This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

The flight-control system is a typical safety-critical system whose reliability will affect the safety of aircraft significantly. The failure or malfunction of the flight-control system will lead to an unsafe flight path or structural failure preventing continued safe flight and landing, which are considered as catastrophic top level failure conditions of the aircraft. In the modern transport category airplanes, fly-by-wire systems have been widely used to replace hydromechanical ones. By utilizing the fly-by-wire system, pilots’ commands are converted to electronic signals transmitted by wires to flight-control computers, and control commands are calculated by flight-control computers based on control laws to determine the movements of the actuators at each control surface. Therefore, the mechanical circuits consisting of rods, cables, and pulleys are not required anymore, and the weight of the airplane can be reduced.

In order to improve the reliability of the fly-by-wire system, redundancy architectures including parallel, majority, standby, and load-sharing have been widely used in the design of the fly-by-wire system. As there are dynamic or state-dependent behaviors in the standby or load-sharing systems, the failure of the systems depends not only on the combinations of its component failures but also on the occurrence order of the component failures [1, 2]. At present, fault tree analysis (FTA), dependence diagram analysis (DDA), and Markov analysis (MA) are the most widely used tools for reliability modeling and safety analysis of airborne systems. FTA is a deductive failure analysis that focuses on one particular undesired event and provides a method for determining causes of this event. DDA, which is equivalent to reliability block diagram (RBD) in reliability engineering, provides an alternate pictorial representation of combinations of failures for the purpose of probability analysis. In MA, Markov chains are used to represent various system states and relationships among them. The states can be either operational or nonoperational. The transition rate from one state to another is a function of the failure rate or repair rate. The state probabilities are derived by solving a set of differential equations that are derived from the Markov chain [3, 4]. Among all the three methods, FTA and DDA are both static tools; they cannot capture the state-dependent behavior of system failure mechanisms [5]. Although MA can cope with state-dependent behaviors, it will be faced with the infamous state space explosion problem when the system is large and complex. What is more, the solution of the differential equations for the Markov chains is a cumbersome work and MA can only deal with the system whose components are following exponential distributions [6].

As a tool for discrete event system simulation, Petri nets have been widely applied in reliability engineering since three decades ago. One of the important applications is focusing on system reliability modeling by using Petri nets instead of traditional reliability tools [7–11]. Hura and Atwood [7] presented a method to represent fault trees with Petri nets, which they thought can provide more insight into failure behaviors. Malhotra and Trivedi [8] studied to construct the reliability models by using stochastic Petri nets and stochastic reward nets, and different kinds of repair scenarios are also considered in these models. Liu and Chiou [9] used Petri nets to denote different kinds of logic operations, and a trapezoidal graph method is applied to account for failure scenarios. Schneeweiss [10] developed the Petri net models for many reliability scenarios, and maintenance cost and benefit are considered in their research. Volovoi [11] applied aging tokens in the Petri net-based reliability model, and the advantages of their method have been illustrated by comparing with classical reliability tools. Katsigiannis et al. [12] presented a new methodology for reliability modeling-based fluid stochastic Petri nets for small isolated power systems. Robidoux et al. [13] presented an algorithm that automatically converts the RBD model into a colored Petri net, and a case study is used to illustrate the effectiveness of the method. Wu et al. [14] established the reliability model for a solar array mechanical system by using fault tree and fuzzy reasoning Petri nets, and their method can be applied to find the fault mechanisms. Chu et al. [15] built a reliability model for the jet pipe servo valve by using generalized stochastic Petri nets, and the effectiveness of their method is illustrated by comparing with the Markov model. In recent years, the application of Petri nets has been extended to many other fields of reliability and safety engineering, which include the reliability analysis of integrated modular avionics [16], the reliability modeling of multimission phased mission system [17], the formal model-based safety analysis [18], and the dependability analysis of safety-critical real-time systems [19].

