Getting Started with the Siemens Safety PLC

This engineering brief presents an application of the Siemens fail-safe PLC. The demo has one safety zone, including one motor with E-stop and light-curtain guarding. It also monitors for welded motor starter contacts and implements a two-hand safety start. We begin with a brief description of the hardware and then focus on the transfer of variables between main and safety.

Never allow a machine restart to surprise you or the operator.

Written for technicians and engineers already familiar with the Siemens S7-1200 and S7-1500 PLCs. It also assumes some familiarity with the ET 200SP distributed I/O system as described in this document. As a reference point, we assume you are comfortable with Siemens data blocks and the use of tags from within a structure.


This article is part of the DigiKey Field Guide for Industrial Automation

Location: Understand It → Safety Concepts
Difficulty: Technician (difficulty levels explained)
Author: Aaron Dahlen | MSEE | Senior Applications Engineer, DigiKey
Last update: 06 Mar 2026


Introduction

Never wire the E-stop directly to a conventional PLC.

The problem exists on two levels:

  • Hardware: General PLC inputs are not designed for safety. This is true even for the safety-rated CPU 1215 FC PLC used in this project. Instead, safety-related I/O are handled using hardware safety modules such as the F-DI or the ET 200SP modules pictured in Figure 1. These modules are designed with redundancy and fail-safe operations not directly found in the core PLC.

  • Software: By definition, the fail-safe software is a subset of the traditional software. It’s been stripped down to include a minimal set of straightforward functions. Less complexity reduces the chance of breaking safety.

Disclaimer: This material is for education only. You are responsible for implementing the Safety Integrity Level (SIL) and the Required Performance Level (PLr) for the equipment in your facility. Follow all applicable local, state, federal, and international regulations.

While the material has been prepared with care, it may contain unintentional errors or misinterpretation of the standards. Refer to DigiKey’s Terms of Service for official guidance. We appreciate any feedback you can provide to improve the narrative and factual content.

Figure 1: Image of the Siemens safety modules as part of an ET 200SP distributed I/O system from the author’s workbench.

Tech Tip: Redundancy is a defining aspect of industrial safety. For example, the E-stop is handled by hardware that forms a one-out-of-two (1oo2) signal. This requires a switch with two independent contact blocks. See this page for more information about the E-stop pushbutton.

Recognize that this fail-safe redundancy is not included with conventional PLC inputs. Consequently, they are not considered safe for monitoring a safety device. Similar statements can be made for the OSSD signal outputs produced by a light curtain.

Description of the Featured Safety Project

The machine is configured for a single safety zone guarding a three-phase motor. The primary objective is to immediately secure the motor on application of E-stop or a break in the light curtain.

The project’s brain is an S7-1200 safety PLC (CPU 1215 FC) with the safety hardware included in the ET 200SP distributed I/O. The safety components include:

  • Emergency Stop switch with redundant normally closed switch contacts.

  • Light curtain with Output Signal Switching Device (OSSD) signals.

  • Monitored motor starter with two Siemens 3RT2015 contactors. The three-phase contacts are connected in series (redundant). The auxiliary contacts are then monitored to detect a stuck armature (welded contacts). Note that an interposing relay is used to connect the contactor to the PLC. A separate article describes how the contactor’s opening speed increases with the relay compared to diode clamping from a standard PLC output pin.

  • A two-hand safety start is included in the safety functionality.

Tech Tip: Know the difference between startup and shutdown. Contact welding and two-handed safety inhibit machine startup, while E-stop and light curtain are for immediate shutdown.

Physical Connections to the Safety Modules

Figure 2 presents the safety I/O assignments and tag names.

Safe Input Connections

  • The twin E-stop contacts form a 1oo2 interface using input channels 0 and 4. The tag name of RemoteStop1 is associated with address %I10.0 where 10 is the chosen address for the module. The red text was added as a reminder that input channels 0 and 4 form a pair.

    Note that the E-stop is driven by the V0 and V4 signals originating from the lower connection of the base unit. These are used to detect shorts and crossed wire faults.

  • The OSSD signals from the light curtain are connected to input channels 3 and 7 using a 1oo2 assignment. Unlike the E-stop, the light curtain develops its own test signal. Consequently, there is no connection to the base unit’s lower signal generator.

  • The switch contacts for the two-hand input (normally open) are connected to channels 2 and 6.

  • The line monitoring the motor starter’s series-connected normally closed auxiliary contacts is connected to input channel 1. The base unit V1 is used as the signal source.
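
As an added illustration (not code from this article or from Siemens), the following Python model shows how a 1oo2 pair such as channels 0 and 4 can be evaluated: the pair reads as released only while both channels agree, and a disagreement that outlasts a discrepancy window is latched as a channel fault, which is how a stuck contact or a wiring fault on one channel is exposed. The class name, the three-scan discrepancy limit and the scan-based timing are assumptions; the V0/V4 test-pulse detection of shorts and crossed wires is not modelled.

```python
"""Simplified model of a 1oo2 (one-out-of-two) safety input pair.

Constructed example, not Siemens code.  Both channels must agree for the
signal to count as released; a persistent disagreement is latched as a
fault.  Test-pulse (V0/V4) short-circuit detection is not modelled.
"""
from dataclasses import dataclass


@dataclass
class OneOutOfTwo:
    """Evaluate a pair of safety channels once per scan."""
    discrepancy_limit: int = 3      # scans the channels may disagree (assumed value)
    discrepancy_count: int = 0
    faulted: bool = False

    def scan(self, ch_a: bool, ch_b: bool) -> bool:
        """Return True only when both channels report the released (safe) state."""
        if ch_a != ch_b:
            self.discrepancy_count += 1
            if self.discrepancy_count > self.discrepancy_limit:
                self.faulted = True     # latched until explicitly reset
        else:
            self.discrepancy_count = 0
        # Fail to the safe side: one open channel, or a latched fault, stops the machine.
        return ch_a and ch_b and not self.faulted

    def reset(self) -> None:
        """Clear the latched fault (would be tied to a deliberate operator reset)."""
        self.discrepancy_count = 0
        self.faulted = False


def run_sequence(samples):
    """Feed (ch_a, ch_b) samples through one pair; return per-scan results and fault flag."""
    pair = OneOutOfTwo()
    results = [pair.scan(a, b) for a, b in samples]
    return results, pair.faulted


if __name__ == "__main__":
    # Constructed sequence: one channel stuck released while the other opens.
    print(run_sequence([(True, True), (True, False), (True, False), (True, False), (True, False)]))
```

The point to check when commissioning is the last case: once one channel alone disagrees long enough, the output goes to the safe state and stays there even after the channels agree again, until a deliberate reset.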

Safe Output Connections

Two outputs are used to drive the motor starter via an interposing relay. We could have driven two relays from a single output channel. There is no advantage in this case as only a few of the safety outputs are used.

Non-Safe Connections

A normally open pushbutton is connected to the non-safe input module. Non-safe is acceptable as the reset is not directly involved with a safety shutdown or a monitored start.

Figure 2: Physical connection to the safety modules along with tag name assignments. Red text shows the 1oo2 pairs.

Key Safety Program Attributes for the S7-1200 PLC

The featured safety program provides two types of functionality:

  • Unquestioned shutdown via the E-stop and light curtain.

  • Conditional start by monitoring for welded contacts on the motor starter and proper use of two-hand safety.

Tech Tip: The motor starter consists of two three-phase contactors wired in series along with an overload block. The safety PLC monitors a set of normally closed auxiliary contacts from each contactor. A fault occurs when the armature of one of the contactors jams, such as when the contacts are welded. Without this safety feature, a single latent failure would go undetected, resulting in an unresponsive system that continues to run when an E-stop command is issued.

Fail-Safe Ladder Logic Example

The single most important ladder logic network is shown in Figure 3. We start the three-phase motor if:

  • The E-stops are released as determined by two ESTOP1 function blocks with one block for the E-stop and one block for the light curtain.

  • There are no welded contacts as determined by the FDBACK function block.

  • The main [OB1] program has requested a motor start. The two-hand safety permissive (not shown) is passed to main to be logically combined with other conditions. When satisfied, the request is passed back to main as the Boolean xMotorRunRequest.

The motor runs when Coil1A and Coil1B are activated.

Figure 3: This is the principal ladder logic network for the safety program.

Fault Behavior of the Safety Program

Predictability is a fundamental attribute of all safety systems.

Unexpected equipment starts must be eliminated. This safety latch behavior is implicit in the design of the ESTOP1 and FDBACK blocks. When triggered, each will remain in the fault state until an acknowledge (ACK) signal is received. Consequently, the machine is off until the fault block is reset.

The fault state ACK reset signal is shown in Figure 4. The xResetRequest originates from main and is asserted only when the primary selector switch is placed in the off position and the safety reset button is pressed. This ensures that the machine is in a known de-energized state before the system is reset.

Figure 4: The ESTOP1 and FDBACK blocks share a common ACK reset request.

Tech Tip: The latching nature of the system cannot be overstated. As a vivid example, consider what would happen if a person were to enter the machine enclosure by passing through the light curtain. Yes, the equipment would stop while the curtain’s beams were broken. However, without the latching fault, the equipment would immediately restart when the person was fully within the machine enclosure.

How to Pass Variables Between Main and Safety in a Siemens PLC

Close inspection of Figure 3 reveals that all tags are safety tags (highlighted in yellow). Yet, we previously stated that xMotorRunRequest originates from main.

For clarity we transport variables between main and safety using a pair of global data blocks called DataToSafety and DataFromSafety. The safety program is structured using three parts:

  • Read from the DataToSafety data block (transfer global tags to local safety tags)

  • Perform the safety routine

  • Write to the DataFromSafety data block (transfer local safety tags to global tags)

While this bridge is not strictly necessary, separating the global tags from the local safety tags provides programming clarity and helps eliminate potential errors.

Tech Tip: This three-part bridge mimics the structure of the PLC scan cycle: read the inputs, perform the logic, set the outputs.

Let’s call it the PLC way.

Fault Identification

There are three potential safety faults in the featured project: E-stop, light curtain, and failure of the monitored motor starter (welded contacts). For effective troubleshooting, it’s important to make the faults available to main. This allows activation of panel lamps, HMI display, or data transfer to a larger SCADA system or historian.

Transfer is accomplished using the DataFromSafety data block which contains a set of fault tags within a structure. Main now has access to each fault and may take appropriate action.

Figure 5: Tags used to transfer data from safety to main.
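
To show how the pieces fit together, here is an added Python model that serves both the fault-behavior discussion (the latching ESTOP1/FDBACK blocks and their shared ACK) and the main/safety bridge with its fault tags. It is not the project’s TIA Portal code and does not reproduce Siemens’ block semantics: DataToSafety and DataFromSafety stand in for the two global data blocks, LatchingStop and FeedbackMonitor are simplified stand-ins for ESTOP1 and FDBACK, and the field names, the inputs dictionary and the two-scan feedback tolerance are assumptions. Each call to SafetyProgram.scan follows the bridge: read, logic, write.

```python
"""Constructed model of the featured safety program: the three-part bridge
(read DataToSafety, run the logic, write DataFromSafety) plus latching faults.
Added example, not the project's TIA Portal code.  LatchingStop and
FeedbackMonitor are simplified stand-ins for ESTOP1 and FDBACK, not their real
semantics; tag and field names are assumptions based on the article."""
from dataclasses import dataclass


@dataclass
class DataToSafety:          # global DB: written by main, read by safety
    xMotorRunRequest: bool = False
    xResetRequest: bool = False  # selector off AND reset pressed, decided in main


@dataclass
class DataFromSafety:        # global DB: written by safety, read by main
    xEstopFault: bool = False
    xLightCurtainFault: bool = False
    xStarterFault: bool = False
    xMotorRunning: bool = False


@dataclass
class LatchingStop:
    """ESTOP1-like: trips the moment the input drops, stays tripped until ACK."""
    fault: bool = False

    def scan(self, released: bool, ack: bool) -> bool:
        if not released:
            self.fault = True    # shutdown is immediate and latched
        elif ack:
            self.fault = False   # only an explicit ACK clears the latch
        return not self.fault    # True = enable


@dataclass
class FeedbackMonitor:
    """FDBACK-like: the contactor's NC auxiliary contact must mirror the command."""
    limit: int = 2               # scans of mismatch tolerated (assumed value)
    mismatch: int = 0
    fault: bool = False

    def scan(self, command: bool, aux_closed: bool, ack: bool) -> bool:
        # Coil energised -> armature pulled in -> NC auxiliary contact opens.
        if aux_closed == command:        # feedback contradicts the command
            self.mismatch += 1
            if self.mismatch > self.limit:
                self.fault = True    # welded or jammed contactor: inhibit any start
        else:
            self.mismatch = 0
            if ack:
                self.fault = False   # ACK works only once feedback is consistent again
        return not self.fault


class SafetyProgram:
    """One scan: read the bridge, run the logic of Figures 3 and 4, write the bridge."""

    def __init__(self):
        self.estop, self.curtain, self.starter = LatchingStop(), LatchingStop(), FeedbackMonitor()
        self.coils = False       # Coil1A and Coil1B are driven together

    def scan(self, inputs: dict, to_safety: DataToSafety) -> DataFromSafety:
        # 1. read: copy global tags into local safety variables
        run_request, ack = to_safety.xMotorRunRequest, to_safety.xResetRequest
        # 2. logic: every enable must be true AND main must have requested a start
        estop_ok = self.estop.scan(inputs["estop_released"], ack)
        curtain_ok = self.curtain.scan(inputs["curtain_clear"], ack)
        starter_ok = self.starter.scan(self.coils, inputs["aux_closed"], ack)
        self.coils = estop_ok and curtain_ok and starter_ok and run_request
        # 3. write: publish faults and status for panel lamps, HMI or SCADA
        return DataFromSafety(self.estop.fault, self.curtain.fault,
                              self.starter.fault, self.coils)


def light_curtain_walkthrough():
    """Tech Tip scenario: curtain broken, then cleared; motor stays off until ACK."""
    prog, run = SafetyProgram(), DataToSafety(xMotorRunRequest=True)
    reset = DataToSafety(xMotorRunRequest=False, xResetRequest=True)
    phases = [("start", True, run), ("running", True, run), ("curtain broken", False, run),
              ("curtain clear again", True, run), ("reset", True, reset), ("restart", True, run)]
    log = []
    for name, curtain_clear, to_safety in phases:
        inputs = dict(estop_released=True, curtain_clear=curtain_clear,
                      aux_closed=not prog.coils)   # healthy contactor mirrors last command
        out = prog.scan(inputs, to_safety)
        log.append((name, out.xMotorRunning, out.xLightCurtainFault))
    return log


def welded_contact_walkthrough():
    """Motor commanded off but the NC aux contact stays open: no restart is possible."""
    prog, run, stop = SafetyProgram(), DataToSafety(xMotorRunRequest=True), DataToSafety()
    log = []
    for to_safety, aux_closed in [(run, True), (run, False)] + [(stop, False)] * 4 + [(run, False)]:
        out = prog.scan(dict(estop_released=True, curtain_clear=True, aux_closed=aux_closed), to_safety)
        log.append((out.xMotorRunning, out.xStarterFault))
    return log
```

Running light_curtain_walkthrough() shows the behavior the Tech Tip warns about: the motor stops the instant the curtain is broken, stays off after the beams are clear again, and only restarts after main asserts xResetRequest and then a fresh run request. welded_contact_walkthrough() shows the other class of fault: the starter fault appears in DataFromSafety and a later run request is ignored, which is a startup inhibit rather than a shutdown.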

Parting Thoughts

Remember the bridge to pass variables between main and safety.

If you remember nothing else, follow the bridge: read the inputs, perform the logic, set the outputs. Remember this pattern for the PLC scan as well as for interfacing main to safety.

From there, get busy programming. It’s not the kind of thing you can read about. Attempting to lay out a safety program with reasonable coordination between main and safety is harder than it looks.

Best wishes,

APDahlen

About This Author

Aaron Dahlen, LCDR USCG (Ret.), is a Senior Applications Engineer at DigiKey in Thief River Falls. His background in electronics and industrial automation was shaped by a 27-year military career as both technician and engineer, followed by over a decade of teaching.

Dahlen holds an MSEE from Minnesota State University, Mankato. He has taught in an ABET-accredited electrical engineering program, served as coordinator of an electronic engineering technology program, and instructed military technicians in component-level repair.

Today, he has returned to his home in northern Minnesota, completing a decades-long journey that began with a search for capacitors. Read his story here.