Robotics and Collaborative Robot Standards
The integration of robots into manufacturing environments and increasingly into service applications brings transformative productivity benefits alongside significant safety challenges. Unlike traditional industrial machinery that operates behind guarding, collaborative robots (cobots) are specifically designed to work alongside human operators, sharing workspace and even physical contact during tasks. This fundamental shift in human-robot interaction demands rigorous safety frameworks that balance operational flexibility with worker protection.
The safety landscape for robotics is governed by a comprehensive hierarchy of international standards, with ISO 10218 establishing fundamental robot safety requirements and ISO/TS 15066 providing detailed technical specifications for collaborative operation. These standards define not only technical requirements for robot design and control systems but also the methodologies for risk assessment, the responsibilities of system integrators, and the validation procedures that ensure safe deployment. Understanding and implementing these standards is essential for anyone involved in robot design, integration, deployment, or maintenance.
This article provides comprehensive coverage of robotics and collaborative robot safety standards for engineers, system integrators, safety professionals, and end users. Topics include ISO 10218 robot safety requirements, ISO/TS 15066 collaborative operation specifications, biomechanical force and pressure limits, speed and separation monitoring, safety-rated monitored stop, hand guiding requirements, risk assessment methodologies, workspace sharing approaches, protective measures, validation methods, integrator responsibilities, maintenance safety, teaching pendant safety, mobile robot standards under ISO 3691-4, and emerging service robot requirements.
ISO 10218 Robot Safety Fundamentals
Overview and Scope
ISO 10218 is the foundational international standard for industrial robot safety, published in two parts that address robot manufacturers and robot system integrators respectively. Part 1 (ISO 10218-1) specifies requirements for the inherently safe design, protective measures, and information for use of industrial robots, establishing what robot manufacturers must provide. Part 2 (ISO 10218-2) addresses the safe integration of robots into complete systems, including installation, safeguarding, commissioning, and maintenance requirements.
The scope of ISO 10218 encompasses industrial robots as defined in ISO 8373, including manipulating industrial robots that are automatically controlled, reprogrammable, multipurpose manipulators programmable in three or more axes. The standard covers single robots and multi-robot systems, addressing hazards arising from robot operation including those associated with robot programming, testing, maintenance, and repair. The standard applies throughout the lifecycle from design through decommissioning.
ISO 10218 establishes a risk-based approach to safety where specific safety measures are determined through comprehensive risk assessment rather than prescriptive rules. The standard requires that hazards be identified, risks estimated and evaluated, and appropriate protective measures implemented following the hierarchy of inherently safe design, safeguarding, and complementary protective measures. This methodology ensures that safety measures are proportionate to actual risks rather than being over or under-protective.
The relationship between ISO 10218 and other standards creates a comprehensive framework. ISO 12100 provides the fundamental risk assessment methodology. IEC 62443 addresses cybersecurity for industrial automation. Regional standards and directives such as the European Machinery Directive incorporate ISO 10218 requirements. Understanding these relationships is essential for comprehensive compliance.
Part 1: Robot Design Requirements
ISO 10218-1 establishes requirements that robot manufacturers must satisfy to enable safe integration and use. These requirements address both hardware and software aspects of robot design, including motion control, safety functions, stopping performance, and the information that manufacturers must provide to integrators.
Motion control requirements ensure that robot movements are predictable and controllable. Robots must have at least one operating mode suitable for programming and setup that limits speed and enables controlled movement. The control system must prevent unintended motion from control system faults. Stored energy in robot systems must be managed to prevent hazardous release.
Safety function requirements address the integrity of safety-related control functions. Functions such as emergency stop, protective stop, and speed limiting must meet specified performance levels determined by risk assessment. Safety functions may be implemented through hardware, software, or combinations, but must satisfy reliability and diagnostic coverage requirements appropriate to the required performance level. Safety integrity requirements follow the functional safety framework of IEC 62061 or ISO 13849-1.
Stopping performance is critical for robot safety and is categorized into three types. Category 0 stop removes power immediately, stopping motion as quickly as mechanically possible but without controlled deceleration. Category 1 stop provides controlled deceleration before removing power. Category 2 stop decelerates the robot to a standstill with power maintained for holding position. The standard specifies when each category is appropriate and the performance requirements for each.
The emergency stop function must be immediately available and meet ISO 13850 requirements. Activation must override all other control functions and result in removal of power from drive actuators. Reset must require deliberate action and must not itself initiate motion. The emergency stop system must be designed so that a single fault does not prevent the emergency stop function from operating when needed.
Manufacturers must provide comprehensive information for safe integration and use. This includes the robot's intended use and reasonably foreseeable misuse, space requirements including maximum envelope, stopping distance data under various conditions, load capacity and limitations, residual risks that integrators must address, and maintenance requirements. This information is essential for integrators to complete their risk assessment and design appropriate safeguarding.
Part 2: Integration and System Safety
ISO 10218-2 addresses the integration of robots into complete systems, recognizing that most hazards arise from the combination of robots with other equipment, workpieces, and human interaction. System integrators bear primary responsibility for the safety of the complete installation, even when using compliant robots.
Risk assessment for the complete system must consider all hazards arising from the robot application. This includes hazards from the robot itself, hazards from end effectors and tools, hazards from workpieces being processed, hazards from interaction with other equipment, and hazards from the physical environment. The assessment must consider all phases of the lifecycle including installation, programming, normal operation, maintenance, and foreseeable abnormal conditions.
Safeguarding requirements address protection of personnel from identified hazards. Perimeter guarding using fixed guards, interlocked guards, or presence sensing devices establishes the safeguarded space within which the robot operates. The safeguarded space must encompass the maximum space that can be used by all parts of the robot, including the end effector and any workpiece. Access points must be appropriately guarded to prevent exposure to hazards during operation.
Operating modes define how the robot system can be used safely. Automatic mode operates the programmed application with full safeguarding active. Manual reduced speed mode allows personnel within the safeguarded space for programming or setup while limiting robot speed and requiring enabling device operation. The standard specifies requirements for mode selection, including preventing unintentional mode changes and ensuring appropriate safeguarding for each mode.
Teaching and programming requirements address the hazards present when personnel must be near operating robots. Programming devices must include emergency stop and enabling devices. Speed during manual operation must be limited. Pendant operation should provide predictable, controllable motion. Programmers must have clear visibility of the robot and its surroundings.
Validation and verification ensure that safety requirements are properly implemented. Integrators must validate that all safety functions perform as intended under normal and fault conditions. Documentation must demonstrate compliance with requirements. Validation should include testing of safeguarding, verification of stopping performance, confirmation of safety function performance levels, and review of information for users.
Protective Stop Functions
Protective stop functions are safety functions that bring the robot to a stop in response to safety-related inputs. Unlike emergency stop, which is a manually initiated safety function, protective stops are typically initiated automatically by safeguarding devices when hazardous conditions are detected.
Safety-rated monitored stop is a protective stop function where the robot is brought to a stop and monitored to ensure it remains stationary. If unexpected motion is detected, a protective action such as emergency stop is triggered. This function enables scenarios where personnel can be present near a stopped robot, such as during collaborative applications or when personnel enter a safeguarded area with appropriate controls.
Protective stop timing and performance must be appropriate to the application risk. The total stopping time includes sensing time for the safeguarding device to detect the hazardous condition, signal transmission time, control system response time, and mechanical stopping time. Safeguarding geometry must account for this total response time to ensure that the robot has stopped before a person can reach the hazard.
Reset from protective stop must be designed to prevent hazards. Automatic restart is only permitted if there is no hazard from restart and the safeguarding device will immediately re-trigger if the hazardous condition persists. Manual reset is required when automatic restart could create a hazard. Reset devices must be positioned so that the operator can verify safety before initiating restart.
Multiple protective stop functions may be required for different safeguarding devices or zones. The control system must coordinate these functions appropriately, ensuring that the most protective response is always applied. Priority and interaction between protective functions must be clearly designed and documented.
ISO/TS 15066 Collaborative Operation
Introduction to Collaborative Robots
ISO/TS 15066 is a technical specification that provides guidance on the implementation of collaborative robot operation as introduced in ISO 10218. Collaborative operation is defined as a state in which a purposely designed robot system and an operator work within a collaborative workspace. This specification provides the detailed technical basis for safely achieving collaboration that ISO 10218 enables but does not fully specify.
The fundamental concept underlying collaborative robotics is that traditional safeguarding separates humans from robot hazards either spatially (through guarding) or temporally (through interlocks that stop the robot when personnel are present). Collaborative operation aims to allow humans and robots to occupy the same space simultaneously while maintaining safety through alternative means. This requires either elimination of hazards or their reduction to tolerable levels.
Collaborative operation does not mean that all safeguarding is removed. Rather, it means that the specific safeguarding measures are appropriate to the collaborative nature of the task. A collaborative robot application may still use some traditional safeguarding for non-collaborative portions of the task while enabling collaboration where needed. The decision of where collaboration is appropriate and how to achieve it safely is based on risk assessment.
Four collaborative operation methods are defined in the standards: safety-rated monitored stop, hand guiding, speed and separation monitoring, and power and force limiting. These methods may be used individually or in combination, selected based on the application requirements and risk assessment. Each method has specific technical requirements that must be satisfied for safe implementation.
Safety-Rated Monitored Stop
Safety-rated monitored stop for collaborative operation is an extension of the protective stop function where the robot stops before an operator enters the collaborative workspace and remains stationary while the operator is present. This method enables collaboration by ensuring that no robot motion occurs while humans are in proximity.
Implementation requires presence detection to identify when operators enter the collaborative workspace. This may be accomplished through safety scanners, safety mats, light curtains, or other presence sensing means. The detection must be safety-rated, meaning it satisfies the required performance level for the application. Detection must cover the entire workspace where the operator might be exposed to robot hazards.
When presence is detected, the robot must stop and remain stopped. The stop must be a safety-rated monitored stop that monitors for unexpected motion and triggers a protective action if motion is detected. The monitoring function must be implemented with appropriate safety integrity, typically requiring redundant sensing and monitoring of position.
Restart after the operator has left the collaborative workspace may be automatic if the risk assessment supports this, or may require manual reset. For automatic restart, the presence detection system must reliably confirm that no personnel remain in the workspace. Restart timing and velocity should not create hazards for personnel who may be nearby.
This method is appropriate when collaboration involves the operator working near the robot during stopped states, such as loading or unloading workpieces, inspecting work in progress, or performing manual operations within the workspace. It provides clear spatial separation of human and robot tasks, with humans active when the robot is stopped and the robot active when humans are outside the workspace.
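The monitoring and restart rules above can be expressed as a small state machine. The following Python is an added example written for this article, not code from the article or from any robot vendor's safety controller. It models the safety-rated monitored stop with two redundant position channels that are cross-checked every cycle, a standstill window for "unexpected motion", a latched protective stop that only a deliberate manual reset can clear, and automatic restart only where the risk assessment permits it. The tolerance values, the Sample inputs and the names StandstillMonitor, Sample and State are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    AUTOMATIC = "automatic"              # application may command motion; workspace clear
    STOPPING = "stopping"                # stop commanded, waiting for the robot to come to rest
    MONITORED_STOP = "monitored_stop"    # at rest with operator present; standstill supervised
    PROTECTIVE_STOP = "protective_stop"  # fault or unexpected motion; latched until manual reset


@dataclass(frozen=True)
class Sample:
    """One safety-controller cycle (constructed): two redundant position channels plus presence."""
    pos_a: float            # rad, position from channel A
    pos_b: float            # rad, position from channel B
    operator_present: bool  # safety-rated presence detection for the collaborative workspace


@dataclass
class StandstillMonitor:
    standstill_tol: float   # rad, displacement counted as "unexpected motion" (assumed value)
    channel_tol: float      # rad, permitted disagreement between the redundant channels (assumed)
    auto_restart: bool      # True only where the risk assessment permits automatic restart
    state: State = State.AUTOMATIC
    last_pos: Optional[float] = None   # previous sample while the robot is coming to rest
    hold_pos: Optional[float] = None   # position the robot must hold during the monitored stop
    log: list = field(default_factory=list)

    def step(self, s: Sample) -> State:
        # Redundant channels are cross-checked every cycle, in every state.
        if abs(s.pos_a - s.pos_b) > self.channel_tol:
            return self._trip("redundant position channels disagree")
        if self.state is State.PROTECTIVE_STOP:
            return self.state                      # latched; only manual_reset() clears it
        if self.state is State.AUTOMATIC:
            if s.operator_present:
                self.state, self.last_pos = State.STOPPING, s.pos_a
                self.log.append("operator detected: stop commanded")
            return self.state
        if self.state is State.STOPPING:
            # Standstill is declared once two consecutive samples agree within the window.
            if abs(s.pos_a - self.last_pos) <= self.standstill_tol:
                self.state, self.hold_pos = State.MONITORED_STOP, s.pos_a
                self.log.append("standstill reached: monitoring")
            self.last_pos = s.pos_a
            return self.state
        # MONITORED_STOP: any drift from the held position is unexpected motion.
        if abs(s.pos_a - self.hold_pos) > self.standstill_tol:
            return self._trip("unexpected motion during monitored stop")
        if not s.operator_present and self.auto_restart:
            self.state = State.AUTOMATIC
            self.log.append("workspace clear: automatic restart")
        return self.state

    def manual_reset(self, operator_present: bool) -> State:
        """Deliberate reset action; refused while the workspace is occupied.
        Returning to AUTOMATIC only re-enables the application; it commands no motion itself."""
        if operator_present or self.state is State.AUTOMATIC:
            return self.state
        self.state, self.hold_pos, self.last_pos = State.AUTOMATIC, None, None
        self.log.append("manual reset accepted")
        return self.state

    def _trip(self, reason: str) -> State:
        self.state = State.PROTECTIVE_STOP
        self.log.append(f"protective stop: {reason}")
        return self.state


if __name__ == "__main__":
    mon = StandstillMonitor(standstill_tol=0.002, channel_tol=0.001, auto_restart=True)
    for smp in [Sample(1.000, 1.0002, False), Sample(1.050, 1.0502, True),
                Sample(1.061, 1.0612, True), Sample(1.070, 1.0702, True)]:
        print(mon.step(smp).value)
    print(mon.log)
```

The channel cross-check runs before any state logic so that a sensing fault is caught even while the robot is in automatic mode, and the protective stop is latched rather than self-clearing so that a transient fault cannot silently re-enable motion while someone is still in the workspace.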
Hand Guiding Operation
Hand guiding operation allows an operator to directly move the robot using a hand-operated device located at or near the end effector. This method provides intuitive programming and guidance of robot motion by direct physical interaction, enabling skilled operators to teach paths and positions through demonstration rather than programming.
Safety requirements for hand guiding include a hand-operated device that the operator uses to command motion. This device must include an emergency stop and an enabling device that the operator must activate for the robot to move. The device should be positioned so the operator has a clear view of the robot and workspace. Force and ergonomic requirements ensure that operation does not strain the operator.
Speed during hand guiding must be a safety-rated reduced speed appropriate to the application. ISO/TS 15066 specifies that hand-guided motion should typically be limited to 250 millimeters per second, though higher speeds may be acceptable based on risk assessment considering factors such as visibility, predictability, and operator training.
Entry into hand guiding mode must be controlled. The robot must be in a safe state before hand guiding begins, typically achieved through safety-rated monitored stop. Mode selection must be deliberate and secure against unintended activation. Return to automatic operation must require specific action and confirmation.
Hand guiding differs from manual control through a teach pendant in that the operator is in direct physical contact with the robot. This proximity creates certain hazards, particularly from robot components other than the guided portion. The risk assessment must address these hazards and implement appropriate measures such as limiting motion of non-guided joints or providing appropriate clearance.
Speed and Separation Monitoring
Speed and separation monitoring is a collaborative method where the robot control system maintains a protective separation distance between the robot and the operator. If the separation decreases below the protective threshold, the robot stops or slows. This method allows the robot to operate at higher speeds when no operator is nearby while ensuring safety when operators approach.
The protective separation distance is calculated considering the robot's stopping distance at its current speed, the operator's potential movement during the stopping time, and additional margins. The formula accounts for the robot's position, speed, and direction, the operator's detected position and potential movement, response times of the detection and control systems, and uncertainty in position measurements.
Operator detection for speed and separation monitoring typically uses area scanning devices that provide location information, not just presence detection. This may include safety-rated laser scanners, 3D vision systems, or other technologies capable of locating operators within the workspace. Detection must be reliable and provide position data with sufficient update rate and accuracy.
The robot control system must continuously calculate the required separation based on current conditions and compare this to measured separation. If measured separation is less than required separation, the robot must reduce speed or stop to restore safe separation. The control system must handle multiple operators if more than one person may be in the workspace.
Implementation complexity is significant because the required separation depends on the robot's speed, which depends on the separation. Algorithms must manage this interdependence while ensuring safety. Real-time performance requirements are demanding because the control loop must respond faster than operators can move. Validation must demonstrate that the system maintains safe separation under all operating conditions.
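As an added worked example (not code from the article, from ISO/TS 15066, or from any robot controller), the following Python computes the protective separation distance of ISO/TS 15066, S_p = S_h + S_r + S_s + C + Z_d + Z_r, from the response-time budget described under Protective Stop Functions (sensing, signal transmission, control reaction, mechanical stopping) and then goes one step beyond the text: it resolves the speed/separation interdependence in closed form by solving for the largest robot speed whose required separation still fits within the measured distance. Constant-deceleration braking, the 1.6 m/s operator approach speed taken from ISO 13855, and every numeric parameter in SsmParams and EXAMPLE are assumptions made for illustration.

```python
from __future__ import annotations
import math
from dataclasses import dataclass

V_HUMAN = 1.6  # m/s, operator approach speed used by ISO 13855 for separation distances


@dataclass(frozen=True)
class SsmParams:
    """Response budget and margins for one robot/safeguard pairing (constructed values)."""
    t_sense: float      # s, time for the scanner to detect the operator
    t_transmit: float   # s, signal path from scanner to safety controller
    t_react: float      # s, controller reaction before braking begins
    a_brake: float      # m/s^2, assumed constant deceleration once braking starts
    c_intrusion: float  # m, reach into the sensing field before detection (C)
    z_d: float          # m, operator position uncertainty of the sensor (Z_d)
    z_r: float          # m, robot position uncertainty (Z_r)

    @property
    def t_r(self) -> float:
        """Reaction time T_r: everything that happens before braking starts."""
        return self.t_sense + self.t_transmit + self.t_react


def stopping_time(v_r: float, p: SsmParams) -> float:
    """T_s for constant deceleration from speed v_r to standstill."""
    return v_r / p.a_brake


def protective_distance(v_r: float, p: SsmParams) -> float:
    """S_p = S_h + S_r + S_s + C + Z_d + Z_r for a robot moving toward the operator at v_r."""
    t_s = stopping_time(v_r, p)
    s_h = V_HUMAN * (p.t_r + t_s)        # operator closes distance during the whole stop
    s_r = v_r * p.t_r                    # robot travel during the reaction time
    s_s = v_r ** 2 / (2 * p.a_brake)     # robot travel while braking
    return s_h + s_r + s_s + p.c_intrusion + p.z_d + p.z_r


def max_permitted_speed(measured_sep: float, p: SsmParams) -> float:
    """Largest v_r whose protective distance fits inside the measured separation.

    S_p(v) is a quadratic in v, so the circular dependency between required
    separation and robot speed has a closed-form solution. Returns 0.0 when even
    a stationary robot would not satisfy the distance (i.e. a protective stop).
    """
    a = 1 / (2 * p.a_brake)
    b = V_HUMAN / p.a_brake + p.t_r
    c = protective_distance(0.0, p) - measured_sep   # S_p at zero speed minus available room
    if c >= 0:
        return 0.0
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)


def control_step(measured_sep: float, commanded_speed: float, p: SsmParams) -> tuple[str, float]:
    """One cycle of the monitoring loop: keep the commanded speed, slow down, or stop."""
    v_max = max_permitted_speed(measured_sep, p)
    if v_max <= 0.0:
        return ("stop", 0.0)
    if commanded_speed > v_max:
        return ("slow", v_max)
    return ("ok", commanded_speed)


# Constructed parameter set: 200 ms total reaction time, 2 m/s^2 braking, 17 cm of margins.
EXAMPLE = SsmParams(t_sense=0.08, t_transmit=0.02, t_react=0.10, a_brake=2.0,
                    c_intrusion=0.10, z_d=0.05, z_r=0.02)

if __name__ == "__main__":
    for sep, v_cmd in [(3.0, 1.0), (1.74, 1.5), (0.4, 1.0)]:
        print(f"separation {sep:.2f} m, commanded {v_cmd:.2f} m/s ->", control_step(sep, v_cmd, EXAMPLE))
```

The zero-speed case matters: protective_distance(0.0) is not zero, because the operator still covers V_HUMAN times the reaction time and the intrusion and uncertainty margins remain, so below that distance the only safe response is a stop. In a deployed system the stopping distances come from measured data for the actual robot, payload and pose rather than the constant-deceleration model used here.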
Speed and separation monitoring is appropriate when the task requires robot motion while operators are in the vicinity but does not require direct human-robot contact. Applications include large workpiece handling where operators need access for inspection or additional operations, palletizing where operators may enter the area, and machine tending where the robot and operator share a work zone.
Power and Force Limiting
Power and force limiting is the collaborative method that allows intentional or unintentional contact between the robot and operator, with safety achieved by limiting forces and pressures to levels that do not cause injury. This method enables the closest collaboration, including direct physical interaction with the robot during operation.
The safety principle relies on biomechanical research establishing human tolerance to impact and clamping forces. ISO/TS 15066 provides specific force and pressure limits for different body regions, derived from pain onset thresholds in research studies. These limits represent the maximum forces and pressures that should occur during contact to avoid injury.
Force limiting may be achieved through inherent design or control means. Inherent design uses compliant mechanisms, low-mass construction, or torque-limiting joints that physically cannot generate hazardous forces. Control-based limiting uses force or torque sensing with control loops that limit output when contact is detected. Many collaborative robots combine both approaches.
Two contact scenarios are considered: transient contact where the operator's body part can recoil from the contact, and quasi-static contact where the operator's body part is trapped or clamped. Quasi-static contact is more hazardous because energy continues to be applied. The limits for quasi-static contact are approximately half those for transient contact.
The complete robot system including the end effector and any workpiece must be considered, not just the robot itself. Sharp edges, corners, or protrusions can concentrate force into dangerous pressure even if total force is acceptable. End effector design must ensure that contact surfaces maintain forces and pressures within limits. Workpiece handling must not create pinch points or clamping hazards.
Power and force limiting is appropriate when the task inherently requires human-robot contact or when contact is likely during normal operation. Applications include hand-guided assembly, ergonomic lifting assistance, direct teaching through physical demonstration, and tasks where operators must reach past the robot.
Biomechanical Force and Pressure Limits
Scientific Basis for Limits
The force and pressure limits in ISO/TS 15066 are derived from biomechanical research on human tolerance to mechanical loading. This research identifies pain onset thresholds, the point at which applied force or pressure begins to cause pain, as the criterion for acceptable contact. Pain onset is used rather than injury threshold because it provides a conservative margin and because people naturally withdraw from painful stimuli.
Research methods included controlled application of forces and pressures to test subjects using standardized contact areas. Subjects reported when they first experienced pain, establishing the pain onset threshold for each body region. Statistical analysis determined appropriate limit values from the distribution of individual thresholds.
Body region variation is significant. Some body regions tolerate considerably more force than others. The hand and fingers are relatively tolerant, while the throat and neck are highly sensitive. The eyes are extremely sensitive and require separate consideration. Different limits for different body regions enable design optimization while ensuring safety.
Contact area affects the relationship between force and pressure. A given force spread over a large area creates lower pressure than the same force concentrated on a small area. Both force and pressure limits apply, with the more restrictive limit governing. This dual criterion addresses both blunt impacts and contacts with edges or protrusions.
The research has limitations that should be understood. Test subjects were adults, and children may have different tolerances. Tests were conducted on healthy subjects, and people with medical conditions may be more vulnerable. The laboratory conditions may not fully represent industrial contact scenarios. These limitations support conservative application of the limit values.
Body Region Limits
ISO/TS 15066 Annex A provides specific limit values for body regions organized into major areas: skull and forehead, face, neck, back and shoulders, chest, abdomen, pelvis, upper extremities, and lower extremities. Each region has maximum permissible force and maximum permissible pressure for both transient and quasi-static contact.
The skull and forehead tolerate 130 newtons maximum force for transient contact and 65 newtons for quasi-static contact, with corresponding pressures of 190 and 145 newtons per square centimeter. These limits reflect the relatively robust structure of the skull while protecting against impacts that could cause concussion or injury.
The face has lower limits at 65 newtons transient and 45 newtons quasi-static force. The sensitive structures of the face, including the nose, cheekbones, and jaw, require this additional protection. The pressure limit is 110 newtons per square centimeter for both transient and quasi-static contact.
The neck is among the most sensitive regions with limits of 150 newtons transient and 35 newtons quasi-static force. The critical structures in the neck including the airway and blood vessels, combined with limited tissue padding, demand conservative limits. The low quasi-static limit reflects the severe consequences of sustained pressure on the neck.
The chest and abdomen have moderate limits recognizing the protection provided by the rib cage and tissue padding, while accounting for the vital organs within. Chest limits are 210 newtons transient and 140 newtons quasi-static. Abdomen limits are 180 newtons transient and 110 newtons quasi-static.
The hands and fingers are the most tolerant body region, with limits of 280 newtons transient and 140 newtons quasi-static force. This reflects the robust structure and frequent use of hands for manipulation. However, the fingers and hand are often in the immediate work zone, making these limits practically significant.
Lower extremities including upper leg, knee, lower leg, and foot have varying limits. The upper leg tolerates 500 newtons transient, the highest force limit among body regions. The knee and lower leg are more sensitive with limits around 220 and 400 newtons respectively.
Contact Scenario Analysis
Applying the biomechanical limits requires analyzing the contact scenarios that may occur in a specific application. This analysis identifies which body regions may be contacted, whether contact will be transient or quasi-static, and what effective contact area applies.
Body region identification considers the task layout and operator positioning. For a collaborative assembly task, the hands are most likely to contact the robot during normal operation. However, abnormal situations could result in contact with the arm, torso, or head. Risk assessment must consider not just normal operation but also reasonably foreseeable abnormal contacts.
Transient versus quasi-static determination depends on the geometry of the workspace. If the operator can recoil freely from contact, the contact is transient. If surrounding equipment, other parts of the robot, or workplace structures could trap the operator, the contact is quasi-static. Conservative design assumes quasi-static contact when there is any doubt.
Effective contact area depends on robot and end effector geometry. Curved surfaces distribute force over larger areas than flat surfaces. Edges and corners concentrate force into small areas. The analysis must determine the minimum contact area that could result from the most unfavorable geometry and orientation.
Pressure calculation divides the maximum force by the effective contact area. If calculated pressure exceeds limits for the body region even though force is within limits, design modifications are needed. Options include increasing the contact area through padding or curved surfaces, reducing maximum force, or changing geometry to prevent contact with edges.
Multiple contact points must be considered when the robot has complex geometry. The total force applied to the operator may be the sum of forces at multiple contact points. Each contact point must individually satisfy limits, and the combined effect must not exceed overall tolerance.
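The analysis steps above (body region, transient versus quasi-static, effective contact area, pressure, multiple contact points) can be carried out as a checklist in code. The following Python is an added example written for this article, not code from the article or from any standard body. Its limit table holds the force and pressure values as quoted in the Body Region Limits section above; regions for which the article quotes no pressure value carry None so that only the force criterion is applied to them, and the authoritative table remains ISO/TS 15066 Annex A. The Contact inputs, the region names and the helper names evaluate_contact, min_area_cm2 and evaluate_scenario are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RegionLimit:
    """Maximum permissible force (N) and pressure (N/cm^2) for one body region."""
    f_transient: float
    f_quasi_static: float
    p_transient: Optional[float] = None      # None: the article quotes no pressure value
    p_quasi_static: Optional[float] = None

    def force_limit(self, quasi_static: bool) -> float:
        return self.f_quasi_static if quasi_static else self.f_transient

    def pressure_limit(self, quasi_static: bool) -> Optional[float]:
        return self.p_quasi_static if quasi_static else self.p_transient


# Limit values as quoted in this article's Body Region Limits section.
LIMITS: dict[str, RegionLimit] = {
    "skull_forehead": RegionLimit(130, 65, 190, 145),
    "face": RegionLimit(65, 45, 110, 110),
    "neck": RegionLimit(150, 35),
    "chest": RegionLimit(210, 140),
    "abdomen": RegionLimit(180, 110),
    "hand_finger": RegionLimit(280, 140),
}


@dataclass(frozen=True)
class Contact:
    """One possible contact from the scenario analysis (constructed inputs)."""
    region: str
    force_n: float          # worst-case force the robot can apply at this point
    area_cm2: float         # minimum effective contact area for the least favourable geometry
    quasi_static: bool      # True when the body part can be trapped or clamped


@dataclass
class ContactResult:
    pressure: float                  # N/cm^2, force divided by effective contact area
    force_ok: bool
    pressure_ok: Optional[bool]      # None when no pressure limit is available for the region
    reasons: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # The more restrictive criterion governs: both must hold where both are defined.
        return self.force_ok and self.pressure_ok is not False


def evaluate_contact(c: Contact) -> ContactResult:
    """Apply the force criterion and, where a limit exists, the pressure criterion."""
    lim = LIMITS[c.region]
    pressure = c.force_n / c.area_cm2
    f_max = lim.force_limit(c.quasi_static)
    p_max = lim.pressure_limit(c.quasi_static)
    res = ContactResult(pressure=pressure, force_ok=c.force_n <= f_max, pressure_ok=None)
    if not res.force_ok:
        res.reasons.append(f"force {c.force_n:.0f} N exceeds {f_max:.0f} N for {c.region}")
    if p_max is not None:
        res.pressure_ok = pressure <= p_max
        if not res.pressure_ok:
            res.reasons.append(f"pressure {pressure:.0f} N/cm^2 exceeds {p_max:.0f} N/cm^2 for {c.region}")
    return res


def min_area_cm2(region: str, force_n: float, quasi_static: bool) -> Optional[float]:
    """Smallest contact area (padding, rounding) that keeps this force within the pressure limit."""
    p_max = LIMITS[region].pressure_limit(quasi_static)
    return None if p_max is None else force_n / p_max


def evaluate_scenario(contacts: list[Contact], simultaneous: bool = False) -> tuple[bool, list[str]]:
    """Check every contact point; for simultaneous contacts also check the summed force per region."""
    problems: list[str] = []
    for c in contacts:
        problems.extend(evaluate_contact(c).reasons)
    if simultaneous:
        totals: dict[tuple[str, bool], float] = {}
        for c in contacts:
            key = (c.region, c.quasi_static)
            totals[key] = totals.get(key, 0.0) + c.force_n
        for (region, qs), total in totals.items():
            f_max = LIMITS[region].force_limit(qs)
            if total > f_max:
                problems.append(f"combined force {total:.0f} N on {region} exceeds {f_max:.0f} N")
    return (not problems, problems)
```

The face case in the test below is the situation L83 warns about: 60 N is within the 65 N transient force limit, yet over an edge with a 0.25 cm^2 effective area it produces 240 N/cm^2, well above the 110 N/cm^2 pressure limit, and min_area_cm2 gives the contact area the end effector or padding must present (about 0.55 cm^2) to bring it back within limits.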
Measurement and Verification
Verification of force and pressure limits requires measurement of actual contact forces in representative scenarios. Measurement confirms that the robot system performs within limits and provides data for risk assessment documentation.
Measurement devices include force-measuring instruments that record impact and clamping forces. Biofidelic measurement devices that simulate human tissue compliance provide more accurate representation of actual contact conditions than rigid force sensors. ISO/TS 15066 describes measurement approaches and references appropriate instrumentation.
Test scenarios should represent the identified contact possibilities from the contact scenario analysis. Testing should include various body regions at risk of contact, various robot positions and orientations, maximum speeds and accelerations, and expected payload conditions. Both transient impact and quasi-static clamping should be tested.
Measurement location affects results significantly. The contact point on the robot, the orientation of the measurement device, and the compliance of the simulated body region all influence recorded values. Standardized test conditions enable comparison and repeatability.
Data interpretation requires understanding measurement uncertainty. Peak forces during dynamic impacts may exceed steady-state values. Averaging or filtering choices affect reported maximums. Conservative interpretation of measurements provides margin for variability in actual contacts.
Documentation of measurements should include test conditions, measurement equipment and calibration, results with analysis, and conclusions about compliance. This documentation supports the risk assessment and demonstrates due diligence in safety verification.
Risk Assessment for Collaborative Applications
Risk Assessment Methodology
Risk assessment for collaborative robot applications follows the general methodology of ISO 12100 while addressing the specific hazards and scenarios inherent in human-robot collaboration. The assessment is an iterative process of hazard identification, risk estimation, risk evaluation, and risk reduction that continues until risks are acceptably low.
Hazard identification must comprehensively cover all hazards that could arise from the collaborative application. This includes mechanical hazards from robot motion, impact, and clamping; electrical hazards from the robot and associated equipment; thermal hazards from processing operations; hazards from end effectors and tooling; hazards from workpieces being handled; ergonomic hazards from operator posture and repetitive motion; and psychological hazards from working alongside robotic equipment.
Task analysis provides the foundation for hazard identification. Each task involving collaboration must be analyzed to understand what the robot does, what the operator does, where and when they interact, and what could go wrong. Tasks include not just normal production but also setup, programming, maintenance, cleaning, and fault recovery.
Risk estimation considers the severity of potential harm and the probability of that harm occurring. Severity estimation considers the nature of the harm, from minor discomfort to serious injury or death, and the extent or duration of the harm. Probability estimation considers exposure frequency, the likelihood of a hazardous event occurring during exposure, and the possibility of avoiding or limiting harm.
Risk evaluation compares estimated risks against risk acceptance criteria. For collaborative robots, the criteria may include compliance with ISO/TS 15066 limits as a necessary condition for acceptability. Risks that exceed criteria must be reduced through protective measures. Risks that meet criteria should still be reduced further if reasonably practicable.
Hazard Identification Specific to Cobots
Collaborative applications have specific hazards that must be systematically identified. These hazards arise from the close proximity of operators to moving robots and the possibility of direct contact.
Impact hazards occur when the robot or end effector strikes the operator during motion. Impact can result from normal motion, unexpected motion due to control errors, or motion initiated when the operator is unexpectedly in the path. Impact severity depends on robot speed, mass, and the body region contacted.
Clamping and crushing hazards occur when body parts are caught between the robot and fixed structures, between robot segments, or between the robot and workpieces. Clamping can result from normal motion or from uncontrolled motion. The quasi-static nature of clamping means force is applied continuously, potentially causing more severe injury than transient impact.
Shearing and cutting hazards arise from sharp edges on robot surfaces, end effectors, or workpieces. Even low forces can cause lacerations when concentrated on sharp edges. End effector design requires particular attention because it is the most likely point of contact during normal operation.
Stabbing and penetration hazards come from pointed features that can puncture skin. End effectors may have pointed features for their functional purpose. Workpieces may have sharp points. The robot's approach direction affects whether pointed features are presented toward the operator.
Entanglement hazards occur when loose clothing, hair, or jewelry becomes caught in moving parts. The rotational motion of robot joints creates entanglement possibilities. End effectors with rotating components, such as screwdrivers or grippers, present specific entanglement risks.
Projection hazards arise from parts or materials ejected from the process. End effectors may drop workpieces. Processing operations may generate chips or sparks. Pneumatic systems may release compressed air. These hazards may affect not just the immediate operator but others in the vicinity.
Secondary hazards result from the operator's response to robot motion or contact. Startle responses may cause the operator to fall or collide with other equipment. Attempts to avoid the robot may move the operator into other hazards. The psychological impact of sharing workspace with robots can affect attention and decision-making.
Risk Reduction Strategies
Risk reduction follows the three-step method hierarchy: inherently safe design measures, safeguarding and complementary protective measures, and information for use. Higher-level measures are preferred because they are more reliable and less dependent on user behavior.
Inherently safe design eliminates hazards or reduces risks through design choices. For collaborative robots, this includes limiting robot speed, acceleration, and force capabilities to levels that cannot cause injury even in worst-case contact. It includes designing end effectors and fixtures without sharp edges or pinch points. It includes workspace layout that minimizes exposure and provides escape routes.
Safeguarding implements the collaborative methods from ISO/TS 15066 to manage residual risks. Safety-rated monitored stop prevents contact by stopping when operators are present. Speed and separation monitoring maintains safe distance while allowing motion. Power and force limiting reduces contact forces to tolerable levels. The selection of collaborative method depends on application requirements and risk levels.
Complementary protective measures include additional safety devices such as emergency stop buttons accessible to operators, presence sensing to detect unexpected personnel, and indicators that communicate robot status. These measures support the primary collaborative method rather than replacing it.
Information for use addresses residual risks through operator training, warning signs, work procedures, and documentation. Operators must understand the collaborative system, their role in maintaining safety, and how to respond to abnormal situations. Information measures are essential but should not be the primary defense against significant hazards.
Iterative risk reduction continues until all risks are adequately controlled. After implementing initial measures, the assessment should be repeated to verify effectiveness and identify any new hazards introduced by the protective measures. The iterative process continues until the assessor determines that risks have been reduced as far as reasonably practicable.
Documentation Requirements
Risk assessment documentation provides evidence of the systematic process and supports verification that all risks have been adequately addressed. Documentation should be sufficient to enable third-party review and to support ongoing management of the robot system.
Scope definition documents the system boundaries, included hazards, lifecycle phases, and applicable standards. Clear scope definition ensures comprehensive assessment and enables reviewers to understand what was and was not considered.
Hazard identification documentation lists all identified hazards with descriptions of the hazardous situation, how the hazard could cause harm, and which personnel could be affected. The list should demonstrate systematic consideration of hazard categories rather than random identification.
Risk estimation documentation shows how severity and probability were assessed for each hazard. Estimation methods may be quantitative or qualitative depending on available data and the nature of the hazard. Assumptions underlying estimates should be stated and justified.
Risk evaluation documentation shows how estimated risks were compared against acceptance criteria and what conclusions were drawn. For risks initially exceeding criteria, the documentation should show the progression of risk reduction measures and the resulting reduced risk.
Protective measure documentation describes each safety measure, explains how it reduces risk, references applicable standards, and identifies any residual risks. For collaborative methods, documentation should address compliance with ISO/TS 15066 requirements including force and pressure limits.
Validation documentation records the testing and verification performed to confirm that protective measures function as intended. This includes force and pressure measurements, stopping distance tests, response time verification, and functional tests of safety systems.
Approval and revision documentation shows who conducted and approved the assessment, when it was completed, and what revisions have occurred. The risk assessment is a living document that should be updated when changes occur to the system, application, or operating environment.
Workspace Design and Sharing
Collaborative Workspace Definition
The collaborative workspace is the portion of the safeguarded space where the robot and a human can perform tasks simultaneously during production operation. Defining this workspace precisely is essential for applying appropriate protective measures and for operators to understand where collaboration occurs.
Spatial boundaries of the collaborative workspace should be clearly established through physical markers, visual indicators, or both. The boundaries may correspond to physical limits of robot reach, to designated work zones within a larger area, or to task-specific regions where collaboration is needed. Clear boundaries help operators maintain awareness of their position relative to the robot.
Temporal aspects of collaboration should be defined when the collaborative workspace is not continuously active. Some applications involve collaboration only during specific phases of the task cycle, with other phases using traditional safeguarding. The transition between collaborative and non-collaborative operation must be clearly signaled and safely managed.
Vertical extent of the collaborative workspace is often overlooked but may be significant. Operators may need to reach over or under the robot, creating exposure at different heights. The floor area alone may not fully represent the collaborative region. Three-dimensional analysis ensures complete consideration.
Adjacent areas outside the collaborative workspace may still require consideration. Operators in adjacent areas could inadvertently enter the collaborative workspace. The robot's motion could project beyond intended collaborative boundaries during abnormal conditions. Buffer zones or transitional safeguarding may be appropriate.
Layout Design Principles
Workspace layout significantly influences the risks and efficiency of collaborative operation. Good layout design reduces exposure to hazards, supports efficient task completion, and provides operators with clear awareness of the robot and their environment.
Visibility ensures that operators can see the robot and its immediate surroundings. Obstructions that block sight lines should be minimized. Lighting should be adequate to see robot motion clearly. The robot's current position and motion direction should be apparent to operators in the collaborative workspace.
Predictability of robot motion supports operator awareness and reduces startle responses. Consistent motion patterns allow operators to anticipate robot behavior. Sudden direction changes or unexpected stops are disconcerting and should be minimized. When the robot must make rapid movements, these should be outside the collaborative workspace or clearly signaled.
Separation of flow paths for humans and robots reduces the likelihood of contact during transit. Where both must use the same paths, clear rules about priority or alternating access should be established. Physical separation using different levels or designated lanes is more reliable than procedural separation.
Escape routes ensure that operators can move away from hazards. The workspace should not trap operators between the robot and fixed structures. Multiple exit directions provide options depending on the hazard location. Escape routes should remain clear during all phases of operation.
Ergonomic design reduces physical strain on operators. Work heights should be comfortable. Reaching distances should be minimized. The need to bend, twist, or stretch should be reduced. Good ergonomics also improves safety by reducing distraction from discomfort and enabling faster response to hazards.
Accessibility for maintenance and recovery must be maintained. The layout should allow safe access for maintenance personnel. Recovery from jams or errors should not require operators to reach into hazardous positions. Lockout/tagout procedures should be implementable for maintenance activities.
Task Allocation Between Human and Robot
Effective collaboration requires appropriate allocation of tasks between human and robot capabilities. Each should perform the tasks best suited to their capabilities, with the division supporting both efficiency and safety.
Robot strengths include consistent repetitive motion, precise positioning, handling heavy or unwieldy loads, maintaining quality under fatigue conditions, and working in environments uncomfortable for humans. Tasks that leverage these strengths are good candidates for robot assignment.
Human strengths include adaptability to variation, judgment in ambiguous situations, fine dexterity in unstructured tasks, problem solving when things go wrong, and communication with other workers. Tasks requiring these capabilities are better performed by humans.
Safety-driven allocation considers which tasks can be performed safely within collaborative constraints. Tasks requiring high force or speed may exceed collaborative limits and need non-collaborative implementation. Tasks with hazardous tooling or materials may not be suitable for collaborative execution. The allocation should minimize the need for collaboration during the most hazardous operations.
Cycle time balancing ensures that human and robot tasks are coordinated efficiently. If the robot must wait for the human or vice versa, productivity suffers. Balanced allocation keeps both human and robot productively engaged. However, safety should not be compromised to achieve balance.
Variation handling should be considered in task allocation. If product or process variation is expected, tasks should be allocated to whichever agent can best handle that variation. Humans generally handle variation better than robots, though well-designed robot systems can accommodate significant variation.
Integration with Existing Equipment
Collaborative robots are often integrated into existing manufacturing cells or production lines, creating additional considerations for safe workspace design.
Existing safeguarding may not be compatible with collaborative operation. Traditional perimeter guards that prevented all personnel access must be modified to allow controlled access to the collaborative workspace. Integration should maintain protection from non-collaborative equipment while enabling collaboration with the robot.
Interactions between the collaborative robot and other equipment must be considered. Conveyors, fixtures, and other machines may create pinch points with the robot. The robot's motion may interfere with other equipment operations. Coordinated control may be needed to prevent conflicts.
Control system integration ensures that safety functions are properly coordinated. Emergency stop circuits should connect all equipment in the cell. Protective stops on the collaborative robot should not leave other equipment in hazardous states. Mode selection affecting multiple systems should be consistent.
Traffic patterns established for existing equipment may need revision. Workers accustomed to certain access routes may be affected by the collaborative robot installation. Training must address changes to established patterns. Physical modifications may guide workers toward safe routes.
Retrofitting constraints may limit design options. Existing floor space, ceiling height, utility routing, and structural elements constrain what is achievable. The ideal collaborative layout may not be feasible within retrofitting constraints, requiring compromise solutions that still meet safety requirements.
Validation and Verification Methods
Validation Planning
Validation demonstrates that the collaborative robot system meets its safety requirements in the intended application. A systematic validation plan ensures that all requirements are addressed and provides structured evidence of compliance.
Validation objectives should be clearly stated, identifying what must be demonstrated and what criteria apply. Objectives typically include verification of safety function performance, confirmation that force and pressure limits are met, demonstration of adequate stopping distance and response time, and verification that safeguarding provides intended protection.
Test methods for each objective should be specified, including the test setup, equipment to be used, procedures to follow, and acceptance criteria. Standard test methods from ISO/TS 15066 or other applicable standards should be used where available. Custom test methods should be documented in sufficient detail to enable repetition.
Test conditions should represent the range of operating conditions under which the system will be used. Testing at single conditions may miss variations that affect performance. Parameters that affect safety function performance should be varied across their operational range.
Test personnel qualifications should be defined. Safety validation requires competence in test methods, measurement techniques, and interpretation of results. Independence of test personnel from designers may be required for critical assessments.
Documentation requirements should be specified in the validation plan. The level of detail required for test records, the format for results presentation, and approval requirements for validation reports should be established before testing begins.
Safety Function Testing
Safety function testing verifies that each safety function performs correctly under normal conditions and responds appropriately to faults. Testing should cover all safety functions identified in the risk assessment.
Functional testing confirms that safety functions operate as intended. Emergency stop testing verifies immediate response to activation and proper stopping performance. Protective stop testing confirms correct response to safeguarding device activation. Speed limiting testing verifies that maximum speeds are as specified.
Performance testing quantifies safety function performance characteristics. Stopping distance and time measurements under various load and speed conditions verify manufacturer specifications. Response time measurements from triggering event to completed response verify that total system response is within limits assumed in the risk assessment.
Fault testing verifies that faults are detected and that appropriate protective action occurs. Single fault injection should demonstrate that the safety function either continues to operate or achieves a safe state. The range of faults tested should cover the fault modes considered in the safety function design.
Environmental testing verifies operation under expected environmental conditions. Temperature extremes, electrical noise, and other environmental factors that could affect safety function performance should be tested. Testing should verify both that the function operates and that it detects relevant faults under environmental stress.
Documentation of safety function testing should include test conditions, equipment calibration records, raw data and calculated results, comparison against acceptance criteria, and conclusions about compliance. Traceability from test results to specific safety requirements supports completeness verification.
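The performance measurements just described (stopping time, response time from trigger to completed response, stopping distance), worked as an added example rather than code from the page or from any robot controller: it takes a velocity trace recorded after a protective stop is triggered and extracts the reaction time, total stopping time and distance travelled, then checks them against the limits assumed in the risk assessment. The trace here is constructed (TCP speed every 10 ms, 500 mm/s held for 40 ms, then a linear ramp to zero over 100 ms); a real one would come from the controller's safety log or an external position tracker.

```python
"""Stopping performance from a recorded velocity trace (added illustration).

The trace is constructed: TCP speed sampled every 10 ms after a protective
stop is triggered at t = 0. Real traces come from the controller's safety
log or an external tracker; the limits are those assumed in the risk assessment.
"""
from dataclasses import dataclass


@dataclass
class StopResult:
    reaction_ms: int      # trigger to first observed speed reduction
    stopping_ms: int      # trigger to standstill (total response time)
    distance_mm: float    # distance travelled after the trigger


def analyse_stop(samples, standstill_mm_s=1.0):
    """samples: ascending (t_ms, speed_mm_s) pairs, first pair at the trigger (t=0).

    Distance is integrated with the trapezoidal rule, so it is exact for a
    piecewise-linear speed profile and close to it otherwise.
    """
    if not samples or samples[0][0] != 0:
        raise ValueError("trace must start at the trigger instant t = 0")
    v0 = samples[0][1]
    reaction = None
    distance = 0.0
    prev_t, prev_v = samples[0]
    for t, v in samples[1:]:
        if t <= prev_t:
            raise ValueError("timestamps must be strictly increasing")
        distance += (prev_v + v) / 2.0 * (t - prev_t) / 1000.0
        if reaction is None and v < v0:
            reaction = t
        if v <= standstill_mm_s:
            return StopResult(reaction if reaction is not None else t, t, distance)
        prev_t, prev_v = t, v
    raise ValueError("robot did not reach standstill within the trace")


def within_limits(result, max_stopping_ms, max_distance_mm):
    """Both the total response time and the stopping distance must meet the limits."""
    return result.stopping_ms <= max_stopping_ms and result.distance_mm <= max_distance_mm


def constructed_trace(v0_mm_s=500.0, delay_ms=40, ramp_ms=100, step_ms=10):
    """Constructed profile: speed holds v0 for delay_ms, then ramps linearly to zero."""
    samples = []
    for t in range(0, delay_ms + ramp_ms + 3 * step_ms, step_ms):
        if t <= delay_ms:
            v = v0_mm_s
        elif t <= delay_ms + ramp_ms:
            v = v0_mm_s * (1.0 - (t - delay_ms) / ramp_ms)
        else:
            v = 0.0
        samples.append((t, v))
    return samples


if __name__ == "__main__":
    r = analyse_stop(constructed_trace())
    print(r, within_limits(r, max_stopping_ms=150, max_distance_mm=50.0))
```

Reaction time is reported at the first sample that shows a reduction, so with 10 ms sampling it is rounded up to the sample after the true onset; that is the conservative direction for the trigger-to-response figure, and the sampling rate should be recorded with the result. Run the analysis at each load and speed condition of the test plan, not only the one shown here.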
Force and Pressure Measurement
Measurement of contact forces and pressures verifies compliance with ISO/TS 15066 biomechanical limits. Measurements should cover the contact scenarios identified in the risk assessment using appropriate measurement techniques.
Measurement equipment should be capable of capturing peak forces during transient impacts. Force sensors should have adequate bandwidth to capture impact dynamics, typically requiring response frequencies of several hundred hertz. Calibration should be traceable to recognized standards.
Test configurations should represent identified contact scenarios. The measurement device should simulate the relevant body region, including appropriate compliance for biofidelic measurement. The robot should be operating under representative conditions of speed, payload, and trajectory.
Impact testing measures transient contact forces. The measurement device is positioned in the robot's path, and the robot approaches at representative speed. Multiple impacts should be measured to characterize variability. Results are compared against transient contact limits for the relevant body region.
Clamping testing measures quasi-static forces. The measurement device is positioned to simulate trapped body parts, and the robot moves to compress the device against a fixed surface. Force is recorded throughout the compression. Results are compared against quasi-static limits.
Contact area measurement determines effective contact area for pressure calculation. Contact pressure paper or electronic pressure mapping can measure actual contact area during test impacts. Alternatively, minimum contact area can be calculated from geometry. Pressure is calculated by dividing measured force by contact area.
Analysis of measurements should consider uncertainty and variability. Statistical treatment of multiple measurements provides confidence in conclusions. Uncertainty analysis identifies whether observed values confidently meet limits or whether margins are insufficient. Conservative interpretation addresses measurement limitations.
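The measurement analysis described in this subsection (peak force per impact, pressure from force and contact area, statistical treatment of repeated impacts, and a conservative comparison against the limits), as an added example that is not code from the page or from any measurement system. The five impact traces are constructed sample data; the force and pressure limits are placeholders and must be replaced with the quasi-static or transient values for the relevant body region from ISO/TS 15066 Annex A; the 2 N instrument uncertainty is likewise assumed.

```python
"""Analysis of contact force and pressure measurements (added illustration).

Peak forces below are constructed sample data from repeated impacts on a
measuring device; the limit values are placeholders to be replaced with the
body-region limits (quasi-static or transient) from ISO/TS 15066 Annex A.
"""
from statistics import mean, stdev

# Placeholder limits (N and N/cm^2); take the real region values from the TS.
LIMIT_FORCE_N = 140.0
LIMIT_PRESSURE_N_CM2 = 120.0


def peak_forces(traces):
    """Peak force of each impact from a list of force-vs-time sample lists."""
    return [max(trace) for trace in traces]


def conservative_upper(values, k=2.0, instrument_uncertainty=0.0):
    """Upper estimate: mean + k * sample stdev + instrument uncertainty.

    k = 2 covers roughly 95 % of a normal spread. A single measurement gets
    no spread term, so repeat the impact to characterise variability.
    """
    spread = stdev(values) if len(values) > 1 else 0.0
    return mean(values) + k * spread + instrument_uncertainty


def pressure_n_cm2(force_n, contact_area_cm2):
    """Contact pressure from force and the measured or geometric contact area."""
    if contact_area_cm2 <= 0:
        raise ValueError("contact area must be positive")
    return force_n / contact_area_cm2


def assess_contact(peaks_n, contact_area_cm2, force_limit_n, pressure_limit_n_cm2,
                   k=2.0, force_uncertainty_n=0.0):
    """Compare conservative upper estimates against the limits.

    Returns the estimates, pass/fail per limit and the remaining margins, so
    that a thin margin is visible rather than hidden behind a bare pass.
    """
    force_upper = conservative_upper(peaks_n, k, force_uncertainty_n)
    pressure_upper = pressure_n_cm2(force_upper, contact_area_cm2)
    return {
        "force_upper_n": force_upper,
        "pressure_upper_n_cm2": pressure_upper,
        "force_ok": force_upper <= force_limit_n,
        "pressure_ok": pressure_upper <= pressure_limit_n_cm2,
        "force_margin_n": force_limit_n - force_upper,
        "pressure_margin_n_cm2": pressure_limit_n_cm2 - pressure_upper,
    }


# Constructed sample: five transient impacts, samples around each peak (N).
SAMPLE_TRACES = [
    [10.0, 60.0, 118.0, 90.0, 20.0],
    [12.0, 70.0, 121.5, 85.0, 15.0],
    [9.0, 55.0, 119.0, 95.0, 22.0],
    [11.0, 65.0, 124.0, 88.0, 18.0],
    [10.0, 62.0, 120.5, 91.0, 19.0],
]


def sample_assessment():
    """Assess the constructed sample with a 4 cm^2 contact area (assumed)."""
    peaks = peak_forces(SAMPLE_TRACES)        # [118.0, 121.5, 119.0, 124.0, 120.5]
    return assess_contact(peaks, contact_area_cm2=4.0,
                          force_limit_n=LIMIT_FORCE_N,
                          pressure_limit_n_cm2=LIMIT_PRESSURE_N_CM2,
                          force_uncertainty_n=2.0)   # assumed calibration uncertainty
```

The force sensor's bandwidth decides whether the peaks in the traces are real: a sensor that cannot follow the impact under-reads the peak, and no amount of statistics afterwards recovers it. The same function serves both limit types: pass the quasi-static limits with clamping-test force records and the transient limits with impact-test peaks.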
Commissioning and Acceptance
Commissioning is the systematic process of verifying that the installed system meets its specifications and is ready for production use. Acceptance testing confirms that the system satisfies customer requirements and contractual obligations.
Pre-commissioning checks verify that installation is complete and correct. Physical installation of the robot, guarding, and ancillary equipment should be verified against drawings. Electrical connections should be verified for correctness and integrity. Pneumatic and other utility connections should be checked.
Functional commissioning tests all functions of the system. Motion testing verifies that the robot moves correctly through its programmed paths. End effector operation is verified. Safeguarding devices are tested for correct operation. Interface with other equipment is verified.
Safety commissioning specifically addresses safety functions and safeguarding. All safety functions should be tested and verified. Safeguarding effectiveness should be demonstrated. Emergency procedures should be verified. Safety documentation should be reviewed for completeness.
Operator training verification confirms that operators have been trained in safe operation. Training records should demonstrate that required training was completed. Operators should demonstrate competence in normal operation, abnormal situation response, and emergency procedures.
Documentation handover provides the customer with all necessary documentation. This includes risk assessment, validation reports, operating instructions, maintenance requirements, and any other documentation required by applicable standards or regulations.
Formal acceptance formalizes the transfer of responsibility from the integrator to the end user. Acceptance criteria should be clearly defined, and acceptance should be documented with signatures from authorized representatives. Any open items or conditions should be clearly stated.
Integrator Responsibilities
Role of the System Integrator
The system integrator is the entity that combines the robot with other equipment to create a complete robot system for a specific application. Under ISO 10218-2, the integrator is responsible for the safety of the complete system, even when all components are individually compliant with applicable standards.
Integration hazards arise from combining components that were not designed together. A compliant robot combined with a compliant end effector may create pinch points or cutting hazards that neither component alone would present. The integrator must identify and address these combination hazards.
Application-specific hazards depend on what the robot system does. The same robot hardware may be safe in one application and hazardous in another depending on speeds, tooling, workpieces, and operator interaction. The integrator assesses hazards for the specific application and implements appropriate measures.
Safeguarding design is primarily the integrator's responsibility. While robot manufacturers may provide guarding options, the integrator designs the complete safeguarding system appropriate to the installation. This includes perimeter guarding, access controls, presence sensing, and the implementation of collaborative methods.
Compliance demonstration for the complete system is the integrator's responsibility. This includes the risk assessment, safety function design, validation testing, and documentation required by applicable standards and regulations. The integrator must maintain records and provide documentation to end users.
Contractual and Legal Obligations
Integrators have contractual obligations to customers and legal obligations under applicable regulations. Understanding these obligations is essential for business management and risk management.
Supply contract terms define specific obligations to the customer. Contracts typically specify functional requirements, safety requirements, applicable standards, delivery obligations, and warranty provisions. Integrators should ensure contracts clearly define responsibilities and acceptance criteria.
Machinery directives and regulations in many jurisdictions impose legal obligations on those who place machinery on the market. In the European Union, the Machinery Directive requires CE marking and conformity assessment. In other jurisdictions, similar regulations may apply. Integrators must understand and comply with regulations in their markets.
Product liability laws impose responsibility for harm caused by defective products. Integrators may be liable for injuries resulting from inadequate safety measures, failure to warn of hazards, or other defects in the robot system. Proper risk assessment, safety design, and documentation provide evidence of due care.
Professional liability may arise from negligent engineering or consulting services. Integrators who provide engineering services may be held to professional standards of care. Professional liability insurance may be appropriate to manage this risk.
Insurance requirements may be specified by customers, by lenders, or by prudent business practice. Liability insurance, professional liability insurance, and project-specific coverage may be needed. Insurance underwriters may have specific requirements regarding safety practices and documentation.
Technical Documentation Requirements
Technical documentation demonstrates compliance with requirements and provides information for safe use of the robot system. Integrators must create and maintain documentation throughout the project and deliver required documentation to customers.
Risk assessment documentation is the foundation of the technical file. This includes hazard identification, risk estimation and evaluation, and evidence of risk reduction through protective measures. The risk assessment should be specific to the application and address all identified hazards.
Design documentation describes the robot system configuration. This includes layout drawings, electrical schematics, pneumatic diagrams, control system architecture, and other technical descriptions. Documentation should enable understanding of how the system works and how safety is achieved.
Safety function specifications describe each safety function, its required performance level, and how it is implemented. Functional block diagrams, component specifications, and parameter settings should be documented. The basis for performance level requirements should be traceable to the risk assessment.
Validation records provide evidence that safety requirements are met. Test procedures, results, and conclusions should be documented. Traceability from tests to requirements demonstrates completeness. Validation records should be retained for the expected life of the equipment.
Operating instructions provide information for safe operation. This includes description of intended use, operating procedures, safety information, and warnings about residual risks. Instructions must be provided in languages appropriate to the users and must cover all aspects of operation including setup, normal operation, and maintenance.
Declaration of conformity is required in many jurisdictions to attest that the equipment meets applicable requirements. The declaration identifies the equipment, the applicable directives and standards, and the responsible entity. The declaration is a legal document with significant implications.
Support and Service Obligations
Integrator responsibilities typically continue after initial delivery through warranty obligations, service agreements, and ongoing support. These continuing obligations should be clearly defined and properly resourced.
Warranty obligations require the integrator to correct defects discovered within the warranty period. Warranty terms should clearly define what is covered, the duration, and the remedies available. Response time and availability commitments should be realistic and achievable.
Spare parts availability ensures that customers can maintain the system over its useful life. Critical components should be available promptly. Long-term availability of specialized parts should be planned. Obsolescence management addresses components that become unavailable.
Technical support helps customers resolve issues and optimize system performance. Support may be provided remotely or on-site depending on the issue. Support personnel should have access to system documentation and engineering resources.
Training services may be offered for initial operators and for personnel changes over time. Training should address safe operation, routine maintenance, and troubleshooting. Refresher training may be appropriate for long-installed systems.
System upgrades and modifications may be requested over the life of the system. Modifications affecting safety must be properly assessed and documented. The integrator should advise customers when proposed modifications affect safety and should decline to implement modifications that cannot be made safely.
Maintenance Safety
Maintenance Hazards
Maintenance activities on robot systems present distinct hazards that differ from production operation hazards. Workers performing maintenance may need to access areas normally protected by safeguarding, work near energized equipment, and operate the robot in ways that differ from normal production modes.
Unexpected startup is a primary maintenance hazard. If the robot starts while a worker is in the hazardous zone, serious injury can result. Startup could occur from control system commands, from manual controls, or from release of stored energy. Lockout/tagout procedures are the primary protection against this hazard.
Stored energy in robot systems includes gravitational energy in elevated components, elastic energy in springs and tensioned elements, pressurized fluids in pneumatic and hydraulic systems, and electrical energy in capacitors and batteries. Maintenance procedures must address dissipation or control of stored energy.
Inadvertent motion during maintenance may occur when workers manipulate joints or components. Gravity can cause elevated components to fall. Springs can release unexpectedly. Manually moving joints may cause motion of linked components. Workers should understand the kinematic connections when working on any part of the robot.
Electrical hazards during maintenance include shock from energized components and arc flash from high-energy circuits. Maintenance often requires work on energized equipment that would normally be enclosed or guarded. Proper procedures, personal protective equipment, and qualified personnel are required.
Ergonomic hazards arise from awkward positions required to access components. Maintenance may require reaching, bending, or working overhead. Heavy components may need to be lifted or supported. Poor ergonomics contribute to both acute injuries and chronic musculoskeletal disorders.
Lockout/Tagout Procedures
Lockout/tagout procedures prevent unexpected energization of equipment during maintenance. These procedures are required by occupational safety regulations in most jurisdictions and are essential for protecting maintenance workers.
Energy source identification is the first step in developing lockout/tagout procedures. All energy sources that could cause hazardous motion or energy release must be identified. This includes electrical power, pneumatic pressure, hydraulic pressure, and stored mechanical energy. Energy sources may be obvious or may be hidden within equipment.
Isolation devices are the means of disconnecting energy sources. Electrical disconnects, pneumatic valves, and hydraulic valves serve as isolation points. Each isolation device should be lockable, meaning a lock can be attached to hold it in the safe position. Locks should be individually keyed so only the worker who applied the lock can remove it.
Lockout procedures specify the steps for achieving a safe state. The general sequence is notify affected employees, shut down equipment using normal procedures, isolate all energy sources, apply locks and tags, dissipate stored energy, and verify isolation before work begins. Specific procedures for each piece of equipment should be documented.
Verification of isolation confirms that energy has been effectively controlled. After isolation, attempt to start the equipment using normal controls to verify it cannot operate. Test for residual energy in pneumatic and hydraulic systems. Verify absence of voltage in electrical systems using appropriate test equipment.
Tagout procedures use warning tags when locks cannot be applied. Tags alone provide less protection than locks because they can be removed without tools. When tagout is used, additional protective measures should compensate for the reduced protection. Locks should be used whenever physically possible.
Release from lockout follows completion of maintenance. Only the worker who applied a lock should remove it. Before removing the last lock, verify that all workers are clear of the equipment and that all guards are replaced. Notify affected employees that equipment is being returned to service.
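The lockout sequence from these paragraphs (notify, shut down, isolate every source, apply individually keyed locks, dissipate stored energy, verify, and release only by the lock's owner with the last lock gated on all-clear and guard checks), written as a checked state machine in an added example. It is not code from the page or from any lockout product; the equipment name, energy sources and worker names are constructed. Each method refuses to run until its prerequisites are met, which is exactly the property a written procedure relies on people to enforce.

```python
"""Lockout/tagout sequence as a checked state machine (added illustration).

Constructed model: one piece of equipment with several energy sources, each
behind a lockable isolation device, and individually keyed personal locks on
a group lockout device. Every step raises LockoutError when attempted out of
sequence, so the order the text prescribes is enforced rather than assumed.
"""


class LockoutError(RuntimeError):
    """Raised when a step is attempted before its prerequisites are met."""


class Lockout:
    def __init__(self, equipment, energy_sources):
        self.equipment = equipment
        self.sources = frozenset(energy_sources)
        self.notified = False          # affected employees informed
        self.shut_down = False         # stopped with normal controls
        self.isolated = set()          # sources whose isolation device is off
        self.locks = set()             # workers holding a personal lock
        self.dissipated = set()        # sources whose stored energy is released
        self.verified = False          # zero-energy state confirmed
        self.in_service = True

    def _require(self, condition, message):
        if not condition:
            raise LockoutError(f"{self.equipment}: {message}")

    # 1 notify, 2 shut down, 3 isolate, 4 lock, 5 dissipate, 6 verify
    def notify_affected(self):
        self.notified = True

    def shutdown(self):
        self._require(self.notified, "notify affected employees before shutdown")
        self.shut_down = True
        self.in_service = False

    def isolate(self, source):
        self._require(self.shut_down, "shut down with normal controls first")
        self._require(source in self.sources, f"unknown energy source {source!r}")
        self.isolated.add(source)

    def apply_lock(self, worker):
        """Each worker applies their own lock; a missing source blocks everyone."""
        self._require(self.isolated == self.sources,
                      "isolate every energy source before locking")
        self.locks.add(worker)

    def dissipate(self, source):
        self._require(self.locks, "apply locks before releasing stored energy")
        self._require(source in self.sources, f"unknown energy source {source!r}")
        self.dissipated.add(source)

    def verify(self, start_attempt_moved, residual_energy_found):
        """Record the try-start and residual-energy checks made at the machine."""
        self._require(self.dissipated == self.sources,
                      "dissipate stored energy in every source first")
        self._require(not start_attempt_moved,
                      "equipment moved on start attempt: isolation ineffective")
        self._require(not residual_energy_found,
                      "residual energy found: isolation ineffective")
        self.verified = True

    def may_work(self, worker):
        """Work is permitted only under a verified lockout and the worker's own lock."""
        return self.verified and worker in self.locks

    def remove_lock(self, worker, all_clear=False, guards_replaced=False):
        """Only the owner removes a lock; the last lock needs the final checks.

        Returns True when the equipment is back in service (last lock removed).
        """
        self._require(worker in self.locks,
                      f"{worker} holds no lock here; only the owner may remove a lock")
        if len(self.locks) == 1:
            self._require(all_clear and guards_replaced,
                          "last lock: confirm all workers clear and guards replaced")
        self.locks.discard(worker)
        if not self.locks:
            self.verified = False
            self.in_service = True      # then notify affected employees of return to service
        return self.in_service


def is_rejected(action):
    """True if the step is refused by the sequence check (used by the demo)."""
    try:
        action()
    except LockoutError:
        return True
    return False
```

The two-worker case shows why each person applies their own lock: while one lock remains on the device, the equipment cannot be returned to service by anyone else, which is the coordination rule for team maintenance.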
Safe Maintenance Procedures
Safe maintenance procedures provide step-by-step instructions for common maintenance tasks. Well-designed procedures anticipate hazards and specify appropriate precautions.
Procedure development should involve personnel with knowledge of both the technical aspects of maintenance and safety requirements. Procedures should be reviewed by safety professionals and tested by maintenance personnel before adoption. Input from robot manufacturers can help identify less obvious hazards.
Procedure content should include the scope of work, required tools and materials, personal protective equipment, applicable lockout/tagout requirements, step-by-step instructions, verification steps, and return to service requirements. Hazard warnings should be prominently displayed where workers need them.
Energized work procedures address situations where maintenance must be performed on energized equipment. Such work should be minimized through good design and planning. When unavoidable, energized work requires specific justification, qualified personnel, appropriate personal protective equipment, and heightened precautions.
Team maintenance procedures address situations where multiple workers are involved. Each worker should apply their own lock when working on equipment. Coordination procedures prevent one worker from re-energizing equipment while others are still working. Group lockout devices can be used when many workers are involved.
Emergency procedures address situations where normal procedures cannot be followed. Equipment failure may trap workers or create other emergencies. Emergency procedures should prioritize worker safety over equipment protection. Emergency contacts and response resources should be identified.
Documentation and review of maintenance activities support continuous improvement. Records of maintenance performed, time required, and any problems encountered provide data for procedure improvement. Periodic review of procedures should incorporate lessons learned.
Maintenance Personnel Training
Maintenance personnel require specific training on the robot systems they will maintain. Training should address both the technical aspects of the equipment and the safety procedures required for safe maintenance.
Technical training covers the design and operation of robot systems. Understanding how systems work enables effective troubleshooting and helps maintenance personnel anticipate hazards. Training should address mechanical systems, control systems, safety systems, and application-specific equipment.
Safety training specifically addresses hazards and protective procedures. Lockout/tagout training is required by regulation and should be specific to the equipment. Electrical safety training is required for personnel who may be exposed to electrical hazards. Training on safe work practices during robot maintenance should cover the specific equipment involved.
Manufacturer training may be available for specific robot models. Manufacturer training provides in-depth knowledge of design details, common failure modes, and maintenance best practices. Certification programs may be offered that verify maintenance competence.
Hands-on training develops practical skills for maintenance tasks. Classroom training provides knowledge, but hands-on practice develops proficiency. Initial hands-on training should be supervised by experienced personnel. Progressive complexity allows skills to develop before tackling difficult tasks.
Refresher training maintains skills over time. Periodic retraining on safety procedures is typically required by regulation. Technical skills should also be refreshed, particularly when equipment is modified or when personnel have not worked on particular equipment for extended periods.
Training documentation provides evidence of competence and compliance. Records should show what training was received, when, and by whom. Training records may be required for regulatory compliance and may be relevant in the event of incidents.
Teaching Pendant Safety
Teaching Pendant Functions
The teaching pendant is a portable control device used for programming, setup, and manual operation of robots. Because pendant operation typically requires personnel to be near the robot while it moves, specific safety requirements apply to pendant design and use.
Manual control functions allow the operator to command robot motion directly. Jog functions move individual axes or the tool center point in selected directions. Speed selection allows choosing among available speed levels. Motion commands require continuous operator action to maintain motion.
Programming functions allow creation and modification of robot programs. Point teaching records positions that the robot moves through during automatic operation. Parameter editing adjusts motion characteristics and application settings. Program testing executes programs at reduced speed to verify correct operation.
Monitoring functions display robot status and diagnostic information. Position displays show current joint angles or Cartesian coordinates. Status indicators show operating mode, error conditions, and safety system status. Diagnostic screens support troubleshooting of equipment problems.
Safety functions on the pendant provide protection during manual operation. Emergency stop buttons must be immediately accessible. Enabling devices must be activated to permit motion. Mode selection may be controlled from the pendant. These safety functions are critical because pendant operation often bypasses normal safeguarding.
Enabling Device Requirements
The enabling device is a safety function that allows motion only while the operator maintains continuous activation. Releasing the enabling device stops motion, providing immediate protection if the operator is startled or loses control.
Three-position enabling devices are required by ISO 10218. The three positions are off, active, and panic (also off). In the middle active position, motion is enabled. Releasing to the off position or pressing through to the panic position both disable motion. This design accounts for the natural human reaction to grip tightly in an emergency.
Positioning and ergonomics of the enabling device affect usability and safety. The device should be accessible to the grip used for holding the pendant. It should be possible to maintain activation during extended programming sessions without excessive fatigue. Activation should not interfere with access to other pendant functions.
Reliability requirements for enabling devices are specified in safety standards. The device must fail safely, meaning a failure results in motion being disabled. Redundancy and monitoring provide fault detection. The required safety integrity depends on the risk level associated with pendant operation.
Training on enabling device use is essential. Operators must understand the function and behavior of the three-position device. Practice in a safe environment develops the instinct to release rather than grip in emergency situations. Misunderstanding of enabling device function has contributed to serious accidents.
Speed Limitations During Teaching
Speed limitations during teaching and manual operation reduce the severity of potential contact. ISO 10218 specifies requirements for reduced speed operation when personnel are within the safeguarded space.
Reduced speed limits are specified as 250 millimeters per second for the tool center point. This speed allows an operator reasonable time to react if unexpected motion occurs. Higher speeds are permitted only in specific circumstances with additional protective measures.
Speed limiting implementation must be safety-rated. The control system must prevent exceeding the speed limit regardless of commands or faults. Speed monitoring with protective action if limits are exceeded provides defense in depth. The speed limiting function must achieve the performance level determined by risk assessment.
Override of speed limits may be necessary for specific testing purposes. Override should require deliberate action such as a key switch. When override is active, additional protective measures should apply. Override should automatically revert to normal limits after a defined time or when the pendant is released.
Speed selection by the operator should be available within the safe limits. Different speeds may be appropriate for different operations, from slow, careful positioning to faster traverse movements. The operator should always be able to see the current speed selection and understand its implications.
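The two pendant safety functions described above, the three-position enabling device and the safety-rated 250 mm/s reduced-speed monitor with a time-bounded key-switch override, combined into one simplified controller model. This is example code added here, not any robot vendor's pendant or controller firmware; the override limit, the 30 s override timeout, the protective-stop reaction and the rule that leaving the active position cancels an override are assumptions of the model.

```python
"""Teaching-mode safety model: three-position enabling device plus a
reduced-speed monitor for the tool center point (TCP).

Added example, not vendor code. Numeric values other than the ISO 10218
reduced-speed limit (250 mm/s) are assumptions for the model.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from enum import Enum

REDUCED_SPEED_LIMIT_MM_S = 250.0   # ISO 10218 reduced-speed TCP limit
OVERRIDE_TIMEOUT_S = 30.0          # assumed: override reverts after this long


class Enable(Enum):
    OFF = "off"        # device released: motion inhibited
    ACTIVE = "active"  # middle position: motion permitted
    PANIC = "panic"    # squeezed through: motion inhibited (startle grip)


@dataclass
class TeachMonitor:
    max_speed_mm_s: float = REDUCED_SPEED_LIMIT_MM_S
    override_limit_mm_s: float = 2000.0   # assumed limit while override is armed
    enable: Enable = Enable.OFF
    override_until: float | None = None
    protective_stop: bool = False
    events: list[str] = field(default_factory=list)

    def set_enable(self, pos: Enable, now: float) -> None:
        """Move the three-position device. Only ACTIVE permits motion; leaving
        ACTIVE also cancels a running override (assumed 'pendant released')."""
        self.enable = pos
        if pos is not Enable.ACTIVE and self.override_until is not None:
            self.override_until = None
            self.events.append(f"{now:.2f}s: override cancelled by enable release")

    def key_override(self, now: float) -> None:
        """Deliberate key-switch action raises the limit for a bounded time."""
        self.override_until = now + OVERRIDE_TIMEOUT_S
        self.events.append(f"{now:.2f}s: override armed until {self.override_until:.2f}s")

    def current_limit(self, now: float) -> float:
        """Effective TCP speed limit; an expired override reverts automatically."""
        if self.override_until is not None and now < self.override_until:
            return self.override_limit_mm_s
        self.override_until = None
        return self.max_speed_mm_s

    def motion_permitted(self) -> bool:
        return self.enable is Enable.ACTIVE and not self.protective_stop

    def sample(self, prev_xyz, cur_xyz, dt_s: float, now: float) -> bool:
        """Evaluate one TCP position sample (mm). Returns True if motion may
        continue; a limit violation latches a protective stop."""
        if not self.motion_permitted():
            return False
        speed = math.dist(prev_xyz, cur_xyz) / dt_s
        limit = self.current_limit(now)
        if speed > limit:
            self.protective_stop = True
            self.events.append(
                f"{now:.2f}s: TCP {speed:.0f} mm/s exceeds {limit:.0f} mm/s, protective stop")
            return False
        return True

    def reset(self) -> None:
        """Deliberate reset after a protective stop; the enabling device must
        still be re-applied before motion is permitted again."""
        self.protective_stop = False


if __name__ == "__main__":
    m = TeachMonitor()
    m.set_enable(Enable.ACTIVE, 0.0)
    m.sample((0, 0, 0), (2, 0, 0), 0.01, 0.01)   # 200 mm/s: permitted
    m.sample((2, 0, 0), (5, 0, 0), 0.01, 0.02)   # 300 mm/s: protective stop
    print("\n".join(m.events))
```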
Pendant Operation Training
Training for pendant operation addresses both the technical skills needed for effective robot programming and the safety awareness needed to avoid incidents during manual operation.
Technical training covers pendant controls and functions. Operators learn to command motion, select speeds and modes, create and modify programs, and interpret displays. Practice develops proficiency in control operation and program creation.
Safety training addresses hazards during pendant operation. Operators learn safe positioning relative to the robot, maintaining escape routes, awareness of pinch points and other hazards, and recognition of abnormal conditions. The specific hazards of each robot and application should be covered.
Emergency response training prepares operators to respond to unexpected situations. Practice using emergency stop in realistic scenarios develops quick response. Understanding enabling device behavior prevents inappropriate responses. Knowledge of what to do after an emergency stop prevents premature restart.
Supervised practice provides experience under guidance. Initial pendant operation should be observed by experienced personnel. Progressive complexity allows skills to develop before attempting difficult tasks. Feedback helps operators improve technique and awareness.
Qualification verification confirms that operators have achieved necessary competence. Practical tests demonstrate skill with pendant operation. Knowledge tests verify understanding of safety requirements. Qualification should be documented and may need periodic renewal.
Mobile Robot Standards (ISO 3691-4)
Scope and Application
ISO 3691-4 specifies safety requirements for driverless industrial trucks, commonly known as automated guided vehicles (AGVs) or autonomous mobile robots (AMRs). These vehicles operate in areas where personnel may be present, creating unique safety challenges that differ from fixed-base robots.
The scope includes industrial trucks that are driverless and operate without manual control during normal operation. This encompasses vehicles following defined paths, vehicles with natural navigation capability, and vehicles operating under centralized or distributed control systems. The standard applies to trucks that travel, transport loads, or perform other industrial functions.
Application environments range from structured warehouses with controlled traffic to dynamic manufacturing floors with frequent human presence. The standard addresses both environments through a risk-based approach that matches protective measures to the specific hazards present.
Relationship to other standards includes reference to ISO 10218 for robots mounted on mobile bases, to ISO 12100 for risk assessment methodology, and to IEC 62443 for cybersecurity. The AMR may be a component in a larger system that must comply with multiple standards.
Navigation and Control Safety
Safe navigation requires that the mobile robot avoid collisions with personnel, other vehicles, and facility structures. Navigation safety encompasses path planning, obstacle detection, collision avoidance, and control system integrity.
Path planning should route vehicles away from areas of high personnel activity when possible. Predictable paths allow personnel to anticipate vehicle location. Consistent paths reduce the likelihood of unexpected encounters. Path modifications in response to detected obstacles must not create new hazards.
Position determination must be accurate and reliable. Loss of position awareness could cause the vehicle to enter prohibited areas or collide with structures. Position determination methods including LIDAR, vision systems, and reference markers should be appropriate to the required accuracy. Position verification should detect errors before hazardous situations develop.
Speed control must be appropriate to the environment. Maximum speed in areas without personnel detection may be higher than in areas where personnel may be present. Speed should be reduced when approaching intersections, turns, or areas with limited visibility. Speed limiting functions must be safety-rated.
Control system integrity ensures that commands are executed correctly and that faults are detected. Safety-related control functions must meet required performance levels. Communication between vehicles and central control must be reliable and secure. Cybersecurity measures prevent unauthorized control or disruption.
Personnel Detection Systems
Detection of personnel in the vehicle's path is essential for preventing collisions. Detection systems must identify personnel reliably under the conditions present in the operating environment.
Detection technologies include laser scanners that detect objects by reflected light, vision systems that identify personnel through image analysis, radar that detects moving objects, and ultrasonic sensors for close-range detection. Selection depends on range requirements, environmental conditions, and required reliability.
Detection zone geometry must cover the area the vehicle could enter during stopping. Forward detection must extend at least to the stopping distance at current speed plus margin. Side detection protects against personnel stepping into the vehicle's path. Rear detection may be required when backing.
Performance requirements include detection reliability, response time, and immunity to false triggers. Safety-rated personnel detection requires appropriate redundancy and diagnostic coverage. Detection must function reliably under environmental variations including lighting, temperature, and dust.
Response to detection typically involves stopping or slowing the vehicle. Stopping distance at current speed determines the minimum detection range required. The response must be reliable and appropriately fast. Resume criteria after detection should prevent restart while personnel remain in the path.
Limitations of detection systems must be understood and addressed. No detection system is infallible. Certain conditions may impair detection. Personnel training should address proper behavior around mobile robots. Warning devices supplement detection by alerting personnel to vehicle presence.
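The field-sizing rule in the text (forward detection must reach at least the stopping distance at current speed plus a margin) and the resume rule (no restart while personnel remain in the path), as example code added here; it is not from any vehicle or scanner vendor and does not reproduce ISO 3691-4 formulas. The deceleration, response time, margin and the number of clear scans required before resuming are assumed constants, and the inverse function generalises the rule to give the highest speed a given field length can cover.

```python
"""Protective-field sizing and stop/resume logic for a mobile robot.

Added example, not vendor code. The kinematic model (reaction travel plus
constant-deceleration braking) and all parameter values are assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class VehicleParams:
    decel_m_s2: float = 1.2    # assumed guaranteed braking deceleration
    response_s: float = 0.25   # assumed scanner + controller + brake delay
    margin_m: float = 0.3      # assumed allowance for measurement error etc.


def stopping_distance_m(v_m_s: float, p: VehicleParams) -> float:
    """Travel from detection to standstill: response-time travel plus
    braking distance v^2 / (2a)."""
    return v_m_s * p.response_s + v_m_s * v_m_s / (2.0 * p.decel_m_s2)


def required_field_length_m(v_m_s: float, p: VehicleParams) -> float:
    """Minimum forward detection range at this speed (stopping distance plus margin)."""
    return stopping_distance_m(v_m_s, p) + p.margin_m


def field_is_sufficient(field_m: float, v_m_s: float, p: VehicleParams) -> bool:
    return field_m >= required_field_length_m(v_m_s, p)


def max_speed_for_field_m_s(field_m: float, p: VehicleParams) -> float:
    """Invert required_field_length_m: solve v^2/(2a) + t*v - (D - m) = 0
    for v >= 0. Returns 0 if the field does not even cover the margin."""
    usable = field_m - p.margin_m
    if usable <= 0.0:
        return 0.0
    a, t = p.decel_m_s2, p.response_s
    return a * (-t + math.sqrt(t * t + 2.0 * usable / a))


class PersonnelStopLogic:
    """Stop on any detection in the protective field; resume only after the
    field has been clear for a number of consecutive scans (assumed criterion
    standing in for a site-specific resume rule)."""

    def __init__(self, clear_scans_required: int = 5):
        self.clear_scans_required = clear_scans_required
        self.stopped = False
        self._clear_count = 0

    def update(self, object_in_field: bool) -> bool:
        """Process one scan; return True if the vehicle may move."""
        if object_in_field:
            self.stopped = True
            self._clear_count = 0
            return False
        if self.stopped:
            self._clear_count += 1
            if self._clear_count >= self.clear_scans_required:
                self.stopped = False
                self._clear_count = 0
        return not self.stopped


if __name__ == "__main__":
    p = VehicleParams()
    for v in (0.5, 1.0, 1.5, 2.0):
        print(f"{v:.1f} m/s -> field >= {required_field_length_m(v, p):.2f} m")
    print(f"1.5 m field covers up to {max_speed_for_field_m_s(1.5, p):.2f} m/s")
```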
Operational Safety Requirements
Operational safety requirements address the management of mobile robot operations to maintain safety during deployment, normal operation, and abnormal situations.
Deployment preparation includes route survey to identify hazards, marking of vehicle paths if required, training of personnel who will work in the area, and verification that detection and control systems function correctly. Changes to the operating environment may require reassessment.
Traffic management coordinates vehicle movements with personnel and other vehicles. Intersection control prevents conflicts. Right-of-way rules establish priority. Scheduling can reduce traffic density in congested areas. Segregation of vehicle and pedestrian paths where possible reduces exposure.
Emergency procedures address situations where normal operation cannot continue safely. Manual stop capability must be accessible. Procedures for removing disabled vehicles should prevent creating additional hazards. Communication of vehicle status supports appropriate response.
Maintenance requirements address keeping vehicles in safe operating condition. Inspection schedules should verify detection systems, brakes, and safety functions. Performance degradation should be detected before safety is compromised. Maintenance records support systematic equipment management.
Documentation requirements include operating procedures, maintenance procedures, and safety information for personnel working in the area. Documentation should be accessible to those who need it and kept current as the operation evolves.
Service Robot Requirements
Service Robot Categories
Service robots operate outside traditional industrial environments, interacting with the general public in applications such as healthcare, hospitality, retail, and public services. Different categories of service robots present different safety considerations.
Personal care robots provide direct physical assistance to humans, including rehabilitation robots, mobility aids, and assistive devices. These robots may be in physical contact with users during operation. The vulnerability of the user population, which may include elderly or disabled individuals, demands conservative safety approaches.
Medical robots perform or assist with medical procedures. Surgical robots manipulate instruments inside the body. Rehabilitation robots guide therapeutic movements. Medical robots are subject to medical device regulations in addition to robot safety standards.
Professional service robots perform commercial services such as cleaning, delivery, and security. These robots may operate in public spaces with uncontrolled personnel. Users may be unfamiliar with robot technology and unable to assess hazards.
Public environment robots operate in spaces open to the general public, including museums, airports, and shopping centers. These environments include children, elderly persons, and people with disabilities who may be more vulnerable to robot hazards or less able to avoid them.
ISO 13482 Personal Care Robot Safety
ISO 13482 specifies safety requirements for personal care robots, addressing the unique challenges of robots that physically interact with people in non-industrial settings. The standard covers mobile servant robots, physical assistant robots, and person carrier robots.
Hazard categories specific to personal care robots include hazards from physical contact during assistance, hazards from robot mobility in home environments, hazards from the robot's interaction with furniture and household objects, and hazards from malfunction while the user depends on the robot for mobility or safety.
Design requirements address inherent safety through limits on robot capabilities. Force limits during contact protect users from injury. Speed limits reduce collision severity. Stability requirements prevent tip-over. Emergency stop and other safety functions provide protection when inherent safety is insufficient.
Application-specific requirements recognize that different personal care applications present different risks. A mobility assistance robot presents different hazards than a domestic service robot. The standard provides guidance for risk assessment that addresses the specific application.
User interface requirements address the needs of users who may not be technically sophisticated. Controls must be easy to understand and operate. Feedback must communicate robot status clearly. Users must be able to stop the robot easily and reliably.
Testing and validation requirements ensure that robots meet safety requirements under realistic use conditions. Testing should include foreseeable misuse by users who do not fully understand robot capabilities and limitations. Long-term reliability testing addresses degradation over the expected service life.
Public Environment Safety Considerations
Robots operating in public environments encounter people who may be unaware of proper behavior around robots. Safety design must account for unpredictable human behavior and vulnerable populations.
Pedestrian interaction presents challenges because people may not respond predictably to robots. Children may approach out of curiosity. Adults may not notice slow-moving robots. People with disabilities may be unable to move out of the robot's path. Detection and avoidance systems must function reliably despite unpredictable human behavior.
Physical design should minimize injury potential during contact. Rounded surfaces, compliant materials, and elimination of pinch points reduce injury from collisions. Maximum speed in pedestrian areas should be appropriate to the stopping capability and detection system performance.
Communication to bystanders helps establish appropriate behavior. Visual indicators show the robot's status and intended direction. Audio signals can alert people to robot presence. Clear labeling identifies the robot's purpose and operator.
Supervision requirements may be appropriate for robots in some public environments. Remote monitoring allows human oversight of robot operation. Intervention capability enables humans to stop or redirect robots when needed. On-site personnel may be required for certain applications or environments.
Liability considerations for public environment robots are complex. Who is responsible if a robot injures a member of the public? The robot operator, deployer, manufacturer, and facility owner may all have potential liability. Clear allocation of responsibilities and appropriate insurance protect all parties.
Regulatory Developments
Regulation of service robots is evolving as the technology becomes more widespread. Understanding current and anticipated regulatory requirements is essential for developers and deployers of service robots.
Current regulations vary by application and jurisdiction. Medical robots are regulated as medical devices in most jurisdictions. Consumer robots may be subject to product safety regulations. Autonomous vehicles, including delivery robots, face emerging transportation regulations. The regulatory landscape is fragmented and evolving.
Emerging regulations are addressing gaps in current frameworks. The European Union is developing comprehensive AI and robotics regulation. United States agencies are examining regulatory needs for autonomous systems. Industry standards are developing faster than formal regulation in many areas.
Standards development continues to address new robot applications. ISO technical committees are developing standards for various service robot categories. Regional standards bodies are contributing to harmonization efforts. Industry consortia are developing best practices that may eventually become standards.
Compliance strategies should anticipate regulatory evolution. Designing to exceed current requirements provides margin for future changes. Participation in standards development provides insight into coming requirements. Flexible designs allow adaptation as regulations evolve.
International considerations affect service robots that may be deployed globally. Different markets have different regulatory requirements. Certification in one jurisdiction may not transfer to others. Global compliance strategies must address the full range of markets where products will be deployed.
Conclusion
The safety standards governing robotics and collaborative robots represent a sophisticated framework that balances the tremendous productivity benefits of robotic automation against the imperative to protect human workers. ISO 10218 establishes the foundation for industrial robot safety through requirements for robot design and system integration, while ISO/TS 15066 provides the detailed technical guidance that enables true human-robot collaboration. Together, these standards enable designers and integrators to create robot systems that work safely alongside humans in shared workspaces.
The biomechanical force and pressure limits in ISO/TS 15066 represent a scientific approach to determining acceptable contact levels, translating research on human tolerance into practical engineering requirements. These limits enable power and force limiting collaborative operation while providing clear, measurable criteria for validation. The four collaborative methods (safety-rated monitored stop, hand guiding, speed and separation monitoring, and power and force limiting) offer different approaches suited to different application requirements, with selection guided by thorough risk assessment.
Risk assessment remains the foundation of all robotic safety design. The methodology established in ISO 12100 and elaborated in ISO 10218 requires systematic identification of hazards, estimation of risks, implementation of protective measures, and verification that risks have been adequately controlled. For collaborative applications, this assessment must address the unique hazards that arise from humans and robots sharing workspace and potentially making contact during normal operation. The iterative nature of risk assessment ensures that protective measures are refined until all risks are acceptably low.
System integrators bear primary responsibility for the safety of complete robot installations, even when all components comply with applicable standards. Integration creates new hazards from component combinations, and application-specific factors determine what protective measures are appropriate. Thorough documentation, proper validation, and comprehensive user information are essential integrator responsibilities. The continuing obligations for support and service ensure that robot systems remain safe throughout their operational life.
Emerging applications in mobile robots and service robots are driving standards development into new areas. ISO 3691-4 addresses the safety challenges of automated guided vehicles and autonomous mobile robots operating in areas with human presence. ISO 13482 addresses personal care robots that physically assist and interact with human users. As robots move beyond factory floors into healthcare, hospitality, retail, and public spaces, the safety frameworks will continue to evolve to address new challenges while maintaining the fundamental commitment to human safety that underlies all robotic safety standards.