Safety Assessment of Robotics Systems Using Fault Injection in RobMoSys

This demonstrator explains how to use the safety-related functionalities developed as part of the eITUS project, via a safety analysis use case scenario. A video is also presented that demonstrates how to perform safety analysis in the context of RobMoSys by using and extending the Papyrus4Robotics toolchain and Gazebo.

eITUS Demonstrator in the context of RobMoSys User Stories

Figure 1. eITUS Evaluation Scenario

eITUS stands for Experimental Infrastructure Towards Ubiquitously Safe Robotics Systems using RobMoSys. Nowadays, safety is becoming a crucial property of robotic systems. ISO 12100, ISO 13849 and IEC 62061 are some of the most accepted safety standards in robotics, covering aspects such as functional safety. Functional safety is the aspect of safety that aims to avoid unacceptable risks: the system should be designed to properly handle likely human errors, hardware failures and operational/environmental stress.

The safety analysis and validation steps are fundamental parts of the safety assessment. Some of the commonly used risk assessment methods are Preliminary Hazard Analysis, Hazard and Operability Analysis, Failure Modes and Effects Analysis and Fault Tree Analysis. Furthermore, fault injection simulations complement these analyses by finding unexpected hazards (fault forecasting) and by verifying the implemented safety mechanisms. Figure 2 illustrates how safety analysis relates to the RobMoSys views.

Figure 2. Safety Analysis with RobMoSys

The RobMoSys project defines structures which enable the management of the interfaces between different robotics-related domains, levels of abstraction and roles. eITUS will broaden the ecosystem by considering safety aspects such as the development of a safety view and the introduction of a new role called safety engineer (cf. Figure 3).

Figure 3. eITUS in terms of RobMoSys Composition Structures

The eITUS approach is explained by using a Cartesian Mode Control System as a use case scenario, whose model in Papyrus is depicted in Figure 4.

Figure 4. Cartesian Mode Control System modelled in Papyrus4Robotics

Afterwards, the safety engineer creates and completes its associated FMEA (Figure 5).

Figure 5. Safety Analysis: FMEA view

Once the component failure modes are determined, fault injection simulations can be executed. The eITUS framework sets up, configures and executes the simulations and analyses their results. Model-based design combined with a simulation-based fault injection technique and a virtual robot is a promising solution for an early safety assessment of robotics systems. The added value of including robot and environment models is that the maximum time before the robot dynamics are unsafely affected can be identified. In other words, it allows quantitatively estimating the relationship between an individual failure and the degree of misbehaviour at robot level.

Figure 6. Workflow of Fault Injection Simulations

Before starting the fault injection experiments, the Golden system model, i.e. the model without any faults in place, and its corresponding simulation results must exist.

Figure 7. Fault Injection View: Creation of the Fault List

Once the Golden simulations have been run, the safety engineer starts by selecting the system model and the robotics scenario, which includes the operational situation and the robot.

After that, the fault injection policy, referred to as the fault list, must be defined. This configuration process includes the definition of fault locations (where is the fault injected?), fault injection times (when is the fault triggered?), fault durations (for how long is the fault present in the system?) and the fault model (how does the component fail?).

The original system model is modified through the fault injector script according to the fault list. From these faulty models the deployed code is generated, and the simulations are run.

Finally, the obtained simulation traces are compared with respect to the Golden ones. This allows determining if a sufficient level of safety has been reached.
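The fault injection workflow described above (Golden run, fault list with location, injection time, duration and fault model, faulty runs, comparison of traces), as an added example in Python. This is not code from eITUS, Papyrus4Robotics or Gazebo: the plant is a hypothetical 1-D Cartesian position loop (sensor, proportional controller, velocity-limited actuator), and the gains, the fault list and the safety limit are constructed values. The report for each fault gives the largest deviation from the Golden trace and the first time the deviation exceeds the limit, which is the "maximum time before the robot dynamics are unsafely affected" mentioned earlier.

```python
"""Simulation-based fault injection against a Golden model (added example).

Not code from the eITUS project or the RobMoSys tooling. The 1-D position loop,
the gains, the safety limit and the fault list below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DT = 0.01      # simulation step [s] (constructed)
KP = 2.0       # proportional gain of the controller (constructed)
VMAX = 1.0     # actuator velocity saturation [m/s] (constructed)
EPS = 1e-9     # tolerance when comparing floating-point time stamps


@dataclass
class Fault:
    """One fault-list entry: where, when, for how long and how the component fails."""
    location: str       # signal that is corrupted: "sensor" or "actuator"
    start: float        # injection time [s]
    duration: float     # how long the fault stays present [s]
    model: str          # "stuck_at" (freeze at pre-fault value), "offset" (add bias), "scale" (multiply)
    value: float = 0.0  # parameter for offset/scale; unused by stuck_at

    def active(self, t: float) -> bool:
        return self.start - EPS <= t < self.start + self.duration - EPS


def corrupt(signal: float, fault: Optional[Fault], location: str, t: float,
            frozen: Optional[float]):
    """Apply `fault` to `signal` if it targets `location` and is active at time t.

    Returns (corrupted_signal, frozen); `frozen` carries the stuck-at value from
    one step to the next and is None whenever no stuck-at fault is active.
    """
    if fault is None or fault.location != location:
        return signal, frozen          # this signal is not the fault target
    if not fault.active(t):
        return signal, None            # fault not (yet / any more) present
    if fault.model == "stuck_at":
        frozen = signal if frozen is None else frozen   # freeze at first faulty step
        return frozen, frozen
    if fault.model == "offset":
        return signal + fault.value, None
    if fault.model == "scale":
        return signal * fault.value, None
    raise ValueError(f"unknown fault model: {fault.model}")


def simulate(setpoint: float, steps: int, fault: Optional[Fault] = None) -> List[float]:
    """Run the closed loop; return the trace of the true position, one sample per step."""
    pos, frozen, trace = 0.0, None, []
    for k in range(steps):
        t = k * DT
        trace.append(pos)
        measured, frozen = corrupt(pos, fault, "sensor", t, frozen)
        cmd = KP * (setpoint - measured)            # commanded velocity [m/s]
        cmd = max(-VMAX, min(VMAX, cmd))            # actuator saturation
        cmd, frozen = corrupt(cmd, fault, "actuator", t, frozen)
        pos += cmd * DT
    return trace


def compare(golden: List[float], faulty: List[float], limit: float) -> Dict[str, Optional[float]]:
    """Compare a faulty trace with the Golden one.

    Returns the largest deviation and the first time the deviation exceeds `limit`
    (the last moment a safety mechanism could still have reacted); None means the
    limit was never exceeded, i.e. the fault stayed within the tolerated band.
    """
    max_dev, time_to_unsafe = 0.0, None
    for k, (g, f) in enumerate(zip(golden, faulty)):
        dev = abs(g - f)
        max_dev = max(max_dev, dev)
        if time_to_unsafe is None and dev > limit:
            time_to_unsafe = k * DT
    return {"max_deviation": max_dev, "time_to_unsafe": time_to_unsafe}


def run_campaign(fault_list: List[Fault], setpoint: float = 1.0, steps: int = 300,
                 limit: float = 0.05) -> List[Dict]:
    """One Golden run, then one faulty run per fault-list entry, each compared with the Golden trace."""
    golden = simulate(setpoint, steps)
    return [{"fault": f, **compare(golden, simulate(setpoint, steps, f), limit)}
            for f in fault_list]


# Constructed fault list: where / when / how long / how.
FAULT_LIST = [
    Fault("sensor", start=0.2, duration=1.0, model="stuck_at"),
    Fault("sensor", start=1.0, duration=0.5, model="offset", value=0.02),
    Fault("actuator", start=0.5, duration=0.3, model="scale", value=0.0),
]

if __name__ == "__main__":
    for r in run_campaign(FAULT_LIST):
        f = r["fault"]
        when = "never" if r["time_to_unsafe"] is None else f"after {r['time_to_unsafe']:.2f} s"
        print(f"{f.location:8s} {f.model:8s} at {f.start:.2f} s for {f.duration:.2f} s -> "
              f"max deviation {r['max_deviation']:.3f} m, unsafe {when}")
```

The stuck-at sensor and the dead actuator both push the deviation past the limit, and the report states when, whereas the small sensor bias stays within the tolerated band; the same comparison applied to the real Golden and faulty traces is what decides whether the implemented safety mechanisms react in time.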

The following video shows:

  • A use case scenario based on Papyrus4Robotics and extended with safety concepts (e.g. failure mode) and safety analysis (FMEA and Fault Injection Views).
  • A safety analysis for a real time cartesian impedance controller.
  • A real time cartesian impedance controller designed with RobMoSys Golden and faulty components in the Gazebo simulator.

It is important to highlight that this is ongoing work and that further improvements are planned to be released by the end of the project.

From a technical perspective, the benefits of the eITUS methodology and tools will lead to:

Figure 8. Benefits of the eITUS methodology from a technical perspective

  • Composable Components:
    • The already defined software components can be used to compose a certain application such as the real-time Cartesian Impedance Controller. The same applies to safety artefacts.
  • Replaceable Components:
    • eITUS uses a robot arm for the use case; however, replacing it with a different robot would be possible.
  • Re-Usable:
    • eITUS supports the modelling of reusable domain- and application-specific safety analyses.
  • Ease of Use:
    • eITUS provides an easy way to model safety-related aspects and integrate them in the development flow.
    • eITUS supports the separation of roles and views by defining a safety engineer responsible for the completion of the FMEA view.
  • Reliable Quality of Service:
    • eITUS addresses safety aspects, considered an integral part of quality.
  • Standardisation of models and interfaces:
    • eITUS standardises safety nomenclature such as the definition of FMEAs or failure modes.
  • Certifiable Systems:
    • eITUS helps in developing and delivering safety analyses in a formal way, by creating FMEA and fault injection tests. Safety artefacts such as the FMEA are required to proceed to the certification of a safe robotics system.
  • Simplifying Usability and Integration:
    • eITUS integrates safety analysis views with fault injection simulations in a simple and transparent way.

The main incentives from a commercial point of view are described in Figure 9.

Figure 9. eITUS main incentives from a commercial point of view

This demonstration has been performed by the eITUS consortium as a RobMoSys Integrated Technical Project (ITP). This project is a joint effort between AKEO Plus, Tecnalia Research and Innovation and CEA, which is a RobMoSys core partner.

community:safety-analysis:start · Last modified: 2019/05/20 10:49