Professional Documents
Culture Documents
applications – Guide
of use
Siemens
SIRIUS Safety / SIRIUS Control Industry
Online
https://support.industry.siemens.com/cs/ww/en/view/109807687 Support
Legal information
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several
components in the form of text, graphics and/or software modules. The application examples are
a free service by Siemens AG and/or a subsidiary of Siemens AG ("Siemens"). They are
non-binding and make no claim to completeness or functionality regarding configuration and
equipment. The application examples merely offer help with typical tasks; they do not constitute
customer-specific solutions. You yourself are responsible for the proper and safe operation of the
products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the
application examples used by technically trained personnel. Any change to the application
examples is your responsibility. Sharing the application examples with third parties or copying the
application examples or excerpts thereof is permitted only in combination with your own products.
The application examples are not required to undergo the customary tests and quality inspections
of a chargeable product; they may have functional and performance defects as well as errors. It is
your responsibility to use them in such a manner that any malfunctions that may occur do not
result in property damage or injury to persons.
Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without
limitation, liability for the usability, availability, completeness and freedom from defects of the
application examples as well as for related information, configuration and performance data and
any damage caused thereby. This shall not apply in cases of mandatory liability, for example
under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of
life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent
non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for
damages arising from a breach of material contractual obligations shall however be limited to the
© Siemens AG 2022 All rights reserved
foreseeable damage typical of the type of agreement, unless liability arises from intent or gross
negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions
do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens
against existing or future claims of third parties in this connection except where Siemens is
mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any
damage beyond the liability provisions described.
Other information
Siemens reserves the right to make changes to the application examples at any time without
notice. In case of discrepancies between the suggestions in the application examples and other
Siemens publications such as catalogs, the content of the other documentation shall have
precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.
Security information
Siemens provides products and solutions with Industrial Security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines
and networks. Such systems, machines and components should only be connected to an
enterprise network or the Internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
at: https://www.siemens.com/industrialsecurity.
Table of contents
Legal information ......................................................................................................... 2
1 Introduction ........................................................................................................ 4
1.1 Purpose of the documentation ............................................................. 4
1.2 The objective of safety systems ........................................................... 4
1.3 Formula characters and abbreviations ................................................. 5
2 Basics of applying contactors to safety applications ................................... 6
2.1 Safety integrity calculation.................................................................... 6
2.1.1 Device types according to VDMA standard sheet 66413 ..................... 6
2.1.2 Calculation of contactors in safety applications ................................... 8
2.2 Break time .......................................................................................... 16
2.3 Feedback circuit monitoring ............................................................... 17
2.4 Safety Evaluation with TIA Selection Tool ......................................... 23
2.5 Special case F-PLC-IN contactor as certified component ................. 29
2.6 Wear-related service life..................................................................... 35
2.7 Cable installation ................................................................................ 39
2.8 Special case contactors in the process industry according to
IEC 61511 .......................................................................................... 42
3 Choosing the appropriate contactor ............................................................. 45
3.1 Range of SIRIUS contactors .............................................................. 45
3.2 SIRIUS Schütze: The right safety solution for every power
© Siemens AG 2022 All rights reserved
range .................................................................................................. 46
3.3 Operating mechanisms ...................................................................... 46
3.4 Auxiliary switches ............................................................................... 47
3.5 Surge suppression ............................................................................. 48
4 Combined applications ................................................................................... 50
4.1 Reversing contactor assembly ........................................................... 50
4.2 Contactor assembly for star-delta (wye-delta) starting ...................... 52
4.3 Contactor assembly for star-delta (wye-delta) starting with
reverse starting ................................................................................... 54
4.4 Combination of a contactor with a circuit breaker .............................. 56
4.5 Combination of a contactor with a soft starter 3RW55 Failsafe ......... 58
4.6 Combination of a contactor with a frequency converter ..................... 59
4.7 Combination of a contactor with a non-safety device ........................ 62
5 Appendix .......................................................................................................... 64
5.1 Service and support ........................................................................... 64
5.2 Industry Mall ....................................................................................... 65
5.3 Links and literature ............................................................................. 65
5.4 Change documentation ...................................................................... 65
1 Introduction
1.1 Purpose of the documentation
Contactors are an essential component in safety-related applications. In many
safety-related applications, a contactor is used as an actuator to set the machine to
a safe state in the event of a requested safety function (e.g., opening a monitored
door).
This documentation explains the possibilities and requirements for the use of
contactors in safety-related applications. The focus is largely on applications in the
manufacturing industry, but a separate chapter also explains the use in the process
industry.
For this purpose, the basics of the use of contactors in functional safety technology
are first taught based on the relevant standards. The user is then provided with a
concrete guide to select the right contactor for a wide variety of applications.
To understand this documentation, general knowledge in the following areas is
required:
• Low-voltage switching technology
• Automation technology
• Functional safety technology
© Siemens AG 2022 All rights reserved
DC Diagnostic coverage
T10D Mean time until 10 % of the components fail dangerously = wear-related service
life
T2 Diagnostic test interval
In principle, the VDMA standard sheet 66413 distinguishes between four types of
devices:
Device type 1
• developed by the manufacturer specifically for use in safety functions and
according to safety standards
• SIL- or PL-classified
• e.g. safety relays, failsafe PLCs or drives
© Siemens AG 2022 All rights reserved
Device type 2
• not necessarily developed according to safety standards
• Application data is required for evaluation
• Failure behavior is time dependent (MTTFD)
• e.g. non-safety-related electronics, proximity switches, pressure sensors,
hydraulic valves
• Required characteristic values when applying ISO 13849-1 or IEC 62061:
o MTTFD (alternativ MTTF + AgA)
o λD
o MTBF
o T1
Device type 3
• not necessarily developed according to safety standards
Device type 4
• like type 1, but no random failures (PFHD = 0)
• e.g. Devices with fault exclusion or where all faults always lead to a safe
state
• Required characteristic values when applying ISO 13849-1:
o PL
o Kategorie
o T1
• Required characteristic values when applying IEC 62061:
o SIL
o T1
© Siemens AG 2022 All rights reserved
MTTF x
MTBF x
© Siemens AG 2022 All rights reserved
In practice, the device types 1 and 3 are decisively relevant. Since contactors
belong to device type 3, the following explains in detail how devices of this type are
calculated in terms of safety.
