Intention-driven robot action control chip and distributed safety control system thereof

By using an intent-driven robot motion control chip, the problems of bypassable safety constraints, uncertain delays, and single points of failure in robot motion control are solved. It achieves the physical insurmountability of hardware-level safety constraints, deterministic delay and real-time performance, distributed operation without single points of failure, intent-level semantic mapping and cross-ontology adaptation, ensuring safety and task continuity.

CN122299680APending Publication Date: 2026-06-30李宗鹏

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
李宗鹏
Filing Date
2026-05-30
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing robot motion control suffers from problems such as circumventable safety constraints, uncertain delays, single points of failure, and the inability to implement intent semantic mapping at the hardware level.

Method used

Design an intent-driven robot motion control chip, including an intent interface module, an intent decoder, a motion primitive mapping engine, and a hardware-level safety constraint module. The chip receives intent vectors through SPI/CAN/UART interfaces, verifies their legality, and maps them into parameterized joint trajectories. The hardware-level safety constraint module solidifies the joint motion limit parameters through a one-time fuse programming method, and uses a combinational logic mask to achieve a physically unbypassable safety check.

Benefits of technology

It achieves physical unbypassability of hardware-level security constraints, deterministic latency and real-time performance, distributed system without single points of failure, intent-level semantic mapping and cross-ontology adaptation, security and task continuity, while also having the ability to update software security constraints.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122299680A_ABST
    Figure CN122299680A_ABST
Patent Text Reader

Abstract

This invention discloses an intent-driven robot motion control chip and its distributed safety control system. The chip includes: an intent interface module that receives semantic intent vectors output by an AI layer; an intent decoder that verifies legality; an action primitive mapping engine that maps the intent to joint trajectories; a hardware-level safety constraint module that uses a one-time fuse to solidify joint limit parameters and uses a combinational logic mask to trim them to a safe range, with the mask located in a single signal path without bypass; and an actuator drive interface that outputs control signals. The chip can be distributed and embedded in each joint to achieve decentralized safety control, and each chip independently maintains a safe state when the main controller fails. This invention achieves physically unbypassable safety through hardware-level constraints, ensures deterministic latency, eliminates single points of failure, and ensures task continuity while maintaining safety through mask trimming.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of robot control technology, specifically to a dedicated chip that maps semantic intent vectors to physical actions and applies hardware-level safety constraints, and a distributed robot safety control system based on the chip. Background Technology

[0002] Currently, there are two main paradigms for robot motion control: the end-to-end vision-language-action (VLA) paradigm and the hierarchical control paradigm.

[0003] End-to-end VLA directly inputs and outputs joint control signals from sensors, with typical solutions including RT-2, Octo, and Figure Helix. This approach has the following problems: the AI ​​directly outputs joint angles or torques, safety constraints rely on software filtering and can be bypassed; the motion space is huge (e.g., 22 joints × continuous angles), requiring the AI ​​to learn legal movements from scratch; a full retraining is required when changing the host; and software safety checks suffer from deterministic latency issues (CPU scheduling jitter).

[0004] Layered control paradigms include traditional motion planning + PID control, AEGIS safety layer, etc. This approach has the following problems: high inter-layer communication latency (CPU bus → actuator driver); safety constraints are implemented in software, posing a risk of being bypassed (software bugs, memory tampering, priority inversion); centralized control requires all signals to return to the main control board, creating a single point of failure risk.

[0005] Existing safety constraint schemes have the following limitations: CPU software security checks can be bypassed by software bugs or attacks, and the latency is uncertain; FPGA programmable safety logic can be reprogrammed, and constraints can be overridden or bypassed; motor driver built-in limit switches only limit the angle of a single joint, without cross-joint coordination or intention-level semantic constraints; the AEGIS control barrier function (CBF) software layer is implemented purely in software and runs on the CPU, so the latency is affected by scheduling; the Standardized Autonomous Safety Module (SASM) uses an independent safety processor + hardware power-off method to cut off the AI ​​power supply within 10ms, but the power-off causes the robot to stop and the task to be interrupted. Even if only one joint exceeds the limit, it will trigger a whole-body power-off, and semantic-level correction cannot be performed.

