CE Marking Strategy for Robot Systems
Regulation (EU) 2023/1230
1. Key Changes in Regulation 2023/1230
The EU's new Machinery Regulation (Regulation (EU) 2023/1230)
replaces the existing Machinery Directive (2006/42/EC) and takes effect from 20 January 2027.
It was drawn up to deal with the safety questions raised by newer digital technologies such as artificial intelligence (AI), the Internet of Things (IoT), and robotics. Crucially, it now takes the form of a 'Regulation', so it applies directly and identically in every Member State, closing the gaps in national interpretation that used to produce inconsistent application.
For robot and AI-based systems, the main points that have been tightened relative to the old Directive are these.
- Integration of digital technologies and AI risks: The Regulation now speaks directly to how digital technologies such as AI, machine learning, and autonomous systems affect machinery safety. Notably,
the risk assessment must also cover new risks that emerge from software updates or autonomous behaviour over the machinery's lifecycle (
Recital 12,Recital 32). - Expanded definition of safety component: 'Safety component', once restricted to physical devices, now also covers software that carries out a safety function and is placed on the market on its own.
In practice, the software that runs a robot system's safety logic falls under the Regulation too (
Recital 19,Article 3(3)). - Update to the list of high-risk machinery (Annex I): Safety components whose behaviour fully or partially self-evolves and that rely on machine learning to deliver safety functions now appear
on the list of high-risk machinery (
Annex I, Part A). Systems of this kind have to go through conformity assessment by a Notified Body (NB, No-Bo) (Recital 54). - Introduction of cybersecurity requirements: New Essential Health and Safety Requirements (EHSRs) guard against safety risks created by attacks from malicious third parties. The manufacturer has to
design the machinery's control system so that it stands up to deliberate or accidental external attempts at corruption (
Recital 25,Annex III, 1.1.9,Annex III, 1.2.1). - Introduction of the concept of 'Substantial Modification': When a machine, already on the market, is changed by physical or digital
means in a way the manufacturer never intended, and that change either introduces a new hazard or increases an existing risk, it counts as a 'substantial modification'. The party who made the change then takes on the manufacturer's obligations and must
run a fresh CE marking procedure (
Recital 26,Article 3(16),Article 18). - Allowance for digital documentation: Manufacturers may now supply the instructions for use and the EU Declaration of Conformity (DoC) in digital form. That said, if the user
asks for one at the point of purchase, a paper copy has to be supplied free of charge (
Recital 40,Article 10(7)).
2. CE Marking Procedure for Robots / Collaborative Robots (Cobots)
Before a robot or collaborative robot (cobot) can be placed on the EU market, the manufacturer has to show that the product meets every one of the Essential Health and Safety Requirements (EHSR) set out in Regulation 2023/1230 (Annex III).
The procedure works as follows.
Conformity Assessment Procedures the Manufacturer Must Perform
Which conformity assessment route applies comes down to whether the machinery appears on the list of high-risk machinery (Annex I).
| Machinery Category | Applicable Procedure (Article 25)
|
Description |
|---|---|---|
| High-risk machinery listed in Annex I, Part A (e.g., safety components with self-evolving behaviour) |
Notified Body involvement mandatory • EU type-examination (Module B) + conformity to type based on internal production control (Module C) • conformity based on full quality assurance (Module H) • conformity based on unit verification (Module G) |
The product has to be assessed by a designated Notified Body. In practice this will almost always catch robots that build in newer technologies such as AI-based safety systems. |
| High-risk machinery listed in Annex I, Part B | Manufacturer's choice • internal production control (Module A) - possible only where all relevant harmonised standards have been complied with • where harmonised standards are not complied with, the same Notified Body procedure as Part A applies |
Where the manufacturer has designed and built the product in full compliance with the relevant harmonised standards, it can self-declare conformity. If not, Notified Body certification is needed. |
| General machinery not listed in Annex I | Manufacturer self-assessment • internal production control (Module A) |
The manufacturer can declare conformity and affix the CE mark itself, on the basis of a risk assessment and the technical documentation it draws up. |
List of Items That Must Be Included in the Technical Documentation
The technical documentation has to be ready before the EU Declaration of Conformity is issued, and the manufacturer must keep it on file for at least 10 years, ready to hand over whenever the market surveillance authorities ask for it. Annex IV
sets out the minimum that this documentation has to cover, listed below.
- A full description of the machinery and its intended use
- Risk assessment documentation:
- A list of the applied Essential Health and Safety Requirements
- A description of the protective measures implemented to satisfy each requirement and of the residual risks
- Design and manufacturing drawings/schematics (components, subassemblies, circuits, etc.)
- The descriptions needed to make sense of the drawings and how the machinery operates
- A list of the harmonised standards or other technical specifications applied: where applied only in part, specify the relevant parts
- Design calculations, tests, and inspection reports
- A description of the production procedures that keep the product consistently in conformity
- A copy of the instructions for use
- Where partly completed machinery has been incorporated: the assembly instructions and the EU Declaration of Incorporation (DoI) for that machinery
- A copy of the EU Declaration of Conformity for other products incorporated into the machinery
- The source code or programming logic of safety-related software: where the competent authorities request it on justified grounds
- For autonomous/remotely operated machinery: a description of the general characteristics, data, development, testing, and validation processes of the system
How to Draw Up the EU Declaration of Conformity (DoC)
The EU Declaration of Conformity (DoC) is the legal document in which the manufacturer states, on its own sole responsibility, that the product meets every requirement of the Regulation.
- Structure and content: It must follow the model structure specified in
Annex V, Part A. - Language: It has to be translated into the language or languages required by the Member State where the product is placed on the market.
- Means of provision: It must travel with the product and, rather than a printed sheet, may be supplied digitally through an internet address or a QR code (
Article 10(8)). - Single declaration: When the same product falls under several EU regulations at once (EMC, RED, and so on), a single DoC has to be drawn up that covers all of them together (
Article 21(3)).
Determining Whether a DoI or Notified Body (No-Bo) Certification Is Required, Where Applicable
- EU Declaration of Incorporation (DoI): This is for 'partly completed machinery', as opposed to finished machinery (
Article 3(10)). - Notified Body (No-Bo): Where the machinery falls within the high-risk category listed in
Annex I, bringing in a No-Bo is mandatory.
3. Integration of Peripheral Equipment and CE Marking of the System
An industrial robot rarely works alone. In practice it is paired with peripheral equipment such as grippers, conveyors, and safety fences to form a single 'robot system'. What matters here is the safety of that integrated whole, not of each element on its own, and the burden of demonstrating it falls on whoever integrates the system.
Scope of Legal Responsibility of the 'System Integrator' that Combines the Robot with Peripheral Equipment
Regulation 2023/1230 never uses the term 'System Integrator' as such, yet it pins down the integrator's obligations quite clearly through the provisions below.
- Manufacturer of an 'Assemblies of machinery': When several items of machinery, or partly completed machinery, are arranged and controlled to function together as an integral whole, the Regulation treats the result as a single 'machinery' (
Article 3(1)(d)). - Party performing a 'Substantial Modification': Anyone who carries out a 'substantial modification' that introduces a new hazard or increases an existing risk by altering existing machinery is treated as the 'manufacturer' of that
machinery (
Article 18).
How to Verify and Document the Standards Compliance of Peripheral Equipment
Before the technical documentation for the complete system can be assembled, the integrator has to collect and review the conformity paperwork for every component that goes into it.
| Component Type | Verification / Documentation Method | Considerations for Integration |
|---|---|---|
| CE-marked completed machinery / related product (e.g. safety sensor, standalone conveyor) |
• Obtain the EU Declaration of Conformity (DoC) • Verify the instructions for use |
Such a product already counts as compliant with the Regulation. The integrator's job is to install it correctly per the instructions for use and, during the risk assessment, to check whether new hazards emerge from how it interacts with the rest of the system. The DoC then becomes part of the technical documentation for the final system. |
| Partly Completed Machinery (e.g. the robot arm itself) |
• Obtain the EU Declaration of Incorporation (DoI) • Verify the assembly instructions |
Both the DoI and the assembly instructions go into the final technical documentation (Annex IV, Part A, (j)).
|
| General components without CE mark or DoI (e.g. machine frame, simple gripper) |
• No declaration of conformity is required for the component itself • Obtain technical specification data such as material and strength |
Here the integrator has to judge for itself whether the component undermines safety requirements such as the mechanical strength and stability of the whole system, and to file the supporting evidence in the technical documentation. |
Considerations for Risk Assessment as an 'Integrated Robot System as a Whole'
The integrator's risk assessment cannot stop at adding up the hazards of the individual parts; it has to examine the interactions and the compound hazards that only appear once those parts are combined.
- Interaction risk assessment: The assessment has to cover the hazards that arise from the way the items of machinery interact with one another (
Recital 33). - Safety of the control system: The safety and reliability of the control system as a whole need to be assessed (
Annex III, 1.2.1). - Operating Modes: A system's various operating modes may each call for their own protective measures (
Annex III, 1.2.5).
4. Conclusion: A Practical Checklist
Checklist for Robot/Component Manufacturers
| Step | Task Description | Relevant Provision |
|---|---|---|
| 1. Product Classification | □ Pin down exactly what your product is: 'completed machinery', a 'related product', a 'safety component', or 'partly completed machinery'. | Article 3
|
| 2. Requirement Identification | □ Work through the Essential Health and Safety Requirements (EHSRs) in Annex III and pick out every item that applies to your product. | Article 10(1),
Annex III
|
| 3. Risk Assessment | □ Using those requirements as your starting point, run a risk assessment across the product's full lifecycle and build the resulting risk reduction measures into the design. | Annex III, General Principles
|
| 4. Drawing Up Technical Documentation | □ Compile the technical documentation, covering everything Annex IV calls for: the risk assessment results, drawings, calculations, test results, and instructions for use. | Article 10(2),
Annex IV
|
| 5. Conformity Assessment | □ Check whether the product is covered by Annex I and, where it is (high-risk machinery), bring in a Notified Body (No-Bo) for assessment. | Article 25,
Annex I
|
| 6. Drawing Up the Declaration | □ With every procedure wrapped up, draw up the EU Declaration of Conformity (DoC) for 'completed machinery', or the EU Declaration of Incorporation (DoI) for 'partly completed machinery'. | Article 21 (DoC),
Article 22 (DoI)
|
| 7. Marking and Document Provision | □ Affix the CE mark to the 'completed machinery' and ship the instructions for use and the DoC (or an accessible link to it) alongside the product. | Article 10,
Article 24
|
| 8. Post-Market Management | □ Keep the technical documentation and the declaration on file for at least 10 years, and respond to any requests from the market surveillance authorities. | Article 10(3)
|
Checklist for System Integrators / Users (where a substantial modification is involved)
| Step | Task Description | Relevant Provision |
|---|---|---|
| 1. Determine Scope of Responsibility | □ Work out whether what you are doing amounts to a new 'assembly of machinery' or a 'substantial modification' of existing machinery, and be clear that this makes you a 'manufacturer'. | Article 3(1)(d),
Article 18
|
| 2. Secure Component Documentation | □ For each component you bring into the system (robots, peripherals, and so on), obtain the relevant paperwork from the supplier, such as the DoC, DoI, assembly instructions, and technical specifications. | - |
| 3. Integrated System Risk Assessment | □ Assess the risk of the 'integrated system as a whole' rather than its individual parts. Pay particular attention to new hazards that emerge from the way components interact. | Annex III, General Principles, 1
|
| 4. Drawing Up Technical Documentation for the Overall System | □ Put together fresh technical documentation for the integrated system, and fold the documentation you collected for each individual component (DoC, DoI, etc.) into it. | Article 10(2),
Annex IV
|
| 5. Integrated System Conformity Assessment | □ Take a fresh look at whether the integrated system falls under Annex I and, where it does, have a Notified Body (No-Bo) assess it (for instance, when you pair a robot with an AI vision system). | Article 25,
Annex I
|
| 6. Drawing Up the Final Declaration | □ Issue a new EU Declaration of Conformity (DoC) for the integrated system as a whole. | Article 21
|
| 7. Marking and Document Provision | □ Affix the CE mark to the integrated system and hand the end user both the instructions for use for the system as a whole and the new DoC. | Article 10,
Article 24
|
| 8. Post-Market Management | □ Keep the final system's technical documentation and DoC on file for at least 10 years, and meet all the post-market obligations that fall to a manufacturer. | Article 10(3)
|
5. AI Safety System Certification Considerations (Based on the ISO/IEC TR 5469 Technical Report)
When you need to assess and certify safety-related systems that rely on AI, it pays to work from the ISO/IEC TR 5469 technical report. The items below are the ones worth walking through, one by one, before a Notified Body (No-Bo)
takes a look.
Step 1: Classification of the AI System and Determination of Scope
Certification really begins with pinning down what the AI system actually does and what makes it tick technically. Two axes drive this classification, the AI Usage Level and the AI Technology Class, and together they set both the functional safety standards that come into play and how much verification you will need.
AI Usage Level
AI falls into the following categories depending on how the technology is put to work inside the system.
| Level | Description |
|---|---|
| Level A1 | AI is used for automated decision-making within a safety-related system. |
| Level A2 | AI is used within a safety-related system, but automated decision-making is not possible (e.g., diagnostic functions). |
| Level B1/B2 | AI technology is used as an offline support tool only during the development stage of a safety-related system. |
| Level C | AI is not part of the safety function but may have an indirect effect on the function. |
| Level D | AI is sufficiently separated so that it has no effect on the safety function. |
AI Technology Class
AI is also classified by how fully the technology meets the safety properties that have been identified.
| Class | Description |
|---|---|
| Class I | AI technology that can be fully reviewed using existing functional safety standards (e.g., the IEC 61508 series) |
| Class II | AI technology for which existing standards alone are insufficient, but whose safety properties can be achieved through additional supplementary requirements (e.g., verification and validation methods) |
| Class III | AI technology whose safety properties cannot be satisfied even with existing standards and related techniques |
Key insight: In practice, most machine learning-based systems heading into certification will land at Level A1, Class II. That means meeting the existing standards is not enough on its own; you also have to make the safety case using the additional techniques described in this document.
Step 2: Analysis of the AI System's Properties and Associated Risk Factors
Assessors will want to see how rigorously you have analyzed and managed the system's inherent properties and the risk factors that flow from them.
- Level of automation and control: Look at how far the system runs on its own without human oversight, what options exist for human intervention and control, and how you keep the risk in check when the system changes its own behaviour (learns) and starts to drift from its original specification.
- Transparency and explainability: Provide 'transparency', which gives stakeholders insight into the system's internal processes, and 'explainability', which presents the system's decisions in terms humans can actually follow.
- Environment-related issues: Analyze risks such as the uncertainty that crops up in complex environments, data drift, where the data distribution at runtime no longer matches what the model saw during training, and concept drift, where the input-output relationship itself shifts, then put a mitigation plan in place.
- Resilience to adversarial inputs: Weigh the threat of adversarial machine learning attacks, which trip up the model using tiny input perturbations that people would never spot, and apply countermeasures such as adversarial training.
Step 3: Application of Verification and Validation (V&V) Techniques
Verifying and validating data-driven AI models calls for a different playbook than conventional software. The behavioural rules live implicitly in the dataset rather than in a written specification, which makes requirements traceability hard, and the sheer size of the input space makes test coverage tough to pin down.
- Linking risk analysis with data: Confirm that every safety-related scenario surfaced in the risk analysis is well represented in the training and test datasets, and that those datasets capture a wide range of variations.
- Data preparation and model-level V&V: Detect and strip out bias within the datasets, cross-validate to guard against overfitting, and regularize to make the model more robust.
- System-level testing: Lean on simulation (MIL, SIL, HIL), digital twins, and real-environment testing so they reinforce one another, and show that the simulation environment is faithful to reality.
- Monitoring and feedback: Gather performance data while the system runs to keep watch on safety over time, and close the loop by feeding lessons from any incidents back into your test scenarios.
Step 4: Implementation of Control and Mitigation Measures
Sharpening the AI model itself only goes so far; the architecture also needs to tolerate faults and hold the system safe.
- Supervisory monitor function: Build in a mechanism that watches the AI model's inputs, outputs, and internal states and, the moment it spots potentially unsafe behaviour, drives the system into a predefined safe state (e.g., functional shutdown, switching to a non-AI-based backup safety function).
- Setting a safety envelope: Design a constraint function that keeps the AI system's output inside a predefined safe range.
- Ensuring diversity: Cut down the chance of Common Cause Failure with N-version programming, where independent models come from different teams, data, and algorithms, ensemble methods that combine several models, and diversity in sensors and hardware, among others.
Step 5: Establishment of Processes and Methodology
The functional safety of an AI system has to be earned through a disciplined process that runs across the whole lifecycle.
- Lifecycle management: Bring the AI system lifecycle and the functional safety lifecycle (such as
IEC 61508) together under one roof, and run regression validation whenever something changes. - Documentation: Spell out the deliverables for each lifecycle stage in detail, with enough information about the learning process, where the data came from and whether it is adequate, and the training/validation/test data.
- Safety analysis methodology: Build a fault model to work through the AI system's failure modes systematically, and apply techniques such as Process Failure Mode and Effects Analysis (PFMEA) to dig into potential faults in the offline training process itself.
6. Simplifying Regulatory Compliance with SafetyDesigner
Built by Safetics, the SaaS safety analysis tool SafetyDesigner takes the sting out of the demanding CE marking procedures that Regulation (EU) 2023/1230 imposes. All you need is an internet connection to analyze and document the safety of your robot system.
Systematic Risk Assessment and Documentation
SafetyDesigner comes with a risk assessment questionnaire and risk reduction measures built on ISO 12100, the international machinery safety standard, and ISO 10218-2, the standard written specifically for robot systems. Working through the questionnaire, you can
identify, analyze, and evaluate the hazards of a robot system, decide on the right risk reduction measures, and have the whole process captured digitally as you go.
Collaborative Robot (Cobot) Collision Safety Analysis Simulation (ISO/TS 15066 Compliant)
Running a collaborative robot (cobot) in Power and Force Limiting (PFL) mode without protective measures such as safety fences or sensors calls for objective proof that a collision with an operator stays within safe limits. SafetyDesigner
runs a collision safety analysis simulation against the force and pressure limits set out in the ISO/TS 15066 standard.
The resulting report goes into the technical documentation, where it stands as the key evidence that the collaborative application is safe.
Saving Time with Integrated Report Generation
Of the documents called for in the technical documentation (Annex IV), both the risk assessment report and the robot system's collision safety analysis report export with a single click. That lets manufacturers and system integrators put together the core technical documentation for CE marking quickly and accurately, cutting the time and cost of the whole certification process down to a fraction.
Regulation (EU) 2023/1230
Original PDF