- 1. Executive Summary
- 2. ISO 10218-1 & ISO 10218-2: Industrial Robot Safety
- 3. ISO/TS 15066: Collaborative Robot Safety
- 4. Risk Assessment Process (ISO 12100)
- 5. Safety Control Systems & Components
- 6. CE Marking Process & Machinery Directive
- 7. Performance Level (PL) & Safety Integrity Level (SIL)
- 8. Safety System Architecture (ISO 13849 Categories)
- 9. APAC Safety Regulations
- 10. Common Safety Violations & How to Avoid Them
- 11. Safety Audit Checklist
1. Executive Summary
Industrial and collaborative robots are being deployed at unprecedented scale across manufacturing, logistics, and service sectors worldwide. The International Federation of Robotics (IFR) reports that the global operational robot stock surpassed 4.2 million units in 2025, with annual installations exceeding 590,000 units. As robot density increases and human-robot collaboration becomes the norm rather than the exception, the imperative for rigorous safety engineering has never been more critical.
Robot-related workplace incidents remain a serious concern. Data from the Occupational Safety and Health Administration (OSHA) and equivalent agencies across Asia-Pacific indicate that improper safeguarding, insufficient risk assessment, and non-compliant safety system design account for over 72% of robot-related injuries. The financial consequences extend far beyond immediate incident costs: a single serious robot safety incident can result in production shutdowns exceeding $500,000/day, regulatory penalties up to 2% of annual turnover in the EU, and reputational damage that impacts customer contracts for years.
This guide provides a comprehensive technical reference for engineers, safety managers, and integrators responsible for ensuring robot installations comply with international safety standards. We cover the complete regulatory framework from foundational standards (ISO 10218, ISO/TS 15066) through implementation (ISO 13849, IEC 62443) to regional compliance requirements across Vietnam, Singapore, Thailand, and Japan. Each section includes practical implementation guidance drawn from our experience across 60+ robot safety assessments in APAC manufacturing facilities.
For Vietnamese and Southeast Asian manufacturers exporting to the EU, CE marking compliance is not optional -- it is a legal market access requirement. Even for domestic operations, adopting international safety standards reduces insurance premiums by 15-30%, decreases workplace incident rates by 80%+, and positions companies for international certifications (ISO 45001) that multinational clients increasingly require of their supply chain partners. The cost of implementing safety standards at the design stage is 5-10x lower than retrofitting after deployment.
2. ISO 10218-1 & ISO 10218-2: Industrial Robot Safety
2.1 ISO 10218-1: Robots -- Safety Requirements for Industrial Robots
ISO 10218-1:2011 specifies safety requirements for the design and construction of industrial robots themselves -- the robot as a product, independent of its application. A revised edition, ISO 10218-1:2025, was published in early 2025 and supersedes it, but most installed robots, their manuals and existing technical files still cite the 2011 edition, so both are referenced here. The standard applies to robot manufacturers (OEMs) such as FANUC, ABB, KUKA, Yaskawa, and Universal Robots, defining the baseline safety features that every industrial robot must incorporate before it leaves the factory.
Key requirements of ISO 10218-1 include:
- Emergency stop and protective stop functions (stop categories per IEC 60204-1): Every robot must provide an emergency stop (stop category 0 or 1) and a separately initiated protective stop that halts all robot motion. A category 0 stop removes drive power immediately; a category 1 stop decelerates under control and then removes power. ISO 10218-1:2011 requires the safety-related parts of the control system that implement these functions to achieve Performance Level d with Category 3 structure per ISO 13849-1 (or SIL 2 with hardware fault tolerance 1 per IEC 62061) unless the risk assessment justifies a different level.
- Axis limiting (mechanical and software): Robots must provide both software-configurable axis limits and, where the risk assessment demands, mechanical hard stops to prevent motion beyond defined boundaries. These limits define the restricted space within which the robot can operate.
- Speed and force monitoring: The robot controller must be capable of monitoring and limiting joint speeds and TCP (tool center point) velocity. For collaborative applications, the controller must enforce speed limits with safety-rated monitoring that meets PLd or higher.
- Singularity protection and limits for collaborative operation: In manual reduced-speed mode the robot must stop or warn the operator before passing through a singularity, where small TCP motions can demand very high joint speeds. For collaborative power and force limiting, ISO 10218-1:2011 does not fix numeric force, power or momentum thresholds itself; it requires them to be set by the risk assessment, which in practice means the biomechanical values of ISO/TS 15066 (Section 3).
- Pendant and enable device requirements: Teach pendants must incorporate a three-position enabling device (often called a deadman switch) that permits motion only while held in the centre position; releasing it or squeezing it fully must stop motion immediately. In manual reduced-speed mode the TCP speed is limited to 250 mm/s.
2.2 ISO 10218-2: Robot Systems and Integration
While Part 1 addresses the robot itself, ISO 10218-2:2011 (revised as ISO 10218-2:2025) covers the complete robot system as installed in a production environment -- including end effectors, workpiece handling, peripheral equipment, and the physical integration within a facility. This is the standard most relevant to system integrators and end users, as it governs the safety of the application rather than the robot alone.
ISO 10218-2 mandates a comprehensive approach to system safety that encompasses:
- Risk assessment per ISO 12100: A documented risk assessment is mandatory for every robot installation. The assessment must identify all reasonably foreseeable hazards, estimate risk severity and probability, and document the risk reduction measures applied.
- Safeguarded space design: The standard defines requirements for perimeter guarding, safety-rated sensing, and restricted space configuration. The maximum space envelope must account for the robot's full reach plus any end-effector extension, workpiece dimensions, and potential ejection trajectories.
- Safety-rated function validation: All safety functions relied upon for risk reduction must be validated against the required Performance Level. This includes safety-rated monitored stop, safety-rated speed monitoring, safety-rated position monitoring, and safety-rated force monitoring.
- Collaborative workspace requirements: Section 5.11 of ISO 10218-2 defines four collaborative operation modes (later elaborated in ISO/TS 15066) and the requirements for each. Collaborative workspaces require specific signage, floor markings, and operational procedures.
| Aspect | ISO 10218-1 (Robot) | ISO 10218-2 (Robot System) |
|---|---|---|
| Scope | Robot as a product (OEM responsibility) | Complete robot cell/system (integrator responsibility) |
| Applies To | Robot manufacturers | System integrators and end users |
| Risk Assessment | Product-level hazard analysis | Application-specific risk assessment per ISO 12100 |
| Safeguarding | Built-in safety functions | Perimeter guards, sensors, interlocks, restricted spaces |
| Performance Level | PL d / Cat. 3 default for safety-related control functions (unless the risk assessment shows otherwise) | PL d or PL e per safety function, from the risk assessment |
| Documentation | Robot safety data sheet, instruction manual | Technical file, risk assessment, validation report |
| Collaborative Modes | Specifies robot capabilities for collaborative use | Defines workspace requirements and 4 collaborative modes |
| CE Marking | Robot as partly completed machinery | Complete machinery requiring full CE assessment |
3. ISO/TS 15066: Collaborative Robot Safety
ISO/TS 15066:2016 is the foundational technical specification for collaborative robot (cobot) safety. It provides detailed guidance for implementing the four collaborative operation modes introduced in ISO 10218-2, including specific biomechanical force and pressure thresholds for human-robot contact. This document is essential for any organization deploying cobots from Universal Robots, FANUC CRX, ABB GoFa/SWIFTI, Doosan, or any other collaborative platform. The 2025 editions of ISO 10218-1 and -2 bring much of this content into the base standards, but ISO/TS 15066 remains the document cited by most cobot manuals and existing risk assessments.
3.1 The Four Collaborative Operation Modes
Mode 1: Safety-Rated Monitored Stop (SMS)
In this mode, the robot operates at normal industrial speed when no human is present in the collaborative workspace. When a human enters the workspace (detected by safety-rated sensors such as laser scanners or light curtains), the robot comes to a safety-rated monitored stop: the drives may remain energised, but standstill is supervised by a safety-rated function that issues a protective stop on any unexpected motion. The robot remains stationary while the human is present and resumes only after the human exits and the safety system confirms the workspace is clear. This mode suits tasks where human and robot work is sequential rather than simultaneous -- for example, a human loading parts into a fixture while the robot waits, then the robot performing a machining or welding operation after the human withdraws.
Mode 2: Hand Guiding
Hand guiding allows a human operator to move the robot by applying forces to a hand-guiding device (typically an instrumented end-effector flange or handle). The robot must be in a safety-rated monitored stop before the operator enters the collaborative workspace, and guided motion is only permitted while an enabling device on the guiding device is held. While being guided, the robot follows the operator's hand movements for programming or positioning tasks. Safety requirements include force/torque sensing at the guiding point, an emergency stop accessible from the guiding position, and a safety-rated speed limit during guided motion set by the risk assessment (250 mm/s, the manual reduced-speed value from ISO 10218-1, is the usual ceiling).
Mode 3: Speed and Separation Monitoring (SSM)
Speed and separation monitoring is the most technically sophisticated collaborative mode. The robot and human can operate simultaneously in the collaborative workspace, but the system continuously monitors the separation distance between them and adjusts the robot's speed (or stops the robot) to maintain a protective separation distance at all times. The minimum separation distance is calculated dynamically using the formula defined in ISO/TS 15066:
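The separation formula the text refers to is S_p(t0) = S_h + S_r + S_s + C + Z_d + Z_r (ISO/TS 15066, 5.5.4): the distance the human can cover while the robot reacts and stops (S_h = v_h (T_r + T_s), with v_h = 1600 mm/s taken from ISO 13855), the distance the robot travels during its reaction time (S_r) and while braking (S_s), the intrusion distance C of the sensing device, and the position uncertainties Z_d (sensor) and Z_r (robot). The Python below is an example added to this guide, not code from the specification or from any controller; it evaluates S_p and inverts it to obtain the highest robot speed permitted for a measured distance. The constant-deceleration stopping model, the reaction time and all cell figures are assumptions; a real SSM implementation must use the OEM's validated stopping data and run inside the safety-rated controller, not in application software.

```python
"""Speed and separation monitoring (SSM) per ISO/TS 15066, clause 5.5.4.

Added example for this guide. Evaluates the protective separation distance
S_p = S_h + S_r + S_s + C + Z_d + Z_r and inverts it to find the highest robot
speed allowed for a measured human-robot distance. The constant-deceleration
stopping model and every numeric input are assumptions for illustration; a
real system must use the OEM's validated stopping-time/distance data.
"""
import math
from dataclasses import dataclass

V_HUMAN = 1600.0  # mm/s, human approach speed used by ISO 13855 and ISO/TS 15066


@dataclass(frozen=True)
class SsmParams:
    t_r: float    # s, reaction time: sensor response + controller processing (assumed)
    decel: float  # mm/s^2, assumed constant deceleration, so stopping time = v / decel
    c: float      # mm, intrusion distance C of the sensing device (from ISO 13855)
    z_d: float    # mm, position uncertainty of the human (sensor tolerance)
    z_r: float    # mm, position uncertainty of the robot


def protective_separation_distance(v_r: float, p: SsmParams) -> float:
    """S_p for a robot moving toward the human at v_r (mm/s)."""
    t_s = v_r / p.decel                 # robot stopping time under the assumed model
    s_h = V_HUMAN * (p.t_r + t_s)       # human keeps approaching while the robot reacts and stops
    s_r = v_r * p.t_r                   # robot keeps moving during its own reaction time
    s_s = v_r * t_s / 2.0               # braking distance at constant deceleration
    return s_h + s_r + s_s + p.c + p.z_d + p.z_r


def max_robot_speed(measured_distance: float, p: SsmParams, v_max: float = 2000.0) -> float:
    """Largest v_r (mm/s) with S_p(v_r) <= measured distance; 0.0 means the robot must stop.

    S_p is quadratic in v_r under this model, so the bound is solved in closed form:
    v^2/(2a) + v*(v_h/a + t_r) + (v_h*t_r + C + Z_d + Z_r - d) = 0
    """
    a2 = 1.0 / (2.0 * p.decel)
    b = V_HUMAN / p.decel + p.t_r
    c0 = V_HUMAN * p.t_r + p.c + p.z_d + p.z_r - measured_distance
    if c0 >= 0.0:
        return 0.0                      # even a stationary robot is too close: safety-rated monitored stop
    v = (-b + math.sqrt(b * b - 4.0 * a2 * c0)) / (2.0 * a2)
    return min(v, v_max)


if __name__ == "__main__":
    # Assumed cell data: 100 ms reaction, 5 m/s^2 braking, scanner intrusion 850 mm, 70 mm + 10 mm tolerances.
    p = SsmParams(t_r=0.1, decel=5000.0, c=850.0, z_d=70.0, z_r=10.0)
    for d in (900.0, 1100.0, 1610.0, 2500.0):
        print(f"distance {d:6.0f} mm -> allowed robot speed {max_robot_speed(d, p):7.1f} mm/s")
```

With the assumed figures a stationary robot already needs 1090 mm of clearance, and a measured distance of 1610 mm permits 1000 mm/s; the inversion is exact, so S_p evaluated at the returned speed equals the measured distance.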
Mode 4: Power and Force Limiting (PFL)
Power and force limiting is the mode most commonly associated with collaborative robots. In PFL mode, the robot is designed so that contact between the robot and a human does not result in injury. This is achieved through a combination of low robot mass, rounded surfaces, padding, and active force/torque monitoring that limits contact forces below biomechanically determined thresholds. ISO/TS 15066 provides comprehensive tables of maximum permissible forces and pressures for 29 body regions.
3.2 Biomechanical Force and Pressure Limits
ISO/TS 15066 Annex A distinguishes two contact types: quasi-static (clamping or trapping, where the body part cannot recoil) and transient (a free impact lasting at most 0.5 s, after which the body part can move away). For most regions the transient limit is twice the quasi-static limit, because a short impact is absorbed more readily than a sustained load; for the skull, face and neck Annex A permits no transient contact at all. The table below lists the force limits for commonly referenced body areas. Annex A Table A.2 additionally gives pressure limits per sub-region (for example sternum versus pectoral muscle, or fingertip versus palm); those must be read from the specification for the actual contact point and are not reproduced here.
| Body Region | Quasi-Static Force (N) | Transient Force (N) |
|---|---|---|
| Skull / Forehead | 130 | not permitted |
| Face | 65 | not permitted |
| Neck (sides / muscle) | 150 | not permitted |
| Back / Shoulders | 210 | 420 |
| Chest | 140 | 280 |
| Abdomen | 110 | 220 |
| Upper arm / Elbow | 150 | 300 |
| Forearm / Wrist | 160 | 320 |
| Hand / Fingers | 140 | 280 |
| Thigh / Knee | 220 | 440 |
| Lower leg | 130 | 260 |
The biomechanical limits in ISO/TS 15066 apply to the resultant force and pressure at the point of contact between the robot system (including end-effector and workpiece) and the human body. A robot arm that is inherently force-limited can still exceed thresholds if the end-effector concentrates force on a small contact area. Always calculate the effective pressure using the minimum contact area of the tool or workpiece geometry. Sharp edges, pointed tools, and narrow contact surfaces can produce pressures that exceed limits even at very low forces.
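The two checks that follow from this paragraph and from the PFL description above, as an example added to this guide (not text or code from ISO/TS 15066): first, turning a contact force into pressure over the smallest area the tool can present and comparing both against the Annex A limits; second, deriving the maximum relative speed for transient contact from the two-body collision model of Annex A.3, v_max = F_max / sqrt(mu k), where mu is the reduced mass of the body region (m_H) and the robot (m_R = M/2 + payload) and k is the region's spring constant. Pressure limits, m_H and k are caller inputs; the figures in the worked case (hand/fingers, k = 75 N/mm, m_H = 0.6 kg, palm pressure limit 260 N/cm2) are the author's reading of Annex A Tables A.2/A.3 and must be confirmed against the edition in force.

```python
"""Power and force limiting (PFL): contact checks per ISO/TS 15066 Annex A.

Added example for this guide, not code from the specification. Force limits
below are the quasi-static values from the table in the text; transient limits
are 2x, except the head/neck regions, where no transient contact is permitted.
Pressure limits, body-region mass m_H and spring constant k are caller inputs
(assumed values in the worked case, to be confirmed against Annex A).
"""
import math
from dataclasses import dataclass
from typing import Optional

QUASI_STATIC_FORCE_N = {
    "skull/forehead": 130.0, "face": 65.0, "neck": 150.0, "back/shoulders": 210.0,
    "chest": 140.0, "abdomen": 110.0, "upper arm/elbow": 150.0, "forearm/wrist": 160.0,
    "hand/fingers": 140.0, "thigh/knee": 220.0, "lower leg": 130.0,
}
NO_TRANSIENT_CONTACT = {"skull/forehead", "face", "neck"}


def force_limit(region: str, transient: bool) -> Optional[float]:
    """Permissible force in N, or None where transient contact is not allowed."""
    base = QUASI_STATIC_FORCE_N[region]
    if not transient:
        return base
    return None if region in NO_TRANSIENT_CONTACT else 2.0 * base


def contact_pressure(force_n: float, area_cm2: float) -> float:
    """Effective pressure in N/cm2 over the smallest contact area of the tool/workpiece."""
    if area_cm2 <= 0.0:
        raise ValueError("contact area must be positive")
    return force_n / area_cm2


@dataclass(frozen=True)
class ContactCase:
    region: str
    force_n: float                  # resultant force at the contact point
    contact_area_cm2: float         # minimum area of the tool/workpiece geometry at that point
    qs_pressure_limit_n_cm2: float  # Annex A Table A.2 quasi-static pressure for the exact sub-region
    transient: bool = False         # impact of <= 0.5 s with the body part free to recoil


def check_contact(c: ContactCase) -> dict:
    """Both force and pressure must be within limits; an edge can fail on pressure at a safe force."""
    f_lim = force_limit(c.region, c.transient)
    pressure = contact_pressure(c.force_n, c.contact_area_cm2)
    if f_lim is None:
        return {"permitted": False, "pressure": pressure, "reason": "transient contact not permitted"}
    p_lim = c.qs_pressure_limit_n_cm2 * (2.0 if c.transient else 1.0)
    force_ok, pressure_ok = c.force_n <= f_lim, pressure <= p_lim
    return {"permitted": force_ok and pressure_ok, "pressure": pressure, "force_ok": force_ok,
            "pressure_ok": pressure_ok, "force_limit": f_lim, "pressure_limit": p_lim}


def reduced_mass(m_h_kg: float, robot_moving_mass_kg: float, payload_kg: float) -> float:
    """mu = 1 / (1/m_H + 1/m_R) with effective robot mass m_R = M/2 + payload (Annex A.3.3)."""
    m_r = robot_moving_mass_kg / 2.0 + payload_kg
    return 1.0 / (1.0 / m_h_kg + 1.0 / m_r)


def max_transient_speed(region: str, m_h_kg: float, k_n_per_m: float, robot_moving_mass_kg: float,
                        payload_kg: float, contact_area_cm2: Optional[float] = None,
                        qs_pressure_limit_n_cm2: Optional[float] = None) -> float:
    """Highest relative speed (m/s) before the transient force (and, if given, pressure) limit is hit."""
    f_max = force_limit(region, transient=True)
    if f_max is None:
        return 0.0                                   # design must prevent contact with this region
    damping = math.sqrt(reduced_mass(m_h_kg, robot_moving_mass_kg, payload_kg) * k_n_per_m)
    v = f_max / damping
    if contact_area_cm2 is not None and qs_pressure_limit_n_cm2 is not None:
        f_from_pressure = 2.0 * qs_pressure_limit_n_cm2 * contact_area_cm2   # transient pressure x area, N
        v = min(v, f_from_pressure / damping)
    return v


def worked_case() -> dict:
    """Assumed gripper: 100 N contact force, 20 kg moving mass, 2 kg payload, contact with the hand."""
    flat = ContactCase("hand/fingers", force_n=100.0, contact_area_cm2=2.0, qs_pressure_limit_n_cm2=260.0)
    edge = ContactCase("hand/fingers", force_n=100.0, contact_area_cm2=0.2, qs_pressure_limit_n_cm2=260.0)
    return {
        "flat_pad": check_contact(flat),      # 50 N/cm2: passes on force and pressure
        "sharp_edge": check_contact(edge),    # 500 N/cm2: fails on pressure although the force is fine
        "v_max_hand_m_s": max_transient_speed("hand/fingers", m_h_kg=0.6, k_n_per_m=75_000.0,
                                              robot_moving_mass_kg=20.0, payload_kg=2.0),
    }
```

The same 100 N passes through a 2 cm2 pad and fails through a 0.2 cm2 edge, which is the point of the paragraph above; and once a narrow contact geometry is given to max_transient_speed, the pressure bound, not the force bound, sets the permitted speed.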
4. Risk Assessment Process (ISO 12100)
ISO 12100:2010 (Safety of machinery -- General principles for design -- Risk assessment and risk reduction) provides the overarching framework for risk assessment that underpins all robot safety standards. Every robot installation, whether traditional industrial or collaborative, requires a documented risk assessment following this methodology. Failure to conduct and maintain a current risk assessment is the single most common finding in safety audits and the primary reason for regulatory non-compliance.
4.1 Risk Assessment Methodology
The ISO 12100 risk assessment process follows a structured iterative approach:
- Determine machine limits: Define the scope of the assessment including spatial limits (maximum reach, safeguarded space), temporal limits (machine lifetime, maintenance intervals), use limits (intended use, reasonably foreseeable misuse), and environmental limits (temperature, dust, humidity, electromagnetic environment).
- Hazard identification: Systematically identify all hazards associated with the robot system across all phases of its lifecycle: transport, installation, commissioning, normal operation, teach/programming mode, maintenance, cleaning, troubleshooting, and decommissioning. Hazard categories include mechanical (crushing, shearing, cutting, entanglement, impact, stabbing), electrical, thermal, noise, vibration, radiation, material/substance, ergonomic, and environmental hazards.
- Risk estimation: For each identified hazard, estimate the risk from the severity of the possible harm and the probability of its occurrence, which ISO 12100 breaks down into frequency and duration of exposure, the probability of the hazardous event, and the possibility of avoiding or limiting the harm. Where the risk reduction relies on a safety function, the same elements feed the ISO 13849-1 risk graph (S1/S2 severity, F1/F2 frequency or exposure time, P1/P2 possibility of avoidance) to determine the required Performance Level (PLr).
- Risk evaluation: Determine whether the estimated risk is acceptable or requires further reduction. ISO 12100 treats risk reduction as adequate when all operating conditions and intervention procedures have been considered, hazards have been eliminated or reduced as far as practicable, the chosen protective measures introduce no new hazards, and users are informed of the residual risk. The ALARP test (further reduction would require effort disproportionate to the benefit) is the usual way to argue that point.
- Risk reduction: Apply the three-step method in priority order: (a) inherently safe design measures (eliminate hazards), (b) safeguarding and complementary protective measures (guards, sensors, safety functions), (c) information for use (warnings, instructions, training requirements).
4.2 Hazard Identification for Robot Systems
A thorough hazard identification for a robot cell must consider hazards that are not immediately obvious. Common hazard categories specific to robot systems include:
- Crushing hazards: Between robot and fixed structures, between end-effector and workpiece fixtures, at pinch points between robot joints. Assess for all possible robot positions including during restart from fault conditions.
- Impact hazards: From the robot arm moving at speed, from ejected workpieces or broken tools, from unexpected robot movement during power-up or error recovery.
- Entanglement hazards: Cables, hoses, and pneumatic lines on the robot arm. Loose clothing or hair being caught in rotating joints or spindle tools.
- Ejection hazards: Workpieces, tools, or fasteners ejected due to grip failure, tool breakage, or centrifugal forces. Particularly critical for grinding, milling, and high-speed assembly applications.
- Stored energy hazards: Gravity loads on vertical axes when power is removed (axis drop), pneumatic/hydraulic energy in gripper systems, spring-loaded mechanisms, and capacitor discharge.
- Restart and recovery hazards: Unexpected motion during automatic restart after power interruption, error acknowledgment, or safety function reset. The risk assessment must address every mode transition.
5. Safety Control Systems & Components
The safety control system is the engineered realization of safety functions identified during risk assessment. Modern robot safety systems employ dedicated safety-rated hardware and software that is architecturally independent from the standard machine control system, ensuring that safety functions remain operational even when the primary control system fails.
5.1 Safety PLCs and Controllers
Safety PLCs provide the computational backbone for implementing safety logic in robot cells. Unlike standard PLCs, safety PLCs employ redundant processors, diverse processing, internal diagnostics, and watchdog monitoring to achieve the fault tolerance required for PLd and PLe applications.
| Safety PLC | Manufacturer | Max PL / SIL | Safety I/O | Communication | Best For |
|---|---|---|---|---|---|
| PSS 4000 | Pilz | PLe / SIL 3 | Up to 256 | SafetyNET p, PROFIsafe | Complex multi-robot cells |
| PNOZ m B1 | Pilz | PLe / SIL 3 | Up to 48 | Standalone / fieldbus | Single robot cells |
| Flexi Soft | SICK | PLe / SIL 3 | Up to 48 | EFI, EtherNet/IP CIP Safety | Sensor-integrated solutions |
| GuardLogix 5580 | Rockwell | PLe / SIL 3 | Up to 256+ | CIP Safety over EtherNet/IP | Large-scale integrated lines |
| F-CPU S7-1516F | Siemens | PLe / SIL 3 | Up to 1024 | PROFIsafe | Siemens-ecosystem plants |
| SmartGuard 600 | Rockwell | PLe / SIL 3 | Up to 16 | DeviceNet Safety | Compact standalone cells |
5.2 Safety-Rated Sensing Devices
Safety-rated sensors form the detection layer of the safety system, providing the inputs that trigger safety functions when hazardous conditions are detected. Key sensor categories include:
- Safety light curtains (Type 2 and Type 4 per IEC 61496): Photoelectric presence-sensing devices that detect objects (typically human limbs or bodies) crossing an infrared light beam array. Type 4 light curtains provide the highest safety level (PLe achievable) with finger detection resolution from 14mm. Leading manufacturers include SICK (deTec4, C4000), Pilz (PSENopt II), Keyence (SL-V), and Banner (EZ-SCREEN LS). Mounting distance from the hazard is calculated per ISO 13855.
- Safety laser scanners (Type 3 per IEC 61496-3): 2D LiDAR-based area scanners that monitor configurable protective fields and warning fields. When a person enters the protective field, a safety output triggers. SICK microScan3, Pilz PSENscan, and OMRON OS32C are common choices. Maximum achievable level is PLd. Ideal for irregular cell geometries where light curtains are impractical.
- Safety mats and floors (per ISO 13856-1, pressure-sensitive mats and floors): Pressure-sensitive surfaces that detect when a person is standing in a hazardous area. Commonly used around robot bases and in collaborative workspaces where the floor area constitutes the detection zone. SICK, Schmersal, and ASO Safety provide certified safety mat systems achieving PLd.
- Safety-rated 3D camera systems (vision-based protective devices, IEC TS 61496-4 series): Emerging technology using depth cameras (time-of-flight or structured light) for volumetric presence detection. SICK safeVisionary2, Pilz SafetyEYE, and Veo Robotics FreeMove provide 3D protective field monitoring. These systems enable more flexible collaborative workspaces by monitoring the entire volume rather than a single plane.
- Safety interlock switches: Electromechanical or transponder-coded switches that monitor the position of guards (doors, panels, gates). Per ISO 14119, interlock switches must be selected to resist defeat and must achieve the required PL. Trapped-key interlocks (Fortress, KIRK) provide additional protection by enforcing sequential access procedures.
5.3 Safety Distance Calculation
The minimum distance between a safety sensor and the nearest hazard point is calculated per ISO 13855 to ensure the robot stops before a person can reach the hazard. The general formula is:
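ISO 13855 writes the minimum distance as S = K × T + C, with T = t1 + t2 the total stopping performance (device response time plus robot-system stopping time), K the assumed approach speed and C the intrusion allowance that depends on the device's detection capability and orientation. The Python below is an example added to this guide, not code from ISO 13855 or from any sensor vendor; it implements the two device cases the text discusses (vertical light curtain with normal approach, clause 6.2, and floor-mounted laser scanner with parallel approach, clause 6.4) plus the inverse an auditor needs: the largest T an existing mounting distance supports. All response and stopping times in the worked cases are assumed; take t1 from the device datasheet and t2 from the measured stopping performance of the robot system.

```python
"""Minimum distance S of a protective device from the hazard, per ISO 13855.

Added example for this guide (not text or code from ISO 13855). S = K*T + C with
T = t1 + t2 in seconds, K in mm/s and C in mm. Worked-case timings are assumed.
"""


def light_curtain_distance(resolution_mm: float, t1_s: float, t2_s: float) -> float:
    """S for a vertical light curtain approached perpendicular to the detection plane."""
    t = t1_s + t2_s
    if resolution_mm <= 40.0:                   # finger / hand detection
        c = 8.0 * (resolution_mm - 14.0)        # reach-through allowance; 0 mm at 14 mm resolution
        s = 2000.0 * t + c
        if s > 500.0:                           # second pass permitted with K = 1600 mm/s, but S >= 500 mm
            s = max(1600.0 * t + c, 500.0)
        return max(s, 100.0)                    # never closer than 100 mm
    if resolution_mm <= 70.0:                   # arm / body detection: fixed 850 mm reach-over allowance
        return 1600.0 * t + 850.0
    raise ValueError("resolutions above 70 mm need the multi-beam / body-detection rules")


def max_stopping_performance_light_curtain(installed_distance_mm: float, resolution_mm: float) -> float:
    """Inverse for audits: the largest total time T = t1 + t2 an existing mounting distance supports."""
    if resolution_mm <= 40.0:
        c = 8.0 * (resolution_mm - 14.0)
        if installed_distance_mm < 100.0:
            return 0.0                          # below the 100 mm floor: no stopping time is acceptable
        k = 2000.0 if installed_distance_mm < 500.0 else 1600.0   # the 1600 mm/s pass applies from 500 mm
    elif resolution_mm <= 70.0:
        c, k = 850.0, 1600.0
    else:
        raise ValueError("resolutions above 70 mm need the multi-beam / body-detection rules")
    return max((installed_distance_mm - c) / k, 0.0)


def laser_scanner_distance(t1_s: float, t2_s: float, field_height_mm: float,
                           resolution_mm: float = 70.0) -> float:
    """S for a horizontal protective field approached parallel to the floor (floor-mounted scanner)."""
    if field_height_mm > 1000.0:
        raise ValueError("fields above 1000 mm are outside the parallel-approach case")
    h_min = 15.0 * (resolution_mm - 50.0)       # lowest permitted field height for this resolution
    if field_height_mm < h_min:
        raise ValueError(f"field height must be at least {h_min:.0f} mm for {resolution_mm:.0f} mm resolution")
    c = max(1200.0 - 0.4 * field_height_mm, 850.0)   # low fields need more allowance for stepping over
    return 1600.0 * (t1_s + t2_s) + c


def worked_cases() -> dict:
    """Assumed numbers: t1 datasheet-style response, t2 measured robot-system stopping time."""
    return {
        "curtain_14mm_T0.40s": light_curtain_distance(14.0, 0.10, 0.30),    # 800 > 500 -> 1600*0.4 = 640
        "curtain_30mm_T0.20s": light_curtain_distance(30.0, 0.05, 0.15),    # 528 > 500 -> max(448, 500) = 500
        "curtain_14mm_T0.03s": light_curtain_distance(14.0, 0.01, 0.02),    # 60 -> floor of 100
        "curtain_50mm_T0.30s": light_curtain_distance(50.0, 0.10, 0.20),    # 1600*0.3 + 850 = 1330
        "scanner_H300_T0.50s": laser_scanner_distance(0.08, 0.42, 300.0),   # 800 + (1200 - 120) = 1880
        "scanner_H1000_T0.50s": laser_scanner_distance(0.08, 0.42, 1000.0), # C floors at 850 -> 1650
        "audit_14mm_at_640mm": max_stopping_performance_light_curtain(640.0, 14.0),  # 0.40 s
    }
```

The audit direction is the one that catches retrofits: a curtain that was mounted correctly for a 0.3 s stop silently becomes non-compliant when a heavier tool or a changed brake setting lengthens t2, and the inverse function gives the budget the measured stopping time must stay within.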
6. CE Marking Process & Machinery Directive
CE marking is the legal requirement for placing machinery on the European Economic Area (EEA) market. For robot systems, the primary legislative framework is the Machinery Directive 2006/42/EC (being replaced by the Machinery Regulation EU 2023/1230, with mandatory application from January 2027). Understanding this process is essential for Vietnamese and APAC manufacturers exporting to Europe, as well as for multinational companies standardizing their safety practices globally.
6.1 Machinery Directive 2006/42/EC Essentials
The Machinery Directive establishes Essential Health and Safety Requirements (EHSRs) that all machinery placed on the EU market must satisfy. For robot systems, the most relevant EHSRs include:
- EHSR 1.1.2 -- Principles of safety integration: Machinery must be designed to eliminate or reduce risks as far as possible (inherent safety), take appropriate protection measures for risks that cannot be eliminated, and inform users of residual risks.
- EHSR 1.2.1 -- Safety and reliability of control systems: Control systems must be designed so that they do not lead to hazardous situations. This directly maps to ISO 13849-1 Performance Level requirements and ISO 13849-2 validation requirements.
- EHSR 1.3 -- Protection against mechanical hazards: Detailed requirements for guards, protective devices, and measures against risks from moving parts, falling/ejected objects, and stability.
- EHSR 1.6.1 -- Maintenance: Machinery must be designed so that maintenance, adjustment, and cleaning can be carried out without risk. Access to hazardous areas during maintenance must be addressed through lockout/tagout procedures and maintenance safety modes.
6.2 Conformity Assessment Route
Robot systems normally follow Annex VIII (assessment of conformity with internal checks on the manufacture of machinery): the manufacturer or integrator compiles the technical file and self-declares conformity without involving a Notified Body. Only machinery listed in Annex IV must use EC type-examination (Annex IX) or full quality assurance (Annex X), or Annex VIII applied with harmonized standards that cover all relevant EHSRs. Standard industrial robot cells are not Annex IV machinery, so the self-declaration route applies.
6.3 Technical File Requirements
The technical file is the central documentation package that demonstrates compliance. For a robot system, the technical file must include:
- General description: Overview of the robot system, its intended use, and operational parameters
- Overall drawings and control circuit diagrams: Mechanical layout, electrical schematics, pneumatic/hydraulic circuits, and safety circuit architecture
- Risk assessment documentation: Complete risk assessment per ISO 12100 including hazard identification, risk estimation, risk evaluation, and documentation of all risk reduction measures applied
- Harmonized standards list: List of all EN/ISO standards applied with clause-by-clause compliance mapping
- Safety function specification: Detailed specification of each safety function including required PL/SIL, implemented architecture (Category B/1/2/3/4), MTTFd, DCavg, and CCF measures
- Validation and verification reports: Test reports demonstrating that each safety function achieves the required Performance Level, including FMEA results and functional test protocols
- Installation instructions: Requirements for site preparation, utility connections, and anchoring
- Operating instructions: User manual covering all operating modes, safety procedures, and maintenance schedules
- Declaration of Incorporation: For robot sub-systems delivered as partly completed machinery (per Annex II, Part 1, Section B), together with the assembly instructions required by Annex VI
The Machinery Regulation (EU) 2023/1230 applies from 20 January 2027 and replaces the Directive for machinery placed on the market from that date. Key changes affecting robot systems include: (1) the Declaration of Conformity and instructions may be supplied in digital form, (2) explicit essential requirements on protection against corruption of safety-related software, data and control logic (cybersecurity of safety functions), (3) mandatory third-party conformity assessment for the high-risk categories of Annex I Part A, which include safety components and machinery whose safety functions rely on self-evolving (machine learning) behaviour, and (4) essential requirements for control systems with self-evolving behaviour. Organizations should begin transition planning now: machinery placed on the market after that date must have a technical file demonstrating conformity with the Regulation rather than the Directive.
7. Performance Level (PL) & Safety Integrity Level (SIL)
Performance Level (PL) per ISO 13849-1 and Safety Integrity Level (SIL) per IEC 62061 are two parallel methods for specifying and validating the reliability of safety control systems. While both frameworks can be used for robot safety applications, ISO 13849-1 is more commonly applied in the machinery sector due to its broader applicability to electromechanical, hydraulic, and pneumatic safety components.
7.1 Performance Levels Defined
| Performance Level | PFH_d (1/h) | Equivalent SIL | Typical Robot Application |
|---|---|---|---|
| PL a | ≥ 10^-5 to < 10^-4 | -- | Warning indicators, non-critical signals |
| PL b | ≥ 3 x 10^-6 to < 10^-5 | SIL 1 | Low-severity access control, auxiliary stops |
| PL c | ≥ 10^-6 to < 3 x 10^-6 | SIL 1 | Speed limiting (low exposure), reduced mode |
| PL d | ≥ 10^-7 to < 10^-6 | SIL 2 | Emergency stop, guard interlocking, light curtains |
| PL e | ≥ 10^-8 to < 10^-7 | SIL 3 | Collaborative PFL mode, high-exposure safeguarding |
7.2 PL Calculation Parameters
Achieving a target PL requires satisfying requirements across three quantitative parameters and one qualitative parameter:
- MTTFd (Mean Time to Dangerous Failure): The statistical average time before a dangerous failure occurs in each channel. Classified as Low (3 to 10 years), Medium (10 to 30 years), or High (30 to 100 years). Calculated from component B10d values (for switching components, MTTFd = B10d / (0.1 × n_op), with n_op the mean number of operations per year) or from published failure rates (for electronic components). For calculation purposes the MTTFd of a channel is capped at 100 years; ISO 13849-1:2015 allows up to 2500 years only for Category 4 channels.
- DCavg (Average Diagnostic Coverage): The fraction of dangerous failures that are detected by automatic diagnostics. Classified as None (below 60%), Low (60 to 90%), Medium (90 to 99%), or High (99% and above). Achieved through techniques such as cross-monitoring of redundant channels, test pulses through safety outputs, input signal plausibility checks, and watchdog monitoring.
- CCF (Common Cause Failure): Measures taken to prevent a single cause from simultaneously defeating both channels of a redundant system. Evaluated using a scoring system where at least 65 out of 100 points must be achieved. Measures include physical separation of channels, diversity of components, environmental protection, and design reviews.
- Category (Architecture): The structural arrangement of safety-related components determines the system's fault tolerance and diagnostic behavior. Covered in detail in Section 8.
8. Safety System Architecture (ISO 13849 Categories)
ISO 13849-1 defines five architectural categories (B, 1, 2, 3, 4) that describe the structural behavior of safety-related parts of a control system. The category determines how the system responds to faults -- whether a single fault can lead to loss of the safety function, and whether faults are detected by diagnostics. Category selection is driven by the required Performance Level and the available diagnostic coverage.
8.1 Category Definitions
| Category | Architecture | Fault Behavior | Max Achievable PL | Diagnostic Requirement | Example in Robot Systems |
|---|---|---|---|---|---|
| Cat. B | Single channel, no diagnostics | Single fault can lead to loss of safety function | PL b | None | Basic stop circuits on low-risk auxiliary equipment |
| Cat. 1 | Single channel, well-tried components | Same as Cat. B but uses proven components reducing fault probability | PL c | None | Mechanical hard stops, direct-wired e-stops on small actuators |
| Cat. 2 | Single channel with periodic testing | Loss of safety function between diagnostic tests possible | PL d | Low to Medium | Guard monitoring with periodic test (limited robot applications) |
| Cat. 3 | Dual-channel (redundant) | Single fault does not lead to loss of safety function; some faults detected | PL e | Low to Medium | Emergency stop, guard interlocking, safety-rated speed monitoring |
| Cat. 4 | Dual-channel with high diagnostics | Single fault detected before next demand; accumulation of faults does not lead to loss | PL e | High (≥99%) | Collaborative robot safety functions, high-exposure safeguarding |
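The parameters of Section 7.2 and the categories above combine into a PL through the simplified method of ISO 13849-1 (Table 7), and the risk graph of Section 4.1 supplies the PLr it must meet. The Python below is an example added to this guide, not code from ISO 13849-1 or from any vendor's SISTEMA-style tool; it chains the two: PLr from S/F/P, then channel MTTFd from component B10d or stated MTTFd values, DCavg, classification, and the Table 7 lookup. The worked case is a dual-channel guard interlock evaluated with and without EDM feedback on the contactors. Operating profile, B10d values and diagnostic coverages are assumptions; real figures come from component datasheets and from the diagnostics actually implemented.

```python
"""ISO 13849-1 simplified method: PLr from the risk graph, PL from Category + MTTFd + DCavg.

Added example for this guide, not code from ISO 13849-1 or any vendor tool.
Operating profile, B10d values and diagnostic coverages are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Risk graph (ISO 13849-1 Annex A): S = severity, F = frequency/exposure, P = avoidance.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b", ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d", ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# ISO 13849-1:2015 Table 7: (Category, DCavg class) -> PL by MTTFd class; None = not covered.
PL_TABLE = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


@dataclass(frozen=True)
class Component:
    name: str
    dc: float                            # diagnostic coverage achieved for this part (0.0 .. 0.99)
    mttfd_years: Optional[float] = None  # stated MTTFd (electronics, safety relays)
    b10d_cycles: Optional[float] = None  # B10d for electromechanical parts (switches, contactors)


def n_op(d_op: int, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year (ISO 13849-1 C.4.2)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def component_mttfd(c: Component, ops_per_year: float, cap: float = 100.0) -> float:
    """MTTFd in years; B10d parts use B10d / (0.1 * n_op). Capped at 100 years (2500 only for Cat. 4)."""
    value = c.mttfd_years if c.mttfd_years is not None else c.b10d_cycles / (0.1 * ops_per_year)
    return min(value, cap)


def channel_mttfd(parts, ops_per_year, cap=100.0) -> float:
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i), capped again at the channel level."""
    return min(1.0 / sum(1.0 / component_mttfd(p, ops_per_year, cap) for p in parts), cap)


def dc_avg(parts, ops_per_year, cap=100.0) -> float:
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i): an unmonitored part with low MTTFd drags it down."""
    m = [component_mttfd(p, ops_per_year, cap) for p in parts]
    return sum(p.dc / mi for p, mi in zip(parts, m)) / sum(1.0 / mi for mi in m)


def mttfd_class(years: float) -> Optional[str]:
    if years < 3.0:
        return None                      # below the usable range of the method
    return "low" if years < 10.0 else "medium" if years < 30.0 else "high"


def dc_class(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def achieved_pl(category: str, mttfd_years: float, dcavg: float) -> Optional[str]:
    """PL from Table 7, after mapping DCavg onto what the designated architecture may claim."""
    mc, dcc = mttfd_class(mttfd_years), dc_class(dcavg)
    if mc is None:
        return None
    if category in ("B", "1"):
        dcc = "none"                     # single channel without monitoring: diagnostics earn nothing
    elif category in ("2", "3") and dcc == "high":
        dcc = "medium"                   # DC high only pays off with the fault-accumulation behaviour of Cat. 4
    elif category == "4" and dcc != "high":
        return None                      # Category 4 requires DCavg >= 99 %
    row = PL_TABLE.get((category, dcc))  # Cat. 2/3 with DCavg < 60 % is not a designated architecture
    return None if row is None else row[mc]


def evaluate(category: str, parts, ops_per_year: float, plr: str) -> dict:
    m, d = channel_mttfd(parts, ops_per_year), dc_avg(parts, ops_per_year)
    pl = achieved_pl(category, m, d)
    return {"mttfd_years": m, "dcavg": d, "pl": pl,
            "meets_plr": pl is not None and "abcde".index(pl) >= "abcde".index(plr)}


def example_guard_interlock() -> dict:
    """Assumed case: Cat. 3 guard-door interlock, door opened about once a minute, 16 h/day, 230 days/year."""
    plr = RISK_GRAPH[("S2", "F1", "P2")]          # serious injury, rare exposure, hard to avoid -> PL d
    ops = n_op(d_op=230, h_op=16, t_cycle_s=60)
    interlock = Component("coded interlock switch", dc=0.99, b10d_cycles=2_000_000)
    relay = Component("safety relay", dc=0.99, mttfd_years=150.0)        # capped to 100 years
    contactor_edm = Component("contactor, EDM monitored", dc=0.99, b10d_cycles=1_300_000)
    contactor_blind = Component("contactor, no feedback", dc=0.0, b10d_cycles=1_300_000)
    return {"plr": plr,
            "with_edm": evaluate("3", [interlock, relay, contactor_edm], ops, plr),
            "without_edm": evaluate("3", [interlock, relay, contactor_blind], ops, plr)}
```

With EDM the channel reaches about 26 years MTTFd (medium) and DCavg 99%, which Category 3 can only claim as medium, giving PL d. Remove the contactor feedback and DCavg drops below 60%, so the circuit no longer matches any designated architecture and cannot claim a PL at all, the silent failure described under "Missing feedback monitoring" below.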
8.2 Practical Architecture Selection
For typical robot applications, the following guidelines apply:
- PLd / Category 3: Sufficient for the majority of industrial robot safety functions including emergency stop, perimeter guard interlocking, light curtain-based access protection, and safety-rated monitored stop. This is the most common architecture in standard robot cell installations.
- PLe / Category 3 or 4: Required for collaborative robot applications where humans are in continuous close proximity, particularly Power and Force Limiting mode and Speed and Separation Monitoring. Category 4 is preferred when the accumulation of latent faults must also be addressed.
- PLc / Category 1: May be acceptable for low-exposure, low-severity applications such as robot speed limiting during maintenance modes where additional procedural safeguards are in place.
8.3 Common Architecture Mistakes
Through our safety assessment work across APAC facilities, we observe recurring architectural errors that compromise safety system integrity:
- Single-channel e-stop circuits: Wiring the emergency stop through a single contactor without redundancy. This creates a Category B architecture at best and fails to meet the PLd requirement for emergency stop functions.
- Missing feedback monitoring: Omitting External Device Monitoring (EDM) on output contactors. Without feedback monitoring, a welded contactor (common failure mode) is not detected, and the safety function silently fails.
- Shared wiring channels: Routing both channels of a redundant safety circuit through the same cable or conduit, defeating the common cause failure protection that redundancy is intended to provide.
- Incorrect safety relay configuration: Using a safety relay with Category 2 internal architecture for an application requiring Category 3 or 4. Always verify the internal category of safety components against the system-level requirement.
9. APAC Safety Regulations
While ISO standards provide the technical foundation, each APAC country maintains its own regulatory framework for machinery and workplace safety. Understanding these regional requirements is essential for robot deployments across Southeast Asian and East Asian markets.
9.1 Vietnam -- QCVN and Labor Safety
Vietnam's regulatory framework for machinery safety is governed by the Ministry of Labour, Invalids and Social Affairs (MOLISA) under the Law on Occupational Safety and Hygiene (No. 84/2015/QH13). Key regulations include:
- QCVN 09:2012/BLDTBXH: National technical regulation on occupational safety for machinery and equipment, covering general safety requirements applicable to industrial robots. Largely aligned with IEC and ISO principles but with Vietnam-specific documentation and inspection requirements.
- Circular 36/2019/TT-BLDTBXH: Lists equipment and machinery subject to strict safety requirements including industrial robots exceeding specific payload thresholds. Requires pre-use safety inspection by an authorized inspection body.
- QCVN 01:2008/BLDTBXH: National technical regulation on safety of electrical equipment, applicable to robot control systems and power distribution for robot cells.
- Inspection requirements: Robot systems classified as "equipment with strict safety requirements" must undergo initial safety inspection before commissioning, and periodic reinspection every 2-3 years by a MOLISA-authorized inspection organization. The inspection covers mechanical integrity, electrical safety, protective devices, and operator training documentation.
- Practical note: While Vietnam does not mandate CE marking for domestic use, many Vietnamese manufacturers targeting export markets implement ISO 10218 / ISO/TS 15066 compliance as a baseline. International companies operating in Vietnam typically apply their corporate safety standards, which usually reference or exceed ISO requirements.
9.2 Singapore -- WSH Act and SS ISO Standards
Singapore maintains one of the most comprehensive workplace safety frameworks in APAC through the Workplace Safety and Health (WSH) Act and its subsidiary regulations:
- WSH Act (Chapter 354A): Overarching legislation requiring all employers to take reasonably practicable measures to ensure safety. Penalties for non-compliance include fines up to SGD 500,000 and imprisonment.
- WSH (General Provisions) Regulations: Specific provisions for machinery safety, requiring risk assessments, safe work procedures, and trained operators for robot systems.
- SS ISO 10218-1 and SS ISO 10218-2: Singapore has adopted ISO 10218 as Singapore Standards, giving them regulatory standing when referenced in WSH guidelines.
- WSH Guidelines on Safe Use of Machinery: Ministry of Manpower (MOM) guidance document specifically referencing industrial robot safety requirements, collaborative robot deployment considerations, and recommended safeguarding approaches.
- Approved Code of Practice (ACOP) for Robotic Systems: Industry code providing practical implementation guidance aligned with ISO 10218 and ISO/TS 15066 in the Singapore context. Includes specific requirements for risk assessment documentation and safety validation for installations.
9.3 Thailand -- TIS Standards and Factory Act
- Factory Act B.E. 2535 (1992): Requires all factories to implement safety measures for machinery. The Department of Industrial Works (DIW) oversees compliance for robot installations in factory settings.
- TIS 2570: Thai Industrial Standard for safety of machinery -- largely harmonized with ISO 12100 principles. Applicable to robot system risk assessments.
- Ministerial Regulation on Machinery Safety B.E. 2564 (2021): Updated regulation requiring safety devices on machinery posing hazards to workers, with specific provisions for automated and robotic systems. Mandates safety training for operators and maintenance personnel.
- BOI compliance: Robot systems imported under Board of Investment incentive programs must demonstrate compliance with applicable safety standards as part of the project approval process.
9.4 Japan -- JIS Standards and MHLW Guidelines
Japan has the world's highest robot density and correspondingly mature safety regulations:
- Industrial Safety and Health Act (ISHA): Article 150 and associated Ordinance on Industrial Robots (Article 150-3 through 150-4) establish specific requirements including restricted area controls, speed limitations during teaching mode (250 mm/s for manual teaching), and qualifications for robot operators and maintenance technicians.
- JIS B 8433-1 and JIS B 8433-2: Japanese translations of ISO 10218-1 and ISO 10218-2 adopted as Japanese Industrial Standards. Compliance with JIS B 8433 is the de facto standard for all robot installations in Japan.
- JIS B 8433-1:2023 Amendment: Japan's adoption includes supplementary requirements for collaborative robot safety that go beyond ISO/TS 15066 in certain areas, particularly regarding operator training requirements and safety validation frequency.
- MHLW Guidelines for Collaborative Robots (2016, revised 2023): Ministry of Health, Labour and Welfare guidelines specifying conditions under which collaborative robots can operate without physical guarding, including power/force limits aligned with ISO/TS 15066 and additional requirements for risk assessment review frequency.
- Robot operator qualifications: Japan requires specific training and certification for robot operators (robot teaching) and maintenance personnel. The Japan Robot Association (JARA) and Japan Industrial Safety and Health Association (JISHA) provide standardized training programs recognized by MHLW.
| Aspect | Vietnam | Singapore | Thailand | Japan |
|---|---|---|---|---|
| Primary Authority | MOLISA | MOM / WSH Council | DIW / Ministry of Labour | MHLW |
| Robot-Specific Standard | QCVN 09:2012 (general) | SS ISO 10218-1/2 | TIS 2570 (general) | JIS B 8433-1/2 |
| Cobot Guidelines | No specific regulation | WSH Guidelines + ACOP | No specific regulation | MHLW Guidelines (2023) |
| Mandatory Inspection | Yes (periodic) | Risk-based approach | Yes (factory license) | Yes (annual) |
| Operator Certification | General safety training | WSH training framework | General safety training | Specific robot certification |
| Penalty Severity | Moderate | Severe (up to SGD 500K) | Moderate | Severe (criminal liability) |
| CE/ISO Recognition | Accepted, not mandatory | SS ISO adopted standards | TIS references ISO | JIS adopts ISO |
10. Common Safety Violations & How to Avoid Them
Based on our safety assessment experience across manufacturing facilities in Vietnam, Singapore, Thailand, and broader APAC, the following are the most frequently observed safety violations in robot installations. Each violation is accompanied by the corrective action required to achieve compliance.
10.1 Risk Assessment Deficiencies
- Violation: No documented risk assessment exists, or the risk assessment was performed at initial installation but never updated after process changes, tool changes, or layout modifications.
Corrective Action: Conduct a comprehensive risk assessment per ISO 12100 for the current system configuration. Establish a Management of Change (MOC) procedure that triggers risk assessment review whenever hardware, software, tooling, or layout changes are made to the robot system. Review the risk assessment at minimum annually even without changes.
- Violation: Risk assessment does not cover all lifecycle phases, particularly maintenance, error recovery, and teach mode operations.
Corrective Action: Extend the hazard identification to explicitly cover every operational mode including teach/manual, automatic, maintenance/service, error recovery, power loss and recovery, and emergency conditions. Document specific risk reduction measures for each mode.
10.2 Safeguarding Failures
- Violation: Physical guards have gaps that allow access to the robot's hazard zone. Common examples include gaps under fencing (exceeding ISO 13857 Table 4 limits), missing infill panels replaced with cable ties or zip ties, and guard doors that can be opened without tools while the robot is running.
Corrective Action: Audit all physical guards against ISO 13857 safe distance tables. Gaps at floor level must not exceed 180mm (for body access from standing) or must be reduced to prevent finger access (<4mm) at reachable heights. All access doors must have safety-interlocked switches with guard locking where the risk assessment identifies a rundown hazard.
- Violation: Safety sensors (light curtains, laser scanners) are mounted at incorrect distances, allowing a person to reach the hazard point before the robot stops.
Corrective Action: Recalculate safety distances per ISO 13855 using the actual measured stopping time of the robot system (not the specification value). The stopping time must be measured at the worst-case speed and payload configuration. Add appropriate margin and document the calculation in the technical file.
- Violation: Defeated or bypassed safety devices -- interlocks jumpered, light curtain beams blocked with tape, safety mat connectors bridged.
Corrective Action: Implement tamper-resistant safety devices (coded safety switches per ISO 14119, high-coding level). Establish a safety device bypass management procedure that requires documented authorization, temporary bypass monitoring, and restoration verification. Consider safety system monitoring that logs and alerts on unusual safety device behavior.
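The safety distance recalculation called for above can be scripted so that the worst measured stopping time, not the datasheet value, always drives the result. The following is an added example, not code from the original guide or from any of the organisations it names. The relationship S = K*T + C, the approach speeds K = 2000 mm/s (and 1600 mm/s where S exceeds 500 mm, with S then not below 500 mm), the intrusion allowance C = 8(d - 14) for a detection capability d of 40 mm or less, and the 100 mm absolute minimum are the ISO 13855 rules for a vertical light curtain approached perpendicularly; all stopping-time and response-time figures in the block are constructed for illustration.

```python
# Added example (not from the original guide): ISO 13855 minimum distance for a
# vertical light curtain approached perpendicularly, driven by the WORST measured
# stopping time rather than the datasheet value, as section 10.2 recommends.
# Constants (K = 2000 mm/s; K = 1600 mm/s permitted when S > 500 mm, with S >= 500 mm;
# C = 8(d - 14) for resolution d <= 40 mm; absolute minimum S = 100 mm) are the
# ISO 13855 values for this configuration. All timing samples below are constructed.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class StopTimeSample:
    """One measured stopping time of the robot system for a given test condition."""
    condition: str      # e.g. "100 % speed, maximum payload, extended reach"
    t_stop_s: float     # seconds from stop command to standstill, from calibrated timing equipment


def total_stopping_time_s(samples: Sequence[StopTimeSample], t_device_s: float) -> float:
    """T = T1 + T2: protective-device/logic response time plus the worst measured robot stopping time."""
    if not samples:
        raise ValueError("at least one measured stopping time is required")
    return t_device_s + max(s.t_stop_s for s in samples)


def intrusion_allowance_mm(resolution_mm: float) -> float:
    """C = 8 * (d - 14) mm for detection capability d <= 40 mm (hand detection), never negative."""
    if resolution_mm > 40.0:
        raise ValueError("C = 8(d - 14) applies only to d <= 40 mm; coarser resolutions use other ISO 13855 rules")
    return max(0.0, 8.0 * (resolution_mm - 14.0))


def minimum_distance_mm(t_total_s: float, resolution_mm: float) -> float:
    """Minimum distance S from the detection plane to the nearest hazard point, in mm."""
    c = intrusion_allowance_mm(resolution_mm)
    s = 2000.0 * t_total_s + c                  # K = 2000 mm/s hand/arm approach speed
    if s > 500.0:                               # above 500 mm a walking speed K = 1600 mm/s may be used...
        s = max(500.0, 1600.0 * t_total_s + c)  # ...but S may then not fall below 500 mm
    return max(100.0, s)                        # absolute minimum for this configuration


def mounting_is_compliant(installed_mm: float, required_mm: float, margin_mm: float = 0.0) -> bool:
    """True when the as-built distance covers the calculated S plus the documented engineering margin."""
    return installed_mm >= required_mm + margin_mm


if __name__ == "__main__":
    # Constructed measurements: three timing runs at the worst-case speed/payload configuration.
    runs = [
        StopTimeSample("100 % speed, max payload, run 1", 0.35),
        StopTimeSample("100 % speed, max payload, run 2", 0.41),
        StopTimeSample("100 % speed, max payload, run 3", 0.38),
    ]
    # 0.02 s = constructed light curtain + safety relay response time (T1).
    t_total = total_stopping_time_s(runs, t_device_s=0.02)
    s_req = minimum_distance_mm(t_total, resolution_mm=30.0)
    print(f"T = {t_total:.3f} s, required S = {s_req:.0f} mm")
    print("installed at 700 mm with 50 mm margin compliant:",
          mounting_is_compliant(700.0, s_req, margin_mm=50.0))
```

Note that the three runs are taken at the same worst-case condition and only the slowest stop is used; with a 0.02 s device response the total T is 0.43 s, and a 30 mm resolution curtain must then sit at least 816 mm from the hazard point. A curtain installed at 700 mm would fail even before the margin is applied, which is exactly the fault the violation above describes.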
10.3 Collaborative Robot Errors
- Violation: Deploying a collaborative robot in Power and Force Limiting mode without validating that contact forces remain within ISO/TS 15066 limits for the specific end-effector and workpiece geometry. A UR10e with a sharp-edged metal workpiece can easily exceed pressure limits even at reduced speed.
Corrective Action: Measure actual contact forces and pressures using calibrated force measurement equipment (such as the PILZ PRMS system or the Robotiq FT 300) for all reasonably foreseeable contact scenarios. Calculate effective pressure using the actual contact area. Add padding, chamfer edges, or implement additional safeguarding (SSM mode) if PFL limits cannot be met.
- Violation: Assuming that a collaborative robot is inherently safe and does not require a risk assessment. Marketing materials from cobot manufacturers sometimes inadvertently create this impression.
Corrective Action: Every collaborative robot application requires a full risk assessment per ISO 12100, regardless of the robot's inherent safety features. The risk assessment must consider the complete application including end-effector, workpiece, process forces, and environmental context. A cobot welding application, for example, has very different safety requirements than a cobot performing light assembly.
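The force and pressure check described in the first corrective action above reduces to a small calculation per contact scenario: effective pressure is the measured peak force divided by the actual contact area, and each value is compared against the limit for the body region involved. The block below is an added example, not code from the original guide or from any manufacturer it names. It goes slightly beyond the text by also handling transient (free-impact) versus quasi-static (clamping) contact, using the factor of 2 that ISO/TS 15066 applies to the quasi-static limits where transient contact is permitted, and by reporting the minimum contact area that would bring the pressure within the limit, which is the quantity a padding or edge-radius change has to achieve. The limit figures and measurements in the block are constructed placeholders: the real limits per body region come from ISO/TS 15066 Annex A.

```python
# Added example (not from the original guide): checking measured Power and Force
# Limiting (PFL) contact data against body-region limits, as section 10.3 requires.
# Effective pressure = peak force / ACTUAL contact area. Transient (free-impact)
# contact is compared against the quasi-static limits scaled by the region's
# transient factor (2 where ISO/TS 15066 permits transient contact at all).
# Limit values and measurements below are constructed PLACEHOLDERS, not Annex A data.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class BodyRegionLimit:
    region: str
    quasi_static_force_n: float          # clamping/crushing contact limit, N
    quasi_static_pressure_n_cm2: float   # clamping/crushing contact limit, N/cm^2
    transient_factor: float = 2.0        # multiplier for free-impact contact; 0 = transient contact not permitted


@dataclass(frozen=True)
class ContactMeasurement:
    scenario: str
    region: str               # body region that could be struck or clamped in this scenario
    peak_force_n: float       # from calibrated force measurement equipment
    contact_area_cm2: float   # effective contact area from pressure film/sensor, cm^2
    transient: bool           # True = free impact, False = clamping against a fixed surface


def effective_pressure_n_cm2(force_n: float, area_cm2: float) -> float:
    """Pressure on the body region; a sharp edge (small area) drives this up at constant force."""
    if area_cm2 <= 0.0:
        raise ValueError("contact area must be positive")
    return force_n / area_cm2


def applicable_limits(limit: BodyRegionLimit, transient: bool) -> tuple:
    """(force limit, pressure limit) for the contact type under evaluation."""
    if not transient:
        return limit.quasi_static_force_n, limit.quasi_static_pressure_n_cm2
    if limit.transient_factor <= 0.0:
        return 0.0, 0.0   # transient contact with this region is not permitted at any force
    return (limit.quasi_static_force_n * limit.transient_factor,
            limit.quasi_static_pressure_n_cm2 * limit.transient_factor)


def evaluate_contact(m: ContactMeasurement, limit: BodyRegionLimit) -> dict:
    """Compare one measured scenario against its region limits and size the fix if it fails."""
    f_lim, p_lim = applicable_limits(limit, m.transient)
    p = effective_pressure_n_cm2(m.peak_force_n, m.contact_area_cm2)
    # Smallest contact area (padding, chamfer, larger radius) that meets the pressure limit at this force.
    min_area = m.peak_force_n / p_lim if p_lim > 0.0 else float("inf")
    return {
        "scenario": m.scenario,
        "force_n": m.peak_force_n, "force_limit_n": f_lim, "force_ok": m.peak_force_n <= f_lim,
        "pressure_n_cm2": p, "pressure_limit_n_cm2": p_lim, "pressure_ok": p <= p_lim,
        "min_area_cm2": min_area,
        "compliant": m.peak_force_n <= f_lim and p <= p_lim,
    }


def non_compliant_scenarios(measurements: Sequence[ContactMeasurement],
                            limits: Sequence[BodyRegionLimit]) -> list:
    """Scenario names needing redesign (padding, edge treatment, speed reduction, or SSM safeguarding)."""
    by_region = {l.region: l for l in limits}
    failing = []
    for m in measurements:
        if not evaluate_contact(m, by_region[m.region])["compliant"]:
            failing.append(m.scenario)
    return failing


if __name__ == "__main__":
    # PLACEHOLDER limits for the example only; substitute the ISO/TS 15066 Annex A values.
    limits = [BodyRegionLimit("hand/finger", 100.0, 150.0), BodyRegionLimit("chest", 120.0, 100.0)]
    # Constructed measurements for a gripper carrying a sharp-edged metal workpiece.
    measurements = [
        ContactMeasurement("sharp-edged workpiece, free impact on hand", "hand/finger", 150.0, 0.4, True),
        ContactMeasurement("same scenario after foam padding on gripper", "hand/finger", 150.0, 2.0, True),
        ContactMeasurement("clamp between tool and fixture, hand", "hand/finger", 120.0, 3.0, False),
    ]
    for m in measurements:
        r = evaluate_contact(m, next(l for l in limits if l.region == m.region))
        print(f"{r['scenario']}: p={r['pressure_n_cm2']:.0f} N/cm2 (limit {r['pressure_limit_n_cm2']:.0f}), "
              f"F={r['force_n']:.0f} N (limit {r['force_limit_n']:.0f}), compliant={r['compliant']}")
    print("needs redesign:", non_compliant_scenarios(measurements, limits))
```

The constructed data makes the two distinct failure modes visible: the sharp-edged free impact passes on force but fails on pressure (150 N over 0.4 cm² is 375 N/cm² against a 300 N/cm² transient limit, so at least 0.5 cm² of contact area is needed), while the clamping case passes on pressure but fails on force, which padding cannot fix and which calls for a lower force limit or a different safeguarding mode.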
10.4 Electrical and Control System Issues
- Violation: Emergency stop circuits that do not meet the required Performance Level (typically PLd). Common issues include single-channel wiring, missing feedback monitoring on contactors, and use of non-safety-rated relay modules.
Corrective Action: Replace with a certified safety relay or safety PLC architecture achieving the required PL. Implement dual-channel e-stop circuits with EDM (external device monitoring) on all power contactors. Use only safety-rated components with published MTTFd values.
- Violation: Safety functions implemented in the standard robot controller software rather than in safety-rated hardware/software. Standard PLC programs are not designed or validated for safety-critical functions.
Corrective Action: Migrate all safety functions to safety-rated controllers. Robot OEMs provide safety-rated functions (STO, SLS, SLP, SOS) within the robot controller that are pre-validated to PLd or PLe. Additional safety logic must run on safety PLCs, not standard PLCs.
11. Safety Audit Checklist
The following checklist provides a structured framework for conducting safety audits on industrial and collaborative robot installations. This checklist is organized by assessment area and references the applicable standards for each item. Use this as a starting point and customize based on your specific application and regional requirements.
11.1 Documentation Review
- Risk assessment per ISO 12100 exists, is current, and covers all lifecycle phases
- Risk assessment has been reviewed/updated after any system modifications
- Safety function specification documents the required PLr for each safety function
- PL verification calculations demonstrate achieved PL meets or exceeds PLr
- Electrical schematics including safety circuits are current and accurate
- CE Declaration of Conformity (or Declaration of Incorporation) is available
- Technical file is complete per Machinery Directive Annex VII requirements
- Operating instructions cover all modes including teach, automatic, maintenance, and recovery
- Maintenance schedule including safety device inspection intervals is documented
- Training records for robot operators and maintenance personnel are current
11.2 Physical Safeguarding
- Perimeter guards are intact with no gaps exceeding ISO 13857 limits
- Guard height is adequate to prevent reaching over (minimum 1400mm, typically 1800mm or higher based on risk assessment)
- Floor-level gaps comply with ISO 13857 Table 4 (max 180mm for foot/leg access prevention)
- All access doors have safety interlock switches that meet required PL
- Guard locking is provided where a rundown hazard exists (the robot does not reach a safe state immediately after the guard is opened)
- Safety interlock switches are tamper-resistant with appropriate coding level per ISO 14119
- No evidence of safety device bypass or defeat
- Safety signage is present at all access points per ISO 3864-1
- Emergency stop devices are accessible from all operator positions and clearly identified
- Emergency stop devices are tested at documented intervals and results recorded
11.3 Safety Control System
- Safety functions are implemented on safety-rated hardware (safety PLC, safety relay, or robot safety controller)
- Emergency stop circuits achieve minimum PLd with Category 3 or 4 architecture
- Dual-channel architecture is verified with correct cross-monitoring
- External device monitoring (EDM) is implemented on all safety output contactors
- Safety PLC/relay firmware version matches the validated configuration
- Safety parameters (speed limits, force limits, zone boundaries) match risk assessment requirements
- No safety-critical functions are running on standard (non-safety) controllers
- Safe Torque Off (STO) or equivalent drive safety function is correctly wired and validated
- Safety system response time has been measured and documented (not just specification value)
- All safety-rated components have valid certificates (TUV, BG, or equivalent)
11.4 Collaborative Robot Specific
- Collaborative operation mode is clearly defined (SMS, Hand Guiding, SSM, or PFL)
- Contact force measurements have been performed for all foreseeable contact scenarios
- Measured forces and pressures are within ISO/TS 15066 Annex A limits for relevant body regions
- End-effector design minimizes contact pressure (rounded edges, compliant surfaces)
- Workpiece geometry has been assessed for concentrated force/pressure risk
- Speed and separation monitoring configuration has been validated against ISO/TS 15066 formula (if SSM mode)
- Collaborative workspace boundaries are clearly marked on the floor
- Collaborative workspace is free from additional hazards (sharp edges, hot surfaces, chemical exposure)
- Operator training specifically covers collaborative operation procedures and emergency response
- Re-assessment is triggered when end-effector, workpiece, or process parameters change
11.5 Periodic Verification Schedule
| Verification Item | Frequency | Method | Reference Standard |
|---|---|---|---|
| Emergency stop function test | Daily (per shift) or weekly | Manual activation from each e-stop station | ISO 10218-2 Clause 5.4 |
| Guard interlock function test | Weekly or monthly | Open each guard door, verify robot stops | ISO 14119 |
| Light curtain / laser scanner test | Daily or weekly | Prescribed test object per manufacturer | IEC 61496-1 Clause 5.4 |
| Safety mat function test | Weekly | Step on each mat zone, verify robot stops | IEC 61496-4 |
| Robot stopping time measurement | Annually or after changes | Calibrated timing measurement at full speed/load | ISO 13855 |
| Collaborative force/pressure measurement | Annually or after changes | Contact force measurement system | ISO/TS 15066 Annex A |
| Safety distance verification | Annually or after changes | Physical measurement + calculation review | ISO 13855 |
| Complete risk assessment review | Annually minimum | Document review + on-site verification | ISO 12100 |
| Safety system comprehensive audit | Every 2-3 years | Full audit by qualified safety engineer | ISO 10218-2, regional regulations |
Seraphim Vietnam provides comprehensive robot safety assessments covering risk assessment per ISO 12100, safeguarding design per ISO 10218-2, collaborative robot validation per ISO/TS 15066, CE marking technical file preparation, and regional compliance audits for APAC markets. Our safety engineers hold TUV Functional Safety Engineer (FSEng) and Certified Machinery Safety Expert (CMSE) credentials. Contact us to schedule an assessment or discuss your compliance requirements.