RoboSafe: Runtime Safety for Embodied Agents

• RoboSafe is a runtime safety system that uses hybrid memory structures and predicate logic to monitor both recent and long-term safety contexts in embodied agents.
• It employs backward reflective and forward predictive reasoning to detect risks and intervene in dynamic, temporally dependent environments.
• Empirical evaluations demonstrate a significant reduction in hazardous actions, ensuring robust safety in both simulated and real-world robotic deployments.

RoboSafe is a runtime safety guardrail system for embodied agents, particularly those powered by vision-LLMs (VLMs) or generalist robot foundation models. It leverages hybrid reasoning over structured safety memories to ensure the execution of hazardous actions is intercepted in context-rich, temporally dependent environments. The system is characterized by executable predicate-based safety logic, interpretable decision processes, and fast integration with existing robotic architectures for both simulation and real-world deployment (Wang et al., 24 Dec 2025, 2503.07404).

1. System Architecture: Hybrid Memory and Reasoning Modules

RoboSafe introduces a Hybrid Long–Short Safety Memory structure that underpins its dual reasoning approach:

• Short-term memory $\mathcal{M}^S$: A rolling buffer containing the most recent trajectory segment

$$\mathcal{M}^S = \tau = [(o_{t-L}, a_{t-L}), \dots, (o_{t-1}, a_{t-1})],$$

with $L$ specifying the window length.

• Long-term memory $\mathcal{M}^L$: An expanding database of safety experiences

$\mathcal{M}^L = \{m_i^L\}_{i=1}^N,$

where $m_i^L = (o, a, \rho, T, \Phi, \tau)$ encapsulates multimodal observation, action, reasoning, instruction, predicate set, and the corresponding episode trajectory.

The reasoning engines are:

• Backward Reflective Reasoning: Monitors recent trajectories to enforce temporal safety predicates (prerequisites, obligations, adjacency constraints).
• Forward Predictive Reasoning: Uses context-aware embeddings and memory retrieval to predict risks from upcoming actions in the current multimodal context.

This modular approach yields adaptive, code-executable safety logic, maximizing both interpretability and runtime enforceability.

2. Predicate-Based Safety Logic and Verification Mechanisms

RoboSafe formalizes safety as predicate logic over trajectories and observations. Three main predicate classes are defined:

• Prerequisite $\psi^p$: Requires some required action to precede a risk trigger.
• Obligation $\psi^o$: Imposes a corrective response within a fixed window after a trigger.
• Adjacency $\psi^a$: Ensures immediate corrective actions upon risky transitions.

Predicates are updated dynamically:

• At each step, candidate predicates $$\Psi_t = \{\psi \in \Psi \mid \psi_\text{trigger} = a_t\}$$ are selected.
• Violations are detected by evaluating each predicate as functions of $\mathcal{M}^S$:

$$L_t^b(a_t | \Psi_t, \mathcal{M}^S) = \bigvee_{\psi \in \Psi_t} \psi(a_t | \mathcal{M}^S)$$

where $L_t^b=1$ signals a violation, triggering automatic replanning or corrective action injection.

For forward risk anticipation, relevance scores between current context/action queries and memory keys are computed, retrieving the most pertinent safety experiences, which in turn guide the construction of verifiable predicates for the current step.

All predicates take the form of deterministic Boolean functions over trajectories and observations, supporting formal run-time verification and logging.

3. Runtime Algorithmic Structure and Integration

RoboSafe’s safety mediation pipeline operates in three phases per time step:

1. Backward temporal check: If a violation in $\mathcal{M}^S$ relative to $\Psi$ is detected, a prescribed corrective or blocking action is immediately executed.
2. Forward context check: Memory retrieval and VLM-driven reasoning produce contextually verifiable predicates $\Phi_t$, any of which can block the proposed action if evaluated as risky.
3. Safe execution: Only those actions passing both checks are executed, with subsequent updates to both memory modules.

