Functional Safety Standards for Non-Road Vehicles

Colin Pawsey

Functional Safety is a complex issue for Non-Road Vehicles. Many of these types of vehicles also function as machines in a variety of different ways, and while ISO 26262 applies to automotive-specific electronic systems, various other standards can also come into consideration. IEC 61508, the standard from which ISO 26262 was derived, is also the parent standard of IEC 62061which relates to functional safety of electrical/electronic/programmable electronic safety-related systems, and is written specif-ically for the machinery sector. Furthermore, the standard ISO 13849 (which has been adopted as a successor to EN 954-1, to become EN ISO 13849-1), relates to the design of safety-related control sys-tems in the machinery sector.

Unique Challenges

This situation presents manufacturers with unique challenges as different parts of a non-road vehicle may be covered by different standards, and it becomes increasingly complex to ensure that all of the standards are being met. In addition to those mentioned above, other standards that are applicable include:
  • The updated machinery directive 2006/42/EC, which contains clarifications regarding the machines covered by the directive and encompasses machines, replaceable equipment, safety components, lifting devices, chains and wires, mechanical power transmissions and partly completed machines. The directive sets out requirements for the control systems of the range of machines covered to be constructed and manufactured so that hazardous situations are avoided. This implies that faults in the control system’s hardware and software should not lead to hazardous situations, and also implies that foreseeable faults in handling of the machine should not lead to hazardous situations.
  • ISO 15998 applies to safety-related machine-control systems in earth-moving machinery and its equipment. This includes the group of vehicles that are primarily designed to perform excavation, loading, transportation, drilling, spreading, compacting or trenching of earth, rock or other materials. This standard also requires an understanding of further standards, as it refers to ISO 14121 or IEC 16508-5 (for risk assessment), ISO 13849-1 or 61508-3 (for hardware), and IEC 61508 Annex A and B ( for software).
  • There is no legislative requirement for functional safety, but adherence to the relevant standards is considered technical state-of-the-art in terms of liability in the event of an accident, and as such, pres-sure is on suppliers of non-road vehicles to ensure that the whole machine and all of its components are compliant with each standard as necessary.


Vehicle Safety Standards

ISO 26262 is the automotive-specific functional safety standard that focuses on safety-critical compo-nents. The standard features a system of steps to manage functional safety and regulate product de-velopment on a system, hardware, and software level. The standard provides regulations and rec-ommendations throughout the product development process from conceptual development through to decommissioning. In general terms, ISO 26262:

  • Provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecy-cle phases.
  • Provides an automotive-specific risk-based approach for determining risk classes (Automo-tive Safety Integrity Levels - ASILs)
  • Uses ASILs for specifying the items necessary safety requirements for achieving an ac-ceptable residual risk.
  • Provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved.

ISO 26262 redefines the three SIL (Safety Integrity Level) levels of the IEC 61508 standard into four levels, or ASILs (Automotive Safety Integrity Level). These specify the risks and the requirements for risk reduction. The ASIL is determined at the outset of the development process, when the intended functions of the system are analyzed with respect to potential hazards. An estimation of the level of risk is based on a combination of the probability of exposure, the possible controllability by the driv-er, and the severity of the outcome if a critical event occurs. Each safety requirement is assigned an ASIL of A to D, with D being the most critical. ISO 26262 details the specific minimum testing require-ments depending on the ASIL of the component.

Machinery Safety Standards

Machinery produced for the European market must be compliant with the machinery directive and therefore must meet the Essential Health and Safety Requirements (EHSRs) of the directive. Compli-ance with harmonized standards is not a legal requirement, but they are considered to be ‘best ad-vice’ documents, and provide an ‘approved route’ for machinery manufacturers to meet the EHSRs.
IEC 62061 was harmonised as EN 62061 in 2006, and covers safety of machinery, functional safety of safety-related electrical, electronic, and programmable electronic control systems. It was developed from the IEC/EN 61508 standard, and was written specifically for the machinery sector. It takes a quantitative risk-based approach, similar to that found in its parent standard.
EN 62061 is primarily aimed at developers and manufacturers of complex plant machinery utilising programmable controllers and fieldbus networks for safety functions; and developers of relevant ap-plication software and users of complex programmable safety systems that have been developed in accordance with IEC 61508. However, it becomes very relevant to non-road vehicles when they per-form operations not related to the vehicle itself. These ‘machinery functions’ fall under the machinery directive and a host of other standards will apply, apart from ISO 26262.

The other prominent standard for machinery is ISO 13849-1, which is the main standard for the design of safety-related control systems in the machinery safety sector, and the successor to EN 954-1. The standard was updated to incorporate the probabilistic approach to the assessment of safety-related control systems, and provides the probabilistic techniques required to in order to assess modern cir-cuits. The standard uses performance levels (PL) to determine the requirements of the control system, depending on the level and severity of risk. The PLs are described by the following parameters:

  • Category (Structural requirement)
  • Mean time to dangerous failure (MTTF)
  • Diagnostic coverage
  • Common cause failure
The level of each hazardous situation is classified in five stages from ‘a’ to ‘e’. A PL ‘a’ determines that the control function’s contribution to risk reduction is low, while ‘e’ means that it should be high. The Risk Graph produced with the standard is used to determine the required performance level of each specific safety function.
ISO 13849-1 also breaks down the procedural requirements for machine design, by providing a sys-tematic approach to the design of safety-related parts over several steps; including:
  • Defining the safety function requirements
  • Determining the required performance level (PL)
  • Design and technical realisation of the safety functions
  • Determining and evaluating the actual performance level
  • Verification; and
  • Validation

The various operations of non-road vehicles can fall under machinery standards, and the challenge for manufacturers of such vehicles is first to determine which set of standards is applicable to each component or function, and second to ensure that the necessary standards are being met on all sides.

Meeting the Challenges

While some manufacturers will have the resources to allocate staff specifically to functional safety and compliance with the multitude of directives, this is not necessarily practical for many smaller manu-facturers and suppliers. Some companies will turn to functional safety consultancies that specialise in safety standards, and this could become a growing trend in the industry.

Without a full understanding of the various standards, it is difficult for developers and manufacturers to ascertain which set of standards they need to comply with, and this is one of the issues. Each of the standards relates to the design of components and control systems, and should be considered fully from the outset. With a clear understanding of the requirements of relevant standards, manufacturers can make decisions on which way to approach functional safety much earlier in the design process.

IEC 62061 and ISO 13849-1 are due to be merged into one standard in 2016. The merger will have a transition period of two years, and the new directive will apply worldwide, and aims to make things standardised and easier. The new standard will be IEC/ISO 17305, and should make things easier for the manufacturer from the point of view of machinery standards. It is intended to simplify matters by reducing the two standards into one, without any significant changes to procedures; while issues will be presented in a clearer, simpler format.

As vehicles and machinery incorporate more advanced electronic controls, functional safety gains importance as ultimately, it contributes to the protection of the occupants and users. The number of different standards which can apply to non-road vehicles makes for a complex landscape, and the industry will benefit from a streamlining of the various standards, as E/E systems continue to take control of ever more functions.

Impressum :
Firmeninformationen entsprechend § 5 Telemediengesetz
IQPC Gesellschaft für Management Konferenzen mbH
Address: Friedrichstrasse 94, 10117 Berlin
Geschäftsführung: Silke Klaudat, Richard Worden, Michael R. Worden
Telefonnummer: 030 20913 -274
Fax: 49 (0) 30 20 913 240
Email Adresse:
Registereintragungen: Amtsgericht Charlottenburg HRB 76720
Umsatzsteuer- Indentifikationsnummer DE210454451