neural network architecture used by Karunanidhi was input layer, output

335 layer and one hidden layer. The input and output to the neural network were execution time and the number of cumulative faults respectively as shown in Figure 1.

Neural Networks Execution time

Cumulative faults

u Figure 1. Neural network model

Karunanidhi used the sigmoid activation function for the neural network training. Output of the neural network with the sigmoid activation function is limited between the values 0.0 to 1.0. However in software reliability prediction problem output value (cumulative faults) always lies out of this range. Thus, it is necessary to scale output of the neural networks over the scale 0.0 to 1.0. This scaling needs information regarding the total number of cumulative faults detected at the end of testing phase. During testing phase this value is not available and therefore scaling of output is not possible. Although the prediction results of neural networks with sigmoid activation function are better than conventional statistical models the scaling problem has been not addressed yet [5]. Karunanidhi [ 5 ] suggested a new method to overcome scaling problem, in which a clipped linear function was used in output layer as an activation function instead of the sigmoid function. The advantage of this method is that, it can predict positive values in any unbounded region and therefore scaling of output is not required. However, results obtained with this approach were worse than some statistical models for some of the software project data. In Ref. [7] the GMDH (group method of data handing) network, which is adaptive machine learning, is applied for software reliability prediction during testing phase. The GMDH network is based on the principle of heuristic self-organization. Advantage of this approach is that it overcomes problem of determining a suitable network size in the use of multi layer perceptron neural network and its prediction results were found better than the conventional models. Recently, a modified Elman recurrent neural network [9] is presented for software reliability prediction. The predictive performances of the Elman recurrent neural network were found better than conventional nonhomogeneous Poisson process (NHPP) models. Above discussion provides evidence about neural network’s ability in identifying trends in software failure process and prediction of future software failure behavior. Most of the neural network approaches described above shows better prediction results than the conventional statistical models but the main drawback of the neural network approach is that the results obtained with neural networks can’t be expressed in terms of software

336 reliability metrics like the number of faults remaining in software. These software reliability metrics are useful in quantitative analysis of software reliability data. 2.2. Proposed Neural Network Model A multi-layer feed forward neural network is being considered in this study and back propagation algorithm is used for neural network training. The neural network architecture used is input layer, output layer, and one hidden layer. The proposed model uses the linear activation function and therefore its results are less subjected to the architecture of neural networks, training mode, number of hidden layer, and number of connecting links in each layer. The neural network is trained with execution time as an input and the number of cumulative failures observed as the target output. In the proposed model it is assumed that if testing is continued for infinite time then all faults in the software will be detected. On the basis of assumption input to the neural network is transformed using an exponential function. The transformed input is given by Transformed Input

= t’ =

1- exp (-t/T)

(1)

This transformation helps to reduce the neural network training error. Another important benefit of this transformation is that user can relate the knowledge stored in parameters of the neural network to the software reliability metrics like number of faults remained in software. Behavior of the proposed model with transformed input is shown in Table 1 and explained as: At the beginning of the testing, execution time is zero i.e. transformed input is also zero. According to the assumption, at infinite time of testing, faults detected in testing must be equal to total faults in software. If user uses input to the neural network without transformation then at infinite time, ‘infinity’ value becomes input to the neural network and neural network cannot produce output for input ‘a’.However, if input is transformed then it becomes ‘ 1 ’ instead of ‘CO’and the neural network can provide output for ‘ 1 ’ . The output of the neural network for transformed input ‘l’is ‘total number of faults present in software at the beginning of the testing’.

2.2.1. Assumptions: 1.

At infinite time, all faults in software are detected. Table 1. Neural Network Model Behavioi

Input = Execution Time or CPU time

Transformed Input

Cumulative faults

t’ = I-exp(-tR)

‘t’

At beginning of testing t=O At infinite time t =cc

0

m(t = 0)

1

m(t = -) = Total faults in software

=0

337 2.2.2. Selection of training data Set In the proposed model, subsets are extracted from the data set reserved for the neural network training rather than training the neural network with all data reserved for it. The neural network is trained for all extracted subsets. The neural network data fitting performance for each subset is evaluated using the measure ‘Data Fitting Error’. The subset, for which the neural network gives minimum ‘Data Fitting Error’, is selected. The neural network trained with this subset is used for prediction of software failure behavior. The ‘Data Fitting Error’ is given as Data Fitting Error =

‘

4

The subsets are obtained as Let, p = data set number of the subsets extracted form training data q = data points in a data set used for training do while

p = l = d a t a s e t = ( { i , t & m ( t ) } f o r i = l , 2 ...n) for successive subset, remove first data point {i ,t & m(t)} from earlier dataset q2 3

First subset comprises ‘n’ data points, while every successive subset comprises one data point less than earlier one and last subset comprises last 3 data points of training data set. The minimum data points in a dataset used for the neural network training are restricted to three. This restriction is imposed to avoid the neural networks from random guessing because the neural network prediction without proper training is random guess [4]. 3.

Prediction Results

A Software failure data collected from TROPICO system software is used to test applicability of the proposed neural network approach [lo]. In this study failure data obtained during testing phase (failure data of 300 days) is reserved for neural network training and remaining failure data (failure data of last 510 days) is used to check adequacy of proposed model. A procedure to find out optimal number of data points in a training set is applied as described in earlier section and neural network is trained with it to predict for failures in last 510 days. Plot of TROPICO system failures with neural network prediction for last 510 days is shown in Figure 2. If the neural network’s prediction is examined in two sections then for first 300 days (from 300 days to 600 days) the prediction is almost same as the actual failures occurred, for next 210 days (from 600 to 810 days) the predicted value is lower than the actual value.

338

3.1 Estimation of the Remaining Software Faults

As described earlier, input to the neural network is assigned ‘1’ to estimate the ‘total number of faults present in the program at the beginning of the testing’. Predicted total number of faults present in the program at the beginning of the testing ( ‘ u ’ ) by the neural network is 457. The residual faults in software is estimated by subtracting faults found by time ‘t’ from ‘total number of faults present at the beginning of the testing. After 300 days of testing 297 faults were found and therefore residual faults in software after 300 days are 160. 4.

Model Comparisons

In this section neural network prediction results are compared with some commonly used statistical models [l I]. The models used for comparison are exponential NHPP, S-shaped NHPP model, Generalized Poisson model, Schick-Wolverton, and Schneidewind’s Model. The criteria used in this study to judge the performance of the model is Prediction Error [ 101, A Prediction error measures how close the predicted cumulative number of failures to the actual failures occurred.

Prediction Error =

(3)

I=/

k- j+l

The software failure data used in earlier section for neural network prediction is used in here for prediction of last 510 days failure with the help statistical models. First thirty data points are used for the conventional statistical model fitting and parameter estimation Figure 3 shows plot of predicted failures vs. testing time for the proposed neural network model and some of the statistical models used in this study whose prediction results are better than rest of the statistical models. Among compared models,

339 exponential NHPP and Generalized Poisson model Predicts higher value of cumulative failures as compared to actual failures occurred in that interval. On the other hand, Sshaped NHPP model and proposed neural network model Predicts lower value of cumulative failures as compared to actual failures occurred in that interval. The proposed model’s prediction curve is more close to the actual one as compare to rest of the models. 750 +Neural 650

Network

+Exponential *Generalized

NHPP Poisson

*

.d

c d 7

450

E

J

350

250

1 31

41

51

61

71

81

Failure Interval

Figure 3 Software failure predictions by models

The performance of the model used in the study is judged using the measure ‘Prediction Error’. The comparison results are shown in Table 2. It is found that, Sshaped NHPP model turns out to be the best among the statistical models. From Table 2, it is clear that the proposed neural network model provides significantly better prediction results as compared to the conventional models in terms of low prediction error. Table 2. Comparison of prediction

Model S-shaped NHPP model Generalized Poisson model Exponential NHPP model Neural Network

5.

Prediction Error

105.9 16.54

Conclusion

In this study, new neural network model is presented for software reliability prediction. The proposed model uses the linear activation function and therefore its results dependency on the architecture of neural networks, training mode, number of hidden

340

layer, and number of connecting links in each layer is less. This feature makes the proposed model robust and simple for implementation. Applicability of the proposed neural network model for quantitative software reliability analysis is shown with real software project data and results are compared with conventional approaches used for software reliability prediction. It is noted that the neural network model turned out to be the best in terms of low prediction error as compared to existing models and therefore provides a better alternative for software reliability analysis. Acknowledgments

This work is supported by MHRD, New Delhi (India) under the Hybrid System Safety Analysis [HYB] Project References 1. M. Lyu, (Editor), Handbook of Software Reliability Engineering, McGraw-Hill, (1 996). 2. Y. K. Malaiya, N. Karunanidhi and P. Verma, IEEE International Computer Software Applications Conference. 7 (1 990). 3. A.A Abdel-Ghaly, P.Y. Chan, B. Littlewood and J. Snell, IEEE Transactions on Software Engineering. 16 (4), 458 (1 990). 4. N. Karunanithi, D. Whitley, and. Y. K. Malaiya, IEEE Transactions on Software Engineering. 18 (7), 563 (1992). 5. N. Karunanithi, and Y. K Malaiya, International Symposium on Software Reliability Engineering. 76( 1992). 6. R. Sitte, IEEE Transactions on Reliability. (48) 3, 285 (1999). 7. T. Dohi, S. Osaki and K.S Trivedi, International Symposium on Software Reliability Engineering. 40 (2000). 8. K. Y. Cai, L. Cai, W. D. Wang, Z. Y. Yu and D. Zhang, Journal of Systems and Software. (58) I , 47(2001). 9. S. L. Ho, M. Xie and T. N Goh, Computers d Mathematics with Applications. (46) 7,1037 (2003). 10. M. R. B. Martini, K. Kanoun and J. .M. De Souza, IEEE Transactions on Reliability. 39(3), 369 (1990). 1 1. A. P. Nikora, Computer Aided Software Reliability Estimation (CASRE) User's Guide Version 3.0, (1 999).

BLOCK BURN-IN WITH MINIMAL REPAIR MYUNG HWAN NA Department of Statistics, Chonnam National University, 300 Yongbong-dong, Gwangju, 500-757, Korea SANGYEOL LEE Department of Statistics, Seoul National University, San 56-1 Sillim-dong, Seoul, 151-742, Korea YOUNG NAM SON Department of Computer Science and Statistics, Chosun University, 375 Seoseok-dong, Gwangju, 501 -759, Korea Burn-in is a method to eliminate early failures. Preventive maintenance policy such as block replacement with minimal repair a t failure is often used in field operation. In this paper, the burn-in and maintenance policy are taken into consideration a t the same time. The optimal burn-in time is obtained in an explicit form. 1. Introduction

Let F ( t ) be a distribution function of a lifetime X. If X has density f ( t )on = f ( t ) / F ( t ) where , F ( t ) = 1- F ( t ) is the survival function of X . Based on the behavior of failure rate, various nonparametric classes of life distributions have been defined in the literature. The following is one definition of a bathtub-shaped failure rate function which we shall use in this article.

[o, co),then its failure rate function h(t) is defined as h ( t )

Definition 1. A real-valued failure rate function h(t) is said to be bathtubshaped failure rate with change points tl and t 2 , if there exist change points 0 5 tl 5 t 2 < co,such that h ( t ) is strictly decreasing on [ O , t l ) , constant on [tl,t 2 ) and then strictly increasing on [ t z , co). The time interval [0,t l ] is called the infant mortality period; the interval [ t l ,t z ] , where h(t) is constant, is called the useful life; the interval [ t z ,co) is called the wear-out period. Burn-in is a method used to eliminate early failures of components before they are put into field operation. The burn-in procedure is stopped when a preassigned reliability goal is achieved. Since burn-in is usually costly, one of the major problem is t o decide how long the procedure should continue. The best time t o stop the burn-in process for a given criterion is called the optimal burn-in time. An introduction to this context can be found in Jensen and

341

342 Petersen (1982). In the literature, certain cost structures have been proposed and the corresponding problem of finding the optimal burn-in time has been considered. See, for example, Clarotti and Spizzichino (1991), Mi (1994), Cha (2000), and Block and Savits (1997) for a review of the burn-in procedure. In this paper, we propose block burn-in with minimal repair. Our strategy is a modified version of Cha’s (2000) model since we consider additively the time for burn-in when we obtain the cost function. Cha (2000) showed that the optimal burn-in time b* must occur before the change point tl of h(t) under the assumption of a bathtub-shaped failure rate function. But in our model, the optimal burn-in time is given by an explicit form. Also, it is shown that optimal burn-in time decreases as the cost for burn-in increases, as the minimal repair cost during burn-in increases, or as the minimal repair cost in field operation decreases. 2. Block Burn-in Strategy

We begin to burn-in a new component. If the component fails before a fixed burn-in time b, we repair it minimally, and continue the burn-in procedure for the repaired component. After the burn-in time b, the component is to be put into field operation. For a burned-in component, block replacement policy with minimal repair at failure will be adopted. Under this replacement policy, the component is replaced by a burned-in component at planned time TI where T is a fixed positive number, and is minimally repaired at failure before a planned replacement. The cost for burn-in is assumed to be proportional to the total burn-in time with proportionality constant cg. Let c1 and c2 denote the costs of a minimal repair during burn-in period and in field operation, respectively. We assume that c1 < c2; this means that the cost of a minimal repair during a burn-in procedure is lower than that of a minimal repair in field operation. Let c, be the cost of a planned replacement. The total expected cost in the interval [0, b T ] is the sum of the expected burn-in cost, cob c1 h(t)dt, and the expected replacement cost, c, cz h(t)dt. The expected length of the interval is b T . Thus, the total expected cost per unit time C(b,T) is given by

+

+ s,””

C(b,T)=

cob

+

si

+

+ c1 s,” h(t)dt + c, + cz s,”” h(t)dt b+T

(1)

We will consider the problem of finding the optimal burn-in time b* and the optimal age T * such that

C(b*,T*)= min C(b,T). b/O,T>O

343 Throughout this paper, we assume that the failure rate function h ( t ) is differentiable and bathtub-shaped with change points tl and t2.

3. Optimal Burn-in Time For a given b

2 0, first, we can determine Tt

as a function of b satisfying

C(b,T z ) = min C(b,T ) . TZO

Note that d -C(b,T) dT

=

(b

cob

+T)2

-

+ c, + s,” h(t)dt c1

c2

where

+

qb(T) = ( b f T ) h ( b T ) -

rT

h(t)dt.

Hence, dC(b,T ) / d T = 0 if and only if the following equation (2) holds.

(b

+ T ) h ( b+ T )

Since qL(T)= ( b

1

b+T

-

h(t)dt =

cob

+ c, + c1 s,” h(t)dt c2

b

+ T)h’(b+ T ) , decreasing on [0,tl - b ) , constant on [tl - b,t2 - b ) , increasing on [t2 - b, m).

Now we need a following partition of interval [0,m)

Note that for any b E A2, the equation (2) has a unique solution which we denote by T; and C ( b , T ) has minimum at T;. For b E A3, C(b,T) has minimum at T; = 0 or the solution of equation (2). Also note that for any given b E A l , d C ( b ,T ) / d T < 0 for all T 2 0 and C(b,T ) is strictly decreasing. Thus C(b,T ) has minimum at Tz = 00.

344

Therefore, we can define

{ b L 0 : T l = m } ,B2 = { b 2 0 : 0 < Tl < co}, and

Bi

B3

= { b 2 0 : Tl = 0).

Then, min

b>O,T>O

C ( b ,T ) = min

{

min C ( b ,m), min C(b,T,*), min C ( b ,0 ) be B P

bEBi

bEB3

Before we state main theorem, we need the following lemma.

Lemma 1. There exists b: such that C ( b i , O ) = co

+ c l h ( b i ) 5 C ( b ,0 ) = b (cob + c

1 l h(t)dt

+ c r ) for all b L 0,

where bi is either the unique solution of (3) or equal to 00 according to whether (3) has a solution or not:

bh(b) -

Jlub

h(t)dt = -.C r C1

(3)

Define s1 and s2 be the solutions of the following equation if they exist

h ( t ) = -, CO c2 - c1

(4)

where 0 5 s1 5 tl 5 t2 5 s2. If h(0) < C O / C ~- c1 and h(00) > C O / C ~- c1, then let s1 = 0 and s2 = co,respectively. The following is the main result of this paper.

Theorem 1. If none of s1 and s2 exists or if sl+T:l > s2 and ~ 2 h ( s l + T : ~>) co clh(b;), the optimal burn-in time b* and the corresponding optimal age T* = Tl* is given by b* = b; and T" = T$ = 0,

+

otherwise

b* = s1 and T* = TS*,> t 2 - s1. Remark 1. None of s1 and s2 exists means that h ( t ) > C O / ( C ~ - c1) for all t 2 0. Remark 2. From (4) Theorem 1 indicates that optimal burn-in time gets smaller as C O , the cost for burn-in, or c1, the minimal repair cost during burnin, becomes higher, or as c2, the minimal repair cost in field operation becomes lower.

345

Acknowledgement This research was supported in part by KOSEF through Statistical Research Center for Complex Systems a t Seoul National University.

References

[l] Barlow, R. E. and Proschan, F. 1965, Mathematical Theory of Reliability. Wiley, New York. [2] Block, H. and Savits, T . 1997, Burn-In, Statistical Science, 12, 1, pp. 1-19.

[3]Cha, J . H. 2000, On a Better Burn-in Procedure, J. of Applied Probability, 37, 4, pp. 1099-1103. [4] Clarotti, C. A and Spizzichino, F. 1991, Bayes burn-in decision procedures,

Probability an the Engineering and Informational Science, 4, pp. 437-445. [ 5 ] Jensen, F. and Peterson, N. E. 1982, Burn-in, John Wiley, New York. [6] Mi, J. 1994, Burn-in and Maintenance Policies, Adv. Appl. Probability, 26,

pp. 207-221.

This page intentionally left blank

FIVE FURTHER STUDIES FOR RELIABILITY MODELS

T. N A K A G A W A

Department of Management and Information Systems Aichi Institute of Technology 1247 Yachigusa, Yagusa-cho, Toyota 470-0392, Japan E-mail: [email protected] This paper surveys my five recent studies; (1) reliability of complexity, (2) reliability of scheduling, (3) expected number of failures, (4) sequential maintenance policies, and (5) service reliability. Some results might not be useful to actual fields, however, these would certainly offer interesting topics to researchers and practicians.

1. Introduction

This paper surveys my five recent studies in which some results have been already obtained, and further studies are now continued and expected in near future. Section 2 defines the complexities of systems as the number of paths and the entropy. There exist many problems on complexity which have to be solved theoretically and practically. For example, we have t o show how to define the complexity of more complex systems. Section 3 defines the reliability for a job with scheduling time as the probability that it is accomplished successfully by a system. This would be modified and be extended, and could be applied to many fields of actual scheduling problems. Section 4 obtains the time that the expected number of failures is k and the distribution of H ( X ) when Pr{X t } = 1 - e--H(t).This would give theoretically interesting topics of expected number of events in stochastic processes. Section 5 proposes the sequential maintenance policies where the preventive maintenances are made successively. This is one of modified and extended models of periodic and age replacements. Finally, Section 6 defines service reliability on hypothetical assumptions. This would trigger t o begin theoretical studies of service reliability.


c1. Then, the expected cost until the completion of work is

C ( L )= c1 Pr{S 5 L } + cf Pr{S > L } + S L = ClW(L) C f [ l - W ( L ) ]+ S L .

+

(3.2)

Since C(0) = c f and C(m) = m, there exists a finite scheduling time L* (0 5 L* < m) which minimizes C ( L ) .

351 We seek an optimal time L* which minimizes C ( L ) . Differentiating C ( L ) with respect t o L and setting it equal to zero, we have w ( L ) = s / ( c f - c1) where w ( t ) is a density of W ( t ) . In particular, when W ( t )= 1 - e-wt,

Therefore, we have the following result: (i) If w > s / ( c p - c1) then there exists a finite and unique L* (0 < L* which satisfies (3.3). (ii) If w 5 s / ( c f - c1) then L* = 0.

< co)

3.3. Parallel system Consider the scheduling problem how many number of units for a parallel redundant system is appropriate for the work of a job with scheduling time S [8]. Suppose that an n-unit parallel system works for a job with scheduling time S with W ( t ) = Pr{S I t } where = 1 - W , whose operating cost is ns. It is assumed that n units are independent and have an identical failure distribution F ( t ) . If the work of a job is accomplished when at least one unit is operating, it needs cost c1, and if the work is accomplished after all n units have failed, it needs cost c f where c f > c1. Then, the expected cost of n-unit parallel system is

C ( n )= c1

+ (cp - c1)

IW-

+

W ( t ) d [ F ( t ) l n ns

( n = 0 , 1 , 2 , . . .).

Since C(0) = c f and C(w) = co,there exists a finite number n* (0 which minimizes C ( n ) . iFrom the inequality C ( n 1 ) - C ( n )2 0, we have

(3.4)

I n* < co)

+

whose left-hand side is strictly decreasing to 0. Therefore, we have the following result: (i) If J," F(t)dW(t) s / ( c f - c1) then n* = 0. (ii) JOwF(t)dW(t) > s / ( c f - c1) then there exists a unique minimum n* (1 I n* < co) which satisfies (3.5).

Example 3.1. When W ( t )= 1 - e-wt and F ( t ) = 1 - e P x t , equation (3.5) is

352 If w / ( w + A) > s / ( c f - c1) then there exists a positive number n* (1 5 n* < m). Table 3.1 gives the optimal number n* of units for s / ( c f - c1) and A/w. Table 3.1. Optimal number n* of units Sl(Cf

- Cl)

0.1 0.05 0.01

9

4 12

2 11

4. Expected Number of Failures

We are greatly interested in the expected number of failures during ( O , t ] . When failures occur a t a non-homogeneous Poisson process with an intensity function h ( t ) , the expected number of failures is H ( t ) = Jih(u)du which is called cumulative hazard function. When units are replaced immediately upon failures, i.e., failures occur at a renewal process with distribution F ( t ) , the expected number of failures is M ( t ) which is called renewal function. This section obtain (1) the time that the expected number of failures is k and ( 2 ) the distribution Y = H ( X ) when Pr{X _< t } = l - e - H ( t ) , and investigates their reliability quantities. Further, we apply these quantities to maintenance models.

4.1. Expected number (1) Poisson process Suppose that the failure times x k ( k = 1 , 2 , . . . ) of a unit occur a t a nonhomogeneous Poisson process with an intensity function h ( t )and N ( t ) is the number of failures during (0,t ] . Then, we have the following results [9, 101:

and the mean time t o the k-th failure is

Let z we have

k

be the time that the expected number of failures is k . Then, from (4.2),

353

JXk Xk-1

Xh

h(t)dt = 1 or

h(t)dt = k

(k

=

1 , 2 , . . .).

(4.5)

In particular, when F ( t ) is IFR,

we have that X k 5 % k , and we use it as a n estimator of the mean time to the next failure. For example, when a unit fails at time t , the mean time t o the next failure is about l / h ( t ) . Further, from Theorem 4.4 of [7, p.271, when F is IFR, F ( p ) 2 e-l. Thus,

H ( p ) I H(Zl), i.e., /I 5x11

(4.8)

where 2 1 is called characteristic lzfe and represents the life time that about 63.2 % of units has failed until time 2 1 . Example 4.1. When F ( t ) = 1 - exp(-Xtm), i.e., H ( t ) = A t m , Xk = ( k / X ) m ( k = I , 2, ’ . .) and p = (l/A)mr(ll / m ) . Therefore, we evidently have that (i) 5 1 < p for 0 < m < 1, (ii) z1 = p for m = 1 and (iii) x1 > p for m > 1. = x 1 , p from (4.7) and E ( X j ) from (4.3) Table 4.1 gives x k , :k when for m = 2 and X = 0.01.

+

c:=,

Table 4.1. Comparisons of times of expected number

j=1

1

2 3 4 5 6 7 8

9 10

10.00 14.14 17.32 20.00 22.36 24.49 26.46 28.28 30.28 31.62

10.00 15.00 18.33 21.06 23.43 25.56 27.52 29.34 31.04 32.65

8.86 14.50 17.95 20.74 23.15 25.31 27.29 29.12 30.84 32.46

8.86 13.29 16.62 19.39 21.81 23.99 25.99 27.85 29.59 31.23

354 (2) Renewal process Suppose that failures occur a t a renewal process with distribution F ( t ) . Then, we have the following results [7]: Pr{N(t) = k> = ~ ( ~ ) -( ~t () ~ + ‘ ) ((IC t )= 0 , 1 , 2 , . .

c

(4.9)

w

E { N ( t ) }=

F ( k ) ( t )= M ( t ) ,

(4.10)

k=l

E{X1 + X 2 + . . . + X k } The time

Xk

(4.11)

= kp.

that the expected number of failures is k is given by

M ( x k ) = k , i.e.,

LXk

m(t)dt = k

( k = 1 , 2 , . . . ).

Example 4.2. W h en F ( t ) = l-(l+Xt)e-Xt, M ( t ) = X t / 2 - ( 1 - ~ ” ~ ) / 4 , p and xk is a unique solution of the equation

and x1 => p

(4.12) = 2/X

= 2/X.

4.2. Distribution of H ( X )

The failure time X of a unit has a general distribution F ( t ) = 1 - e--H(t) where H ( t ) is continuous and strictly increasing from 0. Then, Y 3 H ( X ) , which is the expected number of failures until unit’s own life, has the following distribution Pr{Y 5 t } = Pr{H(t) 5 t } = Pr{X 5 H-’(t)} = 1 - exp[ - H ( ~ - ’ ( t ) ) ] = 1 - e-t,

i.e., Y has an exponential distribution with mean 1. Conversely, when Pr{Y 5 t } = 1 - ePt, the distribution of X

(4.13)

= N-’(Y)

Pr{X 5 t> = Pr{H-l(Y) 5 t } = Pr{Y 5 ~ ( t )=}1 - e-H(t).

is (4.14)

Example 4.3. An optimal checking time T* of periodic inspection policy when F ( t ) = 1- ecXt is given by a unique solution of the equation [lo]: XCl

eXT - (1 +AT) = -, c2 where c1 = cost of one check and c2 be the loss cost for the time elapsed between failure and its detection per unit of time. Further, since et N 1 t + t2/2 for small t , we have approximately

+

355

Thus, defining that n(t)= tion times are given by

d-

is the inspection rate, approximate inspec-

which agrees with asymptotic inspection intensity [lo, 111. Example 4.3. A optimal PM (preventive maintenance) time T* of periodic replacement with minimal repair a t failures is given by a solution of the equation [71: T h ( T ) - L'h(t)dt = -, c2 c1 where c1 = cost of minimal repair and c2 = cost of replacement a t time T In particular, when F ( t ) = 1 - exp(-Atm) ( m > I),

X(m - l)(T*)m=

s. c1

Thus, defining that n(t)= ( m - l)X(t)(c1/~2)is the PM rate of a Weibull distribution, optimum PM times are given by

In this case,

where xk is given in Example 4.1.

5. Sequential Maintenance Policies Suppose that a unit has t o operate for an infinite time span. Then, it may be wise t o maintain preventively a unit frequently with its age or the increase of its failure rate. Barlow and Proschan [7] computed the optimal planned times of sequential age replacement for a finite span, using dynamic programming. Further, they showed the optimal inspection policy where checking times are sequent,ially computed from one equation. Nakagawa [ 12, 131 introduced imperfect maintenance

356 and derived optimal sequential policies where the preventive maintenance (PM) is made a t successive times according to the age and failure rate of a unit. This section proposes the sequential maintenance policies where the PM times are successively determined one after another by knowing the previous PM time. We derive optimal sequential maintenance times of periodic and age replacements. 5.1. Periodic maintenance We consider two periodic maintenance policies for a unit in which (1) the PM is done a t planned times and only minimal repair a t failures are made between planned maintenances, (2) the PM is done at some number of failures and minimal repair is made between planned maintenances. (1) Periodic maintenance with minimal repair A unit begins to operate a t time t = 0. The PM of a unit is done a t planned times T k ( k = 1 , 2 , . . . ). When a unit fails, only minimal repair is made between planned maintenances. This is called periodic replacement with minimal repair at failures. Then, the expected cost rate, which is the total expected cost per planned time T I , is [7]

(5.1) where c1 = cost of minimal repair and c2 = cost of maintenance a t time T k . An optimal time T: which.minimizes C(T1),when the failure rate is strictly increasing, is given by a unique solution of the equation:

Tlh(T1)-

1"

C2

h(t)dt = c1

+

Next, the PM is done at time TI T2, given that the P M was done a t time TI. Then, the expected cost rate during the interval (TI,TI T2) is

+

s,

Ti +Tz

C(T21Tl)=

c1

+

h(t)dt c2 (5.3)

T2

Differentiating C(T21T1)with respect to T2 and setting it equal to zero implies

+ + + T k , given that it was

Generally, when the PM is done a t time TI T2 . . . done a t time T2 . . . T k - 1 , the expected cost rate is

+ + +

357 Ti+Tz+. +TI

h(t)dt

+ cz

( k = 1 , 2 , ' . .), (5.5) Tk where To = 0. Differentiating C(Tk lT1, T2,. . . ,Tk-1) with respect to Tk and setting it equal to zero,

C(Tk IT1 TZ, . . . Tk-1 ) 1

Tkh(T1

1

=

+ T2 + . . . + T k ) -

J

Ti+T2+ +Th

c2

h(t)dt = - ( k = 1 , 2 , . . .).

Ti+Tz+

+TALI

c1

(5.6)

Example 5.1. Suppose that F ( t ) = 1 - exp(-Xtm)(m > 1), i.e., h ( t ) = Xmtm-l. Then, an optimal T;*is from (5.2),

(5.7) and from (5.4),

(Ti

+ Tz)m-l[(m 1)Tz -

-

TI]

+ T;" = -.Xc2C l

(5.8)

Letting Q(Tz(T1)be the left-hand side of (5.8), it can be easily seen that Q(OITl) = 0, Q(colT1)= co and

(5.9) Thus, there exists a finite and unique T,'(0 < T,' < co) which satisfies (5.8). Further, we easily have that T,' 2 T; for 1 < m 5 2 and T,' < T; for m > 2. Generally, from (5.6),

+ + Tk)"-l

(TI . . .

[mTk -

(TI + . . . + T k ) ] + (TI+ . . .

+T

c2

~ - I=) ~ .

(5.10)

XCl

There exists a finite TL (0 < TL < co) which satisfies (5.2), and T;*= T,* = . . . = TL for m = 2. (2) Maintenance at N-th failure The P M is done a t Nl-th failure (N1 = 1 , 2 , . . . ) and only minimal repair is made between planned maintenances. Then, the expected cost rate per the mean time to Nl-th failure is from [lo, 141,

358 where p j ( t ) C(N1) 2 0,

= ( [ H ( t ) ] J / j ! } e (~j ~=( 0~ ,)1 , 2 , . . .). 1

From inequality C(N1 + 1) -

N1-1

- 1

It has been shown that there exists a unique minimum which satisfies (5.12) if it exists, when h(t) is strictly increasing. Next, when the PM is done at N1 N2 . . . Nk-th failure, given that it was done at N1 NZ . . . Nk-l-th fa,ilure, the expected cost rate per this interval is

+ + +

+ + +

6. Service Reliability

The theory of software reliability [I51 has been highly developed apart from hardware reliability, as computers have widely spread on many sides. From similar points of view, the theory of service reliability begins to study slowly: Calabria et al. [16] presented the case study of service dependability for transit systems. Masuda [I71 proposed some interesting methodologies of dealing with service from the point view of engineering, and of defining service reliability by investigating its qualities. However, a reliability function of service reliability has not been established yet theoretically. This section tries to make a theoretical approach to define service reliability and to derive its reliability function on one’s way of thinking. 6.1. Service reliability 1

It is assumed that service reliability is defined as the following two independent events: Event 1: Service has N ( N = 0, I, 2 , . . . ) faults at the beginning, which will occur successively, and its reliability improves gradually by removing them. Event 2: Service goes down with time due to faults which occur randomly. Firstly, we derive the reliability function of Event 1: Suppose that N faults occur independently according t o an exponential distribution (1 - e-’It) and are removed. We define the reliability as e - ( N - k ) p l t when k (Ic = 0, 1,2, . . . , N ) faults have occurred at time t . Then, the reliability of Event 1 is given by

359

=

(1 - e-Xlt + e - ( ' l + P I ) t ) N

(N= 0 , 1 , 2 , . . .),

(6.1)

It is evidently seen that Rl(0) = Rl(oo)= 1. Differentiating R l ( t ) with respect to t and setting it equal to zero, we have

Thus, R l ( t )starts from 1 and takes a minimum at tl = (l/p1) ln[(XI + p l ) / X 1 ] , and after this, increases to 1. In general, service has a preparatory time to detect faults, like a test time in software reliability. Thus, it is supposed that service starts initially after a preparatory time t l . Putting t = t tl in (6.1), the reliability of Event 1 is

+

) e-(Xl+Pl)(t+tl) Rl(t) = [l - e- X l ( t + t ~ +

IN .

(6.3)

If the number N of faults is a random variable which has a Poisson distribution with mean 0, Rl(t) is

Next, suppose that faults of Event 2 occur according to a Poisson distribution with mean X 2 , and its reliability is defined by e - ' P z t . Then, the reliability of Event 2 is given by

which is strictly decreasing from 1 t o 0. Therefore, when both Events 1 and 2 consist independently in series, we give service reliability as

R(t) = R l ( t ) R 2 ( t )

= exp{-Oe- X l ( t + t l ) [ l

- e-Pl(t+tl)

]

-

A t ( l - e-"")}.

(6.6)

360 6.2. Service reliability 2 Even if we give service reliability in (6.6), it would be actually meaningless because it has five parameters. Thus, simplifying R ( t ) in (6.6), we define service reliability as

k(t)= (1 - (ye-pl')e--/lz' (0 < a < 1). (6.7) It is evident that k(0)= 1 - a , k(w)= 0, and differentiating k(t)with respect to t and setting it equal to zero, e -'llt

-

1

P2

a P1 + P2

Therefore, we have the following results:

+

(i) I_fa > p2/(p1 p2) then R(t) starts from 1 - a and takes a maximum R(t1) = [~i/(Pi +~2)]e--/l~ at~ti' = (-l/pi) 1n{p2/[a(pl + p 2 ) ] } , and after this, decreases to 0. (ii) If a I p2/(p1 p2) then k(t)decreases strictly from 1 - a t o 0.

+

Figure 6.1 shows k(t)for a

> p2/(pl + p 2 ) .

Figure 6.1.

R(t) for 01

> p2/(p1 + p 2 )

6.3. R e m a r k s

We have derived theoretically two reliability functions of service reliability under hypothetical assumptions. The reliability function R(t)in (6) has many parameters to estimate and is not effective to actual models. The reliability function generally increases firstly and becomes constant for some interval, and after that, decreases

361 gra.dually, i.e., it draws a n upside-down b a t h t u b curve [18]. T h e reliability function i n Figure 6.1 draws generally such a curve. A reliability function of service would be investigated from many kinds of service ways a n d b e verified to have a general curve such as a b a t h t u b one i n reliability theory.

References 1. J. Pukite and P. Pukite, Modeling for Reliability Analyszs, Institute of Electrical and Electronics Engineering, New York (1998). 2. P. K. Lala, Self-checking and Fault-Tolerant Digital Design, Morgan Kaufmann, San Francisco (2001). 3. M. M. Waldrop, Complexity, Sterling Lord Literistic Inc., New York (1992). 4. T. Nakagawa and K. Yasui, Quality in Maintenance Eng., 9, 83 (2003). 5. T. Nakagawa and K. Yasui, Math. and Comp. Modelling, 38, 1365 (2003). 6. T . Nakagawa and S. Osaki, IEEE Trans. Reliability, R-24, 300 (1975). 7. R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, John Wiley & Sons, New York (1965). 8. M. Pinedo, Scheduling Theory, Prentice Hall, New Jersey (2002). 9. T. Nakagawa and M. Kowada, Eur. J . Oper. Res., 12, 176 (1983). 10. T . Nakagawa, Maintenance and Optimum Policy, Handbook of Reliability Engineering (ed. H. Pham), Springer-Verlag, London, 367 (2003). 11. N. Kaio and S. Osaki, d . Oper. Res. SOC.,40, 499 (1989). 12. T. Nakagawa, J . of Appl. Prob., 23, 563 (1986). 13. T. Nakagawa, Imperfect Preventive Maintenance Models, stochastic Models in Reliability and Maintenance (ed. S . Osaki), Springer-Verlag, Berlin, 125 (2002). 14. T.Nakagawa, J . Oper. Res. SOC.Japan, 24, 325 (1981). 15. H. Pham, Software Reliability, Springer-Verlag, Singapore (2000). 16. R.Calabria, L. D. Ragione, G. Pulcini and M. Rapone, Pro. Ann. Relib. and Maintainability Symp. 366 (1993). 17. A. Masuda, J . Relzab. Eng. Assoc. Japan, 237 (2002). 18. J. Mie, IEEE Trans. Reliability, 44, 388 (1995).

This page intentionally left blank

NOTE ON AN INSPECTION DENSITY

T.NAKAGAWA Department of Management and Information Systems, Aichi Institute of Technology, 1247 Yachigwa Yagwa-cho, Toyota 470-0392, Japan E-mail: [email protected]

N. KAIO Department of Economic Informatics, Hiroshima Shudo University, 1-1 Ozukahigashi, Asaminami-ku, Hiroshima 731-3195, Japan E-mail: [email protected]

It has been generally well-known t h a t it would b e practically sufficient to calculate t h e approximate checking times for a n optimal inspection policy. Using an inspection density proposed by Keller, this paper suggests two approximate inspection policies and compare them numerically with t h e optimal one. Further, such a n inspection density is applied to t h e finite interval case, the inspection model with imperfect preventive maintenance and the checkpoint scheme for a database recovery.

1. Introduction

It would be greatly important forever since early times to inspect and detect any failures of units such as standby generators, computers, airplanes, plants and defense systems, and so on. Barlow and Proschan (1965) summarized the schedules of inspections which minimize the expected costs. After that, many papers have been published and were surveyed extensively in Kaio and Osaki (1984), Valdez-Flores and Feldman (1989), and Hariga and Al-Fawzan (2000). On the other hand, Keller (1974) defined n ( t )to be the density of the number of checks at time t , and showed a n easy method of computing approximate checking times. Kaio and Osaki (1984, 1988, 1989) investigated and compared in detail some nearly optimal inspection policies, and concluded that there are not significant differences among them and Keller’s computational method is the simplest. This paper summarizes the known properties of an inspection density and adds some new results. Using such properties for a sequential inspection policy, we get two approximate checking times and compare them numerically. Further, we show that an inspection density can be easily applied to the finite interval, the imperfect preventive maintenance and the checkpoint scheme.

363

364 2. Inspection Intensity

Define that a smooth density n ( t )is the number of checks per unit of time, which is called inspection density (Keller, 1974). Then, we investigate the properties of a function n(t): (1)iFrom the definition of n ( t ) , n(7-)d7represents the number of checks during the interval (0, t]. If a unit is checked at successive times 0 = x o < x1 < . . . < X k < . . . then we have the relation

Ji

JOXk

( k = O , 1 , 2 , . . . ).

n(7)d7=k

(2) iFrom the property ( I ) , we easily have

I:*"

n(.r)d7.=1

( k = O , 1 , 2 ) . . . ).

Thus, if n ( t )is a n increasing function o f t then

and

which gives the upper bound of xk+l for given x k . Further, if x1 is given then the next checking times are approximately computed by the recursive equation

Conversely, if n(t)is a decreasing function o f t then

+

(3) Suppose that the next checking time from any time t is t x. Then, since t is arbitrary, we put formally that the number of checks during ( t ,t x ] is l / 2 , i.e.,

+

Using the Taylor expansion in (7),

So that, we have approximately

x=-

1 2n(t)'

i.e., the next checking time from any time t is about 1/2n(t). Similarly, using the Taylor expansion in (2), it is shown that the next checking time when a unit was checked at time x k is about l / n ( x k ) , which is also derived from ( 5 ) .

365 3. Approximate Inspection Time

An operating unit fails according t o a failure density f ( t ) and distribution F ( t ) . Then, the failure rate is X(t) = f ( t ) / F ( t )and the cumulative hazard is A(t) = X(r)d r , where F ( t ) = 1 - F ( t ) , i.e., F ( t ) = e-n(t). It is assumed that a unit is checked at successive times 0 = 20 < z1 < . . . < %k < . . . and its failure is always detected only through checks. Let c1 be the cost for one check and c2 be the cost per unit of time for the time elapsed between failure and its detection at the next check. Then, using the above properties, we derive approximate checking times. Supposing that the next checking time is t + z when a unit fails at time t, the expected cost is, from (8),

Denoting that

Q ( n ( t ) )= cln(t)F(t)

+c2f ( t ) 2n(t) '

and differentiating Q(n(t))with respect to n(t)and setting it equal to zero, we have

It is easily shown that if X(t) is increasing or decreasing then nl(t) is increasing or decreasing, respectively. Therefore, the approximate checking times are, from (1) and (lo),

I**4 7

I

C2X(t)

dt = k

( k = 1,2, . . . ).

(1) Suppose that a unit is checked at periodic times kx ( k = 1 , 2 , .. . ) and the failure time is exponential, i.e., F ( t ) = 1 - e P X t . Then, the expected cost is, from Barlow and Proschan (1965),

Differentiating with respect to x and setting it equal to zero, we have XCl

(1 +Ax) = -. c2 Hence, a n optimal time x*,which minimizes C(z) in (12), is given by a finite and unique solution of equation (13). Further, since ea M 1 a a2/2 for small a, a solution t o (13) is approximately

+ +

Thus, replacing formally X by X(t) and

d-

by n l ( t ) , (14) agrees with (11).

