Safety Functions Table

Description

Universal Robots safety functions and safety I/O are PLd Category 3 (ISO 13849-1), where each safety function has a PFH value less than 1.8E-07.

The PFH values are updated to include greater design flexibility for supply chain resilience.

For safety I/O the resulting safety function including the external device, or equipment, is determined by the overall architecture and the sum of all PFHs, including the UR robot safety function PFH.

If any safety function limit is exceeded or a fault is detected in a safety function or safety-related part of the control system, UR defines the safe state as a stop with removal of drive power (either a stop category 1 or 04 immediate removal of power).

The Safety Functions tables presented in this chapter are simplified. You can find the comprehensive versions of them here: https://www.universal-robots.com/support

SF1

1, 2, 3, 4

Emergency Stop (ISO 13850)

 
Description What happens? Tolerance Affects

Pressing the Estop PB on the pendant1 or the External Estop (if using the Estop Safety Input) results in a Stop Cat 14 with power removed from the robot actuators and the tool I/O. Controller I/O go “low”.

Command1 all joints to stop and upon all joints coming to a monitored standstill state, power is removed.

See Stop Time & Stop Distance Safety Functions5.

ONLY USE FOR EMERGENCY PURPOSES, not to be used for safeguarding because it requires a manual action.

Stop Category 1
(IEC 60204-1)

--

Robot, robot tool I/O, and controller I/O

SF2

3, 5

Safeguard Stop

(Protective Stop according to ISO 10218-1*)

*Prior to 2006, this was called “safety stop” or “safeguard stop”
Description What happens? Tolerance Affects

This safety function is initiated by an external protective device using safety inputs which will initiate a Stop Cat 24. The purpose is to protect people from injury, as compared to protecting the robot, equipment, or products.

The tool I/O are unaffected by the safeguard stop.

If an enabling device is connected, it is possible to configure the safeguard stop to function in automatic mode ONLY.

See the Stop Time and Stop Distance Safety Functions.5.

Stop Category 2

(IEC 60204-1)
SS2 stop

(as described in IEC 61800-5-2)

--

Robot

Safeguard Stop Reset
Description What happens? Tolerance Affects

When configured for Safeguard Reset and the external reset connections transition from low to high, safeguard stop resets. Safety input to initiate a reset of SF2.

Reset Input to SF2

--

Robot

SF3
Joint Position Limit (software-based axis limiting)
Description What happens? Tolerance Affects

Sets upper and lower limits for the allowed joint positions. Stopping time and distance is not a considered as the limit(s) will not be violated. Each joint can have its own limits.

Directly limits the set of allowed joint positions that the joints can move within. It is safety-rated soft axis limiting & space limiting, according to ISO 10218-1:2011, 5.12.3.

Will not allow motion to exceed any limit settings.

Speed could be reduced so motion will not exceed any limit.

A robot stop will be initiated to prevent exceeding any limit.

Joint (each)
SF4
Joint Speed Limit
Description What happens? Tolerance Affects

Sets an upper limit for the joint speed. Each joint can have its own limit. This safety function has the most influence on energy transfer upon contact (clamping or transient).

Directly limits the set of allowed joint speeds which the joints are allowed to perform. It is used to limit fast joint movements, e.g. risks related to singularities.

Will not allow motion to exceed any limit settings.

Speed could be reduced so motion will not exceed any limit.

A robot stop will be initiated to prevent exceeding any limit.

1.15 °/s

Joint (each)

Joint Torque Limit

Exceeding the internal joint torque limit (each joint) results in a Cat 0 Stop4. This safety function is not accessible to the user; it is a factory setting. It is NOT shown as here because there are no user settings.
SF5
Called various names:
Pose Limit
Tool Limit, Orientation Limit, Safety Planes, Safety Boundaries
Description What happens? Tolerance Affects

Monitors the TCP Pose (position and orientation) and will prevent exceeding a safety plane or TCP Pose Limit.

Multiple pose limits are possible (tool flange, elbow, and up to 2 configurable tool offset points with a radius)

Orientation restricted by the deviation from the feature Z direction of the tool flange OR the TCP.

Two parts. (1) is the safety planes for limiting the possible TCP positions. (2) is the TCP orientation limit, which is entered as an allowed direction and a tolerance. This provides TCP and wrist inclusion/ exclusion zones due to the safety planes.

Will not allow motion to exceed any limit settings. Speed or torques could be reduced so motion will not exceed any limit set for SF 5, SF 6, SF 7 or SF 8.

3° 40 mm

TCP

Tool flange

Elbow
SF6
Speed Limit TCP & Elbow
Description What happens? Tolerance Affects

Monitors the TCP and elbow speed to prevent exceeding a speed limit. Equivalent to monitoring the whole arm as the sections between the TCP and elbow cannot move faster than the endpoints of these sections.

A robot stop will be initiated to prevent exceeding any limit.

 

Will not allow motion to exceed any limit settings.

 

50 mm/s

  

TCP

SF7
Force Limit (TCP)
Description What happens? Tolerance Affects

The Force Limit is the force exerted by the robot at the TCP (tool center point) and “elbow”. The safety function continuously calculates the torques allowed for each joint to stay within the defined force limit for both the TCP & the elbow.

The joints control their torque output to stay within the allowed torque range. This means that the forces at the TCP or elbow will stay within the defined force limit.

When a stop is initiated by the Force Limit SF, the robot will stop. The UR standard controller will cause motion to “back-off” to the position before the force limit was exceeded. This “back-off” is not part of the safety function as it is done by the standard controller. The safety controller has a fixed time (part of the response time) allowed before a robot stop is initiated.

A robot stop will be initiated to prevent exceeding any limit.

 

Will not allow motion to exceed any limit settings.

25 N

TCP

wrist clamping torque

Force Limits may be exceeded by the three wrist joints if the "wrist clamping torque" safety function is disabled.
SF8
Momentum Limit
Description What happens? Tolerance Affects

The momentum limit is very useful for limiting transient impacts.

The Momentum Limit affects the entire robot.

A robot stop will be initiated to prevent exceeding any limit.

 

Will not allow motion to exceed any limit settings.

 

3 kg m/s

  

Robot

SF9
Power Limit
Description What happens? Tolerance Affects

This function monitors the mechanical work (sum of joint torques times joint angular speeds) performed by the robot, which also affects the current to the robot arm as well as the robot speed. This safety function dynamically limits the current/torque but maintains the speed.

Dynamic limiting of the current/torque

10 W

Robot

SF10
UR Robot Stop Outputs
Description What Happens

Tolerance

 Affects

When configured for a robot stop output and there is a robot stop, the dual outputs are LOW. If there is no robot stop initiated, dual outputs are high. Pulses are not used but they are tolerated. For an integrated safety function, see footnote.6

These dual outputs change state for any external Estop that is connected to configurable safety inputs where this input is configured as an Emergency Stop input.

For the Stop Output, validation is performed at the external equipment, as the UR output is an input to this external stop safety function for external equipment.

This stop output is not connected to the IMMI (Injection Moulding Machine Interface), to prevent having an unrecoverable stop.

 Dual outputs go low in event of a stop if configurable outputs are set N/A

External connection to logic and/or equipment

SF11
”Moving” Safety Function with Digital Outputs
Description What Happens

Tolerance

 Affects

Whenever the robot is moving (motion underway), the dual digital outputs are LOW. Outputs are HIGH when no movement. Functional safety is for what is within the UR robot. For an integrated safety function, see footnote6.

Dual outputs are low during motion and high when no movement.

 

 N/A

External connection to logic and/or equipment

SF12
”Not stopping” Safety Function with Digital Outputs
Description

What happens?

Tolerance

 Affects

Whenever the robot is STOPPING (in process of stopping or in a stand-still condition) the dual digital outputs are HIGH. When outputs are LOW, robot is NOT in the process or stopping and NOT in a stand-still condition. For an integrated safety function, see footnote6.

 Dual outputs are high when robot is either in the process of stopping or at a stand-still state

N/A

External connection to logic and/or equipment

SF13
”Reduced Active” Safety Function with Digital Outputs
Description What happens?

Tolerance

 Affects

 

When reduced settings are active (or initiated) for safety functions, the dual digital outputs are LOW. The functional safety is for what is within the UR robot. For the integrated safety function, see footnote6.

