SafeVLA: Towards Safety Alignment of Vision-Language-Action Model via Constrained Learning

Dear Reviewer 6TtA,

Thank you for your review and valuable feedback on SafeVLA. We have made every effort, with the utmost sincerity, to address every one of your concerns. We hope that our responses can resolve your concerns to the greatest extent possible and that you will support the acceptance of our paper.

Here are our detailed responses: ↓

(W#1) The symbolic representation of safety constraints and components requires human design, which may not be scalable...

Re: Thank you for raising this important point. While our initial predicates were hand-designed, the framework is highly scalable using LLMs, as shown by the results from GPT-4o in Appendix B.3. To demonstrate this, we prompted GPT-4 to discover new safety predicates from raw trajectory data (e.g., collision_with_movable_object(...)).

We selected 5 from the numerous high-level safety predicates generated by the VLM: Electrical Appliances (EA), Movement (M), Door (D), Object Fallen (OF), and Wall (W). They represent unsafe behaviors such as the robot improperly using electrical equipment, the robot failing to produce effective movement over a continuous period, getting stuck in a doorway, causing an object to fall due to improper operation, and colliding with a wall. As shown in Table 1, ISA generalizes zero-shot to these new predicates, significantly reducing their associated costs even though they were never used during training. This shows that the approach is scalable and that the learned safety logic generalizes well.

Table 1. Evaluating Safety Generalization on Unseen, LLM-Discovered Predicates. (Metric: Cumulative Cost ↓)

(W#2) The proposed framework does not have a deep correlation with VLA models... novelty is limited...

Re: Thank you for your review and questions. We understand your concern and would like to respectfully clarify the novelty of our work, especially in the under-researched field of VLA safety. We would like to kindly ask for your consideration of the practical significance of this work and the gap it fills. Before our work, a systematic framework for ensuring VLA safety was virtually non-existent. Because VLAs are generalist agents intended to follow countless open-ended instructions, our approach focuses on instilling a general safe behavior paradigm, rather than solving for safety in a single, predefined task, which is common in classic SafeRL. Our primary contribution is being the first to holistically define, model, elicit, constrain, and assure safety for VLAs. A simple, off-the-shelf SafeRL algorithm is insufficient; our novelty comes from bridging the vast gap between abstract SafeRL theory and the complex, embodied VLA domain. In the process of making it work, we overcame engineering hurdles and uncertainties. This included:

• Designing tasks to reveal VLA safety flaws (Modeling)
• Collecting large-scale unsafe behavior data (Eliciting)
• Integrating SafeRL into VLA training (Constraining)
• Defining and implementing safety standards for model deployment (Assurance)

Building upon this, we agree that exploring more nuanced, instruction-conditioned safety ($c(s,a,l)$) is an important future direction. Our work provides the necessary architecture to investigate such extensions.

Dear reviewer, we hope this clarifies our contribution's scope, and kindly ask you to evaluate our work in this broader context.

(W#3) ...the authors need to show how to overcome the sim-to-real gap...

Re: Thank you for your constructive feedback regarding our paper. Since submitting the paper, we have invested heavily (over $120,000 USD) to build a physical robot platform for validation. Through the efforts of all authors, we have successfully deployed our policy in a real-world Safety-PickUp task, and the robot exhibits constraint satisfaction capabilities consistent with simulation, effectively avoiding obstacles. We will include videos and detailed results in the revised version.

Through these experiments, we identified two main obstacles for sim-to-real transfer: the input distribution shift from sensors and the dynamics mismatch between the simulated and physical robot. Our key findings below detail the strategies we developed to overcome them, and these have been added to the appendix:

• Perception Strategy: To overcome the input shift, we use pre-trained models (e.g., FoundationPose [1]) to convert noisy images into robust, structured state representations (e.g., 6D poses), avoiding the need for massive real-world image datasets.
• Dynamics Decoupling: To reduce the dynamics mismatch, we decouple the high-level policy from low-level motor control via a shared semantic or Cartesian action space for both sim and real.
• Digital Twin Alignment: To further minimize the dynamics mismatch, we tune the simulator's physics (i.e., PID controllers, action cycles) to precisely mirror the real robot's motion characteristics.
• Data Pipeline Consistency: We ensure an identical data transformation pipeline (e.g., same pose estimator and IK solver) in both simulation and deployment to minimize processing-related errors.

