Contactors in Safety Applications V1 en

Contactors in safety
applications – Guide
of use
Siemens
SIRIUS Safety / SIRIUS Control Industry
Online
https://support.industry.siemens.com/cs/ww/en/view/109807687 Support
Legal information
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG ("Siemens"). They are
non-binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.
Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
© Siemens AG 2022 All rights reserved
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.
Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.
Security information
Siemens provides products and solutions with Industrial Security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the Internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
at: https://www.siemens.com/industrialsecurity.
Contactors in safety applications

Entry-ID: 109807687, V1.0, 03/2022 2
Table of contents
Table of contents
Legal information ......................................................................................................... 2
1 Introduction ........................................................................................................ 4
1.1 Purpose of the documentation ............................................................. 4
1.2 The objective of safety systems ........................................................... 4
1.3 Formula characters and abbreviations ................................................. 5
2 Basics of applying contactors to safety applications ................................... 6
2.1 Safety integrity calculation.................................................................... 6
2.1.1 Device types according to VDMA standard sheet 66413 ..................... 6
2.1.2 Calculation of contactors in safety applications ................................... 8
2.2 Break time .......................................................................................... 16
2.3 Feedback circuit monitoring ............................................................... 17
2.4 Safety Evaluation with TIA Selection Tool ......................................... 23
2.5 Special case F-PLC-IN contactor as certified component ................. 29
2.6 Wear-related service life..................................................................... 35
2.7 Cable installation ................................................................................ 39
2.8 Special case contactors in the process industry according to
IEC 61511 .......................................................................................... 42
3 Choosing the appropriate contactor ............................................................. 45
3.1 Range of SIRIUS contactors .............................................................. 45
3.2 SIRIUS Schütze: The right safety solution for every power
range .................................................................................................. 46
3.3 Operating mechanisms ...................................................................... 46
3.4 Auxiliary switches ............................................................................... 47
3.5 Surge suppression ............................................................................. 48
4 Combined applications ................................................................................... 50
4.1 Reversing contactor assembly ........................................................... 50
4.2 Contactor assembly for star-delta (wye-delta) starting ...................... 52
4.3 Contactor assembly for star-delta (wye-delta) starting with
reverse starting ................................................................................... 54
4.4 Combination of a contactor with a circuit breaker .............................. 56
4.5 Combination of a contactor with a soft starter 3RW55 Failsafe ......... 58
4.6 Combination of a contactor with a frequency converter ..................... 59
4.7 Combination of a contactor with a non-safety device ........................ 62
5 Appendix .......................................................................................................... 64
5.1 Service and support ........................................................................... 64
5.2 Industry Mall ....................................................................................... 65
5.3 Links and literature ............................................................................. 65
5.4 Change documentation ...................................................................... 65

Entry-ID: 109807687, V1.0, 03/2022 3
1 Introduction
1 Introduction
1.1 Purpose of the documentation
Contactors are an essential component in safety-related applications. In many
safety-related applications, a contactor is used as an actuator to set the machine to
a safe state in the event of a requested safety function (e.g., opening a monitored
door).
This documentation explains the possibilities and requirements for the use of
contactors in safety-related applications. The focus is largely on applications in the
manufacturing industry, but a separate chapter also explains the use in the process
industry.
For this purpose, the basics of the use of contactors in functional safety technology
are first taught based on the relevant standards. The user is then provided with a
concrete guide to select the right contactor for a wide variety of applications.
To understand this documentation, general knowledge in the following areas is
required:
• Low-voltage switching technology
• Automation technology
• Functional safety technology
1.2 The objective of safety systems

The objective of safety systems is to keep potential hazards for both people and
the environment as low as possible by means of design measures and suitable
technical equipment, without restricting, more than absolutely necessary, industrial
production, the use of machines and the production of chemical products. The
protection of man and environment has to be put on an equal footing in all
countries by applying rules and regulations that have been internationally
harmonized. At the same time, the distortion of competition due to differing safety
requirements in international trade are to be avoided.
The field of functional safety technology deals with technical protective devices,
such as safety door monitoring. In order to achieve functional safety of a machine
or plant, it is necessary that the safety-relevant parts of the protective devices and
control devices function correctly and behave in the event of a fault in such a way
that the system remains in a safe condition or is brought into a safe state. This sub-
area of safety technology is the focus of this documentation.
The measure of the functional safety achieved is represented by the safety
integrity. It is expressed in the standards using different terms:
• In IEC 62061: "Safety Integrity Level" (SIL)
• In ISO 13849-1: "Performance Level" (PL)
The safety integrity is made up of the likelihood of dangerous failures, fault

tolerance and the quality that ensures freedom from systematic failures.

Entry-ID: 109807687, V1.0, 03/2022 4
1 Introduction
1.3 Formula characters and abbreviations
B10 Number of operations after which 10% of devices failed
B10D Number of operations after which 10% of devices failed dangerously
CCF Common cause failure
DC Diagnostic coverage
DCavg Average diagnostic coverage (of a redundant architecture)
FIT Failure in time = failures per 109 hours
F-PLC Failsafe Programmable Logic Controller / Failsafe Central Processing Unit

/ F-CPU
HFT Hardware fault tolerance
MTBF Mean time between failures
MTTF Mean time to failure
MTTFD Mean time to dangerous failure
nop Number of operations per year

PFDavg Average probability of dangerous failure on demand
PFHD Probability of dangerous failures per hour
PLr Required performance level (according to risk assessment)

RDF Ratio of dangerous failures
SIL Safety integrity level
SFF Safe failure fraction
STO Safe torque off
T1 = TM Mission time = Proof test interval
T10D Mean time until 10 % of the components fail dangerously = wear-related service
life
T2 Diagnostic test interval
λD Rate of dangerous failure

Entry-ID: 109807687, V1.0, 03/2022 5
2 Basics of applying contactors to safety applications
2 Basics of applying contactors to safety

applications
2.1 Safety integrity calculation
The safety integrity (SIL / PL) of a safety function resp. of a subsystem of a safety
function is determined differently depending on the components used.
2.1.1 Device types according to VDMA standard sheet 66413
The VDMA standard sheet 66413 describes the required safety-relevant

characteristic values of automation devices and specifies a uniform electronic data
format for the provision of safety parameters in libraries.
In principle, the VDMA standard sheet 66413 distinguishes between four types of
devices:
Device type 1
• developed by the manufacturer specifically for use in safety functions and
according to safety standards
• SIL- or PL-classified
• e.g. safety relays, failsafe PLCs or drives
• Required characteristic values when applying ISO 13849-1:

o PL
o Kategorie
o PFHD
o T1
• Required characteristic values when applying IEC 62061:
o SIL
o PFHD
o T1
Device type 2
• not necessarily developed according to safety standards
• Application data is required for evaluation
• Failure behavior is time dependent (MTTFD)
• e.g. non-safety-related electronics, proximity switches, pressure sensors,
hydraulic valves
• Required characteristic values when applying ISO 13849-1 or IEC 62061:
o MTTFD (alternativ MTTF + AgA)
o λD
o MTBF
o T1
Device type 3
• not necessarily developed according to safety standards

Entry-ID: 109807687, V1.0, 03/2022 6
• Application data is required for evaluation

• Failure behavior depends on the switching frequency (B10D)
• e.g. wear-prone electromechanical devices, contactors, switches,
pneumatic valves
• Required characteristic values when applying ISO 13849-1 or IEC 62061:
o B10D (alternativ B10 + AgA)
o T1
Device type 4
• like type 1, but no random failures (PFHD = 0)
• e.g. Devices with fault exclusion or where all faults always lead to a safe
state
• Required characteristic values when applying ISO 13849-1:
o PL
o Kategorie
o T1
• Required characteristic values when applying IEC 62061:
o SIL
o T1

Entry-ID: 109807687, V1.0, 03/2022 7
Assignment of the characteristic values required depending on the device type
Characteristic Device type

comment
value 1 2 3 4
ISO 13849-1
PL x x
IEC 62061
SIL x x
ISO 13849-1 and IEC 62061
PFHD x
ISO 13849-1
Kategorie x x
ISO 13849-1 and IEC 62061
MTTFD x
(Exactly one of the values is required,
preferably MTTFD)
λD x
MTTF x
MTBF x
ISO 13849-1 and IEC 62061

RDF/AgA o o
ISO 13849-1 and IEC 62061
B10D x
(Exactly one of the values is required; if B10
is given, RDF would also be necessary)
B10 x
ISO 13849-1 und IEC 62061
TM = T1 x x x x (TM is sufficient as designation of the
characteristic value)
Figure 1: VDMA standard sheet 66413, table 1
Note: x = Mandatory value o = Optional value
2.1.2 Calculation of contactors in safety applications
In practice, the device types 1 and 3 are decisively relevant. Since contactors
belong to device type 3, the following explains in detail how devices of this type are
calculated in terms of safety.
An indication of the SIL/PL, PFHD or MTTFD by the contactor manufacturer is not
possible at device level, as these are wear-prone devices. For contactors, the
above values depend largely on the switching frequency and the switched load of
the application. These values can only be determined by the user. An exception
are the contactors with fail-safe control input, which can be assigned to device type
1 and are dealt within the chapter Special case F-PLC-IN contactor as certified
component.

Entry-ID: 109807687, V1.0, 03/2022 8
In the following, the procedure for determining the achievable performance level
(PL) according to ISO 13849-1 for a contactor is presented. The mechanisms of
IEC 62061 for calculating the Safety Integrity Level (SIL) are similar and are
illustrated in the chapter Safety Evaluation with TIA Selection Tool.
Categories according to ISO 13849-1

Categories are the basic parameter to achieve a certain PL. They determine the
required behavior of the safety-related parts with regard to their resistance to
failures.
Basically, ISO 13849-1 distinguishes between categories B, 1, 2, 3 and 4.
Figure 2: Correlations of the safety-related characteristic values
In most cases, categories 1, 3 or 4 are used for contactors as shutting down

device.
Category 1
In order to implement a category 1 according to ISO 13849-1, the use of well-tried
components is required. In table D.3 of ISO 13849-2 (Part 2 of ISO 13849
describes the validation process), a main contactor is declared as such a well-tried
component. Since the SIRIUS contactors also fall into this category and are
regarded as well-tried components, a PL c can be achieved very easily by applying
category 1 with SIRIUS contactors.
As a further criterion for the implementation of this category, basic and well-tried
safety principles must be applied. These can be found in tables D.1 and D.2 of ISO
13849-2. The well-tried safety principle of oversizing is particularly relevant for
contactors. Accordingly, components used in safety applications must be
underloaded. As a possible implementation, the standard states that the current
passed through the switching contacts should be less than half of the current
nominal value.
When designing the safety-relevant application according to IEC 62061, an
oversizing factor of 1.5 is required, which corresponds to a load on the contactor of
less than 66% of the current nominal value.
A redundant architecture and diagnostic measures are not required when
implementing Category 1. Therefore, a PL c can be achieved with a single SIRIUS

