Using COTS Components in Safety-Critical Systems

Risk is a broadranging and multidimensional topic, including both management risks and technical risks. Management risks for COTS are well known, such as loss of market control, rapid obsolescence, and the shift from a buyer’s market to a seller’s market. Technical risk factors are less well understood. These factors include interoperability and performance issues as well as safety. This paper concentrates on risks related to safety, where safety is defined broadly as related to a significant loss (accident) involving human life or health, environmental damage, money, or system mission. The risk becomes a safety issue when the loss is significant enough that it becomes necessary or worthwhile to devote resources to reducing the risk. One of the major drivers for using COTS software is to save money. Much, if not all, of the savings, however, may be offset by the activities needed to ensure an acceptable level of risk. This assurance might involve additional testing or analysis procedures. In some highly critical systems, COTS may raise the cost of certification or ensuring safety to the point where the use of COTS products is no longer feasible or cost-effective; any potential savings are eliminated by additional assurance costs. Before any conclusions can be reached about the cost of achieving acceptable safety risk using products or components involving COTS software, we need to define what is meant by safety and the type of accidents being considered, the process required to achieve acceptable risk for those accident types, and the potential