The Safe Control of Human-Friendly Robots - CiteSeerX

The Safe Control of Human-Friendly Robots Jochen Heinzmann and Alexander Zelinsky Research School of Information Science and Engineering The Australian National University Canberra ACT 0200, Australia [email protected]

Abstract This paper introduces a new approach to the control of robot manipulators in a way that is safe for humans in the robot's workspace. Conceptually the robot is viewed as a tool with limited autonomy. The limited perception capabilities of automatic systems prohibits the construction of failsafe robots with the capabilities of people. Instead, the goal of our control scheme is to make the interaction with a robot manipulator safe by making the robots actions predictable and understandable to the human operator. At the same time the forces the robot applies with any part of its body to its environment have to be controllable and limited. Experimental results are presented of a human-friendly robot controller that is under development for a Barrett Whole Arm Manipulator robot.

1 Introduction If robotics technology is to be introduced into the everyday human world, the technology must not only operate eciently executing complex tasks such house cleaning or putting out the garbage, the technology must be safe and easy for people to use. Industrial type manipulators are not suited for such applications considering both their mechanical design and their control mechanism, both designed to provide high stiness and path following accuracy. The design goals for a human-friendly robot are revolving around the safety of humans close to the robot. At the same time, the robot must be capable of performing meaningful tasks. This implies that the robot must be able to apply forces to it's environment which are potentially harmful to humans. A control scheme is required for human-friendly robots which allows the implementation of both apparently contradicting design goals. This research area is relatively new, however, with the advent of humanoid robots it is becoming increas-

ingly important. The main purpose of giving a robot a humanoid shape is to enable it to use our environment, which is tailored for humans with staircases, lifts, tables and chairs [1, 2]. However, little research has been reported on the control of robots that can be used safely with humans. This paper concentrates on the requirements for such control systems. The safety of humans is of major importance in the design of our control structure for a human-friendly robot.

2 Safety Philosophy Firstly we de ne what are the safety requirements for a human-friendly robot and what design implications do these requirements have. The goal of this development is to construct robots that are able to interact with humans, in particular that are safe for a human to be inside the robot's workspace while the robot is active. This is orthogonal to the current philosophy of safety in terms of robot applications. The most common solution to human safety is to separate robots and humans. Industrial robots usually work inside cages that keep persons from entering the robots workspace. Most accidents with robots are caused by people overriding the safety mechanisms and entering the work cell while the robot is in operation. The robot can easily injure the person without even noticing. The robot's position based controller will consider the resistance only as a disturbance and push harder to reach the set position! This control strategy is not human friendly by any standards. Safety goal: A human-friendly robot must be designed such that it can be operated without posing a threat when humans are inside the robot's workspace.

It is quite easy to make a safe robot by designing it's hardware in a way that it can not possibly cause harm to a person by making it small, light weight, ex-

ible, round, padded and weakly actuated. However, the tasks which such a robot could perform would be quite limited. A robot that is capable of performing everyday tasks has to be provided with actuators that are suciently strong enough. This usually makes the robot capable of harming humans. This does not necessarily mean that human-friendly robots have to be weak and useless toys. Instead, the research challenge in human-friendly robotics is to develop control strategies for potentially dangerous machines that achieve the safety goal. Industrial work cells are highly structured in a way that all objects are located in precisely de ned positions. Introducing humans into the workspace of robots makes the environment unstructured. A perfectly safe robot would have to respond to any situation in a way that minimises the possible threat to any person in it's environment. This would not only require the robotic system to be able to acquire all relevant information about it's environment, but also to draw the correct conclusions from this information, an impossible task with present and foreseeable technology. Presently the perception of robotic systems is limited, in particular the information that can be acquired reliably is restricted essentially to the state information of the robot.

Safety goal: In an unstructured environment which may have humans, any action autonomously taken by the robot must be safe even when the robot's sensor information about the environment is false.

This requirement implies major limitations for the possible actions available to the robot. Regarding reliable data available to the robot we include the robot's own state information, joint positions and cartesian positions, velocities and torques. These parameters provide the base for restricting the actions taken by the robot.

