Date

July 18th, 2017

Frequently Asked Question

Our reference
PT-200038
Are there definitions of element safety functions for pneumatic drives and systems?

This document defines element safety functions for pneumatic applications. The
prototype is the standard for electric power drive systems with adjustable speed [1]. The Legal form:
Limited partnership
element security functions defined there have been used for years in the general Registered office: Esslingen a. N.
Registry court Stuttgart
language of mechanical engineering and system integrators. Therefore VDMA 24584 HRA 211583
"Safety functions of controlled and non-controlled (fluid-) mechanical systems" [2] with Value added tax id. number:
DE 145 339 206
the cooperation of Festo was developed at VDMA. General partner:
Festo Management
Aktiengesellschaft
The definitions contained in the standard VDMA 24584 increase the transparency and Registered office: Vienna/Austria
Commercial registry court:
consistency of the element safety functions. The element safety functions described Commercial court Vienna
there for pneumatic drives and systems are described here and are explained in more Register no. FN 303027 d
Management Board:
detail. Dipl.-Ing. Gerhard Borho
Dipl.-Kfm. Alfred Goll
Dr. Ansgar Kriwet
We would like to point out that it is important for functional safety applications to Dr. Dirk Erik Loebermann
Chairman of the Supervisory Board:
distinguish between the safety function and the element safety function. A safety Prof. Dr.-Ing. Klaus Wucherer
function is a function that puts a machine in a safe state, e.g. the opening of the safety
gate leads to the stopping of all machine movements and switching off of all dangerous
machine functions. On the other hand, an element safety function is the function of a
component in a safety-related circuit which is used to implement a safety function.

Festo AG & Co. KG

Fig. 1 Realization of a safety function by a safety-related circuit
Ruiter Straße 82
73734 Esslingen
Phone +49 711 347-0
Fax +49 711 347 2144
service_international@festo.com
www.festo.com
GERMANY
Notes:
 The circuit examples shown are only for explaining the element safety function.
These do not provide information which category and PL according to EN ISO
13849-1 can be achieved.
 As a rule, additional measures are required for the full implementation of the
element safety functions.

1 Overview

The element safety functions described here can be divided into three groups:

1. Drive influencing (active) element safety functions

These element safety functions act on the pneumatic drive and its typical
parameters position, speed, acceleration, force or moment.

2. System influencing (active) element safety functions

The system influencing element safety functions act on the subsequent system
part by providing a defined state, e.g. pressure or energy.

3. Monitoring (passive) element safety functions

With these element safety functions, safety-related monitoring functions are
provided to monitor the compliance with certain limit values and to trigger an
active element safety function in the event of a violation.
No. Element Safety Function Abbr.

Drive influencing (active) element safety functions

1 Safe Torque Off STO
2 Safe Stop 1 SS1
3 Safe Stop 2 SS2
4 Safe Stopping and Closing SSC
5 Safe Operating Stop SOS
6 Safely-limited Acceleration SLA
7 Safe Acceleration Range SAR
8 Safely-limited Speed SLS
9 Safe Speed Range SSR
10 Safely-limited Torque SLT
11 Safe Torque Range STR
12 Safe Equilibrium of Torque SET
13 Safely-limited Position SLP
14 Safely-limited Increment SLI
15 Safe Direction SDI

System influencing (active) element safety functions

16 Safe Brake Control SBC
17 Safe De-energization SDE
18 Safe Energization SEZ
19 Prevention of unexpected start-up PUS

Monitoring (passive) element safety functions

20 Safe Cam SCA
21 Safe Valve Position SVP
22 Safe Accelaration Monitor SAM
23 Safe Speed Monitor SSM
24 Safe Force Monitor SFM
25 Safe Pressure Monitor SPM
26 Safe Volume Flow Monitor SVM
27 Safe Brake Monitor SBM

Table 1 Overview element safety functions pneumatics

2 Drive Influencing (active) Element Safety Functions

2.1 Safe Torque Off (STO)

Fig. 2 Circuit example “safe torque off” (STO)

No energy is supplied to the pneumatic drive, which can cause a movement or force
(moment). Energy stored in the piston chambers is dissipated, so that no work can be
performed.

