
Bsi bs en 16590 2 2014


DOCUMENT INFORMATION

Basic information

Format
Pages 48
Size 1.3 MB

Content

BS EN 16590-2:2014

BSI Standards Publication

Tractors and machinery for agriculture and forestry — Safety-related parts of control systems

Part 2: Concept phase (ISO 25119-2:2010 modified)

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN 16590-2:2014. It supersedes BS ISO 25119-2:2010 which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee AGE/6, Agricultural tractors and forestry machinery.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014

ISBN 978 580 82329

ICS 35.240.99; 65.060.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2014.

Amendments issued since publication

Date | Text affected

EN 16590-2

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

April 2014

ICS 35.240.99; 65.060.01

English Version

Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO 25119-2:2010 modified)

Tracteurs et matériels agricoles et forestiers - Parties des systèmes de commande relatives à la sécurité - Partie 2: Phase de projet (ISO 25119-2:2010 modifié)

Sicherheit von Land- und Forstmaschinen - Sicherheitsbezogene Teile von Steuerungen - Teil 2: Konzeptphase (ISO 25119-2:2010 modifiziert)

This European Standard was approved by CEN on 23 February 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning
such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.

Ref No EN 16590-2:2014 E

BS EN 16590-2:2014
EN 16590-2:2014 (E)

Contents

Foreword
Introduction
Scope
Normative references
Terms and definitions
Abbreviated terms
Concept — Unit of observation
5.1 Objectives
5.2 Prerequisites
5.3 Requirements
5.3.1 Unit of observation and ambient conditions
5.3.2 Limits of unit of observation and its interfaces with other units of observation
5.3.3 Sources of stress
5.3.4 Additional determinations
5.4 Work products
Risk analysis and method description
6.1 Objectives
6.2 Prerequisites
6.3 Requirements
6.3.1 Procedures for preparing a risk analysis
6.3.2 Tasks in risk analysis
6.3.3 Participants in risk analysis
6.3.4 Assessment and classification of a potential harm
6.3.5 Assessment of exposure in the situation observed
6.3.6 Assessment of a possible avoidance of harm
6.3.7 Selecting the required AgPLr
6.4 Work products
System design
7.1 Objectives
7.2 Prerequisites
7.3 Requirements
7.3.1 Assignment of AgPL
7.3.2 Achieving the required AgPLr
7.3.3 Achievement of the performance level
7.4 Work products
Annex A (normative) Designated architectures for SRP/CS
A.1 General
A.2 Category B (basic)
A.3 Category
A.4 Category
A.5 Category
A.6 Category
Annex B (informative) Simplified method to estimate channel MTTFdC
B.1 General
B.2 Component MTTFd values
B.2.1 Determination of component MTTFd values
B.2.2 MTTFd for components from B10
B.3 Parts count method
B.4 Calculation of symmetric MTTFdC for two-channel architectures
Annex C (informative) Determination of diagnostic coverage (DC)
C.1 General
C.2 Estimation of the required DC
C.3 Estimation of channel DC
C.4 Calculation of channel DC
C.5 Calculation of DC
Annex D (informative) Estimates for common-cause failure (CCF)
Annex E (informative) Systematic failure
E.1 General
E.2 Procedure for the control of systematic failures
E.3 Procedure for the avoidance of systematic failures
Annex F (informative) Characteristics of safety functions
F.1 General
F.2 Start interlock
F.3 Stop function
F.4 Manual reset
F.5 Start and restart
F.6 Response time
F.7 Safety-related parameters
F.8 External control function
F.9 Muting (manual suspension of safety functions)
F.10 Operator warning
Annex G (informative) Example of a risk analysis
G.1 Workflow
G.2 Example risk analysis of an electro-hydraulic transmission for a self-propelled working machine (forage harvester) — Extract from a complete risk analysis
G.2.1 System description
G.2.2 Surrounding conditions
G.2.3 System states and transitions
G.2.4 System failures
G.3 Assessment
G.3.1 System failure — Stops unintentionally
G.3.2 System failure — Does not move when
commanded
G.4 Results
Annex ZA (informative) Relationship between this European Standard and the Essential Requirements of EU Machinery Directive 2006/42/EC
Bibliography

Foreword

This document (EN 16590-2:2014) has been prepared by Technical Committee CEN/TC 144 “Tractors and machinery for agriculture and forestry”, the secretariat of which is held by AFNOR.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by October 2014, and conflicting national standards shall be withdrawn at the latest by October 2014.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association, and supports essential requirements of EU Directive(s).

