Implementing Safety PLCs in Industrial Machinery
Safety PLCs have become the preferred architecture for many modern machines because they combine deterministic control, diagnostics, and certified safety functions in one platform. However, “using a safety PLC” is not the same as “designing a safe machine.” A compliant implementation still requires a disciplined risk assessment, correct safety function allocation, validated hardware and software, and careful integration with the machine control system. In European projects, this must be done within the framework of the Machinery Directive 2006/42/EC, the harmonized standards EN ISO 12100, EN ISO 13849-1/-2, EN IEC 62061, and where applicable EN IEC 60204-1 for electrical equipment of machines.
1. What a Safety PLC Actually Does
A safety PLC is a programmable controller designed to execute safety-related control functions with a defined level of integrity. Typical functions include emergency stop, guard door interlocking, light curtain muting, safe speed monitoring, enabling devices, and safe torque off (STO) of drives. Unlike a standard PLC, a safety PLC includes certified internal diagnostics, redundant processing or cross-monitoring, and mechanisms to detect faults that could lead to loss of the safety function.
In practical terms, a safety PLC is part of the overall safety-related control system (SRP/CS). It is not the entire safety system. Sensors, actuators, wiring, contactors, drives, and even the logic structure all contribute to the final Performance Level (PL) or Safety Integrity Level (SIL).
2. Standards and Compliance Framework
For European machinery, the usual design chain is:
- EN ISO 12100: risk assessment and risk reduction principles.
- EN ISO 13849-1: design of safety-related parts of control systems using Performance Level (PL).
- EN ISO 13849-2: validation of safety functions.
- EN IEC 62061: functional safety of safety-related electrical, electronic, and programmable electronic control systems, using SIL concepts.
- EN IEC 60204-1: electrical equipment of machines, including stop categories, protective bonding, and control circuit requirements.
Where hazards involve moving machinery, emergency stop design should also be aligned with EN ISO 13850. For industrial cybersecurity in connected automation environments, NIS2 is increasingly relevant at the organizational and supply-chain level, especially when safety PLCs are networked, remotely accessed, or integrated into OT architectures.
Clause-level references that matter in design reviews include EN ISO 12100:2010 Clause 5 for risk reduction, EN ISO 13849-1 Clause 6 for safety function specification and design, Clause 7 for validation principles, and EN IEC 60204-1 Clause 9 for control circuits and stop functions. For emergency stop, EN ISO 13850 is the primary reference; for interlocking devices, EN ISO 14119 is often applicable.
3. Start with Risk Assessment, Not Hardware Selection
A common engineering mistake is selecting a safety PLC before defining the required safety functions. The correct sequence is:
- Identify hazards and operating modes.
- Estimate risk severity, frequency/exposure, and possibility of avoidance.
- Determine required risk reduction.
- Allocate safety functions to the control system.
- Specify the required PLr or SIL for each function.
- Design the architecture and validate it.
For example, a packaging machine may require:
- Emergency stop: PL d
- Guard door interlock: PL e
- Safe speed monitoring for maintenance mode: PL d
- Two-hand control for a press cycle: PL e
Different functions can and often should have different integrity requirements. Do not overdesign low-risk functions or underdesign high-risk ones.
4. Architecture Choices: Input, Logic, and Output
A safety PLC-based safety function typically consists of three layers:
- Input subsystem: E-stops, interlocks, light curtains, safety mats, enabling switches, encoders, or safe drive feedback.
- Logic solver: the safety PLC CPU and safety I/O modules executing certified safety logic.
- Output subsystem: safety contactors, safety relays, STO inputs, safe brake control, or hydraulic dump valves.
EN ISO 13849-1 uses categories and diagnostic coverage to determine PL. EN IEC 62061 uses subsystem architecture and SIL claims. In practice, many machine builders select a safety PLC because it simplifies complex logic, provides built-in diagnostics, and supports networked safety protocols such as PROFIsafe, CIP Safety, or FSoE.
Typical architecture considerations
- Dual-channel inputs for emergency stops and interlocks.
- Safe communication over certified networks, but only where the complete chain is validated.
- Force-guided contactors when a hard power removal is needed.
- STO preferred for many drives, but not always sufficient if coast-down time is unacceptable.
5. Worked Example: Estimating a Safety Function with EN ISO 13849-1
Consider a guarded access door on a conveyor line. Opening the door must stop hazardous motion. The target is PL d.
Assume the following:
- Each safety switch has a mean time to dangerous failure $MTTF_d = 80$ years.
- The diagnostic coverage of the input channel arrangement is moderate-to-high, say $DC = 90\%$.
- The subsystem architecture is Category 3, with redundancy and fault detection.
- Common cause failure factor is controlled with good separation and diversity, say $\beta = 5\%$.
For a simplified engineering estimate, the average dangerous failure rate per year is:
$$\lambda_d = \frac{1}{MTTF_d} = \frac{1}{80} = 0.0125 \text{ per year}$$
The undetected dangerous failure rate is approximately:
$$\lambda_{du} = \lambda_d \cdot (1-DC) = 0.0125 \cdot (1-0.90) = 0.00125 \text{ per year}$$
For a rough low-demand safety calculation, the contribution to PFHd from one channel can be represented as:
$$PFH_d \approx \lambda_{du}$$
so:
$$PFH_d \approx 1.25 \times 10^{-3} \text{ per year}$$
To compare with the PL bands, convert to per hour:
$$PFH_d \approx \frac{1.25 \times 10^{-3}}{8760} \approx 1.43 \times 10^{-7} \text{ h}^{-1}$$
This is within the PL d range and approaching PL e territory depending on the full subsystem calculation, proof test assumptions, and architecture details. In a real design, you would not stop here: EN ISO 13849-1 requires the full calculation using the complete subsystem model, including MTTFd for all components, DCavg, Category, and CCF scoring. EN ISO 13849-2 then requires validation that the implemented safety function actually meets the specified behavior under foreseeable faults.
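The simplified estimate above, as an added example that is not part of the original article: it reproduces the λd → λdu → per-hour PFHd chain and maps the result onto the PL bands tabulated in EN ISO 13849-1 (Table 3). The function and constant names are this example's own, and the common-cause factor β is deliberately not consumed, because the simplified estimate in the text does not use it.

```python
"""Simplified single-channel PFH_d estimate (added example, not the article's code).

Implements only the simplified engineering estimate shown in the text:
lambda_d = 1/MTTF_d, lambda_du = lambda_d * (1 - DC), converted to per hour.
It is NOT the full EN ISO 13849-1 subsystem calculation (Category, DCavg,
CCF/beta scoring); beta is therefore not an input here.
"""
from typing import Optional

HOURS_PER_YEAR = 8760

# PL bands as (PL, lower bound inclusive, upper bound exclusive) of PFH_d
# in failures per hour, per EN ISO 13849-1 Table 3.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


def simplified_pfh_d(mttf_d_years: float, dc: float) -> float:
    """Per-hour PFH_d of one channel from MTTF_d (years) and DC (0..1)."""
    if mttf_d_years <= 0:
        raise ValueError("MTTF_d must be positive")
    if not 0.0 <= dc < 1.0:
        raise ValueError("DC must be in [0, 1)")
    lambda_d = 1.0 / mttf_d_years           # dangerous failures per year
    lambda_du = lambda_d * (1.0 - dc)       # undetected dangerous failures per year
    return lambda_du / HOURS_PER_YEAR       # per hour, comparable with PL bands


def performance_level(pfh_d: float) -> Optional[str]:
    """PL band ('a'..'e') containing pfh_d, or None if outside the table."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh_d < hi:
            return pl
    return None


def meets_plr(pfh_d: float, plr: str) -> bool:
    """True if the achieved PL is at least as good as the required PLr."""
    order = "abcde"
    achieved = performance_level(pfh_d)
    return achieved is not None and order.index(achieved) >= order.index(plr)


if __name__ == "__main__":
    # The article's figures: MTTF_d = 80 years, DC = 90 % -> ~1.43e-7 /h, PL d.
    pfh = simplified_pfh_d(80, 0.90)
    print(f"PFH_d = {pfh:.3e} /h -> PL {performance_level(pfh)}")
```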
Now suppose the stop time of the conveyor after the safety function triggers is 1.2 s, and the hazardous point is 0.35 m behind the guard opening. If an operator can reach in, the stopping distance and access geometry must be checked carefully. For a simplified approach, if the operator’s hand reaches 0.25 m into the opening before the motion becomes dangerous, the design may be acceptable only if the residual motion and access speed are proven safe. In practice, this is why guard design and safety function timing must be evaluated together, not separately.
6. Safety PLC Programming Principles
Safety PLC programming is not ordinary machine control programming. The logic should be simple, explicit, and traceable to the safety function specification. Good practice includes:
- One safety function per clearly named program block or function.
- Fail-safe default states.
- Manual reset after fault or guard opening where required.
- Monitoring of discrepancy time for dual-channel devices.
- Explicit handling of start/restart interlocks.
- Separation between safety logic and standard automation logic.
EN ISO 13849-1 Clauses 6.2 and 6.3 are especially relevant for safety-related control design and fault handling. A common pattern is to use safety-rated function blocks for E-stop, guard monitoring, and muting, but the engineer must still configure parameters correctly and verify that the application logic does not bypass the intended safety behavior.
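To make the programming principles concrete, here is an added example (not code from the article or from any vendor's safety library) modelling, in plain Python, what a dual-channel guard-monitoring block does each scan: fail-safe default, discrepancy-time monitoring with a latched fault, and a manual reset on a rising edge with no automatic restart after the guard reopens. The 500 ms discrepancy window, the class name and the scan interface are constructed for the example.

```python
"""Dual-channel guard monitoring with discrepancy time (added example, not the
article's code).  Models one cyclic safety-task evaluation; the caller passes
the two channel states, the reset button and the elapsed scan time in ms."""


class DualChannelGuard:
    def __init__(self, discrepancy_time_ms: int = 500):
        self.discrepancy_time_ms = discrepancy_time_ms  # constructed value
        self.output = False          # fail-safe default: enable is OFF
        self.fault = False           # latched discrepancy fault
        self._discrepancy_ms = 0     # how long ch1 != ch2 has persisted
        self._needs_reset = True     # manual reset required after power-up
        self._prev_reset = False     # for rising-edge detection of the reset

    def scan(self, ch1: bool, ch2: bool, reset: bool, dt_ms: int) -> bool:
        """ch1/ch2: True = contact closed (guard closed). Returns enable output."""
        guard_closed = ch1 and ch2
        both_open = not ch1 and not ch2

        # Discrepancy monitoring: channels may disagree only briefly, otherwise a
        # stuck contact, short or broken wire is suspected and the fault latches.
        if ch1 != ch2:
            self._discrepancy_ms += dt_ms
            if self._discrepancy_ms > self.discrepancy_time_ms:
                self.fault = True
        else:
            self._discrepancy_ms = 0

        # The fault clears only after both channels have been seen open together
        # (the guard was really opened); a manual reset is still required afterwards.
        if self.fault and both_open:
            self.fault = False

        if not guard_closed:
            self._needs_reset = True  # reopening forbids an automatic restart

        reset_edge = reset and not self._prev_reset  # a held button is not a reset
        self._prev_reset = reset

        if self.fault or not guard_closed:
            self.output = False       # fault or open guard always wins
        elif self._needs_reset:
            self.output = reset_edge  # enable only on a fresh manual reset
            if reset_edge:
                self._needs_reset = False
        else:
            self.output = True
        return self.output
```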
7. Output Devices: Contactors, STO, and Safe Motion
The output stage is often where real-world failures occur. A safety PLC can decide to stop a machine, but the output devices must physically interrupt or limit the hazardous motion.
- Safety contactors: appropriate for hard power removal and legacy systems; require feedback monitoring.
- STO: widely used with modern drives; removes torque-producing capability but does not always create a mechanical stop.
- SS1, SLS, SOS, SBC: safe motion functions useful for robots, servo systems, and high-inertia equipment.
For many machines, STO alone is enough for emergency stop if the risk assessment confirms that coast-down is acceptable. For presses, saws, or machinery with long run-down times, STO may not be sufficient by itself. EN IEC 61800-5-2 is the relevant drive safety standard for these functions.
8. Decision Matrix: Safety PLC or Safety Relay?
| Criterion | Safety Relay | Safety PLC |
|---|---|---|
| Simple E-stop circuit | Excellent | Possible, but often unnecessary |
| Multiple interlocks and zones | Poor scalability | Strong fit |
| Safe motion monitoring | Limited | Strong fit |
| Diagnostics and event logging | Basic | Advanced |
| Integration with SCADA/MES | Limited | Strong fit |
| Engineering effort | Lower for simple machines | Higher upfront, lower for complex systems |
| Lifecycle flexibility | Limited | High |
In general, choose a safety relay for a small, fixed-function machine with one or two safety loops. Choose a safety PLC when the machine has multiple zones, mode-dependent safety, safe motion, diagnostics, or future expandability requirements.
9. Validation, Testing, and Documentation
Validation is where many projects fail. EN ISO 13849-2 requires that the implemented safety-related parts be verified against the specification and validated under foreseeable fault conditions. That means:
- Checking wiring against schematics.
- Testing every safety input and output.
- Simulating single faults where required.
- Verifying restart behavior.
- Confirming stop times and safety distances.
- Recording software version, hardware version, and parameter set.
For CE marking, the technical file should contain the risk assessment, safety function specification, PL or SIL calculations, validation records, electrical drawings, software backup, and operating instructions. If the machine is networked or remotely accessible, cybersecurity controls should be documented as part of the operational risk management expected under modern EU practice and NIS2-aligned governance.
10. Common Engineering Mistakes and How to Avoid Them
The most common mistake is treating a safety PLC as a plug-and-play compliance solution. It is not. Other frequent errors include mixing standard and safety logic without clear boundaries, failing to validate stop times, ignoring common-cause failures in dual-channel wiring, using the wrong device category for the required PLr, and allowing bypasses or maintenance overrides without controlled procedures. Another recurring issue is poor documentation: if the safety function cannot be traced from risk assessment to validation, the design is not complete. Avoid these problems by starting with a formal risk assessment, writing a safety function specification, selecting certified components that match the required PL or SIL, validating every function in the real machine, and maintaining version control over logic, hardware, and parameter sets throughout the machine lifecycle.
Frequently asked questions
When should a safety PLC be used instead of hardwired safety relays in industrial machinery?
A safety PLC is typically chosen when the machine requires multiple safety zones, complex interlocks, diagnostics, or integration with standard automation and SCADA systems that would be cumbersome with hardwired relays. For European projects, the safety function must still be validated to the required Performance Level or Safety Integrity Level under ISO 13849-1 or IEC 62061, and the overall machine design must align with IEC 60204-1 and EN ISO 12100.
How do I determine the required Performance Level or SIL for a safety PLC function?
Start with a risk assessment and define each safety function, then calculate the required Performance Level (PLr) per EN ISO 13849-1 or the required Safety Integrity Level (SIL) per IEC 62061 based on severity, frequency of exposure, and possibility of avoidance. The safety PLC, input devices, logic solver, and output elements must collectively meet that target, with documented verification and validation evidence.
What wiring and panel design rules should be followed when integrating a safety PLC in an electrical cabinet?
Safety-related wiring should be segregated from non-safety circuits, clearly identified, and installed to minimize common-cause failures and electromagnetic interference, consistent with IEC 60204-1 and EN 61439 for control panels. Use appropriate protective devices, terminal labeling, and conductor sizing, and ensure the safety inputs and outputs are arranged so that a single fault does not defeat the safety function.
How should dual-channel E-stops, guard switches, and light curtains be connected to a safety PLC?
These devices are usually wired as dual-channel inputs so the safety PLC can detect discrepancies, shorts, and loss of redundancy rather than treating them as a single contact. The device architecture, diagnostic coverage, and fault tolerance must be selected to satisfy the required PL or SIL, and the final circuit must be validated in accordance with IEC 62061 or ISO 13849-1.
Can a safety PLC communicate with a standard PLC or SCADA system over Ethernet?
Yes, but the safety function itself must not depend on non-safety communications unless the protocol is certified for functional safety, such as PROFIsafe, CIP Safety, or FSoE, and the system is designed accordingly. Standard SCADA or HMI networks can read safety status for monitoring, but the safety integrity must remain within the certified safety architecture and be consistent with IEC 61508 principles.
What documentation is required for CE marking a machine that uses a safety PLC in Europe?
You need the risk assessment, safety function specification, circuit schematics, safety calculations, verification/validation records, and the technical file supporting conformity with the Machinery Directive or Machinery Regulation applicable to the project. In practice, compliance evidence commonly references EN ISO 12100, EN ISO 13849-1 or IEC 62061, and IEC 60204-1 for electrical equipment of machinery.
How do I validate a safety PLC program before commissioning?
Validation should confirm that each safety function behaves correctly under normal operation, single-fault conditions, and fault-recovery scenarios, including input discrepancies, output weld detection, and reset logic. Good practice is to test against a formal safety requirements specification and document results to satisfy IEC 62061 or ISO 13849-1, with traceability from risk assessment to test cases.
What are common mistakes EPC contractors make when specifying safety PLCs for industrial machinery projects?
Common errors include mixing safety and standard I/O without clear segregation, failing to calculate PLr or SIL early, ignoring proof-test or maintenance access, and assuming a safety PLC alone makes the machine safe. Another frequent issue is overlooking panel-level compliance and lifecycle requirements, which can lead to nonconformance with IEC 60204-1, EN 61439, and the applicable functional safety standard.