The most significant attribute of a Performance Level is the structure of the circuit, or Category. Table 5 in ISO 13849-1 defines the types of components and the principles that are used to design a safety circuit for each Category, together with the MTTFD (mean time to dangerous failure) of each channel, the average diagnostic coverage (DCavg), and whether common cause failure (CCF) has to be addressed.
Table 5 – Overview of Requirements for Categories

Category | Summary of Requirements | System Behavior | Principle Used to Achieve Safety | MTTFD of Each Channel | DCavg | CCF |
---|---|---|---|---|---|---|
B (see 6.1.3.2.2) | Either subsystems or their protective equipment, or both, as well as their components, shall be designed, constructed, selected, assembled, and combined in accordance with relevant standards so that they can withstand the expected influences. Basic safety principles shall be used. | The occurrence of a fault can lead to loss of the safety function. | Mainly characterized by selection of components | Low to medium | None | Not relevant |
1 (see 6.1.3.2.3) | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than for Category B. | Mainly characterized by selection of components | High | None | Not relevant |
2 (see 6.1.3.2.4) | Requirements of B and the use of well-tried safety principles shall apply. Subsystems shall be tested at suitable intervals. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
3 (see 6.1.3.2.5) | Requirements of B and the use of well-tried safety principles shall apply. Subsystems shall be designed so that (a) a single fault in any of these parts does not lead to the loss of the safety function, and (b) whenever reasonably practicable, the single fault is detected. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
4 (see 6.1.3.2.6) | Requirements of B and the use of well-tried safety principles shall apply. Subsystems shall be designed so that (a) a single fault in any of these parts does not lead to the loss of the safety function, and (b) the single fault is detected at or before the next demand upon the safety function; if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function. | When a single fault occurs, the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure | High | High, including accumulation of faults | See Annex F |
Categories of control are used to define different circuit structures of safety control systems and are defined by the relationships between input, logic, and output portions of the circuit. In general, the structure of a circuit is classified based on whether the circuit is of a single channel or dual channel design, whether or not diagnostics are implemented, and how well the diagnostics work to detect failures in the circuit.
Another important concept that goes along with the circuit structure is fault tolerance. A non-redundant valve has no fault tolerance: if a single valve is used to shut off flow and that valve fails open, the safety function is lost. Adding redundancy can provide fault tolerance, but it must be implemented properly, and the correct arrangement depends on the direction of the dangerous failure. A safe exhaust valve combines two safety functions, blocking supply and exhausting downstream pressure. The blocking function should be redundant in series: if one device sticks open, the other can still shut off flow. This is single-fault tolerance. The exhaust function should be redundant in parallel: if the first device fails closed, the second can still open to exhaust, again giving a fault tolerance of 1. Put the blocking elements in parallel instead and a single element stuck open defeats the function, so redundancy alone guarantees nothing. For a safe exhaust valve whose function is to block supply and exhaust downstream pressure, series blocking with parallel exhaust is a well-tried concept. Fault tolerance combined with good diagnostics is what makes a true fail-to-safe system.
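The following is an added example, not code from the original article or from ISO 13849-1. It models each valve element as either healthy or stuck in its dangerous position on demand, and enumerates fault combinations to find the smallest number of simultaneous element faults that defeats each function. The topology names, function names and the "stuck opposite to the commanded position" failure model are assumptions made for the illustration; it goes slightly beyond the text by also computing the tolerance of the wrong arrangements and of more than two elements.

```python
"""Fault tolerance of series vs. parallel redundancy in a safe-exhaust valve.

Added example (not from ISO 13849-1 or the article). Model assumptions:
- an element is a two-position valve that is either healthy or "stuck",
  and a stuck element sits in the position opposite to what the demand
  commands (the dangerous direction for that function);
- flow passes a SERIES path only if every element is open, and passes a
  PARALLEL path if any element is open.
"""
from itertools import combinations


def flow_passes(topology, positions):
    """Hydraulic/pneumatic view of the path given each element's position."""
    if topology == "series":
        return all(p == "open" for p in positions)
    if topology == "parallel":
        return any(p == "open" for p in positions)
    raise ValueError(f"unknown topology {topology!r}")


def positions_on_demand(commanded, faulty, n):
    """Healthy elements follow the command; faulty ones are stuck the other way."""
    stuck = "open" if commanded == "closed" else "closed"
    return [stuck if i in faulty else commanded for i in range(n)]


def function_performed(function, topology, faulty, n):
    """Is the safety function still achieved on demand with these element faults?

    block   : command all elements CLOSED, success means NO flow passes.
    exhaust : command all elements OPEN,   success means flow DOES pass.
    """
    if function == "block":
        return not flow_passes(topology, positions_on_demand("closed", faulty, n))
    if function == "exhaust":
        return flow_passes(topology, positions_on_demand("open", faulty, n))
    raise ValueError(f"unknown function {function!r}")


def fault_tolerance(function, topology, n):
    """Fault tolerance = (smallest number of simultaneous faults that loses
    the function) - 1. Enumerates every subset of faulty elements in order of
    size, so the first losing subset gives the answer."""
    for k in range(n + 1):
        for faulty in combinations(range(n), k):
            if not function_performed(function, topology, set(faulty), n):
                return k - 1
    return n  # unreachable for n >= 1: all elements stuck always loses


if __name__ == "__main__":
    designs = [
        ("block", "series", 1), ("block", "series", 2), ("block", "parallel", 2),
        ("exhaust", "parallel", 1), ("exhaust", "parallel", 2), ("exhaust", "series", 2),
    ]
    for fn, topo, n in designs:
        print(f"{fn:8s} {topo:9s} x{n}: fault tolerance = {fault_tolerance(fn, topo, n)}")
```

Running it shows that two blocking elements in series and two exhaust elements in parallel each tolerate one fault, while the same two elements in the opposite arrangement tolerate none, exactly like a single valve.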
Categories B, 1, and 2 have a single-channel structure with differing levels of reliability. Category 2 is further differentiated from B and 1 by the addition of diagnostics (the periodic check) to the circuit. In a single-channel structure, a single fault within the system can lead to a dangerous failure, and that fault can occur in the input, logic, or output device. At Category 2 this dangerous fault must be detected and indicated by the check, although the safety function may be lost between checks. The function blocks below represent Categories B, 1, and 2.

Categories 3 and 4 have dual-channel structures, with Category 4 requiring the highest level of reliability and diagnostics. A dual-channel (redundant) structure allows the second channel to perform the safety function if a failure occurs within the other channel. The level of diagnostics determines which faults are detected and whether an accumulation of faults can lead to the loss of the safety function (Category 3) or whether this accumulation is not allowed (Category 4). Accumulation of faults can happen when a fault is not detected (masked) until another fault occurs. Masking of faults is dangerous because, after the first fault, the system is essentially running as a single-channel system without anyone knowing it. For example, with a number of guard interlocks wired in series, a short across one contact of one interlock goes unnoticed as long as that door stays closed or some other door is opened (both channels still open together); it is only detected when that specific interlocked door is opened on its own and the two channels disagree. A second short on the same door's other channel would then mean that door opens with no stop at all.
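The following is an added example, not code from the original article, that simulates the fault-masking scenario above. It models N guard doors, each with a two-channel interlock, wired as two series chains into a monitoring device; the monitoring rule assumed here is the usual one for a two-channel safety relay (drop the outputs if either chain opens, flag a fault if the two chains disagree on a demand). The door names, the `shorts` set and the open-door sequence are constructed inputs, not data from the page.

```python
"""Fault masking in series-wired two-channel guard interlocks.

Added example (not from the article). Assumed monitoring logic, typical of a
two-channel safety relay:
- STOP  : the outputs drop if either series chain is open;
- FAULT : the device declares a fault when the two chains disagree
          (one open, one closed) on a demand.
A short across a contact makes that contact read CLOSED regardless of the
door, which is the dangerous failure mode of an interlock switch contact.
"""


def chain_closed(doors, shorts, channel):
    """A series chain is closed only if every contact in it reads closed.
    `doors` maps door name -> True if closed; `shorts` is a set of
    (door, channel) pairs whose contact is bridged."""
    return all(is_closed or (name, channel) in shorts
               for name, is_closed in doors.items())


def evaluate(doors, shorts):
    """Return (stop, fault) for the current door states and wiring faults."""
    ch1 = chain_closed(doors, shorts, 1)
    ch2 = chain_closed(doors, shorts, 2)
    stop = not (ch1 and ch2)   # any open chain removes the enable
    fault = ch1 != ch2         # discrepancy between channels
    return stop, fault


def run_sequence(door_names, shorts, opened_doors):
    """Open exactly one door per step (all others closed) and record, per
    step, (door, stop, fault)."""
    results = []
    for d in opened_doors:
        doors = {name: True for name in door_names}
        doors[d] = False
        stop, fault = evaluate(doors, shorts)
        results.append((d, stop, fault))
    return results


def steps_until_detected(door_names, shorts, opened_doors):
    """Number of door openings the fault survives undetected, or None if the
    whole sequence completes without the fault ever being flagged."""
    for i, (_, _, fault) in enumerate(run_sequence(door_names, shorts, opened_doors)):
        if fault:
            return i
    return None


if __name__ == "__main__":
    doors = ["A", "B", "C"]
    # Constructed scenario: channel 1 of door B's interlock is shorted.
    single_short = {("B", 1)}
    for d, stop, fault in run_sequence(doors, single_short, ["A", "C", "A", "B"]):
        print(f"open {d}: stop={stop} fault={fault}")
    # Accumulated fault: both channels of door B shorted -> door B opens, no stop.
    for d, stop, fault in run_sequence(doors, {("B", 1), ("B", 2)}, ["B"]):
        print(f"open {d} with both channels shorted: stop={stop} fault={fault}")
```

The first loop shows the machine stopping correctly, with no fault flagged, every time door A or C is opened: the short on door B is masked, and the circuit is protecting door B with a single channel. The fault surfaces only on the step that opens door B. The second loop shows what happens if the second channel fails before that: door B opens and nothing stops.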

The required system category, derived from the risk assessment, is achieved most easily by using input, logic, and output devices that are each rated at or above that category. The system as a whole, however, is limited to the lowest category among its input, logic, and output devices; a Category 4 logic solver does not raise a Category 1 output device to Category 4.