Distributed Safety:

Sensor-actuator
interfacing

Siemens AG © 2010

Contents Page
Sensor-actuator interfacing: overview ................................................................................................. 2
Overview: Sensor/encoder wiring to F-DI modules (recommendation) ............................................... 3
Example: Sensor/encoder interfacing: Cat. 3/PLd/SIL2 ...................................................................... 4
Example: Sensor/encoder interfacing: Cat. 4/PLe/SIL3 ...................................................................... 5
Actuator interfacing to F-DO PM: Cat. 3/4/PLd/e/SIL2/3 (ET200S) .................................................... 6
Actuator interfacing to F-DO PP (S7-300/ET200M) ............................................................................ 7
Actuator interfacing to F power module PM-E F pm (ET200S) ........................................................... 8
Actuator interfacing to F power module PM-E F pp (ET200S) ............................................................ 9
Analog value processing with (SM 336; AI 6 x 13-bit) ......................................................................... 10
Current measurement, 4 to 20 mA (Cat. 3/PLd/SIL2) ......................................................................... 11
Current measurement, 4 to 20 mA (Cat. 4/PLe/SIL3) ......................................................................... 12
Examples of sensor/encoder interfacing: Emergency Stop command devices
and position switches ........................................................................................................................ 13
Series connection of sensors ............................................................................................................... 14
Examples of interfacing ESPE: light curtains/light arrays/laser scanners ............................................ 15
Protective door monitoring, Cat. 4/PL e/SIL3 with tumbler in Cat. 3/PLd/SIL2 .................................... 16
Distinguishing Emergency Off - Emergency Stop, EN 60204-1........................................................... 17
Safe shutdown in compliance with IEC 61800-5-2: STO, SS1, SS2 ................................................... 18
Example: actuator interfacing in Cat. 3/4/PLd/e/SIL2/3 ....................................................................... 19
Example: ET200S load circuit 24V DC/24-230V AC up to 8A 1F-RO fail-safe relay module .............. 20
Single and group deactivation of actuators in Cat. 4/PLe/SIL3 ............................................................ 21
STO in Cat. 4/PLe/SIL3 SS1 and SLS in Cat. 3/PLd/SIL2 ................................................................... 22
Help on use of safety technology ......................................................................................................... 23

SITRAIN Training for

Page 1 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Sensor-actuator interfacing: overview

Switch

SIMATIC ET 200S SIMATIC S7-

Proxy IE/PB SIMATIC S7- SIMATIC ET 200pro PN SIMATIC S7-315F- with frequency converter 416F-2DP/
link 317F-2PN/DP 2PN/DP and motor starter CP443-1 ADV

SIMATIC ET 200S PN
SIMATIC
ET 200pro
EMERG
ENCY
STOP

SIMATIC S7-315F- SIMATIC ET 200S SINUMERIK/SIN SINUMERIK/SIN

DP/AS
SIMATIC SIMATIC Laser 2PN/DP AMICS S120 ODRIVE
Interface Link
ET 200pro ET 200eco scanners

EMERG
ENCY
STOP

Stand-alone Parallel wiring

Safety Unit
transducer
technology
EMER-
Laser scanners SIRIUS SIRIUS AS- Safe AS- GENCY Light curtain
position Interface Interface Light SIRIUS EMER-
STOP GENCY SIRIUS load
switches safety module curtain safety
STOP feeder
monitor relay

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 2 Siemens AG © 2010

Notes
....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

SITRAIN Training for

Page 2 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Overview: sensor/encoder wiring to F-DI modules
(recommendation)

Cat. 2/PLc/SIL1 Cat. 3/PLd/SIL2 Cat. 4/PLe/SIL3

F-DI F-DI F-DI
DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5

F-DI
Terminal module
Vs1 Vs2 Vs1 Vs2 Vs1 Vs2

Sensors

1-channel

2-channel
equivalent

2-channel
antivalent

External L+ L+
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 3 Siemens AG © 2010

Sensor/ When fail-safe input modules are used, the substitute value '0' is forwarded to the
encoder use CPU after the detection of faults, which causes the safety program to execute a
safe reaction. Therefore, pay attention to the fact that the sensors/encoders must
also be implemented in such a way that they supply a 0 signal when the safety
program is to execute the safe reaction.

