I would say that it depends upon the relationship of these moving parts to each other, and where relevant, this is something that should be addressed in the risk assessment. For example, if stopping Part A but not stopping Part B introduces a foreseeable hazard due to the foreseeable continued motion of Part B, then that is a situation that may warrant countermeasures - such as stopping both together, or if the risk is of a lesser magnitude, addressing it in the information for use.

Is the intent of separating the analysis to actually physically stop the parts of the machine separately (e.g. a stopping function at one part of the machine does not stop another part of the machine), or is the intent to stop everything together but to facilitate less stringent hardware, circuit, and logic designs on lower-risk parts of the machine?

The former should be addressed by an overall risk assessment that extends beyond the analysis of strictly the SRP/CS, and additionally, standards specific to the equipment under discussion may dictate certain courses of action. The latter is completely legitimate (but whether it's worthwhile or not is quite another matter). In the system architectures that I normally deal with in this day and age, the furthest this might ever go would be to use a single contactor instead of double contactors, or not bother with a redundant monitored safety pneumatic valve, for low-risk functions. No one is going to split up the safety PLC and its safety inputs into high-risk and low-risk sections!

The intent of seperating the circuits is not to stop the different parts of the machine independantly as all parts of the machine would need to be stopped in the same way (according to the category of stop). I believe it is purely to make managing the control circuit calculations simpler for the manufacturer.

In terms of the level of risk, there is potentially scope that Part A moving unexpectedly would create a higher risk than part B moving unexpectedly (which has been covered by the risk assessment) so that may well be a part of the reasoning for this splitting up as well?

In my opinion as this SRP/CS has a single set of inputs (2 start buttons) which seperates into three seperate outputs for parts A, B and C of the machine then it would need to be considered as a whole?

Thanks for the help!

Look at that risk assessment and compare its required countermeasures to the actual control system design. Has the control system design adequately implemented the required countermeasures? Are there foreseeable failure modes that would lead to risks that have not been accounted for? Are there residual risks that can not be fully addressed by technological means, that warrant being addressed in the information for use? Are they so addressed?

Answering that ... is your job as the reviewer!

It's not really enough to just identify that something has been split up in a way that's different than what you would have done as a designer. ISO 13849 is not prescriptive in how to be implemented. It is a performance standard. If the required performance is achieved, that's good. If it isn't, that's not.

I agree that 13849 isn't particularly prescriptive. Just wanted to make sure that there wasn't something obvious that I had missed!

I've done the maths both ways and the performance level comes out the same regardless so I'll give them that this time!

Thanks for the assistance.

Tom