IEEE Proof IEEE SYSTEMS JOURNAL 1 Bilateral Teleoperation System Using QoS and Secure Communication Networks for Telemedicine Applications 1 2 3 Anas Abou El Kalam, Antoine Ferreira, Member, IEEE, and Frédéric Kratz 4 Abstract—The next generation of telesurgical robotics systems 5 presents significant challenges related to network performance 6 and data security. It is known that packet transmission in wide 7 area networks is a complex stochastic process; thus, low band- 8 width as well as high delay, jitter, and packet loss will greatly 9 affect the quality of service (QoS) of teleoperation control, which is 10 unacceptable in this kind of sensitive application. Furthermore, a 11 relevant but more serious issue is the network attacks, particularly 12 denial of service as well as data alteration or disclosure. The main 13 motivation of this study is to deploy suitable security mechanisms 14 while preserving the QoS of network-based bilateral teleoperation. 15 We propose and apply a protocol that secures our teleoperation 16 system while preserving its real-time constraints. More precisely, 17 we present in this paper a bilateral generalized predictive con- 18 troller coupled to a QoS-friendly IP security protocol. The ex- 19 perimental results demonstrate that the telerobotic system is able 20 to satisfy both QoS and security requirements of real-time and 21 sensitive teleoperation tasks. In fact, our teleoperation security 22 protocol provides priority treatment while preventing attacks and 23 avoiding potential deadline misses due to increased security cost. 24 Index Terms—Predictive control, quality of service (QoS), se- 25 cured network, telerobotics control. 26 I. I NTRODUCTION 27 28 R ECENTLY, medical teleoperation systems involving two 29 distant master and slave robots through the Internet or 30 other Internet protocol (IP)-based wide area networks have 31 become an emerging technology. As an example, telesurgical 32 robotics systems (TRSs) where the master (surgeon controller) 33 interacts with the slave (surgical robot) placed in a remote 34 geographical location have revolutionized minimally invasive 35 surgical procedures [1]. The world’s first telerobotic surgery 36 over the public Internet was performed in 2003, and since then, 37 several hundred more have been performed [2]. The next gener- 38 ation of surgical telerobotics systems, including portable TRS, 39 is envisioned to provide medical relief in the areas of natural 40 disasters and battlefield environments [3]. The European Space 41 Manuscript received October 1, 2013; revised February 21, 2014, May 21, 2014, August 21, 2014, and December 2, 2014; accepted March 22, 2015. This work was supported by the Conseil Général 18, Bourges Plus Agglomeration and the Région Centre, France under the Grant MICROROB (2013-2016). A. Abou El Kalam was with the IRIT-CNRS Laboratory, University of Toulouse, 31000 Toulouse, France. He is now with the IPI Research Laboratory, France (e-mail: elkalam@hotmail.fr). AQ1 A. Ferreira and F. Kratz are with INSA Centre Val de Loire, Univer- sité d’Orléans, 18000 Bourges, France (e-mail: antoine.ferreira@insa-cvl.fr; frederic.kratz@insa-cvl.fr). Digital Object Identifier 10.1109/JSYST.2015.2422992 Agency has initiated experiments with telerobotic imaging for 42 potential use in its space program. Researchers have proposed 43 a master–slave-type remote ultrasound diagnostic system for 44 acquisition and transmission of diagnostic images [4], [5]. 45 Position, orientation, and the contact force between the ultra- 46 sound probe and the affected area of the patient are controlled 47 through the communication network. A major problem that 48 can be found in these medical teleoperation systems is time 49 delay. In teleoperation over Internet, the originally delay issue, 50 essentially confined to the time constant case, is moved toward 51 time-varying delay [6]. While control theory for bilateral tele- 52 operation systems under constant time delay is well developed, 53 the research on time-varying communication delay is still on- 54 going [7], [8]. Standard control architectures for bilateral tele- 55 operation systems are based on the scattering theory formalism 56 [9] and subsequently reformulated using wave variables [10], 57 [11] or controller passivity [12]. The situation becomes more 58 complicated when the communication channel has intermittent 59 transmissions as well as random delays. These problems can 60 be neglected, where quality of service (QoS) guarantees can 61 be made, such as with asynchronous transfer mode networks. 62 However, IP-based networks are the main alternatives for use 63 in teleoperation systems, and the delay varies with congestion, 64 bandwidth, and distance, leading to values of several tens of 65 seconds [13]. TRS needs reliable and performant transport 66 protocols to guarantee a certain level of QoS [14]. As a result, 67 bilateral teleoperator performances may severely degrade, and 68 instability may also arise, if random communication delays are 69 not controlled. Recently, advanced control methods proposed 70 in the field of networked teleoperation, including gain schedul- 71 ing, Markov jump linear systems [6], event-based approaches 72 [15], discrete time passivity [16], and linear matrix inequali- 73 ties, consider networks with packet loss and varying bounded 74 delays [17]. 75 In such TRS systems, a relevant but more serious issue is 76 network attacks, such as denial of service (DoS), compromise 77 in integrity, as well as information disclosure in data exchange. 78 To securely transmit sensitive data, e.g., force and position 79 feedback in TRS systems, across the Internet network, bilateral 80 controllers need thus to ensure stability/performance criteria 81 while preventing potential network attacks. These attacks are 82 a real problem because they have been proven capable of 83 shutting off a teleoperated system from the Internet or dra- 84 matically slowing down network links [18], [19]. For example, 85 in classical DoS attacks, malicious users send a large num- 86 ber of SYN flooding packets or any other spurious packets 87 to a destination to consume excessive amounts of endpoint 88 1932-8184 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.