20200709_Guideline_for_Applying_Functional_Safety_to_Autonomous_Systems-

GMG-AM-FS-v01-r01

GUIDELINE FOR APPLYING

FUNCTIONAL SAFETY TO
AUTONOMOUS SYSTEMS IN MINING
SUBMITTED BY
Functional Safety for Autonomous Equipment Sub-committee

VERSION DATE
09 Jul 2020

APPROVED BY
Autonomous Mining Working Group
31 Jul 2020
and
GMG Executive Council
12 Aug 2020

PUBLISHED
18 Aug 2020

DATE DOCUMENT TO BE REVIEWED

18 Aug 2022

PREPARED BY THE FUNCTIONAL SAFETY FOR AUTONOMOUS EQUIPMENT SUB-COMMITTEE

OF THE AUTONOMOUS MINING WORKING GROUP

Global Mining Guidelines Group (GMG)

ii | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

DISCLAIMER

Although the Global Mining Guidelines Group (GMG) believes that the information on https://gmggroup.org, which includes
guidelines, is reliable, GMG and the organizations involved in the preparation of the guidelines do not guarantee that it is accu-
rate or complete. While the guidelines are developed by participants across the mining industry, they do not necessarily rep-
resent the views of all of the participating organizations. This information does not replace or alter requirements of any
national, state, or local governmental statutes, laws, regulations, ordinances, or other requirements. Your use of GMG guide-
lines is entirely voluntary.

CREDITS

Organizations Involved in the Preparation of these Guidelines

ABB, Abbott Risk Consulting, Agnico Eagle, Airobiotics, Alex Atkins & Associates, Ambuja Cements, AMOG Consulting, Antofa-
gasta Minerals, Australian Droid + Robot, Autonomous Solutions, BBA, BHP, British Columbia Ministry of Energy and Mines,
Cadia Valley Operations, Calibre Global, Canadian Natural Resources, Canary HLE, Caterpillar, CEMI, CITIC Pacific Mining,
Clickmox, DMIRS, Digital Mine from GE Transportation (a Wabtec Company), ECG Engineering, Edge Case Research, Epiroc,
Finning, Fluidmesh/CISCO, Fortescue Metals Group, Fundación Chile, Glencore, Gold Fields, Government of Alberta, Hard Line,
Haultrax, Hitachi, Hudbay Minerals, Imperial Oil, Infosys, Intersystems Chile, Ionic Engineering, JVA, Kevin Connelly, KMC Min-
ing, Komatsu, Lang O’Rourke, Liebherr, Ma’aden, Maclean Engineering, Marcus Punch, Marubeni Corporation, METS Ignited,
MineARC Systems, Minetec, Modular Mining Systems, New Gold, Newmont Goldcorp, NIOSH, Nova Systems, OSISoft,
Phoenix Contact, Proudfoot, RCT, Riivos, Rio Tinto, Rock Tech, Roy Hill, SafeAI, Sandvik, Santoencanto, SAP Asia, Scania,
Schnieder Electric, Seyo, SMS Equipment, Stantec, Strategy Focused Innovation, Suncor, Symbiotic Innovations, Syncrude,
Teck, Terry Reid, Thiess, Tommy Martinez, Vale, Vedanta Resources, Whitehaven Coal

Project Leaders
Chirag Sathe, Principal Equipment Automation, BHP
Gareth Topham, Principal Functional Safety, Rio Tinto

COPYRIGHT NOTICE

This document is copyright protected by the Global Mining Guidelines Group (GMG). Working or committee drafts can be
reproduced and used by GMG participants during guideline development. GMG hereby grants permission for interested indi-
viduals/organizations to download one copy. Written permission from GMG is required to reproduce this document, in whole
or in part, if used for commercial purposes.

To request permission, please contact:

Global Mining Guidelines Group
Heather Ednie, Managing Director
[email protected]
http://www.gmggroup.org

Reproduction for sales purposes may be subject to royalty payments or a licensing agreement. Violators may be prosecuted.

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 1

TABLE OF CONTENTS
1. FOREWORD 2
2. DEFINITIONS OF TERMS AND ABBREVIATIONS 2
3. KEYWORDS 2
4. SCOPE 2
5. INTRODUCTION 3
6. CONTEXTUAL BACKGROUND ON IMPLEMENTING AUTONOMOUS AND SEMI-AUTONOMOUS 3
SYSTEMS 3
6.1 Managing People and Change 3
6.2 Operation 3
6.3 Original Product Supplier and Mine Operator Relationship 4
6.4 Risk Assessment and Emergency Management 4
6.5 Configuration 4
7. RECOMMENDED REFERENCE MATERIAL 4
8. FUNCTIONAL SAFETY LIFECYCLE 5
9. SOFTWARE DEVELOPMENT, VERIFICATION, AND VALIDATION 12
9.1 Architectural Considerations 12
9.2 Lifecycle Considerations 12
9.3 Developing Conventional System Elements 13
10. COMPETENCY MANAGEMENT 14
11. CYBERSECURITY 14
12. ASSURANCE DOCUMENTATION 14
13. NON-DETERMINISTIC SYSTEMS 15
14. FUTURE WORK 15
15. RESOURCES AND REFERENCES 16
APPENDIX A: FUNCTIONAL SAFETY IN OVERALL SAFETY MANAGEMENT 18
APPENDIX B: SUMMARY OF STANDARDS 19
B.1 Key Standards 19
B.2 Non-Core Standards 19
APPENDIX C: EXAMPLE FUNCTIONAL SAFETY MANAGEMENT PLAN 21
APPENDIX D: POTENTIAL ACTIVITIES FOR SOFTWARE DEVELOPMENT 22

Global Mining Guidelines Group (GMG)

2 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

1. FOREWORD Independent: In a review or investigation setting, refers to a

The Global Mining Guidelines Group (GMG) is a network of separation of responsibilities to maintain objectivity.
representatives from mining companies, equipment and Integrity level / performance level: Identification of the risk
technology suppliers, research organizations, academia, reduction required to be provided by each safety function.
regulatory agencies, consultancies, and industry associa- Examples include machine performance level (MPL), per-
tions who collaborate to tackle the challenges facing our formance level (PL), and safety integrity level (SIL).
industry. GMG aims to accelerate the improvement of mining Mine operator: The mining operation applying functional
performance, safety, and sustainability and creates guide- safety to autonomous systems in mining who is responsible
lines, such as this one, that address common industry chal- for the functional safety lifecycle of the application.
lenges. GMG guidelines are peer-reviewed documents that Non-deterministic system: A system or aspects of a system
offer best practices, advise on the implementation of new where decisions are derived from complex sensor and pro-
technologies, develop industry alignment, or educate cessing algorithms and / or involve machine learning (e.g.,
broadly. They are developed through industry-wide collabo- emergency intervention systems, advanced driver assistance
ration to assist the global mining community in implement- systems, and artificial intelligence route planning). It may not
ing practices to improve operations and / or implement new be possible to establish an integrity level / performance level
technologies. Please note that GMG guidelines are not rating (e.g., MPL / PL / SIL) when using these systems.
industry standards. Draft documents are checked and Original product supplier (OPS): The equipment manufac-
approved by working group members prior to approval by turer or integrator who is responsible for part or all of the
the GMG Executive Council. functional safety lifecycle of the product.
Please note: If some of the elements of this document are Safety function: The machine functions that are required to
subject to patent rights, GMG and the Canadian Institute of achieve or maintain a safe state and of which failure or
Mining, Metallurgy and Petroleum (CIM, of which GMG is a malfunction could increase the risk of injury or harm to the
legal entity) are not responsible for identifying such patent involved people or environment.
rights. System operator: The person with control over a system.
System safety: Measures that are taken to confirm that the
2. DEFINITIONS OF TERMS AND overall design of a system is safe to operate. Functional
ABBREVIATIONS safety is a part of system safety.
Autonomous machine: Refers to autonomous and semi- * The formal IEC International Standard IEC 61508 definition of func-
autonomous machines (ASAMs) as they are defined in ISO tional safety is: “The part of the overall safety relating to the EUC
17757 (2019a, 3.1.3.1 and 3.1.3.2). In this guideline, it refers (Equipment Under Control) and the EUC control system that
specifically to mining machines. depends on the correct functioning of the E/E/PE (Electrical/Elec-
tronic/Programmable Electronic) safety-related systems and other
Autonomous system: Refers to autonomous and semi-
risk reduction measures.”
autonomous systems (ASAMS) as they are defined in ISO
17757 (2019a, 3.1.2). In this guideline, it refers specifically to
mining systems. 3. KEYWORDS
Competency: Having people with the necessary knowledge, Autonomous mining, autonomous systems, functional
skill, and experience to apply functional safety to safety, lifecycle, mobile autonomous machines, risk man-
autonomous systems. agement, safety
Deterministic system: A system where outcomes are deter-
mined based on known and understood modes and condi- 4. SCOPE
tions. This document provides guidance on the application of
Functional safety: Refers to “the part of the overall safety that functional safety to new deployments of autonomous sys-
depends on a system or equipment operating correctly in tems in mining in surface and underground operations. It is
response to its inputs.” It is defined as “the detection of a intended as a starting point to help readers who are imple-
potentially dangerous condition resulting in the activation of a menting autonomous systems navigate communication
protective or corrective device or mechanism to prevent haz- with other key stakeholders, but is not an exact process to
ardous events arising or providing mitigation to reduce the follow and does not serve as a standard or set of rules. It
consequence of the hazardous event” (Source: www.iec.ch).* covers in situ material—the mining and related support
Functional safety lifecycle: The process of managing func- activities that contribute to material extraction such as
tional safety over the life of a product. drilling, blasting, loading, haulage, dumping.

