Redundancy: The Infancy of Autonomous Maintenance

I’m not a Sci-Fi aficionado by any means but there is not a clearer depiction of autonomous maintenance than in the movie “Star Wars: The Phantom Menace.” There’s a specific scene where droid robots scurry onto the wing structure of an aircraft (while in flight) to make necessary and expedient repairs to keep the craft space-worthy. Now, we are still a long way off from this level of autonomous maintenance, but the future of autonomous machines is at our doorstep. To fully leverage the benefits of autonomy for national defense, we need to begin envisioning how to address the concept of “autonomous maintenance.” The quick answer is redundancy.

What is Redundancy?

Redundancy (in the world of engineering) is the design practice of duplicating the sources of a function so that the function remains available in the same quality and quantity required after the failure of one or more identical components. From a practical perspective, redundancy means we can absorb an equipment failure because we have a backup.

The Two Dominant Approaches to Redundancy

There are two dominant approaches to redundancy: “active” redundancy and “passive” redundancy (or standby redundancy), each with its own pros and cons. Additionally, both approaches can be combined in a single system to leverage the pros and mitigate the cons of each respective design philosophy. The benchmark for employing either design in a system or subsystem is that the improvement in maintenance intervals, system reliability, mission reliability, and/or the retention of mission capability should offset the increase in weight and cost of the overall system.

Active redundancy is when you have multiples of the exact same component configured in the same system that are all operating in the same way at the same time. The benefit of active redundancy is that the system can function despite the loss of one or more of the components without a complex or complicated changeover procedure. Additionally, since multiple iterations of the same component are functioning at the same time in the same way, none of the components are required to operate at their maximum rated workload capacity. This can extend the maintenance interval of the system and/or the service life of the components.

Passive redundancy is the application of an identical component only when a like component has failed or has exceeded its useful service life. The benefit of a system engineered with passive redundancy is that a passively redundant system can offer much greater extended maintenance intervals when compared to an actively redundant system. Additionally, passively redundant components do not degrade the inherent system reliability. The gain in maintenance interval is derived from the service life of a passively redundant component starting at the point of failure of the primary operational component. However, there is a fundamental compromise (besides weight and cost) when utilizing passive redundancy in a system. When employing passive redundancy there is an additional system or component needed to accomplish the function of “changeover” from the failed/life exceeded component to the new component. Adding changeover components or a changeover process can add complexity to the overall design of the system and/or system operation. One must be careful when employing passive redundancy so as not to have a negative impact on system reliability, which would negate the benefit of extended service intervals that a passive redundant design can provide.

Figure 1. Example of Passive Redundancy: In this Battery Circuit, the Battery Selector Switch accomplishes the function of “changeover”

Application of Redundancy in Design

Redundancy can be applied in design practice at a system level, just as it can be applied at the subsystem level. Most long-life cycle defense systems feature redundancy by default due to the design specifications required to meet the mission requirements. Examples of system level redundancy include multiple engine propulsion systems, electrical systems with double or triple power generators, and steering systems that feature multi servo or actuator control. If one of the systems loses an iteration of itself (engine, generator, servo) the system may no longer be mission-capable, but it still retains a degraded capability to operate. These long-life cycle systems often include manned crews or maintenance elements to keep these systems operating at full mission capability. As we push larger and larger systems deeper into the spectrum of autonomy (no on-board maintenance capability for extended periods of time), we ask ourselves how to support the maintenance concept of a large-scale autonomous system. We must seriously consider making tradeoffs by creating redundancies at the subsystem level.

Leveraging Redundancy for Maintenance

What current subsystems are prime candidates for redundant components? What form of redundancy should be implemented to extend maintenance intervals? The focus should be on subsystems with fluid paths and/or multiple single point failures. Fluid handling systems within Internal Combustion Engines (ICE) are good examples of such systems. Examples of components that we can make redundant in ICE fluid circuits include:

  • Radiators, Pumps, and Fans in Cooling Systems
  • Pumps, Filters, and Radiators in Lubrication Systems
  • Pumps, Filters, and Coolers in Fueling Systems

Figure 2. Typical Diesel Engine Fluid Circuits

When dealing with fluid-based systems and subcomponents, passive redundancy offers the most advantages to extend maintenance intervals. The first advantage of integrating passive redundancy into these subsystems is that we can have multiple passive fluid circuits which can be efficiently changed over to an operational status as the prior system fluid reaches the end of its useful service life. This extends our maintenance interval. The second advantage is that by increasing the number of redundant fluid circuits, we have a level of mission assurance against component failure. A third advantage is that by removing fluid circuit components from the engine block, we make any applicable preventive or corrective actions (when manned maintenance can occur) much more efficient, as complex tear down is not necessary. Lastly, “on mission” repair or maintenance of one fluid circuit can occur while the redundant circuit is operational. To ensure all the benefits of a passively redundant subsystem are realized, we need to ensure the operation of our “changeover” function is as reliable as possible.

One of our goals with redundancy is to eliminate single point failure, as well as to improve mission reliability. When we employ a passively redundant system, the “changeover” function becomes the focus of single point failure. In fluid-based subsystems, changeover occurs with the energizing/de-energizing of pumps and with the physical switching of valves to open and close the fluid circuits. Electrical energizing and de-energizing of pumps can be handled by high reliability reed relays. The opening and closing of fluid valves will require a more physical approach though. To reliably open and close valves we can employ active redundancy. An actively redundant valve control setup would involve configuring multiple actuators in a push-pull or dual rotating gear setup linked in mechanical fashion to the valve stem. Refer to Figures 3, 4, and 5 for examples of redundancy.

Figure 3. Redundant Cooling Circuit
Figure 4. Redundant Lubrication Circuit
Figure 5. Redundant Fuel Circuit
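
The dependence of a passively redundant circuit on its changeover function can be put in numbers. The following is an added example, not part of the original article: it assumes a constant failure rate per circuit, a spare that does not fail while idle, independent actuators, and the same failure rate in both configurations; the function names and all numeric values are constructed for illustration.

```python
import math

def single(rate, hours):
    """Reliability of one fluid circuit (assumed constant failure rate)."""
    return math.exp(-rate * hours)

def active_pair(rate, hours):
    """Two identical circuits running together; either one alone suffices."""
    return 1.0 - (1.0 - single(rate, hours)) ** 2

def standby_pair(rate, hours, p_changeover):
    """Primary plus one idle spare; the spare only helps if changeover works."""
    x = rate * hours
    return math.exp(-x) * (1.0 + p_changeover * x)

def actuator_team(p_actuator, count):
    """Changeover succeeds if at least one of `count` linked actuators works."""
    return 1.0 - (1.0 - p_actuator) ** count

def breakeven_changeover(rate, hours):
    """Changeover reliability below which the standby pair loses to the active pair."""
    x = rate * hours
    return (1.0 - math.exp(-x)) / x

if __name__ == "__main__":
    RATE, HOURS = 1e-3, 500.0   # constructed: failures per hour, mission length
    P_ACTUATOR = 0.75           # constructed: one valve actuator, per demand

    print(f"single circuit            {single(RATE, HOURS):.4f}")
    print(f"active pair               {active_pair(RATE, HOURS):.4f}")
    print(f"break-even changeover     {breakeven_changeover(RATE, HOURS):.4f}")
    for n in (1, 2, 3):
        p = actuator_team(P_ACTUATOR, n)
        r = standby_pair(RATE, HOURS, p)
        print(f"standby pair, {n} actuator(s) changeover={p:.4f} system={r:.4f}")
```

With these values a single actuator leaves the standby pair below the active pair, while two linked actuators lift the changeover reliability past the break-even point.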

Active redundancy is a great design practice for adding redundancy to control systems. It needs no changeover function if one component in the “team” fails and allows for each component in the “team” to operate at a lower than maximum rated workload capacity. ICE fluid-based subsystems now feature elements of active and passive redundant design. The new subsystem design extends the maintenance interval with multiple fluid circuits and increases the reliability of the overall system with redundant components. Issues associated with weight gain and cost growth are minimal compared to enhanced mission capability.

Conclusion

To push the limits of autonomous design, redundancy is a good starting point for maximizing autonomy. Redundancy will require modifications to current system designs and tradeoffs but should return enhanced autonomous mission capability. Until we can build a drone fleet for our maintenance and repair needs, we should embrace redundancy. To maintain military superiority, we need to keep the conversation going to explore what effective maintenance is in an autonomous environment.

Article Authored by Zach Pusnik