Failsafe PLC


Thread Starter

Mahmood Vafaei

Is it possible to have two safety-related applications, e.g. BMS (Burner Management System) and BPS (Boiler Protection System), running in one CPU? By CPU we mean a Failsafe PLC like the Siemens S5-95F or S7-400FH.

That's possible.

In the above list of failsafe PLCs I miss the S7-315F, the S7-317F and the S7-416F; these are Distributed Safety PLCs that have a lot of certified blocks for programming the mentioned equipment.

Because of the high certification of the systems (also S5-95F, S5-115F and S7-414FH/417FH) at level SIL3 of the 61508 certification, all this equipment can be built up in one system. Thereby the number of safety loops (SIF: Safety Integrated Functions) is to be built in such a way that the failsafe I/O for the different requested functions is not on one card.

With the S7-414FH/S7-417FH you can also build a redundant system this way (that is what the "H" in the CPU name stands for), but with one CPU you already have EN 61508 SIL3 (the software is doubled). So with this system you can also build up your failsafe I/O in duplicate to get more availability; one failsafe I/O block is already certified for EN 61508 SIL3. The different blocks are based on distributed I/O, and the blocks that are available are listed below:

ET 200M I/O:
12/24 * 24V DC F-DI {SIL3/SIL2}
4/8 * NAMUR {Exi} F-DI {SIL2/SIL3} [Intrinsic safe and failsafe, no barriers needed]
10 * 24V DC / 2A F-DO {SIL2/3}
6 * 4..20mA 2-wire/4-wire {SIL2/3}

ET 200S I/O:
4/8 * 24V DC F-DI {SIL2/SIL3}
4 * 24V DC / 2A F-DO {SIL2/3}
1 * Failsafe power module with which standard DO can be switched off, 24V DC / 10A

For the S7-414FH/417FH equipment there is a library that is already certified for burner controls. For Distributed Safety the burner blocks are now being checked by the TUV and are expected to be available for delivery very soon.

If you need more information, then please give your email address so I can give you all the information you need.

On the Siemens page you can also find information; it's the page

Best Regards,

Depending on what the fail-safe state is:
If the fail-safe state is switched off, I would say yes, but if part of the system needs to continue to operate to get to the safe state, then no.

You have to do a risk analysis defining the critical functions and the risk associated with them. Once you know the risks you can come up with the HW and SW structures.

As a good guideline use IEC 61508.


Geoff Farnsworth

It depends upon which specification or norm you are working to. If it is NFPA 85 or the previous NFPA 8502, then the answer is no, as there is a mandatory requirement within these publications for independent hardware and software. With European specifications this need for independence is not so strict, providing the equipment used, and the configuration of the hardware and software, meets at least IEC 61508 (SIL3). My own feeling is that if you do not use a dedicated system for burner management safety functions, then a hardwired backup should be provided.