2.1 Safety Characteristics

The responsibilities between a human operator and a robot control system need to be distributed with the low perception capabilities of robotic systems in mind. Many technical and potentially dangerous systems are controlled exclusively by humans, using the support of simple, easy to understand and predictable technical control systems, e.g. cars, aircrafts, construction site machinery. An everyday example for such a technical system are motor vehicles, potentially dangerous technical systems for both the drivers and other persons in the environment. However, most people feel comfortable and safe while driving cars or walking on the side of streets. The driver speci es the overall behaviour

of the system by using the steering wheel, brake and throttle. Various electronic and mechanical systems are providing specialised functions such as clutch and gear handling in automatics and anti locking systems. Essentially these mechanisms work autonomous without even requiring the driver to know how they are implemented and what state these systems are in. Recently systems for autonomous highway driving are being developed [3, 4] that provide another level of autonomy. This approach is appropriate also for human-friendly robots. Similar to other technical systems a humanfriendly robot should have the following characteristics:  Ease of control by a human operator  Provide enough autonomy to make the system easy to use  The autonomous actions are predictable to the user and understandable from commands de ning the overall behaviour  Autonomous actions that are not threatening to the operator or other people Similar to motor vehicles the central coordinator in the system is the human operator. Instead of trying to build the perfectly safe car, the driver is responsible for safe operation of the system. Various safety measures are built into cars to protect people from the cases of human error e.g. safety belts and air bags. Instead of trying to build a human friendly robot that is failsafe, the robot should be controllable and predictable for the human operator. Similar to motor vehicles autonomy should be added in order to make it easier for the human operator to control the system. An example for such a system is the anti locking system. The driver does not control the braking force in the vehicle, only the desired rate of deceleration of the car is controlled. This makes the control of a car much easier during an emergency stop. In fact human-friendly robots can be compared to motor vehicles in another respect. A major problem with the introduction of autonomous driving devices into motor vehicles is the liability problem. Car manufactures can hardly aord to be held liable in cases when despite all safety measures an accident still occurs due to negligence or improper use of the vehicle by the driver. The same problem arises with robots to be used for human interaction. Only if the operator has sucient control over the system and is fully responsible for all of a robot's actions is it feasible for \outside of the lab" use of the robot.

2.2 Basic Behaviour For a manipulator system the safety requirements listed previously translate to certain mechanical and control speci cations. If a person is to control a robot's actions and is responsible also for it's safe operation, the operator must be able to restrain the robot from any particular motion and must be able to force the robot to execute any motion at any time. The basic behaviour of the robot should be to compensate for it's own weight at all times. A backdrivable robot in Zero-G oats passively. When not pushed or pulled by external forces the robot remains motionless in it's current con guration. The operator can pull or push the robot at any link to induce certain motions or place it in a certain con guration. This behaviour diers signi cantly from systems that use force-torque sensors (FT sensor) in the wrist and allows compliant motion when forces are applied to the hand. Such systems can not sense forces that are applied to the robot away from the FT sensor, such as the main part of the robot's body. This can pose safety risks since the robot's hand may not be in reach of the operator at all times, leaving the operator out of the control of the robots motions. When pulling a robot in Zero-G, the operator feels only inertial and frictional eects. When the robot is pushed it keeps oating until the inertial energy is consumed by the friction or the robot collides with an obstacle. This basic behaviour is perceived as passive and non-threatening by persons interacting with the robot. The robot does not prevent the operator from accelerating it to speeds that could be harmful if the robot did collide with another human. The predictability and controllability of the system still makes the robot safe to be operated with humans in it's workspace since it is the responsibility of the user to use the robot in a safe manner.

