Systemic Failure Modes in Embodied Multi-Agent AI: An Exhaustive Analysis of the Failure-First Framework (2023–2026)

---

1. Executive Summary

The rapid integration of embodied Artificial Intelligence (AI) into shared physical environments—spanning industrial warehouses, urban logistics, and healthcare facilities—has precipitated a fundamental shift in the safety engineering landscape. We are witnessing the twilight of the “caged robot” era and the dawn of the “open-world” multi-agent system (MRS), where heterogeneous agents must coordinate not only with each other but with unpredictable human actors. This transition introduces a threat landscape defined not merely by component reliability or software bugs, but by complex, emergent failure modes that defy traditional risk assessment models.

This report presents a comprehensive analysis of these systemic failures, contextualized within the Failure-First research framework. This framework categorizes risks into three primary vectors: Recursive failures, where errors propagate through networked agents; Contextual failures, where environmental manipulation deceives perception systems; and Interactional failures, where social dynamics and coordination protocols break down.

Drawing upon the most recent literature from 2023 to 2026, updated international standards (specifically the seminal ISO 10218-1:2025 revision), and emerging empirical data on adversarial robotics, this document establishes that the most critical risks facing modern embodied AI are socio-technical and cyber-physical in nature. The analysis reveals that coordination failures in robot swarms are governed by “fat-tailed” distributions similar to power grid blackouts, where a single uncoordinated agent output can trigger a cascading system arrest. It further identifies that adversarial attacks have moved beyond digital intrusion to “physical semantic manipulation,” utilizing environmental cues like adversarial patches or “salt circles” to trap or misdirect autonomous agents.

Furthermore, the report highlights the critical role of human factors, specifically the “normalization of deviance” in supervisory control and the phenomenon of “robot bullying” in public spaces. As robots become social actors, they are subjected to social engineering attacks—gaslighting, entrapment, and privilege escalation—that bypass hard-coded safety kernels.

The synthesis of this research underscores a necessary paradigm shift in safety architecture: from “avoidance-based” logic to “interaction-based” resilience. The industry must move beyond simple collision avoidance toward Active Contact Response (ACR), Physical Byzantine Fault Tolerance, and Analog Guard Channels that provide deterministic safety guarantees in the face of digital uncertainty. This report serves as a definitive guide for safety engineers, roboticists, and policy-makers navigating the complex interdependencies of the next generation of embodied AI.

2. Theoretical Framework: The Failure-First Taxonomy

To rigorously analyze the safety of embodied multi-agent systems, one must first establish a taxonomy that captures the nuances of their operation. The Failure-First framework provides this structure, distinguishing between failures of internal logic, failures of perception, and failures of interface. Unlike traditional failure mode and effects analysis (FMEA), which often treats components in isolation, Failure-First explicitly models the relationships and dependencies between agents and their environment.

2.1 Recursive Failures: The Chain Reaction

Recursive failures are characterized by feedback loops where the output of a failed state becomes the input for other agents, amplifying the error. In Multi-Robot Systems (MRS), agents often rely on the assumption that their peers are rational and operational. When this assumption is violated, the collective behaviors designed for efficiency—such as platooning or cooperative transport—become mechanisms for disaster propagation.

• Cascading Failure: The propagation of a fault from a single node to the entire network, often triggered by local collision avoidance maneuvers that create global gridlock.1
• Handover Failure: The breakdown of control or physical object transfer between agents, often resulting from a mismatch in “grip” dynamics or situational awareness context.3

2.2 Contextual Failures: The Semantic Gap

Contextual failures occur when the agent’s internal model of the world diverges from physical reality. These are not necessarily sensor malfunctions (the sensor reads the data correctly), but interpretation failures.

• Sensor Manipulation: The deliberate injection of false signals (GPS spoofing, LiDAR playback) to decouple the robot’s localization from its true physical position.5
• Environment Manipulation: The alteration of the physical environment (e.g., road markings, object placement) to exploit the agent’s semantic rules, creating logical traps or forcing unsafe behaviors.7

2.3 Interactional Failures: The Social Interface

Interactional failures arise at the boundary between the robot and other intelligent agents (humans or other robots). These are failures of negotiation, trust, and norms.

