Dealing adequately with technical uncertainties

IEC 61508 vs. ISO 13849

The concept of IEC 61508 appears coherent and plausible at a quick glance, and this impression holds up on closer inspection. ISO 13849, however, is considerably less clear and raises questions. The SFF and HFT requirements of IEC 61508 are intuitive: these parameters do not contribute to PFH directly, but they are additional architectural constraints, in the sense that safety is not based on reliability calculations alone.

Depending on the system design, PFH values can depend strongly on the failure detection time. While failure detection time is not covered explicitly in IEC 61508, it is addressed implicitly by the PFH requirement itself, which can be met, among other means, by short failure detection times. This is just one example of IEC 61508 being rather liberal with respect to system design.

In contrast, ISO 13849 covers (only) three dedicated system configurations and provides specific requirements for the individual channels rather than for the entire system. PFH is finally calculated by taking into account DCavg and the system architecture.
Failure detection time, in particular, is handled in such a coarse manner that it turns out to be inefficient for safe system design. This last statement is just one example of ISO 13849 (in contrast to IEC 61508) offering only a narrow perspective to the system designer.

The following example demonstrates the relatively small influence of DCavg and system design on PFH:
The reason for a factor of only 8 is that the ISO 13849 category requirements are worded in a "soft" manner: Cat. 3 systems need not be thoroughly fault tolerant; Cat. 3 systems shall be "almost" fault tolerant "whenever possible and feasible". This wording is an enormous concession to system design cost, to the disadvantage of safety.

Here's another example:
Since category 4 systems must be 100% fault tolerant, there must be a different reason for a factor of only 40: common cause failures. As with category 3 fault tolerance, the requirements for category 4 (and, by the way, category 3) common cause failures are again soft. ISO 13849 provides a simple checklist with common-cause-specific questions. With a score of at least 65 of 100 points, measures against common cause failures are considered sufficient. It is interesting that this checklist addresses the development process rather than the safety-related product itself.
A more quantitative explanation for the factor of only 40 is the so-called beta factor. ISO 13849 assumes beta = 2%, which means that for redundant systems, 2% of the failure rate of each channel is considered to be common cause failures.
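The following worked example is added here and is not part of the original article or of either standard's calculation procedure. It uses a simplified textbook beta-factor model (an assumption) to show two things the text argues: why a beta of 2% caps the gain a redundant architecture can achieve over a single channel at roughly 1/beta, and why the failure detection time, which ISO 13849 handles only coarsely, still dominates the independent-failure contribution. The MTTFd-to-failure-rate conversion reproduces the 3 years = 38 fpmh and 100 years = 1.14 fpmh figures quoted further down.

```python
# Added example (not from the original article): simplified beta-factor
# model for a fault-tolerant two-channel (1oo2) safety function.
# The formulas are textbook approximations (assumption), not the
# calculation procedure of ISO 13849 or IEC 61508.

HOURS_PER_YEAR = 8760.0


def mttfd_years_to_fpmh(mttfd_years: float) -> float:
    """Convert MTTFd in years to a dangerous failure rate in failures per 10^6 hours."""
    return 1e6 / (mttfd_years * HOURS_PER_YEAR)


def clamp_mttfd_iso13849(mttfd_years: float) -> float:
    """Apply the per-channel MTTFd range stated in the article (3 ... 100 years)."""
    return min(max(mttfd_years, 3.0), 100.0)


def split_common_cause(lambda_per_hour: float, beta: float = 0.02):
    """Split a channel failure rate into its common-cause and independent parts."""
    return beta * lambda_per_hour, (1.0 - beta) * lambda_per_hour


def redundant_pfh(lambda_per_hour: float, detection_time_h: float, beta: float = 0.02) -> float:
    """Approximate dangerous failure rate of a 1oo2 system (assumed model).

    Two contributions:
      - common-cause failures hit both channels at once: beta * lambda
      - independent failures of both channels: the first channel fails
        (rate 2 * lambda_ind) and the second one fails before the first
        failure is detected and repaired (probability ~ lambda_ind * T_detect).
    """
    ccf, ind = split_common_cause(lambda_per_hour, beta)
    return ccf + 2.0 * ind * ind * detection_time_h


def redundancy_gain(lambda_per_hour: float, detection_time_h: float, beta: float = 0.02) -> float:
    """Factor by which the redundant system improves on a single channel."""
    return lambda_per_hour / redundant_pfh(lambda_per_hour, detection_time_h, beta)


if __name__ == "__main__":
    lam = 10e-6  # constructed sample: 10 fpmh per channel (MTTFd of about 11.4 years)
    for t in (1.0, 24.0, HOURS_PER_YEAR):
        print(f"detection time {t:>6.0f} h: PFH {redundant_pfh(lam, t):.2e}/h, "
              f"gain x{redundancy_gain(lam, t):.1f} (cap 1/beta = 50)")
```

With immediate detection the gain approaches 1/beta = 50; with a one-year detection time the independent double-failure term pushes the gain down to about 5, which is why the article's factors of 8 and 40 are well below what fault tolerance alone would suggest.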

The complexity of ISO 13849, specifically its restriction to specific architectures and approaches, makes this standard easier to apply in practice. The requirements are rather soft and oriented towards general technical common sense. The downside is worse PFH values in comparison with IEC 61508.
IEC 61508, in contrast to ISO 13849, allows significantly safer systems, however at a much higher safety case effort.

Apart from all the above, ISO 13849 does have real disadvantages:
  1. The definition of DCavg (will be explained here) and
  2. Limiting the MTTFd per channel to a range between 3 and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh (failures per million hours). This limitation is not only unnecessary but also a drawback, because in the real safety world MTTFd values of up to 1000 years can be achieved (e.g. with channel designs consisting of gravity switches and some passive electronic components).
