ANSI/RIA R15.06 - an introduction to Robot and Robot System Safety

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. PUBLIC - 5058-CO900H



ANSI/RIA R15.06-2012

Update of R15.06 – 1999

1999 withdrawn: end of 2014 (+TR R15.106 and TR R15.206)

R15.06 – 2012 is a national adoption of ISO 10218-1 and ISO 10218-2

ANSI/RIA R15.06-1999 was used as basis for ISO 10218

With an ANSI/RIA Introduction

• RIA (print) www.robotics.org + “old” standards & technical reports

• ANSI (PDFs): note that Technical Reports are NOT available from ANSI.


Who is addressed by standards?

Columns: WHO; ANSI; ISO and EN; OSHA Regulations; EU Machinery Directive

Manufacturer X X X

Integrator X X X

User X X

Could be directed to all entities X Suppliers ONLY

ANSI: guidance to Manufacturers, Integrators & Users of machinery (depends on scope).

ISO & EN standards: SUPPLIERS, NOT Users except when Users also have role of supplier, of industrial machinery. Allows movement of like goods into and within Europe.

OSHA standards provide requirements only to Users (Employers) for occupational safety, but can include responsibilities to Employees (ex. Lock-out).


History of ANSI/ RIA R15.06

1970 Occupational Health & Safety Act created

1982 R15.06 drafting started

1986 Publication of ANSI/RIA R15.06 – 1986

1986 R15.06 update started

1992 Publication of ANSI/ RIA R15.06 – 1992

1993 R15.06 update started

1999 Publication of ANSI/ RIA R15.06 – 1999

~2000.. ISO 10218 started based on ANSI/ RIA R15.06 – 1999

~2004 R15.06 update started (working with draft ISO 10218-1 & -2)

2006 Publication of ISO 10218-1 AND ISO 10218 revision started

2007 Publication of ANSI/ RIA ISO 10218-1 – 2007 & RIA TR to enable its use

2011 Publication of ISO 10218-1 and ISO 10218-2: 2011

2012 ANSI/ RIA R15.06 adopts ISO 10218-1 and -2:2011

2014 ANSI/ RIA Tech Reports published (TR R15.306, .406, .506)

2015 Publication of updated TR R15.306 w/minor revs & ISO TS 15066

Timeline graphic labels: 1961; 2014; ANSI Top Seller over the years


What’s new with R15.06-2012?

Standard structure

Part 1: Robot (comes from robot manufacturers)

Part 2: Integration: requirements placed on the integrator (role of integrator – not necessarily the business purpose)

Normative references to ISO & IEC standards

Safety features embedded in robot systems (some optional)


R15.06 – 2012: 7 Top changes

1. Terminology (limited changes)

2. Risk assessment REQUIRED!

3. Functional safety (quantifiable)

4. Floor space optimization due to new features (some OPTIONAL) & changes to CLEARANCE

5. Detachable & wireless pendants

6. Perimeter guarding changes (min/max)

7. Collaborative operation (4 types identified)

The issue is collaborative application – not just the robot. This topic is GREATLY misunderstood!

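Severity | Frequency of EXPOSURE | Probability of AVOIDANCE | Risk Level
S1 Minor | E0 prevented | -- | Negligible
S1 Minor | E1 low | -- | Negligible
S1 Minor | E2 high | A1 likely | Negligible
S1 Minor | E2 high | A2 or A3 not likely or not possible | Low
S2 Moderate | E0 prevented | -- | Low
S2 Moderate | E1 low | -- | Medium
S2 Moderate | E2 high | A1 likely | Medium
S2 Moderate | E2 high | A2 or A3 not likely or not possible | High
S3 Serious | E0 prevented | -- | Low
S3 Serious | E1 low | -- | High
S3 Serious | E2 high | A1 or A2 likely or not likely | High
S3 Serious | E2 high | A3 not possible | Very High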


Terminology changes

New Terms | Explanation
Robot | Robot arm & robot control (does NOT include end effector or part). Robot CAD files do NOT include tooling or parts.
Robot System | Robot, end effector and any task equipment
Robot Cell | Robot System and safeguarding (inside safeguarded space)
Reduced speed | Called Slow speed in the 1999 standard
Protective Stop | Called Safety Stop in the 1999 standard. Purpose: protection of people. This is different from Estop.
Manual Mode, reduced speed | Often called T1, was called Teach Mode in 1999 standard. (Teach is a task using manual reduced speed mode)
Manual Mode, high speed | Often called T2, but also called APV in the 1999 standard
Operator(s) | All personnel, not simply production operators. Maintenance, troubleshooting, setup, production…


Standard “special” words

Shall Normative or mandatory requirement

Should Recommendation or good practice

May Permissive or allowed

Can Possible or capable – statement of fact

Notes are informative: used to provide additional information or explain concepts.

If you see a “shall,” “should” or “may” in a note – it is an error.

We (standards writers) try, but we still make mistakes.

ANNEXES can be NORMATIVE or INFORMATIVE

All annexes can contain shalls/ shoulds/ mays and cans. If you CHOOSE to use an informative annex, you are required to use all of it as written (including SHALLs…)


R15.06 – 2012, Part 1 Robot Mfgers!

Part 1: Annex D describes OPTIONAL features. Robot manufacturers are NOT required to provide any of these features; however, if they are provided, they have to meet the stated requirements in Part 1. Here are the optional features listed in Annex D:

Emergency stop output functions

Enabling Device features (common enabling device functionality and connecting additional)

Mode selection (providing mode information as a safety-related function)

Anti-collision sensing awareness signal (not safety-related function but helpful)

Maintaining path accuracy across all speeds, so that using T2 is not needed

Safety-rated soft axis and space limiting (allows smaller cell footprints). Ex: FANUC DCS, Kuka Safe Operation, ABB SafeMove, Yaskawa FSU…

Stopping performance measurement

Do NOT presume that these features are provided. OPTIONS!

Part 2 is for the integration of robots into systems and cells.


Impact to Integrators & Users

Part 2 (ISO 10218-2 = R15.06 Part 2)

This is the BIGGY for Integrators (and Users to know)

Users are not specifically addressed

If the User acts as integrator, then integrator requirements apply to the User.

Users need to use the information provided by the integrator.

Users address the residual risks: typically developing procedures & training, training personnel, adding warnings/ signs and safety management.

Integrators/ Users: options in Part 1, Annex D needed?

Know before buying robots. A robot that meets ISO 10218-1 (which is ANSI RIA R15.06 Part 1) only has these optional features if you request them or if the manufacturer states that their robot has these options.

Validation & verification, Clause 6, requires Annex G (p 127 Part 2)

Then START READING the standard!


R15.06: 2012 – Part 2

Clause 1: Scope

Clause 2: Normative References

ISO to be used for global (including US) compliance while some ANSI standards can be used instead of ISO if compliance is for US only.

Clause 3: Terms and definitions

Clause 4: Hazard Identification & Risk Assessment (see TR R15.306)

Clause 5: Safety Requirements and protective measures

5.2: Functional safety (ISO 13849-1 & IEC 62061) requirements and equivalency to “Control Reliability”

5.10: Safeguarding (Use ISO & IEC standards or if ONLY US, TR R15.406 can be used)

Clause 6: Verification & validation of safety requirements and protective measures (NORMATIVE reference to ANNEX G in Part 2)

Clause 7: Information for Use (page 101, Part 2)


Part 2: 5.2 Functional safety

ISO 13849-1:2006 and IEC 62061 provide metrics for functional safety

Can quantify performance, determine requirements, and validate

“Control Reliable”: concept in 1999 standard

PL=d with structure category 3 is equivalent to the requirements in the 1999 standard for “control reliability”:

– A single fault does not lead to the loss of the safety function;
– The fault shall be detected before the next safety function demand;
– When the fault occurs, the safety function is performed and a safe state shall be maintained until the detected fault is corrected;
– Reasonably foreseeable faults shall be detected.

Functional safety applies to all safety features which include a control system/ logic (SRP/CS)


Optimize Your Floor Space

Using safety-rated soft axis and space limiting feature of the robot control (optional feature)

See Part 1: 3.19.3, Part 1: 5.12.3 and Part 1: Annex D

This is a type of “Limiting Device” (safety function) that reduces the “maximum space” to the restricted space.

Maximum, Restricted, and Operating Spaces include the robot, end-effector, & part


Optimize Your Floor Space: Clearance

IF ONLY Manual Reduced Speed (T1) and NO T2, then clearance is required for tasks inside the safeguarded space where there is an exposure to hazard(s) due to lack of space (pinch, crush, trapping).

No task, no need for clearance! Be real in the risk assessment.

If there is a lack of space for a task, then 20in (500mm) needed for trapping (body/ chest). For other body parts, use ISO 13854.

1999: 18-inch clearance from the operating space was required.

2012: Silent whether distance is from the restricted or operating space.

Case studies: up to a 30-40% reduction in footprint!

Photo courtesy Assa Abloy

Important: If the robot has high-speed manual (T2), then 20in (500mm) clearance is required regardless of the risk assessment (Part 2, 5.5.2)


Perimeter Guard Dimension Comparison

Dimension | R15.06-1999 | ISO 10218 & R15.06-2012 | CSA Z434
Lower Dimension (MAXIMUM) | 12 in. | 7 in. | 6 in.
Upper Dimension (MINIMUM) | 60 in. | 55 in. | 72 in.

Only if hazards cannot be accessed by reach over, under and through.

Example, if there is a hazard within 43” of the bottom, then the guard must have a lower dimension smaller than 7”. (see ISO 13855 or RIA TR15.406)


Collaborative Operation

4 types of collaborative operation (Part 1, 5.10; Part 2, 5.11) for collaborative applications (can be a mix of the following) – all while in AUTOMATIC:

Safety-rated monitored stop: Operator may interact with robot system when it is stopped (drive power may be ON). Automatic operation resumes when the human leaves the collaborative workspace.

Hand-guiding operation: Operator in direct contact with the robot system, using hand controls.

Speed and separation monitoring: Robot/hazard speed is reduced the closer an operator is to the hazard. Protective stop is issued before contact.

Power and force limiting: Incidental contact between robot and person will not result in harm to person. Reference ISO TS 15066. Requires a risk assessment for each body region. Applications where WORST CASE is ONLY SLIGHT INJURY!

A collaborative application could include 1 or more of the above capabilities.

NOTE: Additional guidance for collaborative operations can be found in ISO TS 15066, with the most attention to Power & Force Limited and Speed & Separation Monitoring. TS 15066 is available by the end of Feb 2016 from ISO and ANSI.


RIA Technical Reports…

R15.306, R15.406, and R15.506 were developed for the US because the 1999 standard included these details and the 2012 edition does not.

TR R15.306: update of 1999 risk assessment methodology and matrix (from 2x2x2 to 3x3x3) to required protective measures.

TR R15.406: Safeguarding, pulls many (but NOT all) requirements from various ISO safety standards. For EU or global compliance, use ISO standards.

TR R15.506: Applicability of R15.06-2012 for existing robot applications. Needed because ISO standards only look forward (new).


TR R15.306 Risk assessment (task-based)

Conduct a risk assessment (required now, option in 1999).

Consider task locations & access requirements. See Part 2, clause 4.3

Identify tasks & hazards & the needed protective measures for all phases of operation

Include the need for access to tasks and providing space to perform tasks, including clearance if needed.

3 x 3 x 3 Matrix: Severity, Exposure, and Possibility of Avoidance. See TR R15.306, Table 1

Figure (excerpt from ISO 12100, figure 1): risk analysis; risk assessment; risk evaluation (see 5.6); “Has the risk been adequately reduced?” (adequate risk reduction, see 5.6.2); if no, risk reduction (Clause 6) and repeat.


RIA TR R15.306 – 2014

Factor Rating Criteria (Examples) – choose most credible. Read criteria from the top and down, for each factor.

Factor: Injury Severity

Serious (S3). Normally non-reversible:
– fatality
– limb amputation
– long term disability
– chronic illness
– permanent health change
If any of the above are applicable, the rating is SERIOUS

Moderate (S2). Normally reversible:
– broken bones
– severe laceration
– short hospitalization
– short term disability
– lost time (multi-day)
– fingertip amputation (not thumb)
If any of the above are applicable, the rating is MODERATE

Minor (S1). First aid:
– bruising
– small cuts
– no loss time (multi-day)
– does not require attention by a medical doctor
If any of the above are applicable, the rating is MINOR


RIA TR R15.306 with E0

Factor (with E0) Rating Criteria (Examples) – choose most credible. Read criteria from the top for each factor.

Factor: Exposure (E0 added)

Prevented (E0):
– Exposure to hazard(s) is eliminated/ controlled/ limited by inherently safe design measures.
– Use of guards prevents exposure or access to the hazard(s) (see Part 2, 5.10). If an interlocked guard is selected, the following bullet must also be met.
– If functional safety is used as a risk reduction measure, the functional safety performance (PL) meets or exceeds the required functional safety performance (PLr). See Part 2, 5.2.
If any of the above are applicable, the rating is PREVENTED

High (E2):
– Typically more than once per day or shift
– Frequent or multiple short duration
– Durations/situations which could lead to task creep and does not include teach
If any of the above are applicable, the rating is HIGH

Low (E1):
– Typically less than or once per day or shift
– Occasional short durations
If either of the above are applicable, the rating is LOW

NOTE: E0 is used during validation as E0 is only available as a selection AFTER the 1st round as it requires risk reduction (which happens after the initial assessment)


RIA TR R15.306

Factor Rating Criteria (Examples) – choose most credible. Read criteria from the top for each factor.

Factor: Avoidance (tweaking of A2 and A3 examples)

Not Possible (A3):
• Insufficient clearance to move out of the way and safety-rated reduced speed control is not used
• The robot system or cell layout causes the operator to be trapped, with the escape route toward the hazard
• Safeguarding is not expected to offer protection from the process hazard (e.g. explosion or eruption hazard)
If any of the above are applicable, the rating is NOT POSSIBLE

Not Likely (A2):
• Insufficient clearance to move out of the way and safety-rated reduced speed control is used
• Obstructed path to move to safe area
• Hazard is moving faster than reduced speed (250 mm/sec)
• Inadequate warning/reaction time
• The hazard is imperceptible
If any of the above are applicable, the rating is NOT LIKELY

Likely (A1):
• Sufficient clearance to move out of the way
• Hazard incapable of moving greater than reduced speed (250 mm/sec)
• Adequate warning/reaction time
• Positioned in a safe location away from the hazard
If any of the above are applicable, the rating is LIKELY


TR R15.306: PLe not typically applicable to robot system

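RISK REDUCTION – Table 2 without E0

Severity | EXPOSURE | Probability of AVOIDANCE | Risk Level | If applicable: Min PL & Cat of SRP/CS
S1 Minor | E1 low | -- | Negligible | b
S1 Minor | E2 high | A1 likely | Negligible | b
S1 Minor | E2 high | A2 or A3 not likely or not possible | Low | c2
S2 Moderate | E1 low | -- | Medium | d2
S2 Moderate | E2 high | A1 likely | Medium | d2
S2 Moderate | E2 high | A2 or A3 not likely or not possible | High | d3
S3 Serious | E1 low | -- | High | d3
S3 Serious | E2 high | A1 or A2 likely or not likely | High | d3
S3 Serious | E2 high | A3 not possible | Very High | e4

RISK REDUCTION – Table 2

Severity | EXPOSURE | Probability of AVOIDANCE | Risk Level | If applicable: Min PL & Cat of SRP/CS
S1 Minor | E0 prevented | -- | Negligible | b
S1 Minor | E1 low | -- | Negligible | b
S1 Minor | E2 high | A1 likely | Negligible | b
S1 Minor | E2 high | A2 or A3 not likely or not possible | Low | c2
S2 Moderate | E0 prevented | -- | Low | c2
S2 Moderate | E1 low | -- | Medium | d2
S2 Moderate | E2 high | A1 likely | Medium | d2
S2 Moderate | E2 high | A2 or A3 not likely or not possible | High | d3
S3 Serious | E0 prevented | -- | Low | c2
S3 Serious | E1 low | -- | High | d3
S3 Serious | E2 high | A1 or A2 likely or not likely | High | d3
S3 Serious | E2 high | A3 not possible | Very High | e4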


Risk reduction measures – 3 Step Method

Figure: 3 Step Method, reducing risk to residual risk.

Step 1: Inherently safe design measures (by the designer/ supplier)

Step 2: Safeguarding* (Guards, Protective Devices) and Complementary Protective Measures

Step 3: Information for Use (Warnings & Awareness Means; Administrative Controls; Training & supervision; Personal protective equipment (PPE))

* designer & user

Other figure labels: “See Supplier 3 Step Method”; “developed from Information for Use”


Hierarchy of risk reduction measures

Listed from Most Effective to Least Effective:

Inherently Safe Design Measures
– Elimination
– Substitution
– Limit interaction (by inherently safe design)

Safeguarding and Complementary Protective Measures
– Safeguards & if applicable, Safety-Related Parts of the Control System (SRP/CS)
– Complementary Protective Measures:
• Emergency stop devices and functions
• Platforms and guard railing (fall prevention) & safe access – building codes & standards can apply
• Measures for escape & rescue of people, isolation & energy dissipation, handling heavy parts

Information for Use
– Warnings & Awareness Means
– Administrative Controls
– Personal Protective Equipment

Side labels on the figure: User Impact; Designer Impact; Integrator (Supplier) Impact

See TR R15.306 for a detailed Hierarchy of Risk Reduction Measures


RIA TR R15.306

Assess residual risk (6.6). Will acceptable risk be achieved (6.7). If not achieved, repeat.

If residual risks are low or negligible, this is sufficient. Perform verification and validation (6.8).

Document (7.9). And be aware of Updates (7)

Table 4 – Min risk reduction as a function of the risk level

Risk Level columns: VERY HIGH; HIGH; MEDIUM; LOW; NEGLIGIBLE

Risk Reduction Measures, from Most Preferred to Least Preferred: Elimination; Substitution; Limit Interaction; Safeguarding/ SRP/CS; Complementary Protective Measures; Warnings and Awareness Means; Administrative Controls; PPE

Cell text:

– Elimination, Substitution, Limit Interaction, Safeguarding/ SRP/CS: Use of one or a combination of these risk reduction measures are required as a primary means to reduce risks.

– Complementary Protective Measures, Warnings and Awareness Means, Administrative Controls, PPE: Use of one or a combination of these risk reduction measures may be used in conjunction with the above risk reduction measures but shall not be used as the primary risk reduction measure.

– Use of one or a combination of any of the risk reduction measures that would reduce risks to an acceptable level may be used.


TR R15.306, table 5

Minimum functional safety performance:

Risk Level | PLr | Structure Category
NEGLIGIBLE (see 5.6.1) | b | --
LOW | c | 2
MEDIUM | d | 2
HIGH | d | 3
VERY HIGH (see 5.6.2), did not exist in R15.06-1999 | e | 4

Robot safety standards require PLd, Cat 3 unless a risk assessment determines another PL and Cat is needed.

Functional safety could be lower or higher, based on application – with end-effector and part(s). A higher requirement is not expected due to hazards associated with a robot system but could be required for other application risks.

PLd, Cat 3 is equivalent to Control Reliable & can be validated!
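
The two-round assessment from the TR R15.306 slides, as an added example that is not part of the presentation or of the TR: the first round rates the task without E0, Table 2 gives the risk level, Table 5 gives the minimum PLr and category, and the validation round accepts E0 only when the chosen measure meets the E0 criteria. Function and field names are hypothetical, and the matrix values are transcribed from the slides as read here.

```python
# Added example. Names are hypothetical; values are transcribed from the
# slides' Table 2 (risk level) and Table 5 (minimum PLr, structure category).
PL_ORDER = ("a", "b", "c", "d", "e")           # lowest to highest
TABLE5 = {                                     # risk level -> (PLr, min category)
    "NEGLIGIBLE": ("b", None), "LOW": ("c", 2), "MEDIUM": ("d", 2),
    "HIGH": ("d", 3), "VERY HIGH": ("e", 4),
}
# Measures that can justify E0 (prevented) per the Exposure criteria.
# True = relies on a safety function, so PL must meet or exceed PLr.
E0_MEASURES = {"inherent_design": False, "fixed_guard": False,
               "interlocked_guard": True, "safety_function": True}


def risk_level(severity, exposure, avoidance=None):
    """Table 2 lookup: S1..S3, E0..E2, A1..A3 -> risk level."""
    if severity not in ("S1", "S2", "S3") or exposure not in ("E0", "E1", "E2"):
        raise ValueError("unknown severity or exposure rating")
    if exposure == "E0":                       # avoidance is not rated for E0
        return "NEGLIGIBLE" if severity == "S1" else "LOW"
    if avoidance not in ("A1", "A2", "A3"):
        raise ValueError("avoidance rating required for E1/E2")
    if severity == "S3":
        return "VERY HIGH" if (exposure, avoidance) == ("E2", "A3") else "HIGH"
    raised = exposure == "E2" and avoidance in ("A2", "A3")
    if severity == "S2":
        return "HIGH" if raised else "MEDIUM"
    return "LOW" if raised else "NEGLIGIBLE"


def initial_assessment(severity, exposure, avoidance):
    """First round: E0 is not selectable, no risk reduction exists yet."""
    if exposure == "E0":
        raise ValueError("E0 is only available after risk reduction")
    level = risk_level(severity, exposure, avoidance)
    plr, cat = TABLE5[level]
    return {"severity": severity, "exposure": exposure, "avoidance": avoidance,
            "risk": level, "plr": plr, "category": cat}


def validate(initial, measure, achieved_pl=None, achieved_cat=None):
    """Validation round: decide whether E0 may be claimed for this task.

    achieved_cat is an integer 1..4 (None is treated as below category 1).
    If E0 is rejected, this sketch keeps the residual risk at the initial level.
    """
    def rejected(reason):
        return {"e0": False, "residual": initial["risk"], "reason": reason}

    if measure not in E0_MEASURES:
        return rejected("measure does not prevent exposure")
    if E0_MEASURES[measure]:
        if achieved_pl not in PL_ORDER:
            return rejected("no achieved PL stated for the safety function")
        pl_ok = PL_ORDER.index(achieved_pl) >= PL_ORDER.index(initial["plr"])
        cat_ok = (initial["category"] is None
                  or (achieved_cat or 0) >= initial["category"])
        if not (pl_ok and cat_ok):
            return rejected("achieved PL/Cat is below PLr %s / Cat %s"
                            % (initial["plr"], initial["category"]))
    return {"e0": True, "residual": risk_level(initial["severity"], "E0"),
            "reason": "exposure prevented"}
```

For an S3/E2/A2 task the first round gives HIGH with PLr d, Cat 3; an interlocked guard validated at PL c, Cat 2 leaves the task at HIGH, while PL d, Cat 3 allows E0 and a residual risk of LOW.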


TR R15.406-2014

TR R15.406 Safeguarding, pulls many (but NOT all) requirements from various ISO safety standards.

For EU or global compliance, use the EN/ ISO standards.


TR R15.506 Scope

ANSI/RIA R15.06-2012 provides forward-looking guidance for industrial robots and industrial robot systems/cells effective at the time of its publication and contains no requirements for change or retrofit.

This TR provides guidance about what applies to existing equipment built to an earlier version of the standard.


TR R15.506

Figure 1 – Flowchart outlining various requirements


TR R15.506

Table 2 – Risk assessment and standard requirements for each scenario


Challenges moving ahead…

Change is difficult. We have a new standard (and TRs) to learn.

Risk assessment is now required. Some people are not yet comfortable with risk assessment. But also many have become quite comfortable.

Drive for new TR15.306 to have 3 levels of severity: slight, moderate, serious.

ISO 13849-1 and IEC 62061 are relatively new to the US.

Functional safety can seem scary because it includes equations.

Math can be easily done by free software (Sistema for ISO 13849-1).

Combines reliability with diagnostics coverage (to detect a failure), rather than simply relying on an architecture (categories).

Functional safety requires understanding components (machine and safety-related), then integrating properly and lastly validating. More expected … progress

This design, integration and use needs to reflect the entire lifecycle of the robot system and application. It requires a discipline – the discipline of functional safety management, akin to quality management.

We have PLe which didn’t exist in EN954 plus “Control Reliable” was the “best”.


What’s Next?

Collaborative Operations / Applications: ISO TS 15066 approved! (expected to become an ANSI registered Technical Report by RIA -> TR R15.606)

Manual load station (ISO TR)

when is a load station a “hindrance device” that prevents entry

End-effectors (ISO TR) for collaborative applications

New Projects: R15.08

Robot/AGV combination

Other…

UL1740 revision to go to ballot in 2016

How do we write a safety standard for this sort of mobile robot and not conflict with other standards?