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 3

Non-deterministic systems are outside of the scope of management (Section 10); cybersecurity (Section 11);
this guideline. However, some high-level information on non- and assurance documentation (Section 12)
deterministic systems is provided in Section 13.
While functional safety exists within the larger scope of 6. CONTEXTUAL BACKGROUND ON
system safety, guidance on overall system safety is outside IMPLEMENTING AUTONOMOUS AND SEMI-
the scope of this guideline. However, Section 6 outlines AUTONOMOUS SYSTEMS
some contextual background on implementing autonomous A focus on functional safety is important for autonomous
systems and overall safety, and Appendix A describes how systems due to their reliance on technology (i.e., hardware
functional safety fits into overall safety management. A sep- and software) to manage safety functions. A strong focus on
arate GMG document on overall autonomous system safety the administrative controls that are critical to system safety
is currently in development. is also important.
The four key audiences for this guideline are:
• Those who design and supply autonomous systems 6.1 Managing People and Change
(i.e., OPS) Change management should be comprehensive because,
• The operations delivery and integration teams for example, software changes can affect the system oper-
• Mining company technology, operations, and mainte- ates, and system operator actions can affect safety. There
nance teams should also be appropriate communication to all relevant
• Regulators stakeholders, and all necessary updates should be made to
These groups have different perspectives and needs, so the user documentation—such as guidelines and training
the scope has been kept broad enough to cover all. manuals— to confirm that the operations personnel are
ready to adapt to the change.
5. INTRODUCTION Training for all personnel who will interact with
The global mining industry is embracing automation. autonomous systems is imperative for safe automation.
However, requirements for managing functional safety are Everyone working at the operation should understand the
unclear. There are several reasons for this lack of clarity: risks of automation for the mine site to be safe.
• The use of autonomous systems is accelerating, but
adoption is uneven across the industry. 6.2 Operation
• Current OPSs are at different stages of maturity in Conflicts between the procedures for manned operation
terms of managing functional safety. and those for autonomous operation need to be addressed.
• Several international and national functional safety Operational procedures need to be well defined.
standards exist or are in development, but there is a Autonomous systems require standard operating proce-
lack of clarity regarding what applies to autonomous dures in code that is executable because a machine cannot
systems in mining. understand the intent of the standard operating procedures
This guideline provides a common approach to applying like a human can.
functional safety to autonomous systems and references Different levels of autonomous maturity require different
international standards within the context of the mining safety practices. For example, a current practice is to desig-
industry and its current maturity. This guideline also nate an autonomous operating zone that restricts unautho-
describes clear expectations for the communication require- rized access. However, as mobile autonomous machines
ments to support change management and effective appli- evolve, this practice will not always be the most cost-effec-
cation. To this end, this guideline: tive option. In order to address varying levels of maturity,
• Identifies important reference materials and lists stan- safety standards will need to be developed or updated.
dards that are relevant to applying functional safety to Metrics about autonomous systems need to be much
various aspects of autonomous systems (Section 7) more precise with respect to functional safety.
• Outlines an example of a functional safety lifecycle for • Infrastructure / system status metrics should be accu-
applying autonomous systems in mining and identifies rate. For example, if a GPS device moves half a metre,
some key expectations and responsibilities for provid- it can significantly affect how the autonomous system
ing information, documentation, and support at each functions.
stage (Section 8) • Autonomous mining system health metrics are critical
• Offers high-level guidance on software development, in validating the performance that forms the assump-
verification, and validation (Section 9); competency tions in the risk assessments.

Global Mining Guidelines Group (GMG)

4 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

6.3 Original Product Supplier and Mine Operator maintain optimal performance for the autonomous system.
Relationship This process needs to capture all hardware and software
Operational intent defines the concept of operations and elements that could impact safety (e.g., the configuration
the assumptions about how the system will operate. Opera- definition should include vehicle mechanical items used in
tional intent is a partnership between the mine operator and manned operation as well as the sensing, computing, and
OPS when using autonomous systems, while it is within the tuning implemented in software). This process also needs to
control of the mine operator when using manned systems. capture delivery, integration, and maintenance aspects that
Effective channels of communication are required could affect safety.
between the OPS and mine operator to address aspects For further guidance refer to ISO 10007, Quality manage-
such as residual risk and operations and maintenance ment - Guidelines for configuration management (2017c).
requirements. More interaction may be required due to the Updates may occur frequently because of the rapid pace
complexity of such systems. For further information, see the of innovation.
Western Australia Code of Practice for Safe Autonomous
Mining (Government of Western Australia Department of 7. RECOMMENDED REFERENCE MATERIAL
Mines, Industry Regulation and Safety, 2015). Consideration should be given to the following documents
during the design and implementation process:
6.4 Risk Assessment and Emergency Management • Local and international standards
Risk assessments require: • Industry guidelines
• A broader scope because autonomous systems are • Jurisdictional regulations and legislation
typically more complex than manned systems. • Corporate standards
• A strong focus on the administrative controls on which • OPS and vendor product information
the autonomous system is reliant. They should also Table 1 lists standards that are relevant to applying func-
consider how human behaviour changes as aspects of tional safety to various aspects of autonomous systems. A
manned operation are replaced by the autonomous summary of each of these standards, as well as other stan-
systems. dards that are non-core but still useful references, can be
• More focus on edge case scenarios, which are the sce- found in Appendix B. Subsequent references to these stan-
narios that test the system design in unexpected and dards are by standard number. Full references, including
often untested ways. While the system operator can individual published parts, can be found in Section 15.
adapt to uncertainty and change
when using a manned system, an
Table 1. Key Standards (in numerical order)
autonomous system works within its
design limits. Standard Citation(s)
Emergency procedures need to be ISO 12100 Safety of machinery – General Principles for International Organization for
reviewed to include autonomous opera- design – Risk assessment and risk reduction Standardization, 2010
tions. The following questions should be ISO 13849 Safety of machinery – Safety-related parts of International Organization for
considered when reviewing and updating control systems Standardization, 2015b, 2012b
existing procedures and as part of ongoing ISO 17757 Earth-moving machinery and mining – International Organization for
Autonomous and semi-autonomous machine system Standardization, 2019a
change management:
safety
• How to stop an autonomous opera-
ISO 19014 Earth-moving machinery – Functional safety International Organization for
tion (Parts 1 and 3 are published, Parts 2, 4, and 5 are Standardization, 2018c, 2018d
• How to approach the autonomous currently in development)
operating zone ISO 31000 Risk management International Organization for
• How to remove the autonomous Standardization, 2018e
machine if it is broken down IEC 31010 Risk management – Risk assessment International Electrotechnical
• Training requirements for emergency techniques Commission, 2019b
responders IEC 61508 Functional safety of electrical / electronic / International Electrotechnical
programmable electronic safety-related systems Commission, 2010a–2010g
6.5 Configuration IEC 62061 Safety of machinery – Functional safety of International Electrotechnical
electrical, electronic and programmable electronic Commission, 2015b
A configuration management approach
control systems
should be implemented to establish and

