ISO 21919-2:2021

INTERNATIONAL ISO
STANDARD 21919-2
First edition
2021-06
Physical device control — Interfaces
for automated machine tending —
Part 2:
Safety and control interface
Ensemble de commande pour les équipements — Interfaces pour le
chargement automatisé des machines —
Partie 2: Interface de sécurité et de commande
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Description of the interfaces . 2
4.1 General . 2
4.2 Characteristics of the interface . 3
4.2.1 General. 3
4.2.2 Conformance class . 3
4.2.3 Conformance options . 8
4.3 Safety interface .13
4.3.1 General.13
4.3.2 Principle approach and concept .13
4.3.3 Matrix for safety-related functional relationships .13
4.3.4 Distribution of performance levels and PFHD value .15
4.4 Control interface .16
5 Extension of the interfaces .16
5.1 General .16
5.2 Examples of project-specific extensions .16
5.2.1 General.16
5.2.2 Additional signals .16
5.2.3 More than one interference area .16
Annex A (normative) List of signals .17
Annex B (informative) Examples for safety matrices .18
Annex C (normative) Flow charts .31
Bibliography .44
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 184, Automation systems and integration,
Subcommittee SC 1, Physical device control.
A list of all parts in the ISO 21919 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2021 – All rights reserved

Introduction
The ISO 21919 series describes interfaces for automated machine tending of at least one computer
numerically controlled (CNC) machine by using a machine tending system. These interfaces are the
link between automated machine tending systems and machines used for production. The automated
machine tending is initiated by either the machine tending system or by the machine.
ISO 21919-1 gives an overview and defines the fundamental principles on how the interfaces are set
up. It defines the necessary vocabulary and sets the syntax for the structure of signals. It distinguishes
between the safety interface, the control interface and project specific extensions.
Automated machine tending refers to the automatic loading or unloading of one or more machines by
using a machine tending system.
EXAMPLE Examples for machines are machine tools, typically computer numerically controlled (CNC),
metrology co-ordinate measuring machines (CMM), 3D structured light scanner (3DSL), and X-ray machines.
Examples for machine tending systems are robots, handling systems, gantrys, autonomous intelligent vehicles
(AIV), and automated guided vehicles (AGV).
Automated machine tending is a substantial element in highly productive industrial environments.
It is a complex endeavour. Necessary devices are complex systems by itself, are oftentimes provided
by different suppliers and encounter each other at the production site first time. For a trouble-free
collaboration of all units a clear definition of the interfaces is indispensable. For manufacturing systems
such standardized interfaces at an international level haven't been defined yet.
Therefore, the definition of the interfaces often is project-specific from the scratch or each supplier
tries to establish its in-house standards. These procedures cause great efforts, are prone to failure and
hence take a lot of time and manpower. As each interface is built individually and testing beforehand is
often not possible, commissioning times exceed the planned ones. Machine builders, system integrators
and production plant operators report these issues being substantial obstacles for such automation
projects.
Standardized interfaces lead to lean coordination processes, give higher planning reliability, shorten
times for commissioning and are less error-prone.
On the other hand, automated machine tending systems can be very complex systems and standards
need to be flexible enough to allow an adaption to the requirements of individual projects.
Applications are ranging from simple parts removal to material flow dedicated complex production
lines. It is noteworthy that the processing technologies of the machines are independent to the interface
and a majority of machine technologies can be integrated with the same standard.
Figure 1 and Figure 2 display the range of complexity of machine tending systems covered by the
ISO 21919 series. Figure 1 shows an example of a simple automated machine tending system, consisting
of a machine tool loaded by a conveyor.
Figure 1 — Example of a simple automated machine tending system
Figure 2 shows an example of a complex production line with five computer numerically controlled
machine tools tended by a loading gantry.
Figure 2 — Example of a complex production line loaded by a gantry
In general, the interfaces for automated machine tending are composed of:
— mechanical;
— control-related; and
— safety-related connections.
vi © ISO 2021 – All rights reserved

