Industrial Robot Systems and Industrial Robot System Safety
Table of Contents:
- Basic Components of Industrial Robot Systems
- Structure of Industrial Robots
- Collaborative, Non-Collaborative, and Mobile Industrial Robot Applications
- Hazards Associated with Industrial Robot Applications
- Safety Considerations for Employers and Workers
- Safety Considerations for Robot Manufacturers
- Safety Considerations for Robot System Integrators
- Safety Considerations for Robot System Operators and Maintenance Workers
- Safety Considerations during Planning of the Robot Application
- General Safety Requirements
- Additional Safety Requirements for Collaborative Robot Systems
- Risk Assessments (RAs)
- Risk Reduction Measures
- Applicable OSHA and Industry Standards Regarding Industrial Robot System Safety
- Considerations for Evaluating Robotic Safety Systems
List of Appendices
This OSHA Technical Manual chapter is written to provide technical information to help to prepare OSHA compliance officers and others, who may be performing inspections and investigations at facilities with robot systems. This chapter is intended as a guide to robot systems found in industrial applications.
Industrial robots are used in place of a worker to perform dangerous or repetitive tasks with a high degree of accuracy.1 An industrial robot system includes not only the industrial robot but also the end-effector attached to the robot manipulator; computers, processors, and programs (i.e., the control system); power sources; sensors; and, sequencing or monitoring communication interfaces (i.e., input/output devices). See the Basic Components of Industrial Robot Systems section of this chapter for more information about these parts. See Appendix 1 Glossary for Robots and Industrial Robot Systems for common acronyms and definitions used in the robotics industry.
Industrial robot systems have many different uses such as for materials handling, assembly operations, arc and resistance welding, machine-tool loading and unloading functions, painting, spraying, inspecting, testing, packaging, labeling. The development and use of robot systems in industry continues to advance with more and more companies finding more and more uses. Advances in artificial intelligence2 have also boosted the abilities and uses of robot systems, especially in industrial applications.
The International Federation of Robotics (IFR) estimates that as of the end of 2018, there were more than 2 million robots in workplaces worldwide (more than 40,000 installed in 2018 in the United States alone), and the numbers continue to increase yearly (with an anticipated growth of 12 percent per year through 2022).3 As robot systems appear in more workplaces, more workers are exposed to them, including in industries that historically have not used robot systems, but where technological advancements have introduced such systems (e.g. restaurants/food services, agriculture, and delivery services).
This chapter is not an all-inclusive document. Robot systems other than those discussed in this chapter may be found during inspections. In those cases, and when questions arise, consult with the area office, regional office, or national office for assistance. The OSHA Health Response Team (HRT) at Directorate of Technical Support and Emergency Management's Salt Lake Technical Center is also available as needed.
II. Basic Components of Industrial Robot Systems
Industrial robot systems have four major components:
- Control system, or robot controller (includes interfaces for communication and input/output (I/O); power is supplied to the controller)
- Teach pendant
- When an end-effector (such as a gripper, etc.) is added to the industrial robot, the result is an industrial robot system (Figure IV-1).
The industrial robot system is then typically integrated with additional equipment, such as conveyors, elevators, worktables (with clamps – manual or automated), process equipment (e.g., welding, cutting, assembly, inspection) and other machines to comprise an industrial robot application.
The robot's physical structure is essentially the manipulator. This manipulator is comprised of a structural frame with provisions for supporting mechanical linkage and joints, guides, actuators (linear or rotary), control valves, sensors, and communications within the manipulator. The physical dimensions, reach, and payload (weight carrying ability) depend on robot model and application. The application requirements determine the needed specifications. These specifications can introduce hazards to workers who may be integrating, operating, and/or maintaining the robot application. See the Hazards Associated with Industrial Robot Applications section of this chapter for more about these hazards.
Industrial robot control systems, or robot controllers, consist of several parts, including a power source, sensors, input signals from the sensors to a computer or microprocessor (wired or wireless), programming functions, and output command signals back from the computer or microprocessor to the manipulator and/or end-effectors (wired or wireless).
Energy is provided to various robot sensors, actuators, and their controllers as electrical, pneumatic, or hydraulic power. These power sources can be hazardous to workers depending on the energy infeed(s) and/or the resulting energy produced (e.g. motion, stored energy). Hazardous energy can exist in internal components such as capacitors, springs, pressurized cylinders, and other energy sources. See the Hazards Associated with Industrial Robot Applications section of this chapter for more about these hazards.
The robot's drives are usually electrically powered. Selection of the robot system is usually based upon application requirements. For example, pneumatic power (typically 80-90 psi air) is often used for end-effectors, and hydraulic power can be used for associated processes. Consideration should be given to potential hazards of fires from leaks if flammable materials are used as the hydraulic fluid.
Electrically-powered robots are by far the most prevalent in industry. Either AC or DC electrical power can be used to supply energy to electromechanical drives, sensors, and the robot's respective control systems. Electrical motion control is superior compared to pneumatic and hydraulic. In an emergency, an electrically-powered robot can be stopped or powered down more safely and faster than those powered pneumatically or hydraulically.
Sensors are used in robot systems to sense the location of mechanical portions of the manipulator and/or the end-effector, as well as to sense the location of objects exterior to the robot. Advancements in robot systems and in artificial intelligence would not be possible without advancements in sensor technology. Types of sensors available include (but are not limited to):
- Contact sensors, which require physical contact against an object. These include limit switches, button switches, bumper switches, touch sensors, etc. These sensors are easily implemented but require physical contact to actuate.
- Light sensors, which detect changes in light. These sensors include photovoltaic sensors and photoresistor sensors.
- Optical sensors, which are camera-based.
- Ultrasonic sensors, which emit ultrasonic pulses, that when contacting an object, bounce the signal back to the sensor.
- Proximity sensors, which can detect an object within a given distance. This functionality can be provided by light sensors, ultrasonic sensors, capacitive sensors, inductive (magnetic) sensors, etc. These sensors will only actuate when an object is sensed within a predetermined distance.
- Distance sensors, which can measure the distance the sensor is away from an object. This technology is similar to proximity sensors, but rather than actuating only when an object is within a certain distance, these provide an output of the distance an object is from the sensor. These include laser range sensors, light sensors, ultrasonic sensors.
- Tilt sensors, which measure the tilt of the robot, end-effector, or object.
- Navigation sensors, which can detect the location of the robot, end-effector, or object by use of a GPS or other localization technology.
- Motion sensors (encoders, resolvers), which detect the motion of the robot or object.
- Other sensors. Sensors to detect pressure, temperature, acceleration, gyro, inertial measurement, humidity, or gas.
Sensors or sensor circuits that malfunction can create additional hazards to workers during interventions to correct or replace parts. Therefore, sensors need to be properly selected for the environment (long, reliable life) and be properly and routinely maintained. See the Hazards Associated with Industrial Robot Applications section of this chapter for more about these hazards.
Computers and Microprocessors
Either computers or embedded microprocessors are used for control of industrial robot systems. These perform the required computational functions as well as interface with and control associated sensors, end-effectors, and other associated peripheral equipment (robot, system, and application). The control system performs the necessary sequencing and memory functions for on-line sensing and integration of other equipment. Programming of the controllers can be done on-line or optionally at remote off-line control stations.
Self-diagnostic capability for troubleshooting and maintenance greatly reduces robot system downtime. Some robot controllers have sufficient capacity, in terms of computational ability, memory capacity, and input-output capability to serve also as application controllers and may handle other machines and processes. Programming of robot controllers and systems has not been standardized by the robotics industry, and manufacturers often use their own proprietary programming languages or techniques, which can require special training of the workers.
Advancements in artificial intelligence also make it possible for robot systems to adjust or change programming functions based on sensory input changes.
These advancements are helping workers and industries in many ways, but can also introduce additional hazards that need to be recognized and addressed. See the Hazards Associated with Industrial Robot Applications section of the chapter for more about these hazards.
Most robot systems are set up for application by programming using a teach pendant (a portable control device) while in manual mode. In manual mode, a trained worker (programmer) typically uses a teach pendant to teach a robot its task(s) manually. During the manual mode of operation, the programmer performing the teaching must have control of the robot and associated equipment and should be familiar with the operations to be programmed, system interfacing, and control functions of the robot system, application, and other equipment. When systems and/or applications are large and complex, it could be possible to improperly activate functions. Since the programmer doing the teaching can be within the restricted space, such mistakes can result in injuries. See the Hazards Associated with Industrial Robot Applications section of the chapter for more about the hazards.
End-effectors are sometimes referred to as End-of-Arm Tooling (EOAT). Many industrial robot systems use robots that can be equipped with different end-effectors as required for the application. Common end-effectors include grippers, pickers, welding torches, cutting and trimming tools, material removal tools, drilling tools, collision sensors, force-torque sensors, inspection equipment, cameras, and adhesive dispensers.
Hundreds of end-effectors are available on the market. As with other components of the robot system, end-effectors can introduce hazards to workers. See the Hazards Associated with Industrial Robot Applications section of the chapter for more about these hazards.
III. Structure of Industrial Robots
Industrial robots are available in a wide range of sizes, shapes, and structures for use in different systems and applications. They can also have different numbers of axes or degrees of freedom. These factors influence their working space (i.e., the volume of working or reaching space). Four typical robot structures are shown in Figure IV-2 and discussed below.
Articulated robots are robots with at least three rotary joints. The number of joints on the robot determines its range of motion, which in most cases is relatively free motion. These robots can reach any point in their working space, very similar to the motion of a worker's arm. These can be designed to handle light to heavy loads in industrial applications.
