SIMATIC TIA Portal S7-1500 Programming 3

Contents 9
9. Appendix: Introduction to Fail-safe Controllers .................................................. 9-2
9.1. Safety Concept in the EU ...................................................................................................... 9-3
9.1.1. Machinery Directive: Fundamental Safety Requirements ................................................... 9-4
9.1.2. Presumption of Conformity ................................................................................................... 9-5
9.1.3. EU Declaration of Conformity and CE Marking .................................................................... 9-6
9.2. Functional Safety is Only a Part of It..................................................................................... 9-7
9.2.1. Risk Reduction in Compliance with IEC 61508 .................................................................... 9-8
9.2.2. Risk Analysis Criteria ............................................................................................................ 9-9
9.2.3. ISO 13849-1: Risk Graph.................................................................................................... 9-10
9.2.4. IEC 62061 and ISO 13849-1: Safety Performance............................................................. 9-11
9.3. Safety Integrated Technology ............................................................................................. 9-12
9.3.1. SIMATIC Safety Integrated: Required Hardware................................................................ 9-13
9.3.2. Overview: Sensor/Encoder Wiring to F-DI Modules (Recommendation) ........................... 9-14
9.3.3. Actuator Interfacing to F-DO PM: Cat.3/4 / PLd/e / SIL2/3 (ET 200S) ............................... 9-15
9.3.4. Example: Actuator Interfacing in Cat.3/4 / PLd/e / SIL2/3 .................................................. 9-16
9.3.5. Safety Concept: Safety Program ........................................................................................ 9-17

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-1
 SIMATIC TIA Portal S7-1500 Programming 3

9. Appendix: Introduction to Fail-safe Controllers

At the end of the chapter the participant will ...

... know the safety concept of the E(uropean) U(nion)

... be able to explain the sense and purpose of standards

… be able to explain the term "functional safety"

... be able to explain the functional principle of fail-safe controllers

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-2 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.1. Safety Concept in the EU

... addresses product requirements and social aspects

Safety requirements

Article 95 of the EC Treaty Article 137 of the EC Treaty

(Free Movement of Goods) (Occupational Safety)

"Occupational Safety" Framework

e.g. Machines
Directive (89/391/EEC)

"Use of Work
Low Voltage Machinery
Equipment"
Directive Directive
Directive
(2006/95/EC) (2006/42/EC)
(86/665/EEC)

Harmonized European standards National legislation

Manufacturers Users

Article 95
The EC Directives that affect the implementation of products, and thus are directed mainly at the
manufacturer, are based on Article 95 of the EC Treaty. They are based on a global approach:
• Through the EC Directives, free movement of goods is to be ensured in the European
Economic Area. The goal is to remove all technical trade barriers that exist because of
different technical requirements of member states for technical products and their use.
• EC Directives contain general safety goals only and define fundamental safety requirements.
• Standards bodies which have received the appropriate mandate from the European
Commission (CEN, CENELEC) can define technical specifications in standards. These
standards, which must be adopted without change in national standards by all member states,
are listed in the EC Official Journal and are thus harmonized in a specific directive.
• Compliance with specific standards remains voluntary. However, "it can be presumed" that,
by conforming to the harmonized standards, the corresponding safety requirements of the
directives are fulfilled.

Article 137
The EC Directives for occupational safety and for machine use mainly address the users of
machines. The level of protection defined in the minimum requirements can be increased through
national regulations.
The "Safety and health of workers at work" framework (directive) (89/391/EEC) defines essential
requirements for safety in the workplace. In Germany, the requirements are summarized in the
German Health and Safety at Work Regulations (BetrSichV).
You will find more information (in German) on the Internet pages of the Federal Institute for
Occupational Safety and Health (BauA) (http://www.baua.de/baua/index.htm).

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-3
 SIMATIC TIA Portal S7-1500 Programming 3

9.1.1. Machinery Directive: Fundamental Safety Requirements

Manufacturers are obliged to assess hazards in order to identify all of those that apply
to their machines …..
• Protective measures against mechanical hazards
(stability, danger of breakage, movable parts)
• Protective measures against hazards through electrical energy, fire/explosion,
radiation, gas emissions, dust, etc.
• Protective goals as well as requirements with regards to people-friendly design of
machines, maintenance and user information with warnings about residual
hazards
• Requirements for controllers and control devices for the startup and
shutdown of machines in case of a failure of the power supply or the
control circuit
• Documentation and operating manual

Machinery Directive
According to the Machinery Directive, the member states of the EC are obliged to ensure that
only those machines and safety components are sold, marketed, and operated that fulfill the
essential health and safety requirements listed in Annex 1.
The states may not refuse, limit or hinder market access or operation if a manufacturer declares
the conformity with the essential requirements of the machinery directive.