Entry-ID: 109807687, V1.0, 03/2022 9
contactor. The only other requirement is a high MTTFD value. See table 4 of ISO
13849-1.
Mean time to dangerous failure of each channel (MTTFD)
Figure 3: ISO 13849-1, table 4
To calculate the MTTFD, which forms the basis for determining the PL achieved for
a type 3 device, the user receives a B10 value as well as the ratio of dangerous
failures (RDF) from the contactor manufacturer. The B10 value for wear-prone
devices is expressed in number of switching cycles and reflects the number of
actuations after which 10 % of the devices failed dangerously during a lifetime test.
An example of a dangerous failure within a contactor is the welding of the main
contacts, which prevents the machine from being shut down when this would be
required due to a safety function. An example of a safe failure, in turn, is a defect in
the main contacts, which results in them not being able to be closed again.
Although this error prevents the machine from being switched on again, it is not
safety critical. The B10D value depends on the B10 value and the ratio of
dangerous failures:
B10
B10D =
RDF
The B10 value and the RDF of a SIRIUS contactor can be found in its data sheet.
In the technical data, these values can be found under "Safety related data". The
values are also stored in the Safety Evaluation in the TIA Selection Tool.
Figure 4: Safety related data of a SIRIUS contactor (3RT2035-1KB40)

Entry-ID: 109807687, V1.0, 03/2022 10
The B10 values of safety-relevant SIRIUS and SENTRON devices can also be
found in SN 31920. An image of this standard can also be found in the Industry
Online Support at:
https://support.industry.siemens.com/cs/ww/en/view/109739348
Particular attention must be paid to the conditions under which these parameters
apply. As a rule, the B10 value of a SIRIUS contactor is determined at 66% of the
rated operating current. This results from the necessity of oversizing as one of the
well-tried safety principles and must therefore also be met in the application. The
value of 66% is specified in IEC 62061. In ISO 13849-2, on the other hand, a
maximum utilization of 50% is allowed when applying the well-tried safety
principles. However, since the B10 value of a contactor decreases with increasing
operating current, the information in the data sheet of a SIRIUS contactor is always
valid, even when applying ISO 13849-2.
If the contactors are also to be switched in an operational manner, it must be noted

that this also has an influence on the calculation of the safety integrity. Thus, when
calculating the failure rate, the actuation cycle must be assumed to be the value
that includes both operational and safety-related switching. The requirements for
the temporal detection of faults must be taken into account so that there can be no
accumulation of faults during operational switching. If this is not the case, the
operational switching must be implemented differently.
In the standards, a proportion of 50 % dangerous failures (in accordance with ISO

13849-1, Annex C5) is specified as an approach for wear-prone devices if no
manufacturer information is available for the device.
This results in B10D ≈ 2 x B10.
Alternatively, the worst-case scenario B10D = B10 (RDF = 100%) can always be
assumed.
If the device manufacturer does not provide information on the B10 value, the user
has two more options.
For this purpose, ISO 13849-1, chapter 4.5.2, describes the following hierarchical
procedure:
1. Using manufacturer’s data
2. Using methods in Annex C and D:
see e.g. table C.1 – Contactors with nominal load → B10D = 1.300.000
3. Choosing 10 years as MTTFD
However, the user should always question whether the device is actually suitable
for use in safety-related applications, if no information on the B10 value is provided
by the device manufacturer.
MTTFD is determined based on B10D and the actuations per year nop:
B10D
MTTFD =
0,1 x nop
In turn, nop is determined on the basis of the average operating time in days per
year (dop), the average operating time in hours per day (hop) and the average
operating time between two consecutive cycles (tcycle):

Entry-ID: 109807687, V1.0, 03/2022 11
dop x hop x 3600 s/h

nop =
t cycle
ISO 13849-1 does not accept an MTTFD value of a channel greater than 100 years,
because safety-related component for high risks should not depend on component
reliability alone.
Consequently, the MTTFD is limited to 100 years. An exception to this is category
4, where the limit on the MTTFD of any channel is not until 2500 years.
If the calculated MTTFD is not sufficient to achieve the SIL/PL required by the risk
assessment, the user is left with the following alternatives:
1. Using a separate contactor for operational switching:
Often, a high level of switching frequency is caused by the simultaneous use of
a contactor for both operational and safety switching. This can be remedied by
outsourcing operational switching to another contactor. This relieves the
contactors responsible for safety-related switching and results in a higher
MTTFD.
2. Requesting a load-dependent B10 value:
If the safety function itself is responsible for the high switching frequency or if
operational switching cannot be outsourced, it is possible to request a load-
dependent B10 value via Technical Support (siemens.com/SupportRequest). If
the contactor is operated below 66 % of the rated operational current, a partly
considerably higher B10 value results. If the contactor is even de-energized by
a previous disconnection of the load by another switching device, the B10

value increases even umpteen times.
After the MTTFD has been determined, the PL achieved and the resulting PFHD
can be read off in table K.1 of ISO 13849-1.
Figure 5: ISO 13849-1, table K.1 (Extract)

Entry-ID: 109807687, V1.0, 03/2022 12
Category 3 and 4
By using SIRIUS contactors according to category 3, a PL d can be achieved.
To implement a category 3 according to ISO 13849-1, basic and well-tried safety
principles must also be applied. The use of well-tried components is not
mandatory.
In addition to the quality of the device, represented by at least a low MTTFD, the
diagnostic mechanisms of the subsystem are decisive for the safety integrity of a
subsystem in category 3. These are represented by the diagnostic coverage DC (or
DCavg). Its determination for a power contactor used as a switch-off device is
explained in the chapter Feedback circuit monitoring. For category 3, at least a low
DC is required.
The calculation of the MTTFD for power contactors is analogous to the procedure
shown for category 1, with the difference that the calculation must be performed
here for both redundant contactors. The MTTFD of both channels must be at least
low.
In the specific case that different MTTFD values have been calculated for the two
redundant contactors, there are two possibilities for symmetrizing the "MTTF D for
each channel" (see first column of table K.1 of ISO 13849-1):
• the smaller value should be considered as a worst case assumption;
• Equation D.2 can be used to estimate a surrogate value for MTTF D for
each channel:
One reason for different resulting MTTFD values of the redundant contactors may
be the use of one of the two for operational switching, since this results in a higher
number of switching cycles per year (nop) for one of the contactors.
After determining the MTTFD for each channel and the diagnostic coverage, the PL
achieved and the resulting PFHD can be read in Table K.1 of ISO 13849-1.
To implement category 4 according to ISO 13849-1, the same principles must be

applied as for category 3. The only differences are the requirement for a high
MTTFD as well as a high diagnostic coverage.
By using SIRIUS contactors according to category 4, a PL e can be achieved.
Figure 6: ISO 13849-1, table 6

Entry-ID: 109807687, V1.0, 03/2022 13
Finally, the fulfillment of the CCF measures (Common Cause Failure) must still be
confirmed by a point system. Estimates of common cause failures are not
significantly specific to contactors and are therefore not considered in detail in this
documentation. Guidance on this can be found in Annex F of ISO 13849-1 or
Annex F of IEC 62061.
An example calculation according to ISO 13849-1 with two redundant contactors

can be found in the chapter Wear-related service life.
Calculation according to IEC 62061

In contrast to ISO 13849-1, where the architecture of the safety function plays a
decisive role, the calculation according to IEC 62061 is primarily based on the
probability of failure.
Figure 7: IEC 62061, table 3 – Safety Integrity Levels: Specified failure tolerances
In IEC 62061, the architecture of the safety function is directly considered in the
calculation of the probability of failures. Depending on the architecture, the
calculation becomes very complex, which illustrates the advantage of using ISO
13849-1. To calculate the resulting PFHD value, a different formula must be applied
depending on the subsystem architecture used (see IEC 62061, chapter 6.7.8.2).
The two most common formulas are listed below as examples:
1. Basic subsystem architecture A: Zero fault tolerance without diagnostic
function
PFHD = λD
➔ corresponds to category 1 according to ISO 13849-1
2. Basic subsystem architecture D: Single fault tolerance with diagnostic
function(s) for subsystem elements of the same design (e.g. two redundant
contactors)
T2
PFHD = (1-β)2 x {(2 𝑥 𝐷𝐶 𝑥 λD 2 ) 𝑥 + λD 2 𝑥 ( 1 − 𝐷𝐶) 𝑥 T1 } + 𝛽 𝑥 λD
2
➔ corresponds to category 3 or 4 (depending on DC) according to ISO
13849-1
The following applies to the calculation of λD of a subsystem element (e.g.

contactor):
RDF x 0,1 x C 0,1 x C

λD = =
B10 B10D
Here, C corresponds to the number of operations per hour.

Entry-ID: 109807687, V1.0, 03/2022 14
T2 is the diagnostic test interval and T1 is the minimum of the proof test interval and
the service life.
β corresponds to the susceptibility to common cause failures and is the equivalent
of the CCF from ISO 13849-1. Table F.2 of IEC 62061 shows the conversion of the
two quantities into each other.
Figure 8: IEC 62061, table E.2 – Criteria for estimation of CCF (β)
The conditions of table 5 of IEC 62061 must be fulfilled in order to be able to

directly conclude the achieved SIL on the basis of the probability of failures.
Here, the hardware fault tolerance (HFT) indicates the failure of how many
channels of the subsystem lead to the failure of the safety function. For example,
an HFT = 0 is a single-channel system (consisting of one contactor), an HFT = 1 is
a dual-channel system (consisting of two redundant contactors).
In turn, the safe failure fraction (SFF) is similar to the diagnostic coverage (DC)
with the difference that it includes the safe failures, such as the inability of the
contactor to be reenergized. Therefore, in a worst case assumption, SFF = DC can
always be assumed.
Figure 9: IEC 62061, table 6 – Architectural constraints on a subsystem

Entry-ID: 109807687, V1.0, 03/2022 15
The chapter Feedback circuit monitoring shows that a high degree of diagnostic
coverage can be assumed by checking the plausibility of the mirror contacts of two
contactors in a redundant architecture. This diagnostic mechanism is very
widespread in the use of contactors and has no alternative in most cases. If, for
example, a SIL 2 or PL d (category 3) is required by the risk assessment, the
feedback circuit monitoring must be performed for the two redundant contactors in
order to meet the required - albeit low - diagnostic coverage. However, from the
statement made above (feedback loop monitoring always results in a high DC), it
follows that this always results in category 4 and thus PL e or SIL 3 being
achieved. This is the reason why almost all application examples with contactors
as actuators in SIOS (Siemens Industry Online Support) reach either SIL 1 / PL c
or SIL 3 / PL e. An exception is the combination of a contactor with a circuit breaker
in category 2. A closer look at this topic is shown in the chapter Combination of a
contactor with a circuit breaker.
2.2 Break time

In safety applications, the response time of the overall system plays a decisive role.
During the risk assessment, it is defined within which time the hazardous
movement of the machine must be terminated in the event of a safety requirement.
With regard to monitoring of a safety door, the response time depends on the
distance of the safety door from the movement behind it and thus the danger point.
On the part of the control system, the required reaction time is made up of many
individual values (example without claim to completeness):

• Input filter of the safety evaluation unit
• Cycle time of the user program
• Offset due to communication protocols
• Diagnostic mechanisms of the outputs of the safety evaluation unit
• Break time of the contactors
• Overtravel time of the motor
The break time of a contactor is defined as the time that elapses from the removal
of the coil voltage (at A1/A2) until the opening of the main contacts. It is composed
of the opening delay of the main contacts and the arcing time.
For the SIRIUS contactor 3RT1054-1AB36, for example, this results in a break time
in the range between 50 and 75 ms. When calculating the total response time, the
worst of the individual values must always be taken into account - in this case 75
ms.