An indication of the SIL/PL, PFHD or MTTFD by the contactor manufacturer is not
possible at device level, as these are wear-prone devices. For contactors, the
above values depend largely on the switching frequency and the switched load of
the application. These values can only be determined by the user. An exception
are the contactors with fail-safe control input, which can be assigned to device type
1 and are dealt within the chapter Special case F-PLC-IN contactor as certified
component.
In the following, the procedure for determining the achievable performance level
(PL) according to ISO 13849-1 for a contactor is presented. The mechanisms of
IEC 62061 for calculating the Safety Integrity Level (SIL) are similar and are
illustrated in the chapter Safety Evaluation with TIA Selection Tool.
Category 1
In order to implement a category 1 according to ISO 13849-1, the use of well-tried
components is required. In table D.3 of ISO 13849-2 (Part 2 of ISO 13849
describes the validation process), a main contactor is declared as such a well-tried
component. Since the SIRIUS contactors also fall into this category and are
regarded as well-tried components, a PL c can be achieved very easily by applying
category 1 with SIRIUS contactors.
As a further criterion for the implementation of this category, basic and well-tried
safety principles must be applied. These can be found in tables D.1 and D.2 of ISO
13849-2. The well-tried safety principle of oversizing is particularly relevant for
contactors. Accordingly, components used in safety applications must be
underloaded. As a possible implementation, the standard states that the current
passed through the switching contacts should be less than half of the current
nominal value.
When designing the safety-relevant application according to IEC 62061, an
oversizing factor of 1.5 is required, which corresponds to a load on the contactor of
less than 66% of the current nominal value.
A redundant architecture and diagnostic measures are not required when
implementing Category 1. Therefore, a PL c can be achieved with a single SIRIUS
contactor. The only other requirement is a high MTTFD value. See table 4 of ISO
13849-1.
To calculate the MTTFD, which forms the basis for determining the PL achieved for
a type 3 device, the user receives a B10 value as well as the ratio of dangerous
failures (RDF) from the contactor manufacturer. The B10 value for wear-prone
devices is expressed in number of switching cycles and reflects the number of
actuations after which 10 % of the devices failed dangerously during a lifetime test.
An example of a dangerous failure within a contactor is the welding of the main
contacts, which prevents the machine from being shut down when this would be
required due to a safety function. An example of a safe failure, in turn, is a defect in
the main contacts, which results in them not being able to be closed again.
© Siemens AG 2022 All rights reserved
Although this error prevents the machine from being switched on again, it is not
safety critical. The B10D value depends on the B10 value and the ratio of
dangerous failures:
B10
B10D =
RDF
The B10 value and the RDF of a SIRIUS contactor can be found in its data sheet.
In the technical data, these values can be found under "Safety related data". The
values are also stored in the Safety Evaluation in the TIA Selection Tool.
The B10 values of safety-relevant SIRIUS and SENTRON devices can also be
found in SN 31920. An image of this standard can also be found in the Industry
Online Support at:
https://support.industry.siemens.com/cs/ww/en/view/109739348
Particular attention must be paid to the conditions under which these parameters
apply. As a rule, the B10 value of a SIRIUS contactor is determined at 66% of the
rated operating current. This results from the necessity of oversizing as one of the
well-tried safety principles and must therefore also be met in the application. The
value of 66% is specified in IEC 62061. In ISO 13849-2, on the other hand, a
maximum utilization of 50% is allowed when applying the well-tried safety
principles. However, since the B10 value of a contactor decreases with increasing
operating current, the information in the data sheet of a SIRIUS contactor is always
valid, even when applying ISO 13849-2.
If the device manufacturer does not provide information on the B10 value, the user
has two more options.
For this purpose, ISO 13849-1, chapter 4.5.2, describes the following hierarchical
procedure:
1. Using manufacturer’s data
2. Using methods in Annex C and D:
see e.g. table C.1 – Contactors with nominal load → B10D = 1.300.000
3. Choosing 10 years as MTTFD
However, the user should always question whether the device is actually suitable
for use in safety-related applications, if no information on the B10 value is provided
by the device manufacturer.
MTTFD is determined based on B10D and the actuations per year nop:
B10D
MTTFD =
0,1 x nop
In turn, nop is determined on the basis of the average operating time in days per
year (dop), the average operating time in hours per day (hop) and the average
operating time between two consecutive cycles (tcycle):
ISO 13849-1 does not accept an MTTFD value of a channel greater than 100 years,
because safety-related component for high risks should not depend on component
reliability alone.
Consequently, the MTTFD is limited to 100 years. An exception to this is category
4, where the limit on the MTTFD of any channel is not until 2500 years.
If the calculated MTTFD is not sufficient to achieve the SIL/PL required by the risk
assessment, the user is left with the following alternatives:
1. Using a separate contactor for operational switching:
Often, a high level of switching frequency is caused by the simultaneous use of
a contactor for both operational and safety switching. This can be remedied by
outsourcing operational switching to another contactor. This relieves the
contactors responsible for safety-related switching and results in a higher
MTTFD.
