FAQ - Directives and standards

ATEX

RoHS

Safety-related pneumatics

ATEX

Does Festo also offer complete solutions such as control cabinets and mounting plates for the explosion protection area?
Festo is also an expert in this complex area. Simply contact our specialist staff in the Ready-to-Install Pneumaticsarea.

For which categories of explosive zones does Festo offer products?
Festo offers products for zones 1, 21 and 2,22.

How long has the ATEX directive been in force?
The directive was transposed into German law on 12 December 1996. This directive ultimately took effect on 1 July 2003, replacing all previous provisions.

Why is no IP protection class prescribed for control cabinets?
A control cabinet does not provide any protection against gas penetration. Instead, all equipment in the control cabinet must be rated for the appropriate zone.

Why are service units in the D series only approved for the hazardous areas with regard to gas?
All regulators and filter regulators are fitted with a secondary vent from which air can be freely released into the atmosphere and stir up dust. The same is true of the on/off valve type HEE-...

What is meant by ATEX?
Explosive atmospheres are a constant hazard in the mining, chemical and petrochemical industries because of the processing techniques used. Such atmospheres can be caused through conditions such as released gases, vapours or mist. Explosive atmospheres should also be anticipated in mills, silos and sugar and feed processing plants. For this reason, electrical equipment in potentially explosive atmospheres is subject to a special directive, ATEX 95 or 94/9/EC. This directive was also extended to non-electrical equipment on 1 July, 2003. ATEX is a working title and is derived from “Atmosphère Explosible” (French for explosive atmosphere). ATEX is Directive 94/9/EC dated 23 March 1994 concerning equipment and protective systems intended for use in potentially explosive atmospheres.

What does intrinsically safe mean?
- The voltage and/or current (power) in an intrinsically safe circuit is so low that a potentially explosive atmosphere cannot be ignited as the result of a short circuit, interruption or earth fault. - The ignition energy of any spark that may arise is smaller than the minimum ignition energy of the potentially explosive atmosphere. - Neither a spark nor a thermal effect will ignite the potentially explosive atmosphere.

Which equipment category covers which zone?
Equipment category Gas zone Dust zone
1 0 20
2 1 21
3 2 22

Which Festo products are designed for the explosion protection area?
Current explosion protection information for Festo components can be found on our website. Simply click on the Explosion Protection page

What spacing is necessary between terminals that are intrinsically safe and those that are not?
The spacing between intrinsically safe terminals and those that are not intrinsically safe must be at least 50 mm.

Is a manufacturer’s declaration required for a module for which all the individual parts have been rated?
No, but one can be provided if requested by the customer.

RoHS

What does RoHS mean?
On 1 July 2006, the EU Directive on the restriction of the use of certain hazardous substances (RoHS) came into force. This directive forbids the use of six materials (lead, cadmium, mercury, hexavalent chromium, PBB (polybromided biphenyls) and PBDE (polybromided diphenyl ether)) in electrical and electronic equipment offered for sale after 1 July 2006.

What materials does the RoHS ban?
Lead, cadmium, mercury, hexavalent chromium, PBB (polybrominated biphenyls), PBDE (polybrominated diphenyl ether)

What is the definition of RoHS-compliant?
RoHS specifies the following limits: maximum 0.1 percent by weight of lead, mercury, hexavalent chromium, polybrominated biphenyls (PBB) or polybrominated diphenyl ether (PBDE) per homogenous material or maximum 0.01 percent by weight of cadmium per homogenous material.

How RoHS-compliant products are marked?
RoHS does not prescribe any marking of RoHS-compliant parts. Festo does not mark its supplied parts separately. However, you can check RoHS compliance using the Product list on Festo's website. Or contact us directly - by email technikservice@festo.com or call us on 0180 303 3000.

Safety-related pneumatics

Does Festo produce a valve for safe venting?

The MS6-SV electro-pneumatic soft-start/quick exhaust valve is intended for reducing pressure quickly and safely and for building up pressure gently in pneumatic pipeline systems and terminal equipment in industry.

The MS6-SV corresponds to the standard DIN EN ISO 13849-1.

