ISO/DIS 19014-1.2:2025(en)
ISO/TC 127/SC 2
Secretariat: ANSI
Date: 2025-05-30
Earth-moving machinery — Functional safety — Part 1: Methodology to determine safety-related parts of the control system and performance requirements
Engins de terrassement — Sécurité fonctionnelle — Partie 1: Méthodologie pour la détermination des parties relatives à la sécurité des systèmes de commande et les exigences de performance
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.
Contents
4 Method to determine MPLr for SRP/CS of earth moving machinery 6
4.1.1 Information for use Error! Bookmark not defined.
4.2 Machine Control System Safety Analysis (MCSSA) method 6
5 Requirements for immediate action warning indicators 6
6 Performance level determination procedures 7
6.2 Participants in the risk assessment 7
6.3 Assessment and classification of a potential harm 7
Table 1 — Examples of the descriptions of injuries 7
6.4 Assessment of exposure in the situation observed 7
Table 2 — Exposure to the hazardous event based on application profile 8
6.5 Assessment of a possibility to avoid harm 8
Figure 1 — Controllability classification 9
6.6 Determining the required MPL 9
Figure 2 — Determination of MPLr 10
Annex A (informative) Process flow chart for machinery risk assessment 11
Figure A.1 — Relationship between ISO 12100 and ISO 19014 12
Annex B (informative) Table of warning/operation indicators Error! Bookmark not defined.
Table B.1 — EMM indicators Error! Bookmark not defined.
Annex C (informative) List of possible safety control systems (SCS) of earth-moving machines 13
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 127, Earth-moving machinery, Subcommittee SC 2, Safety, ergonomics and general requirements, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 151, Construction equipment and building material machines - Safety, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).
This second edition cancels and replaces the first (ISO 19014-1:2018), which has been technically revised.The main changes are as follows:
— referenced standards dated;
— “quality measure” is clarified;
— wording, covering controllability when multiple actions are required to avoid a hazard, is improved (Section 6.5);
— the term machine abuse added;
— machine control system safety analysis (MCSSA) process updated to reflect content of ISO 19014-5:202X;
— r ISO 19014-5:202X changed to a normative reference;
— Guide 78 requirements covering information for use added.
A list of all parts in the ISO 19014-series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document addresses systems of all energy types used for functional safety in earth-moving machinery.
The structure of safety standards in the field of machinery is as follows.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspects, or one or more types of safeguards that can be used across a wide range of machinery.
— Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise).
— Type-B2 standards on safeguards (e.g. two-hands controls, interlocking devices, pressure sensitive devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.
This document is a type C standard as stated in ISO 12100.
This document is of relevance, in particular, for the following stakeholder groups representing the market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organisations, market surveillance etc.).
Others can be affected by the level of machinery safety achieved in accordance with this document:
— machine users and employers (small, medium and large enterprises);
— machine users and employees (e.g. trade unions, organizations for people with special needs);
— service providers, e. g. for maintenance (small, medium and large enterprises);
— consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate in the drafting process of this document.
The machinery concerned and the extent to which hazards, hazardous situations or hazardous events are covered are indicated in the scope of this document.
When the requirements of this type-C standard differ from those in type-A or type-B standards, the requirements of type-C standard take precedence over the requirements of the other standards for machines that have been designed and built according to the requirements of this type-C standard.
Earth-moving machinery — Functional safety — Part 1: Methodology to determine safety-related parts of the control system and performance requirements
1.0 Scope
This document specifies a methodology for the determination of performance levels required for earth-moving machinery (EMM) as defined in ISO 6165.
A machine control system safety analysis (MCSSA) determines the amount of risk reduction of hazards associated with control systems that is required for safety control systems (SCS). This reduction is quantified by the machine performance level (MPL) and the hazards are identified using the risk assessment principles as defined in ISO 12100 or by other means.
NOTE 1 Step 2 as shown in Annex A demonstrates the relationship between ISO 12100 and ISO 19014 as a complementary protective measure.
NOTE 2 ISO 19014 can also be used to assess the functional safety requirements of other off-road mobile machinery.
For those controls determined to be safety-related, the characteristics for architecture, hardware, software environmental requirements and performance are covered by other parts in ISO 19014.
