P3: Considerations on the Safe Failure Fraction in High and Low Demand

Last edit: 20/08/2025

In a previous article we presented an important parameter, used in both High and Low Demand Mode safety systems: the Safe Failure Fraction (SFF).

In this article we discuss some critical aspects linked to the use of the SFF. We also give the requirements that a failure has to meet in order to be classified as Dangerous Detected.


Introduction

Recall from the previous article that the Safe Failure Fraction is given by the following equation, where λD = λDD + λDU:

SFF = (λS + λDD) / (λS + λD)


It is used together with the Hardware Fault Tolerance (HFT) of the safety subsystem to determine its maximum reachable SIL level.

In Low Demand Mode of operation the SFF is used when Route 1H is selected and, depending on the type of component (Type A or Type B), one of the following two tables has to be used.

In High Demand Mode of operation, IEC 62061 has the following reference table, valid for any type of component. Recall that the classification into Type A and Type B is not applicable in High Demand Mode.

Route 2H

Route 1H uses both the failure rates and the SFF parameter. In the first edition of IEC 61508 (2000), that was the only possible approach. During the discussion of the second edition of the series of standards (released in 2010), a majority of the members of the Technical Committee had more faith in reliability data and considered the SFF not useful, or too conservative. That is the reason why Route 2H was defined.


Using Route 2H, the reliability data look like the following (example: Rosemount pressure transmitter):

  • λD = 5·10⁻⁷ [h⁻¹]
  • λDU = 1.49·10⁻⁷ [h⁻¹]
  • λSU = 7.70·10⁻⁸ [h⁻¹]
  • Component Type B

There is no need to calculate the SFF; the architectural constraints are indicated in the following table:

The paragraphs indicated in the table are from IEC 61508-2: 2010.


That means that if the pressure transmitter is used in a subsystem architecture with HFT = 1, the maximum reachable SIL is 3.

Limits of the SFF parameter

There is another issue linked to the use of the SFF parameter. Considering the definition of the SFF, the safety of a component, as measured by the SFF, can be enhanced by making the dangerous failure rate lower and the safe failure rate higher, assuming the total failure rate of the component does not change.

Therefore, the following situation can occur: a component manufacturer has designed and developed a product with an estimated dangerous failure rate of 2·10⁻⁸; however, the SFF is estimated at 50%. The company modifies the design in order to increase the safe failures and/or the dangerous detected failures. The modified component, however, will not provide more safety, and it will cause economic losses for the user, since the user's process will be subject to more spurious trips.

Therefore, does a high SFF indicate a safer design? Reliability experts, system integrators and end users have questioned the suitability of the SFF as an indicator of a safe design. The reason is that safe failures are not always positive for safety, since spurious trips may create other hazardous situations during the shut-down clearance and the process restart. Moreover, the SFF may credit unneeded hardware, since it gives credit to a high rate of “safe” failures, and for manufacturers it is a business advantage to claim a high SFF. With a high SFF, components may be used in configurations with low HFT, which means more business for the component manufacturer.

As an example, let’s consider the following two components, each used in an HFT = 0 subsystem in high demand mode (IEC 62061).

Component 1:

  • λDU = 50 FIT
  • λDD = 0 FIT
  • λS = 0 FIT
  • SFF = 0
  • PFHD = 50 FIT
  • Max SIL reachable: SIL 1

Component 2:

  • λDU = 50 FIT
  • λDD = 3950 FIT
  • λS = 1000 FIT
  • SFF = 99%
  • PFHD = 50 FIT
  • Max SIL reachable: SIL 3

In other terms, both components have the same PFHD; the first is “intrinsically safe” and has no safe failures. The second has a much higher total failure rate, but a very high capability of detecting its dangerous failures; moreover, it has a certain amount of safe failures.

The second component, despite having the same average probability of dangerous failure per hour as the first one, can be used up to SIL 3, only because it has a lot of “safe failures” (DD and S).

Again, that is the reason why, in the second edition of IEC 61508, the concept of No Effect Failures was introduced: to avoid the overestimation of safe failures.
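The following script is an added example, not code from the original article. It reproduces the SFF and PFHD figures of the two components above (single-channel, HFT = 0, so only the undetected dangerous failures contribute to PFHD, which is why both components show PFHD = 50 FIT) and then shows what happens when no-effect failures are counted as safe failures, as was possible under the first edition of IEC 61508. The no-effect failure rates used for that comparison are constructed values, not data for any real component; the function names are assumptions of this example.

```python
# Added example: SFF and PFH_D for two HFT = 0 components, and the effect of
# (mis)counting no-effect failures as safe failures. All rates are in FIT
# (1 FIT = 1e-9 failures per hour). Component data as quoted in the article;
# the no-effect failure example is constructed.

FIT = 1e-9  # failures per hour


def sff(lam_s, lam_dd, lam_du):
    """Safe failure fraction (λS + λDD) / (λS + λD), with λD = λDD + λDU.
    Returns a fraction in [0, 1]; 0.0 for a component with no failures at all."""
    total = lam_s + lam_dd + lam_du
    return (lam_s + lam_dd) / total if total > 0 else 0.0


def pfhd_single_channel(lam_dd, lam_du):
    """PFH_D in 1/h of a single channel with diagnostics (HFT = 0): the detected
    dangerous failures are assumed to be handled by the diagnostics, so only
    λDU contributes. This is the reading that gives PFHD = 50 FIT above."""
    return lam_du * FIT


def sff_counting_ne_as_safe(lam_s, lam_ne, lam_dd, lam_du):
    """SFF as it could be computed when no-effect failures (λNE) were not
    separated from safe failures (IEC 61508 first edition). The 2010 edition
    excludes λNE from both numerator and denominator: use sff() for that."""
    return sff(lam_s + lam_ne, lam_dd, lam_du)


# Component data from the article (FIT).
COMPONENTS = {
    "component 1": {"lam_s": 0, "lam_dd": 0, "lam_du": 50},
    "component 2": {"lam_s": 1000, "lam_dd": 3950, "lam_du": 50},
}


def summarize(name):
    """SFF and PFH_D for one of the two article components."""
    c = COMPONENTS[name]
    return {
        "sff": sff(c["lam_s"], c["lam_dd"], c["lam_du"]),
        "pfhd_per_hour": pfhd_single_channel(c["lam_dd"], c["lam_du"]),
    }


def no_effect_inflation(lam_s, lam_ne, lam_dd, lam_du):
    """Compare the SFF with and without λNE counted as safe. A component with no
    genuine safe failures can move from SFF = 0 to a high SFF just by adding
    failures that do not affect the safety function."""
    return {
        "sff_2010_edition": sff(lam_s, lam_dd, lam_du),
        "sff_ne_counted_as_safe": sff_counting_ne_as_safe(lam_s, lam_ne, lam_dd, lam_du),
    }


if __name__ == "__main__":
    for name in COMPONENTS:
        print(name, summarize(name))
    # Constructed contactor-like component: no safe failures, 500 FIT dangerous
    # undetected, 2000 FIT of failures that only affect availability (λNE).
    print("no-effect failures counted as safe:", no_effect_inflation(0, 2000, 0, 500))
```

Both article components come out with the same PFHD (5·10⁻⁸ h⁻¹) while their SFF differs from 0 to 99%; the constructed case shows SFF rising from 0 to 80% purely through no-effect failures, which is the overestimation the No Effect Failure category was introduced to prevent.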

Failure Rate for Electromechanical Components.

This is an important aspect highlighted in the 2021 edition of IEC 62061.

Let’s consider, as an output safety subsystem, a contactor that prevents a saw from turning. The safety sub-function is the following: when the contactor coil is de-energised, the power contacts open.

Possible contactor failures are the following:

  • The power contacts open while the saw is normally working, although nobody, for example, has entered the safeguarded area: safe failure.

    We suppose the opening is not due to the lack of the electrical signal; the signal is present, the coil is energised (1 ⇒ 1) and, despite that, the power contacts suddenly open. This is considered very unlikely and therefore the failure rate related to this failure is taken as λS ≈ 0.

  • The power contacts do not open when, for example, a person enters the safeguarded area; in other terms, the coil is de-energised (1 ⇒ 0) but the contacts get stuck and do not open: that is a dangerous failure λD.
  • The power contacts close “by themselves” although the coil is de-energised (0 ⇒ 0): that is a dangerous failure λD.
  • The power contacts do not close once the safety function is reset and the saw start button is activated, although the contactor coil is energised (0 ⇒ 1). This failure is not relevant for our safety function and has an influence only on the saw’s availability. That means it is a no effect failure λNE and not a safe failure.

That means, also in this case, λS ≈ 0 and therefore

SIL 2 Power Contactors.

Some manufacturers have power contactors in their range that contain a bit of electronics. That allows the component to be defined as Type B. Moreover, an SFF > 90 % is attributed to the contactor, both in High and in Low Demand Mode of operation.

That means they can be used without redundancy (HFT = 0) and the output subsystem can reach SIL 2.

We recommend that, in case of HFT = 0, the maximum SIL be limited to 1.

A further reason is that the same component is declared PL c according to ISO 13849-1. That difference was made possible by the first edition of IEC 62061; with the second edition that “approach” is no longer recommended.

The value of Diagnostics

There is another important aspect to be taken into consideration: a failure of a component can be classified as dangerous detected only if, when such a failure occurs, it is possible to bring the subsystem to a safe state.

For example, if we consider an output subsystem made of a single monitored power contactor (figure on the left), the DC has to be assumed ≈ 0. The reason is that, if we detect that the power contacts did not open, we cannot bring the safety system into a safe state. Instead, in the case of a dual-channel safety subsystem (figure on the right), the DC can be assumed ≈ 99%. The reason is that, if we detect that the power contacts of, for example, K1 did not open, we can de-energise K2 and therefore bring the safety system into a safe state.

That concept now applies in High Demand Mode of operation, according to the following text in IEC 61508-2: 2010:

[IEC 61508-2: CD 2023] 7.4.4 Hardware safety integrity architectural constraints

[…] 7.4.4.1.4  When estimating the safe failure fraction of an element, intended to be used in a subsystem having a hardware fault tolerance of 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation, credit shall only be taken for the diagnostics if: 

  • the sum of half the diagnostic test interval and the time to perform the specified action to achieve or maintain a safe state is less than the process safety time; or, 
  • when operating in high demand mode of operation, the ratio of the diagnostic test rate to the demand rate equals or exceeds 100.

That will probably be extended to components used in Low Demand Mode of operation in the new edition of IEC 61508-2, expected within a few years.
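As an added example (not code from the article or from the standard), the script below encodes the two criteria quoted above from 7.4.4.1.4 as a check, and then shows what happens to DC and SFF when diagnostics may not be credited: the failures previously counted as dangerous detected are treated as dangerous undetected, which is the “DC ≈ 0” situation of the single monitored contactor. All timing values and failure rates in the scenarios are constructed; the function names are assumptions of this example.

```python
# Added example: may diagnostics be credited for an HFT = 0 element in high
# demand / continuous mode (IEC 61508-2 7.4.4.1.4 as quoted in the article)?
# Times are in hours, rates in 1/h; failure rates in FIT. Scenario values are
# constructed, not data of any real component.


def diagnostic_credit_allowed(diag_test_interval_h, reaction_time_h,
                              process_safety_time_h, high_demand=True,
                              diag_test_rate_per_h=None, demand_rate_per_h=None):
    """Return (allowed, reason).
    Criterion 1: half the diagnostic test interval plus the time to perform the
                 action that achieves/maintains a safe state is less than the
                 process safety time.
    Criterion 2: in high demand mode only, diagnostic test rate / demand rate
                 equals or exceeds 100."""
    if diag_test_interval_h / 2 + reaction_time_h < process_safety_time_h:
        return True, "half DTI + reaction time < process safety time"
    if high_demand and diag_test_rate_per_h is not None and demand_rate_per_h:
        if diag_test_rate_per_h / demand_rate_per_h >= 100:
            return True, "diagnostic test rate / demand rate >= 100"
    return False, "no criterion met: detected dangerous failures count as undetected"


def effective_rates(lam_s, lam_dd, lam_du, credit):
    """Without credit, λDD is reclassified as λDU (nothing can be claimed for
    detection); with credit the declared split is kept."""
    if credit:
        return lam_s, lam_dd, lam_du
    return lam_s, 0.0, lam_dd + lam_du


def sff(lam_s, lam_dd, lam_du):
    """Safe failure fraction (λS + λDD) / (λS + λD)."""
    total = lam_s + lam_dd + lam_du
    return (lam_s + lam_dd) / total if total > 0 else 0.0


def dc(lam_dd, lam_du):
    """Diagnostic coverage λDD / λD."""
    lam_d = lam_dd + lam_du
    return lam_dd / lam_d if lam_d > 0 else 0.0


def evaluate(component, timing):
    """Apply the credit check to a component's declared rates and report the
    SFF/DC that may actually be claimed."""
    allowed, reason = diagnostic_credit_allowed(**timing)
    s, dd, du = effective_rates(component["lam_s"], component["lam_dd"],
                                component["lam_du"], allowed)
    return {"credit": allowed, "reason": reason,
            "sff": sff(s, dd, du), "dc": dc(dd, du), "lam_du": du}


# Constructed contactor-like component: no safe failures, diagnostics declared
# to catch 3950 of 4000 FIT of dangerous failures.
CONTACTOR = {"lam_s": 0, "lam_dd": 3950, "lam_du": 50}

# Scenario A: contacts checked once per hour, half an hour to react,
# 36 s process safety time, demands about once per hour -> no credit.
SLOW_TEST = {"diag_test_interval_h": 1.0, "reaction_time_h": 0.5,
             "process_safety_time_h": 0.01, "high_demand": True,
             "diag_test_rate_per_h": 1.0, "demand_rate_per_h": 1.0}

# Scenario B: same reaction time, but the test runs every second while demands
# come 10 times per hour -> credit via the rate ratio (3600 / 10 = 360).
FAST_TEST = dict(SLOW_TEST, diag_test_rate_per_h=3600.0, demand_rate_per_h=10.0)

if __name__ == "__main__":
    print("slow test:", evaluate(CONTACTOR, SLOW_TEST))
    print("fast test:", evaluate(CONTACTOR, FAST_TEST))
```

In scenario A the declared DC of 98.75% collapses to 0 and the SFF to 0, with all 4000 FIT treated as undetected; in scenario B the rate-ratio criterion is met and the declared split stands. The check says nothing about whether the subsystem can actually reach a safe state once a failure is detected (the single contactor versus dual-channel point above); that question has to be answered by the architecture before the timing criteria are even applied.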

Conclusions

In this article we described some of the limits and critical aspects of the SFF parameter.

When the first edition of IEC 61508 was being defined, the Diagnostic Coverage was used, a concept that came from an older German standard. However, it was pointed out that some devices may have no DC but are designed so that the majority of their failures lead to the safe condition (a sprung valve). Therefore, still during the development of the first edition, it was agreed that this was equivalent to DC and, after several discussions, the reference was changed to the SFF.

That generated “abuses”, which were reduced in the second edition of the standard with the definition of the No Effect Failures. Under the first edition those were considered safe failures, which induced some laboratories to attribute too high an SFF to certain components.

Also in the second edition of IEC 61508, it was made clear that it is not enough that a component can detect its dangerous failures for them to be defined as dangerous detected failures. It is also necessary that, in case of a detected dangerous failure, the safety system can be brought to a safe state.

Finally, in 2021, with the new edition of IEC 62061, it was highlighted that electromechanical components normally do not have safe failures and therefore, usually, SFF = DC.
