Proc. 1st IARP/IEEE-RAS Joint Workshop on Technical Challenge for Dependable Robots in Human Environment, Seoul, May 21-22, 2001, Paper III-4.

E. Dombre*, Ph. Poignet*, F. Pierrot*, G. Duchemin*, L. Urbain**

*LIRMM, UMR 5506 CNRS-Université Montpellier 2, 161 rue Ada, 34392 Montpellier Cedex 05, France

**SINTERS SA, BP 1311, Parc Technologique Basso Cambo, 5 rue Paul Mesplé, 31106 Toulouse Cedex 1, France

Corresponding author: Phone: (33) 4 67 41 85 58, Fax: (33) 4 67 41 85 00

1. Introduction

The key objective of medical robotics is to design, develop and operate intelligent devices aimed at improving health care and quality of life [1]. But it follows immediately that a major characteristic of a medical system is to interact strongly with the human environment, i.e. with people who may be trained or, especially, untrained and whose behavior can be extremely unpredictable. A medical robot is usually a complex system (Figure 1) including a mechanical structure, a man-machine interface (MMI), electronic components and software. All these components are integrated to perform various tasks in a safe manner for daily medical applications. These applications are performed in a very cluttered environment, i.e. with a limited workspace inside or outside the patient's body. It is easily understandable that any fault may become very critical. Safety is therefore a challenging issue in medical robotics. Owing to their interactions with humans, medical robots must function safely and with high reliability.

[Figure 1: Medical mechatronic device (from [1]). Blocks: Patient; Mechanical; Sensors; Drives; Control; Power supply; MMI; Operator]

Up to now, robots used in an industrial environment are usually isolated from the workers, who receive adequate training to interact with them. This is completely different with medical robots. In [2], the authors state the constraints of a surgical environment: i) the work has to be done on a human being with soft tissue; ii) the environment is usually unstructured; iii) each task and its execution is specific to the patient; iv) the robot has to be transportable in and out of the operating room; v) its dimensions have to be reduced; and finally vi) each component has to be sterilized. In [3], Davies suggests detailed safety conditions. The first robots in surgery were industrial robots modified to increase their safety [4], [5]. Today, from the safety point of view, the mechanical arms involved in medical robotics applications are of three types depending on their level of autonomy [6]: (i) passive arms, which are unactuated and have no autonomy; (ii) semi-active arms, for which the power is cut off during critical phases of the task, or for which the actuators are not used directly to guide the robot but rather, as in the synergistic robot PADyC [6], to dynamically limit the workspace for cardiac puncturing; and (iii) active arms, where all joints are actuated and which can perform parts of planned tasks by themselves. When using an active device, as required in many applications, it is better to consider intrinsically safe robots. Intrinsically safe here means that safety constraints are handled from the moment the design of the robot is started.

For a few years, we have been designing and developing various systems for medical applications. The first one, called Hippocrate, is a robotic system that assists doctors when they move ultrasonic probes over the patient's skin while exerting a given effort. The probes are used to monitor arteries for cardiovascular disease prevention and three-dimensional (3-D) artery reconstruction [7]. Current work concerns an original active arm, called SCALPP, for automating skin harvesting under force
control [8]. All these systems are relevant to enhancing the doctor's capabilities in terms of accuracy and reproducibility, but they are active systems. Therefore, they require special attention to satisfy safety constraints in order to be used in operating rooms. Thanks to the SINTERS company's great experience in the design and control of safety and test equipment for the aeronautic industry, we have developed a methodology based on a multi-criterion approach for designing intrinsically safe medical devices.

This paper is organized as follows: section 2 states the problem of safety within the frame of medical robotics; section 3 presents some strategies currently used for medical applications; section 4 is devoted to our methodology developed with the SINTERS company. It will be illustrated through the practical examples of Hippocrate and SCALPP.

2. Problem statement

When analyzing the risks due to a robot, it is necessary to distinguish different levels of hazard [9]:

•    Level 1: the robot has insufficient "strength" to cause injury to a human;
•    Level 2: the robot has the potential to inflict minor trauma to a human;
•    Level 3: the robot has the potential to disable a human;
•    Level 4: the robot has the potential to kill a human.

Industrial robots belong to category 3 or 4, but the risks are usually avoided by protecting the machine workspace from human intrusion. However, it is possible for an operator to enter this workspace under specific conditions without stopping the machine and after disconnecting the protection devices, for instance in manual mode with limited speed for maintenance purposes [10].

In medical robotics, these levels are still valid but the key difference is that a human is always cooperating (surgeon) or interacting (patient) with the robot. Therefore, harsh constraints and specifications have to be considered in the design itself. In the past decade, different strategies have emerged, especially based on technological solutions added to existing industrial robots, as indicated in the next section.

