System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| IEC 60204 | — |
| IEC 60204-1 | — |
| IEC 60601-1 | Medical electrical equipment — General requirements for basic safety and essential performance |
| IEC 60601-1-1 | Medical electrical equipment — General requirements for basic safety and essential performance |
| IEC 60601-1-2 | EMC requirements and tests for medical electrical equipment |
| IEC 60601-1-6 | Medical electrical equipment — General requirements for basic safety and essential performance |
| IEC 60601-1-8 | Alarm systems — General requirements, tests, and guidance |
| IEC 60601-2-18 | — |
| IEC 60601-2-2 | — |
| IEC 61000-4-2 | — |
| IEC 61000-4-3 | Electromagnetic compatibility — Radiated, radio-frequency, electromagnetic field immunity test |
| IEC 61000-4-6 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-1 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61800-3 | — |
| IEC 62061 | — |
| IEC 62133 | — |
| IEC 62304 | Medical device software — Software life cycle processes |
| IEC 62353 | — |
| IEC 62366 | — |
| IEC 62366-1 | — |
| IEC 62443 | Industrial communication networks — Network and system security |
| IEC 62443-3-3 | System security requirements and security levels |
| IEC 62443-4-2 | Industrial communication networks — Network and system security |
| IEC 80001-1 | — |
| IEC 80601-2-77 | Particular requirements for the basic safety and essential performance of robotically assisted surgical equipment |
| IEC 81001-5-1 | — |
| IEEE 1588 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 1588v2 | Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems |
| IEEE 754 | — |
| IEEE 802.1Qbv | — |
| ISO 10218-1 | Robotics — Safety requirements for industrial robots — Part 1: Robots |
| ISO 11135 | — |
| ISO 11607-1 | — |
| ISO 13482 | — |
| ISO 13485 | Medical devices — Quality management systems — Requirements for regulatory purposes |
| ISO 14971 | Medical devices — Application of risk management to medical devices |
| ISO 17665 | — |
| ISO 9241-302 | — |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| DHF | Design History File |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-MAIN-001 | The system SHALL enable surgeons to perform minimally invasive procedures with sub-millimetre tip precision, 3D visualisation, and hand-tremor elimination, reducing incision trauma compared to open surgery. Rationale: Core value proposition of the surgical robot — patients require reduced trauma and recovery time; surgeons require precision beyond unaided manual capability for complex anatomical regions. | Test | stakeholder, core-capability, session-341, idempotency:stk-precision-001-341 |
| STK-MAIN-002 | The system SHALL not deliver uncontrolled force, energy, or motion to the patient at any time, including during power failure, communication loss, instrument fault, or operator error. Rationale: Fundamental patient safety obligation. Uncontrolled actuator motion or energy delivery during loss of control is a Class III hazard (irreversible patient harm). Regulatory bodies (FDA 510(k), MDR) mandate fault-containment as a baseline approval criterion. | Test | stakeholder, safety, session-341, idempotency:stk-safety-001-341 |
| STK-MAIN-003 | The system SHALL integrate with existing operating room infrastructure including hospital networks, anaesthesia monitoring systems, and electrosurgery generators without requiring room modification. Rationale: Hospitals will not accept systems requiring structural OR modifications; retrofit-free integration is a purchasing prerequisite for the majority of target customers and is mandated by facilities management policies. | Inspection | stakeholder, integration, session-341, idempotency:stk-or-integration-001-341 |
| STK-MAIN-004 | All patient-side components entering or approaching the sterile field SHALL be designed for draping, sterilisation, or single-use, maintaining sterility throughout the procedure duration. Rationale: Surgical site infection (SSI) is a primary post-operative complication; regulatory sterility requirements (ISO 13485, EU MDR Annex I) impose design obligations. Breach of sterile field is a never-event in regulated healthcare environments. | Inspection | stakeholder, sterility, session-341, idempotency:stk-sterility-001-341 |
| STK-MAIN-005 | The surgeon console SHALL be ergonomically operable for procedures of up to 4 hours duration without inducing physical fatigue, and SHALL support a structured simulation-based training pathway to proficiency. Rationale: Surgeon fatigue during long procedures increases error rate and is a patient safety risk; ergonomic design is required by IEC 62366 (usability). Simulation training pathway is required by hospital credentialing committees before granting robotic surgery privileges. | Test | stakeholder, ergonomics, training, session-341, idempotency:stk-ergonomics-001-341 |
| STK-MAIN-009 | Surgeons shall be able to perform minimally invasive procedures with instrument precision exceeding freehand capability, including motion scaling and tremor elimination. Rationale: Fundamental stakeholder need: surgical robot adoption is justified only if it enables operations beyond freehand limits. | Demonstration | stakeholder, precision, session-340 |
| STK-MAIN-010 | The system shall prevent inadvertent patient tissue damage caused by control errors, communication failures, or unintended instrument motion. Rationale: Regulatory requirement per ISO 13485 and IEC 60601-1: active surgical devices cannot create new patient hazards. Uncontrolled instrument motion in a body cavity is immediately life-threatening. | Test | stakeholder, safety, session-340 |
| STK-MAIN-011 | All components contacting the patient or operating within the sterile field shall be sterilisable or provided as sterile-draped without compromising system function. Rationale: Infection control and regulatory requirement: surgical site infection from non-sterile instrumentation can be fatal; EN ISO 11135 sterilisation standards must be met for EU and US market approval. | Inspection | stakeholder, sterility, session-340 |
| STK-MAIN-012 | The surgeon shall maintain full situational awareness through high-definition 3D visualisation of the surgical field at all times during an active procedure. Rationale: Stakeholder need from surgical user research: loss of visual feedback during robotic surgery is the leading cause of conversion to open surgery; 3D HD stereo has been shown to reduce depth-perception errors by 40% vs. 2D in laparoscopic studies. | Demonstration | stakeholder, vision, session-340 |
| STK-MAIN-013 | The system shall enable rapid instrument exchange during a procedure without breaking the sterile field or requiring scrub nurse re-draping. Rationale: Operational efficiency requirement: laparoscopic procedures require 8-15 instrument changes on average; each break in sterility adds risk and OR time, increasing cost and infection probability. | Demonstration | stakeholder, workflow, session-340 |
| STK-MAIN-014 | The system shall support clinical data recording for post-operative review, audit, and regulatory reporting of each procedure. Rationale: Hospital governance and regulatory mandate: EU MDR Article 83 and FDA 21 CFR Part 820 require post-market surveillance data; malpractice liability creates institutional demand for full procedure recording. | Inspection | stakeholder, data, session-340 |
| STK-MAIN-015 | The system shall operate continuously for at least 8 hours without requiring maintenance intervention during scheduled surgical lists. Rationale: Operational requirement from theatre schedulers: a typical surgical list runs 7-9 hours with up to 4 procedures; unplanned system downtime forces cancellation, increasing patient waiting lists and OR costs. | Test | stakeholder, availability, session-340 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-MAIN-001 | The system SHALL provide master-to-slave motion scaling from 1:1 to 10:1 with <1ms end-to-end control loop latency and tip position repeatability of ±0.1mm under nominal OR conditions. Rationale: Sub-millimetre precision (STK-MAIN-001) requires quantified latency and repeatability: >1ms control loop latency introduces perceptible lag causing surgical error; ±0.1mm repeatability matches fine suture placement requirements in cardiovascular and ENT surgery. | Test | rt-mechanical-trace, red-team-session-502 |
| SYS-MAIN-002 | The system SHALL detect any single-point failure (communication loss, power fault, sensor fault, software exception) and achieve a safe state (all joints braked, energy de-energised) within 250ms of fault onset. Rationale: 250ms is derived from maximum safe uncontrolled instrument travel distance (<0.5mm at typical 2mm/s max tip velocity) — a hard limit from hazard analysis. Single-point failure coverage required for SIL 3 classification under IEC 62061. | Test | rt-mechanical-trace, red-team-session-502 |
| SYS-MAIN-003 | The system SHALL provide the surgeon with stereoscopic 3D high-definition video (minimum 1080p per eye at 60Hz) with colour fidelity sufficient for tissue and bleeding discrimination, at <100ms end-to-end video latency. Rationale: 60Hz 3D video prevents perception of flicker; <100ms latency is the threshold above which surgeons report disorientation (clinical usability studies). Tissue colour discrimination is safety-critical for distinguishing healthy and ischaemic tissue. | Test | system, imaging, performance, session-341, idempotency:sys-imaging-quality-001-341 |
| SYS-MAIN-004 | The system SHALL measure instrument-tissue interaction forces at the instrument tip with resolution of ≤0.1N over a range of 0–10N and transmit force feedback cues to the surgeon's master manipulator with fidelity sufficient to distinguish tissue planes. Rationale: Haptic feedback prevents inadvertent excessive tissue force; ≤0.1N resolution is required to feel tissue-plane transitions (typically 0.2–0.5N differential). Without force feedback, suture breakage rates and inadvertent organ perforation increase (documented in clinical literature). | Test | system, haptics, force, session-341, idempotency:sys-force-sensing-001-341 |
| SYS-MAIN-005 | The system SHALL maintain controlled arm position and instrument retraction capability for a minimum of 60 seconds following loss of mains power, sufficient to complete safe withdrawal of all instruments from the patient. Rationale: Mains power failure during active surgery is a known hazard; uncontrolled arm drop on mains loss is life-threatening. 60s battery bridge covers typical handoff time for instrument withdrawal based on human factors study of procedural steps. | Test | system, power, reliability, session-341, idempotency:sys-power-continuity-001-341 |
| SYS-MAIN-006 | All components rated for the sterile field SHALL be compatible with full fluid immersion using standard hospital disinfectants (IPA 70%, glutaraldehyde) or single-use disposability, and SHALL meet ISO 11135 sterilisation standards. Rationale: ISO 11135 and EU MDR Annex I mandate validated sterility assurance for patient-contacting devices. IPA 70% and glutaraldehyde are the standard biocides used in OR disinfection protocols; compatibility prevents material degradation and failure in service. | Test | system, sterility, compliance, session-341, idempotency:sys-sterile-compliance-001-341 |
| SYS-MAIN-007 | The Surgical Robot System SHALL transmit surgeon hand motion commands from master manipulator to instrument tip within 100ms end-to-end under all operating conditions. Rationale: Latency budget derived from human motor control studies: perceptible lag above 100ms disrupts surgeon proprioception and creates oscillatory overcorrection. Value validated by da Vinci and RAVEN II published performance data. | Test | system, latency, performance, session-340 |
| SYS-MAIN-008 | The Surgical Robot System SHALL provide selectable motion scaling ratios of 3:1, 5:1, and 10:1 between surgeon console input and instrument tip output. Rationale: Motion scaling enables micro-surgical precision: a 10mm surgeon hand movement produces a 1mm instrument movement at 10:1, enabling suturing of 1-2mm vessels not achievable with freehand technique. Three ratios cover different procedure types from gross to micro. | Test | system, motion-scaling, session-340 |
| SYS-MAIN-009 | The Surgical Robot System SHALL attenuate involuntary hand tremor frequency components above 6Hz by at least 40dB at the instrument tip. Rationale: Physiological tremor in surgeons is 8-12Hz at 0.1-0.5mm amplitude; at 10:1 motion scaling without filtration this would translate to unacceptable 0.01-0.05mm tip oscillation on delicate tissue. 6Hz cutoff preserves intentional motion bandwidth while removing tremor. | Test | system, tremor, session-340 |
| SYS-MAIN-010 | When an emergency stop command is issued via any input (surgeon foot pedal, bedside assistant button, or safety watchdog fault), the Surgical Robot System SHALL arrest all instrument motion and cut servo power within 50ms. Rationale: 50ms arrest time derived from worst-case instrument velocity of 50mm/s: at 50ms arrest, maximum overshoot is 2.5mm. Any larger overshoot risks laceration of adjacent tissue. This is an IEC 62304 SIL 3 safety function. | Test | rt-sil-gap, red-team-session-502 |
| SYS-MAIN-011 | The Surgical Robot System SHALL provide the surgeon with synchronised stereo HD video of the surgical field at 1080p per eye at 60Hz with end-to-end display latency below 50ms. Rationale: 50ms video latency budget is half the motor latency budget to ensure visual feedback arrives before the surgeon's corrective motion: higher video latency than motor latency causes the surgeon to over-correct. 1080p/60Hz matches clinical standard for high-fidelity tissue discrimination. | Test | system, vision, session-340 |
| SYS-MAIN-012 | The Surgical Robot System SHALL limit the force applied to patient tissue by any instrument tip to a maximum of 5N under normal operating conditions, with a safety cutoff at 8N triggering automatic clutch disengagement. Rationale: Tissue damage threshold studies show that inadvertent forces above 5N on bowel serosa or vessel walls cause serosal tears; 8N exceeds the tensile strength of small bowel mesentery. Dual thresholds allow warning before hard cutoff to avoid abrupt motion. | Test | rt-sil-gap, red-team-session-502 |
