
Robot Safety & Functional Safety: The Ultimate Guide

An engineer's deep dive into robot functional safety: ISO 12100, ISO 10218-1/-2 (2025), ISO/TS 15066, ISO 13849 PL & Categories, IEC 62061 SIL, stop categories, STO/SS1/SLS, ISO 13855 distances, safe fieldbuses, and validation.

By Robo2u Editorial · 39 min read

There is a comfortable lie in this industry that safety is a paperwork problem — that you buy a CE-marked robot, hire someone to fill in a risk-assessment template, glue a yellow fence around the cell, and the auditor goes away happy. That lie kills people. Not often, because the standards are good, but it kills people. The standards work precisely because somebody, somewhere, treated them as engineering — as a set of quantitative requirements about how reliably a stop function will execute when a hand is where it shouldn't be.

This guide is the long version for the people who actually own the risk: the controls engineers, the integrators, the machine builders, and the safety engineers who sign the Declaration of Conformity. We will walk the full stack — from why functional safety exists, through the standards map (ISO 12100 down to ISO/TS 15066), through risk assessment, the safety functions themselves (E-stop, protective stop, STO/SS1/SS2/SLS), guarding hardware, and then the quantitative core: Performance Level under ISO 13849-1 and SIL under IEC 62061, with worked examples. Real numbers with units, opinions with the reasons attached.

The take: Functional safety is engineering, not paperwork. The document trail is the evidence that the engineering happened — it is not the engineering. A safety function has a measurable probability of dangerous failure per hour, a measurable response time, and a measurable stopping distance, and if you cannot put numbers with units on all three, you have not designed a safety function — you have decorated a machine with safety-coloured components and hoped. Buy the architecture first (the redundancy, the diagnostics, the rated components), then let the paperwork record what you built.

Companion reading: collaborative robots (cobots), industrial robot arms, industrial automation: PLC, SCADA & fieldbus, and mobile robots: AMR & AGV.

Table of contents

  1. Key takeaways
  2. Why functional safety exists
  3. The standards map (Type A/B/C)
  4. The risk assessment process
  5. Safety functions: E-stop, protective stop, STO/SS1/SS2/SLS/SOS
  6. Guarding & safeguards
  7. Performance Level (ISO 13849-1)
  8. SIL (IEC 62061 / IEC 61508) and PL↔SIL mapping
  9. Safety PLCs, safe I/O & safety fieldbuses
  10. Minimum distance & guard placement (ISO 13855)
  11. Cobots & collaborative safety vs traditional guarding
  12. AMR / mobile machine safety (ISO 3691-4, R15.08)
  13. Validation, documentation & CE compliance
  14. Frequently asked questions

Why functional safety exists

Start with the physics, because the physics is why the law exists.

An industrial six-axis arm moving a 50 kg payload at 2,000 mm/s carries on the order of several hundred joules of kinetic energy in the payload alone, plus far more in the arm's own moving mass. A human skull fractures at impact energies in the tens of joules. The robot does not slow down because a person walked in; it has no idea the person is there unless you gave it a way to know. That gap — between what the machine can do and what a human body can survive — is the hazard, and it does not negotiate.

Safety rule: A machine is dangerous by default. Safety is a property you add through engineering. The absence of an accident yesterday is not evidence of safety today; it is evidence that nobody was in the wrong place yet.

The duty of care is both moral and legal. In the EU, the Machinery Regulation 2023/1230 (which replaces the Machinery Directive 2006/42/EC, with the Regulation applying from 20 January 2027) makes the machine builder legally responsible for placing a safe machine on the market — CE marking, a Declaration of Conformity, and a technical file that demonstrates conformity to the essential health and safety requirements. In the US, OSHA's general duty clause and the adoption of consensus standards (ANSI/RIA R15.06, NFPA 79) do the equivalent work. In both regimes the burden sits on whoever puts the machine into service.

Functional safety is the specific slice of this that concerns active protective measures — the ones that depend on a system correctly detecting a condition and reacting. A fixed fence is a safety measure but not a functional one: it works by being there, with no logic to fail. A light curtain that trips a stop is functional safety: it has sensors, logic, and outputs, every one of which can fail, and the question becomes how reliably does the protective function execute on demand? That word — reliably, quantified — is the whole game.

The historical arc matters. IEC 61508 (1998, revised 2010) was the foundational generic functional-safety standard, written largely from the process-industry tradition — it gave us SIL and the PFHD framework. The machinery world found 61508 heavy and abstract, so it produced two machine-friendly children: ISO 13849-1 (evolving from the old EN 954-1 Categories into a probabilistic PL framework) and IEC 62061 (a machinery-sector application of 61508 keeping SIL). Robots, being machines with extra ways to hurt you, got their own Type C standard, ISO 10218, sitting on top of all of it.

The standards map (Type A/B/C)

If you take one structural idea from this guide, take this one: standards are layered, and the layer closest to your machine wins.

ISO classifies safety standards into three types:

  • Type A (basic safety standards) state general principles applicable to all machinery. There is essentially one: ISO 12100, Safety of machinery — General principles for design — Risk assessment and risk reduction. It is the constitution.
  • Type B (generic safety standards) deal with one safety aspect (B1) or one safeguard (B2) across many machine types. The functional-safety heavyweights — ISO 13849-1/-2, IEC 62061, IEC 61508 — are Type B1. Guarding and device standards like IEC 60204-1 (electrical equipment), IEC 61496 (ESPE / light curtains & scanners), ISO 13855 (positioning of safeguards), ISO 13850 (E-stop), and ISO 14119 (interlocks) are Type B.
  • Type C (machine-specific safety standards) address a particular machine or machine group. ISO 10218-1 (robots) and ISO 10218-2 (robot systems and integration), ISO 3691-4 (driverless industrial trucks), and the ANSI/RIA R15.06 / R15.08 family are Type C for robotics.

Safety rule: Where a Type C standard deviates from a Type A or B standard, the Type C standard takes precedence for that machine. ISO 10218 beats ISO 13849 on any point where they conflict — but ISO 10218 uses ISO 13849 for the functional-safety maths, so in practice you apply both.

The conceptual flow for robotics is: ISO 12100 gives you the risk-assessment method and the risk-reduction hierarchy → ISO 10218-1/-2 tells you which safety functions a robot cell needs and what Performance Level each requires → ISO/TS 15066 (now largely absorbed into ISO 10218:2025) gives you the collaborative-operation detail and the biomechanical limits → ISO 13849-1 / IEC 62061 give you the method to engineer and prove each function to its required PL/SIL → the device standards (IEC 61496, ISO 13855, IEC 60204-1, IEC 61800-5-2) tell you how the components and distances must behave.

| Standard | Type | Scope | What you use it for |
|---|---|---|---|
| ISO 12100 | A | General principles, risk assessment | The master method: hazard ID, risk estimation, reduction hierarchy |
| ISO 13849-1 / -2 | B | Functional safety (PL) | Designing & validating safety functions by Performance Level |
| IEC 62061 | B | Functional safety (SIL) for machinery | Same job as 13849-1 but in SIL terms; complex/programmable systems |
| IEC 61508 | B | Generic functional safety (SIL) | The parent standard; used directly for novel safety devices/PLCs |
| IEC 60204-1 | B | Electrical equipment of machines | Stop categories 0/1/2, E-stop wiring, supply disconnection |
| IEC 61496-1/-2 | B | Electro-sensitive protective equipment | Light curtains, laser scanners — types, performance |
| ISO 13855 | B | Positioning of safeguards | Minimum distance S = K·T + C |
| ISO 13850 | B | Emergency stop | E-stop function design, reset, categories |
| ISO 14119 | B | Interlocking devices with guards | Guard interlock selection, defeat resistance |
| IEC 61800-5-2 | B | Adjustable-speed drives — safety | STO, SS1, SS2, SLS, SOS, SLP and other drive safety functions |
| ISO/TS 15066 | TS | Collaborative robots | Biomechanical force/pressure limits; folded into ISO 10218:2025 |
| ISO 10218-1:2025 | C | Industrial robots (the robot) | Requirements on the robot's built-in safety functions |
| ISO 10218-2:2025 | C | Robot systems & integration | The cell: guarding, layout, validation, collaborative ops |
| ISO 3691-4 | C | Driverless industrial trucks | AMR/AGV safety: speed, detection fields, stop performance |
| ANSI/RIA R15.06 | C | Industrial robots (US) | US adoption aligned with ISO 10218 |
| ANSI/RIA R15.08 | C | Industrial mobile robots (US) | US standard for AMRs |

The risk assessment process

Everything quantitative downstream — the required PL, the choice of stop category, the standoff distance — is an output of the risk assessment. Get this wrong and every number after it is wrong with confidence.

ISO 12100 defines the loop: determine the limits of the machine → identify hazards → estimate risk → evaluate risk → reduce risk → repeat until acceptable. Run it for every life-cycle phase (installation, operation, cleaning, maintenance, decommissioning), not just normal production. Maintenance is where most people die, because that's when the guards are open and the energy isn't always isolated.

Hazard identification for a robot cell is mechanical first — crushing, shearing, impact, entanglement, drawing-in at the robot, the end effector, the workpiece, and ancillary equipment (conveyors, positioners, presses). Then the rest: electrical, thermal (welding, hot parts), noise, radiation (laser, vision illuminators), and ergonomic. The end effector and the workpiece are part of the machine — a robot holding a knife is a different hazard than the same robot holding a foam pad. People forget this constantly.

Risk estimation combines, for each hazard, the severity of harm (S) with the probability of occurrence of that harm, where probability is built from three factors:

  • Frequency and duration of exposure (F) — how often and how long is someone in the danger zone?
  • Probability of occurrence of the hazardous event (O) — how likely is the thing to go wrong?
  • Possibility of avoidance (A) — can the person get out of the way, given the speed and warning?

ISO 13849-1 turns exactly these into a risk graph that outputs the required Performance Level, PLr:

   Start
    ├─ S1 (slight, normally reversible injury)
    │   ├─ F1 (seldom / short exposure)
    │   │   ├─ P1 (possible to avoid)        ──► PLr = a
    │   │   └─ P2 (scarcely possible)        ──► PLr = b
    │   └─ F2 (frequent / long exposure)
    │       ├─ P1 (possible to avoid)        ──► PLr = b
    │       └─ P2 (scarcely possible)        ──► PLr = c
    └─ S2 (serious, irreversible injury or death)
        ├─ F1 (seldom / short exposure)
        │   ├─ P1 (possible to avoid)        ──► PLr = c
        │   └─ P2 (scarcely possible)        ──► PLr = d
        └─ F2 (frequent / long exposure)
            ├─ P1 (possible to avoid)        ──► PLr = d
            └─ P2 (scarcely possible)        ──► PLr = e

   S = severity   F = frequency/exposure   P = possibility of avoidance

Read it plainly: a serious, irreversible injury (S2) from a hazard you are exposed to frequently (F2) and cannot avoid (P2) demands PLr = e — the highest. Most robot protective stops and E-stops land at PLr = d; a few isolated, low-exposure functions sit at c.

Risk reduction then follows a strict, non-negotiable hierarchy — the three-step method:

  1. Inherently safe design — eliminate the hazard or reduce it at the source. Lower the speed, lower the energy, round the edges, remove the pinch point, design out the trapped position. This is the cheapest and most reliable reduction because it removes the need for the function to work. A hazard that isn't there cannot fail to be guarded.
  2. Safeguarding and complementary protective measures — guards, interlocks, light curtains, scanners, two-hand controls, E-stops. This is functional safety territory: you are now relying on systems that can fail, so you must quantify them.
  3. Information for use — warnings, signs, training, PPE, safe working procedures. The weakest layer, because it relies on humans behaving. Never the primary measure for a serious hazard.

Safety rule: You may not skip up the hierarchy. If a hazard can be designed out, designing it out is mandatory before reaching for a light curtain. Safeguarding is what you apply to the residual risk after inherently safe design, not instead of it.

The output of the assessment is a list of required safety functions, each with a PLr (or SILCL), a stop category, and the reaction time and distance constraints they must satisfy. That list is the specification for everything that follows.

Safety functions: E-stop, protective stop, STO/SS1/SS2/SLS/SOS

A safety function is a defined function whose failure increases risk — e.g. "when the light curtain is interrupted, the robot performs a Category 1 stop within 0.5 s." It has inputs (sensors), logic (safety controller), and outputs (actuators/drives), and the whole chain carries the PL/SIL.

Stop categories (IEC 60204-1)

The single most misunderstood concept in the field. Stop categories describe how power is handled, not how fast the machine stops.

| Category | Behaviour | Power | Typical use |
|---|---|---|---|
| Category 0 | Uncontrolled stop — immediate removal of power to the actuators | Removed immediately | E-stop where coasting is acceptable/safer; high-risk where you want power gone now |
| Category 1 | Controlled stop — actuators powered to brake, then power removed once stopped | Removed after stop | Most servo machines: brake under control, then drop power. Cleanest for high inertia |
| Category 2 | Controlled stop with power maintained (machine stays energized, holds position) | Maintained | Operational stops, not for emergency use; SOS-style standstill monitoring |

Safety rule: An emergency stop must be Category 0 or Category 1 only (IEC 60204-1 / ISO 13850). Category 2 is never an E-stop, because it leaves the machine powered. A safety-rated monitored stop in a cobot SRMS mode is a Category 2 stop — it is a protective stop, not an emergency stop, and the two are not interchangeable.

The distinction between emergency stop and protective (safeguarding) stop matters legally and functionally:

  • Emergency stop is a complementary measure — the manual, last-resort red mushroom. It is not a primary safeguard and you cannot count on a human to press it in time. It exists for the case where everything else failed. Requires manual reset.
  • Protective stop (also "safeguarded stop") is the automatic stop triggered by a safeguard — light curtain broken, gate opened, scanner field violated. This is your workhorse safety function. It may auto-resume (SRMS) or require reset depending on the mode.

Drive-integrated safety functions (IEC 61800-5-2)

The old way to stop a servo was to drop a contactor between the drive and the motor — crude, slow to reset, and hard on the hardware. Modern servo drives implement safe motion functions inside the drive electronics, certified to IEC 61800-5-2, so you stop or constrain motion without breaking the power path. These are the building blocks of every modern robot safety architecture:

  • STO — Safe Torque Off. The drive stops delivering torque-producing energy to the motor. The motor coasts (or is held by a mechanical brake). STO is the foundation of a Category 0 stop. It does not by itself decelerate the load — a vertical axis will drop unless a brake holds it.
  • SS1 — Safe Stop 1. Commanded deceleration along a ramp, then STO once standstill (or a time limit) is reached. This is the Category 1 stop. Best choice for high-inertia robot axes — you brake under control, then remove torque.
  • SS2 — Safe Stop 2. Commanded deceleration to standstill, then transition to SOS with power maintained. This is the Category 2 stop.
  • SOS — Safe Operating Stop. The drive holds the motor at standstill and monitors that it stays there, reacting if the position deviates beyond a safe window — without removing power. This is what lets a cobot hold position safely while a human loads a part.
  • SLS — Safely Limited Speed. The drive monitors that speed stays below a safe limit and reacts (typically SS1/SS2) if exceeded. The backbone of reduced-speed teach modes and speed-&-separation monitoring.
  • SLP — Safely Limited Position (safe zones / soft axis limits), SDI — Safe Direction, SLA — Safely Limited Acceleration, SBC — Safe Brake Control, SBT — Safe Brake Test round out the toolkit.

For the control-loop side of how these execute deterministically, see real-time control systems and, for the drive internals, motor controllers & FOC.

Safety rule: STO removes torque; it does not stop motion. On any axis with stored energy — gravity, springs, momentum — STO without a safe brake (SBC) or a controlled deceleration (SS1) is a dropping load waiting to happen. Choose SS1 for high-inertia axes and verify the brake with SBT.

A robot's typical safety-function set: an E-stop (Cat 1 via SS1, PL d/SIL 2), a protective stop from the cell's safeguards (Cat 1 or 2, PL d), safely-limited speed for teach/manual mode (SLS at 250 mm/s TCP, a hard ISO 10218 limit for manual reduced speed), safe zones (SLP) to keep the arm out of a neighbouring cell, and — on a cobot — safe force/power limiting.
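
To make the SLS → SS1 → STO relationship concrete, here is an added example (not code from Robo2u or from any drive vendor) that simulates a reduced-speed teach mode: an SLS monitor at the 250 mm/s limit requests SS1 on a violation, SS1 ramps the axis down and issues STO at standstill or when a time limit expires. The ramp rate, standstill threshold, time limit and the speed trace are constructed values; a real drive takes these from its IEC 61800-5-2 parameter set.

```python
"""Drive-integrated safe stop behaviour: SLS supervising speed, SS1 ramping to STO.

Added example, not code from Robo2u or any drive vendor. It models the
IEC 61800-5-2 behaviour described in the text: SLS watches speed against a
limit and requests SS1 when it is exceeded; SS1 commands a deceleration ramp
and issues STO once standstill is reached or a time limit expires. Ramp rate,
standstill threshold, time limit and the speed trace are constructed values.
"""
from dataclasses import dataclass


@dataclass
class SS1Result:
    reason: str        # "standstill" (clean Cat 1 stop) or "time_limit" (STO while still moving)
    t_sto: float       # seconds after the stop request at which STO was issued
    v_at_sto: float    # residual speed in mm/s when torque was removed
    distance: float    # mm travelled under the controlled ramp (the t2 part of a stop budget)


def ss1_stop(v0: float, decel: float, standstill_v: float = 1.0,
             t_limit: float = 0.5, dt: float = 0.001) -> SS1Result:
    """Safe Stop 1: ramp from v0 (mm/s) down at decel (mm/s^2), then STO.

    STO is issued when speed falls to standstill_v or when t_limit seconds have
    elapsed, whichever comes first. A time-limit STO removes torque from a load
    that is still moving; on a gravity-loaded axis without a brake that is the
    dropping-load case the safety rule warns about.
    """
    v, s, k = v0, 0.0, 0
    while v > standstill_v and k * dt < t_limit:
        v_prev = v
        v = max(0.0, v - decel * dt)        # commanded deceleration ramp
        s += (v_prev + v) / 2.0 * dt        # distance covered during this step
        k += 1
    reason = "standstill" if v <= standstill_v else "time_limit"
    return SS1Result(reason, round(k * dt, 3), v, s)


def sls_monitor(speed_trace, limit: float = 250.0):
    """Safely Limited Speed: index of the first sample whose magnitude exceeds
    the limit (the point at which the drive requests SS1), or None."""
    for i, v in enumerate(speed_trace):
        if abs(v) > limit:
            return i
    return None


def teach_mode_supervision(speed_trace, limit: float = 250.0, decel: float = 2000.0):
    """Manual reduced-speed mode: SLS at limit mm/s; on violation, SS1 then STO.
    Returns the trip index and the SS1 result, or None for both if no trip."""
    i = sls_monitor(speed_trace, limit)
    if i is None:
        return {"tripped_at": None, "stop": None}
    return {"tripped_at": i, "stop": ss1_stop(speed_trace[i], decel)}


if __name__ == "__main__":
    # constructed TCP speed trace in mm/s during a teach move that overshoots 250 mm/s
    trace = [100, 200, 240, 260, 300, 300]
    print(teach_mode_supervision(trace))
    print(ss1_stop(2000.0, 10000.0))              # 2 m/s at 10 m/s^2: standstill in 0.2 s, 200 mm
    print(ss1_stop(2000.0, 1000.0, t_limit=0.5))  # too gentle a ramp: STO at 0.5 s, still 1500 mm/s
```

The time-limit branch is the case the safety rule above is about: when the ramp cannot reach standstill before the limit expires, torque is removed from a load that is still moving, and only a safe brake holds it. The distance the ramp consumes is the machine-stop contribution that later goes into the ISO 13855 budget.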

Guarding & safeguards

Safeguards are the physical and sensing layer that implements the protective stop. The choice between them is dictated by whether the operator needs access and how often.

Fixed guards — bolted or welded enclosures, removable only with a tool. No logic, no failure mode, the most reliable thing you can install. Use them wherever routine access isn't needed. A fixed perimeter fence is still the cheapest, most robust safeguard for a fast industrial arm, and the engineering snobbery against fences is misplaced — a fence that's always there beats a scanner that might be misaligned.

Interlocked movable guards (ISO 14119) — gates and doors whose opening triggers a stop. The interlock device (the bit that detects the guard's position) must itself be selected for the required PL and for defeat resistance — coded magnetic or RFID interlocks resist the classic "tape a spare actuator to the frame" defeat that plagues simple mechanical switches. Add guard locking (power to unlock) where the machine takes time to reach a safe state, so the gate cannot open until the robot has actually stopped.

Electro-sensitive protective equipment (ESPE) under IEC 61496 — the non-contact safeguards:

  • Light curtains (IEC 61496-1/-2): arrays of infrared beams forming a detection plane. Specified by resolution — 14 mm (finger detection), 30 mm (hand), 40+ mm (body/access). Resolution sets the detection capability and feeds the C term in the ISO 13855 distance formula. Type 4 is the highest performance/integrity class (suitable up to PL e / SIL 3); Type 2 is for lower-demand applications. Add muting (for material to pass while people can't) and blanking carefully — both are classic ways to defeat a curtain.
  • Safety laser scanners (IEC 61496-3, which covers active opto-electronic protective devices responsive to diffuse reflection — AOPDDR): a rotating beam sweeps a 2D plane, defining warning and protective fields you can shape to the cell. The workhorse for floor-level access detection and for AMRs. Resolution is coarser (typically 30–70 mm), so the C term is larger.
  • 3D / vision-based protective devices: time-of-flight and stereo systems creating safety-rated volumes. The enabling tech for speed-&-separation monitoring around cobots. Newer, more expensive, and more demanding to validate.

Two-hand control devices (ISO 13851 / IEC 60204-1) — both hands occupied on widely-spaced buttons that must be pressed within ~0.5 s of each other and held, so the operator's hands cannot be in the hazard during the dangerous motion. Type III C is the high-integrity form. Protects only the operator pressing the buttons — not a colleague reaching in.

Safety mats and edges (ISO 13856) — pressure-sensitive floor mats and trip edges that detect presence by weight or contact. Robust and intuitive, but bulky and prone to nuisance trips; largely displaced by scanners for new cells.

Safety rule: Every non-contact safeguard has a way to be defeated, and operators will find it if the machine is annoying to use. The most common cause of a guarded machine becoming unsafe is not component failure — it is a frustrated operator who muted, blanked, taped, or bypassed the safeguard to keep production moving. Design the safeguard so the easy path is the safe path.

For where the safeguards live in the broader control architecture — the safety PLC, the safe I/O, the network — see industrial automation: PLC, SCADA & fieldbus.

Performance Level (ISO 13849-1)

This is the quantitative heart of machinery functional safety, and the part most people fudge. ISO 13849-1 assigns each safety function a Performance Level (PL) from a (lowest) to e (highest), defined by the average probability of a dangerous failure per hour:

| PL | PFHD (per hour) | Rough equivalent |
|---|---|---|
| a | ≥ 10⁻⁵ to < 10⁻⁴ | Low risk reduction |
| b | ≥ 3×10⁻⁶ to < 10⁻⁵ | |
| c | ≥ 10⁻⁶ to < 3×10⁻⁶ | ≈ SIL 1 |
| d | ≥ 10⁻⁷ to < 10⁻⁶ | ≈ SIL 2 |
| e | ≥ 10⁻⁸ to < 10⁻⁷ | ≈ SIL 3 |

The achieved PL of a safety function is not a property you buy on a component. It emerges from the architecture of the function — the whole chain from sensor to logic to output — characterised by five parameters:

  • Category (B, 1, 2, 3, 4) — the structural architecture and its behaviour under fault. This is the dominant lever.
  • MTTFD — Mean Time To dangerous Failure of each channel, capped and binned: Low (3 to <10 years), Medium (10 to <30 years), High (30 to 100 years). Built up from component B10D values and duty cycles.
  • DC (Diagnostic Coverage) — the fraction of dangerous failures the diagnostics detect, binned: None (<60%), Low (60 to <90%), Medium (90 to <99%), High (≥99%). DCavg is the averaged figure across the function.
  • CCF (Common Cause Failure) — for redundant architectures, the score that confirms your two channels won't fail together from one cause (shared power supply, shared connector, overtemperature). ISO 13849-1 requires a CCF score ≥ 65 points from its checklist.
  • Systematic failures — design and implementation faults, controlled by measures (not a number you compute).

The five Categories describe how the architecture behaves:

  • Category B — basic. A single channel; a fault can cause loss of the safety function. PL a–b only.
  • Category 1 — single channel using well-tried components and principles. Higher reliability than B but still single-fault-vulnerable. PL b–c.
  • Category 2 — single channel with periodic testing by the logic. A fault is detected at the next test, not instantly, so there's a window of vulnerability. The test rate must be ≥ 100× the demand rate. PL up to d.
  • Category 3 — redundant, dual-channel, so a single fault does not lose the safety function and (where reasonable) is detected. Single-fault tolerant. PL up to e.
  • Category 4 — redundant with high diagnostic coverage, so a single fault is detected and an accumulation of faults still doesn't lose the function. The gold standard. PL e.

The PL is then read off the ISO 13849-1 bar chart (Annex K / Figure 5) from Category, DCavg, and MTTFD. In practice everyone uses the free SISTEMA tool from the German IFA, which holds the component library and does the maths.

A worked example

Specify a robot protective stop: light curtain → safety relay/PLC → two contactors (or STO via SS1) cutting motion. Risk graph gave PLr = d.

Architecture: Category 3 (dual channel, single-fault tolerant)
  Channel 1: Type 4 light curtain (B10D = 2.0e6 ops)
  Channel 2: identical, diverse routing
  Logic:     dual-channel safety controller (PFHD ≈ 1e-9 /h, certified PL e)
  Output:    redundant STO inputs on the servo drive (PFHD ≈ 1e-9 /h)

MTTFD per channel:  capped at HIGH (30–100 years)
DCavg:              MEDIUM–HIGH (cross-monitoring + drive STO diagnostics)
CCF:                score = 70 points  (≥ 65 required → pass)

Category 3 + DCavg medium + MTTFD high  →  PL e achieved
PFHD (system, series sum)  ≈  3e-8 /h  →  in the PL e band (10⁻⁸ to < 10⁻⁷), well below the 10⁻⁶ ceiling of the required PL d

PLr was d; the architecture achieved e, so the function passes with margin. Note the maths is a series sum of the subsystem PFHD values — sensor + logic + output add up, and the weakest link dominates. A PL e controller wired to a single-channel Category B sensor is a Category B function. The chain is only as good as its worst subsystem.

Safety rule: You cannot specify your way to PL e by buying a PL e controller. PL is an end-to-end property of sensor + logic + actuator. Compute the whole chain, every time, and let the lowest subsystem set the ceiling.
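
The following added example (not code from Robo2u, and not the IFA SISTEMA tool) walks the chain of the worked example in code: the ISO 13849-1 risk graph to obtain PLr, the MTTFD of a channel from a B10D figure and an assumed duty cycle, the MTTFD and DC bins, the CCF gate at 65 points, and the series-sum PFHD of sensor + logic + output mapped onto the PL bands and capped by the weakest subsystem. The subsystem PFHD values are constructed to reproduce the ≈ 3e-8 /h total above; the duty-cycle figures (220 days/year, 16 h/day, 60 s cycle) are assumptions.

```python
"""ISO 13849-1 style check of a safety-function chain: PLr from the risk graph,
MTTFD from B10D, series-sum PFHD of the subsystems, PL band, weakest-link cap.

Added example, not code from Robo2u and not the IFA SISTEMA tool. The risk-graph
mapping, the PL bands, the CCF threshold and the MTTFD formula
(MTTFD = B10D / (0.1 * n_op), n_op = d_op * h_op * 3600 / t_cycle) follow
ISO 13849-1. Subsystem PFHD figures are constructed to match the worked example
in the text; the duty-cycle numbers are assumptions.
"""
from dataclasses import dataclass

PL_ORDER = "abcde"   # index = rank, so "e" is highest

# ISO 13849-1 risk graph: (S, F, P) -> required Performance Level
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PL bands as (PL, lower bound inclusive, upper bound exclusive), dangerous failures per hour
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]


def required_pl(severity: int, frequency: int, avoidance: int) -> str:
    """PLr for S1/S2, F1/F2, P1/P2 (pass 1 or 2 for each)."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def pl_from_pfhd(pfhd: float):
    """PL band for a PFHD value; None if the value is worse than PL a."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return "e" if pfhd < 1e-8 else None


def mttfd_years(b10d: float, d_op: float, h_op: float, t_cycle_s: float, cap: float = 100.0) -> float:
    """MTTFD of a channel built from an electromechanical part (ISO 13849-1, Annex C):
    n_op operations per year from days, hours and cycle time; MTTFD = B10D / (0.1 * n_op)."""
    n_op = d_op * h_op * 3600.0 / t_cycle_s
    return min(b10d / (0.1 * n_op), cap)


def mttfd_bin(years: float):
    if years < 3:
        return None           # below the usable range of the standard
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_bin(dc: float) -> str:
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


@dataclass
class Subsystem:
    name: str
    pfhd: float   # dangerous failures per hour
    pl: str       # PL the subsystem is certified or computed to


def chain_pl(subsystems, ccf_score: int):
    """Achieved PL of sensor + logic + output in series: the CCF gate first, then
    the series-sum PFHD mapped to a band, capped by the lowest subsystem PL."""
    if ccf_score < 65:
        return None, "CCF score below 65 points"
    total = sum(s.pfhd for s in subsystems)
    pl_sum = pl_from_pfhd(total)
    if pl_sum is None:
        return None, "series-sum PFHD worse than PL a"
    pl_min = min((s.pl for s in subsystems), key=PL_ORDER.index)
    achieved = min(pl_sum, pl_min, key=PL_ORDER.index)
    return achieved, f"series-sum PFHD = {total:.2e} /h"


def meets(achieved, plr: str) -> bool:
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    plr = required_pl(2, 1, 2)                        # serious, seldom exposed, hard to avoid -> d
    curtain_mttfd = mttfd_years(2.0e6, 220, 16, 60)   # assumed duty cycle
    chain = [Subsystem("Type 4 light curtain", 2.8e-8, "e"),   # constructed PFHD
             Subsystem("safety controller", 1e-9, "e"),
             Subsystem("drive STO", 1e-9, "e")]
    achieved, note = chain_pl(chain, ccf_score=70)
    print(plr, round(curtain_mttfd, 1), mttfd_bin(curtain_mttfd), achieved, note, meets(achieved, plr))
```

Swap the Type 4 curtain for a single-channel sensor characterised at PL b and chain_pl returns b regardless of the PL e controller behind it, which is the weakest-link point the safety rule makes.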

SIL (IEC 62061 / IEC 61508) and PL↔SIL mapping

IEC 62061 does the same job as ISO 13849-1 but in the language of Safety Integrity Level (SIL), inherited from IEC 61508. For high-demand / continuous-mode operation (which is what robot safety functions are), SIL is defined by the same PFHD bands:

| SIL | PFHD (per hour, high-demand mode) | ≈ PL |
|---|---|---|
| SIL 1 | ≥ 10⁻⁶ to < 10⁻⁵ | PL c (and part of b) |
| SIL 2 | ≥ 10⁻⁷ to < 10⁻⁶ | PL d |
| SIL 3 | ≥ 10⁻⁸ to < 10⁻⁷ | PL e |
| SIL 4 | ≥ 10⁻⁹ to < 10⁻⁸ | (not used in machinery) |

SIL 4 belongs to the process and rail worlds; machinery functions top out at SIL 3 (= PL e). IEC 62061 reaches its SIL via a SIL Claim Limit (SILCL) per subsystem, built from architectural constraints (the hardware fault tolerance, HFT, and the safe failure fraction, SFF) plus the PFHD. It is generally the better fit for complex, programmable, software-heavy safety systems; ISO 13849-1 is the better fit for conventional electromechanical and simpler architectures.

Both standards are listed as harmonised / valid for the Machinery Regulation, and as of the 2021/2024 revisions each now explicitly permits using the other's results — you can mix subsystems characterised in PL with subsystems characterised in SIL, as long as you convert through PFHD.

Here is the honest mapping, the table everyone wants:

| Performance Level (ISO 13849-1) | PFHD band (/h) | SIL (IEC 62061/61508) |
|---|---|---|
| PL a | 10⁻⁵ to < 10⁻⁴ | — (below SIL 1) |
| PL b | 3×10⁻⁶ to < 10⁻⁵ | SIL 1 (lower part) |
| PL c | 10⁻⁶ to < 3×10⁻⁶ | SIL 1 |
| PL d | 10⁻⁷ to < 10⁻⁶ | SIL 2 |
| PL e | 10⁻⁸ to < 10⁻⁷ | SIL 3 |

Safety rule: PL and SIL map through PFHD, but they are different design methods with different architecture rules. Choose one standard per project and stay in it. Quoting "PL d / SIL 2" on a datasheet is fine for components; running half your analysis in one method and half in the other is how mistakes hide.

The practical guidance: most machine builders default to ISO 13849-1 because SISTEMA and the Category model are intuitive and the component data is everywhere. Reach for IEC 62061 when the safety logic is genuinely complex — large safety PLC programs, lots of interacting functions, mixed technologies — where 62061's more rigorous treatment of systematic and software failures earns its keep.

Safety PLCs, safe I/O & safety fieldbuses

The logic layer of a modern robot cell is a safety PLC (or the safety processor inside the robot controller), with safe I/O modules, talking over a safety fieldbus. All of it is certified hardware — you do not build PL e logic out of a standard PLC.

A safety PLC differs from a standard PLC in that the whole device — dual processors running in lockstep with cross-checking, self-test on every scan, certified safety function blocks — is rated to a PL/SIL (typically PL e / SIL 3). You program it in a restricted, certified subset (often per IEC 61131-3 with a safety-qualified compiler and locked-down function blocks). The safety program is separate from, and protected against, the standard control program.

Safe I/O modules apply the same rigour to the edges: dual input channels with discrepancy monitoring (so a stuck or shorted contact is detected), test pulses on outputs to verify they can actually de-energize, and OSSD (output signal switching device) outputs that pulse-test continuously.
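
An added example (not code from Robo2u or from any safe I/O vendor) of the dual-channel discrepancy monitoring just described: both channels of a two-channel input must change state together within a discrepancy time, a longer disagreement latches a fault that only a manual reset clears, and the reset is refused while the channels still disagree. The discrepancy time, sample interval and the input traces are constructed.

```python
"""Two-channel safe input evaluation with discrepancy-time monitoring.

Added example, not code from Robo2u or any safe I/O vendor. A dual-channel
input (two NC contacts of an E-stop, two channels of a guard interlock) is
only "safe to run" when both channels agree; a stuck, shorted or miswired
channel shows up as a disagreement that outlasts the discrepancy time and is
latched as a fault. Timing values and sample traces are constructed.
"""


class DualChannelInput:
    def __init__(self, discrepancy_time_ms: int = 500):
        self.discrepancy_time_ms = discrepancy_time_ms
        self.mismatch_ms = 0      # how long the two channels have disagreed
        self.fault = False        # latched until reset()

    def evaluate(self, ch1: bool, ch2: bool, dt_ms: int) -> bool:
        """Feed one sample per channel (True = contact closed = safe to run).
        Returns the enable output: both channels closed and no latched fault."""
        if ch1 != ch2:
            self.mismatch_ms += dt_ms
            if self.mismatch_ms > self.discrepancy_time_ms:
                self.fault = True     # one channel failed to follow the other
        else:
            self.mismatch_ms = 0
        return (ch1 and ch2) and not self.fault

    def reset(self) -> bool:
        """Manual reset. Only honoured once both channels agree again;
        returns True if the fault was cleared."""
        if self.mismatch_ms == 0:
            self.fault = False
        return not self.fault


def run_trace(trace, discrepancy_time_ms: int = 500, dt_ms: int = 100):
    """Evaluate a list of (ch1, ch2) samples spaced dt_ms apart.
    Returns the list of enable outputs and whether a fault is latched at the end."""
    inp = DualChannelInput(discrepancy_time_ms)
    outputs = [inp.evaluate(c1, c2, dt_ms) for c1, c2 in trace]
    return outputs, inp.fault


if __name__ == "__main__":
    # constructed: a normal E-stop press, channel 2 lagging channel 1 by one 100 ms sample
    print(run_trace([(True, True), (True, True), (False, True), (False, False), (False, False)]))
    # constructed: channel 2 stuck closed while channel 1 opens -> fault after 500 ms
    print(run_trace([(True, True)] + [(False, True)] * 6))
```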

Safety fieldbuses carry safety data over standard industrial networks using the black channel principle: the safety protocol wraps each safety message in its own integrity layer — sequence numbers, time stamps/watchdogs, a safety CRC, and a unique connection ID — so the transport network underneath can be ordinary, uncertified, even shared with non-safety traffic. The safety layer detects corruption, repetition, loss, delay, insertion, and misrouting of messages on its own. The three dominant flavours:

  • PROFIsafe — the safety layer over PROFINET (and PROFIBUS). Certified to SIL 3 / PL e.
  • CIP Safety — the safety layer over EtherNet/IP (and DeviceNet). SIL 3 / PL e. The Rockwell / ODVA ecosystem.
  • FSoE (Fail Safe over EtherCAT / Safety over EtherCAT) — the safety layer over EtherCAT. SIL 3 / PL e. Common in motion-centric and robot systems for its low latency.

Safety rule: The black channel means the network's reliability is irrelevant to the safety integrity — the safety protocol detects every relevant communication fault itself. This is why you can run safety and standard traffic on one cable. But the safety endpoints (the F-Host and F-Devices) still carry the full PL/SIL, and the network's worst-case latency still counts against your stop-time budget.
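
To show what "the safety protocol detects every relevant communication fault itself" means mechanically, here is an added toy black-channel layer (not code from Robo2u, and not PROFIsafe, CIP Safety or FSoE, whose frame layouts, CRC polynomials and timing rules all differ). A producer wraps each message with a connection ID, a sequence number, a producer timestamp and a CRC; a consumer rejects corrupted, misrouted, repeated, missing, inserted or stale frames and drops into a latched safe state. Connection IDs, watchdog values and the injected faults are constructed.

```python
"""Toy black-channel safety layer: detecting corruption, repetition, loss,
insertion, delay and misrouting independently of the transport underneath.

Added example, not code from Robo2u, and not PROFIsafe, CIP Safety or FSoE
(their frame layouts, CRC polynomials and timing rules differ). It shows only
the mechanisms the text lists: a unique connection ID, a sequence number, a
producer timestamp checked against a watchdog, and a CRC over all of it.
Connection IDs, watchdog values and the injected faults are constructed.
"""
import struct
import zlib

# conn_id (u16) | seq (u32) | producer time in ms (u32) | payload length (u16)
HDR = ">HIIH"
HDR_LEN = struct.calcsize(HDR)   # 12 bytes


def build_frame(conn_id: int, seq: int, t_ms: int, payload: bytes) -> bytes:
    """Producer side: header + payload, followed by a CRC-32 over both."""
    body = struct.pack(HDR, conn_id, seq, t_ms, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyConsumer:
    """Consumer side for one safety connection. Any detected fault latches the
    safe state (the device drops to its safe output) until an explicit reset."""

    def __init__(self, conn_id: int, watchdog_ms: int):
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 0
        self.last_t_ms = None
        self.safe_state = False

    def _fault(self, name: str):
        self.safe_state = True
        return None, name

    def accept(self, frame: bytes, now_ms: int):
        """Return (payload, None) for a valid frame, or (None, fault_name)."""
        if self.safe_state:
            return None, "safe_state_latched"
        if len(frame) < HDR_LEN + 4:
            return self._fault("truncated")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return self._fault("corruption")          # bit errors anywhere in the frame
        conn_id, seq, t_ms, n = struct.unpack(HDR, body[:HDR_LEN])
        payload = body[HDR_LEN:]
        if len(payload) != n:
            return self._fault("corruption")
        if conn_id != self.conn_id:
            return self._fault("misrouting")          # frame meant for another connection
        if seq < self.expected_seq:
            return self._fault("repetition")          # old frame replayed or delivered twice
        if seq > self.expected_seq:
            return self._fault("loss_or_insertion")   # gap in the sequence
        if now_ms - t_ms > self.watchdog_ms:
            return self._fault("delay")               # stale data, even if otherwise intact
        self.expected_seq = seq + 1
        self.last_t_ms = t_ms
        return payload, None

    def check_watchdog(self, now_ms: int):
        """Call periodically: silence beyond the watchdog is itself a fault."""
        if self.safe_state:
            return "safe_state_latched"
        if self.last_t_ms is not None and now_ms - self.last_t_ms > self.watchdog_ms:
            return self._fault("delay")[1]
        return None


def probe(frame: bytes, now_ms: int, conn_id: int = 0x1234, watchdog_ms: int = 50):
    """Fresh consumer, one good frame (seq 0), then the probe frame; returns its fault name."""
    c = SafetyConsumer(conn_id, watchdog_ms)
    c.accept(build_frame(conn_id, 0, 0, b"\x01"), now_ms=5)
    return c.accept(frame, now_ms)[1]


if __name__ == "__main__":
    good = build_frame(0x1234, 1, 20, b"\x01")
    corrupted = bytearray(good)
    corrupted[-5] ^= 0x01                     # flip one payload bit
    print(probe(good, 30), probe(bytes(corrupted), 30), probe(good, 100))
```

Note what the transport never sees: nothing here depends on the Ethernet, PROFINET or EtherCAT layer being trustworthy, which is why it can be shared with standard traffic. What the transport still controls is how late a valid frame arrives, and the watchdog turns that into the delay fault, so network latency lands in the stop-time budget exactly as the safety rule says.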

That last point bites people: the fieldbus adds latency to the safety function's reaction time, and that latency goes straight into the ISO 13855 distance calculation below. A 30 ms scanner response plus a 20 ms network round-trip plus a 200 ms stop time is a 250 ms total — and at 1.6 m/s walking speed that's 0.4 m of travel you must account for. For more on how these networks behave and their determinism, see industrial automation: PLC, SCADA & fieldbus.

Minimum distance & guard placement (ISO 13855)

A light curtain or scanner is only as good as its placement. The whole point is that the machine reaches a safe state before the body part reaches the hazard. ISO 13855 gives the formula for the minimum standoff distance:

S = (K × T) + C

where
  S = minimum distance (mm) from the detection zone to the hazard
  K = approach speed of the body part (mm/s)
        — 2000 mm/s for hand/arm approach (perpendicular, normal case)
        — 1600 mm/s often used for walking/whole-body approach
  T = total system stopping time (s)
        T = t1 (detection + safety system response) + t2 (machine stop time)
  C = intrusion distance (mm) — how far a body part can reach
        through/past the field before detection

The C term is where light curtains and scanners diverge sharply, because it depends on the detection capability (resolution) of the device:

  • For a light curtain detecting fingers/hands (resolution d ≤ 40 mm), the perpendicular intrusion term is C = 8 × (d − 14) mm, with C not less than 0. A 14 mm finger curtain gives C = 0; a 30 mm curtain gives C = 128 mm.
  • For body-detection devices with resolution > 40 mm (and for floor-mounted scanners), C is larger — a flat 850 mm for reaching over a horizontal scanner field, and additional height-dependent terms for scanners detecting an approaching person standing up.

A worked perpendicular hand-approach case, vertical light curtain, d = 14 mm:

K = 2000 mm/s        (hand/arm approach)
T = t1 + t2 = 0.030 s (ESPE response) + 0.250 s (robot SS1 stop) = 0.280 s
C = 8 × (14 − 14) = 0 mm

S = (2000 × 0.280) + 0 = 560 mm

→ The light curtain plane must sit at least 560 mm from the nearest hazard.

Now make the curtain coarser (30 mm hand resolution) and watch the distance jump:

C = 8 × (30 − 14) = 128 mm
S = (2000 × 0.280) + 128 = 688 mm

Safety rule: If you measured the machine's stop time once at commissioning and never again, your distance is fiction. Stop time degrades as brakes wear, hydraulics age, and loads change. ISO 13855 standoff is only valid against the current stopping performance — measure it periodically with a stop-time analyzer and re-derive S.

Two more traps. First, the stopping time T must be the worst case — heaviest load, full speed, fastest approach geometry. Second, you must prevent reaching over, under, or around the field; the perpendicular formula assumes straight-on approach, and a low light curtain you can step over or reach above is worthless. ISO 13855 has additional terms for angled and parallel approach — use them.
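To make the standoff calculation repeatable (and re-runnable after every stop-time measurement), here is an added example that is not part of the guide: it implements S = K × T + C with the intrusion-term rules given above, the 8 × (d − 14) hand/finger term clamped at zero for d ≤ 40 mm, and the flat 850 mm body-detection term with K = 1600 mm/s for coarser devices. Times are in whole milliseconds so the guide's worked numbers come out exactly.

```python
# Added example, not from the guide: ISO 13855 standoff S = K*T + C using the
# intrusion-term rules the text gives for a vertical detection field.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Standoff:
    k_mm_s: int    # approach speed K used (mm/s)
    t_ms: int      # total stopping time T = t1 + t2 (ms)
    c_mm: int      # intrusion distance C (mm)
    s_mm: int      # minimum distance S (mm), rounded up


def intrusion_c_mm(resolution_mm: int) -> int:
    """C for perpendicular approach to a vertical light curtain/ESPE."""
    if resolution_mm <= 40:
        # finger/hand detection: C = 8 * (d - 14), never below zero
        return max(0, 8 * (resolution_mm - 14))
    # body detection (d > 40 mm): flat 850 mm allowance
    return 850


def approach_speed_mm_s(resolution_mm: int) -> int:
    """K: hand/arm approach for d <= 40 mm, whole-body approach above."""
    return 2000 if resolution_mm <= 40 else 1600


def min_distance(resolution_mm: int, t1_ms: int, t2_ms: int) -> Standoff:
    """t1 = detection + safety-system response, t2 = machine stop time."""
    t_ms = t1_ms + t2_ms
    k = approach_speed_mm_s(resolution_mm)
    c = intrusion_c_mm(resolution_mm)
    s = math.ceil(k * t_ms / 1000 + c)   # K [mm/s] * T [ms] / 1000 -> mm
    return Standoff(k, t_ms, c, s)


def standoff_still_valid(installed_mm: int, resolution_mm: int,
                         t1_ms: int, t2_measured_ms: int) -> bool:
    """Re-check a commissioned standoff against a newly measured stop time."""
    return installed_mm >= min_distance(resolution_mm, t1_ms, t2_measured_ms).s_mm


if __name__ == "__main__":
    # the guide's worked case: 14 mm curtain, 30 ms ESPE + 250 ms SS1 stop
    print(min_distance(14, 30, 250))                # S = 560 mm
    print(min_distance(30, 30, 250))                # coarser curtain: S = 688 mm
    # brakes wore and the measured stop time grew to 290 ms (constructed value)
    print(standoff_still_valid(560, 14, 30, 290))   # False: the 560 mm install is short
```

Run `standoff_still_valid` against each periodic stop-time measurement; a False result means the curtain must move back or the stop time must be restored before the cell runs.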

Cobots & collaborative safety vs traditional guarding

Collaborative operation does not delete the safety case. It replaces separation in space (a fence) with separation in time, or with biomechanical force limits — and both replacements are harder to validate than a fence, not easier. The four collaboration modes (defined in ISO 10218-2, detailed in ISO/TS 15066 and now in ISO 10218:2025):

| Mode | Mechanism | Human–robot contact | Key safety function | Standard limit |
|---|---|---|---|---|
| Safety-rated monitored stop (SRMS) | Robot stationary (Cat 2 / SOS, power on) while human is present | Only when robot stopped | SOS + presence detection | Robot motion = 0 while human in workspace |
| Hand guiding (HG) | Operator moves the robot via a safety-rated guiding device + enabling switch | Yes — via the handle | SLS + enabling device + emergency stop | Safety-rated reduced speed (e.g. 250 mm/s) |
| Speed & separation monitoring (SSM) | Robot speed scales with measured distance to human; stops if too close | No — separation maintained | SLS + safety-rated distance sensing | Protective separation distance maintained continuously |
| Power & force limiting (PFL) | Contact forces/pressures held below biomechanical limits | Yes — intended or incidental | Safe force/torque monitoring | ISO/TS 15066 force & pressure tables, 29 body regions |

The PFL force limits are the part that makes collaboration quantitative. ISO/TS 15066 publishes maximum permissible quasi-static (clamping) and transient (free-impact) forces and pressures for 29 body regions — the skull/forehead being the most restrictive at roughly 130 N quasi-static. You validate against them physically, with a calibrated force/pressure gauge, at the actual speed and with the actual end effector and workpiece. A spreadsheet does not close a PFL safety case; a force measurement does.

The SSM separation distance is essentially the ISO 13855 logic generalised to a moving robot: the protective separation distance must account for the robot's stopping distance, the human's approach speed, the sensor latency, and the robot's own contribution to closing speed. It scales dynamically with the robot's velocity.
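As an added example (not from the guide or any vendor's controller), the following writes out that generalisation in the ISO/TS 15066 form Sp = Sh + Sr + Ss + C + Zd + Zr and inverts it to the speed a measured distance still permits, which is the scaling the SSM mode performs. The reaction time, stopping time and position uncertainties are assumed values for illustration; the robot's stopping travel is taken conservatively at full speed over the stopping time.

```python
# Added example, not from the guide: SSM protective separation distance as a
# function of robot speed, and the robot speed a measured distance permits.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SsmParams:
    v_human_mm_s: int = 1600   # human approach speed (ISO 13855 whole-body value)
    t_reaction_ms: int = 100   # sensor + safety-controller latency (assumed)
    t_stop_ms: int = 300       # robot stopping time after the stop command (assumed)
    c_mm: int = 0              # intrusion distance of the detection device
    z_d_mm: int = 100          # sensor's human-position uncertainty (assumed)
    z_r_mm: int = 20           # robot position uncertainty (assumed)


def protective_separation_mm(v_robot_mm_s: int, p: SsmParams = SsmParams()) -> int:
    """Sp = Sh + Sr + Ss + C + Zd + Zr.

    Sh: distance the human closes during reaction + stopping time
    Sr: robot still at full speed during the reaction time
    Ss: robot travel while stopping, taken conservatively at full speed
    """
    t_total_ms = p.t_reaction_ms + p.t_stop_ms
    s_h = p.v_human_mm_s * t_total_ms / 1000
    s_r = v_robot_mm_s * p.t_reaction_ms / 1000
    s_s = v_robot_mm_s * p.t_stop_ms / 1000
    return math.ceil(s_h + s_r + s_s + p.c_mm + p.z_d_mm + p.z_r_mm)


def allowed_robot_speed_mm_s(measured_distance_mm: int,
                             p: SsmParams = SsmParams()) -> int:
    """Largest robot speed with Sp <= measured distance; 0 means protective stop."""
    t_total_ms = p.t_reaction_ms + p.t_stop_ms
    fixed = p.v_human_mm_s * t_total_ms / 1000 + p.c_mm + p.z_d_mm + p.z_r_mm
    margin = measured_distance_mm - fixed
    if margin <= 0:
        return 0
    return math.floor(margin * 1000 / t_total_ms)


if __name__ == "__main__":
    for v in (0, 250, 1000):
        print(v, "mm/s ->", protective_separation_mm(v), "mm")     # 760, 860, 1160
    for d in (700, 1160, 2000):
        print(d, "mm ->", allowed_robot_speed_mm_s(d), "mm/s")    # 0, 1000, 3100
```

Note that even a stationary robot needs 760 mm here: the human's own approach during the reaction and stopping time, plus the uncertainties, never drop out of the budget.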

Safety rule: "Collaborative" describes an application validated by risk assessment, not a robot you bought. The end effector, the workpiece, and the actual run speed all leave the collaborative envelope independently — a force-limited arm holding a knife, a hot part, or a sharp blank is not a collaborative application. Re-validate whenever any of them changes.

The honest deployment reality: a large fraction of "cobots" in production run fenced, at full speed, used purely as cheap, easy-to-program light industrial arms — a completely legitimate choice that is simply not collaborative operation. The full treatment, including the biomechanical tables and the joint hardware that makes contact sensing possible, is in collaborative robots (cobots); the conventional six-axis arm and its guarding live in industrial robot arms.

AMR / mobile machine safety (ISO 3691-4, R15.08)

A robot that moves through shared floor space is a different animal. There is no fence to stand behind because the hazard zone travels with the machine. Mobile machines get their own Type C standards: ISO 3691-4 (driverless industrial trucks and their systems) in the international regime, and ANSI/RIA R15.08 (industrial mobile robots) in the US — the latter created precisely because the existing R15.06 (fixed robots) and the truck standards didn't cleanly cover AMRs carrying manipulators.

The core safety function for an AMR is safety-rated speed and obstacle detection via safety laser scanners (IEC 61496-3) whose protective fields scale with speed: the faster the vehicle, the longer its stopping distance, so the protective field must extend further ahead. A well-designed AMR switches field sets dynamically — a long forward field at speed, narrowing on turns, a tight field at creep speed near a docking station. The scanner detects a person or obstacle and commands a safety-rated stop with a stopping distance the field was sized to cover, accounting for the loaded mass (a laden AMR stops slower than an empty one).

Other mobile-specific functions: safety-rated speed limiting (SLS analogue), tip-over and load stability, safe steering/braking, and — where the AMR carries a manipulator — the full ISO 10218 arm safety case on top of the mobile base case, because the arm can reach a person the base scanner doesn't see. That composite (mobile base + manipulator) is exactly what R15.08 was written to address.

Safety rule: An AMR's safe stopping distance is a function of speed and payload and floor friction. The scanner protective field must be sized for the worst-case combination, and the field set must change with commanded speed. A fixed field sized for empty-and-slow is unsafe the moment the vehicle is loaded-and-fast.

The detailed treatment of AMR/AGV navigation, drivetrains, and safety architecture is in mobile robots: AMR & AGV.

Validation, documentation & CE compliance

Designing the safety functions is half the job. Proving they work — and recording the proof — is the other half, and it is the half that separates a real safety system from a hopeful one.

Validation (ISO 13849-2 / IEC 62061) is the systematic confirmation, by analysis and testing, that every safety function performs as specified and reaches its required PL/SIL. It is not a code review and it is not a calculation. It includes:

  • Verification of the PL/SIL calculation — the SISTEMA file or equivalent, with the real component data, MTTFD, DC, CCF, confirming achieved PL ≥ PLr for every function.
  • Functional testing — trip each safeguard and confirm the correct stop category and reaction. Open the gate, break the curtain, violate the scanner field, press every E-stop.
  • Fault injection — this is the part people skip and shouldn't. For Category 3/4 functions you must demonstrate single-fault behaviour: short a channel, disconnect a wire, force a contact, and confirm the function still performs (Cat 3) and/or the fault is detected (Cat 3/4). If a single fault silently defeats your "redundant" function, it was never Category 3.
  • Stop-time measurement — measure the actual total stopping time with a stop-time analyzer, under worst-case load and speed, and confirm the ISO 13855 standoff distances are still valid against it.
  • Environmental and EMC — confirm the safety functions hold up under the temperature, vibration, and electrical noise of the real installation.

Documentation is the technical file: the risk assessment, the list of safety functions with their PLr/SIL targets and achieved values, the validation records, the wiring and circuit diagrams of the safety system, the stop-time measurements, and the component certificates. This is your evidence, and in the event of an incident it is what an investigator (and a court) will read.

CE compliance under the EU Machinery Regulation 2023/1230 (applicable from 20 January 2027, replacing Directive 2006/42/EC): the integrator of the robot cell is the manufacturer of the machine, responsible for the assembly's conformity even though the robot arm arrived with its own partial documentation (a Declaration of Incorporation for partly completed machinery). You assess the whole cell against the essential health and safety requirements, compile the technical file, issue the Declaration of Conformity, and affix the CE mark. Some machinery in the Regulation's higher-risk categories requires involvement of a Notified Body — check whether your configuration falls in scope.

Safety rule: The CE mark certifies the cell as integrated and installed, not the robot you unboxed. The robot vendor's documentation gets you to a partly completed machine; the integrator owns the conformity of the finished cell — including every modification made after commissioning. Change the gripper or move a scanner, and the conformity argument must be revisited.

In the US the equivalents are NFPA 79 (electrical), ANSI/RIA R15.06 for the robot, and the risk-assessment discipline of ANSI B11. Different paperwork, same engineering. The standards diverge in administrative detail; the physics of a 50 kg payload at 2 m/s does not care which continent you are on.

Frequently asked questions

Is a CE-marked robot safe to use out of the box? No. CE on the robot covers the robot as a component (often as partly completed machinery with a Declaration of Incorporation). The cell — robot plus end effector, workpiece, guarding, and layout — is a new machine that the integrator must assess and CE-mark in its own right. The robot's CE mark is necessary, not sufficient.

What's the difference between an emergency stop and a protective stop? An emergency stop is a manual, last-resort complementary measure (the red mushroom), Category 0 or 1, requiring manual reset — you cannot rely on a human to press it in time, so it is never a primary safeguard. A protective (safeguarded) stop is the automatic stop triggered by a safeguard (curtain, gate, scanner); it is the workhorse safety function and may auto-resume or require reset depending on the mode.

Do stop categories tell me how fast the machine stops? No — they describe how power is handled. Category 0 removes power immediately (uncontrolled stop, motor coasts). Category 1 brakes under power then removes it (controlled stop, then power off). Category 2 brakes and keeps power (controlled stop, machine stays energized). Stopping time is a separate measured quantity that feeds the ISO 13855 distance.

Is STO the same as an emergency stop? No. STO (Safe Torque Off, IEC 61800-5-2) is the drive function that removes torque-producing energy — it is the mechanism underneath a Category 0 stop. STO does not decelerate a load; on a vertical or high-inertia axis you need SS1 (controlled ramp then STO) or a safe brake, or the load drops/coasts dangerously.

How do I choose between ISO 13849 (PL) and IEC 62061 (SIL)? Both are valid for machinery and now interoperate via PFHD. ISO 13849-1 (PL, with SISTEMA and the Category model) is the intuitive default for conventional and simpler architectures — most machine builders use it. IEC 62061 (SIL) is the better fit for complex, programmable, software-heavy safety systems where its rigorous treatment of systematic and software faults earns its keep. Pick one per project and stay in it.

What PL does a robot protective stop usually need? It comes out of the risk assessment, but most robot protective stops and E-stops land at PLr = d (≈ SIL 2), and high-exposure, unavoidable, serious-injury hazards push to PLr = e (≈ SIL 3). Low-exposure functions can be PL c. Never assume — derive it from the ISO 13849-1 risk graph.

Why can't I just buy a PL e safety relay and be done? Because PL is an end-to-end property of the whole function — sensor + logic + actuator in series. A PL e controller wired to a single-channel Category B sensor is a Category B function. The achieved PL is set by the weakest subsystem and the architecture (Category, MTTFD, DC, CCF), not by any single component's rating.

How far does a light curtain need to be from the hazard? Use ISO 13855: S = K·T + C. With K = 2000 mm/s (hand approach), a total stop time T of, say, 0.28 s, and a 14 mm-resolution curtain (C = 0), S ≈ 560 mm. Coarser resolution increases C and pushes the curtain further back. Re-derive whenever stop time changes — and measure stop time periodically.

Does a safety fieldbus need a special, ultra-reliable network? No — that's the point of the black channel. The safety protocol (PROFIsafe, CIP Safety, FSoE) wraps each message in its own integrity layer (sequence number, watchdog, safety CRC, connection ID) and detects corruption, loss, delay, repetition, and misrouting itself, so it runs over ordinary networks shared with standard traffic. But the network's worst-case latency still counts against your stop-time budget.

Are collaborative robots inherently safer than fenced robots? No — they shift the safety case rather than remove it. PFL replaces separation with biomechanical force limits you must validate physically; SSM replaces fences with safety-rated scanners. Both are harder to validate than a fence. The end effector, workpiece, and run speed each leave the collaborative envelope independently. Many "cobots" run fenced at full speed in practice.

What's different about AMR safety? The hazard zone travels with the machine, so there's no fence. ISO 3691-4 (and R15.08 in the US) require safety-rated obstacle detection via scanners whose protective fields scale with speed and account for loaded stopping distance, plus tip-over/stability and safe braking. An AMR carrying a manipulator stacks the ISO 10218 arm case on top of the mobile base case.

What does validation actually require — is the calculation enough? No. ISO 13849-2 / IEC 62061 require functional testing and fault injection: trip every safeguard, confirm the correct stop, and for Category 3/4 prove single-fault behaviour by injecting faults (short a channel, pull a wire) and confirming the function still performs and/or detects the fault. Plus a measured stop time. An unverified calculation is a wish, not validation.

Related guides