Surgical Robot System

Rationale: SUB-MAIN-001 is a SIL 3 safety function requiring a quantified test procedure. Bench isolation confirms detection function.

Rationale: Integration test proves the data pipeline meets both rate and latency requirements simultaneously under representative surgical load conditions.

Rationale: Direct oscilloscope measurement of contactor drop-out provides unambiguous evidence of the 50ms requirement. Cold soak tests component behaviour near lower operating temperature limit.

Rationale: Three separate trigger paths must each be verified independently since each has distinct signal routing; shared test would not reveal path-specific faults.

Rationale: Fault injection testing is the only way to verify the communication monitor sees faults correctly without disrupting the data path. Threshold accuracy must be tested at both nominal and boundary conditions.

Rationale: Latency detection threshold verified with injected faults to confirm sensitivity and specificity without waiting for real fault events.

Rationale: State broadcast latency directly affects the 250ms safe-state budget; the 5ms requirement needs verification under full system bus load to rule out congestion effects.

Rationale: Physical isolation of watchdog power is a SIL 3 hardware independence requirement; must be verified by actual power interruption, not simulation, to prove no common-cause power coupling.

Rationale: End-to-end safe-state timing is a system-level property that cannot be decomposed to subsystem tests — the orchestration latency (SIS, servo, energy) is only visible at system integration level.

Rationale: Hardware E-stop series loop independence from software must be verified by physical loop interruption at every segment. Single-point break tests confirm the loop cannot be bypassed by a software or firmware fault.

Rationale: Integration test at the console-MC boundary verifies the network substrate delivers commands within latency budget. 60-second test captures steady-state behaviour after any TCP slow-start or OS scheduling settling.

Rationale: Workspace boundary enforcement is a safety function preventing collision with patient anatomy; must be tested at each of six boundary planes to confirm independent enforcement.

Rationale: Direct test of the safety-critical heartbeat fault path: this is a SIL 3 safety function and must be demonstrated under fault injection, not inferred from analysis.

Rationale: IK computation WCET must be verified on target hardware under representative surgical trajectories, not simulation, as jitter varies with trajectory complexity and cache state.

Rationale: Worst-case timing must be demonstrated on real hardware (not simulation) at realistic load because PREEMPT_RT latency spikes occur under thermal stress and simultaneous IO; P99 headroom of 2ms allows for measurement overhead and production unit variation.

Rationale: Position tracking accuracy is the foundational servo loop performance metric; tested under representative surgical bandwidths (0.5-2Hz covers intentional motion; tremor filtered above 6Hz).

Rationale: End-to-end step response test validates the integrated system behaviour combining network latency, computation, servo control, and mechanics. Must include contact conditions because compliance at the instrument tip changes closed-loop dynamics and can destabilise the servo at high scaling ratios.

Rationale: Resolution verification must be performed at the actual surgical working distance on real optics, not from specification sheets, as lens-sensor assembly tolerances affect delivered resolution.

Rationale: BER measurement with PRBS-31 is the standard method for characterising SDI link quality. Independent channel test confirms graceful degradation path.

Rationale: Inter-channel synchronisation is safety-critical for 3D depth perception accuracy; asynchrony above 100us creates measurable depth parallax errors. Must be verified in hardware as FPGA timing parameters can drift with temperature.

Rationale: Inter-channel skew measurement requires precision timestamping equipment. 30-minute test duration covers thermal stabilisation effects on cable propagation delay.

Rationale: Display crosstalk above 1% causes ghosting visible during 3D depth perception, potentially causing misjudgement of depth during fine dissection. Measured directly on the integrated display assembly.

Rationale: Step-change stimulus provides worst-case latency measurement. 100 cycle repetition ensures statistical confidence in the latency bound.

Rationale: IFC-020 data accuracy is required for correct cable displacement calculation; incorrect calibration offsets cause tip position error, directly violating SYS-001 precision.

Rationale: Photodiode measurement of photon emission time is the gold standard for display latency characterisation. 1000-frame test covers worst-case frame timing.

Rationale: IFC-021 is the signal path enabling SIS detection of cable mechanical faults; accuracy and latency must be verified to confirm the safety function meets its 250ms safe-state budget.

Rationale: 8-hour endurance recording test matches operational requirement. Spot-check of 100 frames provides statistical confidence in timestamp accuracy across the full recording duration.

Rationale: IFC-022 command resolution drives achievable tip position accuracy; 0.01mm resolution supports the ±0.1mm tip precision in SYS-001. Latency verified under dynamic motion, not static commands.

Rationale: Physical disconnection simulates the most common single-channel failure mode. Testing both channels confirms symmetric degradation. Recovery test validates the system can return to stereo operation without restart.

Rationale: IFC-023 is a patient safety interface: preventing use of an overused instrument eliminates a mechanical failure mode. Must be tested with full lockout chain, not mock signals, to confirm end-to-end enforcement.

Rationale: End-to-end vision chain test validates the complete optical path from endoscope through CCU, IPP, to display. 35ms latency budget is the vision chain allocation from the 50ms total hand-to-eye budget. High-speed camera method provides ground-truth latency measurement independent of system clocks.

