BY 4.0 license Open Access Published by De Gruyter September 17, 2020

Catalogue of hazards: a fundamental part for the safe design of surgical robots

Lukas Theisgen, Florian Strauch, Matías de la Fuente and Klaus Radermacher


Risk classes defined by MDR and FDA for state-of-the-art surgical robots based on their intended use are not suitable as indicators for their hazard potential. While there is a lack of safety regulation for an increasing degree of automation as well as the degree of invasiveness into the patient’s body, adverse events have increased in the last decade. Thus, an outright identification of hazards as part of the risk analysis over the complete development process and life cycle of a surgical robot is crucial, especially when introducing new technologies. For this reason, we present a comprehensive approach for hazard identification in early phases of development. With this multi-perspective approach, the number of hazards identified can be increased. Furthermore, a generic catalogue of hazards for surgical robots has been established by categorising the results. The catalogue serves as a data pool for risk analyses and holds the potential to reduce hazards through safety measures already in the design process before becoming risks for the patient.


According to IEEE Robotics & Automation Society, the stage of maturity of medical robots is equal to how it was for manufacturing robots in 1980 [1]. Whereas in manufacturing industry, robots can be segregated from the human, a surgical robot intrinsically shares its workspace with the patient and operating room staff. In active or synergistic automation [2] the robot even modifies the patient in a similar manner to how an industrial robot modifies a workpiece. This is why in case of failure, a surgical robot can be a serious hazard for patient and staff. Both arguments, the low stage of maturity of the technology in combination with increasing system complexity as well as the high risk potential due to direct patient contact, demand robust safety measures for surgical robots.

In practice, the number of malfunctions and adverse events due to robotic systems increased in the US between 2004 and 2013 by 2.2% [3]. Although literature is inconsistent regarding safety issues of surgical robots, Ferrarese et al. [4] helped to clarify by collecting data from 18 articles about robotic system malfunctions in surgery between 2005 and 2014. They discovered that 20.9% were caused by robotic instruments and arms. In some cases, such as mastectomy procedures, survival rates that were lower in robotic-assisted minimally invasive surgery (MIS) than in open surgery [5] led in 2019 to public safety warnings against robotical-assisted devices by the Federal Drug Administration (FDA). These circumstances hint at the lack of standard metrics for the measurement of safety of surgical robots, and the current situation of self-regulation by industry [6].

Since 1976, the FDA grants either Approval based on a Pre-Market Application (PMA) or Clearance based on Pre-Market Notification (510(k)) for medical devices used in the United States. The latter applies for devices substantially equivalent to a device already placed into risk class I or II. As the 510(k) process for FDA Clearance usually comes along with significantly lower costs and less process duration [7], applicants tend to declare substantial equivalence towards the FDA. Thus, no surgical robot has ever received FDA Approval [8]. In other words: All surgical robots available to date base on medical products, which were legally marketed in the US before 1976!

This is why the da Vinci Xi surgical system from Intuitive Surgical Inc., Sunnyvale (US) is not classified as a robot but under the product code NAY which stands for “endoscope and accessories”. Orthopaedic robots such as ROSA Spine from Zimmer Biomet Holdings Inc., Warsaw (US), the MAKO robots from Stryker Corp., Kalamzoo (US) or the TCAT system (formerly ROBODOC) from Think Surgical Inc., Freemont (US) are declared as “orthopaedic stereotactic instrument” (OLO).

Hines et al. [9] have termed this effect as “predicate creep”. Manufacturers can demonstrate that a device is safe simply by showing that it is substantially equivalent to an existing “predicate” device, based on the intended use, even if the device is a notably different product. The FDA reacted by publishing recommendations for a “Safety and Performance Based Pathway” of the 510(k) process in 2019, which is going into the right direction, but not legally binding.