 

 Dual outputs are low when reduced settings are active

N/A

External connection to logic and/or equipment

SF14
“Reduced Not Active” Safety Function with Digital Outputs
Description

What happens?

Tolerance

 Affects?

Whenever the robot reduced settings for safety functions are NOT active (or not initiated), the digital outputs are LOW.

The functional safety rating is for what is within the UR robot.

For the integrated safety function, see below footnote.6

 Dual outputs are low when reduced settings are NOT active. N/A

External connection to logic and/or equipment.
“Reduced Active” Input SF parameter settings change
Description Affects

Reduced is not a mode. It is a change of settings initiated:

  • internally by a safety plane/ boundary (starts when at 2cm of the plane and reduced settings are achieved within 2cm of the plane) or

  • externally by use of an external input, which will achieve reduced settings within 500ms of the triggering input.

When the external connections are Low, Reduced Mode is initiated. “Reduced Active” means that all reduced limits are ACTIVE.

Reduced is not a safety function. Reduced is a means of parameterization of safety functions.

Reduced is a state change affecting the settings of the following safety functions: joint position, joint speed, TCP pose, TCP speed, TCP force, momentum, power, stopping time, & stopping distance.
Verify and validate all parameter settings for the robot application.

Robot

SF15
Stopping Time Limit
Description What happens? Tolerances Affects

Real time monitoring of conditions such that the stopping time limit will not be exceeded. Robot speed is limited to ensure that the stop time limit is not exceeded. 7

Will not allow the actual stopping to exceed the limit setting.

50 ms

Robot

SF16
Stopping Distance Limit
Description What happens? Tolerances Affects

Real time monitoring of conditions such that the stopping distance limit will not be exceeded. Robot speed is limited to ensure that the stop distance limit will not be exceeded. 7

Causes decrease in speed or a robot stop so as NOT to exceed the limit.

40 mm

Robot

SF17
Safe Home Position "monitored position"
Description What happens? Tolerances Affects

Safety function which monitors a safety-rated output, such that it ensures that the output can only be activated when the robot is in the configured and monitored “safe home position”.

A stop cat 0 is initiated if the output is activated when the robot is not in the configured position.

The “safe home output” is only activated when the robot is in the configured “safe home position”

 1.7 °

External connection to logic and/or equipment

Mode switch INPUT
Description What happens? Affects

When the external connections are Low, Automatic Mode (running) is active.  When High, mode is programming/ teach.

Recommendation: Use with an enabling device, i.e. UR Teach Pendant with an integrated 3-position enabling device.

When in teach/program, initially the TCP speed is limited to 250mm/s. Speed can manually be increased using the TP “speed-slider”, but upon activation of the enabling device, the speed limitation will reset to 250mm/s.

Input to SF2

Robot
SF18
(3-position enabling) Safety Function 8 Inputs
Description What happens?

Tolerance

 Affects

A 3-position enabling device 9 has 3 switch positions: off, on, off (in order of actuation when squeezing).

When released completely, the device is off. When pressed/squeezed to the centre position, it is on. Completely pressing (squeezing) results in an off state.

When the 3P enabling device is “ON”, motion is enabled.

When in Manual Mode and when an external Enabling Device connection is OFF, internally the safety system initiates SF2, which is a Stop Category 2.

Recommendation: Use with a mode switch as a safety input.10

In manual mode, when the SF18 Input is LOW, SF2 is triggered internally

Stop Category 2 (IEC 60204-1) SS2 (IEC 61800-5-2)

N/A

Robot and external connection to SF19 & SF20

SF19

3PE (3-position enabling)

Safety Function8 with Digital Outputs
Description What happens?

Tolerance

 Affects

In Automatic Mode (“running”), SF19’s outputs are HIGH.

In Manual Mode and when any Enabling Device11 is in the OFF state (not in the centre-ON position, meaning the enabling device is released or fully pressed), a SF2 is triggered causing a Stop Category 2 (SS2) and SF19’s outputs are Low. 8

In Manual mode, when Freedrive and the 3PE are used:

  • If Freedrive is activated and

    • ALL 3PE are in the OFF state, SF19’s outputs are HIGH.