Rationale: Functional test on production hardware verifying CMRR against OR noise frequencies. 10mV threshold derived from 80dB CMRR at 10V CM input.

Rationale: Latency measurement on target hardware under load validates the 100us propagation budget that feeds into the 2ms end-to-end haptic latency requirement.

Rationale: Hardware torque limit verification requires commanding beyond the limit; this test confirms the motor driver hardware enforces the cap independently of software. Dropped-frame test validates bandwidth adequacy.

Rationale: Worst-case throughput test on target hardware; hardware timestamping eliminates OS jitter from measurements.

Rationale: Physical transceiver disconnection simulates the most severe link failure. Sequence number continuity check in the recorder log verifies zero-loss switchover at the application layer, not just the physical layer.

Rationale: Tests all instrument types across all arm positions to detect any position-dependent or type-dependent recognition delays. The 100-cycle endurance test validates NFC reader reliability under repeated mechanical coupling vibration.

Rationale: Frequency sweep validates dynamic tension control under realistic cable loads. The 20% step injection exceeds the 15% anomaly threshold to verify detection latency under worst-case conditions.

Rationale: Sample size of 20 provides statistical confidence for a single-use medical device. The dye penetration test is the regulatory standard for sterile barrier validation. Torque measurement after endurance cycling captures any degradation from wear.

Rationale: Penetration testing is required (not just inspection) because network isolation failures are often due to misconfigured firewall rules or VLAN tagging errors that are not visible in design documentation. Active attack simulation is the only reliable verification method per IEC 81001-5-1 Annex C.

Rationale: Tests the full degraded-mode chain: anomaly detection, safety shutdown of affected arm, isolation of remaining arms, and operator notification. The 0.1mm position check on remaining arms ensures the shutdown transient does not propagate through shared power or communication buses.

Rationale: Validates shared-memory interface timing and data integrity under sustained load. The 99.99% threshold allows 6 exceedances per minute, consistent with PREEMPT_RT scheduling guarantees on the target platform.

Rationale: Exercises the ring buffer under worst-case jitter conditions to confirm the 4-frame depth provides adequate margin. Quaternion norm check detects any corruption in the lock-free transfer path.

Rationale: A haptic actuator that holds non-zero force in STANDBY creates a control input bias that the surgeon cannot distinguish from genuine force feedback. Measuring 10 positions ensures coverage of the full cam profile, not just the nominal centre position where most bias errors are zero.

Rationale: EtherCAT frame delivery timing is the tightest constraint in the servo loop. The 30-minute duration exercises the interface through thermal steady-state of the servo drives and compute node, which is when timing margins are smallest.

Rationale: The dynamic boundary update during active motion is the highest-risk scenario for IFC-MAIN-028 — a partial read could create a non-convex feasible region allowing unsafe motion outside the intended workspace. The 20ms response target is 2× the 10ms update interval, providing margin.

Rationale: Scaling ratio transitions during active motion are a common surgical workflow — the surgeon changes scaling mid-procedure. The test validates that ratio metadata propagation does not cause the Trajectory Generator to apply stale scaling, which would produce a motion discontinuity.

Rationale: System-level integration test exercising the complete Cartesian-to-joint-space pipeline under realistic surgical motion profiles. This test cannot be decomposed into component-level tests because it validates the interaction between tremor rejection, scaling, trajectory generation, kinematics, servo control, and workspace enforcement as a coupled chain.

Rationale: Authentication test must cover both the rejection path and the logging path to verify the security requirement is fully implemented. The 1kHz injection rate matches the operational servo rate, ensuring the test exercises the authentication mechanism under realistic timing conditions.

Rationale: Direct measurement at the interface boundary under the worst-case transient condition (full-load mains loss). Oscilloscope capture at 1MHz is necessary to detect sub-millisecond interruptions that cause contactor dropout.

Rationale: The test must verify both the RSA signature check at boot and the per-waypoint envelope validation at runtime. Testing with a mix of valid and invalid waypoints ensures the validation logic is correctly implemented for both the positive and negative cases.

Rationale: Full-load discharge test with pre-conditioned battery state (80%) represents realistic worst-case surgical scenario. Testing from full charge would not reveal battery capacity margins under normal operational conditions.

Rationale: The three-phase test exercises the authentication rejection path, the timing-loss safe-hold path, and the HMI alert path, matching the three SHALL clauses in the requirement. The 15ms gap exceeds the 10ms threshold, ensuring the safe-hold trigger is verified within budget.

Rationale: Integration test at the physical CAN interface validates both protocol compliance and timing under sustained load — essential for a safety-critical command bus.

Rationale: IEC 62304 Class C qualification requires documented lifecycle evidence for motion control software that can cause patient harm. Inspection is the appropriate method because the requirement specifies a process standard, not a functional behaviour; functional testing cannot verify development-phase compliance.

Rationale: Blade temperature telemetry is the safety-critical output of this interface; 50Hz minimum must be verified under sustained load to confirm the 100°C inhibit will function correctly.

