What is the difference between SIL and Performance Level?

SIL (Safety Integrity Level) is defined in IEC 61508 and IEC 62061 with four levels (SIL 1–4), using Probability of Dangerous Failure per Hour (PFH) as the metric. Performance Level (PL) is defined in ISO 13849-1 with five levels (PL a–e), also using PFH but with different calculation methods. They measure the same fundamental property — the reliability of a safety function — but use different frameworks. Approximate equivalences: PL d ≈ SIL 2, PL e ≈ SIL 3.

When should I use ISO 13849 versus IEC 62061?

Both are valid for machinery CE marking. ISO 13849 is preferred for simpler safety functions, especially those involving non-electrical technologies (hydraulic, pneumatic). IEC 62061 is better suited for complex electrical/electronic/programmable electronic safety functions. For most control panel applications (e-stops, safety gates, light curtains), ISO 13849 is the more practical choice due to its simplified calculation method.

What is SISTEMA and do I need to use it?

SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) is a free software tool developed by IFA/DGUV (German Social Accident Insurance) for calculating Performance Levels per ISO 13849-1. While not legally mandatory, it is the de facto industry standard tool for PL verification and is widely accepted by notified bodies. It calculates PL based on the category, MTTF_d, DC_avg, and CCF score of each safety function.

Can a safety relay achieve PL e / SIL 3?

Yes. Many safety relays are certified to PL e / SIL 3 when used in the appropriate architecture (typically Category 4 with dual-channel inputs and monitored dual-channel outputs). The key requirement is that the complete safety function — from sensor through logic to actuator — must achieve the required PL, not just the logic device. Even a PL e-rated safety relay cannot deliver PL e if the sensors or actuators are not appropriately rated.

How often must safety systems be proof-tested?

Proof test intervals depend on the safety function's mode of operation and the assumed failure rates. For low-demand systems (IEC 61508), typical proof test intervals range from 1 to 10 years. For high-demand/continuous systems (common in machinery), diagnostic testing is typically automatic (built into the safety controller) and runs every safety cycle. Manual proof testing of the complete safety function (e.g., physically pressing an e-stop) should be performed at intervals defined in the maintenance plan — often annually or per the safety system manufacturer's recommendations.

Functional Safety: Understanding SIL and Performance Levels

By Control-Panels.org Editorial Team·Published: 2024-09-05·Updated: 2025-04-12

functional safetySILPerformance LevelISO 13849IEC 61508safety systems

Functional safety is a critical discipline for control panel builders working on machinery and process applications. This article explains the relationship between IEC 61508 (Safety Integrity Levels), ISO 13849 (Performance Levels), and IEC 62061, providing practical guidance on risk assessment, safety function specification, and hardware/software architecture for safety-related control systems.

What Is Functional Safety?

Functional safety is the part of overall safety that depends on a system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures, and environmental changes. In the context of industrial control panels, functional safety addresses the question: If something goes wrong, will the safety system reliably bring the process or machine to a safe state?

The core concept is that safety-related functions must achieve a quantified level of reliability. This is expressed through Safety Integrity Levels (SIL) in IEC 61508/IEC 62061 or Performance Levels (PL) in ISO 13849.

The Standards Landscape

IEC 61508: The Foundation

IEC 61508 ("Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems") is the umbrella standard for functional safety across all industries. It defines:

A lifecycle approach to safety system development
Four Safety Integrity Levels (SIL 1 through SIL 4)
Requirements for hardware reliability, software development, and systematic capability
Methods for calculating Probability of Dangerous Failure per Hour (PFH) and Probability of Failure on Demand (PFD)

IEC 61508 is sector-independent. Sector-specific standards derive from it:

Standard	Sector
IEC 61511	Process industries (chemical, oil & gas, pharmaceutical)
IEC 62061	Machinery (safety of machinery — functional safety of SRP/CS)
IEC 61800-5-2	Adjustable speed electrical power drive systems
IEC 61513	Nuclear power plants

ISO 13849: The Machinery Safety Workhorse

ISO 13849-1 ("Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design") uses Performance Levels (PL a through PL e) instead of SIL ratings. It evolved from the former EN 954-1 category system and is the most widely used standard for machinery safety in Europe and internationally.

