Performance Level (PL) and Safety Integrity Level (SIL) are metrics used to assess the safety performance of safety-related systems, primarily in industrial and machinery applications. IEC 61508 is a foundational standard for functional safety, while IEC 61511 focuses on safety instrumented systems (SIS) in the process industry. SIL is primarily associated with IEC 61508 and IEC 61511, while PL is associated with machinery safety standards like ISO 13849-1.
Basically, there are different industries involved in the standardisation of functional safety: classic series machine building and plant building, which is used in fields such as the chemical and process industries. Topics such as risk assessment, hazard analysis and evaluation methods are very important for both approaches.
In machine building, this refers to manageable units on which life safety systems are frequently used. ISO 13849-1 was developed with this context in mind. The standard takes into account the machinery directive and considers safety functions from both a qualitative and quantitative perspective. To classify various technical safety performance capabilities, it defines five Performance Levels (PL a, b, c, d, e), representing the average probability of dangerous failure per hour (PFH). ISO 13849-1 specifies an iterative process for designing and validating the safety-related parts of a control system (SRP/CS).
The chemical industry was the driving force behind basic safety standard IEC 61508. As a result, the focus was on basing safety statements on how likely the reliable response to the function requirements is to occur, should a safe response be required. In terms of architecture, chemical and process-technical facilities tend to be large and complex. The life safety systems here are designed to rarely have to take action. The term SIL (SIL 1, 2, 3, 4) is derived from IEC 61508. IEC 62061 also defines the SIL claim limit, and describes the iterative process for determining and validating the SIL of safety-related electrical, electronic and programmable control systems (SRECS).
At first glance, both standards seem to apply to the same application areas. However, they must be applied appropriately depending on the technology, risk assessment and architecture. Note that IEC 62061 does not contain any requirements for the performance of non-electrical, safety-related control elements (hydraulics, pneumatics and mechanics). Refer to ISO 13849-1 for these. The manufacturers of safety-relevant components provide corresponding safety-related characteristics for determining the SIL and PL.
The two parameters overlap in one place: the MTTFd used when calculating the Performance Level and the PFHd used for the Safety Integrity Level. MTTFd is the mean time to dangerous failure, while PFHd is the average probability of a dangerous failure per hour. Once this value has been determined it can be compared with the safety parameters of each scheme, so the PL levels can be set against the SIL levels and one parameter converted into the other.
The engineer determines the machine's required PL during the risk assessment with the help of the risk graph provided in ISO 13849-1, and verifies that the SRP/CS meet the required PL by performing the necessary calculations. The PL can subsequently be converted into a SIL value using the PL-to-SIL correspondence table given in ISO 13849-1.
With that in mind, note that although IEC 61508 defines four safety integrity levels, general machine building applications require at most SIL 3. SIL 4 is only required in very specific, highly critical applications that pose a high risk of damage or a high potential risk of personal injury. These include the fly-by-wire or steer-by-wire systems in aircraft and vehicles, for example.
Both PL and SIL have their merits in terms of safety and are important building blocks on the way to creating safe machines and facilities, and therefore functional safety. The fact that there are two parameters for assessing the technical safety performance of systems is primarily down to historical reasons. As a result, the standards are comparable and can even be 'converted' to each other. Basically, engineers can use either the ISO 13849-1 or IEC 62061 approach for purely electrical, electronic and programmable electronic (E/E/PE) systems, and therefore have the choice of using PL or SIL.
Choosing ISO 13849-1 as the primary standard is indeed a more strategically advantageous and preferable decision for most equipment manufacturers and system integrators.
Technological Flexibility (Not Just Electrical)
Unlike IEC 62061, which focuses primarily on electrical and electronic systems, ISO 13849-1 allows for the evaluation of:
Mechanics (safety guards, locks).
Pneumatics (pressure relief valves).
Hydraulics (locks, hydraulic control valves).
This makes it a "universal language" for the entire machine, not just its controller.
A clear "engineering" approach (Categories)
ISO 13849-1 uses the concept of Categories (B, 1, 2, 3, 4). These are structural diagrams that are much easier for engineers to visualize and implement in hardware.
If you need PL e, you immediately understand: "I need Category 4 (full redundancy and continuous monitoring)."
Visual connection between Risk and Decision
The required performance level (PL) determination graph in this standard is intuitive. It directly links three parameters:
S (Severity): Injury severity.
F (Frequency): Frequency of exposure to the hazard.
P (Possibility): The ability to avoid the hazard.
By selecting PL e, you clearly demonstrate to the customer that you have provided protection against the most severe consequences.
Ease of integration (PL e = SIL 3)
The standard is fully harmonized with international requirements. By selecting PL e, you automatically meet the SIL 3 requirements. This allows your product to seamlessly enter the European (CE), US, and Asian markets.
Why is this an advantage?
Data libraries: Most component manufacturers (Siemens, Festo, Sick) provide ready-made data files in the ISO 13849-1 (SISTEMA) format.
Validation: Using free software (such as SISTEMA) allows you to quickly prove compliance with safety levels mathematically.
Standard type: As a Type B standard, it gives your equipment the "right to exist" even if there is no specific Type C standard for it yet.
IEC 61511 is the international technical standard for functional safety in the process industry sector. It provides a framework for managing Safety Instrumented Systems (SIS) throughout their entire life cycle, from initial risk analysis to system decommissioning. It is specifically tailored for process industries such as oil and gas, chemicals, pharmaceuticals, and power generation (excluding nuclear), and is the "sector-specific" implementation of the broader IEC 61508 standard. While manufacturers follow IEC 61508 to build devices, plant owners and engineers use IEC 61511 to integrate them safely. It mandates a systematic process to identify hazards, assess risks, and design appropriate protection layers.
Key Concepts:
Safety Instrumented Function (SIF): A specific safety action (e.g., closing a valve when pressure is too high) designed to reduce a specific risk.
Safety Integrity Level (SIL): A measurement of performance for a SIF, ranging from SIL 1 (lowest risk reduction) to SIL 4 (highest).
Hardware Fault Tolerance (HFT): Requirements for system redundancy to ensure safety even if a component fails.
Competence Management: Recent updates (Edition 2, 2016) emphasize that all personnel involved must have documented proof of their competence and training.
IEC 62061 is the international standard for the functional safety of machinery. It provides a framework for designing and integrating safety-related control systems (SCS) for machines and was developed specifically for the mechanical engineering sector. IEC 62061 focuses on high-demand or continuous-mode systems (where the safety function is activated more than once a year), while IEC 61511 often addresses low-demand systems. As of the 2021 update, IEC 62061 is no longer limited to electrical systems; it now also covers hydraulic and pneumatic technologies.
The standard uses a systematic process to ensure equipment safety:
Safety Integrity Levels (SIL): Like IEC 61511, it uses SILs to rank reliability, but for machinery and equipment it is limited to levels from SIL 1 to SIL 3 (SIL 4 is typically reserved for other industries, such as rail or nuclear power).
Risk assessment: Risks are assessed based on a "risk graph" taking into account four parameters: Severity of injury (Se), Frequency and duration of exposure (Fr), Probability of occurrence (Pr), Avoidability of harm (Av).
PFHd calculation: Safety is measured by the probability of dangerous failure per hour (PFHd) rather than the probability of failure on demand (PFD).
ISO 12100 is the fundamental Type-A standard that provides the overarching methodology for machinery safety. It defines the risk assessment process and acts as the "roadmap" for the entire safety design process, specifying the basic terminology and methodology for risk assessment. It helps designers identify hazards and decide whether a safety function is needed.
ISO 12100 mandates a specific order for reducing risks, where Functional Safety is the second priority:
Inherently Safe Design: Change the design to eliminate the hazard (e.g., removing a pinch point).
Safeguarding & Functional Safety: Use guards or safety functions (e.g., E-stops, light curtains) when design changes aren't enough.
Information for Use: Use warnings, signs, and training for any remaining residual risk.
Functional Safety in Power Drive Systems is defined by IEC 61800-5-2 (Part 5-2).
Scope: It sets safety requirements (functional, electrical, thermal, and environmental) for drives that incorporate safety-related functions.
Safety Functions: Typical safety functions defined include:
STO (Safe Torque Off)
SS1-t (Safe Stop 1, time controlled)
SLS (Safely Limited Speed)
SBC (Safe Brake Control)
Safety Levels: Drives certified to IEC 61800-5-2 commonly meet SIL 2 / SIL 3 (Safety Integrity Level) according to IEC 61508 or PL d / PL e (Performance Level) according to ISO 13849-1.
Automotive Safety Integrity Levels (ASIL) are a four-tier risk classification system (A–D) defined by ISO 26262 to ensure functional safety in automotive electronic systems. Ranging from low (A) to high (D) risk, ASIL ratings dictate the development rigor required for components—such as airbags (D) or taillights (A)—based on severity, exposure, and controllability.
ASIL is determined by conducting a Hazard Analysis and Risk Assessment (HARA) that combines three factors:
Severity (S): Potential injury level
Exposure (E): Frequency of the hazard scenario
Controllability (C): Ability of the driver to manage the situation
The Four ASIL Levels:
ASIL A: Lowest integrity, basic safety mechanisms (e.g., rear-view camera).
ASIL B: Moderate integrity (e.g., brake lights, instrument cluster).
ASIL C: High integrity (e.g., adaptive cruise control, battery management).
ASIL D: Highest integrity, requires extreme rigor/redundancy (e.g., airbags, anti-lock brakes, steering).
QM (Quality Management): Components with no safety impact, not requiring special functional safety measures.
IEC/TS 61000-1-2:2008: Establishes a methodology to achieve functional safety for electrical/electronic systems regarding electromagnetic phenomena. It aligns with IEC 61508 for safety-related systems.
Performance Criterion FS: This is a specialized, often more stringent, performance criterion applied to safety-related equipment, requiring it to maintain safety functions during electromagnetic disturbances (such as surges or transients).
IEC 61000-6-7: Defines generic immunity requirements for equipment intended to perform functions in a safety-related system.
IEC 60730 is the primary functional safety (FS) standard for automatic electronic controls in household appliances. It ensures that embedded hardware and software operate safely to prevent hazards like fire, electric shock, or mechanical failure. IEC 60730 is a sector-specific standard tailored for the consumer appliance market. It is often used alongside IEC 60335, which covers the general safety of household appliances.
The standard categorizes equipment based on its safety role:
Class A: Controls not intended to be relied upon for the safety of the equipment (e.g., simple lighting timers).
Class B: Controls designed to prevent unsafe operation (e.g., thermal cut-outs in washing machines or ovens).
Class C: Controls for high-risk applications where failure could cause special hazards (e.g., automatic gas burner controls).
To meet these standards, manufacturers often use "Safety Ready" components and libraries:
Self-Test Libraries: Pre-certified software kits (like those from Microchip or Renesas) that run diagnostic tests on CPU registers, memory, and clocks.
Certified Toolchains: Using TÜV SÜD-certified compilers and development environments simplifies the path to final product certification.
Safety Annex H: Specifically within IEC 60730-1, Annex H defines the acceptable measures and tests for electronic controls to address faults and errors.
IEC 60335-1 is the international safety standard for electrical appliances used for household and similar purposes, covering appliances with voltage ratings not more than 250V (single-phase) or 480V (others). Annex R of this standard deals with software evaluation for appliances using programmable electronic circuits to ensure safety, acting as a crucial component of functional safety.
Purpose: The main objective is to minimize risks of fire, electric shock, and personal injury through proper component selection, design, and testing.
Annex R (Software Evaluation): As household appliances increasingly incorporate smart features and microcontrollers, Annex R is used to evaluate programmable electronic circuits to handle fault conditions safely. It requires that software components crucial to safety are designed, implemented, and tested in accordance with strict, well-defined processes.
Edition 6 Update (2020): The latest version extends Annex R to manage new risks from connectivity and unauthorized access.
Annex U (Cybersecurity): Introduced to work with Annex R, this annex addresses cybersecurity threats (via public networks like Wi-Fi) that could impair the functional safety of the device.
The primary reason to switch from a Safety PLC (Programmable Logic Controller) to a Safety PAC (Programmable Automation Controller) is to unify safety and process control on a single, high-performance platform. While Safety PLCs are specialized for discrete safety tasks, Safety PACs offer a "universal" architecture that handles complex logic, high I/O counts, and advanced communication simultaneously. Safety PACs are designed with modern, standard Ethernet connectivity, making them essential for Industry 4.0, Industry 5.0 and IIoT applications. They easily integrate with IT systems and cloud services, offering better monitoring.
Key Drivers for the Switch
Integrated Architecture: A Safety PAC allows you to run both standard machine control and safety-rated functions on the same hardware using a single programming tool. This eliminates the need for separate controllers and dedicated communication networks between them.
Reduced Total Cost of Ownership: By consolidating systems, you reduce the number of components, spare parts, and panel space required.
Simplified Engineering & Training: Using one software environment for both safety and process control reduces development time and means staff only need to be trained on one system.
Advanced Data & Diagnostics: PACs generally have more memory and faster processors, enabling better integration with enterprise-level systems (SCADA, ERP) and more detailed diagnostic reporting for faster troubleshooting.
Scalability for Complex Systems: Safety PACs excel in environments with high I/O density and diverse communication protocols, making them better suited for large-scale, evolving industrial processes than traditional Safety PLCs.
Functional Safety (FS) in the context of Ethernet is the practice of ensuring that a network can reliably transmit safety-critical data (like emergency stop signals) even when the underlying network hardware or software fails. Because standard Ethernet was originally designed for high-speed data transfer rather than "guaranteed" safety, specialized protocols and architectural principles are used to make it safe for industrial and automotive environments. Using Ethernet for functional safety allows a single cable to carry both "normal" data (like a camera feed) and "safety" data (like an emergency stop). This reduces wiring costs by up to 30–50% and allows for much more complex, software-defined safety zones.
The most important concept in Functional Safety over Ethernet is the Black Channel. Instead of trying to make every switch, cable, and router "safety-rated" (which would be incredibly expensive), engineers treat the Ethernet network as an unreliable "black box." The safety measures are moved into the application layer at the endpoints (the sender and receiver).
How the Black Channel protects data:
Sequence Numbers: Prevents data from being lost, repeated, or arriving in the wrong order.
Time Stamps / Watchdogs: Detects if a message is delayed beyond a safe limit (e.g., if a brake command takes too long).
Unique IDs: Ensures a message intended for "Robot A" isn't accidentally processed by "Robot B."
Safety CRCs (Cyclic Redundancy Checks): More rigorous than standard Ethernet CRCs, these detect if even a single bit was flipped during transmission.
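The following is an added example, not code from the page or from any of the protocols named later; it shows the four Black Channel measures above applied by a consumer endpoint to a constructed safety container (the field layout, IDs, 50 ms watchdog limit and per-connection CRC seed are all assumptions for the example, not any real protocol's format). Each failed check drives the consumer to a latched safe state instead of merely discarding the frame.

```python
import struct
import zlib

# Constructed container layout for this example (not the layout of PROFIsafe, FSoE,
# CIP Safety or openSAFETY): src_id | dst_id | seq | timestamp_ms | payload | safety CRC
CONTAINER = struct.Struct(">HHHI4s")   # big-endian u16, u16, u16, u32, 4-byte payload
CRC_LEN = 4
WATCHDOG_MS = 50                       # assumed maximum tolerated end-to-end delay
CONNECTION_SEED = b"\x5a\xfe"          # constructed per-connection seed mixed into the CRC
SAFE_STATE = b"STOP"                   # command the consumer falls back to on any failure


def safety_crc(body: bytes) -> int:
    """CRC over the whole container, seeded per connection, so a container meant for
    another safety connection fails the check even when its bits are intact."""
    return zlib.crc32(CONNECTION_SEED + body) & 0xFFFFFFFF


def build_container(src: int, dst: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Producer side: wrap a 4-byte command in the safety container."""
    body = CONTAINER.pack(src, dst, seq & 0xFFFF, ts_ms, payload)
    return body + struct.pack(">I", safety_crc(body))


class SafetyConsumer:
    """Consumer-side Black Channel checks; any failure latches the safe state."""

    def __init__(self, my_id: int, peer_id: int):
        self.my_id, self.peer_id = my_id, peer_id
        self.expected_seq = 0
        self.command = SAFE_STATE
        self.failed = None           # failure reason once the consumer has tripped

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Validate one container; return 'ok' or the failure reason."""
        if self.failed:
            return self.failed       # stay in the safe state until an explicit reset
        reason = self._check(frame, now_ms)
        if reason != "ok":
            self.failed, self.command = reason, SAFE_STATE
        return reason

    def _check(self, frame: bytes, now_ms: int) -> str:
        if len(frame) != CONTAINER.size + CRC_LEN:
            return "length"
        body, (crc,) = frame[:CONTAINER.size], struct.unpack(">I", frame[CONTAINER.size:])
        if crc != safety_crc(body):
            return "crc"             # flipped bits, or a container from another connection
        src, dst, seq, ts_ms, payload = CONTAINER.unpack(body)
        if src != self.peer_id or dst != self.my_id:
            return "address"         # misrouted container or wrong sender
        if seq != self.expected_seq:
            return "sequence"        # lost, repeated or reordered container
        if now_ms - ts_ms > WATCHDOG_MS:   # assumes producer and consumer share a clock
            return "timeout"         # delayed beyond the safe limit
        self.expected_seq = (seq + 1) & 0xFFFF
        self.command = payload
        return "ok"

    def reset(self) -> None:
        """Operator reset after the producer has restarted its sequence at 0."""
        self.failed, self.expected_seq = None, 0
```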
While the Black Channel handles data integrity, Ethernet TSN (Time-Sensitive Networking) handles timing.
In a standard Ethernet network, a large file transfer could "clog" the line and delay a safety signal. TSN is a set of IEEE standards that allow Ethernet to:
Prioritize traffic: Ensure safety packets always go to the front of the line.
Guarantee Latency: Ensure a message arrives within a precise microsecond window.
Redundancy: Send the same safety packet over two different paths simultaneously so that if one cable is cut, the message still arrives.
Different industries use specific "Safety over Ethernet" protocols. These protocols "tunnel" through standard Ethernet frames to deliver safety-critical commands.
The most common Safety over Ethernet protocols are:
PROFIsafe - PROFINET / Ethernet (for Automotive & Manufacturing)
FSoE (Fail-Safe over EtherCAT) - EtherCAT (for High-speed Robotics)
CIP Safety - EtherNet/IP (for Factory Automation)
openSAFETY - POWERLINK / Ethernet (for Open-source Industrial)
To claim an Ethernet system is "Functionally Safe," it must meet specific international standards:
IEC 61784-3: Specifically covers the rules for safe communication in industrial networks.
ISO 26262: The automotive version (essential for "Automotive Ethernet" in self-driving cars).