Entry-ID: 109807687, V1.0, 03/2022 16
Figure 10: Break time using the example of contactor 3RT1054-1AB36
The break time of the contactor (= the opening delay of the normally open
contacts) increases if the contactor coils are attenuated against voltage peaks.
More detailed information on this can be found in the chapter Surge suppression.
When using a feedback circuit monitoring, the closing delay of the normally closed
contacts (mirror contacts) must be taken into account in addition to the break time
of the main current contacts when parameterizing the evaluation unit. This is
explained at the end of the following chapter.
2.3 Feedback circuit monitoring

Feedback circuit monitoring is the most important diagnostic mechanism for
electromechanical actuators. The diagnostic coverage (DC) is defined in the
standards ISO 13849-1 and IEC 62061 as a measure of the quality of the
diagnostics applied.
Figure 11: ISO 13849-1, table 5 "Diagnostic coverage (DC)"
The diagnostic coverage is the measure of the effectiveness of the diagnosis,

which can be determined as the ratio of the failure rate of the detected dangerous
failures and the failure rate of the total dangerous failures.
The value for the DC is given in four levels. In most cases, a failure mode and
effects analysis (FMEA) or similar methods can be used to estimate the DC. In this
case, all relevant failures and/or failure modes should be considered.

Entry-ID: 109807687, V1.0, 03/2022 17
A simplified approach to estimating the DC is provided in Annex E of ISO 13849-1,

where possible diagnostic measures are described for each subsystem of a safety
function (input unit, logic, output unit) as well as the resulting diagnostic coverage
in each case. In particular, table E.1 of ISO 13849-1 contains measures and their
assignment to a quantified diagnostic coverage.
A feedback circuit is used to monitor actuators (e.g. relays or contactors) with
positively driven contacts or mirror contacts. The actuators are controlled via a
failsafe output of the evaluation unit (e.g. SIRIUS 3SK2 safety relay). In the case of
a contactor, the load is switched via its main current contacts (release circuits,
normally open contacts, NO). When a safety function is requested, the contactor is
switched off and its main current contacts open. In order to diagnose whether the
NO contacts have actually opened, the status of a normally closed contact (NC) of
the contactor is checked at the latest when the machine is switched on again. For
this purpose, the NC contact is read back to an input of the evaluation unit. If a
logical “1” is detected at this input, the main current contacts are open for sure, and
the preceding shutdown process has been carried out correctly by the contactor. In
the logic of the evaluation unit, the release circuits of the contactor can only be
reactivated or closed if the feedback circuit is closed (signaled by a logical “1” at
the input).
In the case of a safety function with redundant architecture and thus the use of two
contactors connected in series, the feedback circuit of both actuators must be
evaluated. However, the mirror contacts may be read back to a single input of the
evaluation unit (series connection of the two mirror contacts). Reading in to two
separate inputs would only have the advantage that, in the event of a feedback
circuit fault, it could be determined directly which of the two contactors has a
defect. This is contrasted with a larger number of inputs required and an increased
programming effort.
As an example, the feedback circuit monitoring of two redundant contactors by a
SIRIUS 3SK2 safety relay is shown below.
Figure 12: Schematic drawing of a feedback circuit monitoring

Entry-ID: 109807687, V1.0, 03/2022 18
Figure 13: Wiring diagram of a feedback circuit monitoring
In safety applications, only the last devices of the safety chain must be read back
for feedback circuit monitoring. In safety applications in which a coupling level is
required to control a contactor, it would therefore be sufficient to read back only the
power contactors (figure below: Q1 and Q2). A failure of the coupling level would
be transmitted to the power contactors, which in turn would be diagnosed by the
evaluation unit, thus ensuring a safe state of the machine. Reading back the
positively driven contacts of the auxiliary contactors or coupling relays (figure
below: Q1.1 and Q2.1) in series with the mirror contacts of the power contactors is
nevertheless recommended to ensure the fastest possible fault response time.

Entry-ID: 109807687, V1.0, 03/2022 19
Figure 14: Feedback circuit monitoring when using a coupling level
When using an F-PLC as an evaluation unit, the NC contact does not necessarily
have to be read back to a safe input (F-DI) – a standard input (DI) is also sufficient
in most applications.
In the following cases, connection of the feedback circuit to an F-DI may be useful
or advisable:
• Single-channel design of the actuator system but nevertheless requirement
of a high degree of diagnostic coverage.
• Certain diagnostic functions (e.g. STEP 7 module "FDBACK") are not
possible.
• Use of a fail-safe module in the decentralized periphery in order to use the
safety mechanisms of PROFIsafe.
For more information on feedback circuit monitoring with an F-PLC, refer to the
following application example:
As already described, diagnostic mechanisms are only required from category 2

and thus to achieve PL d / SIL 2 or PL e / SIL 3.
Thus, for a subsystem according to category 1, consisting of a single contactor,
feedback circuit monitoring would not be necessary. Nevertheless, it is
recommended to use the existing NC contact of the contactor as a feedback circuit
in order to make the application more fail-safe by simple means and without the
use of additional components.

Entry-ID: 109807687, V1.0, 03/2022 20
By using a feedback circuit, a high degree of diagnostic coverage (DC ≥ 99 %) can

be assumed for the reaction subsystem, if the fault is detected at the latest when
the system is switched on again.
A prerequisite for correct feedback circuit monitoring of contactors is the use of
mirror contacts. According to Annex F of IEC 60947-4-1, a mirror contact is an
auxiliary NC contact that cannot be closed at the same time as an NO main
contact. This ensures that the normally closed contact of a contactor always
switches antivalent to its main contacts, thus providing reliable feedback circuit
monitoring. For SIRIUS contactors, this feature is confirmed in the technical data.
Figure 15: Extract from the technical data of a SIRIUS contactor
In circuit diagrams, NC contacts that meet the requirements of a mirror contact are
shown with a dot.
Figure 16: Circuit diagram of a SIRIUS power contactor
For auxiliary contactors and coupling relays, this product characteristic is called
"positive guidance".
Positively guided (or positively driven) contacts according to Annex L of IEC
60947-5-1 are a combination of normally open and normally closed contacts
designed so that they cannot be closed at the same time.
In circuit diagrams, contacts that meet the requirements of positive guidance are
shown connected by a double line.

Entry-ID: 109807687, V1.0, 03/2022 21
Figure 17: Circuit diagram of a SIRIUS auxiliary contactor
Only auxiliary contacts that are included in switchgear and for which the actuating
forces are generated internally are eligible for the positive guidance feature.
Examples of components with positive guidance are the SIRIUS 3RH auxiliary
contactors and the SIIRUS 3RQ1 positively driven coupling relays.
The standard describes a mirror contact as an auxiliary contact connected to a
contactor´s main contact to avoid any confusion with the positively driven contacts
of the contactor relays. However, this does not prevent an auxiliary contact from
meeting both requirements.
An FAQ on this topic is available in the Industry Online Support:

"What is the difference between positively driven contact elements of auxiliary
contactors and mirror contacts of power contactors?"
(https://support.industry.siemens.com/cs/ww/en/view/109758261)
There are basically two types of feedback circuit monitoring:

• In static feedback circuit monitoring, the evaluation unit merely checks the
off-state of the contactors before the application is switched on again.
• With dynamic feedback circuit monitoring, on the other hand, the state of
the mirror contacts is checked for plausibility by the evaluation unit both
when the application is switched on and when it is switched off. In addition,
some evaluation units send a dynamic pulse signal via the feedback circuit
wiring, which can be used to detect short circuits, for example.
Since, in order to achieve the maximum diagnostic coverage, fault detection must
not occur until the application is switched on again at the latest, static feedback
circuit monitoring can also ensure maximum safety integrity.
Setting the feedback circuit monitoring time

The feedback circuit monitoring time is the time that an evaluation unit with
activated feedback circuit monitoring waits after the shutdown command until it
evaluates the feedback signal. In other words, this is the maximum time between
the negative edge of the output of the evaluation unit and a positive edge at the
feedback circuit input, which corresponds to a closing of the mirror contact of the
contactor.

Entry-ID: 109807687, V1.0, 03/2022 22
Within F-PLCs and software-parameterizable safety relays, the feedback circuit

monitoring time is adjustable. It must be above the time that elapses between
switching off the coil voltage and the closing of the mirror contact.
For the SIRIUS contactor 3RT1054-1AB36, for example, a closing delay of the
auxiliary NC contacts (mirror contacts) in the range between 20 and 95 ms is
specified. Therefore, the parameterized feedback circuit monitoring time should be
selected above 95 ms, considering a certain safety buffer.
Figure 18: Closing delay of a mirror contact using the example of a contactor 3RT1054-
1AB36
The switch-off time of a contactor (= opening delay of the NO contacts) and the
closing delay of the NC contacts increase if the contactor coils are damped against
voltage peaks using protective circuits. More detailed information on this can be
found in the chapter Surge suppression.
2.4 Safety Evaluation with TIA Selection Tool

When evaluating safety functions on machines and systems, the quick and easy
handling of the Safety Evaluation in the TIA Selection Tool offers the user valuable
support.
The offline tool guides the user step-by-step from defining the structure of the
safety system, to selecting the components, to determining the achieved safety
integrity in accordance with ISO 13849-1 and IEC 62061.
The integrated extensive libraries also support in this process. As a result, the user
receives a standard-compliant report that can be integrated into the machine
documentation as evidence of safety.
You can ensure that the safety-related data from Siemens is up to date by
performing regular updates of the TIA Selection Tool. This ensures that
calculations are always performed using the current standards situation and that
the latest technical data for all Siemens safety-related components is always
accessed.
The Safety Evaluation in the TIA Selection Tool can be found on the Internet under
the following link:
http://www.siemens.com/safety-evaluation-tool

Entry-ID: 109807687, V1.0, 03/2022 23
SIRIUS Safety Integrated Application Manual (SIAM)

The SIRIUS Safety Integrated Application Manual (SIAM) shows simple circuit
examples of safety functions from typical application areas (e.g. emergency
shutdown, safety door monitoring) based on SIRIUS Safety Integrated products.
For each of the applications included, there is a corresponding article in Siemens
Industry Online Support (SIOS) with, among other things, downloadable circuit
diagram and safety evaluation file.
The application manual can be found in SIOS:
Based on one of the examples of the SIAM, the functionality of the Safety
Evaluation in the TIA Selection Tool is explained below.
As in previous chapters, the example consisting of an emergency stop, a SIRIUS
3SK2 safety relay and two redundant contactors is discussed. The associated
SIOS article is available on the Internet at:
Figure 19: Emergency stop shutdown to SIL 3 or PL e with a 3SK2 safety relay
Operating principle:
The safety relay monitors the emergency stop command device on two channels.
When the emergency stop command device is actuated, the safety relay opens the
enabling circuits and switches the power contactors off in a safety-related way.
If the emergency stop command device is unlatched and the feedback circuit is
closed, the Start button can be used to switch on again.
The file "Safety_Evaluation_Emergency_stop_SIL3_3SK2_en.zip" which can be

downloaded under the above-mentioned article contains a TIA Selection project. It
compromises the components used for this example in duplicate, once starting with
"ISO" and once starting with "IEC".

