Reliability Analysis of C 4 ISR Systems Based on Goal ‐ Oriented Methodology

: Hard ‐ and ‐ software integrated systems such as command and control systems (C 4 ISR sys ‐ tems) are typical systems that are comprised of both software and hardware, the failures of such devices result from complicated common cause failures and common (or shared) signals that make classical reliability analysis methods will be not applicable. To this end, this paper applies the Goal ‐ Oriented (GO) methodology to detailed analyze the reliability of a C 4 ISR system. The reliability as well as the failure probability of the C 4 ISR system, are reached based on the GO model constructed. At the component level, the reliability of units of the C 4 ISR system is computed. Importance analysis of failures of such a system is completed by the qualitative analysis capability of the GO model, by which critical failures of hardware failures like communication module failures and motherboard module failures as well as software failures like network module application software failures and decompression module software failures are ascertained. This method of this paper contributes to the reliability analysis of all hard ‐ and ‐ software integrated systems.


Introduction
Command and control systems (C 4 ISR systems), integrated by both hardware and software, are the core element of battlefield command and dispatch operations, which are designed to reliably and error-freely distribute commends to all stakeholders under the complex, variable and unpredictable battlefield conditions during wartime [1]. Therefore, the reliability of such systems is always one of the core performance features that need to be investigated. However, two characteristics of C 4 ISR systems, that are, complicated configurations of systems and large-scale information involved, introduce chaos to the reliable operation of these systems, especially to their failure mechanism identification, reliability analysis, and availability improvement [1,2]. Failure frequency of C 4 ISR systems is high under the real battlefield circumstance according to the failure information already mentioned and which reduces significantly the reliability, availability, failure-free operation time of C 4 ISR systems [3].
To this end, a thorough and comprehensive reliability analysis of C 4 ISR systems is mandatory before its delivery and installation to end-users. System reliability analysis is to discover and determine the risky factors that may lead to malfunctions during the design and actual operation of systems so that to improve the system's reliability by preventing the occurrence of critical failures. However, unlike mechanical, electrical, and software systems that consist of either hardware or software systems, C 4 ISR systems were composed of both, which introduces additional difficulties to the reliability analysis of such systems. Each of the system's components could have a more or less complex redundant structure, but we should consider it as a whole. Consequently the system could be The rest of this paper is arranged as follows: Section 2 introduces the modeling and analysis of the GO method. Section 3 presents the case study. Results are demonstrated in Section 4. Discussions are settled at Section 5. The conclusions are listed in Section 6.

