EN-ISO-10218-1

Machine Translated by Google
UNE-EN ISO 10218-1

rule
Spanish
May 2012
Corrected version, February 2014
QUALIFICATION Robots and robotic devices
Safety requirements for industrial robots
Part 1: Robots
(ISO 10218-1:2011)
Robots and robotic devices. Safety requirements for industrial robots. Part 1: Robots. (ISO 10218-1:2011)
Robots and robotic devices. Security requirements for industrial robots. Part 1: Robots.
(ISO 10218-1:2011)
CORRESPONDENCE This standard is the official version, in Spanish, of the European Standard EN ISO 10218-1:2011,
which in turn adopts the International Standard ISO 10218-1:2011.
OBSERVATIONS This standard replaces EN ISO 10218-1:2008 (ratified by AENOR).
BACKGROUND This standard has been developed by the technical committee AEN/CTN 116 Systems
automated industrial plants whose Secretariat is held by AER ATP.
Edited and printed by AENOR COMMENTS ON THIS DOCUMENT SHOULD BE DIRECTED TO:
Legal deposit: M 3456:2014
55 Pages
© AENOR 2014 Genoa, 6 info@aenor.es Tel.: 902 102 201

Reproduction prohibited 28004 MADRID-Spain www.aenor.es Fax: 913 104 032
This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

This corrected version of the UNE-EN ISO 10218-1:2012 Standard incorporates the following corrections:
Where it says:
5.10.1 Generalities
Robots designed to work cooperatively shall provide a visual indicator when the robot is operating cooperatively and shall meet the
requirements of 5.10.2 through 5.10.5.
It should say:
5.10.1 Generalities
Robots designed to work cooperatively shall provide a visual indicator when the robot is operating cooperatively and shall meet one or more
of the requirements in 5.10.2 through 5.10.5.

EUROPEAN STANDARD
EUROPEAN STANDARD EN ISO 10218-1
EUROPEAN STANDARD
EUROPEAN STANDARD July 2011
ICS 25.040.30 Replaces EN ISO 10218-1:2008
Spanish version
Robots and robotic devices

Safety requirements for industrial robots
Part 1: Robots
(ISO 10218-1:2011)
Robots and robotic devices. Safety Robots and robotic devices. Demands Industrial robot.
requirements for industrial robots. security for industrial robots. Sicherheitsanforderungen. Teil 1: Roboter.
Part 1: Robots. Part 1: Robots. (ISO 10218-1:2011)
(ISO 10218-1:2011) (ISO 10218-1:2011)
This European standard was approved by CEN on 2011-04-21.
CEN members are bound by the CEN/CENELEC Internal Regulations which define the conditions under which the European standard must be
adopted as a national standard without modification. The relevant up-to-date lists and bibliographical references relating to these national
standards can be obtained from the CEN Management Centre or from its members.
This European Standard exists in three official versions (English, French and German). A version in another language produced under the
responsibility of a CEN member in its national language and notified to the Management Centre has the same status as the former.
CEN members are the national standards bodies of the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands,
Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.
CEN
EUROPEAN COMMITTEE FOR STANDARDIZATION
European Committee for Standardization
European Committee for Normalization
Europäisches Komitee für Normung
MANAGEMENT CENTRE: Avenue Marnix, 17-1000 Brussels
© 2011 CEN. Reproduction rights reserved to CEN Members.

EN ISO 10218-1:2011 -4-
Prologue
The text of EN ISO 10218-1:2011 has been prepared by Technical Committee ISO/TC 184, Automation
systems and integration, in collaboration with Technical Committee CEN/TC 310, Advanced automation
technologies and their applications, whose Secretariat is held by BSI.
This European Standard shall be given the status of a national standard by publication of an identical text.
or by ratification before the end of January 2012, and all technically conflicting national rules must be withdrawn
before the end of January 2012.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN and/or CENELEC is not responsible for identifying any such patent rights.
This standard cancels and replaces EN ISO 10218-1:2008.
This European standard has been prepared under a Mandate addressed to CEN by the European Commission and the European Free
Trade Association and supports the essential requirements of the European Directives.
The relationship with the EU Directives is included in the informative annex ZA, which forms an integral part of this standard.
According to the Internal Regulations of CEN/CENELEC, the standardisation bodies of the following countries
are obliged to adopt this European Standard: Austria, Belgium, Bulgaria, Cyprus, Croatia, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Slovakia, Slovenia, Spain,
Ireland, Iceland, Italy, Latvia, Lithuania, Luxembourg, Malta, Norway, Netherlands, Poland, Portugal, United
Kingdom, Czech Republic, Romania, Sweden and Switzerland.
Statement
The text of ISO 10218-1:2011 has been approved by CEN as EN ISO 10218-1:2011 without any modification.

-5- ISO 10218-1:2011
Index
Foreword....................................................................................................................................................... 6
0 Introduction ................................................................................................................................. 7
1 Purpose and scope................................................................................................................. 7
2 Rules for consultation....................................................................................................................... 8
3 Terms and definitions................................................................................................................. 8
4 Hazard Identification and Risk Assessment ................................................................................. 12
5 Design requirements and protective measures................................................................................. 13

5.1 Generalities........................................................................................................................ 13
5.2 General requirements................................................................................................................. 13
5.3 Drive controls........................................................................................................................ 14
5.4 Operation of the security control system (hardware/software)........................................ 14
5.5 Robot stop functions................................................................................................................. 16
5.6 Speed control ....................................................................................................................... 17
5.7 Operating modes........................................................................................................................ 18
5.8 Guidance Console Controls ....................................................................................................... 19
5.9 Control of simultaneous movements................................................................................................. 21
5.10 Requirements for cooperative operation .................................................................................22
5.11 Protection of singularities................................................................................................................. 23
5.12 Limitation of the axes....................................................................................................................... 23
5.13 Movement without drive power................................................................................................. 25
5.14 Robot charging provisions................................................................................................. 25
5.15 Electrical connectors........................................................................................................................ 25
6 Verification and validation of security requirements and measures

protection ....................................................................................................................................... 25
6.1 General................................................. .................................................. ................................ 25
6.2 Verification and validation methods................................................................................................. 25
6.3 Verification and validation required................................................................................................. 26
Usage information................................................................................................................................. 26
7 Generalities........................................................................................................................ 26
7.1 7.2 Instruction manual........................................................................................................................ 26
7.3 Signaling. ................................................................................................................................. 28
Annex A (Informative) List of significant hazards........................................................................................29
Annex B (Normative) Stopping times and metric stopping distances.................................................35
Annex C (Informative) Features of the three positions of the device

validation........................................................................................................ 37
Annex D (Informative) Optional Features ........................................................................................ 38
Annex E (Informative) Labeling ................................................... .................................................. ...40
Annex F (Normative) Means for verifying security requirements and their measures.......... 41
Bibliography ................................................................................................................................................. 54

ISO 10218-1:2011 -6-
Prologue
ISO (International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies).
The work of preparing International Standards is normally carried out through ISO technical committees. Each member body
interested in a subject for which a technical committee has been established has the right to be represented on that committee.
International organizations, both public and private, in liaison with ISO, also participate in the work. ISO collaborates closely with
the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International standards are drawn up in accordance with the rules set out in Part 2 of the ISO/IEC Directives.
The main task of technical committees is to prepare international standards. Draft international standards adopted by technical
committees are sent to member bodies for voting.
Publication as an international standard requires approval by at least 75% of voting member bodies.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not
be held responsible for identifying any or all such patent rights.
ISO 10218-1 was prepared by Technical Committee ISO/TC 184, Automation systems and integration, Subcommittee SC 2,
Robotic devices and robots.
This second edition cancels and replaces the first edition (ISO 10218-1:2006) which has been technically revised. It also includes
the Technical Corrigendum ISO 10218-1:2006/Cor.1:2007
ISO 10218 consists of the following parts, under the general title Robots and robotic devices - Safety requirements for industrial
robots:
Part 1: Robots.
Part 2: Robot systems and integration.

ÿ

-7- ISO 10218-1:2011
0 Introduction
ISO 10218 has been developed in response to the risks presented by industrial robots and industrial robotic systems.
This part of ISO 10218 is a type C standard according to ISO 12100.
Where the provisions of a type C standard are different from those set out in type A or type B standards, the provisions of the type C standard take
precedence over the provisions of the other standards for machinery which has been designed and constructed in accordance with the provisions
of the type C standard.
The machinery covered and the extent of its associated hazards and risk situations are indicated in the scope and field of this part of ISO 10218.
The hazards associated with robots are well known, but the sources of these hazards are usually unique to a particular robotic system. The number
and type(s) of hazard(s) are directly related to the nature of the automation process and the complexity of the installation. The hazards associated
with these risk situations vary with the type of robot used and its function, as well as the way it is installed, programmed, operated, and maintained.
NOTE Not all hazards identified by ISO 10218 apply to all robots, nor does the level of risk associated with a particular robot apply to all robots.
A given risk situation will be the same from one robot to another. Therefore, the safety requirements, or protective measures,
or both, may vary from what is specified in ISO 10218. A risk assessment can be carried out for
determine the relevant protection measures.
In recognition of the varying nature of risks in different uses of industrial robots, ISO 10218 is divided into two parts. This part of ISO 10218 provides
guidelines for ensuring safety in robot design and construction. Since the safety in use of industrial robots is influenced by the particular design and
integration of the robot, ISO 10218-2 provides guidelines for the safety of personnel during robot integration, installation, testing, programming,
operation, maintenance and repair.
This part of ISO 10218 has been updated based on the experience gained in developing the ISO 10218-2 guidelines on system requirements and
integration, to ensure that it remains in line with the minimum requirements of a type C standard for industrial robots. The revised technical
requirements include, but are not limited to, the definition and requirements for singularities, safety of hazards in
transmissions, power loss requirements, safe behavior of control circuits, addition of a Category 2 stop function, mode selection, limits on power
and force, signaling, and updated metric stop times and distances and their characteristics.
This part of ISO 10218 is not applicable to robots manufactured before its publication date.
1 Object and field of application

This part of ISO 10218 specifies requirements and guidelines for inherently safe design, safeguards and information for the use of industrial robots.
The standard describes the basic risks associated with robots and provides requirements to adequately eliminate or reduce the hazards associated
with these risks.
This part of ISO 10218 does not cover the robot in its entirety. Noise emission is generally not considered a significant hazard from the robot itself,
so noise is excluded from the scope of this part of ISO 10218.
This part of ISO 10218 is not applicable to non-industrial robots, although the safety principles set out in ISO 10218 can be used for these other
robots.

