Glossary

Glossary

Functional safety terminology

For greater understanding of the terms associated with functional safety and the safety of machinery.

A to E

Back to top

A

Demand rate for safety-related actions of SRP/CS (safety-related parts of control systems).

In IEC 61508, the term safe failure fraction (SFF) is defined as the sum of the potentially dangerous failures which result in a safe operating state.

This type of software is tailored precisely to the application. It is embedded by the machine manufacturer and generally contains logical sequences, limits, and expressions which check inputs, outputs, calculations, and decisions so that the safety requirements concerning SRP/CS are met.

Refers to the operational failure of different elements resulting from common single events where these failures are not consequences of each other.

A distinction is made between common cause failures (CCF) and common mode failures (CMF) as per ISO 12100:2010, 3.36.

A restart should only occur automatically if there is no hazardous situation. Please refer to the detailed information in standard EN ISO 12100, Section 6.3.3.2.5.

B

Number of operating cycles after which 10% of the devices have failed.

Evidence based on an analysis of the operational experience for a particular configuration of an element. The probability of dangerous systematic failures must be low enough that every safety function of the element achieves the required safety level.

Just like INTERBUS-Safety, PROFIsafe uses the black channel principle to transmit safe data via a standard network. The safe data, consisting of purely safety-related user data and the protocol overhead required for protection, is transmitted via PROFIBUS or PROFINET together with non-safety-related data. The F-Host in the safe controller and the F-Device in the I/O module exchange safe signals in this way. The integrated safety mechanisms protect against the following possible errors:

  • Repetition of messages
  • Loss of messages
  • Insertion of messages
  • Incorrect order of messages
  • Data corruption
  • Delay of messages
  • Recurring memory errors in switches
  • Mix up of devices

C

The abbreviation CE stands for Communauté Européenne (European Community). Products that fall under one or more EU directives must be marked with the CE mark before being placed on the market, provided the product satisfies all relevant health and safety requirements. It may be necessary to involve a notified body. The CE mark acts as a passport for entry to participation in the free movement of goods within the European single market.

D

Frequency of demands for safety-related actions of SRP/CS (safety-related parts of control systems).

Measurement for the effectiveness of the diagnostics represented as the ratio between the failure rate of the identified failure rates and the rate of total failures.

Diagnostic coverage can either relate to the entire system or certain components, such as sensors, logical systems or final elements.

MTTF (mean time to failure) describes the time to the first failure of a machine.

MTTFd (mean time to dangerous failure) is the expected average time to the first dangerous failure of a machine.

MTBF (mean time between failure) describes the time between two failures.

E

The software is part of the overall system and is provided by the manufacturer. It cannot be adapted or modified by the machine operator. These software programs are usually written in FVL.

Concerns the analysis of the operational capability of a particular configuration of an element. This ensures that the probability of dangerous systematic failures occurring is so low that the safety function achieves the required performance level PLr.

Period of time for the proper use of safety-related parts of control systems (SRP/CS).

The software is part of the overall system and is provided by the manufacturer. It cannot be adapted or modified by the machine operator. These software programs are usually written in FVL.

The performance level (PL) applied to achieve the required risk reduction for each safety function.

F to J

Back to top

F

Status of an object characterized by the inability to perform an intended function. Excludes fault states that occur during preventive maintenance due to planned actions or the absence of operational resources.

A fault state commonly occurs because the object itself caused the actual fault and there was no pre-existing fault.

Fault masking is where there is a sequence of several undetected faults in a safety-related system, which occur successively and independently of one another, such that a dangerous state can occur for people as a consequence. In the case of the logical series connection of safety door switches with floating contacts, the fault masking effect can be caused by opening different safety doors independently. As a result dangerous situations can occur, such as the deactivation of safety door guards.

Possible errors are considered at component level and their possible effects for the customer are evaluated with a rank. Reliability engineering involves analyzing the probability of occurrence and detection.

FVL is a programming language which enables a wide range of functions and applications to be used (e.g., C, C++, assembler).

G

Probability of dangerous failure per hour. PFHD stands for probability of dangerous failure per hour.

The potential sources of hazardous situations can be distinguished by their origin (e.g., mechanical or electrical hazard) or by their characteristics (e.g., electric shock, toxic hazard, fire risks).

Hazards can be defined as follows: they either occur on a permanent basis when machinery is being used (e.g., movement of dangerous components, high temperatures) or they occur unexpectedly (e.g., explosions, emission of dangerous substances or elements).

