Robot Safety Standards & Functional Safety — Robotics Reference

Robot Safety Standards & Functional Safety

1. At a glance

Robot safety engineering is the discipline of preventing human injury, environmental harm, and asset damage caused by a robotic system. It is not one activity but a stack of four interlocking layers, each of which must be evidenced before a machine can be CE-marked, UL-listed, or operated under OSHA jurisdiction:

1. Hazard identification + risk assessment — ISO 12100:2010 methodology; enumerate every hazard the machine presents to every person across the full lifecycle (commissioning, operation, maintenance, decommissioning).
2. Risk reduction by design (intrinsic safety) — eliminate or substitute hazards in mechanism design before adding controls. Brake-on-power-loss, rounded corners, low-energy motion profiles.
3. Safety-rated controls (functional safety) — hardware + software that detects faults and brings the system to a safe state with quantified failure rates. Governed by IEC 61508 (foundational), ISO 13849-1 (machinery), and IEC 62061 (machinery, complementary E/E/PE focus).
4. Procedures, training, signage, PPE — administrative controls, always the last resort per the NIOSH 1974 Hierarchy of Controls.

The global baseline for industrial robots is ISO 10218-1:2025 (manufacturer requirements) and ISO 10218-2:2025 (integrator + user requirements), which replaced the 2011 edition in late 2025. Collaborative operation — humans and robots sharing workspace without physical fencing — is governed by ISO/TS 15066:2025 (the 2025 update of the 2016 technical specification), which sets quasi-static and transient force limits per body region for power-and-force-limited (PFL) cobots. Driverless industrial trucks (AGV / AMR) follow ISO 3691-4:2020 plus ANSI/RIA R15.08-2020 in the US. Surgical robots add IEC 60601-1:2020 + IEC 60601-2-77:2019. Drones live under 14 CFR Part 107 + Part 89 (US) and EU Regulation 2019/947 (EU), with DO-178C / DO-254 for certified-category airframes.

First ask before any safety work: what is the intended use, what is the foreseeable misuse, and who is at risk? Skipping the risk assessment and starting from “I’ll add a light curtain” is the classic integrator failure mode — the curtain may not address the dominant hazard. See [[Robotics/manipulator-design]] §safety for the design-stage interlock, [[Robotics/impedance-control]] for PFL compliance control, and [[Engineering/realtime-embedded]] for the IEC 61508 software lifecycle that sits under every safety-rated controller.

2. First principles

Risk equation

Risk = Severity × Probability of occurrence × Exposure. Reducing any factor reduces risk; ISO 12100 §5.5 codifies the formal three-step iteration: (1) determine limits, (2) identify hazards, (3) estimate + evaluate risk. The 2010 revision aligned the European EN ISO 12100-1/-2/-14121 trio into one document and remains the umbrella above all machine-safety standards.

Hierarchy of controls (NIOSH 1974, adopted ANSI Z10, ISO 45001)

In descending preference:

1. Eliminate — remove the hazard entirely (e.g., delete the sharp tool from the cycle).
2. Substitute — replace with lower-energy alternative (servo press instead of pneumatic).
3. Engineering controls — guards, interlocks, light curtains, safety-rated speed limits.
4. Administrative controls — procedures, lockout-tagout (LOTO), training records.
5. PPE — gloves, safety glasses, hearing protection.

Engineering controls dominate robot safety because robots are inherently high-energy machines that cannot be fully eliminated from a productive cell. Administrative controls and PPE are complementary, never primary.

Functional safety

Functional safety is the property of a system to detect a fault and transition to a safe state within a bounded time, with the failure rate of that detection itself quantified. The two metrics that matter:

• Safety Integrity Level (SIL) — IEC 61508 / IEC 62061. Discrete 1–4 scale. SIL 2 demands a probability of dangerous failure per hour (PFH) of $10^{-7}\le \mathrm{PFH}<10^{-6}$, SIL 3 demands $10^{-8}\le \mathrm{PFH}<10^{-7}$. Robotics almost never needs SIL 4 (reserved for nuclear, aerospace flight-critical); the working range is SIL 1–3.
• Performance Level (PL) — ISO 13849-1. Discrete a–e scale derived from MTTFD (mean time to dangerous failure), DCavg (diagnostic coverage), and Category (architectural redundancy: B, 1, 2, 3, 4). PL e is the most stringent and corresponds roughly to SIL 3.

The two scales are interconvertible per the table in §6 but not identical: PL is risk-graph-driven, SIL is target-failure-rate-driven. Most robot integrators in the EU work in PL; safety-component vendors (Pilz, SICK, Siemens) publish both.

SIL is computed per IEC 61508-1 § 7.4 from the dangerous-failure rate ${\lambda }_D$, the diagnostic coverage $\mathrm{DC}={\lambda }_{DD}/{\lambda }_D$ (fraction of dangerous failures the on-line diagnostics detect), the proof-test interval $T_1$, and the architectural Hardware Fault Tolerance (HFT). For continuous-mode operation (which describes nearly all robotic motion control) PFH is the target metric; for low-demand operation (an e-stop pressed once a month) PFDavg replaces it. The two are numerically aligned per IEC 61508-1 Tables 2 and 3 so that SIL is consistent across operational modes.

Stop categories (IEC 60204-1:2016)

• Cat 0 — uncontrolled stop: drive power removed immediately. Joints coast to halt under brake + residual inertia. Used for e-stop when controlled deceleration is not trusted (fault in controller).
• Cat 1 — controlled stop, then power off: drive ramps speed to zero, then STO (Safe Torque Off) drops power. The standard cobot e-stop response — preserves trajectory tracking through the deceleration, then guarantees no torque post-stop.
• Cat 2 — controlled stop, power maintained: drive holds zero velocity while keeping power for position holding. Used for safety-rated monitored stop (SRMS) in ISO/TS 15066 cobot mode — the robot freezes and can resume on demand.

IEC 61800-5-2 safe motion functions

The cobot/servo-drive safety vocabulary is fixed across vendors:

• STO — Safe Torque Off: drive output transistors disabled, no torque possible. PL e / SIL 3 typical.
• SS1 — Safe Stop 1: ramp to zero then STO. Cat 1 stop.
• SS2 — Safe Stop 2: ramp to zero, position-hold under monitoring. Cat 2 stop.
• SOS — Safe Operating Stop: hold position; drive monitors that motion does not exceed a tolerance.
• SLS — Safely Limited Speed: monitor that speed stays below a configured limit; fault → STO.
• SSM — Safe Speed Monitoring: pure monitoring; output signal indicates whether speed is below threshold.
• SLP — Safely Limited Position: bound joint or Cartesian position; useful for virtual safety zones.
• SLT — Safely Limited Torque: bound joint torque for force-limited operation.
• SDI — Safe Direction: ensure motion only in permitted direction.
• SBC — Safe Brake Control: drive a holding brake under safety-rated control.