366 ( 2 ) We can extend the above results as follows: We have approximately exz = 1 Ax (Ax)’/2 E where E 2 ( A z ) ~ / ~ .Substituting this into (13) and solving its equation for x imply

+ +

+

:/

x=

(1

-

z).

Further, putting that in (15),

we have

LFrom the above discussions, denoting a n inspection density by

the approximate checking times are given by

Table 1 gives three checking times of Barlow’s method, Keller’s method in (ll), the approximate method in (17), and the resulting expected costs C for k = 1 , 2 , . . . ,15 when F ( t ) = 1 - e--(t/400)2, c1 = 20 and c2 = 1. Unfortunately, the expected cost of the approximate method in this case is not less than that of Keller’s method, however, the checking times are approaching t o those of Barlow’s method as the checking number becomes large. It would be more necessary t o verify the usefulness of approximate methods from several practical points of views. 4. Inspection Time for a Finite Interval

A unit has to be operating for a finite interval (0, S],i.e., the processing time of a unit is given by some specified value S (0 < S < m). Then, the total expected cost during the interval (0, S] is, from (9)

Differentiating C ( n ( t ) )with n ( t )and setting it equal to zero, we have (10).

367 Table 1. Checking times x k of Barlow’s method, f k of Keller’s method, ? k of approximate method, and resulting costs C when F ( t ) = 1 - e - ( t / 4 0 0 ) 2 c1 , = 20 and c2 = 1

215

Barlow’s method 220.2 328.8 418.6 498.2 571.1 638.9 702.9 763.6 821.7 877.5 931.1 982.7 1032.2 1079.2 1123.0

xk

Keller’s method P k 193.1 306.5 401.7 486.6 564.6 637.6 706.6 772.4 835.5 896.3 955.1 1012.1 1067.6 1121.7 1174.5

We compute approximate checking times xk (k number N where X N = S. At first, we put that

=

i5k

188.31 297.06 387.57 467.90 541.40 609.85 674.36 735.66 794.30 859.66 905.03 957.66 1008.74 1058.43 1106.86

1 , 2 , . . . ,N ) and checking

and [XI = N , where [XI denotes the greatest integer contained in X . Further, we put that AN = N I X , i.e.,

and we define a n inspection density as

Using (19), we compute checking time xk which satisfies

LXk

n(t)dt = k

(k

=

1,2,.. ., N ) .

(20)

Then, the total expected cost is

+

Next, we put N by N 1 and do a similar computation. At last, we compare l), and choose the small one as the total expected cost.

C ( N ) and C ( N

+

368 Table 2. Checking times x h , expected costs C and approximate checking times i k

N 1

2 3 4 5 6 7 8 9 10 11 12 -

4 198.4 315.0 412.7 500.0

C 98.4 -

500 5 171.0 271.4 355.7 430.9 500.0

101.0

?k

175.9 310.6 411.9 500.0

100.0

S 1000 12 190.8 302.9 396.9 480.7 557.9 630.0 698.1 763.1 825.5 885.5 943.6 1000.0 116.4

11 202.2 320.9 420.6 509.5 591.2 667.6 739.8 808.7 874.8 938.4 1000.0 116.2

il,

242.2 357.1 451.8 536.0 613.2 685.5 753.8 819.0 881.5 941.7 1000.0 116.4

Consider a numerical example when S = 500, 1000 and the other parameters are the same as those of Sec. 3. Then, since n ( t ) = &/(800&), N = 4 and AN = 24/25 for S = 500. In this case, checking times are

( k = 1,2,3,4).

=k

Further, when N = 5, AN = 6/5 and checking times are ( k = 1,2,3,4,5).

k

Table 2 shows the checking times and the resulting costs for S = 500, 1000. LFrom this Table, the optimal checking numbers are N * = 4, 11 for S = 500, 1000, respectively. It is noted that the checking times are almost nearly those in Table 1 for S = 1000. Further, the approximate checking numbers ? k are computed recursively by giving that xk+l = in (5). The expected cost is a from 2 k + l = x k little greater than that of the case of N = 4 and 11, however, these checking times are almost the same as the optimal ones. Thus, if S is large, it would be sufficient to compute checking times x1,22,. . . , xk recursively from equation

+ 9,

by setting that xk+l

=

s

s.

5. Imperfect Preventive Maintenance

Nakagawa (1980, 1984, 1988) considered the maintenance policy in which an operating unit is checked and maintained preventively at times xk ( k = 1 , 2 , .. . ) and the failure rate after maintenance reduces to aX(t) (0 < a 5 1) when it was X ( t )

369 before maintenance. We apply an inspection density to the inspection model with preventive maintenance. Since the failure rate is a"'X(t) for xk-1 < t 5 x k , the approximate checking times are, from (ll),

Next, consider a system with two types of units where unit 1 is like new after every check, however, unit 2 does not become like new and is degraded with time (It0 and Nakagawa, 1995). That is, the system has the failure rate X ( t ) = Xl(t ~ - 1 ) X z ( t ) for xk-1 < t 5 xk. In this model, the approximate checking times are

+

6. Checkpoint Scheme In a database system, constitutions and recovery techniques of files play an important role. Fukumoto, et al. (1992) discussed checkpointing policies for rollbackrecovery which is one of the most general file recovery techniques. When files on a main memory are lost in failure, we reprocess transactions from the latest checkpoint instead of the starting point of the system operation. Checkpoints are respecified time points at which the information of the files is collected in a stable secondary storage. It is important to decide an effective checkpointing policy. Fukumoto, et al. (1992) developed the checkpointing policy as the extension of the inspection one with the inspection density. The following checkpointing and checkpoint are corresponding to inspection and t o checking time, respectively. Model is presented as follows: The kth checkpointing is instantaneously executed a t the checkpoint xk (k = 1 , 2 , 3 , .. . ; xo = 0). The rollback-recovery is executed instantaneously, the recovery action is always complete and the system is restarted immediately. One cycle is defined as the .interval from the start of the system operation t o the restart on the recovery completion, and the cycle repeats itself continually. Furthermore, each parameter is defined as follows: A, is the arrival rate of an update transaction which is reprocessed in rollback-recovery, ps is the processing rate for transactions, where p = X,/ps 5 1, and a, is the ratio of the overhead for checkpointing t o the overhead for reprocessing of the update transactions. The cost attendant on checkpointing is c,, the cost for checkpointing per unit of time is k,, the cost attendant on rollback-recovery is c, and the cost for rollback-recovery per unit of time is k,. We have the expected cost of one cycle by

where n(t)is the checkpointing density in ( l ) , K , have

= k,a,p,

K,

E k,p.

Similarly, we

370 7. Conclusions We have derived two approximate checking times, using the inspection density proposed by Keller, and compared them numerically with the optimal one. Further, we have shown that this method is easily applied t o the finite interval, the imperfect preventive maintenance and the checkpoint scheme. This is very simple and would be easily brought into practice for any inspected systems. It is of great interest that Keller introduced the smooth function for checking times with discrete number. As further studies, it could arouse a high interest in reliability theory to define replacement and preventive maintenance rates, using the notion of an inspection density.

References 1. R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, John Wiley & Sons, New York (1965). 2. S. Fukumoto, N. Kaio and S. Osaki, Optimal checkpointing policies using the checkpointing density, J . of I n f o m a t i o n Processing, 15,87-92. (1992). 3. M. Hariga and M. A. Al-Fawzan, Discounted models for the single machine inspection problem, in M. Ben-Daya, S. 0. Duffuaa and A. Raouf (2000), Maintenance, Modeling and Optimization, Kluwer Academic Publisher, Massachusetts, 215-243 (2000). 4. K. Ito and T. Nakagawa, A n optimal inspection policy for a storage system with three types of hazard rate functions, J. of the Operations Research Society of Japan, 38, 423-431 (1995). 5. N. Kaio and S. Osaki, Analytical considerations of inspection policies, in S. Osaki and Y. Hotoyama (1984), Stochastic Models in Reliability Theory, Springer-Verlag, Berlin 53-71 (1984a). 6. N. Kaio, and S. Osaki, (1984b), “Some remarks on optimum inspection policies”, ZEEE l3-ansactions on Reliability, Vol. R-33, pp. 277-279. 7. N. Kaio and S. Osaki, Inspection policies: Comparisons and modifications, R . A . Z. R. 0. Operations Research, 22, 387-400 (1988). 8. N. Kaio and S. Osaki, Comparison of inspection policies, J. of the Operational Reserach Society, 40, 499-503 (1989). 9. J. B. Keller, Optimum checking schedules for systems subject to random failure, Management Science, 21, 256-260 (1974). 10. T. Nakagawa, Replacement models with inspection and preventive maintenance, Microelectronics and Reliability, 20, 427-433 (1980). 11. T. Nakagawa, Periodic inspection policy with preventive maintenance, Naval Research Logistics Quartevly, 31,33-40 (1984). 12. T. Nakagawa, Sequential imperfect preventive maintenance policies, I E E E Ransactions o n Reliability, R-37,295-298 (1988). 13. T. Nakagawa, S. Mizutani and N. Igaki Optimal inspection policies for a finite interval, The Second Euro-Japanease Workshop on Stochastic Risk Modelling for Finance, Insurance, Production and Reliability, in S. Osaki and N. Limnios (2002), Chamonix, 334-339 (2002) 14. C. Valdez-Flores and R. M. Feldman, A survey of preventive maintenance models for stochastically deteriorating single-unit systems, Naval Logistics Quarterly, 36,419-446 (1989).

AN IMPROVED INTRUSION-DETECTION MODEL BY PROFILING CORRELATED ACCESS DATA

H. OKAMURA, T. FUKUDA AND T. DOH1 Graduate School of Engineering, Hiroshima University, 1-4-1 Kagamiyama, Hagashi-Hiroshima 739-8527, JAPAN E-mail: { okamu, dohi} Orel.hiroshima-.u.ac.jp In this paper, we develop an intrusion-detection (ID) model which statistically detects malicious activities by profiling access data. In the proposed model, we consider two kinds of statistics; long-term profile and short-term profile, which are constructed from audit records of accessing network. In particular, taking account of the correlation of metrics in profiles, we improve the accuracy of detecting malicious activities such as DoS attack. In numerical experiments, our model is evaluated by comparing the ID model in which the correlation of profiles is not considered through actual audit records.

1. Introduction This paper describes statistical intrusion-detection (ID) models' to detect malicious activities by profiling access data. Statistical ID models are constructed with the aim of statistical detection of anomaly on audit records. Many malicious activities such as denial-of-service (DoS) attack and port scanning always leave traces on the network traffic. Even unknown malicious activities leave traces on the network traffic with no exception, because they are usually performed through the Internet. Thus the ID models which detect anomaly statistically from audit records will be useful t o unknown malicious activities. In the statistical ID models, the detection of anomaly is performed by comparing the stationary behavior of audit records with recent sampling records. That is, we test whether the recent records are sampled from the stationary probability distribution for audit records. The stationary distribution is usually unknown and is substituted by empirical distribution, i e . , the frequency table of received audit records. The frequency table is called the long-term profile. On the other hand, the recent records also generate a frequency table, which is called the short-term profile. In the statistical ID models, the detection of anomaly is, in short, to compare the long-term profile and the short-term profile which are generated from audit records. Ultimately, ID models can be classified by the ways of generating and comparing profiles. In this paper, we first introduce an existing method of generating profiles and point out a theoretical problem for the existing method. More precisely, taking account of the correlation of several profiles, we improve the accuracy of detecting

371

372 malicious activities such as DnS attack. Furthermore, the comparison method of profiles is also improved in viewpoints of statistical analysis. In numerical experiments, we evaluate the accuracy of detectionability for the proposed models by comparing through actual audit records. 2. Statistical ID Model 2.1. Generating profiles

Profiles are historical records on network ports of targeted hosts and can be regarded as frequency tables in traditional statistical analysis. That is, during pre-specified time interval, when the audit records are received, we count the frequency in the corresponding class of audit range. For instance, consider the profile on the number of inbound packets with three classes of range [0, loo), [loo,200) and [20O, co). When an audit record on the number of inbound packet exhibits 5 5 , the frequency in the first class, which has the range [0,loo), increases. However, in the case of usual frequency tables, the frequency table will overflow, because the frequency does not decrease. Iguchi and Goto’ thus use the method of generating profiles which is based on the NIDES statistical component developed by SRI International3. The method is efficient in terms of memory used. More specifically, let p , denote the profile gerierated from the first i audit records. Given the frequency vector f,+l on the (i 1)-st record, the profile is updated in the form:

+

Pz+1

+

= ffP, fz+l3

(1)

where 0 < a: < 1 is the decay rate for the profile. This formula provides the weighted mean of audit records, and a: is often called the aging rate. Essentially, in the algorithm, the memory required is only the current profile p , and, in addition, the profile will not overflow if the sequence of audit records is stationary. Iguchi and Goto’ consider the profiles on network ports, and select the following metrics t o detect malicious activities from the audit records. 0 0

0

0

Total duration time of a connection Total numbers of inbound/outbound packets received/sent through a connection Total numbers of inbound/outbound bytes received/sent through a connection Overall bytes per packet rate inbound/outbound through a connection

The terms inbound/outbound mean respective directions from the targeted host. Of course, these are representative metrics to characterize the activities on network. Iguchi and Goto’ generate the profiles under the condition that all the metrics are independent. However, in fact, we observe several strong correlations between total number of inbound packets and total numbers of inbound bytes. In this point, the existing method does not function well, and should be improved from the statistical

373 points of view. As a result, we expect to guarantee the high accuracy in detecting malicious activities. Consider the profiles with correlation of metrics. Suppose that there are m kinds of metrics on an audit record. The problem in Iguchi and Goto' method is caused by using the frequency vector fz+l. That is, the assumption that the frequency is given as a vector violates the correlation of metrics in the profiles. Therefore, we assume that the frequency of metrics is given by a multidimensional matrix with m dimensions (m-dimensional tensor). By using the improved frequency matrix, we can generate the profiles with the correlation. Let F , and P , denote the frequency and profile matrices which are multidimensional matrices with m dimensions, respectively. Similar to the frequency vector, we count the frequency in the corresponding class of audit range. In the existing argument, profiles are generated for respective metrics and an audit recored is classified into a class in the corresponding profile by the metric. To the contrary, in our model, the audit records are classified by taking account of all the metrics. For example, suppose that an audit record with 50 inbound packets and 2000 inbound bytes and that the profile are divided into the classes, the ranges [O, loo), [loo, 200) and [200, a)on the number of packets, and the ranges [O, 1000), [lOOO, 5000), [5000,m) on the number of bytes. Then the corresponding class for 50 inbound packets and 2000 inbound bytes is the class of [0, 100) packets and [1000,5000) bytes. On the update of profiles, we propose the following two formulas: 0

0

Time-independent method: Similar t o Eq. (l),update the profile with the decay rate 0 < a < 1.

Time-dependent method: The profile is updated by the decay rate e d t . That is,

where fl (> 0) is the continuous decay rate and t is the elapsed time from the last update. These formulas also provide the weighted mean of the audit records, so that the memory required is less and the profile does not overflow. Although the two formulas are quite similar, the difference is remarkable when the audit recored is not received for long time. Lastly, we describe the long-term and short-term profiles. In the generating methods which use the decay rate, the difference between the long-term and shortterm profiles appears in the decay rate. If the decay rate takes a large value, the recent audits are highly weighted. This indicates that the generating profile with high decay rate is regarded as the short-term profile. Thus, to generate both longterm and short-term profiles, we assume that a1 < as and f l l > ,&, where cq and

374 ,@ are corresponding to the long-term profile, and a, and profile.

ps are to the short-term

2.2. Statistical detection of anomaly

To compare the long-term and short-term profiles, the traditional statistical test is performed. For example, in Iguchi and Goto’, they adopt the well-known chi-square test. The chi-square test can be summarized as follows. Let 1 = ( 1 1 , . . . , In) and s = ( ~ 1 ,. .. , s,) be the long-term and short-term profiles for a metric with n classes, respectively. Then the chi-square statistic is given by

where n

This represents the squared error between the original sample and its expected value. In the traditional way, the hypothesis test is performed. First, we set the null hypothesis: 0

Ho: The long-term and short-term profiles are the frequency tables which are generated from the same probability distributions.

Under this hypothesis, it is well known that x i given by Eq. (4) follows the chisquare distribution with n - 1 degrees of freedom. When the test is significant at 0.05, we compare x i with ~’(n1,0.05),where ~’(n1,0.05) is the 0.95 percentile on the chi-square distribution with n - 1 degrees of freedom. If x i < ~ ’ ( n 1,0.05), then Ho is accepted, otherwise, Ho is rejected, z.e. the anomaly is detected. However, it is difficult to select the appropriate significance for the detection of anomaly. Thus we use the so-called pvalue instead of the level of significance. The p-value is defied as the probability that the null hypothesis is rejected, and therefore provides the probability of anomaly. Furthermore, since we take account of the correlation of metrics in the model, the chi-square statistic is just a little bit different from Eq. (4). Let L and S be the long-term and short-term profiles which are multidimensional matrices with m dimensions, respectively. The i-th metric is divided into n,classes , respectively. In our and the elements of L and S are given by lZl, and szl, modeling framework, the chi-square statistic is given by ,,?,,

375 where

Finally, the pvalue, which is the probability of anomaly, is given by

where I?(.) is the standard gamma function. In Eq. (8),the parameter f denotes the degrees of freedom and is derived by f = (nl x . . . x n,) - 1. 3. Evaluation Test

In this section, we evaluate the detectionability of malicious activities based on the statistical ID model through the actual access data. The access data is collected by an I P transaction audit tool called Argus". The targeted host is installed in the Department of Information Engineering, Hiroshima University, Japan. The audit records are collected from 9/2/2003 to 10/1/2003. The total number of records is 27291. We select the following four metrics: The numbers of inbound/outbound packets received/sent through a connection The numbers of inbound/outbound bytes received/sent through a connection In this experiment, we make the following scenario: 0

Scenario: A malicious user sends a lot of misused packets instantaneously to the mail server. That is, the host undergoes DoS attack.

Figure 1 depicts the records observed during the audit period. In particular, this shows the numbers of inbound and outbound packets for each audit record. In the figure, a pattern of DoS attack appears in the period from the 16303-rd record to the 20685-th record. To detect the DoS attack by the statistical ID model, we first define the ranges of classes for the metrics. Both the numbers of packets and bytes are divided into three classes. On the numbers of inbound/outbound packets, we have [0, lo), [lo, 20) and [20,03). On the numbers of inbound/outbound bytes, the classes are given by [0, lOOO), [lOOO, 3000) and [3000, m). Thus, in our model, there are 34 classes due to the combination of them. Profiles are generated by the two methods: time-independent method (Method I) and time-dependent method (Method 11). To evaluate the improvement on accuracy, we compare our methods with the existing aArgus Open Project - the network audit record generation and utilization system, http://ww.qosient.com/argus/

376

Figure 1. The numbers of inbound and outbound packets.

Figure 2.

The probability of malicious activities in Method I

detection method by Iguchi and Goto’ (Method 111). In Method 111, we use Eq. (1) to update the profiles. Also, in Methods I, I1 and 111, the decay rates are given as follows. 0 0 0

Method I: cq = 0.9999 and a, = 0.9998 and 0,= 1.2 x lop4 M e t h o d 11: /3l = 3.0 x M e t h o d 111: Q I= 0.99990 and a , = 0.99988.

Figures 2-4 demonstrate the probabilities of anomaly in Methods I, 11 and 111, respectively. In these figures, x-axis and y-axis denote the number of an audit record and the probability of anomaly, respectively. When the probability of anomaly is higher, the probability that the host undergoes the malicious activities is also higher. In the experiments, if the probabilities of anomaly are 1 during the period of DoS attack and are equivalent to 0 in the other period, the best detection could be achieved. In this point, we find that Method I1 can execute the most accurate detection. In order to evaluate the accuracy quantitatively, we introduce the falsepositive and false-negative probabilities for three methods. The false-positive and

377

Figure 3.

The probability of malicious activities in Method 11.

Figure 4.

The probability of malicious activities in Method 111.

false-negative probabilities are defined as follows. 0

0

False-positive probability: This is the probability of misleading the decision that the host undergoes malicious activities but the host does not undergo malicious activities actually. False-negative probability: This is the probability of misleading the decision that the host does not undergo malicious activities but the host undergoes malicious activities actually.

In our experiments, the false-positive probability is estimated by the time average on the probabilities of anomaly during the period in which the host does not undergo the DoS attack. On the other hand, the false-negative probability cannot be directly computed from the probabilities of anomaly. Thus we consider the true-positive probability, which is defined as the probability of the correct decision when the host actually undergoes malicious activities. The true-positive probability is given by the time average on the probabilities of anomaly during the DoS attack. Finally, the false-negative probability is calculated by 1 - (true-positive probability). Table 5

378 Figure 5. The

false-positive and false-negative probabilities

Method I Method I1 Method I11

false-Dositive mob. 0.1215 0.0222 0.1275

for three methods.

false-negative mob. 0.0613 0.0442 0.3475

presents the false-positive and false-negative probabilities for three methods. From this table, we also find that Method I1 gives the most accurate results in terms of detectionability of the anomaly. Furthermore, Method I11 provides the low accuracy of detection. Therefore, we conclude that the detection of anomaly can be improved by considering the correlation of metrics. 4. Conclusions

In this paper, we have considered the statistical ID models t o detect malicious activities based on the profiles of network ports. In particular, taking account of the correlation of several metrics in profiles, we have improved the accuracy of detecting anomaly. In numerical experiment, our methods are compared with the existing method. As a result, t h e profiles which are generated with the correlation of metrics can provide more accurate detection of anomaly, so that it can be concluded that our model i s effective t o detect malicious activities on network. In future, we will develop the method t o generate the profiles which include the information of accessing ports. Moreover, the Bayesian network will be applied to the detection methods by considering many factors which are caused by malicious activities.

Acknowledgments This research was partially supported by the Ministry of Education, Science, Sports and Culture: Grant-in-Aid for Young Scientists (B), Grant No. 15700060 (20032004) and Exploratory Research, Grant No. 15651076 (2003-2005).

References 1. D.E. Denning, An intrusion-detection model, IEEE Transaction o n Software Engineering, SE-13, pp. 222-232, 1987. 2. M. Iguchi and S. Goto, Detecting malicious activities through port profiling, IEICE Transaction o n Information and Systems, E82-D, pp. 784-792, 1999. 3. H.S. Javitz and A. Valdes, The NIDES statistical component: description and justifi-

cation, Technical Report, SRI International, California, 1994.

DEPENDENCE OF COMPUTER VIRUS PREVALENCE ON NETWORK STRUCTURE - STOCHASTIC MODELING APPROACH

H. OKAMURA, H. KOBAYASHI AND T. DOH1 Department of Information Engineering, Graduate School of Engineering, Hiroshima University, 1-4-1 Kagamiyama, Higashi-Hiroshima 739-8527, JAPAN E-mail: { okamu, dohi}Orel.hiroshima-2l.ac.jp Computer virus prevalence is a severe problem in the Internet. Recently, several researchers devote to analyze the phenomenon of computer virus prevalence. Kephart and White (1991, 1993) propose the concept of Kill Signal which means a warning signal of influence of computer viruses, and analyze the temporal behavior of computer virus prevalence by using ordinary differential equations. However, the deterministic model based on differential equations cannot distinguish the difference of computer virus prevalence depending on network structures with terminals. In this paper, we develop a stochastic model to evaluate the computer virus prevalence. The proposed model focuses on the infection of computer virus for each terminal, and can evaluate dependence of viral prevalence on network structures. We reveal quantitatively characteristics of network structures on computer virus prevalence.

1. Introduction

The Internet plays an important role in information technology. Because of growth of the Internet, we can communicate easily with a number of users in the Internet. On the other hands, the Internet gives us some social problems. Among them, the computer virus prevalence is the most severe problem. Since the damage caused by the computer virus is growing day by day, its activities are becoming more and more malicious, such as a Denial of Service attack, etc. In the research area on computer virus prevalence, there are two main topics: security issue and assessment. The objectives of security issue are, in short, to develop the security system which can prevent the influence of computer virus and to reduce the damage caused by computer virus. Okamoto and Ishida' develop an anti-virus system which can remove the computer virus autonomously. Badhusha et aZ.* discuss the effectiveness of updating virus pattern files in an anti-virus system. On the other hand, in the area of assessment of computer virus, several researchers devote t o analyze the phenomenon of computer virus prevalence. Thimbleby et aL3 develop a computer virus model based on Turing machine, and describe the characteristics of the computer virus qualitatively. Kephart and White4i5 propose that the concept of Kill Signal, which means a warning signal of influence of com-

379

380 puter viruses. They analyze the temporal behavior of computer virus prevalence by using a deterministic model based on ordinary differential equations. Similar analyses based on differential equations are made by Kephart6 and Toyoizumi and Kara7. They also propose the various types of computer virus model. For instance, Toyoizumi and Kara7 introduce the idea of predators which can combat malicious computer viruses. The analysis based on differential equations is essentially deterministic. In fact, since the computer virus prevalence involves some uncertain factors arising in their prevalence and removal, the deterministic models have a limitation to describe the behavior of computer virus prevalence. The computer virus model, taking account of the probabilistic behavior, are developed by Wang et aL8 , Billings et al.' , Wierman et aZ.1° and Kobayashi e t d.". Wang et aL8 simulate the computer virus prevalence and evaluate the security policy based on the simulation. Also, Kobayashi et al." propose a stochastic model based on the continuous-time Markov chain to represent the computer virus prevalence, and characterize the quantitative properties of computer viruses by measures derived from the model. However, in both deterministic and stochastic models mentioned above, the difference of viral prevalence depending on network structures of terminals cannot be represented due to the assumption that any terminal connects t o all the terminals. In this paper, we develop a stochastic model t o evaluate computer virus prevalence. The proposed model focuses on the infection of virus for each terminal, and can investigate the dependence of viral prevalence on network structures. Based on the proposed computer virus model, we reveal quantitatively characteristics of network structures on computer virus prevalence. 2. Computer virus model

2.1. Kephart and White ( K W ) model Kephart and White4,5 develop a computer virus model based on ordinary differential equations, and introduce the concept of Kill Signal (KS). KS can be regarded as a warning signal for influence of computer virus. For example, consider the situation where a terminal is infected with the computer virus. When the terminal cleans and removes the computer virus, the terminal is never infected with the same virus in general, that is, it has immunity t o the computer virus. Also, when the computer virus is removed, the infected terminal sends warning signals to its neighbors. If the neighbors have been already infected with the computer virus, the computer viruses can be removed after receiving the warning signal. Kephart and White5 define KS as the immunity t o computer virus and, at the same time, the warning signal on influence. Let n ( t ) and m(t)denote the number of infected terminals and the number of the terminals with KS at time t , respectively. Kephart and White5 describe the temporal behavior of viral prevalence by the following differential equations:

Mi)Pn(t){K- n ( t ) - m ( t ) } - bn(t) - PJi(t)m(t),

-dt

-

381

+

d m ( t ) - P,.m(t){K - m ( t ) } bn(t) - b,.m(t),

--

dt

where K is the total number of terminals, p is the infection rate of computer virus, b is the removal rate of computer virus, PI.is the spread rate of KS and 6,, is the disappearance rate of KS. This virus model by Kephart and White5, of course, can represent the temporal behavior of viral prevalence, but just gives an average trend of computer virus prevalence. Note that the viral prevalence is in fact random and uncertain. In addition, since their model implies the rather strong assumption that any terminal connects to all the terminals, we cannot analyze the actual computer virus prevalence depending on network structure by using it. Taking account of the adjacency of terminals, we develop a stochastic model to represent the computer virus prevalence. 2.2. stochastic model with adjacency

To represent the fluid of computer virus in detail, we develop a stochastic model of computer virus with KS. First of all, we consider a simple example consisting of three terminals. Consider three terminals which are connected as in Figure 1. Let X A ( t ) , xB(t) and xC(t) be the probabilities of infection for respective terminals a t time t. To simplify our analysis, it is assumed that KSs are not sent t o the terminals at all. Under this assumption, we derive the probability of infection in Terminal A at time t + At, namely, xA(t + A). Since no terminal sends KSs to the others, Terminal A is naturally infected at t + At whenever Terminal A is infected with computer virus at time t. On the other hand, if Terminal A is not infected at time t , the probability of infection in Terminal A at time t At depends on the infection in Terminals B and C. For example, in the situation where both Terminals B and C have been already infected, let p denote the probability that an infected terminal influences other terminals. Then the conditional probability of infection in Terminal A is given by 1 - (1- P ) ~ Similarly, . by taking account of all the cases of infection in Terminals A, B and C, we can derive

+

r A ( t + At) = ( 1 - q ) r A ( t ) f ( 1 - K A ( t ) ) { p x B ( t ) ( l- r C ( t ) )

+P(l

-

+ ( 1 - (1 - PI2) n o ( t ) r c ( t ) } ,

TB(t))TC(t)

(3)

where q is the removal probability of computer virus. Hence it is immediate to obtain nA(t

+ At) - n A ( t )

= -qnA(t)

+ (1 - T A ( t ) ) { p r B ( t )+ p r C ( t )

-p2xC(t)nB(t)}.

(4)

Suppose that the probabilities of infection and removal of computer virus are proportional to the time difference. That is, define p = /?At and q = b a t . By taking

382 Connection

Terminal B

Connection

Terminal A

Terminal C

Figure 1. Simple network configuration.

At

--t

0, we get the differential equation which governs the infection:

d

-7TA(t) dt

= -bTA(t)

+ p { T B ( t ) + zC(t)}(l - r A ( t ) ) .

(5)

We can derive the differential equations gvering the other probabilities as follows:

Roughly speaking, the differential equations for infection probabilities are composed with the sum of infection probabilities in directly connected terminals. Next, we expand the above result to a general case. Let v(t)be the column vector of probabilities, with the i-th component representing the probability that the i-th terminal is infected with computer virus at time t . Similarly, let p ( t ) be the column vector of probabilities, with the i-th component representing the probability that the i-th terminal keep KS at time t . To represent connectivity structure of the terminals, define the adjacency matrix C . When the i-th terminal connects to j - t h terminal, the (i,j)-element in C is given by 1. Then we derive the following differentia3 equations: d v( t ) - P{1 - v ( t )- p ( t ) } T C v ( t )- 6v(t)- P r v ( t ) T C p ( t ) ,

dt

where 1 is the column vector of 1s and T denotes the transpose of vector. Solving these differential equations under initial conditions v(0) = Y O and p(0) = po, we obtain the expected number of infected terminals and the expected number of terminals receiving KS as v(t)'l and ~ ( t ) ~respectively. l , Figure 2 shows the behavior of number of infected terminals in KW and the proposed model, where the adjacency matrix is given by 0 1 .'. 1 1 1 0

C= 1 0 1 1 1 ..' 1 0

383

Figure 2. Comparison between the KW model and the proposed model (high connectivity case; K = 5, p = 0.2, 6 = 0.2, 9,.= 0.0, 6, = 0.0).

Figure 3. Comparison between the KW model and the proposed model (low connectivity case; = 0.0). K = 5, p = 0.2, 6 = 0.2, flT = 0.0,

This means that all the terminals are connected t o each other. In this case, we can find just a little difference in the number of infected terminals, by comparing both models. Figure 3 also illustrates the time-dependent property of number of infected terminals. In this figure, the adjacency matrix is given by

c=

[ I: :

I).

0 1 0 0 ... 0 0

It can be found from Figure 3 that the expected number of infected terminals in our model is less than the number in the KW model. This is because the network connectivity in the proposed model becomes lower by changing the adjacency matrix. Consequently, the network structure, namely, the adjacency of terminals, strongly affects the computer virus prevalence, but the KW model cannot represent

384

Figure 4. Configuration of tree structure.

Figure 5.

Configuration of lattice structure.

the difference depending on network structures at all. 3. Computer virus prevalence on different network structures

We investigate the dependence of computer virus prevalence on network structures, by comparing two differently configurated network structures. Here we focus on two specific structures: tree structure and lattice structure. Figures 4 and 5 depict the configuration of these two network structures under consideration. In both figures, the circles (nodes) denote the terminals and, in particular, the filled circles represent the terminals infected with computer virus. In the tree structure, the root node is connected to 4 child nodes. Since each child node has 5 grandchild nodes, there are totally 25 nodes which correspond to terminals. In the lattice structure, one node has usually 4 adjacent nodes. For instance, for 5 x 5 lattice, there are the same number of terminals as in Figure 4. Furthermore, we assume the following parameters: the infection rate of computer virus p = 0.2, the removal rate of computer virus 6 = 0.2 or 0.8, the spread rate of KS p, = 0 and the disappearance rate of KS 6, = 0. In this example, the parameters related to KS are assumed to be pT = 0 and 6,. = 0, so that the activity of KS is simply limited to the immunity from computer virus because our main concern is the computer viral prevalence on different network structures. Figures 6 and 7 show the numbers of infected terminals in both tree and lattice structures. More precisely, the expected number of infected terminals in Figure 6 is calculated by solving the differential equations (8) and (9) numerically. The cumulative number of infected terminals in Figure 7 is numerically calculated as the sum of the number of infected terminals in Figure 6, say, v ( t ) T l d t . From these results in both cases with 6 = 0.2 and 6 = 0.8, the number of infected terminals in the tree structure is less than that in the lattice one. In the case where the removal rate is relatively low, namely, the computer viruses widely spread, the difference between tree and lattice structures becomes remarkable. This result is due to the

sow

385

Figure 6.

The number of infected terminals on both tree and lattice structures.

I

Figure 7.

I

The cumulative number of infected terminals on both tree and lattice structures.

fact that the viral prevalence on the tree network is slower than that on the lattice network. 4. Conclusion

In this paper, we have developed a stochastic model to investigate the dependence of viral prevalence on network structures of terminals, and have compared two different network structures. In the proposed model, we have introduced the probability of infection on each terminal, so that we have described the computer virus prevalence by applying the adjacency matrix which represents the connectivity structure for all terminals. In numerical examples, we have compared with different two network structures; tree structure and lattice structure, as typical network topologies. It is concluded that, for the tree network structure, the viral prevalence is restrained. This is because the connectivity of tree network is less than that of lattice network. In other words, it takes long time for a terminal infected by computer virus t o influence all terminals in the network. However, this result also implies that it takes long time even for KS spreading.

386 In future, we will perform the sensitivity analysis of computer virus prevalence on various network structures. In particular, the effective security policy for computer virus prevalence will be developed by estimating the influence of one node in terms of network safety.

Acknowledgments This research was partially supported by the Ministry of Education, Science, Sports and Culture: Grant-in-Aid for Young Scientists (B), Grant No. 15700060 (20032004) and Exploratory Research, Grant No. 15651076 (2003-2005).

References 1. Okamoto, T. and Ishida, Y.: A distributed approach to computer virus detection and neutralization by autonomous and heterogeneous agents, Proceedings of the 4th International Symposium on Autonomous Decentralized Systems, pp. 328-331 (1999). 2. Badhusha, A., Buhari, S., Junaidu, S. and Saleem, M.: Automatic signature files update in antivirus software using active packets, Proceedings of the ACS/IEEE International Conference on Computer Systems and Applications, pp. 457-460 (2001). 3. Thimbleby, H., Anderson, S. and Cairns, P.: A framework for modelling Trojans and computer virus infection, The Computer Journal, Vol. 41, No. 7, pp. 445-458 (1998). 4. Kephart, J. 0. and White, S. R.: Directed-graph epidemiological models of computer viruses, Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 343-359 (1991). 5 . Kephart, J. 0. and White, S. R.: Measuring and modeling computer virus prevalence, Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 2-15 (1993). 6. Kephart, J. 0.: A biologically inspired immune system for computers, Proceedings of International Joint Conference on Artificial Intelligence, pp. 20-25 (1995). 7. Toyoizumi, H. and Kara, A.: Predators: good will codes combat against computer viruses, presented at ACM SIGSAC New Security Paradigms Workshop (2002). 8. Wang, C.: Knight, J. C. and Elder, M. C.: On computer viral infection and the effect of immunization, Proceedings of 16th Annual Computer Security Applications Conference, pp. 246-256 (2000). 9. Billings, L.; Spears, W. M .and Schwartz: I.B.: A unified prediction of computer virus spread in connected networks, Physics Letters A , Vo1.297, pp. 261-266 (2002). 10. Wierman, J . C. and Marchette, D. J.: Modeling computer virus prevalence with a susceptible-infected-susceptible model with reintroduction, Computational Statistics and Data Analysis, Vo1.45, pp. 3-23 (2004). 11. Kobayashi, H.: Okamura, H. and Dohi, T.: Characteristic analysis of computer viruses by stochastic models (in Japanese), Journal of IPSJ: Vo1.45, No.5 (2004).

OPTIMAL INSPECTION POLICIES WITH AN EQUALITY CONSTRAINT BASED ON THE VARIATIONAL CALCULUS*

T. O Z A K I ~ T. , DOHI+ AND N. KAIO* Department of Information Engineering, Hiroshima University 1-4-1 Kagamiyama, Higashi-Hiroshima 739-8527, Japan I Department of Economic Informatics, Hiroshima Shudo University 1717 Ohtsuka, Numata-Cho, Asa-Minami-Ku, Hiroshima 731-3195, Japan E-mail: [email protected]. ac.jp / kaio @shudo-u.ac.jp

In this paper we consider inspection problems with an equality constraint over infinite/finite time horizons, and develop approximate algorithms to determine the optimal inspection sequence based on the variational principle. More precisely, the inspection problems with an equality constraint are transformed t o non-constraint problems with the Lagrange multiplier, and are solved by the familiar variational calculus method. Numerical examples are devoted to derive the optimal inspection sequence.

1. Introduction

The inspection policy can be applied t o detect correctively a system failure occurred during the system operation. Barlow e t al. give the mathematical framework to determine the optimal inspection sequence which minimizes the expected operation cost as the sum of inspection cost and system down (penalty) cost. Since their inspection algorithm is difficult for use and is not always stable for computing the inspection sequence numerically, several approximate methods are developed in the past literature. Among them, Keller proposes an approximate method in which the mean number of inspections per unit time is described by a continuous function called the inspection density. More specifically, by the methods of calculus of variations, he finds the optimal inspection density minimizing the expected operation cost and derives the optimal inspection sequence based on it. Kaio and Osaki point out the problem for Keller model and reformulate the same problem. This model is quite simple but can be used potentially to some real examples. For instance, Fukumoto e t al. 4 , Ling e t al. apply the inspection model to place the optimal checkpoint for a file system. In this paper, we consider the different inspection problems with an equality constraint over infinitelfinite time horizons, e.g. like a case where personnel costs *This work is supported by the Grant 15651076 (2003-2005) of Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Exploratory Research, and the Research Program 2004 under the Institute for Advanced Studies of the Hiroshima Shudo University, Japan.

387

388 for inspectors are needed. And we develop approximate algorithms t o determine the optimal inspection sequence based on the variational principle. More precisely, the inspection problems with an equality constraint are transformed t o non-constraint problems with the Lagrange multiplier, and are solved by the familiar variational calculus method. The infinite-time horizon problem with a n equality constraint is first formulated by Yamada and Osaki '. However, their formulation involves the same problem as Keller 2 , it has t o be improved along the similar line t o Kaio and Osaki '. Also, we extend the infinite-time horizon model t o the finite-time one. Viscolani develops the variational calculus approach for the optimal inspection problem with finite-time horizon. We also use Viscolani's idea t o formulate the inspection problems with a n equality constraint. Numerical examples are devoted to derive the optimal inspection sequence. Here, we perform the sensitivity analysis of model parameters on the optimal inspection policy and its associated expected cost. 2. Basic Optimal Inspection Policy 2.1. Barlow, Hunter and Proschan Model

Consider a single unit system with sequential inspection over an infinite time horizon. The system operation is started at time t = 0, and the inspection is sequentially executed at time {tl, t 2 , . . . ,t,, . . . }. At each inspection, t j ( j = 1 , 2 , .. .), the condition of the system is inspected immediately, where the cost co (> 0) is needed for each inspection. Failure may occur according t o an absolutely continuous and non-decreasing probability distribution function F ( t ) having density function f ( t ) and finite mean 1 / p (> 0). Upon a failure, it can be detected at only the inspection time performed after it occurred. Since the time period from the failure t o the inspection time is system down time, the penalty cost L ( . ) , which depends on the length of system down time, is incurred. It is assumed with no loss of generality that the function L ( . ) is differentiable and increasing. Then, the problem is t o derive the optimal inspection sequence t, = { t l ,t 2 , t 3 . . . } minimizing the expected cost function:

where t o = 0. Barlow et al. show that the optimal inspection sequence t, is a non-increasing sequence, i e . , tl < t 2 < t 3 < . . . , if the failure time distribution F ( t ) is PF2 (P6lya frequency function of order 2). If there exists the optimal inspection sequence t;, then it must satisfy the following first order condition of optimality:

Since the problem in Eq.(l) is regarded as a nonlinear programming problem, the quasi-Newton method can be applied t o calculate tT, = { t ; ,t;, ' . . } numerically.

