Functional Safety in Humanoid Joints: Sourcing for ISO 10218:2025 & ISO 25785-1

For the past several years, the humanoid robotics industry has been singularly focused on performance: maximizing torque density, expanding the range of motion, and fine-tuning dynamic walking algorithms. Procurement teams have traditionally evaluated actuator suppliers based entirely on peak torque, weight, and unit cost. However, as humanoid platforms transition from R&D laboratories into real-world industrial environments, factory floors, and logistics centers in 2026, the procurement paradigm has shifted. The primary question is no longer "Can it walk?" but rather, "Is it legally permitted to operate around humans?"

This shift is driven by a major update in international robotics safety standards, primarily the publication of ISO 10218:2025 and the concurrent committee draft ISO/CD 25785-1 for dynamically stable industrial mobile robots with actively controlled stability.

For buyers, procurement teams, and hardware engineers sourcing integrated joint modules, these regulatory changes dictate a fundamental restructuring of the Bill of Materials (BOM). You can no longer purchase a standard brushless motor and a harmonic drive and simply wrap it in software to claim collaborative safety. Functional safety, specifically compliance with ISO 13849-1 Performance Levels (PL), must be baked directly into the actuator's hardware architecture.

This comprehensive guide details the exact hardware requirements you must specify in your Request for Quotations (RFQs) to ensure your humanoid joint modules can achieve system-level safety certification. We will dissect the necessity of dual-encoder architectures, the physics of fail-safe power-off brakes, and the integration of Safe Torque Off (STO) at the motor driver level.

The Regulatory Landscape: ISO 10218:2025 and ISO/CD 25785-1

To understand why your actuator specifications must change, you must understand the regulatory frameworks that are actively redefining "collaborative robotics."

ISO 10218:2025: The Collaborative Application Standard

The recently updated ISO 10218-1 and ISO 10218-2 (2025 editions) have replaced the aging 2011 standards. The most critical change for procurement is the shift from "collaborative robots" to "collaborative applications." An inherently safe robot arm does not exist if it is wielding a scalpel. Therefore, the entire system must undergo a rigorous risk assessment.

For humanoid robots, ISO 10218:2025 mandates stringent limitations on transferred energy during a collision (Speed and Separation Monitoring, Power and Force Limiting). To achieve this, the joints must have hardware-level redundancy to detect position, velocity, and torque anomalies before the software even registers an error.

ISO/CD 25785-1: Actively Controlled Stability

While ISO 10218 covers industrial arms, humanoids present a unique, terrifying hazard: they can fall over. A 70kg bipedal robot losing power is essentially a heavy, uncontrolled pendulum.

ISO/CD 25785-1 is under development for dynamically stable industrial mobile robots, including bipedal, quadrupedal, wheeled balancing, and other robots that require active control to remain stable. Unlike Automated Guided Vehicles (AGVs) that sit firmly on four wheels, a humanoid requires continuous high-frequency torque adjustments just to stand still. The draft scope makes "loss of power equals loss of balance" a procurement issue, not only a controls issue. Joint hardware must support a defined safe state such as controlled descent, guarded stance holding, or brake-assisted load retention rather than simply going limp.

The EU Machinery Regulation 2023/1230

Operating concurrently with ISO standards, the European Union's Machinery Regulation 2023/1230 applies from 20 January 2027 and replaces the Machinery Directive for covered machinery and related products. Its health and safety requirements increase the burden on OEMs that use software or AI in safety-related functions. For humanoid programs, this makes deterministic, hardware-based safety circuits such as STO, safe brake control, and independent position feedback central to the compliance argument instead of optional premium features.

The Physics of the "Safe State" in Humanoids

In traditional industrial automation, the ultimate safety mechanism is the Emergency Stop (E-Stop). When a human breaches a light curtain, a contactor drops, cutting all three-phase power to the servo motors. This is known as a Category 0 Stop (immediate removal of power to the machine actuators).

For a robotic arm bolted to a one-ton steel table, a Category 0 stop is perfectly safe. The arm stops moving, and gravity may cause it to sag slightly against its internal friction.

For a humanoid robot, a Category 0 stop is catastrophic. If you immediately cut power to the leg joints of a dynamically balancing biped, the robot will instantly collapse, potentially crushing a human operator or causing tens of thousands of dollars in damage to its own chassis and the surrounding environment.

