EN ISO 25119-2:2023

SLOVENSKI STANDARD
01-november-2023
Traktorji ter kmetijski in gozdarski stroji - Varnostni deli krmilnih sistemov - 2. del:
Faza koncepta (ISO 25119-2:2019)
Tractors and machinery for agriculture and forestry - Safety-related parts of control
systems - Part 2: Concept phase (ISO 25119-2:2019)
Traktoren und Maschinen für die Land- und Forstwirtschaft - Sicherheitsbezogene Teile
von Steuerungen - Teil 2: Konzeptphase (ISO 25119-2:2019)
Tracteurs et matériels agricoles et forestiers - Parties des systèmes de commande
relatives à la sécurité - Partie 2: Phase de projet (ISO 25119-2:2019)
Ta slovenski standard je istoveten z: EN ISO 25119-2:2023
ICS:
35.240.99 Uporabniške rešitve IT na IT applications in other fields
drugih področjih
65.060.01 Kmetijski stroji in oprema na Agricultural machines and
splošno equipment in general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN ISO 25119-2
EUROPEAN STANDARD
NORME EUROPÉENNE
September 2023
EUROPÄISCHE NORM
ICS 35.240.99; 65.060.01
English Version
Tractors and machinery for agriculture and forestry -
Safety-related parts of control systems - Part 2: Concept
phase (ISO 25119-2:2019)
Tracteurs et matériels agricoles et forestiers - Parties Traktoren und Maschinen für die Land- und
des systèmes de commande relatives à la sécurité - Forstwirtschaft - Sicherheitsbezogene Teile von
Partie 2: Phase de projet (ISO 25119-2:2019) Steuerungen - Teil 2: Konzeptphase (ISO 25119-
2:2019)
This European Standard was approved by CEN on 9 January 2023.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 25119-2:2023 E
worldwide for CEN national Members.

Contents Page
European foreword . 3
Annex ZA (informative) Relationship between this European Standard and the essential
requirements of Directive 2006/42/EC aimed to be covered . 4

European foreword
The text of ISO 25119-2:2019 has been prepared by Technical Committee ISO/TC 23 "Tractors and
machinery for agriculture and forestry” of the International Organization for Standardization (ISO) and
has been taken over as EN ISO 25119-2:2023 by Technical Committee CEN/TC 144 “Tractors and
machinery for agriculture and forestry” the secretariat of which is held by AFNOR.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by March 2024, and conflicting national standards shall
be withdrawn at the latest by March 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a Standardization Request given to CEN by the European
Commission and the European Free Trade Association, and supports essential requirements of EU
Directive(s) / Regulation(s).
For the relationship with EU Directive(s) / Regulation(s), see informative Annex ZA, which is an integral
part of this document.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO 25119-2:2019 has been approved by CEN as EN ISO 25119-2:2023 without any
modification.
Annex ZA
(informative)
Relationship between this European Standard and the essential
requirements of Directive 2006/42/EC aimed to be covered
This European Standard has been prepared under a Commission’s standardization request “M/396
Mandate to CEN and CENELEC for Standardisation in the field of machinery" to provide one voluntary
means of conforming to essential requirements of Directive 2006/42/EC of the European Parliament
and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast).
Once this standard is cited in the Official Journal of the European Union under that Directive,
compliance with the normative clauses of this standard given in Table ZA.1 confers, within the limits of
the scope of this standard, a presumption of conformity with the corresponding essential requirements
of that Directive, and associated EFTA regulations.
Table ZA.1— Correspondence between this European Standard and Annex I of Directive
2006/42/EC
The relevant Essential Clause(s)/sub-clause(s) of Remarks/Notes
Requirements of Directive this EN
2006/42/EC
1.1.2. Principles of safety -----

integration
1.1.2(a) 5.3, 6.3, 7.3, A.1, A.2, A.3, A.4,

A.5, A.6, H.2, H.3, H.4, H.5, J1, J2
1.1.2(c) 5.3, 6.3, 7.3, A.1, A.2, A.3, A.4,

A.5, A.6, H.2, H.3, H.4, H.5, J1, J2
1.1.2(d) NOT COVERED
1.1.2(e) NOT COVERED
1.1.3. Materials and products NOT COVERED
1.1.4. Lighting NOT COVERED
1.1.5. Design of machinery to
NOT COVERED
facilitate its handling
1.1.6. Ergonomics NOT COVERED
1.1.7. Operating positions NOT COVERED
1.1.8. Seating NOT COVERED
1.2. CONTROL SYSTEMS -----
1.2.1. Safety and reliability of 5.3, 6.3, 7.3, A.1, A.2, A.3, A.4,

