System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-MAIN-001 | The Safety and Interlock Subsystem SHALL detect any single axis joint torque exceedance above 110% rated limit and initiate a controlled brake sequence within 50ms, and SHALL trigger an emergency stop within 20ms at 150% rated limit. Rationale: Graduated response: 50ms at 110% allows controlled deceleration reducing tissue trauma risk; immediate stop at 150% prevents structural damage to arm or patient. Thresholds derived from actuator datasheet maximum continuous and peak ratings. | Test | subsystem, sis, safety, session-341, idempotency:sub-sis-force-limits-001-341 |
| SUB-MAIN-002 | When communication latency between surgeon console and patient-side cart exceeds 20ms or 3 consecutive frames are lost, the Safety and Interlock Subsystem SHALL freeze all arm motion and hold joints at current position within 10ms of threshold breach. Rationale: 20ms / 3-frame threshold was selected as the point at which bilateral haptic control becomes unstable (Ryu et al. 2004 teleoperation stability criterion). At this threshold, uncontrolled arm motion during communication fault is safer than continued operation. | Test | subsystem, sis, safety, communication, session-341, idempotency:sub-sis-comms-loss-001-341 |
| SUB-MAIN-003 | The Safety and Interlock Subsystem SHALL achieve a complete safe state (all joints braked, all surgical energy de-energised) within 250ms of any safety event trigger, across all single-point failure modes. Rationale: 250ms system-level budget is derived from SYS-MAIN-002. This SUB requirement allocates the full system budget to SIS as the responsible subsystem; downstream subsystems (servo drives, energy generator) must respond within their share of this window. | Test | rt-sil-gap, red-team-session-502 |
| SUB-MAIN-004 | The Watchdog Timer Controller SHALL operate on a processor physically isolated from the motion control CPU and SHALL maintain braking authority independently of motion control software state. Rationale: Common-cause failure between safety monitor and controlled system is the primary SIL 3 architectural hazard. Physical isolation (separate processor, separate power rail, hardware brake authority) eliminates this common cause. Required by IEC 61508 SIL 3 architectural constraints (HFT=1). | Inspection | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-005 | The Emergency Stop Chain SHALL be a hardwired series loop independent of software, completing through all E-stop actuators (surgeon console, patient-side x3, facility), and SHALL de-energise servo drive contactors within 50ms of any break in the loop. Rationale: Software-controlled E-stop cannot be relied upon as a safety function because software faults (deadlock, exception) are the fault mode it is intended to protect against. Hardwired series-loop is the IEC 60204 standard for Category 0 stop in machinery. | Test | rt-sil-gap, red-team-session-502 |
| SUB-MAIN-006 | The Motion Control System SHALL execute the complete kinematic computation pipeline (tremor filter, motion scaling, inverse kinematics, safety enforcement, servo command) within 10ms per 1kHz cycle. Rationale: 10ms computation budget is the largest single allocation within the 100ms end-to-end system latency budget; remaining 90ms covers network (3ms), sensor acquisition (2ms), actuation settling (5ms), and display pipeline (50ms for video). If this budget is exceeded, the overall 100ms SYS-MAIN-007 cannot be met. | Test | subsystem, motion-control, performance, session-340 |
| SUB-MAIN-007 | The Motion Control System SHALL reject all Cartesian velocity command components above 6Hz by at least 40dB using the Tremor Rejection Filter before motion scaling is applied. Rationale: Derived from SYS-MAIN-009: tremor filtration must occur before motion scaling in the pipeline to prevent scaling up residual filter artefacts. 40dB attenuation at 6Hz cutoff reduces 0.3mm/s tremor amplitude to 0.03mm/s, within acceptable tissue contact tolerance at 5:1 scaling. | Test | subsystem, motion-control, tremor, session-340 |
| SUB-MAIN-008 | The Kinematics Engine SHALL compute joint-angle setpoints for all 7 DOF of a single instrument arm within 2ms of receiving a Cartesian end-effector command. Rationale: 2ms IK computation is the largest individual stage within the 10ms pipeline budget. Damped least-squares Jacobian pseudo-inverse complexity for 7-DOF is O(n^3) = O(343 FLOP), achievable in under 1ms on target hardware; 2ms includes singularity handling and redundancy resolution. | Test | subsystem, motion-control, kinematics, session-340 |
| SUB-MAIN-009 | The Joint Servo Controller SHALL achieve position tracking error below 0.1 degrees RMS during continuous trajectory following at maximum instrument velocity of 200mm/s tip speed. Rationale: 0.1-degree joint error at 570mm arm reach produces approximately 1mm tip error, which at 10:1 motion scaling maps to 0.1mm at the surgeon console — below the surgeon's proprioceptive discrimination threshold of 0.3mm. Derived from system-level tip accuracy requirement. | Test | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-010 | The Workspace Safety Enforcer SHALL prevent any joint-angle command that would exceed hardware end-stop minus 5-degree software margin, and SHALL enforce the trocar-pivoting constraint to within 2mm of the insertion point at the abdominal wall. Rationale: 5-degree software margin prevents mechanical joint binding under servo control; trocar-pivoting constraint to 2mm limits lateral force on the abdominal wall to under 2N based on tissue stiffness model, preventing port-site herniation or inadvertent viscus contact. | Test | subsystem, motion-control, safety, session-340 |
| SUB-MAIN-011 | The Real-Time Compute Node SHALL guarantee a worst-case interrupt latency of 50 microseconds on all Motion Control threads, and SHALL assert the hardware safety output within 5ms of detecting a motion-control thread heartbeat timeout. Rationale: 50 microsecond PREEMPT_RT latency is achievable on target hardware (Intel Xeon with kernel 6.x PREEMPT_RT, measured P99.99 latency <45us in qualification testing). 5ms watchdog assertion leaves 45ms for the Safety and Watchdog System to complete brake engagement within the 50ms emergency stop budget. | Test | rt-implausible-value, red-team-session-502 |
| SUB-MAIN-012 | The Safe State Manager SHALL initiate all safety state transitions automatically, without requiring any operator action. Recovery from SAFE-HOLD to OPERATIONAL SHALL require an explicit, deliberate surgeon re-engagement sequence. Rationale: Analog: Reactor Trip Subsystem (nuclear) requires automatic trip initiation — waiting for operator confirmation during a fault introduces unacceptable delay and human-error exposure. For surgical safety, the same principle applies: automatic entry to safe state, deliberate manual recovery. This design pattern is codified in IEC 61508 for safety instrumented systems. | Test | subsystem, sis, safety, auto-initiation, session-341, idempotency:sub-sis-auto-initiation-001-341 |
| SUB-MAIN-013 | The Stereo Endoscope SHALL provide a minimum optical resolution of 20 line pairs per millimetre across both channels, with less than 2% geometric distortion at the image periphery, to enable the surgeon to distinguish tissue structures at 0.5mm scale. Rationale: Sub-millimetre instrument precision (STK-MAIN-001) requires the surgeon to resolve tissue structures at 0.5mm, which demands 20 lp/mm optical resolution. 2% distortion limit prevents spatial misjudgement during instrument manipulation near field edges. | Test | subsystem, vision, endoscope, session-341, idempotency:sub-endoscope-resolution-341 |
| SUB-MAIN-014 | The Camera Control Unit SHALL maintain inter-channel synchronisation between left and right stereo video streams with temporal skew not exceeding 500 microseconds, to prevent stereoscopic fusion artifacts that could cause surgeon depth misjudgement. Rationale: Temporal skew above 500us between stereo channels causes perceptible depth shimmer during instrument motion at typical surgical velocities (5-20mm/s), degrading the surgeon's depth accuracy below the 1mm threshold required by SYS-MAIN-003. | Test | subsystem, vision, ccu, session-341, idempotency:sub-ccu-sync-341 |
| SUB-MAIN-015 | The Surgical Illumination Source SHALL regulate light intensity such that tissue surface temperature at the endoscope distal tip does not exceed 41 degrees Celsius under any operating mode, as measured at 10mm distance from the tip with tissue-equivalent thermal phantom. Rationale: IEC 60601-2-18 mandates maximum tissue temperature limits for endoscopic illumination. The 41C limit applies at the distal tip where energy density is highest. Closed-loop regulation is required because tissue reflectance varies 4x between organ types, making fixed intensity unsafe. | Test | subsystem, vision, illumination, session-341, idempotency:sub-illumination-thermal-341 |
| SUB-MAIN-016 | The Image Processing Pipeline SHALL add no more than 2ms total processing latency from input frame reception to output frame availability, measured end-to-end across all processing stages including edge enhancement, noise reduction, and overlay compositing. Rationale: Total system visual feedback latency budget is 50ms (surgeon hand motion to display update). Motion control consumes 10ms, display scan-out consumes 16ms. The image processing pipeline's 2ms allocation ensures the vision chain does not exceed its share of the latency budget, preventing surgeon-perceptible lag that degrades hand-eye coordination. | Test | subsystem, vision, ipp, session-341, idempotency:sub-ipp-latency-341 |
| SUB-MAIN-017 | The Tool Tip Articulation Controller compute board SHALL operate from the 5V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 8W during full-bandwidth kinematic computation. Rationale: TTAC is a signal-processing compute board driving cable displacement commands to the IDU. The 8W budget is derived from FPGA plus motor-driver gate-drive logic at full computational load; the 5V rail is the standard embedded compute supply in the instrument drive chain. | Test | |
| SUB-MAIN-017 | The Stereoscopic Display System SHALL achieve less than 1% inter-channel crosstalk (ghosting) across the full luminance range at viewing distances between 500mm and 700mm, to prevent false depth cues that could cause instrument positioning errors. Rationale: Crosstalk above 1% introduces ghost images that create false depth cues. During precise dissection near critical structures (nerves, vessels), even 2mm of apparent depth error from display crosstalk could result in inadvertent tissue damage. The 500-700mm viewing distance range covers ergonomic surgeon positioning. | Test | subsystem, vision, display, session-341, idempotency:sub-display-ghosting-341 |
| SUB-MAIN-018 | The Image Processing Pipeline SHALL operate from the 12V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 35W during dual-channel 1080p60 stereo processing. Rationale: The IPP is an FPGA-based image processing board processing two independent 1080p60 HD-SDI streams. The 35W budget is derived from FPGA device power at full utilisation plus DDR memory. 12V allows on-board DC-DC regulation for FPGA core and I/O rails. | Test | |
| SUB-MAIN-018 | The Procedure Video Recorder SHALL record composited 2D video continuously for at least 8 hours at 1080p60 resolution with H.265 encoding at 50Mbps CBR, with frame-accurate timestamps synchronised to the system event log within 1ms accuracy. Rationale: SYS-MAIN-015 requires recording of all video streams at sufficient quality for post-operative review and audit. 8-hour continuous recording matches the system operational endurance requirement (SYS-MAIN-013). Frame-accurate synchronisation with the event log enables post-operative correlation of instrument movements with video for complication analysis. | Test | subsystem, vision, recorder, session-341, idempotency:sub-recorder-duration-341 |
| SUB-MAIN-019 | The Surgeon Console SHALL operate from a 24V ±5% medical-grade isolated power supply, drawing a maximum continuous power of 120W including master manipulator motors, stereoscopic display panels, and embedded compute. Rationale: The Surgeon Console is the largest non-arm power consumer. The 120W budget covers dual 1080p display panels (~50W), master manipulator force-feedback motors (~40W), and embedded compute/comms (~30W). 24V medical-grade isolated supply is specified per IEC 60601-1 clause 8 for patient-proximate equipment. | Test | |
| SUB-MAIN-019 | When one stereo channel of the Stereo Endoscope fails, the Vision and Imaging System SHALL continue to provide the surgeon with 2D monocular video from the remaining channel at 1080p60 with no interruption exceeding 500ms, and SHALL display a persistent visual alert on the remaining channel indicating loss of stereoscopic depth perception. Rationale: Complete loss of visual feedback during surgery is catastrophic. Single-channel failure must degrade gracefully to 2D rather than blacking out. The 500ms switchover limit ensures the surgeon does not lose visual contact with instruments in tissue. The persistent alert is required because operating without depth perception changes the surgical technique required. | Test | subsystem, vision, degraded-mode, safety, session-341, idempotency:sub-vision-degraded-mono-341 |
| SUB-MAIN-020 | The Camera Control Unit SHALL operate from the 12V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 18W during dual-channel 1080p60 HD-SDI capture and format conversion. Rationale: The CCU processes dual HD-SDI streams from the stereo endoscope. The 18W budget covers two SDI receivers, genlock circuitry, and format conversion ASICs. 12V supply shared with IPP to simplify rail distribution in the vision rack. | Test | |
| SUB-MAIN-020 | The Surgical Illumination Source SHALL provide fluorescence excitation at 805nm with irradiance of ≥5 mW/cm² at tissue surface to enable ICG fluorescence imaging at tissue depths up to 10mm, with mode switching between visible and NIR completing within 200ms. Rationale: 5 mW/cm² is the minimum surface irradiance required for clinically detectable ICG fluorescence at 10mm tissue depth based on Beer-Lambert attenuation at 805nm. Below this threshold, signal-to-noise ratio falls below clinical utility (>3:1 contrast ratio) for sentinel node mapping. Value derived from published photon transport models for ICG in human tissue. | Test | subsystem, vision, illumination, session-341, idempotency:sub-illumination-nir-341 |
| SUB-MAIN-021 | The Haptic Feedback Subsystem SHALL operate from the 24V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 40W per instrument arm during simultaneous force rendering on both haptic actuator channels. Rationale: The HFS drives force-feedback actuators at the master manipulator with peak forces up to 5N per axis. The 40W per-arm budget is derived from actuator stall current headroom plus conditioning electronics. 24V rail is shared with master manipulator motor drive to minimise converter stages. | Test | |
| SUB-MAIN-021 | The Camera Control Unit SHALL provide at least three surgeon-selectable image enhancement modes (standard white light, narrow-band imaging for vascular contrast, and ICG fluorescence overlay) with mode switching completing within 100ms and no frame drops during transition. Rationale: Different surgical phases require different visualisation modalities. Narrow-band imaging enhances mucosal vascular patterns for tumour margin identification. ICG overlay shows perfusion. Mode switching must be seamless because the surgeon may need to toggle rapidly between views during active dissection near critical structures. | Demonstration | subsystem, vision, ccu, session-341, idempotency:sub-ccu-modes-341 |
| SUB-MAIN-022 | The Force Signal Conditioner SHALL operate from the galvanically isolated 5V ±2% supply within the Haptic Feedback Subsystem, drawing a maximum continuous power of 3W during six-axis force/torque signal conditioning. Rationale: The FSC requires galvanic isolation from the main power bus per ARC-MAIN-004 to maintain patient electrical safety. The 5V isolated supply is generated by a dedicated isolated DC-DC converter in the HFS. The 3W budget covers six analogue conditioning channels plus ADC. | Test | |
| SUB-MAIN-022 | The Haptic Feedback Subsystem SHALL measure instrument-tissue interaction forces with a resolution of 0.05N and a range of ±30N across all six force/torque axes, sampled at 1kHz. Rationale: Minimum force resolution of 0.05N is derived from the haptic discrimination threshold: human fingers detect force differences of approximately 0.1N; the sensor must resolve half this value to prevent perceptible quantisation steps during delicate tissue manipulation. Inadequate resolution produces a coarse, jerky haptic feedback that degrades surgical precision and may mask tissue damage. | Test | subsystem, haptic, performance, session-342, idempotency:sub-haptic-force-res-342 |
| SUB-MAIN-023 | When the Image Processing Pipeline watchdog timer expires without a valid frame completion token within 40ms, the Vision and Imaging System SHALL suppress the display output and assert an IMAGE_PIPELINE_FAULT signal to the Safety and Interlock Subsystem within 5ms. Rationale: The IPP operates autonomously on a real-time FPGA pipeline; a hung or corrupted pipeline could deliver frozen or misleading frames to the surgeon. The 40ms watchdog (two missed frames at 50fps) triggers display suppression to prevent the surgeon acting on stale imagery, and SIS notification enables the safe-state decision chain. | Test | |
| SUB-MAIN-023 | The Haptic Feedback Subsystem SHALL deliver rendered force feedback to the master handle actuators with an end-to-end latency no greater than 2ms from force measurement at the instrument tip. Rationale: The haptic control loop must close at >500Hz to maintain passivity and prevent energy accumulation that leads to instability (oscillation or divergence). A 2ms bound provides margin above the 1kHz sampling cycle while keeping the phase lag below 1 degree at the highest feedback bandwidth (20Hz), ensuring stable contact rendering on stiff tissue. | Test | subsystem, haptic, performance, session-342, idempotency:sub-haptic-latency-342 |
| SUB-MAIN-024 | The Console Computer SHALL implement network traffic isolation between the surgical control network and the hospital information network, with no direct data path between safety-critical control functions and external network interfaces. Rationale: Console Computer is the only subsystem with external network access for hospital PACS/HIS integration. A bridge to the CAN-FD surgical control bus would create a remote code execution vector on the motion control chain. IEC 81001-5-1 mandates network boundary controls for Class IIb medical devices. | Test | |
| SUB-MAIN-024 | The Haptic Feedback Subsystem SHALL limit the maximum feedback force applied to the surgeon's master handles to 1N in any single axis under all operating conditions, including sensor fault conditions. Rationale: Exceeding 1N feedback force risks startle response causing unintended master handle motion that is teleoperated to the instrument, potentially causing patient injury. The 1N limit is derived from IEC 80601-2-77 guidance on master device force limits in surgical robot systems. The limit must hold under sensor fault to prevent uncontrolled force buildup. | Test | subsystem, haptic, safety, session-342, idempotency:sub-haptic-force-limit-342 |
| SUB-MAIN-025 | The Force Signal Conditioner SHALL provide galvanic isolation of not less than 4kVrms (50Hz, 1 minute) between the strain gauge bridge circuit and the digital signal processing stage. Rationale: IEC 60601-1 patient leakage current limits for Type CF applied parts require isolation of the patient-contact instrument circuit from the mains-connected digital electronics. A 4kVrms isolation barrier provides the required 1500V patient-to-earth working voltage margin with appropriate derating. Failure of this isolation constitutes a Class I critical hazard. | Test | subsystem, haptic, safety, isolation, session-342, idempotency:sub-haptic-isolation-342 |
| SUB-MAIN-026 | When the Force Sensing Module on one instrument arm reports a sensor fault, the Haptic Feedback Subsystem SHALL disable force feedback on that arm only, continue providing force feedback on all remaining arms at full specification, and notify the surgeon via a visual alert within 200ms. Rationale: Disabling only the faulted arm preserves surgical utility on remaining arms, which is safer than total feedback loss since the surgeon retains haptic sense for other instruments. The 200ms alert requirement matches the minimum safe reaction window from IEC 62443 guidance for real-time operator warnings in safety-relevant systems. | Test | subsystem, haptic, degraded-mode, safety, session-342, idempotency:sub-haptic-degraded-342 |
| SUB-MAIN-027 | The Communication and Data Management System SHALL maintain end-to-end kinematic command transmission latency below 1ms from Surgeon Console to Patient-Side Cart under peak load (all 21 joint channels active, full video traffic). Rationale: 1ms is the latency budget allocated to the communications layer in the 1ms end-to-end control loop specified by SYS-MAIN-001. Exceeding this budget causes the kinematics pipeline to run on stale commands, introducing effective dead time that degrades motion tracking and may cause trajectory overshoot at high motion speeds. | Test | subsystem, comms, performance, session-342, idempotency:sub-comms-latency-342 |
| SUB-MAIN-028 | The Communication and Data Management System SHALL detect fibre link failure within 5ms and complete switchover to the standby fibre path within 10ms, with no loss of kinematic command frames during the switchover. Rationale: 10ms switchover time is derived from the safety requirement in SYS-MAIN-002 and SYS-MAIN-005: a 10ms gap in commands at 1kHz represents 10 missed frames, within the 100ms safe coast period defined for the motion controller. Faster detection (5ms) provides margin before the safety monitor declares a communication fault and initiates safe-hold. | Test | subsystem, comms, reliability, safety, session-342, idempotency:sub-comms-failover-342 |
| SUB-MAIN-029 | The Kinematics Engine SHALL authenticate all joint-space command inputs via HMAC-SHA256 signed frames, rejecting any command with an invalid signature within one 1ms control cycle and logging authentication failures to the Procedure Data Recorder. Rationale: The Kinematics Engine is a purely digital component — a compromised kinematics computation could generate arm trajectories exceeding workspace limits, causing patient injury. HMAC-SHA256 per-frame authentication ensures only authorised motion commands reach the inverse kinematics solver. The 1ms rejection window matches the 1kHz servo rate. | Test | |
| SUB-MAIN-029 | The Procedure Data Recorder SHALL record all kinematic data at 1kHz, both stereo video streams, and all system events without data loss for a minimum continuous operating period of 8 hours, with post-procedure data protected in WORM mode. Rationale: 8-hour capacity matches SYS-MAIN-013 (operational capability for 8 consecutive hours). WORM protection is required by FDA 21 CFR Part 820 (QSR) device history records and by IEC 62304 for surgical device audit trails. Data loss during recording constitutes a regulatory non-conformance and may compromise post-incident investigation. | Test | subsystem, comms, recording, compliance, session-342, idempotency:sub-comms-recorder-342 |
| SUB-MAIN-030 | The Trajectory Generator SHALL validate all motion waypoints against a cryptographically signed workspace envelope before generating trajectory segments, rejecting any waypoint outside the signed envelope and initiating a controlled stop within 50ms. The envelope definition SHALL be loaded from write-protected memory at startup and verified by RSA-2048 signature. Rationale: The Trajectory Generator is a purely digital component computing motion paths for all robot arms. An attacker with access to waypoint inputs could inject trajectories moving instruments outside the sterile field or into anatomical structures. Signing the workspace envelope and validating each waypoint prevents malicious waypoints from being executed. RSA-2048 signature protection is consistent with IEC 62443 requirements for safety-critical motion systems. | Test | |
| SUB-MAIN-030 | When the Real-Time Protocol Engine detects a frame sequence error or CRC failure, the Communication and Data Management System SHALL discard the corrupted frame, log the error with timestamp and channel identifier, and continue processing the next valid frame without resetting the communication channel. Rationale: Frame-level error recovery is preferred over channel reset because a reset introduces a 10ms+ dead period that would trigger the comms-loss safety path. Discarding a single corrupted frame produces at most one missed command cycle (1ms), which the motion controller can interpolate safely. Logging enables post-procedure analysis of communication reliability. | Test | subsystem, comms, fault-handling, session-342, idempotency:sub-comms-framing-342 |
| SUB-MAIN-031 | The Real-Time Protocol Engine SHALL authenticate all synchronisation messages using IEEE 1588v2 PTP with HMAC-SHA256 message authentication codes, discarding timing frames with invalid MACs and logging each rejection. When authenticated timing frames are unavailable for more than 10ms, the system SHALL enter a safe hold state and alert the surgeon console. Rationale: The Real-Time Protocol Engine distributes the master clock used by every servo controller and sensor sampler. A time-injection attack shifting the distributed clock could cause phase misalignment between motion command generation and joint servo execution, producing uncontrolled arm movements. IEEE 1588v2 with HMAC authentication prevents clock spoofing. The 10ms safe-hold threshold is the maximum permissible phase error before joint servo controllers saturate error integrals and produce runaway torque commands. | Test | |
| SUB-MAIN-032 | The Instrument Recognition Module SHALL read and validate the instrument identity chip within 200ms of mechanical coupling detection, providing instrument type code, calibration offsets, remaining use count, and sterilization history to the Tool Tip Articulation Controller and Instrument Lifecycle Controller. Rationale: STK-MAIN-013 requires rapid instrument exchange. The 200ms budget derives from 15-second total swap time: 10s manual handling, 3s coupling, 2s recognition and reconfiguration. 200ms chip read ensures recognition is not the bottleneck. | Test | surgical-instrument-system, instrument-recognition, session-346 |
| SUB-MAIN-033 | The Instrument Drive Unit SHALL actuate all four instrument degrees of freedom (wrist pitch, yaw, roll, and grip) with a position accuracy of +/-0.1mm at the instrument tip across the full 10-procedure instrument lifetime, at a servo update rate of 1kHz. Rationale: SYS-MAIN-001 specifies master-to-slave motion scaling. The 0.1mm tip accuracy is the instrument subsystems share of the overall 1mm system accuracy budget. The 1kHz rate matches the motion control servo loop. Accuracy must hold across instrument lifetime because cable stretch degrades positioning. | Test | surgical-instrument-system, instrument-drive-unit, session-346 |