These functions are exposed by ABB ACS880 + FSO-12, Siemens SINAMICS S210 Safety Integrated, B&R ACOPOSmulti, Rexroth IndraDrive Mi, and integrated into every cobot torque controller (Franka FCI, KUKA SunriseOS, UR PolyScope, Doosan).

Risk graph methodology (ISO 13849-1 Annex A)

Three inputs select required PL:

• S — severity: S1 = slight reversible injury, S2 = serious irreversible / death.
• F — frequency / duration of exposure: F1 = seldom or short, F2 = frequent or long.
• P — possibility of avoiding the hazard: P1 = possible under specific conditions, P2 = scarcely possible.

The path through the decision tree maps {S, F, P} → required PL ∈ {a, b, c, d, e}. Industrial robot e-stop typically resolves to PL d (S2 / F2 / P2 → PL d, sometimes PL e for high-energy machines).

Categories — architectural redundancy (ISO 13849-1 § 6.2)

Categories B, 1, 2, 3, 4 describe how the safety-related control system is structured against faults — independent of component quality:

• Cat B — basic; well-tried principles, no redundancy. A single fault can lead to loss of the safety function.
• Cat 1 — well-tried components + well-tried principles. Same architecture as B but with documented reliability history (e.g., positively-opening contacts, force-guided relays).
• Cat 2 — single channel with periodic test by a separate test channel. A fault is detected by the next test cycle, not necessarily before harm; suitable for slow-onset hazards.
• Cat 3 — single fault tolerant. Two channels; a single fault does not lead to loss of the safety function and is detected at or before the next demand. The dominant cobot / industrial e-stop architecture.
• Cat 4 — single fault tolerant with fault accumulation tolerance. Two channels with continuous mutual monitoring; faults are detected immediately and the system tolerates accumulation between exposures. Required for the highest-risk applications.

The combination of Category, MTTFD, and DCavg yields PL via ISO 13849-1 Figure 5 (the bar chart). Higher quality components can lift PL within a category but cannot exceed the architectural ceiling — Cat 1 caps at PL c regardless of MTTFD; Cat 3 caps at PL e only with DCavg ≥ 99 % and MTTFD “high”.

3. Standards landscape

Standard	Scope	Current edition
ISO 10218-1 / -2	Industrial robots — manufacturer / integrator	2025 (replaces 2011)
ISO/TS 15066	Collaborative robots — collision limits	2025 (refresh of 2016)
ISO 12100	Risk assessment + reduction methodology	2010
ISO 13849-1	Safety-related parts of control systems — design	2023
ISO 13849-2	Safety-related parts of control systems — validation	2012
ISO 13855	Positioning of safeguards w.r.t. human approach	2010
ISO 14119	Interlocking devices associated with guards	2024
IEC 60204-1 + AMD 1	Electrical equipment of machines	2016 + 2021 amend
IEC 61496-1 / -3	ESPE (light curtains, AOPDDR scanning)	2020 / 2018
IEC 61508 (parts 1–7)	Functional safety of E/E/PE safety-related systems	2010
IEC 62061	Functional safety of machinery — E/E/PE	2021
IEC 62443 (series)	Industrial cybersecurity (now safety-adjacent)	2018–2024
ANSI/RIA R15.06	US adoption of ISO 10218	2012
ANSI/RIA R15.08	Industrial mobile robots (IMR)	2020 (Part 1), 2023 (Part 2)
ISO 3691-4	Driverless industrial trucks (AGV/AMR)	2020
ISO 22166-1	Modularity for service robots	2021
ISO 13482	Personal care robots (PCR)	2014
IEC 60601-1	Medical electrical equipment — general	2020 (4th ed.)
IEC 60601-2-77 / -78	Surgical robotic equipment	2019
EU 2023/1230	EU Machinery Regulation (replaces 2006/42/EC)	effective 2027-01
EU 2019/947 + 2019/945	UAS operations + product requirements	2019
14 CFR Part 107 / Part 89	US small UAS / Remote ID	2016 / 2021
DO-178C / DO-254	Avionics software / complex hardware	2011 / 2000
MIL-STD-882E	DoD system safety	2012
ANSI Z244.1 / OSHA 1910.147	Lockout-Tagout (LOTO)	2003 / 1989
MISRA C:2012 / C++:2023	Coding rules for safety-critical C / C++	2012 / 2023

The EU Machinery Regulation 2023/1230 is the largest near-term change: it replaces Directive 2006/42/EC on 2027-01-20, introduces explicit rules for AI components affecting safety, removes the “comparable safety” exemption for cobots, and requires digital instructions for use. Every manufacturer placing a robot on the EU market needs to re-evaluate its CE technical file before that date.

4. Cobot safety methods — ISO/TS 15066 in depth

ISO/TS 15066:2025 defines four collaborative operation modes; any cell may use one mode or combine several across regions or task phases.

4.1 Safety-Rated Monitored Stop (SRMS)

The robot moves at full industrial speed while no human is in the collaborative workspace. Safety-rated sensors (light curtain, area scanner, pressure mat) detect intrusion → robot enters SS2 (Cat 2) stop and holds. Operator may approach, perform a hand task, then leave; robot resumes only on a deliberate reset. SRMS is functionally identical to a fenced cell with door interlocks — the “collaboration” is sequential, not simultaneous.

4.2 Hand Guiding (HG)

The operator physically moves the robot via a force-sensing handle, while a deadman switch (3-position enabling device per IEC 60204-1) is held. Robot is in SLS (safely limited speed, typically ≤ 250 mm/s tool-tip) and STO drops on any switch release. Used for path teaching on KUKA iiwa, ABB YuMi, Franka Panda.

4.3 Speed and Separation Monitoring (SSM)

Robot speed is modulated as a function of measured distance to the nearest human, such that the robot can always stop before contact. The required protective separation distance is

$S_p(t_0)=S_h+S_r+S_s+C+Z_d+Z_r$

where, per ISO/TS 15066:2025 §5.5.4:

• $S_h$ — distance the human travels during the robot’s reaction + stop time at the human approach speed (ISO 13855 default: 1.6 m/s walking, 2.0 m/s running).
• $S_r$ — distance the robot travels during its reaction time before stopping begins.
• $S_s$ — distance the robot travels during the stop itself (Cat 1 ramp).
• $C$ — intrusion distance (how far a hand penetrates the sensing field before being detected; 850 mm default per ISO 13855 for finger detection through a vertical curtain).
• $Z_d$ — measurement uncertainty of the human-position sensor.
• $Z_r$ — measurement uncertainty of the robot-position estimate.

When $S_p$ is breached the robot ramps to zero (SS1 or SS2). Production deployments use safety-rated 2D LiDAR (SICK microScan3, Keyence SZ-V), 3D stereo (Pilz SafetyEye), or active sensor fences (Veo Robotics FreeMove, Fortrobotics).

In production, SSM is the dominant cobot mode for material-handling and machine-tending cells where the robot must move at productive speed (1–2 m/s) most of the time and the operator enters only occasionally. The capital cost is the safety-rated 3D perception stack (Pilz SafetyEye + safety PLC ≈ USD 25 000, Veo FreeMove subscription ≈ USD 15 000 / robot / year) — substantially less than fencing a comparable footprint.