Max. possible performance level = "e"

MS6-SV

What are safety-related parts of a control?
A safety-related part of a control (SRP/CS) is one which reacts to safety-related input signals and generates safety-related output signals. EN ISO 13849-1:2007, Safety-related parts of control systems, Part 1: General principles for design, stipulates the following: “Parts of machine control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS), and these can either consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-handed controls as a means of process initiation). The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called the “performance level” (PL). These performance levels are defined in terms of probability of dangerous failure per hour.”

What is the difference between hazard and risk?
The terms are described in EN ISO 12100-1:2004. A hazard analysis is conducted during which the predominant risk is determined. Where necessary, this is followed by a process of risk reduction. A hazard is a potential source of harm, where harm refers to either a physical injury or damage to health. A hazard can be specified according to its cause (e.g. mechanical hazard, electrical hazard) or the type of harm to be expected (e.g. electrical shock hazard, cutting hazard, poisoning hazard, fire hazard). The hazard in the sense of this definition is either continuously present during proper use of the machine (e.g. hazardous motion of parts, arc when welding, unhealthy bodily posture, noise emissions, high temperature) or can occur unexpectedly (e.g. explosion, crushing hazard due to unintended/unexpected starting, forcible ejection due to breakage, crashing due to acceleration/braking). The risk is a combination of the probability of the harm being incurred and the degree of harm. After the hazard analysis and implementation of corresponding risk reduction measures, some residual risk may remain. In the course of a risk assessment, comprising a risk analysis and risk classification, the limits of the machine are defined, hazards are identified and risks estimated and an assessment is made as to whether the goals of risk reduction have been reached.

What is the difference between a fault and a failure?
A fault is a state of a functional unit characterised by the incapability to perform a required function, with the exception of incapability during preventative maintenance or other planned activities or due to the lack of external materials. A fault is often the result of failure of the unit itself. Failure is the termination of the capability of a functional unit to fulfil a required function. Following a failure, the unit will have a fault. The “failure” is the event, in contrast to the “fault” which is a state. A further distinction must be made between: hazardous failure, which is a failure which has the potential to place a safety-related part of a control system into a state of hazard or malfunction; common cause failure (CCF): failures of different units due to a single event, where these failures are not interdependent; systematic failure: failure with a deterministic relationship to a particular cause which can only be eliminated by changing the design, the manufacturing process, operating procedure, documentation or associated factors.

What is the differnce between DIN EN 954-1 und DIN EN ISO 13849-1?
EN 954-1:1996 has been replaced by EN ISO 13849-1:2007. Both standards describe safety-related parts of control systems and have been harmonised with the EC Machinery Directive. The new standard is subject to a transition period until November 2009. Before that date, application is possible but not obligatory. The replacement brings with it a fundamental change in approach. The previously deterministic viewpoint of EN 954-1 is complemented by probabilistic considerations. The basic approach of EN 954-1 is based on the consideration of structures, applying proven methods such as safety functions, risk graph and categories. The new standard adds probability calculus, with a quantification of component reliability and testability and consideration of potential failures. The risk graph no longer leads to a control category as in EN 954-1, but rather to a performance level (PL).

What is the diagnostic coverage (DC)?
The diagnostic coverage (DC) states the effectiveness of the diagnostics that can be achieved as a ratio of the rate of dangerous failures detected to the rate of all dangerous failures. Failure Mode and Effects Analysis (FMEA) or similar methods can be used to estimate the DC in most cases. Classification by range: minimal DC < 60%, low 60% ≤ DC < 90%, medium 90% ≤ DC < 99%, high 99% ≤ DC. For estimates of DC in pneumatic systems, applicable guidelines include the following from EN ISO 13849-1, Appendix E: indirect monitoring (e.g. monitoring using pressure switches, electrical position monitoring of actuators): 90% to 99% DC, regardless of application; direct monitoring (e.g. electric position monitoring of control valves, monitoring of electromechanical units by positively driven operation) : 99% DC

What functional aspects are important in the context of EMERGENCY STOP devices?

The functional aspects of emergency-stop devices are described in EN ISO 13850:2007, Emergency stop – Principles for design. It replaces EN 418:1993.

