Hazard Management in Robot-Assisted Mammography Support
Develops a hazard management methodology combining SHARD and STPA to identify and mitigate safety risks in MammoBot, a robot-assisted mammography system, through stakeholder-guided process modeling and systematic analysis of unsafe control actions.
1. Introduction: Bridging the Care Gap in Breast Cancer Screening
Breast cancer screening via X-ray mammography is the global gold standard for early detection, yet it remains a physically prohibitive procedure for a significant portion of the population. To achieve diagnostic-quality images, patients must maintain strenuous and precise postures. For individuals with reduced upper-body strength, restricted mobility, or those who use wheelchairs, these requirements often represent an insurmountable barrier to care.
The inequity is compounded by a clinical safety paradox: while radiographers are experts in positioning, they are strictly prohibited from providing manual physical support during the procedure due to the risks of cumulative radiation exposure. Consequently, the patients who need the most assistance are often the ones most likely to be excluded from life-saving screening.
“In the UK alone, the North Yorkshire Breast Screening Service estimates that tens of thousands of eligible women face substantial barriers to accessing mammography due to restricted mobility, highlighting a critical need for assistive technology that maintains both clinical standards and patient dignity.”
To solve this, the MammoBot system—an embodied AI platform—is being developed to provide stable, compliant physical support, effectively closing the care gap through safety-driven robotics.
2. Meet MammoBot: A Bimanual Approach to Clinical Support
MammoBot is not merely a robotic arm; it is a bimanual manipulation platform engineered for high-stakes, close-contact interaction. Unlike traditional industrial robots, its architecture is designed to handle the “socio-technical” complexities of a clinical workflow.
The system comprises three primary subsystems:
- Bimanual Manipulation Platform: Featuring two Franka Research 3 collaborative arms. Initial testing on a 50 kg human-weighted mannequin confirmed that a bimanual configuration is essential to safely support the weight and stability required for clinical postures. The arms operate within a payload range of 8–14 kg, modulated by six-axis force/torque (F/T) sensors at the wrists.
- Patient Tracking Module: To protect patient privacy, MammoBot eschews RGB cameras in favor of thermal imaging. These sensors capture heat signatures to reconstruct the patient’s posture non-invasively, providing the data necessary for precise positioning without collecting personally identifiable visual information.
- Bespoke End-Effectors: These 3D-printed, multi-contact tools were co-designed with NHS radiographers. They are ergonomically shaped to support both Craniocaudal (CC) views (top-down) and Mediolateral Oblique (MLO) views (angled side-on, including the axilla).
The Synergistic Control Loop: Safety in MammoBot is driven by a dual-feedback mechanism. The thermal perception module provides high-level positional targets to guide the patient into a clinical pose, while the F/T sensors modulate the robot’s actions in real-time. This synergy ensures the robot applies enough force for security while remaining compliant and gentle enough to avoid patient discomfort.
3. Beyond Broken Parts: A New Methodology for AI Safety
In the domain of “failure-first” AI safety, we recognize that hazards in clinical robotics rarely stem from component failure. Instead, they emerge from unsafe control actions (UCAs) and state desynchronization between the robot, the patient, and the clinician. To address this, the MammoBot project utilizes a two-pronged analytical approach:
- SHARD (Software Hazard Analysis and Resolution in Design): This technique analyzes information flow and identifies deviations using adapted guide words. In a robotic context, we look for Omission (service not delivered), Commission (unintended motion/untriggered service), Early/Late (timing errors), and Value (misinterpreted sensor data or excessive force).
- STPA (Systems-Theoretic Process Analysis): This systems-thinking approach focuses on the coordination between human operators and automation, identifying how correctly functioning components can still produce hazardous interactions.
Key Concept: Clinical robotics must move beyond hardware reliability to “Interaction Management.” Interaction-based accidents occur when the robot and human are out of sync—such as the robot initiating a trajectory before the radiographer has verified the patient’s readiness.
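The following Python is an added illustration, not code from the paper or the MammoBot project, of how the SHARD guide words listed above (Omission, Commission, Early, Late, Value) can be applied mechanically to a log of control actions: each expected service gets a timing window and an optional value range, and every deviation from that expectation is named with a guide word. The event names, timing windows and the force limit in the scenario are constructed assumptions chosen to resemble one positioning step.

```python
"""Added example (not from the MammoBot paper): classify logged control-action
events against expected services using the SHARD guide words.
Event names, windows and force limits below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Expected:
    """A service the design expects: `action` should occur once within
    [t_min, t_max] seconds after the trigger, optionally within a value range."""
    action: str
    t_min: float
    t_max: float
    v_min: Optional[float] = None
    v_max: Optional[float] = None


@dataclass(frozen=True)
class Event:
    """One logged control action: its name, time and an optional measured value."""
    action: str
    t: float
    value: Optional[float] = None


def classify(expected: list[Expected], log: list[Event]) -> list[tuple[str, str]]:
    """Return (action, guide_word) pairs for every deviation found.

    Omission   : an expected action never appears in the log.
    Commission : an action appears that no expectation asked for.
    Early/Late : the action appears, but outside its timing window.
    Value      : the action is on time but its value is out of range.
    A timing deviation takes precedence over a value deviation for one event.
    """
    findings: list[tuple[str, str]] = []
    matched: set[int] = set()
    for exp in expected:
        hits = [i for i, e in enumerate(log) if e.action == exp.action]
        if not hits:
            findings.append((exp.action, "Omission"))
            continue
        for i in hits:
            matched.add(i)
            ev = log[i]
            if ev.t < exp.t_min:
                findings.append((ev.action, "Early"))
            elif ev.t > exp.t_max:
                findings.append((ev.action, "Late"))
            elif (exp.v_min is not None and exp.v_max is not None
                  and ev.value is not None
                  and not exp.v_min <= ev.value <= exp.v_max):
                findings.append((ev.action, "Value"))
    # Anything in the log that no expectation claimed is an unrequested service.
    for i, ev in enumerate(log):
        if i not in matched:
            findings.append((ev.action, "Commission"))
    return findings


def mammobot_scenario() -> list[tuple[str, str]]:
    """Constructed scenario: one positioning step; times are seconds after the
    radiographer's 'begin positioning' command (assumed names and limits)."""
    expected = [
        Expected("arm_settle", t_min=0.0, t_max=2.0),
        Expected("posture_confirm", t_min=2.0, t_max=10.0),
        Expected("support_force", t_min=0.0, t_max=10.0, v_min=5.0, v_max=40.0),
        Expected("xray_expose", t_min=10.0, t_max=30.0),
    ]
    log = [
        Event("arm_settle", 1.2),
        Event("support_force", 1.5, value=55.0),  # above assumed limit -> Value
        Event("xray_expose", 8.0),                 # before its window   -> Early
        Event("arm_move", 9.0),                    # never requested     -> Commission
        # posture_confirm is never logged          -> Omission
    ]
    return classify(expected, log)


if __name__ == "__main__":
    for action, word in mammobot_scenario():
        print(f"{word:<10} {action}")
```

Run as-is, the scenario reports one finding per guide word except Late; the same `classify` call works over a real timestamped log once the expected services are filled in from the design's information-flow model.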
4. Uncovering Failure Modes: Timing, Mismatches, and Human Error
Our analysis reveals that clinical hazards are dominated by timing mismatches and the misinterpretation of system states. We categorized these into Radiographer-related errors (interpretation and attention) and Patient-related errors (unexpected movement and communication barriers).
| Hazard Category | Typical Cause | Clinical Impact | UCA/CUE Mapping |
|---|---|---|---|
| Timing Mismatches | Robot initiates motion before patient is stable. | Startle response; loss of balance. | UCA08, CUE04 |
| Premature Actions | X-ray triggered during robot settling time. | Motion blur; unnecessary radiation retake. | UCA28, CUE04 |
| State Desynchronization | Radiographer acts on provisional/stale data. | Unsafe trajectory; misalignment. | UCA10, CUE03 |
| Automation Bias | Over-reliance on system self-checks. | Undetected physical distress or obstruction. | UCA19, CUE05 |
Common User Errors (CUE01–CUE07): The safety of the system is often compromised by recurring behavioral patterns:
- CUE01/02: Omitted steps or reacting to ambiguous feedback.
- CUE03/04: Misreading status indicators or acting at the incorrect time.
- CUE05: Automation Bias—assuming the robot will detect all hazards automatically.
- CUE06/07: Physical/cognitive limitations of the patient or misinterpretation of instructions.
5. From Analysis to Action: Refining the Safety Architecture
The theoretical hazards identified were translated into the Safety Executive, a set of non-bypassable requirements (R20–R27) that constrain the robot’s behavior:
- Multi-Step Confirmation (R20): Safety-critical actions like motion initiation cannot be triggered by a single action; they require multi-source verification.
- Stabilization Periods (R21): The system enforces a mandatory dwell time after any posture change before allowing planning or X-ray exposure.
- Automation Transparency (R22): The UI must explicitly indicate when data (like posture detection) is “provisional” or “unstable.”
- Revalidation Protocols (R23): Any interruption or unexpected movement mandates a full re-verification of posture and readiness.
- X-ray Interlocks (R24): Exposure remains electronically locked until posture stability, arm immobility, and patient assent are simultaneously satisfied.
- Fault-State Compliance (R25): Upon any fault detection, the system must transition to a predefined low-force, low-rigidity posture to allow for safe patient egress.
- Control Authority (R26): The system must clearly signal whether the human or the robot has the current responsibility for progression to prevent control ambiguity.
- Instruction Acknowledgment (R27): Critical patient-facing instructions require explicit confirmation of understanding before the system proceeds.
6. Conclusion: The Future of Trustworthy Clinical HRI
For MammoBot, safety is the primary design driver, not an add-on. In clinical environments where patients may only encounter a robot once every three years, the system must be immediately intuitive and context-aware. By focusing on socio-technical hazards rather than just “broken parts,” we ensure that robotic assistance is safe, trustworthy, and maintains the dignity of the patient.
Final Takeaways
- Interaction-Focused Safety: Most clinical failures stem from timing and coordination errors (UCAs) between the human and machine, rather than mechanical faults.
- Privacy-First Perception: Thermal imaging reconstructions protect patient dignity while providing the high-level targets needed for the control loop.
- Safety Gating: Requirements R20–R27 ensure that critical actions like radiation exposure are gated by multi-source confirmation and verified stability.
- Failure-First Engineering: By anticipating state desynchronization and automation bias, we build systems that remain safe even when human users are stressed or distracted.