389 Nevertheless, it is not so easy to calculate the optimal inspection sequence with higher accuracy, because the solution based on the quasi-Newton method strongly depends on the initial value t l , and the computation algorithm is quite unstable. This fact motivates to develop approximate methods to calculate the optimal inspection sequence. 2.2. Variational Calculus Approach Keller proposes an approximate method t o derive the optimal inspection sequence, based on the variational calculus approach. Let D ( t ) be an absolutely continuous function of time t and denote the number of inspections placed per unit time, where l / D ( t ) means the mean time interval between successive inspections. We call D ( t ) the inspection density in this paper. The expected cost associated with the inspection and the system down are approximately given by cg t D ( z ) d z and

so

r D (~, t)-’

respectively. Define

X ( t )= Keller

L(z)dz % L ( { 2 D ( t ) } - l ) ,

(3)

Ju

(4)

t

D(z)dz, t

2 0.

considers the variational problem to seek the optimal inspection density

with respect to X ( t ) and further derives the optimal inspection density D ( t ) = X’(t) = d X ( t ) / d t . On the other hand, Kaio and Osaki revisit the Keller’s method and give the easier variational problem:

Once the optimal inspection density D * ( t )is obtained, then the suboptimal inspection sequence t& = {tT,tf,. . . } can be calculated, so as t o satisfy the following equation:

3. Optimal Inspection Policies with an Equality Constraint 3.1. Yamada and Osaki Model Yamada and Osaki consider a just a little bit different inspection problem. In the traditional Barlow, Hunter and Proschan problem in Eq. (l),the tradeoff relationship between the inspection cost and the system down cost is taken into account. In actual maintenance practice, however, we are not always aware such a tradeoff

390 relationship. For example, when the number of inspectors is fixed, the allowable level of inspection cost should be fixed. In such a case, the problem should be formulated as the minimization problem of expected system down cost subject t o the constant expected inspection cost. Conversely, we can consider the minimization problem of expected inspection cost subject to the constant expected system down cost. Yamada and Osaki formulate the former problem based on the Keller’s method as

L ( 1/ 2 x / (t)) dF( t ) coX(t)dF(t) = 6,

s.t.

where 6 is a constant and denotes the allowable inspection cost level. In the literature [6], the above problem is solved with the Keller’s original method. For better understanding the problem, we reformulate it in the following:

By introducing the Lagrange multiplier y, the minimization problem with an equality is rewritten as

Then the Euler equation of this problem is given by

Solving the Euler equation with respect t o D(t) yields

where r ( t ) = f ( t ) / F ( t )is the grange multiplier y in Eq.(12) straint in Eq.(9). As a special case, consider the following result is same as

failure rate and L’(t) = d L ( t ) / d t . Finally, the Lacan be determined so as to satisfy the equality conthe linear cost structure L ( t ) = aot Yamada and Osaki ‘.

(a0

> 0). Then

Proposition 3.1: Suppose that L ( t ) = aot. Then the suboptimal inspection sequence is given by t& = { t ; ,t;, . . . }, where rt,

391 and

(14)

4. Further Results Next, consider the minimization problem of expected inspection cost subject to the constant expected system down cost:

where 0 (> 0) is a constant. With the Lagrange multiplier, it is seen that the problem in Eq.(15) is rewritten as

In a fashion similar to Eq.(12), we obtain

where y is determined from Eq.(15).

Theorem 4.1: For the problem in Eq.(15), suppose that L ( t ) = aot. Then the inspection density of the optimal inspection density is given by

Lemma 4.1: Let D6(t) and De(t) be the optimal inspection densitys in Eq.(14) and (17), respectively. Then the solutions for two problems in Eqs. (8) and (15) are same if

Lemma 4.2: Let K6(D6(t))and Ko(Dg(t)) be the minimum expected costs for ) Ke(Do(t))if two problems in Eqs. (8) and (15), respectively. Then, K s ( D & ( t )=

6

= 0.

Theorem 4.2: Two minimization problems in Eqs. (8) and (15) are equivalent if

392 so that

+

is the solution of the problem minoct){Kb(D(t)) K e ( D ( t ) ) } .

5. Finite-Time Horizon Problem

Next, we consider the finite-time horizon problem which is a natural extension of the infinite-time horizon problem given in Eq.(8) or (15). Suppose that the time horizon of operation for the system is finite, say T (> 0). For a finite sequence tN = { t l ,t2,. . . , t ~ }the , optimal inspection problem is formulated as

where N is the integer satisfying N = min{n : tn+l > T } . To simplify the notation, we define t N + l = T in this paper. From Eq.(22), the approximate problem based on the variational calculus approach is given by

1

rT

min

1

X(t)

s.t.

L(l/2X'(t))dF(t) c o X ( t ) d F ( t )= 6.

Applying the Lagrange multiplier method, we have

Similar to Eq.(12), the optimal inspection density D*(t) is given by

as the solution of the Euler equation:

where ,B is a constant satisfying X ( t ) = N .

Theorem 5.1: Suppose that L ( t ) = aot. Then the optimal inspection density with finite-time horizon for the problem in Eq.(22) is given by

393 Table 1. Dependence of shape parameter on the expected cost with infinite-time horizon: ao = 1, co = 1, 7 = 30.

m 1.o

1.1

6=2 expected cost 7.5000 7.2105 6.9636 6.7462 6.5503 6.3708

6=3 expected cost 5.0000 4.8070 4.6424 4.4975 4.3669 4.2472

6=4 expected cost 3.7500 3.6053 3.4818 3.3731 3.2752 3.1854

where ,Ll is determined so as t o satisfy X ( t ) = N .

so T

In Theorem 5.1, for an arbitrary N , we seek P so as to satisfy N = D*(z)dz. For all possible combinations of N , we calculate all ,Ll satisfying p > F ( T ) ,the optimal number of inspections N * , and the corresponding optimal inspection density D *( t ) . On the other hand, the minimization problem with constant system down cost level 0 is formulated as min

J

T

coX(t)dF(t)

iT

X(t) 0

s.t.

L(1/2X'(t))dF(t) = 8.

(28)

Theorem 5.2: Suppose that L ( t ) = sot. Then the optimal inspection density with finite-time horizon for the problem in Eq.(28) is given by

6. Numerical Examples We calculate numerically the optimal inspection sequence and the corresponding expected operating cost. Suppose that the failure time distribution obeys the Weibull distribution:

F ( t ) = 1 - e-(+)7''

(30)

with shape parameter m ( 2 1) and scale parameter 77 (> 0). Then, it can be seen l / m ) , where I?(.) that the MTTF (mean time to faulue) is given by l/p = $'(l denotes the standard gamma function. When rn 2 1 then the failure time distribution is IFR and the optimal inspection policy for Barlow, Hunter and Proschan model in Eq.(l) is given by a non-increasing sequence. Table 1 presents the dependence of shape parameter on the expected operating cost with infinite-time horizon. When the shape parameter increases, the minimum expected operating cost for the problem in Eq.(9) monotonically decreases.

+

394 Table 2. Dependence of shape parameter and CP cost restriction on the minimum expected recovery cost with finite-time horizon (T = 30): ao = l , y , = l , q = 30.

Table 3. Dependence of shape parameter on the expected cost with finite-time horizon (T=60): a o = l , c o = l , q = 3 0 . s=3

6=2

rn 1.o

6=4

expected cost

p

expected cost

p

expected cost

p

5.6865 5.7669

0.8990 0.9301

3.7390 3.9210

0.9816 0.8957

2.8834 2.8834

0.9301

1.1

On t h e other h a n d , Tables 2 a n d 3 show t h e minimum expected operating cost a n d i t s associated parameter p i n finite-time horizon cases with T = 30 a n d T = 60. It c a n be observed that the optimal inspection policy with an equality constraint does not always exist, where NG implies that no inspection policy with the equality constraint exists. As a remarkable difference from the infinite-time horizon case, t h e expected operating cost does not always increase as m becomes larger (see Table

3). References 1. R. E. Barlow, L. C. Hunter and F. Proschan, Optimum checking procedures, Journal of Society for Industrial and Applied Mathematics 11, 1078-1095 (1963). 2 . J. B. Keller, Optimum checking schedules for systems subject t o random failure, Management Science 21, 256-260 (1974). 3. N. Kaio and S. Osaki, Some remarks on optimum inspection policies, ZEEE Pansactions on Reliability R-33,277-279 (1984). 4. S. Fukumoto, N. Kaio and S. Osaki, Optimal checkpointing strategies using the checkpointing density, Journal of Information Processing 15,87-92 (1992) 5. Y . Ling, J. Mi and X. Lin, A variational calculus approach to optimal checkpoint placement, IEEE Transactions on Computers 50, 699-707 (2001). 6. S. Yamada and S. Osaki, Optimum number of checks in checking policy, Microelectronics and Reliability 16,589-591 (1977). 7. B. Viscolani, A note on checking schedules with finite horizon, R.A.I.R.0.-Operations Research 25, 203-208 (1991).

OPTIMAL IMPERFECT PREVENTIVE MAINTENANCE POLICIES FOR A SHOCK MODEL

C. H. QIAN

College of Management Science and Engineering, Nanjing University of Technology, 200 Zhongshan Road North, Nanjing, 210009, China E-mail: qch643l7@njut,edu.cn

K. I T 0 Nagoya Guidance & Propulsion Systems Works, Mitsubishi Heavy Industries, Ltd., Komaki, 485-8561 Japan

T. NAKAGAWA Department of Marketing and Information System, Aichi Institute of Technology, 1247 Yachigusa Yagusa, Toyota, Aichi,470-0392 Japan E-mail: [email protected] This paper applies a preventive maintenance(PM) policy for a used system to a cumulative damage shock model where the P M is imperfect. Shocks occur according to a nonhomogeneous Poisson process. The system is assumed to fail only by degradation, as only when the total amount of damage exceeds a prespecified level K , still the system undergoes only PM where it take the place of replacement and its cost is C K . The system undergoes P M where its cost is co at operating time T , or when the total amount of damage exceeds a level k ( k 5 K ) , whichever occurs first. The expected cost rate is obtained and optimal T' and k* to minimize the expected cost are analytically discussed when shocks occur at a homogeneous Poisson process. Several examples are presented.

1. Introduction Many replacement policies for a new system have been studied by many authors, ie., a new system begin t o operate at time 0, and any systems which operate successively are as good as new after In many real situations, it may be more economical t o use a used system than to do a new one in the case where the cost of PM (overhaul etc.) is much less than the one of replacement. However, each PM seems only imperfect in the sense that it does not make a system like new but younger. The replacement policies for a used nit,^,^ and many types of imperfect PM have been considered.5p13 The first imperfect P M model where PM is imperfect with probability p was con-

396 sidered by Chan and Downs.5 Refs. [9-12] introduced improvement factors in hazard rate or age after PM. Further, Kijima and Nakagawa introduced improvement factors in damage after PM to a cumulative damage m0de1.l~ Cumulative damage models, where a system suffers damage due to shocks and fails when the total amount of damage exceeds a failure level K , generate a cumulative process.14 Some aspects of damage models from reliability viewpoints were discussed by Esary, Marshall and P r 0 ~ c h a n . It l ~is of great interest that a system is replaced before failure as preventive maintenance. The replacement policies where a system is replaced before failure at time T,16at shock N,l7,lSor at damage were considered. Nakagawa and Kijima 21 applied the periodic replacement with minimal repair’ a t failure t o a cumulative damage model and obtained optimal values T * , N* and Z* which minimize the expected cost. Satow et al. applied the cumulative damage model t o garbage collection or incremental backup policies for a databa~e.”?~~ In this paper, we apply a P M policy for a used system to a cumulative damage shock model where the P M is imperfect. The used system as begins to operate at time 0 after PM, the amount of damage at time 0 is ZO. Shocks occur at a nonhomogeneous Poisson process. A system undergoes PM at operating time T , or when the total amount of damage exceeds a level k , whichever occurs first. we obtain the expected cost rate. Further, we obtain optimal T’ and lc* to minimize the expected cost when shocks occur at a homogeneous Poisson process. Several numerical examples are given.

Z19320

2. Problem Formulation

Suppose that shocks occur at a nonhomogeneous Poisson process with an intensity function X(t) and a mean-value function R(t), ie., R(t) = s,”X(u)du. Then, the probability that shocks occur exactly j times during (0, t]is 24

where R(0) = 0 and R ( m ) = 00. Let F j ( t ) denotes the probability that the j-th shock occurs during (0, 11, is given by

F,(t)=XH,(t)

(j=o,1,2,.”) .

(2)

2=3

Then, Fo(t) = 1 and F ( t ) = Fl(t) = 1 - e-R(t). Further, an amount Y, of damage due to the j-th shock has an identical distribution G3(z) G PT{Y, 5 x} (3 = 1 , 2 , . . . ) with finite mean. It is assumed that the Y , to the j-th shock where damage is additive. Then, the total damage 2, 3 ZO= 0 has a distribution

c:=,

Pr{Z,

I z> = G(J)(z)

( j= 1 , 2 , . . . ) ,

(3)

397 and G(’)(z) = 1 for z 2 0, 0 for x < 0, where G ( J ) ( x () j = 1 , 2 , . . . ) denote the j-fold Stieltjes convolution of G(z) with itself. Then, the probability that the total damage exceeds exactly a prespecified level K at j - t h shock is G ( j - l ) ( K )- G ( j ) ( K ) . Let Z ( t ) be the total amount of damage at time t. Then, the distribution of Z ( t ) is given by15 00

i=O

Consider the system which should operate for an infinite time span and assume: When the total damage has reached a prespecified level K by the maker of system, the system must undergoes preventive maintenance (PM) at once, and the PM cost C K is a kind of penalty cost, i e . , it would be greater than scheduled PM cost co because C K includes all its cost resulting from the PM. The PM of system during actual operation is costly and dangerous for the total amount of damage to exceed a level K , then it is important t o determine when to undergoes P M before damage level K . It is better to use the level and operating time as a PM indicator. We make a P M of the system when the total amount of damage exceeds a level k (0 < k 5 K ) , or at operating time T after its installation or previous PM, whichever occurs first. It is also assumed that we discuss optimal P M policies with respect to a used system, i e . , the used system begins to operate at time 0, the amount of damage at time 0 is ZO. Because each P M is imperfect and it may be better t o operate a used system than to do a new one in t h e case where the cost of P M is much less than the one of replacement. Further, a n amount of damage after the PM becomes ZO when it was ZT, Zk or ZK before the P M (ZO < Z T , Z ~5 Z K ) . Then, the the probability PT that the system undergoes P M at time T is

and the probability Pk that the system undergoes PM when the total amount of damage exceeds the level k is

Using the relation rT

Fj+1(T) =

H j ( t ) X ( t ) d t , ( j = 0 , 1 , 2 ,’ ‘ ‘ )

+

t 7)

we have Pk = Cj”=, H j ( T )[ 1 - G(j)( k - Z O ) ] and PT Pk = 1. Let E [ U ]denotes the mean time to the PM. Then, from Eqs. ( 5 ) and (6), we

398 have

It is evident that

J;-"[l - G ( K - zo - u)]dG(j-l)(u)Fj(T)and J G(z where PK = C,"=, u)dG(')(u) = G ( z ) . PR- denotes the probability that the total amount of damage exceeds a level K during (0,T ]at the first shock or at the j -t h shock when the amount of damage was u zo (ZO 5 u zo < k ) at the ( j - 1)-th shock, and as the probability that the P M cost is C K . Thus, the total expected cost E[C] t o P M is

+

+

E [ C ]= CO

+

(CK - C 0 ) P K .

(10)

Therefore, from Eqs. (8) and ( l o ) ,the expected cost rate is

3. Optimal Policy Suppose that shocks occur at a Poisson process with rate A, i.e., A ( t ) = A, = 0,1,2,.. . ) . We discuss optimal values k* and T* which minimize the expected cost C ( T , k ) in Eq.(ll). We have that C ( 0 , k ) = limT,oC(T,k) = 00 for any k (ZO 5 k 5 K ) and C ( c o , K ) = limT.+m,k+K C(T,k ) = X c ~ / [ 1 M ( K - ZO)] where M ( x ) = C,"=, G j ( x ) . Thus, there exists a positive pair (T*,k * ) (0 < T" 5 co,ZO 5 k 5 K ) which minimizes C(T,k ) when M ( K - Z O ) < co. Differentiating C(T,k ) with respect to T and setting it equal to zero, we have

R(t) = At and H j ( t ) = [(At)j/j!]e-" ( j

+

where

Similarly, differentiating C ( T ,k ) with respect to k and setting it equal to zero, we have

399 Noting that G ( K - k)C,"O=,G(j)(lc - zo)Hj(T) < ~ ; " = o ~ ~ - z "-Gt ( o Ku)dG(j)(u)Hj(T), since the function G ( z )is continuous and strictly increasing. We have that there does not exist a positive pair ( T * , k * )(0 < T* < 03,zo < k < K ) which satisfies Eqs. (12) and (14), simultaneously. Thus, if such a positive pair ( T k, * ) exists which minimizes C ( T ,k ) in Eq.(ll), then ( T * ,k*) must be (03, k * ) , (T*, K ) or (T*,to).

3.1. Model 1 First, consider an optimal policy for the model 1, i.e., the system undergoes PM a t operating time T , or first shock occurs, whichever occurs first. Since we put k = to in Eq.(ll), the expected cost rate is

It can be easity see that CI(T) is a strictly decreasing in T , and hence, T; = and C1(00)= XcoG(K - 20) k K [ 1 - G ( K - Z o ) ] .

+

03

3.2. Model 2 Secondly, consider an optimal policy for .the model 2, i.e., the system undergoes PM when the total amount of damage exceeds a level K , or at operating time T , whichever occurs first. Putting that k = K in Eq.(ll), the expected cost rate is

Then, Eq.(12) is simplified as

where

Note that G j f ' ( x ) / G j ( ~ is)strictly decreasing in j . Thus, Q ( T )is strictly increasing in T from Ref.[22] and Q(m) = limT-,, Q ( T ) = 1. Letting U ( T ) be the leftU ( T )= hand side of Eq.(17), we have U ( 0 ) = limT-0 U ( T )= 0, U(M) 3 limT,, & ( ~ o ) [ l + M ( K - ~ o ) ] -=l M ( K - t o ) , U'(T)= Q'(T)Cj"=o G(j)(K-Zo)F>+i(T) > 0. Thus, U ( T )is a strictly increasing function from 0 t o M ( K - Z O ) .

Theorem 3.1. If M ( K - to) > C O / ( C K - cg) then there exists a finite and unique T; (0 < T; < m) which minimizes C 2 ( T ) ,and it satisfies Eq.(17). I n this case, the resulting cost is Cz(T;) = X(CK - co)&(T;). I f M ( K - Z O ) I CO/(CK - C O ) then T; = 00 and c z ( o ~ ) / X= CK/[1+ M ( K - ZO)].

400 Example 3.1. Suppose that G(z) = 1 - e-w”, i.e., G(j)(z) = c,”=j[(pz)i/i!] and M ( z ) = p. Table 1 gives the optimal PM times AT,* and the resulting costs C~(T;)/(XCO) for zo = 100,200, 1/11 = 100,150,200 and C K / C O = 1.1,1.5,2.0 when K = 2000. This indicates that the optimal values of T,* are decreasing with C K / C O , and the costs C2(T$)are increasing with both C K / C O and 1/11. However, they are almost unchanged for zo. For example, when the mean time of shock occurs is 1/X = 1 day, C K / C ~ = 1.5, 1/11 = 100 and zo = 100, the optimal P M time T,* is about 21 days. In this case, ( K - z o ) / ( X / p ) = 19 days, and note that it represents the mean time unit the total amount of damage exceed a level K .

100

200

100

90.9297

0.0550

20.7103

0.0722

16.1504

0.0844

150

328.8639

0.0805

16.5211

0.1080

11.7853

0.1308

200

00

0.1048

15.0183

0.1419

9.8295

0.1767

100

98.6480

0.0579

19.9930

0.0762

15.4359

0.0895

150

502.1780

0.0846

16.1489

0.1138

11.3545

0.1385

200

00

0.1100

14.8692

0.1492

9.5509

0.1867

3.3. Model 3 Next, consider an optimal policy for the model 3, i e . , the system undergoes PM only when the total amount of damage exceeds a level k . putting that T = 00 in Eq. (1l), the expected cost rate is

C3(k) C(T,k) - lim ~

T-cc

-

co

+ (CK

-

co){l

-

G ( K - ZO) 1

+

Jgk-’O[l-

+M(k

-

20)

G ( K - 20 - u ) ] ~ M ( ~ L ) } ’

(19)

Then, Eq.(14) is simplified as (20) Letting V ( k )be the left-hand side of Eq.(20), we have V ( z 0 )= limk--ttoV ( k ) = 0, V ( K ) = M ( K - Z O ) , V ’ ( k ) = [l M ( k - zo)]g(K - k ) > 0, where g(z) = d G ( z ) / d z > 0, since the function G(z) is strictly increasing. Thus, V ( k ) is a strictly increasing function from 0 t o M ( K - zo).

+

40 1

Theorem 3.2. If M ( K - zo) > C O / ( C K - CO) then there exists a finite and unique k* (zo < k* < K ) which minimizes C 3 ( k ) , and it satisfies Eq.(20). In this case, the resulting cost is C3(k*)= X(CK - co)[l - G ( K - k * ) ] .I f M ( K - 20) 5 C O / ( C K - CO) then k* = K and C3(K)/X = c ~ / [ 1 +M ( K - zo)]. In particular, if zo = 0 as the P M is perfect, then this result agrees with the result of Nakagawa.20

Example 3.2. Suppose that G(z) = 1 - e-p”. Then, if p ( K - zo) > C O / ( C K - CO) then there exists a finite and unique k* (20 < k* < K ) which minimizes C s ( k ) ,and it satisfies p ( k - zo)e-p(K-k) = C O / ( C K - CO). Table 2 gives the optimal PM levels k” and the resulting costs C3(lc*)/(Xco) for zo = 100,200, l / p = 100,150,200 and cK/co = 1.1,1.5,2.0 when K = 2000. This indicates that the optimal values of k* are decreasing with cK/co, and the costs C3(k*)are increasing with both C K / C O and l / p . However, they are almost unchanged for 20.

Table 2.

Optimal P M levels k’ and the resulting costs C3(k’)/(Xco) when K = 2000. c K / c o = 1.5

CK/@ = 1.1

CK/CO

= 2.0

to

1Ip

k*

C3(k*)/(Xco)

k*

C3(k*)/(Xco)

k*

C3 (k*)/(Xco)

100

100

1939.0738

0.0544

1786.7753

0.0593

1721.4152

0.0617

150

1967.1609

0.0803

1744.8070

0.0912

1649.6915

0.0968

200

2000.0000

0.1048

1720.2311

0.1234

1597.3833

0.1336

200

100

1944.3650

0.0573

1729.5250

0.0628

1727.3891

0.0655

150

1974.7719

0.0845

1753.3843

0.0966

1658.8677

0.1028

200

2000.0000

0.1100

1731.4950

0.1306

1609.4824

0.1419

Note that C1(T;) = C3(z0) < C3(k*) since lirnk+,,,dCs(k)/dk < 0 and from Theorems 3.1 and 3.2, we have Remark 3.1.

Remark 3.1. If M ( K - 20) > C O / ( C K - CO) then ( T * ,k * ) = (m,k * ) or(T*, k * ) = (T;, K ) . If M ( K - ZO) 5 c o / ( c ~- CO) then(T*, k * ) = ( m , K ) . Compaerd with Tables 1 and 2 , it is found that C3(k*) 5 Cz(T,”);that is, k * ) is better than (T,”,K ) . However, it would be generally easier to check the operating time than the total amount of damage. From this point of view, the time policy would be better than the level policy. Therefore, how t o select among two policies would depend on actual mechanism of a system. (00,

References 1. R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, John Wiley & Sons, New York (1965)

402 2. T. Nakagawa, Optimal preventive maintenance policies for repairable system. IEEE Trans. Reliability, R-26, 168-173 (1977). 3. E.J.Muth, An optimal decision rule for repair vs replacement. IEEE Trans. Reliability, R-26, 179-181 (1977). 4. T. Nakagawa, Optimum replacement policies for a used unit. Journal of the Operations Research Society of Japan, 22, 338-347 (1979). 5. P.K.W.Chan and T.Downs, Two criteria preventive maintenance. IEEE Trans. Reliability, R-27, 272-273 (1978). 6. M.Brown and F. Proschan, Imperfect repair. Journal of Applied Probability, 20, 851859 (1983). 7. D.N.P.Murthy and D.G.Nguyen, Optimal age-policy with imperfect preventive maintenance. IEEE Trans. Reliability, R-30, 80-81 (1981). 8. T. Nakagawa, Optimal policies when preventive maintenance is imperfect. IEEE Trans. Reliability, R-28, 331-332 (1979). 9. C.H.Lie and Y.H.Chun, An algorithm for preventive maintenance policy. IEEE Trans. Reliability, R-35, 71-75 (1986). 10. T . Nakagawa, A summary of imperfect preventive maintenance policies with minimal repair. R A I R O Operations Research, 14, 249-255 (1980). 11. D.G.Nguyen and D.N.P.Murthy, Optimal preventive maintenance policies for repairable systems. Operational Research, 29, 1181-1194 (1981). 12. T . Nakagawa, Sequential imperfect preventive maintenance policies, IEEE Trans. Reliability, 37, 581-584 (1989). 13. M. Kijima and T . Nakagawa, Replacement policies for a shock model with imperfect preventive maintenance, European Journal of Operational Research, 57, 100-110 (1992). 14. D. R.Cox, Renewal Theory, Methuen, London (1962). 15. J. D. Esary, A. W. Marshall and F. Proschan, Shock models and wear processes, Annals of Probability, 1, 627-649 (1973). 16. H. M. Taylor, Optimal replacement under additive damage and other failure models., Naval Res. Logist. Quart, 22, 1-18 (1975). 17. T. Nakagawa, A summary of discrete replacement policies, European J. of Operational Research, 17, 382-392(1984). 18. C.Qian, S.Nakamura and T. Nakagawa, Replacement and minimal repair policies for a cumulative damage model with maintenance, Computers and Mathematics with Applications, 46, 1111-1118 (2003). 19. R. M. Feldman, Optimal replacement with semi-Markov shock models, Journal of Applied Probability, 13, 108-117 (1976). 20. T. Nakagawa, On a replacement problem of a cumulative damage model, Operational Research Quarterly, 27 895-900 (1976). 21. T. Nakagawa and M. Kijima, Replacement policies for a cumulative damage model with minimal repair a t failure, IEEE Trans. Reliability, 38, 581-584 (1989). 22. T.Satow, K.Yasui and T. Nakagawa, Optimal garbage collection policies for a database in a computer system, RAIRO Operations Research, 30, 359-372 (1996). 23. C.Qian, Y.Pan and T. Nakagawa, Optimal policies for a database system with two backup schemes, R A IRO Operations Research, 36, 227-235 (2002). 24. S. Osaki, Applied Stochastic Systems Modeling, Springer Verlag, Berlin (1992).

DETERMINATION OF OPTIMAL WARRANTY PERIOD IN A SOFTWARE DEVELOPMENT PROJECT

K. RINSAKA AND T. DOH1 Department of Inforrnataon Enganeerang, Haroshama Unaversaty, 1-4-1 Kagamayama, Hagasha-Haroshama 739-8527, JAPAN E-mad: ( n n s a k a , dohz) &el. hzroshzma-u. ac.3p

This paper presents a stochastic model to determine the optimal warranty period for a computer software, considering the difference between the debugging environment in the testing phase and the executing environment in the operational phase. The software reliability models based on non-homogeneous Poisson processes are assumed to describe the debugging phenomena for both the environments. We model the operational profile of the software based on the idea of accelerated life testing for hardware products. We formulate the total expected software cost incurred in both testing and operational phases, and derive the optimal software warranty period which minimizes it. Numerical examples are provided to investigate the dependence of model parameters on the optimal warranty policy.

1. Introduction

Product warranty plays an increasingly significant role in both consumer and commercial transactions. The problem for designing the product warranty service has been recognized to be important in terms of customer service, even if the product is rather reliable. From such a background, the stochastic models called warranty models [ 1,2] have been developed in the reliability/maintenance research area. For software developers, it is important to determine the optimal time when software testing should be stopped and when the system should be delivered t o a user or a market. This problem, called optimal software release problem, plays a central role for the success or failure of a software development project. Many authors formulated the optimal software release problems based on various different assumptions and/or several software reliability growth models [3-71. Okumoto et d 3assumed that the number of software faults detected in the testing phase is described by an exponential software reliability model based on non-homogeneous Poisson processes (NHPPs) [8], and derived an optimal software release time which minimizes the total expected software cost. Koch et d4considered the similar problem for the other software reliability model. Bai et aL5 discussed the optimal number of faults detected before the release. It is difficult t o detect and remove all faults remaining in a software during the testing phase, because exhaustive testing of all executable paths in a general pro-

403

404 gram is impossible. Once the software is released t o users, however the software failures may occur even in the operational phase. It is common for software developers to provide the warranty period when they are still responsible for fixing software faults causing failures. In order t o carry out the maintenance during the software warranty period, the software developer has t o continue keeping a software maintenance team. At the same time, the management cost in the operational phase has t o be reduced as much as possible, but human resources should be utilized effectively. Although the problem which determines the software warranty period is important only a very few authors paid their attention t o this problem. Kimura et aLg considered the optimal software release problem in the case where the software warranty period is a random variable. Pham et a1.l' developed a software cost model with warranty and risk costs. They focused on the problem for determining when t o stop the software testing under the warranty contract. However, note that the software developer has t o design the warranty contract itself and often provides the posterior service for users after software failures. Dohi et al." formulated the problem for determining the optimal software warranty period which minimizes the total expected software cost under the assumption that the debugging process in the testing phase is described by a n NHPP. Since the user's operational environment is not always same as the software testing phase, however, the above papers did not take account of the difference between these phases. Some reliability assessment methods during the operational phase have been proposed by some authors [12,13]. Okamura et d i 3represented the operational profile by introducing an accelerated life testing for hardware products. In this paper, we develop a stochastic model t o determine the software warranty period under the assumption that the testing phase is different from the operational phase in terms of debugging phenomenon. First, we formulate the total expected software cost based on the NHPP type of software reliability models. In the special case with the exponential fault-detection time distribution, we derive analytically the optimal warranty period which minimizes the total expected software cost under a milder condition. In numerical examples with real data, we compare three debugging scenarios, say three NHPP models and examine the dependence of model parameters on the optimal warranty policy.

2. Model Description

First, the following assumptions on the software fault-detection process are made: (a) In each time when a system failure occurs, the software fault causing the system failure is detected and removed immediately. (b) The number No of initial faults contained in the software program follows the Poisson distribution with mean w (> 0). (c) Time t o detect each software fault is independent and identically distributed nonnegative random variable with the probability distribution function F ( t )

405 and density function f ( t ) Let { N ( t ) ,t 2 O} be the cumulative number of software faults detected up to time t. From above assumptions, the probability mass function of N ( t ) is given by Pr{N(t) = m }

=

[wF(t)]VWF@)

,

m!

m=0,1,2,....

Hence, the stochastic process { N ( t ) t, 2 0} is equivalent to the NHPP with mean value function w F ( t ) , where the fault-detection rate (debugging rate) per unit of time is given by

r(t)=

f( t ) ~

1- F ( t ) '

Suppose that a software developer releases a software system a t time t o (> 0) to the user or market after completing software testing. The length of the life cycle t L (> 0) of the software is known in advance and is assumed to be sufficiently larger ) the software warranty period. More precisely, than t o . Let tw (0 5 t w 5 t ~denote the warranty period is measured from time t o and expires at time t o tw.The software developer covers to the maintenance cost for the software failures within the warranty period. After the warranty expires, even if an additional system failure caused by a software fault occurs, the software developer does not detect and remove the fault in the out-of-control state. We assume that the penalty cost is incurred for the software developer when the software user encounters the software failure after the warranty expires. Further, we define the following costs:

+

cost to remove each fault in the testing phase cost to remove each fault during the warranty period C L : penalty cost per failure after the warranty period ko: testing cost per unit of time kw:warranty cost per unit of time CO:

CW:

3. Total Expected Software Cost

In this section we formulate the total expected software cost which can occur in both testing and operational phases. In the operational phase, we consider two cost factors; the maintenance cost for the warranty period and the penalty cost caused by the software failure after the warranty expires. From Eq.(l), the probability math function of the number of software faults detected during the testing phase is given by

It should be noted that the operational environment after the release may differ from the debugging environment in the testing phase. This difference is similar to that between the accelerated life testing environment and operating environment for

406 hardware products. We suppose that the elapsed time in the operational phase is proportional t o the time in the testing phase, and introduce the environment factor a (> 0) which expresses the relative severity in the operational environment after the release. Okamura et al.I3 apply the similar technique to model the operational phase of software, and estimate the software reliability through an example of the actual software development project. Under this assumption, note that a = 1 means the equivalence between the testing and operational environments. On the other hand, a > 1 ( a < 1) means that the operational environment is severe (looser) than the testing environment. Then, the probability math function of the number of software faults detected during the warranty period is given by

Since the software developer does not eliminate software faults which appear after the warranty expires, the software reliability growth phenomenon can not be observed in this case. It is assumed that the debugging rate r ( t ) becomes uniform after the software warranty period. Since the debugging rate at time to t w is r ( t o a t w ) , the fault-detection process of the software is expressed by

+

+

4. Determination of the Optimal Software Warranty Period Suppose that the time to detect each software fault obeys the exponential distribution [8] with mean 1/X (> 0). In this case, the total expected software cost in Eq. (6) becomes

We make the following assumption:

(A-I)

CL

> cw > co.

Then the following result provides the optimal software warranty policy which minimizes the total expected software cost.

407

Theorem 4.1. When the software fault-detection time distribution follows the exponential distribution with mean 1/X, under the assumption (A-I), the optimal software warranty period which minimizes the total expected software cost is given as follows: (1) If k w

2 (CL

-

cW)wXae-At", then the optimal policy is tb = 0 with

< ( C L - cw)wXae-Ato and k w > ( c -~cw)wXae-X(tn+atL),then there t, (0 < & t, < exists a finite and unique optimal software warranty period & t L ) , and its associated expected cost is given by

(2) If k w

C(t&) = koto

+ QW

+ cww

(3) If kw 5

(CL -

(1 - e p X t o )k w t >

I

e-A(to+atb)

-

+ c w w [e-Atn

-

I

e-A(to+atb)

e-A(to+atL)l.

(9)

cW)wXaepX(to+atL),then we have tb = t L with

5. Numerical Examples Based on 86 software fault data observed in the real software testing process [14], we calculate numerically the optimal software warranty period which minimizes the total expected software cost. For the software fault-detection time distribution, we apply three distributions: exponential [ 8 ] ,gamma of order 2 [15] and Rayleigh [16] distributions. The probability distribution functions for the gamma and Rayleigh distributions are given by

F ( t ) = 1 - (1+ Xt)e-xt

(11)

and

respectively. Suppose that the software is released t o the user or market at the time point when 70 fault data are observed, namely to = 67.374. Then we estimate the unknown parameters in the software reliability models by the method of maximum likelihood. Then, we have the estimates (&,A) = (98.5188, 1.84e-02) for the exponential distribution, ,;( A) = (75.1746, 6.46224e-02) for the gamma model and (G, 8) = (71.6386, 2.45108e+01) for the Rayleigh model. Figure 1 shows the actual software fault data and the behavior of estimated mean value functions. For the other model parameters, we assume: ko = 0.02, kw = 0.01, co = 1.0, cw = 2.0, C L = 20.0 and t L = 1000.

408 90

80

70 60

30 20 10 0

0

20

40

60

80

100

120

f

Figure 1. The actual software fault data and the behavior of estimated mean value functions.

Table 1 presents the dependence of the environment factor a on the optimal software warranty period tk . As the environment factor monotonically increases, i e . , the operational circumstance tends to be severe, it is observed that the optimal software warranty period t& and its associated minimum total expected software cost C(t&,) decrease for both exponential and gamma models. For the Rayleigh distribution, the optimal software warranty period is always 0, that is, it is optimal t o carry out no warranty program. This is because the goodness-of-fit of the Rayleigh model is quite low. In this situation, it can be expected that a lot of software faults will be detected after the release of product. In Table 2, the dependence of the software testing period t o on the optimal software warranty period tk is examined. For the exponential and gamma distributions, we assume a = 2. On the other hand, for the Rayleigh distribution, a = 0.75. As the testing period t o monotonically increases, it is found that the optimal software warranty period t& decreases drastically, and the associated minimum expected software cost C(t>) first decreases and then increases. This observation is quite natural because with the increase in the testing time, it is always possible t o reduce the total expected software cost. But after the certain testing time period, the software fault can hardly be detected. As a result, the total expected software cost increases. Table 3 shows the dependence of the parameters X and 0 on the optimal software warranty period. As X increases or 0 decreases, it is seen that the optimal software warranty period C& decreases.

409 Table 1. Optimal software warranty period for varying environment factor. Exponential

a

Gamma

Rayleigh

t’w

C(t&)

0.50

669.3

136.1

141.3

83.4

0.0

72.1

0.75

475.6

133.9

102.2

82.9

0.0

72.1

1.00

372.3

132.7

80.9

82.7

0.0

72.1

1.25

307.6

131.9

67.4

82.5

0.0

72.1

1.50

262.9

131.4

57.9

82.4

0.0

72.1

2.00

205.0

130.7

45.6

82.2

0.0

72.1

3.00

144.0

130.0

32.4

82.1

0.0

72.1

Table 2. period.

Optimal software warranty period for varying testing

Exponential

Gamma

Rayleigh

to

t’w

C(t’w)

40

218.7

149.0

59.2

97.0

26.4

60

208.7

134.7

49.2

84.5

0.0

72.8

80

198.7

125.0

39.2

79.9

0.0

72.9 73.6

88.0

100

188.7

118.3

29.2

78.4

0.0

200

138.7

106.7

0.0

79.2

0.0

75.6

300

88.7

106.1

0.0

81.2

0.0

77.6

400

38.7

107.2

0.0

83.2

0.0

79.6

Acknowledgments T h i s work is partially based on t h e financial support by t h e Ministry of Education, Science, Sports a n d Culture: Grant-in-Aid for Exploratory Research, G r a n t

NO. 15651076 (2003-2005). References W.R. Blischke and D.N.P. Murthy, Warranty cost analysis, Marcel Dekker, New York (1994). W.R. Blischke and D.N.P. Murthy, (eds), Product warranty handbook, Marcel Dekker, New York (1996). K. Okumoto and L. Goel, “Optimum release time for software systems based on reliability and cost criteria,” J . Sys. Software, 1315-318 (1980). H.S. Koch and P. Kubat, “Optimal release time of computer software,” IEEE Trans. Software Eng., SE-9 323-327 (1983).

410 Table 3.

Optimal software warranty period for varying model parameters X and

e. Gamma

Exponential

x

t&

C(t&)

Rayleigh

X

ttv

C(t&)

e

tG

qtty)

0.005

714.4

178.3

0.03

124.8

108.0

22.0

0.0

72.4

0.010

375.0

154.3

0.04

88.6

96.3

24.0

0.0

72.1

0.015

252.3

138.6

0.05

66.3

88.6

26.0

0.0

72.2

0.020

188.0

127.6

0.06

51.1

83.8

28.0

1.2

73.4

0.025

148.1

119.8

0.07

40.0

80.8

30.0

7.7

75.2

0.030

120.9

114.3

0.08

31.6

79.1

32.0

14.2

77.4

0.035

101.0

110.3

0.09

25.0

78.2

34.0

20.7

79.7

5. D.S. Bai and W.Y. Yun, “Optimum number of errors corrected before releasing a software system,” IEEE Trans. Reliab., R-3741-44 (1988). 6. W.Y. Yun and D.S. Bai, “Optimum software release policy with random life cycle,” IEEE Trans. Reliab., R-39 167-170 (1990). 7. T. Dohi, N. Kaio and S. Osaki, “Optimal software release policies with debugging time lag,” Int. J. Reliab., Quality and Safety Eng., 4 241-255 (1997). 8. A.L. Goel and K. Okumoto, “Time-dependent error-detection rate model for software reliability and other performance measures,” IEEE Trans. Reliab., R-28206-211 (1979). 9. M. Kimura, T . Toyota, and S. Yamada, “Economic analysis of software release problems with warranty cost and reliability requirement,” Reliab. Eng. 63 Sys. Safe., 66 49-55 (1999). 10. H. Pham and X. Zhang, “A software cost model with warranty and risk costs,” IEEE Trans. Comput., 48 71-75 (1999). 11. T. Dohi, H. Okamura, N. Kaio and S. Osaki, “The age-dependent optimal warranty policy and its application to software maintenance contract,” Proc. 5th Int’l Conf. on Probab. Safe. Assess. and Mgmt. ( S . Kondo and K. Furuta, eds.), 4 2547-2552, University Academy Press Inc. (2000). 12. J . Musa, G. Fuoco, N. Irving, D. Kropfl and B. Juhlin, “Chapter 5: The operational profile,” in Handbook of Software Reliability Engineering (M.R. Lyu ed.), McGraw-Hill, New York (1996). 13. H. Okamura, T. Dohi and S. Osaki, “A reliability assessment method for software products in operational phase - proposal of an accelerated life testing model -,” Electronics and Communication in Japan, Part 3 , 84 25-33 (2001). 14. A.A. Abde-Ghaly, P.Y. Chan and B. Littlewood, “Evaluation of competing software reliability predictions,” IEEE Trans. Software Eng., SE-12 950-967 (1986). 15. S. Yamada and S. Osaki, “Software reliability growth modeling: models and applications,” IEEE Trans. Software Eng., SE-11 1431-1437 (1985). 16. A.L. Goel, “Software reliability models: assumptions, limitations, and applicability,” IEEE Trans. Software Eng., SE-11 1411-1423 (1985).

