The Savioke Approach to Safety

Two years ago, Savioke put its first generation of Relay, our delivery robot, into service at the Aloft Cupertino Hotel. The robot had gone through a rigorous and comprehensive safety protocol to watch for obstacles in its path and avoid them. Within the first week the robot captured images of a child’s bare feet with its downward camera (the one that looks for small obstacles to avoid), graphically reminding us of why we take such care to avoid obstacles. Robots attract people of all ages, but especially children, and as a company we are committed to making safety the highest priority.

The robotics industry takes a very conservative approach to safety for good reason: the industrial robot arms that work in factories are inherently strong, fast, and therefore dangerous. For decades, industrial robots were only run inside locked safety cages, designed to keep people away from harm. In the last few years, new industrial robot arms that work safely around people (so-called “co-bots”) have become more popular. It is also increasingly common for robots to use sensors so they deactivate automatically when people come near. According to the Robotics Industry Association, the best practice for deploying robots around people is to do a risk assessment and then implement safety measures to minimize the risk of harm.

NASA has one of the most stringent safety processes in the industry, since they produce systems in which people depend on numerous automated systems for their survival in space. Since 2012, Robonaut 2, a general purpose humanoid robot, has been in operation on the International Space Station. Robonaut 2 is strong enough to cause damage to the space station or the people inside it, so how did it pass the NASA safety reviews? The answer, in a word, is redundancy. NASA never relies on a single component or safety path to protect astronauts, but assumes that any sensor or connector or component can fail. Robonaut needs to be safe in the face of such failures.

At Savioke, we take safety seriously and have incorporated both the Robotics Industry Association and NASA best practices in the safety analysis and implementation of our robots. When we deployed our early robots, a human “wrangler” was always nearby, monitoring the robot’s performance and ensuring the safety of people it came in contact with. The wrangler used a wireless run-stop that allowed him or her to stop the robot with a button press. Remembering those little toes near the robot, we embarked on what became a six-month risk assessment study, then added redundant systems and re-engineered whatever was needed to make sure that the risks identified in the assessment were addressed. Not until the risk assessment and all of the implied engineering was completed did we remove the requirement for a wrangler with a run-stop.

One of the possible risks identified by the assessment was the risk of a robot bumping into a person. Our approach to this risk also followed NASA’s safety guidelines: make sure we have incorporated redundant layers of safety into the robot to minimize the risk of harm ever occurring.

Like most mobile autonomous systems today, we use sensors to create a virtual bumper around the robot. This required us to place the robot’s sensors so that it can avoid obstacles. However, since today’s sensors have strengths and weaknesses, we also added redundant sensors that complement each other. But because our virtual bumper is essentially high-level software, there is no way to guarantee that both the software and hardware will be bug-free, so we added a redundant layer of safety: a physical bumper. Adding a robust, reliable physical bumper was not a simple process. It took significant engineering resources to design, added time to our schedule and cost to our final product, but the resulting system independently stops the drive motors if the robot ever bumps into something, without depending on the software layer.

Going one step further, we asked ourselves what harm could be caused if both the physical bumper and the virtual bumper failed. It turns out that the answer to that question has to do with a combination of physics and design. The speed and mass of the robot play an important role, as does the shape of the robot. We partnered with an independent safety assessment company to evaluate the physiological ramifications of impacts at different speeds with bumpers disabled. We then set the maximum speed for our robot based on those results. We also built the robot with flowing, rounded surfaces with no sharp edges or exposed screws to minimize harm in case there is an impact.

Safety is a fundamental pillar of the robotics industry. At Savioke, we will continue to implement the best practices in the industry: risk assessments, and redundant safety systems. People love Relay, and we want to make sure that he gives the love back!