Objective
At no time may any machine present a danger to the consumer, machine or the environment.
The machinery directive helps machine manufacturers to detect hazards resulting from a machine
and thus to take appropriate measures before a machine is sold, marketed and operated. This
process is also called the hazard assessment, which ultimately leads to the necessary protective
measures through a risk assessment.
The EN ISO 12100 (EN292) and EN1050 (ISO 14121) standards are standards that machine
manufacturers can utilize in the procedure and definition of protective measures.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-4 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.1.2. Presumption of Conformity

Presumption of conformity (Machinery Directive):

• If a machine or a safety component is produced in compliance with a European
product standard that is listed as a "harmonized standard" in the EU Official Journal,
member states are to presume that the product conforms to the essential
requirements of the directive.

Deviations from standards:

• Other technical solutions are permitted if an equivalent safety level is achieved.
(Problem of proof?)

Liability:
• When standards are complied with, it can be presumed that a machine
manufacturer has not acted with gross negligence.
• In the event of a claim, the criminal law consequences are thereby reduced to a
minimum.

Manufacturer's Responsibility
A machine manufacturer who wants to market a machine in the EU and who declares conformity
with the machinery directive is obliged to adhere to all requirements of this directive. This will
ensure that the machine manufacturer has done everything humanly possible to construct a safe
machine.
In accordance with current practice in the Member States, manufacturers are responsible for
certifying that their machines conform to the essential requirements. This allows a manufacturer
the freedom to have the machines tested by third parties and to have their conformity confirmed.

Presumption of Conformity
Compliance with harmonized standards results in automatic presumption of conformity with the
directive, i.e. manufacturers can be assured that they have fulfilled the safety aspects of the
directive insofar as they are dealt with in the respective standard.
However, not every European standard has been harmonized. Listing in the EU Official Journal is
what counts. These lists are updated regularly and can be viewed on the internet at
www.newapproach.org

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-5
 SIMATIC TIA Portal S7-1500 Programming 3

9.1.3. EU Declaration of Conformity and CE Marking

An EU Declaration of Conformity must contain, among other things, the following

information:
• Description of the machine or equipment
(including technical identification, make, type, serial number, etc.)
• Harmonized standards applied
(e.g. EN60204-1, safety product standards, etc.)
• Notified body
(for machines with specific hazards only; see Machinery Directive Annex IV)
• Legally binding signature with details of the signatory

The CE mark is a "free movement of goods marking" that…

• …is stipulated for all products within the EU that fall under
the application of one or more EC Directives
• …stands for the conformity of a product with one or more
EC Directives

EC Conformity Declaration
Before marketing (and, if applicable, putting into operation) a machine or safety component,
manufacturers must produce an EC Declaration of Conformity or a manufacturer declaration in
compliance with the Machinery Directive Annex IV.
The existence of technical documentation and the delivery of operating instructions for the
machine or the safety component is a prerequisite for issuing an EC Declaration of Conformity.
With the conformity declaration, manufacturers confirm that they adhere to all requirements of the
European directive under which their product falls.

Manufacturer Declaration
A manufacturer declaration is required from the manufacturer or his agent for a machine that
does not function independently within the scope of the EU Machinery Directive 98/37/EC.
According to the Annex IIB of the directive, this manufacturer declaration must contain the
reference that the commissioning of the machine or system in which this component is installed is
prohibited until the conformity with the directive is established.
In the redrafting of the Machinery Directive (2006/42/EC dated 17. May 2006) the manufacturer
declaration was replaced by an installation declaration which is legally binding since the 29.
December 2009.

CE Marking
Machines that are useable, ready to use and ready for operation in compliance with the
machinery directive are identified with the CE marking within the scope of the conformity
declaration.
Safety components are assigned the EC Declaration of Conformity only, but no CE marking!

