Redundancy in Functional Safety — How to Calculate It Correctly

30 September 2022 · Dr. Michel Houtermans · 3 min read

Redundancy is often misunderstood. It is not about how many components you see, but how many are actually needed to perform a function when failures occur.

What Redundancy Really Means

Everybody knows the word redundancy, but not everybody knows what it means exactly or how to apply it.

Dictionaries define redundancy as “multiple means to carry out the same function.” At first glance, this sounds simple. If you have multiple components doing the same job, you might assume you have redundancy.

But redundancy is not about how many components you have. It is about how many are required for the function to still work when something fails.

The key question is: how many components can fail while the function still works?

The Ladder Example

Imagine a situation where three men are holding up a ladder. These men should not be doing this in the first place, but it is a useful example to explain redundancy.

We have three people performing the same function: holding the ladder. But how many are actually needed?

  • If only one man is needed to hold the ladder, then the other two are redundant.
  • If two men are needed, then only one is redundant.
  • If all three are needed, then there is no redundancy at all.

Redundancy is not defined by how many elements you have, but by how many you can lose without losing the function.

When Do You Have Redundancy?

You only have redundancy if the function can still be carried out after one or more failures.

If all elements are required for the function to work, then there is zero redundancy, even if multiple elements are present.

Important: Seeing multiple components does not mean you have redundancy. You must understand the function and the failure behaviour.

Can Redundancy Be Expressed as a Number?

Yes, redundancy can be expressed as a number, but only if you clearly define two things: how many failures you are considering, and what you are counting. You can count the remaining means to carry out the function (the valid combinations of working elements), or you can count the further failures the function can still tolerate. Both numbers change with the failure state you start from.

Case 1: One Man Required (1oo3 Thinking)

Let us assume that only one man is required to hold the ladder, but we have three available. Call them A, B and C. A "means" of carrying out the function is any group of men that can hold the ladder together; here a single man is enough.

  • If no one has failed, three means remain (A, B or C) → three redundant means, and two further failures can be tolerated
  • If one man fails, two means remain → two redundant means, and one further failure can be tolerated
  • If two men fail, one means remains → the function still works, but no further failure can be tolerated
  • If all three fail, no means remain → the function is lost

Case 2: Two Men Required (2oo3 Thinking)

Now assume that two men are required to hold the ladder. A means is now a pair of men.

  • If no one has failed, three means remain (AB, AC or BC) → three redundant means, but only one further failure can be tolerated
  • If one man fails, only one pair remains → one redundant means, and no further failure can be tolerated
  • If two men fail, no pair remains → the function is lost

Notice that "three means" describes both 1oo3 and 2oo3 before any failure, yet the two arrangements survive a very different number of failures. Counting means alone tells you little; you also have to state how many failures you have already assumed.

Why the Assumption Matters

If you want to calculate redundancy, you must first define how many failures you assume. Without this assumption, redundancy as a number has no meaning.

This is exactly why, in functional safety, we prefer to use concepts like Hardware Fault Tolerance (HFT). HFT clearly defines how many dangerous failures a system can tolerate while still performing its function. For an MooN arrangement (M elements required out of N present) it is N - M before any failure has occurred: the 1oo3 ladder has an HFT of 2, the 2oo3 ladder an HFT of 1, and an arrangement in which all three men are needed (3oo3) has an HFT of 0, exactly like a single man holding the ladder alone.

Redundancy without a failure assumption is meaningless. Always define how many failures you are considering, and remember that the count assumes independent failures: a common cause that disables all elements at once (the same wet floor under all three men) defeats any redundancy count, however high.
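As an added worked example, not part of the original post, the following Python generalizes the two ladder cases to any MooN arrangement. For each failure state it counts the remaining means (the valid combinations of surviving elements), the further failures the function can absorb, and the Hardware Fault Tolerance N - M used in IEC 61508. The men A, B and C and all function names are assumptions made for illustration.

```python
"""Count redundancy for an MooN (M-out-of-N) arrangement such as the ladder:
N elements are present, M must work for the function to be performed, and
k of them have already failed.

Two different numbers fall out of the same failure assumption:
  * remaining means      -- distinct groups of surviving elements that can still
                            perform the function (the "three combinations" of
                            2oo3 before any failure);
  * remaining tolerance  -- further failures the function can survive.
Hardware Fault Tolerance (HFT) is the tolerance before any failure: N - M.
"""
import math
from itertools import combinations
from typing import FrozenSet, Iterable, List, Optional, Tuple


def valid_combinations(elements: Iterable[str], n_required: int,
                       failed: Iterable[str] = ()) -> List[FrozenSet[str]]:
    """Enumerate every group of surviving elements that can still carry out
    the function, i.e. every n_required-subset of the survivors."""
    failed = set(failed)
    survivors = [e for e in elements if e not in failed]
    return [frozenset(group) for group in combinations(survivors, n_required)]


def remaining_means(n_elements: int, n_required: int, n_failed: int) -> int:
    """Number of distinct groups that can still perform the function after
    n_failed elements have failed: C(N - k, M). Zero once fewer than M survive."""
    if not 0 <= n_failed <= n_elements:
        raise ValueError("n_failed must lie between 0 and n_elements")
    survivors = n_elements - n_failed
    if survivors < n_required:
        return 0
    return math.comb(survivors, n_required)


def remaining_fault_tolerance(n_elements: int, n_required: int,
                              n_failed: int) -> Optional[int]:
    """How many further element failures the function can absorb from this
    state. Returns None when the function has already been lost."""
    survivors = n_elements - n_failed
    if survivors < n_required:
        return None
    return survivors - n_required


def hardware_fault_tolerance(n_elements: int, n_required: int) -> int:
    """HFT of an MooN arrangement before any failure: N - M.
    1oo3 -> 2, 2oo3 -> 1, 3oo3 (or 1oo1) -> 0."""
    if not 1 <= n_required <= n_elements:
        raise ValueError("need 1 <= M <= N")
    return n_elements - n_required


def redundancy_table(n_elements: int, n_required: int
                     ) -> List[Tuple[int, int, Optional[int]]]:
    """Rows of (failures so far, remaining means, remaining tolerance) for
    every failure state from no failures up to all N elements failed."""
    return [(k, remaining_means(n_elements, n_required, k),
             remaining_fault_tolerance(n_elements, n_required, k))
            for k in range(n_elements + 1)]


if __name__ == "__main__":
    men = ("A", "B", "C")  # constructed example: the three men holding the ladder
    for m in (1, 2, 3):
        print(f"{m}oo3  HFT = {hardware_fault_tolerance(3, m)}")
        for k, means, tol in redundancy_table(3, m):
            state = "function lost" if tol is None else f"{tol} further failure(s) tolerable"
            print(f"  {k} failed: {means} means remaining, {state}")
    # Which 2oo3 pairs survive once man A has failed?
    print([sorted(pair) for pair in valid_combinations(men, 2, failed={"A"})])
```

The table makes the point of the post visible at a glance: 1oo3 and 2oo3 both start with three means, but the tolerance column (2 versus 1) is what HFT actually measures, and it is the number a safety assessor will ask for.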

Go deeper — IEC 61508 Course

Our IEC 61508 course explains redundancy, HFT, and voting in detail, and shows how to apply them correctly in safety system design.