4.4 Power and Force Limited (PFL)

The robot is designed and controlled so that any unintended contact remains below body-part-specific force and pressure thresholds. Two collision regimes are bounded separately:

• Quasi-static (clamping) — body part trapped between robot and a fixed surface. Force builds to a sustained value; the limit prevents crush injury.
• Transient (impact) — free-space collision with a moving body part; force spikes and decays. The limit prevents acute bruising or laceration.

Table A.2 (transient) and A.3 (quasi-static) of ISO/TS 15066:2025 list 29 body-region limits derived from Mainz pain-onset studies. Representative values:

Body region	Quasi-static force limit (N)	Transient force limit (N)	Pressure (N/cm²)
Skull / forehead	130	175	30
Face	65	90	20
Neck	35	35	5
Back / shoulders	210	420	70
Chest	140	280	45
Abdomen	110	220	35
Pelvis / sacrum	180	360	75
Upper arm	150	300	50
Forearm / wrist	160	320	50
Hand / fingers	140	280	140
Thigh	220	440	80
Knee	220	440	80
Lower leg	130	260	50
Foot / toes	140	280	110

The transient limit is typically 2× the quasi-static value (factor adjusted per region for damping). Pressure limits scale with the contact-area cross-section. Enforcement requires either (a) intrinsic design — limited inertia and torque → physically incapable of exceeding limits — or (b) joint-torque sensing with collision detection algorithms (Haddadin / De Luca / Albu-Schäffer 2017, “Robot Collisions: A Survey on Detection, Isolation, and Identification”, IEEE TR 33(6)) that trigger Cat 0/1 stop within the impact duration (~10–50 ms).

The KUKA LBR iiwa, Franka FR3, and ABB YuMi achieve PFL through torque sensors in every joint plus the impedance control of [[Robotics/impedance-control]]. UR e-series and Doosan H-series achieve it through current-based estimation and tuned compliance.

Modes can be combined: a cell may run SSM at full speed when the operator is distant, transition to PFL ≤ 250 mm/s when the operator enters a defined inner zone, and SRMS when contact is imminent.

5. Practical math — three worked examples

Example A — PFL transient-force check on a cobot striking a torso

Setup: ABB GoFa CRB 15000-5/0.95 with a 2 kg gripper, commanded Cartesian velocity 800 mm/s. Pendulum collision test (per ISO/TS 15066 Annex B test rig) using a 2.5 kg pendulum mass simulating the chest impedance (175 N/mm spring, 12 N·s/m damper) measures a peak transient force of $F_{\mathrm{peak}}=310$ N at the end-effector.

Check against Table A.2:

• Hand impact — limit 280 N transient. Measured 310 N → FAIL by 11 %.
• Chest impact — limit 280 N transient. Measured 310 N → FAIL by 11 %.
• Back / shoulders — limit 420 N transient. PASS.

Mitigation: reduce commanded speed. Impact force in the small-deformation regime scales approximately as $F\propto v$ for a fixed effective mass + spring; to bring 310 N below 280 N requires $v\le 800\cdot (280/310)=723$ mm/s. Reprogram the trajectory at 700 mm/s and re-test; in practice integrators target 30 % margin → 540 mm/s. Use ABB SafeMove2 Safe Speed Monitoring to enforce the limit at PL d.

Example B — SSM protective separation distance for a fenceless cobot cell

Setup: UR10e on a stand with a SICK microScan3 scanner monitoring the floor in a 2 m × 2 m collaborative zone. Robot Cartesian speed during productive motion = 1.0 m/s. Human approach speed $S_h$ = 1.6 m/s (ISO 13855 default).

Time and distance contributors:

• Robot reaction time $T_r$ (controller → drive STO request) = 80 ms.
• Robot stopping distance $S_s$ from 1.0 m/s under SS1 ramp at 5 m/s² → $S_s=v^2/(2a)=1/10=0.10$ m = 100 mm.
• Scanner response time $T_s$ = 80 ms (microScan3 with 2-scan filter at 30 ms scan period).
• Network + safety PLC = 30 ms.
• Total robot stop time post-detection: $T_r+T_{\mathrm{stop}}\approx 80+200=280$ ms; total reaction $T_R=280+80+30=390$ ms.

Distances:

• $S_h=1.6m/s\cdot 0.390\mathrm{s}=624$ mm.
• $S_r$ ≈ 0 (robot already moving — counted in $S_s$).
• $S_s$ = 100 mm.
• $C$ = 850 mm (finger detection through vertical sensing per ISO 13855).
• $Z_d$ = 50 mm (microScan3 measurement uncertainty per datasheet at 2 m range).
• $Z_r$ = 40 mm (UR10e Cartesian pose uncertainty under SLP).

$S_p=624+0+100+850+50+40=1664\mathrm{mm}\approx 1.66\mathrm{m}$

The microScan3 sensing field around the robot must extend ≥ 1.66 m radially. If the cell footprint cannot accommodate that, reduce robot speed (linear payoff: 0.5 m/s halves $S_h$ and $S_s$) or stage operator-only zones via reduced-resolution outer fields (slow-down warning at 2.0 m, stop at 1.7 m).

Example C — Functional safety design for a cobot e-stop circuit to PL d

Application: dual-channel hardwired e-stop mushroom button (Schmersal ZQ900-11) on a UR10e cell. Required PL determined by ISO 13849-1 Annex A risk graph: S2 (serious injury possible — 1 m/s robot with 10 kg payload), F2 (operator interacts frequently), P2 (impact happens too fast to avoid) → required PL d.

Architecture (Cat 3 — single fault tolerance):

• Two redundant normally-closed contacts in the e-stop head, mechanically positive-opening (IEC 60947-5-1).
• Dual-channel wiring to two inputs of a Pilz PNOZ s5 safety relay (or equivalent SICK Flexi Soft FX3-CPU0).
• PNOZ s5 monitors cross-fault between channels (a short-to-supply or short-to-ground in one channel is detected as a discrepancy within 50 ms → unit drops both output contactors).
• Output: two redundant safety contactors (Schneider LC1D09 with mirror contact, or Pilz PMUT X1P) in series on the drive STO enable line. Each contactor’s auxiliary mirror contact wires back to the PNOZ for feedback (positively driven contact monitoring).
• Reset: manual, monitored (IEC 13849-1 § 5.2.2) — operator must press a separate reset button; the PNOZ requires a rising edge after the e-stop is released.

PL calculation via SISTEMA (free tool from IFA, the German social-accident insurance institute):

• Button MTTFD: 100 years (datasheet B10d = 1×10⁶ ops, 1 op/hour → MTTFD ≈ 110 years; truncated to 100 per ISO 13849-1).
• Relay PNOZ s5: PFH = 2.31×10⁻⁹ /h (datasheet), PL e.
• Contactor MTTFD: 167 years (B10d = 1.3×10⁶ at 1 op/min).
• Architecture: Cat 3 with DCavg “high” (cross-monitor + feedback contacts → > 99 %).
• Combined channel MTTFD → “high” range (≥ 30 years) under ISO 13849-1 Table 5 → PL e achieved, exceeding the PL d target.

