Safety: Reliability vs. Safety
In theory, safe systems may be unreliable, while reliable systems may be unsafe. Nevertheless, systems can be designed to be both safe and reliable, but it is very rare that both requirements are
The following examples illustrate the difference:
Example 1: Safe but unreliable
A smoke detector producing many false alarms. As long as potentially dangerous smoke is detected reliably, the smoke detector can be considered safe. By producing many false alarms, however, the smoke detector is considered unreliable, because it announces dangerous situations while in reality everything is safe.
The sensor element of this smoke detector may be too sensitive, and therefore a slight reduction in sensitivity may improve reliability without affecting safety, as long as genuine smoke is still detected reliably.
Example 2: Reliable, but unsafe
An old hedge trimmer. There is only one switch to operate the hedge trimmer. If pressed, the trimmer starts immediately at full speed.
Due to its simplicity, the electrical part of such a hedge trimmer would probably be more reliable than today's trimmers, because the latter usually have at least two switches and, in addition, probably some extra electronics. Both switches must be activated in order to operate the trimmer, and the switches are arranged in a way that you need both hands for activation. Additionally, modern hedge trimmers have a soft start, which inherently serves as a kind of warning for the operator.
Beyond any reasonable doubt, these features make modern hedge trimmers safer. The downside is that, due to the larger number of electrical parts involved, modern trimmers are probably less reliable.
Example 3: Reliable and safe
A railroad crossing controlled by three independent and redundant controllers. Each controller would be able to handle the railroad crossing on its own. Under normal conditions, all three controllers produce identical output signals from the same input data. If one controller fails, two controllers remain that produce identical output signals, and the system is therefore still able to keep the railroad crossing in a safe state.
The operation would be as follows:
- As long as all three controllers produce identical output signals, everything is OK.
- If the output of one controller differs from the other two, the repair must be completed within the next 24 hours. In the meantime, the railroad crossing continues operating, now with two functional controllers.
- If all three controllers produce different output signals, which would be extremely improbable, the railroad crossing is driven into a safe state, where it remains until the repair has been finished.
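The three cases above, as an added example in Python that is not part of the original page: a 2-out-of-3 voter plus a small supervisor that tracks the degraded state and the 24-hour repair window. The signal vocabulary (BARRIERS_UP / BARRIERS_DOWN), the choice of BARRIERS_DOWN as the safe state, and the decision that an overdue repair also forces the safe state are assumptions made for illustration, not something the page states.

```python
from datetime import datetime, timedelta
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumed signal vocabulary and safe state (not from the page): the crossing is
# safe for road traffic when the barriers are down, so that is the fallback.
BARRIERS_UP = "BARRIERS_UP"
BARRIERS_DOWN = "BARRIERS_DOWN"
SAFE_STATE = BARRIERS_DOWN
REPAIR_DEADLINE = timedelta(hours=24)   # from the page: repair within 24 hours


@dataclass(frozen=True)
class Decision:
    mode: str                   # "NORMAL", "DEGRADED" or "SAFE_STATE"
    output: str                 # command actually forwarded to the crossing
    outvoted: Tuple[int, ...]   # indices of controllers whose output lost the vote


def vote_2oo3(outputs: Sequence[str]) -> Decision:
    """Majority vote over the three controller outputs.

    3 identical -> NORMAL; exactly 2 identical -> DEGRADED, the majority value
    is used and the odd one out is flagged; all different -> SAFE_STATE, since
    no majority exists and the only defensible output is the safe one.
    """
    if len(outputs) != 3:
        raise ValueError("2oo3 voting needs exactly three controller outputs")
    if outputs[0] == outputs[1] == outputs[2]:
        return Decision("NORMAL", outputs[0], ())
    for i, j, odd in ((0, 1, 2), (0, 2, 1), (1, 2, 0)):
        if outputs[i] == outputs[j]:
            return Decision("DEGRADED", outputs[i], (odd,))
    return Decision("SAFE_STATE", SAFE_STATE, (0, 1, 2))


class CrossingSupervisor:
    """Applies the vote on every cycle and enforces the repair window."""

    def __init__(self) -> None:
        self.degraded_since: Optional[datetime] = None
        self.latched_safe = False

    def step(self, outputs: Sequence[str], now: datetime) -> Decision:
        if self.latched_safe:
            # Once in the safe state the crossing stays there until repaired().
            return Decision("SAFE_STATE", SAFE_STATE, ())
        decision = vote_2oo3(outputs)
        if decision.mode == "NORMAL":
            self.degraded_since = None          # all three agree again
        elif decision.mode == "DEGRADED":
            if self.degraded_since is None:
                self.degraded_since = now       # start of the 24 h repair window
            elif now - self.degraded_since > REPAIR_DEADLINE:
                # Assumption (not stated on the page): an overdue repair is
                # treated like a loss of redundancy and forces the safe state.
                self.latched_safe = True
                return Decision("SAFE_STATE", SAFE_STATE, decision.outvoted)
        else:
            self.latched_safe = True
        return decision

    def repaired(self) -> None:
        """Called by maintenance after the fault has been fixed and verified."""
        self.degraded_since = None
        self.latched_safe = False


def run_scenario(trace, start: datetime = datetime(2024, 1, 1)) -> List[str]:
    """Replay (hours_after_start, outputs) pairs through one supervisor and
    return the resulting modes. An entry with outputs None is a repair event.
    The trace is a constructed sample, not recorded data."""
    sup = CrossingSupervisor()
    modes: List[str] = []
    for hours, outputs in trace:
        if outputs is None:
            sup.repaired()
            modes.append("REPAIRED")
        else:
            modes.append(sup.step(outputs, start + timedelta(hours=hours)).mode)
    return modes
```

A point the page's third case implies but does not spell out: once one controller has been outvoted, the two remaining ones cannot outvote a second failure, so any further disagreement can only end in the safe state. That is also why the repair window matters: running on two controllers is tolerable for a bounded time, not indefinitely.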
This is how the system is safe and reliable at the same time:
- Safe: 2 of 3 controllers must produce identical output signals (2oo3 voting).
- Reliable: the loss of one controller is tolerable.
For highly safety-relevant systems, the following (partially mutually exclusive) strategies are common:
- Simplicity: only switches and cabling, and probably some mechanical components. There is neither active electronics nor software.
- Periodic diagnostic tests and proof tests: an automatic diagnostic routine runs, or the system is tested by external means. The test interval must be substantially shorter than the expected interval between demands on the safety function, so that a dangerous failure is found by a test before a real demand reveals it. For electronic diagnostic routines, the test frequency may be derived from the system clock. This would require electronics and/or software.
- Redundant and/or fault-tolerant design (with or without diagnostics). This would usually require electronics and/or software.
All three strategies are state of the art, with the first being the most important. The higher the required safety level, the more likely it is that the safety-related system is technologically simple (without active electronics and software).
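How much shorter than the demand interval the test interval has to be can be quantified. The following Python is an added example, not from the original page, and the model behind it is my assumption rather than the page's: a dangerous failure occurs at a uniformly random point within a test interval T (a constant failure rate with lambda*T much smaller than 1), stays undetected until the next test, and demands on the safety function arrive as a Poisson process with mean interval D. The quantity computed is the probability that such a failure is first revealed by a real demand (a hazardous event) instead of by a test; the function and parameter names are mine.

```python
import math
import random


def p_revealed_by_demand(test_interval: float, mean_demand_interval: float) -> float:
    """Probability that a dangerous undetected failure is hit by a real demand
    before the next test finds it.

    Model (assumption, see lead-in): the time left until the next test, r, is
    uniform on (0, T); demands are Poisson with mean interval D, so the chance
    of at least one demand within r is 1 - exp(-r/D). Averaging over r gives
        1 - (D/T) * (1 - exp(-T/D)).
    For T << D this is close to T / (2 D); for T >> D it approaches 1.
    """
    if test_interval <= 0 or mean_demand_interval <= 0:
        raise ValueError("intervals must be positive")
    x = test_interval / mean_demand_interval
    return 1.0 - (-math.expm1(-x)) / x      # expm1 keeps precision for tiny x


def simulate(test_interval: float, mean_demand_interval: float,
             trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_revealed_by_demand under the same model."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        remaining = rng.uniform(0.0, test_interval)                 # time to next test
        next_demand = rng.expovariate(1.0 / mean_demand_interval)   # first demand
        if next_demand < remaining:
            hits += 1
    return hits / trials


def max_test_interval(mean_demand_interval: float, max_probability: float) -> float:
    """Largest test interval T that keeps p_revealed_by_demand <= max_probability
    (bisection; the probability increases monotonically with T)."""
    lo, hi = 0.0, 10.0 * mean_demand_interval
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if p_revealed_by_demand(mid, mean_demand_interval) <= max_probability:
            lo = mid
        else:
            hi = mid
    return lo


def table(ratios=(0.01, 0.1, 0.5, 1.0, 2.0, 10.0)) -> dict:
    """Probability for a range of T/D ratios, to see how fast it grows."""
    return {r: round(p_revealed_by_demand(r, 1.0), 4) for r in ratios}
```

With T equal to D the failure is found by a demand rather than a test about 37 % of the time; at T = D/10 it drops to roughly 5 %, matching the T/(2D) rule of thumb. The example only covers the single failure/test/demand relationship; it does not model the failure rate itself or the repair time, which a full PFD calculation would need.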
A good reason for simplicity is the fact that with increasing system complexity, development effort and safety requirements become disproportionately high. For example, there is a big difference in the safety requirements whether or not a system has an
While safety and reliability use the same methodological spectrum for quantitative analysis (MTBF calculation, FMEA, fault trees, Markov models, statistical methods, finite elements, ...), there are significant differences on the qualitative side.
While reliability relies mainly on failure rates and probabilities, safety goes beyond that. Apart from architectural constraints, it is mainly the requirements for the development process that make the difference. Safe products need to be designed as such from the very beginning of the design phase.
There is some similarity with ISO 9001: this quality management standard does not address product quality explicitly; however, if the business processes are in line with ISO 9001 requirements, there is a good chance that the products and services are good as well.
Technological complexity can be scaled as follows (simplest first):
- Mechanics only
- Electro-mechanics (switches, cabling, relays)
- Passive electronics
- Active electronics
- Programmable logic (firmware, not configurable by the user)
- Software (configurable by the user)