Entry-ID: 109807687, V1.0, 03/2022 24
Figure 20: Applied components in TIA Selection Tool
The Safety Evaluation in the TIA Selection Tool offers the possibility to perform the
calculation of the safety chain according to ISO 13849-1 (PL) as well as according
to IEC 62061 (SIL). In the example project, all components are therefore designed
in both standards.
When inserting a SIRIUS contactor, a dialog window appears. If "ISO 13849-1" is

selected as the standard in the first line, the category of the component must
initially be selected. As explained in the chapter Calculation of contactors in safety
applications, a single contactor can be used in category 1 due to its property "well-
tried component". Even if this contactor, together with a second one, is ultimately to
be used in a redundant architecture of category 3 or 4, category 1 is selected when
creating it.
The values for B10, RDF and T1 (service life, mission time) are already stored.
Next, the number of operations per time unit (test interval, switching cycles) must
be specified. Since the contactor in the example is used exclusively for switching
off in the event of an emergency stop and not for operational switching, a switching
cycle of once per week is assumed.
The results of the calculations are displayed in the lower part of the window. This
saves the user from manually calculating B10D and MTTFD (see chapter
Calculation of contactors in safety applications) and from looking up PFHD and the
resulting PL in Table K.1 of ISO 13849-1.
The significance of the wear-related service life, which is also an output as the
result of the calculations, is explained in a separate chapter (Wear-related service
life).
The second contactor was created analogously.

Entry-ID: 109807687, V1.0, 03/2022 25
Figure 21: Creating a SIRIUS contactor according to ISO 13849-1
If "IEC 62061" is selected as the standard in the first line when creating a SIRIUS
contactor, the architecture of the component must first be selected. The application
property "Category" does not exist in IEC 62061. Even if this contactor, together
with a second one, is to be used ultimately in a redundant one, "1 channel" is
selected first when creating it.
The values for B10, RDF and T1 (service life, mission time) are already stored.
Next, the number of operations per time unit (test interval, switching cycles) must
be specified. Since the contactor in the example is used exclusively for switching
off in the event of an emergency stop and not for operational switching, a switching
cycle of once per week is assumed.
Furthermore, the check mark must be set for "Use of tried-and-tested
components". The combination of this with "1 channel" above is equivalent to
category 1 according to ISO 13849-1.
The results of the calculations are displayed in the lower part of the window.
Instead of the MTTFD, IEC 62061 uses the λD as an intermediate result to the SIL.
The PFHD is calculated by a formula from the λD and the DC of the individual
components. The resulting SIL in turn depends only on the PFH D. The calculation
mechanisms are therefore more complex in IEC 62061 and are based on pure
formulas. Therefore, the use of the Safety Evaluation in the TIA Selection Tool
offers additional advantages when designing according to IEC 62061.
The second contactor was designed analogously.

Entry-ID: 109807687, V1.0, 03/2022 26
Figure 22: Creating a SIRIUS contactor according to IEC 62061
If Safety Evaluation is selected in the project navigation, an interface appears on

which safety functions can be created under safety areas.
In the example project, two safety areas exist, each with an emergency stop,
designed according to ISO 13849-1 and IEC 62061.
For the reaction subsystems, a two-channel architecture was created for both
standards, each filled with the two previously created SIRIUS contactors.
When the second contactor is added to the two-channel architecture, another
dialog window opens.
In the case of ISO 13849-1, the category must first be selected here. The two
created contactors of category 1 become a category 3 or 4 in the redundant
network. Since, as described in the previous chapter, a high degree of diagnostic
coverage can be achieved in each case by the feedback circuit monitoring of the

Entry-ID: 109807687, V1.0, 03/2022 27
contactors, 99 % is specified for the DC in the next two lines. A high diagnostic
coverage furthermore results in selection of category 4.
Finally, the fulfillment of the CCF (Common Cause Failure) measures must still be
confirmed by a point system. Common cause failure estimates are not significantly
specific to contactors and are therefore not considered in detail in this
documentation. Guidance on this can be found in Annex F of ISO 13849-1.
As a result, the window provides the PFH D of the two-channel subsystem and the
resulting PL.
Figure 23: Creating a two-channel architecture according to ISO 13849-1
In the case of IEC 62061, the test interval for the two contactors must be specified
again for the opening window in addition to the DC. Since in this example there are
no switching cycles beyond the regular emergency stop actuations, the value of
one actuation per week, which was specified when the individual contactors were
created, is entered again.
The CCF measures are - in comparison to the point system in ISO 13849-1 -
qualified with a factor in IEC 62061.
As a result, the window provides the PFH D of the two-channel subsystem as well
as the resulting SIL.

Entry-ID: 109807687, V1.0, 03/2022 28
Figure 24: Creating a two-channel architecture according to IEC 62061
2.5 Special case F-PLC-IN contactor as certified

component
While contactors of lower power can be connected directly to outputs of safety
relays and fail-safe controllers, the realization of a safety-related application with
standard contactors of higher power is considerably more complex and expensive
due to necessary coupling elements.
With semiconductor outputs of the evaluation unit, the output current is often
limited to 2 A, in some cases even to 0.5 A - and this at 24 V DC. This can already
be too little for contactors with a rated power greater than or equal to 18.5 kW. In
addition, the limitation to an output voltage of 24 V DC represents a further hurdle.
Even with relay outputs of the evaluation unit, which are mostly limited to 5 A at
24 V DC, a coupling level becomes necessary for contactors of larger power
classes.
Thanks to a fail-safe control input, special SIRIUS contactors offer a significant
simplification here, recognizable by the S in the ninth position of the part number:
• Contactors 3RT20..-.S from 18,5 kW to 55 kW
• Contactors 3RT10..-.S from 55 kW to 250 kW
• Contactors 3RT14..-.S from 55 kW to 250 kW

Entry-ID: 109807687, V1.0, 03/2022 29
Due to the possibility of direct connection to the output of a fail-safe controller (F-
PLC), these contactors are also called F-PLC-IN contactors. They can be identified
by the yellow marked terminal or coil cover of the fail-safe control input.
Figure 25: Example F-PLC-IN contactors 3RT2037-1SF30 and 3RT1056-6SF36

Unlike standard contactors in this power class, the above contactors have a fail-
safe control input in addition to the conventional coil (terminals A1/A2). Compared
to the coil, this requires a much lower closing and closed current (approx. 5 mA vs.
up to > 5 A depending on the power class), which allows operation directly on fail-
safe 24 V DC outputs of safety relays and fail-safe controllers. While the contactor
is switched via the fail-safe control input, the coil contacts (A1/A2) are permanently
supplied with the corresponding voltage.

Entry-ID: 109807687, V1.0, 03/2022 30
Figure 26: Safety application with standard contactors and coupling level
Figure 27: Safety application with contactors with fail-safe control input
Since SIRIUS contactors with fail-safe control input contain additional electronics
compared to standard contactors, they cannot be regarded as purely
electromechanical components. Consequently, they do not fall under device type 3
(see Device types according to VDMA standard sheet 66413) and cannot be used
as well-tried components according to ISO 13849-2. A calculation via B10 value
and ratio of dangerous failures (RDF) is therefore not possible.

Entry-ID: 109807687, V1.0, 03/2022 31
SIRIUS contactors with fail-safe control input contain components that cannot be
evaluated by the user. Therefore, they fall under device type 1 and are delivered by
Siemens with a certification as well as ready PDHD and SIL / PL.
For the user, this makes the calculation of the safety integrity much easier
compared to the use of a standard contactor.
Figure 28: Safety related data of a SIRIUS contactor with fail-safe control input (3RT1056-
6SF36)
As can be seen from the data sheet, PL c and SIL 2 can be achieved with a single
SIRIUS contactor with fail-safe control input. This combination may seem wrong at
first glance, as the equivalent to a PL c is normally a SIL 1. In contrast to ISO
13849-1, which requires at least category 2 for a PL d and thus does not permit a
single-channel architecture, IEC 62061, according to its table 5, allows a SIL > 1 to
be achieved even with a single channel with HFT (hardware fault tolerance) = 0. A
prerequisite for fulfilling SIL 2 in a single-channel architecture is a safe failure
fraction (SFF) ≥ 90 %. The SFF is a value determined by the device manufacturer
that considers all failures within the device and was determined by an FMEDA
(Failure modes, effects and diagnostic analysis). According to the data sheet
above, the example contactor achieves an SFF of 93 %.

Entry-ID: 109807687, V1.0, 03/2022 32
Figure 29: IEC 62061, Table 6 – Architectural constraints on a subsystem
It should be noted that although PL c can be achieved without diagnostic

mechanisms in the case of single-channel use of this contactor, to achieve SIL 2

the mirror contact of the contactor must be used for fault diagnostics and monitored
in the higher-level evaluation unit in order to be able to initiate appropriate
reactions in the event of a fault.
Advantages of the SIRIUS contactor with fail-safe control input:
• Saving of the additional coupling level by direct control from controllers and
safety relays
• Simplified calculation of safety integrity through ready PL / SIL certification
• Achievement of SIL 2 with a single F-PLC-IN contactor compared to SIL 1
with a single standard contactor
Notice:
The SIL certification of a type 1 device is always performed in accordance with IEC
61508, which is also included in the above data sheet. This standard describes the
requirements for safety-related devices and is used exclusively by the device
manufacturer. The user in turn applies IEC 62061 in order to be able to use and
evaluate the devices in the context of his safety application.
Of course, it is also possible to set up a redundant architecture to achieve PL d, PL

e and SIL 3. The safety evaluation in the TIA Selection Tool enables the setup of a
two-channel architecture also for device type 1. The possibility to implement safety
applications up to SIL 3 / PL e with two redundant F-PLC-IN contactors is
confirmed in their type examination certificate by TÜV:
• Contactors 3RT20..-.S from 18,5 kW to 55 kW:
• Contactors 3RT1...-.S from 55 kW to 250 kW:

Entry-ID: 109807687, V1.0, 03/2022 33
Figure 30: Type Examination Certificate 3RT20..-.S – Extract

Figure 31: Type Examination Certificate 3RT1...-.S – Extract
When using the F-PLC-IN contactors, an overdimensioning of the rated operational

current must be provided - just as for the standard contactors - if well-tried safety
principles must be applied due to the required SIL / PL (or category) (see chapter
Calculation of contactors in safety applications).
Application examples for both single-channel and redundant design of a safety
application using SIRIUS contactors with fail-safe control input can be found in
SIOS - including circuit diagram and safety evaluation file:

Entry-ID: 109807687, V1.0, 03/2022 34
• Emergency stop shutdown to SIL 2 or PL c with a contactor with F-PLC-IN

and 3SK2 safety relay
• Emergency stop shutdown to SIL 2 or PL c with a contactor with F-PLC-IN
and fail-safe controller
• Emergency stop shutdown to SIL 3 or PL e with contactors with F-PLC-IN
and 3SK2 safety relay
• Emergency stop shutdown to SIL 3 or PL e with contactors with F-PLC-IN
and fail-safe controller
The fact that a B10 value can be found in the data sheet for SIRIUS contactors with
fail-safe control input despite their classification as device type 1 is due to the need
to calculate the wear-related service life. This is explained in the following chapter.
2.6 Wear-related service life

