THE PLATFORM

One platform.
Five subsystems.
Every robot in scope.

SafeKernels is a full-stack safety platform, from wire protocol to multi-factory coordination.

01 · SEMANTIC ADAPTER LAYER

The protocol zoo becomes one typed schema.

OPC-UA, Modbus, ROS 2, FOCAS2: whatever your robots speak comes in through a vendor-specific adapter and leaves as one normalised stream. The kernel and everything downstream never see the source protocol.

UR3e · Shipping
Dobot Nova · Shipping
KUKA · Roadmap
FANUC · Roadmap
ABB · Roadmap
Siemens · Roadmap
ROS 2 · Roadmap
Request a vendor on the roadmap
Vendor protocols → one stream · 2 adapters live
Robot · Motion & pose
Joint angles, velocities, payload, tool centre. Sampled at the controller's native rate.
Tool · End-effector
Gripper state, contact force, discrete IO. Whether it's a Robotiq or a vendor-native tool.
Cell · Spatial context
Proximity, occupancy zones, AGV pose. The adapter resolves coordinate frames to one factory frame.
Process · Program & alarms
Program step, mode, vendor alarms. Mapped to a small set of typed events the kernel can reason about.
02 · KNOWLEDGE GRAPH DIGITAL TWIN

A live, typed model of your factory.

A live, typed model of every robot, fixture, workpiece, and zone on the floor, refreshed at sensor rate (125 Hz on UR3e). Proximity, contact, and hand-offs are tracked as first-class relationships, not numbers on a dashboard.

Safety checks reason over this model directly, so a violation is something the cell is doing, not a threshold being crossed. Verification runs on a snapshot; the live state is never touched mid-check.

See the architecture
cell-A · live model · 125 Hz · 3/3
[Figure: the live copy of cell-A, run 0x7C2A. Nodes ROBOT ur3e_a, ROBOT kuka_b, ZONE cell-A and WORKPIECE panel-7c, linked by the relationships occupies, near_to, contains, grasps and targets. Safety checks run on this isolated copy.]
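One way to make "verification runs on a snapshot" and "a violation is something the cell is doing" concrete, as an added Python example that is not SafeKernels code: a mutable live model, an immutable snapshot stamped with a run id, and two rules written over the relationship vocabulary from the figure (occupies, near_to, contains, grasps, targets). The rules themselves, the `AGV` node kind, and every identifier below are assumptions made for illustration.

```python
"""Added example, not SafeKernels code: typed cell model, frozen snapshot, relationship rules."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Node = Tuple[str, str]        # (kind, name), e.g. ("ROBOT", "ur3e_a")
Edge = Tuple[str, str, str]   # (subject, relation, object)
RELATIONS = {"occupies", "near_to", "contains", "grasps", "targets"}   # vocabulary from the figure


@dataclass(frozen=True)
class Snapshot:
    """Immutable copy of the live model at one run id. Checks read only this."""
    run_id: int
    nodes: FrozenSet[Node]
    edges: FrozenSet[Edge]


class LiveModel:
    """Mutable twin refreshed at sensor rate. Verification never reads it directly."""

    def __init__(self):
        self.run_id = 0
        self.nodes: set = set()
        self.edges: set = set()

    def refresh(self, nodes=(), add=(), remove=()) -> int:
        self.nodes.update(nodes)
        self.edges.difference_update(remove)
        self.edges.update(add)
        self.run_id += 1
        return self.run_id

    def snapshot(self) -> Snapshot:
        return Snapshot(self.run_id, frozenset(self.nodes), frozenset(self.edges))


def check_cell(snap: Snapshot) -> Tuple[int, List[tuple]]:
    """Returns (run_id, findings). Each finding names what the cell is doing, not a number."""
    kind = {name: k for k, name in snap.nodes}
    findings: List[tuple] = []
    for s, r, o in sorted(snap.edges):
        if r not in RELATIONS or s not in kind or o not in kind:
            findings.append(("malformed_edge", s, r, o))
    # Rule 1 (hand-off conflict): a robot targets a workpiece another robot still grasps.
    holders = {o: s for s, r, o in snap.edges if r == "grasps"}
    for s, r, o in sorted(snap.edges):
        if r == "targets" and kind.get(s) == "ROBOT" and holders.get(o) not in (None, s):
            findings.append(("handoff_conflict", s, holders[o], o))
    # Rule 2 (zone conflict): a robot and an AGV occupy the same zone. "AGV" is an assumed kind.
    occupants: dict = {}
    for s, r, o in snap.edges:
        if r == "occupies":
            occupants.setdefault(o, set()).add(s)
    for zone, who in sorted(occupants.items()):
        kinds = {kind.get(n) for n in who}
        if "ROBOT" in kinds and "AGV" in kinds:
            findings.append(("zone_conflict", zone, tuple(sorted(who))))
    return snap.run_id, findings
```

Because the snapshot is a frozen copy, a refresh that lands while a check is running cannot change what that check sees; the run id on each finding says exactly which state was judged. A finding raised against run 1 (hand-off still in progress) stays valid even if the live model has already moved to run 2.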
03 · DETERMINISTIC COGNITIVE KERNEL

Every command passes a 3-replica quorum before it reaches hardware.

Confident commands clear in tens of microseconds against pre-compiled rules evaluated on a snapshot of the live model. Anything else falls to the slow path, where a formal solver has to prove the command can't violate a joint or velocity bound. Whatever survives gets a signed, short-lived approval, and the hardware layer accepts nothing else.

The slow path has a 200 ms ceiling. A solver that doesn't finish in time never lets the command through. The cell rejects it and steps down to a safe stop until an operator clears the state.

  1. FAST PATH

    Microseconds

    Pre-compiled rules evaluated on a snapshot of the cell's live model. Tens of microseconds typical, under 2 ms worst case. No solver in the loop, no memory allocations on the hot path.

  2. SLOW PATH

    Formal solver, bounded

    Joint and velocity bounds turned into a formal proof obligation. 200 ms hard ceiling. If the solver doesn't finish in time the command is rejected and the cell steps down to a safe stop. Never fails open.

  3. BOUNDARY

    Signed approval

    Every approval is signed, so any change to it is detected, and expires 500 ms after issue. It is the only thing the hardware layer will execute. Nothing else crosses the kernel-to-hardware boundary.
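The fast path, the bounded slow path and the signed approval at the boundary, as an added Python example that is not SafeKernels code. The 200 ms ceiling and the 500 ms approval lifetime come from the text; the rule bodies, the confidence bar that selects the fast path, the HMAC-SHA256 tag, the replay nonce and all names below are this example's assumptions. The 3-replica quorum is not modelled.

```python
"""Added example, not SafeKernels code: fail-closed fast/slow path plus signed, short-lived approvals."""
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Tuple

APPROVAL_TTL_S = 0.500     # page: approvals live 500 ms
SOLVER_CEILING_S = 0.200   # page: 200 ms hard ceiling on the slow path
FAST_CONFIDENCE = 0.9      # assumed: confidence at or above this takes the fast path

class Verdict(Enum):
    APPROVED = "approved"   # fast path cleared it
    PROVEN = "proven"       # slow path proved it within bounds
    REJECTED = "rejected"   # violates a joint or velocity bound
    TIMEOUT = "timeout"     # solver missed the ceiling: rejected, cell steps down

@dataclass(frozen=True)
class Limits:
    joint_min: Tuple[float, ...]   # rad
    joint_max: Tuple[float, ...]   # rad
    max_vel: float                 # rad/s

@dataclass(frozen=True)
class Command:
    agent: str
    target: Tuple[float, ...]   # target joint angles, rad
    duration_s: float           # time allowed to reach the target
    confidence: float           # agent's self-reported confidence, 0..1

def fast_path(cmd: Command, current: Tuple[float, ...], limits: Limits) -> Verdict:
    """Pre-compiled rule: endpoint in the joint box, mean velocity under the limit. No solver."""
    if cmd.duration_s <= 0 or len(cmd.target) != len(current):
        return Verdict.REJECTED
    for q0, q1, lo, hi in zip(current, cmd.target, limits.joint_min, limits.joint_max):
        if not lo <= q1 <= hi or abs(q1 - q0) / cmd.duration_s > limits.max_vel:
            return Verdict.REJECTED
    return Verdict.APPROVED

def slow_path(cmd: Command, current: Tuple[float, ...], limits: Limits,
              clock: Callable[[], float] = time.monotonic, samples: int = 1000) -> Verdict:
    """Stand-in for the solver: checks every sample of the interpolated path under a deadline."""
    deadline = clock() + SOLVER_CEILING_S
    if cmd.duration_s <= 0 or len(cmd.target) != len(current):
        return Verdict.REJECTED
    for i in range(samples + 1):
        if clock() > deadline:
            return Verdict.TIMEOUT   # out of time is a rejection, never "probably fine"
        t = i / samples
        for q0, q1, lo, hi in zip(current, cmd.target, limits.joint_min, limits.joint_max):
            if not lo <= q0 + (q1 - q0) * t <= hi or abs(q1 - q0) / cmd.duration_s > limits.max_vel:
                return Verdict.REJECTED
    return Verdict.PROVEN

def stepping_clock(step: float) -> Callable[[], float]:
    """Fake clock advancing `step` seconds per read, so a test can force the ceiling."""
    now = [0.0]
    def read() -> float:
        now[0] += step
        return now[0]
    return read

_canonical = lambda body: json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_approval(cmd: Command, key: bytes, now: float) -> dict:
    """The command, issue/expiry times and a replay nonce under an HMAC-SHA256 tag (assumed scheme)."""
    body = {"agent": cmd.agent, "target": list(cmd.target), "duration_s": cmd.duration_s,
            "issued": now, "expires": now + APPROVAL_TTL_S, "nonce": os.urandom(16).hex()}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class HardwareBoundary:
    """Executes a valid approval and nothing else: tag, lifetime and nonce are all checked."""
    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()
    def accept(self, approval: dict, now: float) -> bool:
        body = approval.get("body", {})
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, str(approval.get("mac", ""))):
            return False                                  # forged or tampered
        if not body["issued"] <= now <= body["expires"]:
            return False                                  # expired (or not yet valid)
        if body["nonce"] in self._seen:
            return False                                  # replay of a genuine approval
        self._seen.add(body["nonce"])
        return True

def kernel_decide(cmd: Command, current, limits: Limits, key: bytes, now: float,
                  clock: Callable[[], float] = time.monotonic):
    """Route by confidence; mint an approval only for a verdict that lets the command through."""
    verdict = (fast_path(cmd, current, limits) if cmd.confidence >= FAST_CONFIDENCE
               else slow_path(cmd, current, limits, clock=clock))
    if verdict in (Verdict.APPROVED, Verdict.PROVEN):
        return verdict, issue_approval(cmd, key, now)
    return verdict, None
```

Two details carry the fail-closed property: the slow path returns `TIMEOUT` (never `PROVEN`) the moment the clock passes the ceiling, and an approval is only ever minted for `APPROVED` or `PROVEN`, so a timed-out or rejected command has nothing the hardware boundary would accept. What the cell does after a `TIMEOUT` (stepping down to a safe stop) is cell state outside this block. The replay set grows without bound here; a real boundary would prune nonces once their approval has expired.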

04 · TRUST & DEGRADATION

Agents earn their autonomy.

Every agent carries a trust score that moves with its track record. Violations pull it down; safe commands push it back up. Once an agent drops below the threshold, every command it issues goes through formal verification, no matter how confident the agent claims to be.

If violations keep coming (three within ten seconds), the cell degrades step by step instead of slamming to a stop. The deepest level is a hard E-stop that only an operator can clear, in person.

Read the failure model
cell-A · degradation ladder · L0 active
L0 · Normal (current)
Fast path open. Confident agents act in microseconds.
L1 · Degraded
Every command goes through the solver. Throughput drops, safety holds.
L2 · Safe stop
Motion halts at the next safe pose. The cell waits for an operator to acknowledge.
L3 · Operator E-stop
Hardware-cut power. Only a physical reset on the floor brings the cell back.
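The trust score and the degradation ladder as an added Python example, not SafeKernels code. The text fixes the rule that three violations within ten seconds step the cell down one level, that an agent below the trust threshold gets formal verification on every command, and that L2 clears on an operator acknowledge while L3 clears only on a physical reset. The starting score, the size of the trust increments, the fast-path confidence bar, the direct jump to safe stop on a solver timeout, and resetting the violation window after each step are this example's assumptions.

```python
"""Added example, not SafeKernels code: trust score, sliding-window violations, L0..L3 ladder."""
from collections import deque
from enum import IntEnum

TRUST_THRESHOLD = 0.5                 # page: below this, every command goes to the solver
TRUST_UP, TRUST_DOWN = 0.0625, 0.25   # assumed: a violation costs far more than a safe command earns
VIOLATION_WINDOW_S = 10.0             # page: three violations within ten seconds ...
VIOLATIONS_TO_STEP = 3                # ... step the cell down one level
FAST_CONFIDENCE = 0.9                 # assumed fast-path confidence bar


class Level(IntEnum):
    L0_NORMAL = 0      # fast path open
    L1_DEGRADED = 1    # every command through the solver
    L2_SAFE_STOP = 2   # motion halts; operator acknowledge clears
    L3_ESTOP = 3       # power cut; physical reset on the floor only


class Agent:
    def __init__(self, name: str, trust: float = 0.75):
        self.name, self.trust = name, trust

    def record(self, safe: bool) -> float:
        """Track record moves the score; clamped to [0, 1]."""
        self.trust = min(1.0, self.trust + TRUST_UP) if safe else max(0.0, self.trust - TRUST_DOWN)
        return self.trust


class Cell:
    def __init__(self):
        self.level = Level.L0_NORMAL
        self._recent: deque = deque()   # timestamps of violations still inside the window

    def route(self, agent: Agent, confidence: float) -> str:
        """Where a command goes: 'fast', 'solver', or 'halt' (no motion at L2/L3)."""
        if self.level >= Level.L2_SAFE_STOP:
            return "halt"
        if (self.level == Level.L1_DEGRADED or agent.trust < TRUST_THRESHOLD
                or confidence < FAST_CONFIDENCE):
            return "solver"   # agent's claimed confidence is irrelevant below the threshold
        return "fast"

    def on_safe_command(self, agent: Agent) -> float:
        return agent.record(True)

    def on_violation(self, agent: Agent, now: float) -> Level:
        agent.record(False)
        self._recent.append(now)
        while self._recent and now - self._recent[0] > VIOLATION_WINDOW_S:
            self._recent.popleft()
        if len(self._recent) >= VIOLATIONS_TO_STEP and self.level < Level.L3_ESTOP:
            self.level = Level(self.level + 1)   # one step, not a jump to E-stop
            self._recent.clear()                 # assumed: the next step needs a fresh burst
        return self.level

    def on_solver_timeout(self) -> Level:
        """Solver missed the 200 ms ceiling: command rejected, cell steps to safe stop."""
        self.level = max(self.level, Level.L2_SAFE_STOP)
        return self.level

    def operator_clear(self, physical_reset: bool = False) -> Level:
        """L2 clears on acknowledge; L3 refuses anything but a physical reset on the floor."""
        if self.level == Level.L3_ESTOP and not physical_reset:
            return self.level
        self.level = Level.L0_NORMAL
        self._recent.clear()
        return self.level
```

The two ideas worth copying are that the per-agent score and the per-cell ladder are separate state (a trusted agent still loses the fast path at L1, and an untrusted agent cannot regain it by asserting high confidence), and that clearing L3 is a different operation from clearing L2, so a remote acknowledge cannot be reused to bring a power-cut cell back.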
05 · FEDERATION HUB

Factories coordinate without exposing their internals.

Each factory publishes a compact summary of its load and capacity every five seconds. The hub spots cross-factory opportunities (overload relief, shared inventory, capacity arbitrage) without any bilateral integrations and without exposing what's running inside.

Productisation · Roadmap

See deployments by industry

See the platform running on your robots.

30-minute call. Bring your fleet inventory and your hardest safety requirement.