CONTROL SYSTEM FOR SURGICAL ROBOT SYSTEM WITH SAFETY DEVICE

BACKGROUND

[0001] It is known to use robots for assisting and performing surgery. FIG. 1 illustrates an example surgical robot system 100 comprising a surgical robot 102 which consists of a base 104, an arm 106, and an instrument 108. The base 104 supports the robot, and is itself attached rigidly to, for example, the operating theatre floor, the operating theatre ceiling or a trolley. The arm 106 extends between the base 104 and the instrument 108. The arm 106 is articulated by means of multiple flexible joints 110 along its length, which are used to locate the surgical instrument in a desired location relative to the patient. The surgical instrument is attached to the distal end 112 of the robot arm. The surgical instrument penetrates the body of the patient 114 at a port 116 so as to access the surgical site. At its distal end, the instrument comprises an end effector 118 for engaging in a medical procedure.

[0002] The surgical robot 102 is controlled remotely by an operator (e.g. surgeon) via an operator console 120 that may be located in the same room (e.g. operating theatre) as the surgical robot 102 or remotely from it. The operator console 120 may comprise input devices 122, 124 for controlling the state of the arm 106 and/or instrument 108 attached thereto. The input devices 122, 124 may be, for example, handgrips or hand controllers (e.g. one for each hand), with one or more buttons thereon, mounted on parallelogram linkages. The operator console 120 may also comprise a display 126. The display 126 may be arranged to be visible to an operator (e.g. surgeon) operating the input devices 122, 124. The display 126 may be used to display a video stream of the surgical site (e.g. a video stream captured by an endoscope, and/or a video stream captured another camera or microscope (such as those used in open surgery)) and/or other information to aid the operator (e.g. surgeon) in performing the surgery. The display may be two-dimensional (2D) or three-dimensional (3D).

[0003] A control system 128 converts the movement of (and actions performed on/via) the input devices into control signals to move the arm joints and/or instrument end effector of the surgical robot. In some cases, the control system 128 is configured to generate control signals to move the arm joints and/or instrument end effector based on the position in space of the input devices and their orientation.

[0004] Although the example surgical robot system of FIG. 1 comprises a single surgical robot, in other examples, a surgical robot system may comprise a plurality of surgical robots.

For example, FIG. 2 illustrates a surgical robot system 200 with multiple robots 202, 204, 206 operating in a common workspace on a patient 208.

[0005] As a surgical robot system 100, 200 is used to perform a surgical procedure on a patient it is important the component or elements of the system communicate with each other as expected and that the control system 128 issues accurate command to the surgical robot arm(s) in light of the state of the surgical robot arm(s) and the other components of the system, and the inputs received from the input devices. If the system is not operating as expected there can be severe, if not, catastrophic consequences. Accordingly, it may be desirable to implement one or more safety mechanisms which are able to determine if there is a fault with the surgical robot system, and the control system 128 in particular, and if a fault is detected, put the system, or one or more components of the system, into a safe state.

[0006] The embodiments described below are provided by way of example only and are not limiting of implementations which solve any or all of the disadvantages of known surgical robot system and/or method of controlling a surgical robot system.

SUMMARY

[0007] This summary is provided to introduce a selection of concepts that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

[0008] Described herein are control system for controlling a surgical robot system, the surgical robot system comprising a surgical robot, the surgical robot comprising a base, and an arm extending from the base to an attachment for an instrument, the arm comprising a plurality of joints whereby the configuration of the arm can be altered. The control systems include: a main controller configured to: receive communications identifying inputs from an operator of the surgical robot; generate control signals for controlling the movement of the surgical robot arm based on the inputs; and send communications to the surgical robot identifying the control signals; and a safety device situated such that communications to and from the main controller pass through the safety device, the safety device being operable to selectively filter the communications to and/or from the main controller.

[0009] A first aspect provides a control system for controlling a surgical robot system, the surgical robot system comprising a surgical robot, the surgical robot comprising a base, and an arm extending from the base to an attachment for an instrument, the arm comprising a

plurality of joints whereby the configuration of the arm can be altered, the control system comprising: a main controller configured to: receive communications identifying inputs from an operator of the surgical robot; generate control signals for controlling the movement of the surgical robot arm based on the inputs; and send communications to the surgical robot identifying the control signals; and a safety device situated such that communications to and from the main controller pass through the safety device, the safety device being operable to selectively filters the communications to and/or from the main controller.