| SUB-MAIN-034 | The Cable Tensioning System SHALL maintain cable tension on all four instrument DoF cables within +/-5% of the instrument-specific nominal set-point, and SHALL detect cable tension deviation exceeding 15% within 10ms, reporting a tension anomaly to the Safety and Interlock Subsystem. Rationale: Cable tension directly governs instrument tip accuracy. The 5% tolerance derives from the 0.1mm tip accuracy requirement and the cable-to-tip displacement ratio of approximately 4:1. A 15% deviation indicates fraying, disconnection, or mechanical failure requiring safety intervention. The 10ms detection window ensures motion arrest before tip displacement exceeds the safe envelope. | Test | surgical-instrument-system, cable-tensioning, session-346 |
| SUB-MAIN-035 | The Sterile Adapter SHALL maintain sterile barrier integrity per ISO 11607-1 under continuous operating loads of 50N axial force and 2Nm torque per rotary feedthrough channel for a single surgical procedure up to 8 hours, and SHALL transmit torque through all six sealed rotary feedthroughs with no more than 5% torque loss. Rationale: SYS-MAIN-006 and STK-MAIN-004/008/011 require sterile field compliance. The 50N and 2Nm loads represent worst-case instrument insertion force and wrist actuation torque from cadaver studies of complex procedures. The 5% torque loss limit ensures the Cable Tensioning System can compensate without saturating. 8-hour duration covers extended procedures. | Test | surgical-instrument-system, sterile-adapter, session-346 |
| SUB-MAIN-036 | The Tool Tip Articulation Controller SHALL compute cable displacement commands for all four instrument DoF from a desired end-effector pose within 500 microseconds worst-case latency, loading instrument-specific kinematic models from the Instrument Recognition Module at instrument coupling time. Rationale: The 1kHz motion control loop allocates 1ms per cycle. The Tool Tip Articulation Controller shares this cycle with the Kinematics Engine and Joint Servo Controller. The 500us budget is the instrument subsystems allocation after 300us for forward kinematics and 200us for servo command dispatch. Exceeding this budget causes jitter visible as instrument tip tremor. | Test | surgical-instrument-system, articulation-controller, session-346 |
| SUB-MAIN-037 | The Instrument Lifecycle Controller SHALL prevent coupling of any instrument that has exceeded its manufacturer-defined use limit (actuation cycles, sterilization count, or calendar age), inhibiting arm enable via the Safe State Manager until a valid instrument is detected, and SHALL log all lifecycle events to the Procedure Data Recorder per FDA 21 CFR Part 820. Rationale: STK-MAIN-007/010 require prevention of inadvertent patient tissue damage. An instrument past its rated lifecycle has degraded cable integrity, worn joints, and reduced force accuracy. Regulatory traceability (21 CFR 820) mandates that every instrument use event is recorded with disposition. Arm lockout is the enforcement mechanism because the Safe State Manager is the single authority for arm enable. | Demonstration | surgical-instrument-system, lifecycle-controller, session-346 |
| SUB-MAIN-038 | When the Cable Tensioning System detects a tension anomaly on any single cable, the Surgical Instrument System SHALL disable the affected instrument arm within 50ms while maintaining full motion control on all remaining instrument arms, and SHALL display the affected arm identity and failure type on the surgeon console. Rationale: SYS-MAIN-016 requires graceful degradation when one arm fails. A cable tension anomaly means the affected instruments tip position is no longer trustworthy. The 50ms shutdown window is derived from the maximum safe tip displacement at full operating speed (100mm/s): 5mm of uncontrolled travel is the safety limit. Other arms must remain operational because mid-procedure instrument loss is recoverable but total system shutdown may endanger the patient. | Test | surgical-instrument-system, degraded-mode, session-346 |
| SUB-MAIN-039 | The Trajectory Generator SHALL compute interpolated Cartesian pose setpoints at 1kHz with S-curve velocity profiling, limiting instrument tip acceleration to 2g and jerk to 50g/s, ensuring smooth instrument motion that does not induce tissue tearing or excessive contact forces. Rationale: Trajectory smoothness directly governs tissue interaction safety. The 2g acceleration limit derives from biomechanical studies of safe tissue manipulation forces during laparoscopic procedures. S-curve profiling eliminates jerk discontinuities that cause vibration in the cable-driven transmission, which degrades instrument tip position accuracy. The 1kHz rate matches the servo loop frequency to avoid interpolation artefacts. | Analysis | subsystem, motion-control, session-348, idempotency:sub-trajectory-generator-motion-profile-348 |
| SUB-MAIN-040 | When the primary haptic force-rendering processor fails, the haptic feedback subsystem SHALL switch to a secondary rendering path within 50 ms, maintaining contact-force reproduction accuracy within 20 percent of nominal and holding maximum perceivable force above 5 N until the surgeon withdraws the instrument. Rationale: Haptic feedback is system-essential: loss of force cues mid-dissection prevents tissue plane discrimination and risks inadvertent perforation. 50 ms switchover is within the 200 ms perceptual threshold for force discontinuity per IEC 60601-1 Clause 14. | Test | redundancy, safety, haptics, session-367 |
| SUB-MAIN-040 | The Motion Scaling Module SHALL apply the surgeon-selected scaling ratio (3:1, 5:1, or 10:1) to filtered Cartesian velocity commands with gain accuracy of ±0.5%, and SHALL complete the scaling computation within 100 microseconds per cycle to maintain pipeline timing margin. Rationale: Scaling accuracy of ±0.5% ensures the surgeon perceives consistent motion amplification across the workspace. At 10:1 scaling, a 0.5% error corresponds to 50μm at 10mm instrument travel — within the 100μm instrument tip repeatability budget. The 100μs execution budget allocates half the 200μs total pipeline margin to downstream stages (Trajectory Generator, Kinematics Engine). | Test | subsystem, motion-control, session-348, idempotency:sub-motion-scaling-accuracy-348 |
| SUB-MAIN-041 | When the primary IEEE 1588 grandmaster clock source fails or exceeds 1 microsecond offset from UTC, the time protocol engine SHALL switch to the hot-standby grandmaster within 200 ms without disrupting subsystem synchronisation by more than 5 microseconds, and SHALL log the switchover event with timestamp and root cause code. Rationale: Time protocol engine is system-essential: inter-subsystem synchronisation loss causes motion command latency spikes that manifest as jerky or uncontrolled arm motion. The 5 microsecond continuity window is derived from the motion control loop rate of 4 kHz; offsets beyond this cause missed motion cycles. 200 ms switchover is within the 500 ms maximum tolerable disruption defined in IEC 62304 architectural risk analysis. | Test | redundancy, timing, session-367 |
| SUB-MAIN-041 | When the Trajectory Generator detects that a computed trajectory segment would exceed the workspace boundary or violate acceleration limits, the Trajectory Generator SHALL clamp the output to the last safe pose and assert a trajectory-violation flag to the Workspace Safety Enforcer within 1ms, halting all further interpolation until the Workspace Safety Enforcer acknowledges the clamp. Rationale: The Trajectory Generator is the first stage that can detect demand violations before they propagate to the Kinematics Engine. Without this clamp, an out-of-bounds demand would force the Workspace Safety Enforcer to reject the entire joint-angle command downstream, causing a harder motion discontinuity. Clamping at the Cartesian level preserves motion smoothness during limit events. The 1ms assertion budget allows the violation to be caught within the same control cycle. | Test | subsystem, motion-control, safety, session-348, idempotency:sub-tg-safety-clamp-348 |
| SUB-MAIN-042 | When primary AC mains supply fails or drops below 85 VAC, the power management subsystem SHALL transfer all patient-safety loads to the internal UPS within 10 ms, sustaining surgical operations at full rated power for a minimum of 15 minutes to allow orderly procedure completion and instrument retraction. Rationale: Power management is system-essential and Regulated: an uncontrolled power loss mid-procedure immobilises robotic arms in situ, creating a patient entrapment hazard and preventing safe instrument withdrawal. 10 ms transfer time is derived from the motion controller's minimum command cycle; slower transfer causes the servo watchdog to trigger an uncontrolled halt. 15 minutes is the clinical consensus minimum for orderly procedure close cited in IEC 60601-1-1 Annex J. | Test | redundancy, power, safety, session-367 |
| SUB-MAIN-042 | When the Motion Scaling Module receives a velocity command magnitude exceeding 200mm/s (corresponding to maximum safe instrument tip velocity at 1:1 scaling), the Motion Scaling Module SHALL reject the command, hold the last valid output, and report an over-velocity fault to the Safety and Interlock Subsystem within 500 microseconds. Rationale: The Motion Scaling Module is the earliest point in the pipeline where absolute velocity limits can be enforced independent of the selected scaling ratio. The 200mm/s threshold corresponds to the maximum safe instrument tip velocity derived from tissue damage studies — exceeding this at any scaling ratio indicates either a sensor fault or an uncontrolled input. The 500μs detection budget ensures the fault is flagged within the same control cycle, preventing propagation to the Trajectory Generator. | Test | subsystem, motion-control, safety, session-348, idempotency:sub-msm-safety-overvel-348 |
| SUB-MAIN-043 | When the primary procedure data recorder storage medium fails or write latency exceeds 200 ms, the procedure data recorder SHALL simultaneously stream all kinematic, video, and event data to a secondary hot-standby recorder such that no more than 2 seconds of procedure data is lost and recording resumes on the backup without operator intervention. Rationale: Procedure data recorder is system-essential: complete surgical records are required by IEC 62304 and regulatory bodies (FDA 21 CFR Part 820) for post-incident reconstruction, device liability, and surgical training. A 2-second data gap is the maximum acceptable loss established by clinical risk analysis; longer gaps may obscure the causal chain in adverse event investigations. | Test | redundancy, data-recording, regulatory, session-367 |
| SUB-MAIN-043 | The Power Management Subsystem SHALL maintain all surgical robot system functions from the UPS Battery Module for a minimum of 30 minutes following loss of mains power, permitting controlled procedure completion and safe shutdown. Rationale: IEC 60601-1 clause 11.8.4 requires medical electrical equipment to maintain operation from internal energy source for defined periods; 30 minutes is the minimum required to complete a laparoscopic procedure segment and park all arms safely. Loss of power mid-procedure constitutes a patient safety event. | Test | subsystem, power-management, session-350, idempotency:sub-power-ups-duration-350 |
| SUB-MAIN-044 | The interlock subsystem SHALL be designed, verified, and validated to IEC 61508 SIL 3, achieving a PFH (probability of dangerous failure per hour) of less than 1e-7 per hour, with documented FMEA, fault-injection testing, and independent third-party assessment prior to regulatory submission. Rationale: Interlock subsystem is Regulated and classified as the last line of defence against uncontrolled robotic motion near the patient. SIL 3 is required because the hazardous event (uncontrolled arm motion causing patient injury) is classified as Catastrophic + Frequent in the system-level HAZOP. IEC 61508 is the applicable functional safety standard for programmable electronic safety systems in medical robotics per IEC 80601-2-77. | Analysis | compliance, safety, SIL3, regulatory, session-367 |
| SUB-MAIN-044 | The Power Management Subsystem SHALL energise subsystems in the following order during startup: Safety and Interlock Subsystem, Auxiliary Power Supply, Communication and Data Management System, Motion Control System, Surgical Instrument System. Shutdown SHALL reverse this sequence. Rationale: Energising the safety subsystem first ensures that the watchdog and E-stop chain are active before any motion-capable subsystem receives power. Reverse-sequence shutdown ensures that motion-capable drives are de-energised before safety supervision is withdrawn. Any other order creates a window where actuators are powered without protection. | Inspection | subsystem, power-management, session-350, idempotency:sub-power-sequencing-order-350 |
| SUB-MAIN-045 | The motion control system software SHALL be developed to IEC 62304 Class C (safety class), with complete requirements traceability, code review, unit and integration test evidence, and a software hazard analysis prior to release. All Class C software modules SHALL achieve modified condition/decision coverage (MC/DC) of 100 percent. Rationale: Motion control system is Regulated: its software directly commands robotic arm position; a defect causing unintended motion constitutes a Catastrophic hazard under ISO 14971. IEC 62304 Class C is mandatory for software whose failure can cause death or serious injury; MC/DC 100 percent is required by DO-178C and adopted by IEC 62304 supplementary guidance for safety-critical medical motion control. | Inspection | compliance, software, IEC62304, session-367 |
| SUB-MAIN-045 | The Auxiliary Power Supply SHALL remain energised and supply the Safety and Interlock Subsystem, Watchdog Timer Controller, and Emergency Stop Chain contactor coils during any main bus fault, brownout below 85% nominal, or deliberate mains disconnection. Rationale: The Safety and Interlock Subsystem must remain operational to initiate controlled safe-state during power faults. A brownout that de-energises the watchdog before safe-state is reached would leave joint motors in an undefined state — creating a patient harm risk equivalent to a software crash. | Test | subsystem, power-management, session-350, idempotency:sub-power-aux-isolation-350 |
| SUB-MAIN-046 | The workspace safety enforcer SHALL comply with IEC 80601-2-77:2021 Clause 201.11 (Accuracy of controls and instruments) and ISO 10218-1:2011 Clause 5.4 (Safety-rated monitored stop), achieving a safety-rated monitored stop reaction time of less than 10 ms from workspace boundary violation detection to servo torque cutoff. Rationale: Workspace safety enforcer is Regulated: it prevents robotic arms from entering anatomical exclusion zones during surgery. IEC 80601-2-77 is the applicable collateral standard for surgical robot systems; ISO 10218-1 Clause 5.4 provides the safety-rated stop performance benchmark. 10 ms is derived from the worst-case arm velocity (0.5 m/s) and maximum tolerable penetration depth (5 mm) before tissue contact. | Test | compliance, safety, workspace, regulatory, session-367 |
| SUB-MAIN-046 | While the Image Processing Pipeline is processing stereoscopic video, it SHALL detect any frame that contains artefacts exceeding 5% pixel corruption or latency exceeding 33ms (2-frame drop at 60fps) and substitute a frozen clean frame, generating a latency-exceeded alert to the Surgeon Console within 10ms of detection. Rationale: Lint finding: Image Processing Pipeline is Functionally Autonomous (FPGA-based, minimal external oversight). A corrupted or latency-violated frame delivered to the surgeon without notification constitutes a patient safety risk — the surgeon may act on an inaccurate view of the surgical field. Frozen frame substitution is the standard safety response in medical video chains (IEC 62304 guidance); the 5% threshold is derived from psychophysical research showing artefacts above this level impair depth perception in stereoscopic displays. | Test | subsystem, vision, safety, session-350, idempotency:sub-image-safety-constraint-350 |
| SUB-MAIN-047 | The console computer SHALL be qualified as a medical device accessory per EU MDR 2017/745 Annex I and FDA 21 CFR Part 820, with a Quality Management System certified to ISO 13485:2016, and SHALL display a current CE mark and 510(k) clearance number on the labelling prior to clinical deployment. Rationale: Console computer is Regulated: as the primary surgeon-facing interface that initiates and controls all robotic motion, it is a medical device accessory that requires regulatory approval before clinical use. EU MDR and FDA 510(k) clearance are the applicable market authorisations; ISO 13485 QMS certification is a prerequisite for both submission pathways. | Inspection | compliance, regulatory, MDR, session-367 |
| SUB-MAIN-047 | The Electrosurgical Generator SHALL produce monopolar RF output power of 10-400W and bipolar RF output power of 10-80W at frequencies between 300kHz and 3MHz, with actual output power within 10% of the selected setting across the load impedance range of 100Ω to 2kΩ. Rationale: Power range and impedance bounds are derived from IEC 60601-2-2 and clinical electrosurgical unit specifications. Monopolar 400W maximum covers major vessel haemostasis; bipolar 80W maximum covers delicate tissue coagulation. 10% output accuracy prevents surgeon from applying unintended power levels that could cause deep thermal injury. | Test | subsystem, energy-delivery, performance, session-352, idempotency:sub-eds-esg-rf-power-352 |
| SUB-MAIN-048 | The Electrosurgical Generator SHALL achieve full output power within 100ms of receiving an activation command and SHALL reduce output to below 1W within 50ms of receiving a deactivation command. Rationale: Activation 100ms bound allows surgeon intent recognition by the Energy Delivery Controller before energy reaches tissue. Deactivation 50ms bound is the safety-critical parameter: at 400W monopolar, 50ms corresponds to approximately 20J of unintended energy delivery — the upper threshold for acceptable unintended thermal damage per IEC 60601-2-2 risk analysis. | Test | subsystem, energy-delivery, safety, performance, session-352, idempotency:sub-eds-esg-latency-352 |
| SUB-MAIN-049 | The Ultrasonic Energy Module SHALL drive the ultrasonic transducer at 55.5kHz ± 500Hz with selectable power levels from 10% to 100% in 10% increments, and SHALL detect blade temperature via thermocouple and inhibit activation when blade temperature exceeds 100°C. Rationale: 55.5kHz is the standard resonant frequency for Harmonic-class ultrasonic surgical devices; ± 500Hz tolerance maintains resonance efficiency above 95%. 100°C blade temperature inhibit prevents retained heat burns from a previously activated blade contacting unintended tissue — a documented adverse event class in ultrasonic surgery (FDA MAUDE database, 2015-2022). | Test | subsystem, energy-delivery, performance, safety, session-352, idempotency:sub-eds-uem-freq-temp-352 |
| SUB-MAIN-050 | The Energy Delivery Controller SHALL enforce mutual exclusion between RF and ultrasonic modalities such that activation of one modality SHALL automatically inhibit the other, with the inhibition taking effect within 10ms of detecting concurrent activation requests. Rationale: Simultaneous RF and ultrasonic energy delivery through the same instrument port could generate resonance artefacts in tissue or overload instrument drive electronics. 10ms inhibition response is derived from the 100ms activation latency requirement — inhibition must be faster than the energy-reaching-tissue window. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-edc-mutual-exclusion-352 |
| SUB-MAIN-051 | The Return Electrode Monitor SHALL continuously sample patient return electrode impedance at a minimum of 100Hz and SHALL inhibit monopolar energy delivery within 500ms when sampled impedance exceeds 135 ohms, with inhibition persisting until the pad impedance is restored and the surgeon actively resets the alarm. Rationale: 135Ω threshold and 500ms response are per IEC 60601-2-2 Annex J requirements for REM circuits. Partial pad lift is the primary cause of alternate site burns in monopolar electrosurgery; active surgeon reset prevents automatic re-enable after transient impedance excursion, ensuring the surgeon consciously acknowledges the alarm before energy resumes. | Test | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-052 | The Tissue Effect Monitor SHALL detect vessel seal completion by impedance rise signature and SHALL command the Electrosurgical Generator to cease energy delivery within 200ms of endpoint detection, with endpoint defined as an impedance increase of at least 1.5kΩ occurring within any 400ms window during active vessel sealing. Rationale: 1.5kΩ rise in 400ms is derived from validated impedance signatures for collagen denaturation in bipolar vessel sealing (cf. LigaSure algorithm patent family, published clinical studies on tissue impedance monitoring). Automatic cutoff prevents over-application beyond seal completion, which is the primary cause of vessel charring and reduced seal burst strength. | Test | subsystem, energy-delivery, performance, session-352, idempotency:sub-eds-tem-endpoint-352 |
| SUB-MAIN-053 | The Energy Delivery Controller SHALL automatically terminate energy delivery and generate a surgeon console alarm if continuous activation exceeds 15 seconds for RF modality or 5 seconds for ultrasonic modality, with resumption requiring explicit surgeon re-activation. Rationale: 15s RF timeout prevents inadvertent extended electrosurgery from a held footswitch (e.g., surgeon distraction or equipment malfunction). 5s ultrasonic timeout is shorter because blade thermal accumulation above the 100°C inhibit threshold occurs within 7-10s of continuous activation at full power — the 5s limit provides 2-5s safety margin. Both timeouts are surgeon-acknowledged to prevent silent energy restart. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-edc-timeout-352 |
| SUB-MAIN-054 | The Energy Delivery System SHALL provide electrical isolation between the energy delivery circuit and the robotic control network such that patient leakage current through any energy path does not exceed 10μA in normal condition and 50μA in single-fault condition, per IEC 60601-1 Type CF applied part classification. Rationale: Type CF classification is mandatory for equipment making direct cardiac contact or used near the heart — surgical robot instruments may be used in cardiac procedures. 10μA/50μA limits are per IEC 60601-1 Table 1 for Type CF applied parts. Isolation is safety-critical: conductive coupling between the RF generator and servo control bus could introduce high-frequency noise causing servo instability or patient microshock. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-isolation-leakage-352 |
| SUB-MAIN-055 | The Foot Pedal Array SHALL transmit energy activation, clutch, and camera control pedal events to the corresponding subsystem controllers within 50ms of pedal mechanical actuation. Rationale: 50ms is the maximum latency consistent with transparent surgeon control: beyond 50ms, pedal-to-action delays become perceptible and can cause unintended energy delivery or motion. The E-stop pedal is hardwired and has a separate sub-millisecond hardware path; this requirement covers only the software-mediated pedals. | Test | subsystem, surgeon-console, foot-pedal, session-353, idempotency:sub-sic-pedal-latency-353 |
| SUB-MAIN-056 | The Voice Command Module SHALL recognise predefined surgical commands from the active vocabulary with a word error rate below 5% in an operating room acoustic environment with background noise up to 65dB SPL. Rationale: A 5% WER ceiling ensures that no more than 1 in 20 commands is misrecognised in the worst-case OR noise environment. Validated against reference vocabulary of 200 surgical commands. Higher error rates create workflow interruption and require repeated commands, increasing procedure duration. | Test | subsystem, surgeon-console, voice, session-353, idempotency:sub-sic-voice-wer-353 |
| SUB-MAIN-057 | The Voice Command Module SHALL dispatch a recognised command to the Console Computer within 200ms of speech onset. Rationale: 200ms is the perceptibility threshold for voice-to-action feedback in human factors studies for surgical environments. Commands exceeding 200ms latency break cognitive flow and may lead the surgeon to repeat the command, creating duplicate-command hazard. | Test | subsystem, surgeon-console, voice, session-353, idempotency:sub-sic-voice-latency-353 |
| SUB-MAIN-058 | The Console Computer SHALL require surgeon authentication before enabling robotic motion, and SHALL log the authenticated user identity, authentication time, and case start time to the Procedure Data Recorder. Rationale: Regulatory requirement under MDR 2017/745 and FDA 21 CFR Part 820 for medical device traceability. Authentication prevents unauthorised use and creates an auditable record linking each surgical case to a credentialled operator. | Test | subsystem, surgeon-console, authentication, compliance, session-353, idempotency:sub-sic-auth-353 |
| SUB-MAIN-059 | The Arm Positioning System SHALL prevent motorised adjustment of any axis while the system is in OPERATIONAL state, and SHALL complete position lock-out within 500ms of the system entering OPERATIONAL state. Rationale: Arm movement during robotic operation would change the master-to-slave kinematic calibration mid-procedure, causing instrument tip position error. 500ms lock-out allows the safety state broadcast (IFC-MAIN-004) to propagate and the positioning motor controllers to confirm brake engagement before motion commands are accepted. | Test | subsystem, surgeon-console, arm-positioning, safety, session-353, idempotency:sub-sic-armpos-lockout-353 |
| SUB-MAIN-060 | The Console Computer SHALL complete a startup self-test within 90 seconds of power-on, verifying connectivity to the Surgeon Interface Panel, Voice Command Module, Arm Positioning System, and Real-Time Protocol Engine, and SHALL display the test result on the Surgeon Interface Panel before enabling case start. Rationale: 90-second startup target matches pre-operative room setup workflow; longer startup delays operating theatre utilisation. Self-test covers all console-side interfaces so fault detection occurs before the surgical team proceeds to patient positioning. | Test | subsystem, surgeon-console, startup, session-353, idempotency:sub-sic-startup-selftest-353 |
| SUB-MAIN-061 | When the Voice Command Module fails or is disabled, the Surgeon Input Console SHALL continue to provide full surgical system control through the Surgeon Interface Panel and Foot Pedal Array with no reduction in motion control, energy delivery, or camera control capability. Rationale: Voice command is a convenience input and must not be a single point of failure for any surgical function. All capabilities accessible via voice must also be reachable via touchscreen or foot pedal, ensuring the surgeon retains complete system control through hardware-only input paths during voice system fault. | Test | subsystem, surgeon-console, degraded-mode, session-353, idempotency:sub-sic-voice-degraded-353 |