2. Requesting a load-dependent B10 value:
If the safety function itself is responsible for the high switching frequency or if
operational switching cannot be outsourced, it is possible to request a load-
dependent B10 value via Technical Support (siemens.com/SupportRequest). If
the contactor is operated below 66 % of the rated operational current, a partly
considerably higher B10 value results. If the contactor is even de-energized by
© Siemens AG 2022 All rights reserved
After the MTTFD has been determined, the PL achieved and the resulting PFHD
can be read off in table K.1 of ISO 13849-1.
Category 3 and 4
By using SIRIUS contactors according to category 3, a PL d can be achieved.
To implement a category 3 according to ISO 13849-1, basic and well-tried safety
principles must also be applied. The use of well-tried components is not
mandatory.
In addition to the quality of the device, represented by at least a low MTTFD, the
diagnostic mechanisms of the subsystem are decisive for the safety integrity of a
subsystem in category 3. These are represented by the diagnostic coverage DC (or
DCavg). Its determination for a power contactor used as a switch-off device is
explained in the chapter Feedback circuit monitoring. For category 3, at least a low
DC is required.
The calculation of the MTTFD for power contactors is analogous to the procedure
shown for category 1, with the difference that the calculation must be performed
here for both redundant contactors. The MTTFD of both channels must be at least
low.
In the specific case that different MTTFD values have been calculated for the two
redundant contactors, there are two possibilities for symmetrizing the "MTTF D for
each channel" (see first column of table K.1 of ISO 13849-1):
• the smaller value should be considered as a worst case assumption;
• Equation D.2 can be used to estimate a surrogate value for MTTF D for
each channel:
© Siemens AG 2022 All rights reserved
One reason for different resulting MTTFD values of the redundant contactors may
be the use of one of the two for operational switching, since this results in a higher
number of switching cycles per year (nop) for one of the contactors.
After determining the MTTFD for each channel and the diagnostic coverage, the PL
achieved and the resulting PFHD can be read in Table K.1 of ISO 13849-1.
Finally, the fulfillment of the CCF measures (Common Cause Failure) must still be
confirmed by a point system. Estimates of common cause failures are not
significantly specific to contactors and are therefore not considered in detail in this
documentation. Guidance on this can be found in Annex F of ISO 13849-1 or
Annex F of IEC 62061.
Figure 7: IEC 62061, table 3 – Safety Integrity Levels: Specified failure tolerances
In IEC 62061, the architecture of the safety function is directly considered in the
calculation of the probability of failures. Depending on the architecture, the
calculation becomes very complex, which illustrates the advantage of using ISO
13849-1. To calculate the resulting PFHD value, a different formula must be applied
depending on the subsystem architecture used (see IEC 62061, chapter 6.7.8.2).
The two most common formulas are listed below as examples:
1. Basic subsystem architecture A: Zero fault tolerance without diagnostic
function
PFHD = λD
➔ corresponds to category 1 according to ISO 13849-1
2. Basic subsystem architecture D: Single fault tolerance with diagnostic
function(s) for subsystem elements of the same design (e.g. two redundant
contactors)
T2
PFHD = (1-β)2 x {(2 𝑥 𝐷𝐶 𝑥 λD 2 ) 𝑥 + λD 2 𝑥 ( 1 − 𝐷𝐶) 𝑥 T1 } + 𝛽 𝑥 λD
2
➔ corresponds to category 3 or 4 (depending on DC) according to ISO
13849-1
T2 is the diagnostic test interval and T1 is the minimum of the proof test interval and
the service life.
β corresponds to the susceptibility to common cause failures and is the equivalent
of the CCF from ISO 13849-1. Table F.2 of IEC 62061 shows the conversion of the
two quantities into each other.
Figure 8: IEC 62061, table E.2 – Criteria for estimation of CCF (β)
In turn, the safe failure fraction (SFF) is similar to the diagnostic coverage (DC)
with the difference that it includes the safe failures, such as the inability of the
contactor to be reenergized. Therefore, in a worst case assumption, SFF = DC can
always be assumed.
The chapter Feedback circuit monitoring shows that a high degree of diagnostic
coverage can be assumed by checking the plausibility of the mirror contacts of two
contactors in a redundant architecture. This diagnostic mechanism is very
widespread in the use of contactors and has no alternative in most cases. If, for
example, a SIL 2 or PL d (category 3) is required by the risk assessment, the
feedback circuit monitoring must be performed for the two redundant contactors in
order to meet the required - albeit low - diagnostic coverage. However, from the
statement made above (feedback loop monitoring always results in a high DC), it
follows that this always results in category 4 and thus PL e or SIL 3 being
achieved. This is the reason why almost all application examples with contactors
as actuators in SIOS (Siemens Industry Online Support) reach either SIL 1 / PL c
or SIL 3 / PL e. An exception is the combination of a contactor with a circuit breaker
in category 2. A closer look at this topic is shown in the chapter Combination of a
contactor with a circuit breaker.
The break time of a contactor is defined as the time that elapses from the removal
of the coil voltage (at A1/A2) until the opening of the main contacts. It is composed
of the opening delay of the main contacts and the arcing time.
For the SIRIUS contactor 3RT1054-1AB36, for example, this results in a break time
in the range between 50 and 75 ms. When calculating the total response time, the
worst of the individual values must always be taken into account - in this case 75
ms.
The break time of the contactor (= the opening delay of the normally open
contacts) increases if the contactor coils are attenuated against voltage peaks.
More detailed information on this can be found in the chapter Surge suppression.
When using a feedback circuit monitoring, the closing delay of the normally closed
© Siemens AG 2022 All rights reserved
contacts (mirror contacts) must be taken into account in addition to the break time
of the main current contacts when parameterizing the evaluation unit. This is
explained at the end of the following chapter.
defect. This is contrasted with a larger number of inputs required and an increased
programming effort.
As an example, the feedback circuit monitoring of two redundant contactors by a
SIRIUS 3SK2 safety relay is shown below.
