Design of a Safe Active Orthosis for Full Assistance of the Human Knee Joint

Abstract

Ensuring user safety while enabling independent mobility is crucial to autonomous healthcare and rehabilitation robots, such as active lower-limb orthoses and exoskeletons. A key requirement for these devices is to provide full assistance without supervision; however, existing designs do not simultaneously satisfy autonomous operation and inherent safety. To address this gap, a novel safety principle, Safety by Design, and a corresponding system architecture for a fully assistive active knee orthosis are introduced. The proposed architecture is based on a comprehensive risk analysis for the use of active orthoses and exoskeletons and integrates redundancies for all safety-critical components while minimizing additional weight. This redundancy enables the orthosis to remain operational at reduced power in the event of component failure, improving both user safety and system reliability. The design supports safe, unsupervised operation by ambulatory users, enhancing independent patient mobility and the performance of the gait activities of level walking, stair climbing and sitting down/standing up. The proposed architecture is scalable and adaptable to a wide range of robotic devices. By improving robustness, efficiency, and safety, this work contributes to the advancement of autonomous biomedical robotic systems and wearable assistive devices.

1. Introduction

The development of active orthoses and exoskeletons has advanced rapidly in the last two decades and is now a fundamental part of biomedical engineering and robotics [1,2,3,4,5,6]. Some models are already well established on the market [7,8,9]. They are used for patient rehabilitation or worker safety.

The terms active orthoses and exoskeletons are often used synonymously, as both are body-worn systems that support the user with an external structure adapted to human anatomy. However, exoskeletons are defined as devices that augment the performance of able-bodied users [10,11], orthoses are typically limited to restoring or supporting normal human capabilities and are used mainly in medical contexts [11]. In this paper, exoskeleton refers to active assistive devices in general and orthosis to the proposed system architecture.

Despite significant progress in exoskeletons, there are still many challenges to overcome. One of these challenges is that active orthoses and exoskeletons are becoming increasingly powerful and gaining the ability to provide full assistance. At the same time, the safety principles of these devices require external supervision and therefore are falling behind in terms of usability.

This paper proposes a conceptual design of a fully assistive active knee joint orthosis that follows an innovative safety principle capable of unsupervised use. Without the need for supervision, the independence of disabled patients will increase, and the application of fully assistive devices in daily living environments and activities will be enabled.

The safety principle is based on redundancy and considers requirements originating from risk analyses and safety considerations. Redundant systems usually are twice as heavy as non-redundant systems, due to duplicated components. By introducing redundancies only in the electronics, the weight increase is minimal in the proposed design. The orthosis can provide full assistance to the knee joint during the walking activities of level walking, stair ascending and stair descending.

Active exoskeletons and orthoses can be distinguished by the degree of assistance. There are two types, partial-assistance exoskeletons and full-assistance exoskeletons.

1.1. Partial-Assistance Exoskeletons

These devices are designed for users that have full control of their limbs but need some amount of assistance, e.g., patients with muscle fatigue. The devices provide limited torque, much less than normally generated by the human body. In this approach, the user can override the device in case of a failure.

1.2. Full-Assistance Exoskeletons

These devices are designed for severely disabled users who cannot move on their own without assistance, e.g., paraplegic or stroke patients. The devices can provide sufficient torque to replace disabled body function.

The amount of assistance provided defines not only the purpose of the devices but also their weight. The higher the degree of assistance is, the higher the weight of the devices becomes. This is due to heavy components like high-torque actuators, structures, and high-capacity batteries. This correlation of the parameters can be derived from the literature [8,9,12,13,14] and is visualized in Figure 1. Examples of known exoskeleton systems have been added.

The correlation reveals the power density research gap. To the authors’ knowledge, no modern designs of the last ten years exist for exoskeletons or orthoses that are lightweight with a total weight below 20 kg and provide full assistance at the same time.

The degree of assistance also corresponds with the level of risk when using the exoskeleton. Two state-of-the-art safety principles can be identified by analyzing the existing exoskeleton systems.

1.3. Safety by Supervision

Full-assistance devices provide high torques and pose a major risk to the user. To reduce this risk, these devices move very slowly and are observed or controlled by a trained supervisor. The supervisor can intervene in case of failure or emergency and controls the device. This safety principle is defined as Safety by Supervision.

1.4. Safety by Limitation

Due to the limited torque, partial-assistance devices pose less risk to the user’s body than full-assistance devices. The user has complete control over the assisted body parts and can resist the system in case of failure. Therefore, partial-assistance devices do not need supervision and are operated by the user themselves. This safety principle is defined as Safety by Limitation.

These principles have two significant disadvantages. On the one hand, supervision of patients in their home environment cannot always be guaranteed. On the other hand, assistance for movements at normal human speed and torque has to be provided to enable patients to perform activities of daily living independently. In conclusion, these principles are unsuitable for independent rehabilitation and support in ADLs of severely disabled people. This shows the safety design research gap in the development of exoskeletons. There is a lack of full-assistance devices that provide a safety concept allowing them to be used unsupervised. To close this gap, a new safety principle, Safety by Design, is proposed in this paper.

1.5. Safety by Design

This safety principle combines the advantages of the two principles Safety by Supervision and Safety by Limitation. Full-assistance devices are improved with a safe system architecture, which protects the user by design through system internal safety measures. In this way, devices can be used unsupervised and provide full assistance with ADL tasks.

The proposed device design necessary to fill the two identified research gaps is visualized in the diagram in Figure 1. One of the biggest challenges for a safety concept for active exoskeletons is to ensure the safety of patients, even if the device develops a fault. A small failure during a critical phase of the gait cycle (e.g., the swing phase) or while the patient moves in an unsafe environment (e.g., climbing stairs) can lead to a harmful situation. The device has to be fault-operational as long as possible and therefore needs redundancies to mitigate faults. Lower-limb exoskeletons can fully overtake the function of a human body part by applying an external torque of more than 100 Nm to joints [9,22]. Considering this, an active knee orthosis poses a high safety risk for patients even when it is mechanically and electronically operational but is controlled in a faulty, harmful way.

