Comparative analysis of the M-out-of-N structure in EN50129:2018 and IEC61508:2010

Comparing and analysing EN50129:2018 and IEC 61508:2010 shows that the meaning of the M-out-of-N structure differs between the two standards. The reason lies in the fact that the M-out-of-N structure in EN50129:2018 is defined in terms of the required functions, whereas in IEC 61508:2010 it is defined in terms of dangerous failures. The 2-out-of-2 structure defined by EN50129:2018 is equivalent to the 1-out-of-2 structure defined by IEC 61508:2010, and the 2-out-of-2 structure defined by IEC 61508:2010 is equivalent to a parallel redundancy or dual hot standby structure. Further, the formula given by EN50129:2018 is found to be less conservative than that given by IEC61508:2010.

The importance of the safety architecture of a railway signalling safety-related electronic system is self-evident. EN50129:2018 puts forward three ways for such a system to realise the fail-safety principle: composite, reactive and inherent fail-safety. Of these, composite fail-safety is the most common.
According to EN50129:2018, composite fail-safety is realised by M-out-of-N (MooN, N ≥ M, M ≥ 2) redundancy, which means that a 2-out-of-2 (2oo2) structure is the minimum that can be used to realise composite fail-safety and reach the safety integrity level SIL-4 target. The 2oo2 structure here must be one of the composite fail-safety architectures recommended in Table E.4 of the standard's annex: a dual electronic structure with fail-safe comparison, or a diverse electronic structure based on fail-safe comparison.
The IEC61508:2010 series of standards [3,4] does not give a complete and clear definition of the M-out-of-N (MooN) channel architecture; it only states that the architecture has a majority voter for detecting and masking faults, and that the voter itself may be subject to external tests or use self-monitoring techniques. According to the calculation results given in IEC61508-6:2010, under the same conditions the safety performance of the 2oo2 structure is far worse than that of the 1-out-of-2 (1oo2) and 2-out-of-3 (2oo3) structures: its dangerous failure frequency is about one to two orders of magnitude higher. In most cases where the 1oo2 and 2oo3 structures meet the SIL-4 target, the 2oo2 structure does not.
Comparing EN50129:2018 and IEC61508:2010 thus shows that, although both speak of a 2-out-of-2 structure, the two standards mean different things by it, and the reasons behind the difference deserve a comparative analysis. This paper therefore compares the definition of the M-out-of-N structure, the calculation method of the safety index and the numerical values of the safety index in EN50129:2018 and IEC61508:2010, in order to analyse the difference between the two standards on the 2-out-of-2 structure.

2.
Comparison and analysis of the structure definition of M-out-of-N in EN50129:2018 and IEC61508:2010

In EN50129:2018, M-out-of-N redundancy is defined as follows: of N items in total, at least M must perform the function for the requirement to be met. An M-out-of-N system is composed of N independent main items (clause B.3.2.2 of EN50129:2018 itself writes that an M-out-of-N system has M main items), and each main item may have one or more "additional items" that check the main item.
The standard clearly states that under composite fail-safety each safety-related function is executed by at least two items, and that non-restrictive behaviour may be produced only when the required number of items agree; the output of the unrestricted state therefore uses "AND" logic. Each item shall have an independent failure detection and negation mechanism, and for item X (or Y) this mechanism may be performed by item Y (or X). The simultaneous failure of both items may be dangerous. This amounts to a clear definition of the 2-out-of-2 structure.
Although the IEC61508:2010 series does not directly give a complete definition of the M-out-of-N structure, it does define the 1-out-of-2, 2-out-of-2, 2-out-of-3 and other structures [3].
The 1-out-of-2 structure consists of two channels connected in parallel, either of which can process the safety function, so the safety function fails on demand only if both channels fail dangerously. Common cause failure has to be considered for this structure.
The 2-out-of-2 structure consists of two channels connected in parallel, both of which must demand the safety function before it can take place, so a dangerous failure of either channel causes the safety function to fail. No common cause failure term is considered for this structure.
The 2-out-of-3 structure consists of three channels connected in parallel with a majority vote arrangement on the output signals: if the output of one channel differs from that of the other two, the final output state does not change. Common cause failure has to be considered for this structure.
It can be seen that the starting point of the M-out-of-N definition in EN50129:2018 is the required function, whereas the starting point of the definition in IEC61508:2010 is the dangerous failure.
Theoretically, the failure of any electronic system can be further divided into "safe" failures and "dangerous" failures [5], so that the failure rate $\lambda$ = safe failure rate $\lambda_S$ + dangerous failure rate $\lambda_D$. After the system fails, normal system functions are no longer executed; but if only a "safe" failure has occurred the system is still safe, and only when a "dangerous" failure has occurred is the system dangerous.
It is of course also feasible to regard every system failure directly as a dangerous failure. The system failure rate is then equal to the system dangerous failure rate, $\lambda = \lambda_D$, there is no safe system failure, and the system safe failure rate is $\lambda_S = 0$. This interpretation suits railway signalling safety-related systems, because such a system must not only continuously and directly perform all of its functions, including the safety-critical signal control function, but must also protect against its own failures.
For the 1oo2 structure of the IEC61508:2010 series there is the output logic shown in Table 1. From it, the 1oo2 structure of IEC61508:2010 applies "OR" logic with respect to dangerous failure (the structure fails dangerously only when both channels fail dangerously) and "AND" logic to the function. The "function" here has the same meaning as the non-restrictive behaviour produced by the "AND" logic output in EN50129:2018.
By the same analysis another conclusion follows: the 2oo2 structure of the IEC61508:2010 series applies "AND" logic with respect to dangerous failure (a dangerous failure of either channel defeats the safety function) and "OR" logic to the function.
In conclusion, by the definition of the 2oo2 structure in EN50129:2018, the 2oo2 structure of EN50129:2018 is equivalent to the 1oo2 structure of the IEC61508:2010 series. Generalising, the NooN structure of EN50129:2018 is equivalent to the 1ooN structure of the IEC61508:2010 series. The 2oo2 structure of the IEC61508:2010 series is equivalent to parallel redundancy or dual-machine hot standby in the Chinese usage, and, generalising, the NooN structure of the IEC61508:2010 series is equivalent to parallel N-modular redundancy or N-modular hot standby.
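As an added illustration (the editor's example, not code from the paper or from either standard), the following Python enumerates the three possible states of each channel and checks which combinations are hazardous under the EN50129:2018 reading (a vote on the required function) and under the IEC61508:2010 reading (a count of dangerous failures). The channel-state labels and the permissive/restrictive modelling of a channel are assumptions of this example. It generalises the NooN ≡ 1ooN statement above to $M_F$ooN ≡ $(N-M_F+1)_{DF}$ooN, which follows directly from the two definitions and is checked here for N = 2 and N = 3.

```python
from itertools import product

# Constructed channel states for this example (the labels are the editor's, not the
# standards'): a channel is working, has failed safely (it can no longer assert the
# permissive output, or has been negated), or has failed dangerously (it asserts the
# permissive output when it should not).
OK, SAFE, DANGEROUS = "ok", "safe", "dangerous"
STATES = (OK, SAFE, DANGEROUS)


def votes_permissive(state, demand_permissive):
    """Does one channel assert the non-restrictive (permissive) output?"""
    if state == DANGEROUS:
        return True                      # wrongly permissive regardless of demand
    if state == SAFE:
        return False                     # negated: never permissive
    return demand_permissive             # a working channel follows the demand


def en50129_system_permissive(states, m_f, demand_permissive):
    """EN 50129 reading, M_F-out-of-N on the required function: the system outputs the
    permissive state only when at least m_f items assert it ('AND' logic when m_f == n)."""
    return sum(votes_permissive(s, demand_permissive) for s in states) >= m_f


def en50129_hazardous(states, m_f):
    """Hazardous: permissive output while the correct output is restrictive."""
    return en50129_system_permissive(states, m_f, demand_permissive=False)


def iec61508_hazardous(states, m_df):
    """IEC 61508 reading, M_DF-out-of-N on dangerous failures: the safety function is
    lost once n - m_df + 1 channels have failed dangerously (1oo2: both; 2oo2: either)."""
    n = len(states)
    return sum(s == DANGEROUS for s in states) >= n - m_df + 1


def hazardous_combinations(hazard_fn, m, n):
    """All n-channel state combinations that hazard_fn flags for the given m."""
    return frozenset(c for c in product(STATES, repeat=n) if hazard_fn(c, m))


def equivalent_iec_m(m_f, n):
    """EN 50129 M_F-oo-N corresponds to IEC 61508 (N - M_F + 1)-oo-N; NooN <-> 1ooN."""
    return n - m_f + 1


def check_equivalence(n):
    """True if, for every m_f, both readings flag exactly the same combinations."""
    return all(
        hazardous_combinations(en50129_hazardous, m_f, n)
        == hazardous_combinations(iec61508_hazardous, equivalent_iec_m(m_f, n), n)
        for m_f in range(1, n + 1)
    )


def function_available(states, m_f):
    """Is the demanded permissive function still delivered? EN 1oo2 (= IEC 2oo2) needs
    only one working item, i.e. hot standby; EN 2oo2 (= IEC 1oo2) needs both."""
    return en50129_system_permissive(states, m_f, demand_permissive=True)


if __name__ == "__main__":
    for m_f in (1, 2):
        combos = sorted(hazardous_combinations(en50129_hazardous, m_f, 2))
        print(f"EN 50129 {m_f}oo2 (function) hazardous for: {combos}")
        print(f"  same set as IEC 61508 {equivalent_iec_m(m_f, 2)}oo2 (dangerous failure)")
    print("N = 2 and N = 3 mapping holds:", check_equivalence(2) and check_equivalence(3))
```

The EN 2oo2 reading is hazardous only for the single combination in which both items have failed dangerously, which is exactly the IEC 1oo2 condition; the EN 1oo2 reading (one item suffices for the function) is hazardous for any combination containing a dangerous failure, which is the IEC 2oo2 condition.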

3.
Calculation method of hardware safety integrity in EN50129:2018 and IEC61508:2010

IEC61508:2010 defines the low demand, high demand and continuous modes of operation [6], while EN50129:2018 explicitly uses the high demand or continuous mode. For IEC61508:2010, the quantitative SIL target in high demand or continuous mode is "the average frequency of a dangerous failure of the safety function [$h^{-1}$]", the PFH.
The PFH of the 1oo2 structure defined in the IEC61508:2010 series is given by equation (1), in which $\beta$ is the fraction of undetected failures that have a common cause, $\lambda_D$ is the dangerous failure rate, $T_1$ is the proof test interval (hour), MTTR is the mean time to restoration (hour) and MRT is the mean repair time (hour).
EN50129:2018 gives, in Formula B.1, the basic formula for the asymptotic hazardous functional failure rate (FFR) of two items A and B. When A and B are identical it reduces to equation (6), in which SDT is the safe down time (hour), the reciprocal of the safe down rate SDR.

4.
Comparative

It can be seen that EN50129:2018 implicitly treats every system failure as a dangerous failure ($\lambda = \lambda_D$), which by itself points toward a more conservative result.
The IEC61508:2010 series not only distinguishes the dangerous failure rate $\lambda_D$ from the safe failure rate $\lambda_S$, but further divides the dangerous failure rate $\lambda_D$ into the detectable dangerous failure rate $\lambda_{DD}$ and the undetectable dangerous failure rate $\lambda_{DU}$, and the common cause failure factor $\beta$ has to be considered. The PFH of the 1oo2 structure defined in the IEC61508:2010 series is given by equation (1).
When calculating the PFH value, IEC61508-6:2010 takes $T_1$ as 1 month, 3 months, 6 months and 12 months. Since EN50129:2018 requires that the SDT not be too long, $T_1$ is taken here as 1 month, with MTTR = MRT = 8 h, and the failure rate $\lambda$ is taken as 0.1 × 10⁻⁶, 0.5 × 10⁻⁶, 1 × 10⁻⁶, 5 × 10⁻⁶, 10 × 10⁻⁶ and 50 × 10⁻⁶ $h^{-1}$ respectively.
The NooN structure defined in EN50129:2018 (N-out-of-N in the Chinese usage) is equivalent to the 1ooN structure of the IEC61508:2010 series, while the NooN structure of the IEC61508:2010 series is equivalent to parallel N-modular redundancy or N-modular hot standby in the Chinese usage.
It is not appropriate that Formula B.1 of EN50129:2018 does not consider common cause failure [7]. Even when common cause failure is taken into account, however, the FFR value is not conservative enough compared with the PFH calculated per IEC61508-6:2010 under the same conditions. It is recommended to use the methods of the IEC61508:2010 series, or derived methods such as the PDS method [8][9][10][11], to calculate the safety index parameters.
To distinguish whether an M-out-of-N structure is defined with respect to dangerous failure or with respect to the required function, it is recommended to mark M with a subscript: DF for dangerous failure, i.e. $M_{DF}$ooN, and F or SF for function or safety function, i.e. $M_F$ooN or $M_{SF}$ooN.
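A worked numerical example, added by the editor and not taken from the paper: it implements the IEC 61508-6:2010 Annex B high-demand PFH formulas for 1oo2, 2oo2 and 2oo3 in the form this editor recalls from clause B.3.3.2 (verify against your copy of the standard, since equation (1) is not reproduced above), together with the composite fail-safety approximation FFR ≈ 2λ²·SDT for two identical items, which is an assumed form of equation (6), not the page's own. β = 2 %, β_D = 1 %, DC = 0 (so that λ = λ_D, matching section 2), T_1 = 730 h, MTTR = MRT = 8 h and SDT = T_1 are assumptions of the example; the SIL bands are those of IEC 61508-1 Table 3 for high demand mode. At λ = 1 × 10⁻⁶ h⁻¹ the 2oo2 PFH comes out roughly two orders of magnitude above the 1oo2 PFH (the ratio is close to 2/β), which is the effect described in the introduction, and the 1oo2 PFH is dominated by the βλ_DU common cause term that the FFR approximation lacks. Whether the FFR ends up below the PFH over the whole λ range depends on the exact form of Formula B.1 and on the β, DC and SDT values chosen, so treat the sweep as a method, not as a reproduction of the paper's figures.

```python
# Editor-added example (not the paper's code). Formula forms follow IEC 61508-6:2010
# Annex B (B.3.3.2.2 1oo2, B.3.3.2.3 2oo2, B.3.3.2.5 2oo3) as recalled; verify
# against the standard. Units: failure rates in 1/h, times in h.

SIL_BANDS_HIGH_DEMAND = (      # IEC 61508-1 Table 3: PFH per hour, [lower, upper)
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
)


def sil_high_demand(pfh):
    """SIL reached for a given PFH in high demand / continuous mode (0 = below SIL 1)."""
    for sil, lo, hi in SIL_BANDS_HIGH_DEMAND:
        if lo <= pfh < hi:
            return sil
    return 0


def split_dangerous(lam_d, dc):
    """Split lambda_D into detected and undetected parts by diagnostic coverage DC."""
    return dc * lam_d, (1.0 - dc) * lam_d        # (lambda_DD, lambda_DU)


def t_ce(lam_du, lam_dd, t1, mttr, mrt):
    """Channel equivalent mean down time: an undetected failure waits on average
    T1/2 plus MRT, a detected one MTTR."""
    lam_d = lam_du + lam_dd
    return (lam_du / lam_d) * (t1 / 2.0 + mrt) + (lam_dd / lam_d) * mttr


def _pfh_voted(k, lam_d, dc, beta, beta_d, t1, mttr, mrt):
    # k = 2 for 1oo2, k = 6 for 2oo3; the beta terms are the common cause failures.
    lam_dd, lam_du = split_dangerous(lam_d, dc)
    tce = t_ce(lam_du, lam_dd, t1, mttr, mrt)
    return (k * ((1.0 - beta_d) * lam_dd + (1.0 - beta) * lam_du) * lam_du * tce
            + beta_d * lam_dd + beta * lam_du)


def pfh_1oo2(lam_d, dc, beta, beta_d, t1, mttr, mrt):
    return _pfh_voted(2, lam_d, dc, beta, beta_d, t1, mttr, mrt)


def pfh_2oo3(lam_d, dc, beta, beta_d, t1, mttr, mrt):
    return _pfh_voted(6, lam_d, dc, beta, beta_d, t1, mttr, mrt)


def pfh_2oo2(lam_d, dc):
    """Either channel failing dangerously and undetected defeats the safety function;
    no common cause term, as noted for 2oo2 in section 2."""
    _, lam_du = split_dangerous(lam_d, dc)
    return 2.0 * lam_du


def ffr_2oo2_identical(lam, sdt):
    """Assumed form of the EN 50129 composite fail-safety FFR for two identical items:
    first failure at rate 2*lam, second failure during the safe down time SDT."""
    return 2.0 * lam * lam * sdt


def compare(lam, dc=0.0, beta=0.02, beta_d=0.01, t1=730.0, mttr=8.0, mrt=8.0, sdt=None):
    """All figures for one failure rate, with lambda = lambda_D (section 2) and
    SDT = T1 unless given; both are assumptions of this example."""
    sdt = t1 if sdt is None else sdt
    p12 = pfh_1oo2(lam, dc, beta, beta_d, t1, mttr, mrt)
    return {
        "pfh_1oo2": p12,
        "pfh_2oo2": pfh_2oo2(lam, dc),
        "pfh_2oo3": pfh_2oo3(lam, dc, beta, beta_d, t1, mttr, mrt),
        "ffr_en50129_2oo2": ffr_2oo2_identical(lam, sdt),
        "ratio_2oo2_to_1oo2": pfh_2oo2(lam, dc) / p12,
    }


if __name__ == "__main__":
    # The failure rates swept in section 4 (1/h).
    for lam in (0.1e-6, 0.5e-6, 1e-6, 5e-6, 10e-6, 50e-6):
        r = compare(lam)
        print(f"lambda={lam:.1e}  1oo2={r['pfh_1oo2']:.2e} (SIL{sil_high_demand(r['pfh_1oo2'])})"
              f"  2oo2={r['pfh_2oo2']:.2e} (SIL{sil_high_demand(r['pfh_2oo2'])})"
              f"  2oo3={r['pfh_2oo3']:.2e}  FFR={r['ffr_en50129_2oo2']:.2e}")
```

With these inputs the λ = 0.1 × 10⁻⁶ h⁻¹ row puts 1oo2 in SIL 4 and 2oo2 only in SIL 2, which is the situation the introduction describes; raising β to 10 % shrinks the 2oo2/1oo2 ratio to about 20, i.e. one order of magnitude instead of two.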