robotic surgery-ieee papers


Formal Verification of Plans

By Riccardo Muradore, Davide Bresolin, Luca Geretti, Paolo Fiorini, and Tiziano Villa

In this article, we discuss formal methods for the verification of properties of control systems designed for autonomous robotic systems. In the last few decades, robotics has played a relevant role in the progress of surgery. The use of robots in the operating rooms has given rise to new terminologies: robot-assisted surgery, medical robotics, rehabilitation robotics, telesurgery, robotic assistive systems, and so on [15], [25], [5].

Since robotic surgery is a relatively new field of investigation, there are no established methods for bringing new concepts and operational procedures to the surgical practice, in spite of the interest and pressing requests of the medical community.

24 • IEEE ROBOTICS & AUTOMATION MAGAZINE • SEPTEMBER 2011 • 1070-9932/11/$26.00 ©2011 IEEE

Digital Object Identifier 10.1109/MRA.2011.942112

Date of publication: 13 September 2011 © INGRAM PUBLISHING & ISTOCK PHOTO.COM/PAUL FLEET

Teleoperated surgery has already proven its advantages by improving safety, accuracy, reproducibility, and decreasing human fatigue, but more is expected when advanced features, such as force feedback, become commonplace in commercial robotic systems [8], [18], [12], [11]. Another challenging frontier is autonomous robotic surgery (ARS), whose aim is to perform simple tasks without the presence or telepresence of surgeons [7]. Therefore, with ARS, basic tasks will be executed by robots, allowing the surgeons to focus only on the most difficult aspects of the intervention. This implies that we need to design an overall control architecture, based on stabilizing controllers, that guarantees the successful accomplishment of the surgical task, independent of uncertainties and unmodeled subsystems. Apart from the execution of the nominal plan of the intervention, such a control architecture needs to analyze unforeseen and unexpected events and take proper actions to ensure the safety of the patient, including informing the surgeon that human intervention is necessary.

Although still far in the future, ARS is an area of strategic interest and high social impact. To make these new technologies acceptable for patients and surgeons, ARS demands methods and models for assessing its quality and impact on procedures, instrumentation, safety regulations, standards, and personnel training. The long-term objectives in ARS are:

1) to identify the critical aspects of automation in robotic surgery

2) to develop a complete diagnostic-planning intervention workflow

3) to explore the connection among control theory, cognitive science, and autonomous learning/reasoning

to remove, mitigate, and quantitatively assess the potential risks for the patients.

In this article, we will study the simulation of the automatic execution of a simple surgical action such as puncturing. To carry out this surgical action, we will model the overall task as a finite sequence of atomic actions that should be accomplished to guarantee the success of the surgical action. This model takes the form of hybrid automata consisting of a discrete control part that operates in a continuous environment [1]. To formally prove that a sequence of subtasks planned on preoperative data can successfully accomplish the surgical operation despite model uncertainties and disturbances, we use a framework for hybrid system verification called Ariadne, currently under development by a joint team of research institutes [2]–[4]. Ariadne is a development environment that provides data structures and algorithms for reachability analysis of hybrid systems; it differs from existing packages since it is based on the theory of computable analysis [26]. This theory provides a rigorous mathematical semantics for treating continuous and discrete event systems, i.e., hybrid systems, with formal verification algorithms operating on them. In addition, Ariadne handles hybrid automata with nonlinear dynamics and constraints.

ARS: A Bird’s-Eye View

This section introduces ARS and lists a set of questions that surgeons and engineers should answer together. ARS has the goal of improving surgical tools with automatic functions, showing their potential to increase the quality of surgical procedures. A potential benefit of automated surgery would be that the surgeon, freed from simple tasks, could focus on the most difficult aspects of the procedure. Moreover, thanks to the dexterity of current robots, it is quite possible to accomplish several simple tasks with improved precision and speed. The long-term goal would be to incorporate automated tasks into telesurgical systems, where the surgeon is separated from the patient by a long distance, as in natural disaster or battlefield situations.

Two key elements are required to automate the surgical plan coding and action execution:

1) progress on the state of the art in knowledge representation, i.e., the formalization of control and cognitive requirements of surgical actions

2) development of reasoning methods capable of dealing with various knowledge types in static and dynamic situations.

With such elements at hand, it is possible to identify, describe, and model the surgical process in a way that allows automatic reasoning, control, and monitoring. Hybrid systems and automata theory provide the proper mathematical tools to model and control surgical actions by means of a suitable supervisor automaton. The automaton will specify the discrete task states (e.g., tissue approach, contact and cut), continuous dynamics within each state, and transitions between states. Adaptation mechanisms can also be introduced into the automaton so that state parameters can reflect the real values of the environment parameters. The control of the surgical action will be aware of the current medical situation, and therefore, it will interact with the intraoperative reasoning process.

The decomposition of the surgical action into a set of simple states can be obtained by formalizing the information coming from the medical literature and/or by interviews with expert surgeons. The nominal plan will include the states of the surgical action, from the initial to the final one, constraint conditions of each state, and rules for transitions between the states. In addition, emergency states should be added to take into account unexpected and dangerous situations.

From this basic analysis, the critical aspects within ARS that engineers and surgeons have to take care of can be summarized with the following questions:

• Question about the task description: How to model and reason about a simple surgical action?

• Questions about the environment description: How to develop a correct physical representation of the surgical area? How to update the preoperative model of the organ with intraoperative measurements?

• Question about the control architecture: How to develop a control architecture and prove its safety property?

In this article, we concentrate on the last question. We will see how formal verification methods, recently introduced also within the control community [16], [24], can provide accurate and reliable answers to help the designer when developing the control architecture.

Problem Statement

Puncturing is the surgical action selected as a test case in this article. Together with other elementary tasks, such as cutting and suturing, this action can be used to build more complex surgical tasks. Puncturing is the act of penetrating a biological tissue with a needle, e.g., when performing a biopsy. The goal of this section is twofold:

1) to describe the subtasks of puncturing in a qualitative way as a surgeon would do

2) to translate each subtask at the control level to ensure a quantitative evaluation having the concepts of accuracy, precision, and robustness as performance criteria (for positioning and forcing).

Before describing all the subtasks, we briefly recall the dynamical model of a robotic manipulator. A serial link manipulator with n degrees of freedom is described by the following set of nonlinear differential equations:

$$M(q)\,\ddot q + C(q, \dot q)\,\dot q + F(q, \dot q) + G(q) = u - J^T(q)\,h, \qquad (1)$$

where $q = [q_1 \ \ldots \ q_n]^T$ is the vector of generalized coordinates with the corresponding velocity $\dot q$ and acceleration $\ddot q$, $u = [u_1 \ \ldots \ u_n]^T$ is the command torque vector, and $h = [f^T \ s^T]^T$ is the force/torque vector applied by the end effector when the robot is in contact with the environment. In the standard Lagrangian representation, M is the symmetric nonsingular moment of inertia matrix, C is the Coriolis and centrifugal force matrix, F contains the frictional torques, whereas G is the gravitational part. The relation between the external force and torque at the joint level is given by the transpose of the Jacobian $J^T(q)$ evaluated at the current position q [10], [23], [21].

The measurement equation coupled with the state equation (1) is $y = [q^T \ \dot q^T \ h^T]^T$, requiring encoders and tachometers at the joints and a force sensor on the end effector. The joint variables q are related to the operational variables x (position and orientation of the end effector, $x = [p^T \ \phi \ \theta \ \psi]^T$) by the direct kinematic function $x = k(q)$.

The knowledge of the robot model, task, and environment allows one to design model-based hybrid force/position controllers or impedance controllers, as explained in [10] and [23]. Hybrid force/motion control is a sophisticated method for controlling both contact force and motion simultaneously (direct force control), whereas impedance control guarantees the desired mechanical impedance property for the overall system (indirect force control) [21]. Vision can be successfully coupled with these strategies to improve the movement and the estimation of the environment.

The high-level architecture of the puncturing action is shown in Figure 1. The high-level controller switches between five different subtasks, according to the nominal operation conditions and constraints (maximum speed, force, and so on) and the partition of the workspace depicted in Figure 2(a):

• R1: region far away from the patient

• R2: region near the patient’s tissue

• R3: surface on the tissue where the tool could touch the patient because of tracking errors and/or unmodeled dynamics

• R4: target surface on the tissue. It is assumed to be surrounded by the region R3. The difference between these surfaces lies in the tissue stiffness.

Fast Movement

In this phase, the end effector of the robot should approach the patient’s tissue starting from its home position. Since the manipulator is assumed to be far away from the patient at the beginning (region R1), this movement should be planned to be relatively fast. Figure 2(b) shows the unconstrained movement defined by

$$\gamma_f : t \mapsto [x_d^T \ \dot x_d^T \ \ddot x_d^T]^T,$$

where $x_d$, $\dot x_d$, $\ddot x_d$ describe position, velocity, and acceleration of the nominal trajectory $\gamma_f$. In free motion, only the motion control is active.

[Figure 1. High-level control architecture: the supervisor switches among the blocks Fast Movement, Slow Movement, Probing Tissue, Perpendicular Orientation, and Puncturing, each driving the Surgical Robot + Sensors + Environment with its own controller and reference.]

[Figure 2. Surgical action states. (a) Working space partitioning into R1, R2, R3, and R4, (b) State 1: fast movement, (c) State 2: slow movement, (d) State 3: probing tissue, (e) State 4: perpendicular attitude, and (f) State 5: puncturing.]


Slow Movement

When the end effector is close to the tissue (region R2), the movement should slow down to approach the target position on the patient by reducing the tracking error and improving robustness (i.e., large stability margins and disturbance rejection are more important in this phase than the execution time). The change of logical state from fast to slow movement needs to be set before the intervention by defining the region above the patient’s tissue (i.e., a layer), where the control architecture should change the parameters of the motion control. Figure 2(c) displays the free movement in this second region, which still follows a nominal trajectory $\gamma_s$ defined in advance. Such a trajectory features different dynamical characteristics compared to that of $\gamma_f$.

Probing Tissue

The previous subtask ends when the end effector of the surgical manipulator touches the tissue. A sensor is located on the tip of the end effector to measure the corresponding contact force. Figure 2(d) shows the touching moment. Model uncertainty and disturbances may bring the end effector to touch the patient in a wrong position. We assume that the target region has a different stiffness than the surrounding tissue.

The force sensor sends force and torque measurements to the high-level control architecture. By comparing the position–force measurements when the probe touches the tissue for the first time $(x_1, h_1)$ with the ones when the probe has penetrated more in depth without harming the patient $(x_2, h_2)$, it is possible to have a rough estimate $\hat K_e$ of the stiffness matrix $K_e$ from the relation

$$h_1 - h_2 = K_e (x_1 - x_2). \qquad (2)$$

Figure 3 shows the two positions from which data are collected. This information can be used to determine whether the probe is in the target area (region R4) or not (region R3). In the first case, the high-level control architecture switches to the next subtask; otherwise, it designs a new trajectory to reach the target region.

Perpendicular Attitude

As needle deflection and tissue deformation are major problems for accurate puncturing, with no loss of generality we assume that the end effector of the surgical robot needs to be perpendicular to the tissue before puncturing. Keeping the touching point fixed, the robot should move its wrist to have the tool orthogonal to the surface. This can be achieved by forcing the force sensor measurement to match the reference value:

$$h_\perp = [0 \ 0 \ F_z \ 0 \ 0 \ 0]^T, \qquad (3)$$

where $F_z$ is an upper bound on the force that the tool can safely apply to the patient. When the reference value is matched, the only component of the force is along the z axis of the sensor (i.e., its symmetric axis), with no torques.

The force sensor measurements are the signals that allow us to reach this goal. Figure 2(e) shows the final position after the rotation of the tool.

Puncturing

The last subtask consists of changing the tool at the end effector and executing the puncturing. The robot should remove the force sensor and insert the mechanical structure hosting the needle. During this phase, the position and orientation should be stored to keep the optimal conditions obtained during the previous steps. Figure 2(f) shows this final subtask of the puncturing test case, although one could imagine a more complex scenario where the robot would extract the needle from the patient and return to its home position, possibly after having thrown out the used needle and brought the tissue for the biopsy to a proper place.

Modeling with Hybrid Automata

The automaton-based model of the surgical action is based on the high-level control architecture depicted in Figure 1. We assume that the controller for each task stabilizes the plant, while the switching between controllers preserves the stability. Several stability results can be found in the literature [14], [17]. Our goal is not to prove the stability of the overall system (which is assumed) but to prove in a formal way that the task itself can be executed correctly. The focus of the analysis is more on the feasibility of the task than on the stability of the plant.

The test case under consideration is a typical example of a hybrid system, i.e., a system mixing discrete and continuous behaviors that cannot be characterized faithfully using either discrete or continuous models. A hybrid system consists of a discrete part that operates in a continuous environment, and for this reason, it is sensitive not only to time-driven phenomena but also to event-driven phenomena. In our case, it is the integration of high-level tasks (i.e., discrete actions) together with local (continuous) controllers that gives the system its hybrid nature.

To model and verify hybrid systems in a formal way, the notion of hybrid automaton has been introduced [1]. Intuitively, a hybrid automaton is a finite-state automaton with continuous variables that evolve according to dynamics specified at each discrete node. In our test case, each discrete state or location of the automaton corresponds to one of the subtasks identified for the surgical action. Transitions describe the switching from one subtask to another and yield a sequence of states that models the complete surgical action.

[Figure 3. Comparison of two configurations (a) and (b) for the estimation of the stiffness matrix: contact at position $x_1$ with measured force $h_1$, and at position $x_2$ with measured force $h_2$.]

A state of a hybrid automaton is defined as a pair $\langle t, r \rangle$, where t is a location and r is an assignment of values for the continuous variables. An execution of a hybrid automaton corresponds to a sequence of transitions from one state to another, alternating continuous and discrete evolutions. In a continuous evolution, the location does not change while time passes, and the evolution of the state variables follows the dynamic law associated with the current location. A discrete evolution step consists of the activation of a discrete transition that can change both the current location and the value of the state variables, in accordance with the reset function associated with the transition. The interleaving of continuous and discrete evolutions is decided by the invariant of the location, which must be true for the continuous evolution to keep on going, and the guard predicates, which must be true for a discrete transition to be activated. Guards and invariants are not necessarily complements of each other: when both the invariant and one or more guards are true, both the continuous evolution and the activation of discrete transitions are allowed, and the behavior of the automaton becomes nondeterministic.

The hybrid automaton that describes the puncturing test bench is shown in Figure 4. Each location of the automaton corresponds to one of the subtasks identified in the “Problem Statement” section, with the exception of locations Change and Stop; the former represents the fact that the manipulator touched the patient in the wrong region, and it now changes its position following a new trajectory $\gamma_c$ using the slow-motion controller $C_s$.

Locations are labeled with the name, the controller and reference trajectory/force, and the invariant. Edges are labeled with the guard that activates the transition. Since after any transition the values of the variables are preserved, the reset function is the identity function and it is consequently omitted for brevity. For instance, let’s consider the location Slow: it is labeled with the slow-motion controller $C_s$ and reference trajectory $\gamma_s$, defining the continuous evolution of the system inside the location. The system is allowed to stay in Slow until it touches the patient tissue, as formally specified by the invariant $\|h\| = 0$. The initial state of the automaton is the pair $\langle \mathrm{Fast}, x_0 \rangle$, where $x_0$ is the home position for the robot. The transitions between the different locations are defined as follows:

• The transition from Fast to Slow becomes active when the Cartesian coordinate of the end effector computed by using the direct kinematics [x = k(q)] tells us that the end effector is now inside R2.

• The transition from Slow to Probing is activated as soon as the end effector touches the tissue, i.e., when the force at the end effector becomes positive.

• When the automaton is in location Probing, it can either go to location Perp if the estimated tissue stiffness is correct or to location Change.

• The transition from Change to Probing is activated as soon as the end effector touches the tissue again.

• The manipulator remains in location Perp until the tool is perpendicular to the tissue; then the transition is activated and the automaton moves to Puncturing.

• The last transition becomes active after the puncturing action is executed.

Figure 5 shows a graphical representation of the force measured by the sensor versus the displacement along the needle-puncturing direction [20]. The corresponding guard $g_p$ of the transition from Puncturing to Stop is defined as true if the measured force decreases w.r.t. the maximum value $F_p$ while the displacement still increases along the puncturing direction, and false otherwise.
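The supervisor of Figure 4 as an added, runnable example (not code from the article): each guard is implemented as listed above, $g_p$ keeps the peak force as memory, and a constructed sequence of sensor samples drives the automaton through a wrong-spot contact (Change) to Stop; a trace monitor for the force bound of the verification section is included. Class and parameter names, thresholds and sample values are assumptions.

```python
import math
from dataclasses import dataclass

# Locations of the supervisor automaton (Figure 4).
FAST, SLOW, PROBING, CHANGE, PERP, PUNCTURING, STOP = (
    "Fast", "Slow", "Probing", "Change", "Perp", "Puncturing", "Stop")


def norm(v):
    return math.sqrt(sum(c * c for c in v))


@dataclass
class Obs:
    """One sample seen by the high-level controller (constructed format)."""
    region: int            # region of x = k(q): 1..4 for R1..R4
    h: tuple               # force/torque vector (fx, fy, fz, tx, ty, tz)
    ke_est: float = 0.0    # scalar stand-in for the estimate \hat{K}_e
    disp: float = 0.0      # displacement along the puncturing direction


class Supervisor:
    """Discrete supervisor implementing the guards of Figure 4.

    In the figure each invariant is the complement of its outgoing guards, so the
    supervisor is deterministic: a transition fires as soon as its guard holds.
    ke, eps_t, h_perp, eps_perp stand for K_e, eps_T, h_perp, eps_perp (assumed values).
    """

    def __init__(self, ke, eps_t, h_perp, eps_perp):
        self.ke, self.eps_t = ke, eps_t
        self.h_perp, self.eps_perp = h_perp, eps_perp
        self.location = FAST
        # Memory for g_p: largest force seen while puncturing and where it was seen.
        self.peak_force, self.peak_disp = 0.0, 0.0

    def guard_p(self, obs):
        """g_p: the force fell below its maximum while the displacement still grows."""
        f = norm(obs.h[:3])
        fired = f < self.peak_force and obs.disp > self.peak_disp
        if f >= self.peak_force:
            self.peak_force, self.peak_disp = f, obs.disp
        return fired

    def step(self, obs):
        """Apply at most one discrete transition and return the new location."""
        loc, contact = self.location, norm(obs.h) > 0
        if loc == FAST and obs.region >= 2:                 # x in R2
            loc = SLOW
        elif loc == SLOW and contact:                       # ||h|| > 0
            loc = PROBING
        elif loc == PROBING and contact:
            if abs(obs.ke_est - self.ke) < self.eps_t:      # stiffness of the target
                loc = PERP
            elif obs.region == 3:                           # x in R3 \ R4: re-plan
                loc = CHANGE
        elif loc == CHANGE and contact:                     # tissue touched again
            loc = PROBING
        elif loc == PERP:
            dev = norm([a - b for a, b in zip(obs.h, self.h_perp)])
            if dev < self.eps_perp:                         # tool orthogonal enough
                loc = PUNCTURING
        elif loc == PUNCTURING and self.guard_p(obs):
            loc = STOP
        self.location = loc
        return loc


def run(supervisor, observations):
    """Feed samples in order; return [(location the sample was taken in, sample)]."""
    trace = []
    for obs in observations:
        trace.append((supervisor.location, obs))
        supervisor.step(obs)
    return trace


def force_property_holds(trace, f_max):
    """Monitor for Always(not Puncturing -> ||f|| < f_max) on a recorded trace."""
    return all(loc == PUNCTURING or norm(obs.h[:3]) < f_max for loc, obs in trace)


NO_CONTACT = (0.0,) * 6
# Constructed run: first contact in the wrong region (R3), re-plan, then R4.
SAMPLE = [
    Obs(1, NO_CONTACT),                               # far from the patient
    Obs(2, NO_CONTACT),                               # enters R2: Fast -> Slow
    Obs(3, (0, 0, 0.5, 0, 0, 0), ke_est=300.0),       # contact: Slow -> Probing
    Obs(3, (0, 0, 0.5, 0, 0, 0), ke_est=300.0),       # wrong stiffness: -> Change
    Obs(3, NO_CONTACT),                               # moving along gamma_c
    Obs(4, (0, 0, 0.6, 0, 0.1, 0), ke_est=820.0),     # touches again: -> Probing
    Obs(4, (0, 0, 0.6, 0, 0.1, 0), ke_est=820.0),     # stiffness matches: -> Perp
    Obs(4, (0, 0, 0.95, 0, 0.02, 0), ke_est=820.0),   # h close to h_perp: -> Puncturing
    Obs(4, (0, 0, 1.5, 0, 0, 0), disp=1.0),           # force rising, g_p false
    Obs(4, (0, 0, 2.8, 0, 0, 0), disp=2.0),           # peak force F_p
    Obs(4, (0, 0, 1.9, 0, 0, 0), disp=2.5),           # force drops, needle advances: -> Stop
    Obs(4, (0, 0, 1.0, 0, 0, 0), disp=2.6),
]


def sample_locations():
    """Locations visited on SAMPLE, including the final one."""
    sup = Supervisor(ke=800.0, eps_t=100.0, h_perp=(0, 0, 1.0, 0, 0, 0), eps_perp=0.2)
    return [loc for loc, _ in run(sup, SAMPLE)] + [sup.location]
```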

[Figure 4. Automaton for the surgical test bench. Locations (controller, reference; invariant): Fast ($C_f$, $\gamma_f$; $x \in R_1$), Slow ($C_s$, $\gamma_s$; $\|h\| = 0$), Probing ($C_h$, $K_e$), Change ($C_s$, $\gamma_c$; $\|h\| = 0$), Perp ($C_h$, $h_\perp$; $\|h - h_\perp\| \ge \varepsilon_\perp$), Puncturing ($C_h$, $F_p$; $\neg g_p$), Stop. Guards: Fast→Slow $x \in R_2$; Slow→Probing $\|h\| > 0$; Probing→Perp $\|h\| > 0 \wedge \|\hat K_e - K_e\| < \varepsilon_T$; Probing→Change $\|\hat K_e - K_e\| \ge \varepsilon_T \wedge x \in R_3 \setminus R_4$; Change→Probing $\|h\| > 0$; Perp→Puncturing $\|h - h_\perp\| < \varepsilon_\perp$; Puncturing→Stop $g_p$.]

[Figure 5. Force versus displacement during the puncturing test: force (N) plotted against displacement (mm), with the marks $F_p$, $F_i$, $x_t$, and $x_p$.]


Formal Verification of Hybrid Automata

Of particular importance in the verification of hybrid systems is the reachable set, which consists of all the states that can be reached under the dynamical evolution starting from a given initial state set. In the following, given a hybrid automaton H, we will distinguish between two kinds of reachable sets:

• Finite-time reachable set: given a set of states $X_0$ and a time point t, we denote with $\mathrm{ReachSet}_H(X_0, t)$ the set of all states that can be reached from $X_0$ by a finite trajectory with total time length t.

• Infinite-time reachable set: given a set of states $X_0$, we denote with $\mathrm{ReachSet}_H(X_0)$ the set of all states that can be reached from $X_0$ by a trajectory of arbitrary time length.

Finite-time and infinite-time reachability are the main tools to verify properties of hybrid automata. Indeed, checking safety properties (i.e., “something bad never happens”) reduces to the infinite-time reachability problem. Suppose we wish to verify that a safety property $\varphi$ holds for a hybrid automaton H; in other words, that $\varphi$ remains true for all possible executions starting from a set $X_0$ of initial states. Then we only need to prove that $\mathrm{ReachSet}_H(X_0) \subseteq \mathrm{Sat}(\varphi)$, where $\mathrm{Sat}(\varphi)$ is the set of states where $\varphi$ is true. Finite-time reachability can be used to verify timed safety properties, that is, whether the property $\varphi$ is true at some execution time t. Finally, by pairing finite-time and infinite-time reachability, timed stability properties can also be verified, by checking whether $\varphi$ is always true after some execution time t.

Other properties, such as liveness (i.e., “something good eventually happens”) and general stability properties (i.e., “the system eventually reaches the good region and never leaves it”), require more complex techniques to be verified, based on transformations of the model [6], [19].

In this article, we concentrate on the verification of the following properties for the automatic puncturing test case:

1) The force applied to the patient by the end effector is always less than a given threshold, except for the puncturing subtask. This can be formally stated by the following property:

$$\mathrm{Always}(\neg \mathrm{Puncturing} \rightarrow \|f\| < f_{\max}),$$

where f is the force component of the combined force/torque vector h, and it can be verified by proving that, for all states in $\mathrm{ReachSet}_H(X_0)$, if the location is different from Puncturing then $\|f\| < f_{\max}$.

2) The task is feasible, and the position of the needle at the end of the task is always inside the target region R4. In the most general case, this is a liveness property, and thus it can be very hard to verify. To simplify the verification procedure, we impose that the task be completed before a maximum time $t_{\max}$. In this simplified case, the property can be formally stated as a timed safety property:

$$\mathrm{Always}(t = t_{\max} \rightarrow (\mathrm{Stop} \wedge x \in R_4)),$$

and formally verified by proving that, for all states in $\mathrm{ReachSet}_H(X_0, t_{\max})$, the location is Stop and the position of the end effector is such that $x \in R_4$.

In particular, we study the dependence of the truth of these properties on the value of a particular design parameter, namely, the uncertainty on the position of the patient. Unfortunately, the reachability problem is not decidable in general; there is no algorithm that can compute $\mathrm{ReachSet}_H(X_0)$ in an exact way without imposing strong restrictions on the dynamics of the automaton [13]. Nevertheless, formal verification methods can be applied to hybrid automata also in the general case. Suppose we can compute an overapproximation S to $\mathrm{ReachSet}_H(X_0)$, that is, a set $S \supseteq \mathrm{ReachSet}_H(X_0)$. Then if S is a subset of $\mathrm{Sat}(\varphi)$, so is the reachable set, and automaton H respects the property. Conversely, if we can compute an underapproximation S to $\mathrm{ReachSet}_H(X_0)$ (that is, a set $S \subseteq \mathrm{ReachSet}_H(X_0)$) that turns out to contain at least one point outside $\mathrm{Sat}(\varphi)$, we have proven that our hybrid automaton H does not respect the safety property $\varphi$. For these reasons, many tools for reachability analysis of general hybrid automata are based on approximation techniques. The challenge is to find the best approximations.

Ariadne

Ariadne is a development environment to construct algorithms for hybrid system verification [2]–[4], jointly developed by the Centrum voor Wiskunde en Informatica (Amsterdam), the University of Maastricht, the University of Verona, the University of Udine, and the company PARADES/ALES (Rome). Given a hybrid automaton H and an initial set $X_0$, it can compute two kinds of approximations to the reachable set:

• an outer approximation O of the reachable set using upper semantics, for both finite-time and infinite-time evolutions. Formally, a closed set O such that the closure of $\mathrm{ReachSet}_H(X_0)$ is strictly contained in the interior of O

• an $\varepsilon$-lower approximation $L_\varepsilon$ of the reachable set using lower semantics, for both finite-time and infinite-time evolutions. Formally, $L_\varepsilon$ is an open set where for every point $x \in L_\varepsilon$, there exists a point $y \in \mathrm{ReachSet}_H(X_0)$ such that $\|x - y\| < \varepsilon$.

The reachability algorithm of Ariadne takes as inputs the hybrid automaton, the initial set, and some numerical parameters, particularly a grid that sets the desired precision of the results, an integration step to control the accuracy of the approximations, and, for lower evolution, the value of $\varepsilon$. Then it proceeds as follows:

1) If the initial set $X_0$ is larger than a grid cell, outer approximate it on the grid, and let $\mathcal{W}$ be the obtained set of cells. Otherwise, let $\mathcal{W} = \{X_0\}$.

2) Extract a new working cell W from $\mathcal{W}$:

• Compute an approximation of the continuous evolution R(W, t) and the final set F(W, t) for a time step t.

• If F(W, t) is outside the invariant of the current location, discard it.

• Check if some discrete transition is active in R(W, t). If this is the case, compute an approximation of the discrete evolution D(R(W, t)) for all active transitions.

• Approximate R(W, t), F(W, t), and D(R(W, t)) on the grid, using the correct approximation type.

– If computing an outer approximation, put the newly reached cells of F(W, t) and D(R(W, t)) in $\mathcal{W}$.

– If computing an $\varepsilon$-lower approximation and the diameter of F(W, t) is smaller than $\varepsilon$, add F(W, t) to $\mathcal{W}$. Otherwise, do nothing.

– If computing an $\varepsilon$-lower approximation and the diameter of D(R(W, t)) is smaller than $\varepsilon$, add D(R(W, t)) to $\mathcal{W}$. Otherwise, do nothing.

3) Repeat recursively until $\mathcal{W}$ is empty or no new cells can be found.

The output of the reachability routine converges to the best possible approximations (in the sense defined in [9]) when the size of the grid, the integration step, and the value of $\varepsilon$ converge to zero. Termination of the algorithm is guaranteed even for systems that diverge, by providing a bound on the evolution time (for finite-time reachability) or on the state space of the system (for infinite-time reachability).

Outer approximations are used to formally prove that a system respects a safety property $\varphi$, as discussed in the “Formal Verification of Hybrid Automata” section. However, if an outer approximation of the reachable set does not respect the safety property, then we cannot say anything about the safety of the system: it could be the case that the system is safe, but unsafe behaviors have been included in O because of overapproximation errors. To prove that a system does not respect a property in a formal way, an underapproximation of the reachable set is needed. Unfortunately, in most cases it is not possible to compute such an underapproximation, or the only possible underapproximation is the empty set (this is the case, for instance, of a single point and a single trajectory). To overcome this problem and establish when a system does not respect a safety property in a sufficiently large class of practical applications, we use $\varepsilon$-lower approximations instead. Let $\varphi$ be a safety property and $X_0$ be an initial set. If $L_\varepsilon$ is a lower approximation of $\mathrm{ReachSet}_H(X_0)$ and there exists a point $x \in L_\varepsilon$ with distance from $\mathrm{Sat}(\varphi)$ larger than $\varepsilon$, we can conclude that there exists at least one point of $\mathrm{ReachSet}_H(X_0)$ that lies outside $\mathrm{Sat}(\varphi)$, implying that the system is unsafe.

In principle, it could be the case that we are unable to prove or disprove a given property, no matter how accurate the approximations are. However, this usually happens for badly modeled systems that are close to instability. Hence, for reasonable control and mechanical designs, an answer is eventually obtainable. In practice, since the increase in computation time is exponential in the number of refinement iterations, the amount of time required to reach a definite answer could become unaffordable. In this case, it is advisable to modify the system parameters or simplify the model.

Formal Verification of the Case Study

In this section, we show how the verification capabilities of Ariadne can be applied to our test case. To focus on the verification part without entering into the robotics details, we assume that an inner controller has been designed in such a way that the variables in the operational space can be described by a set of second-order linear differential equations [22]. Moreover, we consider a simplified version of the model given in Figure 4, where only the Slow and Perp locations are present.

In free motion (location Slow), the robot and proportional-derivative controller are described by

$$M_s \ddot{x} = u,$$

$$u = M_s \ddot{x}_d + D_s(\dot{x}_d - \dot{x}) + K_s(x_d - x),$$

where $(M_s, D_s, K_s)$ are the mass, damping, and stiffness matrices describing the controlled robot, $x$ the position/orientation of the end effector, and $x_d$ the reference trajectory.

When the end effector touches the patient, the automaton switches to location Perp. An external force control loop is activated to keep the applied force within safe bounds in terms of both magnitude and orientation. The impedance controller and environment are then modeled by

$$u = -M_s \ddot{x}_d + D_s(\dot{x}_d - \dot{x}) + K_s(x_d - x) + K_f K_e (x - x_e),$$

where $K_e$ is the stiffness matrix describing the tissue, $K_f$ the proportional gain of the force loop, and $x_e$ the end-effector position when the patient is touched for the first time.

The reference trajectory in free motion involves only the $x$, $z$, and $\phi$ variables, which give the position and orientation of the end effector in the $(x, z)$ plane; the remaining variables are kept constant. The reference trajectory $x_d$ starts at $x_0 = 0$, $z_0 = 0$, and $\phi_0 = \pi/2$ with zero velocity and must reach $x_f = 1$, $z_f = 0.2$, and $\phi_f = 0$ after 5 s, following a polynomial trajectory.

The patient is assumed to lie on a plane, with the unknown target position in the range $[\bar{x}_e - d_x, \bar{x}_e + d_x]$, where $d_x$ is the uncertainty and $\bar{x}_e = 0.95$ is the nominal position. This is formally modeled by pairing the invariant $x \le \bar{x}_e + d_x$ in location Slow with the guard $x \ge \bar{x}_e - d_x$ on the transition from Slow to Perp. In this way, the transition can fire anywhere in the range $[\bar{x}_e - d_x, \bar{x}_e + d_x]$.

In the first step of this verification example, we determine the values of $d_x$ for which the task is feasible in 5 s, that is, after 5 s of evolution the location must be Perp, $\phi = 0$, and $z \in [0.185, 0.195]$. The procedure starts from a range of possible values for $d_x$, $[d_{\min}, d_{\max}] = [0, 0.06]$, and refines it by bisection: at each step, Ariadne computes an outer approximation $O$ of $\mathrm{ReachSet}_H(X_0, 5.0\,\mathrm{s})$ for $d = (d_{\min} + d_{\max})/2$. If $O$ satisfies the required conditions on $\phi$ and $z$, then $d$ is a safe value for the uncertainty and the next range for $d_x$ is $[d, d_{\max}]$. Otherwise, $d$ is a possibly unsafe value (an outer approximation alone cannot distinguish a real violation from overapproximation error) and the next range for $d_x$ is $[d_{\min}, d]$. The procedure stops when $|d_{\min} - d_{\max}|$ falls below a precision threshold chosen by the user.

Figure 6, left column, shows the outer approximation computed by Ariadne for $d = 0.03$, projected on the $(x, t)$, $(z, t)$, and $(\phi, t)$ planes, respectively. The yellow areas in Figure 6(a) and (c) depict the range $[\bar{x}_e - d, \bar{x}_e + d]$ and the $z$-safe region $[0.185, 0.195]$, respectively. The transition from Slow to Perp is nondeterministic, being enabled anywhere inside the yellow area; this produces the bundle of trajectories shown in black in the figures. Since in this case it is not possible to prove that the system respects the safety property, the value of $d_{\max}$ is decreased.

Figure 6, right column, shows the outer approximation computed by Ariadne for the final value of $d$. In this case, we set the approximation threshold to $10^{-2}$, and the final safe value of the parameter turns out to be $0.020625$. Figure 6(d) shows that the position of the end effector at the end of the task ($t = 5$ s) is indeed inside the required range for $z$.

Once a safe value for the uncertainty on the position of the patient has been determined, we turn to another design parameter: the proportional gain vector $K_f$ of the force loop. We are now interested in the values of $K_f$ for which the force applied to the patient by the end effector is always below $f_{\max} = 1.2\,\mathrm{N}$. The value of $K_f$ used in the previous analysis was $K_f = [\,1 \;\; 0.25 \;\; 0\,]^T$.

We first show that, for this particular value, it is possible to formally prove that the system is unsafe, namely that there exist at least one trajectory of the automaton and a time instant along it at which $\|f\| > f_{\max}$. This is done by exploiting the $\epsilon$-lower approximation capabilities of Ariadne discussed in the “Ariadne” section.

Figure 7(a) shows the $\epsilon$-lower approximation of $\|f\|$ computed by Ariadne for the initial value of $K_f$. Note that $\|f\|$ is zero while the automaton is in location Slow and becomes positive when the end effector touches the tissue. Because of the uncertainty on the patient position $x_e$, different trajectories touch the patient at different time instants.

The value of $\epsilon$ for the force component is $0.55$. The safe region (i.e., the set of all points such that $\|f\| \le f_{\max}$) is pictured in green, whereas the tolerance allowed for the $\epsilon$-lower approximation is in yellow. In this case there exists at least one point outside both the green and the yellow areas, and thus the system is definitely unsafe.

To obtain a safe value for $K_f$ (i.e., a value for which the condition on the force is respected), we proceed in the same manner as in the previous analysis: we start from an initial range of possible values for $K_f$ and refine it by bisection. With the approximation threshold set to $10^{-1}$, the final safe value of the proportional gain vector turns out to be $K_f = [\,2.69 \;\; 0.67 \;\; 0\,]^T$.

Figure 7(b) shows the outer approximation computed by Ariadne for the final value of $K_f$. Note that in this case there is no $\epsilon$-tolerance, since we are after a positive answer, which only the outer approximation can provide.
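The decision logic behind the two analyses above (the $\epsilon$-lower disproof for the initial $K_f$, and the bisection that yields a safe gain), written out as an added Python example. This is not code from the paper and it does not use Ariadne: the reach-set oracle is replaced by a constructed one-dimensional cut of the case study, simulated for a grid of patient positions. The simulated peak forces form an $\epsilon$-lower approximation (each run is a genuine behavior of the discretized model); the "outer approximation" is their hull widened by a padding `pad`, which is an assumption standing in for the rigorous error bounds Ariadne computes. All gains, stiffnesses, `fmax`, `eps`, `pad`, the sign convention of the force loop, and the function names are assumptions chosen for the demonstration, not the paper's values.

```python
"""Decision layer of the parametric reachability analysis (added example).

Not code from the paper or from Ariadne.  The plant is a constructed 1-D cut
of the case study: position x, location Slow (PD tracking of a quintic
reference) and location Perp (tissue spring plus a proportional force loop).
Every numerical value (gains, stiffnesses, fmax, eps, pad) is an assumption.
"""

SAFE, UNSAFE, UNKNOWN = "safe", "unsafe", "unknown"


def verdict(outer, lower, eps, sat):
    """Three-valued answer for a scalar observable such as ||f||.

    outer = (lo, hi) contains every reachable value (outer approximation O);
    lower = values each within eps of a reachable value (eps-lower approx.);
    sat   = (lo, hi) = Sat(phi).  SAFE needs O inside Sat(phi), UNSAFE needs a
    lower point farther than eps from Sat(phi), anything else is UNKNOWN.
    """
    s_lo, s_hi = sat
    o_lo, o_hi = outer
    if s_lo <= o_lo and o_hi <= s_hi:
        return SAFE
    for v in lower:
        if max(s_lo - v, v - s_hi, 0.0) > eps:    # distance of v from Sat(phi)
            return UNSAFE
    return UNKNOWN


def bisect_safe_boundary(prove_safe, safe_end, unsafe_end, tol):
    """The paper's refinement loop, usable in either direction.

    prove_safe(p) is True only if the outer approximation for parameter p lies
    in Sat(phi); False means 'not proven', never 'unsafe'.  Safety is assumed
    monotone between the ends.  Returns the last value actually proven safe.
    """
    if not prove_safe(safe_end):
        raise ValueError("safe_end is not provably safe; widen the range")
    while abs(unsafe_end - safe_end) > tol:
        mid = 0.5 * (safe_end + unsafe_end)
        if prove_safe(mid):
            safe_end = mid
        else:
            unsafe_end = mid
    return safe_end


def reference(t, T=5.0, xf=1.0):
    """Rest-to-rest quintic 0 -> xf over T seconds: (xd, xd', xd'')."""
    tau = min(t / T, 1.0)
    pos = xf * (10 * tau**3 - 15 * tau**4 + 6 * tau**5)
    vel = xf * (30 * tau**2 - 60 * tau**3 + 30 * tau**4) / T
    acc = xf * (60 * tau - 180 * tau**2 + 120 * tau**3) / T**2
    return pos, vel, acc


def simulate(xe, kf, ms=1.0, ds=20.0, ks=100.0, ke=400.0, T=5.0, dt=1e-3):
    """One run of the 1-D automaton for tissue position xe; returns max ||f||.

    Slow: ms*x'' = ms*xd'' + ds*(xd'-x') + ks*(xd-x).  Perp (x >= xe): the
    command also subtracts kf*fe (constructed force loop) and the tissue pushes
    back with fe = ke*(x-xe).  Semi-implicit Euler avoids numerical amplification.
    """
    x, v, in_contact, f_peak = 0.0, 0.0, False, 0.0
    for k in range(int(round(T / dt))):
        xd, vd, ad = reference(k * dt, T)
        if not in_contact and x >= xe:             # guard of Slow -> Perp
            in_contact = True
        fe = ke * max(x - xe, 0.0) if in_contact else 0.0
        u = ms * ad + ds * (vd - v) + ks * (xd - x) - kf * fe
        v += dt * (u - fe) / ms
        x += dt * v
        f_peak = max(f_peak, fe)
    return f_peak


def approximations(kf, d, xe_bar=0.95, n=9, pad=0.02):
    """(lower, outer) approximations of max ||f|| for xe in [xe_bar-d, xe_bar+d].

    lower: peak forces of n simulated runs (real behaviours of the discretised
    model).  outer: their hull widened by pad; sound only under the ASSUMPTION
    that the peak varies by less than pad between grid points.
    """
    xes = [xe_bar - d + 2 * d * i / (n - 1) for i in range(n)]
    peaks = [simulate(xe, kf) for xe in xes]
    return peaks, (min(peaks) - pad, max(peaks) + pad)


def analyse(d=0.02, fmax=2.0, kf_initial=1.0, eps=0.05, tol=0.1):
    """Both steps of the force analysis: disprove kf_initial, then bisect kf."""
    sat = (0.0, fmax)
    peaks, outer = approximations(kf_initial, d)
    first = verdict(outer, peaks, eps, sat)

    def prove_safe(kf):               # a positive answer uses the outer approx only
        return verdict(approximations(kf, d)[1], [], eps, sat) == SAFE

    kf_safe = bisect_safe_boundary(prove_safe, 10.0, 0.0, tol)
    return {"initial_verdict": first, "kf_safe": kf_safe,
            "outer_at_safe": approximations(kf_safe, d)[1]}


if __name__ == "__main__":
    print(analyse())
```

Running the file prints the verdict for the initial gain and the gain found by bisection. Two points from the text are enforced in code rather than left to the user: a negative answer is drawn only from the lower approximation and a positive one only from the outer approximation, so `UNKNOWN` is never collapsed into "safe"; and the bisection returns the last value that was actually proven safe, raises if the starting point is not provably safe, and depends on safety being monotone in the parameter, which holds for the uncertainty $d$ and the gain $K_f$ here but must be checked for any other parameter. The oracle is deliberately the replaceable part: swapping `approximations` for a rigorous reach-set computation changes nothing in `verdict` or `bisect_safe_boundary`.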

Figure 6. Outer approximation of the reachable set for two values of d. (a) Projection on the (x, t) plane with d = 0.03, (b) projection on the (x, t) plane with d = 0.020625, (c) projection on the (z, t) plane with d = 0.03, (d) projection on the (z, t) plane with d = 0.020625, (e) projection on the (φ, t) plane with d = 0.03, and (f) projection on the (φ, t) plane with d = 0.020625. [Plot residue: axes x (m), z (m), φ (rad) versus Time (s), 0 to 5 s.]

Figure 7. Force at the end effector for different values of Kf. (a) Kf = (1, 0.25, 0) and (b) Kf = (2.69, 0.67, 0). [Plot residue: axis ||f|| (N) versus Time (s), 0 to 5 s.]

Conclusions and Future Work

In this article, we discussed the application of formal methods to the verification of properties of autonomous surgery devices and verified a plan for a simple puncturing action to demonstrate the feasibility of the concept. To prove that a sequence of subtasks planned on preoperative data can complete the surgical operation despite model uncertainties, we specified the system as a hybrid automaton, stated the requirements of interest as reachability questions about the model, and answered those questions with the Ariadne library. In particular, we investigated, with respect to significant parameters, the properties that the task is completed within a given time and that the force applied to the patient by the actuator stays below a given threshold. The parametric analysis yielded intervals of the chosen parameters in which the properties hold.

Regarding future work, we envision extending ourmethodology to more complex hybrid models. In addition,we plan to exercise infinite-time reachability analysis toprove safety properties without relying on timing assump-tions, thus resulting in a more robust verification frame-work, requiring less intervention from the user.

Acknowledgments

We thank Pieter Collins, University of Maastricht, for assistance in the experiments on the case study. The research leading to these results has received funding from the European Union Seventh Framework Programme FP7/2007-2013 via the projects CON4COORD, grant agreement number 223844, and I-SUR, grant agreement number 270396.

References

[1] R. Alur, C. Courcoubetis, T. A. Henzinger, and P. H. Ho, “Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems,” in Hybrid Systems (LNCS), R. Grossman, A. Nerode, A. Ravn, and H. Rischel, Eds. Berlin: Springer, 1992, pp. 209–229.

[2] Ariadne: An open tool for hybrid system analysis. [Online]. Available: http://ariadne.parades.rm.cnr.it

[3] A. Balluchi, A. Casagrande, P. Collins, A. Ferrari, T. Villa, and A. Sangiovanni-Vincentelli, “Ariadne: A framework for reachability analysis of hybrid automata,” in Proc. 17th Int. Symp. Mathematical Theory of Networks and Systems (MTNS’06), 2006, pp. 1261–1267.

[4] L. Benvenuti, D. Bresolin, A. Casagrande, P. Collins, A. Ferrari, E. Mazzi, A. Sangiovanni-Vincentelli, and T. Villa, “Reachability computation for hybrid systems with Ariadne,” in Proc. 17th IFAC World Congr., Seoul, South Korea, July 2008, pp. 8960–8965.

[5] P. Berkelman and J. Ma, “A compact modular teleoperated robotic system for laparoscopic surgery,” Int. J. Robot. Res., vol. 28, no. 9, pp. 1198–1215, 2009.

[6] S. Bogomolov, C. Mitrohin, and A. Podelski, “Composing reachability analyses of hybrid systems for safety and stability,” in Automated Technology for Verification and Analysis (LNCS 6252), A. Bouajjani and W. Chin, Eds. Berlin: Springer-Verlag, 2010, pp. 67–81.

[7] D. Botturi and P. Fiorini, “Optimal control for autonomous task execution,” in Proc. 44th IEEE Conf. Decision and Control and European Control Conf., 2005, pp. 3525–3530.

[8] K. Cleary and C. Nguyen, “State of the art in surgical robotics: Clinical applications and technology challenges,” Comput. Aided Surgery, vol. 6, no. 6, pp. 312–328, 2001.

[9] P. Collins, “Optimal semicomputable approximations to reachable and invariant sets,” Theory Comput. Syst., vol. 41, no. 1, pp. 33–48, 2007.

[10] J. Craig, Introduction to Robotics: Mechanics and Control. Upper Saddle River, NJ: Pearson Prentice Hall, 2005.

[11] J. Desai and N. Ayache, “Editorial: Special issue on medical robotics,” Int. J. Robot. Res., vol. 28, no. 9, pp. 1099–1100, 2009.

[12] E. Guglielmelli, M. J. Johnson, and T. Shibata, “Guest editorial: Special issue on rehabilitation robotics,” IEEE Trans. Robot., vol. 25, no. 3, pp. 477–480, June 2009.

[13] T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s decidable about hybrid automata?,” in Proc. 27th ACM Symp. Theory of Computing (STOC’95). New York: ACM, 1995, pp. 373–382.

[14] J. Hespanha and A. Morse, “Switching between stabilizing controllers,” Automatica, vol. 38, no. 11, pp. 1905–1917, 2002.

[15] P. Kazanzides, G. Fichtinger, G. Hager, A. Okamura, L. Whitcomb, and R. Taylor, “Surgical and interventional robotics: Core concepts, technology, and design,” IEEE Robot. Automat. Mag., vol. 15, no. 2, pp. 122–130, 2008.

[16] H. Kress-Gazit, G. Fainekos, and G. Pappas, “Temporal-logic-based reactive mission and motion planning,” IEEE Trans. Robot., vol. 25, no. 6, pp. 1370–1381, 2009.

[17] H. Lin and P. Antsaklis, “Stability and stabilizability of switched linear systems: A survey of recent results,” IEEE Trans. Automat. Contr., vol. 54, no. 2, pp. 308–322, 2009.

[18] C. Marohn and C. Hanly, “Twenty-first century surgery using twenty-first century technology: Surgical robotics,” Current Surgery, vol. 61, no. 5, pp. 466–473, 2004.

[19] A. Podelski and S. Wagner, “Region stability proofs for hybrid systems,” in Formal Modeling and Analysis of Timed Systems (LNCS 4763), J. F. Raskin and P. Thiagarajan, Eds. Berlin: Springer-Verlag, 2007, pp. 320–335.

[20] H. Saito and T. Togawa, “Detection of needle puncture to blood vessel using puncture force measurement,” Med. Biol. Eng. Comput., vol. 43, no. 2, pp. 240–244, 2005.

[21] B. Siciliano, L. Sciavicco, L. Villani, and G. Oriolo, Robotics: Modelling, Planning and Control. Berlin: Springer-Verlag, 2008.

[22] S. Sirouspour and A. Shahdi, “Model predictive control for transparent teleoperation under communication time delay,” IEEE Trans. Robot., vol. 22, no. 6, pp. 1131–1145, 2006.

[23] M. Spong, S. Hutchinson, and M. Vidyasagar, Robot Modeling and Control. New York: Wiley, 2005.

[24] P. Tabuada and G. Pappas, “Linear time logic control of discrete-time linear systems,” IEEE Trans. Automat. Contr., vol. 51, no. 12, pp. 1862–1877, 2006.

[25] R. Taylor, “A perspective on medical robotics,” Proc. IEEE, vol. 94, no. 9, pp. 1652–1664, Sept. 2006.

[26] K. Weihrauch, Computable Analysis: An Introduction (Texts in Theoretical Computer Science). Berlin: Springer-Verlag, 2000.

Riccardo Muradore, Department of Computer Science,University of Verona, Italy. E-mail: [email protected].

Davide Bresolin, Department of Computer Science,University of Verona, Italy. E-mail: [email protected].

Luca Geretti, Department of Computer Science, University of Verona, Italy. E-mail: [email protected].

Paolo Fiorini, Department of Computer Science, University of Verona, Italy. E-mail: [email protected].

Tiziano Villa, Department of Computer Science, University of Verona, Italy. E-mail: [email protected].