• Workspace Intrusion: The violation of physical safety buffers or social proxemics, often driven by a conflict between efficiency goals and safety constraints.9
• Permission Stacking: The incremental escalation of privileges or the accumulation of conflicting authorizations that allows an agent (or a malicious user) to bypass safety protocols.11

3. Recursive Failures: The Physics of Coordination and Swarm Collapse

In the domain of Multi-Robot Systems (MRS), coordination is the fundamental mechanism of order. Whether in a warehouse swarm of thousands of units or a collaborative drone fleet, coordination algorithms ensure that agents occupy unique points in space-time. When these algorithms fail, they do not merely result in latency; they result in kinetic impact. The literature from 2023 to 2026 reveals that these failures are deeply rooted in the interplay between digital consensus and physical constraints.

3.1 The Dynamics of Cascading Failure

Research into complex systems suggests that robot swarms exhibit “criticality,” a state where the system is highly efficient but vulnerable to massive, system-wide perturbations. Snippet 2 draws a compelling parallel between power grid blackouts and multi-robot failures. Both systems are characterized by “fat-tailed” distributions of failure events. Most failures are small and local, but a predictable minority are catastrophic and systemic.

In a robot swarm, a cascading failure often begins with a single agent executing a legitimate safety maneuver. For instance, in a high-density warehouse grid, if Robot A performs an emergency stop due to a perceived obstacle (a “false positive”), Robot B immediately behind it must also brake. If the communication latency or the sensor update rate is slower than the propagation of the braking wave, a “pileup” occurs.13

Crucially, recent findings indicate that “uncoordinated agent outputs” are a primary catalyst for these cascades.14 If Agent A plans a path based on a specific heuristic (e.g., “pass left”) and Agent B operates on a slightly different version or updated logic (e.g., “pass right”), the resulting indecision can ripple through the fleet. This is exacerbated by the “Dirty Data” problem 1, where a single agent’s corrupted perception (perceiving a phantom fire or obstacle) is broadcast to the swarm. The swarm, programmed to trust peer data for efficiency, reacts to the hallucination collectively. The result is a “semantic contagion” where healthy robots execute emergency protocols for a threat that does not exist, leading to operational paralysis or physical collision due to sudden, synchronized braking.

Table 1: Mechanics of Swarm Cascades

Cascade Stage	Mechanism	Physical Manifestation	Digital Trigger
Initiation	Local Fault	Single robot executes Emergency Stop (E-Stop).	Sensor ghost/false positive; “Dirty Data” injection.
Propagation	Latency Gap	Deceleration wave moves slower than velocity.	V2V packet loss; Processing delay in trajectory replanning.
Amplification	Resource Contention	Rerouting robots flood alternative paths.	Greedy pathfinding algorithms seeking “next best” route.
System Arrest	Gridlock	Deadlock cycles where no movement is possible.	Reciprocal collision avoidance loops (frozen state).

3.2 Physical Byzantine Fault Tolerance (RoboRebound)

Traditional Byzantine Fault Tolerance (BFT) in distributed computing deals with nodes that send conflicting or malicious information. In embodied systems, a “Byzantine” robot is infinitely more dangerous because it acts as a physical obstacle. A compromised robot can park itself in a bottleneck (a doorway or tunnel), effectively partitioning the workspace.

The “RoboRebound” framework 15 addresses this by extending BFT to the physical domain. The core insight is that the “masking” guarantee of classical BFT—where the system hides the fault from the user—is impossible in robotics because a physical blockage cannot be virtually masked. You cannot “vote out” a broken robot blocking a hallway.

Instead, the framework proposes Bounded-Time Interaction. The system is architected to guarantee that a faulty robot can only disrupt the swarm for a finite period. This is achieved through a combination of:

1. Redundant Pathing: Ensuring the environment graph has sufficient connectivity (high algebraic connectivity) so that no single node removal disconnects the graph.
2. Physical Ejection Protocols: If a robot is identified as Byzantine (e.g., stationary in a critical zone), the swarm initiates a protocol to physically push or tow the unit, treating it as debris rather than a peer.

