Proc. 1st IARP/IEEE-RAS Joint Workshop on Technical Challenge for Dependable Robots in Human Environment, Seoul, May 21-22, 2001, Paper III-4.

INTRINSICALLY SAFE ACTIVE ROBOTIC SYSTEMS FOR MEDICAL APPLICATIONS

E. Dombre*, Ph. Poignet*, F. Pierrot*, G. Duchemin*, L. Urbain**
*LIRMM, UMR 5506 CNRS-Université Montpellier 2, 161 rue Ada, 34392 Montpellier Cedex 05, France
**SINTERS SA, BP 1311, Parc Technologique Basso Cambo, 5 rue Paul Mesplé, 31106 Toulouse Cedex 1, France
Corresponding author: firstname.lastname@example.org, Phone: (33) 4 67 41 85 58, Fax: (33) 4 67 41 85 00

1. Introduction

The key objective of medical robotics is to design, develop and operate intelligent devices aimed at improving health care and quality of life [ref]. It follows immediately that a major characteristic of a medical system is its strong interaction with the human environment, i.e. with people who may be trained or, especially, not trained, and whose behaviour can be extremely unpredictable. A medical robot is usually a complex system (Figure 1) including a mechanical structure, a man-machine interface (MMI), electronic components and software. All these components are integrated to perform various tasks in a safe manner for daily medical applications. These applications are performed in a very cluttered environment, i.e. with a limited workspace inside or outside the patient's body, so any fault may become very critical. Safety is therefore a challenging issue of medical robotics: owing to their interactions with humans, medical robots must function safely and with high reliability.

Figure 1: Medical mechatronic device (from [ref]). Blocks shown: patient, operator, mechanical structure, sensors, drives, control, power supply, MMI.

Up to now, robots used in an industrial environment are usually isolated from the workers, who receive adequate training to interact with them. This is completely different with medical robots. In [ref], the authors state the constraints of a surgical environment: i) the work has to be done on a human being with soft tissue; ii) the environment is usually unstructured; iii) each task and its execution is specific to the patient; iv) the robot has to be transportable in and out of the operating room; v) its dimensions have to be reduced; and finally vi) each component has to be sterilized. In [ref], Davies suggests detailed safety conditions. The first robots in surgery were industrial robots modified to increase their safety [ref], [ref].

Today, from the safety point of view, mechanical arms involved in medical robotics applications are of three types depending on the level of autonomy: (i) passive arms, which are unactuated and have no autonomy; (ii) semi-active arms, for which the power is cut off during critical phases of the task, or for which the actuators are not used directly to guide the robot but rather, as in the synergistic robot PADyC [ref], to dynamically limit the workspace for cardiac puncturing; and (iii) active arms, where all joints are actuated and which can perform parts of planned tasks by themselves. When an active device is required, as in many applications, it is better to consider intrinsically safe robots. Intrinsically safe here means that safety constraints are handled as soon as the design of the robot is started.

For a few years we have been designing and developing various systems for medical applications. The first one, called Hippocrate, is a robotic system that assists doctors when they move ultrasonic probes over the patient's skin while exerting a given effort. The probes are used to monitor arteries for cardiovascular disease prevention and for three-dimensional (3-D) reconstruction of arteries [ref]. Current work concerns an original active arm, called SCALPP, for automating skin harvesting under force control [ref].
All these systems are relevant to enhancing the doctor's capabilities in terms of accuracy and reproducibility, but they are active systems. Therefore, they require special attention to satisfy safety constraints in order to be used in operating rooms. Thanks to the SINTERS company's long experience in the design and control of safety and test equipment for the aeronautic industry, we have developed a methodology based on a multi-criterion approach for designing intrinsically safe medical devices.

This paper is organized as follows: section 2 states the problem of safety within the frame of medical robotics; section 3 presents some strategies currently used for medical applications; section 4 is devoted to the methodology developed with the SINTERS company, illustrated by the practical examples of Hippocrate and SCALPP.

2. Problem statement

When analyzing the risks due to a robot, it is necessary to distinguish different levels of hazard [ref]:
• Level 1: the robot has insufficient "strength" to cause injury to a human;
• Level 2: the robot has the potential to inflict minor trauma to a human;
• Level 3: the robot has the potential to disable a human;
• Level 4: the robot has the potential to kill a human.

Industrial robots belong to category 3 or 4, but the risks are usually avoided by keeping humans out of the machine workspace. However, an operator may enter this workspace under specific conditions without stopping the machine and after disconnecting the protection devices, for instance in manual mode with limited speed for maintenance purposes [ref].

In medical robotics, these levels are still valid, but the key difference is that a human is always cooperating (surgeon) or interacting (patient) with the robot. Therefore, harsh constraints and specifications have to be considered in the design itself. In the past decade, different strategies have emerged, especially based on technological solutions added to existing industrial robots, as indicated in the next section.

3. Existing strategies

As shown in [ref], a medical device guaranteeing a high level of safety may be designed considering mainly the following principles: i) the degree of redundancy in control and sensing; ii) the possibility to design an intrinsically safe system; iii) the tradeoff between reliability and safety.

3.1 Redundancy

Increasing information by redundancy should decrease the hazard rating. This redundancy may concern hardware components such as sensors, as well as software, with for instance a handshake between two independent systems. But three major disadvantages may be underlined: firstly, the cost is dramatically increased; secondly, increasing the number of components increases the complexity of the system, which finally decreases its reliability.

3.2 Intrinsically safe

An intrinsically safe design may currently be provided by classical components such as:
• Actuators with limited power and/or speed, which guarantee safe behaviour in case of fault;
• High reduction gears such as harmonic drives, as for instance in Neuromate [ref], a 5-dof robot of Integrated Surgical System [ref] dedicated to stereotactic neurosurgery. But high reduction ratios lead to irreversible (non-backdrivable) arms, which is unacceptable in many cases, typically for remote minimally invasive surgical applications;
• A "Dead Man Switch" (DMS) pedal, used by the surgeon to validate the task execution in automatic mode;
• A watchdog board checking the activity of the control system.
Other specific elements can be added without involving redundancy but still guaranteeing safety in active systems.

3.3 Tradeoff between reliability and safety

As mentioned in section 3.1, redundancy induces system complexity, which in turn limits reliability. Therefore, the designer has to define a tradeoff between reliability and safety. In [ref], the authors propose the development of a safety kernel, a software layer able to guarantee that some safety rules are respected.

4. Our methodology through two examples

Our methodology will be illustrated through two practical systems, Hippocrate and SCALPP, developed jointly by the SINTERS company and the LIRMM.

4.1 Hippocrate [ref]

Hippocrate is a medical robot used at Broussais Hospital in Paris for pathology diagnosis and 3-D reconstruction of arteries with an ultrasonic probe. Special attention has been paid to designing the arm architecture and choosing technological components that guarantee safety. Each part or sub-part of the robot has been designed considering safety constraints.

4.1.1 Arm technology

Various components contribute to guaranteeing the safety of the active arm:
• In order to limit the robot velocity, a harmonic drive is mounted on each motor output shaft, with high reduction ratios (from 80 up to 160);
• The first four joints are also equipped with mechanical torque limiters. In practice, the external force on the probe is limited to about 30 N;
• A parking brake is mounted on joints 2 and 3 in order to prevent the robot from collapsing when the power is off;
• Stepper (step-by-step) actuators have been selected. With conventional DC or AC motors, the rotation speed of the motor shaft depends on the voltage output level of the servo amplifier: if a fault occurs, the motor continues to rotate. Stepper actuators, on the contrary, need pulses to rotate;
• Each joint is equipped with absolute sensors (resolvers);
• Electrical leads (including the force/torque sensor lead) have been integrated inside the robot arm;
• Gravity compensation is provided by a passive counterbalancing payload.

4.1.2 Controller securities

Several additional hardware and software securities within the controller, providing very good reliability and safety to the whole system, have been implemented. In the following, we describe these securities in order of importance:
• Three emergency buttons are available (two of them are wired to the control desk, the other is wired to the controller front panel). Any action on one of these buttons immediately switches off the arm power. The arm is powered on only after a software initialization procedure has run and a restart button has been activated;
• A watchdog board has been developed in order to manage the security from a software point of view. Two redundant circuits wired on the board improve security;
• Five software processes are running. If one of them is stopped or blocked, the watchdog is deactivated and the process is switched off;
• If the effort exerted on the probe exceeds a given threshold, the watchdog is immediately deactivated and the power is switched off as well;
• Software joint limits have been implemented in order to limit the workspace;
• If a tracking error is detected, the watchdog is immediately stopped and the power is switched off;
• Action on the Dead Man Switch foot pedal is necessary to authorize any motion;
• The multiple-configuration problem of the arm is prevented in both Cartesian and force control modes: when the robot reaches the vicinity of a singularity, the motion is stopped until it is moved away by the operator.
All these elements contribute to the intrinsic safety of the active robot.

4.2 SCALPP [ref]

This current research program concerns the design of a dedicated robot for skin harvesting in reconstructive surgery, developed for Lapeyronie Hospital in Montpellier. Skin harvesting on the human body, in order to graft or to culture the sample, requires high accuracy in the gesture and is physically very demanding for the surgeon because of the effort he has to exert. It aims at harvesting a strip of skin of constant thickness (a few tenths of a millimetre) with a "shaver-like" device. Besides, it requires a long period of training and has to be practised regularly (for orthopaedic physicians, for instance, this gesture is not completely mastered since it may not be a daily operation). According to the burn degree, skin strips may be harvested at different locations on the patient: thighs, buttocks, head (where scars are hidden by hair), sole of the foot or armpit. Owing to their shape, some of these locations are more difficult to harvest. All these reasons have been analyzed and justify robotization of the harvesting task.
A short list of the main security functions or components included in the SCALPP system is given below. It should be noticed that the mechanical, electrical and software safeties are very similar to those of the Hippocrate system:

Mechanical safeties
• Harmonic drives with high reduction ratios (from 80 up to 160) mounted on each motor in order to limit the robot velocity;
• Stepper actuators;
• Absolute sensors (resolvers) for each joint;
• Gravity compensation.

Electrical safeties
• Emergency button;
• Two redundant circuits wired on a watchdog board;
• DMS pedal.

Software safeties
• Handshaking of the five running processes by the watchdog board;
• Joint limit and tracking error analysis;
• Fast Fourier Transform analysis to detect jamming of the cutter blade;
• Motion planning for clearing.

4.3 Discussion

From our experience with these two systems, some key recommendations emerge for enhancing the safety of medical robots without extra cost:
• Firstly, the need for active robots in various applications leads to the necessity of designing intrinsically safe robots without using redundancy, which increases the cost drastically;
• Secondly, our methodology complies with the FMECA method (Failure Mode, Effects and Criticality Analysis, an official safety method in the aeronautic industry) applied at every step of the industrial project, and with Fault Tree Analysis.
We detail hereafter the different steps of this analytical technique applied to the mechanical and electrical design and to the software design of the Hippocrate system.

4.3.1 Mechanical analysis

1. The first step is to split the complete system into small independent entities by analyzing the mechanical design. For instance, the robot arm (Figure 2) is constituted of n axes ending with a force sensor and supporting a probe holder, the probe being in contact with the patient.

Figure 2: Mechanical analysis of the Hippocrate robot arm. Chain shown: robot arm (axis 1 to N), force sensor, probe holder, patient.

2. The second step is to divide each part into several functional blocks. Detailing one axis of Figure 2 leads to the decomposition of Figure 3.

Figure 3: Block decomposition of one axis. Blocks shown: drive i, resolver drive i, torque limitation i, reducer axis i, resolver axis i, bearing axis i.

3. A systematic study of all possible block failures in the scheme of Figure 3 is then carried out (Figure 4) in order to establish the consequences on the whole system:

Failure | Failure description and effect | Evaluation of the failure effect on the system | Level of hazard
No torque transmission | No torque transmitted | Free axis motion without motor power | Level 2
Integral torque transmission | Torque completely transmitted; transmitted torque = maximum motor torque | Total motor power transmitted | Level 3
Mechanical breakdown | No torque transmitted; axis under gravity effect | Free axis motion without motor power | Level 2

Figure 4: Block failure analysis (reducer block). The risk levels are defined with respect to the levels described in section 2.

4. The possible events are then classified depending on the level of danger. Considering for instance the mechanical structure, three levels may be distinguished:
• Level 4: the robot knocks over;
• Level 3: the probe falls down; a robot component falls down;
• Level 1: the robot vibrates.
Level 1 is merely uncomfortable for the patient; Level 3 may result in severe injury and Level 4 may cause the death of the patient or operator, which is simply unacceptable.

5. Looking a step further and going through each possible event, the Fault Tree is established. Detailing Level 4, the event "robot knocking over" may be due to three causes: i) there is an external overload; ii) the arm breaks down; iii) the centre of gravity is outside the base of the support. Such a Fault Tree is represented in Figure 5.

Figure 5: Fault tree analysis. Top event: robot knocking over. Causes: external overload; arm breakdown; structure whose centre of gravity is outside the base of the support.

4.3.2 Electrical analysis

Briefly, without detailing the complete electrical scheme of the axis boards and its security functions, Figure 6 exhibits the block decomposition of one axis board.

Figure 6: Block decomposition of an axis board. Blocks shown: resolver/encoder converter i, resolver axis i, resolver motor i, frequency converter, translator i, motor i, watchdog, relay, brake axis i.

The consequences of critical electrical events occurring in one block of Figure 6 may be classified as follows:
• Level 4: patient or operator electrocution;
• Level 3: patient strangulation (by static force); patient or operator collision (uncontrolled motion);
• Level 2: static force exerted on the patient.

4.3.3 Software analysis

The identified critical software events are:
− Bad use of the MMI;
− Error in the model calculation;
− Process stop.
As the worst case is always considered, all these events are classified in Level 4.

4.3.4 Failure management

Depending on the occurring event and its degree of danger, it is managed by executing one of the following three "stop" procedures:
• Arm deceleration with stop and/or cancellation of the current work;
• The system is placed in a waiting position with the arm immobile until the problem is solved;
• Emergency stop with power off. The arm and the controllers are stopped. All variables have to be reinitialized; power on is possible again when the problem is solved.
From these multi-domain analyses, the benefit of the interaction between mechanical, electrical and software components is exhibited through the multi-criterion approach.

4.3.5 Multi-criterion approach

The multi-criterion approach guarantees safety without systematically adding local redundancy; here the safety components (hardware and software) interact to provide the required safety at the system level. More practically, for example, the contact between the robot end-effector and the patient (or the operator) is monitored by the force sensor; the force information is used in the control computer software, but a threshold is also built into the force sensor controller itself; in addition, the maximum force that the robot can apply is limited both at the mechanical level (torque limiters) and at the electrical level (size and technology of the actuators, total installed electrical power).
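Steps 3 to 5 of section 4.3.1 (block-failure table, hazard levels, fault tree) and the worst-case rule of section 4.3.3 are mechanical enough to be kept as data rather than as hand-drawn tables. The Python below is an added example written for this page, not code from the paper or from the Hippocrate or SCALPP controllers: it takes the reducer rows of Figure 4 and the fault tree of Figure 5 as data, decides which top events a set of observed basic faults produces, returns the worst hazard level among them, and enumerates minimal cut sets, the standard fault-tree computation. The second tree, an AND gate that needs both the torque limiter and the force-threshold protection to fail, is an assumed illustration of the multi-criterion reasoning of section 4.3.5 and is not a tree drawn in the paper; the event names and the OR/AND reading of the gates are likewise this example's assumptions.

```python
"""Added example (not the paper's code): Figure 4 rows and a Figure 5 style
fault tree as data, plus the three computations steps 3-5 of 4.3.1 and the
worst-case rule of 4.3.3 do by hand: which top events occur for a set of
observed faults, their worst hazard level, and minimal cut sets."""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Set, Union


@dataclass(frozen=True)
class FailureMode:
    """One row of a block-failure table such as Figure 4."""
    block: str
    failure: str
    effect: str
    level: int  # hazard level 1..4 as defined in section 2

    def __post_init__(self) -> None:
        if not 1 <= self.level <= 4:
            raise ValueError(f"hazard level must be 1..4, got {self.level}")


# Rows transcribed from Figure 4 (reducer block of one Hippocrate axis).
REDUCER_FAILURES: List[FailureMode] = [
    FailureMode("reducer", "no torque transmission",
                "free axis motion without motor power", 2),
    FailureMode("reducer", "integral torque transmission",
                "maximum motor torque transmitted to the axis", 3),
    FailureMode("reducer", "mechanical breakdown",
                "free axis motion, axis under gravity effect", 2),
]


@dataclass(frozen=True)
class Basic:
    """A basic event, i.e. a leaf of the fault tree."""
    name: str


@dataclass(frozen=True)
class Gate:
    """An intermediate or top event: occurs if ANY ('or') or ALL ('and') inputs occur."""
    name: str
    kind: str       # "or" | "and"
    inputs: tuple   # of Basic | Gate
    level: int = 0  # hazard level (section 2) for a top event, 0 for an intermediate one


Node = Union[Basic, Gate]


def occurs(node: Node, observed: Set[str]) -> bool:
    """Does `node` occur, given the names of the basic events observed?"""
    if isinstance(node, Basic):
        return node.name in observed
    results = [occurs(i, observed) for i in node.inputs]
    return any(results) if node.kind == "or" else all(results)


def minimal_cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Standard FTA minimal cut sets: smallest sets of basic events that cause `node`."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "or":
        candidates = {cs for sets in child for cs in sets}
    else:  # "and": one cut set per input, every combination, unioned
        candidates = {frozenset().union(*combo) for combo in product(*child)}
    minimal = [c for c in candidates if not any(o < c for o in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def worst_case_level(top_events: List[Gate], observed: Set[str]) -> int:
    """Hazard level to act on: the maximum over the top events that occur
    (the paper's worst-case rule, section 4.3.3); 0 if none occurs."""
    return max((t.level for t in top_events if occurs(t, observed)), default=0)


# Figure 5: "robot knocking over" (Level 4) from any one of its three causes.
KNOCK_OVER = Gate("robot knocking over", "or", (
    Basic("external overload"),
    Basic("arm breakdown"),
    Basic("centre of gravity outside the support base"),
), level=4)

# Illustrative AND gate, assumed and NOT from the paper: with the multi-criterion
# design of 4.3.5, full motor torque reaches the patient only if the torque
# limiter AND the force-threshold protection fail together.
FULL_TORQUE_ON_PATIENT = Gate("full motor torque applied to the patient", "and", (
    Basic("torque limiter failed"),
    Gate("force threshold not enforced", "or", (
        Basic("force sensor failed"),
        Basic("control software ignores the force"),
    )),
), level=3)

TOP_EVENTS: List[Gate] = [KNOCK_OVER, FULL_TORQUE_ON_PATIENT]


if __name__ == "__main__":
    for top in TOP_EVENTS:
        print(f"{top.name} (Level {top.level}) cut sets:",
              [sorted(cs) for cs in minimal_cut_sets(top)])
    print("worst case, torque limiter and force sensor failed:",
          worst_case_level(TOP_EVENTS, {"torque limiter failed", "force sensor failed"}))
```

The minimal cut sets make the multi-criterion argument explicit: every cut set of the knock-over tree is a single fault, whereas every cut set of the assumed torque tree has two independent faults, which is the property the interacting mechanical, electrical and software protections are meant to buy without duplicating components.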
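The controller securities of section 4.1.2 and the stop procedures of section 4.3.4, together with the force bands of Figure 7, amount to a short decision procedure evaluated every control cycle. The Python below is an added example written for this page, not the Hippocrate or SCALPP controller software: it checks the securities in the paper's order of importance and returns one of the three stop procedures, keeps the arm powered off after an emergency stop until the initialisation procedure and the restart button have both been activated, and treats a missed handshake from any of the five processes as a watchdog trip. The 30 N threshold comes from section 4.1.1; the process names, the heartbeat deadline, the tracking tolerance, the joint limits, and the choice to map joint limits and singularities onto the "wait" procedure are assumptions of this example, as is the constructed input trace in the demo at the end.

```python
"""Added example (not the paper's code): per-cycle safety supervisor combining
the securities of 4.1.2 with the three stop procedures of 4.3.4 and the force
bands of Figure 7. Assumed: process names, heartbeat deadline, tracking
tolerance, joint limits, check order, joint-limit/singularity -> WAIT."""
from dataclasses import dataclass
from enum import IntEnum
from math import inf
from typing import Dict, Sequence, Tuple


class Stop(IntEnum):
    NONE = 0        # no security fired, motion may continue
    DECELERATE = 1  # 4.3.4: decelerate, stop, cancel the current action
    WAIT = 2        # 4.3.4: arm held immobile until the cause is removed
    POWER_OFF = 3   # 4.3.4: emergency stop, power off, re-initialisation needed


# The five supervised processes (names assumed; the paper only gives the count).
PROCESSES = ("trajectory", "force_control", "mmi", "sensing", "logging")


@dataclass
class Sample:
    """What the supervisor sees in one control cycle."""
    t: float                      # controller time (s)
    force_n: float                # force measured at the probe (N)
    dms_pressed: bool             # Dead Man Switch pedal held down
    emergency_button: bool        # any of the three emergency buttons hit
    heartbeats: Dict[str, float]  # last handshake time of each process (s)
    joints: Sequence[float]       # joint positions (rad)
    tracking_error: float         # |commanded - measured| on the worst joint (rad)
    near_singularity: bool        # arm close to a singular configuration


def nominal(t: float, **overrides) -> Sample:
    """Constructed 'everything fine' sample; keyword arguments override fields."""
    base = dict(t=t, force_n=5.0, dms_pressed=True, emergency_button=False,
                heartbeats={p: t for p in PROCESSES}, joints=(0.0,) * 6,
                tracking_error=0.0, near_singularity=False)
    base.update(overrides)
    return Sample(**base)


@dataclass
class Supervisor:
    force_threshold_n: float = 30.0       # section 4.1.1: about 30 N on the probe
    heartbeat_deadline_s: float = 0.05    # assumed
    tracking_tolerance_rad: float = 0.02  # assumed
    joint_limits: Sequence[Tuple[float, float]] = ((-2.0, 2.0),) * 6  # assumed
    powered: bool = False
    initialised: bool = False

    def initialise(self) -> None:
        """Software initialisation procedure: all variables reset (4.3.4)."""
        self.initialised = True

    def restart(self) -> bool:
        """Restart button: powers the arm only after initialise() (4.1.2)."""
        if self.initialised:
            self.powered = True
        return self.powered

    def _power_off(self, why: str) -> Tuple[Stop, str]:
        self.powered = False
        self.initialised = False  # power on requires a fresh initialisation
        return Stop.POWER_OFF, why

    def evaluate(self, s: Sample) -> Tuple[Stop, str]:
        """Stop procedure for this cycle and the security that fired.
        Checks run in the paper's order of importance; the first hit wins."""
        if not self.powered:
            return Stop.POWER_OFF, "arm not powered: initialise() then restart() first"
        if s.emergency_button:
            return self._power_off("emergency button")
        late = [p for p in PROCESSES
                if s.t - s.heartbeats.get(p, -inf) > self.heartbeat_deadline_s]
        if late:  # missed handshake: the watchdog board drops the arm power
            return self._power_off(f"watchdog: process stopped or blocked: {late}")
        if s.force_n > 1.3 * self.force_threshold_n:  # Figure 7, second row
            return self._power_off("force above threshold + 30 %: sensor or torque limiter failed")
        if s.force_n > self.force_threshold_n:        # Figure 7, first row
            return Stop.WAIT, "force above threshold: arm stopped, waiting for cause suppression"
        for i, (q, (lo, hi)) in enumerate(zip(s.joints, self.joint_limits), start=1):
            if not lo <= q <= hi:
                return Stop.WAIT, f"software joint limit reached on joint {i}"
        if s.tracking_error > self.tracking_tolerance_rad:
            return self._power_off("tracking error")
        if not s.dms_pressed:                          # Figure 7, third row
            return Stop.DECELERATE, "DMS inactive: motion decelerated, current action cancelled"
        if s.near_singularity:
            return Stop.WAIT, "near a singularity: stopped until moved away by the operator"
        return Stop.NONE, "ok"


if __name__ == "__main__":
    sup = Supervisor()
    sup.initialise()
    sup.restart()
    for s in [nominal(0.00), nominal(0.01, force_n=34.0), nominal(0.02, force_n=45.0), nominal(0.03)]:
        print(f"t={s.t:.2f}s force={s.force_n:4.1f}N -> {sup.evaluate(s)[0].name}")
```

Two details carry the paper's intent. First, any security that powers the arm off also clears the initialisation flag, so the sequence of section 4.1.2 (initialisation procedure, then restart button) is enforced by state rather than by convention, and a restart alone is refused. Second, the 30 % band of Figure 7 separates a suspicious force, where the arm waits for the operator to remove the cause, from a force that can only mean the force sensor or the torque limiter has failed, where the power is cut.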
Figure 7 illustrates the force-threshold failure case analyzed by the multi-criterion approach:

Failure description | Failure effect on the system | Effect evaluation | Level of hazard
Force > threshold | Force threshold + 30 % > force value > force threshold ⇒ force sensor or torque limiter failed | Arm stopped and waiting for the cause suppression | Level 2
Force > 1.3 × threshold | Force value > force threshold + 30 % ⇒ force sensor or torque limiter failed | Securities activated and power off | Level 2
DMS inactive | The DMS signal becomes inactive while the pedal is pressed | Arm deceleration if a motion was going on, and current action cancelled | Level 2

Figure 7: Multi-criterion approach

5. Conclusion and Perspectives

In the future, the objectives are:
• Testability: the use of self-testable devices, able to detect or predict faults at the servo level, will improve safety control and will guarantee faster stop procedures;
• Logical and timing software analysis: thanks to modelling the real-time software with Petri nets, it is now possible to get information about the execution of the program. This work is in progress.

6. References

Dario P., Report by the discussion group on medical robotics, EURON, Las Palmas, January 2001.
Fadda M., Wang T., Allota B., Dario P., Marcacci M. and Martelli S., Safety requirements in a robotic surgical system: first analysis and approach, Proc. 3rd Int. Symp. on Measurement and Control in Robotics, Torino, Italy, September 21-24, 1993.
Davies B.L., Safety of medical robots, Proc. 6th ICAR, Tokyo, pp. 311-317, 1993.
Lavallee S., Troccaz J., Gaborit L., Cinquin Ph., Benabid A.L. and Hoffman D., Image guided robot: a clinical application in stereotactic neurosurgery, Proc. IEEE Int. Conf. on Robotics and Automation, Nice, France, pp. 618-625, 1992.
Paul H.A., Bargar W.L., Mittlestadt B., Musit B. et al., Development of a surgical robot for cementless total hip arthroplasty, Clinical Orthopaedics and Related Research, (285), pp. 57-66, December 1992.
Troccaz J. and Delnondedieu Y., Semi-active guiding systems in surgery. A two-DOF prototype of the passive arm with dynamic constraints, Mechatronics, 6, pp. 399-421, 1996.
Pierrot F. et al., Hippocrate: a safe robot arm for medical applications with force feedback, Medical Image Analysis, 3(3), pp. 285-300, 1999.
Duchemin G. et al., SCALPP: a 6-dof robot with a non-spherical wrist for surgical applications, Advances in Robot Kinematics, Piran-Portoroz, Slovenia, pp. 165-174, 2000.
Corke P.I., Safety of advanced robots in human environments. A discussion paper for International Advances Robotics Program, 1999. http://www.international-robotics.org/wg/safety
prEN954-1, Design of control components related to the safety.
Badano F. and Danel F., The neuro-skill robot: a new approach for surgical robot development, Proc. MRCAS 95, Medical Robotics and Computer Assisted Surgery, Baltimore, USA, pp. 318-323, November 1995.
Integrated Surgical System, http://ww.robodoc.com
Wika K.G. and Knight J.C., Software safety in a medical application, Proc. MRCAS 94, Medical Robotics and Computer Assisted Surgery, Pittsburgh, PA, pp. 218-223, September 1994.