INTERNATIONAL STANDARD ISO 21919-2:2021(E)
Physical device control — Interfaces for automated
machine tending —
Part 2:
Safety and control interface
1 Scope
This document deals with the safety interface and control interface. It allocates signals to a conformance
class and/or conformance option. It describes the detailed functions of each signal, describes and
displays the timing interactions between signals in flow charts and shows examples for safety matrices
and safety-related functional relationships.
This document defines three conformance classes and dedicated conformance options. Classes and
options consist of a number of signals to:
— allow a flexible adaptation of the interface(s) to a project-specific scope of functions and
simultaneously;
— tie sets of signals tight enough to avoid unnecessary coordination efforts between suppliers of the
machine tending systems and machines.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles
for design
ISO 21919-1, Automation systems and integration — Interfaces for automated machine tending — Part 1:
Overview and fundamental principles
IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable
electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 21919-1 and the following
apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
emergency stop
function which is intended to
— avert arising or reduce existing hazards to persons, damage to machinery or to work in progress,
and
— be initiated by a single human action
Note 1 to entry: ISO 13850 gives detailed provisions.
[SOURCE: ISO 12100:2010, 3.40]
3.2
guard
physical barrier, designed as part of a functional unit to provide protection
[SOURCE: ISO 12100:2010, 3.27, modified — In the definition, "the machine" has been changed to "a
functional unit". Notes 1 to 3 to entry have been removed.]
3.3
part family
all parts that a machine accepts for processing without a new set up
Note 1 to entry: A part family consists at least of one part.
4 Description of the interfaces
4.1 General
For an extensive description of the interfaces for automated machine tending, the following interfaces
shall be defined:
— safety interface;
— control interface.
Figure 3 shows the principle setup of the interfaces for automated machine tending.
2 © ISO 2021 – All rights reserved

Figure 3 — Principle setup of the interface
4.2 Characteristics of the interface
4.2.1 General
The signals are grouped in conformance classes and conformance options for a flexible adaptation of
the interface to the project-specific sets of functions. Grouping allows individual characterization of the
interface while simultaneously meeting the requirements of this document.
For the application of this document, one conformance class shall be selected, all desired conformance
options can be selected, and a project specific extension can be defined.
The signals assigned to the relevant conformance class or the relevant conformance option shall be
made available at the interface if the characteristics on this conformance class/conformance option are
selected.
When realizing the interface, the signals shall correlate in the way shown in the relevant flow charts in
Annex C.
4.2.2 Conformance class
4.2.2.1 General
With the selection of a conformance class a basic set of signals is selected in order to fulfil the task of
automated machine tending.
The following conformance classes are available. Only one conformance class shall be selected.
— Conformance class 1: Minimum set of signals.
— Conformance class 2: Extended set of signals.
— Conformance class 3: Extended set of signals with process optimization.
4.2.2.2 Conformance class 1: Minimum set of signals
4.2.2.2.1 General
At conformance class 1, the following functions can be realized:
— safety of people;
— simple unloading;
— simple loading;
— simple combined unloading and loading.
The word "simple" indicates that there is no distinction between coherent and non-coherent transfer
and that clamping functions are not handled via the interface.
Conformance class 1 is not applicable for machines that need coherent transfer.
4.2.2.2.2 Simple unloading
The function "simple unloading" serves the requirement to unload one part from the machine.
See the corresponding flow chart in Figure C.1.
4.2.2.2.3 Simple loading
The function "simple loading" serves the requirement to load one part to the machine.
See the corresponding flow chart in Figure C.2.
4.2.2.2.4 Simple combined unloading and loading
The function "simple combined unloading and loading" serves the requirement to unload one part from
the machine and then load another part after that. The time period between unloading and subsequent
loading is not defined.
However, the restriction applies that there shall be no machine movements required in the interference
area during the loading and unloading process. In this case, the automated machine tending system can
remain within the interference area.
See the corresponding flow chart in Figure C.3.
4.2.2.3 Conformance class 2: Extended set of signals
4.2.2.3.1 General
At conformance class 2, all functions of conformance class 1 and the following can be realized:
— unloading with non-coherent transfer, with/without clamping function;
— unloading with coherent transfer;
4 © ISO 2021 – All rights reserved