OPTIMAL INSPECTION-WARRANTY POLICY FOR WEIGHT-QUALITY BASED ON STACKELBERG GAME - FRACTION DEFECTIVE AND WARRANTY COST -

H. SANDOH Department of Business Administration, Kobe Gakuin University, 518, Arise, Ikawadani-cho, Nishi, Kobe, 651-2180, J A P A N E-mail: [email protected]. ac.jp

T. KOIDE Department of Healthcare i 3 Social Services, University of Marketing tY Distribution Sciences, 3-1, Gakuen-nishi-machi, Nisha, Kobe, 651-2188, J A P A N E-mail: [email protected] In the final stage of manufacturing some specific products, there is a weighing process where we weigh each product using a scale. However, the scale occasionally becomes uncalibrated and therefore, the product may be shipped out with a label or a mark showing incorrect weight. Such an uncalibrated state of the scale can be detected by inspection carried out to the scale. Further, we should introduce warranty to the products whose labels or marks show incorrect weights. This study considers two types of inspection and warranty policy (inspection-warranty policy in short) and make a comparison between them through a Stackelberg game formulation to discuss an optimal policy, taking into account the consumers’ viewpoint. Numerical illustrations are also presented.

1. Introduction

In the final stage of manufacturing for some specific products such as chemical products, there is a process in which we weigh each product using a scale with a view to obtaining its exact weight, and then marking each product with its weight. This weighing process is observed in the situation, e.g., where drums are filled with some specific chemical product so that each drum contains approximately 250 kilograms of the product, and in the final stage, individual drums are weighed to obtain the actual weight of each drum of product. Such a weighing process is not necessarily regarded as important and its associated cost is reduced as much as possible since it does not affect the product quality itself. However, the scale occasionally becomes uncalibrated particularly when the objective product is very heavy or we are very busy in weighing many products 41 1

412

within a restricted time. Once the scale becomes uncalibrated, it will produce inaccurate weights for individual products, and hence there is a risk that the products will be shipped out with marks or labels indicating incorrect weights. In this study, when a product with a mark or a label revealing incorrect weight is shipped out, it is referred to as defective regardless of its quality. Under real circumstances, such inaccuracy or uncalibrated state of a scale is detected by periodical inspection. In the cases where the products are expensive or exact weight is a critical factor, the scale will be inspected and found t o be normal prior to each shipment. In other cases, however, each lot of products may be shipped out immediately after they are weighed without the scale being inspected. This is because of cost reduction for this weighing process. Even in such a case, the volume of defective products to be shipped out with inaccurate marks of weights can be restrained in various ways. Sandoh and Igakilg have proposed both a continuous and a discrete model for an inspection policy for a scale when inspection activities involve adjustment operations. Sandoh and Igaki” have also considered a case where inspection is executed only for detecting scale inaccuracy and the adjustment operations follow the inspection when the scale is found to be uncalibrated. Sandoh and Nakagawa” have dealt with a different situation where (1) the scale is inspected only twice a day, once in the morning and one more in the evening, (2) if the scale is detected to be uncalibrated in the evening, we weigh again a prespecified volume of the products in the order of tracing them back after the scale is adjusted, and (3) immediately after we finish reweighing products, we ship out all the products without waiting for the scale inspection next morning owing t o their due date. Under these conditions, Sandoh and Nakagawa” discussed optimal volume of products t o be reweighed. In this study, we consider two types of inspection-warranty policy t o make a comparison between them. The comparison is carried out through a Stackelberg game formulation to take into account both the consumer’s viewpoint and the manufacturer’s one. 2. Assumptions and Notations

We make the following assumptions: (1) We consider a monopoly. (2) The manufacturer weighs each product using a scale and ships out each product after he puts a label on each individual product to show its weight. (3) There are many products to be weighed and therefore we regard the volume of products t o be weighed as continuous. The unit of time is defined as the time required for weighing a unit of product. (4) We call the products which are weighed by an uncalibrated scale to be shipped out defective regardless of their quality. ( 5 ) The scale is inspected at iT(i = 1 , 2 , . . . ). (6) Inspection activities involve adjustment operation and hence the scale becomes

41 3

calibrated immediately after inspection. (7) Let co and c1 respectively express the cost per inspection activity and the cost for weighing a unit of product. (8) For i = 1,2,. . . , let us denote, by a random variable X i , the time for a scale to be uncalibrated on an interval ((2 - l)T,iT]. Let X l , X z , . . . be independent and identically distributed with distribution function F and density function f. In addition, we assume t,hat E [ X J = p 0) through the warranty service. The products shipped out under this policy are called Type 1 products. Type 1 product is sold at price PI (< R). [Policy 21 Products are not shipped out until we assure that the scale is calibrated by inspection. In case the scale is found t o be uncalibrated by an inspection activity, all the products waiting for being shipped out are weighed again until the scale is inspected to be normal. The products shipped out under this policy are called Type 2 products. The price of Type 2 product is denoted by Pz(P1 < P2 5 R). Under Policy 2, we never ship out defective products, and therefore we provide the consumer with no warranty on weight-quality. It should, however, be noted that we need secure some space for the weighed products t o wait for being shipped out. Let c3 and c4, respectively, express the cost for a unit of weighed product t o occupy the space per unit of time and the cost for each weighed product to waste a unit of time without being shipped out. It is very difficult to analytically compare Policy 1 with Policy 2 based on the cost for inspection-warranty policies from the manufacturer’s point of view. In the following, we introduce a Stackelberg game formulation t o make a comparison between the two policies taking the consumer’s and the manufacturer’s viewpoint.

3. Consumer’s Optimal Reaction 3.1. Fraction Defective of Type 1 Product The assumptions described above indicate that the process behavior generates a renewal reward p r o ~ e s s ~where ~,~~ , a renewal point corresponds to the time when the inspection activity has been completed. Hence, under Policy 1, the volume of

41 4

defective products t o be shipped out per unit of time is given by

and D ( T ) expresses the fraction defective of Type 1 products. It should be noted that D ( T ) increases with T from 0 t o 1.

3.2. Optimal Reaction of Consumer 3.2.1. Expected profit of consumer If the consumer purchases a Type 1 product, his expected profit becomes K ( P , W ) = ( R - P1)(1- P )

+ (W

-

Pl)P,

(2)

where p = D ( T ) in Eq. (1). When he chooses a Type 2 product, his expected profit is given by

nz(pz)= R - pz, while his expected profit becomes

IT0 =

(3)

0 when he purchases no product

3.2.2. Optimal reaction of consumer By comparing IIl(p, W ) with nz(P2) or no, we can obtain the optimal reaction by the consumer as follows: (1) In the case of PI < Pz < R, the consumer purchases either a Type 1 or a Type 2 product, and this case can further be classified as i. If (p, W ) E Rl\Ra, the consumer purchases a Type 1 product. ii. If ( p , W ) E Rz\R1, the consumer chooses a Type 2 product,. iii. If ( p , W ) E R1 n Rz,Type 1 product is indifferent t o that of Type 2 for the consumer, where

(2) In the case of Pz

=

R , purchasing a Type 2 product becomes indifferent t o

purchasing no product for the consumer, and we have the following classification: i. If ( p , W ) E R1\Ro, the consumer purchases a Type 1 product. ii. If (p, W ) E Ro\Rl, the consumer chooses a Type 1 product or purchases no product. iii. If ( p , W ) E R1 n 0 0 ,purchasing a Type 1 product becomes indifferent to choosing Type 2 product or purchasing no product,

41 5

4. Manufacturer's Optimal Strategy This section first formulates the expected cost per unit of time under each inspection-warranty policy from the manufacturer's viewpoint, and second, discusses an optimal strategy for the manufacturer, considering the consumer's optimal reaction we have observed above.

4.1. Expected Profit From the renewal reward t h e ~ r y the ~ ~expected ~ ~ ~ ,profit per unit of time under Policy 1 is expressed by

where the manufacturer can control fraction defective p through inspection time interval T and the warranty W via c2 of Type 1 product. On the other hand, the expected cost per unit of time under Policy 2 becomes C~

Qz(T,Pz) = P2

-

a

-

+ clT +

C

~

+T C~4 T 2 [ 1 + F ( T ) ]

TF(T)

,

(9)

where the manufacturer can control inspection time interval T as well as the price Pz of Type 2 product. 4.2. Optimal P o l i c y

4.2.1. Policy 1 In the case of ( p , W ) E 0 1 \ 0 2 for PI < Pz < R as well as ( p , W ) E 0 1 \ 0 0 for PZ = R, the consumer purchases Type 1 product. In theses cases, the manufacturer can increase his expected profit per unit of time by reducing cz(= a W ) since T a Q l ( T , c ~ ) / a c z= - f,, F ( z ) d z / T < 0. Consequently, he can maximize his expected profit with ( p * ,W " ) E 01 locating on the indifference curve given by the following two equations:

416 Let us define I I ( T ) ,Fa and

5?b

by

then we have the following theorem:

Theorem 4.1. (1) I t we have

H ( F a ) > 0 for PI < P 2 < R H ( T b ) > 0 f o r Pz = R

I

the optimal policy (TT,c;) m u z m i z z n g Q1(T,c z ) under Policy I becomes

{ TT;T

+ +

ya, cf Tb,

2,W *

S O , p* + 1 cf + +o, p* + +, p2-p --f

+ +O f o r PI < PZ< R W * + +O f o r P 2 = R

( 2 ) If we have

H ( T a ) 5 0 for Pi < P 2 < R , H(Tb) 5 0 for p2 = R it can be discussed f o r the following subcases: i. If p > olco/R, there exists a unique optimal solution (T:,cf), ie., ( p * ,W * ) o n the c u m e given by Eq. (11). ii. Otherwise, we have -+

03, cf + ( R

+ PI - P2)/ol, p*

+ 03, c; + Pl/Cy,

p*

+

1, W* + R 1, W" + Pl ---f

+ PI

-

PZ f o r PI < Pz < R for Pz = R

4.1.2. Policy 2

If ( p , W ) E Rz\R1 for PI < P2 product. In addition, we have

< R, the consumer naturally purchases Type 2

lim Q2(T,Pz) = lim Q2(T,Pz) = -m,

T-tO

T++CC

(15)

These observations reveal there exists T = Tg maximizing Qz(T,P z ) for a fixed P 2 under Policy 2. It should also be noted that T = T,* is independent of Pz. In the case of Pz = R and ( p , W ) E Ro\f21, the consumer purchases no product, and the expected profit of the manufacturer becomes zero.

41 7 4.2.3. Optimal Strategy of Manufacturer From the above analyses, the optimal strategy for the manufacturer becomes: (1) Pi < Pz < R. For a fixed Pz(< R ) , if we have Q I ( T ; , c ; ) 2 &2(T;,Pz), the manufacturer should make the consumer purchase Type 1 product by letting (T,c2) = (TT,cf) under Policy 1 and setting T arbitrarily under Policy 2. Otherwise, his optimal strategy becomes to make the consumer purchase Type 2 product by letting T = T2 under Policy 2 and setting (T,c2) arbitrarily on the condition that ( p ,W ) E 0 2 \ 0 1 under Policy 1. (2) P2 = R. In this case, purchasing a Type 2 product is indifferent to buying no product for the consumer. It follows that if we have &~(T;,c;) > 0, the manufacturer can maximize his expected profit by setting ( T ,cp) = (TT,c f ) under Policy 1 and setting T arbitrarily under Policy 2. 5 . Numerical Illustrations Let us assume that the distribution function F of X i ( i = 1 , 2 , . . . ) is given by

F ( z ) = 1 - e-X",

3:

> 0.

(16)

Table 1 shows the cases considered in this section, while Table 2 reveals the optimal policies under Policy 1 along with those under Policy 2. In Table 2, Cases 1-(a), (b) and (c) represent the situation where purchasing a Type 2 product is indifferent t o buying no product for the consumer, while Cases 2 and 3 have 0 2 explicitly. If QF > Qf in Cases 2 and 3, the optimal policy under Policy 1 is the optimal strategy for the manufacturer. When Q; < &;, the manufacturer should let ( p , W ) E 0 2 \ C 2 1 under Policy 1 and use the optimal policy under Policy 2 to maximize his expected profit. Table 1. Cases. Case

R

PI

1-(a)

100

90

1-(b) 1-(c) 2-(a) 2-(b) 2-iCj

100 100 100 100 100 100 100 100

94 98

Pz 100 100 100

90 94 98 90 94 98

99 99 99 99 99 99

%(a)

%(b) 3-(c)

a 50

50 50 SO 50 50 50 SO 50

cy

co

c1

c3

1.0

200 200 200 200 200 200 200 200 200

0.01

0.01 0.01 0.01 0.01 0.01 0.01

1 1 1 0.1 0.1 0.1 0.01

0.01 0.01

0.01 0.01

1.0 1.0 1.0 1.0 1.0 1.0 1.0 1.0

c4 1 1 1 0.1 0.1 0.1 0.05 0.05 0.05

X 0.001 0.001 0.001 0.001 0.001 0.001 0.001 0.001

0.001

418 Table 2.

Optimal Strategy

Policy 1

z-icj 3-(a) P(b) 3-(c)

I I

64.6 191.7 103.5 64.6

0.03 0.09 0.05 0.03

68.4 0.0 0.0 68.4

Policy 2

42.7 38.9 42.1 42.7

1 50.0 1

67.7 67.7 67.7

36.8 43.2 43.2 43.2

References 1. R. E. Barlow and F. Proschan, Mathematical Theory of Reliability, Wiley, New York, (1965). 2. R. E. Barlow and L. C. Hunter, Operations Research, 8 , 90 (1960). 3. G. H. Weiss, Management Science, 8 , 266 (1962). 4. S. Zacks and W. J. Fenske, Naval Research Logistics Quarterly, 20, 377 (1973). 5. J. B. Keller, Management Science, 21, 256 (1974). 6. H. Luss and Z. Kander, Operational Research Quarterly, 25, 299 (1974). 7. N. Wattanapanom and L. Shaw, Operations Research, 27, 303 (1979). 8. T. Nakagawaand K. Yasui, Journal ofthe Operational Research Society, 31, 851 (1980). 9. A. Gupta and H. Gupta, IEEE Transactions on Reliability, R-30, 161 (1981). 10. T. Nakagawa, Naval Research Logistics Quarterly, 31, 33 (1984). 11. N. Kaio and S. Osaki, IEEE Trans. on Reliability, R-33, 277 (1984). 12. N. Kaio and S. Osaki, Journal of Mathematical Analysis and Applications, 119, 3 (1986). 13. N. Kaio and S. Osaki, RAZRO/ Recherche Op&ationnelle, 22, 387 (1988). 14. N. Kaio and S. Osaki, Journal of the Operational Research Society, 40, 499 (1989). 15. D. J. D. Wijnmalen and J. A. M. Hontelez, European Journal of Operational Research, 62, 96 (1992). 16. C. G. Gassandras and Y. Han, European Journal of Operational Research, 63, 35 (1992). 17. N. Kaio, T. Dohi and S. Osaki, Microelectronics and Reliability, 34, 599 (1994). 18. H. Sandoh and N. Igaki, Journal of Quality i n Maintenance Engineering, 7, 220 (2001). 19. H. Sandoh and N. Igaki, Computers and Mathematics with Applications, 46, 1119 (2003). 20. H. Sandoh and T. Nakagawa, Journal of the Operational Research Society, 54, 318 (2003). 21. D. Fundenburg and J. Tirole, Game Theory, The MIT Press, Massachusetts, (1991). 22. R. Gibbons, Game Theory for Applied Economics, Princeton Univ. Press, New Jersey, (1992). 23. M. J. Osborne and A. Rubinstein, A Course in Game Theory, The MIT Press, Massachusetts, (1994). 24. S. M. Ross, Applied Probability Models with Optimization Applications, Holden-Day, San Francisco, (1970). 25. S . M. Ross, Introduction to Probability Models: 5th edition, Academic Press, New York, (1993).

AN AUTOMATIC DEFECT DETECTION FOR C++ PROGRAMS

s. SARALA Research Scholar

S.VALLI Assistant Professor,

Department of Computer Science and Engineering, College of Engineering, Guindy. Anna University, Chennai-25, India. Email: va1lilii)lannauniv.edu Abstract

In this work a tool is developed to generate test cases automatically for C++ Programs.This approach analyses the prototypes and is focused to detect defects in the program. A defect results due to omission or commission made when developing the software. This work checks the correctness of the program when operator[] is overloaded. in the context of inheritance when virtual function is used, it has been observed that expected results are not achieved under certain circumstances. A test case has been developed to handle this situation. Test case has been prepared to ascertain the working of template hnctions in the context of character input. A test case has been developed to tackle dangling reference problem, In the context of exception handling, test cases have been developed to ascertain the working of the program.

1. Introduction

1.1 Testing Object-Oriented Sofhvare

Software testing is an important software quality assurance activity. The objective of software testing is to uncover as many errors as possible with a minimum cost. A successful test should show that a program contains bugs rather than showing that the program works. Defects of omission are those deviations from the specifications that lead to some intended hnction not being implemented. For example, the inability of a software product to display the result of a calculation or query due to the omission of a print function is a defect due to omission. Defects of commission are those deviations from the specification that although functionally implemented, fail to operate properly. They provide incorrect or unexpected results despite the provision of valid inputs; for instance, the print function printing the address of x rather than its value [4]. These defects are 41 9

420 termed as F-type defects. Removing F-type defects logically improve the functionality of the software [4]. 1.2 Developed Test Cases

This tool detects defects caused by omission or commission. When operator[] is overloaded, the C++ compiler does not check for subscript bounds, which results in defects. The tool detects such flaws and reports to the user. When virtual function is overridden and they differ in signature the C++ compiler ignores this situation. The tool fixes this bug. In the context of template function call if the actual parameter is of type character and the value passed exceeds the length of one, the C++ compiler is not intelligent enough to trap this mistake. When the derived class object is assigned to base class object and a member function is accessed, the result is not as expected under certain circumstances. The tool captures this defect caused by omission and reports the same. Dangling reference leads to execution error. The tool handles this defect. Test cases have been developed for defects encountered with exception handling. 1.3 An Overview

Section 2 discusses the existing work. Section 3 brings out the test cases generated. Section 4 describes the developed algorithm to automatically generate test case for C++ programs. Section 5 reports the working of the algorithm and the results achieved. Section 6 concludes the work. 2. Existing Work Several literatures exist [ l ] [7] 181 [15] [18] [20] in the area of Object-Oriented Programs. E. Sabbatini et.al [14] have concentrated on automatic testing of database confirmation commands. B.Korel et.al [ 121 [ 131 have worked on automatically generating test cases using data dependence analysis. Marcio E.Delamaro et.al, [8] present interface mutation, which is used for integration testing. Jean Hartmann et.al [ 1 I] developed a tool for interfacing to components based on COM/DCOM and CORBA Middleware. They derive the test cases from state charts. Y.G.Kim et.al [15] have proposed a set of coverage criteria based on control and data flow in UML state diagrams and they show how to generate test cases from them. Usha Santhanam [9] has applied the tool, Test Set Editor (TSE) for testing Ada programs. G.Antonio1 eta1 [7] seed a significant number of faults in an implementation of a specific container class,Ordset. They seeded faults that cannot be detected by the compiler and that can possibly be found by running test cases, which is similar to our work. Tse et.al [18] focus on classes with mutable objects, which is based on finite state machines. They analyse the class specifications. Amie L.Souter eta1 [101 have tackled structural testing of Object Oriented software systems with possible unknown clients and unknown information. Bor-Yuan Tsai et.al [ 191 [20] combine functional and structural testing techniques. The approach 1201 uses state charts and state transition trees to generate test

42 1

files and inspection trees (IT) automatically. R.K.Doong eta1 [ 171 describe a set of tools such as test case generation, test driver generation, test execution and test checking for performing testing on Object-Oriented programs. They have exploited testing of parameters and combinations of operations. The authors [ 191 combine functional with structural testing techniques of intra class testing. Using data flow technique the authors detect whether the data member or parameter in public methods have been defined prior to being used.

3. Implementation Figure 1 depicts the test cases developed for C++ programs. The number of arguments is counted for virtual functions. Test cases have been developed for the following Object Oriented Programming concepts, namely, Function templates, Inheritance, Operator Overloading, Exception handling and Dangling reference. The tool is developed such that,

size S is determined

4. Algorithm

1 .[Generation of test case for operator[ ] 3 /* The lines containing operator[] are extracted using grep and the array size is

determined as size*/ if (subscript < 0 11 subscript > size) display (subscript out of range)

422

2.[Virtual function header is extracted by grepping virtual( ) as pattern] /* The function name and the parameter types are determined */ All the corresponding hnction prototypes are validated for their signatures. The mismatch is displayed as ‘parameter mismatch ’. 3.[The actual parameters of template function are validated] /* The presence of template function is found using grep with the pattern as ‘template’ */ All template function calls are extracted. until (currentchar[i]! =’(‘ ) i ++; i ++; until (currentchar[i]! =’)’ ) { if(currentchar[i]==’”&& currentchar[i+2]!=’ ’ ’ ) {display wrong character input in template function call break; } else {if(currentchar[i] = = ‘a’ thru ‘z’) {repeat until(currentchar[i] != ” (1 ‘)’ (1 ‘ ,‘) {tempti] = currentchar[i]; j++; i++;} If type of temp is char the value is validated 1 1 i++;) 4. [Check for object assignment in the context of inheritance] The base and derived class is determined using ‘:’ as pattern for the grep command. The base and derived class objects are determined using the corresponding class name and ; as pattern for the grep command. The base and derived object are determined as b and d respectively.

b=d is grepped. if it is present display (statement has no effect due to omission) S.[Test case to report dangling reference problem] grep class obj = obj1 if it is found delete obj1 is used as pattern for grep. If a match occurs display (dangling reference problem) 6.[Test case in the context of exception handling] Throw statements are located using grep with pattern as throw until (currentchar[i]!= ‘w’) i++; until(currentchar[i] == ‘ ’) i++; { /* catch(. ..) presence is checked if present break; } iflcurrentchar[i] == ‘ “ ’) catch (char *) presence is checked if not present display(string exception not handled); if(currentchar[i] = =’ ‘ ’) catch char presence is checked { if not present display (char exception not hand1ed); } until(currentchar[i] != ‘.’) i++; if(currentchar[i]== ‘.’) { catch float presence is checked if not present display(float exception not handled);} if(currentchar[i] is int ) { catch int presence is checked if not present display(int exception not handled) } default: display(‘n0 exception handler’)

423

5. Working of the Algorithm 5.1 Detection of Subscript out of bounds When [ ] is overloaded in the context of array operations, the C++ compiler does not validate the subscript for out of bounds in an assignment operation. This may lead to execution error. In other circumstances junk value is returned. A test case has been developed that takes care of this situation as given by step 1 of the algorithm. The code in Table 1 depicts a situation where an array subscript is out of bounds. There are three elements in the array. When the code displays the fourth element using overloaded operator [ 1, only junk is displayed. Whereas if assignment is tried using an out of bound script, it results in execution error. So, these two instances are tackled by the test case meant for validating array subscript. The developed test case locates the presence of overloaded operator [ 1, by executing grep with the pattern as ‘operator [ ] ( )’. Once it identifies that[ ] is overloaded, the test case identifies the maximum size of the array by grepping with pattern ‘data type [ 1’. The maximum size is determined as ‘size’. The test case then extracts all occurrences of the call to overloaded operator[ 3. The subscript is checked with ‘size’ to see if it is within the bounds. If it exceeds the bound or negative the test case displays ‘subscript out of bound’. When the code in Table 1 was tested, the test case identified that ‘cout vfunc(); //base Table 2. Overridden virtual Table 1 . Array Subscript out return O;} function differing in parameter of Bounds class atype class base{ Table 3. An Abnormal {int a[31; public: Exception Thrown public: virtual void vfknc() class sample{ public: atype(int i,int j,int k) {cout calculate the new z, by new F c ( z ) ,and return to Step 2.

43 1 I

The pa.rameters of exponential distribution function, H0,l(x),are determined by the gradient of the target distribution in the interval [O,dl]. The value of R: used to determine the para.mcters is called da.tum points.

[Procedure 31 (1) Determine the parameters, Ab,l and P;,~, of the exponential distribution HA,l(r)to approximate the interval [0, dl] by the least squares method. (2) Determine the value s,,~ where H~,l(r,,o) = E . If T,,O < T , then set both datum points for r = 0 and d l , and go to Procedure 4-a since the length of the tail in the exponential distribution in the interval [O,dl] is short. Otherwise set the datum points for r = 0 and a point on the tail, and go to Procedure 4-b since the length of the tail is long. I

[Procedure 4-a] (1) Determine the parameters of the Erlang distribution h‘,(dl) which is adjacent to the exponential distribution for the monotonous part.

A: = (Nl - l ) / t l ,

Set the value of f’(d1) by f’(d1) = f(d1) - h$(dl).

(11)

(2) Calculate the parameters of the exponential distribution from the datum points, f(0) and f’(dl), where X0,l

= 1n(f(O)/f’(d1))/d1,

P0,l = f(O)/XO,l.

(12)

(3) Replace the target distribution by

F “ ( s )+ F C ( r )- H,C,,(x).

(13) I

In Step 1 for the above procedure, the value of f’(d1) is set by Eq.(ll) to prevent the degradation of accuracy due to the effect of hl(x) .

[Procedure 4-b] (1) Calculate the parameters. A o , ~and PO,^, using dataum points at x = 0 and Zk(E c o = [ZMr 4). AO,k = ln(f(O)/f(R:k))/Zk,

PO,k = f ( O ) / A l , k .

(14)

432 ( 2 ) Calculate the parameters of the estimated distribution H ; ( r ) for the a p proximated distribution Hl(x) for the unimodal part. The part is adjacent to the exponential distribution approximating monotonous part.

( 3 ) Determine the parameters, X O , ~and p o , ~provided that both X O , ~and p0.k satisfy the ininimiiin REk(0, d l ) . (4) Replace the target dsitribution, i.e. F " ( x ) + F " ( x ) - HF(x).

(17)

3.3.3. Approximataon of the unimodal parts After approximating the monotonous part, the unimodal parts are approximated by using the Erlang distributions, H1 ( x ).~. . , H b f ( x ) in Procedure 5 . Figure 2 shows an example of approximation for unimodal part f (x)- ho(:c). The approximations are made from the tail of the distribution and continue while average error is larger than the target error or the number of nodes is less than the specified maxinium number of nodes, N,.

[Procedure 51 (1) Set 711 = $1. (2) Set n, = 2. ( 3 ) Calculate the parameters Xm,k and p,,k C , = [dml d m + l ] ) , where

by using the candidate value Z ~ ( E

(4) Determine the parameters A, and p, by Am,k and P,,k which satisfy the minimum REk(d,, T K ) in the interval ( d m , ~ ~ - 1 1 . ( 5 ) If mink(REk(d,,rK)) 5 Em or n, 2 N , then go to Step 6, otherwise, increase the number of nodes 71, and return to Step 3. (6) If m = 1 then complete the approximation procedure, otherwise replace the target distribution, decrement m , and return to Step 2. I

433 3.4. Parameters of the Coxian distribution function We determine the parameters Al =

Al

Plyt

in Eq.(l) via [2]. L

-

C t = l + l Al(Pt,l - P%-l,l) 101,l

(20)

In the above equation, &l is the coefficient of l/(s + A L ) when ~ ~ the product n:=, A,/(s in each term is the model A,) in Eq.(l) is expanded. Prameter parameter, and nl is the number of nodes having parameters being equal to A(.

+

4. Examples Figures 3 and 4 show the probability distributions of the task arrival processes in NLANR (National Laboratory for Applied Network Research)[9]. Example 1 corresponds to the task arrival procecess for ftp in OSU-2000, and Example 2 the task arrival procecess for telnet in APN-1999. Figure 5 shows the phase structure of approximated distribution for Example 1, and Figure 7 shows the Coxian distribution function for it. First, we determine the parameters p o , ~= 0.029, A o , ~= 0.002 of Ho,z(z) which approximates the tail which of the distribution by Procedure 2, and p0,l = 0.207, A0 1 = 0.083 of Ho,J(T) approximates [0, dl] by Procedure 4-a. Finally, we obtain pz = 0.319, A2 = 0.035 of H ~ ( Twhich ) approximates the iinimodal part with t 2 = 138, and we obtain pl = 0.445, A1 = 0.138 of Hl(r) which approximates the unimodal part with tl = 27 by Procedure 5. The relative error of the unimodal part in the tail was quite small. however the error increases as the numbert of nodes decreases. In the examples the number of nodes for approximation is limited to less than 20. Figure 6 shows the phase structure of approximated distribution for Exmple 2, and Figure 8 shows the Coxian distribution function for it. We determine thf parameters p o , ~= 0.028, A o , ~= 0.002 of Ho,z(z) by Procedure 2, the parameters p 0 , l = 0.769, A o , ~= 0.007 of H o , ~ ( by T ) Procedure 4-b, and the parameters pl = 0.203, A1 = 0.054 of Hi (z) by Procedure 5. The relative error of Example 2 is quile small. 5. Conclusion In this paper, we have shown an approximation procedure for the probability distributions having non-monotonous property by extending the existing method in [2]. We have also shown the usefulness of this approximation method through examples. We are going to improve the approximation accuracy. and to apply proposed approximation method to actual systems performance evaluation. Also, we will evaluate multimedia systems using the same mothod.

References 1. Y. Sasaki, H. Imai, M. Tsunoyama and I. Ishii, “Approximation method for probability distribution functions using Cox distribution to evaluate multimedia systems”,

434

2.

3.

1.

5. 6.

7. 8.

9.

Proc.2001 Pacific Rim International Symp. on Dependable Computing, pp. 333-340, 2001. Y. Sasaki, H. Imai, M. Tsunoyama and I. Ishii, “Approximation of probability distribution functions by Coxia distribution t o evaluate multimedia systems“, Trans. of IEICE(D-I), Vol..J85-D-I, No.9, pp. 887-895, 2002. W. T. Marshall and S. P. Morgan, “Statstics of mixed data traffic on a local area network, Computer Networks ISDN Systems, No.10, pp. 185-195,1985. .J. Beran, R. Sherman, M. S. Taqqu and W. Willinger, “Long-range dependence in variable-hit-rate video traffic”, IEEE Transactions on Communications, Vo1.43, No.24, pp. 15661579, 1995. S. Asumussen, 0. Nerman and M. Olsson, “Fitting phase-type distributions via the EM algorithm”, Scandinavian J. Statist., V01.23, pp. 419-441, 1996. M. C. Heijden, “On the three moment approximation of a general distribution by a Coxian distribution”, Probability in the Engineering and Information Science, V01.2, pp. 257-261, 1988. E.Gelenbe and I. Mitrani, “Analysis and Synthesis of Computer Systems”, Academic Press, 1988. A. Feldmann and W. Whitt, “Fitting mixtures of exponentials to long-tail distributions to analyze network performaqnce models“, Performance Evaluation, Vo1.31, pp. 245279, 1998. S. Aata, M. Murata and H. Hiyama, “Analysis of network traffic for the design of hight-speed layer 3 switches”, Technical Report of IEICE, Q98-35, pp. 29-36, 1998.

target dist.

-

approximation dist. .....

approximationdist.

......

0.01 0.002

200

0 ‘

400

600

00

800

Figure 3. Approximate probability distribu- Figure 4. tion for Ex.1. for Ex.2.

Approximat probability distribution

0.

0. 0. 0

Figure 5. Phase structurc of Approximated Figure 6 . Phase structure of Approximated distribution in Ex.2. distribution in Ex.1. 0 125 0057 0.024 0010 0564 0.014 0049 0 167 0.382 0.624 0.692 1 O W

Figure 7.

Coxian distribution for Ex.1.

0 105 0.102 0.098 0094 0.090 0.0%

Figure 8.

0.081 0.077 0.509 0.941 1.000

Coxian distribution for Ex.2.

TUMOR TREATMENT EFFICACY BY FRACTIONATED IRRADIATION WITH GENETIC RADIOTHERAPY *

T . SATOW AND H. KAWAI Tottori University 4-101 Koyama-Minami, Tottori 680-8552, JAPAN E-mail:[email protected],kawaiQsse.tottori-.u.ac.jp

Genetics and radiologic therapies were recently combined to improve the score of cancer treatment. From the standpoint of evaluating an influence of radiotherapy, some useful objective indicators were proposed. TCP, NTCP and EUD are considered as typical instances. Using these reliable indicators, we propose two objective functions to evaluate tumor treatment efficacy by fractionated irradiation with genetic radiotherapy. The transforming probability from a susceptible cell to a impervious cell and the transduced fraction at which the number of viral vector injections is assumed to be a variable are used for the formulation. Some numerical illustrations are given to understand the influence of these parameters.

1. Introduction 1.1. Basic Indices Result of remarkable technical improvement, radiation therapy is a necessity and an indispensable tool to cancer treatment. With rapid hardware improvement, the development of software which plan for treatment scheduling etc is also important for the achievement of efficient treatment. To achieve the effective software development, the establishment of evaluation techniques with not only empirical administration but also a theoretical criterion is required. Hit and Target model' is widely known as a technique to derive the survival probability of the cell from the number of lesions by radioactivity. As a concept of hit and target model, the place(target) where the cell is necessary and indispensable to live exists. It is an idea that the cell death happens when a radiation particle hits the target. Cells in microorganism and mammalian organs, the survival probability of calculating with the target theory might be suited well. However, it is not proof of the validity of present target models. Linear-quadratic (LQ) model' pays close attention to the dual helical structure of the DNA strand. The cell survival is a model considered by assuming that it is necessary to pay attention to not an easy single strand break of the reparation but a difficult double strand break of the reparation. 'This work is supported by Grant-in-Aid for Young Scientists (B) 15710115

435

436

From biological viewpoints, tumor control probability(TCP) and normal tissue complication probability (NTCP) are well-known and useful objective indicators. T C P is defined as the probability of local control that given the planned dose distribution. Tom6 and Fowler4 use T C P to indicate the effectiveness of modest boost dose to an arbitrary subvolume of the tumor. Waaijer et aZ3 investigated the influence of waiting time for radiotherapy to the consequences of volume increase. They also used T C P to evaluate consequences for outcome. However, the irradiation to the tumor influences normal cells which are adjacent region to the tumor. NTCP is proposed as one probability which measures the influence of irradiation on the normal cell. For instance, NTCP is used to describe the dose-volume tolerance for radiation induced liver diseases5. Some kinds of NTCP models were proposed for suitable estimation. Comparison among these NTCP models was studied for predicting the incidence of radiation pneumonitis6. From the instances above, T C P and NTCP are being used as effective indicators. As a physical viewpoint, dose-volume histogram(DVH) is used as the limitation of constraint. Since DVH can indicate the dose-volume relation at normal tissue surrounding tumor, it is generally used a s an index which judges the quality of a treatment scheme7. Recently, the concept of equivalent uniform dose(EUD) was introduced by Niemierko'?'. EUD for tumors is defined as the biologically equivalent dose that, if given uniformaly, will lead to the same cell kill in the tumor volume as the actual nonuniform dose distributions. The advantage of EUD is that it can reduce the number of parameters which compose an objective function for the radiation therapy. Further, it allows exploration of a large solution space for the radiation therapy". As for these indices, the following relation is known. By DVH reduction techniques, DVH of a complicated 3D distribution can be replaced by DVH of a uniform dose distribution, where the whole organ is irradiated with EUD". Further, it is possible to convert it into NTCP by using the monotonous increase function such as a sigmoid function. These indices are used for the optimization problem of the radiation therapy scheduling. Mathematical optimization methods keep still being researched by the operation research community12.

1.2. Therapies

As for the treatment method by radioactivity, a lot of techniques are proposed. The method of using the medicine such as hypoxic cell sensitizer was a typical means in clinical15. The fractionated irradiation is generally known as a therapeutic procedure to be effective in the medical p r a ~ t i c e ' ~ The , ~ ~ fractionated . irradiation is a technique for using the difference of the radiosensitivity of the normal and tumor tissues by time-dose fractionation. By the way, genetic radiotherapy was begun to be researched as a method for technically improving the efficiency of the radiation therapy. A basic concept of genetic radiotherapy is to improve the radiotherapeutic effect by controlling the radiosensitivity of the cell by gene therapy. Wheldon et aZI3 discussed modeling the enhancement of fractionated radiotherapy by gene transfer

to sensitize tumor cells to radiation. Keall et all4 investigated the influence of gene therapy by TCP. In addition, the techniques such as brachytherapy(BT) and intensity-modulated radiotherapy(1MRT) are known to be effective.

1.3. The A i m of This Work The research of a criterion modeling on a treatment scheme of genetic radiotherapy is a little. It is a current state that there is no patient outcome data concerning genetic radiotherapy though pointed out by Keall et all4. However, the discovery of the tumor suppressor gene keeps being reported, and the development of genetic radiotherapy in the future is expected strongly now. There are chiefly two purposes in this work. One proposes two objective functions to evaluate the genetic radiotherapy by using the indices where effectiveness is recognized in the radiation therapy. An important point in the evaluation of genetic radiotherapy is to estimate the a transduced fraction of the tissue by virus injections. The transforming probability from a susceptible cell t o a impervious cell and the transduced fraction at which the number of viral vector injections is assumed to be a variable are used for the formulation of objective functions. The second is to examine the influence that the treatment scheme gives the objective function. Some numerical examples are given to understand the influence of treatment parameters.

2. Notations and Model Description Total dose of scheduled treatment is D (20). The total dose D is irradiated by n fractionated delivery, i.e. D = Dl+Dz+. . .+D,. The notation Dj ( j = 1 , 2 , . . . , n ) indicates the dose of j - t h irradiation. Now, we define the following set of a sequence of irradiation doses.

N

is an integer value set. For the purpose of improving the radiosensitivity, genetic therapy is executed before irradiation. The following explanation of genetic radiois injected in multiple positions with therapy quotes from the p a p e r ~ l ~ , A ’ ~tumor . a viral vector. The therapeutic gene carried by the virus is released into the infected cell. The radiosensitivity of the cells including transfected gene is increased. As a result of the transfection, tumor cells are classified in three populations. The first population is transfected cell which is controlled the radiosensitivity. The second is susceptible cell which is available for transfection. The third population is impervious cell which are not ava.ilable for transfection. A part of susceptible cells transforms into the transfected cells by repeating the viral vector injecting. Now, we define a transduced fraction of cells. The transduced fraction is defined as the ratio of the number of transfected cells to the number of tumor cells. Obviously, the transduced fraction depends on the number of viral vector injections. A function ~ ( j () j ,= 0 , 1 , 2 , . . . ) is the transduced fraction of cells after j - t h viral vector

438 injection. It assumes that ~ ( 0 = ) 0, t,he number of cells in the target tumor is m. The probability of transforming to the transdeuced cell from the susceptible cell is p(constant). An initial fraction of impervious cell is a. The number of transfected, susceptible and impervious cells after j viral vector injections are defined as N t ( j ) ,N , ( j ) and N i ( j ) ,respectively. These numbers are

N ( j ) = 11 - (1 -P)jINs(O),

(2)

Ns(j)= (1 - P ) j N S ( O ) , N(j) = a m ,

(3)

+

(4)

+

where N,(O) = rn - am. Clearly, " j ( > 0), N t ( j ) N s ( j ) N i ( j ) = rn. Therefore, the transduced fraction of cells after j - t h viral vector injection is

2.1. TCP for Genetic Radiotherapy

TCP for the genetic radiotherapy is derived under interpatient heterogeneity and nonuniform dose delivery. It assumes that the viral vector injection is carried out


0) and the upper bound of NTCP is y ( 2 0). When ( n ,D) satisfies A(z, y), the difference between 7 C P ( n ,ID) and N I C P ( n ,ID) should be maximized. Unlike the multiplication model, a focus of the model is whether schemes t o satisfy the criteria exist or not. 4. Numerical Illustrations

The parameters used through the numerical experiment are set as follows. It is assumed that the tumor which is the treatment object is homogeneous, and the influence of each part of the tumor by each irradiation is equivalent from stochastic viewpoints. For the simplification, 721, = 1. The total volume of tumor utot is 100 cm3. The colonogen density p is 1/2.43 x 10W7. The LQ parameter for single strand break cr is 0.305. cy/p is 10Gy(early tissue). The enhancement factor e is 1.3. The initial fraction of impervious cells a is 0.01. The rate of the viral vector injection to the radiotherapy is 1. It means that the viral vector injection is executed at each irradiation. TD50 is 50Gy. The power-low exponent w is 0.88. The slope parameter s is 0.12. The dose when each irradiating it is assumed to be a dose in which the total dose is simply divided equally by the number of fractions. Figures 1 and 2 give TCP as a function of dose and the number of fractions(abbreviati0n:NF) for tmnsforming probability(p) 0.2 and 0.8. TCP is increasing with the transforming probability p . It is shown to be able to control the tumor as a result of genetic radiotherapy with the low-dose radiation. It corresponds to the clinical study result that NTCP is increasing with dose per fraction.


