Last updated on August 25th, 2022 at 03:42 pm
Note: This article references now-obsolete versions of standards. Please use the current editions in your work! — DN 2022-08-18
I’ve now written six posts on circuit architectures for the safety-related parts of control systems, including this one. In this post, I will compare the International and North American systems. Comparing the requirements is not intended to conclude which is “better,” but rather to compare and contrast the two systems so that designers can see where the overlaps and the gaps in the systems exist.
Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin by looking at [1, Table 10].
Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF |
---|---|---|---|---|---|---|
B (see 6.2.3) | SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by selection of components | Low to medium | None | Not relevant |
1 (see 6.2.4) | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B. | Mainly characterized by selection of components | High | None | Not relevant |
2 (see 6.2.5) | Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
3 (see 6.2.6) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that (a) a single fault in any of these parts does not lead to the loss of the safety function, and (b) whenever reasonably practicable, the single fault is detected. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
4 (see 6.2.7) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that (a) a single fault in any of these parts does not lead to a loss of the safety function, and (b) the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function. | When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure | High | High including accumulation of faults | See Annex F |
NOTE: For full requirements, see Clause 6.
[1, Table 10] summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Well-justified fault exclusions can be used in any Category. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.
Category | CSA Z432-04 / Z434-03: Summary of requirements | System behaviour | Principle used to achieve safety | RIA R15.06-1999: Summary of requirements |
---|---|---|---|---|
All | Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5. | | | Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (Footnote 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1). They are different. The committee believes that the criteria in 4.5.1 to 4.5.4 exceed the criteria of B to 3 respectively, and further believes the reverse is not true.) |
SIMPLE | Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by component selection. | Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable. |
SINGLE CHANNEL | Single channel safety control systems shall: a) be hardware based or comply with Clause 6.5; b) include components that should be safety rated; and c) be used in accordance with manufacturers' recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state). Note: In this type of system a single component failure can lead to the loss of the safety function. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by component selection. | Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers' recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state). |
SINGLE CHANNEL WITH MONITORING | Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following: Note: In this type of circuit a single component failure can also lead to the loss of the safety function. | The occurrence of a fault can lead to the loss of the safety function. | Characterized by both component selection and structure. | Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals. |
CONTROL RELIABLE | Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following: | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Characterized primarily by structure. | Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level. |
CSA Z434 vs. RIA R15.06
Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note – ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.
Systems vs. Circuits
The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.
The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.
The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.
The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.
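To make the “system” versus “circuit” distinction concrete, here is an added fault-injection model (not from the article or from any of the standards it cites). It wires two channels either to one interlock device (redundant circuits) or to two separate devices (a redundant system), injects an electrical fault (a contact stuck closed) or a mechanical fault (a jammed actuator that holds every contact on that device closed), and reports whether the machine would still be permitted to run with the guard open and whether cross-monitoring could detect the fault. All class and function names are hypothetical.

```python
# Added illustration (not from the article or any standard): a toy fault-injection
# model of the interlock arrangements discussed above. "Circuit" redundancy wires two
# contacts to ONE interlock device; "system" redundancy uses TWO devices. An electrical
# fault is modelled as a contact stuck closed; a mechanical fault as a jammed actuator
# that holds every contact on that device closed. Names and scenarios are hypothetical.
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Contact:
    stuck_closed: bool = False  # electrical fault confined to this channel

    def read(self, guard_shut: bool, device_jammed: bool) -> bool:
        # Reports "guard shut" (True) if genuinely shut, or if a fault holds it closed.
        return True if (self.stuck_closed or device_jammed) else guard_shut

@dataclass
class Interlock:
    contacts: List[Contact] = field(default_factory=list)
    jammed: bool = False  # mechanical fault common to all contacts on this device

def evaluate(devices: List[Interlock], guard_shut: bool) -> Tuple[bool, bool]:
    """Return (run_permitted, fault_detected) for the current guard state.
    run_permitted: every channel reads closed, so the logic lets the machine run.
    fault_detected: channels disagree, which cross-monitoring can flag; a lone
    channel can never check itself here."""
    readings = [c.read(guard_shut, d.jammed) for d in devices for c in d.contacts]
    return all(readings), len(set(readings)) > 1

def single_channel(guard_shut: bool, stuck: bool = False):
    return evaluate([Interlock([Contact(stuck_closed=stuck)])], guard_shut)

def dual_circuit_single_device(guard_shut: bool, stuck: bool = False, jammed: bool = False):
    # "circuit" redundancy: two channels wired to one interlock device
    return evaluate([Interlock([Contact(stuck_closed=stuck), Contact()], jammed)], guard_shut)

def dual_device(guard_shut: bool, jammed: bool = False):
    # "system" redundancy: two separate interlock devices, one channel each
    return evaluate([Interlock([Contact()], jammed), Interlock([Contact()])], guard_shut)

if __name__ == "__main__":
    opened = False  # guard opened: a demand on the safety function
    print("single channel, stuck contact:", single_channel(opened, stuck=True))
    print("two circuits, one device, stuck contact:", dual_circuit_single_device(opened, stuck=True))
    print("two circuits, one device, jammed:", dual_circuit_single_device(opened, jammed=True))
    print("two devices, one jammed:", dual_device(opened, jammed=True))
```

A result of `(True, False)` with the guard open is the loss of the safety function with nothing to flag it; the jammed-actuator case shows why a single device behind two circuits leaves a mechanical common-cause fault that only a second device can reveal.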
The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons:
1) It now means that the robot itself need only meet the ISO standard, instead of both the ISO and the RIA standards; and
2) It brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. The updates introduced in the 2006 edition may come in subsequent editions of R15.06.
CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.
North America vs International Standards
In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.
Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.
As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.
References
[2] Safeguarding of machinery, CSA Z432. Canadian Standards Association (CSA), Toronto. 2004. (now obsolete)
[3] American National Standard for Industrial Robots and Robot Systems – Safety Requirements, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor. 1999. (now obsolete)
[7] Robots for Industrial Environment – Safety Requirements – Part 1 – Robot, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.
© 2011 – 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.