An independent battery circuit breaking module for autonomous robots

By operating at the power level, an independent battery circuit breaker module removes the dependence on the robot's own systems that makes existing robot emergency stop systems unreliable. It achieves fast and reliable power interruption and lossless recovery, and is suitable for autonomous robot safety systems.

CN122246942A · Pending · Publication Date: 2026-06-19 · 洪晓恒

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: 洪晓恒
Filing Date: 2026-04-20
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing robot emergency stop systems rely on the robot's own control stack, are designed for fixed infrastructure, are single-use, lack independent power supplies, lack independent signal channels, or operate at the command level rather than the power level, resulting in the inability to reliably, quickly, and without damage interrupt the robot's power supply.

Method used

An independent battery disconnect module is provided, which is physically connected in series between the robot's battery pack and the power distribution bus. It uses an independent power supply and radio frequency receiver, and operates at the power level through an independent controller. It can quickly and reliably disconnect and restore the robot's power supply, and has reversibility and multiple failure response modes.

Benefits of technology

It achieves complete isolation between the robot and the independent battery circuit breaker module and a fast response: the contactor can be disconnected within 10 milliseconds and the power-off process completed within 600 milliseconds. Power supply can be restored without loss, and multiple failure response modes adapt the module to different environmental requirements.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention relates to an independent battery disconnect module for an autonomous robot. The module is connected in series in the main power path between the robot's battery pack and the power distribution bus, and includes a disconnect component, a module controller, an independent power supply electrically isolated from the robot's battery pack, and an independent radio frequency receiver powered by the independent power supply. The module controller opens the disconnect component in response to an authenticated disconnect command and reversibly closes the disconnect component in response to an authenticated reconnect command, without replacing any components. Optional features include a physical failure mode selector for selecting between at least two preset failure response modes, dual series contactors, a braking circuit, an authentication protocol including a rolling counter and a message authentication code, tamper detection, and an event log. The module provides human priority control independent of robot software, and the disconnection cannot be prevented, delayed, or overridden by either robot hardware or software.

Description

Technical Field

[0001] This invention relates to the field of autonomous robot safety system technology, and more specifically, to a battery disconnection device that operates independently of the robot's main power and control architecture.

Background Technology

[0002] The widespread deployment of autonomous robots (especially humanoid robots and autonomous mobile platforms) capable of performing manual labor tasks has created a new safety challenge. Unlike software-based artificial intelligence systems, whose erroneous outputs ("hallucinations") can be interrupted by terminating the software process, a physical autonomous robot in the middle of a sequence of erroneous actions cannot be reliably interrupted by software-level means alone. The robot's control system may be busy processing the erroneous behavior, may be in a degraded operating state, or may be designed to resist interruption of actions it believes it has "committed."

Existing robot emergency stop solutions in this technical field suffer from one or more of the following defects:

Defect 1: Reliance on the robot's own control stack. Many modern humanoid and mobile robots implement emergency stop functionality as a software command sent via the robot's main communication bus (e.g., Ethernet, CAN bus, proprietary wireless protocol). Stop commands routed via the robot's communication stack can be delayed, disrupted, or suppressed by the very software malfunction they are intended to interrupt. This architecture often fails to meet the requirements for independence of safety-critical functions in functional safety scenarios, such as the independence principle emphasized in IEC 61508.

Defect 2: The assumption of fixed infrastructure. Industrial robot emergency stop systems conforming to ISO 10218-1 are designed for AC mains-powered, fixed-base robots. They cut off power by driving a safety-grade contactor through a hard-wired, dual-channel safety relay circuit. Such systems cannot be directly applied to battery-powered mobile robots, which lack mains power and operate in changing environments.

Defect 3: Disposable pyrotechnic interruption devices.
Automotive pyrotechnic battery disconnects (PBDs) manufactured by companies such as Autoliv or Daicel can quickly disconnect the battery without software intervention, but they are irreversible, one-time-use devices triggered by collision detection signals. Once triggered, they cannot be reset and are unsuitable for situations where the robot needs to resume operation after an emergency stop.

Defect 4: Lack of an independent power supply for the robot's safety system. Traditional robot safety circuits draw power from the robot's own power distribution system. If the robot's power system fails or is intentionally disabled by the robot's software, the safety circuit will immediately lose power and may fail in unpredictable ways.

Defect 5: Lack of an independent signal receiving channel. Traditional wireless emergency stop remote controllers send stop commands via communication protocols such as Bluetooth, Wi-Fi, or proprietary 2.4 GHz protocols. The frequency bands used by these protocols overlap with the frequency bands used by the robot's own communication system. If the robot's communication hardware is maliciously or erroneously controlled, it may suppress, interfere with, or block stop signals transmitted on the shared channel.

Defect 6: Dedicated weapon safety systems are not applicable to general-purpose robots. Existing technologies, such as weapon interruption modules for armed unmanned ground vehicles, employ independent power supplies and wireless links but are strictly limited to the one-way task of "preventing the weapon from firing." These systems operate only in fail-safe mode, require no remote recovery capability (the vehicle remains stationary after the weapon is rendered safe), and do not address issues such as high-current DC bus disconnection, motor back EMF handling, or configurable failure behaviors.
Such systems cannot be adapted for commercial autonomous robots, for which resuming operation after an emergency stop is a normal and necessary operational capability.

Defect 7: Command-level wireless safety systems that rely on robot functions. Existing wireless safety systems, typically designed to meet functional safety requirements such as IEC 61508 and supplied by specialized robot safety system vendors, operate at the command level: a wireless safety receiver mounted on the robot receives a stop command and forwards it to the robot's safety controller, which then commands the robot's motor drives to stop. These systems are powered by the robot's own power supply, and their effectiveness depends on the continuous operation of the robot's safety controller, motor drives, and communication bus. They do not physically interrupt the power path and therefore cannot prevent the robot from operating if the safety controller or motor drives themselves are faulty.

Therefore, this technical field needs a reusable, independently powered, and independently controlled battery disconnect device: a device that is physically connected in series in the main power path between the robot's battery pack and all of the robot's loads, operates at the power level (rather than the command level), and provides true isolation between human priority control and the robot's own computing and electrical systems.

Summary of the Invention

[0003] As mentioned above, existing robot emergency stop systems suffer from drawbacks such as reliance on the robot's own control stack, design for fixed infrastructure, single-use operation, lack of an independent power supply, lack of independent signal channels, or operation at the command level rather than the power level. This invention aims to provide a fully independent, reusable robot battery disconnect device that physically operates at the power level, achieving: (a) human priority control independent of robot software; (b) the ability to restore robot operation non-destructively after an emergency disconnect; and (c) configurable fault response behavior to adapt to different operating environments.

Reference numerals:
100: Independent battery circuit breaker module
110: Circuit breaker assembly
110a, 110b: DC contactors (first contactor, second contactor)
120: Braking circuit
120a: Semiconductor switch
130: Module controller
140: Independent RF receiver
150: Independent power supply
160: Physical failure mode selector
170: Tamper-proof detection circuit
180: Non-volatile event log memory
190: Status indicator
200: Robot battery pack
300: Robot power distribution bus
400: Remote transmitter

To solve the above-mentioned technical problems, the present invention provides an independent battery disconnect module (100), which is physically connected in series in the main power path between the robot battery pack (200) and the robot power distribution bus (300). When a command is received from an independent signal channel, the independent battery disconnect module (100) provides a fast, reliable, and software-independent disconnection of the battery power supply, and the power supply can be restored in a lossless manner by a subsequent command without replacing any components.
The technical solution of this invention is composed of the following three basic structural elements:

The first element is the series physical power path: the circuit breaker assembly (110) is arranged in series with the main battery bus, and its action removes all electrical power to the robot, regardless of the state of the robot's software, safety controller or motor driver.

The second element is an independent power supply: the module controller (130) and the independent radio frequency receiver (140) draw power only from an independent power supply (150) that is physically separate from and electrically isolated from the robot battery pack (200), so that the independent battery disconnect module can still operate if the robot battery is depleted, short-circuited, or disconnected by the robot system.

The third element is reversible RF reconnection: upon receiving an authenticated reconnection command via the independent RF receiver (140), the module controller (130) closes the circuit breaker assembly (110) to restore power to the robot without replacing or physically intervening in any component of the circuit breaker module.

In a further aspect, the present invention provides a physical failure mode selector (160), which cannot be accessed by the robot software system and is configurably selectable between at least two preset failure response modes. Each of the preset failure response modes specifies the closing, holding, or opening logic of the circuit breaker assembly (110) when at least one of the following events occurs: module power-on, loss of a valid heartbeat signal, receipt of an authenticated explicit disconnect command, and receipt of an authenticated reconnect command.
Preferably, the at least two preset failure response modes include a fail-safe mode (requiring continuous heartbeat signals to maintain power supply) and a fail-hold mode (maintaining the last commanded state unless an explicit command is received); in a further embodiment, a power-on default disconnect mode may also be included.

Additional features of the preferred embodiment include: a braking circuit (120) for dissipating the back EMF of the motor, two series DC contactors (110a, 110b) for redundant disconnection, a communication protocol using symmetric key message authentication (preferably AES-128-CMAC), a tamper-proof detection circuit (170), and a non-volatile event log memory (180).

Compared with the prior art, the present invention achieves at least the following technical effects:

(1) The independent battery circuit breaker module is completely isolated from the robot. The independent power supply, independent radio frequency channel and independent controller make it impossible for the robot's software and hardware to block, delay or override the disconnect command. This solves the fundamental defect of existing command-level safety systems that rely on the robot's own control stack.
(2) In a preferred embodiment, the contactor can be disconnected within 10 milliseconds after receiving an authenticated disconnect command, and the complete power-off process can be completed within 600 milliseconds. This response speed helps to meet the safety response time requirements of ISO 13482 for personal care robots.
(3) Power restoration without damage: the contactor closes upon receiving the reconnection command, and the robot restarts according to its normal power-on procedure. No module or robot component needs to be replaced. This contrasts sharply with disposable pyrotechnic interruption devices.
(4) The braking circuit closes before or at the same time as the contactor opens, providing a dissipation path for the back electromotive force generated by motor regeneration. This prevents the bus voltage from rising suddenly and damaging the motor controller and other electronic components.
(5) Multiple configurable failure response modes can be selected via physical DIP switches. The module can be used in scenarios with extremely high requirements for reliable shutdown (fail-safe mode: disconnection upon signal loss) and in scenarios with low tolerance for unexpected shutdown (fail-hold mode: disconnection only upon explicit command); through the power-on default disconnect mode, it can also require an explicit reconnection command to be sent manually before each power restoration.
(6) An independent power supply (preferably a primary lithium battery) provides at least three years of standby life, ensuring that the module remains operational even if the robot is parked for a long time, the battery is depleted, or the robot system fails.
(7) The tamper-proof housing and non-volatile event log provide incident tracing capabilities and audit data for regulatory compliance and incident investigation.

Detailed Implementation

The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings. These preferred embodiments are illustrative of the invention and are not intended to limit its scope.

Figure 1: The system block diagram of the present invention, showing an independent battery circuit breaker module (100) arranged in series between the robot battery pack (200) and the robot power distribution bus (300), and its connection to the ground of the robot chassis.
Figure 2: The electrical schematic diagram of the circuit breaker assembly (110) (dual contactor) and the braking circuit (120) (power resistor network + controlled switching device).
Figure 3: The functional block diagram of the module controller (130), showing power management, RF receiver interface, contactor drive, brake circuit drive, failure mode selector input, event log interface and tamper detection input.
Figure 4: The communication protocol state machine, showing the preferred state transitions in fail-safe mode, fail-hold mode, and power-on default disconnect mode, including normal operation, heartbeat monitoring, the disconnect sequence, and the reconnection sequence; other preset failure response modes can be implemented by adding states or changing state transition conditions.
Figure 5: The physical layout diagram of the module, showing the location of the connection points, the failure mode selector access port, the manual override button, the status indicator, and the tamper-proof housing features.
Figure 6: The timing diagram, showing the sequence from receiving the disconnect command, through closing the braking circuit, opening the contactor, and the bus voltage decaying, to the actuator de-energizing.

I. System Architecture Overview

Referring to Figure 1, an independent battery disconnect module (100) is connected in series in the main power path between the robot battery pack (200) and the robot power distribution bus (300). The independent battery disconnect module (100) includes:

- Circuit breaker assembly (110): Two high-current DC contactors (110a, 110b) connected in series on the positive bus of the battery. The dual contactors provide redundancy against a single contactor welding failure.
- Braking circuit (120): A network of power resistors connected across the robot power distribution bus (300), and an independent controlled switching device (120a). The controlled switching device is preferably a semiconductor switch, more preferably a power MOSFET or IGBT, and in other embodiments may be an electromechanical switch or a hybrid switch consisting of an electromechanical switch and a semiconductor switch. The controlled switching device closes when or before the contactor is opened, providing a dissipation path for the back electromotive force of the motor.
- Module controller (130): Low-power microcontroller (e.g., ARM Cortex-M0+ class) with formally verified firmware, powered only by the independent power supply (150).
- Independent RF receiver (140): A dedicated RF receiver operating at 433 MHz or 915 MHz (LoRa or FSK modulation), physically separate from any receiver used in the robot control system.
- Independent power supply (150): A sealed primary lithium battery (e.g., CR123A, 3 V, 1500 mAh) or a small rechargeable lithium polymer battery, providing a standby life of not less than 3 years at a quiescent current not exceeding 50 µA.
- Physical failure mode selector (160): Physical DIP switch assembly that sets the failure mode of the module operation; cannot be accessed without physically opening the module.
- Tamper detection circuit (170): Detects damage to the outer casing by using a continuous conductive loop inside the module casing.
- Non-volatile event log storage (180): Non-volatile flash memory (e.g., 1 Mbit NOR flash memory) that stores timestamped records of all disconnect and reconnection events.
- Status indicator (190): LED and audio indicator powered by the independent power supply (150) to provide module status indication without relying on robot power supply.

II. Circuit Breaker Components

The circuit breaker assembly (110) employs two high-current DC contactors (110a, 110b) connected in series on the positive bus of the main battery.
Applicable contactors include models with rated DC arc breaking capacity matching the relevant bus voltage (typically 36 V to 80 V for mobile robots based on 13S to 15S lithium-ion battery configurations, with transient peaks up to 90 V during regenerative braking), and continuous current ratings from 100 A to 600 A depending on application requirements.

The series dual-contactor design addresses single-point failure modes. A single contactor may fail in a welded-closed state under high-current arc-breaking conditions. When two contactors are connected in series, the probability of simultaneous welded-closed failure is the product of their individual failure probabilities, which significantly improves the reliability of the disconnect (power-off) state.

Both contactors are driven by the module controller (130) through an electrically isolated contactor coil drive circuit. Normally open contactors (closed when energized) are preferred so that the contactors automatically open when the module controller is de-energized, which conforms to the fail-safe design principle.

III. Braking Circuit

When the circuit breaker assembly (110) opens, the actuators (motors) in the robot that are still in motion continue to generate electrical energy (regenerative braking / back electromotive force). If the battery pack is no longer acting as an energy absorber, this energy will cause voltage anomalies on the robot's power distribution bus (300), which may damage the motor controller, capacitors and other electronic components.

The braking circuit (120) includes one or more power resistors (with a rated energy dissipation E = ½ × C_bus × ΔV², typically tens to hundreds of joules) connected in parallel across the robot power distribution bus (300) via a controlled switching device (120a).
The controlled switching device is preferably a normally open semiconductor switch (e.g., a power MOSFET or IGBT), but in alternative embodiments it may be an electromechanical switch or a hybrid switch. The controlled switching device (120a) is commanded to close by the module controller (130) when or slightly before the contactor opens, thus immediately providing an energy dissipation path. The resistance value and rated power dissipation are selected to limit the peak voltage of the bus to an acceptable range and to dissipate the stored kinetic and electromagnetic energy within the expected time (typically 100 to 500 milliseconds).

IV. Independent Power Supply

The independent power supply (150) is a battery or energy storage device characterized by the following:
(a) It is physically separated from the robot battery pack (200);
(b) It has no electrical connection to the robot's power distribution bus (300);
(c) In the preferred primary battery implementation, it cannot be charged by a robot charging system;
(d) It can continuously power the module controller (130) and the independent RF receiver (140) in standby mode for at least three years without replacement.

In a preferred embodiment, a 3 V, 1500 mAh lithium primary battery (e.g., CR123A) is used to power the module. When the overall quiescent current of the module is controlled to approximately 50 µA or less, this battery provides approximately 30,000 hours (approximately 3.4 years) of standby life; when the quiescent current is further reduced to approximately 30 µA or less, the standby life can be extended to more than 5 years. Alternative embodiments employ small lithium polymer batteries in conjunction with a dedicated solar or inductive charging subsystem electrically isolated from the robot system.
The low battery detection circuit generates an audio-visual warning signal when the independent power supply (150) is close to being depleted, providing an early warning for battery replacement; in some embodiments, the detection result can also be used as input to a preset failure response mode to prohibit new reconnection actions, trigger a controlled disconnect, or enter a protection state that retains only the ability to disconnect.

V. Independent RF Receiver and Communication Protocol

The independent radio frequency receiver (140) operates at a carrier frequency selected to avoid the frequency bands commonly used by the robot control system:
- Excluded: 2.4 GHz (IEEE 802.11, Bluetooth, many proprietary robotic protocols)
- Excluded: 5 GHz (IEEE 802.11ac/ax)
- Preferred: 433 MHz ISM band or 915 MHz ISM band (LoRa or FSK modulation)

The advantages of using a sub-GHz physical layer include:
- Better penetration of buildings and robot chassis
- Lower sensitivity to interference from 2.4 / 5 GHz robotic systems
- Compatibility with established long-range low-power radio technologies (LoRa, GFSK)

The communication protocol includes:
- Anti-replay mechanism: Each command contains a rolling counter, and the module controller (130) refuses to accept commands whose counter value is not greater than the most recently accepted value, to prevent replay attacks.
- Message authentication: A message authentication code (MAC) is calculated using a pre-shared key to verify the source of the command and the integrity of its content, preferably using AES-128-CMAC.
- Command confirmation: The module controller (130) sends a confirmation via the return channel to confirm that the command has been executed.
- Heartbeat mechanism (fail-safe mode): The remote transmitter (400) sends periodic "live" messages at configurable intervals (1 to 10 seconds); if no heartbeat is received for 2 to 3 consecutive heartbeat cycles, a disconnect is triggered.
- Optional payload confidentiality: In some implementations, the command payload may also be protected with symmetric encryption, preferably AES-128.

The remote transmitter (400) (handheld controller) is a standalone device and is not integrated into the robot. It has its own power supply and can be held by a human operator or safety officer, or installed at a fixed safety position.

VI. Failure Mode Selector

The physical DIP switch assembly (160) (or an equivalent physical selector not accessible by software) selects between at least two preset failure response modes. Each preset failure response mode specifies the closing, holding, or opening logic of the circuit breaker assembly (110) upon the occurrence of at least one of the following events: module power-on, loss of heartbeat signal, receipt of an authenticated explicit disconnect command, and receipt of an authenticated reconnection command. Preferred implementations include the following three modes:

Fail-safe mode (e.g., DIP code = 01): The module controller (130) holds the contactors (110a, 110b) in the closed position only when a valid heartbeat signal is received from the independent RF receiver (140) within a configured time interval. An interruption of the heartbeat signal (due to power failure of the remote transmitter, RF interference, or intentional triggering) will cause the module controller (130) to open the contactors after 2 to 3 heartbeat cycles. This mode provides maximum safety at the expense of a risk of false triggering.

Fail-hold mode (e.g., DIP code = 00): The module controller (130) maintains the contactors (110a, 110b) in their last commanded state, regardless of the presence of a heartbeat signal. The contactors open only upon receiving an explicit, authenticated disconnect command. This mode prioritizes operational stability and is suitable for environments with known risks of radio frequency interference or where false triggering is intolerable.
Power-on default disconnect mode (e.g., DIP code = 10, or implemented by another combination of codes for other physical selectors): After the module is powered on, the independent power supply is restored, or the module is reset, the module controller (130) keeps the contactors (110a, 110b) open and does not automatically close them even if a valid heartbeat signal is present. The contactors are only allowed to close upon receiving an explicit, authenticated reconnection command; after closing, the module controller (130) maintains the contactors in the last commanded state until an explicit disconnect command is received. This mode is suitable for maintenance, transportation, handover, or scenarios where manual explicit confirmation is required for each power restoration.

In addition to the three preferred modes described above, in other embodiments, the preset failure response mode may also include one or more of the following:

Grace-period disconnect mode: After the first loss of a valid heartbeat signal, the module controller (130) maintains the current closed state of the circuit breaker assembly (110) for a predetermined grace period or a predetermined number of additional heartbeat cycles. If a valid heartbeat signal is received again during this grace period, the closed state is maintained. If no signal is received by the end of the grace period, the circuit breaker assembly (110) is opened. Whether or not a grace period is in progress, the module controller (130) immediately performs a disconnect upon receiving an authenticated explicit disconnect command. This mode is suitable for scenarios where short-term disruptions are common in the RF environment, but automatic disconnection is still required after a loss of connection.
Local manual reset mode: The circuit breaker assembly (110) remains open after being opened due to an explicit disconnect command, loss of heartbeat signal, tamper event, low battery protection event, or module reset, until a local manual reset operation is performed on the module housing. The local manual reset operation can be performed via a key switch (not shown), a sealed reset button, a jumper pin, or other physical components not accessible to the robot software; in some embodiments, after a local manual reset, an authenticated explicit reconnection command is still required before the module controller (130) allows the circuit breaker assembly (110) to close. This mode is suitable for high-risk maintenance, personnel handover, long-distance transportation, or scenarios requiring "double confirmation" before power-on.

Low battery protection mode: When the low battery detection circuit indicates that the independent power supply (150) is nearing depletion, the module controller (130) prohibits new reconnection actions, or actively opens the circuit breaker assembly (110) after a predetermined delay, maintaining at least the ability to respond to explicit disconnect commands, while generating an alarm and an event log entry. The purpose of this mode is to prioritize the availability of the disconnect function when the independent power supply margin is insufficient, and to avoid allowing the module to enter a continuously connected state when the independent power supply cannot reliably support the control, receive, and hold logic.

In all the above modes, the manual override button (hardwired directly to the contactor coil drive circuit, completely bypassing the module controller) provides an instant disconnect function unaffected by firmware status.

VII. Anti-tampering and Event Log

The module housing is fitted with a tamper-proof seal and a continuous conductive loop monitored by the module controller (130).
Damage to the housing's continuous loop generates a log entry and, in a preferred embodiment, triggers a disconnect event.

The non-volatile event log storage (180) stores the following records:
- All disconnect events (timestamp, trigger source: command / heartbeat loss / manual / tamper)
- All reconnection events (timestamps, authenticated command identifiers)
- Module power-on events
- Low battery warnings

The timestamp is provided by a real-time clock (RTC) inside the module controller (130) and maintained by the independent power supply (150). The log entries can only be read via a dedicated physical interface (such as a USB-C port within a sealed compartment) and are accessible only to authorized personnel.

VIII. Physical Integration

The independent battery disconnect module (100) is designed as a compact module integrated between the robot battery pack (200) and the robot chassis power distribution point. In a preferred embodiment, the module is connected to the robot via a standardized high-current DC connector (e.g., Anderson Powerpole, XT90, or application-specific connector). The module housing has an IP65 or higher protection rating, providing dust and water resistance consistent with the robot's working environment. The module is mechanically secured to the robot chassis using vibration-resistant fasteners, as the walking robot's working environment exerts continuous mechanical vibration on the module.

IX. Operating Sequence

Normal operation:
1. The module controller (130) is powered by the independent power supply (150).
2. The module controller reads the failure mode from the DIP switch (160).
3. In fail-safe mode: the independent battery disconnect module awaits the first heartbeat signal from the remote transmitter (400); the contactor remains open until the heartbeat is established. In power-on default disconnect mode: the contactor remains open until an explicit, authenticated reconnection command is received.
4. Upon receiving a valid, authenticated reconnection command, the contactors (110a, 110b) close, connecting the robot battery pack (200) to the robot power distribution bus (300).
5. The robot is powered on and works normally.

Emergency disconnection:
1. The operator presses the disconnect button on the remote transmitter (400) (or interrupts the heartbeat in fail-safe mode).
2. The independent battery disconnect module receives an authenticated disconnect command (or detects a loss of heartbeat).
3. The module controller (130) closes the brake circuit switch (120a).
4. The module controller (130) simultaneously opens the contactors (110a, 110b) (or opens them within 5 milliseconds after the braking circuit is closed).
5. The robot power distribution bus (300) is isolated from the battery pack (200).
6. The back electromotive force generated by the robot actuators is dissipated in the braking resistor (120).
7. The robot de-energizes within 100 to 500 milliseconds. If the robot is equipped with a fail-safe brake, the robot joints will lock; otherwise, the robot will enter a passive position determined by gravity.
8. The module controller (130) writes the events with timestamps to the event log storage (180).
9. The status indicator (190) indicates the disconnected status.

Power restoration:
1. The operator confirms that the robot and the environment are in a safe condition.
2. The operator sends an authenticated reconnection command from the remote transmitter (400).
3. The module controller (130) receives and authenticates the command.
4. The module controller (130) opens the brake circuit switch (120a).
5. The contactors (110a, 110b) close to restore power supply to the robot's power distribution bus (300).
6. The robot restarts according to its normal power-on procedure.
7. The module controller (130) writes the reconnection event to the log.

X. Other Implementation Methods

The scope of protection of this invention is not limited to the preferred embodiments described above. Those skilled in the art can make the following substitutions and modifications without departing from the concept of this invention:

(1) The circuit breaker assembly (110) may be a solid-state power device (e.g., SiC or GaN MOSFET or IGBT component) instead of a mechanical contactor to achieve faster switching speed or longer life.
(2) The independent power supply (150) can be a combination of supercapacitors and self-powered generators (e.g., piezoelectric vibration or thermoelectric energy harvesting devices) to eliminate the need for periodic battery replacement.
(3) The carrier frequency of the independent radio frequency receiver (140) is not limited to 433 MHz or 915 MHz; other sub-GHz ISM bands (e.g., 169 MHz, 868 MHz) are also applicable.
(4) For the failure mode selector (160), in addition to DIP switches, key switches, jumpers, rotary encoders or other physical selection devices that are not accessible to robot software may also be used.
(5) The remote transmitter (400) can be a handheld remote control, a fixed security post control console, or a wearable alarm button; multiple remote transmitters can simultaneously perform authentication operations on the same module.
(6) The independent battery circuit breaker module (100) can be manufactured as a built-in module (integrated into the original robot battery pack) or an external module (installed on the existing robot chassis).
(7) The preset failure response mode selected by the failure mode selector (160) is not limited to the fail-safe mode, the fault hold mode and the power-on default disconnect mode; without modification by the robot software, other circuit-breaking logic can also be defined according to the application scenario for module power-on, heartbeat signal loss, reconnection command, explicit circuit-breaking command, low power state or local manual reset event, such as grace period disconnection mode, local manual reset mode, low power protection mode and its combination variants. Any modifications, substitutions, or improvements made in accordance with the concept and principles described above shall be considered to fall within the scope of protection of this invention.
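The work sequence and failure response modes described above, together with the rolling-counter replay check and message authentication code recited in the claims, can be modelled as a small receiver-side state machine. This is an added example, not code from the patent: the frame layout, command codes, 0.5 s heartbeat timeout and the rule that a fail-safe reconnect needs a fresh heartbeat are assumptions, and truncated HMAC-SHA256 stands in for AES-128-CMAC because the Python standard library has no CMAC.

```python
import hashlib
import hmac
import struct

# Constructed values: command codes, tag length, frame layout, timeout.
DISCONNECT, RECONNECT, HEARTBEAT = 1, 2, 3
FAIL_SAFE, FAULT_HOLD, DEFAULT_OPEN = "fail-safe", "fault-hold", "default-open"
TAG_LEN = 16


def mac(key, body):
    # Stand-in: HMAC-SHA256 truncated to 16 bytes; the claims name AES-128-CMAC.
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def make_frame(key, cmd, counter):
    """Transmitter side: command byte | 32-bit rolling counter | MAC tag."""
    body = struct.pack(">BI", cmd, counter)
    return body + mac(key, body)


class ModuleController:
    def __init__(self, key, mode, timeout_s=0.5, last_counter=0):
        self.key, self.mode, self.timeout_s = key, mode, timeout_s
        self.last_counter = last_counter  # assumption: persisted across resets
        self.closed = False               # contactors start open in every mode
        self.brake_on = False
        self.last_heartbeat = None
        self.log = []

    def _open(self, source, now):
        self.brake_on = True              # braking path on before contactors open
        self.closed = False
        self.log.append((now, "open", source))

    def handle_frame(self, frame, now):
        if len(frame) != 5 + TAG_LEN:
            return "rejected: length"
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return "rejected: mac"
        cmd, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter       # advanced only for authenticated frames
        if cmd == DISCONNECT:
            self._open("command", now)
        elif cmd == HEARTBEAT:
            self.last_heartbeat = now
        elif cmd == RECONNECT:
            stale = (self.last_heartbeat is None
                     or now - self.last_heartbeat > self.timeout_s)
            if self.mode == FAIL_SAFE and stale:
                return "refused: no heartbeat"
            self.brake_on = False         # release braking path, then close
            self.closed = True
            self.log.append((now, "close", counter))
        else:
            return "rejected: command"
        return "accepted"

    def tick(self, now):
        """Periodic check; only fail-safe mode opens on heartbeat loss."""
        if (self.mode == FAIL_SAFE and self.closed
                and now - self.last_heartbeat > self.timeout_s):
            self._open("heartbeat-loss", now)
```

The counter is compared and advanced only after the tag verifies, so an unauthenticated frame carrying a large counter value cannot lock out the legitimate transmitter.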

Claims

1. An independent battery disconnect module (100) for an autonomous robot, characterized in that it comprises:
- a circuit breaker assembly (110) arranged in series in the main power path between the robot battery pack (200) and the robot power distribution bus (300);
- a module controller (130);
- an independent power supply (150) that is physically separate from and electrically isolated from the robot battery pack (200) and is configured to supply power to the module controller (130) without drawing power from the robot battery pack (200) or the robot power distribution bus (300); and
- an independent radio frequency receiver (140), powered by the independent power supply (150), configured to receive control signals from a remote transmitter (400) located outside the autonomous robot and to provide the control signals to the module controller (130);
wherein the module controller (130) is configured to:
- upon receiving an authenticated circuit-breaking command via the independent radio frequency receiver (140), disconnect the circuit breaker assembly (110); and
- upon receiving an authenticated reconnection command via the independent radio frequency receiver (140), close the circuit breaker assembly (110) to restore power to the autonomous robot, without requiring replacement of any component of the independent battery circuit breaker module (100).

2. A method for providing human priority control over the power supply of an autonomous robot, characterized in that it comprises:
- connecting the circuit breaker assembly (110) in series in the main power path between the robot battery pack (200) and the robot power distribution bus (300);
- powering the module controller (130) and the independent radio frequency receiver (140) only from a separate power source (150) that is physically separate from and electrically isolated from the robot battery pack (200);
- receiving, by the independent radio frequency receiver (140), an authenticated circuit-breaking command from a remote transmitter (400) located outside the autonomous robot;
- in response to the authenticated circuit-breaking command, disconnecting the circuit breaker assembly (110) to sever the electrical connection between the robot battery pack (200) and the robot power distribution bus (300); and
- upon receiving an authenticated reconnection command from the remote transmitter (400), closing the circuit breaker assembly (110) to restore power to the robot power distribution bus (300), the closure not requiring replacement of any component of the stand-alone battery circuit breaker module (100).

3. An independent battery disconnect module (100) for an autonomous robot, characterized in that it comprises:
- a circuit breaker assembly (110) arranged in series in the main power path between the robot battery pack (200) and the robot power distribution bus (300), and including a first DC contactor (110a) and a second DC contactor (110b) connected in series along the main power path;
- a braking circuit (120) connected across the two ends of the robot power distribution bus (300) and including an energy-consuming element and a controlled switching device (120a);
- a module controller (130);
- an independent power supply (150), physically separate from and electrically isolated from the robot battery pack (200), configured to supply power to the module controller (130) and the independent radio frequency receiver (140);
- an independent radio frequency receiver (140), powered by the independent power supply (150), configured to receive control signals from a remote transmitter (400) located outside the autonomous robot; and
- a physical failure mode selector (160), which is not accessed by the software system of the autonomous robot, connected to the configuration input terminal of the module controller (130);
wherein the module controller (130) is configured to:
- select, based on the setting of the physical failure mode selector (160), among at least two preset failure response modes, each of which specifies the closing, holding or opening logic of the circuit breaker assembly (110) when at least one of the following events occurs: module power-on, loss of valid heartbeat signal, receipt of an authenticated explicit circuit-breaking command, and receipt of an authenticated reconnection command; and
- before or at the same time as the circuit breaker assembly (110) is disconnected, operate the controlled switching device (120a) so that the energy-consuming element is connected across the two ends of the robot power distribution bus (300).

4. A safety system for autonomous robots, characterized in that it comprises:
- the independent battery circuit breaker module (100) according to claim 1 or 3; and
- a remote transmitter (400) that is physically separate from the autonomous robot and is not controlled by the autonomous robot's software system; the remote transmitter (400) is configured to transmit authenticated disconnect commands and authenticated reconnect commands to the independent radio frequency receiver (140).

5. The independent battery circuit breaker module (100) according to claim 1, characterized in that the circuit breaker assembly (110) includes a first DC contactor (110a) and a second DC contactor (110b) connected in series along the main power path, and each of the DC contactors is independently driven by the module controller (130) through a corresponding contactor coil drive circuit.

6. The independent battery circuit breaker module (100) according to claim 1, characterized in that it further comprises a braking circuit (120); the braking circuit (120) is connected across both ends of the robot power distribution bus (300) and includes energy-consuming elements and a controlled switching device (120a); the controlled switching device (120a) is controlled by the module controller (130) and is turned on before the circuit breaker assembly (110) is disconnected or at the same time as the circuit breaker assembly (110) is disconnected, so as to provide a dissipation path for the regenerative power generated by the autonomous robot actuator.

7. The independent battery circuit breaker module (100) according to claim 3 or 6, characterized in that the energy-consuming element includes a power resistor network, and the controlled switching device (120a) is a semiconductor switch.

8. The independent battery circuit breaker module (100) according to claim 3 or 6, characterized in that the energy-consuming element includes a power resistor network, and the controlled switching device (120a) is an electromechanical switch or a hybrid switch formed by combining an electromechanical switch and a semiconductor switch.

9. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that the module controller (130) implements an authentication protocol for commands received via the independent radio frequency receiver (140), the authentication protocol including at least a replay protection mechanism for rejecting expired or duplicate commands.

10. The independent battery circuit breaker module (100) according to claim 9, characterized in that the replay protection mechanism includes a monotonically increasing rolling counter in each sent command, and the module controller (130) rejects commands whose counter value is not greater than the most recently accepted counter value.

11. The independent battery circuit breaker module (100) according to claim 9, characterized in that the authentication protocol also includes a message authentication code used to verify the source of the command or the integrity of the content.

12. The independent battery circuit breaker module (100) according to claim 11, characterized in that the message authentication code is calculated based on a pre-shared key and using the AES-128-CMAC algorithm.

13. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that the module controller (130) is configured to disconnect the circuit breaker assembly (110) within 50 milliseconds after receiving the authenticated circuit-breaking command.

14. The independent battery circuit breaker module (100) according to claim 13, characterized in that the module controller (130) is configured to disconnect the circuit breaker assembly (110) within 20 milliseconds after receiving the authenticated circuit-breaking command.

15. The independent battery circuit breaker module (100) according to claim 14, characterized in that the module controller (130) is configured to disconnect the circuit breaker assembly (110) within 10 milliseconds after receiving the authenticated circuit-breaking command.

16. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that the independent radio frequency receiver (140) operates at a carrier frequency in the range of 400 MHz to 1000 MHz.

17. The independent battery circuit breaker module (100) according to claim 16, characterized in that the carrier frequency is one of the industrial, scientific, or medical bands: 433 MHz, 868 MHz, or 915 MHz.

18. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that the independent power supply (150) includes a primary lithium battery; the primary lithium battery has the capacity to continuously power the module controller (130) and the independent radio frequency receiver (140) for at least three years in standby mode without needing to be recharged from the robot battery pack (200).

19. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that the independent power supply (150) includes a rechargeable battery that is electrically isolated from the robot battery pack (200) and the robot power distribution bus (300).

20. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that it further comprises a manual override actuator; the manual override actuator is directly connected via a hardwire to the drive circuit of the circuit breaker assembly (110), the hardwire bypassing the module controller (130) and configured to disconnect the circuit breaker assembly (110) when manually actuated, without depending on the current state of the module controller (130) or its firmware.

21. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that it further comprises an anti-tamper detection circuit (170); the anti-tamper detection circuit (170) is configured to detect physical damage to the housing of the independent battery circuit breaker module (100); and the module controller (130) is configured to disconnect the circuit breaker assembly (110) and record the tamper event when the anti-tamper detection circuit (170) detects the damage.

22. The independent battery circuit breaker module (100) according to claim 1 or 3, characterized in that it further comprises a non-volatile event log memory (180); the non-volatile event log memory (180) is configured to record timestamped circuit break events, reconnection events and module power-on events; the non-volatile event log memory (180) is read via a dedicated diagnostic port located on the housing of the independent battery circuit breaker module (100), the dedicated diagnostic port being electrically unconnected to the robot power distribution bus (300) and the main signal bus of the autonomous robot.

23. The independent battery circuit breaker module (100) according to claim 3, characterized in that the at least two preset failure response modes include a fail-safe mode; in the fail-safe mode, the module controller (130) keeps the circuit breaker assembly (110) closed only while it continuously receives a valid heartbeat signal via the independent radio frequency receiver (140) within a predetermined timeout period, and disconnects the circuit breaker assembly (110) if it does not receive the valid heartbeat signal for more than the predetermined timeout period.

24. The independent battery circuit breaker module (100) according to claim 3, characterized in that the at least two preset failure response modes include a fault hold mode; in the fault hold mode, the module controller (130) holds the circuit breaker assembly (110) in the last commanded state unless an authorized explicit circuit-breaking command is received via the independent radio frequency receiver (140).

25. The independent battery circuit breaker module (100) according to claim 3, characterized in that the at least two preset failure response modes include a power-on default disconnect mode; in the power-on default disconnect mode, the module controller (130) keeps the circuit breaker assembly (110) disconnected after the module is powered on, the independent power supply is restored, or the module is reset, and only allows the circuit breaker assembly (110) to close after receiving an authenticated explicit reconnection command via the independent radio frequency receiver (140).

Reference numerals: 100 Independent battery circuit breaker module; 110 Circuit breaker assembly; 110a, 110b DC contactors; 120 Braking circuit; 120a Semiconductor switch; 130 Module controller; 140 Independent RF receiver; 150 Independent power supply; 160 Physical failure mode selector; 170 Anti-tampering detection circuit; 180 Non-volatile event log memory; 190 Status indicators; 200 Robot battery pack; 300 Robot power distribution busbar; 400 Remote transmitter.