Jorgen Bergs Ten

7/27/2019 Jorgen Bergs Ten

1/26

ISO 15998:2008Earth-moving machinery Machine control systems (MCS) using

electronic components Performance criteria and tests forfunctional safety

Jrgen Bergsten
http://jb.ppt/http://jb.ppt/


2/26

Laws & Regulations, Jrgen Bergsten, ISO 15998:2008

2

Volvo Construction Equipment

2009-08-24
http://violin.volvo.net/volvogroup/corporate/en/policies_and_strategies/our_values/corporate_values/policies_strat_values_corpval_safety/policies_values_safety.htm


3/26


3


2009-08-24

Volvo CE are manufacturing

Machinery Not Vehicle

2007

/46/EC

2003/

37/EC

2006

/42/EC

2002

/24/EC

From legal point of view,

same legislation as an.

upright drilling machine


4/26


4


2009-08-24

Europe (CE marking) NA and rest of the world No Directives in NA or other parts of

the world as I know. In NA applicableparts of OSHA, MSHA and SAE shouldbe fulfilled. ISO standards are valid inNA as well as most of the world.

ISO 20474-1 are more or less similarto EN 474-1 and could be used outsideEurope. (rollers are included as part 13)Will be national std. In China 2011-01-01

No Standard are Law. Standards arereflecting what we call State of the Art

Deviation from a Standard are permitted,IF there is verified that the Requirement isnot applicable OR the safety level arereached in another way

Machinery Directive

2006/42/EC

Harmonized standard

EN 474-1:2006+A1:2009

EN 500-1:2006

Normative references, such as

ISO 15998:2008

M C S
http://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.htmlhttp://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.htmlhttp://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.htmlhttp://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.htmlhttp://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.htmlhttp://ec.europa.eu/enterprise/newapproach/standardization/harmstds/reflist.html


5/26


5


2009-08-24

Machinery

Directive

2006/42/EC

EN 474EN 500

ISO 15998

Machine ControlSystems

EN ISO 13849-1 ISO 62061

ISO 13766

E M C

ISO 5010

Steering

ISO/CD 3450

Brakes

Some connections to / from other standards vs.

ISO 15998:2008

Alternative standards

Harmonized Std.

Normative Ref.

IEC 61508Part 2 and 3


6/26


6


2009-08-24

ANNEX I

ESSENTIAL HEALTH AND SAFETY REQUIREMENTS RELATINGTO THE DESIGN AND CONSTRUCTION OF MACHINERY

GENERAL PRINCIPLES1. The manufacturer of machinery or his authorized representative

must ensure that a risk assessment is carried out in order todetermine the health and safety requirements which apply to the

machinery. The machinery must then be designed and constructedtaking into account the results of the risk assessment.

By the iterative process of risk assessment and risk reduction referredto above, the manufacturer or his authorized representative shall:

determine the limits of the machinery, which include the intendeduse and any reasonably foreseeable misuse thereof.

According to the Machinery directive 2006/42/EC


7/26


7


2009-08-24

Reference from EN 474-1:2006+A1:2009

5.16 Electro-magnetic compatibility (EMC)

Earth-moving machines shall comply with the requirements of

electromagnetic compatibility as specified in EN 13309:2000 1).

5.17 Electrical and electronic systems

5.17.1 General

Safety related electrical function shall comply with ISO 15998:2008.

1)

ISO 15998 refer to ISO 13766


8/26


8


2009-08-24

ISO 15998:2008

Earth-moving machinery Machine control systems (MCS)using electronic components Performance criteria and

tests for functional safety

1 Scope

This International Standard specifies performance criteria and tests for

functional safety of safety-related machine-control systems (MCS) using

electronic components in earth-moving machinery and its equipment, as

defined in ISO 6165. The procedures of ECE R79, Annex 6, ISO 13849-1 or IEC

62061 can be used as an alternative, provided verification and testing is carried

out by the manufacturer using Clause 7 of this International Standard.


9/26


9


2009-08-24

Structure of ISO 15998

Foreword

Introduction

1 Scope

2 Normative references

3 Terms, definitions and

abbreviated terms

4 General safety requirements5 Additional requirements for

safety-related machine-control

systems

6 Documentation

7 Tests for safety-related MCS

Annex A (informative)

Guidance for risk assessment

Annex B (informative)

Example of schematic breakdownof systems specification

Annex C (informative)

List of well-tried componentsAnnex D (informative)

Recommendations for bus-

systems for transmission of

safety-related messagesBibliography


10/26


10


2009-08-24

References from ISO 15998 into specific parts of

IEC 61508

Risk analysis and assessment

This may be made in accordance with risk assessment methodologies

such as ISO 14121-1 orIEC 61508-5:1998, Annex D. An example is

given in Annex A of this International Standard.

Performance criteria for the safety concept

The safety concept includes all measures which provide for safe

operation beyond the standard operation (for guidance, seeIEC 61508-2:2000, 7.2.3.1).


11/26


11


2009-08-24

To be able to Verify that you have fulfilled the15998 requirements, you need a structure in

your project

Test Reports

FunctionalSpecifications

Documentation etc.

Risk analysis and assessment

VerificationSpecifications

System Safety Program Plan

Environmental Specification

ISO 15998 Compliance ReportSimplifie

dove

rview

Also

describing

safe state

as well as

safety

concept


12/26


12


2009-08-24

1

23 4

System Safety Program Plan

15998 verificationTo be able to manageall safety issues in a

project, you need to

have a Safety Plan

Not mandatory, but

requested when you

need to use a third

party for examination


13/26


13


2009-08-24

The system description shall also include requirements for the

environmental conditions during the intended operation of the

machine:

climatic conditions (temperature, humidity);

mechanical conditions (vibration, shock);

corrosion conditions (salt spray, gas pollution);

electrical conditions (over- and under-voltage);

electromagnetic conditions;

power-source-voltage fluctuation

Environmental conditions

If You dont

know about

Environmental

threats, you

Cant designA safe machine


14/26


14


2009-08-24

Electromagnetic compatibility (EMC)

The machine-control system shall fulfill the requirements of

ISO 13766.

