Functional Safety with Safety PLCs: SIL and Performance Levels

By ElectricalSupplys Team, 2026-03-28
Tags: safety, plc, standards

Introduction

Functional safety is a disciplined engineering approach for reducing risk from machinery and industrial processes to an acceptable level. In modern automation, Safety PLCs (programmable logic controllers designed for safety functions) are a common backbone for implementing safety-related control systems—everything from emergency stop circuits and safety gates to speed monitoring and safe motion.

Two rating systems dominate safety discussions in industrial electrical engineering:

  • SIL (Safety Integrity Level) from IEC 61508 and its sector standard IEC 62061 (machinery).
  • Performance Level (PL) from ISO 13849-1 (machinery safety-related parts of control systems).

Understanding how SIL and PL relate to Safety PLCs—and how to select hardware, design architectures, and document compliance—helps engineers build safer machines while meeting regulatory and customer requirements.

Safety PLCs in Functional Safety Architectures

A Safety PLC is a controller designed and certified to execute safety functions with defined integrity. Unlike standard PLCs, Safety PLCs typically feature:

  • Redundant internal diagnostics (CPU, memory, I/O checking)
  • Fault detection and reaction (e.g., transition to a safe state on detected failures)
  • Certified safety function blocks (EDM, two-hand control, muting, safe speed, etc.)
  • Safety communication options (e.g., PROFIsafe, CIP Safety, FSoE/Safety over EtherCAT)

In practice, the Safety PLC sits inside a safety-related control system such as:

  • Guarding and access safety: interlocks, light curtains, area scanners
  • Emergency stop circuits
  • Safety-rated stop and motion (often in conjunction with a safety drive)
  • Process protection: burner management or chemical process safety (more common under IEC 61511, though Safety PLCs may still be used in packaged systems)

A key point: the Safety PLC is only one component in the safety function. The achieved SIL/PL depends on the entire safety chain:

Sensor(s) → Safety logic solver (Safety PLC) → Final element(s) (contactors, safety drives, valves)

SIL: What It Means and How Safety PLCs Fit (IEC 61508 / IEC 62061)

SIL basics

IEC 61508 is the core functional safety standard for E/E/PE (electrical/electronic/programmable electronic) safety-related systems. For machinery, IEC 62061 applies the IEC 61508 framework to machine control systems and defines SILCL (SIL claim limit) for subsystems.

SIL is primarily a probabilistic measure of how reliably a safety function performs when needed. Depending on the operating mode, a safety function is evaluated as:

  • Low demand mode (demands no more frequent than once per year): uses PFDavg (average probability of dangerous failure on demand); this is the usual case in process safety under IEC 61511.
  • High demand or continuous mode: uses PFH (average frequency of a dangerous failure per hour); machinery safety functions almost always fall here, and IEC 62061 works with PFH only.

IEC 62061 covers SIL 1 to SIL 3 only; SIL 4 is not used for machinery safety functions.

Safety PLC specification: SIL capability vs achieved SIL

Many Safety PLCs are certified “up to SIL 3.” This means the device is suitable to be used in systems up to that integrity—not that every circuit you build automatically achieves SIL 3.

To claim SIL for a safety function, you must consider (per IEC 62061 / IEC 61508 concepts):

  • PFH/PFD of each subsystem (sensor, logic, final element)
  • Architecture constraints (hardware fault tolerance, diagnostics)
  • Systematic capability (development process quality, avoiding systematic faults)
  • Proof test intervals (if applicable)
  • Common cause failures (especially in redundant channels)

Practical SIL design notes for engineers

When implementing a SIL-rated safety function with a Safety PLC:

  • Use manufacturer data: PFH/PFD, SFF, diagnostic coverage, mission time, and recommended test intervals.
  • Validate that the final elements match the target integrity. Contactors, for example, often dominate PFH due to wear and mechanical failure modes.
  • Ensure appropriate feedback monitoring (e.g., EDM—external device monitoring) to detect welded contacts.
  • Treat wiring, grounding, and EMC seriously; functional safety assumes certain environmental and installation conditions.
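The point that a "SIL 3 capable" controller does not make the whole function SIL 3 is easiest to see with numbers. The following is an added example, not code from the article or any vendor: it sums the PFH of the sensor, logic and final-element subsystems as IEC 62061 does, maps the total onto the IEC 61508 PFH bands, and applies the architectural constraint that the achieved SIL cannot exceed the lowest SILCL in the chain. Every device figure in it is a constructed placeholder, not published data.

```python
# Added example (not from the article or any vendor): combining subsystem
# PFH figures into the SIL achieved by one safety function, the way
# IEC 62061 treats the sensor -> logic -> final element chain. All device
# figures below are constructed placeholders, not published data.

# IEC 61508-1 Table 3 PFH bands (high demand / continuous mode), per hour.
SIL_PFH_BANDS = (
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
)

def sil_from_pfh(pfh):
    """Map a PFH value to SIL 1..3; 0 means no SIL is achieved (PFH >= 1e-5).
    IEC 62061 does not cover SIL 4, so anything below 1e-8 is capped at 3."""
    if pfh < 1e-8:
        return 3
    for sil, low, high in SIL_PFH_BANDS:
        if low <= pfh < high:
            return sil
    return 0

def achieved_sil(subsystems):
    """subsystems: {name: (pfh_per_hour, silcl)}.

    Two limits apply and the lower one wins:
      * the SIL band the summed PFH falls into, and
      * the lowest SILCL of any subsystem in the chain (a SIL 3 logic solver
        cannot lift a SILCL 1 final element to SIL 3).
    Also reports which subsystem contributes most of the PFH.
    """
    total = sum(pfh for pfh, _ in subsystems.values())
    dominant = max(subsystems, key=lambda name: subsystems[name][0])
    by_pfh = sil_from_pfh(total)
    min_silcl = min(silcl for _, silcl in subsystems.values())
    return {
        "total_pfh": total,
        "sil_by_pfh": by_pfh,
        "min_silcl": min_silcl,
        "achieved_sil": min(by_pfh, min_silcl),
        "dominant": dominant,
        "dominant_share": subsystems[dominant][0] / total,
    }

# Constructed chains: same gate switch and Safety PLC, different final element.
CHAIN_MONITORED = {
    "sensor: dual-channel gate switch": (2.0e-9, 3),
    "logic: Safety PLC": (1.0e-9, 3),
    "final element: two contactors with EDM": (2.5e-8, 3),
}
CHAIN_UNMONITORED = {
    "sensor: dual-channel gate switch": (2.0e-9, 3),
    "logic: Safety PLC": (1.0e-9, 3),
    "final element: single contactor, no feedback": (2.0e-7, 1),
}

if __name__ == "__main__":
    for label, chain in (("monitored", CHAIN_MONITORED), ("unmonitored", CHAIN_UNMONITORED)):
        r = achieved_sil(chain)
        print(f"{label}: PFH={r['total_pfh']:.2e} -> SIL {r['achieved_sil']} "
              f"(by PFH: SIL {r['sil_by_pfh']}, lowest SILCL: {r['min_silcl']}); "
              f"{r['dominant']} contributes {r['dominant_share']:.0%}")
```

With the constructed figures the monitored chain lands in the SIL 3 band but the contactors account for almost 90 % of the total PFH; swapping in a single unmonitored contactor pushes the PFH into the SIL 2 band and the SILCL 1 constraint then caps the function at SIL 1, even though the Safety PLC is unchanged.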

Performance Levels (PL): What It Means in ISO 13849-1

PL basics

ISO 13849-1 is widely used for machinery safety-related control systems and defines Performance Levels:

  • PL a (lowest) to PL e (highest)

PL is determined by combining:

  • Category (B, 1, 2, 3, 4): structural architecture and fault tolerance
  • MTTFd (mean time to dangerous failure)
  • DCavg (diagnostic coverage)
  • CCF (common cause failure measures)

ISO 13849-1 is popular because it provides a practical, component-oriented path. Many device manufacturers publish ISO 13849-1 parameters (MTTFd, DC, etc.) to support PL calculations.

How Safety PLCs help achieve PL d / PL e

A Safety PLC commonly functions as the logic subsystem enabling:

  • Dual-channel inputs (e.g., redundant guard switch contacts)
  • Discrepancy time monitoring and cross-fault detection
  • Periodic test pulses on inputs
  • Output control with feedback (e.g., dual outputs controlling contactors with EDM)
  • Segmentation of safety zones for reduced downtime

In many machine designs, a Safety PLC makes it easier to implement Category 3 or 4 architectures, which are typical for PL d and PL e, provided the overall subsystem reliability supports it.
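To make the diagnostics listed above concrete, here is an added example that is not code from the article or from any vendor's certified library: a scan-cycle behavioural model, written in Python rather than IEC 61131-3, of a dual-channel input with discrepancy monitoring, EDM on the output contactors and a manual reset that never restarts automatically. The class, its parameters and the three scenario sequences are all constructed for illustration; the discrepancy and EDM windows are in scan cycles and are set far shorter than a real guard switch or contactor would need.

```python
# Added example (not from the article or any vendor's library): a scan-cycle
# model of two-channel input evaluation with discrepancy monitoring, EDM on
# the output, and manual reset with no automatic restart. Behavioural model
# only; timing parameters are in scan cycles and deliberately short.

class DualChannelSafetyOutput:
    def __init__(self, discrepancy_cycles=3, edm_cycles=2):
        self.discrepancy_cycles = discrepancy_cycles  # max scans the channels may differ
        self.edm_cycles = edm_cycles                  # max scans feedback may lag the command
        self.enable = False        # commanded state of contactors K1/K2
        self.fault = None          # latched fault reason, or None
        self._disc_count = 0
        self._edm_count = 0
        self._reset_prev = False

    def scan(self, ch1, ch2, edm_fb, reset):
        """One PLC scan.
        ch1, ch2: True = input channel closed (e.g. gate closed).
        edm_fb:   True = series NC auxiliary contacts closed, i.e. both
                  contactors are proven dropped out.
        reset:    reset pushbutton level; acted on at the rising edge only.
        Returns the commanded output (True = contactors energised)."""
        reset_edge = reset and not self._reset_prev
        self._reset_prev = reset

        # 1. Any open channel removes the output immediately (a demand, not a fault).
        if not (ch1 and ch2):
            self.enable = False

        # 2. Discrepancy monitoring: a stuck or shorted channel shows up as the
        #    two channels disagreeing for longer than the mechanical tolerance.
        if ch1 != ch2:
            self._disc_count += 1
            if self._disc_count > self.discrepancy_cycles and self.fault is None:
                self.fault = "discrepancy: input channels disagree too long"
        else:
            self._disc_count = 0

        # 3. EDM: feedback must follow the command. Commanded off but feedback
        #    not closed means a contactor did not drop out (welded or stuck).
        if edm_fb == self.enable:   # expected: feedback closed exactly when commanded off
            self._edm_count += 1
            if self._edm_count > self.edm_cycles and self.fault is None:
                self.fault = "EDM: contactor feedback does not follow command"
        else:
            self._edm_count = 0

        # 4. Manual reset: rising edge, both channels closed, contactors proven off.
        #    A latched fault is only acknowledged here; a second press is needed
        #    to start, so acknowledging never doubles as a start command.
        if reset_edge and ch1 and ch2 and edm_fb:
            if self.fault is not None:
                self.fault = None
                self._disc_count = self._edm_count = 0
            else:
                self.enable = True

        if self.fault is not None:
            self.enable = False
        return self.enable


def run_sequence(block, steps):
    """Drive the block through (ch1, ch2, edm_fb, reset) tuples; return [(output, fault)]."""
    return [(block.scan(*s), block.fault) for s in steps]

T, F = True, False

def scenario_normal():
    """Start, run, gate opens, gate closes again: no restart until reset is pressed."""
    steps = [(T, T, T, F), (T, T, T, T), (T, T, F, F), (F, F, F, F),
             (F, F, T, F), (T, T, T, F), (T, T, T, T)]
    return run_sequence(DualChannelSafetyOutput(), steps)

def scenario_stuck_channel():
    """Channel 2 stays closed while channel 1 opens (shorted or welded contact)."""
    steps = [(T, T, T, T), (T, T, F, F), (F, T, F, F), (F, T, T, F), (F, T, T, F),
             (F, T, T, F), (T, T, T, T), (T, T, T, F), (T, T, T, T)]
    return run_sequence(DualChannelSafetyOutput(), steps)

def scenario_welded_contactor():
    """Output commanded off but feedback never shows the contactors dropped out;
    reset is refused while the welded contact persists."""
    steps = [(T, T, T, T), (T, T, F, F), (F, F, F, F), (F, F, F, F), (F, F, F, F),
             (T, T, F, T)]
    return run_sequence(DualChannelSafetyOutput(), steps)

if __name__ == "__main__":
    for name, fn in (("normal", scenario_normal), ("stuck channel", scenario_stuck_channel),
                     ("welded contactor", scenario_welded_contactor)):
        print(name, fn())
```

The three scenarios are the ones a validation plan typically walks through: in the normal case the output drops the instant either channel opens and stays off after the gate closes until a fresh reset edge; in the stuck-channel case the discrepancy timer latches a fault, the first reset press only acknowledges it, and the second press restarts; in the welded-contactor case the reset is refused because the feedback never proves the contactors off.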

Practical PL design checklist

To support PL claims using a Safety PLC, engineers commonly verify:

  • Category selection:
    • Category 3: redundancy with diagnostic measures; a single fault shall not lead to loss of the safety function and, where reasonably practicable, shall be detected.
    • Category 4: redundancy plus high diagnostic coverage; a single fault shall be detected at or before the next demand, and an accumulation of undetected faults shall not lead to loss of the safety function.
  • MTTFd for sensors and final elements (contactors, valves, drives), usually derived from B10d and the switching frequency for electromechanical parts.
  • DCavg from diagnostics (Safety PLC self-tests, EDM, input discrepancy monitoring).
  • CCF score ≥ 65 (ISO 13849-1 Annex F provides a points-based checklist; the threshold applies to Categories 2, 3, and 4).
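The checklist above is the input to the ISO 13849-1 simplified procedure, and the following added example (not code from the article or any vendor) works through it for one subsystem: parts-count MTTFd per channel and the symmetrisation of unequal channels (Annex D), DCavg (Annex E), the 65-point CCF threshold (Annex F) and the Category/DCavg/MTTFd lookup (Table 7). The component names, MTTFd values and DC figures are constructed placeholders; real values come from the manufacturer's data or from B10d and the actual switching frequency.

```python
# Added example (not from the article): the ISO 13849-1 simplified procedure
# for one subsystem. Parts-count MTTFd per channel (Annex D), symmetrisation
# of unequal channels (Annex D), DCavg (Annex E), CCF threshold of 65 points
# (Annex F) and the Category/DCavg/MTTFd table (Table 7). Component figures
# below are constructed, not vendor data.

def channel_mttfd(components):
    """Parts count: 1/MTTFd_channel = sum(1/MTTFd_i).
    components: list of (name, mttfd_years, dc_fraction)."""
    return 1.0 / sum(1.0 / m for _, m, _ in components)

def symmetrize(m1, m2):
    """Annex D: two unequal redundant channels -> one equivalent MTTFd per channel."""
    return (2.0 / 3.0) * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))

def dc_avg(components):
    """Annex E: DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    num = sum(dc / m for _, m, dc in components)
    den = sum(1.0 / m for _, m, _ in components)
    return round(num / den, 6)   # rounding keeps 0.99 from drifting below a band edge

def mttfd_band(mttfd, category):
    """Per-channel MTTFd bands; the standard caps the usable value at 100 years
    (2500 years for Category 4). Below 3 years no PL can be claimed."""
    m = min(mttfd, 2500.0 if category == 4 else 100.0)
    if m < 3.0:
        return None
    if m < 10.0:
        return "low"
    if m < 30.0:
        return "medium"
    return "high"

def dc_band(dc):
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"

# Table 7: (category, DCavg band, MTTFd band) -> PL. Missing keys are
# combinations the standard does not allow (e.g. Category 3 with no diagnostics).
PL_TABLE = {
    ("B", "none", "low"): "a", ("B", "none", "medium"): "b", ("B", "none", "high"): "b",
    (1, "none", "high"): "c",
    (2, "low", "low"): "a", (2, "low", "medium"): "b", (2, "low", "high"): "c",
    (2, "medium", "low"): "b", (2, "medium", "medium"): "c", (2, "medium", "high"): "d",
    (3, "low", "low"): "b", (3, "low", "medium"): "c", (3, "low", "high"): "d",
    (3, "medium", "low"): "c", (3, "medium", "medium"): "d", (3, "medium", "high"): "d",
    (4, "high", "high"): "e",
}

def performance_level(category, channel1, channel2=None, ccf_score=0):
    """Return (PL letter or None, details) for a subsystem.
    channel1/channel2: component lists as for channel_mttfd (channel2 only for
    Category 3/4). ccf_score: Annex F points; Categories 2-4 need >= 65."""
    m = channel_mttfd(channel1)
    if channel2:
        m = symmetrize(m, channel_mttfd(channel2))
    m = round(m, 6)
    dc = dc_avg(channel1 + (channel2 or []))
    details = {"mttfd_per_channel": m, "mttfd_band": mttfd_band(m, category),
               "dc_avg": dc, "dc_band": dc_band(dc), "ccf_score": ccf_score}
    if category in (2, 3, 4) and ccf_score < 65:
        details["reason"] = "CCF score below 65 points"
        return None, details
    key_dc = "none" if category in ("B", 1) else details["dc_band"]
    pl = PL_TABLE.get((category, key_dc, details["mttfd_band"]))
    if pl is None:
        details["reason"] = "Category/DCavg/MTTFd combination not permitted by Table 7"
    return pl, details

# Constructed output subsystem: two contactors in series, each with an NC
# auxiliary contact read back by the Safety PLC (EDM gives DC 99 %).
K1 = [("K1 contactor", 50.0, 0.99)]
K2 = [("K2 contactor", 50.0, 0.99)]
K2_NO_EDM = [("K2 contactor", 50.0, 0.0)]

if __name__ == "__main__":
    print(performance_level(4, K1, K2, ccf_score=70))         # PL e
    print(performance_level(4, K1, K2, ccf_score=50))         # None: CCF too low
    print(performance_level(3, K1, K2_NO_EDM, ccf_score=70))  # None: DCavg 49.5 % is "none"
```

Two things the numbers make visible: the same two contactors reach PL e only while the CCF checklist scores at least 65, and leaving the EDM feedback off one of them drags DCavg below 60 %, which is not a permitted combination for Category 3 at all rather than merely a lower PL.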

SIL vs PL: Choosing the Right Approach (and Understanding the Mapping)

In machinery, both IEC 62061 (SIL) and ISO 13849-1 (PL) are accepted routes to design and validate safety-related control systems. Many organizations standardize on one approach to simplify documentation and training.

Key differences in practice

  • ISO 13849-1 (PL) tends to be more component- and architecture-focused with practical categories.
  • IEC 62061 (SIL) is more explicitly probabilistic and aligned with IEC 61508 lifecycle concepts.

Mapping and equivalence (use with care)

ISO 13849-1 includes informative guidance (Table 4) that relates PL to SIL, and many engineers reference the common approximate relationship:

  • PL a: no SIL correspondence
  • PL b ≈ SIL 1
  • PL c ≈ SIL 1
  • PL d ≈ SIL 2
  • PL e ≈ SIL 3

This is not a strict equivalence. You should not “convert” a PL claim into a SIL claim without the appropriate analysis method. Instead, select the standard based on project requirements, customer expectations, and regulatory context—and then perform the required calculations and validation under that standard.

What to specify when buying a Safety PLC

When selecting Safety PLC hardware for a machine or line, look for published compliance and data such as:

  • Certification to IEC 61508 (SIL 3 capable) and/or suitability for IEC 62061
  • Support for ISO 13849-1 up to PL e (Cat. 4) as applicable
  • Safety I/O ratings and constraints (test pulse behavior, input filtering, output types)
  • Safety communication certifications (e.g., PROFIsafe, CIP Safety)
  • Availability of a safety manual, FMEDA/report data, and parameter tables for calculations

Practical Implementation Tips: Designing, Verifying, and Maintaining Safety Functions

A Safety PLC project isn’t complete when the program downloads. Functional safety requires verification, validation, and ongoing control.

1) Start with risk assessment and required integrity

For machinery, risk estimation and risk reduction are guided by ISO 12100 (risk assessment principles). From there:

  • Use ISO 13849-1 to determine PLr (required PL), or
  • Use IEC 62061 to determine the required SIL/SILCL.

Define each safety function clearly, for example:

  • “Opening gate G1 shall initiate Stop Category 0 and remove torque within 200 ms.”

2) Use proven safety function blocks and documented wiring

Safety PLC vendors provide certified blocks for functions such as:

  • E-stop with manual reset
  • Guard door monitoring with restart interlock
  • Two-hand control per ISO 13851
  • Muting (typically for material flow past light curtains)
  • EDM for contactor monitoring

Best practices include:

  • Dual-channel wiring where required by the architecture
  • Clear separation of safety and standard wiring (as practical)
  • Correct use of shield termination and grounding for noise immunity

3) Validate diagnostics and response times

Validation should confirm:

  • Fault detection behavior (e.g., short between channels, stuck input, welded contactor)
  • Correct reset logic (no unexpected restart)
  • Safety response time meets the stopping distance requirements (especially for guards and presence-sensing devices)

Response time is a system property: sensor response + Safety PLC response (input filtering, scan time, and any safety network transmission) + output reaction (contactor drop-out or drive stop command) + machine stopping time.
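Carrying that sum through to an installation check, here is an added example that is not code from the article: it totals the four terms of the response-time budget and then applies the ISO 13855 minimum separation distance for a vertical light curtain (S = K·T + C, with C = 8·(d − 14) for detection capability d ≤ 40 mm, K = 2000 mm/s first and 1600 mm/s if the result exceeds 500 mm), and compares both against an installed distance and a specified stop time such as the 200 ms in the gate example above. All timing and resolution figures are constructed for illustration.

```python
# Added example (not from the article): carrying the response-time sum
# through to the minimum separation distance of a vertical light curtain per
# ISO 13855 (S = K*T + C, with the d <= 40 mm constant C = 8*(d - 14)).
# All timing and resolution figures are constructed for illustration.

def response_time_s(sensor_s, logic_s, output_s, machine_stop_s):
    """Overall stopping performance T: detection + Safety PLC (incl. I/O and
    any safety network) + contactor/drive reaction + machine stopping time."""
    return sensor_s + logic_s + output_s + machine_stop_s

def light_curtain_min_distance_mm(t_s, detection_capability_mm):
    """ISO 13855 for vertical ESPE with detection capability d <= 40 mm:
    S = 2000*T + 8*(d - 14), not less than 100 mm; if that exceeds 500 mm,
    S = 1600*T + 8*(d - 14), not less than 500 mm."""
    if detection_capability_mm > 40:
        raise ValueError("this formula covers detection capability <= 40 mm only")
    c = max(8.0 * (detection_capability_mm - 14.0), 0.0)
    s = max(2000.0 * t_s + c, 100.0)
    if s > 500.0:
        s = max(1600.0 * t_s + c, 500.0)
    return s

def check_installation(installed_mm, timings_s, detection_capability_mm, spec_limit_s=None):
    """Compare an installed light-curtain distance and, optionally, a specified
    safety-function time (e.g. 'remove torque within 200 ms') against the
    measured budget. Returns a dict the validation record can quote."""
    t = response_time_s(*timings_s)
    s_min = light_curtain_min_distance_mm(t, detection_capability_mm)
    return {
        "response_time_s": round(t, 4),
        "min_distance_mm": s_min,
        "distance_ok": installed_mm >= s_min,
        "time_limit_ok": None if spec_limit_s is None else t <= spec_limit_s,
    }

# Constructed budget: curtain 15 ms, Safety PLC + safety I/O 20 ms,
# contactor drop-out 30 ms, machine coasting to stop 150 ms; 30 mm resolution.
EXAMPLE_TIMINGS_S = (0.015, 0.020, 0.030, 0.150)

if __name__ == "__main__":
    print(check_installation(450, EXAMPLE_TIMINGS_S, 30, spec_limit_s=0.200))
    print(check_installation(520, (0.015, 0.020, 0.030, 0.100), 30, spec_limit_s=0.200))
```

With the constructed 215 ms budget the first pass of the formula gives 558 mm, so the 1600 mm/s rule applies and the minimum becomes 500 mm; a curtain mounted at 450 mm fails, as does the 200 ms specification. Shaving 50 ms off the machine stopping time, the term the controls engineer has least influence over, is what brings both checks back into range, which is why the machine's own stopping performance has to be measured rather than assumed.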

4) Plan proof testing and lifecycle management

Even in machinery, periodic inspection and testing are common and often required by internal procedures or regulations. Establish:

  • Functional test intervals (e.g., verify E-stops, gate switches, light curtains)
  • Replacement intervals for wear components (contactors, relays)
  • Change control for safety logic (revision control, password management, documented approvals)

Functional safety depends heavily on controlling systematic failures—errors in design, programming, configuration, and maintenance.

Conclusion

Safety PLCs are powerful tools for implementing functional safety, but SIL and Performance Levels are achieved by the entire safety function, not by the controller alone. By grounding your design in recognized standards—IEC 61508/IEC 62061 for SIL and ISO 13849-1 for PL—and by applying disciplined architecture, diagnostics, verification, and lifecycle practices, engineers can build safety systems that are both compliant and practical to maintain.

For industrial electrical engineers and technicians, the most reliable path is consistent: start with risk assessment (ISO 12100), define clear safety functions, select certified components with published safety data, and validate that the real machine behavior (fault response, stopping performance, diagnostics) matches the required SIL/PL targets.