Notes:
 This element safety functions is correspond to
o An uncontrolled stop according EN 60204-1 [1], stop category 0.
o STO according EN 61800-5-2 [2].
 This element safety function can be suitable, if the switching off of the power
supply to avoid an unexpected start-up according EN 1037 [3] (ISO 14118 [4])
gets necessary.
 This element safety function can be suitable as measure for escaping and
rescuing of trapped persons according EN ISO 12100 [5].
 Requesting STO can cause a dangerous movement due to the following reasons:
o Pressure differences due to different exhausting of the two piston
chambers of the drive.
o External load and weight of moving parts of the drive (especially hen
drive is mounted not horizontally or other external forces).
In order to avoid hazards, further measures, e.g. mechanical brakes maybe
required.
 The term “exhausting” is also common with regard to the safety-related variable
pressure.
2.2 Safe Stop 1 (SS1)

Fig. 3 Circuit example “safe stop 1” (SS1)

The pneumatic drive is controlled decelerated (speed reduction). Therefore the energy
supply or stored energy is used to realize the deceleration. The power supply is
separated and the piston chambers dissipated (STO), when the standstill is reached
according the defined tolerances.

Notes:
 The element safety function SS1 may only be used if there is no danger after
deceleration and activating of STO has not occurred.
 This element safety function is corresponding to
o A controlled stop according EN 60204-1 [1], stop category 1.
o SS1 according EN 61800-5-2 [2].
 Requesting STO can cause a dangerous movement due to the following reasons:
o Pressure differences due to different exhausting of the two piston
chambers of the drive.
o External load and weight of moving parts of the drive (especially hen
drive is mounted not horizontally or other external forces).
In order to avoid hazards, further measures, e.g. mechanical brakes
maybe required.
 This element safety function can be realized by requesting the element safety
function SSC followed by STO.
2.3 Safe Stop 2 (SS2)

14 12

Fig. 4 Circuit example “safe stop 2” (SS2)

The volume flows into and out of the two piston chambers are reduced and the
movement is thereby decelerated and brought to a standstill. If the standstill is reached
according to the defined tolerance window, the energy supply is maintained or the
energy present in the piston spaces is used to maintain the standstill.

Notes:
 The element safety function SS2 may only be used if there is no danger after
deceleration and activating of SOS has not occurred.
 This element safety function is corresponding to
o A controlled stop according EN 60204-1 [1], stop category 2.
o SS2 according EN 61800-5-2 [2].
 The element safety function SS2 is commonly realized with proportional valves.
2.4 Safe Stopping and Closing (SSC) SSC
v
s
0 t

Fig. 5 Example circuits “safe stopping and closing” (SSC)

The flow paths to at least on piston chamber of the drive is blocked and stored energy is
used to stop the movement

Notes:
 This element safety function SSC without additional measures is not
corresponding to a stop function according EN 60204-1 [1] (stop category 0, 1, or
2.
 By blocking of the flow paths in / out of the piston chambers is pressurized air
stored in the piston chambers. According EN 1037 (ISO 14118) stored
pressurized air shall be marked and shall be provided with a possibility for
manual pressure release.
 Leakage in drive and valves can lead to a slow movement by pressure release.
 By the use of unlockable check valves is the power supply not necessarily
prevented.
2.5 Safe Operating Stop (SOS) SOS
v
G s
0 t

14 12

Fig. 6 Example circuit “safe operating stop” (SOS)

The SOS function prevents the drive from deviating from the holding position by more
than a fixed value. The energy supply is maintained so that the drive can withstand
external forces (for example variable load) without further measures (for example,
mechanical brakes).

Notes:
 The element safety function SOS is commonly realized with proportional valves.
2.6 Safe-limited Acceleration (SLA) SLA

G a
0 t

14 12

Fig. 7 Circuit examples “safe-limited acceleration” (SLA)

The SLA function prevents the drive from exceeding the allowable acceleration (e.g. by
volume flow or pressure limitation).