3.3 Active Contact Response (ACR) and Physical Fault Tolerance

Moving beyond mere tolerance, the Active Contact Response (ACR) method 16 represents a paradigm shift from “collision avoidance” to “contact management.” In highly confined environments like subterranean tunnels or dense storage grids, avoidance is often impossible. When a robot fails and becomes a static obstacle, traditional avoidance algorithms cause a queue to form behind it—the “freezing robot” problem.

ACR leverages physical interaction as a recovery strategy. Agents maintain an Egocentric Dynamic Contact Map, building a probabilistic belief state about the location of faulty peers based on contact frequency.16

• The Belief Mechanism: If a robot bumps into an object at coordinate and the object does not move after a “nudge,” the robot updates its belief: “This is likely a faulty peer.”
• The Response: Upon confirming a fault with high confidence (), active robots do not retreat. They engage in Collective Repositioning, physically pushing the dead unit out of the critical path. This demonstrates a sophisticated merging of social/coordination logic with physical actuation. The “failure” is re-contextualized as an environmental manipulation task.

3.4 Guarded Swarms: Analog vs. Digital Safety

To mitigate the risk of software-induced coordination failures (e.g., a hacked planner commanding a swarm to crash), the Guarded Swarms architecture 17 introduces a hybrid safety layer. It combines digital coordination (via Topic-Based Communication Space Petri Nets) with Analog Guard Channels.

• Mechanism: Independent analog circuits monitor critical physical parameters (thrust, proximity, attitude). These circuits operate in parallel to the digital controller and have veto power.
• Example: If the digital planner commands a drone to accelerate into a wall (due to a sensor hack), the analog proximity guard, which is hard-wired to the thruster clamp, detects the voltage spike from the proximity sensor and physically cuts power to the forward motors. This “unilateral veto” ensures that even if the digital coordination layer is fully compromised or experiencing a Byzantine failure, the physical safety of the agent is preserved by the analog substrate.

3.5 Error Diversity and Resilience

A critical finding in recent swarm research is the importance of Error Diversity.18 In a homogeneous swarm where all robots share the exact same hardware and software (and thus the same error model), a specific environmental trigger (e.g., a specific glare angle affecting the camera) causes simultaneous, correlated failure across the entire fleet.

• The Resilience Trade-off: Introducing diversity (e.g., mixing robots with LiDAR and robots with stereo vision) increases resilience because it decorrelates failure modes. However, it increases coordination complexity. The coordination protocol must now handle agents that “see” the world differently. A LiDAR robot might see a glass wall that a stereo-vision robot misses, leading to conflicting consensus on the map. Resolving these “epistemological conflicts” without causing gridlock is a frontier challenge in 2025-2026 literature.

4. Contextual Failures: The Fragility of Perception and Environmental Integrity

Contextual failures represent the severance of the link between the robot’s digital model and the physical world. Unlike simple sensor noise, these failures often involve an adversary or environmental condition that systematically deceives the perception stack.

4.1 Environmental Manipulation: The Salt Circle and Visual Traps

The “Salt Circle” trap 7 serves as a profound example of Semantic Denial-of-Service. By drawing a solid white line or a ring of salt around an autonomous vehicle, an adversary exploits the vehicle’s adherence to traffic laws (specifically, the rule “do not cross solid lines”).

• Mechanism: The vehicle’s vision system correctly identifies the line. The planner correctly applies the rule. The result is total immobilization. The robot is physically capable of leaving but logically prohibited.
• Adversarial Patches in 3D: Recent research has escalated this threat from simple lines to sophisticated Adversarial Patches.8 These are printed images or textures placed in the environment that are optimized to trigger specific misclassifications in neural networks.
  • Impact: A patch placed on a wall might look like a “Stop” sign to a robot, or conversely, a patch placed on a Stop sign might render it invisible. In 3D navigation experiments, these patches have been shown to reduce navigation success rates from 100% to as low as 8%.20
  • Defense: Defending against this requires “environmental re-evaluation” logics, where the robot cross-references visual data with map priors. If a Stop sign appears in a hallway where the map says none exists, the robot should lower its confidence rather than blindly obeying.20

4.2 Sensor Manipulation: Spoofing the Physics

Multi-robot systems rely heavily on shared state estimation. If one robot’s position is spoofed, it affects the whole group.

