Battle Royale: Performance Level vs. Safety Integrity Level (Part Three)
Let’s get ready to RUMBLE!
That’s right … we’ve got quite a matchup in the ring: PL (Performance Level) faces off against SIL (Safety Integrity Level). This is a classic battle between ISO and IEC standards (ISO 13849 vs IEC 62061).
I always like to simplify, so let’s start by naming a clear winner in this match. Wait – there isn’t one! PL and SIL are basically the same thing. (But don’t tell that to the folks on the standards committees … they won’t like me for saying that.)
As mentioned above, Performance Level is a probability rating that originates from ISO 13849. Safety Integrity Level is a probability rating that originates from IEC 62061.
The main difference between these two standards is this: ISO 13849 addresses mechanical devices used in safety applications (such as mechanical gate switches, safety limit switches, or valves); IEC 62061 does not.
But most machines have mechanical devices on them, right? IEC 62061 is meant for electronic and programmable safety systems; it addresses programming techniques and best practices (ISO 13849 does not). To better understand PL and SIL, let’s review what defines a safety circuit.
Understanding Safety Circuits
Remember, a safety circuit is the WHOLE circuit, which includes the input, logic, and output safety devices. The PL or SIL rating is a rating for all of those working together. The PL or SIL of these safety-related parts of a control system must at least equal the required PL or SIL. The required PL (PLr) is determined in a Risk Assessment.
PL ratings are designated as a through e (PLe being the highest rating). SIL ratings are designated as 1, 2, or 3 (SIL3 being the highest rating).
A safety circuit (safety function) has three required characteristics:
- Design structure (single channel or dual channel)
- Monitoring (detection of faults in the circuit)
- Time before first dangerous safety circuit failure
Both standards agree on these three items – they just call them by different names, as illustrated below.
ISO 13849 nomenclature:
- Category (1-4) = design structure
- Diagnostic coverage (DC%) = monitoring
- MTTFd (Mean Time to Dangerous Failure) = time before first dangerous failure
IEC 62061 nomenclature:
- Hardware fault tolerance = design structure
- Safe failure fraction = monitoring
- PFHd (Probability of dangerous Failure per Hour) = time before first dangerous failure (PFHd is calculated from MTTFd [above])
Here’s a simple example: The more dangerous the hazard, the better the safety circuit must be. You need a very robust safety circuit to protect you from a hazard if it’s so dangerous that it could kill you, it’s fast moving and likely not avoidable, and you are exposed to it at all times.
On the other hand, you wouldn’t need nearly as robust a safety circuit if a machine’s hazard gives you (at best) a decent bruise if it strikes you, it’s slow moving and easy to avoid, and you’re not exposed to it very often.
Calculating Probability of Dangerous Failure per Hour
Let’s compare these two charts, which reference probability of dangerous failure per hour in ISO 13849 and IEC 62061:
Performance Levels (PL)

| PL | Average probability of dangerous failure per hour |
|---|---|
| a | ≥ 10⁻⁵ to < 10⁻⁴ |
| b | ≥ 3 × 10⁻⁶ to < 10⁻⁵ |
| c | ≥ 10⁻⁶ to < 3 × 10⁻⁶ |
| d | ≥ 10⁻⁷ to < 10⁻⁶ |
| e | ≥ 10⁻⁸ to < 10⁻⁷ |

NOTE: Besides the average probability of dangerous failure per hour, other measures are also necessary to achieve the PL.
Safety integrity levels: target failure values for SRCFs

| Safety integrity level | Probability of a dangerous Failure per hour (PFHD) |
|---|---|
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |
As you can see, both standards want you to calculate the Probability of Dangerous Failure per Hour (PFHd) of your entire safety circuit. Statistics are involved … but don’t let that scare you. A free software called SISTEMA can do the math for you. Most safety hardware manufacturers also provide libraries you can import into SISTEMA.
These calculations help determine how many times you can exercise a safety circuit before it fails in a dangerous state. The keyword here is “dangerous,” which means “an undetectable fault.” For example: A machine that doesn’t stop when you put your hand past a light curtain or press the emergency stop button. Remember: PFHd makes up only one-third of a safety circuit’s total characteristics; design structure (Category) and monitoring (DC) are also important.
If your safety circuit’s chance of failure to a dangerous state (PFHd) is between one in one million and one in 10 million, that’s 1 × 10⁻⁶ to 1 × 10⁻⁷, which equates to PLd or SIL2 (see table above).
If your safety circuit’s chance of failure to a dangerous state is less than one in 10 million, then that equates to PLe or SIL3 (see table above).
I prefer to use ISO 13849 and if I need to convert that to a SIL, a few charts in IEC 62061 make it easy to do so.
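The two tables above can be turned into a small lookup that rates a circuit's PFHd on both scales and checks it against the PLr from the risk assessment. This is an added example, not code from the original post or from SISTEMA; the MTTFd-to-PFHd helper uses only the single-channel, no-diagnostics approximation (PFHd ≈ 1 / MTTFd in hours), which is an assumption stated in the code, and every other structure needs the full ISO 13849 calculation.

```python
# Added example: PFHd band lookup per the ISO 13849 and IEC 62061 tables quoted
# above, plus a PLr check. Not the original post's code and not SISTEMA's method.
from typing import Optional

HOURS_PER_YEAR = 8760

# (level, lower bound inclusive, upper bound exclusive), in dangerous failures per hour
PL_BANDS = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]
SIL_BANDS = [
    (1, 1e-6, 1e-5),
    (2, 1e-7, 1e-6),
    (3, 1e-8, 1e-7),
]
PL_ORDER = "abcde"  # a is the lowest rating, e the highest


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Map a PFHd value to its ISO 13849 Performance Level, or None if off the table."""
    for level, low, high in PL_BANDS:
        if low <= pfhd < high:
            return level
    return None


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Map a PFHd value to its IEC 62061 SIL. PL a has no SIL equivalent, so None."""
    for level, low, high in SIL_BANDS:
        if low <= pfhd < high:
            return level
    return None


def meets_plr(pfhd: float, plr: str) -> bool:
    """True when the achieved PL is at least the required PL from the risk assessment."""
    achieved = pl_from_pfhd(pfhd)
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)


def pfhd_single_channel(mttfd_years: float) -> float:
    # Assumption: single channel with no diagnostics (no DC), so PFHd is approximated
    # as 1 / MTTFd expressed in hours. Dual-channel or monitored designs need the full
    # ISO 13849 calculation (e.g. in SISTEMA); do not use this shortcut for them.
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)
```

Note that PL b and PL c both land in SIL 1, and PL a has no SIL at all, which is why a PL-to-SIL conversion is only a one-way lookup.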
Want to learn more about machine safety and safety standards? Start with these two blogs in our safety series:
And don’t hesitate to ask us questions along the way. We have many TUV-certified machine safety engineers and technicians who are happy to help. Stay tuned for more blogs in our safety series! Next up: We’ll discuss methods of risk reduction.
EMPLOYEE-OWNER, AUTOMATION PRODUCT MANAGER, FUNCTIONAL SAFETY EXPERT
(TÜV Rheinland, #5830/12, Machinery Certification)
Rockey has over 30 years in the industry, with 15 spent as an employee of Van Meter