3 A Testbed System The basic Zero-G behaviour for safe human-robot interaction has been implemented on a Barrett Technology WAM arm (whole arm manipulator), shown in Figure 1. The arm is a commercial version of the original MIT arm built by Townsend and Salisbury [5]. The WAM was designed as a whole arm manipulator. The WAM allows objects not only to be manipulated with the 3- ngered hand, but with any part of the arm, including the upper and lower link. This design idea is also appropriate for human-friendly robots where

Figure 1: The Barrett WAM (Whole Arm Manipulator) robot with 7DOF, equipped with a Barrett Hand with 4DOF. contacts with any part of the manipulator have to be considered as well as manipulation of the robot at any part of the robot by the operator. The controller of the robot allows direct access of the motor torques which is vital for the development of force control strategies. However, the robot software has few other features, therefore Zero-G and position-force control software, software safety systems, visualisation tools, homing functions etc. must be developed.

3.1 Safe Mechanical Design

The joints of the WAM are driven by cables transmissions instead of gears. The advantage of the cable drive technology is that there is no backlash which is present in gear trains. Even more importantly, the friction in the transmissions is very low. That has two important implications:  Each joint of the robot is easily backdrivable. A person interacting with the robot can change the con guration of the robot simply by pushing the links or the end tip of the robot. Forces applied to the end tip or any other part of the robot get re ected back to the motors with very low loss in the transmission. Thus, the robot is a lot more 'sensitive' than gear driven robots to external forces applied anywhere at the robot.  Torques applied to the motor get transmitted to the joint with negligible loss. This implies that the forces the robot is applying to it's environment with any of its parts can be derived with a high accuracy from the actual motor commands. The usually strict dividing line between actuators and sensors becomes blurred and the two merge into one.

The WAM is also a light weight design. Almost all of the parts in the arm are made of aluminium and magnesium, signi cantly reducing the weight of the arm. The weight of the robot's components from the shoulder joint is only 15kg. This allows the robot to move quickly with low kinetic energy. The low friction and light design of the WAM are advantageous, but not absolutely necessary for the proposed safety method. The low friction allows the user to move the robot with ease and it makes the robot more sensitive to external forces while the light weight design allows higher velocities. If a heavier manipulator is used the arm would have to move slower. However, this is a physical limitation rather than a limitation of the control strategy.

3.2 Safety Hardware Beside the mechanical design of the manipulator itself our system contains electronic safety measures. The ampli ers for the joint actuators of the WAM are digitally controlled and limit the current output to the motors. To prevent the maximum ampli er current being applied in the case of a catastrophic software failure the currents are limited to appropriate values. However, the robot must be able to overcome its own weight and the weight of all possible payloads that it needs to manipulate. Limiting the current does provides some protection from extreme robot motions. This is particularly important during the development of the control software. The joint velocities are continuously monitored by an analog circuit. If any of the joint velocities exceed the preset limit, the robot is shut down. This emergency shutdown procedure can also be issued by software if necessary. It disables all ampli ers and shortcuts the motor power wires with a solid state contactor. Just like a safety belt in a motor vehicle, the emergency shutdown prevents the worst consequences if an accident is already occurring. During normal operation the emergency shut-down should never be activated.

3.3 Safe Software The control software for the robot is structured in a hierarchical way, shown in Figure 2. At the lowest layer a passive module monitors cartesian space velocities of the robot. This is necessary since the hardware velocity limits are con guration independent and must be set to values that do not restrict the robot in normal operation. On the same level the safety "heartbeat" module monitors the output of the control program.

Robot programming layer

Dynamics / Space Conv.

Safety Envelope : Limit additional motor torques disable Zero-G (Grav. Comp.)

disable Torque Ripple Compensation

Velocity Guard

Safety Hearbeat

External Forces (Humans)