3. Existing strategies

As shown in [3], a medical device guaranteeing a high level of safety may be designed by considering mainly the following principles: i) the degree of redundancy in control and sensing; ii) the possibility of designing an intrinsically safe system; iii) the tradeoff between reliability and safety.

3.1 Redundancy

Increasing information by redundancy should decrease the hazard rating. This redundancy may concern hardware components such as sensors, as well as software, with for instance a handshake between two independent systems. But three major disadvantages may be underlined: firstly, the cost is dramatically increased; secondly, increasing the number of components increases the complexity of the system, which finally decreases its reliability.

3.2 Intrinsically safe

An intrinsically safe design may currently be provided by classical components such as:

•    Actuators with limited power and/or speed, which guarantee safe behavior in case of fault;
•    High reduction gears such as harmonic drives, as for instance in Neuromate [11], a 5-dof robot of Integrated Surgical System [12] dedicated to stereotactic neurosurgery. But high reduction ratios lead to irreversible arms, which is unacceptable in many cases, typically for remote minimally invasive surgical applications;
•    "Dead Man Switch" (DMS) pedal, used by the surgeon to validate the task execution in automatic mode;
•    Watchdog board checking the activation of the control system.

Other specific elements can be added without involving redundancy but guaranteeing safety in active systems.

3.3 Tradeoff between reliability and safety

As mentioned in section 3.1, redundancy induces system complexity, which in turn limits its reliability. Therefore, the designer has to define a tradeoff between reliability and safety. In [13], the authors propose the development of a safety kernel software able to guarantee the respect of some safety rules.
4. Our methodology through two examples

Our methodology will be illustrated through two practical systems, Hippocrate and SCALPP, developed jointly by the SINTERS company and the LIRMM.

4.1 Hippocrate [7]

Hippocrate is a medical robot used at Broussais Hospital in Paris for pathology diagnosis and 3-D reconstruction of arteries with an ultrasonic probe. Special attention has been paid to designing the arm architecture and choosing technological components guaranteeing safety. Each part or sub-part of the robot has been designed considering safety constraints.

4.1.1 Arm technology

Various components contribute to guaranteeing the safety of the active arm:

•    In order to limit the robot velocity, a "harmonic drive" is mounted on each motor output shaft, with high reduction ratios (from 80 up to 160);
•    The first four joints are also equipped with mechanical torque limiters. Practically, the external force on the probe is limited to about 30 N;
•    A parking brake is mounted on joints 2 and 3 in order to prevent the robot from collapsing when the power is off;
•    Step-by-step actuators have been selected. With conventional DC or AC motors, the rotation speed of the motor shaft depends on the output voltage level of the servo amplifier: if a fault occurs, the motor continues to rotate. On the contrary, step-by-step actuators need pulses to rotate;
•    Each joint is equipped with absolute sensors (resolvers);
•    Electrical leads (including the force/torque sensor lead) have been integrated inside the robot arm;
•    Gravity compensation by a passive counterbalancing payload.

4.1.2 Controller securities

Several additional hardware and software securities have been implemented within the controller, providing very good reliability and safety to the whole system. In the following, we describe these securities in order of importance:

•    Three emergency buttons are available (two of them are wired to the control desk, the other is wired to the controller front panel). Any action on one of these buttons immediately switches off the arm power. The arm is powered on only when a software initialization procedure and a restart button are activated;
•    A watchdog board has been developed in order to manage the security from a software point of view. Two redundant circuits wired on the board improve security;
•    Five software processes are running. If one of them is stopped or blocked, the watchdog is deactivated and the process is switched off;
•    If the effort exerted on the probe exceeds a given threshold, the watchdog is immediately deactivated and the power is switched off as well;
•    Software joint limits have been implemented in order to limit the workspace;
•    If a tracking error is detected, the watchdog is immediately stopped and the power is switched off;
•    The action on the Dead Man Switch foot pedal is necessary to authorize any motion;
•    The multiple configuration problem of the arm is prevented in both Cartesian and force control modes. When the robot reaches the vicinity of a singularity, the motion is stopped until it is moved away by the operator.

All these elements contribute to the intrinsic safety of the active robot.