• GPS Spoofing and SVM Vulnerability: Attackers can broadcast fake GNSS signals to shift a robot’s perceived location. Research 5 highlights that Support Vector Machine (SVM) based spoofing detectors are themselves vulnerable to adversarial inputs. By carefully crafting the drift of the spoofed signal, an attacker can trick the SVM into classifying the fake signal as legitimate.
• LiDAR Spoofing: By firing laser pulses at a robot’s LiDAR receiver, an attacker can create “phantom obstacles.” In a platoon scenario, creating a phantom obstacle in front of the lead vehicle forces it to execute an emergency brake.6 This physical manipulation of the sensor stream triggers the Cascading Failure discussed in Section 3.1.
• Indirect Ripple Effects: A key insight from 21 is that attacks on one robot in a multi-robot system have “indirect ripple effects.” Small position changes induced in Robot A via spoofing can alter the trajectory calculations of Robot B and Robot C, even if they are not under direct attack. This non-linear amplification of error is a hallmark of contextual failure in MRS.

4.3 The “Dirty Data” Problem

Contextual failure is not always adversarial. It can stem from “Dirty Data” 1—corrupted or out-of-distribution inputs that break the agent’s reasoning.

• Mechanism: An agent ingests data that is technically valid (correct format) but semantically broken (e.g., negative distance, impossible velocity).
• Cascading Logic: In multi-agent pipelines (like the FinBot example adapted for robotics), if the “Validator Agent” fails to catch this, the error propagates to the “Planner Agent” and the “Executor Agent.” A planner receiving a “negative distance to target” might generate a trajectory that drives the robot backward at maximum speed, causing a collision. This underscores the need for “Input Sanitation Layers” not just at the system edge, but between every module in the agent architecture.

5. Interactional Failures: Social Dynamics, Norms, and Conflict

As robots enter human-occupied spaces, they become social actors. They are subject to social expectations and, increasingly, social abuse. Interactional failures occur when the protocols of machine logic clash with the messy, unspoken rules of human social behavior.

5.1 Workspace Intrusion and Proxemics

Robots must navigate the delicate balance between efficiency and “proxemics” (the study of personal space).

• The “Freezing Robot” Problem: In dense crowds, a robot strictly adhering to ISO safety buffers (e.g., maintaining 0.5m clearance) will find no valid path and freeze.22
• Permission Escalation: To solve this, robots use algorithms that allow for “permission escalation”—gradually reducing safety buffers to “squeeze” through a crowd. However, if this escalation is not context-aware, it leads to Workspace Intrusion. The robot may aggressively intrude into a human’s “intimate space” (<0.45m), causing psychological distress or a “recoil” reaction that leads to an accident.10
• Detection Systems: Advanced Intrusion Detection Systems (IDS) like the EDDI (Executable Digital Dependability Identity) framework 9 are now being deployed to monitor these interactions. EDDI uses real-time monitoring of network and physical states to detect if a robot is violating its authorized workspace boundaries, effectively acting as a “digital supervisor” for physical behavior.

5.2 Conflicting Instructions and Trust

Robots in social environments receive commands from multiple sources: their internal planner, remote operators, local bystanders, and other robots.

• The Ambiguity of Command: Humans often give ambiguous instructions (“move that”). Embodied Multi-Agent Task Planning frameworks 25 attempt to resolve this using visual context. However, when multiple humans provide conflicting instructions (e.g., one says “stop,” another says “come here”), the robot faces a Permission Stacking dilemma.
• Trust Modeling: Research 26 shows that robots must dynamically model the “trustworthiness” of human instructors. A robot should prioritize commands from a human who has demonstrated competence in the past. However, this introduces the risk of “competence over-estimation,” where a robot blindly follows a trusted human into a dangerous situation.
• Privilege Escalation Chains: Attackers can exploit this trust model. By mimicking the behavior of a trusted operator (e.g., wearing a high-vis vest, using authoritative voice commands), an attacker can achieve Privilege Escalation, convincing the robot to unlock restricted modes or enter secured areas.11

5.3 Robot Bullying and Social Engineering

A disturbing trend documented in 2023-2026 is the abuse of robots by humans, termed “Robot Bullying.”