Obstacles

Figure 2: Safety software architecture for the control of the WAM robot. It's main purpose is to shut down the robot in case the control software does not respond, e.g. when the control software in higher levels is incorrect. The module is triggered by a watchdog timer. Unless the control software resets the watchdog timer the robot is shut down. This routine is regarded as the \heartbeat" of the robot. On the next level two modules are responsible for eliminating the eects of gravity and the torque ripple of the motors. Torque ripple is the eect of changing torque output of the motor in dierent rotor positions as a result of the motor's geometry. For torque control this eect has to be compensated for in software. The Zero-G module generates the motor torques based on the current position together with the robot's kinematic model to counteract the gravitational forces acting on the links. The torque outputs of both modules are compensation torques and can not aect the robot's environment. Therefore, the torques are not subject to safety restrictions. Above the Zero-G level the Safety Envelope provides the lowest level programming interface. Its main purpose is to limit the torques that can be added to the outputs of the Zero-G level by any controller implemented above. These limits are not static but change according to the current joint and cartesian space velocities. Since the robot is already oating in Zero-G, constant torques could accelerate the robot beyond the safe limits. In contrast to the other limits discussed previously, the software limits in the Safety Envelope are meant to be reached during normal operation of the robot, and even exceeding them will not cause a shut down of the robot.

Figure 3: Image sequence from a Zero-G experiment Above the Safety Envelope any control strategy can be implemented to control the robot. The limitations in the safety envelope will always guarantee safe operation conditions. For convenience a module may be implemented which oers a programming interface with modi ed robot dynamics or cartesian space control rather than the joint space control oered by the Safety Envelope. Since we only want to permit the robot to autonomously move slowly the control program may ignore dynamic eects like centrifugal and coriolis forces. However, when moving slowly the effects of stiction and friction become signi cant and have to be considered either in a conversion module hiding the eects or in the controller itself. The control algorithm to be used on the top level can be any algorithm used for conventional robots. The Safety Envelope always guarantees safe and humanfriendly operation. To achieve a point-to-point motion a PID controller can be used. If the robot is in a con guration far away from the goal con guration, the PID controller outputs large torques. These will be clipped in the Safety Envelope to levels that will accelerate the robot slowly towards its goal con guration. At any time instance a person can interfere with the arm, change its con guration, block its motion, but eventually the robot will reach its goal if it's path is not permanently blocked. To evade permanent obstacles and joint limits and to exploit the redundancy of the manipulator the well known path planning algorithms must be applied.

4 Zero-G Implementation The Zero-G module has been successfully implemented on the WAM. To reduce the computational complexity, the 7DOF are split into two groups, the 4 degrees of the base and the 3 degrees of the wrist. The

derivation of the joint torques required to compensate for the gravitational eects for the rst 4 joints of the robot are described below. The four Denavit-Hartenberg transformation matrices are 2 3 cos(t1 ) ? sin(t1) 0 0 6 cos(t1 ) 0 0 77 1) T01 = 64 sin(t 0 0 1 05 0 0 1 3 2 0 cos(t2 ) ? sin(t2) 0 0 6 0 0 ?1 0 77 T12 = 64 sin(t cos(t2 ) 0 0 5 2) 0 0 0 1 2 3 cos(t3) ? sin(t3 ) 0 0 6 0 0 1 L1 77 T23 = 64 ? sin(t 0 5 3 ) ? cos(t3 ) 0 0 0 0 13 2 cos(t4 ) ? sin(t4 ) 0 0 6 0 0 ?1 0 77 T34 = 64 sin(t cos(t4) 0 0 5 4) 0 0 0 1 where t1 : : :t4 are the joint positions. Assuming that the centre of gravity of the rst link is in the xy-plane of frame 2 with coordinates (x2; y2 ; 0; 0) the height h1 of the centre of gravity of the rst link is h1 = [0 0 1 0]T01T12 [x2 y2 0 1] = sin(t2 )x2 + cos(t2 )y2 Similarly the height h2 of the centre of gravity of the second link can be derived assuming it lies within the xy-plane of frame 4 at (x4; y4 ; 0; 0) h2 = [0 0 1 0]T01T12 T23T34 [x4 y4 0 1] = (sin(t2 ) cos(t3 ) cos(t4 ) + cos(t2 ) sin(t4 ))x4 + (? sin(t2) cos(t3 ) sin(t4 ) + cos(t2 ) cos(t4 ))y4 + cos(t2 )L3 t