The Petri nets have displayed a powerful ability in reliability and safety modeling; thus, a stochastic Petri net-based reliability model will be proposed for the fly-by-wire systems in this study. The rest of this paper is structured as follows. In Section 2, a brief description of the stochastic Petri net is presented. In Section 3, the Petri net-based reliability models are constructed for both static and dynamic architectures including series, parallel, $m$-out-of-$n$, warm standby, cold standby, and load-sharing architectures, and the substitution transitions are applied in the hierarchical reliability model to simplify complex net structures. In Section 4, a Monte Carlo simulation method is proposed for the stochastic Petri net-based reliability models to generate system lifetime samples, and the system reliability parameters can be calculated in terms of the lifetime samples. In Section 5, a fly-by-wire system is used as a case study to illustrate the application and effectiveness of our proposed reliability approaches. In Section 6, concluding remarks are presented.

2. Definitions Related to the Stochastic Petri Net-Based Reliability Model

2.1. Definitions of the Stochastic Petri Net-Based Reliability Model

According to the definition of the stochastic Petri net [20, 21], the stochastic Petri net-based reliability model can be defined as a 7-tuple $\sum =\left(\mathbf{P},\mathbf{T},\mathbf{F},K,W,M_0,\mathbf{\Lambda }\right)$ such that

(i)

$\mathbf{P}=\left\{p_1,p_2,\cdots ,p_n\right\}$ is the set of places which are used to denote the states of components or systems

2.2. Enabled and Fired of Transitions

$\forall x\in \mathbf{P}\cup \mathbf{T}$, $•x$ is called the preset of $x$ and $x•$ is called the postset of $x$ such that $$\begin{array}{c}\text{(1)}& •x=\left\{y\mid \left(y\in \mathbf{P}\cup \mathbf{T}\right)\cap \left(\left(y,x\right)\in F\right)\right\},x•=\left\{y\mid \left(y\in \mathbf{P}\cup \mathbf{T}\right)\cap \left(\left(x,y\right)\in F\right)\right\}.\end{array}$$

A transition $t\in \mathbf{T}$ is enabled if and only if $$\begin{array}{}\text{(2)}& \left\{\begin{array}{cc}\forall p\in •t:\hfill & M\left(p\right)\ge W\left(p,t\right),\hfill \\ \forall p\in t•-•t:\hfill & M\left(p\right)+W\left(t,p\right)\le K\left(p\right),\hfill \\ \forall p\in t•\cap •t:\hfill & M\left(p\right)+W\left(t,p\right)-W\left(p,t\right)\le K\left(p\right).\hfill \end{array}\right.\end{array}$$

Equation (2) illustrates the prerequisite of the component or system state changing.

When a transition is enabled, it does not imply that it will be immediately fired. Among all the enabled transitions, only the transition that has the minimum firing time will be fired. If several transitions have identical minimum firing time, one of them will be selected randomly to be fired. After the transition $t$ is fired, the markings of the net will be changed according to the following rule: $$\begin{array}{}\text{(3)}& \forall p\in \mathbf{P}:M^{\prime }\left(p\right)=\left\{\begin{array}{cc}M\left(p\right)-W\left(p,t\right),\hfill & p\in •t‐t•,\hfill \\ M\left(p\right)+W\left(p,t\right),\hfill & p\in t•‐•t,\hfill \\ M\left(p\right)+W\left(t,p\right)-W\left(p,t\right),\hfill & p\in •t\cap t•,\hfill \\ M\left(p\right),\hfill & \text{otherwise}.\hfill \end{array}\right.\end{array}$$

Equation (3) illustrates how the states will change after the transitions have been fired.

3. Petri Net-Based Reliability Model of Typical Architectures for the Fly-By-Wire Systems

A fly-by-wire system usually consists of three subsystems, which are the sensor subsystem, the flight-control-computer subsystem, and the servo-control subsystem. The sensor subsystem usually has a majority architecture, such as $m$-out-of-$n$ architecture, which means the subsystem will be failed at least $m+1$ of the total $n$ sensors or transducers are failed. The flight-control-computer subsystem usually applies standby architecture, especially the warm standby or hot standby (parallel) architectures. Hence, the uninterruptible command calculation and monitoring can still be provided when part of the redundant channels in the computer is failed. The servo-controls usually have a load-sharing architecture. When one of the redundant actuators is failed, the failure rate of other actuators will increase. To the overall flight-control system, it can be treated as a series system composed of sensing units, flight-control computers, and servo-controls. In this section, the reliability models of all the abovementioned architectures will be presented based on the stochastic Petri net.