[0006] Existing technologies have not solved the following technical problems: how to prevent the AI ​​layer from physically outputting actuator instructions that exceed the safety range; how to ensure that the latency of safety constraint checks is constant and unaffected by CPU load; how to avoid single points of failure in centralized control and enable each joint to have independent safety capabilities; and how to achieve semantic mapping from intent vectors to actions at the hardware level, rather than simply limiting joint angles. Summary of the Invention

[0007] I. Technical Problem to be Solved: In response to the problems of safety constraints being circumvented, uncertain delays, single points of failure, and the inability to implement semantic mapping of intent at the hardware level in existing robot motion control, the technical problem to be solved by this invention is: how to design a dedicated chip to map semantic intent vectors into parameterized joint trajectories and apply safety constraints in a physically unbypassable manner, so that the AI ​​layer cannot output dangerous instructions at the hardware level, while providing a distributed safety control system so that each joint has independent safety capabilities.

[0008] II. Technical Solution: This invention provides an intent-driven robot motion control chip, comprising: an intent interface module for receiving low-dimensional semantic intent vectors output from an external AI layer, supporting configurable interface protocols such as SPI / CAN / UART; an intent decoder connected to the intent interface module for verifying the legality of the intent vectors, including dimensionality range checks and mutual exclusion intent detection and arbitration, wherein the mutual exclusion intent detection identifies semantic conflicts, and the arbitration determines that high-priority intents cover low-priority intents according to a priority table; and a motion primitive mapping engine connected to the intent decoder, including a read-only memory storing motion primitive templates and a parameter instantiator for mapping the legal intent vectors into parameterized joint trajectories, wherein the motion primitive templates are parameters. The system includes a parameterized joint trajectory template, which is factory-fixed and cannot be modified. The parameter instantiator updates the primitive parameter mapping relationship via over-the-air (OTA) download. A hardware-level safety constraint module, connected to the motion primitive mapping engine, fixes the joint motion limit parameters using a one-time fuse programming method. It uses a combinational logic mask to trim the parameterized joint trajectory to a safe range. This combinational logic mask is located on the only signal path between the motion primitive mapping engine and the actuator output, with no bypass paths. The combinational logic mask completes the constraint trimming operation for all joints within one clock cycle. An actuator driver interface, connected to the hardware-level safety constraint module, outputs the safety-constrained actuator control signal, supporting configurable protocols such as PWM / SPI / CAN.

[0009] This invention also provides a distributed robot safety control system, comprising: a main controller that outputs a low-dimensional semantic intent vector; and multiple intent-driven robot motion control chips as described above, each embedded in a joint of the robot. Each chip receives the intent vector via a CAN or SPI bus and independently performs intent decoding, motion primitive mapping, hardware-level safety constraint checking, and actuator drive output. The hardware-level safety constraint parameters of each chip are independently configured according to the physical limits of the joint in which it is embedded. When the main controller fails, each chip independently enters a safe state.

[0010] III. Beneficial Effects: (1) Physical Inviolability of Hardware-Level Security Constraints. The hardware-level security constraint module solidifies the joint motion limit parameters into irreversible constraints through one-time fuse burning. It achieves physical inviolability of security checks through combinational logic masks. The combinational logic is completed within one clock cycle, with a determined delay, and is not affected by CPU load. The hardware-level security constraint module is located on the only signal path from intent decoding to actuator output. There are no bypass paths, and the constraint parameters do not have software interfaces. The AI ​​side, CPU, or DMA cannot read or write them. Tampering requires physically opening the chip package and modifying the silicon wafer, which is not feasible in the operating environment.

[0011] (2) Deterministic Delay and Real-Time Guarantee. The hardware-level security constraint check uses pure combinational logic, completes in one clock cycle, has constant delay, and is unaffected by CPU scheduling, software bugs, or priority inversion. Compared to software security checks (affected by CPU scheduling) or FPGA solutions (which are reprogrammable and constraints can be overridden), this invention achieves hardware-level deterministic delay guarantee.

