FAQ - Directives and standards



Explosion protection (ATEX)


Does Festo also offer complete solutions such as control cabinets and mounting plates for the explosion protection area?
Festo also has expertise in this complex area. Simply contact our specialist staff in the Ready-to-Install Pneumatics area.


For which categories of explosive zones does Festo offer products?
Festo offers products for zones 1 and 2 (gas) and zones 21 and 22 (dust), i.e. for equipment categories 2 and 3.


How long has the ATEX directive been in force?
The directive was transposed into German law on 12 December 1996. It became mandatory on 1 July 2003, replacing all previous national provisions.


Why is no IP protection class prescribed for control cabinets?
An IP rating says nothing about gas ingress: a control cabinet enclosure does not prevent an explosive gas atmosphere from entering it. Instead, every item of equipment installed in the cabinet must itself be rated for the zone in which the cabinet is located.


Why are service units in the D series only approved for the hazardous areas with regard to gas?
All regulators and filter regulators are fitted with a secondary vent through which air is released freely into the atmosphere; in a dust atmosphere this could stir up dust. The same applies to the on/off valve type HEE-...


What is meant by ATEX?
Explosive atmospheres are a constant hazard in mining and in the chemical and petrochemical industries because of the processes used. They can be caused by released gases, vapours or mists. Explosive atmospheres must also be anticipated in mills, silos and sugar and feed processing plants. For this reason, electrical equipment for use in potentially explosive atmospheres is subject to a dedicated directive, ATEX 95 (Directive 94/9/EC). The directive was extended to non-electrical equipment with effect from 1 July 2003. ATEX is a working title derived from "Atmosphère Explosible" (French for explosive atmosphere). Formally, ATEX is Directive 94/9/EC of 23 March 1994 on equipment and protective systems intended for use in potentially explosive atmospheres.


What does "intrinsically safe" mean?
  • A circuit is intrinsically safe if the voltage and current (and hence the power) in it are so low that a potentially explosive atmosphere cannot be ignited by a short circuit, an interruption or an earth fault.
  • The energy of any spark that may arise is smaller than the minimum ignition energy of the potentially explosive atmosphere.
  • Neither a spark nor a thermal effect (hot surface) will ignite the potentially explosive atmosphere.
  • A piece of equipment is intrinsically safe if all of its circuits are intrinsically safe.



Which equipment category covers which zone?
Equipment category   Gas zone   Dust zone
1                    0          20
2                    1          21
3                    2          22


Which Festo products are designed for the explosion protection area?

Current explosion protection information for Festo components can be found on our website, on the Explosion Protection page.


Which isolating amplifier can be used with the proximity sensor SMT-8F-I-8,2 V...?

Festo does not offer isolating amplifiers, but we will be happy to help you select a suitable one. Simply call any of our Technical Consultants.


What spacing is necessary between terminals that are intrinsically safe and those that are not?
The spacing between intrinsically safe terminals and terminals that are not intrinsically safe must be at least 50 mm.


Is a manufacturer’s declaration required for a module for which all the individual parts have been rated?
No, but one can be provided if requested by the customer.



What does RoHS mean?
On 1 July 2006, the EU Directive on the restriction of the use of certain hazardous substances in electrical and electronic equipment (RoHS) came into force. It forbids the use of six substances (lead, cadmium, mercury, hexavalent chromium, PBB (polybrominated biphenyls) and PBDE (polybrominated diphenyl ethers)) in electrical and electronic equipment placed on the market after 1 July 2006.


What materials does the RoHS ban?
Lead, cadmium, mercury, hexavalent chromium, PBB (polybrominated biphenyls) and PBDE (polybrominated diphenyl ethers).


What is the definition of RoHS-compliant?
RoHS specifies the following limits per homogeneous material: a maximum of 0.1 percent by weight for lead, mercury, hexavalent chromium, polybrominated biphenyls (PBB) and polybrominated diphenyl ethers (PBDE), and a maximum of 0.01 percent by weight for cadmium. A product is RoHS-compliant if every homogeneous material in it stays within these limits.


How are RoHS-compliant products marked?

RoHS does not prescribe any marking of compliant parts, and Festo does not mark its parts separately. However, you can check the RoHS compliance of a product using the product list on Festo's website, or contact us directly: Festo addresses worldwide


Have the RoHS and WEEE directives already been incorporated into German law?

Both directives have been implemented by the "ElektroG - Elektro- und Elektronikgerätegesetz" (Electrical and Electronic Device Law), which came into force on 24 March 2005.


Which countries are affected by RoHS?

RoHS is an EU directive and is therefore legally binding in EU member states only. Nonetheless, its consequences reach considerably further: comparable laws already exist in other countries or are in preparation, the market for electronics is global and Europe is only one part of it, and in future foreign manufacturers who wish to sell in Europe will only be able to do so with RoHS-compliant products.


Safety-related pneumatics

Does Festo produce a valve for safe venting?

The MS6-SV electro-pneumatic soft-start/quick-exhaust valve is designed to exhaust pneumatic pipework and downstream equipment quickly and safely, and to build up pressure gently, in industrial applications.

The MS6-SV is designed in accordance with DIN EN ISO 13849-1.

Maximum achievable performance level: PL e



Which categories are specified for the safety-relevant part of a control system (SRP/CS)?

The categories are described in DIN EN ISO 13849-1:2007. They are the basic parameters for achieving a given performance level (PL) and define the required behaviour of the safety-related parts of a control system with regard to their resistance to faults.


Category B
Requirements: The safety-related parts of control systems and/or their protective equipment, and their components, must be designed, built, selected, assembled and combined in accordance with the relevant standards so that they can withstand the expected influences.
System behaviour: The occurrence of a fault can lead to a loss of the safety function.
Principle for achieving safety: Primarily characterised by the selection of components.

Category 1
Requirements: The requirements of B must be met. Well-tried (proven) components and well-tried safety principles must be used.
System behaviour: The occurrence of a fault can lead to a loss of the safety function, but the probability of this is lower than in category B.
Principle for achieving safety: Primarily characterised by the selection of components.

Category 2
Requirements: The requirements of B must be met and well-tried safety principles must be used. The safety function must be checked by the machine control system at suitable intervals.
System behaviour: The occurrence of a fault between checks can lead to a loss of the safety function. The loss of the safety function is detected by the next check.
Principle for achieving safety: Primarily characterised by structure.

Category 3
Requirements: The requirements of B must be met and well-tried safety principles must be used. Safety-related parts must be designed so that:
• a single fault in any of these parts does not lead to a loss of the safety function;
• wherever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is still performed. Some, but not all, faults are detected. An accumulation of undetected faults can lead to a loss of the safety function.
Principle for achieving safety: Primarily characterised by structure.

Category 4
Requirements: The requirements of B must be met and well-tried safety principles must be used. Safety-related parts must be designed so that:
• a single fault in any of these parts does not lead to a loss of the safety function;
• the single fault is detected at or before the next demand on the safety function. If this is not possible, an accumulation of undetected faults must not lead to a loss of the safety function.
System behaviour: When a single fault occurs, the safety function is always performed. Detection of accumulated faults reduces the probability of a loss of the safety function (high DC). Faults are detected in time to prevent a loss of the safety function.
Principle for achieving safety: Primarily characterised by structure.



What is the relationship between the categories, DC, MTTFd and PL?

These are related to the probability-based approach in DIN EN ISO 13849-1:2007.
The figure shows the relationships between the safety categories, DC, MTTFd and PL.

The combination of category and DCavg determines the column of the figure. Within that column, one of the three colour-coded ranges is selected according to the MTTFd of each channel. The vertical position of that range gives the PL achieved, which is read off the vertical axis.


[Figure: bar chart of achieved PL against columns of category/DCavg and the three MTTFd ranges; vertical axis: performance level]


How is MTTFd (mean time to dangerous failure) determined for pneumatic components?

The MTTFd of each channel is classified into one of three ranges and must be determined separately for each channel (the single channel of a single-channel system, or each channel of a redundant system). The maximum MTTFd that may be used for a channel is 100 years.


Designation for each channel   Range for each channel
Low                            3 years ≤ MTTFd < 10 years
Middle                         10 years ≤ MTTFd < 30 years
High                           30 years ≤ MTTFd ≤ 100 years

MTTFd values for individual components can be calculated or estimated.
In accordance with good engineering practice, a B10d value of 20 000 000 switching cycles can be assumed for a pneumatic component, provided certain conditions regarding its use are maintained.

To calculate MTTFd according to DIN EN ISO 13849-1, Appendix C, proceed as follows:

With B10d and nop, the mean number of annual actuations, the MTTFd for components can be calculated as follows:





where, for the component in question:
- hop is the mean operating time in hours per day
- dop is the mean operating time in days per year
- tcycle is the mean time between the start of two consecutive cycles of the component (e.g. switching of a valve) in seconds per cycle
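As a worked example of the Appendix C calculation described above (added here; this is not Festo code and not part of the original FAQ), the following Python implements the Appendix C formulas n_op = d_op × h_op × 3600 / t_cycle and MTTFd = B10d / (0.1 × n_op), then combines the components of one channel by summing their dangerous failure rates (1/MTTFd), which is the parts-count method of Appendix D of the same standard, applies the 100-year cap and classifies the result into the three ranges of the table. The duty cycle (16 h/day, 240 days/year) and the two-valve channel are constructed values chosen for illustration.

```python
# Added example (not Festo code): MTTFd of a pneumatic channel according to
# DIN EN ISO 13849-1, Appendix C (B10d method) and Appendix D (parts count).
# The duty cycle and the two-valve channel below are constructed values.
from typing import Iterable, Tuple

B10D_PNEUMATIC = 20_000_000   # B10d assumed for a pneumatic component (see above)
MTTFD_CAP_YEARS = 100.0       # the standard limits the MTTFd of a channel to 100 years
MTTFD_MIN_YEARS = 3.0         # below 3 years a channel is outside the permitted range
SECONDS_PER_HOUR = 3600


def nop_per_year(hop: float, dop: float, t_cycle_s: float) -> float:
    """Mean number of operations per year: n_op = d_op * h_op * 3600 / t_cycle."""
    if hop <= 0 or dop <= 0 or t_cycle_s <= 0:
        raise ValueError("hop, dop and t_cycle must be positive")
    return dop * hop * SECONDS_PER_HOUR / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd (years) of one component: MTTFd = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * nop)


def channel_mttfd(component_mttfds: Iterable[float]) -> float:
    """Channel MTTFd by parts count: 1/MTTFd_ch = sum(1/MTTFd_i).
    Individual components may exceed 100 years; the cap applies to the channel."""
    values = list(component_mttfds)
    if not values:
        raise ValueError("a channel needs at least one component")
    combined = 1.0 / sum(1.0 / m for m in values)
    return min(combined, MTTFD_CAP_YEARS)


def mttfd_range(mttfd: float) -> str:
    """Classify a channel MTTFd into the ranges of the table above."""
    if mttfd < MTTFD_MIN_YEARS:
        return "not acceptable"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "middle"
    return "high"


def assess_channel(hop: float, dop: float, t_cycle_s: float, n_valves: int,
                   b10d: float = B10D_PNEUMATIC) -> Tuple[float, str]:
    """Whole chain for a channel of n identical valves that share one duty cycle."""
    nop = nop_per_year(hop, dop, t_cycle_s)
    per_valve = mttfd_from_b10d(b10d, nop)
    ch = channel_mttfd([per_valve] * n_valves)
    return ch, mttfd_range(ch)


if __name__ == "__main__":
    # Constructed duty cycle: two shifts (16 h/day), 240 days/year, two valves per channel.
    for t_cycle in (10.0, 2.0):
        nop = nop_per_year(hop=16, dop=240, t_cycle_s=t_cycle)
        single = mttfd_from_b10d(B10D_PNEUMATIC, nop)
        ch, rng = assess_channel(16, 240, t_cycle, n_valves=2)
        print(f"t_cycle={t_cycle:4.0f} s  n_op={nop:,.0f}/a  "
              f"MTTFd/valve={single:.1f} a  channel={ch:.1f} a -> {rng}")
```

The two runs show why the cycle time matters: at a 10 s cycle each valve reaches about 145 years and the two-valve channel about 72 years (high range), whereas at a 2 s cycle the per-valve value falls to about 29 years and the channel to about 14 years (middle range). The 100-year cap does not bite at these duty cycles, but it would for a valve that is switched only a few times per hour.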


How is the required performance level PLr determined?

The required performance level is determined according to DIN EN ISO 13849-1:2007.

The performance level (PL) is defined in terms of the average probability of a dangerous failure per hour (PFHd). There are five performance levels (a to e), each with a defined range of PFHd.


Performance level   Average probability of dangerous failure per hour (PFHd)
a                   10^-5 ≤ PFHd < 10^-4
b                   3 × 10^-6 ≤ PFHd < 10^-5
c                   10^-6 ≤ PFHd < 3 × 10^-6
d                   10^-7 ≤ PFHd < 10^-6
e                   10^-8 ≤ PFHd < 10^-7


For each safety function which is run by a safety-relevant part of a control system, a required performance level (PLr) must be defined and documented. The required performance level is determined by the result of the risk assessment as related to the proportion of risk reduction achieved by the safety-relevant parts of the control system.

The required performance level (PLr) is the performance level (PL) required in order to achieve the required risk reduction for each safety function.

For this estimation, it is assumed that the intended safety function has not yet been implemented. A risk graph is then used to determine the required performance level (PLr) for each safety function.




[Figure: risk graph for determining PLr from the parameters S, F and P]

Legend:
L    Low contribution to risk reduction
H    High contribution to risk reduction
PLr  Required performance level

Risk parameters:
S Severity of injury
S1 Slight (generally reversible) injury
S2 Severe (generally irreversible) injury, including death
F Frequency and/or duration of exposure to hazard
F1 Seldom to less often and/or short duration of exposure to the hazard
F2 Frequent to continuous and/or long duration of exposure to the hazard
P Possibility of avoiding the hazard or limiting damage
P1 Possible under certain conditions
P2 Scarcely possible


Which safety standards does the machine manufacturer have to comply with?

EN ISO 13849-1:2007, Safety-related parts of control systems, Part 1: General principles for design, stipulates the following:

"The structure of safety standards for machines is as follows:

a) Type A standards (Basic safety standards) deal with basic definitions, design principles and general aspects that can be applied to machines.
b) Type B standards (Basic technical safety standards) deal with a particular safety issue or a type of protective equipment that can be used for an entire series of machines:
- Type B1 standards for particular safety issues (e.g. safety distances, surface temperature, noise);
- Type B2 standards for protective equipment (e.g. two-hand controls, locking mechanisms, pressure-sensitive protective equipment, disconnecting protective equipment).
c) Type C standards (Machine safety standards) deal with detailed safety requirements for a particular machine or group of machines."


Which protection objectives need to be achieved?

The protection objective is to protect people, animals and property from harm.
Harm in this sense means physical injury, damage to health or damage to property.


Which safety principles need to be observed?

For pneumatic systems, fundamental and established safety principles are described in DIN EN ISO 13849-2, Appendix B.

The following basic safety principles are specified:

  • Use of suitable materials and appropriate manufacturing methods
  • Correct sizing and shaping
  • Appropriate selection, combination, arrangement, assembly and installation of components, observing the manufacturer's instructions for use
  • Application of the de-energisation principle (the safe state is reached by removing energy). This principle cannot be used in all applications, e.g. where loss of pneumatic pressure would create an additional hazard
  • Appropriate mounting
  • Pressure limitation, e.g. by means of pressure relief valves
  • Limitation/reduction of speed, e.g. by means of flow control valves
  • Adequate measures to prevent contamination of the compressed air
  • Appropriate response time range, taking into account e.g. pipe length, pressure, exhaust capacity, force, reduction in spring force, friction, lubrication, temperature, inertia during acceleration and deceleration, and interaction of tolerances
  • Resistance to ambient conditions, e.g. temperature, moisture, vibration, contamination
  • Protection against unexpected start-up
  • Simplification, e.g. reducing the number of components in safety-related systems
  • Appropriate temperature range
  • Separation of safety-related functions from other functions

The following well-tried safety principles are specified:

  • Oversizing/safety factor. Safety factors are stipulated in standards or are based on experience with safety-related applications
  • Safe position: the moving element of a component is mechanically held in one of the possible positions
  • Increased OFF force. One solution is for the effective area acting to move a valve piston to the safe (OFF) position to be significantly greater than the area acting to move it to the ON position (a safety factor)
  • Valve that closes under load pressure. These are generally poppet valves, e.g. cone-seat or ball-seat valves
  • Positive mechanical action/actuation
  • Multiplication of parts: reduction of the effect of faults by the use of several identical parts
  • Use of well-tried springs
  • Limitation/reduction of speed by means of a resistance that limits the volumetric flow rate, e.g. fixed orifices and restrictors
  • Limitation/reduction of force, e.g. by means of a well-tried pressure relief valve fitted with a well-tried spring and correctly sized and selected
  • Appropriate range of operating conditions, e.g. pressure, flow rate and temperature range must be taken into account
  • Appropriate prevention of compressed air contamination
  • Sufficiently large positive overlap in spool valves. The positive overlap ensures the stop function and prevents impermissible movements
  • Hysteresis limitation, e.g. hysteresis increases with greater friction; interaction of tolerances also influences hysteresis

There is no general list of well-tried components. A component that is suitable for certain applications may be completely unsuitable for others.

In addition, DIN EN ISO 13849-2, Appendix B, also contains fault lists with fault assumptions and exclusions for various pneumatic component groups.
These general fault assumptions should be supplemented by specific assumptions for individual components based on accurate product knowledge.

The aim is to investigate how failure of a component will affect the safety function.


What are safety-related parts of a control?
A safety-related part of a control system (SRP/CS) is one which responds to safety-related input signals and generates safety-related output signals. EN ISO 13849-1:2007, Safety-related parts of control systems, Part 1: General principles for design, stipulates the following: "Parts of machine control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS); these can consist of hardware and/or software and can be either separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-hand controls as a means of process initiation). The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called the "performance level" (PL). These performance levels are defined in terms of probability of dangerous failure per hour."


What is the difference between hazard and risk?
The terms are defined in EN ISO 12100-1:2004. A hazard analysis is carried out to identify the hazards and determine the resulting risk; where necessary, this is followed by risk reduction.

A hazard is a potential source of harm, where harm means physical injury or damage to health. A hazard can be described by its origin (e.g. mechanical hazard, electrical hazard) or by the nature of the harm to be expected (e.g. electric shock hazard, cutting hazard, poisoning hazard, fire hazard). A hazard in this sense is either permanently present during the intended use of the machine (e.g. hazardous movement of parts, welding arc, unhealthy posture, noise emission, high temperature) or can occur unexpectedly (e.g. explosion, crushing hazard due to unintended/unexpected start-up, ejection due to breakage, crashing or falling due to acceleration/braking).

Risk is the combination of the probability of occurrence of harm and the severity of that harm. After the hazard analysis and the implementation of the corresponding risk reduction measures, some residual risk may remain.

A risk assessment, comprising risk analysis and risk evaluation, defines the limits of the machine, identifies the hazards, estimates the risks and evaluates whether the risk reduction objectives have been achieved.


Which risk reduction measures are there?

The general risk reduction strategy is set out in detail in DIN EN ISO 12100-1.
In principle, it must be assumed that harm will occur sooner or later if a hazard exists on a machine and no protective measures are taken.
Where a hazard is present, the greatest possible risk reduction must be aimed for. The safety of the machine (over its entire service life and in all operating conditions) takes precedence over its functionality, user-friendliness and cost.
This applies, however, only within the specified limits of the machine, for its intended use, for reasonably foreseeable misuse, within the physical limits of the machine and for its foreseeable service life.
The risk reduction objectives are achieved using the so-called "3-step method", in this order:

  • Inherently safe design (avoiding hazards or reducing risks through the choice of design features of the machine itself and/or of the interaction between the exposed persons and the machine)
  • Technical protective measures (safeguarding)
  • Information for use about the residual risks


What is the difference between a fault and a failure?
A fault is a state of an item characterised by its inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources. A fault is often the result of a failure of the item itself.

A failure is the termination of the ability of an item to perform a required function. After a failure the item has a fault. "Failure" is thus the event, whereas "fault" is the resulting state.

A further distinction is made between:
  • dangerous failure: a failure which has the potential to put the safety-related part of a control system into a hazardous or fail-to-function state;
  • common cause failure (CCF): failures of different items resulting from a single event, where these failures are not consequences of each other;
  • systematic failure: a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design, the manufacturing process, the operating procedures, the documentation or other relevant factors.


What is the difference between DIN EN 954-1 and DIN EN ISO 13849-1?
EN 954-1:1996 has been replaced by EN ISO 13849-1:2007. Both standards deal with safety-related parts of control systems and are harmonised under the EC Machinery Directive. The new standard is subject to a transition period ending in November 2009; until then its application is possible but not obligatory. The replacement brings a fundamental change of approach: the purely deterministic viewpoint of EN 954-1 is complemented by probabilistic considerations. EN 954-1 is based on the consideration of structures, using proven methods such as safety functions, the risk graph and categories. The new standard adds probability calculus, quantifying component reliability and testability and considering potential failures. The risk graph no longer leads to a control category as in EN 954-1, but to a required performance level (PLr).


How is the achieved performance level (PL) assessed?

An estimate of the performance level (PL) achieved must be carried out for every safety-related part of a control system. The following aspects must be determined:

  • MTTFd (mean time to dangerous failure) of the individual components;
  • DC (diagnostic coverage);
  • CCF (estimate of common cause failures);
  • Behaviour of the safety function under fault conditions;
  • Safety-related software;
  • Systematic failures;
  • Ability to perform the safety function under foreseeable ambient conditions.


What is the diagnostic coverage (DC)?
The diagnostic coverage (DC) is a measure of the effectiveness of diagnostics, defined as the ratio of the rate of detected dangerous failures to the rate of all dangerous failures. It can usually be estimated by Failure Mode and Effects Analysis (FMEA) or a similar method.

DC ranges:
None     DC < 60%
Low      60% ≤ DC < 90%
Medium   90% ≤ DC < 99%
High     99% ≤ DC

For estimating DC in pneumatic systems, EN ISO 13849-1, Appendix E gives the following guidance: indirect monitoring (e.g. by pressure switches, electrical position monitoring of actuators): 90% to 99% DC, depending on the application; direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by positively driven contacts): 99% DC.
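The DC of a whole channel is not the plain mean of the component values. As an added example (not Festo code and not part of the original FAQ), the Python below implements the averaging formula of DIN EN ISO 13849-1, Appendix E, DCavg = Σ(DC_i / MTTFd_i) / Σ(1 / MTTFd_i), and classifies the result with the ranges above. The component data (two valves with direct position monitoring, one with indirect monitoring, and one unmonitored part with a short MTTFd) are constructed values chosen to show how one unmonitored, less reliable component dominates the average.

```python
# Added example (not Festo code): average diagnostic coverage DCavg according to
# DIN EN ISO 13849-1, Appendix E. The component data below are constructed.
from typing import Sequence


def dc_range(dc: float) -> str:
    """Classify a DC (as a fraction, 0.9 = 90%) into the ranges given above."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must lie between 0 and 1")
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def dc_avg(mttfds: Sequence[float], dcs: Sequence[float]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i).
    Each component's DC is weighted by its dangerous failure rate 1/MTTFd, so an
    unreliable part with no diagnostics pulls the average down disproportionately."""
    if not mttfds or len(mttfds) != len(dcs):
        raise ValueError("need exactly one DC per component")
    rates = [1.0 / m for m in mttfds]
    return sum(dc * r for dc, r in zip(dcs, rates)) / sum(rates)


# Constructed channel: two valves with direct position monitoring (99 %) and one
# with indirect monitoring via a pressure switch (90 %), MTTFd 144.7 years each.
MONITORED_ONLY = ([144.7, 144.7, 144.7], [0.99, 0.99, 0.90])
# The same channel plus one unmonitored component (DC 0 %) with MTTFd 30 years.
WITH_UNMONITORED = ([144.7, 144.7, 144.7, 30.0], [0.99, 0.99, 0.90, 0.0])

if __name__ == "__main__":
    for name, (mttfds, dcs) in (("monitored only", MONITORED_ONLY),
                                ("plus unmonitored part", WITH_UNMONITORED)):
        avg = dc_avg(mttfds, dcs)
        print(f"{name:<22} DCavg = {avg:6.1%} -> {dc_range(avg)}")
```

With only the monitored valves the channel reaches DCavg = 96% (medium). Adding a single unmonitored component whose MTTFd is about a fifth of the others drags DCavg down to roughly 37%, i.e. "none", which is why every component in the channel has to appear in the estimate, not just the valves that are monitored.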


Which measures are available for protection against common cause failures (CCF)?

Common cause failures (CCF) are failures of different items resulting from a single event, where these failures are not consequences of each other.

Common cause failures should not be confused with common mode failures.

Estimating CCF and its effects is a semi-quantitative, points-based process that must be applied to the whole system, taking into account every safety-related part of the control system. For this purpose a list of measures is provided, each with a score based on engineering judgement that represents the measure's contribution to reducing common cause failures.

The procedure for scoring and quantifying measures against common cause failures is set out in DIN EN ISO 13849-1, Appendix F; a total score of at least 65 points is required for the CCF requirements to be fulfilled.


What functional aspects are important in the context of EMERGENCY STOP devices?

The functional aspects of emergency-stop devices are described in EN ISO 13850:2007, Emergency stop – Principles for design. It replaces EN 418:1993.

The purpose of an emergency stop function integrated into the machine is to avert an impending hazard or minimise a hazard which already exists.
The emergency stop function must be triggered by the single action of a person.
The safety requirements according to DIN EN ISO 13850:2007 are as follows:

  • The emergency-stop function must be available and functional at all times and must have priority over all other functions and processing steps in all modes of machine operation, without impairing any devices or fittings which are designed for freeing trapped persons. It must not be possible to use start commands of any kind (intended, unintended or unexpected) to affect processing steps which were stopped by the triggering of the emergency-stop function until the emergency-stop function has been reset manually.
  • The emergency-stop function must not be used as a replacement for protective measures or other safety functions, but rather should be designed as a complementary protective measure. The emergency-stop function must not impair the effectiveness of guards or of fittings or mechanisms with other safety functions.
  • The emergency-stop function must be designed in such a way that hazardous movements and the operation of the machine are stopped in an appropriate manner once the emergency-stop device has been actuated, without any additional hazards being caused and without any further actions by any person, in accordance with the risk assessment.
  • The emergency-stop function must be designed in such a way that the decision to actuate the emergency-stop control element can be taken without the person needing to consider what effects might follow as a result.

The emergency stop function must be designed as one of the following stop categories:

Stop category 0

Stopping by immediate removal of power to the machine actuators, or by mechanical disconnection (declutching) between the hazardous elements and their machine actuators and, if necessary, braking.

Stop category 1

A controlled stop with power to the machine actuators available to achieve the stop, followed by removal of power once the stop has been achieved.
Examples of removal of power include:
  • switching off the power supply to the electric motors of the machine,
  • disconnecting the movable parts of the machine from the source of mechanical power, and
  • shutting off the hydraulic/pneumatic power supply to a piston/plunger.

The choice of stop category for an emergency stop must be determined on the basis of the risk assessment for the machine.

After actuation of the emergency stop device, the emergency stop command must remain in effect until it is manually reset. Resetting must only be possible at the location where the command was initiated. Resetting the command must not restart the machine; it must merely permit a restart. Restarting must only be possible once the emergency stop device has been manually reset at the location where it was triggered.

An emergency stop device must be provided at every operator control station unless the risk assessment shows this to be unnecessary.

The emergency stop device must operate on the principle of direct opening action with mechanical latching.

In the event of a fault in the emergency stop device (including its latching function), the generation of the emergency stop command must take priority over latching. Resetting (e.g. unlatching) must only be possible by a manual action at the location where the emergency stop was initiated.

The emergency stop actuator must be coloured red. Where there is a background behind the actuator, it must be coloured yellow as far as practicable.


What is the functional relationship between the stop functions in electrical and pneumatic systems?

DIN EN 60204-1:1993 (also published as VDE 0113), Electrical equipment of machines, sets out the stop functions for electrical systems.

There are the following three categories of stop functions:

Category 0: Shutdown by immediately turning off the energy supply to the machine drives (i.e. uncontrolled shutdown);
Category 1: Controlled shutdown, where the energy supply is only disconnected when the machine has stopped;
Category 2: Controlled shutdown, where the energy supply to the machine components is maintained.

Every machine must have a category 0 stop function. Category 1 and/or 2 stop functions must be provided where required by the safety and/or functional requirements of the machine. Category 0 and category 1 stops must be operational regardless of the operating mode, and a category 0 stop must take priority.

The following assignments can be made for pneumatics:

Category 0: switch off compressed air and electrical power (uncontrolled stop);
Category 1: use of a clamping unit or clamping cartridge (controlled stop, then removal of power);
Category 2: e.g. monostable 5/2-way valve, cylinder returns to its initial position (power maintained).


Which functional aspects are important in the context of a pneumatic two-hand control?

Two-hand controls must be designed in accordance with DIN EN 574:1997.
A two-hand control requires at least the simultaneous or synchronous actuation of both hands in order to operate a machine.
Two-hand controls are divided into types I, II, III A, III B and III C. The choice of type depends on the hazards present, the risk assessment and other influencing factors, which vary with each application.
The physical arrangement of the control elements must be designed so that the risk of accidental actuation is as low as possible and so that the protective effect of the two-hand control cannot easily be defeated.
The pneumatic two-hand control block ZSB-1/8 is a safety component in accordance with the Machinery Directive 89/392/EEC, Annex IV. It corresponds to category 1 of DIN EN 954 (only in conjunction with a pressure sequence valve, e.g. VD-3-PK-3) and to type III A of DIN EN 574.


What must be taken into consideration when designing pneumatically operated separating guards?

Guards must be designed in accordance with EN 953:1997. 

Guards are classified as fixed or movable. The following is set out in EN 953:1997 regarding powered guards: “Powered guards must not cause injuries (e.g. due to closing pressure, exerted force, speed or sharp edges). If the guard is fitted with another safety device which automatically re-opens the guard as soon as the guard comes in contact with a person or object, the force to prevent the guard closing must not exceed 150 N. The kinetic energy of the guard must not exceed 10 Nm. If no such safety device is fitted, these values must be reduced accordingly to 75 N and 4 Nm, respectively.” 

Simple pneumatically driven doors or windows that close horizontally or vertically must therefore be designed to the lower values of 75 N and 4 Nm. The higher values may only be applied if the door or window is functionally linked to a device such as a safety mat, light barrier or pressure-sensitive edge that automatically causes the guard to re-open.


What does validation require?

The validation plan must identify the means to be used to validate the specified safety functions and categories. Where appropriate, it must set out the following:
  • the identity of the specification documents;
  • the operating and ambient conditions;
  • the basic safety principles;
  • the well-tried safety principles;
  • the well-tried components;
  • the fault assumptions and fault exclusions to be considered;
  • the analyses and tests applied.


What information about safety-related components has to be documented by the machine manufacturer?

When designing the safety-related parts of a control system (SRP/CS), the manufacturer must document at least the following information in compliance with DIN EN ISO 13849-1:2007:

  • Safety functions provided by the SRP/CS;
  • Characteristics of each safety function;
  • Exact points at which the safety-related parts begin and end;
  • Ambient conditions;
  • Performance level (PL);
  • Selected category;
  • Parameters relating to reliability (MTTFd, DC, CCF and mission time);
  • Measures against systematic failures;
  • Technology used;
  • All safety-related faults taken into account;
  • Justification for fault exclusions;
  • Design rationale (e.g. faults considered, faults excluded);
  • Software documentation;
  • Measures against reasonably foreseeable misuse.

In general, this documentation is intended for internal use by the manufacturer and is not passed on to the machine user.

By contrast, the user must be provided with the information that is important for the safe use of the SRP/CS. This must include, but is not limited to, the following:

  • Limits of the SRP/CS for the selected category and for each fault exclusion;
  • Where a fault exclusion contributes significantly to maintaining the selected category and safety performance, the information (e.g. on modification, maintenance and repair) needed to keep that fault exclusion justified;
  • Effects of deviations from the specified performance of the safety functions;
  • Clear descriptions of the interfaces to the SRP/CS and protective devices;
  • Response time;
  • Operating limits (including ambient conditions);
  • Indications and alarms;
  • Muting and temporary suspension of safety functions;
  • Operating modes;
  • Maintenance checklists;
  • Ease of access to, and replacement of, internal parts;
  • Means for easy and reliable troubleshooting;
  • Information explaining the intended applications of the corresponding category;
  • Monitoring of test intervals, where relevant.

Specific information on the category or categories and the performance level of the SRP/CS must be indicated as follows:

  • Dated reference to DIN EN ISO 13849-1:2006;
  • Category B, 1, 2, 3 or 4;
  • Performance level a, b, c, d or e.

EXAMPLE: A safety-related part with category B and performance level a would be identified as follows:
ISO 13849-1:2006 Category B PL a