Safety PLC Symbol
Definition: The Safety PLC symbol represents a fail-safe programmable logic controller designed to execute safety-critical functions, depicted as a rectangular block with safety input pins (SI1, SI2), safety output pins (SO1, SO2), power pins (PWR, GND), and labelled 'Safety PLC', conforming to IEC 61508 (functional safety of E/E/PE systems) and IEC 62061 / ISO 13849-1 (safety of machinery), capable of achieving Safety Integrity Level 2–3 (SIL 2–3) or Performance Level d–e (PLd–PLe).
Also known as: fail-safe PLC, safety controller, guardian controller, F-PLC, safety logic controller, SIL PLC.
What the Safety PLC symbol means
The Safety PLC symbol in a circuit diagram represents a dedicated programmable controller whose hardware and firmware are designed and certified to execute safety functions — emergency stops, guard monitoring, two-hand control, safe speed monitoring — with a level of reliability and fault-tolerance sufficient to meet SIL 2/3 or PLd/e requirements. Unlike a standard PLC, a safety PLC uses dual processors that cross-check each other's results, watchdog timers, and self-diagnostic routines to detect internal faults within a defined safe failure fraction.
In safety system schematics, the safety PLC symbol indicates the central decision-making element that reads safety sensor signals (SI1, SI2 from interlock switches, light curtains, e-stops) and drives safety output actuators (SO1, SO2 to contactors, drives, valves). The dual-channel input and output architecture ensures that a single component failure does not produce a dangerous output state.
How to identify the Safety PLC symbol
The Safety PLC symbol is drawn as a large rectangle labelled 'Safety PLC' or 'F-PLC' with safety input pins SI1 and SI2 on the left edge, safety output pins SO1 and SO2 on the right edge, PWR (power supply) at the top, and GND at the bottom. The symbol may also show additional I/O pins for diagnostics, communication (e.g., PROFIsafe), and standard (non-safety) I/O channels. The 'Safety PLC' label and the distinct SI/SO pin designations differentiate it from a standard PLC block symbol.
Function in a circuit
A safety PLC reads dual-channel safety input signals from devices such as e-stop buttons, safety interlock switches, and light curtains through its SI (safety input) channels. The internal dual-processor architecture cross-compares both channels and executes the certified safety program. When a safety event is detected (e.g., both SI1 and SI2 open simultaneously, confirming an e-stop actuation), the safety PLC opens its SO (safety output) contacts or transitions safety output transistors to a de-energised state, removing power from hazardous actuators. The safety PLC continuously monitors its own internal diagnostics, detects component faults, and drives the outputs to the safe state if any self-test fails.
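The following Python model is an added worked example, not code from the original page or from any controller vendor. It simulates the safety task described above: two dual-channel inputs (SI1, SI2) evaluated with 1oo2 voting, a discrepancy-time limit that latches a channel fault when the two channels disagree for too long, a manual reset required after a stop demand, and forced de-energisation of SO1/SO2 when an internal self-test fails. The 500 ms discrepancy limit, the 5 ms cycle, the manual-reset behaviour and the channel readings are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SAFE = False       # de-energised output: 0 V / open contact
ENERGISED = True   # enable present at the actuator


@dataclass
class DualChannelInput:
    """One dual-channel safety input, e.g. SI1 wired to a gate interlock.

    Channel values model normally-closed contacts: True = closed (no demand),
    False = open (demand present). The discrepancy limit is an assumed value.
    """
    name: str
    discrepancy_limit_ms: int = 500
    discrepancy_ms: int = 0
    faulted: bool = False

    def evaluate(self, ch_a: bool, ch_b: bool, dt_ms: int) -> bool:
        """Return True only when both channels agree that no demand is present."""
        if self.faulted:
            return False
        if ch_a != ch_b:
            # 1oo2 voting: one open channel is already treated as a demand.
            # Disagreement that outlasts the limit means a stuck contact or a
            # wiring fault, so the input stays latched until the fault is repaired.
            self.discrepancy_ms += dt_ms
            if self.discrepancy_ms > self.discrepancy_limit_ms:
                self.faulted = True
            return False
        self.discrepancy_ms = 0
        return ch_a


class SafetyController:
    """Model of the safety task running inside the Safety PLC block."""

    def __init__(self, inputs):
        self.inputs = {i.name: i for i in inputs}
        self.stop_latched = True   # power up in the safe state until a reset is given

    def cycle(self, readings, dt_ms, self_test_ok=True, reset=False):
        """Execute one safety task cycle and return the SO1/SO2 states."""
        if not self_test_ok:
            # A failed internal diagnostic drives every safety output to the safe state.
            self.stop_latched = True
            return {"SO1": SAFE, "SO2": SAFE, "reason": "self-test failure"}
        enables = {n: inp.evaluate(*readings[n], dt_ms) for n, inp in self.inputs.items()}
        if not all(enables.values()):
            self.stop_latched = True
            reason = "; ".join(f"{n} {'fault' if self.inputs[n].faulted else 'open'}"
                               for n, ok in enables.items() if not ok)
            return {"SO1": SAFE, "SO2": SAFE, "reason": reason}
        if self.stop_latched and not reset:
            # A stop demand must be acknowledged before the outputs re-energise.
            return {"SO1": SAFE, "SO2": SAFE, "reason": "awaiting manual reset"}
        self.stop_latched = False
        return {"SO1": ENERGISED, "SO2": ENERGISED, "reason": "ok"}


def demo():
    """Constructed robot-cell scenario: SI1 = gate interlock, SI2 = e-stop, 5 ms cycle."""
    ctrl = SafetyController([DualChannelInput("SI1"), DualChannelInput("SI2")])
    closed, opened = (True, True), (False, False)
    trace = [
        ctrl.cycle({"SI1": closed, "SI2": closed}, 5),               # 0: power-up, no reset yet
        ctrl.cycle({"SI1": closed, "SI2": closed}, 5, reset=True),   # 1: reset, outputs energise
        ctrl.cycle({"SI1": (False, True), "SI2": closed}, 5),        # 2: gate channel A opens first
        ctrl.cycle({"SI1": opened, "SI2": closed}, 5),               # 3: both gate channels open
        ctrl.cycle({"SI1": closed, "SI2": closed}, 5),               # 4: gate closed, still latched
        ctrl.cycle({"SI1": closed, "SI2": closed}, 5, reset=True),   # 5: reset, outputs energise
    ]
    for _ in range(101):                                             # e-stop channel B stuck open
        last = ctrl.cycle({"SI1": closed, "SI2": (True, False)}, 5)  # for 505 ms in total
    trace.append(last)                                               # 6: SI2 latched as faulted
    trace.append(ctrl.cycle({"SI1": closed, "SI2": closed}, 5, reset=True))         # 7: reset does not clear it
    trace.append(ctrl.cycle({"SI1": closed, "SI2": closed}, 5, self_test_ok=False))  # 8: diagnostic failure
    return trace
```

Calling `demo()` walks the scenario cycle by cycle. The single-channel-open case (step 2) is the one worth studying: the outputs drop on the first cycle in which one channel opens, even though the other channel still reads closed, and if the channels never reconverge the input is latched as faulted so that a reset cannot re-energise the outputs until the wiring or contact fault is repaired.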
Standards: IEC vs ANSI
| Standard family | Requirements applicable to safety PLCs |
|---|---|
| IEC 60617 | IEC 61508 Parts 1–7 define hardware and software requirements for safety-related programmable electronic systems. IEC 62061:2021 applies IEC 61508 specifically to safety of machinery, defining SILCL (SIL Claim Limit) for safety PLCs. IEC 61131-3 defines the programming languages used for safety programs (Ladder, FBD, ST with restricted subsets). |
| ANSI/IEEE 315 | ANSI/UL 61508 is the North American adoption of IEC 61508. ANSI/NFPA 79 governs safety PLC applications in industrial machinery in North America. ISO 13849-1 (adopted as ANSI/ASSE Z244.1 in North America) provides the Performance Level framework used alongside SIL. |
| Key difference | IEC 62061 uses SIL (Safety Integrity Level) as the metric; ISO 13849-1 uses Performance Level (PLa–PLe). Both frameworks yield equivalent safety performance at their respective levels (SIL 2 ≈ PLd; SIL 3 ≈ PLe) and are used interchangeably depending on the region and application standard. |
Terminals / pins
| Pin | Name |
|---|---|
| si1 | SI1 |
| si2 | SI2 |
| so1 | SO1 |
| so2 | SO2 |
| pwr | PWR |
| gnd | GND |
Typical values
- Supply voltage: 24 V DC typical.
- SIL/PL rating: SIL 2–3 / PLd–PLe (device and architecture dependent).
- Cycle time: 1–10 ms (safety task).
- Diagnostic coverage (DC): ≥90% (Category 3) to ≥99% (Category 4).
- PFHD (probability of dangerous hardware failure per hour): 10⁻⁷ to 10⁻⁸ per hour for SIL 2–3.
- Safe state: output de-energised (0 V / open contact).
Where the Safety PLC symbol is used
- Robot cell safety systems — centralised monitoring of all access interlocks, e-stops, and speed monitoring, with PROFIsafe or FSoE network integration
- Press and stamping machine safety functions — two-hand control, guard monitoring, and stop category 0/1 for press brakes and power presses
- Automated warehouse and conveyor systems — zoned safety functions permitting maintenance access to one zone while adjacent zones continue operating
- Process plant emergency shutdown (ESD) systems — SIL 2/3 shutdown functions for gas detection, high-pressure trips, and fire-and-gas panels
- Collaborative robot (cobot) installations — safe-speed monitoring, joint-torque limit monitoring, and workspace zone management
- Automotive assembly lines — body-in-white welding cells with complex multi-zone safety architectures managed by a central safety PLC
Example
In a robotic welding cell, the Safety PLC symbol shows SI1 receiving the dual-channel signal from the cell access gate safety interlock switch, SI2 receiving the dual-channel e-stop signal, SO1 driving the robot enable contactor coil, and SO2 driving the positioner drive enable; when the gate interlock opens, SI1 transitions to a safe state, the safety PLC program drops SO1 within one safety task cycle (5 ms), the robot drive contactor opens, and the robot executes a safe-stop function.
Key facts
- A safety PLC uses a dual-processor (1oo2D or 2oo2) internal architecture where both processors execute the safety program and cross-check results each scan cycle; a discrepancy drives all safety outputs to the safe (de-energised) state.
- Safety PLC hardware is certified to IEC 61508 SIL 2 or SIL 3 (and often IEC 62061 SILCL 3) by independent bodies such as TÜV Rheinland or TÜV SÜD, with the certificate specifying achievable SIL and PFHD value.
- Safety I/O channels (SI, SO) are internally isolated from standard I/O, have cross-channel monitoring, and use test-pulse diagnostics to detect short circuits, open circuits, and cross-shorts between channels.
- Safety programs on a safety PLC are written in restricted-subset IEC 61131-3 languages (Ladder, FBD, or structured text without pointers or recursion) and require dual sign-off and CRC/checksum verification at download.
- The safe state for safety PLC outputs is always the de-energised state (0 V or open contact), meaning a power loss or internal fault causes machine stop — this is the fail-safe principle (de-energise-to-trip).
- PROFIsafe, FSoE (EtherCAT Safety), and CIP Safety are the major safety fieldbus protocols that allow safety I/O modules to communicate with a safety PLC over a standard network with integrated CRC and monitoring.
- Reference designators: safety PLCs are labelled CPU-S or F-CPU in Siemens TIA Portal nomenclature; generically labelled as SIL-PLC or Safety Controller on schematics.
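As an added example (not the page's own code, nor any vendor's firmware), the following Python model combines two of the facts listed above: the 1oo2D cross-check, in which two processing lanes execute the same safety program each scan and any discrepancy drives the outputs to the safe state, and CRC verification of the safety program at download. The program image, the CRC-32 choice, the periodic in-memory re-check and the `stuck_lane` fault injection are assumptions for illustration.

```python
import zlib
from typing import Callable

# Constructed stand-in for a compiled safety program image (not real PLC firmware).
PROGRAM_IMAGE = b"SAFETY_PROGRAM_V1\nSO1 := SI1 AND SI2;\nSO2 := SI1 AND SI2;\n"


def program_crc(image: bytes) -> int:
    """CRC-32 over the program image; the value recorded at sign-off."""
    return zlib.crc32(image) & 0xFFFFFFFF


def verify_download(image: bytes, signed_off_crc: int) -> bool:
    """Accept a downloaded program only if its CRC equals the signed-off CRC."""
    return program_crc(image) == signed_off_crc


def safety_program(si1: bool, si2: bool) -> tuple[bool, bool]:
    """The safety logic both processors execute: enable only if all inputs are healthy."""
    return (si1 and si2, si1 and si2)


class LogicSolver1oo2D:
    """Two lanes run the program each scan; outputs leave the block only if they agree."""

    def __init__(self, image: bytes, signed_off_crc: int,
                 lane_b: Callable[[bool, bool], tuple[bool, bool]] = safety_program):
        if not verify_download(image, signed_off_crc):
            raise ValueError("program CRC mismatch: download rejected")
        self.image = image
        self.crc = signed_off_crc
        self.lane_b = lane_b   # injectable so that a faulty processor can be simulated

    def scan(self, si1: bool, si2: bool) -> dict:
        # Assumed periodic re-check of the program in memory against the signed CRC.
        if program_crc(self.image) != self.crc:
            return {"SO1": False, "SO2": False, "fault": "program integrity"}
        a = safety_program(si1, si2)   # lane A
        b = self.lane_b(si1, si2)      # lane B, normally the same program
        if a != b:
            # Cross-check failed: de-energise everything rather than trust either lane.
            return {"SO1": False, "SO2": False, "fault": "lane discrepancy"}
        return {"SO1": a[0], "SO2": a[1], "fault": None}


def stuck_lane(si1: bool, si2: bool) -> tuple[bool, bool]:
    """Simulated processor fault: lane B reports 'enable' regardless of the inputs."""
    return (True, True)


def demo() -> dict:
    """Constructed scenario exercising the cross-check and the program integrity check."""
    crc = program_crc(PROGRAM_IMAGE)
    healthy = LogicSolver1oo2D(PROGRAM_IMAGE, crc)
    faulty = LogicSolver1oo2D(PROGRAM_IMAGE, crc, lane_b=stuck_lane)
    tampered = PROGRAM_IMAGE.replace(b"SI1 AND SI2", b"TRUE")
    results = {
        "run": healthy.scan(True, True),
        "estop": healthy.scan(True, False),
        "faulty_run": faulty.scan(True, True),      # lanes agree by coincidence, fault stays hidden
        "faulty_estop": faulty.scan(True, False),   # stuck lane disagrees, safe state is forced
        "tampered_accepted": verify_download(tampered, crc),
    }
    healthy.image = tampered                        # corrupt the program held in memory
    results["after_corruption"] = healthy.scan(True, True)
    return results
```

The `faulty_run` result is the instructive one: a lane that is stuck at "enable" is only exposed when the inputs demand a stop, which is exactly why real controllers add test pulses and self-tests rather than relying on output comparison alone.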
Frequently asked questions
What does the safety PLC symbol mean in a circuit diagram?
The safety PLC symbol represents a fail-safe programmable controller that monitors dual-channel safety inputs (SI1, SI2 from e-stops, interlocks, light curtains) and controls safety outputs (SO1, SO2 to contactors and drives). It executes certified safety logic to de-energise hazardous actuators when a safety event is detected.
What does a safety PLC symbol look like?
The safety PLC symbol is a rectangle labelled 'Safety PLC' with safety input pins (SI1, SI2) on the left, safety output pins (SO1, SO2) on the right, PWR at the top, and GND at the bottom. The symbol follows the standard IC/functional block convention and is distinguished by its 'Safety PLC' label and SI/SO pin nomenclature.
What is the difference between a safety PLC and a standard PLC?
A safety PLC has dual-processor hardware with continuous cross-checking, self-diagnostic routines, and certified safety I/O with test-pulse monitoring, achieving SIL 2–3 / PLd–PLe per IEC 61508 / ISO 13849-1. A standard PLC has no dual-processor cross-check, no certified safety diagnostics, and cannot be used for safety functions above PL b / SIL 1 without additional external monitoring.
What standards govern safety PLCs?
IEC 61508 Parts 1–7 define the base requirements for safety-related programmable electronic systems. IEC 62061:2021 applies IEC 61508 to machinery applications and defines SIL Claim Limits (SILCL) for safety PLCs. ISO 13849-1 provides the Performance Level framework. Safety PLC devices must be independently certified (e.g., TÜV SÜD) to one or more of these standards.
What SIL level can a safety PLC achieve?
Most commercially available safety PLCs are certified to SIL 2 or SIL 3 per IEC 61508 / IEC 62061, and PLd or PLe per ISO 13849-1. The achievable SIL for a specific safety function depends on the PFHD of the complete safety function (sensor + safety PLC + actuator), not just the safety PLC alone.
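The following Python example is added here to make the last point concrete; it is not code from the page. It maps a PFH value to the SIL bands of IEC 61508-1 (high-demand / continuous mode) and to the PFHd bands of ISO 13849-1, then sums the subsystem values of a sensor + safety PLC + actuator chain. The subsystem figures are constructed for illustration, not taken from any datasheet.

```python
# IEC 61508-1 target failure measures for a safety function in high-demand or
# continuous mode: PFH in dangerous failures per hour, lower bound inclusive,
# upper bound exclusive.
SIL_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# ISO 13849-1 PFHd bands for Performance Levels a to e, same convention.
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]


def sil_from_pfh(pfh: float):
    """Highest SIL whose band contains pfh; None if the SIL 1 limit is exceeded."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfh < hi:
            return sil
    return 4 if pfh < 1e-9 else None   # better than the SIL 4 band is capped at SIL 4


def pl_from_pfh(pfh: float):
    """Performance Level whose band contains pfh; None if the PLa limit is exceeded."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return pl
    return "e" if pfh < 1e-8 else None


def safety_function_pfh(subsystems: dict) -> float:
    """PFH of the complete safety function: subsystem values add up
    (sensor + logic solver + actuator), so the weakest link dominates."""
    return sum(subsystems.values())


def demo() -> dict:
    """Constructed subsystem PFH values for a gate-interlock stop function."""
    chain = {
        "interlock switch, dual channel": 2.5e-8,
        "safety PLC, certified SIL 3": 1.0e-8,
        "contactor pair with feedback": 8.0e-8,
    }
    total = safety_function_pfh(chain)
    return {
        "logic_solver_sil": sil_from_pfh(chain["safety PLC, certified SIL 3"]),
        "function_pfh": total,
        "function_sil": sil_from_pfh(total),
        "function_pl": pl_from_pfh(total),
    }
```

In the constructed chain the safety PLC alone sits in the SIL 3 band, but the complete function reaches only SIL 2 / PLd because the actuator subsystem contributes most of the failure rate. The PFH sum is one necessary condition; the achievable SIL is also limited by the architectural constraints (hardware fault tolerance and safe failure fraction) and the systematic capability of each subsystem, which this example does not model.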
What are SI and SO pins on the safety PLC symbol?
SI (Safety Input) pins connect to dual-channel safety sensor signals such as e-stop buttons, door interlock switches, and light curtain OSSD outputs. SO (Safety Output) pins drive safety actuators such as contactor coils and drive-enable signals. Both SI and SO use dual-channel wiring and internal cross-monitoring to detect single-channel failures.
What is the safe state for a safety PLC output?
The safe state for all safety PLC outputs is the de-energised state — 0 V DC or open contact. This means that on any detected fault (internal self-test failure, power loss, or safety input event), the outputs transition to 0 V, de-energising contactors and drives. This fail-safe design ensures the machine stops rather than continues operating on a fault.