Antivalent If an antivalent sensor/encoder is used for deactivation, its normally-closed contact

sensors/encoders must be wired to the input module's lower channel address so that the 0 signal can
be evaluated in the safety program when the button is operated.
If the antivalent sensor/encoder is used as an enabling button, its normally-open
contact must be wired to the input module's lower channel address so that the
1 signal can be evaluated in the safety program when the button is operated.

SITRAIN Training for

Page 3 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Example: sensor/encoder interfacing: Cat. 3/PLd/SIL2

F-DI F-DI F-DI

DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5

Vs1 Vs2 Vs1 Vs2 Vs1 Vs2

External L+

• Caution: SIL2 is attainable only if the appropriate

sensor/encoder quality is used.
• Sensor/encoder supply is provided by the F-DI module
(it must be from Vs1 when using a single-channel
sensor/encoder)

External L+ L+

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 4 Siemens AG © 2010

SIL2/PLd • Possible with a 1-channel sensor/encoder (supply by the module), that is

evaluated through 1 channel with 1 out of 1 evaluations, but only under the
assumption that an appropriately qualified (certified) sensor/encoder is
used.
• With redundantly connected sensors/encoders (sensor supply can also come
from an external source; see figure) and 2-channel evaluation by means of the
F-DI module if the sensor/encoder used does not fulfill the requirements of the
target safety class.

SITRAIN Training for

Page 4 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Example: sensor/encoder interfacing: Cat. 4/PLe/SIL3

F-DI F-DI F-DI

DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5

Vs1 Vs2 Vs1 Vs2 Vs1 Vs2

• Caution: SIL3 is attainable only if the appropriate

sensor/encoder quality is used.
• Sensor/encoder supply is provided by the F-DI module
(it must be from Vs1 when using a single-channel
sensor/encoder)

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 5 Siemens AG © 2010

SIL3/PLe • The sensor/encoder signals must be evaluated through 2 channels (2 out of 2

evaluation)
• "Short-circuit test" must be activated on the F-DI module so that the module
can detect short-circuits or cross circuits between different input channels.
However, this is only possible if the sensor/encoder receives its supply from the
F-DI module itself.
• Possible with a 1-channel sensor/encoder (supply by the module), but only
under the assumption that an appropriately qualified (certified)
sensor/encoder is used.
Setting in HW Config:

SITRAIN Training for

Page 5 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Actuator interfacing to F-DO PM: Cat. 3/4/PLd/e/SIL2/3 (ET200S)

Variant 1 (recommended) Variant 2

Standard Standard
PM-E 4 F-DO PM-E 4 F-DO

DO 0 DO 1 DO 0 DO 1
L+ M P M P M L+ M P M P M

Note:
It is no longer possible to shut down an actuator if a cross
circuit has developed between the P and M switches of the
output.
To prevent cross circuits between the P and M switches of a
fail-safe digital output, you must route the cables used to
connect the relays on the P and M switches in a cross circuit-
proof manner (e.g. as separate, unsheathed cables or in
separate cable ducts).
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 6 Siemens AG © 2010

ET200S Standard The power module of the potential group in which the F-DO modules are inserted
power modules must be a standard power module. You can find out which of the power modules is
suitable to supply a potential group with fail-safe modules by looking in the
ET200S manuals.

F-DO parameters For some F-DO modules, it is possible to parameterize safety operation for
…S7-300/ET200M SIL2 or SIL3 (the type of test signal injection is specified internally).

…ET200 S/pro/eco For the F-DO modules, no parameterization possibilities exist since they are
generally designed for safety class SIL2/3.

Warning If the actuators are operated with voltages higher than 24V DC (at 230 V DC, for
example) or if the actuators switch higher voltages, safe electrical isolation must
be guaranteed between the outputs of the fail-safe output module and the
components carrying higher voltage (in compliance with the EN 50178 standard).
This requirement is generally met by relays and contactors and particular attention
must be paid to it when using semiconductor switches.

