ANSI/RIA R15.06: 2012 - an introduction to Robot and Robot System Safety

ANSI/RIA R15.06: 2012 - an introduction to Robot and Robot System Safety Roberta Nelson Shea Global Marketing Manager, Safety Components March 2016-5058-CO900H

ANSI/RIA R15.06-2012 RIA (print) www.robotics.org + old standards & technical reports ANSI (PDFs): note that Technical Reports are NOT available from ANSI. Update of R15.06 1999 1999 withdrawn: end of 2014 (+TR R15.106 and TR R15.206) R15.06 2012 is a national adoption of ISO 10218-1 and ISO 10218-2 ANSI/RIA R15.06-1999 was used as basis for ISO 10218 With an ANSI/RIA Introduction

Who is addressed by standards? WHO ANSI ISO and EN OSHA Regulations EU Machinery Directive Manufacturer X X X Integrator X X X User X X Could be directed to all entities X Suppliers ONLY ANSI: guidance to Manufacturers, Integrators & Users of machinery (depends on scope). ISO & EN standards: SUPPLIERS, NOT Users except when Users also have role of supplier, of industrial machinery. Allows movement of like goods into and within Europe. OSHA standards provide requirements only to Users (Employers) for occupational safety, but can include responsibilities to Employees (ex. Lock-out).

History of ANSI/ RIA R15.06 1970 Occupational Health & Safety Act created 1982 R15.06 drafting started 1986 Publication of ANSI/RIA R15.06 1986 1986 R15.06 update started 1992 Publication of ANSI/ RIA R15.06 1992 1993 R15.06 update started ANSI 1999 Publication of ANSI/ RIA R15.06 1999 Top Seller over the years ~2000.. ISO 10218 started based on ANSI/ RIA R15.06 1999 ~2004 R15.06 update started (working with draft ISO 10218-1 & -2) 2006 Publication of ISO 10218-1 AND ISO 10218 revision started 2007 Publication of ANSI/ RIA ISO 10218-1 2007 & RIA TR to enable its use 2011 Publication of ISO 10218-1 and ISO 10218-2: 2011 2012 ANSI/ RIA R15.06 adopts ISO 10218-1 and -2:2011 2014 ANSI/ RIA Tech Reports published (TR R15.306,.406,.506) 2016 Publication of ISO TS 15066 and updated TR R15.306 w/minor revs 1975 2014

What s new with R15.06-2012? Standard structure Part 1: Robot (comes from robot manufacturers) Part 2: Integration: requirements placed on the integrator (role of integrator not necessarily the business purpose) Normative references to ISO & IEC standards Safety features embedded in robot systems (some optional)

R15.06 2012: 7 Top changes Frequency of Probability of Severity Risk Level EXPOSURE AVOIDANCE E0 prevented Negligible A1 likely E1 low S1 Minor A2 or A3 not likely or not possible E2 high Low E0 prevented E1 low S2 A1 likely Medium Moderat E2 high e A2 or A3 not likely or not possible High E0 prevented Low E1 low S3 A1 or A2 likely or not likely High Serious E2 high A3 not possible Very High 1. Terminology (limited changes) 2. Risk assessment REQUIRED! 3. Functional safety (quantifiable) 4. Floor space optimization due to new features (some OPTIONAL) & changes to CLEARANCE 5. Detachable & wireless pendants 6. Perimeter guarding changes (min/max) 7. Collaborative operation (4 techniques identified) The issue is collaborative application not just the robot. This topic is GREATLY misunderstood!

Terminology changes New Terms Robot Robot System Robot Cell Reduced speed Protective Stop Manual Mode Operator(s) reduced speed high speed Explanation Robot arm & robot control (does NOT include end effector or part) Robot CAD files do NOT include tooling or parts. Robot, end effector and part, plus any task equipment Robot System and safeguarding (inside safeguarded space) Called Slow speed in the 1999 standard Called Safety Stop in the 1999 standard Purpose: protection of people. This is different from Estop. Often called T1, was called Teach Mode in 1999 standard. (Teach is a task using manual reduced speed mode) Often called T2, but also called APV in the 1999 standard All personnel, not simply production operators. Maintenance, troubleshooting, setup, production

