How do I perform a compliant robot cell risk assessment using ISO 12100 and ISO 10218?

A compliant risk assessment follows ISO 12100’s three‑step process (identify hazards, estimate and evaluate risk, reduce risk) and documents conformance to ISO 10218 clauses for industrial robots. Start with a function-based inventory (robot, end‑effector, tooling, human tasks) and map hazardous events (collision, crushing, ejected parts, failure modes). Use structured techniques: FMEA for failure modes, task‑based HAZOP for human interaction, and the risk graph from ISO 13849‑1 to screen safety function severity. Apply the risk reduction hierarchy: inherently safe design, safeguarding, and information for use. Record target Performance Levels (PL) or SILs and residual risk justification. Deliverables should include the risk assessment file, control measures, verification plan, and traceability to standards (ISO 12100, ISO 10218‑1/2, ISO 13849, IEC 62061).

What factors determine choosing fences, light curtains, area scanners, or collaborative modes for safeguarding?

Selection depends on access frequency, required productivity, operator tasks, robot speed/reach, and residual risk. Fixed fencing with interlocked doors (forced‑guided locks such as Schmersal) is best for high‑speed, non‑frequent access. Light curtains (Keyence GL‑R / SICK) are suited to point access where approach direction is predictable, but you must calculate protective distance per ISO 13855 using robot stopping time. Area scanners or safety cameras (SICK SafetyEYE, Pilz SafetyEYE) enable dynamic zones and speed‑and‑separation monitoring, supporting shared spaces at reduced speed. Power and force limiting (ISO/TS 15066) is only appropriate if contact risk is tolerable and validated. Consider maintenance access (safety‑rated monitored stop or interlocked gate), and always verify the chosen safeguard against ISO 10218 requirements and the risk assessment.

How do I apply ISO/TS 15066 for collaborative robot contact testing and limits?

ISO/TS 15066 supplements ISO 10218 for collaborative applications by defining four collaborative modes and giving guidance for power/force limiting (PFL) testing. To apply it, first justify the collaborative mode (PFL, speed & separation, safety‑rated monitored stop, hand‑guiding) in the risk assessment. For PFL, conduct empirical contact tests with representative tooling and calibrated sensors (ATI Nano/Minimik force‑torque sensors or similar) against anthropomorphic test artifacts per TS 15066 Annex B. Measure peak force, pressure, and pressure–time curves for specific body regions and compare against the tissue tolerance values in the standard. Document instrumentation, test setup, sample size, and acceptance criteria. If measured values exceed limits, implement additional safeguards (reduced speed, padding, or interlocks).

How do I determine required Performance Level (PL) or SIL for robot safety functions?

Determine PL/SIL by: (1) specifying each safety function (e‑stop, guarded door interlock, speed reduction, safe stop), (2) assessing severity, frequency/exposure, and possibility of avoidance per ISO 13849‑1 or IEC 62061, and (3) using the ISO 13849 risk graph or IEC 62061 quantitative method to set a required PLr or SILr. Select architecture and components to achieve that PL (categories B, 1–4) and calculate diagnostic coverage, MTTFd and common‑cause factors using tools such as SISTEMA (for PL) or exida (for SIL). Choose devices with appropriate ratings (Pilz PSS, Siemens S7‑1500F, Rockwell GuardLogix) and include diagnostic diagnostics and redundancy as needed. Document calculations and verification evidence in the safety dossier.

What are the commissioning and validation tests required to sign off a robot cell per ISO 10218 and ISO 13849‑2?

Validation requires a structured verification and functional testing program per ISO 10218 and ISO 13849‑2. Typical tests: interlock and door function checks, emergency stop and safe stop timing and channel checks, safety‑function proof tests, protective distance verification (measure robot stopping time and confirm ISO 13855 distance), force/pressure testing for collaborative cells (ISO/TS 15066), reach/space mapping to confirm virtual fences, and software safety function tests (PL logic, diagnostics). Use calibrated measurement tools (oscilloscope, high‑speed camera, force/torque sensors, encoder logs). Produce FAT/SAT reports, a validation matrix mapping tests to requirements, and residual risk documentation. Maintain a safety dossier with test records, component certificates, V&V signoffs, and a maintenance/proof‑test schedule.

How do I implement speed and separation monitoring to allow safe human‑robot coexistence?

