We get a version of this question almost every week: “Your light curtain says PL e — so my emergency-stop function is PL e, right?” The honest answer is “not necessarily, and probably not.” That gap — between the rating printed on a component and the rating of the safety function it sits inside — is where a surprising amount of machine-safety paperwork quietly falls apart.
This article explains what PL and SIL actually are, what inputs decide them, how the two scales relate, and the handful of mistakes that cause real functions to come in below the level their designers assumed. It is not a substitute for the standards themselves or for a competent safety engineer — but it should let you read a safety calculation without taking anything on faith.
Two standards, one question
A safety function — “when the light curtain is broken, the machine stops” — has to be reliable. Both major machinery standards exist to quantify that reliability so it stops being a matter of opinion.
ISO 13849-1 gives you the Performance Level, written PL a through PL e. PL e is the highest. This is the standard most machine builders reach for first, because its method is approachable and there is good software tooling for it.
IEC 62061 gives you the Safety Integrity Level, written SIL 1 through SIL 3 in the machinery context. It is the machine-sector application of IEC 61508, the broad functional-safety standard that also underpins the process industries. SIL 4 exists in IEC 61508 but is essentially never required on machinery.
Here is the important part: they measure the same thing. Both ultimately resolve to PFHd — the average probability of a dangerous failure per hour. That shared currency is what lets a PL rating and a SIL rating be compared at all.
How the two scales line up
| Performance Level (ISO 13849-1) | SIL (IEC 62061) | PFHd — dangerous failures per hour |
|---|---|---|
| PL a | — | 10⁻⁵ to 10⁻⁴ |
| PL b | SIL 1 | 3×10⁻⁶ to 10⁻⁵ |
| PL c | SIL 1 | 10⁻⁶ to 3×10⁻⁶ |
| PL d | SIL 2 | 10⁻⁷ to 10⁻⁶ |
| PL e | SIL 3 | 10⁻⁸ to 10⁻⁷ |
Each step down the table is roughly a factor of ten in reliability. A PL e function is about ten times less likely to fail dangerously in a given hour than a PL d function. That factor-of-ten intuition is worth holding onto, because it explains why combining components is not free — the failure probabilities add up.
What actually determines the Performance Level
Under ISO 13849-1, the PL of a subsystem is not a single number you look up. It is built from several inputs:
- Category (B, 1, 2, 3, 4) — the structural architecture. Category B and 1 are single-channel. Category 3 adds a second channel so a single fault does not cause loss of the safety function. Category 4 adds enough monitoring that faults are detected before they accumulate. This is the backbone of the rating.
- MTTFd — mean time to dangerous failure of each channel, classified as low, medium or high. It is a property of the components and how hard they are worked.
- DC — diagnostic coverage — what fraction of dangerous failures the system detects itself, rated none, low, medium or high.
- CCF — common cause failure — a scored checklist proving that one shared cause (a wiring error, a power surge, a temperature extreme) cannot knock out both redundant channels at once.
You combine Category, MTTFd and DC using the chart in the standard to read off the PL, then confirm the CCF score clears the minimum. The CCF step is the one people skip — and skipping it is dangerous, because redundancy that shares a common failure cause is not really redundancy.
A worked example — and the mistake hiding in it
Take a simple safety function: a light curtain guards a robot cell; when a beam is broken, the robot stops. The chain has three subsystems.
- Input — the safety light curtain. A Type 4 curtain to IEC 61496 is, by design, capable of PL e.
- Logic — a safety relay or safety PLC that evaluates the curtain's OSSD outputs. A properly applied dual-channel safety relay can also reach PL e.
- Output — the contactors or drive that actually remove power or motion. This is where functions quietly fail.
If the output stage is a single contactor with no feedback monitoring, that subsystem might only reach PL c. And the PL of the whole function cannot exceed the PL of its weakest subsystem — so the headline result is PL c, regardless of the PL e printed on the light curtain. The fix is well known: use two contactors in series, monitor them with an EDM (external device monitoring) feedback loop into the safety logic, and the output subsystem can reach PL e too.
How much PL do you actually need?
The required PL is not a free choice — it comes from the risk assessment. ISO 13849-1 provides a risk graph that takes three parameters: the severity of the potential injury (reversible or irreversible), the frequency and duration of exposure to the hazard, and the possibility of avoiding the hazard once it occurs. Feed those in and the graph returns a required PL — the PLr — for that function.
A hazard that can cause an irreversible injury, with frequent exposure and little chance of avoidance, lands at PLr e. That is why presses, robot cells and similar high-energy machinery so often demand PL e. A lower-energy hazard with rare exposure may only call for PL c. Designing to PL e everywhere “to be safe” is not actually conservative — it just wastes money and can over-complicate a system to the point where it is harder to maintain. Match the PL to the assessed risk.
ISO 13849-1 or IEC 62061 — which one?
A fair question, and our answer is opinionated. For the kind of safety functions most machine builders deal with — light curtains, interlocked guards, emergency stops, two-hand controls, all assembled from a sensor, a safety relay or safety PLC and contactors — ISO 13849-1 is the practical default. The category-and-MTTFd method is mature, well-tooled, and readily accepted by notified bodies.
IEC 62061 earns its place when the safety function is complex, heavily programmable, or electronically intricate enough that the detailed IEC 61508-style probabilistic treatment genuinely adds value. The 2021 revision of IEC 62061 widened its scope beyond purely electrical systems, narrowing the old gap between the two standards. One firm rule regardless of choice: do not mix the two methods within a single safety function. Pick one framework per function and stay inside it.
Common mistakes
Reading the component label as the function rating. Covered above, and worth repeating because it is that common. PL e on a curtain box is a capability, not a result.
Skipping the CCF checklist. Two channels that share a power supply, a cable route, or an environmental weakness can fail together. CCF scoring exists to catch that. A calculation that shows Category 3 architecture but never scores CCF is incomplete.
Forgetting the output stage. Engineers lavish attention on the sensor and the logic and then wire the result to a single unmonitored contactor. The output is a full subsystem and needs its own treatment — usually two monitored contactors with EDM feedback. Our light curtain and safety relay wiring guide shows the EDM loop in practice.
Ignoring response time. The PL tells you how reliably the function works; it says nothing about howfast. Those are separate requirements. A perfectly PL e function still injures someone if it is mounted closer than the ISO 13855 safety distance allows. Reliability and timing are both mandatory — see our ISO 13855 safety-distance guide.
Where DAIDISIKE products sit
For completeness, since you may be reading this on our site: the DQA safety light curtain is a Type 4 device to IEC 61496 and is rated for use in PL e / SIL 3 functions, and the DA31 safety relay provides the dual-channel logic stage with EDM feedback. Those ratings describe what the components are capable of. The PL your machine achieves still depends on the whole chain and your risk assessment — and our engineering team is happy to review a safety function with you rather than just quote a part.
The bottom line
PL and SIL are two scales for the same idea — how reliably a safety function reduces risk — and they map cleanly through PFHd. Pick ISO 13849-1 for ordinary machine functions, reach for IEC 62061 when complexity demands it, and never mix the methods. Above all, remember that the rating you care about is the rating of the function, not the rating on the box. Evaluate the whole chain, score the CCF, and respect the output stage. Do that and the paperwork survives the audit.