2. Materials and Methods

The development of the proposed system architecture is based on a risk evaluation of lower-limb active exoskeletons. A literature search is performed to identify hazards and existing safety methods of exoskeletons. The hazards are classified in a hazard matrix. The results of the literature search are presented in Section 3.1 and Section 3.2.

Knowledge of kinetics, kinematics, and power during the gait cycle is required to properly design the drivetrain and safety functions of an active knee exoskeleton. The walking activities considered for the proposed design are level walking, stair ascending, and stair descending. To gain a representative insight into the walking activities, data published throughout the literature are searched for and compared. Data are imported by either using the provided data asset (in case of Bovi et al. [23]) or digitizing them using the “WebPlotDigitizer” (Version 5.2) [24] (in case of Riener et al. [25]). The angular data and torque data are interpolated to a 1/1000 of a gait cycle, and the angular velocity is calculated as the discrete derivative of the angle. In addition to that, a moving mean using a window of 40 samples is applied to the angular velocity data, to smooth out noise. Biomechanical data are subject to fluctuations and measurement errors. The errors that occur during the digitization of data are insignificant compared with the measurement errors in the calculations performed and can be neglected. The software MATLAB (The MathWorks Inc., MATLAB, version: R2025b Update 3 (25.2.0.3123386), Natick, MA, USA) was used for the calculations and plotting data.

The results from the literature search are used to define the requirements for the proposed system architecture. A block diagram of the system architecture is developed based on these requirements. Reliability block diagrams (RBDs) are created to analyze the effect of redundancy on the assistance function of the active orthosis. The failure rate of the proposed system is calculated and compared with a non-redundant system. Finally, the concepts of the chosen system architecture components are described in more detail.

3. Results

3.1. Risk Analysis

Schick et al. and Bessler et al. identified risks for lower-limb exoskeletons [26,27] and Nasr et al. for exoskeletons in general [28]. In addition, Schick et al. performed a risk analysis for each risk. These risks are summarized in the following subchapters. Each risk can be classified in a risk matrix, rating severity and occurrence (see Figure 2). For each risk, the two most severe harms were analyzed. The results are listed in

Table 1. Risk table for active knee orthoses. The listed risks correspond with the risks visualized in Figure 2. The risk level is the product of the severity level and the occurrence level.

Risk	Cause	Harm	Severity Level	Occurrence Level	Risk Level
(1) Misalignment	Device incorrectly fitted or donned	Fractures	4 Severe	2 Unlikely	8 Moderate
		Bruises	3 Moderate	3 Possible	9 Moderate
(2) Hazardous forces at interface	Dangerous torque actuator	Fractures Bruises	5 Catastrophic 3 Moderate	5 Frequent 5 Frequent	25 Extreme 15 Very High
(3) Thermal destruction of battery	Battery fault	Traumata	5 Catastrophic	3 Possible	15 Very High
		Skin burn	4 Severe	3 Possible	12 High
(4) Exceeding range of motion	Dangerous torque actuator	Fractures	5 Catastrophic	5 Frequent	25 Extreme
		Bruises	3 Moderate	5 Frequent	15 Very High
(5) Falling	Loss of performance	Death and fractures	5 Catastrophic	4 Likely	20 Extreme
		Bruises	3 Moderate	5 Frequent	15 Very High

.

The risk analysis delivers risks for which mitigation strategies must be found in the next development step. In their analysis, Schick et al. suggest mitigation approaches to reduce the discovered risks [26]. The most critical identified risks are falling due to loss of power, exceeding range of motion, and hazardous forces at the interface due to dangerous torque of the actuator. The mitigation of these risks should have the highest priority.

The proposed design concept of an active exoskeleton implements mitigation approaches to increase the safety and reliability of the device. The key of the design is the redundancy of the most critical components of the device.

3.1.1. Misalignment

One of the most critical challenges in exoskeleton development is the alignment of the device with the human body. Exoskeleton joints are usually simplifications of the human joints and do not match their anatomical functions in detail. For example, exoskeletons for the human knee approximate the knee as a simple hinge joint with a fixed axis of rotation, while the human knee joint follows a combination of rolling and gliding movement [27,29,30,31].

Misalignment of the mechanical joint axes with the human joints creates additional undesired interaction forces between exoskeleton and human body, which affects the musculoskeletal system [26,27]. When these forces are not compensated for in the design of the device or its interface [27], they can lead to skin irritation and bruises or even more severe injuries, such as bone fractures [26].

Schick et al. considered the occurrence of biomechanical incompatibility, including misalignment, to be abundant (probability per hour that the cause will occur during the next hour: 10⁻⁵ 1/h) [26]. Misalignments occur if the exoskeleton is not properly applied or the device does not fit the user.

3.1.2. Hazardous Forces at Interface

Even if no misalignment between exoskeleton and user occurs, there is a risk of hazardous forces induced by the interfaces. Bessler et al. differentiate between normal forces and pressure, and shear forces and friction [27]. Normal forces and pressure are unavoidable when attaching exoskeletons to the human body. Attaching interfaces like cuffs, harnesses or straps causes pressure on the soft tissue. When tightened too much, these interfaces can obstruct blood flow and cause bruises [27].

Shear forces and friction between the skin and the interfaces often occur in dynamic movements and when the interface slips on the skin [27]. These forces are influenced by pressure, contact area, and the friction coefficients of the interface material and the skin [27]. They can cause injuries, such as abrasions, skin lesions, and discomfort. The risk also refers to biomechanical incompatibility and its occurrence can be considered to be 10⁻⁵ 1/h [26].

3.1.3. Exceeding Range of Motion

When applying torque to a human joint with an exoskeleton, there is the risk of exceeding the range of motion (ROM) of the human joint. This can happen if no safety measures have been taken to allow the device to move within a safe range or if a fault occurs in these safety measurements. Exceeding the physiological range of motion of a joint can lead to obvious traumatic joint injuries (ligament tears or capsule injuries) or microscopic injuries, which cause serious harm if they occur repeatedly [27]. Schick et al. reports an occurrence of 10⁻³ 1/h for this risk [26].