ISO 10218-1:2011 -8-
NOTE 1 Examples of non-industrial robot applications include, but are not limited to, aquatic, military and space robots,
teleoperated manipulators, prosthetics and aids for the physically disabled, micro-robots (with movements less than 1 mm),
surgical or medical robots, service robots, and consumer product robots.
NOTE 2 Requirements for robot systems, their integration and installation are covered in ISO 10218-2.
NOTE 3 Specific applications may produce additional hazards (e.g. welding, laser cutting, machining). These hazards
associated with their respective systems must be considered in the robot design phase.
2 Rules for consultation

The following standards are essential for the application of this standard. For dated references, only the edition cited
applies. For undated references, the latest edition of the standard (including any amendments to it) applies.
ISO 9283:1998, Industrial manipulator robots - Performance analysis criteria and related test methods.
ISO 10218-2, Robots and robotic devices – Safety requirements for industrial robots – Part 2: Robot systems and
integration.
ISO 12100, Safety of machinery - Basic concepts, general principles for design - Evaluation and
risk reduction.
ISO 13849-1:2006, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for
design.
ISO 13850, Safety of machinery - Emergency stopping - Principles for design.
IEC 60204-1, Safety of machinery - Electrical equipment of machines - Part 1: General requirements.
IEC 62061:2005, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable
electronic control systems.
3 Terms and definitions

For the purposes of this document, the terms and definitions included in ISO 12100 apply in addition to the following:
3.1 Drive control:

Mechanical mechanism within a control device.
EXAMPLE A bar that opens contacts.
3.2 automatic mode:

Operating mode in which the robot control system operates according to the task program.
[ISO 8373:1994, definition 5.3.8.1]
3.3 automatic operation:

State in which the robot executes its programmed task as expected.
NOTE Adopted from ISO 8373:1994, definition 5.5.

-9- ISO 10218-1:2011
3.4 cooperative operation: A state in

which a robot specifically designed for the task works directly in cooperation with a human within a defined workspace.
3.5 cooperative workspace: Workspace within

the safety space in which during operation the robot and a human can perform tasks simultaneously.
3.6 drive power: Power source(s) for the

robot actuators.
3.7 terminal element: Device,

specifically designed to be attached to the mechanical interface of the wrist, that allows the robot to perform its work.
EXAMPLE Pliers, welding gun, paint gun.
[ISO 8373:1994, definition 3.11]
3.8 energy source: Source

of electrical, mechanical, hydraulic, pneumatic, chemical, thermal, potential, kinetic or any other energy.
3.9 dangerous movement:

Movement that can cause personal physical damage or health damage.
3.10 industrial robot:

Automatically controlled, reprogrammable and multifunctional manipulator, programmable in three or more axes, which can be fixed or mobile and
is used in automated industrial applications.
NOTE 1 The industrial robot includes:

– the manipulator, including the actuators;
– the control system, including the guidance console and any communication interfaces (hardware and software).
NOTE 2 This includes any additional integrated axle(s).
NOTE 3 For this part of ISO 10218 the following devices are considered industrial robots:
– manually guided robots;
– manipulating parts of mobile robots; –
cooperative robots.
NOTE 4 Adapted from ISO 8373:1994, definition 2.6.
3.11 industrial robotic system: System

comprising:
– the industrial robot;
– the terminal element(s);
– any machinery, equipment, devices, auxiliary external axes or sensors that assist the robot in performing
your task.
NOTE 1 Requirements for the robotic system, including those for controlling risks, are found in ISO 10218-2.
NOTE 2 Adapted from ISO 8373:1994, definition 2.14.

ISO 10218-1:2011 - 10 -
3.12 limiting devices: Means that restrict

the maximum space by stopping or causing all robot movements to stop.
3.13 local control: State

of the system or parts of the system in which the system is operated solely from a control panel or guidance console of the particular machine.
3.14 manual mode:

Operating mode that allows direct control of the robot by an operator.
NOTE 1 Occasionally cited as a learning mode in which program points are fixed.
NOTE 2 Adapted from ISO 8373:1994, definition 5.3.8.2.
3.15 guidance console: Hand-

held element connected to the control system with which the robot can be programmed or moved.
3.16 Program
3.16.1 control program: Set of

inherent instructions that define the capabilities, actions, and responses of a robot.
NOTE The program type is fixed and is usually not modified by the user.
[ISO 8373:1994, definition 5.1.2]
3.16.2 task program: Set of motion

instructions and auxiliary functions that define the specific work to be performed by the robotic system.
NOTE 1 This type of program is normally generated by the user.
NOTE 2 An application is a general area of work; a task is specific within the application.
[ISO 8373:1994, definition 5.1.1]
3.16.3 Program verification: Execution of

the task program with the intention of confirming the robot's trajectory and its behavior.
NOTE Verification may include all or a segment of the path defined by the terminal element reference point during the task program or only a
segment of the path. Instructions may be executed in a single instruction or in a continuous sequence of instructions. Verification is
used in new applications and for the enhancement and modification of existing applications.
3.17 safety stop: Type of

interruption or stop that allows, for safety reasons, the cessation of movements and stops the logical program to facilitate its resumption.
3.18 robot actuator: Motor-driven

mechanism that converts electrical, hydraulic, or pneumatic energy into motion.
3.19 safety-related: Characterized by

having a safety function with a specified safety behavior.

- 11 - ISO 10218-1:2011
3.19.1 safety controlled speed: Safety function that

causes a safety stop when either the Cartesian velocity of a point on the robot (for example, the TCP) or the velocity of one or more of its axes
exceeds a specified limit value.
3.19.2 reduced safety speed: Safety speed control

that limits the robot speed to 250 mm/s or less.
NOTE 1 The safety reduced speed is not necessarily the value set in the reduced speed control function.
NOTE 2 The difference between the controlled safety speed and the reduced safety speed is that the speed limit
safety controlled can be greater than 250 mm/s.
3.19.3 Safety-related programmed axes and space limitation; Safety-programmed limit: Limit on the range of robot movement set by
software or a system based on factory-fixed programming that has a specified and sufficient safety behavior
NOTE The programmed safety limit could be the position where the stop begins, or it could ensure that the robot does not move past the limit.
3.19.4 safety output: Output signal

having a specified and sufficient safety performance.
3.19.5 safety zone exit: Safety output that

indicates the status of the robot's position relative to a programmed safety limit.
NOTE For example, the robot position can be inside the zone or outside the zone
3.19.6 safety controlled stop: Condition in which

the robot is stopped with the drive power active, while a control system with a safety function ensures that the robot does not move.
3.20 simultaneous motion: Movement

of two or more robots at the same time under the control of a single control station, and which may be coordinated or synchronized by
mathematical correlation.
NOTE 1 The guidance console is an example of a control station.
NOTE 2 Coordination can be of master-slave type.
3.21 single point control: Ability to operate

the robot in such a way that initiation of robot motion is only possible from a single control source and cannot be overridden by any other
initiation source.
3.22 singularity: Situation

in which the rank of the Jacobian matrix has a rank less than the maximum rank.
NOTE Mathematically, in a singular configuration, the joint velocity in joint space can be infinite to maintain Cartesian velocity. In real applications, motions
defined in Cartesian space and whose path passes close to a singularity can produce high joint velocities. These high velocities may be
unexpected by the operator.
3.23 reduced speed control; low speed control: Robot motion control mode in
which the speed is limited to 250 mm/s or less.
NOTE The reduced speed is intended to give people enough time to avoid a dangerous movement or to
stop the robot.

ISO 10218-1:2011 - 12 -
3.24 space:
Three-dimensional volume.
3.24.1 maximum clearance:

Space that can be reached by the moving components of the robot as defined by the manufacturer plus the space that can be reached by the
robot end element and the workpiece.
[ISO 8373:1994, definition 4.8.1]
3.24.2 restricted space: Part of

the maximum space that is restricted by limiting devices that establish limits that will not be exceeded.
NOTE Adopted from ISO 8373:1994, definition 4.8.2.
3.24.3 safety space: Space around

the safety perimeter.
3.25 guided programming; task programming: Programming of the

task performed:
a) by manual guidance of the robot terminal element; or
b) by manual guidance of a mechanical simulation device; or
c) using a guide console to move the robot step by step through the desired positions
NOTE Adapted from ISO 8373:1994, definition 5.2.3.
3.26 terminal element reference point, TCP: Point defined for a

given application relative to the mechanical interface coordinate system.
3.27 user: Entity

that uses the robots and is responsible for the personnel associated with the operation of the robot.
4 Hazard identification and risk assessment

Annex A contains a list of hazards associated with robots. A hazard analysis must be carried out to identify any other hazards that may arise.
A risk assessment must be carried out on those hazards identified in the hazard identification. This risk assessment must consider in
particular:
a) the operations planned for the robot, including guided programming, maintenance, adjustment and
cleaning,
b) unforeseen start-ups,
c) access by any type of personnel,
d) foreseeable misuses of the robot,
e) the effect of a failure in the control system, and,
f) where necessary, the hazards associated with the specific application of the robot.

- 13 - ISO 10218-1:2011
Risks due to the design or replacement must be eliminated or reduced by protective or other complementary
measures. Any residual risk must be reduced by other means (e.g. warnings, signs, training).
The requirements of Chapter 5 are derived from the iterative process of applying the protective measures described
in ISO 12100 for the hazards identified in Annex A.
NOTE 1 ISO 12100 provides requirements and guidance for carrying out hazard identification and risk assessment.
NOTE 2 Requirements for hazard identification and risk assessment in a robotic system, integration and installation are
shown in ISO Standard 10218-2.
5 Design requirements and protective measures
5.1 Generalities
The robot shall be designed according to the principles of ISO 12100 for the relevant hazards. This part of ISO
10218 does not address significant hazards such as sharp edges.
Robots must be designed and built to meet the requirements of sections 5.2 to 5.15.
5.2 General requirements
5.2.1 Power transmission elements
Exposure to hazards caused by elements such as motor shafts, gears, drive belts or gear trains that are not fully
protected by their covers (e.g. a cover on a gearbox) must be avoided by fixed or movable guards. Fixing systems
for fixed guards that are to be removed during normal robot operations must be kept close to the machine or guard.
Movable guards must be interlocked from hazardous movements so that the hazardous functions cease before the
guards are reached. The behaviour of the safety control system of the interlocking system must comply with the
requirements of section 5.4.
5.2.2 Power loss or energy change
Losses or changes in power must not cause any danger.
Restarting the power supply does not have to involve any movement.
Robots must be designed and constructed so that loss or change in electrical, hydraulic, pneumatic or vacuum
power does not result in a hazard. If there are any hazards that are not protected by design, other protective
measures must be implemented to protect against these hazards. Unprotected hazards must be identified in the
user information.
NOTE See IEC 60204-1 for power supply requirements.
5.2.3 Component failure
Robot components shall be designed, constructed, fixed or integrated in such a way that the hazards caused by
their breakage, loss or the release of stored energy are reduced to a minimum.
5.2.4 Energy sources
The robot must be provided with means to isolate any hazardous energy source. These means must be capable of
blocking or ensuring that the position of the robot disconnected from the energy source is safe.