control systems A.5, A.6, H.2, H.3, H.4, H.5, J1, J2
1.2.2. Control devices NOT COVERED
1.2.3. Starting NOT COVERED
1.2.4. Stopping -----
1.2.4.1 Normal Stop NOT COVERED
1.2.4.2. Operational stop NOT COVERED
1.2.4.3. Emergency stop NOT COVERED
1.2.4.4. Assembly of machinery NOT COVERED
1.2.5. Selection of control or
NOT COVERED
operating modes
1.2.6. Failure of the power 6.3, 7.3

supply
1.3. PROTECTION AGAINST ----
MECHANICAL HAZARDS
1.3.1. Risk of loss of stability NOT COVERED
1.3.2. Risk of break-up during
NOT COVERED
operation
1.3.3. Risks due to falling or
NOT COVERED
ejected objects
1.3.4. Risks due to surfaces,
NOT COVERED
edges or angles
1.3.5. Risks related to combined
NOT COVERED
machinery
1.3.6. Risks related to variations
NOT COVERED
in operating conditions
1.3.7. Risks related to moving
NOT COVERED
parts
1.3.8. Choice of protection
against risks arising from NOT COVERED
moving parts
1.3.9. Risks of uncontrolled
NOT COVERED
movements
1.4. REQUIRED ----
CHARACTERISTICS OF GUARDS
AND PROTECTIVE DEVICES
1.4.1. General requirements NOT COVERED
1.4.2. Special requirements for
NOT COVERED
guards
1.4.3. Special requirements for
NOT COVERED
protective devices
1.5. RISKS DUE TO OTHER ----
HAZARDS
1.5.1. Electricity supply NOT COVERED
1.5.2. Static electricity NOT COVERED
1.5.3. Energy supply other than
NOT COVERED
electricity
1.5.4. Errors of fitting NOT COVERED
1.5.5. Extreme temperatures NOT COVERED
1.5.6. Fire NOT COVERED
1.5.7. Explosion NOT COVERED
1.5.8. Noise NOT COVERED
1.5.9. Vibrations NOT COVERED
1.5.10. Radiation NOT COVERED
1.5.11. External radiation NOT COVERED
1.5.12. Laser radiation NOT COVERED
1.5.13. Emissions of hazardous
NOT COVERED
materials and substances
1.5.14. Risk of being trapped in
NOT COVERED
a machine
1.5.15. Risk of slipping, tripping
NOT COVERED
or falling
1.5.16. Lightning NOT COVERED
1.6. MAINTENANCE -----
1.6.1. Machinery maintenance NOT COVERED
1.6.2. Access to operating
NOT COVERED
positions and servicing points
1.6.3. Isolation of energy
NOT COVERED
sources
1.6.4. Operator intervention NOT COVERED
1.6.5. Cleaning of internal parts NOT COVERED
1.7. INFORMATION ----
1.7.1. Information and warnings
NOT COVERED
on the machinery
1.7.1.1. Information and
NOT COVERED
information devices
1.7.1.2. Warning devices NOT COVERED
1.7.2. Warning of residual risks NOT COVERED
1.7.3. Marking of machinery NOT COVERED
1.7.4. Instructions NOT COVERED
2.4. MACHINERY FOR ----
PESTICIDE APPLICATION
2.4.2. General NOT COVERED
2.4.3. Controls and monitoring NOT COVERED
2.4.4. Filling and emptying NOT COVERED
2.4.5. Application of pesticides ----
2.4.5.1. Application rate NOT COVERED
2.4.5.2. Distribution, deposition
NOT COVERED
and drift of pesticide
2.4.5.3. Tests NOT COVERED
2.4.5.4. Losses during stoppage NOT COVERED
2.4.6. Maintenance ----
2.4.6.1. Cleaning NOT COVERED
2.4.6.2. Servicing NOT COVERED
2.4.7. Inspections NOT COVERED
2.4.8. Marking of nozzles,
NOT COVERED
strainers and filters
2.4.9. Indication of pesticide in
NOT COVERED
use
2.4.10. Instructions NOT COVERED
3.2. WORK POSITIONS ---
3.2.1. Driving position NOT COVERED
3.2.2. Seating NOT COVERED
3.2.3. Positions for other
NOT COVERED
persons
3.3. CONTROL SYSTEMS ---
3.3.1. Control devices NOT COVERED
3.3.2. Starting/moving NOT COVERED
3.3.3. Travelling function NOT COVERED
3.3.4. Movement of pedestrian-
NOT COVERED
controlled machinery
3.3.5. Control circuit failure NOT COVERED
3.4. PROTECTION AGAINST ---
MECHANICAL HAZARDS
3.4.1. Uncontrolled movements NOT COVERED
3.4.2. Moving transmission
NOT COVERED
parts
3.4.3. Roll-over and tip-over NOT COVERED
3.4.4. Falling objects NOT COVERED
3.4.5. Means of access NOT COVERED
3.4.6. Towing devices NOT COVERED
3.4.7. Transmission of power
between self-propelled
NOT COVERED
machinery (or tractor) and
recipient machinery
3.5. PROTECTION AGAINST ----
OTHER HAZARDS
3.5.1. Batteries NOT COVERED
3.5.2. Fire NOT COVERED
3.5.3. Emissions of hazardous
NOT COVERED
substances
3.6. INFORMATION AND ----
INDICATIONS
3.6.1. Signs, signals and
NOT COVERED
warnings
3.6.2. Marking NOT COVERED
3.6.3. Instructions ----
3.6.3.1. Vibrations NOT COVERED
3.6.3.2. Multiple uses NOT COVERED