Notes on Variant 1:
The "wire break" fault is only detected if both contactors are disconnected from P
or M due to the wire breaking (not safety-related).
on Variant 2:
The contactors must be connected to L+ and M of the power module in whose
potential group they are located (same reference potential is required).
The "wire break" and "overload" faults are detected only at the P switch of the
F-DO module, and not at the M switch

SITRAIN Training for

Page 6 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Actuator interfacing to F-DO PP (S7-300/ET200M)

Address switch
Overvoltage
protection

Output driver 1

Output driver 2

Readback
Logic

Diagnostics

Backplane bus
interface
SF SAFE State F

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 7 Siemens AG © 2010

PP-switching If loads are to be switched that have a connection between ground and earth
F-DO (e.g. to improve EMC properties) and their supplying power supply unit has a
ground-earth connection, then a PM-switching F-DO module would detect a "short-
circuit", since, from the point of view of the power module, the ground-earth
connection short-circuits the M switch of the module. This problem can be solved
with a PP-switching F-DO module:

Attainable The module switches the P voltage bus via two output drivers in a fail-safe
safety classes manner up to SIL3/Cat.4/PLe.

Wiring For safety reasons, the ground cable to the terminal module must be laid in
Notes duplicate because any interruption of a single ground conductor would prevent the
safety-related shutdown of voltage bus P2.

Note The potential groups 1L+, 2L+ and 3L+ can be supplied by separate power supply
units, but also by one common power supply unit as well.

SITRAIN Training for

Page 7 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Actuator interfacing to F power module PM-E F pm (ET200S)

Fail-safe
power module Standard DO
PM-switching

K5

Cat. 4 Cat. 3
PLe PLd
Cat.SIL3
4 K6
SIL2
SIL3

Note:
The "wire break" fault is detected only if the wire break has disconnected
both contactors from P or M (not safety-related)

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 8 Siemens AG © 2010

Fail-safe The fail-safe power module PM-E F pm 24VDC PROFIsafe has 2 fail-safe
power module digital outputs (P/M-switching, output current 2 A) and 2 relays for switching the
voltage buses P1 and P2 (output current 10 A).
The voltage buses P1 and P2 can be used to switch the power supply of the
following standard output modules (EM DO1, DO2, DO3 in the figure). The
individual standard DO outputs cannot be activated in a fail-safe manner, but only
deactivated simultaneously or all of them together in a fail-safe manner.

Warning: Only specific standard DO modules can be used.

You must reckon with all imaginable sorts of faults of the standard DO modules
and of the controlling program for which there is no fault detection.
Diagnostic functions must be handled indirectly in the controlled process since the
self-test function of standard DO modules cannot be used to detect safety-related
faults. To this end, the safety-related data must be
• functionally safe
• read-in through fail-safe input modules (F-DI)
(standard DI modules can also be used depending on the application)
• processed dynamically by the F-CPU's safety program and used for control of
the power module
Fail-safe shutdown takes place as soon as the process shows unwanted or
dangerous behavior.

Attainable Electronic outputs DO 0 and DO 1: Cat. 4/PLe/SIL3

safety classes (only if no standard DO modules are switched via P1/P2),
when using standard DO: Cat. 3/PLd/SIL2

Wiring • The ET200S standard module power supply inputs must be connected to the
Notes fail-safe power module.
• The actuators connected to the standard DOs must always be supplied through
the terminal modules of the fail-safe power modules.

SITRAIN Training for

Page 8 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Actuator interfacing to F power module PM-E F pp (ET200S)
Bus/process

SIL1/Cat2/PL SIL1/Cat2/PL
PM-E F pp d PM-E F pp c

DO DO AO Relay
DO
Backpl.

Electronics

Electronics
Electronics
bus

IM 151

P2 P1
P M
Electronic supply
P

24V DC Load supply

Analog 24V DC
actuator
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 9 Siemens AG © 2010

PP-switching If loads are to be switched that have a connection between ground and earth
power modules (e.g. to improve EMC properties) and their supplying power supply unit has a
ground-earth connection, then a PM-switching power module would detect a
"short-circuit", since, from the point of view of the power module, the ground-earth
connection short-circuits the power module's M switch.
This problem can be solved with the PP-switching power module:
The power module switches the voltage bar P2 in a fail-safe manner via two
series-connected relay contacts with SIL2/Cat. 3/PLd or SIL3/Cat. 4/PLe.
P2 is available as P on the terminal module, and P1 as M.

Attainable As described previously for the PM-switching power module

safety classes

Wiring For safety reasons, the ground cable to the terminal module must be laid in
Notes duplicate because any interruption of a single ground conductor would prevent the
safety-related shutdown of voltage bus P2.

SITRAIN Training for

Page 9 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Analog value processing with (SM 336; AI 6 x 15 bit)

Input addressing in
the user program:
IW x
IW x+2
IW x+4

IW x+6
IW x+8
IW x+10

x = Module start address

Bit number 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Significance of the bits sign 214 213 212 211 210 29 28 27 26 25 24 23 22 21 20
Example 0 1 0 0 1 1 0 0 1 1 1 1 1 1 0 0

Warning

In the safety mode, only a measuring range of 4 to 20 mA is permitted.