ISO 10218-1:2011 - 14 -
5.2.5 Stored energy
A means of controlling the release of potentially hazardous stored energy must be provided. A label must be affixed to identify this stored energy.
NOTE This energy accumulation can occur in air pressure accumulators and in hydraulic pressure accumulators, in
capacitors, batteries, springs, counterweights, flywheels, etc.
5.2.6 Electromagnetic compatibility (EMC)
The design and construction of the robot must prevent any dangerous movements or risk situations caused by electromagnetic interference (EMI),
radio frequency interference (RFI) and electrostatic discharge (ESD).
NOTE See IEC 61000 for design information.
5.2.7 Electrical material
The electrical material of the robot must be designed and constructed according to the relevant requirements of IEC 60204-1.
5.3 Drive Controls

5.3.1 Generalities
Drive controls that initiate power or motion shall be designed and constructed in accordance with the performance criteria in 5.3.2 through 5.3.5.
5.3.2 Protection against unintended operations
Actuating controls must be constructed or located so as to prevent unintended operation. For example, appropriately designed and located push
buttons or switches may be used.
5.3.3 Status indication
The status of the drive controls must be clearly indicated, for example, on, fault detected, automatic operation.
If a light signal is used as an indicator, it must be suitable for its location and its colour must be in accordance with IEC Standard 60204-1.
5.3.4 Labeling
Actuating controls must be labeled to clearly indicate their function.
5.3.5 Control from a single point
The robot control system shall be designed and constructed so that when the robot is controlled by the local guidance console or by control from
another command device, initiation of robot motion or changing of the local control selection from any other source is prevented.
5.4 Operation of the security control system (hardware/software)

5.4.1 Generalities
Safety control systems (electrical, hydraulic, pneumatic and software) shall be in accordance with 5.4.2 unless the results of the risk assessment
determine that an alternative operating criterion as described in 5.4.3 is appropriate. The operation of the safety-related control system for the robot
and any other installed equipment shall be clearly stated in the user information.
NOTE 1 Safety control systems may also be called SRP/CS (safety related components of the safety control system).
control).

- 15 - ISO 10218-1:2011
For the purpose of this part of ISO 10218, the operation of the security control system is addressed
as:
ÿ Performance Levels (PL) and categories described in ISO 13849-1:2006, section 4.5.1;
ÿ Safety Integrity Levels (SIL) and hardware fault tolerance requirements as described in the
IEC 62061:2005 standard, section 5.4.4.
These two standards address functional safety using similar but different methods. The requirements in these standards should be used for the
respective safety control systems for which they are intended. The designer may choose to use either standard. The information and reasoning
necessary to determine the safety-related control system must be included in the usage information.
NOTE 2 The comparison between ISO 13849-1 and IEC 62061 is described in ISO/TR 23849.
Other standards that offer alternative performance requirements, such as the term “sustainability control” used in North America, may also be
used. When these alternative standards are used for the design of safety control systems, an equivalent level of risk reduction must be achieved.
Any failure in the safety-related control system must result in a category 0 or 1 stop according to IEC 60204-1.
5.4.2 Operating requirements
The safety-related control system components shall be designed to meet PL = d with structure category 3 as described in ISO 13849-1:2006, or to
meet SIL 2 with a hardware failure tolerance of 1 with a mechanical endurance test interval of not less than 20 years as described in IEC
62061:2005.
In particular this means that:
a) a single failure in any of these components cannot lead to a loss of the safety function;
b) whenever reasonably practical the failure must be detected during or before the next request for the
safety function;
c) When the failure occurs, the safety function must be activated and the safety state maintained until
the fault is corrected; and
d) all reasonably foreseeable failures must be detected.
Requirements a) to d) are considered equivalent to structure category 3 as described in ISO 13849-1:2006.
NOTE The requirements for detecting a single fault do not mean that all faults will be detected. Consequently, the accumulation of
Undetected faults can lead to unintended machine output and a dangerous situation,
5.4.3 Other criteria for the operation of the control system
The results of a thorough risk assessment of the robot and its intended applications may determine that a safety-related control system other than
that presented in section 5.4.2 is recommended for the application.
The selection of one of these other safety-related performance criteria must be specifically identified, and its associated limitations and notices
must be included in the usage information with the appropriate material.

ISO 10218-1:2011 - 16 -
5.5 Robot stop functions

5.5.1 Generalities
Every robot must have a safety stop function and an independent emergency stop function. These functions must have a means for the
connection of external safety devices. An emergency stop output signal can optionally be provided. Table 1 shows a comparison of emergency
and safety stop functions.
Table 1 – Comparison of emergency and safety stops
Parameters Emergency stop Safety strike
Location of initiation media The robot operator has easy and clear For safety devices the location is determined by the
access minimum (safety) distance formulas described in ISO 13855
Initiation Manual Manual, automatic or can be started automatically by a

safety function
Operation of the security It must be in accordance with the It must be in accordance with the operating requirements
control system operating requirements of section 5.4 of section 5.4
Resumption Manual only Manual or automatic
Frequency of use Infrequent Variable; from every operation to infrequent
Purpose Emergency Caution or risk reduction
Effect Remove the power source from all hazards Safety control of prevented hazards
5.5.2 Emergency stop
The robot must have one or more emergency stop functions (stop category 0 or 1, according to IEC 60204-1).
Each control unit capable of initiating a robot movement or any other risk situation must have a manual emergency stop function such that:
a) meets the requirements of section 5.4 and IEC Standard 60204-1;
b) takes precedence over all other robot controls;
c) causes the shutdown of all controlled risks;
d) disable the drive power of the robot actuators;
e) provide resources to control robot hazards;
f) remains active until it is reset; and
g) should only be restored by a manual action that does not cause a restart after returning to the normal state.
initial, but should only allow one reboot to occur.
The risk assessment should determine the selection of a category 0 or 1 stop function (according to IEC 60204-1).

- 17 - ISO 10218-1:2011
When an output signal is provided for emergency stop:
ÿ the output must continue to operate when power is no longer supplied to the robot; or
ÿ an emergency stop signal must be generated if the output does not continue to function when the power is stopped
power to the robot.
The emergency stop device must be in accordance with IEC 60204-1 and ISO 13850.
5.5.3 Safety stop
The robot shall have one or more safety stop functions designed for connection to external safety devices. The
operation of the safety stop shall satisfy the requirements of section 5.4.
This stop function shall cause all robot motion to stop, remove or control power to the robot's actuators, and allow the
robot to control any other type of hazard. This stop may be initiated manually or by the control logic.
There shall be at least one category 0 or 1 safe stop function as described in IEC 60204-1. The robot may have an
additional category 2 safe stop function as described in IEC 60204-1 that does not result in the removal of drive power
but requires monitoring of the robot's immobilized condition after the robot has stopped. Any unexpected movement of
the robot in its immobilized condition or the detection of a failure in the performance of the safety function shall trigger
a category 0 stop in accordance with IEC 60204-1. The performance of the controlled stop function shall comply with
5.4. This function may also be initiated from external devices.
(a stop signal for safety devices).
NOTE The power unit electrical system can provide a Category 2 controlled stop function in accordance with Standard
IEC 60204-1, corresponding to a functional safety stop (SOS) according to IEC 61800-5-2.
The manufacturer must include in the user information the stop or any safety stop circuit.
5.6 Speed control
5.6.1 Generalities
The speed of the robot end element holder and the end element reference point (TCP) shall be controllable by
selectable speeds. An offset (defining the location of the TCP relative to its mounting flange) shall be provided to allow
the speed of the TCP to be controlled.
5.6.2 Reduced speed control operation
When operating at low speeds the TCP speed should not exceed 250 mm/s. It should be possible to select speeds
below 250 mm/s and set these as speed limits.
5.6.3 Safety reduced speed control
Where provided, the safety reduced speed control shall be designed and constructed in accordance with 5.4.2 so that
if a fault occurs the speed of the TCP does not exceed the reduced speed limit (see 5.6.2) and a safe stop occurs.
5.6.4 Safety controlled speed
When provided, the speed of the TCP or one of its axes must be controlled according to section 5.4.2. If the speed
exceeds the selected limit, a safety stop must be generated.

ISO 10218-1:2011 - 18 -
5.7 Operating modes
5.7.1 Selection
The operating modes must be selectable by means of a mode selector that can be locked in each position (for example
a selector that requires a key to change the position). Each sector position has
must be clearly identifiable and must allow only one mode of operation or control.
The selector can be replaced by other selection means that restrict the use of certain robot functions (for example,
access codes).
These media must:
a) clearly indicate the selected operating mode; and
b) not to initiate any robot movement or other hazards on your own.
One or more additional outputs may be provided to indicate the selected mode. Where provided for safety-related
purposes the output(s) shall comply with the requirements of paragraph 5.4 (see Annex D).
NOTE Methods for labelling modes are illustrated in Annex E.
5.7.2 Automatic
In automatic mode the robot must execute the task program and the safety measures must be working.
If any stop condition is detected, the automatic mode must be stopped.
Switching this mode should cause a stoppage.
5.7.3 Reduced manual speed
The reduced manual speed mode must meet the requirements of sections 5.3.4 and 5.6 and must allow one operator to operate the robot.
Automatic operation is prohibited in this mode. This mode is used to guide, command, program and verify the programming of the robot; it may be
the mode selected during maintenance tasks.
The robot must be operated from within the safety space with manual control of the robot in one of these
situations:
a) sustained action controls together with a validation device in accordance with section 5.8, or
b) for program verification only, a start/stop control together with a validation device
according to section 5.8.
The operating information must contain appropriate instructions and warnings so that, wherever possible, the manual
control mode must be in operation with all persons outside the safety space. The operating information must also
highlight that when the manual mode is selected all safety measures
that are not working must be fully reactivated.
NOTE Previously this mode was also known as T1 or guiding.

- 19 - ISO 10218-1:2011
5.7.4 High manual speed
If this mode is provided, speeds of more than 250 mm/s can be achieved. This mode is used only for program
verification. In this case the robot must:
a) have means to select high-speed manual control that requires deliberate action (e.g.
a key-operated selector on the robot control panel) and an additional confirmation action;
b) provide a guidance console in accordance with paragraph 5.8 with a sustained action function
in addition to devices that allow the robot's movements to continue;
c) set an initial limit for the speed of up to, but not exceeding, 250 mm/s when selecting manual mode.
high speed.
d) provide a means on the guidance console for the operator to adjust the speed incrementally
and in multiple steps from the initial value to the programmed value.
e) provide an indicator of the set speed on the hanging panel;
f) ensure that:
ÿ the speed is limited to the initial speed when the validation device is reset by positioning the
selector in its central position after it has been released or fully pressed, and
ÿ a separate deliberate action is required to return to the selected high speed before release or
compression, and
ÿ the option to return to high speed by a separate action must be inactive after no more than
five minutes after the validation device is released.
The option to continue with high speed and dead time is not safety-related. The operating information must contain
appropriate instructions and warnings so that, wherever possible, the manual operating mode should be in operation
with people outside the safety space. The operating information must also highlight that when manual mode is selected
all safety measures that are not operating must be fully reactivated.
NOTE This mode was previously also known as T2 or assisted high-speed program verification.
5.8 Guidance Console Controls

5.8.1 Generalities
When the guidance console control or any other control device has the capability to control the
robot from within the safety space, the requirements of sections 5.3.5 and 5.8.2 to 5.8.7 shall apply.
NOTE This applies to any device used in manual mode to control the robot within the safety space while applying
drive power to any of the robot's axes. This includes robots with a motorized manual guidance mode, either
using manual controls mounted on the robot or the primary or secondary controls to command the robot.
5.8.2 Motion control
Robot motion initiated from the guidance console or from a guidance control device must be in reduced speed mode
as described in section 5.6. Where the motion control allows selection of the high speed control mode the robot must
meet the requirements of section 5.7.4.

