SPECIAL FEATURE MEDICAL SAFETY SYSTEMS

Applying software dependability principles to medical robotics

by Nicholas J. Dowler

Medical robotics is a relatively new branch of robotics and a new application area for safety-critical system development. Traditional approaches to the development of robotic systems no longer suffice, as many of the key robot-human safety principles are compromised by the very nature of the application. It is therefore suggested that safety-critical system techniques be used, in conjunction with quantitative software measurement, in order to sufficiently verify and validate the software against user and safety requirements and to systematically demonstrate software safety to regulatory agency requirements. This will also provide useful and early feedback to software engineers on the quality of the software during construction.

This article gives details of an investigation into how software dependability principles can affect the quality of safety-critical medical robot software, where quality is defined as a dependability attribute set, such as reliability, safety and security. The majority of research for safety-critical systems to date has been focused on formal methods, to show that the system software performs to, and only to, the system specification. This is an important and necessary task for safety-critical system development, but this approach is not always suitable to the development of medical device systems and software, especially if the development process is not adequately defined, implemented and documented.1 The software in a safety-critical system may be formally proved to meet its specification, but may not necessarily be easy to maintain or reuse as the requirements for the system evolve, or provide developers ample opportunity to reuse modules.

In the past, software architectural design attempts for safety have been concerned with partitioning the system, and therefore the software, into crude non-safety-critical and safety-critical domains, as a way to reduce the amount of verification effort and constrain the functionality of the software. However, to provide adequate safety assurance in this manner, it is necessary to prove that faults in the non-critical domain cannot adversely affect system safety. When focusing on reliability specifically, system architectural design has concentrated on fault-tolerant architectures2 where bias is directed towards hardware and software redundancy, through design and algorithm diversity and physical redundancy, such as multiple processors and sensors.

It is suggested that dependability factors should be addressed on the complete system, rather than traditionally critical subsystems, and reinforced through the use of design guideline implementation and evaluation. The rest of this article shows three application areas for medical robotics in which Armstrong Projects is involved, what software dependability methods are applicable, and how these principles and criteria can be applied to the construction and evaluation of dependable medical robotic systems.

Medical robotics

Medical robotics has now entered the arena of safety-critical systems development, and has atypical features to that of other such systems. Uniquely for robots, and virtually by definition, medical robots have to co-operate intimately with humans: indeed, frequently the human is the object of the robot's attention. Furthermore, the humans concerned are often incapacitated through disability, illness or anaesthesia and so are unable to operate an emergency stop or take avoiding action in the event of malfunction. Safety is, therefore, a paramount requirement for a medical robot. This results in a number of desirable goals for a medical robot.3 These desirable features rule out industrial robots tailored for medicine. Industrial robots generally tend to be physically large, powerful, respond quickly to instructions and have a large working envelope. All of these factors can be dangerous and potentially lethal in medical applications. As Brian Davies4 points out, the development of surgical robots should be bespoke, and involve surgeons, to produce a unique solution to a surgical procedure.

Applications of medical robotics

OrthoSista*

The OrthoSista, as its name suggests, is an orthopaedic surgery robot for use in repair of the femur. The head, or condyle, of the femur forms the ball of the hip ball-and-socket joint. The condyle is joined to the femur by a narrow neck, and it is here that one of the commonest types of fracture occurs. Surgical repair involves stabilising the fracture with a stainless steel fixture secured in place by screws.

Currently, the insertion of this fixture is carried out by a surgeon, using repeated X-ray snapshots to align a pilot drill, used to guide the large fixation pin into position. Frequently, the resultant hole is imperfectly positioned and the surgeon then has to try again. Sometimes many attempts are necessary before a satisfactory pilot hole is made, down which the main drill and tap can be inserted to secure the fixture. Apart from weakening the femur by these wrongly-positioned holes, and the consequent extended operating time, the repeated need for X-ray shots creates a potential radiation exposure hazard to the patient and surgical team.

The OrthoSista holds a guide tube in the correct position close to the femur, enabling the surgeon to drill the pilot hole accurately first time. The robot positions the guide tube based on a desired trajectory drawn by the surgeon on an imaging system linked to the X-ray intensifier. This robot controller can therefore calculate the geometric motions for the robot that are necessary to bring the guide tube into alignment. This robot provides a number of advantages over the traditional manual method:

• greatly reduce the X-ray dose to patient, surgeon and theatre staff
• automatically perform complex orientation
• improve the precision of the implant position
• reduce the time required under anaesthetic.

*The OrthoSista, EndoSista and NeuroSista have patents applied for.

EndoSista

In traditional minimally invasive surgery, the surgeon manipulates instruments through small ports in the patient. The surgeon is able to view the operating site using an endoscopic camera mounted on a rigid tube known as a laparoscope. As both the surgeon's hands are used for the manipulation of instruments, an assistant is required to support and control the laparoscope under verbal direction from the surgeon. This presents a number of communication problems between an assistant and the surgeon, resulting in surgeon frustration and frequently the assistant second-guessing the surgeon's requirements. The EndoSista is a four degree of freedom telemanipulator, intended to replace the assistant and return control of the laparoscope to the surgeon. The telemanipulator's movements consist of pan, tilt, zoom and swivel, which are controlled through a set of surgeon-defined head gestures. A six degree of freedom magnetic field head tracker, worn by the surgeon, is used to learn and identify the surgeon's gestures. Movement of the EndoSista can only be achieved by first pressing a footswitch before a gesture is made, and is stopped by releasing the footswitch.


NeuroSista

The NeuroSista provides accurate positioning and navigation during cranial or spinal surgery, by reference to pre- or intra-operative CT and MRI images. The NeuroSista has two variants, passive and active, both with a five degree of freedom SCARA (selective compliance assembly robot arm) articulation. The passive variety has an unpowered freely jointed arm which holds a surgical tool. As the surgeon moves the tool by hand, encoders measure the angular displacement of each of the robot joints. These angles are then used to calculate the absolute position of the surgical tool tip, with respect to a known datum. Additional image processing software can be used to display the robot position on a series of images, allowing the surgeon to identify and navigate to a selected feature, such as a tumour. The active NeuroSista is motorised and directed by the surgeon, who specifies a target and an approach path on patient images (although a passive mode is also available). The robot can be used to orient a surgical tool holder into the specified position, so as to provide a guide for the manual insertion of instruments. This approach to stereotaxy, especially within the brain, provides significant advantages over traditional methods, such as removing physical localisation fixtures, surgically attached to the patient.5

Fig. 1 Hip repair schematic diagram (labels: great trochanter, fixator pin, holding screws)

Dependability requirements

Potential mishaps associated with medical robotics are generally regarded to be associated with registration and calibration procedures* because these require the greatest amount of human intervention in initialisation and determining correctness. Other areas of concern for dependability include electromechanical failures. However, for the purposes of this article attention is directed towards the software dependability of the medical robot controller and its software architecture. Armstrong's main requirements for the software within the controller are:

• Safety:† Failures within the software cannot lead to mishaps which can compromise the safety of the user (surgeon), theatre staff or the patient. The safety requirements for medical robots are substantially different from those for traditional robotics, and therefore the requirements and safety hazards of such systems are not fully understood. The identification of hazards in such systems should be of prime concern to developers, using safety-critical techniques such as fault-tree analysis and risk analysis.

• Reliability: Reliability is not a great requirement of the robotic system, as the fundamental design requires the surgical procedure to be intervened by the surgeon in case of robot failure, albeit with reduced benefit to the patient. Therefore typical reliability figures for a safety-critical failure in the controller could be well below those of other safety-critical systems. However, other application areas can be identified in which reliability would be of a higher importance. For example, if surgery is required within a critical section of the brain, it may not be possible to remove the robot or allow human intervention without some detrimental outcome for the patient. In these particular cases the risk of system failure must be balanced against the benefit of such a procedure.

• Maintainability: It is anticipated that a large number of robots will be used in medicine by the year 2000 and, therefore, maintenance will become increasingly important. As potential improvements to the software are discovered or enhancements are made in order to increase the benefit of use to patients, the overall system safety and reliability must be retained through modifications.

• Reusability: It is commercially beneficial to reuse as much of the controller software as possible within as many products as possible in order to: (i) reduce the repetition of costly effort in the validation and verification of the software to dependability requirements, and (ii) allow the familiarity of the software architecture to be retained by development engineers, so that the task of identifying errors is reduced, enhancements are more easily introduced and the architecture can be applied to robots for emerging application areas.

*Registration and calibration of medical robots to patients, medical images and surgical tools are by far the greatest safety hazards of a medical robotic system. Poor registration and calibration can lead to inaccuracies which have the potential of being fatal for patients, although the specific identification of these hazards and their remedies is not within the scope of this article.

†It is universally accepted that safety cannot be tackled purely through the prevention and elimination of hazards within a section of the system design. Mechanical and electrical devices have also been included to eliminate or control hazards.

Achieving dependability

Generally, medical robotics has relied on one of two methods in order to reduce failure rates and increase medical robot controller safety:

• Kernelisation: This method is sometimes referred to as a safety monitor, a system which monitors or gives consent to actions taken by the rest of the system. This safety kernel can be much smaller than the main system and it can therefore be easier to test, and perhaps small enough for traditional formal verification techniques to be effective. It is usual for this type of architecture to be mandatory on many surgical robots where the robot and its control system are third party (i.e. a retrofitted industrial robot).

• Reduced functionality: By deliberately reducing, through mechanical and electrical means, the system's functionality or performance, areas of safety concern can be eliminated or reduced. Essentially this method is used to reduce the complexity of the system, and has been categorised for medical robots. This approach to development not only provides improved safety, but also is similar to a prototyping exercise. For example, if the first robot a developer produced was a surgeon-manipulated localiser, this can be tried and tested with significantly less risk than a fully active neurological intervention system. The results of the first localiser (and perhaps the software) can be included into the next generations, leading to the fully active version. This approach allows the developers and users to identify requirements, potential hazards and the feasibility of the robotic procedure.

Development methodologies, such as fault tolerance, defensive programming, n-version programming and formality, commonly used for other high-integrity systems, are infrequently used by medical device (robotic) developers. Fault tolerance, n-version programming, and to some degree formal methods require effort which is usually untransferable to the cost of the medical device. Exceptionally safe and reliable medical devices will be beyond the means of many potential customers, and therefore the benefit of these devices to patients is lost. Medical robotic developers require cost-effective development methods, which provide a level of integrity comparable to the risk associated with the robotic procedure. The responsibility for the choice of these methods should be that of the software development engineers (safety assurance should be external to the development team), with quality management systems for development control, and should combine additional feedback in the form of quantitative software measurement6 and extensive test results.7 This measurement feedback will allow the software engineer to determine the integrity of the software through the development life cycle, and react early enough to dependability problems without adding significant development effort. This is the design philosophy to the development of systems, including software, within Armstrong Projects.

Summary

Designing dependable software for critical applications is a skilful process, requiring expert judgment on the part of the software engineer. Although design methodologies contribute towards structuring software designs within established guidelines, the application of quality metrics to aid decisions made at design time would provide useful early feedback to software engineers, and would help reduce the effort involved with safety assurance and safety case preparation. The traditional methods of reducing failure rates and increasing medical robot controller safety will not suffice in the future. As the functionality of the robot extends to accommodate new surgical procedures, the complexity of the control system will become increasingly difficult to verify and validate against dependability requirements in this manner, while retaining the cost-effectiveness of the devices for the benefit of patients. It will be important, in future developments, to take a holistic view of the system with regard to dependability, and especially safety, and may therefore require medical device developers to change their development philosophy.
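The kernelisation method described above and the footswitch-gated movement of the EndoSista share one idea: a small component that must consent before the main controller is allowed to act. The following Python program is an added example written for this page; it is not code from the article or from Armstrong Projects. It assumes a simplified controller that requests Cartesian tip positions in millimetres relative to a calibrated datum, and the limits, the enable-switch semantics and the sample command stream are all constructed for illustration.

```python
"""Safety-kernel ("safety monitor") consent loop for a medical robot controller.

Added illustration, not code from the article or from Armstrong Projects.
Every limit, coordinate and sample command below is a constructed assumption.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Vec = Tuple[float, float, float]


@dataclass(frozen=True)
class Limits:
    """Static envelope for the guide tube, in mm relative to a calibrated datum.
    Constructed values: a real device would derive them from the registration
    and calibration step the article identifies as the main hazard."""
    axis_min: Vec = (-150.0, -150.0, 0.0)
    axis_max: Vec = (150.0, 150.0, 200.0)
    max_step: float = 5.0       # largest move the kernel will consent to per command
    max_radius: float = 180.0   # spherical working envelope around the datum


@dataclass
class Decision:
    target: Vec
    consented: bool
    reason: str


class SafetyKernel:
    """Small, separately testable monitor. The main controller can only move the
    robot through consent(); the kernel tracks the last consented position and
    records every decision so that rejected commands can be reviewed later."""

    def __init__(self, limits: Limits, start: Vec = (0.0, 0.0, 100.0)):
        self.limits = limits
        self.position: Vec = start
        self.enable_pressed = False      # footswitch / enable input, as on the EndoSista
        self.log: List[Decision] = []

    def set_enable(self, pressed: bool) -> None:
        self.enable_pressed = pressed

    def _check(self, target: Sequence[float]) -> Optional[str]:
        """Return a rejection reason, or None if the move may proceed."""
        if not self.enable_pressed:
            return "enable switch not pressed"
        if len(target) != 3:
            return "malformed target"
        if any(not math.isfinite(v) for v in target):
            return "non-finite coordinate"
        for axis, (v, lo, hi) in enumerate(zip(target, self.limits.axis_min, self.limits.axis_max)):
            if not lo <= v <= hi:
                return f"axis {axis} out of range"
        step = math.dist(self.position, target)
        if step > self.limits.max_step:
            return f"step {step:.1f} mm exceeds {self.limits.max_step:.1f} mm"
        if math.dist((0.0, 0.0, 0.0), target) > self.limits.max_radius:
            return "outside working envelope"
        return None

    def consent(self, target: Sequence[float]) -> Decision:
        reason = self._check(target)
        decision = Decision(tuple(target), reason is None, reason or "ok")
        if decision.consented:
            self.position = decision.target   # only consented moves update the kernel's model
        self.log.append(decision)
        return decision


def run_session(commands: Sequence[Tuple[bool, Vec]], limits: Limits = Limits()) -> SafetyKernel:
    """Replay (enable_state, target) pairs from the main controller through the kernel."""
    kernel = SafetyKernel(limits)
    for pressed, target in commands:
        kernel.set_enable(pressed)
        kernel.consent(target)
    return kernel


def rejections(kernel: SafetyKernel) -> List[str]:
    """Reasons for every refused command, in order, for the review record."""
    return [d.reason for d in kernel.log if not d.consented]


# Constructed command stream: each tuple is (footswitch pressed?, requested tip position).
SAMPLE_COMMANDS: List[Tuple[bool, Vec]] = [
    (False, (0.0, 0.0, 103.0)),          # gesture without the footswitch: must be refused
    (True, (0.0, 0.0, 103.0)),           # 3 mm step inside the envelope: consented
    (True, (0.0, 0.0, 120.0)),           # 17 mm jump in one command: refused
    (True, (0.0, 0.0, 105.0)),           # 2 mm step: consented
    (True, (160.0, 0.0, 105.0)),         # beyond the x-axis limit: refused
    (True, (0.0, float("nan"), 105.0)),  # corrupted coordinate: refused before any distance arithmetic
]

if __name__ == "__main__":
    k = run_session(SAMPLE_COMMANDS)
    for d in k.log:
        print("CONSENT" if d.consented else "REJECT ", d.target, d.reason)
    print("final consented position:", k.position)
```

Because every command passes through `consent()`, the kernel's checks can be tested and reviewed independently of the much larger controller, which is the property the article credits to a small safety kernel. The decision log is the record that safety-assurance staff outside the development team would want when preparing a safety case.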

References

1 PARNAS, D. L., and COURTOIS, P. J.: 'Documentation for safety-critical systems', Proceedings of the 15th International Conference on Software Engineering, IEEE Press, 1993, pp. 315-323

2 AVIZIENIS, A., and LAPRIE, J. C.: 'Dependable computing: from concepts to design diversity', Proc. IEEE, 1986, 74, (5), pp. 629-638

3 FINLAY, P. A.: 'Robotics in healthcare technology: present and future trends', 1988, Armstrong Projects Ltd, Beaconsfield, HP9 2JL

4 DAVIES, B. L.: 'Safety critical problems in medical systems', Proceedings of the Safety-Critical Systems Club, The Belfry, Birmingham, March 1994

5 THOMAS, D. G. T., and KITCHEN, N.: 'Minimally invasive surgery: neurosurgery', British Medical Journal, 1994, 308, pp. 126-128

6 KITCHENHAM, B.: 'Software metrics', in 'Software Reliability Handbook' (ROOK, P., Ed.) (Elsevier, London, 1990)

7 LITTLEWOOD, B.: 'Limits to evaluation of software dependability', Proceedings of the 7th Annual Conference on Software Reliability and Metrics, London, 1990

© IEE: 1995

The author is with Armstrong Projects Ltd., Beaconsfield, UK. He may be contacted via E-mail: ndowler@armstrong.co.uk.

COMPUTING & CONTROL ENGINEERING JOURNAL, OCTOBER 1995