The four Architectures

Last edit: 26/06/2023

A Safety Control System (SCS), analysed with the simplified method recommended by IEC 62061, has to be composed of subsystems, each of which must be associated with one of the four Basic Subsystem Architectures described hereafter.

The standard has therefore developed a simplified approach to the estimation of the probability of dangerous random hardware failures (PFHD) for a number of basic subsystem architectures and gives formulae that can be used for subsystems assembled from either low complexity subsystem elements or complex subsystem elements. The formulae are in themselves a simplification of reliability analysis theory and are intended to provide estimates that are biased towards the safe direction.

The precondition for the validity of all formulae given in this subclause is that λ · T1 << 1, where T1 is the smaller of the Proof Test interval and the Useful Lifetime.

Architecture A: 1oo1

In this Architecture (single channel without diagnostics), any dangerous failure of a subsystem element causes a failure of the safety function. This Architecture corresponds to a hardware fault tolerance of 0.

For Architecture A, the probability of dangerous failure of the subsystem is the sum of the probabilities of dangerous failure of all subsystem elements:

With HFT = 0, up to SIL 3 can be reached. That may be valid for electronic components. However, for electromechanical components, where DC = SFF = 0 %, a maximum of SIL 1 can be achieved.

Architecture B: 1oo2

This Architecture (dual channel without diagnostics) is such that a single failure of any subsystem element does not cause a loss of the safety function. This Architecture corresponds to a hardware fault tolerance of 1. This Architecture has no equivalent in ISO 13849-1.

The PFH is:

Where:

T1 is the Proof Test interval of the perfect Proof Test or useful lifetime, whichever is the smaller;

β is the susceptibility to common cause failures.

With HFT = 1, up to SIL 3 can be reached. That may be valid for electronic components. However, for electromechanical components, where DC = SFF = 0 %, a maximum of SIL 1 can be achieved, even if the formula gives a lower PFHD, and only provided well-tried components are used.

Architecture C: 1oo1D

In this Architecture (single channel with diagnostics), any undetected dangerous fault of the subsystem element leads to a dangerous failure of the Safety Related Control Function. Where a fault of a subsystem element is detected, the diagnostic function(s) initiates a fault reaction. This Architecture corresponds to a hardware fault tolerance of 0. This Architecture corresponds to Category 2 of ISO 13849-1.

This is a “delicate” Architecture, similar to Category 2. The issue is the failure of the Diagnostic Function, called the Fault Handling Function, while the Functional Channel is still working. The fault handling function comprises both the fault detection function (called Test Equipment, TE, in ISO 13849-1) and the fault reaction function (called Output of the Test Equipment, OTE, in ISO 13849-1).

In this case the PFHD is:

For Architecture C, the calculation of PFHD assumes time-optimal fault handling. Time-optimal fault handling of a subsystem element can be assumed if one of the following conditions is satisfied:

  • The diagnostic rate is at least a factor of 100 higher than the demand rate of the safety function and the time needed for the fault reaction is sufficiently short to bring the system to a safe state before a hazardous event occurs; or 
  • The fault handling is performed immediately upon any potential demand of the safety function and the time needed to detect a detectable fault and to bring the system to a safe state is shorter than the process safety time; or 
  • The fault handling is performed continuously, and the time needed to detect a detectable fault and to bring the system to a safe state is shorter than the process safety time; or
  • The fault handling is performed periodically and the sum of the test interval, the time needed to detect a detectable fault and time needed to bring the system to a safe state is shorter than the process safety time. 

Architecture D: 1oo2D

This Architecture, dual channel with a diagnostic, is such that a single failure of any subsystem element does not cause a loss of the Safety Related Control Function. Where a fault of a subsystem element is detected, the diagnostic function(s) initiates a fault reaction function. This Architecture corresponds to a hardware fault tolerance of 1.

This Architecture corresponds to Category 3 or 4 of ISO 13849-1. The PFHD of the subsystem is:

where:

– T1 is the Proof Test interval of the perfect Proof Test or useful lifetime whichever is the smaller;

– T2 is the diagnostic test interval;

– β is the susceptibility to common cause failures;

– λDe1 is the dangerous failure rate of subsystem element e1;

– λDe2 is the dangerous failure rate of subsystem element e2;

– DC1 is the diagnostic coverage for subsystem element e1;

– DC2 is the diagnostic coverage for subsystem element e2.

In case the two subsystem elements are identical:

Architecture D subsystems have HFT = 1, which means a maximum achievable SIL of SIL 3.
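As an added worked example (not part of the original page), the following script estimates the PFH of Architectures A, B and D with the symbols defined above (λDe, DC, β, T1, T2), checks the λ · T1 << 1 precondition and maps the result to a SIL band together with the electromechanical SIL 1 cap stated above. The formulas coded here are the ones the editor recalls from the simplified approach of IEC 62061 and are an assumption, since the page's own formula images are not reproduced; the sample values are constructed.

```python
# Added example, not from the page: PFH estimates for IEC 62061 basic
# subsystem architectures A, B and D. The formulas are recalled from the
# standard's simplified approach and are an assumption here (the page's
# formula images are missing). Rates in 1/h, intervals in hours.

def check_precondition(rates, t1, limit=0.1):
    """Validity condition of all formulas: lambda * T1 << 1.
    Reading '<< 1' as '< 0.1' is an assumption made in this example."""
    return all(lam * t1 < limit for lam in rates)

def pfh_arch_a(rates):
    """Architecture A, 1oo1 (HFT = 0): sum of the elements' dangerous rates."""
    return sum(rates)

def pfh_arch_b(lde1, lde2, t1, beta):
    """Architecture B, 1oo2 without diagnostics (HFT = 1); beta = CCF share."""
    return (1 - beta) ** 2 * lde1 * lde2 * t1 + beta * (lde1 + lde2) / 2

def pfh_arch_d(lde1, lde2, dc1, dc2, t1, t2, beta):
    """Architecture D, 1oo2D (HFT = 1): detected dangerous faults stay exposed
    T2/2 on average, undetected ones T1/2. With lde1 == lde2 and dc1 == dc2
    this reduces to the identical-element case."""
    detected = lde1 * lde2 * (dc1 + dc2) * t2 / 2
    undetected = lde1 * lde2 * (2 - dc1 - dc2) * t1 / 2
    return (1 - beta) ** 2 * (detected + undetected) + beta * (lde1 + lde2) / 2

def sil_from_pfh(pfh):
    """SIL band from the PFH value alone (high-demand bands); 0 = below SIL 1.
    IEC 62061 stops at SIL 3, so anything under 1e-7/h is reported as 3."""
    if pfh < 1e-7:
        return 3
    if pfh < 1e-6:
        return 2
    return 1 if pfh < 1e-5 else 0

def achievable_sil(pfh, electromechanical):
    """Page's architectural limit: HFT 0 or 1 allows up to SIL 3, but
    electromechanical elements with DC = SFF = 0 % are capped at SIL 1."""
    return min(sil_from_pfh(pfh), 1 if electromechanical else 3)

if __name__ == "__main__":
    # Constructed data: two elements at 1e-7/h, 20-year useful life (T1),
    # hourly diagnostics (T2), DC = 90 %, beta = 2 %.
    lde, t1, t2, beta, dc = 1e-7, 20 * 8760, 1.0, 0.02, 0.9
    print("precondition ok:", check_precondition([lde, lde], t1))
    for name, pfh in (("A", pfh_arch_a([lde, lde])),
                      ("B", pfh_arch_b(lde, lde, t1, beta)),
                      ("D", pfh_arch_d(lde, lde, dc, dc, t1, t2, beta))):
        print(f"Arch {name}: PFH={pfh:.3e}/h, SIL band {sil_from_pfh(pfh)}")
```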