Application

• When motor needs Safe Torque Off ( STO) function compliant with SIL 3

Auxiliary Contact Monitoring

Requirements Properties

• Connect DS7 Soft Starter Start Enable ( +A1 ) Pin • Design according to basic and well-tried safety
and EN pin to safety relay output relay principles (EN ISO 13849-1 and EN ISO 13849-2)
• The Safe Torque Off command can be received • Control circuit device, supply conductor and
over Safety Relay via E-STOP. command processing are redundant and self-
• Install contactor and with mechanically linked monitoring.
auxiliary contact for feedback. • Single faults: Wire break, connection fault and
• Connect Auxiliary Contact feedback to safety relay cross circuit are detected immediately or with the
for monitoring. next start command.
• Hard wire with electromechanical components.
• Activate hazardous movements after enable with
separate STO command.
• Separation of power supply from mains contactor.
• Observe additional applicable standards, e.g. IEC
60204-1, IEC 61800-5-2

1
Function

The safety relay receives STO demand and activate
Safety Torque Off ( STO ) by opening the relay
across Start Enable (+A1) pin, EN pin and
simultaneously opening the contactor to de-
energize the motor and achieve safe torque off
function. The safety relay shall be programmed
such a way that it keep +24 V connected to Start
Enable(+A1) pin, EN pin in normal condition.
On receiving STO command via E-STOP switch the
safety relay opens up output relay across Start
Enable(+A1) , EN pin and also open relay across
contactor to de energize contactor. The auxiliary
contact monitoring by safety relay confirms
contactor operation. A restart is only possible
after the Emergency-stop actuator is reset or reset
command received over communication and
enabled by pressing the RESET pushbutton.

Condition EN ISO 13849-1:2015 Condition IEC 62061:2005

Structure Cat 4 Structure SS D, symmetrical
MTTFd 80 PFHd 1.842 x 10-8
B10d S1: 100000, Q1 :1300000 B10 S1: 20000,Q1:975000
nop S1:1800, Q1 : 3600 λd /λ S1: 0.2, Q1: 0.75
CCF 80 CSA 0.3125
DCavg 99 % ß 0.05
PL e DC S4: 99 %, Q1: 99
T10d >20 yrs SIL 3
Safety Related switching devices

FAK foot and palm switch easySafety relay : ESR5-NO-21- DILM12 contactor
24VAC-DC
Safety standards

Standard Contents → page

EN ISO 13849-1/2 Safety of machinery - Safety-related parts of control systems - 96
Part 1: General principles for design
Part 2: Validation
IEC 62061 Safety of machinery – functional safety of safety-related electrical, 97
electronic and programmable electronic control systems
IEC 60947-4-1 Low-voltage switchgear and controlgear - Part 4-1: Contactors and motor --
starters; electromechanical contactors and motor starters
EN ISO 13850 Safety of machinery - Emergency-stop equipment - Principles for design 101
IEC 61800-5-2 Adjustable speed electrical power drive systems - Part 5-2: Safety --
requirements – Functional

2
Table 1 : Individual components calculation as per ISO 13849-1 and IEC 62061:
ISO 13849-1
E-STOP B10d : 1300000
nop : 1800 considering
Safe torque function activation
by Emergency-Stop switch
occurs at an operating frequency
of 5 operations per day. The
system is required to be in
operation 360 days a year and
two shifts per day, i.e. 16 hours
per day. This results in nop of
10
1800 operating cycles
 ℎ
10 99% is assumed for E-STOP
 =
0.1 × 
100000
 =
0.1 × 1800
 = 555.5 []
Safety Relay ESR5-NO-21-24VAC-DC  = 96 []
# ℎ
DILM12 contactor B10d : 1300000
nop : 3600 considering
Safe torque function de-
energizing by contactor switch
occurs at an operating frequency
of 10 operations per day which is
double the E-stop operations per
day . The system is required to
be in operation 360 days a year
and two shifts per day, i.e. 16
10
hours per day. This results in nop
of 3600 operating cycles
& ℎ
10
 =
0.1 × 
1300000
 =
0.1 × 18000
 = 3611.1 []
IEC 62061
B10 : 20000
C: Operating frequency C for two
8-hour shifts per day and an
actuation frequency of 5
actuations per day : C = 5/16 =
0.3125 operations per hour
Dangerous failure rate

 = 0.2 ×

0.1 ×

 = 0.2 ×
0.1 × 0.3125

 = 0.2 ×
20000

 = 3.125 × 10
Diagnostic coverage ( DC ) of
based on estimation of single
fault probabilities and the
manufacturing specifications for
the switch in accordance with
IEC 60947-5-1
!" = 1.59 × 10
B10 : 975000
C: Operating frequency C for two
8-hour shifts per day and an
actuation frequency of 5
actuations per day : C = 5/16 =
0.3125 operations per hour
Dangerous failure rate

 = 0.75 ×

0.1 ×

 = 0.75 ×
0.1 × 0.3125

 = 0.75 ×
975000

 = 2.404 × 10
Diagnostic coverage ( DC ) of
99% is assumed for contactor
based on contact position
monitoring by auxiliary relay and
the manufacturing specifications
for the contactor in accordance
with IEC 60947-4-1
3
MTTFd and DCavg calculations as per ISO 13849-1:

The Safe Torque Off ( STO ) safety function can be performed by following safety channel.