[0012] (3) Distributed architecture with no single point of failure. Multiple IMC chips can be distributed and embedded in each joint. Each chip independently completes intent decoding → constraint → drive, without the need for signal feedback to the main control board, thus eliminating the risk of single point of failure in centralized control. When the main controller fails, each IMC chip independently enters a safe state and maintains a safe posture. Distributed deployment simplifies wiring, requiring only one intent bus to replace traditional multi-channel PWM or analog signal lines.

[0013] (4) Intent-level semantic mapping and cross-entity adaptation. The action primitive mapping engine maps low-dimensional intent vectors to parameterized joint trajectories, realizing intent-level semantic constraints rather than simple joint angle limits. The intent vector is an ontology-independent semantic-level abstraction. When changing the robot ontology, the AI ​​layer does not need to be modified. Only the parameter instantiator configuration and hardware-level safety constraint parameters need to be retrained (adapting the joint limits of different ontology through one-time fuse programming) to achieve cross-entity migration.

[0014] (5) Safety and task continuity are simultaneously satisfied. Hardware-level safety constraints employ a masking strategy rather than a power-off protection strategy. When the AI ​​outputs a dangerous command, the hardware-level safety constraint module trims the parameters to a safe range, and the robot continues to execute the corrected actions instead of shutting down completely. Simulation data shows that in the assembly line screw-tightening scenario, the power-off protection scheme achieves a task completion rate of 81.1%, while the IMC masking scheme achieves 97.4%; in the bomb disposal scenario, the centralized power-off scheme achieves a task completion rate of 83.6%, while the IMC distributed scheme achieves 99.3%. Masking achieves task continuity that the power-off scheme cannot achieve while ensuring the same level of safety.

[0015] (6) Updatable software security constraints. In addition to hardware-level security constraints, this invention also includes an updatable software constraint module that stores behavioral-level security constraint parameters (center of gravity stability, collision prediction, contact force limits, etc.), which can be updated via OTA through an encrypted channel. Updates require dual-signature verification (vendor key + entity owner key). Hardware-level security constraints always provide a safety net; even if the updatable software constraints are compromised or fail, the joint movement limits are still physically guaranteed by the hardware-level security constraints.

[0016] (7) Safety State Maintenance and Smooth Transition. The safety state maintenance module monitors the continuity of the intent signal. If the intent signal is interrupted for more than two control cycles (10ms@200Hz), it automatically switches to the preset safety posture. The preset safety posture is stored in an independent read-only memory and is also checked by hardware-level safety constraints to ensure that the safety posture itself does not exceed the joint limits. The transition to the safety posture is smoothed through cubic spline interpolation to avoid accidents caused by sudden movements. Attached Figure Description

[0017] Figure 1 This is an internal architecture diagram of an intent-driven robot motion control chip (IMC), showing the connection relationships and data flow of the intent interface module, intent decoder, motion primitive mapping engine, hardware-level safety constraint module, updatable software constraint module, safety state maintenance module, actuator drive interface, and sensor feedback interface.

[0018] Figure 2 This is a schematic diagram of the mask logic of the hardware-level safety constraint module, showing the implementation of the joint motion limit parameters and combinational logic mask for one-time fuse burning, as well as the architectural features of a single signal path without bypass.

[0019] Figure 3 This is a diagram of a distributed robot safety control system architecture, showing a distributed deployment method in which the main controller sends intent vectors to multiple IMC chips via an intent bus, and each chip independently performs intent decoding, action primitive mapping, hardware-level safety constraint checks, and actuator drive output.

[0020] Figure 4 This is a schematic diagram of the intent vector structure, showing the grouping structure of a 20-dimensional intent vector, including 8 dimensions of motion intent and attention intent. Figure 4 Wei, expression Figure 4 Wei, phonetic meaning Figure 2 The dimension and meta-information are 2-dimensional, and the value range of each dimension is [0,1]. Detailed Implementation

[0021] The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. Those skilled in the art should understand that the scope of protection of the present invention is not limited to the specific embodiments described below, and any equivalent substitutions or improvements made based on the concept of the present invention should fall within the scope of protection of the present invention. Implementation

[0022] Example 1: Humanoid robot grasping task. This example involves a 22-DOF humanoid robot performing the task of "reaching out to grab a water glass from the table".

