Industrial Automation Meets Functional Safety: How the Cobot Revolution Is Creating New Requirements Engineering Demands

The pitch is straightforward: deploy a cobot, improve throughput, reduce ergonomic injury, and stay competitive with larger manufacturers. Universal Robots, Fanuc CRX, ABB GoFa, and a dozen other vendors have made collaborative robots genuinely accessible to factories that once couldn’t afford or staff traditional industrial automation. Global cobot installations are growing at roughly 20 percent annually, and most of that growth is happening at small and mid-size manufacturers — companies with 50 to 500 employees, lean engineering teams, and no dedicated functional safety staff.

What the pitch leaves out is the compliance reality waiting on the other side of installation.

When a cobot operates in a shared workspace with human workers — which is the entire point — the deploying manufacturer becomes the system integrator in the eyes of IEC 62061 and ISO 13849. That designation carries specific legal and technical obligations: conduct a hazard and risk analysis, define safety functions, verify that those functions achieve the required Performance Level or Safety Integrity Level, and maintain documented evidence of all of it. The cobot vendor certifies the hardware. They do not certify your application.

This gap between what cobot vendors deliver and what end-user manufacturers are obligated to produce is the central problem in industrial cobot deployment right now. It is generating safety incidents, failed audits, and in several documented European cases, regulatory enforcement actions. It is also generating a new category of engineering demand: functional safety requirements management at the application level, in organizations that have never practiced it.

What IEC 62061 and ISO 13849 Actually Require

Both standards address the same problem from slightly different angles. ISO 13849-1 is the machinery standard — it defines a Performance Level (PL) framework, from PLa through PLe, based on probability of dangerous failure per hour. IEC 62061 applies specifically to electrical and electronic safety-related control systems and uses Safety Integrity Level (SIL 1–3) as its metric. For most cobot deployments, both are relevant, and a competent integrator needs to understand how they interact.

What both standards mandate, without exception, is a structured process:

Hazard and Risk Analysis (HARA). Before a single safety requirement is written, the deployer must identify every reasonably foreseeable hazard in the intended operating scenario. This includes not just the obvious risks — pinch points, collision forces, unexpected motion — but contextual factors: the presence of untrained workers, maintenance access modes, partial automation states, and foreseeable misuse. ISO 12100 provides the underlying risk assessment methodology that feeds this step.

Safety Function Definition. Each identified hazard that requires a protective measure must be addressed by a defined safety function. A safety function is not “the robot stops when someone gets too close.” It is a specified function with defined inputs, outputs, response time, safe state, and failure behavior. Safety functions are requirements, and they must be written as such: precise, testable, and traceable.

Performance Level or SIL Determination. Based on the risk assessment — severity of injury, frequency of exposure, possibility of avoidance — each safety function must be assigned a required PL or SIL. This is not an engineering judgment call made informally; the standards provide structured methods (risk graphs, LOPA) for deriving the target level.

Verification and Validation. The implemented safety function must be demonstrated to achieve its required PL or SIL. This means architectural analysis (Category 2, 3, or 4 under ISO 13849), quantitative PFHd calculation, and documented test evidence. Everything must trace from hazard to requirement to implementation to verified evidence.

The documentation burden here is substantial. For a moderately complex cobot cell with four or five defined safety functions, a complete technical file can run to hundreds of pages of structured documentation. For manufacturers deploying cobots as a productivity measure with a two-person engineering team, this is not a natural workflow.

The Vendor Certification Misunderstanding

The most dangerous misconception in this space is that buying a CE-marked, ISO/TS 15066-compliant cobot means you’re covered. It doesn’t, and the confusion is understandable — cobot vendors market their safety certifications prominently because those certifications are genuine and significant.

Universal Robots’ UR series, for example, is certified to PLd/Category 3 for its safety-rated I/O and speed/force limiting functions. That certification means the hardware and firmware, as tested in isolation, meets the specified performance level. It says nothing about your application’s risk profile, your safety function definitions, your control system architecture, or whether your specific deployment achieves PLd for the hazards present in your factory.

The vendor delivers a safety-capable platform. What you do with it — how you configure it, what safeguards you add, how you define and verify the safety functions in your specific cell — is entirely your engineering problem.

ISO/TS 15066, which governs human-robot collaboration specifically, is even more application-specific. It defines force and pressure limits for different body regions during contact, but it requires the integrator to verify that their deployment actually stays within those limits under the full range of operating conditions. That verification requires biomechanical measurement, not vendor data sheets.

For manufacturers accustomed to buying a machine, bolting it to the floor, and putting up a safety fence, this is a paradigm shift. Cobots are sold partly on the promise of not needing the fence — which is true — but that promise transfers more engineering responsibility to the buyer, not less.

Where Small and Mid-Size Manufacturers Are Failing

Working through what’s actually going wrong in the field, several failure patterns repeat across regions and industries.

No formal HARA process. The most common gap is the absence of a structured hazard analysis altogether. Many SME manufacturers conduct an informal walkthrough, identify obvious hazards, add a presence-sensing mat or light curtain, and consider the job done. This is not HARA. It does not identify latent hazards, does not document severity and exposure judgments, and produces no traceability to safety function requirements.

Safety functions defined in prose, not as requirements. Even manufacturers who do conduct risk assessments often capture the results in a Word document narrative rather than structured requirements. A sentence like “the robot will stop when a person enters the cell” is not a safety function specification. It specifies no sensor type, no response time, no safe state, no failure behavior, no PL target, and no verification method. If this document becomes part of the technical file, it provides no actual compliance foundation.

No traceability. IEC 62061 explicitly requires that safety requirements are traceable through design to verification. Most SME manufacturers have no requirements management infrastructure at all — their “traceability” is a shared Excel sheet, if that. When an auditor asks for evidence that Safety Function 3 achieves the required PL through a documented chain from hazard to implementation to test, there is nothing to show.
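As an added example (not from the article or any vendor's tooling), the following Python encodes the ISO 13849-1 risk graph referred to under Performance Level determination and then runs the audit walk described here: a structured safety-function record carrying a PL target, response time, achieved PFHd and linked evidence is checked against a prose-only one. The hazard ids, test report id and PFHd value are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# ISO 13849-1 Annex A risk graph: (severity, frequency/exposure, avoidance) -> PLr.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
# Upper PFHd bound (dangerous failures/hour) per PL band, ISO 13849-1 Table 3;
# a PL is achieved when the calculated PFHd is strictly below its bound.
PFHD_LIMIT = {"a": 1e-4, "b": 1e-5, "c": 3e-6, "d": 1e-6, "e": 1e-7}
PL_ORDER = "abcde"  # ascending stringency
@dataclass
class Hazard:
    hid: str; s: str; f: str; p: str  # S1/S2, F1/F2, P1/P2 judged in the HARA
@dataclass
class SafetyFunction:
    sfid: str; hazard: str                 # hazard id this SF mitigates
    response_ms: Optional[int] = None      # part of a proper SF specification
    pl_target: Optional[str] = None        # PLr carried over from the HARA
    achieved_pfhd: Optional[float] = None  # from the quantitative analysis
    evidence: list = field(default_factory=list)  # linked test report ids
def required_pl(h: Hazard) -> str:
    return RISK_GRAPH[(h.s, h.f, h.p)]
def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Highest PL whose band contains pfhd; None if worse than PL a."""
    return next((pl for pl in reversed(PL_ORDER) if pfhd < PFHD_LIMIT[pl]), None)
def audit(hazards, sfs):
    """Findings an auditor would raise walking the hazard -> SF -> evidence chain."""
    hz, out, rank = {h.hid: h for h in hazards}, [], PL_ORDER.index
    for sf in sfs:
        req = required_pl(hz[sf.hazard])
        if sf.pl_target is None:
            out.append(f"{sf.sfid}: no PL target (risk graph requires PL{req})")
        elif rank(sf.pl_target) < rank(req):
            out.append(f"{sf.sfid}: PL{sf.pl_target} target is below required PL{req}")
        if sf.response_ms is None:
            out.append(f"{sf.sfid}: no response time specified")
        if sf.pl_target and sf.achieved_pfhd is not None:
            got = pl_from_pfhd(sf.achieved_pfhd)
            if got is None or rank(got) < rank(sf.pl_target):
                out.append(f"{sf.sfid}: PFHd {sf.achieved_pfhd:g}/h only reaches PL{got}")
        if not sf.evidence:
            out.append(f"{sf.sfid}: no verification evidence linked")
    return out
# Constructed sample cell (not from the article): a clamping hazard at a fixture and
# light contact during part handover; SF2 is the prose-only "stops when someone is near".
HAZARDS = [Hazard("H1", "S2", "F2", "P1"), Hazard("H2", "S1", "F1", "P2")]
SFS = [SafetyFunction("SF1", "H1", 150, "d", 4.3e-7, ["TR-017"]), SafetyFunction("SF2", "H2")]
```

Running `audit(HAZARDS, SFS)` returns no findings for SF1 and three for SF2 (no PL target, no response time, no evidence), which is exactly the gap an auditor finds when the technical file contains narrative instead of requirements.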

Integration of multiple vendors without system-level analysis. A typical cobot cell might include the robot, a vision system from one vendor, a collaborative gripper from another, a safety PLC from a third, and safety I/O modules from a fourth. Each component has its own certifications. No single vendor is responsible for the integrated system’s performance level. The system integrator — which is often the manufacturer itself — must conduct the system-level analysis. Many don’t.

Modification without re-analysis. Once a cell is deployed and validated, changes to task, payload, speed, or workspace layout can change the risk profile and invalidate existing safety function certifications. Cobot cells get modified routinely as production needs change. The requirement to re-assess and re-verify after significant modifications is frequently ignored.

How Requirements Engineering Needs to Change

The practices that close these gaps are not exotic. They are established systems engineering disciplines — hazard analysis, structured requirements authorship, model-based traceability, verification management — applied to a new context. The challenge is organizational adoption, not technical invention.

The first shift is treating functional safety as a requirements engineering discipline, not a documentation exercise. HARA is requirements elicitation. Safety function definition is requirements authorship. Performance level verification is requirements verification. Framing it this way connects functional safety to practices that engineering teams can learn and execute, rather than treating it as a compliance checkbox handled by a consultant at the end of a project.

The second shift is adopting structured traceability infrastructure. Safety-related requirements cannot live in document silos. The connection from hazard to requirement to architecture decision to verification evidence must be explicit, navigable, and maintainable over the system lifecycle. This is precisely the problem that model-based and graph-linked requirements tools are designed to solve.

The third shift is integrating safety requirements into the broader system requirements baseline. Cobot deployments sit at the intersection of mechanical, electrical, and software engineering. Safety functions span all three domains. Requirements that exist only in a safety-specific silo, disconnected from electrical design documents and software control logic, produce compliance documentation that cannot be maintained and does not reflect actual system behavior.

How Modern Tooling Is Responding

Until recently, the tooling available for functional safety requirements management was either prohibitively expensive for SME manufacturers — IBM DOORS, Polarion, and Jama Connect are capable platforms but carry enterprise price tags and implementation overhead — or inadequate for the task, leaving teams to manage safety requirements in generic office tools.

That gap is narrowing. AI-native platforms designed specifically for hardware and systems engineering teams are now capable of supporting the full functional safety workflow at a cost and complexity level accessible to smaller organizations.

Flow Engineering is one example of this newer approach. Built as a graph-based requirements management platform, it supports explicit traceability linking — connecting hazard nodes to safety function requirements, those requirements to architectural and design elements, and design elements to verification evidence — without requiring the elaborate data modeling and administrative overhead of legacy PLM-integrated systems. For a manufacturer deploying two or three cobot cells and needing to produce a defensible technical file, the ability to construct and navigate that traceability graph without a dedicated tools administrator is material.

The AI-assistance layer matters here as well. Generating HARA documentation from structured inputs, flagging safety requirements that lack PL targets, identifying traceability gaps between requirements and test evidence — these are tasks where AI augmentation can meaningfully compress the timeline for a small engineering team working without dedicated safety staff.

The broader point is that the tool category is maturing to match the problem. Functional safety requirements management for cobot deployments is not a niche need — it’s a growing, legally obligated engineering discipline affecting thousands of manufacturers. Tool vendors who address it with purpose-built workflows will displace the consultant-and-spreadsheet model that currently dominates SME practice.

An Honest Assessment

The cobot industry is not going to slow down because compliance is hard. The productivity and ergonomic benefits are real, and the competitive pressure on SME manufacturers is relentless. What is going to happen — and is already happening in jurisdictions with active market surveillance — is increasing regulatory scrutiny of deployed systems.

The EU Machinery Regulation, which fully replaces the Machinery Directive starting in 2027, strengthens conformity assessment requirements for safety-rated automation and increases obligations for market surveillance authorities. Manufacturers who have deployed cobot cells without adequate functional safety engineering are carrying undocumented liability. The question is when, not whether, that exposure becomes consequential.

For the engineering teams caught in this gap, the path forward is not to become functional safety experts overnight. It is to build the process infrastructure that makes functional safety tractable: structured HARA workflows, safety requirements authorship standards, traceability tooling that connects hazard to evidence, and verification planning that is part of project scope from the beginning.

The standards exist. The methods are well-documented. The tooling is now accessible. What remains is organizational will, and the recognition that the compliance obligation transferred to the deployer the moment the cobot left the vendor’s warehouse.