Last edit: 26/02/2024
There is another issue linked to the use of the SFF parameter. Considering the definition of SFF, the safety of a component can be enhanced by making the dangerous failure rate lower, and the safe failure rate higher, assuming the total failure rate of the component does not change.
Therefore, the following situation can occur: a component manufacturer has designed and developed a product with an estimated dangerous failure rate of 2·10-8, however, the SFF is estimated at 50%. The company modifies the design in order to increase the Safe failures and/or the Dangerous Detected failures, however, the modified component will not assure more safety and will cause economical losses for the user, since its process will be subject to more spurious trips.
Therefore, does a high SFF indicate a safer design? Reliability experts, system integrators, and end users have questioned the suitability of SFF as an indicator of a safe design. The reason is that Safe failures are not always positive for safety, since spurious trips may create other hazardous situations, during the shut-down clearance and the process restart. Moreover, the SFF may credit unneeded hardware, since the SFF gives credit to high rate of ‘‘safe’’ failures, and for producers it is a business advantage to claim a high SFF. With a high SFF, components may be used in configurations with low HFT, which means more business for the component manufacturer.
As an Example, let’s consider the following two components used in HFT = 0 subsystem in high demand mode (IEC 62061).
Component 1:
- λDU = 50 FIT
- λDD = 0 FIT
- λS = 0 FIT
- SFF = 0
- PFHD = 50 FIT
- Max SIL reachable: SIL 1
Component 2:
- λDU = 50 FIT
- λDD = 3950 FIT
- λS = 1000 FIT
- SFF = 99%
- PFHD = 50 FIT
- Max SIL reachable: SIL 3
In other terms, both components have the same PFHD; one is “intrinsically safe” and has no safe failures. The second has a much higher total failure rate, but has a very high capability of detecting dangerous failures; moreover, it has a certain amount of safe failures.
The second component, despite having the same Average probability of dangerous failure per hour as the first one, can be used up to SIL 3, only because it has a lot of “Safe Failures” (DD and S).
Again, that is the reason why, in the second edition of IEC 61508, the concept of No Effect Failures was introduce: to avoid the overestimation of Safe Failures.