3.1. Petri Net-Based Reliability Model of Static Architectures

Failures of the static system are completely decided by the combinations of its component failures. The reliability model of a static system can be expressed by either a dependence diagram (RBD) with series, parallel, and $m$-out-of-$n$ architectures, or a fault tree with AND, OR, and Voting gates.

In this study, a unified Petri net-based reliability model is proposed to express all static architectures including the series, parallel (hot standby), and $m$-out-of-$n$architectures. To a system composed of $n$ components, the unified Petri net-based reliability model is shown in Figure 1.

In Figure 1, the place $\text{P}k.\text{up}\left(k=1,2,\cdots ,n\right)$ denotes the operating state of the $i$th component, and their capacity functions are all equal to 1, namely, $$\begin{array}{}\text{(4)}& K\left(\text{P}k.\text{up}\right)=1.\end{array}$$

When there is a token in $\text{P}k.\text{up}$, the component $k$ is in the operating state; otherwise, the component $k$is in the failed state. The place $\text{Ps}.\text{down}$ denotes the failed state of the system, and its capacity function is decided by the system architecture. To the series architecture, the capacity function of $\text{Ps}.\text{down}$ is equal to 1, and the system will be failed when there is one token in $\text{Ps}.\text{down}$. To the parallel architecture, the capacity function of $\text{Ps}.\text{down}$ is equal to $n$, and the system will be failed when there are $n$ tokens in $\text{Ps}.\text{down}$. To the $m$-out-of-$n$ architecture, the capacity function of $\text{Ps}.\text{down}$ is equal to $n-m+1$, and the system will be failed when there are $n-m+1$ tokens in $\text{Ps}.\text{down}$. The capacity function of the three types of static architectures can be expressed as follows: $$\begin{array}{}\text{(5)}& K\left(\text{Ps}.\text{down}\right)=\left\{\begin{array}{cc}1,\hfill & \text{series},\hfill \\ n,\hfill & \text{parallel}\left(\text{hot}\text{standby}\right),\hfill \\ n-m+1,\hfill & m‐\text{out}‐\text{of}‐n:\text{G}.\hfill \end{array}\right.\end{array}$$

The timed transition $\text{T}k\left(i=1,2,\cdots ,n\right)$ denotes the failure of the $k$th component, and its firing time equals the time to failure of the $k$th component.

The weight of the arc originating from $\text{Ps}.\text{down}$ is equal to $n-m+1$, and the weights of all other arcs are equal to 1.

3.2. Petri Net-Based Reliability Model of Standby Architectures

A standby system consists of an active component and one or more standby ones. A sensing and switching mechanism is used to detect failures of the active component and activate the standby ones immediately when a failure of the active one occurs. There are three types of standby architectures including hot standby, warm standby, and cold standby. The hot standby is just the parallel architecture, and the standby components have the same failure rate as if it was operating in the system. The standby component cannot fail in a cold standby system which is usually assumed for spare or shelf items, whereas the standby component has a lower hazard rate than the operating component in a warm standby system and this is usually a realistic assumption [22]. Additionally, the flight-control system does not have individual sensing and switching mechanisms, whose function will be fulfilled by the monitor module in each channel of the flight-control computers.

The stochastic Petri net-based reliability model of a warm standby system composed of $n$ components is expressed by Figure 2.

In Figure 2, $\text{P}k.\text{active}$, $\text{P}k.\text{down}$, and $\text{P}k.\text{standby}\left(k=1,2,\cdots ,n\right)$ denote the active state, the failed state, and the standby state of the $k$th component, respectively. Their capacity function is equal to 1. Hence, $$\begin{array}{}\text{(6)}& \left\{\begin{array}{c}K\left(\text{P}k.\text{active}\right)=1,\hfill \\ K\left(\text{P}k.\text{down}\right)=1,\hfill \\ K\left(\text{P}k.\text{standby}\right)=1.\hfill \end{array}\right.\end{array}$$

When there is a token in $\text{P}k.\text{active}$, $\text{P}k.\text{down}$, or $\text{P}k.\text{standby}$, it means the component $k$ is in the active, failed, or standby state, respectively. The place $\text{Ps}.\text{down}$ denotes the failed state of the system, and its capacity function is equal to $n$, namely, $$\begin{array}{}\text{(7)}& K\left(\text{Ps}.\text{down}\right)=n.\end{array}$$

The system will be failed when there are $n$ tokens in $\text{Ps}.\text{down}$.