Earth-moving machinery immunity, for movement controls:

The immunity requirements are fulfilled by a field strength of100 V/m


15/26


15


2009-08-24

Example of typical safety-related machine-control systems

using electronic components, in Earth-moving machinery.

Steering (Steering Wheel and

additional steering controls)

Bakes (service, secondary

and parking brakes)

Attachment controls

Engine speed control (-s)

Gearbox control (-s)

Differential lock

Etc..


16/26


16


2009-08-24

Risk Assessment

Its required to perform

Risk Assessment,

examples of methods

are ISO 14121-1 or

IEC 61508-5 Annex D.

Example is given in ISO

15998 Annex A


17/26


17


2009-08-24

When comparing risk graphs in IEC 61508

annex D with ISO 13849-1, its not giving you thesame result!

Therefore the Working Group of ISO 15998-2 (guideline for ISO

15998) propose (doc. ISO/TC 127SC 3/WG 8 N22).

Abstract from ISO 13849-1

Based on

Volvo proposal
http://10-02-01%20sc3%20wg8%20%20n22%20iso%2015998-2%20meeting%20announ.ppt/http://10-02-01%20sc3%20wg8%20%20n22%20iso%2015998-2%20meeting%20announ.ppt/http://sil%20vs%20pl.ppt/http://10-02-01%20sc3%20wg8%20%20n22%20iso%2015998-2%20meeting%20announ.ppt/


18/26


18


2009-08-24

Abstract from ISO/WD 15998-2

Worki

ngDr

aft,Stil

lund

erdiscu

ssion


19/26


19


2009-08-24

Fault avoidance and fault control

IEC 61508-2:2000, Annexes A and B, orother comparable methods,shall be used as a guide to measures and the techniques for theavoidance and control of faults.

Requirements for programmable electronic systems (PES)

The software shall be developed and validated according toappropriate measures (see, for example, IEC 61508-3:1998,

Annex A orISO 13849-1:2006).

Additional functional tests for safety-related machine-controlsystems

A simple functional test, e.g. in accordance with IEC 61508-7:2000,B.5.1 and an expanded functional test, e.g. in accordance with IEC61508-7:2000, B.6.8, shall be made


20/26


20


2009-08-24

Safety could be increased, even when

using the same componentsEx. Differential lock (or equal functions)

SIL 2 ECU+

SwitchPerformance

Level = c

SIL 1 ECU

On-line monitoring

On-line monitoring


21/26


21


2009-08-24

Its always possible to use other comparablestandards, when something is missingAccording to EN ISO 13849-1

it is possible (within certain limits) for a single channel of safety-related parts ofhigh reliability in one technology to provide the

same or higher PL as a fault-tolerant structure of lower reliability

in another technology

1oo1D

1oo2D

Compare

with steeringpivot pin


22/26


22


2009-08-24

Even If you are using EN ISO 13849-1 or otherstandards you still need to verify compliance withclause 7.2 Tests of machine-control systems

7.2.1 Test content

The tests are as follows:

a) test of basic functions (see function and system description in

accordance with 4.2 and description of the basic function in

accordance with 4.3);

b) entering of safe-state test (see 5.4);

c) functional test at operating temperature and humidity in accordance

with 4.6.2 and 7.2.2;

d) EMC test in accordance with 4.6.4;

e) shock and vibration tests in accordance with 4.6.5, 7.2.3 and 7.2.4.


23/26


23


2009-08-24

Additional functional tests for safety-related

machine-control systems

All safety-related machine-control systems shall be tested in

accordance with Clause 5 with the following addition.

A simple functional test, e.g. in accordance with IEC 61508-7:2000,B.5.1 and an expanded functional test, e.g. in accordance with

IEC 61508-7:2000, B.6.8, shall be made.

NOTE Alternative means for verification are also permitted

besides those of the IEC 61508 standards cited in this

International Standard.

Clause 5, only for SIL1


24/26


24


2009-08-24

Documentation

The manufacturer shall retain, according to the manufacturer's record retentionpolicy, all relevant documents for the general safety requirements of themachine-control system in accordance with Clause 4. The documentationshall include at least the following:

a description of the machine-control system in accordance with 4.2;

a description of the basic function in accordance with 4.3;

risk analysis and assessment in accordance with 4.4;

requirements for the safety concept in accordance with 4.5 (including block

diagram with functional description of each block, circuit diagram for externalconnection, description of external signals);

the test case and test results, in order to prove the complete fault-coveragetest.

The documentation showing how the validation of the systems logic has beenmade during the development stage (see 4.5) shall include

a block diagram with a functional description of each block, and

a circuit diagram for external connection, and description of external signals.


25/26


25


2009-08-24

Documentations

A verification of the safety concept for safety-related machine-controlsystems in accordance with Clause 5 is based on a detailed

documentation of the safety-related part of the system. This may be in

the form of

circuit diagrams for internal electronic circuits with a description of the

individual blocks and components,

a functional description of the circuit diagrams,

parts lists, including parts identification and names of the individual

positions, rating values and tolerances,

a description of the relevant loads, type nomination and manufacturer

of the components, data sheets for special and critical components,and

a failure mode and effects analysis of the fault conditions.

Clause 5, only for SIL1


26/26


26


2009-08-24

If you do not know about the hazards involved

you cant make a safe machine-control function

Thanks for Your attention

Jorgen Bergs Ten

Documents

Transcript of Jorgen Bergs Ten