However, a risk analysis is mandatory for FDA Clearance as well as it is for the declaration of conformity according to the Medical Device Regulation (MDR) in the European Union. But it becomes particularly clear that risk classes are not an indicator for the actual hazard potential of surgical robots. The following orthopaedic robots currently belong to risk class II in the US and IIb in the EU: Excelsius GPS from Globus Medical Inc., Audubon (US), ROSA Spine and ROSA Brain, the MAKO robots, TCAT, Cirq from Brainlab AG, Munich (DE), and to mention a non-orthopaedic robot, the da Vinci Xi. The systems Mazor X from Medtronic, Dublin (IRL) and NAVIO from Smith & Nephew PLC, London (UK) belong to risk class II in the US and IIa in the EU. Despite being in the same risk classes (in the US), these robots have huge differences in their degree of automation, complexity and invasiveness, representing the variety of different potential hazards. The effect of “predicate creep”, the occurrence of safety warnings (as presented above) and the fact that the high diversity of robots implies many case-specific types of safety hazards, emphasizes the relevance of comprehensive risk analyses for surgical robots already in early phases of product design.


With this paper we present an approach to better integrate risk identification into the design process of surgical robots. A three-stages procedure is used, as illustrated in Figure 1:

  1. Identification of hazards from different perspectives,

  2. Cataloguing of hazards,

  3. Risk assessment,

Figure 1: Three-stages approach towards a catalogue of hazards.

Figure 1:

Three-stages approach towards a catalogue of hazards.

Identification of hazards

According to DIN EN ISO 14971:2020, the first step of risk management, after defining and refining the intended use, is the identification of hazards, often referred to as Preliminary Hazard Analysis (PHA). Our PHA approach aims to gather as many hazards as possible by taking multiple perspectives in order to satisfy the demand for maximum completeness. Our Point-of-View (PoV) approach is based on defined perspectives that overlap, to be rather redundant than incomplete. Additionally, we have brought the perspectives into a more or less chronological order. PoV1 and PoV2 can be conducted at an early stage of development without knowing the functioning of the system to be designed whereas PoV5–PoV7 is most valuable when combined with concrete concepts.

For each perspective, we have identified hazards by means of brainstorming and workshops, literature and standard operating procedures (SOP), international standards and regulations, public databases, observations from surgeries and manufacturer information.

The first perspective PoV1 Conventional includes the analyses of the surgical procedure as it is usually conducted. Established SOPs should be complemented by onsite workflow analyses as well as literature reviews. The aim is to consider hazards that can occur even without robotics.

Hazards and risks can be characteristics of the surgical procedure but can also be linked to the patient himself or herself. PoV2 Patient aims to consider patient-related risk factors such as age, anatomy, pre-existing conditions or implants, obesity and accompanied complications such as difficult accessibilities or sclerotic bones.

In PoV3 Retrospective, all available data and documents are used to identify hazards that already occurred in similar and existing mechatronic assistance devices. The FDA provides two databases for that. Recalls of medical devices published by manufacturers or enforced by the FDA are assigned to one of three classes and published in the “Recalls Database”. Class I indicates the highest severity of a potential risk. Incidents reported particularly by users relating to a medical device are published in the Manufacturer and User Facility Device Experience Database (MAUDE), categorised according to the most severe consequence: malfunction, serious injury or death.

Baseline requirements for the design of surgical robots can be found in directives such as the MDR and the Machinery Directive 2006/42/EC as well as in international standards. This perspective is represented by PoV4 Standards. DIN EN ISO 14971:2020 provides a checklist for hazard identification in Annex C.

Every robot is a mechatronic system that comes along with inherent hazards (PoV5), regardless of the exact functionality of the system. As a mechatronic system it consists of sensors, processors, actuators and connecting structures with characteristic types of potential malfunctions.

However, risks cannot only occur due to the existence of mechatronic components but also because of their spatial arrangement to each other and to external physical entities such as patient, staff, equipment or devices (PoV6 Spatial).

For PoV7 Human–Machine Interaction (HMI), use-cases can be comprehensively modelled along the perception-cognition-action information processing sequence. As part of the mAIXuse method [10], relevant use-scenarios can be modelled and analysed in order to identify human-centred hazards when interacting with a surgical robot.