— loading with non-coherent transfer, with/without clamping function;
— loading with coherent transfer;
— combined unloading and loading with non-coherent transfer, with/without clamping function;
— combined unloading and loading with coherent transfer;
— preparation of a part;
— emptying;
— functions of guard doors;
— further status information.
NOTE Conformance class 2 and conformance class 3 are typically implemented as bus interface as many
signals are handled.
4.2.2.3.2 Unloading with non-coherent transfer, with/without clamping function
Function "Unloading with non-coherent transfer, with/without clamping function" serves the
requirement to unload a part from the machine at non-coherent transfer.
See the corresponding flow chart in Figure C.4.
4.2.2.3.3 Unloading with coherent transfer
Function "Unloading with non-coherent transfer, with clamping function" serves the requirement to
unload a part from the machine at coherent transfer.
See the corresponding flow chart in Figure C.5.
4.2.2.3.4 Loading with non-coherent transfer, with/without clamping function
Function "Loading with non-coherent transfer, with/without clamping function" serves the requirement
to load a part from the machine at non-coherent transfer.
See the corresponding flow chart in Figure C.6.
4.2.2.3.5 Loading with coherent transfer
Function "Loading with coherent transfer" serves the requirement to load a part from the machine at
fixed transfer.
See the corresponding flow chart in Figure C.7.
4.2.2.3.6 Combined unloading and loading with non-coherent transfer, with/without clamping
function
Function "Combined unloading and loading with non-coherent transfer, with/without clamping
function" serves the requirement to unload a part from the machine at not fixed transfer and then load
another part to the machine. The time period between unloading and subsequent loading is not defined.
See the corresponding flow chart in Figure C.8.
4.2.2.3.7 Combined unloading and loading with coherent transfer
Function "Combined unloading and loading with coherent transfer, with/without clamping function"
serves the requirement to unload a part from the machine at coherent transfer and then load another
part to the machine. The time period between unloading and subsequent loading is not defined.
See the corresponding flow chart in Figure C.9.
4.2.2.3.8 Preparation of a part
Function "Preparation of a part" is used to inform the automated machine tending system at an early
stage that there is no part at the loading space of the machine or that the machine will complete
processing shortly.
4.2.2.3.9 Emptying
Function "Emptying" serves the requirement to unload all parts from the machine.
Emptying can be requested from the automated machine tending system to the machine, e.g. if there
are no new raw parts.
If the machine needs to have all parts unloaded, it shall send a request to the automated machine
tending system. Automated machine tending system decides when the machine can be unloaded and
acknowledges the request by setting its request for emptying. Up to this point, the machine shall
request loading cycles.
See the corresponding flow chart in Figure C.10.
4.2.2.3.10 Function of guard doors
The functions of the guard doors serve the requirement to unlock the guard door(s), if necessary. Here,
distinction shall be made whether the guard door is assigned to the automated machine tending system
or to the machine. It can also be differentiated if a request for unlocking the guard door remains until
the guard door has actually been unlocked or if the request has prematurely been withdrawn.
Figure C.11 differentiates between the two cases and shows the corresponding flow charts.
4.2.2.3.11 Further status functions
Conformance class 2 contains further signals which provide information at the interface.
4.2.2.4 Conformance class 3: Extended set of signals with process optimization
4.2.2.4.1 General
At conformance class 3, all functions of conformance class 2 and the following can be realized:
— process optimizations at the combined unloading and loading with coherent transfer;
— process optimizations at the combined unloading and loading with non-coherent transfer, with/
without clamping function;
— process optimizations, if pre-positioning by the machine;
— process optimizations, if clamping and releasing is executed in more than one step.
4.2.2.4.2 Process optimizations at combined unloading and loading
4.2.2.4.2.1 General
Description of pre-positioning by the automated machine tending system.
Figure 4 displays the principle coherence of different typical areas of machine and automated machine
tending system and its interactions.
6 © ISO 2021 – All rights reserved

