With the introduction of its SIL 3 capable failsafe I/O modules suitable for use in Zone 1 hazardous areas, Siemens now offers an integrated safety, control and hazardous area capability. Ian Curtis, process safety consultant for Siemens Industry Automation, explains the benefits of the solution.

Addressing functional safety and regulatory control in a single system has been a challenge for the past decade – even more so when systems are destined for use in the hazardous area. The worlds of functional safety and hazardous area protection are, of necessity, often closely associated. However, when it comes to meeting the requirements of these two complementary yet distinct disciplines in a distributed I/O system, there are technical challenges to overcome.

With the release of the first SIL 3 capable failsafe I/O modules for the Siemens ET200iSP hazardous area remote I/O station, these obstacles have been addressed – giving users the potential for new safety system architectures with simplified engineering and a reduced total lifecycle cost for automation and safety. The three new failsafe capable I/O modules are suitable for Zone 1 hazardous areas.


When employing a more distributed approach, one of the challenges is the scalability of the system. Distributed I/O stations often have to accommodate relatively small I/O counts in a cost-effective manner. It is therefore advantageous if control and safety I/O modules can co-exist without any compromise in terms of safety. This integrated control and safety concept can also extend to the control and communications. Some customers seek to run standard and failsafe programs on one CPU and to handle standard and failsafe communications on one bus with PROFIsafe.

The Siemens system can accommodate this, but users can maintain physical separation if they prefer. It is also possible to implement safety-related functions with a separate CPU and a separate bus – and many opt for this more conservative approach. But, in principle, separate hardware is no longer necessary to achieve safety. To meet the requirements for SIL 3, all that is needed in the chain is one controller, one bus, one station, and one I/O module. These components are developed and certified according to IEC 61508 up to SIL 3. Redundancy of the entire system or of portions of it helps to increase availability, but is not necessary to achieve SIL 3.

The integrated control and safety approach brings other benefits such as consolidating information from the control and safety systems, which gives engineering, operations and maintenance staff a single window into the process and the automation system assets.

The first large customers for the ET200iSP F-modules have been from the oil and gas industry. They have used the modules in water-oil separating equipment and tank farms. Other early adopters have come from the basic chemical industry.

When compared to standard I/O with barriers, the hardware costs with ET200iSP are reduced by up to 25%. Added to this are the reduced costs associated with engineering manpower, a reduced footprint (approximately 30% smaller), simpler documentation and explosion protection calculations. There are also cabling and wiring cost savings to be had.

Another benefit of a distributed approach is expandability. A standard centralised approach will normally have some spare capacity built in – but beyond this, further expansion can often be problematic. The ability to expand in a distributed scenario is effectively unlimited. Additional modules and stations can be added as required.

The ET200iSP distributed I/O subsystem with Failsafe I/O allows users to do away with conventional barriers – which often prove incompatible with the diagnostics functions of a typical failsafe module. The “internal barriers” of the new modules, on the other hand, permit diagnostics down to the sensor/actuator level. In addition, the safety evaluation is simplified. This applies in particular to the calculation of probability of failure on demand (PFD) for safety-related functions – also known as SIL verification.


SIL verification is perceived by some as being challenging, and there may be a concern that an integrated approach compounds this problem. In the simple case, it is a matter of combining the PFD values for the individual components within the safety loop. This doesn’t change when the configuration combines failsafe and non-failsafe modules. Failsafe is becoming the new standard, and for this to happen it must have usability to match.

For the more complex situations, manufacturers supply the safety parameters which are required, but it is no longer a case of simple combination. For more complex safety instrumented function (SIF) architectures involving 1oo2 or 2oo3 configurations of system elements, standards and guidelines such as IEC 61511 and VDI 2180 provide simplified formulas.
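The calculation described in the two paragraphs above can be sketched as follows. This is an added example, not taken from the article or from Siemens: the 1oo1, 1oo2 and 2oo3 expressions are the commonly cited simplified approximations (assumed here, check them against the standard you work to), every failure rate, beta factor and the proof-test interval is a constructed value, and only the low-demand PFD band is checked.

```python
# Added example: PFDavg of one low-demand safety loop and the resulting SIL band.
# Failure rates, beta factors and the proof-test interval are constructed values.

def pfd_group(lambda_du, ti_hours, voting="1oo1", beta=0.0):
    """PFDavg of one element group (simplified approximations, assumed)."""
    x = lambda_du * ti_hours          # dangerous undetected rate x test interval
    common_cause = beta * x / 2       # shared failures defeat the redundancy
    if voting == "1oo1":
        return x / 2
    if voting == "1oo2":
        return x ** 2 / 3 + common_cause
    if voting == "2oo3":
        return x ** 2 + common_cause
    raise ValueError(f"unsupported voting scheme: {voting}")

def loop_pfd(groups, ti_hours):
    """Simple combination: the loop PFDavg is the sum over its groups."""
    return sum(
        pfd_group(g["lambda_du"], ti_hours, g["voting"], g.get("beta", 0.0))
        for g in groups
    )

def sil_from_pfd(pfd):
    """Low-demand band of IEC 61508: SIL n needs PFDavg below 10^-n (capped at 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # PFDavg of 0.1 or worse: no SIL claim

TI = 8760  # proof-test interval in hours (one year, constructed)

# Constructed loop: voted transmitters, failsafe I/O, controller, voted valves.
LOOP = [
    {"name": "transmitters", "lambda_du": 5e-7, "voting": "2oo3", "beta": 0.05},
    {"name": "F input module", "lambda_du": 2e-9, "voting": "1oo1"},
    {"name": "controller", "lambda_du": 4e-9, "voting": "1oo1"},
    {"name": "F output module", "lambda_du": 2e-9, "voting": "1oo1"},
    {"name": "shutdown valves", "lambda_du": 2e-6, "voting": "1oo2", "beta": 0.05},
]
# Same loop with a single, unvoted valve as the final element.
SINGLE_VALVE = LOOP[:-1] + [
    {"name": "shutdown valve", "lambda_du": 2e-6, "voting": "1oo1"}
]

if __name__ == "__main__":
    for label, loop in (("1oo2 valves", LOOP), ("1oo1 valve", SINGLE_VALVE)):
        pfd = loop_pfd(loop, TI)
        print(f"{label}: PFDavg = {pfd:.3e} -> SIL {sil_from_pfd(pfd)}")
```

With these constructed numbers the field devices, not the certified I/O and controller, dominate the loop PFD, which is why the final-element voting decides the achievable band.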

The complex task of determining the safety characteristic values falls to the manufacturers of safety-certified devices. This up-front work simplifies the calculations from a user perspective and means that modules will comply with standards worldwide.

With this new development, failsafe and standard I/O can be used side-by-side in a Zone 1 hazardous area with failsafe communication over PROFIsafe back to the control layer. Importantly, this helps to simplify the task of ensuring safety by incorporating the barriers into the equipment, enhancing diagnostics and simplifying the SIL verification activity.