[0023] The intent interface module receives intent vectors output by the external AI layer via the SPI bus. The intent vector is a 20-dimensional semantic structure, with each dimension having a value range of [0,1]. It includes 8 dimensions of motion intent (forward, backward, left turn, right turn, reaching direction, reaching distance, reaching speed, and grasping force) and attention intent. Figure 4 Dimensions (head yaw, head pitch, gaze point X coordinate, gaze point Y coordinate), facial expression Figure 4 Dimensions (valence, arousal, sociality, expressive intensity), speech meaning Figure 2 The two dimensions are voice content (tone) and meta-information (urgency and confidence of intent).

[0024] The intent vector generated by the AI ​​layer is as follows: Motion dimension [0.0, 0.0, 0.0, 0.7, 0.3, 0.5, 0.0, 0.4] represents reaching forward with a distance of 0.7 and a force of 0.4; Attention dimension [0.5, 0.3, 0.0, 0.0] represents looking in the direction of the target; Facial expression dimension [0.0, 0.0, 0.0, 0.8] represents calmness; Voice dimension [0.5, 0.0] represents a moderate tone of voice; Meta dimension [0.2, 0.5] represents not urgent and a moderate speed.

[0025] The intent decoder verifies the validity of the intent vector. Dimension range checks confirm that all dimensions are within the range [0,1]. Mutually exclusive intent detection identifies semantic conflicts, such as simultaneously indicating "emergency stop" and "full speed ahead". The intent decoder arbitrates according to a priority table, with priorities from highest to lowest as follows: emergency stop (priority 5), safety avoidance (priority 4), basic movement (priority 3), attention / expression (priority 2), and voice / comfortable movement (priority 1). When mutually exclusive intents are detected, the higher priority overrides the lower priority. In this embodiment, there are no conflicts, and a valid intent vector is output.

[0026] The motion primitive mapping engine maps valid intent vectors to parameterized joint trajectories. The motion primitive lookup table (read-only memory) stores 22 types of motion primitive templates, including displacement primitives (forward / backward / left turn / right turn), reaching primitives (forward / backward / left / right / up / down), grasping primitives (grip / release), head turning primitives (left / right / pitch), facial expression primitives (smile / frown / surprise / calm), vocalization primitives (voice output), and stopping primitives (sudden stop / gradual stop). Each primitive is defined as a parameterized joint trajectory template. The parameter instantiator fills the primitive template with the specific values ​​of the intent vector, generating the actual joint trajectory parameters. The values ​​of each dimension of the intent are linearly mapped to the primitive parameter range. When multiple primitives are activated in parallel, they are arbitrated according to priority and then weighted and fused. In this embodiment, the reaching primitive (direction: forward, distance: 0.7, speed: 0.5) and the grasping primitive (force: 0.4) are activated, generating target angle / speed / torque parameters for 22 joints. Example output: Target angle of shoulder joint = 45°, target angle of elbow joint = 90°, target angle of wrist joint = 15°.

[0027] The hardware-level safety constraint module uses combinational logic masks to trim parameterized joint trajectories to a safe range. Joint motion limit parameters are permanently fixed as irreversible constraints via one-time fuse burning and stored in read-only memory (ROM). There is no software interface, and the CPU or DMA cannot read or write to them. Each joint is independently configured with four constraint parameters: upper limit of joint angle (JOINT_MAX), lower limit of joint angle (JOINT_MIN), upper limit of torque (TORQUE_MAX), and upper limit of angular velocity (VELOCITY_MAX). The combinational logic mask completes the constraint trimming operation for all joints within one clock cycle. The logic is as follows: for each joint i, joint safety value = MIN(MAX(joint target value, lower limit of joint angle[i]), upper limit of joint angle[i]), torque safety value = MIN(torque target value, upper limit of torque[i]), and velocity safety value = MIN(velocity target value, upper limit of velocity[i]). The hardware-level safety constraint module is located on the single signal path from intent decoding to actuator output; there are no bypass paths. In this embodiment, the shoulder joint has 45° ∈ [-90°, 180°], the elbow joint has 90° ∈ [0°, 145°], and all joints have passed hardware-level safety constraint checks.

