IEC 61508 vs. ISO 13849
concept of the IEC 61508 appears at a quick glance coherent and plausible. This impression remains even at a closer look. ISO 13849, however, is considerably less clear and raises questions. The SFF and HFT requirements of IEC 61508 are intuitive. These parameters don't contribute to PFH directly; however, they are additional architectural constraints in the sense that safety is based not only on reliability calculations.

Depending on the system design, PFH values can strongly depend on failure detection time. While failure detection time is not covered explicitly in IEC 61508, it is implicitly addressed by the PFH requirement itself, which allows, among other measures, short failure detection times. This is just an example of IEC 61508 being rather liberal with respect to system design. In contrast, ISO 13849 covers (only) three dedicated system configurations and provides specific requirements for the individual channels rather than for the entire system. PFH is finally calculated by taking into account DCavg and system architecture. Failure detection time, in particular, is handled in such a coarse manner that it turns out to be inefficient for safe system design. This last statement is just an example of ISO 13849 (in contrast to IEC 61508) offering only a narrow perspective for the system designer.
The following example demonstrates the relatively small influence of DCavg and system design on PFH:

- Single channel safety related system, category B, MTTFd = 10 years. According to appendix K of ISO 13849, the PFH for this simple system is 1,14E-5. Here, 10 years and 1,14E-5/h mean the same; they can be transformed into each other with a simple conversion.
- A dual channel system consisting of two identical channels as described before, plus DCavg > 90%. According to appendix K of ISO 13849, this more sophisticated system already reaches category 3 with PFH = 1,36E-6.
- --> The sophisticated system is only safer by a factor of 8 than the simple system (1,14E-5 / 1,36E-6 ~ 8). Taking into account the difference of 3 categories between cat. B and cat. 3 (B-1-2-3), this factor 8 is ridiculously small compared with IEC 61508 SIL levels (between 3 SIL levels there is a factor of 100).

The reason for only factor 8 is the fact that ISO 13849 category requirements are verbalized in a "soft" manner: Cat. 3 systems need not be thoroughly fault tolerant; Cat. 3 systems shall be "almost" fault tolerant "whenever possible and feasible". This verbalization is an enormous concession to system design cost, to the disadvantage of safety.
Here's another example:

- Same simple system as described above (cat. B) versus a two channel category 4 system. The difference is higher now, but still only a factor of 40 (between 3 SIL levels there is a factor of 1000).

Since category 4 systems must be 100% fault tolerant, there must be a different reason for only factor 40: common cause failures. As with category 3 fault tolerance, the requirement for category 4 (and, by the way, category 3) common cause failures is again soft. ISO 13849 provides a simple checklist with common cause specific questions. With a score of at least 65 of 100 points, measures against common cause failures are considered sufficient. It is interesting that this checklist addresses the development process rather than the safety related product itself.

A more quantitative explanation for only factor 40 is the so-called beta factor. ISO 13849 assumes beta = 2%, which means that for redundant systems, 2% of the failure rate of each channel is considered common cause failures.
The limited complexity of ISO 13849, namely its restriction to specific architectures and approaches, makes this standard easier to apply in practice. The requirements are rather soft and oriented to general technical common sense. The downside is worse PFH values in comparison with IEC 61508.

In contrast to ISO 13849, IEC 61508 allows significantly safer systems, however at a much higher safety
Apart from all the above, ISO 13849 has indeed real disadvantages:
- The definition of DCavg (will be explained here)
- Limiting the MTTFd per channel to a range between 3 and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh. This limitation is not only unnecessary, but also a drawback because in the real safety world, MTTFd values up to 1000 years can be achieved (e.g. with channel designs consisting of gravity switches and some passive electronic components).
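As an added illustration (not the article's own material), the following Python script works through the arithmetic behind the two worked examples above and the MTTFd window in the list of disadvantages: the MTTFd to failure-rate conversion (10 years vs. 1,14E-5/h, the 3..100 year window vs. 38..1.14 fpmh), the factor 8 and factor 40 gains expressed in SIL steps, and the common cause floor implied by beta = 2%. The beta-factor relation used here (common cause rate = beta * lambda_d, so a redundant pair can gain at most 1/beta over a single channel) is the generic textbook model, assumed as a simplification of the standard's treatment; every numerical constant is taken from the article.

```python
import math

# Added illustration, not code from the article. Constants are the article's
# figures; the beta-factor model is the generic textbook model (assumption).

HOURS_PER_YEAR = 8760  # 365 days * 24 h, the convention used by both standards

# Figures quoted in the article (appendix K of ISO 13849)
PFH_CAT_B_SINGLE_CHANNEL = 1.14e-5   # 1/h, one channel, MTTFd = 10 years
PFH_CAT_3_DUAL_CHANNEL = 1.36e-6     # 1/h, two such channels, DCavg > 90 %
CAT_B_TO_CAT_4_GAIN = 40             # improvement factor the article quotes for cat. 4
BETA_ISO_13849 = 0.02                # 2 % of each channel's failure rate is common cause
MTTFD_WINDOW_YEARS = (3.0, 100.0)    # MTTFd range per channel the article criticises


def mttfd_to_rate(mttfd_years):
    """Dangerous failure rate lambda_d (per hour) of a channel with the given MTTFd."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def rate_to_mttfd(rate_per_hour):
    """Inverse of mttfd_to_rate: MTTFd in years for a per-hour failure rate."""
    return 1.0 / (rate_per_hour * HOURS_PER_YEAR)


def rate_to_fpmh(rate_per_hour):
    """Express a per-hour failure rate in failures per million hours (fpmh)."""
    return rate_per_hour * 1e6


def clip_mttfd(mttfd_years, window=MTTFD_WINDOW_YEARS):
    """Apply the MTTFd window: a channel better than the upper bound is only
    credited with the upper bound, which is the drawback the article describes."""
    low, high = window
    return min(max(mttfd_years, low), high)


def safety_gain(pfh_simple, pfh_better):
    """Factor by which the better system's PFH undercuts the simpler one's."""
    return pfh_simple / pfh_better


def sil_steps(gain):
    """SIL steps a gain factor is worth: each SIL band spans one decade of PFH."""
    return math.log10(gain)


def common_cause_floor(channel_rate, beta=BETA_ISO_13849):
    """Beta-factor model (assumed): beta * lambda_d fails both channels at once,
    so no diagnostics or fault tolerance brings a two-channel system below it."""
    return beta * channel_rate


def max_redundant_gain(beta=BETA_ISO_13849):
    """Upper bound on single- to dual-channel improvement under the beta-factor
    model: lambda_d / (beta * lambda_d) = 1 / beta."""
    return 1.0 / beta


def summary():
    """Collect the numbers the article argues with, for inspection or testing."""
    rate_10y = mttfd_to_rate(10)
    low, high = MTTFD_WINDOW_YEARS
    gain_cat_3 = safety_gain(PFH_CAT_B_SINGLE_CHANNEL, PFH_CAT_3_DUAL_CHANNEL)
    return {
        # ~1.14e-5/h: the cat. B PFH is simply 1 / MTTFd
        "rate_10y_per_hour": rate_10y,
        # ~8, i.e. less than one SIL step for three category steps
        "gain_cat_b_to_cat_3": gain_cat_3,
        "sil_steps_cat_3": sil_steps(gain_cat_3),
        # ~1.6 SIL steps for the factor 40 quoted for cat. 4
        "sil_steps_cat_4": sil_steps(CAT_B_TO_CAT_4_GAIN),
        # PFH a cat. 4 system would have if it is exactly 40 times better (derived)
        "pfh_cat_4_implied": PFH_CAT_B_SINGLE_CHANNEL / CAT_B_TO_CAT_4_GAIN,
        # ~2.3e-7/h: common cause part of a 10-year channel under beta = 2 %
        "ccf_floor_per_hour": common_cause_floor(rate_10y),
        # 50: the most any redundant pair can gain; "only factor 40" sits below it
        "max_gain_from_beta": max_redundant_gain(),
        # (38, 1.14) fpmh: the article's window endpoints
        "window_fpmh": (rate_to_fpmh(mttfd_to_rate(low)), rate_to_fpmh(mttfd_to_rate(high))),
        # 100: a 1000-year channel design is capped at the window's upper bound
        "mttfd_1000y_credited": clip_mttfd(1000),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The point the numbers make: the implied cat. 4 PFH (1,14E-5 / 40) lies just above the common cause floor beta * lambda_d of one 10-year channel, so under the beta-factor model the factor 40 is essentially the 1/beta = 50 ceiling that common cause failures impose, independent of how much fault tolerance or diagnostic coverage the architecture adds.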