The ISO 19014 series covers the significant hazards caused by the failure of a safety control system and excludes hazards arising from the equipment itself (for example, electric shock, fire,).
Other controls that are not safety control systems (SCS), that do not mitigate a hazard or perform a control function, and where the operator would be aware of a failure, are excluded from this standard (e.g. windscreen wipers, head lights, cab light,).
NOTE 3 A list of safety control systems is included in Annex B.
NOTE 4 Audible warnings are excluded from the requirements of diagnostic coverage.
This document is not applicable to EMM manufactured before the date of its publication
2.0 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 6165:2022, Earth-moving machinery — Basic types — Identification and vocabulary
ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction
ISO 19014‑2:2022, Earth-moving machinery — Functional safety — Part 2: Design and evaluation of hardware and architecture requirements for safety-related parts of the control system
ISO 19014‑3, Earth-moving machinery — Functional safety — Part 3: Environmental performance and test requirements of electronic and electrical components used in safety-related parts of the control system
ISO 19014‑4, Earth-moving machinery — Functional safety — Part 4: Design and evaluation of software and data transmission for safety-related parts of the control system
3.0 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12100:2010 and ISO 6165:2012 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
machine performance level
MPL
discrete level to specify the ability of safety-related part of control systems (3.3.2) to perform a safety function under reasonably foreseeable conditions
Note 1 to entry: The term MPL is used to describe the performance level from a safety-related part of a control system. The "M" refers to machine and denotes "earth moving machinery" covered by this document and is used to differentiate from other functional safety standards (e.g. PL, AgPL, ASIL, etc.).
3.1.1
machine performance level required
MPLr
discrete level required as determined by the processes specified in this document
3.1.2
machine performance level achieved
MPLa
discrete level achieved by the safety control systems (3.3.1), hardware, architecture and software
Note 1 to entry: Process for determination of MPLa will be covered in ISO 19014-2 and ISO 19014-4, under development.
3.2
functional safety
part of the overall safety relating to the equipment under control and its control system that depends on the correct functioning of the safety control system (SCS) (3.3.1) and other risk reduction measures
[SOURCE: IEC 61508-4:2010, 3.1.12, modified changed “EUC” to “equipment under control, changed “EUC control system” to “its control system”, changed “E/E/PE safety-related systems” to “safety control system (SCS) (3.3.1)”]
3.3
machine control system
MCS
system which responds to input signals from parts of machine elements, operator (3.4.1), external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
Note 1 to entry: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic and mechanical).
[SOURCE: ISO 13849-1:2023, 3.1.2]
3.3.1
safety control system
SCS
sub-system or system used by an MCS (3.3) to achieve functional safety (3.2) by affecting machine behaviour or mitigating a hazard
Note 1 to entry: A system which can fail in a way that creates a hazard is considered an SCS.
Note 2 to entry: For example, an SCS for propulsion can include throttle, gear shift, start and stop, etc.
3.3.2
safety-related part of the control system
SRP/CS
part of a control system that performs a safety function (3.1.27), starting from a safety-related input(s) to generating a safety-related output(s)
Note 1 to entry: The safety-related parts of a control system start at the point where the safety-related inputs are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostic coverage, they are also considered as SRP/CS.
Note 3 to entry: SRP/CS is a part or component within the specific MCS.
[SOURCE: ISO 13849-1:2023, 3.1.1, modified — Note 2 and 3 to entry have been added]
3.4
person group
groups of people analysed in the MCSSA (3.14)
3.4.1
operator
person operating the EMM and aware of associated risks or hazards
3.4.2
co-worker
person working in the vicinity of a machine and aware of associated hazards
3.4.3
bystander
person including non-employee, child, or member of the public with little or no awareness of machine hazards and no training
3.4.4
maintainer
person whose function is to perform maintenance tasks on the machine
Note 1 to entry: A maintainer is trained and familiar with the machine.
3.5
controllability
ability to avoid harm to the person group (3.4) at risk through the timely reactions of the operator (3.4.1), possibly with the support of alternative controls
3.6
exposure
percentage of time a person group (3.4) is exposed to the hazard
Note 1 to entry: The exposure is the product of the following dependent probabilities: application use case (3.11), hazard time (3.12), and person group exposure (3.15).
