Regulatory Challenges in Service Robotics

Introduction

Lately, there has been a surge in the use of service robots that act as cleaning, advertising, and delivery bots. They can be found in restaurants, airports, and office spaces. While startups can launch such products quickly, this raises the question of whether these designs meet the legal requirements and what the consequences of non-compliance are. Designing a robot that complies with the regulations is itself a challenging task.

Regulatory Requirements

Developers of service robots must satisfy many requirements that usually fall into categories such as functional, performance, transportation, environmental, interface, human factors, physical, product assurance, verification, safety, and regulatory. Some may assume that designing a robot that is safe according to their own understanding is sufficient; it is not. The difficulty comes from the complexity of robots and from the ambiguity of what it means for a product to be safe. To achieve the required safety levels, countries and unions implement regulations that must be met. In many industrial sectors the regulations are well established and their interpretation is straightforward, but the situation is different for robots intended for the consumer space. Here, mandatory regulations usually state the requirements only in a generic sense, and regulatory bodies and courts expect the highest achievable level of safety, demonstrated by following the applicable safety standards and implementing state-of-the-art solutions.


What are the consequences of non-compliance?

The consequences of non-compliance depend on many factors, including the country of operation, the degree of non-compliance, how the non-compliance was discovered, the inspecting authority if an accident happens, and most importantly… what the judge ate for breakfast (unfortunately, if you do not obey the law, you are at the mercy of higher authorities).

This table may help you understand the possible consequences of non-compliance.


Why are service robots challenging to design?

Service robots raise many safety concerns, especially since they navigate around untrained people and operate in constantly changing environments. By contrast, industrial robot cells are located in manufacturing plants, where personnel are trained and the robots are confined within guarded cells. Such a setup dramatically reduces the likelihood of hazardous situations.

The ideal approach to assuring the safety of service robots is a risk-based safety analysis, combined with requirements to verify the safety-related functions and their performance. The main challenge in achieving full compliance comes from the complexity of the system and the complicated nature of the recommended practices.

Meeting the functional and performance requirements of a service robot is already complex, as it often requires autonomous decision-making (for example SLAM) and interaction with people and the environment. The robotic system must be designed with attention not only to its kinematic and dynamic properties but also to the thermal and EMC domains, and product assurance requirements must be included as well. Adding the regulatory requirements on top makes the job much harder, as it demands a safe working methodology, a more sophisticated control architecture, and full verification of the achieved performance of the safety functions.

For instance, consider ISO 13482 (Robots and robotic devices – Safety requirements for personal care robots). Section 6 (Safety-related control system requirements) gives the required performance levels for the crucial safety functions used in service robots, including emergency stop and protective stop functions, workspace limiting functions, safety-related speed and force control, and hazardous collision avoidance. If the service robot is classified as a mobile servant robot that is fast or fitted with manipulators (Type 1.2), the minimum performance level of these functions is d. If the robot is an autonomous person carrier robot (Type 3.2), the required performance level is e. In ISO 13849-1 terms, PL d corresponds to an average probability of a dangerous failure per hour between 10^-7 and 10^-6 (comparable to SIL 2), and PL e to between 10^-8 and 10^-7 (comparable to SIL 3). These levels are very demanding and comparable to what is expected in aviation, space, and medical devices.

Extracting the applicable requirements from the selected standards starts with a risk assessment, since only the requirements relevant to the identified hazards need to be considered. The introduction to ISO 13482 gives detailed guidance on how to extract the requirements from the standard. The most important points are:

1.       ISO 13482 includes additional information in line with ISO 12100 (Safety of machinery – General principles for design – Risk assessment and risk reduction) and adopts the approach proposed in ISO 13849-1 (Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design) and IEC 62061 (Safety of machinery – Functional safety of safety-related control systems).

2.       A risk assessment is conducted to determine the protective measures needed.

3.       ISO 13482 complements ISO 10218-1 (Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots).

4.       As usual, the following verbs determine the level of obligation of each statement:

a.       “shall” indicates a requirement;

b.       “should” indicates a recommendation;

c.       “may” indicates permission;

d.       “can” indicates a possibility or a capability.

5.       Once the risk assessment is complete, the applicable requirements can be extracted from each chapter of the standard.

ISO 13482 stipulates (section 4.1) that the risk assessment must be carried out according to ISO 12100. It also lists specific hazards that shall be considered during the risk assessment. Once the hazards associated with the service robot have been identified, the robot must be designed to bring all of the associated risks down to an acceptable level.

There are many acceptable methodologies for carrying out the risk assessment. One of the most powerful approaches is to combine the risk assessment principles of ISO 12100, IEC 61508, and ISO 14971 (Medical devices – Application of risk management to medical devices) while working under a well-established quality management system, e.g., one compliant with ISO 13485.

Following the three-step method of ISO 12100, inherently safe design measures should be used first to reduce risk; where that is not possible, the second step is to add safeguarding and complementary protective measures; any remaining residual risk is then addressed in the third step by information for use (warnings, markings, instructions, and training).

Consider a mobile servant robot designed to carry packages in an office space. This robot is exposed to hazards arising from incorrect autonomous decisions. For the hazardous situation of the robot colliding with a person, we start by applying inherently safe design principles, for example by making the robot small and lightweight and by limiting its speed so that a collision with a person causes no injury. If that is not fully possible, we can still limit the power of the drives to reduce the crushing force. If an inherently safe design cannot be achieved, the second step is to add safety control measures in the form of safeguards, for example:

-          an emergency stop button,

-          a protective stop based on the fusion of signals from at least two different sensor types, e.g., lidar, camera, or radar,

-          a safeguard around the robot (e.g., a bumper) based on at least two different sensor types, e.g., tactile switches and force sensors.


Functional Safety

If the protective measures are implemented through a control system, the safety aspects become more complicated and must be assured by applying functional safety principles. Functional safety means that the system operates correctly in all situations, including failures of sensors, actuators, and controllers, or fails in a predictable way. It is a standard approach in industries such as aviation, automotive, aerospace, medical, and explosives, among others.

One of the most important functional safety standards is IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). It has been adapted to various industries; the adaptations most relevant to mobile service robots are probably IEC 62061 (machinery) and ISO 26262 (automotive).

The previous section showed that the required performance level for common service robots will be d or higher. A detailed analysis of ISO 13849-1 (Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design) shows that the commonly used single-channel architecture, in which one input sensor and one output actuator are controlled by a microcontroller without further measures, cannot achieve this. Performance levels d and e correspond to a high level of risk reduction. Safety functions must be designed to detect and prevent hazardous situations or to reduce the risks to an acceptable level, and the safety-related parts of the control system must be built from suitable components. Each function must go through the verification and validation process required by the standard, and everything must be properly documented. The whole development should follow a well-established development methodology under a quality management system, for example one compliant with ISO 13485.

Performance level e requires a Category 3 or Category 4 architecture, so that a single fault does not lead to the loss of the safety function. These are redundant, two-channel architectures. In addition, redundancy of the sensory information requires two different types of sensors (as per UL 3300). Such architectures require properly designed diagnostic functions for the sensors, actuators, and logic units, as well as expert knowledge of how to test and document the system. The software must also follow stringent requirements; for example, it should be written following the MISRA C guidelines.
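To make the two-channel idea concrete, here is an added example (not code from the original article, and not taken from any standard) of the protective-stop evaluation suggested earlier for the package-carrying robot: two different range sensors, assumed to be a lidar and a radar looking along the direction of travel, each pass their own plausibility diagnostics, then are cross-compared, and motion is only permitted when both channels are healthy and agree. The thresholds (STOP_DISTANCE_MM, CHANNEL_TOL_MM, MAX_RANGE_MM, MAX_SAMPLE_AGE_MS) and the scenario values in main are illustrative assumptions chosen for this example.

```c
/* Added example (not from the article): two-channel protective-stop logic
 * in the style of an ISO 13849-1 Category 3 architecture. A single fault
 * in either channel drives the output to the safe state rather than
 * silently degrading to a single sensor. All thresholds are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STOP_DISTANCE_MM    600u    /* assumed: stop if an obstacle is closer than this */
#define CHANNEL_TOL_MM      150u    /* assumed: max allowed disagreement between channels */
#define MAX_RANGE_MM        12000u  /* assumed: readings above this are physically implausible */
#define MAX_SAMPLE_AGE_MS   100u    /* assumed: a sample older than this is stale */

typedef enum {
    MOTION_PERMITTED = 0,   /* both channels healthy, path clear */
    PROTECTIVE_STOP  = 1,   /* both channels healthy, obstacle inside stop distance */
    SAFE_STATE_FAULT = 2    /* a channel fault was detected: stop */
} stop_decision_t;

typedef struct {
    uint32_t range_mm;      /* distance to nearest obstacle reported by the sensor */
    uint32_t timestamp_ms;  /* time the sample was produced */
    bool     valid;         /* sensor self-test / frame CRC passed */
} range_sample_t;

/* Single-channel diagnostics: reject invalid, implausible or stale data.
 * A failure here must never be masked by the other channel. */
static bool channel_plausible(const range_sample_t *s, uint32_t now_ms)
{
    if (!s->valid) {
        return false;
    }
    if (s->range_mm > MAX_RANGE_MM) {
        return false;
    }
    if ((now_ms - s->timestamp_ms) > MAX_SAMPLE_AGE_MS) {
        return false;
    }
    return true;
}

/* Two-channel evaluation with cross-monitoring. Any single fault (dead
 * sensor, stuck value, stale frame, channel disagreement) yields the
 * safe state; otherwise the shorter of the two ranges decides. */
stop_decision_t evaluate_protective_stop(const range_sample_t *chan_a,
                                         const range_sample_t *chan_b,
                                         uint32_t now_ms)
{
    uint32_t diff;
    uint32_t nearest;

    if (!channel_plausible(chan_a, now_ms) || !channel_plausible(chan_b, now_ms)) {
        return SAFE_STATE_FAULT;
    }

    /* Cross-monitoring: the channels must agree within tolerance. */
    diff = (chan_a->range_mm > chan_b->range_mm)
         ? (chan_a->range_mm - chan_b->range_mm)
         : (chan_b->range_mm - chan_a->range_mm);
    if (diff > CHANNEL_TOL_MM) {
        return SAFE_STATE_FAULT;
    }

    /* Decide on the more conservative (shorter) of the two ranges. */
    nearest = (chan_a->range_mm < chan_b->range_mm) ? chan_a->range_mm : chan_b->range_mm;
    return (nearest < STOP_DISTANCE_MM) ? PROTECTIVE_STOP : MOTION_PERMITTED;
}

/* Convenience wrapper: build two samples at a fixed "now" and evaluate them.
 * a_age_ms / b_age_ms are how old each sample is when evaluated. */
stop_decision_t run_scenario(uint32_t a_mm, uint32_t b_mm,
                             uint32_t a_age_ms, uint32_t b_age_ms,
                             bool a_valid, bool b_valid)
{
    const uint32_t now_ms = 10000u;
    range_sample_t a = { a_mm, now_ms - a_age_ms, a_valid };
    range_sample_t b = { b_mm, now_ms - b_age_ms, b_valid };
    return evaluate_protective_stop(&a, &b, now_ms);
}

int main(void)
{
    /* Constructed scenarios, not measurements from any real robot. */
    static const char *names[] = { "MOTION_PERMITTED", "PROTECTIVE_STOP", "SAFE_STATE_FAULT" };
    printf("clear path, both healthy:        %s\n", names[run_scenario(2000u, 1950u, 20u, 20u, true, true)]);
    printf("person at 0.5 m, both healthy:   %s\n", names[run_scenario(500u, 540u, 20u, 20u, true, true)]);
    printf("lidar frame stale (250 ms):      %s\n", names[run_scenario(2000u, 1950u, 250u, 20u, true, true)]);
    printf("radar self-test failed:          %s\n", names[run_scenario(2000u, 1950u, 20u, 20u, true, false)]);
    printf("lidar stuck at 9 m, radar 0.5 m: %s\n", names[run_scenario(9000u, 500u, 20u, 20u, true, true)]);
    return 0;
}
```

The point of the last scenario is the one a single-channel design gets wrong: a lidar stuck at an old reading reports a clear path while the radar sees a person half a metre away, and the cross-comparison turns that disagreement into a stop instead of trusting either sensor. In a real Category 3 implementation the decision logic itself would also be duplicated (two microcontrollers or a lockstep core, each driving its own motor-enable path) and the stale-sample check would be backed by a hardware watchdog, neither of which this single-process illustration shows.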

This is why designing a robot for the consumer space is such a complicated task, and why it is difficult to find suitable engineers: only a few universities cover regulatory and system architecture topics.


Summary

The consequences of launching a product that could harm people are severe. Even without a harmful incident, the consequences for the company and its leaders include fines, penalties, and even criminal prosecution. The purpose of such strict legislation is to protect people from harm. To avoid problems, it is important to carry out the development in accordance with the regulatory requirements.


References

·       ISO 13482 – Robots and robotic devices – Safety requirements for personal care robots

·       IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems

·       ISO 26262 – Road vehicles – Functional safety

·       ISO 12100 – Safety of machinery – General principles for design – Risk assessment and risk reduction

·       ISO 13485 – Medical devices – Quality management systems – Requirements for regulatory purposes

·       UL 3300 – UL LLC Outline of Investigation for Service, Communication, Information, Education and Entertainment Robots

·       ISO 13849-1 – Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design

·       IEC 62061 – Safety of machinery – Functional safety of safety-related control systems

·       ISO 14971 – Medical devices – Application of risk management to medical devices

·       ISO 10218-1 – Robots and robotic devices – Safety requirements for industrial robots – Part 1: Robots