A situation in which a person is exposed to at least one hazard. This means that the effects can be immediate or may emerge after some time.

Failure capable of placing the SRP/CS in a dangerous state or failure state. The system design determines the extent to which this state can occur. In redundant systems, hardware failures rarely result in complete system failure.

In safety technology, low-demand applications are where a safety demand occurs once a year or even less frequently. The corresponding safety parameter is the PFD value (PFD: probability of failure on demand).

Safe over-speed monitoring of rotary axes may be required in conjunction with additional measures such as inching mode in setup operations for machine tools. When a defined speed is exceeded, a safe state is initiated.

Refers to failures that do not have a common cause; however, the failure of different units is the result of a single event.

H

The term “harmonized standards” refers to European standards for products. They are part of the European Commission's “New Approach” where essential requirements for products are defined by standards organizations CEN and CENELEC. The harmonized standards are published in the Official Journal of the EU. Only goods and services that satisfy the essential requirements may be placed on the market. They can be identified by certificates or CE markings.

For example, if a machine has been manufactured in accordance with the specified harmonized standards, it can be assumed that the machine satisfies the essential health and safety requirements of the Machinery Directive.

The abbreviation HAZOP stands for hazard and operability study, a type of risk analysis which is performed for functional safety in process technology applications, for example. The German equivalent term for HAZOP is PAAG.

Through the definition of keywords and control words, such as “over”, “more than”, etc., parameters can be specified to identify and prevent potential modifications, and to make recommendations.

The P&ID (piping and instrumentation diagram) is used as a basis for examining every single detail of the overall process to determine the mandatory parameters that apply and the possible extent of any deviation from these parameters. Possible measures are then developed to prevent or reduce parameter deviations. They may apply to the overall system or to specific components.

A method of operation where the frequency of commands for a safety-related part of a control system (SRP/CS) is greater than once per year or the safety-related control function of the machine ensures a safe state as its normal operating state.

A method of operation where the frequency of safety demands for a safety-related part of a control system (SRP/CS) is greater than once per year or the safety-related control function of the machine ensures a safe state as its normal operating state.

I

As a sector standard based on IEC 61508, the IEC 61511 series of standards describes the requirements concerning functional safety for systems in the process industry. It is made up of three parts.

Part of electro-sensitive protective equipment that is connected to the machine control system and switches to the OFF-state if the sensor starts during correct operation.

K to O

Back to top

K

Physical injuries or damage to health.

L

Light grids are items of safety equipment consisting of several photoelectric barriers arranged in parallel. They are tripped as soon as at least one sensor registers an interruption in the photoelectric barrier beam. Reliable tripping can only be ensured if the object to be registered is larger than two photoelectric barriers connected in parallel.

LVL is a programming language which enables predefined and application-specific functions to be combined in order to implement safety-specific requirements.

Typical examples for LVL can be found in standard IEC 61131-3, and a PLC (programmable logic controller) is typically used for a system here.

In safety technology, low-demand applications are where a safety demand occurs once a year or even less frequently. The corresponding safety parameter is the PFD value (PFD: probability of failure on demand).

M

A function of the safety-related parts of control systems (SRP/CS) that is used to manually restore one or more safety functions before the machine has to be restarted.

Systems that respond to input signals from different parts of the machine elements, operators, external control equipment or other combinations that generate output signals.

The machine control system works in conjunction with any type of technology or combinations of different technologies (e.g., electronic, hydraulic, pneumatic or mechanical technologies).

European directive for the standardization of essential health and safety requirements with the aim of ensuring the free movement of goods for machinery and safety components within the European single market.

Classification of safety-related parts of control systems (SRP/CS) with regard to their resilience to faults and their subsequent behavior in the event of faults. The category is selected based on the structural design of the parts, fault detection, and its reliability.

Automatic temporary suspension of one or more safety functions by the SRP/CS (safety-related parts of control systems).

N

An emergency stop is important in order to actively bring about a safe state in a hazardous situation and to ensure that people are protected. Harm can be prevented or reduced by actuating the emergency stop control device. The safe state is initiated when the operator or a third party actuates the emergency stop control device (e.g., stopping the dangerous movement of a machine).

P to T

Back to top

P

The performance level (PL) is a qualitative classification of the individual SRP/CS (safety-related parts of control systems) with regard to the performance capability of the individual safety functions in the event of unforeseeable situations.

