Safety Design Pathway
Safety design for a robot cell is a structured process, not a single step. The full pathway runs from hazard identification through to Declaration of Conformity:
- Define the machinery boundary — establish what falls inside your CE/UKCA marking scope
- Risk assessment (ISO 12100) — identify hazards across all lifecycle phases: installation, operation, foreseeable misuse, maintenance
- Determine PLr (ISO 13849-1) — use the risk graph to set the required Performance Level for each safety function
- Select circuit Category — PLd is normally implemented as Category 3 and PLe as Category 4; ISO 13849-1 also permits Category 2 for PLd and Category 3 for PLe, but only with MTTFd in the high band and adequate diagnostic coverage, which the SISTEMA calculation has to demonstrate
- Design and wire the safety circuit — dual channels, cross-monitoring, EDM feedback, robot controller interface
- Calculate achieved PL using SISTEMA — achieved PL must meet or exceed PLr
- Functional testing at commissioning — including single-fault simulation and EDM verification
- Compile the Technical File and Declaration of Conformity
The PDF guide covers each step in detail with the relevant standard referenced at every point.
The Regulatory Framework
Robot cell safety in the UK and EU sits within a hierarchy of legislation and harmonised standards. Applying the harmonised standards gives presumption of conformity with the essential health and safety requirements of the Machinery Directive that those standards cover: you do not have to demonstrate compliance with those requirements from first principles. The risk assessment and Technical File are still required, and any hazard the standards do not cover still has to be dealt with.
- Machinery Directive 2006/42/EC — primary legal instrument in the EU; UKCA marking applies in Great Britain under the same technical requirements
- ISO 10218-1 / -2 — robot manufacturers (Part 1) and system integrators (Part 2)
- ISO 12100 — the master risk assessment standard
- EN ISO 13849-1 — safety-related parts of control systems; Performance Level methodology
- IEC 62061 — SIL-based functional safety; applies where complex programmable electronic systems are used
- ISO/TS 15066 — collaborative robots; additional requirements beyond ISO 10218
Safety PLCs do not require IEC 62061. A Pilz PNOZmulti or Siemens Safety CPU is fully certifiable under ISO 13849-1 alone. IEC 62061 is not a more rigorous alternative; it is a parallel route that expresses the same safety function in SIL rather than PL, and either standard may be applied to a given system.
Risk Assessment and PLr Determination
For each safety function in the cell, the ISO 13849-1 risk graph uses three parameters to determine the required Performance Level:
- S — Severity: S1 slight/reversible injury · S2 serious/irreversible injury including death
- F — Frequency: F1 seldom to less often · F2 frequent to continuous
- P — Possibility of avoidance: P1 possible under specific conditions · P2 scarcely possible
For a standard robot cell e-stop the assessment gives S2 (robot at full speed, crushing injury), F2 (operators in proximity regularly), P2 (no realistic means of avoidance) — which maps to PLe. Safety door interlocks on a running cell typically reach the same conclusion. Guard locking functions and enabling devices for teach mode commonly land at PLd.
PLr is assigned to individual safety functions, not to the machine as a whole. A robot cell will typically have several safety functions each with their own PLr — e-stop, door interlock, guard locking, and enabling device are assessed separately.
Circuit Architecture and Categories
ISO 13849-1 defines five circuit Categories (B through 4), each setting different architectural requirements. Category determines the maximum achievable PL regardless of component quality.
- Cat B / PLb — single channel, basic safety principles only
- Cat 1 / PLc — single channel using proven safety components (positive-opening contacts)
- Cat 2 / up to PLd — single channel checked periodically by test equipment; PLd only with DCavg medium and MTTFd in the high band
- Cat 3 / up to PLe — dual channel; a single fault does not cause loss of the safety function and, where reasonably practicable, is detected at or before the next demand. PLe is reachable only with DCavg at least medium and MTTFd in the high band; with medium MTTFd the same circuit is PLd
- Cat 4 / PLe — dual channel with MTTFd high and DCavg high; a single fault is detected at or before the next demand, and an accumulation of undetected faults must not lead to loss of the safety function
The most common serious error: correctly determining that PLe is required, then wiring to Category 3 and assuming the PL follows from the relay's label. Category 3 reaches PLe only with DCavg at least medium and channel MTTFd in the high band; with medium MTTFd the same circuit is PLd. Category 4 additionally requires that a single fault is detected at or before the next demand and that accumulated undetected faults cannot defeat the function. A safety function assessed at PLe that the SISTEMA calculation shows at PLd does not meet its own risk assessment; under the Machinery Directive that is a non-conformity, not a design preference.
Wiring Example — PLe / Category 4
The following is taken from a real KUKA KR120 R2700 robot cell installation. Safety relay: Pilz PNOZ S4 (Category 4, PLe, cross-fault detection, manual monitored reset).
Circuit topology
Channel 1: +24V → S1 NC → S3 NC → S4 NC → S10 NC → PNOZ S4 terminals S11/S12
Channel 2: +24V → S1 NC → S3 NC → S4 NC → S10 NC → PNOZ S4 terminals S21/S22
S1, S3, S4 are e-stop buttons (dual NC contacts). S10 is the coded magnetic door interlock (dual NC contacts). Each device contributes one NC contact to CH1 and one to CH2 — all wired in series on their respective channel.
- Reset: momentary NO button S5 → PNOZ S4 terminal S34 (manual monitored reset)
- EDM feedback: NC auxiliary contacts from KM1 and KM2 in series → PNOZ S4 terminal Y32
- KRC4 outputs: PNOZ S4 output 13/14 → X11/1 + X11/2 · output 23/24 → X11/19 + X11/20
To achieve PLd / Category 3 with identical external wiring, substitute the PNOZ S4 for a PNOZ X3. All terminal connections are the same — the Category difference is internal to the relay. The PNOZ X3 does not perform cross-fault detection on the input channels.
The EDM (External Device Monitoring) loop is critical: if either output contactor KM1 or KM2 fails to drop out, its NC auxiliary contact stays open, the PNOZ S4 sees the open feedback loop at Y32 when a reset is attempted, and the relay locks out, preventing restart with a welded contactor. This is what gives the output contactors their diagnostic coverage; without it the DCavg high that Category 4 requires cannot be claimed for the output subsystem.
Integrating Legacy Machines
Risk assess the interface, not the whole machine
When connecting a robot cell to existing machinery, the legal requirement is to risk assess the point of integration — what new hazards does combining these machines create? If the connection does not introduce new hazards relating to the legacy machine's existing safety systems, those systems do not need redesigning to current standards. The obligation is proportionate to the change.
E-stop strategy — link or label
Two valid approaches: link the e-stop circuits so that activating either stops both, or keep them separate and label every button to indicate which equipment it controls. Linking is appropriate where a hazardous interaction zone exists between the two machines. Separate circuits are acceptable where the machines can safely continue operating independently.
If e-stop circuits are not linked, ISO 13850 requires that it be clear which equipment each device stops, so labelling is a requirement of the harmonised standard, not a recommendation. An operator in an emergency cannot be expected to know from memory which button covers which equipment. Photographs of all labelled buttons belong in the Technical File.
The PL myth
There is no requirement in ISO 13849-1, ISO 10218-2, or the Machinery Directive that a connected legacy machine must have its safety circuits upgraded to match the PLe of the robot cell. Performance Level is assigned to individual safety functions, not to machines or installations as a whole. This misreading has led to companies unnecessarily replacing entire legacy control panels.
Validation and Documentation
SISTEMA (free from the German IFA institute) is the standard tool for calculating achieved PL under ISO 13849-1. For each safety function it takes the circuit Category, the MTTFd of each element (entered directly or derived from B10d and the operating rate), Diagnostic Coverage, the CCF score, and for pre-certified subsystems such as a safety relay the manufacturer's PFHD value, and outputs the achieved PL. PFHD and B10d values are published in manufacturer datasheets; Pilz and Siemens both provide SISTEMA libraries for direct import.
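The inputs listed above can be worked through by hand before opening SISTEMA, and doing so makes the Category caveat concrete. The following Python is an added example, not code from the page, Pilz, Siemens or the IFA, and not a SISTEMA substitute: it encodes the ISO 13849-1 risk graph, the B10d-to-MTTFd conversion and parts-count formulae, the MTTFd and DC band limits, the CCF threshold and the Category / DCavg / MTTFd lookup of the simplified procedure (Table 7 in the 2015 edition), then runs one channel of the e-stop and door-interlock chain from the wiring example through it. All component figures (B10d values, operating rates, DC credits, CCF score of 80) are constructed assumptions for illustration; take real values from the datasheets. It goes one step beyond the page's e-stop case: the second run shows the same Category 3 channel falling to PLd when the output contactor is cycled hard enough to pull MTTFd into the medium band.

```python
"""ISO 13849-1 simplified procedure worked through in code.

Added example: not code from the page, Pilz, Siemens or the IFA, and not a SISTEMA
substitute. Encoded from ISO 13849-1:2015: risk graph, B10d -> MTTFd and parts-count
formulae, MTTFd/DC bands, CCF threshold, Category/DCavg/MTTFd -> PL lookup (Table 7).
"""
from dataclasses import dataclass
from typing import List, Optional

PL_ORDER = "abcde"

# Risk graph: (S, F, P) -> required Performance Level
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Simplified procedure: (Category, DCavg band) -> {MTTFd band: achieved PL}
SIMPLIFIED = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},                      # Cat 1 requires MTTFd high
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "e"},
    ("4", "high"):   {"high": "e"},                      # Cat 4 requires MTTFd high and DCavg high
}

def plr_from_risk_graph(s: int, f: int, p: int) -> str:
    return RISK_GRAPH[(s, f, p)]

def n_op(d_op: int, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year: days/year x hours/day x 3600 / cycle time in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s

@dataclass
class Part:
    name: str
    b10d: float   # cycles by which 10 % of the population has failed dangerously (datasheet)
    nop: float    # operations per year for this part
    dc: float     # diagnostic coverage credited for this part, 0..1

    def mttfd(self) -> float:
        return self.b10d / (0.1 * self.nop)   # MTTFd in years for an electromechanical part

def channel_mttfd(parts: List[Part]) -> float:
    """Parts-count method for one channel: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / p.mttfd() for p in parts)

def dc_avg(parts: List[Part]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    w = [1.0 / p.mttfd() for p in parts]
    return sum(p.dc * wi for p, wi in zip(parts, w)) / sum(w)

def mttfd_band(mttfd: float, category: str) -> str:
    """low 3..10 y, medium 10..30 y, high 30..100 y (Cat 4 may credit up to 2500 y)."""
    if mttfd < 3.0:
        raise ValueError("channel MTTFd below 3 years is outside the standard")
    capped = min(mttfd, 2500.0 if category == "4" else 100.0)
    return "low" if capped < 10.0 else "medium" if capped < 30.0 else "high"

def dc_band(dc: float) -> str:
    """none <60 %, low 60..90 %, medium 90..99 %, high >=99 %."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def achieved_pl(category: str, mttfd: float, dcavg: float, ccf_score: int = 0) -> Optional[str]:
    """Achieved PL, or None when the Category's own preconditions (CCF, DCavg, MTTFd) fail."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None                                  # CCF score below 65 invalidates a multi-channel Category
    band = "none" if category in ("B", "1") else dc_band(dcavg)   # Cat B/1 credit no diagnostics
    if category in ("2", "3") and band == "high":
        band = "medium"                              # the lookup has no separate DCavg high column for Cat 2/3
    return SIMPLIFIED.get((category, band), {}).get(mttfd_band(mttfd, category))

def meets(achieved: Optional[str], required: str) -> bool:
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)

def worked_example(t_cycle_s: float = 600.0) -> dict:
    """One channel of the e-stop / door-interlock chain driving a monitored contactor.

    Constructed assumptions: B10d of the order given in ISO 13849-1 Table C.1, 220 working
    days of 16 h, door and contactor cycled every t_cycle_s seconds, e-stops exercised once
    per working day, DC 99 % where cross-monitoring or EDM covers the part, CCF score 80."""
    cyclic = n_op(220, 16, t_cycle_s)
    daily = n_op(220, 16, 16 * 3600)
    channel = [
        Part("S1 e-stop", 100_000, daily, 0.99),
        Part("S3 e-stop", 100_000, daily, 0.99),
        Part("S4 e-stop", 100_000, daily, 0.99),
        Part("S10 door interlock", 2_000_000, cyclic, 0.99),
        Part("KM1 contactor", 1_300_000, cyclic, 0.99),
    ]
    mttfd, dc = channel_mttfd(channel), dc_avg(channel)
    plr = plr_from_risk_graph(2, 2, 2)               # S2 F2 P2 for the e-stop, as in the text
    cat3 = achieved_pl("3", mttfd, dc, 80)
    return {"plr": plr, "mttfd_years": round(mttfd, 1), "dcavg": round(dc, 3), "cat3": cat3,
            "cat4": achieved_pl("4", mttfd, dc, 80), "cat3_meets_plr": meets(cat3, plr)}
```

Calling `worked_example()` returns PLe for both Category 3 and Category 4 (channel MTTFd about 299 years, capped to the 100-year band limit); `worked_example(30.0)`, with the contactor cycling every 30 s, drops channel MTTFd to about 18 years, which gives PLd for Category 3 and None for Category 4, because Category 4 requires MTTFd high by definition. Returning None rather than a PL when a Category's preconditions fail is deliberate: a script that gates sign-off should refuse, not round up.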
Functional testing at commissioning must verify: each e-stop de-energises the safety relay, door interlock opens the circuit, single-channel fault simulation confirms the safety function is maintained, EDM locks out on contactor failure, and manual reset is required after every event. Test records — signed and dated — go into the Technical File alongside the SISTEMA report, wiring diagrams, and component datasheets.
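The checks in the test list can be encoded as a fault-injection model so that the commissioning test sheet has an executable reference for what "pass" means. The following Python is an added example and a constructed behavioural model, not Pilz firmware and not the page's own code: it does not reproduce PNOZ S4 timing or terminal behaviour, only the observable rules the test records must demonstrate (any open channel stops the outputs, a channel discrepancy latches a fault, an open EDM loop refuses reset, nothing restarts without a manual monitored reset). Device names S1, S3, S4, S10, KM1 and KM2 follow the wiring example above; the fault injections (a contact stuck closed on one channel, a welded contactor) are assumptions chosen to cover the list.

```python
"""Fault-injection model of the dual-channel / EDM / monitored-reset behaviour.

Added example and constructed model: not Pilz firmware and not the page's code. It does
not reproduce PNOZ S4 timing or terminals, only the observable rules the commissioning
test records must show. Device names follow the wiring example."""
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str                                            # e-stop or interlock with dual NC contacts
    actuated: bool = False                               # button pressed / door open
    stuck_closed: set = field(default_factory=set)       # injected fault: channels whose contact cannot open

    def contact_closed(self, channel: int) -> bool:
        return (not self.actuated) or (channel in self.stuck_closed)

@dataclass
class Contactor:
    name: str
    energised: bool = False
    welded: bool = False                                 # injected fault: contacts stuck in the energised state

    def drop_out(self) -> None:
        if not self.welded:
            self.energised = False

    def aux_nc_closed(self) -> bool:                     # NC auxiliary contact wired into the EDM loop
        return not self.energised

class SafetyRelayModel:
    """Dual-channel relay with cross-monitoring, EDM feedback and manual monitored reset."""
    def __init__(self, devices, contactors):
        self.devices, self.contactors = devices, contactors
        self.outputs_on, self.fault_latched = False, None

    def channel_closed(self, channel: int) -> bool:      # NC contacts are in series on each channel
        return all(d.contact_closed(channel) for d in self.devices)

    def load_running(self) -> bool:                      # KM1 and KM2 main contacts are in series
        return all(k.energised for k in self.contactors)

    def scan(self) -> bool:
        """One input evaluation: any open channel drops the outputs; a discrepancy latches a fault."""
        ch1, ch2 = self.channel_closed(1), self.channel_closed(2)
        if ch1 != ch2:
            self.fault_latched = "channel discrepancy: %s failed to open" % ("CH1" if ch1 else "CH2")
        if not (ch1 and ch2):
            self.outputs_on = False
            for k in self.contactors:
                k.drop_out()
        return self.outputs_on

    def reset(self) -> bool:
        """Manual monitored reset: both channels closed, EDM loop closed, no latched fault."""
        self.scan()
        if self.fault_latched or not (self.channel_closed(1) and self.channel_closed(2)):
            return False
        if not all(k.aux_nc_closed() for k in self.contactors):
            self.fault_latched = "EDM: a contactor did not drop out"
            return False
        self.outputs_on = True
        for k in self.contactors:
            k.energised = True
        return True

def running_cell():
    """Fresh cell (S1, S3, S4, S10, KM1, KM2) brought to the running state by a valid reset."""
    devices = [Device("S1"), Device("S3"), Device("S4"), Device("S10 door")]
    contactors = [Contactor("KM1"), Contactor("KM2")]
    relay = SafetyRelayModel(devices, contactors)
    relay.reset()
    return devices, contactors, relay

def run_commissioning_tests() -> dict:
    """Each entry mirrors one line of the functional test list; True means the check passed."""
    results = {}
    for idx in range(4):                                 # every e-stop and the door interlock stop the cell;
        devices, kms, relay = running_cell()             # releasing alone must not restart it
        devices[idx].actuated = True
        relay.scan()
        results["stop via " + devices[idx].name] = not relay.outputs_on and not relay.load_running()
        devices[idx].actuated = False
        results["no auto-restart after " + devices[idx].name] = relay.scan() is False
        results["restart after reset " + devices[idx].name] = relay.reset() and relay.load_running()

    devices, kms, relay = running_cell()                 # single-channel fault: S3 CH1 contact stuck closed
    devices[1].stuck_closed.add(1)
    devices[1].actuated = True
    relay.scan()
    results["single-channel fault still stops"] = not relay.load_running()
    results["single-channel fault detected"] = relay.fault_latched is not None
    devices[1].actuated = False
    results["no restart with latched fault"] = relay.reset() is False

    devices, kms, relay = running_cell()                 # EDM: KM1 welded, reset must be refused
    kms[0].welded = True
    devices[0].actuated = True
    relay.scan()
    devices[0].actuated = False
    results["EDM lockout on welded KM1"] = relay.reset() is False and "EDM" in (relay.fault_latched or "")
    return results
```

`run_commissioning_tests()` returns one boolean per check, keyed by the test-sheet line it corresponds to, and every entry is True for a correctly behaving model. The single-channel case is the one worth reading closely: the stuck CH1 contact does not defeat the stop, because CH2 still opens, but the model latches the discrepancy and refuses the next reset, which is exactly what the signed test record for "single-channel fault simulation" has to show.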
Referenced Standards
- Machinery Directive 2006/42/EC
- ISO 10218-1:2011 · ISO 10218-2:2011
- ISO 12100:2010
- EN ISO 13849-1:2015 · EN ISO 13849-2:2012
- IEC 62061:2021
- ISO 13850:2015 — emergency stop devices
- ISO 14119:2013 — interlocking devices
- ISO/TS 15066:2016 — collaborative robots
- IEC 60947-5-5 — electrical emergency stop devices