

European Journal of Operational Research 100 (1997) 216-224

Theory and Methodology

A simulation approach to reliability analysis of weapon systems 1

J. Yáñez *, T. Ortuño, B. Vitoriano

Department of Statistics and Operations Research, Universidad Complutense de Madrid, 28 040 Madrid, Spain
Received 1 November 1995; accepted 1 August 1996

Abstract

We report a modeling simulation approach to analyse weapon systems reliability. The introduced functional diagram
generalises the logic diagram allowing the replication on the functioning mode of system components. To handle the
functional diagram, the availability and connection rules are also introduced. Based on the functional diagram, a simulation
model is outlined and a case study, the propulsion system of a Mine Hunter, is included. © 1997 Published by Elsevier
Science B.V.
Keywords: Reliability; Simulation; Weapon system

1. Introduction

Weapon systems are a typical example of large systems in which the reliability, availability and maintenance analysis is of critical importance. As pointed out by Landers et al. [10], the trend toward concurrent engineering raises the need for reliability-modeling tools that are simple to use and can be easily integrated in the production process.
In system reliability studies, the goal is to predict suitable reliability indices for the system on the basis of component failure data and system design. Several approaches have been developed to compute system reliability indices from component reliability information. Following Endrenyi [4], there are two broad groups of analytical approaches to compute system reliability: one is based on the logic networks solution model, and the other on the state-space solution model. The main drawback of the state-space approach is its elaborate technique, including the Markov models solution and the analysis of failure effects. Furthermore, the system size has to be limited.
The network approach is more straightforward and requires simpler computations than the state-space approach. The reliability of the system can be evaluated with the help of logic diagrams, also called reliability block diagrams.
Although the network approach allows a suitable representation of the system, it should be noted that even if the logic diagram exists it may not be an easy task to construct it. Only in simple series-parallel cases are these results obvious. Examples of non-simple series-parallel systems are the 'r-out-of-n' systems and complex systems; see Grosh [6] for further details. In order to handle these non-simple series-parallel systems, Hurley [7] introduced probability maps. But, as was pointed out by Brown [3], Hurley's method becomes tedious when the system contains more than six or seven elements.

1 Research supported by Empresa Nacional Bazán, Complutense University (PR295/95-6145).
* Corresponding author. Fax: +34 1 394 4607, e-mail: jayage@eucmax.sim.ucm.es

0377-2217/97/$17.00 © 1997 Published by Elsevier Science B.V. All rights reserved
PII S0377-2217(97)00274-3

In this paper we propose an alternative representation of the system and its components. This representation is based on the functioning mode of the components in the system. The functional diagram so
defined is equivalent to the logic diagram only for
the non-redundant series-parallel systems. Otherwise, the replicated components or modules will be
considered as different functioning modes. This
would be the case, for example, of an electrical
battery connected to three electrical circuits and
whose failure implies the failure of the three of them.
Dealing with weapon systems, and taking into
account the complexity of any statistic defined to
analyse the cost and operational effectiveness of
such systems, the simulation is the most appropriate
technique to handle the model. Furthermore, it is
also appropriate for other large systems, such as
space shuttles, nuclear reactors, etc.
The functional diagram is defined in Section 2.
The availability and connection rules, which allow
the computation of reliability indices through this
functional diagram, are also defined.
A simulation model based on the functional diagram has been developed by the authors to compute
the mission reliability and other reliability indices of
weapon systems. The data structure and some
flowcharts of this program are outlined in Section 3.
This simulation model is being applied to estimate
the necessary reliability indices for some Spanish
Navy weapon systems. In Section 4 a case study, the
propulsion of a Mine Hunter, is included.

2. Functional diagram
As was pointed out previously, the logic diagram can be constructed easily for simple series-parallel systems. Non-simple series-parallel systems can arise in many real systems. A particular case of this situation is described in the next example.
Example (two circuits and three batteries). Consider the case of an electrical battery that operates in two circuits; see Fig. 1. Both circuits are parallel-connected and each one is composed of an electric motor and its battery: (E1, B1) and (E2, B2). If B1 (B2) fails, then B3 is connected to the first (second) circuit; B3 cannot be connected simultaneously to both circuits.

Fig. 1. Configuration of the two circuits and three batteries example.

Although one of the three batteries is needed for the functioning of the system, there is not any '1 out of 3' structure included in it. Indeed, let us suppose that the battery B1 fails and the battery B3 is connected to the first circuit. At this moment, the system is up, but if the electric motor E1 and the battery B2 fail, then the system fails.
In order to model such situations, we can distinguish the physical components from their functioning modes. In this example, there are 5 components (E1, E2, B1, B2, B3) and 6 functioning modes, denoted as (U1.E1, U1.E2, U1.B1, U1.B2, U1.B3, U2.B3). A representation which takes into account the different functioning modes of the components is shown in Fig. 2. This representation will be defined formally as the functional diagram.
Let M1, M2, M3, M4 be the introduced modules to relate the system and the components. The stand-by battery B3 has two functioning modes: U1.B3 and U2.B3, associated respectively to M3 and M4. The other modules and components have only one functioning mode.

Definition of the functional diagram


The functional diagram is a graph. The vertices are the components, modules and the system, as well as their functioning modes. The edges link these two types of vertices: any (physical) component will be linked with its functioning modes - one or more than one - and, on the other hand, any of these functioning modes will be included in one module or in the system itself.
In the previous example, the two types of vertices are distinguished by representing the (physical) components as 'bold typed' boxes. The system has a unique functioning mode and will be omitted from now on.

Fig. 2. Functional diagram for the two circuits and three batteries example.

For any component i, its indicator variable $X_i(t)$ is defined as a binary variable which takes the value 1 or 0 if the time t is lower or greater than its lifetime, respectively.
Let $X_S(t)$ denote the indicator variable of the system. This variable takes the value 1 when the system is available and 0 otherwise. In order to compute this variable as a function of the indicator variables of the components, a successive modular decomposition is needed, see Barlow [2]: the system is decomposed into its major subsystems; each major subsystem is decomposed into components, and so on. These intermediate subsystems between the system and the components are the modules. Let $X_m(t)$ denote the indicator variable of any included module m.

Remark. To avoid any notational confusion, given an n-component system, the modules will be indexed as $m \in \{n+1, n+2, \ldots, S-1\}$ and the index S will be reserved for the system. For a given module m, let $E_m$ be the index set of its elements.

Availability rule
The functional diagram generalises the logic diagram considering any module as a 'k-out-of-n' structure. The availability rule of any module m, denoted by $AR_m$, identifies the minimum number of its available elements, components or modules, that assures the availability of the module. For a c-element module m, $AR_m \in \{1, 2, \ldots, c\}$. For instance, $AR_m = c$ for a series module m and $AR_m = 1$ for a parallel module m.
Given a c-element module m, with index elements set $E_m$ and availability rule $AR_m$, at any time t its indicator variable is computed in the following way:

$$X_m(t) = \begin{cases} 1 & \text{if } \sum_{j \in E_m} X_j(t) \geq AR_m, \\ 0 & \text{if } \sum_{j \in E_m} X_j(t) < AR_m. \end{cases}$$

Example (two circuits and three batteries). The availability rules for the modules (M1, M2, M3 and M4) and the system S are: $AR_{M1} = 2$; $AR_{M2} = 2$; $AR_{M3} = 1$; $AR_{M4} = 1$; $AR_S = 1$.

Connection rule
Any component may be connected or disconnected. Let $Y_i(t)$ be the situation variable of the component $i \in \{1, 2, \ldots, n\}$. This situation variable will take the value 0 when the component is disconnected at time t and a non-zero value otherwise.
Based on the modular decomposition, the connection rule of any module m, denoted by $CR_m$, states if its elements - components or modules - must be connected or disconnected.
Without any loss of generality, three rules are considered in this paper: the 'chain rule', which disconnects all the elements of the module when it fails, the 'stand-by rule', which connects only the elements needed for the functioning of the module, and the 'active redundancy rule', which disconnects all elements only when the module is disconnected.
The situation variable must also be defined for any module including the system. Given a c-element module m, at any time t the situation variable of any element $i \in E_m$ is computed in the following way:

1. Chain rule ($CR_m$ = 'C'):

$$Y_i(t) = \begin{cases} 1 & \text{if } X_m(t) = 1, \\ 0 & \text{if } X_m(t) = 0. \end{cases}$$

2. Stand-by rule ($CR_m$ = 'S'):

$$Y_i(t) = \begin{cases} 1 & \text{if } X_i(t) = 1 \text{ and } \sum_{j \in E_m,\, j \neq i} X_j(t) \cdot Y_j(t) = AR_m - 1, \\ 0 & \text{otherwise.} \end{cases}$$

3. Active redundancy rule ($CR_m$ = 'A'):

$$Y_i(t) = \begin{cases} 1 & \text{if } Y_m(t) = 1, \\ 0 & \text{if } Y_m(t) = 0. \end{cases}$$

Example (two circuits and three batteries). In this example, the system S and the modules M1 and M2 are connected with the chain rule; the modules M3 and M4 are connected with the stand-by rule:
For the system S ($CR_S$ = 'C'):

$$Y_{M1}(t) = Y_{M2}(t) = \begin{cases} 1 & \text{if } X_S(t) = 1, \\ 0 & \text{if } X_S(t) = 0. \end{cases}$$

For the module M3 ($CR_{M3}$ = 'S'):

$$Y_{B1}(t) = \begin{cases} 1 & \text{if } X_{B1}(t) = 1 \text{ and } X_{B3}(t) \cdot Y_{B3}(t) = 0, \\ 0 & \text{otherwise,} \end{cases}$$

$$Y_{B3}(t) = \begin{cases} 1 & \text{if } X_{B3}(t) = 1 \text{ and } X_{B1}(t) \cdot Y_{B1}(t) = 0, \\ 0 & \text{otherwise.} \end{cases}$$

The construction of the functional diagram does not need any mathematical representation of the structure function nor the computing of the minimal path or minimal cut set. With an adequate computer program any system can be modeled through its functional diagram.
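The two circuits and three batteries example can be evaluated mechanically from the availability rules. The Python sketch below is an added illustration, not the authors' simulation program: the module membership (M1 = {E1, M3}, M2 = {E2, M4}, M3 = {B1, U1.B3}, M4 = {B2, U2.B3}) is inferred from the text, the rule that B3 stays on the circuit that claimed it first is an assumption, and `one_out_of_three` is a hypothetical naive model used only for comparison.

```python
# module -> (availability rule AR_m, elements); AR values are those of the paper,
# the element lists are inferred from the text (assumption)
MODULES = {
    "S":  (1, ["M1", "M2"]),
    "M1": (2, ["E1", "M3"]),
    "M2": (2, ["E2", "M4"]),
    "M3": (1, ["B1", "U1.B3"]),
    "M4": (1, ["B2", "U2.B3"]),
}
# functioning modes of the stand-by battery B3 -> primary battery they back up
B3_MODES = {"U1.B3": "B1", "U2.B3": "B2"}


def indicator(element, x, holder):
    """X_element(t) computed bottom-up with the availability rule."""
    if element in B3_MODES:
        # a mode of B3 counts only if B3 works and is connected through it
        return int(x["B3"] == 1 and holder == element)
    if element in MODULES:
        ar, elems = MODULES[element]
        return int(sum(indicator(e, x, holder) for e in elems) >= ar)
    return x[element]  # physical component with a single functioning mode


def connect_standby(x, holder):
    """Stand-by connection of B3 under the 'one functioning mode' restriction.

    Assumption: once a circuit has claimed B3, B3 stays there until B3 fails.
    """
    if holder is not None and x["B3"] == 0:
        holder = None
    if holder is None and x["B3"] == 1:
        for mode, primary in B3_MODES.items():
            if x[primary] == 0:
                return mode
    return holder


def run(failures):
    """Apply component failures in order; return [(component, X_S)] after each."""
    x = dict.fromkeys(["E1", "E2", "B1", "B2", "B3"], 1)
    holder, history = None, []
    for comp in failures:
        x[comp] = 0
        holder = connect_standby(x, holder)
        history.append((comp, indicator("S", x, holder)))
    return history


def one_out_of_three(failures):
    """Hypothetical naive model: any motor plus any one of the three batteries."""
    down = set(failures)
    return int(bool({"E1", "E2"} - down) and bool({"B1", "B2", "B3"} - down))


if __name__ == "__main__":
    print(run(["B1", "E1", "B2"]))            # scenario described in the text
    print(one_out_of_three(["B1", "E1", "B2"]))
    print(run(["E1", "B2", "B1"]))            # same failed set, other order
```

The scenario from the text (B1, then E1, then B2) ends with the system down although battery B3 and motor E2 still work, which the naive model misses. Under the stated holding assumption the same three failures in another order leave the system up, so the state depends on the history of events and not only on the set of failed components.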

3. Simulation model based on the functional diagram

Following the previous scheme, the authors have developed a simulation program which computes some reliability indices for weapon systems. This program allows the analysis of systems up to 500 components and 500 modules. The complexity of the reliability indices computed by the program justifies this simulation model, whose block diagram and its basic assumptions and data structure will be outlined in this section. See Yáñez et al. [14] for further details about this program.

For any module, its elements, availability rule and connection rule must be introduced. The process finishes by introducing the life and repair times of the components.
The state of the system is defined by the variables X and Y associated to each module and component. Indeed, any change of the system is characterised by a change of these variables through the availability and connection rules.
The fail/repair events of the components will be transmitted (bottom-up) following the functional diagram from the right-nodes (associated to the components) to the left-nodes (the modules); the top is the system. Analogously, the connection/disconnection events of the system and the modules will be transmitted (top-down) from any module (including the system) to the affected modules and components.
In large systems, numerical techniques are the
only suitable ones to handle the set of X and Y
variables and, within them, the Monte Carlo technique is the most appropriate. The double scheme
presented above is the kernel of this technique. All
the statistics that can be calculated depend on the
evolution of the X and Y variables over time.

Mission reliability of weapon systems


The weapon systems reliability is based on its behaviour under different environmental conditions over time. Any of these different situations will be denoted as phase type. Examples of phase types for a war ship could be the cruising phase, anti-submarine warfare phase, port phase, etc.
The phased mission profile is a set of sequences,
each one characterised by one of these phase types
and a time length. Consequently, the mission reliability will be used to evaluate the weapon system
reliability.
The mission reliability is an effectiveness index
based on the system down time, which is compared
with a fixed critical time. This critical time may vary
with the phase type. For instance, a failure in the
communication system of a war ship is catastrophic
under anti-air warfare and not in the port.
The Mission reliability is defined at instant t as
the probability that the accumulated 'down times' for
the system in the sequence (with phase type p) and
in the mission are lower than ADP(p) (Allowed
Down time for the Phase type p) and ADM (Allowed Down time for Mission) respectively.
We must notice the complexity of the mission reliability evaluation. As was pointed out, the reliability indices depend on the phase type and, moreover, the system structure may change drastically with the phase type. A war ship under anti-submarine warfare, for example, must be propelled by electric motors because Diesel engines are not allowed.
Basic assumptions of the simulation model:
1. Each component is either operating or failed,
and so is the system.
2. Each component lifetime distribution is known.
3. The state of the system is determined solely by
the states of the components by means of a binary
coherent structure function.
4. The states of the components are statistically
independent.
5. Components are repaired-same-as-new. The repair begins once the component fails. Each repair
time distribution is known.
In the case that components are replaced, the time
involved in this operation, if the needed spare exists,
will be denoted by repair time also.
In the simulation model, the failure and repair
times were assumed to be exponentially distributed.
The exponential distribution can be used either to
compute the lower bounds of the system MTBF and
system MTTR (see Kim et al. [9]), or to model any
probability distribution through modular decomposition (see Bain et al. [1]).
Simulation model inputs:
1. Number of phase types. Structure function for
each phase type.
2. Mission: number of sequences, time length and
phase type for each sequence.
3. Allowed down time for each phase type and for
the overall mission.
4. For every component: MTBF and MTTR. The
MTTR may vary with the phase type.
5. For every module m: its elements ($E_m$), its availability rule ($AR_m$) and connection rule ($CR_m$).
6. Two replication modes are considered: 'one functioning mode' (this is the case of battery B3 of the
example given in Section 2) or 'shared functioning
modes', when the simultaneous connection is allowed.
7. Spare limits and delays: The repair of a failed component needs the associated spare. There are three storage levels and, associated to them, a number of spares and a time to acquire them. The spares are requested from the first level; if there is no spare in this level, they are requested from the second level, and so on. To clarify this concept, consider a war ship for which the spares can be stored in the ship (level 1), in another ship of the fleet (level 2) or in port (level 3). The delay time associated to each level must be added to the repair time and could be of critical importance in the system down time computation.
Event descriptions and data structure
The time simulation evolution is based on the
next-event scheme. Five types of events are considered: Failure of a component, repair of a component,
end of sequence, end of mission and down time of
the mission. The two former events are generated by
Monte Carlo techniques. The end of sequence or
mission depends on the mission profile. The down

Set mission clock = 0


Initialise statistics of mission

Set type phase of sequence


Update parameters of sequence
Add System to c. list

Deternfine the nexl event type.


Advance the mission clock to the
time when event i is to occur.

failure of mission

"f NO

end of mission ]

Fig. 3. Mission control flow for the next-event time-advance


approach.

J. Yffiez et al. / European Journal o f Operational Research 100 (1997) 216-224

time of the mission depends on the evolution of the


system and the values A D P ( p ) and ADM.
Suppose, for instance, that the next event is the
failure of a component c at time t. This failed
component is checked in order to see if the failure is
transmitted or not to the module which contains any
of the functioning modes of such element. In the
case that the failure is transmitted up, the failed
module must be checked, and so on.
These computations are performed through a list:
any element, component or module, which fails is
added to the list and it will be removed from the list
after it is checked. The process finishes when the list
is empty.
The list associated to the failure event type is denoted by f_list. Analogously, three other lists must be defined: r_list, c_list and d_list, associated respectively to the repair, connection and disconnection event types.


The functioning of the other lists is similar. It is
important to notice that the lists are not independent.
For example, every element of a module must be
disconnected when it fails and the connection rule of
the module is the chain rule. The simulation clock
can be advanced only when every list is empty.
The simulation model control flow and the failure
type event routine flowchart are shown in Figs. 3 and
4.
Simulation model outputs

The mission reliability is estimated as the rate of mission failures. Other reliability indices are also estimated: the mission reliability function, the system availability function, etc.
Some logistic parameters can also be estimated for each component:
- Failures/mission: computes the total number of failures of each component divided by the number of simulated missions.
- Unavailable time mission: computes the overall unavailable time for each component divided by the simulation time. This time includes the repair time and the delayed time to get the needed spare. For non-repairable components, this statistic computes the time since the instant of failure until the end of the mission.
- Induced mission of failures: computes the percentage of mission failures induced by each component. For a parallel system with four components this statistic will be 25.00 for all components.

[Fig. 4. Routine void f_list. Flowchart steps: let h be the head of the f_list; remove h from f_list; repeat for all functioning modes u of element h; let m be the module which includes functioning mode u.]

4. Case study. Propulsion system of a mine hunter

Data inputs

We consider the propulsion system of a Mine Hunter. Two phase types are considered: Cruising and Anti-submarine warfare. The Diesel Engines in the Anti-submarine warfare phase are not allowed. The configurations of these two phase types are shown in Figs. 5 and 6. The component codes will be explained in Table 2. For further details about this example, see García et al. [5].
The arrows indicate a stand-by redundancy for all blocks except for the LP3 component in the cruising structure, which has a replication of functioning mode in stand-by for the LP1 and LP2 components. The functional diagram of cruising phase structure is shown in Fig. 7.

Fig. 5. Cruising structure.

Fig. 6. Anti-submarine structure.

The availability and connection rules of the cruising phase structure are shown in Table 1.

Table 1
Availability and connection rules of the cruising phase
Module:  M1, M2, M3, M4, M5, M6, M7, M8
AR_M:    6, 1, 1, 1, 1, 2, 2, 1, 1
CR_M:    C, S, S, S, S, C, C, S, S

The propulsion system components data are shown in Table 2. Constant failure rates are assumed for the time-to-failure and time-to-repair distributions so that only MTBF and MTTR must be specified. The MTTR depends on the phase type. The value ∞ for the MTTR is assigned to a non-repairable component. For illustrative purposes, the real data have been modified to enforce the failure of all components.

Table 2
Propulsion system components data
Code            Description        MTBF (hours)   MTTR cruising (hours)   MTTR anti-sub. (hours)
DG1, DG2        Diesel Generator   500            4                       4.5
LP1, LP2, LP3   Lubrication Pump   200            5                       5
DE1, DE2        Diesel Engines     150            10                      9
EM1, EM2        Electric Motors    200            2                       2
SWP             Sea Water Pump     1500           2                       2
RED             Reduction Gear     1550           1                       1
BEA             Bearing            2400           0.5                     0.5
PRO             Propeller          10000          ∞                       ∞

The Availability-Reliability-Maintenance Analysis is based on a 1200 hours mission. The mission profile is shown in Fig. 8. The Allowed Down-times for the Mission and phases cruising and anti-submarine are 10, 10 and 1 hours respectively.
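The mission reliability definition of Section 3, applied to this mission profile and these allowed down times, as an added Python example (not the authors' program). The down periods in `RUNS` are constructed sample data, and restarting the phase down-time counter at the start of every sequence is an assumption about how the definition is applied.

```python
# Mission profile and allowed down times of the case study (hours)
PROFILE = [("cruising", 0.0, 1000.0), ("anti-submarine", 1000.0, 1200.0)]
ADP = {"cruising": 10.0, "anti-submarine": 1.0}   # allowed down time per phase type
ADM = 10.0                                        # allowed down time for the mission

# Constructed sample data: system down periods (start, end) of five simulated missions
RUNS = [
    [],
    [(100.0, 104.0), (1050.0, 1050.5)],
    [(200.0, 203.0), (600.0, 608.0)],
    [(995.0, 1003.0)],                            # down period crossing the phase change
    [(300.0, 302.0), (1100.0, 1100.4), (1150.0, 1150.5)],
]


def mission_failure_time(down_intervals, profile=PROFILE, adp=ADP, adm=ADM):
    """Return the instant at which the mission fails, or None if it never does.

    down_intervals must be sorted and non-overlapping. The mission fails as soon
    as the accumulated down time of the current sequence reaches ADP(p) or the
    accumulated down time of the mission reaches ADM.
    """
    mission_down = 0.0
    for phase, seq_start, seq_end in profile:
        seq_down = 0.0  # assumption: the counter restarts with each sequence
        for start, end in down_intervals:
            lo, hi = max(start, seq_start), min(end, seq_end)
            if hi <= lo:
                continue  # this down period does not touch the sequence
            # down time still tolerated before either limit is reached
            slack = min(adp[phase] - seq_down, adm - mission_down)
            if hi - lo >= slack:
                return lo + slack
            seq_down += hi - lo
            mission_down += hi - lo
    return None


def mission_reliability(runs, t):
    """Fraction of simulated missions that have not failed by time t."""
    ok = 0
    for down_intervals in runs:
        failed_at = mission_failure_time(down_intervals)
        if failed_at is None or failed_at > t:
            ok += 1
    return ok / len(runs)


if __name__ == "__main__":
    for t in (1000.0, 1200.0):
        print(t, mission_reliability(RUNS, t))
```

The fourth run shows why the phase type matters: five hours of down time are tolerated while cruising, but the same outage fails the mission one hour after the anti-submarine sequence begins.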
Three logistic levels are considered; their delays are 0.5, 2.0 and 100 hours respectively. The third level is not restricted. For each component and for each of the logistic levels 1 and 2, the spare limits are shown in Table 3.

Fig. 8. Propulsion system mission profile: cruising from t = 0 to t = 1000, anti-submarine from t = 1000 to t = 1200.

Table 3
Spare component limits
Component     DG   LP   DE   EM   SWP   RED   BEA   PRO
Log.Level_1   2    1    5    2    1     2     1     0
Log.Level_2   1    1    3    1    1     1     1     0

Fig. 7. Propulsion system functional diagram.

Data outputs

With these data and 100 simulated missions, the following reliability indices were obtained:
Number of Mission failures: 52.
Rate of Mission failures: 0.52.
Mission reliability (t = 1000): 0.69.
Mission reliability (t = 1200): 0.48.
System availability (t = 1000): 0.78.
System availability (t = 1200): 0.76.
Some component statistics are shown in Table 4.

Table 4
Component statistics
Components   Failures/mission   Unavailable time mission   Induced mission failures
SWP          0.77               10.73                      23.24
BEA          0.51               4.71                       10.25
RED          0.71               2.71                       20.19
PRO          0.18               100.49                     25.64
DG1          2.08               55.45                      1.83
DG2          0.08               8.09                       1.83
DE1          4.29               129.90                     1.67
DE2          3.47               117.36                     1.28
EM1          1.75               44.56                      2.31
EM2          0.09               5.47                       1.35
LP1          3.17               530.98                     3.17
LP2          2.41               548.44                     2.37
LP3          2.19               599.08                     4.87

Remark. These data were obtained with the simulation model outlined in Section 3 running on a Compatible IBM Personal Computer 386. The execution time was 12 seconds.
Remark. The modular decomposition of the system proposed in this paper is based on the 'k-out-of-n' structure. Other structures could appear as modules in many real systems; this is the case of complex structures: see for example, Tillman et al. [12] and Hwang et al. [8].
The functional diagram introduced in this paper generalises the logic diagram allowing the replication of functioning modes of any component and any module. Indeed, and taking into account that complex systems can be represented as redundant series-parallel systems, these systems can also be modeled through the functional diagram.
In Fig. 9, the bridge structure configuration and its functional diagram based on the minimal path representation are shown.

5. Conclusions


The distinction between the physical components (or modules) and their functioning modes allows dealing with redundant systems through the functional diagram. Consequently, the functional diagram is a generalisation of the logic diagram and both representations are equivalent for simple series-parallel systems.
The modular decomposition based on the 'k-out-of-n' structure, with the availability and connection rules, allows the functional diagram construction. This construction does not need the knowledge of the minimal path or minimal cut sets and it can also be easily implemented as a general purpose program. This implies that the analyst-user does not have to build a separate program for each application; see Locks [11].
For weapon systems and other large systems, a simulation program based on the functional diagram is appropriate. This simulation model can easily incorporate any logistic characteristic such as spare limits, delays in the reception of spares, etc. Also any reliability, availability and maintainability indices can be defined. For such systems, the mission reliability is very difficult to compute analytically; see Vujosevic [13].

Fig. 9. Bridge system: configuration and functional diagram.

Acknowledgements

We thank D. Isidoro García, Engineer of the Logistic Department of the 'Empresa Nacional Bazán', and responsible for the Project 'Tendal'. The purpose of this project is the analysis of reliability, availability and maintenance of naval weapon systems.
We also thank the referees and the Associate Editor for their helpful comments.

References
[1] Bain, L.J., and Engelhardt, M., Statistical Analysis of Reliability and Life-Testing Models, Marcel Dekker, New York, 1991.
[2] Barlow, R.E., and Proschan, F., Statistical Theory of Reliability and Life Testing Models, Holt, Rinehart & Winston, New York, 1975.
[3] Brown, D.B., "A computerized algorithm for determining the reliability of redundant configurations", IEEE Transactions on Reliability 20/3 (1971) 121-124.
[4] Endrenyi, J., Reliability Modeling in Electric Power Systems, Wiley, New York, 1978.
[5] García, I., and Molinero, J., "Análisis de fiabilidad, disponibilidad y mantenibilidad de sistemas complejos", Ingeniería Naval 691 (1993) I-XII.
[6] Grosh, D.L., A Primer of Reliability Theory, Wiley, New York, 1989.
[7] Hurley, M.P., "Probability maps", IEEE Transactions on Reliability 12 (1963) 39-44.
[8] Hwang, C.L., Tillman, F.A., and Lee, M.H., "System reliability evaluation. Techniques for complex large systems - A review", IEEE Transactions on Reliability 30/5 (1981) 416-423.
[9] Kim, C., and Lee, H.K., "A Monte Carlo simulation algorithm for finding MTBF", IEEE Transactions on Reliability 41/2 (1992) 193-195.
[10] Landers, T.L., Taha, H.A., and King, C.L., "A reliability simulation approach for use in the design process", IEEE Transactions on Reliability 40/2 (1991) 177-181.
[11] Locks, M.O., "The maximum error in system reliability calculations by using a subset of the minimal states", IEEE Transactions on Reliability 20/4 (1971) 231-234.
[12] Tillman, F.A., Hwang, C., Fan, L., and Lai, K.C., "Optimal reliability of a complex system", IEEE Transactions on Reliability 19/3 (1970) 95-100.
[13] Vujosevic, M., "Uncertainty in reliability evaluation processes and a simulation approach to treating it", European Journal of Operational Research 32 (1987) 245-250.
[14] Yáñez, J., Ortuño, T., and Vitoriano, B., "Manual de usuario TENDAL 2 (versión 2.0)", E.N. Bazán, 1993.