| SUB-MAIN-062 | The Haptic Controller SHALL be developed and validated to IEC 62061 Safety Integrity Level 2 (SIL2), including hardware fault tolerance requirements and safe-state transition to zero-torque output within 10ms of any detected CPU fault, EtherCAT timeout, or watchdog expiry. Rationale: Direct patient-contact force pathway: a runaway torque command from a failed haptic controller would render uncontrolled forces on the surgeon's hands that could mask or amplify dangerous tissue contact events. SIL2 derives from FMEA on the haptic render loop — single CPU fault without safe-state fallback is classified as a hazardous event at severity level S2, probability class P2 under IEC 62061. | Analysis | subsystem, haptic, session-354, idempotency:sub-haptic-sil2-354 |
| SUB-MAIN-063 | The Haptic Feedback Subsystem SHALL remain stable (no limit cycles or sustained oscillations) during instrument-tissue contact for all tissue impedances within the range 0.1 N/mm to 10 N/mm and all motion scaling ratios 1:1 to 10:1. Rationale: Haptic rendering loops coupled to stiff tissue models are susceptible to Z-width instability when the contact admittance exceeds the passivity boundary. The specified tissue stiffness range covers all soft to semi-rigid tissue types in abdominal surgery. Failure to maintain stability produces oscillating forces at the master handle that corrupt tactile perception and may cause the surgeon to lose grip control. | Test | subsystem, haptic, session-354, idempotency:sub-haptic-stability-354 |
| SUB-MAIN-064 | When the Haptic Feedback Subsystem is in STANDBY or DISABLED state, the Master Handle Actuator SHALL present a backdrive torque of no more than 0.05 Nm at any joint, ensuring force-transparent kinaesthetic operation independent of haptic rendering. Rationale: Surgeons must be able to move master handles freely even when haptic rendering is inactive (e.g., during tele-operation setup or soft-tissue navigation without force feedback). Backdrive torque above 0.05 Nm creates proprioceptive masking, reducing tremor filtering effectiveness and increasing surgeon fatigue during procedures exceeding 2 hours. | Test | subsystem, haptic, session-354, idempotency:sub-haptic-backdrive-354 |
| SUB-MAIN-065 | The Haptic Feedback Subsystem SHALL be designed and manufactured in compliance with IEC 60601-1:2005+AMD1:2012 (medical electrical equipment safety) and IEC 60601-1-6 (usability), including classification as Type CF applied part where patient-contact signal pathways exist, and meeting continuous leakage current limits of ≤10µA under single fault conditions. Rationale: The force sensing chain contacts the instrument tip which contacts the patient — this constitutes a Type CF applied part under IEC 60601-1. The 10µA limit at single fault is the most stringent patient leakage requirement and is mandated for devices with direct cardiac path access risk in intra-abdominal surgery. Compliance failure blocks FDA 510(k) clearance. | Analysis | subsystem, haptic, compliance, session-354, idempotency:sub-haptic-compliance-60601-354 |
| SUB-MAIN-066 | The Surgeon Interface Panel SHALL transmit 7-DOF Cartesian pose data from each master manipulator arm to the Console Computer at a minimum rate of 1kHz, with position resolution ≤0.1mm and angular resolution ≤0.1°, measured at the instrument-side tooltip for motion scaling computation. Rationale: 1kHz sampling is the Nyquist floor for transparent 500Hz haptic control loops; lower rates introduce perceptible latency and quantisation artefacts in master arm motion. Position resolution ≤0.1mm matches the minimum clinically significant motion increment for microsurgical tasks per ISO 13482 guidance on medical robot kinematics. | Test | subsystem, surgeon-console, haptic, session-356, idempotency:sub-sip-pose-rate-356 |
| SUB-MAIN-067 | The Surgeon Interface Panel SHALL render haptic force feedback at the master arm fingertips within 1ms of receiving a force command from the Console Computer, with force rendering accuracy within 15 percent of commanded value across the 0 to 5N operating range. Rationale: 1ms haptic loop closure is the perceptibility threshold for transparent force feedback; latencies above 5ms introduce phase lag that disrupts hand-eye coordination during delicate tissue manipulation. 15 percent accuracy matches the resolution of the force sensing at the instrument tip, ensuring the rendered feedback is not more accurate than the source measurement. | Test | subsystem, surgeon-console, haptic, session-356, idempotency:sub-sip-haptic-force-356 |
| SUB-MAIN-068 | The Surgeon Interface Panel SHALL detect surgeon hand disengagement from master arm handles within 50ms and immediately signal the Console Computer to inhibit motion transmission to patient-side instruments. Rationale: Hand disengagement without inhibition would allow free-running slave arm motion with no surgeon intent, creating a direct patient injury hazard. 50ms is the upper bound derived from the system 1ms E-stop latency budget: sensor debounce 10ms plus signal propagation 40ms, ensuring disengagement is communicated before the 100ms safety watchdog deadline. | Test | subsystem, surgeon-console, safety, session-356, idempotency:sub-sip-handle-engage-356 |
| SUB-MAIN-069 | The Console Computer software SHALL be developed and documented to IEC 62304 Class C, with traceability from requirements to software units, and the overall system integration SHALL demonstrate conformance with IEC 60601-1-8 for alarm management and MDR 2017/745 Annex I essential safety requirements. Rationale: The Console Computer is a Class C medical device software component under IEC 62304 because its failure mode can lead to patient injury without opportunity for intermediate detection. MDR 2017/745 Annex I essential requirements are mandatory for CE marking and apply to the complete robotic surgery system with the console as primary control surface. | Inspection | subsystem, surgeon-console, compliance, regulatory, session-356, idempotency:sub-cc-compliance-iec62304-356 |
| SUB-MAIN-070 | When the Console Computer detects a software exception or watchdog timeout, the system SHALL enter SAFE-HOLD state within 500ms, transmit a safe-state broadcast to all subsystems, and retain the last 30 seconds of kinematic and video data in battery-backed non-volatile storage for post-incident analysis. Rationale: 500ms safe-state entry on console computer failure is within the clinical tolerance for motion freeze in surgical robotics before the surgeon can intervene manually. Retaining 30 seconds of pre-fault data supports root-cause analysis and is required under MDR 2017/745 for post-market surveillance of Class IIb devices. Battery-backed storage ensures retention even if main power is lost in the same fault event. | Test | subsystem, surgeon-console, safety, redundancy, session-356, idempotency:sub-cc-failsafe-safehold-356 |
| SUB-MAIN-071 | The Real-Time Protocol Engine SHALL execute time-division multiplexed frame scheduling with a cycle-to-cycle jitter of no more than 1 microsecond, measured at the frame start pulse on the inter-cart fibre transmitter. Rationale: The 1kHz control loop has a total latency budget of 1ms end-to-end (SYS-MAIN-001). The FPGA frame scheduler is the first element in the surgeon-to-instrument chain; a jitter above 1 microsecond accumulates across 7 pipeline stages to exceed the allowed latency variance. Verified by oscilloscope capture of 10,000 consecutive frame-start pulses with a <2ns resolution clock source. | Test | subsystem, motion-control, infrastructure, real-time-protocol-engine, session-357, idempotency:sub-rtpe-tdm-jitter-357 |
| SUB-MAIN-072 | When the Real-Time Protocol Engine detects absence of a valid surgeon console frame for more than 3 consecutive TDM cycles (3ms), the Real-Time Protocol Engine SHALL assert a link-fault signal to the Workspace Safety Enforcer and transmit a zero-velocity command on all 6 DOF within 1ms of fault assertion. Rationale: Three missed cycles at 1kHz equals 3ms, matching the system emergency-stop response budget in SYS-MAIN-010. A zero-velocity command within 1ms of fault assertion ensures the joint servos receive a valid safe command before the watchdog timer in the patient-side cart triggers a power-off, preventing uncontrolled arm movement during comms loss. | Test | subsystem, motion-control, infrastructure, real-time-protocol-engine, safety, session-357, idempotency:sub-rtpe-fault-halt-357 |
| SUB-MAIN-073 | The Network Management Controller SHALL maintain EtherCAT distributed clock synchronisation across all patient-side servo nodes with a maximum inter-node timing skew of 500 nanoseconds during continuous operation. Rationale: Joint Servo Controllers on different patient-side cart nodes execute torque commands sampled from the same 1kHz kinematic frame. A timing skew above 500ns causes inter-joint command phase errors that produce coordinated arm jerks visible as position discontinuities. 500ns corresponds to one-quarter of the EtherCAT propagation jitter budget at 2Mbps, leaving margin for cable length variation. | Test | subsystem, motion-control, infrastructure, network-management, session-357, idempotency:sub-nmc-ethercat-sync-357 |
| SUB-MAIN-074 | When the Network Management Controller receives no valid EtherCAT response from a servo node for 2 consecutive bus cycles (2ms), the Network Management Controller SHALL remove the node from the active topology, assert a per-node fault flag to the Workspace Safety Enforcer, and maintain full communication with all remaining nodes within the same bus cycle. Rationale: SYS-MAIN-016 requires continued full function on remaining instrument arms when one arm loses servo communication. Isolation within a single bus cycle (1ms) ensures the remaining nodes do not experience frame corruption due to a misbehaving slave, which would cause system-wide motion interruption rather than a contained single-arm fault. | Test | subsystem, motion-control, infrastructure, network-management, safety, session-357, idempotency:sub-nmc-fault-isolation-357 |
| SUB-MAIN-075 | The Procedure Data Recorder SHALL continuously record all 7-DOF joint angles, joint torques, and Cartesian velocities for each active instrument arm at 1kHz sample rate, with a maximum write latency of 10ms from sample acquisition to persistent storage. Rationale: SYS-MAIN-015 mandates 1kHz kinematic data recording across all arms. A 10ms write latency ceiling (10 samples) matches the size of the in-memory ring buffer allocated on the Real-Time Compute Node before data is handed to the recorder. Exceeding 10ms risks ring buffer overflow during sustained peak I/O load, causing permanent sample loss that cannot be reconstructed for post-procedure audit. | Test | subsystem, motion-control, infrastructure, procedure-data-recorder, session-357, idempotency:sub-pdr-recording-rate-357 |
| SUB-MAIN-076 | The Procedure Data Recorder SHALL store data on dual-mirrored NVMe drives, detect any write or read failure on either drive within 1 second, and notify the Surgeon Interface Panel with an audible alarm while continuing to record on the remaining healthy drive without interruption. Rationale: Clinical and regulatory standards (IEC 62133, MDR Annex I General Safety clause 17.2) require that medical device data integrity is maintained during single-component storage failure. Dual-mirror NVMe provides hot-standby redundancy. A 1-second fault detection window is achievable via SMART polling at 100ms intervals and is the minimum acceptable for surgeon notification before a second fault could cause total data loss during a long procedure. | Demonstration | subsystem, motion-control, infrastructure, procedure-data-recorder, reliability, session-357, idempotency:sub-pdr-storage-integrity-357 |
| SUB-MAIN-077 | The Inter-Cart Fibre Link SHALL provide a minimum bidirectional throughput of 10 Gbps with a one-way optical propagation latency not exceeding 100 microseconds for cable lengths up to 10 metres between Surgeon Console and Patient-Side Cart. Rationale: The motion control pipeline requires approximately 2.4Mbps of kinematic data per arm (7 joints × 3 values × 64-bit × 1kHz), and the system supports up to 4 arms plus video metadata, totalling under 100Mbps even with control overhead. 10Gbps provides a 100× safety margin for future capability expansion. 100 microseconds propagation at 10m is well within the 1ms end-to-end latency budget of SYS-MAIN-001. | Test | rt-implausible-value, red-team-session-502 |
| SUB-MAIN-078 | When the active Inter-Cart Fibre Link channel fails (signal loss, CRC error rate exceeding 10^-9 per frame), the Inter-Cart Fibre Link SHALL switch to the redundant fibre channel within 1 millisecond without loss of any in-flight kinematic command frames. Rationale: A 1ms failover aligns with the 3-missed-cycle fault threshold of the Real-Time Protocol Engine (SUB-MAIN-072), ensuring a channel switch does not itself trigger a controlled stop. Kinematic frame loss during failover would be indistinguishable from a comms fault and would unnecessarily halt the procedure. Dual-fibre switchover with in-flight frame buffering is standard in deterministic real-time networks (e.g., HSR/PRP protocols). | Test | subsystem, motion-control, infrastructure, inter-cart-fibre, resilience, session-357, idempotency:sub-icfl-redundancy-failover-357 |
| SUB-MAIN-079 | The Inter-Cart Fibre Link shall provide complete galvanic isolation between the Surgeon Console and Patient-Side Cart, with reinforced insulation rated to a minimum of 4000 VAC (IEC 60601-1 Clause 8.8), ensuring no conductive path exists between the two cart chassis. Rationale: IEC 60601-1 type B applied part requirements prohibit any continuous conductive path between the surgeon side and the patient side of a surgical system. Optical fibre is the preferred isolation mechanism because it inherently provides infinite DC resistance. The 4000 VAC reinforced insulation rating is the IEC 60601-1 requirement for patient-contacting applied parts with highest risk classification, ensuring patient safety even under single-fault conditions in the mains power circuitry. | Test | subsystem, motion-control, infrastructure, inter-cart-fibre, safety, iec60601, session-357, idempotency:sub-icfl-galvanic-isolation-357 |
| SUB-MAIN-080 | The Tremor Rejection Filter SHALL implement a zero-phase 8th-order Butterworth low-pass filter at 6Hz cutoff, achieving ≥40dB attenuation above 6Hz and ≤0.5dB passband ripple below 3Hz, with an initial transient settling time of ≤5ms on mode activation. Rationale: Involuntary physiological tremor spans 6-12Hz; the 6Hz cutoff preserves intentional surgical motion (typically 0-3Hz) while eliminating tremor. 8th-order provides the 40dB/octave slope needed without adding unacceptable group-delay. Zero-phase implementation prevents latency-induced instability. | Test | subsystem, motion-control, tremor, session-358, idempotency:sub-tremor-filter-attenuation-358 |
| SUB-MAIN-081 | When the Tremor Rejection Filter detects a sustained high-frequency velocity component above 8Hz for more than 200ms, it SHALL log a TREMOR_ELEVATED event to the Procedure Data Recorder and maintain filtering without operator intervention. Rationale: Elevated tremor (e.g., fatigue, medication effect) changes filter operating point. Automatic logging captures surgeon physiology data for post-operative review and enables future adaptive filtering without requiring mid-procedure UI interaction. | Test | subsystem, motion-control, tremor, session-358, idempotency:sub-tremor-adaptive-log-358 |
| SUB-MAIN-082 | The Workspace Safety Enforcer SHALL compute signed penetration depth for all 7-DOF arm configurations against the patient anatomy mesh and instrument collision model at 1kHz, and SHALL generate a repulsive joint-space torque that limits Cartesian approach velocity to less than 5mm/s within 5mm of any restricted surface. Rationale: Patient anatomy mesh defines no-go zones near vessels and organs. At 5mm proximity, a 5mm/s maximum approach rate gives the surgeon 1 second to redirect before potential tissue contact; at full 1kHz rate the enforcer can react within a single control cycle to prevent boundary violation. | Test | subsystem, motion-control, workspace-safety, session-358, idempotency:sub-wse-proximity-enforcement-358 |
| SUB-MAIN-083 | When the Workspace Safety Enforcer cannot access a valid patient anatomy mesh (model corruption or load failure), it SHALL transition the Motion Control and Scaling Subsystem to a reduced-mobility mode that limits Cartesian workspace to a predefined 150mm-radius sphere centred on the instrument tip position at fault onset, and SHALL generate a WORKSPACE_MODEL_FAULT alert within 50ms. Rationale: Loss of anatomy mesh eliminates proximity safety guarantees. The 150mm sphere provides a safe enclosure around the current instrument position, preventing gross motion while allowing the surgeon to retract instruments. 50ms alert latency matches the safety watchdog cycle time. | Test | subsystem, motion-control, workspace-safety, session-358, idempotency:sub-wse-degraded-mode-358 |
| SUB-MAIN-084 | When the Kinematics Engine detects a kinematic singularity condition (Jacobian determinant below threshold 1e-4), it SHALL activate damped-least-squares inverse kinematics with a damping coefficient lambda of 0.05, and SHALL maintain commanded Cartesian velocity direction error below 5 degrees while limiting joint velocity to 80% of maximum. Rationale: Surgical manipulators with 7-DOF pass near singularities during routine retraction and rotation. At singularity, standard pseudoinverse produces infinite joint velocities; DLS with lambda=0.05 caps joint speed while preserving directional intent. 5-degree directional error is within the surgeon motion resolution threshold. | Test | subsystem, motion-control, kinematics, session-358, idempotency:sub-ke-singularity-handling-358 |
| SUB-MAIN-085 | When the Joint Servo Controller detects a joint position error exceeding 0.5 degrees for more than 10ms during a commanded trajectory, it SHALL command the affected joint brake to engage within 2ms, halt motion on all joints of the affected arm, and report a SERVO_FAULT event to the Safe State Manager with joint ID, error magnitude, and timestamp. Rationale: A 0.5-degree uncorrected error at the instrument tip can translate to 3-5mm tip displacement depending on arm configuration; at 10ms detection window this stays within the 2mm maximum allowable tip error envelope. Brake engage within 2ms prevents runaway while reporting enables root-cause analysis. | Test | subsystem, motion-control, servo, session-358, idempotency:sub-jsc-fault-isolation-358 |
| SUB-MAIN-086 | The Procedure Data Recorder SHALL be housed in a dedicated 1U rack-mount enclosure (430mm × 44mm × 380mm) integrated into the patient cart, rated IP21, operating from the 12V patient cart rail, with WORM-compliant SSD storage and a removable front-panel USB-C port for intraoperative data export. Rationale: Physical embodiment requirement derived from ontological analysis showing PDR has physical environmental constraints (SUB-MAIN-086). Dedicated enclosure isolates PDR from vibration and RF emitted by energy delivery subsystem; IP21 matches clinical environment; rack-mount integration mandated by cart geometry and field-service requirements. | Inspection | |
| SUB-MAIN-086 | While the Real-Time Compute Node CPU junction temperature exceeds 85 degrees Celsius, the node SHALL reduce non-critical background processing priority and maintain full deterministic scheduling for Motion Control threads, with junction temperature logged to the Procedure Data Recorder at 1Hz; if temperature reaches 95 degrees Celsius, the node SHALL generate a THERMAL_CRITICAL alert and transition to Safe Hold. Rationale: Real-time scheduling must be immune to thermal throttling; standard OS thermal management interrupts deterministic task execution. 85C threshold provides 10C headroom before critical shutdown. Safe Hold at 95C prevents silicon damage that could cause unpredictable motion. | Test | subsystem, motion-control, compute, session-358, idempotency:sub-rtcn-thermal-management-358 |
| SUB-MAIN-087 | The Power Management Subsystem SHALL be implemented as two physically separated LRUs: a mains power entry module (400mm × 200mm × 100mm) mounted in the patient cart base handling AC-DC conversion for 24V, 12V, and 5V rails, and a surgeon console power board (250mm × 150mm × 60mm) supplying the console computer and haptic subsystem; both rated IP21 and conformal-coated for cleaning agent resistance. Rationale: Physical embodiment required by ontological mismatch finding (SUB-MAIN-102, VER-MAIN-107): PMS has physical environmental constraints but was classified without Physical Object trait. Separation into two LRUs reflects actual surgical robot architectures where console and cart power domains are galvanically isolated for patient safety per IEC 60601-1 clause 8. | Inspection | |
| SUB-MAIN-087 | The Motion Control and Scaling Subsystem SHALL authenticate all external configuration commands (scaling ratio updates, workspace model loads, and motion enable/disable) via HMAC-SHA256 with a session key established at system startup, and SHALL reject and log any command failing authentication within one control cycle (1ms) without interrupting the real-time motion pipeline. Rationale: IEC 62443-3-3 SR 1.1 requires authentication for all control commands in medical device systems. Unauthorised scaling ratio or workspace mesh injection could cause unsafe instrument motion; HMAC-SHA256 with a session key provides integrity without adding per-cycle cryptographic load to the deterministic pipeline. Rejection within 1ms ensures the safety check does not degrade pipeline timing. | Test | subsystem, motion-control, cybersecurity, session-358, idempotency:sub-mcs-command-auth-358 |
| SUB-MAIN-088 | The Motion Control System SHALL be implemented as a physically distinct compute subsystem comprising a real-time motion controller card (PCIe half-length, 210mm × 111mm) installed in the patient cart chassis, with direct hardware backplane connections to actuator drive electronics, operating from the 12V patient cart rail and rated for continuous operation at 45°C ambient without forced air cooling. Rationale: Physical embodiment needed per lint finding: MCS lacks Physical Object trait but SUB-MAIN-086 imposes physical environmental constraints. Real-time constraint requires dedicated hardware, not virtualised compute; 45°C ambient without forced cooling is derived from operating theatre HVAC limits and OR noise requirements (IEC 60601-1 Part 12 compatibility). | Inspection | |
| SUB-MAIN-088 | The Main Power Distribution Unit SHALL distribute mains AC power to all surgical robot subsystems via independently fused branch circuits, with each branch rated at no less than 125% of its maximum load current. Rationale: Branch circuit over-sizing to 125% of peak load current is required by IEC 60601-1 clause 10.2 for medical electrical equipment, preventing nuisance trips during startup inrush while ensuring branch faults do not propagate to adjacent subsystems via shared conductors. | Test | subsystem, power-management, power-distribution, session-361, idempotency:sub-pdu-branch-circuits-361 |
| SUB-MAIN-089 | The Time Compute Node SHALL be a dedicated timing hardware module (70mm × 45mm, M.2 form factor) installed on the system backplane, providing IEEE 1588v2 PTP grandmaster function with internal TCXO reference oscillator, GPS-disciplined timing input, and hardware timestamping to within ±500ns for all inter-subsystem data frames. Rationale: Physical embodiment needed per lint finding: TCN lacks Physical Object trait but SUB-MAIN-086 imposes physical environmental constraints. Dedicated timing hardware (rather than software PTP stack) provides deterministic ±500ns accuracy required for synchronised sensor fusion; TCXO reference maintains accuracy during GPS signal loss in RF-shielded operating theatres. | Test | |
| SUB-MAIN-089 | The Main Power Distribution Unit SHALL detect line-to-earth leakage current exceeding 500 µA on any branch and remove power from that branch within 100 ms, transmitting a fault code to the Power Sequencing Controller via the internal CAN bus. Rationale: IEC 60601-1 clause 8.7.3 limits patient-accessible leakage current to 500 µA in normal condition and to 1 mA in single fault. The 100 ms response time ensures the Safety and Interlock Subsystem can initiate protective shutdown before accumulated charge reaches dangerous thresholds, given the capacitance of typical OR wiring harnesses. | Test | subsystem, power-management, safety, iec60601, session-361, idempotency:sub-pdu-ground-fault-361 |
| SUB-MAIN-090 | The Motion Control System SHALL be developed and validated in conformance with IEC 62304:2006 (Medical device software lifecycle) at Software Safety Class C, and shall satisfy IEC 60601-1:2005+A1:2012 clause 14 (Programmable electrical medical systems) with a certified PEMS development file submitted to the notified body. Rationale: MCS is classified as Regulated (UHT hex 51F73A18) but had no compliance requirements. Class C classification is required because MCS failure can cause serious injury or death (loss of motion control during surgery). IEC 62304 mandates software lifecycle documentation; IEC 60601-1 PEMS requirements apply to all software-controlled medical devices in EU MDR scope. | Analysis | |
| SUB-MAIN-090 | The UPS Battery Module SHALL report state-of-charge to the Power Sequencing Controller at 1 Hz via the battery management system interface, with accuracy of ±2% across the 20–95% charge range, and SHALL assert a low-battery warning when state-of-charge falls below 25%. Rationale: Accurate state-of-charge telemetry at 1 Hz allows the Power Sequencing Controller to trigger an orderly shutdown before battery depletion causes an uncontrolled power loss during surgery. The 25% warning threshold provides at minimum 8 minutes of bridging time (from SUB-MAIN-043 minimum 10-minute UPS duration) for an orderly instrument retraction procedure. | Test | subsystem, power-management, ups, reliability, session-361, idempotency:sub-ups-soc-reporting-361 |
| SUB-MAIN-091 | The Workspace Safety Enforcer SHALL be designed, implemented, and independently verified to achieve Safety Integrity Level 3 (SIL 3) per IEC 61508-1:2010, with a target hardware fault tolerance of HFT ≥ 1, probabilistic failure to perform on demand of <10⁻⁷ per hour, and third-party functional safety assessment prior to clinical deployment. Rationale: WSE is classified as Regulated (UHT hex 51B73818) and is the primary safety boundary preventing instrument collision with anatomy outside the surgical workspace. SIL 3 is required for functions where failure can result in serious irreversible injury; HFT ≥ 1 means no single hardware failure can defeat the safety function. | Analysis | |
| SUB-MAIN-091 | When mains supply voltage falls below 80% of nominal for more than 20 ms, the Power Sequencing Controller SHALL initiate transfer to UPS Battery Module within 10 ms, ensuring no subsystem experiences a supply interruption exceeding 30 ms total. Rationale: The 30 ms total transfer budget is derived from joint servo control loop requirements: a 30 ms power interruption is the maximum before the joint controllers enter fault state (losing current position data), which would require a full arm re-homing sequence and loss of the sterile field. The 80% voltage threshold prevents false triggers from short-duration sags common in hospital OR environments. | Test | subsystem, power-management, ups, failover, safety, session-361, idempotency:sub-psc-mains-loss-transfer-361 |
