Robot Operating Manual: Template for Plant Managers

A patrol robot without an operating manual is not a security gain when damage occurs. It is a liability risk. Anyone running an autonomous platform on a plant site must fix deployment limits, responsibilities and responses in writing. This article delivers the chapter structure that a plant manager can adopt directly as a template.

Legal basis for the robot operating manual

The legal basis is unambiguous. The EU Machinery Regulation 2023/1230 requires full operating instructions in the language of the country of use. For autonomous mobile robots that means: a German version on site, not just English in the manufacturer PDF.

Then there is the product standard. EN ISO 13482 defines safety and documentation requirements for personal care robots. Even though a patrol robot does not assist a person, expert assessors routinely apply the standard to staffed outdoor areas where the robot meets people. Anyone ignoring the standard argues without a foothold in dispute.

Third, BetrSichV §12 demands an operating instruction for every work equipment with residual risk. An 80 kg outdoor robot at 6 km/h maximum speed clearly meets this requirement. Fourth, property insurers check after damage whether operation was documented and trained. No signature, no coverage.

Fifth, and this affects plant managers in regulated sectors: at KRITIS sites the manual becomes part of the protection concept. The KRITIS Umbrella Act draft (KRITIS-Dachgesetz) obliges operators to document protection measures under the all-hazards approach. The robot documentation is an annex to the protection concept, not a separate document.

Next step: review the KRITIS requirements for your site and map robot functions to them.

Mandatory chapters in the robot operating manual

An audit-ready manual contains at least twelve numbered chapters. The order is not arbitrary, it follows an auditor's reading path.

1. Platform identification: serial number, configuration level (QR-1, QR-2 or QR-3), installed sensor package, current firmware version with date.
2. Intended use: defined patrol corridors, permitted outdoor temperature window (standard QR-2: minus 10 to plus 45 degrees Celsius), maximum terrain gradient, ground conditions.
3. Foreseeable misuse: passenger transport excluded, towing loads prohibited, operation outside the geofence forbidden. This negative list protects in liability cases.
4. Residual risks: approach to moving hall gates, weather-related failure of the thermal camera in heavy rain, radio shadow zones in underground garages or behind steel facades.
5. Emergency stop concept: physical mushroom button on the device, radio stop via handheld transmitter with defined range, control room override with documented latency limit.
6. Maintenance schedule: intervals for sensor cleaning (daily), battery replacement (cycle count), LiDAR calibration (semi-annual).
7. Deployment parameters (detail chapter, see next section).
8. Interface to the protection concept.
9. Personnel qualification.
10. Incident and maintenance logs.
11. Versioning.
12. Annexes: declaration of conformity, risk assessment, wiring diagrams.

This structure covers EN ISO 13482, the EU Machinery Regulation and BetrSichV. Anyone deviating should justify the deviation.

Documenting deployment parameters

Chapter 7 is the operational core. Most operators fail here because they rely on manufacturer defaults.

The map version is logged with version number and date of the last SLAM update. Example: map v2.4, updated 12.09.2025, released by the technical officer. Patrol routes are stored as polygon exports with waypoints and dwell time. A route without dwell time is not a route, it is a drive-through.

Detection thresholds are recorded per zone. Person detection at the north yard: sensitivity level 3 of 5. Vehicle detection at the entrance: level 4. Drone detection above the tank farm (only QR-3 with LiDAR and drone detection): level 5.

The escalation matrix shows which trigger creates which alert to which recipient role. Person in restricted zone between 22:00 and 06:00: immediate alert to the control room dispatcher, parallel SMS to the on-duty plant security manager. Day/night profiles with different sensitivities and defined blocking periods prevent false alarms during legitimate daytime traffic.

The handover point to the control room belongs in the manual, not in a separate IT document: protocol format (for example MQTT with TLS 1.3), latency limit (standard 2 seconds), acknowledgment requirement within 60 seconds. Without these three values the interface is not auditable.

Next step: clarify whether your deployment profile fits the QR-2 for 24/7 outdoor use or whether you need QR-3.

Interface to the KRITIS protection concept

Under KRITIS obligation the operating manual is not an island. It refers to the threat analysis under §11 of the KRITIS-Dachgesetz draft and maps robot functions as protection measures.

