
4th IEEE Conference on Automation Science and Engineering

Key Bridge Marriott, Washington DC, USA


August 23-26, 2008

Reliability Evaluation of Reconfigurable Conveyor Systems


Saju A. Kuruvilla, Swapna S. Gokhale, and Shivakumar Sastry

Abstract— Conveyor systems are critical in automation applications such as material handling and packaging. Networked embedded devices, such as tiny microcontrollers that are integrated with sensors, actuators and low power radio transceivers, significantly impact the design of future such systems by offering flexible topologies, reduced wiring costs and distributed controllers. Because the application domains of such systems are critical, these systems are expected to have high reliabilities. As a result, to exploit the benefits offered by the emerging technologies, a study of the reliability of such systems that are regulated by an integrated, embedded, distributed collection of microcontrollers is important.

We present a model-based approach to evaluate the reliability of composable conveyor systems based on the fault tree modeling paradigm. We illustrate how the methodology provides valuable guidance to navigate the design space of these systems using several examples. Our results indicate that while using redundant sensors has little effect on system-level reliability, wireless link reliability has a significant impact. In the future, a similar methodology can be developed to evaluate the reliability of composable automation systems in which stations operate on entities moving over a conveyor system.

I. INTRODUCTION

Emerging device-level technologies, such as microcontrollers, sensors, actuators, and low power wireless radio transceivers [1], are poised to alter the landscape of future automation systems. The integration of such technologies into automation systems affords finer grain control, reconfigurable topologies, improved diagnostics, and reduced system lifecycle costs. The Coupled Conveyors scheme is an example of how emerging technologies can be used to achieve reconfigurable conveyor systems [2]. Because such reconfigurable systems represent a significant departure from the current state-of-practice in a critical application domain, gaining insights into factors that impact the reliability of such systems is an important problem.

Existing automation systems are organized hierarchically with multiple layers of supervisory controllers [3]. Often, the controllers in such systems regulate the behavior of a specific subsystem in the hierarchy and do not exchange control information to coordinate actions across different levels of the hierarchy. Such hierarchical systems are brittle and do not adequately leverage recent advances in distributed systems and fault management. However, existing automation systems are reliable, safe and predictable. The adoption of new and emerging technologies into automation systems poses significant risk because of the potential impact on our economies and societies. Consequently, it is necessary to incorporate emerging technologies into subsystems of existing systems and validate these technologies in rigorous operational conditions. To enable such adoption, it is necessary to assure designers that the reliability of the integrated system will not be severely compromised. For these reasons, a study of the reliability of systems that rely on emerging technologies is urgently needed.

Reliability, performability and survivability evaluation of large-scale composable systems is a challenging and interesting problem. We present a model-based approach to analyze the reliability of reconfigurable conveyor systems. Using the well-known fault tree modeling paradigm, we propose a method to evaluate structural and operational reliability of these systems. The paper applies well-established modeling tools and techniques, which have been proven to be enormously successful in the evaluation of many engineered systems [4], to the problem of assessing reconfigurable conveyor systems. We illustrate the potential of our approach to steer the design of such systems through several examples. These results provide a key insight that the wireless link reliability has a more significant impact on system reliability than the reliability of sensor and actuator devices.

The remainder of this paper is organized as follows. Section II briefly outlines the Coupled Conveyors scheme. Section III defines the metrics to evaluate the reliability of conveyor systems. Following a description of the analysis methodology in Section IV, we discuss how we estimated the parameters to illustrate the methodology in Section V. Section VI presents the results with an illustrative example and Section VII presents our conclusions and next steps.

II. OVERVIEW OF COUPLED CONVEYORS

The Coupled Conveyors scheme is based on three kinds of units, referred to as Segment, Turnaround and Crossover, that are shown in Figure 1. Each unit has a fixed number of sensors and actuators. Figure 1a shows a Segment; u is the upstream sensor, d is the downstream sensor, and a is the actuator that moves the belt of the Segment. The sensors and actuators in each unit are wired to a local microcontroller that is integrated with a low power radio transceiver. These microcontrollers interact in a peer-to-peer manner to achieve system-level objectives [2].

A specific composition of instances of the above kinds of units is a conveyor system. Figure 2 shows example conveyor systems obtained by composition. Figure 2a shows a simple conveyor system (SCS) with four paths along which entities may move. Figure 2b shows another example that can be used for materials inspection; this system is used in our illustrations.

The conveyor systems we consider move entities that arrive at one or more input ports to the output ports. There are two overlaid networks in each system. The network of electromechanical components comprising the sensors, actuators,

belts, and fixtures form the paths along which entities move in the system. The electronic network comprises the microcontrollers and their integrated wireless radio transceivers. In the SCS system shown in Figure 2a, when an entity arrives at the downstream end of S1, the microcontroller in Segment S1, µS1, sends a message to the microcontroller in Turnaround T1, µT1; µT1 receives the message, ensures that no safety or operational conditions are violated, and actuates its local belt to move the entity along the path. Thus, both networks must operate reliably to enable operation of the conveyor system.

There are two classes of messages exchanged on the electronic network — ControlMessages and StatusMessages. The microcontrollers exchange ControlMessages to regulate the movement of entities along the paths of the electromechanical network and exchange StatusMessages over the multihop wireless network with one or more monitoring stations. For example, in Figure 2b, the low power of the transceivers and their dense deployment warrant the multihop transmission [1]. There are three monitoring stations, namely H1, H2, and H3.

978-1-4244-2023-0/08/$25.00 ©2008 IEEE.

[Figure 1: (a) Segment, with upstream sensor u, downstream sensor d and actuator a; (b) Turnaround, with Ports A, B, C, D, sensors uA, uB, dC, dD and actuator a; (c) Crossover, with Segment 1, Segment 2 and e1, e2.]
Fig. 1: Reconfigurable conveyors are composed using instances of the three kinds of units shown in this figure.

[Figure 2: (a) Simple Conveyor: Segments S1 to S6 and Turnaround T1 between input ports I1, I2 and output ports O1, O2; (b) Inspection Station: Segments S1 to S18, Turnarounds T1 to T4, Crossover C1, a Manual Inspection station, ports I1, I2, O1, O2 and monitoring stations H1, H2, H3.]
Fig. 2: Conveyor Systems are obtained by composing instances of units shown in Figure 1.

III. RELIABILITY METRICS

The following metrics capture the desired system behaviors under various operational scenarios. Not all the metrics may be pertinent to every conveyor system.

We consider structural reliability, operational reliability, and the monitoring reliability of the reconfigurable conveyor systems. The structural reliability is the reliability of an instance of a unit shown in Figure 1. The operational reliability is represented by one of the following three metrics.

1) Minimally Reliable: A conveyor system is minimally reliable if there is at least one operational path between some input port and some output port. This metric is useful when the input/output ports are identical, i.e., the system objective is achieved if any entity is moved from some input port to any output port. When all the conveyor system units between an input port and an output port are properly functioning, we refer to this path as an operational path.

2) Minimally Performing: A conveyor system is minimally performing if there are at least k operational paths¹. Each such path begins in some input port and ends at some output port. This metric is also useful when the input/output ports are identical.

¹ We use a fixed pre-determined value for k as a threshold.
3) Minimally Delivering: The input/output ports are not identical in many applications. For example, in Figure 2a, the specification may require that small entities be delivered at port O1 and large entities at port O2. Similarly, small entities may arrive at port I1 and large entities may arrive either at port I1 or port I2. A conveyor system is minimally delivering if there is at least one operational path between each input port and every output port.

There are other variations of the minimally delivering metric. For example, the input/output ports may be clustered into classes and the system can be defined to be minimally delivering if there are operational paths between some input port and some output port for a given class. Alternatively, this metric may incorporate a notion of performance and require a minimum number of operational paths between specific input and output ports.

The conveyor system units use low power transceivers. StatusMessages from each unit must travel over multihop routes to one or more monitoring stations. The monitoring reliability represents the reliability with which the conveyor system can be monitored from a given monitoring station. Essentially, this metric reflects the reliability of the wireless links involved in the multihop routes.

IV. ANALYSIS METHODOLOGY

Fault trees are a natural choice to capture a sequence of failures that result in a system failure. We therefore used fault trees as the primary modeling paradigm; our models capture failure events at the level of sensor and actuator devices in each unit. Because the behaviors of the conveyor system units are pre-programmed, it was not necessary to capture the software failures. The fault trees are solved using the decomposition algorithms in the SHARPE software package [5].

This section describes how we construct fault tree models to evaluate the metrics described in the preceding section.

A. Structural Reliability

For each kind of unit, namely Segment, Turnaround or Crossover, we captured the impact of device level reliabilities on the reliability of the unit. For example, the fault tree for a Segment (Figure 1a) comprises an OR gate with the failure events that correspond to the two sensors and an actuator as inputs to the gate. This model captures the fact that a Segment will fail if any of its sensors or its actuator fail. The models for the Turnaround and Crossover units are similar and hence not reported here.

B. Operational Reliability

We designed fault trees that capture the relationships between device and path failures. These fault trees aggregate path failures to evaluate the three system-level metrics for operational reliability. Each path in the conveyor system is operational only when the electromechanical network comprising the units and the wireless links, over which ControlMessages are exchanged, are functional. This is fundamentally different from models for communication systems' reliability, where the nodes are assumed to be perfectly reliable [6]. Our model for operational paths integrates both electromechanical and electronics failures into a single framework.

[Figure 3: top event SCS, an AND gate over the four paths I1-O1, I1-O2, I2-O1 and I2-O2; each path is an OR gate over its Segments (e.g., S1, S4, S6), wireless links (e.g., S1-T1, T1-S4, S4-S6) and Turnaround devices (T1.uA, T1.uB, T1.uC, T1.ac, T1.df).]
Fig. 3: Fault Tree for Minimally Reliable Metric

The reliability metrics guide the structure of the fault tree. Figure 3 depicts the fault tree for the minimally reliable metric. The OR gate corresponding to the path I1 − O2 depicts that this path will fail if Segments S1, S4, S6, wireless links S1 − T1, T1 − S4, S4 − S6, the upstream sensor T1.uA, the downstream sensor T1.uC, and actuator T1.ac or the deflection actuator T1.df fail. The AND gate combines the failures of all the paths to provide a value for the unreliability of paths between all input-output pairs; i.e., the system fails if the paths I1 − O1, I2 − O2, I2 − O1 and I1 − O2 fail. The complement of this unreliability provides a value for the minimally reliable metric.

It is important to note that while a Segment unit is represented as an atomic unit in the fault tree, a Turnaround unit must be disaggregated to the level of its sensors and actuators. Such disaggregation is necessary because not all device failures impact every path through a turnaround. For example, referring to Figure 2a, the upstream sensor T1.uB, downstream sensor T1.uC and the deflection actuator, T1.df, of T1 do not have any impact on an entity moving along the path I1, S1, T1, S2, and O2.

The minimally performing metric can be computed using a fault tree similar to the one shown in Figure 3. The AND gate must be replaced by a k-of-n gate, where n is the total number of paths in the system and k is the minimum, or the threshold, number of paths that must be operational. For the SCS system, n = 4 and k = 2 or 3. As in the case of the minimally reliable metric, the value provided by the AND gate must be complemented to determine the minimally performing metric.

The minimally delivering metric is computed using a three-level fault tree in which the leaf nodes represent the unreliability of the paths, the intermediate nodes represent the unreliability of at least one path between each input-output pair of ports, and the nodes at the highest level represent the system-level unreliability. The complement of this unreliability value yields the minimally delivering metric. Note that in Figure 2a, there is only one path between any input-output pair of ports. However, multiple paths between a pair of ports can be seen in Figure 2b.

C. Monitoring Reliability

Finally, the monitoring reliability is obtained using a multi-level fault tree that reflects the multihop network structure between every unit and a monitoring station.

TABLE I: Sensor and Actuator Failure Rates (per week)

Device                                      | Optimistic Scenario | Pessimistic Scenario
Upstream or Downstream Sensor               | 0.0035              | 0.0105
Segment, Crossover, or Turnaround Actuator  | 0.001543            | 0.004629
Deflection Actuator                         | 0.00722             | 0.02167
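As an added example (not the authors' Java tool or SHARPE), the following Python evaluates the three operational metrics of Section III for the SCS of Figure 2a from its fault tree, using the Table I rates. The wireless link rate, the exponential lifetime model and the composition of the three paths other than I1-O2 are assumptions, marked as such in the comments.

```python
import math
from itertools import product

# Failure rates per week (Table I). The wireless link rate is an assumption:
# the paper tabulates none for ControlMessage links, so the smallest of the
# three monitoring-link rates of Figure 9 is reused here.
RATES = {
    "optimistic": {"sensor": 0.0035, "actuator": 0.001543,
                   "deflection": 0.00722, "link": 0.002},
    "pessimistic": {"sensor": 0.0105, "actuator": 0.004629,
                    "deflection": 0.02167, "link": 0.002},
}

def kind(component):
    """Table I row: '-' marks a wireless link, df the deflector, a/ac actuators."""
    if "-" in component:
        return "link"
    suffix = component.split(".", 1)[1]
    return {"df": "deflection", "a": "actuator", "ac": "actuator"}.get(suffix, "sensor")

def unreliability(component, scenario, t_weeks):
    """Failure probability by week t. A constant per-week rate is taken to
    mean an exponential lifetime (assumed; the paper does not state it)."""
    return 1.0 - math.exp(-RATES[scenario][kind(component)] * t_weeks)

def segment(name):
    """Structural model of a Segment (Section IV-A): OR over u, d and a."""
    return {f"{name}.u", f"{name}.d", f"{name}.a"}

# Paths as sets of basic events keyed by (input, output) port. I1-O2 is the
# path the paper spells out for Figure 3; the other three are reconstructed
# from the Figure 2a layout and are assumptions (the text does not say which
# T1 sensors, or whether the deflector, each of them needs).
SCS_PATHS = {
    ("I1", "O1"): segment("S1") | segment("S2")
    | {"S1-T1", "T1-S2", "T1.uA", "T1.dD", "T1.ac"},
    ("I1", "O2"): segment("S1") | segment("S4") | segment("S6")
    | {"S1-T1", "T1-S4", "S4-S6", "T1.uA", "T1.uC", "T1.ac", "T1.df"},
    ("I2", "O1"): segment("S5") | segment("S3") | segment("S2")
    | {"S5-S3", "S3-T1", "T1-S2", "T1.uB", "T1.dD", "T1.ac", "T1.df"},
    ("I2", "O2"): segment("S5") | segment("S3") | segment("S4") | segment("S6")
    | {"S5-S3", "S3-T1", "T1-S4", "S4-S6", "T1.uB", "T1.uC", "T1.ac"},
}

def path_status_distribution(paths, q):
    """Exact distribution over the set of operational paths. Paths share basic
    events (S1 serves both I1 paths, T1.ac all four), so gate outputs cannot
    simply be multiplied; events with identical path membership are in series
    for the same paths and collapse into one group (6 groups, 64 states here)."""
    ids = list(paths)
    groups = {}  # frozenset(path ids) -> probability that the whole group works
    for comp in set().union(*paths.values()):
        member = frozenset(i for i in ids if comp in paths[i])
        groups[member] = groups.get(member, 1.0) * (1.0 - q[comp])
    dist = {}
    for state in product((True, False), repeat=len(groups)):
        prob, down = 1.0, set()
        for working, (member, ok) in zip(state, groups.items()):
            prob *= ok if working else 1.0 - ok
            down |= set() if working else member
        up = frozenset(i for i in ids if i not in down)
        dist[up] = dist.get(up, 0.0) + prob
    return dist

def metrics(paths, q, k):
    """Section III metrics, each the complement of its top gate's failure
    probability: AND over all paths, k-of-n over paths, and the three-level
    tree requiring at least one path per (input, output) pair."""
    dist = path_status_distribution(paths, q).items()
    pairs = {key[:2] for key in paths}
    return {
        "minimally_reliable": sum(p for up, p in dist if up),
        "minimally_performing": sum(p for up, p in dist if len(up) >= k),
        "minimally_delivering": sum(p for up, p in dist if all(
            any(i[:2] == pair for i in up) for pair in pairs)),
    }

def scs_metrics(scenario, t_weeks, k=2):
    """Evaluate the SCS in one Table I scenario at week t (paper: k = 2 or 3)."""
    q = {c: unreliability(c, scenario, t_weeks) for c in set().union(*SCS_PATHS.values())}
    return metrics(SCS_PATHS, q, k)
```

Because each (input, output) pair of the SCS has exactly one path, the minimally delivering value is the probability that all four paths are up, which is why it is never above the minimally performing or minimally reliable value.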
V. PARAMETER ESTIMATION

To estimate the failure rates of the sensor and actuator devices used in the units, we used the distribution of fault reasons that lead to production breakdown reported in [7] as a starting point. This paper reported a total of 539 fault incidents distributed over 19 categories in a typical automation environment.

Drawing from our plant-floor experience, we consider optimistic and pessimistic scenarios for the spread of these fault incidents over time. For the optimistic scenario we assumed that the 539 incidents occurred over a three week period, i.e., over 45 8-hour shifts at a rate of 12 incidents per shift. For the pessimistic scenario, we assumed that these 539 incidents occurred over the period of one week at a rate of 35 incidents per shift. To make our estimates conservative, and because this data was not reported in the paper, we assumed that these fault incidents occur in a typical automation environment, such as automotive assembly, that may use about 60,000 sensors and actuators in roughly 50 independently-working automation systems.

We narrowed the 539 fault incidents to the conveyor systems' context. There is neither programmed software nor a centralized PLC in the conveyor systems we consider. Furthermore, there are no mechanic-induced faults and, because the conveyors move entities automatically, there is little or no misuse; hence, we ignore the failures classified into these four categories. Failures of the sensors/operating buttons and cables and conductor rails, electric power failure, loose parts and dirt, and lights and indicators failures cause the upstream and downstream sensors to fail. A total of 147 failures were of this type, resulting in overall sensor failure rates of 147 failures/week and 49 failures/week in the pessimistic and optimistic scenarios, respectively.

Failures of conveyors, roll tables, carriers, fuses, thermal relays, motors, brakes, inverters, lubrication system, lights and indicators contribute to the failure of the actuators in the building blocks. A total of 25 failures were reported in these categories. We assume that 10% of the total actuators are deflection actuators whereas the remaining 90% are Segment/Crossover actuators. Thus, we allocate 10% of the 25 failures (3 failures) to deflection actuators and 90% (22 failures) to the Segment actuators. Finally, we assumed that the deflection actuator is a pneumatic device. Because 13 failures were reported for pneumatic devices, the resulting total number of failures for the deflection actuators is 16. Thus, the optimistic and pessimistic failure rates of Segment actuators are 7 failures/week and 22 failures/week respectively, while the optimistic and pessimistic failure rates of the deflection actuators are 5 failures/week and 16 failures/week respectively. Finally, to scale the data to the conveyor systems context, instead of the general automation environment, we assumed a population of 20,000 devices comprised of 14,000 sensors and 6,000 actuators. 600 of the actuators were assumed to be deflection actuators for the turnarounds. The failure rates for the sensors and the actuators used in this study based on the preceding discussion are shown in Table I².

² This data is realistic and representative. Our method does not depend on the actual values of these failure rates.

VI. RESULTS AND DISCUSSION

We now illustrate the reliability evaluation method using several illustrative examples focused on a simple conveyor system. We have developed a Java-based tool to automatically extract the fault tree models for the different reliability metrics for any arbitrary conveyor system topologies. Extensive results from this study are reported in [8].

A. Structural Reliability

Figure 4 shows the reliability of a Segment, Turnaround and Crossover in the optimistic and pessimistic scenarios. As expected, the Segment is more reliable than the Turnaround both in the optimistic and pessimistic cases. Because the Crossover is comprised of two Segments and additional devices, its reliability is worse than that of the Turnaround in both the scenarios.

The structural reliability helps to improve the design of the units. For example, Figure 5 shows the reliability of a Segment in the optimistic and pessimistic scenarios for two designs. The first design uses a single upstream and a single downstream sensor. The second design uses three redundant sensors at either end and requires two of these to report the same value. Contrary to expectation, we notice that the use of redundant sensors does not significantly improve the reliability of the Segment in both scenarios. We believe that this is because the reliability of a sensor is sufficiently high in both the optimistic and pessimistic scenarios.
[Figure 4: reliability vs. time (0 to 200) for the optimistic and pessimistic scenarios of the Segment, Turnaround and Crossover.]
Fig. 4: Reliability of Segment, Crossover and Turnaround. The Segment unit is most reliable because of its simplicity both in the optimistic and the pessimistic scenarios.

[Figure 5: reliability vs. time (0 to 600) for the Segment in the optimistic and pessimistic scenarios, with and without 2/3 sensors.]
Fig. 5: The addition of redundant sensors (2/3) does not significantly improve the reliability of the Segment unit.

[Figure 6: reliability vs. time (1 to 10) in the optimistic and pessimistic scenarios, with and without disaggregation.]
Fig. 6: Disaggregation is important to get accurate reliability estimates. The reliability is overestimated in the optimistic scenario and underestimated in the pessimistic scenario, without disaggregation.

[Figure 7: reliability vs. time (0 to 100) for the Minimally Reliable and Minimally Delivering metrics in the optimistic and pessimistic scenarios.]
Fig. 7: Minimally Reliable vs. Minimally Delivering. The minimally delivering metric provides a conservative snapshot of the system. This metric is useful for critical applications such as drug delivery or order filling systems.

B. Operational Reliability

Next, we illustrate the importance of disaggregation of the turnaround by computing the minimal reliability with and without disaggregation. Figure 6 indicates that without turnaround disaggregation, in the optimistic scenario, the minimal reliability is overestimated and in the pessimistic scenario, the reliability is underestimated. Without disaggregation, the reliability estimates are misleading because the overestimation of reliability is likely to minimize engineering investments while the underestimation will force needless investments. Similar differences were observed for other topologies and metrics [8].

We now illustrate the importance of a careful choice of metrics to evaluate a system and to guide its design. Figure 7 shows that there is a considerable difference in the reliability of the SCS system when it is minimally reliable and when it is minimally delivering, with the values of the minimally reliable metric higher than the minimally delivering metric. The minimally delivering metric decidedly provides a conservative snapshot of the system by differentiating between input and output ports. Such a conservative snapshot may force system designers to over-provision the system. To avoid such over-provisioning, our results strongly suggest that one must not use the minimally delivering metric unless the corresponding system behavior is critical for the application. For example, the minimally delivering metric is critical for a drug delivery or an order filling automation system.
C. Monitoring Reliability

A monitoring tree is a network of wireless links that relay StatusMessages from each building block to a monitoring station. Assuming that a single monitoring station is used to monitor SCS, and that this station is located to receive signals only from µT1, Figure 8 shows a monitoring tree for SCS. µX represents the microcontroller that regulates building block X and the edges that connect nodes represent operational wireless links.

Figure 9 shows the monitoring reliability of the SCS system. Because the wireless loss rates depend on the media access protocol used, and the operational environment, we selected three failure rates that are roughly an order of magnitude away from each other. Our experiments with low power transceivers show that loss rates of 10% to 15% are typical in a lab environment. The low reliability of wireless links directly impacts the monitoring reliability.

[Figure 8: tree rooted at the monitoring station MS, with µT1 below it and the nodes µS1, µS2, µI1, µO1, µS3, µS4, µS5, µS6, µI2, µO2 beneath.]
Fig. 8: Monitoring Tree for SCS. The structure of the tree depends on the location of the monitoring station.

[Figure 9: reliability vs. time (0 to 1000) for link failure rates 0.002, 0.01 and 0.3.]
Fig. 9: Monitoring Reliability of SCS. The low reliability of the wireless links significantly impacts the monitoring reliability.

VII. CONCLUSIONS AND FUTURE RESEARCH

We presented an approach based on the fault tree modeling paradigm to evaluate the reliability of reconfigurable conveyor systems. We illustrated how our approach provides insights into the structural, operational and monitoring reliability of these systems. Our results indicate: (i) reliabilities of wireless links have a more significant impact on system reliability than the reliabilities of sensors and actuators, and (ii) device-level disaggregation is necessary to get accurate reliability estimates for these systems.

In the future, we propose to extend this method to model the dynamic aspects of conveyor systems including entity pileups caused by collisions and failures. We expect that Markov models and simulation-based techniques will be necessary to evaluate such dynamic behavior. Furthermore, we seek to apply these techniques to a variety of existing and future systems by incorporating observed failure rates for the devices instead of estimated failure rates.

ACKNOWLEDGMENTS

This work is supported in part by the National Science Foundation under grant CNS-0720736 and by the Wright Center for Sensor Systems Engineering. The opinions expressed are those of the authors and do not represent those of the National Science Foundation.

REFERENCES

[1] J. Hill, M. Horton, R. Kling, and L. Krishnamurthy, "The platforms enabling wireless sensor networks," Communications of the ACM, vol. 47, no. 6, pp. 41–46, June 2004.
[2] N. Hayslip, S. Sastry, and J. Gerhardt, "Networked embedded automation," Assembly Automation, vol. 26, no. 3, pp. 235–241, 2006.
[3] J. Agre, L. Clare, and S. Sastry, "A taxonomy for distributed real-time control systems," in Advances in Computers, vol. 49. Elsevier Science, 1999, pp. 303–352.
[4] K. S. Trivedi, Probability and Statistics with Reliability, Queuing and Computer Science Applications. John Wiley, 2001.
[5] R. Sahner, K. Trivedi, and A. Puliafito, Performance and Reliability Analysis of Computer Systems. Kluwer Academic Publishers, 1996.
[6] C. J. Colbourn, The Combinatorics of Network Reliability. Oxford University Press, 1987.
[7] V. Salminen and A. Verho, "Multidisciplinary problems in mechatronics and some solutions," Computers in Electrical Engineering, vol. 18, no. 1, pp. 1–9, 1992.
[8] S. Kuruvilla, "Reliability of composable conveyor systems," Master's thesis, The University of Akron, Department of Electrical and Computer Engineering, 2007.