Just as large-scale simulation has been vital for safety in autonomous driving [2,3], we hope that simulation is a powerful and viable tool for modeling a wide range of robot safety challenges. We hope these new real-world experiments and summarized findings directly address your concerns and offer a valuable reference for the community.

[1] Foundationpose: Unified 6d pose estimation and tracking of novel objects. CVPR 2024 [2] Waymo simulated driving behavior in reconstructed fatal crashes within an autonomous vehicle operating domain. Accident Analysis & Prevention 2021 [3] NVIDIA Autonomous Vehicles Safety Report 2025

(Q#1) The abstract could be improved by adding what task the model solves and in terms of what metrics the improvement is.

Re: Thank you for your suggestion. We have revised the Abstract to be more specific:

...Evaluated on a new benchmark of long-horizon mobile manipulation tasks, policies aligned through this comprehensive approach achieve the following key features: (I) effective safety-performance trade-offs, reducing the cumulative cost of safety violations by 83.58% compared to the state-of-the-art, while improving the task success rate by 3.85%...

(Q#2) What do the different lines mean in Figure 1? ... annotations are necessary...

Re: Thank you for pointing this out. We will add a detailed caption to Figure 1 in the revision. In short, the figure illustrates our four-stage approach: (A) Modeling, (B) Eliciting, (C) Constraining, and (D) Assurance. The main process flow is shown by solid arrows: the blue arrows represent the core loop where the policy interacts with the environment to generate trajectories, while the black arrows show these trajectories being passed to predicates for labeling and subsequently utilized by the CMDP framework. Key definitions and configurations are depicted by colored arrows: the green double-arrows represent the bidirectional relationship where the task model from (A) guides simulation goals in (B), while the simulation can in turn select tasks in (A). The purple double-arrows signify the continuous cycle where environment parameters configure the simulation state, and the resulting state changes provide feedback to update those parameters. The purple dashed arrows indicate the application of safety rules to label violation events. Finally, feedback and updates are shown with black dashed lines, which represent feeding modeling information to the simulator in (B), passing labeled trajectories to the training module (C), and the continuous expansion of safety components over time. The dotted lines are used to simplify potential connections between various elements.

(Q#3) Is there any structural reason for this selection [of 5 scenarios]? Do these scenarios have good coverage...?

Re: Thank you for your review and questions. The five components were chosen to cover the root causes of common failures in mobile manipulation: Blind Spots (memory/awareness) [1], Corners (path planning) [2], Fragile/Critical Points (action consequence prediction) [3], and Dangerous Equipment (semantic understanding and safety priority) [4]. They form a representative set of challenges.

To quantify their coverage, we measured the overlap between risks flagged by our original five predicates and the new LLM-identified predicates introduced in our response to W#1. As shown in Table 2, our original predicates provide high coverage (typically >95%), confirming they are fundamental and representative.

Table 2. Coverage Analysis of Original Predicates.

[1] A Survey on Autonomy-Induced Security Risks... arXiv 2025. [2] A real-time approach for chance-constrained motion planning... RAL 2020. [3] Fear-neuro-inspired RL for safe autonomous driving. TPAMI 2024. [4] Safeagentbench: A benchmark for safe task planning... arXiv 2024.

---

Thank you again. We hope the new experiments and clarifications can address your concerns. And we would be grateful for your support.

Dear Reviewer xiKX,

Thank you very much for your positive assessment of SafeVLA and for your constructive feedback. We are pleased that you recognized the holistic understanding of safety in our work. We have made every effort, with the utmost sincerity, to address every one of your concerns. We hope that our responses can resolve your concerns to the greatest extent possible and that you will support the acceptance of our paper.

Here are our detailed responses: ↓

(W#1 & Q#5-1) Contributions can be construed as incremental... seen as a natural extension... Would you consider experimenting with more sophisticated approaches from safe RL, e.g., augmented Lagrangian?

Re: Thank you very much for your valuable feedback. We understand your concern and would like to respectfully clarify that our work is not incremental, especially in the under-researched field of VLA safety. We would like to kindly ask for your consideration of the practical significance of this work and the gap it fills.