Table ZA.2 — Applicable Standards to confer presumption of conformity as described in this
Annex ZA
Column 1 Column 2 International Column 3 Column 4
Reference in Clause Standard Edition
Title Corresponding
European Standard
Edition
ISO 25119-1:2018 ISO 25119-1:2018 Tractors and machinery EN ISO 25119-1:2023
for agriculture and
ISO 25119- EN ISO 25119-
forestry — Safety-
1:2018/A1:2020 1:2023/A1:2023
related parts of control
systems — Part 1:
General principles for
design and
development
ISO 25119-3:2018 ISO 25119-3:2018 Tractors and machinery
for agriculture and
ISO 25119- EN ISO 25119-3:2023
forestry — Safety-
3:2018/A1:2020
EN ISO 25119-
related parts of control
3:2023/A1:2023
systems — Part 3:
Series development,
hardware and software
ISO 25119-4:2018 ISO 25119-4:2018 Tractors and machinery
for agriculture and
ISO 25119- EN ISO 25119-4:2023
forestry — Safety-
4:2018/A1:2020
EN ISO 25119-
related parts of control
4:2023/A1:2023
systems Part 4:
production, operation,
modification and
supporting processes
The documents listed in the Column 1 of table ZA.2, in whole or in part, are normatively referenced in
this document, i.e. are indispensable for its application. The achievement of the presumption of
conformity is subject to the application of the edition of Standards as listed in Column 4 or, if no
European Standard Edition exists, the International Standard Edition given in  Column 2 of table ZA.2.
WARNING 1 — Presumption of conformity stays valid only as long as a reference to this European
Standard is maintained in the list published in the Official Journal of the European Union. Users of this
standard should consult frequently the latest list published in the Official Journal of the European
Union.
WARNING 2 — Other Union legislation may be applicable to the product(s) falling within the scope of
this standard.
INTERNATIONAL ISO
STANDARD 25119-2
Third edition
2019-08
Tractors and machinery for
agriculture and forestry — Safety-
related parts of control systems —
Part 2:
Concept phase
Tracteurs et matériels agricoles et forestiers — Parties des systèmes
de commande relatives à la sécurité —
Partie 2: Phase de projet
Reference number
ISO 25119-2:2019(E)
©
ISO 2019
ISO 25119-2:2019(E)
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