ISO 13849 is often preferred for machinery applications because:

It accommodates non-electronic technologies (hydraulic, pneumatic, mechanical)
It provides a simplified calculation method (using designated architectures and MTTF_d, DC_avg, CCF scoring)
It aligns with the EU Machinery Directive (2006/42/EC) and the new Machinery Regulation (EU 2023/1230)

IEC 62061 vs. ISO 13849: Which to Use?

Both IEC 62061 and ISO 13849-1 are harmonized under the EU Machinery Directive and are equally valid for CE marking. The practical differences:

Aspect	ISO 13849-1	IEC 62061
Metric	Performance Level (PL a–e)	Safety Integrity Level (SIL 1–3 for machinery)
Technology scope	All technologies (electrical, hydraulic, pneumatic, mechanical)	Electrical/electronic/programmable electronic systems only
Calculation method	Designated architectures (Categories B, 1, 2, 3, 4) with MTTF_d, DC, CCF	Subsystem architecture with PFH_d calculation per IEC 61508 methods
Software requirements	Simplified (SRESW and SRASW classification)	Full IEC 61508 Part 3 software lifecycle
Complexity handling	Best for simpler safety functions	Better for complex, multi-subsystem safety functions

For most control panel applications involving machinery — e-stops, safety gates, light curtains, safe speed monitoring — ISO 13849-1 is the more practical choice.

Safety Integrity Levels (SIL) Explained

SIL ratings quantify the reliability of a safety function. There are four levels:

SIL Level	PFH (Probability of Dangerous Failure per Hour) — Continuous/High Demand	PFD (Probability of Failure on Demand) — Low Demand
SIL 1	≥ 10⁻⁶ to < 10⁻⁵	≥ 10⁻² to < 10⁻¹
SIL 2	≥ 10⁻⁷ to < 10⁻⁶	≥ 10⁻³ to < 10⁻²
SIL 3	≥ 10⁻⁸ to < 10⁻⁷	≥ 10⁻⁴ to < 10⁻³
SIL 4	≥ 10⁻⁹ to < 10⁻⁸	≥ 10⁻⁵ to < 10⁻⁴

SIL 4 is rarely required outside the nuclear and railway sectors. Most industrial machinery applications require SIL 1, SIL 2, or SIL 3.

Important distinction: The mode of operation determines which metric applies:

Low demand mode: The safety function is demanded less than once per year (e.g., emergency shutdown of a chemical reactor). Use PFD.
High demand / continuous mode: The safety function is demanded more than once per year or operates continuously (e.g., a safety-rated speed monitor on a servo axis). Use PFH.

Performance Levels (PL) Explained

ISO 13849-1 defines five Performance Levels:

PL	Average PFH_d (per hour)	Approximate SIL Equivalent
PL a	≥ 10⁻⁵ to < 10⁻⁴	Below SIL 1
PL b	≥ 3 × 10⁻⁶ to < 10⁻⁵	SIL 1 (lower range)
PL c	≥ 10⁻⁶ to < 3 × 10⁻⁶	SIL 1 (upper range)
PL d	≥ 10⁻⁷ to < 10⁻⁶	SIL 2
PL e	≥ 10⁻⁸ to < 10⁻⁷	SIL 3

The required PL for a given safety function is determined through risk assessment using the risk graph in ISO 13849-1, which considers:

S — Severity of injury (S1: slight/reversible, S2: serious/irreversible including death)
F — Frequency/duration of exposure (F1: seldom/short, F2: frequent/long)
P — Possibility of avoiding the hazard (P1: possible under certain conditions, P2: scarcely possible)

Designated Architectures (Categories)

ISO 13849-1 defines five designated architectures that determine the structural behavior of the safety function:

Category B

Basic safety principles applied. No fault tolerance. Single-channel architecture. A single fault can lead to loss of the safety function. Maximum achievable PL: PL b.

Category 1

Category B plus the use of well-tried components and well-tried safety principles. Still single-channel with no fault detection. Maximum achievable PL: PL c.

Category 2

Single-channel with periodic testing by the logic system. The test frequency must be at least 100 times the demand rate. Maximum achievable PL: PL d (with high MTTF_d and DC_avg).

Category 3

Dual-channel (redundant) architecture. A single fault in either channel does not lead to loss of the safety function. Not all faults are necessarily detected, but accumulation of faults must be considered. Maximum achievable PL: PL e (with high MTTF_d and DC_avg).

