CCF evaluation for redundant architectures

CCFs (Common Cause Failures) are failures due to a single cause that can affect multiple components at the same time.

CCFs can occur simultaneously on multiple components due to a shock, due to an increase in system stress (e.g. an increase in temperature, humidity or vibration), due to electromagnetic interference, or due to design errors.

It is important to consider whether common cause failures can occur. These failures can nullify the effects of redundancy. Indeed, if two or more distinct channels in a multichannel system are simultaneously in a faulty state because of common cause failures, the entire safety-related control system could lose the protective effect.

For Cat. 2, Cat. 3 and Cat. 4 it is therefore necessary to implement defence strategies in order to reduce the probability of CCF. Reduction of the coupling factor between two independent channels, choice of robust components, increase of the inherent reliability of the system and keeping the operating environment within the design constraints are some of these defence strategies.

ISO 13849-1 presents a list of 10 measures in Table F.1.

The measures are grouped into the following categories:

Physical design
  Separation / segregation
  Diversity / redundancy
  Complexity / design / application / maturity / experience

Analysis
  Data evaluation / analysis and feedback

Human problems
  Expertise / training / safety culture of designers

Environment problems
  EMC / Environmental control / pollution of fluidic systems

A score is assigned to each of the measures listed in the table. The total sum is 100. A score of 65 or better must be achieved. With a score of 65 it is conceivable that the residual fraction of common cause failures is less than or equal to 2%. If, on the other hand, the total score is less than 65, further measures must be taken.

The highest credits are assigned to measures against environmental influences (25 points) and to the use of different technologies / physical principles for the two channels in a two channel system (20 points).

Diversity example

Two position switches are used in combination, one directly mechanically operated and one indirectly mechanically operated, as summarised below:

Mechanical drive: Direct
  (Figure: the switch shown with the guard closed and with the guard open)
  Working mode
    The plunger (actuator) is held down by a cam as long as the guard is not closed.
    When the guard is closed, the output changes status as a result of the action of the return spring.
  Behaviour example in case of failure
    The output will remain in the safe state when the guard is open even if the spring breaks.

Mechanical drive: Indirect
  Working mode
    The plunger (actuator) is held down by a cam as long as the guard is closed.
    When the guard is open, the output changes status as a result of the action of the return spring.
  Behaviour example in case of failure
    If the spring breaks, the output may be in an unsafe state even when the guard is open.

Another example of diversity is an output made by a combination of a mechanical switch in series with an electronic switch.

Each measure in Table F.1 must be evaluated. The related score is assigned only if the measure has been fully applied; in the case of partial adoption, the associated score is zero.
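As an added example (not from the page, ISO 13849-1 or any vendor tool), the scoring rules stated above and in the scoring paragraph can be written as a small worksheet checker: a measure earns its credit only when fully applied, partial adoption counts as zero, the credits of the worksheet must sum to 100, and the total must reach 65. The worksheet entries below are constructed; only the two credits quoted on this page (25 for environmental influences, 20 for diversity of technologies) are real Table F.1 values, the other credits are illustrative placeholders and the entries are not the ten measures of Table F.1.

```python
from dataclasses import dataclass

CCF_THRESHOLD = 65   # minimum total score required by the text
TABLE_TOTAL = 100    # the credits of Table F.1 sum to 100


@dataclass
class Measure:
    name: str
    credit: int        # score the measure carries in Table F.1
    adoption: str      # "full", "partial" or "none"


def earned(m: Measure) -> int:
    """Credit earned by one measure: only full adoption scores."""
    if m.adoption == "full":
        return m.credit
    if m.adoption in ("partial", "none"):
        return 0       # partial adoption is scored as zero, per the text
    raise ValueError(f"unknown adoption level {m.adoption!r} for {m.name}")


def ccf_score(measures: list) -> int:
    """Total CCF score; rejects a worksheet that does not cover the whole table."""
    total_credit = sum(m.credit for m in measures)
    if total_credit != TABLE_TOTAL:
        raise ValueError(f"worksheet credits sum to {total_credit}, expected {TABLE_TOTAL}")
    return sum(earned(m) for m in measures)


def ccf_requirement_met(measures: list) -> bool:
    """True when the total reaches the 65-point threshold."""
    return ccf_score(measures) >= CCF_THRESHOLD


# Constructed worksheet (placeholder credits, except the 25 and 20 quoted
# on the page). Diversity is only partially adopted here, so it scores 0.
WORKSHEET = [
    Measure("Separation / segregation", 15, "full"),
    Measure("Diversity / redundancy (different technologies)", 20, "partial"),
    Measure("Design / application / maturity / experience", 20, "full"),
    Measure("Data evaluation / analysis and feedback", 5, "full"),
    Measure("Expertise / training / safety culture", 5, "full"),
    Measure("EMC / environmental control (environmental influences)", 25, "full"),
    Measure("Pollution of fluidic systems", 10, "none"),
]

if __name__ == "__main__":
    print(ccf_score(WORKSHEET), ccf_requirement_met(WORKSHEET))  # 70 True
```

Changing the diversity entry to "full" raises the total to 90, while downgrading separation to "partial" drops it to 55 and the requirement fails, which shows how a single partially applied high-credit measure can decide the outcome.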