
Safety Circuit Categories (B, 1, 2, 3, 4) in ISO 13849

Safety circuit categories explained — what Category B, 1, 2, 3, and 4 mean in ISO 13849, single vs dual channel, fault detection, and how they relate to PL.

IAE
Senior PLC Programmer
15+ years hands-on experience • 50+ automation projects completed

Safety circuit categories are the structural building blocks of machine safety. ISO 13849-1 defines five architecture categories — B, 1, 2, 3, and 4 — that describe how a safety function is wired, how it handles faults, and how well it can detect them before they cause harm. Choosing the wrong category for a given risk means your machine either falls short of the required Performance Level or wastes budget on overengineered circuitry.

This guide walks through every category from a controls engineer's perspective: what the architecture looks like on the panel, what failures it can and cannot tolerate, and how the category feeds directly into your final PL calculation.

What Safety Categories Are (ISO 13849-1 Architecture Categories)

ISO 13849-1:2015 is the machine-safety standard that replaced EN 954-1. At its core it asks one question: if a component fails, does the safety function still work?

To answer that question, the standard groups safety circuit architectures into five categories. Each category is a structural template — it specifies:

  • How many channels carry the safety signal (single or dual)
  • Whether a monitoring or test channel exists
  • What happens when a single fault occurs (safe stop vs. hazardous state)
  • Whether fault accumulation can lead to loss of the safety function

Categories are not a ranking of quality in isolation. A Category 2 circuit is not automatically better than Category 1. The category is one input into the PL calculation; the other two inputs are Mean Time to Dangerous Failure (MTTFd) and Diagnostic Coverage (DC). Together, the three factors determine the achieved Performance Level — see our guide to Performance Level for how the combinations map to PL a through PL e.

[Figure: stacked hierarchy of ISO 13849-1 Categories B, 1, 2, 3 and 4, showing channels, fault tolerance, DC and maximum PL for each level, with safety increasing from Category B to Category 4.]
ISO 13849-1 safety circuit category hierarchy — each level adds channels, fault detection, or diagnostic coverage; Category 4 is the only architecture that can achieve PL e.

Why Category Matters More Than You Think

Many engineers conflate "safety relay" with "Category 4." That is not correct. A safety relay can implement Category 1, 2, 3, or 4 depending on how you wire it. The category is a property of the safety circuit architecture, not of any single device.


Category B — Basic

Category B is the baseline. It requires only that the safety-related parts of the control system are designed, built, selected, assembled, and combined according to relevant standards using basic safety principles.

What the architecture looks like

A single channel carries the safety signal. No redundancy. No monitoring. If the component fails, the safety function is lost — and whether that loss is detected depends entirely on the next machine cycle or a manual inspection.

When Category B applies

Category B is appropriate only where the risk assessment confirms a very low probability of occurrence and severity of harm. In practice this means:

  • Low-severity hazards (minor injury only)
  • Infrequent exposure
  • Avoidance is reasonably possible

Most industrial machines cannot justify stopping at Category B. It appears primarily in office-type equipment or machinery where the hazardous event has negligible severity.

Key characteristics

  • Channels: Single
  • Fault tolerance: None
  • Fault detection: None required
  • Typical MTTFd range: Low to medium

Category 1 — Well-Tried Components

Category 1 keeps the single-channel architecture of Category B but raises the bar on component reliability. The standard requires the use of well-tried components and well-tried safety principles.

What "well-tried" means

A well-tried component is one that has been widely used in the past with successful results in similar applications, or is made and verified using principles that demonstrate its suitability and reliability for safety-related applications. Positively guided relays, spring-return actuators, and proven electromechanical switching devices are classic examples.

What the architecture looks like

Still a single channel. The difference from Category B is that every component in the safety path must meet the well-tried criteria, and the design must apply safety principles such as positive opening, forced guidance, and proper dimensioning.

Fault behavior

Because there is still only one channel, a single fault can still lead to loss of the safety function. Category 1 reduces the probability that a fault occurs, but it does not ensure detection if one does.

Key characteristics

  • Channels: Single
  • Fault tolerance: None (improved component reliability compensates)
  • Fault detection: None required
  • Typical MTTFd range: Medium to high

[Figure: side-by-side single-channel circuit topologies for Category B and Category 1, each with a 24 V supply, NC E-stop, relay and contactor to the drive; ✓WT marks a well-tried component per ISO 13849-1.]
Category B vs Category 1 circuit topology — both use a single channel; Category 1 mandates well-tried components such as positively guided relays to reduce the probability of dangerous failure.

Category 2 — Single Channel with Periodic Test

Category 2 introduces the first active fault-detection mechanism: a test channel (often called an OTE — Output Test Equipment) that periodically exercises the safety function to check it is still intact.

What the architecture looks like

One main safety channel handles the safety function. A separate monitoring/test channel checks the main channel at defined intervals — either automatically on each machine cycle, or on a timed basis. If the test detects a fault, the machine must stop or prevent a hazardous start.

Critical constraint on test frequency

The standard requires that the probability of a hazardous situation between tests is low. In plain language: if the machine cycles 1,000 times per day, a test that runs once per shift may leave a large window of undetected failure. The test must be frequent relative to the demand rate.

Fault behavior

  • Detected fault: machine stops safely (or prevents start)
  • Undetected fault between tests: safety function may be lost until next test

Category 2 can achieve PL c or even PL d depending on MTTFd and DC values, but the window between tests caps its effectiveness at high demand rates.

Key characteristics

  • Channels: Single (main) + test channel
  • Fault tolerance: None between tests
  • Fault detection: Periodic (automatic or timed)
  • Typical MTTFd range: Medium to high

Category 3 — Dual Channel, Single-Fault Tolerant

Category 3 is the architecture you will see on the majority of industrial safety applications — guarded presses, collaborative robot cells, conveyor safety gates, and most E-stop circuits on machines with serious injury risk.

What the architecture looks like

Two independent channels carry the safety signal in parallel. Either channel alone can bring the machine to a safe state. A single fault in one channel does not cause loss of the safety function because the other channel remains active.

The key requirement: a single fault must be detected before or during the next demand on the safety function. In most implementations this means cross-monitoring — the safety relay or safety PLC constantly compares the state of both channels and flags a discrepancy.

Dual-channel E-stop: the textbook example

Consider a dual-channel E-stop button wired to a safety relay:

  • Channel 1: NC contact of E-stop → Safety relay input A1
  • Channel 2: NC contact of E-stop → Safety relay input A2
  • Safety relay monitors that both channels open and close simultaneously (within a defined synchronicity window, typically 0.5 s)

If Channel 1 contact welds closed, the relay detects the discrepancy on the next E-stop press and locks out. The machine cannot restart until the fault is cleared and the relay is manually reset.

What Category 3 does not guarantee

Category 3 requires fault detection but does not require the system to remain safe if two faults accumulate. If Fault A occurs and is not acted on before Fault B occurs, the safety function may be lost. This is the distinction between Category 3 and Category 4.

[Figure: Category 3 dual-channel E-stop circuit with two NC contacts (CH 1, CH 2) on a 24 V DC supply, safety relay inputs A1 and A2 with cross-monitoring, two output contactors on the hazardous drive, and EDM feedback shown as the Category 4 addition.]
Category 3 dual-channel E-stop: two independent NC contacts route to separate relay inputs; cross-monitoring detects a welded contact on the next E-stop demand and forces lockout.

Key characteristics

  • Channels: Dual, independent
  • Fault tolerance: Single fault — safety function maintained
  • Fault detection: Required before or at next safety demand
  • Typical MTTFd range: Medium to high per channel

Category 4 — Dual Channel with Fault Accumulation Detection

Category 4 is the highest architecture category and the one required for PL e — the highest Performance Level for machine safety. It is used for applications where a single failure could cause death or severe irreversible injury and where the probability of exposure is high.

How Category 4 differs from Category 3

The structural difference is subtle but critical: Category 4 must continue to perform the safety function even when faults accumulate. The system must detect each fault and either stop the machine immediately or ensure the safety function remains available until the fault is corrected.

In practice this means:

  • Continuous cross-channel monitoring, not just at the moment of demand
  • The safety PLC or relay must detect Fault A and flag it before Fault B can go unnoticed
  • Diagnostic Coverage (DC) must be high — ISO 13849-1 assigns Category 4 a minimum DC of 99% (DC High)

Typical Category 4 implementations

  • Dual-channel light curtain with EDM (External Device Monitoring) of output contactors
  • Dual-channel safety gate switch with monitored contactors and a safety PLC that compares feedback
  • Redundant safety PLCs (e.g., Pilz PSS 4000, Siemens S7-1500F) with cross-comparison on every scan cycle

What EDM (External Device Monitoring) adds

EDM checks that the downstream contactors or actuators actually opened or closed when commanded. Without EDM, a welded contactor could allow hazardous motion even though the safety relay switched off. EDM closes the loop: if the feedback contacts do not respond within the expected time, the system locks out. This is a hallmark of Category 4 wiring for guarding applications.

Key characteristics

  • Channels: Dual, independent
  • Fault tolerance: Single fault — safety function maintained
  • Fault detection: Fault accumulation detected; DC ≥ 99%
  • Typical MTTFd range: High per channel

Single vs. Dual Channel and Fault Detection — Quick Reference Table

| Category | Channels | Fault Tolerance | Fault Detection | Min. DC (ISO 13849-1) | Max. Achievable PL |
|---|---|---|---|---|---|
| B | 1 | None | None | None | PL a |
| 1 | 1 | None (high-reliability parts) | None | None | PL b |
| 2 | 1 + test | None between tests | Periodic | Low (60–90%) | PL d |
| 3 | 2 | Single fault tolerated | At next demand | Low–Medium (60–99%) | PL d |
| 4 | 2 | Single fault tolerated | Continuous; fault accumulation detected | High (≥ 99%) | PL e |

Notes:

  • DC values and PL ceilings depend on MTTFd as well as category. The table shows category-level constraints, not guaranteed PL.
  • Category 2 can reach PL d only with high MTTFd and sufficiently frequent testing.
  • Category 3 with high MTTFd per channel and DC Medium can reach PL d; it cannot reach PL e.

How Categories Combine with MTTFd and DC to Give PL

The category alone does not determine PL. ISO 13849-1 uses all three axes:

  1. Category — structural architecture (B, 1, 2, 3, 4)
  2. MTTFd — Mean Time to Dangerous Failure of each channel (Low/Medium/High: < 10 y / 10–30 y / > 30 y)
  3. DC — Diagnostic Coverage (None/Low/Medium/High: < 60% / 60–90% / 90–99% / ≥ 99%)

The standard provides a simplified lookup in Annex K (the PL table) and a full calculation method using the PFHD (Probability of dangerous Failure per Hour). The SISTEMA software tool from IFA automates this calculation and is freely available.

Worked example: Cat 3 dual-channel E-stop

A machine has a dual-channel E-stop (Category 3) wired to a safety relay:

  • Each channel uses NC contacts rated MTTFd = 40 years → High
  • The safety relay performs cross-channel monitoring on every demand → DC Medium (approx. 90%)
  • Category 3, MTTFd High per channel, DC Medium → PL d

To reach PL e, the engineer would need Category 4 with DC High (≥ 99%) and MTTFd High — typically achieved with monitored contactors (EDM) and a safety PLC that performs continuous cross-comparison.

[Figure: PL determination matrix, Category (B, 1, 2, 3, 4) against MTTFd (Low, Med, High) and DC, with cells giving PL a through PL e.]
ISO 13849-1 simplified PL lookup matrix — Category sets the ceiling; MTTFd and DC determine the actual achieved PL within that ceiling.

For the full PL calculation methodology and the required PL (PLr) determination from risk parameters, see our dedicated guide to Performance Level. For comparison with the IEC 62061 approach using SIL, see SIL vs PL.


The Controls View — Cat 3/4 Safety Function with Dual-Channel E-Stop

Here is how a Category 3 or 4 safety function looks from the panel and PLC perspective.

Hardware

  • E-stop button: Dual NC contacts (two independent contacts on one actuator — never wire two contacts from different actuators in series to fake dual channel)
  • Safety relay or safety PLC input module: Two dedicated safety inputs (e.g., OSSD1/OSSD2 on a light curtain, or A1/A2 on a Pilz PNOZ or Schmersal SRB)
  • Output contactors: Two contactors in series on the hazardous drive; feedback (EDM) contacts wired back to the safety relay as a normally open series loop

Wiring rules that matter

  • Both channels must be routed separately — no common conduit run that could cause both channels to short to the same fault simultaneously
  • Synchronicity window: most safety relays require both channels to open within 0.5 seconds of each other; a discrepancy outside this window indicates a fault
  • Cross-short detection: safety PLCs with pulse testing (test pulses on each output) can detect a short between Channel 1 and Channel 2 wiring — this is required for Category 4

Where the safety relay fits

The safety relay sits between the E-stop (inputs) and the contactors (outputs). Its job is to:

  1. Monitor both channels continuously
  2. De-energize its output contacts on E-stop actuation or fault detection
  3. Require a manual reset after a fault — it must not automatically restart
  4. Provide feedback monitoring via the EDM loop (Category 4)
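
The relay behaviour listed above, together with the welded-contact case from the dual-channel E-stop example earlier, as an added Python model (not from the original article, and not certified safety logic). The names SafetyRelayModel and run, the 0.2 s EDM timeout, and the rule that both channels must be seen open before a reset is accepted are assumptions made for this illustration; the scan data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

SYNC_WINDOW_S = 0.5  # synchronicity window quoted in the article
EDM_TIMEOUT_S = 0.2  # assumed drop-out time; the article gives no figure


@dataclass
class SafetyRelayModel:
    """Teaching model of dual-channel monitoring; not certified safety logic."""
    outputs_on: bool = False
    fault: str = ""                        # non-empty means locked out
    _mismatch_t: Optional[float] = None    # when CH1 and CH2 first disagreed
    _off_t: Optional[float] = None         # when the outputs were switched off
    _both_open_seen: bool = True           # assumed rule: see both open to reset

    def _lock(self, reason: str) -> None:
        self.fault, self.outputs_on, self._both_open_seen = reason, False, False

    def scan(self, t, ch1_closed, ch2_closed, contactors_open, reset=False):
        # Either channel opening removes the outputs at once.
        if self.outputs_on and not (ch1_closed and ch2_closed):
            self.outputs_on, self._off_t = False, t
        # Cross-monitoring: disagreement lasting past the window is a fault.
        if ch1_closed != ch2_closed:
            if self._mismatch_t is None:
                self._mismatch_t = t
            elif t - self._mismatch_t > SYNC_WINDOW_S:
                self._lock("channel discrepancy")
        else:
            self._mismatch_t = None
            if not ch1_closed:
                self._both_open_seen = True  # both contacts proved they open
        # EDM: after switch-off, feedback must confirm drop-out in time.
        if self._off_t is not None:
            if contactors_open:
                self._off_t = None
            elif t - self._off_t > EDM_TIMEOUT_S:
                self._off_t = None
                self._lock("EDM: contactor did not drop out")
        # Manual reset only; never restart automatically.
        if (reset and ch1_closed and ch2_closed and contactors_open
                and self._both_open_seen):
            self.fault, self.outputs_on = "", True
        return self.outputs_on


def run(scans):
    """Feed (t, ch1, ch2, contactors_open, reset) tuples; return final state."""
    relay = SafetyRelayModel()
    for step in scans:
        relay.scan(*step)
    return relay.outputs_on, relay.fault


# Constructed scenario: CH1 contact welded closed, then the E-stop is pressed.
WELDED_CH1 = [(0.0, True, True, True, True),     # healthy start with reset
              (1.0, True, False, False, False),  # press: only CH2 opens
              (1.1, True, False, True, False),   # contactors have dropped out
              (1.7, True, False, True, False),   # mismatch now exceeds 0.5 s
              (5.0, True, True, True, True)]     # release and try to reset

if __name__ == "__main__":
    print(run(WELDED_CH1))
```

In the welded-contact run the drive is already off at t = 1.0 because CH2 opened; the lockout at t = 1.7 is what stops the later reset from hiding the fault.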

Where the safety PLC fits

A safety PLC (e.g., Siemens S7-1500F, Allen-Bradley GuardLogix, B&R SafeLogic) replaces the discrete safety relay for complex machines or where many safety functions must be combined. The safety PLC:

  • Reads dual-channel safety inputs through F-modules (failsafe I/O)
  • Executes certified safety function blocks (e.g., SF_EmergencyStop, SF_TwoHandControl from PLCopen)
  • Cross-compares channel states on every safety program scan (typically 10–20 ms)
  • Drives output contactors through F-output modules with EDM feedback

The safety program runs in a separate, certified partition from the standard PLC program. See our overview of machine guarding for how safety gates, light curtains, and muting fit into a complete safety architecture, and our functional safety basics guide for the broader IEC 61508 framework these categories sit within.


Frequently Asked Questions

What are safety categories in ISO 13849?

Safety categories in ISO 13849-1 are five structural architectures — B, 1, 2, 3, and 4 — that define how a safety circuit is built and how it behaves when a component fails. They specify whether the circuit uses a single or dual channel, whether fault detection is required, and whether the safety function survives a single fault. The category is one of three inputs (along with MTTFd and DC) used to calculate the achieved Performance Level of a safety function.

What is the difference between Category 3 and Category 4?

Both Category 3 and Category 4 use dual independent channels, and both maintain the safety function through a single fault. The critical difference is fault accumulation: Category 3 requires fault detection before or at the next demand, but two undetected faults could theoretically accumulate and cause loss of the safety function. Category 4 requires continuous fault detection with Diagnostic Coverage of at least 99%, so fault accumulation is caught before a second fault can go undetected. Category 4 is the only architecture that can achieve PL e.

What is a dual-channel safety circuit?

A dual-channel safety circuit routes the safety signal through two independent, physically separated paths. Both channels must signal a safe condition for the machine to run. If either channel breaks the signal — due to E-stop actuation, a gate opening, or a component failure — the machine stops. Cross-monitoring between the two channels detects discrepancies (one channel open, one closed) that indicate a wiring fault or stuck contact. Dual-channel architecture is the basis of Category 3 and Category 4 safety functions.

How do categories relate to Performance Level?

Performance Level (PL a through PL e) is calculated from three factors: category, MTTFd (Mean Time to Dangerous Failure), and DC (Diagnostic Coverage). The category sets a ceiling on achievable PL: Category B caps at PL a, Category 1 at PL b, Category 2 at PL d, Category 3 at PL d, and Category 4 at PL e. Within those ceilings, MTTFd and DC determine the actual PL reached. A Category 3 circuit with low MTTFd and low DC may only achieve PL b even though the architecture could support PL d.