Speed and separation monitoring combines a detection system (safety camera, 3D scanner, or safety PLC with area scanner) and the robot controller’s Safe Motion functions. Standards: ISO 13855 for protective distances and ISO/TS 15066 for collaborative interaction. Implement using products such as Pilz or SICK SafetyEYE with a certified safety controller (Pilz PSS, Siemens S7‑1500F). Calculate protective distance S = K × T + C (K = approach speed, T = stop/perception time, C = intrusion allowance) per ISO 13855, and set dynamic speed reductions as the human enters the monitored zone. Validate with real‑world tests—measure end‑effector stopping time, sensor latency, and ensure the combined system achieves the required PL/SIL and prevents hazardous contact.

What software and robot‑side measures reduce risk through task segregation and safe programming?

Safe programming reduces risk by segregating hazardous motions and enabling predictable robot behavior. Use soft axis limits, cartesian virtual fences, reduced speed zones, and task sequencing to ensure human tasks occur only in safe states. Implement safety functions in the robot controller (Universal Robots Safety features, FANUC/Yaskawa OEM safety packages or controller safety options) and supervise with a safety PLC for interlocks and mode selection. Employ tool center point (TCP) monitoring, collision detection with low latency, and dwell checks for tool changes. Version control, change management, and certified libraries for safety functions are essential. Document safe states, operator procedures, and include simulated validation (robot cell simulation and offline programming) before live commissioning.

What are best practices for emergency stop design, wiring, and testing to meet ISO 13850 and ISO 13849?

Emergency stop design must follow ISO 13850 and be implemented as a safety function under ISO 13849. Use dual‑channel, monitored E‑stop circuits wired to a safety controller or redundant safety relays (Pilz PNOZ, Schmersal, Sick Flexi Soft), ensuring category and PL meet the risk assessment (often Category 3/4, PL d or e). Locate E‑stop devices for immediate reach; provide local and remote E‑stop points and visible status indicators. Validate response times by measuring from push to monitored stop with an oscilloscope and robot encoder logs; include debouncing and diagnostics to detect short‑circuits and cross faults. Establish routine proof‑test intervals and maintain test records in the safety dossier to satisfy functional safety requirements and regulatory audits.

Robot Cell Safety Design: Standards & Best Practices

Robot Cell Safety Design

This guide describes standards, technical requirements, and proven engineering practices for designing safe robotic workcells. It synthesizes the latest revisions of robot-specific standards (including ISO 10218-1:2025 and ISO 10218-2), collaborative robot guidance (ISO/TS 15066), mobile-robot integration (ANSI/RIA R15.08), and recent autonomous-systems guidance (IEEE 7009‑2024). The material targets automation engineers, integrators, and safety specialists who must deliver compliant, maintainable, and auditable robot cells in manufacturing and research environments.

Key Concepts

Effective robot cell safety begins with a disciplined application of standards and a risk-based engineering process. The core technical principles are:

Hierarchy of risk control—prioritize inherent safety by design, then guards and protective measures, and finally information for safe use (training, procedures). This hierarchy aligns with ISO 12100 and the flow used across ISO 10218 parts.[1]
Lifecycle thinking—consider hazards during commissioning, normal operation, maintenance, foreseeable misuse, and decommissioning. ISO 10218 and ANSI/RIA guidance explicitly require lifecycle analysis and documentation.[1]
Standards layering—apply type A standards (general principles, e.g., ISO 12100), type B standards (generic safety requirements for specific technologies, e.g., IEC 60204‑1 for electrical safety), and type C standards (robot-specific such as ISO 10218) with precedence for Type C when robot-specific hazards exist.[1]
Functional safety and fault tolerance—implement redundant detection and safe degradation strategies following IEEE 7009 recommendations for fail-safe design of semi-autonomous systems.[2]
Collaborative operation boundaries—define clear collaboration and non-collaboration zones, enforce speed/force limits, and validate contact forces against biomechanical thresholds from ISO/TS 15066.[1][3]

Standards and Regulatory Framework

Several international and industry standards direct robot cell safety. Key documents and their roles:

ISO 10218‑1:2025—specifies safety requirements for industrial robots as partly completed machinery, focused on inherent design, error detection, and protective device interfaces. Use this for design and manufacturer responsibilities.[4]
ISO 10218‑2—covers system integration: risk assessment, safeguarding of the workcell, validation, and operator interfaces. This part governs integrators and end users for safe installation and operation.[1]
ISO/TS 15066—provides biomechanical data and practical limits for collaborative robots including power/force limiting thresholds and guidance for hand-guiding modes. It specifies transient/contact thresholds (e.g., torso contact guidance) and how to test force-limiting systems.[1][3]
ANSI/RIA R15.08—addresses industrial mobile robots and integration in mixed systems; includes navigation safety and partitioning of responsibilities between manufacturers, integrators, and operators.[1]
IEEE 7009‑2024—recommends methods for fail-safe and fault-tolerant behaviors of autonomous/semi-autonomous systems to ensure safe degradation and anomaly detection in robot cells with autonomy aspects.[2]

Implementation Guide

Implementing a safe robot cell follows a repeatable engineering process: risk assessment, architecture selection, hardware and control implementation, validation, and documentation. The steps below expand each phase with standards-aligned detail.

