Building Machine Safety Control Systems with MTTFd

Posted by Eric Olson on Aug 31, 2016 8:42:39 AM

Find me on:


Picture this, you are driving down the road and you come upon a bridge.  What do you do?  Do you get out and inspect the girders before crossing over?  Of course not!  Why are you so confident that you can just drive over without any problem?  Because the designers, builders and inspectors have all taken the time to ensure that the bridge is safe. 

This is the same when discussing the construction of a building or even construction of industrial equipment.  One of the factors that comes into play is MTTFd (Mean Time To Dangerous Failure).  This refers to an average amount of time that it takes a safety control system to encounter a dangerous failure.

Dangerous failure means that the safety function is not performed because of a component failure. Every part in a safety system has a predicted length of life, but that length of time has to do with how they are used and the frequency of use.

The Concept of MTTFd in Everyday Life

In the case of buildings, components required for the structure (tent’s supports, houses wooden beams, high rises steel frame) have their specific useful life expectancy.  You wouldn’t use a tent pole to hold up the roof of a house, nor would you build a high rise office with wooden pillars.  The stress and fatigue that those materials would have on them would be so severe that failure would be imminent if not immediate.

The frequency of use in a tent may only be once or twice a year and only by one or two people.  A house on the other hand is used every day and by more (possibly) people. Though an office building may only be in use 8 hours a day 5 days a week it may be in use by hundreds or even thousands of people.

How Does a Safety Control System Work?

We have been speaking in general terms so far, now let’s look at safety control systems in more detail. Each channel of a safety control system as defined in ISO13849-1:2006 consists on an I (input device), an L (logic operations device) and an O (output device) in series.  In reliability engineering, the probability of a system failure is expressed as the sum of failure probabilities of individual components comprising the channel. 

This also applies to dangerous failures. But there is a relationship of reciprocity between dangerous failure rates and average dangerous failure times. With all of that in mind, the average dangerous failure time (MTTFd) for the entire system is calculated as the reciprocal of the sum of the reciprocals of the individual component’s dangerous failure times (MTTFd).


There are two options for calculating the MTTFdi for individual components according to ISO13849-1:2006:

  1. Use data provided by component manufacturers.
  2. When manufacturers do not provide data, you can use the estimated data specified in Annex C Table C1 of ISO13849-1:2006.

This can be a very labor intensive project, so it is common practice to evaluate a system on the level of I, L and O components.  Sometimes manufacturers do not provide this information so Annex C provides values of MTTFd or B10d for typical components. B10d refers to the number of operations it takes for 10% of the samples to experience a dangerous failure. 

This data is primarily used to determine the MTTFd for components that wear out through use such as electro-mechanical devices.

After that has all been determined you next need to estimate how many times a year the component is operated (Nop).

The value of Nop is determined by the following:

  • Tcycle: An average time interval for an operating cycle (Unit: seconds per cycle)
  • Hop: The number of Operating hours per day (Unit: hours per day)
  • Dop: The number of operating days per year (Unit: days per year)

In other words the machine designer needs to understand how many hours a day/year the machine needs to operate and how frequently the safety component needs to operate as well.

Once all of this is figured the resulting MTTFd is classified in one of three levels.

Low, medium or high.

Low = 3 years < MTTFd < 10years
Medium = 10 years < MTTFd < 30years
High = 30 years < MTTFd < 100years

Hopefully this has helped to clear up any questions regarding what MTTFd means and how important it is to the design of your safety control system.  Next time you drive over a bridge be thankful that the designers also care about how long the bridge will last!

Speak to an Expert


You may also be interested in reading:


Topics: Machine Safety

ACD Connect

About the Blog

Welcome to ACD Connect! We will be bringing you the latest industry news in Industrial Automation, features on new products and manufacturers, helpful Engineering tips and how-to's, as well as exciting company updates. ACD Connect is where to go to read about the industry's newest technologies. 

Subscribe to ACD Connect!

Recent Posts