Changes to the Industrial Robot Safety Standard ISO 10218

Changes to the Industrial Robot Safety Standard ISO 10218

I had hoped that ISO 10218, the industrial robot safety standard, revision 3 would be released before I wrote this blog. However, while the technical content has been agreed by the ISO TC 299 WG 3 committee since the start of 2022 the standard is waiting for review by a HAS consultant to confirm it will be accepted as an EU harmonized standard so that a robot developed to this standard benefits from a presumption of conformity with the EU’s machinery directive.

I shared a link below to a presentation by Roberta Nelson Shea of Universal robots (and convenor of ISO TC 299 WG 3) at this year’s international robot safety conference, but you will note my list of changes is different to Roberta’s as I work for a semiconductor company and therefore our customers are robot designers as opposed to robot users. Therefore, the changes that seem significant to me are different to those of someone who buys or uses robots. I’m very much an ISO 10218 part 1 (design of industrial robots) guy as opposed to a part 2 (use of industrial robots) guy. However, things like the rules relating to single point of control are still interesting to me as I have a keen interest in industrial networking and functional safety in general. However, it still doesn’t make my list.

Even if you work for a semiconductor developer, you do need to know how to integrate and apply robots to make sure you produce semiconductors and modules with the right set of features to solve the end user’s problems. In effect you need to know your customers and reading standards is a great way to see what needs to be done.

While I highlight what I see as the big changes below there were literally thousands of comments received and debated by ISO TC 299 WG 3 so that almost every part of the standard has changed in some regard and the two parts of the standard have grown substantially in length. The 3 things I have decided to highlight are removal of the mandatory requirement for CAT 3 or HFT=1, cyber security, and networking.

Removal of mandatory CAT 3 or HFT=1 requirement

ISO 10218-1:2011 5.4.2 requires that “Safety-related parts of control systems shall be designed so that they comply with PL=d with structure category 3 as described in ISO 13849-1:2006, or so that they comply with SIL 2 with a hardware fault tolerance of 1”. In effect you need to be single fault tolerant and normally this is achieved with redundancy or in some cases with ideal fault detection.

The new revision 3 will allow a third option, without the architecture requirements, provided the PFHd is in the lower part of the PL d/SIL 2 range (<4.43e-7/h for the complete safety function). Older technologies using electromechanical solutions will not be able to benefit from this relaxation but I believe the mandatory CAT 3 or HFT=1 requirements are not suitable for systems based on highly integrated technology and semiconductor technology such as ADI’s new magnetic sensors (see a previous blog here) or even our new 3D TOF cameras (see a previous blog here). For the cameras the type 3 requirements from IEC 61496 are still an issue. However my opposition to the mandatory HFT and CAT requirements predates these technologies, for instance see here. In my view both ISO 13849 and IEC 61508 indicate the required level of safety with either a PL or a SIL and the designer should not be restricted by insisting on a given architecture.

Figure 1 - New technologies which should benefit from the relaxed architecture requirements include AMR, TMR and GMR sensors to act as encoders

Cyber Security

I am a firm believer that if you are not secure you are not safe. In addition, for robot a cyber security attack might not just impact on the safety of your robot but could also be an attack to destroy the robot or even reduce the quality of the finished product to destroy the reputation of the company using the robots.

The older 2011 version had no mention of cyber security, but the new revision requires a cybersecurity assessment and features to be added to the robot if threats are identified. The standard informatively mentions ISO TR 22100-4:2018, IEC TR 63074:2019 and the IEC 62443 series of industrial cyber security standards.

Personally, I like IEC 62443 and have been a largely non participating member of ISA99 for many years. For most robots I think the sweet spot will be SL (security level) 2 with perhaps some requirements for SL 3. SL 3 being more appropriate perhaps if the robot can be accessed remotely.

Security level

Tom’s description of who you are protected against at each SL

1

Someone who is bored at work

2

Someone who thinks it would be cool if they could make the robot dance and knows more about robots that the individual from SL 1 description

3

Someone who knows industrial automation systems, robots, and cyber security and has access to some software tools to insist on a hack

4

A hostile government

 

In 2021 Analog Devices acquired Maxim Integrated and with them came a very nice family of security products including security authenticators such as the DS28C50 which should facilitate a solution for some of the new security features. This will help maintain my interest in robot cyber security.

Networking

These days many robots will be networked to a remote controller, a PLC or to an external sensor. In addition, there is a network within the robot where the controller board talks to the individual axis controllers and the end effector. If these networks transmit safety data, there was no guidance given in ISO 10218. Revision 3 of ISO 10218-1:202X (hopefully/surely 2023) 5.3.6 refers you to IEC 61508-2:2010 7.4.11. That clause in IEC 61508 allows the network to be implemented as either a white channel (everything developed to IEC 61508) or a black channel (uses standard components with an SCL - safety communication layer- on each end). In addition, ISO 10218 gives you guidance on network categories. Network categories come from the rail networking standards (IEC 62380/EN 50159) and depending on how open the network is modulates the effort you need to use to protect against the usual threats. While it may seem unusual to refer to a rail standard from a robot safety standard, IEC 62380 is one of the two options given in IEC 61508 and contains guidance, such as the network categories, not found in the more well-known IEC 61784 standard.

Most networks will probably use the black channel concept as shown below with the defences implemented in an SCL on each end.

Figure 2 - Example of a black channel and a threat defences table

An internal robot network would probably be considered as a category 1 network, due to the limited access, known number of members etc and therefore while protection against corruption might need to be implemented with high effort the effort put into protection against the other threats might be less.

The network to connect a robot to an external PLC would probably meet the definition for a category 2 network, with additional effort required to protect against repetition, deletion, insertion, and delay compared to a category 1 network.

I promised a link to Roberta Nelson Shea’s presentation at the Industrial robot safety conference 2022. It is available at ISO/DIS 10218-1.2:2021 vs ISO 10218-1:2011 and ISO/FDIS 10218-2:2021 vs ISO 10218-2:2011 Significant changes (automate.org). With this and my blog above you will have a more complete overview including the new robot classes which have reduced requirements for small lightweight robots.

This blog is number 11 in a series of 12 industrial robot safety blogs – see here for the full series including another 70 blogs which cover functional safety, but not necessarily robot safety.

Anonymous