In safety applications, only the last devices of the safety chain must be read back
for feedback circuit monitoring. In safety applications in which a coupling level is
required to control a contactor, it would therefore be sufficient to read back only the
power contactors (figure below: Q1 and Q2). A failure of the coupling level would
be transmitted to the power contactors, which in turn would be diagnosed by the
evaluation unit, thus ensuring a safe state of the machine. Reading back the
positively driven contacts of the auxiliary contactors or coupling relays (figure
below: Q1.1 and Q2.1) in series with the mirror contacts of the power contactors is
nevertheless recommended to ensure the fastest possible fault response time.
When using an F-PLC as an evaluation unit, the NC contact does not necessarily
have to be read back to a safe input (F-DI) – a standard input (DI) is also sufficient
in most applications.
In the following cases, connection of the feedback circuit to an F-DI may be useful
or advisable:
• Single-channel design of the actuator system but nevertheless requirement
of a high degree of diagnostic coverage.
• Certain diagnostic functions (e.g. STEP 7 module "FDBACK") are not
possible.
• Use of a fail-safe module in the decentralized periphery in order to use the
safety mechanisms of PROFIsafe.
For more information on feedback circuit monitoring with an F-PLC, refer to the
following application example:
https://support.industry.siemens.com/cs/ww/en/view/21331098
In circuit diagrams, NC contacts that meet the requirements of a mirror contact are
shown with a dot.
© Siemens AG 2022 All rights reserved
For auxiliary contactors and coupling relays, this product characteristic is called
"positive guidance".
Positively guided (or positively driven) contacts according to Annex L of IEC
60947-5-1 are a combination of normally open and normally closed contacts
designed so that they cannot be closed at the same time.
In circuit diagrams, contacts that meet the requirements of positive guidance are
shown connected by a double line.
Only auxiliary contacts that are included in switchgear and for which the actuating
forces are generated internally are eligible for the positive guidance feature.
Examples of components with positive guidance are the SIRIUS 3RH auxiliary
contactors and the SIIRUS 3RQ1 positively driven coupling relays.
The standard describes a mirror contact as an auxiliary contact connected to a
contactor´s main contact to avoid any confusion with the positively driven contacts
© Siemens AG 2022 All rights reserved
of the contactor relays. However, this does not prevent an auxiliary contact from
meeting both requirements.
Figure 18: Closing delay of a mirror contact using the example of a contactor 3RT1054-
1AB36
The switch-off time of a contactor (= opening delay of the NO contacts) and the
closing delay of the NC contacts increase if the contactor coils are damped against
voltage peaks using protective circuits. More detailed information on this can be
found in the chapter Surge suppression.
Based on one of the examples of the SIAM, the functionality of the Safety
Evaluation in the TIA Selection Tool is explained below.
As in previous chapters, the example consisting of an emergency stop, a SIRIUS
3SK2 safety relay and two redundant contactors is discussed. The associated
SIOS article is available on the Internet at:
https://support.industry.siemens.com/cs/ww/en/view/109479271
© Siemens AG 2022 All rights reserved
Figure 19: Emergency stop shutdown to SIL 3 or PL e with a 3SK2 safety relay
Operating principle:
The safety relay monitors the emergency stop command device on two channels.
When the emergency stop command device is actuated, the safety relay opens the
enabling circuits and switches the power contactors off in a safety-related way.
If the emergency stop command device is unlatched and the feedback circuit is
closed, the Start button can be used to switch on again.
The Safety Evaluation in the TIA Selection Tool offers the possibility to perform the
calculation of the safety chain according to ISO 13849-1 (PL) as well as according
to IEC 62061 (SIL). In the example project, all components are therefore designed
in both standards.
If "IEC 62061" is selected as the standard in the first line when creating a SIRIUS
contactor, the architecture of the component must first be selected. The application
property "Category" does not exist in IEC 62061. Even if this contactor, together
with a second one, is to be used ultimately in a redundant one, "1 channel" is
selected first when creating it.
The values for B10, RDF and T1 (service life, mission time) are already stored.
Next, the number of operations per time unit (test interval, switching cycles) must
be specified. Since the contactor in the example is used exclusively for switching
off in the event of an emergency stop and not for operational switching, a switching
cycle of once per week is assumed.
Furthermore, the check mark must be set for "Use of tried-and-tested
components". The combination of this with "1 channel" above is equivalent to
category 1 according to ISO 13849-1.
The results of the calculations are displayed in the lower part of the window.
Instead of the MTTFD, IEC 62061 uses the λD as an intermediate result to the SIL.
The PFHD is calculated by a formula from the λD and the DC of the individual
components. The resulting SIL in turn depends only on the PFH D. The calculation
mechanisms are therefore more complex in IEC 62061 and are based on pure
formulas. Therefore, the use of the Safety Evaluation in the TIA Selection Tool
offers additional advantages when designing according to IEC 62061.
The second contactor was designed analogously.
contactors, 99 % is specified for the DC in the next two lines. A high diagnostic
coverage furthermore results in selection of category 4.
Finally, the fulfillment of the CCF (Common Cause Failure) measures must still be
confirmed by a point system. Common cause failure estimates are not significantly
specific to contactors and are therefore not considered in detail in this
documentation. Guidance on this can be found in Annex F of ISO 13849-1.
As a result, the window provides the PFH D of the two-channel subsystem and the
resulting PL.
© Siemens AG 2022 All rights reserved
In the case of IEC 62061, the test interval for the two contactors must be specified
again for the opening window in addition to the DC. Since in this example there are
no switching cycles beyond the regular emergency stop actuations, the value of
one actuation per week, which was specified when the individual contactors were
created, is entered again.
The CCF measures are - in comparison to the point system in ISO 13849-1 -
qualified with a factor in IEC 62061.
As a result, the window provides the PFH D of the two-channel subsystem as well
as the resulting SIL.
