Computation of the MTTFD

(average time before a dangerous failure occurs)

The true reliability of a component is never exactly known, but statistics and reliability theory give us the tools for its estimation.

The failure rate λ is the measure of reliability of a component; it gives the number of failures per unit time (hour).

Its reciprocal, called mean time between failures, is commonly indicated with the short form MTBF (mean time between failures) or MTTF (mean time to failure) in case of the first failure after the initial start-up. MTTF is measured in years.

For the computation of the PFHD, it is important to know only the MTTFD, i.e. only the faults that can cause a dangerous system operation.

To help the designer to select which faults to consider, EN ISO 13849-2 (Annexes A to D) provides, for each technology, a list of relevant faults and the conditions under which it is possible to assume that they cannot occur (faults exclusion).

The list is not exhaustive and, if necessary, additional faults can be added depending on the particular application.

In practice, for each SRP / CS it is advisable to build a list of all components used and for each of them establish the faults to be considered on the basis of the list of faults provided in EN ISO 13849-2, then determine if the type of fault is a dangerous fault, or if has no safety relevance or if can be excluded a priori.

For ease of computation or in case of uncertainty, the standard makes it possible to consider, for each component, 50% of possible faults as dangerous (worst case), therefore:


Furthermore, to simplify, the following criterion was adopted:

  • If a “first fault” directly triggers a second fault, the probability of occurrence of this second fault is the same as that of the first fault; it follows that the first fault and all those originated by it must be considered as a single fault.If, in some circumstances, two faults have the same common origin, they must be considered as a single fault (CCF).
  • The simultaneous occurrence of two or more faults due to separate causes is highly unlikely (product of two probabilities extremely low on their own) and therefore is not considered. This means that it is generally acceptable that the simultaneous occurrence of multiple independent faults can generate a hazard.
  • Each SRP / CS must be reasonably reliable so that the probability of a “first failure” is low; therefore, MTTFD values of less than 3 years are not considered.

MTTFD: where to get data?

The hierarchical procedure for finding reliability data should be as follow:

  1. Use of manufacturer’s data
  2. Use of data of table C.1 of the Standard for most commonly used mechanical, hydraulic, pneumatic, electrical components for which the failure mechanism is due to wear of materials
  3. Use of data of tables C.2 to C.7 for electronic components
  4. Select 10 years

The use of data of table C.1 is allowed only if it is possible to prove that good engineering practices have been followed This means:

  • The components selected have been designed and manufactured according to basic safety principles and well tried safety principles according to ISO13849-2 or other relevant standard. (Confirmed in component’s data sheet).
  • The manufacturer specifies that the component is appropriate for the application and operating conditions of the user.
  • The manufacturer of the SRP/CS, declares that the component is used respecting basic and well tried safety principles according to ISO 13849-2.

MTTFD of parts whose failures are mainly due to ware

For all electromechanical and pneumatic components subject to wear (e.g relays, solenoid valves, switches) the failure rate increases with the number of worked cycles, therefore their reliability is generally not referred to the working time but to the number of worked cycles.

The parameter provided by the manufacturers is B10 (numbers of cycles until 10% of the components have failed in a life test, under specified load).

The percentage of B10 for which the component has failed dangerously is indicated with B10D.

In the absence of detailed information, EN ISO 13849-1 recommends considering 50% of failures as dangerous:

Knowing the B10D and the average number of operations in a year (Nop), the value of MTTFD is derived as follows:

Then, the useful life of the component must be limited to T10D (time within which 10% of the components under consideration fail dangerously).

This time must be compared with the missison time of the machine (20 years, established by the standard). If the useful life T10D of the component is less than 20 years, the component must be replaced before the expire of its useful life.

Relay example:

B10 = 3.000.000 cicli

dop = 220 dd/year
hop = 16 h/day (two shifts of work)
tciclo = 15 s (machine cycle)

The useful life of the relay is just over 7 years. The relay must be replaced in the seventh year of operation.

Computation of the MTTFD of the SRP/CS

The relationship between the reliability of the components, their number in a channel and the total MTTFD of the SRP/CS is the following:

Where MTTFDi  is the MTTFD value of each components

The formula is also valid for several SRP/CS connected in series to form a channel where the failure of one component causes the failure of the whole channel.

The MTTFD of a channel greater than 100 years are not acceptable since the PFHd of the SRP/CS must not depend only on the reliability of the components. An exception is Category 4 where the limit is extended up to 2500 years.

Example: channel consisting of three components a, b and c

It should be limited to 100 years up to PLd

In the case of dual channel systems (Cat. 3 and Cat. 4) only one channel needs the computation of the MTTFd, but if the overall MTTFD of each of the two channels have different values (not homogeneous channels), there are two possibilities:

  • The lower MTTFD value of the two is selected (worst case)
  • The following formula is used which “re-homogenizes” the two channels. The dual channel system is replaced with an equivalent architecture having identical MTTFDs for both channels.

MTTFDC1 e MTTFDC2 are the MTTFD values of the two channels.

Once the calculation is completed, the MTTFD class is chosen from the following table:

Denotations of MTTFD Range in years
Low 3 ≤ MTTFD < 10
Medium 10 ≤ MTTFD < 30
High 30 ≤ MTTFD < 100

Individual components of the channel may have MTTFD values higher than 100 years.