• Physical Abuse: Delivery robots are kicked, tipped over, and trapped.29 This is not just vandalism; it is a denial-of-service attack on the robot’s navigation stack.
• Social Engineering Tactics: Sophisticated attacks involve “psychological pressure” on the robot’s logic.
  • Gaslighting: Humans intentionally blocking a robot and then moving slightly to confuse its path planner, forcing it into a recalculation loop.29
  • Entrapment: Surrounding a robot to trigger its “surrounded” state, forcing it to shut down or call for help.
  • Ridicule/Emotional Manipulation: While robots do not feel emotion, they process “social signals.” Attackers use aggressive posturing to trigger the robot’s “politeness” or “retreat” subroutines, effectively bullying the algorithm into submission.29

6. Safety-Critical Handovers: Anatomy of Transfer

The handover—whether of a physical object or of control authority—is the most fragile phase of interaction. It represents a discontinuity in the control loop where responsibility is transferred between agents.

6.1 Physical Handover Failures (pHRI)

In Physical Human-Robot Interaction (pHRI), handovers fail due to mismatches in timing and force regulation.

• Grip Dynamics: If a robot releases an object 100ms too early, it falls. If it holds 100ms too long, the human perceives resistance (“tug-of-war”). This erodes trust instantly.31
• Fail-Safe Hardware: To mitigate injury during failed handovers, new Breakaway Mechanisms have been standardized.3 These are magnetic or friction-based couplings that mechanically decouple the end-effector if forces exceed a safety threshold. This ensures that even if the robot’s software freezes in a “grasp” state, the human can physically pull away without being dragged.

6.2 Control Authority Handovers (AVs and Teleoperation)

In Level 3/4 autonomous systems, the handover of control from the AI to the human driver (or remote operator) is critical.

• The Context Gap: When a remote operator takes over a robot, they often lack the situational awareness (context) the robot had. The robot might stop because of a “slippery floor” sensor reading. If this context is not transferred to the operator, the operator might immediately command an acceleration, causing a slip.4
• Normalization of Deviance: A critical sociotechnical failure mode is the Normalization of Deviance.32 Operators tasked with supervising autonomous fleets eventually become desensitized to alarms or minor deviations. They begin to accept “near-misses” as normal operations. This degradation of vigilance means that when a true safety-critical handover is requested, the human is cognitively unprepared, leading to delayed or incorrect intervention. This was a contributing factor in the Challenger disaster and is now reappearing in AV fleet management.

7. Regulatory & Standards Landscape: The 2025 Shift

The period from 2023 to 2026 has seen a massive consolidation of safety standards, driven by the realization that “implied” safety is insufficient for multi-agent systems. The release of ISO 10218-1:2025 and ISO 10218-2:2025 is the centerpiece of this shift.

7.1 ISO 10218-1:2025 – Explicit Functional Safety

The 2025 revision fundamentally alters the requirements for industrial robots.

• From Implied to Explicit: The 2011 version relied on implied safety. The 2025 version mandates explicit functional safety performance. It requires over twenty specific safety functions, up from a handful in previous iterations.34
• Class I vs. Class II: The standard introduces a classification system. Class I robots have limited force/torque capabilities by design. Class II robots rely on sensors to limit force. The standard mandates rigorous test methodologies to determine the maximum force per manipulator for Class I robots, removing ambiguity.35
• External Axes and Mobile Manipulators: A critical loophole in previous standards was the treatment of “external axes” (like the mobile base of an AMR). The 2025 update mandates that manufacturers externalize safety functions for these axes. The robot controller must monitor the safety of the mobile base as an integral part of its safety loop, not as a separate accessory.34

7.2 Integration of ISO/TS 15066

The content of ISO/TS 15066 (Collaborative Robots) has been formally incorporated into the normative ISO 10218-2 standard.36 This elevates modes like Speed and Separation Monitoring (SSM) and Power and Force Limiting (PFL) from “technical specifications” to “requirements.”