[0010] The safety device may be configured to filter at least a portion of the communications to and/or from the main controller in response to the surgical robot system being in a fault state.

[0011] The safety device may comprise one or more filters, and the one or more filters are configured to filter the communications to and/or from the main controller by comparing received communications to one or more filter criteria.

[0012] The one or more filters may comprise a receive filter and the one or more filter criteria may comprise one or more receive filter criteria, the receive filter may be configurable to filter the communications from the main controller by comparing the communications from the main controller to the one or more received filter criteria.

[0013] The receive filter may comprise a buffer to store the communications received from the main controller.

[0014] The receive filter may comprise a manifold and one or more matchers, the manifold configured to extract relevant information from the received communications prior to storing the received communications in the buffer, and the one or more matchers are configured to compare the relevant information to the one or more receive filter criteria.

[0015] The one or more receive filter criteria may comprise up to N receive filter criteria, wherein N is an integer based on a number of comparisons that can be performed between a communication and a filter criteria in a cycle and a number of cycles it takes to receive a communication.

[0016] It may take up to X cycles to receive a communication and N may be selected such that a communication can be compared with N filter criteria within X cycles.

[0017] The one or more filter criteria may comprise one or more transmit filter criteria and the at least one filter comprises a transmit filter, the transmit filter may be configurable to filter the communications to the main controller by comparing the communications to the main controller to the one or more transmit filter criteria.

[0018] The transmit filter may comprise a buffer to store the communications to the main controller.

[0019] The transmit filter may comprise a manifold and one or more matchers, the manifold may be configured to extract relevant information from the communications to the main controller prior to storing the communications to the main controller in the buffer, and the one or more matchers may be configured to compare the relevant information to the one or more transmit filter criteria.

[0020] The one or more transmit filter criteria may comprises up to K receive filter criteria, wherein K is an integer based on a number of comparisons that can be performed between a communication and a filter criteria in a cycle and a number of cycles it takes to receive a communication.

[0021] It may take X cycles to receive a communication and K may be selected such that a communication can be compared with K filter criteria within X cycles.

[0022] The one or more filter criteria may be configurable.

[0023] The one or more filter criteria may be configurable to cause the safety device to filter all communications to and from the main controller.

[0024] The one or more filter criteria may be configurable to cause the safety device to filter communications between the main controller and a specific device in the surgical robot system.

[0025] Each of the one or more filter criteria may comprise one or more of a source address, destination address, source port and destination port.

[0026] The safety device may comprise one or more registers and each filter criteria may be stored in a set of the one more registers.

[0027] The one or more filters may be configured to, in response determining that a communication matches at least one of the one or more filter criteria, reject the

communication.

[0028] The one or more filters may be configured to reject the communication by discarding the communication.

[0029] The one or mor filters may be configured to reject the communication by corrupting the communication.

[0030] The one or more filters may be configured to corrupt the communication by altering an error detecting portion of the communication.

[0031] The control system may further comprise a safety monitor and the safety device may be configured to send a copy of at least a portion of the communications to and/or from the main controller to the safety monitor.

[0032] The safety monitor may be configured to analyse the received communications to determine whether the surgical robot system is in a fault state, and in response to determining that the surgical robot system is in a fault state, cause the safety device to filter at least a portion of the communications to and/or from the main controller.

[0033] A second aspect provides a method of selectively filtering communications to and/or from of a main controller of a surgical robot system, the surgical robot system comprising a surgical robot, the surgical robot comprising a base, and an arm extending from the base to an attachment for an instrument, the arm comprising a plurality of joints whereby the configuration of the arm can be altered, the main controller configured to receive communications identifying inputs from an operator of the surgical robot, generate control signals for controlling the movement of the surgical robot arm based on the inputs, and send communications to the surgical robot identifying the control signals, the method comprising: receiving at a safety device a communication to or from the main controller; determining whether at least one filter criteria has been specified; in response to determining that at least one filter criteria has been specified, comparing the received communication to the at least one specified filter criteria; in response to determining that the received communication matches at least one of the at least one filter criteria, rejecting the receiving communication; and in response to determining that the received communication does not match any of the at least one filter criteria, outputting the communication to the relevant device.

