Safety PLC vs non-safety PLC: when SIL is required
Safety PLC vs non-safety PLC compared for SA — when SIL 2/3 is legally required, the cost delta, TÜV certification, F-modules and dual-channel realities.
There is a moment on every mid-career project where someone — usually the safety officer, sometimes the insurer, occasionally an inspector — asks the question that decides the panel BOM for the next decade: does this function need a safety PLC, or will a standard CPU do? The answer is rarely a matter of opinion. It is set by a hazard study, a risk graph, a SIL target derived from IEC 61508 or 61511, and the consequences of getting it wrong sit on the same page as the consequences of the hazard itself. This page is for the technician or junior engineer who has heard the words "F-CPU", "dual-channel" and "TÜV" and now has to make sense of them in a real SA panel.
TL;DR
- A safety PLC (Siemens F-CPU + F-modules, Rockwell GuardLogix + safety I/O) is required when a hazard analysis assigns the function a SIL rating of 1 or higher under IEC 61508 / 61511. "The logic is simple" is not a reason to use a standard CPU.
- The hardware cost delta is real: F-modules typically run 3-4x the price of equivalent standard modules, and the F-CPU itself is materially more expensive than a base S7-1500 or CompactLogix.
- Certification by TÜV (or equivalent notified body) covers the platform — Siemens F-CPUs and Rockwell GuardLogix are pre-certified to SIL 3 / IEC 61508. Your application logic still has to be written, reviewed and validated to the safety lifecycle.
- Dual-channel monitoring, reset latches, automatic versus manual reset, and discrepancy timers are the day-one details that catch people who came from standard ladder.
- SA mining sites under the Mine Health and Safety Act usually demand SIL 2 minimum on guard interlocks and emergency stop circuits. Petrochem typically asks SIL 3 on burner management and emergency shutdown systems.
Side-by-side
| Criterion | Safety PLC | Non-safety PLC |
|---|---|---|
| Typical platform | Siemens S7-1500F + F-DI/F-DO; Rockwell GuardLogix + 1734-IB8S / 1734-OB8S | Siemens S7-1500 + standard SM; Rockwell CompactLogix / ControlLogix |
| Certification base | TÜV-certified to IEC 61508 SIL 3 / IEC 62061 / ISO 13849 PL e | None — IEC 61131-3 functional only |
| Diagnostic coverage | High DC by design (typically >99% on F-DI / F-DO) | Whatever the application checks for, manually |
| Channel architecture | Dual-channel inputs and outputs supported natively (1oo2 evaluation with discrepancy monitoring) | Single-channel by default; dual-channel needs application code |
| Hardware cost delta | 3-4x equivalent standard hardware on the I/O side; F-CPU premium ~30-50% | Baseline |
| Safety logic language | F-LAD / F-FBD with restricted instruction set; F-blocks only | Full IEC 61131-3 ladder, FBD, ST, SFC, IL |
| Application validation | Required: FAT plus safety acceptance test, signed off | Functional FAT only |
| Behaviour on detected fault / CPU stop | Outputs go to the de-energised safe state by design (module passivation) | Configurable per module: hold last value or substitute value; safe only if the engineer configured and tested it that way |
| Where it is required (SA) | Mining guard interlocks, E-stops, runaway protection; petrochem ESD, BMS, fire & gas | Process control, motor sequencing, recipe management, HMI |
| Reference standard | IEC 61508 (general); IEC 61511 (process); IEC 62061 (machinery) | IEC 61131-3 |
| Wiki overview | SIL on Wikipedia | PLC on Wikipedia |
Where each one wins
Safety PLC
The safety PLC wins anywhere a hazard study has assigned the function a SIL target. That sentence is doing a lot of work, so unpack it. A hazard study (HAZOP for process, or a machinery risk assessment under ISO 12100 for discrete) identifies a hazardous event, estimates the consequences and frequency, and the risk graph spits out a SIL target — SIL 1, 2 or 3 — for the function that has to mitigate the hazard. The PLC implementing that function then has to be capable of meeting that SIL target. A standard CPU cannot, full stop, regardless of how clever the application code is — because the hardware fault tolerance and diagnostic coverage are not certified.
What you get with a Siemens F-CPU or a Rockwell GuardLogix is a platform that has been TÜV-certified to IEC 61508 SIL 3, with the diagnostic coverage built into the silicon and the firmware. F-DI modules continuously cross-check inputs across two channels and flag a discrepancy if they disagree for longer than the configured tolerance time. F-DO modules read back the actual output state and trip if the commanded state and the read-back diverge. Watchdogs, voltage monitors, temperature checks, RAM patterns — all of it runs in the background and forces the CPU into the safe state on any detected fault. None of this is application code. You get it for buying the platform.
The other thing safety PLCs do properly is the application language. F-LAD and F-FBD are restricted subsets of standard ladder and FBD. You cannot use indirect addressing inside an F-block. You cannot call a non-safety FB from a safety FB. The instruction set is smaller and the data types are stricter. This is annoying when you first hit it and exactly the right design choice when you understand why — the smaller the surface area, the smaller the validation burden, the lower the chance a clever optimisation hides a systematic fault.
Non-safety PLC
The non-safety PLC wins everywhere else, which is most of the plant. Process control loops, motor start-stop sequencing, batch recipe management, HMI alarming, data logging, OEE tracking, MES integration — none of these are safety functions in the IEC 61508 sense, none of them carry a SIL target, and using an F-CPU for them would be expensive and pointless. The standard CPU is what gets the work done.
The split is functional, not physical. A common architecture in SA petrochem is a single S7-1500F doing both — running the safety logic in the F-runtime and the process control logic in the standard runtime, on the same CPU, with the firmware enforcing strict separation between them. Same in Rockwell with a GuardLogix CPU, where standard tasks and safety tasks coexist with hardware-enforced isolation. So the question is rarely "which CPU do I buy" and more often "which functions do I assign to the safety runtime, which to the standard runtime, and where does the boundary sit". That boundary is the output of the SIL allocation in the hazard study.
Where you would use a pure standard CPU with no safety runtime: small machines below the SIL trigger threshold, batch processes where the only safety function is a hardwired E-stop (a category 0 stop done with a dual-channel safety relay such as a Pilz PNOZ dropping the contactors directly, no PLC involvement), and process areas where the safety functions are all instrumented protective functions handled by a separate dedicated SIS on its own CPU.
What this means in SA
SA mining is governed by the Mine Health and Safety Act 29 of 1996 and the regulations under it. The Department of Mineral Resources publishes guidance on safe machinery design that, in practice, pushes most underground and surface beneficiation projects to SIL 2 minimum on guard interlocks, conveyor pull-cords, runaway protection on hoists, and emergency stop circuits. SIL 3 shows up on shaft-bottom signalling, winder protection, and on some of the larger mill drives where a runaway has fatality consequences. The OEMs who supply the bulk of the mining beneficiation hardware in SA — particularly into PGM and base metals concentrators — typically ship Siemens F-CPU panels by default, because the customers' specs require them.
SA petrochem at the major refining and synfuels operations runs to SIL 3 on the safety instrumented systems — burner management on furnaces, emergency shutdown on reactor sections, fire and gas detection, depressurisation logic. The architecture is usually a separate SIS layer (often Honeywell Safety Manager, Siemens Simatic Safety, or HIMA) sitting alongside the basic process control system. The split is deliberate — IEC 61511 strongly recommends physical separation between the BPCS and SIS, and the major SA petrochem operators implement that separation rigorously.
SA F&B and discrete manufacturing sit lower on the scale. A typical canning line, dairy plant, or automotive components cell will have PL c or PL d (roughly SIL 1 to SIL 2 in IEC 62061 terms) on guard doors and E-stops, often implemented with safety relays rather than safety PLCs for cost reasons. Once the line has more than four or five guarded zones, the maths swings toward a small safety PLC (Siemens ET 200SP F or Rockwell Compact GuardLogix) because relay logic gets unwieldy. The cost crossover is usually around 6-8 safety functions.
A note on insurance: SA-based operating companies that carry international insurance (Munich Re, Swiss Re, Lloyd's syndicates) will have SIL targets driven partly by the insurer's loss-prevention engineering survey. That survey is independent of the legal SHE framework and can push a project up the SIL ladder for purely financial reasons. The insurer's word is final on this — argue with the hazard study, not the insurer.
Common mistakes when picking
- "The logic is simple, a standard CPU is fine." No. The SIL target applies to the whole safety function, and the hardware that implements it has to be capable of that SIL regardless of what the application looks like. A two-rung interlock with a SIL 2 target still requires a SIL 2 capable CPU and certified I/O. The simplicity of the logic does not change the hardware fault tolerance and diagnostic coverage requirements on the silicon.
- Mixing safety and non-safety I/O on the same module. Even on platforms that allow it physically, do not. Keep safety inputs on F-DI modules and standard inputs on standard SM modules. The diagnostic story breaks down the moment you blur the line and the next person to read the panel will not understand which signals are safety-rated.
- Forgetting the reset latch. With automatic reset the safety function re-enables the moment the demand clears (the door closes again and the drive restarts on its own). With manual reset the function stays tripped until a deliberate operator action on a separate reset input. This is a different question from the IEC 60204-1 stop categories (0, 1, 2), which describe how power is removed, not how the function resets. ISO 13849-1 requires a manual reset function wherever a person can be inside the guarded zone with the guard closed behind them, and it is what most machinery specifications require for guard interlocks. The reset latch is application logic and it is absent by default in a fresh project: write it deliberately.
- Using an automatic-reset E-stop. Dangerous and explicitly non-compliant. E-stops require manual reset, full stop. The reset has to be a positive operator action through a separate pushbutton, not the lifting of the E-stop button itself.
- Skipping the validation step. TÜV certifies the platform. Your application has to be validated by your team — typically a documented FAT plus a separate safety acceptance test against the safety requirements specification. Skipping this turns the SIL claim into marketing.
- Treating GuardLogix safety tasks as ordinary tasks. They are not. Safety tasks have priority and timing constraints that ordinary tasks do not, and inter-task communication between safety and standard scopes goes through a specific safety-rated tag mechanism. Read the manual before you assume your existing Studio 5000 reflexes carry over.
How to test the trade-off in the simulator
Drop both architectures into the simulator side by side. On the safety side, build an S7-1500F with an F-DI 16, an F-DO 8, and a couple of standard SM modules for the non-safety functions. Wire a guarded door interlock as a SIL 2 function: dual-channel input, 100 ms discrepancy time, manual reset latch, output to a safety contactor pair with read-back. On the non-safety side, build a plain S7-1500 with a DI16 and DO16 and try to implement the same function in standard ladder. Time how long each takes you to author from a blank project, and then break one of the channels — short one wire, leave the other open — and watch how each implementation behaves.
The safety implementation flags the discrepancy, drops the output to the safe state, and refuses to reset until the input agrees again and the operator hits the reset button. The standard implementation does whatever you wrote in application code, which on a fresh project is usually nothing — the output stays where it was, the operator never knows there is a problem, and the next time a hand goes through the door it is unprotected. The simulator makes this obvious in twenty minutes.
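The cycle-by-cycle model below is an added illustration (not Siemens, Rockwell or simulator code) of the two behaviours just described: the discrepancy monitoring and output read-back that an F-DI/F-DO pair does in firmware, and the wiring-fault exercise above. It writes that logic out explicitly as a scan routine, puts the single-channel "fresh project" version beside it, and runs both through the same constructed input traces. The 10 ms scan time, the 100 ms discrepancy time and the contactor model (it mirrors the previous command unless it welds) are assumptions of the simulation.

```python
"""Scan-cycle model of the guard-door interlock on this page: 1oo2 dual-channel
input with discrepancy time, manual-reset latch and contactor read-back, beside
the single-channel version a fresh standard-ladder project tends to end up with.
Added illustration, not vendor code; cycle time and contactor model are assumed."""
from dataclasses import dataclass

CYCLE_MS = 10          # assumed PLC scan time
DISCREPANCY_MS = 100   # tolerance time used in the simulator exercise above


@dataclass
class SafetyInterlock:
    """What an F-DI/F-DO pair gives you in firmware, written out explicitly."""
    discrepancy_ms: int = DISCREPANCY_MS
    enabled: bool = False      # commanded output (True = contactors pulled in)
    fault: bool = False        # latched discrepancy or read-back fault
    _timer_ms: int = 0
    _prev_reset: bool = False
    _prev_cmd: bool = False

    def scan(self, ch1: bool, ch2: bool, reset: bool, readback: bool) -> bool:
        """One cycle. ch1/ch2 are the door-switch channels (True = closed),
        reset is the reset pushbutton, readback is the measured contactor
        state from the previous cycle. Returns the commanded output."""
        # Discrepancy monitoring: channels may differ briefly (contact bounce,
        # staggered cams) but not for longer than the tolerance time.
        discrepant = ch1 != ch2
        if discrepant:
            self._timer_ms += CYCLE_MS
            if self._timer_ms > self.discrepancy_ms:
                self.fault = True
        else:
            self._timer_ms = 0
        # Read-back: the contactors must follow the last command. Read-back
        # True while commanded off means a welded contact: latched fault.
        readback_fault = readback != self._prev_cmd
        if readback_fault:
            self.fault = True
        # 1oo2 evaluation: either channel open is a demand, output drops at once.
        demand = not (ch1 and ch2)
        if demand or self.fault:
            self.enabled = False
        # Manual reset: rising edge only, door closed on both channels, and no
        # discrepancy or read-back mismatch present in this cycle.
        rising = reset and not self._prev_reset
        self._prev_reset = reset
        if rising and not demand and not discrepant and not readback_fault:
            self.fault = False
            self.enabled = True
        self._prev_cmd = self.enabled
        return self.enabled


class NaiveInterlock:
    """Single-channel standard ladder: the output simply follows one input."""

    def scan(self, ch1: bool, ch2: bool, reset: bool, readback: bool) -> bool:
        return ch1


def run(controller, samples, weld_after=None):
    """Feed (ch1, ch2, reset) samples, one per cycle, and return the output
    trace. Assumed contactor model: read-back mirrors the previous command
    unless the contactor welds at cycle weld_after, after which it is stuck True."""
    trace, cmd = [], False
    for cycle, (ch1, ch2, reset) in enumerate(samples):
        welded = weld_after is not None and cycle >= weld_after
        readback = True if welded else cmd
        cmd = controller.scan(ch1, ch2, reset, readback)
        trace.append(cmd)
    return trace


# Constructed input traces.
CLOSED, OPEN, RESET = (True, True, False), (False, False, False), (True, True, True)
# Door closed, reset pressed, door opened, door closed again, reset pressed again.
NORMAL = ([CLOSED] * 3 + [RESET] + [CLOSED] * 3 + [OPEN] * 5
          + [CLOSED] * 5 + [RESET] + [CLOSED] * 2)
# The wiring fault from the exercise: channel 1 shorted to +24 V, channel 2
# open, followed by three attempts at the reset button.
MISWIRED = [(True, False, False)] * 12 + [(True, False, True), (True, False, False)] * 3

if __name__ == "__main__":
    print("normal,   safety:", run(SafetyInterlock(), NORMAL))
    print("normal,   naive :", run(NaiveInterlock(), NORMAL))
    print("miswired, safety:", run(SafetyInterlock(), MISWIRED))
    print("miswired, naive :", run(NaiveInterlock(), MISWIRED))
    print("welded,   safety:", run(SafetyInterlock(), NORMAL, weld_after=7))
```

On the normal trace the safety version only energises after a reset edge and, once the door has been opened, stays off until the next reset; the naive version re-energises the instant the door closes. On the miswired trace the safety version latches the discrepancy fault after the tolerance time expires and refuses every reset because the channels never agree, while the naive version treats the shorted channel as a closed door and stays energised throughout. The welded-contactor run shows the read-back check: the output drops on the demand, the stuck read-back is detected on the next cycle, and the later reset is refused until someone fixes the contactor.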
Vendor reference
The reference standards are IEC 61508 for general functional safety, IEC 61511 for process industry safety instrumented systems, and IEC 62061 plus ISO 13849 for machinery. The Siemens product family for safety PLCs is documented at Siemens Industry Online Support — search for "S7-1500F" and "Simatic Safety". The Rockwell equivalent is GuardLogix, documented at Rockwell Automation Support. For an independent overview of safety integrity levels, the SIL Wikipedia article covers the underlying maths and the notation used across the standards.
What we don't claim
This site is not SAQA-registered, not MerSETA-accredited, and not an NQF-registered qualification provider. We do not certify your safety application. We are not a TÜV notified body, not a functional-safety engineer registered to a competence scheme, and we do not sign off SIL claims. The simulator is a learning tool — it lets you practise the shape of safety logic in a controlled environment where the cost of a mistake is zero. It does not replace a hazard study, a safety requirements specification, an independent application validation, or a competent functional-safety engineer on the project. If you are commissioning a real safety function on a real plant, hire someone who has the credentials this site does not claim. The cost numbers above are indicative SA list-price ballparks at time of writing — get a current quote from the local distributor.