
Performance Level (PL) in ISO 13849 Explained

Performance Level (PL) explained — what PLa-PLe mean in ISO 13849, how PLr is determined with the risk graph, MTTFd, DC, and Category, and PL vs SIL.

IAE
Senior PLC Programmer
15+ years hands-on experience • 50+ automation projects completed

Performance Level (PL) is a discrete measure — expressed as PLa through PLe — of a safety function's ability to reduce the risk of a hazardous event. Defined in ISO 13849-1, PL characterises how reliably a safety function performs under foreseeable conditions. The higher the letter, the lower the probability of a dangerous failure per hour, and the greater the risk reduction the safety function delivers.

PL sits at the core of machine safety in the EU and is the primary metric engineers use to prove that a safety function — a guard interlock, an emergency stop, a two-hand control — is reliable enough for the hazard it controls.

What Performance Level (PL) Is — ISO 13849-1, PLa Through PLe

ISO 13849-1 defines five Performance Levels: PLa, PLb, PLc, PLd, and PLe. Each level corresponds to a range of Average Probability of Dangerous Failure per Hour (PFHd), expressed in units of h⁻¹.

| Performance Level | PFHd Range (dangerous failures/hour) | Typical Risk Reduction |
|---|---|---|
| PLa | ≥ 10⁻⁵ to < 10⁻⁴ | Lowest |
| PLb | ≥ 3×10⁻⁶ to < 10⁻⁵ | Low |
| PLc | ≥ 10⁻⁶ to < 3×10⁻⁶ | Medium |
| PLd | ≥ 10⁻⁷ to < 10⁻⁶ | High |
| PLe | ≥ 10⁻⁸ to < 10⁻⁷ | Highest |

[Figure: ISO 13849-1 Performance Levels, PLa through PLe, with PFHd ranges, typical Category requirements, and example safety functions for each level]
ISO 13849-1 Performance Levels: PLe (highest reliability, Category 4) through PLa (lowest, Category B), each defined by a PFHd range and requiring specific Category, MTTFd, and DC combinations.

PLe is the most stringent — it requires the fewest dangerous failures per hour and demands the most robust architecture. PLa is the least stringent, appropriate for lower-severity hazards where a relatively simple safety function is sufficient.

The PFHd figure is not a component spec — it is a property of the complete safety function, from the initiating device (a guard switch or light curtain) through the logic (a safety relay or safety PLC) to the final element (a contactor or drive). All three subsystems contribute to the overall PFHd.

Why "Performance Level" Rather Than Just a Failure Rate?

Quoting a raw failure rate would require engineers to match precise numbers across every component in a chain. ISO 13849-1 uses the PL letter system as a practical shorthand that captures not just the failure rate but also the architecture, self-test capability, and resistance to common-cause failures that together determine how trustworthy a safety function is in service.


Required Performance Level (PLr) — Using the Risk Graph

Before designing any safety function, you need to know what PL it must achieve. ISO 13849-1 provides a risk graph method to determine the Required Performance Level (PLr) — the minimum PL that the safety function must meet to provide adequate risk reduction.

The risk graph uses three parameters:

S — Severity of Injury

  • S1: Reversible injury (e.g., a crush that heals, a laceration)
  • S2: Irreversible injury or death (e.g., amputation, fatal crush)

F — Frequency and/or Exposure Time to the Hazard

  • F1: Seldom to less often and/or exposure time is short
  • F2: Frequent to continuous and/or exposure time is long

P — Possibility of Avoiding the Hazard or Limiting Harm

  • P1: Possible under specific conditions (slow machinery, operator can react)
  • P2: Scarcely possible (fast-moving hazard, no reaction time)

How the Risk Graph Works

You start at S (choose S1 or S2), then branch at F (F1 or F2), then branch again at P (P1 or P2). The endpoint gives you the PLr:

  • S1 / F1 / P1 → PLr = a
  • S1 / F1 / P2 → PLr = b
  • S1 / F2 / P1 → PLr = b
  • S1 / F2 / P2 → PLr = c
  • S2 / F1 / P1 → PLr = c
  • S2 / F1 / P2 → PLr = d
  • S2 / F2 / P1 → PLr = d
  • S2 / F2 / P2 → PLr = e

A robotic cell where an operator must reach into the working envelope daily (F2), where a failure could cause a fatal crush (S2), and where the robot's speed means avoidance is nearly impossible (P2) requires PLr = e. A low-speed conveyor with a light-curtain zone that an operator passes through weekly (F1), where contact causes a reversible injury (S1), and where the slow belt speed gives time to react (P1) might require only PLr = a.

[Figure: ISO 13849-1 risk graph for determining PLr from the S, F, and P branches, showing all eight endpoint combinations]
ISO 13849-1 risk graph: combine Severity (S), Frequency (F), and Avoidance (P) to determine PLr before any safety function design begins. S2+F2+P2 always requires PLr = e.

Practical note: The risk graph is a guide, not a calculation. Where the consequences are borderline between S1 and S2, engineers should be conservative and select the higher severity. Always document your reasoning — assessors will ask.


How PL Is Achieved — Category, MTTFd, DC, and CCF

Once you know the PLr, you design the safety function to achieve it. ISO 13849-1 defines PL as the result of three interacting engineering parameters applied within a structural framework called a Category.

Categories B / 1 / 2 / 3 / 4 — The Architecture

Category describes the structural design of the safety function — how many channels it has, whether it self-tests, and what happens when a single fault occurs.

| Category | Channels | Fault Detection | Fault Tolerance | Typical Use |
|---|---|---|---|---|
| B | 1 | None | None | Lowest-risk applications |
| 1 | 1 | None | None | Better components, same structure |
| 2 | 1 + test channel | Periodic test | Fault detected at next demand | Lower-risk functions with infrequent access |
| 3 | 2 (redundant) | Cross-monitoring | Single fault does not cause loss of function | Most common for PLd |
| 4 | 2 (redundant, high DC) | Continuous cross-monitoring | Single fault detected before next demand | PLe functions |

Category 3 and 4 both use dual-channel redundancy — the safety function has two independent paths so that a single component failure in one channel does not prevent the function from working. The difference lies in how well those failures are detected before they can accumulate.

MTTFd — Mean Time to Dangerous Failure

MTTFd (Mean Time to Dangerous Failure) quantifies the reliability of individual components. It is derived from component failure-rate data published by manufacturers in their product documentation — usually sourced from reliability handbooks (IEC 62061 B10d data for electromechanical components).

ISO 13849-1 groups MTTFd into three bands per channel:

  • Low: 3 years ≤ MTTFd < 10 years
  • Medium: 10 years ≤ MTTFd < 30 years
  • High: 30 years ≤ MTTFd ≤ 100 years

A single E-stop pushbutton with a published B10d of 100,000 operations, used twice per day (730 operations per year), gives an MTTFd of approximately 137 years — High. Pairing two such channels in a Category 3 architecture immediately achieves a high starting point for PL calculation.

DC — Diagnostic Coverage

Diagnostic Coverage (DC) measures how effectively the safety function's self-monitoring detects dangerous failures before they cause harm. It is expressed as a percentage: what fraction of dangerous failure modes are covered by the diagnostics?

ISO 13849-1 defines four DC bands:

  • None: DC < 60 %
  • Low: 60 % ≤ DC < 90 %
  • Medium: 90 % ≤ DC < 99 %
  • High: DC ≥ 99 %

In a Category 2 architecture, the test channel periodically exercises the safety path and compares the result. In Category 3 and 4, cross-monitoring between the two channels provides ongoing DC. A Category 4 design must achieve DC ≥ 99 % (High) across both channels.

CCF — Common Cause Failure

Common Cause Failure (CCF) is a single event — a power surge, vibration, contamination, or maintenance error — that defeats both channels of a redundant system simultaneously. ISO 13849-1 requires that Category 3 and 4 designs score at least 65 points on a CCF checklist that covers:

  • Separation / segregation of channels
  • Diversity of technology or design
  • Protection against environmental stress (EMC, overvoltage, temperature)
  • Competent installation and maintenance

Failing the CCF score degrades the achievable PL regardless of MTTFd and DC figures.

How the Three Parameters Combine

ISO 13849-1 provides a PL determination table (Table K.1 in the standard) that maps Category + MTTFd + DC to the achievable PL. In simple terms:

  • Category B, Low MTTFd, None DC → PLa
  • Category 1, High MTTFd, None DC → PLb / PLc
  • Category 2, Medium MTTFd, Low DC → PLc
  • Category 3, High MTTFd, Medium DC → PLd
  • Category 4, High MTTFd, High DC → PLe

An architecture that uses Category 3 but achieves only Low MTTFd per channel will not reach PLd — the system caps out at a lower level. This is why engineers iterate: choose an architecture, calculate MTTFd from component data, estimate DC from the monitoring method, check against the table, and revise if the result falls short of PLr.


Determining MTTFd and Diagnostic Coverage in Practice

MTTFd from Component Data

For electromechanical components (relays, switches, actuators), manufacturers publish a B10d figure — the number of operations at which 10 % of components have failed dangerously. The conversion to MTTFd requires an estimate of the annual operating cycles (nop):

MTTFd = B10d / (0.1 × nop)

For electronic components, manufacturers publish failure rates (λd) directly, and MTTFd = 1 / λd.

Always use the manufacturer's certified safety data. Do not estimate B10d from general component catalogues — the value is specific to the failure mode and test conditions the manufacturer used.

DC from the Monitoring Method

ISO 13849-1 Annex E lists typical DC values for common monitoring techniques:

| Monitoring Method | Typical DC |
|---|---|
| No monitoring | 0 % |
| Cross-monitoring without test signal | 60–90 % |
| Cross-monitoring with test signal | 90–99 % |
| Direct monitoring with output testing | 99 % |

A safety relay with internal redundant relay paths and EDM (External Device Monitoring) feedback from the controlled contactor typically achieves DC = 99 % on its output channel. A safety PLC running a self-test diagnostic every scan cycle with cross-channel comparison achieves similar figures.


PL vs SIL — What Is the Difference?

PL (ISO 13849) and SIL (IEC 62061 / IEC 61508) are parallel metrics that address the same underlying question — how reliable must a safety function be? — but they come from different standards with different scopes.

| | Performance Level (PL) | Safety Integrity Level (SIL) |
|---|---|---|
| Standard | ISO 13849-1 | IEC 62061 / IEC 61508 |
| Primary sector | Machinery (mechanical + electrical) | Process industry / machinery (electrical) |
| Scale | PLa – PLe (5 levels) | SIL 1 – SIL 4 (4 levels, SIL 4 rare) |
| Risk determination | Risk graph (S, F, P) | LOPA or risk graph |
| Quantification | PFHd (dangerous failures/hour) | PFD or PFH |
| Architecture | Category B/1/2/3/4 | Architecture A/B, HFT |

[Figure: PL vs SIL approximate equivalence (ISO 13849 / IEC 62061), with PFHd ranges as the common reference]
PL and SIL use PFHd as a common reference: PLc ≈ SIL 1, PLd ≈ SIL 2, PLe ≈ SIL 3. The scales are broadly comparable but the standards have different scopes, documentation, and lifecycle requirements.

The two scales are broadly comparable: PLc ≈ SIL 1, PLd ≈ SIL 2, PLe ≈ SIL 3. However, "approximately equivalent" does not mean interchangeable — the standards have different requirements for systematic failure, documentation, and the lifecycle process. A machinery directive project typically uses ISO 13849; a COMAH / ATEX / process safety project typically uses IEC 61511.

For a detailed comparison, see our guide on SIL vs PL and our overview of functional safety basics.


Verifying PL — SISTEMA

Manual PL calculation from the ISO 13849-1 tables is straightforward for simple single-subsystem functions, but real safety functions often chain multiple subsystems (sensor + logic + actuator), each with its own Category, MTTFd, and DC. The combined PFHd of the complete function must still meet the PLr.

SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) is a free tool published by the German Institute for Occupational Safety and Health (IFA) that automates ISO 13849-1 PL calculations. It:

  • Stores component libraries with certified MTTFd / B10d / DC values supplied by manufacturers
  • Calculates PFHd for each subsystem and the complete safety function
  • Checks CCF scores
  • Generates a structured documentation report suitable for a technical file

Most safety component manufacturers (Pilz, Schmersal, SICK, Rockwell, Phoenix Contact) publish certified SISTEMA libraries for their products. Download the component data, build your safety function architecture in SISTEMA, and the tool outputs the achieved PL directly.

Validation is still required. SISTEMA verifies the quantitative PL — it does not replace functional testing of the safety circuit on the actual machine.


Practical Example — Designing a Safety Function to Meet PLr = d

Scenario: A horizontal machining centre has a side-access door. The hazard is contact with a rotating spindle. Risk assessment gives: S2 (amputation possible), F2 (operator opens door every 15 minutes), P2 (spindle coasts for 8 seconds after power cut — operator cannot reliably avoid contact). The risk graph result is PLr = d.

Step 1 — Select a Safety Function Architecture

The safety function runs sensor → logic → actuator:

  • Sensor (input subsystem): Coded magnetic interlock switch, dual-channel output, B10d = 2,000,000 operations. At 40 openings per hour × 8,760 h/year = 350,400 nop/year → MTTFd per channel = 2,000,000 / (0.1 × 350,400) ≈ 57 years (High).
  • Logic (logic subsystem): Safety relay with dual-channel monitoring and EDM feedback. Manufacturer-certified PFHd = 5×10⁻⁸ h⁻¹. DC = 99 % (High). Category 4-capable.
  • Actuator (output subsystem): Two contactors in series, each with a mechanically-linked auxiliary contact fed back into the safety relay EDM circuit. B10d per contactor = 1,000,000. At 350,400 nop/year → MTTFd ≈ 29 years (Medium/High boundary — use Medium conservatively). DC from EDM monitoring = 99 %.

Step 2 — Choose Category

Dual-channel sensor, dual-channel logic, dual cross-monitored contactors with EDM, plus physical separation between cable runs = Category 3 with CCF score > 65 points. (Category 4 would require DC High on all subsystems — the actuator's MTTFd pushes the contactor pair toward Medium, so Category 3 is the realistic choice unless higher-rated contactors are specified.)

[Figure: Safety function chain for PLr = d (machining centre door): input subsystem, logic subsystem, output subsystem]
PLd safety function chain: dual-channel magnetic interlock (input) → safety relay with EDM (logic) → dual EDM-monitored contactors (output). Category 3 architecture with High MTTFd and 99% DC achieves PLd — matching PLr = d for the machining centre door hazard.

Step 3 — Calculate PFHd

Using SISTEMA with the manufacturer data above, a Category 3 architecture with High MTTFd on the input, High DC on logic, and Medium-High DC on the actuator subsystem yields a combined PFHd in the range 1–3×10⁻⁷ h⁻¹ — squarely within the PLd band.

Step 4 — Verify PLd ≥ PLr = d

The achieved PL (PLd) equals the required PL (PLr = d). The safety function is adequate. Document the SISTEMA project file, the component data sources, and the CCF checklist in the machine's technical file.
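The arithmetic behind Steps 1 to 4, as an added example (not part of the original article and not SISTEMA's own method): it recomputes the per-channel MTTFd from the B10d figures above, bands the results, and maps a combined PFHd to a PL using the tables on this page. The function and variable names are hypothetical, the sensor and actuator PFHd values are constructed for illustration, and summing subsystem PFHd values in series is an assumption of this example.

```python
# Added example: PL arithmetic for the machining-centre door safety function.
PL_ORDER = "abcde"  # PLa (lowest) .. PLe (highest)

# PFHd bands from the page's table: (inclusive lower, exclusive upper, PL letter)
PFHD_BANDS = [
    (1e-8, 1e-7, "e"),
    (1e-7, 1e-6, "d"),
    (1e-6, 3e-6, "c"),
    (3e-6, 1e-5, "b"),
    (1e-5, 1e-4, "a"),
]


def mttfd_years(b10d, nop_per_year):
    """MTTFd = B10d / (0.1 x nop), per channel, in years."""
    if b10d <= 0 or nop_per_year <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d / (0.1 * nop_per_year)


def mttfd_band(years):
    """Band a per-channel MTTFd using the page's Low/Medium/High limits."""
    if years < 3:
        return "below Low"   # under 3 years: outside the listed bands
    if years < 10:
        return "Low"
    if years < 30:
        return "Medium"
    return "High"            # the listed High band runs from 30 to 100 years


def pl_from_pfhd(pfhd):
    """Map the PFHd (per hour) of the complete safety function to a PL letter."""
    for lower, upper, pl in PFHD_BANDS:
        if lower <= pfhd < upper:
            return pl
    raise ValueError(f"PFHd {pfhd:g}/h is outside the PLa-PLe bands")


def meets_plr(pl, plr):
    """True when the achieved PL is equal to or higher than the required PL."""
    return PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def evaluate(plr, channels, subsystem_pfhd):
    """Return MTTFd bands, combined PFHd, achieved PL and the PL >= PLr verdict.

    Assumption: subsystems are in series, so their PFHd values are summed.
    """
    total = sum(subsystem_pfhd.values())
    pl = pl_from_pfhd(total)
    return {
        "mttfd": {name: (round(mttfd_years(b, n)), mttfd_band(mttfd_years(b, n)))
                  for name, (b, n) in channels.items()},
        "pfhd_total": total,
        "pl": pl,
        "ok": meets_plr(pl, plr),
    }


NOP = 350_400  # annual operations used in Step 1 (40 x 8,760)
CHANNELS = {"interlock": (2_000_000, NOP), "contactor": (1_000_000, NOP)}
# Logic PFHd is the certified figure quoted in Step 1; the sensor and actuator
# values are constructed for illustration, not manufacturer data.
SUBSYSTEM_PFHD = {"sensor": 4e-8, "logic": 5e-8, "actuator": 1.2e-7}

if __name__ == "__main__":
    for key, value in evaluate("d", CHANNELS, SUBSYSTEM_PFHD).items():
        print(f"{key}: {value}")
```

Passing "e" as the required level to `evaluate` with the same inputs returns `ok: False`, which is the iterate-and-revise case described earlier.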

The safety relay is the logic hub in this example — it is where the dual channels are monitored, the EDM loop is closed, and the manual reset is enforced. Sizing and wiring the safety relay correctly is critical to achieving the Category 3 architecture. See our guides on safety circuit categories and machine guarding for more on how the sensor and actuator subsystems integrate.


Frequently Asked Questions

What is Performance Level in ISO 13849?

Performance Level (PL) is a measure of the reliability of a safety function, defined in ISO 13849-1 as five discrete levels from PLa (lowest) to PLe (highest). Each level corresponds to a range of average probability of dangerous failure per hour (PFHd). PL is determined by the combination of the safety function's architectural Category, the Mean Time to Dangerous Failure (MTTFd) of its components, and the Diagnostic Coverage (DC) of its monitoring circuits.

What is PLr in ISO 13849?

PLr (Required Performance Level) is the minimum PL that a safety function must achieve to provide adequate risk reduction for a specific hazard. PLr is determined before any design work begins, using the ISO 13849-1 risk graph, which considers the severity of injury (S), the frequency of exposure (F), and the possibility of avoiding the hazard (P). The designer then engineers the safety function to achieve a PL equal to or higher than the PLr.

What is the difference between PL and Category?

Category and PL are related but different. Category (B, 1, 2, 3, or 4) describes the structural architecture of a safety function — the number of channels, the presence of cross-monitoring, and the fault tolerance. PL is the outcome — the reliability level actually achieved by a specific design. You cannot determine PL from Category alone. Two Category 3 designs with different component MTTFd values and DC levels can achieve different PLs. Category sets the ceiling; MTTFd and DC determine where the design lands within that ceiling.

What is the difference between PL and SIL?

PL (ISO 13849) and SIL (IEC 62061 / IEC 61508) both quantify safety function reliability, but they originate in different standards with different scopes. PL is used primarily in machinery applications and is determined via the risk graph and the Category + MTTFd + DC framework. SIL is used in process safety and electrical/electronic machinery and is determined via LOPA or a risk graph under IEC 62061. The levels are broadly comparable (PLd ≈ SIL 2, PLe ≈ SIL 3) but the standards are not directly interchangeable. See our full comparison: SIL vs PL.


Summary

Performance Level is the ISO 13849-1 language for quantifying machine safety function reliability. The workflow is always the same:

  1. Determine PLr using the risk graph (S, F, P parameters) — before touching any design.
  2. Choose a Category (architecture) that can in principle reach the PLr.
  3. Calculate MTTFd from manufacturer B10d data and the actual operating frequency.
  4. Estimate DC from the monitoring method used in the design.
  5. Score CCF using the ISO 13849-1 checklist — confirm ≥ 65 points for Category 3/4.
  6. Look up the achieved PL in Table K.1 or run SISTEMA — confirm PL ≥ PLr.
  7. Document everything in the technical file.

The controls view is straightforward: every safety function is a chain of sensor → logic → actuator. The safety relay or safety PLC is the logic node where channels are monitored and the achieved PL is most directly engineered. For new machinery covered by the EU Machinery Directive, demonstrating PLr ≤ PL for every identified safety function is a mandatory part of the CE marking process.

For a deeper look at the standards framework that PL sits within, see functional safety basics and what is SIL.
