Archives

# Following the relationship model adopted in this work to

Following [20], [22], the relationship model adopted in this RHC 80267 work to estimate the time to failure is the Inverse Power Law (IPL): Where L is the SUT life characteristic (e.g. the mean time to failure), s represents the stress level, while k and w are model-related parameters to be defined from the observed experiments. The particularity of IPL is that scaling s by constant k causes the proportionate scaling of L. A linear relationship exists when both L and s are on a log-log scale: .
Clearly, experiments results have a certain variability which needs to be considered. This means that a standard IPL is not enough. Therefore, the IPL is usually integrated with a specific pdf that allows a definition of confidence intervals. The idea is to make the pdf mean time to failure parameters dependent on the stress variable. In this work, a IPL-Weibull distribution is used. This choice seems reasonable as Weibull, unlike Exponential distribution, has a non-constant Hazard function, which is appropriate in case of experimental evaluations as systems get old. The two-parameters Weibull is used, having the following pdf and CDF: where β is the shape parameter, i.e., the slope the Weibull CDF; and η is the scale parameter (or characteristic life). In terms of reliability, f(t) represents the failure rate function, while represents the system availability. The ratio is the Hazard function, i.e., the instantaneous failure rate as function of age. β governs the trend of λ(t) which can increase (β > 1) or decrease (0 < β < 1).
A common approach is to evaluate β and η parameters using a Maximum-Likelihood Estimation (MLE), which generates those numbers from the observed failure data set. The scale parameter, e.g., is calculated for n observations as where T is the observation time and r represents the number of failures.
The IPL-Weibull is derived by setting in the Weibull pdf defined before, yielding:So, using (1), the mean life of the systems in its use condition can be evaluated: .
Once defined the approach and the pdf distribution to use, the workload and the stress schemes need to be characterized.

Conclusions
This paper presented a SIL2 assessment strategy conducted on a commercial SRS. Differently from most of the existing literature (which does not refer to real industry applications), we contribute a methodological framework that can be used in practice as a reference for certifying a wide class of emerging critical systems, virtually any system for which: (i) the general architecture has already been designed, (ii) business constraints impose that (radical) changes to the architecture be avoided, and (iii) the main COTS components that must be integrated have already been chosen. We demonstrate, with respect to a real industrial system (namely: the train management system by Hitachi Ansaldo STS), that gametes is possible to achieve SIL2 via proper configuration of system parameters and set-up of rejuvenation procedures. The system is designed as an Active/Standby cluster based on COTS components. A hybrid approach – i.e. based on a combination of modeling and experiments – was taken to estimate the reliability figures of interest. In a first phase, by means formal model checking, it was proven that the original configuration of the cluster, used on-field by Ansaldo, was not compliant to SIL2 requirements. Then, based on the results of the modeling analysis, a set of mitigation strategies was proposed, to improve the safety of the system and ultimately make it SIL2-compliant. The strategies mainly rely on software rejuvenation, which was proven to provide the best compromise in terms of trade-offs between costs and reliability improvement. Finally, the effectiveness of the proposed rejuvenation strategy – as well as of other modeling predictions – was validated by means of an experimental campaign, performed on a real ASTS test-bed.