Performance Level (PL) vs. Safety Integrity Level (SIL)

PL (Performance Level) faces off against SIL (Safety Integrity Level)
This is a classic battle between ISO and IEC standards (ISO 13849 vs IEC 62061).

iso vs iec standards

I always like to simplify, so let’s start by naming a clear winner in this match. Wait – there isn’t one! PL and SIL are basically the same thing. (But don’t tell that to the folks on the standards committees … they won’t like me for saying that.)

As mentioned above, Performance Level is a probability rating that originates from ISO 13849. Safety Integrity Level is a probability rating that originates from IEC 62061.

The main difference between these two standards is this: ISO 13849 addresses mechanical devices used in safety applications (such as mechanical gate switches, safety limit switches, or valves); IEC 62061 does not.

But most machines have mechanical devices on them, right? IEC 62061 is meant for electronic and programmable safety systems; it addresses programming techniques and best practices (ISO 13849 does not). To better understand PL and SIL, let’s review what defines a safety circuit.

Understanding Safety Circuits

Remember, a safety circuit is the WHOLE circuit, which includes the input, logic, and output safety devices. The PL or SIL rating is a rating for all of those working together. The PL or SIL of these safety-related parts of a control system must at least equal the required PL or SIL. The required PL (PLr) is determined in a Risk Assessment.

PL ratings are designated as a through e (PLe being the highest rating). SIL ratings are designated as 1, 2, or 3 (SIL3 being the highest rating).

A safety circuit (safety function) has three required characteristics:

  1. Design structure (single channel or dual channel)
  2. Monitoring
  3. Time before the first dangerous safety circuit failure

Both standards agree on these three items – they just call them by different names, as illustrated below.

ISO 13849 nomenclature:

    1. Category (1-4) = design structure
    2. Diagnostic coverage (DC%) = monitoring
    3. MTTFd (Mean Time to Dangerous Failure) = time before first dangerous failure

IEC 62061 nomenclature:

    1. Hardware fault tolerance = design structure
    2. Safe failure fraction = monitoring
    3. PFHd (Probability of Failure on Demand per Hour) = time before first dangerous failure. PFHd is calculated from MTTFd [above].

Here’s a simple example: The more dangerous the hazard, the better the safety circuit must be.
You need a very robust safety circuit to protect you from a hazard if it’s so dangerous that it could kill you, it’s fast-moving and likely not avoidable, and you are exposed to it at all times.

On the other hand, you wouldn’t need nearly as robust a safety circuit if a machine’s hazard gives you (at best) a decent bruise if it strikes you, it’s slow-moving and easy to avoid, and you’re not exposed to it very often.

Calculating Probability of Dangerous Failure per Hour

Let’s compare these two charts, which reference the probability of dangerous failure per hour in ISO 13849 and IEC 62061:

ISO 13849
Performance Levels (PL)

PL Average probability of dangerous failure per hour
1/h
a ≥ 10-5 to < 10-4
b ≥ 3 × 10-6 to < 10-5
c ≥ 10-6 to < 3 × 10-6
d ≥ 10-7 to < 10-6
e ≥ 10-8 to < 10-7
NOTE: Besides the average profitability of dangerous failure per hour, other measures are also necessary to achieve the PL.

IEC 62061
Safety integrity levels: target failure values for SRCFs

Safety integrity level Probability of a dangerous Failure per hour (PFHD)
3 ≥ 10-8 to < 10-7
2 ≥ 10-7 to < 10-6
1 ≥ 10-6 to < 10-5

As you can see, both standards want you to calculate the Probability of Dangerous Failure per Hour (PFHd) of your entire safety circuit. Statistics are involved … but don’t let that scare you. A free software called SISTEMA can do the math for you. Most safety hardware manufacturers also provide libraries you can import into SISTEMA.

These calculations help determine how many times you can exercise a safety circuit before it fails in a dangerous state. The keyword here is “dangerous,” which means “an undetectable fault.” For example, A machine that doesn’t stop when you put your hand past a light curtain or press the emergency stop button. Remember: PFHd makes up only one-third of a safety circuit’s total characteristics; design structure (Category) and monitoring (DC) are also important.

