ELECTRON. MODULE 6ES7138-4FB04-0AB0 6ES7 138-4FB04-0AB0 6ES7138-4FBO4-OABO

Siemens 6ES7138-4FB04-0AB0 | SIMATIC ET 200S 4 F-DO PROFIsafe — 24VDC / 2A / SIL 3 / PL e / Dual-Channel / Fail-to-Safe / 30mm 

Certified Safety Output Switching in 30mm

Where a standard ET 200S digital output module switches 24VDC to an actuator on command from the PLC, the F-DO module does something categorically different: it adds internal dual-channel redundancy, continuous self-diagnostics, and PROFIsafe communication — enabling the system to demonstrate to certification bodies that the safety function (removing power from a hazardous actuator) is achieved with a quantified failure probability that satisfies SIL 3 or PL e requirements.

Before distributed safety I/O existed, SIL 3 output switching required hardwired safety relay assemblies — bulky, expensive, inflexible. The 6ES7138-4FB04-0AB0 implements the same safety function in a 30mm-wide module on the ET 200S station, communicating via PROFIsafe over the same PROFIBUS DP cable that already carries standard I/O data. The module's 30mm width (double the standard 15mm) accommodates the second switching transistor per channel and the cross-monitoring circuitry required for dual-channel architecture.

Key Specifications

SIL 3 / PL e — Quantified, Not Claimed

SIL 3 (IEC 61508) defines a probability of dangerous failure on demand (PFD) between 10⁻⁴ and 10⁻³ per year — the probability of the output failing to de-energise when commanded is between 0.01% and 0.1% per year. PL e (ISO 13849) corresponds to a PFHd below 10⁻⁷ dangerous failures per hour.

These ratings require redundancy within the module. Each output channel uses a dual-channel architecture: two independent semiconductor switches in series, with cross-monitoring. If one switch fails to open on command, the other forces the output to a de-energised (safe) state. Periodic test pulses exercise each transistor and verify that it can actually switch — detecting stuck-on faults before they become dangerous.

The SIL 3 / PL e rating is what the module hardware can support. Whether a specific application achieves these levels depends on the complete safety loop — F-CPU, PROFIsafe configuration, safety programme written with certified F-FBs, and the system integrator's SIL verification calculation across all components.

PROFIsafe — Fail-to-Safe on Communication Loss

PROFIsafe (IEC 61784-3-3) adds a safety communication layer above the standard PROFIBUS or PROFINET telegram: a CRC computed over safety data plus a sequence number, plus a watchdog timer in the F-DO module itself.

When the PROFIBUS DP master (F-CPU) loses contact with the ET 200S station — cable fault, bus termination error, station power loss — the F-DO module's internal watchdog timer expires. The module unconditionally de-energises all four outputs and enters the safe state, without any explicit command from the CPU it can no longer reach. Communication loss = safe state. There is no automatic re-activation after communication is restored; deliberate operator re-activation is required after fault clearance.

FAQ

Q1: What happens to F-DO outputs when PROFIBUS DP communication fails?

The F-DO module's internal watchdog expires when no valid PROFIsafe telegram is received within the configured timeout. The module immediately de-energises all four outputs and holds the safe state — without waiting for a CPU command, which it can no longer reach. Outputs remain de-energised until communication is restored and the safety programme explicitly re-activates them through a deliberate restart sequence. There is no automatic re-activation.

Q2: Does the SIL 3 module rating guarantee SIL 3 for any application that uses it?

No. The module provides the hardware architecture to support SIL 3, but the entire safety loop must be assessed: F-CPU hardware fault tolerance, PROFIsafe timing configuration, safety programme written with Siemens certified F-FBs, and a complete PFD/PFHd calculation for the safety loop using failure rates from each component's Safety Manual. The 6ES7138-4FB04-0AB0 Safety Manual (available via Siemens Industry Online Support) is the authoritative reference for architectural constraints, proof test intervals, and safety parameter values.

Q3: How does the F-DO's test pulse mechanism work, and can it cause load switching?

Brief test pulses de-energise each output channel periodically to verify that the output transistors can actually switch open. Pulse duration is in the microsecond range — short enough that standard safety relay coils and electromechanical contactors, which have electromagnetic inertia, do not have time to change state. The F-DO Safety Manual specifies the maximum test pulse duration and minimum required load inductance. For the majority of safety relay and contactor coil loads, test pulses cause no interference.

Q4: What are the differences between an F-DO and a standard ET 200S DO module in wiring, programming, and certification?

Wiring: F-DO outputs connect via the TM-PF30S47-F1 terminal module. Some applications use two channels in series (2oo2 voting) — the TM-PF30S47-F1 provides the appropriate wiring configuration. Programming: F-DO channels are only addressable within the safety programme, running in the F-CPU's dedicated F-runtime using Siemens F-FBs.

Standard OBs and standard programme instructions cannot access F-DO addresses. Certification: standard DO modules have no safety rating. The F-DO's SIL 3 / PL e rating requires implementation per the Safety Manual by qualified functional safety engineers.

Q5: What is the recommended replacement for new safety designs?

For new installations, Siemens recommends the SIMATIC ET 200SP platform with the appropriate F-DQ modules (e.g., F-DQ 4×24VDC/2A PPM). ET 200SP provides equivalent or higher safety capability with smaller module widths and TIA Portal / STEP 7 Safety Advanced compatibility. Existing ET 200S installations using 6ES7138-4FB04-0AB0 can be maintained with spare units from the industrial surplus market — verify safety certificate integrity, firmware version, and proof test history before installing any used or refurbished F-module in a safety application.