Functional Safety: Summary

Functional Safety, Introduction

Reliability vs. Safety

IEC 61508

ISO 13849

IEC 61508 vs. ISO 13849

→ Summary

The concept of IEC 61508 appears at a quick glance coherent and plausible. This impression holds true even at a closer look. ISO 13849, however, is considerably less clear and raises questions.

SFF and HFT requirements of IEC 61508 are intuitive. These parameters don't contribute to PFH directly; however, they are additional architectural constraints in the sense that safety is based not only on reliability calculations.

Depending on the system design, PFH values can strongly depend on failure detection time. While failure detection time is not covered explicitly in IEC 61508, it is implicitly addressed by the PFH requirement itself by allowing, among others, short failure detection times. This is just an example for IEC 61508 being not restrictive with respect to system design.

In contrast, ISO 13849 covers (only) three dedicated system configurations and provides specific requirements for the individual so called channels rather than for the entire system. PFH is finally calculated by taking into account DC_avg and system architecture.
Failure detection time, in particular, is handled in a very rudimentary manner, and it turns out to be inefficient for safe system design. This last statement is just an example of ISO 13849 (in contrast to IEC 61508) offering a restricted toolset for the system designer.

The following example demonstrates the relatively small influence of DC_avg and system design on PFH:

Single channel safety related system, category B, MTTF_d = 10 years. According to appendix K of ISO 13849, the PFH for this simple system is 1,14E-5. Here, 10 years and 1,14E-5/h means the same; they can be transformed into each other with a simple conversion.
A dual channel system consisting of two identical channels as described before, plus DC_avg >90%. According to appendix K of ISO 13849, this more sophisticated system has already category 3 with PFH = 1,36E-6.
--> The sophisticated system is only by factor 8 safer than the simple system (1,14E-5 / 1,36E-6 ~ 8) taking into account the difference of 3 categories between cat. B and cat. 3 ( B-1-2-3), this factor 8 is really ridiculously small compared with IEC 61508 SIL levels (between 3 SIL levels there is factor 100).

The reason for only factor 8 is the fact that ISO 13849 category requirements are verbalized in a soft manner: Cat. 3 systems need not be thoroughly fault tolerant; Cat. 3 systems shall be "almost" fault tolerant "whenever possible and feasible". This verbalization is an enormous concession for system design cost to the disadvantage of safety.

Here's another example:

Same simple system as described above (cat. B) versus a two channel category 4 system. The difference is higher now, but still only factor 40 (between 3 SIL levels there is factor 1000).

Since category 4 systems must be 100% fault tolerant, there must be a different reason for only factor 40: Common cause failures. Like for category 3 fault tolerance, the requirements for category 4 (and by the way category 3) common cause failures is again soft. ISO 13849 provides a simple checklist with common cause specific questions. With a score of at least 65 of 100 points, measures against common cause failures are considered sufficient. It is interesting that this checklist does rather address the development process than the safety related product itself.
A more quantitative explanation for only factor 40 is the so called beta factor. ISO 13849 assumes beta = 2%, which means that for redundant systems, 2% of the failure rate of each channel are considered common cause failures.

The complexity of the ISO 13849, specifically its restriction to specific architectures and approaches, makes this standard is easier to apply in practice. The requirements are rather soft and oriented to general technical common sense. The downside is worse PFH values in comparison with IEC 61508.
IEC 61508 allows in contrast to the ISO 13849 significantly safer systems, however at a much higher safety case effort.

Apart from all the above, ISO 13849 has indeed real disadvantages:

The definition of DC_avg (will be explained here) and
Limiting the MTTFd per channel to a range between 3 and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh. This limitation is not only unnecessary, but also a drawback because in the real safety world, MTTF_d values up to 1000 years can be achieved ( e.g. with channel designs consisting of gravity switches and some passive electronic components).

Previous Page Next Topic