[0034] The above features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the examples described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0035] Examples will now be described in detail with reference to the accompanying drawings in which:

[0036] FIG. 1 is a schematic diagram of an example surgical robot system comprising a surgical robot, an operator console and a control system;

[0037] FIG. 2 is a schematic diagram of an example surgical robot system comprising a plurality of surgical robots;

[0038] FIG. 3 is a block diagram of an example control system for a surgical robot system;

[0039] FIG. 4 is a schematic diagram of an example surgical robot arm;

[0040] FIG. 5 is a block diagram of an example implementation of the safety device of FIG. 3 which comprises Tx and Rx filters;

[0041] FIG. 6 is a block diagram of an example implementation of the Tx and Rx filters of FIG. 5;

[0042] FIG. 7 is a flow diagram of an example method of selectively filtering communications to and/or from the main controller of FIG. 3, which may be implemented by the safety device of FIG. 3;

[0043] FIG. 8 is a block diagram of an example implementation of the safety monitor of FIG.

3;

[0044] FIG. 9 is a flow diagram of an example method of monitoring the communications to and from the main controller to detect a fault in the system, which may be implemented by the safety monitor of FIG. 8; and

[0045] FIG. 10 is a schematic diagram illustrating a virtual pivot point of a port.

[0046] The accompanying drawings illustrate various examples. The skilled person will appreciate that the illustrated element boundaries (e.g., boxes, groups of boxes, or other shapes) in the drawings represent one example of the boundaries. It may be that in some examples, one element may be designed as multiple elements or that multiple elements may be designed as one element. Common reference numerals are used throughout the figures, where appropriate, to indicate similar features.

DETAILED DESCRIPTION

[0047] The following description is presented by way of example to enable a person skilled in the art to make and use the invention. The present invention is not limited to the embodiments described herein and various modifications to the disclosed embodiments will be apparent to those skilled in the art. Embodiments are described by way of example only.

[0048] Described herein are control systems for surgical robot systems that comprise a remote operator console by which an operator can provide inputs, and a surgical robot arm comprising a series of joints extending from a base to a terminal end for attaching a surgical instrument. The control systems comprise a main controller and a safety device. The main controller is configured to receive communications from the operator console identifying operator inputs, convert those operator inputs to control commands to control the movement of the surgical robot, and send communications to the surgical robot arm that identify the control commands. The safety device is situated between the main controller and other components of the system such that the communications to and from the main controller pass through the safety device. The safety device is operable to selectively filter communications to and/or from the main controller. The safety device may be configured to filter at least a portion of the communications to/from the main controller response to the safety device itself, or another device, detecting that the surgical robot system in a fault state. A fault state may be that the main controller or another device in the system is not acting as expected.

[0049] In some cases, the control system may further comprise a safety monitor which is configured to verify the operation of the main controller and/or one or more other components of the system. In these cases, the safety device may be configured to send a copy of, at least a portion, of the communications to and from the main controller to the safety monitor, and the safety monitor may analyse the received communications to verify that the main controller and/or one or more other components is/are operating as expected. In response to detecting that the main controller and/or one or more other components of the system is not operating as expected, the safety monitor may cause the safety device to filter at least a portion of the communications to and from the main controller.

[0050] Reference is now made to FIG. 3 which illustrates an example surgical robot system 300. The surgical robot system 300 comprise a surgical robot 302; an operator console 304 for providing operator inputs for controlling the surgical robot 302; and a control system 306 for driving the surgical robot 302 in accordance with the operator inputs. The surgical robot 302 comprises a base and an arm extending from the base to an attachment for an instrument. The arm comprises a plurality of joints whereby the configuration of the arm can be altered. An example surgical robot which may be used to implement the surgical robot 302 of FIG. 3 is described below with respect to FIG. 5.