Notes:
 The acceleration depends on start position, friction in the pneumatic drive and
the intersection ratios and volumes in the pneumatic system.
 The element safety function can be realised by a volume flow and pressure
limitation.
 The realization with non controlled flow valves (throttles, orifices) can be
possible, if load and mounting position are constant.
 Proportional valves can be used.
 This element safety function can be suitable as measures for a non dangerous
starting (restart).
2.7 Safely-limited Speed (SLS) SLS

v
G 0 t

14 12

Fig. 8 Circuit examples “safely-limited speed” (SLS)

The SLS function prevents the drive from exceeding the allowable speed.

Notes:
 The acceleration depends on start position, friction in the pneumatic drive and
the intersection ratios and volumes in the pneumatic system.
 The element safety function can be realised by a volume flow and pressure
limitation.
 The realization with non controlled flow valves (throttles, orifices) can be
possible, if load and mounting position are constant.
 Proportional valves can be used.
 This element safety function can be suitable as measures for a non dangerous
starting (restart).
2.8 Safely-limited Torque (SLT) SLT

M
0 t
P P

14 12

M1 M1

Fig. 9 Circuit examples “safely-limited torque” (SLT)

The SLT function prevents the drive from exceeding the allowable force (moment) (e.g. by
force or pressure limitation).

Notes:
 The element safety function SLT can be realized by pressure limitation.
 Proportional valves can be used.
 The term “safe force / pressure reduction” is also common with regard to the
safety-related variable force or pressure.
2.9 Safe Torque Range (STR) STRSTR

M
0 t

P P

14 12
P

Fig. 10 Circuit examples “safe torque range” (STR)

The STR function keeps the force (moment) of the drive in the allowable limits of a value
range.

Notes:
 Frequently, the upper limit of the force is determined by the available operating
pressure and only measures are taken that the lower limit is not falling below
(e.g. the clamping of work pieces).
 Special measures must be taken to ensure the lower limit even in case of
fluctuations, loss and recurrence of energy sources.
 For example, with a pressure vessel, the lower limit can be kept during a failure
of the pressure supply for a certain time.
2.10 Safe Equilibrium of Torque (SET)

Fig. 11 Circuit example “safe equilibrium of torque” (SET)

The SET function prevents the force (torque) of a drive from deviating by more than a
fixed value from the force (moment) equilibrium.

Notes:
 The piston chambers are controlled separately with difference pressures, so that
a force equilibrium between drive, load and other external forces is given.
 Proportional valves can be used.
 The term “force-free” is also common with regard to the safety-related variable
force.
2.11 Safely-limited Position (SLP) SLP

G s
t

14 12

Fig. 12 Circuit examples “safely-limited position” (SLP)

The SLP function prevents the drive from exceeding the allowable position limit(s).

Notes:
 By using of multi-position cylinders, countermarks or mechanical limits is a
realization with non-controlled components possible.
 Proportional valves can be used.
 Position limitation is by mechanical end stops possible.

2.12 Safely-limited Increment (SLI)

SLI SLI SLI
s
t
0 t
G

14 12
M1 M1 M1

Fig. 13 Circuit example for “safely-limited increment” (SLI)

The SLI function prevents the drive from exceeding the allowable step width (increment).

Notes:
 By using of multi-position cylinders, countermarks or mechanical limits is a
realization with non-controlled components possible.
 Proportional valves can be used.
2.13 Safe Direction (SDI)
SDI
G
v
s
0 t
14 12

Fig. 14 Circuit examples “safe direction” (SDI)

The SDI function prevents the drive from moving in the not acceptable direction.

Notes:
 The element safety function SDI is controlled by the volume flow in and out of
the piston chambers in the relevant flow direction.
 Proportional valves can be used.
3 System Influencing (Active) Element Safety Functions

3.1 Safe Brake Control (SBC)

v
M
t
SBC

Fig. 15 Circuit example “safe brake control” (SBC)

The SBC function provides one or more safe output(s) for controlling an external brake or
clamp.

Notes:
 The control input of a pneumatic actuated brake switched to a pressure-free
state.
 This element safety function can be realized in pneumatics by the function SDE
(see 6.17).
 This element safety function can be suitable to control / activate other safety
functions.

