2.4 Control Reliability
OSHA 1910.211
In essence contains the following requirements: a control system must be constructed in such a way that
- a fault that occurs inside the system does not prevent the normal stop process from being activated,
- another machine cycle cannot be executed before the fault has been removed and
- the fault can be revealed by a simple test, or displayed by the control system.
ANSI B11.19-2003
Subpart 3.14 defines Control Reliability, in essence, as follows:
Control reliability is the capability of the machine control system, the safeguarding, other control components and related interfacing to achieve a safe state in the event of a fault within their safety related functions.
Subpart E.6.1 qualifies and limits this as follows:
Control Reliability cannot prevent the re-initiation of a machine cycle in the case of:
- a severe mechanical failure or
- a simultaneous failure of several components.
The standard provides the following information on the structural setup: Control reliability is not guaranteed by simple redundancy. Monitoring must be provided to ensure that the redundancy remains effective.
ANSI B11.20
The following is also stated, in essence, with regard to the control system structure in ANSI B11.20, Subpart 6.13:
Protection against the consequences of failure of control components should not depend solely upon simple redundancy. With simple (unmonitored) redundancy, the failure of one of two or more parallel- or series-connected control components can remain unnoticed, and the appearance of safe operation is maintained. If a further element in another redundant circuit now also fails, a dangerous state can result. Monitoring of redundant control system structures, with detection of and a safe reaction to such single faults, is therefore mandatory.
ANSI/RIA R15.06-1999
This ANSI standard contains further functional requirements for control reliability and also includes statements on faults with common causes, such as overvoltage. Note: "common" here means that such causes can have the same, simultaneous effect on the redundantly configured control channels.
- The monitoring must activate a stop signal when a fault is detected.
- A warning must be issued if the hazard continues to exist after the movement has been brought to a stop.
- After the fault has been detected a safe state must be maintained until the fault has been removed.
- Failures with common causes (e.g. overvoltage) must be considered when the probability of occurrence of such failures is high.
- A single fault should be detected at the time at which it occurs. If this is not practical, the fault should be detected the next time the safety function is requested.
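The behaviour described in the OSHA 1910.211 requirements, the ANSI B11.20 statement on unmonitored redundancy and the RIA R15.06 list above can be illustrated with a small simulation. The following Python is an added example written for this page; it is not code from any of the standards or from a product. It assumes a two-channel (1oo2) stop circuit in which a failed channel sticks in the "no stop" position, and the class names, the step sequence and the self-test-based reset are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    """One redundant input channel (for example one contact of a guard switch).

    A healthy channel reports a stop demand faithfully. A failed channel is
    modelled as stuck in the 'no stop' position, i.e. the dangerous failure
    mode (constructed assumption for this example).
    """
    healthy: bool = True

    def read(self, stop_demanded: bool) -> bool:
        return stop_demanded if self.healthy else False


class DualChannelSafetyLogic:
    """Two-channel stop logic: either channel demanding a stop stops the machine.

    With monitored=True the two channels are cross-compared on every evaluation;
    a discrepancy is a single fault, which is latched and forces the safe state
    until the fault has been removed and a reset self-test passes.
    """

    def __init__(self, monitored: bool) -> None:
        self.monitored = monitored
        self.ch_a = Channel()
        self.ch_b = Channel()
        self.fault_latched = False

    def evaluate(self, stop_demanded: bool, hazard_present: bool = False) -> dict:
        a = self.ch_a.read(stop_demanded)
        b = self.ch_b.read(stop_demanded)
        discrepancy = a != b
        if self.monitored and discrepancy:
            # Single fault detected at the time it occurs: latch it and stop.
            self.fault_latched = True
        stop = a or b or self.fault_latched
        return {
            "stop": stop,
            "discrepancy": discrepancy,
            "fault_latched": self.fault_latched,
            # A warning is raised if the hazard persists after movement stopped.
            "warning": stop and hazard_present,
        }

    def cycle_permitted(self) -> bool:
        """Another machine cycle may only start while no fault is latched."""
        return not self.fault_latched

    def reset(self) -> bool:
        """Simple test: demand a stop and require both channels to report it.

        The latch is cleared only if the fault has actually been removed.
        """
        if self.ch_a.read(True) and self.ch_b.read(True):
            self.fault_latched = False
        return not self.fault_latched


def run_scenario(monitored: bool) -> dict:
    """Walk one circuit through a single fault, a second fault and a repair."""
    logic = DualChannelSafetyLogic(monitored)
    results = {}
    # Step 1: both channels healthy; a stop demand must stop the machine.
    results["healthy_stop"] = logic.evaluate(True)["stop"]
    # Step 2: channel A fails stuck; redundancy alone still produces a stop,
    # but only the monitored variant notices and blocks the next cycle.
    logic.ch_a.healthy = False
    r = logic.evaluate(True)
    results["single_fault_stop"] = r["stop"]
    results["single_fault_detected"] = r["fault_latched"]
    results["cycle_permitted_after_single_fault"] = logic.cycle_permitted()
    # Step 3: channel B fails as well (e.g. a common cause such as overvoltage).
    # Unmonitored redundancy now fails to stop; the monitored latch holds.
    logic.ch_b.healthy = False
    results["double_fault_stop"] = logic.evaluate(True)["stop"]
    # Step 4: partial repair must not clear the latch; full repair may.
    logic.ch_a.healthy = True
    results["reset_before_full_repair"] = logic.reset()
    logic.ch_b.healthy = True
    results["reset_after_full_repair"] = logic.reset()
    return results


if __name__ == "__main__":
    for monitored in (False, True):
        print("monitored" if monitored else "unmonitored", run_scenario(monitored))
```

Running both scenarios shows the point of the standards' wording: with simple redundancy the first stuck channel is masked, a new cycle is still permitted, and the second fault leaves the machine unable to stop; with cross-monitoring the first fault is caught when it occurs, the safe state is held, and a reset only succeeds once both channels pass the stop test again.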
Comparison of the ANSI, IEC/EN requirements for safety-related controls
There is no exact agreement on the definition of functional safety or control reliability between the US and the IEC/EN worlds of standards. The requirements of Category 3 of the still valid EN 954-1 come relatively close to the OSHA/ANSI requirements: