Certifying the safe design of a virtual fixture control algorithm for a surgical robot
Proceedings of the 16th international conference on Hybrid systems: computation and control - HSCC '13
We applied quantified differential-dynamic logic (QdL) to analyze a control algorithm designed to provide directional force feedback for a surgical robot. We identified problems with the algorithm, proved that it was in general unsafe, and described exactly what could go wrong. We then applied QdL to guide the development of a new algorithm that provides safe operation along with directional force feedback. Using KeYmaeraD (a tool that mechanizes QdL), we created a machine-checked proof that
guarantees the new algorithm is safe for all possible inputs.

... can be prone to subtle, unexpected errors. It is easy to see how safety-critical such systems are: a bug in the implementation, or an error in the algorithm that controls the surgical tool, might cause it to make the wrong incision, with devastating consequences for the patient. The usual approach today for ensuring the safety of complex systems is careful design, thoughtful examination of the algorithms, and testing. This approach was applied in  , where the authors built the system and tested the final product with a surgical procedure on a cadaver. Testing is useful, but it only shows the presence of bugs, not their absence.

This paper describes the analysis of one safety property of a skull-base surgery (SBS) robot algorithm, described in  , to help ensure its safe and predictable operation. Rather than taking a testing approach, we apply formal methods to analyze the control algorithm of interest. This rigorous analysis ensures that the algorithm and the hardware it controls behave predictably and safely for all possible inputs, rather than only for the finitely many inputs that a test suite can exercise. The guarantee we seek is therefore much more comprehensive, and can lead to much safer and more predictable systems.

The contribution of this work is that it helps explore how to usefully apply newly developed formal approaches to practical systems. This has two benefits: first, it helps guide the development and refinement of logics and tools by identifying what is necessary to put these techniques into widespread use; second, it helps the development of practical robotic systems by introducing new formal methods as a powerful and maturing set of design tools.