Advanced Maintenance Modelling

Aircraft Mission Reliability Modelling with Maintenance

Free Operating Periods

Sam Chew, and Sarah Dunnett

Department of Aeronautical and Automotive Engineering
Loughborough University
LE11 3TU, UK

John Andrews
Nottingham Transportation Engineering Centre
University of Nottingham
NG7 2RD, UK

Abstract

To evaluate the likelihood of the successful completion of an aircraft flight it can be

defined as a phased mission. In this case the mission is represented as a sequence of
tasks each of which requires a different functionality for success. As such the failure
causes of each phase will be different, usually represented by a phase failure fault
tree. Mission success requires that every phase is completed successfully. A
simplistic representation for the aircraft flight would have phases of: taxi to runway,
take off, ascend, cruise, descend, land and taxi back to terminal building.

Aircraft failures potentially have two effects when they occur. They could, in extreme
cases, produce a catastrophic failure resulting in the loss of the platform, or require
repair and so render the aircraft unavailable for service. For military aircraft this
would mean that missions planned may not be possible and result in an inability to
respond to threats. The unpredictability of the fault occurrence also makes it difficult
to plan the resources required for the maintenance. A concept proposed to better
represent this situation compared with traditional reliability metrics is that of the
Maintenance Free Operating Period (MFOP). This is a period of time that the
aircraft would operate with a specified, high, probability that it will not require
maintenance. After the MFOP a Maintenance Recovery Period (MRP) is carried out
when the aircraft is prepared for its next MFOP.

To model the effectiveness of a fleet of aircraft operating under an MFOP regime is

complex This paper describes how this can be achieved using a Petri Net approach.
The model features are described along with the validation process.

Keywords: phased missions, Petri nets, maintenance free operating period, MFOP

1
 Proceedings of the 38th ESReDA Seminar, Pecs, May 4-5, 2010

1. Introduction
Aircraft flights can be represented as a phased mission as a means to evaluate the
likelihood of its failure. A mission is known as phased if it can be split up into
consecutive periods of time where the objectives to be achieved are different from
one phase to the next. Since the objectives vary between phases then so do the causes
of failure. The causes of each phase failure can be expressed as a phase fault tree.
For the mission to be completed successfully all of the phases must have been
completed successfully. The analysis of such a mission will give the mission failure
probability or mission unreliability.

The main methods used to calculate the mission unreliability are Fault Tree Analysis
(FTA), Markov analysis and simulation depending on whether the system is
repairable during the mission. For non-repairable systems such as aircrafts in flight
fault tree analysis can be used [1,2] usually solved by converting the fault trees to
Binary Decision Diagrams (BDDs) for efficiency. If at least some of the components
can be repaired during the mission such, as a ship voyage, then Markov or simulation
techniques can be used [3].

The concept of a Maintenance Free Operating Period (MFOP) was proposed by the
UK Ministry of Defence. Its intended purpose is to improve the performance of
military aircraft to better meet the needs of aircraft operators [4]. Its applications,
however, are not restricted to aircraft. MFOP is defined as “a period of operation
during which the equipment must be able to carry out all its assigned missions
without any maintenance action and without the operator being restricted in any way
due to system faults or limitations with a specified level of confidence (probability).”
[5]. Following each MFOP is a Maintenance Recovery Period or MRP, where the
aircraft is repaired to such a level that it is capable of completing the next MFOP.

Predicting the performance of aircraft which operate phased missions within an

MFOP maintenance regime is complex and predicts the likelihood of MFOP
completion. A Petri net method to analyse such a situation has been developed
previously [6,7]

The method reported in this paper extends the original basic approach to include more
complex aspects of both phased missions and MFOPs. The following sections
consider the elements of the model described above in more detail.

2. Petri Nets
Petri nets (PNs) [8] are a graphical modelling tool used to representation the dynamic
changing of states in a system. It is a generally applicable method which has been
applied to a large range of systems in many disciplines. A Petri Net is a bipartite
directed graph with two types of nodes: places, which are circular, and transitions,
shown as bars, which are linked to each other through directed edges called arcs. In a

2
 Advanced Maintenance Modelling

reliability application the places represent states of components or sub-systems within

the system. The transitions are the means by which the system state change occurs.
Places contain a discrete number of tokens (shown as small dots), which indicate the
state that the system currently resides in. This provides the dynamic aspect to the net
and the tokens are moved through transition switching. An example of transition
switching is shown in Figure 1. Transition Enabling and Switching.
.