The timed transition $\text{T}k\left(k=1,2,\cdots ,n\right)$ denotes the failure of the $k$th component in its active state, and its firing time is also equal to the time to failure of the $k$th component. The time transition $\text{T}k.\text{standby}\left(k=2,3,\cdots ,4\right)$ denotes the failure of the $k$th component in the standby state, and its firing time is equal to the time to failure of the $k$th component in the standby state. Transitions $\text{Ti}1$ to $\text{Ti}n$ are immediate transitions. Each $\text{Ti}k$ connects all $\text{P}l.\text{down}\left(l<k\right)$ by a dual-arrow arc, which means the failures of component 1 to component $k-1$ are the prerequisite to enable transition $\text{Ti}k$, and place $\text{P}l.\text{down}\left(l<k\right)$ will still hold a token after $\text{Ti}k$ have been fired.

The weight of the arc originating from $\text{Ps}.\text{down}$ is equal to $n$, and the weights of all other arcs are equal to 1. The arcs connecting places $\text{P}k.\text{down}$ or $\text{Ps}.\text{down}$ with transitions are bidirectional. It means the number of tokens in these places will not change after the pertinent transitions have been fired. As the state of a failed component or system will not change in the flight duration.

The stochastic Petri net-based reliability model of a cold standby system composed of $n$components is given in Figure 3, which is simplified based on Figure 2. In the cold standby system, the place $\text{P}n.\text{down}$ is just the place $\text{Ps}.\text{down}$.

3.3. Petri Net-Based Reliability of Load-Sharing Architectures

In a load-sharing architecture, there is a dependency between the components. If one component fails, the failure rate of the other components increases as the result of the additional load placed on it. The servo-control with a load-sharing architecture usually has two or three redundant components. The Petri net-based reliability model of a load-sharing architecture with three components can be expressed by Figure 4.

In Figure 4, $\text{P}i.\text{up}\left(i=1,2,3\right)$ denotes the operating state of the $i$th component when all the three components are operating. $\text{P}{i}^{\prime }.\text{up}\left(i=1,2,3\right)$ denotes the operating state of the $i$th component when one of the other two components is failed. $\text{P}{i}^{"}.\text{up}\left(i=1,2,3\right)$ denotes the operating state of the $i$th component when the other two components are failed. And the capacity functions of $\text{P}i.\text{up}$, $\text{P}{i}^{\prime }.\text{up}$, and $\text{P}{i}^{"}.\text{up}$ are equal to 1; we have $$\begin{array}{}\text{(8)}& \left\{\begin{array}{c}K\left(\text{P}i.\text{up}\right)=1,\hfill \\ K\left(\text{P}{i}^{"}.\text{up}\right)=1,\hfill \\ K\left(\text{P}{i}^{"}.\text{up}\right)=1.\hfill \end{array}\right.\end{array}$$

$\text{Ps}.\text{down}$ denotes the failed state of the load-sharing system. The load-sharing system will be failed if and only if all the three components are failed; therefore, there will be three tokens in $\text{Ps}.\text{down}$ when the system is failed. The capacity function of $\text{Ps}.\text{down}$ is equal to 3. Hence, we have $$\begin{array}{}\text{(9)}& K\left(\text{Ps}.\text{down}\right)=3.\end{array}$$

$\text{T}i\left(i=1,2,3\right)$ denotes the failure of the $i$th component when all the three components are operating. $\text{T}{i}^{\prime }\left(i=1,2,3\right)$ denotes the failure of the $i$th component when one of the other two components is failed. $\text{T}{i}^{"}\left(i=1,2,3\right)$ denotes the failure of the $i$th component when the other two components are failed. The firing times of $\text{T}i$, $\text{T}{i}^{\prime }$, and $\text{T}{i}^{"}$ are equal to the time to failure of the $i$th component in the case that all the three components are operating, one of the other two components is failed, and the other two components are failed, respectively. $\text{Ti}1$ to $\text{Ti}6$ are all immediate transitions.