All safety-related devices have a service life T1, which is specified in the respective
data sheet. It is also referred to as mission time (TM) or proof test interval. This
value is also specified for SIRIUS contactors and is 20 years, as for almost all
safety-relevant devices from Siemens. This means that after this period the device
must be replaced, as its characteristics are only guaranteed within this period.
Electromechanical components are subject to wear depending on the switched
load as well as the switching cycle. For devices containing electromechanics, a
separate wear-related service life must therefore be determined. This must be
done by the user, as only he knows the exact operating conditions of the device in
the safety application. All type 3 devices fall into this category, including relays and
contactors.
The wear-related service life T10D depends on the B10D value as well as the
actuations per year nop:
B10D
T10D =
nop
Alternatively, the MTTFD value calculated during the safety integrity calculation can
be used to determine T10D:
MTTFD
T10D =
10
The result of this calculation is compared with the T 1 value from the data sheet and
the device is replaced according to the smaller of the two values.
Type 1 devices also exist for which a wear-related service life must be determined.
Basically, whenever electromechanical components are included in a device, the
T10D value must be calculated by the user and compared with the T1 value –
regardless of whether the device is certified (incl. PFHD and SIL / PL) or not.
Examples of certified type 1 devices for which a calculation of the T 10D must be

Entry-ID: 109807687, V1.0, 03/2022 35
performed are SIRIUS 3SK1 safety relays (only those with relay outputs) or fail-
safe relay output modules of the ET 200SP (F-RQ). The F-PLC-IN contactors
presented in the previous chapter also fall into this category because, although
they are certified, their main current contacts are still subject to wear depending on
the switched load as well as the switching cycle.
A sure indication of the need to determine a wear-related service life for a safety-
related device is the presence of a B10 value in its data sheet.
Example calculation: Subsystem reaction with two redundant SIRIUS contactors
Data of the machine: Manufacturer specifications:

nop = 1 cycle / week B10 = 1.000.000
= 52 cycles / year RDF = 73%
PLr = e (PL required according to T1 = 20 years
risk assessment)
Formulas from chapter Calculation of contactors in safety applications:

B10 B10D
B10D = MTTFD =
RDF 0,1 x nop
Results:
➔ B10D = 1.369.863
➔ MTTFD = 263.435 years (high, limited to 2500 years for Cat. 4)
➔ T10D = 26.343,5 years (T1 < T10D)
➔ Max. service life = T1 = 20 years
➔ DC ≥ 99% (high) due to feedback circuit monitoring
➔ PFHD = 9,06 x 10-10 and PL e according to table K.1 of ISO 13849-1
Figure 32: ISO 13849-1, table K.1 (Extract)
As already seen in the example of the chapter Safety Evaluation with TIA Selection
Tool, the calculation of the T10D value is also taken by the Safety Evaluation.

Entry-ID: 109807687, V1.0, 03/2022 36
Figure 33: Wear-related service life of a SIRIUS contactor in Safety Evaluation with TIA
Selection Tool
Note:
The slight deviation of the MTTFD and T10D value calculated by the Safety
Evaluation is due to a rounding of the software when calculating the B10D value.
The calculation of Safety Evaluation for the two-channel contactor architecture

provides the same results for PFHD and PL as the manual calculation shown
above.

Entry-ID: 109807687, V1.0, 03/2022 37
Figure 34: PFHD and PL of two redundant SIRIUS contactors in the Safety Evaluation with
TIA Selection Tool
In the example shown above, a low switching cycle is required by the safety
application. This results in a high MTTFD value as well as a high wear-related
service life (T10D). The fact that T10D always corresponds to one tenth of the
MTTFD can lead to cases where the calculated MTTFD is sufficient to achieve the
required safety integrity, but the corresponding T10D leads to the impractical
necessity of replacing the contactor several times within the lifetime of the
machine.
To illustrate such a case, another example calculation follows.
Data of the machine: Manufacturer specifications:

dop = 220 days / year B10 = 1.000.000
hop = 16 h / day RDF = 73%
tcycle = 30 s / cycle T1 = 20 years
PLr = e (PL required according to
risk assessment)
Formulas from chapter Calculation of contactors in safety applications:

B10 B10D dop x hop x 3600 s/h
B10D = MTTFD = nop =
RDF 0,1 x nop t cycle
Results:

Entry-ID: 109807687, V1.0, 03/2022 38
➔ B10D = 1.369.863
➔ nop = 422.400 cycles / year
➔ MTTFD = 32,43 years (high)
➔ T10D = 3,243 years (T1 > T10D)
➔ Max. service life = T10D = 3,243 years
➔ DC ≥ 99% (high) due to feedback circuit monitoring
➔ PFHD = 9,06 x 10-10 and PL e according to table K.1 of ISO 13849-1
From these results, it would follow that the contactors would need to be replaced
every approximately three years.
The recommendation at this point would be to question the background of the high
switching cycle. Does it result from the fact that the two contactors (or one of them)
are also used for operational switching? If so, outsourcing to a third contactor can
lead to a significant increase in the wear-related service life.
A second way to increase T10D would be to request a load-dependent B10 value. If
the safety function itself is responsible for the high switching frequency or if the
operational switching cannot be outsourced, it is possible to request a load-
dependent B10 value via Technical Support (siemens.com/SupportRequest). If the
contactor is operated below the 66 % of the rated operational current, a partly
considerably higher B10 value results. If the contactor is even de-energized by a
prior disconnection of the load by another switching device, the B10 value
increases even umpteen times.
2.7 Cable installation

The principle of redundancy is applied to the safe outputs of the evaluation unit:
Two switching elements are used for each output. There are two possible
connections:
• pp-switching: The two switching elements of the output are in the supply to
the load.
• pm-switching: The load is located between the two switching elements of
the output. The supply and the ground are switched.

Entry-ID: 109807687, V1.0, 03/2022 39
Figure 35: Two variants of a fail-safe output (pp- and pm-switching)
Both the semiconductor and the relay outputs of the 3SK safety relays are basically
pp-switching, although in the variants with relay outputs they can also be wired pm-
switching by using two pp-switching relay outputs to connect an actuator.
With the SIMATIC F-PLC, there are fail-safe pm and pp output modules as well as
combined ones (ppm), for which it is possible to set in the engineering how they
act.
When connecting actuators, such as contactors, to safe outputs of the evaluation

unit, there are various options depending on the required SIL / PL.
In the following, these possibilities are shown based on pp-switching outputs – in
each case for relay and semiconductor outputs. The corresponding connection to
pm-switching outputs is made analogously with the only difference that the second
NO contact or transistor is located in the ground supply line of the respective
contactor.
If PL c or SIL 1 is required according to the risk assessment, a single contactor,

controlled by an output of the value unit, is sufficient.

Entry-ID: 109807687, V1.0, 03/2022 40
Figure 36: Actuator circuit up to PL c according to ISO 13849-1 or SIL 1 according to IEC
62061
If at least PL d or SIL 2 is required according to the risk assessment, two redundant

contactors are required. These are controlled via two separate outputs of the
actuator unit.
Figure 37: Actuator circuit up to PL e according to ISO 13849-1 or SIL 3 according to IEC
62061
Two redundant contactors can also be controlled up to PL e or SIL 3 via a single

output of the evaluation unit. For this purpose, protected wiring is required between
the output and the point where the cable for connection to A1 of the two contactors
splits. Thereby, a fault exclusion can be assumed for the single-channel part of the
line.

Entry-ID: 109807687, V1.0, 03/2022 41
Figure 38: Actuator circuit with protected wiring up to PL e according to ISO 13849-1 or
SIL 3 according to IEC 62061
Protected routing of the control lines from the output (14, Qx) to the
relays/contactors (A1 of Q1 and Q2) is characterized by cross-circuit and short-
circuit protection.
This can be ensured by a separately sheathed cable or routing in a separate cable
duct.
Another possibility for protected wiring is to use the two devices to be connected
(evaluation unit and contactor) within a control cabinet. The coupling between
devices within a control cabinet may be implemented up to PL e or SIL 3 using a

single channel, since cable routing within a control cabinet is considered to be
protected against cross-circuits and short-circuits (fault exclusion according to ISO
13849-2, table D.4).
2.8 Special case contactors in the process industry

according to IEC 61511
The previous considerations in this documentation concerned the use of contactors
in safety applications in the manufacturing industry in accordance with ISO 13849-
1 and IEC 62061.
The standard for the certification of safety-related devices IEC 61508 distinguishes
between low and high demand rates.
Definition according to IEC 61508-4, chapter 3.5.16:
• Operating mode with low demand rate (low demand mode): Frequency of
demands no more than once per year.
• Operating mode with high demand rate (high demand mode): Frequency of
demands more than once a year.
The use of contactors in the manufacturing industry is characterized by a high

demand rate of the safety function, whereas the use in the process industry is with
a low demand rate.
For devices that are operated at a low demand rate, IEC 61508 describes safety-
relevant parameters that have not yet been explained in the previous
considerations in this documentation.
These are required by the user primarily for the use of certified devices (device
type 1) in safety applications in the process industry. The data sheet of a certified
SIRIUS contactor with fail-safe control input (already known from the chapter

Entry-ID: 109807687, V1.0, 03/2022 42
Special case F-PLC-IN contactor as certified component) is shown below. There

you can find the following characteristics (besides those already known from the
manufacturing industry):
• PFDavg = average probability of a dangerous failure on demand
• MTBF = mean time between failures
• SFF = safe failure fraction (this parameter is significant for both low and
high demand rate and is identical for both cases)
Figure 39: Safety-relevant parameters of a SIRIUS contactor with fail-safe control input
(3RT1056-6SF36)
The value for the probability of failure is often given in "FIT". Failure in Time
describes the failure rate of technical components, in particular electronic
components. The unit FIT indicates the number of components that fail in 10 9
hours.
Thus: 1 FIT = 1 x 10-9 failures / hour.
For the use of SIRIUS standard contactors (device type 3) in the process industry
(low demand rate), the following parameters are required:
• RDF (this characteristic is important for both low and high demand rate,
but it is different for both cases).
• FIT
These can be found in the data sheet of a SIRIUS standard contactor.

