Cobots, drones, and AI-orchestrated factories generate risk that updates by the second. Static risk graphs were designed for static systems. S-ARPN integrates safety into the dispatcher's objective function as a continuous constraint, and produces the closed-loop record that ties detected risk signals to documented response.
The cell was certified at commissioning. The HAZOP study was approved. The Performance Level was assigned. None of those documents has been updated since the last operator quit, the last firmware patch, or the last shift change. The plant is running on snapshots of a system that no longer exists.
The PLC trips when one number crosses a line. It never sees that five other numbers were drifting at the same time.
Classical industrial FMEA gives you S, O, and D: severity, occurrence, and detection, multiplied into a single risk priority number. That works for a system whose operator is a constant. The plant floor is not a constant. S-ARPN keeps severity (S) and probability (P), splits exposure-with-vulnerability (V) out from detection, and adds the two dimensions that matter most when the operator is human or the controller is learning: a behavioral or autonomous reliability state (BI) and cross-domain anomaly coupling (EC).
| Tier | S-ARPN Range | Required Response | Timeline |
|---|---|---|---|
| IMMEDIATE | > 3,000 | Safe state. E-stop or safety-rated stop. Evacuate cell. Drone: halt mission, return to launch (RTL) or autoland. | Seconds |
| CRITICAL | 1,500 – 3,000 | Slow mode. Supervisor required. Drone: reroute, pause mission, hold position. | Minutes |
| HIGH | 500 – 1,500 | Speed and separation monitoring tightened. Predictive maintenance work order opened. Operator briefed. | Hours |
| MODERATE | 100 – 500 | Watch list. Increased telemetry sampling. Trend reviewed at shift change. | Shift |
| LOW | < 100 | Log and trend. No operational change. | Continuous |
Failures escalate in predictable patterns. Velocity matters more than position. Six rungs in a week is a different machine from one that has sat at rung 2 for six months. Safety Shield tracks position and rate of change.
The ladder is not a checklist. It is a velocity meter. The same machine at L3 for a quarter is healthy. The same machine going L1 to L5 in a week is not.
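As an added illustration (not code from the safety-shield package or from Acquit.ai), the tier lookup with the table's thresholds and a velocity meter over ladder observations. Assumptions are marked in the code: the two boundary scores the table lists in two rows (500 and 1,500) are resolved to the higher tier, the alert rate of two rungs per week is an invented policy value, and the two histories are constructed, one steady at L3 for a quarter and one climbing L1 to L5 across the scenario's week.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Tier floors from the page's table, highest first. 500 and 1,500 appear in
# two rows each; this illustration resolves them upward, to the more
# protective tier. IMMEDIATE follows the table's ">3,000" literally, so a
# score of exactly 3,000 stays CRITICAL.
IMMEDIATE_ABOVE = 3000
TIER_FLOORS: List[Tuple[str, float]] = [
    ("CRITICAL", 1500),
    ("HIGH", 500),
    ("MODERATE", 100),
    ("LOW", 0),
]


def tier_for(score: float) -> str:
    """Map an S-ARPN score to its response tier."""
    if score < 0:
        raise ValueError("S-ARPN is non-negative")
    if score > IMMEDIATE_ABOVE:
        return "IMMEDIATE"
    for name, floor in TIER_FLOORS:
        if score >= floor:
            return name
    return "LOW"


@dataclass(frozen=True)
class RungObservation:
    """Ladder position (L1 = 1) observed at a point in time."""
    at: datetime
    rung: int


def ladder_velocity(history: Iterable[RungObservation],
                    window: timedelta = timedelta(days=7)) -> Tuple[int, int]:
    """Return (current_rung, rungs_climbed_within_window).

    The baseline is the most recent observation at or before the start of the
    trailing window. If the history is shorter than the window, the earliest
    observation is used, so a new asset is judged on the movement it has
    actually shown rather than assumed stable.
    """
    obs = sorted(history, key=lambda o: o.at)
    if not obs:
        raise ValueError("no ladder observations")
    latest = obs[-1]
    window_start = latest.at - window
    baseline = obs[0]
    for o in obs:
        if o.at <= window_start:
            baseline = o
        else:
            break
    return latest.rung, latest.rung - baseline.rung


def escalation_alert(history: Iterable[RungObservation],
                     max_rungs_per_window: int = 2,
                     window: timedelta = timedelta(days=7)) -> bool:
    """True when the asset is climbing faster than the configured rate.

    The rate is an assumed policy value. The point is that rate, not rung,
    separates a healthy steady L3 from a runaway L1-to-L5 climb.
    """
    _, climbed = ladder_velocity(history, window)
    return climbed > max_rungs_per_window


def _sample_histories():
    """Constructed histories: a steady L3 cell and the scenario's Monday-to-Friday climb."""
    start = datetime(2026, 1, 5)  # a Monday
    steady = [RungObservation(start + timedelta(weeks=w), 3) for w in range(13)]
    climbing = [
        RungObservation(start, 1),                      # Monday, L1
        RungObservation(start + timedelta(days=2), 3),  # Wednesday, L3
        RungObservation(start + timedelta(days=4), 5),  # Friday, L5
    ]
    return steady, climbing


STEADY_HISTORY, CLIMBING_HISTORY = _sample_histories()

if __name__ == "__main__":
    for label, hist in (("steady L3", STEADY_HISTORY), ("L1 to L5", CLIMBING_HISTORY)):
        rung, climbed = ladder_velocity(hist)
        print(f"{label}: rung L{rung}, +{climbed} in 7 days, alert={escalation_alert(hist)}")
    print("S-ARPN 312 ->", tier_for(312))
```

The steady history reports `(3, 0)` and no alert; the climbing one reports `(5, 4)` and trips the alert even though a position-only check would have waited for the tier table to do the work.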
Safety Shield sits across the scheduling and dispatch optimizer as a continuous constraint. The dispatcher cannot recommend a task assignment, mission plan, or cell setpoint without Safety Shield scoring it. The architecture mirrors the Responsibility-Sensitive Safety envelope used in autonomous-vehicle planning (Shalev-Shwartz et al.), generalized to industrial control.
Drone mission planners: mission_value − fuel − airspace − safety_penalty. Cobot task planners: cycle_time_savings − retooling − safety_penalty. The safety penalty enters the objective with a configurable weight; high-risk states reduce the value of otherwise attractive assignments.

Compartmentalization has a labor-relations payoff that classical safety architectures lack. Auditors get evidence that safety was scored and that the optimizer was constrained. They do not get a per-worker surveillance feed. That separation is what lets the system be deployed inside facilities where workforce monitoring would otherwise be a nonstarter.
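An added example, not the Safety Shield implementation, of the penalty entering the objective with a configurable weight and of the compartmentalization described above: the dispatcher's `Candidate` carries only the `safety_penalty` scalar, never the telemetry behind it. The penalty curve (linear in the score), the veto above the IMMEDIATE threshold, and the two drone missions with their scores are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The page's IMMEDIATE floor; a state above it demands a safe state, not a schedule.
IMMEDIATE_ABOVE = 3000


def safety_penalty(s_arpn: float, weight: float) -> float:
    """Safety Shield side: reduce a scored state to the one scalar the dispatcher sees.

    Assumed shape (the page specifies a configurable weight, not the curve):
    linear in the score, and +inf once the score is in the IMMEDIATE tier.
    Returning +inf keeps the constraint soft in form while making an
    IMMEDIATE assignment unrecommendable in practice.
    """
    if s_arpn < 0:
        raise ValueError("S-ARPN is non-negative")
    if s_arpn > IMMEDIATE_ABOVE:
        return math.inf
    return weight * s_arpn


@dataclass(frozen=True)
class Candidate:
    """An assignment the dispatcher could recommend.

    `value` and `costs` carry the page's domain terms (drone: mission_value,
    fuel, airspace; cobot: cycle_time_savings, retooling). `safety_penalty`
    is all the dispatcher learns from Safety Shield: no telemetry, no
    per-operator signals, just the number.
    """
    name: str
    value: float
    costs: Dict[str, float]
    safety_penalty: float

    def objective(self) -> float:
        return self.value - sum(self.costs.values()) - self.safety_penalty


def recommend(candidates: Iterable[Candidate]) -> Optional[Candidate]:
    """Highest-objective candidate, or None when every option is vetoed."""
    feasible = [c for c in candidates if math.isfinite(c.objective())]
    if not feasible:
        return None
    return max(feasible, key=Candidate.objective)


def plan_drone_mission(weight: float, corridor_s_arpn: float) -> Optional[str]:
    """Constructed example: a direct corridor flight versus a longer detour.

    Scores are hypothetical. On fuel and airspace alone the corridor is the
    better mission; whether it is still recommended depends on the weight and
    on the risk state Safety Shield reports for it.
    """
    corridor = Candidate(
        name="corridor",
        value=1000.0,                                  # mission_value
        costs={"fuel": 120.0, "airspace": 40.0},
        safety_penalty=safety_penalty(corridor_s_arpn, weight),
    )
    detour = Candidate(
        name="detour",
        value=900.0,
        costs={"fuel": 180.0, "airspace": 60.0},
        safety_penalty=safety_penalty(80.0, weight),   # LOW-tier state
    )
    chosen = recommend([corridor, detour])
    return chosen.name if chosen else None


if __name__ == "__main__":
    for weight, score in ((0.0, 1600.0), (0.25, 1600.0), (0.25, 3200.0)):
        print(f"weight={weight:<5} corridor S-ARPN={score:<7} -> {plan_drone_mission(weight, score)}")
```

With the penalty weight at zero the corridor wins on raw value (840 against 660). At a weight of 0.25 the corridor's CRITICAL-tier score costs it 400 and the LOW-tier detour is recommended instead; the break-even weight for these numbers is about 0.12. Above 3,000 the corridor drops out regardless of weight.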
A composite scenario, drawn from generic palletizing-cell patterns, walks through a five-day convergence into a CRITICAL S-ARPN. The math is illustrative. The underlying pattern is recognizable to any plant-floor safety engineer.
Monday. Encoder on the cobot's wrist axis begins drifting outside its calibration window. Drift rate: 0.04% per shift. Within tolerance. PLC sees nothing. Ladder rung L1. S-ARPN: 48 (LOW).
Wednesday. Drift rate accelerates to 0.18% per shift, crossing the warning threshold. Maintenance opens a work order, scheduled for the following Tuesday. The cell continues to run. The HAZOP did not contemplate cumulative drift across shifts. Ladder rung L3. S-ARPN: 312 (MODERATE).
Friday morning. One of the three operators on the palletizing line calls out sick. The line runs with two operators doing the work of three. Workload, distraction signals, and time-since-break all elevate. BI rises from 1.0 to 1.8.
Friday, 14:15. The remaining operator manually overrides a speed-and-separation monitoring threshold to clear a jam. The override is logged and auto-clears. Four coupled risk signals are now active in the same shift: encoder drift (since Monday), open work order (since Wednesday), understaffed shift (since this morning), and a speed override (just now). Ladder rung L5. EC rises to 3.
Friday, 14:30. Safety Shield recomputes.
Automatic response. The dispatcher receives a safety_penalty scalar. The cell drops to slow mode (50% rated speed). Supervisor is paged. The pending Tuesday work order is pulled forward to today. The affected operator gets a forced break and the line is reloaded with a third hand from an adjacent cell. The encoder is replaced before the cell returns to full speed.
The counterfactual. The point is earlier intervention from pattern detection, not certainty. In a facility that treats design-time risk assessment as the only operational control, a multi-domain convergence like this can remain invisible until a threshold trip or near miss forces post-hoc review. Pattern-aware scoring surfaces the convergence before the control stack reaches its final protective trip.
The documentary consequence. If an incident occurred during deployment, the record would show every step time-stamped, hashed, and retained: encoder drift Monday, work order Wednesday, S-ARPN tier elevation Friday afternoon, automatic slow-mode, supervisor page, work order pulled forward, operator rotated, encoder replaced before resumption. The record supports a closed-loop reasonable-care narrative: detection routed to a decision-maker, tied to documented mitigation, preserved in admissible form. The static-risk-graph alternative produces an 18-month-old HAZOP and a Performance Level certificate. Evidence of design-time intent, not evidence of operational care.
Composite scenario for illustration. No real facility, no real injury, no real operator. The five-dimension math is the methodology, not a forensic claim.
Continuous safety scoring is not a regulatory safe harbor. It is an evidentiary discipline. Its legal value lives in the chain: hazard identified, score computed, threshold crossed, alert routed, decision made, abatement verified, record preserved.
Negligence and product-liability defense both turn on what the organization knew and what the organization did about it. The Restatement (Third) of Torts §§ 3 and 7 frame reasonable care under the circumstances; § 29 limits liability to harms resulting from the risks that made the conduct tortious. The OSHA General Duty Clause (29 U.S.C. § 654(a)(1)) applies to recognized workplace hazards likely to cause death or serious physical harm, where feasible and effective measures can materially reduce the hazard. Both frameworks make closed-loop evidence legally relevant when it shows that a risk signal was routed to a responsible decision-maker and tied to documented mitigation before an incident.
The legal value is not the score. The legal value is the record of what happened next.
Every protective measure has a quantified impact on the S-ARPN score. The register tracks status and recommends measures that would move the score below the next tier threshold. Most industrial measures already exist on the plant floor. Safety Shield assigns them weights so the optimizer can reason about which measures matter for the current state.
| ID | Measure | Reduces | Notes | Status |
|---|---|---|---|---|
| PM-I-001 | Light curtain commissioning verified | V (−2) | ISO 13855 minimum-distance compliant | DONE |
| PM-I-002 | Cobot PFL parameters tuned | TS (−2) | ISO 10218-2:2025 force and pressure thresholds (incorporates former ISO/TS 15066 collaborative-application content) | DONE |
| PM-I-003 | Speed and separation monitoring active | V (−2), P (−1) | Real-time human position tracking | DONE |
| PM-I-004 | Operator fatigue model online | BI (−0.5) | Shift-roster + time-since-break inputs | ACTIVE |
| PM-I-005 | Predictive maintenance work order auto-triggered | P (−1) | Drift-rate threshold cross opens CMMS ticket | ACTIVE |
| PM-I-006 | Sensor redundancy (1oo2D) | V (−1) | Diagnostic coverage > 90%, IEC 61508 | ACTIVE |
| PM-I-007 | BVLOS C2 link redundancy (drone) | V (−2) | Cellular + RF backup, lost-link procedure tested | PENDING |
| PM-I-008 | Geo-fence current to active TFR; PNT integrity check | P (−1) | 14 CFR Part 107 airspace; NIST IR 8323 Rev. 1 PNT cybersecurity | PENDING |
| PM-I-009 | Controller firmware regression suite | BI (−0.3) | Reduces post-update model drift risk | PENDING |
Protective measures already exist on every modern plant floor. What's missing is a model that knows which measure matters for which state, and an optimizer that downshifts when the right measures aren't active.
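The register logic as an added example (not the project's code). The page gives no formula, so a product S × P × V × BI × EC of the five named dimensions is assumed here, with each dimension clamped at 1.0; the sample state is constructed in the shape of the Friday convergence, and PM-I-002 is omitted because TS has no place in that assumed formula. Measure IDs, deltas and statuses otherwise follow the table above.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Sequence

# Tier boundaries from the page's table (IMMEDIATE is strictly above 3,000).
IMMEDIATE_ABOVE = 3000
TIER_FLOORS = [("CRITICAL", 1500), ("HIGH", 500), ("MODERATE", 100), ("LOW", 0)]
TIER_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL", "IMMEDIATE"]

Dimensions = Dict[str, float]


def tier_for(score: float) -> str:
    if score > IMMEDIATE_ABOVE:
        return "IMMEDIATE"
    for name, floor in TIER_FLOORS:
        if score >= floor:
            return name
    return "LOW"


def s_arpn(state: Dimensions) -> float:
    """Assumed combination S x P x V x BI x EC; the page names the dimensions, not the formula."""
    return state["S"] * state["P"] * state["V"] * state["BI"] * state["EC"]


@dataclass(frozen=True)
class Measure:
    id: str
    name: str
    reduces: Dict[str, float]  # dimension -> amount subtracted while the measure is in force
    status: str                # DONE, ACTIVE or PENDING, as in the page's register


# From the page's register. PM-I-002 is omitted: it reduces TS, which the
# assumed formula above does not carry.
REGISTER: List[Measure] = [
    Measure("PM-I-001", "Light curtain commissioning verified", {"V": 2}, "DONE"),
    Measure("PM-I-003", "Speed and separation monitoring active", {"V": 2, "P": 1}, "DONE"),
    Measure("PM-I-004", "Operator fatigue model online", {"BI": 0.5}, "ACTIVE"),
    Measure("PM-I-005", "Predictive maintenance work order auto-triggered", {"P": 1}, "ACTIVE"),
    Measure("PM-I-006", "Sensor redundancy (1oo2D)", {"V": 1}, "ACTIVE"),
    Measure("PM-I-007", "BVLOS C2 link redundancy (drone)", {"V": 2}, "PENDING"),
    Measure("PM-I-008", "Geo-fence current to active TFR; PNT integrity check", {"P": 1}, "PENDING"),
    Measure("PM-I-009", "Controller firmware regression suite", {"BI": 0.3}, "PENDING"),
]


def apply_measures(state: Dimensions, measures: Sequence[Measure], sign: int = -1) -> Dimensions:
    """Apply (sign=-1) or undo (sign=+1) each measure's reductions.

    Dimensions are clamped at 1.0, the assumed bottom of their scales, so no
    stack of measures can drive the product to zero and hide a hazard.
    """
    new = dict(state)
    for m in measures:
        for dim, amount in m.reduces.items():
            new[dim] = max(1.0, new[dim] + sign * amount)
    return new


def recommend(state: Dimensions, register: Sequence[Measure]) -> dict:
    """Smallest set of PENDING measures that moves the state down one tier.

    Ties on set size go to the lowest projected score. If no set suffices, the
    whole pending set is returned with reaches_target=False so the caller
    knows the register alone cannot fix this state.
    """
    score = s_arpn(state)
    tier = tier_for(score)
    result = {"current_score": score, "current_tier": tier, "measures": [],
              "projected_score": score, "reaches_target": tier == "LOW"}
    if tier == "LOW":
        return result
    pending = [m for m in register if m.status == "PENDING"]
    best = None  # (combo, projected score)
    for k in range(1, len(pending) + 1):
        for combo in combinations(pending, k):
            projected = s_arpn(apply_measures(state, combo))
            if best is None or projected < best[1]:
                best = (combo, projected)
        if best and TIER_ORDER.index(tier_for(best[1])) < TIER_ORDER.index(tier):
            break  # smallest k that works; spend no more measures than needed
    if best is not None:
        combo, projected = best
        result.update(measures=[m.id for m in combo], projected_score=projected,
                      reaches_target=TIER_ORDER.index(tier_for(projected)) < TIER_ORDER.index(tier))
    return result


def score_if_lapsed(state: Dimensions, register: Sequence[Measure], measure_id: str) -> float:
    """Score with one DONE/ACTIVE measure's protection removed.

    This is the downshift case from the text: the register is consulted in
    both directions, not only for what to add.
    """
    measure = next(m for m in register if m.id == measure_id)
    if measure.status == "PENDING":
        raise ValueError(f"{measure_id} is not in force, nothing to lapse")
    return s_arpn(apply_measures(state, [measure], sign=+1))


# Constructed state echoing the Friday convergence (BI 1.8, EC 3); S, P and V
# are invented to land the score in CRITICAL.
FRIDAY_STATE: Dimensions = {"S": 10, "P": 6, "V": 6, "BI": 1.8, "EC": 3}

if __name__ == "__main__":
    print(recommend(FRIDAY_STATE, REGISTER))
    print("if PM-I-003 lapses:", score_if_lapsed(FRIDAY_STATE, REGISTER, "PM-I-003"))
```

For the constructed state the score is 1944 (CRITICAL); the single pending measure that drops it furthest is PM-I-007, projecting 1296 (HIGH), so that is the recommendation. Letting PM-I-003 lapse on the same state pushes the score to 3024, into IMMEDIATE, which is the case where the optimizer should be downshifting rather than scheduling.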
Any system that recommends actions on a cyber-physical loop needs to understand whether those actions raise physical risk. Verticals and adjacencies where Safety Shield maps cleanly to existing architecture.
S-ARPN is a synthesis. The individual ingredients exist in their home domains; the recipe is what's new. Each dimension and each architectural decision traces to a recognized standard or published method.
What's original is the integration: a continuous scalar that combines severity, conditioned probability, exposure-with-vulnerability, behavioral or autonomous reliability state, and cross-domain anomaly coupling, scored every cycle, presented to a scheduling optimizer as a soft constraint, and compartmentalized so that downstream consumers see a number rather than the underlying telemetry. No single standard does that. The recipe is the contribution.
The S-ARPN scoring methodology is open source: `pip install safety-shield` (GitHub, PyPI).
Two conversation tracks: industrial pilots (integrators, plant safety, drone fleet operators, AI orchestration teams) and assurance and risk engineering (EHS directors, risk officers, brokers, audit teams).
S-ARPN Scoring Methodology and Safety Shield Architecture © 2026 Colin McNamara / Acquit.ai. Licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0). Attribution required for academic and professional use. Commercial licensing: colin@acquit.ai