~), . That is, 7, represents the probability that the first j outcomes are all of type I. This study assumes throughout, that the domain of PI is {O,I,2, ... } and that 1 =Po2 PI > F 22 ... [I]. The reliability 7, does not increase with the number of PM itemsj. This study uses the abbreviation { p , } to represent a sequence of with ) ) , domain { l,2,3,...}. probabilities. Let p , = p ( M = j ) = p , , - p,=F,., ( I - ( ~ , / F ~ - ~ Hence, when the j-th PM occurs, then that PM is either type I with probability - 4 , = p l / p l - l or type I1 with probability 8, = 1 - 4 , . Let f ( t ) , F ( t ) ,F ( t ) and r ( t ) denote the pdf, Cdf, SF and hazard rate of time to failure of a unit. Additionally, H ( T )= [C,(P,-, - P , ) ~ f ( j t ) ] /,(P,-] C -F,),F(jt)] ; [weighted sum of pdf f(jt)]/[weighted sum of Sf F(jt)]. 2.1. Model I

Consider the case in which the following assumptions are made; PM occurs at j . T , j = 1,2,... , at cost R, . 1. 2. If failure occurs in ( ( j - 1). T , j . T ) , j=1,2, ..., then an operating unit is repaired; otherwise it is maintained preventively at time j . T , at cost R , . Following the repair, the unit is as good as new. All failures are instantly detected. Additionally, the repaired and PM times are 3. negligible. Let y, , y 2 , .. . be independent copies of Y . For the present policy,

Where u, represents the operating time during the renewal interval r, between the 0-1)th PM and thej-th PM. Additionally, let R;, be the total cost incurred over the renewal interval r, between the (j-l)-th PM and the j-th PM. The s-expected cost rate is, J , ( T ;{i, })

=

c,m:,1 c,E[U, 1

46 1

Differentiating J , ( T ;{F,

with respect to T yields,

thernecessaryconditionfor r to be optiomalis d mustbe the solution of

Theorem 1. If H ( ~ ) > L, &-(R,//.o)>O and (&-4/qd)f@) is monotonously increasing in T , then a finite and unique optimal solution T' >O exists that minimizes the total expected cost per unit time J , ( T ; ~ ,.

h

Proof. If H ( w ) > L , 4 -(I?, /dco))>Oand (4-R, /dT))H(T)is strictly increasing in T , then the left-hand sides of Eqs. (7) and (8) are continuous and strictly increasing in T ; they change si n exactly once from negative to positive as T increases from 0 to 0 0 , as does d J , ( T ; k j ) / d T .The result follows. 0 ) (R, -R, I ~ ( T * ) ) H ( T * ) . From Eq. (8), the s-expected cost rate is, J , ( T ' ; ~ , =

(9)

462

2.2. Model 2 Let J2(T;F,])represent the total cost per unit time between two PMs when the planned PM is performed at time ;. T . The following assumptions are then made; 1. As in model 1. 2. If failure occurs in ( ( ~ - I ) . T , ~ . ~~ )=,i , 2..., , then minimal repair is performed, at cost R, . A minimal repair merely restores the system to a functioning state after it has failed. That is, minimal repairs do not change the hazard rate r ( t ) I 3. As in Model 1. 4. -y(Pl-l-2P, +P,+,)>O. T h e s-expected cost rate is,

find the cptional times r, which minimize with respectto r.

Theorem 2. If r(t) is continuous and strictly increasing in T and [!&(t)> R, ,(TI-,- 2 p , + p 1 + , ) 1then , a finite and unique optimal solution f > O exists that minimizes the total expected cost per unit time

/[R,C

J,(cFJ 1).

C

Proof. If Irntdr(t)> R, / [ R , (Pl-]- 2 P , + P,,, 11 and is strictly increasing in then the left-hand sides of Eqs. (12) and (13) are continuous and strictly increasing in they change si n exactly once from negative to positive as T increases from 0 to 00, does d 1 2 ( T ; ~ ~ ) l The d T . result follows. -

From Eq.(12), J 2 ( T * ; e l }=) R , C

l(P,-~- 2 P ,

-

+P,+i)jr(jT*).

T, T;

as 0 (14)

2.3. Model 3

Let J,(r;e,}) represent the total cost per unit time between two PMs when the planned PM is performed at time T . The following assumptions then are made;

463 As for models 1 and 2. If failure occurs in ((, - I ) . T,, .T ) , = 1,2 ..., then the failure remains until the next perfect PM. Let R, be cost-rate of time lapse between failure and its detection. 3. As in models 1 and 2. 4. As for model 2. The s-expected cost rate is 1.

,

2.

- -

JmeI}) = [R, + R,CP,-I(I - P , /P/-,)(j~~~~(~T-t)~(f)dt + TF((/ I). T ) ] / T -

= [ R,

+ R,C,(P,-,

-2P,

-

(15)

+ P,+1)1:F(t)dt]/T.

Let = r F ( t ) d t . Find the optimum time T’ which minimizes differentiafle J,(T;@,}) with respect to T .

PI)!J J d T

d/,( T ;

=[R,C

-

, ( p , 1-27,+P,+i),F(,T)]/T-[R, + R , x ( 7 , - 1 - 2 P ,

.J3(cF,}) , and

-

+P,+~)j;F’(t)dt]/T’.

(16)

Then, set ~ J , ( T ; @) ,) / d T= 0, implying that T’ satisfies

Theorem 3. If > R, / [ R , , - 2P , + )I , then a finite and unique optimal solution T*>O exists that minimizes the total expected cost per unit time J , ( T ; ~)), .

C

C

,+,

-

-

Proof. If p > R, /[R, ,(P,-, - 2 p , + p,,, )I, then the left-hand sides of Eqs. ( I 7) and (1 8) are continuous and strictly increasing in T ; they change sign exactly once from negative to positive as T increases from 0 to a,as does dJ3(T;@,/)/dT.The result follows. 0 From Eq. (17h J , ( T * ; ~ , } ) = R , ~ , ( ~-,2. PI , +F,+,)jF’(jT*). 3

(19)

Special Case

The learning curve concerns a repetitive job or task and represents the relationship between experience and productivity. This investigation applies the learning curve model to the PM model. Following the discussion of cases 3.2 and 3.3, a learning curve is developed, and the following assumptions are made; P,-, > P , , j = 1,2 ,... . Let r be learning rate. I. 2. If each doubling of the number of PM reduces the probability of imperfect PM by ( ~ - r ) , t h e nP , = P l j b ,j=1,2 ,....

464

3.

4. 3.1.

If each PM can reduce the probability of imperfect PM by ( I - r ) , then j = 1,2,.... b =~ ~ o g ~ ~ l ~ [ ~ o g @ l ~ PO

= I ; P , = 0, j = IJ,

p , =Fir/-',

...

This case involves an operating system that must be as good as new following PM at j . T(j = 1,2, ...) .

J,~T;{1,0,0,...,0}~ = ( R , F ( T ) +R , F ( T ) ) / IOTF(t)dt

(20)

and ~,(~‘;{1,0,0,...,0})=(R, - R, I v ( T ’ ) ) H ( T * )= ( R , - R , ) r ( T * ) . The case in Barlow and Pros Chan (1965)[9,p87]. J~(T;{I,o,o ,...,oh = (R, + R, JoTr(t)dt)/T

and J , (T*;{1,0,0,...,0)) = R,r( T’ ) . The case in Barlow and Proschan (1965)[9,p97]. ~,(~;{l,o,~,...,o}) = (R, + R4 l y F ( r ) d f ) / T

and 3.2.

J , (T’ ;{l,O,O ,..., O}) = R,F(T* ) .

PO=I;P,

-

= r I , j=1,2

(25)

,..., O < r < I ,

r=l-r.

Here, a random number M, of instances of PM until a type I1 PM is performed, has a geometric distribution. This case is considered by Nakagawa (1979) [7]. J , ( T ; { r ’ } )= [R,C

-;c, ~ J - ~ F ( ~ T[C) I,r/-l I / Ji:,TF(t)dt~

, ~ I - ~ F +( ~R JTI )

(26)

In this case, learning curves provide their greatest advantage in performing the early PM in response to new causes of failure. As the number of times PM has been performed

465 becomes large, the learning effect is less noticeable. The following figure provide an example for Fl=O.9 and 80% learning rate. Figure 1 reveals that the probability ?, decreases rapidly during the early PM.

Fig 1 Learning curve - _

J , ( T ;{, Pl,PI

.2b

-

)...})

j=2

-

j=2

3.4-Fo = 1 ; P j = q J a , j =1,2,... 7 0 5 q < 1,a > 0 . Here, a random number M, of instances of PM until a type I1 PM is performed, is a discrete Weibull distribution that is IFR for a 2 1 and DFR for 0 < a I 1.

466

and J I ( T * ; b l u ) =( R , - R , I v ( T * ) ) H ( T * ) .

4

(39)

Concluding Remarks

This study presented a general PM model that incorporates two types of outcomes following PM. Three models for obtaining the optimum times T’ have been investigated. The nature of a PM process and policy leads to the hypothesis that the probability that PM is perfect depends on the number of times imperfect maintenance has been performed since the previous renewal cycle. The results of an investigation of the conditions for optimal policy show that such a policy is more general and more flexible than policies already reported in the literature. Special cases were examined in detail. At a given learning rate, an analyst can use the learning curves to project PM costs. This information can be used to estimate training requirements and develop PM plans. References

1. Shey-Huei Sheu, “Extended optimal replacement model for deteriorating system, ”European Journal of Operational Research ~01.112,pp. 503-516, 1999. 2. Jae-Hak Lim, and Dong Ho Park, “Evaluation of Average Maintenance Cost for Imperfect-Repair Model, ”IEEE Trans, Reliability, vol. 48, no. 2, pp. 199-204, 1999. 3. Toshio Nakagawa, “Sequential Imperfect Preventive Maintenance Policies, ”IEEE Trans. Reliability, vol. 37, no. 3, pp. 295-298,Aug. 1988. 4. Toshio Nakagawa, and Kazumi Yasui, “Periodic-Replacement Models with Threshold Levels, ’’ IEEE Trans. Reliability, vol. 40, no. 3, pp. 395-397,Aug. 1991. 5. Jae-Hak Lim, and Dong Ho Park, “Evaluation of Average Maintenance Cost for Imperfect-Repair Model, ”IEEE Trans, Reliability, vol. 48, no. 2, pp. 199-204, 1999. 6. Toshio Nakagawa, and Kazumi Yasui, “Optimal Policies for a system with Imperfect Maintenance, ”IEEE Trans. Reliability, vol. R-36, no. 5, pp.631-633, Dec. 1987. 7. Toshio Nakagawa, “Optimum Policies when Preventive Maintenance is Imperfect, ”IEEE Trans. Reliability, vol. R-28, no. 4, pp. 331-332, Oct. 1979. 8. Hoang Pham, and Hongzhou Wang, “Imperfect maintenance, ”European Journal of Operational Research, vol. 94,no. 3, pp. 425-438,Nov. 1996. 9. R.E. Barlow, F. Proschan, Mathematical Theory of Reliability. New York : Whiley, 1965. 10. C. J. Liao and W. J. Chen, “Single-machine scheduling with periodic maintenance and nonresumable jobs, ”Computers & Operation Research 30, pp.1335-1347,2003.

OPTIMAL SCHEDULE FOR PERIODIC IMPERFECT PREVENTIVE MAINTENANCE

SANG-WOOK SHIN Department of Statistics, Hallym University, Chunchon, 200-702, Korea E-mail: [email protected] DAE-KYUNG KIM Department of Statistics, Chonbuk National University, Chonju, 561- 756, Korea E-mail: [email protected] JAE-HAK LIM Division of Business Administration, Hanbat National University Taejon, 305-719, Korea E-mail: [email protected]

In this paper, we consider a periodic imperfect preventive maintenance(PM) policy in which the system after each P M remains unchanged (i.e. having the same failure rate as one just prior to PM) with probability p and is restored to the state as good as new one with probability p = 1 - p . And the system undergoes only minimal repairs a t failures between PM’s. T h e expected cost rate per unit time is obtained. T h e optimal number N of P M and the optimal period x, which minimize the expected cost rate per unit time are discussed. Explicit solutions for the optimal periodic PM are given for the Weibull distribution case.

1. Introduction

Preventive Maintenance( PM) has played an important role in effective operation and economic management of industrial systems. P M prevents unexpected catastrophic failure of system and ultimately extends the system life. P M problems have been studied by many authors : Barolw and Hunter (1960) propose two types of P M policies. One policy is that P M is done periodically and minimal repair at any intervening failure between periodic PM’s. The imperfect PM policy, in which PM is imperfect with probability p , is firstly introduced by Chan and Down(1978). Nakagawa( 1979) propose three imperfect P M models among which the model B assumes that the system undergoes imperfect PM at periodic times k T , where k = 1, 2 , . . . , and is minimally repaired at any failure between PM’s. In Nakagawa(1979), the system after imperfect P M has 467

468

the same failure rate as it has been before PM with probability p and as good as new with probability p . And optimal period minimizing cost rate per period is obtained. Murthy and Nguyen(l981) discuss an imperfect PM model where the system undergoes PM a t age TI if the most recent maintenance action was corrective maintenance(CM) or PM at T2 if it was PM. They treat imperfect PM in a way that the system after PM has a different (worse) failure time distribution than after CM. Brown and Proschan(l983) propose a imperfect repair model in which the failed unit is either minimally repaired with probability p or perfectly repaired with probability 1 - p . And they investigate aging preservation properties of life distribution of the unit after imperfect repair. Fontenot and Proschan(1984) and Wang and Pham(1996) obtain the optimal imperfect maintenance policies for one component system. Nakagawa( 1988) considers a sequential imperfect PM policies in which the hazard rate after PM k becomes akh(t),where ak is an improvement factor, when it was h ( t ) in period k of PM. Pham and Wang( 1996) give an excellent summary on imperfect maintenance. In this paper, we extend the model B of Nakagawa(1970) to the model that assumes additionally that the system is preventively maintained at periodic times k T and is replaced by a new system at the N t h PM, where k = 1, 2 , . . . N . The expected cost rate per unit time is obtained. The optimal number N * of the pewhich minimize the expected cost rate per riodic PM and the optimal period T*, unit time, are discussed. And the optimal schedules are computed explicitly when the failure time follows Weibull distribution.

Notations h(t) hazard rate without PM hpm(t) hazard rate with PM T period of PM N number of PM’s where the system is replaced probability that the failure rate of the system after PM remains unP changed cost of minimal repair at failure c r n r Cre cost of minimal replacement Cpm cost of PM expected cost rate per unit time C ( T ,N )

2. Model and Assumptions

A pcriodic impcrfcct P M modcl we consider in this paper assumes the followings: (i) The system begins to operate at time t = 0. (ii) The PM is done at periodic time k T ( k = 1, 2 , . . . N - 1) where T is replaced by new one at the N t h PM.

2 0, and

469 (iii) The system after P M has the same failure rate as it has been before P M with probability p and as good as new with probability p. (iv) The system undergoes only minimal repair at failures between PM's. (v) The repair and PM times are negligible. (vi) h ( t ) is strictly increasing and convex.

3. Expected Cost Rate Per Unit Time The PM model we consider in this paper is a periodic imperfect PM model for which the hazard rate after each P M remains unchanged with probability p and is reduced to zero with probability p = 1 - p . More explicitly, the hazard rate hpm(t) of the proposed imperfect PM model is given by

where k = 1, 2, . . . N , hprn(0)= h(0) and T is the time interval between P M interventions. The expected cost rate per unit time, C(T,N ) is defined as follows. Cost for minimal repairs + Cost for PM + Cost for replacement (2) NT Since it is well-known that the number of minimal repairs during the period k of PM is nonhomogeneous Poisson process(NHPP) with intensity function kT hpm(t)d t , the expected cost rate per unit time is easily given by the following equation. When 0 p < 1 C ( T , N )=

S(k-l)T



2

(1

=

(1

- (t-)m)

71

71

m+l 77

7177 (-(S)m)

Fm7Lt;m, 77)

(log

,

m t

- ---)m),

7171

+ mlog -t + 71

71

77

For calculating the MLE, the following transformations are used to remove the restrictions on the parameter space: 61 = l o g m ; 6'2 = logr]; 6'3 = log(&). We use the following score equations:

a1 = -(m,+,e) a1 861

dm

dl = " ( m ; < , p ) 862

x m = 0,

x7j=o,

dl = y m , 7 j , @ ) x 86'3

where,

6=

6,

is the MLE of

(3)

871

dm

4, i

=

1

+

P exp(i3) =

1,2,3, and then, riZ

=

'1

exp(&), 7j

=

exp(&), and

are the MLE of m, 17, and p , respectively, because of the invariance of l+exp(&) MLE. From the above equations, we can calculate the MLE m, 7j, and p based on

520

the Newton-Raphson Method. The asymptotic covariance matrix of the m, 7j, and

fi can be calculated from the following information matrix (Louis, 1982):

4. Analysis of an Actual Data Set Table 2 shows a n example of the marginal count failure data, which is an actual data set provided by a manufacturer.

Calendar year Number of sales Number of failures

1 512,120 605

2 211,790 990

3 12,020 536

4 5 5,000 647 7,406

6

7

8

36,880

65,275

60,213

The percentage of product units remaining in service at age t (shown in Table 3), that is, the survival function of the discard time, G d ( t ) , was estimated by the manufacturer based on survey data for product replacement. Tatable3. Percentage of proiduct units remaining in services by age yearsble 3.

t

I

G,j(t)

t Gd(t)

0 100

1 99.9

2 99.4

3 98.2

4 95.7

5 91.1

6 84.0

8 63.2

9 51.0

10 39.1

11 28.4

12 19.6

13 12.8

14 8.0

7 74.5

The results for the estimation of the parameters are shown in Table 4, which were obtained according to the algorithm described in the above section: the MLE was calculated using (2) and (3), and the asymptotic variance using (4).

MLE Avar*

m 6.8405 3.262

6 7.1668 0.2874

P 0.35564 0.01144

Using the value of riz, 6, and 6, the estimates of the number of failures were calculated and given in Table 5 . Figure 1 shows the estimated number of failures each year in contrast to the number of failures occurred actually. We see from the results that the proposed method is a n effective approach to analysis of such failure data sets.

521

to N,

s 1 2 3 4

512,120 211,790 12,020 5,000

Expected number Actual number

1 0.3

2 29.1 0.1

3 438.6 12.0 0.0

4 2818.9 181.4 0.7

0.3 605

29.2 990

450.7 536

s

NS 512,120 211,790 12,020 5,000 Expected number

1 2 3 4

0.0

5 11038.2 1165.8 10.3 0.3

6 29027.5 4564.9 66.2 4.3

3001.0 647

12214.6 7,406

33662.9 36,880

9 12792.2 17232.3 1136.5 283.4

10 798.6 5290.3 978.0 472.7

4.1 330.3 300.2 406.8

31444.3

7539.6

1041.4

11

12 0.0 1.7 18.7 124.9 145.3

13 0.0 0.0 0.1

7.8 7.9

7 48419.9 12004.5 259.1 27.5 60710.9 65,274

8 41668.6 20024.3 681.3 107.8 62481.9 60,213

14 0.0 0.0 0.0 0.0

0.0

70000 60000

5

m

40000 30000 20000 10000

0 0

2

4

6

8

10

12

14

16

Calendar year Figure 1. Number of failures estimated vs. occurred actually.

5 . Conclusions

This paper was mainly motivated by an actual marginal failure data set provided by a consumer electronics company. The population of the products are supposed to be a mixture of defective ones and non-defective ones. No failure occurs among the nondefective product units. Assuming that failure times follow a Weibull distribution, we obtained the maximum likelihood estimates of the shape and scale parameters

522 of the distribution and the proportion of the defective units in the population. Furthermore, the estimates of the number of failures were calculated by using the estimates of the parameters. we use them t o compare t o the number of failures occurred actually and t o give the prediction of number of failures in the future. The results show that the proposed method is useful and applicable t o more complicated data sets with more realistic limitations which we cannot deal with before. For the proposed model, we will further investigate its properties by conducting some simulation experiments and clarify its performance in different cases through applying it t o other actual data sets.

References 1. A. P. Dempster, N. M. Laird and D. B. Rubin, Maximum Likelihood from Incomplete Data via the EM algorithm (with discussion), Journal of the Royal Statistical Society Ser. B, 39,1-38 (1977). 2. N. L. Johnson, S. Kotz, and N. Balakrishnan, Discrete Multivariate Distributions. John Wiley & Sons, New York (1997). 3. M. R. Karim, W. Yamamoto and K. Suzuki, Statistical Analysis of Marginal Count Failure Data, Lzfetetime Data Analysis 7,173-186 (2001). 4. T. A. Louis, Finding the Observed Information Matrix When Using the EM algorithm, Journal of the Royal Statistical Society Ser. B, 44, 226-233 (1982). 5. W. Q. Meeker, Limited Failure Population Life Tests: Application to Integrated Circuit Reliability, Technometrics 29, 51-65 (1987). 6. K. Suzuki, L. Wang, W. Yamamoto and K. Kaneko, Field Failure Data Analysis with Discard Rate, MMR2002: Third International Conference on Mathematical Methods in Reliability Methodology and Practzce, 619-626, Trondheim, Norway (2002).

ON A MARKOVIAN DETERIORATING SYSTEM WITH UNCERTAIN REPAIR AND REPLACEMENT

N. TAMURA Department of Industrial and Systems Engineering, Faculty of Science and Engineering, Chuo University, 1-13-27 Kasuga, Bunkyo-ku, Tokyo 112-8551, Japan E-mail: [email protected]?l.ac.jp This paper considers a system whose deterioration is described as a discrete-time Markov chain. After each inspection, one of three actions can be taken: operation, repair or replacement. We assume that the result of repair is uncertain. If repair is taken, we decide whether t o inspect the system or not. When inspection is performed, we select an optimal action. We study an optimal maintenance policy which minimizes the expected total discounted cost for unbounded horizon. It is shown that, under reasonable conditions on the system's transition and repair laws and the cost structures, a control limit policy is optimal. Furthermore, we derive valid properties for finding the optimal maintenance policy numerically.

1. Introduction

Various maintenance policies for stochastically failing systems have been widely investigated in the literature. The papers by Pierskalls and Voelkerl, Sherif and Smith', Valdez-Flores and Feldman3 and Cho4 are excellent reviews of the area. For multi-state systems, most work concentrate on modeling the deteriorating process of a stochastically failing system by a Markov process in order to derive an optimal maintenance policy because of the tractability of the resulting mathematical problems. Ohnishi et d 5 and Lam and Yeh' studied optimal maintenance policies for continuous-time Markovian deteriorating system and showed a control limit rule is optimal under reasonable conditions. These studies considered that maintenance action is only replacement. In real situations, however, replacement is not the only maintenance action possible. So, various models for systems with imperfect repair have been suggested and studied by Lam7, Kijima', and Kijima and N a k a g a ~ a . Pham and Wan&' provided a survey of recent studies. Chiang and Yuan'' studied a continuous-time Markovian deteriorating system with uncertain repair and replacement. Because of complexity of the model, however, it is not shown that a control limit policy holds. For discrete-time case, Derman13 considered a Markovian deteriorating system

523

524 where replaceinent is the only maintenance action possible, and established sufficient conditions on the transition probabilities and the cost functions under which the optimal maintenance policy has a control limit rule. Douer and Yechiali14 introduced the idea of a general-degree of repair which is the action from any state to any better state at any time of inspection and showed that, under reasonable conditions, a control limit policy holds. Also, they proposed a model where the result of repair is uncertain. Then Douer and Yechiali'* assume that one always operate the system until the next inspection time after repair is completed. However, if repair is not enough, i.e. the system is repaired to a worse state than the current state, then it is not adequate to operate it. In this paper, we consider a discrete-time Markovian deteriorating system with uncertain repair and replacement. After each inspection, one of three actions can be taken: operation, repair or replacement. If repair is taken, then we decide whether t o inspect the system or not. When inspection is performed, we select an optimal action. We formulate the model as a Markov decision process. We examine the properties of an optimal maintenance policy which minimizes the expected total discounted cost for unbounded horizon. The structure of the paper is as follows. In the next section, the maintenance model is described in details. In section 3, the mathematical formulation of the problem is given. In section 4,we investigate properties of the optimal maintenance policy. Finally, some conclusions are drawn in section 5 . 2. Model Description Consider a system (a unit, a component of a system, a piece of operating equipment, etc.) which is inspected a t equally spaced points in time. After each inspection, the system can be classified into one of N 1 states, 0, . . . ,N . Then inspection cod d l is incurred. State 0 represents the process before any deterioration takes place; that is, it is initial new state of the system, whereas state N represents a failure state of the system. The intermediate states 1, . . ., N - 1 are ordered to reflect their relative degree of deterioration (in ascending order). Through inspection, the true state is certainly identified. Let the times of inspection be t=0,1,... , and let X t be the observed state of the system a t time t . We assume that { X t ;t = 0,1,. . . } is a finite-state Markov chain with stationary transition probabilities,

+

PZ, = P{Xttl = jjx, = 9 ,

(1)

for all i, j and t. Denote p l y ) the n-step transition probability from state i to state j . Then we suppose that, for each i=O,. . . , N , > 0 for some n. This condition assures that the system eventually reaches the failure state regardless of its initial state. When the system state is identified through inspection, one of the following actions can be taken.

(1) Action 1: We continue to operate the system until the next time.

525 (2) Action 2: We repair the system and select one of the following actions. (a) Action 2a: We continue to operate the system until the next time without inspection. (b) Action 2b: We identify state of the system with inspection and select optimal action k ( k = 1,2 or 3) at the next time. (3) Action 3: We replace the system with a new and identical one and operate it until the next time.

It is assumed that the result of repair is uncertain. So, we can not know true state of the system immediately after repair without inspection. Let qij be the probability that the system in state i is repaired to state j . We call qij repair probability. For the transition and repair probabilities, we impose the following conditions. In this paper, the term “increasing” means “nondecreasing.” Condition 2.1. For any h, the function N

Fh(i) = Z P i j j=h

is increasing in i.

Condition 2.2. For any h, the function N j=h

is increasing in i. Condition 2.1 means that as the system deteriorates, it is more likely to make a transition to worse states. This condition is also called the condition of increasing failure rate (IFR) of the system. Condition 2.2 implies that as the system deteriorates, it is less likely to be repaired to better states. From Derman13, condition 2.1 and 2.2 are equivalent to the following conditions, respectively.

Condition 2.3. For any increasing function a ( i ) , i = 0 , l . . , N ,the function N

j=O

is also increasing in i.

Condition 2.4. For any increasing function u ( i ) ,i N j=O

is also increasing in i.

= 0,1,. . .

, N ,the function

526 Furthermore, we impose the following conditions on p,, and q2,.

Condition 2.5. For any h, N

/

N

\

is increasing in i .

Condition 2.6. For any h, N j=h

is increasing in i . Condition 2.5 indicates that as the system deteriorates, the system which is operated until the next time is more likely t o move t o worse states in comparison with the system which is repaired and operated until the next time. Condition 2.6 indicates that as the system deteriorates, the system which is operated until the next time is more likely t o move t o worse states in comparison with the system which is repaired. Since the result of repair is uncertain, it is necessary to perform inspection in order to identify state of the system. So, when repair is performed, we decide whether to operate the system without inspection or to select an optimal action with inspection. Then inspection cost d2 (# d l ) is incurred. For example, in the case of a production process which produces items, state of the process may be determined by sampling the item produced. On the other hand, when repair is performed, we need grasp the process state by using other methods since no item is produces. Hence, we consider that inspection cost after operation is not equal to that immediately after repair. When we select action 1 for the system in state i , the system moves to state j with probability p i j at the next time and operating cost ui is incurred. When we select action 2 for the system in state i , the system is repaired t o state j with probability qij and repair cost ri is incurred. Thereafter, we decide whether to inspect the system or not. If inspection is performed, then the system state is identified and we select an optimal action at the next time. Otherwise, we operate the system until the next time. When we select action 3 for the system in state i , we replace the system with a new and identical one and operate it until the next time. Then replacement cost ci is incurred. For these costs, we introduce the following conditions.

Condition 2.7. ui,r z , ci are increasing in i Condition 2.7 implies that as the system deteriorates, it is more costly to operate, repair or replace the system.

527 Condition 2.8.

ui

-

cz,

are increasing in i. Condition 2.8 means that as the system deteriorates, in Eqs.(2), (3) and (4),the merit of replacement or repair becomes bigger than that of operation, and, in Eq.(5), the merit of replacement becomes bigger than that of repair. 3. Mathematical Formulation

Our objective here is to derive an optimal maintenance policy that minimizes the total expected discounted cost for unbounded horizon. Let V ( i )be the total expected discounted cost for unbounded horizon when the system starts in state i and an optimal maintenance policy is employed. We denote a discount factor by P (1 < /3 < 1). Furthermore, we let Hk(i) denote the total discounted cost when the system starts in state i and action k is selected. Then H l ( i ) is given by

Therefore, we have

528 4. Properties of Optimal Maintenance Policy In this section, we examine some structural properties of an optimal maintenance policy. When the operation horizon is finite T (T periods, say), denote by V T ( i ) the minimal total expected discounted cost when the system starts in state i. First, the following lemma is derived.

Lemma 4.1. For any T , V T ( i )is increasing in i . Since lim T+CC

vT(i)= ~ ( i ) ,

we obtain theorem 4.1.

Theorem 4.1. V ( i )is increasing in i. Theorem 4.1 implies that the expected total discounted cost is smaller if the system begins in a better state. The result is intuitively true. We denote by D ( i ) an optimal action when the system stays in state i. Using the above theorem, we can derive structural properties of an optimal maintenance policy.

Theorem 4.2. There exist the states

D(i)= where 0 5

&5k 5N

+ 1.

{

k

and k such that

1 for 0 5 i < k , 2 f o r k 5i < k , 3 f o r i5i I N ,

Furthermore, we impose the following condition.

Condition 4.1. For any h,

is increasing in i. This condition indicates that as the system deteriorates, the system which is repaired and operated until the next time is more likely t o move t o worse states in comparison with the system which is repaired. Then we obtain theorem 4.3.

Theorem 4.3. There exists an optimal maintenance policy of the form,

529 where 0

5 Ic, 5 i b 5 I 5 N

+ 1.

This theorem states that since the system is less likely to be repaired to better states with deterioration, we should inspect the system and select an optimal action while the system stays in some worse states. Intuitively, when d2 is not so large, it will be considered that we should inspect the system immediately after repair regardless of state. The following theorem states that this interpretation is true.

Theorem 4.4. I i f o r a n y i, 2

1=0

and

then there exists an optimal maintenance policy of the f o r m ,

where

o I kb I I

5N

+ 1.

Eq.(13) indicates that the system is repaired t o a better state than the current one without fail.

5. Conclusion We consider a discrete-time Markovian deteriorating system with uncertain repair. If repair is performed, then we decide whether to inspect the system or not. When inspection is taken, the system state is identified and an optimal action is selected at the next time. We examine properties of an optimal maintenance policy minimizing the total expected discounted cost. We derive sufficient conditions that a control limit policy holds and the optimal maintenance policy may be characterized by four regions. Also, it is shown that, under some conditions, the optimal maintenance policy may be characterized by three regions.

References 1. W.P. Pierskalls and J.A. Voelker, A survey of maintenance models: the control and surveillance of deteriorating, Naval Research Logistics Quarterly, 23, 353-388 (1976). 2. Y.S. Sherif and M.L. Smith, Optimal maintenance models for systems subject to failure - a review, Naval Research Logistics Quarterly, 28, 47-74 (1981). 3. C. Valdez-Flores and R.M. Feldman, A survey of preventive maintenance models for stochastically deteriorating single-unit systems, Naval Research Logistics, 36, 419-446 (1989).

530 4. D.I. Cho, A survey of maintenance models for multi-unit systems, European Journal of Operational Research, 51, 1-23 (1991). 5. M. Ohnishi, H. Kawai and H. Mine, An optimal inspection and replacement policy for a deteriorating system, Journal of Applied Probability, 23,973-988 (1986). 6. C.T. Lam and R.H. Yeh, Optimal maintenancepolicies for deteriorating systems under various maintenance Strategies. IEEE Transactaons on Reliability, 43,423-430 (1994). 7. Y . Lam, Geometric processes and replacement problem, Acta Mathematicae Applicatae Sinica, 4, 366-377 (1988). 8. M. Kijima, Some results for repairable systems with general repair, Journal of Applzed Probability, 26,89-102 (1989). 9. M. Kijima and T. Nakagawa, A cumulative damage shock model with imperfect preventive maintenance, Naval Research Logistics, 38,145-156 (1991). 10. M. Kijima and T. Nakagawa, Replacement policies of a shock model with imperfect preventive maintenance, European Journal of Operational Research, 57, 100-110 (1992). 11. H. Pham and H. Wang, Imperfect repair, European Journal of Operational Research, 94, 425-438 (1996). 12. J.H. Chiang and J. Yuan, Optimal maintenance policy for a Markovian system under periodic inspection Reliability Engineering and System Safety, 71,165-172 (2001). 13. C. Derman, On optimal replacement rules when changes of states are Markovian, In: Mathematical Optimization Techniques (R. Bellman, Ed.), The RAND Corporation, 201-210 (1963). 14. N. Douer and U. Yechiali, Optimal repair and replacement in Markovian systems, Communications in Statistics -Stochastic Models-, 10, 253-270 (1994).

SOFTWARE RELIABILITY MODELING FOR INTEGRATION TESTING IN DISTRIBUTED DEVELOPMENT ENVIRONMENT

YOSHINOBU TAMURA Department of Information Systems, Faculty of Environmental and Information Studies, Tottori University of Environmental Studies, Kita 1-1-1, Wakabadaa, Tottori-shi 689-1111, Japan E-mail: [email protected]

SHIGERU YAMADA Department of Social Systems Engineering, Faculty of Engineering, Tottori University, Minami 4.101, Koyama, Tottori-shi 680-8552, Japan E-mail: [email protected]

MITSUHIRO KIMURA Department of Industrial and Systems Engineering, Faculty of Engineering, Hosea University 3-7-2, Kajino, Koganei-shi, Tokyo, 184-8584, Japan E-mail: [email protected]. ac.jp In new software development paradigm such as client/server systems and distributed development by using network computing technologies, it has been difficult to assess the software reliability in recent years, because the complexity of software systems has been increasing as the result of distributed system development. In this paper, we propose a software reliability growth model based on stochastic differential equations for the integration testing phase of distributed development environment.

1. Introduction

A computer-software system is developed by human work, therefore many software faults must be introduced into the system during the development process. Thus, these software faults often cause complicated break-downs of computer systems. Recently, it has been more difficult for the developers to produce highly-reliable software systems efficiently because of the diversified and complicated software requirements. Therefore, it is necessary to control the software development process in terms of quality and reliability. Many software systems have been produced under host-concentrated development environment. In such host-concentrated one, even the progress of software

531

532 development tools has caused several issues. For instance, one issue is that all of software development management has to be suspended when the host computer is down. From the late 1980s, personal computers have been spread on our daily life instead of conventional mainframe machines, because the price and performance of personal computers have been extremely improved. Hence, computer systems which aid the software development have been also changing into UNIX workstations or personal computers to reduce the cost for the development. A Client/Server System (CSS) which is a new development method have come into existence as a result of the progress of networking technology by UNIX systems. On the other hand, the effective testing method for distributed development environment has only a few presented’”. Basically, software reliability can be evaluated by the number of detected faults or the software failure-occurrence time in the testing phase which is the last phase of the development process, and it can be also estimated for the operational phase. A software failure is defined as an unacceptable departure of program operation caused by a software fault remaining in the software system. Especially, software reliability models which describe software fault-detection or software failure-occurrence phenomena in the testing-phase are called software reliability growth models (SRGM’s). The SRGM’s are very useful to assess the reliability for quality control and testingprocess control of software development.

2. Testing in Distributed Development Environment We discuss characteristics of the integration testing and the system testing phases in distributed development environment. 2.1. Characteristics of the Integration Testing We show main characteristics of the integration testing in distributed development environment as

0 0 0 0 0

The confirmation of link connection for interface, file, and database based on the defined specifications is performed. The integration testing is executed selectively for software functions. The interlock processing of software between server and client is confirmed. It is generally located in between the module testing and the system testing. The validity, operationality, performance, and capability for software functions are confirmed.

2.2. Characteristics of the System Testing We show main characteristics of the system testing in distributed development environment as

0

The implementation of the whole functions in software system is confirmed.

533

0 0 0

It is the final-stage to verify whether the reliability requirement of a software system is satisfied. The defined specifications in software design are verified. It is selectively tested for the effects of actual operations.

3. Software Reliability Modeling for Distributed Development

Environment 3.1. Modeling for Module Testing Many SRGM's have been used as the conventional methods to assess the reliability for the quality control and testing-process management of software development. Among others, nonhomogeneous Poisson process (NHPP) models have been discussed in many literatures since the NHPP models can be easily applied in actual software development. In this section, we describe a n NHPP model for analyzing software fault-detection count data. Considering stochastic characteristics associated with the fault-detection procedures in the testing-phase, we treat { N ( t ) ,t 2 0} as a nonnegative counting process where random variable N ( t ) means the cumulative number of faults detected up to testing-time t. The fault-detection process { N ( t ) , t2 0} is formulated as follow^^>^:

(n=O,1,2;").

(1)

In Eq. (l),Pr{A} means the probability of event A, and H ( t ) is called a mean value function which represents the expected cumulative number of faults detected in the testing-time interval ( 0 ,t ] . According to the growth curve of the cumulative number of detected faults, we assume that the software reliability for each component is assessed by applying the following SRGM's' based on NHPP's:

0 Exponential SRGM 0 Delayed S-shaped SRGM 0 Inflection S-shaped SRGM

0 Testing-effort dependent SRGM We assume that the following fault-detection rate per remaining fault derived from each NHPP model has the equivalent characteristics for each component:

dH,o bi(t) =

dt

a - H i ( t )'

where b,(t) is the fault-detection rate per remaining fault for i-th component, H,(t) the mean value function for i-th software component, and a the expected number of initial inherent faults in i-th component.

534 3.2. Modeling for Integration Testing

We have proposed several SRGM’s for distributed development environment. However, these models are considered for the system testing phase that is the final-stage to verify whether the reliability requirement of a software system is satisfied. The testing process in distributed one can be simply shown as follows:

(Phase 1.) Module testing that manages as a unit of client/server. (Phase 2.) Subsystem testing that manages as a software component after the combination of several modules. (Phase 3.) System testing that is the final-stage to verify whether the reliability requirement of a software system is satisfied. Especially, it is difficult to proceed with the testing phase 2.-3., because the architecture of each component is considered to have different development styles. It is the cause of new faults introduced by combining of several software components. Also, the whole architecture of the software system needs to be modified, if the contradiction in software development is verified in the system testing phase’!’. From the above matter, it is necessary t o verify sufficiently software reliability in the integration testing phase of distributed development environment, because new faults are introduced by combining of several components. Therefore, we propose a software reliability growth model for integration testing of distributed one. 3.2.1. Model Description

Let M ( t ) be the number of faults remaining in the software system at testingtime t (t 0). Suppose that M ( t ) takes on continuous real values. Since latent faults in the software system are detected and eliminated during the testing phase, M ( t ) gradually decreases as the testing procedures go on. Thus, under common assumptions for software reliability growth modeling, we consider the following linear differential equation:

>

= -b(t)M(t), (3) dt where b ( t ) is a fault-detection rate per unit time per fault a t testing-time t and is a non-negative function. Next, we assume that b ( t ) includes the characteristics for each software component in the integration testing phase of the distributed one approximately. Especially, it is necessary to verify sufficiently software reliability in the integration testing phase of distributed one, because new faults are introduced by combining of several software components. Therefore, we suppose that b(t) in Eq. ( 3 ) has the irregular fluctuation. That is, we extend Eq. (3) t o the following stochastic differential e q ~ a t i o n ~ , ~ :

535 where ( ( t )is a noise representing an irregular fluctuation and B ( t ) the total faultdetection rate. In this paper, we consider that B ( t ) is given by the following equation:

where bi(s)(i= 1 , 2 , . . . ,n ) is the software failure-occurrence rate per inherent fault for the i-th component in Eq. (2). We assume that a software system consists of n software components. Further, to make its solution a Markov process, we assume that [ ( t ) can be expressed as follows:

where a is a positive constant representing a magnitude of the irregular fluctuation and y(t) a standardized Gaussian white noise. Substituting Eq. (6) into Eq. (4),we can obtain the following solution process under the initial condition M ( 0 ) = mo as follows:

where W ( . )is a one-dimensional Wiener process which is formally defined as an integration of the white noise y(t) with respect to time t. A Wiener process is a Gaussian process, and it has the following properties:

1,

(8)

E[W(t)l = 0,

(9)

Pr(W(0) = 0}

=

E [ W ( t ) W ( t ’ ) ]= Min[t, t’],

(10)

where E [ X ] means the expected value of X.

3.2.2. Software Reliability Assessment Measures Information on the current number of remaining faults in the system is very important to estimate the degree of the progress on the software testing process. Since it is a random variable in our model, its expected value can be useful measures6. We can calculate them from Eq. (7) as follows:

E [ M ( t ) ]= mo . exp

[

-

B(s)ds

+ “t] 2

.

(11)

4. Numerical Examples

We analyze actual software fault data t o show several numerical examples for application of our SRGM. A set of fault-detection count data used in this section is obtained from an actual software project that developed the software system

536

consisting of seven components. The testing data were recorded on the basis of a testing-day. In this paper, we estimate the model parameters by using conventional models shown in Sec. 3.1 in terms of the seven software components during the module testing phase. However, we have verified that the unknown parameters in these models have diverged in terms of two components of the seven software components. Therefore, we have considered that these two components have no effect on the whole system, because these components have the properties that the sizes and the number of detected faults are small compared t o other 5 components and so on. We show the testing period for each software component in Figure 1.

3

2 z

System Test Integration Test

tiz

No.5

E!

z u

No.4

w

No.3 No.2

0

10

No. 1 -

I

Testing Period

-

1

Figure 1. The testing period for each component in the actual data.