| SUB-MAIN-092 | The Motion Scaling Module SHALL be developed under a Design History File (DHF) as required by 21 CFR Part 820.30 and EU MDR Annex II, shall implement scaling algorithms in a verified, MISRA C:2012 compliant codebase, and shall undergo human factors validation per IEC 62366-1 to confirm surgeons can accurately select and apply scaling ratios from 1:1 to 10:1 without error. Rationale: MSM is classified as Regulated (UHT hex 50B53B18) with no compliance requirements. DHF requirement satisfies FDA QSR for Class II/III devices; MISRA C compliance prevents safety-critical coding errors in scaling computation; IEC 62366-1 human factors validation is required because erroneous scaling selection (surgeon input error) is a foreseeable use error hazard. | Analysis | |
| SUB-MAIN-092 | The Auxiliary Power Supply SHALL maintain 24 VDC output within plus or minus 2% under load variations from 0 to 100% of rated capacity, and SHALL remain energised for a minimum of 20 minutes following complete loss of mains and UPS supply, sourced from a dedicated internal battery. Rationale: The 24 VDC auxiliary rail exclusively powers safety circuits: the Safe State Manager, Emergency Stop Chain, and Watchdog Timer Controller. These circuits must remain active after main UPS depletion to enable controlled arm retraction and safe-state assertion. 20 minutes exceeds the longest documented emergency surgical exit procedure (12 minutes per clinical operations data) with 8 minutes margin. | Test | subsystem, power-management, auxiliary-power, safety, session-361, idempotency:sub-aux-psu-24v-361 |
| SUB-MAIN-093 | The Power Management Subsystem SHALL provide patient-applied part (Type B minimum, Type BF preferred) galvanic isolation meeting IEC 60601-1:2005 clause 8 with patient leakage current <10µA (normal condition) and <50µA (single fault condition), and shall comply with IEC 60601-1-2:2014 (EMC) for conducted and radiated emissions in a clinical environment. Rationale: PMS is classified as Regulated (UHT hex 54F53018) but had no compliance requirements. IEC 60601-1 isolation is mandatory for all mains-powered medical devices. Leakage thresholds prevent microshock hazard to patients; EMC compliance prevents PMS switching noise from interfering with electrophysiology monitoring equipment co-located in the OR. | Test | |
| SUB-MAIN-093 | The Safety and Interlock Subsystem SHALL be designed, implemented, and verified to achieve Safety Integrity Level 3 (SIL 3) per IEC 62061, with a probability of dangerous failure per hour (PFH) not exceeding 1×10⁻⁷/h for each safety function (joint force limiting, E-stop chain, communication watchdog). Rationale: A surgical robot operating on an anaesthetised patient is a Class IIb/III medical device; safety functions that prevent uncontrolled arm motion or tissue penetration must meet SIL 3 under IEC 62061. PFH ≤1×10⁻⁷/h is the SIL 3 threshold. Failure to meet this leaves the safety case without regulatory acceptance. | Analysis | subsystem, sis, compliance, sil3, session-362, idempotency:sub-sis-sil3-compliance-362 |
| SUB-MAIN-094 | When the primary Procedure Data Recorder storage medium fails during an active surgical procedure, the system SHALL automatically failover to a secondary redundant recording path within 500ms, maintaining all video, telemetry, and event log streams with no data loss; the surgeon display SHALL indicate recording medium degradation within 1 second of failover. Rationale: PDR is System-Essential (UHT hex 50851208): procedure recordings are required for post-surgical review, complication investigation, and regulatory audit. Without recording continuity, any intraoperative event loses its evidential record. 500ms failover allows one frame of 4K video to be dropped but ensures continuous recording; surgical data continuity is mandated by EU MDR Article 83 (UDI) and hospital governance policies. | Test | |
| SUB-MAIN-094 | The Motion Control System software SHALL be developed and qualified under IEC 62304 Safety Class C, with full software lifecycle documentation including software development plan, software requirements, detailed design, unit and integration test records, and risk analysis. Rationale: Motion control software executes joint servo commands in real time for a Class IIb medical device; IEC 62304 Class C applies when software failure can cause death or serious injury. Absence of IEC 62304 classification prevents regulatory submission and creates unmanaged software risk. | Analysis | subsystem, motion-control, compliance, iec62304, session-362, idempotency:sub-mcs-iec62304-classC-362 |
| SUB-MAIN-095 | When the primary Time Protocol Engine TCXO reference or GPS disciplining input fails, the system SHALL maintain inter-subsystem synchronisation to within ±2µs holdover accuracy for a minimum of 30 minutes using the secondary crystal oscillator, and SHALL log the timing source degradation event with timestamp and subsystem notification within 100ms of fault detection. Rationale: TPE is System-Essential (UHT hex 50B57B08): loss of time synchronisation degrades sensor fusion accuracy, invalidates haptic feedback timing, and breaks inter-cart communication framing. 30-minute holdover covers typical OR interruption events (power blip, GPS shielding). ±2µs holdover bound is derived from maximum acceptable jitter in the 1kHz haptic control loop (1µs phase error is within 0.1% of sample period). | Test | |
| SUB-MAIN-095 | The Console Computer SHALL detect its own software watchdog failure within 500ms and automatically transfer console control authority to the backup processing path, preserving the surgeon's last commanded instrument position and annunciating the transfer via an audio tone and on-screen status update. Rationale: The Console Computer is the single physical host for the surgeon interface; a software hang without automatic recovery requires manual intervention during surgery, creating a potential patient safety event. 500ms timeout is consistent with the 150ms E-stop latency requirement — sufficient margin for detection before motion state becomes stale. | Test | subsystem, surgeon-console, redundancy, failover, session-362, idempotency:sub-cc-watchdog-failover-362 |
| SUB-MAIN-096 | When the Haptic Feedback Subsystem force-feedback actuator channel for any master manipulator axis fails, the system SHALL continue operating in degraded haptic mode, suppressing force feedback for the affected axis only, displaying a force feedback degraded warning to the surgeon within 200ms, and maintaining full motion control capability for all operational axes at the nominal 1kHz servo rate. Rationale: HFS is System-Essential (UHT hex 55F57018): complete haptic loss prevents the surgeon from detecting tissue contact forces, risking inadvertent perforation. Per-axis degraded mode (rather than full shutdown) preserves surgical capability for the critical axis while alerting to reduced fidelity. 200ms notification latency matches the surgeon's tactile attention refresh rate; 1kHz servo rate preservation ensures motion precision is not compromised. | Test | |
| SUB-MAIN-096 | When the Haptic Controller loses communication with the Force Sensing Module for more than 50ms, the Haptic Feedback Subsystem SHALL enter a force-blind degraded mode: the Master Handle Actuator SHALL apply a constant 0.3N braking force to all degrees of freedom, audible and visual alerts SHALL be activated, and the surgeon SHALL retain full kinematic control of instrument motion. Rationale: Complete loss of force feedback creates the risk of over-insertion or excessive tissue force without surgeon awareness. A 0.3N constant braking force (below the 5N tissue-force limit from SYS-MAIN-012) provides passive cue that force feedback is impaired without preventing emergency instrument withdrawal. 50ms threshold is consistent with the 15ms haptic render rate — three missed render cycles triggers degraded mode. | Test | subsystem, haptic, redundancy, degraded-mode, session-362, idempotency:sub-haptic-fbd-degraded-362 |
| SUB-MAIN-097 | The Power Management Subsystem SHALL provide redundant power paths for the Safety-Critical power domain (interlock subsystem, workspace safety enforcer, and emergency stop circuits): two independent DC supply rails each capable of sustaining full safety function load, with automatic switchover within 5ms of primary rail failure, supporting at least 60 seconds of safe-state hold from the onboard UPS battery. Rationale: PMS is System-Essential (UHT hex 54F53018): safety function power loss without backup results in uncontrolled actuator freewheel during surgery. Dual-rail architecture prevents single power supply failure from defeating the safety function. 5ms switchover is derived from the 250ms safe-state achievement budget (SYS-MAIN-002) — power switchover must not consume more than 2% of the fault budget. | Test | |
| SUB-MAIN-097 | The Motion Control and Scaling Subsystem command interfaces (Trajectory Generator inputs, Motion Scaling Module configuration parameters) SHALL authenticate all incoming command frames using a session-keyed HMAC-SHA256 message authentication code; any frame failing authentication SHALL be rejected and a security violation event logged to the Procedure Data Recorder within 10ms. Rationale: The Trajectory Generator and Motion Scaling Module accept commands that directly translate to physical arm motion. A spoofed or replayed command could cause unintended motion during surgery. HMAC-SHA256 provides integrity protection without the latency overhead of asymmetric encryption; session-key binding prevents replay across power cycles. IEC 80001-1 and the FDA cybersecurity guidance for networked medical devices both require integrity controls on safety-critical command paths. | Test | subsystem, motion-control, cybersecurity, authentication, session-362, idempotency:sub-mcs-command-hmac-362 |
| SUB-MAIN-098 | The Communication and Data Management Subsystem SHALL implement HMAC-SHA-256 message authentication on all safety-critical command channels (motion control, energy delivery, workspace safety enforcer), with per-message authentication tags verified by the receiving subsystem within one control cycle (≤1ms), and SHALL reject and log any command with an invalid or missing authentication tag, triggering a safe-state transition. Rationale: Subsystem decomposition of SYS-MAIN-018: CDMS is the inter-subsystem communication backbone and is therefore the natural implementation locus for command authentication. HMAC-SHA-256 is selected as it is computationally feasible within a 1ms control cycle on embedded hardware while providing 128-bit security level. Per-message authentication prevents replay and injection attacks identified in FDA 2023 cybersecurity guidance for surgical robots. | Test | |
| SUB-MAIN-098 | The Tool Tip Articulation Controller SHALL authenticate all incoming joint-space position commands using a 32-bit HMAC signature, rejecting any command with an invalid or missing signature within one control cycle (1ms), and logging all rejected commands to the Procedure Data Recorder. Rationale: IEC 62443-4-2 requires authentication of all command inputs to safety-critical embedded controllers. The TTAC directly drives distal DOFs; an unauthenticated command injected via a compromised Instrument Drive Unit bus could cause unexpected instrument motion at the tissue interface. 32-bit HMAC at 1kHz control rate is computationally feasible on the TTAC compute board and matches the authentication scheme applied to Kinematics Engine, Trajectory Generator, and Real-Time Protocol Engine. | Test | subsystem, surgical-instrument-system, cybersecurity, authentication, session-365, idempotency:sub-ttac-cybersecurity-auth-365 |
| SUB-MAIN-099 | The Vision and Imaging Subsystem SHALL deliver stereoscopic 3D video at 1080p per eye at 60Hz to the surgeon console display with end-to-end latency from endoscope tip to surgeon display of <50ms under nominal operating conditions, and SHALL maintain continuous stereo video output with no more than one dropped frame per 10 seconds during any intraoperative phase. Rationale: Subsystem decomposition of STK-MAIN-012 (surgeon situational awareness) and SYS-MAIN-003 (stereoscopic HD video). <50ms latency threshold is derived from human perception: beyond 50ms surgeons report motion sickness in VR-coupled tasks; frame-drop continuity specification ensures no interruption of tissue visualisation during critical dissection phases. | Test | |
| SUB-MAIN-099 | The Kinematics Engine SHALL authenticate all joint-space command packets received from the Motion Control System using a 32-bit HMAC-SHA256 keyed with a session key negotiated at startup, rejecting any packet with an invalid or missing signature within one control cycle. Rationale: IEC 62443-4-2 requires input authentication for safety-critical control software. Unauthenticated Cartesian commands injected at the inter-subsystem interface could be used to drive arm joints beyond safe workspace limits. Session-key HMAC provides both authentication and replay protection without requiring persistent key storage on the RTCN. | Test | subsystem, motion-control, cybersecurity, session-365, idempotency:sub-ke-auth-iec62443-365 |
| SUB-MAIN-100 | The Trajectory Generator SHALL validate all motion waypoints against the active workspace safety envelope before execution, rejecting any waypoint that would place an instrument tip within 5mm of a registered keep-out zone boundary, and halting trajectory execution with a safe-state transition within 5ms of detection. Rationale: Trajectory-level validation provides defence-in-depth upstream of the Joint Servo Controller. Rejecting unsafe waypoints at the Trajectory Generator prevents the Workspace Safety Enforcer from being the sole line of defence against workspace boundary violations, meeting IEC 80601-2-77 requirement for layered safety barriers in surgical robots. | Test | subsystem, motion-control, workspace-safety, session-365, idempotency:sub-tg-waypoint-validation-365 |
| SUB-MAIN-101 | The Real-Time Protocol Engine SHALL authenticate all synchronisation frames received on the inter-cart fibre link using a 16-bit CRC combined with a 32-bit session token, discarding any frame that fails authentication and triggering a communication fault event within one synchronisation period. Rationale: RTPE processes all time-critical synchronisation traffic between Surgeon Console and Patient-Side Cart at 1kHz. An injected or replayed synchronisation frame could desynchronise the master-slave control loop, causing latency spikes or control instability. Frame-level authentication is consistent with IEC 62443 requirements and matches the HMAC scheme applied to KE and TG. | Test | subsystem, infrastructure, cybersecurity, session-365, idempotency:sub-rtpe-auth-sync-365 |
| SUB-MAIN-102 | The Workspace Safety Enforcer SHALL be designed and verified to IEC 60601-1:2005+A1:2012 and ISO 14971:2019, achieving Classification III risk acceptability for joint workspace limit enforcement, with documented residual risk below the acceptable limit defined in the system risk management file. Rationale: Workspace Safety Enforcer is Regulated per UHT classification (51B73818). Enforces hard joint limits whose violation risks direct patient injury. IEC 60601-1 clause 14 and ISO 14971 are legally mandated under MDR 2017/745. This requirement establishes the certification basis for the workspace limit function. | Analysis | |
| SUB-MAIN-102 | The Power Management Subsystem SHALL comply with IEC 60601-1:2005+AMD1:2012 (Medical electrical equipment — General requirements for basic safety and essential performance) and IEC 60601-1-2:2014 (electromagnetic compatibility), with applied part classification F-Type for all outputs connected to patient-coupled circuits, achieving 500 VAC dielectric withstand between mains and patient outputs. Rationale: IEC 60601-1 compliance is mandatory for medical electrical equipment connected to or supplying patient-coupled circuits. F-Type floating isolation is required because the PDU supplies the patient-side cart, which may have instruments in contact with the patient; a ground fault on the mains side must not cause patient injury. The 500 VAC withstand is the IEC 60601-1 Table 2 value for F-Type parts at 230V mains. | Test | subsystem, power-management, compliance, iec60601, session-368, idempotency:sub-pms-iec60601-compliance-368 |
| SUB-MAIN-103 | The Communication and Data Management System SHALL implement HMAC-SHA256 message authentication on all safety-critical inter-subsystem command interfaces over the inter-cart fibre link, verifying each command frame before forwarding to motion control, with authentication failure causing immediate command rejection and SAFE-HOLD transition within 50ms. Rationale: SYS-MAIN-018 mandates cryptographic message authentication on safety-critical interfaces. HMAC-SHA256 selected over AES-GCM because it has lower compute latency (<10 microseconds on embedded DSP) while providing equivalent message authentication strength for the 1kHz control frame rate. Failure to authenticate must trigger SAFE-HOLD rather than continue — any accepted spoofed or corrupted command could cause uncontrolled arm motion. | Test | |
| SUB-MAIN-103 | The Inter-Cart Fibre Link SHALL provide a minimum sustained one-way latency of ≤500µs for all real-time kinematic command frames under peak traffic load (21 kinematics channels at 1kHz simultaneously with dual stereo HD video streams). Rationale: The 500µs one-way latency budget for the fibre link is derived from the 1ms end-to-end control loop requirement in SYS-MAIN-001. With 250µs allocated to outbound processing and 250µs for return path encoding, 500µs is the maximum permissible fibre path delay. Exceeding this would violate the haptic feedback realism threshold of <1ms round-trip, causing perceptible surgeon-to-instrument lag during tissue manipulation. | Test | subsystem, comms, inter-cart-fibre, session-369, idempotency:sub-icfl-latency-369 |
| SUB-MAIN-104 | The Inter-Cart Fibre Link SHALL switch from the primary to the redundant fibre path within 5ms of primary link failure detection, with no loss of kinematic command continuity beyond the within the 100ms safety timeout window. Rationale: 5ms failover is derived from SUB-MAIN-028 which requires link failure detection within 5ms and transition to safe state. A 5ms failover without command loss is achievable with hot-standby redundancy at FPGA-level path switching; a longer switchover would require the Safety and Interlock Subsystem to initiate arm park, disrupting the procedure unnecessarily. | Test | subsystem, comms, inter-cart-fibre, redundancy, session-369, idempotency:sub-icfl-failover-369 |
| SUB-MAIN-105 | The Real-Time Protocol Engine SHALL encapsulate each 1kHz kinematic command frame with a 32-bit sequence number, HMAC-SHA256 authentication tag, and CRC-32 error detection field within a total frame overhead of 64 bytes or less. Rationale: Frame overhead must be bounded so that the 1kHz cycle at 21 joint channels fits within the 1Gbps link budget. HMAC-SHA256 per frame satisfies SYS-MAIN-018 cryptographic authentication. CRC-32 provides independent error detection; HMAC alone is not sufficient for in-flight bit error detection due to compute latency. 64-byte overhead yields <7% protocol overhead at peak data load. | Analysis | subsystem, comms, real-time-protocol-engine, session-369, idempotency:sub-rtpe-framing-369 |
| SUB-MAIN-106 | The Real-Time Protocol Engine SHALL detect frame loss or sequence discontinuity within one 1kHz frame period (1ms) and report a COMM_FAULT event to the Safety and Interlock Subsystem within 2ms of detection. Rationale: 1ms detection aligns with the 1kHz kinematic control cycle: a missed frame is visible at the next expected sequence number. The 2ms reporting budget allows one additional frame cycle for COMM_FAULT generation, keeping total fault propagation under 3ms, well within the 100ms safety timeout. Delayed detection would allow incorrect kinematics to accumulate before safe-state is initiated. | Test | subsystem, comms, real-time-protocol-engine, fault-handling, session-369, idempotency:sub-rtpe-fault-detect-369 |
| SUB-MAIN-107 | The Network Management Controller SHALL monitor both primary and secondary fibre link health at 100Hz and classify each link as HEALTHY, DEGRADED, or FAILED based on bit error rate, frame loss ratio, and inter-frame jitter thresholds. Rationale: 100Hz monitoring provides 10ms resolution on link degradation events, sufficient to initiate failover before the 100ms safety timeout. Three-state classification allows the system to pre-arm failover on DEGRADED links before outright failure, reducing unexpected switchover events during procedures. | Test | subsystem, comms, network-management, session-369, idempotency:sub-nmc-health-monitor-369 |
| SUB-MAIN-108 | The Network Management Controller SHALL implement strict-priority queuing with three traffic classes: SAFETY (heartbeats and E-stop, highest priority), KINEMATIC (1kHz command frames), and DATA (video and procedure recording, lowest priority), ensuring SAFETY and KINEMATIC frames are never delayed by DATA traffic. Rationale: Priority queuing is required because safety heartbeats and kinematic commands have hard real-time deadlines (5ms and 1ms respectively) while video and recording data have soft deadlines. Without traffic class isolation, burst video traffic could compete for bandwidth with safety-critical frames, introducing jitter that violates SYS-MAIN-001 and SYS-MAIN-002. | Analysis | subsystem, comms, network-management, session-369, idempotency:sub-nmc-qos-369 |
| SUB-MAIN-109 | The Procedure Data Recorder SHALL sustain a continuous write throughput of at least 2 GB/s to NVMe RAID storage while simultaneously recording 21-channel kinematics at 1kHz, dual stereo HD video at 60fps, and timestamped system events without buffer overflow or dropped frames for a minimum 8-hour procedure duration. Rationale: 2 GB/s throughput is derived from peak data rates: 21 joints x 3 values x 2 bytes x 1000Hz = ~126 KB/s kinematics; 2x1080p60 H.264 at 50Mbps = ~12.5 MB/s video; event log negligible. Total ~13 MB/s sustained, with 2 GB/s NVMe capacity providing 150x headroom for burst and redundancy writes. SYS-MAIN-015 requires 8-hour continuous recording. | Test | subsystem, comms, procedure-data-recorder, session-369, idempotency:sub-pdr-throughput-369 |
| SUB-MAIN-110 | The Procedure Data Recorder SHALL generate a SHA-256 hash of the complete procedure dataset at end-of-procedure and store it alongside the data, enabling post-hoc integrity verification of all recorded kinematic, video, and event data. Rationale: Cryptographic hash verification satisfies regulatory requirements for surgical record integrity (IEC 62304 and FDA 21 CFR Part 11 audit trail obligations). Without hash verification, undetected storage corruption could render recorded data inadmissible for post-procedural review or incident investigation. | Test | subsystem, comms, procedure-data-recorder, session-369, idempotency:sub-pdr-integrity-369 |
| SUB-MAIN-111 | The Surgical Instrument System patient-side components (Sterile Adapter, Surgical Instruments, and Cable Tensioning System) SHALL withstand full fluid immersion in IPA 70% and quaternary ammonium compound disinfectants for minimum 30-minute contact time without degradation of structural integrity, sterile barrier, or instrument articulation performance. Rationale: SYS-MAIN-006 mandates IPA 70% compatibility for all sterile-field components. The Surgical Instrument System houses the cable-driven wrist mechanism, sterile adapters, and instrument channels that routinely contact surgical irrigation and disinfectants. Failure to resist IPA 70% immersion risks stress-cracking of polymer housings, corrosion of cable sheaths, and loss of sterile barrier — potential patient infection pathways. | Test | subsystem, surgical-instrument, sterility, session-373, idempotency:sub-sis-ipa-disinfectant-373 |
| SUB-MAIN-112 | The Procedure Data Recorder SHALL be implemented as a rack-mounted 2U line-replaceable unit (LRU) housed within the Vision Cart, with RAID-1 mirrored storage of minimum 2TB, compliant with IP32 ingress protection to tolerate operating-room fluid splash, and a front-panel status LED visible from 3 metres. Rationale: The Procedure Data Recorder stores complete procedural data streams that may be used for post-operative review, regulatory audit, and litigation evidence. Physical embodiment as a 2U rack LRU enables field replacement without cart teardown. IP32 protects against OR fluid management. RAID-1 ensures no data loss on single-drive failure. | Inspection | subsystem, comms, pdr, physical, session-374, idempotency:sub-pdr-physical-embodiment-374 |
| SUB-MAIN-113 | The Procedure Data Recorder SHALL be a rack-mounted 2U line-replaceable unit in the Vision Cart with 2TB RAID-1 mirrored storage and IP32 ingress protection. Rationale: Defined as LRU for field replacement without Vision Cart teardown. IP32 protects against OR fluid splash. RAID-1 ensures no data loss on single-drive failure during procedure. | Inspection | rt-mechanical-trace, red-team-session-502 |
| SUB-MAIN-114 | The Power Management Subsystem SHALL be housed in a dedicated sealed electronics bay within the Patient-Side Cart, with the Main Power Distribution Unit and UPS Battery Module installed as field-replaceable assemblies, accessible via a locked service panel requiring IEC 62353 isolation verification before access. Rationale: Power management handles 240V AC mains and high-capacity battery systems. Physical enclosure in a sealed bay with locked access prevents inadvertent contact with live voltages in the sterile surgical environment. Field-replaceable assemblies reduce mean-time-to-repair and avoid full cart downtime. | Inspection | subsystem, power-management, physical, session-374, idempotency:sub-pms-physical-embodiment-374 |
| SUB-MAIN-115 | The Real-Time Compute Node SHALL be packaged as a single-board computing module conforming to VITA 57.1 FMC form factor, installed in a vibration-isolated slot within the Patient-Side Cart electronics bay, with conformal coating for condensation protection and operational temperature range of 0 to 50 degrees Celsius. Rationale: VITA 57.1 FMC standardises the physical interface and enables like-for-like replacement for RTCN variants without cart redesign. Conformal coating addresses OR humidity. The 0-50C range covers cold storage to a warm operating room, which is the real thermal envelope for medical cart electronics. | Inspection | subsystem, motion-control, physical, rtcn, session-374, idempotency:sub-rtcn-physical-embodiment-374 |
| SUB-MAIN-116 | The Motion Control System SHALL be implemented as a distributed electronics assembly across the Patient-Side Cart with the Real-Time Compute Node, Trajectory Generator, and Motion Scaling Module co-located in the same vibration-isolated electronics chassis to minimise inter-module latency, with individual modules accessible for replacement without full cart disassembly. Rationale: Co-location of the RTCN, Trajectory Generator, and Motion Scaling Module on a common backplane eliminates inter-chassis cabling latency, keeping the computation pipeline within the 1ms end-to-end cycle budget. Physical modularity enables field repair without returning the full cart to depot, reducing surgical suite downtime. | Inspection | subsystem, motion-control, physical, session-374, idempotency:sub-mcs-physical-embodiment-374 |
