Functional Safety in PLCs: SIL, PL, Fail-Safe & IEC 61508/61511 Explained

A definitive guide to functional safety in PLCs — SIL ratings, PL ratings, fail-safe design philosophy, and the IEC standards that govern them.

Functional safety is the discipline of designing control systems that fail in the safest possible way. Not preventing all failures (impossible), but ensuring that when components do fail, the consequences don't hurt people or destroy equipment. It's the difference between an emergency stop button that always works and a press machine that crushes someone because a relay welded shut.

This guide covers the four standards every controls engineer needs to know (IEC 61508, IEC 61511, IEC 62061, ISO 13849), the SIL and PL rating systems that quantify safety, the fail-safe design principles that govern safety-rated PLC programming, and how to decide between a safety PLC and a standard PLC for any given application.

Figure: Safety Integrity Levels (IEC 61508 / IEC 61511). The four levels from SIL 1 (lowest) to SIL 4 (highest), with the required PFD (probability of failure on demand), the equivalent RRF (risk reduction factor) and typical applications.

SIL 4 (catastrophic risk): PFD 10⁻⁵ to 10⁻⁴, RRF 10,000–100,000. Nuclear shutdown, emergency reactor trip systems; rare in machinery.
SIL 3 (severe injury): PFD 10⁻⁴ to 10⁻³, RRF 1,000–10,000. Burner management, high-pressure tank protection.
SIL 2 (major injury): PFD 10⁻³ to 10⁻², RRF 100–1,000. Press safety, conveyor guards.
SIL 1 (minor injury): PFD 10⁻² to 10⁻¹, RRF 10–100. Light curtains, basic guards.

A SIL rating quantifies how reliably a safety function reduces risk. The number is conservative: SIL 4 means a target failure rate of 1 in 10,000 to 1 in 100,000 demands. Most plant-level safety functions are SIL 1 or SIL 2; SIL 3 appears in burner management, high-pressure tank protection, and similar process safety; SIL 4 is rare outside nuclear and aerospace.

PFD (Probability of Failure on Demand) is the underlying metric. RRF (Risk Reduction Factor) is its inverse. A SIL 2 system must reduce risk by between 100× and 1,000×, equivalent to a PFD of 10⁻² to 10⁻³.
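The PFD/RRF relationship and the SIL bands above, worked through in code. This is an added example and not part of the original article: the band boundaries are the IEC 61508 low-demand-mode values from the table, the single-channel (1oo1) estimate uses the standard's simplified approximation PFDavg ≈ λ_DU × T_I / 2, and the failure rate and proof-test intervals are constructed values chosen only to show how the proof-test interval (the periodic proof testing mentioned in the FAQ below) moves a function between bands.

```python
# Added example, not from the original article: classify a low-demand safety
# function by PFD/RRF (IEC 61508 bands) and show how the proof-test interval
# moves a single-channel (1oo1) function between SIL bands.

# IEC 61508 low-demand-mode bands as (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL band (1..4) containing `pfd`; 0 means PFD >= 0.1, i.e. no SIL claim.

    IEC 61508 defines no band below 10^-5; a PFD that low is reported here as meeting SIL 4
    (design choice for this example, not a claim the standard makes).
    """
    if pfd <= 0.0:
        raise ValueError("PFD must be a positive probability")
    if pfd < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def rrf_from_pfd(pfd: float) -> float:
    """Risk Reduction Factor is the inverse of PFD (e.g. PFD 10^-3 -> RRF 1000)."""
    return 1.0 / pfd


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified IEC 61508 estimate for a single-channel (1oo1) function.

    PFDavg ~= lambda_DU * T_I / 2, valid when lambda_DU * T_I << 1. lambda_DU is the
    dangerous *undetected* failure rate: failures caught by diagnostics are assumed to
    drive the function to its safe state and are excluded from this estimate.
    """
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def max_proof_test_interval_hours(lambda_du_per_hour: float, target_sil: int) -> float:
    """Longest proof-test interval for which the 1oo1 estimate stays inside the target SIL band."""
    upper = {sil: high for sil, _, high in SIL_BANDS}[target_sil]
    return 2.0 * upper / lambda_du_per_hour


if __name__ == "__main__":
    # Constructed illustration: a sensor/logic/valve loop with lambda_DU = 2e-7 per hour
    # (roughly one dangerous undetected failure per 570 years of operation).
    lambda_du = 2e-7
    for years in (1, 3):
        hours = years * 8760
        pfd = pfd_avg_1oo1(lambda_du, hours)
        print(f"proof test every {years} yr: PFDavg={pfd:.2e}, "
              f"RRF={rrf_from_pfd(pfd):.0f}, SIL {sil_from_pfd(pfd)}")
    limit = max_proof_test_interval_hours(lambda_du, 3)
    print(f"SIL 3 target needs a proof test at most every {limit / 8760:.2f} yr")
```

With the constructed rate, an annual proof test gives PFDavg ≈ 8.8 × 10⁻⁴ (RRF ≈ 1,100, inside the SIL 3 band); stretching the interval to three years gives ≈ 2.6 × 10⁻³ and drops the same hardware into SIL 2. A real SIL verification adds the PFD contributions of every subsystem in the loop plus common-cause and architectural-constraint checks, so this single-term estimate is a lower bound on the work, not a substitute for it.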

Frequently Asked Questions

What is functional safety in PLCs?

Functional safety is the discipline of designing control systems that fail in the safest possible way. It quantifies how reliably a safety function reduces risk using ratings like SIL (Safety Integrity Level, IEC 61508) or PL (Performance Level, ISO 13849). A SIL 2 / PL d safety function must reduce risk by 100× to 1,000× compared to having no protection.

What is the difference between SIL and PL?

SIL (Safety Integrity Level) comes from IEC 61508 / 61511 and is used in process industries and IEC 62061 machinery applications. PL (Performance Level) comes from ISO 13849 and covers electrical, electronic, mechanical, hydraulic and pneumatic safety controls together. The two were harmonised in 2010 — PL d ≈ SIL 2, PL e ≈ SIL 3 — and most machine builders use ISO 13849 because it covers all hardware types.

What is a safety PLC?

A safety PLC (or F-PLC, safety controller) is a PLC certified to SIL 2 / PL d or higher. Examples: Siemens S7-1500F, Allen-Bradley GuardLogix, Pilz PSS 4000, Schneider M580 Safety, Beckhoff TwinSAFE. They use redundant CPUs, certified firmware, safety-rated I/O with pulse testing, and a restricted instruction set. You need one whenever your application has a safety function rated SIL 2 / PL d or above.

What does fail-safe mean?

Fail-safe means a system fails in a way that does not cause harm — typically by entering its safe state on power loss. An emergency-stop button is fail-safe because it breaks the control circuit; if a wire breaks, the protection still works. The opposite (energise-to-actuate) is dangerous because broken wires silently disable the safety function. De-energise-to-safe is one of the four core fail-safe design principles.
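The wire-break argument above, reduced to a small executable model. This is an added example, not code from the original article: it models one E-stop button wired to one PLC input under each philosophy (normally-closed contact for de-energise-to-safe, normally-open for energise-to-actuate) and treats a broken wire as an open circuit that the input reads as FALSE. The class and function names are this example's own.

```python
# Added example, not from the original article: a minimal model of an E-stop
# input circuit under the two wiring philosophies, showing why a broken wire
# is safe in one design and silently disables protection in the other.

from dataclasses import dataclass
from enum import Enum


class Wire(Enum):
    INTACT = "intact"
    BROKEN = "broken"   # open circuit: the PLC input reads FALSE whatever the button does


@dataclass
class EStopCircuit:
    """One E-stop button wired to one PLC input.

    de_energise_to_safe=True : normally-closed contact; input TRUE means 'circuit healthy, run permitted'.
    de_energise_to_safe=False: normally-open contact; input TRUE means 'button pressed, stop'.
    """
    de_energise_to_safe: bool
    button_pressed: bool = False
    wire: Wire = Wire.INTACT

    def input_reads(self) -> bool:
        """Logic level the PLC sees on the input terminal."""
        if self.wire is Wire.BROKEN:
            return False                      # no current can flow through an open wire
        if self.de_energise_to_safe:
            return not self.button_pressed    # NC contact: closed (TRUE) until pressed
        return self.button_pressed            # NO contact: open (FALSE) until pressed

    def run_permitted(self) -> bool:
        """The run-enable rung the PLC would evaluate every scan."""
        if self.de_energise_to_safe:
            return self.input_reads()         # run only while the healthy signal is present
        return not self.input_reads()         # run unless a stop signal arrives


def protection_holds(de_energise_to_safe: bool, wire: Wire) -> bool:
    """True if pressing the button actually stops the machine under the given wiring and wire state."""
    circuit = EStopCircuit(de_energise_to_safe, button_pressed=True, wire=wire)
    return not circuit.run_permitted()


def fault_is_visible(de_energise_to_safe: bool) -> bool:
    """True if a broken wire reveals itself (machine stops) even when nobody presses the button."""
    circuit = EStopCircuit(de_energise_to_safe, button_pressed=False, wire=Wire.BROKEN)
    return not circuit.run_permitted()


if __name__ == "__main__":
    for philosophy, flag in (("de-energise-to-safe", True), ("energise-to-actuate", False)):
        for wire in Wire:
            print(f"{philosophy:20} wire {wire.value:6}: "
                  f"E-stop works={protection_holds(flag, wire)}")
        print(f"{philosophy:20} broken wire detected without pressing: {fault_is_visible(flag)}")
```

Both designs pass the test while the wiring is intact; they differ only under a fault. With de-energise-to-safe the broken wire produces an immediate (nuisance) stop, so the fault is found and repaired. With energise-to-actuate the machine keeps running and the button does nothing, and nothing in the process reveals that until someone needs it.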

What is the difference between IEC 61508 and IEC 61511?

IEC 61508 is the generic functional safety standard that defines SIL ratings, the safety lifecycle, and architectural constraints for any electrical/electronic safety-related system. IEC 61511 is the application-specific standard for process industries (chemical, oil & gas, pharma) — it tells you how to apply IEC 61508 principles to safety instrumented systems in process plants, including HAZOP, LOPA and SIL allocation methods.

When do I need a safety PLC?

You need a safety PLC whenever your application has a safety function rated SIL 2 (PL d) or higher. For SIL 1 / PL c safety functions, a standard PLC plus a separate safety relay and hardware E-stop is often sufficient. The decision is driven by hazard and risk analysis, not by personal preference — if HAZOP / risk assessment puts you at SIL 2, the safety controller is required.

How long is a typical safety PLC certification valid?

Hardware certifications (TÜV, Exida) cover the lifetime of the product as released. The applied safety function — the way you wired and programmed it — is verified once at commissioning and then revalidated through periodic proof testing (typically annually for SIL 2-3). Any modification to the safety function requires re-validation through a Management of Change (MOC) process.

What is a Performance Level (PL)?

Performance Level (PL) is the ISO 13849 metric for safety-related parts of machinery control systems. It ranges from PL a (lowest) to PL e (highest) and considers severity of injury, frequency of exposure, and possibility of avoiding harm to determine the required PL for a given hazard. PL a is only loosely comparable to SIL 1 (at lower confidence); PL d ≈ SIL 2; PL e ≈ SIL 3.