  • If your safety circuit’s chance of failure to a dangerous state (PFHd) is between one in one million and one in 10 million, that’s 1×10-6 to 1×10-7, which equates to PLd or SIL2 (see table above).

If your safety circuit’s chance of failure to a dangerous state is less than one in 10 million, then that equates to PLe or SIL3 (see table above).

I prefer to use ISO 13849, and if I need to convert that to a SIL, a few charts in IEC 62061 make it easy to do so.

What’s the difference between PL and SIL machine safety standards?
, , ,

 By link to original article

Machine safety is governed by two standards: EN/ISO 13849-1 and EN/IEC 62061. Both standards are harmonized to the EU Machinery Directive 2006/42/EC, which defines the Essential Health and Safety Requirements (EHSR) for machinery. Although their methods for performing risk assessment are different, both standards — EN ISO 13849-1 and EN 62061 (SIL) — when correctly applied, achieve the same result.

The EU Machinery Directive requires that machine manufacturers eliminate or minimize hazards as much as reasonably possible, apply necessary protective measures against hazards that cannot be eliminated, and inform users of the risks that remain and requirements for training or personal protective equipment. Although this directive is specific to the European Union (EU), it is recognized and followed in other regions around the world to better facilitate equipment shipments outside the EU.

The EN/ISO 13849-1 machine safety standard uses a qualitative risk graph, or flow chart, to assign a performance level (PL), based on three criteria:

  • severity of injury
  • frequency and/or exposure time to the hazard
  • possibility of avoiding the hazard or limiting the harm

The performance level (PL) is designated by an alphabetic character, a through e, with PLe being the highest risk level.

machine safety standards
EN/ISO 13849-1 assigns a performance level (PL) rating from a to e, with PLe being the highest risk.
Image credit: TUV

Once the performance level has been determined, the architecture that facilitates the defined performance level is classified into one of six categories (“B” and 1 through 5, with B being the least safe and 5 being the most safe). The architecture category is determined by combining the performance level (PL) with quantitative measures of diagnostic coverage (DC) and mean time to dangerous failure (MTTFd).

functional safety
This chart shows the relationship between Category, Diagnostic Coverage, and Mean Time to Dangerous Failure for PL levels under EN/ISO 13849-1. Note also the correlation with probability of dangerous failure per hour (PFHd) rates.
Image credit: ABB

The EN/IEC 62061 machine safety standard (often written as just EN 62061) assigns a safety integrity level (SIL) to each function based on the severity of the potential harm (Se) and the probability of the harm occurring.

The severity of potential harm is given a score from 1 to 4, with 4 being the most severe. The probability of harm occurring is broken down into three parameters:

  • frequency and duration of exposure (Fr)
  • probability of an event occurring (Pr)
  • probability of avoiding or limiting the harm (Av)
machine safety standards
EN 62061 assigns a safety integrity level (SIL) from 1 to 3 based on the severity of potential harm and the probability of the harm occurring.
Image credit: TÜV

Each of these parameters is scored from 1 to 5, with 5 being the “worst,” or least safe situation, and their scores are summed to determine a class (Cl). The SIL rating is then chosen from a matrix that plots the severity scores (Se) and classes (Cl).

machine safety standards
SIL ratings are determined by a matrix that ranks the severity of injury and the injury classification.

Once the safety integrity level (SIL) has been assigned, the system is broken into subsystems, whose architectures are classified as A, B, C, or D, with D being the “highest,” or safest. Each architecture is associated with a formula to determine the probability of dangerous failure per hour (PFHd) of the subsystem.

machine safety standards

Note that performance level (PL) ratings under EN/ISO 13849-1 are also correlated with probability of dangerous failures per hour (PFHd) values, so direct comparisons can be made between EN/ISO 13849-1 performance levels and EN 62061 safety integrity levels.

There is no strict guideline regarding the use of machine safety standards for particular applications, but the choice may be influenced by:

  • Prior experience with one standard or risk assessment methodology
  • The use of safety-related controls that are not based on electrical, electronic, or programmable electronic systems (use EN/ISO 13849-1)
  • A requirement to use SIL ratings to demonstrate safety integrity (use IEC 62061)
  • Use of equipment in process industries where other safety-related systems are characterized in terms of SIL (use IEC 62061)