Figure 1. Transition Enabling and Switching.

Figure 2. Inhibitor arc preventing switching

In Figure 1. Transition Enabling and Switching.

a transition is shown as having three input places. Note that the arcs connecting two
of the input places to the transition have a number associated with them. This number
is known as its multiplicity. This indicates the number of tokens required to reside in
the place in order to enable the transition. When each of the input places contains a
number of tokens which is at least equal to the number of arcs between itself and the
transition, the transition is said to be enabled. Upon enablement, the transition may
have a delay time attached to it, t, after which time it will switch, removing the
number of tokens indicated by the arcs from the input places and putting an arc-
number of tokens in each of the output places. If the transition is immediate, t=0, it is
shown on the Petri net as a solid bar.

Figure 2 shows the same Petri net with one addition – a fourth place inputs to the
transition using an inhibitor arc, shown as normal arc but with a small circle instead
of an arrow. Whenever the input place is marked with the correct number of tokens
(one in this case), the transition is disabled and cannot switch after its delay time.
Note that if a transition takes inhibitor arcs from more than one place, any one of the
arcs being activated is enough to disable the transition.

Jensen [9] introduced coloured tokens. These allow tokens to be of different colours
to represent the performance of similar systems on the same net. A single net can
process tokens of different ‘colours’ (platforms) in different ways. By this means a

3
 Proceedings of the 38th ESReDA Seminar, Pecs, May 4-5, 2010

fleet of independent yet identical platforms can be modelled. This is the situation
which is considered in his paper.

Different Petri nets may interact by arcs linking specific places and transitions in the
relevant Petri nets, displayed as dashed lines. The presence of these arcs essentially
combines the nets into one whole PN.

Two failure modes for each aircraft are considered in the analysis. The first failure
mode is one which requires maintenance and therefore leaves the platform intact but
fails the MFOP. A second failure mode is catastrophic which results in the loss of the
aircraft.

3. Model Predictions
For analysis the Petri net models would be simulated and once convergence had be
reached certain system performance parameters extracted from the model. The
critical performance measures which would be of interest for this type of system are:

• The probability that a platform will complete a specified MFOP

successfully.
• The probability that a platform will not experience a catastrophic
failure.

The flexibility of the Petri net approach means that there is a great deal of information
which can be extracted to relate mission failure (catastrophic and non-catastrophic) to
the type of mission being undertaken at the time, the phase in which failure occurred,
or the likelihood of each component or sub-system contributing to the mission failure
event (importance measures).

4. Modelling Phased Missions

As described in Chew et al [6,7], the overall Petri net structure used to model
MFOPs and phased missions is generated by linking smaller Petri net structures
created to represent the system hierarchy. This extends the approach given in [10] to
provide a structured modelling technique and uses three different types of net:
• Component Petri Net (CPN) – represents the failure and repair
transitions for each component. Times to failure are generated by
sampling from the component failure time distribution. Repair is
allowed in the MRP.
• Phase Petri Nets (PPN) – Each phase of the mission has a given
failure logic which expresses the system failure in that phase in terms
of component or basic event failures. These are commonly expressed
as fault trees, which can be converted into PN form. For each phase
two failure modes are modelled – that which causes catastrophic
platform failure, and that which requires the platform to undergo
maintenance during the MFOP period and so just fails the MFOP.

4
 Advanced Maintenance Modelling

• Master Petri Net (MPN) – Governs Platform, MFOP, mission and

phase operation, abandonment and failure.

4.1 Master Petri Net

The Master PN capability has been extended from that described in [6] and considers
different missions and MFOPs performed by a fleet of identical platforms. This is
accomplished using complex combinations of the network structures given below:

Mission Modelling

Phased missions are sequences of phases which, if any phase is failed or abandoned,
are considered failed themselves. Figure 3. Example Four-Phase Mission PN Model.
3 shows the PN structure for an example four-phase mission.
Msn Active Phase 1 t1 Phase 2 t2 Phase 3 t3 Phase 4 t4 Mission
End

P1 P4
Failure P2 Failure P3 Failure Failure

Mission Failure
Figure 3. Example Four-Phase Mission PN Model.