ISO standards: special words Shall Should May Can Normative or mandatory requirement Recommendation or good practice Permissive or allowed Possible or capable statement of fact Notes are informative: used to provide additional information or explain concepts. If you see a shall, should or may in a note it is an error. We (standards writers) try, but we still make mistakes. ANNEXES can be NORMATIVE or INFORMATIVE All annexes can contain shalls/ shoulds/ mays and cans. If you CHOOSE to use an informative annex, you use all of it as written (no cherry picking what is liked)

R15.06 2012, Part 1 Robot Mfgers! Part 1: Annex D describes OPTIONAL features. Robot manufacturers are NOT required to provide any of these features, however if they are provided, they have to meet the stated requirements in Part 1. Annex D options: Emergency stop output functions Enabling Device features (common enabling device functionality and connecting additional) Mode selection (providing mode information as a safety related functions) Anti-collision sensing awareness signal (not safety-related function but helpful) Maintaining path accuracy across all speeds, so that using T2 is not needed Safety-rated soft axis and space limiting (allows smaller cell footprints) Ex: FANUC DCS, Kuka Safe Operation, ABB SafeMove, Yaskawa FSU Stopping performance measurement Do NOT presume that these features are provided. OPTIONS! Part 2 is for the integration of robots into systems and cells.

Impact to Integrators & Users Part 2 (ISO 10218-2 = R15.06 Part 2) This is the BIGGY for Integrators (and Users to know) Users are not specifically addressed User acts as integrator, then integrator requirements apply to User. Users need to use the information provided by the integrator. Users address the residual risks: typically developing procedures & training, training personnel, adding warnings/ signs and safety management. Integrators/ Users: options in Part 1, Annex D needed? Know before buying robots, see options in Part 1, Annex D. Are they needed? A robot that meets ISO 10218-1 (which is ANSI RIA R15.06 Part 1), only has these optional features if you request them or if the manufacturer states that their robot has these options. Validation & verification, Clause 6, requires Annex G (p 127 Part 2) Then START READING the standard!

R15.06: 2012 Part 2 Clause 1: Scope Clause 2: Normative References ISO to be used for global (including US) compliance while some ANSI standards can be used instead of ISO if compliance is for US only. Clause 3: Terms and definitions Clause 4: Hazard Identification & Risk Assessment (see TR R15.306) Clause 5: Safety Requirements and protective measures 5.2: Functional safety (ISO 13849-1 & IEC 62061) requirements and equivalency to Control Reliability 5.10: Safeguarding (Use ISO & IEC standards or if ONLY US, TR R15.406 can be used) Clause 6: Verification & validation of safety requirements and protective measures (NORMATIVE reference to ANNEX G in Part 2) Clause 7: Information for Use (page 101, Part 2)

Part 2: 5.2 Functional safety ISO 13849-1:2006 and IEC 62061 provide metrics for functional safety Can quantify performance, determine requirements, and validate Control Reliable : concept in 1999 standard PL=d with structure category 3 is equivalent to the requirements in the 1999 for control reliability : A single fault does not lead to the loss of the safety function; The fault shall be detected before the next safety function demand; When the fault occurs, the safety function is performed and a safe state shall be maintained until the detected fault is corrected; Reasonably foreseeable faults shall be detected. Functional safety applies to all safety features which include a control system/ logic (SRP/CS)

Optimize Your Floor Space Using safety-rated soft axis and space limiting feature of the robot control (optional feature) See Part 1: 3.19.3, Part 1: 5.12.3 and Part 1: Annex D This is a type of Limiting Device (safety function) that reduces the maximum space to the restricted space. When used,, movement is limited. Maximum, Restricted, and Operating Spaces include the robot, end-effector, & part Side View Top View

Optimize Your Floor Space: Clearance IF ONLY Manual Reduced Speed (T1) and NO T2, then clearance is required for tasks inside the safeguarded space where there is an exposure to hazard(s) due to lack of space (pinch, crush, trapping). No task no need for clearance! Be real in the risk assessment. If there is a lack of space for a task, then 20in (500mm) needed for trapping (body/ chest). For other body parts, use ISO 13854. 1999: 18-inch clearance from the operating space was required. 2012: Silent whether distance is from the restricted or operating space. Case studies: up to a 30-40% reduction in footprint! Important: If the robot system has high-speed manual (T2), then 20in (500mm) clearance is required regardless of risk assessment (Part 2, 5.5.2) Photo courtesy Assa Abloy