The purpose of an emergency stop function integrated into the machine is to avert an impending hazard or minimise a hazard which already exists.
The emergency stop function must be triggered by the single action of a person.
The safety requirements according to DIN EN ISO 13850:2007 are as follows:

  • The emergency-stop function must be available and functional at all times and must have priority over all other functions and processing steps in all modes of machine operation, without impairing any devices or fittings which are designed for freeing trapped persons. It must not be possible to use start commands of any kind (intended, unintended or unexpected) to affect processing steps which were stopped by the triggering of the emergency-stop function until the emergency-stop function has been reset manually.
  • The emergency-stop function must not be used as a replacement for protective measures or other safety functions, but rather should be designed as a complementary protective measure. The emergency-stop function must not impair the effectiveness of guards or of fittings or mechanisms with other safety functions.
  • The emergency-stop function must be designed in such a way that hazardous movements and the operation of the machine are stopped in an appropriate manner once the emergency-stop device has been actuated, without any additional hazards being caused and without any further actions by any person, in accordance with the risk assessment.
  • The emergency-stop function must be designed in such a way that the decision to actuate the emergency-stop control element can be taken without the person needing to consider what effects might follow as a result.

The emergency stop must be described as in one of the following stop categories:

Stop category 0

Shutdown through:
immediate disconnection of the power supply to the machine driving components or
mechanical isolation between hazardous parts and their machine driving components and, if necessary, by braking.

Stop category 1

Controlled shutdown with power supply to the machine’s driving components in order to come to a halt, and subsequently, after shutdown, disconnection of the power supply.
Examples of disconnecting the power supply include:
switching off the power supply to the electric motors of the machine,
disconnecting the movable parts of the machine from the source of mechanical power and
shutting off the hydraulic/pneumatic power supply to a piston/plunger.

The choice of stop category for an emergency stop must be determined on the basis of the risk assessment for the machine.

After an emergency stop device is triggered by an emergency stop command, the effect of this command must continue until it is manually reset. Resetting must only be possible at the location at which the emergency stop command was triggered. Resetting the command must not result in the machine starting up again, but only enable for the machine to be restarted. Restarting the machine must only be possible once the machine has been manually reset at the location at which the emergency stop was triggered.

An emergency stop device must be attached to all operating panels, unless the risk assessment determines this to be unnecessary.

The principle of direct actuation with mechanical locking function must be applied to the emergency stop device.

In the event of a fault in the emergency stop device (including the function of saving the emergency stop command), the function of generating the emergency stop command must take priority over the saving function. Resetting (e.g. unlocking) the emergency stop must only be possible as a result of a manual action at the location where the emergency stop was initiated.

The emergency stop actuator must be red. If there is a background behind the actuator, this must be yellow, as far as this is feasible.

What must be taken into consideration when designing pneumatically operated separating guards?

Guards must be designed in accordance with EN 953:1997. 

Guards are classified as fixed or movable. The following is set out in EN 953:1997 regarding powered guards: “Powered guards must not cause injuries (e.g. due to closing pressure, exerted force, speed or sharp edges). If the guard is fitted with another safety device which automatically re-opens the guard as soon as the guard comes in contact with a person or object, the force to prevent the guard closing must not exceed 150 N. The kinetic energy of the guard must not exceed 10 Nm. If no such safety device is fitted, these values must be reduced accordingly to 75 N and 4 Nm, respectively.” 

Simple pneumatically driven, horizontally or vertically closing doors or windows must therefore be designed with values of 75 N and 4 Nm. The higher values can only be applied if the doors or windows are functionally linked to e.g. safety mats, light barriers, touch-sensitive barrier rails etc. which automatically cause the guard to re-open.

What does a validation require you to do?

The validation plan must also identify the means to be used to validate the defined safety functions and categories. Where appropriate, it must set out the following:

  • the identity of the documents for the specifications;
  • the operating and ambient conditions;
  • the underlying safety principles;
  • the established safety principles;
  • the established components;
  • the error assumptions and error exclusions which are to be considered
  • the analyses and tests which were applied