4.2 SCALPP [8]

This current research program concerns the design of a dedicated robot for skin harvesting in reconstructive surgery, which has been developed for Lapeyronie Hospital in Montpellier. Skin harvesting on the human body in order to graft or to culture the sample requires high accuracy in the gesture and is physically very demanding for the surgeon due to the effort he has to exert. It aims at harvesting a strip of skin of constant thickness (a few tenths of a millimeter) with a "shaver-like" device. Besides, it requires a long period of training and has to be practiced regularly (for orthopedic physicians for instance, this gesture is not completely mastered since it may not be a daily operation). According to the burn degree, skin strips may be harvested from different locations on the patient: thighs, buttocks, head (where scars are hidden by hair), under the sole or the armpit. Owing to their shape, some of these locations are more difficult to harvest. All these reasons have been analyzed and justify the robotization of the harvesting task.
A short list of the main security functions or components included in the SCALPP system is given below. It should be noticed that the mechanical, electrical and software safeties are very similar to those of the "Hippocrate" system:

Mechanical safeties

•    "Harmonic drives" with high reduction ratios (from 80 up to 160) mounted on each motor in order to limit the robot velocity;
•    Step-by-step actuators;
•    Absolute sensors (resolvers) for each joint;
•    Gravity compensation.

Electrical safeties

•    Emergency button;
•    Two redundant circuits wired on a watchdog board;
•    DMS pedal.

Software safeties

•    Handshaking of five running processes by the watchdog board;
•    Tracking error analysis;
•    Fast Fourier Transform analysis to detect jamming of the cutter blade;
•    Motion planning for clearing.

4.3 Discussion

From our experience with these two systems, some key recommendations emerge for enhancing the safety of medical robots without extra cost:

•    Firstly, the need for active robots in various applications leads to the necessity of designing intrinsically safe robots without using redundancy, which increases the cost drastically;
•    Secondly, our methodology complies with the FMECA method (Failure Mode, Effects and Criticality Analysis, an official safety method in the aeronautic industry), applied at every step of the industrial project, and with Fault Tree Analysis. We detail hereafter the different steps of this analytical technique applied to the mechanical, electrical and software design of the Hippocrate system.

4.3.1 Mechanical analysis

1.   The first step is to split the complete system into small independent entities by analyzing the mechanical design. For instance, the robot arm (Figure 2) is constituted of n axes ending with a force sensor and supporting a probe holder, the probe being in contact with the patient:

[Figure 2: Mechanical analysis of the Hippocrate robot arm. Chain: Robot Arm → Axis 1 to N → Force sensor → Probe Holder → Patient]

2.   The second step is to divide each part into several functional blocks. Details of one axis of Figure 2 lead to the following decomposition (Figure 3):

[Figure 3: Block decomposition. Axis i: Drive i, Torque limitation i, Reducer axis i, Resolver axis i, Resolver drive i, Bearing axis i, Joint limit]

3.   A systematic study of all possible block failures on the scheme of Figure 3 is then carried out (Figure 4) in order to establish the consequences on the whole system:

| Failure | Failure description and effect | Evaluation of the failure effect on the system | Level of hazard |
| No torque | No torque transmitted | Free axis motion without motor power | Level 2 |
| Integral torque transmission | Torque completely transmitted | Total transmitted motor power. Transmitted torque = Maximum motor torque | Level 3 |
| Mechanical breakdown | No transmitted torque. Axis under gravity effect | Free axis motion without motor power | Level 2 |

Figure 4: Block failure analysis

The risk levels are defined with respect to the levels described in section 2.

4.   The possible events are then classified depending on the level of danger. Considering for instance the mechanical structure, three levels may be
     distinguished:

     •    Level 4: the robot is knocking over;
     •    Level 3:
          −    The probe is falling down;
          −    A robot component is falling down;
     •    Level 1: the robot is vibrating.

Level 1 is likely to be uncomfortable for the patient; Level 3 may result in severe injury and Level 4 may cause the death of the patient or operator, which is simply unacceptable.

5.   Looking a step further and going through each possible event, the Fault Tree is established. Detailing "Level 4", the event "Robot knocking over" may be due to 3 causes: i) there is an external overload; ii) the arm is breaking down; iii) the gravity center is outside the basis of the support. Such a Fault Tree is represented in Figure 5.

[Figure 5: Fault tree analysis. Top event: Robot knocking over. Causes: Structure whose gravity center is outside the basis of the support; Arm breakdown; External overload]

4.3.2 Electrical analysis

Briefly, without detailing the complete electrical scheme of the axis boards and their security functions, Figure 6 exhibits the block decomposition of one axis board:

[Figure 6: Block decomposition of an axis board. Axis board blocks: Resolver / encoder i converter, Resolver axis i, Resolver motor i; Converter motor i, Translator i, Motor i; Watchdog; Relay, Brake axis i]

The consequences of critical electrical events occurring on one block of Figure 6 may be classified as follows:

•    Level 4: Patient or operator electrocution;
•    Level 3:
     −    Patient strangulation (by static force);
     −    Patient or operator collision (uncontrolled
•    Level 2: Static force exerted on the patient.