Catalogue of hazards

By using the PoV Approach, more than 200 hazards have been identified and collected in the Catalogue of Hazards for an exemplary use-case in spinal orthopaedics. The systematic data collection technique provides the ability of categorising, filtering, sorting and refining data.

According to ISO/IEC Guide 63:2019 (E), a hazard is a potential source of harm, which is defined as injury or damage to the health of people, or damage to property or environment. A hazardous situation is the circumstance in which people, property or the environment are exposed to one or more hazards. Obviously, a single hazard can lead to multiple hazardous situations which themselves can lead to multiple harms. The causal link between hazard and hazardous situation is a sequence of events. In order to follow this common line of reasoning and to ease hazard identification, these definitions form the basic categories of the catalogue, as illustrated in Figure 2.

Figure 2: Basic categories of the catalogue of hazards in accordance with ISO/IEC Guide 63:2019 (E) and ISO DIN EN 14971:2020.

Figure 2:

Basic categories of the catalogue of hazards in accordance with ISO/IEC Guide 63:2019 (E) and ISO DIN EN 14971:2020.

All input fields are free text fields, except Harm/Consequence. Similar to the MAUDE database, we categorise into Malfunction, Injury or Death but also Delay, as another negative consequence for patient and hospital.

The transformation of potential harm into risks by combining the probability of occurrence of hazardous situations and harm with the severity of the latter (ISO/IEC Guide 63:2019(E)) is part of risk assessment and excluded from the catalogue. The catalogue provides a database of hazards adaptable to different variants of risk assessment techniques.

The catalogue is sortable by dropdown lists, as shown in Figure 3. With these four dropdown categories, the user is able to filter for a specific perspective, type of component or hazard category and to select relevant rows. Filters regarding sources can be useful, to review reported hazards from the selected sources such as e.g. the MAUDE database.

Figure 3: Additional categories of the catalogue of hazards to ease applicability for case-specific risk assessment.

Figure 3:

Additional categories of the catalogue of hazards to ease applicability for case-specific risk assessment.

As an example, identified hazards for PoV3 Retrospective are presented in this section. We have searched in the MAUDE database for all adverse events that were linked to the product code OLO. We examined the last 500 entries. Three hundred and thirty (330) entries could be associated with robots, of which we assigned 95 (36%) to the keyword Mechanical, 49 (19%) to Material, 38 (14%) to Detachment, 23 (9%) to Precision Failure, 23 (9%) to Software, 20 (8%) to Contamination and 12 (5%) to Use of Device. Additional data, analysed and categorised by Alemzadeh et al. [3], was also taken into consideration. They discovered that 50% of all incidents reported as deadly occurred in robotic-assisted surgeries. However, they also emphasised that the number of reported incidents depends on the actual reporting practice and must be seen critically.

To prepare the next step of risk analysis we transferred the detected hazards into a Failure Mode and Effects Analysis (FMEA) notation by using the CARAD software (SurgiTAIX AG, Herzogenrath, DE) and generated a preliminary Risk Priority Number (RPN) to show compatibility with techniques for risk assessment. After risk assessment, countermeasures would have to be defined. For assistance, Table 1 provides a list of international standards that may help with the formulation of appropriate safety measures for surgical robots.

Table 1:

Selection of international standards and technical reports relevant for the design of surgical robots.

Reference no.Topics
EN 556Sterilization of medical devices
ISO 10218-1Safety requirements for industrial robots
ISO/TR 15066Collaborative robots
EN 27740Surgical instruments
IEC 60601-1Safety of med. electrical devices (MED)
IEC 60601-1-4Software for MED
IEC 60601-1-6Usability requirements for MED
IEC/TR 60601-4-1MED with autonomy
IEC/ISO 80601-2-77Medical robots for surgery
IEC 62304Medical software
IEC 62366Usability engineering for medical devices


A new method for hazard identification and the framework of a Catalogue of Hazards have been presented. The PoV Approach was performed on a very basic level but helped to identify more than 200 hazards in a first attempt. These hazards have been added to the elaborated catalogue and have been specified by including hazardous situations and consequences.

