Surgical Robot QC: ARC Orphans Resolved, Seven Power-Budget Gaps Closed
System
{{entity:Surgical Robot System}} (se-surgical-robot), currently in-progress decomposition. Session 351 is an interim QC pass, the first since the {{sys:SYS-MAIN-001}} baseline at session 347. At session open: 158 requirements, 127 trace links, 7 diagrams (including 1 duplicate), 8 orphaned {{entity:architecture decisions}} requirements, 2 requirements missing verification or rationale, and 7 high-severity lint findings, all in the Ontological Mismatch category.
Findings
Orphaned ARC requirements (8 entries): All eight {{entity:architecture decisions}} entries — {{arc:ARC-MAIN-001}} through {{arc:ARC-MAIN-008}} — lacked any trace links because no linksets existed between the architecture-decisions document and system-requirements or subsystem-requirements. The requirements themselves were sound: each described a genuinely significant design decision with specific justification (dedicated safety processor, Cartesian-space pipeline, FPGA image processing, galvanic isolation at the {{entity:force signal conditioner}}, FPGA comms protocol, cable-driven actuation, dedicated trajectory generator, isolated safety power supply). The gap was purely structural — no linkset, so no link was possible.
Duplicate diagram: Two identical entries for Power Management Subsystem — Internal (diagram-1773965217134 and diagram-1773965224803, created 7ms apart). The older entry was retained.
Missing verification/rationale: {{arc:ARC-MAIN-007}} lacked verification; {{arc:ARC-MAIN-008}} lacked both verification and rationale. Both are Inspection-verified architectural decisions.
Lint — seven high-severity Ontological Mismatch findings: UHT classified six components as Powered with no corresponding power supply or budget requirements: {{entity:tool tip articulation controller}} ({{hex:51F53318}}), {{entity:image processing pipeline}} ({{hex:50F73218}}), {{entity:surgeon console}} ({{hex:D6ED5018}}), {{entity:camera control unit}} ({{hex:D4F53218}}), {{entity:haptic feedback subsystem}} ({{hex:55F57018}}), and {{entity:force signal conditioner}} ({{hex:D4A51018}}). A seventh finding flagged the {{entity:image processing pipeline}} as Functionally Autonomous with no safety constraints — no watchdog, no override, no fail-safe state enumerated in any requirement.
No duplicate requirements and no spray-pattern violations without rationale were found. {{sys:SYS-MAIN-002}} has 18 links but every one carries a specific derivation rationale — appropriate for a safety requirement that cascades to all subsystems.
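The four checks behind the findings above (orphaned entries, duplicate diagrams, Powered components with no power-budget requirement, Functionally Autonomous components with no safety constraint) can be reproduced over a small in-memory model. The block below is an added example, not the QC tool's own code: the data classes, the `kind` field used to classify requirements, the "no linkset, no link" rule in `add_link`, and the constructed REQ-EXAMPLE-* requirements and miniature diagram list are all assumptions; only the ARC/SYS identifiers and the two diagram ids come from the report.

```python
from dataclasses import dataclass, field

@dataclass
class Requirement:
    rid: str
    doc: str                                  # document the requirement lives in
    text: str
    components: frozenset = frozenset()       # entities the text constrains
    kind: str = ""                            # assumed tag: "power-budget" / "safety-constraint" / ""

@dataclass
class Component:
    name: str
    tags: frozenset                           # classification tags (e.g. "Powered")

@dataclass
class Diagram:
    did: str
    title: str
    created_ms: int

@dataclass
class Model:
    reqs: list
    components: list
    diagrams: list
    linksets: set = field(default_factory=set)   # (source doc, target doc) pairs
    links: list = field(default_factory=list)    # (source rid, target rid, rationale)

    def can_link(self, src, dst):
        """A trace link is only possible if a linkset joins the two documents."""
        docs = {r.rid: r.doc for r in self.reqs}
        return (docs[src], docs[dst]) in self.linksets

    def add_link(self, src, dst, rationale):
        if not self.can_link(src, dst):
            raise ValueError(f"no linkset for {src} -> {dst}")
        self.links.append((src, dst, rationale))

def orphaned(model):
    """Requirements touched by no trace link at all."""
    linked = {s for s, _, _ in model.links} | {d for _, d, _ in model.links}
    return sorted(r.rid for r in model.reqs if r.rid not in linked)

def duplicate_diagrams(model):
    """Identical titles: keep the oldest entry, report the rest for deletion."""
    seen, dups = {}, []
    for d in sorted(model.diagrams, key=lambda d: d.created_ms):
        if d.title in seen:
            dups.append(d.did)
        else:
            seen[d.title] = d.did
    return dups

# Which requirement kind each classification tag obliges (assumed mapping).
NEEDS = {"Powered": "power-budget",
         "Functionally Autonomous": "safety-constraint"}

def ontological_mismatches(model):
    """A tagged component with no requirement of the obliged kind naming it."""
    findings = []
    for c in model.components:
        for tag, kind in NEEDS.items():
            covered = any(r.kind == kind and c.name in r.components for r in model.reqs)
            if tag in c.tags and not covered:
                findings.append((c.name, tag, kind))
    return sorted(findings)

def build_model():
    """Constructed miniature of the session-351 state; not the real model."""
    reqs = [
        Requirement("SYS-MAIN-002", "system-requirements", "safety cascade (constructed text)"),
        Requirement("SYS-MAIN-004", "system-requirements", "force sensing (constructed text)"),
        Requirement("ARC-MAIN-001", "architecture-decisions", "dedicated safety processor"),
        Requirement("ARC-MAIN-004", "architecture-decisions", "galvanic isolation at the force signal conditioner"),
        Requirement("REQ-EXAMPLE-PWR-001", "subsystem-requirements", "surgeon console rail budget",
                    frozenset({"surgeon console"}), "power-budget"),
        Requirement("REQ-EXAMPLE-SAF-001", "subsystem-requirements", "e-stop chain latches safe state",
                    frozenset({"emergency stop chain"}), "safety-constraint"),
    ]
    components = [
        Component("surgeon console", frozenset({"Powered"})),
        Component("image processing pipeline", frozenset({"Powered", "Functionally Autonomous"})),
        Component("force signal conditioner", frozenset({"Powered"})),
    ]
    diagrams = [
        Diagram("diagram-1773965217134", "Power Management Subsystem - Internal", 1773965217134),
        Diagram("diagram-1773965224803", "Power Management Subsystem - Internal", 1773965224803),
        Diagram("diagram-example-sis", "Safety Interlock Subsystem - Internal", 1773965300000),
    ]
    m = Model(reqs, components, diagrams)
    m.linksets.add(("system-requirements", "subsystem-requirements"))
    m.add_link("SYS-MAIN-002", "REQ-EXAMPLE-SAF-001", "e-stop latch derives from the safety cascade")
    m.add_link("SYS-MAIN-004", "REQ-EXAMPLE-PWR-001", "budget derived from force-sensing duty")
    return m

def run_lint(model):
    return {"orphans": orphaned(model),
            "duplicate_diagrams": duplicate_diagrams(model),
            "mismatches": ontological_mismatches(model)}

def apply_arc_corrections(model):
    """The structural fix: create the ARC -> SYS linkset, then link each ARC entry."""
    model.linksets.add(("architecture-decisions", "system-requirements"))
    model.add_link("ARC-MAIN-001", "SYS-MAIN-002", "safety processor realises the safety cascade")
    model.add_link("ARC-MAIN-004", "SYS-MAIN-004", "isolation protects the force-sensing path")
    return orphaned(model)

if __name__ == "__main__":
    m = build_model()
    print(run_lint(m))
    print("orphans after fix:", apply_arc_corrections(m))
```

Running it lists the two ARC entries as orphans, the younger Power Management diagram as the duplicate, and three mismatches (the force signal conditioner and image processing pipeline without budgets, and the pipeline without a safety constraint); `can_link` returns False for any ARC-to-SYS pair until the linkset is created, which is exactly why the original orphans could not be fixed link by link.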
Corrections
Created architecture-decisions → system-requirements and architecture-decisions → subsystem-requirements linksets, then added eight trace links tying each ARC entry to its driving SYS requirement: {{arc:ARC-MAIN-001}} → {{sys:SYS-MAIN-002}}, {{arc:ARC-MAIN-002}} → {{sys:SYS-MAIN-009}}, {{arc:ARC-MAIN-003}} → {{sys:SYS-MAIN-003}}, {{arc:ARC-MAIN-004}} → {{sys:SYS-MAIN-004}}, {{arc:ARC-MAIN-005}} → {{sys:SYS-MAIN-007}}, {{arc:ARC-MAIN-006}} → {{sys:SYS-MAIN-014}}, {{arc:ARC-MAIN-007}} → {{sys:SYS-MAIN-001}}, {{arc:ARC-MAIN-008}} → {{sys:SYS-MAIN-002}}. Each link includes a rationale explaining the specific derivation.
Deleted diagram-1773965224803 (duplicate Power Management diagram).
Updated {{arc:ARC-MAIN-007}} with verification method Inspection, and {{arc:ARC-MAIN-008}} with verification method Inspection plus a rationale explaining the hardware-isolation decision in terms of IEC 62304 Class C independence requirements.
Added seven power budget requirements (REQ-SESURGICALROBOT-017 through REQ-SESURGICALROBOT-022) covering the five per-component power supply rails and the {{entity:force signal conditioner}} isolated 5V supply. Budgets are derived from device-level power analysis: {{entity:image processing pipeline}} 35W (dual FPGA at full 1080p60 utilisation), {{entity:surgeon console}} 120W (displays + master manipulator motors + compute), {{entity:haptic feedback subsystem}} 40W per arm (actuator stall current headroom + conditioning), {{entity:camera control unit}} 18W (dual SDI receivers + genlock + format conversion), {{entity:tool tip articulation controller}} 8W (FPGA compute board only — motors are remote in the IDU per ARC-MAIN-006), {{entity:force signal conditioner}} 3W (six analogue channels + ADC, galvanically isolated supply per ARC-MAIN-004).
Added REQ-SESURGICALROBOT-023: a When (event-pattern) requirement specifying that the {{entity:image processing pipeline}} watchdog triggers display suppression and SIS fault notification within 5ms when no valid frame completion token is received within 40ms (two missed frames at 50fps).
```mermaid
flowchart TB
    n0["Watchdog Timer Controller"]
    n1["Emergency Stop Chain"]
    n2["Joint Force Monitor"]
    n3["Communication Monitor"]
    n4["Safe State Manager"]
    n0 -->|watchdog trip| n4
    n1 -->|E-stop event| n4
    n2 -->|force violation| n4
    n3 -->|link fault| n4
```
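REQ-SESURGICALROBOT-023 states a timing contract (no frame completion token for 40ms, then display suppression and SIS notification within 5ms), and the easiest way to see what can break it is to simulate the watchdog against a token timeline. The block below is an added example, not the project's firmware: the polling-tick model, the latched no-auto-recovery behaviour, the token timelines and the `check_requirement` verification are all assumptions; only the 40ms and 5ms figures come from the requirement.

```python
TOKEN_TIMEOUT_MS = 40.0   # two missed frames at 50 fps (from REQ-023)
REACTION_MS = 5.0         # allowed latency from deadline to trip (from REQ-023)
POLL_MS = 1.0             # assumed watchdog service tick

class PipelineWatchdog:
    """Watchdog for the image processing pipeline, modelled as a polled timer."""

    def __init__(self):
        self.last_token_ms = 0.0
        self.tripped_at = None   # latched once tripped: no auto-recovery (assumption)
        self.actions = []        # (action, time) pairs emitted on trip

    def token(self, t_ms):
        # A valid frame completion token re-arms the timer; after a trip it is ignored.
        if self.tripped_at is None:
            self.last_token_ms = t_ms

    def service(self, now_ms):
        # Trip once the token deadline has passed; both actions fire at the same tick.
        if self.tripped_at is None and now_ms - self.last_token_ms > TOKEN_TIMEOUT_MS:
            self.tripped_at = now_ms
            self.actions.append(("suppress_display", now_ms))
            self.actions.append(("notify_sis", now_ms))

def simulate(token_times, horizon_ms, poll_ms=POLL_MS):
    """Drive the watchdog with tokens at the given times, servicing it every poll_ms."""
    wd = PipelineWatchdog()
    tokens = sorted(token_times)
    i, t = 0, 0.0
    while t <= horizon_ms:
        while i < len(tokens) and tokens[i] <= t:
            wd.token(tokens[i])
            i += 1
        wd.service(t)
        t += poll_ms
    return wd

def check_requirement(wd, token_times):
    """None if never tripped; otherwise whether the trip met the 5 ms reaction bound."""
    if wd.tripped_at is None:
        return None
    last_token = max((t for t in token_times if t <= wd.tripped_at), default=0.0)
    deadline = last_token + TOKEN_TIMEOUT_MS
    latency = wd.tripped_at - deadline
    return 0.0 <= latency <= REACTION_MS

if __name__ == "__main__":
    # Constructed timelines: a pipeline that stalls after 40 ms, and a healthy 50 fps stream.
    stalled = [0.0, 20.0, 40.0]
    healthy = [20.0 * k for k in range(11)]
    wd = simulate(stalled, 200.0)
    print("stalled pipeline tripped at", wd.tripped_at, "ms; meets REQ-023:", check_requirement(wd, stalled))
    print("healthy stream tripped:", simulate(healthy, 200.0).tripped_at)
    slow = simulate(stalled, 200.0, poll_ms=8.0)
    print("8 ms service tick tripped at", slow.tripped_at, "ms; meets REQ-023:", check_requirement(slow, stalled))
```

The third scenario is the caveat worth carrying into verification: the 5ms reaction bound is only met if the watchdog is serviced at least that often, so a slower service tick (8ms in the simulation) trips late and fails the check even though the 40ms timeout itself is correct.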
Residual
IFC and SUB verification coverage remains at 0% — no VER trace links yet connect the 29 IFC and 45 SUB requirements to the 33 VER entries. This is expected for an in-progress decomposition (not yet first-pass-complete); the verification coverage gate (≥50%) applies before qc-reviewed status is set. The 51 low-severity lint findings (flag-word ambiguity and missing HMI usability requirements for the {{entity:emergency stop chain}}) are deferred to the first-pass QC session.
Next
Decomposition continues with the {{entity:Energy Delivery System}} (flagged in DECOMPOSITION_TARGET as not yet decomposed). Once all subsystems reach first-pass-complete, a full QC pass is needed to: (a) add VER trace links for all 74 IFC/SUB requirements, (b) address the 51 remaining lint findings, and (c) add HMI usability requirements for the {{entity:emergency stop chain}}. Baseline BL-SESURGICALROBOT-008 (QC-2026-03-20) captures the current state.