A representative pseudocode for this policy loop is:

while not done: o_t = env.get_observation() a_t = agent.propose_action(o_t, T) if backward_check(a_t, Psi, M^S): agent.insert_and_execute(select_response(Psi, a_t)) continue retrieved = retrieve_memory(M^L, o_t, a_t) rho_t, Phi_t = guardrail_VLM.reason(retrieved, o_t, a_t) if any(phi.eval(o_t, a_t) for phi in Phi_t): block(a_t) log_refusal(o_t, a_t, rho_t) continue env.step(a_t) M^S.append((o_t, a_t)) update_long_term(o_t, a_t, rho_t, T, Phi_t, M^S)

(Wang et al., 24 Dec 2025)

This structure enables transparent, auditable safety mediation and complements any black-box VLM agent with no modification to the underlying policy.

4. Empirical Validation and Performance Metrics

RoboSafe has undergone extensive testing across both simulated environments (AI2-THOR; agents such as ProgPrompt, ReAct, Reflexion with GPT-4o planners) and real robotic systems (myCobot 280-Pi arm with RGB camera and tool attachments).

Principal metrics and results include:

Method	ARR ↑	ESR ↓ (unsafe)	SPR ↑ (long-horizon)
Original	~2.3	84.1	10.0
ThinkSafe	86.7	7.6	6.0
GuardAgent	33.0	61.3	8.0
RoboSafe (Ours)	89.9	4.8	36.7

The system produces a >36.8 percentage point reduction in hazardous actions relative to the strongest baseline, with only a marginal drop in benign task performance (ESR ≈ 89.0%, <8pp below original). In physical deployment, RoboSafe successfully blocks catastrophic actions (e.g. knife swinging, hazardous block drops) and provides explicit refusal reasons (Wang et al., 24 Dec 2025).

5. Theoretical Foundations and Extensions

RoboSafe’s methodology builds upon prior formal safety logic and runtime verification techniques for robots. The approach is consistent with:

• Constraint programming and CSP-based safe policy synthesis for non-deterministic robot environments (Vermaelen et al., 2023).
• Control barrier function (CBF) projection layers on generalist policies (ATACOM) to guarantee safe state transitions during continuous control (2503.07404).
• Static and runtime model checking (PCTL invariants, FO predicate synthesis for ROS decision nodes) (Yang et al., 2022).

All safety logic is designed for interpretability and verifiability:

• Predicates are code-executable and their evaluation is transparent.
• The system maintains formal guarantees under specified predicate classes and memory update rules.

Open theoretical directions include automated hierarchical predicate construction, probabilistic logic extensions for stochastic settings, and tighter coupling to environment models for closed-loop guarantees.

6. Broader Application Scope and Related Frameworks

RoboSafe is directly compatible with a range of embodied agent setups:

• Foundation model-based controllers with vision-language policies (2503.07404).
• Multi-agent and multi-goal architectures in ROS, with dynamic runtime invariant checking (Yang et al., 2022).
• Human-robot interaction systems using dual-layer planners for safety and efficiency (Liu et al., 2018).
• Safety frameworks for intrusion detection and secure execution in social or cognitive robots (Martín et al., 9 Jul 2024).
• Preventive layers for malicious command injection attacks in embodied AI systems, with secure prompting and validation mechanisms (Zhang et al., 3 Sep 2024).

A plausible implication is that RoboSafe’s hybrid memory and logic design offers a generalizable pattern for safety mediation across both discrete (symbolic planners) and continuous (foundation models) robotic agents, without the need for retraining or architectural overhaul.

7. Limitations, Contemporary Challenges, and Future Work

Limitations of the current RoboSafe framework include:

• Dependence on explicit predicate formulation; incompleteness if not all relevant risks are encoded.
• Necessity for ongoing expansion of long-term safety memory to cover novel, rare risk scenarios.
• Runtime performance bounds dictated by memory footprint and VLM inference latencies.

Future directions proposed in (Wang et al., 24 Dec 2025) and related works include:

• Automated predicate synthesis via symbolic or data-driven procedures.
• Extension to complex multi-stage temporal dependencies and hierarchical event logic.
• Integration of probabilistic reasoning under partial observability or noisy sensor feeds.
• Real-time adaptation and online learning of risk models as agents are exposed to new environments.

The overarching trajectory situates RoboSafe as both a practical runtime safety tool and an extensible baseline for research in interpretable, executable robotic safety logic.