
Page 1: SAFETY ORIENTED DESIGN FOR SURGICAL ROBOTIC SYSTEMdisi.unitn.it/~roby/pdfs/thesis/Tesi_Gabriele_Gatti.pdf · methods of robot safeguarding have been developed by manufacturers and

UNIVERSITÀ DEGLI STUDI DI TRENTO

FACULTY OF ENGINEERING

Master's Degree Course in Telecommunications Engineering

SAFETY ORIENTED DESIGN FOR SURGICAL ROBOTIC SYSTEM

Supervisor: Prof. Roberto Passerone

Co-supervisor: Prof. Paolo Fiorini

Candidate: Gabriele Gatti

Academic Year 2007 - 2008


As far as the laws of mathematics refer to reality, they are not certain;

and as far as they are certain, they do not refer to reality.

Albert Einstein

We automate what we understand and can predict,

and we hope the human supervisor will take care

of what we don’t understand and cannot predict.

Thomas Sheridan


Contents

1 Introduction 1
  1.1 Safety in Automotive 2
    1.1.1 Convenience Systems 2
    1.1.2 Safety Systems 2
  1.2 Safety in Industrial Robot Manufacturing 4
    1.2.1 Robot safety standards 6
  1.3 Safety in Service Robotics 7
  1.4 The Thesis Aim 8
  1.5 Thesis Structure 9
  1.6 Conclusion 10

2 State of the Art 11
  2.1 Service Robotics 11
    2.1.1 Service Robots 12
    2.1.2 Human-Robot Interaction 15
  2.2 Medical Robotics 17
    2.2.1 Acceptance of Robots in Medical Environment 17
    2.2.2 Telemedicine and Teleoperation 18
    2.2.3 Surgical CAD/CAM 20
    2.2.4 Surgical Assistants 21
    2.2.5 Advantages/Disadvantages of Robot-Assisted Surgery 23
    2.2.6 Safety in Medical Robotics 25
    2.2.7 Clinical and Social Aspects 26
  2.3 Conclusion 27

3 Safety in Teleoperation 29
  3.1 Teleoperation System 29
    3.1.1 General Issues in Teleoperation 32
    3.1.2 Bilateral Teleoperation 33
    3.1.3 Teleoperation in Medicine 34
    3.1.4 Safety Issues 36
  3.2 Safety Critical Approach 39
    3.2.1 Hazard Analysis 40
    3.2.2 Additional Safety Devices 43
    3.2.3 Fail-Operate Systems 45
    3.2.4 Evaluating Safety-Critical Systems 46
  3.3 Fault Detection 47
    3.3.1 Plant Modeling 49
    3.3.2 System Identification 50
    3.3.3 Fault Detection 52
    3.3.4 Plant Monitoring 54
  3.4 Conclusion 54

4 6DoF Manipulator 57
  4.1 System Description 57
    4.1.1 System Overview 58
    4.1.2 Mechanical Subsystem 59
    4.1.3 Electronic Subsystem 64
    4.1.4 Servo Control Subsystem 66
    4.1.5 High-Level Software Subsystem 66
  4.2 Redesign Approach 67
    4.2.1 Safety Teleoperation 68
    4.2.2 Haptic Feedback 69
  4.3 Conclusion 70

5 Electrical Design 73
  5.1 Motor Design 73
    5.1.1 Calculation of Motor Required Torque 75
    5.1.2 Peak Torque Considerations 77
    5.1.3 Motor Selection 77
    5.1.4 Brushless Motors 79
  5.2 Motion Control Board 80
    5.2.1 Precision MicroControl 81
    5.2.2 Delta Tau Turbo PMAC2 82
    5.2.3 Galil Accelera DMC 40x0 83
    5.2.4 Motion Controller Selection 84
  5.3 Onboard Safety Features 84
    5.3.1 Hardware Features 85
    5.3.2 Software Features 86
    5.3.3 Motor Protection Features 87
  5.4 Teleoperation Layout 88
    5.4.1 Chassis Description 88
    5.4.2 High-Voltage and Supply-Voltage Sections 88
    5.4.3 Power and Signal Interfaces 90
  5.5 Failure Analysis 91
    5.5.1 Internal Safety Devices 92
    5.5.2 Error Monitoring 94
  5.6 Test cases 96
    5.6.1 Experimental Setup 96
    5.6.2 Position Error Test 99
    5.6.3 Encoder Failure Test 100
    5.6.4 Watchdog Test 102
    5.6.5 Network Error Test 102
  5.7 Conclusion 103

6 Conclusions 105
  6.1 Remarks in Medical Robotics 107
  6.2 Comments on Results 107
  6.3 Future Work 108

Bibliography 111


1 Introduction

Almost all branches of the service industry already use modern information and communication technologies to carry out administrative tasks efficiently and in a customer-friendly manner. However, the full range of possibilities for the (semi-)automated delivery of services through robot systems is still barely apparent to suppliers and manufacturers. Because of the often strict safety requirements associated with robot autonomy or with navigation in partially or entirely unknown environments, the use of robots for carrying out service tasks has been very limited [86]. These requirements are responsible for the uncertainty of service suppliers in evaluating innovative attempts at the (semi-)automation of services.

In recent years robotics research has moved its attention from the industrial scenario to a more globalized and pervasive field: service robotics. Essentially, a service robot can be any automated appliance that works in, and shares, its environment with humans. This new and very intuitive concept forces a drastic change in the design and conception process that robot manufacturers were used to. Robots can no longer be isolated in a separate area, and we need to discover the best way to accomplish such a safe interaction, as Asimov depicted in the mid-century with the "Three Laws of Robotics".

In the case of service robotics the scenario differs from that of other growing fields of interest. We are going to study, as examples, the automotive and the industrial robot manufacturing scenarios. These show that such fields have long experience and that, even though safety is still evolving there, much more has been done in comparison to the service robotics scenario. In service robotics there is no regulation about what safety is and what level of safety needs to be achieved, so researchers try to give their contribution.


CHAPTER 1. Introduction

1.1 Safety in Automotive

In automotive, safety is directly related to crash avoidance. In developed countries traffic fatalities are in the tens of thousands and the number of crashes is in the millions. Safety systems can be implemented as autonomous or cooperative systems [79]. Autonomous systems rely upon onboard sensors to provide raw data for a particular application, whereas cooperative systems augment onboard sensor data with information flowing to the vehicle from an outside source. We focus here on autonomous systems, also called "convenience systems" rather than safety systems.

1.1.1 Convenience Systems

The term "convenience system" came into being in the late nineties, when auto companies were ready to offer intelligent vehicle driver-assist systems to their customers but were not yet ready to take on the legal implications and performance requirements that would come with introducing a new product labeled as a "safety system". Fundamentally, convenience systems are driver-support products that may assist the driver in vehicle control to reduce the stress of driving [79]. In some cases these products are safety-relevant, but they are not labeled as safety systems. Examples of convenience systems are parking assist, adaptive cruise control, lane keeping assistance and automated vehicle control.

1.1.2 Safety Systems

Given the massive societal costs, governments are highly motivated to promote active safety systems for crash avoidance. Based on experience with airbag systems, it has been well established that there is a good business case for offering active safety systems on new cars.

Active safety system applications are many and varied. In any case, this research field has to take into account the legal and regulatory implications that come with overriding or modifying human decisions. The following is only an example list of collision countermeasures; in general automotive research, every aspect of vehicle crashes is represented.

Assisting driver perception can enhance the driver's perception of the driving environment, leaving any interpretation or action to the driver's judgment. Adaptive headlights provide better illumination when the vehicle is turning; night vision provides an enriched view of the forward scene; roadside systems can alert drivers to the presence of wildlife; and headway advisory provides advice to the driver regarding following distance.

Crash prevention systems essentially augment the driver's monitoring of the road and traffic conditions to detect imminent crash conditions. Basic systems provide a warning to the driver using a variety of alerts, such as audible and visual signals, seat vibration and slight seat-belt pretensioning. More advanced systems add automatic braking of the vehicle if the driver is not responding to the situation. An initial version of active braking systems is termed "collision mitigation system" [22]; it defers to the driver's control and brakes to reduce the impact velocity of a collision if the driver is not responding appropriately to an imminent crash situation.

Lane departure warning systems use machine vision techniques [51] to monitor the lateral position of the vehicle within its lane, and the driver is warned if the vehicle starts to leave the lane inadvertently. This kind of system can be improved with lane departure avoidance, which goes one step further by providing active steering to keep the vehicle in the lane while alerting the driver to the situation.

Driver impairment monitoring can detect degraded driving conditions and act at the early signs of the onset of drowsiness, so that a driver can effectively respond to a warning before drowsiness is severe. These systems can take the form of a "fatigue meter" that provides continuous feedback to the driver, or of a warning that sounds when dangerous fatigue conditions are detected. First generation products target long-haul trucks, and driver-monitoring products are currently in development for the automobile market.

Other crash prevention systems currently under research are: curve speed warning, side object warning, lane change support, rollover countermeasures, parking assist, pedestrian detection and warning [79]. In addition, the precrash domain refers to the case where sensing systems (typically using Adaptive Cruise Control [97]) have determined that a crash is inevitable; therefore, action is taken to optimally protect the vehicle occupants via seatbelt pretensioning and prearming or prefiring airbags. The braking system can also be precharged so that maximum braking force is provided immediately upon initiation by the driver. Precrash systems are generally seen as precursors to more advanced collision avoidance systems, and as a bridge between occupant protection measures and those systems, which are in earlier stages of development and product maturity.

1.2 Safety in Industrial Robot Manufacturing

Robots are often viewed as an ideal solution to many industrial safety and health problems because they can perform tasks in dangerous work environments that previously were performed by humans. Robot welders and painters eliminate the need to expose workers to toxic fumes and vapors; robots load presses, manipulate objects in outer space, can work in radioactive environments, and so on. At the same time, as the use of robots and other automated systems increases, it becomes clear that such systems pose unique and significant safety problems. Part of the problem is that robots are powerful devices that move quickly over considerable distances. People often have difficulty predicting robot motions, and consequently accidents occur when people enter the robot's work area. Thus, by excluding physical interaction between humans and the autonomous device, the device can be driven to its maximum performance.

In response to the recognition that robot systems pose a safety problem, governmental and consensus organizations have developed several robot safety standards. Many companies have also developed in-house safety standards and programs. Concurrently, many methods of robot safeguarding have been developed by manufacturers and industrial users of robots. Such methods include:

Robot Safety Features. A well-engineered robot will include, to the greatest extent possible, practical safety features that take into account all modes of operation: normal working, programming and maintenance. Some features are common to all robots; others are peculiar to the type of robot, with particular regard to its motive power. There are many steps that can be taken to increase the safety of a robot system. Table 1.1 summarizes some common safety features of robots and their intended functions. These features and their intended functions can be grouped into categories such as: design-for-reliability features (fault avoidance and fault tolerance), set-up and programming mode features, power transmission and point-of-operation guards, maintenance affordances, and emergency features.


Feature                               Function
power disconnect switch               removes all power at machine junction box
power-on button                       energizes all machine power
stop button                           removes control and manipulator power
hold/run button                       stops arm motion, but leaves power on
slow speed control                    permits program execution at reduced speeds
teach/playback mode selector          provides operator with control over operating mode
program reset                         drops system out of playback mode
condition indicators and messages     provide visual indication of system condition by lights or display screens
parity checks, error detection, etc.  computer techniques for self-checking a variety of functions
servo motor brake                     maintains arm position at stand-still
hydraulic fuse                        protects against high speed motion/force in teach mode
software stops                        computer-controlled travel limit
hardware stops                        absolute travel limit control

Table 1.1: Common robot safety features [69]

Perimeter Safeguards. Most robot accidents are caused by, or in some way involve, careless or intentional entry of people into the robot work area. Such entry is inherently hazardous because the point of operation (the effector and its tooling) of a robot is essentially unguarded. Perimeter safeguards implement a number of different approaches intended to prevent entry into the work envelope. Such approaches include, for example, barriers and fencing, presence sensing and interlocks, and warning signs, markings, signals and lights.

Intelligent Collision-Avoidance and Warning Systems. Such systems process information from a wide variety of sensors to make real-time decisions. Traditionally, such systems make use of sophisticated ultrasound, capacitive, infrared or microwave presence sensing systems and, in some cases, computer vision to detect the presence of obstacles, and then react appropriately to their presence by stopping, replanning their motions or giving alarm signals. An intelligent warning system, rather than indiscriminately providing warnings, will consider both the system state and the past behavior of the target audience and adjust its behavior accordingly, balancing the expected cost of false alarms against the expected cost of correct detections.


Employee Selection, Safety Training and Supervision. As a consequence of selecting qualified personnel, training and supervision, workers should know and follow safe procedures when working with robots. Particularly critical procedures include startup and shutdown procedures, maintenance procedures, diagnosis, programming and teaching, and numerous procedures specific to particular applications. Employee selection and training courses in robot safety are a standard function of industrial and safety engineering in most plants.

Workcell Design for Safety. Safeguards should be considered an integral part of the workcell design. They should be provided for at the planning stage; to do otherwise could incur extra expense later on and might compromise safety effectiveness. A safety-engineered system will only be as safe as people permit it to be. Part of the commissioning of the installation should include a safety check of all the built-in features of the robot and the related machinery. Thereafter, the safety system should be periodically tested for functionality, to be sure that no aspect has been defeated, intentionally or unintentionally, with the passage of time.
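The features of Table 1.1 can be read as one motion gate that every joint command must pass. The following is an added example, not code from the thesis or the ALTAIR lab: a supervisor model in Python that applies power/stop, hold/run, program reset, mode-dependent speed caps, software stops, hardware stops and a frame error check to each command. The limit values, speed fractions and the XOR-checksum frame format are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    PLAYBACK = "playback"   # automatic execution of a stored program
    TEACH = "teach"         # operator guides the arm at reduced speed


@dataclass(frozen=True)
class JointLimits:
    """Software stops (computer-controlled) nested inside hardware stops (absolute)."""
    soft_min: float
    soft_max: float
    hard_min: float
    hard_max: float


@dataclass
class Decision:
    allowed: bool
    target: float = 0.0    # target position after clamping to the software stop
    speed: float = 0.0     # commanded speed after mode-dependent reduction
    reason: str = "ok"


class SafetySupervisor:
    """Gates every motion command through the Table 1.1 features."""

    TEACH_SPEED_FRACTION = 0.25   # constructed value: speed cap in teach mode
    SLOW_SPEED_FRACTION = 0.10    # constructed value: 'slow speed control' cap

    def __init__(self, limits: JointLimits) -> None:
        self.limits = limits
        self.control_power = False   # set by the power-on button, cleared by stop
        self.hold = False            # hold/run: motion inhibited, power stays on
        self.mode = Mode.PLAYBACK
        self.slow_speed = False
        self.brake_engaged = True    # servo motor brake holds the arm at stand-still
        self.fault: Optional[str] = None   # latched by the self-checking logic

    # --- operator controls (Table 1.1 buttons and selectors) ----------------
    def press_power_on(self) -> None:
        self.control_power = True

    def press_stop(self) -> None:
        """Stop button: removes control/manipulator power and engages the brake."""
        self.control_power = False
        self.brake_engaged = True

    def press_hold(self) -> None:
        self.hold = True
        self.brake_engaged = True

    def press_run(self) -> None:
        self.hold = False

    def select_mode(self, mode: Mode) -> None:
        self.mode = mode

    def program_reset(self) -> None:
        """Program reset: drops the system out of playback mode and holds the arm."""
        self.mode = Mode.TEACH
        self.hold = True

    # --- error detection (parity checks / error detection feature) ----------
    @staticmethod
    def frame_ok(frame: bytes) -> bool:
        """Constructed frame format: payload bytes followed by an XOR checksum byte."""
        if len(frame) < 2:
            return False
        checksum = 0
        for b in frame[:-1]:
            checksum ^= b
        return checksum == frame[-1]

    # --- motion gate --------------------------------------------------------
    def command(self, target: float, speed: float) -> Decision:
        lim = self.limits
        if self.fault is not None:
            return Decision(False, reason="latched fault: " + self.fault)
        if not self.control_power:
            return Decision(False, reason="no control power (stop or disconnect)")
        if self.hold:
            return Decision(False, reason="hold active: arm motion inhibited")
        # Hardware stops are the absolute limit: a request beyond them means the
        # command source is broken, so latch a fault and drop power rather than
        # rely on the software limit to catch it.
        if not lim.hard_min <= target <= lim.hard_max:
            self.fault = "target beyond hardware travel limit"
            self.press_stop()
            return Decision(False, reason=self.fault)
        # Software stops: clamp the target to the computer-controlled limit.
        clamped = min(max(target, lim.soft_min), lim.soft_max)
        reason = "ok" if clamped == target else "clamped to software stop"
        # Slow speed control and teach mode both cap the commanded speed.
        cap = 1.0
        if self.mode is Mode.TEACH:
            cap = min(cap, self.TEACH_SPEED_FRACTION)
        if self.slow_speed:
            cap = min(cap, self.SLOW_SPEED_FRACTION)
        self.brake_engaged = False
        return Decision(True, clamped, min(abs(speed), cap), reason)
```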

1.2.1 Robot safety standards

Numerous standards, codes and regulations are potentially applicable to manufacturing robot systems. The best known standard in the United States that addresses robot safety is ANSI/RIA R15.06. This standard was first published in 1986 by the Robotics Industries Association (RIA) and the American National Standards Institute (ANSI) as a safety requirement. Other potentially relevant standards developed by nongovernmental groups include the National Electric Code, the Life Safety Code and the proposed UL1740, "Safety standards for industrial robots and robotics equipment". Literally thousands of consensus standards contain safety provisions.

The best known governmental standards in the United States applicable to robot applications are the general industry standards specified by the Occupational Safety and Health Administration (OSHA), which published the Guidelines for Robotic Safety. Several other standards developed by ANSI are potentially important in robot applications and address a wide variety of topics; for example, safety signs and labels are addressed by the ANSI Z535 series. Companies often start with the ANSI/RIA R15.06 robot safety standard and then add detailed information relevant to their particular situation.


1.3 Safety in Service Robotics

While many authors recognize the importance of human-safe robots [47, 103, 5], only a few researchers address the problem to some extent [98]. Thus, safety is one of the most poorly addressed areas in robotics, despite being critical for the progress of many other applications [80, 83], particularly in medicine [21].

The safety issues for service robots have to be researched through the analysis of the interaction between human and robot, and the model chosen in the design should be based on an understanding of the context where the robot is to be used. This includes consideration of the group involved, their goals and activities, as well as the shared physical environment. For example, a rehabilitation robot must operate more slowly and be more compliant to facilitate safe user interaction, and special attention must be paid to human-machine interfaces, which have to be adapted for disabled people or people with special needs operating a specific programming device. Examples of rehabilitation and service robots for the elderly and disabled are presented in [48, 58, 59, 77]. It is also recognized that there is a need for research and development in robotics to focus on developing more flexible systems for use in unstructured environments [29].

System reliability and safety have not been a major issue in research institutions so far, because it is believed that industrial companies, when they actually market service or personal robot products, will eventually deal with this question. Researchers in laboratories have always been satisfied if their robot performed well once or twice under specific conditions or at end-of-project demonstrations, which enabled them to write a publication about their perfectly performing robot. However, these performances make people (sponsors, the public) believe that most of the robotic community's problems are already solved, which is certainly not true. On the contrary, much research is still needed to considerably improve not only system reliability and safety concepts, but also design concepts, locomotion and manipulation capabilities, cooperation and communication abilities, reliability and, probably most importantly, adaptability, learning capabilities and sensing skills [5].

Robots that work with people must be safe. Injury commonly occurs through unexpected physical contact, where forces are exerted through impact, pinching and crushing [44, 43]. Impact forces are therefore the most dangerous, depending on the velocity, the mass and the compliance of the manipulator. So when we bring the robot next to a human, we must be very clear about the safety criteria. The concept of safety is studied in [31], divided into two aspects: "physical" safety and "mental" safety of humans. Physical safety means that the robot does not physically injure humans. Mental safety, on the other hand, means that the motions of the robot do not cause any discomfort or inconvenience, such as fear, shock and surprise, to humans. This concept has been reexamined in [70], in which the authors try to add some boundaries to the safety criteria. These regard a statistically determined safeguarding zone, that is, examining the possibilities to better protect personnel and equipment by identifying safety regions around the robot; safe planning and control, which may reduce the likelihood of impact and the impact force in case of an unexpected human-robot collision; and a safe mechanical design that reduces the manipulator's link inertia and weight by using lightweight but stiff materials and compliant components in the overall structure.

As can be seen from the few examples presented, the application area for service robots and robot assistants can vary from manufacturing to services and home settings, from structured to unstructured environments. Current development in this area cannot yet guarantee absolutely fail-safe, reliable robot systems. This is also highlighted by a lack of regulation, which may become necessary as soon as service robots enter the global market.

1.4 The Thesis Aim

As stated in Section 1.3, the safety issue is not a trivial problem. A system provided with the highest redundancy possible and designed to satisfy all presumable safety requirements will probably have prohibitive costs, and its many security software and hardware procedures and devices can impede the work, still with no guarantee of being hazard free. In every sector safety is a matter of trade-off: where is security needed, or even compulsory, and where is it only a constraint and an obstruction to a fast and fertile working process?

The concept of how adequate safety must be and how safe "is safe" is a matter that needs to be discussed by the community at large. The key point that designers, researchers and engineers are studying is the borderline between safety and performance, and this thesis wants to give its contribution to this challenging task. In particular, a Six Degree of Freedom (DoF) robot control electronics prototype is designed, focusing on safety and security issues, and planned to enter a surgical room environment. The robot is going to have high dexterity and high precision, with fine movement on the order of microns, thus attention should be paid to choosing proper electric motors, equipped with feedback devices. The electronic design is going to be based on a mechanical structure already developed, which the ALTAIR Robotic Lab will obtain in the next months. In the following Section the structure of the thesis is presented.

1.5 Thesis Structure

In Chapter 1 the introduction gives an overview of the safety criteria adopted in some main fields of interest, namely the automotive field and the industrial robotics field. The thesis scope is introduced by addressing the safety issue concerning the service robotics field.

In Chapter 2 we present the current research topics in service robotics. Then we focus on a specific subfield of service robotics, the medical scenario. Robots entered this area over twenty years ago, but in recent years research has provided many contributions. We concentrate on how robotic research affects the surgical operating room by means of teleoperation.

In Chapter 3 we discuss the teleoperation background, showing the main issues that need to be solved while conceiving a telerobot. From the medical point of view, attention should be paid to safety, so we discuss the design features that a safety-critical device needs to satisfy. Moreover, the safety-critical approach should be taken into consideration from the first stages of the design process.

In Chapter 4 we give an overview of a six Degree-of-Freedom dexterity-enhanced telerobotic manipulator developed earlier, and of a new set of design criteria that should be applied for matching and addressing the safety issues from the point of view of the servo-electronic hardware subsystem. We explain the mechanical design and its features, and the choice that drove us to keep this design untouched. Then the justifications for the electronic re-design are presented.

Chapter 5 delineates the design process, starting from the electric motor dimensioning. We select different motors for the prototype version and the final version of the manipulator, for economic and simplicity reasons. Then we choose the control board that will receive commands from a computer and supply voltages and currents to each motor joint. The board selection strategy consists in analyzing three possible candidates suitable for our purposes, and finding the one that best fits performance, electronics and economic requirements, but also safety requirements. The teleoperation layout is also described, focusing on the internal chassis layout for the control electronics of the slave system and on the internal safety devices provided both by built-in functions of the controller and by proper design solutions.

The design work and the new hardware realization were oriented to the given specifications, but sometimes economic and/or technological constraints did not allow the complete fulfillment of these requirements. In the final Sections of Chapter 5, test cases of how to avoid mishap events are exposed with reference to the requirements specified in the previous Chapters, while conclusions and issues about future work are the subject of Chapter 6.

1.6 Conclusion

This Chapter delineates the thesis scope. First, some long-established and experienced research fields have been introduced, the automotive scenario and the industrial robot manufacturing scenario. Here the experience about safety spans many decades. For the service robotics scenario the case is different: it has caught research attention only recently. The lack of regulation on how a robot should interact with humans needs to be covered in order to avoid and prevent human injury.

Chapter 2 describes the state of the art of the service robotics field, showing how wide such a field can be. We focus on a specific subfield, that is the medical environment. We also describe how robots can modify the operating room to improve human surgical operations with the technology of teleoperation.

2 State of the Art

The previous Chapter introduced the thesis scope by addressing the lack of safety regulation in the growing field of service robotics. That has been compared with two long-established fields, automation and industrial robotics, showing that even if researchers have not yet solved all issues, their experience dates back many decades.

In this Chapter we introduce aspects of service robotics, focusing mainly on the interaction between the robot and the human environment. After an introduction of what service robotics means, we delineate the link between robotic regulation and human safety, finding that current standards are applicable only to a certain scenario, the industrial one. The area where safety may be the main and first criterion for the design process is the healthcare scenario, which robotics has been slowly entering during the last decade. The reason is the growing quality of service that robots can perform, but attention should also be given to safety and security from an overall point of view: the patient, the surgeon's demands, and clearly the robot design.

2.1 Service Robotics

The field of robotics is considered a growing market in the near future. The International Federation of Robotics (IFR) Statistical Department [42] states that in the year 2007 about 1 million industrial robots and 5.5 million service robots were operating worldwide in factories, in dangerous or tedious environments, in hospitals, in private houses, in public buildings, underwater, underground, on fields, in the air, in space. Up to the end of 2011 more than 17 million service robots and 1.2 million industrial robots will populate the world. The highest robot density is in Japan, where 1 robot per 5 production workers was operating in the automotive industry. In Europe the largest market for industrial robots is led by Germany, while Italy, classified as the second largest market, grew by 14%, to 5,800 units. This was the result of strong demand from the automotive industry and a remarkable increase in supply in almost all other industries.

Research projects are concerned with the development of robots assisting in industrial manufacturing or performing domestic work. Such robots have to accomplish many complex tasks like localization and navigation in highly dynamic environments, reliable object recognition and manipulation, and natural human-robot interaction. A lot of progress has been made in these fields in recent years. In this context a possible definition of a service robot has been suggested in [87] by IPA (Institute for Manufacturing, Engineering and Automation):

A service robot is a freely programmable kinematic device which performs services semi- or fully automatically. Services are tasks which do not contribute to the industrial manufacturing of goods but are the execution of useful work for humans and equipment. The actual execution of tasks by the service robot can be a series of complex movements, which can also be carried out when influenced by unforeseeable occurrences or environmental conditions. A service robot must therefore be able to act, within certain limits, independently.

2.1.1 Service Robots

From this definition and the IFR [41], the following classification is adopted, dividing service robots into three main fields:

1. Servicing humans (personal safeguarding, health care, entertainment etc.)

2. Servicing equipment (maintenance, repair, cleaning etc.)

3. Others performing an autonomous function (surveillance, transport, data acquisition, etc.) and/or service robots that cannot be classified in the two groups above.

To the first category belongs, for example, the Care-O-Bot of Fraunhofer IPA, which helps elderly or mobility-impaired persons achieve greater independence from outside help, and therefore contributes to their remaining at home longer. Care-O-Bot offers multimedia communication, video-phoning in emergency situations, operation of home electronics, active guiding or support of persons, and fetching and carrying everyday objects such as meals or books (Figure 2.2). In the entertainment market Japan is the leader with AIBO (Artificial Intelligence roBOt), one of the robotic pets designed and manufactured by Sony from 1999 to 2006, and ASIMO (Figure 2.1), a humanoid robot created by Honda's Research & Development Wako Fundamental Technical Research Center. It stands at 120 centimeters and weighs 52 kilograms, resembles a small astronaut wearing a backpack and can walk or run on two feet at speeds up to 6 km/h. Officially, the name is an acronym for "Advanced Step in Innovative MObility". Honda's official statements [82] claim that the robot's name does not refer to the science fiction writer and inventor of the "Three Laws of Robotics", Isaac Asimov.

Figure 2.1: Front view of ASIMO humanoid robot

To the first category also belongs the field of medical robotics, whose major example is the Da Vinci surgical system from Intuitive Surgical, Inc. [33], the most famous surgical telerobot, which provides enhanced dexterity to doctors performing minimally invasive surgical procedures. Another example is ROBODOC, first introduced in 1992 [75] and used to perform prostatic surgery by using CAD/CAM in pre-operative planning and robotics for the surgical operation. This is the setting this thesis mainly addresses, so it is going to be explained in detail in Section 2.2.

Figure 2.2: The Care-O-bot of Fraunhofer IPA, version II and III.

Figure 2.3: The PARO interactive robot, used for animal therapy.

From 2005 Japanese social welfare has seen the entry of the PARO robot. The PARO robot is designed to look like a baby harp seal, as shown in Figure 2.3. Covered in pure white synthetic fur, its built-in intelligence provides psychological, physiological, and social effects through physical interaction with human beings. PARO not only imitates animal behavior, but also responds to light, sound, temperature, touch and posture, and over time develops its own character. As a result, it becomes a "living" pet that provides relaxation, entertainment, and companionship to the owner. In January 2009 it entered the U.S. market at the list price of 6,000 USD.

In the second category, servicing equipment, a note has to be made on refueling robots. Reis Robotics, in Germany, developed an automated way of accomplishing such a task. The customer inserts a card, enters a PIN code and the refilling order. The robot locates the car, opens the tank flap and docks onto the tank cap. Once it is open, the robot selects the right octane number and quantity of fuel. Such a system may be a good choice for a fuel station located in uninhabited environs or a hot desert.

To the third category belong machines such as the HACOmatic or the CyberGuard. The former, from Hako-Werke, is designed for cleaning large surfaces (supermarkets, train stations, airports, etc.) and has a completely autonomous navigation system. The latter, distributed by Cybermotion Inc., is a powerful tool for providing security, fire prevention and camera monitoring. This device is also equipped with autonomous navigation, can automatically attach to its battery recharging station and handles an instrument set for surveillance.

All of the robots described above relate in their own way with the human environment. In the next Section we find out what has been done to define this kind of relation.

2.1.2 Human-Robot Interaction

The contiguity of robots to human living space increases the need to identify in which way the robot has to behave. For industrial robots the know-how is becoming relatively large, and robot systems have been standardized from several points of view. It is possible to describe them as mechanical devices, and this is done by EN 292, Safety of machinery, or to define the electric/electrical device as asserted in EN 60204-1, Safety of machinery - Electrical equipment of machines. The criterion accepted worldwide for safety is to describe the people-robot relation by means of structures and actions that need to be taken to protect human health. The main rules that describe such an approach are:

• ISO 10218-1 Robots for Industrial environment, safety requirements

• ANSI/RIA R15.06 American National Standard for Industrial Robots and Robot Systems. Safety Requirements.

The common denominator for the requirements listed in these standards is the relation between robots and the people working and interacting with them. In the manufacturing scenario this kind of relation is specifically focused on the minimization of contacts between the two entities (Figure 2.4), which permits manipulators to develop and extend themselves to their maximum performance. The operator cooperates with the robot by means of control panels and teach pendants (a hand-held control terminal) and observes the robot from a well-defined and regulated security distance. Among these factors are the proper design of barriers, interlocks and warning devices; design for the enhancement of the physical integrity and reliability of the robot hardware; sensory system development; and software reliability enhancement. In fact the majority of robot accidents occurred because the victim entered the robot's work area to perform programming or maintenance tasks, and often involved unexpected movement of the robot. The unexpected movements are, in most cases, caused by equipment failures or human errors.

Figure 2.4: Example of a safety-delimited area in a manufacturing scenario

Robots are to be viewed as a solution for safety and health problems, because they can substitute the human operator in dangerous environments, or augment the quality of hand processes. With the advances in computer science and robotics, robots are now more applicable to our everyday life, and much research is currently studying what has been termed service robotics [89, 25]. Service robots demand a different design philosophy [49] from the conventional industrial robot because, unlike their counterparts in industrial fields, robots in service fields cannot be physically isolated from human beings, but must coexist and cooperate with them while sharing a working area. Service robots should be thought of as a chance to improve human life, rather than as a danger for nearby people when inadequate security measures are in place [34].

If safety regulation is absent in general-purpose service robotics, what about robots used in health scenarios? In this field safety, or even more safety-criticality, is the first criterion used to design medical appliances, as we are going to discuss in detail in Section 3.1.4. In the following, an overview is given of how robots have modified, and will modify, the medical scenario.

2.2 Medical Robotic

Medical robots have the potential to fundamentally change interventional medicine, improve the quality of assistance and reduce the patient's trauma. Within this context, surgical robots and robotic systems can enable human surgeons to treat individual patients with improved efficiency, greater safety, and less morbidity than would otherwise be possible. Further, the automation and information know-how that research has reached has the potential to make "computer-integrated surgery" (CIS) [94] as important to health care as computer-integrated manufacturing is to industrial production.

The reason for the quick progress of surgical applications is the large technology base that has been developed in robotics research over the past two decades. Results in mechanical design, kinematics, control algorithms, and programming developed for industrial robots are directly applicable to many surgical applications. Research has also worked to enhance robotic capabilities through adaptability (the use of sensory information to respond to changing conditions) and autonomy (the ability to carry out tasks without human supervision). The resulting sensing and interpretation techniques that are proving useful in surgery include methods for image processing, spatial reasoning and planning, and real-time sensing and control.

2.2.1 Acceptance of Robots in Medical Environment

Just like manufacturing robots, medical robots must provide real advantages if they are to be accepted and widely deployed. The first factor driving acceptance of medical robots is the ability to improve the surgeon's technical capability. This obvious requirement is the most important aspect, and it materializes in improvements in precision and velocity, and in less invasive interventions. State-of-the-art technologies can also make it possible to perform previously infeasible interventions. For example, the combination of 3D imaging data, computers, and intrasurgical sensors allows robots to accurately guide instruments to pathological structures deep within the body. Another important difference is that specialized manipulator designs allow robots to work through incisions that are much smaller than would be required for human hands, or to work at small scales, where hand tremor poses fundamental limitations.

As stated in [95], a second, closely related advantage is the potential of computer-integrated systems to promote surgical safety by:

• improved technical performance of difficult procedures

• on-line monitoring and information supports for surgical procedures

• active assists and prevention from moving robot tools into dangerous proximity to delicate anatomical structures.

A third advantage is the implicit ability of guided informatics systems to promote consistency by storing detailed information for every procedure performed. This information, also called a "flight data recording", is unique and valuable material for evaluation and investigation in cases of serious incidents, and is also useful for future applications. A statistical comparison between outcome measures and procedure settings may lead to a better knowledge of what is most important to control and, in the long term, to safer, more effective interventions.

2.2.2 Telemedicine and Teleoperation

The concepts of telemedicine, telesurgery and telepresence in surgery date from the 1970s. Since then, the potential for telesurgical systems to facilitate effective interventions in remote or hostile environments such as the battlefield, space, or thinly populated areas has continued to be recognized, and there have been some spectacular demonstrations including a transatlantic cholecystectomy [63] in 2001, as well as other routine use in Canada [2, 1]. However, the primary use of telesurgical systems has been with the surgeon and patient in the same operating room.

Regardless of location, in a teleoperation setup the surgeon specifies the desired motions directly through a separate human interface device and the robot moves in the same way. These medical robots can be divided into four groups: passive robots, active robots, synergistic systems and master-slave systems [14].

Passive robots are used as tool-holders and do not have an operative task. Their advantage is that they do not get tired and keep tools accurately in position for a long time. An active robot must be able to carry out more complex motions than passive robots. They have an operative task, which they perform autonomously. For this reason most active robots are developed for one specific task within the total operation procedure. The safety demands are high for active robots. Some examples of active robots are laparoscopic cameras or robots used for arthroscopy. As for the third group, synergistic systems are controlled by both the surgeon and the computer. The surgeon is able to use the machine within a predefined motion and force region. Unlike active robots, in synergistic systems the operational task is performed by the surgeon, but the synergistic system constrains the surgeon. This reduces the risk of failures without giving up the surgeon's skills and judgment.

The fourth group consists of the master-slave systems, also called teleoperation systems. Master-slave systems are also non-autonomous. At the master side there are the surgeon, the master robot and the visual and haptic displays. The master robot is controlled by the surgeon. At the slave side there are the patient, the slave robot, haptic sensors and cameras. The slave robot is in contact with the patient and follows the instructions of the master robot. In this way the slave robot performs the actual surgical operation. The surgeon controls the master robot on the basis of visual feedback and, if present, haptic feedback from the operation area. Visual feedback can be either two- or three-dimensional and is established with cameras at the operation area. The slave robot can use instruments for conventional surgery, instruments for Minimally Invasive Surgery (MIS) or instruments for microsurgery.

The small incisions of MIS are used to introduce special instruments with a long rod transmission mechanism through a cannula into the body of the patient. The term minimally invasive surgery covers all surgery with small incisions and endoscopes [3].

With microsurgery the technology scales down the surgeon's motion and force and scales up the field of view, allowing surgeons to skillfully operate on microscopic anatomy with relative ease. The technology enables the surgeon to have a more accurate view and better control of motion and forces than is possible with his own eyes and hands. Human perception is not lost, which enables opportunities for new micro-surgical procedures and improved performance. For example, a tumor can be approached and removed more accurately without damaging surrounding tissues, because the small forces and motions used in microsurgery cannot be achieved with conventional hand-held surgical tools.

Surgical robotic systems can be classified into two broad families: surgical CAD/CAM and surgical assistants. As with industrial robots, the first consideration in the design of medical robots is identifying the advantages provided by the robot that would justify its incorporation into a clinical system. The next paragraphs introduce these two broad families and briefly discuss technical design issues.

Figure 2.5: Information flow of CIS systems [96]

2.2.3 Surgical CAD/CAM

The basic idea of CAD/CAM is that of using a computer to design a part and then create a digital blueprint of the part. Thus it is straightforward to use a digital system to control and manufacture the atlas, that is, to translate it from digital into physical. For example, images obtained in the preoperative stage can be combined with general information about human anatomy and variability to produce a computer model of the individual patient, which is then used in surgical planning. In the operating room, this information is registered to the actual patient using intraoperative sensing, which typically involves the use of 3D localization, X-ray or ultrasound images, or the use of the robot itself. If necessary, the surgical plan can be updated, and then one or more key steps in the procedure are carried out with the help of the robot. Additional images or sensing can be used to verify that the surgical plan is successfully executed and to assist in postsurgical follow-up. The closed loop of generating a patient-specific model and interventional plan, registering the model and plan to the patient, using technology to assist therapy delivery and assessing the result can be called "surgical CAD/CAM", in analogy to computer-integrated manufacturing in the industrial case. A scheme that clarifies these steps is depicted in Figure 2.5.

The advantages provided by robotic execution in surgical CAD/CAM depend somewhat on the individual application, but include:

• accurate registration to medical images;

• consistency;

• the ability to work in imaging environments that are not friendly to human surgeons;

• the ability to quickly and accurately reposition instruments through complex trajectories or onto multiple targets.

In addition to the technical issues inherent in constructing systems that can provide these advantages, one of the biggest challenges is finding ways to reduce the setup overhead associated with robotic interventions. A second challenge is to provide a modular family of low-cost robots and therapy delivery devices that can be quickly configured into fully integrated and optimized interventional systems, for use with appropriate interventional imaging devices for a broad spectrum of clinical conditions, with convenience comparable to current outpatient diagnostic procedures.

2.2.4 Surgical Assistants

Surgery is a highly interactive process and many surgical decisions are made in the operating room. The goal of surgical robotics is not to replace the surgeon with a robot [96], but to provide the surgeon with a new set of very versatile tools that extend his (or her) abilities to treat patients. We thus often speak about medical robot systems as surgical assistants that work cooperatively with surgeons by providing intelligent, additional tools that augment the physician's ability to treat patients. There are many forms of technological assistance [50], but the two augmentation strategies are:

• improving the physician’s existing sensing and/or manipulation

• increasing the number of sensors and manipulations available to the physician

The first variety, also called surgeon extenders, are operated directly by the surgeon and augment or supplement the surgeon's ability to manipulate surgical instruments in surgery. The target of these systems is to obtain superhuman capabilities such as the elimination of hand tremor or the ability to increase the accuracy of the smallest performable movement, for performing dexterous operations inside the patient's body. A special subclass is remote telesurgery systems, which permit the physician to operate on patients at distances ranging from a few meters to several thousand kilometers [60].


Figure 2.6: The da Vinci surgical system (courtesy Intuitive Surgical, Inc.)

Figure 2.7: Overview of the da Vinci surgical system, master, slave and control unit.

The second variety, called auxiliary surgical supports, generally works side-by-side with the surgeon and performs such functions as endoscope holding or retraction. These systems typically provide one or more direct control interfaces such as joysticks, head trackers, voice control, or the like. However, there have been some efforts to make these systems "smarter" so as to require less of the surgeon's attention during use, for example by using computer vision to keep the endoscope aimed at an anatomic target or to track a surgical instrument.

For example, the da Vinci system (Intuitive Surgical, Inc.) is a telesurgery system that demonstrates both of these augmentation approaches [33]. As shown in Figure 2.6, the system consists of a patient-side slave robot and a master control console. The slave robot has three or four robotic arms that manipulate a stereo endoscope and dexterous surgical instruments such as scissors, grippers, and needle holders. The surgeon sits at the master control console and grasps handles attached to two dexterous master manipulator arms, which are capable of exerting limited amounts of force feedback to the surgeon. The surgeon's hand motions are sensed by the master manipulators, and these motions are replicated by the slave manipulators. A variety of control modes may be selected by foot pedals on the master console and used for such purposes as determining which slave arms are associated with the hand controllers. Stereo video is transmitted from the endoscope to a pair of high-quality video monitors in the master control console, thus providing high-fidelity stereo visualization of the surgical site. The display and master manipulators are arranged so that it appears to the surgeon that the surgical instruments (inside the patient) are in the same position as his or her hands inside the master control console, as shown in Figure 2.7. Thus, the da Vinci system improves the surgeon's eyes and hands by enabling them to (remotely) see and manipulate tissue inside the patient through incisions that are too small for direct visualization and manipulation. By providing three or four slave robot arms, the da Vinci system also endows the surgeon with more than two hands.

2.2.5 Advantages/Disadvantages of Robot-Assisted Surgery

To understand the advantages of using robots in surgery, it is helpful to consider the differences between human and machine characteristics [95], whose complementary strengths are summarized in Table 2.1. An augmented servo-machine like a robot may increase dexterity, restore proper hand-eye coordination and an ergonomic position, and improve visualization. In addition, these systems now make possible surgeries that were previously technically difficult or unfeasible. These robotic systems enhance dexterity in several ways. Instruments with increased degrees of freedom greatly enhance the surgeon's ability to manipulate instruments and thus the tissues. These systems are designed so that the surgeon's tremor can be compensated in the end-effector motion through appropriate hardware and software filters. They can scale motion so that large movements of the control grips are transformed into micro-motions inside the patient [57]. These robotic systems eliminate the fulcrum effect, making instrument manipulation more intuitive. With the surgeon sitting at a remote, ergonomically designed workstation, current systems also eliminate the need to twist and turn in awkward positions to move the instruments and visualize the monitor. The 3-dimensional view with depth perception is a marked improvement over the conventional laparoscopic camera views [33]. Another advantage is the surgeon's ability to directly control a stable visual field with increased magnification and maneuverability. All of this creates images with increased resolution that, combined with the increased degrees of freedom and enhanced dexterity, greatly enhance the surgeon's ability to identify and dissect anatomic structures as well as construct microanastomoses.

Table 2.1: Complementary Strengths and Limitations of Robots and Humans (from [96]).

Humans, strengths:
• Excellent judgment
• Excellent hand-eye coordination
• Excellent dexterity (at natural "human" scale)
• Able to integrate and act on multiple information sources
• Easily trained
• Versatile and able to improvise

Humans, limitations:
• Prone to fatigue and inattention
• Tremor limits fine motion
• Limited manipulation ability and dexterity outside natural scale
• Cannot see through tissue
• Bulky end-effectors (hands)
• Limited geometric accuracy
• Hard to keep sterile
• Affected by radiation, infection

Robots, strengths:
• Excellent geometric accuracy
• Untiring and stable
• Immune to ionizing radiation
• Can be designed to operate at many different scales of motion and payload
• Able to integrate multiple sources of numerical & sensor data

Robots, limitations:
• Poor judgment
• Hard to adapt to new situations
• Limited dexterity
• Limited hand-eye coordination
• Limited haptic sensing (today)
• Limited ability to integrate and interpret complex information
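The master-slave command chain described above (motion scaling, tremor filtering through a software filter, the synergistic system's predefined motion region, and the "flight data recording" of every command) as an added Python example; this is illustrative code written for this page, not the thesis manipulator's software or any product's, and every gain, region bound and sample motion is an assumed, constructed value.

```python
"""Added example: a minimal master-slave teleoperation command pipeline.

Each control tick takes the surgeon's hand displacement, scales it down,
low-pass filters it to attenuate tremor, constrains the resulting slave
position to a predefined motion region and logs the whole chain so that a
mishap can be investigated afterwards. All numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Vec3 = Tuple[float, float, float]


@dataclass
class MotionRegion:
    """Axis-aligned box (mm, constructed) the slave tool tip is never commanded outside."""
    lo: Vec3
    hi: Vec3

    def contains(self, p: Vec3) -> bool:
        return all(lo_c <= c <= hi_c for c, lo_c, hi_c in zip(p, self.lo, self.hi))

    def clamp(self, p: Vec3) -> Vec3:
        return tuple(min(max(c, lo_c), hi_c) for c, lo_c, hi_c in zip(p, self.lo, self.hi))


@dataclass
class FlightRecorder:
    """Append-only log of every control tick, in the spirit of a flight data recording."""
    entries: List[Dict] = field(default_factory=list)

    def record(self, **fields) -> None:
        self.entries.append(dict(fields))


class SlaveController:
    """Turns master hand displacements into bounded slave tool-tip positions."""

    def __init__(self, scale: float, alpha: float, region: MotionRegion,
                 recorder: FlightRecorder, start: Vec3 = (0.0, 0.0, 0.0)):
        self.scale = scale        # 0.2 maps a 10 mm hand move to a 2 mm tip move
        self.alpha = alpha        # first-order low-pass weight, 0 < alpha <= 1
        self.region = region
        self.recorder = recorder
        self.pos: Vec3 = start
        self.filtered: Vec3 = (0.0, 0.0, 0.0)   # filter state on the scaled delta

    def step(self, tick: int, master_delta: Vec3) -> Tuple[Vec3, bool]:
        """Process one master displacement; returns (slave position, was constrained)."""
        # 1. motion scaling: large control-grip moves become micro-motions
        scaled = tuple(self.scale * d for d in master_delta)
        # 2. tremor filtering: exponential low-pass on the scaled displacement,
        #    so zero-mean high-frequency hand shake is attenuated
        self.filtered = tuple(self.alpha * s + (1.0 - self.alpha) * f
                              for s, f in zip(scaled, self.filtered))
        # 3. synergistic constraint: the tip never leaves the predefined region
        candidate = tuple(p + f for p, f in zip(self.pos, self.filtered))
        constrained = not self.region.contains(candidate)
        self.pos = self.region.clamp(candidate) if constrained else candidate
        # 4. record the whole chain, including constraint hits, for later review
        self.recorder.record(tick=tick, master=master_delta, scaled=scaled,
                             filtered=self.filtered, slave=self.pos,
                             constrained=constrained)
        return self.pos, constrained


def run_session(master_deltas: List[Vec3], scale: float = 0.2, alpha: float = 0.5,
                region: MotionRegion = MotionRegion((-5.0, -5.0, -5.0), (5.0, 5.0, 5.0))
                ) -> Tuple[List[Vec3], List[bool], FlightRecorder]:
    """Run a sequence of master displacements through the pipeline."""
    recorder = FlightRecorder()
    ctrl = SlaveController(scale, alpha, region, recorder)
    positions, flags = [], []
    for tick, delta in enumerate(master_deltas):
        pos, constrained = ctrl.step(tick, delta)
        positions.append(pos)
        flags.append(constrained)
    return positions, flags, recorder


# Constructed inputs: a steady 10 mm/tick push that would drive the tip past the
# 5 mm region edge, and a 5 mm zero-mean hand shake that should be attenuated.
STEADY_PUSH = [(10.0, 0.0, 0.0)] * 5
TREMOR = [(5.0, 0.0, 0.0), (-5.0, 0.0, 0.0)] * 2

if __name__ == "__main__":
    for name, seq in (("steady push", STEADY_PUSH), ("tremor", TREMOR)):
        positions, flags, rec = run_session(seq)
        print(name, [p[0] for p in positions], flags)
        print("  recorded ticks:", len(rec.entries))
```

With the constructed values the steady push stops at the 5 mm boundary on the fourth tick and the recorder marks those ticks as constrained, while the 5 mm shake never moves the tip more than about 0.6 mm.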

The overall positive factors described have a main issue common to all new technologies: their use and efficacy have not yet been well established. Nowadays, many research groups are conducting studies about feasibility, human safety and the future of the Operating Room [10], but almost no long-term follow-up studies have been performed. The reuse of an industrial robot to build a medical robot is a good starting point, especially for this kind of still new technology; however, procedures need to be redesigned to optimize the use of robotic arms in surgical situations and to increase efficiency. For example, think of an industrial robot designed for high-speed assembly operations that works in a delimited area where no human can be present: it has the advantage of an already designed high-precision movement, but every procedure has to be reformulated for using it in a human environment without harmful collisions.

Another disadvantage of these systems is their price. With a price tag of a million euros, their cost is nearly prohibitive. Whether the price of these systems will fall or rise is a matter of conjecture. Some people believe that with improvements in technology and as more experience is gained with robotic systems, the price will fall [52]. Others believe that improvements in technology, such as haptics, increased processor speeds and more complex and capable software, will increase the cost of these systems [84].

Another disadvantage is the size of these systems. In general they have relatively large footprints and relatively cumbersome robotic arms, again due to their design origins in the manufacturing field. This is an important disadvantage for use in operating rooms, which are usually small and crowded with people (assistants and surgeons) and devices (electronic, safety and surgical tools). It may be necessary to build a customized operating room especially designed to house the robot and its associated devices such as workstation, power supply and control system. This leads to an extra cost for the hospital and to redefining the building structure, with consequent long delays in the installation process. An obvious strategy may be the miniaturization of the robotic arms and instruments to address the problem associated with their current size.

Building a robot with size, structure and characteristics suitable for surgical operation also requires conceiving and designing a series of surgical tools (or micro-tools) to properly operate on and manipulate tissue. This can lead to a lack of compatible instruments and equipment, considering the large number of different tools that surgeons need in common surgery. This, however, is a transient disadvantage, because new technologies have been and will be developed to address these shortcomings, with additional attention to safety, as addressed in the next Section.

2.2.6 Safety in Medical Robotics

Medical robots, unlike industrial robots, do not have clear safety guidelines. If medical robots were to operate under the same requirements as industrial robots, they would be very limited in their capability and application, because it is generally necessary for human beings, including the patient and the medical staff, to be inside the robot’s workspace.

Medical robots, like domestic robots, are a new application. They need totally different safety requirements from the industrial application, because they belong to a totally different scenario. To be fully effective, they must operate in contact with people, and appropriate safety procedures have yet to be defined that allow them to carry out other functions with adequate safety levels. In the design of human-related and life-related devices, safety is a difficult concept to achieve. Even in places where safety is of overriding importance, for example in a Space Shuttle, there is no such thing as 100% safety, and errors in software and hardware do occur despite duplication of systems and the very high cost that ensues. Safety considerations are, and should be, of crucial importance in the design of such systems. The challenge from a surgeon’s perspective is especially great, as such systems can seem both complex and mysterious in their internal workings. What is needed is recognition that the benefits to be obtained from medical robots are such that a small amount of risk is inherent in their use. This is justifiable and acceptable [15]. This is not to say that unsafe or unsound medical robot systems should be used. Of course, every effort should be taken to ensure that the system is as safe as possible.

2.2.7 Clinical and Social Aspects

The reason why robots integrate more slowly into the surgical theater than into industrial environments is not only due to technical aspects. The most important social aspect is safety. The safety requirements for medical robots are a lot more stringent than for industrial robots. Safety of a system can be achieved by active and passive safety mechanisms in the mechanical design of the system. Passive mechanisms include the materials used and passive joints. An example of an active mechanism is a switch that turns off the instrument when force or motion limits are exceeded. Safety concepts can also be programmed into the software of the robot. Another possibility to ensure safety is to keep the robot under the supervision of the surgeon. Synergistic robots are good examples of this possibility [6]. Another way is supervision of the progress of the operation by surgeons on a screen, while they are able to stop the robot in an easy way. The startup times of most medical robots, especially master-slave systems, are quite long, sometimes up to fifteen minutes. Every time the system is stopped for safety reasons, it takes another quarter of an hour to continue the operation. Robots are only used for operations when their advantages in outcome over conventional techniques are proven. This can take some time. For example, the advantage of hip replacement by use of a robot can only be proved after several years [78]. Another example is the use of master-slave systems. Master-slave systems have the potential to perform the same endoscopic operations as conventional endoscopic techniques, and even more sophisticated ones. However, with the current master-slave systems the operating and anastomosis times are not decreased. Improvements in instrument and manipulator design make it possible to perform operations that are not possible with conventional endoscopic techniques and to decrease the operating time [8, 56]. The cost of a medical robot is high with respect to conventional instruments. When the benefits of a robot are not really clear, this might set a threshold to invest in medical robots. Furthermore, acceptance by patients, who may not be used to robots, as well as acceptance by surgeons, who have to get familiar with working with robots, are important aspects for the introduction of robots into the surgical theater.

2.3 Conclusion

In this Chapter we have given an overview of the service robotics application area. A subfield of it is medical robotics and robotic surgery. We discussed the advantages and disadvantages that a surgical robotic assistant can involve and introduced the safety issues that such devices need to take into consideration, emphasizing the lack of regulation due to the youth of the field.

In the following Chapter we will discuss the teleoperation scenario. Starting from the definition of teleoperation and the general design issues that affect it, we then argue guidelines for a safety-critical system, focusing the problem on medical robotics.


3 Safety in Teleoperation

Teleoperation, or Telerobotics, is one of the earliest aspects of robotics. Literally meaning robotics at a distance, it is generally understood to refer to robotics with a human operator in control or human-in-the-loop. Any high-level, planning, or cognitive decisions are made by the human user, while the robot is responsible for their mechanical implementation.

While in the previous Chapter we presented a general overview of medical robots and their area of interest, the surgical scenario, here we focus on the teleoperation outlook. First we present an overview and definitions, then we focus on teleoperation in medicine. The research community’s safety considerations are then examined and guidelines for designing a safety-critical system are provided, with an emphasis on what fault detection is and how it can be done.

3.1 Teleoperation System

Teleoperation is defined as the control over a distance of one or more robots by a human operator. The term tele, which is derived from Greek and means “distant”, is generalized to imply a barrier between the user and the environment. As introduced in Section 2.2.2, usually it refers to a system with a master/slave configuration, where the operator works on a joystick that is kinematically compatible with the slave manipulator (see Figure 3.1). It has been shown that operator performance is improved by providing force information to the human operator [13]. Force information can be presented visually to the operator on a monitor, but the most significant performance improvement is achieved by providing force feedback to the operator, i.e. by generating forces directly with the motors of the master device. In this case the operator is said to be kinesthetically coupled to the slave and the teleoperator system is said to have bilateral control or to be force reflecting [6].

Figure 3.1: Overview of a telerobotic system [92]

Before proceeding, we first define some basic terminology. Indeed many other terms are used nearly synonymously with telerobotics, in particular teleoperation and telemanipulation. Telerobotics is the most common, emphasizing a human’s (remote) control of a robot. Teleoperation stresses the task-level operations, while telemanipulation highlights object-level manipulation.

Telerobots can be used for application areas that require the flexibility of a human, but cannot be performed by a human for one or more of the following reasons:

• The environment is too hazardous for human health or survival. Examples: deep water, outer space, toxic environments, mines, construction sites, fires, and police or military operations.

• The worksite is not directly accessible for humans because of small passages. Examples: telerobots that examine and repair pipelines; minimally invasive surgery.

• The task is out of human scale. Examples: drilling bones for artificial hip joint implants (requires high precision), excavators and cranes on construction sites (large forces and scale).

• Telerobots can extend the capabilities of humans. Examples: artificial limbs, assistive devices for people with special needs.

• Transporting humans to the task site would be too expensive or too time consuming. Examples: exploration of other planets (Mars) or deep water, maintenance of underwater cables; telediagnostics and telesurgery, which require specialists who are in high demand and whose valuable time should not be wasted with traveling.

• The presence of humans would harm the environment. Examples: exploration of sensitive environments or archaeological sites. Telerobots can be built much smaller than vehicles that transport humans. Telerobots can stay longer on site, thus reducing the amount of traffic.

Telerobots also support applications that are not based on a one-to-one connection between one operator and one telerobot [26]:

• A single operator could control a large number of telerobots.

• Several locally separated operators could jointly control one telerobot by controlling different aspects of the task.

• Several users can experience presence at a remote location at the same time. This could lead to new concepts of tourism and entertainment. Example: the lunar rover [62].

An important property of a telerobotic system is the method by which it is controlled. Conway in [11] defines the following classification of telerobotic control schemes:

Direct control: the remote device follows the inputs from the controller; also known as master/slave control.

Shared control: control is at a higher level than direct position servoing; i.e. the device may vary from course if it encounters an obstacle.

Discrete control: the controller is able to carry out discrete commands without intervention. This implies a higher level of capability in the remote portion of the controller, as it must be able to carry out the command without help.

Supervisory control: the remote device operates in a largely autonomous mode and only interacts with the human when it encounters an unexpected situation.


Learning control: the remote device is given intelligence that allows it to learn from human inputs and sensor information and subsequently to generate behavior in similar situations without human intervention.

The role of computers in telerobotics can be classified according to how much of the task load is carried compared to what the human operator alone can carry [91]. They can trade or share control. Trading control includes the following cases:

• The computer replaces the human. It has full control over the system;

• The computer backs up the human;

• The human backs up the computer;

Sharing control, the other case, is the more common one in telerobotics; it means that the human and the computer control different aspects of the task:

• The computer relieves the human operator of certain tasks. This is very common in telerobotics when the remote system performs subtasks according to the plans specified by the human operator.

• The computer extends the human’s capabilities. This typically occurs in telerobotics when high precision of movements and applied forces is required.

The layout of the components of a telerobotic system depends on the application. Slow and time-delayed communication requires more autonomy for telerobots and reduces the quality and quantity of up-to-date information available at human-interactive systems.

3.1.1 General Issues in Teleoperation

A teleoperation system is a chain of complex components. Each component adds constraints that have to be compensated by software and computational effort and/or by adding or replacing other components. The choice of each of the components influences the design of the others [12].


Time delay and bandwidth. The communication link in many telerobotic applications imposes time delay and limits bandwidth. For example, in space telerobotics the minimal time delay is determined by the distance to the telerobot and the speed of light. For probes to other planets the time delay is in the order of minutes. Similarly, the speed of sound in water imposes a distance-dependent time delay for tetherless underwater telerobots. Continuous closed-loop manual control of a telerobot over a finite time delay will result in inherent instability [91]. In such systems the time for a human operator to accomplish even simple manipulation tasks can increase manifold, because operators tend to adopt a “move and wait” strategy to avoid instability.

Sensing and display. The remote location of an operator either precludes or diminishes many sensory cues at the operator interface that would be available if the operator were actually present at the remote site. When these cues are sensed through sensors at the remote site and then displayed to the operator, there is always some loss of information. This loss occurs because the sensors do not pick up all the cues adequately, the communication link does not provide enough capacity to transfer the information, or the cues cannot be reproduced for the operator with a sufficient degree of fidelity.

Autonomy and operation safety. One of the biggest concerns during teleoperation is that the telerobot should not collide with other objects in its environment, to avoid damage to the telerobot, to other objects or even to living beings in the telerobot’s environment. The latter requirement is better known as Asimov’s (1950) first law of robotics: “A robot may not injure a human being [. . . ]”; these issues are discussed in detail in Section 3.1.4. The degree of autonomy also determines the nature of task allocation between the telerobot and the human operator. Supervisory control implies a certain degree of autonomy.

3.1.2 Bilateral Teleoperation

Including force feedback in the teleoperation procedure and the possibility to perceive remote sensations enrich the experience and augment the user’s ability to accomplish complex operations [38]. In a master-slave system, this is done by using a master robot that not only measures motions but also displays forces to the user. The user interface becomes fully bidirectional and such telerobotic systems are often called bilateral, as in Figure 3.2. In the closed loop that arises, the requested action directly determines the resulting haptic sensation, which in turn affects the following action. The major issue is that this closed-loop system is affected by the delay in the transmission of the data. In 1965 Ferrel [23, 90] introduced the time delay in teleoperation problems. When the master and slave devices operate at very long transmission distances, such as between earth and moon or across the sea, a delay is introduced in both the forward and feedback paths. The delay is primarily due to the signal propagation time, but for example also resource sharing between multiple users affects the performance.

Figure 3.2: A typical bilateral teleoperator can be viewed as a chain of elements reaching from user to environment.

Moreover, if the transmission channel is the global Internet, the delay cannot be neglected [36, 61]. The issue with using the Internet is that if the time delay is unknown or variable, the overall system performance degrades and may quickly decay into instability. If the operator, for example, does not feel any force within a certain amount of time, the actions performed in the meantime may produce unpredictable dangers and at worst the system becomes unstable and action and reaction are no longer synchronized.

In control theory this problem is faced by applying scattering and passivity theory and using wave variables to increase the system’s stability [99]. These variables are used in place of the common variables of force and velocity. In [68] it was found that, using wave variables for the data flow from both master and slave, the system remained stable even when time delay occurred.
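To make the passivity argument concrete, the following added example (not code from the thesis or from [68, 99]) simulates a master/slave loop with a one-way delay and compares the energy stored in the communication channel when velocity and force are sent directly against the wave-variable encoding u = (b·v + F)/√(2b), v = (b·v − F)/√(2b). The operator is modelled as an ideal velocity source and the remote environment as a spring; all parameter values are constructed for the example.

```python
import math

# Parameters constructed for this added example (not taken from the thesis).
B = 1.0                 # wave impedance b [N s/m]
K_ENV = 10.0            # stiffness of the remote environment, a spring [N/m]
DT = 0.001              # integration step [s]
DELAY = 0.1             # one-way transmission delay T [s]
AMPL, FREQ = 1.0, 1.0   # operator velocity v_m(t) = AMPL * sin(2*pi*FREQ*t) [m/s, Hz]


def wave_encode(b, velocity, force):
    """Map the power variables (velocity, force) to the wave variables (u, v):
    u = (b*velocity + force)/sqrt(2b), v = (b*velocity - force)/sqrt(2b)."""
    s = math.sqrt(2.0 * b)
    return (b * velocity + force) / s, (b * velocity - force) / s


def wave_decode(b, u, v):
    """Inverse of wave_encode: recover (velocity, force) from (u, v)."""
    s = math.sqrt(2.0 * b)
    return (u + v) / s, (u - v) * s / 2.0


def simulate(scheme, duration=3.0, delay=DELAY):
    """Run a delayed master/slave loop and track the energy stored in the
    communication channel, E(t) = integral of (F_m*v_m - F_s*v_s) dt.

    "direct": velocity (master->slave) and force (slave->master) are sent as is.
    "wave":   the waves u (master->slave) and v (slave->master) are sent instead.
    A passive channel keeps E(t) bounded below (here E >= 0); a channel whose E
    keeps drifting negative is injecting energy into the loop and can drive it
    unstable, which is the failure mode the wave encoding removes.
    """
    d = int(round(delay / DT))       # delay in samples
    if d < 1:
        raise ValueError("delay must be at least one sample")
    s = math.sqrt(2.0 * B)
    fwd, bwd = [], []                # delay lines: master->slave, slave->master
    x_s = 0.0                        # slave position; the spring is relaxed at 0
    energy, min_energy = 0.0, 0.0
    for n in range(int(duration / DT)):
        v_m = AMPL * math.sin(2 * math.pi * FREQ * n * DT)  # ideal velocity source
        f_s = K_ENV * x_s                                   # measured contact force
        rcv_m = bwd[n - d] if n >= d else 0.0               # arrives at master now
        rcv_s = fwd[n - d] if n >= d else 0.0               # arrives at slave now
        if scheme == "direct":
            f_m = rcv_m                  # stale slave force displayed to the operator
            v_s = rcv_s                  # stale master velocity commanded to the slave
            fwd.append(v_m)
            bwd.append(f_s)
        elif scheme == "wave":
            f_m = B * v_m - s * rcv_m    # master: force implied by the returning wave
            u_m, _ = wave_encode(B, v_m, f_m)
            v_s = (s * rcv_s - f_s) / B  # slave: velocity implied by the incoming wave
            _, v_sw = wave_encode(B, v_s, f_s)
            fwd.append(u_m)
            bwd.append(v_sw)
        else:
            raise ValueError("unknown scheme: %s" % scheme)
        x_s += v_s * DT
        energy += (f_m * v_m - f_s * v_s) * DT
        min_energy = min(min_energy, energy)
    return {"final_energy": energy, "min_energy": min_energy}


if __name__ == "__main__":
    for scheme in ("direct", "wave"):
        r = simulate(scheme)
        print("%-6s  min E = %8.3f J   final E = %8.3f J"
              % (scheme, r["min_energy"], r["final_energy"]))
```

With the direct scheme the channel energy drifts steadily negative (the delayed force reflection returns more work to the operator than the slave does on the environment), while with wave variables it stays non-negative for any delay, which is the passivity property that keeps the loop stable.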

3.1.3 Teleoperation in Medicine

The original idea of telemedicine was to provide medical care over long distances through the use of telecommunications. Now efforts are underway in the world to develop telesurgery, where a surgeon operates, by means of a telerobotic device and a communication link, on a patient who is at an arbitrary distance away. Telesurgery is a special application of teleoperation that requires good telerobotic devices to perform the remote operations and a good quality of telepresence (visual, audio and haptic feedback) to enhance the surgeon’s medical performance.

Robot-based surgical systems are starting to support surgeons during traditional as well as experimental procedures. These systems usually consist of a control console from which the surgeon issues manual or vocal commands to a robot, which then executes them at the nearby surgical scenario. Images from the surgery are returned to the console as the only sensory feedback available to the surgeon. In certain systems, a separate display shows a graphical representation of the forces applied by the robot to the patient’s body during the procedure. One of today’s main challenges is to determine the correct force feedback to the user. In the following we describe the features of telepresence, focusing on surgery applications.

Telepresence. Telepresence is an enhanced form of teleoperation that employs an immersive and transparent user interface, permitting the user to work with high effectiveness in inaccessible or remote environments. In telepresence surgery, the surgeon works at a telepresence surgeon’s workstation, using familiar instruments and intuitively responding to the stereoscopic view, proprioceptive and haptic cues and sounds that are provided as feedback from the actual surgical site. With telepresence, the user can remotely perform complex tasks without the need for specialized training. Using modern telemanipulator, control and imaging capabilities, such systems enable the full spectrum of surgical tasks normally performed by surgeons, such as cutting, suturing and dissecting. Systems with the required dexterity, speed and delicate force feedback have not been previously developed, nor has a human interface methodology for making their use natural and effective.

The application of telepresence principles to surgery has several potential benefits [37]:

• in minimally invasive surgery (MIS), restoring the hand–eye coordination that is lost when surgeons use conventional instruments, thus speeding up a slow and fatiguing manual process and bringing the benefits of MIS techniques to more patients;

• in microsurgery, scaling small motions and forces to the optimal range of human perception, thereby enabling improved performance and new microsurgical procedures;


• bringing lifesaving surgical care to isolated patients in rural areas, aboard ship, or on the battlefield;

• in all surgery, opening surgical procedures to the benefits of telemedicine;

• in training of medical students, interacting with computer simulations through a natural, immersive interface;

• in preparation for surgery, allowing the surgeon to practice surgery on a “virtual patient” computer model created from patient-specific medical image data.

The presence of humans within the application environment has a profound bearing on safety issues, especially as they may well be disabled or anesthetized. In an industrial application, the major strategy for ensuring operator safety is to physically separate the robot from vulnerable humans by creating a safe robot workspace from which humans are excluded. In the case of intrusion, robot movements can be disabled until the robot space is vacated. As introduced in Section 2.1.2, such a strategy is obviously inappropriate for a medical robot, for which the application demands interaction with humans in their own workspace and even direct operation on human subjects. The safety issues differ depending on the type of application, but some generalizations can be made, as the following Section argues.

3.1.4 Safety Issues

The implications for safety are considerable, since the additional scope extends to ensuring the correct and reliable operation of the robot in its intended function, in some respects placing medical telerobots on a par with the most demanding of safety-critical systems. With some specific exceptions, however, medical robots enjoy the luxury of a safe state which can be entered in case of failure. This is usually achieved by withdrawing power from the effectors and ensuring that the robot can be safely removed, allowing the procedure to be completed manually.

To be truly useful in an unstructured environment, medical robots must be vested with a high level of autonomy and rich sensory capability, requirements which not only push the limits of technology but dramatically increase the difficulty of ensuring safe operation. In the case of robots controlled by expert (based on rules derived from human experts) or heuristic (learning by experience) systems, analytical proof of the safeness of the entire system is unlikely to be achievable.

The consequences of a medical robot behaving inappropriately could be serious, ranging from mild operator inconvenience to permanent disability or death of a patient, though this has not yet happened [19]. Every reasonable effort must therefore be made to eliminate or minimize safety hazards. There is however a cost attached, and if the cost of safety ultimately pushes the price of a medical robot beyond the value of its benefit, the design becomes unviable.

In IEC601-1 “Medical electrical equipment - general standards for safety” [39], a safety hazard is defined as “A potentially detrimental effect on the patient, other persons, animals or the surroundings arising directly from equipment.” These criteria can be generally applied to every medical system involved in data gathering and processing, diagnosis and treatment. In the teleoperation context part of the procedure may be automated whilst other parts are performed by, or under the direct control of, medical practitioners. Safety hazards may therefore arise from one or a combination of hardware, software or human-computer interface problems.

In order to optimize safety, safety concepts need to be undertaken from the first step of conceiving a medical structure, thus from the design level, and even earlier from the specification level. This approach tries to avoid the main hazard issue: the failure of hardware components. These three points (specification, design and component failure) will be expanded on in the following.

As the top-level document, the system specification has a key role in ensuring safety. Ideally, specifications should be complete, unambiguous and consistent. There are considerable difficulties in generating a solid specification, particularly in relation to ensuring its completeness. As the complexity of tasks and the environment increases, there is a corresponding increase in the number of variables to which an “intelligent” robot must respond. The combinations of possible environmental events rapidly approach infinity, so that the task of identifying appropriate responses in all cases is virtually impossible. As exposed by Ellenby in [19], the best that can be done at present is to attempt to group combinations of inputs to reduce the size of the problem and to specify a safe response to conditions which lie outside of the defined scope. Tackling the same problem in a bottom-up strategy, potentially hazardous outputs can be identified by studying a virtual or simulated final product, and the specification drawn up to specifically exclude them from the range of allowed responses.


The specification must also clearly define the human-computer interface and ensure that it is clear and unambiguous. If the operator is not entirely clear as to what input is required from him/her, the safety of the system may be compromised. An example illustrating this issue is incorrect input to a radiotherapy treatment system, which may result in incorrect doses to patients. IEC601-1 identifies that “Adequate construction and layout which serve to prevent human errors are regarded as safety aspects”.

Design flaws are the result of incorrect or incomplete implementation of the specification. The likelihood of such flaws is influenced by the following factors:

• Complexity

• Novelty

• Level of design expertise

• Methodology (appropriateness and maturity)

• Availability of guidelines (Standards etc.)

• Quality of specification.

Design flaws may arise in mechanical, electrical/electronic or software components of a system. Of these, the issues of hardware design validation, whilst far from trivial, are at least comparatively well understood. The difficulties of software validation, however, present developers with a massive problem. Ellenby shows that software systems cannot be tested for correctness, because their complexity is such that the number of states requiring testing would be preposterous even for a small system.

For the most part, design integrity in software must be built into the design process, for example by the appropriate use of formal methods and highly structured code and documentation. This does at least reduce the chance of error and offers the reviewer a mechanism to assess the quality of the design structure and the rationale for decision making.

Component failure is a relatively straightforward issue. Any physical component has a finite probability of failing and this can be calculated in various well established ways. For example, IEC601-1 requires that equipment remains safe even if a single fault condition occurs. It is also asserted that the probability of simultaneous occurrence of two single faults is considered small enough to be negligible provided that one or more of the following is also true:

• the probability of a single fault is also small;

• the single fault causes operation of a safety device which prevents a hazard;

• the single fault is made obvious to the operator (e.g. alarm);

• the single fault is identified and remedied by periodic inspection.

A detailed and well structured failure mode and effect analysis on each component may be followed by design modifications to ensure that single point failures cannot result in safety hazards. This leads to the generation of safety-critical systems.
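As an added example (not code from the thesis), the following independent supervisor for a teleoperated tool implements the two responses the single fault conditions above call for: a detected fault either operates a safety device (effector power is withdrawn, the safe state of Section 3.1.4) or is made obvious to the operator (an alarm), and the force/motion limit switch of Section 2.2.7 is one of its checks. The limits, the telemetry frame format and the sample trace are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed limits for this added example; a real specification derives them
# from the clinical task and from the single fault condition analysis.
FORCE_LIMIT_N = 5.0        # maximum tool/tissue force allowed by the specification
VELOCITY_LIMIT_MMS = 50.0  # maximum tool velocity allowed by the specification
SENSOR_DISAGREE_N = 0.5    # tolerated mismatch between the two redundant force sensors
LINK_TIMEOUT_MS = 200      # longest silence tolerated on the teleoperation link


@dataclass
class Frame:
    """One telemetry sample (constructed format) from the slave side."""
    t_ms: int          # timestamp of the sample
    force_a: float     # primary force sensor [N]
    force_b: float     # redundant force sensor [N]
    velocity: float    # commanded tool velocity [mm/s]


@dataclass
class MonitorState:
    power_enabled: bool = True
    safe_state_reason: Optional[str] = None
    alarms: List[str] = field(default_factory=list)
    last_frame_ms: Optional[int] = None


class SafetyMonitor:
    """Independent supervisor for a teleoperated tool.

    Every frame is checked against the specification; the first fault latches a
    safe state by withdrawing effector power and raising an alarm, and the latch
    is cleared only by an explicit, verified operator reset, so a single fault
    never silently recovers into a hazard.
    """

    def __init__(self):
        self.state = MonitorState()

    def _enter_safe_state(self, reason: str) -> None:
        if self.state.power_enabled:          # latch: the first fault wins
            self.state.power_enabled = False
            self.state.safe_state_reason = reason
        self.state.alarms.append(reason)      # the fault is made obvious to the operator

    def check_frame(self, frame: Frame) -> bool:
        """Check one frame; return True if the effectors may stay powered."""
        st = self.state
        # 1. Link watchdog: a gap longer than the timeout means command and force
        #    feedback are no longer synchronized, so stop before acting on stale data.
        if st.last_frame_ms is not None:
            gap = frame.t_ms - st.last_frame_ms
            if gap > LINK_TIMEOUT_MS:
                self._enter_safe_state(f"link timeout: {gap} ms since last frame")
        st.last_frame_ms = frame.t_ms
        # 2. Redundant sensor cross-check: a disagreement reveals a single sensor
        #    fault even when each reading on its own is inside the limits.
        if abs(frame.force_a - frame.force_b) > SENSOR_DISAGREE_N:
            self._enter_safe_state(
                f"force sensor disagreement: {frame.force_a:.2f} N vs {frame.force_b:.2f} N")
        # 3. Limit switch: use the larger reading so that a sensor failing low
        #    cannot mask an overload.
        force = max(abs(frame.force_a), abs(frame.force_b))
        if force > FORCE_LIMIT_N:
            self._enter_safe_state(f"force limit exceeded: {force:.2f} N")
        if abs(frame.velocity) > VELOCITY_LIMIT_MMS:
            self._enter_safe_state(f"velocity limit exceeded: {frame.velocity:.1f} mm/s")
        return st.power_enabled

    def tick(self, now_ms: int) -> bool:
        """Timer-driven watchdog, independent of the data path: a link that goes
        completely silent is detected even though no frame ever arrives."""
        st = self.state
        if st.last_frame_ms is not None and now_ms - st.last_frame_ms > LINK_TIMEOUT_MS:
            self._enter_safe_state(f"link silent for {now_ms - st.last_frame_ms} ms")
        return st.power_enabled

    def operator_reset(self, frame: Frame) -> bool:
        """Clear the latch only on an explicit operator action and only if the
        current readings are consistent and inside the limits."""
        quiescent = (abs(frame.force_a - frame.force_b) <= SENSOR_DISAGREE_N
                     and max(abs(frame.force_a), abs(frame.force_b)) <= FORCE_LIMIT_N
                     and abs(frame.velocity) <= VELOCITY_LIMIT_MMS)
        if not quiescent:
            return False
        self.state = MonitorState(last_frame_ms=frame.t_ms)
        return True


def run_frames(frames: List[Frame]) -> MonitorState:
    """Feed a telemetry trace to a fresh monitor and return its final state."""
    monitor = SafetyMonitor()
    for frame in frames:
        monitor.check_frame(frame)
    return monitor.state


# Constructed trace: normal operation, then sensor B drifts away from sensor A.
SAMPLE_TRACE = [
    Frame(0, 1.0, 1.1, 10.0),
    Frame(50, 2.0, 2.1, 12.0),
    Frame(100, 2.2, 3.0, 12.0),   # 0.8 N disagreement -> safe state, alarm
    Frame(150, 2.2, 3.1, 12.0),   # still faulty: second alarm, power stays off
]

if __name__ == "__main__":
    st = run_frames(SAMPLE_TRACE)
    print("power enabled:", st.power_enabled, "| reason:", st.safe_state_reason)
    for alarm in st.alarms:
        print("ALARM:", alarm)
```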

3.2 Safety Critical Approach

Traditional areas that contribute to developing safety-critical systems include commercial aircraft, medical care, nuclear power, and weapons. Failure in these areas can quickly lead to human life being put in danger, loss of equipment, and so on. Computers are used in medicine far more widely than most people realize. The idea of using a microprocessor to control an insulin pump is quite well known. The fact that a pacemaker is largely a computer is less well known [53]. The extensive use of computers in surgical procedures is almost unknown except by specialists. Computerized equipment is making inroads in procedures such as hip replacement, spinal surgery, and ophthalmic surgery. In all three of these cases, computer-controlled robotic devices are replacing the surgeon’s traditional tools, and providing substantial benefits to patients.

There are plenty of definitions of the term safety-critical system, but the intuitive notion actually works quite well. The concern, both intuitively and formally, is with the consequences of failure. If the failure of a system could lead to consequences that are determined to be unacceptable, then the system is safety-critical. In essence, a system is safety-critical when we depend on it for our well being. In this Section, the implications of this idea are explored in terms of the classes of systems that should be viewed as safety-critical.

In relation to safety-critical systems, the US Department of Defense defines a mishap as an unplanned event or series of events that result in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment [67]. The mishap risk assesses the impact of a mishap in terms of two primary concerns: its potential severity and the probability of its occurrence. For example, an airliner crash would affect an individual more severely than an automobile fender-bender, but it is much less likely to happen. This assessment captures the important principle that systems such as cars, airliners, and nuclear plants are never absolutely safe. It also provides a design principle: given our current knowledge, we can never eliminate the possibility of a mishap in a safety-critical system; we can only reduce the risk that it will occur.

Risk reduction adds to system cost, however. Indeed, in some applications, such as nuclear power plants but also medicine, ensuring safety can dominate total system cost. When creating a safe system, minimizing this expense forces a compromise: resources are expended to reduce mishap risk, but only to a level considered generally acceptable.

3.2.1 Hazard Analysis

Typically, any computer-based control system contains five primary components [17], whether it is a fly-by-wire aircraft controller, an industrial robot, a radiation therapy machine, or an automotive antiskid system. These components are described in the following.

The application is the physical entity that the system monitors and controls. The sensor converts an application's measured physical property into a corresponding electrical signal for input into the computer. The effector converts an electrical signal from the computer's output into a corresponding physical action that controls an application's function. The operator is the human or humans who monitor and activate the computer system in real time. The computer consists of the hardware and software that use sensors and effectors to monitor and control the application in real time.

The safety issues and design methodology associated with complex structures strongly resemble those that apply to any simple computer system. Thus, we can study such a basic system to gain insights about design techniques that we would then apply to more complex systems.

Figure 3.3: Mishap causes. System designers identify the application's attendant hazards to determine how system-component failures can result in mishaps [17].

In the basic computer system, developers fully define the application, including all hardware, software, and operator functions that are not safety related. Because the basic computer system employs no safety features, it will probably exhibit an unacceptably high level of mishap risk. When this occurs, solving the design problem requires modifying the operator, computer, sensor, and effector components to create a new system that will meet an acceptable level of mishap risk. The design solution begins with the question: "How can this basic computer system fail and precipitate a mishap?" The key element connecting a failure in the basic system to a subsequent mishap is the hazard [67], defined as any real or potential condition that can cause:

• injury, illness, or death to personnel;

• damage to or loss of a system, equipment, or property;

• damage to the environment.

Hazard examples include loss of flight control, loss of nuclear core cooling, or injuring a patient during a robotic surgical teleoperation. All such hazards reside in the application. Thus, system design focuses first on the application component of the system to identify its attendant hazards. Then designers turn their attention to the operator, sensor, computer, and effector components. To determine how these components can fail and cause a mishap, the designers perform a failure-modes analysis to discover all possible failure sources in each component. These include random hardware failures, manufacturing defects, programming faults, environmental stresses, design errors, and maintenance mistakes.

Figure 3.4: Risk mitigation measures. Designers can modify a system to reduce its inherent risk by improving component reliability and quality and by incorporating internal or external safety and warning devices [17].

These analyses provide the information needed to establish the connection between all possible component failure modes and mishaps, as Figure 3.3 shows. Given the system's high risk of mishap, designer attention turns to modifying it to mitigate this risk. This can be done in three ways:

• improve component reliability and quality,

• incorporate internal safety and warning devices,

• incorporate external safety devices.

Figure 3.4 shows how and where applying these mishap-risk-mitigation measures can alleviate the computer system mishap causes shown in Figure 3.3. Improving reliability and quality involves two measures: improving component reliability and exercising quality measures that will avoid or eliminate the sources of component failure. Reliability improvement seeks to reduce the probability of component failure, which in turn reduces mishap probability. A widely used and effective approach for improving reliability employs redundant hardware and software components. Redesign can remove component reliability problems that stem from environmental conditions.

Other sources of component failure, such as personnel error, design inadequacies, and procedural deficiencies, are more elusive. IEC 61508 [40] includes these sources of failure in a general category described as systematic failures and recommends various quality-oriented approaches for avoiding or eliminating them.

Although reliability and quality measures can reduce mishap risk, they normally will not lower it to an acceptable level, because component failures will still occur. When a project requires additional risk mitigation steps, internal safety devices form the next line of defense. An example of an internal safety device is the thermocouple circuit that shuts off the gas supply in a home heating furnace should its flame go out. Developers implement these devices in both hardware and software. Internal safety devices not only reduce the effects of hardware and software faults but also provide a barrier against systematic failures, including personnel errors, design inadequacies, and procedural deficiencies.

Even after designers have taken these measures, system failures can still occur, resulting in mishaps. External safety devices, which can range from simple physical containment to computer-based safety-instrumented systems, provide a last line of defense against these residual failures. These devices provide protection when the application experiences a hazardous event.

To achieve effective mishap risk mitigation, developers usually strive to apply all three of these mitigation measures concurrently, creating a layered approach to system protection. Because even the most lavish project has limited development resources, designers should apply the three types of risk mitigation in a balanced way. In addition, risk mitigation efforts must be distributed evenly across the system's sensor, effector, computer, and operator components, because a single neglected failure in any one part of the system can make the aggregate mishap risk totally unacceptable.

3.2.2 Additional Safety Devices

Figure 3.5: Risk mitigation methods. Designers have added several risk-mitigation devices to this system, including a watchdog timer, an emergency stop circuit, and interlocks that inhibit effector actions unless specific external conditions are satisfied.

Figure 3.5 generalizes the risk mitigation method by showing a basic computer system that has been modified to include risk-mitigation techniques found in real-life applications. One such technique, the emergency stop circuit, inhibits effector outputs by forcing the system into a safe state, as shown by the line in Figure 3.5 that connects the operator component to the diamond-enclosed E. Systems often employ interlocks that inhibit effector action unless some specific external physical conditions are satisfied. The switch that stops the cooking when a user opens a microwave oven door is one example of an interlock. Designers can reduce mishap risk in a system by using a computer to detect component failures and modify effector controls to bring the system to a safe state. The design can incorporate various approaches to detecting failures in individual sensors, including reasonableness tests, informational redundancy, state estimators, and analytical redundancy [17]. Another interesting approach is the fault detection and fault isolation procedure, which will be explained in detail in Section 3.3.

As Figure 3.5 shows, to detect effector failures the design can use a wraparound, in which the effector output feeds back into the computer to verify that the output matches the system command. The same basic approach uses endarounds to verify computer I/O integrity. When the system detects wraparound or endaround mismatches, it signals the effector to shift to a safe state. A failure in the forward computer-to-effector path may, however, prevent the shift. For this reason, developers usually build an additional, independent safety control into the system to neutralize the effector output when it detects wraparound or endaround mismatches. Finally, most industrial controllers employ a watchdog timer circuit between the computer and the effector output. The computer continuously refreshes this circuit with hardware- and software-generated electrical pulses. As long as these pulses continue, the circuit keeps the effector output connected to the application. If the pulses cease through hardware or software failure, the circuit times out, and the system inhibits further effector output.
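The devices just described can be modelled as a single gate placed in front of the effector channel. The block below is an added example, not code from the thesis or from [17]: a plain-Python model in which an emergency stop, interlocks, a wraparound comparison and a watchdog timer all force the same safe state and latch it until an explicit reset that succeeds only when every device is healthy again. The class names, the 50 ms watchdog timeout, the 0.1 wraparound tolerance and the scenario inputs are illustrative assumptions. Note the caveat the text itself raises: a gate implemented in the computer sits in the forward computer-to-effector path, so in a real design the watchdog and the e-stop circuit must be independent hardware; the model shows the decision logic, not that independence.

```python
"""Effector-output gate modelling the risk-mitigation devices of Section 3.2.2.

Added example (not from the thesis). One channel from computer to effector,
guarded by an emergency stop, interlocks, a wraparound check and a watchdog
timer. Any device that trips forces SAFE_OUTPUT and latches it until reset().
All names, timeouts and tolerances are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAFE_OUTPUT = 0.0  # drive level that leaves the effector in its safe (inhibited) state


@dataclass
class Watchdog:
    """Times out when the computer stops refreshing it with pulses."""
    timeout: float            # seconds allowed between two refresh pulses
    last_pulse: float = 0.0

    def pulse(self, now: float) -> None:
        self.last_pulse = now

    def expired(self, now: float) -> bool:
        return now - self.last_pulse > self.timeout


@dataclass
class EffectorGate:
    watchdog: Watchdog
    wraparound_tolerance: float        # largest |readback - command| still considered healthy
    interlocks: Dict[str, bool] = field(default_factory=dict)
    estop: bool = False
    tripped: bool = False
    reason: str = ""
    _last_command: Optional[float] = None

    def _trip(self, reason: str) -> float:
        self.tripped, self.reason = True, reason
        self._last_command = None      # restart the wraparound comparison after a reset
        return SAFE_OUTPUT

    def command(self, now: float, demanded: float, readback: Optional[float]) -> float:
        """Return the drive actually passed to the effector in this cycle.

        `readback` is the wrapped-around effector output measured at the end of
        the previous cycle, so it is compared with the previous command.
        """
        if self.tripped:
            return SAFE_OUTPUT                      # latched: stays safe until reset()
        if self.estop:
            return self._trip("emergency stop pressed")
        for name, satisfied in self.interlocks.items():
            if not satisfied:
                return self._trip(f"interlock open: {name}")
        if self.watchdog.expired(now):
            return self._trip("watchdog timeout: computer stopped refreshing")
        if (self._last_command is not None and readback is not None
                and abs(readback - self._last_command) > self.wraparound_tolerance):
            return self._trip("wraparound mismatch: effector did not follow command")
        self._last_command = demanded
        return demanded

    def reset(self, now: float) -> bool:
        """Clear the latched trip, but only if every device is healthy again."""
        if self.estop or not all(self.interlocks.values()) or self.watchdog.expired(now):
            return False
        self.tripped, self.reason = False, ""
        return True


def run_scenario() -> List[Tuple[float, float, str]]:
    """Constructed scenario: healthy cycles, a wraparound mismatch, a reset, then a
    watchdog timeout. Returns (time, output, trip reason) for each cycle."""
    wd = Watchdog(timeout=0.05)
    gate = EffectorGate(wd, wraparound_tolerance=0.1,
                        interlocks={"sterile_drape_closed": True, "tool_in_workspace": True})
    log = []
    for now, demanded, readback in [
        (0.00, 1.0, None),    # first cycle, nothing to compare yet
        (0.01, 1.0, 1.02),    # effector followed the previous command
        (0.02, 1.0, 0.30),    # effector output diverged: wraparound trips
        (0.03, 1.0, 1.00),    # latched, still safe
    ]:
        wd.pulse(now)
        log.append((now, gate.command(now, demanded, readback), gate.reason))
    gate.reset(0.03)
    log.append((0.04, gate.command(0.04, 0.5, None), gate.reason))   # pulses stop after 0.03
    log.append((0.10, gate.command(0.10, 0.5, 0.5), gate.reason))    # 70 ms of silence > 50 ms
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

In the scenario the wraparound mismatch and the watchdog timeout produce the same safe output, which is the point of routing every device through one latched gate: the effector cannot be re-energised by a later, apparently valid command until somebody clears the cause.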


3.2.3 Fail-Operate Systems

In fail-safe systems, hardware, software, or an operator detects a failure and modifies the effector output so that the system enters a safe, generally non-operating state. Most real-world applications are fail-safe systems. Many computer systems, however, such as fly-by-wire aircraft control systems and those used in some critical surgical procedures, must continue safe operation after one or more components have failed. These fail-operate computer systems achieve their fault-tolerance capability through redundancy.

One fail-operate approach uses a backup system that can take over the computer's safety-critical functions should the primary system fail. A second approach simply replicates components so that, if a given component fails, the system includes one or more duplicates to continue the required function.

Although component redundancy is a simple concept, the details of implementing it are not. First, the design must replicate virtually every critical component in a system, including computers, sensors, effectors, operators, power sources, and interconnects. Second, the design must incorporate a redundancy-management process into the fail-operate system's hardware, software, or operator components to detect failures when they occur, isolate the failed component, and reconfigure the system so that one or more healthy components replace or mask the failed counterpart.

These failure detection, isolation, and reconfiguration processes can quickly become complex, resulting in system development costs that far exceed those of the corresponding basic computer system [16]. For this reason, component redundancy becomes a practical design option only when a backup system is infeasible or when performance must be maintained following one or more component failures.

To design a fail-operate system, many developers use a two-step process in which they first select a redundant hardware structure or architecture and subsequently flesh out this framework with the appropriate redundancy management hardware and software processes. This two-step process is impractical, however, not because of the redundant structure itself, but because it is the redundancy-management scheme that primarily governs the risk level achievable by a redundant computer system.

Consequently, designers must resort to a cut-and-try process that will meet a required risk level and, at the same time, satisfy the usual engineering economies of cost, power, weight, and so on. The preferred approach therefore begins with the basic, non-redundant system hardware structure and incrementally introduces redundancy and redundancy management processes until a fail-operate system emerges that meets the desired safety goal [16].
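The detect, isolate and reconfigure cycle of the redundancy-management process can be made concrete on a triplicated sensor channel. The block below is an added example, not code from the thesis or from [16]: three replicated position sensors feed a voter that masks one disagreeing replica by taking the median, isolates a replica only after it has disagreed for a number of consecutive cycles, reconfigures to duplex operation on the two survivors, and degrades to fail-safe when the two survivors disagree, because with no majority left a disagreement cannot be attributed to either of them. The tolerance, the persistence count and the sensor readings are constructed values.

```python
"""Redundancy management for a fail-operate sensor channel (Section 3.2.3).

Added example, not from the thesis or [16]. Three replicated position sensors
feed a voter that detects a persistently disagreeing replica, isolates it and
reconfigures from triplex to duplex operation. With two replicas a disagreement
can no longer be blamed on one of them, so the channel degrades to fail-safe.
Tolerance and persistence values are illustrative assumptions.
"""
from typing import List, Optional, Tuple


class TriplexChannel:
    def __init__(self, tolerance: float, persistence: int = 2) -> None:
        self.tolerance = tolerance        # largest deviation from the voted value tolerated
        self.persistence = persistence    # consecutive miscompares before a replica is isolated
        self.healthy = [True, True, True]
        self.miscompares = [0, 0, 0]
        self.mode = "triplex"             # triplex -> duplex -> fail-safe

    def vote(self, readings: List[float]) -> Tuple[Optional[float], str]:
        """One cycle of detection, isolation and reconfiguration.

        Returns the voted value (None when no trustworthy value exists) and the mode.
        """
        live = [i for i in range(3) if self.healthy[i]]
        if self.mode == "fail-safe" or len(live) < 2:
            self.mode = "fail-safe"
            return None, self.mode

        if len(live) == 3:
            voted = sorted(readings)[1]                       # median masks one bad replica
            for i in range(3):                                # detection: each replica vs. the vote
                if abs(readings[i] - voted) > self.tolerance:
                    self.miscompares[i] += 1
                    if self.miscompares[i] >= self.persistence:
                        self.healthy[i] = False               # isolation
                else:
                    self.miscompares[i] = 0                   # a single glitch is forgiven
            live = [i for i in range(3) if self.healthy[i]]
            if len(live) == 2:                                # reconfiguration
                self.mode = "duplex"
                voted = sum(readings[i] for i in live) / 2
            return voted, self.mode

        a, b = (readings[i] for i in live)                    # duplex: detection only, no majority
        if abs(a - b) > self.tolerance:
            self.mode = "fail-safe"
            return None, self.mode
        return (a + b) / 2, self.mode


def run_scenario() -> List[Tuple[Optional[float], str]]:
    """Constructed readings: healthy, one glitch, a persistent failure of replica 2,
    then a second failure that leaves no majority."""
    channel = TriplexChannel(tolerance=0.05, persistence=2)
    frames = [[1.00, 1.01, 0.99], [1.00, 1.01, 5.00], [1.00, 1.00, 1.01],
              [1.00, 1.01, 5.00], [1.00, 1.01, 5.00], [1.00, 1.01, 5.00],
              [1.00, 3.00, 5.00], [1.00, 1.00, 1.00]]
    return [channel.vote(frame) for frame in frames]


if __name__ == "__main__":
    for value, mode in run_scenario():
        print(mode, value)
```

The scenario illustrates why the text says the redundancy-management scheme, not the redundant structure, governs the achievable risk: the same three sensors give a fail-operate channel only for the first failure, and the persistence count trades detection latency against isolating a healthy replica on a transient glitch.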

3.2.4 Evaluating Safety-Critical Systems

After the designers have applied measures to mitigate mishap risk in a basic system, they must determine whether the modified system design meets an acceptable level of mishap risk. They can use three analytical techniques to make this determination.

In failure modes and effects analysis (FMEA), the designer or analyst looks at each component in the system, considers how that component can fail, then determines the effects each failure would have on the system [30]. This analysis seeks first to verify that there is no mishap-producing single point of failure in the system, because such a point of failure would nullify the benefits of applying mitigation measures elsewhere in the system.

Fault tree analysis (FTA) reverses this process by starting with an identified mishap and working downward to identify all the components that can cause the mishap and all the safety devices that can mitigate it [81]. This downward decomposition process builds a graphical structure called a fault tree.

In contrast to FMEA and FTA, which are both qualitative methods, risk analysis (RA) is a quantitative method that yields numerical probabilities of mishap. To perform RA, the analyst must determine the component failure probabilities for the hardware, software, and operator components in the fault tree [4]. In accordance with standards such as MIL-STD-882D and IEC 61508 [67, 40], designers usually estimate failure probabilities on a per-hour basis.

If the system consists of redundant components, designers calculate its unreliability, that is, the probability that it will not operate over the span of one hour. Next, they determine mitigation failure probabilities for the fault tree's hardware, software, and operator safety devices. If a mitigation device includes redundant components, designers determine its unavailability, that is, the probability that it will not mitigate when required.

The designers assign these component and mitigation failure probabilities to the elements of the fault tree, then propagate them upward to yield a figure for mishap risk. If this results in an unacceptable figure, they must implement additional mitigation measures. As a side benefit, the fault tree shows where to add these measures in the system. If, on the other hand, the risk calculation yields an acceptable result, the design is ready for additional validation steps [93] such as in-depth risk assessment, testing, and field trials, to assure that the system, when implemented, will be safe.

Figure 3.6: Safety-based control architecture. Blocks: Plant + Controller; Fault Detection and Isolation; Discrete-Event System (DES); Fault Accommodation; Control/Strategy adaptation. Signals: inputs, outputs, event status.

Although it may seem obvious, a developer's concerns about a safety-critical system's continuing safety do not end with design and implementation. Indeed, a vigorous system safety program must be in place throughout the system's operational life to ensure that mishap risk is maintained at or below the level achieved in the original design.

One of the major fields addressing the safety problem concerns the capability of a system to detect failures by itself. In the next Section we describe this concept, introducing also some mathematical tools.
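A worked instance of the RA step described in Section 3.2.4, as an added example that is not from the thesis or its references: a small fault tree evaluated in plain Python. Basic events carry independent per-hour probabilities, an OR gate combines component failures into the hazard, and the mishap is the AND of the hazard with the unavailability of the mitigation devices; a redundant pair contributes its unreliability $p^2$. The tree, every probability and the $10^{-9}$/h acceptability target are constructed for illustration and are not values taken from MIL-STD-882 or IEC 61508.

```python
"""Fault-tree risk propagation for the risk analysis (RA) step of Section 3.2.4.

Added example, not from the thesis. Basic events carry independent per-hour
failure probabilities; AND/OR gates propagate them upward to a mishap figure.
A redundant component contributes its unreliability (all replicas failing),
a mitigation device its unavailability (failing to act when required).
Every number below is constructed for illustration, not taken from a standard.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Basic:
    """Basic event with an independent per-hour failure probability."""
    name: str
    p: float


@dataclass
class Gate:
    kind: str                     # "AND": all children fail; "OR": at least one child fails
    name: str
    children: List["Node"] = field(default_factory=list)


Node = Union[Basic, Gate]


def unreliability(p_single: float, replicas: int) -> float:
    """Probability that all independent replicas fail within the same hour."""
    return p_single ** replicas


def probability(node: Node) -> float:
    """Propagate probabilities upward through the tree (independence assumed)."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.children]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_fail = 1.0
        for p in ps:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_tree(duplex_encoder: bool = False) -> Gate:
    """Mishap: uncommanded tool motion injures the patient (constructed tree).

    hazard = OR(amplifier fault, encoder fault, software fault)
    mishap = AND(hazard, watchdog unavailable, operator misses e-stop)
    """
    encoder_p = unreliability(2e-5, 2) if duplex_encoder else 2e-5
    hazard = Gate("OR", "uncommanded joint motion", [
        Basic("servo amplifier fault", 1e-5),
        Basic("position encoder fault", encoder_p),
        Basic("control software fault", 1e-5),
    ])
    mitigations_lost = Gate("AND", "all mitigations unavailable", [
        Basic("watchdog fails to inhibit effector", 1e-4),
        Basic("operator fails to press e-stop in time", 1e-2),
    ])
    return Gate("AND", "tool injures patient", [hazard, mitigations_lost])


def hazard_probability(duplex_encoder: bool = False) -> float:
    """Per-hour probability of the hazard with no mitigation at all."""
    return probability(build_tree(duplex_encoder).children[0])


def mishap_risk(duplex_encoder: bool = False) -> float:
    """Per-hour mishap probability with the mitigation devices in place."""
    return probability(build_tree(duplex_encoder))


def acceptable(risk_per_hour: float, target: float = 1e-9) -> bool:
    """Compare with an assumed acceptability target (illustrative value)."""
    return risk_per_hour <= target


if __name__ == "__main__":
    print(f"hazard alone:        {hazard_probability():.3e} /h  acceptable={acceptable(hazard_probability())}")
    print(f"with mitigations:    {mishap_risk():.3e} /h  acceptable={acceptable(mishap_risk())}")
    print(f"plus duplex encoder: {mishap_risk(True):.3e} /h")
```

The run shows what the text promises: the hazard alone (about $4 \times 10^{-5}$/h) is far from the target, the two independent mitigation devices bring the mishap figure to about $4 \times 10^{-11}$/h, and duplicating the encoder halves it again, which is the fault tree "showing where to add" a measure. The independence behind the AND gates is the part a reviewer should challenge: a common cause shared by two branches (one power supply, the same software build on both channels) makes the real probability much larger than the product.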

3.3 Fault Detection

Fault detection and plant monitoring techniques have a long history in robotics and automation control. The more autonomous a system is, the greater the need for high-level tools that can detect failures and cope with them. In robotic surgery these safety requirements are even more important and call for robust and very sensitive tools. Unsafe operating conditions due to component degradation and/or failure must be detected as early as possible in order to guarantee reliability and fault tolerance. A three-layer supervisory control framework was proposed in [46]. Slightly modifying their nomenclature, we assume the high-level architecture shown in Figure 3.6.


Any fault adaptive control scheme should have modules that perform the following actions:

1. fault detection: monitor in real time the state of the system;

2. fault isolation: locate the source of the fault whenever one is detected;

3. fault identification (or diagnosis): qualify and quantify the size of the fault(s);

4. fault accommodation: take decisions to minimize the effect of the fault by reconfiguring the control system.

Fault detection and isolation (FDI) are usually treated in the literature as a single problem. FDI is usually based on the comparison of measurements and estimated values of the same signal [64]. This comparison approach is also known in the literature as analytical redundancy (AR) [35]. We talk of a model-based detector when a model of the plant is involved in the FDI design phase. In other cases, tools such as learned complex mappings, neural networks, or on-line approximators (polynomials, splines, wavelets) are used to estimate a critical signal [101].

The model approximating the plant can be linear or non-linear, time-variant or time-invariant, according to the kind of system under analysis. In any case, such a model is used to produce an estimate of known values. The comparison is done using a threshold-like function to improve robustness and make the detection as independent as possible of model uncertainty and measurement noise.

The last part of the scheme in Figure 3.6 is the fault accommodation. The high-level control architecture, called discrete event system (DES) in the picture, has to decide either:

• to halt the system because the fault is too dangerous and it would be unsafe to proceed; or

• to accommodate the fault by adapting the control strategy.

Usually, the DES is designed as a hybrid supervisory-control architecture that models a switched dynamical system [46]. According to the current status given by the FDI module, whenever a "manageable" fault occurs the DES can either select the proper controller amongst a set of controllers designed in advance using different actuator and/or sensor resources (each controller dealing with a different combination of faults), or adapt the controller on line by optimizing in real time the actual performance index. In [46], the authors also point out that when a fault is detected and a more fitting controller is selected, the fault detection and isolation filter should be adapted accordingly.

In the following Sections we introduce the basic concepts of how fault detection and plant monitoring can be done. These strategies essentially need to simulate a mathematical model of the system, called the plant, which runs in parallel with the "real" plant. The simulated model allows us to estimate the output behavior of the system and compare the simulated output with the actual output. If the plant behavior estimation and the comparison are done correctly, it is possible to detect unexpected or unwanted system reactions, and thus faults.

The first step in building a mathematical model of the system is plant modeling, a procedure which allows us to write the equations that govern our plant.

3.3.1 Plant Modeling

In this Section we will not go into the details of the plant modeling procedure, because this is not the scope of our thesis. A more detailed review can be found in [88]. We can start from the dynamic model defined over the joint space, which expresses the joint torques as a function of the dynamic parameters and of the motion variables of position, speed, and acceleration:

$$B(q)\,\ddot{q} + C(q,\dot{q})\,\dot{q} + F_d\,\dot{q} + F_s\,\mathrm{sgn}(\dot{q}) + g(q) = \tau \qquad (3.1)$$

For this equation we only need to know that $B$ and $C$ are matrices that contain the dynamic model parameters, $F_s$ and $F_d$ are the static and dynamic (viscous) friction coefficients, $g(q)$ collects the gravity terms, and $q(t)$, $\dot{q}(t)$, $\ddot{q}(t)$ are respectively positions, speeds and accelerations as functions of time. $\tau$ is the vector of the torques applied to each joint and its dimension is $(p \times 1)$, where $p$ is the number of joints.

This complex equation has the important property of being linear with respect to the dynamic parameters of the manipulator arm. By means of the Newton-Euler equations we can rewrite the model in the compact linear form [88]:

$$\tau = Y(q,\dot{q},\ddot{q})\,\theta \qquad (3.2)$$

where $\tau(t)$ again represents the known torque applied to each joint, and the matrix $Y$ contains all the data about positions $q(t)$, speeds $\dot{q}(t)$, and accelerations $\ddot{q}(t)$ at the time instant considered; since it maps the $12p$ parameters to the $p$ joint torques, its dimension is $(p \times 12p)$ (when $N$ time samples are stacked, as in the regression matrix (3.6), the dimension becomes $(Np \times 12p)$). Finally, $\theta$ is a vector $(12p \times 1)$ of the unknown system parameters to be estimated. More in detail:

$$\tau = \begin{bmatrix} \tau_1 \\ \tau_2 \\ \vdots \\ \tau_p \end{bmatrix} \in \mathbb{R}^{p}, \qquad
\theta = \begin{bmatrix} \theta_1 \\ \theta_2 \\ \vdots \\ \theta_p \end{bmatrix} \in \mathbb{R}^{12p}, \qquad
\theta_i = \begin{bmatrix} m_i \\ m_i c_i \\ I_{xx,i} \\ I_{xy,i} \\ \vdots \\ I_{zz,i} \\ F_{s,i} \\ F_{d,i} \end{bmatrix} \in \mathbb{R}^{12} \qquad (3.3)$$

Note that each $\theta_i$ contains all the dynamic parameters of a joint, that is, mass, center of mass, inertia, and static and dynamic friction. To properly simulate the plant behavior it is necessary to find these dynamic parameters $\theta_i$, $i = 1, \ldots, p$, a task that can be done by system identification.

3.3.2 System Identification

Generally, identification techniques permit the mathematical estimation of the parameters that describe a model by knowing the inputs and the measured output data obtained from the system [102].

In the case of a manipulator, knowledge of the inertial parameters of loads and links is potentially important for precise control of movement. These parameters are mass, center of mass, and moments of inertia. For the link inertial parameters, not even the robot manufacturers typically know their values. Because the robust controllers usually provided by manufacturers do not take link dynamics into account, there is no inducement to determine these parameters, and disassembling the robot and weighing and balancing every component is complex and time consuming. System identification can potentially estimate these parameters: it helps in determining them by building a mathematical model of the dynamical system based on measured data and driven inputs.

Also, load inertial parameters must be redetermined every time a new load is picked up. In addition, the load inertial parameters are an integral part of the grasped object's description, hence load identification can assist object recognition, and plant monitoring helps the system in detecting such events. Moreover, the estimated location of the center of mass and the orientation of the principal axes of inertia can be used to verify that the manipulator has grasped the object in the desired manner.

The identification procedure allows us to estimate the parameter vector $\theta$ by means of equation (3.2):

$$\tau = Y(q(t),\dot{q}(t),\ddot{q}(t))\,\theta + n(t), \qquad (3.4)$$

where $n(t)$ is an error term which contains the unmodeled dynamics, the measurement errors, and the estimation errors. Once the data matrix is defined, this system is solved by an inversion method, which can range from the well known least squares minimization to more advanced statistical minimization strategies, yielding

$$\hat{\theta} = Y^{+}_{[1,N]}\,\tau_{[1,N]} \qquad (3.5)$$

where the plus symbol denotes the pseudo-inverse. The matrix $Y$ is also defined in a slightly different manner, to take advantage of all the input and output measured data. It is defined as the regression matrix [102]:

$$Y_{[1,N]} = \begin{bmatrix} Y(q(t_1),\dot{q}(t_1),\ddot{q}(t_1)) \\ \vdots \\ Y(q(t_N),\dot{q}(t_N),\ddot{q}(t_N)) \end{bmatrix}, \qquad
\tau_{[1,N]} = \begin{bmatrix} \tau(t_1) \\ \vdots \\ \tau(t_N) \end{bmatrix} \qquad (3.6)$$

Note that in (3.5) $\theta$ carries a hat, which means that we are making an estimate. We want to emphasize that the dynamic parameters are estimated because we do not have full knowledge of the data matrix $Y_{[1,N]}$. In fact, in an experimental setup the position values $q(t)$ are easy to measure, and the speed values $\dot{q}(t)$ can also be obtained with some calculation from the positions. For the acceleration values, a direct measurement is difficult and may lead to noisy data. Thus a numerical reconstruction is usually performed, which can be done using Euler formulas or similar numerical methods, or, more elegantly, by a strategy very common in control engineering that uses Kalman filtering [88].

This procedure can be executed off line if the hypothesis that the estimated dynamic parameters do not change can be made. In some cases, such as plant monitoring and load identification techniques, this assumption is no longer valid, as we will discuss further in Section 3.3.4.

Once the system parameters are obtained, we can proceed with the fault detection strategy.

3.3.3 Fault Detection

For fault detection, the estimate $\hat{\theta}$ from equation (3.5) is used for the continuous monitoring of the torque values $\tau$. The FDI system monitors the computed (estimated) torque value $\hat{\tau}$ for each joint, obtained by the relation

$$\hat{\tau}(t) = Y(q(t),\dot{q}(t),\ddot{q}(t))\,\hat{\theta}, \qquad (3.7)$$

and compares it with the real-time measured values of $\tau$. This generates an error that can be expressed as

$$\varepsilon(t) = \tau(t) - \hat{\tau}(t) \qquad (3.8)$$

and that will be a very useful piece of information. As a matter of fact, by monitoring this error, fault detection can be done. Let us explain why. From the estimated model parameters $\hat{\theta}$ and a series of collected positions, speeds and accelerations, we can simulate the model and obtain an estimated torque, as eq. (3.7) shows. Then, by comparing this result as in eq. (3.8), we obtain an error. By analyzing the behavior of this error, we can define a threshold within which the error remains bounded when the system behaves normally, that is:

$$D(\varepsilon_i) = \begin{cases} \text{yes}, & |\varepsilon_i(t)| \ge \mu_0 \\ \text{no}, & |\varepsilon_i(t)| < \mu_0 \end{cases}$$

where we have used $\mu_0$ to represent the threshold, and $\varepsilon_i$ is the resulting error for each pair of torque values $\tau_i$, $\hat{\tau}_i$, with $i = 1, \ldots, p$. $D(\varepsilon_i)$ is the decision function which tells us whether a fault has occurred. An example of the behavior of the torque error computed with eq. (3.8) is shown in Figure 3.7.

In case of a fault, the real system will no longer match the modeled system, causing the error in (3.8) to show a peak. Such a peak is a clear sign that a fault has happened, and thus actions should be taken to overcome the problem. An example of how the error function behaves in this case is depicted in Figure 3.8.


Figure 3.7: Example behavior of the error signal for fault detection. If the error is below the threshold value, then the system is working correctly.

Figure 3.8: Example behavior of the error signal during a fault. Note that the peak of the error function exceeds the threshold.


Figure 3.9: Example behavior of the error used in plant monitoring. The two signals show that a change in the system has happened.

3.3.4 Plant Monitoring

Another situation may arise when the error in eq. (3.8) changes, but without exceeding the threshold value. For example, the error value will normally have the shape of a noise-like signal with well defined mean and variance. When these two values change but do not exceed the $\mu_0$ threshold, this means that something has happened to our system. This different behavior can inform the FDI that there is not a failure, but that the system dynamics have changed. The information can also be passed to the DES, so that it will be able to take the right action. For example, such a system is capable of detecting when the manipulator end-effector has grasped an object, or it can signal friction changes due to system wear. These detection processes are also called plant monitoring and, as introduced in Section 3.3.2, they are a useful application of system identification techniques. Figure 3.9 shows an example of how a system change can be detected. A change in the error behavior of eq. (3.8) can be observed as an offset or as a change in variance, but this variation is always bounded inside the threshold limits.
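The three steps of Sections 3.3.2 to 3.3.4 can be exercised end to end on a single joint. The block below is an added example, not code from the thesis: it identifies the parameters of a reduced form of eq. (3.1) by least squares (the pseudo-inverse of eq. (3.5), computed here through the normal equations), forms the residual of eq. (3.8) and applies the threshold $\mu_0$ of the decision function $D(\varepsilon_i)$, and runs a windowed mean and spread monitor over the same residual for plant monitoring. Assumptions made here and not in the text: a single horizontal axis, so $g(q)$ vanishes and $\theta = [B, F_d, F_s]$; a sinusoidal excitation with analytic speed and acceleration, so no numerical reconstruction or Kalman filtering is needed; constructed parameter values, noise level, fault offsets and thresholds. Plain Python without numpy.

```python
"""Model-based FDI for one joint: identification (3.3.2), residual thresholding
(3.3.3) and plant monitoring (3.3.4). Added example, not the thesis's code.

Reduced form of eq. (3.1) for one horizontal axis (assumption: no gravity term):
    tau = B*qdd + Fd*qd + Fs*sgn(qd),  linear in theta = [B, Fd, Fs] as in eq. (3.2).
Trajectory, parameter values, noise and injected faults are all constructed.
"""
import math
import random
from typing import List, Sequence, Tuple

Motion = Tuple[float, float, float]  # (q, qd, qdd) at one sample instant


def sgn(x: float) -> float:
    return float((x > 0) - (x < 0))


def regressor(qd: float, qdd: float) -> List[float]:
    """One row of Y(q, qd, qdd) for the reduced model (q itself does not appear)."""
    return [qdd, qd, sgn(qd)]


def predict(theta: Sequence[float], qd: float, qdd: float) -> float:
    return sum(y * th for y, th in zip(regressor(qd, qdd), theta))


def least_squares(Y: List[List[float]], tau: List[float]) -> List[float]:
    """theta_hat = Y^+ tau, eq. (3.5): normal equations solved by Gaussian elimination."""
    n = len(Y[0])
    A = [[sum(r[i] * r[j] for r in Y) for j in range(n)] for i in range(n)]
    b = [sum(r[i] * t for r, t in zip(Y, tau)) for i in range(n)]
    for col in range(n):                          # forward elimination, partial pivoting
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            for c in range(col, n):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    theta = [0.0] * n
    for i in reversed(range(n)):                  # back substitution
        theta[i] = (b[i] - sum(A[i][j] * theta[j] for j in range(i + 1, n))) / A[i][i]
    return theta


def trajectory(n: int = 400, dt: float = 0.01, amp: float = 1.0, w: float = 2.0) -> List[Motion]:
    """Sinusoidal excitation q = amp*sin(w t) with analytic qd and qdd."""
    return [(amp * math.sin(w * k * dt), amp * w * math.cos(w * k * dt),
             -amp * w * w * math.sin(w * k * dt)) for k in range(n)]


def measure(theta_true: Sequence[float], motion: List[Motion],
            noise: float, seed: int = 1) -> List[float]:
    """Constructed torque measurements: model output plus Gaussian sensor noise."""
    rng = random.Random(seed)
    return [predict(theta_true, qd, qdd) + rng.gauss(0.0, noise) for _, qd, qdd in motion]


def identify(motion: List[Motion], tau: List[float]) -> List[float]:
    return least_squares([regressor(qd, qdd) for _, qd, qdd in motion], tau)


def residuals(theta_hat: Sequence[float], motion: List[Motion], tau: List[float]) -> List[float]:
    """eps(t) = tau(t) - Y(t) theta_hat, eq. (3.8)."""
    return [t - predict(theta_hat, qd, qdd) for (_, qd, qdd), t in zip(motion, tau)]


def fault_decision(eps: List[float], mu0: float) -> List[bool]:
    """D(eps_i): True (fault) where |eps| >= mu0, False otherwise."""
    return [abs(e) >= mu0 for e in eps]


def plant_change(eps: List[float], window: int, mean_shift: float, std_ratio: float) -> List[bool]:
    """Plant monitoring: flag each later window whose mean or spread departs from the first."""
    def stats(seg: List[float]) -> Tuple[float, float]:
        m = sum(seg) / len(seg)
        return m, math.sqrt(sum((e - m) ** 2 for e in seg) / len(seg))
    m0, s0 = stats(eps[:window])
    return [abs(m - m0) > mean_shift or s > std_ratio * s0
            for m, s in (stats(eps[k:k + window]) for k in range(window, len(eps) - window + 1, window))]


def demo() -> dict:
    theta_true = [0.8, 0.3, 0.5]                              # B, Fd, Fs (constructed)
    motion = trajectory()
    theta_hat = identify(motion, measure(theta_true, motion, noise=0.02))
    mu0 = 0.3                                                  # set well above the healthy residual
    # abrupt actuator fault: +1.5 torque offset from sample 300 on
    tau_fault = [t + (1.5 if k >= 300 else 0.0)
                 for k, t in enumerate(measure(theta_true, motion, noise=0.02, seed=2))]
    faults = fault_decision(residuals(theta_hat, motion, tau_fault), mu0)
    # slow wear: +0.1 friction offset from sample 200 on, which stays below mu0
    tau_wear = [t + (0.1 if k >= 200 else 0.0)
                for k, t in enumerate(measure(theta_true, motion, noise=0.02, seed=3))]
    eps_wear = residuals(theta_hat, motion, tau_wear)
    return {"theta_hat": theta_hat,
            "first_fault": faults.index(True), "false_alarms": sum(faults[:300]),
            "wear_trips_detector": any(fault_decision(eps_wear, mu0)),
            "wear_change_windows": plant_change(eps_wear, 50, 0.05, 3.0)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two regimes the text distinguishes: the +1.5 actuator offset crosses $\mu_0$ at the very first faulty sample, while the +0.1 friction increase never trips $D(\varepsilon_i)$ but shifts the windowed mean in every window after sample 200. In the noisy case the residual also carries the parameter estimation error, so $\mu_0$ should be set from the residual distribution observed during a known-healthy period, not from the sensor noise alone.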

3.4 Conclusion

In this Chapter we delineated the teleoperation environment, focusing on the medical teleoperation setup. We explained the issues related to the safety design of a teleoperation system, defining the meaning of safety-critical and what should be considered in such a system. We concluded by showing the need for regulatory constraints.

In the following Chapter we will present the experimental setup of our telerobotic system. We will describe the mechanical design of a Six Degree-of-Freedom manipulator. The reason for this choice is that at least 6 DoF are necessary to command arbitrary positions and orientations in three-dimensional space. We will show the advantage of maintaining the mechanical design and of redesigning the control servo-electronic subsystem with a more powerful interface and attention to safety requirements.

4 6DoF Manipulator

The previous Chapter gave us the teleoperation background and faced the safety issues that a designer has to deal with in a teleoperation system. In addition, we described a safety-critical approach that should be taken at every design phase. In this Chapter we present and describe a 6 degree-of-freedom (DoF) telerobotic platform developed in the last decade in a collaboration between NASA-JPL and MicroDexterity Systems, Inc. The number of DoF is motivated by the fact that at least 6 DoF are necessary to command arbitrary positions and orientations in three-dimensional space. In addition, the lightweight and compact master-slave system has better precision than human hands, yet it maintains a very large workspace. Its servo-mechanical design is a valid competitor in the robot market, but the control electronics section needs to be enhanced to match current safety principles. New features can also be added, like position trajectory control.

In this Chapter we describe in detail the telerobotic system, with particular attention to the slave robotic device. Note that this robotic arm is patented [71, 72, 73]. We also describe the previous electronic and servo-control design, while in Section 4.2 the new requirements are delineated.

4.1 System Description

The Robot Assisted MicroSurgery (RAMS) telerobotic workstation [85] is a prototype of a system designed to be completely under the manual control of a surgeon. The system, shown in Figure 4.1, has a slave robot that holds surgical instruments. The slave robot motions replicate in six degrees of freedom those of the surgeon's hand, measured using a master input device with a surgical-instrument-shaped handle. The surgeon commands motions for the instrument by moving the handle along the desired trajectories. The trajectories are measured, filtered, and scaled down, then used to drive the slave robot.

Figure 4.1: Overview of the RAMS system in operation

4.1.1 System Overview

As exposed in [9], the RAMS system can be decomposed into four main subsystems:

1. the mechanical subsystem

2. the electronics subsystem

3. the servo-control subsystem

4. the high-level software subsystem

The mechanical subsystem consists of a master input device and a slave robot arm with associated motors, encoders, gears, cables, pulleys and linkages that cause the tip of the robot to move under computer control and measure the surgeon's hand motions precisely. The electronics subsystem consists of the motor amplifiers, a safety electronics circuit and relays within the amplifier box shown in Figure 4.2. These elements of the subsystem ensure that a number of error conditions are handled gracefully. The servo-control subsystem is implemented in hardware and software. The relevant hardware parts of the subsystem are the servo-control boards and the computational processor boards. Servo-control software functions include setting up the control parameters and running the servo loop on the servo-control board to control the six motors, implementing the communication between the computation and servo-control boards, initializing the servo-control system, communicating with the electronics subsystem and communicating with the high-level software subsystem. The high-level software subsystem interfaces with a user, controls initialization of the system software and hardware, implements a number of demonstration modes of robot control and computes both the forward and inverse kinematics.

Figure 4.2: Teleoperated robot system, from [73]

4.1.2 Mechanical Subsystem

The RAMS manipulator is a six degrees-of-freedom tendon-driven robotic arm designed to be compact, to exhibit very precise 10 micron relative positioning capability, and to maintain a very large work volume.

Physically, the arm measures 2.5 cm in diameter and is 25.0 cm long from its base to tip. It is mounted to a cylindrical base housing, 12 cm in diameter by 18 cm long, that contains all of the drivers that actuate the arm. A drawing of the arm appears in Figure 4.3. The joints of the arm are a torso joint rotating about an axis aligned with the base axis and positioned at the point where the arm emerges from its base, a shoulder joint rotating about two axes that are in the same plane and perpendicular to the preceding links, an elbow joint that also rotates about two axes that are in the same plane and perpendicular to the preceding links, and a wrist with pitch, yaw and roll joints. The master device, kinematically similar to the slave robot, also has six tendon-driven joints. It is 2.5 cm in diameter and 25 cm long.

Figure 4.3: Drawing of the slave robot system ([72])

The slave wrist design utilizes a dual universal joint to give a three degrees-of-freedom, singularity-free, mechanically decoupled joint that operates in a full hemisphere of motion (up to 90 degrees in any direction). The master wrist design uses a universal joint to transmit rotation through the joint while allowing pitch and yaw motions about the joint, resulting in singularity-free motion over a smaller range of motion in three degrees of freedom. The fourth and fifth axes of the master and slave robots are unique joints that rotate about two axes and allow cables to pass through the joint for actuating the succeeding joints without affecting their cable lengths. The sixth axes are torso joints which simply rotate the manipulators relative to their base housing. For the slave robot the torso range of motion is 330 degrees. Features resulting from the mechanical design of the arms are:

Drive Unit Separability. Autoclaving of the robot is possible by removing the motor/encoder units at the base prior to sterilization. This is done by integrating the motor/encoders into two distinct sets of three on a common mount, and registering these packages via alignment pins. The resulting two packages can be easily removed. The mechanism can then be autoclaved. In normal operation, the motors are contained inside the robot's base, protecting anything they might contaminate.

Zero/Low Backlash. Backlash is the clearance between mating components, described as the amount of lost motion due to clearance or slackness when movement is reversed and contact is re-established. Low backlash is essential to fine manipulation, especially when position sensors are on the motor shafts. Five of the robot's six degrees of freedom have zero backlash, and the sixth has about 20 microns. Zero backlash is achieved by using dual drive-trains that are preloaded relative to one another. The one axis that does not have zero backlash is a result of the wrist design, which makes low backlash possible but zero backlash difficult, especially if stiction is a concern, as with this robot.

Low Stiction. Stiction is the static friction that tends to prevent relative motion between two movable parts at their steady position. Stiction must be minimized to achieve small incremental movements without overshooting or instability. Stiction was minimized by incorporating precision ball bearings in every rotating location of the robot (pulleys, shafts, joint axes, etc.), so as to eliminate metal-to-metal sliding.

Decoupled Joints. Having all joints mechanically decoupled simplifies kinematics computations, as well as providing for partial functionality should one joint fail. Developing a six-axis, tendon-driven robot that has all joints mechanically decoupled is very difficult. Decoupling requires driving any given joint without affecting any other joint. The shoulder and elbow joints incorporate a unique double-jointed scheme that allows passage of any number of actuation cables completely decoupled from these joints. The three-axis wrist is based on a concept that not only decouples the joints, but also has no singularities. Further, the torso simply rotates the entire robot base to eliminate coupling. If any one of the joints were to fail mechanically, the remaining five would be unaffected.

Large Work Envelope. A large work volume is desirable, so that the arm's base will not have to be repositioned frequently during tasks. To achieve a large work envelope, each joint needs to have a large range of motion. The torso was designed with 330° of motion, while the shoulder and elbow have a full 360°. This high range of motion in the shoulder and elbow is attained by the unique double-jointed scheme mentioned above. The wrist design has 180° of pitch and yaw with 540° of roll.

High Stiffness. A stiff manipulator is necessary for accurate positioning under gravitational or environmental loads, especially when position sensing is at the motor drives. When a robot changes its orientation relative to gravity, the arm deflects due to its own weight. Likewise, if a force acts on the arm, it will also deflect. Furthermore, if position sensing is done at the motor drive, this deflection will not be known. Therefore, such deflections must be minimized by increasing stiffness. The stiffness of the arm is about 15 lb/inch (268 g/mm) at the tip. This high stiffness is achieved by using high spur gear reductions off the motors, combined with large-diameter, short-path-length stainless steel cables to actuate each joint.

Fine Incremental Motions. Human dexterity limitations constrain surgical procedures to feature sizes of about 50 to 100 microns. This arm is designed to achieve 10 micron relative positioning. By combining many of the features mentioned above (low backlash, low stiction, high stiffness, etc.), this arm is designed to make very small incremental movements. This means that the manipulator can make incremental steps of 10 microns.

Tool Wiring Provisions. Some tools require electrical or pneumatic power that can in some cases be routed through the arm. The arm is designed to allow running a limited amount of wiring or hoses from the base to the arm's tip. This passageway is about 0.35 cm in diameter through the wrist, and exits through the center of the tooling plate.

Both master and slave devices use kinematic algorithms for computation of the forward and inverse kinematics. The forward kinematics computation refers to the determination of the tip position and orientation given known joint angle positions of the robot. The inverse kinematics is the determination of the joint angle positions given a desired tip position and orientation [88]. The kinematic computations are for the combined manipulator formed by the wrist together with the articulated mechanism, consisting of torso, shoulder, and elbow joints, that supports the wrist. The kinematic algorithms that were used in the first robot model are described in [32].

Figure 4.4: Kinematic axis diagram for the slave manipulator ([73])

Specifically, the robot is modeled as a 10-joint serial linkage, due to the unique shoulder and elbow joint design that has two points of rotation and the wrist design that also has a double rotation transformation, similar to a universal joint, for both the y and z axis degrees of freedom. There are a total of 10 transformation matrices, each mapping a coordinate frame from the base coordinate to the first joint, from each succeeding joint to the next, and finally to the tip of the robot. Since the robot has three degrees of freedom in the decoupled joints (torso, shoulder and elbow joints) and three degrees of freedom in the wrist joint, there are a total of 10 transformations. The kinematic axis diagram for the slave component is illustrated in Figure 4.4. Each angle of each joint is represented by θ(k) as follows:

• θ(10) is the ROLL angle of rotation of the torso about an axis perpendicular to the base of the manipulator.

• θ(9) is the PITCH angle of rotation of the FIRST SHOULDER JOINT about the pitch axis.

• θ(8) is the PITCH angle of rotation of the SECOND SHOULDER JOINT about the pitch axis. This joint and the previous one are coupled in the sense that the two angles of rotation are equal to each other, so that θ(8) = θ(9).


• θ(7) is the PITCH angle of rotation of the FIRST ELBOW JOINT about the pitch axis.

• θ(6) is the PITCH angle of rotation of the SECOND ELBOW JOINT about the pitch axis. This joint and the previous one are coupled in the sense that the two angles of rotation are equal to each other, so that θ(6) = θ(7).

• θ(5) is the ROLL angle of rotation of the WRIST about the roll axis. This angle is also associated with the first universal joint of the wrist.

• θ(4) is the PITCH angle of rotation of the WRIST about the pitch axis. This angle is also associated with the first universal joint of the wrist.

• θ(3) is the YAW angle of rotation of the WRIST about the yaw axis. This angle is also associated with the first universal joint of the wrist.

• θ(2) is the YAW angle of rotation of the WRIST about the yaw axis. This angle is associated with the second universal joint of the wrist. This angle is identical to the previous one, so that θ(2) = θ(3).

• θ(1) is the PITCH angle of rotation of the WRIST about the pitch axis. This angle is also associated with the second universal joint of the wrist. This angle is identical to the pitch angle of the first universal joint, so that θ(1) = θ(4).

For every joint k, there is a coordinate transformation matrix defined in terms of the angles of rotation, which is shown in [73].

4.1.3 Electronic Subsystem

In the previous design [85], the main components of the RAMS electronic subsystem were a VME chassis, an amplifier chassis and the safety electronics, as shown in Figure 4.5. The VME chassis houses two Motorola MVME-167 computer boards used for high-level system control. The computer board can deal with an external device by means of an RS-232 serial communication port. The same chassis also contained the PMAC servo control cards, which generate phase drive signals for sinusoidal commutation of the system's brushless DC motors. The PMAC receives optical encoder feedback from the motor shafts and provides low-level control of the motors.


Figure 4.5: Electronic components and cables previously used

The AMP amplifier chassis contains the six slave robot motor and three master robot drive amplifiers, the system control electronics board and the amplifier power supply. The amplifier chassis has interfaces to the VME chassis (analog inputs and control signals), to the slave robot (motor drive signals) and to the CTRL panel subsystem (panic-stop, run and initialize). The AMP chassis main power is provided by the VME chassis. The amplifier sub-chassis secures the individual amplifiers to the AMP chassis. This was designed to provide a thermal path to the chassis and a favorable orientation with respect to the chassis air flow pattern. The individual amplifiers should run cool. The frame of the amplifier sub-chassis contains all necessary amplifier interface wiring. This makes the design modular, to facilitate rapid checkout and troubleshooting.

The safety control electronics consist of the control electronics board and the brake relay board. The purpose of the braking function is to hold the motors in place when they are not under amplifier control. Discrete integrated circuits in the safety control electronics module monitor amplifier power, the operator control buttons and the PANIC-HALT button, and a watchdog signal from the high-level software and control processors (indicating that they are healthy). Any anomaly triggers the brakes to be set on the slave robot joints and a fault LED to be lit. The operator must reset the safety control electronics to re-activate the system.


4.1.4 Servo Control Subsystem

The RAMS servo-control system is implemented on processor boards and servo-control boards installed in the VME chassis. Two Motorola MVME-167 boards, named Proc0 and Proc1, are installed in the VME chassis and run under the VxWorks operating system. Proc0 performs kinematic, communication and high-level control functions. These functions are described in Section 4.1.5. Calls to subroutines that read and set joint angle positions of the robot are made from the high-level real-time software on Proc0. These routines, through shared memory implemented between Proc0 and Proc1, provide setpoints and read current joint angles of the robot. Proc1, in turn, passes the setpoints for controlling the robot to the servo control board and retrieves the joint angles measured by the servo-control board. The servo-level control system uses the PMAC-VME board by Delta Tau.

Communication between Proc0, Proc1 and the PMAC-VME boards is through shared memory. The PMAC board has a large variety of features for motor control, mainly intended for industrial installations. The key features used for control of the RAMS robot include digital sine-wave commutation, automatic trajectory generation, a shared memory interface, a built-in amplifier/encoder interface and robust closed-loop control.

4.1.5 High-Level Software Subsystem

There are a number of components to the high-level software for the RAMS slave robot. The two main components of the real-time software are a state transition controller and the kinematic algorithms. The real-time software, implemented using a proprietary system named Control Shell, is in charge of handling the operator commands, the transitions between control states and the changes in data flow due to state transitions in the software, and of monitoring the algorithms executed within computation blocks. The kinematic control algorithms are embedded in the computational blocks of the real-time control software, and they are based on algorithms developed for the unique geometry of the robot [85].

A system state corresponds to a subset of software computational modules used to perform computations for it. The user specifies the control modes of the system through a graphical user interface (GUI) residing on the Unix host machine. The GUI interacts with the user and communicates user input to the Proc0 board through a socket interface. The Unix workstation is coupled to the Proc0 board in the VME chassis through an Ethernet connection, and the message passing between the two parts of the system is done by the NDDS software [45].

4.2 Redesign Approach

The 6DoF manipulator described above was designed one decade ago. Despite the system's age, it can be noted from the description in Section 4.1.2 that the mechanical arrangement is still at the leading edge. Moreover, from the overview in Chapter 2, it can be seen that a competing device is still absent: in fact, surgical robots developed nowadays lack the compactness, sensitivity and accuracy of the RAMS robot. The precision of the mechanical components can reach a minimum movement of 10 micron, beyond human accuracy. In addition, it is developed for the specific case of being teleoperated.

On the other hand, the electronic subsystem can be improved in some respects. For example, the only way of interacting with the outside world is a serial RS-232 communication link, while today it is possible to adopt higher-throughput links, even at low cost.

Our scope is to totally redefine its electronic chassis. Because of costs and differing opinions, we are not going to use a VME architecture; instead we want to build a relatively small desk chassis that includes the motion controller, the power amplifiers and all the safety and add-on circuitry. There will be no need for a shared memory structure for the servo-control subsystem, so we will essentially exchange data between the motion controller and a personal computer.

The data exchange method depends on the controller structure. We have selected two kinds of interaction candidates between the motion controller and the personal computer. A valid choice is by means of the PCI bus of the computer itself. In this case the controller will obviously be located inside the computer box. The other possibility is a stand-alone controller device, equipped with a high-speed connection link, like a 100Mbps Ethernet interface.

These are the concepts that drive the design phase, as we detail in Chapter 5. In the next Section we delineate the safety principles of our teleoperated system.


4.2.1 Safety Teleoperation

A teleoperation system is a complex system, composed of many elements. Our effort concentrates on the slave side, and in this Section we delineate what we mean by safety at the design level. We will start to aim at safety by providing a set of run-level customizable features. For example, the slave robot is going to operate in either position, velocity or force control mode, working in accordance with the constraints imposed by the data from the sensors and thus achieving compliant motion.

As another example, we have decided to provide both braking and free play of the joints when the manipulator is powered off. In fact, it is not always clear whether it is better to brake the motor joints or to leave them movable when the manipulator power is off. This choice may have serious safety implications. If the robot is powered off during a surgical operation and needs to be manually removed for safety reasons, free play of the joints is required. But a brake function may also be useful, because a shutdown of the system may disable the gravity compensation, causing the robot arm to fall and damage tissue.

For the scope of this project, what we define as safety is related to the components of the system. For the moment it will not be related to the overall system. Our idea is to design each system component paying attention to its faulty conditions. In conjunction with the guidelines given in Section 3.2.1, we want to pay attention to the internal safety devices by, first, employing hardware components with reliability superior to that of common-market components. Second, we are concentrating our effort on including internal and external safety devices. These consist of all the hardware that can help in reducing the mishap risk; in addition, safety protection can be delegated to the software. Many mishaps can be avoided by including safeguarding routines embedded in the motion controller. For example, a continuous check of the motor encoder states, with a measure of the reliability of their signal, can promptly detect an encoder or motor faulty condition, bring the system to a safe state and inform the user about the status. Generally, safety software can detect failures in the various hardware and software components by means of end-around and wrap-around checks, and cut power to the effector when a failure is detected.

The next Section gives the basis of an important requirement that should be met to ensure not only safety but also stability of the control system; it is strictly related to the control loop rate that needs to be met in a bilateral teleoperation with haptic feedback.
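The latched safety behaviour of the RAMS safety control electronics described in Section 4.1.3 (amplifier power, PANIC-HALT, processor watchdog; any anomaly sets the brakes and lights a fault LED until the operator resets) and the encoder safeguarding routine proposed above can be modelled together in software. The following Python class is an added example, not the RAMS electronics or any project code; the watchdog timeout, the encoder plausibility bounds and all names are assumptions.

```python
"""Latched safety interlock for the slave manipulator (added example).

Not the RAMS safety electronics or project code. Every servo cycle the
interlock monitors amplifier power, the PANIC-HALT button, a watchdog
heartbeat from the control processors and an encoder plausibility check.
Any anomaly engages the brakes, removes the amplifier enable and lights
the fault LED; the fault stays latched until an explicit operator reset,
which is refused while any anomaly is still present.
Timeouts, count limits and field names are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CycleInputs:
    amp_power_ok: bool            # amplifier supply within range
    panic_halt: bool              # PANIC-HALT button pressed
    last_heartbeat_ms: int        # time of last processor watchdog pulse
    now_ms: int                   # current time
    encoder_counts: List[int]     # current encoder reading per joint
    motor_commanded: List[bool]   # whether each motor was commanded to move


@dataclass
class SafetyInterlock:
    watchdog_timeout_ms: int = 50       # assumed heartbeat deadline
    max_counts_per_cycle: int = 2000    # assumed plausible encoder step per cycle
    stuck_cycles_limit: int = 5         # commanded yet motionless for this many cycles
    faulted: bool = False
    brakes_engaged: bool = True         # brakes hold the motors until enabled
    amp_enabled: bool = False
    fault_led: bool = False
    fault_reasons: List[str] = field(default_factory=list)
    _prev_counts: Optional[List[int]] = None
    _stuck_cycles: List[int] = field(default_factory=list)

    def _check_encoders(self, inp: CycleInputs) -> List[str]:
        """Encoder plausibility: flag implausible jumps and stuck channels."""
        reasons: List[str] = []
        n = len(inp.encoder_counts)
        if self._prev_counts is None:           # first cycle: only record history
            self._prev_counts = list(inp.encoder_counts)
            self._stuck_cycles = [0] * n
            return reasons
        for j in range(n):
            delta = inp.encoder_counts[j] - self._prev_counts[j]
            if abs(delta) > self.max_counts_per_cycle:
                reasons.append(f"encoder {j}: implausible jump of {delta} counts")
            if inp.motor_commanded[j] and delta == 0:
                self._stuck_cycles[j] += 1
                if self._stuck_cycles[j] >= self.stuck_cycles_limit:
                    reasons.append(f"encoder {j}: no motion while commanded")
            else:
                self._stuck_cycles[j] = 0
        self._prev_counts = list(inp.encoder_counts)
        return reasons

    def _anomalies(self, inp: CycleInputs) -> List[str]:
        """All conditions the safety electronics treat as an anomaly this cycle."""
        reasons: List[str] = []
        if not inp.amp_power_ok:
            reasons.append("amplifier power out of range")
        if inp.panic_halt:
            reasons.append("PANIC-HALT pressed")
        if inp.now_ms - inp.last_heartbeat_ms > self.watchdog_timeout_ms:
            reasons.append("watchdog: control processors not healthy")
        reasons.extend(self._check_encoders(inp))
        return reasons

    def _trip(self, reasons: List[str]) -> None:
        """Safe state: brakes on, amplifiers off, fault LED lit, fault latched."""
        self.faulted = True
        self.brakes_engaged = True
        self.amp_enabled = False
        self.fault_led = True
        self.fault_reasons = reasons

    def run(self, inp: CycleInputs) -> bool:
        """One servo cycle. Returns True if the robot may move this cycle."""
        if self.faulted:
            self._check_encoders(inp)           # keep history current; stays latched
            return False
        reasons = self._anomalies(inp)
        if reasons:
            self._trip(reasons)
            return False
        self.brakes_engaged = False
        self.amp_enabled = True
        return True

    def operator_reset(self, inp: CycleInputs) -> bool:
        """Explicit operator action; clears the latch only if every input is healthy now."""
        if self._anomalies(inp):
            return False
        self.faulted = False
        self.fault_led = False
        self.fault_reasons = []
        return True
```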


4.2.2 Haptic Feedback

The design of a robot for teleoperation requires special attention from the point of view of the returning feedback cues. The main parameter that we need to take into account is the force perception on the master side. Many papers describe the technical requirements that a master device should meet [7, 24, 66], but few of them address the problem of how these features can be developed in the whole telerobotic system and, more importantly, how these features reflect on and need to be implemented in the slave system. For example, it is well known that the human actuator can move his/her hands at a maximum rate of 10-20Hz, and so issues commands to a master manipulator device at this speed.

On the other hand, the human user has asymmetric perceptual and manipulative capabilities, thus it is an asymmetric input/output system. A human operator can perceive inputs at frequencies up to 400Hz and discriminate inputs at frequencies up to 320Hz [7]. This sensory information can be divided into four categories, each of them strictly related to a class of receptors:

• compressive stress, around 10Hz;

• skin motion stimulus, around 30Hz;

• vibrations (50-400Hz);

• skin stretch (very low frequency).

In a teleoperated system any of these tactile receptors could be stimulated. Literature reports that sensing of remote vibrations is useful for analyzing task progress, whereas other forms of sensory inputs are ambiguous and difficult to measure directly.

From these considerations we can conclude that on the master side the control loop should run at a frequency that is a multiple of 320Hz. We have still provided no information about the slave side, but we can observe that, for the moment, the slave control loop rate should not be lower than the one on the master side.

During the control loop, difficulties arise when the tip at the slave side encounters a stiff material, such as metal or glass, which commonly generates vibrations during the contact transient. Being able to capture this vibration information allows humans to detect the stiffness of an object. Nevertheless, choosing a too-slow update rate will result in instability and non-linear oscillation in the force, velocity, and position of the human operator's hand, the controller and the robot manipulator end point [36].

Material     Vibration Frequency (Hz)
Wood         67
Acrylic      128
Delrin       93
Aluminum     1471
Glass        1721
Cast iron    1668
Steel        1682

Table 4.1: Frequency values for the vibrations extracted from the elastic model in tapping experiments.

Thus, to recreate the feel of a real manipulation we need to capture force and acceleration transient information around 1kHz [54, 55]. This frequency band is due to the vibrations that arise during the impact transient with the material. In [74] a detailed analysis of vibrotactile feedback is exposed, with collections of vibration, force, acceleration and velocity data. Since this analysis is not the scope of this thesis, we only summarize in Table 4.1 the vibration frequency that arises when tapping on an object's surface for some selected materials. As the table shows, the frequency is largely dependent on the material stiffness, and increases with it.

With this information we can conclude that, at the slave side, controller feedback and position update should be done at a rate of 1-2kHz. Note that a more detailed analysis of the vibrations that arise when impacting a material will be done in the design phase of the master device. For now we are only interested in collecting the essential information for a correct design of the slave side of the teleoperation system.

4.3 Conclusion

In this Chapter we described a 6 DoF telerobotic system previously developed. As we discussed, the mechanical design, thus the physical slave robot itself, can still be used, but some modification of the system should be done. The mechanical components are assembled to achieve fine incremental motions, better than human hand capabilities, and the main features for obtaining this are low backlash and low stiction.

We chose to redesign the servo and electronic subsystem, to match a different set of requirements, like more compactness and a higher data exchange rate, and to take a safety-driven design approach. We also define in detail what is intended by safety, from a fault-free design of the devices, as low as logically achievable, to the safety of the overall teleoperation system. Another important aspect that should be kept in mind during the design is the haptic feedback that should be provided at the master device, with the consequent design issues that reflect on the slave side.

The next Chapter describes the core of the design process, from the motor dimensioning to the motion controller selection, and describes in detail the teleoperation layout.


5 Electrical Design

This Chapter leads us to the design phases of the slave telerobotic system, focusing on the dimensioning of the electric motors that drive each decoupled joint. We describe the approach used for choosing the motion controller board. For completeness we propose three motion controllers, analyzing their capabilities and electing the optimum candidate to be used in a teleoperation scenario. Then we explain in detail how we built up the teleoperation layout and what features we implemented for preventing failures and ensuring safety. The last Section shows the test cases carried out to check the fault detection capabilities of the slave teleoperation system.

5.1 Motor Design

The electric motors need to be correctly dimensioned in order to achieve adequate torque, speed and power at the robot terminals. The electric motor converts electrical power $P_{el}$ (current $I$ and voltage $U$) into mechanical power $P_{mech}$ (speed $n$ and torque $M$). The losses that arise are divided into frictional losses, due to $P_{mech}$, and Joule power losses $P_j$ in the winding (resistance $R$). Iron losses do not occur in coreless DC motors; in brushless motors they are treated formally like an additional friction torque. The power balance can therefore be formulated as:

$P_{el} = P_{mech} + P_j$ (5.1)


Figure 5.1: Speed profile for motor movement in a common positioning task

The detailed result is as follows:

$U \cdot I = \frac{\pi}{30\,000}\, n \cdot M + R \cdot I^2$ (5.2)

where the numerical constant is due to the conversion of mNm·rpm to W. Because every joint has different requirements, the motors could differ for every joint; but we chose to adopt motors of the same type for all joints, thus reducing design and product ordering times. After some consideration of every joint, we keep the worst-case setup as the reference.

It is supposed that the usual movement of a joint is a position-target movement. The speed diagram is like Figure 5.1, where the motor accelerates until it reaches a maximum speed, then decelerates to reach the target position and then stops. We want to underline that the motion profile usually assumed by the engineer for a motion task is called a trapezoidal curve, where the motor accelerates to a given speed, maintains that speed for the time required by the task and decelerates to a stop. In our case the situation is different: the motion curve is triangular because the motor has no time to reach the maximum speed before it already needs to decelerate and stop. This assumption is based on the relatively high motor speed and on the relatively short length of the arm, which cause the motor not to reach a constant speed in the worst case.

For our prototype we made the following assumptions for weight and speed:

• Maximum Load $L_{max} = 1.5$ kg

• Average angular speed $\omega_{max} = \pi/4$ rad over 1 s


5.1.1 Calculation of Motor Required Torque

For computing the torque, the motor's characteristic velocity profile should be known. The profile most used in robot movements is shown in Figure 5.1, where we suppose an average angular speed

$\omega_{av} = \frac{\pi}{2}\ \frac{\mathrm{rad}}{\mathrm{s}}$ (5.3)

that is a movement of 90 degrees in one second, an arbitrary "fast" movement for a small-sized robot arm. Then the maximum speed due to the prescribed profile is

$\omega_{max} = 2\,\omega_{av} = \pi\ \frac{\mathrm{rad}}{\mathrm{s}}$ (5.4)

and the angular acceleration $\alpha$:

$\alpha = \frac{\omega_{max}}{t_1} = \frac{\pi}{0.5} = 2\pi\ \frac{\mathrm{rad}}{\mathrm{s}^2}$ (5.5)

where $t_1$ is the acceleration time (equal to the deceleration time), that is 0.5 s. Now we can compute the inertia of the load. We supposed a velocity profile suitable for each motor, but the load inertia depends on the arm length, so we have

Shoulder, $J_L = m \cdot r^2 = 70 \cdot 10^{-3}$ kg·m²;

Elbow, $J_L = 25 \cdot 10^{-3}$ kg·m²;

Pitch/Yaw/Roll, $J_L = 40 \cdot 10^{-3}$ kg·m².

We do not take the Torso movement into consideration, because of its high reduction ratio and its different configuration compared to the other joints. The torques required for acceleration and braking are calculated omitting motor and gearhead inertia:

Shoulder, $M_\alpha = J_L \cdot \alpha = 440$ mNm;

Elbow, $M_\alpha = 158$ mNm;

Pitch/Yaw/Roll, $M_\alpha = 24$ mNm.

Now the inertial torque has to be considered in conjunction with the static torque, which is:


                                  Shoulder    Elbow   Pitch/Yaw    Roll
Length [mm]                          241.1    131.6        50.8    50.8
Joint Torque M [mNm]                  3150     1935         747     747
Load Inertia J_L [kg m^2]            0.069    0.026       0.004   0.004
Dynamic Torque M_alpha [mNm]           432      163          24      24
RMS Torque M_RMS [mNm]                3179     1942         748     748
Gear ratio [-]                         623      370          94      59
Motor Torque [mNm]                    5.06     5.23        7.95   12.67

Table 5.1: Torque values on motors shaft

Shoulder, $M = 3150$ mNm;

Elbow, $M = 1930$ mNm;

Pitch/Yaw/Roll, $M = 735$ mNm.

The RMS torque of a work cycle is the time-weighted root mean square of the torque over every motion phase $i$, that is

$M_{RMS} = \sqrt{\frac{1}{t_{tot}} \sum_{i} t_i\, M_i^2}$, (5.6)

where we have two motion phases: the acceleration phase and the deceleration phase. In the usual motion profiles for industrial servo drives a constant-speed phase is also present, where the machine reaches the required speed, performs the operation and decelerates. As explained before, by considering the worst case for position-target motion profiles the constant-speed phase is not used.

We can observe that in the computation of eq. (5.6) $M_\alpha$ has almost no influence, because the static torque is much higher than the inertial torque, that is

$M_{RMS} \cong M$. (5.7)

These results are summarized in Table 5.1, where the gear ratio used is also given. The worst value for the torque obtained on the motor shaft is for the Roll movement of the wrist, where $M = 12.67$ mNm. We use this value to choose a suitable motor, and in Section 5.1.3 some candidates are examined.

5.1.2 Peak Torque Considerations

Every manufacturer of servomotors today publishes specifications for their products that show a peak torque rating usually ten times the continuous torque specification. Their specifications and ratings are all well documented and correct. The problem is that no manufacturer of servo amplifiers is able to offer for sale an amplifier that has a peak current rating ten times the continuous current specification. The reason is very simple: no one in industry would be able to justify the sizeable difference in cost [100]. So the most prevalent peak current capability is two to three times the continuous value.

Our requirements do not specify peak torque or peak load requirements. Nevertheless we can assume that a peak load of two or three times the continuous load specification is reasonable.

5.1.3 Motor Selection

Electric motors available on the industrial market are manifold, permitting one to choose the best fit for an application's requirements. Drawing on the know-how of the ALTAIR Laboratory, we chose two brands, Faulhaber [20] and Maxon Motor [65]. By using the value obtained in Section 5.1.1 we are able to select a restricted number of motors that best fit our requirements. The main characteristics of these motors are shown in Table 5.2. As we can see in this table, the nominal torque values of the listed motors are close to the required value. All of these motors have a diameter that can fit in our manipulator structure, that is from 23 to 26 mm.

The choice of the motor is made in a different manner from the usual motor selection methods given in technical manuals. The reason is that motors for industrial applications assume a totally different way of working, as explained in Section 5.1.1. The designer supposes, for example, that the motor is driving most of the time at high speed, reduced afterwards by a gearhead or harmonic drive. That enables the assumption of constant air ventilation of the inner rotor. In the case of our application, our basic assumptions are totally different. In fact we suppose that the motors are going to stand still most of the time, because the manipulator moves to the desired point and then stops and withstands a weight for a long time. We need to remember this in choosing the motor driving method.

                        Maxon     Faulhaber   Faulhaber   Maxon      Faulhaber
Model                   RE 25     2642        2342        A-max 26   2444S
Conduction Type         Brush     Brush       Brush       Brush      Brushless
Nominal Power [W]       20        19          19          4.5        36
Nominal Voltage [V]     24        24          24          24         24
No Load Speed [rpm]     9550      6400        8500        4510       23000
Nominal Torque [mNm]    26.7      28          16          15.4       11.8
Stall Torque [mNm]      257       139         85.4        40.1       111
Nominal Current [A]     1.17      0.98        0.720       0.312      1.37
Stall Current [A]       11.0      4.15        3.38        1.62       12
Max Efficiency [%]      86        79          81          81         77

Table 5.2: Technical characteristics of motor candidates

DC motors equipped with precious metal brushes allow precise movement and less electromagnetic interference. This is the case for the Maxon A-max 26, but this kind of brush is not suitable for high currents, as we can expect if the motor needs to withstand a weight at low speed. Also its stall torque is low in comparison to the other selected motors.

On the other hand, a motor equipped with graphite brushes ensures good power transfer for high current loads and is typically used in start-stop operations. Usually it is controlled by a PWM power stage. A graphite brushed motor can cause spikes and generate high frequency interference. The graphite brushed motor candidates are the Maxon RE 25, Faulhaber 2342 and Faulhaber 2642. The differences between them are the maximum torque reachable at slow speed and the maximum speed with no load. What we need is a compact motor able to reach a high torque value in a short time, so the best choice that fits our requirements falls on the Faulhaber series 2342. This motor has a higher torque value than the one calculated in Section 5.1.1, so we expect it to sustain a higher load than supposed.

In the next Section we discuss the advantages and disadvantages that the choice of a brushless motor can give.

5.1.4 Brushless Motors

Motors without brushes place the windings in the stator, while the rotor consists essentially of a permanent magnet. This arrangement removes the need for brushes, reducing spikes and mechanical friction, and moves the complexity of phase commutation into the electronics [76].

Compared to brushed DC motors and induction motors, brushless motors have many advantages and few disadvantages. Brushless motors require less maintenance, so they have a longer life compared with brushed DC motors. Brushless motors produce more output power per frame size than brushed DC motors and induction motors. Because the rotor is made of permanent magnets, the rotor inertia is lower compared with other types of motors. This improves acceleration and deceleration characteristics, shortening operating cycles. Their linear speed/torque characteristics produce predictable speed regulation. With brushless motors, brush inspection is eliminated, making them ideal for limited access areas and applications where servicing is difficult. Brushless motors operate much more quietly than brushed DC motors, reducing Electromagnetic Interference (EMI). Low-voltage models are ideal for battery operation and portable equipment.

The main difference in a brushless motor is the lack of brushes. This feature enables the series of advantages described above, but obviously there are some drawbacks. The main drawback of a brushless motor is that the lack of brushes requires the phase commutation to be performed electronically. This increases time and production costs because a proper control device needs to be designed. Depending on the designer this feature can be seen from different points of view. Indeed electronic control is nowadays widely used, because it allows an application to be reconfigured (within some ranges) as the demanded requirements change.

Another disadvantage of these servomotors is the method of construction. Since the laminations and windings must be capable of saturation at all commutating positions, lamination and shell design and fabrication are more complex than for other servomotors.


Motors for clean operating environment

An electric motor that uses brushes causes electromagnetic interference (EMI) and releases brush dust particles into the environment, which is not negligible when designing a clean-room surgical device. A brushless motor is then mandatory in settings where a higher level of cleanliness is required, because of the lack of brushes. Our prototype is not going to enter the surgical room, but we are going to set all the design criteria so as to allow further versions to be upgraded to satisfy cleanliness and hygiene criteria.

A brushless candidate for our manipulator is the Faulhaber brushless motor series 2444S, a compact motor with a 24 mm diameter and a nominal torque of 11.8 mNm. Note that its continuous torque is below the estimated required torque, but considering the stall torque of 111 mNm, which is one order of magnitude higher, we conclude that the motor is going to work at a working point with a lower speed than the nominal one, thus giving the required torque. Moreover a brushless motor is able to tolerate excursions into the peak torque range for extended periods of time, provided the continuous rating is not exceeded.

For economic and design simplicity reasons, we chose to adopt DC brushed motors in our prototype. But this is not the final word, because for the reasons given in this Section we are going to use brushless motors for the final design. This lets us turn our attention to other design problems, like the motion controller board. Such a board is capable of driving both kinds of motor, allowing the exchange to be performed later.

5.2 Motion Control Board

Today's electronic devices are able to satisfy a large portion of the motion control market, from small and economical single-output setups to the most complex applications that require handling demanding devices. Our research focused on a specific motion control field, axis control, leaving out all the general purpose devices, which would have provided a cost-effective solution but would have needed a large programming effort to configure them to the specific requirements. Axis control boards provide all the state-of-the-art motion control features that our requirements should meet, like trajectory generation, servo control algorithms and robust PID control, motion compensation, and dedicated I/O for feedback-like devices. The following Sections give an overview of candidate devices. We analyze three different motion controller boards, which address the same situation but solve it in different ways.

Figure 5.2: Precision Micro Control DCX-PCI300 controller board

5.2.1 Precision MicroControl

The top-of-the-line product of PMC is the DCX-PCI300 board, which combines state-of-the-art DSP motion control technology with a flexible and modular multi-processing architecture. The DCX-PCI300 series motion controller consists of an intelligent PCI control card populated with any mix of up to eight intelligent plug-in function modules. Function modules are available for servo and stepper control, AC brushless servo control, digital I/O, and analog I/O. Dual-axis modules are also available for controlling two servo or stepper axes per module, for a total of up to 16 axes per control card. An image of the DCX-PCI300 controller is shown in Figure 5.2. Key interesting features of the board are:

• one DSP dedicated to each axis module

• up to ten concurrent routines can run in multi-tasking

• sine commutating servo module for controlling AC brushless sine motors

• on the fly parameter and trajectory changes

The main drawbacks of this powerful controller are its high cost and the connecting bus, which requires a full-featured PC. Also, looking in the manual we found that every on-the-fly parameter change takes effect within 8 msec, and this is a relatively big delay in a configuration where each module has its dedicated processing unit. This latency is not trivial in a teleoperation setting, where demanding changes can be sent to the slave robot and need to be accomplished in real time.

Figure 5.3: Delta Tau Turbo PMAC2 controller in PCI bus version

5.2.2 Delta Tau Turbo PMAC2

The PMAC PCI family is Delta Tau's latest version of multi-axis board-level machine controllers, comparable to a powerful computer. Its core architecture features real-time multitasking capabilities with reliable task priority management. The PMAC2 family mainly differs from the PMAC family in the programmable clock signalling rates, and is capable of driving processes at a user-defined frequency. In Figure 5.3 a PCI motion controller model from Delta Tau is shown. The main benefits that we can enjoy with this controller are:

• Very low level programming and hardware configuration

• Sine commutation for AC brushless motors

• Loop update speed proportional to CPU speed

The PID loop update can be selected in a wide range, from 1 kHz to 30-40 kHz for an ordinary DSP, even more if a higher clock rate DSP is used. Phasing and servo update times are on the order of µsec, but for a full latency overview a careful study of all the involved modules needs to be made. Delta Tau boards use a very low-level programming and configuration approach, which allows the board to be configured to user preferences by hardware jumpers and memory addresses. Anyway, this full-featured configuration can increase design time due to a longer learning time.

Figure 5.4: Galil DMC 4080 8-axis controllers

5.2.3 Galil Accelera DMC 40x0

The DMC-40x0 motion controller is Galil's highest performance stand-alone motion controller. It belongs to Galil's latest generation motion controller family, the Accelera Series, which accepts encoder inputs up to 22 MHz, provides servo update rates as high as 32 kHz, and processes commands as fast as 40 µsec. It is a full-featured motion controller packaged with optional multi-axis drivers in a metal enclosure. The unit operates stand-alone or interfaces to a PC with Ethernet or RS232. An image of the controller can be seen in Figure 5.4. Programming the DMC-40x0 is simplified with two-letter intuitive commands, which may reduce programming times. It is able to update the position information at every sample, by generating a profiled point every other sample and linearly interpolating one sample between each profiled point. This board is equipped with an integrated PWM amplifier while maintaining a compact enclosure, which can be a good choice for our requirements.

The main drawback of the DMC controller series is the need for two axes to drive a brushless motor with the sinusoidal commutation feature. This is because the board is equipped with one DAC (Digital-to-Analog Converter) per axis, while AC brushless commutation requires two generated phase signals and thus two DACs. The third signal is easily generated by the amplifier by difference.


5.2.4 Motion Controller Selection

The board selected is the Galil Accelera controller series, because it better satisfies the following criteria:

Compact interface: which permits the system to be easily transportable.

Integrated amplifier: which also contributes to a compact system and may reduce system setup time. The integrated amplifier provided with the Galil board enables access to a number of motors with different power consumption.

Amplifier configuration: the chosen board also allows the use of external amplifiers, which gives the possibility of reconfiguring the system to other design criteria. It is also possible to change the integrated amplifier, for driving other types of motor such as stepper motors.

Speed and performance: the possibility of installing a fast firmware version on the board gives the possibility of further increasing the performance and response time.

Software simplicity: the well-known Galil language gives immediate access to Galil low-level programming.

Cost performance tradeoff: the chosen board has a cost affordable in the construction phase of a prototype. Further manipulator models may have different constraints or requirements.

The board was ordered with a special option for the isolation of the internal amplifiers. With this feature the eight integrated amplifiers are powered separately, four by four. The controller section is also powered separately. This permits a safety design with a security switch that can disconnect the electric motors from the supply while keeping the digital controller section constantly powered. In this case the controller generates commands for the power amplifier, but the amplifier will not, of course, carry them out.

5.3 Onboard Safety Features

The Galil DMC 4080 has several hardware and software features to check for error conditions and inhibit the motor output on error, which need to be suitably implemented to match the safety criteria set out in Chapter 3. These features make it possible to put protection measures in place, such as protecting the various system components from damage, but also protecting people from hazards. Some are common to all motion control applications, while others need to be tailored to the application. For example, the panic stop switch must be provided in all automated applications, while an intrusion detection procedure depends on the environment and on the given appliance.

5.3.1 Hardware Features

In the following we present the hardware safety features that the motion controller has built in:

Reset. Forces the controller to reboot. In the rebooting phase all the diagnostic routines that check the internal hardware status are repeated. There are several ways to reset the controller: hardware reset and software reset. The only command that keeps the Ethernet connection up is the software reset.

Limit switch. The forward and reverse limit switches inhibit motion in the corresponding direction immediately upon activation of the switch. If a limit switch is activated during motion, the controller makes a decelerated stop using the configured deceleration rate. In addition, when a limit switch is activated, the current application program automatically jumps to a subroutine called #LIMSWI, which can be customized by the user.

General Abort. The function of the Abort input is to immediately stop the commanded motion upon transition of the abort input logic state. The response to this command is significantly different from the response to a limit switch: when the abort input is activated, the controller stops generating motion commands immediately, without deceleration. The abort command can also be issued via software, and in this way one can choose to abort motion and program, or motion only.

Electronic lock out. Triggering this input allows the user to shut down the internal Galil amplifier at the hardware level. The motors will essentially be in a Motor Off state. A bit in the amplifier feedback data will be set and a routine called #AMPERR runs when the ELO input is triggered.


5.3.2 Software Features

The features presented above are some of the input capabilities of the controller; that is, a proper hardware connection needs to be established in order to implement each feature. In the following list we present the software protection functions that the controller provides.

Selective Abort. The controller can be configured to provide an individual abort for each axis. Activation of the selective abort signal acts the same as a General Abort but only on the specific axis, thus it stops commanded motion instantly without a controlled deceleration.

Error Limit. This command sets a position error, in quadrature encoder counts, for each axis. The error is the difference between the commanded position and the actual encoder position. If its absolute value exceeds the value specified by this limit, the controller will generate several signals to warn the host system of the error condition. These signals include an automatic subroutine, an error red light, the deactivation of the amplifier enable signal, and the shutdown of the motor.

Programmable position limits. The controller provides programmable forward and reverse position limits. These are set by programmable variables. Once a position limit is specified, the controller will not accept position commands beyond the limit. Motion beyond the limit is also prevented.

Off-On-Error. This is a built-in function, known as "Off-On-Error", which can turn off the motors under certain conditions. Once it is enabled for a given axis, the specified motor will be disabled under the following three conditions:

1. The position error for the specified axis exceeds the limit set with the Error Limit command;

2. The abort command is given;

3. The abort input is activated.

Watchdog. The controller provides an internal watchdog timer which checks for proper microprocessor operation. If the microprocessor ceases to function properly, or in case of a serious hardware failure, the error line will be turned on and the amplifier will be switched off. Unfortunately Galil does not specify the behavior of the watchdog system, so we do not know whether it is a hardware protection, like a dedicated integrated circuit, or a software protection implemented in the microprocessor. If necessary, to grant more reliability, an external watchdog circuit can be designed, using the controller's digital outputs and switching off the amplifiers by means of the Electronic lock out. Even more can be done, by acting directly on the power cut of the motor connections.

Off-On-Encoder failure. With this feature the controller can detect a failure on either or both channels of the encoder. The controller monitors the encoder signals; when the controller applies torque, if motor movement is not detected within a user-specified time, then an encoder failure is assumed. Note that the torque and time thresholds need to be specified by the user. When the Off-On-Encoder failure feature is enabled and the malfunction is detected, the axis goes into the Motor Off state and a stop code is issued.
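To make the interplay of the Error Limit, Off-On-Error, external watchdog and Off-On-Encoder failure protections concrete, here is an added Python model of a per-axis safety monitor run over constructed telemetry (this is my own illustration, not Galil firmware or the thesis's code; the class and field names, the thresholds and the 1 ms sample traces are assumptions). It shows which fault each check catches and that the first trip latches the axis in Motor Off.

```python
"""Per-axis safety monitor modelling the Section 5.3 protections (added example).

Checks, in order: following error above the Error Limit, encoder failure
(torque applied but no motion within the configured time) and a missing
controller heartbeat for an external watchdog that would drive the ELO input.
Any trip latches the axis in Motor Off and records a stop code.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    t_ms: int            # controller time stamp [ms]
    cmd_pos: int         # commanded position [encoder counts]
    enc_pos: int         # measured encoder position [counts]
    torque_cmd: float    # torque command as a fraction of the Torque Limit (0..1)
    heartbeat: bool      # controller toggled its "alive" digital output this sample


@dataclass
class AxisMonitor:
    error_limit: int           # allowed following error [counts]
    enc_fail_torque: float     # torque above which motion is expected ...
    enc_fail_time_ms: int      # ... within this many ms, else encoder failure
    watchdog_ms: int           # heartbeat timeout for the external watchdog
    motor_off: bool = False
    stop_code: Optional[str] = None
    events: List[str] = field(default_factory=list)
    torque_since: Optional[int] = field(default=None, repr=False)
    pos_at_torque: Optional[int] = field(default=None, repr=False)
    last_beat: Optional[int] = field(default=None, repr=False)

    def _trip(self, t_ms: int, code: str) -> None:
        """Off-On-Error action: disable the amplifier and latch the cause."""
        if not self.motor_off:
            self.motor_off = True
            self.stop_code = code
        self.events.append(f"{t_ms} ms: {code}")

    def feed(self, s: Sample) -> bool:
        """Process one sample; return True while the motor is still enabled."""
        if self.motor_off:
            return False
        # 1) Error Limit: |commanded - actual| beyond the limit disables the axis.
        if abs(s.cmd_pos - s.enc_pos) > self.error_limit:
            self._trip(s.t_ms, "ERROR_LIMIT")
            return False
        # 2) Off-On-Encoder failure: torque applied, no movement within the time.
        if s.torque_cmd >= self.enc_fail_torque:
            if self.torque_since is None or s.enc_pos != self.pos_at_torque:
                self.torque_since, self.pos_at_torque = s.t_ms, s.enc_pos
            elif s.t_ms - self.torque_since >= self.enc_fail_time_ms:
                self._trip(s.t_ms, "ENCODER_FAILURE")
                return False
        else:
            self.torque_since = self.pos_at_torque = None
        # 3) External watchdog: no heartbeat within the timeout -> ELO.
        if s.heartbeat:
            self.last_beat = s.t_ms
        elif self.last_beat is not None and s.t_ms - self.last_beat > self.watchdog_ms:
            self._trip(s.t_ms, "WATCHDOG_ELO")
            return False
        return True


CFG = dict(error_limit=50, enc_fail_torque=0.5, enc_fail_time_ms=20, watchdog_ms=15)


def run(samples, **cfg) -> AxisMonitor:
    """Feed a trace until the axis trips or the trace ends."""
    mon = AxisMonitor(**(cfg or CFG))
    for s in samples:
        if not mon.feed(s):
            break
    return mon


# Constructed 1 ms traces (not captured from hardware).
def healthy_trace():
    return [Sample(t, t, t, 0.2, True) for t in range(50)]

def following_error_trace():
    # Axis tracks, then the load stalls it at 40 counts while the command runs on.
    return [Sample(t, t * 10, t * 10 if t < 5 else 40, 0.3, True) for t in range(12)]

def encoder_failure_trace():
    # High torque commanded but the encoder never changes: broken channel or cable.
    return [Sample(t, 0, 0, 0.8, True) for t in range(30)]

def watchdog_trace():
    # The controller stops toggling its alive output after 10 ms.
    return [Sample(t, 0, 0, 0.0, t < 10) for t in range(40)]


if __name__ == "__main__":
    for trace in (healthy_trace, following_error_trace, encoder_failure_trace, watchdog_trace):
        m = run(trace())
        print(f"{trace.__name__:24s} motor_off={m.motor_off} stop_code={m.stop_code}")
```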

5.3.3 Motor Protection Features

The Galil integrated amplifier is protected against over-voltage, under-voltage, over-temperature and over-current for brush and brushless operation. The controller also monitors for illegal Hall-effect sensor states in the case of brushless motors. The controller monitors the error conditions and responds as programmed in the application. In addition a special subroutine can be added to a program to handle soft or hard amplifier errors. Note that the under-voltage, over-voltage, over-temperature and over-current protections are designed to protect the amplifier from damage and do not protect the motors from such hazards. In order to protect the motors from damage the Torque Limit feature is provided, which can be programmed via software. This command sets the maximum voltage output of the controller and can be used to avoid excessive torque in a servo system. When operating an amplifier in torque mode, the voltage output of the controller is directly related to the torque output of the motor, and the torque limit can be set to a value that limits the motor's output torque. When operating an amplifier in velocity or voltage mode, the voltage output of the controller is directly related to the velocity of the motor, and the torque limit can be set to a value that limits the speed of the motor.


Figure 5.5: High Voltage section functional scheme (220 V~ 50 Hz mains through fuse F1 and bipolar switch S1 to the two 24 V power supplies PS1 and PS2). Legend: F1: Fuse 1; S1: Bipolar Switch 1; PS1: Power Supply 1; PS2: Power Supply 2.

5.4 Teleoperation Layout

In the following Section we describe our experimental layout in a bottom-up fashion. First we delineate how the devices are powered, describing also the safety tools used for protection from a short circuit or an overload. Then we describe how the signalling interface is cabled and how the motion control board is controlled.

5.4.1 Chassis Description

The electronic system is organized in a single chassis, which contains the Galil motion control board equipped with the integrated amplifier, the high voltage section, the supply voltage section, the power interface and the signal interface.

The high voltage section brings supply to the power supplies. The supply voltage section brings supply to all the appliances inside the chassis. The power interface brings power to the motors and the signal interface connects the motor encoders to the control board.

5.4.2 High-Voltage and Supply-Voltage Sections

The high voltage section connects the power supply to the outside power source. It uses aproperly dimensioned fuse and a bipolar switch to ensuring a full isolating while poweredoff. The high voltage section powers two power supply with 220V alternate voltage at50Hz. In Figure 5.5 is shown the functional scheme [18] of the high voltage section.Power supplies transform the voltage to 24V DC. We choose to use two power supplyto the safety reason of isolated supply. As described in Section 5.2.4, with this setupwe power the two integrated amplifier (four axes each) and the digital controller section


Figure 5.6: Low Voltage section functional scheme (F2-F5: Amp Fuses; F6: controller Fuse; S2: Arm button; S3: Halt button; K1: Relay coil; A1-A2: Galil Amp; AT1-AT2: Tool Amp; 24V and 0V rails from the power supplies)

separately, as shown in the functional scheme of Figure 5.6. This scheme shows the supply voltage section, which provides power to all the circuits, that is, the motion control board, the relay coil and two other small power amplifiers. These small amplifiers drive another device that is attached to the tip of the manipulator and is connected to two axes of the Galil controller. In the following we call this device simply end-tool. The functional scheme of Figure 5.6 also shows the fuse connection for every device. The Galil controller, Galil amplifiers one and two, and end-tool amplifiers one and two each have a properly dimensioned fuse. This ensures protection of the whole internal circuitry if a problem like a short circuit condition arises in some device. A single-fuse configuration is not sufficiently safe, because it could only protect the power supply from being overloaded, while the downstream appliances would never be protected.

Motor power can be disconnected immediately by pressing the panic-stop button. This red button is bigger than the others and can eventually be replicated with a series connection. It uses a normally-closed (NC) connection to avoid the problem of broken cables. For example, in case of an open-circuit fault in a panic button’s connection the action is going to be the same as pressing the button. The power relay is connected so that pressing the stop button opens the relay coil power supply, so that all the appliances connected downstream of the relay are disconnected. These appliances consist of the power amplifiers, the Galil integrated amplifiers and the end-tool’s amplifiers.

Powering the system requires two operations. First, power the power supplies by turning on the bipolar switch; second, arm the motor amplifiers by pushing the arm button. The chassis has only three controls: the bipolar switch, the motor arm button and the panic-stop switch.

5.4.3 Power and Signal Interfaces

The power interface performs the connection from the Galil amplifier outputs to the motors. From an outside point of view this is done by a single multi-wire cable, which connects the chassis directly to the robot. From the inside of the chassis the motor cable is connected to the Galil amplifier. This is done by connecting each axis power output from the Galil to a multi-pin connector which secures the motor cable to the chassis. The multi-wire cabling is designed for the maximum possible flexibility. In practice this is realized by assuming that eight brushless motors are connected to the Galil, which need the maximum possible number of wires. Note that for connecting standard brush-type motors the wiring does not need to be changed; some wires simply remain unused.

The signal interface performs the connection from the Galil signalling inputs to the encoder circuitry. Again this is done with a single cable on the outside, from the chassis to the manipulator. We chose a single cable to minimize cabling time and complexity, thus moving the complexity into the internal chassis connections. Figure 5.7 shows the functional scheme of these connections. Not all wiring connections are shown, but only the behavior, because we are not interested in the cabling details here, but only in the overall meaning. From the chassis connector, encoder signals are provided to the Galil for each motor with a separate connector, due to the Galil layout. Thus there are eight connectors from the motion board that converge into a single connector on the chassis. This is a sophisticated scheme inside the chassis, but from the outside it gives the possibility of using only a combination of two cables to connect the manipulator.

Note that the encoder connections may include those of the Hall sensors. Indeed the Galil motion control board can drive both brush and brushless motors. Each axis can be configured independently and, in the case of a brushless motor, the sensors can be an optical encoder and/or the Hall-effect sensors located inside the motor.

Figure 5.7: Device connections’ functional scheme (signal cable, power cable and Ethernet port). Although the Galil controller board and the power amplifiers A1, A2 are shown separately, they are built in the same package of the motion controller device. AT1, AT2 are the linear amplifiers for the eventual grab tool that can be attached to the manipulator’s tip.

For driving the Galil an Ethernet plug is provided on the front panel, as shown in Figure 5.7. The board also has a serial RS-232 interface, but we chose not to provide this connection outside the chassis, because once the IP address is set, the Ethernet connection fully replaces the serial one. Moreover, the serial interface would only be of interest for testing purposes, because its connection speed is not suitable for our requirements.

As we stated in Chapter 3, the design process strongly depends on the safety criteria that the engineer chooses to apply. For our prototype, we chose to set up all the basic parameters for building a system able to detect failures, which is the scope of the next Section.

5.5 Failure Analysis

We have identified three risk-mitigation categories: systematic failures, internal safety devices and external safety devices, explained in detail in Section 3.2.1. In this thesis we focus our attention on the internal safety devices, which are the first step towards the system failure analysis. Moreover, designing a system taking the internal safety devices into consideration does not only reduce the inner fault conditions that might happen, but also provides a barrier against systematic failures, including personnel errors, design inadequacies and procedural deficiencies. Other risk-mitigation procedures will be addressed in future steps, as the project advances.

The internal safety has to be developed for both the hardware and the software design. For a clear hardware design it is first necessary to subdivide our system into its main hardware parts:

• Power supply;

• Motion controller;

• Power amplifiers;

• Motors and encoders;

• Control computer, which drives the motion controller board by issuing commands.

Proceeding with the hazard analysis discussed in Chapter 3, we should suppose that each of these components can fail. For example, a potential mishap that should be avoided is full power given to the motors due to an amplifier failure. Because in a complex system this mishap can be due to different occurrences, many possible design solutions have to be taken into account. Other failures can compromise encoder functioning. This can cause the motor, and thus the robot, to move in an unpredictable way, which could create several hazards. Starting from these examples, in the following Section we delineate the safety devices that can assist each system component, or the safety features that can be adopted when implementing hardware parts.

5.5.1 Internal Safety Devices

Our analysis starts with the power supply unit. The task of this unit is to provide energy to the chassis devices. The mishaps that can occur if this device fails are an open circuit or a short circuit at the downstream terminals. An open circuit means that the connected appliances cannot get power, thus we suppose that this mishap does not cause a hazard, because it is the same situation as the device being powered off. In the case of a short circuit the connected appliances also do not receive power, because the current flows through the short-circuit path. As described in Section 5.4.2, in this case the designed fuses will operate, leaving the system out of order until a maintenance operation. We can notice that even with a simple device like a fuse, we can bring the system to a safe state if a mishap arises.

Figure 5.8: Electrical scheme for detecting partial encoder failure

For other power supply mishaps we can rely on the Galil’s power amplifier protection, described in Section 5.3.3, which protects the motors, the manipulator movements, and the nearby people.

The power amplifiers and the motion controller board can be considered as the same device, since they are enclosed in the same package. With these devices a number of software safety features can be enabled in order to avoid unexpected situations. An excessive torque value given to the motors can be avoided by setting the torque limit command. In this way we can prevent, for example, actions that could break a contacted material.

One of the main drawbacks of our robotic system is the lack of redundancy. Although it may always be possible in the future to introduce redundancy in the motion controller board, or in the control computer, we cannot use redundant devices for the encoder signalling system. This is because of the mechanical design of the manipulator, which, due to its compactness, does not have the space for housing auxiliary encoders. This drawback can be overcome by hardware and software encoder fault detection features. From the software point of view, the controller monitors the encoder signals: when the controller applies torque, if motor movement is not detected within a user-specified time, the controller disables all the motors. Note that this feature needs to be suitably programmed by choosing the minimum torque value and the minimum time interval that the controller waits before examining the encoder status. Those parameters need to be carefully selected in order to avoid false positives.

From the hardware point of view a fault condition in a differential encoder can be detected by the circuit depicted in Figure 5.8. This circuit is able to detect if one differential line is broken because it identifies when the signal shape differs from the other differential line [27]. Clearly, if a fault condition affects both lines (for example a structural fault in the rotating disc), this circuit will not be useful, but in this case the software protection does the work. However, in this prototype we do not have differential encoders, and so this option is going to be implemented in the next version of the manipulator.

Another important failure situation that needs to be considered is a failure in the power amplifier outputs given to the motors. If an amplifier output goes open-circuit, then the motor cannot receive the voltage signal and the manipulator will not move. On the other hand, if the amplifier output goes short-circuit, that is, a hard connection from the supply to the motor occurs, then the motor could run at full speed without control. This case is not trivial, and the action that should be taken depends on the nature of the failure. Also, such a condition is only a special case of the error between the commanded position and the actual encoder position. As we describe in Section 5.5.2, the built-in diagnostic routines and error monitoring features of the controller allow us to discern what kind of fault arises, and to automatically take actions to bring the system to a safe state.

Unrecognized errors could occur in case of a serious controller failure, that is, a hardware failure inside the controller that cannot be detected by the built-in monitoring. In such cases we need to rely on other monitoring devices. For example, the control computer that drives the motion controller can periodically check the controller status and display to the user that a fault condition has arisen. Based on the controller response, the seriousness of the fault can also be determined.

Regardless of all the monitoring conditions that we can provide, providing safety is not trivial and sometimes human judgment is the last resort. If the human operator detects an unsafe situation he/she can at any time inhibit the robot movement by pressing the panic-stop button. This button does not rely on the controller’s capabilities; instead it opens the motor connection circuit at the hardware level.

5.5.2 Error Monitoring

The Galil DMC 4080 provides many monitoring features. Essentially the controller can provide a number of status messages when it is interrogated. The kind of messages can vary and permits monitoring the onboard amplifiers, the controller status, or the motor status. Also the interrogation method can be implemented in different ways.

With the onboard amplifier, the computer connected to the Ethernet cable can query the status of:

• Amplifier protection: under-voltage, over-voltage, over-current, and over-temperature;

• Hall sensor error when brushless motors are used¹;

• Amplifier current supply and peak;

• Electronic Lock-Out.

The monitoring capabilities of the motion controller are:

Status byte. This command returns status information from the controller. It specifies whether the device is executing a program, an error routine or an interrupt routine.

Error code. This command returns a code that reflects why a command was not accepted by the controller. It is useful when the controller halts execution of a program or when a non-valid command is issued.

Tell error. This command returns the current position error of the motor(s).

Tell switches. This command returns status information on the Forward Limit switch, the Reverse Limit switch, error conditions, motion condition and motor state. For the motor condition it reports whether the axis is in motion, whether an error limit has occurred, and whether the motor is in the off state.

Stop code. This command allows the user to determine why a motor stopped. The controller reports whether the motor has been stopped by a normal condition such as a decelerated stop, or by an error condition such as an abort command or an amplifier fault condition.

There are many other monitoring instructions that can be used, but those exposed here are the most important.

There are two commands exposed in Section 5.3.2 that are really useful for preventing hazards. The former is the Off-On-Encoder failure, which can help in detecting a faulty encoder: it disables the motor signals if a movement is not detected within a specified time, as we described in the previous Section. The latter is the On-Off-Error, which can be useful for interrupting the motion as soon as an error condition occurs. This command is essential for protecting against any unexpected motor movement that can arise if any kind of fault occurs in the amplifiers, in the controller, but also in the driving computer. For example, if a joint in the manipulator structure fails, the commanded position could differ from the position detected by means of the encoders. When this causes a position error beyond the threshold value, a motor off command is issued automatically by the controller. The manipulator is brought to a safe state, until the problem is solved or the controller is rebooted.

¹Brushless motors are usually equipped with built-in Hall-effect sensors, which sense the rotor position in relation to the stator winding phases and are essential for brushless driving.

Note also that for every error-state condition the motion controller has a specific routinethat is scheduled to run automatically. This routine can be customized by the user to matchthe proper application.
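The periodic status check from the control computer, discussed in Section 5.5.1 and built on the monitoring commands listed above, can be implemented as a graded classification of the controller's replies. The following is an added example, not code from this thesis or from Galil: it parses constructed replies of the TE (Tell error) and SC (Stop code) queries and maps them to a safety action, escalating to the most severe case among the axes. Only the two stop codes this Chapter uses, 8 (Off-On-Error) and 12 (encoder failure), are given a meaning; the comma-separated per-axis reply format and the "?" reply for a rejected command are the Galil ASCII conventions as assumed here, and the names Action, parse_axis_reply and classify are the example's own.

```python
"""Supervisor-side classification of Galil status replies (added example).

Not code from the thesis or from Galil. Stop codes 8 and 12 are the ones the
text uses; the reply framing (per-axis fields separated by commas, "?" when a
command is rejected) is assumed, and all sample replies are constructed.
"""
from enum import Enum


class Action(Enum):
    """Ordered by severity; the supervisor always escalates to the worst case."""
    CONTINUE = 0      # nothing to do
    REPORT = 1        # controller already stopped the motor; tell the operator
    MOTOR_OFF = 2     # controller did not act; supervisor must issue motor off
    CUT_POWER = 3     # controller unresponsive; drop the amplifier relay


STOP_CODE_POSITION_ERROR = 8    # _SCA=8  in the text's #ENCFAIL thread
STOP_CODE_ENCODER_FAILURE = 12  # _SCA=12 in the text's #ENCFAIL thread


def parse_axis_reply(reply):
    """Turn a per-axis reply such as "12, 0, 0, 0" into a list of ints.

    Returns None when the controller rejected the query ("?") or sent nothing
    usable, so the caller can treat that as a fault of its own.
    """
    reply = reply.strip()
    if not reply or reply == "?":
        return None
    try:
        return [int(field.strip()) for field in reply.split(",")]
    except ValueError:
        return None


def classify(te_reply, sc_reply, error_limit):
    """Map raw TE and SC replies to (Action, reason).

    te_reply / sc_reply are the strings returned by TE and SC, or None when no
    reply arrived before the supervisor's timeout. error_limit is the same count
    threshold programmed with ER on the controller.
    """
    if te_reply is None or sc_reply is None:
        return Action.CUT_POWER, "no reply from controller: assume controller failure"
    errors = parse_axis_reply(te_reply)
    codes = parse_axis_reply(sc_reply)
    if errors is None or codes is None:
        return Action.MOTOR_OFF, "status query rejected ('?'): read TC, then stop the motors"

    worst = (Action.CONTINUE, "all axes nominal")
    for index, (err, code) in enumerate(zip(errors, codes)):
        axis = chr(ord("A") + index)
        if code == STOP_CODE_ENCODER_FAILURE:
            verdict = (Action.REPORT, f"axis {axis}: encoder failure (SC=12), motor already off")
        elif code == STOP_CODE_POSITION_ERROR:
            verdict = (Action.REPORT, f"axis {axis}: position error {err} counts (SC=8), motor already off")
        elif abs(err) > error_limit:
            # Error beyond the limit but no stop code: OE is disabled or did not fire,
            # so the supervisor has to act instead of the controller.
            verdict = (Action.MOTOR_OFF, f"axis {axis}: error {err} counts exceeds {error_limit} with no stop")
        else:
            continue
        if verdict[0].value > worst[0].value:
            worst = verdict
    return worst


if __name__ == "__main__":
    # Constructed replies: axis A tripped OE; axis B is silently out of tolerance.
    print(classify("73, 0, 0, 0", "8, 1, 1, 1", 50))
    print(classify("0, 120, 0, 0", "1, 1, 1, 1", 50))
    print(classify(None, None, 50))
```

The ordering of Action matters: a missing reply ranks above everything the controller itself reports, because a silent controller is exactly the case where its built-in monitoring cannot be trusted and an external path to the amplifier relay (or the operator's panic-stop) is the only remaining barrier.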

5.6 Test cases

In this Section we show some examples of how we have tested the motion controller board’s capabilities. The board can be programmed in many ways: by uploading a program file into the controller’s memory or by running a program by means of the provided software on a personal computer. A great advantage of this controller is the availability of a number of libraries for integration with other operating systems. These Communication Libraries provide function calls for communicating with Galil controllers from C++ and from COM-enabled environments such as Visual Basic, C#, and LabView.

For the moment we have used the Galil two-letter programming language, which is essentially an assembler-like language. A useful interface for issuing commands to the Galil is the GalilTools software provided with the controller. A snapshot of this program is shown in Figure 5.9. This software can be useful for starting to use the controller, for programming and testing basic features and for uploading programs to the board’s non-volatile memory. For our tests this Graphical User Interface (GUI) is enough, but in the future, when more structured work will be needed, we are going to use the C++ Application Programming Interface (API) communication libraries.

5.6.1 Experimental Setup

The experimental setup is composed of three elements: a computer running a Unix-like operating system equipped with a real-time kernel, and the GalilTools software interface. The personal computer has a minimalistic graphic interface. We chose to equip it with three separate Ethernet ports to provide for future use with two Galil controller devices, one for a slave robot and one for a master robot, while the remaining Ethernet board will interface with another computer that runs the graphical tools for interfacing with the human operator.

Figure 5.9: Snapshot of the GalilTools software provided with the motion controller

The second element of our setup is the Galil chassis, equipped as described in Section 5.4, and the third element is a DC brush motor with an optical encoder connected to the Galil.

For the first connection to the Galil we prepared a set of commands that runs at every boot of the controller. These settings can also be saved into the controller’s non-volatile memory. The code is shown in the following algorithm.

#AUTO              ' routine label
BR 1,0,0,0,0,0,0,0 ' set the A-axis as Brush type
AU 0.5             ' set amplifier in chopper mode
AG 0               ' set amplifier gain to 0.4A/V
TL 2.5             ' set torque limit
AC 500000          ' set acc for A-axis in count/sec^2
DC 500000          ' set dec for A-axis in count/sec^2
SP 100000          ' set speed for A-axis in count/sec
EN                 ' end program

The AU command is used to set the amplifier to work with low-inductance motors. We chose the chopper mode, while the other operation mode, called inverter mode, is better for preserving the life of the MOSFET power transistors, but causes large heat dissipation in low-inductance motors.

The AG and TL commands set the maximum torque output of the motor, and so can limit the maximum current flowing to the motor. The maximum current that the Faulhaber 2342 motor can absorb in stall conditions is 3.38A (see Table 5.2). However, for safety reasons, we limit the current to 1A maximum for the testing phase. This is done by:

$$\mathrm{MaxCurrent}_{\mathrm{output}} = AG \cdot TL = 0.4\,\frac{\mathrm{A}}{\mathrm{V}} \cdot 2.5\,\mathrm{V} = 1\,\mathrm{A}$$

This equation means that the controller will output at most 2.5V to the amplifier, and the amplifier will then output at most 1A.

From the Faulhaber datasheet [20], the maximum acceleration possible for the motor is 140 · 10³ rad/s², and the maximum speed is 8500 rpm in no-load conditions. Anyway we chose to limit those values for the test cases. In fact we observe that these values cannot be reached with the torque limit imposed here, and the motor does not move smoothly if a higher speed is chosen with a low torque limit.

In order to obtain the correct values for the AC (acceleration) and SP (speed) commands, we need to transform the datasheet values into encoder counts, the position measurement unit of the Galil controller. Our encoders are equipped with 1000 lines per revolution, but due to the quadrature waveform of the output circuitry, the controller detects 4000 counts per revolution, then:

$$AC\left[\frac{\mathrm{count}}{\mathrm{s}^2}\right] = AC\left[\frac{\mathrm{rad}}{\mathrm{s}^2}\right] \cdot \frac{4000}{2\pi} = 89 \cdot 10^6$$

We chose to lower this value to 500 · 10³. For the maximum speed the procedure is the same. The motor has a no-load speed of 8500 rpm, then

$$SP\left[\frac{\mathrm{count}}{\mathrm{s}}\right] = SP[\mathrm{rpm}] \cdot \frac{4000}{60} = 500 \cdot 10^3$$

We chose to lower this value to 100 · 10³.
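The boot parameters above come from three conversions (datasheet acceleration and speed into encoder counts, and AG times TL into a current ceiling) followed by a manual derating. The following is an added example, not code from this thesis or from Galil, that carries out those conversions for the 4000 counts per revolution encoder and the Faulhaber 2342 figures quoted in the text, and goes one step beyond the text by refusing to emit the #AUTO routine when a requested value would exceed the datasheet maximum or the stall current. The mnemonics and values are taken from this Section; the helper names (rad_s2_to_counts, rpm_to_counts_per_s, max_current, validate_limits, build_auto_program) and the refuse-to-emit policy are the example's own.

```python
"""Derive the #AUTO boot parameters from datasheet values and safety limits.

Added example; not code from the thesis or from Galil. The mnemonics (BR, AU,
AG, TL, AC, DC, SP), the encoder resolution, the 0.4 A/V gain selected by AG 0,
and the Faulhaber 2342 figures (3.38 A stall current, 140e3 rad/s^2, 8500 rpm)
are taken from the text; the validation policy is this example's own.
"""
import math

COUNTS_PER_REV = 4000          # 1000-line encoder decoded in quadrature (x4)
AG_AMPS_PER_VOLT = 0.4         # amplifier gain selected by AG 0, per the text
STALL_CURRENT_A = 3.38         # Faulhaber 2342 stall current (Table 5.2 in the text)
MAX_ACCEL_RAD_S2 = 140e3       # datasheet maximum acceleration
NO_LOAD_SPEED_RPM = 8500       # datasheet no-load speed


def rad_s2_to_counts(accel_rad_s2, counts_per_rev=COUNTS_PER_REV):
    """rad/s^2 -> encoder counts/s^2 (one revolution is 2*pi rad = counts_per_rev counts)."""
    return accel_rad_s2 * counts_per_rev / (2 * math.pi)


def rpm_to_counts_per_s(rpm, counts_per_rev=COUNTS_PER_REV):
    """rpm -> encoder counts/s."""
    return rpm * counts_per_rev / 60.0


def max_current(tl_volts, ag_amps_per_volt=AG_AMPS_PER_VOLT):
    """Current ceiling implied by the torque limit TL (V) and the amplifier gain (A/V)."""
    return tl_volts * ag_amps_per_volt


def validate_limits(tl_volts, ac_counts, sp_counts):
    """Return the list of violated limits; an empty list means the setting is acceptable."""
    problems = []
    i_max = max_current(tl_volts)
    if i_max > STALL_CURRENT_A:
        problems.append(f"TL {tl_volts} V allows {i_max:.2f} A, above the {STALL_CURRENT_A} A stall current")
    ac_max = rad_s2_to_counts(MAX_ACCEL_RAD_S2)
    if ac_counts > ac_max:
        problems.append(f"AC {ac_counts} counts/s^2 exceeds the datasheet maximum {ac_max:.0f}")
    sp_max = rpm_to_counts_per_s(NO_LOAD_SPEED_RPM)
    if sp_counts > sp_max:
        problems.append(f"SP {sp_counts} counts/s exceeds the no-load speed {sp_max:.0f}")
    return problems


def build_auto_program(tl_volts=2.5, ac_counts=500_000, sp_counts=100_000):
    """Emit the #AUTO routine as text; raise instead of emitting an unsafe configuration."""
    problems = validate_limits(tl_volts, ac_counts, sp_counts)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "#AUTO",
        "BR 1,0,0,0,0,0,0,0",    # A-axis motor type, as in the text's boot routine
        "AU 0.5",                # chopper mode for the low-inductance motor
        "AG 0",                  # 0.4 A/V
        f"TL {tl_volts:g}",
        f"AC {int(ac_counts)}",
        f"DC {int(ac_counts)}",  # same deceleration as acceleration
        f"SP {int(sp_counts)}",
        "EN",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"AC max = {rad_s2_to_counts(MAX_ACCEL_RAD_S2):.3g} counts/s^2")
    print(f"SP max = {rpm_to_counts_per_s(NO_LOAD_SPEED_RPM):.3g} counts/s")
    print(f"I max  = {max_current(2.5):.2f} A")
    print(build_auto_program())
```

Keeping the derivation in code rather than in a hand-edited program file means the derated values are checked against the datasheet every time the boot routine is regenerated, so a later change of motor or of encoder resolution cannot silently leave a stale AC or TL in the controller's non-volatile memory.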

5.6.2 Position Error Test

The On-Off-Error command provides the capability to turn off the motor command as soon as the controller detects a difference between the commanded position and the actual encoder position. We discussed this feature in detail in Sections 5.3.2 and 5.5.2. The only parameter that needs to be set is the number of counts that will trigger a position error condition. For these testing purposes we chose the value of 50 encoder counts, which is a relatively small value. In order to avoid false positives this limit should be carefully calibrated, based on the inertia of the load connected to the motor.

For testing the On-Off-Error, we need to simulate a condition where the motor does not move to the desired position issued by the controller. This is done simply by holding the motor shaft by hand. Note that it is important to further decrease the Torque Limit threshold to a very low value, such as TL 1.

The code is shown in the following algorithm.


#POSITION_ERROR_TEST
' Set Parameters
TL 1               ' set torque limit
OE 1               ' enable On-Off-Error
ER 50              ' set A-axis error limit to 50 count
' Movements
PR 100000          ' relative movement in count
BG                 ' begin motion
AM                 ' after motion is complete
PR -100000         ' relative movement in count
BG                 ' begin motion
AM                 ' after motion is complete
MG "ENC POS=",_TPA ' echo encoder position
EN                 ' end program
#POSERR            ' automatic excess position error subroutine
MG "Position Error detected"
MG "Error=",_TEA   ' echo encoder error
STA                ' stop motor
AMA                ' after motor stops
SHA                ' servo motor here to clear error
RE                 ' return to main program

The subroutine #POSERR runs automatically as soon as a position error is detected, and can potentially implement many features. For example, an output bit can be set to fire a relay that opens the motor connections. We observed that the error limit function works as expected, by echoing the encoder error string to our GUI and by turning on the controller’s red light. Also, the motor is brought to a Motor Off state.

5.6.3 Encoder Failure Test

The Off-On-Encoder failure command can potentially detect a failure on either or both channels of the encoder. This is accomplished by checking whether motion of at least 4 counts is detected whenever the torque exceeds a preset level, set by the OV command, for a specified time, set by the OT command.

The board user manual [28] also emphasizes that for this function to work properly it is necessary to have a non-zero value for the integral block of the controller’s PID loop. This is because the integral term is in charge of detecting small errors, like a steady-state error. As time increases, the action of the integral term increases, because it sums the instantaneous error over time, giving the accumulated offset that should have been corrected previously.


Although it is not shown in these results, we properly configured the PID parameters during the first tests.

For testing the Off-On-Encoder failure command we chose very low values for the OV and OT commands such that, as in the example before, we can test this feature by holding the motor shaft by hand. Nevertheless these values have to be properly calibrated, because a wrong setting may lead to false-positive situations. For example, if the manipulator encounters an obstacle, the torque threshold should be carefully chosen to allow the possibility of touching the object without straining.

The assembler code that implements this example is shown in the following algorithm.


#ENCODER_FAILURE_TEST
XQ #ENCFAIL,2      ' launch concurrent thread
' Set parameters
TL 1               ' set torque limit
OE 0               ' disable On-Off-Error
ER 1000            ' set A-axis error limit to 1000 count
' Set encoder failure:
OT 5               ' set time to 5 milliseconds
OV 0.2             ' set voltage threshold to 0.2
OA 1               ' enable Off-On-Encoder failure
' Movements
PR 100000          ' relative movement in count
BG                 ' begin motion
AM                 ' after motion is complete
PR -100000         ' relative movement in count
BG                 ' begin motion
AM                 ' after motion is complete
MG "ENC POS=",_TPA ' echo encoder position
EN                 ' end program
#ENCFAIL           ' echo detected error type subroutine
IF (_SCA=8)        ' watch stop code
MG "OE detected"   ' echo if position error
JP #END            ' end subroutine
ENDIF
IF (_SCA=12)       ' watch stop code
MG "ENC FAILURE"   ' echo if encoder fails
JP #END            ' end subroutine
ENDIF
JP #ENCFAIL        ' loop thread
#END
EN                 ' end program


5.6.4 Watchdog Test

The DMC 4080 provides an internal watchdog timer which checks for proper microprocessor operation. The user manual [28] explains that the timer is able to toggle the Amplifier Enable Output, which is used to switch the amplifiers off in the event of a serious controller failure. The watchdog timer also checks the microprocessor during normal operation and during power-up.

However, we have no possibility of verifying the watchdog timer’s capabilities, because simulating a microprocessor failure is not possible, and obviously we do not want to create a real microprocessor failure. Moreover, supplementary watchdog systems could be implemented, for example by using one of the available outputs to refresh an external timer. This feature could be used for testing the controller state, or also for testing the network state if the watchdog signal travels over the Ethernet cable. Anyway, for testing network availability another feature can be used, as exposed in the following Section.

5.6.5 Network Error Test

A problem that may often occur is a connection error on the Ethernet communication. In order to overcome such a trouble, the controller provides a routine that automatically runs when a command is sent to a failed Ethernet connection. Such a routine allows the implementation of a number of emergency operations. In the algorithm below we simply stop the motion on all output axes, without breaking the program execution. It would also be possible to switch to another communication interface, such as a serial port or an I/O port.

#NETWORK_ERROR_TEST ' simple program loop
MG {EA} "L"         ' send a string on the Ethernet handle
WT 1000             ' wait one second
JP #NETWORK_ERROR_TEST
#TCPERR             ' automatic network error subroutine
' Stop motion. Note that in this way the program execution is not stopped
ST ABCD             ' stop motion on first four axes
ST EFGH             ' stop motion on other four axes
' echo on the serial port the number of the handle that lost
' the communication last
MG {P1} "TCPERR. Dropped handle", _IA4
RE                  ' end routine
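The #TCPERR routine above covers the board's side of a dropped Ethernet link; the control computer needs the complementary check, because a controller that has lost its handle cannot tell the computer so. The following is an added example, not code from this thesis or from Galil: the computer sends the same periodic liveness message, bounds the wait for its acknowledgement, and issues a stop command on the first miss. A small fake controller thread on 127.0.0.1 stands in for the board and simply stops answering after a set number of heartbeats (constructed behaviour, not a model of the DMC 4080). The framing (command terminated by CR, reply ending in the ':' prompt) and the reading of ST without an axis list as "stop every axis" are assumptions of this example, as are the names FakeController, run_heartbeat and demo.

```python
"""Heartbeat link monitor for the control computer (added example).

Not code from the thesis or from Galil. A fake controller thread answers each
heartbeat until it is told to go mute, standing in for a dead Ethernet link;
the client side detects the missing reply within a bounded time and records
the safe-state command it sends. The ASCII framing used here is an assumption.
"""
import socket
import threading

HEARTBEAT_CMD = b'MG "L"\r'   # same liveness message the text's loop sends on the handle
SAFE_STOP_CMD = b"ST\r"       # ST with no axis list: stop every axis (assumed here)
ACK = b"L\r\n:"               # constructed reply: echoed text, then the ':' prompt


class FakeController(threading.Thread):
    """Answers heartbeats until `answers_before_silence` replies were sent, then goes mute."""

    def __init__(self, answers_before_silence):
        super().__init__(daemon=True)
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))       # ephemeral port, read back below
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        self.remaining = answers_before_silence
        self.received = []                    # every command seen, for inspection

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            conn.settimeout(5)
            while True:
                try:
                    data = conn.recv(64)
                except socket.timeout:
                    break
                if not data:                  # client closed the link
                    break
                self.received.append(data)
                if data == HEARTBEAT_CMD and self.remaining > 0:
                    self.remaining -= 1
                    conn.sendall(ACK)
                # otherwise stay silent: from the client's side the link is dead
        self.srv.close()


def run_heartbeat(port, beats, reply_timeout_s=0.2):
    """Send `beats` heartbeats; on the first missing or malformed reply send ST.

    Returns (acknowledged, link_lost, safe_stop_sent).
    """
    acked = 0
    with socket.create_connection(("127.0.0.1", port), timeout=1) as s:
        s.settimeout(reply_timeout_s)         # bounded wait: the safety budget per beat
        for _ in range(beats):
            s.sendall(HEARTBEAT_CMD)
            try:
                reply = s.recv(64)
            except socket.timeout:
                reply = b""
            if not reply.endswith(b":"):
                # Best effort only: if the cable is really gone this never arrives,
                # which is why the board-side #TCPERR routine is still needed.
                s.sendall(SAFE_STOP_CMD)
                return acked, True, True
            acked += 1
    return acked, False, False


def demo(answers=3, beats=5):
    """Run one scenario end to end and return the client's verdict tuple."""
    ctrl = FakeController(answers)
    ctrl.start()
    result = run_heartbeat(ctrl.port, beats)
    ctrl.join(timeout=2)
    return result


if __name__ == "__main__":
    print(demo())                    # link declared lost at the 4th beat
    print(demo(answers=3, beats=2))  # never reaches the silent phase
```

The reply timeout is the quantity to calibrate: it bounds how long the manipulator can keep moving on stale commands after the link dies, and it must stay above the controller's normal reply latency on the chosen network, for the same false-positive reasons discussed for the position error and encoder failure thresholds.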


5.7 Conclusion

This Chapter addresses the design process that has been adopted for the servo subsystem, the electronic subsystem, and the control subsystem of a 6DoF robot manipulator. The electric motors are properly dimensioned by taking into account the different task behaviors that a manipulator should satisfy; for example, the motion profile is not the common trapezoidal curve that engineers use in the motor selection process, but a triangular curve. In addition, the kind of motor strongly affects the design procedure. For a faster, cheaper, and streamlined approach we selected a DC brush motor for the prototype manipulator, but we plan to use brushless motors for the final model, because brushless motors have a series of advantages that make them the better choice for operating in clean environments.

The motion controller board has been selected based on economic, ease-of-learning, safety feature and connection feature criteria. We chose a fully-featured axis controller device rather than a freely programmable microprocessor or FPGA, to take advantage of industrial progress and reduce the time that a semi-custom design would require. The design process continued with an analysis of the safety features that the selected controller has onboard, then describing the teleoperation layout for the slave controller device.

We applied the study carried out in Chapter 3 by performing an analysis of the failures and mishaps that our device can suffer, emphasizing the monitoring conditions that can be implemented to overcome mishaps. Finally we tested and verified some of the manifold features that the controller has built in, to make sure of their safety capabilities.


6 Conclusions

In this Thesis we have developed a safety approach in the design process of the electronic control system that drives a teleoperated robot system. Our study started with a detailed analysis of the safety principles in some interesting areas such as the automotive and industrial robot manufacturing scenarios. We learned that the service robotics scenario, while sharing and inheriting the same advancements in robot technology, belongs to a totally different environment. This is related to the different scope of a service robot, that is, the interaction with the human, sharing the same workspace and assisting him/her during normal life. This approach is rather new, because in other scenarios the robots can be enclosed in a safeguarding perimeter, preventing human hazards.

The medical robotics field belongs to the service robotics branch, and robots have been serving healthcare for two decades. Despite this long time, there are neither guidelines nor rules to follow when developing a robot for the medical environment, a field where safety is the main concern. The next section sets out our remarks on this subject.

Despite the lack of regulation, our work tries to give some guidelines that should be followed by engineers when developing a system with safety-critical implications, as in medicine. Note that we do not relate our study to the safety-critical rules addressed and widely discussed in the military environment, because that field usually does not take care of system costs; anyway, the notions are based on the same principles.

Because in this thesis we have addressed the low-level design and programming issues, we face the problem of obtaining a safe system by focusing on the fault detection and fault tolerance analysis of the system components. In addition, we concentrate on each system component and the mishaps it can lead to, rather than on the overall system configuration. A comprehensive mishap analysis will come with the completion of the design process of the whole teleoperation system.

Our project is based on a 6DoF telerobotic platform developed earlier, which shows interesting features from the mechanical point of view but needs to be refurbished in the control-electronics part. The number of the manipulator's degrees of freedom is the minimum necessary to command arbitrary positions and orientations in three-dimensional space. The design phase takes into account the requirements that should be met in a teleoperation layout, the major concern being the haptic feedback on the master side. To ensure such feedback we have also considered the implications that involve the slave side.

The design starts with the proper dimensioning of the motors to be employed in such a robot. The dimensioning procedure for both motors and driving amplifiers considered the special needs and uncommon motion profiles that a manipulator performs, leading to assumptions such as triangular rather than trapezoidal motion profiles, and high-current driving amplifiers. Afterwards we selected the motion controller device; the driving criterion was the safety and fault detection capabilities that it can provide. We also considered economic, simplicity and connectivity principles.

The last part of the design process discusses in detail the safety strategies that we adopted in relation to the system components designed. In order to achieve a suitable level of safety, we proposed a number of methods that can be adopted to avoid mishaps. When a fault cannot be avoided, a number of procedures and software strategies are developed in order to control the situation and bring the system to a safe state. Test cases verify the correct handling of these procedures.

The underlying theme that has driven this thesis is ensuring safety in a surgical robotic system. To fulfil this requirement engineers do their best in the design of the machinery, with the aim of not introducing trouble or mishaps, but rather providing a better way of solving tasks and so improving quality of life. Special attention to safety is needed when designing medical robots, as we remark in the following section.


6.1 Remarks in Medical Robotics

There are three major factors which influence the design of medical robots: safety, performance and cost. Typically any two of these can be satisfied by a given design solution; the third can only be achieved at the expense of one or both of the other desirable goals. The task of balancing these factors is not simply an engineering question: the issues are ethical, legal, medical, political and philosophical.

If, for example, a robotic system is capable of facilitating an otherwise intractable surgical procedure, the medical decision would be based on a comparison of the patient's prognosis without treatment against the quantified risks of robot-assisted surgery. From the legal standpoint, however, the supplier of the robotic system would be at risk of litigation in the event of an unsuccessful outcome resulting from equipment failure.

Clearly there is a need for an appropriate set of guidelines. Such guidelines would need to take into account the interests of all the relevant stakeholders, including patients, manufacturers, designers, government bodies, medical practitioners and the legal and insurance community.

6.2 Comments on Results

The last part of Chapter 5 shows the test cases performed to validate the safety considerations reached during our work. Although the whole teleoperation system is not yet fully operational, we have been able to perform a number of tests to ensure that the safety features we can provide in both hardware and software work as expected. We also found that the low-level software capabilities of the selected motion controller can implement many of the aspects needed to solve safety issues and to monitor connected devices. It can prevent component failures from creating unexpected situations and, in the worst case, it brings the system to a controlled halt.

Another important aspect to point out concerns the choice of the right electric motor to drive the manipulator. For the prototype model we chose DC brush-type electric motors and we found that this kind of motor meets our requirements well, although we have planned to equip the final model with another kind of motor, more suitable for use in the medical environment. We discussed in detail in Section 5.1.4 the reasons that drove us to choose a brushless motor for the final robot and the reasons for choosing a brush-type DC motor for the prototype robot. So far we can conclude that our analysis is appropriate, and the project will continue.

6.3 Future Work

The design process addressed in this thesis deals with the selection and dimensioning of the motors and the control electronics to drive a 6 DoF teleoperated robot. In order to have the whole teleoperation system working, some other work needs to be done.

The first task is the programming of the motion control board. Many features have been examined in this study, so the next phase concerns the implementation of these features by means of the Galil low-level programming language and their integration with the robot's duties. In this work care should also be put into the high-level software architecture. Indeed, the high-level software and the low-level software need to interact closely, so that each knows the behaviour of the other. For this purpose a real-time application software is adopted, running on a multi-core processing unit. However, when the number of manipulators increases, it is planned to adopt a totally different computer hardware architecture: a multi-board, multi-processor processing system will be designed, where each processing unit separately controls a manipulator and all the manipulator control units report to a main supervisor unit.

As stated before, the high-level software architecture is another important task to be addressed. It is in charge of controlling the overall teleoperation system, issuing commands to the master device and to the slave device, performing kinematics and inverse kinematics algorithms and coordinating the whole system. It is also in charge of managing the haptic force feedback, which requires a great deal of study to ensure stability in an active feedback loop.

To ensure safety at the level of the overall system, a separate control unit will be implemented, in charge of running an independent software architecture that monitors all the other devices of the teleoperation system to ensure that they are healthy. Such a device can be called a heartbeat.
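The heartbeat unit described above, as an added example that is not part of the thesis: a supervisor that expects a periodic heartbeat from each device of the teleoperation layout, latches into a controlled halt or the safe state when one stops, and refuses to resume until every device is alive again. Device names, periods, miss limits and the halt-versus-safe-state policy are assumptions made for the example.

```python
# Added example (not the thesis code): an independent "heartbeat" supervisor that watches
# every device of the teleoperation layout and escalates to a controlled halt or to the
# safe state when heartbeats stop. Device names, periods and limits are constructed.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class SystemState(IntEnum):
    # Ordered by severity: the supervisor may only escalate, never relax on its own.
    RUNNING = 0
    CONTROLLED_HALT = 1   # motion stopped, servo loops still closed
    SAFE_STATE = 2        # amplifiers disabled, brakes engaged


@dataclass
class Device:
    name: str
    period_ms: int        # expected interval between two heartbeats (integer ms avoids float drift)
    missed_limit: int     # consecutive misses tolerated before the device is declared unhealthy
    critical: bool        # True: losing it requires the safe state, not just a halt
    last_seen_ms: int = 0
    healthy: bool = True


class HeartbeatSupervisor:
    def __init__(self, devices: List[Device], now_ms: int) -> None:
        self.devices: Dict[str, Device] = {}
        for d in devices:
            d.last_seen_ms = now_ms
            self.devices[d.name] = d
        self.state = SystemState.RUNNING
        self.events: List[str] = []

    def heartbeat(self, name: str, now_ms: int) -> None:
        d = self.devices[name]   # an unknown sender is itself a fault: KeyError is deliberate
        if now_ms < d.last_seen_ms:
            # a heartbeat "from the past" means a clock or replay problem; do not trust it
            self.events.append(f"{name}: non-monotonic heartbeat ignored")
            return
        d.last_seen_ms = now_ms

    def check(self, now_ms: int) -> SystemState:
        """Called periodically by the supervisor's own loop; returns the (possibly escalated) state."""
        for d in self.devices.values():
            missed = (now_ms - d.last_seen_ms) // d.period_ms
            if d.healthy and missed >= d.missed_limit:
                d.healthy = False
                self.events.append(f"{d.name}: {missed} heartbeats missed")
                self._escalate(SystemState.SAFE_STATE if d.critical else SystemState.CONTROLLED_HALT)
        return self.state

    def _escalate(self, target: SystemState) -> None:
        if target > self.state:
            self.state = target
            self.events.append(f"system -> {target.name}")

    def reset(self, now_ms: int) -> bool:
        """Only an explicit operator action returns to RUNNING, and only if every device is alive again."""
        for d in self.devices.values():
            if now_ms - d.last_seen_ms >= d.period_ms:
                return False          # some device is still silent: stay latched
        for d in self.devices.values():
            d.healthy = True
        self.state = SystemState.RUNNING
        self.events.append("system -> RUNNING (operator reset)")
        return True


def run_scenario() -> Tuple[HeartbeatSupervisor, Dict[int, SystemState]]:
    """Constructed timeline (not measured data): the master console goes silent after 90 ms,
    then the slave motion controller after 120 ms; the operator tries to reset at 190 ms."""
    sup = HeartbeatSupervisor([
        Device("master_console", period_ms=10, missed_limit=3, critical=False),
        Device("slave_motion_controller", period_ms=10, missed_limit=3, critical=True),
        Device("supervisor_pc", period_ms=50, missed_limit=2, critical=True),
    ], now_ms=0)
    states: Dict[int, SystemState] = {}
    for t in range(10, 200, 10):
        if t < 100:
            sup.heartbeat("master_console", t)
        if t < 130:
            sup.heartbeat("slave_motion_controller", t)
        if t % 50 == 0:
            sup.heartbeat("supervisor_pc", t)
        states[t] = sup.check(t)
    sup.reset(190)   # refused: master and slave are still silent, so the system stays latched
    return sup, states


if __name__ == "__main__":
    supervisor, timeline = run_scenario()
    for t, s in timeline.items():
        print(f"t={t:3d} ms  {s.name}")
    print("\n".join(supervisor.events))
```

In the scenario the loss of the master link only halts motion, while the loss of the slave motion controller disables the amplifiers; both transitions are latched, so a device that merely comes back does not restart the robot.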

The last, and important, work to be addressed is a study of the risk analysis of the system. This can be done with the techniques introduced in Chapter 3, such as Risk Analysis or Fault Tree Analysis, and also with the calculation of the MTBF, Mean Time Between Failures.
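The Fault Tree Analysis and MTBF calculation named above, as an added example that is not the thesis's own analysis: a small fault tree for uncontrolled manipulator motion, evaluated both with the usual independence shortcut and by exact enumeration, which matters here because the heartbeat unit appears under more than one gate. Event names and failure rates are constructed placeholders.

```python
# Added example (not the thesis analysis): a small fault tree for the teleoperation system,
# evaluated two ways, plus the MTBF of the components taken as a series system. Failure
# rates and event names are constructed placeholders, not data from the thesis.
import itertools
import math
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    """Basic event with a constant failure rate lam (failures per hour; values are constructed)."""
    name: str
    lam: float

    def p_fail(self, hours: float) -> float:
        return 1.0 - math.exp(-self.lam * hours)

    def occurs(self, failed: Set[str]) -> bool:
        return self.name in failed

    def basics(self) -> List["Basic"]:
        return [self]


@dataclass(frozen=True)
class Gate:
    kind: str                                   # "AND" or "OR"
    inputs: Tuple["Node", ...]

    def __post_init__(self) -> None:
        if self.kind not in ("AND", "OR"):
            raise ValueError(f"unknown gate kind {self.kind!r}")

    def occurs(self, failed: Set[str]) -> bool:
        results = [n.occurs(failed) for n in self.inputs]
        return all(results) if self.kind == "AND" else any(results)

    def basics(self) -> List[Basic]:
        return [b for n in self.inputs for b in n.basics()]


Node = Union[Basic, Gate]


def top_probability_independent(node: Node, hours: float) -> float:
    """Textbook gate algebra. Exact only when no basic event feeds more than one gate."""
    if isinstance(node, Basic):
        return node.p_fail(hours)
    ps = [top_probability_independent(n, hours) for n in node.inputs]
    return math.prod(ps) if node.kind == "AND" else 1.0 - math.prod(1.0 - p for p in ps)


def top_probability_exact(node: Node, hours: float) -> float:
    """Enumerate all 2^n states of the distinct basic events; correct with shared events
    (a shared heartbeat unit is the typical case), but only practical for small trees."""
    basics = list({b.name: b for b in node.basics()}.values())
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(basics)):
        failed = {b.name for b, f in zip(basics, bits) if f}
        weight = math.prod(b.p_fail(hours) if f else 1.0 - b.p_fail(hours)
                           for b, f in zip(basics, bits))
        if node.occurs(failed):
            total += weight
    return total


def series_mtbf_hours(components: Iterable[Basic]) -> float:
    """MTBF of a series system with constant failure rates: any single failure stops the system."""
    return 1.0 / sum(c.lam for c in components)


def build_trees() -> Tuple[Gate, Gate, Tuple[Basic, ...]]:
    """Top event: uncontrolled manipulator motion. Without the heartbeat unit any single
    fault is enough; with it, a fault must coincide with the unit failing to halt the robot."""
    motor = Basic("motor_or_amplifier_fault", lam=1e-4)
    link = Basic("master_slave_link_loss", lam=2e-4)
    watchdog = Basic("heartbeat_unit_fails_to_halt", lam=1e-5)
    unmonitored = Gate("OR", (motor, link))
    monitored = Gate("OR", (Gate("AND", (motor, watchdog)),
                            Gate("AND", (link, watchdog))))
    return unmonitored, monitored, (motor, link, watchdog)


if __name__ == "__main__":
    mission_h = 1000.0
    unmon, mon, parts = build_trees()
    print(f"P(top) without heartbeat unit : {top_probability_exact(unmon, mission_h):.5f}")
    print(f"P(top) with heartbeat, exact   : {top_probability_exact(mon, mission_h):.5f}")
    print(f"P(top) with heartbeat, indep.  : {top_probability_independent(mon, mission_h):.5f}")
    print(f"series MTBF of the parts       : {series_mtbf_hours(parts):.0f} h")
```

Because the watchdog event is shared by both AND gates, the two branches are positively correlated and the independence shortcut overstates the top-event probability; the exact enumeration reduces to P(watchdog) x P(motor OR link).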


Acknowledgements

Saying thank you will always be too little; rather, I hope to have the chance to return the favour! I thank Prof. Passerone, who assisted me admirably from a distance, always giving me sound advice. I thank Prof. Fiorini, who welcomed me with professionalism from the first time I showed up unannounced in his office (who hung that half-hidden notice on a pillar in Mesiano?). Thank you for the support during all these months and for never denying me the time for a chat. A due thank you to Dr. Debora, who saved me from the irresistible, technologically advanced distractions of the laboratory by leaving me a great workstation in her office; and I apologise for having dictatorially taken control of the window. Riccardo also deserves thanks, for providing me with all the material I needed and for putting up with all my moments of "I don't know what to write". I do not want to forget Lorenzo and his jokes, Marco the Linux guru, Davide and all the films we magically share, Sonia and her constant smile, and all the staff of the ALTAIR Laboratory of the University of Verona: at any hour of the day or night you will find someone there.

I thank my parents, who gave me the chance to study all these years away from home. When I came back to complete my studies with a thesis close to home they proved excellent at spoiling me, leaving me as much time to study as I wanted without burdening me with household chores or with their problems. I thank my dad for the never-trivial technical advice he gave me, and my mum for the excellent nursing support in the last month, when I was always ill. Remember that this degree is also to your credit!

The penultimate thank you is the most important one, because if you have read this far it means you are really interested (at least in this page). It goes to Giorgia: thank you for being by my side, thank you for all the support you have given me; without you I would never have managed to overcome all these difficulties. It is thanks to your energy that I always manage to keep going.

Lastly I thank my computer, even though it cannot hear me, which held out without ever abandoning me. Evidently its MTBF has not yet arrived. We will see about the RAM's.


Dissertation edited with LyX, bibliography edited with BibTeX and JabRef.