Selective Compliance Assembly, or Articulated, Robot Arm (SCARA) robots include two parallel rotary joints to provide compliance in a plane. That is, the arms are flexible in the XY axis, but are rigid in the Z-axis. These robots are typically used in assembly operations.
Cartesian robots are designed with joints and axes that allow the robot to operate in a Cartesian coordinate system (i.e., either two or three dimensional movement). These are also known as linear robots, XYZ robots, or gantry-style robots. They have a rigid structure that can carry heavy loads and include pick and place, loading and unloading, material handling, plotting, molding, and 3D printing.
Parallel robots are designed with chains, cables, rods, or other strands that connect to a single point or tool. Each chain, cable, rod, or strand is controlled separately. These robots can be used in a variety of applications including very high-speed pick and place, assembly, platform movements, etc.
IV. Collaborative, Non-Collaborative, and Mobile Industrial Robot Applications
Industrial robot systems and applications are further divided into collaborative and non-collaborative, based on the degree of interfacing capability with workers. A relatively new type of industrial robot is the mobile robot, which can navigate throughout the workplace.
Collaborative Industrial Robot Applications
Collaborative industrial robot applications,4 are those that are designed for direct interaction with workers.5 Although other definitions are found, which define robot applications that interact with other robots as collaborative, this chapter uses the definition that requires direct interaction with workers. Applications where robots interact with other robots are included in the non-collaborative group of industrial robot applications.
Non-Collaborative Industrial Robot Application
Non-collaborative industrial robot applications include all other types and structures of robots used in industry. They are designed without the need for direct interaction with workers and are typically separated from workers by means of traditional machine safeguarding.
Industrial Mobile Robots
Industrial Mobile Robots (IMRs) are introduced here because they can be either collaborative or non-collaborative. IMRs can navigate autonomously within their operating environment to reach specified locations, and are designed to automate transport tasks. They are integrated with other technologies that identify obstacles that can hinder their trajectory, and can use obstacle avoidance and/or collision avoidance to prevent possible impacts.
In contrast with an industrial truck, an IMR is not intended for a seated or standing driver and does not transport drivers or passengers.
Industrial robot systems can be mounted to an IMR, enabling a manipulator-based robot system that is mobile and capable of moving from one application (or use) to another.
IMRs can be used as single units or in IMR fleets.
V. Hazards Associated with Industrial Robot Applications
The hazards associated with industrial robot systems are best categorized based on the industrial robot system's application, or the application for which it was designed, as well with the stage of the robot application.
Robot Application Hazards
Hazards can be grouped into the following major types:
Impact, Collision, or other "Struck-by/Caught-between" Hazards
Unpredicted or unexpected movements, component malfunctions, or unexpected program changes related to the robot manipulator, end-effector, or peripheral equipment can result in contact injuries. An IMR could also drive into a worker, similar to struck-by/caught-between hazards posed by vehicles.
Crushing and Trapping Hazards
Similar to above, a worker's limb or other body part can be trapped within or between a robot, end-effector, or workpiece and another robot, or other peripheral equipment, resulting in potential crushing injuries.
Struck-by Projectiles Hazards
Similar to above, the breakdown of the end-effector, workpiece, peripheral equipment, or its power source is a mechanical failure. Parts release, gripper mechanism failure, or end-effector power tool failure (e.g., grinding wheels, buffing wheels, deburring tools, power screwdrivers, and nut runners) are also sources for mechanical failure hazards and injuries.
Breakdown or fatigue failure of the robot manipulator is unlikely when the robot is maintained and used within its specifications.
A robot system's power supply and cords can present arc flash, shock, fire, and/or other electrical hazards and injuries.
Ruptured hydraulic lines can create dangerous high-pressure cutting streams and injury hazards from whipping hoses. Ruptures or leaks can also result in fires or worker exposures if the fluids are flammable, toxic, or otherwise hazardous.
Ruptured or leaking hydraulic lines can also result in pressure losses that could result in struck-by or crushing hazards if, for example, an arm drops on a worker.
Ruptured pneumatic lines can create injury hazards from whipping hoses.
- Slipping, Tripping, and Falling Hazards
Slipping, tripping and falling hazards and injuries are common in almost any workplace. Spills or leaks can result in slipping hazards. Equipment, power cables, and hoses can present tripping and falling hazards. General housekeeping is an element that should be maintained in all workplaces.
Hazards of the environment in which the robot application is operating such as, but not limited to: exposure to chemicals (including fumes, such as from welding), heat, hot surfaces, dust, overhead hazards, equipment orientation hazards, radiation or other potentially hazardous light, sparks, and noise.
Robot Application Hazards by Process
The hazards of industrial robot applications can occur during any of the stages or processes associated with the typical lifecycle.
Manufacturing the Robot Systems and Applications
The hazards associated with the manufacturing of individual parts for use in robot systems are specific to those industries. It is typically during the assembly, installation, and testing of the robot applications where many of the above listed hazards are introduced. The following hazards must be considered:
- Impact, struck-by and caught between hazards, or struck-by projectiles hazards. Assembly, installation, and testing are where workers are first exposed to the robot application. These stages are when errors in design, assembly, and installation will present themselves.
- Electrical, hydraulic, or pneumatic hazards. Assembly and installation can also result in termination or connection errors that may not be discovered until the initial testing.
- Other listed hazards are also possible depending on where and how the assembly, installation, and testing are being performed.
Integrating Robot Applications
The total functionality of the robot application often cannot be fully completed until the robot system is integrated for use in company facilities. The completed robot application should include any end-effectors, sensors, safeguarding, control equipment, or other fixtures needed for the robot application to perform its intended task(s). Some robot manufacturers and some users (employers) also act as the integrator of their robots by providing robot integration for specific applications.
This is often the first place where human interaction occurs in accordance with the robot's application. As a result, any of the hazards listed above are possible during the final assembly and integration process, and all must be considered.
Operating and Maintaining Robot Applications
The operational characteristics of robot applications can be significantly different from other machines and equipment. Robots are capable of high-energy (fast and/or powerful) movements through a large volume of space beyond the base dimensions of the robot (see Figure IV-3). However, even low-energy robots that look harmless (i.e., robots with payloads as low as 6-1/2 pounds or 3 kilograms) can be used in very dangerous applications.
The pattern and initiation of movement of the robot application is predictable if the item(s) being worked and the environment are held constant. However, it is typical for application programs to be complex with some movements or actions happening infrequently, such that they might be unexpected. Also, any change to the object being worked (i.e., a physical model change) or the environment can affect the movements and activities.
Key: 1 maximum space 5 end-effector 2 restricted space 6 manipulator 3 operating space 7 safeguarded space 4 workpiece 8 protective device or barrier (safety scanner shown)
Figure IV-3. Robot Application Spaces (Source: Robotics Industries Association, RIA)
As discussed above, collaborative robot applications are specifically designed for direct interaction with workers, which can increase the hazards and risks to workers involved with the specific application task(s).
Some workers (i.e., programmers, operators, maintenance) can be required to be within the restricted space while power is available to actuators, valves, sensors, end-effectors, or other energy sources. The restricted space of one robot application can also overlap a portion of the restricted space of other robot applications, or work zones of other industrial machines and related equipment. Thus, a worker can be hit by one robot system or workpiece while working on another, trapped between them or peripheral equipment, or hit by flying objects (projectiles) released by an end-effector or other materials.
A robot application of two or more programs can have the current operating program calling another existing program with different operating parameters such as velocity, acceleration, deceleration, or position within the robot's restricted space. This occurrence might not be expected by workers performing other functions within the robot's restricted space.
Although robot applications are equipped with safety functions that monitor and/or limit robot capabilities such as speed, position, acceleration, etc., a component malfunction could cause an unexpected movement and/or robot velocity change.
Additional hazards can also result from the malfunction of, or errors in, interfacing or programming of other process or peripheral equipment. The operating changes with the process being performed or the breakdown of conveyors, clamping mechanisms, or process sensors could cause reactions that are unexpected, even if everything is working as designed and validated.
Sources of Robot Application Hazards
The list below describes some common source(s) of hazards, of which some or all can be addressed by the proper design, testing, integration, operation, and maintenance of the robot and the robot application.
Human Errors of Integration and/or Programming
A common misunderstanding with the robot is "direction of movement". The worker could be looking at the robot and tell it to move left but it moves right from the perspective of the worker. This situation is because the robot pose could be different from the worker's perspective of the pose, e.g. robot mounted overhead.
Existing programming, interfacing peripheral equipment, or processing of live inputs-outputs by the robot controller or a peripheral controller can cause dangerous, unpredicted movement or action. The incorrect activation of the teach pendant or control panel is a frequent worker error. The most common problem, however, is over familiarity with the application so that a worker places themselves in a hazardous position while programming, integrating, troubleshooting, or performing maintenance.
Faults within the control system of the robot application, errors in software, electromagnetic interference, and/or radio frequency interference are control errors or faults. In addition, these can occur due to faults in the hydraulic, pneumatic, or electrical sub-controls associated with the robot, robot system, or application.
While current robot systems are designed to minimize faults and to tolerate interference, it can happen. For safety-related parts of the control system, which include all safety functions, there are more stringent requirements for design, implementation, and testing such that these attributes are assured to the extent of the functional safety performance.
Entry into the restricted space is hazardous because the worker involved may not be familiar with the hazards, the safeguards in place, or their activation status.