| SYS-MAIN-013 | The Surgical Robot System SHALL maintain full operational capability for a minimum of 8 consecutive hours without requiring maintenance, cooling, or consumable replacement. Rationale: Derived from STK-MAIN-015: surgical lists run 7-9 hours. System must outlast the list; thermal modelling of electronics and actuator duty cycles must confirm no performance degradation in the final hour of a maximum-length list. | Test | system, availability, session-340 |
| SYS-MAIN-014 | The Surgical Robot System SHALL enable patient-side robotic arm surfaces and instrument channels to be sterile-draped or autoclaved to EN ISO 17665 standard before each procedure. Rationale: Derived from STK-MAIN-011: all surface-contacting components must support validated sterilisation cycle. Autoclave compatibility restricts material selection (no ABS plastics, requires PEEK and 316L stainless on patient-contact surfaces). | Inspection | system, sterility, session-340 |
| SYS-MAIN-015 | The Surgical Robot System SHALL record all kinematic data, video streams, and system events at 1kHz temporal resolution to an encrypted on-system storage, retained for a minimum of 90 days. Rationale: Derived from STK-MAIN-014: EU MDR Article 83 and NHS clinical governance require procedure-level audit trails. 1kHz kinematics captures all motion events; 90-day retention covers most surgical complication investigation windows. | Inspection | system, data-recording, session-340 |
| SYS-MAIN-016 | When one instrument arm loses servo communication, the Surgical Robot System SHALL maintain full function on all remaining arms and alert the surgeon within 500ms, without requiring system restart. Rationale: Single-arm dropout must not abort a procedure mid-operation: patient is already prepared and open. Maintaining 2 of 3 arms allows the surgeon to complete critical steps before safely withdrawing. 500ms alert keeps surgeon awareness within one action cycle. | Test | system, degraded-mode, resilience, session-340 |
| SYS-MAIN-017 | The Surgical Robot System SHALL deliver controlled electrosurgical energy through robotic instruments in RF and ultrasonic modalities, with energy activation latency no greater than 100ms and deactivation latency no greater than 50ms from input command. Rationale: Electrosurgical energy delivery is a core surgical function of a robotic system. Activation and deactivation latency bounds are derived from IEC 60601-2-2 and clinical workflow requirements: 100ms activation is acceptable for surgeon intent recognition; 50ms deactivation is the safety-critical parameter preventing unintended tissue damage after the surgeon releases activation. | Test | system, energy-delivery, session-352 |
| SYS-MAIN-018 | The Surgical Robot System SHALL authenticate all safety-critical inter-subsystem command interfaces using cryptographic message authentication, ensuring that no unauthenticated command can reach a motion control, energy delivery, or safety-critical subsystem, with authentication failure triggering a safe-state transition within one control cycle. Rationale: IEC 62443-3-3 SR 1.2 requires authentication for all users, software processes, and devices that access control system resources. In a surgical robot, command injection at inter-subsystem interfaces represents a Class III medical device cybersecurity risk per FDA 2023 guidance. Authentication must be a system-level requirement so it cascades to all critical subsystems including KE, TG, RTPE, and TTAC. | Test | rt-sil-gap, red-team-session-502 |
| SYS-MAIN-019 | The Surgical Robot System SHALL comply with IEC 60601-1-2:2014 for healthcare facility environments, demonstrating immunity to radiated and conducted RF disturbances at professional healthcare facility levels and producing conducted and radiated emissions within Group 1 Class B limits. Rationale: The OR environment contains monopolar electrosurgical generators at 300kHz-3MHz and up to 400W, diathermy equipment, and wireless patient monitoring. IEC 60601-1-2 HPHE immunity compliance is mandatory for CE marking under MDR 2017/745 and directly mitigates risk of motion commands being corrupted by conducted interference from co-located electrosurgical equipment. | Test | system, emc, regulatory, validation, session-377 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-MAIN-001 | The Safety and Interlock Subsystem SHALL detect any single axis joint torque exceedance above 110% rated limit and initiate a controlled brake sequence within 50ms, and SHALL trigger an emergency stop within 20ms at 150% rated limit. Rationale: Graduated response: 50ms at 110% allows controlled deceleration reducing tissue trauma risk; immediate stop at 150% prevents structural damage to arm or patient. Thresholds derived from actuator datasheet maximum continuous and peak ratings. | Test | subsystem, sis, safety, session-341, idempotency:sub-sis-force-limits-001-341 |
| SUB-MAIN-002 | When communication latency between surgeon console and patient-side cart exceeds 20ms or 3 consecutive frames are lost, the Safety and Interlock Subsystem SHALL freeze all arm motion and hold joints at current position within 10ms of threshold breach. Rationale: 20ms / 3-frame threshold was selected as the point at which bilateral haptic control becomes unstable (Ryu et al. 2004 teleoperation stability criterion). At this threshold, uncontrolled arm motion during communication fault is safer than continued operation. | Test | subsystem, sis, safety, communication, session-341, idempotency:sub-sis-comms-loss-001-341 |
| SUB-MAIN-003 | The Safety and Interlock Subsystem SHALL achieve a complete safe state (all joints braked, all surgical energy de-energised) within 250ms of any safety event trigger, across all single-point failure modes. Rationale: 250ms system-level budget is derived from SYS-MAIN-002. This SUB requirement allocates the full system budget to SIS as the responsible subsystem; downstream subsystems (servo drives, energy generator) must respond within their share of this window. | Test | rt-sil-gap, red-team-session-502 |
| SUB-MAIN-004 | The Watchdog Timer Controller SHALL operate on a processor physically isolated from the motion control CPU and SHALL maintain braking authority independently of motion control software state. Rationale: Common-cause failure between safety monitor and controlled system is the primary SIL 3 architectural hazard. Physical isolation (separate processor, separate power rail, hardware brake authority) eliminates this common cause. Required by IEC 61508 SIL 3 architectural constraints (HFT=1). | Inspection | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-005 | The Emergency Stop Chain SHALL be a hardwired series loop independent of software, completing through all E-stop actuators (surgeon console, patient-side x3, facility), and SHALL de-energise servo drive contactors within 50ms of any break in the loop. Rationale: Software-controlled E-stop cannot be relied upon as a safety function because software faults (deadlock, exception) are the fault mode it is intended to protect against. Hardwired series-loop is the IEC 60204 standard for Category 0 stop in machinery. | Test | rt-sil-gap, red-team-session-502 |
| SUB-MAIN-006 | The Motion Control System SHALL execute the complete kinematic computation pipeline (tremor filter, motion scaling, inverse kinematics, safety enforcement, servo command) within 10ms per 1kHz cycle. Rationale: 10ms computation budget is the largest single allocation within the 100ms end-to-end system latency budget; remaining 90ms covers network (3ms), sensor acquisition (2ms), actuation settling (5ms), and display pipeline (50ms for video). If this budget is exceeded, the overall 100ms SYS-MAIN-007 cannot be met. | Test | subsystem, motion-control, performance, session-340 |
| SUB-MAIN-007 | The Motion Control System SHALL reject all Cartesian velocity command components above 6Hz by at least 40dB using the Tremor Rejection Filter before motion scaling is applied. Rationale: Derived from SYS-MAIN-009: tremor filtration must occur before motion scaling in the pipeline to prevent scaling up residual filter artefacts. 40dB attenuation at 6Hz cutoff reduces 0.3mm/s tremor amplitude to 0.03mm/s, within acceptable tissue contact tolerance at 5:1 scaling. | Test | subsystem, motion-control, tremor, session-340 |
| SUB-MAIN-008 | The Kinematics Engine SHALL compute joint-angle setpoints for all 7 DOF of a single instrument arm within 2ms of receiving a Cartesian end-effector command. Rationale: 2ms IK computation is the largest individual stage within the 10ms pipeline budget. Damped least-squares Jacobian pseudo-inverse complexity for 7-DOF is O(n^3) = O(343 FLOP), achievable in under 1ms on target hardware; 2ms includes singularity handling and redundancy resolution. | Test | subsystem, motion-control, kinematics, session-340 |
| SUB-MAIN-009 | The Joint Servo Controller SHALL achieve position tracking error below 0.1 degrees RMS during continuous trajectory following at maximum instrument velocity of 200mm/s tip speed. Rationale: 0.1-degree joint error at 570mm arm reach produces approximately 1mm tip error, which at 10:1 motion scaling maps to 0.1mm at the surgeon console — below the surgeon's proprioceptive discrimination threshold of 0.3mm. Derived from system-level tip accuracy requirement. | Test | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-010 | The Workspace Safety Enforcer SHALL prevent any joint-angle command that would exceed hardware end-stop minus 5-degree software margin, and SHALL enforce the trocar-pivoting constraint to within 2mm of the insertion point at the abdominal wall. Rationale: 5-degree software margin prevents mechanical joint binding under servo control; trocar-pivoting constraint to 2mm limits lateral force on the abdominal wall to under 2N based on tissue stiffness model, preventing port-site herniation or inadvertent viscus contact. | Test | subsystem, motion-control, safety, session-340 |
| SUB-MAIN-011 | The Real-Time Compute Node SHALL guarantee a worst-case interrupt latency of 50 microseconds on all Motion Control threads, and SHALL assert the hardware safety output within 5ms of detecting a motion-control thread heartbeat timeout. Rationale: 50 microsecond PREEMPT_RT latency is achievable on target hardware (Intel Xeon with kernel 6.x PREEMPT_RT, measured P99.99 latency <45us in qualification testing). 5ms watchdog assertion leaves 45ms for the Safety and Watchdog System to complete brake engagement within the 50ms emergency stop budget. | Test | rt-implausible-value, red-team-session-502 |
| SUB-MAIN-012 | The Safe State Manager SHALL initiate all safety state transitions automatically, without requiring any operator action. Recovery from SAFE-HOLD to OPERATIONAL SHALL require an explicit, deliberate surgeon re-engagement sequence. Rationale: Analog: Reactor Trip Subsystem (nuclear) requires automatic trip initiation — waiting for operator confirmation during a fault introduces unacceptable delay and human-error exposure. For surgical safety, the same principle applies: automatic entry to safe state, deliberate manual recovery. This design pattern is codified in IEC 61508 for safety instrumented systems. | Test | subsystem, sis, safety, auto-initiation, session-341, idempotency:sub-sis-auto-initiation-001-341 |
| SUB-MAIN-013 | The Stereo Endoscope SHALL provide a minimum optical resolution of 20 line pairs per millimetre across both channels, with less than 2% geometric distortion at the image periphery, to enable the surgeon to distinguish tissue structures at 0.5mm scale. Rationale: Sub-millimetre instrument precision (STK-MAIN-001) requires the surgeon to resolve tissue structures at 0.5mm, which demands 20 lp/mm optical resolution. 2% distortion limit prevents spatial misjudgement during instrument manipulation near field edges. | Test | subsystem, vision, endoscope, session-341, idempotency:sub-endoscope-resolution-341 |
| SUB-MAIN-014 | The Camera Control Unit SHALL maintain inter-channel synchronisation between left and right stereo video streams with temporal skew not exceeding 500 microseconds, to prevent stereoscopic fusion artifacts that could cause surgeon depth misjudgement. Rationale: Temporal skew above 500us between stereo channels causes perceptible depth shimmer during instrument motion at typical surgical velocities (5-20mm/s), degrading the surgeon's depth accuracy below the 1mm threshold required by SYS-MAIN-003. | Test | subsystem, vision, ccu, session-341, idempotency:sub-ccu-sync-341 |
| SUB-MAIN-015 | The Surgical Illumination Source SHALL regulate light intensity such that tissue surface temperature at the endoscope distal tip does not exceed 41 degrees Celsius under any operating mode, as measured at 10mm distance from the tip with tissue-equivalent thermal phantom. Rationale: IEC 60601-2-18 mandates maximum tissue temperature limits for endoscopic illumination. The 41C limit applies at the distal tip where energy density is highest. Closed-loop regulation is required because tissue reflectance varies 4x between organ types, making fixed intensity unsafe. | Test | subsystem, vision, illumination, session-341, idempotency:sub-illumination-thermal-341 |
| SUB-MAIN-016 | The Image Processing Pipeline SHALL add no more than 2ms total processing latency from input frame reception to output frame availability, measured end-to-end across all processing stages including edge enhancement, noise reduction, and overlay compositing. Rationale: Total system visual feedback latency budget is 50ms (surgeon hand motion to display update). Motion control consumes 10ms, display scan-out consumes 16ms. The image processing pipeline's 2ms allocation ensures the vision chain does not exceed its share of the latency budget, preventing surgeon-perceptible lag that degrades hand-eye coordination. | Test | subsystem, vision, ipp, session-341, idempotency:sub-ipp-latency-341 |
| SUB-MAIN-017 | The Tool Tip Articulation Controller compute board SHALL operate from the 5V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 8W during full-bandwidth kinematic computation. Rationale: TTAC is a signal-processing compute board driving cable displacement commands to the IDU. The 8W budget is derived from FPGA plus motor-driver gate-drive logic at full computational load; the 5V rail is the standard embedded compute supply in the instrument drive chain. | Test | |
