Calculations for Functional Safety
Quantities, Formulas and Methods

Thomas Brunnengräber

14 January 2022


Foreword and Motivation

Whereas in the past, functional safety hardly played a role in many industries, and in the others was essentially ensured by detailed design rules, driven by (negative) experiences 1, today the trend is moving away from fixed design rules to quantitative requirements and evidence. This undoubtedly promotes innovation and competition, but it also carries the risk of unsafe systems entering the market.

The practice of the author as an assessor for functional safety shows again and again, that even experienced safety engineers find it difficult to perform correct calculations. This is often caused by a lack of understanding of the different variables, but just as often it is also due to a lack of knowledge about the calculation tools and methods used (especially FTA tools), coupled with an unjustifiably high level of trust in them.

This introduction is primarily intended for prospective and experienced safety engineers, but also to mathematicians or computer scientists, who are entrusted with the development of calculation tools. Reference is occasionally made to standards, however, knowledge of these standards is not presumed.

1 a former colleague used to say: "safety was paid for in blood"


In the following, the term system is used, because this is common in this context. In fact, however, the term function would often be more correct, since a failure and thus all calculations generally refer to a function, which is to be executed by a technical system. The term system is meaningless without naming the considered (failure) function, because a system will usually execute several functions, which will have different failure behavior due to the generally different components involved, and whose different malfunctions will generally have different consequences. The (imprecise) term system is also used in the following, to avoid confusion with mathematical functions and thus make it easier to read.

In the field of reliability calculation usually the scientific notation of numerical values is used, for example 0.0123=1.23e-2=1.23E-2 or 1000=1E3=1.0E3 (whereas 1.0\(\cdot \)10E3=10E3 is actually 1E4=10000 – and not 1000, as often assumed!).

Understanding sections 2 and 4 is a prerequisite for all other sections, they should therefore be read before taking a closer look at the examples given in sections 5 and 6. Those who are only interested in fault trees, can skip the sections on Markov modeling.