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 5

8. FUNCTIONAL SAFETY LIFECYCLE where these other aspects fit within the overall lifecycle
The functional safety lifecycle is a process for managing example. The arrows between the two lifecycles represent
functional safety over the life of a product. This section is an some key communications.
example of a functional safety lifecycle for autonomous sys- While the stages of product and application lifecycles can
tem applications that describes the relationship between the be similar, they do not have a one-to-one relationship, and
OPS's product lifecycle and the mine operator's application they do not necessarily happen concurrently. If the OPS and
lifecycle. It also summarizes some recommendations for mine operator are developing a custom solution, they may
information to be communicated between the key partici- be on similar timelines. However, the product is often devel-
pants. OPSs may vary in how they manage the approach to oped first, and then some stages of the product lifecycle may
their product lifecycles, so these recommendations may also be revisited based on the application. For example, if the
vary depending on the approach. This lifecycle example also mine operator communicates information from any stage of
considers both new and existing systems and how the pro- the application lifecycle back to the OPS, then an earlier
cess may be adapted for each. stage of the product lifecycle may need to be repeated or
This lifecycle example covers an overall site-specific revisited. If design modifications are identified during the
autonomous system environment with several layers of application, the hazard identification and risk assessment
automation. These layers comprise several types of product may need to be revisited for the product. Further, the
lifecycles that need to be integrated into the application life- sequence of activities outlined in Figure 2 is one of many
cycle (Figure 1). examples of what the process can look like. This is especially
Figure 2 summarizes this lifecycle example. Tables 2–12 true for the product lifecycle, as some of the stages may
describe the expectations and the relevant information, doc- occur in a different order or may not apply in every situation
umentation, or support that the mine operator and OPS may depending on the product development approach.
be responsible for providing at each related stage. Figure 2 The OPS is accountable for functional safety while develop-
and Tables 2–12 outline the key stages of both the product ing a product. The OPS provides the mine operator with all the
and application lifecycles from concept and scope to opera- necessary information to demonstrate that the application
tion and maintenance as well as some key aspects (other specification is met and that the autonomous system can be
risk controls, operational readiness, and change manage- operated and maintained at the required safety performance.
ment) that should be considered as part of functional safety Once the product is deployed in an operation, the mine opera-
lifecycle management. In Figure 2, dotted arrows indicate tor is accountable for the overall safety of the autonomous
system. However, the OPS is still accountable for
changes that they make to their product during the
product upgrade cycle (i.e., software upgrade). If a
third party performs the integration, then the sys-
tem integrator would be responsible for the devel-
opment and analysis of the safety functions within
the autonomous system while the mine operator
would still be accountable for the overall safety of it.
Communication and transparency between the
mine operator applying the autonomous system
and the OPS providing it is essential. The OPS will
typically develop the autonomous system for an
intended use; over time, there may be modifica-
tions to both the system and the use cases in the
field. If such modifications are made, then it is crit-
ical that mine operators apply change and config-
uration management principles. The mine
operator needs to determine their user require-
ments and the resulting system and safety
requirements for their application. They then need
to communicate with the OPS to confirm that the
Figure 1. Layers of the Overall Autonomous System Environment product meets those requirements.

Global Mining Guidelines Group (GMG)

6 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

Figure 2. An Example of the Relationship Between Product and Application Lifecycles (Abbreviations: Identification, ID); Note: the contents in the lifecycles
may vary.

Table 2. Concept and Scope

At this stage, the concept and scope are examined within well-defined operational, regulatory, and risk environments. The potential requirements
and safety controls for managing functional safety are also identified.
Product Application

• Identify the relevant legislation, regulations, standards, and codes of • Identify the relevant legislation, regulations, standards, and codes of
practice practice
• Identify the equipment under control and its intended use and limits • Clearly define the concept of operations
of operation • Clearly define the operational parameters
• Identify the potential operating environments • Identify the actual operating environment
• Identify the communication requirements • Identify the existing or planned communications infrastructure
• Identify the OPS-specific risk criteria • Engage with the relevant regulators
• Identify the operation-specific risk criteria

Provided from OPS to mine operator:

• All product expectations (as outlined in the product column above)

Provided from mine operator to OPS:

• All application expectations (as outlined in the application column above)

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 7

Table 3. Planning
This stage involves developing the process for managing functional safety and assigning the responsibilities for implementing it. See Appendix C for
an example outline for a functional safety management plan.
Product Application
• Document the process for how functional safety should be managed • Set up the functional safety management plan based on the
• Set up the process for managing functional safety based on the appropriate functional safety standard(s) where applicable and
appropriate functional safety standard(s) where applicable and adapted to the specific application
adapted to the specific product • Determine clear roles and responsibilities for all parties throughout
• Put certified quality management in place (e.g., certified to ISO the application lifecycle
quality management systems standard, ISO 9001; 2015a)

Provided from OPS to mine operator:

• Documentation of the rationale for the selection and use of the methodology for managing functional safety
Provided from mine operator to OPS:
• The expected use conditions for the equipment

Table 4. Hazard Identification and Risk Assessment

Robust hazard identification and risk assessment activities are completed at this stage so that the available controls can be identified, and effective
decisions can be made about how to apply functional safety. During design, the OPS will typically complete the hazard identification and risk
assessment for their product based on industry-wide standards. The mine operator applying the product will then complete their risk assessment
with support from the OPS to clarify what risks are mitigated and to identify where they may need to put additional measures in place.
Product Application
• Identify all of the hazards associated with operating the product in its • Use a facilitator and group of stakeholders with the appropriate
intended use cases, including foreseeable misuse expertise
• Assess the risks associated with the hazards (use external sources • Identify all hazards associated with operating the product(s) in the
such as ISO 17757 for a list of hazards to consider and a list of risk context of the operational scenario, including foreseeable misuse
identification tools) • Assess the risks associated with the hazards (use external sources
• Identify the existing controls such as ISO 17757 for a list of hazards to consider and a list of risk
• Use an appropriate methodology and the appropriate tools (e.g., ISO identification tools)
12100 or IEC 31010) to suit the equipment and related systems • Identify the existing and proposed controls
• Use an appropriate methodology and the appropriate tools (e.g., ISO
12100 or IEC 31010) to suit the equipment and related systems

Provided from OPS to mine operator:

• A list of hazards considered
• Participation in risk assessment:
– Communication of outcomes from OPS design risk assessment
– Participation in the mine operator risk assessment
• A description of the product functionality / use cases and the primary risk controls of the equipment / safety manual

Provided from mine operator to OPS:

• A list of the hazards from the operation to consider

Global Mining Guidelines Group (GMG)

8 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

Table 5. Other Risk Controls

Other risk controls—safety-related controls that need to be handled outside of, but in parallel with, the functional safety lifecycle—also need to be
considered. For example, these controls may include physical changes such as road width, access control, and signage that are needed to safely
accommodate autonomous machines.
Action Related lifecycle stage
Identified Hazard identification and risk assessment (Table 4)
Specified Control identification, specification, and requirements (Table 6)
Managed (in parallel) Design and possible design modifications (Table 7)
Validated Validation (Table 8)

Table 6. Control Identification, Specification, and Requirements

At this stage, the functional safety performance requirements and controls are defined and specified so that safety can be embedded in the design
or in any design modifications.
Product Application
• Define the safety function and the required safe state • For existing (i.e., off-the-shelf) systems:
• Evaluate the performance and risk reduction requirements – Conduct workshops with the OPS to understand the outcomes of
• Specify the safety requirements at the product level the risk assessment and functional safety analysis to use as an
input for the mine operator's risk assessment and procedures to
enable safe operation of the system
• For systems being modified extensively or a custom system that is
being developed:
– Conduct workshop(s) to define safety function performance and risk
reduction requirements with input from product domain experts
– Define the application-specific functional safety requirements, as
identified in the layer of protection analysis (LOPA) or equivalent
evaluation
• Specify the safety requirements at the application level
• Verify that the product performance meets the application targets
Provided from OPS to mine operator:
• Documented safety functions, including any safety-critical information, safety-related parts, and risk reduction requirements. These may be
defined as integrity levels / performance levels if applicable.
Provided from mine operator to OPS:
• A revised safety requirements specification if modifications are made or the design is done in collaboration with the OPS

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 9

Table 7. Design / Possible Design Modifications

At this stage, the product is designed to meet the performance and risk reduction requirements and the functional safety requirements
specification. Those applying the solution should verify the product and identify any possible design modifications.
Product (design) Application (possible design modifications)
• Design the product in accordance with the performance and risk- • Verify that the product performance meets the performance
reduction requirements identified in the control identification, requirements identified in the control identification, specification, and
specification, and requirements stage (Table 6) requirements stage (Table 6)
• Verify the design for safety • If required, apply any additional controls
• If the required application safety requirements specification • Design the other risk controls identified in risk assessments in
performance target cannot be met, then provide the documentation previous stages (e.g., road layout, access control)
to demonstrate that all reasonably practicable steps have been
taken, any limitations are clearly identified, and the actual
performance that can be achieved
Provided from OPS to mine operator:
• A listing of the safety functions of the autonomous system and what is required to maintain their integrity over the lifecycle of the machine /
system

Provided from mine operator to OPS:

• A revised functional safety requirements specification

Table 8. Installation and Commissioning

This stage involves preparing the autonomous system to be put into service safely, including implementing installation and test plans.
Product Application
• Develop clear instructions for on-site installation and commissioning • Implement the installation plan for the overall system where
• Generate the installation and configuration records applicable
• Implement the installation and test plan for safety functions • Generate the installation and configuration records
• Run acceptance testing* • Test the overall system, including the integration of sub-systems and
ensuring a record is captured

Provided from OPS to mine operator:

• Installation and site acceptance test plan* for review
• Configuration checklist
• As-built and commissioning records
Provided from mine operator to OPS:
• Feedback on any deviations from installation and test plan or failures
• Configuration records where appropriate (e.g., communications network performance meets specified requirements)
*Types of acceptance tests: Factory acceptance test: An evaluation of the equipment completed by the vendor before installation to identify whether or not it is
operating as specified. It is the final step of the manufacturing process. Site acceptance test: A joint activity between the vendor, integrator, and mine operator to
identify whether or not the equipment is operating as specified and if the site is prepared for installation and commissioning. It is signed off by the integrator. User
acceptance test: The testing completed by the mine operator to identify whether or not the system works for them and meets the business intent.