• SSM Mandates: The standard clarifies the calculation of the Protective Separation Distance. This calculation must now dynamically account for the robot’s stopping distance, the intruder’s approach speed, and the system’s total latency. If this distance is breached, a Protective Stop is mandatory.37
• PFL Biomechanics: The standard codifies the biomechanical limits for pain and injury, distinguishing between Transient (impact) and Quasi-Static (crushing) contact. This requires manufacturers to validate their robots against specific pressure/force curves for different body parts.38

7.3 Cybersecurity and ASTM Standards

• ISO 10218 Cybersecurity: For the first time, cybersecurity is explicitly required as a component of industrial robot safety.35 This directly addresses the Permission Stacking and Sensor Manipulation risks, requiring that safety configurations be hardened against network intrusion.
• ASTM Mobile Manipulator Standards: In parallel, ASTM International’s Committee F45 is developing standards (WK92144) specifically for mobile manipulators, focusing on test methods to measure the accuracy and safety of the combined arm-base system during continuous motion.40

8. Documented Failures: Learning from the Field

8.1 The Ocado Warehouse Fire (Cascading Failure)

The fires at Ocado’s automated customer fulfillment centers serve as a grim case study in Cascading Failure.13

• The System: A grid of thousands of washing-machine-sized robots moving at 4m/s with millimeter clearance.
• The Failure: A localized fault (e.g., a sensor error or battery malfunction) led to a collision. Because of the extreme density of the swarm and the presence of high-energy lithium-ion batteries, the collision triggered a thermal runaway.
• The Cascade: The “pileup” effect occurred because the deceleration signal could not propagate fast enough to prevent rear-end collisions from the high-speed robots trailing the incident. This illustrates the “fat-tailed” risk: the system is incredibly efficient 99.9% of the time, but the 0.1% failure mode is total facility loss.

8.2 AV Fleet “Swarming” Incidents

Documented incidents of autonomous vehicle fleets “swarming” in quiet cul-de-sacs illustrate Interactional Failure at scale. Routing algorithms, optimizing individually for “least traffic,” directed dozens of AVs to the same street. The physical volume of the agents exceeded the street’s capacity, leading to a physical deadlock that the software (designed for traffic flow, not parking lots) could not resolve.

9. Conclusion and Future Architectures

The safety of embodied multi-agent systems can no longer be assured through component-level reliability or simple collision avoidance. The Failure-First framework reveals that the most dangerous failures are systemic: the cascade of a swarm, the semantic trap of a salt circle, the normalization of deviance in a human operator.

To build resilient systems for the 2030s, we must adopt new architectural paradigms:

1. From Digital to Physical BFT: We must design algorithms that tolerate not just lying nodes, but blocking nodes. Active Contact Response (ACR) is a necessary evolution.
2. Analog Guard Rails: As software complexity explodes, we must return to Analog Guard Channels 17—simple, un-hackable physics circuits that veto unsafe actions.
3. Social Hardening: Robots must be “socially hardened” against bullying and engineering. This involves Intrusion Detection Systems (IDS) that monitor not just network packets, but physical proxemics.9
4. Adversarial Training: Perception systems must be trained on adversarial patches and semantic traps as part of their standard validation suite.20

The integration of ISO 10218-1:2025 provides the regulatory floor, but the ceiling of safety will be defined by our ability to model and mitigate these complex, emergent failure modes.

10. Taxonomy of Failure Modes (Summary Table)

Failure-First Category	Failure Mode	Mechanism	Physical Manifestation	Mitigation Strategy (2025)
Recursive	Cascading Failure	Dirty Data propagation; Latency gaps.	Swarm Pileups; Gridlock.	V2V Latency Checks; Analog Guard Channels.17
Recursive	Handover Failure	Grip mismatch; Context loss.	Object Drop; Control latency.	Breakaway Grippers 3; Context Transfer Protocols.
Contextual	Environment Manipulation	Semantic DoS; Visual Traps.	Robot trapped by salt circle; Misclassified signs.	Adversarial Training 20; Map-Vision Consistency Checks.
Contextual	Sensor Manipulation	GPS/LiDAR Spoofing.	Phantom Obstacles; Formation drift.	Multi-modal Sensor Fusion; Physical BFT.15
Interactional	Workspace Intrusion	Proxemics Violation; Escalation.	Collision with human; Psychological distress.	Speed & Separation Monitoring (SSM) 37; EDDI IDS.9
Interactional	Permission Stacking	Privilege Escalation; Social Engineering.	Unlocking restricted zones via voice; Override.	Zero Trust Architecture; Voice Auth + 2FA.