Key
1 range of automated machine tending system
2 range of machine
3 interference area preposition automated machine tending system
4 interference area
5 location of transfer station
6 interference area preposition machine
Figure 4 — Interference area at pre-positioning by automated machine tending system
Involved signals are AM_ENA_InIntfrArea, AM_STA_OutIntfrArea, AM_STA_OutIntfrAreaFixt, MA_
ENA_InIntfrArea, MA_ENA_InIntfrAreaPrePos, and MA_STA_OutIntfrArea. For definition of these
signals, see Annex A.
4.2.2.4.2.2 With coherent transfer
The process optimizations at the combined unloading and loading with coherent transfer function
unloads a part from the machine at coherent transfer and then load another part to the machine. The
time period between unloading and subsequent loading is not defined.
In addition to conformance class 2, process optimizations (optimization of cycle time) are carried out
concerning:
— pre-positionings;
— preparation of unloading part(s).
See the corresponding flow chart in Figure C.13.
4.2.2.4.2.3 With non-coherent transfer, with/without clamping function
Function "Combined unloading and loading with non-coherent transfer, with/without clamping
function" serves the requirement to unload apart from the machine at non-coherent transfer and then
load another part to the machine. The time period between unloading and subsequent loading is not
defined.
In addition to conformance class 2, process optimizations (optimization of cycle time) are carried out
concerning:
— pre-positionings;
— preparation of unloading part(s).
See the corresponding flow chart in Figure C.12.
4.2.2.4.3 Process optimizations, if pre-positioning by machine
In conformance class 3, signals are provided for process optimizations which require a pre-positioning
of the machine. A process description shall be coordinated specifically to the project and depending on
the mechanical design.
4.2.2.4.4 Process optimizations, if clamping and releasing is executed in more than one step
In conformance class 3, signals are provided for process optimizations which require clamping and
releasing in more than one step. A process description shall be coordinated specifically to the project
and depending on the mechanical design.
4.2.3 Conformance options
4.2.3.1 General
The selection of a conformance option allows adding an additional scope of functions to the selected
conformance class. The set of signals allocated to a conformance option is intended to fulfil a specific
task.
The following conformance options are available. Any desired conformance option can be selected.
— loading access controlled by machine;
— loading access controlled by automated machine tending system;
— enabling device;
— monitoring of communication;
— tool life management;
— central functions;
— control signals for safety-relevant functions;
8 © ISO 2021 – All rights reserved

— with parts data;
— setup information;
— machine panel;
— part seat control.
Table 1 shows if a conformance option contains safety-relevant and/or control-relevant signals.
Table 1 — Allocation of safety-relevant and control-relevant signals to conformance options
Conformance option Safety-relevant signals Control-relevant signals
 
Loading access controlled by machine
Loading access controlled by automat-
 
ed machine tending system
Enabling device  
Monitoring of communication 
Tool life management 

