Last edit: 03/07/2023
There is another important aspect to take into consideration: in a component, we can define a dangerous detectable failure only if, in case of such a failure, it is possible to bring the subsystem to a safe state.
For example, if we consider an output subsystem made of a monitored power contactor (figure on the left), the DC has to be assumed ≈ 0. The reason is that, if we detect that the power contacts did not open, we cannot bring the safety system to a safe state. Instead, in the case of a dual channel safety subsystem (figure on the right), the DC can be assumed ≈ 99%. The reason is that, if we detect that the power contacts of, for example, K1 did not open, we can de-energise K2 and therefore bring the safety system to a safe state.
That concept is now valid in high demand mode of operation, according to the following language in IEC 61508-2:2010:
[IEC 61508-2: CD 2023] 7.4.4 Hardware safety integrity architectural constraints
[…] 7.4.4.1.4 When estimating the safe failure fraction of an element, intended to be used in a subsystem having a hardware fault tolerance of 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation, credit shall only be taken for the diagnostics if:
- the sum of half the diagnostic test interval and the time to perform the specified action to achieve or maintain a safe state is less than the process safety time; or,
- when operating in high demand mode of operation, the ratio of the diagnostic test rate to the demand rate equals or exceeds 100.
That will probably be extended to components used in low demand mode of operation in the new edition of IEC 61508-2, foreseen within a few years.
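The two rules above (diagnostics only count when a safe state is reachable, and only when one of the two 7.4.4.1.4 timing/rate criteria holds) are easy to get wrong in a spreadsheet. The following is an added example, not code from the original page or from the standard: a small Python model that applies both rules to the contactor cases discussed above. The `Subsystem` fields, the sample values (10 ms and 1 h diagnostic test intervals, 100 ms reaction time, 500 ms process safety time, one demand every 5 days) and the case names are constructed assumptions for illustration; the ratio of diagnostic test rate to demand rate is computed as mean demand interval divided by diagnostic test interval, which is the same quantity with a single division.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Subsystem:
    """Assumed input model for the diagnostic-credit decision (not taken from the standard)."""
    name: str
    claimed_dc: float                 # DC the diagnostic would achieve if credited, 0.0 .. 1.0
    safe_state_reachable: bool        # after detecting the failure, can the subsystem still reach a safe state?
    diag_test_interval_s: float       # time between two executions of the diagnostic test
    reaction_time_s: float            # time to perform the specified action to achieve/maintain a safe state
    process_safety_time_s: float      # process safety time of the application
    mode: str                         # "high" (high demand) or "continuous"
    mean_demand_interval_s: Optional[float] = None  # only meaningful in high demand mode


def timing_criterion_met(s: Subsystem) -> bool:
    """First bullet of 7.4.4.1.4: half the diagnostic test interval plus the reaction time
    must be less than the process safety time."""
    return s.diag_test_interval_s / 2 + s.reaction_time_s < s.process_safety_time_s


def rate_criterion_met(s: Subsystem) -> bool:
    """Second bullet of 7.4.4.1.4 (high demand mode only): diagnostic test rate / demand rate >= 100.
    test_rate / demand_rate == mean_demand_interval / diag_test_interval, so one division is enough."""
    if s.mode != "high" or s.mean_demand_interval_s is None:
        return False
    return s.mean_demand_interval_s / s.diag_test_interval_s >= 100


def diagnostic_credit_allowed(s: Subsystem) -> bool:
    """Credit requires (a) that a safe state can be reached once the failure is detected
    (otherwise the failure is not 'dangerous detectable' in any useful sense) and
    (b) at least one of the two 7.4.4.1.4 criteria."""
    if s.mode not in ("high", "continuous"):
        raise ValueError(f"unsupported mode {s.mode!r}; use 'high' or 'continuous'")
    if not s.safe_state_reachable:
        return False
    return timing_criterion_met(s) or rate_criterion_met(s)


def effective_dc(s: Subsystem) -> float:
    """DC that may actually be claimed: the diagnostic's DC if credit is allowed, otherwise 0."""
    return s.claimed_dc if diagnostic_credit_allowed(s) else 0.0


# Constructed sample cases (values are illustrative assumptions, not from the page).
SAMPLE_CASES = [
    Subsystem("monitored single contactor", 0.99, False, 0.01, 0.1, 0.5, "high", 432000),
    Subsystem("dual channel K1/K2, test every 10 ms", 0.99, True, 0.01, 0.1, 0.5, "high", 432000),
    Subsystem("dual channel K1/K2, test once per hour", 0.99, True, 3600, 0.1, 0.5, "high", 432000),
    Subsystem("dual channel, continuous mode, hourly test", 0.99, True, 3600, 0.1, 0.5, "continuous"),
]


def evaluate_all(cases=SAMPLE_CASES) -> Dict[str, float]:
    """Map each case name to the DC that may be claimed for it."""
    return {c.name: effective_dc(c) for c in cases}


if __name__ == "__main__":
    for name, dc in evaluate_all().items():
        print(f"{name:45s} DC = {dc:.2f}")
```

The single monitored contactor gets DC 0 regardless of how fast its diagnostics run, because detection alone cannot bring the output to a safe state. The dual channel subsystem with a fast test passes the timing criterion; the same subsystem tested only once per hour fails the timing criterion but still passes the rate criterion (one test per hour against one demand every five days gives a ratio of 120). In continuous mode the rate criterion does not apply, so the hourly test earns no credit.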