For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this document.

EN 16590 Tractors and machinery for agriculture and forestry — Safety-related parts of control systems consists of the following parts:

— Part 1: General principles for design and development
— Part 2: Concept phase
— Part 3: Series development, hardware and software
— Part 4: Production, operation, modification and supporting processes

The modifications to ISO 25119-2:2010 are indicated by a vertical line in the margin.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Introduction

EN 16590 sets out an approach to the design and assessment, for all safety life cycle activities, of safety-relevant systems comprising electrical and/or electronic and/or programmable electronic systems (E/E/PES) on tractors used in agriculture and forestry, and on self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture. It is also applicable to municipal equipment. It covers the possible hazards caused by the functional behaviour of E/E/PES safety-related systems, as distinct from hazards arising from the E/E/PES equipment itself (electric shock, fire, nominal performance level of E/E/PES dedicated to active and passive safety, etc.).

The control system parts of the machines concerned are frequently assigned to provide the critical functions of the safety-related parts of control systems (SRP/CS). These can consist of hardware or software, can be separate or integrated parts of a control system, and can either perform solely critical functions or form part of an operational function.

In general, the designer (and to some extent, the user) will combine the design and validation of these SRP/CS as part of the risk assessment. The objective is to reduce the risk associated with a given hazard (or hazardous situation) under all conditions of use of the machine. This can be achieved by applying various protective measures (both SRP/CS and non-SRP/CS) with the end result of achieving a safe condition.

EN 16590 allocates the ability of safety-related parts to perform a critical function under foreseeable conditions into five performance levels. The performance level of a controlled channel depends on several factors, including system structure (category), the extent of fault detection mechanisms (diagnostic coverage), the reliability of components (mean time to dangerous failure,
common-cause failure), design processes, operating stress, environmental conditions and operation procedures. Three types of failures are considered: systematic, common-cause and random.

In order to guide the designer during design, and to facilitate the assessment of the achieved performance level, EN 16590 defines an approach based on a classification of structures with different design features and specific behaviour in case of a fault.

The performance levels and categories can be applied to the control systems of all kinds of mobile machines: from simple systems (e.g. auxiliary valves) to complex systems (e.g. steer by wire), as well as to the control systems of protective equipment (e.g. interlocking devices, pressure sensitive devices).

EN 16590 adopts a risk-based approach for the determination of the risks, while providing a means of specifying the required performance level for the safety-related functions to be implemented by E/E/PES safety-related channels. It gives requirements for the whole safety life cycle of E/E/PES (design, validation, production, operation, maintenance, decommissioning), necessary for achieving the required functional safety for E/E/PES that are linked to the performance levels.

The structure of safety standards in the field of machinery is as follows.

a) Type-A standards (basic safety standards) give basic concepts, principles for design and general aspects that can be applied to machinery.

b) Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more type(s) of safeguards that can be used across a wide range of machinery:
  − type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
  − type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).

c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.

This part of EN 16590 is a type-B1 standard as stated in EN ISO 12100.

For machines which are covered by the scope of a machine specific type-C standard and which have been designed and built according to the provisions of that standard, the provisions of that type-C standard take precedence over the provisions of this type-B standard.

Scope

This part of EN 16590 specifies the concept phase of the development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry, and on self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to municipal equipment (e.g. street-sweeping machines). It specifies the characteristics and categories required of SRP/CS for carrying out their safety functions.

This part of EN 16590 is applicable to the safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES), as these relate to mechatronic systems. It does not specify which safety functions, categories or performance levels are to be used for particular machines.

Machine specific standards (type-C standards) can identify performance levels and/or categories or they should be determined by the manufacturer of the machine based on risk assessment.

It is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanic or pneumatic).

Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 16590-1:2014, Tractors and machinery for agriculture and forestry — Safety-related parts of control systems — Part 1: General principles for design and development

EN 16590-3:2014, Tractors and machinery for agriculture and forestry — Safety-related parts of control systems — Part 3:
Series development, hardware and software

Terms and definitions

For the purposes of this document, the terms and definitions given in EN 16590-1:2014 apply.

Abbreviated terms

For the purposes of this document, the following abbreviated terms apply.

