Safety vs. Reliability
There is no distinct line between reliability and safety. Most systems must
be both reliable and safe; however, the requirements that go along with
reliability and safety can be very different and - given a fixed total
cost - are usually mutually exclusive.
In theory, safe systems may be unreliable, while reliable systems may
be unsafe. Nevertheless, systems can be designed in order to be both
safe and reliable, but it is very rare that both requirements are
The following examples are intended for clarification:
Example 1: Safe but unreliable
A smoke detector producing many false alarms. As long as potentially
dangerous smoke is detected reliably, the smoke detector can be
By producing many false alarms, the smoke detector is considered
unreliable because it announces dangerous situations while in reality
everything is safe.
The sensor element of this smoke detector may be too sensitive, and
therefore a slight sensitivity reduction may improve reliability
without affecting safety.
Example 2: Reliable, but unsafe
An old hedge trimmer. There is only one switch to operate the hedge
trimmer. If pressed, the trimmer starts immediately at full speed.
Due to its simplicity, the electrical part of such a hedge trimmer
would be more reliable than those trimmers available today.
Today's hedge trimmers have at least two switches. Both switches must
be activated in order to operate the trimmer, and the switch positions
are such that you will need both hands in order to activate them.
Additionally, modern hedge trimmers have a soft start
which inherently serves as an announcement function for the operator.
Beyond any reasonable doubt,
these features make modern hedge trimmers safe. The downside effect is
that, due to more electrical parts involved, modern trimmers are
Example 3: Reliable and safe
Railroad crossing, controlled by three independent and redundant
controllers. Each controller would be able to handle the railway
crossing on its own. Under normal conditions, all three controllers
yield identical outputs from input data. If one controller fails, there
are still two controllers left in order to keep the railroad crossing
in a safe state.
The operation philosophy, by which the system is safe and reliable at the
same time, is as follows:
- As long as all three controllers yield identical results, everything is OK.
- If the output of one controller is different from the other two, repair
must be completed within the next 24 hours. In the meantime, the railroad
crossing continues operating as usual.
- If all three controllers yield different outputs, the railroad crossing
will be closed (if not already closed) and will remain closed until repair
has been finished.
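The 2-out-of-3 voting and degraded-mode rules of this operation philosophy, as an added example in Python that is not part of the original page. The command set (OPEN, WARN, CLOSED), the supervisor bookkeeping of hours since a fault, and the fallback to the closed state once the 24-hour repair deadline has passed are assumptions made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence

REPAIR_DEADLINE_HOURS = 24.0  # from the operation philosophy on the page

class Command(Enum):
    """What one controller computed from the input data (constructed output set)."""
    OPEN = "open"      # barriers up, no train expected
    WARN = "warn"      # lights and bells on, barriers coming down
    CLOSED = "closed"  # barriers down: the safe state

class Status(Enum):
    OK = "ok"                    # all three controllers agree
    DEGRADED = "degraded"        # one controller disagrees; repair due within 24 h
    FAILED_SAFE = "failed_safe"  # no 2-of-3 majority; crossing forced closed

@dataclass
class Decision:
    status: Status
    command: Command                   # what the crossing actually executes
    faulty: Optional[int]              # index of the dissenting controller, if any
    repair_due_hours: Optional[float]  # hours left until repair must be finished

def vote_2oo3(outputs: Sequence[Optional[Command]],
              hours_since_fault: float = 0.0) -> Decision:
    """2-out-of-3 vote with the degraded and fail-safe rules of the example.

    A controller that produced no output (None) counts as a dissenting vote.
    hours_since_fault is supervisor bookkeeping assumed here, not on the page.
    """
    if len(outputs) != 3:
        raise ValueError("exactly three controller outputs are required")
    valid = [c for c in outputs if c is not None]
    counts = {c: valid.count(c) for c in set(valid)}
    majority, agree = max(counts.items(), key=lambda kv: kv[1]) if counts else (None, 0)
    if agree == 3:
        return Decision(Status.OK, majority, None, None)
    if agree == 2:
        faulty = next(i for i, c in enumerate(outputs) if c != majority)
        remaining = REPAIR_DEADLINE_HOURS - hours_since_fault
        if remaining > 0:
            # Keep operating on the majority result; a repair is now due.
            return Decision(Status.DEGRADED, majority, faulty, remaining)
        # Deadline missed: assumed here to drop to the safe state as well.
        return Decision(Status.FAILED_SAFE, Command.CLOSED, faulty, 0.0)
    # Fewer than two agree: no trustworthy result, so close and stay closed.
    return Decision(Status.FAILED_SAFE, Command.CLOSED, None, None)
```

Note that a silent controller (None) is treated exactly like a disagreeing one, so a single dead channel degrades the system rather than blocking the vote.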
In this way the system is safe and reliable at the same time:
- Safe: 2 of 3 controllers must yield
- Reliable: The loss of one controller can be tolerated.
For highly safety relevant systems, the following (partially mutually
exclusive) strategies are currently in use:
- Simplicity: Only switches and cabling, and probably some mechanical
components. There is neither active electronics nor software.
- Periodic diagnostic tests and proof tests: Automatic diagnostics routine,
or the system is tested by external means. It is important that the test
frequency is much higher than the expected demand rate of the safety
function. For electronic diagnostics routines, the test frequency may be
related to the system clock. This would require electronics and/or software.
- Redundant and/or fault tolerant design (with or without diagnostics):
This would require electronics and/or software.
All three strategies are state of the art, with the first being the most
important. The higher the required safety level, the more likely it is that
the safety related system is technologically simple (without active
electronics and software). A good reason for simplicity is the fact that
with increasing system complexity, both development effort and safety case
become disproportionately high.
Technological complexity can be scaled as follows (simple first):
- Mechanics only
- Electro-mechanics (switches, cabling, relays)
- Passive electronics
- Active electronics
- Programmable logic (Firmware, not configurable by end user)
- Software (configurable by end user)
For example, there is a huge
difference in the safety case whether or not a system has an integrated
While safety and reliability use the same methodological spectrum for
quantitative analysis (MTBF calculation, FMEA, Fault Trees, Markov,
statistical methods, finite elements, ...), there are significant
differences on the qualitative
While reliability relies mainly on failure rates and probabilities, safety
requires even more. Apart from architectural constraints, it is mainly the
requirements for the development process that make the difference. Safe
products need to be
designed as such from the very beginning.
There is some similarity with ISO
9001: This quality management standard does not address quality
explicitly, however, if the business processes are in line with ISO
9001, the resultant product or service is likely to be of good quality.