Global Mining Guidelines Group (GMG)

10 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

Table 9. Validation
At this stage, procedures are completed to validate that the autonomous system has undergone all relevant assessments and meets all
requirements. The product validation and application validation will not happen at the same time unless the OPS and mine operator are developing a
custom solution.
Product Application
• Clearly demonstrate that the product safety requirements have been • Confirm that the overall integrated system application validation is
fulfilled as defined in the product safety requirements specification carried out at the mine site, working in conjunction with the OPS
• Confirm that all verifications and functional safety assessments have • Clearly demonstrate that the application safety requirements have
been completed as required been met as defined in the application safety requirements
• Document the residual risks after verification specification
• Confirm that all additional controls required to meet risk reduction
factors have been implemented
• Confirm that the scope of validation covers the fully integrated
system
• Confirm that all required verifications and functional safety
assessments have been completed

Provided from OPS to mine operator:

• Evidence that the product safety requirements have been met

Provided from mine operator to OPS:

• If the OPS agrees to validate a third-party modification or interface, then any required information that the OPS needs to evaluate the impact of
the modification

Table 10. Operational Readiness

Assessing operational readiness is essential before the autonomous system can be safely operated. It is primarily an application process, but it
uses input from product development (see also ISO 17757:2019).
Product Application
• Provide the relevant support documentation and input (see list below • Confirm that configuration management processes related to
of what the OPS provides to the mine operator) functional safety are in place
• Identify and procure the safety-critical spares
• Confirm that preventive maintenance plans and strategies are in
place (e.g., proof testing, inspections, end of life replacement)
• Develop a strategy such as bypassing or overriding to manage
impaired safety functions
• Develop strategies for performance monitoring diagnostics
• Recruit and train staff and assess their competencies
• Develop and modify the standard operating procedures

Provided from OPS to mine operator:

• Test procedures
• Safety manuals, operating procedures, maintenance instructions, and other information required for operating and maintaining safety functions
• Performance monitoring diagnostics and training

Provided from mine operator to OPS:

• Confirmation that the functional safety-related requirements and specifications from the OPS have been met and are ready to go live

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 11

Table 11. Operation and Maintenance

Continuous functional safety management and maintenance are essential once the autonomous system is in operation; it is part of applying the
solution, but it also requires support from the product side.
Product (support) Application (operation and maintenance)
• Manage obsolescence • Manage safety-critical spares
• Provide fault investigation support and support continuous • Implement a strategy such as bypassing or overriding to manage
improvement (see change management, Table 12) impaired safety functions
• Manage incident alerts and advice • Maintain a configuration management system for functional safety
• Provide training updates • Confirm that there is ongoing use of performance monitoring
diagnostics
• Maintain staff competencies
• Verify all controls, including procedures and other risk reduction
measures, on an ongoing basis
• Revalidate the operational risk assessments periodically
• Confirm that there is an appropriate investigation methodology
(e.g., incident cause analysis method) in place with competent
independent facilitators

Provided from OPS to mine operator:

• The documentation relevant to the support items listed under the product column
Provided from mine operator to OPS:
• Feedback on performance, incidents, and failures

Table 12. Change Management

Change management is a key consideration throughout the lifecycle to make sure that every change that is made allows for the same level of
functional safety. Every time changes are made to a product or application, the stages from planning onward may need to be revisited to consider
the adjustments. If the mine operator is modifying or developing a system independently from the OPS, some of the expectations under the product
column may need to be met on the application side.
Product Application
• Confirm that the change management process* covers the • Confirm that the change management process covers the evaluation
evaluation of functional safety, including impact analysis of functional safety, including impact analysis
• Confirm that any changes made to the product that affect safety • Establish a mechanism to communicate product changes to the OPS
functions are communicated to all product owners, and the and engage with them
communications are documented • Apply functional safety change management processes to anything
• Reasonably support product owner in the change management that affects the risk profile (e.g., a new use case, environmental
process changes, new initiating events, or changes to existing events)
• Confirm that the change management process defines the
appropriate review and approval authorities
Provided from OPS to mine operator:
• An explanation of any changes that are made to the product that affect its safety functions

Provided from mine operator to OPS:

• The identification of opportunities for improvement with details for assessment
* Further detail on change management can be found in the GMG (2019) Guideline for the Implementation of Autonomous Systems in Mining.

Global Mining Guidelines Group (GMG)

12 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

9. SOFTWARE DEVELOPMENT, VERIFICATION, ever, for autonomous systems, there is still a notable reliance
AND VALIDATION on other administrative and non-control system mitigation
Autonomous system software often carries out safety measures.
functions. This section describes general considerations
around software development within the context of the func- 9.2 Lifecycle Considerations
tional safety lifecycle outlined in Section 8. It focuses on The software development lifecycle is contained within a
conventional software development methods and determin- small portion of the functional safety lifecycle identified in
istic systems. Section 8 and Figure 2, particularly the product lifecycle. The
software lifecycle primarily fits into the design / possible
9.1 Architectural Considerations design modifications (Table 7) and the control identification,
The requirements for autonomous system software archi- specification, and requirements (Table 6) stages. Some ele-
tectures will vary depending on the relationship between the ments of the software requirements validation are part of the
control and protection elements. validation stage (Table 9).
While system architectures designed with separate con- Figure 3 shows how the functional safety lifecycle fits into
trol and protection elements allow functional safety require- a basic software development V-model diagram. Functional
ments to focus on the protection system, it is not always safety standards use similar V-models to describe the soft-
possible or practical in mobile machine applications. This ware development lifecycle (e.g., ISO 13849-1:2015, Figure 6
clear separation of control and protection elements is possi- and IEC 61508-3:2010, Figure 6). This lifecycle corresponds
ble if those designing the safety protection function can well with the functional safety lifecycle outlined in Section 8,
specify and implement it without having any information and the relationship between the two lifecycles is as follows:
about the workings of the control function (see Example A). • The “software safety requirements specification” is
This approach to functional safety is typical of stationary part of the “control identification, specification, and
machines in factory automation settings. requirements” stage in Table 6.
If knowing the state of the control function or what it is • The “validation and acceptance testing” is part of the
doing is necessary to maintain safety, it is much harder to “validation” stage in Table 9.
produce a simple, independent protection function (see • The remaining steps in Figure 3 are encompassed
Example B). In such situations, it is recommended to place a within the “design / possible design modifications”
greater reliance on the integrity of the control function, how- stage in Table 7.

Example A: Situation where protection and control elements can be separate

An underground load, haul, dump automation system (i.e., the control element) is separated from human interaction by
a barrier control system (i.e., the protection element). If the barrier system is breached, the machine goes to a safe state,
which requires a specific process to be followed to reinitiate autonomous operations. This works because people,
machines, and vehicles can be segregated from the autonomous machine.

Example B: Situation where knowing the state of the control function is necessary
When machine control systems (e.g., steering, braking, propulsion) are used as part of an autonomous machine system
around other machines and vehicles with people in them, the autonomous system needs to know what the machine is
doing, where it should be going, and where other things are so that it can act accordingly. The inputs into these systems
can come from both deterministic and non-deterministic aspects. Safety is dependent on the correct operation of the
autonomous and machine systems and other risk mitigation measures. Further information on non-deterministic aspects
can be found in the CMEIG, EMESRT, and ICMM White Paper and Guiding Principles for Functional Safety for Earthmoving
Machinery (2020).

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 13

!"#$%&'#()*+(,-%.*)&,-$.$)-/ !"#$%&'#()*+(,-%.*)&,-$.$)-/
*'(&+'#),%-(&$.$/"&$'(0)12-/$.$/"&$'(0) !"#$%"&$'()
"(%)+-34$+-5-(&1 !"#$%& '(
!"#$%& )( !:;,6:<,=>

*+,-.#/&0
:#%5;#-5+70#7;0
1#,&-20
#99&8-#79&0
/&345/&6&7-10
-&1-57<
18&95,59#-5+7

*+,-.#/&0 *21-&6
121-&6 57-&</#-5+7

!?@,A,*:<,=>
;&15<7 -&1-57<

5+ 0
#- ;
>+68+7&7- >+68+7&7-

</ 0 # 7
7
@&

;&15<7

-& <
-&1-57<

57 1-57
15<
7

"&
A+;4%& A+;4%&
;&15<7 -&1-57<

>+;57<0?0
568%&6&7-#-5+7

!"#$%&'#()*+(,-%.*)&,-$.$)-/
6-1$7()8)2'11$9#-)%-1$7()5'%$.$/"&$'(1
!"#$%& =(

Figure 3. The Relationship between the Functional Safety Lifecycle and a Software Development V-Model Lifecycle Diagram