[0051] The operator console 304 may be located in the same room (e.g. operating theatre) as the surgical robot 302 or remotely from it. The operator console 304 allows the operator to provide input commands to the control system 306 to control the movement of the surgical robot 302. The operator console 304 may comprise input devices for controlling the state of the surgical robot arm and/or the instrument attached thereto. The input devices may be, for example, handgrips or hand controllers (e.g. one for each hand), with one or more buttons thereon, mounted on parallelogram linkages. Each input device may comprise an input device controller 305 that is configured to transmit the inputs received via the input device to the control system 306. The operator console 304 may also comprise a display. The display is used to display a video stream of the surgical site (e.g. a video stream captured by an endoscope, and/or a video stream captured another camera or microscope (such as those used in open surgery)) and/or other information to aid the operator (e.g. surgeon) in performing the surgery. The display may comprise a display controller 307 that is configured to receive display information from the control system 306 and provide inputs related thereto to the control system 306. An example operator console, which may be used to implement the operator console 304 of FIG. 3, was described above with respect to FIG. 1.

[0052] The control system 306 is coupled to the operator console 304 (e.g. the input device controller(s) 305 and the display controller 307 thereof) via one or more communications links 308 and receives communications from the operator console 304 (e.g. the input device controller(s) 305 and the display controller 307 thereof) identifying operator inputs via the one or more communications links 308. The operator inputs may be generated by the input devices (e.g. hand controllers) and/or other components of the operator console such as a foot pedal(s) inputs, voice recognition system, gesture recognition system, eye recognition system etc. The control system 306 is also coupled to the surgical robot 302 (e.g. an arm controller 309 thereof, which may also be referred to as an arm base controller (ABC)) via one or more communications links 310. The control system 306 may receive communications from the surgical robot 302 identifying the state or status of the surgical robot 302 via the one or more communications links 310. The state of the surgical robot 302 may, for example, be identified by one or more of: sensor data from position sensors and/or torque sensors located on the robot arm joints, force feedback data, and data from or about the surgical instrument attached thereto.

[0053] The control system 306 is configured to cause the surgical robot 302, and the instrument attached thereto, to move in response to the operator inputs it receives from the operator console 304 and the surgical robot state data received from the surgical robot 302. The control system 306 comprises a main controller 312 that is configured to: receive communications from the operator console 304 identifying the operator inputs and communications from the surgical robot 302 comprising surgical robot state data; generate control signals from the operator inputs and the surgical robot status data which cause the surgical robot, and/or any instrument attached there to move; and send communications to the surgical robot identifying the command signals. In other words, the main controller 312 is responsible for causing the surgical robot, and any instrument attached thereto to move in accordance with the user inputs. In the example described herein the main controller 312 is configured to receive inputs from the operator console 304 and generate a desired robot wrist position therefrom, and the desired position of drive elements to cause an instrument end effector to achieve a desired yaw, pitch and/or spread. The desired wrist pose and the drive element positions are then provided to the surgical robot arm (e.g. a surgical robot arm controller). As described in more detail below, the surgical robot arm (e.g. an arm controller thereof) may then determine the joint positions to achieve the desired wrist pose based on the joint information received form the torque and/or position sensors, and issue commands to individual joint controllers to move to the desired joint positions. However, this is an example only, and that in other surgical robot system the main controller 312 may perform different and/or additional functions.

[0054] For example, in some cases, the main controller 312 may perform one or more additional functions. For example, in some cases the main controller 312 may also be configured to provide and/or control at least part of a graphical user interface provided to the operator for providing input. The main controller 312 may comprise one or more processors (not shown) and a memory (not shown). The memory stores, in a non-transient way, software code that can be executed by the one or more processors to generate control signals for the surgical robot 302 and, optionally perform one or more additional functions.

[0055] In the example of FIG. 3 the control system 306 also comprises a safety device 314, and, optionally, a safety monitor 316. The safety device 314, which may also be referred to as the core safety supervisor (CSS), is a hardware device situated between the main controller 312 and the other components 302, 304 of the surgical robot system 300 such that communications to and from the main controller 312 pass through the safety device 314. Since the communications to and from the main controller 312 pass though the safety device 314, the safety device 314 can control the communications to and from the main controller 312. Specifically, the safety device 314 can prevent communications between the main controller 312 and one or more of the components 302, 304 (or parts or components thereof) when it has been detected that the surgical robot system 300 is in a fault state. In some cases, the components or devices in the system that communicate with the main controller 312 may be configured to: receive communications from the main controller at a predetermined interval or frequency, and automatically transition into a safe state if they cease to receive such communications for a period of time (e.g. a predetermined number of intervals). Accordingly, cutting off communication between the main controller and a component or device may automatically cause that component or device to transition to a safe state.

