Many industrial products are controlled by software. Errors in the control software make the products and users danger. To avoid this situation, it is necessary that in expected behaviors and operations do not make the products unsafe state. This paper proposes a method that the control software makes safe by conducting "Failure Mode and Effects Analysis (FMEA)" and "Fault Tree Analysis (FTA)" repeatedly. The outline of the proposed method is as follows. In the upper phase, risks of control software are analyzed by using FMEA exhaustively, and the measures are reflected to the specifications. In the lower phase, risks that cannot be taken the measures are clarified, and the measures are reflected to the specifications and software. FMEA and FTA are conducted repeatedly, until the control software does not contain risk.