Operating programs do not account for cumulative mechanical part failure, resulting in potentially faulty or unexpected operation occurring. Inspection and maintenance activities should be performed in accordance with the manufacturer's requirements and in accordance with industrial standards.
Often employers and sometimes the workers themselves can impose pressure to resume operations as soon as possible. When workers feel rushed to resume operations as quickly as possible, critical safety functions can be overlooked, maintenance steps can be missed, shutdown and/or startup steps can be neglected, the position of other workers can be unnoticed, and other critical steps could be overlooked resulting in hazards and injuries.
Exposure to water, heat, dust, combustible or flammable atmospheres, and/or other environmental sources in the area can adversely affect robot operation or result in failure of the robot application. If not designed for the environment, a robot's exposure to these sources can result in electrical shock, fire, or explosion, and can increase the potential for injury to workers in the area.
Electromagnetic or radio-frequency interference (transient signals) should be considered to exert an undesirable influence on robot operation and increase the potential for injury to any workers in the area. Solutions to environmental hazards should be documented prior to equipment start-up. Current designs should also be sufficiently robust, and consider that the environment can introduce unique and/or extreme conditions on occasion.
Power System Failures or Malfunctions
Pneumatic, hydraulic, or electrical power sources that have malfunctioning control or transmission elements in the robot power system can disrupt electrical signals to the control and/or power source lines. Fire risks are increased by electrical overloads or by use of flammable hydraulic oil. Electric shock and release of stored energy from accumulating devices can also be hazardous to workers.
Improper Assembly and Installation
The design requirements, and layout of equipment, utilities, and facilities of a robot application, if inadequately done per applicable safety codes and standards, can lead to hazards and injuries.
Accidents: Past Studies
Studies in Sweden and Japan indicated that many robot accidents do not occur under normal operating conditions, but instead during assembly, installation, and testing where workers are first exposed to the robot application. These stages are when errors in design, assembly, and installation will present themselves – during initial programming (and program touch-up or refinement) and maintenance (repair, testing, setup, or adjustment).6
During many of these activities, the workers can be within the robot application's reach, as well as within hazard zones of other machines and/or components.
Examples of accidents have included the following:
- A robot application functioned as integrated, but the motion was unexpected during a programming sequence and struck a worker.
- The worker did not know the program or expected motions of the program.
- The application did not have pre-determined task locations for programming such that the worker was positioned with poor visibility.
- The worker did not have a teach pendant with an enabling device while programming.
- A worker entered a restricted space during automatic operation of a material handling and robot application. The worker was pinned between the back end of the manipulator and a post (called a "safety pole" in the report).
- Inadequate perimeter guarding such that a worker could enter the safeguarded space and not cause a protective stop.
- The "safety pole" was not well positioned and introduced a crushing hazard.
- A fellow worker accidentally tripped the power switch while another maintenance worker was servicing an assembly robot. The manipulator struck the maintenance worker's hand.
- Lockout/tagout was not applied or was not properly applied, which would have prevented repowering the assembly robot.
- The application did not meet applicable electrical safety standards because turning on power is not to cause operation or movement of the robot application.
- The power switch accessibility (location and ease of changing power state) was inappropriate.
- A service company worker cleaned the optical surface of a photobeam reflector (sensor) while in automatic mode. Once cleaned, the sensor provided a signal for the robot system to resume the programmed path in auto mode, and the worker was struck.
- There is no servicing allowed during automatic operation unless there is safeguarding that will prevent operation or cause a stop (and not allow restart).
- Insufficient safeguarding was provided.
- Lockout/tagout was not considered for the operation.
- A robot application functioned as integrated, but the motion was unexpected during a programming sequence and struck a worker.
VI. Safety Considerations for Employers and Workers
In order to protect workers involved in robotic industries, employers should implement a safeguarding strategy as follows, using a hierarchy of controls (Figure IV-4).
It should be noted that the term, "hierarchy of controls" is not used in current robot system/application industry standards. Instead of the hierarchy above, a "3-step approach" is used as outlined in Figure IV-5.
With this 3-Step process, the safeguarding requirements are placed primarily on the machine manufacturer and the robot application integrator (see Designer Impact and Integrator Impact in the figure), and finally on the employer (see User, i.e. employer, Impact in the figure).
While administrative controls and PPE are listed as least effective in the two hierarchy of controls figures above (Figures IV-4 and IV-5), there can be situations where they are effective and best to use (e.g., for thermal hazards and protective gear). The above User (employer) requirements include the typical requirements for all machinery in workplaces, including:
- Organizational measures (e.g. administrative controls)
- Safe working procedures
- Permit-to-work systems
- Provision and use of additional administrative safeguards
- Use of PPE
Safety Considerations for Robot Manufacturers
Employers and the workers involved in developing robots should understand, design, and implement robot applications that comply with applicable safety regulations and standards. The safety standard for robots is Part-1 and Part-2 of American National Standards Institute (ANSI)/Robotic Industries Association (RIA) R15.06-2012, Industrial Robots and Robot Systems – Safety Consideration. Among other things, ANSI/RIA R15.06-2012 requires that relevant, safe operating and maintenance information be provided with the robot (Part 1) and the robot system/application (Part 2).
Safety Considerations for Robot System Integrators
Integrators and other workers involved in integrating robotic systems (to meet customer needs) should comply with relevant regulations and standards. The safety standard for integrating robot systems into robot applications is Part-2 of ANSI/RIA R15.06-2012. Other standards can also apply depending on the specific application or task of the robot. For compliance with ANSI/RIA R15.06-2012, and for collaborative application also, RIA Technical Report (TR) R15.606-2016, Robots and Robotic Devices – Safety Requirements for Collaborative Robots, requires that integrators must conduct comprehensive hazard analyses and risk assessments for each application, ideally with participation from the employer and workers. For example, a company under contract to integrate systems for an employer should explain the risk assessment process to the employer’s management and any workers who will work with or near the robot applications. In addition, RIA TR R15.306-2016, Task-Based RA Methodology, offers a risk assessment methodology that complies with the requirements of ANSI/RIA R15.06-2012. See Appendix 2 Example RA.
Employers should ensure that the integrator has designed and implemented a safe robot application. This requirement is typically accomplished by including the ANSI/RIA R15.06-2012 and RIA TR R15.606-2016, Collaborative Robot Safety, compliance requirements in the Statement of Work (SOW) for a robotic integration contract. It must then be verified that compliance has been achieved (usually during site acceptance).
Safety Considerations for Robot System Operators and Maintenance Workers
Employers and workers involved in operating and maintaining systems should understand and have general working knowledge of robot system and application safety standards, as well as specific understanding and knowledge of regulations and standards that apply to their specific robotic application(s). The safety standard for robot systems and applications is Part-2 of ANSI/RIA R15.06-2012. Other standards can also apply depending on the robot application or task. Some employers integrate robot systems themselves. When this situation is the case, employers are acting as integrators and should meet the integration requirements, as discussed above.
Site acceptance testing (SAT) confirms that the equipment performs as expected with the sites utilities, services, machine interfaces and environmental characteristics. These tests should be performed by the integrator and verified by the user. Employers should ensure that site acceptance is performed before initial startup of a robot application. Then, even after the application has undergone site acceptance, employers have a responsibility to maintain the application in a compliant state. This can be done through periodic robot system performance testing to verify that conditions of use are unchanged from the original installation. Stopping-ability performance, and the appropriateness of the application's safety distances, should also be checked as well as safety function settings to ensure that they are properly set. The employer, or often companies, can be used to check and monitor the checksums7 of safety parameters, as this is a quick way to see if the safety settings have changed since the last inspection.
Testing and verification services are often provided by third-party companies who must also comply with the applicable requirements. ANSI/RIA R15.06-2012, lists requirements for performance testing, how often to do them, and how to interpret the results of the tests.
RIA TR R15.706, User Responsibilities, provides user responsibilities guidance for robot applications.
Maintaining records of the testing performed and the results is an effective way to track robotic system safety. Users may also consult these records during safety and/or other checks and inspections.
Safety Considerations during Planning of the Robot Application
For the planning stage, prior to the beginning of assembly, installation, integration, and subsequent operation of a robot or robot application, the following should be considered:
At each stage of development of the robot application (design, manufacturing, integrating, operating, and maintaining), a risk assessment should be performed. There are different system and worker safety requirements to be considered at each stage. The appropriate level of safety and safeguarding determined by the risk assessment(s) should also be applied. In addition, the risk assessment for each stage of development should be documented for future reference. See the Risk Assessments (RAs) and Risk Reduction Measures sections, as well as Appendix 2 Example RA.
Workers should be safeguarded from hazards associated with the restricted space through the use of one or more safeguarding devices such as:
- Presence-sensing safeguarding devices
- Fixed barrier/perimeter guards (which prevent access and contact with moving parts)
- Interlocked barrier guards
Limiting the space requirements of a robot application can also be accomplished with:
- Mechanical limiting devices
- Non-mechanical limiting devices, which can include soft-axis and space-limiting safety function(s).
Typical awareness devices include chain or rope barriers with supporting stanchions or flashing lights, signs, whistles, and horns. They are used in conjunction with other safeguarding devices. The effectiveness of these devices must be evaluated with the level of risk for each hazard.
Safeguarding the Teacher (Programmer)
Special consideration must be given to the teacher or worker who is programming the robot. In manual mode, a trained programmer programs the robot, typically using a portable control station (a teach pendant). Robot speeds during these programming sessions are at a reduced speed, less than 10 inches (250 mm) per second.