ISO 10218-1:2011 - 20 -
5.8.3 Validation device

The guidance console or guidance control device must have a device with three positions of
according to IEC 60204-1. When continuously maintained in its central position, the validation device shall allow the
movement of the robot and any other hazards controlled by the robot. The validation device shall have the operating
characteristics specified below:
NOTE 1 It is important to consider the ergonomics of sustained activation in the design and installation of the validation device.
NOTE 2 Additional information on activation can be found in Annex C.
a) The validation device may be integrated with, or physically separate from (e.g. a grip type validation device) the
guidance console control and must be operated independently of any other motion control function or device.
b) Releasing or compressing the center position of the device must stop the hazards (e.g.
robot movement) according to sections 5.4 and 5.5.3.
c) After pushing the validation device beyond the central position, this device must be fully released. Moving from the fully pressed position to the
central position must not allow the robot to move.
d) Where two or more validation selectors are provided on a single validation device or guiding console to permit
alternate left- or right-hand operation, any or all of the selectors may be in their centre position:
1) When only one of the selectors is being used and it is in its central position, it must
operate as described in point b).
2) Where the validation device design allows both selectors to be in their central position to permit switching
from left to right hand use, releasing one of the selectors shall not cause a safety stop, but fully depressing
either selector shall override control of the other selector and cause a safety stop.
The usage information must have a description of this feature and a warning that there may be a potential hazard.
NOTE 3 If multiple selectors are in the center position it is not possible to distinguish whether one has been intentionally released or whether it has been accidentally released.
been unconsciously due to an accident.
e) When one or more validation devices are operating (i.e. more than one person is in the safety space with a
validation device) movement must only be possible when each device is in its central (activated) position at the
same time.
f) The fall of the validation device must not cause a failure that could allow the activation of a
motion.
g) If a validation signal is provided, it shall indicate a stop condition when the safety power supply system is switched
off and shall satisfy the requirements of section 5.4.
h) When changing the mode while the validation device is in its central position, a stop must be initiated.
safety. The control system shall require that the enabling device be released and reactivated before drive power
is applied to the actuators. See IEC 60204-1 for guidance on preventing a enabling device from failing.
5.8.4 Guidance console stop function

The guidance console or guidance control device must have a stop function according to section 5.5.2.

- 21 - ISO 10218-1:2011
5.8.5 Starting automatic operation
It must not be possible to activate automatic operation of the robot using only the guidance console or the guidance control device. There must
be some means of confirmation separately from outside the robot.
the safety zone, prior to activating the automatic mode.
5.8.6 Wireless or detachable guidance controls
When the guidance console or other guidance devices do not have cables connected to the robot controller, or when they can be separated, the
following applies:
a) A visual indicator must be provided to show that the guidance console is active, for example, with a
display device on the same panel.
b) Loss of communication shall cause a safety stop on all controlled robots when
is in reduced manual speed or high manual speed modes. Reestablishing communication should not restart robot motion without separate
deliberate action.
c) To avoid confusion between active and inactive emergency stop devices, suitable storage or layout must be provided. Usage information must
contain a description of the storage or layout.
d) Where applicable, the maximum response times for communication of information must be indicated in the usage information.
data (including error correction).
5.8.7 Control of multiple robots
When the guidance console has the ability to control multiple robots, the requirements of the
section 5.9.
5.9 Control of simultaneous movements
5.9.1 Control by a single guidance console
One or more robots can be linked by a single guidance console. When this is the case, the guidance console must be capable of moving one or
more robots with independent or simultaneous motion. When working in manual mode, all functions of the robot system must be under the control
of this single guidance console.
5.9.2 Requirements for a safe design
All robots in a robotic system designed for simultaneous motion should normally be in the same operating mode, for example manual or
automatic, and in the same state, for example powered on or off. The ability for one or more robots to be in an off state should be provided for
the purpose of
to be reset or to resolve errors or to perform tests. Therefore, these disconnected robots will not be included in the simultaneous movement.
In order to include robots in a simultaneous movement each robot must be selected before it can move. To be selected the robots must be in the
same operating mode (for example, in reduced manual speed). An indicator must be provided at the selection point (for example, on the guidance
console, control cabinet, or robot) of the robot(s) that have been selected. Only the robot(s) that have been selected need to be moved.
selected robots.
It must also be possible to deactivate any robot, for example by cutting off power. An indicator for activated robots must be provided, clearly
visible from within the safety space.
Unintended start-up of any of the non-selected robots must be prevented. This function must satisfy the requirements of section 5.4.

ISO 10218-1:2011 - 22 -
5.10 Requirements for cooperative operation

5.10.1 Generalities
Robots designed to work cooperatively shall provide a visual indicator when the robot is operating cooperatively
and shall meet one or more of the requirements in 5.10.2 through 5.10.5.
5.10.2 Safety controlled stop
The robot must stop when a person is in the cooperative workspace. The stop function must meet the requirements
of sections 5.4 and 5.5.3. The robot can return to automatic mode when the person has left the cooperative
workspace.
Alternatively the robot may decelerate, resulting in a category 2 stop in accordance with the Standard.
IEC 60204-1. Once stopped, this stop shall be supervised by the safety control system in accordance with clause
5.4. A failure in the safety controlled stop function shall result in a category 0 stop.
NOTE This may include a Category 2 controlled stop function according to IEC 60204-1 provided by a controlled stop system.
power supply corresponding to an SOS according to IEC 61800-5-2.
5.10.3 Manual guidance
When supplied, the manual guiding equipment must be located close to the terminal element and must be equipped
with the following components:
a) an emergency stop that satisfies sections 5.5.2 and 5.8.4, and
b) a validation device that satisfies section 5.8.3.
The robot must be operated with an active safety controlled speed function (see 5.6.4). The limit of the safety
controlled speed must be determined by the risk assessment.
5.10.4 Monitoring speed and separation distance
The robot must maintain a given speed and safety distance from the operator. These objectives can be achieved
by integral features or by a combination of external input signals. Detection of a failure to maintain a given speed
or safety distance must result in a robot stop.
safety (see 5.5.3). The speed and separation distance monitoring functions shall comply with section 5.4.2.
The robot is simply one component within a cooperative robot system and is not in itself sufficient for safe
cooperative work. Cooperative work applications are dynamic and must be determined by the risk assessment
developed in the application design phase. Usage information should include guidelines for setting speeds and
separation distances. ISO 10218-2 should be used for the design of cooperative applications. More information will
be provided in Technical Specification ISO/TS 15066 (currently in development).
When calculating the minimum safe separation distance, the relative speeds between the operator and the robot
need to be considered. Minimum distance requirements can be found in Standard 13855.
5.10.5 Power and force limitation by inherent design or control
The robot's power or force limiting function must comply with section 5.4. If any parameter limit is exceeded, a
safety stop must be triggered.
The robot is only one component within a cooperative robotic system and is not in itself sufficient for safe cooperative
work. Cooperative work applications are dynamic and must be determined by the risk assessment developed in the
application design phase. Usage information should include guidelines for setting speed values and separation
distances. ISO 10218-2 should be used for the design of cooperative applications. More information will be provided
in Technical Specification ISO/TS 15066 (currently in development).

- 23 - ISO 10218-1:2011
5.11 Protection of singularities

Motions defined in Cartesian space passing close to singularities can result in high axis velocities. These high velocities can be unpredictable for
the operator. When the robot is in reduced velocity mode or being manually guided (see 5.10.3) the robot controller must perform one of the
following actions:
a) stop the robot motion and provide a warning before the robot passes close to the singularity during coordinated control (control in which the
robot axes reach their respective end points simultaneously, giving a perception of smoothness to the robot motion while the axis motions are
such that the
TCP moves on a predefined path) initiated at the pendant panel; or
b) generate an auditory or visual warning signal and continue passing through the singularity at the speed of each link
of the robot arm limited to a maximum speed of 250 mm/s; or
c) in the case that the singularity can be controlled without causing any dangerous movement, it is not required
no additional protection.
5.12 Limitation of axes

5.12.1 Generalities
A means shall be provided to establish a restricted space around the robot by means of limiting devices. A means shall be provided to install an
adjustable mechanism to limit the movement of the axis that causes a larger displacement (principal axis) of the robot. The robot shall comply with
5.12.2 or 5.12.3, or both. This does not apply to robots with a structure limited by construction, for example in a parallel kinematics robot.
When the robot reaches the limit of an axis the robot has to stop. Whether the robot movement continues from the axis limit position or not should
be specified in the usage information.
NOTE These means can be met by engineering project information and instructions for obtaining and installing the stops.
external mechanics. Use of the optional feature of programmed safety limits and limitation space (see 5.12.3)
can also meet these requirements.
5.12.2 Mechanical and electro-mechanical axis limiting devices
Mechanical and non-mechanical limiting adjustment devices shall be provided for axes two and three (the axes with the second and third largest
displacement).
Mechanical stops must be able to stop the robot movement for the nominal load, maximum speed conditions, and for the maximum and minimum
extensions. Mechanical stop tests must be carried out without the assistance of any other stop.
Alternative methods of limiting range of motion may be provided only if they are designed, constructed and installed to meet the performance
specified in Section 5.4.2.
The operation of the control circuit of electro-mechanical limit devices must meet the requirements of section 5.4. Robot control and task programs
must not change the configuration of the electro-mechanical limit device.
Adjustable devices allow the user to minimize the size of the restricted space. The degree of adjustment should be indicated in the required usage
information as specified in section 6.2.
The usage information must include information on the maximum speed stopping time of electro-mechanical limiting devices, including the time
and distance travelled before the stop is completed. Additional information can be found in Annex B.