3.1.4. Falling

Lower-limb exoskeletons for the purpose of rehabilitation are linked to a higher risk of falling than exoskeletons operated by healthy users [27]. Impaired patients may not be able to walk or even stand on their own and are dependent on these devices to prevent them from falling. In case of fault and failure of the device, the risk is high for severe injuries, ranging from bruises to fractures or death. The most critical faults that can lead to a failure of the system and possibly a fall concern the drivetrain, the power supply, and the control system. The occurrence of this risk can be assumed to be 10⁻³ 1/h [26].

3.1.5. Thermal Destruction of Battery

Most active exoskeletons which are used for mobile applications use batteries to power electric actuators [14]. These batteries and the associated electronics can be faulty or damaged (e.g., due to falling). Commonly used lithium-ion batteries can suffer from thermal runaway, which can lead to explosion or thermal destruction of the battery [26]. Since the batteries are carried close to the user’s body, this might lead to severe injuries, such as skin burns and traumas. Schick et al. report an occurrence of 10⁻⁵ 1/h for this risk [26].

3.2. Risk Mitigation in the Literature

In the literature, approaches for safety functions for active exoskeletons are described. These approaches could be adapted to close the research gaps identified in Section 1 and to mitigate the risks identified in Section 3.1.

3.2.1. Mitigation of Falling

Masood et al. proposed concepts of active safety functions for industrial lower-body exoskeletons based on the Robo-Mate exoskeleton [32]. They described an Active Balancing and Fall Detection function that utilizes foot force sensors to detect the weight distribution on each foot. Inertial Measurement Units (IMUs) can be used to detect system unbalance and fall. Additionally, force sensors at the hands can detect the presence of a load in the hand.

The information from these three sensors is provided to a central embedded computer to update torque control. Depending on the situation, the control algorithm can generate different torque profiles for the left and right leg actuators to maintain balance or to bring the system into fall mode.

Furthermore, Masood et al. described the idea of a collision detection function, which is based on a hybrid-torque control strategy [32]. This strategy entails that a collision detection warning is generated, and the user is asked to return to a safe configuration. If they do not, the system is set to halt mode.

3.2.2. Mitigation of Misalignment

To mitigate misalignment, an adjustable interface design with passive compliance mechanisms should be integrated, according to Nasr et al. [32]. Mechanical failures should be addressed by durable but lightweight materials and redundancy of critical mechanical parts. They also suggest a sensor system that monitors component health. To prevent hazard due to individual sensor failure, the exoskeleton should also employ sensor redundancy and sensor fusion techniques. Furthermore, sensor noise should be reduced by low-pass filters or model-based observers.

3.2.3. Mitigation of Hazardous Forces

According to Nasr et al., control algorithms should incorporate watchdog systems to detect and correct malfunctions [28]. The control strategy should adapt control parameters to unexpected user movement and environmental conditions, to maintain safety and performance. Nasr et al. suggest a phased testing approach which gradually increases human–machine interaction [28], starting with a computer simulation, progressing based on validation tests with mannequins, and finishing with real human users.

3.2.4. Mitigation of Exceeding Range of Motion

Masood et al. proposed another safety function, which addresses the issue of exceeding the range of motion. The exoskeleton should monitor the user’s movement and alert them when they are approaching the limits of safe range of motion. When they exceed the limit, the exoskeleton should provide opposite torque to constrain the user’s motion [32].

Nasr et al. suggest to incorporate mechanical stops to prevent hyperextension [28]. To detect and prevent rapid motions, real-time movement monitoring and adaptive or predictive control algorithms are suggested.

3.2.5. Mitigation in Other Domains

Exoskeletons are not the only active mechatronic systems that demand high safety and reliability. Other domains can be consulted for safe actuation architectures. One example is subsea technology. Regular maintenance or failures of subsea production systems for oil and gas at depths of up to 3000 m are financially not viable and cause significant environmental pollution. Therefore, these systems are designed to have a service life of 25 years without maintenance [33]. Crucial to the safety of these systems is a safety valve that must be closed in the event of a production stop or a safety function trigger [34]. A novel approach to the closing mechanism features an all-electric actuation system, which is based on the energize-to-trip method [33,34]. This method requires high safety strategies regarding communication and software. Imle et al. proposed to use a Black Channel Communication, which separates non-safe and safe software and hardware. For this, they suggested the implementation of synthetic Central Processing Units (CPUs) with Field-Programmable Gate Arrays (FPGAs).

Safe actuator systems are also relevant in the automotive industry. Technologies such as steer-by-wire offer safety concepts that could be implemented in exoskeleton devices [35,36,37,38]. Kocahan et al. performed a functional safety analysis on an existing steer-by-wire system and improved its reliability and safety by implementing redundancies in sensors, actuators, and control units. Cross-connections between components and controllers allow for anomaly detection and seamless switching to backup components.

3.2.6. Regulatory Affairs

The above suggestions are in line with the regulatory safety requirements for exoskeletons. In 2017, the European Union’s Medical Device Regulation (MDR) 2017/745/EU [39] came into force. The regulation declares that for devices with a medical or non-medical intended purpose, cumulatively medical and non-medical requirements are to be applied [40]. This regulation has resulted in the fact that further regulations, such as Machinery Regulation 2023/1230/EU [41] and Personal Protective Equipment Regulation 2016/425/EU [42], and directives, such as Low Voltage Directive 2014/35/EU [43] and Product Safety Directive 2023/988/EU [44], must be considered. These regulations are design targets for the orthosis proposed in this study and future work.

Regarding the US market, the U.S. Food and Drug Administration (FDA) declared Regulation 21 CFR Part 890 [45], which classifies active exoskeletons as class II medical devices with special controls. The regulation demands nonclinical performance testing, including the mechanical bench testing and simulated use testing of device commands and safeguard under worst-case conditions.