While in manual mode, the teacher must have control of the robot and associated equipment. The teacher should be familiar with what needs to be programmed, system interfacing, and control functions of the robot and other equipment in the application. When systems are large and complex, it could be possible to improperly activate functions. Since the teacher can be within the restricted space, mistakes can result in injuries. Mistakes in programming can result in unintended movement or actions with similar results. For this reason, robot speeds should be placed at a reduced speed of 10 inches per second (250 mm/second) or less on any part of the application during teaching to decrease the likelihood of contact and minimize the potential of injuries.
The operator should be protected from all hazards during automatic operation. When in automatic mode, all safeguarding devices should be activated, and at no time should the operator have access to or be exposed to hazards. For additional operator safeguarding information, see the ANSI/RIA R15.06-2012 Part 2 standard, Section 5.10.
Safeguarding Maintenance, Repair, and Troubleshooting Workers
Safeguarding maintenance, repair, and troubleshooting workers can be difficult to detail because their job tasks are so varied. Troubleshooting faults or problems with the robot, controller, tooling, or other associated equipment is part of these workers' job. Program touchup is another task as are scheduled maintenance, adjustments of tooling, gauges, recalibration, and much more.
Power and other hazardous energy sources should be controlled in accordance with 29 CFR 1910.147, The Control of Hazardous Energy (Lockout/Tagout), or 29 CFR 1910.333, Selection and Use of Work Practices.
When maintenance, repairs, and/or troubleshooting must be performed with power on and with maintenance workers performing their work within the safeguarded space, the robot should be in manual mode. Additional hazards can be present during this manual mode because some of the robot application safeguards may not be active and functioning as during automatic mode. To protect maintenance and repair workers, safeguarding techniques and procedures as stated in the ANSI/RIA R15.06-2012 Part 2, Sections 5.9.7, 5.10.2, 5.12.1, 7.2.7 are recommended.
Power and other hazardous energy sources should be controlled in accordance with 29 CFR 1910.147, The Control of Hazardous Energy (Lockout/Tagout), or 29 CFR 1910.333, Selection and Use of Work Practices.
Maintenance can occur during the regular and periodic inspection program for a robot or robot system. An inspection program should include, but not be limited to, the recommendations of the robot manufacturer and manufacturer of other associated robot system equipment such as conveyor mechanisms, parts feeders, end-effectors, fixtures, gauges, sensors, and the like. These inspection and maintenance programs are essential for minimizing the hazards from component malfunction, wear, breakage, changes (documented and undocumented), and unexpected movements or actions by the robot or other system equipment. To ensure proper maintenance, periodic maintenance and inspections should be documented along with the identity and/or skill profile of workers performing these tasks. Many computerized maintenance management systems (CMMSs) are available that can perform these documentation functions.
Specific procedures should be considered during the risk assessment(s). At a minimum, procedures should be written for:
- Activities that must be done in specific sequences or order.
- Activities that create unique, unusual, or significant hazards (beyond the ordinary) such as for collaborative tasks, startups, shutdowns, and emergency events.
- Complex jobs, tasks, or activities such as equipment replacements or overhauls.
Procedures also should be considered for integrating, operating, and maintaining activities and should be written. See the Risk Assessments (RAs) and Risk Reduction Measures sections, as well as Appendix 2 Example RA.
In addition, workers should be trained to the procedures prior to job assignment(s), as follows.
Procedure and Safety Training
Workers who assemble, install, program, integrate, operate, maintain, or repair robots, robot systems, or robot applications should receive adequate safety training, and they should be able to demonstrate their competency to perform their jobs safely. A safety training program should be developed and provided to the workers prior to their assignment(s) on robot applications. Employers can refer to OSHA's homepage under "Help and Resources", "Training", "OSHA Training Requirements and Resources".
General Safety Requirements
The proper selection of an effective robot safety system should be based upon risk assessments of the robot application(s) considering its design, use, programming, operation, and maintenance. See the Risk Assessments (RAs) and Risk Reduction Measures sections, as well as Appendix 2 Example RA. Among the factors to be considered are:
- Tasks that will be programmed
- Start-up and command or programming procedures
- Environmental conditions
- Location and installation requirements
- Possible worker errors
- Scheduled and unscheduled maintenance
- Possible robot and system malfunctions
- Normal mode of operation and procedures
- Emergency conditions and procedures
- All worker functions and duties
- Hazards typical of the specific robot application
Integrators, robot application operators, maintenance workers, and others working near robot applications need to have an understanding not only of the nature and severity of the hazard, but also of how these hazards are addressed and safeguarded. With this understanding, integrators and workers are likely to choose controls and safeguards, and implement systems that work well with their specific applications and processes.
Controls and safeguards selected during the risk assessment(s), including alternative risk reduction methods selected (e.g., procedures, training, daily toolbox talks) for each stage or process (e.g., assembling, integrating, operating, and maintaining), should be reviewed and approved by employers, and should be fully implemented to protect workers.
To ensure safe operating controls and safeguards are adequately evaluated and selected for industrial robots and robot applications, refer to ANSI, ANSI/RIA, and RIA Standards,which contain specific information about robot system safety.
Robot applications shall also comply with the applicable OSHA regulations, including those listed in Section IX Applicable OSHA and Industry Standards Regarding Industrial Robot System Safety.
A combination of controls and safeguarding should be used. Reliable systems and timely maintenance, performed to industry standards and manufacturer recommendations, are especially important, particularly if a robot application is operating in hazardous conditions or handling hazardous materials/chemicals. The safeguarding devices should not themselves constitute or act as a hazard or curtail necessary vision or viewing by workers. However, sometimes a view can be obstructed by equipment and objects. If viewing is important, there is an increased use of camera systems to enable a view yet keep a distance.
An effective control and safeguarding strategy protects not only operators and maintenance workers, but also engineers, programmers, and any others who work on or with robot system applications and/or could be exposed to hazards associated with an application.
Additional Safety Requirements for Collaborative Robot Applications
A collaborative robot application uses one or more of the following technologies while operating in automatic mode:8
Speed and Separation Monitoring (SSM)
A protective device (i.e., presence-sensing safeguarding device) is integrated with the robot application such that intrusion of workers is detected. At a minimum, the robot application stops during the intrusion and then operation can resume after all workers have left the area and no further intrusion is detected. Even now, there are integrations that cause the robot application to slow down upon initial intrusion detection, but if the worker(s) get closer to another detection zone, the robot stops before contact by the robot application can happen. For example, a robot may change to a lower speed based on how close it is to a worker, or change direction to move away from workers. Using the same example as above, the robot application's motion of the nozzles would slow if the worker's hand approached within a certain distance and then stop completely before the hand can access the hazard. It is important to note that when speed is being used for safety purposes, the speed should have an associated safety function that monitors that the needed speed will not be exceeded.
Hand-Guided Controls (HGC)
The robot system moves under a worker's direct control while in automatic mode and executing its program. The worker controls the motion for the collaborative portion of the task (similar to powered-assist tools/machinery). With HGC, a worker can guide a robot system to grasp a heavy box. The worker may then guide the robot system to place the box onto a truck. The robot application in this case is doing all the heavy lifting, but will not move without the worker physically directing it while the worker presses (or actuates) a hold-to-run control device.
Power and Force Limited (PFL)
Physical contact between a robot application (i.e., robot, end-effector, and workpiece) and a worker is expected and permitted in this mode. It is permitted when the forces and pressures of contact are limited such that there will be no injury to the worker(s). PFL robots limit the incurred forces and pressures when such contact is made from the robot application to the worker.
There are two ways that PFL capability can be provided. One is by inherently safe design of the robot (e.g., low energy potential due to very low payload and/or speed capability). Another is by control means, which is described as by safety functions using sensors and safety-related parts of the control system (SRP/CS) (e.g., torque sensors on all joints to safety logic that will slow or stop the robot). PFL robots that have the capability to limit energy transfer have safety functions that are configured, so contact pressures and forces do not exceed acceptable limits. The typical safety functions are speed limiting, force limiting, and power limiting. Collaborative applications using PFL robots usually operate at much lower speeds and payloads than they are physically capable. This is so that when the robot contacts a worker, not only does the robot stop quickly, but also the robot is not moving with enough energy to cause injury. [Note: robot contact with sensitive body regions (e.g., the face, temples, and throat) is to be prevented or avoided per RIA TR R15.606-2016.]
ISO 10218-2:2011, and RIA 15.06 Clause 188.8.131.52, requires that parameters of power, force, and ergonomics pertaining to power and force limited robot systems are to be determined by a risk assessment. Limits for quasi-static and transient contact must be evaluated as part of the risk assessment, and by determining pressure and force threshold limit values on the collaborative robot system utilizing Tables A.1 and A.2 in Annex A of RIA TR15.606.
It is common to see SSM combined with PFL for collaborative applications so that the application can run at high speed when no workers are nearby, but then slow such that contacts would be permissible according to PFL above.
Safety-rated Monitored Stop
The concept of Safety-rated Monitored Stop (SMS) is included in ANSI/RIA R15.06-2012, where it is referred to as a fourth type of collaborative technology. However, this mode is not used alone but must be used in conjunction with SSM, HGC and/or PFL. This type of stop is also called a monitored standstill and is a stop which is activated when the system detects an intrusion. This type of stop is also called a "Category 2 Stop" according to National Fire Protection Association (NFPA) 79-2017, Electrical Standard for Industrial Machinery.
