3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12100 and IEC 60050-191 and the following apply.
3.1.1
safety-related part of a control system
SRP/CS
part of a control system that responds to safety-related input signals and generates safety-related output signals
Note 1 to entry: The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2 to entry: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
3.1.2
category
classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
3.1.3
fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2 to entry: In this part of ISO 13849, “fault” means random fault.
[SOURCE: IEC 60050-191:1990, 05-01.]
3.1.4
failure
termination of the ability of an item to perform a required function
Note 1 to entry: After a failure, the item has a fault.
Note 2 to entry: “Failure” is an event, as distinguished from “fault”, which is a state.
Note 3 to entry: The concept as defined does not apply to items consisting of software only.
Note 4 to entry: Failures which only affect the availability of the process under control are outside of the scope of this part of ISO 13849.
[SOURCE: IEC 60050-191:1990, 04-01.]
3.1.5
dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
Note 1 to entry: Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
[SOURCE: IEC 61508-4, 3.6.7, modified.]
3.1.6
common cause failure
CCF
failures of different items, resulting from a single event, where these failures are not consequences of each other
Note 1 to entry: Common cause failures should not be confused with common mode failures (see ISO 12100:2010, 3.36).
[SOURCE: IEC 60050-191-am1:1999, 04-23.]
3.1.7
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
Note 1 to entry: Corrective maintenance without modification will usually not eliminate the failure cause.
Note 2 to entry: A systematic failure can be induced by simulating the failure cause.
Note 3 to entry: Examples of causes of systematic failures include human error in
- the safety requirements specification,
- the design, manufacture, installation, operation of the hardware, and
- the design, implementation, etc., of the software.
[SOURCE: IEC 60050-191:1990, 04-19.]
3.1.8
muting
temporary automatic suspension of a safety function(s) by the SRP/CS
3.1.9
manual reset
function within the SRP/CS used to restore manually one or more safety functions before restarting a machine
3.1.10
harm
physical injury or damage to health
[SOURCE: ISO 12100:2010, 3.5.]
3.1.11
hazard
potential source of harm
Note 1 to entry: A hazard can be qualified in order to define its origin (e.g. mechanical hazard, electrical hazard) or the nature of the potential harm (e.g. electric shock hazard, cutting hazard, toxic hazard, fire hazard).
Note 2 to entry: The hazard envisaged in this definition:
- either is permanently present during the intended use of the machine (e.g. motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature);
- or may appear unexpectedly (e.g. explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).
[SOURCE: ISO 12100:2010, 3.6, modified.]
3.1.12
hazardous situation
circumstance in which a person is exposed to at least one hazard
Note 1 to entry: The exposure can result in harm immediately or over a period of time.
[SOURCE: ISO 12100:2010, 3.10.]
3.1.13
risk
combination of the probability of occurrence of harm and the severity of that harm
[SOURCE: ISO 12100:2010, 3.12.]
3.1.14
residual risk
risk remaining after protective measures have been taken
Note 1 to entry: See Figure 2.
[SOURCE: ISO 12100:2010, 3.13, modified.]
3.1.15
risk assessment
overall process comprising risk analysis and risk evaluation
[SOURCE: ISO 12100:2010, 3.17.]
3.1.16
risk analysis
combination of the specification of the limits of the machine, hazard identification and risk estimation
[SOURCE: ISO 12100:2010, 3.15.]
3.1.17
risk evaluation
judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved
[SOURCE: ISO 12100:2010, 3.16.]
3.1.18
intended use of a machine
use of the machine in accordance with the information provided in the instructions for use
[SOURCE: ISO 12100:2010, 3.23.]
3.1.19
reasonably foreseeable misuse
use of a machine in a way not intended by the designer, but which may result from readily predictable human behaviour
[SOURCE: ISO 12100:2010, 3.24.]
3.1.20
safety function
function of the machine whose failure can result in an immediate increase of the risk(s)
[SOURCE: ISO 12100:2010, 3.30.]
3.1.21
monitoring
safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated
3.1.22
programmable electronic system
PES
system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices
[SOURCE: IEC 61508-4:1998, 3.3.2, modified.]
3.1.23
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
Note 1 to entry: See 4.5.1.
3.1.24
required performance level
PLr
performance level (PL) applied in order to achieve the required risk reduction for each safety function
Note 1 to entry: See Figures 2 and A.1.
3.1.25
mean time to dangerous failure
MTTFD
expectation of the mean time to dangerous failure
[SOURCE: IEC 62061:2005, 3.2.34, modified.]
3.1.26
diagnostic coverage
DC
measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures
Note 1 to entry: Diagnostic coverage can exist for the whole or parts of a safety-related system. For example, diagnostic coverage could exist for sensors and/or logic system and/or final elements.
[SOURCE: IEC 61508-4:1998, 3.8.6, modified.]
3.1.27
protective measure
measure intended to achieve risk reduction
EXAMPLE 1 Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.
EXAMPLE 2 Implemented by the user: organization (safe working procedures, supervision, permit-to-work systems), provision and use of additional safeguards, personal protective equipment, training.
[SOURCE: ISO 12100:2010, 3.19, modified.]
