Safety Functions Table

Description

Universal Robots safety functions and safety I/O are PLd Category 3 (ISO 13849-1), where each safety function has a PFH value less than 1.8E-07.

The PFH values are updated to include greater design flexibility for supply chain resilience.

For safety I/O, the resulting safety function, including the external device or equipment, is determined by the overall architecture and the sum of all PFHs, including the UR robot safety function PFH.

If any safety function limit is exceeded or a fault is detected in a safety function or safety-related part of the control system, UR defines the safe state as a stop with removal of drive power (either a stop category 1 or a stop category 0 (footnote 3), immediate removal of power).

The Safety Functions tables presented in this chapter are simplified. You can find the comprehensive versions of them here: https://www.universal-robots.com/support

SF1 Emergency Stop
(ISO 13850)

See footnotes 1, 2, 3, 4

Description What happens? Affects

Pressing the Estop PB on the pendant (footnote 1) or the External Estop (if using the Estop Safety Input) results in a Stop Cat 1 (footnote 4) with power removed from the robot actuators and the tool I/O. Controller I/O go “low”.

Command (footnote 1) all joints to stop and upon all joints coming to a monitored standstill state, power is removed.

See Stop Time & Stop Distance Safety Functions (footnote 5).

ONLY USE FOR EMERGENCY PURPOSES, not to be used for safeguarding.

Stop Category 1 (IEC 60204-1)

Affects: Robot, robot tool I/O, and controller IO

SF2 Safeguard Stop (footnotes 3, 4)
(Protective Stop according to ISO 10218-1*)

* Prior to 2006, this was called “safety stop” or “safeguard stop”

Description What happens? Affects

This safety function is initiated by an external protective device using safety inputs which will initiate a Stop Cat 2 (footnote 4). The purpose is to protect people from injury, as compared to protecting the robot, equipment, or products.

The tool I/O are unaffected by the safeguard stop.

If an enabling device is connected, it is possible to configure the safeguard stop to function in automatic mode ONLY.

See the Stop Time and Stop Distance Safety Functions (footnote 5).

Stop Category 2 (IEC 60204-1)

SS2 stop (as described in IEC 61800-5-2)

Affects: Robot

SF3 Joint Position Limit
(soft axis limiting)
Description What happens? Tolerance Affects

Sets upper and lower limits for the allowed joint positions. Stopping time and distance are not considered, as the limit(s) will not be violated. Each joint can have its own limits.

Directly limits the set of allowed joint positions that the joints can move within. It is a means of safety-rated soft axis limiting & space limiting, according to ISO 10218-1:2011, 5.12.3.

Will not allow motion to exceed any limit settings.

Speed could be reduced so motion will not exceed any limit.

A robot stop will be initiated to prevent exceeding any limit.

Affects: Joint (each)

SF4 Joint Speed Limit
Description What happens? Tolerance Affects

Sets an upper limit for the joint speed. Each joint can have its own limit. This safety function has the most influence on energy transfer upon contact (clamping or transient). Directly limits the set of allowed joint speeds which the joints are allowed to perform. It is set in the safety setup part of the User Interface. Used to limit fast joint movements, e.g. risks related to singularities.

Will not allow motion to exceed any limit settings.

Speed could be reduced so motion will not exceed any limit.

A robot stop will be initiated to prevent exceeding any limit.

Tolerance: 1.15 °/s

Affects: Joint (each)

Joint Torque Limit
Description

Exceeding the internal joint torque limit (each joint) results in a Cat 0 (footnote 3) Stop. This safety function is not accessible to the user; it is a factory setting. It is NOT shown as a safety function because there are no user settings.

SF5 Called various names: Pose Limit, Tool Limit, Orientation Limit, Safety Planes, Safety Boundaries
Description What happens? Tolerance Affects

Monitors the TCP Pose (position and orientation) and will prevent exceeding a safety plane or TCP Pose Limit.

Multiple pose limits are possible (tool flange, elbow, and up to 2 configurable tool offset points with a radius)

Orientation restricted by the deviation from the feature Z direction of the tool flange OR the TCP.

This safety function has two parts. One is the safety planes for limiting the possible TCP positions. The second is the TCP orientation limit, which is entered as an allowed direction and a tolerance. This provides TCP and wrist inclusion/exclusion zones due to the safety planes.