ADC  analogue to digital converter
AgPL  agricultural performance level
AgPLr  required agricultural performance level
CAD  computer-aided design
Cat  hardware category
CCF  common-cause failure
CRC  cyclic redundancy check
DC  diagnostic coverage
DCavg  average diagnostic coverage
ECU  electronic control unit
ETA  event tree analysis
E/E/PES  electrical/electronic/programmable electronic systems

Table D.2 — Quantifying common-cause failure

Total score S | Measures to avoid CCF
65 % or better | Meets the requirements
Less than 65 % | Process failed → apply additional measures

Annex E (informative) Systematic failure

E.1 General

A systematic failure (see EN 16590-1:2014, definition 3.52) is related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

E.2 Procedure for the control of systematic failures

The following measures should be applied.

— Power loss
  The SRS should be designed so that with loss of its electrical supply, a safe state of the machine can be achieved or maintained. SRS behaviour in response to voltage loss, overvoltage and undervoltage conditions should be predetermined so that the SRS can achieve or maintain a safe state of the machine. For a single-point fail operational system (e.g. categories and 4), a redundant power supply is required.

— Measures to control or avoid the effects of the physical environment (e.g. temperature, humidity, water, vibration, dust, corrosive substances, electromagnetic interference)
  SRS behaviour in response to the effects of the physical environment should be
predetermined so that the SRS can achieve or maintain a safe state of the machine.

— Program sequence monitoring
  This should be used with SRS that contain software. A defective program sequence exists if the individual elements of a program (e.g. software modules, sub-programs or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty.

— Measures to control the effects of errors and other effects arising from any data communication process

E.3 Procedure for the avoidance of systematic failures

The following measures should be applied.

— Use of suitable materials and adequate manufacturing
  Select material, manufacturing methods and treatment in relation to, for example, stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity.

— Correct dimensioning and shaping
  Consider, for example, stress, strain, fatigue, temperature, surface roughness, tolerances, manufacturing.

— Proper selection, combination, arrangement, assembly and installation of components, including cabling, wiring and interconnections
  Apply appropriate standards and manufacturer's application notes, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice.

— Compatibility
  Use components with compatible operating characteristics.

— Withstanding specified environmental conditions
  Design each SRS so that it is capable of working in specified environmental conditions, e.g. temperature, humidity, vibration and electromagnetic (EMC). Use components that are designed to an appropriate standard and have their failure modes well defined.

— Design modularisation
  Use a hierarchical modularisation of the system in smaller, clearly defined subunits to such an extent that
  1) the functional and physical interfaces of each module are kept as simple as possible, i.e. the number of parameters exchanged with other modules should be manageable and testable, and
  2) the
number of safety-related states (e.g. start-up, operating, fault, etc.) for each module are manageable and testable.

— Restrictive use of common resources
  The use of common resources, such as memory (RAM, EPROM) or memory partitions, of an A/D converter by two and more modules, should either
  1) be avoided, or
  2) be done via standardized or defined interfaces with appropriate control measures (see EN 16590-3:2014, Clauses and 7).

— Separation of SRS and non-SRS
  In system design, a decision should be made whether a separation into safety-related and non-safety-related modules is possible. The interfaces between the two should be clearly specified. A separation can greatly reduce the time and effort for a development complying with this part of EN 16590 and reduce the overall complexity.

— Limitation on the number of system states
  The number of safety-related states that the unit of observation can have should be manageable and testable. This can be achieved, for example, through a hierarchical summary of module states.

— Use of proven design principles
  To reduce the risk of unknown and first-time errors, proven design principles should be used in the preparation of the technical safety concept. Examples of proven design principles are
  1) proven safety architectures, and
  2) proven measures for fault detection and fault control.

— Use of standardized interfaces
  To reduce the risk of unknown and first-time errors, wherever possible, the interfaces used should be defined in standards and should have been tried and tested in many applications.

In addition, one or more of the following measures should be applied, taking into account the complexity of the SRS and its performance level.

1) Design review
  Carry out a design review to reveal discrepancies between the specification and implementation.

2) Computer-aided design tools capable of simulation or analysis
  Perform the design procedure systematically and include appropriate automatic
construction elements that are already available and tested.

3) Simulation
  Perform a systematic and complete inspection of the SRS design in terms of both the functional performance and the correct specification of components.

Annex F (informative) Characteristics of safety functions

F.1 General

This annex provides typical safety functions which should be considered in the design of a safety-related control system. The designer should include the necessary safety functions to achieve the measures of safety required of the control system for the specific application.

F.2 Start interlock

Prevents safety functions from starting up unintentionally.

F.3 Stop function

A stop function initiated by a protective device should, as soon as necessary after actuation, put the machine in a safe state. Such a stop should have priority over a stop for operational reasons.