Therefore, humanoid robots require Category 1 or Category 2 Stops:

• Category 1 Stop: A controlled stop with power available to the machine actuators to achieve the stop, followed by the removal of power when the stop is achieved. (e.g., The robot lowers itself to a kneeling position, then cuts power).
• Category 2 Stop: A controlled stop with power left available to the machine actuators. (e.g., The robot freezes in its current pose, utilizing motor torque and brakes to hold position).

To execute Category 1 and 2 stops safely, the integrated joint module must possess specific hardware components that cannot be bypassed or simulated by software.

Core Hardware Requirements for Procurement

When drafting an RFQ for humanoid joints intended for commercial deployment, procurement teams must mandate the following three architectural pillars.

1. Dual-Encoder Architecture (Motor-Side and Link-Side)

A single absolute encoder is entirely insufficient for ISO 13849-1 Performance Level d (PLd) or SIL 2 compliance. If a single encoder fails, slips, or sends a corrupted packet, the motor controller will immediately drive the joint to a catastrophic velocity, assuming it is trying to correct a massive position error.

Safety-rated humanoid joints require a Dual-Encoder Architecture:

1. Motor-Side Encoder (High Speed): Mounted before the harmonic or cycloidal reducer. It tracks the high-speed rotation of the rotor for field-oriented control (FOC) commutation.
2. Link-Side / Output-Side Encoder (High Resolution Absolute): Mounted after the reducer. It tracks the actual, physical position of the robot's limb.

Why Procurement Must Care: By comparing the expected output position (Motor Position / Gear Ratio) against the actual output position (Link Encoder), the safety hardware can instantly detect catastrophic mechanical failures, such as a sheared output shaft, stripped reducer gear teeth, or a loose coupling. If a discrepancy is detected, the drive immediately triggers a hardware fault. You must specify that both encoders support deterministic safety protocols (e.g., Safety over EtherCAT - FSoE, or BiSS Safety).

2. Fail-Safe Power-Off Holding Brakes

Because humanoids cannot safely endure a Category 0 stop without collapsing, the joints—particularly in the hips, knees, and ankles—must be equipped with fail-safe holding brakes.

A "fail-safe" brake operates on an inverted principle: it requires active electrical power to release. When power is lost, or when an E-stop drops the 48V bus, powerful mechanical springs immediately clamp the brake pads against the rotor, locking the joint in place.

Procurement Warning: Do not confuse holding brakes with dynamic brakes. Most compact electromagnetic brakes sourced for humanoid joints are designed solely to hold a static load once the robot has already stopped moving. If the robot is falling at 3 meters per second and the brake engages, the kinetic energy will vaporize the friction material or shatter the harmonic drive. Your RFQ must demand the brake's Dynamic Emergency Stop Energy Rating (Joules) to ensure it can survive a specified number of emergency dynamic braking events before requiring replacement.

3. Safe Torque Off (STO) and Safe Brake Control (SBC)

STO is the foundational hardware safety function. It is a dual-channel, redundant hardware circuit wired directly into the motor driver. When the STO circuit is broken, the driver physically interrupts the pulse-width modulation (PWM) signals to the MOSFETs/IGBTs. The motor is physically prevented from generating torque, regardless of what the main CPU or the software firmware commands.

Safe Brake Control (SBC) works alongside STO. It ensures that the fail-safe brake is safely engaged before or immediately after STO is triggered, preventing the robot from collapsing under its own weight.

Procurement Table: Standard vs. Safety-Rated Joint Specs

When shifting your RFQ from R&D prototyping to commercial scaling, the line items change drastically. Use this structural breakdown to evaluate whether your current supplier can support your compliance roadmap.

The Hidden Costs: Statistical Reliability Data (B10d / MTTFd)

Perhaps the most overlooked aspect of functional safety procurement is data dependency. To certify a humanoid robot under ISO 13849-1, the OEM's safety engineers must calculate the overall Performance Level (PL) of the entire safety function.

This mathematical calculation requires statistical failure data for every component in the critical path. Specifically, you need:

• MTTFd (Mean Time to Dangerous Failure): For electronic components like the motor driver and encoders.
• B10d Data: The number of cycles until 10% of the mechanical components (like the fail-safe brake) fail dangerously.

If your actuator supplier cannot provide certified MTTFd and B10d data sheets, your safety engineers will be forced to use highly conservative "worst-case" generic values provided by ISO standards. Using generic values often destroys your mathematical model, making it mathematically impossible to achieve the required PLd or PLe ratings, effectively blocking your robot from being sold in Europe or North America.

Procurement Rule: During the supplier audit, demand B10d and MTTFd certificates upfront. If the supplier does not know what these acronyms mean, they are not ready for commercial OEM production.

Sourcing Audit & Engineering Checklist

Before signing a long-term supply agreement for humanoid joints, your cross-functional team (Procurement, Hardware Engineering, Safety Validation) must execute this checklist:

• Dual Encoder Verification: Does the joint utilize both a motor-side and output-side encoder, and does the driver firmware cross-reference them for mechanical slip detection?
• STO Implementation: Is the Safe Torque Off circuit implemented purely in hardware (bypassing the MCU), and is it dual-channel to prevent a single point of failure?
• Brake Dynamic Rating: What is the maximum kinetic energy (in Joules) the power-off brake can absorb during an emergency dynamic stop without permanently damaging the friction pad?
• Data Availability: Can the supplier provide comprehensive MTTFd data for the drive electronics and B10d cycle data for the braking mechanisms?
• Thermal Limits under Braking: Does engaging the fail-safe brake generate internal heat that exacerbates the joint's thermal wall limitations?
• Safety Protocol Support: Does the onboard motor controller support safety-certified fieldbuses like FSoE, or will it require a separate external safety PLC?

Frequently Asked Questions (FAQ)

Q: Do we need fail-safe brakes on every single joint in the humanoid? A: Not necessarily. Safety risk assessments (ISO 12100) often dictate that load-bearing joints responsible for maintaining upright stability against gravity (hips, knees, ankles, waist) absolutely require holding brakes. Upper extremity joints (wrists, neck) may not require brakes if their mass and potential energy do not pose a crushing hazard, allowing you to save weight and cost in those locations.

Q: Can we achieve Power and Force Limiting (PFL) using only motor current sensing? A: Relying solely on current sensing (calculating torque via current draw) is notoriously inaccurate in humanoid joints due to the high, non-linear friction and hysteresis inherent in harmonic and cycloidal reducers. To meet strict PFL collision thresholds under ISO 10218:2025, a physical joint torque sensor (strain gauge) mounted at the output is highly recommended.

Q: Does adding dual encoders and brakes ruin the joint's torque-to-weight ratio? A: It undeniably impacts it. A safety-rated joint will be heavier and axially longer than a "barebones" prototype joint. This is the engineering reality of commercial robotics. OEMs must recalibrate their payload and battery life expectations to account for the added mass of necessary safety hardware.

Q: What is the timeline for ISO/CD 25785-1 enforcement? A: ISO/CD 25785-1 is still in committee draft status as of June 2026, so it is not a ratified procurement requirement yet. However, OEMs are tracking its scope now because a humanoid architecture typically takes 2-3 years to redesign, validate, and certify. Treat the draft as a risk input for actuator architecture, then confirm the final requirement set with your safety assessor before freezing production hardware.

Q: Why can't we just write better software to prevent falls? A: Safety standards like the EU Machinery Regulation explicitly mandate that software (including AI and neural networks) cannot be the sole layer of protection for high-risk hazards. Deterministic hardware redundancy is legally required to catch and mitigate software faults.

Closing the Loop on Compliance and Sourcing

Navigating the transition from agile R&D to strict, heavily regulated industrial production is the most dangerous phase for a humanoid robotics OEM. Sourcing joints that lack fundamental safety architectures will result in catastrophic delays during final product certification.

By demanding dual encoders, power-off brakes, STO integration, and rigorous B10d statistical data, procurement teams transition from merely buying parts to proactively engineering compliance.

At HumanoidJoint.com, our Integrated Humanoid Joint Modules are designed from the ground up for commercial deployment. We integrate high-resolution dual encoders, low-inertia fail-safe brakes, and driver architectures built to support strict safety certifications, complete with transparent reliability data for your engineering team.

If you are upgrading your BOM for ISO 10218:2025 compliance or preparing for ISO/CD 25785-1 actively controlled stability requirements, contact our applications engineering team at [email protected] or via WhatsApp at +86 18857971991 to review our safety integration specifications.

Sources and Regulatory References

The compliance frameworks and hardware prerequisites discussed in this guide are synthesized from standards catalog pages, EU legislation, and drive-safety references available as of June 2026. Standards text is copyrighted and final certification decisions should be made with a qualified machinery safety assessor.

---

For further insights into humanoid scaling, explore our guide on In-House Assembly vs. Pre-Integrated Modules, or review our comprehensive RFQ Checklist.