Risk Analysis for MRC-II System
This document contains the Risk Analysis (also called Hazard Analysis) for the MRC-II System (Modular Robot Controller – II). The MRC-II System will replace the MRC Software that is currently in use.
The MRC-II System is not an application, but rather an infrastructure for implementing Computer-Integrated Surgery applications. Therefore, it is not possible to perform a Risk Analysis in the classical sense; for example, we cannot determine the severity of a particular failure.
This document contains a Failure Modes and Effects Analysis (FMEA) of the MRC-II System in a standard tabular format, with the following columns:
• Ref.#: a reference number
• Item/Function: the component or function being analyzed
• Failure Mode: the potential failure
• Effect on System: the effect of the failure on the system
• Cause: the potential cause(s) of the failure; unrelated causes are listed in separate rows
• Methods of Control: the design features that prevent or mitigate the failure mode or cause
The following risk assessment items, normally present in a Failure Modes, Effects and Criticality Analysis (FMECA), are not included:
• Severity (S): the seriousness of the effect of the potential failure mode
• Occurrence (O): the likelihood that a particular fault will occur
• Detection (D): the ability to detect the failure mode or its cause
• Risk Priority Number (RPN): the product (S) × (O) × (D)
The RPN is used to prioritize the safety design process. It is not uncommon for an FMECA to contain an initial risk assessment (before the design and implementation of Methods of Control) and a final risk assessment that includes the effect of the Methods of Control.
| Rev | Date | Description |
| --- | --- | --- |
| 1 | 2/10/03 | Initial Version (changes tracked by date for now) |
|
| Ref.# | Item/Function | Failure Mode | Effect on System | Cause | Methods of Control |
| --- | --- | --- | --- | --- | --- |
| 1 | | Incorrect system configuration | Unpredictable robot operation | Error in creation of configuration file | Parsing software checks for entry errors |
| 2 | | Incorrect system configuration | Unpredictable robot operation | Corrupted value in configuration file | None (could add CRC or checksum to file) |
| 3 | | Invalid command or parameters | Incorrect robot operation | Data corruption in network | Data integrity check on network packets |
| 4 | | Conflicting commands | Unpredictable robot operation | More than one User Application attempting control | Only allow one application to serve as Controller; others can be Observers. |
| 5 | | Incorrect feedback data | Incorrect user display; incorrect robot action | Data updated by real-time loop in middle of read | Software mutual exclusion mechanism |
| 6 | | Ceases to execute | Robot does not respond to commands | Computer or software failure; loss of trigger (interrupt) | Servo Control Loop acts as external watchdog and disables motor power |
| 7 | | Does not finish in time | Loss of control performance | Unreliable interrupt source; too much computation; interference from other tasks | Check for loop overrun; system performance measurements; choice of operating system |
| 8 | | Invalid command or parameters | Incorrect robot operation | Read data in middle of Robot Server write | Software mutual exclusion mechanism |
| 9 | | Incorrect joint goals | Incorrect robot motion | Software error in trajectory generation | Check for reasonable joint goals (e.g., within velocity limits) |
| 10 | | Loss of joint coordination | Incorrect robot motion | Failure in one or more joints | Disable power to all robot joints |
| 11 | | Ceases to execute | Robot continues last commanded motion | Computer or software failure; loss of trigger (interrupt) | External watchdog to disable motor power if not refreshed |
| 12 | | Does not finish in time | Loss of control performance | Unreliable interrupt source; too much computation; interference from other tasks | Check for loop overrun; system performance measurements; choice of operating system |
| 13 | | Incorrect setpoints | Incorrect robot motion | Incorrect joint goals, interpolation error | Check maximum tracking error |
| 14 | | Incorrect setpoints | Incorrect robot motion | Read data in middle of Trajectory Control Loop update | Software mutual exclusion mechanism |
| 15 | | Incorrect position feedback | Incorrect robot motion | Failed sensor or interface hardware | Check maximum tracking error; redundant sensors; encoder error detection |
| 16 | | Joint stops moving | Incorrect robot motion | Failed motor or power amplifier | Check maximum tracking error; check amplifier status |
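Several of the Methods of Control in the table apply to a periodic control loop: the loop overrun check (rows 7 and 12), the reasonable joint goal check (row 9), the maximum tracking error check (rows 13, 15 and 16), an external watchdog that removes motor power when the loop stops refreshing it (rows 6 and 11), and removal of power from all joints on any fault (row 10). The following C program shows those checks together in one validated loop step. It is an added illustration and not MRC-II code: the type and function names, the limit values, the single motor-power enable, the tick-counting watchdog model and the scenario inputs are all assumptions constructed for the example.

```c
/* Added example (not MRC-II code): run-time checks from the FMEA's
 * "Methods of Control" column for a periodic control loop.
 * All names, limits and the watchdog model are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define NUM_JOINTS 3

typedef enum {
    FAULT_NONE = 0,
    FAULT_LOOP_OVERRUN,   /* loop did not finish within its period (rows 7, 12) */
    FAULT_JOINT_GOAL,     /* goal implies a velocity above the joint limit (row 9) */
    FAULT_TRACKING_ERROR  /* feedback too far from the last setpoint (rows 13, 15, 16) */
} fault_t;

typedef struct {
    double period_s;                        /* nominal loop period */
    double max_velocity[NUM_JOINTS];        /* per-joint velocity limit */
    double max_tracking_error[NUM_JOINTS];  /* per-joint tracking error limit */
    unsigned watchdog_timeout_ticks;        /* ticks allowed without a refresh */
} loop_limits_t;

typedef struct {
    double last_goal[NUM_JOINTS];  /* setpoint commanded in the previous period */
    unsigned watchdog_ticks;       /* ticks since the loop last refreshed the watchdog */
    bool motor_power;              /* assumed single power enable for all joints */
} loop_state_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Assumed limits shared by the scenarios below (constructed values). */
static const loop_limits_t LIMITS = {
    0.001, {1.0, 1.0, 1.0}, {0.01, 0.01, 0.01}, 3
};

static loop_state_t fresh_state(void) {
    loop_state_t s = {{0.0, 0.0, 0.0}, 0, true};
    return s;
}

/* Row 10: any detected fault removes power from all joints, not just one. */
static void handle_fault(loop_state_t *s, fault_t f) {
    if (f != FAULT_NONE) s->motor_power = false;
}

/* Validate one loop step. Returns FAULT_NONE or the first fault found.
 * On success the goal is accepted and the watchdog is refreshed. */
fault_t check_step(const loop_limits_t *lim, loop_state_t *s,
                   const double goal[NUM_JOINTS],
                   const double feedback[NUM_JOINTS],
                   double elapsed_s)
{
    fault_t f = FAULT_NONE;
    if (elapsed_s > lim->period_s) {
        f = FAULT_LOOP_OVERRUN;  /* rows 7 and 12: loop overrun */
    }
    for (int j = 0; j < NUM_JOINTS && f == FAULT_NONE; j++) {
        /* rows 13, 15, 16: feedback is compared with the previous setpoint */
        if (absd(feedback[j] - s->last_goal[j]) > lim->max_tracking_error[j]) {
            f = FAULT_TRACKING_ERROR;
        } else if (absd(goal[j] - s->last_goal[j]) / lim->period_s > lim->max_velocity[j]) {
            f = FAULT_JOINT_GOAL;  /* row 9: goal must be within velocity limits */
        }
    }
    if (f != FAULT_NONE) {
        handle_fault(s, f);
        return f;
    }
    for (int j = 0; j < NUM_JOINTS; j++) s->last_goal[j] = goal[j];
    s->watchdog_ticks = 0;  /* refresh the (simulated) external watchdog */
    return FAULT_NONE;
}

/* Rows 6 and 11: simulated external watchdog, ticked by an independent monitor.
 * Disables motor power once the loop has stopped refreshing it. */
bool watchdog_tick(const loop_limits_t *lim, loop_state_t *s) {
    if (++s->watchdog_ticks > lim->watchdog_timeout_ticks) s->motor_power = false;
    return s->motor_power;
}

/* One loop step from a fresh state with constructed inputs; returns the fault found. */
fault_t scenario(double goal0, double feedback0, double elapsed_s) {
    loop_state_t s = fresh_state();
    double goal[NUM_JOINTS] = {goal0, 0.0, 0.0};
    double feedback[NUM_JOINTS] = {feedback0, 0.0, 0.0};
    return check_step(&LIMITS, &s, goal, feedback, elapsed_s);
}

/* Motor power after the loop has silently stopped for missed_ticks ticks. */
bool power_after_missed_ticks(unsigned missed_ticks) {
    loop_state_t s = fresh_state();
    for (unsigned i = 0; i < missed_ticks; i++) watchdog_tick(&LIMITS, &s);
    return s.motor_power;
}

int main(void) {
    printf("normal step:  %d\n", scenario(0.0005, 0.0, 0.0005));   /* 0 = FAULT_NONE */
    printf("overrun:      %d\n", scenario(0.0005, 0.0, 0.0020));   /* 1 */
    printf("bad goal:     %d\n", scenario(0.0050, 0.0, 0.0005));   /* 2 */
    printf("tracking err: %d\n", scenario(0.0005, 0.05, 0.0005));  /* 3 */
    printf("power after 4 missed ticks: %d\n", power_after_missed_ticks(4));  /* 0 */
    return 0;
}
```

The tracking error check compares feedback with the setpoint commanded in the previous period, so it catches a failed sensor, a failed amplifier and a bad interpolated setpoint alike without having to tell them apart; that is why the table lists the same control for rows 13, 15 and 16. The watchdog is deliberately modelled outside check_step: it only helps if it is driven by something that keeps running when the loop itself has stopped.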