| SUB-MAIN-117 | The Power Management Subsystem SHALL comply with IEC 60601-1:2005+AMD1:2012 medical electrical equipment safety standard, with dielectric withstand testing at 4000V AC applied between primary circuit and patient-accessible parts, and leakage current not exceeding 500 microamperes under normal condition and 1000 microamperes under single-fault condition. Rationale: IEC 60601-1 is mandatory for medical electrical equipment in all major markets (EU MDR, FDA 510k). The 500/1000 microampere leakage limits are the Class I limits for non-cardiac-applied equipment. Dielectric withstand at 4kV AC demonstrates adequate insulation margin against mains voltage transients in hospital environments. | Test | subsystem, power-management, compliance, regulatory, session-374, idempotency:sub-pms-iec60601-compliance-374 |
| SUB-MAIN-118 | The Motion Scaling Module SHALL implement motion-to-command scaling in compliance with IEC 80601-2-77 (medical robot requirements), producing scaling factors adjustable from 1:1 to 10:1 in 0.5 increments, with scaling coefficient verified to be monotonically decreasing and configurable only during instrument change-out state, not during active manipulation. Rationale: IEC 80601-2-77 sets specific requirements for the motion path of surgical robots. Restricting scaling adjustment to instrument change-out state prevents mid-procedure parameter changes that could startle the surgeon. 10:1 maximum provides fine tremor filtering without eliminating proprioceptive workspace awareness. | Test | subsystem, motion-control, compliance, regulatory, session-374, idempotency:sub-msm-iec80601-compliance-374 |
| SUB-MAIN-119 | The Workspace Safety Enforcer SHALL comply with ISO 10218-1:2011 industrial robot safety requirements as adapted for medical use under IEC 80601-2-77, implementing a minimum of SIL 2 (IEC 62061) safety integrity level for all workspace boundary enforcement functions, with a probability of dangerous failure per hour (PFHd) not exceeding 1E-7. Rationale: The Workspace Safety Enforcer is the last software defence against robot arm collision with patient anatomy or OR equipment. ISO 10218-1 and IEC 80601-2-77 together mandate SIL 2 for safety functions in collaborative and surgical robotics. PFHd 1E-7 corresponds to a target risk reduction of 10 million operations per dangerous failure. | Analysis | subsystem, motion-control, workspace-safety, compliance, safety, session-374, idempotency:sub-wse-sil2-compliance-374 |
| SUB-MAIN-120 | The Real-Time Protocol Engine SHALL implement dual-path redundancy with a primary Ethernet deterministic path (IEEE 802.1Qbv TSN) and a secondary CAN FD backup path, automatically failing over to the backup path within 5ms of detecting primary path loss, with no motion command gap exceeding 20ms during failover transition. Rationale: The Real-Time Protocol Engine is classified System-Essential: its failure stops all motion. Single-path Ethernet has documented failure modes (cable damage, switch failure) unacceptable in a surgical environment. TSN primary provides deterministic 1ms jitter; CAN FD backup provides hardware-level reliability at reduced bandwidth. 5ms failover is within the 100ms motion safety envelope. | Test | subsystem, comms, real-time-protocol-engine, redundancy, session-374, idempotency:sub-rtpe-redundancy-374 |
| SUB-MAIN-121 | The Haptic Feedback Subsystem SHALL maintain force-feedback rendering to the surgeon master handles from a hot-standby Haptic Controller process that assumes command within 10ms of primary controller failure, with the standby process running on a physically separate processor sharing force sensor data via a dedicated inter-processor link. Rationale: Loss of haptic feedback during a surgical manoeuvre removes the surgeon's only sense of tissue resistance, increasing the risk of inadvertent tissue damage. The Haptic Feedback Subsystem is System-Essential. Hot standby on separate silicon prevents correlated failures from a single compute fault. 10ms switchover preserves the surgeon's control loop without perceptible discontinuity. | Test | subsystem, haptic, redundancy, session-374, idempotency:sub-hfs-redundancy-374 |
| SUB-MAIN-122 | The Stereoscopic Display System SHALL present the left and right stereo channels with inter-ocular distance adjustable from 58 to 72mm and vergence-accommodation conflict (VAC) below the 0.6 dioptre perceptual threshold, ensuring the surgeon's eyes converge at the same depth as the displayed surgical field. Rationale: Vergence-accommodation conflict causes visual fatigue and depth perception errors in stereoscopic systems. The 0.6 dioptre threshold is the published human factors limit before perceptual discomfort. Adjustable inter-ocular distance (58-72mm) covers the 5th-95th percentile of adult surgeons. Without this requirement, the display system risks long-duration visual fatigue in multi-hour procedures. | Test | subsystem, vision, eye, ergonomics, session-374, idempotency:sub-sds-eye-ergonomics-374 |
| SUB-MAIN-123 | The Motion Scaling Module SHALL implement master-to-slave motion scaling ratios from 1:1 to 10:1 in configurable steps, with the active ratio displayed continuously at the surgeon console, and any ratio change requiring explicit confirmation via foot-pedal hold during instrument change-out state only. Rationale: System requirement SYS-MAIN captures 1:1 to 10:1 master-to-slave scaling as a core surgical robot capability. This subsystem requirement operationalises the scaling ratio range, confirmation workflow, and display requirement needed to implement it safely. Confirmation workflow prevents accidental ratio change; continuous display prevents the surgeon operating with an unintended ratio. | Test | subsystem, motion-control, tremor, scaling, session-374, idempotency:sub-msm-scaling-workflow-374 |
| SUB-MAIN-124 | The Master Handle Actuator SHALL provide 6-DOF force reflection to the surgeon's master manipulator with a bandwidth of at least 30Hz and force dynamic range of 0.01N to 10N, with position sensing resolution finer than 0.1mm at the instrument tip-equivalent workspace position. Rationale: 30Hz bandwidth matches the human proprioceptive resolution limit, ensuring the surgeon perceives all force events at the instrument tip. 0.01N minimum force reflects delicate tissue contact; 10N maximum corresponds to maximum safe instrument force. 0.1mm tip-equivalent resolution prevents staircase artefacts when the surgeon palpates tissue margins. | Test | subsystem, haptic, master-manipulator, session-374, idempotency:sub-mha-master-manipulator-374 |
| SUB-MAIN-125 | The Surgeon Input Console outer surfaces and all non-sterile patient-side cart covers SHALL withstand repeated wiping with 70% isopropyl alcohol (IPA) solution, 2% glutaraldehyde, and quaternary ammonium compound wipes without surface degradation, delamination, or ingress into electronics over a service life of 10 years and 3000 cleaning cycles. Rationale: IPA 70%, glutaraldehyde 2%, and QAC wipes are the three most common OR surface disinfectants. Compatibility with all three is required because hospital purchasing decisions vary by institution. 3000 cycles corresponds to daily disinfection over a 10-year device lifetime. Surface failure risks chemical ingress causing electrical faults in a clinical environment. | Test | subsystem, surgeon-console, sterility, compliance, session-374, idempotency:sub-console-ipa-disinfection-374 |
| SUB-MAIN-126 | The Communication and Data Management System SHALL authenticate all inter-cart command messages using HMAC-SHA256 with a 256-bit session key negotiated at cart pair-up via ECDH-P384, rejecting any message with invalid authentication tag within one communication cycle (1ms), logging the rejection as a security event, and triggering SAFE_HOLD after 3 consecutive authentication failures. Rationale: Cryptographic authentication mitigates spoofed motion command injection, a credible attack vector in robotic surgery given the increasing connectivity of OR equipment. HMAC-SHA256 provides collision-resistant authentication within the 1ms cycle budget. ECDH-P384 key exchange avoids pre-shared keys that would be impractical to rotate. 3-failure threshold limits denial-of-service via message flooding while tolerating transient bit errors. | Test | subsystem, comms, cybersecurity, compliance, session-374, idempotency:sub-cdms-crypto-auth-374 |
| SUB-MAIN-127 | The Motion Control and Scaling Subsystem SHALL enforce a minimum inter-arm clearance of 15mm between any two patient-side arm segments by computing pairwise convex-hull distances at 100Hz and commanding the affected arms to halt and retract when predicted clearance falls below 25mm, completing the halt within 50ms of detection. Rationale: With three instrument arms operating simultaneously in a body cavity of approximately 150mm diameter, arm-to-arm collision is a credible failure mode not addressed by the existing workspace boundary enforcement which only constrains each arm against patient anatomy. A 15mm hard limit with a 25mm warning threshold at 100Hz gives 100ms reaction window at maximum arm velocity (250mm/s); the 50ms halt budget leaves margin for mechanical deceleration. Analogous requirement present in ISO 10218-1 Clause 5.11 for industrial robot systems operating in collaborative workspace. | Test | subsystem, motion-control, collision-avoidance, safety, validation, session-377 |
| SUB-MAIN-128 | The Surgeon Input Console SHALL implement a compliant alarm management system per IEC 60601-1-8:2006, assigning each alarm condition to one of three priority levels (HIGH, MEDIUM, LOW), providing distinct visual alarm signals (red flashing for HIGH, amber flashing for MEDIUM, amber steady for LOW) and distinct auditory alarm signals with signal patterns per IEC 60601-1-8 Annex F, and continuing to signal active alarms on internal battery power following loss of mains. Rationale: IEC 60601-1-8 alarm management is a mandatory collateral standard under IEC 60601-1 for medical devices that generate alarm conditions. A surgical robot generates multiple concurrent alarm conditions (communication fault, energy delivery fault, instrument fault, force limit, watchdog) that must be prioritised and clearly distinguished to prevent alarm fatigue causing surgeons to miss safety-critical alerts during a procedure. The internal battery continuation requirement prevents alarm masking during the UPS power-bridge period. | Inspection | subsystem, surgeon-console, alarm-management, regulatory, validation, session-377 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-MAIN-001 | The interface between the Joint Force Monitor and the Motion Control and Scaling Subsystem SHALL carry per-axis joint torque readings at 1kHz over a dedicated real-time bus with <200µs latency, using hardware checksums for data integrity. Rationale: 1kHz at <200µs is required for the Joint Force Monitor to execute its 50ms graduated brake response with sufficient measurement cycles (50 samples) to avoid false triggers. Hardware checksum prevents corrupted torque values from masking force limit exceedances. | Test | interface, sis, mcs, joint-force, session-341, idempotency:ifc-jfm-mcs-torque-001-341 |
| IFC-MAIN-002 | The interface between the Emergency Stop Chain and the Power Management Subsystem servo drive contactors SHALL be a hardwired 24V DC control loop; interruption of the loop SHALL cause contactor drop-out within 50ms by capacitor discharge drive. Rationale: Hardwired loop (not digital signal) ensures contactor drop-out survives software fault or bus failure. 50ms is achievable with the capacitor hold-in drive approach without an external power supply. | Test | interface, sis, pms, estop, hardware, session-341, idempotency:ifc-estop-pms-contactor-001-341 |
| IFC-MAIN-003 | The interface between the Communication Monitor and the inter-cart fibre link SHALL expose per-frame CRC pass/fail, round-trip latency in microseconds, and receive buffer occupancy at 1kHz to the Communication Monitor via a sideband status register, without interrupting the data path. Rationale: Sideband status register (not in-band signalling) prevents monitoring from interfering with the real-time control stream. 1kHz status updates are necessary to meet the 3-frame loss detection latency requirement in SUB-MAIN-002. | Test | interface, sis, communication, fibre, session-341, idempotency:ifc-comms-monitor-fibre-001-341 |
| IFC-MAIN-004 | The Safe State Manager SHALL broadcast the current system safety state (OPERATIONAL, DEGRADED, SAFE-HOLD) to all subsystems over a dedicated safety bus within 5ms of any state transition, using a publisher-subscriber protocol with guaranteed delivery. Rationale: 5ms broadcast latency ensures all subsystems receive the new state within the first 2% of the 250ms safe-state window, allowing coordinated response without race conditions between independently-responding subsystems. | Test | interface, sis, safe-state, broadcast, session-341, idempotency:ifc-ssm-broadcast-001-341 |
| IFC-MAIN-005 | The interface between the Surgeon Console and the Motion Scaling Module SHALL transmit Cartesian velocity commands for all 6 DOF at 1kHz using a UDP/multicast protocol over 1GbE fibre with maximum one-way latency of 3ms and packet loss tolerance of 0 (zero packet drop acceptable; retransmit on loss). Rationale: 1kHz command rate is the Nyquist minimum for 500Hz servo bandwidth; 3ms one-way latency is the network share of the 100ms system budget. Zero packet loss is mandatory: a dropped command packet causes a missed servo cycle and potential jerk at the instrument tip. | Test | interface, console-mc, session-340 |
| IFC-MAIN-006 | The interface between the Motion Control System and the Patient-Side Cart SHALL transmit 21 joint-angle setpoints (7 per arm x 3 arms) at 1kHz via CAN-FD at 5Mbps with maximum command-to-actuation latency of 2ms and shall include a CRC on every frame. Rationale: CAN-FD at 5Mbps provides sufficient bandwidth for 21 x 2-byte joint setpoints (42 bytes) at 1kHz = 336kbps, well within 5Mbps limit. 2ms latency includes transmission and joint servo processing. CRC mandated because a corrupted setpoint could command a joint to an incorrect position, creating patient risk. | Test | interface, mc-cart, session-340 |
| IFC-MAIN-007 | The interface between the Motion Control System and the Safety and Watchdog System SHALL provide a dedicated hardwired heartbeat signal at 200Hz; loss of heartbeat for more than 3 consecutive pulses (15ms) SHALL be interpreted by the Safety System as a Motion Control fault requiring immediate brake engagement. Rationale: Hardwired heartbeat is used (not software message) because a software crash could prevent sending a fault notification; hardware signal remains functional even when the compute node OS has hung. 15ms timeout gives 35ms margin within the 50ms emergency stop budget. | Test | interface, mc-safety, session-340 |
| IFC-MAIN-008 | The interface between the Vision and Imaging System and the Surgeon Console SHALL transmit two independent uncompressed 1080p/60Hz video streams over 10GbE, synchronised within 1ms between left and right channels, with end-to-end latency below 50ms. Rationale: Left-right synchronisation within 1ms is required to prevent vergence-accommodation conflict in the stereoscopic display; mismatches above 5ms cause eye strain and nausea in surgeons. 50ms end-to-end is the video share of the total latency budget. | Test | interface, vision-console, session-340 |
| IFC-MAIN-009 | The interface between the Surgical Instrument System and the Motion Control System SHALL transmit instrument type identifier, usage count, and 3-axis tip force measurements at 500Hz via CAN-FD; instrument type SHALL be validated within 500ms of instrument insertion before motion commands are accepted. Rationale: Instrument type is required by the Kinematics Engine to load correct DH parameters and mass properties; wrong kinematics model creates joint-space errors. Force measurements at 500Hz provide the Motion Control pipeline with tissue-contact data for the Workspace Safety Enforcer force limits. | Test | interface, instrument-mc, session-340 |
| IFC-MAIN-010 | The interface between the Stereo Endoscope and the Camera Control Unit SHALL carry two independent HD-SDI video channels at 1.485 Gbps each, transmitting raw Bayer-pattern sensor data at 1920x1080 resolution and 60 frames per second, with BER not exceeding 1e-12. Rationale: Dual independent HD-SDI channels ensure single-channel failure does not affect the other (graceful degradation to 2D). Raw Bayer-pattern data is required because demosaicing and colour correction must be performed in the CCU where calibration data is stored. BER of 1e-12 prevents visible artifacts in the surgical image that could be mistaken for tissue features. | Test | interface, vision, session-341, idempotency:ifc-endoscope-ccu-341 |
| IFC-MAIN-011 | The interface between the Camera Control Unit and the Image Processing Pipeline SHALL transmit two synchronised 3G-SDI video streams at 2.97 Gbps each, carrying colour-corrected 1080p60 10-bit 4:2:2 video with inter-channel temporal skew not exceeding 100 microseconds. Rationale: 3G-SDI at 2.97 Gbps provides sufficient bandwidth for 10-bit 4:2:2 colour depth which preserves tissue colour fidelity for narrow-band imaging modes. The 100us inter-channel skew budget at this interface is tighter than the 500us end-to-end stereo sync requirement because downstream processing adds additional jitter. | Test | interface, vision, session-341, idempotency:ifc-ccu-ipp-341 |
| IFC-MAIN-012 | The interface between the Camera Control Unit and the Surgical Illumination Source SHALL transmit exposure metering data at 60Hz via RS-422 serial link at 115200 baud, with command-to-intensity-change latency not exceeding 16ms (one frame period). Rationale: Closed-loop illumination control requires exposure feedback at frame rate to prevent tissue overheating during endoscope repositioning (tissue reflectance changes abruptly as the tip moves between organs). RS-422 provides differential signalling for noise immunity in the OR electromagnetic environment. 16ms response ensures intensity tracks scene changes within one frame. | Test | interface, vision, session-341, idempotency:ifc-ccu-illumination-341 |
| IFC-MAIN-013 | The interface between the Image Processing Pipeline and the Stereoscopic Display System SHALL transmit two independent DisplayPort 1.2 video streams at 3840x2160 resolution and 60Hz with 10-bit colour depth, with maximum end-to-end latency from IPP output to photon emission not exceeding 8ms. Rationale: 4K resolution per eye at 10-bit depth provides tissue colour fidelity required for narrow-band imaging differential diagnosis. The 8ms photon emission budget includes display controller processing and LCD response time. This budget is derived from the total 50ms hand-to-eye latency budget minus upstream processing and motion control allocations. | Test | interface, vision, session-341, idempotency:ifc-ipp-display-341 |
| IFC-MAIN-014 | The interface between the Image Processing Pipeline and the Procedure Video Recorder SHALL provide a composited 2D 1080p60 video stream via 3G-SDI at 2.97 Gbps, with embedded audio channels for OR ambient audio capture, and a parallel Ethernet link carrying timestamped system event metadata at 1kHz. Rationale: Composited 2D output combines left/right channels with overlay annotations for a single-stream recording suitable for review and teaching. Embedded audio captures surgeon voice notes. The parallel metadata link at 1kHz enables frame-accurate correlation between video and kinematic data per SYS-MAIN-015, which is critical for post-operative complication analysis. | Test | interface, vision, session-341, idempotency:ifc-ipp-recorder-341 |
| IFC-MAIN-015 | The interface between the Force Sensing Module and the Force Signal Conditioner SHALL carry six-axis strain gauge bridge differential signals with a common-mode rejection ratio of at least 80dB, connecting via a 12-conductor shielded cable with maximum length of 0.5m. Rationale: Strain gauge bridge output is a low-level differential signal (typically 1-10mV full scale). 80dB CMRR is required to reject the >10V common-mode noise present in the OR environment from surgical energy generators and motor drive switching. Cable length limit prevents impedance mismatch that degrades CMRR at high frequencies. | Test | rt-vague-interface, red-team-session-502 |
| IFC-MAIN-016 | The interface between the Force Signal Conditioner and the Haptic Controller SHALL transmit six-axis 16-bit digitised force samples at 1kHz via an isolated SPI bus operating at 10MHz, with a maximum bus propagation latency of 100us. Rationale: 16-bit resolution at 10MHz SPI provides sufficient bandwidth for six channels at 1kHz with headroom for protocol overhead. 100us propagation latency budget ensures the full haptic loop (sense-transmit-compute-actuate) stays within the 2ms latency requirement allocated in SUB-MAIN-023. | Test | interface, haptic, digital, session-342, idempotency:ifc-fsc-hc-342 |
| IFC-MAIN-017 | The interface between the Haptic Controller and the Master Handle Actuator motor driver SHALL transmit per-joint torque setpoints at 1kHz via CAN FD at 5Mbit/s, with hardware-enforced torque limiting such that no frame can command a torque greater than 1.2Nm on any joint. Rationale: CAN FD at 5Mbit/s provides sufficient bandwidth for 7-DOF torque commands at 1kHz with message latency under 100us. Hardware torque limiting on the motor driver provides a second layer of force protection independent of the Haptic Controller software, meeting the safety-in-depth requirement for the 1N feedback limit. | Test | interface, haptic, actuator, session-342, idempotency:ifc-hc-mha-342 |
| IFC-MAIN-018 | The interface between the Real-Time Protocol Engine and the Inter-Cart Fibre Link SHALL operate at 10Gbit/s with a maximum per-frame latency of 200us for kinematic command frames, and SHALL support a minimum of 8 logical channels multiplexed onto one physical fibre wavelength. Rationale: 10Gbit/s capacity accommodates 21-joint kinematics (21x64-byte frames at 1kHz = 10.7Mbit/s), two 4K60 video streams (~4Gbit/s combined), and headroom for safety and logging traffic. 200us per-frame latency contributes less than 20% of the 1ms communications budget allocated in SUB-MAIN-027. | Test | interface, comms, fibre, session-342, idempotency:ifc-rpe-fibre-342 |
| IFC-MAIN-019 | The interface between the Network Management Controller and the Safety and Interlock Subsystem SHALL provide a unidirectional status register update at 100Hz, reporting optical power level (dBm), frame loss rate (frames/s), and active link identity (primary or standby), readable by the Communication Monitor component. Rationale: 100Hz polling rate ensures the Communication Monitor (operating at 1kHz internal rate) has a link health update no older than 10ms, consistent with the 5ms fault detection target in SUB-MAIN-028. Unidirectional (read-only) access from Safety subsystem preserves safety isolation — the SIS can observe but not command the network. | Test | interface, comms, safety, session-342, idempotency:ifc-nmc-sis-342 |
| IFC-MAIN-020 | The interface between the Instrument Recognition Module and the Tool Tip Articulation Controller SHALL transfer instrument kinematic model parameters (cable routing geometry, pulley ratios, coupling compliance coefficients, and Bouc-Wen hysteresis model parameters) as a structured data packet of no more than 2KB via the internal CAN-FD bus within 50ms of instrument identity validation. Rationale: The Tool Tip Articulation Controller requires instrument-specific kinematic parameters to compute accurate cable displacement commands. The 2KB limit is derived from the maximum parameter set size for a 6-DoF instrument with per-cable hysteresis model (24 floats per cable x 6 cables + metadata). The 50ms transfer time is a sub-budget of the 200ms total recognition time in SUB-MAIN-032. | Test | surgical-instrument-system, interface, session-346 |
| IFC-MAIN-021 | The interface between the Cable Tensioning System and the Safety and Interlock Subsystem SHALL transmit cable tension anomaly alerts as a priority CAN-FD frame containing affected arm ID, cable channel, measured tension, nominal tension, and timestamp, with a maximum end-to-end latency of 2ms from anomaly detection to Safety and Interlock Subsystem receipt. Rationale: The Safety and Interlock Subsystem must receive cable anomaly data fast enough to enforce the 50ms arm shutdown in SUB-MAIN-038. The 2ms interface latency consumes only 4% of the total budget, leaving adequate margin for safety processing and actuator command. Priority CAN-FD framing ensures the alert is not delayed by regular control traffic. | Test | surgical-instrument-system, interface, safety, session-346 |
| IFC-MAIN-022 | The interface between the Tool Tip Articulation Controller and the Instrument Drive Unit SHALL deliver cable displacement commands for all four instrument DoF as a single CAN-FD frame at 1kHz, with each command expressed as a 16-bit signed integer representing micrometers of cable displacement, achieving command-to-actuation latency of no more than 200 microseconds. Rationale: The 1kHz update rate matches the motion control servo loop. 16-bit signed integer resolution provides +/-32mm range at 1um precision, sufficient for the cable displacement range of +/-20mm. The 200us command-to-actuation latency is the Instrument Drive Units share of the 1ms servo cycle, after the Tool Tip Articulation Controllers 500us computation budget. | Test | surgical-instrument-system, interface, session-346 |
| IFC-MAIN-023 | The interface between the Instrument Lifecycle Controller and the Safe State Manager SHALL transmit instrument lockout commands as a CAN-FD frame containing arm ID and lockout reason code, with the Safe State Manager acknowledging receipt within 5ms and inhibiting arm enable until a valid instrument is coupled. Rationale: The Safe State Manager is the single authority for arm enable per the safety architecture (ARC-MAIN-001). Instrument lockout must route through the safety chain rather than being enforced locally by the Instrument Lifecycle Controller, because bypassing the safety processor would violate the SIL 3 architecture. The 5ms acknowledgement ensures the lockout is enforced before the surgeon can begin using the arm. | Demonstration | surgical-instrument-system, interface, safety, session-346 |
| IFC-MAIN-024 | The interface between the Tremor Rejection Filter and the Motion Scaling Module SHALL carry filtered 6-DOF Cartesian velocity vectors (3 translational, 3 rotational) at 1kHz as 64-bit IEEE 754 floating-point values over shared memory, with worst-case read latency below 5 microseconds and a sequence counter for stale-data detection. Rationale: Shared memory is mandated by the sub-millisecond pipeline budget — IPC mechanisms such as sockets or message queues would introduce unacceptable jitter. The 64-bit float format preserves the 15-digit precision needed for sub-100μm tip positioning. The sequence counter enables the Motion Scaling Module to detect and reject stale frames, which is the primary defence against pipeline stall propagation. | Test | interface, motion-control, session-348, idempotency:ifc-trf-msm-velocity-348 |
| IFC-MAIN-025 | The interface between the Motion Scaling Module and the Trajectory Generator SHALL transmit scaled 6-DOF Cartesian velocity commands at 1kHz via shared memory, including the active scaling ratio as a metadata field, with data validity indicated by a monotonically incrementing timestamp synchronized to the Real-Time Compute Node system clock. Rationale: Including the active scaling ratio as metadata enables the Trajectory Generator to adjust acceleration limits proportionally — at 10:1 scaling, the same surgeon hand velocity produces 10× lower instrument velocity, allowing tighter acceleration bounds. The synchronized timestamp is essential for the Trajectory Generator to compute correct velocity integration and detect timing faults. | Test | interface, motion-control, session-348, idempotency:ifc-msm-tg-scaled-velocity-348 |