The EU project COVR provides a toolkit for the development of collaborative robots, including exoskeletons, which is continuously expanding [46]. Included is a selection of protocols for the safety validation of various systems. These tools provide a good starting point for the development of safety functions, although no guideline is available for the implementation of such functions.

3.2.7. Conclusion on Literature Search

Both the literature and legislation resources lack explicit descriptions on how to implement and realize mandatory safety functions and testing methods for active exoskeletons [47]. Furthermore, there is a lack of a comprehensive safety concept for active exoskeletons and implementation guidelines. Therefore, this paper proposes a concept for a safe, full-assistance, lower-limb active orthosis.

3.3. Gait Analysis Data

Gait analyses give insights into the kinetics and kinematics of human gait and the trajectory of the human knee joint. Although, in rehabilitation, gait trajectories have a wide variation, requirements for the drivetrain and battery design of the proposed active orthosis can be derived from this information (see Section 3.4). In Figure 3, Figure 4 and Figure 5 gait data for the human knee based on studies by Bovi et al. and Riener et al. are visualized [23,25]. The data have been standardized to a gait cycle duration of 1 s and by the body weight of the user. With this, the results can be used to calculate the quantities for any gait cycle duration and body weight. The angular velocity was determined by numerical differentiation of the joint angle data. The course of power was calculated as the product of angular velocity and extension torque. Positive power is defined as concentric muscle action phases (power generation, motor power) and negative power as eccentric muscle action phases (power absorption, generative power).

The differences in the data from Bovi et al. and Riener et al.’s [23,25] works can be explained by the differences in the experimental setup. Riener et al. used a four-step staircase and Bovi et al. [23] a two-step staircase for their data collection [26]. Bovi et al. claim that the two-step setup does not provide the proper stair negotiation but an analogous task [23]. With two steps, no steady state of stair climbing can be established.

From the literature data, the following summarized quantities for the knee joint are extracted (the results are shown in

Table 2. Comparison of peak angular data for the human knee.

Quantity	Unit	Riener			Bovi			Summary
		Walk	Ascend	Descend	Walk	Ascend	Descend
Max Flexion	deg	64.24	94.68	93.44	63.40	67.63	94.78	94.78
Min Flexion	deg	10.43	9.30	15.98	3.79	16.04	11.36	3.79
Range of Motion	deg	53.81	85.38	77.46	59.60	51.59	83.43	90.99
Max Velocity	deg/s	309.54	517.10	285.41	334.65	360.46	216.14	517.10
Min Velocity	deg/s	−350.08	−215.53	−386.47	−405.39	−376.79	−382.14	−405.39

,

Table 3. Comparison of peak torque data for the human knee.

Quantity	Unit	Riener			Bovi			Summary
		Walk	Ascend	Descend	Walk	Ascend	Descend
Extension Torque	Nm/kg	0.48	1.09	1.35	0.42	1.16	1.17	1.35
Flexion Torque	Nm/kg	−0.26	−0.22	−0.09	−0.14	−0.10	−0.11	−0.26
RMS Torque	Nm/kg	0.20	0.42	0.66	0.17	0.46	0.55	0.66

and

Table 4. Comparison of peak power data for the human knee.

Quantity	Unit	Riener			Bovi			Summary
		Walk	Ascend	Descend	Walk	Ascend	Descend
Motor Power	W/kg	0.44	3.65	0.26	0.32	3.99	0.39	3.99
Generative Power	W/kg	−1.33	−0.54	−5.31	−0.88	−0.64	−3.98	−5.31
Average Power	W/kg	−0.23	0.67	−1.13	−0.19	0.65	−1.03	-

):

• Joint angle (Max and Min Flexion, and Range of Motion).
• Angular velocity (Max and Min).
• Torque (Max Extension, Max Flexion, and RMS).
• Power (Max Motor, Max Generative, and Average Power).

3.4. Requirements

Each identified risk from Section 3.1 can be translated into a safety requirement of the active orthosis, as shown in

Table 5. Summarized safety requirements of the active orthosis.

Risk	Mitigation Requirements
Misalignment	The thigh and shank shells are individually adapted to the user of the orthosis.
Hazardous forces at interfaces	The motors are torque-controlled to limit the produced output torque of the actuator.
Exceeding range of motion	The range of motion which can be utilized by the orthosis is limited by the mechanical design of the kinematics. The joint angle is measured using two independent sensors (which allows for diagnosis), to prevent the actuator control from using incorrect values.
Falling	The loss of performance is mitigated by using a redundant system architecture, which provides a fail-operational behavior in case of the first fault.
Thermal destruction of battery	The battery cells use a cell chemistry which reduces the likelihood of thermal runaway. The batteries use a management system which ensures proper charging and discharging of the cells within their state of charge and discharge current limits.

.

For further development, parameters for a patient model were defined. The average value of the body weight of a German adult is given as 77.7 kg [48]. For simplified calculations, the rounded value of 80 kg was chosen. The average stride length of an adult can be assumed to be 1.6 m [49,50,51]. The average walking speed was calculated by the heuristic cadence of 100 steps/min proposed by Tudor-Locke et al. [52]. The average walking speed results in 1.3 m/s (4.68 km/h) which corresponds to a gait cycle duration of 1.2 s. With these parameter requirements can be calculated from the normalized data from Table 2, Table 3 and Table 4. The results are presented in

Table 6. Summarized drivetrain requirements for a full-assistance active orthosis for the human knee.

	Normalized	Body Weight = 80 kg, Gait Cycle Duration = 1.2 s
Peak Velocity	517.10 deg/s	430.92 deg/s
Peak Torque	1.35 Nm/kg	108.00 Nm
RMS Torque	0.66 Nm/kg	52.80 Nm
Motor Power	3.99 W/kg	266.00 W
Generative Power	−5.31 W/kg	−354.00 W
Average Power Walk	−0.23 W/kg	−15.33 W
Average Energy Walk	−0.23 Ws/kg	−18.40 Ws
Average Power Ascend	0.67 W/kg	44.67 W
Average Energy Ascend	0.67 Ws/kg	53.60 Ws
Average Power Descend	−1.13 W/kg	−75.33 W
Average Energy Descend	−1.13 Ws/kg	−90.40 Ws

.

