CSA C22.2 No. 0.8-19: Safety Functions and Safety-Related Control of Machinery – An In-Depth Guide

Understanding the Requirements for Functional Safety and Performance Levels in Industrial Machinery

Scope and Purpose of CSA C22.2 No. 0.8-19

CSA C22.2 No. 0.8-19 is a Canadian Standard adopted, with modifications, from ISO 13849-1:2015, titled Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design. It specifies the requirements for the design and integration of safety-related parts of control systems (SRP/CS) that provide safety functions, including those that are programmable. The standard applies to all types of machinery, regardless of the technology used (electrical, hydraulic, pneumatic, mechanical) and is intended for machinery manufacturers, system integrators, and safety engineers.

The primary goal of CSA C22.2 No. 0.8-19 is to enable the design of safety-related control systems that achieve a specified performance level (PL) while minimizing the risk of harm to persons. It provides a structured methodology for assessing risk, selecting appropriate control system architectures (Categories), verifying reliability parameters, and validating the overall safety function. The standard is a key reference for compliance with Canadian occupational safety regulations and is often used in conjunction with CSA Z432 (Safeguarding of Machinery) and provincial OHS requirements.

Tip: Although CSA C22.2 No. 0.8-19 is a standalone standard, it is frequently cited in broader machinery safety audits. Always ensure that your risk assessment follows a recognized method such as ISO 12100 or CSA Z432 to determine the required performance level (PLr).

Key Technical Requirements

Performance Levels (PL and PLr)

The standard rates a safety-related part of a control system by its performance level (PL), a discrete level that expresses the ability of the SRP/CS to perform a safety function under foreseeable conditions. Each PL corresponds to a band of average probability of a dangerous failure per hour (PFHd), from PL a (lowest) to PL e (highest):

  • PL a: 10^-5 ≤ PFHd < 10^-4 (lowest contribution to risk reduction)
  • PL b: 3 × 10^-6 ≤ PFHd < 10^-5
  • PL c: 10^-6 ≤ PFHd < 3 × 10^-6
  • PL d: 10^-7 ≤ PFHd < 10^-6
  • PL e: 10^-8 ≤ PFHd < 10^-7 (highest integrity)

The required performance level (PLr) is determined by the risk assessment using three parameters: severity of injury (S1 slight, normally reversible; S2 serious, normally irreversible, or death), frequency and/or duration of exposure (F1 seldom to less often and/or short exposure; F2 frequent to continuous and/or long exposure), and possibility of avoiding the hazard or limiting the harm (P1 possible under specific conditions; P2 scarcely possible). The risk graph in Annex A maps each combination to a PLr: S1/F1/P1 gives PL a, S1/F2/P2 and S2/F1/P1 give PL c, and S2/F2/P2 gives PL e.

Once the PLr is established, the designer must demonstrate that the achieved PL of the safety function is at least equal to PLr. This involves evaluating the category, mean time to dangerous failure (MTTFd), diagnostic coverage (DCavg), and common cause failure (CCF) measures.

Designated Architectures (Categories)

CSA C22.2 No. 0.8-19 defines five designated architectures, the Categories B, 1, 2, 3 and 4, that represent different levels of structure, fault tolerance and diagnostic behaviour. A Category is not itself a PL: the achieved PL follows from the Category combined with the MTTFd class of each channel, the DCavg class and adequate CCF measures (Table 7 of ISO 13849-1, the "simplified procedure"). The table below summarizes the key attributes; the last column gives the PL from Table 7 for each channel MTTFd class (low / medium / high).

Category | Basic principle | Fault tolerance | Detection of faults | PL from Table 7 (MTTFd low / medium / high)
B | Basic safety principles | None | Not required | a / b / b
1 | Well-tried components and well-tried safety principles | None | Not required | not covered / not covered / c
2 | Periodic functional test by the machine control system | None; a fault occurring between tests can cause loss of the safety function | By test equipment at start-up and periodically | DC low: a / b / c; DC medium: b / c / d
3 | Redundancy with monitoring | A single fault does not lead to loss of the safety function | Single fault detected at or before the next demand whenever reasonably practicable; an accumulation of undetected faults can lead to loss | DC low: b / c / d; DC medium: c / d / d
4 | Redundancy with high diagnostic coverage | A single fault does not lead to loss of the safety function, and neither does an accumulation of undetected faults | Single fault detected at or before the next demand; where that is not possible, the accumulation of faults must not lead to loss | DC high: not covered / not covered / e

Important: Simply selecting Category 4 does not guarantee PL e. Category 4 reaches PL e only with high MTTFd in each channel (30 to 100 years, or up to 2500 years under the Category 4 allowance of ISO 13849-1:2015), DCavg high (at least 99%) and a CCF score of at least 65 points on the Annex F checklist of ISO 13849-1. The MTTFd and DCavg classes are defined in Tables 5 and 6 of the standard; a Category 4 structure with medium MTTFd or medium DCavg is simply not covered by the simplified procedure and cannot claim PL e.

Reliability Parameters (MTTFd, DCavg, CCF)

The standard quantifies safety performance using three key parameters:

  • MTTFd (Mean Time to Dangerous Failure): expressed in years per channel and classed as Low (3 ≤ MTTFd < 10 years), Medium (10 ≤ MTTFd < 30 years) or High (30 ≤ MTTFd ≤ 100 years). Values below 3 years are not acceptable, and a channel's MTTFd is capped at 100 years (2500 years for Category 4 under ISO 13849-1:2015) however good its components are. Component values come from manufacturer data, from B10d for electromechanical parts (MTTFd = B10d / (0.1 × nop), with nop the mean number of operations per year), or from the tables in Annex C; the channel value is combined by the parts-count method of Annex D (1/MTTFd = Σ 1/MTTFd,i).
  • DCavg (Average Diagnostic Coverage): the MTTFd-weighted average of the DC of every tested and untested part, DCavg = Σ(DCi/MTTFd,i) / Σ(1/MTTFd,i), classed as None (DC < 60%), Low (60% ≤ DC < 90%), Medium (90% ≤ DC < 99%) or High (DC ≥ 99%). Annex E gives DC estimates for typical measures (e.g. cross-monitoring of redundant inputs, feedback-loop monitoring of contactor mirror contacts).
  • CCF (Common Cause Failure): measures against a single cause defeating both channels of a redundant design, scored with the checklist in Annex F (separation/segregation, diversity, design/application/experience, assessment/analysis, competence/training, environmental influences). Categories 2, 3 and 4 require a score of at least 65 of the 100 available points; below that the redundancy cannot be credited.

The combination of Category, MTTFd, DCavg, and CCF determines the achieved PL. For example, Category 3 with medium MTTFd and low DCavg may yield only PL c, whereas the same Category with high MTTFd and medium DCavg can achieve PL d.
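The following is an added worked example, not code from the standard or from this page, that carries the steps above through end to end: the Annex A risk graph for PLr, channel MTTFd from constructed component data (B10d conversion and parts count), DCavg, the Annex F CCF score gate, and the Table 7 lookup for the achieved PL. The component figures (B10d values, DC values, operating profile) and the part names S1/S2/K1/K2 are constructed for illustration, not datasheet values.

```python
"""Added worked example (not from the standard or the page): PLr from the Annex A
risk graph, channel MTTFd and DCavg from constructed component data, the CCF score
gate, and the achieved PL per the simplified procedure (Table 7 / Annex K) of
ISO 13849-1:2015. All component figures below are constructed, not datasheet values."""
from dataclasses import dataclass

PL_ORDER = "abcde"
DC_CLASSES = ["none", "low", "medium", "high"]
MTTFD_CLASSES = ["low", "medium", "high"]

# Annex A risk graph: (S, F, P), 1 = lower and 2 = higher value of each parameter.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Table 7: (category, DCavg class) -> PL for MTTFd class (low, medium, high);
# None means the combination is not covered by the simplified procedure.
TABLE_7 = {
    ("B", "none"): ("a", "b", "b"),    ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"),     ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"),     ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}

# Annex F, Table F.1: points per CCF measure; 65 of 100 are needed for Cat 2, 3 and 4.
CCF_POINTS = {"separation": 15, "diversity": 20, "overvoltage_protection": 15,
              "well_tried_components": 5, "fmea": 5, "training": 5,
              "emc_and_contamination": 25, "other_environment": 10}


@dataclass
class Part:
    name: str
    mttfd: float   # years
    dc: float      # diagnostic coverage, 0.0 .. 1.0


def required_pl(s: int, f: int, p: int) -> str:
    return RISK_GRAPH[(s, f, p)]


def mttfd_from_b10d(b10d: float, d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Annex C: MTTFd = B10d / (0.1 * n_op), n_op = d_op * h_op * 3600 / t_cycle."""
    n_op = d_op * h_op * 3600.0 / t_cycle_s
    return b10d / (0.1 * n_op)


def channel_mttfd(parts, cap: float = 100.0) -> float:
    """Annex D parts count, 1/MTTFd = sum(1/MTTFd_i), capped per channel at 100 years
    (ISO 13849-1:2015 allows a 2500-year cap for Category 4 channels)."""
    return min(cap, 1.0 / sum(1.0 / p.mttfd for p in parts))


def symmetrise(m1: float, m2: float) -> float:
    """Annex D: single MTTFd for two redundant channels with different MTTFd."""
    return 2.0 / 3.0 * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))


def dc_avg(parts) -> float:
    """Annex E: DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i) over all parts of all channels."""
    return sum(p.dc / p.mttfd for p in parts) / sum(1.0 / p.mttfd for p in parts)


def mttfd_class(years: float):
    if years < 3:                      # below 3 years is not acceptable (Table 5)
        return None
    return "low" if years < 10 else "medium" if years < 30 else "high"


def dc_class(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def ccf_score(measures) -> int:
    return sum(CCF_POINTS[m] for m in measures)


def achieved_pl(category: str, mttfd_years: float, dc: float, ccf: int):
    """Table 7 lookup; returns None when the combination is not covered."""
    if category in ("2", "3", "4") and ccf < 65:
        return None                    # redundancy / monitoring cannot be credited
    mc = mttfd_class(mttfd_years)
    if mc is None:
        return None
    # Credit the highest DC column the category has that the measured DC reaches;
    # Category 4 has only a "high" column, so DC below 99 % is not covered.
    reached = DC_CLASSES.index(dc_class(dc))
    usable = [c for (cat, c) in TABLE_7 if cat == category and DC_CLASSES.index(c) <= reached]
    if not usable:
        return None
    col = max(usable, key=DC_CLASSES.index)
    return TABLE_7[(category, col)][MTTFD_CLASSES.index(mc)]


def assess_estop() -> dict:
    """Constructed Category 3 emergency stop: two channels, each an E-stop contact
    element (B10d 100 000, cross-monitored inputs, DC 0.90) driving a contactor with
    mirror-contact feedback (B10d 2 000 000, DC 0.99); 365 d/yr, 16 h/d operation."""
    plr = required_pl(s=2, f=1, p=2)   # serious injury, seldom exposure, hard to avoid
    estop = Part("S1", mttfd_from_b10d(100_000, 365, 16, 3600), 0.90)   # ~1 op/hour
    k1 = Part("K1", mttfd_from_b10d(2_000_000, 365, 16, 60), 0.99)      # ~1 op/minute
    ch1 = [estop, k1]
    ch2 = [Part("S2", estop.mttfd, 0.90), Part("K2", k1.mttfd, 0.99)]
    mttfd = symmetrise(channel_mttfd(ch1), channel_mttfd(ch2))
    dc = dc_avg(ch1 + ch2)
    ccf = ccf_score(["separation", "diversity", "overvoltage_protection",
                     "fmea", "training", "emc_and_contamination"])       # 85 points
    pl = achieved_pl("3", mttfd, dc, ccf)
    return {"plr": plr, "mttfd": mttfd, "dcavg": dc, "ccf": ccf, "pl": pl,
            "ok": pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)}


if __name__ == "__main__":
    print(assess_estop())
```

Two failure modes worth noticing in the lookup: a Category 3 circuit with a good MTTFd but a CCF score of 60 points returns no PL at all rather than a lower one, because the redundancy the Category rests on cannot be credited; and a Category 4 circuit with DCavg of 95% likewise falls outside the table instead of degrading to PL d, so the designer has to re-declare it as Category 3 and recalculate.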

Software and Programming Requirements

For SRP/CS that include software, CSA C22.2 No. 0.8-19 sets out requirements in clause 4.6, with further guidance in Annex J of ISO 13849-1. It distinguishes safety-related embedded software (SRESW, the firmware of a safety component, normally supplied and certified by its manufacturer) from safety-related application software (SRASW, the program the integrator writes for the safety function, typically in a limited-variability language on a safety PLC). Both are developed along a V-model with a software safety requirements specification, structured design, coding rules, version control, and documented verification and validation steps scaled to the PLr. For SRESW at PL e the standard refers to IEC 61508-3, and IEC 61508-3 may also be used as an alternative route for either kind of software.

Best Practice: When implementing programmable safety controllers, use certified functional safety development tools and maintain a traceability matrix linking each safety requirement to its implementation and test case. This greatly simplifies audit and certification.
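As an added example (not the page's or any tool vendor's code), the check below reads a traceability matrix of the kind the best practice above describes and reports every safety requirement that is not fully traced: no implementing SRASW module, no test case, a failing test, a module with no recorded achieved PL, or a module whose achieved PL is below the requirement's PLr. The matrix rows, the SRS-/MOD-/TC- identifiers and the module PL figures are constructed for illustration.

```python
"""Added example (not from the page or the standard): gap check over a safety-software
traceability matrix. Rows, identifiers and achieved-PL figures are constructed."""
import csv
import io
from collections import defaultdict

PL_ORDER = "abcde"

# Constructed matrix: one row per requirement -> SRASW module -> test-case link.
# Empty fields mean the link has not been made yet.
MATRIX_CSV = """\
requirement,plr,module,test_case,result
SRS-001,d,MOD-ESTOP,TC-001,pass
SRS-001,d,MOD-ESTOP,TC-002,pass
SRS-002,c,MOD-GUARD,TC-003,fail
SRS-003,d,,,
SRS-004,e,MOD-LIGHTCURTAIN,TC-004,pass
SRS-005,b,MOD-MUTE,TC-005,pass
SRS-006,c,MOD-BRAKE,,
"""

# Achieved PL per module as recorded in the (constructed) technical file.
MODULE_PL = {"MOD-ESTOP": "d", "MOD-GUARD": "c", "MOD-LIGHTCURTAIN": "d",
             "MOD-MUTE": "b", "MOD-DIAG": "d"}


def check_matrix(csv_text: str, module_pl: dict) -> list:
    """Return (requirement, finding) pairs, sorted by requirement, for every
    requirement that is not fully traced from PLr through implementation to a
    passing test."""
    by_req = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_req[row["requirement"]].append(row)

    findings = []
    for req, links in sorted(by_req.items()):
        plr = links[0]["plr"]
        modules = sorted({l["module"] for l in links if l["module"]})
        if not modules:
            findings.append((req, "no implementing module"))
            continue
        tests = [l for l in links if l["test_case"]]
        if not tests:
            findings.append((req, "no test case"))
        else:
            failed = [l["test_case"] for l in tests if l["result"] != "pass"]
            if failed:
                findings.append((req, "failing test: " + ", ".join(failed)))
        for m in modules:
            pl = module_pl.get(m)
            if pl is None:
                findings.append((req, f"{m} has no achieved PL recorded"))
            elif PL_ORDER.index(pl) < PL_ORDER.index(plr):
                findings.append((req, f"{m} achieves PL {pl} but PLr is {plr}"))
    return findings


def untraced_modules(csv_text: str, module_pl: dict) -> list:
    """Modules in the technical file that no requirement traces to; in safety
    software that is code nobody can justify (or validate) being there."""
    used = {row["module"] for row in csv.DictReader(io.StringIO(csv_text)) if row["module"]}
    return sorted(set(module_pl) - used)


if __name__ == "__main__":
    for req, finding in check_matrix(MATRIX_CSV, MODULE_PL):
        print(f"{req}: {finding}")
    print("untraced modules:", untraced_modules(MATRIX_CSV, MODULE_PL))
```

Run against the constructed matrix, the check flags SRS-002 (failing test), SRS-003 (nothing implements it), SRS-004 (a PL e requirement implemented by a PL d module) and SRS-006 (untested, and its module has no PL in the file), and reports MOD-DIAG as code no requirement accounts for. The same script re-run after any change to the safety application gives the auditor the list of items whose validation evidence must be redone.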

Implementation Highlights

Risk Assessment and Determination of PLr

Before any design begins, the manufacturer must conduct a risk assessment in accordance with ISO 12100 (or CSA Z432). The risk graph approach (S, F, P parameters) is used to derive PLr. This step is iterative and must involve cross-functional teams. It is critical to document the assumptions for each parameter to avoid under- or over-engineering.

System Validation and Verification

Validation involves testing each safety function to confirm that it meets the specified PLr. The standard requires that the validation plan includes fault insertion, environmental tests, and measurement of response times. Verification ensures that the design and documentation match the intended architecture. All results must be recorded in a technical construction file.

Documentation and Marking

For each safety function, the manufacturer must provide documentation that specifies:

  • The achieved PL for each function
  • Category, MTTFd, DCavg, and CCF score
  • Identification of SRP/CS components and their safety-related data
  • Instructions for periodic testing (if Category 2)
  • Environmental limits and installation requirements

Products covered by this standard may be marked with the manufacturer’s evidence of compliance, but certification by a recognized body (e.g., CSA Group) is strongly recommended for market acceptance.

Critical: Failure to include CCF measures (e.g., physical separation of channels, diverse technologies, protection against over-voltage and EMC, environmental hardening) in redundant architectures (Categories 3 and 4) can nullify the fault tolerance and lead to undetected dangerous failures: a single cause such as a supply transient or cable damage then defeats both channels at once. Always calculate the CCF score using the checklist in Annex F of ISO 13849-1, keep the completed checklist in the technical file, and remember that a score below 65 points means the Category 2, 3 or 4 claim cannot be supported at all.

Compliance and Certification Notes

Relation to Other Standards

CSA C22.2 No. 0.8-19 harmonizes with IEC 61508 (functional safety) and ISO 13849-1. In Canada, it is often used alongside CSA Z432 (Safeguarding of Machinery) and provincial OHS codes. For electrical equipment, the base standard CSA C22.2 No. 0 (General Requirements) may also apply. If the machinery includes electrical safety functions, additional requirements from CSA C22.2 No. 14 (Industrial Control Equipment) or No. 142 (Process Control Equipment) might be relevant.

Approval and Inspection Requirements

Canadian jurisdictions generally require that machinery used in workplaces be certified by an accredited body (e.g., CSA, TÜV, UL). For safety-related control systems, this means providing a technical file demonstrating compliance with CSA C22.2 No. 0.8-19. During inspection, inspectors focus on:

  • Risk assessment documentation
  • PLr determination and justification
  • Actual vs. claimed Category and PL
  • Presence of required marking and instructions

The standard also requires that any modification to a safety function after initial validation must be re-assessed and documented. Periodic re-validation is not explicitly mandated but is a prudent practice for high-integrity systems.

Q: Can CSA C22.2 No. 0.8-19 be used for non-electrical safety control systems (e.g., hydraulic, pneumatic)?
A: Yes, the standard is technology-neutral. Its principles apply to any energy medium as long as the reliability parameters (MTTFd, DCavg, CCF) are properly evaluated for that technology. However, specific pneumatic or hydraulic components might have different failure rates, so consult ISO 13849-2 for guidance on validation.
Q: What is the difference between Category 3 and Category 4 in terms of diagnostic coverage?
A: Category 3 requires that, whenever reasonably practicable, a single fault is detected at or before the next demand upon the safety function, but it tolerates an accumulation of undetected faults that can eventually cause loss of the safety function. Category 4 requires the single fault to be detected at or before the next demand and, where that is not possible, that an accumulation of undetected faults does not lead to loss of the safety function. In Table 7 terms, Category 3 is rated with DCavg low (60% to below 90%) or medium (90% to below 99%), whereas Category 4 is only covered with DCavg high (at least 99%) together with high MTTFd, which is why it is the only route to PL e.
Q: Do I need to obtain third-party certification to claim compliance with CSA C22.2 No. 0.8-19?
A: The standard itself does not mandate third-party involvement, so a manufacturer can compile the technical file and declare conformity. In practice, Canadian jurisdictions require electrical equipment used in the workplace to carry a certification or field-evaluation mark from a body accredited by the Standards Council of Canada (e.g., CSA Group, TÜV SÜD, UL), and large OEMs and end users expect a third-party assessment of the safety functions as well. Certification is widely accepted as evidence of conformity and simplifies market access.
Q: How does CSA C22.2 No. 0.8-19 address cybersecurity threats?
A: The standard covers functional safety, that is, random hardware failures and systematic failures of hardware and software; it does not explicitly address cybersecurity. Its PL figures assume failures are accidental, so they say nothing about an attacker who modifies the safety application, spoofs safety fieldbus traffic, or uses the engineering tool to bypass an interlock: a PL e system offers no protection against deliberate tampering. For programmable safety systems, treat the safety controller and its engineering interface as a separate zone with controlled conduits and access control under the IEC 62443 series, restrict and log who can download to the safety PLC, and protect the validated safety program by recording its signature or checksum in the technical file and comparing it at every audit, since any change to a safety function requires re-assessment and re-validation anyway.

Last reviewed: 2026