Entry-ID: 109807687, V1.0, 03/2022 43
Figure 40: Safety-relevant parameters of a SIRIUS contactor (3RT2035-1KB40)


Entry-ID: 109807687, V1.0, 03/2022 44
3 Choosing the appropriate contactor

3.1 Range of SIRIUS contactors
The SIRIUS modular system includes all devices for switching, protecting,
controlling and monitoring motors in power ratings from 3 to 250 kW and widths
from 45 to 160 mm. The completely innovative generation of devices has more
than 50.000 combination tests and approvals for worldwide use. The optimally
matched devices can be easily combined and use the same accessories to the
greatest possible extent.
Abbildung 41: SIRIUS modular system
The selection of the SIRIUS contactor suitable for the respective safety application
is primarily based on the load to be switched.
SIRIUS contactors are identified by the utilization category in conjunction with the
rated operational current or motor power and the rated voltage.
Abbildung 42: Overview of contactors in utilization category AC-3 and AC-1

Entry-ID: 109807687, V1.0, 03/2022 45
The TIA Selection Tool guides users quickly and conveniently to error-free device
selection and configuration in any automation project. Among other things, it
includes a configurator to help select the right SIRIUS contactor.
More information and the tool are available on the Internet at:
www.siemens.com/tst
When selecting the right contactor for the respective safety application, the well-
tried safety principle of overdimensioning must be observed from PL c or SIL 1
(see chapter Calculation of contactors in safety applications).
Accordingly, when applying ISO 13849-1 and a required PL ≥ c, the current
conducted through the switching contacts may be less than half of the current
rating.
When applying IEC 62061 and a required SIL ≥ 1, an oversizing factor of 1.5 must
be applied. Consequently, the current conducted through the switching contacts
must be less than 66 % of the current rating.
The above information on overdimensioning with regard to the current rating can
be applied to the rated power of the contactor using the same percentage values.
3.2 SIRIUS Schütze: The right safety solution for every

power range
SIRIUS contactors up to 18.5 kW (3RT201 and 3RT202) can be operated directly

on fail-safe outputs without any problems.
For 3RT203 contactors (up to 37 kW), it may already be necessary to add a
coupling level, depending on the output of the evaluation unit. However, as with the
larger contactors (3RT204 and 3RT10), the resulting additional space and cost can
be avoided by using a SIRIUS contactor with a fail-safe control input (F-PLC-IN
contactor).
For the 3RT201, 3RT202 and 3RT203 contactors, so-called safety main current
connectors (3RA29.6-1A) are available to reduce the wiring effort when using two
redundant contactors.
3.3 Operating mechanisms

SIRIUS 3RT contactors can be divided into two classes, 3RT1 and 3RT2, which
are characterized by different power spectra. Different drive types are available in
each case.
SIRIUS 3RT20 contactors are available in standard variants with AC or DC drive or

as variants with electronic wide-range drive and universal actuating voltage (AC or
DC operation possible). DC coupling contactors with reduced power consumption
are also available for optimum connection to the control system. Actuation is via
the control supply voltage connection A1 / A2 with different operating ranges (for
details, see the respective product data sheet).
In addition, variants with electronic drive for AC or DC operation with a fail-safe
control input (F-PLC-IN) are available for the 3RT203 and 3RT204 contactors.
Here, the contactor is switched via the control input with a few milliamps, while the
drive (A1/A2) is permanently supplied.

Entry-ID: 109807687, V1.0, 03/2022 46
The following control or drive variants are available for the 3RT203 and 3RT204
contactors:
• 3RT20..-.A: Standard actuator for AC operation
• Electronic drive:
For contactors with electronic drive, the overvoltage damping of the drive
coil is already integrated in the electronics.
The following variants are available:
- 3RT20..-.K: Coupling contactors with adapted power consumption;
suitable for electronic PLC/F-PLC outputs with 2 A (DC 24 V)
- 3RT20..-.N..: Variants with electronic wide-range actuator and
universal actuating voltage (AC or DC operation); contactors with
reduced closing and closed power
- 3RT20..-.S: Actuation only with fail-safe control input (F-PLC-IN,
DC 24 V) to simplify safety applications (without operating mode
selection); in this case the contactor is switched via the control
input with a few milliamps, while the actuator (A1/A2) is
permanently supplied.
The drives of the SIRIUS 3RT10 contactors are supplied via a supply voltage with
an operating range of 0.8 to 1.1 x Us, optionally also controlled depending on the
selected operating mode. Different nominal voltage ranges are available for AC/DC
control.
The following control or drive variants are available for the contactors 3RT105 to
3RT107:
• 3RT10..-.A:
Standard drive for AC and DC operation (reduction of closing and closed
power)
• Electronic drive:
For contactors with electronic drive, the overvoltage damping of the drive
coil is already integrated in the electronics.
The following variants are available:
- 3RT10..-.N: With two operating modes: direct control or via PLC
input (DC 24 V)
- 3RT10..-.P: Control only via PLC input (standard PLC-IN,
DC 24 V), but additionally with residual life time signal (RLT)
- 3RT10..-.S: Control only with fail-safe control input (F-PLC-IN, DC
24 V) to simplify safety applications (without operating mode
selection); here the contactor is switched via the control input with
a few milliamps, while the actuator (A1/A2) is permanently
supplied.
3.4 Auxiliary switches

As explained in the chapter Feedback circuit monitoring, a mirror contact of the
contactor used in the safety application must be read back into the evaluation unit
for diagnostic purposes and to achieve a certain DC (diagnostic coverage) and SIL
/ PL. In the case of relays and auxiliary contactors, this must be done with a
positively driven NC contact. In the evaluation unit, this signal is checked for
plausibility with the drive signal.

Entry-ID: 109807687, V1.0, 03/2022 47
If the number of NC contacts of a contactor or auxiliary contactor is not sufficient,

for example because they are required elsewhere in the machine control system,
the SIRIUS contactor or auxiliary contactor can be extended by an additional
auxiliary switch. The contacts of this auxiliary switch also meet the standard
requirements for mirror contacts or positively driven contacts and can therefore be
used without hesitation for feedback circuit monitoring.
Optionally, there are contactor versions with permanently mounted auxiliary
switches, which can be identified by the suffix "3MA0". This alternative is not
required by standard for the use of the auxiliary switch in safety applications and
for feedback circuit monitoring. However, this provides additional protection against
tampering. The permanently mounted auxiliary switches can be identified by the
red labeling cover and are available for SIRIUS power and auxiliary contactors.
Additionally attached auxiliary switches are mounted either on the front or on the
side, depending on the power class of the contactor.
Figure 43: Additional permanently mounted auxiliary switches using the example of a
standard contactor as well as an F-PLC-IN contactor
Auxiliary switch configuration of SIRIUS contactors according to power class:

• Contactors 3RT201: An auxiliary contact is integrated in the basic device,
either a NO or a NC contact (= mirror contact), depending on the variant
• Contactors 3RT202 to 3RT204: The basic devices contain two integrated
auxiliary contacts, one NO and one NC (= mirror contact)
• All basic units 3RT20 can be additionally extended by auxiliary switches
(except coupling contactor sizes S00 and S0)
• Contactors 3RT105 to 3RT107 are supplied with two side-mounted
auxiliary switches (depending on the variant with two NO contacts and two
NC contacts or one NO contact and one NC contact); all auxiliary switch
NC contacts are certified mirror contacts; auxiliary switches can be fitted
on the front and on the side.
3.5 Surge suppression

The contactors supplied without coil suppression can be retrofitted with RC
elements, varistors, diodes or diode assemblies (combination of diode and Z-diode
for short break times) to attenuate coil switch-off overvoltages.

Entry-ID: 109807687, V1.0, 03/2022 48
The break times of the contactor (= the times of the opening delay of the NO
contacts) and those of the closing delay of the NC contacts increase if the
contactor coils are damped against voltage peaks. Different accessories are
available for the SIRIUS contactors, each of which causes a different time change:
• Interference suppression diode: 6- to 10-fold
• Diode assemlby: 2 to 6-fold
• Suppressor diode: +1 to +5 ms
• Varistor: +2 to +5 ms
When parameterizing the feedback circuit monitoring time in the evaluation unit,
the break time of the contactor must be taken into account (see chapter Feedback
circuit monitoring). When using one of the above-mentioned circuits for damping
the contactor, the extended break time must be taken into account when
parameterizing the feedback circuit monitoring time in the evaluation unit, as
otherwise unwanted feedback circuit faults may occur.

Entry-ID: 109807687, V1.0, 03/2022 49
4 Combined applications
4.1 Reversing contactor assembly
In general, reversing contactor assemblies can be used for safety-related switch
off.
For applications up to SIL 1 according to IEC 62061 or PL c according to ISO
13849-1, it is sufficient to consider the motor contactors for clockwise and
counterclockwise rotation. This means that both are to be switched safety-related
and monitored via the mirror contact (NC contact) in the feedback circuit. Feedback
circuit monitoring for SIL 1 / PL c is not mandatory but recommended. When
calculating the achieved safety integrity, in turn, the consideration of a single
contactor is sufficient as an example for both. If the switching cycle is higher for
one of the two contactors (clockwise or counterclockwise rotation), it must be
ensured that the contactor with the higher switching cycle is considered. The wear-
related service life must be determined separately for both contactors.
In addition to separate SIRIUS contactors, the 3RA23 reversing contactor
assembly can also be used. Completely wired 3RA23 reversing contactor
assemblies are available up to 55 kW. They consist of two contactors of the same
rating with an auxiliary NC contact (for 3RT201) or an NO and an NC contact (for
3RT202, 3RT203 and 3RT204). The contactors are mechanically and electrically
interlocked with each other (NC contact interlock). Optionally, there are also
reversing contactor assemblies with an interface to IO-Link or AS-Interface.
Using a 3RA23 reversing contactor assembly as an example, a safety-related

reversing circuit up to SIL 1 / PL c with a 3SK1 safety relay is shown below. The
circuit can be set up analogously with two separate SIRIUS contactors for Q1 and
Q2.
Figure 44: 3RA23 reversing contactor assembly with 3SK1 safety relay up to SIL 1 or PL c
From SIL 2 according to IEC 62061 or PL d according to ISO 13489-1, a two-

channel architecture is required. For this reason, an additional higher-level

Entry-ID: 109807687, V1.0, 03/2022 50
contactor (Q1) is required in the design - two contactors must always switch (either
Q1 + Q2 or Q1 + Q3) for the motor to start. An additional, fourth contactor is
therefore not necessary.
The correct function of all three contactors must be monitored by means of the
mirror contacts (NC contacts) (feedback circuit monitoring mandatory from SIL 2 /
PL d). Care must be taken to ensure that sufficient mirror contacts (NC contacts)
are available for feedback circuit monitoring when connecting the reversing
combination.
When calculating the achieved safety integrity, it is sufficient to consider the
superior contactor (Q1) and one of the two reversing contactors (Q2 or Q3,
exemplary for both). Thus, a two-channel architecture consisting of two redundant
contactors is calculated. If the switching cycle is higher for one of the two reversing
contactors (clockwise or counterclockwise), it must be ensured that the contactor
with the higher switching cycle is considered. The wear-related service life must be
determined separately for all three contactors.
To avoid common cause failures (CCF), the control cables to the contactors must
be routed separately or similar measures must be taken (see chapter Cable
installation).
Figure 45: Reversing combination with separate contactors and 3SK1 safety relay up to
SIL 3 or PL e

Entry-ID: 109807687, V1.0, 03/2022 51
The following also shows a safety-related reversing circuit up to SIL 3 / PL e

consisting of a 3SK1 safety relay, a 3RA23 reversing contactor assembly (Q2 +
Q3) and an additional contactor (Q1).
In the example, additional auxiliary switches 3RH29 are plugged onto the 3RA23
reversing contactor assembly to integrate the feedback circuit. The additional
auxiliary switch 3RH29 is necessary because the internal NC auxiliary contacts of
the 3RT contactors are used for the electrical interlocking of the reversing
combination.
Figure 46: 3RA23 reversing contactor assembly with 3SK1 safety relay up to SIL 3 or PL e
4.2 Contactor assembly for star-delta (wye-delta) starting

In general, star-delta combinations can be used for safety-related switch off.
Regardless of which safety integrity must be fulfilled by the star-delta combination
or whether it must be switched in a safety-related manner at all, it consists of three
SIRIUS contactors. Depending on the required SIL / PL, however, the number of
contactors to be considered in the safety calculation varies.

