Functional Safety in USA and Canada: the Concept of “Control Reliable”

In Europe, in the 90’s, the reference standard for Functional Safety of Machinery was EN 954-1. At that time, Safety-related Control Systems were classified in 5 Categories: from Category B to Category 4. Hereafter a brief description

• Category B is the basic category. The occurrence of a fault can lead to the loss of the safety function.
• In Category 1 improved resistance to faults is achieved predominantly by selection and application of
• In Categories 2, 3 and 4, improved performance in respect to a specified safety function is achieved predominantly by improving the structure of the safety-related part of the control system.
• In Category 2 this is provided by periodically checking that the specified safety function is being performed.
• In Categories 3 and 4 this is provided by ensuring that the single fault will not lead to the loss of the safety function.
• In Category 4, and whenever reasonably practicable in category 3, such faults will be detected. In category 4 the resistance to the accumulation of faults will be specified.

There was no such type of Technical Standards in the USA. However, OSHA in 1975, in the standard for Power Presses, introduced the concept of Control Reliable.

[OSHA 1910.217: Mechanical power presses]. 1910.217(b)(13): Control reliability.

When required by paragraph (c)(5) of this section, the control system shall be constructed so that a failure within the system does not prevent the normal stopping action from being applied to the press when required, but does prevent initiation of a successive stroke until the failure is corrected. The failure shall be detectable by a simple test, or indicated by the control system. This requirement does not apply to those elements of the control system which have no effect on the protection against point of operation injuries

In other words, in case the safety control system has a failure, it shall be “Fail Safe”: it shall bring the machinery to a Safe State. Again, no technical standard defined how to implement a Control Reliable system.

That concept was later adopted by the ANSI RIA R15.06: 1999 and expanded, following a bit the approach of the EN 954-1, while stating the following in a note:

[ANSI RIA R15.06: 1999] 4.5  Safety circuit performance.

Note 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1:  General principles for design (in correlation with EN 954-1.)  They are different.  The committee believes that the criteria in 4.5.1-4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

The 4 Safety Circuit Performance Criteria described in ANSI RIA R15.06 were the following:

• Simple Safety Circuit:

Simple safety circuits are designed and constructed using accepted single channel circuitry, and may be programmable. It resembles a Category B.

• Single channel Circuit:

Single channel safety circuits include components which should be safety rated, be used in compliance with manufacturers’ recommendations. and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state). It resembles a Category 1.

• Single channel with monitoring Circuit.

Single channel with monitoring safety circuits include the requirements for single channel, they are safety rated, and they shall be checked (preferably automatically) at suitable intervals.

1. The check of the safety function(s) shall be performed
   1. at machine start-up, and
   2. periodically during operation;
2. The check shall either:
   1. allow operation if no faults have been detected, or
   2. generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
3. The check itself shall not cause a hazardous situation;
4. Following detection of a fault, a safe state shall be maintained until the fault is cleared.

It resembles a Category 2, but with PL d level since, in case of a fault, a safe state has to be reached.

• Control reliable Circuit.

Control reliable safety circuitry are designed such that any single component failure does not prevent the stopping action of the machine.

1. The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
2. Following detection of a fault, a safe state shall be maintained until the fault is cleared.
3. Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
4. The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

That is equivalent to the following reliability levels:

• Category 2, PL d according to ISO 13849-1 or Architecture C SIL 2, according to IEC 62061
• Category 3, PL d or PL e or Category 4 PL e or Architecture D SIL 2 or SIL 3, according to IEC 62061.

Despite initially it was not possible to state a correct equivalence between the ANSI RIA safety circuits and the EN 954-1, we think it is now possible. The following table shows our position on the subject.