Perimeter Guard Dimension Comparison R15.06-1999 ISO 10218 & R15.06-2012 CSA Z434 Lower Dimension 12 in. 7 in. 6 in. Upper Dimension 60 in. 55 in. 72 in. Upper Dimension MINIMUM Lower Dimension, MAXIMUM Only if hazards cannot be accessed by reach over, under and through. Example, if there is a hazard within 43 of the bottom, then the guard must have a lower dimension smaller than 7. (see ISO 13855 or RIA TR15.406)

Collaborative philosophical discussion The basis is why not have a human contact a robot system if the result is no harm to the human? When is the contact similar to a person walking into a wall? When does repeated contact, that is initially without pain or injury, become painful and not acceptable? Human factors, ergonomics If the robot is wimpy (or called safe ) and it is juggling explosives or knives, is this is collaborative application? NO

Collaborative Operation 4 techniques for collaborative operation (Part 1, 5.10; Part 2, 5.11) for collaborative applications (can be a mix of the following) in AUTOMATIC: Safety-rated monitored stop: Operator may interact with robot system when the robot system is stopped (drive power may be ON). Automatic operation resumes when the human leaves the collaborative (shared) workspace. Safeguarding detects entry, presence & leaving area. Hand-guiding operation: Operator has direct contact & control of robot system Speed & separation monitoring: Robot system / hazard speed reduces as an operator gets closer. Protective stop is issued before contact. Power & force limiting: Incidental contact between robot and person will not result in harm to person. Reference ISO TS 15066. Requires a risk assessment per each body region. Applications where WORST CASE is ONLY SLIGHT INJURY! A collaborative application could be implemented using 1 or more of the above capabilities. NOTE: Additional guidance for collaborative operations can be found in ISO TS 15066. The most attention is to Power & Force Limited and Speed & Separation Monitoring.

RIA Technical Reports R15.306, R15.406, and R15.506 were developed for the US because the 1999 standard included these details and the 2012 edition does not. TR R15.306 update of 1999 risk assessment methodology and matrix (from 2x2x2 to 3x3x3) to required protective measures. TR R15.406 Safeguarding, pulls many (but NOT all). requirements from various ISO safety standards. For EU or global compliance, use ISO standards. TR R15.506 Applicability of R15.06-2012 for existing robots, robot systems and applications. Needed because ISO standards only look forward (new).

TR R15.306 Risk assessment (task-based) Excerpt from ISO 12100, figure 1 risk assessment risk analysis Risk evaluation (see 5.6) Adequate risk reduction see 5.6.2 If no, repeat Has the risk been adequately reduced? Clause 6 Risk reduction Conduct a risk assessment (required now, option in 1999). Consider task locations & access requirements. See Part 2, clause 4.3 Identify tasks & hazards & the needed protective measures for all phases of operation Provide access to task locations & space to perform tasks, plus provide clearance if needed. 3 x 3 x 3 Matrix Severity, Exposure, and Possibility of Avoidance: See TR R15. 306, Table 1

RIA TR R15.306 2014 Factor Rating Criteria (Examples) choose most credible Injury Severity Serious S3 Moderate S2 Minor S1 Normally non-reversible: Read criteria from the top fatality and down, for each factor limb amputation long term disability, chronic illness, permanent health change If any of the above are applicable, the rating is SERIOUS Normally reversible: broken bones, severe laceration, fingertip amputation (not thumb) short hospitalization, short term disability lost time (multi-day) If any of the above are applicable, the rating is MODERATE First aid: bruising, small cuts no loss time (multi-day) does not require attention by a medical doctor If any of the above are applicable, the rating is MINOR