3.2 Safe De-energization (SDE) SDE

p
0 t

Fig. 16 Circuit example “safe de-energization” (SDE)

The function SDE enables the safe energy-free switching by exhausting of the pneumatic
system.
3.3 Safe Energization (SEZ) SEZ

p
0 t

The SEZ function enables the safe switching-on of a system or a system part with a fixed
pressure-time function (for example, a soft-start function).

Notes:
 The operation pressure is controlled increased.
 When using a softstart function, the dependency of the piloted magnet valves on
the switching pressure must be taken into account.
 For valves with external pilot air supply the switching sequence must be taken
into account.

3.4 Prevention of unexpected start-up (PUS)

The requirements for preventing of an unexpected start-up are described in EN 1037 (or
ISO 14118). A combination of element safety functions from this document may be
appropriate for implementation.

Notes:
 This element safety function is related to the prevention of an unexpected start-
up by failure of the control system.
4 Monitoring (passive) Element Safety Functions

4.1 Safe Speed Monitor (SSM) SSM

S v
0 t

Fig. 17 Example circuit “safe speed monitor” (SSM)

The SSM function provides a safe output signal when the drive speed is within a defined
speed range.

Notes:
 The speed of the drive is monitored. By leaving the allowable range a suitable
element safety function is activated.
 The measuring system is safety-relevant and is the input of the safety-related
circuit.

4.2 Safe Acceleration Monitor (SAM) SAM

S
a
0 t

Fig. 18 Example circuit “safe acceleration monitor” (SAM)

The SAM function provides a safe output signal when the drive acceleration is within a
defined acceleration range.

Notes:
  The acceleration of the drive is monitored. By leaving the allowable range a
suitable element safety function is activated.
 The measuring system is safety-relevant and is the input of the safety-related
circuit.

4.3 Safe Pressure Monitor (SPM) SPM

p
0 t
P

Fig. 19 Example circuit “safe pressure monitor” (SPM)

The SPM function provides a safe output signal when the pressure is within a defined
pressure range.

Notes:
 The pressure is monitored. By leaving the allowable range a suitable element
safety function is activated.
 The pressure sensor is safety-relevant and is the input of the safety-related
circuit.
Please note that the pressure monitoring of an active element safety function,
e.g. SDE, is a monitoring function and does not have to be realized in a safety-
related manner.

4.4 Safe Torque Monitor (STM) SSM

W
M
0 t

M1

Fig. 20 Example circuit “safe torque monitor” (STM)

The element safety function STM provides a safe output signal, if the force (moment) is
within a defined range.

Note:
 The force (moment) is monitored. By leaving the allowable range a suitable
element safety function is activated.
 The force sensor is safety-relevant and is the input of the safety-related circuit.

4.5 Safe Volume Flow Monitor (SVM)

Fig. 21 Example circuit “safe volume flow monitor” (SVM)

The element safety function SVM provides a safe output signal when the volume flow I
within a defined range.

Note:
 The volume flow is monitored. By leaving the allowable range a suitable element
safety function is activated.
 The volume flow sensor is safety-relevant and is the input of the safety-related
circuit.

4.6 Safe Cam (SCA) SCA

G G v
0 x

Fig. 22 Circuit example position monitoring (SCA)

The element safety function SCA provide a safe output signal when the position of the
pneumatic drive I within a defined range.

Notes:
 The position of the drive is monitored. By leaving the allowable position range a
suitable element safety function is activated.
 The limit switch is safety-relevant and is the input of the safety-related circuit.
Please note that the end position monitoring of an active element safety
function, e.g. PUS, is a monitoring function and does not have to be realized in a
safety-related manner.

4.7 Safe Valve Position (SVP)

P
G

Fig. 23 Example circuits “safe valve position” (SVP)

The element safety function SVP provides a safe output signal when the switching
element of the valve I in a defined switching position.