ISO 10218-1:2011 - 24 -
NOTE 1 Examples of non-mechanical limiting devices include devices whose stops are electrically actuated,
pneumatically or hydraulically, limit switches, light curtains, laser scanners and tensioned cables when used to limit
the movement of the robot and define the restricted space.
NOTE 2 Mechanical stops include mechanical stops that are adjusted and subsequently secured by means of fasteners.
5.12.3 Scheduled axes and safety limitation space
Programmed boundaries are software-defined limits to the robot's motion. Space constraint is used to define any
geometric shape that can be used as an inclusion or exclusion zone, either limiting the robot's motion within the
defined space or preventing it from entering the defined space.
Programmed safety limits are allowed as a means to define and reduce the restricted space provided that they can
cause the robot to stop at maximum load and speed. The restricted space has to be defined at the expected stopping
position that takes into account the travelled stopping distance. The manufacturer has to inform this.
in the usage information and you have to disable the scheduled safety axes if they are not implemented.
Control programs that control and execute programmed axis and limitation space functions based on programmed
safety limits shall comply with Section 5.4 and may only be changed by authorized personnel. If the programmed
safety limit is exceeded, a safety stop shall be initiated.
The robot movement while the limit is being exceeded must be commanded by the reduced speed control as
described in section 5.6.3. It must be possible to document and display information on the use of safety limit settings
and configuration with a unique identifier so that changes to the configuration can be easily identified.
Safety programmed limits must be set as a stationary zone that cannot be changed without restarting the safety
subsystem, and must not be reconfigured during automatic execution of the task program. Authorization to change a
safety programmed limit must be protected and secure, for example by requiring authorized personnel to enter a
password. Once set, safety programmed limits must always be active while the robot is in operation.
Usage information must include information on the maximum speed stopping time for the programmed axle limits, including the time and distance
travelled before the stop is completed. Additional information can be found in Annex B.
Safety zone exits for use in dynamic confined spaces shall comply with Section 5.4.
The hardware configuration of the outputs must be specified in the usage information.
NOTE 1 Programmed safety axis limits can be particularly useful for controlling the motion of axes that do not
have limiting devices as described in section 5.12.2.
NOTE 2 Programmed safety axis limits can be particularly useful for controlling movement in work areas with
irregular shapes or to protect against obstructions.
NOTE 3 An example of a unique identifier is a checksum, a value that is automatically generated by the robotic system when
the settings for the programmed limits are defined. Any changes to the settings will cause a new value to be generated.
5.12.4 Dynamic limiting devices
Dynamic constraining is the automatically controlled change of a robot's restricted space during a portion of the
robotic system's application. Control devices such as, but not limited to, camera-operated limit switches, light curtains,
or retractable, control-activated mechanical stops may be used to contain the robot's motion within the restricted
space while the robot executes its program.
To achieve this, the device and associated control systems must be capable of stopping the robot's motion under
rated load and speed, and the associated safety control systems must satisfy section 5.4.2, unless the risk
assessment determines that another category is required.

- 25 - ISO 10218-1:2011
5.13 Movement without drive power

The robot must be designed so that the axes can be moved without the use of drive power in emergency or abnormal
situations. Where possible, a single person should move the robot's axes. Controls must be easily accessible but
protected from unintended operation. Instructions for doing this must be included in the user information together with
recommendations for training personnel on how to respond in emergency or abnormal situations.
Operating information should include warnings that the force and release of the brakes can create hazardous situations.
Warning notices should be placed near the activation controls where possible.
5.14 Provisions for charging the robot

Instructions and provisions for lifting the robot and its components must be provided and must be suitable to handle the
intended load.
EXAMPLE Lifting hooks, eye bolts and threads.
NOTE For very small robots that can be easily manipulated, appropriate lifting instructions may be sufficient.
safely.
5.15 Electrical connectors

Electrical connectors that may be hazardous if separated or detached must be designed or constructed to prevent
unintended separation.
Connectors shall be provided with a means to prevent cross-connection.
6 Verification and validation of security requirements and protection measures
6.1 General
The robot manufacturer must take into account the verification and validation of the design and construction of the robots
including the appropriate safety devices with the principles described in chapters 4 and 5.
The risk assessment should be reviewed to determine whether all reasonable hazards have been identified and
appropriate corrections made.
NOTE Because not all risks identified in Annex A can be applied to any robot, the level of risk associated with a robot varies depending on the type of risk identified.
A given risk situation will not be the same from one robot to another. A risk assessment must be carried out to determine which
should be the appropriate protective measures for the specific robot.
6.2 Verification and validation methods

Verification and validation can be accomplished by the following methods including, but not limited to:
ÿ Visual inspection;
ÿ B practical tests;
ÿ C measures;
ÿ D observation during operation;
ÿ Review of schematics, circuit diagrams and design documents;
ÿ F review of risk assessment by tasks;
ÿ G review of specifications and usage information.
See Table F.1.

ISO 10218-1:2011 - 26 -
6.3 Necessary verification and validation
Specific performance requirements that have been identified as essential for the safety of the robot and that must be verified, validated, or both are
listed in Annex F. Using appropriate methods, the requirements must be evaluated to determine whether they have been adequately met in the
design and construction of the robot.
NOTE 1 The points listed in Table F.1 may not be applicable to every robot. There may be cases where it is impossible to verify and/or
validate certain points.
NOTE 2 Table F.1 is neither exhaustive nor restrictive. There may be additional verification requirements depending on the specific robot design.
NOTE 3 It is the manufacturer's responsibility to ensure that all points are verified, validated, or both.
NOTE 4 If Table F.1 is used as a checklist, it is necessary to review and restrict the content to represent the configuration.
actual robot performance evaluated and the corresponding evaluation methods.
7 Usage information
7.1 Generalities
The manufacturer must provide markings (e.g. signs, symbols) and instructional material (operating, maintenance manuals)
according to ISO 12100 and IEC 60204-1.
Where provided, machine warning devices (e.g. audible and visual signals) shall be in accordance with ISO 12100 and IEC
60204-1.
7.2 Instruction manual
In addition to the requirements of section 6.1, each robot must come with an instruction manual or an appropriate medium
containing:
a) the company name, full address, and necessary contact information of the manufacturer and, if applicable
necessary, from the authorized supplier or authorized representative;
b) instructions for commissioning, programming and restart procedures, including installation requirements such as needs, floor
loads, environmental conditions, etc.;
c) instructions for, prior to the first use of the robot and its integration into the production system, carrying out the first test and
examination of the robot and its safety measures, including operational tests using reduced speed control;
d) instructions for any tests or examinations necessary after the change of any component or the
inclusion of additional equipment (hardware and software) to the robot that may affect the safety functions, including the
emergency stop signals according to section 5.5.2 and the activation circuit according to point d) of section 5.8.3;
e) instructions for safe operation, setup and maintenance, including safe work practices, hazardous energy control procedures
and the training necessary for robot operators to achieve the level of skill required for its handling;
f) instructions for the location and operation of all control systems, including interface diagrams of the electrical, hydraulic and
pneumatic systems necessary for their commissioning and installation;
NOTE This does not include robot schematics or other controls, components, or proprietary property.
g) information for selecting high speed control using the pendant panel;

- 27 - ISO 10218-1:2011
h) instructions to inform the machine designer that a restricted space must be provided
when the robot is expected to work at high manual speed;
i) information for the installation of the limiting devices, including the number, location and degree of
adjustment of mechanical limits;
j) information on the number, location and existence of any non-mechanical limiting devices;
k) the possibilities for dynamic limitation, where included;
l) information on the intended stopping position in response to stopping distance when programmed safety limits are
used;
m) information on the number and operation of validation devices and instructions for the installation of additional
equipment including the information and criteria necessary to determine the operation of the security control
system;
n) information on the stopping time and the distance or angle from the start of the stop signal of the three axles of
greatest displacement according to the metric of Annex B;
o) the operation of the safety control system of the robot's safety functions as defined
specified in section 5.4;
p) the specifications of any type of fluid or lubricant used in the lubrication, braking, or internal transmission system of
the robot, including a guide for the correct selection, preparation, application and maintenance of single-use
consumables;
q) a guide on the means for the release of persons trapped within or by the machine;
r) instructions for the movement of the robot axes without drive power, including warnings that the
gravity and the release of braking devices can cause hazardous situations;
s) recommendations for staff training on how to react in emergency situations or

anomalous;
t) information defining the limits of movement and maximum loads, including maximum mass, position of the
center of gravity of the workpiece and any gripping accessories;
u) procedures to avoid adjustment errors during robot maintenance;
v) information about the regulations that the robot complies with, including those certified by third parties;
w) the response to detect loss of communication signal on wireless guidance consoles;
x) information on unprotected risks due to the intended use of the robot;
y) instructions and notices informing that manual operations must be carried out with all personnel outside the safety
space;
z) instructions that any measure must be fully activated before selecting automatic mode
security feature that may be disabled;

ISO 10218-1:2011 - 28 -
aa) instructions for proper storage of wireless guidance consoles, if applicable;
bb) information about the response time and loss of communication of wireless hanging panels, if
proceeds;
cc) information on the stop category of each safety stop circuit input signal.
The entity responsible for any change or added functionality to the robot system must provide the change or
added information with respect to that provided by the manufacturer.
7.3 Signaling
Each robot must clearly, legibly and durably signal:
a) the name and full address of the manufacturer and, where applicable, the authorised supplier.
b) the designation of the type of machine (i.e. an industrial robot) and the model or reference number (if applicable);
c) the month and year of manufacture;
d) the mass and/or weight of the machine;
e) the maximum range and maximum load;
f) information on the data of the electrical system and, where possible, the hydraulic and pneumatic systems (for example minimum and
maximum pneumatic pressures);
g) the points for lifting and installing the equipment, if applicable.
The purpose of barriers, safety devices and other components that are part of the robot but not attached to it
must be clearly stated. Any information necessary for installation must be provided.

- 29 - ISO 10218-1:2011
Annex A (Informative)
List of significant hazards
Table A.1 provides a list of significant hazards for the robot and its system.
NOTE The list in Table A.1 is derived from ISO 12100.
Table A.1 – List of significant hazards
Examples of dangers Chapter/

No. Type or group
Origin Possible consequences Paragraph
1 Mechanical ÿ movements (normal or unexpected) of - crushing Chapter 4

hazards any part of the robot arm (including its back)
- shearing 5.2.1
ÿ movements (normal or unexpected) of the - cutting or sectioning 5.2.3

terminal element or any moving part of the robot
- entanglement 5.5
ÿ movements (normal or unexpected) of external axes - attraction or capture 5.6
- impact 5.7
ÿ terminal element failure (separation)
- puncture or puncture 5.8.4
ÿ movement of the terminal element in the
service position - friction, abrasion 5.9
ÿ unwanted movement of the robot or its parts during ÿ expulsion or injection of high 5.10
handling operations pressure fluids/gases
5.11
ÿ expulsion or detachment of materials and products
5.12
ÿ unwanted movements of the tweezers or the

5.13
guides
5.14
ÿ unwanted release of the tool
ÿ unwanted movements of associated machinery
ÿ handling of products and materials, including the

ejection
ÿ movement or rotation of a cutting tool in the terminal

element
ÿ movement of robot parts
ÿ movement of a component with sharp edges held by

the robot

ISO 10218-1:2011 - 30 -

No. Type or group
ÿ rotation of the terminal element
ÿ rotation or movement of the associated machinery

or its robot tools
- rotational motion of any axis of the

robot
- loose clothing, long hair
ÿ between the robot arm and any fixed object
ÿ between the terminal element and any fixed object

(barriers, etc.)
ÿ impossibility of exiting the robot cell (through the door) for

an operator trapped in automatic mode.
- between clamping devices; transport, utility
ÿ handling of products and materials,

including their expulsion
ÿ movement or rotation of tools

Shears on the robot terminal element or on external axes,
on the manipulated parts, or the corresponding
equipment
ÿ unexpected movements of the robot terminal element

(specific polishing process, etc.)
ÿ unexpected movements or activation of the terminal

element or its corresponding equipment
(including external axes controlled by the robot)
ÿ unforeseen release of accumulated potential energy

- 31 - ISO 10218-1:2011

No. Type or group
2 Electrical ÿ contact with live components or connections - electric shock Chapter 4