The weight of the arc originating from $\text{Ps}.\text{down}$ is equal to 3; the weights of the arcs between $\text{Ti}2$ and $\text{Ps}.\text{down}$, $\text{Ti}4$ and $\text{Ps}.\text{down}$, and $\text{Ti}6$ and $\text{Ps}.\text{down}$ are all equal to 2; and the weights of all other arcs are equal to 1.

To a load-sharing architecture with two components, the Petri net-based reliability model can be simplified. Figure 5 illustrates the model of a load-sharing architecture with two components.

3.4. Petri Net-Based Hierarchical Reliability Model

Creating the Petri net-based reliability model of a large system can be a cumbersome task. A Petri net-based hierarchical reliability model is proposed to simplify the reliability modeling of large systems in this section, and the state space explosion problem can be avoided to some extent.

In our model, a transition is used to represent an entire piece of net architecture or a branch of the Petri net. Such a transition is a substitution transition. Thus, a large Petri net can be simplified by replacing its small pieces of net or branches by substitution transitions. In this study, we use a square to denote the substitution transition. When the substitution transition is used to represent the pieces of net or branch architectures, two immediate transitions should be added. One is connected to the $\text{Ps}.\text{down}$ place, and the other is connected to the places that have tokens in the initial markings. Take the static architecture given in Figure 1 as an example; the corresponding piece of the net architecture represented by the substitution transitions is shown in Figure 6.

4. Stochastic Petri Net-Based Monte Carlo Simulation for Reliability Evaluation

A Monte Carlo simulation method is proposed for the stochastic Petri net-based reliability model, and the lifetime samples can be obtained via the Monte Carlo simulation. In this way, the reliability parameters can be calculated in terms of the lifetime samples.

4.1. Procedure of Stochastic Petri Net-Based Monte Carlo Simulation

The input of our Monte Carlo simulation procedure includes as follows:

(1)

The input incidence matrix ${\mathbf{W}}^{-}=\left[W\left(p_i,t_j\right)\right]$

The flowchart of the Monte Carlo simulation procedure is given in Figure 7. We can get one sample of the system lifetime from one simulation.

The detailed procedure of the Monte Carlo simulation is as follows.

4.2. Reliability Parameter Calculation Based on Lifetime Samples

Let $s_1,s_2,\cdots ,s_{N_{\max }}$ denote the $N_{\max }$ ordered lifetime samples, i.e., $s_1\le s_2\le \cdots \le s_{N_{\max }}$; the estimate of reliability can be expressed as follows: $$\begin{array}{}\text{(10)}& \widehat{R}\left(s_i\right)=\frac{N_{\max }-i}{N_{\max }}.\end{array}$$

In this way, we can get a corresponding reliability value $\widehat{R}\left(s_i\right)$ for each lifetime sample $s_i$. By treating the $N_{\max }$ pairs of $s_i$ and $\widehat{R}\left(s_i\right)$ as training samples, we can get the regression curve of reliability function by using the backpropagation (BP) neural network. The method we used here is a kind of nonparametric regression; we do not make the assumption that the lifetime follows a specific distribution such as exponential distribution, lognormal distribution, or Weibull distribution. This is reasonable that the lifetime of a complex system may not follow a specific distribution.

The BP neural network we used has three layers, which are the input layer, the hidden layer, and the output layer. Both the input layer and the output layer only have one unit (neuron); the input unit denotes the lifetime sample $s_i$ and the output unit denotes the corresponding estimate of reliability function $\widehat{R}\left(s_i\right)$. The neural network we used is shown in Figure 8.

According to the structure of the BP neural network, the reliability function can be expressed as follows: $$\begin{array}{}\text{(11)}& R\left(t\right)=\frac{1}{1+\exp \left[-{\sum }_{i=1}^n\left(\left(w_{2i}\right)/\left(1+\exp \left(-w_{1i}t\right)\right)\right)\right]},\end{array}$$where $w_{1i}$ and $w_{2i}$ are weights, and we can get the optimal values of weights by backpropagation algorithm.

5. Case Study

In the case study, a rudder control system of a commercial aircraft is used to illustrate the application and effectiveness of our proposed approach.

5.1. System Description

The rudder control system also consists of the sensor subsystem, the flight-control-computer subsystem, and the servo-control subsystem. Figure 9 shows the architecture of the rudder control system.