PROFIsafe is a certified profile for PROFIBUS and PROFINET. With SIL 3 or category 4 in accordance with EN ISO 13849-1, PROFIsafe meets the highest safety requirements for the process and manufacturing industry. The same cable is used for both safety-related and standard communication. The PROFIsafe system is an extension of the PROFIBUS and PROFINET system. Freely programmable safety functions can be executed with the system and the required safe input and output data can be transmitted from and to the safe I/O devices. The safe controller and the safe bus devices communicate with one another via the PROFIsafe protocol, which is superimposed on the standard PROFIBUS or PROFINET protocol and contains the safe input and output data as well as data security information.

PES are used for the control, protection, and monitoring of one or more programmable electronic devices, including all system components as well as energy supply, sensors and other input devices, circuits, and output devices.

Q

In the event of mechanical damage to a cable, cross-circuit detection ensures that an electrical cross-circuit between two or more sensor signals does not result in the loss of the safety function, as a safe state is brought about. Various technological principles are involved here, such as supplying signal generators via test clocks.

R

Time that elapses from triggering an item of safety equipment (e.g., opening a safety door) to reaching the safe state (e.g., stopping the dangerous movement). The response time is used to determine the minimum distance required between an item of safety equipment and the danger zone.

The minimum distance between the safety equipment and danger depends on the following factors:

  • Delay time of the sensor
  • Processing time of the safety program in the safety controller including network transmissions
  • Processing and filter times in the input and output modules
  • Delay or lag time of the actuator

Functional redundancy concerns the safety of systems where if one channel fails, a second independent disabling channel or even an enabling channel is used to bring about a safe state. Both component redundancy and system redundancy are used here.

The time period between the detection of a dangerous failure either through an online test or an obvious malfunction of the system and the resumption of operation after repair or after system/component replacement.

The repair rate does not include the time span required for fault detection.

Residual risk still present after implementing protective measures.

RFID stands for Radio Frequency Identification and means that objects can be identified without physical or visual contact. For example, in the PSRswitch safety switch, RFID technology enables the coded exchange of signals between the sensor and actuator. Standard EN ISO 14119 requires RFID safety switches to be coded to protect against tampering.

Combination of the probability of occurrence of harm and the severity of that harm.

Overall process comprising risk analysis and risk evaluation.

A combination of the specification of the natural machine limits, identification of hazards, and risk estimation.

Final assessment of whether the risk reduction objectives based on the previous risk analysis have been met.

For safety relays, the time that elapses between the demand of a safety function and the opening of the enable contacts. In the case of safe time relays, the release time can be extended via manual adjustment, so that the drives can be shut down in a controlled manner, for example.

S

SafetyBridge Technology offers a network and controller-independent safety solution. Safety-related signals can be transmitted and evaluated via standard automation networks with this technology. This can be done without the use of a safety controller. Due to the properties of the SafetyBridge protocol used, the technology can be used on different bus systems and is certified for the following networks: INTERBUS, PROFIBUS, PROFINET, Modbus, CANopen, DeviceNet, EtherNet/IP, and sercos.

A measure to minimize risk. These measures can be implemented by various groups of people:

Developers: in particular design with protective measures and information concerning use.

Users: organization (safe working practices, monitoring, work authorization systems), provision and use of additional protective measures, personal protective equipment, and training.

Safety doors are items of safety equipment, e.g., in a system, intended to prevent people from entering a danger zone. The safety doors can be set up so that they can only be opened after the machine has stopped (guard locking device) or so that only certain people have access to the machine (authorization via key, etc.).

Drive state in which torque cannot be generated. On demand of the safety function, this state is achieved through disconnection from the power supply.

There is a lower and upper limit for acceleration, thereby ensuring safe operation. If the acceleration values are exceeded, the safe state is initiated.

There is a lower and upper limit for the speed, thereby ensuring safe operation. If the values are undershot or exceeded, the safe state is initiated.

Monitoring of a safe position. As soon as the position is exited, and no alternative safety functions are active, the safe state is initiated.

There is a lower and upper limit for the load indicator, thereby ensuring safe operation. If the values are undershot or exceeded, the safe state is initiated.

Monitoring the direction of a linear or rotary movement. If a direction that is declared dangerous is detected, and no alternative safety functions are active, the safe state is initiated.

If the upper limits for certain values are exceeded, e.g., acceleration or speed, the safe brake control function ensures that the machine is slowed down until it returns to a normal value or switches off.

There is a lower and upper limit for the speed, thereby ensuring safe operation. If the values are undershot or exceeded, the safe state is initiated.

