Meeting hard real-time communication and safety requirements with industrial Ethernet protocols for medical robotic systems
Medical robotic systems such as those used in surgery consist of many components, including sensors, I/Os, motors and embedded controllers, as well as additional devices such as endoscopes or surgical instruments, all controlled by a central control system. These robotic systems must fulfill many requirements: they need real-time communication capabilities, must meet performance goals, and must guarantee very precise motions, all in combination with a sound safety concept. Cost effectiveness and reliability also play a central role, and they must be achieved without trade-offs in the aforementioned objectives.
Industrial Ethernet technology for fast data transmission
EtherCAT (Ethernet for Control Automation Technology) is an industrial Ethernet technology that combines high performance and extremely short cycle times (one millisecond and below) with a high data transfer rate (100 Mbit/s). From our point of view, the EtherCAT and FSoE (Functional Safety over EtherCAT) protocols are particularly suited as communication systems to meet today's extensive medical and technological demands.
ITK Engineering has been a member of the EtherCAT Technology Group (ETG) since 2013, takes part in ETG events and cooperates closely with EtherCAT software and device vendors. Our engineers have been using EtherCAT and FSoE for more than a decade when developing medical software and systems. During this period, we have gained deep experience in the configuration, operation and diagnosis of large EtherCAT networks, and also in changing EtherCAT network topologies at runtime by means of so-called hot connect groups. ITK Engineering employs both commercial and open source EtherCAT stacks supporting various real-time operating systems such as QNX, Windows, Xenomai and Linux with the RT Preempt patch.
We are familiar with motion control on the basis of CiA402, with synchronization by means of distributed clocks and with the following EtherCAT mailbox protocols:
In addition, our experience with residual bus simulation can be of great value for our customers, especially in early project phases. To share our knowledge with the next generation of great engineers, we also support and supervise student research projects that use EtherCAT technology.
Functional safety in the healthcare domain
In today's industrial production plants, robots operate in separate cages or behind other physical barriers to ensure safe operation. However, this option does not exist for medical robots, which work in closest contact with patients and hospital staff. It is of utmost importance to guarantee safety while the robotic system moves very precisely and sometimes even at high velocities. Unintended and dangerous movements, e.g., caused by a hardware or a software fault, must be detected and prevented within milliseconds. One solution could be to transition the robotic system into a temporary safe state from which it can recover if the cause of the fault can be resolved. Safety and risk assessments must be considered from the beginning of development.
Our robotics engineers develop safety system architectures and complex safety applications within the scope of international standards like IEC 61508. The safety application can be either centralized or decentralized and is independent of the control application. Functional Safety over EtherCAT (FSoE) is a protocol that is certified for safety-critical applications up to Safety Integrity Level SIL 3. For our customers we configure, operate and diagnose large FSoE networks consisting of many certified safety devices from different vendors. Safe motion control functions like safe torque off, safe brake control and safe stop are realized. FSoE networks are configured in a modular way, combining related parts to manage complexity. The safe deactivation of FSoE devices is also supported so that the system can be shut down properly. To develop safety applications, we use tools that are certified by TÜV SÜD. In addition, we have successfully developed our own FSoE MainInstance stack and FSoE SubordinateInstance stack according to the official FSoE specification ETG.5100 S (D) V1.2.0.
Supervising the medical robotic control system
Besides the detection of communication errors, it is also necessary to supervise the control application. Redundancy is essential to meet safety requirements. To detect faulty control outputs, we develop diagnosis and supervision applications that check the computations of the control application. We develop plausibility and other technical checks as well as comparators that check the consistency of the control system and the supervisor system in every execution cycle. Time synchronization between the control system and the supervisor system poses a challenge that we also address. In case of a critical error, or even potentially faulty behavior of the control system, the supervisor system can immediately transfer the whole system into a safe state.
Our engineers have successfully realized this approach in recent years, and evidence of regulatory compliance has been provided.
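The per-cycle supervision described above, as an added example that is not ITK Engineering's code: a supervisor step that applies a plausibility check to the control output, compares it with the redundant supervisor value only when both samples carry the same cycle counter, and latches a fault that demands the safe state. The limits, the `Sample` layout and the policy of tolerating a bounded number of unaligned cycles are assumptions made for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical limits; real values come from the risk analysis. */
#define MAX_VELOCITY   2.0   /* rad/s, plausibility bound */
#define MAX_DEVIATION  0.01  /* rad/s, allowed channel disagreement */
#define MAX_STALE      2u    /* cycles without a matching sample pair */

typedef struct {
    uint32_t cycle;     /* cycle counter stamped by the producer */
    double   velocity;  /* commanded joint velocity */
} Sample;

typedef enum { FAULT_NONE, FAULT_IMPLAUSIBLE, FAULT_STALE, FAULT_MISMATCH } Fault;

typedef struct {
    unsigned stale;   /* consecutive cycles with unaligned samples */
    Fault    fault;   /* latched; FAULT_NONE means motion is permitted */
} Supervisor;

/* Latch the fault; the caller must then command the safe state. */
static bool trip(Supervisor *s, Fault f) { s->fault = f; return false; }

/* Run once per execution cycle. Returns true while motion is permitted. */
bool supervisor_step(Supervisor *s, const Sample *ctrl, const Sample *sup)
{
    if (s->fault != FAULT_NONE)
        return false;                       /* stays tripped until reset */

    /* Plausibility: NaN/inf or out-of-range commands trip at once. */
    if (!isfinite(ctrl->velocity) || fabs(ctrl->velocity) > MAX_VELOCITY)
        return trip(s, FAULT_IMPLAUSIBLE);

    /* Time alignment: only samples from the same cycle are comparable. */
    if (ctrl->cycle != sup->cycle) {
        if (++s->stale > MAX_STALE)
            return trip(s, FAULT_STALE);
        return true;                        /* bounded tolerance for jitter */
    }
    s->stale = 0;

    /* Comparator: both channels must agree within the tolerance. */
    if (!isfinite(sup->velocity) ||
        fabs(ctrl->velocity - sup->velocity) > MAX_DEVIATION)
        return trip(s, FAULT_MISMATCH);
    return true;
}
```

Because the fault is latched, a later cycle with matching values does not re-enable motion; clearing it is left to an explicit recovery path outside this example.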
ITK Engineering has profound knowledge and long-standing experience in developing control and safety systems for advanced medical robots using EtherCAT technology and the FSoE protocol. Please do not hesitate to get in touch with our experts to discuss your use cases: [email protected]
EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by Beckhoff Automation GmbH, Germany.
Curious? Then don't miss the next issues and subscribe to our newsletter here and follow ITK-Engineering.