Rationale: IFC-MAIN-040 defines the kinematic command frame format (48-byte little-endian, 1kHz, sequence number, CRC-CCITT) that the Console Computer writes to the Inter-Cart Fibre Link. This protocol integrity is safety-critical: a framing error or dropped frame on the kinematic command path can cause the Real-Time Protocol Engine to stall or misinterpret commands, potentially resulting in uncontrolled arm motion. The test captures sufficient frames to detect systematic errors at the <1e-4 frame error rate used for safety-critical communication links.

Rationale: Hardwired interlock must be verified at the hardware level, not via software simulation. Timing from oscilloscope provides ground truth for the de-energise-to-inhibit response.

Rationale: SUB-MAIN-071 specifies the +/-50 microsecond jitter budget for the TDM frame scheduler. This budget is the foundation of all downstream latency allocations in the control loop — if the RTPE scheduler drifts, downstream stages exceed their cycle windows and the 1ms end-to-end motion control budget is violated. Verification by direct oscilloscope measurement is mandatory because jitter cannot be inferred from software timing alone.

Rationale: Vessel seal endpoint detection must be verified against a known impedance profile; real tissue is not available for hardware-level testing, so validated test loads are standard practice.

Rationale: SUB-MAIN-082 specifies the real-time proximity enforcement that prevents surgical instrument over-penetration into protected anatomy. Failure of the WSE to activate constraints in time is a patient safety hazard. The test directly exercises the collision detection path under representative surgical motion and verifies the non-penetration guarantee that the requirement establishes.

Rationale: E-STOP response requires repeated testing to confirm reliability across the 20ms window — a single pass test would not reveal marginal timing cases. 20 repetitions is consistent with IEC 62061 functional safety evidence requirements for SIL 2 functions.

Rationale: SUB-MAIN-083 specifies the degraded-mode behaviour for the WSE when the anatomy mesh is unavailable. Without verified fallback behaviour, a mesh database fault would leave the arm with no proximity constraints, creating an uncontrolled motion risk. Verification requires injecting the specific fault condition because normal integration testing cannot exercise degraded-mode paths.

Rationale: End-to-end test exercises the full command chain from surgeon input through Energy Delivery Controller through ESG to tissue, validating that SYS-MAIN-017 and safety monitoring function together as an integrated system. Multi-power-level testing confirms compliance across the operating envelope.

Rationale: REM threshold response is a patient safety function verified by simulating the actual pad-lift impedance signature. 10 repetitions provide statistical confidence in the 500ms response time.

Rationale: IEC 60601-1 Type CF compliance must be verified by electrical safety testing per the standard's prescribed test methodology. These limits are absolute safety boundaries that cannot be relaxed.

Rationale: Integration test for energy pedal CAN interface. 100-event sample provides statistical confidence on latency performance. Isolation test verifies patient safety protection against return current paths through the pedal cable.

Rationale: Clutch interface must be verified under bus-congestion conditions matching realistic surgical use where configuration and telemetry traffic competes for bus bandwidth.

Rationale: Patient privacy audit: USB traffic analysis is the only reliable method to confirm that raw audio does not leave the Voice Command Module, as software assertions could be bypassed by firmware update.

Rationale: Lock-out timing is safety-critical: an adjustment command accepted after state transition but before lock-out completes could shift master arm calibration. Test verifies both the timing bound and that the rejection is active across the full state transition window.

Rationale: End-to-end test validates that the Surgeon Input Console correctly multiplexes simultaneous motion and energy commands through independent paths without cross-interference, which cannot be verified by testing each interface in isolation.

Rationale: SIL2 certification is verified by third-party assessment of the safety case, not by in-house bench test alone.

Rationale: Haptic processor redundancy is a safety-critical function; fault injection testing on the integration bench is the only method that can directly measure switchover latency under controlled conditions without risk to a patient.

Rationale: Stability must be demonstrated across the full operating envelope; an isolated soft-tissue or single-ratio pass is insufficient because instability is a boundary phenomenon.

Rationale: UPS transfer timing must be verified under actual surgical load at worst-case input voltage; simulation cannot capture the real contactor and controller behavior during a live mains dropout.

Rationale: Session management is the data path for surgical case configuration and instrument profile loading. Latency and integrity verification under soak conditions catches USB buffer issues and driver-level race conditions that only manifest after sustained operation.

Rationale: Hardware-in-the-loop testing against the actual WSE FPGA firmware is the only method to verify the 1-cycle rejection latency under real interrupt timing. Simulation cannot accurately model FPGA-level preemption.

Rationale: Mechanical jig actuation eliminates human reaction time variation. Logic analyser timestamps provide sub-microsecond precision needed to distinguish 50ms pass/fail boundary. 200 samples per function provides statistical confidence on the latency tail.

Rationale: Software-only timing measurement cannot exclude OS scheduling effects. Hardware logic analyser provides ground-truth latency independent of the kernel under test. 10,000 events provides statistical confidence >3-sigma for rare worst-case conditions.