13849-1, it is sufficient to consider the mains contactor and switch it safety-related.
Feedback circuit monitoring of the mirror contact is not mandatory for SIL 1 / PL c
but recommended.

channel architecture is required. This is already given by the characteristics of a
star-delta combination - for the motor to start, two contactors must switch (either

Entry-ID: 109807687, V1.0, 03/2022 52
mains contactor Q1 and star contactor Q2 or mains contactor Q1 and delta

contactor Q3). An additional, fourth contactor is therefore not necessary.
However, all three contactors of the combination must always be switched and
monitored in terms of safety to ensure two-channel disconnection in every
switching state of the star-delta combination. The correct function of all three
contactors must be monitored by means of the mirror contacts (NC contacts).
Depending on the type of feedback circuit monitoring (static or dynamic), it may be
necessary to read in the mirror contacts to separate inputs of the evaluation unit
and evaluate them in different function blocks due to the staggered switching
states. It must be ensured that sufficient mirror contacts (NC) are available for the
feedback circuit monitoring when connecting the star-delta combination.
When calculating the achieved safety integrity, it is sufficient to consider the mains
contactor (Q1) and one of the other two contactors (Q2 or Q3, exemplary for both).
Thus, a two-channel architecture consisting of two redundant contactors is
calculated. If the switching cycle of the star contactor (Q2) is higher than that of the
delta contactor (e.g., because the application is not always switched to the higher
power stage) or vice versa, care must be taken to consider the contactor with the
higher switching cycle. The wear-related service life must be determined separately
for all three contactors.
installation).
In the following circuit example of a star-delta combination, the timing control or

changeover between star and delta operation is handled by a higher-level standard

control system. Alternatively, the timing control and changeover with a 3SK2 safety
relay would also be possible directly in the evaluation unit.

Entry-ID: 109807687, V1.0, 03/2022 53
Figure 47: Star-delta combination with 3SK1 safety relay up to SIL 3 or PL e
Ready-made star-delta combinations are also suitable for use in safety-related

applications up to SIL 3 or PL e. They are available as follows:
• Star-delta combinations 3RA24: Completely wired and tested, with
electrical and mechanical interlocking, available up to 90 kW
• As individual parts for self-assembly (contactors, wiring modules, electrical
interlocking and function modules).
The changeover pause of 50 ms is already integrated in the function
module for star-delta. Individual components are available for all SIRIUS
sizes up to 500 kW (except function modules).
The function modules are available for combinations up to 90 kW.
4.3 Contactor assembly for star-delta (wye-delta) starting

with reverse starting
In general, star-delta reversing combinations can be used for safety-related switch
off.
Regardless of which safety integrity must be fulfilled by the star-delta reversing
combination or whether it must be switched in a safety-related manner at all, it
consists of four SIRIUS contactors. In contrast to the star-delta combination, the
mains contactor is replaced by two contactors for switching the direction of rotation.

Entry-ID: 109807687, V1.0, 03/2022 54
Depending on the required SIL / PL, however, the number of contactors to be

considered in the safety calculation varies.

13849-1, it is sufficient to consider the mains contactors for clockwise and
counterclockwise rotation (Q1 and Q2). This means that both are to be switched
safety-related and monitored via the mirror contact (NC contact) in the feedback
circuit. Feedback circuit monitoring is not mandatory for SIL 1 / PL c but
recommended. When calculating the achieved safety integrity, in turn, the
consideration of a single contactor is sufficient as an example for both. If the
switching cycle is higher for one of the two contactors (clockwise or
counterclockwise rotation), it must be ensured that the contactor with the higher
switching cycle is considered. The wear-related service life must be determined
separately for both contactors. In addition to individual SIRIUS contactors for Q1
and Q2, the 3RA23 reversing contactor assembly can also be used. Both the star
contactor (Q3) and the delta contactor (Q4) are not part of the safety chain.

channel architecture is required. This is already given by the characteristics of a
star-delta reversing combination – for the motor to start, two contactors must switch
(always one of the two mains contactors Q1 or Q2 as well as either the star
contactor Q3 or the delta contactor Q4). An additional, fifth contactor is therefore
not necessary.
However, all four contactors of the combination must always be switched and
monitored in terms of safety to ensure two-channel disconnection in every

switching state of the star-delta reversing combination. The correct function of all
four contactors must be monitored by means of the mirror contacts (NC contacts).
Depending on the type of feedback circuit monitoring (static or dynamic), it may be
necessary to read in the mirror contacts to separate inputs of the evaluation unit
and evaluate them in different function blocks due to the staggered switching
states. It must be ensured that sufficient mirror contacts (NC) are available for
feedback circuit monitoring when connecting the star-delta reversing combination.
When calculating the achieved safety integrity, it is sufficient to consider one of the
line contactors (Q1 or Q2, exemplary for both) and one of the other two contactors
(Q3 or Q4, exemplary for both). Thus, a two-channel architecture consisting of two
redundant contactors is calculated. If the switching cycle is higher for one of the
two reversing contactors (clockwise or counterclockwise), care must be taken to
consider the contactor with the higher switching cycle. If the switching cycle of the
star contactor (Q2) is higher than that of the delta contactor (e.g. because the
application is not always switched to the higher power stage) or vice versa, care
must also here be taken to consider the contactor with the higher switching cycle.
The wear-related service life must be determined separately for all four contactors.
In addition to individual SIRIUS contactors for Q1 and Q2, the 3RA23 reversing
contactor assembly can also be used.
installation).
In the following circuit example of a star-delta reversing combination, the timing

control or changeover between star and delta operation is handled by a higher-
level standard control system. Compared to the circuit example of the chapter
Contactor assembly for star-delta (wye-delta) starting, an additional 3SK1 output
extension - connected to the 3SK1 via device connectors - is required to control the
four contactors. Alternatively, timing control and changeover with a 3SK2 safety
relay would also be possible directly in the evaluation unit.

Entry-ID: 109807687, V1.0, 03/2022 55
Figure 48: Star-delta reversing combination with 3SK1 safety relay up to SIL 3 or PL e
4.4 Combination of a contactor with a circuit breaker

Since the circuit breaker does not have a diagnostic option such as mirror contacts,
it cannot be used as a second function channel in the safety function. In addition, it
is impractical to trip the circuit breaker every time a safety request is made, as it
must either be reset manually, or a remote motorized operating mechanism must
be used to restart it remotely. In addition, the number of switching cycles (B10
value) is usually much lower for circuit breakers compared to contactors.
However, it is possible to use the circuit breaker as a so-called "test equipment
output". In combination with a contactor, this corresponds to a category 2
according to ISO 13849-1 and can thus achieve up to PL d. According to IEC
62061, up to SIL 2 can be achieved.
Category 2 is implemented by monitoring the contactor by the evaluation unit and,
in the event of a contactor failure (welding of the main contacts), a sufficiently
prompt fault reaction takes place. In the event of a fault, the circuit breaker is
tripped by means of an undervoltage release. Accordingly, it is a 1-channel
architecture with a specified fault response. In addition, both contactor and circuit
breaker represent well-tried components according to ISO 13849-2.
The diagnostic coverage (DC) can be assumed to be 90% - 99% (medium). This is
justified in the following:
The diagnostic capability of the power contactor can be assumed to be 99 % due
to its mirror contacts. It must be taken into account that this diagnostic capability
alone can trigger or even prevent the fault reaction. It is imperative to take this fact
into account. Therefore, an additional worst case consideration should be made by
reducing the diagnostic coverage from the original 99 % to 90 % and increasing the
associated dangerous failure rate accordingly.

Entry-ID: 109807687, V1.0, 03/2022 56
Under certain conditions, diagnostics may be possible for a circuit breaker. This
requires dynamic monitoring of the circuit breaker during closing and opening. This
is possible by means of an F-PLC with a corresponding remote motorized
operating mechanism for restarting the circuit-breaker. This is described in detail in
the following FAQ:
In this case, a higher level of safety integrity can be achieved.
To avoid an undetected accumulation of faults, the circuit breaker must be tested

after 6 to 12 months at the latest. This test arrangement must be documented in
the description of the safety function and the operating instructions (of the
machine). Likewise, the tests carried out by the user during the use phase must be
documented.
The set time delay (between switching off the contactor and switching off the circuit
breaker after a failure of the contactor has been detected by the evaluation unit)
has an influence on the maximum reaction time. It must be ensured that, based on
the risk assessment, this reaction time is sufficiently short in the event of a fault.
For the category 2 architecture, the calculation of the MTTFD and the DC only
considers the function channel (contactor) and not the test channel (circuit
breaker). The circuit breaker therefore has no influence on the safety evaluation.
However, it is checked whether the circuit breaker can basically withstand the
expected operating stresses, e.g. reliability in terms of switching capacity and

switching frequency.
ISO 13849-1 recommends that for category 2, the MTTFD of the test channel
(circuit breaker) is greater than half the MTTFD of the functional channel
(contactor). It should be noted that the MTTFD for categories B to 3 is limited to 100
years. It follows that an MTTFD > 50 years is sufficient for the circuit breaker.
The same calculation mechanism like that of a contactor is used to calculate the
MTTFD of the circuit breaker. The B10 value and the ratio of dangerous failures of
a SIRIUS or SENTRON circuit breaker can be taken from its data sheet. These
values can be found in the technical data under "Safety related data". These values
are also stored in the Safety Evaluation with TIA Selection Tool. In addition, the
values can be found in SN 31920. An image of this standard can also be found in
Industry Online Support at:
A detailed example calculation of the combination of contactor and circuit breaker

according to both ISO 13849-1 and IEC 62061 can be found in the following FAQ:
A possible safety application including circuit diagram and safety evaluation file is
shown in the application example “Emergency stop shutdown to SIL 2 or PL d with
a SIRIUS 3SK1 safety relay“:

Entry-ID: 109807687, V1.0, 03/2022 57
Figure 49: Application example: Emergency stop shutdown to SIL 2 or PL d with a SIRIUS
3SK1 safety relay
4.5 Combination of a contactor with a soft starter 3RW55

Failsafe
The 3RW55 Failsafe soft starter is a certified type 1 device. It is designed so that
Safe Torque Off (STO) applications up to SIL 1 or PL c can be implemented
without the user having to add other devices in the shutdown path.
The shutdown command at the fail-safe input F-DI of the 3RW55 Failsafe can
come from a directly connected emergency stop command device or from a safe
output of a higher-level safety relay or F-PLC.
An evaluation of the fail-safe signal output F-RQ (terminal 41/42) is not required for
applications up to SIL 1 or PL c. However, it can also be used in these cases, e.g.
to signal an error on the 3RW55 Failsafe to the operator via an indicator lamp.
Restarting the motor is only possible after resetting the F-DI signal and changing
the control source from OFF to ON.
To implement safety applications higher than PL c or SIL 1 with the 3RW55

Failsafe, an additional redundant shutdown path is required.
In conjunction with an additional redundant contactor connected between the
3RW55 Failsafe soft starter and the motor, the 3RW55 Failsafe can be used to
implement two-channel STO applications up to SIL 3 and PL e.
The solution for applications up to SIL 2 or PL d with a 3RW55 Failsafe soft starter
is identical to the solution described here for applications up to SIL 3 or PL e.
The safe signal output F-RQ (terminal 41/42) of the 3RW55 Failsafe and the
auxiliary contacts of the contactor are monitored by a higher-level evaluation unit
(e.g. 3SK1 safety relay).