| SUB-MAIN-017 | The Stereoscopic Display System SHALL achieve less than 1% inter-channel crosstalk (ghosting) across the full luminance range at viewing distances between 500mm and 700mm, to prevent false depth cues that could cause instrument positioning errors. Rationale: Crosstalk above 1% introduces ghost images that create false depth cues. During precise dissection near critical structures (nerves, vessels), even 2mm of apparent depth error from display crosstalk could result in inadvertent tissue damage. The 500-700mm viewing distance range covers ergonomic surgeon positioning. | Test | subsystem, vision, display, session-341, idempotency:sub-display-ghosting-341 |
| SUB-MAIN-018 | The Image Processing Pipeline SHALL operate from the 12V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 35W during dual-channel 1080p60 stereo processing. Rationale: The IPP is an FPGA-based image processing board processing two independent 1080p60 HD-SDI streams. The 35W budget is derived from FPGA device power at full utilisation plus DDR memory. 12V allows on-board DC-DC regulation for FPGA core and I/O rails. | Test | |
| SUB-MAIN-018 | The Procedure Video Recorder SHALL record composited 2D video continuously for at least 8 hours at 1080p60 resolution with H.265 encoding at 50Mbps CBR, with frame-accurate timestamps synchronised to the system event log within 1ms accuracy. Rationale: SYS-MAIN-015 requires recording of all video streams at sufficient quality for post-operative review and audit. 8-hour continuous recording matches the system operational endurance requirement (SYS-MAIN-013). Frame-accurate synchronisation with the event log enables post-operative correlation of instrument movements with video for complication analysis. | Test | subsystem, vision, recorder, session-341, idempotency:sub-recorder-duration-341 |
| SUB-MAIN-019 | The Surgeon Console SHALL operate from a 24V ±5% medical-grade isolated power supply, drawing a maximum continuous power of 120W including master manipulator motors, stereoscopic display panels, and embedded compute. Rationale: The Surgeon Console is the largest non-arm power consumer. The 120W budget covers dual 1080p display panels (~50W), master manipulator force-feedback motors (~40W), and embedded compute/comms (~30W). 24V medical-grade isolated supply is specified per IEC 60601-1 clause 8 for patient-proximate equipment. | Test | |
| SUB-MAIN-019 | When one stereo channel of the Stereo Endoscope fails, the Vision and Imaging System SHALL continue to provide the surgeon with 2D monocular video from the remaining channel at 1080p60 with no interruption exceeding 500ms, and SHALL display a persistent visual alert on the remaining channel indicating loss of stereoscopic depth perception. Rationale: Complete loss of visual feedback during surgery is catastrophic. Single-channel failure must degrade gracefully to 2D rather than blacking out. The 500ms switchover limit ensures the surgeon does not lose visual contact with instruments in tissue. The persistent alert is required because operating without depth perception changes the surgical technique required. | Test | subsystem, vision, degraded-mode, safety, session-341, idempotency:sub-vision-degraded-mono-341 |
| SUB-MAIN-020 | The Camera Control Unit SHALL operate from the 12V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 18W during dual-channel 1080p60 HD-SDI capture and format conversion. Rationale: The CCU processes dual HD-SDI streams from the stereo endoscope. The 18W budget covers two SDI receivers, genlock circuitry, and format conversion ASICs. 12V supply shared with IPP to simplify rail distribution in the vision rack. | Test | |
| SUB-MAIN-020 | The Surgical Illumination Source SHALL provide fluorescence excitation at 805nm with irradiance of ≥5 mW/cm² at tissue surface to enable ICG fluorescence imaging at tissue depths up to 10mm, with mode switching between visible and NIR completing within 200ms. Rationale: 5 mW/cm² is the minimum surface irradiance required for clinically detectable ICG fluorescence at 10mm tissue depth based on Beer-Lambert attenuation at 805nm. Below this threshold, signal-to-noise ratio falls below clinical utility (>3:1 contrast ratio) for sentinel node mapping. Value derived from published photon transport models for ICG in human tissue. | Test | subsystem, vision, illumination, session-341, idempotency:sub-illumination-nir-341 |
| SUB-MAIN-021 | The Haptic Feedback Subsystem SHALL operate from the 24V ±5% rail supplied by the Power Management Subsystem, drawing a maximum continuous power of 40W per instrument arm during simultaneous force rendering on both haptic actuator channels. Rationale: The HFS drives force-feedback actuators at the master manipulator with peak forces up to 5N per axis. The 40W per-arm budget is derived from actuator stall current headroom plus conditioning electronics. 24V rail is shared with master manipulator motor drive to minimise converter stages. | Test | |
| SUB-MAIN-021 | The Camera Control Unit SHALL provide at least three surgeon-selectable image enhancement modes (standard white light, narrow-band imaging for vascular contrast, and ICG fluorescence overlay) with mode switching completing within 100ms and no frame drops during transition. Rationale: Different surgical phases require different visualisation modalities. Narrow-band imaging enhances mucosal vascular patterns for tumour margin identification. ICG overlay shows perfusion. Mode switching must be seamless because the surgeon may need to toggle rapidly between views during active dissection near critical structures. | Demonstration | subsystem, vision, ccu, session-341, idempotency:sub-ccu-modes-341 |
| SUB-MAIN-022 | The Force Signal Conditioner SHALL operate from the galvanically isolated 5V ±2% supply within the Haptic Feedback Subsystem, drawing a maximum continuous power of 3W during six-axis force/torque signal conditioning. Rationale: The FSC requires galvanic isolation from the main power bus per ARC-MAIN-004 to maintain patient electrical safety. The 5V isolated supply is generated by a dedicated isolated DC-DC converter in the HFS. The 3W budget covers six analogue conditioning channels plus ADC. | Test | |
| SUB-MAIN-022 | The Haptic Feedback Subsystem SHALL measure instrument-tissue interaction forces with a resolution of 0.05N and a range of ±30N across all six force/torque axes, sampled at 1kHz. Rationale: Minimum force resolution of 0.05N is derived from the haptic discrimination threshold: human fingers detect force differences of approximately 0.1N; the sensor must resolve half this value to prevent perceptible quantisation steps during delicate tissue manipulation. Inadequate resolution produces a coarse, jerky haptic feedback that degrades surgical precision and may mask tissue damage. | Test | subsystem, haptic, performance, session-342, idempotency:sub-haptic-force-res-342 |
| SUB-MAIN-023 | When the Image Processing Pipeline watchdog timer expires without a valid frame completion token within 40ms, the Vision and Imaging System SHALL suppress the display output and assert an IMAGE_PIPELINE_FAULT signal to the Safety and Interlock Subsystem within 5ms. Rationale: The IPP operates autonomously on a real-time FPGA pipeline; a hung or corrupted pipeline could deliver frozen or misleading frames to the surgeon. The 40ms watchdog (two missed frames at 50fps) triggers display suppression to prevent the surgeon acting on stale imagery, and SIS notification enables the safe-state decision chain. | Test | |
| SUB-MAIN-023 | The Haptic Feedback Subsystem SHALL deliver rendered force feedback to the master handle actuators with an end-to-end latency no greater than 2ms from force measurement at the instrument tip. Rationale: The haptic control loop must close at >500Hz to maintain passivity and prevent energy accumulation that leads to instability (oscillation or divergence). A 2ms bound provides margin above the 1kHz sampling cycle while keeping the phase lag below 1 degree at the highest feedback bandwidth (20Hz), ensuring stable contact rendering on stiff tissue. | Test | subsystem, haptic, performance, session-342, idempotency:sub-haptic-latency-342 |
| SUB-MAIN-024 | The Console Computer SHALL implement network traffic isolation between the surgical control network and the hospital information network, with no direct data path between safety-critical control functions and external network interfaces. Rationale: Console Computer is the only subsystem with external network access for hospital PACS/HIS integration. A bridge to the CAN-FD surgical control bus would create a remote code execution vector on the motion control chain. IEC 81001-5-1 mandates network boundary controls for Class IIb medical devices. | Test | |
| SUB-MAIN-024 | The Haptic Feedback Subsystem SHALL limit the maximum feedback force applied to the surgeon's master handles to 1N in any single axis under all operating conditions, including sensor fault conditions. Rationale: Exceeding 1N feedback force risks startle response causing unintended master handle motion that is teleoperated to the instrument, potentially causing patient injury. The 1N limit is derived from IEC 80601-2-77 guidance on master device force limits in surgical robot systems. The limit must hold under sensor fault to prevent uncontrolled force buildup. | Test | subsystem, haptic, safety, session-342, idempotency:sub-haptic-force-limit-342 |
| SUB-MAIN-025 | The Force Signal Conditioner SHALL provide galvanic isolation of not less than 4kVrms (50Hz, 1 minute) between the strain gauge bridge circuit and the digital signal processing stage. Rationale: IEC 60601-1 patient leakage current limits for Type CF applied parts require isolation of the patient-contact instrument circuit from the mains-connected digital electronics. A 4kVrms isolation barrier provides the required 1500V patient-to-earth working voltage margin with appropriate derating. Failure of this isolation constitutes a Class I critical hazard. | Test | subsystem, haptic, safety, isolation, session-342, idempotency:sub-haptic-isolation-342 |
| SUB-MAIN-026 | When the Force Sensing Module on one instrument arm reports a sensor fault, the Haptic Feedback Subsystem SHALL disable force feedback on that arm only, continue providing force feedback on all remaining arms at full specification, and notify the surgeon via a visual alert within 200ms. Rationale: Disabling only the faulted arm preserves surgical utility on remaining arms, which is safer than total feedback loss since the surgeon retains haptic sense for other instruments. The 200ms alert requirement matches the minimum safe reaction window from IEC 62443 guidance for real-time operator warnings in safety-relevant systems. | Test | subsystem, haptic, degraded-mode, safety, session-342, idempotency:sub-haptic-degraded-342 |
| SUB-MAIN-027 | The Communication and Data Management System SHALL maintain end-to-end kinematic command transmission latency below 1ms from Surgeon Console to Patient-Side Cart under peak load (all 21 joint channels active, full video traffic). Rationale: 1ms is the latency budget allocated to the communications layer in the 1ms end-to-end control loop specified by SYS-MAIN-001. Exceeding this budget causes the kinematics pipeline to run on stale commands, introducing effective dead time that degrades motion tracking and may cause trajectory overshoot at high motion speeds. | Test | subsystem, comms, performance, session-342, idempotency:sub-comms-latency-342 |
| SUB-MAIN-028 | The Communication and Data Management System SHALL detect fibre link failure within 5ms and complete switchover to the standby fibre path within 10ms, with no loss of kinematic command frames during the switchover. Rationale: 10ms switchover time is derived from the safety requirement in SYS-MAIN-002 and SYS-MAIN-005: a 10ms gap in commands at 1kHz represents 10 missed frames, within the 100ms safe coast period defined for the motion controller. Faster detection (5ms) provides margin before the safety monitor declares a communication fault and initiates safe-hold. | Test | subsystem, comms, reliability, safety, session-342, idempotency:sub-comms-failover-342 |
| SUB-MAIN-029 | The Kinematics Engine SHALL authenticate all joint-space command inputs via HMAC-SHA256 signed frames, rejecting any command with an invalid signature within one 1ms control cycle and logging authentication failures to the Procedure Data Recorder. Rationale: The Kinematics Engine is a purely digital component — a compromised kinematics computation could generate arm trajectories exceeding workspace limits, causing patient injury. HMAC-SHA256 per-frame authentication ensures only authorised motion commands reach the inverse kinematics solver. The 1ms rejection window matches the 1kHz servo rate. | Test | |
| SUB-MAIN-029 | The Procedure Data Recorder SHALL record all kinematic data at 1kHz, both stereo video streams, and all system events without data loss for a minimum continuous operating period of 8 hours, with post-procedure data protected in WORM mode. Rationale: 8-hour capacity matches SYS-MAIN-013 (operational capability for 8 consecutive hours). WORM protection is required by FDA 21 CFR Part 820 (QSR) device history records and by IEC 62304 for surgical device audit trails. Data loss during recording constitutes a regulatory non-conformance and may compromise post-incident investigation. | Test | subsystem, comms, recording, compliance, session-342, idempotency:sub-comms-recorder-342 |
| SUB-MAIN-030 | The Trajectory Generator SHALL validate all motion waypoints against a cryptographically signed workspace envelope before generating trajectory segments, rejecting any waypoint outside the signed envelope and initiating a controlled stop within 50ms. The envelope definition SHALL be loaded from write-protected memory at startup and verified by RSA-2048 signature. Rationale: The Trajectory Generator is a purely digital component computing motion paths for all robot arms. An attacker with access to waypoint inputs could inject trajectories moving instruments outside the sterile field or into anatomical structures. Signing the workspace envelope and validating each waypoint prevents malicious waypoints from being executed. RSA-2048 signature protection is consistent with IEC 62443 requirements for safety-critical motion systems. | Test | |
