ISO 13849 Performance Level Calculation: Step-by-Step Guide

Step-by-step guide to calculating Performance Levels per ISO 13849-1 including category selection, MTTFd, DCavg, CCF, and SISTEMA tool usage.

Published on August 2, 2025

ISO 13849 Performance Level Calculation

This article provides a detailed, authoritative, step-by-step guide to calculating Performance Levels (PL) per EN ISO 13849-1:2015 for safety-related parts of control systems (SRP/CS). It explains the full workflow from risk assessment and required PL (PLr) through architecture selection, MTTFd and DCavg calculation, common cause failure (CCF) considerations, and final verification using tables or tools such as SISTEMA. The guidance reflects the normative requirements, practical calculation techniques, and industry best practices engineers need to produce auditable documentation for CE marking and machine safety compliance.

Key Concepts

Understanding the technical foundation and the normative framework is essential before attempting PL calculations. EN ISO 13849-1:2015 uses a discrete scale (PL a through e) to express the capability of a safety function in terms of the average probability of dangerous failure per hour (PFHd). The PL combines architecture (category), component reliability (MTTFd), diagnostic effectiveness (DCavg), and the mitigation of common cause failures (CCF).

Performance Levels and PFHd Ranges

EN ISO 13849-1:2015 defines PLs and their corresponding PFHd ranges. These quantitative thresholds are central to verifying that a designed SRP/CS meets the PL required by the risk assessment:

Performance Level (PL)   PFHd (average probability of dangerous failure per hour)
a                        ≥ 1×10⁻⁵ to < 1×10⁻⁴
b                        ≥ 3×10⁻⁶ to < 1×10⁻⁵
c                        ≥ 1×10⁻⁶ to < 3×10⁻⁶
d                        ≥ 1×10⁻⁷ to < 1×10⁻⁶
e                        ≥ 1×10⁻⁸ to < 1×10⁻⁷

These ranges originate from Annex K (Table K.1) of EN ISO 13849-1 and serve as the target when you calculate the PFHd of the safety function (see EN ISO 13849-1:2015).

Core Parameters: Category, MTTFd, DCavg, CCF

  • Category (architecture) — Defines structural features such as redundancy and diagnostics: B, 1, 2, 3, and 4 (where Categories 3 and 4 are redundant; 4 is fault tolerant against accumulation).
  • MTTFd (Mean Time To Dangerous Failure) — Derived from component failure data such as B10d or manufacturer MTTFd values. ISO 13849 defines qualitative bands: Low (10–30 years), Medium (30–100 years), High (>100 years). In practice you compute subsystem MTTFd from series/parallel combinations or use SISTEMA for aggregation.
  • DCavg (Average Diagnostic Coverage) — The proportion of dangerous failures detected by implemented diagnostics. DC categories map to ranges: None (0–60%), Low (60–90%), Medium (90–99%), High (≥99%).
  • CCF (Common Cause Failure) — For redundant architectures, EN ISO 13849 requires a CCF evaluation (20-point check) and typically a score of ≥65% before the CCF measures can be credited. If the CCF measures are insufficient, the achieved PL decreases.

Standards Context

EN ISO 13849-1:2015 is the machinery-specific functional safety standard for control systems. It complements EN ISO 12100 (general risk assessment) and EN ISO 13849-2 (validation and verification, including component selection rules). For safety-related drive and motion control, EN 62061 (SIL) is an alternative method; IEC 61508 provides the broader functional safety framework. Use ISO 13849-1 when designing SRP/CS for machines, and document conformity to the relevant clauses (risk graph, PLr determination, PL verification) as part of the technical file.

Implementation Guide

The PL design and verification process follows a structured workflow. The following step-by-step method aligns with ISO 13849-1:2015 clauses and Annex K guidance and reflects practical usage of SISTEMA and manufacturer data.

Step 1 — Risk Assessment and Required PL (PLr)

Perform a thorough risk assessment using EN ISO 12100 principles and the ISO 13849 risk graph to determine required PL (PLr) for each safety function. The risk graph uses three parameters: Severity (S), Frequency/Exposure (F), and Possibility of Avoidance (P). For example, an S2 (severe or fatal), F2 (frequent exposure), P2 (difficult to avoid) typically returns PLr = e or d depending on the combination. Document the rationale and the risk graph outcomes for every safety function (see EN ISO 13849-1).

Step 2 — Define Safety Functions and Boundaries

Break each safety function into clear inputs, logic, outputs, and system boundaries. Treat sensors, logic controllers, and actuators as separate subsystems. This modular approach simplifies MTTFd aggregation, DC assignment, and allows targeted use of certified components with published B10d or MTTFd values.

Step 3 — Select Architecture / Category

Choose an architecture consistent with the PLr. As a rule of thumb:

  • PL a–b: Category B/1 or 2 may be sufficient.
  • PL c: Category 2 or 3 depending on MTTFd/DC metrics.
  • PL d–e: Category 3 or 4, with high MTTFd and high DCavg and effective CCF measures.

Prefer Cat. 3 or 4 for high-risk applications. Document channel separation, physical diversity, and monitoring strategies used to meet CCF requirements.

Step 4 — Calculate MTTFd for Subsystems

Obtain MTTFd data from component datasheets (B10d conversions) or manufacturer libraries. Convert B10d to MTTFd using MTTFd = 0.7 × B10d / (3600 × operations per hour) when required by the reference. Use table aggregation methods from ISO 13849-1 for series/parallel configurations, or use SISTEMA to compute composite MTTFd. Record the resulting MTTFd band (low/medium/high) for each subsystem.

Step 5 — Determine DCavg

Assign diagnostic coverage to each subsystem based on the implemented diagnostics (self-test, cross-monitoring, periodic tests). Estimate DCavg numerically when possible (for example, cross-channel comparison with plausibility checks often achieves DC > 90%). Where exact numeric DC is not available, use the standard DC bands defined by ISO 13849-1. Combine subsystem DCs to obtain the averaged DC for the entire SRP/CS function.

Step 6 — Evaluate and Mitigate CCF

For redundant architectures, perform the 20-point CCF checklist (or use SISTEMA's CCF assessment). Required CCF mitigation measures include physical separation, separate power supplies, diverse component technologies, and independent software stacks. Achieve a CCF score ≥65% to use the higher PL results from Table K.1; if not achievable, the designer must lower expectations or redesign.

Step 7 — Compute PL and Verify Against PLr

With category, MTTFd band, and DCavg determined (and CCF evaluated), determine the achieved PL using Table K.1 of EN ISO 13849-1 or by running SISTEMA. If PL achieved < PLr, iterate: increase redundancy, improve diagnostics, select components with higher MTTFd, or improve CCF measures.
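As an added worked example (not code from the original article and not part of SISTEMA), the following Python carries Steps 4, 5 and 7 through for a constructed two-channel Category 3 stop function; it also illustrates the B10d handling discussed under Practical Calculation Details below. The formulas are those of EN ISO 13849-1:2015: Annex C for the B10d conversion (MTTFd = B10d / (0.1 × nop), with nop = dop × hop × 3600 / tcycle), Annex D for series combination, the per-channel cap and the symmetrisation of two unequal channels, Annex E for DCavg, and Table 7 for the simplified PL lookup. The MTTFd band limits used here are those of Table 6 (3, 10, 30 and 100 years), which differ from the bands quoted in the Key Concepts summary above; confirm the limits against your copy of the standard before relying on either. All component values, the mission profile and the DC figures are constructed for the example, not vendor data.

```python
"""Added worked example: Steps 4, 5 and 7 of the PL workflow for a Category 3 function.
Formulas from EN ISO 13849-1:2015 Annexes C, D, E and Table 7; all inputs constructed."""
from typing import Dict, Optional, Sequence, Tuple

CCF_PASS_SCORE = 65             # Annex F: score needed to credit CCF measures (Cat 2/3/4)
MTTFD_CAP_YEARS = {"4": 2500.0}  # 2015 edition: Cat 4 channel cap 2500 years, else 100
MTTFD_CAP_DEFAULT = 100.0

# Table 7 simplified procedure: (category, DCavg band) -> {MTTFd band: PL}.
# None marks a combination the simplified procedure does not cover.
TABLE_7: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def operations_per_year(dop: float, hop: float, tcycle_s: float) -> float:
    """Annex C: nop = dop [days/year] * hop [hours/day] * 3600 / tcycle [s]."""
    return dop * hop * 3600.0 / tcycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """Annex C: MTTFd [years] = B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def series_mttfd(parts: Sequence[float]) -> float:
    """Annex D: parts in series within one channel combine as 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in parts)


def symmetrise(c1: float, c2: float) -> float:
    """Annex D: equivalent per-channel MTTFd for two unequal channels C1 and C2."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def dcavg(parts: Sequence[Tuple[float, float]]) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over (MTTFd_i, DC_i)."""
    return sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts)


def mttfd_band(years: float) -> Optional[str]:
    """Table 6 bands; below 3 years no PL can be claimed."""
    if years < 3.0:
        return None
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    """Table 5 bands for diagnostic coverage given as a fraction (0.99 = 99 %)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def achieved_pl(category: str, channel_mttfd: float, dc: float,
                ccf_score: int = 100) -> Optional[str]:
    """Step 7: simplified PL lookup; None means redesign or a full Annex K evaluation."""
    if category in ("2", "3", "4") and ccf_score < CCF_PASS_SCORE:
        return None  # redundancy cannot be credited without adequate CCF measures
    years = min(channel_mttfd, MTTFD_CAP_YEARS.get(category, MTTFD_CAP_DEFAULT))
    mb, db = mttfd_band(years), dc_band(dc)
    if mb is None:
        return None
    if category == "3" and db == "high":
        db = "medium"  # conservative choice in this example: Table 7 has no Cat 3 / high column
    return TABLE_7.get((category, db), {}).get(mb)


def evaluate_example() -> Dict[str, object]:
    """Constructed Cat 3 two-channel stop: one contactor plus one monitored controller per channel."""
    nop = operations_per_year(dop=365, hop=16, tcycle_s=300)   # constructed mission profile
    contactor = mttfd_from_b10d(b10d=1.3e6, nop=nop)          # constructed B10d value
    controller = 100.0                                         # constructed library value, years
    ch1 = series_mttfd([contactor, controller])
    ch2 = ch1                                                  # identical channels
    channel = symmetrise(ch1, ch2)
    dc = dcavg([(contactor, 0.99), (controller, 0.90)])        # constructed DC per part
    return {
        "nop": nop,
        "mttfd_contactor_years": contactor,
        "mttfd_channel_years": channel,
        "mttfd_band": mttfd_band(min(channel, MTTFD_CAP_DEFAULT)),
        "dcavg": dc,
        "dc_band": dc_band(dc),
        "pl": achieved_pl("3", channel, dc, ccf_score=70),
    }


if __name__ == "__main__":
    print(evaluate_example())
```

With the constructed inputs the contactor works out at roughly 185 years, the channel at about 65 years (high band), DCavg at about 93 % (medium), and Category 3 with medium DCavg and high MTTFd gives PL d. Changing the CCF score to below 65 makes `achieved_pl` return None, which is the "lower expectations or redesign" branch of Step 6. A None result elsewhere signals a combination that the simplified table does not cover and that needs a full Annex K evaluation; the SISTEMA file remains the artefact auditors expect.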

Step 8 — Validation, Documentation, and Testing

Validate the implemented system per EN ISO 13849-2:2012. Produce a comprehensive safety file including the risk assessment, SRS, architecture diagrams, B10d/MTTFd sources, SISTEMA calculation files, and verification test protocols. Conduct periodic functional testing and maintain records for audits and CE marking.

Practical Calculation Details

MTTFd Calculation and Bands

MTTFd drives the PFHd result. Practically:

  • Use manufacturer MTTFd or B10d data for electromechanical devices. Typical B10d values for mechanical switches and relays range from 10⁶ to 10⁷ operations, producing MTTFd values that commonly fall into the medium band for typical mission profiles.
  • Electronic devices (PLCs, safety controllers) often publish MTTFd classes (High >100 years for some safety-rated modules). Verify the data against EN ISO 13849-2 component selection guidance.
  • Mission time affects PFHd; ISO 13849 typically assumes a mission time up to 20 years unless specified otherwise. Ensure mission time selection matches lifecycle expectations.

Diagnostic Coverage (DC) — How to Estimate

Quantify DC by assessing the detection mechanisms implemented. Examples:

  • Periodic manual testing only: low DC (60–90%) depending on interval.
  • Automatic cross-channel monitoring with watchdogs and plausibility checks: medium to high DC (90–99%+).
  • Built-in self-tests in certified safety modules: often documented with precise DC estimates in vendor libraries used by SISTEMA.

Using SISTEMA: Practical Tips

SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) is the recommended, free tool for computing PLs and PFHd per EN ISO 13849-1. Use SISTEMA to model block diagrams, input B10d/MTTFd values, DCavg, and to run the CCF checklist. As of 2024, SISTEMA version 2.x supports ISO 13849-1:2015 and includes vendor libraries for Pilz, ABB, Eaton, and Schneider, with ready-made component MTTFd/DC values (verify vendor library version prior to audit).

Practical tips:

  • Model each sensor/logic/actuator as separate blocks to preserve traceability.
  • Use vendor libraries for certified modules to avoid manual errors in B10d/MTTFd.
  • Save SISTEMA files as part of the safety file; auditors expect these artifacts.
  • Use SISTEMA output plots to demonstrate PFHd vs mission time behavior when required.

Best Practices

Effective PL design balances conservative assumptions with practical engineering. Apply the following proven recommendations from industry resources and standards interpretations.

Design and Component Selection

  • Prefer certified safety components with published B10d and MTTFd data. Certification reduces uncertainty in numeric inputs (Pilz, ABB, Eaton libraries are commonly used).
  • Favor architectures with redundancy and diagnostic coverage appropriate to PLr. For PL d or e select Cat. 3 or 4 with high MTTFd and high DCavg.
  • Implement physical separation of redundant channels and independent power supplies where feasible to score highly on the CCF checklist.

Documentation and Auditing

  • Maintain a complete safety file: risk assessment, SRS, architecture diagrams, component datasheets, SISTEMA files, verification test reports, and maintenance procedures.
  • Use SISTEMA outputs and vendor libraries as evidence; auditors commonly request these files during conformity assessment.
  • Document mission time assumptions and periodic test regimes used to determine DCavg.

Common Pitfalls to Avoid

  • Using incorrect B10d values or mixing lifetime and hourly failure rates without proper conversion.
  • Overlooking CCF for redundant systems—lack of CCF mitigation can substantially reduce achieved PL.
  • Assuming software-only diagnostics yield high DC without independent hardware measures.
  • Neglecting maintenance and proof-test intervals that materially affect PFHd estimates for components with wear-out modes.

Comparison Tables and Manufacturer Compatibility

Below is a practical comparison of how requirements and characteristics map to architecture categories (B–2, 3 and 4).

Redundancy
  Category B–2: Generally single-channel or simple redundancy
  Category 3:   Redundant channels; single fault tolerance
  Category 4:   Redundant channels; tolerance to accumulation of faults

Fault Monitoring
  Category B–2: Limited diagnostic checks
  Category 3:   Cross-monitoring; diagnostics to detect single faults
  Category 4:   Extensive diagnostics; detection and limitation of fault accumulation

Typical PL achievable
  Category B–2: a–c (depending on MTTFd/DC)
  Category 3:   c–d (with sufficient MTTFd/DC)
  Category 4:   d–e (with high MTTFd/DC and CCF measures)

CCF considerations
  Category B–2: Typically not applicable
  Category 3:   Required evaluation; mitigations often necessary
  Category 4:   Strict evaluation; design must demonstrate tolerance