With SMS, power to the actuators is retained, which enables a quicker resumption of operation and less wear on contactors and other hardware. For SMS to work, continued detection of the worker(s) is requires in the safeguarded space (e.g., usually by motion sensors). The robot application is permitted to automatically resume operation if assured that no workers are within the space without the need for the worker(s) to press a restart button. When an SMS is activated, the power to the robot system remains on, but the stop is automatically held in a monitored standstill state. While in the standstill state, any movement from within the safeguarded space will result in an immediate stop (similar to an emergency stop).
VII. Risk Assessments (RAs)
Preparation and implementation of thorough risk assessments (RAs) with workers are critical for worker safety. RAs identify the hazards, potential exposures, potential risks, likelihood of risks, risk avoidance, and the risk-reduction protective measures needed to safely control and/or safeguard a robot application.
A provision of ANSI/RIA R15.06-2012 is that each robot application should have an RA performed and documented prior to commissioning. However, the presence of an RA is not by itself sufficient to ensure that the application meets the intended purpose of ANSI/RIA R15.06-2012, which is to protect workers from injury. Refer to ANSI/RIA R15.06-2012 and to RIA TR R15.306-2016 for guidance on the RA process.
It is the responsibility of integrator to ensure that an RA is completed and documented prior to commissioning. It is also their responsibility to provide the results of the RA to the employer (user). Further, it is recommended that the integrator and user include the affected workers in the RA process. It is also recommended that RAs be completed for hazardous tasks within each stage of the robot application process (i.e., assembly, integration, operation, and maintenance).
Further, since it is the employer's responsibility under OSHA to maintain a safe work place for their employees, the employer should require the integrator to provide and train the integrator's RA to the employees prior to commissioning. If not provided by the integrator, the employer should provide these functions.
Robot Application RA General Process
An effective RA process starts with including knowledgeable employees in the process.
A leader with expertise in process operations, the specific robotic application, and with knowledge of the RA process should be selected.
Employees with specific or specialized expertize should also be invited to participated on the team. Meetings of the RA team should be arranged so that all of the team members can attend.
The team should identify all of the tasks to be performed as part of the job, including any tasks that may be particularly hazardous or complicated. In order to keep RAs from becoming overly long and/or burdensome to the team, splitting some jobs into separate RAs may be advisable.
The specific tasks that are important to safely complete the job or that present hazards to the workers should be listed on the RA. For example, "collecting tools" may not need to be listed as a task on the RA.
Once the tasks have been listed, the RA team should identify the hazards of each task and list each identified hazard next to the task(s) to which the hazard(s) apply.
Once the hazards have been identified, the team should consider the risks associated with each task and hazard.
For each task/hazard, the most appropriate risk reduction techniques (controls and/or safeguards) should be identified for implementation.
The team should welcome open discussion during preparation of the RA, and the final RA should be documented in writing.
Each team member and the team leader should sign the RA as acceptable to them. If signing presents a challenge, then the risk assessment document should include the statement that agreement was reached.
After the RA is completed and accepted by the team, it should be distributed and made available to all affected employees, and to other affected employers. The documentation should also be retained for future reference and reviewed if any changes are made to the robot application.
Robot Application RA Additional Requirements
Similar applications in the same plant should each have their own individual RAs. Though the equipment may be identical, the robot applications may be working on different parts or processes, so the robot's path, pose, and possibly end-effector(s) may be different from another one that appears otherwise identical. Additionally, their physical placement in the facility may introduce unique hazards (e.g., a particular application may be next to a wall, while another otherwise-identical application is next to a walkway).
RIA TR R15.306-2016 provides detailed steps for conducting a task-based RA for each robot application. See Appendix 2 Example RA.
The Annexes of ANSI/RIA R15.06-2012 also include examples of hazards, risks, controls, and safeguards that could apply to many common robot applications.
RA Implementation, Validation, and Review
As discussed above, RAs should periodically be reviewed and validated per ANSI/RIA R15.06-2012 once the required risk-reduction measures (e.g., controls, guards, protective devices, safety procedures, training, signs, PPE) identified in the RA have been implemented. This will ensure the measures are effective and the robot application safety functions are correct for the application. It is not enough to simply trust the integrator or to perform a simple visual inspection alone. A formal and thorough verification and validation is crucial to ensure all requirements of the RA have been implemented and function as intended. Effective periodic validations should include review of:
- The documented RA(s)
- Electrical and mechanical drawings
- Manuals and training documentation
- Safety-related parts of control system (SRP/CS) reviews, which include checking safety function settings as well as other safeguards and their integration
- In the case of PFL, contact event testing results (e.g., pressures and other forces)
- Sensor operation testing
Keeping validation assessments and reviewing documentation provides several benefits, including:
- Allowing more efficient internal and external checks and inspections
- Ensuring that workers stay current on technical information by involving them in the process
- Driving continuous improvement for both safety and performance
VIII. Risk Reduction Measures
As discussed above, comprehensive, task-based RAs will identify potential hazards and risks, and will then prioritize risk reduction measures for each robot application in a workplace. A critical part of the process is then to implement the risk reduction measures selected.
The risk reduction measures will vary based on industry, robot application type, process, and work practices. Each risk reduction measure has its own strengths and limitations. Users (employers) must be able to demonstrate that they understand the implemented measure(s). This demonstration should extend to understanding what hazard is mitigated by which risk reduction measure. Effective risk reduction, based on task-based RAs, will align with the standard hierarchy of controls. In general, elimination, substitution, and engineering controls are preferred over administrative controls and PPE.
Risk reduction measures can vary between collaborative and non-collaborative robot applications, and between the different processes each robot application is performing. Some risk reduction measures can be external to the robot application and will need to be verified visually, validated, and documented that they are present and functioning correctly (e.g., interlocked guards, light curtains, and laser scanners). Some risk reduction measures can be internal to the robot itself and not readily apparent, requiring a view of the safety configuration on the display. For example, some robots have built-in safety functions providing capabilities or software that are not visible (e.g., safety functions for PFL). The configuration and settings of safety functions should be verified by trained professionals.
Non-Collaborative Robot Application Risk Reduction
Risks are reduced by physically separating workers from robot applications during automatic operation (in automatic mode). This risk reduction is achieved through safeguards such as guards (fences, barriers), interlocked guards, and presence-sensing devices (e.g., light curtains, safety mats, safety scanners, and safety vision systems) (Figure IV-6).
In most circumstances, the robot application automatically achieves a safe state when a worker enters the safeguarded space (Figure IV-7). However, there are some circumstances in which a worker needs to perform a task that will require them to interact with a robot application that is still active (e.g., programming or teaching the system). In an industrial robot application, worker safety while within the safeguarded space is based on the application being in manual mode while using an enabling device (often integrated into the teach pendant) with the robot operating at a reduced speed. The application layout design needs to provide adequate clearance. Because the enabling device is typically a 3-position device, the worker must hold it in the center-ON position, otherwise the robot system's motion will be inhibited. If the enabling device is interconnected with other equipment in the application, then the other equipment will be similarly inhibited from operation.
As already explained, enabling devices are used during manual mode, sometimes also known as teach or T1 mode. In this mode, the robot system operates at a reduced speed, slow enough for a person to avoid hazardous contact, but not greater than 10 inches/second (250mm/second).
In addition to physical safeguards, protective devices, and other engineering controls, risk can be further reduced through administrative controls such as:
- Written robot application entry and exit procedures and training
- Lockout/tagout standard operating procedures (SOPs) and training
PPE may include:
- Hand protection for the intended use (sharp edges, heat, cold)
- Safety glasses
- Protective footwear
- Hearing protection
- Arc-flash protection
OSHA's PPE standards (29 CFR 1910 Subpart I) require employers to provide workers with appropriate PPE, and train them on how to properly don, use, doff, clean, maintain, and dispose of such equipment.
Administrative controls and PPE should be implemented after attempts to design out (i.e., eliminate) the hazard and safeguards have been exhausted as required by the RA process.
Once all of the above risk reduction measures have been implemented, the question should be asked, "Does this robot application have sufficient measures in place to adequately protect workers?"
Collaborative Robot Application Risk Reduction
Collaborative robot applications operate with workers in shared, safeguarded spaces. The following questions should be answered to determine if collaborative operation is necessary, and to what extent:
- Is the presence of a person integral to the application?
- Do the robot and person have to share a workstation?
- Do the robot system and person have to work on the same workpiece simultaneously?
- Have task locations been identified and made known?
- Is there safe access to the task location(s)?
- Does the person need to be in physical contact with the robot, end-effector, or workpiece while the robot system is in motion?
Due to the expectation of possible worker interaction, collaborative applications can require specific risk reduction measures. Some key questions to ask before using a robot in a collaborative application include:
- Is the robot system and end-effector designed for use in a collaborative application?
- Does the robot application have the needed safety functions?
- Does this robot application have adequate risk reduction measures in place?
- Has this collaborative robot application considered contact events?
These questions are expanded with further discussion, below.
Is this robot application designed for use as a collaborative application?
Typically, the manufacturer's manual will list the safety functions provided that can be used to enable the implementation of collaborative application (e.g. safety functions that limit speed, force, positions, and momentum which would be needed for PFL). Additionally, a third-party can certify the safety functions that are provided with a robot and robot application. A robot application can use one or more safety functions to achieve a SSM, HGC, PFL or SSM/PFL application, or a combination of these.
Does this robot application have the needed safety functions?
