TwinSAFE project design

Individually scalable: the TwinSAFE architectures

TwinSAFE gives machine builders the possibility to realize the most diverse safety architectures with components in different form factors – from stand-alone control to distributed control, including pre-processing of data directly by I/O terminals, through to system-integrated software-based control for highly complex safety applications. Customers have the benefit of attractively priced, flexible and optimally scalable solutions – and the certainty of being able to meet all safety requirements as needed at all times and in the future, too.

TwinSAFE architectures in detail

TwinSAFE as a stand-alone controller

With the rollout of the two components EK1960 and EP1957, TwinSAFE offers a safety solution for compact applications. These devices can be operated in stand-alone mode without connection to the EtherCAT fieldbus. The safety application is realized on the basis of the safe local inputs and outputs. The stand-alone-capable components can of course also be used, as usual, when fully integrated into the overall system.

TwinSAFE as a compact controller

With the integration of the TwinSAFE Logic functionality into all new TwinSAFE components and therefore also into all TwinSAFE I/O components, the potential range of applications for TwinSAFE is significantly extended. In this way, an individual component with local inputs and outputs can be used to realize a safety application (EL1957). As with all TwinSAFE Logic components, communication with existing TwinSAFE components is also possible. In addition to the components represented here, which have both local inputs and local outputs, pure input or output components are also available with TwinSAFE Logic.

TwinSAFE as a central safety controller

TwinSAFE provides dedicated safety controllers, which can be used for centralized control from a safety technology perspective. These devices themselves do not have local inputs and outputs. Instead, communication relationships are established with 1...n safety-related components, and the safe input and output signals are processed in accordance with the user-defined safety application. The architecture in this case corresponds to the traditional architecture of safety applications. In addition to the dedicated safety controllers represented here, all Logic-capable components can of course also be used in context with a conventional architecture.

TwinSAFE as a distributed system

Through the integration of the TwinSAFE Logic functionality into all new TwinSAFE components, any distribution or modularization of a safety application can be realized. In contrast to the traditional architecture, not all safety-related input and output signals have to be transmitted for processing to the central safety controller. The option of distributed control means that, from a safety technology perspective, functionally related components can be modelled by a dedicated safety project. If a system involves an AX8000 group with n modules, for example, where each of these n modules also has to execute safety-related drive functions, then, in the traditional approach, these drive functions have to be controlled individually by the central safety controller. Through the principle of distributed control, on the other hand, one of the modules can now be used as a TwinSAFE Logic, which locally takes over the safety-related control of the other TwinSAFE modules in the group.

Safety control with the standard Industrial PC

With the introduction of the TwinCAT Safety PLC software, TwinSAFE can leverage the enormous performance of standard Industrial PCs in safety control applications. Using an Industrial PC as a software safety controller, even the most sophisticated safety applications can be executed. With the TwinCAT Safety PLC used in a traditional architecture, the overall system is controlled by a single, centralized device, which realizes both the standard functionality and the safety functionality. In contrast to the TwinSAFE hardware components, this safety controller can also be programmed in a standard C derivative with Safety C. This means that safety applications with any level of complexity can be represented. As is typical with TwinSAFE, this architecture can be combined as required with other TwinSAFE architectures.

TwinCAT 3 and TwinCAT 2

In the Beckhoff world, a safety application can be implemented with either TwinCAT 2 or TwinCAT 3. Whereas TwinCAT 2 can be used exclusively for the TwinSAFE Logic components EL6900, EL6930 and KL6904, all Logic components with the exception of the KL6904 can be configured with TwinCAT 3.

TwinCAT 3 XCAD Interface

Beckhoff provides the possibility to create a safety application directly within a CAD tool. With the help of the TwinCAT 3 XCAD Interface, the application can subsequently be converted into a fully functional safety project in TwinCAT 3 to undergo final configuration.


As an option, the Beckhoff TwinSAFE Logic components can be configured using Codesys Safety.

TwinSAFE Loader

The TwinSAFE Loader tool makes it possible to download a safety project entirely without the TwinCAT engineering environment. It is a command line tool that can be integrated into customer-specific processes. It enables, for example, the loading of TwinSAFE Logic components during series production without the use of a development environment. Furthermore, TwinSAFE Loader enables an existing system to be customized at runtime. When using TwinSAFE Loader in the context of customer-specific processes, the FMEDA method for risk analysis given in the user manual must always be observed.

TwinSAFE User

The TwinSAFE User tool can be used to handle the user administration for a TwinSAFE Logic component. For example, it allows the user administration for accessing a TwinSAFE Logic component to be configured during series production, without using a development environment.

To simplify the design of safety functions, Beckhoff has made the TwinSAFE application guide available for download.

The user-friendly manual contains a compilation of sample applications for TwinSAFE with a collection of widely used safety functions. Each sample shows the interconnection of the hardware components and the corresponding mapping inside the safety application itself, i.e. the implementation with the help of pre-certified function blocks and the parameterization of input and output components. For further support, the respective safety level is verified for each sample, as confirmed by the TÜV SÜD authority, so that the samples can either be adopted 1:1 or adapted very simply to specific application requirements.

Comprehensive support in conceptual design and implementation:

  • continuously expanded collection of relevant application examples
  • best-possible support to enable correct implementation of safety applications
  • simple adaptation to modified applications through detailed documentation of the safety acceptance

All hardware components with integrated TwinSAFE Logic can be programmed based on certified function blocks. The certified safety function blocks of the TwinSAFE Logic components allow simple, fault-free and cost-effective realization of all safety tasks – from simple safety door monitoring to complex muting functions based on digital signals through to safe control of highly complex processes based on analog signals.

The SISTEMA software utility (Safety Integrity Software Tool for the Evaluation of Machine Applications) is used for evaluating the safety of machine controls in the context of DIN EN ISO 13849-1. The tool enables modelling of safety functions before they are realized or evaluation of safety functions after they have been realized. Outputs include reliability values and the achieved performance level (PL).

To support this process, manufacturers of safety-relevant components provide libraries containing product data that are relevant for the calculation. These can be imported into SISTEMA.