Dynamic safety system for collaboration of operators and industrial robots

Abstract
There is an increasing need for a safety system that allows safe collaboration of operators and industrial robots. Industrial robots are powerful, and therefore dangerous impacts and crashes need to be prevented by keeping a safe distance between the moving robot and the operator. A safe distance can be achieved by monitoring the position and speed of the robot and the position of the operator. Separation distance, speeds and performance of the control system, sensors and actuators are regulated by standards, which must be followed. VTT has developed a dynamic safety system, which monitors the speed and separation between persons and the robot in order to keep the stopping distance of the robot small enough to avoid impacts. The dynamic safety system enables safe continuous working beside the robot and automated restarting after a safety-rated monitored stop. An assistance system is applied to switch safety modes of the robot according to separation distance. Configuring and validating the safety system are safety-critical and time-consuming phases of design. Therefore, a configuration tool is required to get a coherent configuration, which supports the validation process.


Introduction
Collaboration between operators and robots is needed in semi-automated systems, which aim to utilize the best features of both humans and robots. There are small robots (cobots) for collaborating with human beings, but their tasks can sometimes be too limited for industrial work. More power is required when heavy objects are handled or heavy tools are required for the work. Industrial robots are powerful and capable of many kinds of heavy industrial work, but because of their power, risks like impact and crushing are present.
The traditional approach in industrial robot safety systems is to isolate humans from industrial robots by applying fences, optical sensors and interlocking devices (at gates). Opening the gate causes a protective stop, which requires a restart from outside the robot work area. This can be a safe procedure for all robots. For collaborative mode robots, there are more means to maintain safety (see Figure 1). The idea is that a person can work close to the robot, which may be moving if it is safe. However, one of the most common collaborative actions is the safety-rated monitored stop, which enables quick start-up. This paper is related to traditional industrial robots, which by applying additional safety means can have a collaborative mode. Collaborative mode here is either safe separation distance or safety-rated monitored stop. The dynamic safety system is presented in this text, and it dynamically applies both safety and non-safety devices to provide adaptive safety for industrial robots. The response of the devices depends on the situation and is not always the same. This means increased complexity, which is challenging from the safety point of view. The idea of the presented dynamic industrial robot safety system is that the robot stops before it can hit a person. The new technologies enable flexible fenceless safety systems and dynamic safety regions alongside a host of other attractive features for human-robot co-operation.
One challenge related to modern industrial robots is that it takes a long time and distance to stop a robot. Thirty years ago a typical maximum speed for a robot was 3 m/s and the stopping distance was 40 cm for emergency stop and 90 cm for servo stop, which keeps the servo power on [1]. Currently the typical maximum speed for a robot is 5 m/s, capacity and outreach are also higher, and the stopping distance (servo stop) can then be 2 m. If we consider the complete work area of the robot, then a 2 meter separation distance in all directions is almost half of the practical working area of the robot. It may hinder many kinds of collaboration. A reasonable solution to reduce separation distance is to reduce speed. For example, the ABB IRB 4600, with a 21.8 kg load and a speed (TCP) of 2500 mm/s, has a stopping distance (servo stop) of 65 cm, which is more convenient than 2 m. As the speed slows down, the stopping distance drops dramatically. Emergency stop (and protective stop) is quicker than servo stop, since it initiates quick braking and cuts servo power. However, it does not provide quick start-up, which is required in human-robot collaboration. Servo stop, or actually safety-rated monitored stop, can also provide controlled braking without high deceleration, which could drop objects from the robot tool. Therefore, emergency stop is reserved only for emergency and failure situations.
One feature of separation distance monitoring is that human and robot positions are measured separately and the data needs to be combined in a separate safety system. Another factor that makes the design of separation distance more difficult is that the speed and position monitoring of an industrial robot is typically not safety certified without a separate safety controller. Without a safety controller, the worst case scenario needs to be applied in defining separation distances. The robot program needs to be easily modified without laborious safety validation, and therefore the basic features of the robot are without safety guarantee. The safety features can be bought optionally, like SafeMove (safety controller), but even then, it does not predict or conclude the next moves from the program; it measures position and speed and compares the values to the predefined safety limits. In practice, this means that the limits can be exceeded, but the violation of the limits causes a protective stop. This text describes how the safety controller and the robot controller can operate together without compromising safety, while at the same time protective stops can be turned into safety-rated monitored stops, which provide easier restart. This paper is organised as follows. Section 2 describes examples of safety systems and features, which have also been applied in the dynamic safety system. Section 3 tells about requirements and modes of collaborative robots. Section 4 describes the principles and structure of the dynamic safety system for industrial collaborative robots. Section 5 depicts the need for a configuration tool and some properties of the tool. Section 5 describes pros and cons of the dynamic safety system and some ideas about the future.

Background related to protective systems of industrial robots
Cui, Zhang and Rosen [2] present in their guidelines the applicable means to build safety systems, and the systems are in line with standard ISO 10218-2. They present the following safeguards: mechanical limiting devices, non-mechanical limiting devices, presence-sensing safeguarding devices, fixed barriers and interlocked barrier guards. They also show four examples of how to use a safety controller (SafeMove by ABB) in safety systems. In all of the cases, each safety device always causes a similar safety function, which is relevant for the operation mode. Safety standards, like ISO 10218-2, also present applications with safety devices and warning means. This is state-of-the-art safeguarding for industrial robots. A safety controller can also provide some collaborative features for the robot system [2] but, typically, actual small collaborative robots apply monitored force and power control. Halme et al. present in their review [3] several (15 cases) collision avoidance systems, which apply vision-based technology. There are both pre- and post-collision control methods, but in the text, the focus is on pre-collision control methods. The described systems are based on sensor fusion, triple stereovision, stereo cameras, RGB-D cameras (image with depth image), TOF cameras (time of flight), three dimensional models and simulated robot trajectory prediction. The text also tells that the systems have not been widely adopted and standardized. The certified (type examined) safety device SafetyEye by Pilz is mentioned [3]. Sensor fusion has been under discussion for a long time, and technical specification IEC TS 62998-1 "Safety of machinery - Electro-sensitive protective equipment - Safety-related sensors used for protection of person" presents some ideas of sensor fusion, but an uncertified multitude of sensors would be accepted only for relatively low risk applications. The specification will be published soon.
Michalos et al. [4] describe how SafetyEye is applied in a safety system, which provides protective stop and a safety speed/warning zone. The safety speed is 250 mm/s and it is applied together with a warning to prevent a person from initiating a protective stop accidentally. In their three case studies, safety-rated monitored stop, soft axis and reduced speed (in all cases), enabling device and force control have been applied, among others. Also Tsarouchi et al. [5] depict a safety system, which applies SafetyEye, protective stop and warnings. Here collaborative mode is selected with a manual switch that enables a person to go closer to the robot. In all of these cases safety components, like SafetyEye and robot safety functions/safety controller, have been mentioned. These devices can provide adequate safety for the suitable cases.
Bdiwi et al. [6] show a safety strategy, which takes into account human robot interaction (HRI). Depending on the interaction level a different safety strategy is applied, but safety-rated monitored stop is mentioned in all levels. In addition, static and dynamic modes are mentioned in all interaction levels. Cameras and safety devices are mentioned, but they are related more to HRI than safety. The paper points out that HRI is an important factor in defining the safety of a collaborative robot cell and that human intention can be revealed with many kinds of devices.
VTT developed an adaptive industrial robot safety system as early as 1986. At that time there were no EN robot or functional safety standards. The system is based on separation distance and it applies limit switches for robot position detection and tactile mats for human detection. The control utilizes a PLC, relays and the robot controller. Stopping is monitored with sensors, and robot modes (stop, protective stop, safety speed or automated mode) are controlled and supervised by the PLC. Safety speed mode can be set with a pushbutton before entering the robot work area. The safety system is duplicated (PLC and relays) and would probably fulfil Cat 3 requirements according to ISO 13849-1. The robot controller (there is no safety controller) does not fulfil current safety requirements, and therefore the speed limit could be a safety issue. Some additional means would be needed to fulfil current safety requirements [1,7].
Risto Kuivanen presented in his doctoral thesis (1995) a robot cell example, which is designed by applying three different safety systems and layouts: basic level design, advanced safety level design and production-adapted safety level design. The basic level design describes a safety system that stops the robot system when a person enters the work area of the running robot by opening a gate. The advanced safety level design describes a safety system that is divided into several monitored areas; it has limit switches for robot position detection and an enabling device for entering the robot work area. The production-adapted safety level design applies, in addition, reduced speed (250 mm/s) and more versatile use of the monitored areas. The last approach allows a person to go relatively close to the robot when the enabling device is applied. At that time, collaborative robot modes or robot safety controllers were not yet presented and, for collaboration, only human robot separation with gates and light curtains, fixed reduced speed and enabling devices were applied. However, the example showed how to realise human robot separation in a production friendly way [8].
Oskar Henriksson [9] describes in his master thesis how stopping distance is crucial when trying to avoid exceeding virtual fences defined in the safety controller, SafeMove. A protective stop is initiated when a speed limit or virtual fence is exceeded, but the robot stops according to its stopping distance. Henriksson has developed an algorithm, which helps the designer to define actual speed limits in the programmed trajectory in order to avoid exceeding the virtual fence. One observation is that the safety controller program is more laborious to validate than the robot controller program, since for each robot trajectory there are many wrong trajectories or directions to validate. On the other hand, the robot perimeter or limits do not change as often as the robot controller program [9]. The stopping distance is also taken into account in the dynamic safety system by optimizing speed limit and separation distance. The optimization does not need to be very accurate, since reducing speed also reduces stopping distance dramatically. However, better accuracy would allow a person to enter a little bit closer to the robot.
The conclusion of this section is that traditional static industrial robot safety systems, with fences, are the most common solution, but these examples provide different kinds of solutions taking into account human robot collaboration. Safety devices like SafetyEye and laser scanners can provide safety area division into smaller areas and furthermore a dynamic safety system [4,5]. The division into safety areas can also be done with safety light curtains or mats, but then a specific safety system is required to track persons and the robot [1,7]. It is recognized in some cases that all industrial robots provide a safe protective stop, but currently (usually) an additional safety controller [9] is needed to provide safety-rated monitored stop, speed limits and monitored areas. The actual collaborative robots provide more safety functions than the industrial robots. It is practical/productive to predict human intentions to provide smooth system performance without unnecessary protective stops [9]. A human can indicate his intention e.g. with a switch (mode selection), gesture, face orientation or walking position/direction. The mode selection switch is a safety device, but the others usually require an additional safety argument.

Collaborative robot requirements and modes
International safety requirements for industrial robots were published as early as 1992 (EN 775), which means that there is already a long tradition of safety requirements for robots. The basic rule is that the operator stays outside of the safeguarded area during automatic run, but during teaching, the operator may be beside a slow moving robot. The old standard does not mention collaboration of humans and robots; the idea is to keep them separate. The current robot safety standards (ISO 10218-1:2011 and ISO 10218-2:2011) define collaboration modes of humans and robots [10,11]. The collaboration is defined more specifically in the first edition of "ISO/TS 15066 Robots and robotic devices - Collaborative robots" [12]. It was published in February 2016. The technical specification defines requirements, especially, for lightweight collaborative robots. The approach of this text is related to speed and separation monitoring, which is defined in ISO 10218-2. By following harmonized standards, a robot designer can assume that the relevant requirements of the Machinery Directive are also fulfilled. The ISO 10218-1 [10] and ISO 10218-2 [11] standards are harmonized standards (actually the EN version of the standard), and they are the basis for robot safety systems. Collaborative robots are described in more detail in ISO/TS 15066 [12], but it is not a harmonized standard. Other essential standards related to robot safety system are: In addition, other standards have been applied, but they are more related to robot application or devices of the safety system.
According to ISO 10218-1 section 5.4.2: "Safety related parts of control systems shall be designed so that they comply with PL=d with structure category 3 as described in ISO 13849-1:2006 or so that they comply with SIL 2 with a hardware fault tolerance of 1 with a proof test interval of not less than 20 years, as described in IEC 62061:2005". Furthermore, the PL and Cat are described in ISO 13849-1 as follows [13]: Performance level (PL): "discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions". Category (Cat): "classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability". Category 3 means (simplified description) that a single fault does not lead to the loss of the safety function. PL d describes that the average probability of dangerous failure per hour ($PFH_D$) is below $10^{-6}$/hour. The value is calculated by using the factors $MTTF_D$ (mean time to dangerous failure), DC (diagnostic coverage) and architecture (correspondence to category). Furthermore, there are a lot of qualitative requirements related to e.g. software and systematic failures. According to Machinery Directive (2006/42/EC) Annex IV paragraph 19, "Protective devices designed to detect the presence of persons" must be EC type examined or two of the other described procedures must be applied. In this text safety components refer to these PL d, Cat 3, EC type examined devices (detectors).
A collaborative robot is defined in standard ISO 10218-2 as follows: Robot designed for direct interaction with a human within a defined collaborative workspace i.e. workspace within the safeguarded space where the robot and a human can perform tasks simultaneously during production operation [11]. Basically, the idea is that the robot does not hurt a person, and the means to protect a person are controlled force and speed, separation monitoring, hand-guiding and safety-rated monitored stop. Figure 1 shows the means that can be applied in manual or collaborative operation. Black lines represent manual operations and blue lines collaborative mode. The thick blue lines represent the collaborative modes: hand guiding, safety-rated monitored stop, control of speed and separation and limiting (control) of power and force [10]. The rounded rectangle represents the target of the dynamic safety system. In emergency stop, servo power is cut off, whereas in collaborative modes the servo power is on. This means that restarting is easier and it can be automated if the risk assessment allows it. Collaborative modes cannot be realised with any robot with a simple safety system; they require a specific robot and/or a safety system for separation and robot control. Typically, in automated mode a protective stop is applied when a person enters the robot workspace. This means that servo power is off and the restart is made outside of the robot workspace.
The standard specification ISO/TS 15066 allows an impact of a robot against a human being, if the force and pressure are limited. The standard defines the maximum forces and pressures (biomechanical limits) that may occur in collaborative mode. For example, the maximum force against the face is 65 N (pressure 110 N/cm²; actually impact against the face is not allowed) and against the kneecap 220 N [12]. The maximum forces against other body parts are between those two values. This means that the risk assessor must estimate which parts of the human body can be exposed to the force. The specification gives both maximum force and pressure limits, and neither limit may be exceeded. The pressure value is easily exceeded when the part touching a person is sharp or small. It is difficult to say exactly which force would be harmful to a person, and therefore the values presented in the standard specification may change in the future. It is interesting that it is now allowed for a robot to hit a person under specific conditions. This causes ethical issues and the problem of how to measure and define acceptable pain.
The presented limit force values can very seldom be applied to industrial robots, because they are so heavy and insensitive to contacts. In our case, i.e. the dynamic safety system, control of speed and separation is applied to ensure safety. The idea is that the robot may be moving towards a person, who is moving at walking speed (1.6 m/s) towards the robot [14]. The robot must be able to stop before a collision. The robot speed is reduced in order to have an acceptable stopping distance. There are delays, braking takes time and a human hand may be reaching forward, which all need to be considered.
Aaltonen et al. present four levels of collaboration [15]. Here are presented the levels and comments how separation and speed control, like the dynamic safety system can be related to the level.
- There is no need for dynamic safety system, since simpler safety system is adequate.
- Coexistence: human works in (partially or completely) shared space with the robot with no shared goals.
  - Dynamic safety system can be applied in this kind of systems, if the worker needs to be relatively close to the robot.
- Cooperation: human and robot work towards a shared goal in (partially or completely) shared space.
  - Human often needs to be close to the robot and dynamic safety system is targeted to this kind of cooperation.
- Collaboration: human and robot work simultaneously on a shared object in shared space (physical contact is allowed, possibility for hand-guiding).
  - Human needs to be so close to the robot that the dynamic safety system is applicable to some cases or as a partial solution, but not all. More suitable measures for the intensive collaboration can be force and power control or hand-guiding.

Dynamic safety system
The aim has been to generate solutions that are built according to the current safety regulations. The target is bigger and traditional industrial robots. The aim has also been to enable well-functioning work processes. One of the key principles is to avoid unnecessary emergency and protective stops after human detection and to make the system restart easier. Several features of the suggested conceptual solutions have been demonstrated. Core demonstration has been an advanced safety arrangement to enable collaboration between human and a large industrial robot in shared workspace, where a human and a robot are working in the same system as described in Figure 2.

Figure 2: Devices used at the dynamic safety system [17].
The system detects human motions with two separate systems. The primary system is based on non-safety parts (two Microsoft Kinects, PC and robot controller) and the secondary system is based on safety components (two laser scanners and the robot safety controller: SafeMove). The Microsoft Kinects are placed so that they cover the needed approach area in front of the robot, and they are used to detect the worker's distance to the danger zone of the robot. The X- and Y-coordinates of the worker location are transferred to the master computer, and the predicted position of the worker is calculated based on the speed and direction of the worker. The speed of the robot is reduced according to the predicted position of the worker. The speed can be altered according to the worker's distance to the TCP (Tool Center Point). Respectively, robot speed is increased according to the separation distance. The corresponding safety area for human detection, ToolSafeZone (the robot allowed zone) and robot safe speed limit are defined, and the safety controller checks that the selections match each other. The speed and separation distance command itself is duplicated, but it comes from the unsafe PC and is not a safety feature here. The safe separation distance is calculated by applying the safe robot speed limit (not actual speed) and the separation distance from the border of the robot allowed area (not actual robot position) to the border of the safety area for human detection (not actual human position). In practice, the separation distance from human to robot calculated by the PC must be a little bit bigger than the distance calculated by the safety system, in order to avoid futile protective stops (see Figure 4). The secondary system, which applies only safety components, initiates a protective stop only if the primary system fails or operates too slowly. Figure 2 shows the applied configuration of the dynamic safety system. The applied safety controller (SafeMove) is a part of the safety system.
It monitors that the set speed limit is not exceeded and that the robot stays in the allowed work area (ToolSafeZone). The robot safety controller does not control the position and speed of the robot according to the robot program, but according to predefined limits. Therefore, safety does not depend on the program of the robot, but on the defined limits of the safety controller. In addition, the robot controller monitors the program performance and it can also stop the robot in case of a failure. The safety controller is separate from the robot controller and it cannot predict the next movements of the robot. The robot can exceed the limits, but this immediately causes a protective stop. The exceeding of any limit is counted in the safety distance [16].
Some variations in configuration were tested to see how modifications can be applied and how different sensors operate. The tested sensors were a laser scanner instead of Kinect and Pilz SafetyEye instead of a laser scanner, an experimental radar and an additional Safety PLC. The safety controller could also allow switching between different allowed work areas of the robot. This enables a change to the robot workflow, if a person is working in the area of the next task. The robot work program needs to have specific branching points if the feature is needed. These modifications were not thoroughly validated, but they were proof of concept for different configurations, sensors and devices.
One feature is that the detection of the worker is shown via an informative graphical display (Figure 5). The figure shows the detected person, the safety zone and the robot allowed zone. The laser scanners can be seen beside the robot.
The safety philosophy of the dynamic safety system is that two (or more) safety cases are determined so that their safety levels are similar to each other. The two opposite cases are large safety area and high speed, or small safety area and slow speed. The non-safe device (Kinect) is applied only to choose the relevant safety case. If the safety case is wrong, then either 1) Kinect fails to detect a person and the robot is stopped by the safety device (too large safety area), or 2) Kinect detects a person continuously because of a failure, and only slow speed is applied. In both cases, the robot is functioning safely, but production is not practical and the failure can be revealed. The benefit is that when a person enters the robot working area, the robot is moving at the slow safety speed and the person can go safely near the robot according to the pre-calculated safety distance. The safety distance depends (among others) on the speed of the robot. The robot is stopped (safety-rated monitored stop) if the distance between human and robot is close to the distance needed for stopping the robot before impact. If a person rushes into the area so that the stopping distance becomes equal to the distance between the human and the robot, a protective stop will be triggered. A protective stop is also initiated if there is an area behind the detection zone (e.g. on a table) where a person could hide without detection. These cases should be avoided, since a protective stop requires acknowledgement outside of the robot workspace. The safety controller is needed to verify the robot speed, TCP position (allowed area) and stopping performance. The primary safety device is needed to stop the robot according to the pre-defined safety distances. This safety philosophy makes it possible to work beside a robot safely without stopping the robot. Figure 3 describes the function when a person is approaching the robot.
When a person is detected, the separation distance to the robot is evaluated and the stop area and speed are controlled accordingly. If the distance from a person to the robot becomes shorter (or almost) than the stopping distance, then the robot speed and stop area are reduced to allow a person to work closer to the robot. Safety-rated monitored stop can also be applied, since it allows a person to work beside the robot without a protective stop. If a person is walking away, then speed and stop area can be increased accordingly. This is made without the actual safety system. If the safety limits, for speed or separation, are exceeded, then the protective stop is initiated. This can happen, for example, if a person enters the robot area so quickly that the speed and stop area have not yet been reduced to match the safety distance of the safety system. Figure 4 shows the relation between speed and stop area. It also shows the difference between the robot-to-person distance and the safety distance. The safety distance here is measured from the stop area (light scanners) to the robot allowed area (ToolSafeZone; blue rounded rectangle in the figure). The distance from a robot to a person is measured with devices which are not safety-related, and therefore the value is not trusted, whereas the safety distance depends on the safety controller (speed limit and ToolSafeZone) and the safety/stop area (laser scanner), which are associated with safety components. The real separation distance is here larger than the safety distance, in order to guarantee that the robot can stop before impact. The safety distance is defined according to standards (e.g. ISO 13855).
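The two-channel logic described above, as an added example that is not code from the system presented in the paper: an untrusted primary channel picks one of a few pre-defined safety cases, and the safety channel only checks the limits of whichever case is selected. The stopping times, reaction time, reach allowance, PC margin, the simplified separation formula and all names are constructed assumptions; only the 1.6 m/s walking speed and the 0.65 m stop at 2500 mm/s come from the text.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HUMAN_SPEED = 1.6       # m/s, walking speed quoted in the text
REACTION_TIME = 0.1     # s, assumed sensor + controller delay (constructed)
REACH_ALLOWANCE = 0.85  # m, assumed allowance for a hand reaching forward (constructed)
PC_MARGIN = 0.3         # m, assumed: the PC must react before the safety channel does


@dataclass(frozen=True)
class SafetyCase:
    name: str
    speed_limit: float    # m/s, supervised by the safety controller
    stop_distance: float  # m, stopping distance at the speed limit
    stop_time: float      # s, stopping time at the speed limit (constructed)


# Ordered from "large safety area, high speed" to "small safety area, slow speed".
CASES = [
    SafetyCase("fast", 2.5, 0.65, 0.50),    # 0.65 m at 2500 mm/s is from the text
    SafetyCase("medium", 1.0, 0.20, 0.25),  # constructed
    SafetyCase("slow", 0.25, 0.03, 0.10),   # constructed
]
MONITORED_STOP = SafetyCase("monitored_stop", 0.0, 0.0, 0.0)


def safety_distance(case: SafetyCase) -> float:
    """Distance from the robot allowed area border to the stop area border."""
    if case.speed_limit == 0.0:
        return 0.0  # standstill is supervised, a person may work beside the robot
    human_travel = HUMAN_SPEED * (REACTION_TIME + case.stop_time)
    return human_travel + case.stop_distance + REACH_ALLOWANCE


def primary_select(kinect_distance: Optional[float],
                   approach_speed: float = 0.0,
                   lookahead: float = 0.5) -> SafetyCase:
    """Non-safety channel: choose the fastest case that fits the predicted distance."""
    if kinect_distance is None:  # nobody seen, so run at full speed
        return CASES[0]
    predicted = kinect_distance - approach_speed * lookahead
    for case in CASES:
        if predicted >= safety_distance(case) + PC_MARGIN:
            return case
    return MONITORED_STOP


def safety_channel(case: SafetyCase,
                   scanner_distance: Optional[float],
                   robot_speed: float) -> str:
    """Safety channel: check the selected case's limits, never the PC's data."""
    if robot_speed > case.speed_limit:
        return "protective_stop"
    if scanner_distance is not None and scanner_distance < safety_distance(case):
        return "protective_stop"
    return "ok"


def step(true_distance: Optional[float],
         kinect_distance: Optional[float],
         approach_speed: float = 0.0) -> Tuple[str, str]:
    """One control cycle; the laser scanner sees the true distance (None = nobody)."""
    case = primary_select(kinect_distance, approach_speed)
    return case.name, safety_channel(case, true_distance, case.speed_limit)


if __name__ == "__main__":
    print("far away        ", step(4.0, 4.0))
    print("approaching     ", step(2.0, 2.0))
    print("close           ", step(1.0, 1.0))
    print("Kinect blind    ", step(2.0, None))  # failure 1: scanner trips a stop
    print("Kinect stuck    ", step(None, 1.6))  # failure 2: safe but always slow
```

Both Kinect failure modes end in a safe state: a missed person leaves the large stop area active, and a phantom person only costs production speed.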

Safety configurator
Configuring the dynamic safety system manually is a laborious task, and as there are so many cases to consider, one easily makes mistakes. For each case the robot's maximum speed, maximum workload and allowed work area have to be set. To facilitate this, a database of robot stopping distances at different speeds and workloads has been gathered. A tool based on this database has been created to aid in configuration of the dynamic safety system. In the software tool, the user can place different sensors and robots from the library onto a layout representing the dynamic environment. The scanning areas of the sensors are shown with automatically generated safety areas and possible warnings for areas that should be but are not covered by the safety sensors. The automatic generation of safety areas takes into account the given robot speed and workload, which can be configured as needed. In addition, any obstacles in scan areas are cut off automatically in the generated safety areas. Several different safety configurations according to different parameters can be automatically generated and configured (the parameter can be e.g. speed of the robot or worker locations beside the robot). Allowed robot work areas can also be defined. The configuring tool shows the needed separation distance; thus all created configurations are according to the safety regulations. The tool can import and export safety configurations to some devices. The devices that cannot be accessed by the tool are configured manually by the instructions provided by the software tool. The tool also supports configuration of the MS Kinect cameras of the system described in the previous chapter.
Bolmsjö, Bennaulf and Zhang have noticed in their research that it is difficult to configure a safety system for collaborative robots in flexible production [18]. The complexity of the configuration can be imagined by calculating the possible combinations of the dynamic safety system. For example, the safety system can apply four safety speeds, four robot allowed areas and 16 safety areas for each laser scanner (e.g. 2 pieces). All the combinations need to be configured and there can be thousands of combinations (here 4096). The large number of cases allows a person to walk safely near the robot. If the number of combinations were smaller, then, in some cases, the robot must stop from a longer distance to ensure safety. Actually, this is a trade-off between complexity with laborious configuration and safety distance with the possibility to go near the robot. The number of devices is often the same, since the safety sensors must cover the robot work area anyway. The difference is in the work demanded by configuration and testing. One should not underestimate the needed work, and therefore pointless complexity is futile and laborious/expensive. It is difficult to configure a dynamic safety system reliably by hand. Therefore, the safety configurator tool is required, but there is still a lot of testing to ensure that the model in the configuration tool is realised correctly in the real robot system. Nearly all mistakes result in too slow a speed or too long a safety distance, since most of the wires are duplicated and discrepancy causes a protective stop, and many conditions need to be fulfilled before an unsafe situation can occur, i.e. increased speed or reduced stopping area. However, there is a possibility of an undetected dangerous fault in the realisation of the configuration.
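The combination count above and the trade-off it buys, as an added example that is not the configurator tool's code: it enumerates four speeds, four robot allowed areas and 16 fields for each of two scanners, marks each combination coherent only if every scanner field leaves the needed separation, and compares the result with a coarser 4-field set. The one-dimensional geometry, the stopping table, the field spacing and the separation formula are constructed assumptions.

```python
from itertools import product

HUMAN_SPEED = 1.6       # m/s, walking speed quoted in the text
REACTION_TIME = 0.1     # s, assumed (constructed)
REACH_ALLOWANCE = 0.85  # m, assumed (constructed)

# speed limit (m/s) -> (stopping distance m, stopping time s); constructed table
STOPPING = {2.5: (0.65, 0.50), 1.5: (0.35, 0.35), 1.0: (0.20, 0.25), 0.25: (0.03, 0.10)}
# Border of each robot allowed area, measured from the robot base (m); constructed
AREA_REACH = [1.0, 1.5, 2.0, 2.5]
# Inner border of each scanner field, measured from the robot base (m); constructed
FIELDS_16 = [1.5 + 0.25 * i for i in range(16)]  # 1.5 m .. 5.25 m
FIELDS_4 = FIELDS_16[3::4]                       # coarse set: 2.25, 3.25, 4.25, 5.25


def required_separation(speed):
    """Simplified needed distance between allowed area and stop area borders."""
    stop_distance, stop_time = STOPPING[speed]
    return HUMAN_SPEED * (REACTION_TIME + stop_time) + stop_distance + REACH_ALLOWANCE


def enumerate_configs(fields, scanners=2):
    """Yield every (speed, area, scanner fields) combination with a coherence flag."""
    for speed, reach in product(STOPPING, AREA_REACH):
        needed = required_separation(speed)
        for combo in product(fields, repeat=scanners):
            # Coherent only if every scanner's field border is far enough out.
            coherent = all(border - reach >= needed for border in combo)
            yield speed, reach, combo, coherent


def summarize(fields):
    """Return (total, coherent count, tightest usable border per speed/area)."""
    total = coherent_count = 0
    tightest = {}
    for speed, reach, combo, coherent in enumerate_configs(fields):
        total += 1
        if not coherent:
            continue
        coherent_count += 1
        key = (speed, reach)
        outer = max(combo)  # the scanner that keeps the person furthest away
        tightest[key] = min(tightest.get(key, outer), outer)
    return total, coherent_count, tightest


if __name__ == "__main__":
    for label, fields in (("16 fields", FIELDS_16), ("4 fields", FIELDS_4)):
        total, ok, tightest = summarize(fields)
        print(f"{label}: {total} combinations, {ok} coherent, "
              f"closest stop border at 1.0 m/s with the smallest area: "
              f"{tightest[(1.0, 1.0)]} m")
```

With these constructed numbers the finer field set lets a person come 0.5 m closer at 1.0 m/s before the robot must stop, at the cost of sixteen times as many combinations to configure and test.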

Discussion
One problem related to configuration is that collaborative robot cells are modified relatively often, and reconfiguration should not be an exhausting process. Considering new risks and related safety measures each time a system is changed can be a time-consuming process [16]. Currently, the safety devices and the robot safety controller use predefined discrete safety areas and speeds, not a seamless, smoothly changing performance according to the safe distance equation. In the future, it may be possible to configure the safety system just by applying a simple rule for robots to keep the stopping distance adequate all the time. This could reduce many faults related to configuration and also reduce the need for considering new safety measures for new risks.
Currently, the dynamic safety system for robots is too expensive for many possible collaborative industrial robot applications, because the interface between the robot and the safety controller, sensors and safety sensors is complex from the safety point of view. In the future, safety and robot controllers should be unified and the dynamic safety system should be able to support configuration and validation tools.
The advantage of the dynamic safety system is that it can provide safety without fences, production almost without protective stops, and human-robot collaboration in cases where the industrial robot can do the hard or monotonous work and humans can observe, make decisions and do flexible tasks. We do not yet know all the possibilities for human-robot collaboration, since the accepted concept (described in standards) is relatively new and still evolving (e.g. ethical problems related to collisions), and the robots and their accessories also develop continuously. In particular, the development of robot safety controllers could provide new possibilities for robot safety systems. Safety is currently a limiting factor for human-robot collaboration, since designers would like to have immediate responses for safety functions and simultaneously perfect reliability. Unfortunately, novel sensors do not detect all they should, and a human hand can move a long way before the robot brakes achieve a stop.
Apparently, economy is one enabling factor in emerging technologies. A large number of successful applications would decrease the application costs (design, material and safety) and furthermore make the application more attractive.

Conclusions
The dynamic safety system enables the use of industrial robots in collaborative tasks by applying a human-robot separation strategy. Non-safe technology is applied when a person is approaching the robot, and safe technology when the robot needs to be stopped for safety purposes. The dynamic safety system for robots is a versatile and complex system. Since it is versatile, several sensors can be applied in the system, and safety areas, robot allowed speed and positions can be configured according to the system. For simple systems a safety PLC is not always required, but a robot safety controller and safety sensors are, in order to have reliable information about the robot and persons. The dynamic safety system shows that, currently, safety systems for collaborative heavy industrial robots are complex. The complexity can be a safety issue and the validation process is laborious. These factors require more development in the future. Apparently, many strategies will be applied to ensure safe collaboration of robots and human beings.