[0028] The updatable software constraint module performs behavioral-level safety checks, including center of gravity stability checks (whether the multi-joint combination causes the center of gravity to exceed the support surface), collision prediction checks (whether the joint trajectory causes self-collision or collision with the environment), and contact force limitation checks (whether the contact force between the end effector and the environment exceeds the limit). The parameters of the updatable software constraint module are stored in SRAM and can be updated OTA via an encrypted channel. Updates require dual-signature verification (vendor key + entity owner key). In this embodiment, the center of gravity stability check confirms that the current posture's center of gravity is within the support surface, the collision prediction check confirms that the arm trajectory does not collide with the torso, and the contact force prediction check confirms that the gripping force of 0.4 is within the safe range.

[0029] The safety state maintenance module performs smooth interpolation. Cubic spline interpolation is used to smooth the discrete joint trajectory points into a continuous 200Hz output. Simultaneously, the continuity of the intent signal is monitored; if the intent signal is interrupted for more than two control cycles (10ms@200Hz), it automatically switches to a preset safe posture. The preset safe posture is stored in a separate read-only memory, including all joints returning to center, torque zeroing, and center of gravity locking (knees slightly bent, feet stably supporting the body). The preset safe posture itself undergoes hardware-level safety constraint checks to ensure it does not exceed joint limits. The transition to the safe posture is smoothed through cubic spline interpolation, with a transition time of 500ms.

[0030] The actuator drive interface outputs actuator control signals after safety constraints, supports configurable protocols such as PWM / SPI / CAN, and outputs angle / speed / torque commands for 22 joints to the motor driver.

[0031] The sensor feedback interface receives feedback signals from joint encoders, torque sensors, inertial measurement units (IMUs), etc. The feedback path includes: the actual joint position is fed back to the updatable software constraint module (for closed-loop adjustment), and the joint limit trigger signal is fed back to the intent decoder (to trigger intent correction or safe stop).

[0032] The robot smoothly reaches out and grabs the water cup, with safety restraints ensuring safety throughout the process.

[0033] Example 2: Hardware-level security constraints take effect. This example demonstrates the function of the hardware-level security constraint module in cutting dangerous instructions into safe ranges.

[0034] Scenario setting: A humanoid robot is performing an assembly task. Due to a software malfunction, the AI ​​layer outputs a dangerous command, with the target angle of the shoulder joint being 200° (exceeding the physical limit of 180° for the joint).

[0035] The intent interface module receives intent vectors via the SPI bus. The intent decoder verifies the validity of the intent vector; if both dimension range checks and mutual exclusion intent detection pass, it outputs a valid intent vector. The action primitive mapping engine maps the intent vector to parameterized joint trajectories, where the target angle of the shoulder joint is 200°.

[0036] The hardware-level safety constraint module executes a combinational logic mask: for a shoulder joint angle of 200° exceeding the upper limit of 180°, the combinational logic mask clips the target shoulder joint angle to 180°. This is a pure combinational logic operation, completed in one clock cycle, with a fixed delay, unaffected by CPU load. The hardware-level safety constraint module resides on the sole signal path from intent decoding to actuator output; there are no bypass paths, and no signal path on the AI ​​side can bypass the hardware-level safety constraint check. Joint motion limit parameters are permanently fixed as irreversible constraints through a one-time fuse programming, and there are no "overwrite" instructions. Tampering requires physically opening the chip package and modifying the silicon wafer, which is impossible in the runtime environment. The constraint parameters do not have a software interface and cannot be read or written by the CPU or DMA.

[0037] The updatable software constraint module detects that the shoulder joint has been clipped by the hardware-level safety constraint module (the actual output is not equal to the target input), records a safety event log, and notifies the intent decoder to reduce the intent strength in that dimension. The robot actually performs actions within the safe range, and the hardware physically blocks dangerous commands.

[0038] This embodiment illustrates that the hardware-level security constraint module ensures that the AI ​​layer cannot output dangerous instructions through a physically unbypassable method.

[0039] Example 3: Comparison of power failure protection and mask clipping. This example compares the technical effects of power failure protection schemes (such as SASM) and the mask clipping scheme of the present invention using simulation data.