[0056] In some cases, the safety device 314 may be operable to selectively filter the communications to and/or from the main controller 312 based on one or more filter criteria. In some cases, the safety device 314 may comprise one or more programmable filters which can be programmed or configured to filter certain communications to and/or from the main controller 312. In some cases, the filters may be programmed to: filter none of the communication to and from the main controller 312; filter all communications to and from the main controller 312 (i.e. to cut off communications between the main controller 312 and the other components and devices of the system); and/or filter communications between the main controller 312 and one or more specific components or devices (e.g. between the main controller 312 and the operator console 304 or a part thereof, or between the main controller 312 and the surgical robot 302 or a part of thereof). As described in more detail below, where the components and devices in the surgical robot system 300 communicate with the main controller 312 using TCP/IP packets, the one or more filters may be configurable to filter communications based on IP source, IP destination address, source UDP port and/or destination UDP port.

[0057] In some cases, the safety device 314 may be configured to filter at least a portion of the communications to and/or from the main controller in response to it being detected that the surgical robot system 300 is in a fault state. The surgical robot system 300 may be deemed to be in a fault state if, for example, the main controller 312 is sending control signals to the surgical robot 302 that are not consistent with the state of the surgical robot 302. Further examples of surgical robot system 300 fault states which may be detected are described below. In some cases, the safety device 314 itself may be configured to detect when the surgical robot system 300 is in a fault state. In other cases, another device, such as the safety monitor 316 (described below) may also, or alternatively, be configured to detect when the surgical robot system 300, is in a fault state.

[0058] In some cases, the main controller 312 may be implemented using a field-programmable gate array (FPGA). However, it will be evident to a person of skill in the art that this is an example only. An example implementation of the safety device 314 is described below with respect to FIG. 5.

[0059] In some cases, as shown in FIG. 3, the control system 306 may also comprise a safety monitor 316, which may also be referred to as a core safety monitor (CSM). The safety monitor 316 is configured to independently verify the operation of the main controller 312, and/or one or more other components and devices in the system, by monitoring the communications to and from the main controller 312. In these cases, the safety device 314 may be configured to send a copy of, at least a portion, of the communications to and/or from the main controller 312 to the safety monitor 316. The safety monitor 316 is then configured to analyse the received communications to determine if the surgical robot system 300 is in a fault state. If the safety monitor 316 detects that the surgical robot system 300 is in a fault state, the safety monitor 316 may be configured to cause the safety device 314 to filter at least a portion of the communications to and/or from the main controller 312. An example implementation of the safety monitor 316 is described below with reference to FIG. 8.

[0060] The communications links 308, 310 between the control system 306 and the other components (e.g. operator console 304 and surgical robot 302) may be any suitable communications links that enables data communications between the control system 306 and the component. The communications links 308, 310 may all be of the same type, or at least two of the communications links 308, 310 may be of different types. Examples of suitable communications links include, but are not limited to, a wired communications link (e.g. an Ethernet, Token Ring, or RS232 link), or a wireless communications link (e.g. a WiFi, Bluetooth, Bluetooth LE, or NFC link).

[0061] While the example surgical robot system 300 of FIG. 3 comprises a single surgical robot 302 with a single arm, it will be evident to a person of skill in the art that this is an example only and that the methods and techniques described herein are equally applicable to surgical robot systems with more than one surgical robot or surgical robots with more than one arm.

[0062] While the example control system 306 of FIG. 3 comprises a safety device 314 and a safety monitor 316, in other examples the control system 306 may only comprise a safety device 314, or may only comprise a safety monitor 316.

[0063] In some cases, the control system may physically form part of the operator console 304. In some cases, the main controller 312, safety device 314 and safety monitor 316 may be on a single printed circuit board (PCB).

