Rail mounted mobile machines are prolific in the mining industry and are used in many applications such as stacking of material on stockpiles, reclaiming of material and the loading of large bulk carrier ships.

In normal operation these machines are usually operated remotely (though not always, e.g. ship loaders), but due to their size and capability there are many personnel, financial and environmental risk scenarios associated with their operation and maintenance, for example:

  • Collision with other machines, maintenance equipment, tie-down cradle
  • Collision with stockpile
  • Operating beyond final limits
  • Boom tip overspeed

Depending on the machine type and installation the above scenarios can all lead to machine collapse and potential multiple fatalities. These machines are designed to meet the requirements / load cases specified in AS4324 (mobile equipment for continuous bulk handling of materials) but this does not prevent machine collapse in certain load cases.

Historically mobile machines were installed with hardwired safety circuits and protection devices such as emergency stops, pull wire switches, limit switches and relays which were designed to meet safety category levels (e.g. Cat 3). These category levels were introduced in 1997 via European standard EN594 and adopted by AS4024 (Safeguarding of Machinery).

In 2006 the European Standard ISO13849 was released and introduced the term ‘performance levels’ (PL) to specify the ability of safety related parts of a control system (SRP/CS) to perform a safety function.

The main improvements associated with the use of the performance level concept are the rating of the quality of the components used in the safety design and the quantification of the level of circuit monitoring, known as ‘diagnostic coverage’.

More recently the AS61508-2011 standard has been employed on mobile machine and similar applications. The advantage of AS61508 is that it is based on the ‘whole of life’ safety lifecycle process and uses a Safety Integrity Level (SIL) model which takes into account low, high and continuous demand modes of operation.

AS4024, by contrast, uses a simple decision tree to determine risk and does not cover the design of programmable electronic safety-related systems (e.g. safety PLC), which is a major deficiency for more complex applications. Note that AS61508 in turn does not cover the design of other risk reduction measures (i.e. guards, barriers, procedures); these are outside its scope.

AS62061 (safety of machinery) is another standard which can be used but it only covers the ‘realisation’ phase of the safety lifecycle and does not include ‘low’ demand modes of operation which are often applicable to mobile machines. It also does not include the design of other risk reduction measures.

In summary there are now a number of standards available to an electrical / control system designer for implementation of functional safety on a new or existing mobile machine:

  • AS4024 – Performance / CAT Levels
  • AS62061 – Safety Integrity Level
  • AS61508 – Safety Integrity Level

The designer may decide to use a combination of one or more of the above standards as the basis for their functional safety design. The approach and standards to be applied for a particular project or site will be detailed in the functional safety management plan. In general, the use of the SIL model and lifecycle phases described in AS61508 is preferred by many mining owners and end-users with complex applications such as mobile machines. Other risk reduction measures can be addressed by applying AS4024.

A typical functional safety lifecycle (which is a modified version of the AS61508 lifecycle) is shown following. The figure shows the lifecycle stages that are typically completed by the owner or functional safety designer.

The risk assessment / hazard identification phases (2 and 3) are critical to the functional safety design. The risk assessment determines all hazards relating to the equipment under control and the risks associated with those hazards. For this reason, it is essential the risk assessment workshops include knowledgeable representatives from engineering, maintenance and operations.

Once the hazardous scenarios (based on the client’s screening criteria) are identified, a quantitative risk assessment method recommended by AS61508, such as LOPA (layer of protection analysis), is used to calculate the gap to tolerable risk (the LOPA gap). Each scenario is classified as either high demand or low demand depending on the assessment of the demand on the safety related system:

  • Low demand – demand on system is no greater than one per year, e.g. machine boom impacts stockpile
  • High demand – demand on system is greater than one per year, e.g. boom conveyor running above roadway

For low demand mode the LOPA gaps are expressed as a Risk Reduction Factor (RRF):

Safety Integrity Level (SIL)    Target Risk Reduction (or RRF)
4                               > 10,000 to ≤ 100,000
3                               > 1,000 to ≤ 10,000
2                               > 100 to ≤ 1,000
1                               > 10 to ≤ 100


For high demand mode the LOPA gaps are expressed as a Probability of a Dangerous Failure per Hour (PFH):

Safety Integrity Level (SIL)    Probability of Dangerous Failure per Hour (or PFH)
4                               ≥ 10⁻⁹ to < 10⁻⁸
3                               ≥ 10⁻⁸ to < 10⁻⁷
2                               ≥ 10⁻⁷ to < 10⁻⁶
1                               ≥ 10⁻⁶ to < 10⁻⁵
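The following is an added worked example, not part of the original article, showing how the two tables above are applied to allocate a SIL target once a LOPA gap is known. The SIL bands and the one-demand-per-year threshold between low and high demand are the article's; the LOPA arithmetic (mitigated frequency = initiating event frequency × product of the credited IPL probabilities of failure on demand, required RRF = mitigated frequency / tolerable frequency) is the standard LOPA method and the function names, the sample scenario values and the handling of gaps outside the banded range are assumptions.

```python
# Added example (not from the article): allocating a SIL target from a LOPA gap.
# SIL bands reproduce the two tables above; the LOPA arithmetic is the standard
# LOPA method and is an assumption about how a site's screening criteria apply.
from enum import Enum
from math import prod
from typing import Iterable, Optional, Tuple


class DemandMode(Enum):
    LOW = "low demand (no more than one demand per year)"
    HIGH = "high demand (more than one demand per year)"


# Low demand: (SIL, lower, upper) with lower < RRF <= upper
RRF_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]
# High demand: (SIL, lower, upper) with lower <= PFH < upper
PFH_BANDS = [(1, 1e-6, 1e-5), (2, 1e-7, 1e-6), (3, 1e-8, 1e-7), (4, 1e-9, 1e-8)]


def demand_mode(demands_per_year: float) -> DemandMode:
    """Article's rule: demand no greater than one per year is low demand."""
    return DemandMode.LOW if demands_per_year <= 1.0 else DemandMode.HIGH


def lopa_required_rrf(initiating_freq_per_year: float,
                      ipl_pfds: Iterable[float],
                      tolerable_freq_per_year: float) -> float:
    """Risk reduction still required after crediting independent protection
    layers (IPLs), each with a probability of failure on demand (PFD)."""
    pfds = list(ipl_pfds)
    for pfd in pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"IPL PFD must be in (0, 1], got {pfd}")
    mitigated = initiating_freq_per_year * prod(pfds)
    return mitigated / tolerable_freq_per_year


def sil_from_rrf(rrf: float) -> int:
    """Low demand SIL target. 0 means the gap is below the SIL1 band (assumption:
    no SIL rated function is needed); a gap above SIL4 is rejected because the
    table stops there and a single safety function should not carry it."""
    if rrf <= 10:
        return 0
    for sil, lower, upper in RRF_BANDS:
        if lower < rrf <= upper:
            return sil
    raise ValueError(f"required RRF {rrf:g} exceeds the SIL4 band")


def sil_from_pfh(pfh: float) -> int:
    """High demand SIL target from the target dangerous failure rate per hour."""
    if pfh >= 1e-5:
        return 0
    for sil, lower, upper in PFH_BANDS:
        if lower <= pfh < upper:
            return sil
    raise ValueError(f"target PFH {pfh:g} is below the SIL4 band")


def allocate_sil(demands_per_year: float, *, rrf: Optional[float] = None,
                 pfh: Optional[float] = None) -> Tuple[DemandMode, int]:
    """Pick the table matching the demand mode and return (mode, SIL target)."""
    mode = demand_mode(demands_per_year)
    if mode is DemandMode.LOW:
        if rrf is None:
            raise ValueError("low demand scenarios are sized by RRF")
        return mode, sil_from_rrf(rrf)
    if pfh is None:
        raise ValueError("high demand scenarios are sized by PFH")
    return mode, sil_from_pfh(pfh)


if __name__ == "__main__":
    # Constructed scenario: boom impacts stockpile about once in ten years (low
    # demand), one operator-response IPL credited at PFD 0.1, tolerable
    # frequency 1e-4 per year. Values are illustrative, not from the article.
    rrf = lopa_required_rrf(0.5, [0.1], 1e-4)
    print(f"required RRF {rrf:.0f} -> {allocate_sil(0.1, rrf=rrf)}")
```

The band checks deliberately mirror the inequalities in the tables (strict lower bound and inclusive upper bound for RRF, the reverse for PFH), so a gap that lands exactly on a boundary is allocated the same way a reader of the tables would allocate it.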


The safety functions are identified and documented and a SIL target for each function is allocated based on the above tables. Typically, safety functions for mobile machines are required to prevent / detect the following conditions:

  • Long Travel / Slew / Boom Tip Overspeed
  • Slew Over Travel (collision between stacker structure and tripper)
  • Stacker Boom Conveyor Running over Roadway (ore stream striking personnel)
  • Stockpile Collision Side (e.g. Stockpile collision)
  • Stockpile Collision Underside (Boom grounding)
  • Vehicle Collision
  • Machine to machine collision (Stockyard anti-collision system)

The safety functions are implemented by the designer of the safety related electrical control system, with the following devices commonly used in the applications for mobile machines. Where possible / available all devices shall be safety certified (IEC61508 certification preferred):

Logic Solvers

  • Safety PLC (e.g. Rockwell GuardLogix, Schneider Modicon M580)
  • Safety software – use of safety certified logic instructions

Input / Sensing Devices

  • Safety I/O (dual channel with diagnostic capabilities, e.g. discrepancy, short circuit, open circuit detection)
  • Safety encoders (slew, luff, long travel position and speed)
  • Final limit devices (limit switches, proximity switches)
  • Pressure transmitters
  • GPS (non-safety, used for diagnostics only)

Output / Final Elements

  • Solenoid valves (brake lift, luff hydraulics)
  • Dual contactors (DOL drives)
  • Variable speed drive safe torque off (STO) and safe stop 1 (SS1) functions (long travel and slew drives)
  • Hydraulic and electromagnetic brakes

The safety position detection system implemented on the mobile machines is an important component of the safety hardware design. The recent improved availability of safety encoders which use safety rated communications to the safety PLC has meant that a safety certified position detection system can be implemented. This system normally comprises the following devices:

  • Dual redundant SIL3 rated safety encoders for each of long travel, slew and luff motions (e.g. Allen Bradley, TR electronics, Posital)
  • Calibration switch per encoder with uniquely identifiable strikers (e.g. Sick TR4 proximity switch, Turck inductive proximity switch)
  • GPS (non-safety devices used for diagnostics)

The use of redundant encoders allows the system to detect failure modes outside of the instrumentation itself. The GPS is used as a key diagnostic measure for long travel and slew positioning due to the negligible common-cause failure modes with encoders. The table below summarises a typical voting arrangement used for long travel and slew encoder positioning systems:

Voting arrangement (Healthy Devices / Operation Restrictions / Operation Arrangement / Description):

Healthy Devices: 2 x Encoders, 1 x GPS
  Operation Restrictions: No restrictions.
  Operation Arrangement / Description: For the machine to operate in this case, the two encoders must agree position values with the GPS. No restrictions are required in this case.

Healthy Devices: 2 x Encoders, 0 x GPS
  Operation Restrictions: No restrictions. High prominence alarm is raised to alert the operator. Time restriction – all affected machine motions are tripped when the timer expires.
  Operation Arrangement / Description: For the machine to operate in this case, the two SIL3 rated encoders must agree position values with each other. The system must be restored to have the GPS functioning correctly to prevent shutdown of the machine within the set time period. After the timer expires, the affected machine motion is tripped. All automatic sequences of the machine are interlocked and tripped.

Healthy Devices: 1 x Encoder, 1 x GPS
  Operation Restrictions: No restrictions. High prominence alarm is raised to alert the operator. Time restriction – all affected machine motions are tripped when the timer expires.
  Operation Arrangement / Description: For the machine to operate in this case, the one SIL3 rated encoder must agree its position value with the GPS. The system must be restored to have the second encoder functioning correctly to prevent shutdown of the machine within the set time period. After the timer expires, the affected machine motion is tripped. All automatic sequences of the machine are interlocked and tripped.

Healthy Devices: 1 x Encoder, 0 x GPS
  Operation Restrictions: Faulted – no operation.
  Operation Arrangement / Description: The affected machine motion is tripped. All automatic sequences of the machine are interlocked and tripped.
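The following is an added example, not code from the article or from any safety PLC vendor, that models the voting table above scan by scan for one machine motion (long travel or slew). Each device reads a position in metres or None when it has failed; the agreement tolerances, the timer value, and the rules used to decide which device is at fault when readings disagree (GPS arbitrates between two disagreeing encoders; a GPS that disagrees with two agreeing encoders is treated as unavailable) are assumptions that the table does not state.

```python
# Added example (not from the article): a scan-by-scan model of the encoder /
# GPS voting table for one machine motion. Tolerances, the timer value and
# the arbitration rules used when devices disagree are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    RUN = "no restrictions"
    DEGRADED = "no restrictions; high prominence alarm; time restriction running"
    TRIPPED = "affected motion tripped; automatic sequences interlocked and tripped"


def _agree(a: Optional[float], b: Optional[float], tol_m: float) -> bool:
    """Two readings agree when both are present and within tolerance."""
    return a is not None and b is not None and abs(a - b) <= tol_m


@dataclass
class PositionVoter:
    enc_tol_m: float = 0.05       # encoder-to-encoder agreement band (constructed)
    gps_tol_m: float = 0.5        # encoder-to-GPS band; GPS is coarser (constructed)
    time_limit_s: float = 3600.0  # degraded-mode time restriction (constructed)
    degraded_s: float = field(default=0.0, init=False)  # time spent degraded
    alarm: bool = field(default=False, init=False)      # high prominence alarm

    def _vote(self, enc_a, enc_b, gps) -> Tuple[List[float], bool]:
        """Return (healthy encoder values, gps_agrees) after arbitration."""
        enc = [e for e in (enc_a, enc_b) if e is not None]
        if len(enc) == 2 and not _agree(enc[0], enc[1], self.enc_tol_m):
            # The encoders disagree, so one has failed, but the encoders alone
            # cannot say which. GPS arbitrates: keep only the encoder it
            # confirms; with no GPS or an ambiguous result keep neither
            # (assumption, conservative).
            enc = [e for e in enc if _agree(e, gps, self.gps_tol_m)]
            if len(enc) != 1:
                enc = []
        # A GPS that disagrees with agreeing encoders is treated as unavailable
        # (assumption: GPS is the non-safety diagnostic device).
        gps_ok = bool(enc) and _agree(sum(enc) / len(enc), gps, self.gps_tol_m)
        return enc, gps_ok

    def step(self, enc_a, enc_b, gps, dt_s: float) -> Tuple[Verdict, Optional[float]]:
        """One logic-solver scan of dt_s seconds. Returns the verdict and the
        voted position (None when the motion is tripped)."""
        enc, gps_ok = self._vote(enc_a, enc_b, gps)
        position = sum(enc) / len(enc) if enc else None
        if len(enc) == 2 and gps_ok:
            # Row 1: 2 x Encoders, 1 x GPS. Full health clears the timer.
            self.degraded_s = 0.0
            self.alarm = False
            return Verdict.RUN, position
        if not enc or (len(enc) == 1 and not gps_ok):
            # Row 4: 1 x Encoder, 0 x GPS (or no healthy encoder at all).
            self.alarm = True
            return Verdict.TRIPPED, None
        # Rows 2 and 3: 2 x Encoders / 0 x GPS, or 1 x Encoder / 1 x GPS.
        self.alarm = True
        self.degraded_s += dt_s
        if self.degraded_s >= self.time_limit_s:
            return Verdict.TRIPPED, None
        return Verdict.DEGRADED, position


if __name__ == "__main__":
    # Constructed scan sequence: healthy, GPS lost, encoder B lost, both lost.
    voter = PositionVoter(time_limit_s=10.0)
    for scan in [(100.0, 100.02, 100.3), (100.0, 100.02, None),
                 (100.0, None, 100.3), (100.0, None, None)]:
        verdict, pos = voter.step(*scan, dt_s=1.0)
        print(scan, "->", verdict.name, pos, f"degraded {voter.degraded_s:.0f}s")
```

The timer only clears when the system returns to the full-health row, which is the behaviour the table describes ("the system must be restored ... to prevent shutdown within the set time period"); a move from one degraded row to another keeps accumulating time rather than restarting it.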



Determining how to implement functional safety on legacy mobile machines is an important consideration for many end users / owners. It is critical that they are not ignored because they are an ‘existing installation’ and that the risk assessment / hazard identification process is performed as it would be for a new machine. If the risk assessment process results in actions that are technically difficult to implement, these should be considered on a case by case basis with a so far as is reasonably practicable (SFAIRP) approach used to manage these risks. For example, emergency stop devices on machines are considered a complementary protective measure and, provided they comply with the requirements of local legislation and AS4024, they do not need to be upgraded.

Once a safety system is handed over to the end user / owner there are many considerations that need to be managed to maintain the integrity of the safety system, e.g.

  • Competency of maintenance and engineering personnel (management and recording)
  • Change management system
  • Proof testing
  • Operation and maintenance plan / procedures

The owner / end user needs to ensure that all relevant safety documentation is handed over; this can be in the form of a Functional Safety Dossier.

In summary companies have a legal, ethical and financial duty to manage and limit the risks posed by their operation. Following a systematic risk management process and implementing a rugged, well designed safety system as discussed in this article to manage these risks is an important part of fulfilling these obligations.