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-6 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.2. Functional Safety is Only a Part of It

Safety requires protection against all hazards, for example:

Electric Heat and fire

shock

Dangerous radiation Hazards posed by

and emissions malfunctions
(IEC 61508)

IEC 61508: Basic Standard for Functional Safety

The safety-related parts of a control system must be designed in such a way that they work
reliably according to the hazard risk when used in accordance with their intended purpose and in
foreseeable cases of misuse, and also when faults occur. The following are to be prevented by
avoiding systematic faults and by controlling systematic and random faults in safety-related
functions:
• Human injuries or death
• Disastrous impacts on the environment
• Destruction or damaging of production facilities and industrial goods, including production
losses (optional)

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-7
 SIMATIC TIA Portal S7-1500 Programming 3

9.2.1. Risk Reduction in Compliance with IEC 61508

Residual Tolerable Risk of controlled

risk risk equipment

Increasing risk

Necessary risk reduction

Actual risk reduction

Partial risk, covered Partial risk,

Partial risk, covered by
by non- electrical/
covered by electronic systems
external
electronic and equipment
(e.g. mechanical,
and
electrical systems hydraulic) measures

Principle of Risk Reduction

The aim is to reduce risk to a tolerable level. First, an attempt is made to implement risk-reducing
measures to reduce the overall risk of a machine by structural measures (e.g. affixing a protective
guard or warning signs).
If a risk regarded as too high then still exists, an attempt is made with the safety-related parts of
the control system to achieve a further risk reduction. These are ultimately the so-called safety
functions such as a safety-door monitoring function with a position switch and a safety relay or a
fail-safe PLC.
What remains in the end is an actual risk that is lower than the tolerable or acceptable risk.

Risk
A risk involves various elements, which are described in detail in the standard:
• Extent of harm
• Frequency and duration of hazard exposure
• Probability of occurrence
• Possibility of risk avoidance or limiting

Safety
Freedom from intolerable risks

Reference to ISO13849 IEC62061

The assessment of the named risk elements defines the level of the requirements for risk
reduction measures and thus represents the input parameter for the risk graphs according to ISO
13849-1 (EN954-1) and the SIL classification according to IEC 62061.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-8 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.2.2. Risk Analysis Criteria

How
Severity of severe • Severe
injury • Slight

How
Frequency often
and/or • Frequent
exposure time • Seldom

How
probable
Possibilities • Hardly possible
of avoidance • Possible

Severity
Severity of injury or damage
• Type of "legally protected interest" to be protected (persons, materials, environment)
• Type of injury (of persons) (slight, severe, fatal injury)
• Extent of harm (one/several persons)

Frequency
Frequency and duration of hazard exposure
• Need for access (operation, maintenance, repair, etc.)
• Exposure time in the hazard area (acclimatization to the hazard)
• Frequency of access, number of persons
• Statistics, accident history, risk comparisons

Avoidance
Avoidance possibilities
• Structural measures
• Surveillance of operation (e.g. also using video cameras)
• Deployment of specially trained personnel

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-9
 SIMATIC TIA Portal S7-1500 Programming 3

9.2.3. ISO 13849-1: Risk Graph

Risk graph for determining the necessary PLr of a safety function

Severity Frequency Preventable PLr

P1
F1 a
S1 P2
P1 b
F2
P2
c
P1
F1
P2
S2 P1 d
F2
P2
e

PLr
A required performance level (PLr) must be defined and documented for every chosen safety
function.

Severity S
Severity of injury or damage
• Type of "legally protected interest" to be protected (persons, materials, environment)
• Type of injury (of persons) (slight, severe, fatal injury)
• Extent of harm (one/several persons)

Frequency F
Frequency and duration of hazard exposure
• Need for access (operation, maintenance, repair, etc.)
• Exposure time in the hazard area (acclimatization to the hazard)
• Frequency of access, number of persons
• Statistics, accident history, risk comparisons

Avoidance P
Avoidance possibilities
• Structural measures
• Surveillance of operation (e.g. also using video cameras)
• Deployment of specially trained personnel

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-10 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.2.4. IEC 62061 and ISO 13849-1: Safety Performance

aa

The categories (Cat.) (EN 954-1) do not provide a clear definition of the
safety performance. SIL (IEC 62061) and PL (ISO 13849-1) defines
a clear, hierarchically staggered rating of the safety performance.