When a robot and end-effector are confirmed to be designed for collaborative use, the next step in safe operation is confirming and using its safety functions. Additional safety functions can also be provided in the overall robot control system.The appropriate safety functions required for a given collaborative robot application depend on the potential contact situations. For example, if the collaboration expects contact to occur with the robot moving then the robot selected for use in this application should have PFL capabilities. On the other hand, if the type of collaboration is intended to have no contact while the robot is moving, then SSM or SSM/PFL capabilities can be used. Other safety functions could also be required, including:
- Protective stop
- Force limiting
- Speed limiting
- Soft axis-limiting
- Space limiting
- Position limiting
These safety functions can have safety inputs and/or safety outputs. The specific safety functions selected for a given collaborative application can differ according to the collaborative technique(s) used in the application. That is, most of the safety functions required for SSM are different than those for PFL. If a given application utilizes both collaborative SSM and PFL techniques, then all of the safety functions above would be required.
The required safety functions should be determined during the RA. Then, for each safety function, the RA establishes the functional risk reduction measures for each function. See Appendix 2 Example RA for more details about this process.
Does this robot application need additional risk reduction measures?
Beyond the active safety functions listed above, a collaborative robot application typically requires both active and passive protective measures to provide added protection. These may include:
- Rounded corners and edges on the end-effector and fixture
- Padding on sharp corners and edges
- Eliminating projections on surfaces
- Compliant elements such as springs that limit force
- Smooth protective covers
- Presence-sensing interlocked coverings around the robot manipulator and/or end-effector that initiate a protective stop
Similarly, as with non-collaborative robot applications, administrative controls and PPE can add protection to further reduce risk to workers. Appropriate administrative controls may include:
- Written application entry and exit procedures and training
- Lockout/tagout SOPs and training
- Collaborative space delineation (i.e., where can the robot system and application move?) [Delineation may be a diagram on the wall, painted lines on the floor, or something else that conveys the information]
- Safety signs that warn workers that this is a collaborative robot application [Signs should be designed and mounted per OSHA 29 CFR 1910.145]
- Post signs stating mandatory PPE [The RA should identify required PPE]
- Have contact events been considered in collaborative robot applications?
Contact events can be either transient or quasi-static. Transient contact occurs when the worker's movement is not restricted at the time of contact (e.g., the worker's body part can move in free-space at the time of contact). Quasi-static contact occurs when a worker’s body part is unable to move at the time of contact due to being restricted by a fixed object (e.g., trapped or pinched between the robot and a fixture).
Contact events are usually expected in collaborative operations utilizing PFL safety functions, but can occur during other collaborative operation types, especially during non-routine tasks. During the RA, determine the expected contact areas on the worker body, possible contact types (i.e., transient or quasi-static), and the allowable force (see RIA TR R15.606-2016) for that body part and type of contact. Measure the pressure and/or other forces for each contact event prior to factory acceptance testing. Compare the measured pressure/force with the allowable pressure/force. For example, if the worker leans into the manipulator, would they be struck? If yes, then where on the body would the worker be contacted (e.g., hand, shoulder, or thigh)?
For each of these combinations (type of contact event and body region contacted), RIA TR R15.606-2016 provides the permissible biomechanical limits for force and contact pressure based on the location of the body being contacted. These limits are intended to avoid pain during contact events. [Note: robot contact with sensitive body regions (e.g., the face, temples, and throat) is to be prevented or avoided per RIA TR R15.606-2016.]
RIA TR R15.606-2016 also provides guidance on the allowable speed to stay within the biomechanical limits during a transient contact event. See also RIA TR R15.806-2018, Testing Methods for Power & Force Limited Collaborative Applications, for specific guidance on how to measure pressure and forces. Then use this guidance to compare the pressures and other forces to the permissible biomechanical limits. The integrator should use the robot manufacturer's information (i.e., moving mass of the manipulator, speed capabilities) combined with the payload mass of the end-effector and/or workpiece to determine the maximum allowable speed for contact events.
For PFL applications, the integrator should confirm that contact events do not exceed the force and pressure biomechanical limits. The user should periodically verify that the safety-function settings are still valid (e.g., speed limit has not increased or workpiece attributes changed). These measurements are performed by a competent worker and the results documented. If a biomechanical limit is exceeded, safety function settings should be adjusted by adding risk reduction measures and/or by modifying or replacing the application.
IX. Applicable OSHA and Industry Standards Regarding Industrial Robot System Safety
The following OSHA and industry standards are identified as most likely to be relevant to current industrial robot applications. However, industrial robot applications continue to grow and, as a result, other standards may apply.
- 29 CFR 1910.22 General Requirements Walking Working Surfaces. Requires employers to adequately protect walking and working surfaces from hazards such as slips, trips, falls, and other hazards.
- 29 CFR 1910 Subpart I – Personal Protective Equipment. Requires that employers perform a PPE hazard assessment, establish PPE requirements as a result of the hazard assessment, and use PPE as required.
- 29 CFR 1910.95 Occupational Noise Exposure. Requires that employers evaluate and protect against the effects of noise exposure in the workplace.
- 29 CFR 1910.147 The Control of Hazardous Energy (Lockout/Tagout). Requires the use of lockout/tagout when performing maintenance or servicing activities on equipment with hazardous energy sources, or during limited operating activities as outlined in 1910.147(a)(2)(ii)(A) & (B).
- 29 CFR 1910.212 General Requirements for all Machines. Requires employers to provide protections such as machine guards to protect workers from the moving parts of operating machines. States that any machines that creates a hazard must be safeguarded in order to protect the operator and other employees.
- 29 CFR 1910 Subpart S – Electrical. Requires employers to provide and install electrical equipment such as wiring, conduit, boxes, breakers, motors, etc., to safe standards. Also establishes marking, labelling, safe distances, and working requirements based on voltages and other hazards.
ANSI, ANSI/RIA, and RIA Standards
ANSI requires that standards be reaffirmed or revised on roughly a 5-year schedule. RIA policy is to develop and revise ISO standards and then nationally adopt the revised ISO standards as an ANSI/RIA or RIA standard. As a result, ANSI/RIA R15.06-2012 will be updated following the revision of ISO 10218-1 and ISO 10218-2, which is in progress.
Use of current standards and their accompanying technical reports is a best practice since both robot system and application technology and safety functions continue to make advancements.
- ANSI/RIA R15.06-2012, Industrial Robots and Robot Systems - Safety Requirements. Provides safety requirements for industrial robot manufacture, remanufacture, and rebuild (Part 1); and robot system integration/installation (Part 2). This standard is the U.S. National Adoption of ISO 10218-1:2011 and ISO 10218-2:2011.
- RIA TR R15.306-2016, Task-Based RA Methodology. Describes one method of performing an RA that would comply with the R15.06-2012 requirements.
- RIA TR R15.506-2014, Applicability of R15.06-2012 for Existing Industrial Robot Applications. The R15.06-2012 standard is forward-looking; that is, its primary topic is the installation of an all-new robot systems and applications. Explains how to take the R15.06-2012 standard into account for existing robot systems and applications.
- RIA TR R15.606-2016, Collaborative Robot Safety. Explains safety requirements specific to collaborative robot systems and applications, and is supplemental to the guidance in ANSI/RIA R15.06-2012. This standard is the U.S. National Adoption of ISO/TS 15066:2016.
- RIA TR R15.706-2019, User Responsibilities. Describes the responsibilities of the user (employer) that are in the other standards. Describes requirements for RA and training of workers. Offers suggestions for interaction with integrators and the supply chain.
- RIA TR R15.806-2018, Testing Methods for Power & Force Limited Collaborative Applications. Describes methods to test and verify that the pressure and other forces exerted by a collaborative robot application remain within the allowable limits described in TR R15.606-2016.
International Organization for Standardization (ISO) Standards
- ISO TC 299, Robotics. Develops high quality standards for the safety of industrial robots and service robots to enable innovative robotic products to be brought onto the market. In addition, ISO TC 299 develops non-safety standards in fields like terminology, performance measurement, and modularity.
- ISO 10218-1:2011, Robots for industrial environments - Safety requirements - Part 1: Robots. Specifies requirements and guidelines for inherently safe design, safeguards and other protective measures, and information for use of industrial robots. It describes basic hazards associated with robots, and provides requirements to eliminate or adequately reduce the risks associated with these hazards.
- ISO 10218-2:2011, Robots for industrial environments – Safety requirements – Part 2: Robot systems and integration. Specifies requirements and guidelines for the safe integration of an industrial robot system into a complete robot application, which includes end-effectors and other related equipment. This document describes basic hazards associated with robot systems, and provides requirements to eliminate or adequately reduce the risks associated with these hazards.
- ISO/TS 15066:2016, Collaborative Robot Safety. Gives information about how to implement a collaborative robot application so that safety for the worker is provided.
- ISO/TR 20218-1:2018, Safety Design for End-effectors. Provides guidance on the design and implementation of end-effectors (EOATs) and end-effector exchange systems for safety of workers, in both collaborative and non-collaborative applications.
- ISO/TR 20218-2:2017, Safety Design for Manual Load/ Unload Stations. Provides guidance on the design of manual load/unload stations that will be safe for workers.
American Welding Society (AWS)
- AWS D16.1M/D16.1, Specification for Robotic Arc Welding Safety. Identifies hazards involved in maintaining, operating, integrating, and setting up arc welding robot applications.
X. Considerations for Evaluating Robotic Safety Systems
The following is a summary of the content found in this chapter that may be useful when evaluating robotic safety systems and associated safety and health programs elements.
- Review the Robot Application Hazards by Process section of this chapter for lists of the common hazards found in each process.