Validation per ISO 13849-2: FMEA on each component, functional test of cross-monitoring (short channel A to 24 V → relay must drop within 50 ms), endurance test on the contactors at rated current. Document in the technical file. TÜV Süd or Bureau Veritas third-party assessment for CE marking.

6. Design heuristics

Risk assessment is iterative

ISO 12100 § 6 requires the assessment to be repeated after every design change that affects hazards. Maintain the hazard log as a living document, version-controlled alongside the CAD and firmware repositories.

Engineering controls beat administrative controls

Always. Procedures rely on humans being awake, trained, and not in a hurry — never simultaneously true on a production floor. Codify safety in hardware: brake-on-power-off (servo brakes are spring-engaged, electromagnetically released — failsafe by default), dual-channel redundant inputs, safety-rated absolute encoders (Heidenhain ECN/EQN FS variants, Renesas R3DA, Hengstler AC58S/RA58S safety series) so that the controller can self-verify position rather than relying on operator-defined home positions.

Cobot vs industrial decision

Criterion	Cobot (PFL or SSM)	Industrial + fence
Payload	≤ 10–35 kg	up to 2300 kg
TCP speed	≤ 250 mm/s in PFL; up to ~2 m/s in SSM with clearances	up to 8 m/s
Reach	0.5–1.8 m	0.5–4 m
Cycle proximity	human within < 1 m	human always outside fence
Cost per axis	1.5–3× industrial	baseline
Footprint	minimal	fence-determined
Use it when	cycle requires frequent operator interaction or ergonomic loading	high speed, isolated cycle, heavy parts

Speed reduction is the single highest-leverage safety upgrade. Cutting tool-tip speed in half quarters the kinetic energy and roughly halves transient impact force. ISO/TS 15066 § 5.4.3 codifies 250 mm/s as the upper bound for PFL mode without per-application validation.

Sensor selection — safety-rated only

A consumer-grade camera or LiDAR is not a safeguard. Only devices certified to IEC 61496-1 (ESPE — Electro-Sensitive Protective Equipment) and corresponding IEC 61496-3 (AOPDDR — Active Opto-electronic Protective Devices responsive to Diffuse Reflection) qualify. Production-grade choices:

• SICK microScan3 / nanoScan3 / S3000 / S300 — 2D safety LiDAR, PL d / SIL 2, scanning angles up to 275°.
• Pilz SafetyEye — 3D stereo camera, PL d, configurable volumetric protection zones.
• Veo Robotics FreeMove — multi-camera 3D, PL d, dynamic SSM.
• Keyence SL-V / GL-R — safety light curtains, PL e, 14 mm / 25 mm / 40 mm resolution.
• Banner Engineering EZ-SCREEN LP/LS — light curtains, PL e.
• Omron OS32C / F3SG-SR — scanner / light curtain, PL d / e.
• Leuze RSL400 — safety scanner, PL d, 8.25 m range.
• ASO Safety Solutions / Lardner — safety mats (pressure-sensitive floor).

Light curtains require correct positioning per ISO 13855: minimum distance $S=K\cdot T+C$ where $K=2000$ mm/s for hand approach perpendicular to the curtain plane, $T$ = total stop time, $C$ = intrusion depth (850 mm finger / 14 mm beam, 1200 mm hand / 30 mm beam, 850 + 8(d − 14) mm general).

Safety PLC selection

For anything beyond a single e-stop loop a safety PLC is mandatory (multi-zone monitoring, dependent logic, mode-switching). Mainstream choices:

• Siemens SIMATIC F-CPU (S7-1200F / S7-1500F) with PROFIsafe — integrates with TIA Portal, the dominant choice in EU automotive.
• Allen-Bradley GuardLogix 5570 / 5580 with CIP Safety — dominant in NA automotive + heavy industry.
• Pilz PNOZmulti 2 / PSS 4000 with SafetyNET p — modular, vendor-neutral.
• SICK Flexi Soft FX3 — paired with SICK safety sensors.
• Phoenix Contact PSRtrip / PSR-Trisafe — economical, IEC 62061-rated.
• B&R X20 SafeLOGIC with openSAFETY.
• Beckhoff TwinSAFE with FSoE — for EtherCAT-centric architectures.

Safety bus protocols: PROFIsafe over PROFINET (Siemens), CIP Safety over EtherNet/IP (Rockwell), FSoE over EtherCAT (Beckhoff), openSAFETY over POWERLINK (B&R). Black-channel principle — the safety protocol is layered above an arbitrary unsafe bus, with end-to-end CRC + sequence numbering + timeout. See [[Robotics/comm-buses]] for the underlying transport.

Safety-rated speed selection — rule of thumb

For a cobot operating in PFL mode, the conservative starting speed limit is 250 mm/s tool-tip Cartesian (ISO/TS 15066:2025 § 5.4.3 informal benchmark). Validate against the actual end-effector geometry and payload via Annex B pendulum testing — sharper or heavier tools may require dropping to 150–180 mm/s. In SSM mode the speed envelope is set by the separation calculation of §5 Example B; treat the result as an upper bound and apply 30 % margin. For mixed-mode cells, configure two SLS limits in the safety controller (one PFL-zone, one SSM-zone) and switch via a safety-rated zone signal from the area scanner.

Brake architecture

Servo brakes in industrial robots are spring-engaged, electromagnetically released (SEER). At loss of power the spring engages — fail-safe by default. Two failure considerations:

1. Brake holding torque margin — typical specification is 2× joint static-load torque. Marginal designs slip under load if the brake disc wears or oil contamination reduces friction. Mitigation: brake test cycle at every controller boot (drive the joint against the engaged brake at ~50 % rated torque, monitor encoder for movement; fail → service required).
2. Stored kinetic energy at brake engagement — a heavy joint moving at 2 m/s carries J/2·ω² of energy. Cat 0 stop dumps this through the brake; repeated abuse glazes the friction material. Prefer Cat 1 (controlled deceleration, then brake at rest) for routine stops; reserve Cat 0 for true emergencies.

Workspace virtualisation

Modern safety controllers (KUKA SafeOperation, ABB SafeMove2, Fanuc DCS — Dual Check Safety, UR Safety Functions) expose configurable virtual planes / boxes / cylinders that bound the robot in joint or Cartesian space. The safety processor independently verifies pose against the bound at the joint-control rate; violation triggers SS1. Used to enforce keep-out zones around fixtures, define collaborative inner zones, and prevent reach into adjacent cells without physical barriers. PL d / SIL 2 typical. Always validated by deliberate boundary-overrun testing during commissioning.

