kSIST FprEN ISO 25119-1:2022
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 1: General principles for design and development (ISO 25119-1:2018)
ISO 25119-1:2010 sets out general principles for the design and development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry, and on self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to municipal equipment (e.g. street‑sweeping machines). It specifies the characteristics and categories required of SRP/CS for carrying out their safety functions.
ISO 25119-1:2010 is applicable to the safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES). As these relate to mechatronic systems, it does not specify which safety functions or categories are to be used in a particular case. It is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanic, or pneumatic).
This document sets out general principles for the design and development of safety-related parts of control systems (SRP/CS) on tractors used in agriculture and forestry, on self-propelled ride-on machines and on mounted, semi-mounted and trailed machines used in agriculture. It can also be applied to mobile municipal equipment (e.g. street-sweeping machines).
This document is not applicable to:
— aircraft and air-cushion vehicles used in agriculture;
— lawn and garden equipment.
This document specifies the characteristics and categories of SRP/CS required for carrying out safety-related functions. It does not identify performance levels for specific applications.
NOTE 1 Machine-specific type-C standards can specify performance levels (AgPL) for safety-related functions of machines within their scope. Otherwise, the specification of AgPL is the responsibility of the manufacturer.
This document is applicable to the safety-related parts of electrical/electronic/programmable electronic systems (E/E/PES) as part of mechatronic systems. It covers the possible hazards caused by malfunctioning behaviour of E/E/PES safety-related systems, including the interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E/PES safety-related systems. It also covers malfunctioning behaviour of E/E/PES safety-related systems involved in protective measures, safeguards or safety-related functions in response to non-E/E/PES hazards.
Examples included within the scope of this document:
— SRP/CS limiting current flow in electric hybrid systems to prevent insulation failure and electric shock hazards;
— electromagnetic interference with the SRP/CS;
— SRP/CS designed to prevent fire.
Examples not included in the scope of this document:
— insulation failure due to friction that leads to electric shock hazards;
— nominal electromagnetic radiation impacting nearby machine control systems;
— corrosion causing electric cables to overheat.
This document is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanical and pneumatic).
NOTE 2 See also EN ISO 12100 for design principles related to the safety of machinery.
This document is not applicable to safety-related parts of control systems manufactured before its date of publication.
Standards Content (Sample)
SLOVENIAN STANDARD
oSIST prEN ISO 25119-1:2022
1 January 2022
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 1: General principles for design and development (ISO 25119-1:2018)
This Slovenian standard is identical to: prEN ISO 25119-1
ICS:
35.240.99 IT applications in other fields
65.060.01 Agricultural machines and equipment in general
oSIST prEN ISO 25119-1:2022 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
DRAFT EUROPEAN STANDARD prEN ISO 25119-1
November 2021
ICS 35.240.99; 65.060.01
English Version
Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 1: General principles for design and development (ISO 25119-1:2018)
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 144.
If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. prEN ISO 25119-1:2021 E
prEN ISO 25119-1:2021 (E)
Contents Page
European foreword . 3
Annex ZA (informative) Relationship between this European Standard and the essential
requirements of Directive 2006/42/EC aimed to be covered . 4
European foreword
The text of ISO 25119-1:2018 has been prepared by Technical Committee ISO/TC 23 “Tractors and
machinery for agriculture and forestry” of the International Organization for Standardization (ISO) and
has been taken over as prEN ISO 25119-1:2021 by Technical Committee CEN/TC 144 “Tractors and
machinery for agriculture and forestry” the secretariat of which is held by AFNOR.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EU Directive.
For relationship with EU Directive, see informative Annex ZA, which is an integral part of this
document.
Endorsement notice
The text of ISO 25119-1:2018 has been approved by CEN as prEN ISO 25119-1:2021 without any
modification.
Annex ZA
(informative)
Relationship between this European Standard and the essential
requirements of Directive 2006/42/EC aimed to be covered
This European Standard has been prepared under a Commission’s standardization request “M/396 Mandate to CEN and CENELEC for Standardisation in the field of machinery” to provide one voluntary means of conforming to essential requirements of Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast).
Once this standard is cited in the Official Journal of the European Union under that Directive,
compliance with the normative clauses of this standard given in Table ZA.1 confers, within the limits of
the scope of this standard, a presumption of conformity with the corresponding essential requirements
of that Directive, and associated EFTA regulations.
Table ZA.1 — Correspondence between this European Standard and Annex I of Directive 2006/42/EC

The relevant Essential Requirements of Directive 2006/42/EC    Clause(s)/sub-clause(s) of this EN    Remarks/Notes
1.1.2 (a)                                                        6, 7, 8, 9
1.1.2 (c)                                                        6, 7, 8, 9
1.2.1. Safety and reliability of control systems                 6, 7, 8, 9
1.2.3. Starting                                                  6, 7, 8, 9
1.2.4.1. Normal stop                                             6, 7, 8, 9
1.2.4.2. Operational stop                                        6, 7, 8, 9
1.2.4.3. Emergency stop                                          6, 7, 8, 9
1.2.5. Selection of control or operating modes                   6, 7, 8, 9
1.2.6. Failure of the power supply                               6, 7, 8, 9
1.6.3. Isolation of energy sources                               6, 7, 8, 9
3.3.5. Control circuit failure                                   6, 7, 8, 9
WARNING 1 — Presumption of conformity stays valid only as long as a reference to this European
Standard is maintained in the list published in the Official Journal of the European Union. Users of this
standard should consult frequently the latest list published in the Official Journal of the European
Union.
WARNING 2 — Other Union legislation may be applicable to the product(s) falling within the scope of
this standard.
INTERNATIONAL STANDARD ISO 25119-1
Second edition 2018-10
Tractors and machinery for agriculture and forestry — Safety-related parts of control systems — Part 1: General principles for design and development
Reference number ISO 25119-1:2018(E)
© ISO 2018
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Abbreviated terms . 8
5 Quality management system . 9
6 Management during complete safety lifecycle . 9
6.1 Objectives. 9
6.2 General . 9
6.2.1 Introduction to the safety life cycle concept . 9
6.2.2 External functional safety measures . 9
6.3 Prerequisites . 9
6.4 Requirements — Functional safety management activities across safety life cycle .11
6.4.1 Functional safety culture .11
6.4.2 Continuous improvement .11
6.4.3 Training and qualification .12
6.4.4 Assignment of safety responsibilities .12
6.4.5 Assignment of tasks.12
6.4.6 Planning of all safety management activities during development .12
6.5 Work products .14
7 Assessment of functional safety .14
7.1 Objectives.14
7.2 General .14
7.3 Prerequisites .14
7.4 Requirements .14
7.4.1 Considerations for the assessment of the functional safety .14
7.4.2 Verification .15
7.5 Work products .16
8 Functional safety management activities after start of production (SOP) .16
8.1 Objectives.16
8.2 General .17
8.3 Prerequisites .17
8.4 Requirements .17
8.4.1 Management of production and modification procedures .17
8.4.2 Tasks for preparing and conducting production and end of line inspections .17
8.4.3 Tasks for safe machine operation, maintenance, repair and decommissioning .17
8.5 Work products .17
9 Plan for production and installation of safety-related systems .18
9.1 Objectives.18
9.2 General .18
9.3 Prerequisites .18
9.4 Requirements .18
9.4.1 Production plan .18
9.4.2 Test plan .18
9.4.3 Production and testing .18
9.4.4 Process capability .19
9.4.5 Documentation .19
9.4.6 Non-compliance .19
9.4.7 Traceability .19
9.4.8 Storage and transport conditions .19
9.4.9 Modification .19
9.5 Work products .19
Annex A (informative) Example of the structure of a project-specific safety plan .20
Bibliography .23
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 23, Tractors and machinery for agriculture
and forestry, Subcommittee SC 19, Agricultural electronics.
This second edition cancels and replaces the first edition (ISO 25119-1:2010), which has been technically
revised. The main changes compared with the previous edition are as follows:
— the introduction has been modified to add specific information on safety standards;
— Tables 1 to 3 have been deleted and the succeeding tables have been renumbered;
— Clause 5 (management system) has been inserted and the succeeding clauses have been renumbered;
— in 8.5, work products from the safety management activities after SOP have been specified;
— Figure 2 has been modified;
— the document has been editorially revised.
A list of all parts in the ISO 25119 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
ISO 25119 (all parts) sets out an approach to the assessment, design and verification, for all safety life
cycle activities, of safety-related parts comprising electrical and/or electronic and/or programmable
electronic systems (E/E/PES) on tractors used in agriculture and forestry, and on self-propelled ride-
on machines and mounted, semi-mounted and trailed machines used in agriculture. It is also applicable
to mobile municipal equipment.
A prerequisite to the application of ISO 25119 (all parts) is the completion of a suitable hazard
identification and risk analysis (e.g. ISO 12100) for the entire machine. As a result, an E/E/PES is
frequently assigned to provide safety-related functions that create safety-related parts of control
systems (SRP/CS). These can consist of hardware or software, can be separate or integrated parts of
a control system, and can either perform solely safety-related functions or form part of an operational
function.
In general, the designer (and to some extent, the user) will combine the design and validation of these
SRP/CS as part of the risk assessment. The objective is to reduce the risk associated with a given hazard
(or hazardous situation) under all conditions of use of the machine. This can be achieved by applying
various measures (both SRP/CS and non-SRP/CS) with the end result of achieving a safe condition.
ISO 25119 (all parts) allocates the ability of safety-related parts to perform a safety-related function
under foreseeable conditions into five performance levels. The performance level of a controlled
channel depends on several factors, such as system structure (category), the extent of fault detection
mechanisms (diagnostic coverage), the reliability of components (mean time to dangerous failure,
common-cause failure), design processes, operating stress, environmental conditions and operation
procedures. Three types of failures that can cause E/E/PES malfunctions leading to potential hazardous
situations are considered: systematic, common-cause and random.
In order to guide the designer during design, verification, and to facilitate the assessment of the achieved
performance level, ISO 25119 (all parts) defines an approach based on a classification of architecture
with different design features and specific behaviour in case of a fault.
The performance levels and categories can be applied to the control systems of all kinds of mobile
machines: from simple systems (e.g. auxiliary valves) to complex systems (e.g. steer by wire), as well as
to the control systems of protective equipment (e.g. interlocking devices, pressure sensitive devices).
ISO 25119 (all parts) adopts a risk-based approach for the determination of the risks, while providing a
means of specifying the required performance level for the safety-related functions to be implemented
by E/E/PES safety-related channels. It gives requirements for the whole safety life cycle of E/E/PES
(design, validation, production, operation, maintenance, decommissioning), necessary for achieving the
required functional safety for E/E/PES that are linked to the performance levels.
The structure of safety standards in the field of machinery is as follows.
a) Type-A standards (basic safety standards) give basic concepts, principles for design and general
aspects that can be applied to machinery.
b) Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more
type(s) of safeguards that can be used across a wide range of machinery:
— type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
— type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure
sensitive devices, guards).
c) Type-C standards (machinery safety standards) deal with detailed safety requirements for a
particular machine or group of machines.
This document is a type-B1 standard as stated in ISO 12100.
This document is of relevance, in particular, for the following stakeholder groups representing the
market players with regard to machinery safety:
— machine manufacturers (small, medium and large enterprises);
— health and safety bodies (regulators, accident prevention organizations, market surveillance, etc.).
Others can be affected by the level of machinery safety achieved with the means of the document by the
above-mentioned stakeholder groups:
— machine users/employers (small, medium and large enterprises);
— machine users/employees (e.g. trade unions, organizations for people with special needs);
— service providers, e.g. for maintenance (small, medium and large enterprises);
— consumers (in case of machinery intended for use by consumers).
The above-mentioned stakeholder groups have been given the possibility to participate at the drafting
process of this document.
In addition, this document is intended for standardization bodies elaborating type-C standards.
The requirements of this document can be supplemented or modified by a type-C standard.
For machines which are covered by the scope of a type-C standard and which have been designed and
built according to the requirements of that standard, the requirements of that type-C standard take
precedence.
INTERNATIONAL STANDARD ISO 25119-1:2018(E)
Tractors and machinery for agriculture and forestry —
Safety-related parts of control systems —
Part 1:
General principles for design and development
1 Scope
This document sets out general principles for the design and development of safety-related parts of
control systems (SRP/CS) on tractors used in agriculture and forestry and on self-propelled ride-on
machines and mounted, semi-mounted and trailed machines used in agriculture. It can also be applied
to mobile municipal equipment (e.g. street-sweeping machines).
This document is not applicable to:
— aircraft and air-cushion vehicles used in agriculture;
— lawn and garden equipment.
This document specifies the characteristics and categories required of SRP/CS for carrying out their
safety-related functions. It does not identify performance levels for specific applications.
NOTE 1 Machine-specific type-C standards can specify performance levels (AgPL) for safety-related functions
in machines within their scope. Otherwise, the specification of AgPL is the responsibility of the manufacturer.
This document is applicable to the safety-related parts of electrical/electronic/programmable
electronic systems (E/E/PES), as these relate to mechatronic systems. It covers the possible hazards
caused by malfunctioning behaviour of E/E/PES safety-related systems, including interaction of these
systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity,
flammability, reactivity, corrosion, release of energy, and similar hazards, unless directly caused by
malfunctioning behaviour of E/E/PES safety-related systems. It also covers malfunctioning behaviour
of E/E/PES safety-related systems involved in protective measures, safeguards, or safety-related
functions in response to non-E/E/PES hazards.
Examples included within the scope of this document:
— SRP/CS limiting current flow in electric hybrids to prevent insulation failure/shock hazards;
— electromagnetic interference with the SRP/CS;
— SRP/CS designed to prevent fire.
Examples not included in the scope of this document:
— insulation failure due to friction that leads to electric shock hazards;
— nominal electromagnetic radiation impacting nearby machine control systems;
— corrosion causing electric cables to overheat.
This document is not applicable to non-E/E/PES systems (e.g. hydraulic, mechanic or pneumatic).
NOTE 2 See also ISO 12100 for design principles related to the safety of machinery.
This document is not applicable to safety-related parts of control systems manufactured before the
date of its publication.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 25119-2:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 2: Concept phase
ISO 25119-3:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 3: Series development, hardware and software
ISO 25119-4:2018, Tractors and machinery for agriculture and forestry — Safety-related parts of control
systems — Part 4: Production, operation, modification and supporting processes
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
agricultural performance level
AgPL
level which specifies the ability of safety-related parts of control systems to perform a safety-related
function under foreseeable conditions
Note 1 to entry: For the purposes of ISO 25119 (all parts), the performance for each function is divided into
five levels (a, b, c, d and e) where the functional safety contributed by the SRP/CS in “a” is low and in “e” is high.
3.2
required agricultural performance level
AgPL_r
performance level(s) (AgPL) required to be achieved for each safety-related function
Note 1 to entry: Depending on the potential behaviours of a faulted UoO, a safety-related function may have more than one AgPL_r. For example, a partial loss of a function, the sudden complete loss of a function, and the inability to enable a function, may have three different AgPL_r's.
3.3
category
classification of the safety-related parts of a control system with respect to its resistance to dangerous
failures taking into account the subsequent behaviour in the fault condition, which is achieved by the
structural arrangement (architecture) of the parts
3.4
channel
combination of input, logic and output elements necessary to perform a function(s)
3.5
common-cause failure
CCF
multiple failures within a UoO, resulting from a single event, where these failures are not consequences
of each other
Note 1 to entry: Common-cause failures should not be confused with common-mode failures, as common-mode
failures can result from different causes.
3.6
controllability
involved individual's possibility of avoiding harm in the situation that is putting him/her at risk
3.7
dangerous detected failure rate
λ_DD
detected failure rate within the UoO which results in no or minimal increase in risk, but which, if undetected, would result in an immediate increase in risk
3.8
dangerous failure
failure (and multiple failures due to common cause) in which an SRP/CS is no longer able to maintain
the intended function and the resultant machine behaviour could result in a hazardous situation
3.9
dangerous failure rate
λ_D
fraction of all components with dangerous failure (3.8) per time unit
Note 1 to entry: λ_D is the reciprocal value of MTTF_D.
3.10
diagnostic coverage
DC
ratio of the probability of detected dangerous failures, λ_DD, to the probability of total dangerous failures, λ_D (3.9)
3.11
diagnostic test interval
interval between online tests used to detect faults in a safety-related system that have a specified
diagnostic coverage (3.10)
3.12
E/E/PES architecture
allocation of safety-related functions to electronic control units (ECU) and classification into hardware
and software, including communication
3.13
environmental condition
physical condition under which a system is used
3.14
exposure
duration of time and frequency in which an individual is in a situation in which the potential hazard exists
3.15
failure
termination of the ability of an element within a UoO to perform as intended
Note 1 to entry: After a failure, the UoO will have a fault.
Note 2 to entry: “Failure” is an event, as distinguished from fault (3.16), which is a state.
Note 3 to entry: The concept as defined does not apply to a UoO consisting of software only.
3.16
fault
state of a UoO characterised by inability to perform a required function, excluding the inability during
preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure (3.15), but can exist without prior failure.
Note 2 to entry: For the purposes of ISO 25119 (all parts), a fault is a random fault.
3.17
function
defined behaviour of one or more electronic control units
3.18
functional requirement
requirement for an intended function of the E/E/PES system
3.19
functional safety
system that performs in a way that does not present an unreasonable risk of injury to operators or
bystanders
3.20
functional safety concept
entire collection of functional safety requirements (3.21) including their interactions to achieve
functional safety
Note 1 to entry: It is developed during the concept phase of the safety life cycle.
3.21
functional safety requirement
requirement for a safety-related function of the E/E/PES system
3.22
hardware safety requirement
requirement that applies to safety-related hardware and which is included as an element of a technical
safety requirement
3.23
harm
physical injury or damage to health of persons
3.24
hazard
potential source of harm (3.23)
3.25
hazard analysis and risk assessment
HARA
method to identify and categorize hazardous situations of the UoO and to specify safety goals, AgPL_r,
related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk
3.26
hazardous situation
circumstance in which a person is exposed to a hazard (3.24) or hazards, exposure (3.14) to which can
have immediate or long-term effects
3.27
intended use
use in accordance with the information provided in the operator's manual
3.28
inspection
systematic formal verification method used to review product quality
Note 1 to entry: During an inspection, the work product is checked by one or more assessors to see whether it
complies with the requirements. The inspection is organized and moderated by an inspection leader. The author
of the work product participates in the inspection but cannot lead the process.
4 © ISO 2018 – All rights reserved
3.29
life of the machine
life cycle
time between production and decommissioning
3.30
manual reset
function within the SRP/CS used to manually restore one or more safety-related functions before
restarting the machine
3.31
machine manufacturer
manufacturer of tractors for agriculture and forestry, self-propelled ride-on machines and mounted,
semi-mounted and trailed machines used in agriculture, and of mobile municipal equipment
Note 1 to entry: See also supplier (3.50).
3.32
mean time to dangerous failure
MTTF_D
average value of the expected time to a dangerous failure (3.8)
Note 1 to entry: MTTF_D is the reciprocal value of λ_D.
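The two quantities defined in 3.10 and 3.32 are usually derived from a component failure-mode listing rather than given directly. The following is an added example (not text or code from ISO 25119-1) that aggregates a small, constructed FMEDA-style table into λ_D, λ_DD, DC = λ_DD/λ_D and MTTF_D = 1/λ_D. The failure modes, their rates in FIT (failures per 10^9 hours) and the detected/dangerous flags are assumptions chosen for illustration, not data from the standard.

```python
"""Diagnostic coverage (DC) and MTTF_D derived from a constructed
failure-mode table. Added example; not from ISO 25119-1. All rates are
illustrative placeholders in FIT (failures per 1e9 hours)."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT expressed in failures per hour


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float   # constructed failure rate of this mode, in FIT
    dangerous: bool   # True if the mode can defeat the safety-related function
    detected: bool    # True if an online diagnostic test reveals the mode


def dangerous_rates(modes):
    """Return (lambda_D, lambda_DD) in failures per hour.

    lambda_D sums every dangerous mode; lambda_DD sums only the dangerous
    modes that a diagnostic detects. Safe modes do not count in either.
    """
    lam_d = sum(m.rate_fit for m in modes if m.dangerous) * FIT
    lam_dd = sum(m.rate_fit for m in modes if m.dangerous and m.detected) * FIT
    return lam_d, lam_dd


def diagnostic_coverage(modes):
    """DC = lambda_DD / lambda_D as in 3.10; 0.0 when nothing is dangerous."""
    lam_d, lam_dd = dangerous_rates(modes)
    return lam_dd / lam_d if lam_d > 0 else 0.0


def mttf_d_hours(modes):
    """MTTF_D = 1 / lambda_D as in 3.32 Note 1; infinite if lambda_D is zero."""
    lam_d, _ = dangerous_rates(modes)
    return float("inf") if lam_d == 0 else 1.0 / lam_d


def mttf_d_years(modes):
    """MTTF_D converted to years, assuming continuous operation (8760 h/yr)."""
    return mttf_d_hours(modes) / 8760.0


# Constructed sample: one sensor input channel (hypothetical, for illustration).
SENSOR_CHANNEL = [
    FailureMode("output stuck at last value", 40.0, dangerous=True, detected=True),
    FailureMode("output drift beyond tolerance", 10.0, dangerous=True, detected=False),
    FailureMode("open circuit, reads zero (safe side)", 30.0, dangerous=False, detected=True),
    FailureMode("short to supply", 20.0, dangerous=True, detected=True),
]

if __name__ == "__main__":
    lam_d, lam_dd = dangerous_rates(SENSOR_CHANNEL)
    print(f"lambda_D  = {lam_d / FIT:.1f} FIT")
    print(f"lambda_DD = {lam_dd / FIT:.1f} FIT")
    print(f"DC        = {diagnostic_coverage(SENSOR_CHANNEL):.3f}")
    print(f"MTTF_D    = {mttf_d_years(SENSOR_CHANNEL):.1f} years")
```

For the constructed table, λ_D is 70 FIT (the 30 FIT safe-side open circuit is excluded), λ_DD is 60 FIT, so DC is 6/7 ≈ 0.857 and MTTF_D is about 1.43 × 10^7 h (≈ 1631 years). The undetected drift mode is what keeps DC below 1.0; adding a plausibility check that reveals it would raise λ_DD without changing λ_D or MTTF_D.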
3.33
monitoring
automatic monitoring
automatic function which ensures that a protective measure (3.36) is initiated if the ability of the SRP/CS
to perform a function is diminished, or if the process conditions are changed such that hazards are
generated
3.34
muting
temporary automatic suspension of a safety-related function by safety-related parts of the control system
3.35
programmable electronic system
PES
system for control, protection or monitoring which uses one or more programmable electronic devices
Note 1 to entry: It comprises all elements of the system, including power supplies, sensors and other input
devices, data highways and other communication paths, and actuators and other output devices.
3.36
protective measure
measure intended to achieve functional safety, as implemented by the designer (intrinsic design,
safeguarding and complementary measures, information for use), and the user (organization, safe
working procedures, supervision, permit to work, systems, additional safeguards, personal protective
equipment, training)
3.37
reasonably foreseeable misuse
use of a machine in a way not intended by the designer, but which can result from readily predictable
human behaviour
3.38
response time
maximum time that can elapse between the occurrence of an error and the attainment of a safe state (3.43)
3.39
risk
combination of the probability of occurrence of harm (3.23) and the severity (3.47) of that harm
3.40
risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation
3.41
risk assessment
overall process comprising risk analysis (3.40) and risk evaluation (3.42)
3.42
risk evaluation
judgment on the basis of risk analysis as to whether a given risk is acceptable
3.43
safe state
operating mode of a system with an acceptable level of risk
EXAMPLE Intended operating mode, back-up operating mode, or switched-off modes.
3.44
safety goal
description of how a given hazard is to be avoided
EXAMPLE Avoid propel when neutral is commanded.
Note 1 to entry: It is the top level objective as a result of the hazard analysis and risk assessment and where
safety-related functions are derived.
Note 2 to entry: One safety goal can be related to several hazards and several safety goals can be related to a
single hazard.
3.45
safety-related function
function of the machine whose failure can result in an immediate increase of risk
3.46
safety-related part of a control system
SRP/CS
part or subpart of a control system that responds to input signals and generates safety-related
output signals
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related
signals are initiated (e.g. the actuating cam and the roller of the position switch) and end at the output of the
power control elements (e.g. the main contacts of the contactor), and include monitoring systems.
3.47
severity
degree of the most probable harm to an endangered individual, assuming harm has occurred
3.48
software requirement level
SRL
ability of safety-related parts to perform a software safety-related function (3.45) under foreseeable
conditions
Note 1 to entry: The SRL is categorized into four groups: SRL = B, 1, 2 and 3.
3.49
software safety requirement
requirement that applies to safety-related software and that is included as an element of a technical
safety requirement (3.54)
3.50
supplier
manufacturer and distributor of new and spare parts for tractors for agriculture and forestry,
self-propelled ride-on machines and mounted, semi-mounted and trailed machines used in agriculture, and
municipal equipment
3.51
symmetric channel
numerical combination of single-channel MTTF_D and DC for a dual- or redundant-channel system
3.52
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification
of the design or of the manufacturing process, operational procedures, documentation or other
relevant factors
EXAMPLE Human error in the safety requirements specification, the design, manufacture, installation,
operation of the hardware, or the design and implementation of the software.
Note 1 to entry: Corrective maintenance without modification will usually not eliminate the failure cause.
Note 2 to entry: A systematic failure can be induced by simulating the failure cause.
3.53
technical safety concept
entire collection of technical safety requirements (3.54) necessary to implement the functional safety
concept (3.20) and to partition it on the system architecture
Note 1 to entry: It is part of the system specification, specified during system design.
3.54
technical safety requirement
requirement that applies to the SRP/CS as applied to a given technical safety concept (3.53)
3.55
unit of observation
units of observation
UoO
electrical, electronic, electrically-programmable system or function and its scope, context and purpose
Note 1 to entry: The UoO can encompass safety-related function(s) that may be distributed across multiple
systems and their safety-related interactions.
3.56
walk-through
systematic, informal verification method used to review product quality
Note 1 to entry: During a walk-through, the author of a work product provides a step-by-step report to one
or more assessors. The objective is to create a common understanding of the work product, and to identify
any errors, defects, discrepancies or problems in the work product. A walk-through is less stringent than an
inspection.
3.57
work product
output of a design or development activity
4 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
AgPL agricultural performance level
AgPL_r required agricultural performance level
CAD computer-aided design
Cat hardware category
CCF common-cause failure
DC diagnostic coverage
DC_avg average diagnostic coverage
ECU electronic control unit
ETA event tree analysis
E/E/PES electrical/electronic/programmable electronic systems
EMC electromagnetic compatibility
FMEA failure mode and effects analysis
FSM functional safety management
FTA fault tree analysis
HARA hazard analysis and risk assessment
HIL hardware in the loo
...