3.7
severity
estimate of the extent of harm to one or more individuals that can occur in a potentially hazardous situation
[SOURCE: ISO 26262-1:2011, 1.120]
3.8
operation indicator
means by which the state of the equipment or machinery is represented to an observer
[SOURCE: ISO 22555:2007, 3.2]
3.8.1
warning indicator
visual, sensory or audible indications where an action from the operator (3.4.1) or control system is required
3.8.2
immediate action warning indicator
warning indicator (3.8.1) requiring immediate action from the operator (3.4.1) to mitigate hazard or system failure
3.9
application
different industries where a machine is used in, that can have different hazardous situations from one another
Note 1 to entry: Applications can include general construction, road construction, waste management, quarrying, etc.
3.10
use case
intended use of a machine within an application (3.9)
Note 1 to entry: For example, a dozer can have dozing, ripping, travel and maintenance use cases within an application.
3.11
application use case
highest percentage of time a machine is anticipated to be used in a use case (3.10) within a given application (3.9) during the intended use of the life cycle of the machine
Note 1 to entry: Because the application use case represents the highest percentage of time, and not the average, that a machine in the population spends in a use case, the sum of application use cases across an application can be greater than 100 %.
3.12
hazard time
percentage of time within the work cycle of the application use case (3.11) where it is reasonably foreseeable that a hazard can exist if the control system being assessed fails
Note 1 to entry: For example, a dozer pushing material off a high wall is only exposed to the hazard of going over the high wall for the time where the machine is traveling towards the high wall within the stopping distance of the machine.
3.13
hazard zone
any space within or around machinery in which a person can be exposed to a hazard from the SCS (3.3.1) under analysis
[SOURCE: ISO 12100:2010 3.11, modified — “from the SCS under analysis” has been added.]
3.14
machine control system safety analysis
MCSSA
risk assessment used to determine the MPLr (3.1.1) for the SCS (3.3.1) on a machine as outlined in this document
3.15
person group exposure
highest percentage of hazard time (3.12) that someone from the person group (3.4) being assessed is present in the hazard zone (3.13)
Note 1 to entry: The analysis is a sum of all the persons exposed from the person group, not a single individual within that group i.e. not a single car driving by, but the flow of traffic.
3.16
failure type
description of the type of failure that can occur in a SCS (3.3.1)
Note 1 to entry: Failure types to consider include failure to apply, failure to release, uncommanded apply, uncommanded release, incorrect apply rate, incorrect release rate or incorrect direction, etc.
3.17
worst credible harm
estimation of severity (3.7) of the most severe harm that can realistically occur from a single hazardous event
3.18
machine abuse
activities that are outside the intended use of the machine and are beyond the reasonably foreseeable usage as communicated in the machine operation and service literature
EXAMPLE 1 Standing under a suspended load.
EXAMPLE 2 Using an earth-moving machine as an elevating work platform.
EXAMPLE 3 Intentionally driving machines in a way that would harm oneself or others.
EXAMPLE 4 Performing activities that are illegal.
Note 1 to entry: It is considered abuse to perform some maintenance tasks with the engine running or systems de-energized unless otherwise stated in the operator’s manual.
3.19
idle factor
a percentage adjustment to the H variable
Note 1 to entry: Idle factor is applied as part of determining the H variable (hazard time) to account for maximum or minimum idle time depending on the failure type
EXAMPLE 1 The failure type is uncommanded activation of the park brake, which is hazardous when the machine is in motion; therefore, the minimum idle time would be used (idle factor = 90 %).
EXAMPLE 2 The failure type is failure to apply the park brake, maximum idle time would be applied to hazards associated with a stationary machine (idle factor = 50 %).
3.20
work cycle
repeated process or task a machine performs within a use case
Note 1 to entry: Work cycles can be broken down into segments and steps.
4.0 Method to determine MPLr for SRP/CS of earth moving machinery
4.1 General
Functional safety is achieved by one or more SCS which rely on many technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic).
Parts of the SCS which provide safety functions are called safety-related parts of control systems (SRP/ CS). These can consist of hardware or software and can be separate or integrated parts of a control system. Such parts shall be included in the MCSSA process.
