The concept of IEC 61508 appears coherent and plausible at a quick glance, and this impression holds true at a closer look. ISO 13849, however, is considerably less clear and raises questions.
The SFF and HFT requirements of IEC 61508 are intuitive. These parameters don't contribute to PFH directly; rather, they are additional architectural constraints, in the sense that safety is based not only on reliability calculations.
Depending on the system design, PFH values can strongly depend on failure detection time. While failure detection time is not covered explicitly in IEC 61508, it is implicitly addressed by the PFH requirement itself, which can be met, among other ways, by short failure detection times. This is just one example of IEC 61508 not being restrictive with respect to system design.
In contrast, ISO 13849 covers (only) three dedicated system configurations and provides specific requirements for the individual so-called channels rather than for the entire system. PFH is finally calculated by taking into account DCavg and system architecture. Failure detection time, in particular, is handled in a very rudimentary manner, and it turns out to be inefficient for safe system design. This last statement is just one example of ISO 13849 (in contrast to IEC 61508) offering a restricted toolset to the system designer.
The following example demonstrates the relatively small influence of DCavg and system design on PFH:

Single channel safety-related system, category B, MTTFd = 10 years. According to appendix K of ISO 13849, the PFH for this simple system is 1.14E-5/h. Here, 10 years and 1.14E-5/h mean the same thing; they can be transformed into each other with a simple conversion.
A dual channel system consisting of two identical channels as described before, plus DCavg > 90%. According to appendix K of ISO 13849, this more sophisticated system already reaches category 3 with PFH = 1.36E-6/h.
--> The sophisticated system is safer than the simple system by only a factor of 8 (1.14E-5 / 1.36E-6 ≈ 8). Taking into account the difference of three categories between cat. B and cat. 3 (B-1-2-3), this factor of 8 is ridiculously small compared with IEC 61508 SIL levels (between 3 SIL levels there is a factor of 100).
The reason for only a factor of 8 is that ISO 13849 category requirements are verbalized in a soft manner: Cat. 3 systems need not be thoroughly fault tolerant; Cat. 3 systems shall be "almost" fault tolerant "whenever possible and feasible". This verbalization is an enormous concession to system design cost at the expense of safety.
Here's another example: the same simple system as described above (cat. B) versus a two-channel category 4 system. The difference is higher now, but still only a factor of 40 (between 3 SIL levels there is a factor of 1000).
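The MTTFd-to-PFH conversion and the "factor" comparisons above are easy to get wrong by hand, so here is an added worked example (not part of the original text, and not an ISO 13849 appendix K calculation). It converts the page's 10-year MTTFd to a failure rate per hour, computes the factor-8 and factor-40 ratios, expresses them in decades, and places the resulting PFH values in the IEC 61508 high-demand SIL bands, which are one decade wide each. It also covers the 3-to-100-year MTTFd range quoted at the end of the page in failures per million hours. The 8760 hours/year convention and the cat. 4 PFH derived from the page's factor 40 are assumptions.

```python
import math

HOURS_PER_YEAR = 8760  # assumption: 365 days x 24 h, the usual convention


def mttfd_to_rate(mttfd_years):
    """MTTFd in years -> dangerous failure rate in 1/h (a single-channel PFH)."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def rate_to_mttfd(rate_per_h):
    """Dangerous failure rate in 1/h -> MTTFd in years (the inverse conversion)."""
    return 1.0 / (rate_per_h * HOURS_PER_YEAR)


def rate_to_fpmh(rate_per_h):
    """1/h -> failures per million hours (fpmh), the unit used for the 3..100 year range."""
    return rate_per_h * 1e6


def safety_factor(pfh_simple, pfh_improved):
    """How many times lower the improved architecture's PFH is than the simple one's."""
    return pfh_simple / pfh_improved


def decades(factor):
    """Express a factor in orders of magnitude; one SIL step in IEC 61508 is one decade."""
    return math.log10(factor)


# IEC 61508 high-demand PFH bands in 1/h: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = ((4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


def sil_band(pfh):
    """Return the SIL whose PFH band contains pfh, or None if pfh is outside all bands
    (too poor for SIL 1, or below the SIL 4 band)."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfh < hi:
            return sil
    return None


if __name__ == "__main__":
    cat_b = mttfd_to_rate(10)          # page: MTTFd = 10 years -> 1.14E-5/h
    cat_3 = 1.36e-6                    # page: dual channel, DCavg > 90 %
    cat_4 = cat_b / 40                 # assumption: derived from the page's "factor 40"
    print(f"cat. B: PFH = {cat_b:.2e}/h  (MTTFd {rate_to_mttfd(cat_b):.1f} y), SIL band: {sil_band(cat_b)}")
    for name, pfh in (("cat. 3", cat_3), ("cat. 4", cat_4)):
        f = safety_factor(cat_b, pfh)
        print(f"{name}: PFH = {pfh:.2e}/h, factor {f:.1f} = {decades(f):.2f} decades, SIL band: {sil_band(pfh)}")
    for years in (3, 100, 1000):
        print(f"MTTFd {years:4d} y = {rate_to_fpmh(mttfd_to_rate(years)):.2f} fpmh")
```

Running it shows that the page's cat. B system sits just outside the SIL 1 band, the cat. 3 system reaches the SIL 1 band only, and a factor of 40 over cat. B is less than two decades, i.e. less than two SIL steps.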
Since category 4 systems must be 100% fault tolerant, there must be a different reason for only a factor of 40: common cause failures.
As with category 3 fault tolerance, the requirements for category 4 (and, by the way, category 3) common cause failures are again soft. ISO 13849 provides a simple checklist with common-cause-specific questions. With a score of at least 65 of 100 points, measures against common cause failures are considered sufficient. It is interesting that this checklist addresses the development process rather than the safety-related product itself. A more quantitative explanation for only a factor of 40 is the so-called beta factor. ISO 13849 assumes beta = 2%, which means that for redundant systems, 2% of the failure rate of each channel is considered common cause failures.
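To make the beta-factor argument concrete, here is an added example (not from the original text and not the ISO 13849 appendix K method) using a simplified textbook beta-factor model for a two-channel system: a fraction beta of each channel's dangerous failure rate is counted as a common cause failure that defeats both channels at once, and the remaining independent failures only become dangerous when the second channel fails while the first one is still sitting undetected. The model, the 8760 hours/year convention, the detection time and proof-test interval values are assumptions; the MTTFd of 10 years and beta = 2% come from the page. The point it demonstrates is that no amount of diagnostic coverage or fast detection can push the gain over a single channel beyond 1/beta, which for beta = 2% is 50, consistent with the page's "only a factor of 40".

```python
HOURS_PER_YEAR = 8760  # assumption: 365 days x 24 h


def channel_failure_rate(mttfd_years):
    """Dangerous failure rate of one channel in 1/h from its MTTFd in years."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def common_cause_rate(lambda_d, beta):
    """Beta-factor model: the fraction beta of each channel's dangerous failures
    is a common cause failure that takes out both channels simultaneously."""
    return beta * lambda_d


def dual_channel_pfh(mttfd_years, beta, dc, t_detect_h, t_proof_h):
    """Simplified (assumed, illustrative) PFH of a two-channel system.

    dc        - diagnostic coverage: fraction of dangerous failures that are detected
    t_detect_h - hours a detected failure stays present before the system is made safe
    t_proof_h  - proof-test interval; an undetected failure persists on average half of it
    """
    lambda_d = channel_failure_rate(mttfd_years)
    ccf = common_cause_rate(lambda_d, beta)
    lam_ind = (1.0 - beta) * lambda_d          # independent part of the channel failure rate
    lam_dd = dc * lam_ind                      # dangerous detected
    lam_du = (1.0 - dc) * lam_ind              # dangerous undetected
    # Mean fraction of time one channel sits in a dangerous failed state.
    p_channel_down = lam_dd * t_detect_h + lam_du * t_proof_h / 2.0
    # Either channel may fail first (factor 2) while the other one is already down.
    independent = 2.0 * lam_ind * p_channel_down
    return {"ccf": ccf, "independent": independent, "total": ccf + independent}


def redundancy_gain(mttfd_years, beta, dc, t_detect_h, t_proof_h):
    """Factor by which the two-channel PFH is lower than the single-channel PFH."""
    single = channel_failure_rate(mttfd_years)
    return single / dual_channel_pfh(mttfd_years, beta, dc, t_detect_h, t_proof_h)["total"]


def max_redundancy_gain(beta):
    """Upper bound on the gain: with perfect diagnostics only the CCF term remains."""
    return 1.0 / beta


if __name__ == "__main__":
    # Assumed scenarios: DCavg of 90 % (the page's "> 90 %") and 99 %, fast and slow detection,
    # yearly proof test. All values constructed for illustration.
    for dc, t_detect in ((0.9, 1.0), (0.9, 720.0), (0.99, 1.0)):
        parts = dual_channel_pfh(10, 0.02, dc, t_detect, HOURS_PER_YEAR)
        gain = redundancy_gain(10, 0.02, dc, t_detect, HOURS_PER_YEAR)
        print(f"DC={dc:.2f} t_detect={t_detect:6.1f} h: CCF {parts['ccf']:.2e}/h, "
              f"independent {parts['independent']:.2e}/h, total {parts['total']:.2e}/h, gain x{gain:.1f}")
    print(f"upper bound from beta = 2 %: x{max_redundancy_gain(0.02):.0f}")
```

With these numbers the common cause term (about 2.28E-7/h) is already the largest contributor at 90% coverage; shortening detection time or raising coverage shrinks only the independent term, so the gain climbs from the low thirties towards 50 but never reaches it. Lowering beta (through diversity, separation and the other checklist measures) is the only lever that moves the bound itself.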
ISO 13849's restriction to specific architectures and approaches makes the standard easier to apply in practice. The requirements are rather soft and oriented to general technical common sense. The downside is worse PFH values in comparison with IEC 61508. IEC 61508, in contrast to ISO 13849, allows significantly safer systems, however at a much higher safety case effort.
Apart from all the above, ISO 13849 has indeed real disadvantages: limiting the MTTFd per channel to a range between 3 and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh. This limitation is not only unnecessary but also a drawback, because in the real safety world MTTFd values up to 1000 years can be achieved (e.g. with channel designs consisting of gravity switches and some passive electronic components).