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 10 Siemens AG © 2010

Modules Two fail-safe, redundancy-enabled analog modules of the S7-300 module line are
available for connecting analog sensors/encoders:
• SM 336; AI 6 x 13-bit
• SM 336; F-AI 6 x 0/4 ... 20 mA HART.

Wire break and For the range of 4 to 20 mA required in the safety mode, a distinction is made
underflow test according whether wire break testing is parameterized:
• When wire break testing is parameterized, no underflow testing is
implemented and, in the event of a wire breaking (< 3.6 mA), the PII of the CPU
receives the substitute value 0 instead of the value 7FFFHex
• If no wire break testing is parameterized, in the event of an underflow (< 1.18 mA),
the PII of the CPU receives the substitute value 0 instead of the value 8000Hex

Input The inputs of the analog input module can be used as follows:
utilization • Standard mode:
All 6 channels for current measuring from 0 to 20 mA or 4 to 20 mA or up to
4 channels for voltage measuring (0 to 10 V) and the remaining two channels for
current measuring
• Safety mode: All 6 channels for current measurements from 4 to 20 mA only

Addressing Unlike standard analog modules, fail-safe analog modules are addressed in the
process image area. Therefore, the results of measurements are not accessed via
direct I/O access (which would not be possible in the safety program anyway), but by
access to the CPU's process image.

SITRAIN Training for

Page 10 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Current measurement, 4 to 20 mA (Cat. 3/PLd/SIL2)

2-wire measuring transducer 4-wire measuring transducer

2-wire
measuring
transducer
- +

4-wire
Recommended
measuring
transducer
+ -

Recom-
mended

Warning

To achieve SIL2 (Category 3) with this wiring, you must install a suitably
qualified sensor, for example in accordance with IEC 60947.
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 11 Siemens AG © 2010

Encoder supply You are strongly advised to always use the short circuit-proof internal sensor
supply of the module. This internal sensor supply is monitored and its status is
indicated by the Vs LED.
The encoders can also be supplied through an external encoder supply. However,
the stability of the external encoder supply must correspond to the required safety
class SIL2!

Encoder signals Up to 6 process signals can be connected to one analog module. In the safety
mode, only the measuring range of 4 to 20mA is permitted.

SITRAIN Training for

Page 11 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Current measurement, 4 to 20 mA (Cat. 4/PLe/SIL3)

2-wire measuring transducer 4-wire measuring transducer

2-wire 2-wire 4-wire 4-wire

measuring measuring measuring measuring
transducer transducer transducer transducer
- + - + + - - +

Acquisition of the same

Acquisition of the same process variable with
process variable with mechanically separate
mechanically separate encoders
encoders
Recom- Recommended
Recommended mended

Warning

To achieve SIL3 (Category 4) with this wiring, you must install a suitably
qualified sensor, for example in accordance with IEC 60947.
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 12 Siemens AG © 2010

Encoder supply You are strongly advised to always use the short circuit-proof internal sensor
supply of the module. This internal sensor supply is monitored and its status is
indicated by the Vs LED.
The encoders can also be supplied through an external encoder supply. However,
the stability of the external encoder supply must correspond to the required safety
class SIL3!

Process signals Up to 6 process signals can be connected to one analog module. In the safety
mode, only the measuring range of 4 to 20mA is permitted.
Two redundant sensors are connected to two opposite inputs of the analog module
for each process signal (1oo2 ((2oo2) evaluation).

SITRAIN Training for

Page 12 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Examples of sensor/encoder interfacing:
Emergency Stop command devices and position switches

Emergency Stop
Position switches (e.g. for door monitoring)
command devices

Cat. 2
PLc
SIL1 Position switch with
separate actuator Door monitoring
(or hinge switch) with solenoid switch

Cat. 3
PLd
SIL2
External encoder supply

Cat. 4
PLe
SIL3
Internal sensor/encoder supply by evaluation unit

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 13 Siemens AG © 2010

General As from Cat. 3/PLd/SIL2, electromechanical sensors must be electrically and

mechanically of the 2-channel type.
In Cat. 4/PLe/SIL3, cross circuit detection is necessary (to achieve adequately
high diagnostic coverage DC), which can only be realized with a sensor/encoder
supply from the evaluation unit.*

Emergency Stop Despite a mechanical 1-channel structure, Emergency Stop command devices
command devices manufactured in compliance with EN ISO 13850 can be used in applications up to
Cat. 4 in compliance with EN954-1 or PLe in compliance with EN ISO 13849-1 and
SIL3 in compliance with EN IEC 62061.