The objective is to reduce the risk associated with a given hazard (or hazardous situation) during intended use of the machine. This shall be achieved by applying both SRP/CS and non-SRP/CS protective measures to achieve a safe condition.
An examination of risk for safety functions is focused on injury to people. If in the analysis of potential harm, it can be established that damage is clearly limited to property and does not involve injury to people, this does not require a MCS to be classified as an SCS. In addition, it is the responsibility of the user (owner) to perform a specific job site risk assessment and these assessments are not part of the MCSSA process.
4.1.1 Machine control system safety analysis (MCSSA) method
When conducting an MCSSA, the following steps shall be followed. Applicable data from ISO 19014-5 may be used for the assessment but applicable data for other machine types and use cases that are not covered in ISO 19014-5 may be applied.
a) Identify all MCS or functions, and intended uses of the machine being evaluated.
b) Identify possible failure types for each MCS or function.
c) Identify risks presented for each failure type of each MCS or function.
1) If no risks are identified, the MCS or function is not an SCS but can still be covered by the requirements for quality measure (QM) (see 6.6).
2) If risks are identified, the MCS or function is an SCS. Continue MCSSA with step d).
d) Evaluate severity, exposure and controllability scores using the method defined in Clause 6, and continue to step e).
e) Determine MPLr using a risk graph (see Figure 2 in 6.6) for each failure type of each SCS, following the process in 6.3, 6.4 and 6.5. Select the highest MPLr to assign to that SCS as per 6.6.
f) If MCSSA was completed by function, not system, then assign MPLr to relevant SCS.
g) Use ISO 19014-2, ISO 19014-3 and ISO 19014-4 to determine the MPLa of the SCS, ensuring that MPLa ≥ MPLr.
If additional protective measures are added, they shall meet the MPLr for the SCS to which they relate.
5.0 Requirements for immediate action warning indicators
5.1 General
The principles of this standard can be applied to immediate action warning indicator intended to alert the operator of a possible hazard but these indicators shall not be designated as meeting a performance level as the indicator does not control the machine.
Note 1: Immediate action warning indicators can be OTE in category 2 architecture. See ISO 19014-2:XXXX, 7.5.3.
Note 2: Guidance on indicators can be found in ISO 6011.
6.0 Performance level determination procedures
6.1 General
This clause shall be applied when step d) in 4.2 is applicable and an SCS is required.
The architecture (e.g. redundant channels, additional protective devices, interlocks that share common components with the SCS.) of the SCS being reviewed shall not be considered during the MCSSA. Additional protective devices and interlocks can be a SCS, if so, an analysis is required.
Decisions made later in the life cycle that change the basis on which earlier decisions were made shall initiate a new MCSSA and assessment of the systems in accordance with all parts of ISO 19014.
6.1.1 Participants in the risk assessment
The MCSSA should involve a cross functional team, for example, electronic or electrical development, testing or validation, machine or hydraulics design, operator, service, sales and marketing.
6.1.2 Assessment and classification of a potential harm
Worst credible harm shall be used and can be determined using past incident history and the potential outcome of malfunctions of the SCS being analysed. The severity of harm shall be described for each relevant scenario in the MCSSA.
The most severe harm can be very improbable and the most probable harm can be inconsequential; either case can lead to an inappropriate estimation of risk.
Categorization shall be used in classifying the severity of harm in four categories: S0, S1, S2, and S3 (see Table 1).
The operator of the involved machine and other parties (e.g. people lending assistance, other operators of machinery, bystander, co-worker, etc.) in the hazard zone, shall be used in a detailed description of the harm.
Table 1 — Examples of the descriptions of injuries
S0 | S1 | S2 | S3 |
No significant injuries, requires only first aid | Injuries, requires medical attention, total recovery, reversible injury with no loss in work capacity after recovery | Severe injury, permanent loss in work capacity. | Fatality |
6.1.3 Assessment of exposure in the situation observed
6.1.4 Exposure calculation
This clause reflects the effects of possible failures in specific working and operating conditions.
The calculated exposure, E, shall be used to categorize the different frequencies or duration of exposure. It is calculated using the following formula:
where
A is the application use case;
H is the hazard time;
P is the person group exposure.
