Is functional safety legally required for industrial robots?

Yes. The Machinery Directive requires a risk assessment and risk-reduction measures demonstrated to a verifiable integrity level. ISO 10218 and ISO/TS 15066 set out the specific requirements for industrial and collaborative robots respectively.

What is the difference between a category 0, 1 and 2 stop?

Category 0 cuts power immediately; category 1 brakes the robot in a controlled manner before cutting power; category 2 brakes without cutting power, maintaining torque on the axes. The right choice depends on the risk assessment and the process.

How often should functional safety be re-validated?

No universal interval is fixed by the standards, but re-validation is recommended after any change to the equipment or process, and at least every time a major overhaul of the installation is carried out. The guiding principle is that any change that could affect safety behaviour must be re-validated.

Functional safety for robots: zones, interlocks and validation

Installing a perimeter fence and an emergency stop button is not enough to ensure the safety of a robotic cell. Functional safety goes much further: it is the complete set of technical, organisational and validation measures that ensure the system responds correctly to any failure — including failure of the safety system itself.

On the plant floor, this concept rests on three pillars: work zone design, interlock configuration, and formal validation of the whole. Let us look at each in turn.

Why does functional safety matter now?

European regulation — particularly the Machinery Directive and standards ISO 10218 for industrial robots and ISO/TS 15066 for collaborative applications — requires integrators and end users to demonstrate that residual risks are controlled to a defined integrity level. That level is typically expressed as a performance level (PL) under EN ISO 13849 or a safety integrity level (SIL) under IEC 62061.

Non-compliance does not only mean fines: in the event of an accident, civil and criminal liability falls on whoever cannot demonstrate that risk assessment and mitigation were properly carried out.

Work zone design

A robotic cell can have several zones with different access and protection requirements:

Exclusion zone: the robot operates at rated speed and force; human access must be physically prevented or must trigger an immediate robot stop.
Collaboration or controlled-access zone: if the process requires it, an operator may enter while the robot is moving, but only under conditions of reduced speed, limited force and continuous distance monitoring.
Loading/unloading zone: the robot is stopped or in a safe waiting position while the operator handles parts. An interlock must prevent resuming the cycle until the operator has left and confirmed clearance.

The most common mistake is defining these zones on paper during design and then failing to translate them accurately into the controller configuration or the safety PLC.

Interlocks: what they are and how they work

An interlock is a circuit or logic function that prevents a hazardous action while a risk condition exists. In a robotic cell the most common ones are:

Access door with safety switch: opening the door generates a signal that sends the robot to a category 1 or 2 stop and locks out restart until the door is re-closed and the operator actively confirms clearance.
Light curtains or laser scanners: detect presence in real time and allow more gradual stops, useful where there is no physical guarding or frequent access is needed without opening doors.
Tool interlocks: confirm the end-effector is in a safe position before allowing movement of other axes or the advance of a press.
Redundant emergency stops: must be reachable from every operating point and wired to appropriate stop categories.

The key is not only to install these devices but to route them through a certified safety relay or module that can detect internal faults within the safety circuit itself (fail-safe principle).

Configuration in the robot controller

ABB, KUKA and FANUC all include built-in safety functions in their controllers — SafeMove, KUKA.SafeOperation and DCS respectively — that allow you to define monitored workspaces, supervised maximum speeds and software-defined stop zones. These functions complement but do not replace physical interlocks.

Correct configuration includes activating axis supervision, setting zone limits that match the physical cell design, and protecting safety parameters with a password or validation signature. Any subsequent change must be treated as a machinery modification and re-validated accordingly.

If you need to review or update these functions in your installation, our consulting and audit team can guide you through the process.

Validation: the step most often skipped

Designing and installing correctly is not enough: the standards require verification and validation that the safety system works as specified. This means:

Testing every safety function under real conditions (opening the door with the robot running, breaking a light curtain, activating the emergency stop from every point).
Measuring actual stop times and comparing them against those assumed in the safety distance calculations.
Documenting all tests with date, result and signature.
Periodic review: functional safety is not a one-off milestone but a continuous process that must be revisited after any change to the cell or process.

Common plant-floor mistakes

Temporary interlock bypasses that become permanent.
Safety distances calculated using theoretical stop times rather than measured ones.
Controller safety functions disabled or left at default parameters.
Missing documentation: if it is not recorded, it does not exist for an inspection or accident investigation.
Insufficient training for maintenance staff, who may inadvertently disable protections during interventions.

A solid preventive maintenance programme also helps keep functional safety in good shape. You can read more about this approach in our article on how often industrial robot maintenance should be carried out.

When should you carry out a safety audit?

A functional safety review is recommended after any change to the process or layout, when the person responsible for the installation changes, after any incident or near-miss, and periodically even when no apparent changes have occurred. Our robotic installation audit service covers all these scenarios, delivering a gap report and a prioritised action plan.