In my last blog, I posed the question “What are 3 key requirements for a safety integrity level?”
A functional safety standard such as IEC 61508 runs to over 700 pages across 7 parts. However, its requirements can be summarized under 3 key headings.
Requirement 1: Most people would accept that, while good reliability doesn’t guarantee safety, it is at least a good first step. Reliability is measured in FIT (failures per billion hours of operation). Reliability predictions can be based on field experience or on calculations using methods such as IEC 62380, SN29500 or the FIDES guide. The allowed dangerous failure rate depends on the SIL: 10000 FIT for SIL 1, 1000 FIT for SIL 2, 100 FIT for SIL 3 and 10 FIT for SIL 4.
ADI publishes the die FIT for all released products at www.analog.com/ReliabilityData. The data is presented using a tool which allows the average operating temperature to be entered and gives the reliability predictions at the 60% and 90% confidence levels. The numbers in that tool are based on accelerated life testing.
Most equipment suppliers are interested in reliability, but functional safety insists on it, with specific limits on the allowed probability of dangerous failure that depend on the required safety level. It also offers means to enhance reliability, using techniques such as derating and architectures such as MooN (M out of N), which are topics for future blogs.
Requirement 2: If you accept that, no matter how good the reliability, the system will still fail, then ways to cope with this failure include diagnostics and redundancy. Diagnostics detect that a failure has occurred and take the system to a safe state. Redundancy implies that there is more than one system capable of performing the safety action, so that even if one failure occurs there is another, redundant piece of equipment which will maintain safety. In IEC 61508 the diagnostic coverage figure of merit is the SFF (safe failure fraction). SFF gives credit for safe failures and for detected dangerous failures. For SIL 1 a minimum SFF of 60% is required, for SIL 2 90% and for SIL 3 99%. It is allowed to trade off redundancy (hardware fault tolerance, HFT) against SFF, so that a SIL 2 safety function can be implemented with two channels each having 60% SFF. At the IC level, parts such as the AD7124 feature lots of diagnostics which can be used to detect both internal and system level failures. On-chip diagnostics include reference inputs such as 0 V, ±full-scale and ±20 mV, and state machines to detect internal bit flips. System level diagnostics include transducer burnout current sources.
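To make Requirements 1 and 2 concrete, here is an added example (not from the original post or from ADI) that computes the SFF of a channel from its failure-rate split, checks its dangerous failure rate against the FIT limits quoted above, and looks up the SIL allowed by the SFF/HFT trade-off. It assumes a Type B subsystem under IEC 61508-2 route 1H and, going beyond the post, uses the standard's full HFT 0 to 2 table rather than only the HFT 0 row and the one HFT 1 cell the post mentions; all failure rates are constructed sample values.

```python
from dataclasses import dataclass

# Failure rates are in FIT (failures per 1e9 hours), as in the post.
# Maximum allowed dangerous failure rate per SIL quoted in the post.
MAX_DANGEROUS_FIT = {1: 10_000, 2: 1_000, 3: 100, 4: 10}

# Architectural constraint (IEC 61508-2 route 1H, Type B subsystem):
# claimable SIL indexed by hardware fault tolerance (HFT) and SFF band.
# The post quotes the HFT=0 row and one HFT=1 cell; the remaining
# cells are the standard's own table.
SFF_THRESHOLDS = (0.60, 0.90, 0.99)      # band = thresholds reached (0..3)
ROUTE_1H_TYPE_B = {                      # SFF: <60%  60-90%  90-99%  >=99%
    0: (0, 1, 2, 3),                     # 0 = no SIL claimable
    1: (1, 2, 3, 4),
    2: (2, 3, 4, 4),
}

@dataclass(frozen=True)
class ChannelRates:
    """One channel's failure rates (FIT), split the way IEC 61508 does."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF credits safe failures and dangerous failures caught by diagnostics."""
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / r.total()

def sil_from_architecture(sff: float, hft: int) -> int:
    band = sum(sff >= t for t in SFF_THRESHOLDS)
    return ROUTE_1H_TYPE_B[hft][band]

def sil_from_dangerous_rate(dangerous_fit: float) -> int:
    """Highest SIL whose dangerous-failure budget the rate stays under."""
    return max((sil for sil, limit in MAX_DANGEROUS_FIT.items()
                if dangerous_fit < limit), default=0)

def achievable_sil(r: ChannelRates, hft: int) -> int:
    """Claimable SIL: the lower of the architectural and failure-rate bounds.
    Assumes diagnostics drive detected dangerous failures to a safe state, so
    the channel's dangerous undetected rate stands in for the dangerous
    failure rate (pessimistic for HFT > 0, where the true rate is lower)."""
    sff = safe_failure_fraction(r)
    return min(sil_from_architecture(sff, hft),
               sil_from_dangerous_rate(r.dangerous_undetected))
```

Feeding in a channel with 94% SFF and 60 FIT dangerous undetected gives SIL 2 as a single channel and SIL 3 with HFT 1, while two 60% SFF channels reproduce the SIL 2 trade-off the post describes.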
Requirement 3: IEC 61508 refers to the measures taken to prevent the introduction of design errors as the systematic safety integrity of the item. These measures are necessary because, no matter how good your reliability and despite your built-in hardware fault tolerance, you must recognize that a system can fail to carry out its safety related task without any random hardware failure at all. The causes of such failures might include missed or forgotten requirements, or improper verification or validation. Software coding errors are considered systematic errors because they are not caused by failures per se; typically the system is operating as designed. Harder to accept is that EMI (electromagnetic immunity) failures are also considered systematic failures because, once again, the system hasn’t failed as such but rather was not built with enough robustness. Measures advocated by IEC 61508 to prevent the introduction of systematic errors include things like coding standards, design review, verification plans, safety plans, checklists, requirements management and many more.
Video of the day – https://www.youtube.com/watch?v=QxG41aFl5Ns (the excuse for including this video is that it vaguely relates to determining customer requirements).
For next time: name some functional safety standards.