
    The Revised Industrial Robot Safety Standard

    Courtesy: ANALOG DEVICES

    ISO 10218, third edition, was released at the start of 2025. This standard covers industrial robot safety, which typically means fixed industrial robots, including what are known as cobots. A HAS (harmonised standards) consultant has assessed the standard, which will hopefully be published shortly in the OJEU (Official Journal of the European Union), giving a presumption of conformity with all relevant Machinery Directive clauses.

    Note – ISO TC 299 WG 3: avoid using the word "cobot", as there is no such thing. The assertion is that the application is collaborative, not the robot. Any robot can work in a collaborative application with the right external equipment, e.g., a laser scanner or 3D TOF may allow implementation

    Figure 1: Two parts of the new industrial robot safety standard

    I think I started on this committee in 2018, and Ireland hosted a meeting of the committee in 2019, but I believe WG3 was already working on this revision well before that time. The convenor was Roberta Nelson Shea of Universal Robots, which meant we had much experience right there, but there was a lot, I mean a lot, of experience in both the application and design of robots within the group. It also included health and safety professionals, independent assessors, and a human factors expert. It was a well-attended group, with over 50 in some cases, leading to restrictions on how many from each country were allowed to attend. Countries with big teams attending included Canada, Japan, Korea, Sweden, Germany, the USA, the UK, Ireland, Denmark, and Italy. I must admit, I'm a robot safety expert who has never used a robot. My other major functional safety contribution is on the IEC 61508 committee, where I lead the semiconductor group, including the new IEC 61508-2-1. Therefore, once we strayed into the use of robots, as opposed to their design, I was out of my depth. For this reason, I am sure that the highlights I have chosen below from the new version would be very different from those chosen by someone with a different background.

    Figure 2: Excerpt from the Irish papers dated November 2019

    My highlights are:

    • Removal of mandatory redundancy requirements
    • New security guidance
    • New comms requirements

    Removal of Mandatory Redundancy Requirements

    Let's start with the mandatory redundancy requirements. The older 2011 version required, by default, a SIL 2 with HFT = 1 or PL d CAT 3 safety function. This offended me on several levels, including:

    • With complex technology, systematic failure modes are more of a concern than random hardware failures
    • HFT = 1 and CAT 3 are not even the same thing (CAT 3 allows the contribution of diagnostics to achieving single-fault tolerance to be considered; HFT does not)
    • Modern semiconductor-based technology can be far more reliable than older mechanical technology, with higher diagnostic coverage and shorter diagnostic test intervals

    Figure 3: Graphic showing the 4.43e-7/h point within the SIL 2 / PL d range

    Even after many years of debate (yes, years, and I am not exaggerating) the following was agreed. If you weren't involved, the number 4.43e-7/h might seem random. Both PL d and SIL 2 require a dangerous failure rate (PFHd) in the range 1e-7/h to 1e-6/h, so it is just below the midpoint of that range: in the better half, indicating lower-than-average risk. But if lower-than-average was all we required, we could have used 5.0e-7/h. Shown another way, it can be compared to what is traditionally achieved with a CAT 3 architecture. The graphic above also shows it exceeds what is generally considered possible with a CAT 2 (non-redundant) architecture. However, the best way to show it is with ISO 13849-1:2015 Annex K. To get to this number with a CAT 2 architecture (single channel with diagnostics) you need an MTTFd (mean time to dangerous failure) of 62 years and a DC (diagnostic coverage) of 90%. Annex K also shows that, previously, with a CAT 3 architecture a DC of 60% would have been acceptable, but that would deliver a much worse PFHd unless you got your MTTFd to at least 43 years, and that with CAT 3 and a DC of 90% you can easily reach down into PL e performance.

    It's good to write this down while I still remember the reasoning. These changes will make it easier to adopt new technologies into robots, reduce the robot cost and increase the robot's capabilities, all of which will hopefully contribute to higher adoption of robots. Such new technologies might include 3D TOF and novel encoders.

    Figure 4: 4.43e-7/h shown in comparison to the traditional CAT 3 architecture

    New Security Guidance

    My next highlight is the new cyber security guidance. It is always controversial whether safety standards should include anything on cyber security or whether the two disciplines should remain separate. However, it is good that we added something, as the new EU Machinery Regulation (replacing the old Machinery Directive) places more emphasis on cyber security than the old directive did. We also now have the CRA (Cyber Resilience Act). I would have liked more emphasis on IEC 62443 compliance, but what we got is good. A cyber security risk assessment is now required, and IEC TS 63074:2023 is called out, which in turn defers to IEC 62443. I spoke on cyber security for robots at last year's International Robot Safety Conference in Cincinnati. Unfortunately, the presentations from this excellent conference are not available on the web.

    New Comms Requirements

    Lastly, in a world with more and more requirements to be always connected, where data is the new oil, it is good that the standard now includes requirements for industrial communications. There was nothing in the old version on safety data transmitted over a network. Previously, the best guidance would have been IEC 61508-2:2010 7.4.11, which mentions a white channel design with no further details and defers to either IEC 61784-3 or IEC 62280/EN 50159 for black channel designs. (In a black channel the transport itself is not safety-assessed and the safety layer at each end detects transmission faults; in a white channel the whole communication path is designed and assessed to the safety standard.) The new version of ISO 10218 concentrates on the more common black channel approach and, despite being short, shows how the black channel requirements can be tailored differently for the internal robot network (controller to the various axes) and the external robot network, e.g., controller to a PLC.
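    To make the black channel idea concrete, here is an added toy model (written for this page; it is not code from ISO 10218, IEC 61784-3 or any real safety protocol). The frame layout, the connection ID value, the watchdog time and the use of a plain CRC-32 are assumptions for illustration only. The receiver checks a connection ID, a sequence number, a time stamp and a CRC, so it can detect the classic black channel threats (corruption, repetition, loss, delay, masquerade) and latch into a safe state. The last scenario deliberately shows what these measures do not cover: an attacker on the network who rewrites the payload and recomputes the CRC is accepted, which is why the standard's separate cyber security risk assessment matters.

```python
"""Toy black-channel safety layer (constructed example, not from ISO 10218 or IEC 61784-3).

The transport underneath is assumed unsafe ("black"): it may corrupt, repeat,
drop, delay or misdeliver frames. The safety layer adds a connection ID,
sequence number, time stamp and CRC so the receiver can detect these faults
and go to a safe state instead of acting on bad data.
"""
import struct
import zlib

# Frame layout (assumption for this example):
#   conn_id(2) | seq(2) | ts_ms(4) | payload(...) | crc32(4) over everything before it
HDR = struct.Struct(">HHI")
CRC = struct.Struct(">I")


class SafetySender:
    def __init__(self, conn_id: int):
        self.conn_id = conn_id
        self.seq = 0

    def build(self, payload: bytes, now_ms: int) -> bytes:
        self.seq = (self.seq + 1) & 0xFFFF            # 16-bit sequence counter
        body = HDR.pack(self.conn_id, self.seq, now_ms) + payload
        return body + CRC.pack(zlib.crc32(body))


class SafetyReceiver:
    """Validates frames; the first fault latches the receiver in the safe state."""

    def __init__(self, conn_id: int, watchdog_ms: int):
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 1
        self.fault = None                              # latched reason, None while healthy

    def _trip(self, reason: str):
        self.fault = reason
        return None

    def accept(self, frame: bytes, now_ms: int):
        """Return the payload if the frame is valid, else None (and latch the fault)."""
        if self.fault:
            return None
        if len(frame) < HDR.size + CRC.size:
            return self._trip("truncated")
        body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
        if zlib.crc32(body) != crc:
            return self._trip("corruption")            # bit errors on the wire
        conn_id, seq, ts_ms = HDR.unpack(body[:HDR.size])
        if conn_id != self.conn_id:
            return self._trip("masquerade")            # wrong peer / wrong address
        delta = (seq - self.expected_seq) & 0xFFFF     # modular distance from expected
        if delta >= 0x8000:
            return self._trip("repetition")            # an old frame delivered again
        if delta != 0:
            return self._trip("loss")                  # one or more frames skipped
        if now_ms - ts_ms > self.watchdog_ms:
            return self._trip("delay")                 # data too old to act on
        self.expected_seq = (seq + 1) & 0xFFFF
        return body[HDR.size:]


def run_scenarios(watchdog_ms: int = 100) -> dict:
    """Run each black-channel threat through a fresh sender/receiver pair (constructed inputs)."""
    results = {}

    def fresh():
        return SafetySender(0x0101), SafetyReceiver(0x0101, watchdog_ms)

    tx, rx = fresh()                                   # nominal: in-order, fresh frames
    f1, f2 = tx.build(b"RUN", 1000), tx.build(b"RUN", 1010)
    results["nominal"] = (rx.accept(f1, 1005), rx.accept(f2, 1015), rx.fault)

    tx, rx = fresh()                                   # corruption: flip a payload bit
    f = bytearray(tx.build(b"RUN", 1000)); f[HDR.size] ^= 0x01
    rx.accept(bytes(f), 1005); results["corruption"] = rx.fault

    tx, rx = fresh()                                   # repetition: same frame twice
    f = tx.build(b"RUN", 1000)
    rx.accept(f, 1005); rx.accept(f, 1006); results["repetition"] = rx.fault

    tx, rx = fresh()                                   # loss: frame 2 never arrives
    f1 = tx.build(b"RUN", 1000); tx.build(b"RUN", 1010); f3 = tx.build(b"RUN", 1020)
    rx.accept(f1, 1005); rx.accept(f3, 1025); results["loss"] = rx.fault

    tx, rx = fresh()                                   # delay: valid frame, watchdog expired
    f = tx.build(b"RUN", 1000)
    rx.accept(f, 1000 + watchdog_ms + 1); results["delay"] = rx.fault

    tx, rx = fresh()                                   # masquerade: frame from another connection
    rogue = SafetySender(0x0202)
    rx.accept(rogue.build(b"RUN", 1000), 1005); results["masquerade"] = rx.fault

    tx, rx = fresh()                                   # tampering: attacker recomputes the CRC
    hdr = tx.build(b"STOP", 1000)[:HDR.size]
    forged = hdr + b"RUN!" + CRC.pack(zlib.crc32(hdr + b"RUN!"))
    results["tampering"] = (rx.accept(forged, 1005), rx.fault)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:11s} -> {outcome}")
```

    Every random-fault scenario trips the receiver, but the tampering case is accepted with no fault, because a CRC is an error-detecting code, not a message authentication code; anyone who can write to the black channel can recompute it. Real safety profiles (PROFIsafe, CIP Safety, FSoE) use specific CRC polynomials, seeds derived from the connection parameters and calculated residual error rates, none of which this toy reproduces, and none of which change the security conclusion.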

    This is an area I continue to work on; we are revamping IEC 61508-2 7.4.11 with more details on the white channel in particular, which I think might be especially relevant for robot internal networks since it is, in my view, more suitable for hard real-time requirements. I have also, for my sins, been appointed as the liaison between IEC TC 65 SC 65A (system) and SC 65C. The black channel will continue to be the most important for the controller-to-PLC network, and the 1 km range offered by 10BASE-T1L and even Ethernet-APL / 2-WISE could be important here.

    Other information I like in the new version includes:

    • The long list of safety functions in Annex C
    • The allowances for small robots in 5.1.17 (<10 kg, <250 mm/s, <50 N)
    • The nice figure in Annex B showing maximum, restricted, operating, and safeguarded spaces

    ISO TC 299 WG 3 is continuing to work on ISO 20218-3, which will give more guidance on the limited information on cyber security within ISO 10218. I don't know whether ISO 10218 already needs a refresh to allow for the Machinery Regulation.