1 ) STO demand received via E-STOP.

Following section explain MTTFd and DCavg calculation for both safety channels.

STO demand received over E-STOP.

Safety Channel :

MTTFd for Safety Channel based on MTTFd data for components as per Table 1 above.

1 1 1 1
= + +
  ' ()*+  '(-.  /01234

1 1 1 1
= + + = 80 5
 555 96 3611

DCavg for Safety channel based on MTTFd data for components as per Table 1 above and DC for
components as detailed in table below.

Safety Channel Component Measure Diagnostic Coverage as per

ISO 13849-1 Annex E
E-STOP Fault exclusion according to ISO 99%
13849-2 is possible for
emergency stop device
Logic TUV certified components with 99%
( ESR5 Safety Relay ) PL e ~ SIL 3
Contactor Direct monitoring ( monitoring of 99%
( DILM12 ) electromechanical devices by
mechanically linked auxiliary
contact elements)

6 ' ()*+ 6 '(-. 6 /01234

+ +
 ' ()*+  '(-.  /01234
6 789 =
1 1 1
+ +
 ' ()*+  '(-.  /01234

0.99 0.99 0.99

+ +
6 789 = 555 96 3611 = 0.99
1 1 1
+ +
555 96 3611

As per ISO 13849-1 Table 6 DCavg for safety channel is “HIGH”

4
Considering SIL 3 ESR5 will detect single fault within device and auxiliary contactors would monitor
single fault in DILM12 contactor above safety channel architecture is Category 4 as per ISO 13849-1.

As per ISO 13849-1:2015 Table 6 the safety channel with Category 4 architecture, MTTFd “High” and
DCavg High Performance level for safety channel can be estimated as “PL e “

5
PFHd calculation as per IEC 62061

Determining Common Cause Failures ( β )

Table F.1 in Annex F of the IEC 62061 standard provides estimation criteria for the design of the
subsystem. The listed criteria are assessed with a scoring system. The overall score calculated from the
table F.2 of factors of common cause failures (β).

With overall score of 57 points the CCF factor is β = 0.05

Determination the proof test interval for the proof test or the lifetime T1 per hour

The proof test is a repeated test that enables faults to be detected in a safety-related electrical control
system SRECS. A proof test confirms that the SRECS is in a condition that guarantees the specified safety
integrity. The proof test sets the SRECSs and the subsystems to an “as new state” if required.
The standard refers at this point to EN ISO 13849-1 and recommends a lifetime of 20 years.

Result
We shall use a proof test interval of 20 years and calculate the appropriate lifetime of:
T1 = 20 years x 365 days x 24 hours = 175200 h

Determination of the diagnostic test interval T2

The diagnostic test interval T2 is stated in hours and is the period between two diagnostic tests carried
out by the system. The diagnostic test interval of each subsystem with a hardware fault tolerance of
more than zero (HFT = 1), must be selected so that the subsystem can meet the requirements for the
probability of a random hardware fault.

Result
The diagnostic tests of the subsystems E-STOP and Contactor are carried out when the contacts are
triggered. This produces a test rate from the hourly actuation of both subsystem elements.
With a daily use of two shifts, i.e. 16 hours and 5 actuations, the diagnostic test interval of T2 = 3.2 hours
of both subsystem elements.

Determining the probability of dangerous failure of the subsystems PFHd

The single fault probabilities of the subsystems must be calculated from the individual subsystem
elements in order to determine the total failure rate.
The dangerous failure rate of each subsystem can then be converted to an hourly rate.

The following characteristic values can be combined from the Table 1:

E-STOP Safety Relay ESR5 Contactor DILM12
λd 3.125 × 10  !" = 1.59 × 10 # ℎ 2.404 × 10 &
DC 99% as specified in safety 99%
T2 3.2 h manual 3.2 h
T1 175200 h 175200 h
β 0.05 0.05

6
The subsystems E-STOP and Contactor have both elements with the same design so that the equation
for structures with the same design must be used here.

E-STOP PFHd = 1.57 × 10 &

Safety Relay ESR5 PFHd = 1.59 × 10 #

Contactor DILM12 PFHd = 1.202 × 10 #

1) PFHd for STO demand received over E-STOP

Safety Channel :

!" (7:;<= >?7@@;A = !" ' ()*+ + !" '(-. + !" /01234

!" (7:;<= >?7@@;A = 1.57 × 10 & + 1.59 × 10 # + 1.202 × 10 # = 1.842 × 10 &

The Safety Integrity Level ( SIL ) for each safety channel is ≥ 10-8 so SIL 3 can be assigned to Safe Torque
Off (STO) safety function.