PL (ISO 13849-1) Average probability of a hazardous fault per SIL (IEC 62061)
Performance level (PL) hour [1/h] Safety Integrity Level (SIL)

a ≥ 10-5 to < 10-4 no correspondence

b ≥ 3 x 10-6 to < 10-5 1
c ≥ 10-6 to < 3 x 10-6 1
d ≥ 10-7 to < 10-6 2
e ≥ 10-8 to < 10-7 3

SIL and PL can be mapped to one another

Safety Performance
The categories of EN 954-1 were independent of a specific solution and did not provide a clear
measure of the safety performance of a control system.
IEC 62061 and ISO 13849-1 consider safety functions as follows:
• A particular hazard (through a machine) can be assigned to a defined safety function
• The required safety performance can be determined for a defined safety function

The required safety performance is dependent on the specific solution and risk:
• IEC 62061: Safety Integrity Level (SIL)
• ISO 13849: Performance Level (PL)

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-11
 SIMATIC TIA Portal S7-1500 Programming 3

9.3. Safety Integrated Technology

Standard I/O Standard Host / PLC

Coexistence of Standard and Fail-safe communication

PG/ES with
secure access
e.g. Firewall
F-Gate-
way Standard-I/O
TCP/IP
Engineering F-Sensor F-Field F-Actuator
Tool Device other Master-Slave
Safety Assignment
Bus Systems

Safety Integrated Technology

Safety Integrated is a holistic safety concept for Automation and Drives Technology from
Siemens. Proven technologies and systems from automation are used for the safety technology.
Safety Integrated includes the complete safety chain from sensor/encoder and actuator up to the
controller including safety-related communication via standard field buses. In addition to their
function tasks, drives and controllers also take on safety tasks. In addition to reliable safety,
safety integrated technology enables higher flexibility and productivity.
Standard and safety-related stations are linked via a common bus system. The bus can be
PROFIBUS, PROFINET or a combination of both since fail-safe communication is possible even
across bus boundaries.

Benefits
The integration of safety technology in standard automation systems results in the following
important benefits:
• more flexibility than electromechanical solutions
• reduced wiring overhead
• only one CPU is necessary because of the coexistence of the standard and safety program
• simple communication between standard and safety program
• reduced engineering overhead since a standard engineering tool is used for configuring and
programming

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-12 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.3.1. SIMATIC Safety Integrated: Required Hardware

Previous Standard CPUCPU1516 Fail-safe CPU CPU1516F

exchange

Previous Standard ET200S Fail-safe ET200S

expand

F-CPU
As a rule, it is sufficient if the F-CPU used at least fulfills the same requirements as the previously
used standard CPU with regards to performance data or performance profile (including
communication possibilities). The most important characteristic values are the CPU processing
speed from which the cycle time and thus the response time of the automation system result and
the size of the working memory that must accommodate the execution-related parts of the
standard and safety programs.

F-DI/DO
Standard and safety-related input and output modules (F-DI/DO) can be operated together in
mixed configurations. The F-DI/DO modules required in place of the safety relay could also be
integrated in an already existing ET 200S station. All already used I/O modules including their
wiring can continue to be used unchanged.
If the dangerous function of the plant is implemented in SIL3/Cat.4, then the F-DI and the F-DO
modules must be inserted into a separate potential group or must be isolated from the standard
modules by an additional power module (PM) (see slide).

PROFIsafe Communication
The safety-related communication between F-CPU and the F-DI/DO modules using PROFIsafe is
integrated in the failsafe modules. It is executed automatically and does not have to be
programmed – regardless of whether the F-DI/DO modules are used centrally or distributed via
PROFIBUS or PROFINET. Already configured standard communication remains unaffected by
the safety-related communication via PROFIsafe.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-13
 SIMATIC TIA Portal S7-1500 Programming 3

9.3.2. Overview: Sensor/Encoder Wiring

to F-DI Modules (Recommendation)

Cat.2 / PLc / SIL1 Cat.3 / PLd / SIL2 Cat.4 / PLe / SIL3

F-DI F-DI F-DI
DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5 DI 0 DI 1 DI 4 DI 5

F-DI
Terminal module
Vs1 Vs2 Vs1 Vs2 Vs1 Vs2

Sensors

1 - channel

2 - channel
Equivalent

2 - channel
Non-equivalent

external L+ L+

Sensor/encoder Use
When fail-safe input modules are used, the substitute value '0' is forwarded to the CPU after the
detection of faults, which causes the safety program to execute a safe reaction. Therefore, pay
attention to the fact that the sensors/encoders must also be implemented in such a way that they
supply a 0 signal when the safety program is to execute the safe reaction.