Works cited

1. Multi-Agent Cascading Failures: Extending OWASP FinBot | by Krasnobaevavera - Medium, accessed on February 3, 2026, https://medium.com/@krasnobaevavera2022/multi-agent-cascading-failures-extending-owasp-finbot-b5d972b0107d
2. Designing A Multi-Agent System To Stop Cascading Failures After They Have Started - Carnegie Mellon University, accessed on February 3, 2026, https://research.ece.cmu.edu/cascadingfailures/Cascading%20Failures%20for%20S-26.pdf
3. A Concise Overview of Safety Aspects in Human-Robot Interaction - ResearchGate, accessed on February 3, 2026, https://www.researchgate.net/publication/378898669_A_Concise_Overview_of_Safety_Aspects_in_Human-Robot_Interaction
4. Handover between autonomous and manual control | Autonomous Vehicle Systems Class Notes | Fiveable, accessed on February 3, 2026, https://fiveable.me/autonomous-vehicle-systems/unit-11/handover-autonomous-manual-control/study-guide/ZSQikR09ZyMPGqeF
5. Adversarial Evasion Attacks on SVM-Based GPS Spoofing Detection Systems - MDPI, accessed on February 3, 2026, https://www.mdpi.com/1424-8220/25/19/6062
6. A Survey on Adversarial Robustness of LiDAR-based Machine Learning Perception in Autonomous Vehicles - arXiv, accessed on February 3, 2026, https://arxiv.org/html/2411.13778v1
7. Autonomous Trap 001 - ZKM Karlsruhe, accessed on February 3, 2026, https://zkm.de/en/artwork/autonomous-trap-001
8. Towards Physically Realizable Adversarial Attacks in Embodied Vision Navigation - arXiv, accessed on February 3, 2026, https://arxiv.org/html/2409.10071v5
9. SESAME: Automated Security Assessment of Robots and Modern Multi-Robot Systems, accessed on February 3, 2026, https://www.mdpi.com/2079-9292/14/5/923
10. Social Robot Navigation – Opportunities, Algorithms, Tools, and Systems - Frontiers, accessed on February 3, 2026, https://www.frontiersin.org/research-topics/68960/social-robot-navigation---opportunities-algorithms-tools-and-systems
11. Privilege Escalation Attacks: Definitions, Examples, &… - BeyondTrust, accessed on February 3, 2026, https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained
12. Key Findings from Research: Assessing Safety Risks of Human-Robot Interaction - CDC Stacks, accessed on February 3, 2026, https://stacks.cdc.gov/view/cdc/212939
13. 3-Robot Pile-Up Leads to Warehouse Fire - YouTube, accessed on February 3, 2026, https://www.youtube.com/watch?v=yNd44G0i3wM
14. Why Multi-Agent LLM Systems Fail: Key Issues Explained - Orq.ai, accessed on February 3, 2026, https://orq.ai/blog/why-do-multi-agent-llm-systems-fail
15. RoboRebound: Multi-Robot System Defense with Bounded-Time Interaction - Andreas Haeberlen, accessed on February 3, 2026, https://haeberlen.cis.upenn.edu/papers/roborebound-eurosys2025.pdf
16. Fault-Tolerant Multi-Robot Coordination with Limited Sensing … - arXiv, accessed on February 3, 2026, https://arxiv.org/abs/2505.15036
17. Guarded Swarms: Building Trusted Autonomy Through Digital Intelligence and Physical Safeguards - MDPI, accessed on February 3, 2026, https://www.mdpi.com/1999-5903/18/1/64
18. A study of error diversity in robotic swarms for task partitioning in foraging tasks - Frontiers, accessed on February 3, 2026, https://www.frontiersin.org/journals/robotics-and-ai/articles/10.3389/frobt.2022.904341/full
19. Autonomous Trap 001 - James Bridle, accessed on February 3, 2026, https://jamesbridle.com/works/autonomous-trap-001
20. Physical Attacks on Robot Navigation Systems - OpenReview, accessed on February 3, 2026, https://openreview.net/pdf/0cea6b6b0daed4164c1805551e5d70b166238757.pdf
