Safety Related Parts of Control Systems, Part 1: General principles for design.
ISO 13849-1 is a revised version of EN 954-1.
The complex mathematical formulas of system reliability theory were replaced with pre-calculated tables.
Some concepts of EN 954 were retained, e.g. categories, redundancy, monitoring.
A number were modified, e.g. the risk graph and the selection of Categories.
The role of Categories is no longer as crucial as it was in EN 954-1.
To assess the resistance to dangerous failure, the Category concept is replaced by the Performance Level (PL), i.e. the ability of the safety-related machine
control system (hereinafter called SRP/CS) to assure protection in specified operating conditions.
The parameter used to evaluate the PL of the safety-related system is the Average probability of dangerous failure/hour.
A failure is considered to be dangerous where it inhibits the system protection function if undetected.
There are 5 levels, PLa to PLe.
The greater the contribution to reducing risk, the lower the Average probability of dangerous failure/hour.
PL is a function of control system architecture, component reliability, ability to promptly detect internal failures potentially affecting the safety function and
quality of the design.
The table below summarizes the mandatory qualitative and quantitative requirements to be met for safe control system design to ISO 13849-1.
See also glossary
To claim a given PL, in addition to evaluating the Average probability of dangerous failure/hour for the control system in question, it is also necessary
to prove compliance with the quality requirements specified by the standard.
The claimed PL must be validated using ISO 13849-2 (Safety Related Parts of Control Systems, Part 2: Validation), which defines procedures, tests and analysis for
the assessment of:
• Safety function provided
• Category attained
• Performance level reached.
IMPORTANT! 
Average Probability of Dangerous Failure/Hour is only one of the parameters contributing to assignment of PL.
To obtain a PL rating, it is also mandatory to prove and substantiate having considered and complied with all requirements, including:
• Monitoring of systematic failures
• Using robust and reliable components (in line with Product Standards if available)
• Working according to good engineering practice
• Considering the environmental conditions in which the safety-related system will operate
• In the case of new software, adopting all organizational aspects of the V-type development model shown in Figure 6 of the Standard
ISO 13849-1 and meeting the development requirements for application and built-in software.
Design of an SRP/CS as per ISO 13849-1 may be summarized in the following eight steps:
1 – Identification of the safety-related function through risk analysis
2 – Assignment of the Performance Level required (PLr) through the risk graph
3 – Selection of system structure (architecture) and self-diagnostic techniques
4 – Technical development of control system
5 – Calculation of MTTFd, DCavg and verification of CCF
6 – Calculation of PL using Table 5
7 – Verification of PL (if calculated PL is below PLr return to Step 3)
8 – Validation.
Identification of the safety function and assignment of the Performance Level required (PLr)
For each safety-related function identified (see ISO 14121 – Risk Assessment) the designer of the SRP/CS decides the contribution to risk reduction
to be provided, i.e. PLr.
This contribution does not cover the overall machine risk but only the part of the risk related to the application of the safety function in question.
Parameter PLr represents the Performance Level required for the safety-related function in question.
Parameter PL represents the Performance Level of the implementing hardware.
The PL of the hardware must be equal to or higher than the specified PLr.
A tree-type decision graph is used to find the contribution to risk reduction that must be provided by the safety-related function, leading to unambiguous
identification of PLr.
If more than one safety-related function is identified, PLr shall be determined for each of them.
Note: contrary to EN 954-1 as regards Categories, here PLrs are strictly “hierarchical”:
PLr(e) provides the greatest contribution to risk reduction, whereas PLr(a) makes the lowest contribution.
Design of the safety related control system and evaluation of the PL
After deciding on the PLr needed, a suitable SRP/CS is designed, calculating the resulting PL and ensuring that it is higher than or equal to PLr.
Fig. 3 shows that, to obtain the PL, the Average probability of dangerous failure/hour of the SRP/CS designed must be calculated.
The Average probability of dangerous failure/hour for a safety-related control system may be estimated in various ways.
Using such methods implies that for each component the following are known:
• Failure rate (λ)
• Percent distribution of the failure rate over all component failure modes (e.g. if for a positive action switch the failure modes are “the contact will not open
when required” in 20% of cases and “the contact will not close when required” in 80% of cases, this gives: will not open = λ x 0.2, will not close = λ x 0.8)
• The effect of each failure on safety-related system performance (e.g. dangerous failure = λd, or non-dangerous failure = λs)
• Percent of dangerous failures detected (by the automatic self-diagnostic techniques implemented) out of total dangerous failures: λdd = λd x DC
• Percent of dangerous failures not detected (by the automatic self-diagnostic techniques implemented) out of total dangerous failures: λdu = λd x (1 – DC)
ISO 13849-1 simplifies the calculation by providing a table based on Markov modelling in which the average probability of dangerous failure per hour is pre-calculated
for various Category combinations and range values of MTTFd and DCavg, which are in turn obtained using the tables below.
Denotation of MTTFd    Range of MTTFd
Low                    3 years ≤ MTTFd < 10 years
Medium                 10 years ≤ MTTFd < 30 years
High                   30 years ≤ MTTFd < 100 years

Denotation of DCavg    Range of value DC / DCavg
None                   DC < 60%
Low                    60% ≤ DC < 90%
Medium                 90% ≤ DC < 99%
High                   99% ≤ DC
The problem is thus reduced to: selecting the architecture, calculating DCavg in relation to the self-diagnostic techniques implemented, calculating the simplified
MTTFd of the circuit designed and verifying compliance with the requirements for independent channel operation (CCF) for redundant architectures (Cat. 2, 3 and 4).
The combination of Category plus DCavg adopted is shown in one of the seven columns of Fig. 5 of ISO 13849-1. The calculated MTTFd determines which part
of the column is to be considered. The corresponding PL is shown on the left of the table.

The part of the column selected may include two or three possible values of PL, e.g. for Cat. 3, DCavg = Medium and MTTFd = Low, the following three
values are possible: PLb, PLc, PLd. In these cases, to obtain the correct PL, use is made of Table K.1 of Annex K of the Standard (not shown), which provides
detailed values of the Average probability of dangerous failure per hour and PL in relation to the actual value of MTTFd and the Category-plus-DCavg combination
implemented.
The Standard may be adopted only if the control system is designed using one (or more) of the five architectures specified.
Each architecture corresponds to one of the Categories defined in EN 954-1.
For systems designed to EN 954-1, category selection is directly linked to risk through the risk graph.
ISO 13849-1 is more flexible, as several options are available for each Performance Level specified.
An example is given in Table 5 where for a system having PL of “c” the following five alternatives are possible:
1. Category 3 with MTTFd = Low and DCavg medium.
2. Category 3 with MTTFd = Medium and DCavg low.
3. Category 2 with MTTFd = Medium and DCavg medium.
4. Category 2 with MTTFd = High and DCavg low.
5. Category 1 with MTTFd = High.
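The following Python script is an added worked example, not code from the page or from ISO 13849-1. It carries the failure-rate bookkeeping of the bullets above (λ split into λd and λs by failure mode, λdd = λd x DC, λdu = λd x (1 – DC)) through the denotation table (MTTFd and DCavg bands) to the simplified PL lookup and the PL ≥ PLr check of steps 5 to 7. The component figures are constructed for illustration. The DCavg formula for a channel (each component's DC weighted by its λd) and the TABLE_5 cells are reproduced from my knowledge of the standard's Annex E and Table 5, since the page quotes only the five PL c alternatives; the treatment of MTTFd values of 100 years or more as High follows the standard's 100-year cap, which the page does not state. Check those against the standard before relying on them.

```python
"""Added example (not code from the page or from ISO 13849-1): failure-rate
bookkeeping -> MTTFd / DCavg bands -> simplified PL lookup -> PLr check.

Assumptions (not on the page): failure rates are in failures per hour and
MTTFd = 1 / lambda_d; MTTFd of 100 years or more is treated as High (the
standard's cap); DCavg of a channel is the lambda_d-weighted mean of the
component DCs (Annex E form); TABLE_5 is reproduced from memory of Table 5.
"""

HOURS_PER_YEAR = 8760
PL_ORDER = "abcde"  # PL e gives the greatest contribution to risk reduction


def split_failure_rate(lam, mode_shares, dangerous_modes, dc):
    """Split a component's total failure rate lam (1/h) into
    (lambda_d, lambda_s, lambda_dd, lambda_du) as in the page's bullets:
    lambda_dd = lambda_d * DC and lambda_du = lambda_d * (1 - DC)."""
    if abs(sum(mode_shares.values()) - 1.0) > 1e-9:
        raise ValueError("failure-mode shares must sum to 100 %")
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must lie between 0 and 1")
    lam_d = sum(lam * share for mode, share in mode_shares.items()
                if mode in dangerous_modes)
    lam_s = lam - lam_d
    return lam_d, lam_s, lam_d * dc, lam_d * (1.0 - dc)


def mttfd_years(lam_d):
    """Mean time to dangerous failure in years for lambda_d in 1/h."""
    return 1.0 / (lam_d * HOURS_PER_YEAR)


def channel_mttfd_and_dcavg(components):
    """components: list of (lambda_d, DC) for the parts of one channel.
    Dangerous failure rates add up (parts-count method); DCavg weights each
    DC by its component's lambda_d, i.e. sum(lambda_dd) / sum(lambda_d)."""
    total_d = sum(lam_d for lam_d, _ in components)
    total_dd = sum(lam_d * dc for lam_d, dc in components)
    return mttfd_years(total_d), total_dd / total_d


def mttfd_band(years):
    """Denotation of MTTFd per the page's table; None below 3 years."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"  # 30..100 years, and values capped at 100 years (assumption)


def dc_band(dc):
    """Denotation of DC / DCavg per the page's table."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# (Category, DCavg band) -> {MTTFd band: PL}; None marks a cell the simplified
# procedure does not cover. Reproduced from memory of Table 5 (assumption).
TABLE_5 = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def performance_level(category, mttfd_yrs, dcavg):
    """Step 6: read PL from the Category / DCavg column and the MTTFd row.
    Returns None when the combination is not covered by the table."""
    column = TABLE_5.get((category, dc_band(dcavg)))
    row = mttfd_band(mttfd_yrs)
    if column is None or row is None:
        return None
    return column[row]


def meets_plr(pl, plr):
    """Step 7: the PL reached must be equal to or higher than PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    # Constructed figures, not measured data: the page's positive-action
    # switch (20 % will-not-open, 80 % will-not-close; only will-not-open is
    # dangerous) plus a second component in the same channel.
    sw_d, sw_s, sw_dd, sw_du = split_failure_rate(
        1.0e-5, {"will_not_open": 0.2, "will_not_close": 0.8},
        {"will_not_open"}, dc=0.90)
    second = (1.0e-6, 0.99)  # (lambda_d, DC) of the second component
    mttfd, dcavg = channel_mttfd_and_dcavg([(sw_d, 0.90), second])
    pl = performance_level("3", mttfd, dcavg)
    print(f"switch: lambda_d={sw_d:.1e} lambda_s={sw_s:.1e} "
          f"lambda_dd={sw_dd:.1e} lambda_du={sw_du:.1e}")
    print(f"channel: MTTFd={mttfd:.1f} years ({mttfd_band(mttfd)}), "
          f"DCavg={dcavg:.2f} ({dc_band(dcavg)}), Cat. 3 -> PL {pl}")
    print("PLr c met:", meets_plr(pl, "c"))
```

With the constructed figures the channel lands at MTTFd ≈ 38 years (High) and DCavg = 0.93 (Medium), so a Category 3 structure reaches PL d and satisfies a PLr of c; the same function reproduces each of the five PL c alternatives listed above when fed the corresponding Category, MTTFd band and DCavg band.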
Combination of several SRP/CS to achieve the overall PL
The safety-related function may include one or more SRP/CSs, and several safety-related functions may use the same SRP/CSs.
Individual SRP/CSs could also be obtained using other architectures.
Where the safety-related function is obtained by a series connection of several SRP/CSs, e.g. safety light curtain, control logic, power output, and for each
of these the PL is known, the Standard provides a simple method for calculating the overall PL:
Locate the part with PL = PL low
Find the number of parts having PL = PL low
Enter data in the following table to obtain total PL

The PL obtained using this table refers to reliability values at the mid-position of each of the intervals in Table 3 of ISO 13849-1.
We have: PL low = d, N low = 1 (< 3)
Therefore: PL total = d
and the average probability of dangerous failure per hour for the entire system will be a number somewhere between 1 x 10^-6 and 1 x 10^-7 (see Table
3 of ISO 13849-1).
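The following Python script is an added example, not the page's or the standard's own code, implementing the three-step series combination just described (locate PL low, count N low, read the table) and the final look-up of the probability band. The combination table that the page refers to but does not print is reproduced in TABLE_11 from my knowledge of ISO 13849-1 Table 11, and PFH_BANDS reproduces its Table 3; check both against the standard before relying on them. The SRP/CS chain is constructed for illustration and reproduces the page's case of PL low = d with N low = 1.

```python
"""Added example (not code from the page or from ISO 13849-1): overall PL of
SRP/CSs connected in series, with the combination table reproduced from
memory (assumption) because the page refers to it without printing it.
"""

PL_ORDER = "abcde"  # PL e gives the greatest contribution to risk reduction

# PL_low -> (N_low threshold, PL when N_low > threshold, PL when N_low <= threshold).
# None: more than three PL a parts in series is not covered by the procedure.
# Reproduced from memory of Table 11 of ISO 13849-1 (assumption).
TABLE_11 = {
    "a": (3, None, "a"),
    "b": (2, "a", "b"),
    "c": (2, "b", "c"),
    "d": (3, "c", "d"),
    "e": (3, "d", "e"),
}

# PL -> [lower, upper) bound of the average probability of dangerous failure
# per hour, reproduced from memory of Table 3 of ISO 13849-1 (assumption).
PFH_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def combine_series(part_pls):
    """Overall PL of SRP/CSs in series, following the page's three steps:
    1. locate the part with the lowest PL (PL_low);
    2. count how many parts sit at PL_low (N_low);
    3. read the overall PL from the table for that PL_low and N_low."""
    if not part_pls:
        raise ValueError("at least one SRP/CS is needed")
    for pl in part_pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown PL {pl!r}")
    pl_low = min(part_pls, key=PL_ORDER.index)
    n_low = part_pls.count(pl_low)
    threshold, above, at_or_below = TABLE_11[pl_low]
    return above if n_low > threshold else at_or_below


def pfh_range(pl):
    """Interval of average probability of dangerous failure per hour for a PL."""
    return PFH_BANDS[pl]


if __name__ == "__main__":
    # Constructed chain: light curtain PL e -> safety logic PL d -> power output PL e.
    chain = ["e", "d", "e"]
    pl = combine_series(chain)  # PL_low = d, N_low = 1 -> overall PL d, as on the page
    low, high = pfh_range(pl)
    print(f"parts {chain}: overall PL {pl}, PFH in [{low:.0e}, {high:.0e}) per hour")
```

Note the degradation the table encodes: three PL c parts in series combine to PL b, and four PL e parts drop to PL d, so adding parts to a chain never raises the overall PL and can lower it.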