Demonstrations of how to calculate H and P variables are found in ISO 19014-5:202X.
Where an application use case has a cycle with variable H and P values, H × P can be calculated for each step and summed for the cycle to obtain a total H × P for the cycle.
The portion of the work cycle when the machine is not actively working, and where the hazard would not be possible, is included in the calculation for the H variable as idle factor.
Where idle factor is applied, a rationale for the value used should be included in the MCSSA documentation.
EXAMPLE 1 Wheel loader during a loading v-cycle the machine movement is stopped while waiting for a truck to arrive at loading point.
EXAMPLE 2 Hydraulic excavator during a loading cycle the swing and linkage movement is stopped while waiting for a truck to arrive at loading point.
6.1.5 Exposure level identification
Machines shall be designed to mitigate risks of all intended uses, even if the worst case intended usage is a small percentage of the total field population. Applications with different hazards than a typical machine, for example derivative machine, designed with control systems specifically for that application can be treated as specialized applications and removed from the analysis and be considered in a separate MCSSA.
Three levels, designated E0, E1, and E2, are used (see Table 2), where E serves as an estimation of how often and how long an operator or bystander is exposed to a hazard which can result in an injury to the person group that is exposed. When carrying out a MCSSA, the risk from the highest exposure shall be used. Lower exposures that have higher severities shall also be reviewed in the assessment in order to verify whether a higher performance level is generated.
Exposure for maintainers should reflect the time spent maintaining the machine, consideration shall be given in the MCSSA when SRP/CS is muted for maintenance purposes.
NOTE A hazard can be a combination of conditions (e.g. environmental and operational) of the machine.
Table 2 — Exposure to the hazardous event based on application profile
E0 | E1 | E2 |
E < 1 % | 1 % ≤ E < 10 % | E ≥ 10 % |
6.2 Assessment of a possibility to avoid harm
The controllability of a given hazard shall be assessed, taking into consideration human reaction (e.g. panic, repeated command of function.) and the capacity for the operator to react to the hazard and provide a means to enter a safe state. Alternative controls cannot be considered when they share a common cause failure with the system being analysed.
When considering multiple alternative actions, each of these actions shall be independent from each other.
The following factors are used to determine controllability and calculated using Figure 1.
— Alternative controls
— AC0 – no alternative controls or possible action
— AC1 – One or more alternative control or possible action
— Awareness of hazard
— AW3 – High: Known before action of function
— AW2 – Medium: Known at action of function, all the time
— AW1 – Low: Known at action of function, some of the time
— AW0 – None: Not known at action of the function e.g a system one cannot see or one is not aware of, operating with an uncommand action
Warning indicators shall only be considered in the assessment of awareness of hazard when they are defined as an immediate action warning indicator that has no common components with the SRP/CS of the system being analysed.
— Ability to react
— AR 3 – Operator can react in time, natural response, operator has hand or foot on control e.g operator can steer around hazard when brakes fail
— AR 2 – Operator can react in time, natural response, operator has to move hand or foot to operate e.g. operator applies park brake when brake fails
— AR 1 – Operator can react in time, unnatural response e.g operator grounds implement when brakes fail
— AR 0 – Regardless of if there is another system to respond with, the operator or system is unable to respond in time to avoid the hazard
Multiple actions include expected, intended and intuitive actions, and shall be documented. This process will vary according to machine type and the application that is being considered. For example, with a machine propulsion failure, it is natural to apply the brake, which is under the operator’s foot. If the brake application is not effective in avoiding the hazard completely, it is expected and intuitive that the operator lowers the implement. When using more than one action to avoid a hazard, select the lower AR score of the actions taken.
Examples of possible safety control systems are included in Annex B.
Classification of controllability
— C0 – High controllability
— C1 – Medium controllability
— C2 – Low controllability
— C3 – No controllability
Key
AC Alternative Controls
AW Awareness of hazard
AR Ability to react
Figure 1 — Controllability classification
6.2.1 Determining the required MPL
The required MPLr is determined in Figure 2 by combining the severity, exposure, and controllability values for each identified hazard on the risk assessment. SCS used in multiple scenarios where the severity, controllability or exposure can vary, each scenario shall be considered. The highest performance level determined by the MCSSA shall be used for that SCS.
