Functional Safety FAQ - Functional Safety vs. Reliability
Functional Safety FAQ
Must all failures be eliminated for Functional Safety compliance?
No. Each standard has its own unique requirements for failure rates, but the Functional Safety standards do not require zero failures. They do however define a maximum allowable rate of unsafe failures. There is no limit to failures which are safe, because not all failures will necessarily result in an injury. Failures that are unlikely to cause injury are considered safe and are generally allowed. A high failure rate might cause frustration for the user, but Functional Safety standards allow for an unlimited failure rate if the failures are safe.
Does a system with Functional Safety have a low failure rate?
Not necessarily. Two systems, one with and one without Functional Safety, could have identical failure rates, but the one with Functional Safety will fail in ways that people do not get hurt. (safe failure) Example: A valve control system can be designed such that when power is lost, the valve will default to either open or closed. In a power loss situation, if a closed valve is safe but an open valve is not, the Functional Safety system designer must choose the valve that closes when power is lost, but the failure rate will be the same regardless of which valve is chosen.
What is a safe failure? Aren't all failures unsafe?
A safe failure is one that although it happens is unlikely to cause an injury. Example: A windshield wiper switch that fails in the off state could cause a hazard if it failed while raining and thus preventing the driver from seeing clearly. That would be considered an unsafe failure. However, if the windshield wiper switch was designed in a way that when the electronics failed, it defaulted on, to a constant wiping state. This can be defined as a safe failure since the driver can see clearly in all weather conditions. So, while both wiper switches might have the same failure rate, the failure rate of the one that fails in a safe state (on), that failure rate is always allowable. System designers need to carefully consider what they want the system to do when a failure is detected. The safe state is not always the same for every application. For example, a broken door sensor might need to be treated the same as an open door. This failure mode should cause a safe food processor to come to an immediate stop, where a safe car should turn on a warning light rather than come to a sudden stop.
Does Functional Safety require zero unsafe failures?
No, but the allowable unsafe failure rate is typically quite low. Ex: depending on the risk of injury, automotive systems will expect somewhere between 1 FIT and 10FITs of unsafe failures.
What is the allowable unsafe failure rate?
Many Functional Safety standards require that hazards be evaluated for a combination of 3 things. The severity of possible injury, the amount of time that the hazard could occur, and how much control does the user have when the failure occurs.
What is a FIT?
1 FIT is 1 failure per billion device operating hours. PPM is not usually used as the metric for defining allowable failure rates in Functional Safety because it does not account for how often a system is used. If a million pumps are in use, and one of the fails, that is 1 ppm, whether they are in use 1 hour per day or 24 hours per day. The 1 hour per day system would be 1 FIT, if there is only 1 failure after 1000 hours, and will still be 1 FIT if another failure occurs during the next 1000 hours. The 24hr per day system will be 0.015 FITS if only 1 failure occurs after 1000 hrs.
Does using high reliability components help with compliance to Functional Safety standards?
High reliability components reduce failure rates for all types of failures, but don't get tricked into thinking that component selection is the only requirement for Functional Safety. High failure rate components are perfectly acceptable, if when the failures occur the system can detect the failure and transition to a safe state before people get hurt.
What is a hazard vs a failure?
A hazard is the result of a failure. Ex: A failure is when an electronic door lock does not do what the user's controls tell it to do. The hazards are that the user can't get out or open the door when necessary, and the locked door opens unexpectedly when accidentally pulling the handle.
Are reliability caused safe and unsafe failure rates the only concern when developing with Functional Safety in mind?
No. Functional Safety standards generally require robust development processes be used and define methodologies to ensure the development processes are sufficiently robust. The intent is that the development process will detect systematic malfunctions to avoid releasing products that have design bugs. Similar to not having an expectation of zero reliability failures, the Functional Safety standards do not imply that bug free products must be guaranteed. They merely imply that an uncontrolled, unstandardized, undefined development process is less likely to be safe than one which is predictable and provides evidence of how the product was developed, in case there are questions in the future about what was or was not done during development.