Entry-ID: 109807687, V1.0, 03/2022 58
The safety evaluation of a redundancy consisting of a type 1 device and a type 3

device is complex. The use of the Safety Evaluation with TIA Selection Tool is
particularly suitable in this case, as a mixed two-channel architecture can be
created here. How this is implemented for the combination of a 3RW55 Failsafe
with a contactor is shown in the application example “Emergency stop shutdown up
to SIL3 or PL e with a 3RW55 Failsafe soft starter and 3SK1 safety relay":
A detailed description of the various options for using a 3RW soft starter in a safety
application is provided in the FAQ “3RW Soft Starter: Safe switching acc. IEC
62061 (SIL) rep. ISO 13849-1 (PL)“:
4.6 Combination of a contactor with a frequency converter

Basically, a distinction is made between frequency converters that do not have
safety certification and therefore cannot be part of the safety application (see left
part of the following figure), and those that already have safety integrated (see right
part of the following figure).
Figure 50: Frequency converters without and with integrated safety technology
If the frequency converter itself cannot contribute to the safety chain, upstream and
downstream contactors can be used to safely shut down the machine in the event
of a safety requirement, regardless of the status of the converter. A connection
upstream (on the line side) or downstream of the converter (on the motor side)
results in different advantages and disadvantages, which will be explained during
this chapter.
Like the 3RW soft starter, frequency converters are also available as variants
certified for use in safety applications (device type 1). If a converter is only certified
up to SIL 1 or PL c or up to SIL 2 or PL d, the reaction subsystem can be upgraded
up to SIL 3 or PL e through the redundant use of a contactor. This scenario is
described below for a SINAMICS converter certified up to SIL 2 or PL d.

Entry-ID: 109807687, V1.0, 03/2022 59
The drive is stopped by the fail-safe evaluation unit (in the following example, an F-
PLC) – e.g. after a safety sensor has responded (not shown in the following
figures). For this purpose, the drive-integrated safety function Safe Torque Off
(STO) is triggered via a safe output of the evaluation unit on the SINAMICS
converter, if necessary, with preceding rapid braking function (SS1). It is not
necessary to read back the status feedback into the F-PLC as diagnostics are
implemented internally (crosswise data comparison of the two switch-off paths and,
if an error is detected, initiation of an error response that leads to the safe state).
However, regular forced dynamization (e.g. every 8 hours) by selecting the function
is required.
A power contactor is provided as a second independent shutdown channel in
addition to the SINAMICS safety function. Its positively driven auxiliary contact
(mirror contact, NC contact) is read back into the evaluation unit. In order to detect
errors in the second channel, the evaluation unit checks whether the feedback
assumes correct levels after the safety function has been selected and deselected.
When STO is activated on the SINAMICS, a pulse inhibit is triggered in the
converter on the motor side and the current is thus immediately switched off
electronically. For the contactor to switch without current and thus with less wear, it
makes sense for the fail-safe evaluation unit to briefly delay the switch-off of the
contactor. However, as a second independent shutdown path, the contactor must
be able to switch the load current in the event of failure of the first channel
(converter) and must therefore be designed accordingly. The delay time of the
contactor must be taken into account when determining the response time of the
safety function.
The power contactor used as a second independent shutdown channel can be

used either upstream (on the line side) or downstream (on the motor side) of the
converter.
Variant 1: Power contactor in the mains supply of the converter

In variant 1, the power contactor is provided in the line side of a SINAMICS Power
Module.

Entry-ID: 109807687, V1.0, 03/2022 60
Figure 51: Power contactor in the mains supply of the converter
Advantage:
• The contactor can be designed for resistive load (AC1).
Disadvantages:
• Due to the energy stored in the intermediate voltage circuit, residual motion
can still occur after the line contactor is switched off if the drive-integrated
safety function fails. This must be considered in the risk assessment.
• The contactor must be designed for the continuous thermal current of the
drive reps. drives.
• After switching off, the intermediate circuit capacitors are discharged.
Therefore, the precharge time of the converter must be waited for before
the drive is switched on again.
• This variant is generally only suitable for single drives. In the case of a
multi-motor drive with a common supply, the power supply to all connected
drives would be switched off together with the line-side contactor.
Variant 2: Power contactor on the output side between motor and converter
Variant 2 describes a SINAMICS S120 multi-axis system with contactors on the
output side.

Entry-ID: 109807687, V1.0, 03/2022 61
Figure 52: Power contactor on the output side of the converter
Advantages:
• Suitable for single and multiple motor constellations, as each drive can be
disconnected individually.
• The intermediate circuit remains on the mains and thus precharged,
therfore no thermal load on the components involved and no time delay
when switching back on.
Disadvantages:
• The contactor must be able to switch a DC current with inductive load
(motor winding) in the worst case. At very low speed or at speed setpoint
0, the converter impresses a current with a very low frequency, which acts
like a direct current for the contactor.
• The contactor must be designed for the continuous thermal current of the
drive.
4.7 Combination of a contactor with a non-safety device

If devices are used in the main circuit that cannot be part of the safety application
either because of their characteristics (e.g. not purely electromechanical design) or
because the number of switching cycles is too high, the use of one or more
contactors can still ensure the required safety integrity. In such a case, there is no

Entry-ID: 109807687, V1.0, 03/2022 62
effect of the non-safety-related devices on the safety function. Only the contactors
used for shutdown in the event of a safety requirement are considered in the safety
calculation.
An example of the combination of non-safety-related devices with contactors to
meet up to SIL 3 or PL e is shown in the following example. It comes from the FAQ
“3RW Soft Starter: Safe switching acc. IEC 62061 (SIL) rep. ISO 13849-1 (PL)“:
Figure 53: Safe shutdown of a standard soft starter application by two redundant
contactors up to SIL 3 / PL e

Entry-ID: 109807687, V1.0, 03/2022 63
5 Appendix
5 Appendix
5.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire
service and support know-how and portfolio.
The Industry Online Support is the central address for information about our
products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos
– all information is accessible with just a few mouse clicks:
support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you fast and competent
support regarding all technical queries with numerous tailor-made offers
– ranging from basic support to individual support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest
SITRAIN – Digital Industry Academy

We support you with our globally available training courses for industry with
practical experience, innovative learning methods and a concept that’s tailored to
the customer’s specific needs.
For more information on our offered trainings and courses, as well as their
locations and dates, refer to our web page:
siemens.com/sitrain
Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog
web page:
support.industry.siemens.com/cs/sc
Industry Online Support app

You will receive optimum support wherever you are with the "Siemens Industry
Online Support" app. The app is available for iOS and Android:
support.industry.siemens.com/cs/ww/en/sc/2067

Entry-ID: 109807687, V1.0, 03/2022 64
5 Appendix
5.2 Industry Mall
The Siemens Industry Mall is the platform on which the entire siemens Industry
product portfolio is accessible. From the selection of products to the order and the
delivery tracking, the Industry Mall enables the complete purchasing processing –
directly and independently of time and location:
mall.industry.siemens.com
5.3 Links and literature

Table 5-1
No. Topic
\1\ Siemens Industry Online Support

https://support.industry.siemens.com
\2\ Link auf die Beitragsseite des Anwendungsbeispiels
https://support.industry.siemens.com/cs/ww/de/view/109807687
\3\ EN ISO 13849-1:2015
Safety of machinery – Safety-related parts of control systems – Part 1: General
principles for design (prepared by Technical Committee ISO/TC 199 “Safety of
machinery” in collaboration with Technical Committee CEN/TC 114 “Safety of
machinery”)
\4\ EN ISO 13849-2:2012
Safety of machinery – Safety-related parts of control systems – Part 2: Validation
(prepared by Technical Committee ISO/TC 199 “Safety of machinery” in
collaboration with Technical Committee CEN/TC 114 “Safety of machinery”)
\5\ IEC 62061 (Edition 2.0, 2021-03)
Safety of machinery – Functional safety of safety-related control systems (prepared
by IEC technical committee 44: Safety of machinery – Electrotechnical aspects)
\6\ VDMA standard sheet 66413:2012-07
Funktionale Sicherheit – Universelle Datenbasis für sicherheitsbezogene Kennwerte
von Komponenten oder Teilen von Steuerungen
5.4 Change documentation

Table 5-2
Version Date Modifications
V1.0 04/2022 First version

Entry-ID: 109807687, V1.0, 03/2022 65

Contactors in Safety Applications V1 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Contactors in Safety Applications V1 en

Uploaded by

Copyright:

Available Formats

Contactors in safety

Contactors in safety applications

Contactors in safety applications

1.2 The objective of safety systems

The safety integrity is made up of the likelihood of dangerous failures, fault

Contactors in safety applications

1.3 Formula characters and abbreviations

B10 Number of operations after which 10% of devices failed

B10D Number of operations after which 10% of devices failed dangerously

CCF Common cause failure

DCavg Average diagnostic coverage (of a redundant architecture)

FIT Failure in time = failures per 109 hours

F-PLC Failsafe Programmable Logic Controller / Failsafe Central Processing Unit

HFT Hardware fault tolerance

MTBF Mean time between failures

MTTF Mean time to failure

MTTFD Mean time to dangerous failure

nop Number of operations per year

PFHD Probability of dangerous failures per hour

PLr Required performance level (according to risk assessment)

SIL Safety integrity level

SFF Safe failure fraction

STO Safe torque off

T1 = TM Mission time = Proof test interval

λD Rate of dangerous failure

Contactors in safety applications

2 Basics of applying contactors to safety

2.1.1 Device types according to VDMA standard sheet 66413

The VDMA standard sheet 66413 describes the required safety-relevant

• Required characteristic values when applying ISO 13849-1:

Contactors in safety applications

• Application data is required for evaluation

Contactors in safety applications

Assignment of the characteristic values required depending on the device type

Characteristic Device type

ISO 13849-1 and IEC 62061

2.1.2 Calculation of contactors in safety applications

Contactors in safety applications

Categories according to ISO 13849-1

Figure 2: Correlations of the safety-related characteristic values

In most cases, categories 1, 3 or 4 are used for contactors as shutting down

Contactors in safety applications

Mean time to dangerous failure of each channel (MTTFD)

Figure 3: ISO 13849-1, table 4

Figure 4: Safety related data of a SIRIUS contactor (3RT2035-1KB40)

Contactors in safety applications

If the contactors are also to be switched in an operational manner, it must be noted

In the standards, a proportion of 50 % dangerous failures (in accordance with ISO

Contactors in safety applications

dop x hop x 3600 s/h

a previous disconnection of the load by another switching device, the B10

Figure 5: ISO 13849-1, table K.1 (Extract)

Contactors in safety applications

To implement category 4 according to ISO 13849-1, the same principles must be

Figure 6: ISO 13849-1, table 6

Contactors in safety applications

An example calculation according to ISO 13849-1 with two redundant contactors

Calculation according to IEC 62061

The following applies to the calculation of λD of a subsystem element (e.g.

RDF x 0,1 x C 0,1 x C

Contactors in safety applications

The conditions of table 5 of IEC 62061 must be fulfilled in order to be able to

Figure 9: IEC 62061, table 6 – Architectural constraints on a subsystem