ISO 25119-2:2019 — Concept Phase for Safety-Related Parts of Agricultural Machinery Control Systems

Hazard Identification, Risk Estimation, and Safety Requirements Definition in the Concept Phase

1. The Concept Phase Lifecycle in ISO 25119-2

ISO 25119-2:2019 focuses exclusively on the concept phase of the safety lifecycle for safety-related parts of control systems (SRP/CS) in agricultural machinery. This standard serves as the foundational step where the safety strategy is established before any detailed design begins. The concept phase encompasses: definition of the machine and its boundaries, hazard identification and risk analysis, determination of required performance levels, and formulation of the safety requirements specification (SRS).

Investing adequate effort in the concept phase (typically 15-20% of the total project safety engineering budget) pays back many times over by reducing costly redesigns in later phases. Field data from agricultural machinery manufacturers show that concept-phase errors discovered during production cost 10-50x more to correct than those found during concept review.

The standard requires a clear definition of the machine's functional scope, including all operating modes (normal operation, setup, cleaning, maintenance, fault conditions), operational limits (speed, load, environmental range), and interface definitions (operator controls, ISOBUS connections, hydraulic interfaces, power take-off). This definition forms the boundary for subsequent hazard analysis activities and ensures the safety team has a complete understanding of the machine's intended behavior.

2. Hazard Identification and Risk Graph Methodology

The hazard identification process in ISO 25119-2 follows a structured approach derived from ISO 12100 but with significant extensions for control-system-specific hazards. Engineers must consider hazards arising from: loss of control function, unexpected start-up, unintended movement, incorrect speed or position, inability to stop the machine, and hazards related to control system faults that lead to dangerous machine behavior.

| Risk Graph Parameter | Classification | Description |
| --- | --- | --- |
| S — Severity of injury | S1 / S2 | S1 = slight (normally reversible) injury; S2 = serious (normally irreversible) injury, including death |
| F — Frequency/exposure | F1 / F2 | F1 = seldom-to-less-often exposure; F2 = frequent-to-continuous exposure |
| P — Possibility of avoidance | P1 / P2 | P1 = possible under specific conditions; P2 = hardly possible |
| PL — Required performance level | a through e | Determined by the combination of the S, F, and P parameters |

The risk graph produces the required PL through a decision tree. For example, an S2 + F2 + P2 combination yields PL e — the highest safety integrity requirement, typically reserved for hazards such as unintended power take-off engagement during maintenance or loss of steering control at transport speed. Each hazardous event must be documented in a hazard log, which becomes the central reference document throughout the project lifecycle.

A common mistake in risk graph application is misclassifying exposure frequency (F). ISO 25119-2 requires engineers to consider exposure during all operational phases, including setup, cleaning, and maintenance, not just normal operation. A task that occurs only weekly but involves direct exposure to a severe hazard may still be classified as F2, because exposure is high while that specific task is performed.

3. Safety Requirements Specification and Design Validation Planning

The output of the concept phase is the safety requirements specification (SRS), which captures the functional and integrity requirements for each safety function. Each safety requirement must include: functional description (what the safety function does), required performance level (PLr), fault reaction time, behavior in fault conditions, behavior on power-up and power-down, and interfaces with other systems.

Well-written SRS items follow the SMART principle: Specific (one safety function per requirement), Measurable (quantified PLr and reaction time), Achievable (feasible with available technology), Relevant (addresses a specific hazardous event), and Traceable (uniquely identifies the hazard log entry). This approach significantly reduces ambiguity during the verification and validation phases.

The standard also requires preparation of a validation plan during the concept phase, specifying: the overall validation strategy, acceptance criteria for each safety function, test methods (simulation, bench testing, field testing), environmental test conditions, and responsibilities for validation activities. By planning validation upfront, organizations ensure that testability is built into the design rather than discovered as an afterthought during system integration.

One of the most frequently cited non-conformances during ISO 25119 assessments is the lack of traceability between hazard log entries and SRS items. Every hazardous event requiring risk reduction must be traceable to one or more specific safety requirements. Implementing a bidirectional traceability matrix from the concept phase is strongly recommended.
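The risk graph walk described in section 2 and the hazard-log-to-SRS traceability check described in section 3 are small enough to be automated, and doing so catches exactly the non-conformance named above. The script below is an added example written for this article, not code from ISO 25119 or from any manufacturer's toolchain. The article itself states only the S2 + F2 + P2 → PL e case; the remaining rows of the lookup table are the standard ISO 13849-1 risk graph, which uses the same S/F/P parameters, and that mapping is an assumption about the decision tree the text refers to. The `Hazard` and `SafetyRequirement` record layouts, the identifiers `H-01`/`SR-01` and so on, and the sample entries are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk graph: (S, F, P) -> required performance level (PLr).
# The article states only the S2/F2/P2 -> e case; the other rows are the
# standard ISO 13849-1 risk graph that uses the same S/F/P parameters
# (assumption: this is the decision tree the article refers to).
RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}
PL_ORDER = "abcde"  # ascending integrity; "e" is the highest


def required_pl(s: str, f: str, p: str) -> str:
    """Walk the risk graph for one hazardous event; reject unknown parameters."""
    key = (s, f, p)
    if key not in RISK_GRAPH:
        raise ValueError(f"invalid risk graph parameters {s}/{f}/{p}")
    return RISK_GRAPH[key]


@dataclass
class Hazard:
    """One hazard log entry (hypothetical record layout)."""
    hid: str
    event: str
    phase: str          # operating mode in which the exposure occurs
    s: str
    f: str
    p: str
    plr: str = field(init=False)

    def __post_init__(self) -> None:
        self.plr = required_pl(self.s, self.f, self.p)


@dataclass
class SafetyRequirement:
    """One SRS item (hypothetical record layout)."""
    rid: str
    function: str
    plr: str
    reaction_time_ms: int
    hazards: List[str]  # hazard log ids this requirement mitigates


def traceability_matrix(hazards, reqs) -> Dict[str, List[str]]:
    """Hazard id -> SRS ids that claim to mitigate it (the hazard->SRS direction)."""
    matrix: Dict[str, List[str]] = {h.hid: [] for h in hazards}
    for r in reqs:
        for hid in r.hazards:
            matrix.setdefault(hid, []).append(r.rid)
    return matrix


def traceability_findings(hazards, reqs) -> List[str]:
    """Checks an assessor would raise: orphan SRS items, dangling references,
    SRS PLr below the hazard's PLr, and hazards with no requirement at all."""
    by_hazard = {h.hid: h for h in hazards}
    findings: List[str] = []
    for r in reqs:
        if not r.hazards:
            findings.append(f"{r.rid}: not traceable to any hazard log entry")
        for hid in r.hazards:
            h = by_hazard.get(hid)
            if h is None:
                findings.append(f"{r.rid}: references unknown hazard {hid}")
            elif PL_ORDER.index(r.plr) < PL_ORDER.index(h.plr):
                findings.append(f"{r.rid}: PLr {r.plr} is below {hid} PLr {h.plr}")
    for hid, rids in traceability_matrix(hazards, reqs).items():
        if hid in by_hazard and not rids:
            findings.append(f"{hid}: no safety requirement covers PLr {by_hazard[hid].plr}")
    return findings


# Constructed sample data, not taken from any real hazard log or SRS.
SAMPLE_HAZARDS = [
    Hazard("H-01", "unintended PTO engagement", "maintenance", "S2", "F2", "P2"),
    Hazard("H-02", "unexpected header movement", "cleaning", "S2", "F1", "P2"),
    Hazard("H-03", "incorrect implement lift position", "normal operation", "S1", "F2", "P1"),
]
SAMPLE_SRS = [
    SafetyRequirement("SR-01", "block PTO engagement in maintenance mode", "e", 100, ["H-01"]),
    SafetyRequirement("SR-02", "hold header drives on cleaning-mode entry", "c", 200, ["H-02"]),
    SafetyRequirement("SR-03", "enter safe state on ISOBUS message loss", "d", 250, []),
]


def demo_findings() -> List[str]:
    """Run the checks over the constructed sample; returns three findings."""
    return traceability_findings(SAMPLE_HAZARDS, SAMPLE_SRS)


if __name__ == "__main__":
    for h in SAMPLE_HAZARDS:
        print(f"{h.hid} {h.s}/{h.f}/{h.p} -> PLr {h.plr} ({h.event}, {h.phase})")
    for line in demo_findings():
        print("FINDING:", line)
```

On the sample data the script flags `SR-02` because its PLr (c) is lower than the PLr the risk graph assigns to the hazard it mitigates (d), `SR-03` because it is not traceable to any hazard log entry, and `H-03` because no SRS item covers it. The `phase` field is carried on each hazard so that exposure during maintenance or cleaning is recorded explicitly rather than folded into a single "normal operation" judgement.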

4. Frequently Asked Questions

Q: How detailed should the hazard analysis be for a simple agricultural machine?
A: The level of detail should be proportionate to the complexity and risk. For a simple machine with well-understood hazards, a structured hazard analysis using checklists and published data may suffice. For complex autonomous machines, techniques such as HAZOP, FMEA, or STPA are recommended.
Q: Can the concept phase be applied to retrospective safety upgrades on existing machines?
A: Yes. ISO 25119-2 can be applied to assess and improve existing machines. In such cases, the concept phase includes reverse-engineering the existing control logic, documenting the as-built architecture, and assessing gaps compared to the required PL before specifying retrofit safety measures.
Q: What is the relationship between ISO 25119-2 and the Machinery Directive 2006/42/EC?
A: ISO 25119-2 provides the specific methodology for control-system-related safety that supports compliance with the essential health and safety requirements (EHSR) of the Machinery Directive. Compliance with ISO 25119-2 creates a presumption of conformity for the SRP/CS aspects of the machinery.