3.1.28
mission time
TM
period of time covering the intended use of an SRP/CS
3.1.29
test rate
rt
frequency of automatic tests to detect faults in a SRP/CS, reciprocal value of diagnostic test interval
3.1.30
demand rate
rD
frequency of demands for a safety-related action of the SRP/CS
3.1.31
repair rate
rr
reciprocal value of the period of time between detection of a dangerous failure by either an online test or obvious malfunction of the system and the restart of operation after repair or system/component replacement
Note 1 to entry: The repair time does not include the span of time needed for failure-detection.
3.1.32
machine control system
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
Note 1 to entry: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, mechanical).
3.1.33
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
[SOURCE: IEC 61508-4:1998, 3.5.6.]
3.1.34
limited variability language
LVL
type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications
Note 1 to entry: Typical examples of LVL (ladder logic, function block diagram) are given in IEC 61131-3.
Note 2 to entry: A typical example of a system using LVL: PLC.
[SOURCE: IEC 61511-1:2003, 3.2.80.1.2, modified.]
3.1.35
full variability language
FVL
type of language that provides the capability of implementing a wide variety of functions and applications
EXAMPLE C, C++, Assembler.
Note 1 to entry: A typical example of systems using FVL: embedded systems.
Note 2 to entry: In the field of machinery, FVL is found in embedded software and rarely in application software.
[SOURCE: IEC 61511-1:2003, 3.2.80.1.3, modified.]
3.1.36
application software
software specific to the application, implemented by the machine manufacturer, and generally containing logic sequences, limits and expressions that control the appropriate inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements
3.1.37
embedded software
firmware
system software
software that is part of the system supplied by the control manufacturer and which is not accessible for modification by the user of the machinery
Note 1 to entry: Embedded software is usually written in FVL.
3.1.38
high demand or continuous mode
mode of operation in which the frequency of demands on a SRP/CS is greater than one per year or the safety-related control function retains the machine in a safe state as part of normal operation
[SOURCE: IEC 62061:2012, 3.2.27, modified.]
3.1.39
proven in use
demonstration, based on an analysis of operational experience for a specific configuration of an element, that the likelihood of dangerous systematic faults is low enough so that every safety function that uses the element achieves its required performance level (PLr)
[SOURCE: IEC 61508-4:2010, 3.8.18, modified.]
3.2 Symbols and abbreviated terms
See Table 1.
Table 1 — Symbols and abbreviated terms
| Symbol or abbreviation | Description | Definition or occurrence |
|---|---|---|
| a, b, c, d, e | Denotation of performance levels | Table 3 |
| AOPD | Active optoelectronic protective device (e.g. light barrier) | Annex H |
| B, 1, 2, 3, 4 | Denotation of categories | Table 7 |
| B10D | Number of cycles until 10 % of the components fail dangerously (for pneumatic and electromechanical components) | Annex C |
| Cat. | Category | 3.1.2 |
| CC | Current converter | Annex I |
| CCF | Common cause failure | 3.1.6 |
| DC | Diagnostic coverage | 3.1.26 |
| DCavg | Average diagnostic coverage | E.2 |
| F, F1, F2 | Frequency and/or time of exposure to the hazard | A.2.2 |
| FB | Function block | 4.6.3 |
| FVL | Full variability language | 3.1.35 |
| FMEA | Failure modes and effects analysis | 7.2 |
| I, I1, I2 | Input device, e.g. sensor | 6.2 |
| i, j | Index for counting | Annex D |
| I/O | Inputs/outputs | Table E.1 |
| iab, ibc | Interconnecting means | Figure 4 |
| K1A, K1B | Contactors | Annex I |
| L, L1, L2 | Logic | 6.2 |
| LVL | Limited variability language | 3.1.34 |
| M | Motor | Annex I |
| MTTF | Mean time to failure | Annex C |
| MTTFD | Mean time to dangerous failure | 3.1.25 |
| n, N, N˜ | Number of items | 6.3, D.1 |
| Nlow | Number of SRP/CS with PLlow in a combination of SRP/CS | 6.3 |
| nop | Mean number of annual operations | Annex C |
| O, O1, O2, OTE | Output device, e.g. actuator | 6.2 |
| P, P1, P2 | Possibility of avoiding the hazard | A.2.3 |
| PES | Programmable electronic system | 3.1.22 |
| PFHD | Average probability of dangerous failure per hour | Table 3 and Table K.1 |
| PL | Performance level | 3.1.23 |
| PLC | Programmable logic controller | Annex I |
| PLlow | Lowest performance level of a SRP/CS in a combination of SRP/CS | 6.3 |
| PLr | Required performance level | 3.1.24 |
| rD | Demand rate | 3.1.30 |
| rt | Test rate | 3.1.29 |
| RS | Rotation sensor | Annex I |
| S, S1, S2 | Severity of injury | A.2.1 |
| SW1A, SW1B, SW2 | Position switches | Annex I |
| SIL | Safety integrity level | Table 4 |
| SRASW | Safety-related application software | 4.6.3 |
| SRESW | Safety-related embedded software | 4.6.2 |
| SRP | Safety-related part | General |
| SRP/CS | Safety-related part of a control system | 3.1.1 |
| TE | Test equipment | 6.2 |
| TM | Mission time | 3.1.28 |
| T10D | Mean time until 10 % of the components fail dangerously | Annex C |