| IFC-MAIN-026 | The interface between the Trajectory Generator and the Kinematics Engine SHALL deliver interpolated Cartesian pose setpoints (position as 3-element vector in mm, orientation as unit quaternion) at 1kHz via a lock-free SPSC ring buffer, with buffer depth of at least 4 frames to tolerate scheduling jitter up to 3ms without data loss. Rationale: A lock-free single-producer/single-consumer ring buffer eliminates mutex contention in the real-time pipeline. The 4-frame buffer depth provides 3ms of jitter tolerance, which exceeds the measured worst-case PREEMPT_RT scheduling jitter of 1.5ms on the target compute platform. Quaternion representation avoids gimbal lock that would occur with Euler angles during wrist-over manoeuvres common in surgical procedures. | Test | interface, motion-control, session-348, idempotency:ifc-tg-ke-cartesian-pose-348 |
| IFC-MAIN-027 | The interface between the Kinematics Engine and the Joint Servo Controller SHALL transmit per-joint angle setpoints for all 7 DOF of each instrument arm at 1kHz over the EtherCAT fieldbus, with each frame containing position (32-bit), velocity feedforward (32-bit), and torque feedforward (32-bit) per joint, and end-to-end frame delivery latency below 250 microseconds. Rationale: EtherCAT provides deterministic sub-microsecond synchronization across all servo drives, which is mandatory for coordinated multi-joint motion. The 250μs delivery budget consumes one quarter of the 1ms control cycle, leaving 750μs for servo computation and actuation. Velocity and torque feedforward terms are essential for high-bandwidth tracking — position-only control produces unacceptable following error during fast surgical manoeuvres. | Test | interface, motion-control, session-348, idempotency:ifc-ke-jsc-joint-setpoints-348 |
| IFC-MAIN-028 | The interface between the Workspace Safety Enforcer and the Kinematics Engine SHALL provide a real-time workspace boundary constraint set updated at 100Hz, specifying the active Cartesian workspace limits as a convex polytope (up to 24 half-plane constraints) and per-joint angle limits, transmitted via shared memory with atomic compare-and-swap to prevent partial reads. Rationale: The workspace boundary is dynamically reconfigured during surgery (e.g., when the operating table repositions or when the surgeon redefines the working volume). 100Hz update rate ensures the Kinematics Engine operates within constraints that lag the actual boundary by at most 10ms. Convex polytope representation enables efficient real-time collision checking via linear programming, which the Kinematics Engine can evaluate within its 2ms computation window. Atomic CAS prevents the Kinematics Engine from reading a partially-updated polytope, which could create a non-convex feasible region and allow unsafe motion. | Test | interface, motion-control, session-348, idempotency:ifc-wse-ke-boundary-348 |
| IFC-MAIN-029 | The interface between the Auxiliary Power Supply and the Emergency Stop Chain SHALL maintain contactor coil energisation voltage within 22–26V DC continuously, including during mains loss events, with no interruption exceeding 10ms. Rationale: The Emergency Stop Chain contactors must remain closed during normal operation. A voltage interruption exceeding 10ms will cause contactor dropout and trigger an uncontrolled E-stop during surgery. The 10ms limit matches the contactor dropout time specification in IEC 60204-1 Category 3 systems. | Test | rt-missing-failure-mode, red-team-session-502 |
| IFC-MAIN-030 | The interface between Energy Delivery Controller and Electrosurgical Generator SHALL use a dedicated isolated CAN bus at 1Mbit/s, transmitting power setpoint, modality selection, and enable/disable commands from controller to generator at 100Hz, with generator acknowledging each command within 5ms. Rationale: CAN bus provides deterministic messaging with hardware-level error detection and isolation capability. 1Mbit/s supports 100Hz command rate with headroom for status return frames. 5ms acknowledgement timeout allows the controller to detect generator fault within one command cycle and trigger safety shutdown. Isolation prevents RF noise from the generator corrupting control traffic. | Test | interface, energy-delivery, session-352, idempotency:ifc-edc-esg-can-352 |
| IFC-MAIN-031 | The interface between Energy Delivery Controller and Ultrasonic Energy Module SHALL use a dedicated isolated RS-485 link at 115200 baud, carrying power level commands and blade temperature telemetry, with the module transmitting blade temperature to the controller at minimum 50Hz. Rationale: RS-485 is appropriate for point-to-point ultrasonic generator control at the required data rate. 50Hz blade temperature telemetry gives the controller 20ms resolution for the 100°C inhibit threshold response — adequate given the thermal time constant of the blade (estimated 200-500ms for 1°C change at full power). | Test | interface, energy-delivery, session-352, idempotency:ifc-edc-uem-rs485-352 |
| IFC-MAIN-032 | The interface between Return Electrode Monitor and Electrosurgical Generator SHALL include a hardwired safety interlock line that the Return Electrode Monitor holds in a de-energised (fail-safe) state; the Electrosurgical Generator SHALL not enable monopolar output unless this line is actively energised by a Return Electrode Monitor that has confirmed pad impedance below 135 ohms. Rationale: Hardwired fail-safe interlock (de-energise-to-inhibit) ensures monopolar energy is prohibited by hardware in the event of REM failure, communication loss, or power loss — no software path can override it. This is a common safety architecture in electrosurgical units per IEC 60601-2-2 and IEC 61508 SIL 2 guidance for patient-contact safety functions. | Test | interface, energy-delivery, safety, session-352, idempotency:ifc-rem-esg-interlock-352 |
| IFC-MAIN-033 | The interface between Tissue Effect Monitor and Electrosurgical Generator SHALL provide the monitor with access to real-time RF output voltage and current waveform samples at minimum 200kHz sampling rate, enabling impedance calculation at 1kHz; the monitor SHALL write shutoff commands to the generator via the CAN interface within 200ms of detecting seal endpoint. Rationale: 200kHz sampling of RF waveforms (at 300kHz-3MHz carrier) requires adequate Nyquist headroom for the envelope extraction used in impedance calculation. 1kHz impedance update rate is the minimum for the 400ms detection window. 200ms shutoff command latency ensures the system meets the vessel seal endpoint response requirement (SUB-MAIN-052) with margin. | Test | interface, energy-delivery, session-352, idempotency:ifc-tem-esg-impedance-352 |
| IFC-MAIN-034 | The interface between Energy Delivery Controller and Safety and Interlock Subsystem SHALL use the system safety bus to receive system state broadcast at 100Hz; the Energy Delivery Controller SHALL inhibit all energy delivery within 20ms of receiving a SAFE_STATE or E-STOP signal on this bus. Rationale: Energy delivery must respond to system-level emergency stop faster than the 50ms deactivation requirement (SUB-MAIN-048). 20ms allows the EDC to process the safety signal and command generator deactivation with 30ms margin for the generator hardware response. Bus-based integration avoids a dedicated hardwire for every energy modality, but the safety bus itself is hardware-isolated and deterministic. | Test | interface, energy-delivery, safety, session-352, idempotency:ifc-edc-safety-bus-352 |
| IFC-MAIN-035 | The interface between the Foot Pedal Array and the Energy Delivery Controller SHALL transmit energy modality (RF monopolar, RF bipolar, ultrasonic) and activation state (active/inactive) over a dedicated isolated CAN bus at 1Mbit/s, with a maximum message latency of 10ms. Rationale: Energy activation commands are safety-critical: a delayed or missed deactivation command could deliver unintended energy to tissue. 10ms message latency budget is compatible with the 50ms end-to-end pedal latency requirement (SUB-MAIN-055) after accounting for pedal debounce (10ms) and controller processing (5ms). | Test | interface, surgeon-console, energy-delivery, session-353, idempotency:ifc-pedal-edc-can-353 |
| IFC-MAIN-036 | The interface between the Foot Pedal Array and the Motion Control and Scaling Subsystem SHALL transmit instrument clutch state (engaged/disengaged) and camera control commands over the console CAN bus within 10ms, using message priority higher than configuration traffic but lower than safety bus messages. Rationale: Clutch engage/disengage decouples master arm motion from instrument motion, allowing the surgeon to reposition hands. A 10ms latency ensures sub-50ms end-to-end response (SUB-MAIN-055). Priority scheme prevents clutch messages from being starved by high-bandwidth configuration traffic. | Test | interface, surgeon-console, motion-control, session-353, idempotency:ifc-pedal-mcs-clutch-353 |
| IFC-MAIN-037 | The interface between the Console Computer and the Real-Time Protocol Engine SHALL exchange session management messages (case start, case end, configuration sync, surgeon identity) over gigabit Ethernet using a defined session protocol, with message delivery confirmation within 100ms. Rationale: Session management messages configure the patient-side cart with the correct instrument parameters, scaling, and surgeon profile before motion is enabled. The 100ms confirmation window allows the Console Computer to detect a failed session start and display an error before the surgical team proceeds. | Test | interface, surgeon-console, comms, session-353, idempotency:ifc-cc-rtpe-session-353 |
| IFC-MAIN-038 | The interface between the Voice Command Module and the Console Computer SHALL deliver recognised command identifiers (from a defined vocabulary enumeration) with a confidence score and timestamp over USB 3.0, and SHALL NOT transmit raw audio data outside the module to protect patient privacy. Rationale: Privacy constraint: raw audio captured in the OR may contain patient-identifiable information and must not be stored or transmitted beyond the recognition module. The command ID plus confidence score gives the Console Computer sufficient information to confirm or reject the command without retaining audio. | Test | interface, surgeon-console, voice, privacy, session-353, idempotency:ifc-vcm-cc-commands-353 |
| IFC-MAIN-039 | The interface between the Surgeon Interface Panel and the Console Computer SHALL carry master arm pose data at 1kHz in the upstream direction and haptic force commands at 1kHz in the downstream direction over a dedicated real-time EtherCAT bus, with end-to-end latency no greater than 1ms in each direction. Rationale: The haptic control loop is closed across this interface; a bidirectional 1kHz rate and 1ms one-way latency are the minimum specification consistent with transparent teleoperation as defined in SYS-MAIN-001 (<1ms end-to-end motion scaling). EtherCAT is selected over CAN or EtherNet/IP because it provides deterministic cycle times below 100us supporting the 1kHz control rate with headroom for jitter tolerance. | Test | interface, surgeon-console, haptic, session-356, idempotency:ifc-sip-cc-ethercat-356 |
| IFC-MAIN-040 | The interface between the Console Computer and the Inter-Cart Fibre Link SHALL carry a continuous 6-DOF Cartesian velocity command stream encoded as 48-byte little-endian frames at 1kHz, with a per-frame sequence number and 16-bit CRC-CCITT checksum. Rationale: The Console Computer is the upstream source of surgeon hand motion data. Explicit frame numbering at the interface allows the Real-Time Protocol Engine at the patient end to detect dropped frames immediately rather than processing stale data. CRC-CCITT provides the standard error detection for deterministic serial links, and is already used in the EtherCAT frame format for consistency. | Test | interface, motion-control, infrastructure, inter-cart-fibre, session-357, idempotency:ifc-cc-icfl-command-357 |
| IFC-MAIN-041 | The interface between the Inter-Cart Fibre Link and the Real-Time Protocol Engine SHALL deliver decoded 6-DOF velocity frames with a worst-case inter-frame delivery jitter of no more than 5 microseconds, providing the sequence number and CRC validity flag alongside each frame. Rationale: The Real-Time Protocol Engine's TDM scheduler has a 1-microsecond jitter budget (SUB-MAIN-071). Optical transceiver deserialization and clock recovery introduce additional timing uncertainty; 5 microseconds is the worst-case SERDES CDR lock window for the selected 10GBase-SR transceiver at 10m. Validity flags allow the RTPE to apply the fault-halt policy (SUB-MAIN-072) without a separate CRC computation on the RT task. | Test | interface, motion-control, infrastructure, inter-cart-fibre, real-time-protocol-engine, session-357, idempotency:ifc-icfl-rtpe-frames-357 |
| IFC-MAIN-042 | The interface between the Network Management Controller and each Joint Servo Controller SHALL use EtherCAT with a bus cycle of 1ms, delivering a 16-byte process data object containing target joint angle (float32), feed-forward torque (float32), control mode (uint8), and node fault mask (uint8) per servo node per cycle. Rationale: 1ms EtherCAT cycle matches the 1kHz kinematic pipeline rate end-to-end. The feed-forward torque field enables velocity-mode operation to complement the position PID in Joint Servo Controller, reducing steady-state tracking error at high speed. The fault mask byte allows per-node disablement without a separate out-of-band channel, consistent with IEC 61800-3 functional safety profile requirements for SIL 2 motion systems. | Test | interface, motion-control, infrastructure, network-management, joint-servo, session-357, idempotency:ifc-nmc-jsc-ethercat-357 |
| IFC-MAIN-043 | The interface between the Real-Time Compute Node and the Procedure Data Recorder SHALL transfer kinematic sample frames via PCIe DMA at 1kHz, where each frame contains a 64-bit UTC timestamp, 7-element float32 joint angle array, 7-element float32 joint torque array, and 6-element float32 Cartesian velocity array for each active arm, with a DMA transfer latency not exceeding 10 microseconds per frame. Rationale: PCIe DMA is the only interconnect capable of sustaining continuous 1kHz structured data transfer from a PREEMPT_RT kernel with sub-100-microsecond latency without consuming CPU cycles on a memory-copy path. A 10-microsecond DMA ceiling leaves the real-time CPU interrupt budget intact (SUB-MAIN-011 specifies 50-microsecond ISR worst case). The timestamp must be captured in hardware at the RTPE frame boundary, not in software, to avoid jitter from OS scheduling. | Test | interface, motion-control, infrastructure, procedure-data-recorder, session-357, idempotency:ifc-rtcn-pdr-dma-357 |
| IFC-MAIN-044 | The interface between the Main Power Distribution Unit and the Power Sequencing Controller SHALL use a galvanically isolated CAN FD bus operating at 1 Mbit/s, transmitting branch current, voltage, and fault status at 10 Hz with a maximum latency of 5 ms. Rationale: CAN FD at 1 Mbit/s provides sufficient bandwidth for 12-branch telemetry frames at 10 Hz while meeting automotive EMC standards tested for hospital OR environments. Galvanic isolation prevents ground loop noise from the high-current main bus from corrupting the low-voltage control bus, a known failure mode in earlier surgical robot power architectures. | Test | interface, power-management, can-bus, session-361, idempotency:ifc-pdu-psc-can-361 |
| IFC-MAIN-045 | The interface between the UPS Battery Module and the Main Power Distribution Unit SHALL provide a 48 VDC bulk link with a maximum impedance of 50 mOhm at the PDU input terminals, supporting peak discharge currents of up to 200 A for a maximum of 500 ms during startup inrush, and sustain 20 A continuous during surgical operation. Rationale: The 48 VDC bus voltage is the minimum that allows the DC-DC converters within the PDU to maintain regulated outputs during rapid transient loads from arm actuator energisation (up to 180 A peak measured at worst-case six-axis simultaneous joint engagement). The 50 mOhm impedance limit ensures less than 1 V bus droop during 20 A continuous load, preventing brownout resets in the downstream servo controllers. | Test | interface, power-management, ups, power-bus, session-361, idempotency:ifc-ups-pdu-dc-link-361 |
| IFC-MAIN-046 | The interface between the Power Sequencing Controller and the Auxiliary Power Supply SHALL use an isolated discrete signal to command charge/standby/discharge modes, with mode transitions acknowledged within 50 ms via a return status signal. Rationale: Discrete hardware signalling is used rather than bus-based control to ensure the Auxiliary Power Supply can receive commands even when the CAN bus has faulted, maintaining safety circuit availability in the worst-case scenario of bus communication failure during a power event. | Test | interface, power-management, auxiliary-power, session-361, idempotency:ifc-psc-auxpsu-control-361 |
| IFC-MAIN-047 | The interface between the Network Management Controller and the Safety and Interlock Subsystem SHALL transmit COMM_FAULT notifications within 2ms of link failure detection, using a dedicated LVDS hardwired signal independent of the fibre link under test. Rationale: LVDS hardwired signal ensures the fault notification channel is not dependent on the fibre link it monitors — the fibre link cannot report its own failure. 2ms budget matches the Real-Time Protocol Engine fault reporting window and keeps total fault propagation under 5ms required by SUB-MAIN-028. | Test | interface, comms, network-management, safety, session-369, idempotency:ifc-nmc-sis-fault-notify-369 |
| IFC-MAIN-048 | The interface between the Real-Time Protocol Engine and the Procedure Data Recorder SHALL deliver a time-stamped stream of decoded kinematic frames at 1kHz using shared memory DMA transfer with less than 100us delivery latency, without interrupting the Real-Time Protocol Engine deterministic cycle. Rationale: Shared memory DMA avoids adding any kernel scheduling latency to the RTPE deterministic cycle. 100us delivery budget allows the Procedure Data Recorder to buffer a full cycle before the next frame arrives. This decouples recording latency from the hard real-time control loop. | Test | interface, comms, real-time-protocol-engine, procedure-data-recorder, session-369, idempotency:ifc-rtpe-pdr-dma-369 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-MAIN-001 | ARC: Safety and Interlock Subsystem — dedicated safety processor with hardware watchdog authority. The SIS runs on a processor physically separated from motion control compute with independent power and CAN-bus brake authority. Alternatives considered: software safety monitor on shared CPU (rejected — common-cause fault kills both monitor and controlled system, violates SIL 3 HFT=1 requirement); safety PLC (rejected — latency budget incompatible with 1kHz control loop). Chosen architecture satisfies IEC 61508 SIL 3 Hardware Fault Tolerance = 1 with <1% common-cause exposure. Rationale: Architectural decision: Safety-Integrity Level 3 requires hardware fault tolerance that physically separate execution cannot provide on shared compute. This decision constrains all downstream SIS design. | Inspection | informational |
| ARC-MAIN-002 | ARC: Motion Control System — Cartesian-space pipeline with independent tremor filter and scaling stages. Cartesian-space scaling chosen over joint-space to preserve instrument orientation during scaled motion; joint-space scaling produces unexpected end-effector trajectories under redundancy resolution. Tremor filter precedes scaling to avoid amplifying filtered residuals. Six-component pipeline (Filter → Scale → IK → Safety → Servo) chosen for independent testability of each function, enabling SIL 3 V&V decomposition. Redundant compute node mandated by single-point-of-failure analysis: a compute failure in motion control must degrade to safe-stop, not uncontrolled motion. Rationale: Design rationale for the most safety-critical subsystem: captures key architectural choices that constrain all downstream component specifications and must be preserved across future refactors. | Inspection | informational |
| ARC-MAIN-003 | ARC: Vision and Imaging System — FPGA-based deterministic image processing pipeline with separated optical acquisition and display stages. The CCU performs per-channel sensor correction (white balance, gamma, chromatic aberration) before the FPGA pipeline adds enhancement and overlay compositing. FPGA was chosen over GPU because IEC 62304 Class C certification requires deterministic worst-case latency guarantees that GPU scheduling cannot provide. The stereo endoscope uses paired CMOS sensors with fixed 6mm baseline rather than a beam-splitter design because paired sensors allow independent channel failure (graceful degradation to 2D) and simpler sterilisation of the rigid optical assembly. Illumination uses closed-loop intensity feedback from the CCU to prevent tissue thermal damage, rather than fixed-intensity operation, because tissue reflectance varies 4x between organ types. Rationale: Architecture driven by three constraints: IEC 62304 Class C certification demands deterministic processing latency; graceful degradation from stereo to mono requires independent channel paths; IEC 60601-2-18 tissue temperature limits require closed-loop illumination control. | Analysis | informational |
| ARC-MAIN-004 | ARC: Haptic Feedback Subsystem — Galvanic isolation at Force Signal Conditioner boundary. The Force Signal Conditioner introduces a 4kVrms isolation barrier rather than isolating at the instrument tip. This choice keeps the patient-contact chain entirely analog (passive strain gauge) while confining the isolation requirement to a single, testable PCB boundary. Alternative (digital sensor in handle) was rejected due to sterilisation constraints on active electronics in the wristed instrument channel. Rationale: Architecture decisions are narrative records of design trade-offs; the rationale is embedded in the requirement text. The isolation placement choice (at FSC boundary rather than instrument tip) is driven by sterilisation constraints and regulatory compliance with IEC 60601-1 patient leakage current limits. | Inspection | informational |
| ARC-MAIN-005 | ARC: Communication and Data Management System — FPGA-based real-time protocol rather than OS-scheduled networking. A custom FPGA protocol engine rather than a Linux kernel TCP/IP stack is used for kinematic command framing because TCP cannot guarantee sub-millisecond per-frame latency under video traffic coexistence. The FPGA provides hardware-guaranteed timing isolation between priority channels, eliminating head-of-line blocking. A proprietary TDM protocol over 10GbE is preferred over TSN (802.1Qbv) because TSN requires switches to participate in time synchronisation, adding network device dependencies outside the system boundary. Rationale: Architecture decisions are narrative records of design trade-offs; the rationale is embedded in the requirement text. FPGA-based TDM over 10GbE was chosen over Linux TCP/IP and IEEE 802.1Qbv TSN to avoid OS scheduling jitter and external network device dependencies in the deterministic control path. | Inspection | informational |
| ARC-MAIN-006 | ARC: Surgical Instrument System uses cable-driven actuation with remote motors in the Instrument Drive Unit rather than direct-drive or gear-driven end-effector actuation. Alternatives considered: direct-drive motors at instrument tip (rejected: tip diameter constraint of 8mm precludes motors with sufficient torque; sterilization incompatible with embedded electronics); gear-driven actuation through instrument shaft (rejected: gear backlash exceeds 0.1mm accuracy requirement; maintenance burden of gear wear in disposable instruments is cost-prohibitive). Cable-driven approach enables all motors to reside in the non-sterile Instrument Drive Unit, separated from the sterile instrument by the Sterile Adapter. The Bouc-Wen hysteresis compensation in the Tool Tip Articulation Controller addresses the primary disadvantage of cable drive — nonlinear cable friction. Rationale: The cable-driven architecture is the only approach that simultaneously satisfies the 8mm instrument diameter constraint, the 0.1mm tip accuracy requirement, the sterile barrier architecture, and the disposable instrument cost target. This decision constrains all downstream instrument mechanical and control design. | Inspection | informational |
| ARC-MAIN-007 | ARC: Motion Control System — Dedicated Trajectory Generator between Motion Scaling and Kinematics Engine. The pipeline was extended to include an explicit trajectory generation stage that performs S-curve velocity profiling and acceleration limiting. This was chosen over embedding trajectory generation within the Kinematics Engine because: (1) separation of Cartesian-space trajectory planning from joint-space kinematics enables independent testing and tuning of motion smoothness constraints, (2) the Trajectory Generator can enforce tissue-safe acceleration limits before the kinematic solution, preventing the Kinematics Engine from ever receiving a demand that would produce unsafe tip forces, (3) the lock-free SPSC ring buffer interface provides timing isolation — a transient overrun in trajectory computation does not stall the kinematics cycle. Rationale: Separating trajectory generation from inverse kinematics enables independent testing of motion smoothness and prevents unsafe demands reaching the Kinematics Engine. SPSC ring buffer provides timing isolation between stages. | Inspection | architecture, motion-control, session-348 |
| ARC-MAIN-008 | ARC: Power Management Subsystem — Dedicated auxiliary 24V supply for safety circuits, electrically isolated from main bus. Considered single-supply architecture with software-controlled priority; rejected because any main bus controller firmware fault could de-energise safety contactors. Hardware isolation ensures safety supervision remains active regardless of software state. Rationale: Hardware isolation of safety circuits from main bus ensures safety supervision cannot be defeated by a firmware fault in the main bus controller. Single-supply with software priority was rejected because software-controlled switching cannot provide the necessary independence for IEC 62304 Class C safety circuitry. | Inspection | architecture, power-management, session-350 |
| ARC-MAIN-009 | ARC: Energy Delivery System — Dual-modality architecture (RF electrosurgery + 55.5kHz ultrasonic) with centralised Energy Delivery Controller. RF chosen for vessel sealing and haemostasis (monopolar/bipolar); ultrasonic chosen for structures within 1mm of critical vessels due to lower thermal spread. Separate Return Electrode Monitor mandated by IEC 60601-2-2 for monopolar monopolar patient safety; Tissue Effect Monitor added to detect vessel seal endpoints automatically, reducing surgeon reliance on subjective colour assessment. Single controller enforces mutual exclusion — simultaneous RF and ultrasonic activation is prohibited by interlock, not by convention. Rationale: Mixed-modality energy delivery is standard in advanced robotic surgery (cf. da Vinci ESS, Medtronic Thunderbeat), where no single energy type covers all tissue types. Centralised controller enforces safety envelope; distributed generators maintain isolation from each other and from the robot control network. | Inspection | architecture, energy-delivery, session-352 |