Documentation required for CE / UL

1. Hazard identification report (ISO 12100 § 5.5).
2. Risk assessment worksheet with required PL/SIL per hazard.
3. Schematics including safety circuit detail.
4. SISTEMA / SET project file with PL/SIL calculation per safety function.
5. Validation test report (ISO 13849-2 / IEC 62061 § 8).
6. Software lifecycle evidence if safety functions involve programmable logic (IEC 61508-3 / IEC 62061 § 6.11).
7. User manual including residual-risk warnings, intended use, foreseeable misuse.
8. Declaration of Conformity (DoC) under the EU Machinery Regulation 2023/1230 + harmonised standards list.
9. CE marking + manufacturer’s nameplate.
10. For US: UL 1740 or NRTL listing, OSHA-compliant signage.

Automotive overlay — ISO 26262 + SOTIF

Robots installed in automotive plants inherit OEM-specific safety requirements layered above ISO 10218. Tesla, BMW, Toyota each publish supplier safety guidelines. Mobile robots delivering parts between stations interact with manned forklifts, so the cell-level risk assessment includes mixed-traffic considerations per VDI 2510 (Germany) or industry-specific addenda. Autonomous on-road vehicles operating inside a plant (yard tractors, logistics shuttles) cross into the ISO 26262 functional-safety regime with ASIL A–D classifications and the ISO/PAS 21448 SOTIF (Safety Of The Intended Functionality) framework covering performance limitations of the sensing + ML components. See [[Engineering/realtime-embedded]] for the ISO 26262 V-model and ASIL decomposition rules.

Cyber-physical safety (IEC 62443)

A safety system that can be remotely disabled is not safe. IEC 62443 (the industrial automation cybersecurity series, parts -2-1 through -4-2 most relevant) defines Security Levels SL 1–4 analogous to SIL. Robot integrators now must demonstrate:

• Network segmentation between safety and control LANs (often air-gapped or firewalled at L2).
• Authenticated firmware updates (Franka, UR, KUKA all sign firmware as of 2023+).
• Defense in depth against malicious motion commands.
• Audit logging of safety configuration changes.

The 2023 EU Machinery Regulation cross-references IEC 62443 explicitly — cybersecurity is now a safety prerequisite, not an adjacent concern.

Drone-specific safety

Multirotor and fixed-wing UAS sit under aviation authorities. See [[Robotics/multirotor-design]]. Key gates:

• 14 CFR Part 107 (US) — small UAS commercial operation, < 25 kg, daylight, line-of-sight, ≤ 400 ft AGL, ≤ 100 mph. Remote pilot certificate required.
• 14 CFR Part 89 — Remote ID broadcast (2023 mandate).
• EU 2019/947 — three categories: Open (low risk, no auth required), Specific (SORA — Specific Operations Risk Assessment), Certified (manned-aviation-equivalent).
• SC-VTOL-01 — EASA special condition for eVTOL.
• DO-178C for certified-category flight software (DAL A–E), DO-254 for complex electronic hardware.
• ASTM F3322 (parachute recovery), F3411 (Remote ID protocol).

Lockout-Tagout (LOTO)

ANSI Z244.1:2003 + OSHA 29 CFR 1910.147 (US) and EN 1037:2008 (EU). Energy isolation during maintenance — apply and verify zero-energy state before opening any guard. Robots have multiple energy sources: 3-phase main, 24 V control, pneumatic, hydraulic, stored spring (counterbalance), potential energy in raised arm. LOTO procedure must address all of them. Standard practice: pad-lockable main disconnect on the controller cabinet; arm in safe pose (folded or supported) before isolation.

7. Reference data

PL ↔ SIL ↔ Category mapping (informal cross-reference)

ISO 13849-1 PL	IEC 61508 / 62061 SIL	PFH range (1/h)	Typical Category	Robotics use
PL a	—	$10^{-5}\le \mathrm{PFH}<10^{-4}$	B / 1	rarely sufficient
PL b	SIL 1 (low end)	$3\times 10^{-6}\le \mathrm{PFH}<10^{-5}$	1 / 2	low-risk guards
PL c	SIL 1	$10^{-6}\le \mathrm{PFH}<3\times 10^{-6}$	1 / 2 / 3	moderate-risk guards
PL d	SIL 2	$10^{-7}\le \mathrm{PFH}<10^{-6}$	2 / 3	cobot e-stop, safety scanner
PL e	SIL 3	$10^{-8}\le \mathrm{PFH}<10^{-7}$	3 / 4	high-energy industrial robot e-stop, STO

Stop-time budgets (typical, from datasheet)

Robot	TCP speed	Reaction time	Stop time	Stop distance
UR10e	1.0 m/s	80 ms	200 ms (SS1)	100 mm
KUKA LBR iiwa 14	1.0 m/s	50 ms	150 ms (SS1)	75 mm
Franka FR3	1.0 m/s	30 ms	120 ms (SS1)	60 mm
ABB GoFa CRB 15000	2.2 m/s	70 ms	250 ms (SS1)	280 mm
KUKA KR 210 R2700 (industrial)	2.0 m/s	100 ms	500 ms (Cat 1)	700 mm
Fanuc M-710iC/50	2.0 m/s	100 ms	450 ms	650 mm

Safety scanner — representative specifications

Sensor	Type	Scan angle	Range (safety)	Response time	PL / SIL	Use
SICK microScan3 Core I/O	2D LiDAR	275°	5.5 m	30 ms / scan	PL d / SIL 2	cobot perimeter
SICK nanoScan3	2D LiDAR	275°	3.0 m	40 ms	PL d / SIL 2	AGV / low-profile
SICK S3000 Professional	2D LiDAR	190°	7.0 m	30 ms	PL d / SIL 2	legacy industrial
Leuze RSL400	2D LiDAR	270°	8.25 m	40 ms	PL d / SIL 2	large workspace
Pilz SafetyEye	3D stereo	volumetric	5 m	250 ms	PL d / SIL 2	volumetric zones
Keyence SZ-V32N	2D LiDAR	270°	8.0 m	60 ms	PL d / SIL 2	scanning
Omron OS32C-BP-DM	2D LiDAR	270°	4.0 m	80 ms	PL d / SIL 2	scanning
SICK deTec4 Core	light curtain	linear	9 m	13 ms	PL e / SIL 3	finger / hand
Keyence GL-R	light curtain	linear	9 m	14 ms	PL e / SIL 3	finger / hand
Banner EZ-SCREEN LP	light curtain	linear	12 m	11 ms	PL e / SIL 3	finger / hand

Response time is the time from intrusion to safety output drop; the integrator adds robot reaction + stop time to compute total stop time for ISO 13855 distance calculation.