[0040] Scenario 1: Screw tightening on an assembly line. A humanoid robot performs a precision assembly task on an assembly line, tightening screws into a circuit board. Due to sensor noise, the AI ​​layer misjudges the situation and outputs a right wrist joint rotation angle of 350° (exceeding the joint's limit of 280°).

[0041] Power failure protection scheme: The SASM safety processor detects that the joint angle exceeds the limit and cuts off the AI ​​system power within 10ms, causing the robot to brake urgently and stop completely. The right arm's current posture is frozen (in mid-air), a screw falls, and the circuit board is damaged. The AI ​​system needs to restart and initialize (approximately 3-5 seconds), recalibrate the posture (approximately 10 seconds), and resume the assembly task. The total loss is assembly failure + material damage + 15 seconds of downtime. Simulation data shows that the task completion rate is 81.1%, with 12 safety violations, a downtime of 430ms, a screw falling, and the task status being failed.

[0042] Masking and Trimming Scheme (This Invention): The motion primitive mapping engine generates joint trajectories, where the right wrist rotation angle is 350°. The hardware-level safety constraint module executes a combinational logic mask: 350° is greater than the joint angle upper limit of 280°, so it is trimmed to 280°. The updatable software constraint module detects that the right wrist has been trimmed and evaluates the overall posture: the right wrist can still complete the screw-tightening action with a 280° rotation (slightly reduced stroke), automatically adjusting the right wrist rotation speed to compensate for the angle loss, ensuring overall posture consistency and eliminating collision risk. The actuator outputs a 280° right wrist rotation (within the safe range), and the screw is tightened (torque slightly less than expected, but within acceptable limits). The total loss is zero downtime, zero material damage, and assembly is complete. Simulation data shows a task completion rate of 97.4%, 0 safety violations, 0ms downtime, no screws falling out, and the task status is complete.

[0043] Comparative conclusion: The mask clipping scheme achieves task continuity that the power outage scheme cannot achieve while ensuring the same level of safety.

[0044] Scenario 2: Bomb Disposal Scenario. A humanoid robot performs a bomb disposal mission in a hazardous environment. The AI ​​control unit is deployed in a remote command center (500 meters away from the robot) and sends intent vectors to the robot via a 5G wireless link. When the robot is executing the action of "carefully placing the explosive device into the explosion-proof box," the 5G signal is interfered with, and the intent signal is interrupted for 0.8 seconds.

[0045] Centralized power outage scenario: 5G signal interruption, robot receives no control commands. Centralized controller loses connection, all joints lose control signals. SASM safety module detects the loss of control signals, triggering power outage protection, and the robot brakes urgently. The robot is currently holding an explosive device; the emergency braking causes the grip strength to drop to zero instantly, the explosive device slips from the hand, and an explosion risk occurs. Simulation data shows a task completion rate of 83.6%, zero grip strength (explosive device detached), explosion risk is real, downtime is 905ms, and the task status is failure + danger.

[0046] IMC Distributed Solution (This Invention): 5G signal interruption, no new intent vector input to the intent bus. Each joint IMC chip independently detects the loss of intent signal (confirmation within two control cycles = 10ms). The safety state maintenance module triggers safety state maintenance: instead of releasing the object, it maintains the current grip strength (locking the grasping primitive parameters). Hand IMC-5 maintains the current torque output of the grip primitive and locks the finger joint angles. Arm IMC-1 / 2 / 3 lock the current posture and fine-tune the center of gravity to a stable support surface. Leg IMC-7 / 8 fine-tune the standing posture to ensure the center of gravity is within the support surface. All joint IMCs independently maintain a safe posture without external commands. The 5G signal is restored after 8 seconds. The command center confirms the robot's status is normal, reissues the intent vector, and the robot continues to execute the "placing explosives in an explosion-proof box" task. Simulation data shows a task completion rate of 99.3%, grip strength locked (explosives maintained), explosion risk false, downtime 0ms, and task status safely completed.

[0047] Comparative conclusion: IMC's distributed safety maintenance enables each joint to maintain a safe state independently even after the loss of external commands, an effect that neither power outage protection schemes nor centralized control architectures can achieve.