Rationale: Combined WER and latency test using standardised noise conditions matches the surgical theatre acoustic environment. 500-item vocabulary covers the full command set plus confusables. Multi-speaker sample ensures the 5 percent WER criterion is not passed by a model overfitted to a single accent.

Rationale: Blanked operator displays ensure the test is not contaminated by accidental operator input. 50ms sub-budget is the SIS internal allocation within the 250ms system budget. Fault injection controller provides controlled, repeatable fault conditions isolated from normal operation.

Rationale: Authentication is a regulatory control; demonstration by qualified test engineers is the required verification method under IEC 62304 for software safety requirements. The audit trail check ensures the control is forensically traceable, not just functionally correct.

Rationale: Cosine-corrected irradiance meter matches tissue surface geometry. 30-minute duration exceeds typical surgical procedure phase length to detect drift. Direct measurement is the only reliable verification method for a photon dose safety limit.

Rationale: Cold-start verification from power-off state, not warm reboot, is the clinically relevant scenario. 10 repeats provide statistical confidence across power-supply and thermal variation. The 90-second criterion directly matches the pre-operative scrub-in workflow window.

Rationale: Hardware timestamping eliminates OS scheduling jitter from the measurement. 1,000-frame sample covers statistically rare worst-case IPP pipeline stalls. 2ms budget is the IPP allocation within the 33.3ms surgeon-to-display path.

Rationale: Fault injection test is the only method to verify graceful degradation without relying on a real hardware failure. The check on alternative input channels confirms the voice module is correctly isolated from the critical motion control path, not just that the fault detection works.

Rationale: 180 minutes exceeds the 95th-percentile robotic procedure duration, providing confidence the recorder does not exhibit buffer overflow or storage performance degradation over typical procedure lengths.

Rationale: 10000 cycles at 1kHz provides a 10-second sample per run, repeated over 30 minutes to catch thermal drift and bus saturation effects. The 99.9th percentile criterion aligns with the haptic transparency requirement where occasional single-cycle exceedances are perceptible but rare.

Rationale: Tissue phantom replicates 10mm optical path specified in SUB-MAIN-020. Photodiode measurement is ground truth for irradiance. SNR >3:1 is the published clinical utility threshold for ICG sentinel node mapping. Mode switch measured with hardware timer to exclude display latency.

Rationale: Spectral analysis of the pose stream is the most reliable method to verify the actual output rate independent of internal timestamps. The 10kHz instrumentation sample rate provides Nyquist margin above the 1kHz criterion. Quantisation is verified by calculating minimum position step in recorded trajectory data.

Rationale: Demonstration by a trained operator reflects real-world intraoperative access patterns. Frame-synchronous switching avoids tearing artefacts which could disorient the surgeon.

Rationale: Step input characterisation is the standard method for actuator latency measurement. Force plate at 10kHz provides resolution well above the 1ms criterion. The 90 percent threshold for latency avoids confounding rise time with latency in the time-domain measurement.

Rationale: Calibrated force applicator provides ground-truth reference independent of the sensor under test. Multi-axis testing is necessary because cable-driven instruments exhibit cross-axis coupling; each axis must be independently verified.

Rationale: 100-event sample provides statistical confidence on the 50ms upper bound with probability of passing by chance less than 0.001 for a system with 60ms true latency. The downstream motion cessation check closes the loop to confirm inhibit propagation reaches the instrument, not just the console output.

Rationale: The 2N limit is a patient safety threshold derived from tissue fragility models. Verification with in-line load cell provides calibrated ground truth independent of the actuator control firmware. Testing at values above the limit verifies the saturation behaviour, not just nominal operation.

Rationale: IEC 62304 and MDR compliance are regulatory obligations verified by notified body inspection, not by functional test. The audit-and-inspection method matches the regulatory assurance activity required for CE marking.

Rationale: Dielectric withstand test at 500V is the IEC 60601-1 mandatory type test for BF applied parts. This is the regulatory gold standard; simulation cannot substitute for high-voltage breakdown testing.

Rationale: Direct exception injection is the only reliable method to verify software failsafe behaviour without waiting for a real fault. Timing of safe-state broadcast is measured at the bus level to capture total system latency including exception handler execution time.

Rationale: Hardware-synchronised timestamps eliminate clock drift error from the measurement. 60,000 frames captures rare burst-traffic interactions. 3ms is the CDMS allocation within the 100ms system command latency budget.

Rationale: Integration test verifying that the optical receiver and SERDES layer deliver frames to the Real-Time Protocol Engine within the timing specification required for SUB-MAIN-071 compliance.

Rationale: Simultaneous full-load testing validates PDR does not degrade control loop performance via resource contention. Timestamp jitter analysis detects DMA buffer overruns that would compromise forensic value of recordings.

Rationale: EtherCAT process data object structure and timing must be verified at the subsystem integration level before patient-side cart integration. A 2-node bench test validates the topology management and per-node fault isolation behaviour defined in SUB-MAIN-074.