3.5. Active Orthosis System Design

This paper proposes a system architecture for a full-assistance active orthosis for the human knee joint. The intended application for this device is the rehabilitation and treatment of patients with ambulatory impairments caused by paralysis or paraplegia. The architecture is based on the concept of redundancy, to increase the safety and reliability of the system. The failure of the assistance function during usage has been identified as a potentially hazardous event [26,27,28,53].

Figure 6 shows an overview of the proposed active orthosis architecture for the left and right legs. It visualizes the interactions between the components for power, communication, and mechanical flow. The architecture, primarily the arrangement of the battery packs, is inspired by the redundant design of all-electric actuator systems in subsea applications, which are designed for high safety and reliability [54].

The proposed active orthosis consists of two main modules: the Central Module and the Orthosis Module. The Central Module controls the behavior of the orthosis. It also holds battery packs and battery management systems. Two redundant controllers are integrated in the module. Each controller generates control commands, which are sent to two drives each. The drive connections are implemented crosswise for two orthoses for the left and right leg. Controller A controls one drive for the left leg (Drive A left) and one drive for the right leg (Drive A right). Controller B controls redundant Drives B of the left and right legs.

The controllers are linked together via Inter-Channel Communication (ICC). With this, they can exchange information about their status and coordinate and verify their control commands. If a controller fails, it will stop sending control commands to the corresponding drives. The second redundant controller will ensure that the motors of the left and right legs are still under control and move safely.

The system is powered by two redundant battery packs. Each battery pack holds multiple cells connected in series. More details about the battery packs can be found in Section 3.6. Two redundant BMSs are implemented. Each BMS is designed to provide electronics for charging, discharging, and balancing each battery cell. The battery packs are charged with a grid connection when the orthosis is not used (see dashed lines in Figure 6). There will also be electronics that distribute the power from the battery pack to the drives. One battery pack will be connected to one BMS each. This combination resembles a redundant power supply. They form two independent power supplies. Battey Pack A and BMS A supply Controller A, and Battey Pack B and BMS B supply Controller B. Two additional power outputs are proposed for each BMS. They will be connected to a drive each. The crosswise connection pattern for the drive supply is the same as that for the controllers. If one power supply fails, the corresponding controller and drives will be without power. Still, one controller and one drive at each orthosis will be active, powered by the second power supply. The PCBs for the controller and the BMS are designed to be connected without cables but directly via a connector on the PCBs, to form a compact stack.

Every component of the Central Module is stored in a backpack that the user of the orthoses is carrying. With this, the weight of the components is distributed more conveniently and effectively.

The Orthosis Module controls the actuator of the orthosis and determines the movement and actual torque output at the knee joint. For left and right leg support, two active orthoses can be used, with an Orthosis Module each. One Orthosis Module holds two redundant drives. These receive the control commands from the two controllers and convert them into operating signals for the actuator. A dual-channel actuator is designed to be integrated in the orthosis (see Section 3.6 for more details). One of each drive per Orthosis Module is connected to one channel of this actuator. The drives are again connected via ICC. With this, they can act synchronously and drive the two channels of the actuator at the same time for maximum torque. If one drive of an Orthosis Module fails, one channel of the actuator will be out of order. In this case, the maximum torque output of the actuator will be halved. Nevertheless, the orthosis will still be operational and can assist the user to reach a safe position.

The actuators are intended to recuperate energy while performing walking activities. The power connection from the battery packs to the BMS, the drive and the winding of the redundant motor is bidirectional. Therefore, the recuperated electrical energy can be stored in the battery packs.

To control the angle of the orthosis joint, the rotor position is captured. Two redundant measurement systems are proposed to ensure that the position is accurate and available even if one system fails. The rotor position information is returned to the drives, where one measurement system is connected to the first drive and the other to the second one. Additionally, IMU sensors are planned in the system. One sensor will be attached to the thigh and one to the shank of each leg. With these sensors, it will be possible to capture the inclination of the limbs and the enclosed angle between the limbs, i.e., the knee joint angle, respectively. The IMU sensors of the left leg are powered by BMS A and feed the sensor data to Controller A. Similarly, the IMU sensors of the right leg are powered by BMS B and feed data to Controller B. For this data acquisition process, the SensAA system is used [55]. The Orthosis Module, the orthosis and the IMU sensors of the thigh are intended to be attached to an orthopedic shell, which is placed on the user’s thigh.

The actuator output shaft is mechanically connected to a gearbox, which reduces the velocity and increases the output torque of the orthosis. This gearbox is linked to the mechanical knee joint of the orthosis. The knee joint will be attached to a second orthopedic shell, which will be attached to the shank of the user.

It is proposed to use, for all communication lines (blue lines in Figure 6), a Black Channel and a CANopen Safety protocol, to transmit data securely (see [33] for more details).

3.6. Components

The main function of the active orthosis is the assistance function. The purpose of this function is to provide torque to assist the user’s knee joint.

Table 7. Overview of system components.

Active Orthosis
Mechanics	Electronics	Software
Motor Rotor	Battery Pack	Drive Control
Kinematics	Battery Management System	Orthosis Control
Backpack	Controller	Communication Stacks
Thigh Shells	Drive
Shank Shells	Rotor Position
	Motor Windings
	Inertial Measurement Units

lists the components of the active orthosis that are involved in fulfilling this function. The fundamental single-channel design is comparable to other active orthosis designs [56,57,58]. The redundant orthosis design follows our own original design.

3.6.1. Battery Pack

The proposed system is powered by electric energy. The function of the battery pack is to store and provide electrical energy for the system. This way, the orthosis is mobile and independent of the power grid supply. The battery pack is an assembly of cells connected in parallel and serial configurations to achieve overall voltage and capacity. Failures of the cells may leave the system unpowered.