Position Use of an electrically 2-channel, but mechanically only 1-channel position switch
switches is only possible if it is equipped with a separate actuator whose breakage can be
ruled out (see DIN VDE 0113 for details or appropriate measures).
This exclusion of faults is not permitted for Cat. 4/PLe/SIL3!

Solenoid switches SIRIUS solenoid switches are certified for use up to Cat. 4/PL e/SIL 3.

* Note: An average diagnostics coverage of 90%, which can also be achieved with an
external sensor/encode supply, would also be possible to achieve SIL3 in
compliance with EN 62061. However, in compliance with ISO 13849-1, an
average diagnostics coverage is not sufficient for PLe!

SITRAIN Training for

Page 13 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Series connection of sensors

... Emergency Stop

... Emergency stop ... Position switches command devices
control device and position switches
EMERGENCY STOP
EMERGENCY
STOP 1

EMERGENCY Protective
STOP n door
Closed

Open
Evaluation unit
Evaluation unit Evaluation unit

Max. Cat. 4/PLe/SIL3 Max. Cat. 3/PLd/SIL2 Max. Cat. 3/PLd/SIL2

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 14 Siemens AG © 2010

Series connection Basically sensors can be connected in series in all categories.

Cat. 4/PL e/SIL 3 requires, however, that
- every fault is detected
and
- an accumulation of faults does not lead to loss of the safety function.

... of Emergency Stop command devices:

Emergency Stop command devices may be connected in series up to Cat.
4/PLe/SIL3: failure and/or simultaneous actuation of the command devices can be
ruled out.

... of position switches:

Up to Cat. 3/PLd/SIL2, position switches (e.g. protective door monitoring) may be
connected in series unless several protective doors are simultaneously opened on
a regular basis (as otherwise fault detection is not possible).
In Cat. 4/PLe/SIL3, position switches must never be connected in series because,
in this case, every hazardous fault must be detected (independently of operating
personnel).

... of Emergency Stop command devices and position switches:

Up to Cat. 3/PLd/SIL2, position switches (e.g. protective door monitoring) and
Emergency Stop command devices may be connected in series unless several
protective doors or Emergency Stop command devices are simultaneously
actuated on a regular basis (as otherwise fault detection is not possible).
In Cat. 4/PLe/SIL3, position switches and Emergency Stop command devices
must never be connected in series because, in this case, every hazardous fault
must be detected (independently of operating personnel).

SITRAIN Training for

Page 14 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Examples of interfacing ESPE:
Light curtains/arrays/laser scanners

Light curtains/light arrays/laser scanners* Light curtains/light arrays

with electronic outputs OSSD 1/2 with relay outputs

depending on the version, up to Cat. 4/PLe/SIL3

(* due to their design, laser scanners only up to Cat. 3/PLd/SIL2)

OSSD 1
OSSD 1

OSSD 2
OSSD 2

Internal s e n s o r / e n c o d e r
External encoder supply s u p p l y by e v a l u a t i o n u n i t

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 15 Siemens AG © 2010

ESPE Electro-sensitive protective equipment

... with electron. Sensors with OSSD (Output Signal Switching Device) outputs possess
outputs integrated cross-/short-circuit detection. These must therefore be deactivated on
the evaluation unit (in HW Config in the case of F-DI modules).

... with relays Sensors with relay outputs cannot realize any cross-/short-circuit detection
outputs via their floating contacts.
In the case of Cat. 4/PLe/SIL3 applications, cross-/short-circuit detection must
therefore be activated on the evaluation unit (in HW Config in the case of F-DI
modules).

