How to determine Performance Level (PLr) according to ISO 13849-1
Date: 08/06/2026
Ensuring machinery safety goes well beyond selecting a protective device. Standards bodies and regulators require engineers to demonstrate, quantitatively, that each safety-relevant function in a control system reduces risk to an acceptable level. Failure to do so can result in regulatory non-compliance, liability exposure, and—most critically—harm to operators.
Two internationally recognized frameworks are commonly used for this purpose:
- Performance Level (PL), defined in ISO 13849-1
- Safety Integrity Level (SIL), defined in IEC 62061 and IEC 61508
Both frameworks aim to reduce the probability of dangerous failures in safety-related control systems. However, they use different approaches and terminology.
This article focuses primarily on Performance Level (PL) and how machine designers determine the required level for a safety function.
What is a safety function?
Definition – ISO 13849-1
A safety function is a function intended to maintain the machine in a safe state or to bring it into a safe state in relation to a specific hazard. Its failure may lead to an increase in risk. Each safety function should be defined and assessed individually.
A well-defined safety function specifies:
- The hazardous condition it addresses,
- The triggering event or input signal,
- The required safe state the machine must reach upon activation.

Example
If the joystick is released or fails (input signal), the machine shall stop all arm/bucket movement immediately (safe state), preventing risk of collision or crush injury (hazard).
👍 Good to know
Each safety function must be defined, linked to a specific hazard, and evaluated independently before any performance level compliance assessment begins. Bundling multiple hazard scenarios into a single safety function is a common and consequential error.
Risk assessment according to ISO 13849-1
Determining the required Performance Level (PLr) always begins with a risk assessment.
According to ISO 13849-1, risk estimation is based on three parameters:
Parameter | Meaning | Assessment |
S | Severity of injury | S1 — Reversible injury (cuts, bruises); S2 — Irreversible injury or death |
F | Frequency and/or duration of exposure | F1 — Seldom to infrequent exposure; F2 — Frequent to continuous exposure |
P | Possibility of avoiding or limiting the hazard | P1 — Possible under specific conditions; P2 — Scarcely possible |
How to calculate performance level (PLr)
The process follows these steps:
- Identify all hazardous situations associated with the machine throughout its lifecycle.
- Define each safety function clearly: input, output, and the specific hazard it addresses.
- Assess S, F, and P for each safety function based on realistic worst-case operating conditions.
- Read the PLr from the ISO 13849-1 risk estimation graph.
- Design the SRP/CS (Safety-Related Parts of the Control System) to achieve a PL ≥ PLr.

👍 Good to know
Each safety function is assessed independently.
A single machine may have multiple safety functions, each with a different PLr.
👉 The outcome is the required performance level (PLr) for the individual safety function.
Example
Joystick Control on a mobile machine
Consider the following safety function on a mobile work machine: If the joystick is released or fails, all machine arm/bucket movement must stop immediately.
The PLr calculation will be:
- Severity: unintended arm/bucket movement can cause crushing or collision injuries, including fatal outcomes. → S2 (serious/irreversible)
- Frequency: the operator uses the joystick continuously throughout the working shift. Exposure to the hazard is frequent and sustained. → F2 (frequent/continuous)
- Avoidance: unintended movement is visually detectable; the operator can react and stop the machine before impact in most scenarios. → P1 (avoidance possible under specific conditions)
As a result: S2 / F2 / P1 → PLr = d
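The steps above, carried through for a small register of safety functions, as an added example that is not part of the original article or any APEM tooling. The class, function names, the second safety function and the claimed PL values are hypothetical; the additive rule is a shorthand assumed here to reproduce the eight branches of the ISO 13849-1 risk graph, including the article's S2 / F2 / P1 → d.

```python
from dataclasses import dataclass

PL_ORDER = "abcde"  # performance levels, lowest to highest

@dataclass(frozen=True)
class SafetyFunction:
    name: str
    hazard: str      # hazardous condition addressed
    trigger: str     # triggering event or input signal
    safe_state: str  # state the machine must reach on activation
    s: int           # 1 = reversible injury, 2 = irreversible injury or death
    f: int           # 1 = seldom/infrequent, 2 = frequent/continuous
    p: int           # 1 = avoidable under specific conditions, 2 = scarcely possible

def required_pl(fn: SafetyFunction) -> str:
    """Return PLr for one fully defined safety function."""
    for field in ("hazard", "trigger", "safe_state"):
        if not getattr(fn, field).strip():
            raise ValueError(f"{fn.name}: '{field}' is not defined")
    for label, value in (("S", fn.s), ("F", fn.f), ("P", fn.p)):
        if value not in (1, 2):
            raise ValueError(f"{fn.name}: {label} must be 1 or 2, got {value!r}")
    # Arithmetic shorthand for the eight branches of the risk graph:
    # S2 moves the result up two levels, F2 and P2 one level each.
    return PL_ORDER[2 * (fn.s - 1) + (fn.f - 1) + (fn.p - 1)]

def shortfalls(functions, achieved):
    """Map name -> (PLr, claimed PL) where the design misses PL >= PLr."""
    missing = {}
    for fn in functions:
        plr = required_pl(fn)
        pl = achieved.get(fn.name)  # None: no PL demonstrated yet
        if pl is None or PL_ORDER.index(pl) < PL_ORDER.index(plr):
            missing[fn.name] = (plr, pl)
    return missing

# The joystick function is the article's example; the second one is constructed.
JOYSTICK = SafetyFunction("joystick_stop", "crushing or collision by arm/bucket",
                          "joystick released or failed", "all arm/bucket movement stopped",
                          s=2, f=2, p=1)
SERVICE_HATCH = SafetyFunction("service_hatch_interlock", "contact with moving belt",
                               "hatch opened", "belt drive stopped", s=1, f=1, p=2)
ACHIEVED = {"joystick_stop": "c", "service_hatch_interlock": "b"}  # constructed claims

if __name__ == "__main__":
    for fn in (JOYSTICK, SERVICE_HATCH):
        print(fn.name, "PLr =", required_pl(fn))
    print("shortfalls:", shortfalls([JOYSTICK, SERVICE_HATCH], ACHIEVED))
```

Each function is rated on its own, so the register flags the joystick channel (claimed c against a required d) while the second function passes at b.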
How components contribute to the overall Performance Level
In functional safety, the Required Performance Level (PLr) is assigned to the safety function as a whole. Individual components and sub-systems contribute to achieving this level through their reliability and diagnostic capabilities. A component breakdown is necessary because the safety requirements of a system can vary depending on the components involved and how they interact within the application.
In some applications, it is sufficient to inform the operator that maintenance is required. In others, a contingency strategy may be implemented in parallel. In more critical situations, an automatic response must be triggered. For example, the system may restrict the speed at which a heavy or specialized vehicle can be maneuvered.

Verification and validation, what ISO 13849 says
Once the required PLr is defined, the safety function must be designed accordingly. Claiming a Performance Level is not sufficient—ISO 13849-1 requires both verification (proving the design meets PLr analytically) and validation (confirming correct behavior under real conditions).
This involves analytical calculations using MTTFd, DCavg, CCF (and the resulting PFHd), plus functional validation testing on sub-systems and the machine. Tools like SISTEMA can support this demonstration and the evidence behind it.
- Calculate MTTFd (Mean Time to Dangerous Failure)
- Evaluate Diagnostic Coverage (DCavg)
- Assess Common Cause Failures (CCF) and the resulting PFHd (Probability of Dangerous Failure per Hour)
The role of APEM in Functional Safety
APEM supports machine manufacturers by providing reliable HMI components and technical data required for functional safety analysis.
This includes:
- MTTFd values
- Reliability information
- Safety-oriented product architectures
- Robust HMI solutions for harsh environments
These elements help engineers design systems capable of meeting the required Performance Level for their applications.
Required Performance Level calculation: summary
Determining the required Performance Level (PLr) or Safety Integrity Level is a structured, standards-governed process—not an estimation. For machinery applications governed by ISO 13849-1, the workflow is consistent: define each safety function, assess its risk using the S/F/P parameters, read PLr from the risk graph, then design and verify an SRP/CS architecture that achieves PL ≥ PLr.
Every component in the safety chain carries weight in this calculation. Joysticks, pushbuttons, and enabling devices with manufacturer-declared MTTFd values are not interchangeable with undocumented alternatives—the data supports the calculation, and the calculation supports the demonstration that the required level has been achieved.
🔔 Key takeaway:
Safety level determination begins at the hazard, not at the component. But it is ultimately implemented—and limited—by the components chosen. Selecting components with traceable, standards-compliant safety data is as important as the architectural decisions that surround them.