Due to the possibility of direct connection to the output of a fail-safe controller (F-
PLC), these contactors are also called F-PLC-IN contactors. They can be identified
by the yellow marked terminal or coil cover of the fail-safe control input.
Unlike standard contactors in this power class, the above contactors have a fail-
safe control input in addition to the conventional coil (terminals A1/A2). Compared
to the coil, this requires a much lower closing and closed current (approx. 5 mA vs.
up to > 5 A depending on the power class), which allows operation directly on fail-
safe 24 V DC outputs of safety relays and fail-safe controllers. While the contactor
is switched via the fail-safe control input, the coil contacts (A1/A2) are permanently
supplied with the corresponding voltage.
Figure 26: Safety application with standard contactors and coupling level
© Siemens AG 2022 All rights reserved
Figure 27: Safety application with contactors with fail-safe control input
Since SIRIUS contactors with fail-safe control input contain additional electronics
compared to standard contactors, they cannot be regarded as purely
electromechanical components. Consequently, they do not fall under device type 3
(see Device types according to VDMA standard sheet 66413) and cannot be used
as well-tried components according to ISO 13849-2. A calculation via B10 value
and ratio of dangerous failures (RDF) is therefore not possible.
SIRIUS contactors with fail-safe control input contain components that cannot be
evaluated by the user. Therefore, they fall under device type 1 and are delivered by
Siemens with a certification as well as ready PDHD and SIL / PL.
For the user, this makes the calculation of the safety integrity much easier
compared to the use of a standard contactor.
© Siemens AG 2022 All rights reserved
Figure 28: Safety related data of a SIRIUS contactor with fail-safe control input (3RT1056-
6SF36)
As can be seen from the data sheet, PL c and SIL 2 can be achieved with a single
SIRIUS contactor with fail-safe control input. This combination may seem wrong at
first glance, as the equivalent to a PL c is normally a SIL 1. In contrast to ISO
13849-1, which requires at least category 2 for a PL d and thus does not permit a
single-channel architecture, IEC 62061, according to its table 5, allows a SIL > 1 to
be achieved even with a single channel with HFT (hardware fault tolerance) = 0. A
prerequisite for fulfilling SIL 2 in a single-channel architecture is a safe failure
fraction (SFF) ≥ 90 %. The SFF is a value determined by the device manufacturer
that considers all failures within the device and was determined by an FMEDA
(Failure modes, effects and diagnostic analysis). According to the data sheet
above, the example contactor achieves an SFF of 93 %.
Notice:
The SIL certification of a type 1 device is always performed in accordance with IEC
61508, which is also included in the above data sheet. This standard describes the
requirements for safety-related devices and is used exclusively by the device
manufacturer. The user in turn applies IEC 62061 in order to be able to use and
evaluate the devices in the context of his safety application.
The fact that a B10 value can be found in the data sheet for SIRIUS contactors with
fail-safe control input despite their classification as device type 1 is due to the need
to calculate the wear-related service life. This is explained in the following chapter.
safety-relevant devices from Siemens. This means that after this period the device
must be replaced, as its characteristics are only guaranteed within this period.
Electromechanical components are subject to wear depending on the switched
load as well as the switching cycle. For devices containing electromechanics, a
separate wear-related service life must therefore be determined. This must be
done by the user, as only he knows the exact operating conditions of the device in
the safety application. All type 3 devices fall into this category, including relays and
contactors.
The wear-related service life T10D depends on the B10D value as well as the
actuations per year nop:
B10D
T10D =
nop
Alternatively, the MTTFD value calculated during the safety integrity calculation can
be used to determine T10D:
MTTFD
T10D =
10
The result of this calculation is compared with the T 1 value from the data sheet and
the device is replaced according to the smaller of the two values.
Type 1 devices also exist for which a wear-related service life must be determined.
Basically, whenever electromechanical components are included in a device, the
T10D value must be calculated by the user and compared with the T1 value –
regardless of whether the device is certified (incl. PFHD and SIL / PL) or not.
Examples of certified type 1 devices for which a calculation of the T 10D must be
performed are SIRIUS 3SK1 safety relays (only those with relay outputs) or fail-
safe relay output modules of the ET 200SP (F-RQ). The F-PLC-IN contactors
presented in the previous chapter also fall into this category because, although
they are certified, their main current contacts are still subject to wear depending on
the switched load as well as the switching cycle.
A sure indication of the need to determine a wear-related service life for a safety-
related device is the presence of a B10 value in its data sheet.
Results:
➔ B10D = 1.369.863
➔ MTTFD = 263.435 years (high, limited to 2500 years for Cat. 4)
➔ T10D = 26.343,5 years (T1 < T10D)
➔ Max. service life = T1 = 20 years
➔ DC ≥ 99% (high) due to feedback circuit monitoring
➔ PFHD = 9,06 x 10-10 and PL e according to table K.1 of ISO 13849-1
As already seen in the example of the chapter Safety Evaluation with TIA Selection
Tool, the calculation of the T10D value is also taken by the Safety Evaluation.
Figure 33: Wear-related service life of a SIRIUS contactor in Safety Evaluation with TIA
Selection Tool
Note:
The slight deviation of the MTTFD and T10D value calculated by the Safety
Evaluation is due to a rounding of the software when calculating the B10D value.
Figure 34: PFHD and PL of two redundant SIRIUS contactors in the Safety Evaluation with
TIA Selection Tool
In the example shown above, a low switching cycle is required by the safety
application. This results in a high MTTFD value as well as a high wear-related
service life (T10D). The fact that T10D always corresponds to one tenth of the
MTTFD can lead to cases where the calculated MTTFD is sufficient to achieve the
required safety integrity, but the corresponding T10D leads to the impractical
necessity of replacing the contactor several times within the lifetime of the
machine.
To illustrate such a case, another example calculation follows.