Surgical Robot

[0064] Reference is now made to FIG. 4 which illustrates an example surgical robot 400 which may be used to implement the surgical robot 302 of FIG. 3. The surgical robot 400 comprises an arm 402 which extends from a base 404 which is fixed in place when a surgical procedure is being performed. In some cases, the base 404 may be mounted to a chassis. The chassis may be a cart, for example a bedside cart for mounting the robot at bed height. Alternatively, the chassis may be a ceiling mounted device, or a bed mounted device.

[0065] The arm 402 extends from the base 404 of the robot to an attachment 406 for a surgical instrument 408. The arm is flexible. It is articulated by means of multiple flexible joints 410 along its length. In between the joints are rigid arm members 412. The arm in FIG. 4 has seven joints. The joints include one or more roll joints (which have an axis of rotation along the longitudinal direction of the arm members on either side of the joint), one or more pitch joints (which have an axis of rotation transverse to the longitudinal direction of the preceding arm member), and one or more yaw joints (which also have an axis of rotation transverse to the longitudinal direction of the preceding arm member and also transverse to the rotation axis of a co-located pitch joint). However, the arm could be jointed differently.

For example, the arm may have fewer or more joints. The arm may include joints that permit motion other than rotation between respective sides of the joint, for example a telescopic joint. The robot comprises a set of drivers 414, each driver 414 drives one or more of the joints 410.

[0066] The attachment 406 enables the surgical instrument 408 to be releasably attached to the distal end of the arm. The surgical instrument 408 has a linear rigid shaft and a working tip at the distal end of the shaft. The working tip comprises an end effector for engaging in a medical procedure. The surgical instrument may be configured to extend linearly parallel with the rotation axis of the terminal joint of the arm. For example, the surgical instrument may extend along an axis coincident with the rotation axis of the terminal joint of the arm.

The surgical instrument 408 could be, for example, a cutting device, a grasping device, a cauterising device or image capture device (e.g. endoscope).

[0067] The robot arm comprises a series of sensors 416, 418. These sensors comprise, for each joint, a position sensor 416 for sensing the position of the joint, and a torque sensor 418 for sensing the applied torque about the joint’s rotation axis. One or both of the position and torque sensors for a joint may be integrated with the motor for that joint.

Safety Device

[0068] Reference is now made to FIG. 5 which illustrates an example implementation of the safety device 314 of FIG. 3. As described above, the safety device 314 is situated between the main controller 312 and the other components of the surgical robot system 300 such that communications to and/or from the main controller 312 pass through the safety device 314. The safety device 314 is operable to selectively filter the communications to and/or from the main controller 312.

[0069] In the example, of FIG. 5 the safety device 314 comprises a receive (Rx) filter 502 and a transmit (Tx) filter 504 which are programmable filters which can be configured to selectively filter communications from and to the main controller 312, respectively. Where the main controller 312 uses UDP to communicate with the other components in the surgical robot system 300, the Rx and Tx filters may be configured to filter UDP packets. However, it will be evident to a person of skill in the art that this is an example only.

[0070] The Rx filter 502 receives communications from the main controller 312, and either: passes all communications to the other components if no Rx filter criteria are specified, or filters the communications in accordance with one or more specified Rx filter criteria. The Rx filter criteria specify the rules for selecting which communications to filter, reject or disallow to pass through the safety device 314. In some cases, the one or more Rx filter criteria may specify that all communications from the main controller 312 are to be filtered, or the one or more Rx filter criteria may specify that only communications matching specified criteria (e.g. a source/destination IP address, a source/destination UDP port or combination thereof) are to be filtered. When the Rx filter criteria specifies that all communications from the main controller 312 are to be filtered, the Rx filter 502 may simply reject all communications it receives. When, however, the Rx filter criteria specify that only communications matching specified criteria are to be filtered, the Rx filter 502 may be configured to compare each received communication against the specified criteria to determine if there is a match.

Specifically, in some cases the Rx filter 502 may be configured to compare each

communication (e.g. packet) with up to N different Rx filter criteria wherein N is an integer greater than or equal to one. As described in more detail below, N may be selected based on the number of comparisons that can be performed each cycle and the number of cycles it takes to receive a communication (e.g. packet).