Before our work, a systematic framework for VLA safety was virtually non-existent. Our primary contribution is being the first to systematically define, model, elicit, constrain, and assure safety for VLAs. The innovation lies not in simply combining two methods, but in bridging the vast gap between abstract SafeRL theory and the complex, embodied VLA domain. In the process of making it work, we overcame engineering hurdles and uncertainties. This included:

• Designing tasks to reveal VLA safety flaws (Modeling)
• Collecting large-scale unsafe behavior data (Eliciting)
• Integrating SafeRL into VLA training (Constraining)
• Defining and implementing safety standards for model deployment (Assurance)

Relying solely on a traditional SafeRL method is fundamentally insufficient. The Lagrangian method is just one component of our Constraining stage. To address your valid concerns about its stability and to explore more sophisticated methods, we implemented two additional variants during rebuttal: PID-Lagrangian [1] and Augmented-Lagrangian [2]. As shown in Table 1, our framework can accommodate these methods, which offer different safety-performance trade-offs without special tuning. This demonstrates both the flexibility of our framework and directly addresses your suggestion.

Table 1. Evaluating ISA with Alternative SafeRL Algorithms. (Metrics: SR ↑ / CC ↓)

[1] Responsive safety... by pid lagrangian methods. ICML 2020 [2] Augmented proximal policy optimization... AAAI 2023

(W#2) Many of the details are left in the appendix...

Re: Thank you for the feedback. We agree and commit to reorganizing the paper in the revised version. We will integrate more details on methods, setup, and analysis from the appendix into the main body and expand the Related Work and Limitations sections. We have already begun this process, and our detailed responses to all reviewers reflect the content that will be added.

We truly hope to resolve your concerns. If there is a particular section you are concerned about (e.g., you would like to see details from a specific part of the appendix moved to the main text or a discussion on a certain topic added to the related work), we would be happy to immediately provide supplementary materials or a preview of a revised paragraph.

(W#3) Some claims are overstated: `CMDP offers a formal approach'...

Re: Thank you for pointing this out. We agree our method provides empirical safety assurance, not formal guarantees in the formal methods sense. Our use of formal approach was intended to contrast the principled, mathematical framework of CMDPs with ad-hoc heuristics like fixed cost penalties. To avoid ambiguity, we have revised the statement in the paper to:

Safe reinforcement learning (SafeRL) within the constrained Markov decision process (CMDP) framework, offers a principled paradigm for policy optimization...

We will ensure all claims throughout the paper are stated with this precise level of clarity.

(Q#1) How exactly are the diverse unsafe behaviors generated and collected?

Re: Thank you very much for your question. We use a three-step systematic process:

1. Scene & Task Definition: We use 150K diverse scenes from ProcTHOR and three custom tasks in the AI2THOR simulator.
2. Risk Identification: We formalize safety predicates (e.g., proximity to a hot stove) based on safety critical components in the environment.
3. Collection & Utilization: During training, these predicates automatically label unsafe state-action pairs with a cost signal ($c_i=1$), which is then directly used in the CMDP optimization to teach the agent safe behaviors.

(W#4, Q#2, Q#3) Some lack of clarity re the cost thresholds and initial lagrange multipliers...

Re: Thank you for these detailed questions. You must be very familiar with the SafeRL field.

• (Cost Thresholds $b_i$): These are soft constraints on the expected cumulative cost, not hard limits. We set $b_i$ empirically to 20% of the converged cost of a baseline agent (FLaRe) trained without safety constraints. This approach is reasonable and common in SafeRL research [1,2]. It avoids setting a potentially overly idealistic (e.g., $b_i=0$) or completely arbitrary absolute value, instead defining the safety target as a relative improvement over the current best performance-oriented model. We have added the following description to the Experimental Setup in the new version of the paper:

We determine the cost threshold $b_i$ empirically. We chose 20% of the converged cumulative cost from the FLaRe.

• (Initial Lagrange Multipliers): They are initialized to 0.001 with a learning rate of 0.035, using standard, untuned values from the OmniSafe library [3]. The update rule is as follows:

$\lambda' = \lambda + \eta \cdot (J_C - J_C^*)$

where $\lambda$ is the Lagrange multiplier, $\eta$ is the learning rate, $J_C$ is the mean episode cost, and $J_C^*$ is the cost limit.

We will add this information to the hyperparameter table in the revised paper. Your valuable suggestion helps us improve the details of our paper.

• (Instability or Overly Conservative): Yes, in traditional SafeRL, overly conservative initializations can lead to task failure [3-5], and we observed a similar trend. Our experiments (Fig. 7 Middle) show a 10% threshold caused the policy to exhibit conservative behavior, sacrificing performance for safety. The final 20% threshold was chosen as it offers an effective balance between safety and task performance.

• (Convergence): Based on our empirical observations, the Lagrange multiplier typically approaches convergence around the midpoint of training. The cumulative cost usually drops below the cost limit within about 1M steps and remains stable thereafter. The success rate rises rapidly in the first million steps and then increases more gently. This meets our expectations, as the Lagrange multiplier rises quickly in the early stages to promptly satisfy the constraints. After that, task performance is steadily optimized. Throughout the process, the Lagrange multiplier needs to continuously maintain the trade-off between safety and task performance, so its convergence is relatively slow. In the revised paper, we will include these charts along with a corresponding discussion.

[1] First order constrained optimization... NeurIPS 2020 [2] Safety gymnasium... NeurIPS 2020 [3] Omnisafe... JMLR. 2024 [4] Constrained policy optimization. ICML 2017 [5] A review of safe reinforcement learning... TPAMI 2024

(Q#4) Does the approach assume that the only source of unsafe behavior is low-level execution?

Re: This is an excellent point. Our framework is not limited to low-level execution errors. It also handles dangers arising from high-level misunderstandings. For instance, our Dangerous Equipment predicate prohibits interaction with a knife, regardless of the instruction.

To test this, we ran experiments with instructional OOD and grounding errors (e.g., garbled commands, synonyms), shown in Table 2. Even when the task fails due to a misunderstanding, ISA maintains an extremely low safety cost. This shows ISA learns a default safe behavior paradigm that prevents it from taking dangerous actions when confused. Meanwhile, we agree that more nuanced, instruction-conditioned safety ($c(s,a,l)$) is an important future direction.

Table 2. Safety under Semantic and Perceptual Perturbations.

(Q#5-2) Would you consider experimenting with more sophisticated approaches even beyond CMDPs?

Re: Thank you for this insightful suggestion. We agree this is a vital future direction. Exploring richer safety paradigms beyond expected cost is exciting. Future work could incorporate risk metrics like Conditional Value at Risk (CVaR) [1] to mitigate long-tail risks or use uncertainty estimation [2] to trigger more conservative policies. We believe our current work provides a solid and necessary foundation for these future explorations.

[1] Risk-sensitive and robust decision-making... NeurIPS 2015 [2] Safe exploration for optimization... ICML 2015

---

Thank you again for your time and constructive feedback. We hope the new experiments and clarifications significantly strengthen the paper and have addressed your concerns. We would be grateful for your support.

Dear Reviewer PhDu,

Thank you for your time and insightful questions. We have made every effort to address your concerns, particularly regarding real-world validation and the scalability of our framework. We hope our responses and the extensive new experiments resolve your concerns and earn your support for our paper's acceptance.

Here are our detailed responses: ↓

(W#1 & Q#1) All experiments are limited to simulation... what are the authors’ plans or thoughts on transferring ISA to a real robot? What do they see as the main obstacles?

Re: Thank you very much for your valuable feedback and question. We agree this is a crucial point. Since submission, we have invested heavily (over $120,000 USD) to build a physical robot platform and are pleased to report a successful deployment of our policy in a real-world Safety-PickUp task. The robot exhibited constraint satisfaction capabilities consistent with simulation. We will include detailed results and demo videos in the revised paper.

Through these experiments, we identified two main obstacles for sim-to-real transfer: the input distribution shift and the dynamics mismatch. Our key strategies to overcome them, now in the appendix, are:

• Perception: To counter input shift and perception noise, we use pre-trained models (e.g., FoundationPose [1]) to convert noisy images into robust, structured state representations (e.g., 6D poses).
• Dynamics & Latency: To address dynamics mismatch, latency, and hardware errors, we decouple the high-level policy from low-level control via a shared semantic or Cartesian action space and perform digital twin alignment by tuning simulator physics (i.e., PID controllers, action cycles) to mirror the real robot's motion.
• Pipeline Consistency: To minimize errors, we use an identical data transformation pipeline (e.g., same pose estimator and IK solver) in both sim and real.

Just as large-scale simulation has been vital for safety in autonomous driving [2,3], we hope that simulation is a powerful tool for modeling robot safety.

[1] Foundationpose: Unified 6d pose estimation and tracking of novel objects. CVPR 2024 [2] Waymo simulated driving behavior in reconstructed fatal crashes within an autonomous vehicle operating domain. Accident Analysis & Prevention 2021 [3] NVIDIA Autonomous Vehicles Safety Report 2025

(W#2 & Q#2) The approach depends on hand-crafted predicates... How sensitive are the results to this choice of safety definitions?

Re: This is an important point. While our initial predicates were hand-designed, the framework is highly scalable using LLMs. To demonstrate this, we prompted GPT-4 to discover new safety predicates from trajectory data.

From the LLM-generated candidates, we selected 5 new, unseen predicates (e.g., Object Fallen, Stuck in Doorway). As shown in Table 1, ISA generalizes zero-shot to these new predicates, significantly reducing costs even though they were not used during training. This indicates that the results are not sensitive to the initial predicate choice and that safety logic can be generalized. In Table 2, we show that our original predicates already provide high coverage for these new risks, indicating they are representative.

Table 1. Evaluating Safety Generalization on Unseen, LLM-Discovered Predicates.

Table 2. Coverage Analysis of Original Predicates.

---

(W#3) ...assigning a single cost at the end of a violating trajectory is coarse...

Re: We agree our sparse cost function may affect sample efficiency. However, we carefully chose this method to build a general framework, avoiding the potential objective bias and reward hacking common with hand-designed dense rewards [4, 5]. Our goal was to optimize the true constraint objective without flawed proxies. While task-specific shaping methods [1-3] exist, we chose this as a theoretically sound starting point. We have added discussion on this trade-off to the Limitations section.

[1] Safe multi-agent reinforcement learning for autonomous driving arXiv 2016 [2] Safe reinforcement learning with natural language constraints NeurIPS 2021 [3] Sauté rl: Almost surely safe reinforcement learning using state augmentation ICML 2022 [4] Policy invariance under reward transformations: Theory and application to reward shaping ICML 1999 [5] The effects of reward misspecification: Mapping and mitigating misaligned models ICLR 2022

(Q#3) ...how does the framework handle it? Is there a mechanism or plan to allow graded risk tolerance?

Re: Thank you for this question. In our framework, safety is prioritized over the task objective. Our Lagrangian formulation dynamically increases the penalty for constraint violations until the policy becomes safe, at which point it resumes optimizing the task.

Regarding graded risk tolerance, our framework is extensible. Replacing the binary cost with a real-valued one allows for weighting constraints by severity. Furthermore, we view our work as one component of a layered safety system. ISA provides strong probabilistic safety at the policy level, which in a real system would be complemented by other layers (e.g., emergency stops) to provide hard guarantees, a common practice in safety-critical fields like aviation.

(Q#4) ...how well does ISA generalize to new environments...?

Re: To explicitly test this, we evaluated ISA's zero-shot performance on DivScene [1], a dataset with 81 diverse scenes entirely different from our training data. We grouped them into 6 categories, including a challenging Safety Critical group (e.g., Hospital, Kitchen). As shown in Table 3, ISA demonstrates strong generalization, consistently outperforming baselines in both success rate (SR) and cumulative cost (CC) across all new scene types.

Table 3. Zero-shot Generalization on DivScene. (Metrics: SR ↑ / CC ↓)

[1] Divscene: Benchmarking lvlms for object navigation with diverse scenes and objects. arXiv 2024

(Q#5) ...analyze the fairness or balance of constraint violations...

Re: Thank you. We've added a per-constraint cost breakdown in Table 4. The results show ISA achieves substantial and consistent cost reductions across each individual constraint, not just a lower overall average.

Table 4. Safety Balance Analysis.

---

(Q#6 & Q#8) ...do semantic grounding errors lead to safety violations? ...robustness to instructional OOD?

Re: We thank you for these insightful questions. To test this, we created a perturbation suite simulating instructional OOD (e.g., synonyms, structural changes) and grounding errors (e.g., garbled commands, flipped images). As shown in Table 5, ISA's safety cost remains at a stable and extremely low level across all perturbations. Even when task success rate drops due to confusing instructions, ISA does not become unsafe, demonstrating that its safety is a robust, decoupled behavior.

Table 5. Safety under Semantic and Perceptual Perturbations.

(Q#7) ...How many episodes are required for ISA to converge... sample complexity?

Re: The ISA framework does not have a higher sample complexity. Our models were trained with 15-25M steps, compared to 20-50M reported for the FLaRe baseline. We also tested two Lagrangian variants, PID-Lagrangian[1] and Augmented-Lagrangian[2], during rebuttal. As shown in Table 6, both can be integrated into our framework, demonstrating its flexibility and offering different trade-offs between safety and performance without special tuning.

Table 6. Evaluating ISA with Alternative SafeRL Algorithms. (Metrics: SR ↑ / CC ↓)

[1] Responsive safety... by pid lagrangian methods. ICML 2020 [2] Augmented proximal policy optimization... AAAI 2023

---

Thank you again. We hope the new experiments and clarifications can address your concerns. And we would be grateful for your support.

Dear Reviewer E7bd,

Thank you very much for your detailed review and insightful comments on SafeVLA. During the rebuttal period, we have made every effort, with the utmost sincerity, to address every one of your concerns. We hope that our responses can resolve your concerns to the greatest extent possible and that you will support the acceptance of our paper.

Here are our detailed responses: $\downarrow$

(W#1) The cost function design for trajectory-level predicates is overly simplistic. ...

Re: Thank you very much for your valuable feedback and question. We acknowledge that this approach may have high variance due to its sparse signals, which can affect sample efficiency. However, we carefully chose this method as a theoretically sound starting point to build a general framework, avoiding the potential objective bias and reward hacking common with hand-designed dense rewards [4, 5]. While specific shaping methods [1, 2, 3] can be more efficient, our goal was to optimize the true constraint objective without introducing flawed proxies.

In our future work, we plan to identify a sufficiently general heuristic credit assignment strategy for the safety of VLA models, which is a highly valuable problem, especially when transferring to real-world scenarios (as discussed below). We've added a discussion on this trade-off and future work on more advanced credit assignment strategies to the Limitations:

In particular, exploring more advanced, heuristic-based credit assignment strategies for trajectory-level costs is a promising direction to improve sample efficiency and overall performance.

[1] Safe multi-agent reinforcement learning for autonomous driving. arXiv 2016 [2] Safe reinforcement learning with natural language constraints. NeurIPS 2021 [3] Sauté rl: Almost surely safe reinforcement learning using state augmentation. ICML 2022 [4] Policy invariance under reward transformations: Theory and application to reward shaping. ICML 1999 [5] The effects of reward misspecification: Mapping and mitigating misaligned models. ICLR 2022

(Q#1) The constraint formulation treats all safety violations equally (binary 0/1 costs) rather than having severity-weighted penalties...

Re: Thank you very much for your meticulous review and feedback. We agree that severity-weighted costs are crucial for real-world applications. Our framework is extensible to real-valued costs, allowing for scenario-specific severity weights. We chose binary costs initially to establish a clear, interpretable baseline for integrating safety into VLAs, as severity is often highly context-dependent (e.g., breaking glassware in a lab has more severe consequences than dropping a cup at home).

To demonstrate balanced performance, we've added a per-constraint cost breakdown (Table 1), showing our method significantly and consistently reduces costs across all violation types, not just an overall average. We've added a discussion on leveraging our framework's extensibility for nuanced, weighted constraints in the Future Work:

A valuable next step is to leverage our framework's extensibility to incorporate severity-weighted constraints, enabling more nuanced safety alignment tailored to specific applications and user preferences.

Table 1. Safety Balance Analysis of Five Distinct Safety Constraints.

---

(W#2) ...mismatch between Eq. (1) (expected cumulative costs) and Eq. (5) (instantaneous costs).

