I might sell you a speed sensor, a pressure measurement system or a liquid level sensor with an accuracy of 0.1%. That is the normal accuracy of the item. Will anybody die in a horrible accident if the accuracy degrades to +/-0.11%? I should hope not. For safety there is normally a margin, and the rated safety accuracy might be +/-1%, +/-2% or even +/-10%.
Figure 1 Safety accuracy vs normal accuracy
When analysing failures according to IEC 61508, a failure with an impact smaller than the safety accuracy limits is a no effect failure. Such failures don’t cause the system to trip, so they are not safe failures, but they don’t violate the safety accuracy limits, so they are not dangerous either. Being no effect, they have no impact on the safe failure fraction (SFF) calculation. An FMEDA should therefore always state the assumed safety accuracy.
Note – there is no equivalent of no effect failures in ISO 26262.
I don’t see the term safety accuracy, or anything similar, anywhere in IEC 61508, ISO 26262 or IEC 61511, but I think the concept is relevant and, as I show later, it appears in some safety-related literature under various names.
So why have a safety accuracy which is different from the normal accuracy? You could say it is being conservative. You could say it’s because a small deviation in a sensor’s performance should not lead to my life being put at risk.
A more fundamental engineering reason is that functional safety needs diagnostics. It may be possible to implement the core functionality of an item to +/-0.1%, but can you identify diagnostics to detect a deviation of +/-0.1%? Suppose your diagnostics are only good enough to verify an accuracy of +/-0.5%; then your safety accuracy is at best +/-0.5%, regardless of the accuracy of the underlying system. That is the accuracy that your diagnostics can guarantee.
Another practical reason is what we might call the total error of a sensor. Often a sensor datasheet specifies an offset error, a gain error, a reference drift error over time and temperature, and so on. The real-world accuracy is some combination of all of these. For a normal accuracy specification you might combine these error sources as a root-sum-square (often loosely called an RMS sum), because they are uncorrelated and statistically unlikely to all sit at their worst-case values at the same time and add. However, for safety it is usual (even if I’m not sure it is mathematically justified but would need to think about it a bit more) to add the values in the worst way (using the min/max specifications) to give the safety accuracy.
Safety accuracy can also be relevant for EMI testing. Your normal accuracy could once again be +/-0.1%, but during EMI testing the sensor output deviates by +/-0.2%, which means it is a dangerous failure. With a safety accuracy of +/-0.5% that EMI failure becomes no effect. Of course, this reduced accuracy isn’t free. In general, a system with a safety accuracy of +/-0.1% will have benefits over one with a safety accuracy of +/-0.5%. The more accurate device might allow a robot to travel down a narrower factory aisle or a nuclear power station to operate with an extra 0.2% efficiency.
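To make the no effect classification and its effect on the SFF concrete, here is an added example in Python (it is not code from the blog or from ADI). It takes a handful of constructed FMEDA rows, sorts each one into safe, dangerous detected, dangerous undetected or no effect against a chosen safety accuracy band, and computes SFF = (safe + dangerous detected) / (safe + dangerous detected + dangerous undetected) with the no effect rate left out. Running it with two bands shows the EMI case above: the same +/-0.2% output shift is no effect at a +/-0.5% safety accuracy but becomes a dangerous undetected failure at +/-0.1%. The failure rates, deviations and detection flags are sample values I made up, and the `FailureMode` fields and the `classify`/`compute_sff` helpers are my own.

```python
"""Added example (not from the original blog or from ADI): classifying
FMEDA failure modes against a safety accuracy band and computing the
safe failure fraction (SFF) with no effect failures excluded.

Assumptions (mine): each failure mode carries a failure rate in FIT, the
output deviation it causes in % of full scale (None when the output does
not stay in range, e.g. stuck or driven to a trip state), whether a
diagnostic detects it, and whether it drives the system to a safe trip.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Category(Enum):
    SAFE = "safe"
    DANGEROUS_DETECTED = "dangerous detected"
    DANGEROUS_UNDETECTED = "dangerous undetected"
    NO_EFFECT = "no effect"


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float                 # failures per 1e9 hours
    deviation_pct: Optional[float]  # output error, % of full scale
    detected: bool                  # covered by a diagnostic?
    trips: bool = False             # forces the safe (trip) state?


def classify(fm: FailureMode, safety_accuracy_pct: float) -> Category:
    """IEC 61508 style bucket for one failure mode.

    A failure that stays inside +/-safety_accuracy_pct neither trips nor
    violates the safety limits, so it is 'no effect' and drops out of the
    SFF. Everything else is safe (it trips) or dangerous (it does not),
    and a dangerous failure is detected or undetected by the diagnostics.
    """
    if fm.trips:
        return Category.SAFE
    if fm.deviation_pct is not None and abs(fm.deviation_pct) <= safety_accuracy_pct:
        return Category.NO_EFFECT
    return Category.DANGEROUS_DETECTED if fm.detected else Category.DANGEROUS_UNDETECTED


def compute_sff(modes, safety_accuracy_pct: float) -> dict:
    """Sum the rates per category and return SFF = (S + DD) / (S + DD + DU)."""
    totals = {c: 0.0 for c in Category}
    for fm in modes:
        totals[classify(fm, safety_accuracy_pct)] += fm.rate_fit
    s = totals[Category.SAFE]
    dd = totals[Category.DANGEROUS_DETECTED]
    du = totals[Category.DANGEROUS_UNDETECTED]
    denominator = s + dd + du          # no effect rate deliberately excluded
    return {
        "safe": s,
        "dd": dd,
        "du": du,
        "no_effect": totals[Category.NO_EFFECT],
        "sff": (s + dd) / denominator if denominator else 0.0,
    }


# Constructed sample FMEDA rows (illustrative numbers, not any real part)
SAMPLE_MODES = (
    FailureMode("EMI-induced offset shift", 10, 0.2, detected=False),
    FailureMode("Gain drift", 20, 0.8, detected=True),
    FailureMode("Reference drift", 5, 2.0, detected=False),
    FailureMode("Output stuck low (trip state)", 40, None, detected=True, trips=True),
    FailureMode("ADC bit stuck, output still in range", 25, None, detected=True),
)

if __name__ == "__main__":
    for band in (0.5, 0.1):
        r = compute_sff(SAMPLE_MODES, band)
        print(f"safety accuracy +/-{band}%: SFF = {r['sff']:.3f}, "
              f"no effect rate = {r['no_effect']:.0f} FIT, DU = {r['du']:.0f} FIT")
```

With the +/-0.5% band the EMI shift contributes 10 FIT of no effect failures and the SFF comes out at about 0.944; tightening the band to +/-0.1% moves those 10 FIT into dangerous undetected and the SFF drops to 0.85, which is why the FMEDA has to state the safety accuracy it assumed.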
Safety accuracy will mostly affect the sensing functions. For something like an encoder measuring speed it will include at least two components.
Figure 2 Constituents of safety accuracy
The noise is normally an acceptable fraction of the normal accuracy, and since the safety accuracy will be so much larger than the normal accuracy, the noise term is not significant. If this isn’t true, I have explored the topic in a previous blog, which suggests a 5 sigma allowance could be appropriate for SIL 2.
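The two practical reasons above (the diagnostics bound and the worst-case total error) and the noise constituent can be tied together in a small error budget. The following Python is an added example, not code from the blog or from ADI: it takes the same set of error terms and derives a normal accuracy by root-sum-square and a safety accuracy by worst-case summation plus a k-sigma noise allowance (5 sigma by default, following the SIL 2 suggestion above), then floors the safety accuracy at the smallest deviation the diagnostics can verify. The term values, the noise figure and the diagnostic limits are constructed sample numbers, and the `ErrorBudget` class and its methods are my own; treating the diagnostic limit as a floor on the analytic result is my assumption about how to combine the two reasons.

```python
"""Added example (not from the original blog or from ADI): building a
normal accuracy and a safety accuracy from the same error sources.

Assumptions (mine): all terms are +/- limits in % of full scale; the
normal accuracy is the root-sum-square of the systematic terms; the
safety accuracy is the worst-case linear sum of those terms plus a
k-sigma noise allowance, and it can never be tighter than the smallest
deviation the diagnostics can verify.
"""
import math
from dataclasses import dataclass


@dataclass
class ErrorBudget:
    terms: dict                  # name -> +/- systematic error, % of full scale
    noise_sigma_pct: float       # 1-sigma output noise, % of full scale
    diagnostic_limit_pct: float  # smallest deviation the diagnostics can verify

    def normal_accuracy(self) -> float:
        """Datasheet-style figure: uncorrelated terms combined by RSS."""
        return math.sqrt(sum(v * v for v in self.terms.values()))

    def worst_case_sum(self) -> float:
        """Every term at its min/max limit, all adding in the same direction."""
        return sum(abs(v) for v in self.terms.values())

    def _analytic_safety_accuracy(self, k_sigma: float) -> float:
        # worst-case systematic error plus a k-sigma allowance for noise
        return self.worst_case_sum() + k_sigma * self.noise_sigma_pct

    def safety_accuracy(self, k_sigma: float = 5.0) -> float:
        """Worst-case sum plus k-sigma of noise, floored at what the
        diagnostics can actually guarantee."""
        return max(self._analytic_safety_accuracy(k_sigma), self.diagnostic_limit_pct)

    def dominant_limit(self, k_sigma: float = 5.0) -> str:
        """Report whether the diagnostics or the error budget sets the figure."""
        analytic = self._analytic_safety_accuracy(k_sigma)
        return "diagnostics" if self.diagnostic_limit_pct > analytic else "error budget"


# Constructed sample values for a 0.1%-class sensor (not a real datasheet)
SAMPLE_TERMS = {
    "offset error": 0.05,
    "gain error": 0.05,
    "reference drift over temperature": 0.04,
    "reference drift over time": 0.03,
}
# Same sensor, two different diagnostic capabilities
COARSE_DIAGNOSTICS = ErrorBudget(SAMPLE_TERMS, noise_sigma_pct=0.005, diagnostic_limit_pct=0.5)
FINE_DIAGNOSTICS = ErrorBudget(SAMPLE_TERMS, noise_sigma_pct=0.005, diagnostic_limit_pct=0.1)

if __name__ == "__main__":
    for label, budget in (("coarse diagnostics", COARSE_DIAGNOSTICS),
                          ("fine diagnostics", FINE_DIAGNOSTICS)):
        print(f"{label}: normal accuracy +/-{budget.normal_accuracy():.3f}%, "
              f"worst-case sum +/-{budget.worst_case_sum():.3f}%, "
              f"safety accuracy +/-{budget.safety_accuracy():.3f}% "
              f"(set by {budget.dominant_limit()})")
```

For these sample terms the RSS normal accuracy is about +/-0.087% while the worst-case sum is +/-0.17%, rising to +/-0.195% once the 5 sigma noise allowance is added. With diagnostics that can only verify +/-0.5%, that figure is what the safety accuracy becomes; with diagnostics good to +/-0.1%, the error budget itself sets it at +/-0.195%.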
Looking for some good examples on the internet of where safety accuracy is used, I found this example from a TUV Nord assessment report for a Honeywell transmitter, an extract of which is shown below.
Figure 3 an example from a TUV Nord report
A term sometimes used in the same context as safety accuracy is safety deviation (see, for instance, here from an Exida paper). A real-world example is shown below; see here for the source.
Figure 4 an extract from a Rosemount 3051S series
Check back next month on the second Tuesday of the month for the next blog in this series. Until then I hope to post “mini-blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
For previous blogs in this series see here.
For the full suite of ADI blogs on the EngineerZone platform see here.
For the full range of ADI products see here.