ISO 10218 and ISO/TS 15066: robotics and cobot safety
Industrial robots and collaborative robots placed on the EU market are machinery within the meaning of Directive 2006/42/EC, then Regulation (EU) 2023/1230 from 20 January 2027. The harmonised reference for safety is the ISO 10218 series: part 1 covers the robot itself, part 2 covers the integration of the robot into a cell or a line. The 2025 revisions of ISO 10218-1 and ISO 10218-2 replaced the 2011 editions and started absorbing the collaborative material previously held in ISO/TS 15066:2016. This guide walks through scope (industrial robot, robot system, cobot), the four collaborative operation modes (Safety-rated Monitored Stop, Hand Guiding, Speed and Separation Monitoring, Power and Force Limiting), biomechanical limits per body region, the functional safety chain via ISO 13849-1 PLr a-e or IEC 62061 SIL CL, the articulation with Machinery, the US route under ANSI/RIA R15.06 and R15.08, mobile robots under ISO 3691-4, EMC and cybersecurity (IEC 62443), and the recurring pitfalls observed in cell validation.
Scope: robot, robot system, robot application
Three concepts must be distinguished from the outset, because they govern who carries the CE marking and which part of ISO 10218 applies.
| Object | Definition (ISO 10218) | Standard | Who declares conformity |
|---|---|---|---|
| Industrial robot | Multipurpose manipulator with multiple degrees of freedom and its controller | ISO 10218-1 | Robot manufacturer |
| Robot system | Robot plus end-effector, workpiece, auxiliary equipment, peripheral devices | ISO 10218-2 | Integrator |
| Robot application | Robot system plus the production task, layout and operating procedures | ISO 10218-2 | Integrator or end user |
A bare robot sold without an end-effector and without an application is typically supplied as partly completed machinery under Annex II 1 B of Directive 2006/42/EC, with a declaration of incorporation and assembly instructions. The integrator that builds the cell becomes the manufacturer of the final machine and carries the CE marking. The articulation with the broader EU framework is detailed in the Machinery Directive guide.
ISO 10218-1: the robot itself
ISO 10218-1 lays down the safety requirements that the robot manufacturer designs into the product. The 2025 edition restructured the document around explicit safety functions and integrated several concepts previously held in ISO/TS 15066.
Mandatory safety functions
| Function | Purpose | Typical PLr |
|---|---|---|
| Protective stop | Bring the robot to a stop on an external stop signal, with power kept available | PLd Cat 3 |
| Emergency stop | Independent stop with removal of power, per EN ISO 13850 | PLe Cat 3 or 4 |
| Safety-rated monitored stop | Stop the robot motion while keeping drives energised, for collaborative operation | PLd Cat 3 |
| Safety-rated speed limit | Limit the TCP or axis speed below a safety-validated threshold | PLd Cat 3 |
| Safety-rated soft axis limiting | Limit axis range below the mechanical end-stop, software-based with safety rating | PLd Cat 3 |
| Safety-rated input and output | Dedicated safety I/O for fences, light curtains, mats, with dual-channel monitoring | PLd Cat 3 |
The teach pendant is a specific concern: it must include an enabling device with three positions (pressed lightly to enable motion, fully released or fully pressed to stop), an emergency stop, and a hold-to-run motion command for manual high-speed operation. The 2025 edition also tightens requirements on indication of the active operating mode (automatic, manual, manual high speed).
Operating modes
Three operating modes are recognised:
- T1, manual reduced speed: TCP speed limited to a safety-validated value (commonly cited at 250 mm/s, the figure to be re-confirmed by risk assessment) for teaching and programming with the operator inside the safeguarded space.
- T2, manual high speed: full speed in manual control, restricted to qualified personnel, requires explicit risk assessment and supplementary safeguarding.
- Automatic: full speed under program control, operator outside the safeguarded space, perimeter safeguarding active.
The transition from one mode to another is itself a safety-rated function. A key switch or equivalent restricts mode selection to authorised personnel.
ISO 10218-2: the robot system and integration
ISO 10218-2 addresses the cell. The integrator combines the robot, the end-effector, the workpiece, the safeguarding devices and the layout into a single machine, then performs an integration-level risk assessment under ISO 12100.
Safeguarding hierarchy
The standard restates the design hierarchy of ISO 12100 in the robotic context:
- Inherent design: layout that puts hazardous motion out of operator reach, fixed guards, soft envelope (collision avoidance by design).
- Engineering controls: fixed and movable interlocked guards per EN ISO 14120 and EN ISO 14119, light curtains per IEC 61496, safety laser scanners per IEC 61496-3, pressure-sensitive mats and edges.
- Administrative controls: procedures, training, signage, work permits.
- Personal protective equipment.
A purely fenceless cell is possible only if the residual risk has been driven down through inherent design and engineering controls (typically SSM or PFL); administrative controls alone are not a substitute.
Safety distances and reach
Where light curtains, scanners or sensitive mats define the protective stop trigger, EN ISO 13855 governs the minimum distance between the detection plane and the hazard, computed from the body or hand approach speed and the worst-case stop time. A common pitfall is to underestimate the stop time once the robot is loaded with a heavy EOAT, which leaves the curtain closer to the hazard than is safe.
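The minimum-distance check behind this pitfall, as an added example that is not part of the original guide: it applies the S = K × T + C form of EN ISO 13855 to a vertical light curtain and rechecks the installed distance after a heavier EOAT lengthens the stop time. The constants follow the 2010 edition for a detection capability of up to 40 mm and, like the sample timings and function names, are assumptions to confirm against the edition applied to the cell.

```python
# Added example, not from the guide. Constants are assumptions taken from the
# EN ISO 13855:2010 formula for a vertical light curtain with resolution <= 40 mm.
K_HAND_MM_S = 2000   # approach speed tried first
K_BODY_MM_S = 1600   # approach speed used when the first result exceeds 500 mm
SWITCH_MM = 500      # threshold at which K changes, also the floor after the change
FLOOR_MM = 100       # absolute minimum distance


def overall_stop_time_ms(sensor_ms: int, controller_ms: int, robot_ms: int) -> int:
    """T covers the whole chain: detection, safety logic, then the robot stopping."""
    return sensor_ms + controller_ms + robot_ms


def min_distance_mm(stop_time_ms: int, resolution_mm: float) -> float:
    """Minimum distance S = K*T + C from the detection plane to the hazard zone."""
    if stop_time_ms <= 0:
        raise ValueError("stop time must be positive")
    if not 0 < resolution_mm <= 40:
        raise ValueError("this form only covers a resolution of up to 40 mm")
    c = max(8.0 * (resolution_mm - 14.0), 0.0)   # intrusion allowance C
    s = K_HAND_MM_S * stop_time_ms / 1000 + c
    if s > SWITCH_MM:
        s = max(K_BODY_MM_S * stop_time_ms / 1000 + c, SWITCH_MM)
    return max(s, FLOOR_MM)


def check_curtain(installed_mm: float, stop_time_ms: int, resolution_mm: float) -> dict:
    """Compare the installed curtain distance with the distance now required."""
    required = min_distance_mm(stop_time_ms, resolution_mm)
    return {
        "required_mm": required,
        "shortfall_mm": max(required - installed_mm, 0.0),
        "ok": installed_mm >= required,
    }


# Constructed sample timings in milliseconds (not measurements from a real cell).
COMMISSIONED_MS = overall_stop_time_ms(20, 30, 250)   # light gripper at commissioning
HEAVY_EOAT_MS = overall_stop_time_ms(20, 30, 340)     # same cell, heavier EOAT

if __name__ == "__main__":
    for label, t_ms in (("commissioned", COMMISSIONED_MS), ("heavy EOAT", HEAVY_EOAT_MS)):
        print(label, check_curtain(installed_mm=650, stop_time_ms=t_ms, resolution_mm=30))
```

With these sample values a curtain installed at 650 mm passes at commissioning and falls short once the measured stop time grows by 90 ms.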
The emergency stop devices must be reachable from any position where an operator may be exposed. EN ISO 13850 sets a reach criterion frequently cited as the operator never being more than a step away from an e-stop; a 600 mm rule of thumb is widely used but not normative. The integrator confirms the reach via the cell-level risk assessment.
Cell validation
The integrator validates the cell before placing it on the market. The validation file holds:
- Drawing of the cell with hazard zones and safeguarding layout.
- Risk assessment per ISO 12100 with hazard list, severity, frequency, probability, retained measures.
- Safety function list with required PL, achieved PL, ISO 13849-2 validation method (or IEC 62061 verification).
- Functional tests of each safety function (e-stop, protective stop, light curtain trip, scanner field switching, mode selection).
- Measurement of stop time and stop distance under worst-case payload and speed.
- For PFL operation, force and pressure measurement per ISO/TS 15066 Annex A.
Collaborative operation: the four modes
ISO 10218-2 and ISO/TS 15066 define four collaborative operation modes. They can be combined in time and space within the same application.
| Mode | Principle | Typical use case |
|---|---|---|
| Safety-rated Monitored Stop (SMS) | The robot stops when the operator enters the collaborative space, motion resumes automatically when the operator leaves | Manual loading of a station, the robot waits, then resumes the cycle |
| Hand Guiding (HG) | The operator moves the robot via a guiding device with a three-position enabling device, drives kept under safety-rated speed limit | Teaching, lead-through programming, assisted handling |
| Speed and Separation Monitoring (SSM) | The robot maintains a protective separation distance from the operator, with safety-rated speed reduction as distance shrinks | Shared workspace with sporadic operator presence, safety scanner-based zoning |
| Power and Force Limiting (PFL) | The robot is designed and operated so that any contact stays below ISO/TS 15066 biomechanical limits | True cobot operation, no fence, intentional or accidental contact tolerated |
Most consumer-marketed "cobots" (UR, Doosan, Techman, Franka Emika, Yaskawa HC, Kuka iiwa, Fanuc CR / CRX) are designed for PFL and can also be configured for SSM. The mode is a property of the application, not of the robot: a PFL-capable robot operated at full speed with a heavy EOAT is no longer in PFL operation.
PFL biomechanical limits
ISO/TS 15066 Annex A holds tables of force and pressure limits per body region (skull, face, neck, shoulder, upper arm, forearm, hand, finger, thorax, abdomen, pelvis, thigh, knee, lower leg, foot). Two contact types are distinguished:
- Quasi-static (clamping) contact: the body part is trapped between the robot and a fixed surface, the energy is absorbed over a long duration.
- Transient (impact) contact: the body part is free to move away after impact, the energy is dissipated quickly.
The limits are lower for quasi-static than for transient contact for the same body region. The PFL design must demonstrate that, under worst-case payload, speed and tool geometry, neither quasi-static nor transient limits are exceeded. Measurements are performed with calibrated force and pressure sensors, typically with a layered cushion simulating the body region under test.
The Annex A values are presented in ISO/TS 15066 as provisional, derived from biomechanical research that continues to evolve. Some users adopt them as hard limits, others apply additional margins. Either way, traceability to the Annex A method is expected by surveillance.
Functional safety chain
Robot safety functions are designed and verified using one of two main functional safety frameworks.
ISO 13849-1 route
ISO 13849-1 structures safety-related parts of control systems by Performance Level (PL) from PLa (lowest) to PLe (highest), itself derived from category (B, 1, 2, 3, 4), MTTFd, diagnostic coverage and common cause failure protection. The required PL (PLr) is determined from severity, frequency and avoidability per the risk graph in Annex A.
For industrial robots, the typical mapping:
| Safety function | Typical PLr |
|---|---|
| Emergency stop | PLe |
| Protective stop | PLd |
| Safety-rated speed limit | PLd |
| Safety-rated soft axis limit | PLd |
| Safety-rated monitored stop | PLd |
| Enabling device | PLd |
Dual-channel category 3 architecture with diagnostic coverage above 90 percent is the standard implementation, typically using a Pilz, Sick, Siemens, Schmersal or B&R safety controller paired with safety-rated I/O modules.
IEC 62061 route
IEC 62061 covers the same safety functions through Safety Integrity Level Claim Limit (SIL CL) from SIL CL 1 to SIL CL 3, aligned with IEC 61508. The 2021 revision broadened the scope from electrical to all safety-related control systems, making the two routes (13849 and 62061) effectively interchangeable for most machinery applications. The mapping is approximate: PLd corresponds roughly to SIL CL 2, PLe to SIL CL 3.
For the foundational IEC 61508 framework behind both, see the IEC 61508 and SIL guide. For the automotive-specific application of functional safety, see the ISO 26262 guide.
EN ISO 10218 under Machinery: harmonisation and presumption
EN ISO 10218-1 and EN ISO 10218-2 are listed in the Official Journal of the European Union under Directive 2006/42/EC. Compliance with the listed editions of these standards confers presumption of conformity with the applicable Essential Health and Safety Requirements of Annex I. The OJEU listing is updated as new editions are published; the integrator verifies which edition is currently cited at the date of placing on the market.
The standards play the role of type-C standards in the ISO 12100 typology: they cover a defined machine category (industrial robots) and refer back to type-A (ISO 12100) for risk assessment and to type-B (ISO 13849-1, IEC 62061, IEC 61496, EN ISO 13855, EN ISO 14119, EN ISO 14120, EN ISO 13850) for transversal concepts and devices.
Under Regulation (EU) 2023/1230 applicable from 20 January 2027, EN ISO 10218 is expected to be re-cited in the new OJEU list. The regulation reshuffles the high-risk machinery list: industrial robots performing a safety function via AI may end up in the new Annex I high-risk category, triggering notified-body involvement.
US route: ANSI/RIA R15.06 and R15.08
In the United States, the reference is the ANSI/RIA R15.06-2012 standard, which is an adoption of ISO 10218-1 and -2 with US deviations. R15.06 is not federally mandatory in the way CE marking is in the EU, but it is the de facto industry baseline cited by OSHA, insurance carriers and end users.
| Aspect | EU (EN ISO 10218) | US (ANSI/RIA R15.06) |
|---|---|---|
| Legal status | Harmonised under Machinery, presumption of conformity | Voluntary consensus standard, OSHA general duty clause |
| Edition | 2025 (EN adoption of ISO 10218 2025 expected) | 2012 (adoption of ISO 10218 2011) |
| Mobile robots | ISO 3691-4 | ANSI/RIA R15.08 |
| Collaborative operation | ISO/TS 15066 absorbed into ISO 10218 2025 | TR R15.606 (US adaptation of ISO/TS 15066) |
A US-market cell is typically validated against R15.06 with a separate UL listing for the control panel electrical aspects (UL 508A or equivalent NRTL listing).
Mobile robots and AMR
Autonomous mobile robots and mobile manipulators sit outside the scope of ISO 10218 strictly speaking. Three reference standards cover the mobile side:
| Standard | Scope | Status |
|---|---|---|
| ISO 3691-4:2023 | Driverless industrial trucks (AGV, AMR for goods movement) | Current, replaced EN 1525 in the EU |
| ANSI/RIA R15.08 | Industrial mobile robots, US | Current, three parts (R15.08-1 the robot, R15.08-2 the system, R15.08-3 the user) |
| EN 1525 | Driverless industrial trucks | Withdrawn, superseded by ISO 3691-4 |
For a mobile manipulator (arm mounted on an AMR), the integrator applies ISO 10218 for the manipulator and ISO 3691-4 (or R15.08 in the US) for the mobile platform, with a unified risk assessment under ISO 12100. The interaction between manipulator motion and platform motion is the typical failure point: an arm in motion while the platform is also in motion can defeat both individual safety functions if the combined behaviour was not assessed.
EMC and cybersecurity
Industrial robots are subject to the EMC Directive 2014/30/EU. The relevant generic standards in industrial environments are EN IEC 61000-6-2 (immunity) and EN IEC 61000-6-4 (emission). For safety-related electronics, EN 61326-3-1 sets immunity requirements specific to safety functions, with reduced tolerated upsets compared to general industrial immunity. EMC failures of safety I/O can be missed in a generic 61000-6-2 test that ignores the safety implications; the 61326-3 family addresses that gap.
For the broader EMC framework, see the CE versus FCC EMC guide.
Cybersecurity
ISO 10218-1:2025 starts to require that safety functions cannot be modified via the network. The horizontal cybersecurity reference for industrial automation is the IEC 62443 series, which structures requirements across three actor levels:
- IEC 62443-2-1 and -2-4: operator and integrator security programmes,
- IEC 62443-3-3: system security requirements and security levels (SL 1 to SL 4),
- IEC 62443-4-1 and -4-2: secure development lifecycle and component security requirements (relevant to the robot manufacturer and PLC vendor).
Regulation (EU) 2023/1230 requires, from 20 January 2027, that machinery connected to a network cannot have its safety altered by a cyber attack (Annex III section 1.1.9). The Cyber Resilience Act, Regulation (EU) 2024/2847, adds a horizontal baseline for products with digital elements from 11 December 2027. The three texts (ISO 10218 / 62443, Machinery 2023/1230, CRA) coexist for a connected robot.
For radio-enabled robots (Wi-Fi, Bluetooth, 5G modem on board), the Radio Equipment Directive 2014/53/EU also applies, with cybersecurity articles 3(3)(d), (e) and (f) effective since 1 August 2025.
Risk assessment under ISO 12100
The integrator follows the three-step method of ISO 12100 already presented in the Machinery Directive guide:
- Hazard identification per lifecycle phase (commissioning, normal operation, teaching, fault clearance, cleaning, maintenance, dismantling).
- Risk estimation with severity (S1 light, S2 serious), frequency and duration of exposure (F1 rare, F2 frequent), and possibility of avoiding harm (P1 possible, P2 hardly possible).
- Risk evaluation and reduction by the design hierarchy, then re-estimation until tolerable.
For each safety function, the risk graph in ISO 13849-1 Annex A maps (S, F, P) onto a PLr from PLa to PLe. The integrator records the PLr, designs the function to achieve it, then validates the achieved PL with ISO 13849-2 fault analysis.
End-of-arm tooling: a recurring blind spot
EOAT (gripper, dispenser, welding torch, vision head) is supplied separately from the robot and is integrated by the system builder. Changes to the EOAT after cell commissioning are frequent and rarely re-assessed in full. The impact list:
- Mass and inertia: change the stop time, therefore the safety distance for light curtains and scanners.
- Geometry: change the contact area, therefore the pressure for a given force in PFL operation.
- Sharp or hot surfaces: introduce new hazards not covered by the original PFL force and pressure assessment.
- Energised tooling (electric, pneumatic, hydraulic): introduce additional hazards in the collaborative space (pinching, ejection, heat).
A change-management procedure must trigger a partial re-validation whenever the EOAT changes. Documenting EOAT versions in the cell technical file is the practical mitigation.
Common pitfalls
| Pitfall | Consequence | Mitigation |
|---|---|---|
| PFL force and pressure not measured under worst-case payload | Annex A limits exceeded in production conditions | Measure with calibrated sensor under maximum payload and speed |
| EOAT change after cell commissioning, no re-assessment | Previously compliant cell now non-conformant for PFL | Trigger partial re-validation on every EOAT change |
| SSM safety distance computed without worst-case stop time | Operator reaches hazard before robot stops | Measure stop time with loaded EOAT, recompute distance per EN ISO 13855 |
| E-stop reach not validated for all operator positions | Operator unable to reach e-stop in time | Map operator positions, install enough e-stop devices per EN ISO 13850 |
| Safety controller firmware updated without re-validation | Achieved PL no longer demonstrated, certificate invalidated | Lock safety controller configuration, version-control changes, repeat validation tests |
| Fenceless cell relying on administrative controls only | Risk reduction hierarchy violated, surveillance non-conformity | Add engineering control (SSM, PFL, light curtain), redo risk assessment |
| Conveyor interaction not covered (EN 619 ignored) | Trapping or shearing hazard at the cell boundary | Apply EN 619 for the conveyor side, integrate into the cell risk assessment |
| Mobile manipulator combined motion not assessed | Arm and platform safety functions defeated by their interaction | Treat the combined system in a single risk assessment under ISO 12100 |
| ISO 10218 2011 edition cited after 2025 OJEU update | Loss of presumption of conformity | Verify the OJEU citation at the date of placing on the market |
| Cybersecurity of safety network ignored | Annex III 1.1.9 (Regulation 2023/1230) not met from 2027 | Apply IEC 62443 segmentation and authentication for safety I/O |
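One way to implement the change-management trigger described under end-of-arm tooling and in the EOAT and safety controller firmware rows above, as an added example that is not part of the original guide: it compares the current cell state with the validated baseline and lists the validation-file tests to repeat. The field names, the configuration export format and the sample values are assumptions.

```python
import hashlib
import hmac
import json

# Tests to repeat per changed item, worded after this guide's validation-file list.
STOP_TIME = "stop time and stop distance under worst-case payload and speed"
DISTANCE = "safety distance recomputed per EN ISO 13855"
PFL = "PFL force and pressure measurement per ISO/TS 15066 Annex A"
FUNCTIONAL = "functional test of each safety function"
PL_VALIDATION = "achieved PL re-validated per ISO 13849-2"
HAZARDS = "risk assessment reviewed for new EOAT hazards"

RETEST = {  # hypothetical field names for the safety-relevant state of a cell
    "controller.firmware": [FUNCTIONAL, PL_VALIDATION],
    "controller.config_sha256": [FUNCTIONAL, PL_VALIDATION],
    "eoat.version": [HAZARDS],
    "eoat.mass_kg": [STOP_TIME, DISTANCE],
    "eoat.contact_area_mm2": [PFL],
}


def snapshot(firmware: str, config_export: bytes, eoat: dict) -> dict:
    """Flatten the safety-relevant state of the cell into comparable fields."""
    return {
        "controller.firmware": firmware,
        "controller.config_sha256": hashlib.sha256(config_export).hexdigest(),
        "eoat.version": eoat["version"],
        "eoat.mass_kg": eoat["mass_kg"],
        "eoat.contact_area_mm2": eoat["contact_area_mm2"],
    }


def seal(snap: dict) -> str:
    """Digest of the snapshot in canonical JSON, recorded in the technical file."""
    canonical = json.dumps(snap, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def revalidation_plan(baseline: dict, recorded_seal: str, current: dict) -> dict:
    """Compare the current cell with the validated baseline and list the retests."""
    if not hmac.compare_digest(seal(baseline), recorded_seal):
        raise ValueError("baseline does not match the seal in the technical file")
    changed = sorted(k for k in RETEST if baseline.get(k) != current.get(k))
    tests = []
    for key in changed:
        for test in RETEST[key]:
            if test not in tests:
                tests.append(test)
    return {"changed": changed, "tests": tests, "release": not changed}


# Constructed sample data (not from a real cell or a real controller export).
VALIDATED = snapshot("1.4.2", b"zone_a=stop\nspeed_limit=250\n",
                     {"version": "gripper-A", "mass_kg": 1.8, "contact_area_mm2": 400})
SEAL = seal(VALIDATED)
TODAY = snapshot("1.4.2", b"zone_a=stop\nspeed_limit=400\n",
                 {"version": "gripper-B", "mass_kg": 3.1, "contact_area_mm2": 400})

if __name__ == "__main__":
    plan = revalidation_plan(VALIDATED, SEAL, TODAY)
    print("changed:", ", ".join(plan["changed"]))
    for test in plan["tests"]:
        print("repeat:", test)
```

The seal only detects a baseline edited after validation if it is stored separately from the baseline, for example in the signed-off technical file.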
The spilma glossary defines the key terms (cobot, PFL, SSM, SMS, hand guiding, EOAT, PLr, SIL CL, partly completed machinery, declaration of incorporation).
Going further
- Machinery Directive 2006/42/EC and Regulation (EU) 2023/1230: the EU CE marking framework into which ISO 10218 fits.
- IEC 61508 and SIL: the foundational functional safety framework behind ISO 13849-1 and IEC 62061.
- ISO 26262 automotive functional safety: the neighbouring sector application.
- IEC 61010 laboratory and measurement equipment safety: the safety standard for lab and measurement equipment that often surrounds a robotic cell.
- Cyber Resilience Act: horizontal cybersecurity baseline applicable to connected robots from 2027.
- CE versus FCC EMC: EMC mapping for a robot placed on both EU and US markets.
Sources
- ISO 10218-1:2025, Robotics, safety requirements, part 1, industrial robots, ISO, www.iso.org/standard/73933.html
- ISO 10218-2:2025, Robotics, safety requirements, part 2, robot systems and integration, ISO, www.iso.org/standard/73934.html
- ISO/TS 15066:2016, Robots and robotic devices, collaborative robots, ISO, www.iso.org/standard/62996.html
- ISO 12100:2010, Safety of machinery, general principles for design, ISO, www.iso.org/standard/51528.html
- ISO 13849-1:2023, Safety-related parts of control systems, ISO, www.iso.org/standard/73481.html
- IEC 62061:2021, Functional safety of safety-related control systems, IEC, webstore.iec.ch/publication/59927
- ISO 3691-4:2023, Industrial trucks, driverless industrial trucks, ISO, www.iso.org/standard/82235.html