The sensor subsystem consists of the pedal position transducers, the inertial measurement units (IMUs), and the rudder position transducers. The pedal position transducer subsystem has a 2-out-of-4 architecture, and both the IMU subsystem and the rudder position transducer subsystem have a 2-out-of-3 architecture, namely, the triple modular redundancy (TMR).

The flight-control-computer subsystem has three independent channels. Each channel has an input signal monitor, a set of control laws, and a cross-channel monitor. The three channels can become any one of these three channels: the command channel, the standby channel, and the monitor channel. The command channel transmits its command output signals to the servo-control subsystem. It also has a channel monitoring function to find and isolate failures in the standby and monitor channels. The standby channel transmits test data only, and it becomes the command channel and transmits its command output signals to the servo-control subsystem when a failure causes the command channel to shut down. It also performs monitoring functions to find and isolate failures in the command and monitor channels. The monitor channel also transmits test data only. Its command output signals are used internally to find failures in the command and standby channels. The monitor channel becomes the standby channel when the command channel shuts down. The reliability model of the flight-control-computer subsystem has the characteristics of both the standby and the 2-out-of-3 architectures. The command channel is the active state; both the standby and monitor channels are in the warm standby state. The subsystem will be failed if and only if at least two of the three channels are failed.

The hydraulic actuation is achieved by the servo-control subsystem composed of two electrohydraulic servo-controls for the rudder. Each servo-control has two kinds of operation modes, which are the active mode (state) and the damping mode. Both the servo-controls are in the active mode initially, and they have identical failure rate in this situation. When one of the servo-controls is failed, the failed servo-control will be in the damping mode and the other one will be in the active mode. And the failure rate of the servo-control in the active mode will increase.

5.2. Petri Net-Based System Reliability Model

The Petri net-based reliability model of the pedal position transducer subsystem can be expressed as Figure 10(a), and both the IMU subsystem and the rudder position transducer subsystem can be expressed as Figure 10(b).

[figures omitted; refer to PDF]

The Petri net-based reliability model of the flight-control-computer subsystem is shown in Figure 11.

The Petri net-based reliability model of the servo-control subsystem is shown in Figure 12.

The Petri net-based reliability model of the rudder control system is given in Figure 13.

In Figure 13, the place $\text{P}1.\text{up}$ to $\text{P}5.\text{up}$ denote the operating state of the pedal position transducer subsystem, the IMU subsystem, the rudder position transducer subsystem, the flight-control-computer subsystem, and the servo-control subsystem, respectively. $\text{T}1$ to $\text{T}5$ are all substitution transitions which are used to denote the failure of the abovementioned subsystems.

5.3. Results and Discussion

The component failure rates of the rudder control system are given in Table 1.

Table 1

Component failure rates of the rudder control system.

In Table 1, ${\lambda }_{\text{P}}$, ${\lambda }_{\text{I}}$, ${\lambda }_{\text{R}}$, ${\lambda }_{\text{F}}$, and ${\lambda }_{\text{S}}$ are the failure rates in the active state of pedal position transducers, IMUs, rudder position transducers, flight-control-computer channels, and servo-controls, respectively. ${\lambda }_{\text{F}}^{-}$ is the failure rate of the flight-control-computer channels operating as the standby or monitor channels. ${\lambda }_{\text{S}}^{+}=1.5\times {10}^{-6}$ is the increased failure rate the sever-control when the other one is failed. We let $N_{\max }=1000$, and 1000 lifetime samples of the system can be obtained. The reliability curve calculated by Equation (10) is shown in Figure 14. The analytical reliability function and the regression curve of the reliability function obtained by the BP neural network are also shown in Figure 13. The BP neural network used in this case study has ten neurons in the hidden layer.

The analytical expression of the system reliability function can be expressed as follows: $$\begin{array}{}\text{(12)}& R\left(t\right)=R_{\text{P}}\left(t\right)R_{\text{I}}\left(t\right)R_{\text{R}}\left(t\right)R_{\text{F}}\left(t\right)R_{\text{S}}\left(t\right),\end{array}$$where $R_{\text{P}}\left(t\right)$, $R_{\text{I}}\left(t\right)$, $R_{\text{R}}\left(t\right)$, $R_{\text{F}}\left(t\right)$, and $R_{\text{S}}\left(t\right)$ are the reliability function of the pedal position transducer subsystem, the IMU subsystem, the rudder position transducer subsystem, the flight-control-computer subsystem, and the servo-control subsystem, respectively.