Central functions
Control signals for safety-relevant

functions
With parts data 
Setup information 
Machine panel 
Part seat control 
4.2.3.2 Conformance option: Loading access controlled by machine
The signals assigned to the conformance option "Loading access controlled by machine" in Annex A
shall be provided at the interface.
The conformance option "Loading access controlled by machine" includes signals with the belonging
functions required if a loading access is controlled by the machine.
Handling the signals is analogous to the description and diagrams of the guard doors.
4.2.3.3 Conformance option: Loading access controlled by automated machine tending system
The signals assigned to the conformance option "Loading access controlled by automated machine
tending system" in Annex A shall be provided at the interface.
The conformance option "Loading access controlled by automated machine tending system" includes
signals with the belonging functions which are required if a loading access is controlled by the
automated machine tending system.
Handling the signals is analogous to the description and diagrams of the guard doors.
4.2.3.4 Conformance option: Enabling device
The signals assigned to the conformance option "Enabling device" in Annex A shall be provided at the
interface.
The conformance option "Enabling device" includes signals with the belonging functions which are
necessary for operating the system in enabling mode.
4.2.3.5 Conformance option: Monitoring of communication
The signals assigned to the conformance option "Monitoring of communication" in Annex A shall be
provided at the interface.
The conformance option "Monitoring of communication" includes signals with the belonging functions
which are necessary for the monitoring of communication. Each functional unit sends a binary signal
to the interface with a pulse of 1 Hz. The other functional unit evaluates this signal and detects if the
communication is disturbed or alright.
See the corresponding flow chart in Figure C.14.
4.2.3.6 Conformance option: Tool life management
The signals assigned to the conformance option "Tool life management" in Annex A shall be provided at
the interface.
The conformance option "Tool life management" includes signals with the belonging functions which
are necessary for the tool life management.
4.2.3.7 Conformance option: Central functions
The signals assigned to the conformance option "Central functions" in Annex A shall be provided at the
interface.
The conformance option "Central functions" includes signals with the belonging functions which are
provided by the automated machine tending system for one or more machine(s) and the relevant status
information of the machine.
4.2.3.8 Conformance option: Control signals for safety-relevant functions
The signals assigned to the conformance option control signals for safety-relevant functions in Annex A
shall be provided at the interface.
The conformance option dontrol signals for safety-relevant functions includes signals with the
belonging functions which are used as a supplement to the safety-relevant interface.
4.2.3.9 Conformance option: With parts data
4.2.3.9.1 General
Signals of the conformance option "With parts data" are divided into:
— signals for controlling data handling;
— preparation data and parts data.
4.2.3.9.2 Signals for controlling data handling
The signals assigned to the conformance option "With parts data" in Annex A shall be provided at the
interface.
See the corresponding flow charts in Figures C.15 to C.21.
NOTE When transferring parts data, the data sovereignty moves from one control to another one together
with the part. Ideally, the physical transfer of a part and the data transfer take place at the same time.
10 © ISO 2021 – All rights reserved

4.2.3.9.3 Preparation data and parts data
4.2.3.9.3.1 Signal names and content of preparation data and parts data
This document determines the signal names of the container for the preparation data and parts data. It
defines the belonging signals for controlling the container as well. This document does not determine
the content of the container for the preparation data and parts data.
The contents of the required preparation data and parts data depends on the specific project. It can be
very different and is therefore not standardized within this document.
Examples of information concerning preparation data and parts data:
— part reference number:
— part type;
— part family;
— part state;
— part-ID;
— operation index;
— cycle time - target value;
— cycle time - actual value;
— processing progress;
— measurement and correction data;
— clamping process on spindle x;
— production date;
— change positons of the machine;
— washing program number;
— clamping device number, type, and opening width;
— maximum speed of the workpiece spindle.
4.2.3.9.3.2 Use of preparation data and parts data
Figure 5 gives an overview of possibilities for the use of preparation data and parts data and its
belonging control signals. The selection of possibilities depends on the specific project.
Figure 5 — Overview of possibilities for the use of preparation data and parts data
a) For unloading process
Preparation data are used for controlling the logistic processes for unloading.
They can be provided by the machine to the automated machine tending system or by the automated
machine tending system to the machine. Typically, only one direction is used.
Parts data are taken over by the automated machine tending system from the machine during the
unloading process.
b) For loading process
Preparation data are used for controlling the logistic processes for loading.
They can be provided by the machine to the automated machine tending system or by the automated
machine tending system to the machine. Typically, only one direction is used.
Parts data are information which the automated machine tending system transfers to the machine
during the loading.
The parts reference number is transferred from the machine to the automated machine tending system,
when the machine takes over the selection of a parts reference number.
4.2.3.10 Conformance option: Setup information
The signals assigned to the conformance option "Setup information" in Annex A shall be provided at the
interface.
The conformance option "Setup information" includes signals with the belonging functions which are
necessary to report the setup state (setup for the parts family xx or for rework) of a machine to the
automated machine tending system.
4.2.3.11 Conformance option: Machine panel
The conformance option "Machine panel" consists of a subset of signals of the basic buttons of a
functional unit's panel. The state of these signals is provided at the interface.
The signals assigned to the conformance option "Machine panel" in Annex A shall be provided at the
interface.
The conformance option "Machine panel" includes signals with the belonging functions which provide
information about using the buttons (hardware or soft key) of a control panel.
12 © ISO 2021 – All rights reserved