1. Initial Risk Assessment

Perform a documented risk assessment per ISO 10218‑2 and ISO 12100. Key steps include:

Identify hazards: mechanical (crush, impact, shear), electrical, pneumatic, thermal, falling objects, human error, and software anomalies.
Estimate risk: consider severity, frequency, exposure time, and possibility of avoidance. Use the conservative metrics recommended by ISO/TS 15066 for collaborative contacts (force/pressure vs. body region).
Apply risk reduction hierarchy: redesign to eliminate hazards where possible; if not, add guards and protective devices; finally, apply administrative measures.
Document foreseeable misuse and all lifecycle phases (commissioning, maintenance, cleaning, emergency scenarios).

According to recent analyses, a robust risk assessment will explicitly enumerate failure modes, the assumed operator experience level, and frequency of exposure for each task to support selection of appropriate safeguarding categories.[1]

2. Architectural and Safeguarding Selection

Select safeguards based on the determined risk reduction needed. Common solutions and requirements include:

Fixed guards and interlocked doors—use to prevent access during hazardous robot motion. Comply with EN ISO 14120 for guard design and ensure interlocks meet safety category requirements described in ISO 10218‑2.[1]
Light curtains/area scanners—employ safety-rated devices (e.g., SIL or PL-certified) for presence detection; confirm safety distances using calculated stopping times and speeds per ISO 13855 guidance and ISO 10218 stop-time requirements.[1]
Speed and separation monitoring—for collaborative cells, implement speed-reduction or separation monitoring so that approach speeds near humans remain within validated limits (for example, speeds <250 mm/s are commonly used as reduced-speed thresholds in proximity).[1]
Power and force limiting—for collaborative robots apply ISO/TS 15066 limits (force and pressure thresholds). Typical guidance notes transient contact force targets (e.g., peaks <150 N for torso impacts in some scenarios and commonly <220 N for power/force limiting strategies) and require validation testing.[1][3]
Control architecture—use safety-rated controllers, dual-channel E-stops, safety-rated encoders or position sensors, and redundant safety paths to meet required performance levels (e.g., PL d/PL e or SIL 2/SIL 3 depending on risk outcome).

3. Hardware and Control Implementation

Implement control logic and hardware to achieve required performance levels (PL/SIL). Practical measures include:

Safety PLCs or safety-rated motion controllers with separate safety I/O channels.
Redundant position feedback (safety-rated encoders) for speed and position monitoring consistent with ISO 10218‑1 requirements for error detection.[1]
Dual-channel emergency stop circuits and monitored contactors that provide safe torque off (STO) for drives where applicable.
Validated sensor fusion for presence detection (e.g., 3D cameras + LIDAR + safety scanners) when using AI or SLAM components—follow IEEE 7009 guidance to detail fail-safe reactions for sensor anomalies.[2]

4. Commissioning and Validation

Validation must demonstrate that implemented safeguards achieve the risk reduction predicted in the assessment. Required actions include:

Functional safety tests: verify stop times, safe stop behavior, muting/unmuting logic, and E-stop response. Record measured stop times and safety distances.
Force and pressure validation: for collaborative modes, conduct contact force tests across the range of expected payloads and approach velocities and record results quarterly or after major changes as recommended in industry best practices.[1][3]
Failure mode testing: simulate sensor failures, network faults, and drive faults to verify safe degradation strategies described in IEEE 7009.[2]
Operator acceptance and training: document training curricula and competency evaluations per ISO 10218‑2 requirements for information for use.

