ISO 10218, third edition, was released at the start of 2025. This standard covers industrial robot safety. Typically, this means fixed industrial robots, including what are known as cobots. A HAS consultant assessed the standard, which will hopefully be published shortly in the OJEU (Official Journal of the European Union), giving a presumption of conformity with all relevant machinery directive clauses.
Note – ISO TC 299 WG 3: avoid using the word cobot, as there is no such thing. The assertion is that the application is collaborative, not the robot. Any robot can work in a collaborative application with the right external equipment, e.g., a laser scanner or 3D TOF may allow implementation
Figure 1: Two parts of the new industrial robot safety standard
I think I started on this committee in 2018, and Ireland hosted a meeting of the committee in 2019, but I believe WG3 was already working on this revision well before that time. The convenor was Roberta Nelson Shea of Universal Robots, which meant we had much experience right there, but there was a lot, I mean a lot, of experience in both the application and design of robots within the group. It also included health and safety professionals, independent assessors, and a human factors expert. It was a well-attended group, with over 50 in some cases, leading to restrictions on how many from each country were allowed to attend. Countries with big teams attending included Canada, Japan, Korea, Sweden, Germany, the USA, the UK, Ireland, Denmark, and Italy.
Figure 2: Excerpt from the Irish papers dated November 2019
I must admit, I’m a robot safety expert who has never used a robot. My other major functional safety contribution is on the IEC 61508 committee, where I lead the semiconductor group, including the new IEC 61508-2-1. Therefore, once we strayed into the use of robots, as opposed to their design, I was out of my depth. For this reason, I am sure that the highlights I have chosen below from the new version would be very different from those chosen by someone with a different background.
My highlights are:
Let’s start with the mandatory redundancy requirements. The older 2011 version required, by default, a SIL 2 safety function with HFT = 1 or a PL d, CAT 3 safety function. This offended me on several levels, including:
Even after many years of debate (yes, years, and I am not exaggerating), the following was agreed.
Figure 3: New text allowing a non-redundant safety function if the dangerous failure rate for the safety function is sufficiently low
If you weren’t involved, the number 4.43e-7/h might seem random. Both PL d and SIL 2 require a dangerous failure rate in the range 1e-6/h to 1e-7/h, so it’s just below the midpoint of that range. It’s in the better half, indicating lower-than-average risk. But if lower-than-average were all we required, we could have used 5.0e-7/h.
Figure 4: Graphic showing the 4.43e-7/h portion of the SIL 2, PL d range
Shown another way, it can be compared to what is traditionally achieved with a CAT 3 architecture.
Figure 5: 4.43e-7/h shown in comparison to the traditional CAT 3 architecture
The graphic above also shows that it exceeds what is generally considered possible with a CAT 2 (non-redundant) architecture. However, the best way to see this is by highlighting the relevant row in ISO 13849-1:2015 Annex K.
Figure 6: Row for a PFH of 4.43e-7/h from Annex K of ISO 13849
To get to this number with a CAT 2 architecture (single channel with diagnostics), you need an MTTFd (mean time to dangerous failure) of 62 years and a DC of 90%. The same row also shows that, previously, a CAT 3 architecture with a DC of 60% would have been acceptable, but that would deliver a much worse PFHd unless you got your MTTFd to at least 43 years, and that with CAT 3 and a DC of 90% you can easily reach down into PL e type performance.
It’s good to write this down while I still remember the reasoning. These changes will make it easier to adopt new technologies into robots, reduce the robot cost, and increase the robot's capabilities, all of which will hopefully contribute to a higher adoption of robots. Such new technologies might include 3D TOF and novel encoders.
My next highlight is the new cyber security guidance. It's always controversial whether safety standards should include anything on cyber security or whether the two disciplines should remain separate. However, it is good that we added something, as the new EU machinery regulation (replacing the old machinery directive) places more emphasis on cyber security than the old machinery directive did. We also now have the CRA (Cyber Resilience Act). I would have liked to add more emphasis on IEC 62443 compliance, but what we got is good. A cyber security risk assessment is now required (shall), and IEC TS 63074:2023 is called out, which in turn defers to IEC 62443. I spoke on cyber security for robots at last year's international robot safety conference in Cincinnati. Unfortunately, the presentations from this excellent conference are not available on the web.
Figure 7: Extract from the scope of IEC 63074
Lastly, in a world with more and more requirements for always being connected (data is the new oil), it is good that the standard now includes requirements for industrial communications. There was nothing in the old version on safety data to be transmitted over a network. Previously, the best guidance would have been IEC 61508-2:2010 7.4.11, which mentions a white channel design with no further details and defers to either IEC 61784-3 or IEC 62280/EN 50159 for black channel designs. The new version of ISO 10218 concentrates on the more common black channel approach and, despite being short, shows how the black channel requirements can be tailored differently for the internal robot network (controller to the various axes) and the external robot network, e.g., controller to a PLC.
This is an area I continue to work on; we are revamping IEC 61508-2 7.4.11 with more details on the white channel in particular, which I think might be especially relevant for robot internal networks since, in my view, it is more suitable for hard real-time requirements. I have also, for my sins, been appointed as the liaison between IEC TC 65 SC 65A (system) and SC 65C (communications). The black channel will continue to be the most important for the controller-to-PLC network, and the 1 km range offered by 10BASE-T1L and even Ethernet APL / 2-WISE could be important here.
Figure 8: An extract from ISO 10218-1 5.3.6 covering communications
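To make the black channel idea concrete, here is an added example of my own (not text or code from ISO 10218, IEC 61784-3 or any robot vendor): a minimal safety layer that treats the transport underneath it as untrusted and carries a connection identifier, sequence counter, watchdog time expectation and CRC so that corruption, repetition, loss, insertion, delay and masquerade are all detected before the application acts on the data. The frame layout, field widths and fault cases are assumptions chosen for illustration.

```python
"""Constructed black-channel safety layer (illustration only; frame layout and
field widths are my own assumptions, not the ISO 10218 / IEC 61784-3 format)."""
import struct
import zlib

HEADER = struct.Struct(">HIH")  # connection id, sequence number, payload length


def build_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Wrap a safety payload with connection id, sequence counter and CRC-32."""
    body = HEADER.pack(conn_id, seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyReceiver:
    """Checks each frame; any failure is reported so the application can go safe."""
    def __init__(self, conn_id: int, watchdog_s: float):
        self.conn_id = conn_id        # expected connection (masquerade check)
        self.watchdog_s = watchdog_s  # max gap between valid frames (delay check)
        self.expected_seq = 0
        self.last_ok_time = None

    def receive(self, frame: bytes, now: float):
        if len(frame) < HEADER.size + 4:
            return None, "truncated"
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return None, "crc"         # bit errors on the untrusted transport
        conn_id, seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if conn_id != self.conn_id or len(payload) != length:
            return None, "masquerade"  # frame from another connection / malformed
        if seq != self.expected_seq:
            return None, "sequence"    # repetition, loss or insertion
        if self.last_ok_time is not None and now - self.last_ok_time > self.watchdog_s:
            return None, "timeout"     # unacceptable delay
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        self.last_ok_time = now
        return payload, "ok"


def demo() -> list:
    """One good frame followed by four constructed faults; returns the verdicts."""
    rx = SafetyReceiver(conn_id=0x1234, watchdog_s=0.1)
    f0 = build_frame(0x1234, 0, b"\x01")  # assumed payload: 'e-stop not pressed'
    f1 = build_frame(0x1234, 1, b"\x01")
    corrupted = f1[:-1] + bytes([f1[-1] ^ 0xFF])  # flip last CRC byte
    return [rx.receive(f0, 0.00)[1],                               # ok
            rx.receive(f0, 0.02)[1],                               # replay -> sequence
            rx.receive(corrupted, 0.04)[1],                        # crc
            rx.receive(build_frame(0x9999, 1, b"\x01"), 0.06)[1],  # masquerade
            rx.receive(f1, 0.30)[1]]                               # late -> timeout
```

The internal (controller to axis) and external (controller to PLC) networks would differ mainly in the watchdog time and counter width chosen, which is the kind of tailoring the new clause allows.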
Other information I like in the new version includes:
ISO TC 299 WG 3 is continuing to work on ISO 20218-3, which will give more guidance beyond the limited information on cyber security within ISO 10218. I don't know whether ISO 10218 already needs a refresh to allow for the machinery regulation.
Thanks to all those who participated internationally and within the Irish national committee. It was a great opportunity to participate. Thanks especially to Fergal and, later, Barry from the NSAI (National Standards Authority of Ireland) for their support. I now have a colleague, Declan, who knows far more about robots and machinery than me. For now, it’s on to getting IEC 61508 revision 3 released, and perhaps I can convince more people that they should use IEC 61508 for their detailed robot design!
Check back next month on the second Tuesday for the next blog in this series. Until then, I hope to post “mini-blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.