Safety PLCs & Safety Relays: Engineering Guide
Safety PLCs and safety relays are the core building blocks of modern machine and process safety architectures. Both are used to monitor emergency stops, guard doors, light curtains, safety mats, two-hand controls, enabling switches, and other protective devices, then force the machine into a safe state when a fault or demand occurs. The practical difference is scope: a safety relay is typically a dedicated, fixed-function device for one or a few safety loops, while a safety PLC is a programmable safety controller that can manage many safety functions, diagnostics, networks, and interlocks across a larger system.
What They Are and How They Work
A safety relay contains redundant internal channels, monitored contactors or semiconductor outputs, and cross-fault detection logic. It expects input devices to be wired in dual-channel where required, continuously checks for discrepancies, and de-energizes outputs if a fault is detected. Typical functions include manual reset, EDM/feedback loop monitoring, and fault latching. Many devices are designed to meet performance levels such as PL d or PL e under ISO 13849-1.
A safety PLC performs the same safety logic in software, but on a certified safety CPU and I/O system designed with redundancy, diagnostics, and fail-safe behavior. The safety program is executed in a safety-rated runtime, often with watchdogs, CRC checks, and cross-monitoring between processors. Safety PLCs also support distributed safety over fieldbus protocols such as PROFIsafe, CIP Safety, or FSoE, allowing safety I/O to be placed near the machine rather than home-run wired to a central cabinet.
In both cases, the architecture is usually based on the concept of “de-energize to trip” or a defined safe state. For example, a dual-channel E-stop opens, the safety logic detects the change, and safety outputs drop out to remove energy from contactor coils, STO inputs on drives, or safety valves. The overall risk reduction depends on the complete safety function, not only the device.
Main Vendors and Product Families Engineers Should Know
Safety Relays
- Siemens SIRIUS 3SK1 / 3SK2 safety relays and monitoring modules
- Pilz PNOZ X classic safety relays and PNOZsigma compact relays
- Schneider Electric Preventa XPS series
- Allen-Bradley Guardmaster safety relays such as 440R families
- Omron G9SE and related safety relay units
- ABB Jokab Safety line, including RT9 and related modules
Safety PLCs / Safety Controllers
- Siemens S7-1200F / S7-1500F with PROFIsafe
- Pilz PSS 4000 and PNOZmulti 2 configurable safety controllers
- Rockwell Automation GuardLogix 5380 / 5580
- Schneider Electric Modicon M580 Safety
- Omron NX-SL safety CPU and NX safety I/O
- Beckhoff TwinSAFE with EL6900, EL6910, and TwinSAFE Logic
- ABB AC500-S safety PLC platform
Selection Criteria with Concrete Sizing Rules
Selecting between a relay and a safety PLC is usually a question of safety function count, diagnostics, network integration, and lifecycle flexibility. A safety relay is often best for one machine with a small number of hardwired functions. A safety PLC is usually better when you need multiple safety zones, muting, safe motion, data logging, remote I/O, or integration with a larger automation system.
Rule 1: Match the required Performance Level or SIL
Under ISO 13849-1, determine the required performance level (PLr) from the risk assessment (the Annex A risk graph is the usual route), then choose the architecture (category), component reliability (MTTFd), diagnostic coverage (DC), and common-cause-failure measures needed to reach it. PL d is the typical target for machine guarding functions, with PL e reserved for the highest-risk functions. Under IEC 62061 or IEC 61508, the equivalent target is SIL 2 or SIL 3. The chosen device must be capable of supporting the complete safety function, including sensors, logic solver, actuators, and diagnostics; a PL e relay in front of a single unmonitored contactor does not give a PL e function.
Rule 2: Check input and output capacity with margin
For a safety relay, count the number of channels and contact sets. For a safety PLC, count safety inputs, test pulse requirements, safety outputs, and remote nodes. A practical rule is to keep at least 20% spare I/O for commissioning changes and future modifications.
Example: a machine has 6 E-stops, 4 guard doors, 2 light curtains, and 3 safety contactors. If each E-stop and guard door uses dual channels, the safety input count is:
$$N_{DI} = 2(6 + 4) + 2(2) = 24 \text{ channels}$$
With 20% spare added, the requirement is 29 channels, so a controller with 16-channel safety input capacity is undersized; a 32-channel unit or a distributed safety I/O architecture is the right fit.
Rule 3: Size the output current and contactor coils
Safety outputs must drive the final switching elements reliably. Suppose a safety PLC output module can source 0.5 A per channel, and each contactor coil draws 0.12 A at 24 VDC. If three contactors are driven in parallel, the current is:
$$I_{total} = 3 \times 0.12 = 0.36 \text{ A}$$
This fits the output rating with margin. If inrush is 2.5 times steady-state, the peak is:
$$I_{inrush} = 2.5 \times 0.36 = 0.9 \text{ A}$$
That exceeds a 0.5 A direct output rating, so either split the contactors across output channels or use interposing relays or a contactor interface module. DC coils usually have little inrush, while AC coils and contactors with electronic coil interfaces can draw several times their holding current, so always verify both steady-state and transient load data from the vendor datasheet. Where several contactors share one safety output, wire their mechanically linked mirror contacts in series into the EDM feedback loop so a welded contact on any of them blocks the next reset, and check that the chosen coil suppression does not stretch the dropout time beyond the stopping-time budget.
Rule 4: Estimate thermal load in the cabinet
If a safety relay dissipates 4 W and a safety PLC rack dissipates 18 W, the cabinet thermal impact matters. For 6 relays and one PLC:
$$P_{total} = 6 \times 4 + 18 = 42 \text{ W}$$
At a permissible cabinet temperature rise of 10 K and a simplified thermal resistance of 0.25 K/W, the rise is:
$$\Delta T = P_{total} \times R_{\theta} = 42 \times 0.25 = 10.5 \text{ K}$$
At 10.5 K the rise exceeds the 10 K limit, so ventilation, a larger enclosure, or relocating heat sources is required. The thermal resistance of a sealed enclosure depends on its surface area and mounting, so replace the 0.25 K/W placeholder with the enclosure manufacturer's figure. Thermal checks are especially important in sealed IP65/66 panels and warm ambient environments.
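Rules 2 to 4 are easier to apply consistently as one small calculation that takes the device list and returns the fitted module size, the output-channel current check, and the cabinet temperature rise. The script below is an added example written for this guide, not vendor software; the module sizes, the 20% spare factor, the inrush factor, and the device list are assumptions, and `guide_example()` simply feeds in the numbers used in the worked examples above.

```python
"""Sizing helper for Rules 2 to 4 of this guide. Added example, not vendor software;
module sizes, spare factor and the device list are assumptions, not datasheet values."""
from dataclasses import dataclass
from math import ceil

SPARE = 0.20                          # Rule 2: keep 20 % spare I/O
MODULE_SIZES = (8, 16, 32, 64)        # assumed safety input granularity offered by the vendor


@dataclass
class Device:
    kind: str
    qty: int
    channels: int                     # safety input channels per device (2 = dual-channel)


def required_inputs(devices):
    """Raw channel count, count with spare, and the smallest module size that fits (None if none)."""
    raw = sum(d.qty * d.channels for d in devices)
    with_spare = ceil(raw * (1 + SPARE))
    fitted = next((m for m in MODULE_SIZES if m >= with_spare), None)
    return raw, with_spare, fitted


def output_check(n_loads, i_coil_a, inrush_factor, i_rating_a):
    """Rule 3: steady-state and peak current on one output channel driving n_loads coils in parallel."""
    steady = n_loads * i_coil_a
    peak = steady * inrush_factor
    return steady, peak, peak <= i_rating_a    # False: interposing relay or split the load


def thermal_check(p_parts_w, r_theta_k_per_w, dt_limit_k):
    """Rule 4: delta T = P_total * R_theta, compared with the permissible rise."""
    p_total = sum(p_parts_w)
    dt = p_total * r_theta_k_per_w
    return p_total, dt, dt <= dt_limit_k


def guide_example():
    """The guide's own numbers: 6 E-stops, 4 doors, 2 light curtains, 3 contactors, 6 relays + 1 PLC."""
    devices = [Device("E-stop", 6, 2), Device("guard door", 4, 2),
               Device("light curtain (OSSD pair)", 2, 2)]
    raw, spare, module = required_inputs(devices)
    steady, peak, direct = output_check(n_loads=3, i_coil_a=0.12, inrush_factor=2.5, i_rating_a=0.5)
    p_total, dt, cool = thermal_check([4.0] * 6 + [18.0], r_theta_k_per_w=0.25, dt_limit_k=10.0)
    return {
        "inputs_raw": raw, "inputs_with_spare": spare, "input_module": module,
        "i_steady_a": round(steady, 2), "i_peak_a": round(peak, 2), "direct_drive_ok": direct,
        "p_total_w": p_total, "delta_t_k": round(dt, 2), "thermal_ok": cool,
    }


if __name__ == "__main__":
    for key, value in guide_example().items():
        print(f"{key:20} {value}")
```

Run as a script it prints the three checks for the guide's example (24 raw channels, 29 with spare, 32-channel module; 0.36 A steady and 0.9 A peak, direct drive not acceptable; 42 W and 10.5 K, thermal limit exceeded). Swap in the project's own device list, vendor I/O granularity, and enclosure thermal resistance to reuse it.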
Where They Fit in Automation, Panel, SCADA, and Contracting Projects
In panel building, safety devices define the safety architecture of the control cabinet and field wiring. Safety relays are common in small OEM machines, while safety PLCs are common in modular lines, packaging systems, conveyors, robotics, and process skids.
In automation engineering, safety PLCs often sit beside the standard PLC and exchange status, diagnostics, and permissives. They may control STO on drives, safe speed functions, and zone-based interlocks. In SCADA projects, safety logic should generally remain in the safety controller, not in the SCADA layer. SCADA can visualize status and alarms, but it must not be the sole means of safety function execution.
For EPC and contracting teams, safety architecture affects cable schedules, terminal counts, enclosure sizing, FAT/SAT scope, and documentation. It also affects lifecycle support: safety PLCs require version control, proof test planning, and validation records. Safety relays are simpler to commission but can become wiring-heavy as the machine grows.
Applicable Standards and Clauses
- ISO 13849-1:2015 — Clause 4 for design considerations, including determination of the required performance level (PLr) and evaluation of the achieved PL; Clause 6 for categories and their relation to MTTFd, DCavg, and CCF; Annex A for the PLr risk graph; Annexes C to F for MTTFd, DC, and CCF estimation. ISO 13849-1:2023 has since superseded the 2015 edition, so confirm which edition the project's harmonized-standards list cites before quoting clause numbers.
- ISO 13849-2:2012 — validation requirements for safety functions.
- IEC 62061:2021 — functional safety of safety-related control systems for machinery; use when engineering to SIL-based machinery requirements.
- IEC 60204-1:2016 — Clause 9 for control circuits and control functions, including the stop categories and emergency stop; Clause 10 for the operator interface and machine-mounted control devices; Clause 18 for verification.
- IEC 61496 — electro-sensitive protective equipment such as light curtains.
- IEC 61131-6 — functional safety requirements for programmable controllers (FS-PLCs); the safety communication layer used by PROFIsafe, CIP Safety, and FSoE is specified separately in IEC 61784-3.
- EN ISO 14119 — interlocking devices associated with guards.
- EN ISO 13850 — emergency stop function design.
- NFPA 79 — industrial machinery electrical standards, widely used in North American projects.
Installation Considerations
Wiring and segregation
Keep safety wiring separated from non-safety control wiring where practical. Use clearly identified terminal blocks, wire ferrules, and dedicated cable routes. Wire dual-channel devices so that a short between the two channels is either detected (for example, by feeding each channel from a different test-pulse output of the safety controller) or excluded by a justified fault exclusion such as separately sheathed cables; document every fault exclusion, because it has to be defended at validation. For safety networks, use vendor-approved cable types and topology limits.
EMC
Safety devices are not immune to poor EMC practice. Route safety I/O away from VFD motor leads, contactor power wiring, and high dV/dt circuits. Use shield termination per vendor instructions, maintain 360-degree shield bonding where required, and provide proper PE bonding. IEC 60204-1 and EN 61000 series EMC practices should be applied consistently.
Thermal and enclosure layout
Place safety PLCs and relays away from heat-generating components such as drives and power supplies. Respect minimum clearances, airflow paths, and derating curves. If the panel is densely packed, calculate dissipation early and verify ambient limits at the worst-case operating point.
Proof testing and validation
Document the safety function, cause-and-effect matrix, reset behavior, EDM loop, and fault response. Validate the actual installation against the safety requirement specification, including forced-fault tests (open each channel, short the channels together, block the feedback loop) to confirm the controller trips and refuses reset as designed. For programmable safety, changes to the safety program must be version-managed, recorded together with the safety signature or program checksum the controller reports, and revalidated after modification.
Copy-Paste Specification Table
| Parameter | Project Requirement | Notes |
|---|---|---|
| Safety architecture | Safety relay / safety PLC / distributed safety | Match machine complexity and required PL/SIL |
| Required PLr / SIL | PL d, PL e, SIL 2, or SIL 3 | From risk assessment |
| Safety inputs | [ ] channels | Include 20% spare capacity |
| Safety outputs | [ ] outputs | Check current, inrush, and diagnostics |
| Network | None / PROFIsafe / CIP Safety / FSoE | For distributed safety and diagnostics |
| Reset mode | Manual / monitored manual / automatic | Per risk assessment and standard requirements |
| EDM feedback | Yes / No | Recommended for contactor monitoring |
| Supply voltage | 24 VDC | Verify tolerance and hold-up |
| Ambient temperature | [ ] °C | Check derating |
| Enclosure dissipation | [ ] W | Used for thermal sizing |
| Compliance | CE marking under the Machinery Directive 2006/42/EC or Machinery Regulation (EU) 2023/1230, applying the relevant EN/IEC standards | Include validation records and technical file |
In practice, the best choice is the simplest architecture that still meets the required safety level, diagnostics, and maintainability. For small machines, safety relays remain cost-effective and robust. For larger systems, safety PLCs provide the scalability and integration needed for modern automation and compliant European machine design.
Frequently asked questions
When should an engineer choose a safety PLC instead of a safety relay in a machine or process panel?
A safety relay is usually the better choice for simple, hardwired safety functions such as one or two emergency-stop circuits, guard door interlocks, or a small number of safety contacts. A safety PLC is preferred when the project needs multiple safety zones, complex logic, diagnostics, time delays, or integration with standard automation and SCADA, while still maintaining compliance with IEC 62061, ISO 13849-1, and IEC 61508.
How do you size a safety PLC or safety relay for the required Performance Level or SIL?
Sizing starts by defining the required risk reduction from the risk assessment, then mapping the safety function to the target Performance Level under ISO 13849-1 or SIL under IEC 62061 / IEC 61508. You must verify the full safety chain, including input devices, logic solver, output elements, diagnostic coverage, and proof that the architecture and component reliability data achieve the target category, MTTFd, DC, or PFHd values.
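The mapping from component data to an achieved PL that Rule 1 and the answer above describe is the ISO 13849-1 simplified method. The script below is an added example written for this guide, not a certified calculation tool (SISTEMA or the vendor's calculator remains the reference for the technical file); it implements MTTFd from B10d, the parts-count channel MTTFd, DCavg, the Table 7 lookup of category plus MTTFd band plus DC band, and the Table 11 rule for combining subsystems in series. Every B10d, DC, CCF score, and operating-profile value in it is constructed for illustration, not taken from a datasheet.

```python
"""ISO 13849-1 simplified method: MTTFd per channel, DCavg and PL lookup.
Added example for this guide, not a certified tool. Formulas follow ISO 13849-1:2015
(Annex C/D/E, Table 7, Table 11); every part value below is constructed."""
from dataclasses import dataclass
from typing import Optional

PL_ORDER = "abcde"
MTTFD_CAP = {"B": 100.0, "1": 100.0, "2": 100.0, "3": 100.0, "4": 2500.0}
# Table 7: (category, DCavg band) -> {MTTFd band: achievable PL}
TABLE_7 = {
    ("B", "none"): {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


@dataclass
class Part:
    name: str
    dc: float                            # diagnostic coverage of this part, 0..1
    b10d: Optional[float] = None         # cycles until 10 % have failed dangerously
    mttfd_years: Optional[float] = None  # use directly when the vendor states MTTFd


def nop_per_year(dop_days: float, hop_hours: float, tcycle_s: float) -> float:
    """Mean operations per year: nop = dop * hop * 3600 / tcycle."""
    return dop_days * hop_hours * 3600.0 / tcycle_s


def part_mttfd(p: Part, nop: float) -> float:
    """MTTFd = B10d / (0.1 * nop) for electromechanical parts."""
    return p.mttfd_years if p.mttfd_years is not None else p.b10d / (0.1 * nop)


def channel_mttfd(parts, nop, category):
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i), capped at 100 y (2500 y for Cat 4)."""
    inv = sum(1.0 / part_mttfd(p, nop) for p in parts)
    return min(1.0 / inv, MTTFD_CAP[category])


def dc_avg(parts, nop):
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    inv = [1.0 / part_mttfd(p, nop) for p in parts]
    return sum(p.dc * i for p, i in zip(parts, inv)) / sum(inv)


def mttfd_band(m):
    if m < 3:
        return None                      # below 3 years is not permitted
    return "low" if m < 10 else "medium" if m < 30 else "high"


def dc_band(dc):
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def subsystem_pl(parts, nop, category, ccf_score):
    """(MTTFd, DCavg, PL) for a subsystem with identical channels; PL None if not achievable."""
    m, d = channel_mttfd(parts, nop, category), dc_avg(parts, nop)
    if category in ("2", "3", "4") and ccf_score < 65:   # CCF score must reach 65 points
        return m, d, None
    return m, d, TABLE_7.get((category, dc_band(d)), {}).get(mttfd_band(m))


def combine_pl(pls):
    """Series alignment of subsystems (Table 11): lowest PL, downgraded if too many share it."""
    if any(pl is None for pl in pls):
        return None
    low = min(pls, key=PL_ORDER.index)
    limit = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}[low]
    if pls.count(low) <= limit:
        return low
    return None if low == "a" else PL_ORDER[PL_ORDER.index(low) - 1]


def meets(pl, plr):
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


# Constructed case: guard-door interlock in Category 3, dual channel; one channel holds
# one interlock switch (cross-monitored, no test pulses) and one safety contactor (EDM).
NOP = nop_per_year(dop_days=220, hop_hours=16, tcycle_s=120)      # door opened every 2 min
GUARD_CHANNEL = [
    Part("guard interlock switch", dc=0.90, b10d=2_000_000),
    Part("safety contactor", dc=0.99, b10d=1_300_000),
]


def worked_example(plr="d"):
    m, d, pl = subsystem_pl(GUARD_CHANNEL, NOP, "3", ccf_score=70)
    overall = combine_pl([pl, "e"])   # safety relay: separately certified subsystem, vendor PL e
    return round(m, 1), round(d, 3), pl, overall, meets(overall, plr)


if __name__ == "__main__":
    print(worked_example())
```

For the constructed case the channel MTTFd comes out at about 74.6 years (high) with DCavg about 95% (medium), which in Category 3 gives PL d; combined with a PL e safety relay the function stays at PL d and meets a PLr of d. The same inputs with a CCF score below 65, or declared as Category 4 without DC high, return no PL, which is exactly the outcome a reviewer should expect to see justified rather than hand-waved. Channels that are not identical need the symmetrization formula from the standard, which this script does not implement.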
What are the key wiring rules when integrating safety relays into an electrical panel?
Safety relays should switch safety contactors with mechanically linked (positively guided) contacts where monitoring is required, be segregated from non-safety circuits, and be protected against short circuits, cross faults, and unintended bypasses. Panel design should follow IEC 60204-1 for machine electrical equipment and IEC 61439 for assembly practices, including correct conductor identification, terminal marking, and protective device coordination.
Can a safety PLC communicate with a standard PLC and SCADA system without losing safety integrity?
Yes, but the safety function must remain within the certified safety system, and communication to a standard PLC or SCADA must be treated as non-safety unless a certified safe communication protocol is used. Common approaches include PROFIsafe, CIP Safety, or FSoE, with the safety layer designed and validated according to IEC 61784-3 and the overall safety function assessed to IEC 61508 or IEC 62061.
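The reason a plain PLC or SCADA link cannot carry the safety function is the "black channel" model behind the protocols named above: the safety endpoints add their own checks to every frame so that the network in between is not trusted. The script below is an added example written for this guide; it is not the PROFIsafe, CIP Safety, or FSoE frame format, only an illustration of the IEC 61784-3 measures those protocols build on (connection ID, consecutive number, watchdog time, and a CRC over the safety PDU). The header layout, the CRC choice, and all frames are assumptions. Note what these checks do not do: the CRC and sequence number detect random corruption, loss, repetition, delay, and misrouting, but they are not cryptographic, so anyone who can inject traffic on the network can forge a valid-looking safety frame. IEC 61784-3 leaves security to IEC 62443, which is why safety networks still need segmentation and access control.

```python
"""Generic 'black channel' safety-frame check. Added example for this guide; not the
PROFIsafe, CIP Safety or FSoE frame format. Header layout, CRC choice and frames are assumed."""
import struct

HDR = struct.Struct(">HHB")     # assumed layout: connection id, consecutive number, status


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); check value for b'123456789' is 0x29B1."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(conn_id: int, seq: int, status: int, payload: bytes) -> bytes:
    """Producer side: header + safety payload + CRC over both."""
    body = HDR.pack(conn_id, seq & 0xFFFF, status) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


class SafetyConsumer:
    """Consumer side. Any check failure latches the safe state until an explicit reset."""

    def __init__(self, conn_id: int, watchdog_ms: int):
        self.conn_id, self.watchdog_ms = conn_id, watchdog_ms
        self.expected_seq, self.last_ok_ms, self.safe_state = 0, None, False

    def _trip(self, reason: str):
        self.safe_state = True          # de-energize safety outputs
        return "trip", reason

    def tick(self, now_ms: int):
        """Run from the cyclic task: no valid frame within the watchdog time also trips."""
        if (not self.safe_state and self.last_ok_ms is not None
                and now_ms - self.last_ok_ms > self.watchdog_ms):
            return self._trip("watchdog")
        return "ok", None

    def receive(self, frame: bytes, now_ms: int):
        if self.safe_state:
            return "safe_state", None
        if len(frame) < HDR.size + 2:
            return self._trip("short")
        body, crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
        if crc16_ccitt(body) != crc:
            return self._trip("crc")                # corrupted in transit
        cid, seq, _status = HDR.unpack(body[:HDR.size])
        if cid != self.conn_id:
            return self._trip("connection_id")      # frame belongs to another connection
        if seq != self.expected_seq:
            return self._trip("sequence")           # repeated, lost or reordered frame
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._trip("watchdog")           # delayed beyond the watchdog time
        self.expected_seq, self.last_ok_ms = (seq + 1) & 0xFFFF, now_ms
        return "ok", body[HDR.size:]

    def reset(self):
        self.safe_state, self.expected_seq, self.last_ok_ms = False, 0, None


def run_scenarios() -> dict:
    """Constructed traffic for one connection: three good frames, then the fault cases."""
    cid, wd = 0x0101, 100
    good = [build_frame(cid, i, 0, b"\x01") for i in range(3)]    # b'\x01' = 'run' (assumed)
    out = {}
    c = SafetyConsumer(cid, wd)
    out["normal"] = [c.receive(f, t)[0] for f, t in zip(good, (0, 50, 100))]
    out["replay"] = c.receive(good[1], 150)[1]                    # old 'run' frame re-injected
    out["latched"] = c.receive(build_frame(cid, 3, 0, b"\x01"), 200)[0]

    def fresh():                                                  # consumer that accepted frame 0
        c = SafetyConsumer(cid, wd)
        c.receive(good[0], 0)
        return c

    flipped = bytearray(good[1])
    flipped[HDR.size] ^= 0x01                                     # single bit flip in the payload
    out["corrupt"] = fresh().receive(bytes(flipped), 50)[1]
    out["delayed"] = fresh().receive(good[1], 250)[1]             # 250 ms > 100 ms watchdog
    out["wrong_id"] = fresh().receive(build_frame(0x0202, 1, 0, b"\x01"), 50)[1]
    out["silence"] = fresh().tick(500)[1]                         # nothing received at all
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Each fault case ends in the latched safe state, and the replay case is the one worth pointing at when someone proposes passing safety status through the standard PLC: a perfectly valid old "run" frame is rejected purely because its consecutive number is stale, which a plain Modbus or OPC UA tag write would never catch. Real protocols add more (timestamps, dual CRCs, cross-checked redundant data), but the consumer-side discipline is the same.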
What should be checked when selecting safety inputs and outputs for field devices like E-stops, light curtains, and interlocks?
Verify that the input device type, contact arrangement, and reset behavior are compatible with the safety logic, including dual-channel monitoring, EDM/feedback loops, and manual reset where required. For outputs, confirm the safety relay or safety PLC output type, switching capacity, and load category match the actuator, contactor, or valve coil characteristics, with installation aligned to IEC 62061 and ISO 13849-1.
How do you determine whether a safety relay can directly switch a contactor or whether an interposing device is needed?
Check the relay output rating against the contactor coil inrush and steady-state current, duty cycle, and suppression method, because coil transients can shorten contact life or prevent reliable dropout. If the load exceeds the safety relay output limits or the project requires higher availability, use a properly rated interposing relay or safety-rated contactor combination designed and validated under IEC 60947 and IEC 60204-1.
What diagnostics and maintenance features should EPC contractors specify for safety PLCs in global projects?
Specify per-channel diagnostics, fault localization, event logging, proof-test support, and clear status indication so maintenance teams can identify failed sensors, wiring faults, or output discrepancies quickly. For larger plants, these features reduce downtime and support lifecycle management, while helping meet functional safety verification and maintenance expectations under IEC 61508 and IEC 62061.
What documentation is typically required for compliance review of a safety PLC or safety relay package?
The package should include the risk assessment, safety function description, calculation or validation evidence for PL or SIL, wiring diagrams, device certificates, and a list of approved components with their safety data. For European projects, reviewers commonly expect conformity evidence aligned with the Machinery Directive or Machinery Regulation context, plus standards such as ISO 13849-1, IEC 62061, IEC 60204-1, and where applicable EN ISO 13850 for emergency stop functions.
