Functional Safety: Reliability vs. Safety

Functional Safety, Introduction

→ Reliability vs. Safety

IEC 61508

ISO 13849

IEC 61508 vs. ISO 13849

Summary

There is no clear difference between reliability and safety. Most systems must be both reliable and safe, however, the requirements going along with reliability and safety can be very different and - given fixed total cost - are often contradictory, if not mutually exclusive.

In theory, safe systems may be unreliable, while reliable systems may be unsafe. Nevertheless, systems can be designed in order to be both safe and reliable, but it is very rare that both requirements are equally important.

The following examples illustrate the difference:

Example 1: Safe but unreliable
A smoke detector producing many false alarms. As long as potentially dangerous smoke is detected reliably, the smoke detector can be considered safe.
By producing many false alarms, the smoke detector is considered unreliable because it announces dangerous situations while in reality everything is safe.
The sensor element of this smoke detector may be too sensitive, and therefore a slight sensitivity reduction may improve reliability without affecting safety.

Example 2: Reliable, but unsafe
An old hedge trimmer. There is only one switch to operate the hedge trimmer. If pressed, the trimmer starts immediately with full speed.
Due to its simplicity, the electrical part of such a hedge trimmer would probably be more reliable than today's trimmers, because the latter usually have at least two switches, and in addition probably some extra electronics. Both switches must be activated in order to operate the trimmer, and the switches are arranged in a way that you would need both hands for activation. Additionally, modern hedge trimmers have a soft start which inherently serves as a kind of announcement for the operator.
Beyond any reasonable doubt, these features make modern hedge trimmers safe. The downside effect is that, due to more electrical parts involved, modern trimmers are probably less reliable.

Example 3: Reliable and safe
Railroad crossing, controlled by three independent and redundant controllers. Each controller would be able to handle the railway crossing on it's own. Under normal conditions, all three controllers would produce identical output signals from the same input data. If one controller fails, there are still two controllers left producing identical output signals, and therefore the system would still be able to keep the railroad crossing in a safe state.
The operation would be as follows:

As long as all three controllers produce identical output signals, everything is OK.
If the output of one controller is different from the other two, repair must be completed within the next 24 hours. In the meantime, the railroad crossing continues operating, now with two functional controllers.
If all three controllers produce different output signals, whicht would be extremely improbable, the railroad crossing would be driven into a safe state where it will remain until repair has been finished.

This system is safe and reliable at the same time:

Safe: 2 of 3 controllers must produce identical output signals,
Reliable: The loss of one controller is tolerabhle

For highly safety relevant systems, the following (partially mutually exclusive) strategies are common:

Simplicity. Only switches and cabling, and probably some mechanical components. There is neither active electronics nor software.
Periodic diagnostic tests and proof tests.

Automatic diagnostics routine or system is tested by external means. The test interval must be substantially shorterr than the expected demand rate of the safety function. For electronic diagnostics routines, test frequency may be related to the system clock.
This would require electronics and/or software.

Redundant and/or fault tolerant design (with or without diagnostics).

This would usually require electronics and/or software.

All three strategies are state of the art, with the first being the most important. The higher the required safety level, the more likely the safety related system being technologically simple (without active electronics and software).
Technological complexity can be scaled as follows (simplest first):

Mechanics only
Electro-mechanics (switches, cabling, relays)
Passive electronics
Active electronics
Programmable logic (Firmware, not configurable by user)
Software (configurable by user)

A good reason for simplicity is the fact that with increasing system complexity, development effort and safety rerquirements become disproportionately high.
For example, there is a big difference in the safety requirements whether or not a system has an integrated circuit.

While safety and reliability use the same methodological spectrum for quantitative analysis (MTBF calculation, FMEA, Fault Trees, Markov, statistical methods, finite elements, ...) ,there are significant differences on the qualitative side:
While reliability relies mainly on failure rates and probabilities, safety goes beyond that. Apart from architectural constraints, it is mainly the requirements for the development process that makes the difference. Safe products need to be designed as such from the very beginning of the design phase.
There is some similarity with ISO 9001: This quality management standard does not address quality explicitly, however, if the business processes are in line with ISO 9001 requirements, there is a good chance that the products and services are good as well.

Previous Page Next Page