Rationale: 60,000 cycles provides >99.9% confidence interval for rare worst-case branch paths. Watchdog timer provides independent overrun detection separate from the instrumented timing, preventing self-referential measurement errors.

Rationale: The 60-minute soak validates steady-state NVMe write performance under sustained 1kHz load, including garbage collection pauses that might delay individual DMA completions. Sequence number verification provides a comprehensive check on data completeness without relying on file size alone.

Rationale: 10-400W monopolar range covers standard laparoscopic and open surgical applications. RF wattmeter provides calibrated power measurement per IEC 60601-2-2. ±5% accuracy is the maximum tolerable power error for tissue effect repeatability.

Rationale: IFC-MAIN-025 has no existing verification entry. This test validates the shared-memory ring buffer pathway between the two software components on the Real-Time Compute Node, ensuring no priority inversion or scheduler jitter causes a velocity command to be silently dropped or delayed beyond the pipeline budget.

Rationale: Concurrent RF+ultrasonic activation is the failure mode that can cause uncontrolled tissue heating. 1,000 concurrent command pair test provides statistical confidence that the mutex logic has no race-condition path. Must be tested at the hardware interface level, not software simulation.

Rationale: Integration test verifying IFC-MAIN-024 interface compliance end-to-end at the component boundary, covering both the frequency-domain and timing properties required for safe motion command delivery.

Rationale: Ex-vivo tissue testing provides the ground-truth biological reference for impedance-based seal detection. Histological confirmation eliminates observer bias. 500ms detection window prevents energy over-delivery which causes thermal spread injury.

Rationale: Integration test verifying IFC-MAIN-025 scaling accuracy, velocity clamping safety, and data integrity across the Motion Scaling to Trajectory Generator boundary.

Rationale: Automatic timeout is the primary guard against unintentional tissue damage from persistent energy delivery. 10ms overshoot tolerance accounts for RTOS task scheduling. Test at three timeout values verifies the timer across different operational contexts.

Rationale: Validates IFC-MAIN-026 interpolated pose delivery, timing integrity, and abort-on-violation behavior at the Trajectory Generator to Kinematics Engine boundary.

Rationale: IEC 60601-1 compliance certification requires accredited third-party laboratory testing — self-certification is not accepted by notified bodies for Class IIb medical devices. Accreditation is a regulatory prerequisite for CE marking and FDA 510(k) submission.

Rationale: Validates IFC-MAIN-027 joint angle delivery rate, magnitude continuity, and fault rejection at the Kinematics Engine to Joint Servo Controller boundary.

Rationale: Direct kinematic measurement at each prescribed ratio is the authoritative test. 1% tolerance reflects achievable precision of cable-driven instrument actuation. Six-DOF uniform application prevents axis-dependent scaling errors that cause surgeon disorientation.

Rationale: Validates the IFC-MAIN-028 proximity enforcement channel under realistic anatomy-boundary approach conditions, confirming that the WSE repulsive constraint prevents boundary violation at the required response latency.

Rationale: HIL testing allows precise boundary approach scenarios that are infeasible on physical hardware without collision risk. Boundary clamping prevents instrument-tissue collision caused by commanded trajectories that exceed reachable workspace.

Rationale: End-to-end system integration test exercises the complete Tremor Rejection Filter to Joint Servo Controller chain simultaneously, confirming that pipeline latency, tremor rejection, safety enforcement, and reliability figures are all met together under peak load, not just in isolation.

Rationale: Testing at multiples of the limit (110%, 150%, 200%) verifies the saturation logic holds under extreme over-command conditions that might occur if scaling parameters are incorrectly configured. Safety saturation event enables autonomous loop review of velocity limit violations.

Rationale: IFC-MAIN-001 specifies the joint force safety limit interface. This test validates the 2ms detection latency required for safe force limiting — failure to detect within this window risks tissue damage or structural overload. 1000-cycle statistical basis required due to IEC 62061 SIL 2 demands on the safety function.

Rationale: Logic analyser provides hardware-level ground truth for power sequencing independent of firmware reporting. 20 cold-start cycles tests consistency across power-supply voltage variation within tolerance. 100ms margin prevents sequencing race conditions during transient loads.

Rationale: IFC-MAIN-002 defines the hardwired E-stop interface to servo power. The 150ms de-energisation budget is derived from IEC 60601-1 general collapse time limit for Class II medical devices; failure to de-energise risks operator injury from uncontrolled arm motion. Physical actuation testing is mandatory — simulation cannot validate the hardware interlock chain.

Rationale: Physical power removal test is the only reliable method to validate auxiliary hold-up time under real capacitor state-of-charge conditions. 60 seconds exceeds the safe-state procedure time to confirm the system can execute full shutdown without main power.

Rationale: Known disparity pattern provides quantitative ground truth for stereoscopic processing accuracy. Testing with all enhancement modes active verifies that image processing algorithms do not corrupt inter-frame phase relationships required for depth calculation.

