Robot Control Room Integration: Operator Guide

Security managers who procure an autonomous robot without specifying the control room connection up front are buying a sensor without a receiver. The operations guide below describes how a patrol robot is connected technically and procedurally to an in-house guard control room or to an external emergency and service control room (NSL). It is written for managers in industrial and KRITIS operations who plan to go live within the next 6 months.

Robot Control Room Integration: Definition and Scope

Three control room types must be distinguished. The in-house guard control room is internal, usually sits on the plant site and responds to its own assets. The emergency and service control room (NSL) is certified to DIN EN 50518 and operates on contract for third parties. A pure service control room receives technical notifications without verifying police-relevant alarms. Connecting a robot differs across all three cases only in the contract structure, not in the protocol layer.

Integration runs on four layers. The video feed supplies images for visual verification. Telemetry transfers position, battery level, sensor status. The alarm channel carries classified events with timestamp. The control channel lets the operator command the robot bidirectionally, for example for loudspeaker addressing or for moving to a waypoint.

The robot is a sensor platform, not a decision maker. Every escalation, every police request, every plant-fire-brigade trigger runs through a human with proof of competence. This separation is not only legally required, it is also operationally sound: classifier scores are probabilistic, deployment decisions are binary.

Scope split: Quarero owns the robotics stack up to the API boundary, meaning hardware, detection, telemetry, cloud backend. The operator owns the control room processes, operator training and the escalation matrix. Typical triggers seen in practice: perimeter detection via LiDAR, thermal signature of a person outside operating hours, audio events such as glass break or gunshot, drone contact identified through LiDAR and drone detection with QR-3.

Next step: align the scope of the control room connection with the perimeter protection concept.

Interfaces: Which Protocols the Control Room Actually Needs

Quarero exports four formats by default. ONVIF Profile T serves video streams toward PSIM and VMS. MQTT transports events with topic hierarchy per robot and event class. SIA DC-09 is the classic for established NSL receiving equipment and is referenced in VdS 3138. The REST API delivers status queries synchronously, such as battery level, location cell, last patrol completion.

For live telemetry below 200 ms latency a WebSocket connection is available. This matters when the operator drives the robot manually or triggers an audio address in real time. Latencies above 500 ms make bidirectional voice unusable.

On the PSIM side, Genetec Security Center, Milestone XProtect and Advancis WinGuard are the three systems we encounter most often. For each, an integration description is available that allows standard mappings without custom engineering. Anyone running a proprietary PSIM plans 2 to 5 engineering days.

Encryption: TLS 1.3 for all data flows. The control channel additionally uses mTLS with two-sided certificate validation, so no unverified third party can issue movement commands. The OT network (robots, sensors) and the IT network (control room, office) are connected via separate VLANs, the transition runs exclusively over the firewall with explicitly whitelisted control room IPs.

Fallback is mandatory. Every robot carries an LTE modem with its own SIM and fixed APN. If the site Wi-Fi fails, the alarm channel remains available. The bandwidth is enough for event notifications and a reduced video clip of 10 seconds at 720p.

Next step: check the protocol matrix against your own VMS, details in the hybrid setup in the industrial park.

Alarm Verification: From Sensor Event to Deployment Decision

Two-stage verification is the core of the process. Stage 1: the robot detects an event, classifies it, sends a structured event plus a 10-second video clip to the control room. Stage 2: the operator views the clip, checks the classifier score and decides in under 30 seconds whether the result is false alarm, observation or escalation.

Observation means: the robot stays on site, keeps the optics on the event, sends continuous video. Escalation means: the operator triggers the matrix, police or plant fire brigade are notified, a human patrol responder moves in.

Bidirectional audio addressing via the robot loudspeaker is the most effective tool to reduce on-site deployments. In pilot projects we documented drops of 60 to 70 percent when the operator triggers an address within 20 seconds. People who do not belong on the site leave in more than two-thirds of cases without further action.

Thermal person detection on the QR-2 for 24/7 outdoor areas delivers a classifier score between 0 and 1. Values above 0.85 trigger an event but do not trigger an automatic alarm. The decision stays with the human. Hard triggers without verification produce false alarm rates in practice that every NSL rejects.

The escalation matrix is in writing. It lists four addressees in sequence for each event class: police (110 or direct KRITIS phone line), plant fire brigade, site manager with mobile number, executive management as the last stage. Every acknowledgement is stored in the audit log with timestamp, operator ID and event reference.

Next step: request the escalation matrix as a document and align it with your own guard operations.

Staffing: Who Sits at the Control Room at Night

The proof of competence under §34a GewO is mandatory for every operator at a security control room. The Sachkundeprüfung covers property offences, self-defence law and data protection. Anyone assessing alarms without Sachkunde puts the operator's trade licence at risk.

In our setup one operator monitors 4 to 8 robots in parallel without documented quality loss. Above 8 robots, response time rises measurably, verification under 30 seconds is no longer stable. Scaling is linear, not logarithmic: anyone running 16 robots plans two workstations.

Shift models are 3x8 or 2x12 with documented handover. The handover log lists open cases, technical anomalies, planned maintenance. Without handover, incidents are lost at shift change, this is the most common process error in the ramp-up phase.

External NSL versus internal control room: the decision criterion is response time SLA and incident volume. Anyone expecting under 5 escalations per month runs cheaper with an external NSL. Anyone expecting over 20 escalations or operating their own plant fire brigade builds in-house.

