Collaborative Robotics Under ISO 10218 and ISO/TS 15066

What the Standards Actually Require

ISO 10218-1 specifies safety requirements applicable to the industrial robot itself — the manipulator, the controller, the safety-related control functions. ISO 10218-2 extends those requirements outward to the integrator and to the application: the cell, the end-effector, the workpiece, the human task. ISO/TS 15066, published as a technical specification rather than a full standard, fills the gap that the original 10218 left open: how to operate a robot in a shared workspace with a human present, which is the defining condition of a collaborative robot.

The collaborative-operation taxonomy in 15066 is structurally explicit. It enumerates four collaborative modes — safety-rated monitored stop, hand guiding, speed and separation monitoring, and power and force limiting — and specifies, for each, the admissibility conditions under which the mode is permitted, the monitoring required to maintain those conditions, and the protective behavior required when conditions are violated. Power and force limiting in particular reaches further: it incorporates biomechanical limit data (the 15066 Annex A pain-onset thresholds) that bound permissible transient and quasi-static contact forces by body region.

ANSI/RIA R15.06 adopts ISO 10218 substantively for the United States and is enforced through OSHA general-duty-clause findings and through customer specifications that name R15.06 directly. The EU Machinery Directive 2006/42/EC has, since 2009, required CE marking on industrial robots and has incorporated the harmonized standards by reference. The Machinery Regulation 2023/1230 — applicable from January 2027 — replaces the Directive with binding regulation, expands scope to include software-defined safety functions and AI-assisted control, and introduces conformity-assessment obligations that explicitly contemplate post-market modification and learning. Across all of these layers the structural pattern is the same: safety is a decomposition into declared modes with declared rules.

How Vendor Architectures Currently Implement Modes

Universal Robots pioneered the modern cobot category with the UR3, UR5, and UR10 series and now operates under Teradyne ownership; FANUC's CRX series, ABB's GoFa and YuMi, Yaskawa's HC series, KUKA's LBR iiwa (the Lightweight Robot whose lineage runs back to the DLR research program), Doosan's M and H series, Techman's TM series, and the cobot-native entrants from Franka Robotics, Neura, Mecademic, and Productive Robotics each treat the 15066 mode set as an implementation requirement met inside their controller stack. Each vendor produces a safety-rated subsystem (typically a dual-channel safety controller distinct from the motion controller), each vendor defines proprietary parameter sets that map the mode taxonomy onto their kinematics, and each vendor engages a notified body — TUV, DEKRA, UL, Bureau Veritas — to certify that the controller meets the performance-level and safety-integrity-level requirements that 10218-1 cross-references from ISO 13849-1 and IEC 62061.

Each vendor likewise publishes a safety-function manual that enumerates the safety-rated I/O, the safety-rated tool-center-point limits, the safety-rated joint-torque limits, and the safety-rated zone-monitoring functions available on their controller, and each integrator is then expected to compose these vendor-specific functions into the application's risk-assessment per ISO 12100 (the parent risk-assessment standard) and to document the resulting cell against 10218-2.

The certification produces a controller-level conformity assessment. What it does not produce is portable compliance evidence at the application layer. Integrators building cells under 10218-2 must reconstruct, for their specific application, that the active mode at any given moment was the correct mode, that the transition into that mode was admissible, that the protective behavior on transition matched the declared rule, and that the biomechanical limits applicable in the active mode were not exceeded. Today this reconstruction is an evidentiary exercise: log files, parameter dumps, video review, integrator narrative.

Graduated Modes as Structural Primitive

Governed actuation's graduated-mode-set primitive is the architectural counterpart of the 15066 taxonomy. Each mode in the actuation substrate carries a declared admissibility predicate, a declared protective-behavior contract, and a declared transition rule. Mode entry, mode operation, and mode exit are not log lines emitted as a side effect — they are credentialed events recorded into the actuation lineage. The lineage is the audit artifact.

Mapping is direct. Safety-rated monitored stop becomes the mode whose admissibility predicate is "operator-zone occupancy detected and zone-boundary monitoring nominal" and whose protective-behavior contract is "drive power maintained, motion zero, monitored." Hand guiding admits under "enabling-device engaged, force-input within hand-guide envelope." Speed and separation monitoring admits under "separation distance greater than protective separation distance for current speed vector." Power and force limiting admits under "kinetic and quasi-static energy bounds per body-region map within Annex A thresholds." Each predicate is declared, each transition is credentialed, each exit is recorded.

The substrate change is significant. Under the architecture, a notified-body auditor reading the lineage can verify mode admissibility by reading the declared predicate against the recorded sensor state at transition time. There is no reconstruction step. The compliance question collapses from "did the integrator's evidence support the claim" to "does the architectural record show declared admissibility."