Standards by application

Application	Primary standard(s)	Required PL/SIL (typical)	Notes
Industrial fenced arm	ISO 10218-1/-2:2025	PL d / SIL 2 e-stop	+ ISO 13849 + ISO 13855
Cobot PFL	ISO 10218 + ISO/TS 15066:2025	PL d / SIL 2	+ force test per Annex B
Cobot SSM	ISO 10218 + ISO/TS 15066:2025	PL d / SIL 2	+ scanner per IEC 61496
AGV / AMR indoor	ISO 3691-4:2020 + R15.08-2020	PL d / SIL 2	+ ISO 13849 + safety scanner
Surgical robot	IEC 60601-1 + 60601-2-77 + IEC 62304 + ISO 14971	Class C (62304)	+ FDA 21 CFR 820 / EU MDR
Service / personal-care robot	ISO 13482:2014	application-dependent	type 1/2/3 mobile servant
Small UAS (US commercial)	14 CFR Part 107 + Part 89	n/a (cert by aircraft class)	remote pilot cert
Certified UAS (EU)	EU 2019/947 + DO-178C + DO-254	DAL A–E	SC-VTOL-01 for eVTOL
Autonomous vehicle (road)	ISO 26262 + ISO/PAS 21448 (SOTIF) + UNECE R155/R156	ASIL A–D	SAE J3016 level
Industrial cybersecurity	IEC 62443-3-3 + IEC 62443-4-2	SL 1–3	conduit + zone model

Sourcing and validation tools

• SISTEMA — IFA (DGUV) free tool for ISO 13849-1 PL calculation. Includes vendor databases for Pilz, SICK, Schmersal, Schneider, Banner.
• SET — Safety Evaluation Tool — Siemens free tool for IEC 62061 SIL calculation.
• Pilz PAScal / PAS4000 — architectural simulation + project documentation.
• TÜV Rheinland / TÜV Süd / Bureau Veritas / SGS / UL Solutions — accredited certification bodies for CE, UL, FM.
• DEKRA / VDE — German notified bodies for the Machinery Regulation.

Cobot vendor force-test datasets

Most cobot manufacturers publish pre-validated ISO/TS 15066 Annex B test data covering common configurations (default payload, manufacturer’s reference tool, range of speeds). When the integrator’s tool and payload fall within these published envelopes, the cell-level pendulum test can be waived — the integrator instead documents that the configuration is bounded by the manufacturer’s data. UR publishes the “Universal Robots e-series force/torque test results” appendix; KUKA includes per-axis force charts in the iiwa Operator Manual; Franka publishes biomechanical limit charts vs joint configuration. The integrator’s risk assessment must cross-reference the published data to the specific tool and trajectory.

Cost-of-safety reference (order of magnitude, 2026)

• E-stop button + dual-channel safety relay: USD 200–400.
• Safety contactor pair + monitoring: USD 250–500.
• Single-zone safety scanner (SICK microScan3 Core I/O): USD 4 500–6 500.
• Multi-zone safety PLC (Pilz PNOZmulti 2 base + expansion): USD 3 500–8 000.
• Light curtain (4 m height, 14 mm res): USD 1 500–3 000.
• 3D safety perception (Pilz SafetyEye or Veo FreeMove): USD 15 000–30 000 / cell.
• Third-party PL d / SIL 2 certification (TÜV / UL): USD 8 000–40 000 depending on scope.
• Full risk assessment + technical file by external consultancy: USD 15 000–60 000 / robot cell.

Cobot premium over an equivalent industrial arm: ~50–150 % depending on torque-sensing depth. PFL torque-sensor cobots (iiwa, Panda) sit at the top; current-based PFL cobots (UR, Doosan) at the lower end of the premium.

8. Failure modes (safety-relevant) & debugging

• Unexpected restart after e-stop release — manual-monitored reset (ISO 13849-1 § 5.2.2) is required for any e-stop. The safety relay’s reset input must require a rising edge after the e-stop contacts return. Auto-reset is permitted only for guard interlocks where no human can be trapped (rare).
• Common-cause failure (CCF) in dual-channel safety — two channels share a power supply, EMI source, or mechanical pivot → both fail together. ISO 13849-1 Annex F scores CCF via a 100-point checklist (physical separation, diversity of components, environmental protection, training, qualification). ≥ 65 points required for Cat 3/4.
• Brake fade in a held position — joint counterbalance fails, brake slowly slips under gravity load. Mitigation: brake monitoring (ABB SafeMove2 includes Safe Brake Test), periodic test cycle during shift changeover.
• Software bug in safety function — IEC 61508-3 SC 3 (Safety Capability 3) software process required: formal requirements, V-model, MISRA C compliance, defensive coding, structural coverage testing (statement, branch, MC/DC for SIL 3). See [[Engineering/realtime-embedded]].
• Configuration error in safety PLC — wrong zone geometry, missing input, incorrect speed limit. Mitigation: version control of safety project file, CRC verification, paper sign-off by a second engineer (four-eyes rule).
• Sensor mis-detection — 2D LiDAR fails on optically black absorbent surface (carbon-fibre fixture, matte rubber boot), or sees through dust as if clear. Mitigation: multi-modal redundancy — scanner + light curtain at the entry, or 3D camera + 2D LiDAR. Validate during commissioning with the actual fixtures present.
• Cyber attack disables safety — IT-network intrusion reaches the OT layer, modifies SLS limit. Mitigation: IEC 62443 zone + conduit model, dedicated safety LAN, no remote write access to safety project, signed firmware.
• Tool breakage during force-limit operation — drill snaps, end-effector geometry changes, robot continues into part. Force-limit assumes tool integrity. Mitigation: integrated tool-load monitoring (Schunk EGI / OnRobot HEX-E F/T sensors), torque-based tool-break detection.
• Workspace breach by undetected human — child below scanner mounting height, person crawling, operator lying on the floor for maintenance without LOTO. Mitigation: multi-height scanning (floor scanner + waist-height curtain), procedural LOTO before any access below scanner.
• AGV / AMR collision with unexpected obstacle — cable lying across the path, foot extending into aisle, forklift fork at scanner height. Mitigation: ISO 3691-4 § 4.7 requires 360° detection at the lowest practical height; SICK nanoScan3 mounted at ≤ 200 mm above floor + upper sensor for chest-height obstacles.
• Cobot stops in “thinking” state while operator removes part — robot is in SOS, operator assumes machine is off, leans in to inspect. Mitigation: visual + audible mode indicator (RGB ring light + sound), require deliberate enabling-switch press to resume.
• Outdated standard reference in the technical file — ISO standards revise on a ~5–10 year cycle; an integrator citing ISO 10218-1:2011 in 2026 is non-compliant under the 2025 edition. Maintain a standards-watch process.
• Lack of training records — OSHA 29 CFR 1910.178 + 1910.147 require documented training; absent records, an injury exposes the employer regardless of robot safety design.
• Inverter STO bypass during commissioning — temporary jumper installed for setup, left in place. Mitigation: STO bypass plugs are forbidden in production safety standards (UR + KUKA + Franka explicitly call this out); use the controller’s commissioning mode + 3-position enabling switch instead.
• Mode-switch latency — controller switches from “automatic” to “manual reduced speed” but the speed-monitor enforces the new limit only on next cycle, allowing one-cycle overshoot. Mitigation: configure mode-switch to first enter SOS, then enable the new mode with limits already active.
• Encoder zero loss after battery failure — multi-turn absolute encoders rely on a backup battery; depleted battery loses the turn count, joints re-home to wrong position. Mitigation: battery monitoring + scheduled replacement; mechanical home-position dowel pins; safety-rated absolute encoders (single-turn with mechanical reference).
• F/T sensor drift — wrist force/torque sensor drifts over temperature; PFL collision-detection threshold becomes unreliable. Mitigation: zero on every cycle start, monitor environmental temperature, recalibrate per manufacturer interval (Schunk FT-AXIA recommends 12-month recalibration).
• Light curtain reflection — adjacent reflective surface (steel panel, glass guard) bounces the curtain beam around an obstruction, defeating detection. Mitigation: minimum reflective-surface distance per IEC 61496-2 (typically > 1 m); install matte non-reflective enclosures inside the curtain field.