Category 4

Dual-channel with fault detection. A single fault does not lead to loss of the safety function. Fault detection ensures that accumulation of undetected faults does not lead to loss of safety. Maximum achievable PL: PL e.

Practical Safety System Design for Panel Builders

Safety Controller Selection

Modern safety controllers fall into several categories:

Safety relays: Simple, hardwired devices for single safety functions (e.g., Pilz PNOZ, Allen-Bradley Guardmaster). Ideal for standalone e-stops, safety gates, and light curtains.
Configurable safety controllers: Mid-range devices that handle multiple safety functions with configurable logic (e.g., Pilz PNOZmulti 2, Siemens 3SK2). No programming required — logic is configured via software tool.
Safety PLCs: Fully programmable safety controllers for complex safety applications (e.g., Siemens F-CPU in S7-1500, Allen-Bradley GuardLogix, Pilz PSS 4000). Required for applications with complex safety logic, multiple safety zones, or integration with safe motion functions.

Wiring Considerations

Dual-channel wiring: Category 3 and 4 architectures require two independent signal paths. Route channels through separate cable bundles or conduits to prevent common-cause failures.
Pulse testing: Many safety inputs use pulse testing (short voltage pulses) to detect short circuits between channels. Ensure cable separation meets the safety controller manufacturer's requirements.
Safe output wiring: Safety outputs are typically dual-channel, series-connected contactors. Each contactor must be monitored by the safety controller (via auxiliary contacts) before the next safety cycle is permitted.

Common-Cause Failure (CCF) Mitigation

Common-cause failures — events that cause both channels of a redundant system to fail simultaneously — are a critical concern. ISO 13849-1 Annex F provides a scoring system for CCF mitigation. Key measures include:

Physical separation of redundant channels (cable routing, component placement)
Diversity of components (using different manufacturers or technologies for each channel)
Environmental protection (appropriate enclosure rating, temperature management)
Testing and maintenance procedures

A minimum CCF score of 65 out of 100 is required for Categories 2, 3, and 4.

Verification and Validation

After designing and building a safety system, verification and validation are mandatory:

Verification: Confirm that the calculated PL (or SIL) of the implemented system meets or exceeds the required PL (or SIL) from the risk assessment. Use tools like SISTEMA (from IFA/DGUV) for ISO 13849 calculations.
Validation: Physically test every safety function under realistic conditions. This includes fault insertion testing — deliberately introducing faults (disconnecting a sensor, shorting a wire) to verify the system responds correctly.

Documentation must include the risk assessment, safety function specification, PL/SIL calculation, validation test plan, and test results. This documentation is required for CE marking and may be audited by notified bodies.

Software Requirements

Safety-related software must meet specific requirements depending on the SIL/PL:

Safety-Related Application Software (SRASW): The user-written logic in safety PLCs. For PL d/e (SIL 2/3), this requires structured programming, limited language complexity (typically Function Block Diagrams or Ladder Diagram), independent review, and tested libraries.
Safety-Related Embedded Software (SRESW): The firmware within safety controllers. This is the manufacturer's responsibility and is certified as part of the device's SIL/PL rating.

Panel builders are responsible for SRASW quality. Even when using configurable safety controllers (where "programming" is configuration), the configuration must be verified against the safety function specification.

Conclusion

Functional safety is not optional — it is a legal requirement for machinery sold in the EU (Machinery Directive) and a professional obligation everywhere. Understanding the relationship between IEC 61508, ISO 13849, and IEC 62061 enables panel builders to design safety systems that are not only compliant but genuinely protective. The key is a disciplined process: assess risks, specify safety functions with required PL/SIL, select appropriate architectures and components, verify calculations, and validate through testing.

Need a Custom Control Panel Solution?

Our engineering team designs and builds industrial control panels to your exact specifications. Get a free quote today.

Get a Quote or email us at sales@patrion.net

Frequently Asked Questions

References & Citations

IEC 61508:2010 — Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

International Electrotechnical Commission (IEC)

ISO 13849-1:2023 — Safety of Machinery — Safety-Related Parts of Control Systems — Part 1: General Principles for Design

International Organization for Standardization (ISO)

SISTEMA: Safety Integrity Software Tool for the Evaluation of Machine Applications

IFA — Institute for Occupational Safety and Health of the German Social Accident Insurance (DGUV)