4.1. Reliability assessment results for each component According t o the growth curve of the cumulative number of detected faults, we assume that the software reliability in each software component is assessed by applying the SRGM’s based on NHPP’s. The selected models in Sec. 3.1 is decided by using the mean square error (MSE)’. First, Table 1 shows the result of goodness-of-fit comparison in terms of the MSE for each component. 4.2. Reliability assessment results for integration testing

Next, the sample path of the estimated number of remaining faults in Eq. ( 7 ) ,k(t) is plotted in Figure 2 approximately along with actual data.

537

No.1 No.2 No.3 Nn4

Exponential

Delayed S-shaped

Inflection S-shaped

SRGM ___

SRGM

SRGM

cI.""". ) nm7*

0.9702* 1.7087* 4.044R*

I

2.5230 3.0427 11.600

Testing-effort dependent

SRGM I

1.8898

I

120 I

40 -

20 IActual -1 M(f) -

I

Figure 2.

..

The sample path of the estimated number of remaining faults,

o(t)

The estimated expected number of remaining faults in Eq. (ll),E [ A 4 ( t ) ] is plotted in Figure 3. 5 . Concluding Remarks

In this paper, we have proposed a software reliability growth model in the integration testing phase of distributed development environment. Especially, we have discussed the method of software reliability assessment considering the interaction among software components in distributed one. Additionally, we have presented several numerical examples for the actual data. Conventional SRGM's for system testing phase in distributed one have included many unknown parameter^^>^. Especially, the effective estimation method in terms of the weight parameters pi(i = I , 2, . . . , n) in 7,9, which mean the proportion of the total testing-load for the software component, has been never presented. Our SRGM can be easily applied in distributed software development, because our model has

538

0

10

20

30 TIME (DAYS)

40

50

Figure 3. The estimated number of remaining faults, E(M(t)] t h e simple structure, i.e., the number of unknown parameters included in our model is only two, i.e., mo a n d c. Therefore, we consider t h a t our model is very useful for software developers i n terms of practical reliability assessment in the actual distributed development environment.

References 1. A. Umar, Distributed Computing and Client-Server Systems, Prentice Hall, New Jersey (1993). 2. L. T. Vaughn, Client/Server S y s t e m Design and Implementation, McGraw-Hill, New York (1994). 3. M. R. Lyu, ed., Handbook of Software Reliability Engineering, IEEE Computer Society Press, Los Alamitos, CA (1996). 4. P. N. Misra, Software reliability analysis, IBM Systems J. 22, 3, 262-270 (1983). 5 . S. Yamada, Software Reliability Assessment Technology (in Japanese), HBJ Japan, Tokyo (1989). 6. S. Yamada, M. Kimura, H. Tanaka, and S. Osaki, Software reliability measurement and assessment with stochastic difierential equations, IEICE Trans. Fundamentals E77-A, 1, 109-116, Jan (1994). 7. Y. Tamura, M. Kimura, and S, Yamada, Software reliability growth model for a distributed development environment: Stochastic differential equation approach and its numerical estimation (in Japanese), Trans. Japan SIAM 11,3, 121-132, Sept. (2001). 8. A. Iannino, J. D. Musa, K. Okumoto, and B. Littlewood, Criteria for software reliability model comparisons, IEEE Trans. Software Engineering SE-10, 6, 687-691, Nov. (1984). 9. S. Yamada, Y. Tamura, and M. Kimura, A software reliability growth model for a distributed development environment, F,lectronics and Communications in Japan, Part 3 83,12, 1-8, Dec. (2000).

PERFORMANCE EVALUATION FOR MULTI-TASK PROCESSING SYSTEM WITH SOFTWARE AVAILABILITY MODEL

KOICHI TOKUNO AND SHIGERU YAMADA Department of Social Systems Engineering, Faculty of Engineering, Tottori University, 4-101, Koyama, Tottori-shi, 680-8552 Japan E-mail: { toku, yamada} Qsse. tottori-u. ac.jp We propose the performance evaluation method for the multi-task system with software reliability growth process. The time-dependent behavior of the system itself alternating between up and down states is described by the Markovian software availability model. We assume that the cumulative number of tasks arriving at the system and the processing time for a task follow the homogeneous Poisson process and the exponential distribution, respectively. Then we can formulate the distribution of the number of tasks whose processes can be complete with the infinite-server queueing model. From the model, several quantities for software performance measurement related t o the task processing can be derived. Finally, we present several numerical examples of the quantities t o analyze the relationship between the software reliability characteristics and the system performance measurement.

1. Introduction

For the last few decades, the stochastic modeling for software reliability/availability measurement and assessment in the dynamic environment such as the testing phase of the software development or the user operation phase has been much d i s c ~ s s e d . On ' ~ ~the ~ ~other hand, performance evaluation methods for fault-tolerant computing systems have been proposed. These have often been discussed from the viewpoints of the hardware configuration. Beaudry4 has proposed the performancerelated measures such as the cornputlation availability and the mean computation between failures. Meyer5 has proposed the performability taking account of accomplishment levels from the customer's viewpoint. Nakamura and Osaki' have classified the lost jobs caused by processor failure and by cancellation. Sols' has introduced the concept of degraded availability. However, the above studies have not included the characteristics peculiar t o software systems such as the software reliability growth process. In this paper, we propose the software performance evaluation method based on the number of tasks. Most of the existing techniques for software performance/ quality evaluation related t o reliability have paid attention t o only the states of the systems themselves such as the software failure-occurrence phenomenon and had no consideration for the external factors, for example, the frequency of the occurrence

540 of usage demands for the system and the stochastic characteristic of customer’s usage time. Here we attempt to discuss the software performance evaluation from the viewpoint of the task processing. We consider what we call the multi-task software system which can be process the plural tasks simultaneously. We assume that the cumulative number of tasks arriving a t the system and the processing time for a task follow the homogeneous Poisson process and the exponential distribution, respectively. The software failure-occurrence phenomenon and the restoration characteristic in the dynamic environment are described by the Markovian software availability model.8 The stochastic behavior of the number of tasks whose processes can be complete is modeled with the infinite-server queueing modeLg From the model, we derive several quantities €or software performance measurement related to the task processing. The organization of the paper is shown as follows. Section 2 states the software availability model used in the paper. Section 3 describes the stochastic processes of the numbers of tasks whose processes are complete and canceled out of the tasks arriving up to a given time point. Section 4 derives several software performance measures based on the number of tasks from the model. Section 5 presents the numerical examples of the measures and examines the software performance analysis. In Section 6, we state the conclusion of the paper.

2. Software Availability Model

The following assumptions are made for software availability modeling: AI-1. The software system is unavailable and starts to be restored as soon as a software failure occurs, and the system cannot operate until the restoration action is complete. AI-2. The restoration action implies the debugging activity; this is performed perfectly with the perfect debugging rate a (0 < a 5 1) and imperfectly with probability b(= 1 - a ) . One fault is corrected and removed from the software system when the debugging activity is perfect. 1-hAr

I-hiAr

l-Lh

I -L I AT

Figure 1. Sample state transition diagram of X ( t ) .

54 1

X,, and restorations, V,, when n faults have already been corrected from the system, follow the exponential distributions with means l / X n and l / p n , respectively.

AT-3. The time intervals of software failures,

The state space of the stochastic process {X(t), t 2 0} representing the state of the software system at the time point t is defined as follows:

W,: the system is operating, R,: the system is inoperable and debugged, where n = 0, 1, 2, . . . denotes the cumulative number of corrected faults. Figure 1 illustrates the sample state transition diagram of X ( t ) . The state occupancy probabilities that the system is in the states Wn and R, at the time point t are given by

Pw, ( t )= Pr{X(t)

PR,

( t )E Pr{X(t)

= Wn}

Rn}

1

respectively, where g n ( t ) is the probability density function of the random variable Sn representing the first passage time t o the state Wn, and g k ( t ) = dg,(t)/dt. The distribution function G n ( t )E gn(x)dz is given by

Ji

G n ( t ) = Pr{S, 5 t } n-1 =

1-

[A:,ne-”’t

+ A:,,e-Y‘t]

a=O

2 2

Yz

}

( n = 1, 2, . . . ; Go(t)= I ( t ) (the step function)) 1

=

5 [(Az + p a )f d(Xa+ p z ) 2

-

4aX,pa]

(double signs in same order)

n

n-1

XJY3

3=0

At,,

= 2 2

n J

n

(3)

n-1

n-1

( 2 3 - 2,)

(Y3

-22)

3=0

=o

J#a

n-1

rI

XJYJ

3=0

4 , n

n

n-1

n-1

1

Ya

J=O J#%

(z=O,

(Y3 - Yz)

rl[ ( 2 3 J

-

Ya)

=O

1, 2, . . . ) n - 1 )

1

542

3. Model Description We make the following assumptions for system’s task processing:

AII- 1. The number of tasks the system can process simultaneously is sufficiently large.

AII-2. The process { N ( t ) ,t 2 0) representing the number of tasks arriving at the system up to the time t follows the homogeneous Poisson process with the arrival rate 0. AII-3. The processing time of a task, Y , follows the exponential distribution with mean l / a and each of the processing times is independent. AII-4. When the system causes a software failure before the processes of tasks do not finish, the tasks are canceled. Figure 2 illustrates the configuration of the system’s task processing.

Software Failure Time Figure 2.

Configuration of task processing.

Let { Z ( t ) , t 2 0} be the random variable representing the cumulative number of tasks whose processes can be complete out of the tasks arriving up to the time t. By conditioning with { N ( t )= k } , we obtain the probability mass function of Z ( t ) as

543 Given that {X(t) = Wn},the probability that the process of an arbitrary task is complete is given by Pr{Xn

Ly

> YIX(t) = W n }= An

+

(5)

Furthermore, the arrival time of an arbitrary task out of ones arriving up to the time t is distributed uniformly over the time interval (0, t].' Therefore, the probability that the process of the task having arrived up t o the time t is complete is obtained as

Then from assumption AII-3,

That is, given that { N ( t )= k } , the number of tasks whose processes can be complete follows the binomial process with mean k p ( t ) . Accordingly, from (4)the distribution of Z ( t ) is given by

Equation (8) means that Z ( t ) follows the nonhomogeneous Poisson process with the mean value function Btp(t). Let { W ( t )t, 2 0} be the random variable representing the cumulative number of tasks whose processes are interrupted out of the tasks arriving up to the time t. Then we can apply the same discussion as Lbove t o the derivation of the distribution of W ( t ) ,ie., we can obtain Pr{W(t) = j } as

544 4. Software Performance Measures

The expected numbers of tasks completable a.nd incompletable out of the tasks arriving a t the time t are given by

respectively. Furthermore, the instantaneous task completion and incompletion ratios are given by

respectively. These represent the ratios of the numbers of tasks completed and canceled t o one of tasks arriving a t the system per unit time a t the time point t . As to p ( t ) in Eq. (6) and q ( t ) in Eq. (lo), we can give the following interpretations:

That is, p ( t ) and q ( t ) are the task completion and incompletion probabilities per task arriving up to the time t , respectively. We note that p ( t ) and q ( t ) have no bearing on the arrival rate of the task, 8.

5. Numerical Examples We show several numerical examples of software performance analysis. Here we apply the model of MorandalO t o the hazard rate A, = Dcn (D > 0, 0 < c < 1) and the restoration rate pn = Ern ( E > 0, 0 < r 5 l ) , respectively. Figure 3 shows the time-dependent behaviors of the instantaneous task completion ratio, h ( t ) ,in Eq. (13) and the instantaneous task incompletion ratio, p ( t ) , in Eq. (14) along with the instantaneous software availability, A ( t ) = C,"==, Pw,(t). This figure tells us that h(t) and p ( t ) converge to 1 and zero, respectively, and that h ( t ) gives more pessimistic evaluation than the past performance measure ( A @ ) ) since this model considers that it takes a time duration to finish a task. If we specify the objective of h ( t ) ,say ho, then we can calculate the testing time t = t h satisfying h(t) = ho. Figure 4 shows h(t) for various values of the perfect

545

0

100

50

150

200

250

300

Time Figure 3 . Behaviors of h ( t ) ,f i ( t ) ,and A ( t ) ( a = 1.0, a = 0.9, D = 0.2, c = 0.9, E = 1.0,

T

=

0.95).

a=l .o\

0

50

100

150

200

250

300

Time Figure 4. Dependence of h ( t ) on a ( a = 1.0,. D = 0.2, c = 0.9, E = 1.0,

T

= 0.95).

debugging rate, a, where the solid horizontal straight line designates the example of the objective, ho = 0.85. We can see that it takes longer time to satisfy the objective of h(t) as the debugging ability becomes lower. 6. Concluding Remarks

In this paper, we have discussed the software performance measurement based on the number of tasks. The stochastic behavior peculiar to the software system such as software reliability growth process, the upward tendency of difficulty in debugging, and the imperfect debugging environment have been described by the Markovian

546 availability model. Assuming that the cumulative number of the tasks arriving at the system up to a given time point follows the homogeneous Poisson process, we have analyzed the distribution of the number of tasks whose processes can be complete with the concept of the infinite-server queueing model. From the model, we have derived several software performance measures such as the expected numbers of completable and incompletable tasks, the instantaneous task completion and incompletion ratios, and the task completion and incompletion probabilities per task. We have also illustrated the several numerical examples of these measures. It has been meaningful to correlate the software reliability characteristics with software performance measurement.

Acknowledgments This work was supported in part by the Saneyoshi Scholarship Foundation, Japan, and Grants-in-Aid for Young Scientists (B) of the Ministry of Education, Culture, Sports, Science and Technology of Japan under Grant No. 16710114.

References 1. M. R. Lyu (ed.), Handbook of Software Reliability Engineering, IEEE Computer Scciety Press, Los Alamitos, CA (1996). 2. S. Yamada, Software reliability models, in Stochastic Models in Reliability and Maintenance, Springer-Verlag, Berlin, 253 (2002). 3. K. Tokuno and S. Yamada, Software availability theory and its applications, in Handbook of Reliability Engineering, Springer-Verlag, Berlin, 235 (2003). 4. M. D. Beaudry, Performance-related reliability measures for computing systems, IEEE Trans. Comput. C-27, 540 (1978). 5. J. F. Meyer, On evaluating the performability of degradable computing systems, IEEE Trans. Comput. C-29, 720 (1980). 6. M. Nakamura and S. Osaki, Performance/reliability evaluation of a multi-processor system with computational demands, Int. J. Sys. Sci. 15,95 (1984). 7. A. Sols, System degraded availability, Reliab. Eng. Sys. Safety 5 6 , 91 (1997). 8. K. Tokuno and S. Yamada, Markovian software availability measurement based on the number of restoration actions, IEICE Trans. Fundamentals E83-A, 835 (2000). 9. S. M. Ross, Applied Probability Models with Optimization Applications, Holden-Day, San Francisco (1970). 10. P. B. Moranda, Event-altered rate models for general reliability analysis, IEEE Trans. Reliab. R-28, 376 (1979).

QUALITY ENGINEERING ANALYSIS FOR HUMAN FACTORS AFFECTING SOFTWARE RELIABILITY IN THE DESIGN REVIEW PROCESS WITH CLASSIFICATION OF DETECTED FAULTS*

KOUSUKE TOMITAKA, SHIGERU YAMADA, AND RYOTARO MATSUDA Department of Social Systems Engineering, Faculty of Engineering, Tottori University, Minami 4-101, Koyama-cho, Tottori 680-8552, Japan E-mail: { 99t7036, yamada} @sse.tottori-u.ac.jp

Software faults introduced by human development work have great influence on the quality and reliability of a final software product. The design-review work can improve the final quality of a software product by reviewing the design-specifications, and by detecting and correcting a lot of design faults. In this paper, we conduct an experiment t o clarify human factors and their interactions affecting software reliability by assuming a model of human factors which consist of inhabitors and inducers. Finally, extracting the significant human factors by using the quality engineering approach based on the orthogonal array L l ~ ( 2 xl 37) and the signal-to-noise ratio, we discuss the relationships among them and the classification of detected faults, i.e., descriptive-design and symbolic-design ones, in the design-review process.

1. Introduction

Software faults introduced by human errors in development activities of complicated and diversified software systems have occurred a lot of system failures of modern computer systems. Since these faults concern with mutual relations among human factors in such software development projects, it is difficult to prevent from software failures beforehand in the software production control. Additionally, most of these faults are detected and corrected after software failure occurrences during the testing phase. If we can make the mutual relations among human factors [1,2] clear, then the problem for software reliability improvement is expected to be solved. So far, several studies have been carried out to investigate the relationships among software reliability and human factors by performing software development experiments and providing fundamental frameworks for understanding the mutual relations among various human factors (for example, see [3,4]). *This work is partially supported by the Grant-in-Aid for the Scientific Research (C)(2) from the Ministry of Education, Culture, Sports, Science and Technology of Japan under Grant No.15510129.

547

548

In this paper, we focus on a software design-review process which is more effective than the other processes for elimination and prevention of software faults. Then, we adopt a quality engineering approach for analyzing the relationships among the quality of the design-review activities, i.e., software reliability, and human factors to clarify the fault-introduction process in the design-review process. We conduct a design-review experiment of graduate and undergraduate students as subjects. First, we discuss human factors categorized in inhabitors and inducers in the design-review process, and set up controllable human factors in the designreview experiment. Especially, we lay out the human factors on an orthogonal array based on the method of design of experiment [ 5 ] . Second, in order to select human factors which affect the quality of the design-review, we perform a software design-review experiment reflecting an actual design process based on the method of design of experiment. For analyzing the experimental results, we adopt a quality engineering approach, i.e., Taguchi-method. That is, applying the orthogonal array L l ~ ( 2 'x 37) with inside and outside factors t o the human factor experiment and classifying the faults detected in design-review work into descriptive-design and symbolic-design ones, we carry out the analysis of variance by using the data of signal-to-noise ratio (defined as SNR) [6] which can evaluate the stability of quality characteristics, discuss effective human factors, and obtain the optimal levels for the selected inhabitors and inducers. 2. DESIGN-REVIEW AND HUMAN FACTORS

2.1. Design-review The design-review process is located in the intermediate process between design and coding phases, and has software requirement-specifications as inputs and software design-specifications as outputs. In this process, software reliability is improved by detecting software faults effectively [7]. 2.2. Human factors

The attributes of software designers and design process environment are mutually related for the design-review process. Then, influential human factors for the designspecification as outputs are classified into two kinds of attributes in the following [8,9,10]: (i) Attributes of the design reviewers (Inhabitors) Attributes of the design reviewers are those of software engineers who are responsible for design-review work. For example, they are the degree of understanding of requirement-specifications and design-methods, the aptitude of programmers, the experience and capability of software design, the volition of achievement of software design, etc. Most of them are psychological human factors which are considered to contribute directly t o the quality of software design-specification.

549

(ii) Attributes of environment for the design-review (Inducers) In terms of design-review work, many kinds of influential factors are considered such as the education of design-methods, the kind of design methodologies, the physical environmental factors in software design work, e.g., temperature, humidity, noise, etc. All of these influential factors may affect indirectly the quality of software design-specification. 3. DESIGN-REVIEW EXPERIMENT 3.1. Human factors in the experiment In order to find out the relationships among the reliability of software designspecification and its influential human factors, we have performed the design-review experiment by selecting five human factors as shown in Table 1 as control factors which are concerned in the review work.

-

Table 1. Controllable factors in the design-review experiment.

I

Level

Control Factor

A

BGM of classical music in the review work environment [Inducer]

Ai:

1

2

3

yes

Az: no

-

B

Time duration of software design-review work (minute) [Inducer]

Bi: 20min

Bz: 30min

B3:

C

Degree of understanding of the designmethod (R-Net Technique) [Inhabitor]

Ci: high

Cz: common

c3: low

D

Degree of understanding of requirementspecification [Inhabitor]

Di: high

Dz: common

D3: low

Check list (indicating the matters that require attention in review work) [Inducer1

El: detailed

Ez: common

E3:

E

40min

nothing

3.2. S u m m ary of experiment

In this experiment, we conduct an experiment t o clarify the relationships among human factors affecting software reliability and the reliability of design-review work by assuming a human factor model [8,9,10]consisting of the inhabitors and inducers. The actual experiment has been performed by 18 subjects based on the same designspecification of a triangle program which receives three integers representing the sides of a triangle and classifies the kind of triangle such sides form [ll]. We measured the 18 subjects’ capability of both the degrees of understanding of designmethod and requirement-specification by the preliminary tests before the design of experiment. Further, we seeded some faults in the design-specification intentionally. Then, we have executed such a design-review experiment in which the 18 subjects detect the seeded faults.

550 We have performed the experiment by using the five control factors with three levels as shown in Table 1, which are assigned to the orthogonal-array L18(21 x 37) of the design of experiment as shown in Table 3. 3.3. Classijication of detected faults

We distinguish the design parts as follows to be pointed out in the design-review as detected faults into the descriptive-design and symbolic-design parts. 0

0

Description-design faults The descriptive-design parts consist of words or technical terminologies which are described in the design-specification to realize the required functions. In this experiment, the descriptive-design faults are algorithmic ones, and we can improve the quality of design-specification by detecting and correcting them. Symbolical-design faults The symbolical-design parts consist of marks or symbols which are described in the design-specification. In this experiment, the symbolical-design faults are notation mistakes, and the quality of the design-specification can not be improved by detecting and correcting them.

3.4. Data analysis with classification of detected faults

For the orthogonal-array L18(2l x 3'), setting the classification of detected faults as outside factor R and the control factors A, B, C, D, and E as inside factors, we perform the design-review experiment. Here, the outside factor R has two levels such as descriptive-design parts(R1) and symbolical-design parts(&). 4. ANALYSIS OF EXPERINMENTAL RESULTS 4.1. Definition of SNR We define the efficiency of design-review, i.e., the reliability, as the degree that the design reviewers can accurately detect correct and incorrect design parts for the design-specification containing seeded faults. There exists the following relationship among the total number of design parts, n, the number of correct design parts, no, and the number of incorrect design parts containing seeded faults, n1:

n = no

+

721.

(1)

Therefore, the design parts are classified as shown in Table 2 by using the following notations: noo = the number of correct design parts detected accurately as correct design parts,

nol = the number of correct design parts detected by mistake as incorrect design parts,

551 nlo

=

the number of incorrect design parts detected by mistake as correct design parts,

n11 = the number of incorrect design parts detected accurately as incorrect design parts, where two kinds of error rate are defined by

n10 nl Considering the two kinds of error rate, p and q, we can derive the standard error rate, Po, 161 as 1 Po = (4) q = -.

1

+

/

m

.

Then, the signal-to-noise ratio based on Eq. (4)is defined by

The standard error rate, PO, can be obtained from transforming Eq. (5) by using the signal-to-noise ratio of each control factor as

Table 2. Two kind of inputs and outputs in t h e design-review experiment. ( i )Observed v a l u e s ( ii )Error r a t e s

4.2. Orthogonal-array LI8(2l x 37)

The method of experimental design based on an orthogonal-array is a special one that requires only a small number of experimental trials to help us discover main factor effects. On traditional researches [4,8], the design of experiment has been conducted by using orthogonal-array Ll2 (211). However, since the orthogonal-array L12(211) has two levels for grasp of factorial effect to the human factors experiment,

552 Table -

.

The orthogonal

i

.ay L 1 8 ( 2 l x 37) with assigned human factol and experimental data.

Observed Values

Control Factor

SNR (d 1

No

- A B C D E 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -

1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2

1 1 1 2 2 2 3 3 3 1 1 1 2 2 2 3 3 3

1 2 3 1 2 3 1 2 3 1 2 3 1 2 3 1 2 3

1 2 3 1 2 3 2 3 1 3 1 2 2 3 1 3 1 2

1 2 3 2 3 1 1 2 3 3 1 2 3 1 2 2 3 1

4 9 50 52 50 4 5 52 4 7 52 52 47 4 6 46 49 46 50 50 4 4

3 2 0 2 7 0 5 0 0 5 6 6 3 6 2 2 8

8 12 2 4 8 2 6 10 10 1 8 10 11 10 2 4 6

(R1: Descriptive-design

6 2 12 10 6 12 8 4 4 13 6 4 3 4 12 10 8

5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5

9 9 9 7 9 9 9 8 8 9 9 9 9 9 9 7 9

0 0 0 2 0 0 0 1 1 0 0 0 0 0 0 2 0

2 4 0

0 3 2 2 1 1 3 4 0 4 0 0 0 3

2

0 4 4 1 2 2 3 3 1 0 4 0 4 4 4 1

Ri 7.578 -3.502 -8.769 7.578 1.784 -7.883 7.578 -3.413 0.583 0.583 3.591 -6.909 -10.939 -8.354 -10.939 4.120 1.784 -5.697

R2 6.580 3.478 -2.342 8.237 4.841 0.419 3.478 3.478 4.497 4.497 0.419 -2.342 8.237 -2.342 8.237 8.237 4.841 0.419

parts, Rz: Symbolical-design parts)

the middle effect between two levels can not be measured. Thus, in order to measure it, we adopt the orthogonal-array Lls(2l x 37) which can lay out one factor with 2 levels (1, 2) and 7 factors with 3 levels (1, 2, 3) as shown in Table 3, and dispense with 2 l x 37 trials by executing independent 18 experimental trials each other. Considering such circumstances, we can obtain the optimal levels for the selected inhabitors and inducers efficiently by using the orthogonal-array Ll8(2l x 37). 5. DATA ANALYSIS WITH CORRELATION AMONG INSIDE AND OUTSIDE FACTORS

5.1. Analysis of experimental results We analyze simultaneous effects of outside factor R and inside control factors A, B, C, D, and E. As a result of the analysis of variance by taking account of correlation among inside and outside factors discussed in 3.4, we can obtain Table 4. There are two kinds of errors in the analysis of variance: el is the error among experiments of the inside factors, and e2 the mutual correlation error between el and the outside factor. In this analysis, since there was no significant effect by performing F-testing for el

553 with e2, F-testing for all factors was performed by e2. As a result, the significant control factors such as the degree of understanding of the design-method (Factor C), the degree of understanding of requirement-specification (Factor D), and the classification of detected faults (Factor R) were recognized. Fig.1 shows the factor effect for each level in the significant factors which affect design-review work. Table 4.

The result of analysis of variance by taking account of correlation among inside and outside factors

Factor

f

s

V

A B

1 2 2 2 2 2 6 1 1 2 2 2 2 8 35

37.530 47.500 313.631 137.727 4.684 44.311 38.094 245.941 28.145 78.447 36.710 9.525 46.441 120.222 1188.909

37.530 23.750 156.816 68.864 2.342 22.155 6.460 16.366 28.145 39.224 18.355 4.763 23.221 15.028

C

D E AxB el

R AxR BxR CxR DxR ExR e2

T

FO 2.497 1.580 10.435** 4.582* 0.156 1.474 0.422 16.366** 1.873 2.610 1.221 0.317 1.545 3.870

P (%)

3.157 3.995 26.380 11.584 0.394 3.727 3.204 20.686 2.367 6.598 3.088 0.801 3.906 10.112 100.0

*: 5% level of significant

**: 1% level of significant

5.2. Discussion and concluding remarks

As a result of analysis, in the inside factors, only Factors C and D are significant and the inside and outside factors are not mutually interacted. That is, it turns out that the reviewers with that of understanding of the design-method and the high degree of understanding of requirement-specification exactly can review the designspecification efficiently regardless of the classification of detected faults. Moreover, the result that outside factor R is highly significant, and the descriptive-design faults are detected less than the symbolic-design faults, can be obtained. That is, although it is a natural result, it is difficult to detect and correct the algorithmic faults which lead t o improvement in quality rather than the notation mistakes. However, it is important to detect and correct the algorithmic fault as an essential problem of the quality improvement for design-review work. Therefore, in order t o increase the rate of detection and correction of the algorithmic faults which lead t o the improvement of quality, it is required before design-review work to make reviewers

554

8.0

8 v

Fig.1.

6.0

-6.0

1

-8.0

I

1 I

Ci

I

I

C2

C3

.

I

I

I

I

I

DI

Dz

Lh

RI

R2

The estimation of significant factors with correlation among inside and outside factors

fully understand the design technique used for describing design-specification and the contents of requirement-specifications.

References 1. V. R. Basili and R. W. Reiter, Jr.: “An investigation of human factors in software development”, IEEE Computer Magazine, vol. 12, no. 12, pp. 21-38 (1979). 2. T. Nakajo and H. Kume: “A case history analysis of software error cause-effect relationships ”, IEEE Trans. Software Engineering, vol. 17, no. 8, pp. 830-838 (1991). 3. K. Esaki and M. Takahashi: “Adaptation of quality engineering to analyzing human factors in software design”(in Japanese) , J. Quality Engineering Forum, vol. 4, no. 5, pp. 47-54 (1996). 4. K. Esaki and M. Takahashi: “A software design review on the relationship between human factors and software errors classified by seriousness”(in Japanese), J. Quality Engineering Forum, vol. 5 , no.4, pp. 30-37 (1997). 5 . G. Taguchi: A Method of Design of Eqeriment (the First volume (2nd. ed.)) (in Japanese), Maruzen, Tokyo (1976). 6. G. Taguchi (ed.): Signal-to-Noise Raito for Quality Evaluation (in Japanese), Japanese Standards Association, Tokyo (1998). 7. S. Yamada: Software Reliability Models: Fundamentals and Applications (in Japanese), JUSE Press, Tokyo (1994). 8. K. Esaki, S. Yamada, and M. Takahashi: “A quality engineering analysis of human factors affecting software reliability in software design review process”(in Japanese), %ns. IEICE Japan, vol. J84-A, no. 2, pp. 218-228 (2001). 9. R. Matsuda and S. Yamada: “A human factor analysis for software reliability improvement based on a quality engineering approach in design-review process”, Proc. 9th ISSAT Intern. Conf. Reliability and Quality in Design, Honolulu, Hawaii, U.S.A., pp.7S79 (2003). 10. S. Yamada and R. Matsuda: “A quality engineering evaluation for human factors affecting software reliability in design review process” (in Japanese), J. Japan Industrial Management Association, vol. 54, no. 1, pp. 71-79 (2003). 11. I. Miyamoto: Software Engineering -Current Status and Perspectives- (in Japanese), TBS Publishing, Tokyo (1982).

CONSTRUCTION OF POSSIBILITY DISTRIBUTIONS FOR RELIABILITY ANALYSIS BASED ON POSSIBILITY THEORY' XIN TONG HONG-ZHONG HUANG Department of Mechanical Engineering, Heilongjiang Institute of Science and Technology Harbin 150027, China School of Mechanical Engineering, Dalian University of Technology Dalian, 116023, China

MING J. ZUO Department of Mechanical Engineering, University of Alberta Edmonton, Alberta, T6G 2G8, Canada

The construction of possibility distributions is a crucial step in the application of possibilistic reliability theory. In this paper, a concise overview of the development of reliability theory based on possibility theory is provided. Then, it is presented that all methods for generating membership functions can be used to construct relevant possibility distribu:ions in principle. Some methods used to construct possibility distributions are discussed in detail and a method used to generate L - R type possibility distributions are provided with the possibilistic reliability analysis of fatigue strength of mechanical parts. Finally, an example of generating possibility distributions of fatigue lifetime of gears is provided

1

Introduction

Since Zadeh [I] introduced the mathematical framework of possibility theory in 1978, many important theoretical as well as practical advances have been achieved in this field. The possibility theory has been applied to artificial intelligence, knowledge engineering, fuzzy logic, automatic control, and other fields. Some researchers have also attempted to apply possibility theory to reliability analysis and safety assessment. Then, how can we apply these models to real-life systems or structures under the various frameworks of possibilistic reliability theory? Eliciting possibility distributions from data is one of the fundamental issues associated with the application of possibilistic reliability theory. On one hand, in the theory of possibilistic reliability, the concept of possibility distribution plays a role that is analogous-though not completely-to that of probability distribution in the theory of probabilistic reliability. On the other hand, developing possibility distributions is of fundamental importance because the success * This work is partially supported by the National Natural Science Foundation of China

under the contract number 50175010, the Excellent Young Teachers Program of the Ministry of Education of China under the contract number 1766, the National Excellent Doctoral Dissertation Special Foundation of China under the contract number 200232, and the Natural Sciences and Engineering Research Council of Canada.

555

556 and/or simplicity of an algorithm depends on the possibility distribution used in the model of possibilistic reliability analysis. Furthermore, it might be difficult, if not impossible, to come up with a general method for developing possibility distributions which will work for all applications. Because the concept of membership functions bears a close relation to the concept of possibility distributions [I], in the present paper, we believe that all the methods for generating membership functions can be used to construct the relevant possibility distributions in principle. Some methods for constructing possibility distributions and their suitability are discussed in detail. Then, a method used to generate L - R type possibility distributions is provided with the possibilistic reliability analysis of fatigue strength of mechanical parts. Finally, an example of generating possibility distributions of fatigue lifetime of gears using the proposed method is given.

2

The Methods for Constructing Possibility Distributions

2.1. Possibility Distributions Based on Membership Functions

As Zadeh [l] pointed out, a possibility distribution can be viewed as a fuzzy set which serves as an elastic constraint on the values that may be assigned to a variable. Therefore, the possibility distribution numerically equals to the corresponding membership function, I.e.,

where x is a fuzzy variable and 2 is the fuzzy set induced by X . According to the above-mentioned viewpoint, we can use the methods for constructing membership functions to generate the corresponding possibility distributions. In the following, we present a few commonly used methods for generating membership functions.

2.1. I

Fuzzy statistics (21

Fuzzy statistics are analogous to probability statistics in form and they all use certainty approaches to deal with uncertainty problems in real-life systems or structures. When fuzzy statistics are used, a definite judgment must be made on whether a fixed element in the universe of discourse belongs to an alterable crisp set A' or not. In other words, based on n observations, we have the gradeof membershipof u ~ in ,A=

1.

2.

the number of times of " u 0 E A'" n

The following principles must be observed in evaluation of fuzzy statistics: The user should be familiar with concepts of fuzzy sets and capable of quantifying the entity being observed. In other words, the user should be an expert in the field of application. A preliminary analysis of the raw data should be conducted so that abnormal data may be removed.

557

For further details and examples of fuzzy statistics, readers are referred to [2]. 2.1.2

Transformation of probability distributions to possibility distributions

According to Kosko’s argument that “fuzziness contains probability as a special case” [ 3 ] , if we have obtained estimates of the probability density function or other statistical properties of an entity being measured, we can construct its corresponding membership function following the approach outlined in [4]. Based on the technique in [4], we summarize the following simple method for constructing the membership function from the probability density function of a Gaussian random variable, i.e., P k )=

+(4

(2)

1

(3)

i’=maxo) where p ( x ) is the pdf of a Gaussian random variable and membership function based on p ( x ) . 2. I . 3

~ ( x )is

the corresponding

Heuristic methods (51

With heuristic methods, we first select a predefined shape of the membership function to be developed. The specific parameters of the membership function with the selected shape are determined from the data collected. In most real-life problems, the universe of discourse of the membership functions is the real number line. The commonly used membership function shapes are the piecewise linear function and the piecewise monotonic function. Linear and piecewise linear membership functions have the advantages of reasonably smooth transitions and easy manipulation through fuzzy operations. However, the shapes of many heuristic membership functions are not flexible enough to model all kinds of data. Moreover, the parameters of the membership functions must be provided by experts. In many applications, the parameters need to be adjusted extensively to achieve a certain performance level. In practical applications, we often combine fuzzy statistics with heuristic methods. First, the shape of the membership function is suggested by statistical data. Then, the suggested shape is compared with the predefined shape and the more appropriate ones are selected. Finally, the most suitable membership function is determined through practical tests.

2.2. Transformation of Probability Distributions to Possibility Distributions The methods for transforming probability distributions to possibility distributions are based on the possibility/probability consistency principle. The possibility/probability consistency principle states:

558 If a variable x can take the value u , , . . . , u n with respective possibilities probabilities p =(p(u,)...,p(u,)),then the degree of consistency of the probability distribution p with possibility distribution n is expressed by n=(n(uI)....n(un))and

cz b.P)=

2(,.

)P(.,

1

I=,

For more details on this principle, readers are referred to [ 13. 2.2.1

The Bijective transformation method [7]

Let x = {xEli= I, 2,. .., n} be the universe of discourse. If the histograms (or the probability density function) of the variable X has a decreasing trend, that is, P(X, 12 P k , 12 ... 2 Pb,)

(4)

then, the corresponding possibility distribution can be constructed as follows:

Generally, the histograms can be normalized by setting the maximal value to 1, i.e.,

2.2.2

The conservation of uncertainty method

Klir [8] presented a method for constructing possibility distributions based on the principle of uncertainty conservation. When uncertainty is transformed from one theory T, to another r, , the following requirements must be met: 1 . The amount of inherent uncertainty should be preserved and 2. All relevant numerical values in r, must be converted to their counterparts in Tz by an appropriate scale. The probabilistic measure of uncertainty is the well known Shannon entropy and is given by

Hb)=-&? log, P, ,=I

In the possibility theory, there are two types of uncertainties, nonspecificity N(n), and discord D ( x ) ,and they are given by

and

559

Klir [8] contends that the log-interval scale transformation is the only one that exists for all distributions and is unique. Its form is

where a is a positive constant determined by solving Eq. (7); Klir conjectures that a lies in the interval [0,1].

2.3. Subjective Manipulations of Fatigue Data Assume that we have obtained fatigue life data of a device, denoted by (n:),s,s,,l 5 r < M , where M is the number of stress levels, N is the number of data points at each stress level. Then the mean fatigue life at stress level i can be expressed as

The lifetime data at each stress level can be divided into two groups, that is, G, = {n: ,J

= 1,2,. -,N

1 n; < m , }

(9)

The mean value mn, is assigned a possibility degree of 1 and the possibility degree of 0.5 is assigned to the means of the lifetime data in the two groups G, and G2, that is, 1 m,",=

#(GI

)=

E n , ' , nn,(m,", 0.5, r = 1,2, ..., M ""6,

where # (.) denotes the number of data points in a set. By use of the above-mentioned analysis, we can express the L - R type possibility distribution of fatigue lifetime as follows:

560 where

a,=

m", -m/ L- 0 5

and 8 , =- m,", - m , L-'(0.5)

'

Considering the various types of L - R type possibility distributions mentioned earlier in this paper, we can use Eq. (13) to get specific possibility distributions to represent fatigue lifetime data. For example, the following triangular possibility distribution may be used to represent fatigue lifetime data: 10.

n:

< mn, - a ,

m ,+ 5 , < n :

1.

where a , = 2(mn,- mIn,) and 8n,= 2(- m , + m,", Similarly, we may use the following Gaussian possibility distribution to represent fatigue lifetime data:

3

Example

We illustrate the method presented in Section 2 for constructing the possibility distribution of the fatigue lifetime data given in [9]. The collected data of bending fatigue lifetime are shown in Table 1. Only four data points at each stress level are given in Table 1 and they are sufficient for subjective estimation of the possibility distribution of fatigue lifetime. Table 1 The bending fatigue lifetime data of gear-teeth made of hardened and tempered steel 40Cr (in units of lo6 loading cycles) Points 0 0 0 0

S i 4 6 7 2, S ~ 4 2 3, 4 Si=381 6, S4=339 0 1404 0 1573 0 2919 0 3879 0 1723 0 3024 0 4890 1508 0 1857 0 3250 0 5657 1572 0 1872 0 3343 0 5738 1738

Using Eq. (8) and Table 1, we have

561 1 '

1

m , =-cn,' N ,=I

4

1

= - c n { =-(0.1404+0.1508+ O.l572+O.l738)=0.15555 4 /=I 4 xn,(m,,, = 0.15555)= 1

The data points at the first stress level is divided into two groups separated by the calculated mean value m , , i.e., GI = (0.1404,O.1508 I n: < mn,} G, = {0.1572,0.17381n: > m , }

Further, from Eqs. (1 1 ) and (1 2), we have E n ; =T(0.1404+0.1508)=0.1456 1

qn, =- 1

1

#(GI !>I&,

xn,(qfl= 0.1456)= 0.5 =-

m ?"I

1 #(G2

1

)

c n , ' = - ( O 1572+0.1738)=0.1655 "I'EGI

2

x,,,[m,", = 0.1655)= 0.5

Finally, with these calculated results and Eq. (14), we can construct the triangular possibility distribution of the bending fatigue lifetime of gear-teeth made of hardened and tempered steel 40Cr under the stress level of 467.2MPa as follows: a,

= 2 ( m , - m b , =2(0.15555-0.1456)=0.0199

O,,, = 2(-m,,

+ m?,, )= 2(-0.15555 + 0.1655)=0.0199

Note that the procedure for constructing the possibility distributions at other stress levels is the same. After obtaining the possibility distribution of fatigue lifetime of the gear, we can derive the possibilistic reliability of bending fatigue strength of the gear at any time according to posbist reliability theory, e.g., under the stress level of 467.2MPa, we can figure out the possibilistic reliability of bending fatigue strength of the gear as follows:

562 I1,

t 50.15555

t -0.15555

, 0.155550.17545

4 1.

2.

Conclusions In this paper, we addressed the critical problem in the possibilistic reliability theory which is the construction of the possibility distribution and pointed out that all methods for generating membership functions can be used to construct the corresponding possibility distributions. We also presented a new method for constructing the possibility distribution with the possibilistic reliability analysis of fatigue lifetime of mechanical parts. The methods for constructing possibility distributions are not as mature as those for constructing probability distributions. The present paper has provided a concise overview of the methods for constructing the possibility distributions in possibilistic reliability analysis. Further research is needed to develop a more general method for constructing possibility distributions.