In addition to these levels, there is a quality measure (QM) whose implicit requirement is to carry out system development in accordance with quality management tools or system (see ISO 19014-2:2022, Clause 7.1), relevant technical requirements and standards as applicable.
Key
S severity
E exposure to hazardous event
C controllability
QM Quality Measure
a, b, c, d, e Machine Performance Level required, MPLr
Figure 2 — Determination of MPLr
7.0 Verification of the safety requirements and/or protective/risk reduction measures
Verification of the safety requirements and/or protective/risk reduction measures shall be confirmed in accordance with ISO 19014-2:20XX.
8.0 Information for use
Limits of machine use, notable assumptions or examples of machine abuse considered in this document shall be communicated in the information for use in accordance with ISO 19014-2:2022, Clause 8 and ISO 12100:2010, 6.4 and 6.4.5.
(informative)
Process flow chart for machinery risk assessment
See Figure A.1.
a ISO 12100:2010, Clause 6, further defines what can be considered adequate risk reduction; inherently safe design measures, and either safeguarding or complementary protective measures, or both, for use.
Figure A.1 — Relationship between ISO 12100 and ISO 19014
(informative)
List of possible safety control systems (SCS) of earth-moving machines
This is a non-inclusive list of possible SCS for earthmoving machines. On any given machine, these systems can be considered SCS, depending on MCSSA and machine application.
ISO 19014-5 provides further details on which systems are SCS.
BRAKES:
— Service brakes (MCSSA and standards determine secondary brake requirements).
— Park brake (manual or automatic).
— Retarder.
STEERING:
— Steering system (MCSSA and standards determine secondary steering requirements).
IMPLEMENTS:
— Raise, lower, left, right of all linkage movements.
— Powered quick coupler.
PROPULSION:
— Throttle control.
— Transmission.
— Direction.
— Gear selection.
HAZARD MITIGATION SYSTEMS:
— Emergency stop (if fitted).
— Operator presence.
OTHERS:
— Remote control systems.
— Powered access systems.
— Excavator swing system.
— Lock out systems (for maintenance).
— Interlocks.
Annex ZA
(informative)
Relationship between this European Standard and the essential requirements of Regulation (EU) 2023/1230 aimed to be covered
This European Standard has been prepared under a Commission’s standardization request C(2025)129 final Commission Implementing Decision of 20 January 2025 to the European Committee for Standardization and to the European Committee for Electrotechnical Standardization as regards machinery in support of Regulation (EU) 2023/1230 of the European Parliament and of the Council (M/605) to provide one voluntary means of conforming to essential requirements of Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery (OJ L 165, 29.6.2023).
Once this standard is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of this standard given in Table ZA.1 confers, within the limits of the scope of this standard, a presumption of conformity with the corresponding essential requirements of that Regulation, and associated EFTA regulations.
Table ZA.1 — Correspondence between this European Standard and Annex III of Regulation (EU) 2023/1230
The relevant Essential Requirements of Regulation (EU) 2023/1230 | Clause(s)/sub-clause(s) of this EN | Remarks/Notes |
1.2.1 | 4, 5, 6, 7 |
|
1.7.4.2 (g) | 8 |
|
WARNING 1 — Presumption of conformity stays valid only as long as a reference to this European Standard is maintained in the list published in the Official Journal of the European Union. Users of this standard should consult frequently the latest list published in the Official Journal of the European Union.
WARNING 2 — Other Union legislation may be applicable to the product(s) falling within the scope of this standard.
Bibliography
[1] ISO 6011:2003, Earth-moving machinery — Visual display of machine operation
[2] ISO 13849‑1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
[3] ISO 19014‑5, Earth-moving machinery — Functional safety — Part 5: Tables of performance levels
[4] ISO 20474‑1:2017, Earth-moving machinery — Safety — Part 1: General requirements
[5] ISO 26262‑1:2018, Road vehicles — Functional safety — Part 1: Vocabulary
[6] ISO 22555, Ships and marine technology — Propeller pitch indicators
[7] IEC 61508‑4:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations (see Functional Safety and IEC 61508)