Will not allow motion to exceed any limit settings.

Speed or torques could be reduced so motion will not exceed any limit set for SF 5, SF 6, SF 7 or SF 8.

A robot stop will be initiated to prevent exceeding any limit.

Will not allow motion to exceed any limit settings.

Tolerance: 3°, 40 mm

Affects: TCP, Tool flange, Elbow

SF6 Speed Limit TCP & Elbow
Description What happens? Tolerance Affects

Monitors the TCP and elbow speed to prevent exceeding a speed limit. Equivalent to monitoring the whole arm as the sections between the TCP and elbow cannot move faster than the endpoints of these sections.

Will not allow motion to exceed any limit settings.

Speed or torques could be reduced so motion will not exceed any limit set for SF 5, SF 6, SF 7 or SF 8.

A robot stop will be initiated to prevent exceeding any limit.

Will not allow motion to exceed any limit settings.

Tolerance: 50 mm/s

Affects: TCP

SF7 Force Limit (TCP & Elbow)
Description What happens? Tolerance Affects

The Force Limit is the force exerted by the robot at the TCP (tool center point) and “elbow”. The safety function continuously calculates the torques allowed for each joint to stay within the defined force limit for both the TCP & the elbow.

The joints control their torque output to stay within the allowed torque range. This means that the forces at the TCP or elbow will stay within the defined force limit.

When a stop is initiated by the Force Limit SF, the robot will stop. The UR standard controller will cause motion to “back-off” to the position before the force limit was exceeded. This “back-off” is not part of the safety function as it is done by the standard controller. The safety controller has a fixed time (part of the response time) allowed before a robot stop is initiated (regardless of “back-off”).

Will not allow motion to exceed any limit settings.

Speed or torques could be reduced so motion will not exceed any limit set for SF 5, SF 6, SF 7 or SF 8.

A robot stop will be initiated to prevent exceeding any limit.

Will not allow motion to exceed any limit settings.

Tolerance: 25 N

Affects: TCP

SF8 Momentum Limit
Description What happens? Tolerance Affects

The momentum limit is very useful for limiting transient impacts.

The Momentum Limit affects the entire robot.

Will not allow motion to exceed any limit settings.

Speed or torques could be reduced so motion will not exceed any limit set for SF 5, SF 6, SF 7 or SF 8.

A robot stop will be initiated to prevent exceeding any limit.

Will not allow motion to exceed any limit settings.

Tolerance: 3 kg m/s

Affects: Robot

SF9 Power Limit
Description What happens? Tolerance Affects

This function monitors the mechanical work (sum of joint torques times joint angular speeds) performed by the robot, which also affects the current to the robot arm as well as the robot speed. This safety function dynamically limits the current/torque but maintains the speed.

Dynamic limiting of the current/torque

Tolerance: 10 W

Affects: Robot

New SF15 Stopping Time Limit
Description What happens? Tolerance Affects

Real time monitoring of conditions such that the stopping time limit will not be exceeded. Robot speed is limited to ensure that the stop time limit is not exceeded.

The stopping capability of the robot in the given motion(s) is continuously monitored to prevent motions that would exceed the stopping limit. If the time needed to stop the robot is at risk of exceeding the time limit, the speed of motion is reduced to ensure the limit is not exceeded. A stop will be initiated to prevent exceeding the limit.

Will not allow the actual stopping time to exceed the limit setting.

Causes decrease in speed or a robot stop so as NOT to exceed the limit.

Tolerance: 50 ms

Affects: Robot

New SF16 Stopping Distance Limit
Description What happens? Tolerance Affects

Real time monitoring of conditions such that the stopping distance limit will not be exceeded. Robot speed is limited to ensure that the stop distance limit will not be exceeded.

The stopping capability of the robot in the given motion(s) is continuously monitored to prevent motions that would exceed the stopping limit. If the time needed to stop the robot is at risk of exceeding the time limit, the speed of motion is reduced to ensure the limit is not exceeded. A stop will be initiated to prevent exceeding the limit.

Will not allow the actual stopping time to exceed the limit setting.

Causes decrease in speed or a robot stop so as NOT to exceed the limit.

