2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C)

A Model-based RCM Analysis Method


Zhibao Mian
College of Computer Science & Engineering, Northwest Normal University, Lanzhou, China
[email protected]

Shuli Jia
Department of Computer Science, North Minzu University, Yinchuan, China
[email protected]

Xiaodong Shi
Department of Computer Science, North Minzu University, Yinchuan, China
[email protected]

Cairong Tang
Department of Computer Science, North Minzu University, Yinchuan, China
[email protected]

Junjie Chen
Department of Computer Science, North Minzu University, Yinchuan, China
[email protected]

Yaqing Gao
Department of Computer Science, North Minzu University, Yinchuan, China
[email protected]

Abstract—The reliability-centered maintenance (RCM) is one of the most advanced maintenance plan generating technologies for equipment. At present, the key technologies such as FMEA and FMECA supporting the RCM analysis remain in the manual stage in some enterprises. The disadvantages are that they are time-consuming, labour-intensive and error-prone. For complex systems containing thousands of components, achieving a fast and effective FMECA analysis is difficult. RCM should benefit from the most advanced model-based systems engineering methods. In this paper, a model-based RCM analysis framework (MRAF) is presented. Based on this framework, RCM analysts can use model-based reliability analysis techniques, such as AADL, to model the system architecture and fault information. Then the AADL-based analysis platform OSATE can be used to automatically produce the FMEA. By combining the generated FMEA with the criticality analysis (CA) technology, this paper can semi-automatically generate the FMECA for equipment and systems being analyzed by RCM.

Keywords—Reliability-centered maintenance, AADL, MRAF, FMEA, FMECA

I. INTRODUCTION

Currently, the functions and structures of equipment are gradually developing towards complexity and diversification, which makes their dependability analysis much more difficult. It is very hard to determine which component or process has caused the entire system to fail by traditional maintenance methods such as regular inspection. Moreover, to satisfy the dependability performance of equipment and systems in each phase of their maintenance life cycle, an automated dependability analysis is required. There is still a lack of automated, accurate, dependable, and reusable analysis methods in this field.

Some advanced maintenance methods such as Total Productive Maintenance (TPM) [1], Condition-based Maintenance (CBM) [2], Preventive Maintenance (PM) [3] and Reliability Centered Maintenance (RCM) [4] are compared and analyzed in this paper (as shown in Table I).

TABLE I. THE COMPARISON OF THE TPM, CBM, PM AND RCM

TPM
Context: It focuses on maximizing equipment efficiency by creating the perfect relationship between employees and equipment [1].
Advantage: Its teamwork could maximize the efficiency of equipment.
Disadvantage: Its maintenance content is wide; it is only carried out after the equipment fails.

CBM
Context: It obtains the equipment information by detecting the equipment; it uses this status information to make equipment maintenance requirements.
Advantage: Condition monitoring could obtain equipment failure information in real time or near real time; it minimizes the time spent on maintenance [2].
Disadvantage: Condition monitoring test equipment and the costs to train staff are expensive.

PM
Context: It is regularly performed on a piece of equipment to lessen the likelihood of it failing [3].
Advantage: Making planning is the biggest benefit to prevent failure.
Disadvantage: High cost, labor-intensive, large spare parts inventory and unnecessary maintenance.

RCM
Context: It uses failure modes and effect analysis methods based on reliability theory to determine equipment maintenance needs and methods [7]; it focuses on the critical system (the important functional system) and improves the reliability and safety of equipment.
Advantage: It can avoid or reduce unnecessary maintenance work and minimize maintenance costs [6]; it selects the most appropriate maintenance tactic (TPM, CBM, etc.) for each failure mode of a system [5].
Disadvantage: Its seven steps are implemented separately from each other, which is inconvenient.

Following the analysis of the above methods, the RCM is selected in this paper as a maintenance technology with great economy and reliability for complex systems. The traditional procedure of applying the RCM method [8] is as follows:

978-1-7281-8915-4/20/$31.00 ©2020 IEEE 301


DOI 10.1109/QRS-C51114.2020.00059

Authorized licensed use limited to: University of Prince Edward Island. Downloaded on June 07,2021 at 18:48:12 UTC from IEEE Xplore. Restrictions apply.
• Step1: System selection and data collection. The most critical system should be screened because the RCM analysis requires time and resources. Next, the system information is collected, mainly including system component information and fault data.

• Step2: System boundary definition. System boundaries and definitions lay the foundation for the system selection in step1. They usually have been found in the normal course of equipment design.

• Step3: System components and functional block description. The essential details of the critical system must be identified and recorded to perform the remaining steps in a thorough and technically reasonable manner. The functional block is a top-level representation of the major functions that the system performs.

• Step4: System functions and functional fault definition. The previous steps provide the basis for effectively defining the system functions in this step. A complete list of system functions is defined by the RCM analysts. They also need to define the functional failures to determine how functions might be defeated.

• Step5: Generate system FMEA and FMECA. This step identifies the failure modes that could potentially generate unexpected functional failures. The failures are based on the results of step4 of RCM. The RCM expert analyzes the impact of these failures on the entire system. The FMECA goes a step further, assessing the risks associated with each failure mode and then prioritizing corrective action.

• Step6: RCM logic decision analysis. The failure modes in step5 are further classified in this step. The goal of this step is to further prioritize the resources and emphasis in terms of the impact of each failure mode.

• Step7: Maintenance plan. For each of the failure modes identified in step6, this step ascertains a list of appropriate candidate tasks. Then the most effective task from among the competing candidates is eventually selected to formulate a maintenance plan.

In the above 7 steps, the first 4 steps are used to collect the equipment's information. Step 5 comprehensively analyzes the collected information and produces the important FMEA and FMECA tables. Meanwhile, FMEA and FMECA play a key role in the logical decision step (step6) and the maintenance plan step (step7). Thus, how to generate an accurate FMEA and FMECA is crucial for RCM analysis.

Traditional FMEA and FMECA analysis methods are highly subjective. The accuracy of the analysis results highly depends on the engineers' skills. For the same system, FMEA and FMECA analyzed by different engineers may vary greatly due to differences in their knowledge and thinking approaches [9]. Meanwhile, these technologies also gradually show some shortcomings, e.g. consuming a large amount of time, manpower and material resources, and being error-prone for complex systems. One of the major difficulties is that RCM needs to link and track all of the various functional failure-component combinations to generate the FMEA. For small systems, the FMEA could be produced manually. But for systems with a large number of components, it is quite hard to generate the FMEA by using manpower. The model-based system engineering (MBSE) method [11] is considered as an effective means to solve this problem. The MBSE emphasizes the establishment of a comprehensive model of system function and reliability. The model requires defining a system's constituent elements and normal operating behaviors. Then, the fault behaviors of the system are described and annotated to the system model, so that FMEA and FMECA can be automatically exported.

In light of the above research, this paper proposes a model-based RCM analysis framework (MRAF). The MRAF is used to perform the RCM analysis by building a comprehensive model for a complex system. The process is that the information of the RCM's first four steps is established in a system model by using modeling languages and tools. By using the proposed MRAF, the FMEA can be automatically generated. The FMECA table can also be semi-automatically generated. These tables can be further used later for RCM logic decision analysis and maintenance plan generation.

II. RELATED WORK

The MBSE provides support for automated FMEA and FMECA analysis through architecture fault and criticality modeling [25]. Reference [12] introduced the development of model-based reliability analysis techniques for complex systems. In model-based system engineering, it is required to build various modeling languages to support various analyses. Researchers have compared and analyzed some well-known modeling languages, including UML (unified modeling language), East-ADL (electronics architecture and software technology-architecture description language), SysML (system modeling language) and AADL (architecture analysis and design language) [14-16], and summarized their advantages and disadvantages. From the comparison of the above modeling languages, AADL's architecture and fault modeling mechanisms could promote RCM analysis and more easily meet the modeling requirements for large complex systems. Therefore, AADL and its supporting open-source tool platform OSATE [22] are selected to demonstrate the proposed MRAF method. A system's architecture is modeled by using AADL's specific semantic elements. The fault information (error model) of a system is described by using the AADL-based error model annex EMV2 [10, 19]. Moreover, EMV2 specifies the system failure behavior and error propagation to address the reliability aspects of the system architecture [18, 19], which is very suitable as the reliability analysis background for the proposed MRAF method.

Some research has been done on using AADL and its EMA to automatically generate FMEA [20-21]. Wang et al. [26] proposed a reliability modeling method for the Integrated Modular Avionics System based on AADL and EMA [17]. Gu et al. [29] developed the FMEA and CA properties into AADL's error model annex to generate the FMECA table automatically. Currently, their method has not yet been integrated into OSATE. In this paper, we adopt the CA method developed in [29] to create AADL's criticality model.

III. THE MODEL-BASED RCM ANALYSIS FRAMEWORK (MRAF)

A. An overview of the Framework

This paper proposes a MRAF as shown in the right-hand side of Fig. 1, which integrates the seven steps of the traditional RCM analysis procedure (as shown in the left-hand side of Fig. 1) into a comprehensive model by using the MBSE techniques [13]. The comprehensive model is divided into three phases to integrate the different steps of RCM. This paper concentrates on the first phase.

Fig. 1. The correspondence diagram of the traditional RCM analysis method and the model-based RCM analysis framework (MRAF).
In Fig. 1, the first three steps of the traditional RCM correspond to the MRAF's M1. The RCM's step4 corresponds to the M2 and M3 of the MRAF. The RCM's step5, step6 and step7 correspond to the MRAF's M4, M5 and M6 respectively.

The first phase of the MRAF includes the RCM reliability model, the fault data and manpower such as the system and reliability experts. By adopting the model-based reliability analysis technology, the defined features of the first four steps of the traditional RCM are implemented in the RCM reliability model. Next, through analyzing the RCM reliability model, the FMEA and FMECA shown in step5 of the traditional RCM method are obtained automatically. Besides, the fault data in Fig. 1 is defined to collect the critical systems' historical fault data such as failure probability. The fault data is collected and analyzed by the reliability experts for the RCM reliability model. The second phase describes that the RCM decision logic diagram could be automatically generated by adding RCM logic decision analysis information to the MRAF model. The third phase adds the maintenance information into the MRAF model by using intelligent maintenance planning technologies to automatically analyze and generate maintenance plans.

B. The Description of the First Phase of MRAF

1) RCM pre-analysis system architecture modeling: The pre-analysis system in the RCM reliability model mainly builds an RCM architecture model for the first three defined features of the traditional RCM analysis. A system's architecture model is built for each component and subsystem and the connections between them by using architecture modeling languages such as SysML [23] or AADL.

It is important to note that the system architecture model could only include the lowest level of repairable and detachable components.

2) System fault behavior modeling and fault data annotation: This step mainly builds an RCM error model specifying the fault and dangerous behavior of the system. The fault information is annotated into the RCM architecture model. Annotation means associating the architecture model with the corresponding fault data.

3) RCM criticality model: A criticality analysis (CA) feature of the system (shown as M3 in Fig. 1) is implemented in the system model to build an RCM criticality model. The CA [27] feature could assign criticality ratings to assets based on their potential risks. It is composed of the risk priority number (RPN).

The RPN consists of the occurrence probability ranking (OPR), the effect severity ranking (ESR) and the detection difficulty ranking (DDR). The RPN value is the product of the values of OPR, ESR and DDR (each ranging from 1 to 10) as defined in IEC 60812 [27]. The values of OPR, ESR and DDR could be obtained by combining the experience and knowledge of experts with standards. Finally, the RPN promotes the establishment of the RCM criticality model.

4) Generate system FMEA and FMECA: The RCM architecture model, fault model and RCM criticality model are used to build the RCM reliability model. The RCM reliability model can be used to automatically generate the FMEA and FMECA reports including failure modes, failure effects and hazard analysis for the overall system. The reports can help engineers to find reliability defects and eliminate or control component hazards to an acceptable level. More important, in the context of this paper, advanced maintenance decisions for the system can also be obtained automatically based on those important FMEA and FMECA reports.

IV. ILLUSTRATIVE EXAMPLE

In this section, to realize the application of MRAF, an important subsystem of a GPS is analyzed by the MRAF. The RCM reliability model in the MRAF is implemented as an AADL reliability model. An AADL reliability model includes an AADL architecture model, an AADL error model and an AADL criticality model. These models can be modelled by using AADL's OSATE platform [22].

A. AADL Architecture Modeling for the GPS.computeerror System

A complex GPS system can be divided into several subsystems in terms of functional independence. A system selected should be critical depending on its effect on operations, its previous costs of repair, its frequency of failures and the time leading to downtime. Therefore, the GPS.computeerror system, one of the important GPS subsystems [28], is chosen to illustrate the MRAF method. We adjusted the GPS.computeerror system for the convenience of demonstrating our method. This system is mainly used to calculate possible errors in positioning data. The system's software and hardware architecture and their corresponding functions are described by using the AADL concepts of components and connections.

Fig. 2 shows the top-level architectural model of the GPS.computeerror system. In the top of Fig. 2, an AADL architecture model of the system is built on the OSATE platform by using its graphical modeling approach. The corresponding AADL text description is shown in the bottom of Fig. 2. The system mainly has the following components: power supply (component type device), satellite signal receiver (device), CPU (processor), processing (process) and network (bus). Each system or task has its corresponding input and output data and events, which is implemented through the concept of ports, such as satelliteSignal (abstract feature), networkaccess (access port) and sensedData (data port). The functional requirements of the system (data exchange) are realized through connections such as sattoSatelliteSignalReceiver1 (line 13 in Fig. 2). An abstract processing is used to describe one of the system tasks and is achieved by using AADL's process component type. The AADL architecture model of the GPS.computeerror system is created by the above modeling work. This model is the implementation of the RCM pre-analysis system architecture modeling in the first phase of the MRAF method.


1 system implementation GPS.computeerror
2 features
3 satelliteSignal: in feature;
4 location: out data port;
5 subcomponents
6 SatelliteSignalReceiver1: device GPSParts::sensor;
7 processing: process GPSParts::GPSProcessing;
8 cpu1: processor GPSHardwareParts::CPU;
9 network: bus GPSHardwareParts::Network;
10 powersupply1: device GPSHardwareParts::PowerSupply;
11 connections
12 -- logical connections
13 sattoSatelliteSignalReceiver1: feature satelliteSignal -> SatelliteSignalReceiver1.satelliteSignal;
14 s1toproc: port SatelliteSignalReceiver1.sensedData -> processing.inSensor1;
15 proctoext: port processing.location -> location;
16 -- physical network connections
17 s1tonetwork: bus access network <-> SatelliteSignalReceiver1.networkaccess;
18 cputonetwork: bus access cpu1.networkaccess <-> network;
19 -- power connections
20 powertos1: feature powersupply1.power -> SatelliteSignalReceiver1.powersource;
21 powertocpu: feature powersupply1.power -> cpu1.powersource;
22 powertonetwork: feature powersupply1.power -> network.power;

Fig. 2. The AADL architecture model and its corresponding text description for the GPS.computeerror system [28].
B. AADL Error Model for the GPS.computeerror

After completing the AADL architecture modeling, a corresponding error model needs to be built, i.e. each component is annotated with its error behavior information for the system. To illustrate the AADL error model construction process, the component powersupply1 is used as an example (as shown in Fig. 3). Other components use the same fault modeling method. The error model includes the declarations of error events, error propagations and error flows.

In Fig. 3, the PowerSupply defines a component error behavior that declares the error event 'PowerFailure'. After the 'PowerFailure' error event occurs, the device changes its state from the 'Operational' state to the 'FailStop' state. Then, the device propagates the error type 'power{ServiceOmission}' through the three connection declarations (lines 20 to 22 in Fig. 2).

Fig. 3. The error model for the powersupply1 component in the GPS.computeerror system.

The system component failure and impact information is annotated into its AADL architecture model to create an AADL error model, so as to specify the fault and dangerous behavior of the system. This work is the implementation of the system fault behavior modeling and fault data annotation in the first phase of the MRAF method.

C. AADL criticality model for the GPS.computeerror

In the bottom of Fig. 3, a CA property is defined and annotated to EMV2. According to the criticality analysis (CA) standard and the experience of RCM experts, the effect severity ranking (ESR), occurrence probability ranking (OPR) and detection difficulty ranking (DDR) grades (lines 20 to 25 in Fig. 3) for the error event 'PowerFailure' defined for the component powersupply1 are annotated to the AADL model. The annotation of the CA property for each component is used to create an AADL criticality model. The combination of the AADL architecture model, the AADL error model and the criticality model is called the AADL reliability model. This is the concrete implementation of the RCM reliability model.

D. Generate system FMEA and FMECA based on AADL

The previous steps have developed an AADL reliability model including the first four defined features of RCM. AADL then uses this reliability model to obtain the FMEA and FMECA. By using the 'Analyze Fault Impact' command on the OSATE platform, the FMEA report for the AADL reliability model built above can be automatically generated, as shown in Table II. By combining the generated FMEA with the criticality analysis (CA) technology, the paper can semi-automatically produce the FMECA for the GPS.computeerror system, as shown in Table II.

TABLE II. THE FMECA REPORT FOR THE GPS.COMPUTEERROR SYSTEM

The FMECA consists of the FMEA part (columns No. to 3rd Level Effect) and the CA part (OPR, ESR, DDR, RPN). In the original layout the CA cells span all rows of the same initial failure mode; they are repeated per row here.

| No. | Component | Initial Failure Mode | 1st Level Effect | Failure Mode | 2nd Level Effect | Failure Mode | 3rd Level Effect | ... | OPR | ESR | DDR | RPN |
|-----|-----------|----------------------|------------------|--------------|------------------|--------------|------------------|-----|-----|-----|-----|-----|
| 1 | SatelliteSignalReceiver1 | {SensorFailure} | {ServiceOmission} sensedData -> processing:inSensor1 | processing{ServiceOmission} | {ServiceOmission} location -> GPS_computeerror_Instance:location [External Effect] | | | ... | 6 | 3 | 5 | 90 |
| 2 | network | {NetworkFailure} | {ServiceOmission} bindings -> [No Binding] | | | | | ... | 7 | 3 | 5 | 105 |
| 3 | network | {NetworkFailure} | {ServiceOmission} access -> SatelliteSignalReceiver1:networkaccess | SatelliteSignalReceiver1{ServiceOmission} | {ServiceOmission} sensedData -> processing:inSensor1 | processing{ServiceOmission} | {ServiceOmission} location -> GPS_computeerror_Instance:location [External Effect] | ... | 7 | 3 | 5 | 105 |
| 4 | network | {NetworkFailure} | {ServiceOmission} access -> cpu1:networkaccess | cpu1{ServiceOmission} [All Out Props] | {ServiceOmission} networkaccess -> network:access | network{ServiceOmission} | {ServiceOmission} bindings -> [Propagation Cycle] | ... | 7 | 3 | 5 | 105 |
| 5 | cpu1 | {CPUFailure} | {ServiceOmission} bindings -> [No Binding] | | | | | ... | 7 | 5 | 3 | 105 |
| 6 | cpu1 | {CPUFailure} | {ValueError} bindings -> [No Binding] | | | | | ... | 7 | 5 | 3 | 105 |
| 7 | processing | error event computeError | {InaccurateData} location -> GPS_computeerror_Instance:location [External Effect] | | | | | ... | 5 | 3 | 3 | 45 |
| 8 | processing | {LowPrecisionData} | {LowPrecisionData} location -> GPS_computeerror_Instance:location [External Effect] | | | | | ... | 7 | 5 | 2 | 70 |
| 9 | powersupply1 | error event PowerFailure | {ServiceOmission} power -> SatelliteSignalReceiver1:powersource | SatelliteSignalReceiver1{ServiceOmission} | {ServiceOmission} sensedData -> processing:inSensor1 | processing{ServiceOmission} | {ServiceOmission} location -> GPS_computeerror_Instance:location [External Effect] | ... | 5 | 6 | 3 | 90 |
| 10 | powersupply1 | error event PowerFailure | {ServiceOmission} power -> cpu1:powersource | cpu1{ServiceOmission} [Unhandled Failure Effect] | | | | ... | 5 | 6 | 3 | 90 |
| 11 | powersupply1 | error event PowerFailure | {ServiceOmission} power -> network:power | network{ServiceOmission} | {ServiceOmission} bindings -> [No Binding] | | | ... | 5 | 6 | 3 | 90 |
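To make the fault-impact trace and the FMEA-to-FMECA combination concrete, the following Python example is added here; it is not the paper's code and not OSATE's implementation of 'Analyze Fault Impact'. It hand-builds a simplified component graph from the connection declarations in Fig. 2, assumes its own error flows and error sources for each component (constructed; binding points are not modelled, so the rows differ from Table II in detail), traces each error source to its terminal effect the way the table's effect columns read, and then joins the OPR, ESR and DDR rankings taken from Table II to compute the RPN as their product. All function names are the example's own.

```python
"""Added example, not the paper's code and not OSATE's algorithm: a toy fault-impact
trace that builds FMEA rows over a component graph, then joins CA rankings to get
an FMECA. Graph, error flows, sources and rankings are hand-built from Fig. 2 and
Table II of the paper and simplified; OSATE's own report differs in detail."""
TOP = "GPS_computeerror_Instance"  # the top-level system instance
# Propagation paths from the connection declarations in Fig. 2:
# (source component, out port) -> [(destination component, in port)].
CONNECTIONS = {
    ("powersupply1", "power"): [("SatelliteSignalReceiver1", "powersource"),
                                ("cpu1", "powersource"), ("network", "power")],
    ("SatelliteSignalReceiver1", "sensedData"): [("processing", "inSensor1")],
    ("processing", "location"): [(TOP, "location")],
    ("network", "access"): [("SatelliteSignalReceiver1", "networkaccess"), ("cpu1", "networkaccess")],
    ("cpu1", "networkaccess"): [("network", "access")],  # bus access is <->
}
# Error flows inside components (constructed): (component, in port, type) ->
# [(out port, type)]; "*" means every outgoing point ("All Out Props"). cpu1 has
# no path for ServiceOmission on powersource, so that effect stays unhandled.
ERROR_PATHS = {
    ("SatelliteSignalReceiver1", "powersource", "ServiceOmission"): [("sensedData", "ServiceOmission")],
    ("SatelliteSignalReceiver1", "networkaccess", "ServiceOmission"): [("sensedData", "ServiceOmission")],
    ("processing", "inSensor1", "ServiceOmission"): [("location", "ServiceOmission")],
    ("network", "power", "ServiceOmission"): [("access", "ServiceOmission")],
    ("network", "access", "ServiceOmission"): [("*", "ServiceOmission")],
    ("cpu1", "networkaccess", "ServiceOmission"): [("*", "ServiceOmission")],
}
# Error sources: (component, error event, out port, propagated error type).
ERROR_SOURCES = [
    ("SatelliteSignalReceiver1", "SensorFailure", "sensedData", "ServiceOmission"),
    ("network", "NetworkFailure", "access", "ServiceOmission"),
    ("cpu1", "CPUFailure", "networkaccess", "ServiceOmission"),
    ("processing", "computeError", "location", "InaccurateData"),
    ("powersupply1", "PowerFailure", "power", "ServiceOmission"),
]
# CA rankings (OPR, ESR, DDR) per initial failure mode, copied from Table II.
CA_RATINGS = {
    ("SatelliteSignalReceiver1", "SensorFailure"): (6, 3, 5),
    ("network", "NetworkFailure"): (7, 3, 5),
    ("cpu1", "CPUFailure"): (7, 5, 3),
    ("processing", "computeError"): (5, 3, 3),
    ("powersupply1", "PowerFailure"): (5, 6, 3),
}

def outgoing_ports(component):
    # All outgoing propagation points declared for a component.
    return [port for comp, port in CONNECTIONS if comp == component]

def trace_impact(component, out_port, error_type, visited=()):
    """Follow one outgoing propagation to every terminal effect. Each trace is a
    list of strings in the style of Table II's effect columns and ends with
    [External Effect], [Unhandled Failure Effect] or [Propagation Cycle]."""
    key = (component, out_port, error_type)
    if key in visited:  # this type was already sent on this point: a cycle
        return [["[Propagation Cycle]"]]
    visited = visited + (key,)
    targets = CONNECTIONS.get((component, out_port))
    if not targets:  # constructed marker; OSATE would report e.g. [No Binding]
        return [[f"{{{error_type}}} {out_port} -> [No Connection]"]]
    traces = []
    for dst, in_port in targets:
        step = f"{{{error_type}}} {out_port} -> {dst}:{in_port}"
        if dst == TOP:  # reached the boundary of the top-level system
            traces.append([step + " [External Effect]"])
            continue
        paths = ERROR_PATHS.get((dst, in_port, error_type))
        if not paths:  # no error path or sink declared for this input
            traces.append([step, f"{dst}{{{error_type}}} [Unhandled Failure Effect]"])
            continue
        for next_port, next_type in paths:
            ports = outgoing_ports(dst) if next_port == "*" else [next_port]
            for port in ports:
                for tail in trace_impact(dst, port, next_type, visited):
                    traces.append([step, f"{dst}{{{next_type}}}"] + tail)
    return traces

def generate_fmea():
    """One FMEA row per (error source, propagation trace)."""
    return [{"component": comp, "initial_failure_mode": event, "effects": trace}
            for comp, event, port, etype in ERROR_SOURCES
            for trace in trace_impact(comp, port, etype)]

def rpn(opr, esr, ddr):
    """Risk priority number: product of the three 1..10 rankings (IEC 60812)."""
    if not all(1 <= v <= 10 for v in (opr, esr, ddr)):
        raise ValueError("OPR, ESR and DDR must lie in the range 1..10")
    return opr * esr * ddr

def generate_fmeca():
    """Join the generated FMEA with the CA rankings, highest RPN first."""
    rows = []
    for row in generate_fmea():
        opr, esr, ddr = CA_RATINGS[(row["component"], row["initial_failure_mode"])]
        rows.append({**row, "OPR": opr, "ESR": esr, "DDR": ddr, "RPN": rpn(opr, esr, ddr)})
    return sorted(rows, key=lambda r: r["RPN"], reverse=True)

def highest_rpn_components(fmeca):
    """Components sharing the largest RPN: first candidates for the maintenance plan."""
    top = max(r["RPN"] for r in fmeca)
    return {r["component"] for r in fmeca if r["RPN"] == top}
```

Running generate_fmeca() on this model yields ten rows; the PowerFailure source alone produces one trace ending at the external location port, one unhandled effect at cpu1 and one propagation cycle through the bus, and the rows with the largest RPN belong to network and cpu1, which is the same prioritisation the paper draws from Table II. The cycle check keys on (component, outgoing point, error type), so a second visit with a different error type is still traced rather than cut off.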

The report is generated by tracing a fault occurrence from its error sources through the error flows within components and the propagation paths between components. The error flows are determined by the error flow declarations. The propagation paths are determined by the AADL connection declarations. It traces a failure from its error source or error event. Each effect column indicates the path of the outgoing propagation of one component to another component being affected by the propagation. The resulting failure mode of the receiving component is indicated in the next column. The trace terminates as an external effect, that is, an impact on the operational context of the top-level system, as being masked, or with a number of other indicators.

In Table II, the SatelliteSignalReceiver1's initial failure mode shows that the component, as a failure source, raises the fault '{SensorFailure}'. The fault propagates to the processing directly connected to it and is thus the 1st level effect. Then, the effect causes the processing to fail with 'processing{ServiceOmission}' and has a second level effect. The network's error '{NetworkFailure}' impact terminates as a 'No Binding', that is, the outgoing propagation is for a binding point, but the binding has not been specified yet. This network error has three propagation paths. The third propagation path (No.4) propagates the fault with the fault mode 'All Out Props'. This indicates the situation where an incoming propagation is mapped to all outgoing propagations. At last, the fault impact terminates as a 'Propagation Cycle'. It means the impact trace reaches an element in the trace that has previously propagated the same error type on the same outgoing propagation point.

The powersupply1's (No.10) initial failure mode shows that the component raises the failure event 'PowerFailure'. Its error impact terminates as an 'Unhandled Failure Effect'. It means an incoming failure effect that is not handled as a sink or by an outgoing error propagation, i.e., the incoming propagated error type is not listed in any error paths or outgoing error propagations.

For the CA in Table II, the network and cpu1 have the largest RPN number. This means that relevant work should be done to focus on solving these components' problems when formulating the maintenance plan of the system. The influence factors of their failure modes should be reduced.

The FMECA and FMEA provide an effective and scientific basis for the further classification of faults in RCM's logical decision (step6) and for formulating the maintenance plan (step7). Some suggestions for the formulation of maintenance programs are given. For instance, if a failed component has low reliability and leads to multiple repeated reaction failures, then maintenance personnel can carry out detailed inspections one by one and also replace those components with ones of higher reliability if necessary. Meanwhile, some auxiliary detection methods and equipment can be utilized for troubleshooting and maintenance [24]. According to the FMEA and FMECA reports and an acceptable maintenance level of the enterprise, the investment in maintenance time and cost for each failure mode can also be analyzed and considered.

V. CONCLUSIONS AND FUTURE WORK

This paper presents a model-based RCM analysis method. This method standardizes the traditional RCM analysis process, improves the operability and implementation rate of the RCM analysis, and provides support for the further development of RCM theory. The paper has implemented the first five steps of the traditional RCM analysis procedure in the proposed MRAF model by using AADL. After analyzing the model, the FMEA table, one of the significant bases for RCM analysis, has been obtained automatically. The FMECA table has been obtained semi-automatically by combining the generated FMEA with CA. The method is illustrated with an example system modeled in AADL. The hardware and software of the system have been modeled in the form of an AADL reliability model by using AADL architecture description and error model description in the OSATE platform. By analyzing the reliability model, the FMEA and FMECA tables are produced effectively. These tables are utilized to carry out further RCM decision analysis.

In future work, on the one hand, by using AADL's extension mechanism, an FMECA plug-in will be developed based on the OSATE platform to generate the FMECA automatically. On the other hand, by using AADL's extension mechanism, we will continue to extend our MRAF model to implement the remaining work (step6 and step7 as shown in Fig. 1) in the RCM analysis procedure.

ACKNOWLEDGMENT

This work was supported by the Ningxia Key Research and Development Plan Project (No.2018BEE03019), the Natural Science Foundation of Ningxia Province of China (No.2019AAC03120), the 2020 Scientific Research Ability Promotion Program for Young Teachers from the Northwest Normal University (No.NWNU-LKQN2020-15), and the Research start-up Project from the Northwest Normal University.

REFERENCES

[1] N. Habidin, S. Hashim, N. Fuzi, and M. Salleh, Total productive maintenance, kaizen event, and performance. The International Journal of Quality & Reliability Management, Vol. 35(9), 2018, pp. 1853-1867.
[2] T. Hiruta, T. Uchida, S. Yuda, and Y. Umeda, A design method of the data analytics process for condition-based maintenance. CIRP Annals - Manufacturing Technology, Vol. 68(1), 2019.
[3] N. Yang, Research on preventive maintenance strategy for the task-based system. Beijing Jiaotong University, 2019.
[4] J. Liu, Reliability-centered maintenance implementation analysis and research in the chemical industry. Tsinghua University, 2016.
[5] Y. Wu, X. Jia, L. Wen, W. Song, and C. Guo, Review on the Development and Application of Reliability-centric Maintenance (RCM). Journal of Ordnance Engineering College, Vol. 28(04), 2016, pp. 13-21.
[6] C. Luo, Research on RCM-based Gantry Crane Maintenance Strategy. Southeast University, 2018.
[7] J. Moubray, Reliability-centered Maintenance (2nd Ed.). Oxford: Butterworth-Heinemann, UK, 1997.
[8] I. Afefy, Reliability-Centered Maintenance Methodology and Application: A Case Study. Engineering, Vol. 2(11), 2010, pp. 863-873.
[9] C. Spreafico, D. Russo, and C. Rizzi, A state-of-the-art review of FMEA/FMECA including patents. Computer Science Review, 2017.
[10] B. Larson, J. Hatcliff, K. Fowler, and J. Delange, Illustrating the AADL error modeling annex (v.2) using a simple safety-critical medical device. 2013, 33(3).
[11] I. Scheeren and C. Pereira, Combining Model-Based Systems Engineering, Simulation and Domain Engineering in the Development of Industrial Automation Systems: Industrial Case Study. 2014 IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, Reno, NV, 2014, pp. 40-47.
[12] Y. Hu, R. Wang, X. Wang, and Y. Fu, Review on the development of model-based analysis technology for safety and reliability of complex systems. Journal of Aeronautics, 2019.
[13] P. Feiler, AADL and model-based engineering. ACM, 2014.
[14] CMU/SEI, Architecture Analysis & Design Language (AADL). http://www.aadl.info/ (accessed May 25, 2019).
[15] P. Feiler and D. Gluch, Model-Based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design Language. 2013.
[16] A. Johnsen and K. Lundqvist, Developing Dependable Software-Intensive Systems: AADL vs. EAST-ADL. In Proceedings of 16th

Ada-Europe International Conference on Reliable Software
Technologies. Reliable Software Technologies - Ada-Europe,
Edinburgh UK, 2011.
[17] SAE, SAE-AS5506/1A, Architecture Analysis and Design Language
(AADL) Annex Volume 1: Annex E: Error Model Annex. 2015.
[18] P. Feiler, Model-based validation of safety-critical embedded systems.
In Proceedings of Aerospace Conference. IEEE, 2010.
[19] P. Feiler, Architecture Analysis and Design Language(AADL) Annex
Volume 3: Annex E: Error Model V2 Annex. Number SAE AS5506/3
(Draft) in SAE Aerospace Standard, 2013.
[20] J. Delange, P. Feiler, D. Gluch and J. Hudak, AADL fault modeling
and analysis within an ARP4761 safety assessment. 2014.
[21] Y. Li, L. Nan, and X. Long, Discussion on Reliability Modeling of
Embedded System Based on AADL. Computer Technology and
Development. 2015, pp.234-236.
[22] CMU/SEI, Open Source AADL Tool Environment (OSATE).
http://osate.org/. (accessed May.25.2019).
[23] L. Wu, Y. Yan, F. Gao, X. Chen, and C. Nie, Research on Modeling
and Verification Methods for Embedded Software Systems Based on
SysML. 2019 IEEE 19th International Conference on Software
Quality, Reliability and Security Companion (QRS-C), Sofia, Bulgaria,
2019, pp. 150-157
[24] Q. Luo, RCM-based equipment maintenance decision-making method
and its application research. Zhejiang University of Technology, 2016.
[25] S. Sharvia, S. Kabir, M. Walker, and Y. Papadopoulos. Model-based
dependability analysis: State-of-the-art, challenges, and future outlook.
in Software Quality Assurance: Elsevier, 2016, pp. 251-278.
[26] P. Wang, C. Zhao, and F. Yan, Research on the Reliability Analysis of
the Integrated Modular Avionics System Based on the AADL Error
Model, International Journal of Aerospace Engineering, 2018.
[27] IEC 60812, Analysis techniques for system reliability-Procedure for
failure mode and effects analysis (FMEA). IEC (Intern. Elect.
Commission), 2006.
[28] P. Feiler and others, examples / SafetyTutorial. https://github.com/osate/examples/tree/master/SafetyTutorial (accessed May 25, 2019).
[29] B. Gu, Y. Dong, and X. Wei, A Qualitative Safety Analysis Method for
AADL Model. 2014 IEEE Eighth International Conference on
Software Security and Reliability-Companion, San Francisco, CA,
2014, pp. 213-217.
