Functional Safety Standards for Robotics Architecture
Functional safety standards define the engineering requirements that robotic systems must satisfy to operate without causing unacceptable risk to people, equipment, or the environment — even when hardware fails or software behaves unexpectedly. These standards span industrial manipulators, mobile platforms, surgical systems, and autonomous vehicles, and they carry legal and contractual weight in procurement, certification, and liability contexts. The frameworks discussed here are published by recognized international and national standards bodies, including the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and ANSI/RIA in the United States.
Definition and scope
Functional safety, as defined by IEC 61508, is the part of the overall safety of a system that depends on the correct functioning of safety-related systems and external risk-reduction facilities. IEC 61508 — the foundational generic standard — establishes Safety Integrity Levels (SILs) ranging from SIL 1 through SIL 4, where SIL 4 demands the highest reliability and is typically reserved for systems where failure could result in catastrophic, irreversible harm.
For robotics specifically, ISO 10218 (Parts 1 and 2) governs the safety requirements for industrial robots and robot systems, addressing design, construction, and integration. ISO 10218-1 covers robot manufacturers; ISO 10218-2 covers system integrators. Complementing these, ISO/TS 15066 extends the framework to collaborative robot operations, specifying biomechanical limits for contact forces and pressures — for example, setting transient contact force thresholds for specific body regions to prevent injury during human-robot collaboration.
The scope of functional safety does not encompass all safety engineering. It explicitly excludes safety hazards arising from non-functional causes such as toxic materials or electrical shock (addressed by separate directives), focusing instead on failures in the logic-solving and actuation chain. The safety architecture for robotics intersects functional safety at every layer of the control stack, from sensor inputs through to actuator commands.
How it works
Functional safety implementation follows a structured lifecycle defined in IEC 61508 and its sector-specific derivatives. The process unfolds in discrete phases:
- Hazard and Risk Assessment — Identify hazards, estimate the probability and severity of harm, and determine whether risk reduction is required. ISO 12100 provides the methodology for machinery risk assessment that feeds this phase.
- Safety Requirements Specification — Document what the safety function must achieve and assign a target SIL or Performance Level (PL).
- Architecture Design — Select hardware and software structures — redundancy, diversity, diagnostics — sufficient to achieve the target integrity level.
- Implementation and Verification — Code, configure, and test safety-related software against the specification. IEC 61508-3 mandates specific software development practices including formal methods and structured testing for higher SIL targets.
- Validation — Confirm that the complete integrated system meets the original safety requirements under representative conditions.
- Operation, Maintenance, and Modification — Maintain functional safety through the operational life, with re-assessment triggered by any significant change.
ISO 13849, a machinery-specific standard, translates the SIL framework into Performance Levels (PL a through PL e), using Mean Time to Dangerous Failure (MTTFd), Diagnostic Coverage (DC), and Common Cause Failure (CCF) as the three quantitative pillars. PL e — the highest level — requires MTTFd of 30 years or greater per channel, diagnostic coverage above 99%, and stringent CCF mitigation. This standard is particularly prevalent in industrial robotics architecture where EU Machinery Directive compliance is required.
Fault tolerance in robotics design is the architectural mechanism through which these requirements are physically realized — through dual-channel monitoring, watchdog timers, safe-state logic, and category-rated stop functions.
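The mechanisms listed above fit together in a single piece of control logic, and the Python below is an added example of one such design; it is not code from the page, from a safety PLC vendor or from a standard. It models a two-channel (1oo2) stop input: either channel demanding a stop de-energizes the outputs at once, a disagreement between the channels that outlasts a discrepancy window latches a fault, a missed watchdog kick is treated like a stop demand, the controller powers up in the safe state, and RUN is re-entered only through an explicit reset while both channels and the watchdog are healthy. The timing windows, the fault-clearing rule and the traces are constructed values chosen for illustration.

```python
"""Dual-channel (1oo2) stop-input monitor with discrepancy timing and a watchdog.

Added example; not code from the page, from a safety PLC vendor or from a
standard. Timing windows, the rule that a latched discrepancy fault clears only
after both contacts have been seen open, and all traces are constructed.
"""
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    RUN = "run"            # safety outputs energized
    SAFE_STATE = "safe"    # safety outputs de-energized, drives stopped


class DualChannelMonitor:
    def __init__(self, discrepancy_ms: int = 500, watchdog_ms: int = 100) -> None:
        self.discrepancy_ms = discrepancy_ms
        self.watchdog_ms = watchdog_ms
        self.state = State.SAFE_STATE            # power up stopped, never in RUN
        self.reason: Optional[str] = "power-on"  # why RUN was last left
        self.fault: Optional[str] = None         # latched fault, blocks reset
        self._mismatch_since: Optional[int] = None
        self._last_kick_ms: Optional[int] = None

    def _trip(self, reason: str) -> None:
        if self.state is State.RUN:
            self.reason = reason                 # record the first cause only
        self.state = State.SAFE_STATE

    def _watchdog_ok(self, t_ms: int) -> bool:
        return (self._last_kick_ms is not None
                and t_ms - self._last_kick_ms <= self.watchdog_ms)

    def step(self, t_ms: int, ch_a: bool, ch_b: bool, kick: bool) -> State:
        """One scan. ch_a / ch_b are True while that channel permits running;
        kick is True when the supervised controller serviced the watchdog."""
        if kick:
            self._last_kick_ms = t_ms
        if not self._watchdog_ok(t_ms):
            self._trip("watchdog timeout")
        # The channels may differ briefly (contact bounce, cable length); a
        # difference that outlasts the window means a contact is stuck or shorted.
        if ch_a != ch_b:
            if self._mismatch_since is None:
                self._mismatch_since = t_ms
            elif t_ms - self._mismatch_since > self.discrepancy_ms:
                self.fault = "channel discrepancy"
        else:
            self._mismatch_since = None
            if not ch_a and not ch_b:
                self.fault = None   # both contacts seen open: full stop cycle verified
        # 1oo2 for stopping: one channel demanding a stop is enough.
        if not ch_a:
            self._trip("stop demand on channel A")
        elif not ch_b:
            self._trip("stop demand on channel B")
        if self.fault is not None:
            self._trip(self.fault)
        return self.state

    def reset(self, t_ms: int, ch_a: bool, ch_b: bool) -> bool:
        """Manual reset. Returns True only if RUN was entered: no latched fault,
        both channels permit running, no mismatch pending, watchdog alive."""
        if (self.fault is not None or not (ch_a and ch_b)
                or self._mismatch_since is not None or not self._watchdog_ok(t_ms)):
            return False
        self.state = State.RUN
        self.reason = None
        return True


def run_trace(monitor: DualChannelMonitor,
              trace: List[Tuple[int, bool, bool, bool]]) -> List[State]:
    """Feed (t_ms, ch_a, ch_b, kick) rows to the monitor; return the state after each scan."""
    return [monitor.step(*row) for row in trace]


if __name__ == "__main__":
    m = DualChannelMonitor()
    m.step(0, True, True, True)                     # healthy inputs alone do not start it
    print("reset accepted:", m.reset(0, True, True))
    run_trace(m, [(t, True, True, True) for t in range(10, 60, 10)])
    print("channel B opens ->", m.step(60, True, False, True).name, "|", m.reason)
```

Two properties of this structure are the ones an assessor looks for: every failure path (stop demand, persistent mismatch, silent controller) ends in the same de-energized state, and nothing returns the system to RUN without a reset that re-checks all three conditions, so a stuck contact cannot be masked by the other channel and a hung controller cannot keep the outputs energized.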
Common scenarios
Three domains generate the highest volume of functional safety certification activity in the robotics sector:
Industrial manipulation and integration — Robot cells governed by ISO 10218-2 require integrators to conduct risk assessments and implement safeguarded spaces with interlocked perimeter guards or safety-rated area scanners. A Category 3, PL d safety-rated monitored stop is the typical minimum requirement for collaborative operation entry points.
Collaborative robotics (cobots) — ISO/TS 15066 defines four permitted collaboration modes: safety-rated monitored stop, hand guiding, speed and separation monitoring, and power and force limiting. Each mode imposes different architectural constraints on robot control system design, including the use of certified safe-speed monitoring modules and force/torque sensing with safety-rated signal processing.
Surgical and medical robotics — IEC 62304 governs medical device software lifecycle processes and applies directly to surgical robotics architecture. Class C software — where failure could result in death or serious injury — demands the most rigorous development, verification, and change management processes under this standard.
Decision boundaries
The choice between applying IEC 61508 directly, using ISO 13849, or invoking a sector-specific derivative (such as IEC 62061 for machinery) depends on the system category and the market into which the product is placed.
| Standard | Primary application | Integrity metric |
|---|---|---|
| IEC 61508 | Generic electrical/electronic/programmable systems | SIL 1–4 |
| ISO 13849 | Machinery safety-related control systems | PL a–e |
| IEC 62061 | Complex programmable machinery safety systems | SIL 1–3 |
| ISO 10218 | Industrial robots | Derived PL requirements |
| IEC 62304 | Medical device software | Class A/B/C |
A critical distinction exists between Type A standards (generic, foundational — IEC 61508) and Type B/C standards (group/product-specific — ISO 10218, IEC 62304). Type A standards set the underlying framework; Type B and C standards take precedence for covered product categories when fully harmonized with applicable regulatory directives. The functional safety and ISO framework for robotics page maps these relationships in greater detail.
The robotics architecture overview at the site index provides the broader structural context within which these standards operate across platform types and deployment environments.
References
- IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
- ISO 10218-1 & 10218-2: Robots and Robotic Devices — Safety Requirements for Industrial Robots
- ISO/TS 15066: Robots and Robotic Devices — Collaborative Robots
- ISO 13849-1: Safety of Machinery — Safety-Related Parts of Control Systems
- IEC 62304: Medical Device Software — Software Life Cycle Processes
- ISO 12100: Safety of Machinery — General Principles for Design
- ANSI/RIA R15.06: Industrial Robots and Robot Systems — Safety Requirements