- Obtain and review the applicable robot system risk assessment(s) prior to robot system evaluation(s).
- Review and evaluate relevant OSHA standards as listed in Section IX Applicable OSHA and Industry Standards Regarding Industrial Robot System Safety.
- Evaluate that all robots, end-effectors, and the completed robot applications meet the requirements necessary to ensure safe operation by operators and workers. Refer to ANSI/RIA R15.06-2012.
- Evaluate if older or obsolete robots, robot systems, and/or applications are rebuilt or remanufactured to determine if they should be upgraded to conform to current industry standards. Refer to RIA TR R15.506-2014.
- Review and evaluate assembly, installation, and testing procedures.
- Review work areas to assure that assembly, installation, and testing are, or have been performed safely and per established procedures.
- Review that robot systems and robot applications are installed in accordance with the manufacturer's requirements, industry standards, and applicable OSHA general industry and/or construction standards.
Review that temporary risk reduction measures should be used to minimize the hazards associated with the installation of new equipment. The facilities, peripheral equipment, and operating conditions which should be considered are:
- Installation specifications
- Physical facilities
- Electrical facilities
- Action of peripheral equipment integrated with the robot
- Identification requirements
- Collaborative or non-collaborative robot application
- Mobile robot applications
- Control and emergency stop requirements
- Special operating procedures or conditions
- Review that the recommended minimum requirements of Part 2, Clause 5 of ANSI/RIA R15.06-2012 are followed to ensure safe operating practices and safe installation of robots and robot systems.
- Review the task-based risk assessment (RA) that should have been completed by integrator and with the involvement of the users and workers prior to commissioning. See Section VI Safety Considerations for Employers and Workers, and Section VII Risk Assessments (RAs).
- Review that the integrator utilized the RA(s) developed during the integration process to ensure that safeguards and other risk reduction measures have been adequately selected and put into place. See Section VIII Risk Reduction Measures.
- Review that during initial commissioning of robot systems, as well as after remanufacture, rebuild, maintenance, and/or servicing, that adequate safeguards and other risk reduction measures are in place and functioning as designed. See Section VI Safety Considerations for Employers and Workers, and Section VII Risk Assessments (RAs).
- Review that all hazards have been properly identified. See Section V Hazards Associated with Industrial Robot Applications.
- Review that the RA(s) received from the integrator have been reviewed, modified as necessary, and followed by the users. Review that additional task-based risk assessments have been prepared for any new or modified operating or maintenance tasks before they are performed. See Section VII Risk Assessments (RAs).
- Based on the results of the RA and manufacturer's information, review that maintenance plans which include identifying critical components and the frequency of inspections and testing have been developed.
- Review that safeguards and other controls are not disabled or removed and that they are functioning properly before any worker exposure to the robot application is permitted.
- Review that employees are adequately trained to understand the hazards, risks, and risk reduction measures that are in place and that they are followed before working on or with industrial robot systems.
- Review that employees are adequately trained to understand the procedures to follow for safe operation and maintenance, including means for reducing risks, before working on or with industrial robot applications.
- Review that the training includes awareness training for those employees who are not affiliated with the operation of the robot system but who may pass the perimeter guarding as part of their job duties (e.g. housekeeping or warehousing employees).
- Review that the software was designed, written, and tested in accordance with ISO 13849-2 and ISO 10218-2 2011 Section 7.2.1.
- Review the ANSI, ANSI/RIA, and RIA Standards section above for the applicable standards and technical reports associated with operations and maintenance activities.
- 29 CFR 1910 OSHA General Industry Standards
- OSHA Robotics Safety and Health Topics Page
- OSHA Control of Hazardous Energy (Lockout/Tagout) Safety and Health Topics Page
- OSHA Publication No. 3170. Amputations: Safeguarding Equipment and Protecting Employees from Amputations
- OSHA Publication No. 3071. Job Hazard Analysis
- OSHA Machine Guarding Safety and Health Topic Page
- OSHA Training Requirements and Resources
- OSHA Working Safely with Electricity Fact Sheet
It is recommended to use the most current edition of ANSI, RIA and ISO documents as they are revised periodically to reflect changing technology, safety capabilities, and safety requirements.
- ANSI/ISO 12100-2012, Safety of Machinery – General Principles for Design, RA and Risk Reduction
- ANSI/RIA R15.06-2012, Industrial Robots and Robot Systems - Safety Requirements
- ANSI/UL1740-2019, Standard for Safety: Robots and Robotic Equipment
- RIA TR R15.306-2016, Technical Report for Industrial Robots and Robot Systems — Safety Requirements — Task-Based RA Methodology
- RIA TR R15.506-2014, Technical Report for Industrial Robots and Robot Systems — Safety Requirements — Applicability of R15.06-2012 for Existing Industrial Robot Applications
- RIA TR R15.606-2016, Technical Report for Industrial Robots and Robot Systems — Safety Requirements — Collaborative Robots
- RIA TR R15.706-2019, Technical Report for Industrial Robots and Robot Systems — Safety Requirements — User Responsibilities
- RIA TR R15.806-2018, Technical Report for Industrial Robots and Robot Systems — Safety Requirements — Testing Methods for Power & Force Limited Collaborative Applications
- Robotics Industries Association Resource Page
- ISO TC 299, Robotics
- ISO 10218-1:2011, Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots
- ISO 10218-2:2011, Robots and robotic devices — Safety requirements for industrial robots — Part 2: Robot systems and integration
- ISO 13849-1:2015, Safety of Machinery, Safety-related parts of control systems, Part 1: General Principles of Design
- ISO 13849-2:2015, Safety of Machinery, Safety-related parts of control systems, Part 2: Validation
- ISO/TS 15066:2016, Robots and robotic devices — Collaborative robots
- ISO/TR 20218-1:2018,Robotics — Safety design for industrial robot systems — Part 1: End-effectors
- ISO/TR 20218-2:2017, Robotics — Safety design for industrial robot systems — Part 2: Manual load/unload stations
- AWS D16.1M/D16.1, Specification for Robotic Arc Welding Safety.
- CSA Z434-14, Industrial Robots and Robot Systems.
- NFPA 79, Electrical Standard for Industrial Machinery
- National Institute of Standards and Technology Robotics in Manufacturing Page
- National Institute of Standards and Technology Robotics Test Facility
- National Science Foundation – Robotics
- NIOSH Robotics Workplace Safety and Health Topics Page
Appendix 1. Glossary for Industrial Robot Systems and Applications
Application Program – The set of instructions that defines the specific intended tasks of robots and robot systems. This program may be originated and modified by the robot user.
Attended Program Verification – The time when a person within the restricted envelope (space) verifies the robot's programmed tasks at programmed speed.
Automatic Guided Vehicle (AGV) systems – Advanced material-handling or conveying systems that involve a driverless vehicle which follows a guide-path.
Axis – A direction that is used to state the motion of a robot in a linear or rotary mode; the line about which a rotating body (such as a tool) turns.
Coordinated Straight Line Motion – Control wherein the axes of the robot arrive at their respective end points simultaneously, giving a smooth appearance to the motion wherein the motions of the tool center point moves along a pre-specified linear path.
Enabling Device – A manually operated device that permits motion when continuously activated. ANSI/RIA R15.06-2012 requires a 3-position enabling device where release of, or compression of, the device stops robot system motion and motion of associated equipment that may present a hazard.
End-effector – An accessory device or tool specifically designed for attachment to the robot wrist or tool mounting plate to enable the robot to perform its intended task. Examples may include gripper, spot-weld gun, arc-weld gun, spray-paint gun, inspection camera, adhesive dispenser, or any other application tools.
End-effector Manufacturer – A company or business involved in the design, fabrication and assembly of end-effectors (EOAT) and/or end-effector exchange systems.
Industrial Robot – A reprogrammable, multifunctional manipulator designed to move material, parts, tools, or specialized devices through variable programmed motions for the performance of a variety of tasks.
Industrial Robot Application – An application that includes industrial robot systems, the end-effector, the workpiece, and safeguards.
Industrial Robot System – A system that includes industrial robots, the end-effectors, and the devices and sensors required for the robots to be taught or programmed, or for the robots to perform the intended automatic operations, as well as the communication interfaces required for interlocking, sequencing, or monitoring the robots.
Joint Motion – A method for coordinating the movement of the joints such that all joints arrive at the desired location simultaneously wherein the motion of the tool center point travels along a curved path.
Kinematics – The actual arrangement of rigid members and joints in the robot, which determines the robot's possible motions. Classes of robot kinematics include articulated, Cartesian, parallel, and SCARA.
Limiting Device – A device that restricts the maximum envelope (space) by stopping or causing to stop all robot motion and is independent of the control program and the application programs.
Manual Mode – A mode of operating the robot in which a trained operator (programmer; teacher) typically uses a portable control device (a teach pendant) to teach a robot its task(s) manually. Robot speeds during manual mode are limited to less than 10 inches (250 mm) per second, to reduce hazards to the teacher.
Maximum Space – The volume of space encompassing the maximum designed movements of all robot parts including the end-effector, workpiece, and attachments.
Mobile Robot – A self-propelled and self-contained robot that navigates autonomously within its operating environment to reach specified locations; designed to automate transport tasks.
Muting – The deactivation of a presence-sensing safeguarding device during a portion of the robot cycle.
Numerically Controlled Machine Tools – Operated by a series of coded instructions comprised of numbers, letters of the alphabet, and other symbols. These are translated into pulses of electrical current or other output signals that activate motors and other devices to run the machine.