Non-equivalent Sensors/encoders
If a non-equivalent sensor/encoder is used for deactivation, its normally-closed contact must be
wired to the input module's lower channel address so that the 0 signal can be evaluated in the
safety program when the button is operated.
If the non-equivalent sensor/encoder is used as an enabling button, its normally-open contact
must be wired to the input module's lower channel address so that the 1 signal can be evaluated
in the safety program when the button is operated.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-14 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.3.3. Actuator Interfacing to F-DO PM: Cat.3/4 / PLd/e / SIL2/3 (ET 200S)

Variant 1 (recommended) Variant 2

Standard Standard
PM-E 4 F - DO PM-E 4 F - DO

DO 0 DO 1 DO 0 DO 1
L+ M P M P M L+ M P M P M

Caution:
It is no longer possible to shut down an actuator if a cross
circuit has developed between the P and M switches of the
output.
To prevent cross circuits between the P and M switches of a
fail-safe digital output, you must route the cables used to
connect the relays on the P and M switches in a cross circuit-
proof manner (e.g. as separate, unsheathed cables or in
separate cable ducts).

ET 200S Standard Power Modules

The power module of the potential group in which the F-DO modules are inserted must be a
standard power module. You can find out which of the standard power modules is suitable to
supply a potential group with fail-safe modules by looking in the ET 200S manuals.

F-DO Parameters
• S7-300 / ET 200M
For some F-DO modules, it is possible to parameterize the safety operation for SIL2 or SIL3
(the type of test signal injection is specified internally).
• ET 200S / pro / eco
For the F-DO modules, no parameterization possibilities exist since they are generally
designed for safety class SIL2/3.

Warning
If the actuators are operated with voltages higher than 24V DC (at 230 V DC, for example) or if
the actuators switch higher voltages, safe electrical isolation must be guaranteed between the
outputs of the fail-safe output module and the components carrying higher voltage (in compliance
with the EN 50178 standard). This requirement is generally met by relays and contactors and
particular attention must be paid to it when using semiconductor switches.

Note on Variant 1:
The "wire break" fault is only detected if both contactors are disconnected from P or M due to the
wire breaking (not safety-relevant)

Note on Variant 2:
The contactors must be connected to L+ and M of the power module in whose potential group
they are located (same reference potential is required). The "wire break" and "overload" faults are
detected only at the P switch of the F-DO module, and not at the M switch.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-15
 SIMATIC TIA Portal S7-1500 Programming 3

9.3.4. Example: Actuator Interfacing in Cat.3/4 / PLd/e / SIL2/3

F-DO DI

Load circuit 400 V

Feedback

Control via F-DO Electronic output - P

DO0 DO1 DO2 DO3

P P P P

DO0 DO1 DO2 DO3

M M M M

Electronic output - M

Note
The safety class achieved also depends on the number of switching cycles of the contactors. In
the event of frequent switching, the safety level achieved can be lower than Cat. 3 / PLe / SIL3.

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

9-16 Training Document V15.01.00
SIMATIC TIA Portal S7-1500 Programming 3

9.3.5. Safety Concept: Safety Program

The diverse part

The part of the
of the safety program
safety program created by
generated by
the user in FBD / LAD
Distributed Safety

Fail-safe Fail-safe
input module F-CPU
F-CPU output module

F Program

F-Hardware and Firmware

Sensor Actuator
Standard Program
Standard
Standard
Standard Hardware and Firmware output
input module
module

Acquire Analyze Respond

F-CPU
Only the standard CPU is exchanged for a safety-related F-CPU. This unit combines the
functionalities of a standard CPU with those of a safety CPU. With an operating system extended
with protective mechanisms, standard and safety-related user programs can be executed on one
CPU.

F-Program
The safety program (F-program) for controlling the safety-related functions of the plant is
comprised of a part created by the user in FBD or LAD and a part generated by Safety Advanced
that, among other things, contains the diverse logic to the user part. To this part of the safety
program created by the user, Safety Advanced generates a diverse program that works with
diverse operands and operations.
The creation of the standard and safety program takes place in the same programming
environment. TÜV-certified safety functions for all the usual safety functions simplify the
programming as well and thus lead quickly to the finished program.

Coexistence of Standard and F-Program

The standard program and safety program are executed independently in the CPU. Through the
coexistence of both programs on one CPU, the communication program between the two
programs can be implemented by means of global variables.
Changes to the standard program have no impact on the safety program so that it is still fully
functional.

PROFIsafe Layer
PROFIsafe is the first open standard (IEC 61784) for safety-related (fail-safe) communication that
allows standard and safety-related communication over one and the same connection (cable or
wireless through WLAN).

TIA-PRO3 - Appendix: Introduction to Fail-safe Controllers

Training Document V15.01.00 9-17