KANBrief 2/23

Revision of EN ISO 10218, Safety requirements for industrial robots

Advances in recent years in materials science and developments in automation and drive technology have made industrial robots more powerful, versatile and cost-effective. To bring the safety requirements into line with these developments, the EN ISO 10218 series of standards has been thoroughly revised. A new approach to risk assessment was taken here.

Industrial robot systems are increasingly being used in a much wider range of applications beyond the familiar uses in automotive production, such as welding, painting or palletizing. Reasons for this include improvements to sensor technology and the application of control systems with greater performance, including those implementing artificial intelligence.

EN ISO 10218, Robotics – Safety requirements, Industrial robots, describes and explains safety requirements suitable for application in the field. Part 1 of the series of standards contains requirements for industrial robots, Part 2 requirements for applications such as robot systems, robot cells, etc. Owing to their status as harmonized standards, both parts give rise to a presumption of conformity with the essential health and safety requirements of the Machinery Directive 2006/42/EC.

Revision of EN ISO 10218, which has now been in progress for almost five years, had the following objectives:

  • Maintaining the standards' status as harmonized standards. Two-thirds of the world may not necessarily require this, but it is very important for the EU, and all robot manufacturers and many integrators wish this status to be retained. (Integrators equip a robot with tools and integrate it physically, electrically and/or by the use of control systems into the defined working environment. Only then does it become a complete machine and may bear CE marking.)
  • Correcting errors and taking account of technological developments and the results of scientific research.
  • Specification of more detailed requirements for collaborative applications.
  • Formulation of flexible requirements by which the safety can be adapted to different application risk levels.

Both parts will become longer and more detailed as a result of the revision. Firstly, many requirements have been added that reflect certain essential health and safety requirements of the Machinery Directive. Secondly, the supporting documents ISO/TS 15066 (containing additional requirements concerning the safety-related design of collaborative robot applications) and ISO/TR 20218-1 and -2 (containing additional information and guidance on the safe design of gripper end-effectors and manual load/unload stations of robot systems) have been incorporated into Part 2 of the series of standards.

New approach to functional safety

Owing to the wide range of applications for industrial robot systems, it is not always possible to list all significant hazards, hazardous situations or incidents that may arise. Furthermore, applications of the same type may differ in their risk levels, depending on their design and the application scenario. This may lead to differences in the requirements for the performance of safety functions which appear at first glance to be at variance with the rigid requirements of the current standard.

It follows that revision of the standard should not result in a rigid requirement being stated for the safety function's performance. Nor should the standard specify which of the possible methods is to be used to determine the required Performance Level, since this would constrain users of the standard unnecessarily. Instead, the Performance Level should be derived from a risk assessment that takes account of the risk elements described in ISO 12100. A normative annex sets out the ranges, thresholds and other parameters to be applied for this purpose. This new standardization approach is intended to resolve the discrepancies described above and permit scalable solutions for safe industrial robot applications.

Robot design

The revised standards now include requirements concerning the mechanical strength and the materials used. The materials selected must be suitable for the use of the robot and the robot application, including its foreseeable misuse, its properties, etc. The design must reduce corners, edges and protrusions to a minimum, and give consideration to wear and fatigue of the material.

The standards now include requirements concerning safe handling, storage, transport and packaging of robots and components, and their stability. These measures are intended to reduce hazards arising during the handling of components to a minimum. Also new are the requirements for limiting the temperature of touchable surfaces and providing protection against fire.

Safety requirements have been added for the use of electrical, pneumatic and hydraulic energy. These requirements govern the scenario of power loss or change. They also govern behaviour in the event of component malfunction or failure, particularly where a combination of power failure and gravity may cause unexpected hazardous movement of the manipulator (the moving part of the robot to which the tool is attached). Where necessary for safety reasons, a safety function must be provided to check the position holding function. It must be possible for robots to be locked or secured in the de-energized position.

The standards further contain specific requirements governing, for example, adjustment of the tool centre point (TCP), safety settings determined by the load, and special equipment to be supplied with the robot where required for safe adjustment and maintenance and for safe use.

Part 1 of the standard defines two robot classes. Class I covers robots with a maximum total manipulator mass of 10 kg, a force of 50 N and a velocity of 250 mm/s. All robots with higher values are covered by Class II. Class I robots, the testing methodology for which is described in Annex E, are subject to much lower requirements.

Cybersecurity

Should the cybersecurity assessment reveal that unauthorized access to the control system presents security risks, appropriate protective measures must be taken. Part 1 lists appropriate measures to be taken by the robot manufacturer. For further information and requirements, Part 1 makes reference to the IEC 62443 series of standards, Security for industrial automation and control systems. Security Level 2 to IEC 62443 is generally assumed adequate for parts of the control system that may affect safety (start, stop, change of safety settings, etc.), Security Level 1 for other parts.

Control and operating modes

Certain requirements have been added for control of the robot functions. Only one control station may be active at any one time (including the control stations for remote access). Operating modes and their safety requirements are now described more clearly in both standards. Mere selection of the operating mode is not considered a safety function, only its activation. These requirements prevent hazards from being caused by incorrect mode selection, without the need for additional, complex measures to be implemented on the programming devices.

Robots must have at least two operating modes: manual mode (programming) and automatic mode (execution of the program). The option of manual high-speed operation with protective devices partially de-activated (process observation), as provided for in previous editions of the standard, is no longer permitted.

Any portable control station (teach pendant, control panel, smartphone, tablet, etc.) capable of initiating motion or other potentially hazardous situations must possess an emergency stop function to ISO 13850 and a 3-stage enabling button (normal machine operation, disabling of movable guards, machine stop when the button is released or fully depressed). These requirements do not apply to control stations that perform monitoring functions only and are not able to initiate any movements or functions or control the robot (e.g. smartphones or tablets used for quality control purposes). An enabling button is now mandatory for all portable operator stations for Class II robots.
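The three control requirements just described, namely exclusive control by a single station (local or remote), mode selection being distinct from mode activation, and a three-position enabling device on any portable station that can start motion, can be modelled as a small arbitration state machine. The following Python is an added illustration written for this article; it is not code from the standard, from KAN or from SICK. The class and method names, the assumption that every portable motion-capable station carries an enabling device (as required for Class II robots), and the sample stations are constructed for the example.

```python
"""Added illustration of control-station arbitration and enabling-device gating.

Not part of EN ISO 10218 or the KANBrief article; names and structure are
assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EnablingPosition(Enum):
    """Positions of a three-position enabling device (assumed model)."""
    RELEASED = "released"            # position 1: not actuated -> stop
    MID = "mid"                      # position 2: held in the centre -> enable
    FULLY_PRESSED = "fully_pressed"  # position 3: pressed through -> stop


class Mode(Enum):
    MANUAL = "manual"        # programming
    AUTOMATIC = "automatic"  # execution of the program


@dataclass
class ControlStation:
    name: str
    portable: bool
    can_initiate_motion: bool
    remote: bool = False
    enabling: EnablingPosition = EnablingPosition.RELEASED


class RobotController:
    """Arbitrates control stations, mode activation and motion enable."""

    def __init__(self) -> None:
        self.active: Optional[ControlStation] = None
        self.selected_mode: Optional[Mode] = None  # selection only, no effect
        self.mode: Mode = Mode.MANUAL              # the activated mode

    def request_control(self, station: ControlStation) -> bool:
        # Exclusivity: a second station, local or remote, is refused while
        # another station holds control.
        if self.active is not None and self.active is not station:
            return False
        self.active = station
        return True

    def release_control(self, station: ControlStation) -> None:
        if self.active is station:
            self.active = None

    def select_mode(self, station: ControlStation, mode: Mode) -> None:
        # Selecting a mode is not a safety function and changes nothing yet.
        if self.active is station:
            self.selected_mode = mode

    def activate_mode(self, station: ControlStation) -> bool:
        # Activation is the safety-relevant step and is only accepted from
        # the station that currently holds control.
        if self.active is not station or self.selected_mode is None:
            return False
        self.mode = self.selected_mode
        return True

    def motion_permitted(self, station: ControlStation) -> bool:
        if self.active is not station:
            return False  # a station without control cannot start motion
        if not station.can_initiate_motion:
            return False  # monitoring-only devices (e.g. QC tablet) never do
        if station.portable:
            # Released and fully depressed both mean "stop"; only the centre
            # position of the enabling device permits motion.
            return station.enabling == EnablingPosition.MID
        return True


if __name__ == "__main__":
    ctrl = RobotController()
    pendant = ControlStation("teach pendant", portable=True, can_initiate_motion=True)
    remote = ControlStation("remote access", portable=False,
                            can_initiate_motion=True, remote=True)
    print("pendant takes control:", ctrl.request_control(pendant))
    print("remote while pendant active:", ctrl.request_control(remote))
    pendant.enabling = EnablingPosition.MID
    print("motion with enabling held:", ctrl.motion_permitted(pendant))
    pendant.enabling = EnablingPosition.FULLY_PRESSED
    print("motion with panic grip:", ctrl.motion_permitted(pendant))
```

The check that matters for the remote-access case is in `request_control`: a remote station is treated exactly like a local one and is refused while any other station holds control, so the exclusivity rule cannot be bypassed over the network path.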

Safety functions

The additional functional safety requirements are among the significant changes to the series of standards. Some of the safety functions stated in Part 1 are mandatory, others are dependent on whether a particular functionality is provided, and others still are optional. A new feature is the normal stop function, as required by Annex I (1.2.4.1) of the Machinery Directive.

Annex C describes all safety functions required to mitigate significant risks. For this purpose, the respective triggering event and intended result are stated, i.e. the response of the safety-related parts of the control system to detection of a fault.

For a robot compliant with Part 1 of the standard, the Performance Levels to ISO 13849-1 stated in Annex C must be used. For robot applications compliant with Part 2, two alternatives exist. Each safety function must meet either the requirements of Annex C1, or the required Performance Level (PLr) resulting from a risk assessment based on the detailed risk parameters and threshold values according to Annex C2.

Application of these risk parameters is mandatory. Users of the standard are however free to choose which risk assessment method they use for this purpose. The method must satisfy the requirements of ISO 12100, sub-clause 5.5. This approach results in the required performance of the safety-related parts of the control system being specified uniformly and verifiably, and yields similar results for comparable applications.

Safety functions for collaborative applications

"Collaborative operation" and similar terms have been deleted from both documents, as they describe only the type of application and not the mode or a property of the robot. Experts agree that there is no such thing as a "collaborative robot" or a "collaborative mode," and certainly no such thing as a speed that can be termed "collaborative".

For safe collaborative applications, the series of standards now describes only three different safety functions: hand guiding control (HGC), speed and separation monitoring (SSM) and power and force limiting (PFL). The fourth function originally described, "monitored safe stop", is no longer listed, as it is also required in many non-collaborative applications for the avoidance of unintended starting.

Part 1 describes in detail the requirements for the PFL, SSM and HGC safety functions provided by robot manufacturers. Part 2 contains the requirements for incorporating these safety functions into collaborative applications that use PFL, SSM, or HGC.

Annexes

Both parts of the standard contain numerous annexes. In particular, the annexes concerning safety functions and the associated requirements, verification and validation of risk-reduction measures, test methods for stopping time and stopping distance, and the test methodology for Class I robots are normative and thus binding for compliance with the standard.

Outlook

Final drafts of the two parts were submitted in March 2022 to the HAS Consultant for evaluation. Should the result of the evaluation be favourable, they will be submitted to ISO and CEN for final voting. The time from adoption to publication and harmonization depends on ISO and the European Commission. In the best-case scenario, publication of the ISO standard can be anticipated for the second or third quarter of 2023. A time frame for listing of the standards in the Official Journal of the EU cannot be stated at present.

The final drafts also contain content consistent with certain additional requirements of the new EU Machinery Directive. However, some requirements are not supported, for example concerning the application of self-developing AI in safety functions, or certain requirements concerning mobile autonomous machinery and the cybersecurity of hardware.

Otto Görnemann, Expert for machine safety – standards and guidelines
SICK AG – Waldkirch
otto.goernemann@sick.de