Our focus was to develop a systematic approach towards comprehensive hazard identification and to illustrate its feasibility and practical applicability. However, further validation of this approach is necessary. Hazards identified from PoV1 Conventional to PoV2 Patient were based on a limited number of observations of surgical procedures performed without robotics. For all PoV, workshops with diverse groups will be required. Moreover, it could be useful to evaluate whether all stakeholders are involved appropriately. PoV5 Inherent should be further detailed as the technical layout of the specific robot is evolving. The proposed chronological order of taking different perspectives as well as their overlapping characteristics still needs to be evaluated in more detail.

In conclusion, we think that our approach using PoV based risk identification and the Catalogue of Hazards supports a systematic risk management process. Next steps will be further elaboration of the catalogue, a usability evaluation and practical validation with more detailed use-cases.

Corresponding author: Lukas Theisgen, Chair of Medical Engineering at Helmholtz-Institute for Biomedical Engineering of RWTH Aachen University, Pauwelsstr. 20, Aachen, Germany, E-mail:

  1. Research funding: The author state no funding involved.

  2. Author contributions: All authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Competing interests: Authors state no conflict of interest.

  4. Informed consent: None declared.

  5. Ethical approval: The conducted research is not related to either human or animals use.


1. IEEE Robotics & Automation Society. Technical committee for surgical robotics: scope. . 2020.Search in Google Scholar

2. Troccaz, J, Peshkin, M, Davies, B. Guiding systems for computer-assisted surgery. Introducing synergistic devices and discussing the different approaches. Med Image Anal 1998;2:101–19. in Google Scholar

3. Alemzadeh, H, Raman, J, Leveson, N, Kalbarczyk, Z, Iyer, RK, et al. Adverse events in robotic surgery: a retrospective study of 14 years of FDA data. PLoS One 2016;11:e0151470. in Google Scholar

4. Ferrarese, A, Pozzi, G, Borghi, F, Marano, A, Delbon, P, Amato, B. Malfunctions of robotic systems in surgery: role and responsibility of surgeon in legal point of view. In: Wierzchowiecka, M, Darzynkiewicz, Z, editors. Open med. Berlin: De Gruyter; 2016, vol 11. 286–91.Search in Google Scholar

5. Ramirez, P, Frumovitz, M, Pareja, R, Lopez, A, Vieira, M, Ribeiro, R, et al. Minimally invasive versus abdominal radical hysterectomy for cervical cancer. N Engl J Med 2018;379:1895–904. in Google Scholar

6. Grespan, L, Fiorini, P, Colucci, G. The route to patient safety in robotic surgery. Cham: Springer International Publishing; 2019.Search in Google Scholar

7. Yang, G-Z, Cambias, J, Cleary, K, Daimler, E, Drake, J, Dupont, PE, et al. Medical robotics-regulatory, ethical, and legal considerations for increasing levels of autonomy. Sci Robot 2017;2:8638. in Google Scholar

8. Lefkovich, C. The use of predicates in FDA regulation of medical devices: a case study of robotic surgical devices. Rochester: Rochester Institute of Technology; 2018.Search in Google Scholar

9. Hines, JZ, Lurie, P, Yu, E, Wolfe, S. Left to their own devices: breakdowns in United States medical device premarket review. PLoS 2010;7:e1000280. in Google Scholar

10. Janß, A. Modellbasierte Risikoanalyse und -behandlung sicherheitskritischer Mensch-Maschine-Schnittstellen in der Medizintechnik. Aachen: Shaker Verlag GmbH; 2016.Search in Google Scholar

Published Online: 2020-09-17

© 2020 Lukas Theisgen et al., published by De Gruyter, Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.