The ISO 3691-4 standard defines the safety requirements and verifications for driverless industrial trucks, including industrial mobile robots (IMRs) such as autonomous mobile robots (AMRs). The standard describes the safety requirements of the overall machine; therefore, it is the responsibility of the designer to decide where the safety functions are placed within the industrial truck modules as Figure 2-1 shows.

Figure 2-1 Simplified Mobile Robot Block Diagram

The safety standard ISO 3691-4 describes the safety considerations that must be implemented in case a hazardous situation exists, to meet the necessary risk reduction. For each of the described risk situations, the ISO 3691-4 standard assigns a minimum required performance level (PL) per ISO 13849-1. PL is a value commonly used to achieve a required risk reduction for each safety function and is defined in the standard of machinery ISO 13849-1.

Similarly to PL, several standards measure the system safety performance by using the safety integrity level (SIL) parameter defined in IEC 61508. The relation between PL and SIL levels is found in Table 2-1.

Both SIL and PL are discrete levels for safety performance and these levels quantify the diagnostic capabilities by using different parameters. SIL uses Safety Failure Fraction (SFF) as a parameter to quantify the ratio between safe faults and total faults of the system. Similarly, PL refers to the DC parameter as a measure of effectiveness of the diagnostics implemented in the system. However, both SIL and PL are related through two main parameters which are inversely proportional: MTTF (Mean Time to Dangerous Failure) – used in the ISO standards – and PFH (Probability of dangerous failure per hour) – used in IEC standards. By using this relation, it is possible to use both PL and SIL levels when assessing a system for safety.

Although PL or SIL applies to the complete safety function, typically formed by sensors, data processing and actuators, each one of those function subsystems need to meet a minimum PL or SIL. Per subsystem, different standards exist to describe how the safety level is met. As an example, for motor drives and actuators implementations, the subsystem specific standard, IEC 61800-5-2 is used to specify the safety requirements.

IEC 61800-5-2 defines the requirements for the design and development of motor drives by describing designated safety subfunctions such as safe torque off (STO), safe limited speed (SLS), safe brake control (SBC), and so forth.

Within the standard, IEC 61800-5-2 refers to ISO 13849-1 and describes the requirements needed for each subfunction to achieve a minimum PL. Moreover, aspects such as independence between systems, redundancy, and the processing time are discussed on both previously-mentioned standards and must be considered when implementing the system.

Therefore, prior to starting the system implementation, it is important to understand the key relationship between the safety requirements per application, the safety subfunctions needing to be implemented, and the level of risk reduction (SIL or PL) required per subfunction.

For this specific case, as summarized in Table 1 of ISO 3691-4, a minimum PLd level is required. Focusing on the motor drive subsystem, the safety subfunctions defined in IEC 61800-5-2 are used so as to meet the PLd requirements. Table 2-3 summarizes the main relationship between those three standards.