9.3 Developing Conventional System Elements Errors made in software development can be reduced by
It is recommended to develop the software based on the constraining the use of the programming language. One
safety function performance requirements for a particular option is the use of limited variability languages (LVLs). For
control and with consideration given to relevant standards example, function block diagrams are used to construct pro-
(e.g., ISO 13849, IEC 61508, ISO 19014). When it is published, grams by linking pre-defined function blocks, thereby reduc-
ISO/DIS 19014-4, Earth Moving Machinery — Functional ing the scope for error. When more general programming
safety — Part 4: Design and evaluation of software and data languages are used, it is common to use a language subset,
transmission for safety-related parts of the control system, which means only using some of the aspects of a language
will likely be the most relevant standard (https:// or using them in a particular way. For example, the Motor
www.iso.org/standard/70718.html). The safety performance Industry Software Reliability Association (MISRA) has devel-
requirements are often identified by the risk reduction required oped guidelines for commonly used languages:
in the Control Identification, Specification, and Requirements • MISRA C, Guidelines for the Use of C Language in Criti-
stage of the functional safety lifecycle (Table 6). cal Systems (2013), which has now been updated to
For example, ISO 13849-1:2015 includes an analysis of address security concerns (2016)
the degree of reliance on safety functions, defining the per- • MISRA C++: Guidelines for the Use of the C++ Lan-
formance requirements by designating performance levels guage in Critical Systems (2008)
(PLs). PLs are labelled a–e, with e representing the highest These subsets are now widely used and supported by
reliance on the function in terms of safety. See Appendix D tools. While subsets are not defined for all languages and
for an example of the potential activities for software devel- there are other variants of those that are defined, using a
opment for allocated PLs based on ISO 13849-12015. tool-enforced subset is good practice.
Some system developers may employ techniques / meth- Note: Section 9 was developed with assistance from John McDer-
mid, Director of the Assuring Autonomy International Programme,
ods like these.
University of York

Global Mining Guidelines Group (GMG)

14 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

10. COMPETENCY MANAGEMENT • Institute of Engineering and Technology (2016),

Those managing functional safety are expected to be suit- Competence Criteria for Safety-related System
ably competent in their knowledge, skills, experience, and Practitioners
behaviours. This section provides guidance for mining oper- • The UK Health and Safety Executive (2006, 2007),
ations on assessing competency. Potential competency Managing competence for safety-related systems
requirements include the following:
• Identifying the relevant safety lifecycle phases 11. CYBERSECURITY
• Identifying the tasks to be carried out in those phases Cybersecurity is an emerging issue that has the potential
• Defining a competency criterion for each task to significantly affect the safety functions of autonomous
• Mapping the tasks to roles systems; it should therefore be considered throughout the
• Allocating the roles to departments or individuals lifecycle. Because autonomous systems rely heavily on soft-
• Developing and executing a plan for assessment ware, threats that affect sensor operation, software design,
• Planning for and proactively managing gaps system interoperation, and human-machine interaction all
• Carrying out periodical assessments to confirm that have the potential to affect functional safety. Cybersecurity
competencies remain valid threats also exist that specifically target safety systems.
• Managing competencies of new starters Cybersecurity measures should preserve the safety func-
• Periodically revisiting the tasks and criteria to confirm tionality of the autonomous system. The system should be
they remain relevant designed to act to preserve safety as the highest priority if it
Guidance for successfully implementing a competency is sent messages that could result in unsafe operation.
management plan in an operation includes these steps: Security for control interfaces should be considered and
• Develop the competency criteria to include require- managed as part of the functional safety risk management
ments that demonstrate knowledge, skills, experience, process and should address the requirements for compli-
and behaviours. This demonstration should go beyond ance, certification, and risk mitigation following a “so far as
training courses and certifications, which are not reasonably practicable” methodology. A risk assessment
always comprehensive. carried out on cybersecurity threats using information from
• Use clear language within the competency criteria. the MM-ISAC autonomous systems threat model is recom-
• Match the level of detail and rigour within the compe- mended (http://www.mmisac.org/).
tency criteria to the level of safety performance Recommended literature on cybersecurity includes:
required by the product or application and its potential • IEC TR 63069:2019 Industrial-process measurement,
to cause harm. control and automation - Framework for functional
• Consider how to evaluate domain knowledge within the safety and security (International Electrotechnical
competency criteria. For example, while it may be good Commission, 2019a)
to have a functional safety expert on board, their • IEC TR 63074:2019 Safety of machinery - Security
expertise needs to be complemented by knowledge of aspects related to functional safety of safety-related
mining operations and autonomous systems. control systems (International Electrotechnical Com-
• Integrate the competency criteria into existing sys- mission, 2019d)
tems. Some companies have a competency framework • ISA TR 84.00.09_2017 Cybersecurity Related to the
or system in place (e.g., managing health and safety Functional Safety Lifecycle (International Society of
risks by working in a restricted space). Automation, 2017)
• Collaborate with OPSs for assistance with formal train- More detailed cybersecurity guidance will be developed
ing, simulated training, joint on-the-job assessments, through the GMG System Safety for Autonomous Mining pro-
and handover if there is not sufficient competency ject and the GMG-MMISAC Cybersecurity Working Group.
within the operation.
• Allow the criteria development process to expose com- 12. ASSURANCE DOCUMENTATION
petency gaps. Competency gaps can then be managed The mine operator and OPS should collaborate on what
through strategies such as collaboration between team assurance documentation and analysis are appropriate for
members who collectively meet the competency the system. Options to consider include:
requirements for a given task. • References to or conformance with relevant interna-
Recommended literature that discusses functional safety tional standards, including functional safety standards
competency management in detail includes: where applicable

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 15

• Outcomes of the hazard and risk analysis respond to conditions based on probability, these responses
• A list of the safety functions, a description of their cannot be quantified using these methods. The CMEIG,
functionality and safe states of operation EMESRT, and ICMM White Paper and Guiding Principles for
• System limitations or safety goals necessary for the Functional Safety for Earthmoving Machinery (2020) offers
site to operate the system safely some high-level guidance on the direction for the mining
• Validation report that all safety functions are working industry in terms of non-deterministic systems. They
during commissioning onsite (where practicable) describe:
• If safety functions are unable to be tested onsite, evi- • An interim approach until new standards are avail-
dence of validation of those safety functions able: A risk-based evaluation that combines traditional
• Outcomes of causal analyses, for example failure and evolving risk management techniques, a robust
modes and effects analysis (FMEA), fault tree analysis development process, an extensive system testing and
(FTA), and systems theoretic process analysis (STPA) validation framework, and strong engagement and col-
• An overview of the software development process that laboration among relevant stakeholders ("Proposed
may use methods such as those in ISO 19014, ISO Approach for the Evaluation of Systems with Non-
13849 or IEC 61508 Deterministic Aspects," CMEIG, EMESRT, and ICMM,
Note that some documentation may not be shareable due 2020).
to intellectual property protection requirements for the OPS. • The approach in the automotive industry: ISO/PAS
In such situations, the OPS and mine operator will need to 21448:2019 Road vehicles — Safety of the intended
agree on an appropriate mechanism for providing adequate functionality is intended to be applied to evaluating
assurance of the safety of the product to the mine operator. non-deterministic aspects of safety-related systems
It may also be helpful for the OPS to provide a high-level through “extensive validation over a series of use/mis-
overview of the OPS product lifecycle management to the use cases" ("Other Industries Approach,” CMEIG,
mine operator. EMESRT, and ICMM, 2020).
• Relevant standardization work for earth-moving
13. NON-DETERMINISTIC SYSTEMS machinery: ISO/TC 127 Earth-moving machinery com-
In its current state, the mining industry is accustomed to mittee has some work ongoing to address the current
systems that are predominantly deterministic, meaning that lack of standardization in this area, including an adap-
they respond to known and understood states, failure tation of the automotive safety of the intended func-
modes, and conditions. Based on the current trends in the tionality approach for earth-moving vehicles (ISO/TC
evolution of mining and other industries, it is likely that non- 127/SC2 WG 24;
deterministic systems and aspects of systems will be preva- https://www.iso.org/committee/52180.html).
lent. A non-deterministic system is one where decisions are
derived from complex sensor and processing algorithms and 14. FUTURE WORK
/ or involve machine learning. Examples of non-deterministic Because functional safety for autonomous systems in
systems include: mining is a rapidly evolving topic, this guideline is also
• Perception systems (including collision avoidance sys- expected to evolve and add any appropriate detail over time
tems) to align with new and updated standards and consider
• GPS technology (including geofences) emerging concepts and technological advances. A separate
• Route planning systems based on artificial intelligence GMG project on system safety is also ongoing and will com-
The existing standards include the assignment of perfor- plement this guideline by addressing adjacent topics such as
mance or integrity levels and can be applied more directly to safety case and risk management, human factors, integra-
deterministic systems. Because non-deterministic systems tion, and verification and validation.

Global Mining Guidelines Group (GMG)

16 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

15. RESOURCES AND REFERENCES

Construction and Mining Equipment Industry Group (CMEIG), International Electrotechnical Commission (2010g). Functional
Earth Moving Equipment Safety Round Table (EMESRT), and safety of electrical/electronic/programmable electronic safety-
International Council on Mining and Metals (ICMM). (2020). White related systems – Part 7: Overview of techniques and measures
Paper and Guiding Principles for Functional Safety for Earthmov- (IEC 61508-7:2010). Retrieved from https://webstore.iec.ch/pub-
ing Machinery. Retrieved from https://www.cmeig.com.au/work- lication/5521
ing-groups/engineering/ International Electrotechnical Commission (2015b). Safety of
Global Mining Guidelines Group (2019). Guideline for the Imple- machinery – Functional safety of safety-related electrical, elec-
mentation of Autonomous Systems in Mining (2019). Guideline tronic and programmable electronic control systems (Standard
No. 20181008_Implementation_of_Autonomous_Systems-GMG- No. IEC 62061:2005 +AMD1:2012+AMD2:2015 CSV). Retrieved
AM-v01-r01. Retrieved from https://gmggroup.org/wp-content/ from https://webstore.iec.ch/publication/22797
uploads/2019/06/20181008_Implementation_of_Autonomous_S International Electrotechnical Commission (2016). Adjustable
ystems-GMG-AM-v01-r01.pdf speed electrical power drive systems - Part 5-2: Safety require-
Government of Western Australia Department of Mines, Industry ments – Functional (Standard No. IEC 61800-5-2:2016). Retrieved
Regulation and Safety (2015). Safe mobile autonomous mining in from https://webstore.iec.ch/publication/24556
Western Australia [Code of Practice]. Retrieved from http:// International Electrotechnical Commission (2019a). Industrial-
www.dmp.wa.gov.au/Documents/Safety/MSH_COP_SafeMobile process measurement, control and automation - Framework for
AutonomousMiningWA.pdf functional safety and security (Standard No. IEC TR 63069:2019).
Institute of Engineering and Technology (2016). Code of Prac- Retrieved from https://webstore.iec.ch/publication/31421
tice: Competence Criteria for Safety Related Systems Practition- International Electrotechnical Commission (2019b). Risk man-
ers. Retrieved from https://shop.theiet.org/code-of-practice- agement — Risk assessment techniques (Standard No. IEC
competence-for-safety-related-systems-practitioners 31010:2019). Retrieved from https://webstore.iec.ch/publica-
International Electrotechnical Commission (2010a). Functional tion/59809
safety of electrical/electronic/programmable electronic safety- International Electrotechnical Commission (2019c). Safety of
related systems – Part 1: General requirements (Standard No. IEC machinery – Safety-related sensors used for the protection of
61508-1:2010). Retrieved from https://webstore.iec.ch/publica- persons (Standard No. IEC TS 62998-1:2019). Retrieved from
tion/5515 https://webstore.iec.ch/publication/31009
International Electrotechnical Commission (2010b). Functional International Electrotechnical Commission (2019d). Safety of
safety of electrical/electronic/programmable electronic safety- machinery - Security aspects related to functional safety of
related systems – Part 2: Requirements for electrical/electronic safety-related control systems (Standard No. IEC TR
/programmable electronic safety-related systems (Standard No. 63074:2019). Retrieved from https://webstore.iec.ch/publica-
IEC 61508-2:2010). Retrieved from https://webstore.iec.ch/publi- tion/31572
cation/5516 International Organization for Standardization (2007a). Earth-
International Electrotechnical Commission (2010c). Functional moving Machinery – Rubber tyred machines – Steering Require-
safety of electrical/electronic/programmable electronic safety- ments (Standard No. ISO 5010: 2007) Retrieved from
related systems – Part 3: Software requirements (Standard No. https://www.iso.org/standard/45105.html
IEC 61508-3:2010). Retrieved from https://webstore.iec.ch/publi- International Organization for Standardization (2010). Safety of
cation/5517 machinery – General principles for design – Risk assessment and
International Electrotechnical Commission (2010d). Functional risk reduction (Standard No. ISO 12100-2:2010). Retrieved from
safety of electrical/electronic/programmable electronic safety- https://www.iso.org/standard/51528.html
related systems – Part 4: Definitions and abbreviations (Standard International Organization for Standardization (2011a). Earth-
No. IEC 61508-4:2010). Retrieved from https://webstore.iec.ch moving machinery – Wheeled or high-speed rubber-tracked
/publication/5518 machines – Performance requirements and test procedures for
International Electrotechnical Commission (2010e). Functional brake systems (Standard No. ISO 3450: 2011) Retrieved from
safety of electrical/electronic/programmable electronic safety- https://www.iso.org/standard/42076.html
related systems – Part 5: Examples of methods for the determi- International Organization for Standardization (2011b). Robots
nation of safety integrity levels (Standard No. IEC 61508-5:2010). and robotic devices – Safety Requirements for industrial robots –
Retrieved from https://webstore.iec.ch/publication/5519 Part 1: Robots (Standard No. ISO 10218-1:2011) Retrieved from
International Electrotechnical Commission (2010f). Functional https://www.iso.org/standard/51330.html
safety of electrical/electronic/programmable electronic safety- International Organization for Standardization (2012a). Earth-
related systems – Part 6: Guidelines on the application of IEC moving machinery – Safety requirements for remote operator
61508-2 and IEC 61508-3 (Standard No. IEC 61508-6:2010). control systems (Standards No. ISO 15817:2012) Retrieved from
Retrieved from https://webstore.iec.ch/publication/5520 https://www.iso.org/standard/46237.html

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 17

International Organization for Standardization (2012b). Safety of International Organization for Standardization (2018d). Earth-
machinery – Safety-related parts of control systems – Part 2: moving machinery – Functional safety – Part 3: Environmental
Validation (Standard No. ISO 13849-2:2012). Retrieved from performance and test requirements of electronic and electrical
https://www.iso.org/standard/53640.html components used in safety-related parts of the control system
(Standard No. ISO 19014-3:2018). Retrieved from https://
International Organization for Standardization (2015a). Quality man-
www.iso.org/standard/70717.html
agement systems – Requirements (Standard No. ISO 9001:2015).
Retrieved from https://www.iso.org/standard/62085.html International Organization for Standardization (2018e). Risk man-
agement—Guidelines (Standard No. ISO 31000:2018). Retrieved
International Organization for Standardization (2015b). Safety of
from https://www.iso.org/standard/65694.html
machinery – Safety-related parts of control systems – Part 1:
General principles for design (Standard No. ISO 13849-1:2015). International Organization for Standardization (2018f). Road vehi-
Retrieved from https://www.iso.org/standard/69883.html cles – Functional safety – Part 1: Vocabulary (Standard No. ISO
26262-1:2018). Retrieved from https://www.iso.org/standard
International Organization for Standardization (2015c). Systems /68383.html
and software engineering – System lifecycle processes (Standard
No. ISO/ IEC/IEEE 15288: 2015) Retrieved from https://www.iso.org International Organization for Standardization (2019a). Earth-
/standard/63711.html moving machinery and mining—autonomous and semi-
autonomous machine system safety (Standard No. 17757:2019).
International Organization for standardization (2017a). Earth-mov- Retrieved from https://www.iso.org/standard/76126.html
ing Machinery – Object Detection Systems and Visibility Aids –
Performance Requirements and Tests (Standards No. ISO 16001: International Organization for Standardization (2019b). Road
2017) Retrieved from https://www.iso.org/standard/63688.html vehicles - Safety of the intended functionality (Standard No. ISO/
PAS 21448: 2019) Retrieved from https://www.iso.org/standard
International Organization for Standardization (2017b). Earth- /70939.html
moving machinery – Safety – Part 1: General Requirements
International Society of Automation (2017) Cybersecurity Related
(Standard No. ISO 20474-1: 2017) Retrieved from https://
to the Functional Safety Lifecycle. (Standard No. ISA-TR84.00.09).
www.iso.org/standard/60734.html
Retrieved from https://www.isa.org/store/isa-tr840009-2017,-
International Organization for Standardization (2017c). Quality cybersecurity-related-to-the-functional-safety-
management – Guidelines for configuration management (Stan- lifecycle/56889051
dard No. ISO 10007:2017). Retrieved from https://www.iso.org
MISRA (2013). Guidelines for the Use of the C Language in Critical
/standard/70400.html
Systems (Guideline No. MISRA C:2012). Retrieved from
International Organization for Standardization (2018a). Earth- https://www.misra.org.uk/Publications/tabid/57/Default.aspx
moving and building construction machinery – Electromagnetic
MISRA (2016). Additional security guidelines for MISRA C:2012
compatibility (EMC) of machines with internal electrical power (Guideline No. MISRA C:2012 – Amendment 1) Retrieved from
supply – Part 1: General EMC requirements under typical environ- https://www.misra.org.uk/Publications/tabid/57/Default.aspx
mental conditions (Standard No. ISO 13766-1:2018) Retrieved
from https://www.iso.org/standard/67347.html MISRA (2008). Guidelines for the Use of the C++ Language in Crit-
ical Systems. (Guideline NO. MISRA C++) Retrieved from
International Organization for Standardization (2018b). Earth- https://www.misra.org.uk/Publications/tabid/57/Default.aspx
moving and building construction machinery – Electromagnetic
compatibility (EMC) of machines with internal electrical power U.K. Health and Safety Executive (2006). Managing competence
supply – Part 2: Additional EMC requirements for functional for safety-related systems, Part 1: Key Guidance. Retrieved from
safety (Standard No. ISO 13766-2:2018) Retrieved from http://www.hse.gov.uk/humanfactors/topics/mancomppt1.pdf
https://www.iso.org/standard/67403.html U.K. Health and Safety Executive (2007). Managing competence
International Organization for Standardization (2018c). Earth- for safety-related systems, Part 2: Supplementary material.
moving machinery – Functional safety – Part 1: Methodology to Retrieved from http://www.hse.gov.uk/humanfactors/topics/
mancomppt2.pdf
determine safety-related parts of the control system and per-
formance requirements (Standard No. ISO 19014-1:2018). U.K. Defence Standardization (2017). Safety Management for
Retrieved from https://www.iso.org/standard/70715.html Defence Systems. Issue 7. (Standard No. MOD DEF STAN 00-56).

Global Mining Guidelines Group (GMG)

18 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

APPENDIX A: FUNCTIONAL SAFETY IN • Safety management systems are put in place to con-
OVERALL SAFETY MANAGEMENT firm that a system is operated safely. These include
Overall safety relies on components of a safety system risk, emergency, and change management and estab-
being designed and operated safely. Functional safety is a lishing a safety culture.
part of the broader context of overall safety, which consists • System safety confirms that the overall design of a
of the following layers: system is safe. Functional safety is a part of this layer
• Societal expectations of safety. What is considered to and refers to “a system or equipment operating cor-
be safe is decided by socially defined descriptions of rectly in response to its inputs” (source: www.iec.ch).
what risks are deemed tolerable with respect to the Figure A1 illustrates some examples of what may be in
benefits with operating a system. These societal each layer.
expectations are expressed through legislation and
common law.

Figure A1. Layers of Overall Safety (Provided by a GMG Contributor)

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 19

APPENDIX B: SUMMARY OF STANDARDS This is a five-part standard that covers the application of
The following descriptions summarize the content and functional safety to mobile machinery used in construction
scope of key and non-core standards relevant to functional and mining applications. The first and third parts are pub-
safety. The key standards are relevant to various aspects of lished, and the other three are currently in development.
the application of functional safety to autonomous systems Many concepts are similar to those in ISO 13849 and IEC
in mining. The non-core standards are not specific to func- 61508. This standard uses an industry-specific and risk-
tional safety for autonomous systems in mining but are rel- based approach to determine machine PLs of the safety-
evant to the processes and activities surrounding it or related control systems used. It addresses concerns with
provide guidance for other industries that could be adapted environmental conditions and provides further details on
to mining. They are arranged numerically. how to analyze complex embedded machine controls involv-
Full references to these standards and full standard num- ing the use of integrated electrical, hydraulic, and pneumatic
bers can be found in Section 15. Please note that for non- systems on earth-moving machinery.
core standards, only the general sections of multi-part ISO 31000 Risk management (International Organization for
standards are cited unless otherwise specified. Standardization, 2018e)
This standard provides general principles and guidelines
B.1 Key Standards to establish a framework for managing process risk across
ISO 12100 Safety of machinery – General principles for an organization and explores various risk assessment con-
design – Risk assessment and risk reduction (International cepts and methodologies.
Organization for Standardization, 2010) IEC 31010 Risk management – Risk assessment tech-
This standard defines general terminology, principles, and niques (International Electrotechnical Commission, 2019b)
methods of risk assessment associated with various types This standard (a double logo standard with ISO) provides
of fixed and mobile machinery. It provides a list of common guidance on hazard identification and risk assessment tech-
hazards and is intended to be used in conjunction with other niques.
application-specific (i.e., Type B and Type C) safety stan- IEC 61508 Functional Safety of electrical / electronic / pro-
dards. grammable electronic (E/E/PE) safety-related systems
ISO 13849 Safety of machinery – Safety-related parts of (International Electrotechnical Commission, 2010a–2010g)
control systems (International Organization for Standardiza- This is a broad seven-part standard covering various
tion 2015b, 2012b) aspects to be considered when E/E/PE systems are used to
This two-part standard provides guidance on the design, carry out safety functions. It is particularly relevant to the
integration, and validation of safety-related control system principles of lifecycle management. It is intended to support
hardware and software used in various types of machinery. the development of application or sector-specific functional
It is primarily focused on fixed machinery, but it can also be safety standards and is only focused on electrical and elec-
applied to systems used is mobile equipment. Hazard tronic systems. It does not address concerns related to
assessment is used to establish required PLs of the control mechanical controls or human factor requirements related
systems, and achieved PLs are analyzed through an evalua- to the design of E/E/PE systems. System design require-
tion of the system architecture, including reliability of the ments are expressed using SILs.
components used and fault detection capability. It refer- IEC 62061 Safety of machinery – Functional safety of elec-
ences some concepts from other standards such as IEC trical, electronic and programmable electronic control sys-
61508 and suggests using an application-specific risk graph tems (International Electrotechnical Commission, 2015)
for determining performance requirements. This is an adaptation of IEC 64508 that is specific to fixed
ISO 17757 Earth-moving machinery and mining – machinery in which safety-related component design
Autonomous and semi-autonomous machine system requirements are expressed using SILs.
safety (International Organization for Standardization, 2019)
This standard provides the general safety requirements B.2 Non-Core Standards
and considerations for autonomous and semi-autonomous Defence Standard 00-56 Safety Management Require-
mobile machines used in earth-moving and mining applica- ments for Defence Systems (U.K. Defence Standardization,
tions. 2017).
ISO 19014 Earth-moving machinery – Functional safety This standard defines general concepts and principles for
(International Organization for Standardization, 2018c, hardware and software system developers to consider when
2018d) developing a safety system. It uses some aspects similar to

Global Mining Guidelines Group (GMG)

20 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

methodologies presented in IEC 61508 with a focus on con- This standard specifies general requirements and meth-
tracts and the contractor’s responsibilities. ods for evaluating and testing the performance of object
ISO 3450 Earth-moving machinery – Wheeled or high- detection systems used on mobile machinery.
speed rubber-tracked machines – Performance require- ISO 20474 Earth-moving machinery – Safety (International
ments and test procedures for brake systems (International Organization for Standardization 2017b)
Organization for Standardization, 2011a) This 15-part standard specifies the general safety require-
This standard specifies the performance requirements ments for earth-moving machinery. The first part contains
and test procedures for mobile machine braking systems. general requirements and the parts that follow are specific to
ISO 5010 Earth-moving machinery – Rubber tyred individual types of machines and their specific functions and
machines – Steering requirements (International Organiza- applications. It specifies the appropriate technical measures
tion for Standardization, 2007a) for eliminating or reducing risks from relevant hazards. It ref-
This standard specifies the performance and testing crite- erences use of ISO 17757 for autonomous systems.
ria used to evaluate the steering capability of wheeled mobile ISO 21448 Road vehicles – Safety of the intended function-
machinery. ality (International Organization for Standardization, 2019c)
ISO 10218 Robots and robotic devices – Safety Require- This standard complements ISO 26262; it is intended to be
ments for industrial robots – Part 1: Robots (International applied where situational awareness is critical to safety and
Organization for Standardization, 2011b) is derived from complex sensor and processing algorithms
This standard covers the safety requirements associated (e.g., emergency intervention systems, advanced driver
with industrial robots, including the potential hazards and assistance systems) where it may not be possible to estab-
steps to reduce or eliminate them. lish a SIL or PL rating.
ISO 13766 Earth-moving and building construction ISO 26262 Road vehicles – Functional safety (International
machinery – Electromagnetic compatibility (EMC) of Organization for Standardization, 2018f)
machines with internal electrical power supply (Interna- This is a 10-part standard focused on the application of
tional Organization for Standardization, 2018a, 2018b) functional safety to automotive electrical and electronic sys-
This is a two-part standard focused on electromagnetic tems. Many concepts are derived from IEC 61508 using an
compatibility. The first part is around general equipment industry-specific and risk-based approach to determine
compatibility requirements. The second part is focused on automotive safety integrity levels (ASILs) of the safety-
the test methods and acceptance criteria for safety-related related control systems used.
parts of control systems (functional safety) used on mobile IEC 61800 - Adjustable speed electrical power drive sys-
machinery. tems (International Electrotechnical Commission, 2016)
ISO / IEC/ IEEE 15288 - Systems and software engineering This is a nine-part standard focused on various aspects of
- System life cycle processes (International Organization for AC and DC drive system design, including considerations for
Standardization, 2015c) safety, interface requirements, electromagnetic compatibil-
This standard establishes a common framework of pro- ity, and energy efficiency. The most relevant document in this
cess controls that can be used by organizations when series is IEC 61800-5-2:2016, Adjustable speed electrical
acquiring or supplying systems. power drive systems - Part 5-2: Safety requirements – Func-
ISO 15817 Earth-moving machinery – Safety requirements tional.
for remote operator control systems (International Organi- IEC 62998 – Safety of machinery – Safety-related sensors
zation for Standardization, 2012a) used for the protection of persons (International Elec-
This standard specifies the essential safety requirements trotechnical Commission, 2019b)
for remote operator control of mobile machinery. It is not This is a technical specification of requirements for devel-
applicable to autonomous systems that are capable of work- oping and integrating safety related sensor systems and
ing without operator assistance. protecting people.
ISO 16001 Earth-moving machinery – Object detection
systems and visibility aids – Performance requirements
and tests (International Organization for Standardization,
2017a)

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 21

APPENDIX C: EXAMPLE FUNCTIONAL SAFETY Table C1. Functional Safety Management Plan
MANAGEMENT PLAN
1. Introduction
Table C1 is an example outlining the contents to consider
1.1 Scope
in a functional safety management plan. Please note that the
• Consider system and application
details will vary depending on the context and that the con-
1.2 Standards
tents of the functional safety management plan should be
• Identify functional safety standards utilized
tailored to suit the specific product or application. Also note
that a range of other processes may also fulfill the criteria of 2. Organization
the functional safety management plan. 2.1 Roles and responsibilities
Note that the items contained in Table C1 may be embed- 2.2 Competency
ded in a overall process rather than exist as a distinct func- •Develop strategy for internal competency management
tional safety management plan. 2.3 Communications
• Define interface points between OPS and mine operator, and set
requirements for documentation exchanged
2.4 Supplier management
3. Safety management
3.1 Lifecycle
• Outline functional safety lifecycle to be followed
3.2 Phase activities
• Plan for each phase, including identifying inputs, outputs, and
dependencies
3.3 Change management
3.4 Configuration management
3.5 Hazard log / risk register
4. Technical delivery
4.1 Design principles applied
• Structure software and hardware techniques employed (e.g.,
architecture)
4.2 Installation and commissioning
4.3 Verification
4.4 Validation
• Conduct site-specific safety validation exercise
4.5 Cybersecurity
4.6 Safety constraints
5. Operations and maintenance
5.1 Change management
• Detail how to maintain the risk register during production phase
5.2 Configuration management
• Define requirements for configuration management in operations
and maintenance
5.3 In-service performance management
• Define requirements for ongoing safety management and
continuous improvement
5.4 Management of actions
5.5 Emergency preparedness
6. Assurance
6.1 Audits
6.2 Functional safety assessments
• Define requirements for functional safety assessment

Global Mining Guidelines Group (GMG)

22 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

APPENDIX D: POTENTIAL ACTIVITIES FOR SOFTWARE DEVELOPMENT

Tables D.1 and D.2 list potential activities for software development and their relationship to PLs as they are defined in ISO
13849-1:2015. Please note that these tables are not for audit purposes because the activities and requirements will vary sig-
nificantly depending on the development process. These can be used to help understand and identify some of the activities
that may apply.
Please note that ISO 13849-1:2015 is under revision at the time of publication and this information will be outdated once
the next version is released. Please also note that other approaches and standards for software development may be more
appropriate for specific systems.

Table D.1. Safety-Related Embedded Software (SRESW)

PL
# Activity
a b c d e
1 Software safety lifecycle with verification and validation activities ✓ ✓ ✓ ✓ ✓
2 Documentation of specification and design ✓ ✓ ✓ ✓ ✓
3 Modular and structured design and coding ✓ ✓ ✓ ✓ ✓
4 Control of systematic failures ✓ ✓ ✓ ✓ ✓
Where using software-based measures for control of random hardware failures, verification of correct
5
implementation
✓ ✓ ✓ ✓ ✓
6 Functional testing (e.g., black-box testing) ✓ ✓ ✓ ✓ ✓
7 Appropriate software safety lifecycle activities after modifications ✓ ✓ ✓ ✓ ✓
8 Project management and quality management system comparable to (e.g., ISO 9001) ✓ ✓ ✓ ✓ ✓
9 Documentation of all relevant activities during software safety lifecycle ✓ ✓ ✓ ✓ ✓
10 Configuration management to identify all configuration items and documents related to an SRESW release ✓ ✓ ✓
11 Structured specification with safety requirements and design ✓ ✓ ✓
12 Use of suitable programming languages and computer-based tools with confidence from use ✓ ✓ ✓
Modular and structured programming, separation in non-safety-related software, limited module sizes with fully
13
defined interfaces, use of design and coding standards
✓ ✓ ✓
14 Coding verification by walk-through / review with control flow analysis ✓ ✓ ✓
15 Extended functional testing (e.g., grey-box testing, performance testing, or simulation) ✓ ✓ ✓
16 Impact analysis and appropriate software safety lifecycle activities after modifications ✓ ✓ ✓
17 Structural test coverage (statements) 100% (Note: in addition to ISO 13849 requirements) ✓ ✓ ✓

Global Mining Guidelines Group (GMG)

 GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING | 23

Table D.2. Safety-Related Applied Software (SRASW)

PL
# Activity
a b c d e
1 Software safety lifecycle with verification and validation activities ✓ ✓ ✓ ✓ ✓
2 Documentation of specification and design ✓ ✓ ✓ ✓ ✓
3 Modular and structured design and coding ✓ ✓ ✓ ✓ ✓
4 Functional Testing ✓ ✓ ✓ ✓ ✓
5 Appropriate development activities after modifications ✓ ✓ ✓ ✓ ✓
The safety-related software specification should be reviewed, made available to people involved in the lifecycle,
and contain the description of:

6 Safety functions with required PL and associated operating modes ✓ ✓ ✓ ✓ ✓

7 Performance criteria (e.g., reaction times) ✓ ✓ ✓ ✓ ✓
8 Hardware architecture with external signal interfaces ✓ ✓ ✓ ✓ ✓
9 Detection and control of external failure ✓ ✓ ✓ ✓ ✓
Selection of tools, libraries, languages:
Suitable tools with “confidence from use.” The tool should comply with the appropriate safety standard; if two
diverse components with diverse tools are used, confidence from use may be sufficient. Technical features that
10
detect conditions that could cause systematic error (such as data type mismatch, ambiguous dynamic memory
✓ ✓ ✓
allocation, incomplete called interfaces, recursion, pointer arithmetic) should be used.

Whenever reasonable and practicable, validated function block libraries should be used, either safety-related
11 function block libraries provided by the tool manufacturer (highly recommended for PL = e) or validated ✓ ✓ ✓
application-specific FB libraries.

A justified limited variability language (LVL) subset suitable for a modular approach should be used (e.g., the
12 accepted subset of IEC 61131-3 languages). Graphical languages (e.g., function block diagram, ladder diagram) ✓ ✓ ✓
are highly recommended.
Software design should feature:
13 Semi-formal methods to describe data and control flow(e.g., state diagram or program flow chart) ✓ ✓ ✓
Modular and structured programming predominantly realized by function blocks deriving from safety-related
14
validated function block libraries
✓ ✓ ✓
15 Function blocks of limited size of coding ✓ ✓ ✓
16 Code execution inside function block that should have one entry and one exit point ✓ ✓ ✓
17 Architecture model of three stages: inputs, processing, outputs ✓ ✓ ✓
18 Assignment of a safety output at only one program location ✓ ✓ ✓
Use of techniques for detection of external failure and for defensive programming within input, processing, and
19
output blocks that lead to a safe state
✓ ✓ ✓

Global Mining Guidelines Group (GMG)

24 | GUIDELINE FOR APPLYING FUNCTIONAL SAFETY TO AUTONOMOUS SYSTEMS IN MINING

Table D.2. Continued

PL
# Activity
a b c d e
Where SRASW and non-SRASW are combined in one component:
20 SRASW and non-SRASW should be coded in different function blocks with well-defined data links ✓ ✓ ✓
There should be no logical combination of non-safety-related and safety-related data that could lead to the
21 downgrading of the integrity of safety-related signals (e.g., combining safety-related and non-safety-related ✓ ✓ ✓
signals by a logical “OR” where the result controls safety-related signals)

Software implementation / coding:

Code should be readable, understandable and testable using symbolic variables instead of explicit hardware
22
addresses
✓ ✓ ✓
23 Justified or accepted coding guidelines should be used ✓ ✓ ✓
Data integrity and plausibility checks (e.g., range checks) available on application layer (defensive programming)
24
should be used
✓ ✓ ✓
25 Code should be tested by simulation ✓ ✓ ✓
26 Verification should be by control and data flow analysis for PLd or PLe ✓ ✓
Testing:
The appropriate validation method is black-box testing of functional behavior and performance criteria (e.g.,
27
timing performance)
✓ ✓ ✓
28 For PLd and PLe, test case execution from boundary value analysis is recommended ✓ ✓
29 Test planning is recommended and should include test cases with completion criteria and required tools ✓ ✓ ✓
30 Input / output testing should confirm that safety-related signals are correctly used within SRASW ✓ ✓ ✓
31 Structural test coverage (statements) 100% (Note: in addition to ISO 13849 requirements) ✓ ✓ ✓
Documentation:
32 All lifecycle and modification activities should be documented ✓ ✓ ✓ ✓ ✓
33 Documentation should be complete, available, readable, and understandable ✓ ✓ ✓ ✓ ✓
Code documentation within source text should contain module headers with legal entity, functional and I/O
34 description, and version of used library function blocks, and sufficient comments on networks and declaration ✓ ✓ ✓
lines
Configuration management:
It is highly recommended that procedures and data backup be established to identify and archive documents,
35
software modules, verification/validation results, and tool configuration related to a specific SRASW version
✓ ✓ ✓ ✓ ✓
Modifications:
After modifications of SRASW, impact analysis should be performed to confirm correct specification. Appropriate
36 lifecycle activities should be performed after modifications. Access rights to modifications should be controlled, ✓ ✓ ✓ ✓ ✓
and modification history should be documented.

Global Mining Guidelines Group (GMG)