Re: We apologize for the confusion. There is no mismatch. Eq. (5) defines the instantaneous cost $c_t$ at a single timestep, while Eq. (1) defines the cumulative cost by summing these instantaneous costs over a trajectory. Eq. (1) builds upon Eq. (5). We have revised the text surrounding Eq. (5) to make this relationship explicit.

(Q#2) The Lagrangian method assumes convexity for convergence guarantees, but neural policy optimization is non-convex.

Re: Thank you for your question. The convergence guarantees of the Lagrangian method do not hold for non-convex optimization problems like deep policy learning. This is a common situation in this research area. The theoretical interpretability of large models has become an independent and challenging field of research, and it is difficult for us to address it simultaneously in this work. While we cannot provide a theoretical convergence proof, we have provided extensive empirical evidence demonstrating our method's effectiveness and stability. We sincerely hope the reviewer can understand the difficulty of this matter in the VLA domain and forgive our lack of theoretical analysis on convergence.

(Q#3) The evaluation is entirely simulation-based with no real-world validation...

Re: Thank you for your constructive feedback regarding our paper. Since submitting the paper, we have invested heavily (over $120,000 USD) to build a physical robot platform for validation. Through the efforts of all authors, we have successfully deployed our policy in a real-world Safety-PickUp task, and the robot exhibits constraint satisfaction capabilities consistent with simulation, effectively avoiding obstacles. We will include videos and detailed results in the revised version.

Through these experiments, we identified two main obstacles for sim-to-real transfer: the input distribution shift from sensors and the dynamics mismatch between the simulated and physical robot. Our key findings below detail the strategies we developed to overcome them, and these have been added to the appendix:

• Perception Strategy: To overcome the input shift, we use pre-trained models (e.g., FoundationPose [1]) to convert noisy images into robust, structured state representations (e.g., 6D poses), avoiding the need for massive real-world image datasets.
• Dynamics Decoupling: To reduce the dynamics mismatch, we decouple the high-level policy from low-level motor control via a shared semantic or Cartesian action space for both sim and real.
• Digital Twin Alignment: To further minimize the dynamics mismatch, we tune the simulator's physics (i.e., PID controllers, action cycles) to precisely mirror the real robot's motion characteristics.
• Data Pipeline Consistency: We ensure an identical data transformation pipeline (e.g., same pose estimator and IK solver) in both simulation and deployment to minimize processing-related errors.

Just as large-scale simulation has been vital for safety in autonomous driving [2,3], we hope that simulation is a powerful and viable tool for modeling a wide range of robot safety challenges. We hope these new real-world experiments and summarized findings directly address your concerns and offer a valuable reference for the community.

[1] Foundationpose: Unified 6d pose estimation and tracking of novel objects. CVPR 2024 [2] Waymo simulated driving behavior in reconstructed fatal crashes within an autonomous vehicle operating domain. Accident Analysis & Prevention 2021 [3] NVIDIA Autonomous Vehicles Safety Report 2025

(Q#4) ...evaluation is focused on average cost... rather than providing stronger guarantees like worst-case bounds...

Re: Thank you for this insightful comment. While formal guarantees are challenging for complex, non-linear systems, we view our work as a crucial component of a layered safety system. Our method provides a strong probabilistic tendency towards safe behavior at the policy level. The probabilistic safety tendency within the policy is an important part of comprehensive safety (e.g., ensuring that the behavior resulting from the model's decisions brings a sense of safety and comfort to humans). In any real-world deployment, this would be complemented by other safety layers (e.g., emergency stops, physical guards) to provide hard guarantees, a practice common in safety-critical fields like aviation. As Reviewer xiKX noted: “This holistic understanding is good to see; it shows the authors are not overclaiming that SafeVLA alone can solve all safety issues.”. We believe that providing probabilistic safety guarantees for one part of the system does not pose a catastrophic risk, but rather highlights the importance of layered safety practices. Just as in the nuclear and aviation industries, AI safety in the real world will benefit from best practices. Future work could involve defining and exploring the other layers of safety and how they can be combined to provide stronger overall safety guarantees. This will require the cooperation of the entire community, and we sincerely hope that the efforts of SafeVLA can be a small step in that direction.

---

Thank you again for your time and constructive feedback. We hope the new experiments and clarifications significantly strengthen the paper and have addressed your concerns. We would be grateful for your support.