Earth-moving machinery - Functional safety - Part 1: Methodology to determine safety-related parts of the control system and performance requirements (ISO 19014-1:2018, Corrected version 2019-02)

This part of EN ISO 19014 provides guidance and a methodology for determining the performance levels required for earth-moving machinery (EMM), as described in EN ISO 6165, after a hazard is identified by risk assessment and a control is determined to be a safety-related part of the control system (SRP/CS).

Erdbaumaschinen - Funktionale Sicherheit - Teil 1: Methodik zur Bestimmung sicherheitsbezogener Teile der Steuerung und deren Leistungsanforderungen (ISO 19014-1:2018, korrigierte Fassung 2017-02)

This document provides a methodology for determining the performance levels required for earth-moving machinery (EMM) as defined in ISO 6165.
A machine control system safety analysis (MCSSA) determines the amount of risk reduction, for hazards associated with the control system, that is required for safety control systems (SCS). This reduction is quantified by the machine performance level (MPL), and the hazards are identified using the risk assessment principles defined in ISO 12100 or by other means.
NOTE 1   Step 2 as shown in Annex A demonstrates the relationship between ISO 12100 and ISO 19014 as a complementary protective measure.
NOTE 2   ISO 19014 can also be used for the functional safety requirements of other mobile off-road machinery.
For those controls determined to be safety-related, the characteristics for the architecture, the hardware, the environmental requirements for the software, and the performance are covered by other parts of ISO 19014.
ISO 19014 covers the hazards caused by the failure of safety control systems, with the exception of hazards arising from the equipment itself (e.g. electric shock, fire, etc.).
requirements of diagnostic coverage excluded.
This standard replaces ISO 15998:2008.

Engins de terrassement - Sécurité fonctionnelle - Partie 1: Méthodologie pour la détermination des parties relatives à la sécurité des systèmes de commande et les exigences de performance (ISO 19014-1:2018, Version corrigée 2019-02)

This document provides a methodology for determining the performance levels required for earth-moving machinery (EMM), as defined in ISO 6165.
A machine control system safety analysis (MCSSA) determines the degree of reduction of the hazards associated with control systems that is required for safety control systems (SCS). This reduction is quantified by the machine performance level (MPL); the hazards are identified using the risk assessment principles defined in ISO 12100 or by other means.
NOTE 1:   Step 2, as shown in Annex A, demonstrates the relationship between ISO 12100 and ISO 19014 as a complementary measure.
NOTE 2:   ISO 19014 can also be used to assess the functional safety requirements of other off-road mobile machinery.
For controls determined to be safety-related, the characteristics of the environmental requirements and performance of the architecture, hardware and software are covered in other parts of ISO 19014.
ISO 19014 covers the hazards caused by the functional failure of a safety-related control system, and excludes hazards arising from the equipment itself (for example, electric shock, fire, etc.).
Other controls that are not safety control systems (SCS), that neither mitigate a hazard nor perform a control function, and cases where failures could be noticed by the operator, are excluded from this standard (for example, windscreen wipers, headlights, cab lighting, etc.).
NOTE 3:   A list of safety functions is included in Annex D.
NOTE 4:   Audible warnings are excluded from the requirements of diagnostic coverage.

Stroji za zemeljska dela - Funkcijska varnost - 1. del: Metodologija ugotavljanja delov krmilnega sistema, ki so povezani z varnostjo in zahtevanimi lastnostmi (ISO 19014-1:2018, popravljena različica 2019-02)

This part of EN ISO 19014 provides guidance and a methodology for determining the performance levels required for earth-moving machinery (EMM), as described in EN ISO 6165, after a hazard has been identified by risk assessment and a control is determined to be a safety-related part of the control system (SRP/CS).

General Information

Status: Published
Public Enquiry End Date: 14-Jul-2017
Publication Date: 27-Sep-2018
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 24-Aug-2018
Due Date: 29-Oct-2018
Completion Date: 28-Sep-2018

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN ISO 19014-1:2018
01-november-2018
Stroji za zemeljska dela - Funkcijska varnost - 1. del: Metodologija ugotavljanja
delov krmilnega sistema, ki so povezani z varnostjo in zahtevanimi lastnostmi (ISO
19014-1:2018, popravljena različica 2019-02)
Earth-moving machinery - Functional safety - Part 1: Methodology to determine safety-
related parts of the control system and performance requirements (ISO 19014-1:2018,
Corrected version 2019-02)
Erdbaumaschinen - Funktionale Sicherheit - Teil 1: Methodik zur Bestimmung
sicherheitsbezogener Teile der Steuerung und deren Leistungsanforderungen (ISO
19014-1:2018, korrigierte Fassung 2017-02)
Engins de terrassement - Sécurité fonctionnelle - Partie 1: Méthodologie pour la
détermination des parties relatives à la sécurité des systèmes de commande et les
exigences de performance (ISO 19014-1:2018, Version corrigée 2019-02)
This Slovenian standard is identical to: EN ISO 19014-1:2018
ICS:
53.100 Stroji za zemeljska dela Earth-moving machinery
SIST EN ISO 19014-1:2018 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EN ISO 19014-1
EUROPEAN STANDARD

NORME EUROPÉENNE

August 2018
EUROPÄISCHE NORM
ICS 53.100
English Version

Earth-moving machinery - Functional safety - Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements (ISO
19014-1:2018, Corrected version 2019-02)
Engins de terrassement - Sécurité fonctionnelle - Partie 1: Méthodologie pour la détermination des parties relatives à la sécurité des systèmes de commande et les exigences de performance (ISO 19014-1:2018, Version corrigée 2019-02)
Erdbaumaschinen - Funktionale Sicherheit - Teil 1: Methodik zur Bestimmung sicherheitsbezogener Teile der Steuerung und deren Leistungsanforderungen (ISO 19014-1:2018)
This European Standard was approved by CEN on 23 May 2018.

This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 06 February 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 19014-1:2018 E

EN ISO 19014-1:2018 (E)
European foreword
This document (EN ISO 19014-1:2018) has been prepared by Technical Committee ISO/TC 127 "Earth-
moving machinery" in collaboration with Technical Committee CEN/TC 151 “Construction equipment
and building material machines - Safety” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2019, and conflicting national standards
shall be withdrawn at the latest by February 2019.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO 19014-1:2018, Corrected version 2019-02 has been approved by CEN as EN ISO 19014-
1:2018 without any modification.


INTERNATIONAL STANDARD ISO 19014-1
First edition 2018-06
Corrected version 2019-02
Earth-moving machinery —
Functional safety —
Part 1:
Methodology to determine safety-
related parts of the control system and
performance requirements
Engins de terrassement — Sécurité fonctionnelle —
Partie 1: Méthodologie pour la détermination des parties relatives à
la sécurité des systèmes de commande et les exigences de performance
Reference number
ISO 19014-1:2018(E)
© ISO 2018


COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
4.2 Machine Control System Safety Analysis (MCSSA) method
5 Requirements for immediate action warning indicators
5.1 General
6 Performance level determination procedures
6.1 General
6.2 Participants in the risk assessment
6.3 Assessment and classification of a potential harm
6.4 Assessment of exposure in the situation observed
6.5 Assessment of a possibility to avoid harm
6.6 Determining the required MPL
Annex A (informative) Process flow chart for machinery risk assessment
Annex B (informative) Table of warning/operation indicators
Annex C (informative) Example of MCSSA Process
Annex D (informative) List of possible safety control systems (SCS) of earth moving machines
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 127, Earth-moving machinery,
Subcommittee SC 2, Safety, ergonomics and general requirements.
This first edition of ISO 19014-1, together with ISO 19014-2, ISO 19014-3, ISO 19014-4 and ISO/
TS 19014-5, cancels and replaces ISO 15998 and ISO/TS 15998-2, which have been technically revised.
The main changes compared to the previous documents are as follows:
— method for determination of performance levels and machine control system safety analysis,
— additional requirements for mobile machines,
— environmental test requirements for components of safety controls systems, and
— requirements for software validation and verification of machine performance levels.
This corrected version of ISO 19014-1:2018 incorporates the following corrections:
— in 4.2 c) 2), 4.2 d) 1), 6.1 and Annex C, the cross-references to the steps defined in 4.2 have been
corrected.
A list of all parts in the ISO 19014-series can be found on the ISO website. At the time of publication of
this document, Part 2, Design and evaluation of safety-related machine control systems, Part 4, Design and
evaluation of software and transmission for safety related parts of the control system, and Part 5, Tables of
performance levels, are under development.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
This document addresses systems of all energy types used for functional safety in earth-moving
machinery.
The structure of safety standards in the field of machinery is as follows.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that
can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types
of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive
devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular
machine or group of machines.
This document is a type C standard as stated in ISO 12100.
This document is of relevance, in particular, for the following stakeholder groups representing the
market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organisations, market surveillance etc.).
Others can be affected by the level of machinery safety achieved with the means of the document by the
above-mentioned stakeholder groups:
— machine users/employers (small, medium and large enterprises);
— machine users/employees (e.g. trade unions, organizations for people with special needs);
— service providers, e.g. for maintenance (small, medium and large enterprises).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting
process of this document.
The machinery concerned and the extent to which hazards, hazardous situations or hazardous events
are covered are indicated in the Scope of this document.
When requirements of this type-C standard are different from those which are stated in type-A or
type-B standards, the requirements of this type-C standard take precedence over the requirements of
the other standards for machines that have been designed and built according to the requirements of
this type-C standard.
INTERNATIONAL STANDARD ISO 19014-1:2018(E)
Earth-moving machinery — Functional safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
1 Scope
This document provides a methodology for the determination of performance levels required for earth
moving machinery (EMM) as defined in ISO 6165.
A Machine Control System Safety Analysis (MCSSA) determines the amount of risk reduction of hazards
associated with control systems, required for Safety Control Systems (SCS). This reduction is quantified
by the Machine Performance Level (MPL); the hazards are identified using the risk assessment principles
as defined in ISO 12100 or by other means.
NOTE 1 Step 2 as shown in Annex A demonstrates the relationship between ISO 12100 and ISO 19014 as a
complementary protective measure.
NOTE 2 ISO 19014 can also be used to assess the functional safety requirements of other off-road mobile
machinery.
For those controls determined to be safety-related, the characteristics for architecture, hardware,
software environmental requirements and performance are covered by other parts in ISO 19014.
ISO 19014 covers the hazards caused by the failure of a safety control system and excludes hazards
arising from the equipment itself (for example, electric shock, fire, etc.).
Other controls that are not safety control systems (SCS), that do not mitigate a hazard or perform a
control function and where the operator would be aware of a failure, are excluded from this standard
(e.g. windscreen wipers, head lights, cab light, etc.).
NOTE 3 A list of safety control systems is included in Annex D.
NOTE 4 Audible warnings are excluded from the requirements of diagnostic coverage.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 6165, Earth-moving machinery — Basic types — Identification and terms and definitions
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 6165 and ISO 12100 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
Machine Performance Level
MPL
discrete level to specify the ability of safety-related parts of control systems (3.3.2) to perform a safety
function under reasonably foreseeable conditions
Note 1 to entry: The term MPL is used to describe the performance level required from a safety-related part of
a control system. The ‘M’ refers to machine and denotes Earth Moving Machinery covered by the scope of this
document and is used to differentiate from other functional safety standards (e.g. PL, AgPL, ASIL, etc.).
3.1.1
Machine Performance Level required
MPLr
discrete level required as determined by processes in this document
3.1.2
Machine Performance Level achieved
MPLa
discrete level achieved by the safety control systems (3.3.1) hardware, architecture and software
Note 1 to entry: Process for determination of MPLa will be covered in ISO 19014-2 and ISO 19014-4, under
development.
3.2
functional safety
part of the overall safety relating to the equipment under control and its control system that depends
on the correct functioning of the safety control system (SCS) (3.3.1) and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12, modified]
3.3
machine control system
MCS
system which responds to input signals from parts of machine elements, operators (3.4.1), external
control equipment or any combination of these and generates output signals causing the machine to
behave in the intended manner
[SOURCE: ISO 13849-1:2015, 3.1.32]
3.3.1
safety control system
SCS
sub-system or system used by a MCS (3.3) to achieve functional safety (3.2) by affecting machine
behaviour or mitigating a hazard
Note 1 to entry: A system which can fail in a way that creates a hazard is considered a SCS.
Note 2 to entry: For example, SCS for propulsion may include throttle, gear shift, start/stop, etc.
3.3.2
safety-related part of the control system
SRP/CS
part of a SCS (3.3.1) that responds to safety-related input signals and generates safety-related
output signals
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related
input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and
end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostic coverage, they are also considered as SRP/CS.
Note 3 to entry: SRP/CS is a part or component within the specific MCS.
[SOURCE: ISO 13849-1:2015, 3.1.1, modified - Note 3 to entry has been added.]
3.4
person group
groups of people analyzed in the MCSSA (3.14)
3.4.1
operator
person operating the EMM and aware of associated risks or hazards
3.4.2
co-worker
person working in the vicinity of a machine and aware of associated hazards
3.4.3
bystander
person including non-employee, child, or member of the public with little or no awareness of machine
hazards and no training
3.4.4
maintainer
person whose function is to perform maintenance tasks on the machine
Note 1 to entry: A maintainer is trained and familiar with the machine.
3.5
controllability
ability to avoid harm to the person group (3.4) at risk through the timely reactions of the operator
(3.4.1), possibly with the support of alternative controls
3.6
exposure
percentage of time a person group (3.4) is exposed to the hazard
Note 1 to entry: The exposure is the product of the following dependent probabilities: application use case (3.11),
hazard time (3.12), and person group exposure (3.15).
3.7
severity
estimate of the extent of harm to one or more individuals that can occur in a potentially hazardous
situation
[SOURCE: ISO 26262-1:2011, 1.120]
3.8
operation indicator
means by which the state of the equipment or machinery is represented to an observer
[SOURCE: ISO 22555:2007, 3.2]
3.8.1
warning indicator
visual, sensory or audible indications where an action from the operator (3.4.1) or control system is
required
3.8.2
immediate action warning indicator
warning indicator (3.8.1) requiring immediate action from the operator (3.4.1) to mitigate hazard or
system failure
3.9
application
different industries where a machine is used in, that can have different hazardous situations from
one another
Note 1 to entry: Applications can include general construction, road construction, waste management,
quarrying, etc.
3.10
use case
intended use of a machine within an application (3.9)
Note 1 to entry: For example, a dozer can have dozing, ripping, travel and maintenance use cases within an
application.
3.11
application use case
highest percentage of time a machine is anticipated to be used in a use case (3.10) within a given
application (3.9) during the intended use of the life cycle of the machine
Note 1 to entry: Because the application use case represents the highest percentage of time, and not the average,
a machine in the population spends in a use case, the sum of application use cases across an application can be
greater than 100 %.
3.12
hazard time
percentage of time within the work cycle of the application use where it is reasonably foreseeable that a
hazard may exist should the control system being assessed fail
Note 1 to entry: For example, a dozer pushing material off a high wall is only exposed to the hazard of going over
the high wall for the time where the machine is traveling towards the high wall within the stopping distance of
the machine.
3.13
hazard zone
any space within or around machinery in which a person can be exposed to a hazard from the SCS
(3.3.1) under analysis
[SOURCE: ISO 12100:2010 3.11, modified - “from the SCS under analysis” has been added.]
3.14
machine control system safety analysis
MCSSA
risk assessment used to determine the MPLr (3.1.1) for the SCS (3.3.1) on a machine as outlined in this
document
3.15
person group exposure
highest percentage of hazard time (3.12) that someone from the person group (3.4) being assessed is
present in the hazard zone (3.13)
Note 1 to entry: The analysis is a sum of all the persons exposed from the person group, not a single individual
within that group i.e. not a single car driving by, but the flow of traffic.
3.16
failure type
description of the type of failure that can occur in a SCS (3.3.1)
Note 1 to entry: Failure types to consider include failure to apply, failure to release, uncommanded apply,
uncommanded release, incorrect apply rate, incorrect release rate or incorrect direction, etc.
3.17
worst credible
estimation of severity (3.7) of the most severe harm that can realistically occur from a single
hazardous event
Note 1 to entry: Worst credible is not always the worst conceivable or the most likely but it is based on
consideration of incident history and potential outcome of hazardous events.
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
Functional safety is achieved by one or more SCS which rely on many technologies (e.g. mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy shall
consider all of the elements within a SCS, such as sensors, controlling devices and actuators.
Parts of the SCS which provide safety functions are called safety-related parts of control systems (SRP/
CS). These can consist of hardware or software and can be separate or integrated parts of a control system;
they shall be included in the MCSSA process.
The objective is to reduce the risk associated with a given hazard (or hazardous situation) during
intended use of the machine. This shall be achieved by applying various protective measures (both
SRP/CS and non-SRP/CS) with the end-result of achieving a safe condition.
An examination of risk for safety functions is focused on the origin of injuries to people. If in the
analysis of potential harm it can be established that damage is clearly limited to property and does
not involve injury to people, this would not require a MCS to be classified as a SCS. In addition, it is the
responsibility of the user (owner) to perform a specific job site risk assessment and these assessments
are not part of the MCSSA process.
4.2 Machine Control System Safety Analysis (MCSSA) method
a) Identify all MCS or functions for the machine being evaluated.
b) Identify possible failure types for each MCS or functions.
c) Identify risks presented for each failure type of each MCS or functions.
1) If no risks are identified, the MCS or functions is not a SCS but may still be covered by the
requirements for Quality Measure (QM) (see 6.6).
2) If risks are identified, the MCS or functions is a SCS. Continue MCSSA with step d).
d) Evaluate risks
1) Determined above using severity, exposure and controllability assessments using the method
as defined in Clause 6, and continue to step e).
NOTE ISO/TS 19014-5, on Machine Control System Safety Analysis (MCSSA) and performance
levels, is being developed; this document will detail an alternative method to use when determining the
appropriate MPLr for some common MCS’s.
e) Determine MPLr using a risk graph (see Figure 2 in 6.6) for each failure type of each SCS, following
the process in 6.3, 6.4 and 6.5.
1) Select the highest MPLr to assign to that SCS as per 6.6.
f) If MCSSA was completed by function, not system, then assign MPLr to relevant SCS.
g) Use the other parts in the ISO 19014 series to determine the MPLa of the SCS.
h) Ensure MPLa ≥ MPLr.
If additional protective measures are added, they s
...

SLOVENIAN STANDARD
SIST EN ISO 19014-1:2018
01 November 2018
Stroji za zemeljska dela - Funkcijska varnost - 1. del: Metodologija ugotavljanja
delov krmilnega sistema, ki so povezani z varnostjo in zahtevanimi lastnostmi (ISO
19014-1:2018)
Earth-moving machinery - Functional safety - Part 1: Methodology to determine safety-
related parts of the control system and performance requirements (ISO 19014-1:2018)
Engins de terrassement - Sécurité - Partie 1: Méthodologie permettant de déterminer les
parties du système de commande et les exigences de performance liés à la sécurité
(ISO 19014-1:2018)
This Slovenian standard is identical to: EN ISO 19014-1:2018
ICS:
53.100 Earth-moving machinery
SIST EN ISO 19014-1:2018 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EN ISO 19014-1
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2018
ICS 53.100
English Version

Earth-moving machinery - Functional safety - Part 1: Methodology to determine safety-related parts of the control system and performance requirements (ISO 19014-1:2018)
Engins de terrassement - Sécurité fonctionnelle - Partie 1: Méthodologie pour la détermination des parties relatives à la sécurité des systèmes de commande et les exigences de performance (ISO 19014-1:2018)
Erdbaumaschinen - Funktionale Sicherheit - Teil 1: Methodik zur Bestimmung sicherheitsbezogener Teile einer Steuerung und von Leistungsanforderungen (ISO 19014-1:2018)
This European Standard was approved by CEN on 23 May 2018.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 19014-1:2018 E

European foreword
This document (EN ISO 19014-1:2018) has been prepared by Technical Committee ISO/TC 127 "Earth-
moving machinery" in collaboration with Technical Committee CEN/TC 151 “Construction equipment
and building material machines - Safety” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2019, and conflicting national standards
shall be withdrawn at the latest by February 2019.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO 19014-1:2018 has been approved by CEN as EN ISO 19014-1:2018 without any
modification.

INTERNATIONAL STANDARD ISO 19014-1
First edition
2018-06
Earth-moving machinery — Functional safety — Part 1: Methodology to determine safety-related parts of the control system and performance requirements
Engins de terrassement — Sécurité fonctionnelle — Partie 1: Méthodologie pour la détermination des parties relatives à la sécurité des systèmes de commande et les exigences de performance
Reference number ISO 19014-1:2018(E)
© ISO 2018

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
4.2 Machine Control System Safety Analysis (MCSSA) method
5 Requirements for immediate action warning indicators
5.1 General
6 Performance level determination procedures
6.1 General
6.2 Participants in the risk assessment
6.3 Assessment and classification of a potential harm
6.4 Assessment of exposure in the situation observed
6.5 Assessment of a possibility to avoid harm
6.6 Determining the required MPL
Annex A (informative) Process flow chart for machinery risk assessment
Annex B (informative) Table of warning/operation indicators
Annex C (informative) Example of MCSSA Process
Annex D (informative) List of possible safety control systems (SCS) of earth moving machines
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 127, Earth-moving machinery,
Subcommittee SC 2, Safety, ergonomics and general requirements.
This first edition of ISO 19014-1, together with ISO 19014-2, ISO 19014-3, ISO 19014-4 and
ISO/TS 19014-5, cancels and replaces ISO 15998 and ISO/TS 15998-2, which have been technically revised.
The main changes compared to the previous documents are as follows:
— method for determination of performance levels and machine control system safety analysis,
— additional requirements for mobile machines,
— environmental test requirements for components of safety controls systems, and
— requirements for software validation and verification of machine performance levels.
A list of all parts in the ISO 19014-series can be found on the ISO website. At the time of publication of
this document, Part 2, Design and evaluation of safety-related machine control systems, Part 4, Design and
evaluation of software and transmission for safety related parts of the control system, and Part 5, Tables of
performance levels, are under development.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document addresses systems of all energy types used for functional safety in earth-moving
machinery.
The structure of safety standards in the field of machinery is as follows.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that
can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types
of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive
devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular
machine or group of machines.
This document is a type C standard as stated in ISO 12100.
This document is of relevance, in particular, for the following stakeholder groups representing the
market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organisations, market surveillance etc.).
Others can be affected by the level of machinery safety achieved with the means of the document by the
above-mentioned stakeholder groups:
— machine users/employers (small, medium and large enterprises);
— machine users/employees (e.g. trade unions, organizations for people with special needs);
— service providers, e.g. for maintenance (small, medium and large enterprises).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting
process of this document.
The machinery concerned and the extent to which hazards, hazardous situations or hazardous events
are covered are indicated in the Scope of this document.
When requirements of this type-C standard are different from those which are stated in type-A or
type-B standards, the requirements of this type-C standard take precedence over the requirements of
the other standards for machines that have been designed and built according to the requirements of
this type-C standard.
INTERNATIONAL STANDARD ISO 19014-1:2018(E)
Earth-moving machinery — Functional safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
1 Scope
This document provides a methodology for the determination of performance levels required for earth
moving machinery (EMM) as defined in ISO 6165.
A Machine Control System Safety Analysis (MCSSA) determines the amount of risk reduction of hazards
associated with control systems, required for Safety Control Systems (SCS). This reduction is quantified
by the Machine Performance Level (MPL); the hazards are identified using the risk assessment principles
as defined in ISO 12100 or by other means.
NOTE 1 Step 2 as shown in Annex A demonstrates the relationship between ISO 12100 and ISO 19014 as a
complementary protective measure.
NOTE 2 ISO 19014 can also be used to assess the functional safety requirements of other off-road mobile
machinery.
For those controls determined to be safety-related, the characteristics for architecture, hardware,
software environmental requirements and performance are covered by other parts in ISO 19014.
ISO 19014 covers the hazards caused by the failure of a safety control system and excludes hazards
arising from the equipment itself (for example, electric shock, fire, etc.).
Other controls that are not safety control systems (SCS), that do not mitigate a hazard or perform a
control function and where the operator would be aware of a failure, are excluded from this standard
(e.g. windscreen wipers, head lights, cab light, etc.).
NOTE 3 A list of safety control systems is included in Annex D.
NOTE 4 Audible warnings are excluded from the requirements of diagnostic coverage.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 6165, Earth-moving machinery — Basic types — Identification and terms and definitions
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 6165 and ISO 12100 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
Machine Performance Level
MPL
discrete level to specify the ability of safety-related parts of control systems (3.3.2) to perform a safety
function under reasonably foreseeable conditions
Note 1 to entry: The term MPL is used to describe the performance level required from a safety-related part of
a control system. The ‘M’ refers to machine and denotes Earth Moving Machinery covered by the scope of this
document and is used to differentiate from other functional safety standards (e.g. PL, AgPL, ASIL, etc.).
3.1.1
Machine Performance Level required
MPLr
discrete level required as determined by processes in this document
3.1.2
Machine Performance Level achieved
MPLa
discrete level achieved by the safety control systems (3.3.1) hardware, architecture and software
Note 1 to entry: Process for determination of MPLa will be covered in ISO 19014-2 and ISO 19014-4, under
development.
3.2
functional safety
part of the overall safety relating to the equipment under control and its control system that depends
on the correct functioning of the safety control system (SCS) (3.3.1) and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12, modified]
3.3
machine control system
MCS
system which responds to input signals from parts of machine elements, operators (3.4.1), external
control equipment or any combination of these and generates output signals causing the machine to
behave in the intended manner
[SOURCE: ISO 13849-1:2015, 3.1.32]
3.3.1
safety control system
SCS
sub-system or system used by a MCS (3.3) to achieve functional safety (3.2) by affecting machine
behaviour or mitigating a hazard
Note 1 to entry: A system which can fail in a way that creates a hazard is considered a SCS.
Note 2 to entry: For example, SCS for propulsion may include throttle, gear shift, start/stop, etc.
3.3.2
safety-related part of the control system
SRP/CS
part of a SCS (3.3.1) that responds to safety-related input signals and generates safety-related
output signals
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related
input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and
end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostic coverage, they are also considered as SRP/CS.
Note 3 to entry: SRP/CS is a part or component within the specific MCS.
[SOURCE: ISO 13849-1:2015, 3.1.1, modified - Note 3 to entry has been added.]
3.4
person group
groups of people analyzed in the MCSSA (3.14)
3.4.1
operator
person operating the EMM and aware of associated risks or hazards
3.4.2
co-worker
person working in the vicinity of a machine and aware of associated hazards
3.4.3
bystander
person including non-employee, child, or member of the public with little or no awareness of machine
hazards and no training
3.4.4
maintainer
person whose function is to perform maintenance tasks on the machine
Note 1 to entry: A maintainer is trained and familiar with the machine.
3.5
controllability
ability to avoid harm to the person group (3.4) at risk through the timely reactions of the operator
(3.4.1), possibly with the support of alternative controls
3.6
exposure
percentage of time a person group (3.4) is exposed to the hazard
Note 1 to entry: The exposure is the product of the following dependent probabilities: application use case (3.11),
hazard time (3.12), and person group exposure (3.15).
3.7
severity
estimate of the extent of harm to one or more individuals that can occur in a potentially hazardous
situation
[SOURCE: ISO 26262-1:2011, 1.120]
3.8
operation indicator
means by which the state of the equipment or machinery is represented to an observer
[SOURCE: ISO 22555:2007, 3.2]
3.8.1
warning indicator
visual, sensory or audible indications where an action from the operator (3.4.1) or control system is
required
3.8.2
immediate action warning indicator
warning indicator (3.8.1) requiring immediate action from the operator (3.4.1) to mitigate hazard or
system failure
3.9
application
different industries in which a machine is used, which can have different hazardous situations from
one another
Note 1 to entry: Applications can include general construction, road construction, waste management,
quarrying, etc.
3.10
use case
intended use of a machine within an application (3.9)
Note 1 to entry: For example, a dozer can have dozing, ripping, travel and maintenance use cases within an
application.
3.11
application use case
highest percentage of time a machine is anticipated to be used in a use case (3.10) within a given
application (3.9) during the intended use of the life cycle of the machine
Note 1 to entry: Because the application use case represents the highest percentage of time, and not the average,
a machine in the population spends in a use case, the sum of application use cases across an application can be
greater than 100 %.
3.12
hazard time
percentage of time within the work cycle of the application use where it is reasonably foreseeable that a
hazard may exist should the control system being assessed fail
Note 1 to entry: For example, a dozer pushing material off a high wall is only exposed to the hazard of going over
the high wall for the time where the machine is traveling towards the high wall within the stopping distance of
the machine.
3.13
hazard zone
any space within or around machinery in which a person can be exposed to a hazard from the SCS
(3.3.1) under analysis
[SOURCE: ISO 12100:2010 3.11, modified - “from the SCS under analysis” has been added.]
3.14
machine control system safety analysis
MCSSA
risk assessment used to determine the MPLr (3.1.1) for the SCS (3.3.1) on a machine as outlined in this
document
3.15
person group exposure
highest percentage of hazard time (3.12) that someone from the person group (3.4) being assessed is
present in the hazard zone (3.13)
Note 1 to entry: The analysis is a sum of all the persons exposed from the person group, not a single individual
within that group i.e. not a single car driving by, but the flow of traffic.
3.16
failure type
description of the type of failure that can occur in a SCS (3.3.1)
Note 1 to entry: Failure types to consider include failure to apply, failure to release, uncommanded apply,
uncommanded release, incorrect apply rate, incorrect release rate or incorrect direction, etc.
3.17
worst credible
estimation of severity (3.7) of the most severe harm that can realistically occur from a single
hazardous event
Note 1 to entry: Worst credible is not always the worst conceivable or the most likely but it is based on
consideration of incident history and potential outcome of a hazardous event.
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
Functional safety is achieved by one or more SCS which rely on many technologies (e.g. mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy shall
consider all of the elements within a SCS, such as sensors, controlling devices and actuators.
Parts of the SCS which provide safety functions are called safety-related parts of control systems
(SRP/CS). These can consist of hardware or software and can be separate or integrated parts of a
control system; they shall be included in the MCSSA process.
The objective is to reduce the risk associated with a given hazard (or hazardous situation) during
intended use of the machine. This shall be achieved by applying various protective measures (both
SRP/CS and non-SRP/CS) with the end-result of achieving a safe condition.
An examination of risk for safety functions is focused on the origin of injuries to people. If in the
analysis of potential harm it can be established that damage is clearly limited to property and does
not involve injury to people, this would not require a MCS to be classified as a SCS. In addition, it is the
responsibility of the user (owner) to perform a specific job site risk assessment and these assessments
are not part of the MCSSA process.
4.2 Machine Control System Safety Analysis (MCSSA) method
a) Identify all MCS or functions for the machine being evaluated.
b) Identify possible failure types for each MCS or functions.
c) Identify risks presented for each failure type of each MCS or functions.
1) If no risks are identified, the MCS or functions is not a SCS but may still be covered by the
requirements for Quality Measure (QM) (see 6.6).
2) If risks are identified, the MCS or functions is a SCS. Continue MCSSA with step 4.
d) Evaluate risks
1) Determined above using severity, exposure and controllability assessments using the method
as defined in Clause 6, and continue to step 5.
NOTE ISO/TS 19014-5, on Machine Control System Safety Analysis (MCSSA) and performance
levels, is being developed; this document will detail an alternative method to use when determining the
appropriate MPLr for some common MCS’s.
e) Determine MPLr using a risk graph (see Figure 2 in 6.6) for each failure type of each SCS, following
the process in 6.3, 6.4 and 6.5.
1) Select the highest MPLr to assign to that SCS as per 6.6.
f) If MCSSA was completed by function, not system, then assign MPLr to relevant SCS.
g) Use the other parts in the ISO 19014 series to determine the MPLa of the SCS.
h) Ensure MPLa ≥ MPLr.
If additional protective measures are added, they shall meet the MPLr for the SCS to which they relate.
NOTE Annex C provides a worked example of the MCSSA process
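The bookkeeping of steps c) to h) and the exposure product of definition 3.6 can be sketched as follows. This is an added example, not part of the standard: the level scale QM, a to e, the record layout, the function names and the sample values are assumptions, and the risk graph of Figure 2 is not reproduced, so each MPLr is entered as read from that graph by the analyst.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ordered scale, lowest to highest. ASSUMPTION: the text names QM and calls MPL
# a "discrete level"; the letters a-e and their order are assumed here.
MPL_ORDER = ["QM", "a", "b", "c", "d", "e"]


def rank(level: str) -> int:
    """Position of a level on the assumed scale; rejects unknown labels."""
    if level not in MPL_ORDER:
        raise ValueError(f"unknown MPL level: {level!r}")
    return MPL_ORDER.index(level)


def exposure(application_use_case: float, hazard_time: float,
             person_group_exposure: float) -> float:
    """Definition 3.6: exposure is the product of application use case (3.11),
    hazard time (3.12) and person group exposure (3.15), given as fractions."""
    factors = {"application_use_case": application_use_case,
               "hazard_time": hazard_time,
               "person_group_exposure": person_group_exposure}
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a fraction in [0, 1], got {value}")
    return application_use_case * hazard_time * person_group_exposure


@dataclass
class FailureAssessment:
    failure_type: str            # step b), e.g. "uncommanded apply" (3.16)
    injury_risk: bool            # step c): is a risk of injury to people identified?
    mplr: Optional[str] = None   # step e): level read from the risk graph


@dataclass
class ControlSystem:
    name: str
    assessments: List[FailureAssessment]
    mpla: Optional[str] = None   # step g): achieved level from the other parts


def analyse(mcs: ControlSystem) -> dict:
    """Apply steps c) to h) to one MCS and return the resulting record."""
    risky = [a for a in mcs.assessments if a.injury_risk]
    if not risky:
        # Step c) 1): no risk identified, so the MCS is not a SCS.
        return {"name": mcs.name, "is_scs": False,
                "mplr": None, "meets_requirement": None}
    missing = [a.failure_type for a in risky if a.mplr is None]
    if missing:
        raise ValueError(f"{mcs.name}: no MPLr recorded for {missing}")
    # Step e) 1): the highest MPLr over all failure types is assigned to the SCS.
    mplr = max((a.mplr for a in risky), key=rank)
    # Step h): MPLa >= MPLr, or undecided while MPLa is not yet known.
    meets = None if mcs.mpla is None else rank(mcs.mpla) >= rank(mplr)
    return {"name": mcs.name, "is_scs": True,
            "mplr": mplr, "meets_requirement": meets}


# Constructed sample input; the systems, levels and fractions are illustrative only.
SAMPLE = [
    ControlSystem("service brake", [
        FailureAssessment("failure to apply", True, "d"),
        FailureAssessment("uncommanded apply", True, "b"),
        FailureAssessment("incorrect release rate", False),
    ], mpla="c"),
    ControlSystem("cab light", [FailureAssessment("failure to apply", False)]),
]

if __name__ == "__main__":
    for system in SAMPLE:
        print(analyse(system))
    print(f"exposure = {exposure(0.4, 0.1, 0.5):.3f}")
```
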
5 Requirements for immediate action warning indicators
5.1 General
The principles of this standard should also be applied to immediate action warning indicators intended
to warn the operator of a possible hazard and requiring immediate action from the operator to correct
and prevent such a hazard.
These indicators shall not be designated as meeting a performance level as the output/diagnostic
coverage is reliant on human reaction; indicators provide no control of the system and therefore cannot
be labelled as safety-related parts of the control system.
A review of immediate ac
...

SLOVENIAN STANDARD
oSIST prEN ISO 19014-1:2017
01 July 2017
Stroji za zemeljska dela - Varnost - 1. del: Metodologija ugotavljanja delov
krmilnega sistema, ki so povezani z varnostjo in zahtevanimi lastnostmi (ISO/DIS
19014-1:2017)
Earth-moving machinery - Safety - Part 1: Methodology to determine safety-related parts
of the control system and performance requirements (ISO/DIS 19014-1:2017)
Engins de terrassement - Sécurité - Partie 1: Méthodologie permettant de déterminer les
parties du système de commande et les exigences de performance liés à la sécurité
(ISO/DIS 19014-1:2017)
This Slovenian standard is identical to: prEN ISO 19014-1
ICS:
53.100 Earth-moving machinery
oSIST prEN ISO 19014-1:2017 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT INTERNATIONAL STANDARD
ISO/DIS 19014-1.2
ISO/TC 127/SC 2 Secretariat: ANSI
Voting begins on: 2017-05-17
Voting terminates on: 2017-07-11
Earth-moving machinery — Safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
Engins de terrassement — Sécurité —
Partie 1: Méthodologie permettant de déterminer les parties du système de commande et les exigences de
performance liés à la sécurité
ICS: 53.100
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/DIS 19014-1.2:2017(E)
© ISO 2017

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
4.2 Method
5 Determination of the limits of the machine
5.1 General
5.2 Identification of hazards
6 Performance level determination procedures
6.1 General
6.1.1 Tasks in risk analysis
6.1.2 Participants in the risk assessment
6.1.3 Assessment and classification of a potential harm
6.1.4 Assessment of exposure in the situation observed
6.1.5 Assessment of a possibility to avoid harm
6.1.6 Selecting the required MPL
Annex A (informative) Process flow chart for machinery risk assessment
Annex B (normative) Table of warning / operation indicators
Annex C (informative) List of hazards from ISO 12100 (EMM Specific)
Annex D (informative) Examples of A, H and P variable calculations for Exposure
Annex E (informative) List of possible safety functions of earth moving machines
Annex ZA (informative) Relationship between this European Standard and the Essential Requirements of EU Directive 2006/42/EC aimed to be covered
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 127.
ISO 19014 consists of the following parts, under the general title Earth-moving machinery —
Functional Safety:
— Part 1: Risk assessment methodology to determine control system performance requirements
— Part 2: Design and Evaluation of Safety-Related Machine Control Systems
— Part 3: Environmental Testing Requirements
— Part 4: Design and evaluation of software and data transmission for safety-related parts of the
control system
— Part 5: Technical report: Guidance and table of MPLr for EMM
The ISO 19014 series replaces ISO 15998.

Introduction
This document addresses systems of all energy types used for functional safety in earth-moving
machinery.
The structure of safety standards in the field of machinery is as follows.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that
can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types
of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive
devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular
machine or group of machines.
This part of ISO 19014 is a type C standard as stated in ISO 12100.

DRAFT INTERNATIONAL STANDARD ISO/DIS 19014-1.2:2017(E)
Earth-moving machinery — Safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
1 Scope
This part of ISO 19014 provides guidance and a methodology for determination of performance levels
required for earth moving machinery (EMM), as described in ISO 6165 after a hazard is identified by
risk assessment.
NOTE This series can also be used to assess the functional safety requirements of other off-road mobile
machinery.
Hazard identification is determined by risk assessment (herein also known as machine control system
safety analysis MCSSA) using the method described in ISO 12100 or by other means and is not covered
by this document.
If a sub-system is determined to be a safety control system (SCS), a Machine Performance Level (MPL)
is allocated to that sub-system.
NOTE The term MPL is used to describe the performance level required from a safety-related part of a
control system. The ‘M’ refers to machine and denotes Earth Moving Machinery covered by the scope of this
document and is used to differentiate from other functional safety standards (e.g. PL, AgPL, ASIL, etc.).
For those controls determined as safety-related, the characteristics for architecture, hardware,
software environmental requirements and performance are covered by other parts in this series.
ISO 19014 covers the hazards caused by the functional behaviour of safety-related systems and excludes
hazards arising from the equipment itself (for example, electric shock, fire, etc.).
The principles of this standard shall also be applied to immediate action warning indicators intended
to warn the operator of a possible hazard and requiring immediate action from the operator to correct
and prevent such a hazard (e.g. vision systems, proximity detection systems, etc.).
NOTE A normative list of immediate action warning indicators is included in Annex B.
Other controls that are not safety control systems (SCS), that do not mitigate a hazard or perform a
control function and where the operator would be aware of a failure, are excluded from this standard
(e.g. windscreen wipers, head lights, cab light etc.)
NOTE 1 An informative list of safety functions is included in Annex E.
NOTE 2 Audible warnings are excluded from the requirements of diagnostic coverage.
This standard supersedes ISO 15998:2008.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 6165, Earth-moving machinery — Basic types — Identification and terms and definitions
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
ISO 19014-2, Earth-moving machinery — Safety — Control system performance level architecture and
requirements
ISO 19014-3, Earth-moving machinery — Safety — Control system performance level environmental
requirements
ISO 19014-4, Earth-moving machinery — Safety — Design and evaluation of software and data transmission
for safety-related parts of the control system
ISO 20474-1, Earth Moving Machinery — Safety — General Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12100 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
Machine Performance Level
MPL
discrete level to specify the ability of safety-related parts of control systems to perform a safety
function under reasonably foreseeable conditions
3.1.1
Machine Performance Level required
MPLr
discrete level required as determined by processes in this document
3.1.2
Machine Performance Level achieved
MPLa
discrete level achieved as determined by processes in ISO 19014-2 and ISO 19014-4
3.2
functional safety
part of the overall safety relating to the equipment under control and its control system that depends
on the correct functioning of the safety-related systems and other risk reduction measures
[SOURCE: 3.1.12 of IEC 61508-4:2010]
3.3
Machine control system
MCS
system which responds to input signals from parts of machine elements, operators, external control
equipment or any combination of these and generates output signals causing the machine to behave in
the intended manner
[SOURCE: ISO 13849-1:2015, 3.1.32]
Note 1 to entry: The extent of the system is not limited to the electronic controls, but is defined by the machine-
related function of the complete system. It therefore consists generally of electronic, non-electronic and
connection devices. This can include mechanical, hydraulic, optical or pneumatic components/systems.
3.3.1
safety control system
SCS
a sub-system or component used by a MCS to achieve functional safety by affecting machine behaviour
or mitigating a hazard
Note 1 to entry: A system which can fail in a way that creates a hazard is considered a SCS.
Note 2 to entry: For example, a SCS for propulsion may include throttle, gear shift, start/stop, etc.
3.3.2
Safety-related part of the control system
SRP/CS
part of a SCS that responds to safety-related input signals and generates safety-related output signals
[SOURCE: ISO 13849-1:2015, 3.1.1]
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related
input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and
end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
Note 3 to entry: SRP/CS is a part or component within the specific MCS.
3.4
operator
Person operating the EMM
3.5
co-worker
Person working in the vicinity of a machine
3.6
bystander
Person including non-employee, child or member of the public with little or no awareness of machine
hazards and no training
3.7
maintainer
person whose function is to perform maintenance tasks on the machine
Note 1 to entry: A maintainer is trained and familiar with the machine
3.8
controllability
ability to avoid harm to the person group at risk through the timely reactions of the operator, possibly
with the support of alternative controls
3.9
exposure
percentage of time a person group is exposed to the hazard
3.10
severity
estimate of the extent of harm to one or more individuals that can occur in a potentially hazardous
situation
[SOURCE: ISO 26262-1:2011, 3.120]
3.11
warning indicator
visual, sensory or audible indication where an action from the operator or control system is required
3.11.1
immediate action warning indicator
warning indicator requiring immediate action from the operator to mitigate hazard or system failure
3.12
indicator
means by which the state of the equipment or machinery is represented to an observer
[SOURCE: ISO 22555:2007, 3.2]
3.13
application
different industries that a machine is used in, which may have different hazards from one another
Note 1 to entry: Applications can include general construction, road construction, waste management, quarry, etc.
3.14
use case
uses of a machine within an application
Note 1 to entry: An example of this is that a dozer can have dozing, ripping, travel and maintenance use cases
within an application.
3.15
application use case
highest percentage of time a machine is used in a use case within a given application during the intended
use of the life cycle of the machine
Note 1 to entry: because the application use case represents the highest percentage of time a machine spends in a
use case, the sum of application use cases across an application can be greater than 100%.
3.16
hazard time
percentage of time within the work cycle where it is reasonably foreseeable that a hazard may exist
should the control system being assessed fail
Note 1 to entry: For example, a dozer pushing material off a high wall is only exposed to the hazard of going over
the high wall for the time where the machine is traveling towards the high wall within the stopping distance of
the machine.
3.16.1
hazard zone
any space within or around machinery in which a person can be exposed to a hazard from the SCS
under analysis
[SOURCE: ISO 12100:2010, 3.11(MOD)]
3.17
machine control system safety analysis
MCSSA
risk assessment used to determine the required MPLr for the SCS on a machine as outlined in this
document
3.18
person group
groups of people analyzed in the MCSSA
Note 1 to entry: The four person groups are operators, maintainers, bystanders and co-workers
3.19
person group exposure
highest percentage of time someone from the person group being assessed is present within the
hazard zone
Note 1 to entry: The analysis is a sum of all the persons exposed from the person group, not a single individual
within that group, i.e. not a single car driving by, but the flow of traffic.
3.20
failure type
description of the type of failure that can occur in a SCS
Note 1 to entry: Failure types to consider include failure to apply, failure to release, uncommanded apply,
uncommanded release, incorrect apply rate, incorrect release rate, incorrect direction, etc.
4 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
Functional safety is achieved by one or more SCS which rely on many technologies (e.g. mechanical,
hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy shall
consider all of the elements within a SCS, such as sensors, controlling devices and actuators.
Parts of the SCS which provide safety functions are called safety-related parts of control systems
(SRP/CS). These can consist of hardware or software and can be separate or integrated parts of a control
system; they shall be included in the MCSSA process.
The designer (and to some extent, the user) shall combine the design and validation of these SRP/CS
as part of the risk assessment. The objective is to reduce the risk associated with a given hazard (or
hazardous situation) during intended use or reasonably foreseeable misuse of the machine. This shall
be achieved by applying various protective measures (both SRP/CS and non-SRP/CS) with the end
result of achieving a safe condition.
In order to guide the designer during design, and to facilitate the assessment of the achieved
performance level, ISO 19014 defines an approach based on a classification of structures with different
design features and specific behaviour in case of a fault. The performance levels and categories can
be applied to the SCS of all kinds of mobile machines: from simple systems (e.g. auxiliary valves) to
complex systems (e.g. steer by wire), as well as to the control systems of protective equipment (e.g.
interlocking devices, pressure sensitive devices).
ISO 19014 adopts a risk-based approach for the determination of the risks, while providing a means of
specifying the target performance level for the safety-related functions to be implemented by safety-
related channels. Requirements are given for the whole safety life cycle of SRP/CS (design, validation,
production, operation, maintenance, decommissioning), necessary for achieving the required functional
safety for SRP/CS that are linked to the performance levels.
4.2 Method
The following key stages apply to determining MPLr for Safety-related Part of the Control System SRP/CS:
a) Determine the intended EMM limits in accordance with EN ISO 12100:2010. (Clause 5)
b) Complete a MCSSA using a suitable tool and identifying the hazards associated with the function or
application of the machine.
c) Determine how the hazards identified in the MCSSA process are mitigated or protected against.
(This may require additional MCS or means of ensuring the integrity of inherent control systems.)
d) Determine if the hazard mitigation / protective measure used is dependent upon a SCS and if this
is a SRP/CS. (This shall include MCS added to the machine to mitigate a hazard, control systems
that control the movement of the machine or control systems used if failure creates a hazardous
situation.)
e) If a MCS is not determined as a SCS, the MCSSA process is not required. MCS which are not
subject to the requirements of ISO 19014-1 MPL are covered by the requirements for quality
management systems (QM) (clause 6.1.7); their integrity is to be ensured by following quality
management tools and QM technical standards as defined in ISO 19014-2, and other parts of the
ISO 19014 series are not applicable.
f) If the protective measure is dependent upon a SCS, use the MCSSA to decide the MPL required for
the SCS. (Clause 6)
g) For a system to achieve a determined MPL refer to other parts in this series.
5 Determination of the limits of the machine
5.1 General
The limits of the machinery shall be documented for all the phases of the machinery life including the
characteristics and expected performances of the machine.
Limits shall include the related people, environment and product, each shall be identified in terms of
the limits of the machinery.
Determination of limits of machinery shall be done according to ISO 12100.
5.2 Identification of hazards
Once limits have been determined all hazards associated with the EMM in use shall be reviewed.
A review of immediate action warning indicators should also be undertaken to ensure the designer
understands the reactions required by the operator to mitigate a hazard when a warning has been
given. Annex B provides a normative list of indicators although this is not exhaustive.
Annex C provides an informative list of hazards although this is not exhaustive and each hazard shall
be assessed to consider conditions of use as shown in the flow chart in Annex A.
6 Performance level determination procedures
6.1 General
Using the flow chart in Annex A, this section (6) shall be applied when step 2 is applicable and a safety-
related part of the control system is required (i.e. protective device).
The architecture (e.g. redundant channels) of the SCS being reviewed shall not be considered as part of
the MCSSA.
Decisions made later in the life cycle that change the basis on which earlier decisions were made shall
initiate a new MCSSA and assessment of the systems in accordance with all parts of the ISO 19014
series.
6.1.1 Tasks in risk analysis
The operating conditions in which the EMM can initiate hazards when correctly used shall be
considered.
Where a SCS is used in multiple scenarios in which the severity, controllability or exposure can vary,
each scenario shall be considered. The highest performance level determined by the MCSSA shall be used for that SCS.

6.1.2 Participants in the risk assessment
The MCSSA should involve a cross-functional team, which can include, e.g., electronic or
electrical development, testing or validation, machine or hydraulics design, operator, service, sales and
marketing.
6.1.3 Assessment and classification of a potential harm
Harmful effects can be deduced by using both past incident history and the potential outcome of
malfunctions of the SCS being analysed. The potential severity of harm or injury shall be described as
precisely as possible for each relevant scenario in the MCSSA.
Note: Estimation of severity usually focuses on the most severe harm that can realistically occur (worst
credible) rather than the worst conceivable consequence. However, determining the severity of harm to be
considered is not always easy. The most severe can be very improbable and the most probable can be inconsequential,
so that using either could lead to an inappropriate estimation of risk.
When carrying out a MCSSA, the risk from the worst credible severity of harm shall be used. Other
severities that occur more frequently shall also be reviewed in the assessment to verify whether a
higher performance level is generated.
A certain categorization shall be used in the description of the harms. For this reason, a classification of
the severity of harm is presented in four categories: S0, S1, S2, and S3 (see Table 1).
The operator of the involved machine and other parties (e.g. people lending assistance, other operators
of machinery, bystander, co-worker etc.) shall be used in a detailed description of the harm.
An examination of risk for safety functions is focused on the origin of injuries to people. If in the analysis
of potential harm it can be established that damage is clearly limited to property and does not involve
injury to people, this would not require a system control to be classified as a safety-related function.
The introduction of an S0 harm classification and QM allows for this.
Table 1 — Examples of the descriptions of injuries
| S0 | S1 | S2 | S3 |
|---|---|---|---|
| No significant injuries, requires only first aid | Injuries, requires medical attention, total recovery, reversible injury with no loss in work capacity after recovery | Severe injury, permanent loss in work capacity. | Fatality |
6.1.4 Assessment of
...

SLOVENSKI STANDARD
oSIST prEN ISO 19014-1:2016
01-november-2016
Stroji za zemeljska dela - Varnost - 1. del: Metodologija ugotavljanja delov
krmilnega sistema, ki so povezani z varnostjo in zahtevanimi lastnostmi (ISO/DIS
19014-1:2016)
Earth-moving machinery - Safety - Part 1: Methodology to determine safety-related parts
of the control system and performance requirements (ISO/DIS 19014-1:2016)
Engins de terrassement - Sécurité - Partie 1: Méthodologie permettant de déterminer les
parties du système de commande et les exigences de performance liés à la sécurité
(ISO/DIS 19014-1:2016)
This Slovenian standard is identical to: prEN ISO 19014-1
ICS:
53.100 Earth-moving machinery
oSIST prEN ISO 19014-1:2016 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT INTERNATIONAL STANDARD
ISO/DIS 19014-1
ISO/TC 127/SC 2 Secretariat: ANSI
Voting begins on: 2016-08-26
Voting terminates on: 2016-11-17
Earth-moving machinery — Safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
Engins de terrassement — Sécurité —
Partie 1: Méthodologie permettant de déterminer les parties du système de commande et les exigences de
performance liés à la sécurité
ICS: 53.100
ISO/CEN PARALLEL PROCESSING
Reference number ISO/DIS 19014-1:2016(E)
© ISO 2016
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF
THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT
PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

COPYRIGHT PROTECTED DOCUMENT
© ISO 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Method to determine MPLr for SRP/CS of EMM
4.1 General
4.2 Method
5 Determination of the limits of the machine
5.1 General
5.2 Identification of hazards
5.3 Risk estimation
6 Performance level determination procedures
6.1 Requirements
6.1.1 General
6.1.2 Tasks in risk analysis
6.1.3 Participants in the risk assessment
6.1.4 Assessment and classification of a potential harm
6.1.5 Assessment of exposure in the situation observed
6.1.6 Assessment of a possibility to avoid harm
6.1.7 Selecting the required MPL
7 Information for use
7.1 Information for operators/owner’s manual
7.2 Information for service/maintenance manuals
Annex A (informative) Process Flow Chart
Annex B (normative) Table of warning/operation indicators
Annex C (informative) List of hazards from 12100 (EMM Specific)
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 127.
ISO 19014 consists of the following parts, under the general title Earth-moving machinery — Safety:
— Part 1: Methodology to determine safety-related parts of the control system and performance
requirements
— Part 2: Design and evaluation of safety-related electrical and electronic machine control systems
— Part 3: Environmental performance and test requirements of electronic and electrical components used
in safety-related parts of the control system
— Part 4: Design and evaluation of software and data transmission for safety related parts of the
control system
The ISO 19014 series replaces ISO 15998.

Introduction
This International Standard addresses systems comprising all energy types used for functional
safety in earth-moving machinery.
The structure of safety standards in the field of machinery is as follows.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that
can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types
of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive
devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular
machine or group of machines.
This part of ISO 19014 is a type B-1 standard as stated in ISO 12100.

DRAFT INTERNATIONAL STANDARD ISO/DIS 19014-1:2016(E)
Earth-moving machinery — Safety —
Part 1:
Methodology to determine safety-related parts of the
control system and performance requirements
1 Scope
This part of ISO 19014 provides guidance and a methodology for determination of performance levels
required for earth moving machinery (EMM), as described in ISO 6165 after a hazard is identified by
risk assessment and a control is determined as a safety related part of the control system (SRP/CS).
Hazard identification is determined by risk assessment using the method described in ISO 12100 or by
other means and is not covered by this document.
Where a control is determined as safety related, a Machine Performance Level (MPL) is determined by
the method described.
NOTE 1 The term MPL is used to describe the level of performance required from a safety related part of a
control system. The ‘M’ refers to machine and is applicable to all Earth Moving Machinery covered by the scope of
this document.
For those controls determined as safety related, the characteristics for architecture, hardware,
software environmental requirements and performance are covered by other parts in this series.
A safety related control system that addresses hazards as identified by a machine or system risk
assessment includes but is not limited to systems that control machine movement (for example,
powered motion, braking, steering, attachments and working tool control systems).
Control systems that protect against rapid thermal events, electrical shock, requirements for explosive
atmospheres, etc. are also included.
The principles of this standard can also be applied to immediate action warning indicators intended to
warn the operator of a possible hazard and requiring immediate action from the operator to correct
and prevent such a hazard.
Other safety related devices whose failure the operator would be aware of are excluded from this standard
(e.g. windscreen wipers, head lights etc.).
NOTE 2 Audible warnings are excluded from the requirements of diagnostic coverage.
This standard supersedes ISO 15998:2008.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 3411, Earth-moving machinery — Physical dimensions of operators and minimum operator space
envelope
ISO 6165, Earth-moving machinery — Basic types — Identification and terms and definitions
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
ISO 14121-1:2007, Safety of machinery — Principles of risk assessment
ISO 19014-2, Earth-moving machinery — Safety — Control system performance level architecture and
requirements
ISO 19014-3, Earth-moving machinery — Safety — Control system performance level environmental
requirements
ISO 19014-4, Earth-moving machinery — Safety — Design and evaluation of software and data
transmission for safety related parts of the control system
ISO 20474-1, Earth Moving Machinery — Safety — General Requirements
3 Terms and definitions
For the purposes of this document, the following terms and definitions in ISO 6165, ISO 13849-1,
ISO 12100 and ISO 20474-1 apply, in addition to the definitions listed below.
3.1
Machine Performance Level (MPL)
discrete level to specify the ability of safety-related parts of control systems to perform a safety
function under reasonably foreseeable conditions
3.2
functional safety
part of the overall safety that depends on a system or equipment operating correctly in response to
its inputs
3.3.1
machine-control system (MCS)
system consisting of the components needed to fulfil the function of the system, including sensors,
signal processing unit, monitor, controls and actuators or several of these
Note 1 to entry: The extent of the system is not limited to the electronic controls, but is defined by the machine-
related function of the complete system. It therefore consists generally of electronic, non-electronic and
connection devices. This can include mechanical, hydraulic, optical or pneumatic components/systems.
3.3.2
safety related part of the control system (SRP/CS)
part of a control system that responds to safety-related input signals and generates safety-related
output signals
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related
input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and
end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
3.4
operator
person operating an EMM with a high level of skills, training and awareness
3.5
co-worker
person working in the vicinity of a machine assumed to have a medium level of training (site induction)
and awareness
3.6
bystander
person including non-employee, child or member of the public with little or no awareness of machine
hazards and no training
3.7
maintainer
person whose function is to perform maintenance tasks on the machine being analysed. These
personnel are normally trained, and are familiar with the machine
3.8
controllability
involved individual’s possibility of avoiding harm in the situation that is putting him/her at risk
3.9
exposure
duration of time and frequency in which an individual is in a situation in which the potential hazard exists
3.10
severity
degree of harm to an endangered individual
3.11
warning indicator
visual or audible indications where an action from the operator or control system is required
Note 1 to entry: The action required can be immediate for urgent warnings such as tip over
indicators, or advisory such as low oil. The action required is generally determined by the colour of the indicator or the urgency
of the alarm.
3.11.1
immediate action warning indicator
warning indicator requiring immediate action from the operator to mitigate a hazard or system failure
Note 1 to entry: Annex C provides a list of warning indicators and guidance on those considered
to require immediate action.
3.12
operation indicator
visual indicator used to show mode of operation
3.13
application profile
breakdown of time a machine is used for a given application in a work cycle (expressed in %)
EXAMPLE Machine application profile = 100 %:
20 % road use,
40 % bucket/jobsite application,
30 % back hoe use,
10 % idle.
4 Method to determine MPLr for SRP/CS of EMM
4.1 General
In most situations, safety is achieved by a number of protective systems which rely on many technologies
(e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety
strategy therefore considers not only all the elements within an individual system, such as sensors,
controlling devices and actuators, but also all the safety-related parts of the control systems.
The ISO 19014 series sets out an approach to the design and assessment, for all safety life cycle activities,
of safety-relevant control systems of all energy types on earth moving machines as defined in ISO 6165.
It covers the possible hazards caused by the functional behaviour of safety-related systems, as distinct
from hazards arising from the equipment itself (electric shock, fire, nominal performance level of
components dedicated to active and passive safety, etc.).
Parts of the control systems of the machines concerned which provide safety functions are called
safety-related parts of control systems (SRP/CS). These can consist of hardware or software, can be
separate or integrated parts of a control system, and can either perform solely critical functions or
form part of an operational function.
In general, the designer (and to some extent, the user) may combine the design and validation of these
SRP/CS as part of the risk assessment. The objective is to reduce the risk associated with a given hazard
(or hazardous situation) under all conditions of use of the machine. This can be achieved by applying
various protective measures (both SRP/CS and non-SRP/CS) with the end result of achieving a safe
condition.
In order to guide the designer during design, and to facilitate the assessment of the achieved
performance level, ISO 19014 defines an approach based on a classification of structures with different
design features and specific behaviour in case of a fault.
The performance levels and categories can be applied to the control systems of all kinds of mobile
machines: from simple systems (e.g. auxiliary valves) to complex systems (e.g. steer by wire), as well as
to the control systems of protective equipment (e.g. interlocking devices, pressure sensitive devices).
ISO 19014 adopts a customer risk-based approach for the determination of the risks, while providing
a means of specifying the target performance level for the safety-related functions to be implemented
by safety-related channels. It gives requirements for the whole safety life cycle of SRP/CS (design,
validation, production, operation, maintenance, decommissioning), necessary for achieving the
required functional safety for SRP/CS that are linked to the performance levels.
4.2 Method
The following key stages apply to determining MPLr for the safety related part of the control system (SRP/CS):
a) Determine the intended EMM limits as per EN ISO 12100:2010. (Clause 5)
b) Complete a risk assessment using a suitable tool and identifying the hazards associated with the
function or application of the machine.
c) Determine how the hazards identified in the risk assessment process are mitigated or protected
against. (This may require additional control systems or means of ensuring the integrity of inherent
control systems.)
d) Determine if the hazard mitigation/protective measure used is dependent upon a control system
and if this is a SRP/CS. (This shall include control systems added to the machine to mitigate
a hazard, control systems that control the movement of the machine or control systems used if
failure creates a hazardous situation.)
e) If a control system is not determined as a SRP/CS the process stops and MPL determination is not
required. The control systems which are not subject to the requirements of ISO 19014-1 MPL are
covered by the requirements for quality management systems (QM) (clause 6.1.7) and the integrity
is to be ensured by following quality management tools, relevant technical requirements and
standards as applicable.
f) If the protective measure is dependent upon a SRP/CS, use the performance level determination
calculation to decide the MPL(s) required for the SRP/CS to perform the safety function. (Clause 6)
g) For a system to achieve a determined MPL refer to other parts in this series.
5 Determination of the limits of the machine
5.1 General
The limits of the machinery shall be documented for all the phases of the machinery life including the
characteristics and expected performances of the machine.
Limits shall include the related people, environment and product; each shall be identified in terms of
the limits of the machinery.
Further guidance related to limits of machine use can be found in ISO 12100:2010.
A risk assessment shall take account of information defining the overall scope of the application of
the EMM.
5.2 Identification of hazards
Once limits have been determined, all hazards associated with the EMM in use shall be reviewed.
A review of immediate action warning indicators should also be undertaken to ensure the designer
understands the reactions required by the operator to mitigate a hazard when a warning has been
given. Annex C provides a normative list of indicators although this is not exhaustive.
Annex D provides an informative list of hazards although this is not exhaustive and each hazard shall
be assessed to consider conditions of use as shown in the flow chart in Annex B.
5.3 Risk estimation
The risk estimation is used to define the likely severity of harm (S) and probability of its occurrence (E).
Where no risk of injury exists, the process stops, the risk assessment shall form part of the technical
documentation and the requirements for a QM as defined in ISO 19014-2 are followed as shown in
Annex B.
Where there is a risk of injury that cannot be designed out and the user of this document moves to
step 2 in Annex B, section 6 shall be used to determine the required performance level of the safety
related part of the control system.
6 Performance level determination procedures
6.1 Requirements
6.1.1 General
Using the flow chart in Annex B, this clause shall be applied when step 2 is applicable and a safety
related part of the control system is required (i.e. protective device).
Decisions made later in the life cycle that change the basis on which earlier decisions were made shall
initiate a new risk assessment.
The architecture of the SRP/CS shall not be considered as part of the risk assessment.
NOTE The integrity of control systems which do not require a MPLr is to be ensured by following sound
engineering practice, relevant technical requirements, quality management systems (QM) and standards as
applicable.
6.1.2 Tasks in risk analysis
The operating conditions in which the EMM can initiate hazards when correctly used (including
reasonable foreseeable human operating errors and part failures) shall be considered.
For systems risk assessed and used in different applications or scenarios where the severity,
controllability or exposure may vary, each application shall be assessed individually and the highest
performance level for a given application obtained from the risk graph shall be used in that system.
6.1.3 Participants in the risk assessment
The risk assessment shall involve several individuals from different departments, e.g. electronic or
electrical development, testing or validation, machine or hydraulics design, service, sales and marketing.
An informative example of a risk assessment methodology is given in Annex A.
6.1.4 Assessment and classification of a potential harm
Potentially harmful effects can be deduced by considering possible malfunctions and systematic
failures in relevant operating conditions. The potential severity of harm is described as precisely as
possible for each relevant scenario.
NOTE Estimation of severity usually focuses on the most severe harm that can realistically occur (worst
credible) rather than the worst conceivable consequence (ref. ISO/TR 14121-2:2012, clause 6.2.2.3). However,
determining the severity of harm to be considered is not always easy. The most severe can be very improbable and the most
probable can be inconsequential, so that using either could lead to an inappropriate estimation of risk.
When carrying out a risk assessment, the risk from the worst credible severity of harm shall be used.
Other severities that occur more frequently shall also be reviewed in the assessment to verify whether
a higher performance level is generated.
A certain categorization shall be used in the description of the harms. For this reason, a classification of
the severity of harm is presented in four categories: S0, S1, S2, and S3 (see Table 1).
The operator of the involved machine and other parties (e.g. people lending assistance, other operators
of machinery, bystander, co-worker etc.) shall be used in a detailed description of the harm.
An examination of risk for safety functions is focused on the origin of injuries to people. If in the analysis
of potential harm it can be established that damage is clearly limited to property and does not involve
injury to people, this would not require a system control to be classified as a safety-related function.
The introduction of an S0 harm classification and QM allows for this.
Table 1 — Examples of the descriptions of injuries
S0: No significant injuries, requires only first aid
S1: Injuries, requires medical attention, total recovery, reversible injury with no loss in work capacity after recovery
S2: Severe and life-threatening, permanent partial loss in work capacity considered irreversible
S3: Fatality
6.1.5 Assessment of exposure in the situation observed
A risk analysis reflects the effects of possible failures in specific working and operating conditions.
These situations range from daily routine activities to extreme, rare situations.
The variable "E" shall be used to categorize the different frequencies or duration of exposure.
Three categories, designated E0, E1, and E2, are used (see Table 2), where "E" serves as an estimation of
h
...