For each mission three places are used to indicate the status of the mission – “Mission
active”, commencing the first phase; “Mission End”, signalling the end of the
mission; and “Mission Failure”, displaying failure of the mission without total loss of
the platform. The mission net also contains a number of places equivalent to the
number of constituent phases, leading in sequence from the first phase through to the
mission end. A timed transition allows the switch between phases, with each
switching time being equivalent to the phase length or sampled from a distribution of
phase lengths.

MFOP Modelling

During any MFOP period an aircraft can be scheduled to perform a variety of

missions selected from a set of possible missions. These missions can also be
performed in different sequences. In the modelling an MFOP is defined as a
predetermined set of missions carried out in a set order. Error! Reference source not
found.Figure 4 shows an example of this. Each MFOP has a distinct sequence of
missions, and can be carried out by multiple platforms at the same time, as the two
tokens of different colours in the “MFOP 1” place shows. In this example all MFOPs
are made up of mission types Msn1, Msn2 and Msn3 performed in orders (1,2,3),
(3,2,1) and (2,1,3) respectively. Upon beginning a mission, a token is sent to begin
the phases that make up that mission. When the mission ends it places a token back
in the “Msn End” place. Once all missions are complete, a token is put in the “MFOP
End” place, beginning an MRP.

5
 Proceedings of the 38th ESReDA Seminar, Pecs, May 4-5, 2010

Msn Active Msn Active Msn Active

MFOP 1 Msn 1 Msn 2 Msn 3

Msn End Msn End Msn End
Msn Active Msn Active Msn Active

MFOP
End
MFOP 2 Msn 3 Msn 2 Msn 1
Msn End Msn End Msn End
Msn Active Msn Active Msn Active

MFOP 3 Msn 2 Msn 1 Msn 3

Msn End Msn End Msn End

Figure 4. MFOP Model

Figure 5 shows the method by which MFOP failure is modelled. In this example the
MFOP is required to carry out three types of mission ‘Msn 1’, ‘Msn 2’and ‘Msn 3’ in
the order 3,2,1 as shown. An MFOP is considered failed if during any mission within
that MFOP a failure is experienced which requires maintenance prior to the MRP.
Catastrophic platform failure (total loss of platform) in each phase of each mission
has a different model. In this example MFOP 2 is shown as being the active MFOP
for a platform. Mission 2 is currently active, but that mission has just failed. Instead
of the usual procedure of commencing the next mission (mission 1) upon completion
of mission 2, an immediate transition removes the token from the “Msn 2” place and
deposits one in the “MFOP End” place, so the repair process can begin immediately.

Msn 2
Failure Msn 1
Failure
Msn Active Msn Active Msn Active

MFOP
End
MFOP 2 Msn 3 Msn 2 Msn 1
Msn End Msn End Msn End

Msn 3
Failure

Figure 5. MFOP Failure

Fleet Modelling

The PN model will consider a number of aircraft, each one of which performs its own
sequence of MFOPs, as shown in Figure 4. Once that sequence is completed for each

6
 Advanced Maintenance Modelling

aircraft, the simulation is complete. Different coloured tokens are used to identify
each aircraft.

Total Loss of Platform

A catastrophic failure of a platform results in its total loss. The causes of such a
failure have their own PN structure for each phase of each mission. The overall
model structure for this situation is shown in Figure 6.

Component A.B Phase 2 PN Phase 1 Phase 2 Phase 3 Phase 4

PN
A up A dn
P2 Top

C.D
B up B dn
Msn 3
Complete

Catast-
C up C dn Msn 3 rophe Total Loss
Active Simulation
Complete

D up D dn MFOP 2 Msn 3

Master PN
Plane 3 MFOP 2

Figure 6– PN Model of Catastrophic Failure

In this simple example the overall system performance is dependent upon four
components, A, B, C and D. The individual component PNs are illustrated to the left
of the PN. Part of the Master PN is shown on the right of the figure, showing Plane 3
executing its first MFOP 2 and mission 3, which is in phase 2. The conditions for
catastrophic failure are given in the central section of the PN where the causes of the
phase 2 failure of the current mission and MFOP are given. So in this case if both A
and B, or C and D fail at the same time then a token is placed in ‘P2 Top’ indicating
that the conditions for a catastrophic failure in phase 2 have been achieved (as
shown).

