ISO 13849 and IEC 61508 definitions (alphabetical order)
CCF
Common Cause Failures. Multiple failures with the same (common) cause. This is very important for redundant and fault tolerant systems: independence of single failure modes is not simply given by nature; instead, independence must be justified by a dedicated, so called common cause analysis.
ISO 13849 offers a one page questionnaire for the purpose of common cause analysis. The questionnaire focuses on the development process and on the skills of the developers rather than on the safety product itself. If at least 65 out of 100 points are reached, measures against common cause failures are considered "sufficient", and therefore independence of *almost* all single failure modes can be assumed.
This "almost" is the crux of the matter: the ISO 13849 fault tolerance requirements are somewhat "soft"; see the category table for details.
Other standards like IEC 61508 suggest so called beta factors in case common cause failures cannot be completely ruled out. A beta factor (very often ~ 2%) is the percentage of a single channel's failure rate that is attributed to the common cause failure rate. This conservative approach significantly compromises any design effort for fault tolerance and redundancy.
While ISO 13849 doesn't mention beta factors, it seems obvious that it uses them intensively, because this would intuitively explain the relatively low PFH range in comparison with IEC 61508: ISO 13849 covers only 3 orders of magnitude (3E-5/h ... 2.5E-8/h) in 5 steps, whereas IEC 61508 covers 4 orders of magnitude in 4 steps (1E-5/h ... 1E-9/h).
Diagnostics
Diagnostic tests must be automatic (they cannot be forgotten by persons) and built in (part of the safety system). The diagnostic test frequency must be higher than the expected safety function demand rate. A diagnostic test can either be a dedicated diagnostics routine, or it can be realised inherently by the natural behaviour of the system, e.g. potentially dangerous failure modes may compromise the safety function in a visible and apparent way. The latter is even more true for complex facilities where the safety function cannot be separated from the rest of the facility.
Example: the 4...20 mA current loop principle, where a measured current I outside [4 ... 20] mA is itself the indication of a failure.
Diagnostic Coverage
DC = Lambda_DD / (Lambda_DD + Lambda_DU)
Said in words: the dangerous detectable failure rate divided by the total dangerous (detectable and undetectable) failure rate.
The indices mean:
Index | Meaning
Lambda | Failure rate
SD | Safe, Detectable
SU | Safe, Undetectable
DD | Dangerous, Detectable
DU | Dangerous, Undetectable
The definition of DCavg is a pity, because it somewhat compromises safe system design. The following table explains this.
The table shows the difference between ISO 13849 DCavg and IEC 61508 safe failure fraction (SFF).
Two things can be seen:
- SFF is at least as high as DCavg. For realistic Lambda_xx distributions, SFF is always higher.
- A close look reveals that
  - IEC 61508 SFF rewards the existence of safe failure rates, whereas
  - ISO 13849 penalises safe failure modes (by ignoring them) and rewards the existence of dangerous failure modes. This is clearly against safe system design, because safe systems should have a high percentage of safe failures, regardless of whether they are detectable or not.
Example 4 in the above table would be a highly safe system in the sense of IEC 61508 (SFF = 99%), but for ISO 13849 it is only average (DCavg = 50%). Hence the ISO 13849 definition can be considered half-baked and should not be used in safety analyses. The author recommends that DCavg *never* be used in ISO 13849 safety analyses; instead, SFF should always be used.
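A worked comparison of the two measures, added here as example code (not from the page or from either standard): it computes DC per component from the four indexed failure rates above and SFF as defined further down, checks that SFF can never fall below DC, and includes a constructed rate distribution that reproduces the figures quoted for Example 4 (SFF = 99%, DC = 50%). The sample rates are constructed for illustration; DCavg in ISO 13849 is the average of these per-component values over the parts of a channel.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FailureRates:
    """One component's failure rates, split by the indices of the table above (e.g. in FIT)."""
    sd: float  # safe, detectable
    su: float  # safe, undetectable
    dd: float  # dangerous, detectable
    du: float  # dangerous, undetectable

def diagnostic_coverage(r: FailureRates) -> Optional[float]:
    """ISO 13849 DC = Lambda_DD / (Lambda_DD + Lambda_DU).
    Safe modes do not enter at all; with no dangerous modes DC is undefined (None)."""
    dangerous = r.dd + r.du
    return None if dangerous == 0 else r.dd / dangerous

def safe_failure_fraction(r: FailureRates) -> float:
    """IEC 61508 SFF = (Lambda_SD + Lambda_SU + Lambda_DD) / (sum of all four rates)."""
    total = r.sd + r.su + r.dd + r.du
    if total == 0:
        raise ValueError("SFF is undefined for a component with no failure modes")
    return (r.sd + r.su + r.dd) / total

def sff_never_below_dc(r: FailureRates) -> bool:
    """SFF = (S + DD) / (S + DD + DU) with S = SD + SU >= 0 is non-decreasing in S and
    equals DC at S = 0, so SFF >= DC holds whenever DC is defined."""
    dc = diagnostic_coverage(r)
    return dc is None or safe_failure_fraction(r) >= dc

# Constructed sample distributions in FIT; not copied from the page's table. The second
# one reproduces the figures the text quotes for Example 4: SFF = 99 %, DC = 50 %.
SAMPLES = {
    "no safe modes, half detected": FailureRates(sd=0, su=0, dd=50, du=50),
    "almost all failures safe": FailureRates(sd=0, su=98, dd=1, du=1),
    "all failures safe": FailureRates(sd=60, su=40, dd=0, du=0),
}

def compare(name: str) -> tuple:
    """Return (DC, SFF) for one named sample, rounded to four decimals."""
    r = SAMPLES[name]
    dc = diagnostic_coverage(r)
    return (None if dc is None else round(dc, 4), round(safe_failure_fraction(r), 4))

for _name in SAMPLES:
    _dc, _sff = compare(_name)
    print(f"{_name:30s} DC={_dc}  SFF={_sff}")
```

The third sample shows the page's point in the extreme: a component whose failures are all safe scores SFF = 100% but has no DC at all, because ISO 13849 only looks at dangerous modes.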
Dangerous Failure
Any failure that has the potential to
- disable the safety function, or
- put the system into a potentially dangerous state.
Dangerous failures need special attention; undetectable dangerous failures need even more attention.
HFT
Hardware Fault Tolerance.
The minimum number of failures that a system can tolerate without losing the safety function. Typical values are 0 and 1.
Performance Level
An MTTFd (or PFH) range in ISO 13849. Instead of stating the system MTTFd (or PFH) explicitly, ISO 13849 uses 5 ranges, the so called performance levels a ... e.
See the performance level table for more details.
PFH
Probability of failure per hour.
For small values, PFH equals the failure rate (in units of failures per hour).
SFF
Safe Failure Fraction
All failure rates except the dangerous undetectable failure rate, divided by the sum of all failure rates.
Safe Failure
Any failure that does NOT have the potential to either
- disable the safety function, or
- put the system into a potentially dangerous state.
In the safety context, safe failures need not be addressed.
Safety Function
Those parts of a system needed only for safety. This definition implies that the system actually has components serving safety only. However, many safety related systems have inherently built in safety functions, and therefore it is impossible to tell safety related components from other components.