For the battery management system, thermal destruction of the batteries is the most harmful failure. To mitigate this harm, batteries based on Lithium Iron Phosphate (LFP) chemistry are selected. These are less prone to thermal runaway due to incorrect charging or discharging. The power supply voltage of the device will be chosen in the range of 24 to 48 V, to reduce the danger due to high voltage.

To reach the desired average power, multiple cells must be connected. A combination of serial and parallel connections might be necessary.

Biomechanical data show that some energy can be recuperated during walking and stair descent. Based on a weight of 80 kg and a gait cycle period of 1,2 s, a peak generative power of up to 354 W is reached. The batteries of the battery pack should be chosen so that this power does not exceed the maximum charging power. This way, the recuperation could be realized without any additional protection circuits which reduce the power. It would allow the battery to be directly connected to the DC link of the power amplifier by using a bidirectional switch. A suitable example would be the 26,650 cells by LithiumWerks [59], which have a continuous maximum charging current of 26 A (equal to a 10C rate). With this, the maximum charging power of the battery pack is between 624 W and 1248 W.

3.6.2. Battery Management System

The function of the battery management system (BMS) is to balance the cells of the battery packs during charging and to distribute the power correctly. It provides power supply outputs for each component. For some cell chemistries, additional functions, like protection from high temperatures, high currents (“electrical fuse”), or deep discharge, need to be performed by the BMS. While in some cases a failure of the BMS may not directly lead to a loss of battery power, this possibility is considered in this paper.

3.6.3. Controller

The controller determines the assistive torque that the motors have to provide to the knee joint. A failure of the controller leads to incorrect torque being applied (too high or too low), failing the assistive function of the orthosis.

3.6.4. Drive

The drive includes the power stage, the closed-loop pulse width modulation (PWM), and current control functions for torque generation. A failure in the drive leaves the actuator unpowered.

3.6.5. Redundant Motor

The functions of the electrical motor are to convert electrical into mechanical power and to generate torque, which is applied to the knee joint. While, in theory, different motor technologies can be used, this paper considers a permanent magnet synchronous machine (PMSM) for the reasons of torque density and control capabilities. A failure of the motor (e.g., winding shorts and damage to the rotor) leads to a loss of output torque.

The gait analysis data from Section 3.3 show that the requirements for the motor of the exoskeleton are controversial. The application requires, on the one hand, high torque at low velocity and, on the other hand, high velocity at low torque. A motor specialized for these two operating points must be designed.

To minimize the additional load imposed on the patient by the mass and dimensions of the actuator, the motor is designed with a focus on high power density. Simultaneously, improvements in efficiency and thermal resistance are targeted to extend the operating time of the exoskeleton when powered by the battery pack. The torque density of the drive can be increased by utilizing the reluctance torque. This requires a dedicated design of the magnetic circuit.

The motor will be developed with an emphasis on high safety and reliability. A dual-channel architecture is planned. The motor features two separate three-phase winding systems on a single stator, which couple with the same permanent magnet rotor. The redundant winding configurations will allow the motor to remain operational in the event of failure in one of the windings, thereby ensuring continued functionality and mitigating the risk of falling. If one winding fails, the torque output will be halved. However, it will be possible to apply more current to a winding for a short amount of time, to reach the full torque of the motor.

To replicate human gait, variable motion with a repetitive reversing operation is required. This leads to an oscillation of energy between kinetic energy (stored in the moment of inertia) and electrical or chemical energy (through recuperation into the battery). The conversion of electrical and mechanical energy results in losses, particularly in the motor windings. These losses can be reduced by minimizing the moment of inertia.

This can be achieved by favoring a slim and elongated form factor of the motor. In addition to efficiency reasons, this shape offers ergonomic advantages. A long, slim motor can be positioned along the thigh and would protrude less than a motor with a large diameter. An additional opportunity to enhance motor dynamics is the use of field weakening operation. This approach enables the motor to deliver almost constant mechanical shaft power over a wider speed range. Furthermore, it helps compensate for the negative effects of reduced input voltage during battery operation and supports the downsizing of the drive components.

The motor is designed to be complemented with a gearbox to reduce velocity and increase torque, up to the maximum identified torque of 108 Nm.

3.6.6. Gear

Mechanical gears scale the motor torque and revolution to meet the required torque and revolution of the knee joint. A failure of the gears leads to a loss of output torque.

3.6.7. Joint Angle Sensor

The angle of the knee joint established during the use of the orthosis has to be monitored continuously. For this function two measurement systems are proposed: rotor position measurement systems in the motor and IMUs at the thigh and shank of the user. Failure in these systems leads to incorrect joint measurements and therefore incorrect torque calculations.

3.6.8. Backpack

The components of the Central Module (battery packs, BMSs and controllers) will be stored in a backpack that the exoskeleton user will carry themselves. Therefore, the weight of all components will be minimized, and the capacity to weight ratio of the battery cells will be limited. To reduce the impact of additional weight on the back on the center of mass of the user, the backpack should feature a close-fitting design, which can be found, for example, in backpacks for runners.

3.6.9. Orthosis Shell Concept

The most crucial factor in avoiding the harm of misalignment is the fit and biomechanical compatibility of the orthosis with the user. Much knowledge and experience of orthopedic human interfaces has been gathered over the past decades. Combining this know-how with modern technology and materials can increase the precision, durability, and ergonomics of human–machine interfaces [26]. The interfaces of the proposed orthosis should be based on 3D scans of the intended user. Peng et al. give an example of optimization of orthosis with 3D scanning using the case of foot orthoses [60]. With this scan, the shells can be manufactured so that they fit the shape of the legs perfectly. An individually fitted shell will reduce the risk of hazardous forces from the interfaces to the human body. The applied forces will be distributed over a large contact surface. The inside of the shells will be lined with orthopedic-graded padding, to dampen force peaks and mitigate skin abrasions.

