IEC 61508 appears to include two very similar concepts. Type A and simple, which is referred to as “low complexity”. Anything that isn’t low complexity is then considered high complexity.
Low complexity is defined in part 4, and type A is used in part 2.
Figure 1: Low Complexity from Part 4 and Type A from IEC 61508 Part 2
The difference between the two is the additional point c) in the type A description. Therefore, anything that is type A meets the definition of low complexity, but not all low complexity items are type A. In particular, a low complexity item without good evidence for its claimed failure rate does not meet the requirements for type A.
Below, I will discuss related issues in more detail. I don’t believe there is any equivalent of these concepts for our automotive friends working to ISO 26262.
The most significant use of low complexity is in part one of the scope, where it states that certain requirements of the standard don’t apply, but doesn’t specify which.
Figure 2: From IEC 61508-1:2010 Scope
Type A is used, but only in relation to the tradeoff between the hardware metrics SFF and HFT. SFF stands for safe failure fraction, a measure of diagnostic coverage and the tendency to fail to the safe state. HFT stands for hardware fault tolerance and measures the redundancy in a system.
If an element or sub-system is type A, you need less SFF for a given HFT than if it is type B (anything not type A is type B). For type A you can achieve SIL 1, 2 or even SIL 3 with an SFF of 0% provided you add appropriate redundancy. If the element is type B, you would need a higher SFF and/or HFT. It’s worth remembering that SFF and HFT apply at the element level and not at the component level.
Figure 3: Table 2 from IEC 61508-2:2010
To understand why you get this reduction in requirements for type A, we have to understand why the hardware metrics SFF and HFT were added in IEC 61508.
To comply with IEC 61508, you must meet the requirements for a given SIL related to
- The hardware metrics SFF and HFT – SFF is a measure of the diagnostic coverage and the likelihood of failing to a safe state. HFT expresses the level of redundancy
- Systematic capability – how well is the item designed, verified, and validated
- The dangerous failure rateis described as a PFH or PFD
In theory, you should be able to rely on a PFH or PFD alone, as it represents the dangerous failure rate. But systematic failures are generally not quantifiable, and the reliability predictions are notoriously unreliable.
Note – PFH is the average rate of dangerous failure per hour and is used as the metric when the demand rate of the safety function is > 1/year, and PFD is the average probability of failure on demand and is used as the metric when the demand rate is < 1/year.
Because of poor confidence in the reliability predictions, an additional hardware metric, SFF and HFT, was added to reduce reliance on reliability predictions alone. There is a good discussion of this in “Proposal for requirements for low complexity safety related systems” published by the UK HSE (Health and Safety Executive) in 2002 (around the same time as revision 1 of IEC 61508 was released).
It's interesting to note that the HSE papers say that one method to satisfy item c) from the type A definition (dependable failure rate data) is to do Failure Modes and Effects analysis, and goes on to say that doing an FMEA for such a system is not difficult or onerous for a low complexity system. Therefore, if your system is low complexity and shows it is type A, it should not be a difficult burden. This somewhat ties together the two principles of type and complexity.
As regards which specific requirements of IEC 61508 don’t apply to low complexity in part 2, clause 1.2. If you already know all the failure modes and their behavior, then the process used to develop the low complexity item is probably not important. However, the item would need to be pretty simple for these requirements to be met. Various other standards attempt to define low and high complexity, but I have never found a definition I agree with. The examples in the definition indicate the type of systems that might qualify.
Figure 4: Low Complexity Example from IEC 61508-4:2010 3.4.3
Check back next month on the second Tuesday of the month for the next blog in this series. Until then, I hope to post “mini blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
Related Blogs
For previous blogs in this series, see here.
For the full suite of ADI blogs on the EngineerZone platform, see here.
For the full range of ADI products, see here.