9. Case studies

9.1 Universal Robots e-series — PFL + SSM cobot certified to PL d / SIL 2

The UR3e / UR5e / UR10e / UR16e / UR20 / UR30 family (UR Universal Robots, Odense, Denmark — acquired by Teradyne 2015) implements ISO/TS 15066 PFL via dual-encoder torque estimation (motor-side incremental + output-side absolute encoder, both safety-rated) plus a dual-MCU safety controller running in lockstep. The safety processor monitors 17 safety functions: STO, SS1, SS2, joint torque limit, joint speed limit, TCP speed limit, TCP force limit, momentum limit, power limit, TCP position limit (virtual planes), elbow position limit, tool flange position, pose limit (joint angles), orientation limit, robot stopping time, robot stopping distance, and the safe home position. Each is configurable in PolyScope; SISTEMA project file is published per release.

Certification: TÜV Nord assessed PL d / SIL 2 / Cat 3 for the safety functions, documented in the UR Service Manual e-series § 3 and the UR Safety Function Manual. UR also publishes representative force/pressure test data per Annex B of ISO/TS 15066, allowing integrators to skip in-cell pendulum testing for many configurations.

Limitations: PFL force limits assume the published payload (3 / 5 / 10 / 16 / 20 / 30 kg) is respected and the tool geometry is sane. A heavy custom end-effector with sharp corners breaks the certification — the integrator must re-run the collision test.

9.2 Boston Dynamics Spot Enterprise — not a certified cobot

Spot (Boston Dynamics, Waltham MA, US) is a 32.5 kg quadruped intended for industrial inspection. Boston Dynamics deliberately does not market Spot under ISO 10218 or ISO/TS 15066 — it is sold as an “industrial inspection robot” with the integrator responsible for the cell-level risk assessment. The robot has no torque-sensing joint impedance certified to PL d; its perception stack is not IEC 61496 safety-rated.

Site deployment requires the customer to overlay safety: keep-out zones via geofence (Spot’s GPS + AprilTag fiducials), procedural exclusion (humans evacuate the inspection route), or escort. For industrial uses near humans, integrators bolt on safety-rated zone scanners and a safety PLC that issues an estop-equivalent via the Spot SDK’s EStopClient. The user manual Spot Safety Information (latest 2024-Q4) explicitly documents this division of responsibility.

This is the standard service-robot pattern under ISO 13482:2014 (Personal Care Robots) — the manufacturer provides the platform with documented safety properties; the deployer integrates it under their own risk assessment.

9.3 Intuitive Surgical da Vinci Xi / SP — IEC 60601 medical robotics

Functional safety architecture in detail

The da Vinci Xi (Intuitive Surgical, Sunnyvale CA) is regulated as a Class IIb medical electrical equipment in the EU and as a 510(k)-cleared device in the US (K131861 + subsequent submissions). The full safety stack:

• IEC 60601-1:2020 (general medical electrical equipment) — covers electrical safety, leakage currents, mechanical hazards, alarms.
• IEC 60601-1-2 — EMC.
• IEC 60601-2-77:2019 — robotic surgical equipment particular standard, replacing the older 60601-1-9 informal practice. Covers force limits at end-effector, master-slave latency budgets, view/motion concordance, instrument exchange safety.
• ISO 13485 — quality management system for medical devices.
• IEC 62304:2006/AMD1:2015 — medical device software lifecycle, Class C for the surgeon-controlled motion software.
• ISO 14971:2019 — risk management for medical devices (the medical-device counterpart of ISO 12100).
• FDA 21 CFR Part 820 — Quality System Regulation; EU MDR 2017/745 — Medical Device Regulation.

Functional safety in surgical robotics centres on the master-slave teleoperation loop: a 1 kHz position-velocity-force loop between surgeon console and patient-side cart. Any timeout > 100 ms triggers an instrument freeze. Tremor filter and motion scaling are safety functions — failure modes include scale jump (sudden 1:1 from 5:1) which has been documented in MAUDE adverse-event reports and triggered firmware advisories. The system performs continuous self-test on every encoder, motor current, and force-sensor channel; loss of any redundant signal aborts the procedure to a “safe pause” state with instruments held stationary.

Annual independent safety audits + biomed engineering preventive maintenance (every ~750 hours of cumulative arm motion) are part of the post-market surveillance plan.

9.4 KUKA LBR iiwa 7/14 — torque-sensing PFL cobot, PL d / SIL 2

The LBR iiwa (Leichtbau-Roboter, KUKA AG Augsburg) was the first commercial cobot to ship with strain-gauge joint torque sensors in all seven joints — the architectural commitment that makes ISO/TS 15066 PFL achievable by control law rather than mass limitation. The safety platform (Sunrise.OS + Sunrise.Workbench + SafeOperation 3.x) exposes 14 configurable safety functions including Cartesian and joint velocity monitors, force / torque limits per axis, Cartesian workspace planes (up to 18 simultaneously), and orientation cones. Each is independently certified PL d / SIL 2 / Cat 3 by TÜV Süd.

The iiwa’s collision detection runs the residual-based algorithm of De Luca & Mattone 2005 at the 1 kHz joint torque loop: an observer estimates external joint torque from motor current, commanded torque, and the dynamic model; deviation beyond a configured threshold triggers Cat 1 stop within one to two control cycles (1–2 ms). Whole-arm-collision energies down to ~3 J are reliably detected. Documented in KUKA Sunrise.OS 1.16 Safety Operating Manual + Albu-Schäffer et al. 2007, “The DLR lightweight robot — design and control concepts for robots in human environments”, Industrial Robot 34(5).

The trade-off is cost — joint torque sensors at PL d add roughly USD 4 000–6 000 per axis to the bill of materials; the iiwa 14 lists around USD 110 000 versus a similarly sized UR10e at USD 45 000. The choice is application-driven: tasks needing instantaneous force feedback (surgical, polishing, sensitive assembly) justify the iiwa; tasks tolerating ~50 ms detection latency from current-based estimation save the premium with UR / Doosan / GoFa.