Operating Space – That portion of the restricted envelope (space) that is actually used by the robot while performing its programmed motions.
Presence-Sensing Safeguarding Device – A device designed, constructed, and installed to create a sensing field or area to detect an intrusion into the field or area by workers, robots, or other objects.
Repeatability – How well the robot will return to a programmed position.
Restricted Space – That portion of the maximum envelope (space) to which a robot is restricted by limiting devices. The maximum distance that the robot can travel after the limiting device is actuated defines the boundaries of the restricted envelope of the robot. (Note: the safeguarding interlocking logic and robot program may redefine the restricted envelope as the robot performs its application program. See Part 2, Clause 5.4.4 of the ANSI/RIA R15.06-2012 standard).
Robot Manufacturer – A company or business involved in the design, fabrication, and/or assembly of robot systems.
Robot Integrator – A company or business who either directly or through a subcontractor will assume responsibility for the design, fabrication, and integration of the required robot, robotic peripheral equipment, and other required ancillary equipment for a particular robot application.
Single Point of Control – The ability to operate the robot such that initiation or robot motion from one source of control is possible only from that source and cannot be overridden from another source.
Tele-operators – Robotic devices comprised of sensors and actuators for mobility and/or manipulation and are controlled remotely by a worker operator.
Teach – The generation and storage of a series of positional data points effected by moving the robot arm through a path of intended motions.
Tool Center Point (TCP) – The origin of the tool coordinate system.
Appendix 2. Example Risk Assessment (RA)
This appendix outlines key steps to perform during a RA with examples of how to determine the necessary risk reduction measures needed to adequately reduce risk. This appendix is based on RIA TR R15.306-2016 and does not necessarily cover all RA aspects that may be needed for a robot system and/or application. See the Risk Assessments (RAs) and Risk Reduction Measures sections.
- Analyzes the tasks, usage, and hazards associated with a robot application and the area in which it is installed and used (or to be installed and used). For example, the robot application can be installed under overhead lighting that requires periodic lamp replacement. This task would also be included.
- Provides a method to understand, rate (estimate the risk), and eliminate or reduce risk(s) associated with the hazards.
- Identifies all activities of workers exposed to, operating, or maintaining the robotic application. It should include expected activities within the application workspace, even if the activities are not associated with the robot application, e.g. changing the overhead light.
- Results in risk reduction measures that need to be implemented to comply with applicable standards and regulations.
RA - 7 Key Steps (Figure IV-A2.1)
- Define the operation, including normal sequence(s) and alternate (non-typical) sequences.
- Define the expected worker interaction required for the operation, reasonably expected misuse and maintenance, repair, cleaning, emergency conditions, etc.
- Determine and document the operating space and restricted space.
- Determine the desired restricted space, considering possible limits such as hard stops, travel limit sensors, safety-rated soft-axis limits, etc.
Task Determination Based On Intended Use
- Define and document all the tasks that each worker will perform. Workers may perform assembly, testing, integration, material infeed and take-away, quality control, operations, observation, maintenance, etc. related to the robot system and application. And there can be other nearby workers who are bystanders or passers-by. Example task can include:
- Path teaching
- Debugging, troubleshooting, or adjusting
- Repairing or replacing components
- Define and document all the tasks that each worker will perform. Workers may perform assembly, testing, integration, material infeed and take-away, quality control, operations, observation, maintenance, etc. related to the robot system and application. And there can be other nearby workers who are bystanders or passers-by. Example task can include:
Hazard Determination for Each Task
- With the tasks identified, define and document the hazards related to each task (Figure IV-A2.2). Examples include:
- Mechanical: Crushing, caught-between, struck-by, shearing, cutting, projectiles, etc.
- Electrical: Shock, spark/arc flash, electrostatic, etc.
- Thermal: Heat, cold, burns, etc.
- Ergonomic: Reach, weight, posture, motion, etc.
- Slips, trips, and falls: Objects on floors or in pathways, wet surfaces, etc.
- Machinery instability: Falling equipment, tools, etc.
- Environmental: Chemicals (including as fumes, such as from welding), heat, dust, radiation or other potentially hazardous sources such as light, sparks, noise, etc.
- Note: ANSI/RIA R15.06-2012 Part 1, Annex A, Table A.1 — List of significant hazards, provides additional information on hazards typically associated with robots and robot systems.
Figure IV-A2.2: Example Task and Associated Hazard Sheets (Source: RIA)
- With the tasks identified, define and document the hazards related to each task (Figure IV-A2.2). Examples include:
Risk Estimation for Each Task & Hazard
- For each task/hazard combination estimate and document the risk factors:
- Possible injury severity (Figure IV-A2.3)
- Exposure frequency (Figure IV-A2.4)
- Possibility for avoidance (Figure IV-A2.5)
- These factors determine the risk level for each task/hazard combination:
- The risk level is used in the risk reduction step and drives what safeguarding measures need to be applied to the system.
- The risk levels are also used to determine the required performance level (PLr) of each safety function.
RIA TR R15.306-2016 section 184.108.40.206 describes injury severity as the degree of estimated harm due to each hazard while the operator is performing the associated task.
- RIA TR R15.306-2016 section 220.127.116.11 describes exposure as a function of the estimated incidence of operator exposure (frequency or duration), and takes into consideration the following:
- How frequently the operator would be in the hazard zone
- The duration in which the operator would be in the hazard zone
Whether the task is routine or non-routine or other task frequency considerations
RIA TR R15.306-2016 section 18.104.22.168 describes avoidance as an assessment of the operator's ability to sense and elude a hazardous situation.
Use the risk factors (severity, exposure, and avoidance) to derive the risk level using RIA TR R15.306-2016 Table 2 (Figure IV-A2.6).
Using the determined risk level for each task from Figure IV-A2.6, identify the performance level for each task using RIA TR R15.306-2016 Table 5 (Figure IV-A2.7).
- For each task/hazard combination estimate and document the risk factors:
Risk Reduction Measure Determination for Each Task
The hierarchy of risk reduction measures should comply with RIA TR R15.306-2016 Table 3 (Figure IV-A2.8).
- Select risk reduction measures for each task based on the determined risk level for the task.
Risk reduction measures should comply with risk level requirements shown in RIA TR R15.306-2016 Table 4 (Figure IV-A2.9).
- For all risks with a very high, high or medium initial risk level, inherently safe design (elimination, substitution, or limiting interaction) or safeguarding should be used as a primary means to reduce risks. Complementary protective measures or information for use should not be used as the primary risk reduction measure for very high, high or medium initial risk levels.
After the risk reduction measures are selected for each of the tasks, determine the performance level that has been achieved as the result of the risk reduction measures selected using RIA TR R15.306-2016 Table 5 (Figure IV-A2.10).
- Now compare the task-risk performance level (Step 4) to the reduction-risk performance level (this Step 5).
- Modify risk reduction measures as necessary until the risk-reduction performance levels are at least as high as the task-risk performance levels.
- This is often an iterative process that must be continued until reduction-risk performance levels are at least as high as the task-risk performance levels.
Evaluation of Risk Reduction Measures
- First, each member who participated in development of the RA should evaluate that the right risk levels and performance levels have been assigned to each task (Step 4).
- Second, each member who participated in development of the RA should evaluate that the right risk reduction measures have been selected for each task (Step 5).
- Members should ensure that the hierarchy of risk reduction measures has been followed (Figure IV-A2.8). For example, if the risk cannot be eliminated by design, then measures to mitigate the risk by less preferred measures should be applied in order of hierarchy.
- Members should then evaluate each risk reduction measure to ensure that the measure selected in each case is in line with the task risk level (Figure IV-A2.9).
- Finally, members should ensure that the selected performance levels are in line with the risk reduction measures selected (Figure IV-A2.10).
- Once each member has evaluated the RA, the team should meet and discuss each issue found with the RA.
- Each issue should be resolved with the team to ensure that residual risk is acceptable and that the RA will provide the highest degree of safety and protection for the workers.
Validate the RA, Train Workers, Review RA Effectiveness, and Update the RA as Needed.
- The completed RA should be documented in writing. See Examples 1 and 2 below of completed RAs (Figures IV-A2.11 and 12).
- Once the RA is acceptable to the team, team members should sign the RA as evidence of validation.
- Validated RAs should be provided to all affected workers and also made accessible for their future reference.
- Employers should train workers on the tasks, the hazards and risks associated with each tasks, and the risk reduction measures that have been put in place and that the workers must follow.
- No work should be performed for any hazardous task(s), until an RA has been validated, issued and trained to.
- Once work begins, employers should ensure that the risk reduction measures are effective and continually practiced.
- Field observations are required while tasks are being performed.
- When risk reduction measures are found to be ineffective or not continually practiced, the work should be immediately stopped.
- Any risk reduction measures that are found to be ineffective should be incorporated into the RA.
- The modified RA should be revalidated and workers should be retrained before work is allowed to continue.
1 See Robotics Industries Association (RIA): https://www.automate.org/robotics.
2 Artificial intelligence in robotics refers to programming functions that can "learn" and adjust outputs based on inputs received from the robot or from workers.
4 Some robots are referred to as "cobots" in an effort to state that the robot is "ready" or "enabled" to be used in a collaborative application.
5 See ANSI/RIA TR R15.606-2016, Robots and Robotic Devices – Safety Requirements for Collaborative Robots.
6 Source: RIA.
7 Sums of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.
8 See ANSI/RIA R15.06-2012 and RIA TR R15.606-2016.