Rationale: IFC-MAIN-001 defines the joint force safety detection interface at 1kHz. The 2ms limit is derived from the 5ms total safety response budget under IEC 62061 SIL 2. Statistical basis of 1000 cycles required for SIL 2 probability of failure on demand.

Rationale: Activation latency directly affects surgeon cut/coagulate feel. 100ms is the maximum delay before the surgeon perceives a response lag. Testing at three power levels verifies the power ramp rate is consistent across the full range, not only at nominal settings.

Rationale: IFC-MAIN-002 defines the hardwired E-stop to servo drive interface. The 150ms de-energisation budget is set by IEC 60601-1 clause 9.8.3 maximum permitted collapse time for active implant-class devices. Physical actuation mandatory — simulation cannot validate the HW interlock chain.

Rationale: 55.5kHz ±200Hz is the manufacturers tolerance band for ultrasonic transducer resonance. Frequency deviation beyond this band causes off-resonance operation, reducing cavitation efficiency and increasing transducer heating. Harmonic check ensures mechanical resonance does not activate tissue at unexpected frequencies.

Rationale: IFC-MAIN-003 requires the Communication Monitor to expose CRC errors on the fibre link within one frame period. Verification requires BER injection because real-world fibre faults are too infrequent to validate statistically in test; the no-false-alarm threshold prevents nuisance shutdowns under IEC 62061 SIL 2 diagnostic coverage requirements.

Rationale: Sequence error and CRC failure injection replicates the electromagnetic interference conditions expected in an OR environment. Three injection rates test normal noise, degraded link, and burst-fault scenarios. 1ms response matches the 1kHz RTPE cycle period — critical for maintaining kinematic continuity.

Rationale: IFC-MAIN-004 specifies the Safe State Manager broadcast timing that gates downstream subsystem response. The 5ms broadcast budget and 10ms acknowledgement window are derived from the overall 150ms E-stop response chain; missing this window causes subsystems to act on stale state.

Rationale: Haptic rendering fidelity is central to safe tissue manipulation — rendering delay >10ms breaks surgeon sensorimotor loop. 15% magnitude tolerance reflects the haptic JND (just-noticeable difference) threshold for surgical tactile tasks.

Rationale: IFC-MAIN-005 defines the surgeon console to motion scaling command interface. The 100ms end-to-end latency budget is the clinically established threshold for transparent teleoperation; exceeding it causes surgeon disorientation and loss of feel. Test at 200Hz exercises the interface beyond nominal rate to confirm no buffer overflow or frame drop degradation.

Rationale: EtherCAT distributed clock jitter >1μs causes inter-axis coordination errors at 1kHz update rates, producing visible vibration artefacts. Network oscilloscope measures the actual hardware SYNC0 timing, independent of application-layer reporting.

Rationale: IFC-MAIN-006 specifies the 250Hz joint command rate that drives servo loop stability. Jitter above 500us causes the servo PID to perceive command steps rather than smooth trajectories, degrading tip positioning accuracy. Thirty-minute duration covers a typical operative case to detect thermal or load-dependent drift.

Rationale: 8th-order Butterworth specification mandates the pass/stop band boundary at 8Hz. Zero-phase requirement prevents the filter from adding predictive bias to surgeon intent, which would cause over/undershoot in intentional motions. Direct frequency sweep is the only reliable method to characterise a real-time DSP filter.

Rationale: IFC-MAIN-007 defines the safety heartbeat interface that provides liveness monitoring between subsystems. The 110ms detection window equals two missed heartbeat periods; the recovery time ensures the system can resume operation without manual reset after transient link failures, reducing unnecessary procedure interruptions.

Rationale: Physical friction induction replicates real joint-error conditions (cable stretch, mechanism wear) more faithfully than software simulation. 20ms response time allocates one-fifth of the 100ms command-to-arm latency budget to the servo error detection path.

Rationale: IFC-MAIN-008 defines the stereo video interface from imaging to display. The 100ms latency limit is the clinical threshold for visual-motor coordination; ΔE<2 is the clinical colour reproduction standard for surgical tissue discrimination. Sixty-minute run mirrors a typical laparoscopic case duration.

Rationale: PDR throughput must be tested under simultaneous full-data-rate conditions — kinematic at 1kHz and stereo video at 60Hz create correlated burst patterns that a sequential throughput test would miss. 2ms p99 write latency prevents DMA buffer overflow on the RTPE thread.

Rationale: IFC-MAIN-009 defines the torque feedback interface from instrument to motion control, which drives the haptic rendering and safety torque limiting. The 500Hz rate is set by the haptic loop update frequency; errors above 5% cause inaccurate haptic rendering and unreliable safety limiting.

Rationale: Independent hash computation provides a tamper-evidence baseline for regulatory audit trail purposes (EU MDR Article 83). Verifying the hash is stored in a tamper-evident header ensures the integrity check itself cannot be silently overwritten.

Rationale: IFC-MAIN-010 defines the dual-channel endoscope to CCU interface. Inter-channel sync within 500us is required for stereopsis: timing errors above this threshold introduce perceived depth distortion that impairs surgical judgement. SNR >50dB ensures image quality does not degrade under LED illumination at minimum intensity.