References 1.

Zadeh L A. Fuzzy sets as a basis for a theory of possibility. Fuzzy sets and Systems, 1978; l(1): 3-28. 2. Wang P Z. Fuzzy Sets and Their Applications. Shanghai: Shanghai Scientific & Technical Publishers, 1983. 3. Mcneill D, Freiberger P. Fuzzy Logic. New York: Simon and Schuster, 1993. 4. Civanlar M R, Trussell H J. Constructing membership functions using statistical data. Fuzzy sets and Systems, 1986; 18(1): 1-13. 5. Medasani S, Kim J, Krishnapuram R. An overview of membership function generation techniques for pattern recognition. International Journal of Approximate Reasoning, 1998; 19: 391-417. 6. Medaglia A L, Fang S C, Nuttle H L W, Wilson J R. An efficient and flexible mechanism for constructing membership functions. European Journal of Operational Research, 2002; 139: 84-95. 7. Dubois D, Prade H. Unfair coins and necessity measures: towards a possibilistic interpretation of histograms. Fuzzy Sets and Systems, 1983; 10: 15-20. 8. Klir G. A principle of uncertainty and information invariance. International Journal of General Systems, 1990; 17(2/3): 249-275. 9. Tao J, Wang X Q, Tan J Z. Reliability of gear-tooth bending fatigue strength for through hardened and tempered steel 40Cr. Journal of University of Science and Technology Beijing, 1997; 19(5): 482-484.

A SEQUENTIAL DESIGN FOR BINARY LIFETIME TESTING ON WEIBULL DISTRIBUTION WITH UNKNOWN SCALE PARAMETER

W. YAMAMOTO, K. SUZUKI, AND H. YASUDA The University of Electro-Communications 1-5-1 Chofugaoka, Chofu, Tokyo 182-8585, Japan E-mail: [email protected] We develop an sequential experimental plan for items which needs destructive lifetime testings. This plan repeats estimating unknown parameters by MLE and trying to set the observation time so as to gain the precision of the final estimates. We conduct a simulation study to compare our procedure with a plan in the literature and find certain advantages against it.

1. Introduction

Many products allow us to monitor the conditions of each item or to diagnose their conditions repeatedly, during their reliability experiments or through their lives. Typical examples include LCDs, computers, and cars which we can use repeatedly until they fail. We can plan the experiments with limited resources for such items and estimate the reliability properties parametrically or nonparametrically. There are many products of other types which restrict our ways of observations and limit the numbers of inspection records per item. The typical examples of such products include are extinguishers, films and air bags. They can be used and diagnosed at most once through their lives. The outcomes of experiments are often binary in that each item is reported as successfully used or as defected. We call the lifetime experiments on such products as binary lifetime testings. Many authors investigate the design problem for binary testing which seeks sets of appropriate inspection times and allocations of items on them. Abdelbasit and Plackett (1983), Atkinson and Donev (1992), and Silvey (1980) proved that the number of distinct observation times are at most q(q+1)/2, where q is the number of unknown parameters of the underlying lifetime distribution. Iwamoto and Suzuki (2002) investigate the properties of the optimal designs for various distributions, assuming the all parameters known. Yamamoto, Iwamoto, Yasuda, and Suzuki (2003) apply their result to the Weibull distributions with unknown scale parameters and develop a multi-stage procedure based on an approximate D-optimal design, which is intended to be less

563

564 Observation Time

t=O

.+

8 ........

-.MI .--.+q

...........0 M Ordinary Lifetime Data

Figure 1.

Outcmes from Binary Testing

Difference Between Lifetime Testings

insensitive t o the unknown parameter than the true optimal design. However t,he total time on test grows several times as long as MTTF of each item with their procedure. Among the literature on the design problems for binary testing, Bergman and Turnbull (1983) developed a sequential procedure which is invented so as not to spend too many items at each observation time. This procedure works pretty well. But we find there are still some rooms to improve this procedure. In this paper, we develop a sequential procedure of a different type in that the observation times are the sequence of estimated optimal observation times. We restrict our attention to one parameter Weibull distributions, F ( t ;7, m ) = 1 exp(-(t/7)m), with scale parameter 7 unknown while shape parameter m is known. We note that our discussion can be extended to other parametric distributions witholit any difficulty. 2. D-Optimal Design for Binary Life Testing Assume that the times to failure of each item are distributed independently with a distribution function p ( t ; Q ) = Pr (T 5 t ) . Let N be the total number of items available for testing, t = ( t l , . . . . tfil) be pre-assigned inspection times, and n = ( n l ,. . . . nfil) be the numbers of items allocated to each time. Further let X1 ...... Xfif be the numbers of failed items at each time. Then the observed likelihood is proportional to M

and the Fisher information is

565 for one parameter case. D-optimal design is given by n* = {n;,. . . , n k } and t* = ( t ; ,. . . ,t k ) that maximize 11 (0; t)I. For Weibull distribution with the unknown scale parameter 17, the Fisher information is given as

The maximum is given by hf = 1, n1 = N and tl = 1.26317, where 1.263 = J- log (1 - p ” ) with p* = 0.797 is derived analytically. We refer to this design as PI, though this is of no immediate use. For this design depends on the unknown parameter 17 itself. We use this result to modify the procedure developed by Bergman and Turnbull( 1983) into a multi-stage procedure with varying steps on observation times.

3. A Sequential Procedure by Bergman and Turnbull a multi-stage sequential procedure with the following instruction: Fix a sequence of inspection times for each stage, tl < . . . < t M , a t which the inspections are made on one or more items. Usually this sequence consists of an arithmetical progression sequence. At each stage, items are selected randomly and are diagnosed until a stopping rule is satisfied or no item is left. If there are still items under the test, proceed to the next stage, i.e. keep the lifetime test going on until the next time to inspect. Repeat 2 and 3 until the test reaches a t the final stage M . At the final stage, if reached, all remaining items will be inspected. Bergman and Turnbull (1983) proposed three stopping rules for each stage. Among them, they recommend the one called the ratio rule, where we stop each stage when the outcome, the number of failed items T ( ~ and ) the number of functional items T ( ~ )satisfies , b*F(3) - T ( 3 ) > 2 ,

(4)

for the prespecified b’ and 2 . Other two rules are called the uniform design and the negative binomial design. We refer to this procedure with the ratio rule as PBT. 4. A Sequential Procedure with Estimated Optimal Observation Times We propose a sequential procedure with the different sequence of inspection times. At each stage, the optimal inspection time 1.27317 is estimated with the results obtained so far. If the optimal time passed, we would inspect all items remained.

566

il)

tb)

$3,

t(4)

.. .

Fix a sequence of times or “stage” tl Figure 2.

R(3):ratiorule (4F(i)

< . .. < t M

-T-(~)

> 8)

z

(1) Set the first observation time f1, which can be equivalent to an initial guess for 7 , as 6 = f1/1.263. (2) At il, conduct sequential inspections with the stopping rule same as that of Bergman and Turnbull (1983), b * F ( j ) - T ( ~ > ) z , , where b* = 4, ?* = 2, and z = 8. (3) Compute the MLE of 7 , 61, with outcomes obtained at fl and set the second observation time &I as 1.26761. (4) Then, conduct sequential inspections with the same stopping rule a t t ^ ~ , compute the MLE of 7 , 6 2 , with all outcomes obtained so far and set the next observation time t^3 as 1.26762. If t^3 is the past, inspect all renaining items and compute the final MLE with all results. (5) Repeat 3 and 4 until the termination date comes or all items are inspected.

The MLE of 7 is obtained by solving the following score equation. After inspecting items at t j , we have

This can be solved by Newton-Raphson methods. For cases where the first a few outcomes are zeros, we can modify the procedure t o estimate 7 with the lower confidence bound with confidence level p. It is given as

where Tj. is the total of times on test of all items powered by m,

567

Figure 3. Efficiency ( N = Figure 4. Efficiency ( N = Figure 5. Efficiency ( N = 24, m = 0.7) 24, m = 1.0) 24, m = 2.0)

Figure 6. Efficiency ( N = Figure 7. Efficiency ( N = Figure 8. Efficiency ( N 60, m = 0.7) 60, m = 1.0) 60, m = 2.0)

Figure 9. Efficiency ( N = Figure 10. Efficiency (N = Figure 11. Efficiency ( N = 120, m = 0.7) 120,m = 1.0) 120, m = 2.0)

568 This procedure is referred to as PSD

5. Simulation Study To compare our procedure with Bergman and Turnbull’s procedure, we conduct Monte Carlo studies. The total number of items N is set as 24, 60, and 120. The shape parameter m of Weibull distribution is assumed known and we investigate the cmes with 0.7, 1.0, and 2.0. The first observation time t, is set as 30, M = 12, and t M = 360. Figures 3-12 show that P I could work well if we set f j ( 0 ) near the true value q for three cases, m = 0.7,1.0,2.0. But regarding the facts that PI have one observation time and also that the time is set based on f j ( o ) , it is very difficult and uncertain t o guess the initial estimate 7j(o) as 0.817 < 7j(o) < 1.2577 without any prior information. PI is meant to be a benchmark in comparing Psu with PBT. All three procedures suffer from the loss of efficiency when 7j(o) 2 1 . 6 7 ~If. we fail to set t(l) as t(l) < 1.67t* with Pso and PET,where t* is the optimal observation time for one stage experiments, we had better rather diagnose all items at t(l), i.e. follow PI procedure. This is the common difficulty for all binary lifetime testing. The differences among three lie in cases with 7j(o) < 1.677. Psn gives better efficiency with 7 j ( ~values around 7j(o)/v= 1 than PBT for cases with m is 1.0 and 2.0. This observation can be explained with the contribution of each item to the Fisher information. The relative contributions as functions of m and 7 j ( o ) / ~ are shown in Figure 1. The curves have sharper maximums around fj(o)/q = 1.0 for larger values of m. This is an advantage of introducing two steps, the jump to t’ and one more stopping rule, against PBT. Other results will be presented at the conference. References 1. Iwamoto, D. and K. Suzuki (2002) : “Optimal Design based on Binary Data in Reliability Lifetime Experiment”, J. Rel. Eng. Assoc. Japan, 24, pp.183-191. 2. Yamamoto, Y., D. Iwamoto, H. Yasuda, and K. Suzuki (2003) : “Sequential D-Optimal Design for Binary Lifetime Testing on Weibull Distribution”, J. Rel. Eng. Assoc. Japan, 2 5 , pp.75-87. 3. Abdelbasit, K.M. and Plackett, R.L.( 1983): “Experimental Design for Binary Data,” Journal of the American Statistical Association, 7 8 , pp.90-98. 4. Atkinson, A.C. and Donev, A.N.(1992): “Optimum Experimental Designs,” Wiley, pp.91-117. 5. Bergman, S.W. and Turnbull, B.W.( 1983): “Efficient sequential designs for destructive life testing with application to animal serial sacrifice experiments,” Biometrika, 70, pp.305-314. 6. Salomon, M.(1987) :“Optimal Designs for Binary Data,” Journal of the American Statistical Association, 82, pp.1098-1103. 7. Silvey, S.D. (1980): “Optimal Design,” Chapman and Hall. (pp.1-16, pp.72-73)

THE GENERALLY WEIGHTED MOVING AVERAGE CONTROL CHART FOR DETECTING SMALL SHIFTS IN THE PROCESS MEDIAN LING YANG' Department of Industrial Engineering and Management St. John s and St. Mary s Institute of Technology Taipei, Taiwan, ROC

SHEY-HUE1 SHEU Department ofhdustrial Management National Taiwan University of Science and Technology Taipei, Taiwan, ROC

This study proposes the generally weighted moving average (GWMA) control chart for monitoring the process sample median The GWMA control chart is a generalization of the EWMA control chart The properties and design strategies of the GWMA median control chart are investigated We use simulation to evaluate the average run length properties of the EWMA median control chart and the GWMA median control chart After an extensive comparison, it reveals that the GWMA median control chart performs much better than the EWMA median control chart for detecting small shifts in the process sample median An example is given to illustrate this study

1

Introduction

Effective quality control can be instrumental in increasing productivity and reducing cost. A control chart is a graphical display of a quality characteristic to monitor process performance, and Shewhart charts are often employed for this purpose. Under the assumption of normal distribution, the process mean is equivalent to the process median ( f ). The control charts are easier to do on the shop floor because no arithmetic operations are needed. The person doing the charting can simply order the data and pick the center element. Therefore, many users use the 2 control charts for convenience. It is well known that Shewhart control charts are relatively inefficient in detecting small shifts of the process mean. Alternative control charts, such as the CUSUM chart and the EWMA chart, have been developed to compensate for the inefficiency of Shewhart control charts. Roberts"] first applied the EWMA, denoted as geometric moving average (GMA) control chart, controlled the process mean. The properties and design strategies of the EWMA chart for the mean and for the variance have been well investigated by Sweet"'], Crowder['], Ng and CaseL6],Lucas and Sacc~cci[~], Crowder and

x

*Correspondence: Ling Yang, Department of Industrial Engineering and Management, St. John's and St. Mary's Institute of Technology, 499, Sec. 4, Tam King Road, Tamsui, Taipei, Taiwan, 251, ROC. Fax: (886) 2-2801-3 143. E-mail: [email protected]

569

570

Hamilton[31,and MacGregor and Harris[']. In contrast to the process mean and variance, using the EWMA control chart as a tool for monitoring the process sample median ( i ) still has received very little attention in literature. So far, Castagliola"] has showed that the EWMA-based 8 control chart (EWMA- 8 , for short) is more efficient than the Shewhart control chart in detecting small shifts of the process median. The generally weighted moving average (GWMA) control chart proposed by Sheu and Lin['] is a generalization of the EWMA control chart. Due to the added adjustment parameter a, the GWMA control chart has been shown to perform much better than Shewhart and EWMA control chart in monitoring small shifts of the process mean. In this paper, we assume that the process characteristic follows the fiormal distribution. We use the GWMA control chart to monitor the process median 8 (denoted as GWMA- 8 ) and use the distribution of sample median f , derived by Castagliola"] to compute the control limits of the GWMA- 8 control chart. Simulation is used to evaluate the average run length (ARL). The remainder of this paper is organized as follows: In Section 2, we describe the model of the GWMA control chart. In Section 3, the numerical simulation is used to evaluate the ARL of various process meadmedian shifts under various adjusted parameters. We compare the shift detecting performance between the GWMA- 2 control chart and the EWMA- 8 control chart. In Section 4, we give an example for illustration. Finally, some conclusion remarks are included in the last section. 2

Description of the GWMA Control Chart

2.1. The GWMA- 8 Control Chartfor the Process Median Suppose that the quality characteristic is a variable and the samples have been collected at each point in time (size of rational subgroups n). Let 8, be the sample median of subgroup j which is composed of n independent normal(p,,d)random variables X,,,..., X,,where ,uoand o' are the nominal process mean (also the nominal process median) and the process variance respectively. The distribution of sample median 8, is very close to the (,ucl,Ez)normal distribution, where 5' is the variance of y , . If E o I is the standard deviation of normal (0, 1) sample median, then we have 5 = c x Z(,, . For the values of & , ,refer to Castagliola"] for details. Now we apply the GWMA control chart to control the process median. From Sheu and Linl'], the GWMA- k control statistic, Y, , can be represented as

where (qoa-4'' ),(ql" -q2a),...,(q(l-')e- q l m ) are the weights ofthe most updated sample, the 2"d updated sample, (ql'

- q2u)

..., the most out-of-date sample, respectively. If

(qoa- q ' " ) >

> .. . > (q(l-I)= - qlo) , then the weights decrease with the age of the samples.

The expected value of Eq. (1) can then be computed by

571 E ( y , ) = E[(q"" - q l " ) X , +(q1" -qz")Y,-l +...+(q''-l'" - q , " ) X , +q'"po] = [(q[IC- qlR) + (q'=- q1" ) + ...+ (q(l-1'" - q,"

-

)]E( X)+ q,"pl,

(2)

= pi!

Since X,, j = 1,2,3,... , are independent random variables with variance E 2 = ( a x 6I ) z . The variance of Eq. ( 1 ) is Vur(Y,) = [((

- qIa) 2 + (q'- - q2e -J)2

)* + ... +

+(q'"-q2')2

(

p

)

O

-q j n

)'I

x

5 2

+...+(p)= -qJm)2](ax~o,i)2

(3)

=Q,(ax%J)2,

where Q =(qO' -qi')*+(qiY - q 2 ~ ) z + . . . + ( q ( ' - i ) u - q ' Then, ~ ) ) 2 .the time-varying control limits of the GWMA- 8 control chart can be written as Po + LJgoEo,,

.

(4)

2.2. The EWMA Control Chart as a Special Case of the GWMA Control Chart

In the following (from Eq. (5) to Eq. (S)), we will show that the GWMA control chart turns out to be the EWMA control chart, which was introduced by Roberts"]. When a = 1 and q = 1 - A , Eq. (1) will reduce to Y, =

Ax, + A(1 - A)Z,-,+ ...+ A(l - A)'-'

2 1

+ (1 - A)' p".

(5)

The variance of 4 (from Eq. (5)) will be

The time-varying control limits will become to

The design parameter q is constant, 0 < 4 I 1 , then 0 < (I - A) I 1. When j increases to

d,in Eq. ( 6 ) will increase and approach to a limiting value, 0;- = ( A / ( 2 fixed-width control limits will be

-

00,

A ) ) g 2 . The

i"..

po+L 2-2

That is, the EWMA- 2 chart is a special case in the GWMA-?!, chart when a = 1

572 3

Performance Measurement and Comparison

The design parameters of the GWMA- 2 control chart are the multiple of sigma used in the control limits (L), the value of q, and a. The performance of a control chart is generally measured by the ARL, which is defined as the average number of points plotted before an out-of-control signal is given. When the process is under control, the ARL (named ARLO)of the control chart should be sufficiently large to avoid false alarms; however, when the process is out of control, the ARL (named ARL,) should be sufficiently small to rapidly detect shifts. Because the control limits of the GWMA- 2 control chart are varying with time, finding the exact ARLs for given control limits is not straightforward. Monte Carlo Simulation[*]is used to estimate the ARL of the GWMA2 control chart. Without loss of generality, we assume that in the absence of a special cause of variation, Xlk, j = 1,2,3, ... , k = 1,2, ...,n (n is the size of the rational subgroup), are independent and have a common normal distribution with mean p0 = O and variance CT*= 1 . For simplicity, in the simulation of this paper, we assume n = 5 for the performance comparison; however, any other values of n will conclude similar results. Then, we can get So,,= 0.536 (from Castagliola"], when n = 5) for Eq. (4) to compute the control limits. Let 6 denote the magnitude of the process meadmedian shift (multiple of D ). Each simulation runs 20,000 iterations. The computed GWMA- p control statistics, 5, must be bounded within the GWMA-Y control limits, and each trial ends when either of the control limits is exceeded. In order to realize the performance of the GWMA- control chart, with various design parameters q and different adjustment parameters a, the in-control ( 6= 0) ARL (ARLO)is maintained at approximately 500 by changing the width of the control limits (L). That is, type I errors are set to 0.002 for various GWMA- control schemes herein, while out-of-control ( 6 > 0) ARLl's are used for comparison. The ARL performance for several GWMA- 2 control schemes is shown in Table 1. In Table 1, when a =1.00, qla = q' = (1 -A)' , the GWMA- 2 control chart with time-varying control limits reduces to the EWMA- control chart with time-varying control limits. Based on Table 1, the adjustment parameter a of the GWMA- 3 control chart is more sensitive to small shifts in the process meadmedian than to that of the EWMA- 2 control chart. The boldface numbers in Table 1, especially when q is smaller, make the properties more obvious. When q = 0.50 and a = 0.75, within 0.750, the A m l is smaller than the ARL, of the E W M A - 2 control chart. But when q is larger, the enhancement of detection ability is less apparent. For instance, when q = 0.90 and a = 0.75, the ARLl is only smaller than the ARLl of the EWMA-2 control chart within 0 . 2 5 ~ .Fig. 1 displays the out-of-control run length distributions of the GWMA- 2 control chart with q = 0.90, L = 2.80, with variance of adjustment parameter a, and the initial meadmedian shift of 0.150. Fig. 1 shows that the GWMA- 2 control chart performs better in detecting small shifts in the process meadmedian when a is smaller.

x

x

573 Table 1. ARLs of the GWMA-

-

x control chart with time-varying control limits (ARLOE 500, n

= 5)

6

0.00 0.15 0.25 0.50 0.75 1.oo -

6

0.00 0.15 0.25 0.50 0.75 1.00 -

50000 500000 98.11 106.18 42.94 43.71 11.89 1393 646 721 438 481

50000 107.1 42.19 11.82 632 429

50000 71.20 30.67 1035 5 84 460

50000 500000 500000 76.99 118.52 12869 4889 45.49 3561 11.74 12 17 1230 621 678 6.19 421 421 454

0.012

+

.go010

cr

B 0.008

50000 72.56 31.14 10.17 5.69 402

50000 78.84 32.32 10.17 5.68 399

50000 8693 3367 1030 575 391

albha=1.00( alnha=l 75

P

2 0.006

9

5 0.004 a

0.002

0.000

I

0

10

20

30

40

50

60

70

80

Ruii Length

Figure 1 Out-of-control run length distributions of the GWMA-

x

control chart with q =O 90, L = 2 80, with

variance of adjustment parameter a,and initial meadmedian shift of 0 1%.

4

Application and Illustration

4.1. Design of the GWMA-

2 Control Chart

A better design of the GWMA- 2 control chart is the choice of the parameter (q, a , L ) that meets certain ARLO,the magnitude of shift in the process that wants to be detected quickly, and the minimum ARLl. For example, if a GWMA- 2 control chart is designed for controlling a process median such that the chart will yield an ARLOof 500, and will detect the shift of the process median about 0.25 0 , on average, in fifty samples. Let the controlled process mean = 0 , standard deviation 0 = 1, and subgroup size n = 5. The following steps are recommended: (i) From Table 2, we can apply linear interpolation method to find the (q, a , L ) = (0.8, 0.85, 3.0), which satisfies the ARLOand ARLl

574

x

criteria. (ii) Using Eq. (1) to determine the GWMA- control statistics, 5. Recall that Eq. (4) has an approximate control limit of t0.4674. The GWMAcontrol statistics, q, are then plotted on a control chart with the above UCL and LCL. If any point exceeds the control limits, the process is assumed to be out of control. Table 2 ARLs of the GWMA-

x

x control chart with control limit width L = 3.0 (n= 5)

+

q = 0.50 0.20 0.30 0.40 0.50 0.60 0.70 0.80 0.90 1.00 1.25 346.33 344.65 348.78 347.76 350.50 357.47 365.95 365.42 370.89 371.37 380.48 211.46 182.17 172.46 166.29 171.30 173.99 176.81 182.13 187.67 191.36 209.09 121.96 96.36 84.44 78.55 79.11 80.66 82.68 86.35 89.87 93.20 101.46 34.62 26.39 21.77 19.74 18.52 17.99 18.12 18.31 18.78 19.35 21.24 972 8.95 8.36 13.99 11.33 7.99 7.91 7.89 7.77 7.80 8.12 7.17 5.37 5.10 6.21 5.68 4.97 4.83 4.72 4.74 4.70 4.71 q = 0.75

0.10

0.00 0.15 0.25 0.50

0.75

1 .oo

0.00 0.15 0.25 0.50 0.75 1.00

0.00 0.15 0.25 0.50 0.75

1 .oo

000 0 10 025 050 075 1 00

0.10 020 0.30 0.40 050 0.60 345.60 351.03 347.99 359.21 374.74 397.19 193.46 158.48 127.46 113.62 114.02 119.36 110.32 76.89 59.64 50.87 46.40 46.80 31.39 22.08 17.44 15.02 13.60 12.79 7.62 7.11 674 8.55 13.02 10.05 4.88 4.68 4.48 6.80 5.86 5.25 q = 0.80 0 10 0.20 0.30 0.40 0.50 0.60 355.85 355.50 366.22 386.29 408.54 444.24 194.14 149.43 119.48 106.96 105.28 108.67 108.61 75.09 56.17 47.33 43.42 42.44 30 83 21 41 16.88 14.41 13.08 12.39 7.51 6.98 6.60 12.82 9.89 8.50 4.86 4.68 4.47 6.84 5.78 5.22 a = 0.90

010 35501 257 17 19561 2953 1245 668

1.00 1.25 070 0.80 0.90 411.30 438.96 461.56 489.01 517.78 129.07 142.11 150.99 166.49 196.26 49.08 53.11 57.43 63.51 77.45 12.92 14.86 12.61 12.41 12.57 6.54 6.38 6.44 6.62 6.39 4.46 4.33 4.32 4.31 4 32

0.70 0.80 0.90 1.00 1.25 471.28 491.94 519.96 542.88 566.73 116.70 130.44 145.34 158.37 194.99 44.03 46.89 52.54 57.39 72.95 11.84 11.78 11.89 12.22 13.66 6.41 6.35 6.26 6 30 6.49 4.37 4.32 4.28 4.26 4.29

020 030 040 050 060 070 080 090 100 125 36302 36665 42567 48991 56782 65843 72054 769 13 81207 86288 194.42 155.31 134.16 130.22 138.05 148.67 173.31 201.51 233 64 30978 142.31 110.95 94.32 89.83 93.10 99.10 112.56 129.77 149 10 19868 2020 1597 1351 1228 1164 11.20 11.07 11.23 1145 1244 814 724 673 6.14 624 632 963 640 626 6.16 476 451 440 429 572 510 4.23 426 430 426

4.2. An Example

A set of simulation data is used herein to illustrate a G W M A - x control scheme. The values of the process characteristic XJh where j = I, 2, ..., 20 and k = 1, 2, ..., 5 are independent and have a common normal distribution with meadmedian po = 0, variance o2= 1 . Let the target value be po, and the process be under control for the first ten samples. Then, the process median level shifts upward about 0.25 5 during the last ten samples. These twenty simulation data, along with their corresponding EWMA- 2 control statistics, 5,and GWMA- R control statistics, 5, are listed in Table 3.

575 Within this table, we set the parameters /z = 0.25 and L = 3.003 for the EWMA- 2 control chart with time-varying control limits. For a fair comparison, we set the parameters q = 0.90 and L = 2.884 for the GWMA- 2 control chart with time-varying control limits, with the in-control ARL being 500. The EWMA- 2 control statistics, 4, display the out-of-control signal at the 18" sample. The GWMA- control statistics, Y,, display the out-of-control signal at the 16'h sample. Under the assigned parameters as described above, it takes only 30.67 samples in average for the GWMA- 2 control scheme to detect an out-of-control signal, while 56.67 samples are needed for the EWMA- B control scheme. Figs. 2(a) and 2(b) display the plots of the control statistics. Table3 Exam1

L-

x,,

45

0921 -2056 -0898 2587 -0 378 1227 -0 565 0505 0524 -0982 -0 826 1037 -0 473 -0426 1358 2 124 0447 2047 2506 -0092

0617 0445 1405 0202 -0 195 0768 -0494 -0018 -0 159 0086 -0 693 -0091 1 165 -0 294 077C 0522 1046 0292 2016 0804

(a) The EWh4A-

x control scheme and a GWMA- x c( itrol scheme

2 control chart

(b) The GWMA-

0.155 0182 0199 0210 0219 0225 0231 0235 0239 0242 0245 0247 0250 0251 0253

-0.155 -0182 -0 199 -0210 -0219 -0225 -0231 -0235 -0239 -0242 -0245 -0247 -0250 -0251 -0253

0.254 0.256 0.257 0.258 0.259

-0.254 -0.256 -0.257 -0.258 -0.259

x control chart

y,

0 10 0 00

1-1 020 0 30

J

Figure 2. The EWMA- 1 control scheme and the GWMA-

2 control scheme

576 5

Conclusion Remarks

This paper uses the GWMA control chart to monitor the sample median of a process. The ARL of the GWMA- 2 control chart is obtained through a simulation approach. Table 1 has shown the comparison results between the GWMA- j control chart and the EWMA2 control chart. Castagliola"] has showed that the E W M A - j control chart is more efficient than the Shewhart 2 control chart in detecting small shifts of the process median. In this paper, we show that the GWMA- 2 control chart is superior to the EWMA-2 control chart in detecting the small shift of the process median. When the process median is out of control ( 6 > 0), and when the parameter a < 1, the GWMA- j control chart will reduce the type I1 errors. Therefore, if the user prefers the 1control control chart in detecting the small shift of the process median, then the chart to GWMA- 2 control chart is the best among these three median control charts.

x

References

P. Castagliola, Int'l J. Relia., Quali. andsafe. Engin. 8, 123 (2001). S. V. Crowder, J. Quail. Tech. 21, 155 (1989). S. V. Crowder and M. D. Hamilton, J. Quali.Tech. 24, 12 (1992). 4. J. M. Lucas and M. S. Saccucci, Technomefrics.32, 1 (1990). 5. J. F. MacGregor and T. J. Harris, J. Quail. Tech. 25, 106 (1 993). 6. C. H. Ng and K. E. Case, J. Quail. Tech. 21,242 (1989). 7. S . W. Roberts, Technometrics. 1,239 (1959). 8. S . M. Ross, A Course in Simulations. Macmilan Pub. Co. (1990) 9. S. H. Sheu, and T. C. Lin, Quail. Efigin. 16,209 (2003). 10. A. L Sweet, IIE Trans. 18,26 (1986). 1. 2. 3.

SAFETY-INTEGRITY LEVEL MODEL FOR SAFETY-RELATED SYSTEMS IN DYNAMIC DEMAND STATE

I.YOSHIMURA, Y.SAT0 AND K.SUYAMA Tokyo University of Marine Science and Technology, 2-1-6, Etchujima, Koto-Ku, Tokyo, 135-8533, JAPAN E-mail: [email protected]. ac.jp ,[email protected]. ac.jp Recently computer systems have been widely applied to safety-related systems for achievement of safety functions. This general trend forced IEC to compile IEC 61508 as a standard related to functional safety of electrical/electronic/programmable electronic safety-related systems, i,e., E/E/PE SRS (SRS). In accordance with the standard, an SRS is specified with its safety function(s) and safety integrity level(s) (SIL) and the SILs to be allocated to the SRS are specified with four levels of safety integrity. The standard requires assessing the risk reduction achieved by SRS using appropriate probabilistic techniques for allocation of SILs to SRS. However, the relationships among SILs, operation modes and hazardous event rate are not always cleared up yet. This paper presents a new Markov Model to describe causation of hazardous events in the overall system composed of equipment under control (EUC), EUC control system (BCS) and SRS. The SRS is assumed to implement a safety function in a dynamic demand state and assumed to have no automatic self-diagnosis functions. Then, the relationship among a dangerous undetected failure of SRS, demands for actuation of SRS and hazardous events brought about in the overall system is formulated based on the model. Moreover, new demand modes of operation and estimations of hazardous event rate are proposed for allocation of SILs t o SRS.

1. Introduction

Recently computer systems have been widely applied to safety-related systems for achievement of safety functions. This general trend forced IEC to compile IEC 61508 as a standard related to functional safety of electrical / electronic / programmable electronic safety-related systems (SRS) Currently Japanese Industrial Standard (JIS) includes the translated standard of IEC 61508, JIS C 0508'. These standards are applied to various field^^,^. In accordance with the standard, an SRS is specified with its safety function(s) and safety integrity level(s) (SIL(s)). SILs are currently defined in terms of either the probability of failure to perform its safety function for low demand mode of operation or the probability of dangerous failure per unit time for high-demand or continuous mode of operation. Moreover, the SIL(s) to be allocated to the SRS are to be specified with four levels of safety integrity. However, the relationships among SILs, operation modes and hazardous event rate are not always cleared up yet.

'.

577

578

I

Uverall system 1-

1-

r

E/E/PE SRS Other technology safety-related system demand ERRF

1

I

Implementation of safety function Figure 1. Total system and safety-related system

In the present paper a new Markov model is introduced and quantified in order to describe causation of hazardous events in the overall system and to estimate hazardous event rate in the dynamic demand state of SRS. 2. The overall system

In many fields such as manufacturing, transportation and process industries, the overall system is typically composed of an equipment under control (EUC), EUC control system (i.e., basic control system: BCS), SRS(s), other technology safetyrelated system(s) and external risk reduction facility (hereinafter ERRF') as shown in Figure 1. The BCS controls EUC in order to prevent hazardous events or other undesirable events from arising. The SRS, other technology safety-related system and ERRF are redundancies of the safety function(s) of BCS. Here the followings are postulated: (i) the overall system is composed of an EUC, BCS and SRS only, (ii) the SRS implements one safety function and has no automatic self-diagnosis functions, (iii) while a proof test (PT) is carried out for the SRS, the operation of EUC is stopped in order to keep it in a safe state in which no demand arises. Thus, Postulate (iii) makes the stochastic process of the demands dynamic. In order to analyze the causation of hazardous events, the following logics are specified: (1) The SW fails at first and the resultant failed-state (i.e., a dangerous undetected fault) continues until a demand arises. This finally leads to a hazardous event. (2) A demand arises at first and the demand state continues until the SRS fails. This brings about a hazardous event. Nomenclature

579

1-m Figure 2.

State transition model for hazardous events between proof tests (PTs)

[l/hour] probability that a demand occurs per unit time at time t , given the system is not in a demand state at time t (demand rate) pd [l/hour] probability that the demand state recovers per unit time at time t , given the system is in the demand state at time t (completion rate) A, [l/hour] dangerous failure rate of SRS (hereinafter, failure rate) T [h] time between proof tests m [l/hour] probability that state D (see Figure 2) recovers per unit time at time t , given the system is in the state D at time t (recovery rate) P*(t) probability that the system is in state * at time t (where * implies state A, B, C or D in Figure 2 ) P * ( s ) Laplace transformation of P * ( t ) w ( t ) [l/hour] statistically expected number of occurrences of hazardous event per unit time at time t (i.e., hazardous event rate) w* [llhour] average hazardous event rate between two PTs, i.e. average of w ( t ) by T Ad

3. Stochastic model of the system

This is derived under the following assumptions (see Postulate (i)): (1) The demands on and failures of SRS are mutually statistically-independent. (2) The occurrences and completions of demand can be modelled by exponential distributions with demand rate A d and completion rate P d , respectively. (3) Failures of SRS can be modelled by an exponential distribution with failure rate A,, and the fault resulting from the failure continues until the next P T is carried out or until a hazardous event occurs. Namely, any failure brings

580 about a dangerous un-detected fault (hereinafter, a DU fault: see Postulate (ii)).

If a hazardous event happens, then the overall system is recovered according to an exponential distribution with recovery rate m (here, m + 00 implies immediate recovery and m = 0 does no recovery.)

w* is sufficiently smaller than unity, w* 1 / T ) Low demand rate and medium duration (Ad O on [t2,W],and h(t) isnondecreasing on [0, W ] such that h(t) is constant on [W/2, W ]. Then, the function G ( t ) is non-decreasing on [o, W / 2 ] ,and non-increasing on [ W / 2 ,W ]. Moreover, G( t )reaches its maximum value h(W/2)-cr +Rh(W)-2R,,(W/2) at the point t = W / 2 . PROOF. The proof is separated into the following cases. Case (1). 0 I t I W/2. As the same as the proof in Lemma 2, it is clearly. Case(2). W/2 I t < t, . The function h(t) is constant on [ ~ / 2W, ] by assumption, so

h’(t)= 0 and W --t

I W - W/2

=W / 22

t , implying h(W

t, < W - t, I W - t I W - W / 2 I t I t, and

-

t ) I h ( t ). Notably,

r(t) is constant on t E [t,,t 2 ], implying

r ( t ) = r(W - t ) . Hence, G’(t)I 0. Case(3). t, I t I W . The function h(t) is constant on [W/2, W ] by assumption, so

h’(t) = 0 . Notably, 0 I W - t < W - t, I W - W/2 = W/2 I t, I t and h(t) is nondecreasing in t , implying h(W - t ) I h(t) . Also r ( t ) r(W t ) 2 0 on [t,,W ] by ~

assumption, r(W - t ) I r ( t ) hence G’(t)2 0. Accordingly, the desired results are obtained.

~

590 Now, Theorem I , one of the main results in this study, can be proven. - 2Rh( W / 2 )< c,. and the failure rate THEOREM 1 . Suppose that h(W/2)+ Rh(W)

function r ( t ) satisfies (

c,)-(c,) or ( c,)-(c,) is a bathtub-shaped function with

change points t, and t, . Then, L* = K’ , and the optimal strategy is “always to repair” with J ( K * , K ‘ ) = R h ( W ) . PROOF. First the optimal

K

K is fixed and L*( K ), the optimal L as a fimction of K , is found. Then, is obtained by minimizing J ( K , L * ( K ) ) .From Lemma 2 or 3,

G(t)reaches its maximum h(W/2)-cr + Rh(W)-2Rh(W/2) at t = w/2. For each K E [O, W ], L*( K ), the value of L E [K , W ]which minimizes J ( K ,L ) , is found. Differentiating (5) with respect to L yields

and

If h(W/2)+ Rh( W )- 2Rh( W / 2 )< C, then the maximum of C(X) is non-positive,

G(L)IO and dJ(K,L)/dL20,VL~[K,~].Hence,foreach K E [ O , W ] J, ( K , L ) is non-decreasing in L , and so L’ ( K ) = K . Therefore, K’ can be any value in the interval (0,W ] ,L* = K’ , and the optimal service strategy is “always to repair” with

J ( K ’ , K’) = R,(W) . The theorem is proven. LEMMA 4.Suppose that h(W/2)+ Rh(W)-2R,(w/2) >c,. > h ( W ) and the failure rate function r ( t ) is a bathtub-shaped function with change points

t, and t, . Moreover,

r ( t ) satisfies (c,)-(c,) or (c,)-(c,). Then, the equation G(t) = 0 has two roots a E (0, W / 2 ) and b E (W/2,W ). Additionally, the function H(K)=-j:G’(t)F(t)dt, K E[O,b]

(9)

satisfies the following ( R, ) H ( K ) is non-decreasing on [0, W / 2 ] ,non-increasing on [ W / 2 ,b]and reaches its maximum at K = W / 2 , ( R, ) H ( a ) 5 0, H(W/2)> 0, H(b)= 0 .Therefore, the equation H ( K ) = 0 has two

[o,

roots in b],one at b and the other at c E [a,W / 2 ]. PROOF. Suppose that h(W/2)+ R,(W)-2Rh(W/2) > C, > h ( W ) ;from Lemma 2 or 3, the maximum value of

G(t) is positive, G(0) = -c, < 0, and G(W)= h(W)-c,. < 0 .

591 Therefore, the equation G ( t )= 0 has two roots, a E (0,W / 2 ) and b E ( W / 2 ,W ). Differentiating (9) yields H ’ ( K ) = G ’ ( K ) F ( K ) on [O,b]. ff’ has the same sign as G‘. Lemma 2 or 3 thus yields the desired result ( R ,). By definition of H ( K ) , and from the

lbG’(t)F(t)dt 0 , H ( W / 2 ) 1’’ G’(t)F(t)dt> 0 , and,H(a) =-I G‘(t)F(t)dt -5’ F(t)dG(t) 1 G(t)d F ( t ) I 0 . sign of G’(t), H ( b )= -

=

=-

b

h

Wl2

=

=

h

Therefore, the desired result (R,) is again obtained. Accordingly, the following theorem is inferred. THEOREM 2. Suppose that ~ ( w / ~ ) + R , ( w ) - ~ R , ( w>/ ~C, ) > h ( ~and ) the failure rate function ~ ( tis)a bathtub-shaped function with change points t, and t, . Moreover,

c,

r ( t ) satisfies ( c,) - ( C, ) or ( c,) - ( ). Then, K’ E (a, w/2),L* E (W/2, W ),and the optimal strategy is to use the new ( K ,L ) strategy with J(K’,L*) < R h ( W ) . PROOF. Let K be fixed and the optimal L as a fimction of K , i.e., L* ( K ), is found. Then, the optimal K is obtained by minimizing J ( K , L*( K ) ). By Lemma 4, the equation G ( t ) = 0 has two roots, a E (0,W / 2 ) and b E (W/2,W) . Now, the proof is separated into the following cases. Case(1) 0 I K I b . From (7) and (8),

dJO=0 and 8 Z J ( K 9 b>) 0 , so L*(K)= b . 8L2 [ K , w ] , so L*(K)= K .

8L

Case(2) b < K 5 W . G ( L )< 0 and aJ(K,>0, v~ 8L In case ( 1 ) to , the value of K E [0, b] which minimizes J ( K ,b) , is now found, and then J(t,,b) is compared to J ( K , K ) = Rh(W).In order to complete the proof, we have a J ( K b, and to calculate L 8K

H(K ) =-

d2J(K7b)

. First, note that

8K2

1: G‘(t)F(t) dt = h ( K ) F ( K ) h(b)F(b) 1; h( W -

-

- t ) r (W - t ) F ( t )dt. (1 0)

From (5) yields I J ( K , b) = R h ( W ) +--{F(K) F(K)

[ h ( K ) - G ( K ) ]-F(b)[h(b)- G(b)]- j:F(y) h(W - y ) r(W - y ) dy

Differentiating the above with respect to

K yields,

aJ(K,b) - r(K -) H ( K ) and aK F(K)

d 2 J ( K , b )- r ( K ) H ’ ( K ) + [-r ’ ( K ) + r Z ( K ) ] H ( K )

(1 1)

F(K) From Lemma 4-( R, ), H ( K ) = 0 has two roots: b E (W/2,W) and c E [a,W / 2 ] , whereH’(b) < 0 and H’(c) > 0 . By (1 1) and (12) we have

8K2

1.