Hazards
- burn or scald 5.2.4
- confusion between the various voltages of a system
5.2.5
- smoke inhalation
- contact with circuit components toxic 5.2.6
electrical (electronics), i.e. capacitors
5.2.7
- eye damage from
- exposure to an electric arc electrical sparks
5.15
ÿ processes using high voltages or high frequencies, i.e. - effect on the

electrostatic painting, induction heating pacemaker
ÿ welding applications using high voltages
3 Thermal ÿ hot surfaces on the robot terminal element, its associated - burns Chapter 4
Hazards equipment or the workpiece
- fire, explosion
ÿ cold surfaces or cold objects - radiation from heat sources
ÿ explosive atmosphere caused by processes, i.e. painting

(atomized particles, - smoke inhalation
powder coating), flammable solvents, powder toxic
crushing and grinding
- dehydration
- exposure to extreme temperatures required in the process
4 Dangers ÿ loss of balance, disorientation in the work area of the ÿ effect on hearing, Noise is
caused by robot cell balance and attention
noise excluded
ÿ inability of two people assigned to a task to coordinate their from the

actions through normal conversation scope
- effect on spoken of this part of the
communication, perception Rule
of acoustic signals ISO 10218
ÿ a noise level so high or so distracting that it prevents hearing
or understanding auditory warnings of danger

ÿ hearing loss
ÿ prolonged exposure to high noise levels
5 Vibration Hazards ÿ loosening of connections, closures, components - fatigue Chapter 4

due to unwanted stops or ejections of
components - neurological damage 5.2.3
ÿ vascular disorders

ISO 10218-1:2011 - 32 -

No. Type or group
6 Radiation Hazards ÿ EMF interference with the operation of the - burns Chapter 4
robot
- diseases
ÿ exposure to specific radiation from certain processes,
for example, arc welding, laser
7 Hazards due ÿ inspection, lubrication or replacement of components - poisoning Chapter 4

to bathed in fluids; cooling fluids
substances/ ÿ inhalation of corrosive
materials smoke and dust
ÿ unforeseen failures in the mechanical and electrical
components of the robot system and its safety - burns
systems
8 Ergonomic ÿ poorly designed guidance console, - fatigue Chapter 4

Hazards Human machine interface touch screen or other operator
panel too far or too high - impact 5.3.3
- fall 5.3.4
ÿ poor loading and unloading design; too much distance
between the location of the components 5.14
ÿ loss of attention
and the loading and unloading area
- stress
ÿ poorly designed validation devices
- human errors
ÿ inappropriate location of controls
ÿ unnoticed operation of controls
ÿ difficult to reach, exposure to additional hazards due to

inadequate location of controls
ÿ difficult to reach, exposure to dangers

additional due to inadequate location of components
requiring access for early maintenance actions
(troubleshooting, repair, adjustments)
ÿ reduced ability to recognise hazards and dangerous

situations due to poorly lit areas
ÿ light-blocking components
ÿ human-machine interfaces located at

too high or too low height for proper viewing

- 33 - ISO 10218-1:2011

No. Type or group
9 Dangers ÿ design considerations for the environment, for example, - force majeure Chapter 4
associated with installation in areas with seismic movements
the environment - failures caused
in which the
robot operates ÿ failure to identify a problem or set of problems due to ÿ dangerous reflex
incorrect or unnecessary actions actions
ÿ an action or failure increases the degree of damage,

for example, trying to avoid a sharp surface
and instead contacting a hot surface
10 Combinations ÿ unexpected movements of the robot or its end ÿ restoration of power Chapter 4
of Hazards element or its components supply after an interruption
5.2.2
ÿ unpredictable behavior of the control system due to
electromagnetic interference or power surges 5.2.3
- external influences
about the power 5.2.4
- a person has been determined to put in place supply

5.2.5
The robot starts, but it is not contemplated that this action
can be carried out by another person. - unexpected start
5.2.6
ÿ misinterpretation of the functioning of cooperative

5.2.7
robots or simultaneous movements
neos
5.3.2
ÿ a stop command for the robot on an incomplete cycle

5.3.3
5.3.5
ÿ The speed of the robot can be adjusted, resulting in
multiple tasks at multiple speeds
5.4
ÿ release with residual forces (inertia, gravity,

5.5
accumulated potential energy)
due to malfunction of the gripping device control or the
5.7
robot terminal element
5.8
ÿ release of the robot brakes due to a malfunction of the

5.9
control; the release of
The brakes cause the robot elements to move in an
unpredictable way due to residual forces (inertia,
gravity, accumulated potential energy)
ÿ unexpected movements of the robot, the end

element, the auxiliary axes or their components
ÿ failure in the expected behavior of a safety device

ISO 10218-1:2011 - 34 -

No. Type or group
- failure in the expected behavior of a component
ÿ loose hoses and loose components
ÿ components installed inappropriately causing hazards or

unforeseen movements
ÿ components with high rotation speeds that are released or

disengaged from the components that held them
ÿ Overloading of the robot arm or its equipment resulting in

breakage or bending of mechanical components
ÿ contact with explosions due to some type of process (e.g.

spot welding)
ÿ failures in retention devices
ÿ failure in the robot or any of its components

due to lack of brakes
ÿ beware of setbacks during start-up or shutdown
ÿ Robot components may fall if not installed or coupled

properly
ÿ insufficient lighting in the operating area

robot cell door
ÿ obstacles in the robot cell
- slippery floor
- poor location of the material
ÿ task-specific hazards

- 35 - ISO 10218-1:2011
Annex B (Normative)
Stopping times and metric stopping distances
This is a metric to be used when presenting the required usage information in point n) of section 7.2 to ensure standardization of information
from all manufacturers. This information is necessary to calculate the safety distance for safety devices. For this information to be practical and
useful, it is necessary to:
It is necessary to provide the necessary values for the different steps and even their most demanding situations, in order to predict the operating
conditions.
Tests shall satisfy the test conditions described in ISO 9283:1998, Clause 6, as applicable. This includes the following areas:
a) the manipulator must be warmed up before testing;
b) the robot must be assembled according to the manufacturer's requirements;
c) the requirements of power supply environment, temperature, etc. must be met;
d) an appropriate methodology for testing must be established;
e) the measurement method must be described.
The manufacturer must anticipate the degradation and stoppage of the robot's operation due to normal use and recommend when it should be
renewed.
The data requirements are as follows:
ÿ the stop time must be determined from the start of a stop signal until the cessation of all movements
of the manipulator;
ÿ if validated simulation values are available then these values can be obtained by simulation.
NOTE These data vary depending on added delays due to configuration or control system failures, for example,
hanging panel cables.
This stopping distance must be determined as the total distance traveled after the start of the stop signal. The distance must be presented in
linear or angular units, as appropriate.
For category 0 stops according to IEC 60204-1, the measurement procedures at maximum
conditions (i.e. maximum speed, maximum load and maximum displacement) are sufficient. If the robot has a category 1 stop, additional
information or correction factors must be provided. For category 1 stops, the values for stopping times and distances depending on speed, load
and extension must be set at 33%, 66% and 100% of their maximum, unless these design-based values can be derived from their maximum
values.
In that case, the maximum values at 100% have to be provided with the formula to obtain the intermediate values.
The values used for speed, load and extension must represent maximum values. The manufacturer must provide a description of how the
integrator must carry out his own measurements of distances and stopping times in a real cell with a real robot and real tool and loads.
Data must be provided for the three axes of greatest displacement. An example of a possible presentation is shown in Figure B.1.

ISO 10218-1:2011 - 36 -
Legend
X Speed, in mm/s
And Stop Time, in s
to
Load, in %
NOTE Stopping time of axis 1 as a function of speed and load, for a category 1 stop.
Figure B.1 – Example graph for downtime

- 37 - ISO 10218-1:2011
Annex C (Informative)
Features of the three positions of the validation device
Legend
1 Position 1
2 Position 2
3 Position 3
4 ON
5 OFF
6 Press
7 Release
8 Weak grip
9 Strong grip
to
When the operator part is pressed to position 3 the contacts must remain open.
b
When the operator part is moved from position 3 to position 1, the contacts must remain open and not operating when passing through the
position 2.
Figure C.1 – Characteristics of the three positions of the validation device

ISO 10218-1:2011 - 38 -
Annex D (Informative)
Optional Features
D.1 Generalities
The requirements specified in Chapters 4 to 7 are the minimum requirements to ensure the safety of the robot. Many additional features can be
added to the robot to improve its safety, but they are not necessary safety requirements, in a traditional sense, or do not require specific safety
performance criteria according to Standard 13849-1 or similar standards.
The optional features described in this annex are listed in no particular order of importance or convenience. Robots
implementing these features will have greater flexibility in their use and reuse, and increased potential for safety
performance.
NOTE 1 The features in chapters D.2, D.3 and D.4 are very important to provide flexibility to the installation, if ever needed.
reinstalls the robot in an application other than the one for which it was originally designed and configured.
NOTE 2 The features of chapters D.5, D.6 and D.7, although not specific safety features, provide an improvement in
robot safety.
D.2 Emergency stop functions

a) Capability for emergency stop functions as mentioned in section 5.5.1: This provides a common emergency stop
(enables the robot emergency stop to stop the operation of the entire robot system).
b) Ability for emergency stop devices to operate without power supply from the control.
robot according to section 5.5.2.
D.3 Validation device characteristics

a) Ability of the validation device to be interconnected in a common circuit that controls several robots and
teams.
b) Ability to connect multiple validation devices to a single validation circuit.
D.4 Mode selection
a) Ability to provide information from the selection mode status to the control system
security.
b) The output must satisfy section 5.7.1.
D.5 Anti-collision detection
To more effectively prevent harm to people when a collision is detected the robot should stop and display a warning
signal and not move to any other position without operator intervention.
D.6 Maintaining trajectory accuracy for all speeds

This would limit the need to monitor the robot's movement in a dangerous position.

- 39 - ISO 10218-1:2011
D.7 Scheduled axes and safety space limitation

As described in section 5.12.3, these limits would allow the creation of programs with exclusion and inclusion zones.
D.8 Measuring the operation of the stop

Where possible, monitoring and measurement of robot stop performance should provide one or more
more of the following features:
a) selection of a mode to measure and record the stop operation on the next request;
b) select the input event that defines the start of the stop (for example, a signal on a safety device,
a stop sign);
c) set limits on warnings when these limits are exceeded.

ISO 10218-1:2011 - 40 -
Annex E (Informative)
Labeled
Table E.1 shows examples of symbols that may be used to highlight the operating modes identified in Section 5.7. Additional descriptive text may
be added next to the symbols to more explicitly provide information on the mode of selection and the expected operation.
Table E.1 – Labels for robot operation modes
Paragraph Mode Symbol ISO 7000 Reference
5.7.2 Automatic 0017
5.7.3 Reduced manual speed 0096

- 41 - ISO 10218-1:2011
Annex F (Normative)
Means to verify security requirements and their measures
Table F.1 lists specific performance requirements that have been identified as essential for robot safety and that need to be verified, validated, or
both.
See section 6.3 for information on how to use this table.
Table F.1 – Means for verifying security requirements and their measures
Verification and/or validation

Paragraph Applicable requirements and/or security measures
method (see 6.2)
ABCDEFG
5.2 General requirements
Fixed or movable covers have been installed to prevent exposure

5.2.1 to motor shafts, gears, drive belts or transmissions. X X
Fixed guards, which will be removed during normal robot

5.2.1 operation, have their own hardware. X X
Mobile guards are coupled to the dangerous

5.2.1 movements in such a way that the dangerous XXXX
movements are stopped before the dangers are
reached.
The operation of the safety control system of the

5.2.1 system that relates the movable covers and the X
dangerous movements satisfies section 5.4
Loss or instability of power supply does not result in any

5.2.2 X XX
danger
5.2.2 Power supply reset does not start any movement X XX
Loss or change in electrical, hydraulic,

5.2.2 pneumatic or vacuum power does not cause X X
any hazard.
Additional safety measures have been

5.2.2 implemented to protect against hazards not X X
protected by design.
Unprotected hazards that may arise from normal operation

5.2.2 are presented in the user information. XX
Robot components are designed,

5.2.3 constructed, protected, or contained in such a XX X
manner as to minimize hazards caused by
their breakage, misalignment, or release of stored energy.

