Safety · 11 min

Safety PLC & Machinery Directive: What Automation Engineers Really Need to Know

Functional safety is not bureaucratic overhead but sound engineering with clear rules. We explain PL, SIL, SISTEMA, and the most important safety functions in practical terms.

The Legal Foundation: Machinery Directive and Its Successor

EU Machinery Directive 2006/42/EC is the cornerstone of machine safety in Europe. It defines the essential health and safety requirements (EHSRs) that every machine manufacturer must fulfil before placing a product on the market. Note what CE marking is: the manufacturer's own declaration that the machine conforms to those requirements, backed by the technical file. It is not a certificate issued by a third party and it does not certify that the machine is safe, only that the manufacturer claims compliance and can prove it.

Important: Regulation (EU) 2023/1230, the new Machinery Regulation, replaces the directive. As a regulation it applies directly in every member state without national transposition, and it becomes mandatory on 20 January 2027. Key changes: requirements for machines whose safety behaviour is self-evolving (AI-based), explicit protection of safety functions against corruption via network connections and against tampering with safety software (the first cybersecurity requirements in machinery law), digital instructions, and an expanded scope. Anyone developing machines today should already design against the new regulation, because a machine placed on the market after that date must comply with it.

Performance Level (PL) per EN ISO 13849-1

Performance Level describes the ability of the safety-related parts of a control system (SRP/CS) to perform a safety function under foreseeable conditions. It is quantified as the average probability of a dangerous failure per hour (PFH). Five levels:

  • PL a: Very low requirements (10⁻⁵ ≤ PFH < 10⁻⁴ per hour)
  • PL b: Low requirements (3×10⁻⁶ ≤ PFH < 10⁻⁵)
  • PL c: Medium requirements (10⁻⁶ ≤ PFH < 3×10⁻⁶)
  • PL d: High requirements (10⁻⁷ ≤ PFH < 10⁻⁶); typical for industrial robots (EN ISO 10218 requires PL d, Category 3, by default)
  • PL e: Very high requirements (10⁻⁸ ≤ PFH < 10⁻⁷); e.g. mechanical presses

The required PL (PLr) is determined from the risk assessment (EN ISO 12100) with the risk graph of EN ISO 13849-1, using three parameters: severity of injury (S1 slight, S2 serious or fatal), frequency and duration of exposure (F1 seldom, F2 frequent), and possibility of avoiding the hazard (P1 possible, P2 scarcely possible). S2/F2/P2 leads to PLr e, S1/F1/P1 to PLr a.

SIL Levels per IEC 62061 and IEC 61508

Safety Integrity Level (SIL) is the IEC counterpart of PL. Machinery uses three levels (SIL 1 to 3), each defined by a PFH range: SIL 1 from 10⁻⁶ to below 10⁻⁵, SIL 2 from 10⁻⁷ to below 10⁻⁶, SIL 3 from 10⁻⁸ to below 10⁻⁷ per hour. Correspondence per EN ISO 13849-1:

  • PL a: no SIL equivalent
  • SIL 1 ≈ PL b and PL c
  • SIL 2 ≈ PL d
  • SIL 3 ≈ PL e

IEC 62061 applies specifically to control systems in machines; IEC 61508 to general functional safety. In machine building, EN ISO 13849-1 (PL) is by far the more widely used standard.

SISTEMA: The Free Calculation Tool

SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) is a free tool from the IFA (Institute for Occupational Safety and Health of the DGUV). It calculates the achievable PL based on the components used and their interconnection. Inputs:

  • Category (B, 1, 2, 3, 4) per EN ISO 13849-1: the structure of the subsystem (single-channel or two-channel, with or without monitoring)
  • MTTFd (Mean Time to Dangerous Failure) per channel, from component data sheets; for electromechanical parts (contactors, switches) derived from B10d and the number of operations per year (nop)
  • DC (Diagnostic Coverage): the fraction of dangerous failures the diagnostics detect, averaged over the subsystem as DCavg
  • CCF (Common Cause Failure): the measures against common cause failures, scored per Annex F; Categories 2 to 4 require at least 65 of 100 points

SISTEMA delivers the PL verification as a PDF report. Archive it together with the data sheets and manufacturer component libraries it was computed from; the report is part of the technical file for CE marking and is only as credible as its inputs.

Siemens S7-1500F and ET 200SP F

The F variants of the S7-1500 series (e.g. S7-1515F) are designed for safety-related applications. Every F-CPU executes the standard program and the safety program on the same CPU; the safety program is additionally protected by coded processing and the F-runtime checks. Key features:

  • F peripherals (ET 200SP F modules) communicate with the F-CPU via PROFIsafe, which detects corrupted, delayed, repeated, lost or misrouted safety telegrams
  • The safety program runs in one or two F-runtime groups, each called cyclically from its own F-OB; its code consists of F-FBs and F-FCs, with F-DBs for data
  • Safety instructions (ESTOP1, FDBACK, SFDOOR, etc.) for standard safety functions
  • Password protection for the safety program, plus an F-collective signature that identifies the accepted program state
  • Mandatory safety acceptance test after every change; a changed F-collective signature is the tell-tale that what is in the CPU no longer matches the accepted state

Important: the safety program must not be called from the standard program, and the standard program must not write to F-DBs. Data is exchanged through F-DBs (the safety program writes, the standard program reads) and through standard DBs or tags (the standard program writes, the safety program reads). Any value that comes from the standard program is not safety-related: it must be checked for plausibility inside the safety program before it influences a safety function, and it must never be the only condition that cancels a safety reaction.

Safety Functions per EN 61800-5-2

The most common safety functions for drive systems:

  • STO (Safe Torque Off): the drive no longer supplies torque-generating energy, so the motor cannot start or restart. Corresponds to stop category 0 per EN 60204-1 (uncontrolled stop): no braking, the motor coasts. On a vertical axis STO alone is not safe; combine it with SBC.
  • SS1 (Safe Stop 1): controlled deceleration to standstill, then STO. Corresponds to stop category 1 per EN 60204-1. Variants: SS1-t (STO after a fixed time), SS1-r (the deceleration ramp is monitored), SS1-d (the deceleration value is monitored).
  • SS2 (Safe Stop 2): deceleration, then the drive holds the position under closed-loop control (SOS, Safe Operating Stop). Corresponds to stop category 2. For processes that need a defined stopping point.
  • SLS (Safely-Limited Speed): monitors that speed does not exceed a configured limit; on violation the drive executes the configured stop reaction (typically STO or SS1). Enables setup mode without full standstill.
  • SBC (Safe Brake Control): safe output for a mechanical holding brake, normally triggered together with STO. The brake itself still needs a suitable safety rating and, where the risk assessment demands it, a periodic brake test.
  • SDI (Safe Direction): monitors the direction of rotation; movement in the forbidden direction beyond a small tolerance triggers the stop reaction.
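The monitoring behind three of these functions, as an added example (not drive-vendor firmware; the speed and position traces, the sampling model of one value per monitoring cycle, and the limits are constructed). It shows what SS1-r actually checks cycle by cycle, including the case where the drive never reaches standstill, which must also end in STO:

```python
"""Cycle-by-cycle monitoring for SS1-r, SLS and SDI over sampled drive signals.

Added example, not code from a drive manufacturer. The monitor receives one speed
(or position) value per monitoring cycle; traces and limits below are constructed.
"""
from typing import List, Optional, Tuple


def ss1_r(speeds: List[float], dt: float, decel: float,
          tolerance: float, standstill: float) -> Tuple[int, str]:
    """SS1-r (ramp-monitored Safe Stop 1).

    The stop request arrives at sample 0. From then on |speed| must stay below the
    expected ramp v(t) = v0 - decel*t plus `tolerance`. STO is requested at the first
    of: standstill reached, ramp violated, or trace ended without standstill (the drive
    did not stop, which is treated as a failure, not as success).
    Returns (sample index at which STO is requested, reason).
    """
    v0 = abs(speeds[0])
    for i, v in enumerate(speeds):
        expected = max(v0 - decel * i * dt, 0.0)
        if abs(v) <= standstill:
            return i, "standstill"        # normal end of SS1: now STO (and SBC, if fitted)
        if abs(v) > expected + tolerance:
            return i, "ramp_violated"     # drive not decelerating as required: STO now
    return len(speeds) - 1, "timeout"


def sls(speeds: List[float], limit: float) -> Optional[int]:
    """SLS: index of the first sample whose |speed| exceeds the limit, else None.
    The reaction to a violation (STO or SS1) is configured per axis in the drive."""
    for i, v in enumerate(speeds):
        if abs(v) > limit:
            return i
    return None


def sdi(positions: List[float], allowed_sign: int, tolerance: float) -> Optional[int]:
    """SDI: index of the first sample that moved more than `tolerance` against the
    allowed direction (allowed_sign = +1 or -1), else None. The reference position
    follows the axis only while it moves in the allowed direction."""
    ref = positions[0]
    for i, p in enumerate(positions):
        delta = allowed_sign * (p - ref)
        if delta < -tolerance:
            return i
        if delta > 0:
            ref = p
    return None


if __name__ == "__main__":
    # constructed traces: 100 rpm stop request, 200 rpm/s expected deceleration, 0.1 s cycle
    print(ss1_r([100, 80, 60, 40, 20, 2], 0.1, 200, 5, 3))   # (5, 'standstill')
    print(ss1_r([100, 80, 80, 80], 0.1, 200, 5, 3))           # (2, 'ramp_violated')
    print(sls([10, 12, 18, 9], 15))                            # 2
    print(sdi([0, 1, 2, 1.5, 0.5], +1, 1.0))                   # 4
```

The "timeout" branch is the part that is easy to get wrong in a real configuration: an SS1 that is only time-controlled (SS1-t) switches to STO after the delay regardless of speed, whereas a ramp-monitored SS1 has to decide what to do if the ramp ends and the axis is still turning. Both must end in the safe state.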

Common Mistakes in Safety Implementation

From our experience, the most common errors found during safety audits:

  • Category claimed but not achieved: a structure is entered as Category 3 (or 2) although the diagnostics do not reach DCavg ≥ 60 %, so the category is not achieved and the calculated PL falls below PLr. Verify DCavg (and, for Category 4, DCavg ≥ 99 %) before selecting the category.
  • MTTFd values not documented: Manufacturer data sheets must be archived. A SISTEMA project without MTTFd sources is worthless.
  • Cross-fault monitoring omitted: two channels fed from the same 24 V supply without test pulses leave a cross-short between the wires undetected. That short is a fault which can mask the next one (a welded contact), precisely the fault accumulation Category 3 only tolerates when faults are detected; the DC of the input subsystem drops and the Category 3 claim is usually lost. Use the test outputs of the F-DI module (cross-circuit detection), or justify a fault exclusion for the cross-short per EN ISO 13849-2 (e.g. protected cable routing) and document it in the SISTEMA project.
  • Validation test flawed: Safety functions must be validated in the worst-case fault scenario — not just normal operation.
  • Change management missing: Every change to the safety program must be documented and re-accepted.
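What SISTEMA does with the four inputs listed above, and how the first audit finding (a category whose DCavg requirement is not met) shows up numerically, as an added example. This is not SISTEMA or IFA code; it implements the simplified procedure of EN ISO 13849-1 (parts-count MTTFd, DCavg, the Category/DCavg/MTTFd lookup table and the subsystem-combination table, numbered Table 7 and Table 11 in the 2015 edition). The E-stop circuit, its operating figures and the CCF score are constructed; the B10d values of 100,000 (E-stop device) and 1,300,000 (contactor at nominal load) are the typical values Annex C of the standard lists, used here as assumptions:

```python
"""Simplified PL estimation per EN ISO 13849-1.

Added example, not SISTEMA or IFA code. Component values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Table 7 (2015 edition): (category, DCavg band) -> PL for MTTFd band (low, medium, high)
PL_TABLE = {
    ("B", "none"):   ("a",  "b",  "b"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a",  "b",  "c"),
    ("2", "medium"): ("b",  "c",  "d"),
    ("3", "low"):    ("b",  "c",  "d"),
    ("3", "medium"): ("c",  "d",  "d"),
    ("4", "high"):   (None, None, "e"),
}
PL_ORDER = "abcde"
# Table 11: how many subsystems may sit at the lowest PL before the overall PL drops one level
MAX_SUBSYSTEMS_AT_LOWEST = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


@dataclass
class Part:
    name: str
    dc: float                             # diagnostic coverage of this part, 0..1
    mttfd_years: Optional[float] = None   # from the data sheet (electronic parts)
    b10d: Optional[float] = None          # electromechanical parts: B10d plus operations/year
    nop: Optional[float] = None

    def mttfd(self) -> float:
        if self.mttfd_years is not None:
            return self.mttfd_years
        return self.b10d / (0.1 * self.nop)   # Annex C: MTTFd = B10d / (0.1 * nop)


def nop_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Operations per year from working days, hours per day and cycle time in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s


def channel_mttfd(parts: List[Part]) -> float:
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i) over the parts of one channel."""
    return 1.0 / sum(1.0 / p.mttfd() for p in parts)


def dc_avg(parts: List[Part]) -> float:
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i) over all parts of the subsystem."""
    return sum(p.dc / p.mttfd() for p in parts) / sum(1.0 / p.mttfd() for p in parts)


def mttfd_band(mttfd: float, category: str) -> Optional[str]:
    capped = min(mttfd, 2500.0 if category == "4" else 100.0)   # caps per channel
    if capped < 3:
        return None                       # below 3 years the channel is not usable
    return "low" if capped < 10 else "medium" if capped < 30 else "high"


def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def subsystem_pl(category: str, ch1: List[Part], ch2: Optional[List[Part]] = None,
                 ccf_score: int = 0) -> Optional[str]:
    """PL of one subsystem by the simplified procedure; None if the category is not achieved."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None                       # Annex F: at least 65 CCF points required
    m1 = channel_mttfd(ch1)
    if ch2 is None:
        mttfd, dcv = m1, dc_avg(ch1)
    else:
        m2 = channel_mttfd(ch2)
        # Annex D: symmetrisation of two channels with different MTTFd
        mttfd = (2.0 / 3.0) * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))
        dcv = dc_avg(ch1 + ch2)
    mb, db = mttfd_band(mttfd, category), dc_band(dcv)
    if mb is None:
        return None
    if category in ("B", "1"):
        db = "none"                       # diagnostics earn no credit below Category 2
    elif category in ("2", "3") and db == "high":
        db = "medium"                     # the table has no 'high' column for Cat 2/3
    row = PL_TABLE.get((category, db))    # e.g. Cat 3 with DCavg 'none' -> not achieved
    return None if row is None else row[("low", "medium", "high").index(mb)]


def combine_pl(pls: List[Optional[str]]) -> Optional[str]:
    """Overall PL of a safety function from its subsystems in series (Table 11)."""
    if any(pl is None for pl in pls):
        return None
    lowest = min(pls, key=PL_ORDER.index)
    if pls.count(lowest) > MAX_SUBSYSTEMS_AT_LOWEST[lowest]:
        return PL_ORDER[PL_ORDER.index(lowest) - 1] if lowest != "a" else None
    return lowest


def estop_example(output_dc: float = 0.99) -> Optional[str]:
    """Constructed two-channel E-stop: input subsystem (E-stop device, Cat 3), logic (F-CPU
    with F-DI/F-DQ, PL e taken from the data sheet), output (two contactors, Cat 3).
    output_dc=0.99 models feedback monitoring of the mirror contacts; 0.0 models none."""
    nop_estop = nop_per_year(250, 16, 16 * 3600)   # one test actuation per shift (assumed)
    nop_out = nop_per_year(250, 16, 600)           # contactors switch every 10 min (assumed)
    contact = lambda i: [Part(f"S1 NC contact {i}", dc=0.99, b10d=100_000, nop=nop_estop)]
    contactor = lambda n: [Part(n, dc=output_dc, b10d=1_300_000, nop=nop_out)]
    pl_in = subsystem_pl("3", contact(1), contact(2), ccf_score=70)
    pl_out = subsystem_pl("3", contactor("K1"), contactor("K2"), ccf_score=70)
    return combine_pl([pl_in, "e", pl_out])


if __name__ == "__main__":
    print("with feedback monitoring:", estop_example())          # d
    print("without feedback monitoring:", estop_example(0.0))    # None (Cat 3 not achieved)
```

With the contactors monitored by a feedback loop the function reaches PL d, which is what a robot cell typically needs. Drop the feedback monitoring and the output subsystem has DCavg below 60 %, so Category 3 is simply not achieved; the function has no valid PL at all rather than a slightly lower one, which is the result an auditor will reproduce from the same data sheets.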

Safety Validation: What Is Actually Tested

Validation of a safety function (EN ISO 13849-2) includes:

  1. Fault injection: simulated failure of sensors, cables, valves and contactors, each fault on its own and, for Category 3 and 4, in combination with a second undetected fault
  2. Response time measurement: time between trigger and safe state, compared with the safety distance calculation
  3. Wiring test: check each channel for cross-faults and shorts to 0 V or 24 V, and confirm the diagnostics actually report them
  4. Restart prevention: after a stop or a fault the machine must not restart on its own; a deliberate reset (acknowledgment) is required
  5. Documentation: test record with date, tester, result, and the F-collective signature or checksum of the tested program
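Fault injection is easiest to reason about on a model before touching the cabinet. The following is an added example (not Siemens or IFA code) that simulates a two-channel E-stop input read by a safety input module, with the cross-fault check from the audit list above and the restart behaviour from step 4 built in. The module behaviour is simplified and the constants are constructed: two test outputs T1 and T2 pulse low in different scan cycles, a channel that reads high during its own test gap is flagged as a cross-circuit or short fault, and two channels that disagree for longer than DISCREPANCY_MAX cycles raise a discrepancy fault. Faults latch, so the output cannot re-enable without an acknowledgment, which the model does not provide.

```python
"""Fault-injection model of a two-channel E-stop input with test-pulse (cross-circuit)
detection and discrepancy monitoring.

Added example, not vendor code. Timing constants and the fault list are constructed.
"""
from dataclasses import dataclass

PERIOD = 4            # scan cycles per test-pulse period (constructed)
DISCREPANCY_MAX = 3   # cycles the two channels may differ before a fault is latched


def source_level(name: str, t: int) -> int:
    """Level of the supply feeding a channel: static 24V, or a pulsed test output T1/T2."""
    if name == "24V":
        return 1
    gap = {"T1": 0, "T2": 2}[name]        # T1 and T2 pulse low at different times
    return 0 if t % PERIOD == gap else 1


@dataclass
class Channel:
    source: str            # "24V" (no monitoring) or "T1"/"T2" (test-pulse monitored)
    pressed: bool = False  # E-stop actuated: the NC contact should open


def read_levels(chs, faults, t):
    """Electrical level on each channel as seen by the input module, with faults applied."""
    levels = []
    for key, ch in zip("AB", chs):
        closed = (not ch.pressed) or (f"stuck_closed_{key}" in faults)   # welded contact
        level = source_level(ch.source, t) if closed else 0
        if f"short_24v_{key}" in faults:                                  # wire touches +24V
            level = 1
        levels.append(level)
    if "cross_short_AB" in faults:        # wires shorted together: wired-OR of both channels
        levels = [max(levels)] * 2
    return levels


def run(chs, faults, press_at=None, cycles=16):
    """Scan the circuit for `cycles` PLC cycles.

    Returns (set of latched faults, safety output enabled at the end of the run).
    """
    detected = set()
    logical = [0, 0]      # filtered channel values; treated as open until proven closed
    discrepancy = 0
    enable = False
    for t in range(cycles):
        if press_at is not None and t >= press_at:
            for ch in chs:
                ch.pressed = True
        raw = read_levels(chs, faults, t)
        for i, (key, ch) in enumerate(zip("AB", chs)):
            in_gap = ch.source != "24V" and source_level(ch.source, t) == 0
            if in_gap:
                if raw[i] == 1:   # must read low in its own test gap: foreign voltage present
                    detected.add(f"test_pulse_{key}")
                # during the gap the module keeps the last valid value
            else:
                logical[i] = raw[i]
        discrepancy = discrepancy + 1 if logical[0] != logical[1] else 0
        if discrepancy > DISCREPANCY_MAX:
            detected.add("discrepancy")
        enable = logical == [1, 1] and not detected   # latched faults block re-enabling
    return detected, enable


def scenario(sources, faults, press_at=None):
    """Fresh circuit with the given supplies per channel and a set of injected faults."""
    chs = [Channel(sources[0]), Channel(sources[1])]
    return run(chs, set(faults), press_at)


if __name__ == "__main__":
    print("monitored, cross-short:",
          scenario(("T1", "T2"), {"cross_short_AB"}))
    print("unmonitored, cross-short + welded contact, E-stop pressed:",
          scenario(("24V", "24V"), {"cross_short_AB", "stuck_closed_A"}, press_at=4))
    print("monitored, welded contact, E-stop pressed:",
          scenario(("T1", "T2"), {"stuck_closed_A"}, press_at=4))
```

The second scenario is the one the audit finding describes: with both channels on static 24 V the cross-short is invisible, the later welded contact is masked by it, and pressing the E-stop leaves the output enabled. With test pulses the cross-short is caught on the first scan, before the second fault can occur. The third scenario shows why discrepancy monitoring is still needed even with test pulses: a welded contact is not a foreign voltage, so only the disagreement between the channels reveals it.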

The safety engineer who signs the assessment bears personal responsibility for its correctness. This is not an overstatement: after an accident, the question of liability can point directly at the person who approved the safety function, and the only defence is a complete, traceable technical file.

Conclusion: Safety as an Engineering Task

Functional safety is not difficult — but it requires systematic discipline and diligence. Those who know the relevant standards, master SISTEMA, and implement safety functions correctly can build safe machines. When in doubt, seek external support: incorrect CE marking can be costly — not only financially.