When a group of machines is working together in a coordinated manner, provision should be made to signal to the supervisory control and/or the other machines that such a stop condition exists.

NOTE Such a stop can cause operational problems and a difficult restart. In some applications, this function can be combined with a stop for operational reasons to reduce the temptation to defeat the safety function.

F.4 Manual reset

After a stop command has been initiated by a protective device, the stop condition should be maintained until the manual reset function is actuated and safe conditions for restarting exist.

The re-establishment of the safety function by resetting the protective device cancels the stop command. If indicated by the risk assessment, this cancellation of the stop command should be confirmed by a manual, separate and deliberate action (manual reset).

The manual reset function should:

a) be provided through a separate and manually operated function, different from start and restart, within the safety-related parts of the control system,
b) only be achieved if all safety
functions and protective devices are operative and, if this is not possible, the reset should not be achieved,
c) not initiate motion or a hazardous situation by itself,
d) be activated only by deliberate action,
e) prepare the control system for accepting a separate start command, and
f) only be accepted by actuation of the actuator from its released (off) position.

The category of safety-related parts providing the manual reset should be selected so that the inclusion of the manual reset does not diminish the performance level of the relevant safety function.

The reset actuator should be situated outside the danger zone and in a safe position from which there is a good visibility for checking that no person is within the danger zone.

F.5 Start and restart

A restart should take place automatically only if a hazardous situation cannot exist.

These requirements for start and restart should also apply to machines which can be controlled remotely.

F.6 Response time

The designer or supplier should declare the response time when the risk assessment of the safety-related parts of the control system indicates that this is necessary.

NOTE The response time of the control system is divided into three parts: failure recognition, initiate measures and reach safe state. The required overall response time of the machine can influence the design of the safety-related part.

F.7 Safety-related parameters

When safety-related parameters (e.g. position, speed, temperature, pressure) deviate from pre-set limits, the control system should initiate appropriate measures (e.g. actuation of stopping, warning signal, alarm).

If errors in manual inputting of safety-related data in programmable electronic systems can lead to a hazardous situation, then a data-checking system within the safety-related control system should be provided (e.g. check of limits, format and/or logic input values).

F.8 External control function

When a machine is controlled externally, for
example, by a portable control device or master-slave system, the following should also apply:

a) the means for selecting external control are defined;
b) switching to an external control device does not create a hazardous situation;
c) in case of loss of control of an external control device, the system goes to a defined state;
d) when a machine is remote-controlled as one of several devices located on the machine, switching between other control devices and remote control device does not create a hazardous situation.

F.9 Muting (manual suspension of safety functions)

Muting may be required for diagnostics or repair. During muting, safe conditions should be provided by other means (e.g. instructions). At the end of muting, all safety functions should be reinstated.

F.10 Operator warning

A suitable operator warning system should be considered as part of the safety function. Optical and/or audio methods may be used.

Annex G (informative) Example of a risk analysis

G.1 Workflow

The following activities should be carried out in a risk analysis.

Step 1: Description of the system to be examined.

Step 2: Listing of surrounding conditions. Every allowance made for operational limitations or human intervention should be accurately described.

Step 3: Description of the system to be examined using a state flowchart and transition tables.

Step 4: Listing of system failures without taking into account possible or already existing safety measures. Closer examination due to malfunctions and not due to causes of malfunctions.

Step 5: Estimation and assessment of EUC (equipment under control) risk for each hazardous event in risk tables. Bases of the assessment are the machine states and the transitions. Definition of the sequences of events leading to hazardous events (harm scenario) and determination of the possible effects associated with the hazardous events.

Steps to will be done in advance by the system developer and checked by all participants for
completeness and correctness during the implementation of the risk analysis, and corrected or extended if necessary. Steps to are generally used only for — in this example — the hydraulic gear box. Step is specific to various applications in different machines.

After these steps, the harm scenarios are prepared by all participants and assessed in terms of risk. The harm scenarios are then assigned to the appropriate systematic failures and system states in the risk tables.

G.2 Example risk analysis of an electro-hydraulic transmission for a self-propelled working machine (forage harvester) — Extract from a complete risk analysis

G.2.1 System description

The system is described as follows:

— electro-hydraulic motor electronically controlled, hydraulic-motor spring applied to neutral position;
— drive ranges are shifted mechanically;
— drive train connected to front axle;
— non-driven rear axle with steering function;
— etc.

Figure G.1 shows the principal structure of the drive train in schematic form.

