Functional Safety Certification

Introduction

The TM5CSLC100FS / TM5CSLC200FS and TM5CSLC300FS / TM5CSLC400FS Safety Logic Controllers are certified

  • by TÜV NORD

  • for use in applications up to and including SIL 3 according to IEC 61508 and IEC 62061.

This certification verifies that the Safety Logic Controllers are compliant with the following standards:

  • IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1 to 4, SIL 3

  • ISO 13849-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design, up to PL e (Category 4)

  • IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic, and programmable electronic control systems, SILcl 3

NOTE: Using Safety Logic Controller equipment is a necessary but insufficient precondition for the certification of a SIL 3 application. A SIL 3 application must also fulfill the requirements of the IEC 61508, IEC 61511, IEC 61131-2, and other application standards.

Functional Safety Parameters

The Functional Safety parameters according to EN ISO 13849 are as follows:

  • Performance Level for

    • SDI (safety-related digital input) to SDO (safety-related digital output): up to PL e

    • SAI (safety-related analog input) to SAO (safety-related analog output): up to PL e

  • Category: up to 4

Classification of the Schneider Electric Products

The Safety Logic Controllers are dedicated to performing safety-related functions. The Safety Logic Controller system consists of the controller supporting the Sercos III fieldbus network. The controller then interfaces with the Sercos III Bus Interface, TM5/TM7 Safety-Related I/O modules, and other safety-related devices such as drives and third-party devices. However, it also supports other modules, enabling you to add non-safety-related parts to your SIL 3 project.

Therefore, the Schneider Electric products are divided into:

  • safety-related modules and

  • non-safety-related modules

In contrast to the safety-related modules, non-safety-related modules are not used to perform safety-related functions. They are certified as non-interfering modules for use with the Safety Logic Controller. A detected error in one of these modules does not interfere with the execution of the safety-related functions.

Safety-Related Products of the Safety Logic Controller System

The Safety Logic Controller system is comprised of the following safety-related products:

Type | Module Reference
---- | ----------------
Safety Logic Controller, SLC 100 Sercos III, 24 Vdc | TM5CSLC100FS
Safety Logic Controller, SLC 200 Sercos III, 24 Vdc | TM5CSLC200FS
Safety Logic Controller, SLC 300 Sercos III, 24 Vdc | TM5CSLC300FS
Safety Logic Controller, SLC 400 Sercos III, 24 Vdc | TM5CSLC400FS
Safety-related Module 2DI 24 Vdc Sink | TM5SDI2DFS
Safety-related Module 4DI 24 Vdc Sink | TM5SDI4DFS
Safety-related Module 20DI 24 Vdc Sink | TM5SDI20DFS
Safety-related Module 2DO 24 Vdc, 0.5 A | TM5SDO2TFS
Safety-related Module 2DO 24 Vdc, 2 A | TM5SDO2TAFS
Safety-related Module 4DO 24 Vdc, 0.5 A | TM5SDO4TFS
Safety-related Module 2DO | TM5SDO2TRFS
Safety-related Module 4DO 24 Vdc, 2 A | TM5SDO4TAFS
Safety-related Module 6DO 24 Vdc, 0.2 A | TM5SDO6TBFS
Safety-related Module 2DI (2 test (pulse) outputs), 2DO 24 Vdc, 6 A | TM5SDM4DTRFS
Safety-related Module 6DI, 2DO 24 Vdc | TM5SDM8TBFS
Safety-related Module 2x2AI 4-20 mA 24 bits | TM5SAI4AFS
Safety-related Module 2x2AI Thermocouple J/K/N/S/R/C/T | TM5STI4ATCFS
Safety-related Counter Module DC1 7 kHz 24 Vdc Sink | TM5SDC1FS
Safety-related Power Distribution Module PS 1DO 24 Vdc | TM5SPS10FS
IP67 Block, 8 DI, 24 Vdc | TM7SDI8DFS
IP67 Block, 8 DI, 4 DO, 2 A | TM7SDM12DTFS
TM5 Bus Base for safety-related Electronic modules, safety coded, internal I/O supply interconnected | TM5ACBM3FS
TM5 Bus Base for safety-related Electronic modules, safety coded, internal I/O supply is left isolated | TM5ACBM4FS
Safety-related Terminal Block, 12-pin, safety coded | TM5ACTB52FS
Safety-related Terminal Block, 16-pin, safety coded, 2x PT1000 integrated for terminal temperature compensation | TM5ACTB5EFS
Safety-related Terminal Block, 16-pin, safety coded | TM5ACTB5FFS
Memory Key, 8 MB (1) | TM5ACSLCM8FS

(1) A memory key is required for operation of the Safety Logic Controller, and is sold separately. For more information concerning the role of the memory key in the Safety Logic Controller system, refer to Safety Logic Controller Memory Key.

Only modules certified as safety-related modules are allowed to perform safety functions. Make certain that neither inputs nor outputs of non-safety-related modules are used for safety-related inputs or outputs.

DANGER
IMPROPERLY CONFIGURED SAFETY-RELATED SYSTEM
  • Use only safety-certified products for use in safety functions of a safety-related system.
  • Use only Schneider Electric authorized products in a Safety Logic Controller system.
Failure to follow these instructions will result in death or serious injury.

NOTE: The Sercos III Bus Interface, required for communication with TM5 Safety-related modules, is considered a non-interfering module and does not contribute nor detract from the safety function of the controller. The safety layer part of the Sercos III communication is managed inside the Safety-related modules and not in the Sercos III Bus Interface.

Available Bus Interface

The following Schneider Electric bus interface is available:

Module Type | Module Reference
----------- | ----------------
Sercos III Bus Interface | TM5NS31

NOTE: The Sercos III Bus Interface, required for communication with the safety-related expansion modules, is considered a non-interfering module and does not contribute nor detract from the safety-related function of the controller. The safety layer part of the Sercos III communication is managed inside the safety-related modules and not in the Sercos III Bus Interface.

For more information on safety-related product architectures, refer to TM5 / TM7 Safety-Related System I/O Architecture and the M262 Embedded Safety - Integration Guide, referenced in the Related Documents section of this document.

DANGER
IMPROPER SAFETY-RELATED SYSTEM
  • Use only modules designated as safety-related modules to perform safety-related functions.
  • Make sure that neither inputs nor outputs of non-safety-related modules are used for safety-related outputs.
Failure to follow these instructions will result in death or serious injury.

Probabilities of Failure

For SIL 3 applications, IEC 61508 defines the following probabilities of failure on demand (PFD) and probabilities of failure per hour (PFH) depending on the mode of operation:

  • PFD ≥ 10⁻⁴ to < 10⁻³ for low demand mode of operation

  • PFH ≥ 10⁻⁸ to < 10⁻⁷ for high demand mode of operation
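The bands above apply to the complete safety function (sensor, logic solver, actuator), which is why the Safety Logic Controller alone is a necessary but insufficient precondition for SIL 3. The following added example (not Schneider Electric code) classifies a summed PFH or PFD into its IEC 61508 SIL band, extending the SIL 3 figures above to SIL 1 to 4, with all subsystem failure figures being constructed placeholders rather than certified values.

```python
"""Check a whole safety function against IEC 61508 target failure measures."""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-1 bands as (lower bound inclusive, upper bound exclusive).
# The SIL 3 rows are the figures quoted on this page; SIL 1, 2 and 4 follow
# the same one-decade pattern.
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_for(value: float, mode: str) -> Optional[int]:
    """Return the SIL whose band contains value, or None when it lies outside all bands.

    mode is "high" (per-hour PFH) or "low" (average PFD on demand).
    """
    bands = PFH_BANDS if mode == "high" else PFD_BANDS if mode == "low" else None
    if bands is None:
        raise ValueError(f"unknown mode of operation: {mode!r}")
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return None


@dataclass(frozen=True)
class Subsystem:
    name: str
    pfh: float  # failures per hour, high demand mode
    pfd: float  # average probability of failure on demand, low demand mode


def loop_failure_measure(subsystems, mode: str) -> float:
    """IEC 61508 sums the subsystem contributions along the safety function."""
    return sum(s.pfh if mode == "high" else s.pfd for s in subsystems)


def meets_sil(subsystems, required_sil: int, mode: str):
    """Return (passes, total, achieved_sil) for the whole loop."""
    total = loop_failure_measure(subsystems, mode)
    achieved = sil_for(total, mode)
    return achieved is not None and achieved >= required_sil, total, achieved


# Constructed placeholder figures; the SLC value is NOT the certified one.
SENSOR = Subsystem("dual-channel e-stop", 4.0e-8, 3.0e-4)
SLC = Subsystem("safety logic controller (placeholder)", 1.0e-9, 1.0e-5)
VALVE = Subsystem("safety valve", 5.0e-8, 4.0e-4)
SLOW_VALVE = Subsystem("legacy valve", 2.0e-7, 2.0e-3)

LOOP_A = [SENSOR, SLC, VALVE]             # whole loop stays inside SIL 3
LOOP_B = [SENSOR, SLC, VALVE, SLOW_VALVE]  # same SLC, actuator drags loop to SIL 2
```

Running meets_sil(LOOP_A, 3, "high") passes while meets_sil(LOOP_B, 3, "high") fails, even though the controller contribution is unchanged.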

Defined Safe State and Life Span

For more information on the defined safe state of modules in the case of detected errors as well as on the life span, refer to Defined Safe State and Life Span.