Hazard Analysis of Collaborative Automation Systems: A Two-layer Approach based on Supervisory Control and Simulation

Tom P. Huck, Yuvaraj Selvaraj, Constantin Cronrath, Christoph Ledermann, Martin Fabian, Bengt Lennartson, Torsten Kröger

TL;DR

A two-layer approach that combines the benefits of exhaustive analysis using formal methods with detailed analysis using simulation on an industrial human-robot collaboration system is proposed.

Abstract

Safety-critical systems are typically subjected to hazard analysis before commissioning to identify and analyse potentially hazardous system states that may arise during operation. Currently, hazard analysis is mainly based on human reasoning, past experience, and simple tools such as checklists and spreadsheets. Increasing system complexity makes such approaches increasingly unsuitable. Furthermore, testing-based hazard analysis is often not feasible due to high costs or the danger of physical faults. A remedy for this is offered by model-based hazard analysis methods, which rely either on formal models or on simulation models, each with their own benefits and drawbacks. This paper proposes a two-layer approach that combines the benefits of exhaustive analysis using formal methods with detailed analysis using simulation. Unsafe behaviours that lead to unsafe states are first synthesised from a formal model of the system using Supervisory Control Theory. The result is then input to the simulation, where detailed analyses using domain-specific risk metrics are performed. Though the presented approach is generally applicable, this paper demonstrates its benefits on an industrial human-robot collaboration system.

Paper Structure (10 sections, 3 equations, 5 figures)

This paper contains 10 sections, 3 equations, 5 figures.

Figures (5)

  • Figure 1: Illustration of supervisor synthesis. The marked states are indicated by double circles. The grey states and transitions in $G\parallel K$ are disabled by the minimally-restrictive non-blocking supervisor.
  • Figure 2: EFA models of human worker $\mathcal{H}$ (left), robot $\mathcal{R}$ (middle), and safety specification $\mathcal{SP}$ (right). Guards are denoted in blue, actions in red. Marked locations are denoted by double circles. A transition can only be taken if the guard expression evaluates to true. When the transition is taken, variables are updated according to the action.
  • Figure 3: HRC system from the application example (A: centre area, B: parts storage, C: robot station, D: control panel, E: laser scanner zone)
  • Figure 4: Second HRC scenario from the experiments. Here, the workflow is as follows: the worker retrieves parts from a shelf (A), inserts them into a housing and activates the robot with a button (D), which then inserts a gearwheel (E) into the housing. Meanwhile, the worker inserts a part into the cover (C) and finally mounts the cover onto the housing. Potential hazards consist in the hand being crushed between gearwheel and housing, and the head colliding with the robot's elbow joint. (Further details on GitHub and in the accompanying video.)
  • Figure 5: Results from the test runs. Left: number of unsafe sequences found, right: average risk of unsafe sequences.

Theorems & Definitions (1)

  • Definition 1