Functional Safety Certification

Introduction

The TM5/TM7 Safety I/O modules are certified by TÜV Nord for use in applications up to SIL 3 according to IEC 61508 and IEC 62061.

This certification verifies that the TM5 and TM7 modules are compliant with the following standards:

IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1 to 4, up to SIL 3
ISO 13849-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design, up to PL e (Category 4)
IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic, and programmable electronic control systems up to SILcl 3

NOTE: Using a Safety Logic Controller equipment is a necessary but not sufficient precondition for the certification of a SIL 3 application. A SIL 3 application must also fulfill the requirements of the IEC 61508, IEC 61511, IEC 61131-2, and other application standards.

Classification of the Schneider Electric Products

The safety-related modules allow to perform safety-related functions. However, they also support non-safety-related modules, enabling you to add non-safety parts to your SIL 3 project.

Therefore, the Schneider Electric products must be distinguished into:

safety-related modules and
non-safety-related modules

In contrast to the safety-modules, non-safety-related modules are not used to perform safety-related functions. They are designated as non-interfering modules for use with the Safety Logic Controller. A detected error in one of these modules does not detract the execution of the safety-related functions.

Functional Safety Parameters

The Functional Safety parameters according to EN ISO 13849 are as follows:

Performance Level for
- SDI (safety-related digital input) to SDO (safety-related digital output): up to PL e
- SAI (safety-related analog input) to SAO (safety-related analog output): up to PL e
Category: up to 4.

Available Safety-Related Controller

The following Schneider Electric safety-related controllers are available:

Module Type	Module Reference
Safety Logic Controller SLC 100 SERCOS III 20 nodes	TM5CSLC100FS
Safety Logic Controller SLC 200 SERCOS III 100 nodes	TM5CSLC200FS
Safety Logic Controller SLC 300 SERCOS III 20 nodes	TM5CSLC300FS
Safety Logic Controller SLC 400 SERCOS III 100 nodes	TM5CSLC400FS

NOTE: The safety-related modules must be connected by using an additional Sercos III Bus Interface TM5NS31 exclusively to the Safety Logic Controller. Mechanical, hardware, and firmware features are described in the Modicon TM5 Safety Logic Controller TM5CSLC•00FS Hardware Guide.

Available Bus Interface

The following Schneider Electric bus interface is available:

Module Type	Module Reference
Sercos III Bus Interface	TM5NS31

NOTE: The Sercos III Bus Interface, required for communication with the Safety Logic Controller, is considered a non-interfering module and does not contribute nor detract from the safety-related function of the controller. The safety layer part of the Sercos III communication is managed inside the safety-related modules and not in the Sercos III Bus Interface.

For more information on safety-related product architectures, refer to the PacDrive TM5 / TM7 Safety Flexible System, System Planning and Installation Guide and to the M262 Embedded Safety - Integration Guide.

DANGER
	IMPROPER SAFETY-RELATED SYSTEM Use only modules designated as safety-related modules to perform safety-related functions. Make sure that neither inputs nor outputs of non-safety-related modules are used for safety-related functions. Failure to follow these instructions will result in death or serious injury.

Probabilities of Failure

For SIL 3 applications, IEC 61508 defines the following probabilities of failure on demand (PFD) and probabilities of failure per hour (PFH) depending on the mode of operation:

PFD ≥ 10^-4 to < 10^-3 for low demand mode of operation
PFH ≥ 10^-8 to < 10^-7 for high demand mode of operation