4.3.3 Software analysis

The identified critical software events are:

     −    Bad use of the MMI;
     −    Error in the model calculation;
     −    Process stop.

As the worst case is always considered, all these events are classified in Level 4.

4.3.4 Failure management

Depending on the occurring event and its degree of danger, it is managed by executing one of the following three "stop" procedures:

•    Arm deceleration with stop and/or current work
•    The system is placed in a waiting position with the arm immobile until the problem is solved;
•    Emergency stop with power off. The arm and the controllers are stopped. It is necessary to reinitialize all variables. Power on is possible when the problem is solved.

Arising from these multi-domain analyses, the benefit of the interaction between the analyses of the mechanical, electrical and software components is exhibited through the multi-criterion approach.

4.3.5 Multi-criterion approach

The multi-criterion approach guarantees safety without systematically adding local redundancy; here, safety components (hardware and software) interact to provide the required safety at the system level. More practically, for example, the contact between the robot end-effector and the patient (or the operator) is monitored by the force sensor; the force information is used in the control computer software, but a threshold is also built into the force sensor controller itself; in addition, the maximum force that the robot can apply is limited both at the mechanical level (torque limiters) and at the electrical level (size and technology of the actuators, total installed electrical power). Figure 7 illustrates this failure case analyzed by the multi-criterion approach:
Proc. 1st IARP/IEEE-RAS Joint Workshop on Technical Challenge for Dependable Robots in Human Environment, Seoul, May 21-22, 2001, Paper III-4.

Failure                Failure description and effect             Effect evaluation on system                  Level
---------------------  -----------------------------------------  -------------------------------------------  -------
Force > threshold      Force threshold + 30 % > force value >     Arm stopped and waiting for the cause        Level 2
                       force threshold (force sensor or torque    suppression
                       limiter)
Force > 1.3*threshold  Force value > force threshold + 30 %       Securities activated and power off           Level 2
                       (force sensor or torque limiter)
DMS inactive           The DMS signal becomes inactive when the   Arm deceleration if a motion was going on    Level 2
                       pedal is pressed                           and current action cancelled

Figure 7: Multi-criterion approach

5. Conclusion and Perspectives

In the future, the objectives are:
• Testability: the use of self-testable devices, able to detect or predict faults at the servo level, will improve safety control and will guarantee faster stop procedures;
• Logical and timing software analysis: thanks to a model of the real-time software based on Petri nets, it is now possible to get information about the execution of the program. This work is currently in progress.

6. References

[1] Dario P., Report by the discussion group on medical robotics, EURON, Las Palmas, January 2001.
[2] Fadda M., Wang T., Allota B., Dario P., Marcacci M. and Martelli S., Safety requirements in a robotic surgical system: first analysis and approach, Proc. 3rd Int. Symp. on Measurement and Control in Robotics, Torino, Italy, September 21-24, 1993.
[3] Davies B.L., Safety of medical robots, Proc. 6th ICAR, Tokyo, pp. 311-317, 1993.
[4] Lavallee S., Troccaz J., Gaborit L., Cinquin Ph., Benabid A.L. and Hoffman D., Image guided robot: a clinical application in stereotactic neurosurgery, Proc. IEEE Int. Conf. on Robotics and Automation, Nice, France, pp. 618-625, 1992.
[5] Paul H.A., Bargar W.L., Mittlestadt B., Musit B. et al., Development of a surgical robot for cementless total hip arthroplasty, Clinical Orthopaedics and Related Research, (285), pp. 57-66, December 1992.
[6] Troccaz J. and Delnondedieu Y., Semi-active guiding systems in surgery. A two-DOF prototype of the passive arm with dynamic constraints, Mechatronics, 6, pp. 399-421, 1996.
[7] Pierrot F. et al., Hippocrate: a safe robot arm for medical applications with force feedback, Medical Image Analysis, 3(3), pp. 285-300, 1999.
[8] Duchemin G. et al., SCALPP: a 6-dof robot with a non-spherical wrist for surgical applications, Advances in Robot Kinematics, Piran-Portoroz, Slovenia, pp. 165-174, 2000.
[9] Corke P.I., Safety of advanced robots in human environments. A discussion paper for the International Advanced Robotics Program, 1999.
[10] prEN954-1, Design of control components related to the safety.
[11] Badano F. and Danel F., The neuro-skill robot: a new approach for surgical robot development, Proc. MRCAS 95, Medical Robotics and Computer Assisted Surgery, Baltimore, USA, pp. 318-323, November 1995.
[12] Integrated Surgical System,
[13] Wika K.G. and Knight J.C., Software safety in a medical application, Proc. MRCAS 94, Medical Robotics and Computer Assisted Surgery, Pittsburgh, PA, pp. 218-223, September 1994.