A safe coupling relay enables a signal to be transmitted between a programmable electronic system (PES) and an actuator in a safety-relayed way. In the event of a fault, e.g., internal relay fault, the safe state is initiated. It is typically switched off by using internal redundancy mechanisms.

If this machine function fails, there is an increased risk of hazards.

Safety relays support the implementation of safety measures. They enable the use of safety functions such as emergency stops, light grids, and safety doors.

Phoenix Contact safety relays can be combined in a modular way, and have force-guided contacts and TÜV certification to ensure maximum safety. In addition, they feature particularly space-saving, quick, and easy installation.

Safety switches (interlocking device) are used to monitor the position of safety doors. When a safety door is opened, the safe state is initiated by means of controlled interlocking.

The PSRswitch safety switch is an electronic, coded safety switch with a compact design. Thanks to the integrated RFID transponder technology and intelligence, you receive maximum protection against tampering and outstanding safety in accordance with EN ISO 14119. With compatible evaluation units and SAC cabling, we provide you with a cost-effective comprehensive solution for flexible safety door and position monitoring for your digital factory.

A safety relay module in a machine control system ensures that safety-related sensors and actuators are monitored in accordance with the required PL or SIL. A safety relay module can be designed as a simple safety relay for monitoring individual functions or it can be used to monitor more complex tasks.

SRP/CS stands for safety-related parts of control systems. They are the parts of a control system that respond to safety-related input signals and generate safety-related output signals.

The combined safety-related parts of a control system begin at the point where the safety-related input signals are triggered (including the operating cam and role of the position switch, for example) and end at the output of the power control elements (including the main contacts of a switching device, for example).

If monitoring systems are used for diagnostics, these are also classed as SRP/CS.

The safety integrity level consists of four separate levels for defining the safety integrity requirements of safety functions that are assigned to the safety-related E/E/PE systems. SIL 4 is the highest safety integrity level and SIL 1 is the lowest. The SIL classification relates to a complete safety function.

The SIL claim limit describes the maximum SIL capability of a subsystem within a safety function.

A function that prevents a drive from deviating from the stop position by more than a specified amount.

When it comes to actually implementing a safety application, choosing a suitable safety concept including the system architecture of the control and evaluating logic can prove just as complex as ensuring compliance with all the requirements of the various standards. If the right type of technology is used, the safety-related application will not only be cost-effective and easy to implement, but will also comply with the relevant standards.

The fault state has a specific cause and can only be rectified by modifying the design, manufacturing process, operating processes, documentation or other relevant factors.  If maintenance is performed correctly and the fault state remains unchanged, the cause of the fault will not usually be rectified. A systematic failure can be induced by simulating the cause of the fault.

Examples of causes of systematic failures associated with human interaction include:

  • Specification of safety requirements
  • Design, manufacture, installation, and operation of hardware
  • Design and implementation of software

T

Interval between protective function tests (proof test).

The frequency of automatic tests to detect faults in SRP/CS. It is determined based on the diagnostic test interval value.

U to Z

Back to top

U

A safety function that is initiated as soon as a component or element is no longer able to perform its function correctly. Or in the event that the conditions have changed, increasing the risks.

V

In accordance with EN ISO 12100, interlocking devices are mechanical, electrical or other types of safety equipment which, in combination with movable guards, reduce risk when accessing danger zones. Usually certain machine functions cannot be performed if the safety door is not closed.

The term “failure” is used when an object is no longer able to perform the required function. The term “fault” is used to describe a malfunction that occurs as a result of a failure.

This does not apply to items that only consist of software. When a fault occurs, the affected item is deemed faulty. Faults that only impact the availability of the controlled process are outside the scope of ISO 13849-1.

Use of a machine in a way that is not intended by the designer, but which may result from easily foreseeable human behavior.

Z

A guard locking device is a locking or closing mechanism that is part of an interlocking device and prevents access to the danger zone by keeping the safety door closed until a safe state is achieved (e.g., when dangerous movements have stopped).

The N/O and N/C contacts of an elementary relay are connected to one another mechanically through forced guidance. This prevents N/O and N/C contacts from closing at the same time. In conjunction with a suitable circuit, failure to open can be reliably detected. This is the most reliable way to ensure maximum safety for both people and machinery.

PHOENIX CONTACT (I) Pvt. Ltd.

A-58/2, Okhla Industrial Area, Phase - II,
New Delhi-110 020
+91.11.30262800

Service

PSRswitch

Eliminate fault masking

More Information