Tolerance: 40 mm

Affects: Robot

New SF17 Safe Home Position “monitored position”
Description What happens? Tolerance Affects

Safety function which monitors a safety rated output, such that it ensures that the output can only be activated when the robot is in the configured and monitored “safe home position”.

A stop cat 0 is initiated if the output is activated when the robot is not in the configured position.

The “safe home output” can only be activated when the robot is in the configured “safe home position”.

Tolerance: 1.7°

Affects: External connection to logic &/or equipment

SF10 UR Robot <Estop> Output
Description What Happens Affects

When configured for a Robot <Estop> output and there is a robot stop, the dual outputs are LOW. If there is no Robot <Estop> Stop initiated, dual outputs are high. Pulses are not used but they are tolerated. For an integrated safety function, see below.

These dual outputs change state for any external Estop that is connected to configurable safety inputs where this input is configured as an Emergency Stop input.

For the Estop Output, validation is performed at the external equipment, as the UR output is an input to this external Estop safety function for external equipment.

NOTE: With the IMMI (Injection Moulding Machine Interface), the Estop output is NOT connected to the IMMI (no Estop output signal from the UR robot to the IMMI) to prevent an unrecoverable stop.

Dual outputs go low in event of an Estop if configurable outputs are set.

Affects: External connection to logic and/or equipment

SF11 UR Robot Moving: Digital Output
Description What Happens Affects

Whenever the robot is moving (motion underway), the dual digital outputs are LOW. Outputs are HIGH when no movement.

Functional safety is for what is within the UR robot. The integrated functional safety performance requires adding this PFH to the PFH of any external logic & its components.

If configurable outputs are set:

When the robot is moving (motion underway), dual digital outputs are LOW. When not moving, HIGH.

Affects: External connection to logic &/or equipment

SF12 UR Robot Not stopping OUTPUT: Digital Output
Description Affects

Whenever the robot is STOPPING (in process of stopping or in a stand-still condition) the dual digital outputs are HIGH. When outputs are LOW, robot is NOT in the process of stopping and NOT in a stand-still condition. Functional safety is for what is within the UR robot. For the integrated safety function, see footnote 6.

Affects: External connection to logic and/or equipment

SF13 UR Robot Reduced "Mode": Digital Output
Description Affects

Whenever the robot is in reduced mode (or reduced mode is initiated), the dual digital outputs are LOW.

See below.

The functional safety is for what is within the UR robot. For the integrated safety function, see footnote 6.

Affects: External connection to logic and/or equipment.

SF14 UR Robot Not Reduced "Mode" OUTPUT: Digital Output
Description Affects

Whenever the robot is NOT in reduced mode (or the reduced mode is not initiated), the dual digital outputs are LOW.

The functional safety rating is for what is within the UR robot. For the integrated safety function, see footnote 6.

Affects: External connection to logic and/or equipment.

Table 1 footnotes

1. Communications between the Teach Pendant, controller & within the robot (between joints) are SIL 2 for safety data, per IEC 61784-3.

2. Estop validation: the pendant Estop pushbutton is evaluated within the pendant, then communicated (footnote 1) to the safety controller by SIL2 communications. To validate the pendant Estop functionality, press the Pendant Estop pushbutton and verify that an Estop results. This validates that the Estop is connected within the pendant, the Estop functions as intended, and the pendant is connected to the controller.

3. If a robot safety function is “integrated” or “connected” with external equipment, devices or logic, the resulting integrated safety function has a PFH that is the sum of all PFH values, including the PFH value of the robot safety function.

4. Stop Categories according to IEC 60204-1 (NFPA79). For the Estop, only stop category 0 and 1 are allowed according to IEC 60204-1.

  • Stop Category 0 & 1 result in the removal of drive power, with stop cat 0 being IMMEDIATE & stop cat 1 being a controlled stop (e.g. decelerate to a stop then removal of drive power).

  • Stop Category 2 is a stop where drive power is NOT removed. Stop category 2 is defined in IEC 60204-1. Descriptions of STO, SS1 & SS2 are in IEC 61800-5-2. With UR robots, a stop category 2 maintains the trajectory, then retains power to the drives after stopping.

5. Stop Time & Stop Distance Safety Functions should be used. When used, there is no need for periodic verification of stopping performance.

6. For the integrated functional safety rating with an external safety-related control system, add the PFH of this safety-related output to the PFH of the external safety-related control system.