Earth-moving machinery - Functional safety - Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system (ISO 19014-2:2022)

This part of EN ISO 19014 specifies general principles for the development and testing of safety-related parts of machine-control systems (MCS) in earth-moving machinery and its equipment, as defined in EN ISO 6165.

Erdbaumaschinen - Funktionale Sicherheit - Teil 2: Entwurf und Bewertung von Hardware- und Architekturanforderungen für sicherheitsrelevante Teile des Steuerungssystems (ISO 19014-2:2022)

Engins de terrassement - Sécurité fonctionnelle - Partie 2: Conception et évaluation des exigences de matériel et d’architecture pour les parties relatives à la sécurité du système de commande (ISO 19014-2:2022)

This document specifies general principles for the development and evaluation of the machine performance level achieved (MPLa) of safety control systems (SCS) using components powered by all energy sources (e.g. electronic, electrical, hydraulic, mechanical) used in earth-moving machinery and its equipment, as defined in ISO 6165.

The principles of this document apply to machine control systems (MCS) that control machine motion or mitigate a hazard; such systems are assessed to verify that the machine performance level required (MPLr) requirements conform to ISO 19014-1 or ISO/TS 19014-5.

The following systems are excluded from the scope of this document:
— awareness systems that have no impact on machine motion (e.g. cameras and radar detectors);
— fire suppression systems, unless the activation of the system interferes with or activates another SCS.

Other systems or components whose failures would be noticed by the operator (e.g. windscreen wipers, headlights, cab lighting, etc.) or which are primarily used to protect property are excluded from this document. Audible warnings are excluded from the diagnostic coverage requirements.

In addition, this document addresses the significant hazards as defined in ISO 12100 mitigated by the hardware components within the SCS.

This document is not applicable to earth-moving machinery manufactured before the date of its publication.

Stroji za zemeljska dela - Funkcijska varnost - 2. del: Oblikovanje in vrednotenje strojnih in arhitekturnih zahtev za varnostne dele krmilnega sistema (ISO 19014-2:2022)

General Information

Status: Published
Public Enquiry End Date: 30-Nov-2019
Publication Date: 19-Jul-2022
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 13-Jul-2022
Due Date: 17-Sep-2022
Completion Date: 20-Jul-2022

Buy Standard

Standard: SIST EN ISO 19014-2:2022, English language, 51 pages
Draft: oSIST prEN ISO 19014-2:2019, English language, 41 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST EN ISO 19014-2:2022
01-September-2022

Stroji za zemeljska dela - Funkcijska varnost - 2. del: Oblikovanje in vrednotenje strojnih in arhitekturnih zahtev za varnostne dele krmilnega sistema (ISO 19014-2:2022)

Earth-moving machinery - Functional safety - Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system (ISO 19014-2:2022)

Erdbaumaschinen - Funktionale Sicherheit - Teil 2: Entwurf und Bewertung von Hardware- und Architekturanforderungen für sicherheitsrelevante Teile des Steuerungssystems (ISO 19014-2:2022)

Engins de terrassement - Sécurité fonctionnelle - Partie 2: Conception et évaluation des exigences de matériel et d’architecture pour les parties relatives à la sécurité du système de commande (ISO 19014-2:2022)

This Slovenian standard is identical to: EN ISO 19014-2:2022
ICS: 53.100 Earth-moving machinery
SIST EN ISO 19014-2:2022 en,fr,de

2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of this standard in whole or in part is not permitted.

EN ISO 19014-2
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2022
ICS 53.100
English Version

Earth-moving machinery - Functional safety - Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system (ISO 19014-2:2022)

Engins de terrassement - Sécurité fonctionnelle - Partie 2: Conception et évaluation des exigences de matériel et d'architecture pour les parties relatives à la sécurité du système de commande (ISO 19014-2:2022)

Erdbaumaschinen - Funktionale Sicherheit - Teil 2: Entwurf und Bewertung von Hardware- und Architekturanforderungen für sicherheitsrelevante Teile des Steuerungssystems (ISO 19014-2:2022)

This European Standard was approved by CEN on 25 May 2022.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2022 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 19014-2:2022 E
Contents

European foreword ....... 3

European foreword

This document (EN ISO 19014-2:2022) has been prepared by Technical Committee ISO/TC 127 "Earth-moving machinery" in collaboration with Technical Committee CEN/TC 151 “Construction equipment and building material machines - Safety”, the secretariat of which is held by DIN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by December 2022, and conflicting national standards shall be withdrawn at the latest by December 2022.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a Standardization Request given to CEN by the European Commission and the European Free Trade Association.

Any feedback and questions on this document should be directed to the users’ national standards body/national committee. A complete listing of these bodies can be found on the CEN website.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 19014-2:2022 has been approved by CEN as EN ISO 19014-2:2022 without any modification.
INTERNATIONAL STANDARD ISO 19014-2
First edition
2022-06

Earth-moving machinery — Functional safety — Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system

Engins de terrassement — Sécurité fonctionnelle — Partie 2: Conception et évaluation des exigences de matériel et d’architecture pour les parties relatives à la sécurité du système de commande

Reference number: ISO 19014-2:2022(E)
© ISO 2022
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO 2022 – All rights reserved
Contents

Foreword ....... iv
Introduction ....... v
1 Scope ....... 1
2 Normative references ....... 1
3 Terms and definitions ....... 2
4 Symbols and abbreviated terms ....... 2
5 General requirements ....... 3
5.1 Application ....... 3
5.2 Existing SCS ....... 4
6 System design ....... 4
6.1 Overview ....... 4
6.2 General requirements ....... 4
6.3 Hardware design ....... 5
7 System safety performance evaluation ....... 6
7.1 Machine performance level achieved (MPLa) ....... 6
7.2 Hardware safety evaluation ....... 6
7.2.1 General ....... 6
7.2.2 Fault consideration ....... 6
7.2.3 Fault exclusion ....... 7
7.2.4 Mean time to dangerous failure (MTTFd) ....... 7
7.3 Diagnostic coverage (DC) ....... 7
7.3.1 DC of ESCS ....... 7
7.3.2 DC of N/ESCS ....... 7
7.4 System-level fault reduction measures of hydraulic systems based on hydraulic system robustness (HSR) ....... 8
7.4.1 General ....... 8
7.4.2 HSR score calculation ....... 8
7.5 Category classifications ....... 9
7.5.1 General ....... 9
7.5.2 Category B/Category 1 ....... 12
7.5.3 Category 2 ....... 14
7.5.4 Conflicting safety functions ....... 15
7.5.5 Considerations for the SRP/CS of fail-operational systems ....... 16
7.6 Combination of SCS to achieve an overall MPL ....... 16
8 Information for use and maintenance ....... 18
8.1 General ....... 18
8.2 Operator’s manual ....... 18
Annex A (informative) Example systems and evaluations ....... 19
Annex B (informative) Examples of evaluations using HSR scoring ....... 33
Annex C (normative) Compatibility with other functional safety standards ....... 37
Annex D (informative) Safety function evaluation ....... 38
Annex E (normative) Exceptions, exclusions, additions to ISO 13849-1 and ISO 13849-2 ....... 40
Bibliography ....... 43
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 127, Earth-moving machinery, Subcommittee SC 2, Safety, ergonomics and general requirements, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 151, Construction equipment and building material machines - Safety, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).

This first edition, together with ISO 19014-1, ISO 19014-3, ISO 19014-4 and ISO 19014-5, cancels and replaces the first editions (ISO 15998:2008 and ISO/TS 15998-2:2012), which have been technically revised.

The main changes are as follows:
— elimination of alternative procedures ECE R79, Annex 6, and IEC 62061;
— application of ISO 13849-1 to mobile earth-moving machinery, including analysis of non-electronic control systems used in earth-moving machine applications.

A list of all parts in the ISO 19014 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document addresses systems comprising all technologies used for functional safety in earth-moving machinery.

The structure of safety standards in the field of machinery is as follows:
— Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.
— Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types of safeguards that can be used across a wide range of machinery:
  — type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
  — type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).
— Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.

This document is a type-C standard as stated in ISO 12100.

This document is of relevance, in particular, for the following stakeholder groups representing the market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organisations, market surveillance etc.).

Others can be affected by the level of machinery safety achieved with the means of the document by the above-mentioned stakeholder groups:
— machine users/employers (small, medium and large enterprises);
— machine users/employees (e.g. trade unions, organizations for people with special needs);
— service providers, e.g. for maintenance (small, medium and large enterprises);
— consumers (in case of machinery intended for use by consumers).

The above-mentioned stakeholder groups have been given the possibility to participate in the drafting process of this document.

The machinery concerned and the extent to which hazards, hazardous situations or hazardous events are covered are indicated in the Scope of this document.

When requirements of this type-C standard are different from those which are stated in type-A or type-B standards, the requirements of this type-C standard take precedence over the requirements of the other standards for machines that have been designed and built according to the requirements of this type-C standard.

This document is the adaptation of ISO 13849 to provide a type-C standard to address the specific application of functional safety to earth-moving machinery.

This document is to be used in conjunction with the ISO 13849 series when applied to earth-moving machinery (EMM) and supersedes ISO 15998.

This document complements the safety life cycle activities of safety control systems per ISO 13849-1:2015 and ISO 13849-2:2012 on earth-moving machinery as defined in ISO 6165.
INTERNATIONAL STANDARD ISO 19014-2:2022(E)
Earth-moving machinery — Functional safety —
Part 2:
Design and evaluation of hardware and architecture
requirements for safety-related parts of the control system
1 Scope

This document specifies general principles for the development and evaluation of the machine performance level achieved (MPLa) of safety-control systems (SCS) using components powered by all energy sources (e.g. electronic, electrical, hydraulic, mechanical) used in earth-moving machinery and its equipment, as defined in ISO 6165.

The principles of this document apply to machine control systems (MCS) that control machine motion or mitigate a hazard; such systems are assessed for machine performance level required (MPLr) per ISO 19014-1 or ISO/TS 19014-5.

Excluded from the scope of this document are the following systems:
— awareness systems that do not impact machine motion (e.g. cameras and radar detectors);
— fire suppression systems, unless the activation of the system interferes with, or activates, another SCS.

Other systems or components whereby the operator would be aware of failure (e.g. windscreen wipers, headlights, etc.), or which are primarily used to protect property, are excluded from this document. Audible warnings are excluded from the requirements of diagnostic coverage.

In addition, this document addresses the significant hazards as defined in ISO 12100 mitigated by the hardware components within the SCS.

This document is not applicable to EMM manufactured before the date of its publication.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 12100, Safety of machinery — General principles for design — Risk assessment and risk reduction

ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation

ISO 19014-1, Earth-moving machinery — Functional safety — Part 1: Methodology to determine safety-related parts of the control system and performance requirements

ISO 19014-3, Earth-moving machinery — Functional safety — Part 3: Environmental performance and test requirements of electronic and electrical components used in safety-related parts of the control system

ISO 19014-4:2020, Earth-moving machinery — Functional safety — Part 4: Design and evaluation of software and data transmission for safety-related parts of the control system

ISO/TS 19014-5, Earth-moving machinery — Functional safety — Part 5: Table of Machine Performance Levels
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 12100, ISO 13849-1, ISO 19014-1 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
ESCS
electronic safety control system
safety control system made of electronic components from input device to output device

3.2
function
defined behaviour of one or more MCS
Note 1 to entry: A control unit (e.g. electronic control unit) can execute more than one function. When multiple safety functions are contained in a control unit, each safety function and the associated circuit are analysed separately.

3.3
N/ESCS
non-electronic safety control system
safety control system made of non-electronic components from input device to output device

3.4
safe state
condition in which, after a fault of the safety control system, the controlled equipment, process or system is automatically or manually stopped or switched into a mode that prevents unintended behaviour or the potentially hazardous release of stored energy
Note 1 to entry: A safe state can also include maintaining the function (3.2) of the safety control system (e.g. steering) in the presence of a single fault depending on the hazard being mitigated.
[SOURCE: ISO 3450:2011, 3.15, modified – "malfunction" has been replaced by "fault"; "performance" has been replaced by "behaviour"; Note 1 to entry has been added.]

3.5
well-tried component
component for a safety-related application that has been widely used in the past with successful results in the same or similar applications and which has been made and verified using principles which demonstrate its suitability and reliability for safety-related applications

4 Symbols and abbreviated terms

For the purposes of this document, the following symbols and abbreviated terms apply.

a, b, c, d, e graduation of machine performance levels
ASIC application specific integrated circuit
B, 1, 2, 3, 4 denotation of categories
CCF common cause failure
DC diagnostic coverage
DCavg average diagnostic coverage
ECU electronic control unit
EMM earth-moving machinery
ESCS electronic safety control system
FMEA failure modes and effects analysis
FMEDA failure modes, effects and diagnostics analysis
FPGA field programmable gate array
HFT hardware fault tolerance
HSR hydraulic system robustness
MCS machine control system
MPL machine performance level
MPLa machine performance level achieved
MPLr machine performance level required
MTTF mean time to failure
MTTFd mean time to dangerous failure
N/ESCS non-electronic safety control system
OTE output of test equipment
SCS safety control system
SRP/CS safety-related part of the control system
TE test equipment
5 General requirements
5.1 Application

The ISO 19014 series shall be used in conjunction with the ISO 13849 series when applied to earth

moving machinery (EMM) and supersedes ISO 15998. Where specific requirements are given in this

document, they take precedence over the requirements in the ISO 13849 series; however, where no

specific requirements are given in this document, the ISO 13849 series shall apply, using PL instead of

MPL (e.g. MPL = b is analogous to PL = b). For a summary of applicable clauses in the ISO 13849 series or

this document, see Tables E.1 and E.2 in Annex E.

The principles of this document shall be applied to MCS that are deemed SCS in ISO 19014-1 or

ISO/TS 19014-5. Other machine control systems that interfere with or mute a safety function of

the safety control system shall be assigned the same machine performance level as the system it is

interfering with or muting.
© ISO 2022 – All rights reserved
---------------------- Page: 15 ----------------------
SIST EN ISO 19014-2:2022
ISO 19014-2:2022(E)

Machinery shall comply with the safety requirements and/or protective/risk reduction measures of this clause. In addition, the machine shall be designed according to the principles of ISO 12100:2010 for relevant but not significant hazards which are not dealt with by this document. Safety-related software within any components within the SCS shall meet the requirements of ISO 19014-4:2020.

5.2 Existing SCS

Where an existing SCS has been developed to a previous standard and demonstrated through application usage and validation to reduce the likelihood of a hazard to as low as reasonably practicable, there shall be no requirement to update the lifecycle documentation. When the previously utilized SCS is modified, an impact analysis (see ISO 19014-4:2020, 3.28) of the modifications shall be performed and an action plan developed and implemented to ensure that the safety requirements are met.
6 System design
6.1 Overview

Many safety functions on mobile machines do not have run/stop outputs like non-mobile machine safety functions normally do and are not always added to a machine purely to mitigate a hazard. For example, steering, service brakes, swing, and equipment controls can have modulated or variable outputs within a certain range. While these types of systems can fit into the ISO 13849 architectures, designers need to consider how the characteristics of the safety functions can differ on a mobile machine (e.g. does the system need closed loop control rathe
...

SLOVENIAN STANDARD
oSIST prEN ISO 19014-2:2019
01-November-2019

Earth-moving machinery - Functional safety - Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system (ISO/DIS 19014-2:2019)

Erdbaumaschinen - Funktionale Sicherheit - Teil 2: Entwurf und Bewertung von Hardware- und Architekturanforderungen für sicherheitsrelevante Teile des Steuerungssystems (ISO/DIS 19014-2:2019)

Engins de terrassement - Sécurité fonctionnelle - Partie 2: Conception et évaluation des exigences de matériel et d’architecture pour les parties relatives à la sécurité du système de commande (ISO/DIS 19014-2:2019)

This Slovenian standard is identical to: prEN ISO 19014-2
ICS:
53.100 Earth-moving machinery
oSIST prEN ISO 19014-2:2019 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

DRAFT INTERNATIONAL STANDARD
ISO/DIS 19014-2
ISO/TC 127/SC 2 Secretariat: ANSI
Voting begins on: 2019-09-19
Voting terminates on: 2019-12-12

Earth-moving machinery — Functional safety —
Part 2:
Design and evaluation of hardware and architecture requirements for safety-related parts of the control system

ICS: 53.100

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING

Reference number
ISO/DIS 19014-2:2019(E)
ISO 2019
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols and Abbreviated Terms
5 General Requirements
5.1 Existing SCS
6 System Design
6.1 General
6.1.1 Interaction between different SRP/CS
6.1.2 Differences between safety functions of mobile and stationary machines
6.1.3 Assessment process
6.2 Hardware design
7 System safety performance evaluation
7.1 Machine Performance Level achieved (MPLa)
7.2 Hardware safety evaluation
7.2.1 General
7.2.2 Fault consideration
7.2.3 Fault exclusion
7.2.4 Mean Time to Dangerous Failure (MTTFd)
7.3 Diagnostic coverage (DC)
7.3.1 DC of ESCS
7.3.2 DC of N/ESCS
7.4 System-Level Fault Exclusion of Hydraulic Systems Based On Hydraulic System Robustness (HSR)
7.5 Category classifications
7.5.1 General
7.5.2 Category 1
7.5.3 Category 2
7.5.4 Guidance on conflicting safety functions
7.5.5 Considerations for the SRP/CS of fail-operable systems
7.6 Combination of SCS to achieve an overall MPL
8 Information for Use and Maintenance
Annex A (informative) Example Systems and Evaluations
Annex B (normative) Example of Evaluations Using HSR Scoring
Annex C (normative) Compatibility with other functional safety standards
Annex D (informative) Safety Function Evaluation
Annex E (informative) Exceptions, Exclusions, Additions to ISO 13849-1 and ISO 13849-2
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 127.

The ISO 19014 series replaces ISO 15998.
Introduction

This document addresses systems comprising all energy types used for functional safety in earth-moving machinery.

The structure of safety standards in the field of machinery is as follows:

Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.

Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types of safeguards that can be used across a wide range of machinery:

— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);

— type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive devices, guards).

Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.

This part of ISO 19014 is a type-C standard as stated in ISO 12100.

ISO 19014-2 is the adaptation of ISO 13849 to provide a type-C standard to address the specific application of functional safety to earth-moving machinery.

ISO 19014-2 complements the safety life cycle activities of safety control systems per ISO 13849-1:2015 and ISO 13849-2:2012 on earth-moving machinery as defined in ISO 6165.
Earth-moving machinery — Functional safety —
Part 2:
Design and evaluation of hardware and architecture
requirements for safety-related parts of the control system
1 Scope

This part of ISO 19014 specifies general principles for the development and evaluation of the achieved machine performance level (MPLa) of safety-control systems (SCS) using components powered by all energy sources used in earth-moving machinery and its equipment, as defined in ISO 6165. This document is used in conjunction with the other parts in the series.

ISO 19014 is to be used in conjunction with ISO 13849 when applied to Earth Moving Machinery (EMM) and supersedes ISO 15998. Where specific requirements are given in ISO 19014, they take precedence over the requirements in ISO 13849.

The principles of this standard apply to control systems that control machine motion or mitigate a hazard. Such systems are assessed for performance level requirements per ISO 19014-1 or ISO/TS 19014-5.

Excluded from the scope of ISO 19014 are the following systems:

— Awareness systems that do not impact machine motion (e.g., cameras and radar detectors)

— Fire suppression systems, unless the activation of the system interferes with, or activates, another SCS.

Other systems or components whereby the operator would be aware of failure (e.g., windscreen wipers, head lights, etc.), or are primarily used to protect property, are excluded from this document. Audible warnings are excluded from the requirements of diagnostic coverage. Refer to Clause 7.4.3.

2 Normative References

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 6165, Earth-moving machinery — Basic types — Identification and terms and definitions

ISO 12100, Safety of machinery — General principles for design — Risk assessment and risk reduction

ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation

ISO 19014-1, Earth-moving machinery — Functional safety — Part 1: Methodology to determine safety-related parts of the control system and performance requirements

ISO 19014-3, Earth-moving machinery — Functional safety — Part 3: Environmental performance and test requirements of electronic and electrical components used in safety-related parts of the control system

ISO 19014-4, Earth-moving machinery — Functional safety — Part 4: Design and evaluation of software and data transmission for safety-related parts of the control system

ISO/TS 19014-5, Earth-moving machinery — Functional safety — Part 5: Table of Machine Performance Levels

IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

3 Terms and Definitions

For the purposes of this document, the terms and definitions given in ISO 19014-1, ISO 12100, ISO 13849-1:2015 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp

electronic safety control system
ESCS
machine control system made of electronic components from input device to output device

function
defined behavior of one or more control units
Note 1 to entry: A control unit (electronic control unit) can execute more than one function. When multiple safety functions are contained in a control unit, each safety function and the associated circuit is analyzed separately.

non-electronic safety control system
N/ESCS
machine control system made of non-electronic components from input device to output device

safe state
condition in which, after a fault of the safety control system, the controlled equipment, process or system is automatically or manually stopped or switched into a mode that prevents unintended behavior or the potentially hazardous release of stored energy
Note 1 to entry: A safe state can also include maintaining the function of the safety control system (e.g. steering) in the presence of a single fault, depending on the hazard being mitigated.
[SOURCE: ISO 3450:2011, 3.15, modified: Note 1 to entry has been added.]

well-tried components
component for a safety-related application which has been widely used in the past with successful results in similar or equal applications and which has been made and verified using principles which demonstrate its suitability and reliability for safety-related applications
4 Symbols and Abbreviated Terms

For the purposes of this document, the following symbols and abbreviated terms apply.

a, b, c, d, e Graduation of machine performance levels
ASIC Application Specific Integrated Circuit
B, 1, 2, 3, 4 Denotation of categories
CCF Common Cause Failure
DC Diagnostic Coverage
DCavg Average Diagnostic Coverage
ECM Electronic Control Module
EMM Earth Moving Machine
ESCS Electronic Safety Control System
FMEA Failure Modes and Effects Analysis
FMEDA Failure Modes, Effects and Diagnostics Analysis
FPGA Field Programmable Gate Array
HFT Hardware Fault Tolerance
ILO Input Logic Output
MCS Machine Control System
MPL Machine Performance Level
MPLa Achieved Machine Performance Level
MPLr Required Machine Performance Level
MTTF Mean Time To Failure
MTTFd Mean Time to Dangerous Failure
N/ESCS Non-Electronic Safety Control System
OTE Output of Test Equipment
QM Quality Management
RC Reliability Coverage
SCS Safety Control System
SRP/CS Safety-Related Parts of Control System
TE Test Equipment
5 General Requirements

The ISO 19014 series shall be used in conjunction with ISO 13849 when applied to Earth Moving Machinery (EMM) and supersedes ISO 15998. Where specific requirements are given in ISO 19014, they take precedence over the requirements in ISO 13849.

The principles of this standard shall be applied to control systems that control machine motion or mitigate a hazard. Such systems shall be assessed for performance level requirements per ISO 19014-1 series or ISO/TS 19014-5. Other machine control systems that interfere with or mute a safety function of the safety control system shall be assigned the same performance level as the system it is interfering with or muting.

5.1 Existing SCS

Where an existing SCS has been developed to a previous standard and demonstrated through application usage and validation to reduce the likelihood of a hazard to as low as reasonably practicable, there shall be no requirement to update the lifecycle documentation. When the previously utilized SCS is modified, an impact assessment of the modifications shall be performed and an action plan developed and implemented to ensure that the safety requirements are met.
6 System Design

6.1 General

A safety function which relies on a control system to provide necessary hazard mitigation for the machine can be implemented by an SCS within the scope of ISO 19014-2. An SCS can contain one or more SRP/CS, and several SCS can share one or more SRP/CS (e.g. a logic unit, power control elements) as illustrated in Figure 1. It is also possible that one SRP/CS implements both safety functions and standard control functions.

NOTE For immediate action warning indicators refer to ISO 19014-1, Annex B.

Figure 1 — Composition of safety-related MCS

Having identified the safety functions of the control system, the designer shall determine and document the requirements of each SCS which performs a safety function. During the safety lifecycle, safety requirements are refined and specified in greater detail at each hierarchical level. All safety requirements shall be written such that they are unambiguous, consistent with other requirements, and feasible to implement.

6.1.1 Interaction between different SRP/CS

When machine functions are designed to be used in a synchronized manner (e.g., task automation), the control system shall be designed to mitigate hazards due to lack of synchronization.

NOTE An EMM example of this synchronization is an excavator boom, arm, and bucket being controlled simultaneously by a grade control system.

6.1.2 Differences between safety functions of mobile and stationary machines

Many safety functions on mobile machines do not have run/stop outputs like stationary machine safety functions normally do, and are not always added to a machine purely to mitigate a hazard. Steering, service brakes, swing and equipment controls may have modulated or variable outputs within a certain range. While these types of systems can fit into the ISO 13849 architectures, designers need to consider how the safety concepts and safety functions may differ on a mobile machine (e.g. does the system need closed loop control rather than open loop to address incorrect application rates, does the system need to address hazards associated with uncommanded activation as well as failure on demand, etc.).

Some systems on mobile machines need to maintain an operable state during a failure. While ISO 13849-1:2015 allows for this, additional measures will need to be taken to ensure this can happen safely, that parallel channels do not conflict with each other and that the systems function as the requirements for the claimed architecture specify.

The following design considerations shall be taken into account:

— Conflicting input or output signals

— Loss of signal and actuation energies to either system (e.g. separate oil supplies for each channel, redundant power supplies for ECMs)

— Conflicting safe states required by multiple failure types that are being addressed by the system

— Systems that require a fail operable safety concept

6.1.3 Assessment process

Assessment processes should be independent from the design process.

6.2 Hardware design

The hardware structure of the SCS can provide measures for avoiding, detecting or tolerating faults. Practical measures can include redundancy, diversity, and monitoring.

The hardware development process shall begin at the system level where safety functions and associated requirements are identified (see Figure 2). The system can be decomposed into subsystems for easier development.

Where applicable, each phase of the development cycle shall be verified.

See Figure 2 for a depiction of the hardware development process in the form of a V-model.

The design procedure for the hardware system architecture is as follows:

a) identify the component operating environment and stress level
b) select components

c) identify and document fault exclusions (ref. 7.2.1), or by using the appropriate system analysis (e.g. FMEA, fault-tree analysis, etc.)

d) calculate the MTTFd (see ISO 13849-1:2015, Annex D), and verify the MTTFd meets the required level (see ISO 13849-1:2015)

e) determine if the hardware can provide the required level of DC (ISO 13849-1:2015, Annex E). For systems relying on software interaction to determine diagnostic coverage, this analysis can only determine if the hardware is available to support DC, not verify that the DC requirement for the system has been met

f) consider CCF (see ISO 13849-1:2015, Annex F) if required

g) consider systematic failure (ISO 13849-1:2015, Annex G)

h) consider possible interaction from other safety functions

i) for FPGA and ASIC design, see IEC 61508-2, Annex E or Annex F

See Annex D for supplementary information on safety function evaluation.

NOTE 1 This figure is a representation of only one design method (V-model). Any organized, proven design process which meets the requirements of ISO 19014 should be used to complete the design process.

Figure 2 — Hardware development V-model
7 System safety performance evaluation

7.1 Machine Performance Level achieved (MPLa)

For the purposes of this part of ISO 19014, the achieved integrity of safety-related parts to perform a safety function is expressed through the determination of the MPLa.

The ability to perform a safety function under expected environmental conditions as specified in ISO 19014-3 shall be demonstrated and documented.

7.2 Hardware safety evaluation

7.2.1 General

ISO 13849-2:2012, Annexes A to D list the important faults, fault exclusions, and failures for various types of components; these lists are not exhaustive. If necessary, additional faults shall be considered and listed; in such cases, the method of evaluation should also be clearly elaborated.

For components that are not well-tried, a failure modes and effects analysis (FMEA), fault-tree analysis, or equivalent system analysis shall be performed to establish the faults and fault exclusions.

7.2.2 Fault consideration

In general, the following fault criteria can be considered:

— if, because of a fault, further components fail, the first fault together with all following faults shall be considered as a single fault;

— two or more faults having a common cause shall be considered as a single fault (known as a CCF);

— the simultaneous occurrence of two or more faults having separate causes is considered highly unlikely and therefore need not be considered.
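The three criteria of 7.2.2 determine how many single-fault cases an FMEA worksheet actually yields: consequential faults collapse into their initiating fault, faults with a shared root cause collapse into one CCF event, and independent faults are assessed one at a time rather than in combination. The following routine applies those rules to a fault list. It is an added illustration, not text or code from ISO 19014-2 or ISO 13849; the Fault record, its field names and the five-line FMEA extract are constructed for the example.

```python
"""Single-fault grouping per the fault consideration rules of 7.2.2.

Added example, not part of ISO 19014-2 or ISO 13849. The Fault record, its
field names and the sample fault list are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fault:
    fid: str                            # identifier from the FMEA worksheet (constructed)
    description: str
    caused_by: Optional[str] = None     # fid of the fault that triggers this one, if any
    common_cause: Optional[str] = None  # label of a shared root cause (CCF group), if any


def group_single_faults(faults: List[Fault]) -> List[List[str]]:
    """Merge faults into the events that 7.2.2 counts as one single fault.

    Rule 1: a fault and every further fault it causes form one single fault.
    Rule 2: faults sharing a common cause form one single fault (CCF).
    Rule 3 follows from returning the groups separately: each group is assessed
    on its own, and coincidences of two independent groups are not assessed.
    """
    by_id: Dict[str, Fault] = {f.fid: f for f in faults}
    parent = {f.fid: f.fid for f in faults}   # union-find forest over fault ids

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]     # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for f in faults:                           # rule 1: consequential faults
        if f.caused_by is not None:
            if f.caused_by not in by_id:
                raise ValueError(f"{f.fid} is caused by unknown fault {f.caused_by}")
            union(f.caused_by, f.fid)

    cause_members: Dict[str, List[str]] = {}   # rule 2: common cause groups
    for f in faults:
        if f.common_cause is not None:
            cause_members.setdefault(f.common_cause, []).append(f.fid)
    for members in cause_members.values():
        for other in members[1:]:
            union(members[0], other)

    groups: Dict[str, List[str]] = {}
    for f in faults:
        groups.setdefault(find(f.fid), []).append(f.fid)
    return sorted(sorted(g) for g in groups.values())


def sample_fault_list() -> List[Fault]:
    """Constructed FMEA extract for one brake-control channel (illustration only)."""
    return [
        Fault("F1", "solenoid coil short circuit"),
        Fault("F2", "driver transistor destroyed by overcurrent", caused_by="F1"),
        Fault("F3", "pressure sensor A reads zero", common_cause="shared 5 V reference"),
        Fault("F4", "pressure sensor B reads zero", common_cause="shared 5 V reference"),
        Fault("F5", "CAN transceiver stuck dominant"),
    ]


if __name__ == "__main__":
    for event in group_single_faults(sample_fault_list()):
        print("single fault to assess:", ", ".join(event))
```

Five worksheet rows reduce to three single-fault cases (F1 with its consequence F2, the CCF pair F3/F4, and F5 alone); each case is then taken through the safe-state and diagnostic-coverage questions of Clause 7 individually.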
7.2.3 Fault exclusion

Fault exclusions are used in the development of hardware as a means of mitigating the failure mechanisms leading to known hazards in accordance with recognized industry best practices. Fault exclusion is a compromise between technical safety requirements and the theoretical possibility of occurrence of a fault.

Fault exclusion can be based on:

— the technical improbability of occurrence of some faults;

— generally accepted technical experience, independent of the considered application; and

— technical requirements related to the application and the specific hazard.

If faults are excluded, a detailed justification shall be given in the technical documentation.

Fault exclusions can be applied on two levels.

1. Fault-by-fault basis: after all faults are identified, some faults may be excluded. Others could be handled by diagnostic means within the control system.

2. Component level: if all known SCS faults can be fault excluded at a component level, then the component can be fault excluded entirely.
7.2.4 Mean Time to Dangerous Failure (MTTFd)

Refer to ISO 13849-1:2015, 4.5.2. While ISO 13849-1 recommends the principle assumption of 50 % for the hazardous failure rate (e.g., B10d = 2 x B10), lower failure rates may be us
...
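Steps d) and e) of the 6.2 design procedure and the B10d assumption of 7.2.4 come together when a channel is evaluated numerically. The script below walks one constructed channel through that evaluation: a B10-rated switch is converted to MTTFd via the 50 % dangerous-failure assumption and the number of operations per year, the component MTTFd values are combined by the parts-count formula, DCavg is formed as the failure-rate-weighted mean of the component DC values, and both results are placed in the bands that ISO 13849-1:2015 uses for the performance level (and hence MPL) determination. This is an added example, not code from the standard; the formulas are those of ISO 13849-1:2015, Annexes C, D and E and Tables 5 and 6, the 100-year cap (2 500 years only for Category 4) is that standard's limit, and every component figure is constructed.

```python
"""MTTFd and DCavg evaluation of one channel of an SCS.

Added example, not part of ISO 19014-2; it applies the B10d conversion, the
parts-count formula and the DCavg formula of ISO 13849-1:2015 (Annexes C, D
and E) and the MTTFd / DC bands of its Tables 5 and 6. All component values
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Component:
    name: str
    mttfd_years: float   # MTTFd of this component, in years
    dc: float            # diagnostic coverage of the measures applied to it, 0.0 to 1.0


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year: n_op = d_op * h_op * 3600 / t_cycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def b10d_from_b10(b10_cycles: float, dangerous_fraction: float = 0.5) -> float:
    """B10d from B10; the default 50 % dangerous share is the B10d = 2 x B10 assumption of 7.2.4."""
    if not 0.0 < dangerous_fraction <= 1.0:
        raise ValueError("dangerous_fraction must be in (0, 1]")
    return b10_cycles / dangerous_fraction


def mttfd_from_b10d(b10d_cycles: float, ops_per_year: float) -> float:
    """MTTFd in years for an electromechanical component: MTTFd = B10d / (0.1 * n_op)."""
    return b10d_cycles / (0.1 * ops_per_year)


def channel_mttfd(components: List[Component], cap_years: float = 100.0) -> float:
    """Parts count: 1/MTTFd = sum(1/MTTFd_i). ISO 13849-1:2015 caps the channel
    value at 100 years (2 500 years only for Category 4)."""
    if not components:
        raise ValueError("channel has no components")
    return min(cap_years, 1.0 / sum(1.0 / c.mttfd_years for c in components))


def channel_dc_avg(components: List[Component]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): each DC weighted by its
    component's dangerous failure rate, so a poorly covered, failure-prone part dominates."""
    weighted = sum(c.dc / c.mttfd_years for c in components)
    total = sum(1.0 / c.mttfd_years for c in components)
    return weighted / total


def mttfd_band(years: float) -> str:
    """Table 5 bands; below 3 years the channel cannot support a PL / MPL claim."""
    if years < 3.0:
        return "not allowed"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    """Table 6 bands."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def evaluate_channel(components: List[Component]) -> Dict[str, object]:
    mttfd = channel_mttfd(components)
    dcavg = channel_dc_avg(components)
    return {"mttfd_years": mttfd, "mttfd_band": mttfd_band(mttfd),
            "dc_avg": dcavg, "dc_band": dc_band(dcavg)}


def sample_channel() -> List[Component]:
    """Constructed brake-request channel: a pedal switch rated by B10, an ECM and a valve."""
    ops = n_op(d_op=250, h_op=10, t_cycle_s=30)                      # 300 000 operations per year
    switch_mttfd = mttfd_from_b10d(b10d_from_b10(1_000_000), ops)    # about 66.7 years
    return [
        Component("pedal switch", switch_mttfd, dc=0.90),
        Component("brake ECM", 60.0, dc=0.90),
        Component("brake valve", 40.0, dc=0.60),
    ]


if __name__ == "__main__":
    print(evaluate_channel(sample_channel()))
```

For the constructed channel the parts-count MTTFd is about 17.6 years (medium) and DCavg about 0.77 (low): the valve, with the shortest MTTFd and the weakest diagnostics, pulls the average down even though the other two parts reach 90 % coverage, which is exactly the situation step e) of 6.2 asks the designer to confirm the hardware can improve on.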
