Surgical Robot SIL Allocation Absent and 40 Subsystems Under-Specified
System
Red team review of the {{entity:Surgical Robot System}} ({{hex:D4ED3019}}), a SIL 3 teleoperated minimally invasive surgical platform. At entry: 449 requirements across 6 documents, 415 trace links, 11 diagrams, 21 lint findings (7 high, 14 medium). The project has been through full decomposition, QC, validation, and review phases. This is the first adversarial audit.
Adversarial Findings
SIL Gap (4 tagged, systemic). The system description declares SIL 3 per IEC 62304 / ISO 13849, yet 0/449 requirements carry any SIL tag. No SIL allocation exists from system level to subsystems. {{sys:SYS-MAIN-002}} (single-fault safe-state), {{sys:SYS-MAIN-010}}, {{sys:SYS-MAIN-012}}, and {{sys:SYS-MAIN-018}} all address safety-critical functions but lack SIL assignment. {{sub:SUB-MAIN-003}} and {{sub:SUB-MAIN-005}} in the {{entity:Safety and Interlock Subsystem}} similarly lack SIL tags. No hazard register exists in the Substrate fact graph — 0 hazard facts in namespace SE:se-surgical-robot.
Proportion Imbalance (systemic, 40/51 subsystems). 51 distinct subsystem names appear in SUB requirements. 27 have exactly 1 requirement; 40 have ≤2. Safety-critical subsystems with a single requirement include {{entity:Emergency Stop Chain}}, {{entity:Watchdog Timer Controller}}, {{entity:Return Electrode Monitor}}, {{entity:Joint Servo Controller}}, and {{entity:Instrument Drive Unit}}. Meanwhile, {{entity:Haptic Feedback Subsystem}} has 8 and {{entity:Procedure Data Recorder}} has 7.
Homeless Requirements (100/449). 35 SUB and 65 VER requirements have null document assignment. These are unreachable by document-based navigation and may indicate incomplete section assignment during bulk creation.
Trace Spray Pattern (3 tagged). {{sys:SYS-MAIN-002}} derives to 45 targets — nearly 1/3 of all SUB requirements claim derivation from a single system safety requirement. {{sys:SYS-MAIN-001}} has 22 outgoing links. 13/19 SYS requirements have ≥5 outgoing links. This is mechanical tracing, not selective engineering derivation.
Implausible Values (2 tagged, pattern across 56 reqs). 56 requirements use a 50ms threshold across contexts ranging from brake engagement to force sensing dropout to energy delivery cutoff. While 50ms is plausible for some fault-response budgets, identical values across subsystems with different mechanical, electrical, and computational constraints suggest templating rather than derived timing analysis. {{sub:SUB-MAIN-011}} specifies 50µs interrupt latency and {{sub:SUB-MAIN-077}} specifies 10 Gbps / 100µs; both are suspiciously round.
Vague Interface (1 tagged). {{ifc:IFC-MAIN-015}} (Force Sensing Module to Force Signal Conditioner) lacks protocol, data rate, and latency specification. 47/48 IFC requirements contain adequate interface detail.
Ontological Mismatches (7 lint findings). Seven components classified without {{trait:Physical Object}} have requirements imposing physical constraints — including {{entity:time compute node}}, {{entity:power management subsystem}}, and {{entity:motion control system}}.
```mermaid
flowchart TB
    n0["Watchdog Timer Controller"]
    n1["Emergency Stop Chain"]
    n2["Joint Force Monitor"]
    n3["Communication Monitor"]
    n4["Safe State Manager"]
    n0 -->|watchdog trip| n4
    n1 -->|E-stop event| n4
    n2 -->|force violation| n4
    n3 -->|link fault| n4
```
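The audit checks behind the findings above (SIL gap, proportion imbalance, homeless requirements, trace spray, templated timing) can be run mechanically over a requirement export. The following is an added example, not the review's own tooling or the project's code; the record fields (`kind`, `subsystem`, `doc`, `sil`, `derives_from`, `t_ms`, `safety`), the thresholds, and the nine sample requirements are constructed assumptions in the shape the report describes, not the real data set.

```python
from collections import Counter, defaultdict

# Constructed sample records (assumed field names; not the project's real requirements).
# derives_from lists parent ids; t_ms is a timing threshold in ms; safety marks safety-critical reqs.
REQS = [
    dict(id="SYS-MAIN-002", kind="SYS", subsystem=None, doc="SYS", sil=None, derives_from=[], t_ms=50, safety=True),
    dict(id="SYS-MAIN-004", kind="SYS", subsystem=None, doc="SYS", sil=None, derives_from=[], t_ms=None, safety=False),
    dict(id="SUB-MAIN-003", kind="SUB", subsystem="Safety and Interlock", doc="SUB", sil=None, derives_from=["SYS-MAIN-002"], t_ms=50, safety=True),
    dict(id="SUB-MAIN-004", kind="SUB", subsystem="Watchdog Timer Controller", doc=None, sil=None, derives_from=["SYS-MAIN-002"], t_ms=50, safety=True),
    dict(id="SUB-MAIN-005", kind="SUB", subsystem="Emergency Stop Chain", doc="SUB", sil=3, derives_from=["SYS-MAIN-002"], t_ms=50, safety=True),
    dict(id="SUB-MAIN-020", kind="SUB", subsystem="Haptic Feedback", doc="SUB", sil=None, derives_from=["SYS-MAIN-002"], t_ms=None, safety=False),
    dict(id="SUB-MAIN-021", kind="SUB", subsystem="Haptic Feedback", doc="SUB", sil=None, derives_from=["SYS-MAIN-004"], t_ms=None, safety=False),
    dict(id="SUB-MAIN-022", kind="SUB", subsystem="Haptic Feedback", doc=None, sil=None, derives_from=["SYS-MAIN-002"], t_ms=50, safety=False),
    dict(id="VER-MAIN-001", kind="VER", subsystem=None, doc=None, sil=None, derives_from=["SUB-MAIN-005"], t_ms=None, safety=False),
]

def sil_gap(reqs):
    """rt-sil-gap: safety-critical requirements that carry no SIL allocation."""
    return sorted(r["id"] for r in reqs if r["safety"] and r["sil"] is None)

def thin_subsystems(reqs, max_reqs=2):
    """Proportion imbalance: subsystems with at most max_reqs SUB requirements."""
    counts = Counter(r["subsystem"] for r in reqs if r["kind"] == "SUB")
    return {name: n for name, n in counts.items() if n <= max_reqs}

def homeless(reqs):
    """Requirements with a null document assignment (unreachable by document navigation)."""
    return sorted(r["id"] for r in reqs if r["doc"] is None)

def trace_spray(reqs, threshold=4):
    """rt-mechanical-trace: parents with at least threshold outgoing derive links."""
    outgoing = Counter(parent for r in reqs for parent in r["derives_from"])
    return {parent: n for parent, n in outgoing.items() if n >= threshold}

def templated_timing(reqs, min_subsystems=3):
    """rt-implausible-value: timing values reused verbatim across many distinct subsystems."""
    users = defaultdict(set)
    for r in reqs:
        if r["t_ms"] is not None and r["subsystem"]:
            users[r["t_ms"]].add(r["subsystem"])
    return {value: sorted(subs) for value, subs in users.items() if len(subs) >= min_subsystems}

if __name__ == "__main__":
    for label, check in [("sil-gap", sil_gap), ("thin-subsystems", thin_subsystems),
                         ("homeless", homeless), ("trace-spray", trace_spray),
                         ("templated-timing", templated_timing)]:
        print(f"{label}: {check(REQS)}")
```

Each function returns the flagged set rather than printing it, so the same checks can gate a CI job on the full 449-requirement export once the records are mapped onto these fields.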
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| {{sys:SYS-MAIN-002}} | rt-mechanical-trace | 45 outgoing derive links — spray pattern |
| {{sys:SYS-MAIN-001}} | rt-mechanical-trace | 22 outgoing derive links |
| {{sys:SYS-MAIN-010}} | rt-sil-gap | Safety req without SIL allocation |
| {{sys:SYS-MAIN-012}} | rt-sil-gap | Safety req without SIL allocation |
| {{sys:SYS-MAIN-018}} | rt-sil-gap | Safety req without SIL allocation |
| {{sub:SUB-MAIN-003}} | rt-sil-gap | Safety interlock req, no SIL tag |
| {{sub:SUB-MAIN-005}} | rt-sil-gap | Emergency stop req, no SIL tag |
| {{sub:SUB-MAIN-004}} | rt-missing-failure-mode | Watchdog Timer Controller: 1 req total |
| {{sub:SUB-MAIN-009}} | rt-missing-failure-mode | Joint Servo Controller: 1 req total |
| {{sub:SUB-MAIN-051}} | rt-missing-failure-mode | Return Electrode Monitor: 1 req total |
| {{sub:SUB-MAIN-011}} | rt-implausible-value | 50µs interrupt latency — round number |
| {{sub:SUB-MAIN-077}} | rt-implausible-value | 10 Gbps / 100µs — round numbers |
| {{sub:SUB-MAIN-113}} | rt-mechanical-trace | Admitted duplicate in trace rationale |
| {{ifc:IFC-MAIN-015}} | rt-vague-interface | No protocol/rate/latency specified |
| {{ifc:IFC-MAIN-029}} | rt-missing-failure-mode | Emergency Stop Chain: 1 IFC req total |
Domain Analogs Checked
| Analog | Similarity | Gaps Surfaced |
|---|---|---|
| {{entity:Safety and Watchdog System}} | 77.5% | Independent safety processor pattern present but no SIL allocation |
| Weapon Safety Interlock Manager | 82.0% | Defence interlock systems require per-channel SIL allocation — absent here |
| Safety Interlock and Trip System | 80.5% | Industrial trip systems mandate hazard register → SIL → req chain |
| {{entity:Surgical Instrument System}} | 77.3% | Instrument lifecycle (sterilisation count, cable fatigue) has only 1 SUB req |
Recommendations
- Create SIL allocation table. Assign SIL 2–3 to each subsystem based on hazard analysis. Tag every safety-critical requirement with its SIL level. This is a regulatory prerequisite for IEC 62304 / MDR 2017/745 compliance.
- Build hazard register in Substrate. Store HAZARD facts with severity, frequency, and safe-state mapping. Currently 0 hazard facts exist despite 81 safety-related requirements.
- Assign 100 homeless requirements to documents. 35 SUB and 65 VER requirements are document-orphans.
- Decompose under-specified subsystems. 27 subsystems with exactly 1 requirement need at minimum: a performance req, a failure-mode req, and a power/interface budget req.
- Prune SYS-MAIN-002 trace links. 45 outgoing links from a single requirement is not selective derivation. Retain only links where the child requirement exists because of SYS-MAIN-002 specifically.
- Derive timing values from analysis. Document timing budget derivation for the 50ms family — which subsystems genuinely need 50ms and which inherited it by copy-paste.
Verdict
Informational. 15 requirements tagged across 5 categories: 5 rt-sil-gap, 4 rt-missing-failure-mode, 3 rt-mechanical-trace, 2 rt-implausible-value, 1 rt-vague-interface. Additionally: 100 homeless requirements, 40/51 subsystems under-specified, 7 high-severity lint findings, and 0 hazard register entries. The SIL allocation gap is the most critical finding — a SIL 3 medical device with no formal SIL decomposition would not pass regulatory review.