CEN WORKSHOP AGREEMENT Date: 2021-06-01

CWA XXXXX: 2021

Secretariat: UNI

Safety in close human-robot interaction: procedures for validation tests

ICS:

CCMC will prepare and attach the official title page.

CWA XXXX:2021 (E)

Contents

European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Robot categories and general concepts of safety-related processes
4.1 Robot categorization
4.2 Robots under Machinery Directive
4.2.1 Industrial robots
4.2.2 Service robots
4.2.3 Personal care robots
4.3 Medical robots
4.4 Transversal “System-level” safety validation
5 Cross-category safety skills
5.1 An example: Limit Range of Movement
5.2 Safety skills for CHRI
5.2.1 Limit Physical Interaction Energy
5.2.2 Maintain Safe Distance
5.2.3 Dynamic Stability
5.2.4 Limit Range of Movement
5.2.5 Maintain Proper Alignment
5.2.6 Limit Restraining Energy
6 System-Level Validation Protocols
6.1 SLVP identification
6.2 Contents of a SLVP
6.3 SLVP examples
Annex A (informative) - Safety perspectives in modern robotics
Annex B (informative) - List of test methods provided by standards
Annex C - System-level validation protocol template
Annex D - SLVP example: Test mobile platform to maintain a separation distance
Annex E - SLVP example: Test manipulator in shared human-robot control to prevent spatial overreaching for the subject
Bibliography


European foreword

This CEN Workshop Agreement has been developed in accordance with the CEN-CENELEC Guide 29 “CEN/CENELEC Workshop Agreements – A rapid prototyping to ” and with the relevant provisions of CEN/CENELEC Internal Regulations - Part 2. It was approved by a Workshop of representatives of interested parties on YYYY-MM-DD, the constitution of which was supported by CEN following the public call for participation made on YYYY-MM-DD. However, this Workshop Agreement does not necessarily include all relevant stakeholders.

The final text of this CEN Workshop Agreement was provided to CEN for publication on YYYY-MM-DD.

Results incorporated in this CWA received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 779966.

The following organizations and individuals developed and approved this CEN Workshop Agreement:

- name organization/individual
- name organization/individual

….

Although the Workshop parties have made every effort to ensure the reliability and accuracy of technical and non-technical descriptions, the Workshop is not able to guarantee, explicitly or implicitly, the correctness of this document. Anyone who applies this CEN Workshop Agreement shall be aware that neither the Workshop, nor CEN, can be held liable for damages or losses of any kind whatsoever. The use of this CEN Workshop Agreement does not relieve users of their responsibility for their own actions, and they apply this document at their own risk. The CEN Workshop Agreement should not be construed as legal advice authoritatively endorsed by CEN/CENELEC.


Introduction

The traditional concept of industrial robots refers to bulky machines, where robot workspace is physically separated from the utilizer work environment. The concept of collaborative applications reached the industrial domain and was elevated to one of the key-enabling technologies of the Industry 4.0 paradigm. Similar approaches can nowadays be applied to a wide variety of other machines, designed to work closely with humans.

At the same time, we are witnessing increasing implementation of service robots in several domains, such as rehabilitation, personal care, agriculture and logistics. Medical equipment and systems based on robotic technologies are increasingly used in current medical practice, and rehabilitation and assistance robots in particular have become relevant, as aging populations are increasingly affected by chronic disabilities.

As a consequence, human-robot interaction is becoming closer in industrial practice and, on the other hand, the unstructured - and often close - human-robot interaction characterizing service robots is becoming increasingly relevant as these machines spread in the different application fields.

In general, robot systems and applications characterized by close human-robot interaction (such as collaborative applications in industrial robotics or rehabilitation robots in medical applications) are accompanied by new challenges from the safety perspective (i.e. the potential - or intended - contact between human and robot introduces a higher exposure to mechanical hazards). In such cases, the assessment of safety can be highly complex and variable, depending on the specific implementation scenario and the safety-related measures implemented. The new safety-related challenges need to be properly addressed and validated.

According to robot categorization, standards provide different means to deal with safety assessment in human-robot interaction, and several test methods have been recommended in the last few years, characterized by different levels of detail and belonging to different robot categories. Considering the common challenges characterizing close human-robot interaction for various domains, the objective of this CWA is to provide a framework for compiling testing procedures for the validation of the residual risks related to the mechanical hazards arising in close human-robot interaction, by using a transversal approach based on standard and well-established best practices. The following stakeholders can benefit from this CWA:

- for industrial robots: integrators or users when defining the specific application to implement a robot or a robotic device;
- for the medical robotics field: manufacturers, for the residual risk evaluation (where not otherwise indicated by ISO 14971 and ISO/TR 24971), in the process, or other users willing to evaluate the mechanical risks in some usage scenarios;
- for service robots other than medical ones: manufacturers, or other professional users willing to evaluate the mechanical risks in some usage scenarios.

The systematic pooling of practices and information belonging to different robot categories can significantly expand the base of knowledge available for the stakeholders. As an example, ISO/TR 23482-1 refers to ISO/TS 15066 for the data of pain onset for physical contacts and IEC 80601-2-78 refers to EN ISO 13482 for the consideration of risk reduction measures for robot collision with safety-related obstacles. The present CEN Workshop Agreement (CWA) intends to provide methodology and criteria to support stakeholders in the consistent development and use of uniform, transversal testing procedures for mechanical safety.


1 Scope

The present CWA “Safety in close human-robot interaction: procedures for validation tests” intends to outline a uniform framework, transversal with respect to the different robot categories and limited to those robots and robotic applications characterized by close human-robot interaction, for the development and/or use of testing procedures, possibly applicable to different robot categories and use scenarios.

This framework is based on the concepts of “Safety skills”, as abstract representations of the capability of a robotic system or application to be characterized as safe from a certain perspective, and “System level validation protocols”, as step-by-step procedures to validate safety skills.

The evaluation of risks in close human-robot interaction may be variable and require specific assessment. As the main aim of the CWA, the “system level safety validation” targets the risks characterizing a robot implementation or robotic application; although it is recognized that mechanical safety is not the only relevant dimension of safety when dealing with close human-robot interaction [7], [8], the present work is limited to the scope of mechanical hazards. Safety dimensions relevant for safe implementation of collaborative robots beyond physical safety are listed and explained in Annex A (informative).

The current CWA is not aimed at substituting or simplifying verification and/or validation procedures reported in standards, but at supplementing the existing regulatory framework with practical guidance.

Therefore, the objectives of this work are the following:

- define an approach for testing safety at a system level based on safety skills in close human-robot interaction;
- define a comprehensive list of application-driven, technology-invariant safety skills valid across different domains;
- provide a template for system level validation protocols;
- by way of example, present two system-level validation protocols, applicable to multiple domains.

Note: The following devices, systems and applications are outside the scope of this CWA: autonomous vehicles for the transportation of humans, drones, rescue robots (including ground, marine and aerial vehicles), surgical robots in relation to the body of the patient.

Note: The proposed CWA does not propose any safety requirement, nor is it intended to provide alternatives or simplification of the relevant standards for each robot category. It is aimed instead at providing, with a transversal approach, integration and clarification on testing procedures to support safety validation of the specific application scenario, supplementing those provided in the relevant standards. Users of this document are expected to be proficient in the directives, regulations and standards applicable for the specific system. Accordingly, an overview of robot categorization is provided in §4.1. Although care has been taken to address as many relevant standards as possible, the information included here may not cover all of them.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN ISO 10218-1:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots;


EN ISO 10218-2:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 2: Robot systems and integration;

EN ISO 13482:2014, Robots and robotic devices – Safety requirements for personal care robots;

EN ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and risk reduction;

ISO/TS 15066:2016, Robots and robotic devices – Collaborative robots;

EN ISO 14971:2020, Medical devices – Application of risk management to medical devices;

ISO/TR 24971, Medical devices — Guidance on the application of ISO 14971;

EN IEC 60601-1:2020, Medical electrical equipment - Part 1: General requirements for basic safety and essential performance;

IEC 80601-2-78:2019, Medical electrical equipment — Part 2-78: Particular requirements for basic safety and essential performance of medical robots for rehabilitation, assessment, compensation or alleviation;

IEC 80601-2-77:2019, Medical electrical equipment — Part 2-77: Particular requirements for the basic safety and essential performance of robotically assisted surgical equipment;

EN ISO 3691-4:2020, Industrial trucks — Safety requirements and verification — Part 4: Driverless industrial trucks and their systems.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in EN ISO 8373:2012, EN ISO 10218-2:2011, ISO/TR 23482-2:2019 and the following apply.

3.1
close human-robot interaction (CHRI)
Human-robot interaction in a shared environment in which human body contact with robots is either envisaged or avoided without using perimeter safeguarding.

3.2
close human-robot interaction application (CHRIA)
Robot application characterized by close human-robot interaction.

3.3
safety skill
Abstract representation (model) of the ability of a CHRIA to reduce a risk defined irrespective of the way it is implemented, be it due to an inherent design feature or a dedicated risk reduction/risk control measure/strategy/policy.
Note 1 to entry: safety skills have specific instances (i.e., actual implementation) depending on the application domain and the applicable requirements.


3.4
system-level safety validation (SLSV)
Test-based assessment of the behaviour of a complete system with regard to pre-defined pass/fail criteria for a given safety skill, considering the real use conditions.
Note 1 to entry: The SLSV may be performed on a subsystem for practical reasons, if this is representative of the behaviour of the complete system.

3.5
system-level validation protocol (SLVP)
Step-by-step instruction for executing validation measurements; it specifies testing procedures for SLSV.

3.6
residual risk
Risk remaining after risk control measures or all the protective measures have been implemented.
Note 1 to entry: For the mere purposes of this document, this definition combines the “residual risk” definitions provided in ISO/IEC Guide 63:2019, 3.9, and in EN ISO 12100, 3.13, in order to address both medical robots and robots within the scope of MD.
Note 2 to entry: For any other purposes, the above mentioned definitions apply.

3.7
utilizer
Either the operator of a robot or, if applicable, the beneficiary of the service/medical treatment provided by a personal care robot or a medical robot
[Adapted from EN ISO 13482, 3.26]

3.8
collaborative application
An industrial robot application that contains one or more collaborative task(s)
Note 1 to entry: Collaborative applications can include collaborative tasks and non-collaborative tasks.
[Adapted from ISO/DIS 10218-2:2020]

3.9
integrator
Entity that designs, provides, or assembles robot systems, robot applications and oversees the safety strategy, including the protective measures, control interfaces and interconnections of the control system(s)


Note to entry: The integrator can be a manufacturer, assembler, engineering company or the user
[SOURCE ISO/DIS 10218-2:2020]

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

- IEC Electropedia: available at http://www.electropedia.org/
- ISO Online browsing platform: available at http://www.iso.org/obp

4 Robot categories and general concepts of safety-related processes

4.1 Robot categorization

Robots and robotic devices are used with different scopes and in different application fields. Based on relevant definitions provided in EN ISO 8373 (and their updates), in some standards from the IEC 60601 series and in ISO/TR 23482-2, and considering the categorization reported in Figure 1 of the latter, the comprehensive categorization reported in Figure 1 is obtained.

Figure 1 - Categorization of robots based on EN ISO 8373, IEC 60601 series and ISO/TR 23482-2 definitions. RASE represent an exception among medical robots, as explained in §4.3.

With a few exceptions, robots fall within the scope of the Directive 2006/42/EC on machinery (Machinery Directive, MD). Due to the different design and safety-related approaches, medical robots fall primarily within the scope of Regulation 2017/745: Medical Device Regulation (MDR). According to Article 1:12 of Chapter 1 of the MDR, they have to comply also with health and safety requirements of Annex 1 of the MD, in cases in which hazards covered by MD are relevant and the MD requirements are more specific than the general safety and performance requirements provided in Annex 1 of Chapter II of MDR.

Other supplementary directives may also apply, such as: 2014/35/EU (Low Voltage Directive, LVD), 2014/30/EU (Electromagnetic Compatibility Directive, ECD), 2014/53/EU (Radio Equipment Directive, RED). Robots dedicated to consumer markets shall also comply with 2001/95/EC (General Product Safety Directive, GPSD) and 85/374/EEC (Directive on Liability of Defective Products, LDP). When meant to be implemented in some hazardous environments, other directives may apply, such as ATEX Directive 2014/34/EU and Regulation 1907/2006 (REACH). Robot applications involving workers must comply with 89/391/EEG (OSH Framework Directive).


Close human-robot interaction (CHRI) occurs when the spaces designated for the simultaneous operation of human beings and robots are either not defined or there are intentional overlaps among them and there is any possibility of contact (whether intended or not) between human and robot. The possibility of human-robot contact is translated to the onset of further mechanical hazards related to human-robot mutual movements and the forces the robot may exert. Depending on the specific hazardous scenario, these hazards can consist of simple impacts, crushing, trapping, pinching, shearing, entanglement, involving different parts of the human body and of the robot.

4.2 Robots under Machinery Directive

Robots are within the scope of the MD, defined as composed of “linked parts or components, at least one of which moves” and being actuated by a drive system. A programmable robot supplied by a robot manufacturer is regarded by the Machinery Directive as a “partly completed machinery” if it is not intended to perform a specific application (i.e. industrial robots). This means that the robot itself is not CE-marked for the MD, but all information needed by integrators to ensure safety, such as the assembly instructions, is provided by the robot manufacturer. To be considered as a “completed” machinery, it must be designed or integrated for a specific application (i.e. an industrial robot equipped with a specific end-effector and programmed for a specific application).

The Machinery Directive sets out the “Essential health and safety requirements relating to the design and construction of machinery”. Fulfilling these requirements is based on an “iterative process of risk assessment and risk reduction” for which one shall rely on the harmonized standard EN ISO 12100 (type A standard), which builds, in turn, on the IEC 60204-1 (type B). Such an iterative process starts with the risk assessment, which is strictly related to the defined limits and the intended use of the machine, including reasonably foreseeable misuse, and relies on the protective measures implemented by the manufacturer, the integrator (if present) and the user. The former are responsible for i) inherently safe design measures, ii) safeguarding and complementary protective measures and iii) information for use, to be applied in this hierarchical order. The user, in turn, shall implement protective measures based on information provided by the manufacturer and adopt other measures, being responsible for organization, provision and use of additional safeguards, use of personal protective equipment, training, etc. The implementation of all the risk reduction measures does not prevent the existence of residual risks; these must be assessed to verify the acceptability for the specific application.

4.2.1 Industrial robots

Working Group 3 of ISO TC 299 – Robotics deals with Industrial Safety. The most relevant type C standards that shall be considered are EN ISO 10218-1 and EN ISO 10218-2, focused on robot (1) and robot system and integration (2), respectively.

EN ISO 10218-1 reports a list of relevant hazards and related design requirements and protective measures, obtained by applying the protective measures described in EN ISO 12100. The required modes for the verification and validation of safety requirements and protective measures are expressed with reference to such hazards.

In the verification and validation of safety requirements and protective measures addressed by EN ISO 10218-2 a list of “verification and validation methods” (in §6.2 of the same standard) is provided, specified depending on the specific safety measures (as per Annex G of the same standard). Instructions on how to conduct “practical tests”, “measurement” or “observation during operation” are out of the scope of ISO 10218-1 and -2.

Collaborative applications are outlined in EN ISO 10218-1 and EN ISO 10218-2; ISO/TS 15066 shall be considered for a more detailed description of collaborative operation modes, including also the definition of the acceptable biomechanical limits for human-robot contact scenarios. The ISO/DIS 10218-2:2020 incorporates some of that information in several informative Annexes, dedicated to calculation and tests for collaborative applications. Its Annexes also report other relevant information as an update to the current versions of ISO 10218-1 and 10218-2, such as the list of significant hazards (Annex A of ISO/DIS 10218-2), the illustration of spaces (ISO/DIS 10218-2, Annex B), safety function performance requirements (ISO/DIS 10218-2, Annex C) and the means of verification and validation of the design and protective measures (ISO/DIS 10218-2, Annex H).

The Subcommittee 2 of the ISO TC 110 deals with Safety of powered industrial trucks. The EN ISO 3691-4 (type C) shall be considered for safety requirements and verification of driverless industrial trucks and their systems, including also autonomous mobile robots. Safety requirements and/or protective risk reduction measures are described. In Clause 5 of EN ISO 3691-4, dedicated to the verification of safety requirements and/or protective measures, some testing procedures are described, which can be relevant considering the CHRI perspective.

4.2.2 Service robots

Working Group 2 of ISO TC 299 deals with service robot safety, while Working Group 4 deals with service robot performance. Service robots perform tasks that are useful for humans and traditionally differ from industrial robots due to the following aspects:

- The level of HRI, which can be higher in physical and cognitive terms;
- The type of task, which is much more heterogeneous;
- The environment, which can be unstructured;
- The possibility of interacting with non-expert utilizers.

Due to the variety of applications in which service robots are implemented according to the existing subcategories, safety requirements can vary substantially. Accordingly, there is no Type C standard dealing with safety requirements applicable to all service robots.

In standards from the ISO 18646 series, several test methods are reported for the performance assessment of service robots. In those standards, the user is explicitly warned that the provided performance criteria are not to be interpreted for the verification or validation of safety requirements. However, some of the performance criteria may influence the safety, and some of the test methods may be considered when testing safety.

4.2.3 Personal care robots

Working Group 2 of ISO TC 299 issued standards related to Personal care robot safety. Personal care robots are aimed at enhancing the quality of life of utilizers and are characterized by the following features (Source: ISO/TR 23482-2):

— personal care robots are usually mobile and work among humans without being separated by guards;
— interaction between human and robot, including physical contact, is often an essential part of the robot’s task;
— personal care robots often have a certain degree of autonomy which enables them to act and decide without human intervention.

The reference type C standard which shall be considered is the EN ISO 13482:2014, addressing risk assessment, safety requirements and protective measures, safety-related control system requirements, verification and validation methods, among which there are also “practical tests” and “observation during operation”. The standard specifically states that “after all inherently safe design and protective measures have been adopted, the residual risk of the personal care robot shall be evaluated and proven that it is reduced to an acceptable level.”

ISO/TR 23482-1 describes several test methods to verify the compliance to requirements of EN ISO 13482. ISO/TR 23482-2 provides “Application guidelines” for ISO 13482. The proper risk reduction methodology is contextualized within the ISO 12100 approach and several working examples are provided.

4.3 Medical robots

The MDR emphasizes safety and performance during the entire lifetime of medical devices, including post-market evaluation. The level of detail needed for this post-market evaluation depends on the risk classification of the medical device (class I, IIa, IIb, or III) and the methodology has to be adequately defined by the manufacturer before the device can receive CE marking. The MDR focusses also on the performance of the medical device: how medical claims of the device can be proven, how to conduct clinical investigation in the pre-market phase, and extending it to post-market surveillance as well. This latter aspect aims at: i) providing a support based on clinical data to clinical performance defined by the manufacturer and ii) improving and refining the initial risk analysis, thus providing additional information for the benefit-risk analysis. These processes shall be properly described for the risk management process, as per EN ISO 14971. Risk management is under the responsibility of the sole manufacturer, as medical devices are produced with specific intended use(s). The risk management plan shall cover: i) risk analysis, ii) risk evaluation, iii) risk control, iv) evaluation of the overall residual risk, v) risk management review and vi) production and post-production activities. ISO/TR 24971 shall be considered as a guide on the application of EN ISO 14971.

The concept of benefit-risk analysis is fundamental for the characterization of medical robots. The use of a medical robot is expected to generate a certain benefit, in terms of clinical outcome after a treatment or improvement of the quality of life; benefits could also be related to diagnostic outcomes. This introduces a counterweight to the risks related to the use of the medical robot by the patient, as the final aim is not the execution of a working task, but patient health. A benefit-risk analysis is particularly useful when the residual risks related to the use of a medical device are not considered acceptable. The assessment of benefits related to a specific medical device should consider several factors, such as the type of expected benefits, their magnitude, the probability of effectiveness of the medical device, the duration of the effects. A benefit-risk comparison should then be performed, and the results recorded in the risk management file. ISO/TR 24971 provides guidance on how to perform a benefit-risk analysis.

The clinical data to support the clinical performance claims can be collected during clinical studies. In essence, the requirements in the MDR for conducting clinical studies follow the Good Clinical Practice (GCP) guidelines for medical devices. The MDR also contains a clear definition for clinical data to support the clinical performance claims, which is also more prescriptive than in the MDD (Directive 93/42/EEC on Medical Devices, amended by the MDR). GCP for clinical investigations with medical devices is set out in EN ISO 14155.

NOTE: At the moment of preparing this document, there are no standards harmonized under the MDR. The mentioned standards are harmonized under the MDD.

Committees dealing with medical devices are: IEC/TC 62 (Electrical equipment in medical practice), ISO/TC 210 (Quality management and corresponding general aspects for medical devices), CEN/CLC/JTC 3 (Quality management and corresponding general aspects for medical devices). The ISO Joint Work Group 5 (Medical robot safety) with IEC/SC 62A (Common aspects of electrical equipment used in medical practice) and IEC/SC 62B (Diagnostic imaging equipment) is focused on medical robots in particular.

For active medical devices, the standards from the IEC 60601 series apply. Concerning mechanical hazards associated with moving parts, IEC 60601-1, which shall be considered as the main reference, states that “The residual risk associated with moving parts is considered acceptable if exposure is needed for the ME” (medical electrical) “equipment to perform its intended function, and risk control measures have been implemented (e.g. warnings)”.


Particular standards from the IEC 60601 series, focused on specific categories of medical electrical equipment, may modify, replace or delete requirements reported in IEC 60601-1, as well as adding further basic safety and essential performance requirements. IEC 80601-2-78 shall be considered for the “Particular requirements for basic safety and essential performance of medical robots for rehabilitation, assessment, compensation or alleviation” (RACA robots), that are not clearly addressed in the IEC 60601-1 or for which interpretation can be complicated. Although a number of tests are specified related to the integrity of the device, no testing procedures are provided concerning the mechanical hazards that may affect the safety of the utilizer directly.

In IEC 80601-2-77, which shall be considered as a reference for robotically assisted surgical equipment (RASE), it is explicitly specified that RASE are characterized by zero autonomy, being aimed at assisting the surgeon, and, accordingly, “could not be equivalent to a medical robot”. Likewise, no specific conditions for which this document may be relevant were identified at the drafting stage. However, its relevance is not excluded on purpose, but limited to the interaction between the robot and the operator. It is also worth observing that IEC TR 60601-4-1 widely addresses the concept of “degree of autonomy”, providing also a classification method (IEC TR 60601-4-1, Table C.1); according to IEC TR 60601-4-1 §A.6, the manufacturer may decide to label a medical electrical equipment or a medical electrical system as a medical robot whenever the definition of robot is satisfied.

404 4.4 Transversal “System-level” safety validation

405 CHRI is characteristic for the majority of applications belonging to all the service robotics subcategories. 406 Concerning industrial robots, CHRI is typical of collaborative robot operations. It follows that CHRI- 407 related hazards may occur with different types of robotic devices and in diverse scenarios and 408 environment, including working or daily living activities, indoor or outdoor applications, involving expert 409 or non-expert – trained or untrained – utilizers. 410 Depending on the specific category and application, there are different available guidelines on how to 411 conduct risk assessment, design, verification and/or validation, normally provided in harmonized 412 standards. Focusing on safety in CHRI, from the perspective of the mechanical hazards, some verification 413 and/or validation processes indicate some test methods, which, considering the different robot 414 categories separately, are provided in different types of documents and presenting different levels of 415 detail. 416 Regardless the category they belong to, in all CHRI applications (CHRIA) there are mechanical risks, 417 unavoidable for the implementation of the specific task or activity. This introduces a common perspective 418 between industrial and service robots, as one fundamental difference, which is the different level of HRI, 419 lapses. At the same time, some mechanical hazards related to the operation of medical robots can be 420 analogue to ones characterizing personal care service robots or industrial collaborative robots, especially 421 when considering both patient and therapist/doctor perspectives during operation of a medical robot. 422 Such an approach is supported by the cross-reference examples between standards belonging to different 423 robot categories (i.e. ISO/TR 23482-1 referring to ISO/TS 15066 and IEC 80601-2-78 referring to EN ISO 424 13482). 
The mentioned risk is diverse and highly variable, as the CHRI, sometimes even occurring in an unstructured operational space, can be extremely variegated. This can generate uncertainty about the safety-related assessment of the risk when the change in use conditions may lead to different risk levels.

The concept of “system-level safety validation” (SLSV), as a further level besides the ones prescribed by the applicable standards, aims at providing users and – where relevant – integrators with a tool for the assessment of the residual risk for a specific implementation. The SLSV aims at testing the application as a whole, considering its implementation and the modalities of human-robot interaction, in the actual hazardous scenarios (i.e. configuration, state of the involved bodies, conditions, etc.) identified in the risk assessment phase.

NOTE: in case of robots within the scope of MD, the risk here considered is the one after all the protective measures have been implemented and SLSV may be suitable for users or – where relevant – integrators supplementing the risk reduction process provided by the EN ISO 12100. In the case of medical robots, the SLSV may be either part of the evaluation of the residual risk as per the risk management process prescribed by the EN ISO 14971 and detailed in the ISO/TR 24971, or conducted on a released product in use.

In order to respond to the significant variability of applications and related hazards, the testing procedures for SLSV - referred to as “system-level validation protocols” (SLVP) and described in Clause 6 - can be technically based, in order of priority, on (see Figure 2):

– Verification and/or validation tests described in standards or technical reports related to the specific robot category and subcategory under examination;
– Verification and/or validation tests described in standards or technical reports non-specific for the robot category under examination, but relevant for the application from the perspective of the type of CHRI and related hazards;
– Well-established best practices and technologies relevant for the specific application.

A list of test methods available in standard documents is reported in Annex B (the list may not be exhaustive). Exploiting specific procedures transversally with respect to robot categories copes with the continuous increase of types of CHRIA. To characterize SLSV requirements, and thus identify appropriate cross-correlation between applications of different categories and related testing procedures, the concept of “safety skills” is introduced, described in Clause 5.

Figure 2 – SLVP development for SLSV


5 Cross-category safety skills

For simplifying system level safety validation and enabling a cross-category approach, the concept of safety skills is introduced. Safety skills are defined as abstract representations of an ability of a CHRIA to reduce a risk (§3.3). A safety skill is abstract as it does not depend on the way it is implemented but only on the safe target behaviour it describes.

Abstracting safety skills is a way to be transversal to different types of devices, and to be technically neutral. This concept is used here to define a unified framework for SLVP and mutualise their development.

NOTE: The MD and MDR are committed to be technically neutral. Whenever possible, this is also a concern in the writing of the related safety standard where requirements are expressed, in terms of objectives and associated performance.

NOTE: The safety skills can be considered as functional specifications for technical risk reduction measures. Functional specification is generally well adopted in engineering, and has been developed in value analysis [32], [33] and design engineering methods [34].

5.1 An example: Limit Range of Movement

Considering a generic robotic manipulator for which a certain zone is forbidden for safety reasons, the appropriate safety skill to be applied is “Limit Range of Movement” (LRM), where the limit is defined as a 3D space.

The hazards covered by a LRM safety skill may be of different nature, such as:

a) collision of the robot or of the robot tool with the operator or other humans passing in this zone;
b) operator working with the robot in non-ergonomic posture, involving possibly hazardous movements;
c) over-stretching the limbs of the utilizer of a rehabilitation robot.

These three cases are illustrated in Figure 3.

Before being implemented and validated, the safety skill has to be described more precisely for the considered robotic system and use application scenario. For the LRM safety skill, the nature of the limit, its shape and position have to be defined. In the case of a 3D space limit, it is important to define also to which parts of the robot system it applies; e.g. to the end-effector, or to all the robot parts. The safety skill description translates the safety skill into a specification of the safety-related behavior, but is still neutral with respect to the technical solution.

The implementation of the safety skill can rely on different means and technical solutions, from inherently safe design measures to safeguarding measures, control system safety functions. The range of possible solutions is wide, although at a stage of technological development, some may be predominant for a given type of robot. The LRM safety skill can be achieved, for instance, by positioning the robot manipulator so that the maximum space of the robot does not overlap the hazard zone. This can be considered as an inherently safe design measure. Similarly, when using a rehabilitation robot, the patient position with respect to the robot may be a way to forbid overstretching. Limiting the robot joint(s) range of movement can be realized by mechanical stops or by software (axis limiting in ISO 10218-1). Cartesian space limiting is indeed commonly provided by robot manufacturers, but other solutions using an external device are also possible. Finally, a given safety skill can be implemented by combining different technical solutions.

Then, before using the system, it shall be checked if the technical solution is in place and is ensuring the safety skill as it is specified in the safety skill description. This can be done by a physical test, i.e. performing a SLSV.


Even if the LRM safety skill is implemented by an inherently safe design measure (i.e. based on the positioning of the robot), it is still possible that the safety skill is not properly achieved, due to some differences in the effective placement of the robot at the installation, or the region to be forbidden may not be appropriate due to some changes in the environment. Testing in the real use condition, even with a simple test, can be relevant. It is also worth testing the safety skill if it is implemented by using a safety function. The aim is not to test the performance level of the safety function (provided by the manufacturer) but to check that the safety function has been adequately programmed or configured.

What is particularly useful in the safety skill concept is that the same test method may be used for a given safety skill, independent of the technical solution used in the safety skill implementation.

Figure 3 - Example of the LRM safety skill, with three application cases corresponding to different hazards.
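The effect of stating which robot parts a 3D limit applies to can be seen by checking the same recorded poses under both scopes. The following Python sketch is an added example and not part of this CWA; the box-shaped zone, the pose format (Cartesian points along the arm), the zero-thickness link model and all coordinates are assumptions constructed for illustration.

```python
"""LRM check over recorded robot poses. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Point = Tuple[float, float, float]
Pose = Sequence[Point]  # Cartesian points along the chain: base, ..., end-effector


@dataclass(frozen=True)
class ForbiddenZone:
    """Axis-aligned box in the robot base frame, in metres (assumed zone shape)."""
    lo: Point
    hi: Point

    def contains(self, p: Point) -> bool:
        return all(l <= c <= h for l, c, h in zip(self.lo, p, self.hi))

    def hit_by_segment(self, a: Point, b: Point) -> bool:
        """Slab test: True if the straight link from a to b touches the box.

        Links are modelled as zero-thickness lines (assumption); for real links
        the zone would have to be enlarged by the link radius.
        """
        t_enter, t_exit = 0.0, 1.0
        for l, h, ca, cb in zip(self.lo, self.hi, a, b):
            d = cb - ca
            if abs(d) < 1e-12:            # link parallel to this pair of faces
                if ca < l or ca > h:
                    return False
                continue
            t1, t2 = sorted(((l - ca) / d, (h - ca) / d))
            t_enter, t_exit = max(t_enter, t1), min(t_exit, t2)
            if t_enter > t_exit:
                return False
        return True


def lrm_violations(poses: Sequence[Pose], zone: ForbiddenZone, scope: str) -> List[int]:
    """Return the indices of recorded poses that break the limit.

    scope="end_effector": only the last point of each pose is checked.
    scope="all_parts":    every link (segment between consecutive points) is checked.
    """
    if scope not in ("end_effector", "all_parts"):
        raise ValueError(f"unknown scope: {scope}")
    bad = []
    for i, pose in enumerate(poses):
        if scope == "end_effector":
            violated = zone.contains(pose[-1])
        else:
            violated = any(zone.hit_by_segment(a, b) for a, b in zip(pose, pose[1:]))
        if violated:
            bad.append(i)
    return bad


# Constructed sample: a forbidden zone and four recorded poses (base, elbow, end-effector).
ZONE = ForbiddenZone(lo=(0.4, -0.2, 0.0), hi=(0.6, 0.2, 0.5))
BASE = (0.0, 0.0, 0.3)
RECORDED_POSES = [
    [BASE, (0.2, 0.5, 0.6), (0.3, 0.8, 0.4)],   # whole arm clear of the zone
    [BASE, (0.5, 0.0, 0.3), (0.9, 0.0, 0.3)],   # elbow inside, end-effector beyond it
    [BASE, (0.3, 0.3, 0.6), (0.5, 0.1, 0.4)],   # end-effector inside
    [BASE, (0.3, 0.0, 0.2), (0.7, 0.0, 0.2)],   # forearm crosses, both ends outside
]

if __name__ == "__main__":
    for scope in ("end_effector", "all_parts"):
        print(scope, lrm_violations(RECORDED_POSES, ZONE, scope))
```

With the limit scoped to the end-effector only one pose is flagged, while the same recording fails in three poses once the limit applies to all robot parts.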


5.2 Safety skills for CHRI

The safety skills identified so far [35] include:

– Limit Physical Interaction Energy (LIE);
– Maintain Safe Distance (MSD);
– Dynamic Stability (DYS);
– Limit Range of Movement (LRM);
– Maintain Proper Alignment (MPA);
– Limit Restraining Energy (LRE).

By properly considering the safety skills from this list, it is possible to address the CHRI-related risks arising in the different collaborative operation modes (as per ISO/TS 15066), as well as those possibly generated and relevant in several CHRIA (i.e., some mechanical risks listed in IEC 80601-2-78 are covered).

Each safety skill can be valid for several robot categories, robotic devices and their applications. Safety skills are suitable for the SLSV. They are described in the following sub-sections.

As further explained in §6.1, not all robot categories are expected to benefit from the application of each safety skill, as their applicability depends on the specific use application scenario and safety requirements (i.e., the relevance of safety skills in the rehabilitation robotics domain described in [36]).

5.2.1 Limit Physical Interaction Energy

The LIE safety skill aims to ensure the absence of injuries in case of physical contact between the robot and humans involved in the interaction. It includes all the unintended contact situations, either transient or quasi-static, which are identified in the risk assessment - due to intended use or foreseeable misuse.

At the moment of writing of this document, pain onset thresholds for human-robot collision have been proposed for forces and pressure in ISO/TS 15066, based on biomechanical studies. The same thresholds are reported in ISO/DIS 10218-2 in Annex M (informative). Energy thresholds are not defined independently but are resulting from the force thresholds. However, the energy can be a more physically appropriate measure to describe the risk for some injuries such as fractures.

NOTE: when the physical contact is part of the operating mode (i.e. in hand guided mode), the limitation of forces is not aimed for safety but rather for usability, and as such is not considered as part of the LIE safety skill.

5.2.2 Maintain Safe Distance

The MSD safety skill defines the ability of the robotic system to maintain a safe distance with respect to humans. It can be based on monitoring the distance, and avoiding contact by stopping or modifying its path, possibly adapting the speed to the distance. The skill includes also the basic ability to stop following a safety signal or the activation of an emergency stop button.

In all robots, a stop function shall be implemented.

5.2.3 Dynamic Stability

The DYS safety skill defines the ability of the robot system to avoid falling over, possibly harming a person. It generally concerns mobile robots, possibly equipped with a robot arm or an effector. The word “dynamic” here means that the robot will be stable under dynamic conditions, during movement of the robot itself and/or that of the integrated robotic devices.


NOTE: this safety skill includes the static case as a subcase.

5.2.4 Limit Range of Movement

The LRM safety skill is applicable either to limit the space reached by the robot, or to limit some of its trajectory features such as speed, acceleration, curvature and jerks.

When dealing with space limiting, the limit can be defined in various ways. For instance, the limit can be based on axis position or can be defined based on end-effector position. It can be also applied to different parts of the robot (all or some segments, end-effector or work piece). Space limits and other LRM limits can be linked, for instance when a speed limit is defined for certain spaces of the robot workspace.

5.2.5 Maintain Proper Alignment

The MPA safety skill aims to ensure a kinematic compatibility between the movement provided by the system and the human joint axes.

This skill is relevant when a robotic device or joint with limited degrees of freedom acts in parallel with a human joint. This configuration is found in particular in exoskeletons, those used as physical assistants in different application domains and those used as rehabilitation robots. However, it can also be applied in rehabilitation robotics with a robot that is not an exoskeleton, when a human joint is mobilized by the robot.

This is challenging, as the human joints have complex kinematics depending on bone geometry, but also varying based on many biomechanical and neurological factors. From the design perspective, it is addressed by manufacturers of rehabilitation robots and exoskeletons with various strategies, such as joint design characterized by human-like kinematics and accurate placement and design of the brackets between human limbs and the rehabilitation system, including some compliance to compensate for any kinematic mismatch.

When misalignment occurs, it produces forces in the attachment; limiting these forces is considered within the concept of LRE safety skill. MPA considers the misalignment itself and possible effects on the musculoskeletal system.

NOTE: In rehabilitation robotics, the MPA safety skill addresses the mechanical hazard indicated by IEC 80601-2-78, Clause 201.9.101.

5.2.6 Limit Restraining Energy

When one or more limbs of the utilizer are strapped to a robot to be either moved by the robot or the movement is the result of a shared human-robot control, forces and pressures are transmitted to the restrained part of the human body, possibly causing harm. This can either be at the interface, where continuous/repetitive pressure and shear can cause discomfort or injuries, or at the musculoskeletal level, where excessive forces and torques can also cause injuries. The LRE safety skill corresponds to limiting the level of those loads.

6 System-Level Validation Protocols

A SLVP is a step-by-step instruction for executing validation measurements that specifies procedures for SLSV. As per their definition and scope, safety skills are abstract concepts applying to different CHRI scenarios. Their proper and effective application depends on several operation features, such as the domain in which they are tested, the design of the robotized operation, and the type of robotic system involved.


SLSV requires assessing the safety features of the application from the perspective of the specific safety skill, providing evidence of the effectiveness of the combined safety measures implemented, possibly with reference to the relevant standards. Such an assessment is not a trivial task, as it requires, in order:

1) a comprehensive knowledge of the applicable regulation landscape,
2) critical awareness of the relevant physical metrics and performance data to be measured,
3) technical knowledge of the most appropriate testing equipment and methodologies,
4) the production of clear, complete, and self-explanatory reports.

Depending on the robot category, risk assessment or risk management are fundamental preliminary steps for identifying the residual risk, which is the input information of the SLSV. The relevant hazardous situation and testing conditions depend on the specific installation, environment, task, utilizer awareness, protective or risk control measures, etc.

A SLVP reflects the current state of the art in the validation of a specific safety skill for a CHRIA. It describes SLSV in context of an application. It gives contextual information on assumptions and factors which are critical for the validation. Furthermore, it formalizes both target metrics and how to measure against those. It outlines procedures for how to perform experiments and gives a way to structure the measurement results.

6.1 SLVP identification

To exploit the potential of the cross-category approach, SLVPs should be general procedures, applicable in several domains and identified only by two fundamental variables, which are the safety skill to be validated and the robotic device involved in the specific task to be used for the validation. A first nucleus of robotic devices which can be implemented in CHRIA is the following:

– Robotic arm (i.e. an industrial manipulator or a robot arm used for rehabilitation), ROB;
– Mechanical Gripper (an end-effector type considered separately as it may be characterized by specific hazards), GRI;
– Mobile platform (i.e. an industrial autonomous truck or a “highly automated agricultural machine” as per EN ISO 18497), MOB;
– Mobile robot (i.e. a mobile platform with a manipulator or a mobile servant robot), MRO;
– Exoskeleton (i.e. RACA type or intended for augmentation, support etc.), EXO;
– Balance trainer (for rehabilitation), BAT;
– Weight support (i.e. body weight support for rehabilitation), WSU.

In Table 1, a correlation matrix is reported, identifying the possible relevance of each safety skill in relation to the different robotic devices. The correlation dots indicate the possible necessity of a SLVP, identified by the corresponding safety skill and robotic device. The actual relevance of each combination depends then on the specific use application scenario (i.e. the nature of CHRI-related risks identified).

More SLVPs may be developed based on the same robotic device–safety skill combination, considering the use of different measuring equipment. Likewise, there can be specific operation conditions, which can vary depending on task design or the context of use, leading to different testing approaches. These aspects result in the development of SLVP variants for the same robotic device–safety skill combination.


LIE MSD DYS LRM MPA LRE

ROB • • • •

GRI • •

MOB • • • •

MRO • • • •

EXO • • • •

BAT • • • • •

WSU • • • • •

Table 1 – Correlation matrix between safety skills and robotic devices.

6.2 Contents of a SLVP

The SLVP structure is defined in Table 2. A detailed suitable template for a SLVP is reported in Annex C.

Section | Contents
Introduction | – Scope and limitations – Definition and terms
Concept and objectives | – Characterization of hazards to consider for safety skill validation – Target metrics: physical, measurable quantities that the validation of the safety skill depends on in relation to a specific risk reduction level
Conditions | – System, environment, other relevant aspects
Test setup | – Description of test equipment and test method
Procedure | – Test plan – Test preparation – Step-by-step testing procedure – Practices for data analysis – Instruction on how to document the validation of the safety skill
Annexes | – Bibliography, relevant regulations, and standards – Reporting templates and eventual further relevant information

Table 2 – General contents of a SLVP

An “introduction” section defines the safety skill, the system under test (e.g. a robot arm), a sub-system (if any, e.g. an end-effector), conditions – in terms of environment – and importantly the measurement devices required for validation.


The “concepts and objectives” section has information on relevant hazards and parameters (e.g. joint angles of a robot, velocities etc.). Furthermore, one or more metrics are defined, based either on observation (Boolean variables) or on physical and measurable quantities. These quantities are the output variables for the validation. The SLVP shall identify target metrics, whose values are the benchmarks indicating if the residual risk is actually acceptable for the CHRIA under examination. They sometimes represent a criterion, such as a threshold, that test output values must not exceed for considering the test as passed (predicates).

The “conditions” section reports the conditions influencing the hazardous situation and the factors that have a significant impact on the test results (output values). If there are sub-systems (e.g. a robotic arm on a mobile platform), then a description of conditions (sub-system parameters) that have a significant impact on the target metrics shall be included. The environment is described through the environmental conditions which have a significant influence on the validation results (e.g., inclination or surface conditions).

The “test setup” section describes how the test is to be performed. That is accomplished through a description of the test arrangement (e.g. how to arrange the sensors and the system within the test environment) and the sensing devices (e.g. load cells, photo sensors, etc.).

The “procedure” section gives the step-by-step procedure for the test execution and the data acquisition, including instructions for recording, logging, and pre-processing (filtering, offset compensation) sensor data. Furthermore, it defines which data analysis to perform, including instructions for interpreting the results. Finally, reporting is exemplified.

The “annexes” section contains a bibliography, reporting templates and other relevant information.

6.3 SLVP examples

In Annex D, an SLVP example is reported, for the SLSV of a mobile robot application to validate the safety skill MSD by measurement. It can be applied for example to mobile robot systems used in logistics and manufacturing. The application of MSD in this case is in the form of preventing collisions between the robot and human bodies. The SLVP validates that the stopping time or distance is never exceeded by a mobile robot system detecting objects and triggering a stop consequently.

The scope of another SLVP example reported in Annex E is to validate the safety skill LRM for a manipulator used either for a hand guiding application or for rehabilitation purposes, with a limb of a subject having a connection point with the robot (either free or restrained) and that point can move within a 3D volume under a shared human-robot control.


Annex A (informative) - Safety perspectives in modern robotics

Traditionally, the definition of safety has been interpreted to exclusively apply to risks that have a physical impact on persons' safety, such as, among others, mechanical or chemical risks. The developments in cyber-physical systems such as (collaborative) robots and integration of Artificial Intelligence (AI) in those systems, increase interconnectivity with several devices and cloud services. This influences the growing human-robot interaction challenges and affects the current, rather narrow, conceptualisation of safety from the mechanical perspective.

To address safety comprehensively, robotics demands a broad understanding of safety, extending beyond physical interaction, also covering aspects such as cybersecurity, and mental health. Moreover, the expanding use of machine learning techniques will more frequently demand evolving safety mechanisms to safeguard the substantial modifications taking place over time as robots embed more AI features. In this sense, it is important to expand the different dimensions of the concept of safety beyond physical safety, including interaction (consisting of physical and social aspects), psychosocial, cybersecurity, temporal, and societal dimensions.

As depicted in Figure A.1, these different dimensions interact with each other, at different moments in time (and simultaneously), and affect one another. Depending on the context of use, the robot embodiment, and the type of (C)HRI involved, the dimension interplay will vary.

Figure A.1 - The different dimensions of safety in context of collaborative robots and AI

These dimensions can help robot developers understand the concept of safety in context of cobots’ and AI's increasing capabilities, including human-robot interactions, cybersecurity, and machine learning.


A.1 Interaction dimension

Physical interaction between a robot and a human operator creates a physical safety dimension related to the protection of utilizers from injuries related to such interaction. Interaction can extend further than the physical dimension. Social robots interact with utilizers socially, often with zero-contact between the robot and the utilizer, which challenges the applicability of current safeguards focussing solely on physical HRI. Recent advances in social and industrial robots allow robots to read social cues, anticipate behaviour, and even predict emotions, therefore giving them sophisticated social abilities.

A.2 Cyber dimension

The integration of AI in cyber-physical systems such as (collaborative) robots, the increasing interconnectivity with other devices and cloud services, and the growing human-machine interaction challenge the narrow concept of physical system safety. Cloud services allow robots to offload heavy computational tasks such as navigation, speech, or object recognition on the cloud, and in this way mitigate some of the limitations posed by their physical embodiment. However, the more functions are performed across interconnected systems and devices, the more opportunities for weaknesses in those systems to arise, and the higher the risk of system failures or malicious attacks.

A.3 Temporal dimension

Safety has a temporal dimension. For instance, harm can appear after the continuous use of a device. In the case of wearable gait exoskeletons, abnormal joint loading could cause a problem at a later stage, causing what is called prospective liability.

Machine learning provides machines with the possibility to learn from experience and adapt over time - something that is keeping certification agencies and policymakers around the world busy. Safety concepts should explicitly address protection against risks related to subsequently uploaded software and extended functions acquired by machine learning.

The ability to make decisions based on predictive analytics is also a new element added to the temporal dimension that may challenge the utilizer’s safety - in case of wrongly predicted or inferred actions (i.e., a wrong future). These capabilities can lead to very unfortunate, but that have also ulterior consequences at the cybersecurity level.

A.4 Societal dimension

The societal dimension of safety refers to the societal challenges and consequences of introducing robots in society. One societal challenge is how education is changing due to the introduction of these robots, either in factories or in hospitals where the treatment success does not depend just on the surgeon, physician or therapist any longer but on the complex interaction and interplay between the clinicians, the supporting staff, the client, and the robot (i.e., the manufacturer).


Annex B (informative) - List of test methods provided by standards

A list of test methods related to mechanical hazards in robot applications is reported in Table B.1.

Standard | Clause/Section | Test | Relevance (Safety skill – device/s)
EN ISO 3691-4:2020 | Clause 5.2 | Tests for detection of persons | MSD - MOB, MRO
 | Clause 5.3 | Stability tests | DYS - MOB, MRO
EN ISO 18497:2018 | Clause 5.4 | Verification of minimum performance of the system perception and safety | MSD - MOB, MRO (outdoor)
ISO/TR 23482-1:2020 | Clause 7 | Physical hazard characteristics (for mobile robots) | LIE - MOB, MRO
 | Clause 8 | Physical hazard characteristics (for restraint-type physical assistance robots) | LRE - ROB
 | Clause 11 | Static stability characteristics | DYS - MOB, MRO
 | Clause 12 | Dynamic stability characteristics with respect to moving parts (mobile robot) | DYS - MOB, MRO
 | Clause 13 | Dynamic stability characteristics with respect to travel (for mobile robot) | DYS - MOB, MRO
 | Clause 14.2 | Test of operation in slippery environments | DYS - MOB, MRO
 | Clause 15 | Response to safety-related obstacles on the ground (mobile robot) | MSD - MOB, MRO
ISO/DIS 10218-2:2020 ¹ | Annex N (informative) | Power and force limited robot applications – Pressure and force measurements | LIE – ROB
ISO/WD 5363 ¹˒² | - | Test Methods for Exoskeleton-type walking RACA robot | Early stage of document development - EXO
ISO 18646-1:2016 ² | Clause 6 | Stopping characteristics | MSD - MOB, ROB
 | Clause 7 | Maximum slope angle | DYS - MOB, ROB
 | Clause 9 | Mobility over the sill | DYS - MOB, ROB
ISO 18646-2:2019 ² | Clause 6 | Obstacle detection | MSD - MOB, ROB
 | Clause 7 | Obstacle avoidance | MSD - MOB, ROB
ISO/DIS 18646-3 ¹˒² | Clause 5.4 | Grasp strength | LIE - GRI
ISO/FDIS 18646-4 ¹˒² | Clause 5 | Test method for assistive torque index and lumbar compression reduction | LRE - EXO

¹ Standard under development and not issued in its approved final version
² Not explicitly safety-related, but potentially relevant

Table B.1 – Robot test methods provided in standards related to mechanical hazards


Annex C - System-level validation protocol template

C.1 Introduction

The purpose of the SLVP shall be described in this section, detailing objective, scenario and safety skill to be tested. Possibly, generic figures of the real scenario and the corresponding test setup should be included.

C.1.1 Scope and limitation

This SLVP is specifically limited to the following profile:

Safety Skill | Name the safety skill (e.g., limit physical interaction energy during collision)
System | Name the system (e.g., robot arm)
Sub-System | Name the type of sub-system here (e.g., end-effector)
Domain | Possible application domain (e.g., manufacturing)
Conditions | List the set of environmental conditions here which are considered by this SLVP
Measurement Device(s) | List here the measurement devices required for the validation

Table C.1 – Profile of the specific SLVP

C.1.2 Definitions and Terms

Only definitions used in the document. The source of each definition is to be included.

Definition 1 (source: ref. to standard/local to the document)
Description:

Definition 2 (source: ref. to standard/local to the document)
Description:

C.2 Concept and Objectives

This section shall describe the concept of the validation. It gives the reader an understanding of the target behavior characterizing the safety skill and the target metrics (quantities and values representing the validation results) for successful SLSV.

C.2.1 Hazardous Situations

The risk assessment specifies for which hazardous situations the SLVP user must validate by test whether the applied risk reduction or risk control measures mitigate the risk effectively or not. For the test, the occurrence of the hazardous situation characterizes the main event. A certain state of the robot always precedes the hazardous situation. A state describes the axes position and velocity in the moment the hazardous situation occurs. Therefore, it is necessary to ensure that the robot is in the same state for the test as it will be in the real setting (for instance, but not limited to, the same position) when the hazardous situation occurs. This section shall indicate criteria for identifying the relevant hazardous situations based on the risk assessment.


765 C.2.2 Target Behavior and Metrics of the Safety Skill 766 The target behavior of the safety skill to be validated shall be indicated in this section. 767 The target metrics are based on physical and measurable quantities. These quantities are the output 768 variables for the validation. The values of the target metrics indicate if the system behavior, from the 769 perspective of the safety skill, is effective enough to achieve the specified level of risk reduction. They 770 represent a threshold that the output values of test must not exceed for considering the test as passed. 771 The expected outputs are figures to measure for computing target metrics or Boolean variables indicating 772 whether a condition is met or not. If relevant, physical units for output quantities should be defined, for 773 example: 774 – Force, continuous measurement of collision force [N] 775 or 776 – Stopping distance of a mobile robot [m].

C.3 Conditions

By reading this section, the SLVP user shall be informed about the necessity of developing a test plan containing all the relevant combinations of conditions affecting the hazardous situation. The test plan shall cover all the combinations.

C.3.1 System

This section shall report a short description of conditions which can change for the hazardous situation and which have a significant impact on the test results (output values). Such conditions are somehow related to system parameters, which compromise the ability and performance of the relevant safety skill. It might also be reasonable to consider, as a condition, the actions the robot performs before the hazardous situation occurs.

C.3.2 Environment

This section shall describe the environmental conditions which have a significant influence on the validation results (e.g., inclination or surface conditions).

C.3.3 Miscellaneous

If there are other relevant conditions to consider, they shall be illustrated in this section.

C.4 Test setup

C.4.1 Equipment

In this section, the description of the sensors (e.g., load cell) and other devices (e.g., photo sensors) required for the validation test shall be reported. Commercially available sensor types should not be specifically mentioned. Thus, the description shall be limited to the base measurement principle.

C.4.2 Method

Instructions for arranging the sensors and the system within the test environment shall be reported in this section. A drawing supporting the description should be included if possible.

Instructions for recording, logging, and pre-processing (filtering, offset compensation) sensor data shall be included if relevant.

C.5 Procedure

C.5.1 Test Plan

Instructions for creating the test plan that varies the identified test conditions in a systematic manner shall be reported in this section.


C.5.2 Preparation

This section shall provide instructions to prepare each part of the setup and all conditions with a significant influence on the target metrics.

Test arrangement

Instructions for preparing the validation setup shall be provided.

System Conditions

Instructions for preparing the relevant system (and – if available – sub-system) conditions shall be provided. This also includes the documentation of the applied conditions for the test.

Environmental Conditions

Instructions for preparing and documenting the environmental conditions shall be provided.

C.5.3 Test Execution

The test procedure to be carried out for each test case shall be described.

C.5.4 Data Analysis

Instructions for interpreting the results, e.g. pass/no-pass, interval analysis (provide confidence), etc. shall be provided.

C.5.5 Report

Instructions for creating the report using the form annexed to the protocol can be provided.

C.6 Bibliography

If necessary, the relevant bibliography shall be reported in this section.

C.7 Annexes

The SLVP may include one or more annexes (i.e. the appendix with report forms to track tests and results).


Annex D - SLVP example: Test mobile platform to maintain a separation distance

CWA internal note: some of the images will be likely modified and updated.

D.1 Introduction

This SLVP describes how to validate the ability of a mobile robot platform, able to navigate under its own control, to maintain a safety distance with respect to a static object. The object can be a stationary human on the robot's path. This SLVP is applicable to all mobile robot platforms that have collision avoidance functionality realized by non-contact sensors to operate a protective stop.

It is checked that the robot stops and that the minimal distance between an operator and the robot after its full stop remains above a predefined distance.

This SLVP is specific for stationary operator detection and avoidance in the robot's navigation space.

Example: A small mobile robot platform in a factory performs a navigation task. It operates in a workspace with objects, humans, and other robots next to it. A coworker stands in the way of the robot’s workspace. In that situation, unintended collisions between the robot and the coworker must be avoided.

Figure D.1 - A stop due to a risk of collision (left) and a general test setup to analyze stop distance (right)

D.1.1 Scope and limitation

This SLVP is specifically limited to the following profile:

| | |
|---|---|
| Safety Skill | maintain safe distance |
| System | mobile platform |
| Sub-System | Optional. Examples: an effector, such as a forklift; a trailer. Note: In case of a robot arm mounted on the mobile platform, a SLVP dedicated to a mobile robot (MRO) shall be considered. |
| Domain | manufacturing, public, consumer, logistics |
| Environment | Indoor: factory, warehouse, indoor public place, non-medical professional, medical - open places; Outdoor: warehouse; The safety-related object/obstacle is fixed (no dynamic/moving obstacles). |
| Measurement Device(s) | A distance measurement device, ground markers, a test piece for simulating human body parts |

Table D.1 – Profile of the SLVP “Test mobile platform to maintain a separation distance”

D.1.2 Definitions and Terms

Autonomy (source: EN ISO 8373:2012, 22)
Ability to perform intended tasks based on current state and sensing, without human intervention.

Collision (source: EN ISO 19649:2017)
Dynamic contact resulting in momentum exchange.

Obstacle avoidance (source: EN ISO 19649:2017)
Preventing interference, such as approaching, contacting or collision, with obstacles by detecting them with external state sensors and adjusting trajectory planning.

Collision avoidance (source: EN ISO 19649:2017)
Preventing collision using external state sensors and reacting accordingly.

Mobile robot (local to the SLVP, adapted from: EN ISO 19649:2017, 3.1.1)
Robot able to travel under its own control.
Note: for the purposes of this SLVP, the definition is restricted to a mobile platform without manipulators.

Mobile platform (source: EN ISO 19649:2017)
Assembly of all components of the mobile robot which enables locomotion.

Application (source: EN ISO 10218-2)
Intended use of the robot system, i.e. the process, the task and the intended purpose of the robot system (e.g. spot welding, painting, assembly, palletizing).

D.2 Concept and Objectives

The verification simulates a risk of collision of the robot, using an obstacle that mimics the human body. The resulting clearance is measured with a distance measurement device. During the test, the robot must operate under the same conditions as it would in a real application, considering whether the scenario falls under the category a) intended use or b) foreseeable misuse.

The objective of the test is to measure whether the safety skill “maintain safe distance” prevents the robot from exceeding the applicable minimum distance limit value.

D.2.1 Hazardous Situation

The risk assessment specifies under which hazardous situations the robot may operate. The validation measurement determines whether the applied safety skill and ultimately the chosen safety functions mitigate the risk sufficiently.

The test conditions shall be as representative as possible of the operating scenario, characterized by an approach path to the obstacle, the speed of the mobile robot, environmental conditions, etc.

D.2.2 Target Behavior and Metrics of the Safety Skill


The target behavior of the safety skill to be validated is to maintain a minimal safety distance between the mobile robot and the safety-related object. The distance shall not be less than a limit specified in the risk assessment.

For this SLVP, the output is:

• The distance after a full stop of the robot between the robot and the safety-related object [m]

The target metric is the limit value determined during the risk assessment:

• The minimum acceptable distance between the robot and the safety-related object [m]

The target metric may vary depending on size and weight of the obstacle. The values of the target metric for each test should be reported by using the report table in the Appendix.

NOTE 1: If the scenario involves a human entering the robot's transport/workspace then the additional required stopping distance can be evaluated as $S_h = 1.6\,[\mathrm{m/s}] \cdot T\,[\mathrm{s}]$, where T is the overall stopping performance in seconds (time interval between sensing and the termination of the hazardous machine function). Refer to EN ISO 13855 for further details.

NOTE 2: If the mobile platform has a geometry that involves steady objects reaching over the footprint of the robot, then this distance should be added to the required target metric.

| Safety related object | Obstacle |
|---|---|
| Height [m] | 2.1 m |
| Safety clearance [m] | 0.5 m |

Table D.2 – Example of report of the target metric: detection of persons in the traveling path of an autonomously guided truck

D.3 Conditions

In case the conditions under which the hazardous situation may occur can change, the utilizer of this SLVP shall develop a test plan containing all their reasonable and relevant combinations. The applied safety skill is tested for each relevant combination of this list. Therefore, it is important to know the significant conditions that influence the target metric most, e.g., high speed and load.

D.3.1 System

The term system refers to the robot system, identified by the type of mobile robot with its payload and, if present, the subsystem(s). The category of subsystems comprises a variety of tools and additional functionalities that can be installed onto the mobile robot. The subsystem can be a mechanical, electro-mechanical or robotic device working in coordination with the mobile robot. To this latter category belong actuators installed on the mobile robot and used to carry out different tasks, mainly related to grasping. Any trailers drawn by the mobile robot are also to be considered subsystems and described.

The task-related conditions shall be previously identified in the risk assessment. The form in §D.7 shall be used to report the system composition for each single test. It should be noted that the payload may affect the risk evaluation.


| | |
|---|---|
| Mobile robot | |
| Type of mobile robot | Four-wheel drive platform with front steering |
| Manufacturer | The Robot Company |
| Model | Mobile robot platform 10 |
| System Configuration | Safety Package, Sensors (i.e. Lidar, front bumper, etc.) |
| Control Software | MoCoControl, version 2.3.1 |
| Footprint on the ground and dimensions (picture or drawing) | |
| Payload | |
| Manufacturer | My Company |
| Model | Transport box |
| Description (mass, shape, etc.) | 20 cm x 50 cm long, 30 cm high, 10 kg |
| Subsystem | |
| Type of system | Payload trailer |
| Manufacturer | The Trail Company |
| Model | Logistics 100 |
| System Configuration | Drawn by standard tow hook |
| Control Software | None |
| Footprint on the ground and dimensions (picture or drawing) | |

Table D.3 – Example of system configuration

The following system- and behavior-related conditions influence the target values:

• mobile robot velocity (identified in the risk assessment), [mm/s]
  Note: consider 110% of pre-determined speed as per EN ISO 3691-4;

• mobile robot payload (identified in the risk assessment), [kg]


  Note: consider 110% of actual capacity as per EN ISO 3691-4.

The mobile robot shall be tested in the worst-case condition(s) (e.g. loaded, unloaded, lift height, slope, turn, forward, backward, floor/ground slope) in combination with mobile robot predetermined parameters in those case conditions (e.g. emergency braking deceleration, speed, controlled acceleration, deceleration, and lifting speed). Tests shall be performed without creating a hazard (e.g. tipping or sliding).

Besides the configuration of the robot system, the trajectory of the robot prior to the stop also has a significant influence on the output target. The following describes the robot state:

– Direction and magnitude of platform velocity (linear and/or rotational, see Figure D.2).

Figure D.2 - Left: Linear velocity and Right: the angular velocity

These conditions are part of the robot path, which is technically a time-dependent sequence of states. For a proper validation test, it is necessary to establish the same robot state as the robot will have at the moment a safety distance could be crossed, whereby the safety skill takes over control. Therefore, the point of interest for the test is the point along the robot path at which the distance to the safety-related object is minimum. The risk assessment should clarify the exact moment and position of this point. Therefore, the risk assessment is the primary source to identify the robot state for the test.

Please report the robot state (if available) for each single test using the form in §D.7.

| Nominal mobile robot velocity | Absolute | X | Y |
|---|---|---|---|
| Linear velocity [mm/s] | 250 | 0 | 250 |
| Angular velocity ω [rad/s] | 0 | | |
| Turning radius (if available) [mm] | 0 | | |

Table D.3 - Example of system state reporting for the mobile robot

D.3.2 Environment

The following environmental conditions have an influence on the target values:

• Shape of the navigation area: (e.g. slope less than 3%) [%];


• Adhesion properties of the navigation area (e.g. dry standard industrial surfaces);
• Floor/ground slope;
• Safety-related object dimensions [mm].

Since the environment conditions in many cases will have a non-negligible influence on the target metric, it is worth running the validation tests under the same environmental conditions which are expected during actual operations.

D.3.3 Miscellaneous

Other relevant conditions are:

• Surface of the mobile robot that will come the closest to the test piece;
• Endangered body parts (parts of the test piece which the robot can affect);
• Testing route features (length and width of the navigation area, transversal position of the mobile robot).

The form from §D.7 shall be used to record the location and shape of the contact area on the robot structure.

| | |
|---|---|
| Closest area to safety-related object (on robot structure) | |
| Location | Lower side of the mobile platform (bumper surface) |
| Photo | (insert a photo here) |
| Endangered parts | |
| Type of body (human, type of object) | Human |
| Part | Lower leg |
| Testing route features | |
| Length [m] | 50 |
| Width [m] | 2 |
| Mobile robot transversal position | Center axis misaligned by 40 cm on the left |

Table D.4 - Example of miscellaneous conditions

D.4 Setup

D.4.1 Equipment

According to the target metric, it is necessary to measure the distance between the mobile robot and the test piece collision point. The following instruments are required to measure the target metric:

• An accurate device for distance measurement (i.e. a laser meter with error below 5%)

Variants of this SLVP may be based on the use of a different type of distance sensor or a motion tracking system.

The form in §D.7 shall be used to report the capabilities of the sensor used for the validation.


| Feature | Distance Measurement Sensor |
|---|---|
| Manufacturer and type | TheSensorCompany, TheSensor10 |
| Dimensions [mm] | 120 x 50 x 30 mm |
| Weight [g] | 100 g |
| Working Range [m] | 0.05-15 m |
| Relative error [mm] | ±2mm more 0.05mm/m |
| Resolution [mm] | 1 mm |

Table D.5 - Example of report about the sensing device.

The test piece is an object with surface condition and dimensions that simulates body parts that the robot is likely to encounter under the projected conditions of use. EN ISO 3691-4 mentions a cylindrical test piece with a diameter of 200 mm and a length of 600 mm that can be placed horizontally and a test piece of diameter 70 mm and a length of 400 mm that is placed vertically. EN ISO 3691-4 shall be considered for the test setup. Considering usual operating conditions, tests may be performed with these cylinders positioned at different heights.

D.4.2 Method

This test measures the distance between a robot and a simulated safety-related object at the moment the robot finishes a protective stop in order to verify that the system “maintain minimum required safety distances” (with reference to EN ISO 3691-4).

The SLVP consists of three steps: (1) setup, (2) performing the test with the mobile robot moving, and (3) measuring the distance when the mobile robot has stopped. This test requires a distance measuring device, a defined travel path, and test pieces.

Testing procedure:

• the mobile robot and the test piece are placed on a test road at a distance longer than the related sensor range of the mobile robot;
• the robot is set to travel at its typical speed under intended use conditions;
• the mobile robot shall approach the test piece and shall stop before contact is made between the test piece and the rigid parts of the mobile robot or its intended load;
• the distance between the robot and the test piece is measured after the stop is completed;
• this test shall be repeated three times, once at the center-line of the detection zone and once at each end. Then, the same test can be done for other diameter and length values of the test piece.

The measurement is executed only after the mobile robot is fully stopped. The distance sensor is placed on the mobile robot at the closest position to the object collision area and the distance is measured (Figure D.3).


Figure D.3 - Left: Example of laser distance sensor. Right: Measurement on the mobile robot

D.5 Procedure

D.5.1 Test Plan

The test plan is a summary of all situations identified as hazardous in the risk assessment, due to the distance between robot and a safety-related object along its path, including all combinations of applicable conditions. Therefore, the test plan provides a detailed summary of which tests are necessary to validate the safety skill for the considered application.

All combinations of the conditions introduced above that are applicable and may change in the considered situation result in a list of concrete test cases.

The following conditions can be identified for the application of this SLVP.

• System:
  – type of system, payload if applicable;
  – direction and magnitude of velocity;
  – sensor settings (if relevant).
• Sub-system:
  – sub-systems installed or not;
  – sub-systems actually in function or not;
  – sub-system configuration (if relevant).
• Environment:
  – obstacles;
  – ground (grip conditions, slope).
• Miscellaneous:
  – location and shape of the area on the robot structure the closest to the safety-related object;
  – endangered parts (parts of the human or fixed object which the robot can affect);
  – testing route features (length and width of the navigation area, transversal position of the mobile robot).

It is recommended to prepare this list before beginning the tests. Clauses D.5.2 to D.5.5 should be applied for each test case, and each test should be run at least three times.

D.5.2 Preparation

Before executing a concrete test from the test plan, it is necessary to prepare the setup and the conditions properly. The following sections give instructions to prepare each part of the setup and all conditions with a significant influence on the target metric.


Test arrangement

The defined travel path shall be large enough to enable the robot to accelerate up to the normal operating speed (as defined in the risk assessment), i.e. the cruise speed (see Figure D.4).

Figure D.4 - An acceleration time ta is followed by a cruise time tc, a braking time tb, and a full stop at ts

If the braking distance differs according to the surfaces in the real environment, the surface characterized by the longest braking distance should be used. The environment should be large enough to enable the robot to slow down and stop after it has reached its cruise speed.

The dimensions of the cylindrical test piece shall be chosen considering the actual obstacle to be considered for the safety validation. The indications reported in EN ISO 3691-4 shall be considered. Each case of the test plan is related to a particular orientation of the mobile robot with regard to the object.

System Conditions

The SLVP utilizer shall configure the robot in the exact way that it will run in the application. This includes at least the following steps:

• the mobile robot shall be switched on one hour before beginning the tests (warm-up phase);
• the mobile robot shall be configured with its payload and any sub-systems in accordance with the real working conditions to be tested;
• the program containing all movements and actions the robot will execute in the application shall be installed;
• all available safety-functions shall be configured.

Warning

The safety configuration, and therefore the safety skill, is often a part of the robot program or inseparably connected with it. For this reason, the SLVP utilizer shall not change the robot program after successfully completing the validation. It is highly recommended to store a backup of the positively tested program and to lock the robot control unit so that only authorized people can modify the program or the safety configuration. Any modification to the program requires a new validation of the safety skill.


NOTE: If the mobile robot has no safety functions to monitor its states (such as platform speed), the SLVP user shall perform all tests at maximum speed, even if this speed is not required for the application.

The following instructions are related to the conditions which may change for the different use conditions, as identified in the risk assessment.

• Robot velocity (tests are performed with at least 110% of pre-determined speed);
• Payload (tests are performed with at least 110% of actual capacity, ensuring that no parts can fall off during the test);
• The parameter values of the applied safety functions shall be adjusted in accordance with the values specified for the test case.

Environmental Conditions

It is recommended to perform these tests on the usual mobile robot operating ground, which shall be identified in the test plan. The following conditions are particularly relevant:

• if slopes are present in the operating area, tests with several different slope conditions must be carried out;
• adhesion properties of ground (the test should preferably be performed on the usual mobile robot operating ground).

D.5.3 Test Execution

Apply the following test procedure for each specified test case separately. Make sure that the proper speed setpoint and proper orientation of the mobile robot with respect to the safety-related object are configured before running a test.

1) Move the robot slowly to the initial start position and orientation point, on the proper ground with chosen slope. Use a position from which the robot has enough space for accelerating to desired speed before reaching the collision area. Pause the program with the robot in start position.
2) Configure speed according to the real scenario.
3) Take a photo of test situation (optional).
4) Start the mobile robot autonomous navigation.
5) Wait for a complete mobile robot stop after the safety-related object detection and measure the minimum distance between the mobile robot and the fixed safety-related object.
6) After the stop take another photo of the situation (optional).
7) Check if the minimum distance value is lower than the limit value:
   • If limit value is exceeded: decrease robot speed slightly and repeat the entire test, to obtain an acceptable speed value;
   • If the limit value is satisfied: keep the same robot speed and repeat measurement three times.

D.5.4 Data Analysis

The test can be considered successful if the maximum value acquired in the three tests does not exceed the applicable limit value. In case of failure, it is recommended to modify the robot program (for instance reducing the speed) in the actual task and to start over with the validation process. Other options could be a modification of the safety configuration or conditions.

| | Test 1 | Test 2 | Test 3 | MAX |
|---|---|---|---|---|
| Maximum distance [mm] | 159 | 145 | 165 | 165 |

Table D.7 – Example: results from data analysis.


D.5.5 Report

The form in §D.7 shall be used to report all conditions and results of the tests. Once the SLSV is completed, the forms can be added to the risk assessment documentation, proving the effectiveness of the robot system concerning the MSD safety skill in the given scenario.

| | Test 1 | Test 2 | Test 3 | Test Pass |
|---|---|---|---|---|
| Pass | yes | yes | no | no |

Table D.8 – Example: test result summary.
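The following Python example is an added illustration, not part of this CWA. It enumerates the D.5.1 test plan as every combination of conditions at the 110% settings of D.3.1, derives the required distance from the risk-assessment limit plus the NOTE 1 and NOTE 2 allowances of D.2.2, and evaluates three repetitions using the D.2.2 wording that the distance shall not be less than the limit. The field names, the TC-nnn identifiers and the sample limit, stopping time and overhang are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

APPROACH_SPEED_M_S = 1.6  # NOTE 1 in D.2.2: S_h = 1.6 m/s * T
OVERTEST_FACTOR = 1.10    # D.3.1: 110 % of pre-determined speed and actual capacity
MIN_REPETITIONS = 3       # D.5.1: run each test case at least three times


@dataclass(frozen=True)
class PlanCase:
    """One row of the test plan (field names are this example's own)."""
    case_id: str
    speed_mm_s: float
    payload_kg: float
    slope_pct: float
    test_piece: str
    zone_position: str


def required_clearance_m(limit_m, stopping_time_s=0.0, overhang_m=0.0):
    """Limit from the risk assessment plus the NOTE 1 and NOTE 2 allowances."""
    if min(limit_m, stopping_time_s, overhang_m) < 0:
        raise ValueError("limit, stopping time and overhang must be non-negative")
    return limit_m + APPROACH_SPEED_M_S * stopping_time_s + overhang_m


def build_test_plan(speeds_mm_s, payloads_kg, slopes_pct, test_pieces,
                    zone_positions=("centre-line", "left end", "right end")):
    """Enumerate every combination of conditions (D.5.1) at the 110 % settings."""
    plan = []
    combos = product(speeds_mm_s, payloads_kg, slopes_pct, test_pieces, zone_positions)
    for n, (speed, payload, slope, piece, pos) in enumerate(combos, start=1):
        plan.append(PlanCase(
            case_id=f"TC-{n:03d}",  # hypothetical identifier scheme
            speed_mm_s=round(speed * OVERTEST_FACTOR, 3),
            payload_kg=round(payload * OVERTEST_FACTOR, 3),
            slope_pct=slope,
            test_piece=piece,
            zone_position=pos,
        ))
    return plan


def evaluate_case(stop_distances_mm, required_m):
    """Pass only if every repetition leaves at least the required distance."""
    if len(stop_distances_mm) < MIN_REPETITIONS:
        raise ValueError(f"need at least {MIN_REPETITIONS} repetitions")
    required_mm = required_m * 1000.0
    per_run = [d >= required_mm for d in stop_distances_mm]
    return {
        "min_mm": min(stop_distances_mm),
        "margin_mm": min(stop_distances_mm) - required_mm,
        "per_run": per_run,
        "passed": all(per_run),
    }


if __name__ == "__main__":
    # Constructed inputs: nominal speed, payload and test pieces come from the
    # example tables of this annex; the unloaded case, the slopes, the limit,
    # the stopping time and the overhang are invented for illustration.
    plan = build_test_plan(
        speeds_mm_s=[250],
        payloads_kg=[0, 10],
        slopes_pct=[0, 3],
        test_pieces=["cylinder 200 mm x 600 mm, horizontal",
                     "cylinder 70 mm x 400 mm, vertical"],
    )
    print(len(plan), "test cases, each to be run", MIN_REPETITIONS, "times")
    print(plan[0])

    need = required_clearance_m(limit_m=0.1, stopping_time_s=0.025, overhang_m=0.01)
    print("required distance [m]:", round(need, 3))
    print(evaluate_case([159, 145, 165], need))
```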

D.6 Bibliography

[D.1] EN ISO 8373:2012, Robots and robotic devices - Vocabulary
[D.2] ISO 10218-1:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots
[D.3] EN ISO 10218-2:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 2: Robot systems and integration
[D.4] ISO 3691-4:2020 Industrial trucks - Safety requirements and verification - Part 4: Driverless industrial trucks and their systems
[D.5] EN ISO 13857:2020 Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs
[D.6] ISO 19649:2017 Mobile robots — Vocabulary
[D.7] ISO 13855:2010 Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body.

D.7 Appendix - Report Form

Use the form on the next page to record the data for each test.

| | |
|---|---|
| Test ID / Test no | |
| Hazard ID | |
| Description | |
| Photo | |

Target metrics

| Safety-related object | Obstacle |
|---|---|
| Height [m] | |
| Safety clearance [m] | |


Setup

Sensors

| Feature | Distance Measurement Sensor |
|---|---|
| Manufacturer and type | |
| Dimensions [mm] | |
| Weight [g] | |
| Working Range [m] | |
| Relative error [mm] | |
| Resolution [mm] | |

System Configuration

| | |
|---|---|
| Mobile robot | |
| Manufacturer | |
| Model | |
| System Configuration | |
| Control Software | |
| Footprint on the ground and dimensions (picture or drawing) | |
| Payload | |
| Manufacturer | |
| Model | |
| Description (mass, shape, etc.) | |
| Subsystem | |
| Type of system | |
| Manufacturer | |
| Model | |
| System Configuration | |
| Control Software | |
| Footprint on the ground and dimensions (picture or drawing) | |

Test Specifications

System State

| Nominal mobile robot velocity | Absolute | X | Y |
|---|---|---|---|
| Linear velocity [mm/s] | | | |
| Angular velocity [rad/s] | | | |
| Turning radius (if available) [mm] | | | |

Misc. Conditions

| | |
|---|---|
| Closest Area to Safety-Related Object (on robot structure) | |
| Location | |
| Photo | |
| Endangered parts | |
| Type of body (human, type of object) | |
| Part | |
| Testing route features | |
| Length [m] | |
| Width [m] | |
| Mobile robot transversal position | |

Test Result

Result from Data Analysis

| | Test 1 | Test 2 | Test 3 | MIN |
|---|---|---|---|---|
| Minimum distance [mm] | | | | |

Summary

| | Test 1 | Test 2 | Test 3 | ALL yes |
|---|---|---|---|---|
| Pass | | | | |


Annex E - SLVP example: Test manipulator in shared human-robot control to prevent spatial overreaching for the subject

CWA Internal Note: Some of the images will be likely modified and updated.

E.1 Introduction

The purpose of this SLVP is to validate the safety skill “limiting range of movement” (LRM) in 3D of a manipulator used as a RACA robot or in a Hand Guiding collaborative application by restricting the spatial range of motion for both its end-effector and any other part of the robot system (i.e. soft axis space limiting as per EN ISO 10218-1), in order to avoid physical damage to the person connected to the robot system.

The primary hazardous situation considered is an over-stretching of the utilizer's limbs, where the distance between a proximal and a distal joint is too large.

A secondary hazardous situation considered in this SLVP is that parts of a robotic system may collide with parts of the body of the subject.

Figure E.1: Examples: ROM related to the robot system in a rehabilitation application (top left) and related test setup (top right); a hand-guiding collaborative application (bottom left) and related test setup (bottom right).

E.1.1 Scope and limitation

This SLVP is specifically limited to the following profile:


| | |
|---|---|
| Safety Skill | Limit range of movement |
| System | Manipulator |
| Sub-System | Mounting platform for the robot arm that stabilizes the position of the robot relative to the body of the subject |
| Domain | Manufacturing, Healthcare |
| Conditions | 3D movement; Hand-guiding or Human/robot shared control (active movement for the human) |
| Measurement Device(s) | Optoelectronic measurement system/motion tracking system |

Table E.1 - Profile of the SLVP

E.1.2 Definitions and Terms

Active movement
A movement of parts of a human body, produced by muscles of that human, not by external forces applied to these parts of the human body.

Direct path
A movement trajectory between two points, where the path depends on robot path planning (can be linear in space or not if interpolation is done on joint coordinates).

Emergency stop (adapted from the definitions in ISO 12100 and IEC 80601-2-78)
Manually initiated interruption of operation intended to stop the robot to avert arising or reduce existing hazards to persons, damage to machinery or to work in progress.

End-effector (source: EN ISO 8373)
Device specifically designed for attachment to the mechanical interface to enable the robot to perform its task. For RACA robots this is also described as the (actuated) applied part (IEC 80601-2-78).

Hand guiding (described in EN ISO 10218-1, clause 5.10.3 and EN ISO 10218-2, clause 5.11.5.3)
Collaborative operation in which robot motion is controlled by an operator by means of a dedicated hand-guiding control (HGC) device.

Human Tester
Qualified person who executes the test.

Monitored point
Either a point on the robot or defined as a point in space in relation to a specific point on the robot. For example, if the monitored point is to match the subject's hand, it might be defined as a point at a fixed distance from the arm splint.

Marker
Active or passive spatial element used by an optoelectronic measurement system to determine a spatial position within a predefined volume.

Motion tracking system
A system used to detect spatial coordinates of objects in a restricted volume as a function of time.


Optoelectronic measurement system
A system used to detect spatial coordinates of objects in a restricted volume by camera-like sensors.

Overreaching
A movement that results in the monitored point exceeding the range of motion. Can be harmful to the subject as the movement can exert an excessive strain on joints.

Passive movement
A movement resulting from an external force working on parts of a human body (e.g. limb), without any voluntary contribution to that motion by that human. So, the passive aspect is viewed from the human perspective.

Predefined path
A movement trajectory that is specified with more parameters, possibly a set of spatial coordinates.

Protective stop (adapted from the definitions in ISO 8373 and IEC 80601-2-78)
Type of interruption of operation that allows a cessation of motion for safeguarding or basic safety and essential performance purposes and which retains the program logic to facilitate a restart.

RACA robot (source: IEC 80601-2-78:2019 – clause 201.3.212)
Medical robot intended to perform Rehabilitation, Assessment, Compensation and Alleviation, comprising an actuated applied part.

Range of Motion (ROM)
A combination of linear and angular distance that a defined monitored point may move in relation to a defined reference point. The monitored point can be either a point on the robot, or a point on the body of a human subject defined relatively to a point on the robot. The ROM can be limited to a straight line (one-dimensional ROM), a plane (two-dimensional ROM) or a space (three-dimensional ROM) in any shape. Has to be defined in relation to a reference point.

Reference point
Either a point on the robot or defined as a point in space in relation to a specific point on the robot. For example, if the reference point shall represent the expected location of the subject's shoulder joint centre, it might be set at a fixed distance from the robot surface. Please note that the reference point has to be a spatial location, which keeps a known position in relation to proximal parts of the robot.

Rehabilitation robot
RACA robot used in rehabilitation.

Single fault condition (adapted from: IEC 60601-1 definition 3.116), SFC
A condition of a robot system in which a single means for reducing a risk is defective or a single abnormal condition is present.

Target point
Location of a point in a certain volume, relative to the reference point, the robot will be instructed to move the monitored point to.

E.2 Concept and Objectives

E.2.1 Hazardous Situations


During the rehabilitation or working task, the robot system will be either attached to a human, in order to mobilize a limb or to assist the use of the impaired limb in daily life, or equipped with an HGC device. Based on the movement initiated by the utilizer, the robot will support that movement with a support level that can be set either during installation or by a therapist to suit the required levels during a rehabilitation session. Based on anthropometric properties and physical restraints of the human as well as the required movement types, some specific boundaries to the movements of the robot arm are likely to be set. The distance between a proximal joint centre (e.g. shoulder or hip) and a distal joint centre (e.g. wrist or ankle) should indeed stay within a certain area. Likewise, in a hand-guided collaborative robotics application, safety-rated soft axis and space limiting function may be used to limit the range of motion for safety and ergonomic purposes.

Figure E.2: Example of an application scenario – in case of a rehabilitation task, subject may also be seated

The hazardous situations considered in this SLVP are:
• over-stretching of the human joints/limbs, where the distance between a proximal and a distal joint is too large;
• a link of the robot moving through a space where human’s body parts are located.

E.2.2 Target Behavior and Metrics of the Safety Skill

The target behavior of the safety skill to be validated concerns whether the robot system keeps the relative displacement between a reference point and the monitored point within the specified ROM.

The movements of a robot system performing an active rehabilitation task or a hand-guiding application are mainly defined by the input of the human and the shared control settings for this robot, i.e. the range of motion restrictions and possible support levels set for the robot controller. The movements carried out can usually be described by a direct path between two points or, more likely, a more variable trajectory between two points.

The shape of the ROM for which this test needs to be performed has to be based on the use specifications of the robot, so it represents a proper normal use situation. During the definition of a representative ROM description for the tests it should be considered that:
• The ROM can take any shape and does not have to be symmetrical to the reference point.


• The shape and size of the volume will have a large impact on the validation results. Therefore a matching description of the ROM volume used by the robot should be used during data analysis.

The target metrics are based on physical and measurable quantities. These quantities are the output variables for the validation. The values of the target metrics indicate if the validated safety skill is effective enough to achieve the specified level of risk reduction. They represent a threshold that the output values of the test must not exceed for considering the test as passed. These values for the ROM in a 3D space can be variable during intended use and may be determined i.e. by a therapist for the individual utilizer in a rehabilitation setting. Therefore, the system’s ability to keep the end-point within the set safe area needs to be validated using different settings for both the endpoint setting and the area where the other parts of the body would be.

It may also be possible that other parts of the robot system move through spatial areas where other body parts of the human being are. It should be observed during this test whether parts of the robot system are kept clear from other body parts of the utilizer.

For this SLVP, the target metrics are defined as follows:
• Does the monitored point move outside the defined ROM? [YES/NO]
• Does any part of the robot enter an area where it may collide with any part of the body? [YES/NO]

Please report the values of the target metrics for each test using the form in §E.7.

E.3 Conditions

In case the conditions under which the hazardous situation may occur can change, the utilizer of this SLVP shall develop a test plan containing all their reasonable and relevant combinations. The applied safety skill is tested for each relevant combination of this list. Therefore, it is important to know the significant conditions that influence the target metric most, e.g. high speed and load. Please report all conditions, represented by values, for each test using the form in §E.7.

E.3.1 System

The term system refers to the robot system consisting of:
• a robot arm, that is intended to move a body part within a specified workspace (ROM);
• a base the robot is mounted on (which, in case of a RACA robot, is also connected to the support base for the subject);
• optionally a cuff or splint attached to the end-effector of the robot arm to fixate a single body part;
• optionally an HGC device;
• optionally a tool used as end-effector and, if relevant, a payload.

The SLVP applies to the complete system as it is normally used. This can include an applied part connected to the end-effector of the robot, e.g. a splint, which, in normal use, is connected to a body part of the subject with the intention to move that body part and whose movements are predictable in relation to the motions of the robot arm. Besides normal use conditions, the utilizer of this protocol may consider, depending on the requirements of the specific application, performing the tests in relevant SFCs which may influence the safety skill, like:
• when an emergency stop or a protective stop is initiated;
• when the payload is released accidentally;
• a SFC in which invalid sensor data may influence the controller behaviour or the applied risk reduction measure or risk control measure;


• a SFC in which failure of an actuator may influence the behaviour of the controller or the risk reduction measure or risk control measure.

During the risk assessment, special attention should be paid to properly identify relevant SFCs.

E.3.2 Environment

Environmental conditions may influence the safety skill, depending on the implementation. When applicable, the validation tests should be performed under various environmental conditions that are considered normal use conditions and that may have an influence on the performance of the safety skill. Examples of this could be:
• inclination angle of the robot’s base (e.g. when the robot arm is mounted on a mobile robot);
• externally induced motions/accelerations of the total combination of robot system and the human (e.g. when both the robot system and the human are on the same moving platform, e.g. a wheelchair), since these may have a significant influence on the inertia of the entire system.

E.4 Setup

E.4.1 Equipment

For the validation of this safety skill, a motion tracking system is used. With this system, it is possible to measure spatial coordinates of multiple markers over time.

The required accuracy of the motion tracking is determined by the required accuracy of the measurements that is derived from the risk assessment. As a general guideline, an acceptable accuracy can be about 10 mm, but other values can be acceptable if based on a proper risk assessment.

The acquisition rate used by the motion tracking system should be at least a factor 10 higher than the highest expected frequency component of principal motion of the robot during the test. For normal human movements, an acquisition rate of 100 fps will usually suffice.

E.4.2 Method

For the validation of the ROM, a motion tracking system is used to measure spatial coordinates of multiple “markers”. Using these markers, the spatial coordinates of objects can be directly measured or derived.

The robot system must be positioned in such a manner that all robot movements can be properly detected with the measurement system (see Figure D.3).

Markers will be placed on the robot system at the monitored point and the reference point or, should this not be feasible, markers should be placed at locations on the robot system from which, during any movement of this robot, the location of the monitored point and the reference point can be reconstructed.

Since the robot arm motion control depends on the movements of the utilizer, when safely possible, the movements can be applied by a human tester.

However, a proper risk analysis should be performed on the entire test setup before the decision can be made that the test movements can be performed by a human tester. The main measures to ensure the safety of the human tester can be:
• possibility for the human tester to remain out of reach of the robot arm during the test;
• during the execution of the test, use of a 3-stage enabling switch by the human tester, which should be connected to the robot system as an emergency stop so the robot can be stopped immediately when a dangerous situation would arise.

After data acquisition, the data has to be processed to determine whether during the test the monitored point was located outside the predefined ROM volume. The measured location data can be filtered to remove high frequency measurement inaccuracies, but this filter shall not use a cut-off frequency lower than 5 times the highest expected frequency component of the principal motion of the robot during the test. For normal human movements a cut-off frequency for filtering the marker data of about 10 Hz, using a zero-lag filter, should be sufficient.

The shape and size of the volume will have a large impact on the validation results. Therefore, a clear definition of the ROM volume used by the robot system during the tests should be available and used during data analysis.

Figure D.3: General structure of the test arrangement with a (3D) motion tracking system and a Human Tester

E.5 Procedure

E.5.1 Test Plan

The test plan shall cover all situations which the risk assessment identified as hazardous due to moving the monitored point outside a predefined ROM volume, including all combinations of applicable conditions. Therefore, the test plan provides a detailed summary of the necessary tests to validate the safety skill for the considered application.

The test plan should at least cover the motion paths identified by the risk assessment as potentially hazardous. This means that by moving the arm of the robot system, it should be provoked to move the monitored point into or through a spatial area that is outside of the predefined ROM volume. The purpose of the test is to validate whether the robot system exceeds this volume or not.

The SLVP must consider the following conditions.
• For defining the motion trajectories, consider that motions should at least cover:
  - trajectories of the monitored point to locations outside the specified ROM;
  - trajectories of the monitored point to either locations inside or outside of the specified ROM volume, where a part of the direct path could cross an area outside of the specified ROM volume, should this be the shortest route;


  - trajectories where parts of the robot system may collide with parts of the subject’s body during normal operation.
• Tests must be run as much as possible at maximum speed with specified maximum allowed payload for the robot system and under otherwise normal use conditions. This load should be positioned in such a way that its centre of mass would be close to the end-effector of the robot, unless another location conforms better to normal use conditions.
• If ROM settings can be modified by the utilizer, these tests have to be performed with a selection of different ROM settings that are a proper representation of the range of different settings.
• If applicable, these tests also have to be performed under system inclinations that may affect the safety skill.
• If applicable, the tests mentioned above should be repeated also under SFCs that may have an effect on the safety skill.

E.5.2 Preparation

Before executing a particular test from the test plan, it is necessary to prepare the setup and the conditions properly. The following sections give instructions to prepare each part of the setup and all conditions with a significant influence on the target metrics.

Test arrangement

For preparing the validation setup:
• the environmental conditions such as lighting shall be appropriate for the used measurement technique;
• the motion tracking system shall be calibrated as described in its utilizer manual, or existing calibration shall be checked. The calibration accuracy shall meet the required accuracy;
• the robot system shall be positioned within the capture range of the motion tracking (e.g. 3D electro-optical measurement) system.

The reference point and monitored point as defined by the target behavior need to be tracked by the (3D) motion tracking system. The tracking of the reference point can be achieved by one of the following:
• by placing a marker on a stand so that it is positioned in the reference point;
• by defining points in the environment, either on the robot system or in the room, from which the location of the reference point can be accurately reconstructed;
• by reconstructing the reference point from marker points placed on the robot system (this has to be done if the reference point can move due to movements of the robot).

Optionally, for the detection of the possibility of undesired collisions with other body parts by any part of the robot:
• an object representing the relevant artificial body parts can be positioned to easily detect potential, undesired contact between the robot system and a human. Make sure these objects do not obstruct visibility of relevant optical markers.

The tracking of the monitored point can be achieved in a number of ways, i.e.:
• by attaching a marker directly on the robot system, if the monitored point is defined as a point on the robot system;
• or, if the monitored point is not defined as a point on the robot system, either by attaching a marker on a clamp or dummy limb segment attached to the robot system, or by defining points on the robot arm from which the location of the monitored point can be accurately reconstructed.

System Conditions


Please report the system composition for each single test using the form in §E.7.

The specific use conditions of the CHRIA may envisage a “free” (or, equivalently, “transparent”) mode, in which the robot system only supports its own weight/inertia, and/or a “shared control” mode, in which robot control contributes to robot movements, based on utilizer inputs.
• If possible, tests should be performed with the device in “transparent” mode. The test should be performed both without added load and with the maximum normal use payload, which should be positioned at the end-effector (unless another location is more usual during normal use).
• If relevant for the specific use conditions, a further round of tests should be performed with the robot system set for “shared control”, e.g. support level for compensation for weight of the relevant body parts of a utilizer:
  - the tests should be performed with the maximum normal use payload that should be positioned at the end-effector (unless another location is more usual during normal use);
  - the tests should be performed at the maximum safe velocity as set within the robot system safety settings. If that is not specified, the tests should be performed at the maximum velocity that the robot can achieve.
• If applicable, tests of the robot system should also be performed in both modes under the SFC(s) identified in the risk analysis that may influence the safety skill.
• In case of an emergency stop or a protective stop, a system may behave differently. When a robot may actively move the monitored point back to a predefined location, and if it might be possible that the monitored point moves through an area that is not allowed by the ROM area setting, this situation should be validated as well.
• If, during movements, other parts of the robot may also move through an area that is potentially hazardous, these situations should be noted. The safety of these impacts should be validated, e.g. via a suitable SLVP, which validates a limited interaction energy.

Environmental Conditions

The validation tests should be performed under conditions similar to the normal use conditions. However, if the risk analysis indicates that environmental conditions could have an effect on the safety skill, the test should be performed under these relevant environmental conditions, or simulated versions of these conditions as well.

E.5.3 Test Execution

The measurement equipment shall be preliminarily activated:
• make sure the measurement equipment is calibrated (if calibration is required);
• make sure data logging is ready for recording on all recording devices;
• make sure all sensors are attached properly, especially when a previous execution of the SLVP resulted in a collision or sudden stop of the RACA robot.

The following test procedure applies for each specified test case separately.
1) Move the monitored point to a predefined starting position.
2) Make sure the monitored point of the robot system is stationary for at least 1 second.
3) Move the monitored point either via a direct or an indirect path to a target point, which is either inside or outside the predefined ROM.
4) After a successful motion, make sure that the monitored point on the robot system is stationary for at least 1 second before continuing.


This procedure should be repeated with various start and target point combinations. During these tests, attempts to move the robot system in areas where it is not allowed to move should be made.

These tests shall be repeated under the different environmental and system conditions and those identified during the risk analysis that may affect the safety skill.

E.5.4 Data Analysis

The data analysis will result in a pass or no-pass. A pass will be when the results of the validation tests show that at no instant the monitored point moved outside of the ROM volume. During the data analysis the ROM limitation settings should be known. A no-pass will occur when the monitored point moves outside the ROM volume, taking the accuracy of the measurement system into account.

Very short “overshoots” in movement may be allowable. However, these acceptability criteria should be specified and properly documented by the manufacturer. These criteria should consist of a maximum overshoot magnitude, combined with a maximum duration of the overshoot.

E.5.5 Report

The following data need to be present in the documentation:
• if applicable: description of the support settings of the robot system;
• descriptions of the various test sequences executed;
• start/end point + direct path/prescribed path;
• robot speed under which the tests were performed;
• load applied to the robot system;
• system conditions (e.g. normal use, SFC, or even functional stop/reset, emergency stop);
• pass or no pass result derived from analyzed data (yes/no);
• Within ROM: Provide logging/tracking information.
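The rate rules of E.4.1/E.4.2 and the pass/no-pass decision of E.5.4 can be scripted as follows; this is an added example, not part of the CWA. It assumes a hypothetical spherical-shell ROM around the reference point, counts a sample as outside only when the measured excursion exceeds the measurement accuracy, uses a simple forward-backward first-order filter as a stand-in zero-lag filter, and runs on constructed marker data; all function names are illustrative.

```python
import math

def check_rates(fs_hz, cutoff_hz, f_motion_hz):
    """E.4.1 / E.4.2: acquisition rate >= 10x and filter cut-off >= 5x the highest
    expected frequency component of the principal robot motion."""
    return {"acquisition_ok": fs_hz >= 10 * f_motion_hz,
            "cutoff_ok": cutoff_hz >= 5 * f_motion_hz}

def zero_lag_lowpass(xs, fs_hz, cutoff_hz):
    """First-order low-pass run forward, then backward, so the phase lag cancels.
    Simple stand-in: the two passes attenuate more than one pass at cutoff_hz."""
    alpha = 1.0 / (1.0 + fs_hz / (2.0 * math.pi * cutoff_hz))
    def one_pass(seq):
        out = [seq[0]]
        for x in seq[1:]:
            out.append(out[-1] + alpha * (x - out[-1]))
        return out
    return one_pass(one_pass(xs)[::-1])[::-1]

def filter_track(track, fs_hz, cutoff_hz):
    """Filter each coordinate of a list of (x, y, z) marker samples."""
    columns = [zero_lag_lowpass(list(c), fs_hz, cutoff_hz) for c in zip(*track)]
    return list(zip(*columns))

def reach_rom(r_min_mm, r_max_mm):
    """Hypothetical ROM shape: the distance between reference point and monitored
    point must stay within [r_min_mm, r_max_mm]. The returned function gives how
    far (mm) a relative position lies outside that volume (0.0 when inside)."""
    def excursion_mm(rel):
        d = math.sqrt(sum(c * c for c in rel))
        return max(r_min_mm - d, d - r_max_mm, 0.0)
    return excursion_mm

def analyse_test(ref_track, mon_track, fs_hz, excursion_mm, accuracy_mm=10.0,
                 max_overshoot_mm=0.0, max_overshoot_s=0.0):
    """Group consecutive out-of-ROM samples into overshoot episodes and compare
    each with the manufacturer's criteria (maximum magnitude and duration).
    Assumption: excursions not larger than accuracy_mm are not counted."""
    episodes, current = [], None
    for i, (ref, mon) in enumerate(zip(ref_track, mon_track)):
        rel = tuple(m - r for m, r in zip(mon, ref))  # displacement relative to reference
        outside = excursion_mm(rel)
        if outside > accuracy_mm:
            if current is None:
                current = {"start_s": i / fs_hz, "frames": 0, "peak_mm": 0.0}
            current["frames"] += 1
            current["peak_mm"] = max(current["peak_mm"], outside)
        elif current is not None:
            episodes.append(current)
            current = None
    if current is not None:
        episodes.append(current)
    for ep in episodes:
        ep["duration_s"] = ep.pop("frames") / fs_hz
        ep["acceptable"] = (ep["peak_mm"] <= max_overshoot_mm
                            and ep["duration_s"] <= max_overshoot_s)
    return {"passed": all(ep["acceptable"] for ep in episodes), "episodes": episodes}

# Constructed sample data (not measured): 100 fps, fixed reference marker, monitored
# marker moving radially from 300 mm to a brief overshoot beyond a 600 mm limit.
FS_HZ = 100
REF = (100.0, 50.0, 0.0)
DISTANCES_MM = [300] * 100 + list(range(300, 600, 5)) + [612, 618, 620, 618, 612] + [600] * 100
REF_TRACK = [REF] * len(DISTANCES_MM)
MON_TRACK = [(REF[0] + d, REF[1], REF[2]) for d in DISTANCES_MM]

if __name__ == "__main__":
    rom = reach_rom(150.0, 600.0)
    print(check_rates(FS_HZ, cutoff_hz=10, f_motion_hz=2))
    print("no overshoot allowed:", analyse_test(REF_TRACK, MON_TRACK, FS_HZ, rom))
    print("25 mm / 0.1 s allowed:", analyse_test(REF_TRACK, MON_TRACK, FS_HZ, rom,
                                                 max_overshoot_mm=25.0, max_overshoot_s=0.1))
    filtered = filter_track(MON_TRACK, FS_HZ, 10)
    print("after 10 Hz filter:", analyse_test(REF_TRACK, filtered, FS_HZ, rom))
```

The episode list (start time, peak magnitude, duration) is the kind of logging information the report in E.5.5 asks for alongside the pass or no-pass result.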

E.6 Bibliography

[E.1] EN ISO 8373:2012, Robots and robotic devices - Vocabulary
[E.2] ISO 10218-1:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots
[E.3] EN ISO 10218-2:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 2: Robot systems and integration
[E.4] IEC 80601-2-78:2019, Medical electrical equipment — Part 2-78: Particular requirements for basic safety and essential performance of medical robots for rehabilitation, assessment, compensation or alleviation
[E.5] IEC 60601-1:2021, Medical electrical equipment - Part 1: General requirements for basic safety and essential performance

E.7 Appendix - Report Form

Test date:
ID of tester:
Sequence ID (Seq#):
Hazard ID:

Description of robot system under validation:

Measurement system used:
Measurement system calibration date:
Measurement accuracy:

Condition (Normal/SFC):
Description (SFC):
Functional stop?
Emergency stop?
Max velocity (m/s):
Applied load (kg):
Inclination angle (°):
Total system acc (m/s²):

Reference point location (relative to robot system position): X: Y: Z:

Support level settings of the robot system
Support level:

ROM description
Location of ROM description file / description of ROM limits:

Test ID (Seq#-id) | Start point | End point | Stayed in ROM (Y/N) | Collisions (Y/N) | Pass? (Y/N)
Motion path datafile:

Seq#-ID | Start | End | In ROM | Collisions | Pass?
Motion path datafile:

Seq#-ID | Start | End | In ROM | Collisions | Pass?
Motion path datafile:

…

Seq#-ID | Start | End | In ROM | Collisions | Pass?
Motion path datafile:

Final information about the test

Date of testing:
Name of tester:
Overall conclusion:
Signature:


Bibliography

[1] EN ISO 14971:2020, Medical devices – Application of risk management to medical devices;

[2] ISO/TR 24971, Medical devices — Guidance on the application of ISO 14971;

[3] ISO/TR 23482-1:2020, Robotics — Application of ISO 13482 — Part 1: Safety-related test methods;

[4] ISO/TS 15066:2016, Robots and robotic devices – Collaborative robots;

[5] IEC 80601-2-78:2019, Medical electrical equipment — Part 2-78: Particular requirements for basic safety and essential performance of medical robots for rehabilitation, assessment, compensation or alleviation;

[6] EN ISO 13482:2014, Robots and robotic devices – Safety requirements for personal care robots;

[7] Martinetti, A., Chemweno, P., Nizamis, K., & Fosch-Villaronga, E. (2021) Redefining safety in light of human-robot interaction. Manuscript submitted to Applied Sciences, MDPI.

[8] Fosch-Villaronga, E. and Virk, G. S. (2016) Legal Issues for Mobile Servant Robots. In: Rodić, A. and Borangiu, T. (2016) Proceedings of the 25th Conference on Robotics Alpe-Adria-Danube Region. Advances in Robot Design and Intelligent Control, Springer.

[9] EN ISO 8373:2012, Robots and robotic devices – Vocabulary;

[10] EN ISO 10218-2:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 2: Robot systems and integration;

[11] ISO/TR 23482-2:2019, Robotics — Application of ISO 13482 — Part 2: Application guidelines;

[12] ISO/IEC Guide:2019, Guide to the development and inclusion of aspects of safety in International Standards for medical devices;

[13] EN ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and risk reduction;

[14] ISO/DIS 10218-2:2020, Robotics — Safety requirements for robot systems in an industrial environment — Part 2: Robot systems, robot applications and robot cells integration;

[15] European Parliament. Directive 2006/42/EC on Machinery; European Parliament: Brussels, Belgium, 2006;

[16] European Parliament. Regulation (EU) 2017/745 on Medical Devices; European Parliament: Brussels, Belgium, 2017;

[17] European Parliament. Low Voltage Directive 2014/13/EU; European Parliament: Brussels, Belgium, 2013;

[18] European Parliament. Directive 2014/30/EU on the Harmonization of the Laws of the Member States Relating to Electromagnetic Compatibility; European Parliament: Brussels, Belgium, 2014;


[19] European Parliament. Radio Equipment Directive 2014/53/EU; European Parliament: Brussels, Belgium, 2014;

[20] European Parliament. Directive 2001/95/EC on General Product Safety; European Parliament: Brussels, Belgium, 2001;

[21] Council of the European Communities. Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, 1985;

[22] European Parliament. Directive 2014/34/EU on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres; European Parliament: Brussels, Belgium, 2014;

[23] European Parliament. Regulation 1907/2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH); European Parliament: Brussels, Belgium, 2014;

[24] Council directive 89/391/EEG on the introduction of measures to encourage improvements in the safety and health of workers at work, 1989;

[25] EN 60204-1:2018, Safety of machinery - Electrical equipment of machines - Part 1: General requirements;

[26] EN ISO 10218-1:2011, Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots;

[27] EN ISO 3691-4:2020, Industrial trucks — Safety requirements and verification — Part 4: Driverless industrial trucks and their systems;

[28] EN ISO 14155:2020, Clinical investigation of medical devices for human subjects — Good clinical practice;

[29] IEC 60601-1:2020, Medical electrical equipment - Part 1: General requirements for basic safety and essential performance;

[30] IEC 80601-2-77:2019, Medical electrical equipment — Part 2-77: Particular requirements for the basic safety and essential performance of robotically assisted surgical equipment;

[31] IEC TR 60601-4-1:2017, Medical electrical equipment - Part 4-1: Guidance and interpretation - Medical electrical equipment and medical electrical systems employing a degree of autonomy;

[32] EN 1325:2014, Value Management - Vocabulary - Terms and definitions;

[33] EN 16271:2013, Value management - Functional expression of the need and functional performance specification - Requirements for expressing and validating the need to be satisfied within the process of purchasing or obtaining a product;

[34] ISO/IEC/IEEE 24765:2017, Systems and software engineering — Vocabulary.

[35] Valori M.; Scibilia A.; Fassi I.; Saenz J.; Behrens R.; Herbster S.; Bidard C.; Lucet E.; Magisson A.; Schaake L.; Bessler J.; Prange-Lasonder G.B.; Kühnrich M.; Lassen A.B.; Nielsen K. (2021). Validating Safety in Human–Robot Collaboration: Standards and New Perspectives. Robotics 10, no. 2: 65.


[36] Bessler J., Prange-Lasonder G.B., Schaake L., Saenz J.F., Bidard C., Fassi I., Valori M., Lassen A.B. and Buurke J.H. (2021). Safety Assessment of Rehabilitation Robots: A Review Identifying Safety Skills and Current Knowledge Gaps. Frontiers in Robotics and AI, Vol. 8.

[37] EN ISO 18497:2019, Agricultural machinery and tractors – Safety of highly automated agricultural machines - Principles for design;

[38] ISO/WD 5363, Robotics — Test methods for Walking RACA Robot;

[39] ISO 18646-1:2016, Robotics — Performance criteria and related test methods for service robots — Part 1: Locomotion for wheeled robots;

[40] ISO 18646-2:2019, Robotics — Performance criteria and related test methods for service robots — Part 2: Navigation;

[41] ISO/DIS 18646-3, Robotics — Performance criteria and related test methods for service robots — Part 3: Manipulation;

[42] ISO/FDIS 18646-4, Robotics — Performance criteria and related test methods for service robots — Part 4: Lower-back support robots;

[43] EN ISO 19649:2017, Mobile robots – Vocabulary;

[44] EN ISO 13857:2020, Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs;

[45] EN ISO 13855:2010 Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body.