| SUB-MAIN-030 | When the Real-Time Protocol Engine detects a frame sequence error or CRC failure, the Communication and Data Management System SHALL discard the corrupted frame, log the error with timestamp and channel identifier, and continue processing the next valid frame without resetting the communication channel. Rationale: Frame-level error recovery is preferred over channel reset because a reset introduces a 10ms+ dead period that would trigger the comms-loss safety path. Discarding a single corrupted frame produces at most one missed command cycle (1ms), which the motion controller can interpolate safely. Logging enables post-procedure analysis of communication reliability. | Test | subsystem, comms, fault-handling, session-342, idempotency:sub-comms-framing-342 |
| SUB-MAIN-031 | The Real-Time Protocol Engine SHALL authenticate all synchronisation messages using IEEE 1588v2 PTP with HMAC-SHA256 message authentication codes, discarding timing frames with invalid MACs and logging each rejection. When authenticated timing frames are unavailable for more than 10ms, the system SHALL enter a safe hold state and alert the surgeon console. Rationale: The Real-Time Protocol Engine distributes the master clock used by every servo controller and sensor sampler. A time-injection attack shifting the distributed clock could cause phase misalignment between motion command generation and joint servo execution, producing uncontrolled arm movements. IEEE 1588v2 with HMAC authentication prevents clock spoofing. The 10ms safe-hold threshold is the maximum permissible phase error before joint servo controllers saturate error integrals and produce runaway torque commands. | Test | |
| SUB-MAIN-032 | The Instrument Recognition Module SHALL read and validate the instrument identity chip within 200ms of mechanical coupling detection, providing instrument type code, calibration offsets, remaining use count, and sterilization history to the Tool Tip Articulation Controller and Instrument Lifecycle Controller. Rationale: STK-MAIN-013 requires rapid instrument exchange. The 200ms budget derives from 15-second total swap time: 10s manual handling, 3s coupling, 2s recognition and reconfiguration. 200ms chip read ensures recognition is not the bottleneck. | Test | surgical-instrument-system, instrument-recognition, session-346 |
| SUB-MAIN-033 | The Instrument Drive Unit SHALL actuate all four instrument degrees of freedom (wrist pitch, yaw, roll, and grip) with a position accuracy of +/-0.1mm at the instrument tip across the full 10-procedure instrument lifetime, at a servo update rate of 1kHz. Rationale: SYS-MAIN-001 specifies master-to-slave motion scaling. The 0.1mm tip accuracy is the instrument subsystems share of the overall 1mm system accuracy budget. The 1kHz rate matches the motion control servo loop. Accuracy must hold across instrument lifetime because cable stretch degrades positioning. | Test | surgical-instrument-system, instrument-drive-unit, session-346 |
| SUB-MAIN-034 | The Cable Tensioning System SHALL maintain cable tension on all four instrument DoF cables within +/-5% of the instrument-specific nominal set-point, and SHALL detect cable tension deviation exceeding 15% within 10ms, reporting a tension anomaly to the Safety and Interlock Subsystem. Rationale: Cable tension directly governs instrument tip accuracy. The 5% tolerance derives from the 0.1mm tip accuracy requirement and the cable-to-tip displacement ratio of approximately 4:1. A 15% deviation indicates fraying, disconnection, or mechanical failure requiring safety intervention. The 10ms detection window ensures motion arrest before tip displacement exceeds the safe envelope. | Test | surgical-instrument-system, cable-tensioning, session-346 |
| SUB-MAIN-035 | The Sterile Adapter SHALL maintain sterile barrier integrity per ISO 11607-1 under continuous operating loads of 50N axial force and 2Nm torque per rotary feedthrough channel for a single surgical procedure up to 8 hours, and SHALL transmit torque through all six sealed rotary feedthroughs with no more than 5% torque loss. Rationale: SYS-MAIN-006 and STK-MAIN-004/008/011 require sterile field compliance. The 50N and 2Nm loads represent worst-case instrument insertion force and wrist actuation torque from cadaver studies of complex procedures. The 5% torque loss limit ensures the Cable Tensioning System can compensate without saturating. 8-hour duration covers extended procedures. | Test | surgical-instrument-system, sterile-adapter, session-346 |
| SUB-MAIN-036 | The Tool Tip Articulation Controller SHALL compute cable displacement commands for all four instrument DoF from a desired end-effector pose within 500 microseconds worst-case latency, loading instrument-specific kinematic models from the Instrument Recognition Module at instrument coupling time. Rationale: The 1kHz motion control loop allocates 1ms per cycle. The Tool Tip Articulation Controller shares this cycle with the Kinematics Engine and Joint Servo Controller. The 500us budget is the instrument subsystems allocation after 300us for forward kinematics and 200us for servo command dispatch. Exceeding this budget causes jitter visible as instrument tip tremor. | Test | surgical-instrument-system, articulation-controller, session-346 |
| SUB-MAIN-037 | The Instrument Lifecycle Controller SHALL prevent coupling of any instrument that has exceeded its manufacturer-defined use limit (actuation cycles, sterilization count, or calendar age), inhibiting arm enable via the Safe State Manager until a valid instrument is detected, and SHALL log all lifecycle events to the Procedure Data Recorder per FDA 21 CFR Part 820. Rationale: STK-MAIN-007/010 require prevention of inadvertent patient tissue damage. An instrument past its rated lifecycle has degraded cable integrity, worn joints, and reduced force accuracy. Regulatory traceability (21 CFR 820) mandates that every instrument use event is recorded with disposition. Arm lockout is the enforcement mechanism because the Safe State Manager is the single authority for arm enable. | Demonstration | surgical-instrument-system, lifecycle-controller, session-346 |
| SUB-MAIN-038 | When the Cable Tensioning System detects a tension anomaly on any single cable, the Surgical Instrument System SHALL disable the affected instrument arm within 50ms while maintaining full motion control on all remaining instrument arms, and SHALL display the affected arm identity and failure type on the surgeon console. Rationale: SYS-MAIN-016 requires graceful degradation when one arm fails. A cable tension anomaly means the affected instruments tip position is no longer trustworthy. The 50ms shutdown window is derived from the maximum safe tip displacement at full operating speed (100mm/s): 5mm of uncontrolled travel is the safety limit. Other arms must remain operational because mid-procedure instrument loss is recoverable but total system shutdown may endanger the patient. | Test | surgical-instrument-system, degraded-mode, session-346 |
| SUB-MAIN-039 | The Trajectory Generator SHALL compute interpolated Cartesian pose setpoints at 1kHz with S-curve velocity profiling, limiting instrument tip acceleration to 2g and jerk to 50g/s, ensuring smooth instrument motion that does not induce tissue tearing or excessive contact forces. Rationale: Trajectory smoothness directly governs tissue interaction safety. The 2g acceleration limit derives from biomechanical studies of safe tissue manipulation forces during laparoscopic procedures. S-curve profiling eliminates jerk discontinuities that cause vibration in the cable-driven transmission, which degrades instrument tip position accuracy. The 1kHz rate matches the servo loop frequency to avoid interpolation artefacts. | Analysis | subsystem, motion-control, session-348, idempotency:sub-trajectory-generator-motion-profile-348 |
| SUB-MAIN-040 | When the primary haptic force-rendering processor fails, the haptic feedback subsystem SHALL switch to a secondary rendering path within 50 ms, maintaining contact-force reproduction accuracy within 20 percent of nominal and holding maximum perceivable force above 5 N until the surgeon withdraws the instrument. Rationale: Haptic feedback is system-essential: loss of force cues mid-dissection prevents tissue plane discrimination and risks inadvertent perforation. 50 ms switchover is within the 200 ms perceptual threshold for force discontinuity per IEC 60601-1 Clause 14. | Test | redundancy, safety, haptics, session-367 |
| SUB-MAIN-040 | The Motion Scaling Module SHALL apply the surgeon-selected scaling ratio (3:1, 5:1, or 10:1) to filtered Cartesian velocity commands with gain accuracy of ±0.5%, and SHALL complete the scaling computation within 100 microseconds per cycle to maintain pipeline timing margin. Rationale: Scaling accuracy of ±0.5% ensures the surgeon perceives consistent motion amplification across the workspace. At 10:1 scaling, a 0.5% error corresponds to 50μm at 10mm instrument travel — within the 100μm instrument tip repeatability budget. The 100μs execution budget allocates half the 200μs total pipeline margin to downstream stages (Trajectory Generator, Kinematics Engine). | Test | subsystem, motion-control, session-348, idempotency:sub-motion-scaling-accuracy-348 |
| SUB-MAIN-041 | When the primary IEEE 1588 grandmaster clock source fails or exceeds 1 microsecond offset from UTC, the time protocol engine SHALL switch to the hot-standby grandmaster within 200 ms without disrupting subsystem synchronisation by more than 5 microseconds, and SHALL log the switchover event with timestamp and root cause code. Rationale: Time protocol engine is system-essential: inter-subsystem synchronisation loss causes motion command latency spikes that manifest as jerky or uncontrolled arm motion. The 5 microsecond continuity window is derived from the motion control loop rate of 4 kHz; offsets beyond this cause missed motion cycles. 200 ms switchover is within the 500 ms maximum tolerable disruption defined in IEC 62304 architectural risk analysis. | Test | redundancy, timing, session-367 |
| SUB-MAIN-041 | When the Trajectory Generator detects that a computed trajectory segment would exceed the workspace boundary or violate acceleration limits, the Trajectory Generator SHALL clamp the output to the last safe pose and assert a trajectory-violation flag to the Workspace Safety Enforcer within 1ms, halting all further interpolation until the Workspace Safety Enforcer acknowledges the clamp. Rationale: The Trajectory Generator is the first stage that can detect demand violations before they propagate to the Kinematics Engine. Without this clamp, an out-of-bounds demand would force the Workspace Safety Enforcer to reject the entire joint-angle command downstream, causing a harder motion discontinuity. Clamping at the Cartesian level preserves motion smoothness during limit events. The 1ms assertion budget allows the violation to be caught within the same control cycle. | Test | subsystem, motion-control, safety, session-348, idempotency:sub-tg-safety-clamp-348 |
| SUB-MAIN-042 | When primary AC mains supply fails or drops below 85 VAC, the power management subsystem SHALL transfer all patient-safety loads to the internal UPS within 10 ms, sustaining surgical operations at full rated power for a minimum of 15 minutes to allow orderly procedure completion and instrument retraction. Rationale: Power management is system-essential and Regulated: an uncontrolled power loss mid-procedure immobilises robotic arms in situ, creating a patient entrapment hazard and preventing safe instrument withdrawal. 10 ms transfer time is derived from the motion controller's minimum command cycle; slower transfer causes the servo watchdog to trigger an uncontrolled halt. 15 minutes is the clinical consensus minimum for orderly procedure close cited in IEC 60601-1-1 Annex J. | Test | redundancy, power, safety, session-367 |
| SUB-MAIN-042 | When the Motion Scaling Module receives a velocity command magnitude exceeding 200mm/s (corresponding to maximum safe instrument tip velocity at 1:1 scaling), the Motion Scaling Module SHALL reject the command, hold the last valid output, and report an over-velocity fault to the Safety and Interlock Subsystem within 500 microseconds. Rationale: The Motion Scaling Module is the earliest point in the pipeline where absolute velocity limits can be enforced independent of the selected scaling ratio. The 200mm/s threshold corresponds to the maximum safe instrument tip velocity derived from tissue damage studies — exceeding this at any scaling ratio indicates either a sensor fault or an uncontrolled input. The 500μs detection budget ensures the fault is flagged within the same control cycle, preventing propagation to the Trajectory Generator. | Test | subsystem, motion-control, safety, session-348, idempotency:sub-msm-safety-overvel-348 |
| SUB-MAIN-043 | When the primary procedure data recorder storage medium fails or write latency exceeds 200 ms, the procedure data recorder SHALL simultaneously stream all kinematic, video, and event data to a secondary hot-standby recorder such that no more than 2 seconds of procedure data is lost and recording resumes on the backup without operator intervention. Rationale: Procedure data recorder is system-essential: complete surgical records are required by IEC 62304 and regulatory bodies (FDA 21 CFR Part 820) for post-incident reconstruction, device liability, and surgical training. A 2-second data gap is the maximum acceptable loss established by clinical risk analysis; longer gaps may obscure the causal chain in adverse event investigations. | Test | redundancy, data-recording, regulatory, session-367 |
| SUB-MAIN-043 | The Power Management Subsystem SHALL maintain all surgical robot system functions from the UPS Battery Module for a minimum of 30 minutes following loss of mains power, permitting controlled procedure completion and safe shutdown. Rationale: IEC 60601-1 clause 11.8.4 requires medical electrical equipment to maintain operation from internal energy source for defined periods; 30 minutes is the minimum required to complete a laparoscopic procedure segment and park all arms safely. Loss of power mid-procedure constitutes a patient safety event. | Test | subsystem, power-management, session-350, idempotency:sub-power-ups-duration-350 |
