By: Pauldurai Shanmugam – With 25+ years in embedded product design across defence, automotive, and MedTech, Paul specializes in safety-critical hardware and standards-driven compliance for autonomous mobile robots.
In an increasingly automated world, it’s easy to marvel at what robots can accomplish—but harder to appreciate the systems that keep them safe when things go wrong.
At Ati Motors, we recognize a fundamental axiom in engineering: no system is immune to failure. The real question is not if something will fail, but how well the system responds when it does.
To address this, Ati AMRs are engineered around three safety pillars:
- Fail-safe design
- Redundant systems
- Resilient engineering
1. Fail-Safe Design: Safety by Default
A fail-safe system ensures that any fault automatically leads to a safe state rather than a hazardous one. Imagine an AMR transporting materials across a production floor. If its primary LiDAR sensor loses function, its perception is instantly compromised: the robot can no longer see what is in its path, and a collision could damage property or endanger people.
Fail-safe design ensures that the robot’s control logic defaults to safety, not continuation:
- Sensor failure: The AMR halts movement until perception is restored or an operator intervenes.
- Communication loss: The robot stops and waits for reconnection or manual clearance.
- Controller fault: Drive motors enter a Safe Torque Off (STO) state to prevent unintended motion.
Safety actions always take precedence over productivity — a core design principle across all our systems.
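The fault-to-action mapping above is what a safety supervisor task has to implement. The following is an added example, not Ati Motors' code: a hypothetical supervisor that receives three health inputs each cycle (timestamp of the last LiDAR frame, timestamp of the last fleet-link heartbeat, and the drive controller's self-test result), treats anything missing, stale, or timestamped in the future as a fault, and lets the most severe required action win. A hold clears itself once its cause is gone (the robot "waits for reconnection"), while STO latches until an operator resets it with all inputs healthy. The deadlines and input names are assumptions.

```python
"""Fail-safe supervisor: added example, not Ati Motors' code.

Assumptions (hypothetical): deadlines, input names, and the rule that a
HOLD self-clears while an STO latches until operator reset.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Action(IntEnum):
    RUN = 0   # normal motion
    HOLD = 1  # controlled stop, brake held, wait for recovery or clearance
    STO = 2   # Safe Torque Off: drive cannot produce torque


LIDAR_DEADLINE_S = 0.2  # assumed: 10 Hz safety scanner, one missed frame tolerated
COMM_DEADLINE_S = 1.0   # assumed: fleet-link heartbeat budget


@dataclass
class HealthInputs:
    lidar_frame_s: Optional[float]     # time of last valid scan, None = never seen
    comm_heartbeat_s: Optional[float]  # time of last fleet heartbeat, None = never seen
    controller_ok: Optional[bool]      # drive self-test result, None = not reported


def is_stale(last: Optional[float], now: float, deadline: float) -> bool:
    """Absence of evidence is a fault: None, older than the deadline, or in the future."""
    return last is None or last > now or (now - last) > deadline


def required_action(h: HealthInputs, now: float) -> Tuple[Action, List[str]]:
    """Map each fault to the safest action it demands; the maximum wins."""
    action, reasons = Action.RUN, []
    if is_stale(h.lidar_frame_s, now, LIDAR_DEADLINE_S):
        action, reasons = max(action, Action.HOLD), reasons + ["perception lost"]
    if is_stale(h.comm_heartbeat_s, now, COMM_DEADLINE_S):
        action, reasons = max(action, Action.HOLD), reasons + ["comm lost"]
    if h.controller_ok is not True:  # False and None both count as a fault
        action, reasons = max(action, Action.STO), reasons + ["controller fault"]
    return action, reasons


class SafetySupervisor:
    def __init__(self) -> None:
        self.state = Action.RUN
        self.sto_latched = False
        self.reasons: List[str] = []

    def step(self, h: HealthInputs, now: float) -> Action:
        """One supervisor cycle: compute the needed action and apply latching."""
        needed, self.reasons = required_action(h, now)
        if needed == Action.STO:
            self.sto_latched = True
        # HOLD recovers on its own when the cause clears; STO never does.
        self.state = Action.STO if self.sto_latched else needed
        return self.state

    def operator_reset(self, h: HealthInputs, now: float) -> bool:
        """Clear a latched STO. Refused unless every input is healthy right now."""
        needed, _ = required_action(h, now)
        if needed != Action.RUN:
            return False
        self.sto_latched = False
        self.state = Action.RUN
        return True


def demo() -> List[Action]:
    """Walk a constructed fault sequence and return the state after each cycle."""
    sup = SafetySupervisor()
    trace = [sup.step(HealthInputs(9.95, 9.6, True), 10.0)]      # RUN: all fresh
    trace.append(sup.step(HealthInputs(9.7, 9.6, True), 10.0))   # HOLD: scan 0.3 s old
    trace.append(sup.step(HealthInputs(10.05, 8.9, True), 10.1))  # HOLD: heartbeat lost
    trace.append(sup.step(HealthInputs(10.15, 10.1, True), 10.2))  # RUN: reconnected
    trace.append(sup.step(HealthInputs(10.25, 10.2, False), 10.3))  # STO: controller fault
    trace.append(sup.step(HealthInputs(10.35, 10.3, True), 10.4))  # STO: still latched
    sup.operator_reset(HealthInputs(10.45, 10.4, True), 10.5)      # operator clears it
    trace.append(sup.step(HealthInputs(10.55, 10.5, True), 10.6))  # RUN
    return trace


if __name__ == "__main__":
    for i, s in enumerate(demo()):
        print(f"cycle {i}: {s.name}")
```

The important design choice is that the supervisor never has to decide that something is "probably fine": an input that is absent or has an impossible timestamp is treated exactly like a failed one, and recovery from the most severe state requires a human with all inputs healthy at that moment.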
How STO Circuits Work
Safe Torque Off (STO) is a hardware safety function that stops the drive from delivering energy to the motor windings, so the motor cannot generate torque even if the control electronics or firmware malfunction. It does this without opening the main supply: the drive's DC bus stays live, so STO is not electrical isolation and does not replace lock-out before maintenance work. STO also does not brake; the motor simply coasts, which is why a vehicle on a slope still needs a mechanical brake to come to a stand. STO is one of the drive safety functions defined in IEC 61800-5-2 and is a foundational element of safety-rated motor drives.
2. Redundant Systems: No Single Point of Failure
Redundancy ensures that when one component fails, another immediately takes over its critical function. Redundant channels must be diverse enough that one cause (dust, glare, a single power rail) cannot defeat them together. Ati AMRs incorporate multiple overlapping protection layers:
- Multi-sensor fusion for high redundancy: LiDARs, bump sensors, and cameras cover overlapping fields of view.
- Emergency Stop (E-Stop): Physical stop buttons and remote stop features allow human operators to intervene immediately.
- Controlled braking: The system transitions to passive braking or STO when electrical or communication faults occur.
- Standards compliance: Safety architecture follows international standards such as ISO 3691-4 and IEC 61508.
What ISO 3691-4 Covers
ISO 3691-4 defines safety requirements and verification methods for driverless industrial trucks, which includes AMRs, covering:
– Safe motion control and braking
– Detection-zone configuration
– Manual and automatic emergency-stop behaviour
– System validation and risk assessment
It is the primary international reference for AMR safety design and testing.
3. Resilient Engineering: Built to Recover
Resilience extends beyond redundancy; it ensures continuity under stress and controlled recovery after disturbances. Ati’s engineering framework builds resilience through:
- Rigorous validation: Components are tested for thermal, vibration, and electrical endurance.
- Fault-tolerant software: The control stack anticipates errors and executes controlled fallback routines.
- Continuous diagnostics: Real-time monitoring detects anomalies and transitions the robot to a safe operating mode.
- Predictive maintenance: Forecasting analytics identify signs of component wear and alert maintenance teams before a failure occurs.
Predictive Maintenance in AMRs
Modern AMRs leverage telemetry data, motor current profiles, battery impedance, and wheel slip ratios to predict mechanical wear or impending sensor drift. Early detection allows scheduled servicing, minimizing unplanned downtime and improving fleet reliability.
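The predictive-maintenance item above and this paragraph both describe forecasting from telemetry. The following is an added example, not Ati Motors' code, of the simplest version of that analysis: a hypothetical fleet logs, once per shift and per drive wheel, the mean motor current under a fixed reference load and the wheel slip ratio computed from commanded versus encoder-measured speed. A least-squares line through the recent samples gives the drift rate and therefore how many shifts remain before a wear threshold is crossed, which is when to schedule service rather than wait for a fault. The sample series, thresholds and horizon are constructed.

```python
"""Wear forecasting from telemetry: added example, not Ati Motors' code.

Assumptions (hypothetical): one sample per shift, a fixed reference load so
current is comparable across shifts, and wear that shows as a linear drift.
"""
from typing import List, Optional, Sequence, Tuple


def slip_ratio(commanded_mps: float, measured_mps: float) -> float:
    """(v_cmd - v_meas) / v_cmd, defined as 0 when the wheel is not commanded to move."""
    if abs(commanded_mps) < 1e-3:
        return 0.0
    return (commanded_mps - measured_mps) / commanded_mps


def linear_fit(ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of ys against sample index 0..n-1."""
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    xs = range(n)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def shifts_until(ys: Sequence[float], threshold: float) -> Optional[float]:
    """Shifts until the fitted trend reaches threshold; None if it is not rising."""
    slope, intercept = linear_fit(ys)
    if slope <= 0.0:
        return None
    last_fitted = intercept + slope * (len(ys) - 1)
    if last_fitted >= threshold:
        return 0.0  # already past the limit according to the trend
    return (threshold - last_fitted) / slope


def maintenance_alerts(current_a: Sequence[float], slip: Sequence[float],
                       current_limit_a: float, slip_limit: float,
                       horizon_shifts: float) -> List[str]:
    """Raise an alert for each signal forecast to cross its limit within the horizon."""
    alerts = []
    for name, series, limit in (("motor current", current_a, current_limit_a),
                                ("wheel slip", slip, slip_limit)):
        remaining = shifts_until(series, limit)
        if remaining is not None and remaining <= horizon_shifts:
            alerts.append(f"{name}: limit {limit} forecast in {remaining:.1f} shifts")
    return alerts


def demo() -> List[str]:
    """Constructed 20-shift telemetry: current drifts up 0.05 A/shift, slip 0.002/shift."""
    current_a = [4.0 + 0.05 * i for i in range(20)]
    slip = [slip_ratio(1.0, 0.98 - 0.002 * i) for i in range(20)]
    return maintenance_alerts(current_a, slip, current_limit_a=6.0,
                              slip_limit=0.08, horizon_shifts=15)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the constructed data the slip trend reaches its limit in about 11 shifts and is flagged, while the current trend needs about 21 shifts and stays quiet for now. In a real fleet the series would be windowed to the last few weeks so that an old repair does not distort the slope, and a sudden step change (a stone in the tread, a failed bearing) should go to the diagnostics path rather than the trend forecaster.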
Safety and Innovation: Two Sides of The Same Coin
Safety should be an enabler in the world of AMRs, not a constraint. Innovation in robotics is not only about avoiding faults but about ensuring that every fault ends safely. Every circuit, algorithm, and mechanical interface needs to be built around the premise that performance and safety reinforce each other.
Through fail-safe design, redundancy, and resilience, Ati AMRs strive to transform potential chaos into controlled calmness—making every AMR a trusted co-worker in dynamic industrial environments.