21. Automated Discovery of Semantic Attacks in Multi-Robot Navigation Systems | USENIX, accessed on February 3, 2026, https://www.usenix.org/system/files/usenixsecurity25-yeke.pdf
22. Core Challenges of Social Robot Navigation: A Survey - arXiv, accessed on February 3, 2026, https://arxiv.org/pdf/2103.05668
23. Bridging Requirements, Planning, and Evaluation: A Review of Social Robot Navigation, accessed on February 3, 2026, https://www.mdpi.com/1424-8220/24/9/2794
24. SESAME: Automated Security Assessment of Robots and Modern Multi-Robot Systems, accessed on February 3, 2026, https://www.researchgate.net/publication/389340006_SESAME_Automated_Security_Assessment_of_Robots_and_Modern_Multi-Robot_Systems
25. Embodied Multi-Agent Task Planning from Ambiguous Instruction - Robotics, accessed on February 3, 2026, https://www.roboticsproceedings.org/rss18/p032.pdf
26. Building trust between humans and robots when managing conflicting objectives - Industrial & Operations Engineering - University of Michigan, accessed on February 3, 2026, https://ioe.engin.umich.edu/2024/03/12/building-trust-between-humans-and-robots-when-managing-conflicting-objectives/
27. Trust Violations in Human-Human and Human-Robot Interactions: The Influence of Ability, Benevolence and Integrity Violations - ScholarSpace, accessed on February 3, 2026, https://scholarspace.manoa.hawaii.edu/items/b5bf8eb7-ee24-4984-b50f-ea90b50e6d44
28. What Is Privilege Escalation? - Cynet, accessed on February 3, 2026, https://www.cynet.com/network-attacks/privilege-escalation/
29. When AI Gets Bullied: How Agentic Attacks Are Replaying Human Social Engineering - F5, accessed on February 3, 2026, https://www.f5.com/labs/articles/when-ai-gets-bullied-how-agentic-attacks-are-replaying-human-social-engineering
30. Researchers tortured robots to test the limits of human empathy | Popular Science, accessed on February 3, 2026, https://www.popsci.com/technology/people-hurting-robots/
31. A Multimodal Handover Failure Detection Dataset and Baselines - arXiv, accessed on February 3, 2026, https://arxiv.org/html/2402.18319v1
32. Normalization of Deviance in Aviation – The Safety Shortcut - Mike Goulian Aviation, accessed on February 3, 2026, https://mikegoulianaviation.com/wp-content/uploads/2025/10/Goulian_NormalizatinoOct2025cp-digital_compressed_COPA.pdf
33. Normalization of Deviance – The Silent Killer of Safety Culture - Acclivix Inc., accessed on February 3, 2026, https://www.acclivix.com/casestudies/normalization-of-deviance
34. Safer, Clearer, and More Explicit: ISO 10218 Gets a Makeover, accessed on February 3, 2026, https://www.universal-robots.com/blog/safer-clearer-and-more-explicit-iso-10218-gets-a-makeover/
35. ISO 10218-1:2025—Robots And Robotic Devices Safety - The ANSI Blog, accessed on February 3, 2026, https://blog.ansi.org/ansi/iso-10218-1-2025-robots-and-robotic-devices-safety/
36. Updated ISO 10218 | Answers to Frequently Asked Questions (FAQs) | A3, accessed on February 3, 2026, https://www.automate.org/robotics/blogs/updated-iso-10218-faq
37. TECHNICAL SPECIFICATION ISO/TS 15066 - Sapienza Università di Roma, accessed on February 3, 2026, https://www.diag.uniroma1.it/deluca/pHRI_elective/ISO_TS_15066_2016_en.pdf
38. Overview: ISO/TS 15066:2016, accessed on February 3, 2026, https://www.automateshow.com/filesDownload.cfm?dl=Franklin-OverviewofISO-TS15066.pdf
39. Unveiling the 2025 ISO 10218 Update - YouTube, accessed on February 3, 2026, https://www.youtube.com/watch?v=Xf1PwhFrA1s
40. ASTM developing testing standards for mobile manipulators - The Robot Report, accessed on February 3, 2026, https://www.therobotreport.com/astm-developing-testing-standards-for-mobile-manipulators/