ISO 10218-1:2011 - 42 -

method (see 6.2)
ABCDEFG
Ability to block or secure hazardous energies isolated

5.2.4 from the robot when it is de-energized XXX X
5.2.5 Means for controlled release of stored hazardous energy X X X
Label to identify the dangers associated with stored energy

5.2.5 X
The expected effects due to electromagnetic

5.2.6 interference (EMF), radio frequency interference XX X
(RFI) and electrostatic discharge (ESD) do not
cause dangerous movements.
The robot's electrical equipment is designed and

5.2.7 constructed according to the relevant requirements of IEC 60204-1. XX X X
5.3 Drive controls
Drive controls are constructed or located so as to prevent

5.3.2 unintended operation. XX
The status of the drive controls is clearly indicated

5.3.3 XX X
If a light indicator is used, its location and color

5.3.3 must meet the requirements of the Standard. X X
IEC 60204-1
The drive controls are labeled and clearly indicate their

5.3.4 X
function.
While the robot is being controlled by the guidance console or
5.3.5 other guidance control device, any other source is prevented X XX

from initiating a robot movement or changing the local control
selection.
5.4 Operation of the security control system (hardware/software)
The operation of the safety control system implemented by the

5.4.1 robot is clearly detailed in the user information. X X
The information and criteria necessary to determine the

5.4.1 operation of the security control system are included in the usage X
information.

- 43 - ISO 10218-1:2011

method (see 6.2)
ABCDEFG
The safety components of the control system

comply with PL = d, with structure category 3,
5.4.2 SIL 2 with a hardware fault tolerance of 1, and with a mechanical X X
endurance test of no less than 20 years
5.4.2 The safety function detects isolated failures X XX

during or before the next request
When a fault occurs the safety function will always

5.4.2 be activated and a safe state will be maintained X XX
until the fault is corrected.
5.4.2 All reasonably foreseeable faults are detected X XXX
The information for use includes the selection of

5.4.3 alternative safety operating criteria and their X XXXX
corresponding limitations and precautions.
5.5 Robot stop functions
All robots have a safety stop function and an

5.5.1 independent emergency stop function. X X
5.5.1 Stop functions provide connection to external X X

safety devices
5.5.2 The robot has one or more emergency stop X

circuits
5.5.2 Each control unit has a manual emergency stop XX X

function
Emergency stop functions can only be reset by

5.5.2 a manual action that allows the reset but does not XX XX X
cause it to occur.
5.5.2 The selection of category 0 or 1 is determined by X

the risk assessment.
When an emergency stop signal occurs, the signal

5.5.2 remains present even when power is removed from X X
the robot, or a stop signal is generated.
emergency if the signal stops working
5.5.2 Emergency stop devices meet the requirements XX XX

IEC 60204-1 and ISO 13850 standards
5.5.3 The robot has one or more safety stop functions X X

with external connection capability
5.5.3 The operation of the safety stop function satisfies X X

the requirements of section 5.4

ISO 10218-1:2011 - 44 -

method (see 6.2)
ABCDEFG
This stop function causes a stop of all robot

5.5.3 movements, cuts or controls power to the X XX
actuators, and allows control of any other hazards
in the robot system.
At least one safety stop function is category 0 or 1

5.5.3 X XX
When an additional category 2 safety stop function is

provided, any unintentional movement of the robot in
the safety position or any detected fault in the safety stop function
5.5.3 X X
causes a category 0 stop in accordance with IEC 60204-1.
5.5.3 In case the safe stop and monitoring function is X

provided, it satisfies section 5.4
Usage information includes description of the stop category

5.5.3 of all safety stop circuit inputs X
5.6 Reduced speed control
The speed of the mounting flange and the selected TCP

5.6.1 can be controlled at different speeds XX X
An offset is provided to allow control of the TCP speed.

5.6.1 XXX X
5.6.2 When working with reduced speed control, the XX

speed of the TCP does not exceed 250 mm/s
Where provided, safety reduced speed control satisfies
5.6.3.1 section 5.4.2 to ensure that the reduced speed limit is not XX X
exceeded during a fault.
When provided, TCP speed is monitored according to

5.6.4 X XX
section 5.4.2
5.6.4 If the speed exceeds the selected limit, a safety X XX

stop is activated.
5.7 Operating modes
Operating modes can be selected using a selector that remains

5.7.1 locked in each position. XX
Each selector is clearly identified and only allows the selection

5.7.1 XX
of one mode.

- 45 - ISO 10218-1:2011

method (see 6.2)
ABCDEFG
The alternative selection means provide an

5.7.1 unambiguous indication of the selected mode and XX XX
do not in themselves initiate any robot
movement or danger.
5.7.1 Optional safety signs to indicate the selected mode X X

comply with section 5.4
5.7.2 Safety measures work when the robot's scheduled X XX

task operates in automatic mode
5.7.2 Automatic operation stops if any stop condition is X X

detected
5.7.2 Switching to automatic mode causes a stop X XX
The reduced manual speed mode satisfies the requirements

5.7.3 XX X
of sections 5.3.4 and 5.6
5.7.3 Reduced manual speed mode allows the robot to be operated X XX

by human intervention
Manual control from within the safety space is performed

at reduced speed and with a sustained action control and a X X
5.7.3
validation device.
The usage information contains the order that

5.7.3 whenever possible manual operations are carried X
out with all personnel outside the safety space.
The usage information contains the order that the disabled

security measures have to be fully reactivated before X
5.7.3
selecting the automatic mode.
5.7.4 Selection requires intentional action and additional confirmation X XX
The initial speed after selection does not exceed 250 mm/s XXXXX
5.7.4
The guidance console provides, according to

5.7.4 section 5.8, an additional sustained action function XX XX
in addition to the validation device
Means are provided for adjusting the speed incrementally from

5.7.4 its initial value to the programmed value in multiple steps. XX XX
5.7.4 The guidance console indicates the set speed XX X

ISO 10218-1:2011 - 46 -

method (see 6.2)
ABCDEFG
The speed of the robot is limited to the initial speed when the
validation device is reset by placing it in its central position after
5.7.4 X XX
being fully pressed or released.
Optionally, an intentional action is required to return to the

high speed, which was selected before the validation device was
5.7.4 X XX
released or pressed.
The option to return to high speed using separate actions is

disabled after no more than five minutes after the validation
5.7.4 X XX
device is released.
The operating information contains appropriate

5.7.4 instructions and warnings so that, whenever X
possible, the manual mode of operation is
used with all personnel outside the safety space.
Usage information orders that all disabled security measures return

to their full operation before selecting automatic mode
5.7.4 X
5.8 Guidance console controls
Robot motion initiated from the guidance console or a guidance

control device is performed under reduced speed control as
5.8.2 XX X
described in section 5.6
When the control provides means to select high

5.8.2 manual speed the robot satisfies the requirements X XX
of section 5.7.4
The guidance console has a three-position validation

5.8.3 XX X
device
When held continuously in its central position, the

5.8.3 validation device allows robot movement and any X XX
other hazards controlled by the robot.
The validation device works independently of other

5.8.3 a) motion control devices and functions. X X
Releasing or compressing the validation

5.8.3 b) device from its central position stops the X XX
hazards
Moving from the maximum compression position X XX

5.8.3 c)
to the central position does not allow the robot to move.

- 47 - ISO 10218-1:2011

method (see 6.2)
ABCDEFG
Multiple selectors on one validation device: When only one

selector is in the center position, releasing or depressing
5.8.3 d) X XX X
the selector from its center position causes a stop.
Multiple selectors on one validation device:

5.8.3 d) Compression of any selector from its center X XX X
position causes a safety stop
Multiple selectors on one validation device: When

more than one selector is in its central position X XX X
5.8.3 d)
the release of other selectors does not cause a
safety stop
The user information contains a description of

5.8.3 d) the operation of the dual selector and warnings X
that there are potential risks.
Multiple validation devices: movement is not possible

5.8.3 e) unless all validation devices are in the center X XX
position
The fall of the activation device does not result in a X

5.8.3 f)
failure that allows the activation of the movement
When there is no safety-related power supply, X X

5.8.3 g)
the activation signal indicates a stop.
The validation output signals comply with section X X

5.8.3 g)
5.4
The safety stop is initiated when the mode is

5.8.3 h) changed while the validation device is in the X XX
central position.
After a mode change with the validation device in

the center position, the validation device needs X XX
5.8.3 h)
to be released and reactivated before drive power
can be applied.
5.8.4 The guidance console has a stop function XX X

according to section 5.5.2
The presentation of the emergency stop function

5.8.4 of the guidance console is that of an emergency X X X
stop device according to ISO 13850 Standard
5.8.5 Automatic operation cannot be enabled from the X XX

guidance console alone
5.8.5 A means is provided for separate confirmation X XX

from outside the security space

ISO 10218-1:2011 - 48 -

method (see 6.2)
ABCDEFG
5.8.6 A visual indicator has been provided to XX XX

identify that the pendant panel is active
5.8.6 Loss of guidance console communication results X X

in a safety shutdown
Re-establishing communication does not restart robot movement
5.8.6 without separate intended action X X
Confusion between active and inactive stop devices is avoided

5.8.6 by proper storage or design. XX X
Usage information contains a description of the storage or

5.8.6 X
design
Usage information includes the maximum response

5.8.6 time for data communication and for loss of X X X
communication.
5.8.7 The ability to control multiple robots satisfies the X XX

requirements of section 5.9
5.9 Control of simultaneous movements
The guidance console has the ability to move one or more robots
5.9.1 independently or through simultaneous movements. X XX
In manual mode all robot functions are under control of a

5.9.1 single guidance console. XX XX
The ability is provided to allow one or more robots to be in a servo

5.9.2 state X XX
disconnection
All robots in a robot system selected to move simultaneously

5.9.2 are in the same operating mode before the movement. XX XX
Each robot must be selected before it can be

5.9.2 moved and an indicator is provided at the selection XX X
point of the robot(s) that has(have) been
selected.
A clearly visible indication is provided from

5.9.2 within the safety space indicating which robot(s) XX X
has(have) been activated.
Unexpected start of any unselected robot has been

5.9.2 prevented; this function meets the X X
requirements of section 5.4

- 49 - ISO 10218-1:2011

method (see 6.2)
ABCDEFG
5.10 Requirements for cooperative operation
Robots designed for cooperative operation