4.2.3.12 Conformance option: Part seat control
The signals assigned to the conformance option "Part seat control" in Annex A shall be provided at the
interface.
The conformance option "Part seat control" includes signals with the belonging functions which are
necessary for part seat control.
See the corresponding flow chart in Figure C.22.
4.3 Safety interface
4.3.1 General
The safety interface between machine(s) and automated machine tending system determines signals
which are necessary for keeping personal safety.
Part of the realization of the safety interface is the definition of a safety matrix to clarify the functional
relationships between machine and automated machine tending system depending on the status of
main switch, guard(s) and emergency stop.
4.3.2 Principle approach and concept
In principle, an area is considered hazardous concerning functional safety if it can be accessed by
humans and hazardous actions (e.g. movement) of a functional unit occurs. Access to an area is possible
via a guard and/or a loading access. Hazardous actions depend on the status of main switch and
emergency stop of the functional unit.
Mainly, it can be distinguished between loading access open and loading access closed. A machine and
automated machine tending system form a common emergency stop area, if the loading access is open
or does not exist. If the loading access is closed, each functional unit forms its own emergency stop area.
This approach allows maximum flexibility in operating the functional units while being fully compliant
with safety requirements.
4.3.3 Matrix for safety-related functional relationships
The matrix in Figure 6 follows the concept in 4.3.2 to maximize flexibility in operating the functional
units (FU) and should be realized. Then, no further project-specific definitions between the project
partners are necessary.
Key
1 true
a
Stop-category according to EN 60204-1:2019, 9.2.2.
b
Safety-oriented stop function (PLr = c); unexpected start (PLr = d).
c
If required for safety reasons.
d
Status of main switch is not a dedicated signal at the interface.
Figure 6 — Principle matrix of safety-related functional relationships
Figure 7 illustrates an example system configuration on which the above shown matrix can be applied.
14 © ISO 2021 – All rights reserved

Key
1 machine
2 automated machine tending system
ES emergency stop button machine
1-M
ES emergency stop button automated machine tending system
1-A
SW main switch machine
1-M
SW main switch automated machine tending system
1-A
G interlocking guard machine
1-M
G interlocking guard automated machine tending system
1-A
LD loading access machine
1-M
Figure 7 — Example system configuration
Other matrices for safety-related functional relationships can be realized, e.g. if an activated emergency
stop button, shall bring both the automated machine tending system and the machine to STOP. In this
case, an individual matrix of safety-related functional relationships shall be defined by the project
partners.
Depending on the individual project, definition, implementation and realization of the safety matrix
shall be agreed between the project partners in cooperation with the system operator.
Annex B shows simplified examples for safety matrices for dedicated system configurations.
4.3.4 Distribution of performance levels and PFHD value
In the case of comprehensive safety-related parts of control systems (SRP/CS), distribution of the PFHD
value is carried out between the participants at a ratio of 1:2 between access level (signal detection) and
exit level (signal evaluation), in order to enable a verification for the functional safety by two individual
calculations. Other agreements can be made depending on the specific project.
Calculation of the performance of the control (SRP/CS) shall be carried out in accordance with
ISO 13849-1 or IEC 62061.
Figure 8 shows an example on how to distribute PFHD values.
Figure 8 — Example on how to distribute PFHD values
4.4 Control interface
The control-related interface describes signals and data with their functions as well as the belonging
flow charts which are transferred for the parts transport between automated machine tending system
and machine.
5 Extension of the interfaces
5.1 General
Depending on the complexity of a project on hand, an extension (e.g. of signals) described in this
document can become necessary. Therefore, a system-specific extension is allowed.
The principle of a system-specific extension is shown in Figure 3.
The system-specific extension shall be documented.
5.2 Examples of project-specific extensions
5.2.1 General
Project-specific extensions of this document are necessary, for example, if:
— the task can only be fulfilled by additional signals; or
— the machine has more than one interference area.
5.2.2 Additional signals
Additional signals and the belonging functions can be defined for a specific project. The nomenclatures
made for this ISO 21919 series shall be taken into account.
5.2.3 More than one interference area
5.2.3.1 Separated safety areas
Signals of the safety interface and control interface shall be completely duplicated.
5.2.3.2 The same safety area
Signals of the control-related interface shall be completely duplicated. There is only one safety-related
interface.
16 © ISO 2021 – All rights reserved