Key E/E/PES hand-operated drive control hydraulic motor engine hydraulic pump gear shift transmission

Figure G.1 — Principal structure of the drive train

G.2.2 Surrounding conditions

The surrounding conditions are described as follows.

— The first gear is intended for field driving. Speed range in first gear is km/h up to 15 km/h. The second gear is used for road driving. Speed in second gear is km/h up to 30 km/h.
— A change of gears can mechanically be carried out only at a dead stop (output speed ≈ min−1). The control lever should be put into neutral.
— Etc.

G.2.3 System states and transitions

The state flowchart and the listing of transitions are one method of identifying the most severe system states. See Figure G.2.

Key
States to machine situations
1_2 to 7_6 transition from one state to another (including direction)

Figure G.2 — State flowchart

G.2.4 System failures

System failures are described
as follows:

— stops unintentionally;
— does not move when commanded;
— does not stop when commanded;
— changes speed unintentionally (without stopping);
— moves in wrong direction when commanded;
— etc.

All system failures need to be considered for the determination of the AgPLr. For the assessment (see G.3), the first and second system failure in the above list has been chosen as an example.

G.3 Assessment

G.3.1 System failure — Stops unintentionally

See Tables G.1 to G.3.

Table G.1 — System failure — Stops unintentionally

System states | Machine without driver (Level / Uphill / Downhill) | Machine with driver (Level / Uphill / Downhill)
Vehicle stopped, ignition off, engine off, neutral gear | N.A. / N.A. / N.A. | N.A. / N.A. / N.A.
Vehicle stopped, ignition on, engine off, neutral gear | N.A. / N.A. / N.A. | N.A. / N.A. / N.A.
Vehicle stopped, ignition on, engine on, neutral gear | N.A. / N.A. / N.A. | N.A. / N.A. / N.A.
Vehicle stopped, ignition on, engine on, in gear | N.A. / N.A. / N.A. | N.A. / N.A. / N.A.
Vehicle moving, acceleration | N.A. / N.A. / N.A. | Sc1/Sc2 / Sc1/Sc2 / Sc1/Sc2
Vehicle moving, deceleration | N.A. / N.A. / N.A. | Sc1/Sc2 / Sc1/Sc2 / Sc1/Sc2
Vehicle moving, constant speed | N.A. / N.A. / N.A. | Sc1/Sc2 / Sc1/Sc2 / Sc1/Sc2

Sc1 scenario
Sc2 scenario

NOTE All driving conditions are merged to Sc1/Sc2.

Table G.2 — Scenario Sc1

Operator
E3 | Forage harvester is driving on a public road with maximum speed; hydrostatic motor moves to neutral position; drive axle locks
C2 | High deceleration; loss of steering; vehicle moves into ditch or hits obstacle
S1 | Operator injured
Assumptions | Lock of drive axle immediately; weight transfer to drive axle
Result: AgPLr = a (see Figure 1)

Table G.3 — Scenario Sc2

Bystander
E3 | Forage harvester is driving on a public road with maximum speed; hydrostatic motor moves to neutral position; following traffic close behind machine; drive axle locks
C3 | Bystander cannot avoid collision
S2 | Bystander injured
Assumptions | Severity depends on design of the rear end of machine
Result: AgPLr = c (see Figure 1)

NOTE In this example the estimation of the parameters E, C and S depend on the type of machine, operation conditions, system behaviour and other circumstances.

G.3.2 System failure — Does not move when commanded

All system failures need to be evaluated (see G.3.1).

G.4 Results

The resulting system is AgPLr = c (the highest identified value).

Annex ZA (informative) Relationship between this European Standard and the Essential Requirements of EU Machinery Directive 2006/42/EC

This European Standard has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association to provide a means of conforming to Essential Requirements of the New Approach Machinery Directive 2006/42/EC.

Once this standard is cited in the Official Journal of the European Union under that Directive and has been implemented as a national standard in at least one Member State, compliance with the normative clauses of this standard confers, within the limits of the scope of this standard, a presumption of conformity with the relevant Essential Requirements 1.2.1 and 1.7 of Annex I of that Directive and associated EFTA regulations.

NOTE Compliance with the normative clauses of parts 1, 2, and of EN 16590 is required to achieve the presumption of conformity indicated in this annex.

WARNING — Other requirements and other EU Directives may be applicable to the product(s) falling within the scope of this standard.