592

Therefore, to = c is allowed to be the minimizing value of J ( K , b ) for K

E [O,b]

.

From (5) and ( 1 0) 1 J(t0,b)= R h ( W )+ --{F(t,)h(t,)

F(t0)

= R, ( W )+

-{ 1

F(t0)

- K t o ) G ( t o )- F ( b ) h @ )-

j , h -Y P ( W -Y)F(Y)dY)

H(t,) - F(t,)G(t,)) = R, ( W )- G(t,).

(1 2)

The fact that to = c E [a, W / 2 ] ,G is non-decreasing in (0, W / 2 ) and G ( a )= 0 imply

G(to)2 0 . Therefore, J(t,,b) = Rh(W)- G(to)i R h ( W )= J ( K ,K ) . Thus J(t,,b) is the minimizing value of J ( K ,L ) for 0 5 K I L I W , where

K' = to E (a, W / 2 ) and L'

= b E (W/2,

W ),completing the proof of the theorem.

REFERENCES 1. W. R. Blischke and D. N. P. Murthy, Warranty Cost Analysis, Marcel Dekker: New York, (1994). 2 . W. R. Blischke and D. N. P. Murthy, Product Warranty Handbook, Marcel Dekker: New York, (1 996). 3. F. M. Biedenweg, Warranty analysis: consumer value vs manufacturers cost, Unpublished PhD thesis, Stanford University, USA, (1 981). 4. D. G. Nguyen and D. N. P. Murthy, An optimal policy for servicing warranty, Journal of the Operational Research Society 37, 1081-1088, (1986). 5. D. G. Nguyen and D. N. P. Murthy, Optimal replace-repair strategy for servicing items sold with warranty, European Journal of Operational Research 39, 206-212, (1989). 6. D. G. Nguyen, Studies in warranty policies and product reliability, Unpublished PhD thesis, The University of Queensland, Australia,( 1984). 7. N . Jack and D. N. P. Murthy, A servicing strategy for items sold under warranty, Journal of the Operational Research Society 52, 1284-1288, (2001). 8. N. Jack and F. A.Van der Duyn Schouten , Optimal repair-replace strategies for a warranted product, International Journal of Production Economics 6 7 , 9 5 100, (2000). 9. W. Kuo and Y. Kuo, Facing the headaches of early failures: a stateeof-the-art reviews of bum-in decisions, Proceeding of the IEEE 71, 1257-1266, (1983). 10. H. W. Block, W. S. Borges and T. H. Savits, A general age replacement model with minimal repair, Naval Research Logistics. 35, 365-372, (1988). 11. Shey-Huei Sheu, Optimal block replacement policies with multiple choice at failure, Journal Applied Probability 29, 129-14I , (1 992).

CALCULATING EXACT TOP EVENT PROBABILITY OF A FAULT TREE

T. YUGE , K . TAGAMI AND S. YANAGI Dept. of Electrical and Electronic Engineering, National Defense Academy, 1-10-20 Hashirimizv, Yokosuka, 239-8686, JAPAN E-mail: [email protected] An efficient calculation method to obtain an exact top event probability of a fault tree is proposed when the minimal cut sets of the tree model are given. The method is based on the Inclusion-Exclusion method. Generally, the Inclusion-Exclusion method tends to get into computational difficulties for a large scale fault tree. We reduce the computation time by enumerating only non-canceling terms. This method enables us to calculate the top event probability of a large scale fault tree containing many repeated events.

1. Introduction Fault trees are used widely as system models in quantitative risk assessments. Although obtaining the exact top event probability is an important analysis in the assessments, it is a difficult problem for a reasonably large scale system with complex structure, such as a chemical plant, a nuclear reactor, an airplane and so on. The main factor in this difficulty is the existence of repeated events. If there are no repeated events, a bottom-up algorithm' can be used to obtain the top event probability. In this case, even if the scale of the fault tree becomes large, the analysis is simple. For the trees with repeated events, many researchers have proposed efficient algorithms to obtain exact or approximate top event probabilities'. The proposed methods are classified roughly into two groups. One approach for this problem is using a factoring method3y4 in order to decrease the number of repeated events. Dutuit et al. proposed an efficient algorithm, named linear time algorithm', to search modules and the module top events in a fault tree. A module is an independent subtree whose terminal events do not occur elsewhere in the tree. Finding the modules and their module top events reduces the computational cost. The factoring algorithm^^,^ are adopted in order to reduce the tree by application of Bayes' formula and to reduce the problem to the computations of fault trees containing less number of repeated events. In this case, it is an important problem to decide which events should be selected for factoring. The other is using the Boolean function. In this approach, the main effort is to find the structural representation of the top event in terms of the basic events. Find-

593

594

ing the minimal cut sets is one way of accomplishing this step. Several algorithm^^,^ to find minimal cut sets are proposed. After all minimal cut sets are found, the inclusion-exclusion method is used to calculate the exact top event probability or its upper and lower bounds. For a large scale fault tree, however, the Boolean approach tends to get into computational difficulties. Because large trees lead to a large number of Boolean indicators which must be examined, computational time becomes prohibitive when all combinations of Boolean indicators are being investigated. A truncation method7 is useful to obtain the upper and lower bounds of top event probabilities for a large scale system. The Boolean indicators with low probability are truncated in order to reduce the computation time. This method is effective when the basic event probabilities in a tree are small enough. However if the tree contains events with large probabilities, events characterizing human error and some natural phenomena are typical examples, this truncation method is inappropriate and leads to erroneous results. In this paper we present a method for calculating the exact top event probability for a large scale fault tree containing many repeated events when all the cut sets are given. In this case the top event is represented by using cut sets. And the exact top event probability is given by the inclusion-exclusion expression. The main idea in our method is expressing the top event probability by using only non-canceling terms. The conventional inclusion-exclusion expression contains many canceling terms which do not contribute to the top event probability. If we can enumerate only non-canceling terms, the computational effort to calculate top event probability is reduced substantially. This method is an application of Satyanarayana’s topological formula’ proposed for the analysis of network reliability. An efficient algorithm t o generate only non-canceling terms is presented. And some numerical examples are shown. 2. Notations

T,

: top event m : number of basic events in a fault tree n : number of minimal cut sets in a fault tree ei : i-th binary basic event, i = 1 , 2 , . . . ,m p , : probability of occurrence of ei Ci : i-th minimal cut set, i = 1 , 2 , . . . n Ci : event that all basic events in Ci occur, i = 1’2, . . . n 1, : nonempty subset of {Cl,( 2 2 , . . . ,C,}, i = 1 , 2 , . . . 2, - 1 Ji : set of basic events, Ji = { e k l e k E Cj,C, E 1i} Ei : distinct sub set of {el, e 2 , . . . , e m } , Ei is formed by basic events belonging to nonempty sub set of {Cl,C2,. . . ,C,}. (The definition of Ei is almost same to that of J,. Although it is possible that J , = J j for any i and j , Ei is quite distinct from the other.) ai(b,) : number of ways of forming the sub set E, by the union of an odd (even)

595

number of minimal cut sets

di : ai - bi 1x1 : cardinality of set IC Pr{z} : probability of occurrence of event x P ( x ) : joint probability that all the basic events in set x occur

3. Top Event Probability When a fault tree model of a system is given, its T, can be represented as the union of C?i of the system.

Using the inclusion-exclusion rule, the exact value of Pr{T,) can be calculated.

For a large scale tree, however, this method might not be computationally feasible because the number of terms in Eq.(2) increases exponentially with n. However, Eq.(2) is equivalent to Eq.(3) that is represented by using P ( E i ) .

here, di is the domination of sub set Ei. This is a coefficient of P ( E i ) considering the number of canceling terms.

Example Consider a fault tree with 4 cut sets:

The number of I s is 24 - 1(= 15) (see Table 1). However, the number of distinct E is 10 (see Table 2). Eqs.(l) to (3) are rewritten as Eqs.(4) to (6). Then Pr{T,} is given in Eq.(7). Table 2 shows all sub set and their corresponding I s and a,,b,, d, in the tree.

596 Table 1. Relation between I and J

1 2 3 4

5

6

7 8 9

10 11

12 13 14 15

Next theorem gives the relation between canceling terms.

Theorem 3.1. Consider two I s , I , and I p = I , U {C,}. If all basic events in C, belong t o J , too, P(1,) and P(1p) canceled each other.

597 Table 2. Ei and the coefficient of Pr{Ei}.

1 2

3 4

5

6 7 8

9

10

[Proof] Let JL be a set of basic events belonging to C,. R o m the conditions,

P ( J p ) = P ( J , U J:) = P(J,).

As P ( & )= P ( J i ) ,P(I,)

= P ( I p ) . Furthermore,

(-l)lI-l+lP(Ia) + (-l)lIfil+1P(Ip) = (-l)IIJ+l (P(I,) - P ( I p ) )= 0.

1Q.W The combination of I , and C, which satisfy Theorem 3.1 can be found by the following Lemma.

Lemma 3.1. Let D be a set of basic events whose elements belong t o more than one distinct minimal cut sets. And let JL = { e u l ,em*,. . . , e,, } be the set of basic events belonging to C,, and Kj = {CllCl 3 e W l ,C1 # C,}. If I , consists of cut sets, each of which is taken up f r o m K j , j = 1 , 2 , . . . , t , and i f Jk c D , then JL E J,. 4. Enumeration Algorithm

In this section, two algorithms are proposed in order to calculate top event probability. One algorithm generates sets Hih which express the relation of canceling. The other generates only non-canceling terms and calculates top event probability.

4.1. Inclusion Algorithm The combinations of I , and C, which satisfy Theorem 3.1 is enumerated by the following algorithm using Lemma3.1 and given as Hih. Here, Hih is a set of minimal cut sets and shows the relation of inclusion for the basic events belonging to Ci. Ci occurs automatically if all the minimal cut sets in Hih occur.

Step 1 Generate a set D whose elements belong to more than one distinct minimal cut sets. Set i = 1.

598 Step 2 Let J,' = { e t 1 ,e,,, . . . ,e,+} be a set of basic events in C,. If Ji C D , set j = 1 , l = 0. Else go to Step 6. Step 3 For j = 1 , 2 , . . . ,t , generate a set of minimal cut sets K,. The element ck satisfies ez, E CI, for any k except for i. Set r, as the number of selected minimal cut sets. Step 4 Generate sets of cut sets Hzhr( h = 1 , 2 , . . . , T I x T Z x . . . x rt) of which the j t h element is taken up from K,, j = 1 , 2 , . . . ,t , respectively. Step 5 Adjust the H,h. If there is some common elements in one Hzh or if H,, = H,,, ( u # v), delete the excess. Step 6 If i < n , set i = i + 1 and go to Step 2. 4.2. Enumeration Algorithm

In this algorithm, all non-canceling terms are enumerated by using Hih. Although I0 is not defined in section 2, it is used as an empty set in this algorithm. The policy of this algorithm is: From Ii, , generate all possible I which include Ii, and 1. If the generated I,, satisfies the condition of canceling, check the III = existence of the pairing 10 among the I with IIl = lIill, then delete both 12, and

+

10.

Step 1 Set i l = iz = 0 , j = O,I,, = 4,Pr{Te} = 0. Step 2 If i2 < il go to Step 5. Else set k = II,,I. Step 3 1f.k # 0, set j = max{s}, where C, E I,,. If k = 0 and il # 0 then il = il 1 go to Step 2. Step 4 If j < n, set z = j + 1 and do the following. Else i l = i l + 1 and go to Step 2.

+

+

Step 4.1 Set iz = iz 1, I,, = IzlU {Cz}. Step 4.2 If k 2 2 and there is an Ip that satisfies, /3 > i l , lIpl = k - 1 and then set I,, = I p = 4. I p for c,E HZh C I,,, H,h Step 4.3 If 2 < n, z = z + 1 and go to Step 4.1. Else i l = il + 1 and go t o Step 2. Step 5 Calculate the probabilities of nonempty I . If I, is an odd number, add the probability to Pr{T,}, else subtract it from Pr{T,}.

5. Numerical Examples The following two system models are shown in order to confirm the effectiveness of our method. The common assumptions in this section are m = n, pi = 0.01 O.O01i, i = 1 , 2 , . . . , m and all cut sets have k basic events.

+

(1) Consecutive model : A circular consecutive k-out-of-n:F system. Namely the cut sets are defined as C1 = {el,eZ,e3},Cz = {ez,e3, e4}, . . . ,c30=

599 Table 3. k

n

Computation time of consecutive models

Computation time (sec.) Proposed method

Number of terms

InclusionExclusion

Proposed method

InclusionExclusion’’

low3

2

30

7,508.5

1,988.1

8,574,957

109

3.58 x

3

30

83.7

1,976.0

545,279

109

3.95 x 10-5

4

30

6.5

2,442.1

88,501

109

4.34 x 1 0 - ~

5

30

1.5

2,660.0

24,031

109

4.77 x 1 0 - ~

4

35

408.9

21 hours*2

568,833

3.2 x 10”

5

35

49.4

24 hours*2

123,377

3.2 x lolo

5.57 x 1 0 - ~

5

40

729.3

1 month*2

634,495

1012

6.37 x 1 0 - ~

5.07 x 10-7

Note: *1: the number of terms for an Inclusion-Exclusion method is given as 2n - 1. +2: the expected computation time.

{eso, e l , e z } if k = 3, n = 30. (2) Random model : The basic events in every minimal cut sets are decided randomly by the random number. Naturally, all minimal cut sets are distinct and all basic events must appear at least once. This random model is simulated 50 times for one fault tree. Tables 3 and 4 show the enumeration results. In table 4, “ave” shows the average computation time and the average number of generated non-canceling terms for the tree model. And “min” (“max”) shows the shortest(1ongest) computaion time within 50 samples,and its non-canceling terms and top event probability. For any n, the larger the parameter k becomes, the more the tree becomes complex. As a result, the proposed method becomes effective because of the increase of canceling terms and the computation time becomes less. Table 4 shows that the computation time depends on the structure of a tree very much. The examples shown in this section are fairly complex because we add an assumption of n = m. However we think it is possible in real fault trees that the number of basic events is reduced as a result of a simplification technique which is done by merging two non-repeated inputs into a single one.

6. Conclusion

In this paper, we proposed a method to calculate exact top event probabilities of fault trees containing many repeated events. This method is effective especially for trees with complex structure. We showed the exact probabilities of fault trees with 30 to 60 repeated events in numerical examples. This enumeration method can be applied to obtain the approximated top event probability easily by truncating the terms with small probability. Ofcourse the approximated value is more accurate than that given by the usual Inclusion-Exclusion method. However, if the structure of a tree is not so complex the benefit is little. And if the number of repeated

600 Table 4. k

n

3

30

3

4

4

5

5

5

40

30

40

40

50

60

Computation time of random models Computation time (sec.)

Number of terms

ave

18.7

30,559

-

min

0.001

59

3.99 x 10-5

max

117.5

110,597

3.97 x 10-5

ave *

-

1,979.6

217,714

min*l

0.001

79

5.3 x 10-5

mu*'

5.3 x 10-5

7 hours

1,543,055

ave

1.5

2,445

-

min

0.001

59

4.39 x 10-7

max

3.7

7,169

4.39 x 10-7

ave

36.1

19,328

min

0.001

79

5.86 x 10-7

max

173.8

67,429

5.85 x 10-7

ave

10.3

2,870

min

5.9

1,569

6.44 x 10-9

-

-

max

18.1

5,727

6.44 x 10-9

ave

90.4

13,311

-

min

13.5

2,777

8.05 x 10-9

max

256.6

45,857

8.05 x 10-9

ave

407.8

31,999

~

min

3.9

203

9.66 x 10-9

max

1,406.3

93,569

9.66 x 10-9

Note: *1: the values are given from 20 samples.

events is more, the analysis strikes a snag of computational difficulty. For such a non-complex tree or a huge scale tree, it is believed that a combination of factoring method and the one proposed in this paper is more effective.

References 1. W. S. Lee, D. L. Grosh, F. A. Tillman and C. H. Lie, IEEE Trans. o n Rehab. 34,194 (1985). 2. Y. Dutuit and A. Rauzy, IEEE Trans. o n Reliab. 45,422 (1996).

3. A. S. Heger, J. K. Bhat, D. W. Stack and D. V. Talbott, IEEE Trans. on Reliab. 44, 640 (1995). 4. K. Nakashima, Y. Hattori, IECE Trans. E60, 175 (1977). 5. D. M. Rasnuson and N. H. Marshall, IEEE Trans. on Reliab. R-27, 250 (1978). 6. S. Garribba, P. Nussio, F. Maldi, G. Reina and G. Volta, IEEE Trans. o n Reliab. R-26, 88 (1977). 7. M. Modarres and H. Dezfuli,IEEE Trans. on Reliab. R-33,325 (1984). 8. A. Satyanarayana and A. Prabhakar,IEEE Trans. o n Reliab. R-27, 82 (1978).

A PERIODIC MAINTENANCE OF CONNECTED-(r, s)-OUT-OF-(m,n):F SYSTEM WITH FAILURE DEPENDENCE; WON YOUNG YUN, CHEOL HUN JEONG, GUI RAE KIM Pusan National UniversiQ, Sun 30 Changjeon-Dong Kumjeong-Ku, Busan, 609-735, KOREA HISASHI YAMAMOTO Department of Production Information System Tokyo Metropolitan Institute of Technology

This study considers a linear connected-(r,s)-out-of-(m,n):F lattice system whose components are ordered like the elements of a linear (m,n)-matrix. We assume that all identical components are in the state 1 (operating) or 0 (failed) but the failures of components are dependent. The system fails whenever at least one connected (r,s)-submatrix of failed components occurs. The purpose of this paper is to present an optimization scheme that aims at minimizing the expected cost per unit time and system parameters. To find the optimal maintenance period, we use a genetic algorithm for the cost optimization procedure. The expected cost per unit time is obtained by Monte Carlo simulation. The sensitivity analysis to the different cost parameters is also made.

1

Introduction

A linear (m,n)-lattice system consists of m.n elements arranged like the elements of a (m,n)-matrix, i.e. each of the m rows includes n elements, and each of the n columns includes m elements. A circular (m,n)-lattice system consists of m circles (centered at the same point) and n rays. The intersections of the circles and the rays represent the elements, i.e. each of the circles includes n elements and each of the rays has m elements. The lineadcircular connected-X-out-of-(m,n):F lattice system is defined by Boehme, Kossow and Preuss [ 11. A special case of the connected-X-out-of-(m,n):Flattice system and a generalization of the kZ/n2:F system defined by Salvia & Lasher [ 3 ] is the linear/circular connected-(r,s)-out-of-(m,n):F lattice system. This is a linearicircular (m,n)-lattice system which fails if at least one connected (r,s)-submatrix of failed components occurs. The supervision system sketched in Figure l a is a typical example of connected-(r,s)out-of -(m,n):F system. The knots represent (for example) TV cameras. Each TV camera can supervise a disk of radius c that is a capacity of a TV camera, and the cameras in each row and column are of a same type and has a distance d from each other. The supervision system is failed if an area inside of the sketched square with sides (m-l)d and (n-1)d is out of observation. If the disk of radius c equals a distance d, the system fails if (at least) two * This work was supported by grant No.

(ROS-2002-000-00995-0) from the Basic Research Program of the Korea Science & Engineering Foundation. 601

602 connected cameras in a row or a column fail and we can express the rule connected-( 1,2)or-(2,1)-out-of-(3,3):F lattice system (see Figure lb). If the disk of radius c equals a distance A d , the system fails if one of the operating stations fails, i.e. if a connected (2,2)-matrix of failed elements occurs (see Figure lc).

a) Supervision system

b)connected-(2,l) system

c) connected-(2,2) system

Figure 1. (3,3)-Lattice system

Exact reliability formulas for connected-(r,s)-out-of-(m,n):F lattice systems are known for special cases by Boehme, Kossow and Preuss [l], but not for general cases. Zuo [7] suggested that the SDP method could be applied to general cases. But the SDP method is very complex and Yamamoto and Miyakawa [4]suggested the YamamotoMiyakawa (YM) algorithm that required O(sm-rm2.rn)computing time, viz, polynomial for n, but exponential for (m-r). Malinowski and Preuss [2] gave lower and upper bounds for the reliability of connected-(r,s)-out-of-(m,n):F lattice systems for s-independent components. Yun, Kim and Jeong [5] and Yun, Kim and Yamamoto [6] introduced the economic design problem to two dimensional consecutive system. They suggested a procedure to find the optimal configurations and maintenance policy of the system which consists of i.i.d. components. In this paper, we consider a maintenance problem of the two-dimensional system with failure dependence between components. We propose a procedure to predict the expected cost for unit time of this system and design the optimal system structure and maintenance policy (periodic replacement) minimizing the predicted cost using MonteCarlo simulation with genetic algorithm.

2

Failure dependency

We consider failure dependency in two dimensional consecutive systems. This means that when the arbitrary component (ij)is broken, then the failure rate of some working components are changed. In this paper, we assume that the failure rate of the nearer working components on the failed component is received the more effects. Therefore, when component (ij)is broken in arbitrary point of time tl, failure rates of the four adjacent components become larger than those of the other components (see Figure 2). The distances between one component and the others form a kind of series like d, f i d, 2d, &, d, 3d, f i d , . ., but it has no general form. Table1 shows the values of distance and the number of components within the same distances. Now, we denote d, as

603

d Figure 2. The distances of two components in two dimensional consecutive system

the maximum distance of ability which takes charge of the failure area in the linear connected-(r,s)-out-of-(m,n):F system. If we assume that all adjacent components have as ability of each the same distance d and r 2 s then all components have (PI)& individual. Therefore, if the distance of any component is smaller then d, of the failure component then the failure rate of working component is changed as follows ( r 5 s).

3

Optimal maintenance design

Assumptions 1. Each component and the system either operate or fail. 2. Replacement time is negligible. 0 Notation 0

~

TR

periodic replacement time system with m.n components arranged in m rows and n columns, and r adjacent rows, s adjacent columns whose failures cause ( m , n), (I 4, system failure R(TR), R(TR , r, s) reliability of the system with periodic replacement L(TR), L(TR,r, s) expected life of the system with periodic replacement

604 expected number of failed components in the system with periodic rkplacement at the end of a cycle fixed cost at system failure . co fixed cost for replacing components CI fixed cost for planned replacement cz C( TR ), C( TR , r, s) expected cost per unit time N(TR )' N(TR ' " ')

We consider a periodic replacement policy: If a system fails before periodic replacement time TR, the failed components are replaced with new ones. If a system does not fail until replacement time TR, the planned replacement is executed so that components, which are failed in the system, are replaced with new ones.

3. I Cost model The total cost per unit time as a function of TR is C(TR).If a system fails before periodic replacement time TR then the cost for system down COwill occur. Unless the system fails before periodic replacement time TR, the cost for system replacement COwill occur (C, is larger than C2). Therefore, the expected total cost during one cycle is the sum of an expected cost for replacing failed components with new ones, the expected cost for system down and the expected cost for planned replacement. The expected cost in the interval

W,)= The expected length of the interval The expected cost in the interval equals C&(TR) + Co(1 - R(TR))and the expected length of the interval equals L(TR). Therefore, the expected cost per unit time is given by c(TR)

=

Ci . N ( T R ) + Co (1- R(TR 1) + C , . R(TR 1 L(TR 1

(3)

If TR ,r, s are decision variables, the expected cost rate is given by

C(T,,r,s) =

C,(r's) . N ( T R,Y,s)+ C , (1 - R ( T R,Y,s)) + C , . R ( T , ,Y,s) L(T,,r,s)

(4)

3.2 Optimal designs of simulation and GA 3.2.1 Monte Carlo simulation For complexity of system with maintenance period, it is not easy that N(TR, r, s), R(TR,r, s) and L(TR, r, s) are obtained analytically. So we use Monte Carlo simulation to obtain the expected cost per unit time. Figure 3 shows a simulation procedure to obtain

605 the expected cost per unit time, given the periodic replacement time TR, simulation replication number SRN, cost parameters Co, C, and C, and failure distribution function F( . ) of a component. In this case, the optimal TR and system parameters to minimize the expected cost per unit time are determined by Genetic Algorithm.

+

Check occurrence to periodic replacementand system failure: If CL 2 TR Then !'Periodic replacementoccurs */ CL = TR, .T+~ = I , Go to step 4

SN=0

TCL=O,TFN-0, NSW=O ~

~

+

1 . Initialize: For i = l Tom Forj =1 To n s(i,j) = 1, t ( i , j )= m Next; Next i F N = 0, CL = 0, sDr= 1

Else s(NF) = 0, FN = FN + 1 If FN > rxs Then For ri =Max(l, NF,

- r + 1 ) To Min( m-r+l , NF,

ForjJ = Mar(1,N e -s+ 1 ) To Min( n-s

r=ii

t ( i , j ) = F-'(Rundom (0,l))

Else t(i,j) = Next j

-

+ 1 ,NF, )

j=.jj

sSy,c-

3.2.2 Genetic algorithm We propose an optimization scheme for minimizing the expected cost per unit time. A Genetic algorithm is used to find near optimal solutions. A chromosome encodes real values of a periodic replacement time TR and system parameters to 9-digits strings that each string is a value among the integer from zero to nine. The fimess value is the expected cost per unit time which can be obtained by Monte Carlo simulation. We use one point crossover and one point mutation for evolution. Figure 4 represents a simple procedure of our Genetic algorithm.

606

c

-3

Start

I

P , (5, := P(i) I Determine cromosome i a n d j randomly Determine position d randomly P ’ (1) := crossover {Pi ’ (i), P, ’ (t),d ] 1

Determine cromosome i randomly Determine position d randomly P‘ (i) := mutation {Pi ‘ (i), d}

P”

:= P ,

(i)

(i)+

P(t)

Sort P”(i) in order of fitness

I

.--

P(t) := selection { P ” (r), q }

* Terminal condition :

*

*

Print T l ,r ,s = decoding (P/(i) } Print C(T;,

*

r ,s

*

) = fitness of p,(t)

Figure 4.Simple procedure of Genetic algorithm

4

Numerical example

4.1 The case when r, s arefuced

We consider linear (3,3)-out-of-(5,5):F lattice system. Each component has an exponential failure distribution with parameter k 0 . 0 2 . The replication number of simulation is 100. For Genetic algorithm, we use 50 chromosomes (q=50) in a generation and terminate the procedure on 100 generation. We adapt the crossover rate and the mutation rate to 0.3 and 0.05, respectively. We execute the Genetic algorithm with the set of cost parameters Co={10,50,100}, C2={0.1,0.5,1} and C1 is fixed as 1. Figure 5 shows the relationship between Co, C2and TR. It enables us to know that when CoIC2 increases, the optimal TR decreases conversely.

607

iQ

w

la0

Figure 5. The optimal periodic replacement time according to CO,CZin connected-(3,3)-out-of-(5,5):F system

4.2 The case when r, s, TR are determined simultaneously

In another experiment, we determine r, s and TR simultaneously. Table 1 shows the results of the experiment. when CdC, increases, the optimal TR decreases and the optimal (r,s) also decreases. Table 1 enables us to know that if CJC2 is less than 100, the preventive maintenance is not helpful to save the cost. Table 1. Periodic replacement time and expected cost per unit time for connected-(r,s)-outof-(5,5):F system

5

Conclusion

In this paper, a linear connected-(r,s)-out-of-(m,n):F system with failure dependence in components is considered. We propose a procedure to obtain the expected cost per unit

608 time by Monte Carlo simulation. And we determine the optimal maintenance interval and system parameters to minimize the expected cost per unit time using a Genetic algorithm which includes the procedure to predict the objective function by simulation. The proposed procedure can be applied to other types of consecutive systems and different dependency between components can also be considered. These simulation programs are useful for calculating the periodic replacement time, system parameters, system reliability of the two-dimensional engineering consecutive systems. References 1.

T.K. Boehme, A. Kossow and W. Preuss, A generalization of consecutive-k-out-ofn:F systems, IEEE Transactions on Reliability 41,45 1-457 (1992). 2. J. Malinowski and W. Preuss, Lower & upper bounds for the reliability of connected-(r,s)-out-of-(m,n):F lattice systems, IEEE Transactions on Reliability 45, 156-160 (1 996). 3. A.A. Salvia and W.C. Lasher, 2-Dimensional consecutive-k-out-of-n:F models, IEEE Transactions on Reliability 39,382-385 (1990). 4. H . Yamamoto and M . Miyakawa, Reliability of a linear connected-(r,s)-out-of(m,n):F lattice system, IEEE Transactions on Reliability 44,333-336 (1995). 5. W.Y. Yun, G.R. Kim and C.H. Jeong, A maintenance design of connected-(r,s)-outof(m,n):F system using GA, Proceedings of the Quality Management and Organizational Development, 493-500 (2002). 6 . W.Y. Yun, G.R. Kim and H. Yamamoto, Economic design of linear connected-(r,s)out-of(m,n):F lattice system, International Journal of Industrial Engineering 10, 591-599 (2002). 7. M.G. Zuo, Reliability & design of 2-dimensional consecutive-k-out-ofn:F systems, IEEE Transactions on Reliability 42,488-490 (1993).

ESTIMATING PARAMETERS OF FAILURE MODEL FOR REPAIRABLE SYSTEMS WITH DIFFERENT MAINTENANCE EFFECTS' WON YOUNG YUN, KYUNG KEUN LEE Pusan National Universiv, San 30 Changjeon-Dong Kumjeong-Ku, Busan, 609-735, KOREA SEUNG HYUN CHO Rotem Company, Yongin, Gyunggi-Do, KOREA

KYUNG H. NAM Divison of Economics, Kyonggi University, Suwon, KOREA

The article considers an estimation problem of repairable units with different maintenance effects. Two proportional age reduction models are utilized for imperfect maintenance. Two models are considered; one with effective corrective maintenance (CM) and without preventive maintenance (PM) and the other with effective PM and minimal CM. The parameters of a Weilbull distribution and maintenance effects are estimated by the method of maximum likelihood. Genetic algorithm is used to find a set of values that maximize the likelihood function and simulation is used to illustrate the accuracy of the proposed method.

1

Introduction

An important problem in reliability is the treatment of repeated failures of a repairable system, that is, how to model the maintenance effects. Pham and Wang [I61 classified maintenances according to the degree to which the operating conditions of an item is restored by maintenance in the following ways:

0

Perfect maintenance : a maintenance action which restores the system operating condition to as good as new. Complete overhaul of an engine with a broken connecting rod is an example of perfect maintenance. Minimal maintenance : a maintenance action which restores the system to the intensity function it had when it failed. Changing a flat tire on a car or changing a broken fan belt on an engine are examples of minimal maintenance. Imperfect maintenance : a maintenance action which does not make a system like as good as new, but younger. Usually, it is assumed that imperfect maintenance restores the system operating state to somewhere between as good as new and as bad as old. Engine tune-up is an example of imperfect maintenance because an engine

* This work was supported by the Brain Busan 2 1 Project in 2003.

609

610

tune-up may not make an engine as good as new but its performance might be greatly improved. Worse maintenance : a maintenance action which makes the system intensity function or actual age increases but the system does not break down. Worst maintenance : a maintenance action which undeliberately makes the system fail or break down. Conventional statistical analysis for such failure times takes into account one of the two extreme assumptions, namely, the state of the system after maintenance (repair) is either as good as new (GAN, perfect maintenance model) or as bad as old (BAO, minimal maintenance model. In many practical instances, however, maintenance (repair) activity may not result in such extreme situations [8]. There are some general models for imperfect maintenance (effective maintenance) (Brown and Proschan [5], Block, Borgers and Savits [3], Brown, Mahoney and Sivazlian (BMS) [4], Chan and Shaw [7], Kijima [ I l l , Malik [14]). The two models studied in this paper can be expressed by virtual age concept which is suggested by Kijima [ 1 11.

V'(x,) = V'(x,.,)

+ (l-p)(x, - x,J

V'(x,) = (l-p)[V'(x,.l)

; Malik's model - Model 1

+ x, - x,-~]);BMS's model - Model 2

See Pham and Wang [ 161 for more detailed review of maintenance models. Higgins and Tsokos [9] studied an estimation problem of failure rate under minimal repair model using quasi-Bayes method. Tsokos and Rao [191 considered an estimation problem for failure intensity under the Power-law process. Coetzee [8] proposed a method for parameter estimation and cost models of non-homogeneous Poisson process under minimal repair. Park and Pickering [ 151 studied an estimation problem to estimate parameters of failure process with failure data of multi systems. Whitager and Samaniego [20] estimated the lifetime distribution under Brown-Proshan imperfect repair model. It is assumed that the data pairs (T,, 5) are given, where TI is a failure time and Z, is a Bernoulli variable that records the mode of repair (perfect or imperfect). There are some studies for estimation problems with imperfect maintenances (Lim [12], Lim and Lie [I31 Shin, Lim and Lie [18], Jack [lo], Pulcini [17], Baxter, Kijima and Tortorella [2]). Calabria and Pulcini [6] dealt with some properties of the stochastic point process for the analysis of repairable units. Baker [I] focused on fitting models to failure data. In the existing studies, an expected maintenance effect and lifetime parameters have been estimated for a repairable system; however, when several identical units are repaired by different maintenance systems, degrees of maintenance effects might be different. We estimate these maintenance effects and a lifetime distribution for an estimation problem in which several identical units are used in different maintenance situations. Likelihood functions are constructed and a search algorithm is suggested to find a set of values maximizing the likelihood function.

61 1

Notation m: the number of groups, which is equal to that of repair systems pI:the degree of maintenance effect for the ith maintenance machine (05p121) S,:the number of the units which are repaired by the ith maintenance machine nB*:the number of periods for the jth unit in group i ( = the number of P.M. + 1 ) rlJk:the number of failures in the kth period for thejth unit in group i tl,J,k,l: the 1 th failure time in the kth period for thejth unit in group i qJ;: termination time of the kth period for thejth unit in group i kth preventive maintenance time for thejth unit in group i V-(t): virtual age just before maintenance V'(t): virtual age right after maintenance 2

Model and Assumptions

We consider model 2 (model 1: Malik's model, and model 2: BMS model) with scheduled PM's and CM at failure is assumed to be minimal. The maintenance action which causes the state change for a unit, PM in case B, is defined as the effective maintenance. It is assumed in the existing articles that the number of maintenance systems is just one or the maintenance systems have equal degrees of improvement; however, we assume that each of repairable units is repaired (maintained) with a maintenance machine which has different degrees of improvement to others, see Figure 1. In addition, the followings are assumed: The times to perform maintenance actions are ignored. A unit is repaired by a maintenance machine unit 1 : unit2:

V I fl.l.l.1

fl.l.l.2 T1.1.1

f1.2.1.1

f1.2.1.2

*m.l.l>

fm.1.1.2

unit 49 : ,-,

unit 55 :

...

rl.l,n:J-l

=-•

*l,l,

*-

t

f 1 . 2 4 ,I

...

1,2.n:,,

*m,7,1,l

tm.7.1.1

...

Maintenance system 1

h

rL,l,l v

>

w.

Maintenance system m *tm,,,>*J

.I

Tm.7.n:,7

Figure 1. Failure and maintenance process under multi maintenance system (case B)

3

Parameter Estimation

We consider a parametric distribution on (0, ") governing the lifetime of a new system. The most commonly used lifetime distribution in reliability study would be the 2parameter Weibull distribution whose pdf and the survival function are given by;

612

R(t) = exp[-(t/BI"l where a is the shape parameter and p is the scale parameter.

(2)

The power-law process model where the first failure time follows the Weibull distribution, was found to fit slightly better overall than did the loglinear and linear processes in the study of Baker [ 11. 3.1 Likelihood function

The available data in this study consists of failure time (corrective maintenance time) and the termination time of each period which is equal to the preventive maintenance time. The likelihood function of one observation is of the form

Since the intensity function is not changed after CM in this case, the likelihood function in Eq. (3) can be expressed as

If the virtual ages are represented by the failure and maintenance times then we can get the following likelihood function.

q@fi?fl)=rfi{{d?,k -g?,h 1-1

4

,=I

k-I

I)/d?,h

-fl?,k)}fidflt,,k/ /=I

-R?,k

I)]}

(5)

A Numerical Example

Simulation experiments are carried out to investigate the accuracy of the estimation. The number of parameters in the log-likelihood function is m+2. When many units are operated, that is, m is large, it is difficult to find the set of values that maximizes Eq. ( 5 ) through classical search techniques such as quasi-Newton method. So we have used the Genetic Algorithm which is a meta heuristic technique. 100 simulations are carried out for each experiment. In the first experiment, the effect of the number of the units repaired by an identical machine is investigated. The input values of the parameter are set to be pl = 0.3, p2= 0.5, p 3 = 0.7, a = 2, /3 = 1.5. For s = 1, 3, 5, 10, 30, 100, the experimental results are shown in Table 1.

613 Table 1 . The effect of the number of the units repaired by an identical machine

;

B .................... ............ ;.P.............................. P!....: ................................................ ......P2.............................. . i........................ :..P3........ ................................................ ................... iMeani SD MSE /Mean, . SD 1. MSE ;Mean/SD IMSE iMean/ .....SD ...... /..MSEIMeanI ........... . SD . MSE :........................ ............................................ ................ ........................ ........................................... ........................ ................... ........................ i............ ................... ....................... .......................

[

........................

........

:

i

:

:

/

:

..........................................

:

1

:

i

:

i

i

i

i

&

~

+

:

:

1 0.33 iO.21iO.O47/ 0.43 /0.22/0.054/0.56 /0.2110.0651........................ 3.03 /1.14!2.3821 1.69 iO.3Ojo.126 . . ..................+............ ,....................... *................. /........................>.......................* ................... ....................... .......... ............ ........................ ...................t........................ 3 0.25 iO.17iO.O32/ 0.48 10.19io.036: 0.64 ~0.18~0,037~ 2.19 /0.39/0.188! 1.59 io.2310.062 ................. ........................ .......................................... *........................ ............................................ ............................................ *................................................ ............................................. ............

i'

i

i

:

;

+

~

8

. -

3

1.51 10.18i0.031 5 ................................................................................................ 0.27 10,1510.0241 0.48 /0,16~0,026/ 0.69 i0.14/0.0191 1.98 :.i0.2210.048i . ................. ..................................................................... ................... ............ *........................ ............................................... ............................................ i . . 1

I

1.50 10.16.0.026 . . . . 1010.31 i0.14/0.019/0.48 10,1310.017/ 0.69 /0.11/0.013/ 1.99 ~O.2O~O.O40/ ........................................... ............................................. '....................... +............ < ............................................ ..................................................................... 1.51 10.16/0.021 30/...0.28 0.49 o /0.10(0.01 / ~ .......~..... 1;O............................................................................................ 0.70 ~ /0.10~0,013~ o ~ 1.95 /0.14j0.023/ . . ......... ~ ........... ~ .......~ ..... ~ ........................ ................. ................... *............................................. ............................................ ........................ 1.51 ,0.13/0.017 1.95 10.12.0.019; . . 1001 0.26 /O.O7iO.OO6j0.48 /0.08~0.00710.69 ~0.08~0.006~ .................................................................................................................

I

~

I

~

:

&

i


OandT,a>O.

(5)

Clearly, it has decreasing failure rate. For s > 0, let G(t) = F(t)/F(s) with t 2 s. Furthermore, for simplicity, the shape parameter a in Eq. (5) is set to 1, G(t)is generated, W + s ) / [s(T+t)], 0 5 t 5s G(t)= 1, otherwise. Or, we have that (1+ y ) t / ( y s + t ) , for y= Tls, 0 2 t I s G(t)= 1, otherwise. The failure rate hnction is

{

{

h(t) = l/[s(y+t/s)]+ l/[s(l-t/s)],

OItIs

(6)

where s is scale parameter and y is shape parameter. h(0) = (1 + r ) / (sy) and h(t) + m as t+ s. Schabe [ l l ] proved that C(t) has bathtub-shaped failure rate provided y = T/s 4 . Take the first derivative of h(t) with respect to t and let the derivative equal 0. We have t * = ( 1 -r) s / 2 (7) and h(t*) = 4 / [s ( 1 fr)]. (8) As 0 < y< 1 , there exits the relation, 2/s < h(t*) < 4/s. The typical plots of h(t) are shown in Figure 3. When yapproaches zero, t* = s / 2 , the failure rate curve takes very good

622 symmetry. With increase of y, t* decreases and, at the same time, the burn-in time decreases under the required burn-in rate.

th

h(t) 0.00014

1 \

I

0.00012

0,0001 0.00008 0.00006 0.00004 0.00002

y= 0.95 20000

40000

60000

80000

100000

Figure 3 Typical curves of h(t) with s =lo’, y= 0.015,0.10,0.25,0.50,0.95

4

Modeling Firmware Failure

As firmware and firmware-dominated devices play an important role in safety-critical control systems, the firmware or related products should be designed with rigorous safety standards such as ANSIDSA-SP-84.01 [I61 and IEC 61508 [17]. In each of them, the system performance indices which correspond to different safety levels are clearly stipulated. These indices are indispensable in carrying out firmware reliability analysis and modeling. 4.1. Safety Integrity Levels (SIL)

The Safety Integrity Levels stipulated in IEC 61508 are of important reference for safetycritical system design. There are total 4 levels as shown below. CONTINUOUS MODE OF OPERATION Safety Integrity Level (SIL)

Frequency of Dangerous Failures Per Hour

2 10-’to < 2 lo-*to< 10.~ 210-~t~i 1

2106to