Safety, Redundancy & Standards Alignment
Triple-redundant sensor architecture, Category 3 PL d functional safety, ISO 13482 / IEC 60601-1 compliance, and watchdog-MCU brownout detection.

Safety functions are partitioned across a dedicated dual-channel safety MCU running a SIL-2-rated micro-kernel. The primary E-stop circuit (Category 1 stop, IEC 60204-1) is wired in series across both safety relays; loss of either channel forces the manipulator brakes engaged within 25 ms.
The collision-avoidance layer fuses (a) per-joint motor current observers — a 2σ deviation triggers a Cartesian stop, (b) a capacitive proximity skin around joints 5–7 with detection range 5–20 mm, and (c) the F/T sensor with 0.4 N collision threshold. All three are wired into the safety MCU’s 2oo3 voting logic.
The system targets Performance Level d (PL d) per ISO 13849-1 with hardware fault tolerance HFT = 1. It is being qualified to IEC 60601-1 third edition (general medical electrical equipment) plus the 60601-2-77 collateral for robotic surgical equipment.
| Parameter | Value | Unit | Tolerance / Note |
|---|---|---|---|
| Functional safety target | PL d | | ISO 13849-1 |
| Hardware fault tolerance (HFT) | 1 | | |
| Safety MCU | Dual-channel lockstep | | SIL-2 micro-kernel |
| E-stop category | 1 | | IEC 60204-1 |
| Brake engage time | <25 | ms | |
| Collision threshold (F/T) | 0.4 | N | |
| Capacitive prox. range | 5–20 | mm | |
| Encoder redundancy | 2× abs. per joint | | |
| Standards | IEC 60601-1, 60601-2-77, ISO 13482, ISO 14971 | | |
| Cyber-security | IEC 81001-5-1 | | Premarket |
Three independent watchdogs: motion controller (1 ms), safety MCU (200 µs), and supervisor PC (50 ms). A single watchdog timeout demotes the system to a configurable safe-state; two timeouts within 100 ms force a hard E-stop.
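The 2oo3 collision vote and the watchdog escalation rule above, as an added illustration in C (not the project's firmware). The 2σ, 0.4 N and 100 ms figures are taken from this page; the type and function names, the boolean skin-detect input and the microsecond timebase are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration, not the safety MCU firmware. Thresholds come from the
 * spec text; names, struct layout and the microsecond timebase are assumed. */

typedef enum { STATE_RUN, STATE_SAFE, STATE_ESTOP } safe_state_t;

#define CURRENT_SIGMA_LIMIT  2.0f    /* channel (a): 2-sigma current deviation */
#define FT_COLLISION_N       0.4f    /* channel (c): F/T collision threshold, N */

/* 2oo3 vote over (a) current observer, (b) capacitive skin, (c) F/T sensor.
 * Two agreeing channels demand a Cartesian stop; one alone does not, so a
 * single noisy or failed channel can neither halt nor mask a collision. */
bool collision_2oo3(float current_dev_sigma, bool skin_detect, float ft_newton)
{
    int votes = 0;
    votes += (current_dev_sigma >= CURRENT_SIGMA_LIMIT);
    votes += skin_detect;
    votes += (ft_newton >= FT_COLLISION_N);
    return votes >= 2;
}

#define ESCALATION_WINDOW_US 100000u  /* two timeouts within 100 ms => E-stop */

typedef struct {
    safe_state_t state;             /* current system state; E-stop latches */
    safe_state_t configured_safe;   /* safe-state used after a single timeout */
    bool         armed;             /* a first timeout has been recorded */
    uint32_t     first_timeout_us;  /* timestamp of that first timeout */
} wd_supervisor_t;

/* Escalation rule: the first timeout demotes to the configured safe-state;
 * a second timeout inside the 100 ms window forces a hard E-stop, which
 * stays latched until an explicit reset. Unsigned subtraction keeps the
 * window comparison correct across a 32-bit timer wraparound. */
safe_state_t wd_on_timeout(wd_supervisor_t *s, uint32_t now_us)
{
    if (s->state == STATE_ESTOP)
        return STATE_ESTOP;
    if (s->armed && (uint32_t)(now_us - s->first_timeout_us) <= ESCALATION_WINDOW_US) {
        s->state = STATE_ESTOP;
        return s->state;
    }
    /* Outside the window (or first ever): this timeout opens a new window. */
    s->armed = true;
    s->first_timeout_us = now_us;
    s->state = s->configured_safe;
    return s->state;
}
```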