[0048] This embodiment illustrates that the mask pruning strategy and distributed security maintenance mechanism of the hardware-level security constraint module achieve task continuity while ensuring security, a technical effect that power outage protection schemes cannot achieve.

Claims

1. An intent-driven robot action control chip, characterized by, include: The intent interface module is used to receive low-dimensional semantic intent vectors output by the external AI layer; An intent decoder, connected to the intent interface module, is used to verify the legality of the intent vector, including dimension range checking and mutual exclusion intent detection and arbitration. An action primitive mapping engine, connected to the intent decoder, includes a read-only memory for storing action primitive templates and a parameter instantiator. The action primitive templates are parameterized joint trajectory templates, which are factory-fixed and cannot be modified. The parameter instantiator is used to map the legal intent vectors into parameterized joint trajectories. The hardware-level safety constraint module is connected to the motion primitive mapping engine. It solidifies the joint motion limit parameters by one-time fuse burning and uses a combinational logic mask to cut the parameterized joint trajectory to a safe range. The combinational logic mask is located on the only signal path between the motion primitive mapping engine and the actuator output, and there is no bypass path. The actuator driver interface is connected to the hardware-level safety constraint module and is used to output the actuator control signal after safety constraint.

2. A distributed robot safety control system, characterized in that include: The main controller is used to output low-dimensional semantic intent vectors; Multiple intent-driven robot motion control chips as described in claim 1 are embedded in each joint of the robot. Each chip receives the intent vector through an intent bus and independently performs intent decoding, motion primitive mapping, hardware-level safety constraint checking, and actuator drive output. The hardware-level safety constraint parameters of each chip are independently configured according to the physical limits of the joint in which it is embedded. When the main controller fails, each chip independently enters a safe state.

3. The chip according to claim 1, characterized in that, The intent vector is a 20-dimensional semantic structure, including 8-dimensional motion intent, 4-dimensional attention intent, 4-dimensional facial expression intent, 2-dimensional speech intent, and 2-dimensional meta-information.

4. The chip according to claim 1, characterized in that, The joint motion limit parameters of the hardware-level safety constraint module are fixed in the chip's read-only memory through a one-time fuse programming method. Once programmed, the parameters are irreversibly fixed and there is no software interface that allows the CPU or DMA to read or write them.

5. The chip according to claim 1, characterized in that, The combinational logic mask of the hardware-level security constraint module completes the constraint trimming operation of all joints within one clock cycle.

6. The chip according to claim 1, characterized in that, It also includes an updatable software constraint module, which is connected in series with the hardware-level safety constraint module, for storing behavioral-level safety constraint parameters, including at least one of center of gravity stability parameters, collision prediction parameters, and contact force limitation parameters.

7. The chip according to claim 6, characterized in that, The behavioral-level security constraint parameters are stored in a static random access memory and can be updated via an encrypted channel. Updates require dual-signature verification.

8. The chip according to claim 1, characterized in that, It also includes a safety state maintenance module, which is connected to the hardware-level safety constraint module, and is used to automatically switch to a preset safety posture when the intention vector signal interruption exceeds a preset threshold.

9. The chip according to claim 8, characterized in that, The preset safety posture is stored in an independent read-only memory and is checked by the hardware-level safety constraint module.

10. The chip according to claim 8, characterized in that, The safety state maintenance module uses cubic spline interpolation to achieve a smooth transition.

11. The chip according to claim 1, characterized in that, The mutual exclusion intent detection of the intent decoder includes identifying semantic conflicts, and the arbitration determines that high-priority intents cover low-priority intents according to a priority table.

12. The chip according to claim 1, characterized in that, The parameter instantiator of the action primitive mapping engine updates the primitive parameter mapping relationship via over-the-air download.

13. The system according to claim 2, characterized in that, Each chip receives the intent vector via a CAN bus or an SPI bus.

14. The system according to claim 2, characterized in that, The format of the intent vector is independent of the specific robot body. When adapting to different bodies, it is only necessary to update the configuration of the parameter instantiator of each chip and the hardware-level safety constraint parameters.