RIA TR R15.306 with E0 FACTOR with E0 E0 added Exposure Rating Prevented E0 High E2 Low E1 Criteria (Examples) choose most credible Read criteria from the top for each factor Exposure to hazard(s) eliminated/ controlled/ limited by inherently safe design measures Use of guards prevents exposure or access to the hazard(s) (see Part 2, 5.10). For interlocked guard(s), the following bullet must also be met. If functional safety is a risk reduction measure, the functional safety performance (PL) meets or exceeds the required functional safety performance (PLr). See Part 2, 5.2. If any of the above are applicable, the rating is PREVENTED Typically more than once per day or shift Frequent or multiple short duration Durations/situations which could lead to task creep and does not include teach If any of the above are applicable, the rating is HIGH Typically less than or once per day or shift, Occasional short durations If either of the above are applicable, the rating is LOW NOTE: E0 is used during validation as E0 is only available as a selection AFTER the 1 st round as it requires risk reduction (which happens after the initial assessment)

RIA TR R15.306 Factor Rating Criteria (Examples) choose most credible Tweaking A2 & A3 examples Avoidance Not Possible A3 Not Likely A2 Likely A1 Read criteria from the top for each factor Insufficient clearance to move away & safety-rated reduced speed not used Robot system or cell layout traps operator with the escape route to the hazard(s) Safeguarding does not protect process hazard(s) (e.g. explosion or eruption) If any of the above are applicable, the rating is NOT POSSIBLE Insufficient clearance to move away & safety-rated reduced speed is used Obstructed path to move to safe area Hazard is moving faster than reduced speed (250 mm/sec) Inadequate warning/reaction time. The hazard is imperceptible If any of the above are applicable, the rating is NOT LIKELY Sufficient clearance to move out of the way Hazard incapable of moving greater than reduced speed (250mm/sec) Adequate warning/reaction time. Positioned in a safe location away from hazard If any of the above are applicable, the rating is LIKELY

Risk reduction measures 3 Step Method 1 Inherently safe design measures by the designer/ supplier risk 2 Safeguarding* * designer/supplier & user Guards Protective Devices Complementary Protective Measures See Supplier 3 Step Method 3 Information for Use* * designer/ suppliers provide information for use to enable the User to develop and implement Warnings & Awareness Means Administrative Controls Training & supervision Personal protective equipment (PPE) residual risk

Risk reduction measures supplier perspective 1 2 3 Inherently safe design measures Safeguarding guards, protective devices, safety-related functions using the safety-related parts of the control system Complementary Protective Measures Emergency stop devices and functions Platforms and guard railing (fall prevention) & safe access Measures for escape & rescue of people, isolation & energy dissipation, handling heavy parts Information for Use from the Supplier to ENABLE the User to reduce risks to an acceptable level risks Risk reduction by supplier(s)

Risk reduction measures user perspective 1 2 3 Inherently safe design measures Risk reduction by supplier(s) risks Provision & use of additional safeguarding (guards & protective devices) & complementary protective measures Emergency stop devices and functions Platforms and guard railing (fall prevention) & safe access Measures for escape & rescue of people, isolation & energy dissipation, handling heavy parts Organization Safe working procedures, Supervision (safety management), Permit-to work systems (and similar) Training Personal Protective Equipment User risk reduction

Hierarchy of risk reduction measures Most Least Effective Designer Impact Integrator (Supplier) Impact User Impact Inherently Safe Design Measures Safeguarding and Complementary Protective Measures Information for Use Elimination Substitution Limit interaction (by inherently safe design) Safeguards & if applicable, Safety-Related Parts of the Control System (SRP/CS) Complementary Protective Measures Emergency stop devices and functions Platforms and guard railing (fall prevention) & safe access building codes & standards can apply Measures for escape & rescue of people, isolation & energy dissipation, handling heavy parts Warnings & Awareness Means Administrative Controls Personal Protective Equipment See TR R15.306 for a detailed Hierarchy of Risk Reduction Measures