‘P2Top’s marking enables the immediate firing of the transition below the “Phase 2”
place. Switching this removes the tokens from “Phase 2” and “Msn 3 Active”, and
places a token in the “Catastrophe” place.

5. Complex Model Features

Having developed a basic Petri net modelling capability for groups of platforms
undergoing phased missions and employing a MFOP maintenance regime
complexities can be developed into the models which enable improved modelling of
the actual situation.

The following features have been incorporated into the model capabilities [11]:

7
 Proceedings of the 38th ESReDA Seminar, Pecs, May 4-5, 2010

Variable Phase Lengths

Rather than fixed phase time durations as is required for many of the analytical
phased mission models, the phase durations can be sampled from a statistical
distribution. This feature is incorporated in the code together with a process which
identifies phases which have to be the same length. This option would be relevant for
aircraft flying on the same route.

Phase Selection
A phased mission does not necessarily consist of a linear sequence of phases. It is
possible that different events, such as failure of one or more of the objectives (for
example failing to destroy a target with a missile) may lead to future actions in a
mission being selected from an array of choices. There are two ways in which future
phases can be determined: event driven from within the model (such as loss of some
functionality), and external factors (such as enemy threats emerging). In the first of
these situations the selection of the future phases is linked to the occurrence of an
event in the model. The second is linked to selection based on the likelihood of
occurrence.

Component Replacement
This feature of the modelling allows components with deteriorating condition to be
replaced after a specified life-time, usage, or on condition, prior to failure.
Inspections to establish component conditions can be carried out at any specified
intervals. Many components, known as line replaceable components, are not replaced
individually but in batches since they are physical items removed or replaced as a
whole. This too is accommodated in the model.

Redundancies
Systems which operate an MFOPS regime would need to be designed to operate in
this way and have the ability to carry some failures enabling the reliable completion
of the MFOP. As such there would need to be redundancy built into the system.
Redundant elements of the system can operate as hot, warm, or cold standby
depending on the failure characteristics in standby. All three situations can permitted
in the model capabilities.

Prognostics
Some components can be monitored to predict the useful life remaining. These
components have a prognostic indicator which allows an estimate of the remaining
life to be made. This capability, monitoring the prognostic indicator by a sensor
involves the development of a model to predict the rate of wear on a component.

6. Example Application

A Petri net software tool has been developed to establish the reliability parameters for
a fleet of aircraft operating under maintenance free operating period regime
comprising of phased missions. The software has been used to analyse a number of
MFOPS examples. Some of these are small enough for the accuracy of the

8
 Advanced Maintenance Modelling

methodology to be validated, others demonstrate the ability to analyses real system

problems.

Test case 1
The first test case was a simple single system for which analytical results could be
obtained. In order for an analytical solution to be obtained the definition of the
phased mission is necessarily simple. Four phase fault trees were defined and the
systems were only dependent upon four components. Full details of this example are
given in reference 11. These four phases were considered to make up a mission and
this was carried out three times in an MFOP period. This effectively constructs a 12-
phase phased mission. After 10 million simulations the results of the Petri net model
and the analytical solution were compared. This comparison is shown in Table 1.

Phase 1 2 3 4 5 6
Analytical 0.00225 0.03850 0.05107 0.00194 0.03452 0.05447
Solution
Petri net 0.00224 0.03857 0.05096 0.00194 0.03453 0.05442
model
Percentage 0.444% 0.182% 0.215% 0.0% 0.029% 0.092%
error

Phase 7 8 9 10 11 12
Analytical 0.05210 0.00327 0.03271 0.05493 0.05302 0.00451
Solution
Petri net 0.05209 0.00328 0.03270 0.05486 0.05302 0.00448
model
Percentage 0.019% 0.306% 0.031% 0.127% 0.0% 0.665%
error

Table 1: Comparison of model results

Test Case 2
The system structure for this test case consisted of ten phases dependent upon the
performance of ten components. Results obtained after 1,000,000 simulations were
compared with those obtained from an alternative simulation model. The modelling
included both catastrophic failure of the system and MFOPS failures. The results for
comparison is shown in table 2.