[0071] The Rx filter criteria is configurable. For example, in some cases, as shown in FIG. 5, the safety device 314 may comprise a set of registers 506 which specify the Rx filter criteria. For example, where the main controller 312 uses UDP to communicate with the other components in the surgical robot system 300, the Rx filter 502 may be able to filter communications (e.g. packets) based on one or more of source IP address, destination IP address, source UDP port, and destination UDP port. In these cases, the set of registers 506 may comprise a register that indicates whether or not all communications are to be filtered; and one or more registers for each possible comparison that indicates which combination of source IP address, destination IP address, source UDP port and destination port that is to be compared against each communication (e.g. packet); and identifies the source IP address, destination IP address, source UDP port and/or destination UDP port to be used for the comparison. For example, Table 1 illustrates an example set of four 32-bit registers which can be used to specify a combination of source IP address, destination IP address, source UDP port and destination UDP port to be compared against each communication (e.g. packet). The set of registers 506 may comprise four registers for each of the N comparisons that the Rx filter can perform on each communication (e.g. packet).

Table 1

[0072] In some case, as shown in FIG. 5, the Rx filter 502 may comprises a buffer 508, such as a first in first out (FIFO) queue, which is used to store received communications before they are forwarded to the main controller 312. As described in more detail below with respect to FIG. 6, a complete communication (e.g. packet) may be received over several cycles (e.g. clock cycles). So as to not introduce any latency in re-transmitting the communications to the other components or devices, the Rx filter 502 may be configured to complete its filter determination by the time the complete communication has been received. For example, if it takes 8 cycles to receive a communication then the Rx filter 502 may be configured to determine whether the communication is to be filtered within 8 cycles.

[0073] When the Rx filter 502 identifies a communication (e.g. packet) that is to be filtered out (i.e. any communication if all communications to the main controller 312 are to be filtered, or a communication that matches the specified filter criteria otherwise) the Rx filter 502 is configured to reject that communication. In some cases, the Rx filter 502 may reject a communication by discarding the communication - i.e. not outputting or forwarding the communication to the appropriate device. However, in other cases, the Rx filter 502 may be configured to reject a communication by invalidating or corrupting the communication. In

some cases, the Rx filter 502 may be configured to invalidate or corrupt a communication by altering an error detecting portion of the communication, such as, but not limited to a cyclic redundancy check (CRC) portion of the communication. Invalidating or corrupting the communication, as opposed to discarding the communication, may allow the filtering to be performed faster (e.g. in real time).
CLAIMS

1. A control system (306) for controlling a surgical robot system (300), the surgical robot system (300) comprising a surgical robot (302, 400), the surgical robot (302, 400) comprising a base (404), and an arm (402) extending from the base (404) to an attachment (406) for an instrument (408), the arm (402) comprising a plurality of joints (410) whereby the configuration of the arm (402) can be altered, the control system (306) comprising:

a main controller (312) configured to:

receive communications identifying inputs from an operator of the surgical robot;

generate control signals for controlling the movement of the surgical robot arm based on the inputs; and

send communications to the surgical robot identifying the control signals; and

a safety device (314) situated such that communications to and from the main controller pass through the safety device (314), the safety device (314) being operable to selectively filter the communications to and/or from the main controller (312).

2. The control system (306) of claim 1 , wherein the safety device (314) is configured to filter at least a portion of the communications to and/or from the main controller (312) in response to the surgical robot system (300) being in a fault state.

3. The control system (306) of claim 1 or claim 2, wherein the safety device (314) comprises one or more filters (502, 504), and the one or more filters (502, 504) are configured to filter the communications to and/or from the main controller (312) by comparing received communications to one or more filter criteria.

4. The control system (306) of claim 3, wherein the one or more filters comprises a receive filter (502) and the one or more filter criteria comprises one or more receive filter criteria, the receive filter (502) configurable to filter the communications from the main controller (312) by comparing the communications from the main controller (312) to the one or more receive filter criteria.

The control system (306) of claim 4, wherein the receive filter (502) comprises a buffer (508) to store the communications received from the main controller (312).

The control system (306) of claim 5, wherein the receive filter (502) comprises a manifold (602) and one or more matchers (606, 608), the manifold (602) configured to extract relevant information from the received communications prior to storing the received communications in the buffer (508), and the one or more matchers (606, 608) are configured to compare the relevant information to the one or more receive filter criteria.