ISO 25119-2:2019(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Abbreviated terms . 2
5 Concept — UoO . 3
5.1 Objectives. 3
5.2 Prerequisites . 3
5.3 Requirements . 3
5.3.1 Basic requirements and ambient conditions . 3
5.3.2 Limits of UoO and its interfaces with other UoO . 4
5.3.3 Mapping and allocation of relevant functions to involved UoO, sources of stress . 4
5.3.4 Additional determinations . 4
5.4 Work products . 4
6 HARA — Determination of the AgPL . 5
r
6.1 Objectives. 5
6.2 Prerequisites . 5
6.3 Requirements . 5
6.3.1 Procedures for preparing a HARA . 5
6.3.2 Tasks in the HARA . 5
6.3.3 Participants in HARA . . 5
6.3.4 Classification of a potential harm . 5
6.3.5 Classification of exposure in the situation observed . 6
6.3.6 Classification of a possible avoidance of harm . 6
6.3.7 Selecting the AgPL .
r 7
6.4 Work products . 9
7 Functional safety concept. 9
7.1 Objectives. 9
7.2 Prerequisites . 9
7.3 Requirements . 9
7.3.1 Safety goals . 9
7.3.2 Functional safety requirements . 9
7.3.3 Value of MTTF .10
D
7.3.4 Value of DC .10
7.3.5 Selection of categories, MTTF , DC and SRL .10
DC
7.3.6 Achieving the AgPL .11
r
7.3.7 Compatibility with other functional safety standards .12
7.3.8 Joining E/E/PES.12
7.3.9 Alternate combinations of SRP/CS to achieve overall AgPL.12
7.4 Work products .12
Annex A (normative) Designated architectures for SRP/CS.13
Annex B (informative) Simplified method to estimate channel MTTF .20
DC
Annex C (informative) Determination of diagnostic coverage (DC) .24
Annex D (informative) Estimates for common-cause failure (CCF) .29
Annex E (informative) Systematic failure .31
Annex F (informative) Characteristics of safety-related functions that are often
fundamental to risk reduction .34
ISO 25119-2:2019(E)
Annex G (informative) Example of a risk analysis .37
Annex H (normative) Compatibility with other functional safety standards .42
Annex I (informative) Joined systems alternative compliance method .44
Annex J (normative) Alternate combinations of SRP/CS to achieve overall AgPL .45
Bibliography .47
iv © ISO 2019 – All rights reserved

ISO 25119-2:2019(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 23, Tractors and machinery for agriculture
and forestry, Subcommittee SC 19, Agricultural electronics.
This third edition cancels and replaces the second edition (ISO 25119-2:2018), of which it constitutes a
minor revision. The changes compared to the previous edition are as follows.
— A minor revision was made to Annex H to improve the clarity and understanding of the requirements
to be followed by the end user about subsystems, elements, or components designed according to
ISO 26262.
A list of all parts in the ISO 25119 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
ISO 25119-2:2019(E)
Introduction
ISO 25119 (all parts) sets out an approach to the assessment, design and verification, for all safety life
cycle activities, of safety-related parts comprising electrical and/or electronic and/or programmable
electronic systems (E/E/PES) on tractors used in agriculture and forestry, and on self-propelled ride-
on machines and mounted, semi-mounted and trailed machines used in agriculture. It is also applicable
to mobile municipal equipment.
A prerequisite to the application of ISO 25119 (all parts) is the completion of a suitable hazard
identification and risk analysis (such as ISO 12100) for the entire machine. As a result, an E/E/PES
is frequently assigned to provide safety-related functions that create safety-related parts of control
systems (SRP/CS). These can consist of hardware or software, can be separate or integrated parts of
a control system, and can either perform solely safety-related functions or form part of an operational
function.
In general, the designer (and to some extent, the user) will combine the design and validation of these
SRP/CS as part of the risk assessment. The objective is to reduce the risk associated with a given hazard
(or hazardous situation) under all conditions of use of the machine. This can be achieved by applying
various measures (both SRP/CS and non-SRP/CS) with the end result of achieving a safe condition.
ISO 25119 (all parts) allocates the ability of safety-related parts to perform a safety-related function
under foreseeable conditions into five performance levels. The performance level of a controlled
channel depends on several factors, including system structure (category), the extent of fault detection
mechanisms (diagnostic coverage), the reliability of components (mean time to dangerous failure,
common-cause failure), design processes, operating stress, environmental conditions and operation
procedures. Three types of failures that can cause E/E/PES malfunctions leading to potential hazardous
situations are considered: systematic, common-cause and random.
In order to guide the designer during design, verification, and to facilitate the assessment of the achieved
performance level, ISO 25119 (all parts) defines an approach based on a classification of architecture
with different design features and specific behaviour in case of a fault.
The performance levels and categories can be applied to the control systems of all kinds of mobile
machines: from simple systems (such as auxiliary valves) to complex systems (such as steer by wire), as
well as to the control systems of protective equipment (such as interlocking devices, pressure sensitive
devices).
ISO 25119 (all parts) adopts a risk-based approach for the determination of the risks, while providing a
means of specifying the required performance level for the safety-related functions to be implemented
by E/E/PES safety-related channels. It gives requirements for the whole safety life-cycle of E/E/PES
(design, validation, production, operation, maintenance, decommissioning), necessary for achieving the
required functional safety for E/E/PES that are linked to the performance levels.
The structure of safety standards in the field of machinery is as follows.
a) Type-A standards (basic safety standards) give basic concepts, principles for design and general
aspects that can be applied to machinery.
b) Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more
type(s) of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure
sensitive devices, guards).
c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a
particular machine or group of machines.
This document is a type-B1 standard as stated in ISO 12100.
vi © ISO 2019 – All rights reserved