10. Cross-references

• [[Robotics/manipulator-design]] — physical design choices (joint topology, brakes, counterbalance) that determine intrinsic safety properties.
• [[Robotics/end-effectors]] — gripper geometry (rounded corners, force-limited fingers) for PFL compliance.
• [[Robotics/mobile-base-wheeled]] — AGV/AMR drive train and ISO 3691-4 stopping-distance compliance.
• [[Robotics/impedance-control]] — the control law that makes PFL achievable on torque-controlled cobots.
• [[Robotics/sensors-force-tactile]] — joint torque sensors and wrist F/T sensors used in collision detection.
• [[Robotics/sensors-perception]] — safety-rated LiDAR and camera selection.
• [[Robotics/comm-buses]] — PROFIsafe, CIP Safety, FSoE, openSAFETY transports.
• [[Robotics/power-systems]] — STO line architecture, brake control circuits, mains contactors.
• [[Robotics/multirotor-design]] — UAS airspace safety regulation (Part 107, EU 2019/947).
• [[Robotics/path-planning]] — virtual zones and safety-rated workspace boundaries.
• [[Engineering/realtime-embedded]] — IEC 61508 software lifecycle, MISRA C, ISO 26262, DO-178C; the firmware substrate under any safety controller.
• [[Engineering/fpga-design]] — DO-254 complex-hardware certification, safety FPGAs (Microchip SmartFusion2, Xilinx Versal AI Edge with SIL).
• [[Engineering/microcontrollers]] — safety-rated MCUs (STM32H7 / Infineon AURIX TC3xx / TI Hercules TMS570 SIL 3 ready).
• [[Engineering/state-space-methods]] — formal verification of control laws under safety constraints.
• [[Engineering/classical-control]] — closed-loop stability margins under safety-induced quantisation.
• [[Languages/Tier3/robotics-control]] — URDF + ros2_control schema fragments.
• [[Languages/Tier3/ros2-robotics-config]] — ROS 2 launch + parameter files including safety configurations.

11. Citations

• ISO 10218-1:2025, Robotics — Safety requirements — Part 1: Industrial robots. International Organization for Standardization, Geneva.
• ISO 10218-2:2025, Robotics — Safety requirements — Part 2: Industrial robot applications and robot cells.
• ISO/TS 15066:2025, Robots and robotic devices — Collaborative robots. (Refresh of ISO/TS 15066:2016 — Annex A transient/quasi-static force limits.)
• ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction.
• ISO 13849-1:2023, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design.
• ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation.
• ISO 13855:2010, Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body.
• ISO 14119:2024, Safety of machinery — Interlocking devices associated with guards.
• IEC 60204-1:2016 + AMD1:2021, Safety of machinery — Electrical equipment of machines — Part 1: General requirements.
• IEC 61496-1:2020 / IEC 61496-3:2018, Electro-sensitive protective equipment.
• IEC 61508:2010, Functional safety of electrical / electronic / programmable electronic safety-related systems (parts 1–7).
• IEC 62061:2021, Safety of machinery — Functional safety of safety-related control systems.
• IEC 62443 series, Industrial communication networks — Network and system security.
• ANSI/RIA R15.06-2012, Industrial Robots and Robot Systems — Safety Requirements. Robotic Industries Association.
• ANSI/RIA R15.08-2020 (Part 1) / R15.08-2023 (Part 2), Industrial Mobile Robots — Safety Requirements.
• ISO 3691-4:2020, Industrial trucks — Safety requirements and verification — Part 4: Driverless industrial trucks and their systems.
• ISO 22166-1:2021, Robotics — Modularity for service robots — Part 1: General.
• ISO 13482:2014, Robots and robotic devices — Safety requirements for personal care robots.
• IEC 60601-1:2020 (4th ed.), Medical electrical equipment — General requirements for basic safety and essential performance.
• IEC 60601-2-77:2019, Particular requirements for the basic safety and essential performance of robotically assisted surgical equipment.
• IEC 62304:2006/AMD1:2015, Medical device software — Software life cycle processes.
• ISO 14971:2019, Medical devices — Application of risk management to medical devices.
• EU Regulation 2023/1230, Machinery Regulation (replaces Directive 2006/42/EC, effective 2027-01-20).
• EU Regulation 2019/947 + 2019/945, Rules and procedures for the operation of unmanned aircraft + UAS product requirements.
• 14 CFR Part 107 (Small Unmanned Aircraft Systems) + Part 89 (Remote Identification of Unmanned Aircraft).
• SAE J3016:2021, Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles (levels 0–5).
• DO-178C / ED-12C (2011), Software Considerations in Airborne Systems and Equipment Certification.
• DO-254 / ED-80 (2000), Design Assurance Guidance for Airborne Electronic Hardware.
• MIL-STD-882E (2012), System Safety.
• MISRA C:2012 + Amendments / MISRA C++:2023, Guidelines for the use of the C / C++ language in critical systems.
• ANSI Z244.1-2003 (R2014), Control of Hazardous Energy — Lockout/Tagout and Alternative Methods.
• OSHA 29 CFR 1910.147, The control of hazardous energy (lockout/tagout).
• ASTM F3322-22, Standard Specification for Small Unmanned Aircraft System (sUAS) Parachutes.
• ASTM F3411-22a, Standard Specification for Remote ID and Tracking.
• Haddadin, S., De Luca, A., Albu-Schäffer, A. (2017). Robot Collisions: A Survey on Detection, Isolation, and Identification. IEEE Transactions on Robotics 33(6), 1292–1312.
• Hogan, N. (1985). Impedance Control: An Approach to Manipulation, Parts I–III. ASME J. of Dynamic Systems, Measurement, and Control 107(1), 1–24.
• Macenski, S., Foote, T., Gerkey, B., Lalancette, C., Woodall, W. (2022). Robot Operating System 2: Design, architecture, and uses in the wild. Science Robotics 7(66), eabm6074.
• Corke, P. (2023). Robotics, Vision and Control (3rd ed.), Springer Tracts in Advanced Robotics — Ch. 9 Safety + cobot operation.
• Pilz GmbH (2024). PNOZmulti 2 + PNOZ s-series operating manual; PASmotion + PAScal documentation.
• SICK AG (2024). microScan3 / nanoScan3 / Flexi Soft FX3 system documentation.
• Universal Robots A/S (2024). UR e-series Safety Function Manual + Service Manual.
• KUKA AG (2024). LBR iiwa Safety Operating Manual + KUKA.SafeOperation 3.x.
• Franka Robotics (2024). FR3 Product Manual + libfranka safety architecture.
• ABB Robotics (2024). SafeMove2 Application Manual.
• IFA (Deutsche Gesetzliche Unfallversicherung) (2024). SISTEMA Cookbook 1–6 + tool documentation.
• TÜV Rheinland / TÜV Süd / UL Solutions (2024). Robot Safety Assessment whitepapers.
• Latombe, J.-C. (1991). Robot Motion Planning. Kluwer.
• Choset, H. et al. (2005). Principles of Robot Motion: Theory, Algorithms, and Implementations. MIT Press.