Showing posts with label NHP.

New series provides guidance on Common Cause Failure (CCF)


What is a common cause failure (CCF)? CCF is a term that carries much more weight in the new AS 4024.1 series. A good description of CCF can be found in a very trusted reference...TV! If you have ever watched Air Crash Investigation then you may be familiar with the 'Swiss Cheese Model'.


From this Swiss cheese model it can be seen that if the holes in the multiple layers of cheese line up, a single path through the layers exists and the safety-critical system has failed. CCF is exactly this happening in a machine safety system. Think of a dual-channel system: a CCF is both channels failing at the same time because of one common event, for example:
  • Two independent switches on a guard failing because the ambient temperature is above their rating
  • Two independent safety channels having erroneous signals induced on them from the same source of electromagnetic noise
  • Two mechanical switches on a guard fracturing due to a single impact on that guard door
The above explanation shows how threatening common cause failure is to a safety system. We generally design machine safety systems with two channels when the risk of the application is high; this redundancy lets the system tolerate a fault on a single channel. However, if the system hasn't been designed to avoid CCF, there is a real chance that a single event will defeat both channels and the safety function will fail.
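To put a number on that warning, here is an added example (my own code, not part of the original post) using the beta-factor model that IEC 61508 uses for CCF: a fraction `beta` of each channel's dangerous failures is treated as a shared event that takes out both channels at once. The per-channel failure probability and the beta values are constructed inputs, not data for any real component; the point is how quickly even a small common-cause fraction swamps the benefit of the second channel.

```python
"""Why common cause failure (CCF) matters for a dual-channel safety function.

Added example, not from the original post. It uses the beta-factor model
(the CCF model IEC 61508 uses): a fraction `beta` of each channel's dangerous
failures is assumed to be a shared event that defeats both channels at once.
All numeric inputs below are constructed for illustration, not real component data.
"""
import random


def dual_channel_failure_probability(p_channel: float, beta: float) -> float:
    """Probability that a 1-out-of-2 (dual-channel) safety function is defeated.

    p_channel: probability that one channel fails dangerously over the interval of interest.
    beta:      fraction of those failures that are common cause; 0.0 means fully independent
               channels, 1.0 means every channel failure is a shared event.
    """
    if not (0.0 <= p_channel <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("p_channel and beta must lie in [0, 1]")
    p_common = beta * p_channel                 # the shared event: both channels fail together
    p_independent = (1.0 - beta) * p_channel    # what remains fails each channel on its own
    # The function is defeated if the common event occurs, or if it does not occur
    # and both channels still fail independently (the 'holes line up' case).
    return p_common + (1.0 - p_common) * p_independent ** 2


def redundancy_erosion(p_channel: float, beta: float) -> float:
    """How many times more likely the function is to be defeated with CCF than with independent channels."""
    if p_channel <= 0.0:
        raise ValueError("p_channel must be positive to compare against the independent case")
    return dual_channel_failure_probability(p_channel, beta) / dual_channel_failure_probability(p_channel, 0.0)


def simulate_failure_probability(p_channel: float, beta: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the formula: draw the shared event and each channel's own fault per trial."""
    rng = random.Random(seed)
    p_common = beta * p_channel
    p_independent = (1.0 - beta) * p_channel
    defeated = 0
    for _ in range(trials):
        common_event = rng.random() < p_common
        channel_a = common_event or rng.random() < p_independent
        channel_b = common_event or rng.random() < p_independent
        if channel_a and channel_b:
            defeated += 1
    return defeated / trials


if __name__ == "__main__":
    p = 1e-3   # constructed: each channel has a 0.1 % chance of a dangerous failure per year
    for beta in (0.0, 0.01, 0.05, 0.20):
        print(f"beta={beta:<5} P(defeated)={dual_channel_failure_probability(p, beta):.2e} "
              f"redundancy eroded x{redundancy_erosion(p, beta):.0f}")
    print("Monte Carlo check:", simulate_failure_probability(0.1, 0.1, 100_000))
```

With independent channels the function is defeated only when both fail together (one in a million per year for the constructed input); with just 5 % of failures being common cause, the shared event alone is fifty times more likely than that. Measures such as the separation, diversity and environmental protections scored in Annex F are what drive `beta` down.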

For this reason, whether you are designing systems to categories (AS 4024.1501) or performance levels (AS 4024.1503), CCF should be a consideration for any multiple-channel architecture. Unfortunately the previous version of AS 4024.1 didn't have a usable process for avoiding CCF; this has been rectified in the new version of the series released in 2014.

AS 4024.1503:2014 Annex F contains a scoring-based test for common cause failure that can be used to determine whether the safety system has been designed to avoid CCF to an acceptable level. I would recommend that any machine safety system designed to a category 2, 3 or 4 architecture be analysed with the process from Annex F. This is the only usable guidance in the AS 4024.1 series for designing safety control systems to avoid CCF.

Other parts in the 2014 version of AS 4024.1 also provide guidance on designing to avoid CCF for common safety functions. For example, AS 4024.1602:2014 Clause 8.3, provides excellent guidance on how to prevent common cause failures in interlock guard functions.

This is an example of the improvements that have been made in the new 2014 version of the AS 4024.1 series. We will be exploring more of the new features of AS 4024.1 in the safety blog topics this year. If you missed our last topic, Safety Systems Must Be Designed For Productivity, be sure to check it out: it explored how the 2014 version of AS 4024.1602 can help you design interlock guards that operators won't defeat.

Don't be a Robbo or Danny boy, protect yourself from common cause failure.


Published: 12 February 2015

Pointers on MTTF, MTBF, MTTFd and Availability


Some common questions have started coming up as customers increasingly design their safety systems to SIL or PL. Both of these design methods require reliability data on the components that make up the safety system. There are many acronyms floating around, and some common misconceptions about their definitions; here are some explanations that may help you out:

MTTF – Mean Time To Failure
As the name suggests, this metric is the average time until a component fails, based on reliability data or testing results.

MTBF – Mean Time Between Failures
This metric is sometimes assumed to be equal to the MTTF. However, the average time between failures also includes the MTTR (Mean Time To Repair), thus:
MTBF = MTTF + MTTR
If the component has a very long expected life compared to the MTTR, then the MTTF and MTBF will be very similar.

The relationship between these values determines the availability of the component:
Availability = MTTF/MTBF
The closer availability gets to 1, the greater the proportion of time the device is operational. The smaller the MTTR in relation to the life of the component, the closer the availability gets to the ideal value of 1.

What's the difference between MTTFd and MTTF?
So what about the value MTTFd? Is this the same as MTTF? The answer is no: MTTFd only considers the dangerous failures of the component.

For example: if an E-Stop contact needs to open to initiate a safe stop, MTTFd only counts the failures that cause the contact to remain closed, because those are the failures that prevent the stop. MTTF counts failures in both directions, including the contact failing open, which simply stops the machine and is therefore not a dangerous failure.

In general, if you can source only one of MTTFd or MTTF but need the other, there is a relationship that can be used to estimate the missing value:
MTTFd = 2 x MTTF
This relationship assumes that half of all failures are dangerous, which is the convention ISO 13849-1 (AS 4024.1503) uses when no better failure mode data is available. If you do have failure mode data showing a different split, use that instead.
Hopefully this clears up any confusion you have about these reliability metrics.
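The definitions above, worked through in code. This is an added example, not from the original post: it derives MTTF and MTTFd from a constructed set of E-Stop failure modes (so the dangerous/safe split is explicit rather than assumed), computes MTBF and availability, and then goes one step beyond the post by combining component MTTFd values into a channel MTTFd with the parts-count method and placing the result in the low/medium/high bands of ISO 13849-1 (AS 4024.1503). The 50 % dangerous-failure default, the 100 year cap and the band limits are that standard's conventions; every component figure is constructed.

```python
"""MTTF, MTBF, MTTR, availability and MTTFd, as used for SIL/PL design.

Added example, not from the original post. The 50 % dangerous-failure assumption
(MTTFd = 2 x MTTF), the parts-count combination of MTTFd values per channel, the
100 year cap and the low/medium/high MTTFd bands follow ISO 13849-1 (adopted in
Australia as AS 4024.1503). All component figures below are constructed.
"""
from typing import Dict, List, Optional, Tuple

HOURS_PER_YEAR = 8760.0
MTTFD_CAP_YEARS = 100.0   # ISO 13849-1 caps a channel's MTTFd at 100 years


def mtbf(mttf: float, mttr: float) -> float:
    """MTBF = MTTF + MTTR: the repair time is part of the interval between failures."""
    return mttf + mttr


def availability(mttf: float, mttr: float) -> float:
    """A = MTTF / MTBF. Approaches 1 as MTTR becomes negligible against MTTF."""
    if mttf <= 0 or mttr < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return mttf / mtbf(mttf, mttr)


def mttf_and_mttfd(failure_modes: Dict[str, Tuple[float, bool]]) -> Tuple[float, float]:
    """Derive MTTF and MTTFd from a component's failure modes.

    failure_modes maps a mode name to (failure rate per hour, is_dangerous).
    MTTF uses every mode; MTTFd uses only the dangerous ones.
    """
    total = sum(rate for rate, _ in failure_modes.values())
    dangerous = sum(rate for rate, is_dangerous in failure_modes.values() if is_dangerous)
    if total <= 0 or dangerous <= 0:
        raise ValueError("need at least one dangerous failure mode with a positive rate")
    return 1.0 / total, 1.0 / dangerous


def mttfd_from_mttf(mttf: float, dangerous_fraction: float = 0.5) -> float:
    """When only MTTF is known, ISO 13849-1 assumes half the failures are dangerous: MTTFd = 2 x MTTF."""
    if not 0.0 < dangerous_fraction <= 1.0:
        raise ValueError("dangerous_fraction must lie in (0, 1]")
    return mttf / dangerous_fraction


def channel_mttfd(component_mttfd_years: List[float]) -> float:
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i), then capped at 100 years."""
    if not component_mttfd_years or any(m <= 0 for m in component_mttfd_years):
        raise ValueError("every component MTTFd must be positive")
    combined = 1.0 / sum(1.0 / m for m in component_mttfd_years)
    return min(combined, MTTFD_CAP_YEARS)


def mttfd_band(mttfd_years: float) -> Optional[str]:
    """ISO 13849-1 bands: low 3-10 y, medium 10-30 y, high 30-100 y; below 3 years is not permitted."""
    if mttfd_years < 3:
        return None
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


if __name__ == "__main__":
    # Constructed E-stop failure modes (rates per hour): a welded or stuck-closed contact is
    # dangerous because the stop is never initiated; a contact stuck open only causes a stop.
    estop_modes = {
        "contact welded closed": (2.0e-7, True),
        "contact stuck open": (1.5e-7, False),
        "broken wire / open circuit": (0.5e-7, False),
    }
    mttf_h, mttfd_h = mttf_and_mttfd(estop_modes)
    print(f"E-stop MTTF  = {mttf_h / HOURS_PER_YEAR:.1f} years")
    print(f"E-stop MTTFd = {mttfd_h / HOURS_PER_YEAR:.1f} years")
    print(f"availability with a 4 h MTTR: {availability(mttf_h, 4.0):.6f}")
    channel = channel_mttfd([30.0, 60.0, 100.0])   # constructed: guard switch, logic, contactor
    print(f"channel MTTFd = {channel:.1f} years -> {mttfd_band(channel)}")
```

Note how the channel MTTFd is dragged down by its weakest part: three components of 30, 60 and 100 years combine to under 17 years, which is only a medium band even though every individual part would be high on its own.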

Published: 19 August 2013

What Level of Diagnostics is required for Machine Safety Systems?


When designing machine safety control systems, what level of diagnostics is appropriate? This seems to be an issue that causes confusion and inconsistency throughout the industry.

For example, if the safety system is being designed to Safety Category 3 (according to AS 4024.1501), the requirement is as follows:

“Whenever reasonably practicable the single fault should be detected…… some but not all faults will be detected”

Not surprisingly, these requirements have led to many interpretations of what diagnostics should be implemented for Category 3. The application that causes the most confusion is a safety system monitoring multiple guard doors. Can these guard doors be connected in series? If so, how many? What criteria need to be considered?

Until now there hasn't been any appropriate guidance on how wiring guard doors in series degrades the level of diagnostics, or on what level is acceptable for a given Safety Category.

New machine safety standards have now been developed to assist the designer. ISO 13849-1 provides a method for the designer to quantify the diagnostics of their safety system, using a measure called Diagnostic Coverage (DC). Each Safety Category has specific requirements for the DC, so the designer knows exactly what level of diagnostics is required for their system.

ISO 13849-1 is a current international standard that can be sourced for your reference, and it will be adopted into AS 4024 in the next revision. This will provide better guidance for safety system designers in the Australian Standard.
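How the DC measure answers the series-wiring question, as an added example that is not from the original post. DC for one component is the share of its dangerous failures that the diagnostics detect; DCavg for the whole safety function is the MTTFd-weighted average over its components; the none/low/medium/high bands and the minimum band each Category needs follow ISO 13849-1. The component figures are constructed, and the 60 % DC assumed for guard switches whose monitoring is degraded by series wiring is my assumption for illustration, not a value taken from any standard; the code shows what that degradation does to Category 3 and Category 4 compliance.

```python
"""Diagnostic Coverage (DC) and the average DC of a safety function.

Added example, not from the original post. DC = lambda_dd / lambda_d (detected dangerous
failures over all dangerous failures), DCavg as the MTTFd-weighted average over the
components of the function, the DC bands and the minimum DCavg per Category all follow
ISO 13849-1 (to be adopted as AS 4024.1503). The component figures, and the 60 % DC assumed
for guard switches whose diagnostics are degraded by series wiring, are constructed.
"""
from typing import List, Tuple

# Lowest acceptable DCavg band per Category in the ISO 13849-1 simplified procedure.
MIN_BAND_FOR_CATEGORY = {"B": "none", "1": "none", "2": "low", "3": "low", "4": "high"}
BAND_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def diagnostic_coverage(detected_dangerous_rate: float, dangerous_rate: float) -> float:
    """DC for one component: the share of its dangerous failures that the diagnostics detect."""
    if dangerous_rate <= 0 or not 0 <= detected_dangerous_rate <= dangerous_rate:
        raise ValueError("need 0 <= detected <= total dangerous rate, total > 0")
    return detected_dangerous_rate / dangerous_rate


def dc_avg(components: List[Tuple[float, float]]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): less reliable parts weigh more.

    components: (MTTFd in years, DC as a fraction) for each component of the safety function.
    """
    if not components or any(m <= 0 or not 0 <= cov <= 1 for m, cov in components):
        raise ValueError("each component needs MTTFd > 0 and 0 <= DC <= 1")
    weighted = sum(cov / m for m, cov in components)
    weight = sum(1.0 / m for m, _ in components)
    return weighted / weight


def dc_band(dcavg: float) -> str:
    """ISO 13849-1 bands: none < 60 %, low 60-90 %, medium 90-99 %, high >= 99 %."""
    if dcavg < 0.60:
        return "none"
    if dcavg < 0.90:
        return "low"
    if dcavg < 0.99:
        return "medium"
    return "high"


def meets_category(category: str, dcavg: float) -> bool:
    """Does this DCavg reach the minimum band the Category demands?"""
    return BAND_RANK[dc_band(dcavg)] >= BAND_RANK[MIN_BAND_FOR_CATEGORY[category]]


if __name__ == "__main__":
    # Constructed safety function: guard interlock switches -> safety logic -> contactors.
    logic, contactors = (100.0, 0.995), (50.0, 0.995)
    single_door = [(20.0, 0.99), logic, contactors]       # one door, each switch fully monitored
    doors_in_series = [(20.0, 0.60), logic, contactors]   # assumed: series wiring masks faults, DC drops
    for name, parts in (("single door", single_door), ("doors in series", doors_in_series)):
        d = dc_avg(parts)
        print(f"{name:16} DCavg={d:.3f} ({dc_band(d)})  "
              f"Cat 3 ok={meets_category('3', d)}  Cat 4 ok={meets_category('4', d)}")
```

Because the guard switches are the least reliable part of the constructed function, their DC dominates the weighted average: the same logic and contactors that give a high DCavg with one fully monitored door fall to a low DCavg once the switch diagnostics degrade, which is still enough for Category 3 but rules out Category 4.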

Published: 19 June 2013

Is Work Health and Safety Harmonisation Still Alive?


In July 2008, an agreement was reached between the Commonwealth and all states and territories within Australia except Western Australia (WA) to begin the process of harmonising Australia’s work health and safety laws. This new model was aimed at reducing red tape and compliance costs for businesses that operate in multiple states. The umbrella laws would also provide workers with equal levels of safety across the nation as well as recognising their licensing and training nationally.

Fast forward to 2013 and what is the state of play? We now have Queensland, Northern Territory, New South Wales, ACT, South Australia and Tasmania all adopting the harmonised model. This leaves just WA and Victoria out of the loop.

WA is still committed to the process and has completed its draft WHS legislation, which is expected to be implemented in 2013. WA also began public consultation on the Regulations in August 2012 and will be working through this process in 2013.

This leaves Victoria. The last communication on the WorkSafe website stated that Victoria would not adopt the national legislation. The reason for this stance is an expected $3.4 billion cost over five years with no perceived benefit in terms of safety levels.

So what does this mean for harmonisation? Do you believe it will still be successful without the involvement of Victoria? Do you believe that Victoria will eventually join the rest of the states and adopt national safety legislation or stay with their own set of rules?

Published: 31 January 2013