With lightweight material like carbon fiber, aluminum, and titanium, the weight of the shells can be reduced, which optimizes the handling and the efficiency of the orthosis. Two different designs of the shells have been considered: One completely encloses the limbs with rigid interfaces. The interfaces are split into two parts that can be put together by a tightening mechanism. The other leaves either the frontal or the dorsal side exposed and uses straps to attach the shells to the limbs. We suggest a shell design consisting of an interface at the frontal side of the thigh and an interface on the dorsal side of the shank. The weight of such shells can be assumed to be 1.5 kg for the thigh and shank shells.

Hook-and-loop straps can be used to adjust and tighten the shells to the leg. This setup is advantageous for applying extension torque to the knee joint, which is most required when climbing stairs. The half open design makes it easy and quick to don and doff the system. This design can consider the anatomical loading and nonloading zones of the human leg. The shells are supported by bony landmarks (e.g., the femur condyles) and leave pressure-sensitive areas (e.g., the popliteal fossa) exposed.

3.7. Reliability Analysis

3.7.1. Component Reliability

The reliability of each component was calculated with the following equation:

$$R=e^{-\lambda t}$$

For simplicity, the failure rate is assumed to be time-independent. Above, $\lambda$ is the failure rate of the component in ${10}^{-9}$ 1/h (FIT—Failure in Time) and t the defined mission time in hours. The chosen failure rates of the components are based on data from the literature [61,62,63]. Comparable known circuit boards were analyzed for the electronic components of BMS, controller, and drive, and the numbers of parts $N_n$ (resistors, transistors, diodes, capacitors, and integrated circuits) were determined.

Table 8. Estimated number of parts for each component and base failure rates.

	Controller Parts	BMS Parts	Drive Parts	$\mathbf{Base} \mathbf{Failure} \mathbf{Rate} {\mathit{\lambda }}_{\mathit{n}}$ in FIT
Number of resistors	300	260	120	5
Number of power transistors	0	40	10	5
Number of diodes	10	45	25	1
Number of capacitors	200	400	120	5
Number of integrated circuits	25	45	30	120
Resulting failure rate ${\lambda }_{total}$	5510	8145	4875	-

shows the estimated numbers of parts for each component.

Assuming that the base failure rates ${\lambda }_n$ of the individual part on a circuit board are independent of each other, the resulting total failure rate ${\lambda }_{total}$ of the circuit board can be calculated as follows:

$${\lambda }_{total}=\sum _{n=1}^i{\lambda }_n·N_n$$

The base failure rates for the parts are obtained from Siemens standard SN 29500, since this is a commonly used handbook for failure rates [61]. The values are listed in Table 8. The resulting total failure rates ${\lambda }_{total}$ of each component are shown in

Table 9. Total failure rates for active orthosis components and reliability for mission time of 10,000 h.

	$\mathbf{Failure} \mathbf{Rates} {\mathit{\lambda }}_{\mathit{t}\mathit{o}\mathit{t}\mathit{a}\mathit{l}}$ in FIT	$\mathbf{Reliability} {\mathit{R}}_{\mathit{i}}$
Battery Pack (BP)	2400	0.976
Battery Management System (BMS)	8145	0.933
Controller (C)	5510	0.946
Drive (D)	4875	0.952
Motor (M)	26	0.999
Gear (G)	436	0.990
Serial Reliability Block Diagram	9538	0.803
Redundant Reliability Block Diagram	436	0.990

. There is little information on failure rates of battery cells in the literature, as it depends heavily on usage, environmental conditions, and failure modes. The RDF 2000 Reliability Handbook gives a failure rate for secondary lithium-ion cells of 150 FIT [62]. With an estimated number of 16 cells for the battery pack, the total failure rate can be calculated as 2400 FIT. The values given in the literature should be sufficient for a rough estimate of the failure rates for comparing the two systems. A mission time of 10,000 h was chosen for the calculation of the reliability of each component. All values and results are listed in Table 9. The reliability of the gear was estimated based on the basis of experience.

3.7.2. Single-Channel Reliability

The assistive function of orthoses depends on all the components mentioned above. In the case of an exoskeleton without redundancies, a failure in one component leads to a failure of the assistance function. This can be expressed in the RBD of the assistance function as a serial connection, as shown in Figure 7.

The reliability $R_{serial}$ of this system can be calculated with the following equation:

$$R_{serial}=R_{BP}·R_{BMS}·R_C·R_D·R_M·R_G$$

where $R_{BP}$, $R_{BMS}$, $R_C$, $R_D$, $R_M$ and $R_G$ are the reliabilities of the single components (see Figure 7).

3.7.3. Dual-Channel Reliability

The redundancy introduced makes the assistance function more robust to failures in the components. From the system architecture in Figure 6, an RBD for the assistive function of the orthosis for one leg can be derived. It is shown in Figure 8.

Mechanical components of the system (gearing and motor rotor) have comparably low complexity and low probability of failure if properly selected. The electrical and electronic components have high complexity (e.g., multiple power electronic circuits, processors, and software). Therefore, it is beneficial to implement redundancy on the electronics side while preserving the mechanical part. This can be achieved by connecting two parallel electronic channels to a single motor.

The first failure of an electronic component will not directly lead to a loss of the assistance function but can be mitigated by the second electronic channel. With the still-working redundant channel and one remaining motor winding, the orthosis will be able to stay operational with a limited power output of 50%. This is enough power to keep the patient safe until they reach a secure position and environment. In case of a high-power demanding situation (climbing stairs), the remaining motor winding is designed to withstand overcurrent, which can allow a power output of 100% for a short period of time.

The resulting equation for the overall reliability of the redundant system $R_{redundant}$ is as follows:

$$R_{redundant}=\left[1-\left(\right(1-R_{BP})·(1-R_{BMS})·{(1-R}_C)·(1-R_D)·(1-R_M))\right]·R_G$$

3.8. Validation Approach

At this point, the proposed orthosis design is conceptual only. A road map which shows how the orthosis will be gradually validated was designed (see Figure 9).

