5 Safety requirements and protective measures
5.1 General
5.2 Safety-related control system performance (hardware/software)
5.3 Design and installation
5.4 Limiting robot motion
5.5 Layout
5.6 Robot system operational mode application
5.7 Pendants
5.8 Maintenance and repair
5.9 Integrated manufacturing system (IMS) interface
5.10 Safeguarding
5.11 Collaborative robot operation
5.12 Commissioning of robot systems
5 Safety requirements and protective measures
5.1 General
The integration of robot systems and cells shall comply with the requirements of this part of ISO 10218. In
addition, the robot cell or robot line shall be designed according to the principles of ISO 12100 for relevant
hazards that are not specifically dealt with by this part of ISO 10218 (e.g. sharp edges). The design of the
robot system should follow ergonomic principles to ensure that it is easy to operate and maintain. The robot
system shall be designed to avoid exposing personnel to hazards.
NOTE 1 Not all of the hazards identified by this part of ISO 10218 apply to every robot system, nor will the level of risk
associated with a given hazardous situation be the same from robot system to robot system.
NOTE 2 Recommended methods of verification of various requirements in this clause are found in Clause 6.
5.2 Safety-related control system performance (hardware/software)
5.2.1 General
Safety-related control systems (electric, hydraulic, pneumatic and software) shall comply with 5.2.2, unless the
results of the risk assessment determine that an alternative performance criterion as described in 5.2.3 is
appropriate. The safety-related control system performance of the robot system and any furnished equipment
shall be clearly stated in the information for use.
NOTE 1 Safety-related control systems can also be called SRP/CS (safety-related parts of control systems).
For the purposes of this part of ISO 10218, safety-related control system performance is stated as:
- Performance Levels (PL) and categories as described in ISO 13849-1:2006, 4.5.1;
- Safety Integrity Levels (SIL) and hardware fault tolerance requirements as described in IEC 62061:2005,
5.2.4.
Those two standards address functional safety in similar but different methods. Requirements in those
standards should be used for the respective safety-related control systems for which they are intended. The
designer may choose to use either of the two standards. The data and criteria necessary to determine the
safety-related control system performance shall be included in the information for use.
NOTE 2 The comparison with ISO 13849-1 and IEC 62061 is described in ISO/TR 23849.
Other standards offering alternative performance requirements, such as the term “control reliability” used in
North America, may also be used. When using these alternative standards to design safety-related control
systems, an equivalent level of risk reduction shall be achieved.
Any failure of the safety-related control system shall result in a stop category 0 or 1 in accordance with
IEC 60204-1.
5.2.2 Performance requirement
Safety-related parts of control systems shall be designed so that they comply with PL=d with structure
category 3 as described in ISO 13849-1:2006, or so that they comply with SIL 2 with hardware fault tolerance
of 1 with a proof test interval of not less than 20 years as described in IEC 62061:2005.
This means in particular:
a) a single fault in any of these parts does not lead to the loss of the safety function,
b) whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the
safety function,
c) when the single fault occurs, the safety function is always performed and a safe state shall be maintained
until the detected fault is corrected,
d) all reasonably foreseeable faults shall be detected.
The requirements a) to d) are considered to be equivalent to structure category 3 as described in
ISO 13849-1:2006.
NOTE The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the
accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine.
5.2.3 Other control system performance criteria
The results of a comprehensive risk assessment performed on the robot system and its intended application
may determine that a safety-related control system performance other than that stated in 5.2.2 is warranted
for the application.
Selection of one of these other safety-related performance criteria shall be specifically identified, and
appropriate limitations and cautions shall be included in the information for use provided with the affected
equipment.
5.3 Design and installation
5.3.1 Environmental conditions
The robot system and protective measures of the robot cell shall be designed taking into account
environmental conditions like surrounding temperature, humidity, electro-magnetic disturbances, lighting, etc.
These can lead to some requirements for the surrounding environment due to technical restrictions.
The robot and robot system and cell components shall be chosen to withstand the expected operational and
environmental conditions.
5.3.2 Location of controls
Operational controls and equipment (e.g. weld controller, pneumatic valves, etc.) requiring access during
automatic operation shall be located outside the safeguarded space forcing a person using the control
actuators to be outside the safeguarded space. Controls and equipment should be placed and constructed so
as to allow a clear view of the robot restricted space.
5.3.3 Actuating controls
Actuating controls shall meet the requirements of IEC 60204-1. The controls shall be designed consistent with
ISO 10218-1. The robot system shall not respond to any external remote commands or conditions that would
cause hazardous situations.
5.3.4 Power requirements
All sources of robot and other equipment power (e.g. pneumatic, hydraulic, mechanical, electrical) shall meet
the requirements as specified by the machine and component manufacturers. Electrical installations shall
meet the requirements of IEC 60204-1. Hydraulic power installations shall meet the requirements of ISO 4413
and pneumatic power installations shall meet those of ISO 4414.
5.3.5 Equipotential bonding/earthing requirements (grounding)
Protective bonding and functional bonding shall meet the requirements of IEC 60204-1.
5.3.6 Isolating sources of energy
Means shall be provided to isolate hazardous energy sources without exposing personnel to a hazard. These
means shall be lockable and/or secured only in the de-energized position.
The robot system should have a single supply disconnecting device for each type of energy source. For
multiple robot or large installations, multiple disconnecting devices for each type of energy can be necessary.
The span of control for each of these devices shall be clearly marked in the vicinity of the handle of the
disconnecting device (e.g. text or symbol).
NOTE Energy sources can be electrical, mechanical, hydraulic, pneumatic, chemical, thermal, potential, kinetic, etc.
5.3.7 Control of stored energy
A means shall be provided for the control of and/or the controlled release of stored hazardous energy. A label
shall be affixed to identify the stored energy hazard.
NOTE 1 Stored energy sources can be air or hydraulic pressure accumulators, capacitors, batteries, springs, counter
balances, flywheels, gravity, etc.
NOTE 2 A hanging axis can create a significant hazard depending on the frequency and duration of exposure
(e.g. standing below the robot arm during setting). It is advisable that mechanical blocking or holding control systems
designed to protect persons exposed to stored hazardous energy have control performance designed in accordance with
5.2.2 or 5.2.3, as determined by the risk assessment.
5.3.8 Robot system and cell stopping functions
5.3.8.1 General
Every robot system or cell shall have a protective stop function and an independent emergency stop function.
The respective functions shall have the ability for the connection of additional protective or emergency stop
devices.
5.3.8.2 Emergency stop function
Each control station capable of initiating motion or other hazardous functions shall have a manually initiated
emergency stop function that complies with the requirements of IEC 60204-1 and ISO 13850.
The actuation of an emergency stop function shall stop all robot motion and other hazardous functions in the
cell, or at the interface between cells and other areas of the workspace.
Robot systems shall have a single emergency stop function affecting all relevant parts of the system. In the
case of larger systems (e.g. multiple robot or multiple cells), a separation of the span of control may be
necessary. In such cases the span of control shall be set according to the requirements of the task(s) to be
performed or characteristics of the system (e.g. equipment structure, position of perimeter safeguarding). The
span of control shall be clearly marked in the vicinity of the emergency stop device (e.g. by text or symbol).
If the restricted spaces of two or more robots overlap, or if two or more robots are accessible within a common
safeguarded space, this space shall be one workspace. All emergency stop devices for a workspace shall
have the same span of control.
The span of control may include multiple workspaces. Information for use shall include information on the
span of control of each emergency stop device.
Robot system emergency stops shall remain functional even if the control station is not active.
Selection of a category 0 or category 1 stop function in accordance with IEC 60204-1 shall be determined
from the risk assessment.
The emergency stop function shall comply with at least the requirements in 5.2.2, unless the risk assessment
determines that another performance criterion is appropriate.
NOTE Some protective stop circuits are automatically bypassed in the manual mode and would not be suitable for
connecting emergency stop devices.
When an emergency stop output signal is provided either:
- the output shall continue to function when the robot system power is removed, or
- if the output does not continue to function when the robot system power supply is removed, an
emergency stop signal shall be generated.
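The workspace and span-of-control rules of 5.3.8.2 can be checked mechanically against a cell configuration. The following C example is added here and is not part of the standard text; the type names, the bit-mask encoding of a span of control and the reading "a device's span covers every robot of its workspace" are assumptions of the example, and the three-robot cell is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ROBOTS 32

/* All type and field names are assumptions of this example. */
typedef struct { int a, b; } shared_t; /* robots a and b overlap or share a safeguarded space */
typedef struct {
    const char *name;
    int at_robot;   /* any robot of the workspace the device is installed for */
    uint32_t span;  /* span of control: bit i set means robot i is stopped */
} estop_t;

enum { SPAN_OK = 0, SPAN_MISSES_ROBOT = 1, SPAN_DIFFERS = 2, SPAN_BAD_INPUT = 4 };

static int root_of(const int *parent, int x) {
    while (parent[x] != x) x = parent[x];
    return x;
}

/* Returns a bit mask of SPAN_* findings, SPAN_OK when the configuration is consistent. */
int check_span(int n_robots, const shared_t *sh, int n_sh, const estop_t *es, int n_es) {
    int parent[MAX_ROBOTS];
    uint32_t ws_mask[MAX_ROBOTS] = {0};
    int findings = SPAN_OK;

    if (n_robots < 1 || n_robots > MAX_ROBOTS) return SPAN_BAD_INPUT;
    for (int i = 0; i < n_robots; i++) parent[i] = i;

    /* Robots with overlapping restricted spaces, or reachable inside a
     * common safeguarded space, are merged into one workspace. */
    for (int i = 0; i < n_sh; i++) {
        if (sh[i].a < 0 || sh[i].a >= n_robots || sh[i].b < 0 || sh[i].b >= n_robots)
            return SPAN_BAD_INPUT;
        parent[root_of(parent, sh[i].a)] = root_of(parent, sh[i].b);
    }
    for (int i = 0; i < n_robots; i++)
        ws_mask[root_of(parent, i)] |= (uint32_t)1 << i;

    for (int i = 0; i < n_es; i++) {
        if (es[i].at_robot < 0 || es[i].at_robot >= n_robots) return SPAN_BAD_INPUT;
        int ws = root_of(parent, es[i].at_robot);
        /* The device has to stop every robot of its own workspace. */
        if ((es[i].span & ws_mask[ws]) != ws_mask[ws]) {
            printf("%s: span 0x%x does not cover workspace 0x%x\n",
                   es[i].name, (unsigned)es[i].span, (unsigned)ws_mask[ws]);
            findings |= SPAN_MISSES_ROBOT;
        }
        /* All devices for one workspace need the same span of control. */
        for (int j = 0; j < i; j++) {
            if (root_of(parent, es[j].at_robot) == ws && es[j].span != es[i].span) {
                printf("%s and %s: same workspace, different span\n",
                       es[j].name, es[i].name);
                findings |= SPAN_DIFFERS;
            }
        }
    }
    return findings;
}

/* Constructed cell: restricted spaces of R0 and R1 overlap, R2 stands alone. */
static const shared_t SHARED[] = { {0, 1} };

int demo_local_only(void) {  /* E1 stops only R0 although R0/R1 are one workspace */
    static const estop_t es[] = { {"E1", 0, 0x1}, {"E2", 1, 0x3}, {"E3", 2, 0x4} };
    return check_span(3, SHARED, 1, es, 3);
}
int demo_unequal(void) {     /* both cover R0/R1, but E2 also stops R2 */
    static const estop_t es[] = { {"E1", 0, 0x3}, {"E2", 1, 0x7}, {"E3", 2, 0x4} };
    return check_span(3, SHARED, 1, es, 3);
}
int demo_consistent(void) {  /* one span per workspace */
    static const estop_t es[] = { {"E1", 0, 0x3}, {"E2", 1, 0x3}, {"E3", 2, 0x4} };
    return check_span(3, SHARED, 1, es, 3);
}
int demo_cell_wide(void) {   /* a span may include several workspaces */
    static const estop_t es[] = { {"E1", 0, 0x7}, {"E2", 1, 0x7}, {"E3", 2, 0x7} };
    return check_span(3, SHARED, 1, es, 3);
}

int main(void) {
    printf("local only: %d\n", demo_local_only());
    printf("unequal:    %d\n", demo_unequal());
    printf("consistent: %d\n", demo_consistent());
    printf("cell wide:  %d\n", demo_cell_wide());
    return 0;
}
```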
5.3.8.3 Protective stop
The robot system shall have one or more protective stop circuits designed for the connection of external
protective devices. Selection of stop category 0 or 1 as described in accordance with IEC 60204-1 shall be
determined by the risk assessment.
Stop category 2 may be applied if the external power drive system complies with IEC 61800-5-2.
This protective stop function shall cause a stop of all robot system motion, and cause cessation of any other
hazardous functions controlled by the robot system. This stop may be initiated manually or by control logic.
The protective stop function performance shall comply with the requirements in 5.2.2 or 5.2.3.
5.3.9 Associated equipment shut-down
The robot system shall be installed so that shut-down of associated equipment does not result in a hazard or
hazardous condition.
5.3.10 End-effector (end of arm tooling) requirements
End-effectors shall be designed and constructed so that:
a) loss or change of energy supply (e.g. electrical, hydraulic, pneumatic, vacuum supply) does not cause
release of the load that would result in a hazardous condition;
b) the static and dynamic forces created by the load and the end-effectors together are within the load
capacity and dynamic response of the robot;
c) wrist plates (mounting flange) and accessories properly align (couple);
d) detachable tools are securely attached while in use;
e) release of detachable tools only occurs in designated locations or under specific, controlled conditions, if
the release could result in a hazardous situation;
f) the end-effector withstands the anticipated forces for its expected life.
When practicable, power can be supplied to end-effectors for troubleshooting without applying motive energy
to the robot actuator(s).
NOTE This feature can be a useful option offered by robot manufacturers; however, it is not a requirement in
ISO 10218-1.
The information for use shall include the intended life of end-effectors, based on expected parameters in
normal operation if the failure of the end-effector would result in a potentially hazardous condition.
Prior to operation of the robot system, the robot tool centre point(s) (TCP) shall be adjusted using the offset
feature provided by the robot manufacturer. Measures to avoid hazardous conditions shall be provided (e.g.
mechanically protected pneumatic or vacuum hoses; self-retaining devices such as spring-loaded additional
grips).
5.3.11 Emergency recovery procedure
The information for use shall include detailed instructions for fault recovery of robot system-related equipment
together with the robot manufacturer's instructions on emergency or abnormal movement of the robot without
drive power. If signs or labels are required, they shall be affixed or instructions for affixing shall be provided.
5.3.12 Warning signs
When warning signs on a robot or other piece of equipment in the system are obscured by the
installation/integration, then other equally effective means of warning shall be provided (e.g. another warning
sign in a visible location).
5.3.13 Lighting
The level of required task lighting shall be identified and specified in the information for use.
The robot system shall be supplied with integral lighting suitable for the operations concerned where the
absence thereof is likely to cause a risk despite ambient lighting of normal intensity. The robot system shall
be designed and constructed so that there is no area of shadow likely to cause nuisance, no irritating dazzle
and no dangerous stroboscopic effects on moving parts due to the lighting. Internal parts requiring frequent
inspection and adjustment, as well as maintenance areas, shall be provided with appropriate lighting.
Illumination shall be at least 500 lx at the area where frequent inspection and adjustment is necessary (see
ISO 8995-1).
NOTE Areas to be considered for lighting include work stations, entry areas, etc.
5.3.14 Application hazards
The integration of the robot system shall also take into account the application's hazards (e.g. fumes, gases,
chemicals, hot materials) associated with the process and tooling (e.g. welding, laser cutting, machining).
Interface requirements to other machines shall follow the guidance of the manufacturer as specified in the
information for use.
5.3.15 Enabling devices
Pendant and additional enabling devices and their integration shall comply with ISO 10218-1 (see Annex D for
additional information).
When more than one person is required to be protected within the safeguarded space, an enabling device
shall be provided to each person. All enabling devices associated with a single robot control shall have the
same functionality (span of control).
Where personnel could be exposed to a hazardous situation (e.g. standing in the restricted space of an
adjoining robot having overlapping restricted spaces while working on auxiliary equipment or other robot)
during manual operation, control systems shall be interlocked such that enabling devices control all hazards in
areas of the cell.
Interlocked hazardous machine functions shall require a separate act to restart after being controlled
(stopped) by the enabling device.
NOTE 1 An interlocking enabling device's span of control depends on layout, the space, the anticipated tasks and the
work locations anticipated for these tasks. Control measures complying with 5.2.2 can be designed to prevent overlapping
robots from being active at the same time during manual operation.
NOTE 2 For process observation, see Annex F.
5.4 Limiting robot motion
5.4.1 General
Robot installations shall be designed and integrated so as to reduce the potential exposure of personnel to
hazards. Robot systems can have a potentially large operating volume (maximum space), particularly when
handling a large workpiece. Locating perimeter guards to safeguard persons from the hazards presented by
the robot system (safeguarded space) at these maximum dimensions could result in enclosure of an
unnecessarily large volume that exceeds the space required by the tasks the robots are required to perform
(operating space). To reduce the safeguarded space, the maximum space can be limited by the provision of
integral or external devices that restrict the movement of the robot system (restricted space).
5.4.2 Establishing safeguarded and restricted spaces
The safeguarded space shall be established by perimeter guarding. This shall be sited with due consideration
of the location and layout of the machines and the hazards within the safeguarded space.
The restricted space of the robot system shall be established by means which limit the motion of the robot,
end-effector, fixture and workpiece. The restricted space should be made smaller than the maximum space.
The restricted space shall be within the safeguarded space and should match the operating space as close as
is reasonably practicable.
The perimeter safeguards shall not be installed closer to the hazard than the restricted space. If the perimeter
safeguard is designed to be the limiting device in accordance with 5.4.3, then the perimeter safeguard
establishes a portion of the boundary for both the safeguarded and restricted spaces.
Additional safeguarding may be needed for operator work stations (e.g. parts loading location). Dynamic
limiting (see 5.4.4), interlocking safeguards, and other safeguards can be used to ensure that an operator is
not exposed to a hazard while at a work station.
5.4.3 Means for limiting motion
Limiting the motion of the robot system may be accomplished by means integral to the robot (e.g. safety-rated
soft axis and space limiting or hard stops provided by the manufacturer), by installing external limiting devices,
or by a combination of both. Limiting means are used to restrict the space in which a robot may perform its
task, i.e. the restricted space is made smaller than the maximum space by use of limiting devices.
Limiting devices fall into two categories: mechanical limiting devices and non-mechanical limiting devices.
Mechanical limiting devices physically restrain the robot from moving beyond a designed limit. Non-
mechanical limiting devices do not limit the robot motion themselves, but rather initiate a stop through the
robot control system. Non-mechanical limiting devices therefore require the integrator to take the robot
stopping distance into account when establishing the restricted space of the robot.
Any associated safety controls connected to the robot controls shall meet the requirements in ISO 10218-1.
The limiting devices shall be correctly adjusted and secured. When a method of limiting the range of motion is
required by the design, it shall comply with one of the following.
- If mechanical stops are provided, they shall meet the requirements for limiting devices in ISO 10218-1
and, when applicable, requirements for dynamic limiting devices in ISO 10218-1.
- If alternative methods of limiting the range of motion are provided, they shall be designed, constructed
and installed to meet at least the requirements for axis limiting in ISO 10218-1. These methods shall
comply with at least the requirements in 5.2.2 unless the risk assessment determines that another
performance criterion is appropriate. The stopping distance associated with the limiting means shall be
included in any calculation of the restricted space. See ISO 10218-1 for information and metric on
stopping time and distance.
When non-mechanical limiting devices are used, including safety-rated soft axis and space limiting
(see ISO 10218-1), the restricted space shall be determined based on the robot with actual load. If the speed
of the robot is limited by a monitoring system satisfying 5.2.2, the restricted space may be based on the
configured speed limit. Otherwise, the restricted space shall be based on the maximum speed of the robot.
If safety-rated soft axis and space limiting features built into the robot are used in accordance with the robot
manufacturer's instructions, information about the programmed limits established by that means shall be
included in the information for use.
In cases where the perimeter guard is designed to be the limiting device, the results of the risk assessment
shall be used to determine the requirements for the design, strength and deflection for that guard.
NOTE 1 For robots designed to compensate speed based on actual load, it is possible for the maximum conditions to
occur when the robot carries less than the rated load.
NOTE 2 The restricted space is defined where the robot motion actually stops, not by where a stop is initiated. This can
be clearly defined by the location of mechanical limiting devices (e.g. hard stops). The location of non-mechanical limiting
devices requires activation time and robot stopping distance to be considered. This includes safety-rated soft axis and
space limiting configurations.
NOTE 3 Devices designed to protect the machine (e.g. over-current protection and collision sensors) are not suitable
as limiting devices unless they are specifically designed, tested and determined to be suitable as a safety device for the
purpose of limiting motion that complies with ISO 10218-1.
NOTE 4 Using a perimeter guard as a limiting device is normally practicable only when robots cannot cause hazardous
deformations of the guard.
5.4.4 Dynamic limiting
Dynamic limiting is the automatically controlled change of a robot system's restricted space that occurs during
a portion of the robot system's cycle. Control devices such as, but not limited to, cam-operated limit switches,
light curtains or control-activated retractable hard stops may be utilized to further limit robot movement within the restricted space while the robot performs its task programme. For this, mechanical limiting devices shall
be capable of stopping the robot motion under rated load and speed conditions. Associated safety-related
control systems shall comply with the performance requirements of 5.2.
The location of the dynamic limiting zones shall be identified in the information for use. For non-mechanical
limiting devices, these shall include both the zone boundary where a stop is initiated and the zone where the
robot actually stops (the restricted space).
NOTE Dynamic limiting can be useful in designing two alternately selectable restricted spaces to increase work cell
productivity by having one robot service two work stations.
5.5 Layout
5.5.1 Perimeter safeguarding
Perimeter safeguarding measures shall be implemented using guards or sensitive protective equipment in
accordance with 5.10. The protective devices selection shall consider:
- the expected operating stresses;
- the influence of the processed material, especially feeding and removing materials from the robot system;
- other relevant external influences (e.g. a very dusty atmosphere precludes the use of an opto-electronic
protective device).
Safety distances over and through mechanical guarding shall meet the requirements in ISO 13857. Minimum
distances from interlocking guards and other trip devices shall meet the requirements in ISO 13855. Where
crushing is prevented by the maintaining of minimum gaps, they shall meet the requirements in ISO 13854.
5.5.2 Access for interventions
When installing a robot system, a task-based risk assessment of the specific installation and anticipated tasks
shall be performed to determine possible trapping or pinch points within the robot restricted space.
Tasks requiring the use of manual high-speed mode shall be provided a minimum clearance of 500 mm. This
clearance is required between the calculated stopping location of the hazard and areas of the building,
structures, perimeter guarding, utilities, other machines and equipment not specifically supporting the robot function that may create trapping or a pinch (see ISO 13854).
EXAMPLE Support for the robot function can include fixtures, load station, material handling equipment and
process-related equipment.
Wherever practicable, the layout shall be designed to allow operator tasks to be performed from outside the
safeguarded space. Where it is necessary to perform tasks within the safeguarded space there shall be safe
and adequate access to the task locations. Access paths and means shall not expose operators to hazards,
including slipping, tripping and falling hazards.
The design for access inside the safeguarded space shall consider, for example:
- cable channels, stumble areas;
- frequency of the required access for manual loading/unloading;
- physical characteristics of the load;
- abidance and observation areas;
- service positions (e.g. tip change);
- easily accessible maintenance units (e.g. outside the safeguarded space).
Permanent means of access shall be provided, taking into account the frequency and the ergonomic aspects
of the task.
Controls (e.g. pendants, robot control cabinets) should be placed near the access means in order to improve
ease of use by the operators. When electrical equipment containing elements that require access (e.g. for
routine service) are mounted above the level of normal reach (e.g. on the roof of machine), a means for
access shall be provided (e.g. a work platform). The results of a risk assessment shall be used to determine
the appropriate means for providing access to the relevant devices between a height of 400 mm and
2 000 mm from the access level (see also IEC 60204-1).
Electric enclosures shall be mounted so that their doors can be fully opened and escape routes are always
available even when doors are opened. This is fulfilled when:
a) doors can be easily pushed to a closed position, taking escape direction into account;
b) the remaining clearance is not less than 500 mm when the door is fully open (see also IEC 60364-7-729).
Selection and design of platforms, walkways, stairs, stepladders and fixed ladders shall be in accordance with
the relevant parts of ISO 14122.
Safeguarding shall be provided to either prevent operator access between cells or to bring hazards in adjacent
cells to a safe state before an operator can reach them.
Safeguarding shall be provided to reduce risks to operators due to the transfer of materials into and out of
adjoining cells.
5.5.3 Material handling
The hazards associated with material handling (e.g. entanglement, falling material and the connections with
the robot system) shall be considered in the risk assessment.
Where materials enter or exit the safeguarded space, measures shall be taken to prevent persons entering
undetected into the hazard zone. These measures shall either prevent persons coming into contact with
hazards or shall bring the hazards to a safe state before the hazards can be reached without creating
additional hazards. The dimensions of the openings should be reduced to the minimum size required to allow
passage of the material. (See 5.10.7.)
5.5.4 Process observation
Process observation should be performed from outside the safeguarded space. This can be accomplished by
providing safe standing and observation locations (e.g. platforms, catwalks, remote vision systems), as
determined by the results of a risk assessment.
When process observation can only be performed from inside the safeguarded space, the operation modes in
accordance with 5.6.4.2 and 5.6.4.3 shall be used. When these operation modes are not applicable, a
separate control mode shall be provided. This mode shall provide the safeguarding necessary to ensure that
operators performing process observation are not placed in a hazardous situation. Additional information can
be found in Annex F.
5.6 Robot system operational mode application
5.6.1 General
In a cell with more than one robot system, the operational mode may be selected individually on each robot
system or common for all associated robot systems in the cell. If the operational mode is selected individually
on each robot system, it is not necessary that all robot systems be switched to manual mode. Robots that are
not operated manually shall remain in a safe state, independent of the operational mode selected, and not
create a hazard.
The following requirements apply to a robot system or a robot cell. They do not include requirements for
equipment within the robot cell that is not required for the robot task. A risk assessment shall be carried out to
determine any further measures that have to be taken due to the risks presented by this other equipment. It is
strongly recommended that when a robot system is operated in manual mode, all other equipment that is not
required for the robot task be placed in, and maintained in, a safe state.
5.6.2 Selection
Unauthorized and/or inadvertent mode selection shall be prevented by suitable means.
These means shall only enable the selected mode and shall not by themselves initiate robot system operation
or other hazardous operations from associated machinery. A separate actuation shall be required to initiate
robot system operation.
Unambiguous indication of the selected operating mode shall be provided.
Changing the mode of operation shall not create a hazardous situation.
5.6.3 Automatic mode
5.6.3.1 General
Entering the safeguarded space in automatic mode shall lead to a protective stop of all equipment that could
present a hazard or hazardous situation.
5.6.3.2 Selection of automatic mode
Selection of automatic mode of the robot system(s) shall not override or reset any protective stop or
emergency stop condition.
Selection of automatic mode shall be done outside the safeguarded space. If using the pendant or teaching
control to select automatic mode, a separate deliberate action outside the safeguarded space shall be
required for initiation of automatic operation.
Switching from automatic mode shall result in a protective stop or emergency stop.
5.6.3.3 Initiation of automatic operation
Automatic operation shall be initiated from outside the safeguarded space.
Initiation of automatic operation shall only be possible when all associated safeguards are active.
5.6.3.4 Manual reset, start/restart and unexpected start-up
5.6.3.4.1 The start and the restart of the robot system shall be a perspicuous and simple operation. Start
and restart shall require that relevant safety functions and/or protective measures be functional.
Safety-related control functions shall comply with at least the requirements in 5.2.2 unless the risk assessment
determines that another performance criterion is appropriate.
5.6.3.4.2 A start interlock shall be provided to prevent automatic starting of hazardous operations when the
power supply is switched on, or is interrupted and restored. The start interlock shall be reset by a deliberate
human action.
A restart interlock shall be provided to prevent automatic restarting of hazardous operation after either:
a) actuation of a safeguarding function;
b) a change in operating mode of the cell.
Personnel shall be protected from start and restart of the robot cell when they are inside the safeguarded
space, in accordance with ISO 14118.
Start and restart controls shall be manually actuated, located outside the safeguarded space and shall not be
possible to activate from inside the safeguarded space.
The manual reset function shall fulfil all of the following:
- be provided through a separate and manually operated device within the safety-related control systems;
- only be achieved if all safety functions and safeguards are operative;
- not initiate motion or a hazardous situation by itself;
- be by deliberate action;
- enable the control system for accepting a separate start command;
- only be accepted by disengaging the actuator from its energized (on) position.
From each control position, the operator shall be able to ensure that no-one is in the safeguarded space. The
location of start and reset actuating controls should allow a clear and unobstructed view of the safeguarded
space.
If this is not practicable, presence sensing shall be provided to detect operators throughout the safeguarded
space.
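Added example, not part of ISO 10218-2: a small Python model of the start interlock, restart interlock and manual reset described in 5.6.3.4.2, of the kind an integrator or reviewer can use to write test cases against a cell controller. The class, method and state names are hypothetical, and the model assumes the reset actuator is sampled once per scan cycle.

```python
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    INTERLOCKED = auto()  # start/restart interlock set: start commands refused
    READY = auto()        # reset accepted: waiting for a separate start command
    RUNNING = auto()      # automatic operation in progress


@dataclass
class CellInterlock:
    # Power-on always begins interlocked (the start interlock).
    state: State = State.INTERLOCKED
    safeguards_ok: bool = False
    mode: str = "automatic"
    # Assume "pressed" until a release has been sampled, so an actuator that is
    # held or stuck at power-on cannot complete a reset just by being let go.
    _pressed: bool = True
    _armed: bool = False  # True only while a valid press is in progress

    def _trip(self) -> None:
        self.state = State.INTERLOCKED
        self._armed = False

    def power_restored(self) -> None:
        """Supply interrupted and restored: back to the start interlock."""
        self._trip()
        self._pressed = True

    def set_safeguards(self, ok: bool) -> None:
        self.safeguards_ok = ok
        if not ok:
            self._trip()  # a) actuation of a safeguarding function

    def set_mode(self, mode: str) -> None:
        if mode != self.mode:
            self.mode = mode
            self._trip()  # b) change in operating mode of the cell

    def reset_actuator(self, pressed: bool) -> None:
        """Sample the reset device (located outside the safeguarded space)."""
        if pressed and not self._pressed:
            # Rising edge: arm only if interlocked and all safeguards operative.
            self._armed = self.state is State.INTERLOCKED and self.safeguards_ok
        elif not pressed and self._pressed:
            # Falling edge: the reset is accepted on release of the actuator.
            if self._armed and self.safeguards_ok:
                self.state = State.READY  # enables start; initiates no motion
            self._armed = False
        self._pressed = pressed

    def start_command(self) -> bool:
        """Separate start command; refused unless a reset has been accepted."""
        if self.state is State.READY and self.safeguards_ok:
            self.state = State.RUNNING
            return True
        return False
```
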
5.6.3.4.3 If presence sensing is not practicable, unexpected start-up shall be prevented by providing other
protective measures. These protective measures can include:
a) multiple means for the isolation and lockout of the hazardous equipment located within the safeguarded
space;
b) measures to lock a guard (gate) in the open position;
c) additional time-limited reset devices located inside the safeguarded space.
If this is not practicable, an audio-visual pre-start warning signal shall be provided that is:
- sufficient to be seen and heard from within the safeguarded space, and
- provided with a duration of the pre-start delay that is sufficient to allow egress by the operators from the
safeguarded space.
A sufficient number of readily identifiable and easily accessible emergency stop devices shall be located
within the safeguarded space to allow their operation during the pre-start delay.
NOTE For the hierarchy of selecting protective measures, see 4.5.
5.6.4 Manual mode
5.6.4.1 General
When manual intervention is required, local control shall be effected by a single pendant or similar control
station meeting the requirements of ISO 10218-1.
NOTE This applies to any device used to control a robot from within the safeguarded space while drive power is
applied to any of the robot axes or end-effector. This includes robots with powered lead-through teach controls, whether
using robot-mounted manual controls or main/secondary teaching controls.
Whenever practicable, control devices and control stations shall be located so that the operator is able to
observe the working area or hazard zone.
A stop control device shall be placed near each start control device.
The system shall be designed and constructed so that when the system is placed under local control, initiation
of motion or change of local control selection from any other source is prevented.
5.6.4.2 Manual reduced speed
In manual reduced speed mode the velocity of the selected TCP shall not exceed 250 mm/s. It should be
possible to select speeds lower than 250 mm/s. The results of a risk assessment shall determine if a
maximum reduced speed lower than 250 mm/s is required and if other equipment in the robot system needs
to be operated at a reduced speed.
In manual reduced speed mode, motion of the robot or any part of the robot system shall be possible only in
conjunction with an enabling device in accordance with ISO 10218-1. The safety-related control performance
of the enabling function shall be in accordance with 5.2.
5.6.4.3 Manual high-speed
This mode is intended to be restricted to programme verification only, and shall not be used for production. All
manual jogging shall be at reduced speed. This mode shall only be provided in exceptional circumstances
where the application requires the robot system to be operated in the manual high-speed mode. In manual
high-speed mode, the speed of the selected TCP may exceed 250 mm/s. The robot system shall conform with
the requirements of automatic operation mode of ISO 10218-1 and be provided with a pendant conforming to
the requirements of ISO 10218-1, and require, in the information for use, that the pendant's enabling device
be functionally tested for proper operation prior to initiating motion.
5.6.5 Remote access for manual intervention
A robot system may be network enabled (e.g. LAN, modem, and internet) which allows remote access for
diagnostics, technical consultation and testing, etc.
If a robot system is to be remotely controlled by an operator who is physically away from the robot (e.g. in a
distant office), the following shall be required:
a) manual remote control shall only be possible when the robot system is in manual mode;
b) at any one time, only one source of control – local or remote – shall be active (single point of control);
c) the type of control listed in b) shall not override local selection and cause any local hazardous situation;
d) activation of the manual remote control function shall be possible only from the local control;
e) all controller functions that may cause a hazard (e.g. motion of robot, forcing outputs that control
hazardous equipment, changing values that influence the robot in a hazardous way, acknowledgement of
safety functions, hold to run, etc.) shall be possible only from the single selected source of control;
f) it shall not be possible for remote changes to the parameters, related to limiting robot motion by means of
safety-rated soft axis and space limiting as described in 5.4.3, to take effect without local action to confirm
the acceptability of the change and that it did not create a hazard;
g) an indication at the local control (control panel, teach pendant, etc.) shall show that the robot system is
being remotely controlled;
h) attended manual intervention shall only be possible when the robot system is in manual reduced speed;
i) if no one is in the safeguarded space and safeguards are active, remote functions may be performed
without any local activities;
j) when a person is required to be in the safeguarded space, control functions by a remote operator that
may cause a hazard can only be performed when the local operator enables the function by pressing an
enabling device;
k) any equipment not needed for the remote action that could create a hazard shall be maintained in a safe
state.
The information for use shall include appropriate requirements for training both the remote and local operators
for the remote tasks.
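Added example, not part of ISO 10218-2: a Python model of the control arbitration that items a) to j) of 5.6.5 describe, useful as a checklist when reviewing a remote-access design. The command names, the parameter axis1_max_deg and all class and method names are hypothetical; denying remote commands when safeguards are inactive and nobody is detected is a conservative assumption of the model.

```python
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    LOCAL = "local"
    REMOTE = "remote"


class Mode(Enum):
    AUTOMATIC = "automatic"
    MANUAL_REDUCED = "manual reduced speed"
    MANUAL_HIGH = "manual high-speed"


# Hypothetical command names standing in for the hazardous functions of item e).
HAZARDOUS = {"jog", "force_output", "ack_safety_function", "hold_to_run"}


@dataclass
class RobotCell:
    mode: Mode = Mode.AUTOMATIC
    active_source: Source = Source.LOCAL
    person_in_space: bool = False
    safeguards_active: bool = True
    enabling_device_pressed: bool = False  # local operator's enabling device
    soft_limits: dict = field(default_factory=lambda: {"axis1_max_deg": 90})
    pending_limits: dict = field(default_factory=dict)

    @property
    def remote_indicator(self) -> bool:
        """g) what the local control panel or pendant indicates."""
        return self.active_source is Source.REMOTE

    def set_mode(self, mode: Mode) -> None:
        self.mode = mode
        if mode is Mode.AUTOMATIC:
            self.active_source = Source.LOCAL  # a) no remote control outside manual mode

    def activate_remote(self, requested_from: Source):
        if requested_from is not Source.LOCAL:
            return False, "d) activation is possible only from the local control"
        if self.mode is Mode.AUTOMATIC:
            return False, "a) remote control requires manual mode"
        self.active_source = Source.REMOTE  # b) replaces local, never adds to it
        return True, "remote is the single source of control"

    def take_local_control(self) -> None:
        self.active_source = Source.LOCAL

    def authorize(self, source: Source, command: str):
        """Decide whether `source` may issue `command` right now."""
        if command not in HAZARDOUS:
            return True, "not a hazardous function (e.g. reading diagnostics)"
        if source is not self.active_source:
            return False, "b), e) not the selected source of control"
        if source is Source.LOCAL:
            return True, "local source selected (its own interlocks are not modelled)"
        if self.person_in_space:
            if self.mode is not Mode.MANUAL_REDUCED:
                return False, "h) attended intervention requires manual reduced speed"
            if not self.enabling_device_pressed:
                return False, "j) local operator has not pressed the enabling device"
            return True, "j) enabled by the local operator"
        if not self.safeguards_active:
            return False, "i) safeguards are not active (assumption: deny)"
        return True, "i) nobody inside and safeguards active"

    def propose_limits(self, source: Source, changes: dict) -> bool:
        """Change safety-rated soft axis and space limiting parameters."""
        if source is not self.active_source:
            return False
        if source is Source.REMOTE:
            self.pending_limits = dict(changes)  # f) staged, not yet in effect
        else:
            self.soft_limits.update(changes)
        return True

    def confirm_limits_locally(self) -> dict:
        """f) local action that lets a staged remote change take effect."""
        self.soft_limits.update(self.pending_limits)
        self.pending_limits = {}
        return dict(self.soft_limits)
```
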
5.7 Pendants
5.7.1 General
Pendants and teaching control devices used inside the safeguarded space shall conform to the requirements
in ISO 10218-1.
The emergency stop function on the pendant shall comply with 5.3.8.2.
Teach pendants equipped with a cable shall have a cable that is of sufficient length to allow the teacher to
perform expected tasks in a safe manner (e.g. not going over the equipment to get to the teach point due to
insufficient cable length). The cable shall be capable of withstanding the anticipated environmental conditions
of the location in which it is to be used.
Provision for proper storage of the pendant shall be made in such a manner as to minimize the possibility of
damage which may result in a hazard. Storage of detached pendants or cableless pendants shall minimize the
possibility of mistaking an inactive emergency stop device as being active.
5.7.2 Requirements for cableless or detachable installations/communications
When cableless or detachable teach pendants are used with the robot system, the following shall apply:
a) pendant(s) shall be in compliance with ISO 10218-1;
b) the emergency stop function and the enabling device on the pendant shall comply with the requirements
of ISO 10218-1;
c) the possibility of unintentionally controlling a robot system shall be avoided by:
1) unambiguous means that identify the robot being operated,
2) connection means to ensure integrity of communication (e.g. login, encryption, firewalls),
3) unambiguous means to indicate connection continuity (e.g. screen display);
d) a single cableless teach pendant shall not be simultaneously connected to more than one robot system;
this system can be composed of a single or multiple robots;
e) when in the manual mode, loss of communication (e.g. out of range, loss of battery power) on any active
pendant (i.e. paired to a robot system) shall result in a protective or emergency stop for all controlled
equipment; restoration of communication shall not allow a restart without a separate deliberate action
(see ISO 10218-1 and IEC 60204-1);
f) an unambiguous means shall be provided to disconnect robot control from the pendant (e.g. a positive
action by the operator), and when devices are logged out, it shall be clearly recognizable that the relevant
safety functions are not active anymore; confusion between active and inactive emergency stop devices
shall be avoided by providing appropriate storage or design; information for use shall contain a
description of the storage or design;
g) the pendant shall provide a single point of control in accordance with ISO 10218-1.
5.7.3 Control of simultaneous motion
A single pendant may control simultaneous motion of a system with multiple robots. Each robot shall be
selected before it can be activated. To be selected, all robots shall be in the same operational mode
(e.g. manual reduced speed). An indication of which robots will be activated (selected to be moved) shall be
provided in accordance with ISO 10218-1. Only the selected robots shall be activated.
Any robot in the system not selected shall not move and shall not present hazards by means in accordance
with 5.2.2.
NOTE This can be achieved by remaining in a protective stop condition.
5.7.4 Hand guiding of robot systems (collaborative robots)
Robot systems designed for collaborative operation may use hand guiding controls for the collaborative
portion of the task. These same controls may be used for “lead through teach” methods. When such controls
are included, they shall meet the requirements described in ISO 10218-1.
5.8 Maintenance and repair
5.8.1 General
The robot system shall be designed to include procedures for inspection and maintenance to ensure
continued safe operation of the robot and robot system. The inspection and maintenance programme shall
take into account the manufacturer's recommendations.
Information for use shall include requirements for periodic functional testing of the safety-related parts of
equipment (e.g. emergency stop device, enabling device) to ensure proper operation.
5.8.2 Safeguarding requirements for maintenance
The robot system shall be designed and constructed in such a way as to allow safe access to all areas where
intervention is necessary during operation, adjustment and maintenance. Maintenance should be performed
from outside the safeguarded space. When it is necessary to perform maintenance within the safeguarded
space, selection of the preferred means of safeguarding shall be as follows:
a) the system shall be provided with the local means of controlling and isolating hazardous energy
(e.g. disconnector, pressure relief device, energy isolation control system); information for use shall
contain details about maintenance tasks that require energy control and isolation, and those that are
anticipated when hazardous energy would be required;
b) effective alternative protective measures shall be provided for minor servicing tasks that are anticipated
and integral to production, performed without energy isolation; control measures for control of hazardous
energy or position monitoring include one or more of the following:
1) safeguard to allow safe performance of the task;
2) placing the equipment in a predetermined safe monitored position or condition (deviations shall result
in a protective stop condition);
3) providing exclusive control for personnel entering the safeguarded space (procedures for exclusive
control shall be defined and provided in the information for use);
4) providing a specific operating mode meeting at least the requirements in 5.2.2 for specific identified
tasks.
5.8.3 Safeguarding of maintenance access points
When guards are provided to allow access for maintenance or servicing tasks, the guards shall be of sufficient
size to allow easy access for the necessary tools, materials and personnel.
When fixed guards are provided for infrequent maintenance or servicing tasks, these shall be removable only
by the use of a tool.
When frequent access for maintenance or routine servicing tasks is required, the access points shall be
safeguarded by protective devices, preferably movable guards. These movable guards shall not initiate a
starting command by reaching the safeguard position.
If it is possible to remain in the safeguarded area when the movable guard is closed, additional measures
shall be used to prevent a restart. These include restart interlock, presence sensing, or facilities for locking the
guard open. If a restart interlock in conjunction with presence sensing is provided, then, depending on the risk
assessment, the presence-sensing device shall meet at a minimum the requirements of Type 2 from
IEC 61496-1.
5.8.4 Safeguarding adjacent cells for maintenance
When electro-sensitive protective equipment (ESPE) with vertical detection fields is used to prevent
unintended access to adjacent cells from within a cell for maintenance intervention, the approach speed and
penetration factor used for the calculation of the minimum distance (safety) may, based on the risk
assessment, deviate from those of ISO 13855.
NOTE When fixed guarding is used instead of ESPE, guidance can be found in 5.10.6.1.
5.9 Integrated manufacturing system (IMS) interface
5.9.1 General
Other machinery and equipment that is associated with the robot system but not directly controlled by the
robot controller shall be included in the risk assessment, the zoning configurations, safeguarding and span of
control implementation as presented in ISO 11161. Other machine specific “C” standards may also be
applicable. The integration of the robot system shall also take into account hazards that are both controlled
and not controlled by the robot, but are due to associated machinery and equipment that are inside the
safeguarded space or entering/exiting the safeguarded space.
5.9.2 Emergency stop
Robot systems shall have a single emergency stop function affecting all relevant parts of the machine. The
emergency stop function shall comply with 5.3.8.2.
The span of control may include multiple zones. Information for use shall include information on the span of
control of each emergency stop device.
5.9.3 Safety-related parts of the IMS
Any safety-related control interfaces between the IMS and the robot system(s) shall comply with the
requirements of 5.2.2. Protective devices shall protect against access to hazards within each zone of an IMS
and additionally at the interfaces to adjacent zones (e.g. conveyors) when they are hazardous (see also 5.10).
5.9.4 Local control
Operational requirements shall determine the need for local control. When local control is selected, the IMS
control system shall be notified of this condition and shall not be able to override the local control. The
emergency and protective stop functions shall remain operational during local control.
Means of selecting and deselecting local control shall be in close proximity to the robot or machine or
sub-assembly being placed under local control. Means of deselecting local control from within the
safeguarded space shall not initiate hazardous conditions. If local control can be deselected from within the
safeguarded space, a separate confirmation from outside the safeguarded space shall be necessary prior to
any hazardous conditions being present.
5.9.5 Enabling device
When there is a need for additional enabling devices they shall comply with 5.3.15. The enabling device
function shall be interlocked consistent with zones of the IMS where the incorporated robot systems,
machinery or related processes are capable of concurrent movement during manual operation.
5.9.6 Mode selection
Mode selection shall comply with ISO 10218-1.
5.9.7 Task zone implementation
The IMS shall be designed to facilitate safe manual interventions, including maintenance. For some manual
interventions, it can be impractical to stop the whole IMS, in which case the IMS shall be segregated into
zone(s) where operators can perform their tasks safely while the remainder of the IMS can be operating in
different operational modes.
The integration of the robot system into a task zone shall be in accordance with ISO 11161.
5.10 Safeguarding
5.10.1 General
When design does not either remove hazards or adequately reduce the risks, safeguarding shall be applied.
Access to hazardous areas shall be protected by safeguards such as guards and protective devices.
Complementary protective measures, for example, personal protective equipment, training and information for
use, can also be required. See also 4.5.
Guards and protective devices can be used to:
- prevent access to the hazard(s);
- cause hazard(s) to cease before access;
- prevent unintended operation;
- contain parts and tooling;
- limit other process hazards (noise, laser, radiation, etc.).
Guards and protective devices shall meet the requirements of ISO 12100.
ISO 12100 gives further requirements for the selection of safeguarding and further complementary measures.
Annex B shows an overview of some of the standards applicable to protective measures.
5.10.2 Perimeter safeguarding
Guards (distance or enclosure, see also 5.10.4) or sensitive protective devices (see also 5.10.5) shall be used
for perimeter safeguarding.
The selection of perimeter safeguarding shall take into account all the hazards within the safeguarded space –
not just those associated with the robot system. Examples of hazards include:
a) other machinery, equipment and processes;
b) falling or ejected objects;
c) erratic or excessive machine stopping time;
d) inability of the machinery to stop part way through a cycle;
e) emission hazards (e.g. noise, vibration, radiation, harmful substances).
Selection shall also consider the task requirements, for example:
- frequency of access;
- loading and unloading of materials;
- maintenance;
- quality inspection;
- proximity to the hazard;
- process requirements.
5.10.3 Minimum (safety) distances
5.10.3.1 General
All safeguards shall be securely installed and located at a distance such that the hazard cannot be accessed,
i.e. personnel cannot reach over, under, around or through the safeguard.
5.10.3.2 Minimum (safety) distances for guards
Fixed and moveable guards shall meet the requirements of ISO 14120 and their minimum distance from any
hazard shall be determined according to the relevant requirements of ISO 13857. When preventing access
with guards, ISO 13857 shall be used to determine the minimum safe distance.
The minimum distances associated with openings in guards shall meet the relevant requirements of
ISO 13857.
5.10.3.3 Minimum (safety) distances for protective devices
The minimum distance for protective devices providing a trip function (for example, interlocking devices,
sensitive protective equipment which signal a protective stop when actuated) shall be determined according to
the relevant requirements of ISO 13855.
When protective devices provide a presence-sensing function to prevent starting or restart (for example,
when they continually sense a person or part of a person in their detection zone and maintain a protective
stop), minimum distance is not a requirement, but the devices shall comply with 5.10.5.3.
NOTE When presence-sensing safeguarding devices solely safeguard against start or restart hazards, other
safeguarding devices are used to prevent access or cause the hazard to cease before access.
5.10.3.4 Minimum (safety) distances for providing clearances
When protective devices provide a trip function to provide protection against lack of clearance (see 5.5.2), the
minimum distance shall be calculated using ISO 13855 with the robot speed as the approach speed
(i.e. K = the robot speed).
When protective devices provide a presence-sensing function to provide clearance (see 5.5.2), minimum
distance is not a requirement, but the devices shall comply with 5.10.5.3.
5.10.4 Requirements for guards
5.10.4.1 General
All guards shall meet the applicable requirements of ISO 12100 and ISO 14120. Interlocking devices
associated with guards shall meet the requirements of ISO 14119.
Fixed guards shall only be removable by the use of a tool. Their fixing systems shall remain attached to the
guards or to the machinery when the guards are removed. The requirement does not necessarily apply to
fixed guards that are only liable to be removed, for example, when the machinery is completely overhauled, is
subject to major repairs or is dismantled for transfer to another site.
The perimeter safeguarding shall not be installed closer to the hazard than the restricted space, unless either:
- the perimeter safeguarding is designed to be the limiting device in accordance with 5.4.3, or
- a risk assessment determines that other safeguarding is appropriate.
5.10.4.2 General requirements for fixed distance guards
The openings in any fixed guard shall not allow a person to reach over, under, around or through (an opening
or gap) the guard and access a hazard.
ISO 13857 shall be used to determine the appropriate dimensions for the opening from the bottom of the
guard to adjacent standing surfaces and any openings in the guards. For minimum safety distances,
see 5.10.3.2.
The height of the guard shall be at least 1 400 mm from adjacent walking surfaces.
5.10.4.3 General requirements for interlocked movable guards
Interlocking devices associated with moveable guards shall meet the requirements of ISO 14119.
Movable guards at their closed position shall prevent operators reaching hazardous areas.
Movable guards shall open laterally or away from the hazard, and not into the safeguarded space.
Interlocking shall be provided to bring any hazards to a safe state before an operator can gain access to the
hazard through the guard. To achieve this, movable guards shall be positioned in accordance with ISO 13855
(see also 5.10.3.2).
Movable guards used to initiate starting on closure (control guards) shall meet the requirements of ISO 14120.
The interlocking function shall meet at least the requirements of 5.2.2. The reset actuators shall be in
accordance with 5.6.3.4.
5.10.4.4 General requirements for movable guards with guard locking
When it is possible for the operator to open an interlocked movable guard and reach the hazard area before
the hazard is brought to a safe state, guard locking shall be provided in addition to the control interlock.
This guard locking shall comply with the following:
a) only permit the actuation of hazardous machine function as long as the guard is closed and locked (e.g. a
door in a fence);
b) keep the guard in the closed and locked position as long as the risk of harm due to hazardous functions
of the machine exists.
When process parameters, such as speed, are being used as a condition for locking or unlocking, then this
forms part of the safety function and shall meet the same functional safety requirements as the interlocking
function.
5.10.4.5 Movable guards allowing access into the safeguarded space
The safeguarded space shall be designed, constructed or fitted with a means of preventing a person from
being trapped inside. For example, this may be accomplished by providing for manual opening of movable
guards from inside the safeguarded space, regardless of the state of the energy supply, or providing a means
of locking access gates in their open position.
5.10.5 Sensitive protective equipment
5.10.5.1 General
Sensitive protective equipment is typically selected when an application requires frequent access, personnel
interaction with the machine, good visibility of the machine or process, or when it is not ergonomic to provide
fixed guarding. However, some characteristics of particular applications can preclude the use of sensitive
protective equipment as the sole protective measure. Examples of these characteristics are:
a) possibility that the machinery will eject materials, swarf or component parts;
b) risk of injury from thermal or other radiation;
c) unacceptable noise levels;
d) an environment likely to adversely affect the function of the protective equipment;
e) a material being processed which can influence the effectiveness of the protective measure.
Where such situations exist, additional or other safety measures can be required.
ESPE, such as light curtains and laser scanners, shall comply with the relevant parts of IEC 61496-1.
Pressure-sensitive protective equipment, such as mats, edges and bumpers, shall meet the relevant
requirements of ISO 13856.
The applications of these devices should comply with IEC/TS 62046.
5.10.5.2 Sensitive protective equipment used to initiate a protective stop
Where the sensitive protective equipment is used to initiate a protective stop, it shall be positioned at a
distance from each hazard sufficient to ensure the hazard is removed or otherwise obtains a safe condition
before any part of an approaching operator can reach the hazard.
NOTE 1 Hazards can exist at different locations within the safeguarded space and the distance needs to ensure that
each hazard is controlled.
Sensitive protective equipment shall be securely installed and located such that an operator cannot
circumvent (i.e. cannot reach over, under, around or through) the detection zone and reach a hazard. The
following functionality shall be provided:
a) a protective stop shall be initiated if the sensitive protective equipment is actuated while the hazardous
conditions are operating;
b) following an actuation, the hazardous conditions being safeguarded by the sensitive protective equipment
shall be prevented from any hazardous motion or situation until the sensitive protective equipment is
reset;
c) when the sensitive protective equipment is reset, the hazardous conditions being safeguarded by the
sensitive protective equipment can operate, but the reset of the sensitive protective equipment does not
by itself initiate their operation.
The formulae in ISO 13855 shall be used to determine the minimum distance from the hazard (danger zone)
to the sensitive protective equipment for all directions of approach.
NOTE 2 The minimum value of K used for calculating minimum distances in accordance with ISO 13855 is 1 600 mm/s.
Where an operator, or part of an operator, can remain in the safeguarded space, additional measures shall be
provided to prevent hazardous situations arising, such as unexpected start-up. Such measures can include,
for example:
- provision of a restart interlock;
- sensing the presence of an operator in the safeguarded space (e.g. ESPE or pressure mats) to maintain
a protective stop.
NOTE 3 If presence-sensing protective equipment is used, it is advisable to ensure that operators cannot circumvent
the detection zone, e.g. by climbing on to parts of the machinery.
If it is possible for an operator to be hidden from view at the reset control, supplementary protective measures
to prevent resetting the restart interlock shall be provided (e.g. time-limited additional reset control inside the
safeguarded space). Resetting of the restart interlock shall be performed by a deliberate human action, for
example operation of a manual actuator. See also 5.6.3.3.
5.10.5.3 Sensitive protective equipment used for presence sensing to prevent a start
Where the sensitive protective equipment is only used for a presence-sensing function (i.e. it continually
senses the presence of a person or part of a person in its detection zone), it shall be used in conjunction with
other safety measures (for example, interlocking guards), as necessary to ensure that the machine(s) is/are in
a non-hazardous state before hazards can be reached.
The detection zone of presence-sensing devices shall be positioned and configured so that a person or part of
a person will be detected throughout the detection zone. Where necessary, supplementary measures shall be
provided to ensure that the detection zone cannot be circumvented, for example by operators remaining
between the detection zone and the hazard zone or by reaching over the detection zone into the hazard zone.
Examples of measures to prevent persons remaining between the detection zone and the hazard zone are:
- use of sloping surfaces to prevent standing on machine frame/feet;
- making the inside surfaces of fencings free of protrusions that can be climbed on.
5.10.6 Safeguarding at manual loading, unloading or handling stations (manual stations)
5.10.6.1 General
Measures shall be provided to ensure that operators are not exposed to further hazards due to the operation
of the manual production interface station (for example, crushing, shearing, entanglement hazards).
Allowable gaps and openings shall follow the guidance in 5.10.4.1. Manual stations shall be designed to
ensure that the operator cannot access hazards within the safeguarded space. [See also a), b), c) below.]
NOTE 1 Requirements for collaborative workspaces are given in 5.11.
For heights up to 1 400 mm additional protective measures can be taken to:
a) prevent the exposure of the operator to application-related hazards within the safeguarded space,
e.g. ejected parts, welding sparks, etc.;
b) prevent the operator from accessing hazards inside the safeguarded space or bring these hazards within
the safeguarded space to a safe state before they can be accessed;
c) ensure that when a robot system and an operator have access to the same (shared) workspace, they
cannot occupy the workspace at the same time; this can be accomplished by:
1) preventing any part of a robot system from entering a workspace occupied by an operator, or
bringing the robot system to a safe state before it can reach the operator; and
2) preventing the operator from entering a workspace occupied by any part of the robot system, or
bringing the robot system to a safe state before the operator can reach it.
NOTE 2 For ergonomic reasons, heights between 1 000 mm and 1 400 mm might be acceptable depending on the
protection effect given by the shape of the barrier and the results of the risk assessment.
5.10.6.2 Additional requirements for moving manual stations
Moving manual stations (for example, rotating turntables, sliding jigs) can themselves be hazardous.
Measures shall be provided to prevent the operator accessing these hazards or to bring these hazards to a
safe state before they can be accessed.
The gap between the moving station and any fixed elements (for example, machine parts, guards), including
additional protective measures, shall not exceed 120 mm. Additional measures might be necessary to prevent
shearing and trapping hazards.
5.10.6.3 Additional requirements for manual stations with a shared workspace
When presence sensing is used to detect the operator in the shared workspace, the detection zone of the
device shall include the entire shared workspace area.
When presence sensing is not practicable, a restart interlock shall be provided. Other measures shall be
provided to prevent inadvertent resetting of the restart interlock, so preventing the robot system from moving
into the workspace while the operator remains in the workspace. Such measures can include the provision of
a separate manual reset.
When manual reset is provided, the whole of the shared workspace shall be visible from the reset device. If
this is not possible, further measures shall be applied, for example, time-limited additional reset control inside
the safeguarded area.
5.10.7 Safeguarding of openings for material flow
Openings into the safeguarded space to allow material entry and exit shall be the minimum dimensions
necessary to allow the material to pass. Possible crushing/shearing hazards between the material and the
sides of the opening shall be avoided or supplementary protective measures shall be taken to avoid them (for
example by the use of hinged interlocked doors).
If access to a hazard is possible, measures depending on the risk assessment shall be taken to prevent
access or detect a person or a part of a person entering and bring the hazard to a safe state before it can be
reached. (See ISO 13857 for partial body entry and Annex C.)
Where openings for material entry and exit are guarded using ESPE, the ESPE shall allow the passage of
materials either by one of the following functions, and access to the safeguarded space shall be prevented by
the material itself, or by other means (see also IEC/TS 62046):
a) a muting function that temporarily deactivates the ESPE function allowing material to pass through
(entry/exit);
b) a change in protection area (e.g. blanking) that enables materials to pass through; in this case the
minimum distance indicated by the manufacturer of the ESPE shall be observed (see IEC/TS 62046).
The muting function shall fulfil the requirements of ISO 13849-1. The performance level of the muting and
blanking functions shall not adversely affect the performance level of the safety function determined by the
risk assessment for the ESPE. See also 5.10.10.
5.10.8 Safeguarding multiple adjacent robot cells
Measures shall be provided to ensure that operators in a cell are not exposed to hazards from adjacent cells.
Measures shall be provided to either prevent operator access to adjacent cells from within a cell, or bring
hazards within adjacent cells to a safe state before operators would be exposed to hazards in or caused by
adjacent cells.
When fixed guards are used for this purpose, the required height depends on the hazards in both cells
(because access can be gained from either cell to the other) but it shall be a minimum of 1 400 mm.
Measures other than fixed guards can apply, for example:
- electro-sensitive protective equipment;
- pressure mats;
- simultaneous shut-down of adjoining cells.
The selection of the appropriate measures shall be in accordance with 4.5.
When the protective devices need to be muted for production operations, the functional safety level for muting
shall be at least the same level as the functional safety level determined by the risk assessment.
5.10.9 Safeguarding of tool changing systems
End-effectors and tool changing systems shall be selected or designed such that loss or restoration of energy
supply does not lead to a hazard. If this is not practicable, other safety measures shall be provided to mitigate
against any hazards.
If a tool changing system is used, then the tool changing system design shall ensure that misuse does not
lead to a hazardous situation. Release or disconnection of the end-effector(s), using the tool change function,
shall be prevented at positions where release would lead to a hazard.
The tool changing system shall withstand the expected static and dynamic requirements (e.g. emergency-
stop-situation, loss of energy).
5.10.10 Muting
Muting is the temporary automatically controlled suspension of the safeguarding function during a portion of
the robot system's cycle.
Muting shall only be provided when it is necessary for the process being performed on the machine. It shall be
implemented such that a person cannot remain undetected in the hazardous zone when muting is terminated.
Muting may be used in conjunction with any safeguarding device that electrically signals a protective stop.
Muting is permitted when at least one of the following conditions is met:
a) safety is maintained by other means (e.g. the access to the hazardous area is obstructed by the passing
material);
b) personnel are not exposed to a hazard;
c) the hazard cannot be accessed without a stop being initiated.
The muting function shall be initiated and terminated automatically. This may be achieved by the use of
appropriately selected and placed sensors or, in some cases, by signals from the safety-related control
system (which may include safety-rated soft axis and space limiting in accordance with ISO 10218-1).
Incorrect signals, sequence, or timing of the muting sensors or signals shall not allow a mute condition (see
IEC 61496-1).
The muting function shall achieve an equivalent level of safety-related control system performance as
determined by the risk assessment for the protective function being muted. The performance level of the
muting function shall not adversely affect the performance level of the protective function. In the event of a
failure, subsequent muting shall be prevented until the failure is corrected.
Depending on the risk assessment, an indicator to show when the muting function is active can be required.
This indicator warns that the normal protective function is suspended.
Muting information, including the means, location, zones, and functionality, shall be included in the information
for use.
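The sequence, timing and fault-latching rules of 5.10.10 can be modelled as a small state machine. This is an added illustration, not part of ISO 10218-2 and not a safety-rated implementation; the two-sensor arrangement, the state names and the 4 s and 10 s limits are assumptions.

```python
from dataclasses import dataclass

@dataclass
class MutingMonitor:
    max_skew: float = 4.0    # assumed limit (s) between sensor A and sensor B activating
    max_mute: float = 10.0   # assumed limit (s) on one mute period
    state: str = "IDLE"      # IDLE -> A_SEEN -> MUTED -> EXIT -> IDLE; FAULT is latched
    t_mark: float = 0.0      # time the current timed state was entered

    def step(self, t, a, b, espe_clear):
        """Process one sample; return True when a protective stop is demanded."""
        if self.state == "IDLE":
            if b:                                  # B first, or A and B together
                self.state = "FAULT"
            elif a:
                self.state, self.t_mark = "A_SEEN", t
        elif self.state == "A_SEEN":
            if not a or t - self.t_mark > self.max_skew:
                self.state = "FAULT"               # A dropped out, or B arrived too late
            elif b:
                self.state, self.t_mark = "MUTED", t
        elif self.state == "MUTED":
            if t - self.t_mark > self.max_mute:
                self.state = "FAULT"               # mute held too long
            elif not (a and b):
                self.state = "EXIT"                # automatic termination
        elif self.state == "EXIT" and not (a or b):
            self.state = "IDLE"
        # Only the MUTED state suppresses the stop; FAULT never does.
        return (not espe_clear) and self.state != "MUTED"

    def clear_fault(self, a, b):
        """Deliberate reset after repair; refused while a muting sensor is still active."""
        if self.state == "FAULT" and not (a or b):
            self.state = "IDLE"
        return self.state == "IDLE"

def run(monitor, samples):
    """Replay (t, a, b, espe_clear) samples; return [(state, stop_demanded), ...]."""
    out = []
    for t, a, b, clear in samples:
        stop = monitor.step(t, a, b, clear)
        out.append((monitor.state, stop))
    return out

# Constructed traces: (time s, sensor A, sensor B, ESPE field clear)
GOOD = [(0, 0, 0, 1), (1, 1, 0, 1), (2, 1, 1, 1), (3, 1, 1, 0), (5, 0, 1, 1), (6, 0, 0, 1)]
WRONG_ORDER = [(0, 0, 0, 1), (1, 0, 1, 1), (2, 1, 1, 1), (3, 1, 1, 0)]
```

In the GOOD trace the ESPE interruption at t = 3 s is suppressed because the mute was reached through the correct sequence; in WRONG_ORDER the same interruption demands a protective stop, and muting stays blocked until `clear_fault` is called with both sensors clear.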
5.10.11 Suspension of safeguards
Tasks that require the suspension of safeguards, for example robot teaching, shall have a dedicated mode of
operation that automatically selects the appropriate safeguards, as determined by the risk assessment, for the
task.
The selection of the mode of operation shall be by secure means (e.g. by a lockable selection device,
password, access code) and shall meet the requirements of 5.2.2.
The following requirements shall be met:
a) it shall not be possible to resume automatic operation with the mode activated;
b) automatic operation shall only be initiated from outside the safeguarded space;
c) the control mode function shall have an equivalent level of performance to the protective function being
suspended;
d) in the event of a fault in the suspending function, subsequent suspension shall be prevented until the fault
is corrected;
e) a visual indication that safety devices are suspended shall be provided at the mode selection device, the
cell entrance(s) and any affected operator stations;
f) alternative protective measures shall be activated to control all hazards; these alternative protective
measures shall provide an equivalent level of protection.
Where safeguards are to be suspended, the following shall be applicable:
- machinery and equipment not required for the task shall be in the protective stop condition;
- machinery and equipment required for the task shall be under the direct control of the operator.
The integrator shall provide information for use for critical situations when it is necessary to manually suspend
safeguards, e.g. troubleshooting and exchange of a safeguarding device.
5.11 Collaborative robot operation
5.11.1 General description of purpose
Collaboration is a special kind of operation between a person and a robot sharing a common workspace. It is
only:
- used for predetermined tasks;
- possible when all required protective measures are active; and
- for robots with features specifically designed for collaborative operation complying with ISO 10218-1.
NOTE See Annex E for examples of application.
The integrator shall include in the information for use the safeguards and mode selection required for
collaboration operation.
5.11.2 General requirements
Due to the potential reduction of the spatial separation of human and robot in the collaborative workspace,
physical contact between the human and the robot can occur during the operation. Protective measures shall
be provided to ensure the operator's safety at all times.
The following requirements shall all be fulfilled.
a) The integrator shall conduct a risk assessment as described in 4.3 (see Annex E for examples of
applications). The risk assessment shall consider the entire collaborative task and workspace, including,
as a minimum:
1) robot characteristics (e.g. load, speed, force, power);
2) end-effector hazards, including the workpiece (e.g. ergonomic design, sharp edges, protrusions,
working with tool changer);
3) layout of the robot system;
4) operator location with respect to proximity of the robot arm (e.g. prevent working under the robot);
5) operator location and path with respect to positioning parts, orientation to structures (e.g. fixtures,
building supports, walls) and location of hazards on fixtures;
6) fixture design, clamp placement and operation, other related hazards;
7) design and location of any manually controlled robot guiding device (e.g. accessibility, ergonomic,
etc.);
8) application-specific hazards (e.g. temperature, ejected parts, welding splatters);
9) limitations caused by the use of necessary personal protective equipment;
10) environmental considerations [e.g. chemical, radio frequency (RF), radiation, etc.];
11) performance criteria of the associated safety functions.
b) Robots integrated into a collaborative workspace shall meet the requirements of ISO 10218-1.
c) Protective devices used for presence detection shall meet the requirements of 5.2.2.
d) Additional protective devices used in a collaborative workspace shall meet the requirements of 5.2.
e) The safeguarding shall be designed to prevent or detect any person from advancing further into the
safeguarded space beyond the collaborative workspace. Intrusion into the safeguarded space beyond the
collaborative workspace shall cause the robot to stop and all hazards to cease.
f) The perimeter safeguarding shall prevent or detect any person from entering the non-collaborative portion
of the safeguarded space.
g) If other machines, which are connected or attached to the robot system and present a potential hazard,
are in the collaborative workspace itself then the safety-related functions of these machines shall comply,
at a minimum, with the requirements of 5.2.
Robots configured for collaborative operation should be labelled with the symbol shown in Figure 2.
5.11.3 Requirements for collaborative workspaces
The collaborative workspace where the operator(s) can interact directly with the robot shall be clearly defined
(e.g. floor marking, signs, etc.).
Persons/operators shall be safeguarded by a combination of protective devices and compliance with robot
performance features allowed in ISO 10218-1, which will cause all hazards to cease in accordance with 5.2.2.
In any case where more than one person (operator) is involved in a collaborative operation, each person shall
be protected with controls complying with 5.2.2.
The design of the collaborative workspace shall be such that the operator can easily perform all tasks and the
location of equipment and machinery shall not introduce additional hazards. Safety-rated soft axes and space
limiting should, whenever possible, be used to reduce the range of possible free motions.
The robot system should be installed to provide a minimum clearance of 500 mm (20 in) from the operating
space of the robot (including arm, any attached fixture and the workpiece) to areas of building, structures,
utilities, other machines, and equipment that allow whole body access and may create a trapping or a pinch
point. Where this minimum clearance is not provided, additional protective measures to stop robot motion
shall be taken to provide protection while personnel are within 500 mm of the trapping or pinch hazard in a
static environment. If there is dynamic motion (e.g. line tracking), special considerations may be needed.
(See ISO 13854.)
NOTE These parameters can be different for systems designed to comply with 5.11.5.4 and 5.11.5.5.
5.11.4 Change between autonomous operation and collaborative operation
The change point between autonomous operation and collaborative operation is a particularly critical part of a
collaborative application.
It shall be designed in a way that the robot cannot endanger personnel when
changing from the autonomous operation to the collaborative operation and back to the autonomous operation.
5.11.5 Operation in the collaborative workspace
5.11.5.1 General
When designing a collaborative operation, one or more of the safety features in 5.11.5.2 to 5.11.5.5 shall be
appropriately selected to ensure a safe work environment for all personnel exposed to potential hazards in the
workcell. ISO 10218-1 provides requirements and performance features for robots used in collaborative
operation, as described in 5.11.5.2 to 5.11.5.5.
Any detected failure of the selected safety features of the collaborative operation shall result in a protective
stop in accordance with 5.3.8.3. Autonomous operation shall not be resumed after such a stop until reset by a
deliberate restart action outside the collaborative workspace.
5.11.5.2 Safety-rated monitored stop
If there is no person in the collaborative workspace the robot operates autonomously. If a person enters the
collaborative workspace the robot shall stop moving and maintain a safety-rated monitored stop in accordance
with ISO 10218-1 in order to allow direct interaction of an operator and the robot (e.g. loading a part to the
end-effector).
5.11.5.3 Hand guiding
Hand-guided operation shall be permitted, provided that the following requirements are met:
a) when the robot reaches the hand-over position, a safety-rated monitored stop, in accordance with
ISO 10218-1, is issued;
b) the operator shall have a guiding device that meets the requirements of ISO 10218-1 to move the robot to
the intended position;
c) the operator shall have clear visibility of the entire collaborative workspace;
d) when the operator releases the guiding device, a safety-rated monitored stop in accordance with
ISO 10218-1 is issued.
5.11.5.4 Speed and separation monitoring
Robot systems designed to maintain a safe separation between the operator and the robot in a dynamic
manner shall use robots that comply with the requirements of ISO 10218-1.
Robot speed, minimum separation distance and other parameters shall be determined by risk assessment.
NOTE Additional information and guidance on collaborative robot operations will be contained in ISO/TS 15066
(currently under preparation).
5.11.5.5 Power and force limiting by design or control
Robot systems designed to control hazards by power or force limiting shall use robots which comply with
ISO 10218-1.
Parameters of power, force, and ergonomics shall be determined by risk assessment.
NOTE Additional information and guidance on collaborative robot operations will be contained in ISO/TS 15066
(currently under preparation).
5.12 Commissioning of robot systems
5.12.1 General
A commissioning plan shall include information for protective measures for persons during commissioning of
robot systems. These measures may also apply to robot systems after significant changes or after
maintenance that could affect their safe operation.
5.12.2 Selection of interim safeguards
Interim safeguards shall protect personnel against the same hazards as originally identified by the risk
assessment. If the intended safeguards are not yet available or in place prior to initiating power-on start-up
testing and verification, an appropriate means of safeguarding shall be in place before proceeding.
NOTE During the initial assembly of a robot cell, protection might be required before all the final safeguards are
installed. Therefore, it is advisable that alternative safeguarding, such as chains or portable walls, be put in place to
provide effective protection for personnel during the initial start-up of the equipment. Factors to consider in selecting the
alternative safeguards can include: training level of personnel involved, time period of this interim situation, accessibility of
this cell to other personnel, the type of equipment operating, which equipment is operating at a given time, and hazards
presented by this equipment.
As a minimum, awareness barriers shall be installed to define the restricted space.
All interim safeguards shall be identified in the information for commissioning and included in the information for use.
Interim safeguards and protective measures could include:
a) the same as for the finished system, but installed in an interim manner;
b) different devices used in optional applications;
c) temporary obstructions;
d) specific written procedures;
e) awareness means;
f) specific training.
5.12.3 Initial start-up procedure plan
An initial start-up procedure shall be established and shall include, but not necessarily be limited to, the
following:
a) It shall be verified before applying power, that the following have been installed as intended:
1) mechanical mounting and stability;
2) electrical connections;
3) utility connections;
4) communications connections;
5) peripheral equipment and systems;
6) limiting devices for restricting the maximum space.
b) Instructions shall be provided that all persons shall exit the safeguarded space prior to applying drive
power.
c) It shall be verified after applying power that:
1) emergency stop circuit/devices are functional;
2) each axis moves and is restricted as intended;
3) robot responds to basic operating system motion commands as expected;
4) awareness means (audio/visual) function as expected;
5) all safeguarding devices or interim safeguards function as expected;
6) reduced speed control is activated and functioning as expected.
NOTE This is especially critical during initial power-on to ensure that the robot and equipment move/operate in the
expected manner.