Compliance Audit Under the Architecture

Notified-body audits, customer audits, post-incident regulatory audits, and OSHA inspections each traverse the same logical path: which mode was active, what sensor state triggered the mode, what protective behavior executed, whether mode transitions complied with declared rules, and whether biomechanical limits applicable to the active mode held throughout. Under conventional architectures that path is reconstructed from heterogeneous evidence. Under governed actuation it is read directly from the lineage.

The shift matters most at three audit boundaries. First, post-incident: when a contact event occurs, the lineage shows whether the active mode was admissible, whether sensing was nominal, and whether the protective behavior fired on rule. Second, post-modification: when an integrator changes end-effector mass, payload, or workspace geometry, the architecture re-evaluates declared admissibility against the new parameters and surfaces any mode that no longer admits — without waiting for a violation. Third, post-update: when the controller firmware or the safety-function software is revised, the architecture preserves the declaration history, so an auditor can trace which version of which rule governed which transition.

Cobot OEMs that adopt the primitive gain structurally-supported compliance audit at the controller layer. Integrators that build on those controllers gain the same property at the application layer. Customers — automotive bodyshops, electronics-assembly lines, pharmaceutical packaging cells, the small-and-medium manufacturers who buy cobots precisely to avoid the integration cost of caged industrial robots — gain audit evidence without the integrator-narrative reconstruction step.

The Machinery Regulation 2023/1230 Inflection

The transition from Machinery Directive 2006/42/EC to Machinery Regulation 2023/1230 changes the compliance landscape in ways that favor architectural decomposition. The Regulation is binding rather than transposed, narrowing member-state interpretive variance. It expands scope to include software updates that alter safety functions, requiring re-assessment when post-market changes affect declared safety properties. It adds explicit obligations around cybersecurity of safety functions, recognizing that a safety controller's integrity depends on the integrity of the channels that command it. It introduces a category for "high-risk machinery" that includes machines with safety-related AI components and obligates third-party conformity assessment for those.

Each of these changes pulls compliance toward a model in which the architectural record is the audit artifact. A graduated-mode-set substrate that records declared admissibility and credentialed transitions answers each new obligation in the same vocabulary the Regulation uses. Software-update reassessment becomes a re-evaluation of declarations against the new code; cybersecurity of safety functions becomes a property of the credentialing layer that admits commands into modes; AI-assisted control becomes a learnable predicate inside an otherwise unchanged admissibility framework.

Where Cobot Procurement Is Heading

Three procurement trends converge on the architectural primitive. The first is the migration of cobots out of the lab-and-pilot zone into production lines that previously used caged industrial robots: Volkswagen, BMW, Tesla, Foxconn, and the Tier-1 automotive suppliers all run cobot programs at scale, and at scale the integration-narrative compliance model becomes the bottleneck. The second is the rise of cobot-as-a-service offerings from Formic, Rapid Robotics, and similar providers, where the service operator is the duty-holder under 10218-2 and needs compliance evidence that survives customer churn and equipment redeployment. The third is the EU Machinery Regulation's January 2027 applicability date, which forces a re-assessment cycle across the installed base.

Cobot OEMs adopting the graduated-mode-set primitive at the controller layer position their products for each of these trends. Integrators adopting it at the application layer position their cells the same way. The compliance regime is already structured around declared modes; the architecture matches the structure the standards have always required.

A further dimension worth naming is the convergence with functional-safety standards adjacent to 10218. ISO 13849-1 (performance levels for safety-related parts of control systems), IEC 62061 (safety integrity levels for machinery), IEC 61508 (the parent functional-safety standard), and ISO 13855 (positioning of safeguards relative to approach speeds) each contribute requirements that bear on cobot mode operation. The performance-level rationale that 13849-1 demands — a justified PL claim with diagnostic coverage, common-cause failure analysis, and category determination — is, structurally, a declaration about the mode's protective behavior under failure. Graduated modes carry exactly that declaration as a first-class architectural property. The cross-standard composition that integrators currently assemble through engineering documentation packages becomes a property of the architectural record.

The implication for the wider safety-of-machinery ecosystem is that the mode-decomposition primitive generalizes beyond cobots. Mobile robots under ISO 3691-4, autonomous mobile manipulators under the in-development ISO 25785 series, surgical and rehabilitation robots under the IEC 80601-2-77 and IEC 80601-2-78 family, and outdoor field robots under ISO 18497 each define mode taxonomies with the same structural shape. A substrate that handles graduated modes for industrial cobots handles graduated modes across these families with the same architectural vocabulary, which is the property that makes the primitive worth standing up at the substrate layer rather than rebuilding it inside each vertical.