    • Any 3PE is in the ON state, SF19’s outputs are LOW.

  • If Freedrive is not activated, and

    • ALL 3PE are in the ON state, SF19’s outputs are HIGH.

    • Any 3PE is in the OFF state, SF19’s outputs are LOW.

In manual mode, when the 3PE is in the Off state, the outputs are LOW and SF2 is triggered internally
Stop Category 2 (IEC 60204-1) SS2 (IEC 61800-5-2)

N/A

External connection to logic and/or equipment

SF20
3PE (3-position enabling) ”NOT state” Safety Function8 with Digital Outputs
Description What happens?

Tolerance

 Affects

In Automatic Mode (“running”), SF20’s outputs are LOW.

In Manual Mode and when any Enabling Device11 is in the OFF state (not in the centre-ON position, meaning the enabling device is released or fully pressed), SF20’s outputs are High.7

In Manual mode, when Freedrive and the 3PE are used:

  • If Freedrive is activated and:

    • ALL 3PE are in the OFF state, SF20’s outputs are LOW.

    • Any 3PE is in the ON state, then SF20’s outputs are HIGH.

  • If Freedrive is not activated, and:

    • ALL 3PE are in the ON state, SF20’s outputs are LOW.

    • Any 3PE is in the OFF state, SF20’s outputs are HIGH.

Note: SF20 is an inverted version of the SF19 where the output state is logically reversed compared to SF19.

In manual mode, when the 3PE is in the Off state, the outputs are HIGH.

N/A

External connection to logic and/or equipment

Table 1 footnotes

1Communications between the Teach Pendant, controller & within the robot are SIL 2 for safety data (per IEC 61784-3).

2Estop validation: The pendant Estop pushbutton is evaluated within the pendant, then communicated1 to the safety controller by SIL2 communications. To validate the pendant Estop functionality, press the Pendant Estop pushbutton and verify that an Estop results. This validates that the Estop is connected within the pendant, the estop functions as intended, and the pendant is connected to the controller.

3If a robot safety function is “integrated” or “connected” with external equipment, devices or logic, the resulting integrated safety function has a PFH that is the sum of all PFH values, including the PFH value of the robot safety function.

4Stop Categories according to IEC 60204-1 (NFPA79). For the Estop, only stop category 0 and 1 are allowed.

  • Stop Category 0 & 1 result in the removal of drive power, with stop cat 0 being IMMEDIATE & stop cat 1 being a controlled stop (e.g. decelerate to a stop then removal of drive power).

  • Stop Category 2 is a stop where drive power is NOT removed. Stop category 2 is defined in IEC 60204-1. Descriptions of STO, SS1 & SS2 are in IEC 61800-5-2. With UR, a stop category 2 maintains the trajectory & retains power to the drives after stopping.

5 Stop Time & Stop Distance Safety Functions should be used. When used, there is no need for periodic verification of stopping performance.

6 If a robot safety function is “integrated” or “connected” with external equipment, devices or logic, the resulting integrated safety function has a PFH that is the sum of all PFH values, including the PFH value of the robot safety function.

7 The stopping capability of the robot in the given motion(s) is continuously monitored to prevent motions that would exceed the stopping limit. If the time needed to stop the robot is at risk of exceeding the time limit, the speed of motion is reduced to ensure the limit is not exceeded. A stop will be initiated to prevent exceeding the limit.

8 For the integrated functional safety rating with an external safety-related control system, add the PFH of this safety-related output to the PFH of the external safety-related control system. The safety function and its triggering of a stop are included in the PFH value for this SF.

9 The enabling device can be on the teach pendant or external connected to the Enabling Function input (SF18).

10 Use of an external mode switch is recommended when using a 3-position enabling device. If an external mode switch is not used and connected to the safety inputs, then the robot mode will be determined by the User Interface. If the User Interface is in

  • “run mode”, the enabling function will not be active.

  • “programming mode”, the enabling function will be active. Password protection for changing the mode can be configured.

11 If any 3PE enabling device is released or fully pressed, the 3-position enabling safety function is OFF (not in the Center ON position).

12 ISO 10218:2025 removed the term “collaborative operation”.

13 Tools attached to the robot's tool flange may still come into contact with the robot's lower arm link