Results:
➔ B10D = 1.369.863
➔ nop = 422.400 cycles / year
➔ MTTFD = 32,43 years (high)
➔ T10D = 3,243 years (T1 > T10D)
➔ Max. service life = T10D = 3,243 years
➔ DC ≥ 99% (high) due to feedback circuit monitoring
➔ PFHD = 9,06 x 10-10 and PL e according to table K.1 of ISO 13849-1
From these results, it would follow that the contactors would need to be replaced
every approximately three years.
The recommendation at this point would be to question the background of the high
switching cycle. Does it result from the fact that the two contactors (or one of them)
are also used for operational switching? If so, outsourcing to a third contactor can
lead to a significant increase in the wear-related service life.
A second way to increase T10D would be to request a load-dependent B10 value. If
the safety function itself is responsible for the high switching frequency or if the
operational switching cannot be outsourced, it is possible to request a load-
dependent B10 value via Technical Support (siemens.com/SupportRequest). If the
contactor is operated below the 66 % of the rated operational current, a partly
considerably higher B10 value results. If the contactor is even de-energized by a
prior disconnection of the load by another switching device, the B10 value
increases even umpteen times.
© Siemens AG 2022 All rights reserved
Both the semiconductor and the relay outputs of the 3SK safety relays are basically
pp-switching, although in the variants with relay outputs they can also be wired pm-
switching by using two pp-switching relay outputs to connect an actuator.
© Siemens AG 2022 All rights reserved
With the SIMATIC F-PLC, there are fail-safe pm and pp output modules as well as
combined ones (ppm), for which it is possible to set in the engineering how they
act.
Figure 36: Actuator circuit up to PL c according to ISO 13849-1 or SIL 1 according to IEC
62061
Figure 37: Actuator circuit up to PL e according to ISO 13849-1 or SIL 3 according to IEC
62061
Figure 38: Actuator circuit with protected wiring up to PL e according to ISO 13849-1 or
SIL 3 according to IEC 62061
Protected routing of the control lines from the output (14, Qx) to the
relays/contactors (A1 of Q1 and Q2) is characterized by cross-circuit and short-
circuit protection.
This can be ensured by a separately sheathed cable or routing in a separate cable
duct.
Another possibility for protected wiring is to use the two devices to be connected
(evaluation unit and contactor) within a control cabinet. The coupling between
© Siemens AG 2022 All rights reserved
Figure 39: Safety-relevant parameters of a SIRIUS contactor with fail-safe control input
(3RT1056-6SF36)
The value for the probability of failure is often given in "FIT". Failure in Time
describes the failure rate of technical components, in particular electronic
components. The unit FIT indicates the number of components that fail in 10 9
hours.
Thus: 1 FIT = 1 x 10-9 failures / hour.
For the use of SIRIUS standard contactors (device type 3) in the process industry
(low demand rate), the following parameters are required:
• RDF (this characteristic is important for both low and high demand rate,
but it is different for both cases).
• FIT
The selection of the SIRIUS contactor suitable for the respective safety application
is primarily based on the load to be switched.
SIRIUS contactors are identified by the utilization category in conjunction with the
rated operational current or motor power and the rated voltage.
The TIA Selection Tool guides users quickly and conveniently to error-free device
selection and configuration in any automation project. Among other things, it
includes a configurator to help select the right SIRIUS contactor.
More information and the tool are available on the Internet at:
www.siemens.com/tst
When selecting the right contactor for the respective safety application, the well-
tried safety principle of overdimensioning must be observed from PL c or SIL 1
(see chapter Calculation of contactors in safety applications).
Accordingly, when applying ISO 13849-1 and a required PL ≥ c, the current
conducted through the switching contacts may be less than half of the current
rating.
When applying IEC 62061 and a required SIL ≥ 1, an oversizing factor of 1.5 must
be applied. Consequently, the current conducted through the switching contacts
must be less than 66 % of the current rating.
The above information on overdimensioning with regard to the current rating can
be applied to the rated power of the contactor using the same percentage values.
The following control or drive variants are available for the 3RT203 and 3RT204
contactors:
• 3RT20..-.A: Standard actuator for AC operation
• Electronic drive:
For contactors with electronic drive, the overvoltage damping of the drive
coil is already integrated in the electronics.
The following variants are available:
- 3RT20..-.K: Coupling contactors with adapted power consumption;
suitable for electronic PLC/F-PLC outputs with 2 A (DC 24 V)
- 3RT20..-.N..: Variants with electronic wide-range actuator and
universal actuating voltage (AC or DC operation); contactors with
reduced closing and closed power
- 3RT20..-.S: Actuation only with fail-safe control input (F-PLC-IN,
DC 24 V) to simplify safety applications (without operating mode
selection); in this case the contactor is switched via the control
input with a few milliamps, while the actuator (A1/A2) is
permanently supplied.
The drives of the SIRIUS 3RT10 contactors are supplied via a supply voltage with
an operating range of 0.8 to 1.1 x Us, optionally also controlled depending on the
selected operating mode. Different nominal voltage ranges are available for AC/DC
© Siemens AG 2022 All rights reserved
control.
The following control or drive variants are available for the contactors 3RT105 to
3RT107:
• 3RT10..-.A:
Standard drive for AC and DC operation (reduction of closing and closed
power)
• Electronic drive:
For contactors with electronic drive, the overvoltage damping of the drive
coil is already integrated in the electronics.
The following variants are available:
- 3RT10..-.N: With two operating modes: direct control or via PLC
input (DC 24 V)
- 3RT10..-.P: Control only via PLC input (standard PLC-IN,
DC 24 V), but additionally with residual life time signal (RLT)
- 3RT10..-.S: Control only with fail-safe control input (F-PLC-IN, DC
24 V) to simplify safety applications (without operating mode
selection); here the contactor is switched via the control input with
a few milliamps, while the actuator (A1/A2) is permanently
supplied.