Rationale: Thermal chamber testing provides controlled, repeatable temperature conditions independent of ambient variation. The real-time constraint (zero missed deadlines) must be verified at elevated temperature because thermal throttling changes memory bus timing and cache hit rates.

Rationale: System-level integration test validates the full teleoperation chain as an assembled system. Individual subsystem tests cannot reveal timing interactions across the fibre link, shared compute resources, or priority conflicts on the real-time bus that only emerge under concurrent load. This test is the primary evidence for surgical effectiveness claims.

Rationale: RFC 2544 is the standard bidirectional throughput test methodology for point-to-point links. 10 Gbps supports simultaneous 1kHz kinematic commands (small frame, high rate) plus 4K stereo video (large frame, 60Hz) with 30% margin. 10-minute sustained load validates thermal stability of the optical transceiver under continuous operation.

Rationale: IFC-MAIN-011 defines the haptic force rendering interface. The 15ms render latency budget is the threshold for perceptual transparency in force-feedback teleoperation; exceeding it causes time-domain distortion that reduces surgical sensitivity. The ±10% accuracy threshold is set by the minimum force resolution clinically meaningful for tissue differentiation.

Rationale: IFC-MAIN-012 defines the UPS interface between Power Management Subsystem and mains supply. The 20ms switchover limit prevents servo control loop dropout; 10-minute UPS run time allows a controlled procedure termination. Testing with actual supply interruption is required — power supply simulation cannot reproduce inrush dynamics of the real switchover.

Rationale: IFC-MAIN-013 defines the Energy Delivery Controller to Electrosurgical Generator activation interface. The 500ms power-on time is acceptable for surgical energy tools; the 100ms off time is safety-critical to prevent inadvertent tissue damage after command withdrawal. Mandatory return electrode check verifies patient protection function.

Rationale: IFC-MAIN-020 defines instrument recognition interface. The 2-second recognition window is the maximum acceptable delay between instrument coupling and system readiness; false acceptance of expired instruments risks patient infection or instrument mechanical failure during procedure.

Rationale: Integration test confirms CAN FD frame throughput and latency budget under realistic 12-channel load, plus electrical isolation integrity per IEC 60601-1 reinforced insulation requirements.

Rationale: Pulse load test replicates worst-case six-axis arm energisation. Continuous test confirms thermal rating of connectors and cabling at sustained surgical operation current.

Rationale: Timing test confirms mode acknowledgement meets the 50 ms requirement; CAN-bus disconnected test confirms discrete fallback operation critical to the safety argument that auxiliary circuits remain controllable during bus faults.

Rationale: Tests the full leakage detection and branch isolation response chain per IEC 60601-1 clause 8.7.3; adjacent-branch isolation confirmation prevents common-mode removal of healthy circuits.

Rationale: End-to-end transfer time measurement confirms the 30 ms budget derived from joint servo controller fault tolerance; measurement at the PDU rail catches any delay in switching circuitry that bench tests of individual components might miss.

Rationale: SoC accuracy test at multiple discharge points confirms calibration over the full operating range specified in SUB-MAIN-090; low-battery alert timing is verified at the exact 25% threshold.

Rationale: Load regulation test confirms the plus or minus 2% output accuracy across the full load range; battery endurance test at full rated load confirms the 20-minute minimum independent operation specified in SUB-MAIN-092.

Rationale: Integration test to verify that all four DOF of the Instrument Drive Unit meet the positional accuracy and response time required for precise surgical manipulation.

Rationale: Integration test to verify the Tool Tip Articulation Controller compensates for real-world cable elongation and maintains sub-millimetre tip accuracy at clinical motion rates.

Rationale: Integration test to verify the lifecycle enforcement boundary conditions, including the exact rejection threshold and audit trail — both are required for IEC 62061 and FDA 21 CFR Part 820 traceability of reprocessable instruments.

Rationale: SIL 3 compliance requires independent assessment per IEC 62061 clause 12; self-assessment is not acceptable for certification. Pass criterion is the IEC 62061 SIL 3 PFH boundary.

Rationale: Verification of REQ-SESURGICALROBOT-094 (PDR redundancy). Storage failover must be tested under realistic intraoperative conditions including concurrent video and telemetry streams; passive inspection cannot verify failover timing or data continuity.

Rationale: Fault injection testing of watchdog failover verifies the real-time response and state preservation guarantees under controlled failure conditions, with repeatability check to confirm no timing jitter.

Rationale: Verification of REQ-SESURGICALROBOT-097 (PMS redundant power). Switchover timing must be verified under realistic load conditions; a 5ms criterion cannot be verified by inspection of design documents alone; UPS capacity test requires bench-level endurance measurement.

Rationale: Live fault injection test on integrated haptic hardware verifies degraded-mode entry timing and the 0.3N braking force value are within the specified limits, and that the surgeon retains kinematic control during the degraded state.

Rationale: Active penetration testing of the HMAC authentication boundary verifies both the authentication logic and the security audit trail under representative attack scenarios.

Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component.

Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component.

Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component.

Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component.

Rationale: Hardwired E-stop interlock is the last hardware defence against uncontrolled joint motion. 10ms drop requirement derived from worst-case contact-open detection delay plus contactor release time; if contactors remain energised, drives remain powered and a faulty motion command can cause patient harm.

Rationale: Hardwired E-stop interlock is the last hardware defence against uncontrolled joint motion. 10ms drop derived from worst-case contact-open detection delay plus contactor release time; failure to drop keeps drives powered and enables uncontrolled motion under a faulty command.

Rationale: Heartbeat monitors liveness of MCS to watchdog path; loss of heartbeat must trigger SAFE-HOLD to prevent unmonitored motion. 20ms limit keeps total detection-to-stop time under 50ms worst case.

Rationale: Cable overtension can snap instrument cables causing patient injury; this interface carries the primary measurement that drives lockout. Verification proves the data path and flag encoding are correct before integration with live surgical instruments.

Rationale: Correct cable displacement delivery is prerequisite for accurate instrument tip positioning; errors propagate directly to surgical accuracy. Kinematic model validation at the interface catches encoding or scaling errors before instrument assembly.

Rationale: Instrument lifecycle lockout prevents reuse of expired or contaminated instruments. This interface carries safety-critical lockout commands; failure to deliver or act on them enables patient infection or mechanical failure from worn instruments.

Rationale: The command stream from console to patient cart is the primary teleoperation data path; latency above 5ms degrades surgeon feel and tracking precision, and dropped frames cause motion discontinuities that risk tissue damage.

Rationale: P99 measurement over 10,000 frames characterises worst-case latency including interrupt service variability. Hardware timestamps eliminate OS jitter from the measurement.

Rationale: Relay-controlled break ensures repeatable fault injection. Oscilloscope measurement captures FPGA-level switchover independent of host software latency. 20 trials provide statistical confidence on switchover time distribution.

Rationale: BERT injection provides controlled, repeatable bit error rates. Two monitoring cycles (20ms) reflects the 100Hz poll rate, ensuring classification occurs within two expected sample periods.

Rationale: Oscilloscope measurement on LVDS line captures hardware-layer timing independent of software. 10 trials verify consistency of the FPGA-based fault detection path.

Rationale: Kernel tracepoints measure the DMA path without requiring hardware instrumentation. RTPE jitter comparison verifies the recording path does not interfere with the hard real-time control loop.

Rationale: Immersion test replicates worst-case field disinfection practice. The three-component scope covers the components most exposed to disinfectant ingress during intraoperative instrument exchange.

Rationale: Third-party accredited testing is required for regulatory submission under EU MDR and FDA 510k. Pass/fail criteria match the standard's limits for Class I medical electrical equipment.

Rationale: SIL 2 demonstration under IEC 62061 requires documented fault tree analysis and FMEA with quantified PFHd. Hardware testing alone cannot demonstrate a 1E-7/hour failure rate; probabilistic analysis is the accepted method for safety integrity verification.

Rationale: Live failover injection test is the only way to verify the 5ms and 20ms timing requirements under realistic load. Simulation cannot capture real OS scheduling latency and hardware detection timing.

Rationale: Haptic switchover must be verified under operational conditions because OS process scheduling under load differs from idle state. The 0.05N perceptible threshold is derived from psychophysics literature on force JND at the fingertip during fine manipulation.

Rationale: VAC measurement requires optical instrumentation; human subject testing with surgeons is impractical at verification stage. 0.6 dioptre threshold is from ISO 9241-302 and published stereoscopic ergonomics literature.

Rationale: Authentication rejection must be verified at scale to confirm the system is not vulnerable to replay attacks or timing side-channels. 10,000 injected messages stress the authentication pipeline at operational data rates. SAFE_HOLD trigger verification confirms the escalation path is functional.

Rationale: Accredited laboratory testing with UKAS/ILAC accreditation is required for CE marking under MDR 2017/745 and cannot be replaced by in-house bench testing. The specific pass criteria (0.5mm position error, no spurious E-stop) define what constitutes essential performance per IEC 60601-1-2 Annex A for this system class.

Rationale: Accredited laboratory testing is required for CE marking under MDR 2017/745. The 0.5mm position error pass criterion defines essential performance per IEC 60601-1-2 Annex A for this system class; no spurious E-stop criterion ensures the immunity testing environment does not trigger the safety system.

Rationale: Hardware-in-the-loop test on the actual patient-side cart mechanical assembly is required because inter-arm clearance depends on the precise kinematic model including cable deflection under load; simulation alone is insufficient. All three arm-pair combinations must be tested because asymmetric cable routing creates different compliance characteristics per pair.

Rationale: IEC 60601-1-8 Clause 6.8 requires each alarm signal to be verified by functional test against the standard tables. The 65 dB(A) minimum level ensures alarms are audible over typical OR background noise (55-60 dB(A)). Battery continuity must be tested in the integrated system rather than simulation because alarm circuitry involves the display, audio, and power management subsystems together.