ISO 13849 Controller Design Principles
Typically, the design of control units is based on the safety hypothesis that the equipment is in a "safe state" once all outputs of the ECU are disabled.
To detect potentially dangerous failures and guarantee the transition to the safe state in a timely manner, the architecture is based on a "main CPU" executing the user application and a second, smaller "diagnostic CPU", which continuously monitors the main CPU as well as the safety-critical inputs and outputs. If an error is detected, e.g. a short circuit on an output stage, a stuck CPU or an out-of-range sensor, an internal switch opens, disconnecting all output stages from power and thereby activating the safe state.
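The supervision loop described above, written out as an added example in C that is not part of the original page or of any particular product: a model of the diagnostic CPU checking the three failure classes the text names (a stalled main CPU, an output stage that does not follow its command, and a sensor outside its plausible range) and latching the power switch open on the first fault. The heartbeat timeout (50 ms), the 4..20 mA sensor band mapped to ADC counts 400..2000, the 8-bit output bitmask and the requirement of an explicit reset before the switch may close again are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the diagnostic CPU's supervision loop.
 * Assumptions (not taken from the page): heartbeat timeout of 50 ms,
 * a 4..20 mA sensor mapped to ADC counts 400..2000, and 8 output stages
 * whose drive signal can be read back from the power side. */

typedef enum {
    FAULT_NONE = 0,
    FAULT_HEARTBEAT,        /* main CPU stopped updating its counter */
    FAULT_OUTPUT_READBACK,  /* output stage does not follow its command */
    FAULT_SENSOR_RANGE      /* safety-critical input outside its plausible band */
} fault_t;

typedef struct {
    uint32_t now_ms;            /* diagnostic CPU's own clock */
    uint32_t heartbeat;         /* counter the main CPU increments each cycle */
    uint8_t  commanded_outputs; /* bitmask the main CPU wrote to the drivers */
    uint8_t  readback_outputs;  /* bitmask measured at the output stages */
    uint16_t sensor_counts;     /* ADC reading of a safety-critical input */
} diag_inputs_t;

typedef struct {
    uint32_t last_heartbeat;
    uint32_t last_heartbeat_change_ms;
    bool     power_switch_closed;  /* false == safe state (outputs unpowered) */
    fault_t  latched_fault;
} diag_state_t;

#define HEARTBEAT_TIMEOUT_MS 50u
#define SENSOR_MIN_COUNTS    400u   /* 4 mA: below this the loop is open or shorted */
#define SENSOR_MAX_COUNTS    2000u  /* 20 mA: above this the transmitter is faulty */

void diag_init(diag_state_t *s, uint32_t now_ms, uint32_t heartbeat)
{
    s->last_heartbeat = heartbeat;
    s->last_heartbeat_change_ms = now_ms;
    s->power_switch_closed = true;
    s->latched_fault = FAULT_NONE;
}

/* Run one supervision cycle. Returns true while the output power switch
 * is allowed to stay closed. Faults are latched: once the switch opens it
 * stays open until diag_reset() is called (an explicit restart rather than
 * an automatic retry is assumed here). */
bool diag_step(diag_state_t *s, const diag_inputs_t *in)
{
    if (s->latched_fault != FAULT_NONE)
        return false;

    fault_t f = FAULT_NONE;

    /* 1. Liveness of the main CPU: its counter must keep moving. */
    if (in->heartbeat != s->last_heartbeat) {
        s->last_heartbeat = in->heartbeat;
        s->last_heartbeat_change_ms = in->now_ms;
    } else if (in->now_ms - s->last_heartbeat_change_ms > HEARTBEAT_TIMEOUT_MS) {
        f = FAULT_HEARTBEAT;
    }

    /* 2. Output stage readback: a shorted or stuck driver shows up as a
     *    mismatch between what was commanded and what is actually driven. */
    if (f == FAULT_NONE && in->commanded_outputs != in->readback_outputs)
        f = FAULT_OUTPUT_READBACK;

    /* 3. Plausibility of the safety-critical input. */
    if (f == FAULT_NONE &&
        (in->sensor_counts < SENSOR_MIN_COUNTS || in->sensor_counts > SENSOR_MAX_COUNTS))
        f = FAULT_SENSOR_RANGE;

    if (f != FAULT_NONE) {
        s->latched_fault = f;
        s->power_switch_closed = false;  /* open the switch: all outputs lose power */
    }
    return s->power_switch_closed;
}

/* Clear the latched fault after an explicit restart. */
void diag_reset(diag_state_t *s, uint32_t now_ms, uint32_t heartbeat)
{
    diag_init(s, now_ms, heartbeat);
}

int main(void)
{
    diag_state_t s;
    diag_init(&s, 0, 0);
    /* constructed sample cycle: healthy heartbeat, outputs match, sensor mid-range */
    diag_inputs_t in = { .now_ms = 10, .heartbeat = 1, .commanded_outputs = 0x05,
                         .readback_outputs = 0x05, .sensor_counts = 1200 };
    printf("healthy cycle: switch %s\n", diag_step(&s, &in) ? "closed" : "open");
    in.now_ms = 80;  /* main CPU stalled: heartbeat unchanged for 70 ms */
    printf("stalled CPU:   switch %s (fault %d)\n",
           diag_step(&s, &in) ? "closed" : "open", (int)s.latched_fault);
    return 0;
}
```

The checks are ordered so that the first detected fault is the one recorded; the diagnostic CPU does not need to rank faults, because any of them leads to the same action, opening the switch. Latching matters: a transient fault that clears by itself must not silently re-energise the outputs.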