5.10.1 provide a visual indicator when the robot is in XX XX
cooperative operation.
5.10.1 Robots meet one or more of the requirements in X XX

sections 5.10.2 to 5.10.5
5.10.2 The robot stops when a human is inside the X XX

cooperative space
The stop function complies with sections 5.4 and 5.5.3 X

5.10.2 XX
If a category 2 stop is used, the stop status is

5.10.2 monitored by a safety control system according to X XX
section 5.4.
5.10.2 A failure in the safety stop supervision function X XX

results in a category 0 stop.
The manual guidance equipment is located near the terminal X X

5.10.3
element
5.10.3 The manual guidance equipment has a stop XX XX

function that complies with sections 5.5.2 and 5.8.4
5.10.3 The manual guidance equipment has a XX XX

validation device that complies with section 5.8.3
The robot operates with an active speed

5.10.3 monitoring safety function, with the speed limit XXXXX
determined by the risk assessment.
5.10.3 The speed monitoring function complies with X XX

section 5.4
5.10.3 A safety stop is activated if a controlled X X

speed exceeds its limit
5.10.4 The robot is able to maintain a certain XX X

speed and separation distance
5.10.4 The speed and separation distance X X

monitoring functions comply with section 5.4.2
Failure to maintain a certain speed or safe distance results
5.10.4 in a safety stop. XX X
5.10.4 The application of cooperative operation has been XX

determined by risk assessment

ISO 10218-1:2011 - 50 -

method (see 6.2)
ABCDEFG
The usage information contains guidelines

5.10.4 for implementing safety values and safety X
distances.
5.10.4 ISO 10218-2 has been used to design cooperative X X X

operations
The robot limits dynamic power outputs, static

5.10.5 forces, speed or energy according to section 5.4 XX X
5.10.5 A safety stop is activated if any parameter limit is XX X

exceeded
The risk assessment carried out during the design

5.10.5 phase determines the application of cooperative X XX
operation
5.10.5 Usage information includes details for setting X

parameter limits on the robot controller.
5.11 Protection of singularities
Robot control stops robot motion and provides a

5.11 warning before the robot passes through a XXX
singularity during coordinated motion initiated from
the teach pendant.
The robot controller generates an audible or visible warning
5.11 signal and continues the path through the singularity with the XXX X
speed of each axis of the robot arm limited to 250 mm/s.
No additional protection is necessary, provided

5.11 that the singularity can be controlled without X XXX
creating any dangerous motion.
5.12 Limitation of axes
A means is provided to install adjustable

5.12.1 mechanical stops to limit the movement of the main XX X
shaft.
The robot complies with section 5.12.2 or section

5.12.1 5.12.3 or both (unless an exception can be XX X
made due to a construction limitation structure)
5.12.1 The robot stops when it reaches the limit of an axis X X
Means are provided to adjust the devices

5.12.2 of mechanical and non-mechanical limitation of the two axes and X X X
three

- 51 - ISO 10218-1:2011
Verification and/or validation method (see

6.2)
ABCDEFG
Mechanical stops are capable of stopping

5.12.2 the movement of the robot with its nominal XXX X
load, under maximum speed conditions, and
for minimum and maximum extensions.
5.12.2 Tests of mechanical stops have been carried out X X

without any additional assistance stop.
The operation of the control circuit of the electro-

5.12.2 mechanical limiting devices complies with the requirements of X X
section 5.4
Robot control and scheduled tasks do not change the

5.12.2 settings of the electromechanical limit devices X X
Usage information includes information about stopping time

under maximum speed conditions for electromechanical
limit devices including monitoring time and distance
5.12.2 X
traveled before complete stop is reached.
When programmed safety limits are used, the restricted space

is defined at the expected stopping positions, which
5.12.3 XXXX
consider the distance traveled at the stop.
The ability to activate scheduled security limits, if available, is

5.12.3 described in the usage information. X
5.12.3 Control programs using programmed safety limits X X

comply with section 5.4
Only authorized personnel can change the scheduled safety

5.12.3 X X
limitation programs.
If a programmed limit is exceeded, a safety stop is initiated.

5.12.3 X X
Movement during recovery from violation of a programmed safety

5.12.3 limit occurs under reduced speed control XX
Information about active settings and security limit

configuration can be viewed and documented with a unique
5.12.3 identifier so that configuration changes can be easily identified. X X

ISO 10218-1:2011 - 52 -
Verification and/or validation method (see

6.2)
ABCDEFG
Usage information includes information on the time spent stopping

at maximum speed for the programmed safety limits,
5.12.3 including monitoring time and distance traveled before the stop X
is fully reached.
Safety zone exit signs used in dynamically restricted space

5.12.3 applications comply with Section 5.4 X X
The hardware configuration of the output signals is displayed in

5.12.3 X
the usage information
A scheduled security limit cannot be changed without

restarting the security subsystem, and it cannot be reconfigured
5.12.3 X X
during automatic execution of the scheduled task.
Authorization to change programmed safety limits is protected

5.12.3 X X
and secured
If used, programmed safety limits are always activated at

5.12.3 X X
power-up.
Dynamic limit devices and their associated control

systems are capable of stopping the robot from moving at its
rated load and speeds, and their associated safety
5.12.4 control systems comply with 5.4.2, unless the risk XXXX
assessment has determined that another category is
required.
5.13 Movement without driving power
The robot is designed so that a single person is able to move
5.13 the axes without the use of drive power in emergency or XX XX

abnormal situations.
Controls are accessible but protected from unintended

5.13 X
operation
Instructions for this are included in the user information
5.13 along with recommendations for training personnel in responding X

to emergency or abnormal situations.
The usage information includes warnings that gravity and

5.13 brake release can cause hazardous situations. X
5.13 When possible, notices are placed near activation controls. X

- 53 - ISO 10218-1:2011

method (see 6.2)
ABCDEFG
5.14 Provisions for charging the robot
Instructions and provisions are provided for loading

5.14 the robot and its components, and are suitable for XX X X
handling the corresponding weight.
5.15 Electrical connectors
Electrical connectors that may cause hazards if

5.15 separated or broken are designed and constructed XX
to prevent unintentional separation.
5.15 Connectors are provided with means to prevent cross- X

connection.

ISO 10218-1:2011 - 54 -
Literature
[1] ISO/IEC Guide 51, Safety aspects. Guidelines for their inclusion in standards.
[2] ISO 7000, Graphical symbols for use on equipment. Index and synopsis.
[3] ISO 8373:1994, Manipulating industrial robots. Vocabulary.
[4] ISO 9409 (all parts), Manipulating industrial robots. Mechanical interfaces.
[5] ISO 9946, Manipulating industrial robots. Presentation of characteristics.
[6] ISO 13851, Safety of machinery. Two-hand control devices. Functional aspects and design principles.
[7] ISO 13855, Safety of machinery. Positioning of safeguards with respect to the approach speeds of parts of the
human body.
[8] ISO 14118, Safety of machinery. Prevention of unexpected start-up.
[9] ISO 14119, Safety of machinery. Interlocking devices associated with guards. Principles for design and
selection.
[10] ISO 14120, Safety of machinery. Guards. General requirements for the design and construction of fixed and
movable guards.
[11] ISO/TS 150661), Robots and robotic devices. Safety requirements. Industrial collaborative workspace.
[12] ISO/TR 23849, Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control
systems for machinery.
[13] IEC 61000-6-2, Electromagnetic compatibility (EMC). Part 6-2: Generic standards. Immunity for industrial
environments.
[14] IEC 61000-6-4, Electromagnetic compatibility (EMC). Part 6-4: Generic standards. Emission standard for industrial environments.
[15] IEC 61496-2, Safety of machinery. Electro-sensitive protective equipment. Part 2: Particular requirements for
equipment using active opto-electronic protective devices (AOPDs).
[16] IEC 61800-5-2, Adjustable speed electrical power drive systems. Part 5-2: Safety requirements. Functional.
1) In progress.

- 55 - EN ISO 10218-1:2011
Annex ZA (Informative)
Chapters of this European Standard related to the essential

requirements or other provisions of Directive 2006/42/EC
This European Standard has been prepared under a Mandate addressed to CEN by the European Commission and the European Free Trade
Association, to provide a means of giving effect to the essential requirements of Directive 2006/42/EC.
Once this standard is cited in the Official Journal of the European Union under this directive, and is implemented as a national standard in at least
one Member State, compliance with the clauses of this standard, within the limits of the scope of this standard, is a means of giving presumption of
conformity with the specific essential requirements of this directive and the associated EFTA regulations.
WARNING: Products within the scope of this standard may be affected by other EU requirements or directives.

EN-ISO-10218-1

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

EN-ISO-10218-1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EN-ISO-10218-1

Uploaded by

Copyright:

Available Formats

Machine Translated by Google

UNE-EN ISO 10218-1

QUALIFICATION Robots and robotic devices

Safety requirements for industrial robots

OBSERVATIONS This standard replaces EN ISO 10218-1:2008 (ratified by AENOR).

© AENOR 2014 Genoa, 6 info@aenor.es Tel.: 902 102 201

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

ICS 25.040.30 Replaces EN ISO 10218-1:2008

Robots and robotic devices

This European standard was approved by CEN on 2011-04-21.

© 2011 CEN. Reproduction rights reserved to CEN Members.

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

EN ISO 10218-1:2011 -4-

This standard cancels and replaces EN ISO 10218-1:2008.

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

-5- ISO 10218-1:2011

1 Purpose and scope................................................................................................................. 7

2 Rules for consultation....................................................................................................................... 8

3 Terms and definitions................................................................................................................. 8

4 Hazard Identification and Risk Assessment ................................................................................. 12

5 Design requirements and protective measures................................................................................. 13

6 Verification and validation of security requirements and measures

Annex A (Informative) List of significant hazards........................................................................................29

Annex B (Normative) Stopping times and metric stopping distances.................................................35

Annex C (Informative) Features of the three positions of the device

Annex D (Informative) Optional Features ........................................................................................ 38

Annex E (Informative) Labeling ................................................... .................................................. ...40

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

ISO 10218-1:2011 -6-

Part 2: Robot systems and integration.

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

-7- ISO 10218-1:2011

This part of ISO 10218 is a type C standard according to ISO 12100.

1 Object and field of application

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

ISO 10218-1:2011 -8-

2 Rules for consultation

ISO 13850, Safety of machinery - Emergency stopping - Principles for design.

3 Terms and definitions

3.1 Drive control:

EXAMPLE A bar that opens contacts.

3.2 automatic mode:

[ISO 8373:1994, definition 5.3.8.1]

3.3 automatic operation:

NOTE Adopted from ISO 8373:1994, definition 5.5.

This document is part of the library of UNIVERSIDAD POLITECNICA MADRID

-9- ISO 10218-1:2011

3.4 cooperative operation: A state in

3.5 cooperative workspace: Workspace within

3.6 drive power: Power source(s) for the

3.7 terminal element: Device,

EXAMPLE Pliers, welding gun, paint gun.

[ISO 8373:1994, definition 3.11]

3.8 energy source: Source

3.9 dangerous movement:

3.10 industrial robot:

NOTE 1 The industrial robot includes: