kSIST FprEN ISO 25119-2:2018
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO/FDIS 25119-2:2018)
This document specifies the concept phase of the development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry and on self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to mobile municipal equipment (e.g. street-sweeping machines).
This document is not applicable to:
— aircraft and air-cushion vehicles used in agriculture;
— lawn and garden equipment.
This document specifies the characteristics and categories required of SRP/CS for carrying out their safety-related functions. It does not identify performance levels for specific applications.
NOTE 1 Machine specific type-C standards can specify performance levels (AgPL) for safety-related functions in machines within their scope. Otherwise, the specification of AgPL is the responsibility of the manufacturer.
This document is applicable to the safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES), as these relate to mechatronic systems. It covers the possible hazards caused by malfunctioning behaviour of E/E/PES safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy, and similar hazards, unless directly caused by malfunctioning behaviour of E/E/PES safety-related systems. It also covers malfunctioning behaviour of E/E/PES safety-related systems involved in protection measures, safeguards, or safety-related functions in response to non-E/E/PES hazards.
Examples included within the scope of this document:
— SRP/CS's limiting current flow in electric hybrids to prevent insulation failure/shock hazards;
— electromagnetic interference with the SRP/CS;
— SRP/CS's designed to prevent fire.
Examples not included within the scope of this document:
— insulation failure due to friction that leads to electric shock hazards;
— nominal electromagnetic radiation impacting nearby machine control systems;
— corrosion causing electric cables to overheat.
This document is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanic or pneumatic).
NOTE 2 See also ISO 12100 for design principles related to the safety of machinery.
This document is not applicable to safety related parts of control systems manufactured before the date of its publication.
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO/FDIS 25119-2:2018)
This part of ISO 25119 describes the concept phase of the development of safety-related parts of control systems (SRP/CS) in agricultural and forestry tractors, self-propelled ride-on machines, and mounted, semi-mounted and trailed machines for agricultural use. It can also be applied to municipal equipment (e.g. street-sweeping machines).
This part of ISO 25119 is not applicable to:
— aircraft and air-cushion vehicles for agricultural use,
— lawn and garden equipment.
This part of ISO 25119 specifies the characteristics and categories of SRP/CS required for carrying out safety functions.
This part of ISO 25119 applies to safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES) as part of mechatronic systems. It does not, however, prescribe which safety functions, categories or performance levels are to be applied to particular machines. It covers the possible hazards caused by malfunctions of safety-related E/E/PES, including the interactions of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless these are directly caused by a malfunction of safety-related E/E/PES. It also covers malfunctions of safety-related E/E/PES involved in protective measures, safeguards or safety functions in response to hazards not associated with E/E/PES.
Examples included in the scope:
— safety-related parts of a control system (SRP/CS) that limit current flow in electric hybrid systems in order to prevent insulation failures and electric shock hazards,
— electromagnetic interference with the SRP/CS, and
— SRP/CS designed for fire protection purposes.
Examples not included in the scope:
— insulation failures due to friction that lead to an electric shock hazard,
— nominal electromagnetic radiation affecting nearby machine control systems, and
— corrosion leading to overheating of electric cables.
Machinery safety standards (type-C standards) can either identify performance levels and/or categories themselves, or these should be determined by the machine manufacturer on the basis of a risk assessment.
It is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanical and pneumatic).
NOTE See also EN ISO 12100 for design principles for the safety of machinery.
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO/FDIS 25119-2:2018)
This document specifies the concept phase of the development of safety-related parts of control systems (SRP/CS) used on agricultural and forestry tractors, on self-propelled ride-on machines and on mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to mobile municipal equipment (e.g. street-cleaning machines).
This document is not applicable to:
— aircraft and air-cushion vehicles used in agriculture,
— gardening or horticultural equipment.
This document specifies the characteristics and categories required of SRP/CS for carrying out their safety-related functions. It does not identify performance levels for specific applications.
NOTE 1 Machine-specific standards (type-C standards) can specify performance levels (AgPL) for safety-related functions in machines within their scope. Otherwise, the specification of the AgPL is the responsibility of the manufacturer.
This document applies to the safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES), as far as these relate to mechatronic systems. It covers the possible hazards caused by the malfunctioning of safety-related E/E/PES, including the interaction between these systems. It does not address hazards associated with electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless they are directly caused by a malfunction of safety-related E/E/PES. It also covers the malfunctioning of safety-related E/E/PES involved in protective measures, safeguards or safety-related functions in response to non-E/E/PES hazards.
Examples within the scope of this document:
— SRP/CS limiting current flow in electric hybrids to prevent insulation failure/shock hazards;
— electromagnetic interference with the SRP/CS; and
— SRP/CS designed to prevent fire.
Examples outside the scope:
— insulation failure due to friction that leads to electric shock hazards;
— nominal electromagnetic radiation impacting nearby machine control systems;
— corrosion causing electric cables to overheat.
This document is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanical and pneumatic).
NOTE 2 For design principles related to the safety of machinery, see also ISO 12100.
This document is not applicable to safety-related parts of control systems manufactured before the date of its publication.
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO/FDIS 25119-2:2018)
SLOVENIAN STANDARD
oSIST prEN ISO 25119-2:2017
1 March 2017
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 2: Concept phase (ISO/DIS 25119-2:2017)
Tracteurs et matériels agricoles et forestiers - Parties des systèmes de commande relatives à la sécurité - Partie 2: Phase de projet (ISO/DIS 25119-2:2017)
This Slovenian standard is identical to: prEN ISO 25119-2
ICS:
35.240.68 IT applications in agriculture
65.060.01 Agricultural machines and equipment in general
oSIST prEN ISO 25119-2:2017 en,fr,de
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
DRAFT INTERNATIONAL STANDARD
ISO/DIS 25119-2
ISO/TC 23/SC 19 Secretariat: DIN
Voting begins on: 2017-01-04
Voting terminates on: 2017-03-28
Tractors and machinery for agriculture and forestry —
Safety-related parts of control systems —
Part 2:
Concept phase
Tracteurs et matériels agricoles et forestiers — Parties des systèmes de commande relatives à la sécurité —
Partie 2: Phase de projet
ICS: 35.240.99; 65.060.01
This document is a draft circulated for comment and approval. It is therefore subject to change and may not be referred to as an International Standard until published as such.
In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
This document is circulated as received from the committee secretariat.
ISO/CEN parallel processing
Reference number: ISO/DIS 25119-2:2017(E)
© ISO 2017
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword iv
Introduction v
1 Scope 2
2 Normative references 3
3 Terms and definitions 3
4 Abbreviated terms 3
5 Concept — Unit of observation 4
5.1 Objectives 4
5.2 Prerequisites 4
5.3 Requirements 4
5.4 Work products 5
6 Hazard and risk analysis method description 6
6.1 Objectives 6
6.2 Prerequisites 6
6.3 Requirements 6
6.4 Work products 9
7 Specification of system design requirements 9
7.1 Objectives 9
7.2 Prerequisites 9
7.3 Requirements 9
7.4 Work products 11
Annex A (normative) Designated architectures for SRP/CS 12
Annex B (informative) Simplified method to estimate channel MTTF_dC 18
Annex C (informative) Determination of diagnostic coverage (DC) 22
Annex D (informative) Estimates for common-cause failure (CCF) 26
Annex E (informative) Systematic failure 28
Annex F (informative) Characteristics of safety-related functions 32
Annex G (informative) Example of a risk analysis 35
Annex H (normative) Compatibility with other functional safety standards 40
Annex I (informative) Joined systems alternative compliance method 43
Annex J (normative) Alternate combinations of SRP/CS to achieve overall AgPL 44
Annex ZA (informative) Relationship between this European Standard and the Essential Requirements of EU Machinery Directive 2006/42/EC 46
Bibliography 47
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 25119-2 was prepared by Technical Committee ISO/TC 23, Tractors and machinery for agriculture and
forestry, Subcommittee SC 19, Agricultural electronics.
ISO 25119 Tractors and machinery for agriculture and forestry — Safety-related parts of control systems
consists of the following parts:
Part 1: General principles for design and development
Part 2: Concept phase
Part 3: Series development, hardware and software
Part 4: Production, operation, modification and supporting processes
Introduction
ISO 25119 sets out an approach to the design and assessment, for all safety life cycle activities, of
safety-relevant systems comprising electrical and/or electronic and/or programmable electronic systems
(E/E/PES) on tractors used in agriculture and forestry, and on self-propelled ride-on machines and mounted,
semi-mounted and trailed machines used in agriculture. It is also applicable to municipal equipment.
A prerequisite to the application of ISO 25119 is the completion of a suitable hazard identification and risk
analysis (e.g. ISO 12100) for the entire machine. As a result, the control system parts of the machines
concerned are frequently assigned to provide the critical functions of the safety-related parts of control
systems (SRP/CS). These can consist of hardware or software, can be separate or integrated parts of a
control system, and can either perform solely critical functions or form part of an operational function.
In general, the designer (and to some extent, the user) will combine the design and validation of these
SRP/CS as part of the risk assessment. The objective is to reduce the risk associated with a given hazard (or
hazardous situation) under all conditions of use of the machine. This may be achieved by applying various
protective measures (both SRP/CS and non-SRP/CS) with the end result of achieving a safe condition.
ISO 25119 allocates the ability of safety-related parts to perform a critical function under foreseeable
conditions into five performance levels. The performance level of a controlled channel depends on several
factors, including system structure (category), the extent of fault detection mechanisms (diagnostic coverage),
the reliability of components (mean time to dangerous failure, common-cause failure), design processes,
operating stress, environmental conditions and operation procedures. Three types of failures are considered:
systematic, common-cause and random.
In order to guide the designer during design, and to facilitate the assessment of the achieved performance
level, ISO 25119 defines an approach based on a classification of structures with different design features and
specific behaviour in case of a fault.
The performance levels and categories can be applied to the control systems of all kinds of mobile machines:
from simple systems (e.g. auxiliary valves) to complex systems (e.g. steer by wire), as well as to the control
systems of protective equipment (e.g. interlocking devices, pressure sensitive devices).
ISO 25119 adopts a risk-based approach for the determination of the risks, while providing a means of
specifying the required performance level for the safety-related functions to be implemented by E/E/PES
safety-related channels. It gives requirements for the whole safety life cycle of E/E/PES (design, validation,
production, operation, maintenance, decommissioning), necessary for achieving the required functional safety
for E/E/PES that are linked to the performance levels.
The structure of safety standards in the field of machinery is as follows.
a) Type-A standards (basic safety standards) give basic concepts, principles for design and general aspects
that can be applied to machinery.
b) Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more
type(s) of safeguards that can be used across a wide range of machinery:
type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices,
guards).
c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular
machine or group of machines.
This part of ISO 25119 is a type-B1 standard as stated in EN ISO 12100.
For machines which are covered by the scope of a machine specific type-C standard and which have been
designed and built according to the provisions of that standard, the provisions of that type-C standard take
precedence over the provisions of this type-B standard.
Tractors and machinery for agriculture and forestry —
Safety-related parts of control systems —
Part 2:
Concept phase
1 Scope
This part of ISO 25119 specifies the concept phase of the development of safety-related parts of control
systems (SRP/CS) on tractors used in agriculture and forestry, and on self-propelled ride-on machines and
mounted, semi-mounted and trailed machines used in agriculture. It may also be applied to municipal
equipment (e.g. street-sweeping machines).
This part of ISO 25119 is not applicable to:
— aircraft and air-cushion vehicles used in agriculture,
— lawn and garden equipment.
This part of ISO 25119 specifies the characteristics and categories required of SRP/CS for carrying out their
safety-related functions.
This part of ISO 25119 is applicable to the safety-related parts of electrical/electronic/programmable electronic
systems (E/E/PES), as these relate to mechatronic systems. It does not specify which safety-related functions
or performance levels are to be used for particular machines. It covers the possible hazards caused by
malfunctioning behaviour of E/E/PES safety-related systems, including interaction of these systems. It does
not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity,
corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of
E/E/PES safety-related systems. It also covers malfunctioning behaviour of E/E/PES safety-related systems
involved in protection measures, safeguards, or safety-related functions in response to non-E/E/PES hazards.
Examples included in scope:
— SRP/CS’s limiting current flow in electric hybrids to prevent insulation failure/shock hazards,
— electromagnetic interference with the SRP/CS, and
— SRP/CS’s designed to prevent fire.
Examples not included in scope:
— insulation failure due to friction that leads to electric shock hazards,
— nominal electromagnetic radiation impacting nearby machine control systems, and
— corrosion causing electric cables to overheat.
Machine specific standards (type-C standards) can identify performance levels and/or categories or they
should be determined by the manufacturer of the machine based on risk assessment.
It is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanic or pneumatic).
NOTE See also EN ISO 12100 for design principles related to the safety of machinery.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 25119-1:2014, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 1: General principles for design and development
ISO 25119-3:2014, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 3: Series development, hardware and software
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 25119-1:2014 apply.
4 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
ADC analogue to digital converter
AgPL agricultural performance level
AgPL_r required agricultural performance level
CAD computer-aided design
Cat hardware category
CCF common-cause failure
CRC cyclic redundancy check
DC diagnostic coverage
DC_avg average diagnostic coverage
ECU electronic control unit
ETA event tree analysis
E/E/PES electrical/electronic/programmable electronic systems
EMC electromagnetic compatibility
EUC equipment under control
FMEA failure mode and effects analysis
FMECA failure mode effects and criticality analysis
EPROM erasable programmable read-only memory
FSM functional safety management
FTA fault tree analysis
HAZOP hazard and operability study
HIL hardware in the loop
MTTF mean time to failure
MTTF_d mean time to dangerous failure
MTTF_dC mean time to dangerous failure for each channel
PES programmable electronic system
QM quality measures
RAM random-access memory
SOP start of production
SRL software requirement level
SRP safety-related parts
SRP/CS safety-related parts of control systems
SRS safety-related system
5 Concept — Unit of observation
5.1 Objectives
The objective of this phase is to develop an adequate understanding of the unit of observation in order to
satisfactorily complete all of the tasks defined in the safety life cycle (see ISO 25119-1:2014, Figure 2). On the
basis of the chosen safety concept, a suitable method shall be used to determine the required performance
level. Suitable methods include risk analysis (described below), other standards, legal requirements and test
body expertise or a combination of these.
5.2 Prerequisites
The necessary prerequisites are a description of the unit of observation, its interfaces, already-known safety
and reliability requirements, and the scope of application.
5.3 Requirements
5.3.1 Unit of observation and ambient conditions
A safety-related concept shall include the following:
a) the scope, context and purpose of the unit of observation;
b) functional requirements for the unit of observation;
c) other requirements regarding the unit of observation and ambient conditions, including
— technical or physical requirements, e.g. operating, environmental and surrounding conditions and
constraints, and
— legal requirements, especially safety-related legislation, regulations and standards (national and
international);
d) historical safety and reliability requirements and the level of safety and reliability achieved for similar or
related units of observation.
5.3.2 Limits of unit of observation and its interfaces with other units of observation
The following information shall be considered in order to gain an understanding of the operation of the unit of
observation in its environment:
— the limits of the unit of observation;
— its interfaces and interactions with other units of observation and components;
— requirements regarding other units of observation;
— mapping and allocation of relevant functions to involved units of observation.
5.3.3 Sources of stress
The sources of stress which could affect the safety and reliability of the unit of observation shall be determined,
including the following:
— the interaction of different units of observation;
— hazards of a physical or chemical nature (energy content, toxicity, explosiveness, corrosiveness,
reactivity, combustibility, etc.);
— other external events [temperature, shock, electromagnetic compatibility (EMC), etc.];
— reasonably foreseeable human operating errors;
— hazards originating from the unit of observation, and events triggering failure (e.g. during assembly or
maintenance).
5.3.4 Additional determinations
In addition to the activities described in 5.3.2, the following determinations or actions shall be implemented:
— determination as to whether the unit of observation is a new development or a modification, adaptation or
derivative of an existing unit of observation and, in the case of modification, the carrying out of an impact
analysis to adjust the safety life cycle accordingly;
— preparing a plan and a specification to validate the requirements regarding the unit of observation defined
in 5.3.1;
— definition of project management for the appropriate phases in the life cycle;
— adequate input data for the reliability assessment;
— adequate procedures and application of tools and technologies;
— utilisation of qualified staff.
5.4 Work products
The work products of the concept/definition of the unit of observation are
a) the unit of observation and ambient conditions,
b) limits of the unit of observation and its interfaces with other units of observation,
c) sources of stress, and
d) additional determinations.
6 Hazard and risk analysis method description
6.1 Objectives
Risk analysis provides information required for the risk evaluation, which in turn allows judgments to be made
about whether or not risk reduction is required. Risk is defined (see ISO 25119-1:2014, definition 3.39) as the
combination of the probability of occurrence of harm and the severity of that harm.
When considering the frequency of the occurrence of harm, as a rule, the probability of being exposed to a
hazardous situation is taken into account.
When considering systems, the possibility that the operator will react in many cases to avoid harm is generally
to be taken into account.
The procedure described in 6.2 through 6.4 provides guidance for determining the AgPL_r.
6.2 Prerequisites
Definition of the unit of observation
6.3 Requirements
6.3.1 Procedures for preparing a risk analysis
The risk analysis shall take into account the overall scope of the application. If decisions are made later in the
safety life cycle changing the scope of application, a new risk analysis shall be carried out.
The architecture of the SRP/CS shall not be considered as part of the risk analysis.
6.3.2 Tasks in risk analysis
The operating conditions in which the unit of observation can initiate hazards when correctly used (including
reasonably foreseeable human operating errors and part failures) shall be considered.
6.3.3 Participants in risk analysis
The risk analysis shall involve several individuals from different departments, e.g. electronic or electrical
development, testing or validation, machine or hydraulics design, service, or external consultants (e.g.
technical inspection authority).
6.3.4 Assessment and classification of a potential harm
Potentially harmful effects can be deduced by considering possible malfunctions and systematic failures in
relevant operating conditions. The potential severity of harm shall be described as precisely as possible for
each relevant scenario.
A certain categorisation shall be used in the description of the harm. For this reason, a classification of the
severity of harm is presented in four categories: S0, S1, S2 and S3 (see Table 1).
The operator of the involved machine and other parties (e.g. people lending assistance, other operators of
machinery, bystander, etc.) shall be used in a detailed description of the harm.
An examination of risk for safety-related functions is focused on the origin of injuries to people. If in the
analysis of potential harm it can be established that damage is clearly limited to property and does not involve
injury to people, this would not be cause for classification as a safety-related function. The introduction of an
S0 harm classification allows for this fact. No advanced risk assessment need be carried out for functions
assigned to harm class S0.
Table 1 — Examples of the descriptions of injuries
S0: No significant injuries; requires only first aid.
S1: Light and moderate injuries; requires medical attention; total recovery.
S2: Severe and life-threatening injuries (survival probable); permanent partial loss in work capacity.
S3: Life-threatening injuries (survival uncertain); severe disability.
6.3.5 Assessment of exposure in the situation observed
A risk analysis reflects the effects of possible failures in specific regional working and operating conditions.
These situations range from daily routine activities to extreme, rare situations. The variable “E” shall be used
to categorise the different frequencies or duration of exposure. Five categories, designated E0, E1, E2, E3
and E4, are used (see Table 2), where “E” serves as an estimation of how often and how long an operator or
bystander is exposed to a hazard where a failure could result in an injury to the operator or bystander. The
exposure for a given situation is determined by frequency and duration, and the most appropriate of the two should be
used for the determination of AgPL_r.
NOTE A hazard can be a combination of conditions (e.g. environmental and/or operational) of the machine.
Table 2 — Exposure to the hazardous event
E0: Improbable (theoretically possible; once during lifetime); duration below 0,01 %
E1: Rare events (less than once per year); duration 0,01 % to 0,1 %
E2: Sometimes (more than once per year); duration 0,1 % to 1 %
E3: Often (more than once per month); duration 1 % to 10 %
E4: Frequently (almost every operation); duration above 10 %
Duration is expressed as t_exp / t_av_op, where t_exp is the exposure time and t_av_op is the average operating time.
6.3.6 Assessment of a possible avoidance of harm
Assessing possible avoidance of harm involves appraising whether or not a typical machine operator, trained
if practicable, has control over the dangerous situation that could arise and can avoid it, or if the situation is
completely uncontrollable. Even a bystander can avoid a harmful situation. In turn, four classifications have
been set up by which the avoidance of harm can be rated. The rating for a possible avoidance of harm
assumes only the function without additional safety precautions (avoidance of harm beyond the technical
system). The classifications C0, C1, C2 and C3 represent “easily controllable”, “simply controllable”, “mostly
controllable” and “none” (see Table 3).
Table 3 — Possible avoidance of harm
C0 Easily controllable: The operator or bystander controls the situation, and harm is avoided.
C1 Simply controllable: More than 99% of people control the situation. In more than 99% of the occurrences, the
situation does not result in harm.
C2 Mostly controllable: More than 90% of people control the situation. In more than 90% of the occurrences, the
situation does not result in harm.
C3 None: The typical operator or bystander cannot generally avoid the harm.
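As an added illustration, not part of the standard, the following Python code applies the exposure criteria of Table 2 and the controllability criteria of Table 3 to constructed hazard data. The severity class S remains an assessor's judgement per Table 1, and the risk graph of Figure 1 that combines S, E and C into AgPLr is not reproduced on this page, so the code stops at the parameters. Several points the tables leave open are assumptions flagged in the comments: the machine lifetime used to separate E0 from E1, the 90 % share of operations taken to mean "almost every operation", the handling of the duration band boundaries, and the choice of the more conservative of the frequency-based and duration-based classes when they disagree (the standard only says the most appropriate is used).

```python
from dataclasses import dataclass

# Exposure classes of Table 2 in increasing order, so max() on list position
# yields the more conservative (higher) class.
EXPOSURE_CLASSES = ["E0", "E1", "E2", "E3", "E4"]


def exposure_by_frequency(events_per_year: float, operations_per_year: float,
                          lifetime_years: float = 20.0) -> str:
    """Frequency criterion of Table 2.

    lifetime_years is an assumption used to separate E0 ("once during lifetime")
    from E1 ("less than once per year"); the standard gives no figure.
    """
    # Assumption: exposure on 90 % or more of operations is "almost every operation".
    if events_per_year >= 0.9 * operations_per_year:
        return "E4"
    if events_per_year > 12:        # more than once per month
        return "E3"
    if events_per_year > 1:         # more than once per year
        return "E2"
    if events_per_year * lifetime_years > 1:   # less than once per year, more than once per lifetime
        return "E1"
    return "E0"                     # theoretically possible; at most once during lifetime


def exposure_by_duration(t_exp_hours: float, t_av_op_hours: float) -> str:
    """Duration criterion of Table 2: exposure time over average operating time.

    Assumption: each band's upper bound still belongs to the lower class
    (0,1 % is E1, 1 % is E2, 10 % is E3).
    """
    if t_av_op_hours <= 0:
        raise ValueError("average operating time must be positive")
    ratio = t_exp_hours / t_av_op_hours
    if ratio < 0.0001:      # less than 0,01 %
        return "E0"
    if ratio <= 0.001:      # 0,01 % to 0,1 %
        return "E1"
    if ratio <= 0.01:       # 0,1 % to 1 %
        return "E2"
    if ratio <= 0.10:       # 1 % to 10 %
        return "E3"
    return "E4"             # more than 10 %


def controllability(share_controlling: float) -> str:
    """Table 3: share (0..1) of people controlling the situation / occurrences without harm.

    Assumption: C0 ("the operator or bystander controls the situation") is a share of 1.0.
    """
    if not 0.0 <= share_controlling <= 1.0:
        raise ValueError("share must be between 0 and 1")
    if share_controlling >= 1.0:
        return "C0"
    if share_controlling > 0.99:
        return "C1"
    if share_controlling > 0.90:
        return "C2"
    return "C3"


@dataclass
class HazardData:
    """Constructed input record for one identified hazard."""
    name: str
    events_per_year: float
    operations_per_year: float
    t_exp_hours: float
    t_av_op_hours: float
    share_controlling: float


def assess_parameters(h: HazardData) -> dict:
    """Return both exposure criteria, the exposure class used, and C for one hazard."""
    e_freq = exposure_by_frequency(h.events_per_year, h.operations_per_year)
    e_dur = exposure_by_duration(h.t_exp_hours, h.t_av_op_hours)
    # Assumption: when the two criteria disagree, take the higher class as the
    # conservative default; the assessor may override it with the "most appropriate" one.
    e_used = max(e_freq, e_dur, key=EXPOSURE_CLASSES.index)
    return {"hazard": h.name, "E_frequency": e_freq, "E_duration": e_dur,
            "E": e_used, "C": controllability(h.share_controlling)}


if __name__ == "__main__":
    # Constructed sample with invented figures: a helper standing near an implement
    # that could lower unexpectedly.
    sample = HazardData("unintended implement lowering", events_per_year=20,
                        operations_per_year=200, t_exp_hours=2,
                        t_av_op_hours=1000, share_controlling=0.95)
    print(assess_parameters(sample))
```

For the constructed sample the frequency criterion gives E3 (20 events a year is more than once a month) while the duration criterion gives E2 (0,2 % of operating time), so the conservative rule reports E3; the assessor records both so that the choice remains traceable.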
6.3.7 Selecting the required AgPLr
The required AgPLr is illustrated in Figure 1 by combining the severity, exposure, and controllability values for
each identified hazard.
The required AgPLr are designated from AgPL a to AgPL e. AgPL a has the lowest system requirements
and AgPL e has the highest system requirements. In addition to these levels, there is a quality measure
designation, QM, whose implicit requirement is to carry out system development in accordance with standards
like EN ISO 9001. A function classified as QM shall not be considered as a safety-related function because
the risk analysis has defined the risk as sufficiently low.
Key
S severity
E exposure to hazardous event
C controllability
QM quality measures
a, b, c, d, e required agricultural performance level (AgPLr)
Figure 1 — Determination of AgPLr
NOTE See 6.3.7 for description of QM.
6.4 Work products
The work product of hazard and risk analysis is the AgPLr for the safety functions.
7 Specification of system design requirements
7.1 Objectives
Derived from the results of the previous phases, the objectives of the requirements of this phase are to define
design requirements.
7.2 Prerequisites
Results of hazard and risk analysis.
7.3 Requirements
7.3.1 Assignment of AgPL
An AgPL shall be assigned to each identified hazard within the safety-related function analysed. The AgPL
with the highest rating shall define the AgPLr of the safety-related function.
Various combinations of reliability and architecture may be used to achieve the required AgPLr. For example,
it is possible (within certain limits) for a single-channel architecture of high reliability to provide the same or
higher performance level as a dual-channel architecture of lower reliability (see Figure 2).
The agricultural performance level of a safety-related control system is a function of the following four aspects:
— category (see Annex A);
— MTTFdC (see Annex B);
— DC (see Annex C);
— SRL (see ISO 25119-3:201x, Clause 7).
Additionally, the following items shall be considered during system design:
— CCF for categories 3 and 4 architectures (see Annex D);
— systematic failure (see Annex E);
— the ability to perform a safety-related function under expected environmental conditions (such as those
set out in ISO 15003);
— other typical functions (see Annex F).
An example risk assessment and resulting AgPLr is given in Annex G.
Key
low MTTFdC
medium MTTFdC
high MTTFdC
Figure 2 — Relationship between agricultural performance level, categories, DC, MTTFdC and SRL
The AgPLr is shown on the vertical axis of Figure 2. The hardware categories are listed on the horizontal axis.
Each category has an associated diagnostic coverage (DC), mean time to dangerous failure (MTTFdC) and
software requirement level (SRL) for a given performance level.
For the required AgPLr the designer shall select one hardware category.
NOTE Choosing a higher category for a given AgPL could allow lower MTTFdC and/or SRL.
7.3.2 Achieving the required AgPLr
The system design requirements shall be derived from the safety goals and, if necessary, from information
about the safe state defined in the risk analysis (e.g. switching off or maintain function). The selected design
shall be verified in an appropriate manner for effectiveness.
NOTE The effectiveness can be verified, for example, in clinics, studies, by test subjects, or by simulation. The
measures can also be defined in standards.
A safety-related function may be implemented by one or more safety-related parts of the control system. The
designer may use any of the technologies available singularly, or in combination. A safety E/E/PES may be
combined with a mechanical function (e.g. mechanically linked contacts).
A typical safety-function control channel with associated safety-related parts is shown in Figure 3, with input (I),
E/E/PES (L), output/power control elements (O) and interconnecting means (e.g. electrical, optical).
Key
I input device (e.g. sensor)
L logic
O output device (e.g. actuator)
SI interconnecting signal input
SO interconnecting signal output
Figure 3 — Diagram of combination of safety-related parts
All interconnecting means are included in the safety-related parts. Each safety-related part of a safety-function
control channel may consist of a different technology or technologies. Different technologies may be used for
implementing within each safety-related part.
EXAMPLE Input comprising a speed sensor linked to a light-activated signal converter.
7.3.3 Achievement of the performance level
The selection of SRP/CS shall be made to achieve the required performance level characteristics.
7.3.4 Compatibility with other functional safety standards
Use of SRP/CS derived from the application of other functional safety standards is allowed only per Annex H.
7.3.5 Joining E/E/PES systems
Guidance regarding the combination of E/E/PES (e.g. tractor and implement) is found in Annex I.
7.3.6 Alternate combinations of SRP/CS to achieve overall AgPL
Alternate methods for determination of the overall AgPL from joining multiple SRP/CS with existing separate
AgPLs are found in Annex J.
7.4 Work products
The work product of system design is the assignment of AgPL for the covered safety-related function,
comprising the:
— selected category (see Annex A),
— resulting MTTFdC (see Annex B),
— resulting DC (see Annex C),
— resulting SRL,
— resulting CCF for categories 3 and 4 architectures (see Annex D),
— consideration of systematic failure (see Annex E), and
— consideration of other typical functions (see Annex F).
Annex A
(normative)
Designated architectures for SRP/CS
A.1 General
Figure 3 and Figures A.1 to A.3 define the architecture required for each respective hardware category.
All architectures apply well-tried safety principles, including
— avoidance of certain faults, e.g. avoidance of short circuit by separation,
— reducing the probability of faults, e.g. over-dimensioning or underrating of components,
— controlling the fault mode, e.g. by ensuring an open circuit when it is vital to remove power in the event of
fault (normally open contact), and
— detecting faults prior to hazard realization.
The use of well-tried components is recommended. A well-tried component for a safety-related application
shall be a component which has been
a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate suitability and reliability for safety-related
applications.
Newly developed components may be considered as being equivalent to well-tried components if they
correspond to b), above.
The figures do not show examples but general architectures. A deviation from these architectures is always
possible. Nevertheless, any deviation from these categories will require justification, by means of appropriate
analytical tools, that the architecture meets the required category.
NOTE 1 Redundancy, e.g. redundant sensors, can be used to improve diagnostic coverage.
NOTE 2 Other hardware architectures could be found for example in IEC 61508-6, Annex B.
A.2 Category B (basic)
See Figure 3 for the designated architecture.
Properties
— DC = low.
— MTTFdC for channel = low to medium, the use of well-tried components is recommended.
— The consideration of common-cause failure is not relevant.
— The occurrence of a single fault can lead to the loss of the safety-related function.
— Not suitable for a single-point fail operational system.
A.3 Category 1
See Figure 3 for the designated architecture.
Properties
— DC = medium.
— MTTFdC for channel = low to medium.
— The consideration of common-cause failure is not relevant.
— Redundant inputs can be required for diagnostic coverage.
— Not suitable for a single-point fail operational system.
— The occurrence of a single fault can lead to the loss of the safety-related function, but in some cases a
safe state is achievable (for example detected fault on the inputs).
— The single fault is detected at or before the next demand upon the safety-related functions by testing at
switch-on of the safety-related function and/or periodic testing, if necessary.
The initiation of this check may be automatic or manual. The check itself shall not lead to a hazardous
situation. Any check of the safety-related function(s) shall either
1. allow operation if no faults have been detected, or
2. generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. When it is not possible to initiate a safe state
(e.g. welding of the contact in the final switching device), the output shall provide an operator warning
of the hazard. After the detection of a fault, if a safe state is initiated by the SRP/CS, the safe state
shall be maintained until the fault is cleared.
— The occurrence of a single fault can lead to the loss of the safety-related function, but the probability of
occurrence is lower than for category B.
A.4 Category 2
See Figure A.1 for the designated architecture.
Key
I input device (e.g. sensor)
L logic
O output device (e.g. actuator)
TE test equipment (additional to logic)
OTE output of test equipment
SI interconnecting signal input
SO interconnecting signal output
m monitoring
a Required to provide diagnostic coverage on logic, but not necessarily a separate channel.
Figure A.1 — Designated architecture for category 2
Properties
— Input sensor and output actuator faults are detected in the control logic.
— DC = medium.
— MTTFdC for channel = low, medium, high.
— The consideration of common-cause failure is not relevant.
— Redundant inputs can be required for diagnostic coverage.
— Output and output of test equipment may be arranged in series or parallel depending on the safe state.
— Not suitable for single-point fail operational system.
— Operator warning is required.
— The occurrence of a single fault can lead to the loss of the safety-related function, but if the fault is
detected a safe state is achieved.
— The single fault is detected at or before the next demand upon the safety-related functions by testing at
switch-on of the safety-related function and/or periodic testing, if necessary.
The initiation of this check may be automatic or manual. The check itself shall not lead to a hazardous
situation. The checking equipment may be integral with, or separate from, the safety-related part(s)
providing the safety-related function. Any check of the safety-related function(s) shall either
1) allow operation if no faults have been detected, or
2) generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. When it is not possible to initiate a safe state
(e.g. welding of the contact in the final switching device), the output shall provide an operator warning
of the hazard. After the detection of a fault, if a safe state is initiated by the SRP/CS, the safe state
shall be maintained until the fault is cleared.
NOTE 1 In some cases, category 2 is not applicable because the checking of the safety-related function cannot be
applied to all components and then DC is not achievable, e.g. pressure switch or temperature sensor.
NOTE 2 In general, category 2 can be realised with electric techniques (e.g. in protective equipment and in particular
control systems).
NOTE 3 Some components are of high reliability and need be checked only periodically. Speed sensors can be
checked only during operation (sensor is counting), but the functionality and line breakdown can be checked during the
start routine. Machines are normally started several times a day, allowing multiple checks per day.
NOTE 4 In some cases, the operator has to make a periodical manual test to check safety-related parts, e.g. seat
switches.
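The check sequence that A.3 and A.4 prescribe for categories 1 and 2 (allow operation when no fault is found; otherwise initiate a safe state, or warn the operator when no safe state can be initiated; keep the safe state until the fault is cleared; never let the check itself create a hazard) can be written as a small state machine. The following Python code is an added example, not text or code from the standard. Its data model is an assumption: the diagnostics report each detected fault as a pair (name, safe_state_possible), with the second element False for faults such as a welded contact in the final switching device, and the "check runs with outputs de-energised" rule is modelled by disabling the output before every check.

```python
from enum import Enum


class Action(Enum):
    """Outcome of one check of the safety-related function (A.3, A.4)."""
    ALLOW_OPERATION = "allow operation"
    SAFE_STATE = "initiate safe state"
    OPERATOR_WARNING = "operator warning"


class SafetyFunctionCheck:
    """Switch-on / periodic check of a category 1 or 2 SRP/CS (constructed model).

    detected_faults passed to check() is a list of (name, safe_state_possible)
    tuples as reported by the diagnostics; the boolean is the assumed way of
    telling the logic whether a safe state can be initiated for that fault.
    """

    def __init__(self) -> None:
        self.output_enabled = False    # True only while operation is allowed
        self.latched_fault = None      # fault that put the SRP/CS into the safe state
        self.warning_faults = set()    # faults for which only a warning is possible
        self.history = []              # log of (action, faults) for later appraisal

    @property
    def warning_active(self) -> bool:
        return bool(self.warning_faults)

    def check(self, detected_faults) -> Action:
        """Run at switch-on and/or periodically; returns the action taken."""
        # The check itself shall not lead to a hazardous situation: the output is
        # de-energised while the check runs and re-enabled only on success.
        self.output_enabled = False
        if self.latched_fault is not None:
            # The safe state is maintained until the fault has been cleared,
            # even if the present check finds nothing.
            action = Action.SAFE_STATE
        elif not detected_faults:
            self.output_enabled = True
            action = Action.ALLOW_OPERATION
        else:
            latchable = [name for name, safe_possible in detected_faults if safe_possible]
            if latchable:
                self.latched_fault = latchable[0]
                action = Action.SAFE_STATE
            else:
                # No safe state can be initiated (e.g. welded contact): warn the
                # operator of the hazard instead.
                self.warning_faults.update(name for name, _ in detected_faults)
                action = Action.OPERATOR_WARNING
        self.history.append((action, list(detected_faults)))
        return action

    def clear_fault(self, name: str) -> None:
        """Called after repair; a fresh check is still needed before operation resumes."""
        if self.latched_fault == name:
            self.latched_fault = None
        self.warning_faults.discard(name)


if __name__ == "__main__":
    sf = SafetyFunctionCheck()
    print(sf.check([]))                               # allow operation
    print(sf.check([("input sensor stuck", True)]))   # initiate safe state
    print(sf.check([]))                               # still safe state: not cleared
    sf.clear_fault("input sensor stuck")
    print(sf.check([]))                               # allow operation again
```

The latch is the point practitioners most often get wrong: a fault that is no longer visible to the diagnostics (an intermittent sensor fault, say) must not silently re-enable the output; only an explicit clearing of the fault followed by a passed check does.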
A.5 Category 3
See Figure A.2 for the designated architecture.
Key
I1, I2 input device (e.g. sensor)
L1, L2 logic
O1, O2 output device, e.g. actuator
SI interconnecting signal input
SO interconnecting signal output
m monitoring
c cross-monitoring
Figure A.2 — Designated architecture for category 3
Properties
— Input sensor, logic and output actuator faults are detected in the control logic.
— DC = medium.
— MTTFdC for channel = low, medium.
— The consideration of common-cause failure is required (see Annex D).
— Redundant inputs can be required for diagnostic coverage.
— Additional redundant outputs can be required for safe state.
— Outputs 1 and 2 may be arranged in series or parallel depending on the safe state.
— Suitable for a single point fail operational system with a redundant power supply.
— Operator warning is required.
— When a detected single fault occurs, the safety-related function is always performed or the system fails to
a safe state, but an accumulation of undetected faults can lead to the loss of the safety-related function.
— Whenever reasonably practicable, the single fault is detected at or before the next demand upon the
safety-related functions by testing at switch-on of the safety-related function and/or periodic testing, if
necessary.
The initiation of this check may be automatic or manual. The check itself shall not lead to a hazardous
situation. The checking equipment may be integral with, or separate from, the safety-related part(s)
providing the safety-related function. Any check of the safety-related function(s) shall either:
1) allow operation if no faults have been detected, or
2) generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible, this output shall initiate a safe state. The system shall provide a warning to the
operator when a failure condition is detected. After the detection of a fault, if a safe state is initiated
by the SRP/CS, the safe state shall be maintained until the fault is cleared.
NOTE 1 Some components are of high reliability and need be checked only periodically. Speed sensors can be
checked only during operation (sensor is counting), but the functionality and line breakdown can be checked during the
start routine. Machines are normally started several times a day, allowing multiple checks per day.
NOTE 2 In some cases, the operator has to make a periodical manual test to check safety-related parts, e.g. seat
switches.
NOTE 3 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the
accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical
examples of practicable measures for fault detection are the movement of relay contacts and the monitoring of redundant
electrical outputs.
NOTE 4 It is preferable that the error condition(s) be stored for later appraisals.
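The category 3 properties above (single detected fault: function still performed or safe state reached; accumulation of undetected faults: loss of the function) are easiest to see on a two-channel stop function with cross-monitoring and series outputs, the arrangement suited to a safe state of "stopped". The Python simulation below is an added example, not the standard's own material; the channel model, the injected "output contact welded in the run position" fault, and the clear_faults helper are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Channel:
    """One of the two channels I1-L1-O1 / I2-L2-O2 of Figure A.2 (constructed model)."""
    name: str
    # Constructed fault injection: the channel's output contact is welded so that
    # it keeps the machine energised ("run") whatever the logic commands.
    stuck_at_run: bool = False

    def commands_run(self, stop_demand: bool) -> bool:
        """True if this channel energises its output (machine may run)."""
        if self.stuck_at_run:
            return True
        return not stop_demand


@dataclass
class Category3StopFunction:
    """Two-channel stop function with cross-monitoring and series outputs.

    O1 and O2 are in series, so the machine runs only when both channels
    energise their output; a stop commanded by either channel stops it.
    """
    ch1: Channel
    ch2: Channel
    safe_state_latched: bool = False
    operator_warning: bool = False
    detected_faults: list = field(default_factory=list)

    def cycle(self, stop_demand: bool) -> bool:
        """One control cycle; returns True if the machine actually runs."""
        demand = stop_demand or self.safe_state_latched
        r1 = self.ch1.commands_run(demand)
        r2 = self.ch2.commands_run(demand)
        if r1 != r2:
            # Cross-monitoring (c in Figure A.2): the channels disagree, so a
            # single fault is detected. Fail to the safe state, warn the operator,
            # and keep the safe state until the fault is cleared.
            self.detected_faults.append(
                f"channel disagreement: {self.ch1.name}={r1}, {self.ch2.name}={r2}")
            self.safe_state_latched = True
            self.operator_warning = True
            r1 = self.ch1.commands_run(True)
            r2 = self.ch2.commands_run(True)
        # Series arrangement of O1 and O2: both must energise for the machine to run.
        return r1 and r2

    def clear_faults(self) -> None:
        """After repair of both channels: release the latched safe state (constructed helper)."""
        self.ch1.stuck_at_run = self.ch2.stuck_at_run = False
        self.safe_state_latched = False
        self.operator_warning = False


if __name__ == "__main__":
    # Scenario 1: single fault in channel 1, detected on the next stop demand.
    one_fault = Category3StopFunction(Channel("L1", stuck_at_run=True), Channel("L2"))
    print("runs without demand:", one_fault.cycle(False))   # True, fault not yet visible
    print("runs on stop demand:", one_fault.cycle(True))    # False: stopped and safe state latched
    print("warning:", one_fault.operator_warning, one_fault.detected_faults)
    # Scenario 2: the same undetected fault accumulated in both channels.
    two_faults = Category3StopFunction(Channel("L1", stuck_at_run=True),
                                       Channel("L2", stuck_at_run=True))
    print("runs on stop demand with two faults:", two_faults.cycle(True))  # True: function lost
```

Scenario 2 is the point of NOTE 3: cross-monitoring sees two channels that agree, so nothing is detected, and the series outputs no longer help because both contacts are welded. That is why the standard asks for detection at or before the next demand (the first fault must be caught while it is still single) and for common-cause failure analysis of the two channels (Annex D).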
A.6 Category 4
See Figure A.3 for the designated arc
...







