
Robotics RFP Template: Model for Auditable Tenders

Robotics RFP template with concrete answer modules, evaluation matrix, and SLA specs for security managers in industry and KRITIS.

Dr. Raphael Nagel (LL.M.)
Investor & Author · Founding Partner

Security robotics tenders rarely fail on price. They fail on undefined mandatory fields, missing SLA definitions, and evaluation matrices that make technology interchangeable with price. This post provides a robotics RFP template with concrete formulations that security managers and procurement managers can adopt directly into their own specification documents.

Robotics RFP Template: Structure of an Auditable Tender

A security robot tender requires seven mandatory fields. First: deployment scenario (perimeter patrol, indoor patrol, drone detection). Second: terrain type (paved, unpaved, mixed). Third: operating hours (24/7, night-only, weekends). Fourth: interfaces to the control room (fire alarm system, access control, video management). Fifth: SLA expectation (response time, availability). Sixth: contract duration. Seventh: pilot phase.

Separate technical mandatory requirements from commercial criteria. Technical mandatory requirements are binary: LiDAR range of at least 40 metres, thermal detection distance for persons of at least 80 metres, protection class IP65 or higher. Commercial criteria are scalable: OpEx per month, contract duration, notice periods, penalties.

Name the normative basis. EN ISO 13482 is the normative basis for the safety of personal care and service robotics. For autonomous outdoor systems, the EU Machinery Regulation 2023/1230 with CE conformity and risk assessment applies in addition. Both standards belong in the patrol robot specification document, not as recommendations, but as exclusion criteria.

The evaluation matrix follows four weightings. 40 percent technology (sensors, detection performance, interfaces). 25 percent law and compliance (KRITIS, NIS-2, GDPR, CE). 20 percent SLA (response time, availability, escalation). 15 percent price. Any buyer weighting price above 20 percent ends up purchasing on a person-based model.

Plan a pilot phase of 30 to 90 days before the full contract. No pilot, no full contract: this belongs as a clause in the RFP cover letter. Next step: TCO comparison with manned guarding (Wachschutz) for justifying the robotics option to the supervisory board.

Technical Answer Modules for QR-1, QR-2, and QR-3

A RaaS specification document requires model-specific answers. For QR-1 the standard answer is: RGB camera with 4K resolution, audio sensors with glass-break and gunshot detection, deployment area indoors and light outdoor areas (covered areas, warehouses, parking decks). Monthly rate €3,200 including maintenance.

For QR-2: 24/7 outdoor operation, thermal imaging camera with person detection up to 80 metres, IP65 protection, autonomous navigation on paved and partially paved routes. Monthly rate €3,500. Details on sensor specifications and deployment profile in the QR-2 for 24/7 outdoor operation data sheet.

For QR-3: LiDAR with 360-degree coverage, drone detection via RF sensors and acoustic classification, and KRITIS suitability per BSI IT-Grundschutz. Monthly rate €3,800. Specifications at QR-3 with drone detection.

Interfaces are non-negotiable. Integration with existing control rooms is via open protocols (ONVIF Profile S/T, MQTT, REST API with OAuth2). No proprietary lock-in. Any RFP response offering proprietary cloud connectivity without a local bridge is eliminated from the shortlist.

Power supply via autonomous charging station, inductive or contact-based. Availability above 98 percent annually including charging times. Maintenance windows are fixed in the SLA, not decided during operations.

Legal and Regulatory Answers

A KRITIS robotics tender examines five compliance areas. The KRITIS-Dachgesetz requires operators to implement structural and technical resilience and incident reporting. The RFP response must address Section 9 of the draft: documented resilience evidence, redundancy of the patrol function, protection against physical sabotage of the robot itself.

NIS-2 conformity concerns the IT side. The NIS-2 Directive defines reporting obligations within 24 hours for significant security incidents. Answer module: network segmentation of the robot in its own VLAN, complete logging of all sensor events and operator actions for at least 12 months, automated incident reporting to the internal SOC within 24 hours. Details at NIS-2 requirements.

GDPR conformity is Privacy by Design. Local processing of image data on the robot, no transfer to third countries without an adequacy decision, encryption in transit (TLS 1.3) and at rest (AES-256). The processing register and data protection impact assessment are available before contract conclusion.

Machinery Regulation 2023/1230: CE marking, declaration of conformity, risk assessment per EN ISO 12100, technical documentation archived for at least 10 years. BSI IT-Grundschutz reference for safety-critical components, in particular modules APP.4.4 (Kubernetes), NET.1.1 (network architecture), SYS.4.5 (removable media).

Checklist with audit points for preparation: KRITIS-Dachgesetz checklist.

SLA Answers: Response Time, Availability, Escalation

SLA clauses determine operational quality. Response time on alarm: under 8 seconds from sensor event to control room notification. Measured via automatic telemetry, not spot checks. Penalty for breach: €500 per hour during which response time exceeds 8 seconds.

Availability of the patrol function: at least 98 percent monthly. Graduated penalties for shortfall: 98–95 percent means monthly fee minus 10 percent, 95–90 percent minus 25 percent, below 90 percent triggers extraordinary termination rights. Unplanned outages due to hardware failure count against availability; scheduled maintenance windows do not.
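The response-time and availability clauses above, computed from telemetry records, as an added example that is not code from the supplier or the original post. The record layout, the sample data, the billing of each clock hour with a late alarm, and the handling of values exactly on a tier boundary are assumptions.

```python
from datetime import datetime, timedelta

RESPONSE_LIMIT_S = 8          # sensor event to control room notification
PENALTY_PER_HOUR_EUR = 500

def response_penalty(alarms):
    """alarms: (sensor_event, control_room_notification) timestamps from telemetry.
    Assumption: every clock hour containing at least one late alarm is billed once;
    an alarm that never reached the control room (None) counts as late."""
    late_hours = set()
    for sensed, notified in alarms:
        if notified is None or (notified - sensed).total_seconds() > RESPONSE_LIMIT_S:
            late_hours.add(sensed.replace(minute=0, second=0, microsecond=0))
    return len(late_hours) * PENALTY_PER_HOUR_EUR

def availability_pct(period_start, period_end, outages):
    """outages: (start, end, scheduled). Scheduled maintenance does not count;
    unplanned outages are clipped to the billing period."""
    down = timedelta()
    for start, end, scheduled in outages:
        start, end = max(start, period_start), min(end, period_end)
        if not scheduled and end > start:
            down += end - start
    return 100 * (1 - down / (period_end - period_start))

def availability_consequence(pct):
    """Assumption: a value exactly on a tier boundary falls into the milder tier."""
    if pct >= 98:
        return ("none", 0)
    if pct >= 95:
        return ("fee_reduction_pct", 10)
    if pct >= 90:
        return ("fee_reduction_pct", 25)
    return ("extraordinary_termination_right", 0)

# Constructed telemetry for one 30-day month
T0 = datetime(2025, 6, 1)
ALARMS = [
    (T0.replace(hour=2, minute=15), T0.replace(hour=2, minute=15, second=5)),   # 5 s
    (T0.replace(hour=2, minute=40), T0.replace(hour=2, minute=40, second=12)),  # 12 s
    (T0.replace(hour=2, minute=55), T0.replace(hour=2, minute=55, second=9)),   # 9 s
    (T0.replace(hour=4, minute=10), None),                                      # lost
]
OUTAGES = [
    (T0 + timedelta(days=3), T0 + timedelta(days=3, hours=6), True),    # maintenance
    (T0 + timedelta(days=9), T0 + timedelta(days=9, hours=20), False),  # hardware
]
```

Fixing the counting rule and the boundary handling in the SLA text itself avoids disputes when the monthly report is reconciled.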

On-site service within 48 hours of hardware failure in DACH. Replacement unit on site within 72 hours, identical configuration and firmware version. Without a replacement-unit clause, a security robot tender cannot be accepted for delivery.

Firmware updates without operational interruption. Maintenance windows outside sensitive shifts, defined by the operator's shift model, not by the supplier's standard windows. Updates for security-critical CVEs (CVSS above 7.0) within 14 days, documented in the monthly security report.

Escalation path in three levels. Level 1: control room handles alarm verification and initial response. Level 2: Quarero Operations for technical faults, response time 30 minutes 24/7. Level 3: technical lead for security-critical incidents, response time 60 minutes. Escalation to senior management on both sides within 4 hours for incidents with KRITIS relevance.

Commercial Answers: RaaS Instead of CapEx

The commercial model follows OpEx logic. Monthly rate between €3,200 and €3,800 depending on model. No acquisition cost, no depreciation, no reinvestment after 5 years. Accounted for as other operating expenses, not as fixed assets.

Contract duration 24 months, renewal in 12-month increments. Extraordinary termination for SLA failure below 90 percent availability or upon closure of the site. Ordinary termination with 3 months' notice at the end of the contract term.

Comparison with a manned 24/7 guard post (Posten): €15,000 to €25,000 monthly depending on collective agreement area and qualification level. The BDSW documents collective wage rates and full costs in manned guarding (Wachschutz). The robot does not fully replace the guard post; it relieves it. Realistic scenario: one QR-2 plus reduced staffing presence instead of two full guard posts.

Delivery within 48 hours of contract signature for the pilot phase. No long-lead-time risk as with capital-binding systems with 6–12 months delivery time. This is relevant for KRITIS operators who must respond quickly to a BSI directive or a new threat situation.

Included services at no additional charge: hardware, maintenance, firmware updates, training for control room personnel (8 hours initial, 4 hours annually), public liability insurance up to €5 million, cyber liability insurance up to €2 million. More at Robotics-as-a-Service.

References, Security Concept, and Pilot Phase

References are not optional. Requirement for the supplier: at least three documented references from comparable sectors (energy, logistics, hospitals, industrial chemicals). A reference means: site name available on request, deployment duration in months, model deployed, documented incidents. Marketing logos without detail do not count.

Security concept per BSI methodology is included with the RFP response. Contents: threat analysis for the specific site (not generic), technical and organisational measure catalogue, residual risk assessment, contingency plan for robot failure. Without a site-specific concept, the response is incomplete.

Pilot phase with defined KPIs. Detection rate in standardised test scenarios (person intrusion day and night, vehicle intrusion, drone approach for QR-3): at least 95 percent. False alarm rate below 2 percent per patrol kilometre. Patrol kilometres per shift: at least 12, documented via telemetry.

Termination criteria for the pilot phase must be fixed in writing. Detection rate falling more than 10 percentage points below target over two consecutive weeks, false alarm rate above 5 percent, three or more hardware failures. If a termination criterion is met, the agreement unwinds without penalty for the operator. No verbal commitments: everything goes into the pilot agreement.

Handover workshop with the site manager, security manager, and works council. Co-determination under Section 87(1)(6) of the BetrVG is mandatory when technical monitoring equipment is deployed. Any operator who informs the works council only after contract signature risks an injunction and reputational damage.

Evaluation Matrix and Award Decision

The evaluation matrix is part of the RFP, not an internal document. Points awarded per criterion on a scale of 0 to 10, multiplied by the weighting. Transparent documentation of the weighting in the RFP cover letter.

Concrete distribution. Technology 40 percent: sensors (15), detection performance (15), interfaces (10). Law and compliance 25 percent: KRITIS evidence (10), NIS-2 (8), GDPR (7). SLA 20 percent: response time (8), availability (7), escalation (5). Price 15 percent: monthly rate (10), penalties (5). Total 100.

Exclusion criteria are binary and cannot be offset. Missing CE conformity: exclusion. No GDPR conformity declaration: exclusion. No guaranteed 24-hour incident reporting per NIS-2: exclusion. No references from the required sector: exclusion. These four points belong in the RFP cover letter, not in the evaluation matrix.

Minimum score per category prevents compensation between price and technology. Example: a supplier may not fall below 60 percent of the maximum points in technology, even if it achieves 100 percent on price. Without this rule, procurement ends up with the cheapest supplier who cannot deliver technically.
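The matrix, the four exclusion criteria and the technology floor described above, worked through as an added example (not part of the original post). The three bids, the key names and the function names are constructed; totals are score times weighting, so the maximum is 1000.

```python
# Weights, exclusion criteria and the 60 percent floor are the page's; bids are constructed.
WEIGHTS = {
    "technology": {"sensors": 15, "detection_performance": 15, "interfaces": 10},
    "compliance": {"kritis_evidence": 10, "nis2": 8, "gdpr": 7},
    "sla": {"response_time": 8, "availability": 7, "escalation": 5},
    "price": {"monthly_rate": 10, "penalties": 5},
}
EXCLUSIONS = ("ce_conformity", "gdpr_declaration", "nis2_24h_reporting", "sector_references")
FLOOR_PCT = {"technology": 60}  # the page's example floor; other floors are the buyer's call

def evaluate(bid):
    """Return status, weighted points per category and total (maximum 1000)."""
    missing = [e for e in EXCLUSIONS if not bid["evidence"].get(e, False)]
    if missing:  # binary criteria are checked first and cannot be offset by points
        return {"status": "excluded", "reasons": missing, "total": None}
    per_cat = {}
    for cat, criteria in WEIGHTS.items():
        for crit in criteria:
            if not 0 <= bid["scores"][crit] <= 10:
                raise ValueError(f"{crit}: score must be between 0 and 10")
        per_cat[cat] = sum(bid["scores"][c] * w for c, w in criteria.items())
    # A category floor stops a low price from compensating for weak technology.
    failed = [c for c, pct in FLOOR_PCT.items()
              if per_cat[c] * 100 < pct * 10 * sum(WEIGHTS[c].values())]
    status = "below_minimum" if failed else "eligible"
    return {"status": status, "reasons": failed, "per_category": per_cat,
            "total": sum(per_cat.values())}

def shortlist(bids, size=3):
    """Stage 1: rank eligible bids by total, at most three suppliers."""
    results = {name: evaluate(bid) for name, bid in bids.items()}
    ranked = sorted((n for n, r in results.items() if r["status"] == "eligible"),
                    key=lambda n: results[n]["total"], reverse=True)
    return ranked[:size]

def make_bid(tech, comp, sla, price, **evidence):
    """Constructed helper: one score per category, applied to all its criteria."""
    crits = [c for cat in WEIGHTS.values() for c in cat]
    scores = dict(zip(crits, [tech] * 3 + [comp] * 3 + [sla] * 3 + [price] * 2))
    return {"scores": scores, "evidence": {e: evidence.get(e, True) for e in EXCLUSIONS}}

BIDS = {  # constructed sample bids
    "A": make_bid(8, 8, 8, 5),                       # solid technology, higher price
    "B": make_bid(5, 10, 10, 10),                    # cheapest, weak technology
    "C": make_bid(9, 9, 9, 9, ce_conformity=False),  # strong on points, no CE conformity
}
```

Bid B totals 800 against 755 for bid A, yet only A reaches the shortlist: B falls below the technology floor and C is excluded before any points are counted.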

Two-stage award is standard. Stage 1: shortlist based on documentation, maximum three suppliers. Stage 2: final selection after on-site demonstration with a standardised test scenario (same site, same time of day, same scenarios for all suppliers). The demonstration protocol is countersigned by both parties.

Documentation obligation for the award decision covers internal audit and the supervisory board. Contents: points awarded per criterion and supplier, reasoning for any deviation from the arithmetically highest-scoring supplier, demonstration protocol, evidence of works council involvement. KRITIS operators add a note on the resilience assessment per Section 9 of the KRITIS-Dachgesetz.

Any operator adopting this RFP template into their own procurement process has a solid basis for RFP answers in security technology. For a concrete pilot agreement with defined KPIs and termination criteria: submit a pilot request.