Best Practices

From field experience and standards guidance, these best practices increase reliability and reduce long-term risk:

Document everything—maintain a traceable file: risk assessment, design decisions, validation test results, change history, and maintenance logs. This supports regulatory audits and product liability defense.
Use measurable acceptance criteria—define pass/fail criteria numerically: stopping distance ≤ X mm at Y speed, contact force ≤ Z N, encoder position accuracy ±X mm, etc.
Quarterly validation for collaborative cells—perform force-limiting retests whenever cobot payloads, end-effectors, or software changes; many integrators adopt quarterly schedules for active collaboration cells.[1][3]
Integrate ergonomics into handoffs—for collaborative or humanoid systems, design tooling and transfer geometry to avoid awkward postures and unstable loads; the Robot Report recommends expanding standards to cover ergonomics and stability explicitly.[3]
Plan for maintainability—design safe access points for routine maintenance that avoid placing personnel in high-risk zones; add lockout/tagout (LOTO) procedures consistent with ISO 10218 and local regulations.
Apply performance metrics—measure mean time between safety-related incidents, time-to-recover-safe-state, and false-positive detection rates for presence sensors to drive continuous improvement.

Safeguarding Technologies Comparison

Safeguard Type	Typical Use	Standards / Notes	Key Performance Metrics
Fixed Guarding & Interlocks	High-speed traditional robots	EN ISO 14120; ISO 10218‑2	Interlock response ≤ required stop time; mechanical strength per EN 953
Light Curtains	Access point protection	ISO 13855 placement; safety category per ISO 13849	Resolution, response time, protection field height
Safety Scanners / Area Detection	Speed & separation monitoring	ISO 10218‑2; ISO/TS 15066 for collaborative zones	Detection range, field muting logic, false alarm rate
Power & Force Limiting (Cobots)	Direct human–robot contact	ISO/TS 15066	Peak contact force (N), pressure (N/cm²), contact duration
Safety PLC / Controller	Centralized safety logic	IEC 61508 / ISO 13849 for PL/SIL mapping	Diagnostic coverage, reaction time, voting architecture

Specification Example: Collaborative Limits

Parameter	Typical Guidance	Source
Maximum transient contact force (upper body)	<150 N for some torso contacts; site-specific biomechanical assessment required	ISO/TS 15066 guidance
Power/Force Limiting threshold	Typically <220 N for power/force limiting applications; validated per task	ISO/TS 15066
Reduced approach speed	<250 mm/s in close-proximity collaborative zones (common engineering practice)	Industry best practices informed by ISO/TS 15066 and integrator guidance
Validation frequency	Initial commissioning + quarterly revalidation or after system changes	Integrator best practice; recommended by industry analyses

Validation and Commissioning

Commissioning must produce repeatable, auditable evidence that safety requirements are met:

Recordings of safety tests: video plus log files showing stop times, sensor states, and safety event timestamps.
Force-measurement data archive for collaborative contacts: load cell traces and calibration certificates for measurement equipment.
Failure simulations and corrective actions: documented test cases used to exercise sensor faults, network outages, and drive errors, and confirmation of safe fallback behaviors per IEEE 7009 recommendations.[2]
Operator training signoffs and maintenance checklists with periodic inspection intervals.

Mobile and Autonomous Systems

When robots are mobile or semi-autonomous (e.g., AGVs with manipulators, mobile cobots), integrate additional controls and follow ANSI/RIA R15.08 and IEEE 7009:

Partition responsibilities: manufacturer for base vehicle, integrator for manipulator and cell-level interaction, operator for procedures—this aligns with ANSI/RIA parts 1–3.[1]
Navigation safety: use certified obstacle detection, speed-limiting in shared zones, and clear right-of-way rules; designate charging/maintenance bays with physical separation.
Autonomy fail-safe: implement anomaly detection with safe-stop behaviors and safe-state fallbacks defined and exercised as described in IEEE 7009‑2024.[2]

Summary

Designing safe robot cells requires a structured, standards-aligned approach: adopt ISO 10218 parts 1 and 2 for robot and cell requirements, apply ISO/TS 15066 for collaborative interactions, use ANSI/RIA guidance for mobile robots, and incorporate IEEE 7009 methods for fail-safe behavior of autonomous functions. Execute a thorough risk assessment, select appropriate safeguarding technologies, implement safety-rated control architectures, and validate with measurable acceptance criteria. Maintain auditable documentation and periodic revalidation to ensure ongoing compliance and safe operation.

References and Further Reading

From Safety Standards to Safe Operation with Mobile Robots — arXiv (2502.20693v1) (summary tables of ISO 10218, ISO/TS 15066, ANSI/RIA R15.08 and lifecycle analysis). [1]
IEEE Standards Initiative: Autonomous/Intelligent Systems (includes IEEE 7009‑2024 guidance on fail-safe design for autonomous systems). [2]
Related Platforms
ABB FANUC Omron
Related Services
Safety Systems Industrial Robotics

Robot Cell Safety Design: Standards and Best Practices