ISO 13849 and IEC 61508 definitions (alphabetical order)


Common Cause Failures. Multiple failures with the same (common) cause. This is very important for redundant and fault tolerant systems: independence of single failure modes is not given by nature; it must be justified by a dedicated analysis, the so called common cause analysis.
ISO 13849 offers a one page questionnaire for this purpose. The questionnaire focuses on the development process and on the skills of the developers rather than on the safety product itself. If at least 65 out of 100 points are reached, the measures against common cause failures are considered "sufficient", and independence of *almost* all single failure modes can be assumed.
This "almost" is the crux of the matter: the ISO 13849 fault tolerance requirements are somewhat "soft"; see the category table for details.

Other standards like IEC 61508 use so called beta factors where common cause failures cannot be completely ruled out. A beta factor (very often ~2%) is the percentage of the single failure rate that is attributed to the common cause failure rate. This conservative approach significantly compromises any design effort for fault tolerance and redundancy.
While ISO 13849 doesn't mention beta factors, it seems obvious that it uses them intensively, because this would intuitively explain its relatively low PFH range compared with IEC 61508: ISO 13849 covers only 3 orders of magnitude (3E-5/h ... 2.5E-8/h) in 5 steps, whereas IEC 61508 covers 4 orders of magnitude in 4 steps (1E-5/h ... 1E-9/h).
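To make the effect of a beta factor on a redundant architecture concrete, here is an added Python example; it is not part of the original page. It assumes a simplified two-term model for a 1oo2 (one-out-of-two) channel pair: the rate of independent dangerous failures of both channels within the mean exposure time (half the proof test interval, repair time neglected) plus the common cause term beta times the single channel dangerous failure rate. The channel failure rate, proof test interval and beta values are constructed for illustration.

```python
"""Added example: how a common cause (beta) term dominates a redundant 1oo2 pair.

Simplified two-term model (an assumption of this example, not a formula from the page):
  PFH_1oo2 ~= 2 * ((1 - beta) * lambda_DU)**2 * t_CE  +  beta * lambda_DU
The first term is the rate of independent dangerous failures of both channels
within the mean exposure time t_CE (taken as half the proof test interval,
repair time neglected); the second term is the common cause failure rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pfh1oo2:
    independent: float   # failures per hour from independent double failures
    common_cause: float  # failures per hour attributed to a common cause
    total: float         # sum of both contributions

    @property
    def common_cause_share(self) -> float:
        """Fraction of the total dangerous rate that comes from the beta term."""
        return self.common_cause / self.total if self.total else 0.0


def pfh_1oo2(lambda_du: float, beta: float, proof_test_interval_h: float) -> Pfh1oo2:
    """Dangerous failure rate per hour of a two-channel (1oo2) safety function.

    lambda_du: dangerous undetected failure rate of one channel (per hour)
    beta: fraction of lambda_du attributed to common cause failures (0 .. 1)
    proof_test_interval_h: interval between proof tests of the channels (hours)
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    t_ce = proof_test_interval_h / 2.0          # mean exposure time of a hidden fault
    lam_ind = (1.0 - beta) * lambda_du          # part of the rate that stays independent
    independent = 2.0 * lam_ind ** 2 * t_ce     # both channels fail independently
    common_cause = beta * lambda_du             # both channels fail for one cause
    return Pfh1oo2(independent, common_cause, independent + common_cause)


def redundancy_gain(lambda_du: float, beta: float, proof_test_interval_h: float) -> float:
    """How many times better the 1oo2 pair is than a single channel, given beta."""
    return lambda_du / pfh_1oo2(lambda_du, beta, proof_test_interval_h).total


if __name__ == "__main__":
    # Constructed values: a channel with lambda_DU = 1E-6/h, proof tested once a year.
    LAMBDA_DU = 1e-6
    T_PROOF = 8760.0
    for beta in (0.0, 0.02, 0.10):
        r = pfh_1oo2(LAMBDA_DU, beta, T_PROOF)
        print(f"beta={beta:4.0%}  independent={r.independent:.2e}/h  "
              f"common cause={r.common_cause:.2e}/h  total={r.total:.2e}/h  "
              f"CCF share={r.common_cause_share:5.1%}  "
              f"gain vs one channel={redundancy_gain(LAMBDA_DU, beta, T_PROOF):6.1f}x")
```

With these constructed numbers the pair is about 114 times better than a single channel without a beta term, but only about 35 times better with the commonly used 2 %, and the common cause term alone accounts for roughly 70 % of the remaining dangerous rate; that is the sense in which a beta factor "compromises" redundancy.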

Diagnostic tests must be automatic (so that they cannot be forgotten by persons) and built in (part of the safety system). The diagnostic test frequency must be higher than the expected safety function demand rate. A diagnostic test can either be a dedicated diagnostics routine, or it can be realised inherently by the natural behavior of the system, e.g. potentially dangerous failure modes may compromise the safety function in a visible and apparent way. The latter is even more true for complex facilities where the safety function cannot be separated from the rest of the facility.
Example: the 4...20 mA current loop principle, where a current I outside [4 ... 20] mA indicates a failure.

Diagnostic Coverage

DC = Lambda_DD / (Lambda_DD + Lambda_DU)

Said in words: dangerous detectable failure rate divided by dangerous (detectable and undetectable) failure rate.
The indices mean:

Index    Meaning
(none)   Lambda: failure rate
SD       Safe, Detectable
SU       Safe, Undetectable
DD       Dangerous, Detectable
DU       Dangerous, Undetectable

The definition of DCavg is unfortunate, because it somewhat compromises safe system design. The following table explains this by showing the difference between ISO 13849 DCavg and IEC 61508 safe failure fraction (SFF).

[Table: SFF vs DCavg for several example failure rate distributions, including Example 4 referred to below]

Two things can be seen:
  1. SFF is at least as high as DCavg. For realistic Lambda_xx distributions, SFF is always higher.
  2. A close look reveals that Example 4 in the above table would be a highly safe system in the sense of IEC 61508 (SFF = 99%), but only average for ISO 13849 (DCavg = 50%). Hence the ISO 13849 definition can be considered half-baked and should not be used in safety analyses. The author recommends that DCavg *never* be used in ISO 13849 safety analyses and that SFF always be used instead.
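As an added Python example (not from the original page), the two definitions are computed side by side on four constructed failure rate distributions; the fourth row is chosen so that it reproduces the DCavg = 50% / SFF = 99% situation described above. The MTTFd-weighted averaging of DC over several components, as given in ISO 13849-1, is included to show that it equals the DC of the summed failure rates. The rates are in FIT (failures per 1E9 hours) and are constructed, not taken from the page's table.

```python
"""Added example: diagnostic coverage (DC) versus safe failure fraction (SFF)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

FIT = 1e-9  # 1 FIT = one failure per 1E9 hours


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one component in FIT, split by the four indices."""
    sd: float  # safe, detectable
    su: float  # safe, undetectable
    dd: float  # dangerous, detectable
    du: float  # dangerous, undetectable

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def dangerous(self) -> float:
        return self.dd + self.du

    @property
    def mttfd_h(self) -> float:
        """Mean time to dangerous failure in hours (1 / Lambda_D)."""
        return 1.0 / (self.dangerous * FIT)


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = Lambda_DD / (Lambda_DD + Lambda_DU); safe failures play no role."""
    return r.dd / r.dangerous if r.dangerous else 1.0


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (Lambda_SD + Lambda_SU + Lambda_DD) / Lambda_total."""
    return (r.sd + r.su + r.dd) / r.total if r.total else 1.0


def summed(components: Iterable[FailureRates]) -> FailureRates:
    """Add the rates of several components index by index."""
    cs = list(components)
    return FailureRates(sum(c.sd for c in cs), sum(c.su for c in cs),
                        sum(c.dd for c in cs), sum(c.du for c in cs))


def dc_avg(components: Iterable[FailureRates]) -> float:
    """MTTFd-weighted average DC as defined in ISO 13849-1:
    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    cs = list(components)
    num = sum(diagnostic_coverage(c) / c.mttfd_h for c in cs)
    den = sum(1.0 / c.mttfd_h for c in cs)
    return num / den


# Constructed distributions (FIT); each row sums to 100 FIT so the fractions read easily.
EXAMPLES: Dict[str, FailureRates] = {
    "example 1": FailureRates(sd=0, su=0, dd=0, du=100),    # nothing safe, nothing detected
    "example 2": FailureRates(sd=50, su=0, dd=0, du=50),    # half of all failures are safe
    "example 3": FailureRates(sd=10, su=10, dd=60, du=20),  # good diagnostics
    "example 4": FailureRates(sd=49, su=49, dd=1, du=1),    # almost everything fails safe
}


def compare(examples: Dict[str, FailureRates]) -> Dict[str, Tuple[float, float]]:
    """Return (DC, SFF) per example; SFF is never below DC."""
    return {name: (diagnostic_coverage(r), safe_failure_fraction(r))
            for name, r in examples.items()}


if __name__ == "__main__":
    print(f"{'case':10} {'DC':>6} {'SFF':>6}")
    for name, (dc, sff) in compare(EXAMPLES).items():
        print(f"{name:10} {dc:6.0%} {sff:6.0%}")
    parts = [EXAMPLES["example 3"], EXAMPLES["example 4"]]
    print(f"DCavg over examples 3+4 = {dc_avg(parts):.4f}, "
          f"DC of summed rates = {diagnostic_coverage(summed(parts)):.4f}")
```

Example 4 shows the point of the text: only 2 FIT out of 100 are dangerous at all, so SFF reports 99%, while DC looks only at those 2 FIT and reports 50%.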

Dangerous Failure
Any failure that has the potential to
- disable the safety function, or
- put the system into a potentially dangerous state.
Dangerous failures need special attention; undetectable dangerous failures need even more.


Hardware Fault Tolerance
The minimum number of failures which a system can tolerate without losing the safety function. Typical values are 0 and 1.

Performance Level
An MTTFd (or PFH) range in ISO 13849. Instead of stating the system MTTFd (or PFH) explicitly, ISO 13849 uses 5 ranges, the so called performance levels a ... e.
See performance level table for more details.

PFH: Probability of Failure per Hour
For small values, PFH equals the failure rate (in units of failures per hour).

SFF: Safe Failure Fraction

SFF = (Lambda_SD + Lambda_SU + Lambda_DD) / (Lambda_SD + Lambda_SU + Lambda_DD + Lambda_DU)

Said in words: all but the dangerous undetectable failure rate divided by the total failure rate.

Safe Failure
Any failure that does NOT have the potential to either
- disable the safety function, or
- put the system into a potentially dangerous state.

In the safety context, safe failures need not be addressed. 

Safety Function
Those parts of a system that are needed only for safety. This definition implies that the system actually has components serving only safety. However, many safety related systems have inherently built in safety functions, and then it is impossible to tell safety related components from other components.

