P2: The Safe Failure Fraction and the Architectural Constraints

Last edit: 05/02/2024

Recall that there are four types of failures:

  • Safe failures;
  • Dangerous failures;
  • No Effect failures; and
  • No Part failures

A Safe failure is the failure of an element, inside a component that plays a part in implementing a safety function, that results in a spurious operation of the safety function. That is, it places the machine into a safe state (for example, it generates an emergency stop of the machine). An example of a safe failure for a power contactor is when, although the contactor coil is energised, the coil itself fails and the power contacts open.

A Dangerous failure is the failure of an element, inside a component that plays a part in implementing a safety function, that prevents the safety function from operating when required, such that the machine is put into a hazardous or potentially hazardous state. An example of a dangerous failure for a power contactor is when, although the contactor coil has been de-energised, the power contacts do not open and therefore the dangerous movement continues.

A No Effect failure is the failure of an element, inside a component that plays a part in implementing a safety function, that has no direct effect on the safety function itself. An example of a No Effect failure for a power contactor is when it will not close once the safety function is reset. For example, the gate of a robot cell is closed and the safety system is reset, but the robot does not start. This failure is of no relevance to the safety function: it affects only the availability of the robot, not its safety.

The Safe Failure Fraction (SFF)

The Safe Failure Fraction (SFF) was introduced in the first edition of IEC 61508 as a measure used to determine the minimum level of redundancy, or better, of Hardware Fault Tolerance (HFT), of a safety subsystem.

The SFF is a property of a safety component, such as a pressure transmitter, given by the ratio of the average failure rates of safe plus dangerous detected failures to safe plus dangerous failures. This ratio is represented by the following equation:

SFF = (λs + λdd) / (λs + λd)

The SFF is the proportion of “safe” failures among all failures: note that neither the No Effect nor the No Part failures are counted. A “safe” failure is either a failure that is safe by design, or a dangerous failure that is immediately detected and corrected. IEC standards define a safe failure as a failure that does not have the potential to put the SIS in a hazardous or fail-to-function state. A dangerous detected failure is a failure that can prevent the SIS from performing a specific SIF, but when it is detected soon after its occurrence, for example by online diagnostics, it is considered “safe”, since the diagnostics can bring the system to a safe state. In some cases, the SIS can automatically respond to a dangerous detected failure as if it were a true demand, for example by causing the shutdown of the process [68].

Many electronic safety devices have built-in diagnostics, so that most dangerous failures become Dangerous Detected failures; such devices therefore have a high SFF, often greater than 90%. Mechanical safety devices, for which internal diagnostics are not feasible, will in general have a low SFF.

Example of SFF for a Pressure Transmitter used in Safety Applications

Below is an example of the failure rates of a pressure transmitter that can be used in a safety instrumented system.

The SFF is the following:

SFF = (λs + λdd) / (λs + λd) = (184 + 280) / (184 + 280 + 36) = 464 / 500 = 92.8%

The pressure transmitter certificate (ABB 2600T, model 261) states that it is a Type B component and that it has a Systematic Capability SC 2.

In order to understand the full meaning of what is stated just above, we first need to introduce the difference between Random and Systematic failures; then you need to be clear about the difference between a Type A and a Type B component and about what is meant by Route 1H.
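The following is an added worked example, not part of the original article or of any manufacturer's data: it computes the SFF from a failure-rate breakdown using the formula above, with the page's values for the pressure transmitter (λs = 184, λdd = 280, λdu = 36, in the page's units). The No Effect and No Part entries in the breakdown are constructed values, included only to show that they are excluded from the ratio. The last function goes slightly beyond the page's single case and shows the point made about diagnostics: for a fixed dangerous failure rate, raising the diagnostic coverage moves failures from λdu into λdd and raises the SFF.

```python
from fractions import Fraction

# Constructed failure-rate breakdown for a pressure transmitter.
# "safe", "dangerous_detected" and "dangerous_undetected" are the values
# quoted on the page; "no_effect" and "no_part" are made-up numbers added
# to demonstrate that they play no role in the SFF.
TRANSMITTER = {
    "safe": 184,                  # λs  (as on the page)
    "dangerous_detected": 280,    # λdd (as on the page)
    "dangerous_undetected": 36,   # λdu (as on the page)
    "no_effect": 120,             # constructed, excluded from SFF
    "no_part": 55,                # constructed, excluded from SFF
}


def sff(lambda_s, lambda_dd, lambda_du):
    """SFF = (λs + λdd) / (λs + λd), where λd = λdd + λdu.

    Returns an exact Fraction so that 464/500 is reported as such rather
    than as a rounded float.
    """
    lambda_d = lambda_dd + lambda_du
    total = lambda_s + lambda_d
    if total == 0:
        # No safe or dangerous failures at all: the ratio is undefined.
        raise ValueError("SFF undefined: no safe or dangerous failure rate")
    return Fraction(lambda_s + lambda_dd) / Fraction(total)


def sff_from_breakdown(rates):
    """Compute the SFF from a failure-mode breakdown.

    Only the safe, dangerous detected and dangerous undetected rates enter
    the ratio; No Effect and No Part rates are deliberately ignored.
    """
    return sff(rates["safe"],
               rates["dangerous_detected"],
               rates["dangerous_undetected"])


def sff_with_diagnostic_coverage(lambda_s, lambda_d, coverage):
    """SFF for a device whose dangerous failure rate λd is split by diagnostics.

    coverage is the fraction (0..1, given as a Fraction) of dangerous
    failures that the built-in diagnostics detect: λdd = coverage * λd and
    λdu = λd - λdd.  A mechanical device without diagnostics has coverage 0.
    """
    coverage = Fraction(coverage)
    if not 0 <= coverage <= 1:
        raise ValueError("diagnostic coverage must lie between 0 and 1")
    lambda_dd = coverage * lambda_d
    lambda_du = lambda_d - lambda_dd
    return sff(lambda_s, lambda_dd, lambda_du)


def as_percent(ratio, digits=1):
    """Format a Fraction as a percentage string, e.g. 92.8%."""
    return f"{float(ratio) * 100:.{digits}f}%"


if __name__ == "__main__":
    value = sff_from_breakdown(TRANSMITTER)
    print("SFF of the transmitter:", value, "=", as_percent(value))
    # Same dangerous failure rate (316) with no diagnostics at all, then
    # with the coverage implied by the page's figures (280 of 316).
    print("no diagnostics:", as_percent(sff_with_diagnostic_coverage(184, 316, 0)))
    print("page's coverage:", as_percent(
        sff_with_diagnostic_coverage(184, 316, Fraction(280, 316))))
```

Running the script prints the page's result, 464/500 = 92.8%, and shows that the same transmitter with no diagnostic coverage would have an SFF of only 36.8%, which is the reason mechanical devices without internal diagnostics generally end up with a low SFF.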