$R_{\text{P}}\left(t\right)$, $R_{\text{I}}\left(t\right)$, and $R_{\text{R}}\left(t\right)$ can be calculated by RBD, and $R_{\text{F}}\left(t\right)$ and $R_{\text{S}}\left(t\right)$ can be calculated by the Markov process as all failure rates are constant values. They can be expressed as follows: $$\begin{array}{c}\text{(13)}& R_{\text{P}}\left(t\right)=\sum _{i=2}^4{C}_4^i{\left(e^{-{\lambda }_{\text{P}}t}\right)}^i{\left(1-e^{-{\lambda }_{\text{P}}t}\right)}^{4-i},R_{\text{I}}\left(t\right)=\sum _{i=2}^3{C}_3^i{\left(e^{-{\lambda }_{\text{I}}t}\right)}^i{\left(1-e^{-{\lambda }_{\text{I}}t}\right)}^{3-i},\\ R_{\text{R}}\left(t\right)=\sum _{i=2}^3{C}_3^i{\left(e^{-{\lambda }_{\text{R}}t}\right)}^i{\left(1-e^{-{\lambda }_{\text{R}}t}\right)}^{3-i},\\ R_{\text{F}}\left(t\right)=\left(\frac{{\lambda }_{\text{F}}+2{\lambda }_{\text{F}}^{-}}{{\lambda }_{\text{F}}^{-}}\right)e^{-\left({\lambda }_{\text{F}}+{\lambda }_{\text{F}}^{-}\right)t}-\left(\frac{{\lambda }_{\text{F}}+{\lambda }_{\text{F}}^{-}}{{\lambda }_{\text{F}}^{-}}\right)e^{-\left({\lambda }_{\text{F}}+2{\lambda }_{\text{F}}^{-}\right)t},\\ R_{\text{S}}\left(t\right)=e^{-2{\lambda }_{\text{S}}t}+\frac{2{\lambda }_{\text{S}}}{2{\lambda }_{\text{S}}-{\lambda }_{\text{S}}^{+}}\left(e^{-{\lambda }_{\text{S}}^{+}t}-e^{-2{\lambda }_{\text{S}}t}\right),\end{array}$$where $C_n^m$ is the combination formula which can be expressed as follows: $$\begin{array}{}\text{(14)}& C_n^m=\frac{n!}{m!\left(n-m\right)!}.\end{array}$$

Figure 15 shows the error between the analytical reliability function and the regression reliability function. And the maximum value of the error is 0.0174 when the lifetime is 723154 hours.

To the system of a civil aircraft, we usually care about the reliability in a flight duration which varies from a few hours to a dozen hours. We set the flight duration as 15 hours arbitrarily; the results obtained by both the analytical method and our Monte Carlo simulation-based regression method show that the reliability of the fly-by-wire system in a flight duration is greater than 99.99%.

Figure 16 shows the error between the analytical reliability function and the regression reliability function in the flight duration. The maximum error is $8.28\times {10}^{-5}$ and the minimum error is $8.10\times {10}^{-5}$ which illustrate that the error in a flight duration is negligible, although the error is greater than 0.01 in the whole life as shown in Figure 14.

6. Conclusion

In this study, stochastic Petri net-based reliability models are established for series, parallel, $m$-out-of-$n$, warm standby, cold standby, and load-sharing architectures, which are commonly used in the fly-by-wire system. And a reliability evaluation approach is proposed by using Monte Carlo simulation in terms of the stochastic Petri net-based reliability models.

Compared with the traditional reliability modeling tools such as RBD (DDA), FTA, and MA, our proposed approaches have the following advantages:

(1)

The time-dependent failure characteristics can be expressed by stochastic Petri net-based reliability models, and the model can be simplified by using the substitution transitions to construct a hierarchical reliability model. In this way, the state space explosion of the Markov model can be reduced to some extent

Acknowledgments

The authors wish to appreciate the support from the National Natural Science Foundation of China (U1733124) and the Aeronautical Science Foundation of China (20180252002).