ISO 25119-2:2019(E)
This document is of relevance, in particular, for the following stakeholder groups representing the
market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organizations, market surveillance, etc.).
Others can be affected by the level of machinery safety achieved with the means of the document by the
above-mentioned stakeholder groups:
— machine users/employers (small, medium and large enterprises);
— machine users/employees (e.g. trade unions, organizations for people with special needs);
— service providers, e.g. for maintenance (small, medium and large enterprises);
— consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate at the drafting
process of this document.
In addition, this document is intended for standardization bodies elaborating type-C standards.
The requirements of this document can be supplemented or modified by a type-C standard.
For machines which are covered by the scope of a type-C standard and which have been designed and
built according to the requirements of that standard, the requirements of that type-C standard take
precedence.
INTERNATIONAL STANDARD ISO 25119-2:2019(E)
Tractors and machinery for agriculture and forestry —
Safety-related parts of control systems —
Part 2:
Concept phase
1 Scope
This document specifies the concept phase of the development of safety-related parts of control
systems (SRP/CS) on tractors used in agriculture and forestry and on self-propelled ride-on machines
and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to mobile
municipal equipment (such as street-sweeping machines).
This document is not applicable to:
— aircraft and air-cushion vehicles used in agriculture;
— lawn and garden equipment.
This document specifies the characteristics and categories required of SRP/CS for carrying out their
safety-related functions. It does not identify performance levels for specific applications.
NOTE 1 Machine specific type-C standards can specify performance levels (AgPL) for safety-related functions
in machines within their scope. Otherwise, the specification of AgPL is the responsibility of the manufacturer.
This document is applicable to the safety-related parts of electrical/electronic/programmable
electronic systems (E/E/PES), as these relate to mechatronic systems. It covers the possible hazards
caused by malfunctioning behaviour of E/E/PES safety-related systems, including interaction of these
systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity,
flammability, reactivity, corrosion, release of energy, and similar hazards., unless directly caused by
malfunctioning behaviour of E/E/PES safety-related systems. It also covers malfunctioning behaviour
of E/E/PES safety-related systems involved in protection measures, safeguards, or safety-related
functions in response to non-E/E/PES hazards.
Examples included within the scope of this document:
— SRP/CS’s limiting current flow in electric hybrids to prevent insulation failure/shock hazards;
— electromagnetic interference with the SRP/CS;
— SRP/CS’s designed to prevent fire.
Examples not included within the scope of this document:
— insulation failure due to friction that leads to electric shock hazards;
— nominal electromagnetic radiation impacting nearby machine control systems;
— corrosion causing electric cables to overheat.
This document is not applicable to non-E/E/PES systems (such as hydraulic, mechanic or pneumatic).
NOTE 2 See also ISO 12100 for design principles related to the safety of machinery.
This document is not applicable to safety-related parts of control systems manufactured before the
date of its publication.
ISO 25119-2:2019(E)
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 25119-1:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 1: General principles for design and development
ISO 25119-3:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 3: Series development, hardware and software
ISO 25119-4:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 4: Production, operation, modification and supporting processes
3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO 25119-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
4 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
ADC analogue to digital converter
AgPL agricultural performance level
AgPL required agricultural performance level
r
Cat hardware category
CCF common-cause failure
CRC cyclic redundancy check
DC diagnostic coverage
DC average diagnostic coverage
avg
ECU electronic control unit
ETA event tree analysis
E/E/PES electrical/electronic/programmable electronic systems
EMC electromagnetic compatibility
FMEA failure mode and effects analysis
EPROM erasable programmable read-only memory
FTA fault tree analysis
HARA hazard analysis and risk assessment
2 © ISO 2019 – All rights reserved