Hierarchy of risk reduction See TR R15.306 for a detailed Hierarchy of Risk Reduction Measures Most Effective Least Description Risk Reduction Measures (Protective Measures) Description Elimination Substitution Limit Interaction Safeguards (guards & protective devices) & when applicable SRP/CS -------- Warnings and Awareness Means Administrative Controls PPE Process design, redesign or modification including changing layout to eliminate hazards (e.g. falls, hazardous materials, noise, confined spaces, eliminating pinch points, or reduce manual handling) Use of less hazardous materials Intrinsically safe (energy containment) Reduce energy (e.g. lower speed, force, amperage, pressure, temperature, volume or noise) Eliminate or reduce human interaction in the process Automate tasks, automate material handling (e.g. lift tables, conveyors, balancers) Guards Interlocks or interlocking devices, Sensitive protective equipment, Two-hand control devices Safety controls and logic Safety-related functions and safety parameters or configurations, (e.g. safety-rated speed, position, location, axis limits) Integration of protective devices, possibly including complementary protective measures Platforms and guard railing (fall prevention) & safe access building codes & standards can apply Measures for escape & rescue of people, isolation & energy dissipation, handling heavy parts Controlled selection of operating modes, enabling devices, emergency stop devices and functions Flashing lights, beacons or strobes; Audible alarms, beepers, horns or sirens; Signs, placards, markings or labels Training and safe job procedures; Rotation of workers, changing work schedule; Safety equipment inspections Control of hazardous energy (lock-out) see isolation & energy dissipation above Hazard communications; Confined space entry PPE: Safety glasses, face shields, respirators, hearing protection; Safety harnesses or lanyards; Gloves, hard hats, clothing or footwear used for specific safety purposes Inherently safe design measures Safeguards guards & protective devices Complementary protective measures Information for Use (and USER risk reduction measures)

RIA TR R15.306 Table 4 Min risk reduction as a function of the risk level Most Preferred Least Preferred Risk Reduction Measure Elimination Substitution Limit Interaction Safeguarding/ SRP/CS Complementary Protective Measures Warnings and Awareness Means Administrative Controls PPE Risk Level VERY HIGH HIGH MEDIUM LOW NEGLIGIBLE Use of one or a combination of these risk reduction measures are required as a primary means to reduce risks. Use of one or a combination of these risk reduction measures may be used in conjunction with the above risk reduction measures but shall not be used as the primary risk reduction measure. Use of one or a combination of any of the risk reduction measures that would reduce risks to an acceptable level may be used. Assess residual risk (6.6). Will acceptable risk be achieved (6.7). If not achieved, repeat. If residual risks are low or negligible, this is sufficient. Perform verification and validation (6.8). Document (7.9). And be aware of Updates (7)

TR R15.306, table 5 Risk Level Minimum functional safety performance PL r Structure Category NEGLIGIBLE (see 5.6.1) b -- LOW c 2 MEDIUM d 2 HIGH d 3 VERY HIGH (see 5.6.2) did not exist in R15.06-1999 e 4 Robot safety standards require PLd, Cat 3 unless a risk assessment determines another PL and Cat is needed. Functional safety could be lower or higher, based on application with end-effector and part(s). A higher requirement is not expected due to hazards associated with a robot system but could be required for other application risks. PLd, Cat 3 is equivalent to Control Reliable & can be validated!

TR R15.306: PLe not typically applicable to robot system Severity S1 Minor EXPOSURE E1 low E2 high RISK REDUCTION Table 2 without E0 Probability of AVOIDANCE A1 likely A2 or A3 not likely or not possible Risk Level Negligible Low If applicable Min PL & Cat of SRPCS b c2 Severity S1 Minor EXPOSURE E0 prevented E1 low E2 high E0 prevented RISK REDUCTION Table 2 Probability of AVOIDANCE A1 likely A2 or A3 not likely or not possible Risk Level Negligible Low If applicable Min PL & Cat of SRPCS b c2 S2 Moderate E1 low E2 high A1 likely A2 or A3 not likely or not possible Medium d2 S2 Moderate E1 low E2 high A1 likely Medium d2 A2 or A3 not likely or not possible High d3 S3 Serious E1 low E2 high A1 or A2 likely or not likely High d3 A3 not possible Very High e4 S3 Serious E0 prevented E1 low E2 high A1 or A2 likely or not likely Low High c2 d3 A3 not possible Very High e4

Example:1 st round No safeguarding / IGNORE safeguarding Severity S1 Minor S2 Moderate S3 Serious EXPOSURE E1 low E2 high E1 low E2 high E1 low E2 high RISK REDUCTION Table 2 without E0 Probability of AVOIDANCE A1 likely A2 or A3 not likely or not possible A1 likely A2 or A3 not likely or not possible A1 or A2 likely or not likely Risk Level Negligible Low Medium High If applicable Min PL & Cat of SRPCS b c2 d2 d3 A3 not possible Very High e4 TASK: Load part to end-effector Hazards (not all presented here): Impact by robot system (impact of robot arm or end-effector or part) Pinch/ crush by tooling clamps Sharp edges on tooling/ robot/ part Task/ Hazard pair example: Load part/ Impact by robot system: S3 serious injury potential E2 high exposure (multiple times/ shift) A2 not likely (possible though) HIGH risk: SRPCS must meet PLd Cat 3