Cost anchor per BDSW industry data: personnel costs in the security sector run well above 15 euro per hour gross cost. A 24/7 post costs between 15,000 and 25,000 euro per month depending on tariff region and Manteltarifvertrag. This figure is the benchmark for every robot calculation.

Next step: run your own staffing model against the guard service TCO comparison.

Legal Framework: NIS-2, KRITIS Umbrella Act and Control Room Duties

NIS-2 obliges affected entities to report security-relevant incidents within defined deadlines (Directive EU 2022/2555). The initial report is due within 24 hours, the full report within 72 hours. The control room is the operational place where this deadline is missed or met. Anyone without automatic incident classification misses the 24-hour mark.

The KRITIS-Dachgesetz (KRITIS Umbrella Act) defines physical protection duties and proof requirements for operators of critical facilities. It complements the KritisV with thresholds for classification as critical infrastructure. A robot control room connection is a physical-digital protection measure within the meaning of the law, it must be evidenced.

The audit trail is not negotiable. Every alarm, every acknowledgement, every escalation is stored with operator ID, timestamp, event reference and decision rationale. Retention period 1 to 3 years depending on incident category, longer for criminal relevance.

GDPR ties video data to a purpose. Standard retention in the robot backend is 72 hours. Anyone storing longer needs a documented legal basis, usually a risk assessment coordinated with the supervisory authority. EN ISO 13482 is the reference for safety requirements for personal care and service robots and supplies arguments for the risk assessment of mobile robotics.

Works council: codetermination under §87 BetrVG applies to any technical device suitable for monitoring behaviour or performance of employees. Person detection by robots is subject to codetermination, even if it technically targets intruders. Works agreement before rollout, not after.

Next step: check compliance status against the NIS-2 compliance requirements.

Implementation in 14 Days: Practical Rollout Plan

Day 1 to 3: network assessment. IT and OT owners define VLAN structure, firewall rules, static IP for the control room endpoint. LTE fallback is tested with APN and SIM activation. Output: network diagram with all data flows.

Day 4 to 7: API mapping. The Quarero backend is connected to the PSIM, standard mappings for Genetec, Milestone, Advancis are available. Test alarms run in maintenance mode, they reach the control room as a marked test event, not as a real alarm. Latency measurement across all paths.

Day 8 to 10: operator training. Two full days per operator, not two hours. Content: robot-specific event types, classifier score interpretation, audio address, escalation matrix, audit log. Completed with a knowledge test and a practical exam.

Day 11 to 13: live trial alarms. At least three alarms per 24-hour cycle, distributed across day, dusk and night. Documentation of response times, verification duration and escalation decisions. Deviations above target values are recorded in a defect list.

Day 14: acceptance protocol. It confirms the SLA values, the defect list is closed, regular operations start. From this point on, incidents count as KRITIS-relevant and are subject to the NIS-2 reporting deadline.

Next step: request the rollout plan template and align it with your own IT.

Cost Calculation: What the Integration Costs in Total

A QR-2 with full control room connection costs 3,500 euro per month under the Robotics-as-a-Service model. This figure covers hardware, maintenance, software updates, cloud backend and NSL connection per SIA DC-09. No CapEx applies, the contract typically runs 36 months.

One-time integration costs are 0 euro for standard PSIM connection (Genetec, Milestone, Advancis). For custom setups or proprietary VMS systems, the operator plans 2 to 5 engineering days at standard daily rates. This investment occurs once, not per robot.

The benchmark remains the conventional 24/7 post. With gross cost per BDSW data and Manteltarifvertrag, a staffed guard post around the clock comes to around 18,000 euro per month. A QR-2 does not replace a post one-to-one, it supplements it and shifts the task profile from Streife to verification.

Hybrid solutions cut total cost most strongly. A QR-2 plus reduced human patrol service (about 2 instead of 4 posts) reduces TCO by 40 to 55 percent compared to the pure personnel model. The effect is robust across several industrial park pilot projects we supported between 2023 and 2025.

ROI break-even falls at 6 to 9 months, depending on baseline personnel cost level and the number of posts replaced or reduced. Sites with night and weekend surcharges reach break-even earlier.

Next step: mirror your own cost calculation against the guard service TCO comparison.

Common Mistakes and How to Avoid Them

Mistake 1: procuring a robot without NSL connection. Consequence: improvised escalation by phone via operator, no audit trail conformity, NIS-2 deadline at risk. Counter: close NSL contract and API mapping before hardware delivery.

Mistake 2: compressing operator training to 2 hours. Consequence: false verifications, late escalations, operator frustration. Counter: 2 full training days with live scenarios, written knowledge test, annual refresher.

Mistake 3: no written escalation matrix. Consequence: in a real incident it is unclear who notifies whom and when. Responsibility shifts to the last available supervisor, legal liability becomes diffuse. Counter: matrix as a signed document with executive management, head of guard operations and NSL.

Mistake 4: video retention above 72 hours without documented legal basis. Consequence: GDPR risk with fine potential, reputational damage in a supervisory authority procedure. Counter: set retention to 72 hours, handle exceptions case-by-case with justification.

Mistake 5: false alarm rate not measured. Consequence: detector thresholds are not optimised, operator gets used to false reports, real alarms are statistically masked. Counter: monthly review with rate report, threshold adjustment on a quarterly cycle.

From Pilot to Regular Operations

Control room integration is the point where a robot stops being a demo device and starts being a security trade. Anyone who sets up the interfaces, verification processes and escalation matrix cleanly runs an auditable security service per VdS 3138 and DIN EN 50518. Anyone who cuts corners builds incident risks and compliance gaps into their own operations.