SITRAIN Training for

Page 15 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Protective door monitoring, Cat. 4/PL e/SIL3
with tumbler based on magnetic force locking, Cat. 3/PLd/SIL2

PS CPU PM-E PM-E F-DO

307 315F

IM 151 4DI Actuator contact

F-DI
HF HF
Magnet

Release monitoring

Hinge switches Protective

door
Actuator

Start

Safety position switch 4DI HF

with tumbler (locked by
magnetic force)
Stop

Actuator
F-DI
Machine is
at standstill
Hinge Safety
switch position
switch

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 16 Siemens AG © 2010

Function Locking units with a tumbler are mechanical or electrical units that permit
operation of a machine only when the protective door is closed and latched.
Locking and latching are maintained until the risk of injury from hazardous
machine movement is ruled out.
In this example, a speed or standstill monitor for monitoring hazardous continued
running of a machine is simulated by a pushbutton contact (NO) that is connected
in 1 channel to the fail-safe input module (F-DI). When real speed or standstill
monitors are used, these would have to be connected to the F-DI over 2 channels
(except when a correspondingly certified one-channel sensor/encoder is used)
(2oo2 evaluation).
In the example shown, an actuator fitted on the door moves into a safety position
switch with tumbler. During the potential hazard, the actuator is held (thus latching
the door) by virtue of the fact that a voltage is applied to a solenoid in the safety
position switch. This type of locking is referred to as magnetic force locking.
The solenoid of the safety position switch is triggered via a fail-safe digital output
channel (F-DO).
If the safety position switch fails, the safety function is maintained by the hinge
switch (which also detects when the protective door is open).

Notes For realization of a door tumbler in Cat. 4/PLe/SIL3, two safety position switches,
each with tumbler, should be used.
To achieve Category 4/PL e/SIL 3, for certain actuators (e.g. contactors) it is
imperative to evaluate the actuators' feedback signal by means of the program.
Reading back is not implemented in this example.

SITRAIN Training for

Page 16 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Distinguishing Emergency Off - Emergency Stop, EN 60204-1

Emergency switching off Emergency stop, E-stop

Emergency OFF Emergency Stop

"Safe
standstill"

Danger through

Electric shock - switch Movement - stop with

off with Emergency OFF Emergency Stop

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 17 Siemens AG © 2010

Notes
....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

SITRAIN Training for

Page 17 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Safe shutdown in compliance with IEC 61800-5-2: STO, SS1, SS2

n Initiating
safe shutdown
Stop category 0
n

Safe Torque Off (STO)

t
Safe Torque Off (STO)

n Electrical
Stop category 1
isolation from
n Defined braking the
Safe Stop 1 (SS1)
ramp line
t
t Safe Torque Off (STO) is not
n
necessary!
Stop category 2
n Defined braking
ramp
Safe Stop 2 (SS2) t
t Safe Operating Stop (SOS)
(at full torque)
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 18 Siemens AG © 2010

STO Safe Torque OFF

This function serves to avoid unexpected starting of the drive, in accordance with
EN 60204-1, Section 5.4. Safe Torque Off disables the drive pulses and
disconnects the power supply to the motor (corresponds to Stop Category 0 of
EN 60204-1). The drive is reliably torque-free. This state is monitored internally in
the drive.

SS1 Safe Stop 1

The Safe Stop 1 function can safely stop the drive in accordance with EN 60204-1,
Stop Category 1. When the SS1 function is selected, the drive brakes along a
quick stop ramp autonomously and automatically activates the Safe Torque Off
and Safe Brake Control functions (if enabled) when the parameterized safety delay
timer expires.

SS2 Safe Stop 2

The Safe Stop 2 function can safely stop the drive in accordance with EN 60204-1,
Stop Category 2. When the SS2 function is selected, the drive brakes
autonomously along a quick-stop ramp. In contrast to SS1, the automatic speed
control remains operational afterwards, i.e. the motor can supply the full torque
required to maintain zero speed. Standstill is safely monitored (Safe Operating
Stop function).

SOS Safe Operating Stop

The Safe Operating Stop function represents safe standstill monitoring. The drive
control remains in operation. The motor can therefore deliver the full torque to hold
the current position. The actual position is reliably monitored. In contrast to safety
functions SS1 and SS2, the speed setpoint is not influenced automatically. After
SOS has been activated, the higher-level control must bring the drive to a standstill
within a parameterized time and then hold the position setpoint.

SITRAIN Training for

Page 18 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Example: actuator interfacing in Cat. 3/4/PLd/e/SIL2/3

F-DO DI

Load circuit 400 V

Feedback

Control via F-DO Electronic output - P

DO0 DO1 DO2 DO3

P P P P

DO0 DO1 DO2 DO3

M M M M

Electronic output - M

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 19 Siemens AG © 2010

Note The safety class achieved also depends on the number of switching cycles of the
contactors. In the event of frequent switching, the safety level achieved can be
lower than Cat. 3/PLe/SIL3.

