SIL2 assessment of an Active/Standby COTS-based Safety-Related system

The need of reducing costs and shortening development time is resulting in a more and more pervasive use of Commercial-Off-The-Shelf components also for the development of Safety-Related systems, which traditionally relied on ad-hoc design. This technology trend exacerbates the inherent difficulty of satisfying - and certifying - the challenging safety requirements imposed by safety certification standards, since the complexity of individual components (and consequently of the overall system) has increased by orders of magnitude. To bridge this gap, this paper proposes an approach to safety certification that is rigorous while also practical. The approach is hybrid, meaning that it effectively combines analytical modeling and field measurements. The techniques are presented and the results validated with respect to an Active/Standby COTS-Based industrial system, namely the Train Management System of Hitachi-Ansaldo STS, which has to satisfy Safety Integrity Level 2 requirements. A modeling phase is first used to identify COTS safety bottlenecks. For these components, a mitigation strategy is proposed, and then validated in an experimental phase that is conducted on the real system. The study demonstrates that with a relatively little effort we are able to configure the target system in such a way that it achieves SIL2.