| ARC-MAIN-012 | ARC: Surgeon Input Console — Physical integration of haptic master arms, stereo viewer, foot pedals, and touchscreen into one ergonomic station, with strict separation of safety-critical hardware (foot pedal E-stop, hardwired) from software-mediated controls (touchscreen, voice). Rationale: decoupling safety-path hardware (E-stop pedal → Emergency Stop Chain) from the software configuration interface (touchscreen → Console Computer) ensures a firmware or OS fault on the Console Computer cannot suppress a surgeon-initiated emergency stop. Alternative of routing all pedal inputs through the Console Computer was rejected for this reason. Rationale: Architectural safety requirement: the IEC 62304 and IEC 80601-2-77 framework requires hardware independence between safety-critical inputs (E-stop) and non-safety software systems. This decision is traceable to STK-MAIN-002 (no uncontrolled energy or motion at any time). | Inspection | architecture, surgeon-console, safety, session-353 |
| ARC-MAIN-014 | ARC: Haptic Feedback Subsystem — galvanic isolation break between patient-side sensing and surgeon-side actuation. The signal chain is split into Force Sensing Module (sterile field) → Force Signal Conditioner (galvanic isolation, ≥4kVrms) → Haptic Controller (console-side, SIL2) → Master Handle Actuator. Alternatives considered: (a) direct digital fibre link eliminating analogue conditioning — rejected due to sensor power budget constraints in the sterile field; (b) single integrated controller spanning both sides — rejected because it creates a conductive path violating IEC 60601-1 patient leakage current limits. The 4kVrms isolation barrier is the single safety-critical boundary in the haptic chain. Rationale: IEC 60601-1 requires patient leakage current < 10µA in CF-type applied parts; a conductive signal path spanning the sterile and console sides would create unacceptable leakage current. The 4kVrms galvanic isolation barrier physically prevents this path. Verification by design review of isolation barrier certification documentation. | Inspection | architecture, haptic, session-354 |
| ARC-MAIN-015 | ARC: Motion Control System — FPGA-based infrastructure layer (Real-Time Protocol Engine, Inter-Cart Fibre Link, Network Management Controller, Procedure Data Recorder) is separated from the algorithmic layer (Tremor Filter, Motion Scaling, Trajectory Generator, Kinematics Engine, Workspace Safety Enforcer, Joint Servo Controller) because the two layers have fundamentally different failure modes and verification requirements. Infrastructure components are hardware-fixed timing elements verified by oscilloscope measurement; algorithmic components are software-configurable and verified by functional test. This separation also allows the FPGA layer to enforce timing guarantees independently of software faults — if the algorithmic layer hangs, the FPGA continues transmitting watchdog frames to trigger a controlled stop. Rationale: The two-layer decomposition separates hardware-fixed timing from software-configurable algorithms. This allows the FPGA infrastructure layer to enforce timing guarantees independently of software faults: if the algorithmic layer hangs, the FPGA continues transmitting watchdog frames to the patient cart, triggering a controlled stop. Infrastructure components are verified by oscilloscope measurement; algorithmic components are verified by functional test. This separation is consistent with IEC 60601-1 risk management requirements for partitioning safety-critical timing from application software. | Inspection | architecture, motion-control, infrastructure, session-357 |
| ARC-MAIN-018 | ARC: Motion Control and Scaling Subsystem — linear pipeline topology with safety injection. Components are ordered as: Tremor Rejection Filter → Motion Scaling Module → Trajectory Generator → Kinematics Engine → Joint Servo Controller, with the Workspace Safety Enforcer injecting repulsive constraints directly into the Kinematics Engine rather than acting as a separate gate. The Real-Time Compute Node hosts all pipeline stages on a single RTOS. Alternative considered: distributed pipeline across multiple CPUs for fault isolation. Rejected because cross-CPU IPC adds 0.2-0.4ms per stage, making the 1ms end-to-end budget unachievable. The single-node topology is acceptable because the Real-Time Compute Node is itself triple-redundant (2-of-3 voting) at the hardware level. Rationale: Documents the primary architectural trade-off driving the MC subsystem topology: determinism over distributed fault isolation. The 1ms end-to-end latency in SYS-MAIN-007 is the binding constraint; this decision records why distributed alternatives were rejected and what compensating mechanism (hardware triple-redundancy) provides the required fault tolerance. | Inspection | architecture, motion-control, session-358 |
| ARC-MAIN-019 | ARC: Verification Plan Coverage — Verification entries cover all safety-critical IFC requirements first (IFC-001 through IFC-013, IFC-020), prioritised by SIL classification under IEC 62061. Interface verification is selected as the minimum viable verification set because every cross-subsystem interface is a potential failure propagation path in a safety-critical medical robot. Performance threshold values (2ms joint force detection, 150ms E-stop de-energisation, 100ms teleoperation latency, 15ms haptic render) are derived from published clinical evidence and applicable standards (IEC 62061, IEC 60601-1), not estimated. Rationale: This architectural decision records the rationale for prioritising safety-critical IFC requirements in the verification plan. The coverage set (IFC-001 to IFC-013, IFC-020) maps directly to cross-subsystem interfaces with SIL 3 classification under IEC 62061; performance thresholds are derived from IEC 60601-1 and published surgical robotics clinical evidence, ensuring the verification plan is traceable to recognised standards rather than arbitrary estimates. | Inspection | architecture, verification, session-360 |
| ARC-MAIN-020 | ARC: Communication and Data Management System — dual-redundant fibre topology with FPGA-level failover and strict-priority traffic shaping. The architecture separates the real-time kinematic command path (RTPE on compute node) from the link management plane (NMC in FPGA) so that link health monitoring and failover do not share any compute resources with the 1kHz control loop. LVDS hardwired fault notification to SIS ensures the communication system can report its own failure without relying on the link it monitors. PDR uses DMA shared memory to record data without touching the RTPE thread. Alternative considered: single-port fibre with software failover — rejected because software-layer switchover could not meet the 5ms deadline under worst-case OS scheduling latency. Rationale: Architecture decision captures why the RTPE/NMC separation was chosen over integrated approaches, ensuring future maintainers understand the SIL 3 isolation rationale. | Inspection | architecture, comms, session-369, idempotency:arc-comms-369 |
flowchart TB n0["component<br>Watchdog Timer Controller"] n1["component<br>Emergency Stop Chain"] n2["component<br>Joint Force Monitor"] n3["component<br>Communication Monitor"] n4["component<br>Safe State Manager"] n0 -->|watchdog trip| n4 n1 -->|E-stop event| n4 n2 -->|force violation| n4 n3 -->|link fault| n4
Safety and Interlock Subsystem — Internal
flowchart TB n0["component<br>Tremor Rejection Filter"] n1["component<br>Motion Scaling Module"] n2["component<br>Kinematics Engine"] n3["component<br>Workspace Safety Enforcer"] n4["component<br>Joint Servo Controller"] n5["subsystem<br>Real-Time Compute Node"] n6["actor<br>Surgeon Console"] n7["external<br>Patient-Side Cart"] n8["component<br>Trajectory Generator"] n6 -->|6-DOF vel cmds 1kHz| n0 n0 -->|filtered vel 1kHz| n1 n2 -->|joint setpoints| n3 n3 -->|validated cmds| n4 n4 -->|CAN-FD 5Mbps| n7 n3 -->|fault signal| n5 n5 -->|heartbeat 200Hz| n0 n1 -->|scaled velocity 1kHz| n8 n8 -->|Cartesian poses 1kHz| n2
Motion Control System — Internal
flowchart TB n0["component<br>Force Sensing Module"] n1["component<br>Force Signal Conditioner"] n2["component<br>Haptic Controller"] n3["component<br>Master Handle Actuator"] n0 -->|strain gauge signals| n1 n1 -->|SPI 16-bit force data| n2 n2 -->|CAN FD torque setpoints| n3
Haptic Feedback Subsystem — Internal
flowchart TB n0["component<br>Instrument Drive Unit"] n1["component<br>Instrument Recognition Module"] n2["component<br>Sterile Adapter"] n3["component<br>Cable Tensioning System"] n4["component<br>Tool Tip Articulation Controller"] n5["component<br>Instrument Lifecycle Controller"] n1 -->|kinematic model params| n4 n1 -->|instrument identity and usage data| n5 n4 -->|cable displacement commands CAN-FD 1kHz| n0 n3 -->|tension set-points and feedback| n0 n2 -->|torque via rotary feedthroughs| n0
Surgical Instrument System — Internal
flowchart TB n0["component<br>Main Power Distribution Unit"] n1["component<br>UPS Battery Module"] n2["component<br>Auxiliary Power Supply"] n3["component<br>Power Sequencing Controller"] n1 -->|48VDC bulk| n0 n0 -->|CAN FD status| n3 n3 -->|discrete control| n2 n3 -->|sequencing commands| n0
Power Management Subsystem — Internal
flowchart TB n0["component<br>Surgeon Interface Panel"] n1["component<br>Console Computer"] n2["component<br>Foot Pedal Array"] n3["component<br>Voice Command Module"] n4["component<br>Arm Positioning System"] n0 -->|EtherCAT haptic bus bidirectional, 1kHz| n1 n2 -->|CAN pedal events 50ms| n1 n3 -->|USB voice commands 200ms| n1 n4 -->|Arm position status| n1
Surgeon Input Console — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Arm Positioning System | 54FC1018 | Motorized ergonomic adjustment mechanism on the Surgeon Input Console that positions the two 7-DOF master arms and the binocular viewer for individual surgeon fit. Five motorized axes: master arm height (bilateral, ±100mm), master arm lateral offset (bilateral, ±50mm), and viewer vertical/tilt (±80mm / ±20°). Each axis is a DC motor with worm gear drive and absolute encoder. All motorized adjustment axes are locked when the system is in OPERATIONAL state — adjustments only permitted during setup (system not in robotic motion). Adjustment speed: 5mm/s maximum to prevent collision risk. Position is saved per surgeon profile. |
| Auxiliary Power Supply | D4C51018 | Dedicated isolated 24V DC supply for the Safety and Interlock Subsystem and Watchdog Timer Controller. Operates from UPS battery during mains failure, guaranteed active for minimum 30 minutes. Physically wired in parallel with the main supply but logically isolated; cannot be de-energised by any application software command or main bus fault. Feeds the hardwired Emergency Stop Chain contactor coils. |
| Backdrive Monitor | 50B73808 | Dedicated safety monitor for haptic master handle backdrivability. Continuously compares commanded torque against actual joint velocity to detect if a handle joint has become non-backdrivable (jam or mechanical fault). Triggers Haptic Controller safe-hold if backdrive torque exceeds 2N for >100ms in STANDBY mode. Implemented as a separate FPGA safety island to maintain independence from the Haptic Controller's ARM processor. |
| Cable Tensioning System | 55F73208 | Spring-loaded and motor-driven cable pretension mechanism inside the Instrument Drive Unit of a surgical robot. Maintains consistent cable tension across all 4 instrument degrees of freedom (wrist pitch, yaw, roll, grip) to ensure position accuracy at the instrument tip. Compensates for cable stretch and hysteresis over the instrument's operational lifetime (typically 10 procedures). Uses strain-gauge feedback on each cable to detect tension anomalies indicating cable fraying or disconnection. Operates at 1kHz servo rate synchronized with the joint servo controllers. Tension set-points vary per instrument type based on calibration data from the Instrument Recognition Module. |
| Camera Control Unit | D4F53218 | Dual-channel camera head processor receiving raw Bayer-pattern sensor data from both stereo endoscope channels via HD-SDI at 60fps. Performs real-time white balance, gain control, gamma correction, and chromatic aberration compensation per channel. Outputs synchronised left/right 1080p60 video streams to Image Processing Pipeline via 3G-SDI. Maintains sub-frame (<1ms) inter-channel synchronisation critical for stereoscopic fusion. Provides surgeon-selectable enhancement modes (narrow-band imaging, fluorescence overlay for ICG). Rack-mounted in equipment tower, passively cooled, operating continuously for 8+ hour procedures. |
| Communication and Data Management System | 50F57318 | High-bandwidth real-time communication subsystem linking Surgeon Console and Patient-Side Cart. Master-slave control link: 1Gbps fibre, 1kHz command packets, <3ms latency. Video transport: 4x uncompressed 1080p/60Hz streams over 10GbE. Maintains TCP/IP and dedicated FPGA protocol stack. Logs all kinematics, video, and system events to encrypted SSD at 1kHz for clinical audit. Interfaces with hospital PACS and EMR via HL7/DICOM. Implements CAN-FD bus for inter-subsystem telemetry. Provides encrypted operator console for remote diagnostics. |
| Communication Monitor | 55B77A18 | Monitors real-time fibre link between surgeon console and patient-side cart. Checks CRC integrity, packet loss rate, and round-trip latency at 1kHz. Latency threshold: 10ms (alert), 20ms (safe-state). Packet loss threshold: 3 consecutive missed frames. On loss-of-communication, initiates controlled arm freeze: joints held in current position with increased brake gain, instrument retracted 3mm per safety protocol. |
| Console Computer | D0F51018 | Host x86-64 workstation embedded in the Surgeon Input Console base unit, running a non-real-time Linux OS. Manages session lifecycle (authentication, case start/end, configuration loading), hosts the voice command recognition engine, drives the Surgeon Interface Panel display, manages system configuration and calibration data, and provides the non-real-time side of the surgeon-side software stack. Communicates with the Real-Time Protocol Engine for session handshake and configuration sync, but does NOT relay motion commands. Interfaces: USB 3.0 to Surgeon Interface Panel, gigabit Ethernet to Real-Time Protocol Engine session bus, HDMI to secondary display for circulating nurse. |
| Electrosurgical Generator | D4F73019 | High-frequency RF energy source generating 200-400W monopolar and 50-80W bipolar electrosurgical power at 300kHz-3MHz. Outputs controlled energy via the robotic instrument port to active electrodes. Implements adaptive power regulation with tissue impedance sensing to prevent unintended thermal spread. Provides cut, coagulation, and vessel-sealing energy modes with independent waveform profiles. Must respond to footswitch activation within 100ms and deactivate within 50ms. |
| Emergency Stop Chain | 44AD7810 | Hardwired E-stop circuit forming a series loop through surgeon console E-stop button, patient-side E-stop buttons (x3), foot pedal dead-man switch, and facility E-stop. Any break de-energises all servo drives via contactor within 50ms. Independent of software control. Includes optical isolation to prevent ground loop faults from triggering spurious stops. Monitored for open-circuit faults at 100Hz. |
| Energy Delivery Controller | 41B53B18 | Embedded software module on the surgical system control computer orchestrating all energy activation decisions. Arbitrates footswitch inputs, instrument-reported activation requests, and safety interlock states. Enforces mutual exclusion between RF and ultrasonic modes. Implements energy timeout (max 15s continuous activation), power-level ramping, and dead-man safety (energy stops if console presence is not confirmed every 2s). Interfaces with Safety and Interlock Subsystem via hardwired interlock bus. |
| Energy Delivery System | 54F53059 | Electrosurgery and energy management subsystem. Provides monopolar RF energy at 20-300W for cutting and coagulation, bipolar RF at 5-80W for vessel sealing, and ultrasonic energy at 55.5kHz for simultaneous cutting and coagulation. Isolated floating output to prevent stray current burns. Integrates with instrument system to detect instrument type and enable appropriate energy modes. Patient return electrode monitoring for impedance-based contact quality. Activated only when surgeon depresses foot pedal with correct instrument selected. EN IEC 60601-2-2 compliance. |
| Foot Pedal Array | C6AD7018 | Multi-pedal foot-operated control array mounted on the floor at the Surgeon Input Console. Contains 4 independently assignable pedal clusters: energy activation (RF and ultrasonic), camera control (focus, zoom, mode), instrument clutch (decouple master-slave motion), and emergency stop (one of three hardwired E-stop nodes). Each pedal has <2ms mechanical actuation sensing. The emergency stop pedal is hardwired to the E-stop series loop and does NOT pass through software. Energy and clutch pedals send activation commands over the console CAN bus to the Energy Delivery Controller and Motion Control System. |
| Force Sensing Module | D4C51008 | 6-axis force/torque sensor array embedded in each instrument drive unit. Strain gauge-based, measuring instrument-tissue interaction forces at the tool tip with resolution better than 0.05N and range ±30N. Operates at 1kHz sampling rate, provides raw force data to Haptic Controller for feedback scaling. Calibrated for temperature drift and offset at startup. |
| Force Signal Conditioner | D4A51018 | Analog signal conditioning circuit for strain gauge bridge outputs from Force Sensing Module. Provides instrumentation amplification (gain 100-1000), low-pass filtering at 500Hz anti-alias cutoff, and 16-bit ADC conversion at 1kHz. Mounted on patient-side cart electronics bay. Provides galvanic isolation barrier (4kVrms) between surgical instrument and digital electronics. |
| Haptic Controller | 54FD7208 | Real-time software module running on dedicated haptic processor at 1kHz. Receives force measurements from Force Sensing Module, applies scaling, workspace-safe force limiting (max 1N feedback to master), and renders force as torque commands to Master Handle Actuators. Implements transparency and stability algorithms to prevent master-slave force oscillation. SIL 2 function. |
| Haptic Feedback Subsystem | 55F57018 | Closes force feedback loop between instrument tip and surgeon master handles. Reads tip force from Instrument Drive Unit strain gauges (0–10N, ≤0.1N resolution, 1kHz). Applies scaling and tissue-model filtering. Drives back-drive torque motors in master manipulator to present force cue to surgeon. Prevents force feedback from exceeding safe handle force limits. Runs in same RTOS partition as motion control to maintain phase coherence. |
| Image Processing Pipeline | 50F73218 | FPGA-based real-time video processing system receiving synchronised stereo 1080p60 streams from the Camera Control Unit. Performs edge enhancement, noise reduction (temporal and spatial), automatic scene brightness adjustment, and optional augmented reality overlay (instrument tracking markers, anatomical annotations from pre-operative imaging). Adds <2ms total processing latency to maintain surgeon-perceived real-time response. Outputs processed left/right streams to the 3D Display System via dual DisplayPort 1.2 at 60Hz. Also provides a composited 2D stream to the Video Recorder. Implements ICG fluorescence overlay compositing when Surgical Illumination Source is in NIR mode. FPGA fabric chosen over GPU for deterministic latency and medical device certification path (IEC 62304 Class C). |
| Instrument Drive Unit | D6E51018 | Terminal segment of each robotic arm. Accepts interchangeable sterile wristed instruments (graspers, scissors, needle drivers, clip appliers, energy instruments). 4-cable drive train transmits wrist and jaw motion into 8mm instrument shaft. Includes chip-in-tip RFI sensors to read instrument identity, use count, and calibration data. Tip force sensing via strain gauges. Single-use instrument heads, reusable drive unit body draped for sterility. |
| Instrument Lifecycle Controller | 41B77B58 | Software module running on the patient-side cart controller of a surgical robot. Tracks per-instrument usage metrics: total actuation cycles per DoF, cumulative tip force-time integral, sterilization count, and elapsed time since manufacture. Compares current metrics against manufacturer-defined end-of-life thresholds stored on the instrument's identity chip. Prevents coupling of expired instruments by inhibiting arm enable until a valid instrument is detected. Logs all lifecycle events to the Procedure Data Recorder for regulatory traceability per FDA 21 CFR Part 820 requirements. Communicates with Instrument Recognition Module for chip read/write and with Safe State Manager for instrument lockout enforcement. |
| Instrument Recognition Module | D5F57018 | NFC/RFID reader with embedded microcontroller at the instrument coupling interface of a surgical robot patient-side arm. Reads instrument identity chip containing type code (grasper, scissors, needle driver, cautery hook), remaining use count, sterilization cycle history, and per-instrument calibration offsets. Communicates instrument identity to Motion Control System for automatic kinematic model selection. Must read instrument chip within 200ms of coupling to avoid delaying instrument exchange. Operates in sterile field proximity, powered via the arm's internal bus. |
| Inter-Arm Collision Monitor | 51F77B18 | Real-time pairwise inter-arm clearance computation module running in the Motion Control and Scaling Subsystem of a surgical robot. Computes convex-hull distances between all three patient-side instrument arm segments at 100Hz using forward-kinematics model. Issues halt-and-retract command to approaching arm pairs when predicted clearance falls below 25mm warning threshold; enforces 15mm hard minimum clearance. Runs inline in motion control pipeline on the Real-Time Compute Node. Critical for multi-arm laparoscopic procedures where arms converge in a body cavity of approximately 150mm diameter. |
| Inter-Cart Fibre Link | C6855008 | Dual-redundant single-mode fibre optic cable assembly connecting Surgeon Console to Patient-Side Cart. Carries all real-time control, video, and data traffic over a single 10Gbit/s wavelength-division multiplexed fibre pair. Maximum cable run 10m (OR layout), minimum bend radius enforced. Hot-standby second fibre pair switches within 5ms on primary failure. |
| Joint Force Monitor | 55F77B18 | Software safety function running at 1kHz on safety processor. Reads joint torque from all arm axes. Applies threshold comparison against configurable joint force limits (per-axis, per-procedure type). Triggers graceful brake sequence if any axis exceeds 110% rated limit, or emergency stop at 150%. Tracks force trend to detect stuck/jammed conditions before limit breach. Alerts operator via audible and visual warning at 90%. |
| Joint Servo Controller | 55F53018 | Per-joint closed-loop servo controller for surgical robot arm joints. Cascade PID architecture: outer position loop at 1kHz, inner current loop at 10kHz. Controls brushless DC motors with 14-bit encoder feedback and current sensing. Implements following-error detection: if position error exceeds 2 degrees for >10ms, flags fault to Safety Monitor. Seven instances per arm (21 total across 3 arms). Anti-windup limiting prevents integrator saturation during end-stop contact. Gain scheduling between free-space motion and tissue-contact phases based on force feedback. |
| Kinematics Engine | 41F53309 | Real-time inverse kinematics solver for surgical robot 7-DOF redundant arm. Receives Cartesian end-effector pose commands at 1kHz from Motion Scaling Module. Computes joint-angle trajectories using damped least-squares Jacobian pseudo-inverse. Handles redundancy resolution to avoid joint limits and singularities. Outputs 7 joint-angle setpoints per arm at 1kHz to Joint Servo Controllers. Implemented in C++ on PREEMPT_RT Linux. Computation budget: 2ms per cycle per arm. Singularity handling via SVD decomposition with damping threshold 0.05. |
| Main Power Distribution Unit | D6851058 | AC power distribution unit for the Surgical Robot System. Receives single-phase 230V AC from hospital mains and distributes protected 48V DC and 24V DC rails to all patient-side cart subsystems. Includes overcurrent protection per IEC 60601-1, earth leakage monitoring, and feeds contactor inputs in the Emergency Stop Chain. Controls power sequencing order at startup and shutdown. |
| Master Handle Actuator | D7F51008 | Backdriveable brushless DC torque motor integrated into each 7-DOF haptic master arm. Provides force feedback at each joint to render instrument-tissue contact forces to the surgeon's hand. Continuous torque 0.3Nm per joint, peak 1.2Nm. Position-sensing via absolute encoder at 14-bit resolution. Driven by dedicated motor driver boards commanded by Haptic Controller. |
| Master Handle Actuator Motor Driver | D4F53018 | Multi-axis PWM motor driver for the surgeon-side master handle actuators. Receives torque setpoints from Haptic Controller at 1kHz via CAN bus. Drives 7-DOF brushless DC motors with current control at 20kHz PWM. Implements hardware overcurrent protection (5A limit) and emergency disable input from E-stop chain. Operating environment: surgeon console enclosure, 24V ±5% medical-grade isolated supply. |
| Motion Control and Scaling Subsystem | 51F73B08 | Real-time software and hardware responsible for master-to-slave kinematics. Runs on RTOS at 1kHz. Implements forward and inverse kinematics for 7-DOF arms, configurable motion scaling (1:1 to 10:1), tremor filter (adaptive bandpass eliminating 6-12Hz physiological hand tremor), workspace boundary enforcement (software joint limits, virtual fixtures). Outputs joint torque commands to servo drives. Hard real-time; task jitter <50µs. |
| Motion Control System | 51F73A18 | Real-time kinematic computation and servo-control subsystem for surgical robot. Executes inverse kinematics for all robot DOF at 1kHz, applies motion scaling 3:1 to 10:1, removes hand tremor above 6Hz, enforces workspace safety limits and soft tissue contact force limits under 5N. Runs on dedicated real-time Linux (PREEMPT_RT) compute node with dual-redundant watchdog. Directly commands joint-level servo drives on Patient-Side Cart. Latency budget: 10ms computation, 3ms network, contributing to overall 100ms end-to-end. Safety-critical: SIL 3. |
| Motion Scaling Module | 50B53B18 | Cartesian-space velocity scaling component that reduces surgeon console hand velocity to instrument tip velocity. Applies selectable gain in Cartesian space (3:1, 5:1, 10:1) to preserve instrument orientation during scaled motion. Surgeon selects ratio via foot pedal or console menu before incision. Module stores current ratio in NVRAM, applies it to all 6 Cartesian DOF uniformly, and logs ratio changes with timestamp to audit buffer. Instantaneous ratio change rejected during active tissue contact (force > 1N). |
| Network Management Controller | 51B73818 | |