Notes
....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

SITRAIN Training for

Page 19 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Example: ET200S load circuit 24V DC/24-230V AC up to 8A
1F-RO fail-safe relay module in Cat. 4/PLe/SIL3

PROFIBUS
with
PROFIsafe

230V AC
Actuation via F-DO
(electronic output) 1F-RO

DO0 DO1 OUT 1 (13) OUT 1 (13)

P P
DO0 DO1
OUT 1 (14) OUT 1 (14)
M M
IN P IN P
OUT 2 (23) OUT 2 (23)

IN M IN M
OUT 2 (24) OUT 2 (24)

Looping
Looping for deactivation
for group group
deactivation of further 1 F-
of further 1 F-ROs
ROs
SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 20 Siemens AG © 2010

Notes
....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

SITRAIN Training for

Page 20 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Single and group deactivation
of actuators in Cat. 4/PLe/SIL3

PS CPU 400 V load circuit

PM-E PM-E F-DO
307 315F
IM 151 2DI
HF HF F-DI

Circuit breakers

For all groups

Emergency
stop (1) Motor M1 and motor M2
in a star circuit
Emergency
Start M1 Start M2 stop (2)

Emergency
Stop all
Acknowledge- Acknowledge-
ment (1) ment (2)

Groups 1 Groups 2

Acknowledge- Motor M1
ment all Contactor Contactor
Contactor K1 Contactor K3
K2 K4

Readback signals
Motor M2

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 21 Siemens AG © 2010

Function Frequently, the following behavior is required when several actuators are used
within a system: it should be possible to safely deactivated one single actuator
(independently of other actuators). Additionally, it should be possible to safely
deactivate all actuators together.
The example here shows single and group deactivation of actuators. To this end,
two three-phase asynchronous motors are used that can be activated
independently of one another. Each motor is assigned an Emergency Stop button,
which deactivates it safely (single deactivation). There is also an Emergency Stop
button that is used to safely deactivate all motors (group deactivation).

Evaluating the To enable detection of contactor welding, their feedback or readback signals
feedback signals must be evaluated in the safety program. The Distributed Safety function block
library provides a certified function block for this purpose.
A group is deactivated if a readback error is detected in it. The other group can
continue to be activated operationally and can be safely deactivated.

SITRAIN Training for

Page 21 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 STO in Cat. 4/PLe/SIL3
SS1 and SLS in Cat. 3/PLd/SIL2
400V
F-CPU with F-DO and
standard DI

24V
24V

SINAMICS G120 with

CU240S DP-F or CU240S
PN-F

External 24V
supply
PROFIBUS or PROFINET
with PROFIsafe

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 22 Siemens AG © 2010

STO in Cat. 4 The SINAMICS G120 and G120D with their safety functions STO, SS1 and
PLe/SIL3 SLS are certified in compliance with Cat. 3/PLd/SIL2.
To realize STO in compliance with Cat. 4/PLe/SIL3, it is necessary to install an
additional line contactor in the 400V supply line to the SINAMICS G120/G120D.

Function STO is activated by the F-CPU in the SINAMICS G120/G120D via PROFIsafe (by
means of PROFIBUS or PROFINET). The 400V supply voltage of the SINAMICS
G120/G120D is also deactivated via the line contactor. This deactivation is
monitored via the safe acknowledgement signals of the SINAMICS G120/G120D
(PROFIsafe) and the signaling contact of the line contactor (digital input) in the
safety program.

SITRAIN Training for

Page 22 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing
 Help on use of safety technology

Contents Attainable

Safety Evaluation Tool Tool for verifying the Online tool

required safety level www.siemens.com/safety-evaluation-tool

Function examples Instructions for functions and Internet download

applications http://support.automation.siemens.com/WW/view/de/20208582/136000

Sitrain Product and standards Internet contact

training courses http://www.siemens.de/sitrain-safetyintegrated

Support The right support for every Internet contact

product phase http://support.automation.siemens.com

SITRAIN
ST-PPDS/Sensor-actuator interfacing Page 23 Siemens AG © 2010

Notes
....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

....................................................................................................................................

SITRAIN Training for

Page 23 ST-PPDS
Automation and Industrial Solutions Sensor-actuator interfacing