| SUB-MAIN-044 | The interlock subsystem SHALL be designed, verified, and validated to IEC 61508 SIL 3, achieving a PFH (probability of dangerous failure per hour) of less than 1e-7 per hour, with documented FMEA, fault-injection testing, and independent third-party assessment prior to regulatory submission. Rationale: Interlock subsystem is Regulated and classified as the last line of defence against uncontrolled robotic motion near the patient. SIL 3 is required because the hazardous event (uncontrolled arm motion causing patient injury) is classified as Catastrophic + Frequent in the system-level HAZOP. IEC 61508 is the applicable functional safety standard for programmable electronic safety systems in medical robotics per IEC 80601-2-77. | Analysis | compliance, safety, SIL3, regulatory, session-367 |
| SUB-MAIN-044 | The Power Management Subsystem SHALL energise subsystems in the following order during startup: Safety and Interlock Subsystem, Auxiliary Power Supply, Communication and Data Management System, Motion Control System, Surgical Instrument System. Shutdown SHALL reverse this sequence. Rationale: Energising the safety subsystem first ensures that the watchdog and E-stop chain are active before any motion-capable subsystem receives power. Reverse-sequence shutdown ensures that motion-capable drives are de-energised before safety supervision is withdrawn. Any other order creates a window where actuators are powered without protection. | Inspection | subsystem, power-management, session-350, idempotency:sub-power-sequencing-order-350 |
| SUB-MAIN-045 | The motion control system software SHALL be developed to IEC 62304 Class C (safety class), with complete requirements traceability, code review, unit and integration test evidence, and a software hazard analysis prior to release. All Class C software modules SHALL achieve modified condition/decision coverage (MC/DC) of 100 percent. Rationale: Motion control system is Regulated: its software directly commands robotic arm position; a defect causing unintended motion constitutes a Catastrophic hazard under ISO 14971. IEC 62304 Class C is mandatory for software whose failure can cause death or serious injury; MC/DC 100 percent is required by DO-178C and adopted by IEC 62304 supplementary guidance for safety-critical medical motion control. | Inspection | compliance, software, IEC62304, session-367 |
| SUB-MAIN-045 | The Auxiliary Power Supply SHALL remain energised and supply the Safety and Interlock Subsystem, Watchdog Timer Controller, and Emergency Stop Chain contactor coils during any main bus fault, brownout below 85% nominal, or deliberate mains disconnection. Rationale: The Safety and Interlock Subsystem must remain operational to initiate controlled safe-state during power faults. A brownout that de-energises the watchdog before safe-state is reached would leave joint motors in an undefined state — creating a patient harm risk equivalent to a software crash. | Test | subsystem, power-management, session-350, idempotency:sub-power-aux-isolation-350 |
| SUB-MAIN-046 | The workspace safety enforcer SHALL comply with IEC 80601-2-77:2021 Clause 201.11 (Accuracy of controls and instruments) and ISO 10218-1:2011 Clause 5.4 (Safety-rated monitored stop), achieving a safety-rated monitored stop reaction time of less than 10 ms from workspace boundary violation detection to servo torque cutoff. Rationale: Workspace safety enforcer is Regulated: it prevents robotic arms from entering anatomical exclusion zones during surgery. IEC 80601-2-77 is the applicable collateral standard for surgical robot systems; ISO 10218-1 Clause 5.4 provides the safety-rated stop performance benchmark. 10 ms is derived from the worst-case arm velocity (0.5 m/s) and maximum tolerable penetration depth (5 mm) before tissue contact. | Test | compliance, safety, workspace, regulatory, session-367 |
| SUB-MAIN-046 | While the Image Processing Pipeline is processing stereoscopic video, it SHALL detect any frame that contains artefacts exceeding 5% pixel corruption or latency exceeding 33ms (2-frame drop at 60fps) and substitute a frozen clean frame, generating a latency-exceeded alert to the Surgeon Console within 10ms of detection. Rationale: Lint finding: Image Processing Pipeline is Functionally Autonomous (FPGA-based, minimal external oversight). A corrupted or latency-violated frame delivered to the surgeon without notification constitutes a patient safety risk — the surgeon may act on an inaccurate view of the surgical field. Frozen frame substitution is the standard safety response in medical video chains (IEC 62304 guidance); the 5% threshold is derived from psychophysical research showing artefacts above this level impair depth perception in stereoscopic displays. | Test | subsystem, vision, safety, session-350, idempotency:sub-image-safety-constraint-350 |
| SUB-MAIN-047 | The console computer SHALL be qualified as a medical device accessory per EU MDR 2017/745 Annex I and FDA 21 CFR Part 820, with a Quality Management System certified to ISO 13485:2016, and SHALL display a current CE mark and 510(k) clearance number on the labelling prior to clinical deployment. Rationale: Console computer is Regulated: as the primary surgeon-facing interface that initiates and controls all robotic motion, it is a medical device accessory that requires regulatory approval before clinical use. EU MDR and FDA 510(k) clearance are the applicable market authorisations; ISO 13485 QMS certification is a prerequisite for both submission pathways. | Inspection | compliance, regulatory, MDR, session-367 |
| SUB-MAIN-047 | The Electrosurgical Generator SHALL produce monopolar RF output power of 10-400W and bipolar RF output power of 10-80W at frequencies between 300kHz and 3MHz, with actual output power within 10% of the selected setting across the load impedance range of 100Ω to 2kΩ. Rationale: Power range and impedance bounds are derived from IEC 60601-2-2 and clinical electrosurgical unit specifications. Monopolar 400W maximum covers major vessel haemostasis; bipolar 80W maximum covers delicate tissue coagulation. 10% output accuracy prevents surgeon from applying unintended power levels that could cause deep thermal injury. | Test | subsystem, energy-delivery, performance, session-352, idempotency:sub-eds-esg-rf-power-352 |
| SUB-MAIN-048 | The Electrosurgical Generator SHALL achieve full output power within 100ms of receiving an activation command and SHALL reduce output to below 1W within 50ms of receiving a deactivation command. Rationale: Activation 100ms bound allows surgeon intent recognition by the Energy Delivery Controller before energy reaches tissue. Deactivation 50ms bound is the safety-critical parameter: at 400W monopolar, 50ms corresponds to approximately 20J of unintended energy delivery — the upper threshold for acceptable unintended thermal damage per IEC 60601-2-2 risk analysis. | Test | subsystem, energy-delivery, safety, performance, session-352, idempotency:sub-eds-esg-latency-352 |
| SUB-MAIN-049 | The Ultrasonic Energy Module SHALL drive the ultrasonic transducer at 55.5kHz ± 500Hz with selectable power levels from 10% to 100% in 10% increments, and SHALL detect blade temperature via thermocouple and inhibit activation when blade temperature exceeds 100°C. Rationale: 55.5kHz is the standard resonant frequency for Harmonic-class ultrasonic surgical devices; ± 500Hz tolerance maintains resonance efficiency above 95%. 100°C blade temperature inhibit prevents retained heat burns from a previously activated blade contacting unintended tissue — a documented adverse event class in ultrasonic surgery (FDA MAUDE database, 2015-2022). | Test | subsystem, energy-delivery, performance, safety, session-352, idempotency:sub-eds-uem-freq-temp-352 |
| SUB-MAIN-050 | The Energy Delivery Controller SHALL enforce mutual exclusion between RF and ultrasonic modalities such that activation of one modality SHALL automatically inhibit the other, with the inhibition taking effect within 10ms of detecting concurrent activation requests. Rationale: Simultaneous RF and ultrasonic energy delivery through the same instrument port could generate resonance artefacts in tissue or overload instrument drive electronics. 10ms inhibition response is derived from the 100ms activation latency requirement — inhibition must be faster than the energy-reaching-tissue window. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-edc-mutual-exclusion-352 |
| SUB-MAIN-051 | The Return Electrode Monitor SHALL continuously sample patient return electrode impedance at a minimum of 100Hz and SHALL inhibit monopolar energy delivery within 500ms when sampled impedance exceeds 135 ohms, with inhibition persisting until the pad impedance is restored and the surgeon actively resets the alarm. Rationale: 135Ω threshold and 500ms response are per IEC 60601-2-2 Annex J requirements for REM circuits. Partial pad lift is the primary cause of alternate site burns in monopolar electrosurgery; active surgeon reset prevents automatic re-enable after transient impedance excursion, ensuring the surgeon consciously acknowledges the alarm before energy resumes. | Test | rt-missing-failure-mode, red-team-session-502 |
| SUB-MAIN-052 | The Tissue Effect Monitor SHALL detect vessel seal completion by impedance rise signature and SHALL command the Electrosurgical Generator to cease energy delivery within 200ms of endpoint detection, with endpoint defined as an impedance increase of at least 1.5kΩ occurring within any 400ms window during active vessel sealing. Rationale: 1.5kΩ rise in 400ms is derived from validated impedance signatures for collagen denaturation in bipolar vessel sealing (cf. LigaSure algorithm patent family, published clinical studies on tissue impedance monitoring). Automatic cutoff prevents over-application beyond seal completion, which is the primary cause of vessel charring and reduced seal burst strength. | Test | subsystem, energy-delivery, performance, session-352, idempotency:sub-eds-tem-endpoint-352 |
| SUB-MAIN-053 | The Energy Delivery Controller SHALL automatically terminate energy delivery and generate a surgeon console alarm if continuous activation exceeds 15 seconds for RF modality or 5 seconds for ultrasonic modality, with resumption requiring explicit surgeon re-activation. Rationale: 15s RF timeout prevents inadvertent extended electrosurgery from a held footswitch (e.g., surgeon distraction or equipment malfunction). 5s ultrasonic timeout is shorter because blade thermal accumulation above the 100°C inhibit threshold occurs within 7-10s of continuous activation at full power — the 5s limit provides 2-5s safety margin. Both timeouts are surgeon-acknowledged to prevent silent energy restart. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-edc-timeout-352 |
| SUB-MAIN-054 | The Energy Delivery System SHALL provide electrical isolation between the energy delivery circuit and the robotic control network such that patient leakage current through any energy path does not exceed 10μA in normal condition and 50μA in single-fault condition, per IEC 60601-1 Type CF applied part classification. Rationale: Type CF classification is mandatory for equipment making direct cardiac contact or used near the heart — surgical robot instruments may be used in cardiac procedures. 10μA/50μA limits are per IEC 60601-1 Table 1 for Type CF applied parts. Isolation is safety-critical: conductive coupling between the RF generator and servo control bus could introduce high-frequency noise causing servo instability or patient microshock. | Test | subsystem, energy-delivery, safety, session-352, idempotency:sub-eds-isolation-leakage-352 |
| SUB-MAIN-055 | The Foot Pedal Array SHALL transmit energy activation, clutch, and camera control pedal events to the corresponding subsystem controllers within 50ms of pedal mechanical actuation. Rationale: 50ms is the maximum latency consistent with transparent surgeon control: beyond 50ms, pedal-to-action delays become perceptible and can cause unintended energy delivery or motion. The E-stop pedal is hardwired and has a separate sub-millisecond hardware path; this requirement covers only the software-mediated pedals. | Test | subsystem, surgeon-console, foot-pedal, session-353, idempotency:sub-sic-pedal-latency-353 |
| SUB-MAIN-056 | The Voice Command Module SHALL recognise predefined surgical commands from the active vocabulary with a word error rate below 5% in an operating room acoustic environment with background noise up to 65dB SPL. Rationale: A 5% WER ceiling ensures that no more than 1 in 20 commands is misrecognised in the worst-case OR noise environment. Validated against reference vocabulary of 200 surgical commands. Higher error rates create workflow interruption and require repeated commands, increasing procedure duration. | Test | subsystem, surgeon-console, voice, session-353, idempotency:sub-sic-voice-wer-353 |
| SUB-MAIN-057 | The Voice Command Module SHALL dispatch a recognised command to the Console Computer within 200ms of speech onset. Rationale: 200ms is the perceptibility threshold for voice-to-action feedback in human factors studies for surgical environments. Commands exceeding 200ms latency break cognitive flow and may lead the surgeon to repeat the command, creating duplicate-command hazard. | Test | subsystem, surgeon-console, voice, session-353, idempotency:sub-sic-voice-latency-353 |
| SUB-MAIN-058 | The Console Computer SHALL require surgeon authentication before enabling robotic motion, and SHALL log the authenticated user identity, authentication time, and case start time to the Procedure Data Recorder. Rationale: Regulatory requirement under MDR 2017/745 and FDA 21 CFR Part 820 for medical device traceability. Authentication prevents unauthorised use and creates an auditable record linking each surgical case to a credentialled operator. | Test | subsystem, surgeon-console, authentication, compliance, session-353, idempotency:sub-sic-auth-353 |
| SUB-MAIN-059 | The Arm Positioning System SHALL prevent motorised adjustment of any axis while the system is in OPERATIONAL state, and SHALL complete position lock-out within 500ms of the system entering OPERATIONAL state. Rationale: Arm movement during robotic operation would change the master-to-slave kinematic calibration mid-procedure, causing instrument tip position error. 500ms lock-out allows the safety state broadcast (IFC-MAIN-004) to propagate and the positioning motor controllers to confirm brake engagement before motion commands are accepted. | Test | subsystem, surgeon-console, arm-positioning, safety, session-353, idempotency:sub-sic-armpos-lockout-353 |