Notes:
 The position of the switching element of the valve is monitored. Is the switching
position left a suitable element safety function is activated.
 The used sensor is safety-relevant and I the input of the safety-related circuit.
Please note that the spool piston monitoring of an active element safety
function, e.g. SSC, is a monitoring function an does not have to be realized in a
safety-related manner.
4.8 Safe Brake Monitor (SBM) SBM
s
M
0 t
G

Fig. 24 Example circuit “safe brake monitor” (SBM)

The element safety function SBM provides a safe output signal when a brake, holding
brake or clamping unit works in the limits of one or all allowable parameter(s) (e.g. brake
force, brake distance, clamping force, reaction time).

Notes:
 In cyclic time interval the brake function should be tested. Common are following
tests:
o Static clamping: At a standstill, the clamping unit is clamped and a
defined force acts on the clamping unit through the pneumatic drive.
The output signal indicates whether a movement has taken place
outside the allowable tolerance.
o Dynamic brake: During a movement the pneumatic drive is decelerated
down to standstill by a dynamic brake. The output signal indicates
whether the brake distance is outside the allowable tolerance.
o Reaction time: The reaction time for clamping / releasing of the
clamping unit is monitored.
 The senor is safety-relevant and is the input of the safety-related circuit.
 Together with the element safety function SBC the SBM function can be suitable
to control a safe brake.
5 References
[1] DIN EN 61800-5-2:2008-04 Adjustable speed electrical power drive systems - Part
5-2: Safety requirements - Functional (IEC 61800-5-2:2007); German version EN
61800-5-2:2007
[2] VDMA 24584:2016-08 Safety functions of regulated and unregulated (fluid)
mechanical systems
[3] Safety of machinery - Electrical equipment of machines - Part 1: General
requirements (IEC 60204-1:2005, modified); German version EN 60204-1:2006
[4] DIN EN 1037:2008-11 Safety of machinery - Prevention of unexpected start-up;
German version EN 1037:1995+A1:2008
[5] ISO 14118:2000-09 Safety of machinery - Prevention of unexpected start-up.
[6] DIN EN ISO 12100:2011-03 Safety of machinery - General principles for design -
Risk assessment and risk reduction (ISO 12100:2010); German version EN ISO
12100:2010

Copyright Notice
This documentation is the intellectual property of Festo AG & Co. KG, which also has the
exclusive copyright. Any modification of the content, duplication or reprinting of this
documentation as well as distribution to third parties can only be made with the express
consent of Festo AG & Co. KG.
Festo AG & Co KG reserves the right to make modifications to this document in whole or
in part. All brand and product names are trademarks or registered trademarks of their
respective owners.

Legal Notice
Hardware, software, operating systems and drivers may only be used for the applications
described and only in conjunction with components recommended by Festo AG & Co. KG.
Festo AG & Co. KG does not accept any liability for damages arising from the use of any
incorrect or incomplete information contained in this documentation or any information
missing therefrom.
Defects resulting from the improper handling of devices and modules are excluded from
the warranty.
This document with an answer for a frequently asked question is not binding and do not
purport to be complete with regard to configuration and equipment, and any
contingencies for your specific case / application. This document is not a customer
specific solution, but should only provide assistance with typical tasks. You are as
manufacturer of your concrete case / application completely responsible for the proper
operation of the described products.
Therefore: This document not relieve you from the requirement of safe handling during
loading, transport, assembly, installation, commissioning, test run, use,
decommissioning, dismantling and disposal. Furthermore, this document do not relieve
you from carry out a risk assessment and a validation of your specific application. No
liability is accepted for claims for damages arising from a failure or functional defect. In
other respects, the regulations with regard to liability from the terms and conditions of
delivery, payment and use of software of Festo AG & Co. KG, which can be found at
www.festo.com and can be supplied on request, shall apply.
All data contained in this document do not represent guaranteed specifications,
particularly with regard to functionality, condition or quality, in the legal sense.
The information in this document serves only as basic information for the implementation
of a specific, hypothetical application and is in no way intended as a substitute for the
operating instructions of the respective manufacturers and the design and testing of the
respective application by the user.
The operating instructions for Festo products can be found at www.festo.com.
Users of this document (application note) must verify that all functions described here
also work correctly in the application. By reading this document and adhering to the
specifications contained therein, users are also solely responsible for their own
application.