The road map consists of three main steps: simulation, testbench, and supervised subject study. The input of the first step includes CAD models of the mechanical components of the orthosis. Load and FEM (finite element method) simulations are performed on these models based on the identified loads of the gait cycle. When the simulation gives confirmation that the components can withstand the load, a demonstrator of the orthosis can be manufactured. For the second validation step, a novel testbench which is designed to simulate the human gait with a mechatronic leg will be implemented. With this testbench, the torque, force, and joint angle which are generated by the orthosis will be measured. Furthermore, faults will be injected into the system to test the fault detection and the safety response of the device.

By measuring the temperature of the drivetrain components and the electronics, the heat input to the patient will be checked to prevent skin burn. In addition, lifetime tests of the device can be performed. During this phase, the mitigation of four risks can be validated. Once the phase will have been successfully completed and the security measures proven to work, the next step can be taken.

The third validation phase consists of a supervised subject study. This study will involves the manufacture of individual orthoses for patients and testing their functionality under real-life conditions. A survey will be conducted to identify and analyze user experience, fit, and other potential problems.

4. Discussion and Conclusions

The proposed system architecture addresses the identified risks of active exoskeletons and orthoses. Safety with respect to component failures is increased by implementing redundancy into the system.

The starting point of the development of this architecture was gait data analysis, which gave information about the average healthy human gait. The targets of the proposed orthosis are disabled elderly patients. It can be assumed that these people weigh less and have a lower walking speed and less ROM than average healthy persons. For example, Xie et al. showed that walking speed decreases with age from 1.12 m/s (participants aged 50 to 59) to 0.84 m/s (participants aged over 80) [64]. Although there can be a wide diversity of gait patterns in the field of rehabilitation, with these parameters, the orthosis exceeds the expected future requirements of the use case and should be able to fully support all patients. The selected parameters describe the upper limit of the orthosis. If necessary, the power, speed and ROM of the device can be reduced either by software or mechanically and can individually be adapted to the patient.

The comparison of the calculated failure rates of a non-redundant system and the proposed redundant system shows a decrease of 95% at a mission time of 10,000 h. The reliability of the redundant system is equal to the reliability of the gear. This shows that overall reliability depends on the components that are downstream of the redundant components.

Wearing an active orthosis adds weight to the patient’s body, which might cause unbalance and increased dynamic loading on the joints, legs, and trunk. This is especially the case when the weight is not distributed symmetrically and placed distal from the center of mass. Therefore, the components of the orthosis will be placed as proximally as possible to the patient’s body to minimize a center of mass shift and the mass moment of inertia. This could be achieved with a close-fitting backpack design and orthopedic shells that tightly cover the body.

Incorporating individually manufactured shells based on 3D scans is elaborate and costly. But it is the most accurate method to mitigate the risk of misalignment and biomechanical incompatibility. Perfectly fitted shells increase the ergonomics of orthoses and the effectiveness of the system [30].

The downside of redundancies usually is an increase in the number of components and, therefore, an increase in weight, volume, and price. The proposed design includes several measures to reduce the weight and increase the power density of the active orthosis. The additional components added for redundancy are limited to electronics. The total weight of the PCBs of a non-redundant system can be estimated at 300 g. With the proposed redundant architecture, the weight is doubled at most. With a targeted total weight of the bipedal system below 20 kg, the added weight of the electronic components contributes only a small amount to the system.

The redundancy of the proposed motor is designed so that both windings must be active to achieve the required nominal torque. For the design, the motor winding of a non-redundant motor is split into two independent windings while keeping the amount of wire equal. This ensures that the motor is not oversized and is as light as possible. A PMSM with a rated power of about 300 W can be estimated to weigh 400 g. A comparable example is the cyber dynamic line d40 servo motor by Wittenstein [65]. The weight of the redundant motor can be estimated about the same.

Furthermore, lightweight materials and structural design will minimize the weight of the orthosis. The battery packs will be among the heaviest components of the orthosis. The weight depends on the amount of battery cells. The required energy per gait cycle was determined from gait analysis data. Further research is required to determine the daily energy consumption of the orthosis and thus define the number of battery cells necessary for one full day of operation.

With a large number of components, the probability of failure increases. When the safety-relevant components of a system fail, the residual risk of this system is increased [33]. With the proposed architecture, the safety of the orthosis is ensured at reduced power. If the residual risk exceeds a defined threshold, the device has to undergo maintenance, which can negatively affect the availability of the system. The availability of the system can be increased through easy maintenance.

For production-related devices, availability can be a crucial parameter. In case of body-worn and medical-related orthoses, the safety of the patient is the highest priority. The potentially reduced availability can be justified by increased safety.

Since redundancy is focused on electronic components, some potential points of failure remain. Mechanical faults can lead to failure of the orthosis. Wear and tear of other mechanical components such as bearings and gears can increase friction and therefore reduce the efficiency and torque output of the system. Furthermore, the orthopedic shells might get damaged, e.g., by deformation or breakage, which can influence the fit and misalignment of the orthosis. These mechanical faults have to be prevented by appropriate maintenance intervals. In addition to mechanical risks, the risk analysis has to be extended with user-influenced risks like user control errors, sensing latency and gait variability. These risks have to be discussed in future work.

This paper presents the fundamental concept of a safe system architecture. The goal of the architecture is to achieve an orthosis design, which is fail-operational for faults regarding the electronics of the device. In case of mechanical faults, the device has to be at least fail-safe. To reach this goal, a fault detection, diagnosis and switching logic has to be defined. The behavior of the orthosis also depends on the motion control law of the orthosis and the actuator. This control should be subordinate to the security measures and independent of the redundant architecture. The proposed sensor suite gives opportunities for intent recognition, such as tracking the gait trajectory and detecting gait features for classification of gait phases and specific ADL movements. Such classification algorithm could also include anomaly detection, to detect, e.g., stumbles or sudden stops. However, these aspects go beyond the scope of this paper and will be addressed in future work.

The proposed system architecture and safety measures for an active knee orthosis represent a step toward the development of full-assistance exoskeletons and orthoses with unsupervised safety. However, a detailed validation and testing phase must be carried out before these devices can be used in everyday clinical practice. The establishment of this safety principle could be beneficial for the success of these devices for all application areas, especially for robot-assisted rehabilitation.