Annex A
(normative)
List of signals
The spreadsheet listing all signals with its attributes is provided in a machine-readable file at https://
standards .iso .org/ iso/ 21919/ -2/ ed -1/ en/ .
Three modes of operation exist.
— Mode of operation 1 (MO 1): an automatic, programmed, sequential operation mode of the machine
with the facility for manual or automatic loading/unloading of workpieces and tools, until stopped
by program or operator.
It is also referred to as automatic mode. It can include an operational interruption for loading/
unloading of workpieces and tools. MO 1 is applicable for machine tending systems and machines.
— Mode of operation 2 (MO 2): an operation mode in which adjustments and preparations for the
following machining process are performed by the operator (setter) with the possibility that guards
are open and/or protective devices suspended.
It is also referred to as setting mode. Assessments of tool or workpiece position (e.g. by touching
the workpiece with a probe or tool in single step mode) are procedures of the setting mode (see
ISO 16090-1:2017, 5.2.4.5).
— Mode of operation 3 (MO 3): a limited automatic mode (fixed sequence of separate consecutive
steps) started by the operator, which temporarily allows manual control or numerically controlled
operation of the machine, with guards opened and/or protective devices suspended. It is also
referred to as optional special mode for manual intervention under restricted operating conditions.
Annex B
(informative)
Examples for safety matrices
B.1 General
This annex shows examples that illustrate specific configurations of machines and automated machine
tending systems together with related safety matrices. Its aim is to support the requirements and
recommendations of 4.3 and to give guidance on how to setup such a matrix depending on the system
configuration.
The first example is a rather simple configuration of one machine that is tended by an automated
machine tending system composed of a robot. The setup space of the machine is not separated by a
(closable) loading access.
Example 2 in B.3 is similar to Example 1 in B.2. The only difference is that the setup space of the machine
is separated by a (closable) loading access.
The third example is a rather complex system of several machines that are tended by a gantry from
above by a loading access.
The collection of scenarios depicted in these examples are not intended to be exhaustive. For reasons of
simplification the inclusion of the main switches is waived.
B.2 Example 1: System configuration with loading setup space without (closable)
loading access
B.2.1 Configuration
Specific to the system configuration of this example is that the machine has a loading setup space
without a (closable) loading access. The system configuration is shown in the Figure B.1.
18 © ISO 2021 – All rights reserved

Key
1 machine
2 automated machine tending system
3 interference area
4 machine work space
ES emergency stop button machine
1-M
ES emergency stop button automated machine tending system
1-A
G interlocking guard machine 1
1-M
G separates work area from automated machine tending system and machine
2-M
G interlocking guard automated machine tending system
1-A
Figure B.1 — Loading setup space without (closable) loading access
Concerning functional safety, the following properties are worth mentioning:
— the machine has one guard G that allows access to the working space of the machine;
1-M
— the automated machine tending system has one guard G that allows access to the working space
1-A
of the automated machine tending system;
— the interference area can be accessed from the automated machine tending system at any time as
there is no (closable) loading access;
— the interference area can be accessed from the machine working space via guard G and guard
1-M
G ;
2-M
— each functional unit has one emergency stop button.
...