
Understanding Safe Failure Fraction: Can There Be Multiple Values?

In this blog I discuss various aspects of SFF (safe failure fraction): whether it applies to an integrated circuit at all, and whether an integrated circuit can have more than one SFF value.

SFF is the diagnostic-coverage-style metric used in the IEC 61508 set of standards. It differs from DC (diagnostic coverage), which is used in the machine safety standard ISO 13849: DC is the fraction of the dangerous failures that are detected, whereas SFF additionally gives you credit for failures that take you to the safe state. Looking at the history of IEC 61508, the SFF/HFT (hardware fault tolerance) constraints were added on top of the PFH/PFD requirements to allow for uncertainty in the reliability data used to calculate PFH and PFD.

Firstly, let’s ask whether an integrated circuit has an SFF at all. You can certainly calculate an SFF, and indeed a DC, for an integrated circuit, but to what purpose? SFF and HFT are the two hardware architectural constraints in IEC 61508-2, and the standard only applies them to elements and sub-systems (see the title of Table 3 in Figure 1 below). An integrated circuit could be an element or a sub-system, but typically it is a component used to build an element or sub-system, so you could immediately argue that SFF doesn’t apply to an integrated circuit.

Figure 1: SFF and HFT constraints from IEC 61508-2

However, if an element or sub-system is built from several integrated circuits and other components, and an FMEDA done for one integrated circuit shows it has an SFF of less than 90%, then something else in the element will have to have an SFF above 90% so that the element as a whole still reaches at least 90% (assuming a SIL 2 target for a type B element with HFT 0, per Table 3).

Note that this is a weighted average based on each IC's failure rate: an IC with a higher FIT makes a bigger contribution to the element SFF than one with a lower FIT.

When performing an FMEDA for an integrated circuit, Analog Devices (ADI) has to assume an application and identify which other components would interact with the integrated circuit in that system. So while the ADI assumptions determine one SFF, the real application might have:

  • Additional diagnostics available in the actual system
  • A different demand rate
  • The ability to calculate diagnostics by comparison
  • A different safety accuracy (see here)
  • Something else in the element with a higher failure rate and easier diagnostics

Note – the list above is not exhaustive.

Additional diagnostics might include a challenge-response watchdog for a uC, such as that on the MAX42500, which goes beyond a standard watchdog: a challenge-response watchdog actually tests whether the uC can still perform basic calculations, not merely whether it is still running.

Let’s look at the demand rate (process safety time) issue. Suppose an element has two diagnostics, diagnostic1 and diagnostic2.

The rules of claiming credit for a diagnostic are given in IEC 61508-2:2010 7.4.5.3.

Figure 2: Guidance from IEC 61508-2 on which diagnostics can be counted in your safety analysis, and which cannot

Let’s suppose:

  • diagnostic1 has a diagnostic test interval of 15 minutes (a march test for a RAM)
  • diagnostic2 has a diagnostic test interval of 1 second (switching in and converting a reference input).
  • It takes 1 second to achieve the safe state

Then, if you have two applications, application 1 with a process safety time of 20 minutes and application 2 with a process safety time of 1 minute, you can claim credit for both diagnostics in application 1 (15 minutes plus 1 second to reach the safe state is less than 20 minutes), but only for diagnostic2 in application 2 (15 minutes plus 1 second is far longer than 1 minute, whereas 1 second plus 1 second is not). Therefore, your SFF will be different depending on the application.

The impact of the system-level diagnostics available is probably the most significant. Suppose you buy an ADC (analog-to-digital converter) from ADI, and ADI claims it has an SFF of 85% based on its assumptions. You could use this integrated circuit in parallel with a second ADC and compare the two outputs. This arrangement could easily give an SFF of more than 95%, provided the two channels fail independently (common-cause failures between the channels would need to be assessed separately).

Figure 3: Two different architectures and their achievable SFF

The claimed SFF can also depend on the claimed safety accuracy. If you claim a safety accuracy of +/-1% but one of your key diagnostics is only good enough to guarantee an accuracy of +/-2% then you can’t claim credit for that diagnostic in your safety case, regardless of any assumptions made by ADI.

Lastly, suppose you design in an ADFS7124 with a FIT of 66 and combine it with an RTD with a FIT of 400 to make a temperature measurement element. The main failure mode of the RTD is likely to be transducer open, which the ADFS7124 can detect with its transducer burnout current source. If the total is 466 FIT and you detect 99% of the RTD's 400 FIT, it almost doesn’t matter what the SFF of the ADC is. Even if the ADC had an SFF of 0, the SFF for the combined RTD+ADC element would be 0.99*400/466 = 85%. This I think is bad practice but meets the requirements of IEC 61508. There are proposals to add something on “balanced architectures” to IEC 61508 revision 3, but it’s not clear whether what will be added will sufficiently address the issue of meeting the SFF metric by only adding diagnostics for the most significant failure modes. Perhaps I’m biased, and that is a perfectly acceptable approach.

Note – FIT is failures in time, expressed as failures per billion (10^9) hours of operation.
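To make the two effects above concrete, here is a small FIT-weighted SFF calculation that applies the 7.4.5.3 rule (diagnostic test interval plus time to reach the safe state must be less than the process safety time, HFT 0 reading) before crediting a diagnostic, then runs it on both the two-diagnostic element with its two process safety times and on the RTD+ADC element. This is an added illustration, not ADI's FMEDA tooling or anything from the standard: the 100 FIT microcontroller, the 40%/50% coverage split, the 1 s test interval of the burnout current, the "each diagnostic covers a disjoint set of failure modes" combination rule and the 20 minute process safety time for the RTD case are all assumptions chosen for the example; only the 400/66 FIT, 99%, 15 min/1 s and 20 min/1 min figures come from the blog.

```python
# Added worked example (not ADI's FMEDA tooling). Failure rates, coverages and the
# combination rule below are assumptions chosen to illustrate the blog's scenarios.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Diagnostic:
    name: str
    coverage: float          # share of the component's dangerous failures it detects
    test_interval_s: float   # diagnostic test interval (DTI) in seconds


@dataclass
class Component:
    name: str
    fit: float               # failures per 1e9 hours (FIT), all failure modes
    safe_fraction: float     # share of failures that land the element in the safe state
    diagnostics: List[Diagnostic] = field(default_factory=list)


def diagnostic_claimable(diag: Diagnostic, pst_s: float, time_to_safe_s: float) -> bool:
    """IEC 61508-2:2010 7.4.5.3 (HFT = 0): DTI plus the time needed to reach the
    safe state must be less than the process safety time to claim the diagnostic."""
    return diag.test_interval_s + time_to_safe_s < pst_s


def split_fit(comp: Component, pst_s: float, time_to_safe_s: float) -> Tuple[float, float, float]:
    """Return (safe, dangerous detected, dangerous undetected) FIT for one component.
    Assumption: each diagnostic covers a disjoint set of dangerous failure modes,
    so the coverage of the credited diagnostics simply adds up."""
    safe = comp.fit * comp.safe_fraction
    dangerous = comp.fit - safe
    credited = [d for d in comp.diagnostics if diagnostic_claimable(d, pst_s, time_to_safe_s)]
    coverage = sum(d.coverage for d in credited)
    if coverage > 1.0:
        raise ValueError(f"{comp.name}: coverages of credited diagnostics exceed 100%")
    return safe, dangerous * coverage, dangerous * (1.0 - coverage)


def element_sff(components: List[Component], pst_s: float, time_to_safe_s: float) -> float:
    """SFF = (safe + dangerous detected) / total, FIT-weighted over all components."""
    total = sum(c.fit for c in components)
    credit = 0.0
    for c in components:
        safe, dangerous_detected, _ = split_fit(c, pst_s, time_to_safe_s)
        credit += safe + dangerous_detected
    return credit / total


def demand_rate_example() -> Dict[str, float]:
    """The blog's two-diagnostic element evaluated at two process safety times.
    Assumed: 100 FIT, no safe failures, diagnostic1 covers 40%, diagnostic2 50%."""
    ram_march = Diagnostic("diagnostic1: RAM march test", coverage=0.40, test_interval_s=15 * 60)
    ref_input = Diagnostic("diagnostic2: reference input", coverage=0.50, test_interval_s=1)
    uc = Component("microcontroller (assumed)", fit=100, safe_fraction=0.0,
                   diagnostics=[ram_march, ref_input])
    time_to_safe_s = 1  # from the blog: 1 second to achieve the safe state
    return {
        "application 1 (PST 20 min)": element_sff([uc], 20 * 60, time_to_safe_s),
        "application 2 (PST 1 min)": element_sff([uc], 60, time_to_safe_s),
    }


def rtd_adc_example(adc_sff: float = 0.0) -> float:
    """RTD (400 FIT, open circuit detected 99% by the ADC burnout current) plus an
    ADC (66 FIT) whose own SFF is adc_sff. PST of 20 min and a 1 s burnout test
    interval are assumptions; the ADC's SFF is modelled as its safe-or-detected share."""
    burnout = Diagnostic("transducer burnout current source", coverage=0.99, test_interval_s=1)
    rtd = Component("RTD", fit=400, safe_fraction=0.0, diagnostics=[burnout])
    adc = Component("ADC", fit=66, safe_fraction=adc_sff)
    return element_sff([rtd, adc], pst_s=20 * 60, time_to_safe_s=1)


if __name__ == "__main__":
    for app, sff in demand_rate_example().items():
        print(f"{app}: SFF = {sff:.0%}")
    print(f"RTD + ADC, ADC SFF 0%:  element SFF = {rtd_adc_example(0.0):.1%}")
    print(f"RTD + ADC, ADC SFF 85%: element SFF = {rtd_adc_example(0.85):.1%}")
```

Changing the process safety time alone moves the element from 90% to 50% in this model, and raising the ADC's own SFF from 0% to 85% only moves the RTD+ADC element from 85% to 97%, which is the point the blog makes about the RTD's 400 FIT dominating the weighted average.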

So the SFF in the application can differ from, and be higher or lower than, the value the FMEDA done by Analog Devices would determine. The question then arises whether Analog Devices should bother doing an SFF calculation at all. This is where application knowledge comes in. If reasonable values are used for safety accuracy and demand rate, the ADI analysis gives the element designer a reasonable idea of what they can achieve in their system. It’s also a great starting point for a more targeted analysis.

Check back next month on the second Tuesday of the month for the next blog in this series. Until then, I hope to post “mini blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.

Related Blogs

  1. Accuracy vs safety accuracy
  2. The importance of time
  3. I think I might be losing my faith in SFF
  4. Diagnostics are they worth the effort

For previous blogs in this series, see here

For the full suite of ADI blogs on the EngineerZone platform, see here

For the full range of ADI products, see here