Example: 2 nd round with perimeter guard, light curtains Severity S1 Minor S2 Moderate S3 Serious EXPOSURE E0 prevented E1 low E2 high E0 prevented E1 low E2 high RISK REDUCTION Table 2 Probability of Risk Level AVOIDANCE A1 likely A2 or A3 not likely or not possible A1 likely Negligible Low Medium If applicable Min PL & Cat of SRPCS b c2 d2 A2 or A3 not likely or not possible High d3 E0 prevented Low c2 E1 low E2 high A1 or A2 likely or not likely High d3 A3 not possible Very High e4 Task/ Hazard: Load part / Impact by robot system Risk reduced: perimeter guard and light curtain with muting where SRPCS meets PLd Cat 3 S3 serious injury potential Does not change. If impact, then serious E0 exposure prevented A not applicable Residual risk of this task/hazard is LOW May use: Complementary Protective Measures, Warnings & Awareness Means, Administrative Controls, PPE. SRCPCS (if applicable) meets PLc, Cat 2

Verification of Risk Reduction Example: Load part to robot end-effector 1 st Round: Perimeter guarding, light curtain with muting for load/unload where SRPCS meets PLd Cat 3. 2 nd Round: Complementary Protective Measures Estop pushbutton at load station Guard rail at load station platform (prevent fall), step has long run for large safety shoes, slip resistant floor Energy isolation & dissipation means to be addressed at entry to cell (cross reference to where this is addressed in the risk assessment) Warnings & Awareness Means Indicator OK to load/ unload Drawing to show the span of control of the Estop PB and light curtain (end-effector, robot, and clamps) Sign that reminds of any required PPE Administrative Controls Safe operating procedures for task, recovery, maintenance Training All personnel about task, operation of equipment, protective measures, span of control, PPE Maintenance & troubleshooting (plus if additional PPE needed)

TR R15.406-2014 TR R15.406 Safeguarding, pulls many (but NOT all) requirements from various ISO safety standards. For EU or global compliance, use the EN or ISO standards.

TR R15.506 Scope ANSI/RIA R15.06-2012 provides forward-looking guidance for industrial robots and industrial robot systems/cells effective at the time of its publication and contains no requirements for change or retrofit. This TR provides guidance as about what applies to existing equipment built to an earlier version of the standard.

TR R15.506 Figure 1 Flowchart outlining various requirements

TR R15.506 Table 2 Risk assessment and standard requirements for each scenario

Challenges moving ahead Change is difficult. We have a new standard (and TRs) to learn. Risk assessment is now required. Some people are not yet comfortable with risk assessment. But also many have become quite comfortable, wanting more granularity (3 levels of severity). ISO 13849-1 and IEC 62061 are relatively new to the US. Functional safety can seem scary because it includes equations. Math can be easily done by free software (Sistema for ISO 13849-1). Combines reliability with diagnostics coverage (to detect a failure), not simply relying on an architecture (categories). Functional safety requires understanding components (machine and safety-related), then integrating properly and lastly validating. More expected progress Design, integration and use must reflect the entire lifecycle of the robot system & application. The discipline of functional safety management, akin to quality management, is needed. PLe did not exist in EN954 plus Control Reliable was the best.

What s Next? Collaborative Operations / Applications: ISO TS 15066 approved! (expected to become an ANSI registered Technical Report by RIA -> TR R15.606) Manual load station (ISO TR) when is a load station a hindrance device that prevents entry End-effectors (ISO TR) for collaborative applications New Projects: R15.08 Robot/AGV combination Other UL1740 revision to go to ballot in 2016 How do we write a safety standard for this sort of mobile robot and not conflict with other standards?

Roberta Nelson Shea Global Marketing Manager, Safety Components Rockwell Automation Chelmsford, MA, USA +1 978-446-3494 RNelsonShea@ra.Rockwell.com

Intro to Robot / Robot System Safety www.rockwellautomation.com - 5058-CO900H