Safely in control?
June 1st 2006

In recent years a culture has arisen in which probabilistic techniques are used to evaluate safety-related performance of control systems.

Peter Still, of Schneider Electric, examines this culture and considers the extent to which it is appropriate in a safety context

The committees that draw up safety standards are often manned by academics rather than engineers and sometimes make assumptions that can be misleading.

When an 'expert' expresses an opinion as a fact, no one in the group wants to challenge it. Sometimes ideas are expressed poorly or are so complicated that those outside the group fail to challenge it because they may be seen as 'stupid' for not understanding it in the first place.

Standards such as the revised ISO 13849-1 and draft IEC 62061, which are based on Mean Time to Failure (MTTF) measurements, use assumptions that by their nature can make unsafe control systems appear safer than they really are. As with any mathematical equation if an incorrect assumption is made when calculating the MTTF then the conclusion will be incorrect.

MTTF is often incorrectly believed to be the time before the wear-out phase is reached. It is in fact the reciprocal of the average failure rate during the constant failure rate phase. It is a statistical measure, and has little if any relevance to an individual device. As an example, if a device has an MTTF of 100 years, this does not mean that the device can be expected to operate without failure for 100 years; it means that if 100 of the devices are in service, then on average one will fail every year. This is of interest to manufacturers seeking to produce 'reliable' devices, but is of little use to a system designer wishing to estimate how long a single sample of that device will perform in service. It is also only applicable in the 'constant failure rate' phase.

An even more misleading measure is Mean Time To dangerous Failure (MTTFd). This is derived from the MTTF by multiplying the MTTF by a factor that represents the proportion of failures that are not dangerous. For example, it has been suggested that 10% of contactor failures are 'fail-to-close' failures such as welded contacts.

The MTTFd is therefore considered to be 0.9 x MTTF.

However it is impossible to determine whether a failure is dangerous or not unless the application is known - a welded contactor, for example, might not be dangerous.

In addition, the application can affect the relative proportion of failures in different modes.

There are a number of standards that have been written by people with an academic/financial interest in the functional safety theory (dependability of a safety function). Because they are not experts in the machinery safety field they have relied too much on mathematics and too little on proper safety principles.

It is important that designers of machine control systems are not misled into assuming that devices with higher reliability or 'performance level' are necessarily safer.

In practice, very few industrial accidents are caused by random hardware failures.

Most accidents result either from human behaviour, such as bypassing safety devices or failing to ensure that a machine is in a safe state (e.g. isolated) before entering a hazardous zone, or from 'systematic failures', such as incorrect selection of safety devices. Neither of these causes can be predicted by statistical methods.

The bottom line is that institutions should spend more time on getting the message across of corporate responsibility. In other words it is better to inform people not to get carried away in mathematics but to do the job properly. Companies should plan and implement proper safety principles to ensure staff stay safe.

More articles from Schneider Electric Ltd: