Industrial Robot Safety Beyond Binary Permit-Suppress
by Nick Clark | Published April 25, 2026
Industrial robotics safety has been built on a binary architecture. Either the robot operates inside a certified envelope, or it halts. ISO 10218-1 and -2 (the 2025 revision), ISO 13849, IEC 62061, ISO/TS 15066 for collaborative force-and-power-limiting, ISO 13482 for personal-care robots, ANSI/RIA R15.06 for industrial systems, ANSI/RIA R15.08 for autonomous mobile robots, OSHA 29 CFR 1910 general industry rules, and the EU Machinery Regulation (EU) 2023/1230 all impose this binary structure with varying envelopes and varying safety integrity levels. The architecture worked when robots were fenced and humans were excluded. It cannot scale to the human-collaborative manipulation, mobile manipulation, and shared-space autonomy that the next industrial wave requires. Confidence-governed actuation is the architectural extension that adds graduated authority above the certified safety floor, preserving the existing certification regime while enabling operational regimes the binary architecture cannot reach.
Regulatory Framework
Industrial robotics is one of the most heavily and most maturely regulated automation domains. ISO 10218-1:2025 (robots) and ISO 10218-2:2025 (robot systems and integration) are the principal international safety standards for industrial robots, harmonized under the EU Machinery Regulation (EU) 2023/1230 (which replaced the Machinery Directive 2006/42/EC and applies fully from January 2027). ISO 13849-1 specifies performance levels for safety-related parts of control systems with a probabilistic-failure framework (PL a through PL e). IEC 62061 specifies functional safety of safety-related electrical control systems with safety integrity levels (SIL 1 through SIL 3) for the machinery sector. ISO/TS 15066 specifies the four collaborative-operation modes (safety-rated monitored stop, hand guiding, speed and separation monitoring, and power and force limiting) that ISO 10218 references for human-collaborative work.
ISO 13482:2014 covers personal care robots in three classes (mobile servant, physical assistant, person carrier) and applies a parallel safety-integrity regime adapted to non-industrial environments. ANSI/RIA R15.06-2012 (and the harmonized R15.06-2024 revision) is the US national adoption of ISO 10218 with national deviations. ANSI/RIA R15.08-1, -2, and -3 (2020-2023) extend the regime to industrial mobile robots, with -1 covering the robot itself, -2 the system integration, and -3 the user obligations. OSHA 29 CFR 1910 general industry rules, particularly subpart O for machinery and machine guarding, supply the US enforcement framework. EU Machinery Regulation (EU) 2023/1230 introduces explicit obligations for AI-enabled and self-evolving safety functions and for the machinery whose safety depends on them, which is the regulatory hook that brings AI-driven robotics into the conformity-assessment regime.
Across these instruments the structural commitments are consistent. Safety functions must achieve a specified PL or SIL with documented architectural and probabilistic justification. Safety functions must be deterministic, validatable, and independent of the non-safety control path. Operating modes must be explicit, transitions between them must be monitored, and the worst-case fault response is a controlled stop (Category 0, 1, or 2 per IEC 60204-1) that brings the machinery to a safe state.
Architectural Requirement
The economic case for the next generation of industrial robotics depends on operational regimes the binary architecture cannot reach. Human-collaborative manipulation in shared workspaces requires robots to perform meaningful work alongside humans whose positions, intentions, and interactions evolve continuously. Mobile manipulation requires platforms that move through unstructured environments, manipulate objects, and interact with humans without the geometric guarantees a fixed cell provides. Programming-by-demonstration and teleoperation skill transfer require a robot that participates actively in a learning loop while remaining safe under conditions the binary architecture cannot characterize in advance.
None of these regimes is well-served by a binary permit-suppress architecture, because the architecture cannot distinguish between expected and unexpected contact, between a verified human-presence observation and an ambiguous one, or between a planned motion that is safe under current conditions and one that is safe only under a more constrained regime. The binary architecture's failure mode is to collapse the distinction: any uncertainty becomes a halt, and the operational envelope shrinks to the conditions under which uncertainty is structurally absent. The resulting envelope is too narrow to support the economic case.
The architectural requirement is therefore graduated authority: a structure in which the robot can operate at full authority under verified conditions, in stage-gated mode under conditions that require per-motion verification, in shadowed mode where commanded motion is shadowed by independent verification, and in advisory mode where the robot proposes but does not execute. The graduated authority must compose with rather than replace the certified safety floor, because the regulatory regime has been built around that floor and replacing it would invalidate decades of safety jurisprudence and conformity-assessment infrastructure.
Why Procedural Compliance Fails
The dominant industry response to the binary-architecture limitation has been procedural: speed and separation monitoring with conservative geometric envelopes, application-specific risk assessments per ISO 12100, integrator-supplied safeguarding around the cell, and operator training. Each of these is necessary, and none extends the operational envelope structurally. The procedural layer does not change what the robot can compute about its situation; it changes the human-supplied parameters that the binary architecture consumes.
The result is a structural ceiling on collaborative-robot performance. Power and force limiting under ISO/TS 15066 supplies a hardware-enforced safety floor at low force and low speed, and the procedural risk assessment governs how close to that floor the application is permitted to operate. Above that floor there is no architectural mechanism for distinguishing routine variation from genuine hazard, so the conservative envelope dominates and the robot's effective work rate is a fraction of its mechanical capacity. ISO 10218-2:2025 incorporates the lessons of the prior decade of collaborative deployment by tightening the integrator obligations and by formalizing the four collaborative modes, but it does not add a graduated-authority architectural mechanism because that mechanism is outside the scope of the safety standard.
Procedural compliance also fails the velocity of mobile manipulation. ANSI/RIA R15.08 sets the safety expectations for industrial mobile robots, and the integrator's procedural risk assessment governs deployment, but the robot's behavior in a shared aisle with a human pedestrian whose trajectory is unpredictable cannot be procedurally enumerated in the way a fixed-cell hazard can. The procedural regime addresses this by requiring conservative speeds and large clearance margins, which are precisely the parameters that erode the economic case for mobile manipulation in dense human environments. The architectural extension is the only path that preserves the safety floor while restoring operational density.
What AQ Primitive Provides
Confidence-governed actuation supplies graduated authority as a structural architectural property that sits above the ISO 10218 / 13849 / 62061 / 15066 safety floor. The architecture maintains an explicit confidence state for each contemplated motion, with the confidence state computed from human-presence observations, planned-motion details, observed and predicted environmental dynamics, and the credentialed governance policy applicable to the current operating context. The confidence state gates the operating mode rather than gating execution directly, with the certified safety floor remaining as the absolute bound that suppresses any motion exceeding the binary safety envelope.
Four operating modes compose with the safety floor. Full mode applies under verified conditions equivalent to the fenced configuration the binary architecture was designed for. Stage-gated mode applies under human-collaborative manipulation, where each contemplated motion is verified against the human's observed state and the verification is logged. Shadowed mode applies under teleoperation skill transfer, where the operator's commanded motion is shadowed by an independent verification path and divergences trigger advisory escalation. Advisory mode applies during programming-by-demonstration, where the robot proposes motion and a human commits the proposal. The mode selection is governance-credentialed and is itself an audited variable, with credentials carrying signed authority for specific mode-context combinations.
Reversibility-aware commitment and post-actuation verification complete the primitive. Before any commitment to motion, the architecture evaluates the reversibility class of the contemplated action under the current confidence state and the active mode, with low-reversibility actions requiring higher confidence and higher governance authority than high-reversibility ones. After actuation, the architecture verifies that the achieved state is consistent with the planned state and that the integrity bounds were respected, with deviations producing both an immediate corrective response and a record in the audit log. The architecture is additive to the certified safety floor rather than replacing it, which preserves existing ISO 10218 / 13849 / 62061 conformity assessments and brings the graduated authority into the regulatory regime as a higher-layer functional capability rather than as a replacement safety function.
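The mode gating, safety-floor precedence, reversibility check and post-actuation verification described in this section (and the four modes named under Architectural Requirement) are modelled here as an added Python example. This is illustrative code written for this article, not AQ Primitive's implementation or any vendor's safety controller; the force, speed and separation limits, the confidence thresholds, the rule that combines perception and dynamics confidence, the credential fields and the tighter "shadow" copy of the floor are all assumptions chosen to make the structure concrete.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Mode(Enum):
    # Ordered from most to least restrictive; the value is used only for ordering.
    ADVISORY = 0     # robot proposes, a human commits
    SHADOWED = 1     # commanded motion shadowed by an independent check
    STAGE_GATED = 2  # each motion verified against the observed human state
    FULL = 3         # verified conditions equivalent to the fenced case

class Reversibility(Enum):
    HIGH = "high"    # e.g. free-space repositioning, can be undone
    LOW = "low"      # e.g. a press stroke or weld, cannot be undone

@dataclass(frozen=True)
class Motion:
    motion_id: str
    force_n: float          # planned peak contact force
    speed_mm_s: float
    separation_m: float     # planned minimum distance to the nearest human
    reversibility: Reversibility
    end_pose_mm: tuple      # planned end pose (x, y, z); illustrative

@dataclass(frozen=True)
class Observation:
    human_present: bool
    human_track_confidence: float  # perception confidence in the human track, 0..1
    dynamics_confidence: float     # confidence in predicted scene dynamics, 0..1
    sensors_healthy: bool

@dataclass(frozen=True)
class Credential:
    holder: str
    mode_ceiling: Mode                 # least restrictive mode this credential signs for
    low_reversibility_authority: bool  # may commit non-undoable actions

@dataclass(frozen=True)
class SafetyFloor:
    """Stand-in for the certified binary permit/suppress layer; limits are assumed values."""
    max_force_n: float = 140.0
    max_speed_mm_s: float = 250.0
    min_separation_m: float = 0.5

    def permits(self, m: Motion, o: Observation) -> bool:
        if not o.sensors_healthy:  # loss of monitoring -> safe state
            return False
        if m.force_n > self.max_force_n or m.speed_mm_s > self.max_speed_mm_s:
            return False
        return not (o.human_present and m.separation_m < self.min_separation_m)

@dataclass(frozen=True)
class Decision:
    motion_id: str
    confidence: float
    mode: Optional[Mode]   # None when the certified floor suppressed the motion
    execute: bool
    reason: str

class Governor:
    # Confidence needed for each mode and for committing a low-reversibility action (assumed values).
    THRESHOLDS = ((0.95, Mode.FULL), (0.80, Mode.STAGE_GATED), (0.60, Mode.SHADOWED))
    LOW_REVERSIBILITY_MIN_CONFIDENCE = 0.90

    def __init__(self, floor: SafetyFloor, credential: Credential, pose_tolerance_mm: float = 2.0):
        self.floor, self.credential, self.pose_tolerance_mm = floor, credential, pose_tolerance_mm
        # Independent verification path for shadowed mode: a tighter copy of the floor.
        self.shadow = SafetyFloor(floor.max_force_n * 0.8, floor.max_speed_mm_s * 0.8,
                                  floor.min_separation_m * 1.25)
        self.audit: list = []   # append-only record of every decision and verification

    def confidence(self, o: Observation) -> float:
        # Uncertainty about a present human dominates; otherwise scene dynamics govern.
        return min(o.human_track_confidence, o.dynamics_confidence) if o.human_present else o.dynamics_confidence

    def candidate_mode(self, conf: float) -> Mode:
        return next((mode for threshold, mode in self.THRESHOLDS if conf >= threshold), Mode.ADVISORY)

    def decide(self, m: Motion, o: Observation) -> Decision:
        conf = self.confidence(o)
        # 1. The certified floor is the absolute bound; confidence never overrides it.
        if not self.floor.permits(m, o):
            return self._log(Decision(m.motion_id, conf, None, False, "floor_suppressed"))
        # 2. Confidence selects a mode, capped by the credential's signed ceiling.
        mode = min(self.candidate_mode(conf), self.credential.mode_ceiling, key=lambda x: x.value)
        reason = "mode_from_confidence"
        # 3. Low-reversibility actions need more confidence and explicit authority,
        #    otherwise they are only proposed for a human to commit.
        if m.reversibility is Reversibility.LOW and (
                conf < self.LOW_REVERSIBILITY_MIN_CONFIDENCE or not self.credential.low_reversibility_authority):
            mode, reason = Mode.ADVISORY, "low_reversibility_needs_human_commit"
        # 4. In shadowed mode a divergence from the independent check escalates to advisory.
        if mode is Mode.SHADOWED and not self.shadow.permits(m, o):
            mode, reason = Mode.ADVISORY, "shadow_divergence"
        return self._log(Decision(m.motion_id, conf, mode, mode is not Mode.ADVISORY, reason))

    def verify(self, m: Motion, achieved_pose_mm: tuple, observed_force_n: float) -> str:
        # Post-actuation check: achieved state against the plan, integrity bound against the floor.
        drift = max(abs(a - p) for a, p in zip(achieved_pose_mm, m.end_pose_mm))
        ok = drift <= self.pose_tolerance_mm and observed_force_n <= self.floor.max_force_n
        self.audit.append(("verify", m.motion_id, "ok" if ok else "deviation", round(drift, 3)))
        return "ok" if ok else "controlled_stop"

    def _log(self, d: Decision) -> Decision:
        self.audit.append(("decide", d.motion_id, None if d.mode is None else d.mode.name, d.execute, d.reason))
        return d
```

The property worth checking in any implementation of this layer is the ordering in `decide`: the floor is consulted first and its refusal is final, so a high confidence value, a generous credential or a high-reversibility action can only narrow the set of motions the floor already permits, never widen it. In a real cell the floor runs on the PL/SIL-rated channel and this layer only consumes its outputs; the audit list stands in for the signed, append-only log the text describes.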
Compliance Mapping
The architectural primitive maps onto the existing safety regime through composition rather than displacement. ISO 10218-1:2025 robot-level safety requirements continue to apply to the robot's certified safety functions; the confidence-governed actuation layer consumes the safe-state outputs of those functions as its floor and never permits motion that the certified layer would suppress. ISO 10218-2:2025 robot-system requirements continue to govern the integration and the application risk assessment per ISO 12100; the graduated-authority layer is documented as a non-safety functional capability whose mode-selection logic is independent of the safety control path.
ISO 13849-1 PL and IEC 62061 SIL ratings of the certified safety functions are unaffected because the graduated-authority layer is architecturally segregated from the safety control path and contributes no failure modes to it. ISO/TS 15066 collaborative modes (SMS, HG, SSM, PFL) continue to apply to the collaborative envelope; the graduated-authority layer adds operational granularity within the collaborative envelope but does not alter the force, separation, or stop-monitoring obligations that the technical specification imposes. ISO 13482 personal-care robot safety requirements are similarly preserved, with the graduated-authority layer adding mode structure to the personal-care application.
ANSI/RIA R15.06-2024 industrial robot adoption and ANSI/RIA R15.08 mobile robot adoption inherit the same composition relationship for the US market. OSHA 29 CFR 1910 general-industry obligations continue to flow through the integrator and end user. EU Machinery Regulation (EU) 2023/1230 conformity assessment is performed against the certified safety functions; the AI-enabled functional capability of graduated authority is documented in the technical file as a non-safety function that consumes safety outputs, with the regulation's specific obligations for self-evolving safety functions inapplicable because the safety functions themselves are not self-evolving. The audit log produced by the graduated-authority layer supports the post-market monitoring and accident-investigation obligations that the regulation imposes.
Adoption Pathway
The adoption pathway tracks the operational regimes whose economic case is most constrained by the binary architecture. The first wave is collaborative-robot deployments operating under ISO/TS 15066 power-and-force-limiting where the conservative envelope materially reduces work rate. Universal Robots, FANUC CR series, ABB YuMi, Doosan, and Techman platforms are the natural integration targets, with the graduated-authority layer added as a higher-level controller above the certified robot safety functions. The integration preserves the existing CE conformity assessment and the R15.06 alignment, with the graduated-authority capability documented as a non-safety functional layer.
The second wave is industrial mobile robots and autonomous mobile manipulators operating under ANSI/RIA R15.08, where the binary architecture forces conservative speeds and clearances that erode the economic case in dense human environments. Symbotic, Locus Robotics, Boston Dynamics' Stretch, Agility Robotics' Digit, and the broader autonomous-mobile-manipulator category face the same architectural mismatch and admit the same composition. The third wave is the high-power industrial layer (FANUC, ABB, KUKA, Yaskawa) where graduated authority extends operation outside the historically fenced regime into supervised collaborative work in unfenced cells, with the certified safety floor continuing to gate the worst-case fault response.
For integrators and end users, the strategic implication is that the binary-architecture ceiling is no longer the limit of achievable performance. The graduated-authority layer is added once, composed with the existing certified safety functions, and deployed across the full operating envelope, with the audit log supplying the post-market evidence that the EU Machinery Regulation and the US OSHA enforcement framework increasingly demand. The competitive frontier shifts from safety-integrity certification, which the certified layer continues to supply, to architecture-fit-for-shared-operation, which determines which platforms can address the operational regimes the next industrial wave requires.