3.4 Control Reliability

OSHA 1910.211

Logically contains the following requirements: A control system must be constructed in such a way that

  • a fault that occurs inside the system does not prevent the normal stop process from being activated,
  • another machine cycle cannot be executed before the fault has been removed and
  • the fault can be revealed by a simple test, or displayed by the control system.

ANSI B11.19-2003

Subpart 3.14 logically defines Control Reliability as follows:

Control Reliability is the capability of the machine control system, the safeguarding, other control components and related interfacing to achieve a safe state in the event of a fault within their safety related functions.

Subpart E.6.1 specifies and limits:

Control Reliability can't prevent the reinitation of a machine cycle in case of a

  • severe mechanical failure or
  • a simultaneous failure of more components.

The standard provides the following information on the structural setup:

Control Reliability is not guaranteed by simple redundancy. Monitoring must be made to ensure that the redundancy remains effective.

ANSI B11.20

The following is also logically stated with regard to the control system structure in ANSI B11.20, Subpart 6.13:

Protection against the consequences of failure of control components should not depend solely upon simple redundancy. A failure of one component of two or more parallel or serially switched control components can remain unnoticed with simple or unmonitored redundancy. The appearance of a safe operation is maintained. If another element now also fails in another redundant circuit, this can result in a dangerous state. A monitoring of redundant control system structures and the uncovering of and safe reaction to such single errors is therefore mandatory.

ANSI / RIA R15.06-1999

This ANSI standard contains further functional requirements for Control Reliability and also includes statements on errors that have common causes, such as overvoltage. Note: The term "common" means that these causes can have the same, simultaneous effect on the redundantly set up control channels.

  • The monitoring must activate a stop signal when a fault is detected.
  • A warning must be issued if the hazard continues to exist after the movement has been brought to a stop.
  • After the fault has been detected a safe state must be maintained until the fault has been removed.
  • Failures with common causes (e.g. overvoltage) must be considered when the probability of occurrence of such failures is high.
  • A single fault should be detected at the time at which it occurs. If this is not practical the fault should be detected the next time the safety function is requested.

Comparison of the ANSI, IEC/EN requirements for safety-related controls

There is no precise concurrence on the definition of functional safety or Control reliability in the US and IEC/EN world of standards. The requirements of category 3 of EN ISO 13849‑1 come relatively close to the OSHA/ANSI requirements:

  • The safety-related parts of control systems and/or their protective devices and their components must be designed, constructed, selected and combined in accordance with the applicable standards in such a way that they can withstand the expected influences and effects.
  • Proven-in-practice safety principles must be applied in design and construction. Safety-related parts must be designed so that:
    • A single fault in each of these parts does not cause the loss of the safety function.
    • The single faults are detected whenever this is reasonably possibly.

The behavior when a fault of a safety-related control unit in accordance with category 3 occurs is specified as follows:

  • If a single fault occurs, the safety function is always maintained.
  • Some but not all faults are detected.*
  • An accumulation of undetected errors can lead to the loss of the safety function.*

*) The risk assessment shows whether or not the complete or partial loss of the safety function(s) that the faults cause is manageable.


The SISTEMA PC software of the German Institute for Occupational Safety and Health (IFA) is used for the automatic calculation and evaluation of the functional safety of control systems in accordance with EN ISO 13849‑1. It is an ideal complement to Safexpert and can be downloaded as freeware from www.leuze.de/sistema. For further information, see chapter 2.4.1.