Reliability Analysis of Different Configurations of Master and Back-Up Systems Used in Maritime Navigation

This paper presents a comparison of the reliability of various configurations of electronic navigation appliances, from a single system not duplicated (without back-up) to complex systems built of a master system and different numbers of reserve (back-up) systems. For reliability analysis, we created a model of an electronic navigation system reflecting the influence of the number of reserve systems on the entire system reliability. Navigation systems were analyzed as multistate systems. Assuming that they degrade from the state of full reliability to entire failure, their basic reliability characteristics were determined. We also conducted a comparison of system lifetimes in certain reliability state subsets, for different system configurations depending on the number of back-up systems. Additionally, the relationship between the costs associated with setting up a system with a certain configuration and its mean lifetime in reliability state subsets is shown. We also propose procedures for determining the moment of exceeding the allowed limit of system safety, with the use of reliability functions determined for different configurations of the system. One of the major conclusions arising from the reliability analysis is that setting a navigation system with a certain number of back-up solutions is of key importance to improve the system’s reliability in the initial period of operation, while the number of back-up systems has a minor influence on the overall system lifetime.


Introduction
Several types of electronic appliances are used on the navigational bridges of merchant ships. The usage of certain devices and their numbers are derived from International Maritime Organization (IMO) requirements, specified in the 1974 SOLAS Convention. According to the Convention [1], all ships 3000 gross tons or more should be equipped, inter alia, with a receiver for a global navigation satellite system to establish and update the ship's position by automatic means; a 9 GHz radar to determine and display the range and bearing of other surface craft, obstructions, shorelines, navigational marks, etc.; an electronic plotting aid or other means to electronically plot the range and bearing of targets to determine collision risk; an automatic identification system (AIS); and an electronic chart display and information system (ECDIS) to plan and display the ship's route for the intended voyage and to plot and monitor positions throughout the voyage.
Certain devices, according to SOLAS [1], are to be duplicated or equipped with a reserve (back-up) system. The following outfit requirements of Regulation 19 of the SOLAS Convention for radar,

Research Related to Reliability of Electronic Navigation Systems
A few approaches to electronic navigation system reliability analysis were found, which mainly focused on determining the reliability characteristics of the system and its subsystems. Some studies on navigation system reliability refer to its definition [4], stating that it is the probability that an aid to navigation, or any indicated system or component, when it is available, will perform a specified function without failure under given conditions for a specified period of time. The unique parameter used thereafter to characterize reliability is mean time between failures (MTBF), which is the average time between successive failures of a system or part of a system. Besides reliability, IALA [4] specifies availability, defined as the probability that an aid or system of aids will perform the required functionality under stated conditions at any randomly chosen instant in time. The parameter used for the availability evaluation is mean time to repair (MTTR).
Specht [5], for reliability analysis of the Differential Global Positioning System (DGPS), introduced reliability structures of the system and its subsystems, which were related to their functionality and relationships. Then, two states of the components and systems were assigned, connected to their functioning: 0 if the component or system failed and 1 if the component or system was functioning properly. Further, taking into account specified reliability structures, the reliability of the navigational system in an interval of time, defined as the survival probability of a system, was determined. By assuming exponential life and failure time distributions, the reliability of a navigational system in a specified interval of time was determined, as well as its limit reliability.
The analysis of AIS system availability introduced by Jaskólski [6] applies Markov chains. By collecting AIS data transmission availability, three states of the system were distinguished (operating, intermediate, and failure), depending on the availability coefficient. Then, the stochastic matrix was set for the probability of transitions between particular states of AIS availability. The matrix was drawn up based on the intensity of transitions between states, determined by an analysis of recorded AIS base station signals. Finally, by adopting initial distributions and collected distributions of transitions between particular states, the probability of the system staying in each operating state was determined.
A reliability operational assessment of electronic transport systems with regard to electromagnetic interference, presented by Paś and Rosiński [7], was conducted by distinguishing three system safety states: full worthiness (full ability), safety hazard (impendence over safety), and unreliable safety. By specifying the transitions among particular safety states, the analyzed system was described by the system of Chapman-Kolmogorov equations. Then, by applying the initial conditions and by means of Laplace transformation, the probability of the system staying in particular states was determined. Further, by collecting transition rates between particular states and the probabilities of the system staying in certain states, the probability of the system staying in full worthiness state was fixed. The application to reliability assessment of an electronic transport system is based on the assumption that times of transition between particular safety states are described by exponential distributions.
Sumic et al. [8] applied a Markov model for reliability and availability analysis of an ECDIS system consisting of primary (master) and back-up (reserve) subsystems. Master and back-up subsystems form a parallel structure, by which, assuming each subsystem can stay in a working or failed state, the system takes one of four possible states. By means of Markov modelling properties (conditional probability distribution of future states of the process depends solely on the present state; the next state depends only on the current state, not on the history that led there), system reliability, defined as the probability of not being in a failed state, was calculated. The main outcome of that study was that the desired level of reliability was not achieved. That made the authors propose an alternative, so-called cold standby system solution to add more back-up systems connected in series or in parallel.
A reliability analysis of inertial navigation systems by means of GO methodology was proposed by Jiang et al. [9]. The GO methodology provided the ability to translate the principle diagram of the system into a GO chart (equivalent to a system reliability model). Then, by combining the GO methodology and the concept of reliability centered maintenance, predictive maintenance for a complex structure of an inertial navigation system with several redundant components was conducted. The methodology was applied to build a system reliability analysis model that would work well for multicomponent systems with complex structural relationships among components, such as redundant structure. The basic assumptions in that study, similar to other studies, were exponential distributions of failure of system components and two-state (working or failed) system modules.

Assumptions Made for Reliability Analysis
To conduct a reliability analysis of various configurations of an electronic navigation system, it is assumed that the system consists of four independently operating subsystems forming a series structure: data collection system S1, data processing system S2, data presentation system S3, and user interface S4 (Figure 1) [10]. Furthermore, four reliability states of the system and its subsystems were distinguished [11]:
- State 3, full reliability, meaning the system is fully functional and all of its components are working properly without any disturbances.
- State 2, partial reliability, representing the situation where some disruptions in system functioning appear, but exploitation parameters are within allowed limits (e.g., position accuracy decreases, but still satisfies respective standards).
- State 1, task-limited reliability, occurring when disruptions of system functioning cause its exploitation parameters to fall below allowed limits.
- State 0, entire unreliability, indicating system failure that stops its operation.
In addition, subsystems S1, S2, S3, and S4 have exponential reliability functions [12]. According to Specht [5], typical realizations of the operating time of a navigational system are characterized by exponential distributions. Thus, the exponential reliability function can be applied to express the system lifetime, which can refer to the lifetime of the system in reliability state subsets in case of multistate systems. Similarly, Jiang et al. [9] assumed that some components of failure distribution follow an exponential distribution. The reliability functions of multistate subsystem Si, i = 1, 2, 3, 4, are then given by the vector: (1) with its coordinates: Parameters λi(u), u = 1, 2, 3 and i = 1, 2, 3, 4 in Equation (2) represent intensity of departure from subsets of reliability states not worse than the state of u, i.e., {u, u + 1, ..., 3}. In a special case where u = 1, λi(1) means failure intensity of subsystems Si, i = 1, 2, 3, 4. Approximate values of intensities λi(u), u = 1, 2, 3, and i = 1, 2, 3, 4 are estimated based on the mean value E[Ti(u)] of lifetimes Ti(u), u = 1, 2, 3 and i = 1, 2, 3, 4 of subsystems in reliability state subsets {u, u + 1, ..., 3}, expressed in years. Subsequently, the reliability functions of systems S1 and S4 are: where and the reliability functions of systems S2 and S3 are given by where Based on the above assumptions (reliability structure of the system, reliability functions of subsystems S1 to S4), the reliability function of the whole system can be determined, along with its basic characteristics: the mean times (and their standard deviations) that the system stays in designated subsets of reliability states, and the mean times that the system stays in particular reliability states.
By adopting a certain permissible (limited) value of reliability, it is possible to identify the moment of exceeding a specified limit of system reliability, or, more precisely, to determine the moment at which the probability of the system staying in a state above the permissible one exceeds the adopted level.

Reliability Analysis of Single Electronic Navigation System
Assuming that the navigation system is a multistate series system and S1, S2, S3, S4 have exponential reliability functions (3)-(6), the reliability function of the single master navigation system is [10]: where From Equation (8) we conclude that the intensities of the system departure from reliability state subsets {1, 2, 3}, {2, 3}, {3} are respectively given by: The intensity values specified by Equation (9) will be used in further analysis of the navigation system with a number of backup systems. The mean lifetimes and standard deviations of a single master navigation system in reliability state subsets {1, 2, 3}, {2, 3}, {3} with use of formulas given in [13,14], counted in years, are: (10) and their mean values in reliability states 1, 2, 3 calculated using Equation (10), in years, are, respectively: The mean lifetime µSM(1) of a system in reliability state subset {1, 2, 3} is the time the system stays in either reliability state 1, 2, or 3 (full or partial reliability), and thus is equal to the time to system failure in the case of a two-state approach to system analysis. The mean lifetime µSM(2) of the system in reliability state subset {2, 3} is the time the system is in reliability state 2 or 3. The mean lifetime µSM(3) of the system in state 3 is the time the system is in full reliability state (before transitioning to partial reliability).

Reliability Analysis of a System Duplicated with a Number of Back-Up Systems
The reliability structure of an electronic navigation system duplicated with one identical back-up system connected in parallel is shown in Figure 2. The reliability of an electronic navigation system composed of two individual independent ECDIS systems was also analyzed in [15].
Figure 2. Reliability structure scheme of navigation system with one back-up system.
The reliability function of a master system with a single back-up is given by: with the coordinates given by: where values of intensity λSM(u), u = 1, 2, 3 are determined by Equation (9). Substituting these values into Equation (13), we get Next, based on formulas from [13,14] and using the coordinates of a reliability function given by Equation (14), the mean lifetimes of the navigation system in subsets {1, 2, 3}, {2, 3}, {3} are, respectively: Similarly, we determine the standard deviations of the navigation system in subsets {1, 2, 3}, {2, 3}, {3} by using the coordinates of the reliability function given by Equation (14) and values of mean lifetimes in Equations (15)-(17) according to the following formulas: The mean values of system lifetime in reliability states 1, 2, 3, in years, by Equations (15)-(17), are respectively: To analyze the reliability of the system duplicated with more than one back-up solution, we consider, in general, a system composed of a master system and n, n ≥ 1, (n = 1, 2, ...) back-up systems (Figure 3). We assume n ≥ 1, because the navigation system with at least one back-up system is analyzed.
In case of n = 0, the system consists of only a single navigation system, as described earlier.
The reliability function of a master system with n, n ≥ 1 backup systems linked in a parallel reliability structure (Figure 3) is given as follows: with the coordinates determined by where values of intensity λSM(u), u = 1, 2, 3 are given by Equation (9). Equation (23), by substituting these values, takes the following form: The mean lifetimes in reliability state subsets of a navigation system with n, n ≥ 1 backup systems are determined according to the following formula [13]: where the coordinates are given by Equation (23). By determining this integral we get For values of intensity determined by Equation (9), we get the same result as in Equations (15)-(17). Further, substituting values of intensity λSM(u), u = 1, 2, 3 given by Equation (9) into Equation (26), we get mean lifetimes in subsets {1, 2, 3}, {2, 3}, {3} of a navigation system with n, n ≥ 1 backup systems: $(-1)^{k-1}\binom{n+1}{k}\frac{1}{1.5k},\ n \ge 1.$ (28)
Table 1 shows the mean lifetimes µ(1) in subset {1, 2, 3}, µ(2) in subset {2, 3}, and µ(3) in subset {3} of the system reliability states, determined for n ranging from 0 to 10 backup systems, and their percentage increases.

Discussion
Assuming the cost of the master system and each back-up system is equivalent, we can compare the differences in the cost of various configurations of the navigation system to the differences in their mean lifetime in reliability state subsets of the configurations and, in particular, to the differences in mean time to failure. The reliability function coordinate R (t, 1) for a navigation system in various configurations, i.e., single master system and master system with one, two, and three back-up systems, is illustrated in Figure 5.
The values of coordinate R(t, 1) of the reliability function determine the probability of the system staying at subset {1, 2, 3} of the reliability states at moment t, under the assumption that it was at full reliability state (state 3) at t = 0. Thus, assuming a certain limit value of the coordinate, meaning the probability that the system stays at full or partial reliability state {1, 2, 3}, the moment at which the probability limit value is exceeded can be determined [13,16]. For example, for a limit of 80%, meaning the coordinate of the reliability function level R(t, 1) = 0.8, the moment when the limit is exceeded is as follows:
• For the single electronic navigation system TM(1) = 0.5 years
• For the system duplicated with one backup system TB1(1) = 1.32 years
• For the system with two backup systems TB2(1) = 1.96 years
• For the system with three backup systems TB3(1) = 2.46 years
Figure 5 shows a graph of the above values.
Figure 4. Increased time to system failure µ(1) related to increased cost associated with enlarging the system with more back-up systems.
It can be concluded, based on the results given in Tables 1-3, how the number of back-up systems influences the reliability of the entire navigation system. One of the major outcomes is that each additional back-up system significantly improves the system's reliability at the initial stage of operation. For example, the reliability function coordinate R (t, 1) of a navigation system with one back-up exceeds the 95% threshold after a period around five times longer than that of a single system. The difference decreases over time, however; the moment of exceeding the 85% threshold by the reliability function coordinate R (t, 1) for a system with one back-up is still three times longer compared to a single system.
For the 60% threshold, it is exceeded by coordinate R(t, 1) at 2.23 years for a system with one back-up, about twice as long as that of a single system, which is 1.14 years. Similarly, a significant improvement in reliability at the initial stage of system operation is provided by adding further back-up systems, and this difference decreases over time, as can be seen in the results presented in Table 2. By comparing these results to the mean lifetimes of the system staying in subsets of reliability states, for different configurations of the navigation system shown in Table 1, it can be seen that the differences are much less significant. Hence, we can conclude that configuring the navigation system with a certain number of back-up systems is important if the system's reliability for a short period or the overall system lifetime is required. Similarly, by means of coordinate R(t, 3) of the reliability function determining the probability of the system staying at the state of full reliability at moment t, the moment when the probability goes below 80% can be denoted. Thus, it can be determined that for the single electronic navigation system TM(3) = 0.15 year, for the system duplicated with one back-up TB1(3) = 0.4 year, for the system with two back-up systems TB2(3) = 0.59 year, and for the system with three backup systems TB3(3) = 0.74 year. Table 3 presents a comparison of moments when the reliability function coordinate R(t, 3) exceeds thresholds ranging from 95% to 60%.
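The threshold procedure and the mean-lifetime sum discussed above, worked through in Python as an added example (not the paper's own code). It assumes the standard reliability function of n + 1 identical, independent exponential units in parallel, R(t) = 1 - (1 - e^(-λt))^(n+1), and takes λ = 1.5 per year for the full-reliability state from the constant in Equation (28); the function names are illustrative.

```python
"""Threshold-crossing times and mean lifetimes for a master system with
n parallel back-ups. Added illustration; names and structure are assumptions."""
from math import comb, exp, log

# Departure intensity from full reliability (state 3), per year. 1.5 is the
# constant visible in Equation (28); no other intensity is assumed here.
LAMBDA_FULL = 1.5


def reliability(t, lam, n):
    """Probability that at least one of the n + 1 units is still in the subset at time t."""
    if t < 0 or lam <= 0 or n < 0:
        raise ValueError("need t >= 0, lam > 0, n >= 0")
    return 1.0 - (1.0 - exp(-lam * t)) ** (n + 1)


def threshold_time(p, lam, n):
    """Time (years) at which reliability(t, lam, n) falls to the limit p."""
    if not 0.0 < p < 1.0:
        raise ValueError("limit p must lie strictly between 0 and 1")
    if lam <= 0 or n < 0:
        raise ValueError("need lam > 0, n >= 0")
    # Per-unit unreliability at the crossing: (1 - e^(-lam t))^(n+1) = 1 - p
    q = (1.0 - p) ** (1.0 / (n + 1))
    return -log(1.0 - q) / lam


def mean_lifetime(lam, n):
    """Integral of reliability over t >= 0, written as the alternating binomial sum."""
    if lam <= 0 or n < 0:
        raise ValueError("need lam > 0, n >= 0")
    return sum((-1) ** (k - 1) * comb(n + 1, k) / (k * lam)
               for k in range(1, n + 2))


def early_gain(p, n):
    """How many times later a system with n back-ups crosses p than a single
    system. The intensity cancels, so the ratio holds for every state subset."""
    return threshold_time(p, 1.0, n) / threshold_time(p, 1.0, 0)


if __name__ == "__main__":
    print("n  T(80%, state 3) [yr]  mean lifetime [yr]  vs single")
    base = mean_lifetime(LAMBDA_FULL, 0)
    for n in (0, 1, 2, 3, 10):
        t80 = threshold_time(0.8, LAMBDA_FULL, n)
        mu = mean_lifetime(LAMBDA_FULL, n)
        print(f"{n:<2} {t80:>20.2f} {mu:>19.3f} {mu / base:>10.2f}x")
    print("\nOne back-up vs single system, ratio of threshold-crossing times:")
    for p in (0.95, 0.85, 0.60):
        print(f"  limit {p:.0%}: {early_gain(p, 1):.2f}x")
```

The ratio printed by `early_gain` shrinks as the limit is lowered, which is the early-life benefit the discussion describes, while the mean-lifetime column grows only with the harmonic sum 1 + 1/2 + ... + 1/(n + 1).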

Conclusions
The results of studies performed with different configurations of electronic navigation systems (various numbers of backup systems) reviewed in this paper allow us to evaluate relationships between whole system reliability and costs incurred to build systems with specified configurations. More particularly, mean time to failure and mean time of system staying at particular subsets of reliability states were compared to the costs incurred for setting up the system including different numbers of back-up subsystems. Computations allow us to point to certain findings. It is clear that the increase in reliability (i.e., time to system failure) gained from using more than two back-up systems is disproportionately low (Figure 4) relative to the costs associated with building a system with a particular number of back-up subsystems. Table 1 indicates that mean time of the system staying at a subset of reliability states obtained with the use of three back-up systems is double that of a single system, while the time triples with the use of 10 back-up systems.
It can then be concluded that excessive development of the system with more back-up subsystems is not an appropriate direction, as it does not result in a respective increase of reliability parameters. It seems more useful to concentrate on improving the reliability of particular subsystems, rather than adding more back-up subsystems with lower reliability. The use of a so-called cold reserve system could be considered, as proposed by Sumic et al. [8].
In addition, it was pointed out that each additional backup system significantly improves the system's reliability at the initial stage of its operation, and has less impact on its operation over the long term. A detailed comparison in this regard is presented in Section 6.
Studies reviewed in this paper do not take into account renovations of the system or its subsystems, meaning eventual repairs taking place in case of failure or services improving system reliability during its use. The renovations, depending on implemented procedures, can be performed at scheduled times, or upon exceeding certain levels of system reliability. An analysis of system availability taking into account such renovation activities will be the subject of further research.

Conflicts of Interest:
The authors declare no conflict of interest.