Safety PLC — Failsafe controllers
PLCs that don't go wrong — or rather that detect their own failures and go to safe state. Certified IEC 61508 SIL 2 to SIL 3, internal redundant architecture (1oo2D, 2oo3), continuous diagnostics, separation of standard / safety logic. Heart of process SIS (Safety Instrumented Systems) and machinery emergency stops.
Core principles
A Safety PLC is not faster or more powerful than a standard PLC: it is designed to DETECT its own failures. Four structuring principles distinguish an IEC 61508 certified controller from an ordinary one.
Internal redundant architecture
Two or three processors execute the same logic in parallel and compare results. On disagreement, fail-safe state. Typical topologies: 1oo1D, 1oo2, 1oo2D, 2oo3, 2oo4.
Continuous diagnostics
Automatic tests of CPU, memory, I/O, internal bus each cycle. Typical diagnostic coverage (DC) > 90% for SIL 2, > 99% for SIL 3. No diagnostics, no SIL claim.
Defined safe state
For each output: designer defines the safe state (typically "de-energized" = valve closed, motor stopped). On detected fault, PLC forces all outputs to safe state within Safety Function Response Time (SFRT).
Standard / safety separation
Safety tasks run in a dedicated memory space, isolated from standard tasks by certified firmware. No shared variables without validation. This separation is what allows a single hybrid PLC to run both (S7-1500F, ControlLogix GuardLogix).
Redundant architectures (HFT)
MooN notation means "M channels out of N total": at least M channels must remain operational for the function to stay assured. The larger N is compared with M, the higher the Hardware Fault Tolerance (HFT), and the higher the cost.
| Topology | Description |
|---|---|
| 1oo1D | 1 channel + diagnostics. Low cost. SIL 2 max with very high DC. |
| 1oo2 | 2 independent channels. High safety but lower availability (one channel fault → trip). |
| 1oo2D | 2 channels + diagnostics. If one channel fails but diagnosed, continue on the other. Most common SIL 3 in practice. |
| 2oo3 | 3 channels with majority voting. Very high availability AND safety. Most expensive. Typical of critical Triconex / HIMA SIS. |
| 2oo4 | 4 channels, 2-out-of-4 vote. Very high availability — one channel in maintenance without degradation. Reserved for critical applications. |
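The voting and diagnostic behaviour described under "Internal redundant architecture", "Defined safe state" and in the table above, as an added software model that is not from the page or from any vendor's firmware. The model assumes: each channel reports a trip demand and a self-test result for the cycle; the safe state is the de-energized output; in plain MooN schemes M of N channels must demand a trip for the output to de-energize, and a faulty channel is simply trusted because nothing diagnoses it; in the "D" variants a channel that failed its self-test is excluded from the vote and the remaining healthy channels vote with M reduced accordingly (degraded mode), and if no healthy channel is left the output is forced to the safe state. Degradation rules differ between real products, so that part is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Channel:
    """One redundant channel's view of this cycle (constructed sample data).
    demand:  True if the channel requests a trip (e.g. high pressure seen)
    healthy: True if the channel passed its self-diagnostics this cycle
    """
    demand: bool
    healthy: bool = True


SAFE = False        # de-energized output: valve closed, motor stopped
ENERGIZED = True    # normal operation, output energized


def parse_topology(topology: str) -> Tuple[int, int, bool]:
    """'1oo2D' -> (M=1, N=2, diagnostics=True); '2oo3' -> (2, 3, False)."""
    diag = topology.endswith("D")
    m, n = (int(x) for x in topology.rstrip("D").split("oo"))
    if not 1 <= m <= n:
        raise ValueError(f"invalid MooN topology: {topology}")
    return m, n, diag


def hardware_fault_tolerance(topology: str) -> int:
    """HFT = N - M: how many channels may fail before the function is lost."""
    m, n, _ = parse_topology(topology)
    return n - m


def vote(topology: str, channels: Iterable[Channel]) -> bool:
    """Return the output state for one cycle: SAFE (de-energized) or ENERGIZED.

    Non-D topologies have no diagnostics, so a faulty channel is trusted:
    in 1oo2 a single channel spuriously demanding a trip de-energizes the
    output (high safety, lower availability, as the table says).
    D topologies drop channels flagged faulty and re-vote on the rest
    (1oo2D with one diagnosed failure continues on the other channel).
    """
    m, n, diag = parse_topology(topology)
    chans: List[Channel] = list(channels)
    if len(chans) != n:
        raise ValueError(f"{topology} needs {n} channels, got {len(chans)}")
    if diag:
        good = [c for c in chans if c.healthy]
        if not good:
            return SAFE                 # no trustworthy channel left: fail safe
        m_eff = min(m, len(good))       # degraded voting (modelling assumption)
        trips = sum(c.demand for c in good)
    else:
        m_eff = m                       # no diagnostics: every channel counts
        trips = sum(c.demand for c in chans)
    return SAFE if trips >= m_eff else ENERGIZED


if __name__ == "__main__":
    for topo in ("1oo1D", "1oo2", "1oo2D", "2oo3", "2oo4"):
        print(topo, "HFT =", hardware_fault_tolerance(topo))
    # one channel spuriously demands a trip; only 1oo2 loses availability
    print("1oo2 :", vote("1oo2", [Channel(True), Channel(False)]))
    print("2oo3 :", vote("2oo3", [Channel(True), Channel(False), Channel(False)]))
    # 1oo2D: the spurious channel is diagnosed faulty, so the other one decides
    print("1oo2D:", vote("1oo2D", [Channel(True, healthy=False), Channel(False)]))
```

Run it to compare topologies on the same constructed channel readings; the interesting cases are a single spurious demand (trips 1oo2 but not 2oo3 or 2oo4) and a diagnosed channel failure (1oo2D continues, 1oo2 cannot tell).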
Vendors by sector
| Sector | SIL | Typical vendors |
|---|---|---|
| Process (SIS) | SIL 3 | HIMA HIMax / HIMatrix, Schneider Triconex, Emerson DeltaV SIS, Yokogawa ProSafe-RS, Honeywell Safety Manager, ABB AC 800M HI, Siemens SIMATIC Safety |
| Machinery (E-stop, light curtains) | SIL 2 / PL d-e | Pilz PSS 4000, Siemens S7-1500F / S7-300F, Rockwell GuardLogix / Compact GuardLogix, Schneider Modicon M580 Safety, B&R Safety, Beckhoff TwinSAFE |
| Burner (BMS) | SIL 3 | HIMA HIMatrix, Honeywell Safety Manager, Siemens SIMATIC PCS 7 + S7-1500F |
| Energy / nuclear | SIL 4 / Cat 1E | Westinghouse Common Q, Framatome Teleperm XS, Mitsubishi MELTAC, Siemens SPPA-T2000 |
2026 trends
Hybrid standard + safety platform
A single PLC handles both: Siemens S7-1500 + F-tasks, Rockwell ControlLogix + GuardLogix. One engineering environment, with qualified data exchange between standard and safety variables. Saves hardware and training.
Functional safety fieldbus
PROFIsafe (over PROFINET), CIP Safety (over EtherNet/IP), FSoE (over EtherCAT), openSAFETY. Safety messages travel over a standard bus and are protected by an end-to-end integrity check, as defined in IEC 61784-3.
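What "end-to-end integrity check over a standard bus" means in practice, as an added, deliberately simplified model that is not the page's own and is not the real PROFIsafe, CIP Safety or FSoE frame format. The model assumes a safety container of the form counter (1 byte) + payload + CRC-16 (2 bytes), with the connection identifier fed into the CRC computation but never transmitted, so that a frame belonging to another connection fails the check at the receiver. The consumer detects corruption (CRC), repetition, loss or insertion (consecutive number), wrong addressing or masquerade (CRC seeded with the wrong connection id) and unacceptable delay (watchdog), and on any of them substitutes the safe payload and latches in fail-safe until acknowledged. The class and method names, the 0x0A01 / 0x0B02 connection ids and the 100 ms watchdog are all constructed for the example.

```python
import struct
from typing import List, Optional, Tuple


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


class SafetyProducer:
    """Host side: wraps a payload into a safety container (model, not PROFIsafe)."""

    def __init__(self, conn_id: int) -> None:
        self.conn_id = conn_id
        self.counter = 0

    def build(self, payload: bytes) -> bytes:
        self.counter = self.counter % 255 + 1          # consecutive number 1..255
        body = bytes([self.counter]) + payload
        # the connection id is not on the wire: it seeds the CRC, so a frame
        # from another connection (misrouting, masquerade) fails the check
        crc = crc16_ccitt(struct.pack(">H", self.conn_id) + body)
        return body + struct.pack(">H", crc)


class SafetyConsumer:
    """Device side: validates each container or forces the safe payload."""

    def __init__(self, conn_id: int, watchdog_ms: int, safe_payload: bytes) -> None:
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms
        self.safe_payload = safe_payload
        self.expected: Optional[int] = None           # None = resync on next frame
        self.last_ok_ms: Optional[int] = None
        self.failsafe = False

    def _fail(self, reason: str) -> Tuple[bytes, str]:
        self.failsafe = True                          # latch until acknowledged
        return self.safe_payload, reason

    def acknowledge(self) -> None:
        """Operator reset after the cause has been cleared."""
        self.failsafe = False
        self.expected = None
        self.last_ok_ms = None

    def receive(self, frame: bytes, now_ms: int) -> Tuple[bytes, str]:
        """Return (payload to act on, status). Any fault yields the safe payload."""
        if self.failsafe:
            return self.safe_payload, "failsafe"
        if len(frame) < 4:                            # counter + 1 byte + CRC
            return self._fail("short")
        body, crc_rx = frame[:-2], struct.unpack(">H", frame[-2:])[0]
        if crc16_ccitt(struct.pack(">H", self.conn_id) + body) != crc_rx:
            return self._fail("crc")                  # corruption or wrong connection
        counter, payload = body[0], body[1:]
        if self.expected is not None and counter != self.expected:
            return self._fail("sequence")             # repetition, loss or insertion
        # checked on arrival here; a real device runs a timer that fires even
        # when no frame arrives at all
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._fail("timeout")              # unacceptable delay
        self.expected = counter % 255 + 1
        self.last_ok_ms = now_ms
        return payload, "ok"


def demo() -> List[str]:
    """Constructed exchange: returns the consumer's status for each frame."""
    RUN, STOP = b"\x01", b"\x00"
    host = SafetyProducer(conn_id=0x0A01)
    dev = SafetyConsumer(conn_id=0x0A01, watchdog_ms=100, safe_payload=STOP)
    log: List[str] = []
    f1 = host.build(RUN); log.append(dev.receive(f1, now_ms=0)[1])        # ok
    f2 = host.build(RUN); log.append(dev.receive(f2, now_ms=40)[1])       # ok
    log.append(dev.receive(f2, now_ms=60)[1])                             # sequence (repeat)
    f3 = host.build(RUN); log.append(dev.receive(f3, now_ms=70)[1])       # failsafe (latched)
    dev.acknowledge()
    log.append(dev.receive(f3, now_ms=80)[1])                             # ok (resynchronised)
    f4 = bytearray(host.build(RUN)); f4[1] ^= 0x01                        # bit flip in transit
    log.append(dev.receive(bytes(f4), now_ms=100)[1])                     # crc (corruption)
    dev.acknowledge()
    f5 = host.build(RUN); log.append(dev.receive(f5, now_ms=110)[1])      # ok
    f6 = host.build(RUN); log.append(dev.receive(f6, now_ms=300)[1])      # timeout (delay)
    dev.acknowledge()
    stranger = SafetyProducer(conn_id=0x0B02)
    log.append(dev.receive(stranger.build(RUN), now_ms=310)[1])           # crc (wrong connection)
    return log


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the "black channel" idea: nothing in the check depends on the underlying bus being trustworthy, and every detectable error class ends in the same place, the safe payload and a latched fail-safe that needs an explicit acknowledgement.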
IO-Link Safety
Safety extension of the single-drop IO-Link protocol. Allows safety sensors and actuators at reasonable cost. IEC 61131-9 amendment 2022.
Cyber certification of Safety PLCs
IEC 62443-4-2 SL 2-3 becomes mandatory — Triton/Trisis (2017) showed that an unprotected SIS is a target. New Safety PLCs are co-certified IEC 61508 (safety) + IEC 62443 (cyber).
Standards
- IEC 61508 — Parent standard — Functional safety of E/E/PE safety-related systems
- IEC 61511 — Application of IEC 61508 to process industry (SIS)
- IEC 62061 — Functional safety for machinery — sector version
- ISO 13849-1 — Safety-related parts of control systems (PL a-e)
- IEC 61784-3 — Functional safety fieldbuses (PROFIsafe, CIP Safety, FSoE)
- IEC 62443-4-2 — Cybersecurity — technical requirements for IACS components