Methodology
The GO method is the combination of graph theory and probability methodology [32]. The operator of the GO method connects the signal flow to simulate units of a system. Overall, in this method, 17 operators have been defined, as shown in Table 1. The operator type determines characteristics of the operator including operation rules, function, etc. [33] Moreover, signal flow in the GO model represents the logical relationship between input and output operators. State value and state probability are basic attributes of operators and signal flow [34]. The steps of the establishment of reliability GO graph model for a system based on the GO method, generally, are as follows [14,[16][17][18]: (i) System identification and analysis. Identify the system that to be analyzed including its scope, failure mode, function, and relationship among each unit; (ii) Input and output determination. Ascertain the inputs and outputs of the system that already identified in Step (i); (iii) the successful operation criteria determination. A successful state includes the degraded operation of the system and it can give the minimum output signal set; (iv) GO model construction. To create a GO diagram based on the structural diagram of the system by connecting the operators according to the signal flow direction, which includes several steps:  Select the corresponding operator according to the function of the system unit.
 Connect signal flow to operators selected. Specifically, the essence of the signal flow is the direction of the signal in the system.  Number the operators and signal flow in the GO diagram.  Checking the GO model until it complies with the drawing rules of the GO method, otherwise, modify the model (repeat the above steps).
The qualitative analysis of the GO method is to seek the minimum failure unit within the system, while, the quantitative analysis calculates the overall reliability of the system. The state accumulation analysis method is used to quantitatively analyze the system. Accordingly, the state value of the signal flow in the GO method is defined as 0, , N  , where 0 represents the advanced state and N represents the failure state. Other values correspond to multiple states between 0 and N. Specifically, ( ) The reliability analysis is to find the minimum cut set of the GO model. For a system with M operators, find out the smallest cut set of the system until the states of other operators are 0 and only one operator whose state value is 1, calculate the probability that the system can run successfully according to the probability analysis method. After the firstorder minimum failure sets of the system had been ascertained, repeat the above step until the second-order minimum failure set of the system is obtained. The qualitative analysis flowchart of the GO model is shown in Figure 1. In the GO graph model of the system, except for the first-order, second-order, ..., N-1 minimum cut sets, any K function operator fails, and other operators have no failures.
Perform GO operations For a complicated system such as a C 4 ISR system, common cause failures and common signals introduce uncertainty to the results concluded by the GO model. Accordingly, data pretreatments, also known as data corrections, are required. Generally, data correction of GO models, for both common signals and common cause failures, obeys the following rules: Regarding the correction of reliability data with common signals. The common signal is a signal that the input signal of multiple operators simultaneously. Hence, the state probability of which can be included in all subsequent signal flows related. For a system with M common signals, j S , 1,2, , j M   and only one output signal R. The state probability of the output signal is: where, R P is the success probability of the output signal, 1 2 , , , denote M success probabilities of common signals. For one common signal, denote 1 0 S P  (The common signal S1 fails) and the success probability of the system output signal 0 R P , 1 1 S P  (The common signal S1 succeeds) and the success probability of the system output signal 1 R P . Hence, the success probability of the output signal is: For two common signals S1 and S2, whose success probabilities of the common signals are 1 S P and 2 S P , respectively. The cumulative probability of the state of the output signal R is R P . According to the GO operation rule, R P can be calculated by: where, 0 1 2 3 , , , c c c c are constant parameters. Furtherly, Equation (4) can be reformed to to: , and 00 01 10 11 , , , R R R R P P P P are probabilities of the system output signal in the success state under the condition that the common signals S1 and S2 are in failure-fault ( 1 , the success probability of each signal is Sm P , the success probability of the output signal is R P , The cumulative probability of the state of the output signal can be obtained by: where, Moreover, the probability of a single signal can be calculated as: As for the reliability data correction with common cause failures. Common cause failures denote that several failures share the same common cause in a system. The  -factor model and the probability algorithm are primary methods handling the data correction of common cause failures in GO models.
The  -factor model uses the  factor to measure the impact of common cause failures. Let 1  , 2  , and  denote failure rates of unit failure, common cause failure, and system failure, respectively. It is obvious that: where, 1 Q , 2 Q , and Q are unit failure probability, common cause failure probability, and system failure probability, separately.
Accordingly, the  factor can be computed by: In engineering cases, the  factor should be within [0, 0.25], in which, 0 represents no common cause failures. Generally, the more common cause failures involved, the larger the value of  . And, the value can be selected based on the experience of specialists. Additionally, the probability algorithm assumes the existence of a common cause failure between units A and B, thus the following formula can be obtained: where, AI Q and BI Q are failure probabilities of units A and B. Accordingly, the following equation can be obtained: where, I R is the system success probability without common cause failures; 00 R and 11 R are system success probabilities under the condition that the success probabilities of units A and B with common cause failures are 0 and 1. Hence, for the situation of the system with M common cause failure units, the following formula is easy to be reached:

Case Study
The C 4

ISR System
This paper analyzes the reliability of the C 4 ISR system. The C 4 ISR system is mainly composed of a database, an information desk, a command and control desk, and a commander center. In the database, the signal is the input of the signal receiver, and the outputs are two signal flow paths: the from the input to the server and information exchange module we well as from the input to the RAID control. Then the signal flows into the data storage module, and finally reaches the hard disk; The output of the database is the input of the information editing station. In this device, the signal reaches the data loading mod-ule and then goes to the motherboard module; The input of the command console is conducted by the intelligence editing station. The signal passes the USB interface module and motherboard module, then it is distributed in two paths: from the input to the touch display and from the input to the control exterior; After the headquarters receives the signal from the command console it sends the signal to the motherboard module. The schematic diagram of the C 4 ISR system is demonstrated in Figure 2. According to the C 4 ISR system, a GO model was constructed, see in Figure 3. The elements of the GO model are introduced in detail in Table 2. The failure rates of each unit are listed in Table 3.

