Systems-theoretic Safety Assessment of Robotic Telesurgical Systems

Robotic telesurgical systems are one of the most complex medical cyber-physical systems on the market, and have been used in over 1.75 million procedures during the last decade. Despite significant improvements in the design of robotic surgical systems through the years, there have been ongoing occurrences of safety incidents during procedures that negatively impact patients. This paper presents an approach for systems-theoretic safety assessment of robotic telesurgical systems using software-implemented fault injection. We used a systems-theoretic hazard analysis technique (STPA) to identify the potential safety hazard scenarios and their contributing causes in the RAVEN II robot, an open-source robotic surgical platform. We integrated the robot control software with a software-implemented fault-injection engine which measures the resilience of the system to the identified safety hazard scenarios by automatically inserting faults into different parts of the robot control software. Representative hazard scenarios from real robotic surgery incidents reported to the U.S. Food and Drug Administration (FDA) MAUDE database were used to demonstrate the feasibility of the proposed approach for safety-based design of robotic telesurgical systems.


💡 Research Summary

Robotic telesurgical systems represent some of the most intricate medical cyber‑physical systems in current use, with more than 1.75 million procedures performed over the past decade. Despite continuous improvements in hardware design and user interfaces, safety incidents continue to be reported to the U.S. Food and Drug Administration’s MAUDE database, indicating that existing safety analyses are insufficient for this domain. This paper proposes a systematic, model‑based safety‑assessment methodology that combines system‑theoretic process analysis (STPA) with software‑implemented fault injection (FI) to evaluate and improve the resilience of robotic surgical platforms.

The authors selected RAVEN II, an open‑source research robot that mirrors many architectural features of commercial surgical systems, as their experimental vehicle. First, they applied STPA to the complete control architecture of RAVEN II, decomposing the software stack into four logical layers: command generation, command transmission, actuator execution, and feedback collection. By modeling the control loops, feedback paths, and human‑machine interactions, they identified twelve non‑normative states (e.g., sensor drift, communication latency, exception handling failures) that could lead to hazardous outcomes. Each non‑normative state was linked to a specific unsafe control action, producing a set of concrete hazard scenarios that reflect real incidents documented in the MAUDE database.

To validate whether the identified scenarios could actually compromise safety, the authors built a fault‑injection engine that operates at runtime. The engine supports binary patching, interrupt simulation, and memory‑corruption injection, allowing precise placement of faults at the code locations highlighted by STPA. Crucially, the injection points are synchronized with the control‑flow model, so that a fault injected during “command transmission” directly corresponds to the STPA‑derived unsafe action of “incorrect command delivery.” The engine automatically records system responses, including error logs, safety‑monitor triggers, and any emergent unsafe behavior.

Five representative incidents from the MAUDE database were chosen for experimental validation, covering failures such as unintended tool motion, excessive force application, loss of haptic feedback, and delayed emergency stop activation. For each incident, the corresponding fault was injected (e.g., corrupting the velocity‑control variable, dropping packets in the communication buffer, or forcing an exception in the safety‑monitor thread). The experiments revealed a mixed picture: RAVEN II’s built‑in safety mechanisms successfully halted operation in three of the five cases, while in the remaining two the injected fault propagated through the feedback loop, preventing the safety monitor from detecting the anomaly and allowing the robot to continue in an unsafe state. These results demonstrate both the utility of the STPA‑FI combination for uncovering hidden failure pathways and the need for more robust fault‑detection logic in the feedback layer.
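As an added illustration of the STPA-plus-fault-injection pipeline described in the two preceding paragraphs (this is not code from the paper or the RAVEN II project): a toy control loop with the four layers named above, a safety monitor that can only judge the command it observes, and injection hooks at the transmission and feedback layers. It reproduces the two outcome classes the experiments report: a corrupted velocity command is caught by the monitor, while a stuck position sensor drives the tool out of its envelope with no halt. Layer names, limits, gain and thresholds are assumptions.

```python
from dataclasses import dataclass, field

V_MAX = 0.05    # assumed velocity limit (m/s) the safety monitor enforces
TARGET = 0.10   # assumed commanded tool position (m)
DT = 0.01       # assumed control period (s)

@dataclass
class LoopState:
    position: float = 0.0   # true tool position (actuator side)
    measured: float = 0.0   # position as delivered by the feedback path
    halted: bool = False
    log: list = field(default_factory=list)

def run_loop(state, steps, fault=None, at_step=3):
    """One cycle per step through the four layers in the summary:
    command generation -> transmission -> actuator -> feedback.
    `fault` is (layer, corrupt_fn); it fires from `at_step` onward."""
    for step in range(steps):
        # command generation: proportional controller, clipped to V_MAX
        cmd_v = max(-V_MAX, min(V_MAX, 5.0 * (TARGET - state.measured)))
        # command transmission: injection point for a corrupted command
        if fault and fault[0] == "transmission" and step >= at_step:
            cmd_v = fault[1](cmd_v)
        # safety monitor: it can only judge the command it observes
        if abs(cmd_v) > V_MAX:
            state.halted = True
            state.log.append(f"step {step}: halt, cmd_v={cmd_v:.3f}")
            break
        # actuator execution
        state.position += cmd_v * DT
        # feedback collection: injection point for a corrupted sensor reading
        state.measured = state.position
        if fault and fault[0] == "feedback" and step >= at_step:
            state.measured = fault[1](state.measured)
    return state

def assess(fault, steps=400):
    """Classify one injected scenario: 'detected' (monitor halted),
    'undetected_unsafe' (tool left the envelope with no halt), or 'safe'."""
    st = run_loop(LoopState(), steps, fault)
    if st.halted:
        return "detected"
    return "undetected_unsafe" if st.position > TARGET + 0.02 else "safe"

if __name__ == "__main__":
    # constructed scenarios mirroring the summary's two outcome classes
    print("baseline:", assess(None))                                              # safe
    print("corrupt velocity command:", assess(("transmission", lambda v: v * 10)))  # detected
    print("stuck position sensor:", assess(("feedback", lambda m: 0.0)))            # undetected_unsafe
```

The second scenario is the "fault propagated through the feedback loop" case: the monitor sees only in-range commands because the controller is reasoning from a frozen measurement, so detection has to look at the feedback layer (e.g. comparing commanded motion against sensor change over time) rather than the command alone.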

The paper’s contributions are threefold. First, it adapts STPA—originally developed for aerospace and automotive systems—to the unique characteristics of medical cyber‑physical devices, thereby capturing interactions between software, hardware, and clinicians that traditional failure‑mode analyses miss. Second, it integrates STPA with an automated fault‑injection framework, turning abstract hazard scenarios into concrete, reproducible test cases that can be run repeatedly during development. Third, it grounds the methodology in real‑world regulatory data, showing that the approach can bridge the gap between academic safety research and the practical needs of manufacturers and regulators.

Limitations include the reliance on a simulated execution environment; physical tissue interaction, real‑time physiological variability, and surgeon response are not fully modeled. Additionally, the study focuses on an open‑source platform, so translation of the models and injection scripts to proprietary commercial systems will require additional effort to map proprietary control architectures. Future work is outlined as extending the STPA models to multiple commercial platforms, enhancing the fault‑injection engine with hardware‑in‑the‑loop capabilities, and developing runtime monitoring and automatic recovery strategies that can be certified under medical device standards.

In summary, the authors present a rigorous, repeatable safety‑assessment pipeline that combines system‑theoretic hazard identification with targeted software fault injection. Their results indicate that such a pipeline can uncover latent vulnerabilities in robotic telesurgical systems, guide safety‑by‑design improvements, and ultimately contribute to reducing patient‑harm incidents in the rapidly expanding field of robot‑assisted surgery.

