Earth-moving machinery - Machine control systems (MCS) using electronic components - Part 2: Use and application of ISO 15998

ISO/TS 15998-2:2012 assists in the interpretation and application of the performance criteria and tests of functional safety for electronic machine control systems (MCS), used on earth-moving machinery, given in the first part of ISO 15998, by illustrating an alternative method of hazard assessment, providing information and application examples to illustrate compliance with ISO 15998, clarifying definitions, requirements and application of ISO 15998, in addressing the risk of hazardous machine movements by safety-related MCS, and providing guidance on the use and relationship of the normative references cited in the first part of ISO 15998. Electronic MCS are those control systems that directly affect machine motion, i.e. propulsion (powered motion), braking, steering, attachments and working tool control systems. ISO 15998 is applicable to the mechanical failures of switches, sensors and other electronic devices and to the mechanical failure of solenoid valves such as sticking caused by debris (electronic fault monitoring of the solenoid valve function can be used if the risk assessment determines it is necessary). Systems and ESAs (electrical/electronic subassemblies) that are ancillary to machine operation and which do not alter machine control (such as monitors, alarms, gauges, lights and wipers, as well as those portions of systems that provide feedback to the operator) are outside the scope of ISO 15998, as are purely hydraulic, pneumatic and/or mechanical MCS not using electronic/electric components, and mechanical failures such as broken axles, purely mechanical valves, tyres and similar.

Engins de terrassement — Systèmes de contrôle-commande utilisant des composants électroniques — Partie 2: Utilisation et application de l'ISO 15998

General Information

Status
Withdrawn
Publication Date
14-Oct-2012
Current Stage
9599 - Withdrawal of International Standard
Start Date
14-Jun-2022
Completion Date
13-Dec-2025
Ref Project

Relations

Technical specification
ISO/TS 15998-2:2012 - Earth-moving machinery -- Machine control systems (MCS) using electronic components
English language
58 pages

Frequently Asked Questions

ISO/TS 15998-2:2012 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Earth-moving machinery - Machine control systems (MCS) using electronic components - Part 2: Use and application of ISO 15998". This standard covers: ISO/TS 15998-2:2012 assists in the interpretation and application of the performance criteria and tests of functional safety for electronic machine control systems (MCS), used on earth-moving machinery, given in the first part of ISO 15998, by illustrating an alternative method of hazard assessment, providing information and application examples to illustrate compliance with ISO 15998, clarifying definitions, requirements and application of ISO 15998, in addressing the risk of hazardous machine movements by safety-related MCS, and providing guidance on the use and relationship of the normative references cited in the first part of ISO 15998. Electronic MCS are those control systems that directly affect machine motion, i.e. propulsion (powered motion), braking, steering, attachments and working tool control systems. ISO 15998 is applicable to the mechanical failures of switches, sensors and other electronic devices and to the mechanical failure of solenoid valves such as sticking caused by debris (electronic fault monitoring of the solenoid valve function can be used if the risk assessment determines it is necessary). Systems and ESAs (electrical/electronic subassemblies) that are ancillary to machine operation and which do not alter machine control (such as monitors, alarms, gauges, lights and wipers, as well as those portions of systems that provide feedback to the operator) are outside the scope of ISO 15998, as are purely hydraulic, pneumatic and/or mechanical MCS not using electronic/electric components, and mechanical failures such as broken axles, purely mechanical valves, tyres and similar.

ISO/TS 15998-2:2012 is classified under the following ICS (International Classification for Standards) categories: 53.100 - Earth-moving machinery. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/TS 15998-2:2012 has the following relationships with other standards: it has inter-standard links to ISO/TS 19014-5:2021, ISO 19014-4:2020, ISO 19014-3:2018, ISO 19014-2:2022, ISO 19014-1:2018 and ISO 15998:2008. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/TS 15998-2:2012 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


TECHNICAL SPECIFICATION ISO/TS 15998-2
First edition
2012-10-15
Earth-moving machinery — Machine
control systems (MCS) using
electronic components —
Part 2:
Use and application of ISO 15998
Engins de terrassement — Systèmes de contrôle-commande utilisant
des composants électroniques —
Partie 2: Utilisation et application de l’ISO 15998
Reference number
© ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the
address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2012 – All rights reserved

Contents                                                                       Page
Foreword ........................................................................ iv
Introduction ..................................................................... v
1 Scope .......................................................................... 1
2 Normative references ........................................................... 1
3 Terms and definitions .......................................................... 2
4 General ........................................................................ 4
4.1 Other controls standards ..................................................... 4
4.2 Risk assessments (see 4.4 of the first part of ISO 15998) .................... 4
5 Additional guidance for safety-related machine-control systems ................. 6
6 Documentation .................................................................. 6
7 Test for safety-related MCS .................................................... 6
Annex A (informative) Guidelines for risk assessment ............................. 7
Annex B (informative) Guidance for describing the ISO 15998 safety concept ...... 39
Annex C (informative) Example of compliance with ISO 15998 ...................... 41
Annex D (informative) EMM example for complying with ISO 15998 .................. 44
Annex E (informative) Qualitative proposal for control of random hardware failures  47
Annex F (informative) Architecture .............................................. 52
Annex G (informative) Realized design to meet determined SIL or PLr levels ...... 53
Bibliography .................................................................... 58
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical
experts in an ISO working group and is accepted for publication if it is approved by more than 50 %
of the members of the parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a
technical committee and is accepted for publication if it is approved by 2/3 of the members of the
committee casting a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for
a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or
ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be
transformed into an International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TS 15998-2 was prepared by Technical Committee ISO/TC 127, Earth-moving machinery,
Subcommittee SC 3, Machine characteristics, electrical and electronic systems, operation and maintenance.
ISO 15998 consists of the following parts, under the general title Earth-moving machinery — Machine
control systems (MCS) using electronic components:
— Performance criteria and tests for functional safety
— Part 2: Use and application of ISO 15998 [Technical Specification]
ISO 15998:2008, Performance criteria and tests for functional safety, is to become Part 1.
Introduction
The complexity inherent in electronic controls standards makes it difficult to determine even the basic
levels of safety requirements. This part of ISO 15998 has been developed to assist the user of ISO 15998
by defining common earth-moving machinery features and possible failure modes with the reasonable
and consistent levels of safety requirements. It will help the user to know that others will be adopting
similar requirements for similar hazardous conditions.
While the first part of ISO 15998 and its reference documents are written in the abstract, this Technical
Specification outlines processes in a way that relate directly to earth-moving machinery. Through its
multiple examples, the user can more easily determine how to apply ISO 15998 to the different types of
earth-moving machine.
TECHNICAL SPECIFICATION ISO/TS 15998-2:2012(E)
Earth-moving machinery — Machine control systems
(MCS) using electronic components —
Part 2:
Use and application of ISO 15998
1 Scope
This part of ISO 15998 assists in the interpretation and application of the performance criteria and tests
of functional safety for electronic machine control systems (MCS), used on earth-moving machinery,
given in the first part of ISO 15998, by
— illustrating an alternative method of hazard assessment,
— providing information and application examples to illustrate compliance with ISO 15998,
— clarifying definitions, requirements and application of ISO 15998, in addressing the risk of hazardous
machine movements by safety-related MCS, and
— providing guidance on the use and relationship of the normative references cited in the first part
of ISO 15998.
Electronic MCS are those control systems that directly affect machine motion, i.e. propulsion (powered
motion), braking, steering, attachments and working tool control systems. ISO 15998 is applicable to
the mechanical failures of switches, sensors and other electronic devices and to the mechanical failure
of solenoid valves such as sticking caused by debris (electronic fault monitoring of the solenoid valve
function can be used if the risk assessment determines it is necessary).
Systems and ESAs (electrical/electronic subassemblies) that are ancillary to machine operation and
which do not alter machine control — such as monitors, alarms, gauges, lights and wipers, as well as
those portions of systems that provide feedback to the operator — are outside the scope of ISO 15998, as
are purely hydraulic, pneumatic and/or mechanical MCS not using electronic/electric components, and
mechanical failures such as broken axles, purely mechanical valves, tyres and similar.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 13766, Earth-moving machinery — Electromagnetic compatibility
ISO 13849-1:2006, Safety of machinery — Safety related parts of control systems. Corrected by
ISO 13849-1:2006/Cor 1:2009
ISO 15998:2008, Earth-moving machinery — Machine-control systems (MCS) using electronic components — Performance criteria and tests for functional safety 1)
1) To become ISO 15998-1.
3 Terms and definitions
For the purposes of this document, the terms, definitions and abbreviations given in the first part of
ISO 15998 and the following apply.
3.1
base machine
machine with a cab or canopy and operator-protective structures if required, without equipment or
attachments but possessing the necessary mounting for such equipment and attachments
[SOURCE: ISO 6016.]
3.2
equipment
set of components mounted onto the base machine that allows an attachment to perform the primary
design function of the machine
[SOURCE: ISO 6016.]
3.3
attachment
assembly of components that can be mounted onto the base machine or equipment for specific use
[SOURCE: ISO 6016.]
3.4
safety integrity level
SIL
discrete level (one out of a possible three), corresponding to a range of safety integrity values, where
safety integrity level 3 has the highest level of safety integrity and safety integrity level 1 has the lowest
[SOURCE: IEC 61508-4:2010, 3.5.8, modified.]
NOTE 1 The target failure measures are given in Table 1.
NOTE 2 Safety integrity levels are used for specifying the safety integrity requirements of the safety functions
to be allocated to the electrical/electronic/programmable electronic system safety-related systems.
NOTE 3 SIL is not a property of a system, subsystem, element or component. The correct interpretation of the
phrase “SIL n safety-related system (where n is 1, 2, or 3)” is that the system is potentially capable of supporting
safety functions with a safety integrity level up to n.
NOTE 4 SIL is most useful for manufacturers applying IEC 61508 or the risk graph presented in the first part
of ISO 15998.
NOTE 5 SIL 4 is not used for EMMs (earth-moving machines).
NOTE 6 SIL Θ designates either “No requirement” or “No special safety requirement”. See Table 1 and Figure 1.
3.5
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety
function under foreseeable conditions
[SOURCE: ISO 13849-1:2006, 3.1.23.]
NOTE 1 PL is most useful for manufacturers using ISO 13849.
NOTE 2 See Table 1.
3.6
required performance level
PLr
performance level (PL) applied in order to achieve the required risk reduction for each safety function
SEE: Figures 1 and A.1
[SOURCE: ISO 13849-1:2006, 3.1.24.]
3.7
electrical/electronic subassembly
ESA
electrical and/or electronic components or set of components intended to be part of an earth-moving
machine, together with any associated electrical connections and wiring, which performs one or more
specialized functions
[SOURCE: ISO 13766:2006, 3.10.]
3.8
functional safety
part of the overall safety that depends on a system or equipment operating correctly in response to its inputs
[SOURCE: IEC/TR 61508-0, 3.1.]
NOTE 1 For example, an overtemperature protection device, using a thermal sensor in the windings of an
electric motor to de-energize the motor before it can overheat, is an instance of functional safety. But providing
specialized insulation to withstand high temperatures is not an instance of functional safety (although it is still
an instance of safety and could protect against exactly the same hazard).
NOTE 2 Neither safety nor functional safety can be determined without considering the systems as a whole
and the environment with which they interact.
3.9
safety-related part of a control system
SRP/CS
part of a control system that responds to safety-related input signals and generates safety-related
output signals
[SOURCE: ISO 13849-1:2006, 3.1.1, modified.]
NOTE The combined safety-related parts of a control system start at the point where the safety-related input
signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the
output of the power control elements (including, for example, the main contacts of a contactor).
3.10
machine control system
MCS
system which responds to input signals from parts of machine elements, operators, external control
equipment or any combination of these and generates output signals causing the machine to behave in
the intended manner
[SOURCE: ISO 13849-1:2006, 3.1.32.]
NOTE The machine control system can use any technology or any combination of different technologies (e.g.
electrical/electronic, hydraulic, pneumatic, mechanical).
3.11
diagnostic time interval
interval between on-line tests to detect faults in the SRP/MCS
3.12
fault reaction time
time to perform the specified action to achieve or maintain a safe state
3.13
high/continuous mode
mode of operation where the frequency of demands for operation on a SRP/MCS is greater than one per
year or greater than twice the frequency of the self-checking feature of the control system
3.14
process safety time
period of time between a failure occurring in the SRP/MCS and the occurrence of the hazardous event if
the safety function is not performed
4 General
4.1 Other controls standards
It is strongly recommended that the user of ISO 15998 use at least one of the controls standards referenced
in this part of ISO 15998. In particular, IEC 61508-1 or ISO 13849-1 provide general information and
theory on electronic control system safety:
— IEC 61508-1:2010, Figure 1, outlines a process for using the IEC 61508 standards to ensure control
system safety.
— ISO 13849-1:2006, Figure 1, presents an alternative flow diagram for demonstrating control system
safety. Figure 3 shows risk reduction methods (which are further explained in Annex A of this
document) for determining both SILs and PLrs.
See Annex B for guidance on creating the safety concept.
Manufacturers may also follow ISO 26262 (road vehicles) or ISO 25119 (agricultural machinery), making
appropriate modifications to account for differences with earth-moving machinery. This allowance is to
help in the transfer of technology across different industries. Manufacturers should follow one method
as completely as practical, except that they may substitute or add appropriate clauses of IEC 61508.
4.2 Risk assessments (see 4.4 of the first part of ISO 15998)
4.2.1 SILs and PLs
Users have the option of following SIL methods such as those found in IEC 61508-5 and ISO 15998, or
PL methods including those found in ISO 13849-1, ISO 25119-2 and ISO 26262-3. Regardless of whether
a SIL or PL methodology is chosen, the failure rates for high/continuous demand mode operations shall
demonstrate the appropriate level of safety summarized in Table 1.
NOTE 1 Table 1 is for high/continuous demand mode of operation systems. Low demand failure rates are
also provided in IEC 61508-1:2010, Clause 7, and Table 2. An explanation on how to use Table 1 is provided in
IEC 61508-1:2010, Clause 7, and ISO 13849-1:2006, 4.5.
NOTE 2 SIL 4 is not used for the machines covered by this part of ISO 15998, as it is not a reasonable assessment
of an EMM to have a SIL 4 system requirement.
Table 1 — SIL/PL cross-reference table

SIL | Average probability of dangerous failure per hour (1/h) | PLr | Average probability of dangerous failure per hour (1/h)
—   | No safety requirement                                    | —   | No safety requirement
—   | No special safety requirements                           | a   | > 10^-5 to < 10^-4
1   | > 10^-6 to < 10^-5                                        | b   | > 3 × 10^-6 to < 10^-5
    |                                                          | c   | > 10^-6 to < 3 × 10^-6
2   | > 10^-7 to < 10^-6                                        | d   | > 10^-7 to < 10^-6
3   | > 10^-8 to < 10^-7                                        | e   | > 10^-8 to < 10^-7
4   | Not used for EMM                                         | —   | Not applicable
4.2.2 Risk assessment variations
Because the referenced risk assessment tools are intended as general guidance on determining SILs, it
is acceptable and sometimes necessary to adjust risk assessments, for example with the modifications shown in
Figure 1, to achieve a more straightforward correspondence between the reference methods used.
Because of complexity in using the W factor as per Annex A of the first part of ISO 15998, it is also
acceptable to assume the W factor is always equal to W .
NOTE 1 “Θ” designates either “No requirement” or “No special safety requirement”.
NOTE 2 C in ISO 15998:2008, Annex A is not applicable to EMMs, as the probability of EMM involvement in the
death of large number of people is negligible.
Figure 1 — Risk graph
4.2.3 Reconciling different methods
Regardless of the method used, SIL, PLr, or equivalent, the failure rates provided in Table 1 shall be used
for high/continuous demand systems. Minor adjustments may be made when failure rates do not exactly
match those from other standards. Generic SILs/PLs have been established for certain machine control
systems and summarized in Annex A. A risk assessment should be completed in order to specify the
SIL/PLr or similar safety requirements for the specific safety function. When risk assessment results
vary significantly from the generic SILs, the user of ISO 15998 should examine them carefully to ensure
that proper assumptions were made.
5 Additional guidance for safety-related machine-control systems
For ISO 15998:2008, 5.2, see Annex E for guidance.
No additional guidance is given for the remainder of Clause 5 of the first part of ISO 15998.
6 Documentation
Table B.1 (see Annex B) provides a method for summarizing the risk assessment, risk reduction and
safety concept in a single spreadsheet for the purposes of organizing the documentation.
7 Test for safety-related MCS
The testing of hardware required per Clause 7 of the first part of ISO 15998 may be conducted at the
machine level, system level, sensor level, switch level, harness level or solenoid level, or at the circuit
board level or similar, depending upon which is most practical or preferred by the user of ISO 15998.
Consideration shall be given to how the machine-level installation affects the electrical system for the environmental
testing, e.g. temperature in the engine compartment, rigid and soft mounting, and so on.
Documentation from suppliers regarding performance of components is acceptable, in the absence of
confirming testing by the OEM.
Annex A
(informative)
Guidelines for risk assessment
A.1 General risk assessments similar to ISO 13849-1 assessments
The ISO 13849-1 method described in this annex provides guidance in determining the PLr and
corresponding SIL associated with specific EMM forms and their SRP/MCS. For examples of other risk
assessment methodologies, see Annex A of the first part of ISO 15998, ISO/TR 14121-2, ISO 25119-2,
ISO 26262-3 or IEC 61508-5.
The hazard analysis should only consider reasonably foreseeable scenarios. For example, a steel-tracked
dozer on the highway should not be evaluated (unless the intent is to meet some unique customer
requirement). Simply state that it is normally illegal to use a steel-tracked dozer on the highway because
of the severe road damage that would result. Each reasonably foreseeable scenario should be assessed in
terms of the severity of injury to the operator and to a bystander, the frequency, and the possibility of avoiding the hazard.
A.1.1 Use of risk graphs
The initial determination of the risk parameters is made without the consideration of any MCS or any
safety feature integrated in the MCS to analyse the risk solely on the associated hazard. Additional
guidance on how to perform a risk assessment is included in the risk parameters instructions below. The
risk assessment initially assumes failure modes exist, which will cause hazardous machine behaviour.
Means for mitigating those hazards are considered later in the process.
A.1.2 Severity of injury — S1, S2 and S3
Severity has 3 levels: S1 (slight — normally reversible injury), S2 (serious — normally irreversible
injury or single death) and S3 (catastrophic — multiple fatalities). When selecting a severity level for a
hazard, select the level that would result from the worst credible outcome of the hazard rather than the
worst conceivable outcome, as this could always result in an S3. When selecting a level, also look at the
immediate result without additional conditions to be present for the consequence to occur. For instance,
one could imagine a tracked dozer steering right uncommanded and hitting a gas pipe line, exploding
and causing multiple fatalities among bystanders. This scenario relies on many conditions to be present
and is not a credible outcome of the uncommanded steering hazard. To make a decision, the usual
consequences of accidents and normal healing processes should be taken into account in determining
S1 and S2. For example, bruising and/or lacerations without complications would be classified as S1,
whereas amputation or death would be S2.
S3 is equivalent to C according to the first part of ISO 15998. This severity/consequence is defined as
the “death of several people”.
Another condition to consider is whether or not the EMM will be operating in traffic on public roads, a
credible scenario that could result in multiple deaths (S3), whereas hazards associated with operation
at a confined construction site may be one (1) level less severe (S2). When used off-road, machines are
exposed to far less vehicular traffic. Therefore, machines prohibited from on-road use can reduce the
severity level by one (1), compared to a similar roadable version, with respect to loss of steering or
braking functionality and the associated risks of collisions with vehicular traffic.
EXAMPLE A 4WD loader that is used on-road might have an S3 for a complete loss of steering. If there is a
similar loader, but it is too large for use on-road, then a lower severity level S2 might be specified for the same loss
of steering condition.
Smaller machines, due to their smaller mass, impart lower forces during collision. Therefore, a compact
machine’s severity level relative to bystanders and vehicular traffic could be lowered by 1, when
compared to a larger version in the same conditions.
A.1.3 Frequency and/or exposure times to hazard (F1 and F2)
A percent time of exposure can be difficult to determine when selecting between F1 and F2. However, the
following explanation could facilitate making the right decision where doubt exists.
F2 should be selected if a person is frequently or continuously exposed to the hazard, i.e. ≥ 10 % of the
time. It is irrelevant whether the same or different persons are exposed to the hazard on successive
exposures, e.g. for the use of lifts. The frequency parameter should be chosen according to the frequency
and duration of access to the hazard.
Where the demand on the safety function is known by the designer, the frequency and duration of this
demand can be chosen instead of the frequency and duration of access to the hazard. In this annex, the
frequency of demand on the safety function is assumed to be more than once per year.
The period of exposure to the hazard should be evaluated on the basis of an average value which can
be seen in relation to the total period of time over which the equipment is used. For example, if it is
necessary to have workers in close proximity to the EMM during cyclic operation in order to feed and
move work pieces, then F2 should be selected. If exposure is only required from time to time, then F1
should be selected.
In case of no other justification, F2 should be chosen if the frequency is higher than once per hour or
exposure to the hazard is more than 10 % of the time.
EXAMPLE 1 Operating near the edge of a cliff: the operator is most likely exposed to the edge of the cliff less
than 10 % of the time, so the frequency level would be F1.
EXAMPLE 2 If the operation is grading and the steering system fails, for a motor grader this occurs most of the
time, so the frequency level would be F2.
A.1.4 Possibility of avoiding the hazard (P1 and P2)
When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding
an accident or significantly reducing its effect; P2 should be selected if there is almost no chance of
avoiding the hazard.
EXAMPLE A full loss of brakes on a wheel loader can initially appear to be P2. A bucket could be lowered to
stop the machine, so the possibility level would drop to P1. Lesson: when including external sources as a means
of avoiding a hazard, it needs to be ensured that the design is independent of the system being evaluated. In this
case, as long as the implement controls are independent from the braking system (i.e. no shared components),
then dropping the bucket sufficiently mitigates the hazard risk.
It is important to know whether a hazardous situation can be recognized and avoided before leading to
an accident. For example, an important consideration is whether the hazard can be directly identified
by its physical characteristics, or recognized only by technical means, e.g. indicators. Other important
aspects which influence the selection of parameter P include
— operation with or without jobsite supervision,
— operation by experts or non-professionals,
— speed with which the hazard arises (e.g. quickly or slowly),
— possibilities for hazard avoidance (e.g. by escaping), and
— practical safety experiences relating to the process.
The “possibility of avoiding” should not take into account design architecture to address the safety
function being analysed: i.e. if analysing risks surrounding an electronic steering system, the design
architecture of the electronic steering system cannot contribute to the possibility of avoiding the hazard
but other independent systems (such as brakes or mechanical steering system) can.
Figure A.1 provides an example of a risk graph used to determine the required PLr for various scenarios using the hazard analysis parameters for severity, frequency and/or exposure time and possibility of avoiding the hazard. The graph (or the alternative risk graph mentioned in 4.1.2) should be used for assessing all reasonably foreseeable scenarios for each safety function. The risk assessment method is based on ISO/TR 14121-2 (see also ISO 13849-1:2006, Annex A) and should be used in accordance with ISO 12100.
Key
1 starting point for risk estimation
S1/C1 slight (normally reversible injury)
S2/C2 serious (normally irreversible injury or death)
S3/C3 death of several people
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long
P1 possible under specific conditions
P2 scarcely possible
a–e required performance level (PLr) for MCS
Figure A.1 — Risk graph for determining PLr for safety function
If ISO 13849 methods are used, then in applications where the SRP/CS can be considered simple, and
the required performance level is a to c, a qualitative estimation of the PL may be justified in the design
rationale. See also Annex E for additional guidance on using ISO 15998 methods more directly.
A.2 Guidance and examples of risk analysis for EMMs fitted with MCS for steering, propel, braking, and attachment operation for ISO 15998, ISO 13849-1 or other similar risk assessments
The hazards for the four primary operating functions of EMM examples are given to illustrate hazard identification and allocation of risk parameters. This clause is independent of any specific control system and is based on typical EMM forms, given that a failure can occur that causes the EMM to behave in an unintended manner.
The risk graph given in ISO 13849-1, in the first part of ISO 15998 and by other risk assessment methods could indicate in some cases higher SILs/PLrs than provided by the examples and generic SILs/PLrs in this annex. However, the examples and generic SILs/PLrs do reflect the state of the art available for each type of function. Furthermore, experience (e.g. accident history) indicates they are adequate and proven for each function.
The following should be considered when using the risk assessments and Tables A.1 to A.5 for EMMs.
A.2.1 Severity considerations
Severity should not be skewed by extremely unlikely events. If, for example, in 999 cases out of 1 000, the anticipated injury would be very minor in an accident, but in one case a death is predicted, then the consequence is properly rated S1 or C1.
A.2.2 Frequency considerations
Some machine applications can have very low frequencies of exposure, such that F1 would not adequately describe how low the frequencies are. In those cases, it may be more appropriate not to evaluate the scenario.
EXAMPLE Using a steel tracked dozer on the highway is very seldom done and is generally illegal. It is therefore not necessary to evaluate the risks associated with it.
A.2.3 Overall assessment considerations
S/C, P and F values are typically based on the consideration of a list of contributing factors that each tend to raise or lower these values partially. Table A.1 shows some of the key factors used in determining the values. After the contributors are known, the closer of the two values, for example P1 or P2, is selected.
Risk assessments may have more resolution (e.g. ISO 25119-2) than the examples provided here. Examples are given for two of the various risk assessment methods. The user should select one risk assessment method for all the control systems evaluated, to avoid conflicting results.
As speed increases, SILs/PLr associated with steering and braking increase due to limitations of the operator in maintaining control after a failure (P). Severity also increases due to higher speeds during a collision (S/C).
Bystander presence varies significantly in some scenarios: mining sites typically have few or no
bystanders, the presence of which is restricted on most mining sites. Small and medium-sized excavators
and all tractor loader backhoes more often have bystanders near excavation sites. The frequency (F)
should vary accordingly for bystanders.
Collisions between EMMs typically cause fewer and less severe injuries, which tends to result in lower S/C values and lower SIL/PLr values. EMM and vehicular traffic collisions tend to have higher S/C with respect to the occupants of the vehicle.
Partial loss: it is easier to maintain control of the machine in steering and braking losses, than complete
losses (P). Braking and steering maintained at 90 % operate almost normally. Steering and braking
functionality at < 5 % are insufficient to prevent most accidents.
E-Stop/PB/hydraulic enable/key switch: a shutdown control’s effectiveness in avoiding an accident (P) varies significantly with machine speed. It is somewhat effective when an immediate stop works, such as for a slow-moving steel tracked machine, or stopping an attachment when a bystander is present. It is not as effective in dealing with a loss in steering at higher speeds.
When used off-road, machines are exposed to far less vehicular traffic and have a correspondingly lower S/C value. Therefore, machines prohibited from on-road use may have a SIL/PLr one level less than a similar road-able version with respect to loss of all steering functionality and the associated risks of collisions with vehicular traffic. For example, a 4WD loader used on-road has a SIL 3/PLr e for a complete loss of steering when there is no prior warning. For a similar loader too large for on-road use, the requirement is one level less, or SIL 2/PLr d, for the same loss of steering condition.
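The parameter rules above (P1 only with an independent means of avoidance, A.1.4; severity rated on the bulk of anticipated outcomes rather than the rare worst case, A.2.1; no requirement for negligible exposure, A.2.2; one level less off-road for the steering/traffic scenario, A.2.3) and the risk-graph lookup itself can be captured in a small helper. The following Python is an added example, not part of ISO/TS 15998-2 or of any manufacturer's tooling. It encodes only the risk-graph cells that the rows of Table A.1 actually exhibit and refuses to guess the others; the PL-to-SIL correspondence is the one in ISO 13849-1 Table 4; the hydraulic component names used in the independence check are constructed for illustration.

```python
"""Risk-parameter helper for the Annex A risk graph (S/C, F, P -> PLr / SIL).

Added example, not part of ISO/TS 15998-2.  Only the risk-graph cells that
the Table A.1 rows on this page exhibit are encoded; every other cell has to
be read from Figure A.1 of the standard and is left unpopulated rather than
guessed.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple

# PL -> SIL correspondence (ISO 13849-1, Table 4).  PL a has no SIL equivalent.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}
PL_ORDER = "abcde"

# Risk-graph cells taken from the Table A.1 rows (row numbers in comments).
RISK_GRAPH = {
    ("S1", "F2", "P1"): "a",  # row 4
    ("S2", "F1", "P1"): "b",  # rows 5, 7
    ("S2", "F1", "P2"): "c",  # rows 6, 8, 10
    ("S2", "F2", "P1"): "c",  # row 2
    ("S3", "F1", "P2"): "e",  # row 12
    ("S3", "F2", "P2"): "e",  # row 11
}


def rate_severity(anticipated_outcomes: Counter) -> Optional[str]:
    """A.2.1: rate the outcome expected in the bulk of accidents, not the rare
    worst case.  Keys are "S1"/"S2"/"S3" (or None when the operator is very
    unlikely to be injured); values are how many anticipated cases end that way."""
    if not anticipated_outcomes:
        return None
    level, _ = anticipated_outcomes.most_common(1)[0]
    return level


def rate_possibility(realistic_chance: bool,
                     avoidance_components: Iterable[str],
                     evaluated_components: Iterable[str]) -> str:
    """A.1.4: P1 only when there is a realistic chance of avoiding the accident
    AND the means of avoidance shares no components with the system under
    evaluation; otherwise P2."""
    shared = set(avoidance_components) & set(evaluated_components)
    return "P1" if realistic_chance and not shared else "P2"


def required_pl(severity: Optional[str], frequency: Optional[str],
                possibility: Optional[str]) -> Tuple[Optional[str], Optional[int]]:
    """Look up (PLr, SIL).  (None, None) means 'no requirement': no credible
    injury (severity None) or negligible exposure per A.2.2 (frequency None).
    Raises LookupError for a cell this page does not populate."""
    if severity is None or frequency is None:
        return None, None
    cell = (severity, frequency, possibility)
    if cell not in RISK_GRAPH:
        raise LookupError(f"{cell}: read this cell from Figure A.1; not encoded here")
    pl = RISK_GRAPH[cell]
    return pl, PL_TO_SIL[pl]


def off_road_reduction(pl: str) -> str:
    """A.2.3: a machine prohibited from on-road use may take one level less
    than its road-able counterpart for complete loss of steering and the
    associated traffic-collision risk.  PL a cannot go lower."""
    return PL_ORDER[max(PL_ORDER.index(pl) - 1, 0)]


if __name__ == "__main__":
    # Row 12: road-able wheeled loader, complete loss of steering, no warning.
    pl, sil = required_pl("S3", "F1", "P2")
    print("road-able loader:", pl, sil)                                     # e 3
    reduced = off_road_reduction(pl)
    print("loader too large for the road:", reduced, PL_TO_SIL[reduced])    # d 2
    # A.2.1: 999 minor injuries and one predicted death still rate S1.
    print(rate_severity(Counter({"S1": 999, "S2": 1})))                     # S1
    # A.1.4: dropping the bucket only counts if implement and brake hydraulics
    # are independent (component names are constructed for illustration).
    print(rate_possibility(True, {"implement valve", "implement pump"},
                           {"brake valve", "brake accumulator"}))           # P1
    print(rate_possibility(True, {"implement valve", "pilot supply"},
                           {"brake valve", "pilot supply"}))                # P2
```

The deliberate LookupError on an unpopulated cell is the point of the helper for a reviewer: a tool that silently returns a PLr for a combination the assessment never justified is exactly the kind of shortcut A.2.3 warns against when it asks for one risk assessment method applied consistently across all control systems evaluated.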
Table A.1 — Generic SIL/PLr risk assessments of hazard identification and risk parameter allocation for EMMs with and without MCS, using risk assessment similar to that of ISO 13849-1 or ISO 15998

Columns of the original table, given here as labelled fields for each row: hazard; severity of injury, S or C; frequency and/or exposure time to hazard, F; possibility of avoiding the hazard, P; required performance level, PLr; SIL.

Hazards to operator

1 – Steel tracked dozer travelling at speeds ≤ 12 km/h
Hazard: Uncommanded brake apply. Machine stops very abruptly.
S or C: N/A (not applicable). Operator very unlikely to be injured.
F: F2. Machine frequently propels at speeds adequate to cause minor injuries.
P: P1. Machine is provided with a seat belt; when used, it significantly reduces risk of injury. The operator can use feet to brace himself. Front of cab has no sharp edges inside the zone of reach. Machine typically slips traction as it stops, reducing the abruptness of the stopping.
PLr: no requirement. SIL: no requirement.

2 – Articulated dump truck travelling ≤ 60 km/h
Hazard: Uncommanded brake apply. Machine stops very abruptly.
S or C: S2/C2. Operator can experience significant injury during a rollover.
F: F2. Machine frequently propels at speeds and payload sufficient to cause a rollover.
P: P1. Machine is provided with a seat belt; when used, it significantly reduces risk of injury. The operator can use feet and hands to brace himself. Front of cab has no sharp edges inside the zone of reach. Payload prevents brake from locking in most cases. Machine ROPS prevents operator from being crushed.
PLr: c. SIL: 1.

3 – Rubber-tyred trencher travels < 12 km/h
Hazard: 1. Machine begins to propel with F/N/R in neutral. 2. Or machine propels in the opposite direction to that commanded.
— Operator is compelled to be present in operator station.
— Operator has at least one primary control to stop motion.
S or C: N/A. Operator very unlikely to be injured.
F: F2. Operator is normally present. Machine is frequently in neutral.
P: P1. Operator can press the service brake to stop. Machine is provided with a seat belt; when used, it significantly reduces risk of injury. Front of cab has no sharp edges inside the zone of reach. Machine speed is typically very slow, allowing more time for operator to respond.
PLr: no requirement. SIL: no requirement.

4 – Tractor loader backhoe travels ≤ 40 km/h
Hazard: 1. Machine begins to propel with F/N/R in neutral. 2. Or machine propels in the opposite direction to that commanded.
— Operator is compelled to be present in operator station.
— Operator has at least one primary control to stop motion.
S or C: S1 or C1. Operator can experience minor reversible injury. Bumps and bruises are most likely. In very rare cases the machine can roll and the operator can fall from the operator station and suffer more severe injuries.
F: F2. Operator is normally present. Machine is frequently in neutral.
P: P1. Operator can press the service brake to stop. Machine is provided with a seat belt; when used, it significantly reduces risk of injury. Front of cab has no sharp edges inside the zone of reach. Machine speed is typically very slow, allowing more time for operator to respond.
PLr: a. SIL: no requirement.

5 – Articulated wheeled loader, too big for on-road use, travel speed less than 40 km/h
Hazard: Complete loss of all brakes for stopping.
— Operator can only allow machine to coast to a stop or use attachment to stop.
— Steering remains functional.
S or C: S2/C2. Operators can be injured due to machine colliding with other machines. Machine can be involved in a rollover.
F: F1. Loaders typically operate near obstacles, including EMMs, that can be hit.
P: P1. Operator can steer the machine around obstacles. Machine is provided with a seat belt; when used, it significantly reduces risk of injury.
PLr: b. SIL: 1.

6 – Articulated wheeled loader
Hazard: Machine boom, bucket or other attachment moves without command. The equipment or attachment is turned off by a disabling lever, switch or similar.
S or C: S2/C2. Operator can be greasing machine, or otherwise near moving parts.
F: F1. Operator typically in harm’s way much less than 10 % of time.
P: P2. If operator is near moving part, it can be very difficult to get away quickly enough to prevent injury.
PLr: c. SIL: 1.

Hazards to bystanders

7 – Compact machine ≤ 20 km/h
Hazard: Machine begins to propel with F/N/R in neutral.
— Operator is compelled to be present in cab.
— Operator still has service brake.
S or C: S2/C2. Bystander can be crushed between machine and hard surface.
F: F1. Bystanders close to the machine and in the path less than 10 % of time.
P: P1. Operator can stop the machine in the normal operating position. Operator will instinctively apply braking. Bystander can move out of machine’s path.
PLr: b. SIL: 1.

8 – Steel-tracked dozer travelling at speeds ≤ 12 km/h
Hazard: Complete loss of all brakes for stopping.
— Operator can only allow machine to coast to a stop or use blade to stop.
— Steering does not remain functional.
S or C: S2/C2. Bystander can be crushed between machine and hard surface. Bystander can be run over.
F: F1. Bystander is not frequently present in potential path of the machine.
P: P2. There is no possibility to steer machine. Bystander can move out of machine’s path in some cases. Machine speed is initially lower than most EMMs.
PLr: c. SIL: 1.

9 – Tractor loader-backhoe travelling < 40 km/h
Hazard: Unexpected brake apply. Machine stops very abruptly, and can skid. Steering remains functional, but is limited.
S or C: S2/C2. Bystander can be crushed between machine and hard surface. Bystander can be run over.
F: N/A. Frequency is negligible, because a bystander is extremely unlikely to be in the path of a machine that is stopping faster than the operator intended, even in the event of a rollover.
P: N/A. No further evaluation is needed.
PLr: no requirement. SIL: no requirement.

10 – Skid steer loader
Hazard: Machine boom or bucket or other attachment moves without command.
— Operator is compelled to be in the operator station.
— Operator can stop engine, to stop movement.
S or C: S2/C2. Bystander can be crushed between machine and hard surface. Bystander can be run over.
F: F1. Bystander typically in harm’s way much less than 10 % of time.
P: P2. If bystander is near moving part, it can be very difficult to get away quickly enough to prevent injury.
PLr: c. SIL: 1.

Hazards to vehicular traffic

11 – Articulated grader travelling ≤ 50 km/h. Machine is roadable
Hazard: Complete loss of primary steering and emergency steering (either steers uncommanded or not at all while propelling).
— Operator has braking to stop the machine.
— Operator is not warned prior to loss of steering.
S or C: S3/C3. Vehicular traffic accident can result in multiple deaths.
F: F2. Roadable motor grader is frequently roaded.
P: P2. There is no possibility to steer machine. Vehicular traffic can move out of machine’s path in some cases.
PLr: e. SIL: 3.

12 – Articulated wheeled loaders < 40 km/h
Hazard: Complete loss of primary steering and emergency steering (either steers uncommanded or not at all while propelling).
— Operator has braking to stop the machine.
— Operator is not warned prior to loss of steering.
S or C: S3/C3. Potential to hit higher speed vehicle with multiple passengers.
F: F1. Multi-passenger vehicles in the path of machine much less than 10 % of time.
P: P2. There is no possibility to steer machine. Operator can stop the machine. Vehicle can be able to avoid the loader.
PLr: e. SIL: 3.

13 – Rigid frame haul truck, not allowed on highway, < 60 km/h
Hazard: Complete loss of primary steering and emergency steering (either steers uncommanded or not at all while propelling).
— Operator has braking to stop the machine.
— Operator is not warned prior to loss of steering.
S or C: S3/C3. Potential to hit higher speed vehicle with multiple passengers.
F: N/A. Neither used nor allowed on-road. Very rare risk of bus on mining site is negligible.
P: N/A. No further evaluation is needed.
PLr: N/A. SIL: N/A.
A.3 Safety integrity levels (SIL)/Performance Levels (PLr) from generic SIL/PLr risk assessments
A.3.1 Tables A.2 to A.5 show comparison SIL/PLr values for various machine forms and operating functions based upon example risk assessments and assignment of the SIL/PLr. These examples show the generic SILs/PLrs to illustrate conservative values for SRP/MCS.
A.3.2 Hazards are categorized according to the operator (Op.), bystander (Bys.) and vehicular traffic (Veh.). Vehicular traffic refers to automobiles, trucks and buses encountered while transporting on or working on highways. Vehicular traffic for this chart does not refer to other EMMs found on a job site.
NOTE 1 Regional requirements for roading are not necessarily the same as the values in Tables A.2 to A.5.
NOTE 2
...