| SUB-MAIN-060 | The Console Computer SHALL complete a startup self-test within 90 seconds of power-on, verifying connectivity to the Surgeon Interface Panel, Voice Command Module, Arm Positioning System, and Real-Time Protocol Engine, and SHALL display the test result on the Surgeon Interface Panel before enabling case start. Rationale: 90-second startup target matches pre-operative room setup workflow; longer startup delays operating theatre utilisation. Self-test covers all console-side interfaces so fault detection occurs before the surgical team proceeds to patient positioning. | Test | subsystem, surgeon-console, startup, session-353, idempotency:sub-sic-startup-selftest-353 |
| SUB-MAIN-061 | When the Voice Command Module fails or is disabled, the Surgeon Input Console SHALL continue to provide full surgical system control through the Surgeon Interface Panel and Foot Pedal Array with no reduction in motion control, energy delivery, or camera control capability. Rationale: Voice command is a convenience input and must not be a single point of failure for any surgical function. All capabilities accessible via voice must also be reachable via touchscreen or foot pedal, ensuring the surgeon retains complete system control through hardware-only input paths during voice system fault. | Test | subsystem, surgeon-console, degraded-mode, session-353, idempotency:sub-sic-voice-degraded-353 |
| SUB-MAIN-062 | The Haptic Controller SHALL be developed and validated to IEC 62061 Safety Integrity Level 2 (SIL2), including hardware fault tolerance requirements and safe-state transition to zero-torque output within 10ms of any detected CPU fault, EtherCAT timeout, or watchdog expiry. Rationale: Direct patient-contact force pathway: a runaway torque command from a failed haptic controller would render uncontrolled forces on the surgeon's hands that could mask or amplify dangerous tissue contact events. SIL2 derives from FMEA on the haptic render loop — single CPU fault without safe-state fallback is classified as a hazardous event at severity level S2, probability class P2 under IEC 62061. | Analysis | subsystem, haptic, session-354, idempotency:sub-haptic-sil2-354 |
| SUB-MAIN-063 | The Haptic Feedback Subsystem SHALL remain stable (no limit cycles or sustained oscillations) during instrument-tissue contact for all tissue impedances within the range 0.1 N/mm to 10 N/mm and all motion scaling ratios 1:1 to 10:1. Rationale: Haptic rendering loops coupled to stiff tissue models are susceptible to Z-width instability when the contact admittance exceeds the passivity boundary. The specified tissue stiffness range covers all soft to semi-rigid tissue types in abdominal surgery. Failure to maintain stability produces oscillating forces at the master handle that corrupt tactile perception and may cause the surgeon to lose grip control. | Test | subsystem, haptic, session-354, idempotency:sub-haptic-stability-354 |
| SUB-MAIN-064 | When the Haptic Feedback Subsystem is in STANDBY or DISABLED state, the Master Handle Actuator SHALL present a backdrive torque of no more than 0.05 Nm at any joint, ensuring force-transparent kinaesthetic operation independent of haptic rendering. Rationale: Surgeons must be able to move master handles freely even when haptic rendering is inactive (e.g., during tele-operation setup or soft-tissue navigation without force feedback). Backdrive torque above 0.05 Nm creates proprioceptive masking, reducing tremor filtering effectiveness and increasing surgeon fatigue during procedures exceeding 2 hours. | Test | subsystem, haptic, session-354, idempotency:sub-haptic-backdrive-354 |
| SUB-MAIN-065 | The Haptic Feedback Subsystem SHALL be designed and manufactured in compliance with IEC 60601-1:2005+AMD1:2012 (medical electrical equipment safety) and IEC 60601-1-6 (usability), including classification as Type CF applied part where patient-contact signal pathways exist, and meeting continuous leakage current limits of ≤10µA under single fault conditions. Rationale: The force sensing chain contacts the instrument tip which contacts the patient — this constitutes a Type CF applied part under IEC 60601-1. The 10µA limit at single fault is the most stringent patient leakage requirement and is mandated for devices with direct cardiac path access risk in intra-abdominal surgery. Compliance failure blocks FDA 510(k) clearance. | Analysis | subsystem, haptic, compliance, session-354, idempotency:sub-haptic-compliance-60601-354 |
| SUB-MAIN-066 | The Surgeon Interface Panel SHALL transmit 7-DOF Cartesian pose data from each master manipulator arm to the Console Computer at a minimum rate of 1kHz, with position resolution ≤0.1mm and angular resolution ≤0.1°, measured at the instrument-side tooltip for motion scaling computation. Rationale: 1kHz sampling is the Nyquist floor for transparent 500Hz haptic control loops; lower rates introduce perceptible latency and quantisation artefacts in master arm motion. Position resolution ≤0.1mm matches the minimum clinically significant motion increment for microsurgical tasks per ISO 13482 guidance on medical robot kinematics. | Test | subsystem, surgeon-console, haptic, session-356, idempotency:sub-sip-pose-rate-356 |
| SUB-MAIN-067 | The Surgeon Interface Panel SHALL render haptic force feedback at the master arm fingertips within 1ms of receiving a force command from the Console Computer, with force rendering accuracy within 15 percent of commanded value across the 0 to 5N operating range. Rationale: 1ms haptic loop closure is the perceptibility threshold for transparent force feedback; latencies above 5ms introduce phase lag that disrupts hand-eye coordination during delicate tissue manipulation. 15 percent accuracy matches the resolution of the force sensing at the instrument tip, ensuring the rendered feedback is not more accurate than the source measurement. | Test | subsystem, surgeon-console, haptic, session-356, idempotency:sub-sip-haptic-force-356 |
| SUB-MAIN-068 | The Surgeon Interface Panel SHALL detect surgeon hand disengagement from master arm handles within 50ms and immediately signal the Console Computer to inhibit motion transmission to patient-side instruments. Rationale: Hand disengagement without inhibition would allow free-running slave arm motion with no surgeon intent, creating a direct patient injury hazard. 50ms is the upper bound derived from the system 1ms E-stop latency budget: sensor debounce 10ms plus signal propagation 40ms, ensuring disengagement is communicated before the 100ms safety watchdog deadline. | Test | subsystem, surgeon-console, safety, session-356, idempotency:sub-sip-handle-engage-356 |
| SUB-MAIN-069 | The Console Computer software SHALL be developed and documented to IEC 62304 Class C, with traceability from requirements to software units, and the overall system integration SHALL demonstrate conformance with IEC 60601-1-8 for alarm management and MDR 2017/745 Annex I essential safety requirements. Rationale: The Console Computer is a Class C medical device software component under IEC 62304 because its failure mode can lead to patient injury without opportunity for intermediate detection. MDR 2017/745 Annex I essential requirements are mandatory for CE marking and apply to the complete robotic surgery system with the console as primary control surface. | Inspection | subsystem, surgeon-console, compliance, regulatory, session-356, idempotency:sub-cc-compliance-iec62304-356 |
| SUB-MAIN-070 | When the Console Computer detects a software exception or watchdog timeout, the system SHALL enter SAFE-HOLD state within 500ms, transmit a safe-state broadcast to all subsystems, and retain the last 30 seconds of kinematic and video data in battery-backed non-volatile storage for post-incident analysis. Rationale: 500ms safe-state entry on console computer failure is within the clinical tolerance for motion freeze in surgical robotics before the surgeon can intervene manually. Retaining 30 seconds of pre-fault data supports root-cause analysis and is required under MDR 2017/745 for post-market surveillance of Class IIb devices. Battery-backed storage ensures retention even if main power is lost in the same fault event. | Test | subsystem, surgeon-console, safety, redundancy, session-356, idempotency:sub-cc-failsafe-safehold-356 |
| SUB-MAIN-071 | The Real-Time Protocol Engine SHALL execute time-division multiplexed frame scheduling with a cycle-to-cycle jitter of no more than 1 microsecond, measured at the frame start pulse on the inter-cart fibre transmitter. Rationale: The 1kHz control loop has a total latency budget of 1ms end-to-end (SYS-MAIN-001). The FPGA frame scheduler is the first element in the surgeon-to-instrument chain; a jitter above 1 microsecond accumulates across 7 pipeline stages to exceed the allowed latency variance. Verified by oscilloscope capture of 10,000 consecutive frame-start pulses with a <2ns resolution clock source. | Test | subsystem, motion-control, infrastructure, real-time-protocol-engine, session-357, idempotency:sub-rtpe-tdm-jitter-357 |
| SUB-MAIN-072 | When the Real-Time Protocol Engine detects absence of a valid surgeon console frame for more than 3 consecutive TDM cycles (3ms), the Real-Time Protocol Engine SHALL assert a link-fault signal to the Workspace Safety Enforcer and transmit a zero-velocity command on all 6 DOF within 1ms of fault assertion. Rationale: Three missed cycles at 1kHz equals 3ms, matching the system emergency-stop response budget in SYS-MAIN-010. A zero-velocity command within 1ms of fault assertion ensures the joint servos receive a valid safe command before the watchdog timer in the patient-side cart triggers a power-off, preventing uncontrolled arm movement during comms loss. | Test | subsystem, motion-control, infrastructure, real-time-protocol-engine, safety, session-357, idempotency:sub-rtpe-fault-halt-357 |
| SUB-MAIN-073 | The Network Management Controller SHALL maintain EtherCAT distributed clock synchronisation across all patient-side servo nodes with a maximum inter-node timing skew of 500 nanoseconds during continuous operation. Rationale: Joint Servo Controllers on different patient-side cart nodes execute torque commands sampled from the same 1kHz kinematic frame. A timing skew above 500ns causes inter-joint command phase errors that produce coordinated arm jerks visible as position discontinuities. 500ns corresponds to one-quarter of the EtherCAT propagation jitter budget at 2Mbps, leaving margin for cable length variation. | Test | subsystem, motion-control, infrastructure, network-management, session-357, idempotency:sub-nmc-ethercat-sync-357 |
| SUB-MAIN-074 | When the Network Management Controller receives no valid EtherCAT response from a servo node for 2 consecutive bus cycles (2ms), the Network Management Controller SHALL remove the node from the active topology, assert a per-node fault flag to the Workspace Safety Enforcer, and maintain full communication with all remaining nodes within the same bus cycle. Rationale: SYS-MAIN-016 requires continued full function on remaining instrument arms when one arm loses servo communication. Isolation within a single bus cycle (1ms) ensures the remaining nodes do not experience frame corruption due to a misbehaving slave, which would cause system-wide motion interruption rather than a contained single-arm fault. | Test | subsystem, motion-control, infrastructure, network-management, safety, session-357, idempotency:sub-nmc-fault-isolation-357 |
| SUB-MAIN-075 | The Procedure Data Recorder SHALL continuously record all 7-DOF joint angles, joint torques, and Cartesian velocities for each active instrument arm at 1kHz sample rate, with a maximum write latency of 10ms from sample acquisition to persistent storage. Rationale: SYS-MAIN-015 mandates 1kHz kinematic data recording across all arms. A 10ms write latency ceiling (10 samples) matches the size of the in-memory ring buffer allocated on the Real-Time Compute Node before data is handed to the recorder. Exceeding 10ms risks ring buffer overflow during sustained peak I/O load, causing permanent sample loss that cannot be reconstructed for post-procedure audit. | Test | subsystem, motion-control, infrastructure, procedure-data-recorder, session-357, idempotency:sub-pdr-recording-rate-357 |
| SUB-MAIN-076 | The Procedure Data Recorder SHALL store data on dual-mirrored NVMe drives, detect any write or read failure on either drive within 1 second, and notify the Surgeon Interface Panel with an audible alarm while continuing to record on the remaining healthy drive without interruption. Rationale: Clinical and regulatory standards (IEC 62133, MDR Annex I General Safety clause 17.2) require that medical device data integrity is maintained during single-component storage failure. Dual-mirror NVMe provides hot-standby redundancy. A 1-second fault detection window is achievable via SMART polling at 100ms intervals and is the minimum acceptable for surgeon notification before a second fault could cause total data loss during a long procedure. | Demonstration | subsystem, motion-control, infrastructure, procedure-data-recorder, reliability, session-357, idempotency:sub-pdr-storage-integrity-357 |
| SUB-MAIN-077 | The Inter-Cart Fibre Link SHALL provide a minimum bidirectional throughput of 10 Gbps with a one-way optical propagation latency not exceeding 100 microseconds for cable lengths up to 10 metres between Surgeon Console and Patient-Side Cart. Rationale: The motion control pipeline requires approximately 2.4Mbps of kinematic data per arm (7 joints × 3 values × 64-bit × 1kHz), and the system supports up to 4 arms plus video metadata, totalling under 100Mbps even with control overhead. 10Gbps provides a 100× safety margin for future capability expansion. 100 microseconds propagation at 10m is well within the 1ms end-to-end latency budget of SYS-MAIN-001. | Test | rt-implausible-value, red-team-session-502 |
| SUB-MAIN-078 | When the active Inter-Cart Fibre Link channel fails (signal loss, CRC error rate exceeding 10^-9 per frame), the Inter-Cart Fibre Link SHALL switch to the redundant fibre channel within 1 millisecond without loss of any in-flight kinematic command frames. Rationale: A 1ms failover aligns with the 3-missed-cycle fault threshold of the Real-Time Protocol Engine (SUB-MAIN-072), ensuring a channel switch does not itself trigger a controlled stop. Kinematic frame loss during failover would be indistinguishable from a comms fault and would unnecessarily halt the procedure. Dual-fibre switchover with in-flight frame buffering is standard in deterministic real-time networks (e.g., HSR/PRP protocols). | Test | subsystem, motion-control, infrastructure, inter-cart-fibre, resilience, session-357, idempotency:sub-icfl-redundancy-failover-357 |
