Failure Modes of Safety Instrumented Function


Instrumentation equipment can fail in various ways, commonly referred to as “failure modes.” For example, a two-wire pressure transmitter, designed to provide a 4–20 milliamp signal proportional to the pressure input, can experience multiple failure modes. Detailed failure mode, effects, and diagnostic analyses have identified several potential issues, including frozen output, current reaching the upper or lower limit, diagnostic failure, communication failure, and drifting or erratic output. Depending on the specific application, these instrument failures can be categorized into distinct failure mode classifications.

Fail-Safe or Safe Failure

Most practitioners define “Fail-Safe” for an instrument as a failure that causes a “false or spurious” trip of a safety instrumented function unless that trip is prevented by the architecture of the safety instrumented function. Many formal definitions have been attempted that include “a failure which causes the system to go to a safe state or increases the probability of going to a safe state.” This definition is useful at the system level and includes many cases where redundant architectures are used.

IEC 61508 uses the definition “failure which does not have the potential to put the safety-related system in a hazardous or fail-to-function state.” This definition includes many failures that do not cause a false trip under any circumstances and is quite different from the definition practitioners need to calculate the false trip probability. Using this definition, all failure modes that are NOT dangerous are called “safe.”

Fail-Danger or Dangerous Failure

Many practitioners define “Fail-Danger” as a failure that prevents a safety instrumented function from performing its design intent, i.e. the SIF does not put the process into the defined safe state on demand. Variations of this definition exist in standards. IEC 61508 provides a definition similar to the one used herein, which reads: “failure which has the potential to put the safety-related system in a hazardous or fail-to-function state.”

A note attached to the IEC 61508 definition adds: “Whether or not the potential is realized may depend on the channel architecture of the system; in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.” This note recognizes that a failure mode defined for a piece of equipment may not have the same meaning at the safety instrumented function level or the system level.


Dangerous failures prevent the SIF from achieving its design intent. That holds for subsystems with no redundancy, i.e. a NooN architecture. For architectures with redundancy, i.e. MooN where M < N, the dangerous failure of one device does not directly prevent the SIF from acting but puts it into a “degraded state”.

For safe failures, the situation is somewhat similar. A 1ooN subsystem will trip on the safe failure of one device, whereas a MooN subsystem with M > 1 will not trip on a single safe failure.
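The device-to-SIF translation described in the two paragraphs above, as an added worked example (not code from the original post or from any standard): given the voting architecture and a failure mode per channel, it reports whether the subsystem has spuriously tripped, failed to function, or merely lost margin, and shows how IEC 61508's two-way split lumps the other modes into “safe”. The mode labels and the scenario inputs are constructed for illustration.

```python
from collections import Counter

# Device-level failure modes named on the page (constructed labels, not a standard's enumeration).
SAFE, DANGEROUS, ANNUNCIATION, NO_EFFECT, HEALTHY = (
    "safe", "dangerous", "annunciation", "no_effect", "healthy")


def iec61508_class(mode):
    """IEC 61508 splits failures into dangerous and safe only: annunciation and
    no-effect failures both land in 'safe', which is why that 'safe' count cannot
    be used directly as a spurious-trip figure."""
    if mode == HEALTHY:
        return None
    return "dangerous" if mode == DANGEROUS else "safe"


def sif_effect(m, n, channel_modes):
    """Translate per-channel failure modes into the effect on a MooN-voted subsystem
    (M channels must vote trip for the SIF to trip).  A safe-failed channel asserts a
    permanent trip vote; a dangerous-failed channel can never vote trip on demand."""
    if not 1 <= m <= n or len(channel_modes) != n:
        raise ValueError("need 1 <= M <= N and exactly N channel states")
    counts = Counter(channel_modes)
    safe, dangerous = counts[SAFE], counts[DANGEROUS]
    # Channels still able to vote trip when a real demand arrives.
    votes_on_demand = n - dangerous
    if safe >= m:
        state = "spurious trip"        # the SIF has already tripped with no demand
    elif votes_on_demand < m:
        state = "fail-to-function"     # too few channels left to reach M votes
    elif safe or dangerous:
        state = "degraded"             # still works, but with less margin than designed
    else:
        state = "nominal"
    return {
        "state": state,
        # further dangerous failures the subsystem can absorb before fail-to-function
        "dangerous_margin": max(votes_on_demand - m, 0),
        # further safe failures it can absorb before a spurious trip
        "safe_margin": max(m - safe, 0),
        # an annunciation failure does not change the vote, but faults may now go undetected
        "diagnostics_impaired": counts[ANNUNCIATION] > 0,
    }


if __name__ == "__main__":
    # Constructed scenarios: 1oo1 has no redundancy; 2oo3 tolerates one failure of either kind.
    print("1oo1", sif_effect(1, 1, [DANGEROUS])["state"])                    # fail-to-function
    print("2oo3", sif_effect(2, 3, [DANGEROUS, HEALTHY, HEALTHY])["state"])  # degraded
    print("1oo2", sif_effect(1, 2, [SAFE, HEALTHY])["state"])                # spurious trip
    print("2oo3", sif_effect(2, 3, [SAFE, HEALTHY, HEALTHY])["state"])       # degraded
```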

Annunciation Failures

Annunciation failures are failures of the diagnostic detection systems, after which they can no longer detect faults. Some practitioners recognize that certain failures within equipment used in a safety instrumented function prevent the automatic diagnostics from operating correctly. When reliability models are built, many account for the ability of automatic diagnostics to reduce the probability of failure. When these diagnostics stop working, the probability of dangerous failure or false trip is increased. While these effects may not be significant, unless they are modeled, the effect is not known.

An annunciation failure is therefore defined as a failure that prevents automatic diagnostics from detecting or annunciating that a failure has occurred inside the equipment. Note that the failure may be within the equipment that fails or inside an external piece of equipment designed for the purpose of automatic diagnostics. These failures would be classified as “Fail-Safe” in the definition provided in IEC 61508.

No Effect Failures

Some failures within a piece of equipment have no effect on the safety instrumented function: they do not cause a false trip, nor prevent automatic diagnostics from working. Some functionality performed by the equipment is impaired, but that functionality is not needed. These may simply be called “No Effect” failures. They are typically not used in any reliability model intended to obtain the probability of a false trip or the probability of a fail-danger. Per IEC 61508, these would be classified as “Fail-Safe” or may be excluded completely from any analysis, depending on the analyst's interpretation.


References

  • IEC 61508
  • Functional Safety from Scratch by Peter Clarke