Bibliography

[1] ISO 3600:1996, Tractors, machinery for agriculture and forestry, powered lawn and garden equipment — Operator's manuals — Content and presentation
[2] EN ISO 9001:2008, Quality management systems - Requirements (ISO 9001:2008)
[3] EN ISO 12100, Safety of machinery - General principles for design - Risk assessment and risk reduction (ISO 12100)
[4] ISO 15003, Agricultural engineering — Electrical and electronic equipment —
Testing resistance to environmental conditions [5] ISO/TS 16949:2009, Quality management systems — Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations [6] EN 61000-4-1, Electromagnetic compatibility (EMC) — Part 4-1: Testing and measurement techniques — Overview of IEC 61000-4 series (IEC 61000-4-1) [7] EN 61496-1, Safety of machinery — Electro-sensitive protective equipment — Part 1: General requirements and tests (IEC 61496-1) [8] HSE Guidelines on Programmable Electronic Systems in Safety-related Applications, Part (ISBN 11 883906 6) and Part (ISBN 11 883906 3) [9] MIL-HDBK-217F, Reliability Prediction of Electronic Equipment 1) [10] SN 29500, Reliability and quality specification failure rates of components 2) [11] RDF 2000, Reliability Data Handbook 3) [12] IEC/TR 62380, Reliability data handbook — Universal model for reliability prediction of electronics components, PCBs and equipment [13] FIDES Guide 2004, Reliability prediction standard 4) 1) Military Handbook, US Department of Defense 2) Siemens standard 3) Union Technique de l'Électricité (UTE), French national electrotechnical standards body 4) FIDES Group (French consortium) 44 This page deliberately left blank NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW British Standards Institution (BSI) BSI is the national body responsible for preparing British Standards and other standards-related publications, information and services BSI is incorporated by Royal Charter British Standards and other standardization products are published by BSI Standards Limited About us Revisions We bring together business, industry, government, consumers, innovators and others to shape their combined experience and expertise into standards -based solutions Our British Standards and other publications are updated by amendment or revision The knowledge embodied in our standards has been carefully assembled in a dependable format and 
refined through our open consultation process Organizations of all sizes and across all sectors choose standards to help them achieve their goals Information on standards We can provide you with the knowledge that your organization needs to succeed Find out more about British Standards by visiting our website at bsigroup.com/standards or contacting our Customer Services team or Knowledge Centre Buying standards You can buy and download PDF versions of BSI publications, including British and adopted European and international standards, through our website at bsigroup.com/shop, where hard copies can also be purchased If you need international and foreign standards from other Standards Development Organizations, hard copies can be ordered from our Customer Services team Subscriptions Our range of subscription services are designed to make using standards easier for you For further information on our subscription products go to bsigroup.com/subscriptions With British Standards Online (BSOL) you’ll have instant access to over 55,000 British and adopted European and international standards from your desktop It’s available 24/7 and is refreshed daily so you’ll always be up to date You can keep in touch with standards developments and receive substantial discounts on the purchase price of standards, both in single copy and subscription format, by becoming a BSI Subscribing Member PLUS is an updating service exclusive to BSI Subscribing Members You will automatically receive the latest hard copy of your standards when they’re revised or replaced To find out more about becoming a BSI Subscribing Member and the benefits of membership, please visit bsigroup.com/shop With a Multi-User Network Licence (MUNL) you are able to host standards publications on your intranet Licences can cover as few or as many users as you wish With updates supplied as soon as they’re available, you can be sure your documentation is current For further information, email bsmusales@bsigroup.com BSI 
Group Headquarters 389 Chiswick High Road London W4 4AL UK We continually improve the quality of our products and services to benefit your business If you find an inaccuracy or ambiguity within a British Standard or other BSI publication please inform the Knowledge Centre Copyright All the data, software and documentation set out in all British Standards and other BSI publications are the property of and copyrighted by BSI, or some person or entity that owns copyright in the information used (such as the international standardization bodies) and has formally licensed such information to BSI for commercial publication and use Except as permitted under the Copyright, Designs and Patents Act 1988 no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior written permission from BSI Details and advice can be obtained from the Copyright & Licensing Department Useful Contacts: Customer Services Tel: +44 845 086 9001 Email (orders): orders@bsigroup.com Email (enquiries): cservices@bsigroup.com Subscriptions Tel: +44 845 086 9001 Email: subscriptions@bsigroup.com Knowledge Centre Tel: +44 20 8996 7004 Email: knowledgecentre@bsigroup.com Copyright & Licensing Tel: +44 20 8996 7070 Email: copyright@bsigroup.com

Date posted: 14/04/2023, 08:28
