Safety in pneumatics

From FestoWiki - english

At Festo, quality has many aspects – one of these is handling machines safely. This is the reason for our safety-oriented automation technology. These components ensure that optimum safety is achieved in the workplace.
Festo has offered products in the field of safety technology for many years. These are for example the two-hand control block ZSB, the certified brake unit KEC-S or the safety valve MS6-SV.

Reduce risk – think preventively

Machines have to be designed in a way that protects people, animals, property and the environment from harm. The objective is to prevent physical damage of any type.
Using safety-oriented pneumatics from Festo provides you with the security of implementing safety measures in compliance with the EC Machinery Directive. This could for example be the reliable prevention of collisions or uncontrolled restarts after an emergency stop. At the same time, using safety-oriented pneumatics also minimises the risk of liability claims.
The EC Machinery Directive specifies a risk analysis and assessment for machines. These have helped to develop and define safety objectives.
The safety objectives are achieved using various safety functions.
Reliable operation of machines should be possible in all modes and stages of their service life.

Safety-related pneumatics

Festo provides solutions for:

  • Commissioning
  • Automatic/manual operation
  • Setting operation
  • Risk situations and emergency functions such as safe stop, safe venting
  • Restart - prevention of unexpected start-up
  • Service/maintenance

In addition, depending on their hazard potential, faults that occur must not lead to failure of the safety functions.

Simple - but safe!

As a general rule, the simpler the safety technology used in the application, the more efficient it is. The complexity of the safety technology lies in the variety of status combinations and transitional statuses. As a result, it would seem virtually impossible to implement standardised safety engineering concepts.
Due to their flexible application, pneumatic drive systems from Festo need to be included in the risk analysis and assessment for each machine, depending on the application. To ensure that the electrical safety functionality of your control system is a suitable continuation of your safety concept for pneumatic components, Festo offers solutions based on risk analyses and risk assessments for the most commonly used applications.

Categories of DIN EN ISO 13849-1

These are basic parameters for reaching a special performance level (PL). They define the required behaviour of safety-relevant parts of a control system with regard to their resistance to faults.

Category B
Requirements: The safety-related parts of control systems and/or their protective devices and their components must be designed, built, selected, assembled and combined in accordance with the applicable standards so that they can withstand the expected influences.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle for achieving safety: Primarily characterised by the selection of components.

Category 1
Requirements: The requirements in B must be met. Reliable components and safety principles must be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function. The probability of occurrence is lower than in category B.
Principle for achieving safety: Primarily characterised by the selection of components.

Category 2
Requirements: The category B requirements have to be fulfilled and reliable safety principles must be used. The safety function must be tested at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the test intervals. Failure of the safety function is detected through the test.
Principle for achieving safety: Primarily characterised by the structure.

Category 3
Requirements: The category B requirements have to be fulfilled and reliable safety principles must be used. Safety-related parts must be designed in such a way that:
  • one fault in each of these parts does not lead to the loss of the safety function;
  • if reasonably possible, the individual fault should be identified.
System behaviour: If individual faults occur, the safety function always remains intact. Some but not all faults are detected. An accumulation of unknown faults may result in the loss of the safety function.
Principle for achieving safety: Primarily characterised by the structure.

Category 4
Requirements: The category B requirements have to be fulfilled and reliable safety principles must be used. Safety-related parts must be designed in such a way that:
  • one fault in each of these parts does not lead to the loss of the safety function;
  • individual faults are identified when or before the safety function is next required. If identification is not possible, a cluster of unidentified faults must not lead to the loss of the safety function.
System behaviour: If individual faults occur, the safety function must always be preserved. The detection of clusters of faults reduces the probability of the loss of the safety function (high diagnostic coverage). The fault is detected early enough to prevent the loss of the safety function.
Principle for achieving safety: Primarily characterised by the structure.

Which safety objectives must be achieved?

The safety objective is the protection of people, animals or property against damage.
In this case, damage means physical injuries, health impairments or the collision of objects.

Which safety principles must be adhered to?

For pneumatic systems, fundamental and reliable safety principles are described in DIN EN ISO 13849-2, Appendix B.
The following basic safety principles must be used:

  • The use of appropriate materials and manufacturing processes; correct sizing and design; appropriate selection, combination, configuration, assembly and installation of the components, taking into account the manufacturer's guidelines for use.
  • Application of the energy isolation principle. This principle may not be used on some applications, for example if failure of the pneumatic pressure generates an additional hazard.
  • Suitable mounting.
  • Pressure limitation, for example through pressure regulators.
  • Limitation/reduction of speed, for example through flow control valves.
  • Sufficient measures to prevent compressed air contamination.
  • Suitable switching time range, taking into account the length of the tubing, pressure, ventilation capacity, force, reduction in spring force, friction, lubrication, temperature, inertia during acceleration and deceleration and the interaction of tolerances.
  • Resistance to ambient conditions, for example temperature, humidity, vibrations, contamination.
  • Protection against unexpected start-up.
  • Simplification, for example through a reduction of the number of components in safety-related systems.
  • Appropriate temperature range.
  • Isolation of the safety-related functions from other functions.

The following reliable safety principles must be followed:

  • Oversizing/safety factor; the safety factors are stated in standards or are based on experience with safety-related applications.
  • A safe position; the moving element of a component is mechanically held in one of the possible positions.
  • Increased OFF force; one solution is that the area ratio for the movement of the valve piston into a safe position (OFF position) is significantly larger than the area ratio for the movement of the valve piston into the ON position (a safety factor).
  • A valve which closes under load pressure. These are generally poppet valves, for example cone poppet valves or ball valves.
  • Forced mechanical action/actuation.
  • Multiplication of parts; reduction of the effect of faults by using several identical parts; use of reliable springs.
  • Limitation/reduction in speed through a resistance that achieves a defined flow rate: examples are fixed apertures and restrictors.
  • Limitation/reduction in force; this can be achieved through a reliable pressure-relief valve equipped with a reliable spring, which is correctly sized and selected.
  • Appropriate range for the operating conditions; for example pressure, flow rate and temperature ranges should be taken into account.
  • Appropriate prevention of compressed air contamination.
  • Sufficiently large positive overlap in slide valves; this positive overlap ensures reliability of the stop function and prevents impermissible movements.
  • Hysteresis limitation; the hysteresis increases, for example, through increased friction. The interaction of tolerances also influences the hysteresis.
There is no list of reliable components. A component which is reliable for certain applications may be unsuitable for others.
In addition, in DIN EN ISO 13849-2, Appendix B, you can find fault lists with fault assumptions and fault exclusions for different pneumatic component groups.
These general fault assumptions should be supplemented with more detailed knowledge of the product through specific fault assumptions for the individual components.
Also to be investigated is how a component failure affects the safety function.

Safety-related parts of control systems

A safety-related part of a control system (SRP/CS) is one which reacts to safety-related input signals and generates safety-related output signals. DIN EN ISO 13849-1:2007 Safety-related parts of control systems, Part 1: General principles for design, stipulates the following: "Parts of machine control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS); these can either consist of hardware and software, and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-handed controls as a means of process initiation). The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called the “performance level” (PL). These performance levels are defined in terms of probability of dangerous failure per hour".

What is the difference between hazard and risk?

This description is contained in DIN EN ISO 12100-1:2004. A hazard analysis is conducted during which the predominant risk is determined. Where necessary, this is followed by a process of risk reduction. A hazard is a potential source of harm, where harm refers to either a physical injury or damage to health. A hazard can be specified according to its cause (e.g. mechanical hazard, electrical hazard) or the type of harm to be expected (e.g. electrical shock hazard, cutting hazard, poisoning hazard, fire hazard). The hazard in the sense of this definition is either continuously present during proper use of the machine (e.g. hazardous motion of parts, arcs when welding, unhealthy body posture, noise emissions, high temperature) or can occur unexpectedly (e.g. explosion, crushing hazard due to unintended/unexpected starting, forcible ejection due to breakage, crashing due to acceleration/braking). The risk is a combination of the probability of the harm being incurred and the degree of harm.
After the hazard analysis and implementation of corresponding risk reduction measures, some residual risk may remain. In the course of a risk assessment, comprising a risk analysis and risk classification, the limits of the machine are defined, hazards are identified and risks estimated and an assessment is made as to whether the objectives of risk reduction have been reached.

What risk reduction measures are there?

The general strategies for risk reduction are described in detail in DIN EN ISO 12100-1.
In principle, it should be assumed that damage will occur sooner or later if there is a hazard on a machine and no protective measures are taken.
If a hazard is present, the maximum possible risk reduction should be aimed for. The safety of the machine (over its entire service life and in all operating modes) takes precedence over how operational, user-friendly and inexpensive it is. However, this only applies within the specified machine limits for its intended use, for feasibly predictable misuse, within the spatial limits of the machine and its intended service life.
The objectives for risk reduction are achieved using the so-called "3-stage method" through: inherently safe design (is achieved by preventing hazards or reducing risks through a suitable selection of design characteristics on the machine itself and/or interactions between the people at risk and the machine), safeguarding, and user information with respect to the residual risk.

Fault or failure?

A fault is a state of a functional unit characterised by the incapability to perform a required function, with the exception of incapability during preventative maintenance or other planned activities or due to the lack of external materials. A fault is often the result of failure of the unit itself. Failure is the termination of the capability of a functional unit to fulfil a required function. Following a failure, the unit will have a fault. The "failure" is the event, in contrast to the "fault", which is a state. Furthermore, we must differentiate between the following kinds of failure:

  • Hazardous failure: a failure which has the potential to place a safety-related part of a control system in a state of hazard or malfunction.
  • Common cause failure (CCF): failures of different units due to one single event, whereby these failures are not based on an interdependent cause.
  • Systematic failure: a failure with a deterministic relationship to a particular cause which can only be eliminated by changing the design, the manufacturing process, operating procedure, documentation or associated factors.

What is the difference between DIN EN 954-1 and DIN EN ISO 13849-1?

DIN EN 954-1:1996 has been replaced by DIN EN ISO 13849-1:2007. Both standards describe safety-related parts of control systems and have been harmonised with the EC Machinery Directive. The new standard is subject to a transition period until November 2009. Before that date, application is possible but not obligatory. The replacement brings with it a fundamental change in approach. The previously deterministic viewpoint of EN 954-1 is complemented by probabilistic considerations. The basic approach of EN 954-1 is based on the consideration of structures, applying proven methods such as safety functions, risk graphs and categories. The new standard adds probability calculus, with a quantification of component reliability and testability and consideration of potential failures. The risk graph no longer leads to a control category as in DIN EN 954-1, but rather to a performance level PL.

How is the assessment of the achieved performance carried out?

For every safety-related part of a control an estimate of the achieved performance level (PL) must be carried out. The following aspects have to be determined:

  • The MTTFd value of individual components (mean time to dangerous failure)
  • DC (diagnostic coverage)
  • CCF (estimate of the common cause failures) of the structure
  • Behaviour of the safety function under fault condition(s)
  • Safety-related software
  • Systematic failures
  • Ability to implement a safety function under predictable ambient conditions

What is the diagnostic coverage DC?

The diagnostic coverage (DC) states the effectiveness of the diagnostics that can be achieved as the ratio of the rate of detected dangerous failures to the rate of all dangerous failures. Failure Mode and Effects Analysis (FMEA) or similar methods can be used to estimate the DC in most cases.

  Designation   Range
  small         DC < 60%
  low           60% ≤ DC < 90%
  medium        90% ≤ DC < 99%
  high          99% ≤ DC

For estimates of the DC in pneumatic systems, the following, amongst other things, applies according to DIN EN ISO 13849-1, Appendix E:

  • indirect monitoring (e.g. monitoring using pressure switches, electrical position monitoring of actuators): 90% to 99% DC, dependent on the application;
  • direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical units through positively driven application): 99% DC.
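The DC definition and the bands above can be turned into a small calculation. The following is an added example, not code from the FestoWiki page or from Festo: it takes an FMEA-style list of dangerous failure modes, each with a constructed failure rate and a flag saying whether the diagnostics detect it, computes DC as the ratio of detected to total dangerous failure rate, and classifies the result using the page's band boundaries. The failure modes and rates are constructed sample values, not product data.

```python
# Added example (not from the FestoWiki page or Festo): estimating diagnostic
# coverage from an FMEA-style list of dangerous failure modes and classifying
# it into the DC bands quoted on the page. All rates are constructed values.

from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_per_hour: float   # dangerous failure rate of this mode (constructed)
    detected: bool         # True if the diagnostics detect this failure


def diagnostic_coverage(modes):
    """DC = (sum of detected dangerous failure rates) / (sum of all dangerous failure rates)."""
    total = sum(m.rate_per_hour for m in modes)
    if total <= 0:
        raise ValueError("no dangerous failure modes with a positive rate were listed")
    detected = sum(m.rate_per_hour for m in modes if m.detected)
    return detected / total


def dc_band(dc):
    """Band designations and boundaries as listed on the page."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC is a ratio and must lie between 0 and 1")
    if dc < 0.60:
        return "small"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Constructed FMEA-style list for a directly monitored 5/2-way valve: the two
# spool faults are caught by position monitoring, a wrong sensor reading is not.
SAMPLE_MODES = [
    FailureMode("spool sticks in ON position", 4.0e-8, detected=True),
    FailureMode("spool sticks in OFF position", 4.0e-8, detected=True),
    FailureMode("position sensor reports wrong state", 1.0e-8, detected=False),
]


def assess(modes=SAMPLE_MODES):
    """Return (DC as a ratio, band designation) for the given failure modes."""
    dc = diagnostic_coverage(modes)
    return dc, dc_band(dc)


if __name__ == "__main__":
    dc, band = assess()
    print(f"DC = {dc:.1%} -> {band}")   # DC = 88.9% -> low
```

The undetected sensor failure mode is what pulls the sample below the 90% "medium" boundary: the detection logic cannot count failures of the monitoring element itself, which is why the page asks for the effect of each component failure on the safety function to be investigated rather than assumed.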

Measures for protection against common cause failures (CCF)

Failures of different units due to a single event, where these failures are not interdependent are called common cause failures (CCF).
Common cause failures should not be confused with faults of the same kind.
Estimating CCF and its effects is a quantitative process which should be applied across the entire system and which takes into account every safety-related part of the control system. To do this, measures are provided with associated values, based on engineering evaluations which represent the contribution of every measure to the reduction of the failures due to common causes.
The procedure for allocating points and quantifying measures against common cause failures (CCF) is to be carried out in accordance with DIN EN ISO 13849-1, Appendix F.

What functional aspects are important in the context of emergency stop devices?

The functional aspects of emergency-stop devices are described in DIN EN ISO 13850:2007, Emergency stop – Principles for design. It replaces DIN EN 418:1993.
The purpose of an emergency stop function integrated in the machine is to avert an imminent hazard or alleviate an already existing hazard.
An emergency-stop function must be able to be triggered by a single action by one person.
The safety requirements according to DIN EN ISO 13850:2007 are as follows:

  • The emergency stop function must be available and functional at all times and must have priority over all other functions and processing steps in all machine operating modes, without impairing any devices which are designed to release trapped people. It should not be possible for any start commands (intended, unintended or unexpected) to affect those working processes which have been stopped by the triggering of the emergency stop function, until the emergency stop function has been manually reset.
  • The emergency-stop function must not be used as a replacement for protective measures or other safety functions, but rather should be designed as a complementary protective measure.
  • The emergency stop function must not compromise the effectiveness of guards or of devices with other safety functions.
  • The emergency stop function must be designed so that, after activation of the emergency stop device, hazardous motions and operation of the machine are stopped in an appropriate manner, without causing additional hazards and without requiring any further actions by any person, corresponding to the risk assessment.
  • The emergency stop function must be designed so that the decision to actuate the emergency-stop element can be taken without the person needing to consider what effects might follow as a result.

The emergency stop must be described as in one of the following stop categories:

Stop category 0

Stop by:
Immediate interruption of the power supply to the machine driving components or
mechanical isolation between hazardous parts and their machine driving components and, if necessary, by braking.

Stop category 1

Controlled stopping with power supply to the machine's drive components to stop them, followed by interruption of the power supply after stopping has been achieved.
Examples of interrupting the power supply include:

  • switching off the power supply to the machine's electric motors,
  • disconnecting the moving parts of the machine from the source of the mechanical energy,
  • shutting off the hydraulic/pneumatic power supply to a piston/plunger.

The choice of stop category for an emergency stop must be determined on the basis of the risk assessment for the machine.
After an emergency stop device is triggered by an emergency stop command, the effect of this command must continue until it is manually reset. Resetting must only be possible at the location at which the emergency stop command was triggered. Resetting the command must not start up the machine again, but only make it possible for the machine to be started again. Starting the machine up again must only be possible once the machine has been manually reset at the location at which the emergency stop was triggered.
An emergency stop device must be attached to all operating panels, unless the risk assessment determines this to be unnecessary.
The principle of direct actuation with mechanical locking function must be applied to the emergency stop device.
In the event of a fault in the emergency stop device (including the function of saving the emergency stop command), the function of generating the emergency stop command must take priority over the saving function. Resetting (e.g. unlocking) the emergency stop must only be possible as the result of a manual action at the location where the emergency stop was initiated.
The emergency stop actuator must be red. If there is a background behind the actuator, this must be yellow, as far as this is feasible.
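The command behaviour described above (latching, reset only at the triggering location, reset does not restart, stop category 0 versus 1) is easiest to check as a small state model. The following is an added example and not code from the FestoWiki page or from Festo: a constructed machine model in which one action latches the emergency stop, a start command is ignored while the stop is latched, a reset from any other station is rejected, and a successful reset only re-enables starting. The station names and the attribute names are assumptions made for the example.

```python
# Added example (not from the FestoWiki page or Festo): a minimal model of the
# emergency-stop command behaviour described on the page (DIN EN ISO 13850 as
# quoted there). Station names and the machine model are constructed.


class EmergencyStopError(Exception):
    """Raised when a reset is attempted anywhere but the triggering location."""


class MachineModel:
    def __init__(self, stop_category):
        # The emergency stop uses stop category 0 or 1 (category 2 keeps power on).
        if stop_category not in (0, 1):
            raise ValueError("emergency stop must use stop category 0 or 1")
        self.stop_category = stop_category
        self.power_on = False        # power supplied to the drive components
        self.running = False         # hazardous motion in progress
        self.stopping = False        # category 1: controlled stop under power
        self.estop_latched = False   # the stop command persists until reset
        self.estop_station = None    # location that triggered the stop
        self.events = []

    def start(self):
        """A start command has no effect while the emergency stop is latched."""
        if self.estop_latched:
            self.events.append("start ignored: emergency stop latched")
            return False
        self.power_on = True
        self.running = True
        self.events.append("started")
        return True

    def emergency_stop(self, station):
        """One action by one person latches the stop, in every operating mode."""
        self.estop_latched = True
        self.estop_station = station
        self.running = False
        if self.stop_category == 0:
            self.power_on = False    # immediate interruption of the power supply
            self.events.append(f"category 0 stop from {station}")
        else:
            self.stopping = True     # drives are brought to rest under power first
            self.events.append(f"category 1 stop from {station}: stopping under power")

    def stop_achieved(self):
        """Category 1: power is removed only once the controlled stop is complete."""
        if self.stopping:
            self.stopping = False
            self.power_on = False
            self.events.append("stop achieved, power removed")
        return not self.power_on

    def reset(self, station):
        """Reset only at the triggering location; it re-enables starting, nothing more."""
        if not self.estop_latched:
            return False
        if station != self.estop_station:
            raise EmergencyStopError(
                f"reset attempted at {station}, only allowed at {self.estop_station}")
        self.estop_latched = False
        self.estop_station = None
        self.events.append(f"reset at {station}; machine remains stopped")
        return True


if __name__ == "__main__":
    m = MachineModel(stop_category=0)
    m.start()
    m.emergency_stop("panel A")
    m.start()                     # ignored while latched
    m.reset("panel A")            # allowed here, machine stays stopped
    m.start()                     # explicit start command required
    print("\n".join(m.events))
```

Separating the reset from the start command, and tying the reset to the triggering station, is what keeps a category 0 or 1 emergency stop from turning into an unexpected start-up when someone elsewhere on the machine clears the latch.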

Stop functions in electric and pneumatic systems

DIN EN 60204-1:1993 (also known as VDE-0113), Electrical equipment for machines, sets out stop functions for electrical systems.
"There are three categories of stop functions:

  • Category 0: stop through immediate switch-off of the power supply to the machine drives (i.e. uncontrolled stopping);
  • Category 1: a controlled stop, whereby the power supply is not interrupted until the stop has been achieved
  • Category 2: a controlled stop, whereby the power supply to the machine parts is maintained.

Each machine must be equipped with a category 0 stop function.

Category 1 and/or 2 stop functions are to be provided if this is necessary for the safety and/or functional machine requirements. Category 0 and category 1 stops must remain functional independent of the operating mode, and a category 0 stop must have priority".
The following allocations can be made for pneumatic systems:

  • Category 0: disconnection of the compressed air and electrical power;
  • Category 1: use of clamping unit or clamping cartridge;
  • Category 2: e.g. 5/2-way valve, monostable - cylinder returns to its initial position.

First a fault analysis must be carried out. DIN EN ISO 13849-2:2003 lists the most important faults and failures for various technologies. The fault lists are not exhaustive and additional faults must be considered and listed where necessary.
Generally speaking, the following fault characteristics must be taken into consideration:

  • If other components break down as the result of a fault, the first fault and all subsequent faults must together be considered as a single fault
  • Two or more individual faults which have one common cause must be considered as one fault (this is known as a CCF)
  • The simultaneous occurrence of two or more faults with different causes is extremely unlikely and for this reason does not need to be considered further.
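The three counting rules above decide how many independent faults a recorded set of fault events represents. The following is an added example, not code from the FestoWiki page or Festo: it groups constructed fault records so that consequential faults are merged with the fault that caused them and faults sharing one cause are merged as a CCF, then reports whether the remaining set is a single fault that must be analysed or a coincidence of independent faults that the rule treats as extremely unlikely. The fault identifiers, causes and the `consequence_of` link are assumptions made for the example.

```python
# Added example (not from the FestoWiki page or Festo): grouping recorded faults
# according to the three counting rules quoted on the page. Fault records,
# their identifiers and causes are constructed for the example.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fault:
    fid: str
    cause: str                           # root cause identifier (constructed)
    consequence_of: Optional[str] = None  # fid of the fault that triggered this one


def group_faults(faults):
    """Return sorted groups of fault ids that count as ONE fault for the assessment.

    Rule 1: a fault and every fault it causes form a single fault.
    Rule 2: faults sharing one common cause form a single fault (CCF).
    Implemented as union-find over the fault ids.
    """
    parent = {f.fid: f.fid for f in faults}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_cause = {}
    for f in faults:
        # Only merge with a recorded originating fault; unknown links are ignored.
        if f.consequence_of is not None and f.consequence_of in parent:
            union(f.fid, f.consequence_of)
        by_cause.setdefault(f.cause, []).append(f.fid)
    for fids in by_cause.values():
        for other in fids[1:]:
            union(fids[0], other)

    groups = {}
    for f in faults:
        groups.setdefault(find(f.fid), []).append(f.fid)
    return sorted(sorted(g) for g in groups.values())


def independent_fault_count(faults):
    return len(group_faults(faults))


def must_be_considered(faults):
    """Rule 3: two or more independent faults occurring together are treated as
    extremely unlikely and not considered further; a single (grouped) fault is."""
    return independent_fault_count(faults) <= 1


# Constructed fault list: F2 is a consequence of F1; F3 and F4 share one cause.
SAMPLE_FAULTS = [
    Fault("F1", cause="spool wear"),
    Fault("F2", cause="seal damage", consequence_of="F1"),
    Fault("F3", cause="contaminated compressed air"),
    Fault("F4", cause="contaminated compressed air"),
]

if __name__ == "__main__":
    print(group_faults(SAMPLE_FAULTS))            # [['F1', 'F2'], ['F3', 'F4']]
    print(must_be_considered(SAMPLE_FAULTS))      # False: two independent faults
    print(must_be_considered(SAMPLE_FAULTS[:2]))  # True: one fault plus its consequence
```

The grouping matters for the category table earlier on the page: categories 3 and 4 are stated in terms of a single fault not defeating the safety function, and a "single fault" there already includes its consequences and its common-cause siblings.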

It is not always possible to assess the safety-related parts of a control system without assuming that certain faults can be ruled out or excluded.
More detailed information on fault exclusion can be found in DIN EN ISO 13849-2:2003.
Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of a fault occurring.

The exclusion of faults can be based on

  • the technical unlikelihood of certain faults occurring,
  • generally accepted technical experience, regardless of the application in consideration,
  • the technical requirements in relation to the application and the particular hazard.

When faults are excluded, a precise explanation justifying this must be included in the technical documentation.

The validation plan must also identify the means to be used to validate the defined safety functions and categories. Where appropriate, it must outline the following:

  • the identity of the documents for the stipulations
  • the operating and ambient conditions
  • the underlying safety principles
  • the established safety principles
  • the established components
  • the fault assumptions and fault exclusions which are to be considered
  • the analyses and tests which were applied

The Festo Safety Engineering Guidelines