Each robot function is assigned to a protection measure in the all-hazards approach. Thermal camera patrol: measure against arson and unauthorised entry. LiDAR perimeter detection: measure against intrusion. Acoustic anomaly detection: measure against sabotage of equipment. This assignment documents why the robot is part of the security architecture and not a gimmick.

Proof of redundancy is mandatory. A single robot is not a KRITIS-compliant measure. The fallback level is named: a second robot (for example rotating QR-2 platforms), a stationary camera with overlapping coverage, or a physical guard within a defined response window. The manual states who activates the fallback and after what time.

BBK-compliant reporting channels belong as an annex to the manual. The BBK publishes reporting channels and incident classifications for KRITIS operators. These templates are adopted 1:1, not paraphrased.

The data transmission link from robot to control room falls under NIS-2 Article 21. The manual documents the encryption, the key management and the patch regime of the radio link separately. Writing only "encrypted" here means failing the audit.

Next step: read the KRITIS-Dachgesetz checklist 2026 and reconcile the points with your draft manual.

Personnel qualification and induction

Three roles are defined. Operator: performs visual checks, starts and stops the robot, documents shift handovers. Control room dispatcher: receives alarms, escalates per matrix, acknowledges incidents. Technical officer: releases maps, authorises firmware updates, schedules maintenance.

Initial training lasts at least four hours (minimum requirement per DGUV Regulation 1 §4). Content: design and function, emergency stop, escalation matrix, incident documentation, residual risks. Closing with a documented knowledge test, at least ten questions, pass mark 80 percent. Anyone who fails the test does not operate the robot.

The annual refresher covers the current revision status of the manual. If the patrol route was changed in February, it is examination material in May. Training records contain signature, date and chapter list. A blanket "was trained" note is not enough.

The deputy rule for holidays and sickness is set in writing. Without a named deputy with valid training, the robot is taken out of service during the main operator's holiday. This consequence is stated in the manual.

Next step: compare personnel effort with the guard service cost comparison to map the business case cleanly.

Incident and maintenance logs

The logbook is the plant manager's operational life insurance. Each entry contains date, shift, event, response and follow-up action. A false alarm at 03:14 with no documented response is an audit finding.

Classification is four-tier. False alarm: system triggered, cause was not a security-relevant event. True alarm: person, vehicle or anomaly was correctly detected. Technical fault: sensor, drive or radio failed. Maintenance: scheduled or unscheduled work. These four categories are the statistical basis for the quarterly review.

The retention period is at least five years (BetrSichV §14), ten years for KRITIS sites (KRITIS-Dachgesetz draft §21). Digital logs are secured with timestamp and hash so that later manipulation is visible. Paper logs are signed by the dispatcher at shift end.

The quarterly review of the false alarm rate is a mandatory instrument. If the rate exceeds 5 percent of total events (internal limit per VdS 3138), thresholds or routes are adjusted. The adjustment is documented in the manual as a change and re-released.

The maintenance history contains every replaced component with serial number and every firmware version with installation date. After damage the employers' liability insurer reconstructs the configuration at the time of incident. Without a maintenance history this fails.

Versioning and audit readiness

The cover page carries the change index. Columns: sequence number, date, affected chapter, trigger of the change (incident, maintenance, update, audit finding), approver. Without a change index the manual is a snapshot, not a tool.

The distribution list names who holds which version. Plant manager, technical officer, control room, plant security, external auditors. When a new version is issued, the old copies are recalled or locked in the system. Parallel versions in circulation are the most common cause of operator error.

Digital filing sits in the DMS with role-based access rights. A paper emergency copy is kept in the control room in case the IT network fails. The emergency copy is checked quarterly for currency.

Audit readiness comes from a table of contents that references the relevant regulatory requirement. Example: Chapter 5 (emergency stop) fulfils EN ISO 13482 section 5.7 and BetrSichV §10. These cross-references save hours during the audit.

For Quarero fleet updates, automatic version notices from the manufacturer are integrated. In the Robotics-as-a-Service model this update integration is part of the service level. The plant manager must review the notices, approve them and enter them into the change index. The responsibility stays with the operator.

Next step: if you want an existing manual reviewed against this structure, or need support with first-time drafting for perimeter protection for industrial parks, request the operating manual template via the contact form.