Figure 43: Additional permanently mounted auxiliary switches using the example of a
standard contactor as well as an F-PLC-IN contactor
The break times of the contactor (= the times of the opening delay of the NO
contacts) and those of the closing delay of the NC contacts increase if the
contactor coils are damped against voltage peaks. Different accessories are
available for the SIRIUS contactors, each of which causes a different time change:
• Interference suppression diode: 6- to 10-fold
• Diode assemlby: 2 to 6-fold
• Suppressor diode: +1 to +5 ms
• Varistor: +2 to +5 ms
When parameterizing the feedback circuit monitoring time in the evaluation unit,
the break time of the contactor must be taken into account (see chapter Feedback
circuit monitoring). When using one of the above-mentioned circuits for damping
the contactor, the extended break time must be taken into account when
parameterizing the feedback circuit monitoring time in the evaluation unit, as
otherwise unwanted feedback circuit faults may occur.
© Siemens AG 2022 All rights reserved
4 Combined applications
4.1 Reversing contactor assembly
In general, reversing contactor assemblies can be used for safety-related switch
off.
For applications up to SIL 1 according to IEC 62061 or PL c according to ISO
13849-1, it is sufficient to consider the motor contactors for clockwise and
counterclockwise rotation. This means that both are to be switched safety-related
and monitored via the mirror contact (NC contact) in the feedback circuit. Feedback
circuit monitoring for SIL 1 / PL c is not mandatory but recommended. When
calculating the achieved safety integrity, in turn, the consideration of a single
contactor is sufficient as an example for both. If the switching cycle is higher for
one of the two contactors (clockwise or counterclockwise rotation), it must be
ensured that the contactor with the higher switching cycle is considered. The wear-
related service life must be determined separately for both contactors.
In addition to separate SIRIUS contactors, the 3RA23 reversing contactor
assembly can also be used. Completely wired 3RA23 reversing contactor
assemblies are available up to 55 kW. They consist of two contactors of the same
rating with an auxiliary NC contact (for 3RT201) or an NO and an NC contact (for
3RT202, 3RT203 and 3RT204). The contactors are mechanically and electrically
interlocked with each other (NC contact interlock). Optionally, there are also
reversing contactor assemblies with an interface to IO-Link or AS-Interface.
© Siemens AG 2022 All rights reserved
Figure 44: 3RA23 reversing contactor assembly with 3SK1 safety relay up to SIL 1 or PL c
contactor (Q1) is required in the design - two contactors must always switch (either
Q1 + Q2 or Q1 + Q3) for the motor to start. An additional, fourth contactor is
therefore not necessary.
The correct function of all three contactors must be monitored by means of the
mirror contacts (NC contacts) (feedback circuit monitoring mandatory from SIL 2 /
PL d). Care must be taken to ensure that sufficient mirror contacts (NC contacts)
are available for feedback circuit monitoring when connecting the reversing
combination.
When calculating the achieved safety integrity, it is sufficient to consider the
superior contactor (Q1) and one of the two reversing contactors (Q2 or Q3,
exemplary for both). Thus, a two-channel architecture consisting of two redundant
contactors is calculated. If the switching cycle is higher for one of the two reversing
contactors (clockwise or counterclockwise), it must be ensured that the contactor
with the higher switching cycle is considered. The wear-related service life must be
determined separately for all three contactors.
To avoid common cause failures (CCF), the control cables to the contactors must
be routed separately or similar measures must be taken (see chapter Cable
installation).
© Siemens AG 2022 All rights reserved
Figure 45: Reversing combination with separate contactors and 3SK1 safety relay up to
SIL 3 or PL e
Figure 46: 3RA23 reversing contactor assembly with 3SK1 safety relay up to SIL 3 or PL e
Figure 48: Star-delta reversing combination with 3SK1 safety relay up to SIL 3 or PL e
The diagnostic coverage (DC) can be assumed to be 90% - 99% (medium). This is
justified in the following:
The diagnostic capability of the power contactor can be assumed to be 99 % due
to its mirror contacts. It must be taken into account that this diagnostic capability
alone can trigger or even prevent the fault reaction. It is imperative to take this fact
into account. Therefore, an additional worst case consideration should be made by
reducing the diagnostic coverage from the original 99 % to 90 % and increasing the
associated dangerous failure rate accordingly.
Under certain conditions, diagnostics may be possible for a circuit breaker. This
requires dynamic monitoring of the circuit breaker during closing and opening. This
is possible by means of an F-PLC with a corresponding remote motorized
operating mechanism for restarting the circuit-breaker. This is described in detail in
the following FAQ:
https://support.industry.siemens.com/cs/ww/en/view/109483115
In this case, a higher level of safety integrity can be achieved.
For the category 2 architecture, the calculation of the MTTFD and the DC only
considers the function channel (contactor) and not the test channel (circuit
breaker). The circuit breaker therefore has no influence on the safety evaluation.
However, it is checked whether the circuit breaker can basically withstand the
© Siemens AG 2022 All rights reserved
A possible safety application including circuit diagram and safety evaluation file is
shown in the application example “Emergency stop shutdown to SIL 2 or PL d with
a SIRIUS 3SK1 safety relay“:
https://support.industry.siemens.com/cs/ww/en/view/38472027
Figure 49: Application example: Emergency stop shutdown to SIL 2 or PL d with a SIRIUS
3SK1 safety relay
A detailed description of the various options for using a 3RW soft starter in a safety
application is provided in the FAQ “3RW Soft Starter: Safe switching acc. IEC
62061 (SIL) rep. ISO 13849-1 (PL)“:
https://support.industry.siemens.com/cs/ww/en/view/67474130
Figure 50: Frequency converters without and with integrated safety technology
If the frequency converter itself cannot contribute to the safety chain, upstream and
downstream contactors can be used to safely shut down the machine in the event
of a safety requirement, regardless of the status of the converter. A connection
upstream (on the line side) or downstream of the converter (on the motor side)
results in different advantages and disadvantages, which will be explained during
this chapter.