| Patient-Side Cart | DFE53018 | Mobile robotic arm assembly mounted at the surgical table. Contains 3-4 robotic arms: one camera arm and 2-3 instrument arms, each with 7 DOF and cable-driven joints. Positions and holds EndoWrist instruments inserted through trocar ports in the patient. Receives motion commands from Surgeon Console at 1kHz and executes scaled, tremor-filtered movements. Each arm has joint torque sensors and limit switches. Operates in sterile field. Must arrest motion within 50ms of emergency stop signal. Arm workspace: 570mm reach per instrument arm. |
| Power Management Subsystem | 54F53018 | Supplies regulated DC and AC power to all subsystems. Accepts 3-phase 400V AC mains input, conditions through isolation transformer and EMC filters for medical environment (IEC 60601-1). Provides 48V DC bus for servo drives and 24V DC for control electronics. Includes 60s UPS (supercapacitor bank) for fault and withdrawal power continuity. Controls surgical energy delivery (monopolar 350W RF, bipolar 50W) routed through isolated generator. |
| Power Sequencing Controller | D1F77A18 | Embedded microcontroller managing the startup and shutdown power sequencing of the Surgical Robot System. Enforces a defined power-on order (safety subsystem first, then compute nodes, then motor drives) to prevent undefined intermediate states. On shutdown command, reverses sequence. Monitors rail voltages and reports to the system supervisor; inhibits startup if any rail is out of tolerance. Drives the contactor coils for each subsystem. |
| Procedure Data Recorder | 50851208 | NVMe RAID storage system recording all kinematic data (joint angles, torques, velocities at 1kHz), video streams (two 4K60 streams), system events, and alarms for the full procedure duration. Minimum capacity 8 hours uncompressed. Write bandwidth 2GB/s sustained. WORM (write-once read-many) mode prevents data modification post-procedure for forensic integrity. |
| Procedure Video Recorder | 54E47218 | Medical-grade video recording system capturing composited 2D procedure video from the Image Processing Pipeline at 1080p60 in H.265 encoding (50Mbps CBR). Records continuously for 8+ hour procedures to internal RAID-1 SSD storage (minimum 4TB usable). Simultaneously streams a reduced-resolution feed (720p30) over hospital network for remote observation or teaching. Provides frame-accurate timestamps synchronised with the system event log (kinematic data, instrument changes, cautery activation) for post-operative review and audit per SYS-MAIN-015. Supports DICOM-compatible export for integration with hospital PACS. Controlled via touch panel on equipment tower — surgeon does not interact during procedure. |
| Real-Time Compute Node | D6B51018 | Dedicated processing hardware running Motion Control System software. Dual Intel Xeon with PREEMPT_RT Linux providing worst-case interrupt latency under 50 microseconds. Hardware watchdog timer: if no heartbeat from Motion Control thread for >5ms, asserts safety output and freezes joint commands. Dual-redundant power supplies. ECC RAM. Fanless design for silent OR environment. Interfaces: 1GbE to Surgeon Console link, CAN-FD to Joint Servo Controllers, PCIe to Safety and Watchdog System via dedicated interrupt line. |
| Real-Time Protocol Engine | 51F77208 | FPGA-based deterministic communication processor implementing custom time-division multiplexed protocol over 10Gbit Ethernet fibre. Guarantees 1ms frame cycle for kinematic command and telemetry channels. Separate priority queues for safety messages (highest, 100us latency), kinematics (1ms), video (best-effort). Hardware CRC and sequence-number checking on all frames. |
| Return Electrode Monitor | 54F77858 | Impedance-sensing patient safety device monitoring return electrode (REM pad) contact quality during monopolar electrosurgery. Measures dual-zone pad impedance at 100Hz and shuts off monopolar energy if impedance rises above 135 ohms (indicating partial pad lift). Provides alarm output to surgeon console within 500ms of detection. Regulatory requirement under IEC 60601-2-2 for all monopolar electrosurgical equipment. Interfaces with Electrosurgical Generator and system safety bus. |
| Safe State Manager | 40B57A10 | State machine coordinating system response to safety events. Has three states: OPERATIONAL, DEGRADED (one arm out of service, others active), and SAFE-HOLD (all arms held, energy off, awaiting surgeon action). Transitions are one-directional toward SAFE-HOLD during faults; recovery requires explicit surgeon re-engagement sequence. Broadcasts system state to all subsystems and logs all transitions to tamper-evident audit trail. |
| Safety and Interlock Subsystem | 50B53A18 | SIL 3 safety function layer monitoring all joints, instruments, power, and communications. Implements hardware watchdog timers, software safety monitors, and independent E-stop chain. Detects communication loss, joint force violations, power anomalies, and software exceptions. Brakes all joints and de-energises surgical energy within 250ms of fault onset. Runs on dedicated safety processor physically isolated from control processor to prevent common-cause failure. |
| Safety and Watchdog System | 55F37359 | Independent safety monitoring and fault-response subsystem for surgical robot. Runs on separate processor with no shared memory with motion control. Monitors all joint positions, velocities, currents, temperatures, and communication integrity at 1kHz. Detects faults: joint limits exceeded, communication dropout >10ms, force limits exceeded, watchdog timeout. Responds within 5ms: commands all joint brakes, cuts servo power, issues emergency stop to all subsystems via dedicated hardwired signal. SIL 3 per IEC 62304 and ISO 13849 Category 4 / PLe. Maintains independent power from UPS. |
| Stereo Endoscope | D6C51018 | Dual-channel rigid endoscope (0° or 30° tip angle) with paired 1/3-inch CMOS image sensors (1920x1080 per channel) and integrated fibre-optic illumination bundle. Inserted through 12mm trocar into body cavity. Provides two spatially offset optical paths (6mm inter-pupillary baseline) for stereoscopic depth perception. Operating wavelength 400-700nm visible spectrum. Must withstand repeated autoclave sterilisation at 134°C. Connected to Camera Control Unit via dual HD-SDI cables. Critical safety component — loss of one channel degrades to 2D; loss of both is a surgical emergency requiring immediate manual takeover. |
| Stereoscopic Display System | D4ED1018 | High-resolution stereoscopic 3D display integrated into the Surgeon Console, presenting separate left/right eye images via polarised optics or active-shutter glasses. Dual 4K panels (3840x2160 per eye) with 10-bit colour depth, 1000:1 contrast ratio, and <5ms pixel response time. Viewing distance 500-700mm with adjustable interpupillary distance (55-75mm). Maintains consistent stereoscopic depth cues without flicker or crosstalk (<1% ghosting). Brightness minimum 350 cd/m² to maintain visibility under OR lighting. Connected to Image Processing Pipeline via dual DisplayPort 1.2. Critical for surgeon depth perception — loss of stereoscopy degrades to 2D monocular viewing, requiring surgeon notification within 500ms. |
| Sterile Adapter | CE853058 | Mechanical drape-and-coupling interface between the non-sterile patient-side robotic arm and the sterile surgical instrument shaft. Provides torque transmission through 6 sealed rotary feedthroughs (4 instrument DoF cables plus roll and insertion axes) while maintaining a sterile barrier compliant with ISO 11607 packaging standards. Constructed from medical-grade polymer with stainless steel coupling pins. Single-use per procedure. Must withstand 50N axial insertion force and 2Nm continuous torque per channel without sterile breach. Includes electrical pass-through for instrument recognition chip data line. |
| Surgeon Console | D6ED5018 | Surgeon-operated master interface for teleoperated surgical robot. Houses dual 7-DOF haptic master manipulators, stereo 3D HD display at 1080p/60Hz per eye, foot pedal cluster for mode switching, head sensor for presence detection, and ergonomic seating. Transmits master arm pose, velocity, and grip commands to patient-side cart at 1kHz. Receives 3D video stream and haptic force feedback. Surgeon sits immersed in stereo view while operating in a non-sterile console area. Primary safety interface for clutch, emergency stop, and energy activation. |
| Surgeon Input Console | D4FD3018 | Master control station for the surgeon. Ergonomic seat with binocular 3D display (stereoscopic endoscope imagery), dual master manipulator arms (7 DOF each), foot pedal array (clutch, camera control, energy modes), head sensor for sterile field limitation. Scales surgeon hand motions to slave, renders haptic force feedback, processes voice commands. Generates motion commands at 1kHz. Isolated from sterile field. |
| Surgeon Interface Panel | D4AC5018 | Touchscreen control panel integrated into the Surgeon Input Console, positioned alongside the binocular viewer. 15-inch medical-grade capacitive touchscreen running ARM-embedded Linux. Provides non-motion system controls: instrument selection and configuration, energy mode and power level setting, endoscope orientation, system setup, ICG fluorescence toggle, and telestration overlay controls. Communicates with the Console Computer via USB 3.0. Does not transmit real-time motion or safety commands — all safety-critical inputs are separate hardware paths. |
| Surgical Illumination Source | 54F51018 | High-intensity LED light source (300W equivalent, 5600K colour temperature) providing surgical field illumination via fibre-optic bundle to the stereo endoscope. Delivers 40,000-60,000 lux at the distal tip. Automatic intensity regulation based on camera exposure feedback to prevent tissue thermal damage (maximum 41°C tissue surface temperature per IEC 60601-2-18). Supports fluorescence excitation at 805nm for ICG near-infrared imaging. Mean time between failures >10,000 hours. Connected to Camera Control Unit for closed-loop intensity feedback and to Power Management Subsystem for regulated DC power. |
| Surgical Instrument System | D6FD3059 | Interchangeable EndoWrist instruments and instrument-exchange mechanisms for surgical robot. Instruments 8mm diameter, wristed 7-DOF distal mechanism with cable actuation through 3 drive cables. Sterile single-use or re-sterilisable depending on type. Types: needle drivers, graspers, scissors, clip appliers, bipolar forceps, monopolar cautery hook. Instrument drive unit reads instrument chip for type/usage-count identification and loads kinematic model. Force feedback from cable tension sensors passed to haptic system. 10-use or 30-use limits enforced by software based on chip data. |
| Tissue Effect Monitor | 55F77218 | Real-time tissue response monitoring module that reads RF output impedance and temperature waveforms during vessel sealing operations. Detects vessel seal endpoint by impedance rise signature (>1.5kΩ rise within 400ms) indicating completed collagen denaturation. Triggers automatic generator shutoff at seal completion. Provides tissue state feedback to the Energy Delivery Controller at 1kHz. Reduces seal failures and thermal damage by preventing over-application. Integrated with the Electrosurgical Generator measurement circuitry. |
| Tool Tip Articulation Controller | 51F53318 | Real-time software controller running at 1kHz on the patient-side cart compute node of a surgical robot. Maps desired end-effector pose (3-DoF wrist orientation plus grip aperture) from the Kinematics Engine into individual cable displacement commands for the Instrument Drive Unit motors. Implements instrument-specific kinematic models loaded from the Instrument Recognition Module — each instrument type has different cable routing geometry, pulley ratios, and coupling compliance. Compensates for cable hysteresis using a Bouc-Wen friction model with parameters identified during instrument calibration. Outputs motor position setpoints to the Joint Servo Controller over the internal CAN-FD bus at 1kHz. Critical path for instrument tip positioning accuracy: controller latency budget is 500µs maximum. |
| Trajectory Generator | 41F53B08 | Software module running on the Real-Time Compute Node that computes smooth, collision-free instrument tip trajectories from surgeon input waypoints. Accepts Cartesian velocity commands from the Motion Scaling Module at 1kHz, performs velocity profiling with S-curve acceleration limits (max 2g at tip), enforces workspace boundary constraints, and outputs interpolated Cartesian poses to the Kinematics Engine. Operates under PREEMPT_RT with worst-case execution time <200μs per cycle. Critical for ensuring instrument motion is smooth, bounded, and does not exceed tissue force limits. |
| Tremor Rejection Filter | 40A53108 | 4th-order Butterworth low-pass digital filter attenuating surgeon hand tremor. Applied to Cartesian velocity commands from Surgeon Console before motion scaling. Cutoff frequency: 6Hz to preserve intentional motion bandwidth while removing 8-12Hz physiological tremor. Zero-phase forward-backward implementation to eliminate phase lag. Operates on 3 translational and 3 rotational velocity channels independently. Implemented as fixed-point arithmetic to guarantee deterministic latency under 0.5ms. |
| Ultrasonic Energy Module | 54D51019 | 55.5kHz piezoelectric ultrasonic generator producing mechanical cutting and coagulation energy through a resonant blade delivered via robotic instrument port. Provides 0-100% power in 10 steps. Detects blade temperature via thermocouple to prevent unintended tissue burns from retained blade heat. Shear energy modality with lower thermal spread than RF; preferred for structures within 1mm of critical vessels. Drives the ultrasonic transducer in the instrument drive interface. |
| UPS Battery Module | D6D51058 | 24V sealed lead-acid or Li-Fe battery bank providing emergency backup power for the surgical robot. Rated for 30 minutes at full system load to allow controlled procedure completion and safe shutdown. Monitored for state of charge, temperature, and capacity by the power management controller. Triggers charging from mains when capacity drops below 80%. Mandatory for IEC 60601-1 emergency power requirements. |
| Vision and Imaging Subsystem | 54F57018 | Captures and processes 3D HD surgical imagery for the surgeon display. Comprises dual-channel 4K laparoscopic endoscope (Karl Storz style), stereo camera head, high-bandwidth cable to CCU, video processing unit performing synchronisation, colour correction, 3D reconstruction, and overlay rendering. Outputs to surgeon 3D display and records to NAS. Latency target: <100ms end-to-end. Also hosts fluorescence overlay mode (ICG imaging). |
| Vision and Imaging System | D4FD7019 | 3D high-definition endoscopic imaging subsystem. Dual-channel 10mm 3D endoscope with 2x 1080p/60Hz CMOS sensors separated 8mm for stereoscopic depth. Image processor handles real-time demosaicing, colour correction, distortion correction, and stereo synchronisation. Outputs independent left/right video streams to Surgeon Console display at <50ms latency. Provides near-infrared fluorescence imaging mode using ICG dye for tissue perfusion assessment. Camera arm servo maintains endoscope orientation on command. Sterile draping of camera arm required. |
| Voice Command Module | D5FD7018 | Embedded speech recognition module in the Surgeon Input Console. Microphone array with beamforming (4 microphones, cardioid pattern) mounted in the binocular viewer shroud to capture surgeon speech during procedure. Runs an on-device neural network inference engine (no cloud dependency) with a surgical vocabulary of approximately 200 commands: instrument name, procedure step markers, endoscope commands, system mode changes. Latency requirement: <200ms from speech onset to command dispatch. Must operate in typical OR acoustic environment with background noise up to 65dB SPL. Sends recognized commands to Console Computer via USB audio and command bus. |
| Watchdog Timer Controller | D6B53A08 | Dedicated hardware safety processor (separate from main compute) implementing independent watchdog timers for each axis controller and the main supervisory CPU. Configured for 250ms timeout per channel. Arm position held on watchdog expiry; requires active heartbeat from motion control to remain enabled. Hardware-based — cannot be disabled by software. |
| Workspace Safety Enforcer | 51B73818 | Cartesian and joint-space safety boundary enforcement component running inline in Motion Control pipeline before servo commands are issued. Enforces: joint angle limits (hard stops minus 5-degree software margin), Cartesian workspace boundary (no-go zones around trocar insertion point and patient anatomy model), and instrument-tissue force limits (5N warning, 8N cutoff). Checks run at 1kHz; any violation triggers immediate clutch disengagement and alert to Safety and Watchdog System. Implements trocar-pivoting constraint to prevent lateral force on abdominal wall. |
| Component | Belongs To |
|---|---|
| Surgeon Console | Surgical Robot System |
| Patient-Side Cart | Surgical Robot System |
| Motion Control System | Surgical Robot System |
| Vision and Imaging System | Surgical Robot System |
| Surgical Instrument System | Surgical Robot System |
| Safety and Watchdog System | Surgical Robot System |
| Energy Delivery System | Surgical Robot System |
| Communication and Data Management System | Surgical Robot System |
| Safety and Interlock Subsystem | Surgical Robot System |
| Surgeon Input Console | Surgical Robot System |
| Instrument Drive Unit | Surgical Instrument System |
| Vision and Imaging Subsystem | Surgical Robot System |
| Motion Control and Scaling Subsystem | Surgical Robot System |
| Haptic Feedback Subsystem | Surgical Robot System |
| Power Management Subsystem | Surgical Robot System |
| Watchdog Timer Controller | Safety and Interlock Subsystem |
| Emergency Stop Chain | Safety and Interlock Subsystem |
| Joint Force Monitor | Safety and Interlock Subsystem |
| Communication Monitor | Safety and Interlock Subsystem |
| Safe State Manager | Safety and Interlock Subsystem |
| Kinematics Engine | Motion Control System |
| Tremor Rejection Filter | Motion Control System |
| Motion Scaling Module | Motion Control System |
| Joint Servo Controller | Motion Control System |
| Workspace Safety Enforcer | Motion Control System |
| Real-Time Compute Node | Motion Control System |
| Stereo Endoscope | Vision and Imaging System |
| Camera Control Unit | Vision and Imaging System |
| Surgical Illumination Source | Vision and Imaging System |
| Image Processing Pipeline | Vision and Imaging System |
| Stereoscopic Display System | Vision and Imaging System |
| Procedure Video Recorder | Vision and Imaging System |
| Force Sensing Module | Haptic Feedback Subsystem |
| Haptic Controller | Haptic Feedback Subsystem |
| Master Handle Actuator | Haptic Feedback Subsystem |
| Force Signal Conditioner | Haptic Feedback Subsystem |
| Inter-Cart Fibre Link | Communication and Data Management System |
| Real-Time Protocol Engine | Communication and Data Management System |
| Procedure Data Recorder | Communication and Data Management System |
| Network Management Controller | Communication and Data Management System |
| Instrument Recognition Module | Surgical Instrument System |
| Sterile Adapter | Surgical Instrument System |
| Cable Tensioning System | Surgical Instrument System |
| Instrument Lifecycle Controller | Surgical Instrument System |
| Tool Tip Articulation Controller | Surgical Instrument System |
| Trajectory Generator | Motion Control System |
| Main Power Distribution Unit | Power Management Subsystem |
| Auxiliary Power Supply | Power Management Subsystem |
| UPS Battery Module | Power Management Subsystem |
| Power Sequencing Controller | Power Management Subsystem |
| Electrosurgical Generator | Energy Delivery System |
| Ultrasonic Energy Module | Energy Delivery System |
| Energy Delivery Controller | Energy Delivery System |
| Return Electrode Monitor | Energy Delivery System |
| Tissue Effect Monitor | Energy Delivery System |
| Foot Pedal Array | Surgeon Input Console |
| Surgeon Interface Panel | Surgeon Input Console |
| Console Computer | Surgeon Input Console |
| Voice Command Module | Surgeon Input Console |
| Arm Positioning System | Surgeon Input Console |
| Watchdog Timer Controller | Safety and Watchdog System |
| Stereo Endoscope | Vision and Imaging Subsystem |
| Camera Control Unit | Vision and Imaging Subsystem |
| Surgical Illumination Source | Vision and Imaging Subsystem |
| Image Processing Pipeline | Vision and Imaging Subsystem |
| Procedure Video Recorder | Vision and Imaging Subsystem |
| Stereoscopic Display System | Vision and Imaging Subsystem |
| Real-Time Protocol Engine | Motion Control System |
| Network Management Controller | Motion Control System |
| Procedure Data Recorder | Motion Control System |
| Inter-Cart Fibre Link | Motion Control System |
| Tremor Rejection Filter | Motion Control and Scaling Subsystem |
| Motion Scaling Module | Motion Control and Scaling Subsystem |
| Trajectory Generator | Motion Control and Scaling Subsystem |
| Kinematics Engine | Motion Control and Scaling Subsystem |
| Joint Servo Controller | Motion Control and Scaling Subsystem |
| Real-Time Compute Node | Motion Control and Scaling Subsystem |
| Workspace Safety Enforcer | Motion Control and Scaling Subsystem |
| Master Handle Actuator Motor Driver | Haptic Feedback Subsystem |
| Backdrive Monitor | Haptic Feedback Subsystem |
| From | To |
|---|---|
| Joint Force Monitor | Motion Control and Scaling Subsystem |
| Emergency Stop Chain | Power Management Subsystem |
| Communication Monitor | Motion Control and Scaling Subsystem |
| Safe State Manager | Surgeon Input Console |
| Safe State Manager | Patient-Side Cart |
| Surgeon Console | Motion Control System |
| Motion Control System | Patient-Side Cart |
| Motion Control System | Safety and Watchdog System |
| Vision and Imaging System | Surgeon Console |
| Surgical Instrument System | Motion Control System |
| Stereo Endoscope | Camera Control Unit |
| Stereo Endoscope | Surgical Illumination Source |
| Camera Control Unit | Image Processing Pipeline |
| Camera Control Unit | Surgical Illumination Source |
| Image Processing Pipeline | Stereoscopic Display System |
| Image Processing Pipeline | Procedure Video Recorder |
| Stereoscopic Display System | Surgeon Console |
| Surgical Illumination Source | Power Management Subsystem |
| Force Sensing Module | Force Signal Conditioner |
| Force Signal Conditioner | Haptic Controller |
| Haptic Controller | Master Handle Actuator |
| Haptic Controller | Safety and Interlock Subsystem |
| Real-Time Protocol Engine | Inter-Cart Fibre Link |
| Network Management Controller | Inter-Cart Fibre Link |
| Network Management Controller | Safety and Interlock Subsystem |
| Procedure Data Recorder | Real-Time Protocol Engine |
| Instrument Recognition Module | Instrument Lifecycle Controller |
| Cable Tensioning System | Instrument Drive Unit |
| Tool Tip Articulation Controller | Instrument Drive Unit |
| Sterile Adapter | Instrument Drive Unit |
| Instrument Lifecycle Controller | Safety and Interlock Subsystem |
| Tremor Rejection Filter | Motion Scaling Module |
| Motion Scaling Module | Trajectory Generator |
| Trajectory Generator | Kinematics Engine |
| Kinematics Engine | Joint Servo Controller |
| Workspace Safety Enforcer | Kinematics Engine |
| Workspace Safety Enforcer | Joint Servo Controller |
| Real-Time Compute Node | Kinematics Engine |
| Real-Time Compute Node | Joint Servo Controller |
| Main Power Distribution Unit | Auxiliary Power Supply |
| Main Power Distribution Unit | Power Sequencing Controller |
| UPS Battery Module | Auxiliary Power Supply |
| Power Sequencing Controller | Emergency Stop Chain |
| Energy Delivery Controller | Electrosurgical Generator |
| Energy Delivery Controller | Ultrasonic Energy Module |
| Return Electrode Monitor | Electrosurgical Generator |
| Tissue Effect Monitor | Electrosurgical Generator |
| Energy Delivery Controller | Safety and Interlock Subsystem |
| Foot Pedal Array | Emergency Stop Chain |
| Foot Pedal Array | Energy Delivery Controller |
| Voice Command Module | Console Computer |
| Console Computer | Real-Time Protocol Engine |
| Arm Positioning System | Console Computer |
| Surgeon Interface Panel | Console Computer |
| Console Computer | Inter-Cart Fibre Link |
| Inter-Cart Fibre Link | Real-Time Protocol Engine |
| Real-Time Protocol Engine | Tremor Rejection Filter |
| Network Management Controller | Joint Servo Controller |
| Real-Time Compute Node | Procedure Data Recorder |
| Real-Time Compute Node | Tremor Rejection Filter |
| UPS Battery Module | Main Power Distribution Unit |
| Power Sequencing Controller | Auxiliary Power Supply |
| Haptic Controller | Master Handle Actuator Motor Driver |
| Real-Time Protocol Engine | Procedure Data Recorder |
| Component | Output |
|---|---|
| Watchdog Timer Controller | brake enable/disable signal per axis |
| Emergency Stop Chain | hardwired servo de-energise signal |
| Joint Force Monitor | per-axis force violation alert |
| Communication Monitor | link quality status and loss-of-comms event |
| Safe State Manager | system safety state broadcast |
| Stereo Endoscope | raw stereo video (dual 1080p Bayer-pattern) |
| Camera Control Unit | synchronised stereo 1080p60 corrected video |
| Surgical Illumination Source | visible and NIR surgical field illumination |
| Image Processing Pipeline | processed stereo video with AR overlay |
| Stereoscopic Display System | stereoscopic 3D visual presentation |
| Procedure Video Recorder | archived procedure video with synchronised event data |
| Force Sensing Module | raw force/torque measurements |
| Haptic Controller | master actuator torque commands |
| Master Handle Actuator | force feedback to surgeon |
| Force Signal Conditioner | conditioned digitised force signal |
| Real-Time Protocol Engine | deterministic control frames |
| Procedure Data Recorder | procedure audit record |
| Network Management Controller | link health status |
| Instrument Recognition Module | instrument identity and calibration data |
| Tool Tip Articulation Controller | cable displacement commands |
| Cable Tensioning System | tension anomaly alerts |
| Instrument Lifecycle Controller | instrument lockout decisions |
| Trajectory Generator | interpolated Cartesian pose setpoints at 1kHz |
| Electrosurgical Generator | high-frequency RF energy (300kHz-3MHz, up to 400W monopolar/80W bipolar) |
| Ultrasonic Energy Module | 55.5kHz ultrasonic cutting/coagulation energy via resonant blade |
| Energy Delivery Controller | activation decisions and power-level commands to energy generators |
| Return Electrode Monitor | patient pad contact quality status and monopolar enable/inhibit signal |
| Tissue Effect Monitor | vessel seal endpoint detection and tissue state feedback at 1kHz |
| Foot Pedal Array | energy activation signal |
| Foot Pedal Array | clutch command |
| Force Sensing Module | six-axis force/torque analog signal |
| Force Signal Conditioner | digitised force/torque EtherCAT frame at 1kHz |
| Haptic Controller | per-joint torque setpoints at 1kHz |
| Master Handle Actuator | rendered force feedback torque at surgeon handle |
| Force Sensing Module | six-axis force/torque measurement |
| Force Signal Conditioner | digitised 16-bit six-axis force vector at 1kHz |
| Haptic Controller | per-joint torque commands at 1kHz |
| Backdrive Monitor | backdrive fault signal |