Phase 1 2 3 4 5
Simulation 0.02119 0.02740 1.21 x 10-5 0.01799 0.15895
Solution
Petri net 0.02130 0.02743 1.42 x 10-5 0.01803 0.15887
model
Percentage 0.519% 0.109% 17.355% 0.222% 0.050%
error

9
 Proceedings of the 38th ESReDA Seminar, Pecs, May 4-5, 2010

Phase 6 7 8 9 10
Simulation 0.01563 0.02864 0.07067 0.00 0.22204
Solution
Petri net 0.01573 0.02879 0.07054 0.00 0.22164
model
Percentage 0.640% 0.524% 0.184% - 0.180%
error

Table 2: Comparison of Phase Failure Probabilities for Different Analysis Methods

Modelling a large system

The Petri net tool was used to analyse mission scenarios for a real aircraft. Three
missions were defined for: anti-submarine warfare, anti-surface warfare, and search
and rescue. These missions were made up of 13 phases each (differing phases for
each mission) depending on around 500 components. A fleet of three aircraft were
considered. Causes for catastrophic and MFOPS failures were determined.
Convergence was achieved after around 71,000 simulations.

7. Summary

A method has been presented to model the reliability characteristics of a fleet of

aircraft operating phased missions under a Maintenance Free Operating Period
(MFOP) regime. Petri nets have provided the flexible modelling technique and
coloured tokens used within the model have enabled the performance of a fleet of
identical platforms to be modelled using the same model structure. Each platform
undergoes a distinct sequence of MFOPs each of which consists of a sequence of
missions, each of which in turn has a sequence of phases. System failures take two
forms – they either are either catastrophic resulting in the loss of the platform, or they
will require repair and fail the current mission and MFOP. This can be considered as
either the failure of the mission objectives where the platform survives (mission
abandonment).

For an aircraft to operate in a MFOPS regime it requires certain features which will
enable the platform to operate whilst carrying some faults. The capability to model
these characteristics has been incorporated into the Petri net code.

The code has been validated against test case problems and demonstrated by
application applied to an example of the complexity of a real industrial problem.

Acknowledgement

John Andrews is the Royal Academy of Engineering and Network Rail Professor of
Infrastructure Asset Management. He gratefully acknowledges the support of both
organisations.

10
 Advanced Maintenance Modelling

References
[1] La Band R.A. and Andrews J.D., “Phased Mission Modelling using Fault Tree
Analysis”, IMechE Proceedings Part E, Journal of Process Mechanical
Engineering, 2004, Vol 218, pp83-91.
[2] Zang, X., Sun, H., and Trivedi, K.S., “A BDD-based Algorithm for Reliability
Analysis of Phased Mission Systems”, IEEE Transactions on Reliability, 1999,
48, pp50-60.
[3] Smotherman, M. and Zemoudeh, K., “A Non-homogeneous Markov Model for
Phased Mission Reliability Analysis, IEEE Transactions on Reliability, 1989,
38(5), pp585-590.
[4] Appleton, D.P., "Future Offensive Aircraft - maintenance free operating
periods," Proceedings of the R, M & T for Future Projects Seminar, 1996.
[5] Hockley, C.J., "Design for success," Proceedings - Institution of Mechanical
Engineers, Vol. 212, No. G, 1998, pp. 371-378.
[6] Chew, S.P., Andrews, J.D. and Dunnett, S.J., “Phased mission modelling of
systems with maintenance-free operating periods using simulated Petri nets”,
Reliability Engineering and System Safety, 93(7), 2008, pp980-994.
[7] Chew S, Dunnett S.J. and Andrews J.D., ‘Aircraft Mission Reliability
Modelling with Maintenance Free operating Periods’, Proceedings of the
COMADEM conference, Prague, June 2008.
[8] Schneeweiss , W.G., 1999. Petri Nets for Reliability Modeling. LiLoLe-Verlag
GmbH.
[9] Jensen, K., "Coloured Petri nets: A high level language for system design and
analysis," Lecture Notes in Computer Science: Advances in Petri Nets 1990,
Vol. 483, 1990, pp. 342-416.
[10] Mura, I., and Bondavalli, A., "Markov Regenerative Stochastic Petri Nets to
Model and Evaluate Phased Mission Systems Dependability," IEEE
Transactions on Computers., Vol. 50, No. 12, 2001, pp. 1337-1351.
[11] Chew, S., “System Reliability Models for Phased Mission Systems Operating
Maintenance Free Operating Periods”, Doctoral Thesis, Loughborough
University, 2010.

11