Mean Time to Dangerous Failure
Key Takeaways
- MTTFd counts only dangerous failures, those that create hazardous conditions, not all failures. It is a subset metric derived from general MTTF analysis.
- Formula: MTTFd = Total operating time / Number of dangerous failures. MTTFd values are typically much higher than MTTF because dangerous failures are rare within the total failure population.
- MTTFd is a required parameter in ISO 13849-1 and IEC 62061, the primary standards governing safety-related control systems in industrial machinery.
- It is used as an input to calculate Performance Level (PL) and Safety Integrity Level (SIL), which define whether a safety function meets the risk reduction requirements from a machine risk assessment.
- Improvement strategies focus on proactive maintenance of safety-critical components, enhanced diagnostic coverage, and redundancy in safety system architecture.
- Component manufacturers publish MTTFd values in data sheets. Designers use these published values when calculating the safety performance of a system assembled from multiple components.
What Is Mean Time to Dangerous Failure?
Mean Time to Dangerous Failure is the safety engineering metric that quantifies the average time before a safety-critical component fails in a way that could produce a hazardous outcome. The key distinction from general reliability metrics is in what gets counted: not all failures are dangerous, and MTTFd specifically measures only the subset of failures that create risk to people, equipment, or the environment.
Consider two failures on an industrial conveyor system. If the conveyor motor stops running, production is disrupted, but no one is in immediate danger. This is a production failure, relevant to MTTF and MTBF calculations, but not a dangerous failure in the MTTFd sense. Now consider a safety interlock that is designed to stop the conveyor when a worker enters the maintenance zone. If that interlock fails to engage, a worker could be struck by moving machinery. That is a dangerous failure, directly relevant to MTTFd.
This distinction is what makes MTTFd a safety tool rather than simply a maintenance planning tool. It quantifies the reliability of the safety layer itself, and that quantification is required by international standards before safety-critical machinery can be put into service.
MTTFd Formula and Calculation
The formula mirrors general MTTF but applies only to dangerous failures:
MTTFd = Total operating time / Number of dangerous failures
Worked example: A safety interlock system across a fleet of 20 machines accumulates 500,000 total operating hours over a five-year period. During this time, reliability engineers identify 2 instances where the interlock failed in a dangerous mode (failed to engage when required).
MTTFd = 500,000 / 2 = 250,000 hours
For context: if these safety systems operate 16 hours per day, 250,000 hours translates to approximately 43 years of expected time between dangerous failures per system. This high value is typical for well-designed safety components; standards classify components with MTTFd above 100 years as "high" reliability for safety calculations.
Accurate MTTFd calculation requires a rigorous definition of what constitutes a "dangerous failure" for the specific safety function being analyzed. This definition must be established before data collection begins, and it must distinguish between safe failures (which may take a system to a non-functional but safe state) and dangerous failures (which could allow a hazardous condition to persist or develop).
MTTFd vs. MTTF
| Dimension | MTTF | MTTFd |
|---|---|---|
| Failures counted | All failures of the component | Only dangerous failures (hazardous failure modes) |
| Primary use | Maintenance planning, spare parts stocking | Safety system design, regulatory compliance |
| Applies to | All non-repairable components | Safety-critical components and systems |
| Typical value range | Thousands to tens of thousands of hours | Hundreds of thousands to millions of hours |
| Standards relevance | General reliability engineering | ISO 13849-1, IEC 62061 |
MTTFd in Safety Standards: ISO 13849 and IEC 62061
MTTFd is a required input parameter in the two dominant international standards for safety-related control systems in industrial machinery.
ISO 13849-1 (Safety of Machinery: Safety-Related Parts of Control Systems) uses MTTFd as one of three parameters for calculating the Performance Level (PL) of a safety function. The other two parameters are Diagnostic Coverage (DC) and Common Cause Failure (CCF) resistance. Together they determine which PL category (a through e) a safety function achieves, where PLe represents the highest reliability.
IEC 62061 (Safety of Machinery: Functional Safety of Safety-Related Electrical Control Systems) uses a similar approach with MTTFd as an input to calculating the Safety Integrity Level (SIL) of a safety function, ranging from SIL 1 (lowest) to SIL 3 (highest) for machinery applications.
In both frameworks, higher MTTFd values contribute to achieving higher performance levels and safety integrity levels. Designers assembling safety systems from multiple components use published MTTFd values from component data sheets to calculate the composite safety performance of the complete system.
MTTFd Classification
ISO 13849-1 provides a classification scheme for MTTFd values to simplify system-level calculations:
| Category | MTTFd Range | Interpretation |
|---|---|---|
| Low | 3 to 10 years | Minimum reliability for safety applications |
| Medium | 10 to 30 years | Typical for standard safety components |
| High | 30 to 100 years | High-reliability safety components |
| Capped at 100 years | Above 100 years | Treated as 100 years for calculation purposes to prevent over-reliance on single component reliability |
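The calculation chain above (the fleet MTTFd formula, conversion to years, ISO 13849-1 band classification with the 100-year cap, and combining published component values into a channel figure) as an added Python example; it is not from the article, assumes 16 operating hours per day and 365 days per year, and uses the ISO 13849-1 Annex D parts-count rule (1/MTTFd = sum of 1/MTTFd_i for components in series) that the article mentions only as "composite safety performance".

```python
# Added example (not from the article): MTTFd from field data, ISO 13849-1
# band classification with the 100-year cap, and series combination of
# published component MTTFd values into one channel value.

HOURS_PER_YEAR = 16 * 365  # assumption: 16 h/day, 365 days/year

def mttfd_hours(total_operating_hours: float, dangerous_failures: int) -> float:
    """MTTFd = total operating time / number of dangerous failures."""
    if total_operating_hours <= 0:
        raise ValueError("operating time must be positive")
    if dangerous_failures <= 0:
        raise ValueError("need at least one observed dangerous failure")
    return total_operating_hours / dangerous_failures

def hours_to_years(hours: float, hours_per_year: float = HOURS_PER_YEAR) -> float:
    """Convert an hour-based MTTFd into the years ISO 13849-1 works with."""
    return hours / hours_per_year

def classify_mttfd(years: float) -> tuple[str, float]:
    """Return (ISO 13849-1 band, value to use in the PL calculation).
    Bands: low 3..10, medium 10..30, high 30..100; above 100 is capped at 100.
    Below 3 years is outside the usable range and flagged as such."""
    if years < 3:
        return ("below minimum", years)
    if years < 10:
        return ("low", years)
    if years < 30:
        return ("medium", years)
    return ("high", min(years, 100.0))

def channel_mttfd_years(component_years: list[float]) -> float:
    """Parts-count method (ISO 13849-1 Annex D): components in series in one
    channel combine as 1/MTTFd_ch = sum(1/MTTFd_i); the channel value is then
    subject to the same 100-year cap as a single component."""
    if not component_years or any(y <= 0 for y in component_years):
        raise ValueError("every component MTTFd must be a positive number of years")
    combined = 1.0 / sum(1.0 / y for y in component_years)
    return min(combined, 100.0)

if __name__ == "__main__":
    # Fleet data from the article's worked example: 500,000 h, 2 dangerous failures.
    h = mttfd_hours(500_000, 2)                      # 250,000 h
    band, value = classify_mttfd(hours_to_years(h))  # about 42.8 years -> "high"
    print(f"fleet MTTFd {h:.0f} h = {value:.1f} years ({band})")
    # Constructed data-sheet values: three "high" components in one channel
    # combine to a "medium" channel figure, which is why redundancy matters.
    ch = channel_mttfd_years([50.0, 100.0, 200.0])   # about 28.6 years
    print(f"channel MTTFd {ch:.1f} years ({classify_mttfd(ch)[0]})")
```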
Factors That Affect MTTFd
Component Quality and Design
Safety-rated components are designed with specific failure mode distributions: they are engineered to fail safely (to a non-dangerous state) rather than dangerously where possible. Higher-quality safety components from established manufacturers have validated MTTFd data derived from field performance and accelerated life testing. Generic components substituted for safety-rated ones may have similar MTTF values but very different MTTFd characteristics.
Operating Environment
Temperature extremes, humidity, vibration, contamination, and electromagnetic interference all accelerate component degradation and can shift the balance between safe and dangerous failure modes. Safety components specified and maintained within their rated environmental envelope achieve MTTFd values consistent with published data; those operating outside rated conditions may fail earlier and with a higher proportion of dangerous failures.
Maintenance Practices
Proactive maintenance programs that include regular proof testing of safety functions are essential for maintaining MTTFd in practice. Many dangerous failures develop as hidden failures: the safety component has failed internally but the failure is not visible until the safety function is demanded. Regular proof tests exercise the safety function, bringing hidden failures to light before they result in a dangerous undetected state. Condition monitoring and predictive maintenance programs help detect degradation trends in safety-critical components before they reach dangerous failure thresholds.
Improving MTTFd in Industrial Facilities
Proactive and Predictive Maintenance of Safety Components
Safety-critical components should receive the highest priority in preventive and predictive maintenance programs. Regular inspection, calibration, and proof testing schedules ensure that the safety function is exercised periodically, revealing any hidden failures that have developed since the last test. Tracking the actual dangerous failure history of safety components builds the internal data needed to validate and improve MTTFd estimates over time.
Enhanced Diagnostic Coverage
Diagnostic Coverage (DC) is the fraction of dangerous failures in a component that are detectable by automatic self-monitoring or test routines. Higher DC means more dangerous failures are caught automatically, reducing the time a component can operate in a dangerous but undetected failure state. Choosing components with higher published DC values, and configuring systems to execute diagnostic routines regularly, improves the safety performance of the overall system.
Redundancy in Safety-Critical Systems
Redundant architectures, where two or more independent channels must both fail before a dangerous condition results, substantially reduce the probability of dangerous failure in the overall system. The contribution of MTTFd to system safety integrity is compounded when redundant channels are used, enabling systems assembled from medium-reliability components to achieve high-reliability system performance through architecture rather than component selection alone.
The Bottom Line
MTTFd is not a general maintenance metric: it is a safety engineering parameter required by international standards before safety-critical machinery can enter service. Understanding it is essential for any maintenance or reliability professional working with safety-rated control systems, interlocks, or protective devices.
The practical implication is straightforward: dangerous failures are a subset of all failures, and they require a different maintenance strategy. Proof testing, enhanced diagnostic coverage, and redundant architectures are the levers available to improve MTTFd performance in operation. Component selection provides the design baseline; maintenance practices sustain it.
For facilities subject to ISO 13849 or IEC 62061 compliance requirements, tracking MTTFd by safety function and maintaining records of proof test results is not optional. It is the evidence base that demonstrates a safety function continues to meet its required Performance Level or Safety Integrity Level throughout its operational life.
Frequently Asked Questions
What is Mean Time to Dangerous Failure?
Mean Time to Dangerous Failure (MTTFd) is a reliability metric that calculates the average expected time before a safety-critical component or system experiences a failure that could create a hazardous condition. Unlike general MTTF, which counts all failures, MTTFd counts only those failures classified as dangerous based on their potential consequences for people, equipment, or the environment.
How is MTTFd calculated?
MTTFd equals total operating time divided by the number of dangerous failures. For example, a safety interlock fleet accumulating 500,000 hours with 2 dangerous failures gives an MTTFd of 250,000 hours. Only failures classified as dangerous are counted. Accurate calculation requires a pre-defined, rigorous classification of which failure modes qualify as dangerous for the specific safety function being analyzed.
What is the difference between MTTFd and MTTF?
MTTF counts all failures of a component. MTTFd counts only failures in dangerous modes, those that could create hazardous conditions. A safety interlock that fails to a safe (de-energized) state contributes to MTTF but not to MTTFd. A safety interlock that fails to engage when demanded contributes to both. MTTFd values are typically much higher than MTTF values because dangerous failures are a subset of all failures.
Which standards require MTTFd?
MTTFd is a required parameter in ISO 13849-1 (Safety of Machinery: Safety-Related Parts of Control Systems) and IEC 62061 (Safety of Machinery: Functional Safety of Control Systems). These standards use MTTFd as an input for calculating Performance Level (PL) and Safety Integrity Level (SIL) respectively, which determine whether a safety function meets the risk reduction requirements defined in a machine's risk assessment.
How can facilities improve MTTFd performance?
The three primary strategies are: implementing proactive maintenance and regular proof testing of safety-critical components to detect degradation before dangerous failure; enhancing diagnostic coverage so automatic monitoring catches more dangerous failures early; and increasing system redundancy so that a single component failure does not directly create a hazardous condition. Selecting components with higher published MTTFd values from reputable manufacturers provides the design baseline; maintenance practices sustain that baseline in operation.
Why is MTTFd capped at 100 years in ISO 13849?
ISO 13849-1 caps MTTFd at 100 years for calculation purposes even when a component's actual MTTFd exceeds this value. The cap prevents over-reliance on a single component's reliability to achieve a required safety performance level. Safety systems that depend entirely on one component never failing in a dangerous mode are inherently fragile. The cap encourages designers to use redundant architectures rather than depending on component reliability alone.