A fault-tolerant feedback (FTF) system has been integrated into a robot control system to prevent robot-arm runaways that could be caused by failure of one or more transducers such as joint-position, torque, and motor-temperature sensors, or in associated wiring harness channels. The FTF system responds to a transducer failure by commanding either safety shutdown or else continued operation of the robot in a degraded mode. The FTF system can detect errors in joint-position, velocity, and torque feedback signals far more quickly than older systems can, thereby reducing uncontrolled motion of the robot arm before a shutdown command is executed. The FTF system can help to ensure safe and efficient operation of a robot that must share its workspace with humans and with delicate materials and equipment.

The FTF system is implemented on a single processor circuit board that plugs into the backplane of the robot-control computer and that operates between the motion-controller and servo-processor subsystems of the robot-control system. An analog-to-digital input circuit board and analog buffer/filter circuit board are also used to acquire data. All additional data and control capability required by the FTF system are available through a servo-level interface circuit. The FTF system also includes a user interface that consists of a video display terminal and a keyboard (see figure).

The FTF System is an integral part of the robot-control system. It detects erroneous transducer signals and modifies the control laws accordingly to help ensure safe operation and increase reliability.

The FTF intercepts robot-joint-position commands from the motion controller to the servo processor. It also evaluates feedback information from the servo processor and the input board every 10 milliseconds. By use of a mathematical model of the servo system, the feedback signals are compared to each other to determine whether any transducers have failed.

The comparison of transducer signals occurs after the signals have been processed through second-order Butter-worth filters. The filter frequency is selected so that only information below the natural frequency of vibration of the robot-drive mechanism is evaluated. This is essential when motor and axis information are compared and helps to eliminate false error indications caused by noise, nonlinearities, and dynamical error in the mathematical model. The differences between the actual signals and the signals computed from the model are compared to predetermined tolerances specified by the operator. When one of these differences exceeds the applicable tolerance, an error (and thus a transducer failure) is deemed to have occurred, and the FTF responds accordingly.

When no transducer failure has been detected, the FTF passes the commands unchanged to the servo processor. When a transducer failure has been detected as described above, then depending on the current mode of operation, the FTF system either immediately disables the robot or else executes a different control law for the affected coordinate axis, eliminating the use of the faulty transducer. The execution of the different control law is accomplished by use of feedback information from the servo processor, information from the mathematical model of the servo system, and the position command from the motion controller. The FTF system then sends a motor-current command instead of a joint-position command for the affected axis to the servo processor. With respect to the remaining axes, for which transducer failures have not been detected, the control system operates normally.

The FTF system can be made to operate in any of three modes called "safe," "battlefield", and "disabled." In the safe mode, the FTF system immediately disables the robot upon detection of any error. This mode is used when it is crucial that the manipulator not collide with objects in the workspace and provides a great increase in safety over other robotic systems. The battlefield mode provides for continued operation, with some degradation of performance, after a transducer failure. This mode significantly increases the reliability of the robotic system but at the expense of performance and safety. The disabled mode is used for calibration of the FTF system and evaluation of the performance of the rest of the robotic system (that is, with the FTF system excluded).

This work was done by Paul H. Eismann, James P. Karlen, and Talt Blevins of Robotics Research Corp. for Johnson Space Center. MSC-22591