Risk Assessment and Functional Safety Analysis to Design Safety Function of a Human-Cooperative Robot

Human-cooperative robots (HCRs) are expected to benefit various industries, and many studies related to physical human-robot interactions have been conducted (Moore et al., 2003; Kim et al., 2005; Tsuji & Tanaka, 2005); some HCRs have been gradually introduced in manufacturing and welfare fields. For instance, power-assist systems in manufacturing assist workers in carrying heavy modular parts to the target site (Konosu & Yamada, 2003; Santos et al., 2010). In the welfare field, power-assisted meal-carrying carts enable caregivers to move numerous dishes at once (Fujiwara et al., 2002), and electro-hybrid wheelchairs make it easier for caregivers to move a person with weakened leg muscles (Seki et al., 2006).


Introduction
Safety is regarded as a critical issue for HCRs. In particular, safety functions that can bring HCRs to a safe state in an emergency are essential because their hazardous movement may cause serious injuries to operators. The reliability of the safety functions must be sufficiently high in response to the estimated risk. Therefore, it is important to predetermine the required safety level for a HCR, to design a suitable safety function that ensures this safety level, and to analyze the validity of safety-function design.
Several attempts have been made to develop safety-design methodologies for HCRs in the related research fields. Ogorodnikova integrated several approaches related to risk estimation and safety design for a human-centered robotic work cell. Kazanzides reported a tutorial overview of safety design for medical robots with a discussion of high-level safety requirements and methods for risk assessment (Kazanzides, 2009). Guiochet et al. studied a model-based, user-centered risk assessment that estimates the associated risks of an HCR (Guiochet et al., 2010). However, these studies mainly introduce methodologies for the overall safety design for HCRs, especially focusing on the inherent safety design, and do not present details on safety-function design involving validity analysis. On the other hand, Laible et al. studied safety-function design with a multichannel voting architecture that is based on the top-down risk assessment of an HCR (Laible et al., 2004). Okada et al. reported an example of the application of international safety-standard concepts to a robot cell-production system and showed that safety devices can be effectively used within a safety architecture (Okada et al., 2007). Nakabo et al. developed an integrated safety-function module for an HCR, which is designed to be compliant with international safety standards. However, these studies neither predetermine the safety level required by the system nor assess whether the designed safety functions match the requirement. An established safety-function design for HCRs has become a very important issue, but a methodology involving the validity analysis of safety-function design has not yet been examined.
IEC 61508, an international standard for safety-critical systems, has been gradually introduced in various industrial fields that adopt programmable controllers (IEC 61508 Technical Committee, 1998; 2002). This standard is concerned with functional safety, which is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs, and provides guidelines not only for determining the required safety-integrity level (SIL) but also for analyzing the validity of safety-related system (SRS) design.
Therefore, we consider a methodology for safety-function design involving risk assessments and a functional safety analysis based on IEC 61508; this chapter introduces a case study that focuses on the system failures of an HCR in order to propose this methodology. The details of the methodology for Skill-Assist, an HCR we adopted as a platform system, are described in this chapter. Section 2 describes the outline of the Skill-Assist, and Section 3 explains the SIL determination for the Skill-Assist and risk assessments of the system failures. Section 4 describes an SRS designed on the basis of the risk-assessment results and the functional safety analysis of the SRS. The proposed methodology for safety-function design is discussed in Section 5, and the conclusion is presented in Section 6.

Skill-Assist
Figure 1 shows an operator performing a task with Skill-Assist. Skill-Assist is a power-assist system that allows the operator to perform his/her task without disturbing the human skill by varying the virtual mechanical impedance (Konosu & Yamada, 2003). The Skill-Assist has been introduced in the automobile assembly lines of a motor company and is also expected to be applied to the welfare field. Figure 2 presents the schematic overview of Skill-Assist. Skill-Assist has three degrees of freedom (DOF) and can move in the transverse, traveling, and elevated directions using electric-powered actuators installed on lanes. The displacement and velocity of Skill-Assist are recorded using pulse linear encoders (Numerik JENA, RIA-22) attached to the lanes. An operator grips the lever of an analog-type force sensor (Nitta, IFS-100M40A50-I63) and can maneuver the end effector of Skill-Assist to pick up and move the workload. The control computer (Advantech, IPC-610) of Skill-Assist processes sensor signals for impedance control, generates analog command signals with a D/A converter (Interface, PCI-3310), and drives the actuators using AC servo controllers (Mitsubishi, MR-J2S-40AS).
As fundamental safety measures, an enable switch is attached to the lever of the force sensor and an emergency stop switch is within close reach of the operator. Signal logic around the control system and the power supply to the actuators is managed by a programmable logic controller (PLC, Keyence, KV series). When the enable switch is not pushed or the emergency stop switch is pushed, the PLC disables the contactor (Mitsubishi, SD-Q19) to shut down the power supply and simultaneously activates the regenerative brake (Mitsubishi, MR-RB12) to bring Skill-Assist to a halt. Overcurrent, overheat, and open-load protective functions are incorporated in the AC servo controllers.

SIL determination for Skill-Assist
As the first step in the proposed safety-function design process, we determine the SIL for the Skill-Assist. SIL is defined in (IEC 61508 Technical Committee, 1998) as a relative level of risk reduction provided by a safety function, which is represented by SIL-1, SIL-2, SIL-3, and SIL-4. The most dependable level is SIL-4, which is required for an aircraft or a train, where catastrophic accidents can occur if the SRS fails. In general, the target SIL required for a system is determined by a qualitative or quantitative method; we use a risk graph, which is a qualitative method, for determining the target SIL from the information on risk factors (IEC 61508 Technical Committee, 1998). Fig. 3 shows the risk graph adopted in the proposed methodology, which is also used in the risk evaluation of a human-robot collaborative system (Behnisch, 2008; ISO Technical Committee 114, 2006). The risk graph is entered at the start point on the left side and traversed on the basis of risk parameters such as the severity of injury (S1, S2), the frequency of exposure to hazards (F1, F2), and the possibility of avoiding a hazard (P1, P2). The selection of the risk parameters leads to one of the five outputs on the right side, and the number at each output indicates the required SIL that must be achieved by the SRS.

Severity of injury (S1, S2)
S1 and S2 indicate "normally reversible injury" and "normally irreversible injury", respectively. Considering the horizontal inertia (202 kg) and maximum velocity (1.43 m/s) of Skill-Assist, and based on the results reported in (Haddadin et al., 2009), crushing or collision caused by its hazardous movement may result in a fracture-level or a serious permanent injury at worst. Hence, we select parameter S2 at the start point.

Frequency of exposure to hazards (F1, F2)
F1 and F2 indicate "seldom-to-less-often" and "frequent-to-continuous", respectively. A work-space that includes the Skill-Assist can be regarded as a hazardous zone because the operator usually makes contact with the Skill-Assist while conducting tasks. Therefore, it seems reasonable to assume that the operator is always exposed to the hazardous zone, and thus, we select parameter F2 at the second branch point.

Fig. 4. Simplistic version of FTA that focuses on potential system failures

Possibility of avoiding hazard (P1, P2)
P1 and P2 indicate "possible under specific conditions" and "scarcely possible", respectively. Considering the implementation of the enable and emergency stop switches, crushing or colliding caused by the hazardous movement of the Skill-Assist can be avoided by using the safety switches. Therefore, we select parameter P1 at the third branch point.
As a result of these risk parameters, the target SIL required for the Skill-Assist is SIL-2.

Fault Tree Analysis (FTA)
To examine the potential system failures and the appropriate safety measures against failures with unacceptable risk levels, we implement a fault-tree analysis (FTA) (IEC 61025 Technical Committee, 2006). Fig. 4 presents a simplistic version of the FTA, which focuses on the potential system failures that may cause the hazardous movement of the Skill-Assist. Note that we have omitted minor details, which are summarized in representative terms in Fig. 4, to focus on the sequence of safety-function design, because the actual FTA we conducted is more complex and too large to be represented in this chapter. The top event of the FTA is the hazardous movement of the Skill-Assist, which links to the lower-level events through IF and OR gates. The cumulative failure and simultaneous failure of multiple components are not considered in the FTA. An abnormal actuator current can be prevented if a human operator correctly pushes the power management switches or the switches work normally; otherwise, the abnormal current directly affects the movement of the Skill-Assist, resulting in crushing or colliding. An abnormal actuator current that occurs because of the failure of the actuator, PLC, servo controller, or contactor leads to the hazardous movement of the Skill-Assist. We assume that the actuator failure can be neglected if the overcurrent, overheat, and open-load protective functions incorporated in the AC servo controller work normally. The abnormal command signal can be

The FTA result enables us to easily trace the failures. Hence, we can develop safety measures for failures that may cause the hazardous movement of the Skill-Assist. For effectiveness, it is important to prioritize safety measures according to the effects and risks of the failures.

Failure Mode and Effects Analysis (FMEA)
To examine the potential failures and the appropriate safety measures against unacceptable risk levels estimated for the Skill-Assist, we next conduct a risk assessment based on a failure mode and effects analysis (FMEA) (IEC 60812 Technical Committee, 2006) on the basis of the FTA results.
In the FMEA, the consequences of a part failure are evaluated using three criteria: severity (S), likelihood of occurrence (O), and undetectability (U). The overall risk of each type of failure is called the risk priority number (RPN), which is the product of the severity, occurrence, and undetectability ratings. S, O, and U have simplified ratings of low (1), medium (2), and high (3) in the proposed methodology. The ratings are each determined to suit the FMEA on the basis of the method described in (IEC 60812 Technical Committee, 2006) and the experience of the control-system designers. The incidents of failure in the control system are graded on an RPN scale of 1-27, where a failure with a rating of 27 is regarded as the most hazardous. Fig. 5 shows a simplistic version of the FMEA that especially focuses on failure modes with high RPN values; in Fig. 5, we have omitted the minor details and summarized them in representative terms. The basic function of FMEA is to describe the parts of a system and to list the consequences of a part failure. The RPN threshold was determined to be four by several control-system designers, who consider it the most suitable threshold value in the FMEA from a safety perspective, i.e., the failure modes with an RPN above the threshold are considered sufficiently serious to require safety measures. In Fig. 5, we categorize the severity of failure effects that may cause runaway, unstable operation, and no operation as high, medium, and low, respectively. The likelihood of occurrence of the noise and incorrect-coding failure modes is rated as high. The undetectability of actuator failures is rated as low, while that of PLC failures is rated as high.
We then define a safety measure for each failure mode with a high RPN. For instance, a combination of dual-channel voting and diverse programming (Mitra et al., 1999; Littlewood, 2000; IEC 61508 Technical Committee, 1998) is adopted as an effective safety measure for sensor and computer failures, because it can address some common-mode failures and is also recommended by a safety standard (BSR/T15.1 Technical Committee, 2002). A signal-monitoring function that utilizes a dual-channel voting architecture is required for detecting an abnormal command signal that the control computer generates through the D/A converter. A safety PLC is adopted as an alternative to the PLC incorporated in the conventional control system of the Skill-Assist.

Fig. 6. Improved control system with the designed SRS

Control system for securing functional safety with the designed SRS
We design an SRS based on the risk-assessment results, and Fig. 6 shows the improved control system with the SRS. The designed SRS (shaded blocks in Fig. 6) consists of primary and secondary control computers, the FSFDD (see also the Appendix), a safety PLC (JTEKT, TOYOPUC-PCS series), a contactor, and a regenerative brake.
The two control computers function as a dual-channel voter: they process the sensor signals diversely and transfer two equivalent analog commands to the FSFDD. A force-sensor-based control algorithm is built into the primary computer and operates the Skill-Assist; therefore, the command signal of the primary computer is also transferred to the servo controller. A diversely programmed control algorithm is built into the secondary computer and calculates the redundant command signal to be compared with the command signal of the primary computer. Unlike the command signal of the primary computer, that of the secondary computer is not transferred to the servo controller. Power is supplied to the DC servo motor through a contactor. The motor current is monitored by the servo controller using a Hall-effect device.
When a fault is detected because the difference between the command signals exceeds the preset threshold, the FSFDD automatically shuts down the power supply and locks the drive wheels by using the contactor and the regenerative brake through the safety PLC.

Configuration of the designed SRS
Fig. 7 depicts the architecture of the designed SRS. For the convenience of the functional safety analysis described hereinafter, the SRS is divided into the following sub-systems:
• Input sub-system: primary and secondary control computers
The input sub-system, which is expressed as 1 out of 2 (1oo2), enables the FSFDD to detect a fault in the command signals generated by the primary or secondary control computer. 1oo2 consists of dual channels connected in parallel, such that either channel can process the safety function. The logic sub-system comprises 1 out of 1 (1oo1) devices, where any dangerous failure leads to the failure of the safety function when a demand arises (IEC 61508 Technical Committee, 1998); therefore, in particular, the FSFDD and safety PLC involved in the logic sub-system should be highly reliable from the viewpoint of functional safety. The output sub-system comprises 1oo1 devices that can be actuated in a complementary manner in order to enhance the reliability of an emergency stop.

Process of functional safety analysis
To analyze the validity of the SRS design, we conduct a functional safety analysis according to the approach described in (IEC 61508 Technical Committee, 1998). We adopt the SIL previously determined in subsection 3.1 as the quantitative criterion. Fig. 8 provides an overview of the functional safety-analysis process. First, the component failure rates, failure modes, and failure-mode distributions of the SRS are obtained. Second, a failure modes, effects, and diagnostic analysis (FMEDA) is implemented to examine the effects of the failure modes on the SRS (Goble et al., 1999). Next, the safe failure fraction (SFF) and the probability of failure per hour (PFH) are calculated on the basis of the FMEDA result in order to examine whether the target SIL has been achieved (IEC 61508 Technical Committee, 1998). Note that the evaluation process for the SRS software is not considered in Fig. 8; we only consider the hardware of the designed SRS.

FMEDA is one of the steps required for analyzing the functional safety of a device. Fig. 9 shows a part of the FMEDA conducted for the FSFDD. Failure-in-time (FIT) denotes the unit of failure rate, and 1 FIT represents 10^-9 failures per hour. In the FMEDA, we refer to (MIL-HDBK-217F Technical Committee, 1991) and (IEC 62380 Technical Committee, 2004) for the failure rate, failure mode, and failure-mode distribution. The safe detectable, safe undetectable, dangerous detectable, and dangerous undetectable failure rates are denoted by λ_sd, λ_su, λ_dd, and λ_du, respectively, and are calculated as the result of the FMEDA. Furthermore, the safe failure rate λ_s, dangerous failure rate λ_d, and total failure rate λ of a component have the following relationships:

A failure that gives an FSFDD output of 0 V and shuts down the power source of the actuator is considered to be a detectable failure, irrespective of whether it is safe or dangerous. A failure that does not change the output signal is considered to be a safe undetectable failure, whereas a failure that causes oscillations, drift, or surge in the output signal is considered to be a dangerous undetectable failure. The circuit simulator Micro-Cap 9.0 (Spectrum Software) is utilized for examining the effects of the failure modes.
FMEDA for simply configured electrical components such as the power switch and EM brake is conducted in a manner similar to that for the FSFDD. However, for complex components such as the control computer, where a detailed analysis of each failure
where ∑ denotes the summation of the failure rates of the components involved in each sub-system.

SFF
SFF is a parameter that specifies the architectural constraints required for an SRS (IEC 61508 Technical Committee, 1998). SFF can be calculated as follows:

Table 1 shows the architectural constraints determined by SFF and SIL. A hardware fault tolerance of N indicates that N + 1 faults can cause a loss of the safety function. Because even a single fault cannot be allowed in the 1oo1 and 1oo2 architectures, in order to maintain the safety function, the architectures of all sub-systems in the designed SRS should meet an SFF in the range of 90%-99% to satisfy the target requirements of SIL-2.

PFH
The SIL of an SRS in high-demand or continuous operational modes is measured by the PFH of the safety function, which must be low enough to achieve the required SIL (IEC 61508 Technical Committee, 1998). According to Table 2, which shows the relationship between the SIL and the PFH, the designed SRS must satisfy a PFH in the range of 10^-7 to 10^-6 to achieve the target requirements of SIL-2.
The PFHs of the 1oo1 and 1oo2 architectures, PFH_1oo1 and PFH_1oo2, respectively, are obtained by the following equations (IEC 61508 Technical Committee, 1998):

where β and β_d represent the fractions of common-cause failures that are undetected and detected by the diagnostic tests, respectively. The channel-equivalent mean down time, the interval of the periodic diagnostic test, and the total elapsed time from the initial failure to the reinitialization of the system status (mean time to repair) are represented by t_ce, T_1, and MTTR, respectively. Note that t_ce, T_1, and MTTR are measured in hours.

Table 3 summarizes the failure rates, SFF, and PFH acquired as a result of the functional safety analysis for the designed SRS. Each λ is provided by the manufacturers or determined from the failure-rate data in (MIL-HDBK-217F Technical Committee, 1991; IEC 62380 Technical Committee, 2004). On the basis of the FMEDA results, we can determine λ_s, λ_dd, and λ_du for the SRS components. The SFFs of all the sub-systems are calculated using Eqs. (1), (3), and (5). The PFH of the input sub-system, which is configured with the 1oo2 architecture, is calculated using Eqs. (7) and (8), where β = 20% and β_d = 10% as the worst case, T_1 = 8760 h (one year), and MTTR = 8 h, on the basis of the parameter range in a typical example of the functional safety analysis (IEC 61508 Technical Committee, 1998). The PFHs of the logic and output sub-systems, which are configured with the 1oo1 architecture, are calculated using Eq. (6). The result of the functional safety analysis in Table 12 Will-be-
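The failure-rate relationships, the SFF, and the 1oo1/1oo2 PFH equations of the FMEDA, SFF, and PFH subsections above, carried through on sample numbers as an added example that is not the chapter's own code. The formulas are the simplified IEC 61508-6 equations for 1oo1 and 1oo2 evaluated with the chapter's parameters (β = 20%, β_d = 10%, T_1 = 8760 h, MTTR = 8 h); the FIT figures for the three sub-systems are constructed values rather than the chapter's Table 3, and the 1oo2 formula is applied per channel under the assumption that both control computers have the same hardware failure rates.

```python
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = 1e-9 failures per hour


@dataclass(frozen=True)
class FailureRates:
    """FMEDA-classified failure rates (per hour) of a component or sub-system."""
    lam_sd: float  # safe, detectable
    lam_su: float  # safe, undetectable
    lam_dd: float  # dangerous, detectable by the diagnostics
    lam_du: float  # dangerous, undetectable

    @property
    def lam_s(self) -> float:  # safe failure rate
        return self.lam_sd + self.lam_su

    @property
    def lam_d(self) -> float:  # dangerous failure rate
        return self.lam_dd + self.lam_du

    @property
    def lam(self) -> float:  # total failure rate
        return self.lam_s + self.lam_d

    def __add__(self, other: "FailureRates") -> "FailureRates":
        # A sub-system's rates are the sums over the components it contains.
        return FailureRates(self.lam_sd + other.lam_sd, self.lam_su + other.lam_su,
                            self.lam_dd + other.lam_dd, self.lam_du + other.lam_du)


def fit(sd: float, su: float, dd: float, du: float) -> FailureRates:
    return FailureRates(sd * FIT, su * FIT, dd * FIT, du * FIT)  # figures given in FIT


def sff(r: FailureRates) -> float:
    """Safe failure fraction: share of failures that are safe or dangerous-but-detected."""
    return (r.lam_s + r.lam_dd) / r.lam


def pfh_1oo1(r: FailureRates) -> float:
    """1oo1: any dangerous undetected failure defeats the safety function on demand."""
    return r.lam_du


def channel_equivalent_down_time(r: FailureRates, t1: float, mttr: float) -> float:
    # t_ce (h): undetected dangerous faults persist T1/2 + MTTR on average, detected ones MTTR.
    return (r.lam_du / r.lam_d) * (t1 / 2 + mttr) + (r.lam_dd / r.lam_d) * mttr


def pfh_1oo2(r: FailureRates, beta: float, beta_d: float, t1: float, mttr: float) -> float:
    """1oo2 with equal channel rates r: lost when both channels fail dangerously within
    one t_ce, or a common-cause failure (fraction beta / beta_d) takes both out."""
    t_ce = channel_equivalent_down_time(r, t1, mttr)
    independent = 2 * ((1 - beta_d) * r.lam_dd + (1 - beta) * r.lam_du) ** 2 * t_ce
    common_cause = beta_d * r.lam_dd + beta * r.lam_du
    return independent + common_cause


def sil_from_pfh(pfh: float) -> int:
    """SIL band for high-demand/continuous mode; 0 means below SIL 1."""
    bands = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
    for sil, (low, high) in bands.items():
        if low <= pfh < high:
            return sil
    return 0


def analyse_srs(beta: float = 0.20, beta_d: float = 0.10,
                t1: float = 8760.0, mttr: float = 8.0) -> dict:
    """Chapter's worst-case parameters (beta 20 %, beta_d 10 %, T1 one year, MTTR 8 h)
    applied to constructed sample rates (FIT) for the three sub-systems."""
    computer = fit(sd=300, su=300, dd=350, du=50)  # one control-computer channel
    logic = fit(sd=200, su=100, dd=60, du=30) + fit(sd=300, su=100, dd=200, du=60)  # FSFDD + safety PLC
    output = fit(sd=60, su=30, dd=0, du=5) + fit(sd=40, su=30, dd=0, du=5)  # contactor + brake
    subsystems = {
        "input (1oo2)": (sff(computer), pfh_1oo2(computer, beta, beta_d, t1, mttr)),
        "logic (1oo1)": (sff(logic), pfh_1oo1(logic)),
        "output (1oo1)": (sff(output), pfh_1oo1(output)),
    }
    total_pfh = sum(p for _, p in subsystems.values())
    # Checks the chapter applies: SFF of at least 90 % in every sub-system (99 % or more
    # would permit a higher claim) and a PFH of the whole SRS at or below the SIL-2 band.
    sff_ok = all(s >= 0.90 for s, _ in subsystems.values())
    sil = sil_from_pfh(total_pfh)
    return {"subsystems": subsystems, "total_pfh": total_pfh, "sil": sil,
            "meets_sil2": sff_ok and sil >= 2}


if __name__ == "__main__":
    result = analyse_srs()
    for name, (s, p) in result["subsystems"].items():
        print(f"{name:14s} SFF = {s:6.2%}  PFH = {p:.3e} /h")
    print(f"SRS PFH = {result['total_pfh']:.3e} /h -> SIL {result['sil']}, "
          f"SIL-2 satisfied: {result['meets_sil2']}")
```

With these sample rates the 1oo2 input sub-system contributes far less PFH than its per-channel λ_du would in a 1oo1 arrangement, while the two 1oo1 sub-systems are dominated by their λ_du alone.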

Discussion
The sources of hazards in HCRs can be largely divided into human errors, the environment in which humans and robots interact, and the robot itself (Dhillon & Fashandi, 1997; Yamada et al., 1999; Alvarado, 2002). This research introduced a case study that focused on the robot, especially with regard to its system failures. The system failures of the robot could be identified by relatively simple risk assessments such as FTA, and the functional safety analysis was conducted by calculating the failure rates of the different sub-systems that the designed SRS comprises. Moreover, all equations in the functional safety analysis were deterministic and linear, and all parameters in these equations took constant values; these parameters determined the SFF and PFH. However, if an operator and a robot are treated as a man-machine system, the human-robot cooperative system is stochastic and nonlinear, and in this case, human factors should be addressed by more sophisticated safety-analysis approaches. Therefore, the proposed methodology is limited to the design of the safety function for system failures and cannot be directly applied to other safety functions that prevent hazardous events caused by human factors. To design the safety function for an HCR in consideration of human factors, human-behavior analysis must be considered, and the risk-analysis techniques proposed in related studies such as (Guiochet, 2003; Ogure et al., 2009) may give us some hints for doing so.
From the viewpoint of the safety-design issues of HCRs, conventional studies such as (Kazanzides, 2009; Guiochet et al., 2010) mainly present methodologies that focus on the inherent safety design based on risk assessments. For instance, (Guiochet et al., 2010) proposes an approach based on a combination of well-known safety-analysis techniques and applies this approach to the safety design of an HCR. However, these studies do not present details of how to design the safety function for HCRs. On the other hand, (Laible et al., 2004), (Okada et al., 2007), and propose design methodologies for the safety function of HCRs. However, they neither predetermine the safety level required by the system nor assess whether the designed safety functions match the requirement. The significance of our study compared to conventional studies is that the proposed methodology for safety-function design systematically evolves from a process of predetermining the safety level to that of analyzing it; the methodology enables the design of an adequate safety function for an HCR and provides an analysis process against the required safety level. We believe that the proposed methodology can be applied to safety-function design for the system failures of HCRs such as power-assist systems or industrial robots with a hands-on control mode.
A dual-channel architecture can detect a fault that occurs in only one channel at a time. Therefore, if a component that is commonly connected to both channels causes a fault, a dual-channel voter such as the FSFDD cannot detect the fault, because the same abnormal signals would be generated from both channels. Furthermore, the analog voting architecture proposed in this study limits the flexibility of the system configuration and has low performance in terms of noise tolerance. In the future, we will investigate the design of a dual-channel architecture that can address the simultaneous failure of both channels using digital processing.
A functional safety analysis of the software also needs to be implemented for an SRS involving programmable controllers. Unlike the case of hardware, which adopts a probabilistic approach as introduced in this paper, a software analysis is generally conducted by deterministic approaches and a specified software-development lifecycle (IEC 61508 Technical Committee, 1998).
In particular, the method described in (IEC 61508 Technical Committee, 1998) concretely suggests software techniques, including safety specifications, architecture design, and programming languages, to be adopted in an SRS according to the required SIL. Such a functional safety analysis for software is also necessary for the proposed methodology, and the integration of safety-function design approaches for hardware and software should be discussed in the future.
System stability is an important issue related to the safety of HCRs. To keep a human-robot cooperative system stable at all times, it is primarily required to design a robust controller that can minimize the effects of uncertain factors in the system. As an additional safety measure, it is also required to establish a safety guideline for operators that prohibits aggressive maneuvering, which can cause unstable movements of the system. The proposed methodology does not include the analysis of system stability because it focuses on the validity analysis of the safety-function design based on IEC 61508. To introduce the system-stability problem into the proposed methodology, it is necessary to analyze the maneuvering patterns of operators and the dynamics of the physical human-robot interaction, to quantify the analysis results as numerical parameters, and to apply these parameters to the process of safety-function design. How to implement system-stability analysis in the proposed methodology remains a subject for future discussion.

Conclusion
In this chapter, we introduced a methodology for safety-function design involving functional safety analysis by using a case study on the system failures of the Skill-Assist. First, the target SIL required for the Skill-Assist was determined and the top-down and bottom-up risk assessments were then conducted. An SRS with two control computers, an FSFDD, and a safety PLC was designed on the basis of the risk-assessment results. We conducted a functional safety analysis for the designed SRS and found that it satisfied the target SIL.

Appendix - Fail-Safe Fault Detection Device (FSFDD): Signal-monitoring function for the analog voting architecture
Because an analog command signal is used in the conventional control system of the Skill-Assist, we use an analog signal voting scheme to simplify the dual-channel architecture of the control computers. The analog voting scheme is also beneficial in simplifying the safety-related signal processing once adequate measures are taken against noise. A fail-safe fault detection device (FSFDD) that we have developed can detect a fault by comparing the analog command signals generated by the dual-channel control computers, and it reflects the result of the fault detection in the output signal 2009). By monitoring the command signals, the FSFDD is able to indirectly detect not only computer hardware/software failures but also sensor failures that can cause hazardous movement of the Skill-Assist. Fig. 10 shows the current version of the FSFDD. The fail-safe devices that dominate the FSFDD have the unique characteristic of generating an AC signal when the preset conditions for the input signals are met, and a constant DC signal otherwise (Kato, 1993; Sakai et al., 2000). The characteristics of the fail-safe devices used in the FSFDD limit the effects of an internal failure on the output signal. Thus, the possibility of the FSFDD output signal reaching the inactive state of 0 V is high if a fault is detected in the command signals or its components fail. A noise filter circuit is incorporated into the input terminal of the FSFDD to smooth the high-frequency noise in the command signals. More details on the FSFDD have been completely documented in studies 2009; Kato, 1993; Sakai et al., 2000).

How to reference
In order to correctly reference this scholarly work, feel free to copy and paste the following: Suwoong Lee and Yoji Yamada (2012). Risk Assessment and Functional Safety Analysis to Design Safety Function of a Human-Cooperative Robot, Human Machine Interaction -Getting Closer, Mr Inaki Maurtua (Ed.), ISBN: 978-953-307-890-8, InTech, Available from: http://www.intechopen.com/books/human-machineinteraction-getting-closer/risk-assessment-and-functional-safety-analysis-to-design-safety-function-of-ahuman-cooperative-robo