ISO 25119-2:2019(E)
HIL hardware in the loop
MTTF mean time to failure
MTTF mean time to dangerous failure
D
MTTF mean time to dangerous failure for each channel
DC
PES programmable electronic system
QM quality measures
RAM random-access memory
SOP start of production
SRL software requirement level
SRP/CS safety-related parts of control systems
UoO unit of observation
5 Concept — UoO
5.1 Objectives
The objective of this phase is to develop an adequate understanding of the UoO in order to satisfactorily
complete all of the tasks defined in the safety life cycle (see ISO 25119-1:2018, Figure 2). For each UoO,
a suitable method shall be used to determine the required performance level. Suitable methods include
risk analysis (described below), other standards, legal requirements and test body expertise or a
combination of these.
5.2 Prerequisites
The necessary prerequisites are a description of the safety-related function to be provided by the UoO,
its interfaces, already-known safety and reliability requirements and the scope of application.
5.3 Requirements
5.3.1 Basic requirements and ambient conditions
The following information shall be available for the safety-related function of the UoO:
a) the scope, context, purpose and known elements;
b) functional requirements;
c) other requirements and ambient conditions that should be taken into account include:
— technical or physical requirements, such as operating, environmental and surrounding
conditions and constraints;
— legal requirements, especially safety-related legislation, regulations and standards (national
and international);
d) historical safety and reliability requirements and the level of safety and reliability achieved for
similar or related UoO.
ISO 25119-2:2019(E)
5.3.2 Limits of UoO and its interfaces with other UoO
The following information shall be considered in order to gain an understanding of the operation of the
UoO in its environment:
— the limits of the UoO;
— its interfaces and interactions with other UoO and components;
— requirements for the safety-related functions related to other UoO.
5.3.3 Mapping and allocation of relevant functions to involved UoO, sources of stress
The sources of stress which could affect the safety and reliability of the UoO shall be determined,
including the following:
— the interaction of different UoO;
— stresses of a physical or chemical nature (energy content, toxicity, explosiveness, corrosiveness,
reactivity, combustibility, etc.);
— other external events [temperature, shock, electromagnetic compatibility (EMC), etc.];
— reasonable foreseeable human operating errors;
— stresses originating from the UoO, and events triggering failure (e.g. during assembly or
maintenance).
5.3.4 Additional determinations
In addition to the activities described in 5.3.2, the following determinations or actions shall be
implemented:
— determination as to whether the UoO is a new development or a modification, adaptation or
derivative of an existing UoO and, in the case of modification, the carrying out of an impact analysis
to adjust the safety life cycle accordingly;
— preparing a plan and a specification to verify and validate the requirements regarding the UoO
defined in 5.3.1;
— definition of project management for the appropriate phases in the life cycle;
— adequate input data for the reliability assessment;
— adequate procedures and application of tools and technologies;
— utilization of suitably qualified staff.
5.4 Work products
The work products if applicable of the UoO shall be:
a) elements included within the UoO;
b) specification of the basic requirements and ambient conditions;
c) limits of the UoO and its interfaces with other UoO;
d) sources of stress;
e) additional determinations.
4 © ISO 2019 – All rights reserved

ISO 25119-2:2019(E)
6 HARA — Determination of the AgPL
r
6.1 Objectives
The main objectives are to analyse risks associated with a faulted UoO (one not performing safety-
related functions as intended, such as not stopping properly, propelling while in neutral, steering in
the wrong direction) and then, assign an appropriate AgPL . Risk is defined as the combination of the
r
probability of occurrence of harm and the severity of that harm (see ISO 25119-1:2018, 3.39). When
considering the probability of the occurrence of harm, when appropriate, the probability of being
exposed to a hazardous situation with a faulted UoO can be taken into account.
The procedure described in 6.2 to 6.4 provides guidance for determining the AgPL based on the HARA.
r
6.2 Prerequisites
The UoO definition associated with each safety-related function.
6.3 Requirements
6.3.1 Procedures for preparing a HARA
The HARA shall take into account the entire safety-related function so that an appropriate specification
for the SRP/CS can be provided. If decisions are made later in the safety life cycle changing the scope of
application, the HARA shall be reworked accordingly. To identify the changes and their impacts on the
work products, an impact analysis shall be carried out in accordance with ISO 25119-4.
6.3.2 Tasks in the HARA
The operating conditions, in which the malfunctioning behaviour of the UoO will result in hazardous
situations, when correctly used and when incorrectly used in a reasonably foreseeable way, shall be
taken into account.
6.3.3 Participants in HARA
The HARA shall involve sufficient people to ensure that all relevant expertise is available.
NOTE Involving individuals from different disciplines often provides valuable input to the HARA.
6.3.4 Classification of a potential harm
The potential severity of harm shall be determined and documented.
Potentially harmful effects shall be deduced by considering all hazardous situations resulting from
malfunctions of the saf
...