Results
In this paper, the unit reliability is calculated under the service time of 100 h, see in Table 4. Units of the C 4 ISR system in this paper are two-state, that are, working (0) and failed (1). The reliability computation of the GO model follows a designed procedure. First, the success probability of signal flow 7 and 9 can be calculated as: 7 1 2 4 5 6 According to the system structure, the signal flows to 10 and 16, respectively at the same time. Obviously, the operator is affected by a common cause. Therefore, in combination with the common cause failure, the output signal flow 22 is corrected by the factor model. Note that the common cause failure rate is set to be 0.000236 Hence, the success probability of signal flow 10 is reached by: Subsequently, the success probability of the signal flow 23 and 30 are computed, see Equation (16), which are a comment (shared) signal of operators 23 and 26. Accordingly, the output signal 30 needs to be corrected and the common cause rate is set to be 0.000236 C    . 23 With the results above, the reliability of the C 4 ISR system under the service time of 100 h is 0.8506. The reliability and failure probabilities of the unit of the C 4 ISR system are listed in Table 4.

Discussion
With the results of the qualitative analysis, for a system with redundant structures, the not critical failure items of the system are identified to be those whose failure probabilities order (in a decrease order) is 4. Hence, the qualitative analysis is conducted based on the minimum cut sets of remining items. The qualitative analysis results of the C 4 ISR system are shown in Table 5, in which, the probabilities of occurrences of minimum cut sets are applied to evaluate their importance.  Table 5 indicates that the criticalities of software and hardware failures of the C 4 ISR system are comparable, which demonstrates that for both the design and the operation stage of the mentioned system performance and failure properties of the software and hardware of the C 4 ISR system should be focused on. This conclusion also indicates that failure properties of software and hardware integrated systems are consequences of the both software and hardware failures which would be different from the maturely implemented software systems and hardware systems. Additionally, applicability and feasibility of the GO methodology for the reliability analysis of software and hardware integrated systems are valeted. At the component point of view, hardware failures like communication module failures and motherboard module failures as well as software failures like network module application software failures and decompression module software failures are critical than others and which call for special attention of designers and operators. More in detailed conclusions can be reached in Table 5.
Moreover, failure modes are observable consequences (failures) of a system. In this paper, the failure modes' criticality analysis of the C 4 ISR system is carried out, as shown in Table 6. In Table 6, the criticality rank of each failure mode in a decreased order indicated that: (i) The criticality ranks of application software failures in the system are high such as information integrated management module 1 and software 2 failure (F48), CPEX main processor module application software 1 and software 2 failure (F54), and Information exchange module application software (F43), which means that the application software is the weak link in the entire C 4 ISR system; (ii) Failure mode F50, F48, F49, F45 ranks the highest in their importance, addition to application software failures already mentioned, information management application software are critical as well and which needs the particular attention in the C 4 ISR system upgrading.

Conclusions
This paper applied the GO method to detailed analyze the reliability of a C 4 ISR system. In the analysis, the impact of common cause failures and shared signals have been considered, which are common phenomena of hard-and-software integrated systems like the C 4 ISR system, and which also makes classical reliability analysis techniques for instance FTA, BN, etc. are not applicable to analysis the reliability such a system. Due to this, this paper constructs a GO method to analysis the reliability of a C 4 ISR system. Overall, the reliability of the C 4 ISR system is computed to be some 0.85 and the reliability as well as the failure probability of units of the C 4 ISR system are reached. Moreover, critical failures of hardware failures like communication module failures and motherboard module failures as well as software failures like network module application software failures and decompression module software failures are ascertained by the GO model as well. The results achieved are in line with the experience accumulated among the historical operations of the C 4 ISR system. This paper contributes to the reliability analysis of all hard-and-software integrated systems. However, in the future more practical factors should be considered in the GO model constructions, including the degradation of mechanical elements, human factors, and environmental factors, which are unneglectable for reliability analysis of the C4ISR system and will extend the capability of the GO methodology.