t

t

t

The potential energy U of the manipulator is U = m 1  h1 + m2  h2 (1) where m1 and m2 are the masses of the rst and second link respectively. Using Lagrange's method the joint torques 1 : : :4 compensating for the gravity are the partial derivatives of U with respect to t1 : : :t4 . The sin(t ) and cos(t ) are substituted by s and c for compactness. @U = 0 1 = @t 1 @U 2 = @t 2 = m1 x2c2 ? m1 y2 s2 + m2 x4 (c2 c3c4 ? s2 s4 ) ? m2 y4 (c2 c3s4 + s2 c4 ) ? m2 L3s2 @U = ?m x s s c + m y s s s 3 = @t 2 4 2 3 4 2 4 2 3 4 3 @U 4 = @t 4 = m2 x4(c2 c4 ? s2 c3 s4 ) ? m2 y4 (s2 c3 c4 + c2 s4 ) In the regressor form the matrix containing the trigonometric functions is separated from the vector of unknowns containing the products of masses and the coordinates of the centre of masses.2 2 3 2 3 m1 x2 3 1 0 0 0 0 0 66 2 77 66 c2 ?s2 q1 q2 ?s2 77 666 m1 y2 7 7 7 4 3 5 = 4 0 0 q3 q4 0 5 64 m2 x4 7 m 2 y4 5 4 0 0 q 5 q6 0 mL i

i

i

i

2 3

where q1 = c2 c3c4 ? s2 s4 q2 = ?c2 c3s4 ? s2 c4 q3 = ?s2 s3 c4 q4 = s2 s3 s4 q5 = c2 c4 ? s2 c3 s4 q6 = ?s2 c3 c4 ? c2 s4 The vector of unknowns can be determined experimentally from joint torque measurements in at least two dierent con gurations of the arm. Least squares minimisation can be used to determine the unknown vector from those measurements. Figure 3 shows a sequence of frames from a 5 second sequence showing the robot in Zero-G mode. The motion of the robot is not precalculated at any instance. Only the velocity guard, the TR compensation and the Zero-G module are active. In the rst image the robot is being pushed by a person and it keeps oating over the next four snapshots until it bumps into the foam rubber tabletop. When the person is pulling the robot back by its upper link, note that despite the low velocity the inertial eects ex the lower arm. The arm oats again and is nally caught by the person in the last frame.

5 Conclusion We have presented a new approach to control humanfriendly robots. The basic philosophy is to make the robot a tool with limited autonomy. Instead of aiming at a perfectly safe, self-responsible system the robot should be viewed as a sophisticated tool. Since the human is responsible to use the robot in a safe way, the actions of the robot have to be intuitively understandable and predictable. The control of the robot must consider the forces applied by the robot to it's environment and, thus, force control of the robot is imperative. The overall behaviour of the robot must be perceived as non-threatening by a human operator. The presented control scheme achieves these design goals. The base of the control scheme is formed by the Zero-G module. The safety envelope ensures that the safety characteristics are not altered by any control scheme implemented on top of it.

References [1] Rainer Bischo. HERMES - A Humanoid Mobile Manipulator for Service Tasks. In Proceedings of the International Conference on Field and Service Robotics, pages 508{515. FSR'96, Dezember 1996.

[2] Rodney A. Brooks. Prospects for Human Level Intelligence for Humanoid Robots. In Proceedings of the First International Symposium on Humanoid Robots. HURO-96, October 1996.

[3] Todd Jochem, Dean Pomerleau, and Charles Thorpe. MANIAC: A next generation neurally based autonomous road follower. In Proceedings of the International Conference on Intelligent Autonomous Systems: IAS{3, 1993.

[4] F. Thomanek and E. D. Dickmanns. Autonomous road vehicle guidance in normal trac. Lecture Notes in Computer Science, 1035:499{516, 1996. [5] W. T. Townsend and J. K. Salisbury. Mechanical design for whole-arm manipulation. Robots and Biological Systems: Toward a New Bionics?, pages 153{164, 1993.