The control system (306) of any of claims 3 to 6, wherein the one or more receive filter criteria comprises up to N receive filter criteria, wherein N is an integer based on a number of comparisons that can be performed between a communication and a filter criteria in a cycle and a number of cycles it takes to receive a communication.

The control system (306) of claim 7, wherein it takes up to X cycles to receive a communication and N is selected such that a communication can be compared with N filter criteria within X cycles.

The control system (306) of any of claims 4 to 8, wherein the one or more filter criteria comprises one or more transmit filter criteria and the at least one filter comprises a transmit filter (504), the transmit filter (504) being configurable to filter the communications to the main controller (312) by comparing the communications to the main controller (313) to the one or more transmit filter criteria.

The control system (306) of claim 9, wherein the transmit filter (504) comprises a buffer (510) to store the communications to the main controller.

The control system (306) of claim 10, wherein the transmit filter (504) comprises a manifold (604) and one or more matchers (610, 612), the manifold (604) configured to extract relevant information from the communications to the main controller (312) prior to storing the communications to the main controller (312) in the buffer (510), and the one or more matchers (610, 612) are configured to compare the relevant information to the one or more transmit filter criteria.

The control system (306) of any of claims 9 to 11 , wherein the one or more transmit filter criteria comprises up to K receive filter criteria, wherein K is an integer based on a number of comparisons that can be performed between a communication and a filter criteria in a cycle and a number of cycles it takes to receive a communication.

The control system (306) of claim 12, wherein it takes up to X cycles to receive a communication and K is selected such that a communication can be compared with K filter criteria within X cycles.

The control system (306) of any of claims 3 to 13, wherein the one or more filter criteria is configurable.

The control system (306) of claim 14, wherein the one or more filter criteria is configurable to cause the safety device (314) to filter all communications to and from the main controller (312).

The control system (306) of claim 14 or claim 15, wherein the one or more filter criteria is configurable to cause the safety device (314) to filter communications between the main controller (312) and a specific device in the surgical robot system (300).

The control system (306) of any of claims 3 to 16, wherein each of the one or more filter criteria comprises one or more of a source address, destination address, source port and destination port.

The control system (306) of any of claims 3 to 17, wherein the safety device (314) comprises one or more registers and each filter criteria is stored in a set of the one more registers.

The control system (306) of any of claims 3 to 17, wherein the one or more filters are configured to, in response determining that a communication matches at least one of the one or more filter criteria, reject the communication.

The control system (306) of claim 19, wherein the one or more filters are configured to reject the communication by discarding the communication.

The control system (306) of claim 19, wherein the one or more filters are configured to reject the communication by corrupting the communication.

The control system (306) of claim 21 , wherein the one or filters are configured to corrupt the communication by altering an error detecting portion of the communication.

The control system (306) of any preceding claim, further comprising a safety monitor (316) and the safety device (314) is configured to send a copy of at least a portion of the communications to and/or from the main controller (312) to the safety monitor (316).

The control system (306) of claim 23, wherein the safety monitor (316) is configured to analyse the received communications to determine whether the surgical robot system (300) is in a fault state, and in response to determining that the surgical robot system (300) is in a fault state, cause the safety device (314) to filter at least a portion of the communication to and/or from the main controller (312).

A method (700) of selectively filtering communications to and/or from of a main controller of a surgical robot system, the surgical robot system comprising a surgical robot, the surgical robot comprising a base, and an arm extending from the base to an attachment for an instrument, the arm comprising a plurality of joints whereby the configuration of the arm can be altered, the main controller configured to receive communications identifying inputs from an operator of the surgical robot, generate control signals for controlling the movement of the surgical robot arm based on the inputs, and send communications to the surgical robot identifying the control signals, the method (700) comprising:

receiving at a safety device a communication to or from the main controller (702);

determining whether at least one filter criteria has been specified (704);

in response to determining that at least one filter criteria has been specified, comparing the received communication to the at least one specified filter criteria (708);

in response to determining that the received communication matches at least one of the at least one filter criteria, rejecting the receiving communication (710, 712); and

in response to determining that the received communication does not match any of the at least one filter criteria, outputting the communication to the relevant device (710, 706).