| SUB-MAIN-079 | The Inter-Cart Fibre Link shall provide complete galvanic isolation between the Surgeon Console and Patient-Side Cart, with reinforced insulation rated to a minimum of 4000 VAC (IEC 60601-1 Clause 8.8), ensuring no conductive path exists between the two cart chassis. Rationale: IEC 60601-1 type B applied part requirements prohibit any continuous conductive path between the surgeon side and the patient side of a surgical system. Optical fibre is the preferred isolation mechanism because it inherently provides infinite DC resistance. The 4000 VAC reinforced insulation rating is the IEC 60601-1 requirement for patient-contacting applied parts with highest risk classification, ensuring patient safety even under single-fault conditions in the mains power circuitry. | Test | subsystem, motion-control, infrastructure, inter-cart-fibre, safety, iec60601, session-357, idempotency:sub-icfl-galvanic-isolation-357 |
| SUB-MAIN-080 | The Tremor Rejection Filter SHALL implement a zero-phase 8th-order Butterworth low-pass filter at 6Hz cutoff, achieving ≥40dB attenuation above 6Hz and ≤0.5dB passband ripple below 3Hz, with an initial transient settling time of ≤5ms on mode activation. Rationale: Involuntary physiological tremor spans 6-12Hz; the 6Hz cutoff preserves intentional surgical motion (typically 0-3Hz) while eliminating tremor. 8th-order provides the 40dB/octave slope needed without adding unacceptable group-delay. Zero-phase implementation prevents latency-induced instability. | Test | subsystem, motion-control, tremor, session-358, idempotency:sub-tremor-filter-attenuation-358 |
| SUB-MAIN-081 | When the Tremor Rejection Filter detects a sustained high-frequency velocity component above 8Hz for more than 200ms, it SHALL log a TREMOR_ELEVATED event to the Procedure Data Recorder and maintain filtering without operator intervention. Rationale: Elevated tremor (e.g., fatigue, medication effect) changes filter operating point. Automatic logging captures surgeon physiology data for post-operative review and enables future adaptive filtering without requiring mid-procedure UI interaction. | Test | subsystem, motion-control, tremor, session-358, idempotency:sub-tremor-adaptive-log-358 |
| SUB-MAIN-082 | The Workspace Safety Enforcer SHALL compute signed penetration depth for all 7-DOF arm configurations against the patient anatomy mesh and instrument collision model at 1kHz, and SHALL generate a repulsive joint-space torque that limits Cartesian approach velocity to less than 5mm/s within 5mm of any restricted surface. Rationale: Patient anatomy mesh defines no-go zones near vessels and organs. At 5mm proximity, a 5mm/s maximum approach rate gives the surgeon 1 second to redirect before potential tissue contact; at full 1kHz rate the enforcer can react within a single control cycle to prevent boundary violation. | Test | subsystem, motion-control, workspace-safety, session-358, idempotency:sub-wse-proximity-enforcement-358 |
| SUB-MAIN-083 | When the Workspace Safety Enforcer cannot access a valid patient anatomy mesh (model corruption or load failure), it SHALL transition the Motion Control and Scaling Subsystem to a reduced-mobility mode that limits Cartesian workspace to a predefined 150mm-radius sphere centred on the instrument tip position at fault onset, and SHALL generate a WORKSPACE_MODEL_FAULT alert within 50ms. Rationale: Loss of anatomy mesh eliminates proximity safety guarantees. The 150mm sphere provides a safe enclosure around the current instrument position, preventing gross motion while allowing the surgeon to retract instruments. 50ms alert latency matches the safety watchdog cycle time. | Test | subsystem, motion-control, workspace-safety, session-358, idempotency:sub-wse-degraded-mode-358 |
| SUB-MAIN-084 | When the Kinematics Engine detects a kinematic singularity condition (Jacobian determinant below threshold 1e-4), it SHALL activate damped-least-squares inverse kinematics with a damping coefficient lambda of 0.05, and SHALL maintain commanded Cartesian velocity direction error below 5 degrees while limiting joint velocity to 80% of maximum. Rationale: Surgical manipulators with 7-DOF pass near singularities during routine retraction and rotation. At singularity, standard pseudoinverse produces infinite joint velocities; DLS with lambda=0.05 caps joint speed while preserving directional intent. 5-degree directional error is within the surgeon motion resolution threshold. | Test | subsystem, motion-control, kinematics, session-358, idempotency:sub-ke-singularity-handling-358 |
| SUB-MAIN-085 | When the Joint Servo Controller detects a joint position error exceeding 0.5 degrees for more than 10ms during a commanded trajectory, it SHALL command the affected joint brake to engage within 2ms, halt motion on all joints of the affected arm, and report a SERVO_FAULT event to the Safe State Manager with joint ID, error magnitude, and timestamp. Rationale: A 0.5-degree uncorrected error at the instrument tip can translate to 3-5mm tip displacement depending on arm configuration; at 10ms detection window this stays within the 2mm maximum allowable tip error envelope. Brake engage within 2ms prevents runaway while reporting enables root-cause analysis. | Test | subsystem, motion-control, servo, session-358, idempotency:sub-jsc-fault-isolation-358 |
| SUB-MAIN-086 | The Procedure Data Recorder SHALL be housed in a dedicated 1U rack-mount enclosure (430mm × 44mm × 380mm) integrated into the patient cart, rated IP21, operating from the 12V patient cart rail, with WORM-compliant SSD storage and a removable front-panel USB-C port for intraoperative data export. Rationale: Physical embodiment requirement derived from ontological analysis showing PDR has physical environmental constraints (SUB-MAIN-086). Dedicated enclosure isolates PDR from vibration and RF emitted by energy delivery subsystem; IP21 matches clinical environment; rack-mount integration mandated by cart geometry and field-service requirements. | Inspection | |
| SUB-MAIN-086 | While the Real-Time Compute Node CPU junction temperature exceeds 85 degrees Celsius, the node SHALL reduce non-critical background processing priority and maintain full deterministic scheduling for Motion Control threads, with junction temperature logged to the Procedure Data Recorder at 1Hz; if temperature reaches 95 degrees Celsius, the node SHALL generate a THERMAL_CRITICAL alert and transition to Safe Hold. Rationale: Real-time scheduling must be immune to thermal throttling; standard OS thermal management interrupts deterministic task execution. 85C threshold provides 10C headroom before critical shutdown. Safe Hold at 95C prevents silicon damage that could cause unpredictable motion. | Test | subsystem, motion-control, compute, session-358, idempotency:sub-rtcn-thermal-management-358 |
| SUB-MAIN-087 | The Power Management Subsystem SHALL be implemented as two physically separated LRUs: a mains power entry module (400mm × 200mm × 100mm) mounted in the patient cart base handling AC-DC conversion for 24V, 12V, and 5V rails, and a surgeon console power board (250mm × 150mm × 60mm) supplying the console computer and haptic subsystem; both rated IP21 and conformal-coated for cleaning agent resistance. Rationale: Physical embodiment required by ontological mismatch finding (SUB-MAIN-102, VER-MAIN-107): PMS has physical environmental constraints but was classified without Physical Object trait. Separation into two LRUs reflects actual surgical robot architectures where console and cart power domains are galvanically isolated for patient safety per IEC 60601-1 clause 8. | Inspection | |
| SUB-MAIN-087 | The Motion Control and Scaling Subsystem SHALL authenticate all external configuration commands (scaling ratio updates, workspace model loads, and motion enable/disable) via HMAC-SHA256 with a session key established at system startup, and SHALL reject and log any command failing authentication within one control cycle (1ms) without interrupting the real-time motion pipeline. Rationale: IEC 62443-3-3 SR 1.1 requires authentication for all control commands in medical device systems. Unauthorised scaling ratio or workspace mesh injection could cause unsafe instrument motion; HMAC-SHA256 with a session key provides integrity without adding per-cycle cryptographic load to the deterministic pipeline. Rejection within 1ms ensures the safety check does not degrade pipeline timing. | Test | subsystem, motion-control, cybersecurity, session-358, idempotency:sub-mcs-command-auth-358 |
| SUB-MAIN-088 | The Motion Control System SHALL be implemented as a physically distinct compute subsystem comprising a real-time motion controller card (PCIe half-length, 210mm × 111mm) installed in the patient cart chassis, with direct hardware backplane connections to actuator drive electronics, operating from the 12V patient cart rail and rated for continuous operation at 45°C ambient without forced air cooling. Rationale: Physical embodiment needed per lint finding: MCS lacks Physical Object trait but SUB-MAIN-086 imposes physical environmental constraints. Real-time constraint requires dedicated hardware, not virtualised compute; 45°C ambient without forced cooling is derived from operating theatre HVAC limits and OR noise requirements (IEC 60601-1 Part 12 compatibility). | Inspection | |
| SUB-MAIN-088 | The Main Power Distribution Unit SHALL distribute mains AC power to all surgical robot subsystems via independently fused branch circuits, with each branch rated at no less than 125% of its maximum load current. Rationale: Branch circuit over-sizing to 125% of peak load current is required by IEC 60601-1 clause 10.2 for medical electrical equipment, preventing nuisance trips during startup inrush while ensuring branch faults do not propagate to adjacent subsystems via shared conductors. | Test | subsystem, power-management, power-distribution, session-361, idempotency:sub-pdu-branch-circuits-361 |
| SUB-MAIN-089 | The Time Compute Node SHALL be a dedicated timing hardware module (70mm × 45mm, M.2 form factor) installed on the system backplane, providing IEEE 1588v2 PTP grandmaster function with internal TCXO reference oscillator, GPS-disciplined timing input, and hardware timestamping to within ±500ns for all inter-subsystem data frames. Rationale: Physical embodiment needed per lint finding: TCN lacks Physical Object trait but SUB-MAIN-086 imposes physical environmental constraints. Dedicated timing hardware (rather than software PTP stack) provides deterministic ±500ns accuracy required for synchronised sensor fusion; TCXO reference maintains accuracy during GPS signal loss in RF-shielded operating theatres. | Test | |
| SUB-MAIN-089 | The Main Power Distribution Unit SHALL detect line-to-earth leakage current exceeding 500 µA on any branch and remove power from that branch within 100 ms, transmitting a fault code to the Power Sequencing Controller via the internal CAN bus. Rationale: IEC 60601-1 clause 8.7.3 limits patient-accessible leakage current to 500 µA in normal condition and to 1 mA in single fault. The 100 ms response time ensures the Safety and Interlock Subsystem can initiate protective shutdown before accumulated charge reaches dangerous thresholds, given the capacitance of typical OR wiring harnesses. | Test | subsystem, power-management, safety, iec60601, session-361, idempotency:sub-pdu-ground-fault-361 |
| SUB-MAIN-090 | The Motion Control System SHALL be developed and validated in conformance with IEC 62304:2006 (Medical device software lifecycle) at Software Safety Class C, and shall satisfy IEC 60601-1:2005+A1:2012 clause 14 (Programmable electrical medical systems) with a certified PEMS development file submitted to the notified body. Rationale: MCS is classified as Regulated (UHT hex 51F73A18) but had no compliance requirements. Class C classification is required because MCS failure can cause serious injury or death (loss of motion control during surgery). IEC 62304 mandates software lifecycle documentation; IEC 60601-1 PEMS requirements apply to all software-controlled medical devices in EU MDR scope. | Analysis | |
| SUB-MAIN-090 | The UPS Battery Module SHALL report state-of-charge to the Power Sequencing Controller at 1 Hz via the battery management system interface, with accuracy of ±2% across the 20–95% charge range, and SHALL assert a low-battery warning when state-of-charge falls below 25%. Rationale: Accurate state-of-charge telemetry at 1 Hz allows the Power Sequencing Controller to trigger an orderly shutdown before battery depletion causes an uncontrolled power loss during surgery. The 25% warning threshold provides at minimum 8 minutes of bridging time (from SUB-MAIN-043 minimum 10-minute UPS duration) for an orderly instrument retraction procedure. | Test | subsystem, power-management, ups, reliability, session-361, idempotency:sub-ups-soc-reporting-361 |
| SUB-MAIN-091 | The Workspace Safety Enforcer SHALL be designed, implemented, and independently verified to achieve Safety Integrity Level 3 (SIL 3) per IEC 61508-1:2010, with a target hardware fault tolerance of HFT ≥ 1, probabilistic failure to perform on demand of <10⁻⁷ per hour, and third-party functional safety assessment prior to clinical deployment. Rationale: WSE is classified as Regulated (UHT hex 51B73818) and is the primary safety boundary preventing instrument collision with anatomy outside the surgical workspace. SIL 3 is required for functions where failure can result in serious irreversible injury; HFT ≥ 1 means no single hardware failure can defeat the safety function. | Analysis | |
| SUB-MAIN-091 | When mains supply voltage falls below 80% of nominal for more than 20 ms, the Power Sequencing Controller SHALL initiate transfer to UPS Battery Module within 10 ms, ensuring no subsystem experiences a supply interruption exceeding 30 ms total. Rationale: The 30 ms total transfer budget is derived from joint servo control loop requirements: a 30 ms power interruption is the maximum before the joint controllers enter fault state (losing current position data), which would require a full arm re-homing sequence and loss of the sterile field. The 80% voltage threshold prevents false triggers from short-duration sags common in hospital OR environments. | Test | subsystem, power-management, ups, failover, safety, session-361, idempotency:sub-psc-mains-loss-transfer-361 |