Like the 3RW soft starter, frequency converters are also available as variants
certified for use in safety applications (device type 1). If a converter is only certified
up to SIL 1 or PL c or up to SIL 2 or PL d, the reaction subsystem can be upgraded
up to SIL 3 or PL e through the redundant use of a contactor. This scenario is
described below for a SINAMICS converter certified up to SIL 2 or PL d.
The drive is stopped by the fail-safe evaluation unit (in the following example, an F-
PLC) – e.g. after a safety sensor has responded (not shown in the following
figures). For this purpose, the drive-integrated safety function Safe Torque Off
(STO) is triggered via a safe output of the evaluation unit on the SINAMICS
converter, if necessary, with preceding rapid braking function (SS1). It is not
necessary to read back the status feedback into the F-PLC as diagnostics are
implemented internally (crosswise data comparison of the two switch-off paths and,
if an error is detected, initiation of an error response that leads to the safe state).
However, regular forced dynamization (e.g. every 8 hours) by selecting the function
is required.
A power contactor is provided as a second independent shutdown channel in
addition to the SINAMICS safety function. Its positively driven auxiliary contact
(mirror contact, NC contact) is read back into the evaluation unit. In order to detect
errors in the second channel, the evaluation unit checks whether the feedback
assumes correct levels after the safety function has been selected and deselected.
When STO is activated on the SINAMICS, a pulse inhibit is triggered in the
converter on the motor side and the current is thus immediately switched off
electronically. For the contactor to switch without current and thus with less wear, it
makes sense for the fail-safe evaluation unit to briefly delay the switch-off of the
contactor. However, as a second independent shutdown path, the contactor must
be able to switch the load current in the event of failure of the first channel
(converter) and must therefore be designed accordingly. The delay time of the
contactor must be taken into account when determining the response time of the
safety function.
© Siemens AG 2022 All rights reserved
Advantage:
• The contactor can be designed for resistive load (AC1).
Disadvantages:
• Due to the energy stored in the intermediate voltage circuit, residual motion
can still occur after the line contactor is switched off if the drive-integrated
safety function fails. This must be considered in the risk assessment.
• The contactor must be designed for the continuous thermal current of the
drive reps. drives.
• After switching off, the intermediate circuit capacitors are discharged.
Therefore, the precharge time of the converter must be waited for before
the drive is switched on again.
• This variant is generally only suitable for single drives. In the case of a
multi-motor drive with a common supply, the power supply to all connected
drives would be switched off together with the line-side contactor.
Variant 2: Power contactor on the output side between motor and converter
Variant 2 describes a SINAMICS S120 multi-axis system with contactors on the
output side.
Advantages:
• Suitable for single and multiple motor constellations, as each drive can be
disconnected individually.
• The intermediate circuit remains on the mains and thus precharged,
therfore no thermal load on the components involved and no time delay
when switching back on.
Disadvantages:
• The contactor must be able to switch a DC current with inductive load
(motor winding) in the worst case. At very low speed or at speed setpoint
0, the converter impresses a current with a very low frequency, which acts
like a direct current for the contactor.
• The contactor must be designed for the continuous thermal current of the
drive.
effect of the non-safety-related devices on the safety function. Only the contactors
used for shutdown in the event of a safety requirement are considered in the safety
calculation.
An example of the combination of non-safety-related devices with contactors to
meet up to SIL 3 or PL e is shown in the following example. It comes from the FAQ
“3RW Soft Starter: Safe switching acc. IEC 62061 (SIL) rep. ISO 13849-1 (PL)“:
https://support.industry.siemens.com/cs/ww/en/view/67474130
© Siemens AG 2022 All rights reserved
Figure 53: Safe shutdown of a standard soft starter application by two redundant
contactors up to SIL 3 / PL e
5 Appendix
5.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire
service and support know-how and portfolio.
The Industry Online Support is the central address for information about our
products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos
– all information is accessible with just a few mouse clicks:
support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you fast and competent
support regarding all technical queries with numerous tailor-made offers
– ranging from basic support to individual support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest
© Siemens AG 2022 All rights reserved
Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog
web page:
support.industry.siemens.com/cs/sc
The Siemens Industry Mall is the platform on which the entire siemens Industry
product portfolio is accessible. From the selection of products to the order and the
delivery tracking, the Industry Mall enables the complete purchasing processing –
directly and independently of time and location:
mall.industry.siemens.com
https://support.industry.siemens.com
\2\ Link auf die Beitragsseite des Anwendungsbeispiels
https://support.industry.siemens.com/cs/ww/de/view/109807687
\3\ EN ISO 13849-1:2015
Safety of machinery – Safety-related parts of control systems – Part 1: General
principles for design (prepared by Technical Committee ISO/TC 199 “Safety of
machinery” in collaboration with Technical Committee CEN/TC 114 “Safety of
machinery”)
\4\ EN ISO 13849-2:2012
Safety of machinery – Safety-related parts of control systems – Part 2: Validation
(prepared by Technical Committee ISO/TC 199 “Safety of machinery” in
collaboration with Technical Committee CEN/TC 114 “Safety of machinery”)
\5\ IEC 62061 (Edition 2.0, 2021-03)
Safety of machinery – Functional safety of safety-related control systems (prepared
by IEC technical committee 44: Safety of machinery – Electrotechnical aspects)
\6\ VDMA standard sheet 66413:2012-07
Funktionale Sicherheit – Universelle Datenbasis für sicherheitsbezogene Kennwerte
von Komponenten oder Teilen von Steuerungen