| SUB-MAIN-092 | The Motion Scaling Module SHALL be developed under a Design History File (DHF) as required by 21 CFR Part 820.30 and EU MDR Annex II, shall implement scaling algorithms in a verified, MISRA C:2012 compliant codebase, and shall undergo human factors validation per IEC 62366-1 to confirm surgeons can accurately select and apply scaling ratios from 1:1 to 10:1 without error. Rationale: MSM is classified as Regulated (UHT hex 50B53B18) with no compliance requirements. DHF requirement satisfies FDA QSR for Class II/III devices; MISRA C compliance prevents safety-critical coding errors in scaling computation; IEC 62366-1 human factors validation is required because erroneous scaling selection (surgeon input error) is a foreseeable use error hazard. | Analysis | |
| SUB-MAIN-092 | The Auxiliary Power Supply SHALL maintain 24 VDC output within plus or minus 2% under load variations from 0 to 100% of rated capacity, and SHALL remain energised for a minimum of 20 minutes following complete loss of mains and UPS supply, sourced from a dedicated internal battery. Rationale: The 24 VDC auxiliary rail exclusively powers safety circuits: the Safe State Manager, Emergency Stop Chain, and Watchdog Timer Controller. These circuits must remain active after main UPS depletion to enable controlled arm retraction and safe-state assertion. 20 minutes exceeds the longest documented emergency surgical exit procedure (12 minutes per clinical operations data) with 8 minutes margin. | Test | subsystem, power-management, auxiliary-power, safety, session-361, idempotency:sub-aux-psu-24v-361 |
| SUB-MAIN-093 | The Power Management Subsystem SHALL provide patient-applied part (Type B minimum, Type BF preferred) galvanic isolation meeting IEC 60601-1:2005 clause 8 with patient leakage current <10µA (normal condition) and <50µA (single fault condition), and shall comply with IEC 60601-1-2:2014 (EMC) for conducted and radiated emissions in a clinical environment. Rationale: PMS is classified as Regulated (UHT hex 54F53018) but had no compliance requirements. IEC 60601-1 isolation is mandatory for all mains-powered medical devices. Leakage thresholds prevent microshock hazard to patients; EMC compliance prevents PMS switching noise from interfering with electrophysiology monitoring equipment co-located in the OR. | Test | |
| SUB-MAIN-093 | The Safety and Interlock Subsystem SHALL be designed, implemented, and verified to achieve Safety Integrity Level 3 (SIL 3) per IEC 62061, with a probability of dangerous failure per hour (PFH) not exceeding 1×10⁻⁷/h for each safety function (joint force limiting, E-stop chain, communication watchdog). Rationale: A surgical robot operating on an anaesthetised patient is a Class IIb/III medical device; safety functions that prevent uncontrolled arm motion or tissue penetration must meet SIL 3 under IEC 62061. PFH ≤1×10⁻⁷/h is the SIL 3 threshold. Failure to meet this leaves the safety case without regulatory acceptance. | Analysis | subsystem, sis, compliance, sil3, session-362, idempotency:sub-sis-sil3-compliance-362 |
| SUB-MAIN-094 | When the primary Procedure Data Recorder storage medium fails during an active surgical procedure, the system SHALL automatically failover to a secondary redundant recording path within 500ms, maintaining all video, telemetry, and event log streams with no data loss; the surgeon display SHALL indicate recording medium degradation within 1 second of failover. Rationale: PDR is System-Essential (UHT hex 50851208): procedure recordings are required for post-surgical review, complication investigation, and regulatory audit. Without recording continuity, any intraoperative event loses its evidential record. 500ms failover allows one frame of 4K video to be dropped but ensures continuous recording; surgical data continuity is mandated by EU MDR Article 83 (UDI) and hospital governance policies. | Test | |
| SUB-MAIN-094 | The Motion Control System software SHALL be developed and qualified under IEC 62304 Safety Class C, with full software lifecycle documentation including software development plan, software requirements, detailed design, unit and integration test records, and risk analysis. Rationale: Motion control software executes joint servo commands in real time for a Class IIb medical device; IEC 62304 Class C applies when software failure can cause death or serious injury. Absence of IEC 62304 classification prevents regulatory submission and creates unmanaged software risk. | Analysis | subsystem, motion-control, compliance, iec62304, session-362, idempotency:sub-mcs-iec62304-classC-362 |
| SUB-MAIN-095 | When the primary Time Protocol Engine TCXO reference or GPS disciplining input fails, the system SHALL maintain inter-subsystem synchronisation to within ±2µs holdover accuracy for a minimum of 30 minutes using the secondary crystal oscillator, and SHALL log the timing source degradation event with timestamp and subsystem notification within 100ms of fault detection. Rationale: TPE is System-Essential (UHT hex 50B57B08): loss of time synchronisation degrades sensor fusion accuracy, invalidates haptic feedback timing, and breaks inter-cart communication framing. 30-minute holdover covers typical OR interruption events (power blip, GPS shielding). ±2µs holdover bound is derived from maximum acceptable jitter in the 1kHz haptic control loop (1µs phase error is within 0.1% of sample period). | Test | |
| SUB-MAIN-095 | The Console Computer SHALL detect its own software watchdog failure within 500ms and automatically transfer console control authority to the backup processing path, preserving the surgeon's last commanded instrument position and annunciating the transfer via an audio tone and on-screen status update. Rationale: The Console Computer is the single physical host for the surgeon interface; a software hang without automatic recovery requires manual intervention during surgery, creating a potential patient safety event. 500ms timeout is consistent with the 150ms E-stop latency requirement — sufficient margin for detection before motion state becomes stale. | Test | subsystem, surgeon-console, redundancy, failover, session-362, idempotency:sub-cc-watchdog-failover-362 |
| SUB-MAIN-096 | When the Haptic Feedback Subsystem force-feedback actuator channel for any master manipulator axis fails, the system SHALL continue operating in degraded haptic mode, suppressing force feedback for the affected axis only, displaying a force feedback degraded warning to the surgeon within 200ms, and maintaining full motion control capability for all operational axes at the nominal 1kHz servo rate. Rationale: HFS is System-Essential (UHT hex 55F57018): complete haptic loss prevents the surgeon from detecting tissue contact forces, risking inadvertent perforation. Per-axis degraded mode (rather than full shutdown) preserves surgical capability for the critical axis while alerting to reduced fidelity. 200ms notification latency matches the surgeon's tactile attention refresh rate; 1kHz servo rate preservation ensures motion precision is not compromised. | Test | |
| SUB-MAIN-096 | When the Haptic Controller loses communication with the Force Sensing Module for more than 50ms, the Haptic Feedback Subsystem SHALL enter a force-blind degraded mode: the Master Handle Actuator SHALL apply a constant 0.3N braking force to all degrees of freedom, audible and visual alerts SHALL be activated, and the surgeon SHALL retain full kinematic control of instrument motion. Rationale: Complete loss of force feedback creates the risk of over-insertion or excessive tissue force without surgeon awareness. A 0.3N constant braking force (below the 5N tissue-force limit from SYS-MAIN-012) provides passive cue that force feedback is impaired without preventing emergency instrument withdrawal. 50ms threshold is consistent with the 15ms haptic render rate — three missed render cycles triggers degraded mode. | Test | subsystem, haptic, redundancy, degraded-mode, session-362, idempotency:sub-haptic-fbd-degraded-362 |
| SUB-MAIN-097 | The Power Management Subsystem SHALL provide redundant power paths for the Safety-Critical power domain (interlock subsystem, workspace safety enforcer, and emergency stop circuits): two independent DC supply rails each capable of sustaining full safety function load, with automatic switchover within 5ms of primary rail failure, supporting at least 60 seconds of safe-state hold from the onboard UPS battery. Rationale: PMS is System-Essential (UHT hex 54F53018): safety function power loss without backup results in uncontrolled actuator freewheel during surgery. Dual-rail architecture prevents single power supply failure from defeating the safety function. 5ms switchover is derived from the 250ms safe-state achievement budget (SYS-MAIN-002) — power switchover must not consume more than 2% of the fault budget. | Test | |
| SUB-MAIN-097 | The Motion Control and Scaling Subsystem command interfaces (Trajectory Generator inputs, Motion Scaling Module configuration parameters) SHALL authenticate all incoming command frames using a session-keyed HMAC-SHA256 message authentication code; any frame failing authentication SHALL be rejected and a security violation event logged to the Procedure Data Recorder within 10ms. Rationale: The Trajectory Generator and Motion Scaling Module accept commands that directly translate to physical arm motion. A spoofed or replayed command could cause unintended motion during surgery. HMAC-SHA256 provides integrity protection without the latency overhead of asymmetric encryption; session-key binding prevents replay across power cycles. IEC 80001-1 and the FDA cybersecurity guidance for networked medical devices both require integrity controls on safety-critical command paths. | Test | subsystem, motion-control, cybersecurity, authentication, session-362, idempotency:sub-mcs-command-hmac-362 |
| SUB-MAIN-098 | The Communication and Data Management Subsystem SHALL implement HMAC-SHA-256 message authentication on all safety-critical command channels (motion control, energy delivery, workspace safety enforcer), with per-message authentication tags verified by the receiving subsystem within one control cycle (≤1ms), and SHALL reject and log any command with an invalid or missing authentication tag, triggering a safe-state transition. Rationale: Subsystem decomposition of SYS-MAIN-018: CDMS is the inter-subsystem communication backbone and is therefore the natural implementation locus for command authentication. HMAC-SHA-256 is selected as it is computationally feasible within a 1ms control cycle on embedded hardware while providing 128-bit security level. Per-message authentication prevents replay and injection attacks identified in FDA 2023 cybersecurity guidance for surgical robots. | Test | |
| SUB-MAIN-098 | The Tool Tip Articulation Controller SHALL authenticate all incoming joint-space position commands using a 32-bit HMAC signature, rejecting any command with an invalid or missing signature within one control cycle (1ms), and logging all rejected commands to the Procedure Data Recorder. Rationale: IEC 62443-4-2 requires authentication of all command inputs to safety-critical embedded controllers. The TTAC directly drives distal DOFs; an unauthenticated command injected via a compromised Instrument Drive Unit bus could cause unexpected instrument motion at the tissue interface. 32-bit HMAC at 1kHz control rate is computationally feasible on the TTAC compute board and matches the authentication scheme applied to Kinematics Engine, Trajectory Generator, and Real-Time Protocol Engine. | Test | subsystem, surgical-instrument-system, cybersecurity, authentication, session-365, idempotency:sub-ttac-cybersecurity-auth-365 |
| SUB-MAIN-099 | The Vision and Imaging Subsystem SHALL deliver stereoscopic 3D video at 1080p per eye at 60Hz to the surgeon console display with end-to-end latency from endoscope tip to surgeon display of <50ms under nominal operating conditions, and SHALL maintain continuous stereo video output with no more than one dropped frame per 10 seconds during any intraoperative phase. Rationale: Subsystem decomposition of STK-MAIN-012 (surgeon situational awareness) and SYS-MAIN-003 (stereoscopic HD video). <50ms latency threshold is derived from human perception: beyond 50ms surgeons report motion sickness in VR-coupled tasks; frame-drop continuity specification ensures no interruption of tissue visualisation during critical dissection phases. | Test | |
| SUB-MAIN-099 | The Kinematics Engine SHALL authenticate all joint-space command packets received from the Motion Control System using a 32-bit HMAC-SHA256 keyed with a session key negotiated at startup, rejecting any packet with an invalid or missing signature within one control cycle. Rationale: IEC 62443-4-2 requires input authentication for safety-critical control software. Unauthenticated Cartesian commands injected at the inter-subsystem interface could be used to drive arm joints beyond safe workspace limits. Session-key HMAC provides both authentication and replay protection without requiring persistent key storage on the RTCN. | Test | subsystem, motion-control, cybersecurity, session-365, idempotency:sub-ke-auth-iec62443-365 |
| SUB-MAIN-100 | The Trajectory Generator SHALL validate all motion waypoints against the active workspace safety envelope before execution, rejecting any waypoint that would place an instrument tip within 5mm of a registered keep-out zone boundary, and halting trajectory execution with a safe-state transition within 5ms of detection. Rationale: Trajectory-level validation provides defence-in-depth upstream of the Joint Servo Controller. Rejecting unsafe waypoints at the Trajectory Generator prevents the Workspace Safety Enforcer from being the sole line of defence against workspace boundary violations, meeting IEC 80601-2-77 requirement for layered safety barriers in surgical robots. | Test | subsystem, motion-control, workspace-safety, session-365, idempotency:sub-tg-waypoint-validation-365 |
| SUB-MAIN-101 | The Real-Time Protocol Engine SHALL authenticate all synchronisation frames received on the inter-cart fibre link using a 16-bit CRC combined with a 32-bit session token, discarding any frame that fails authentication and triggering a communication fault event within one synchronisation period. Rationale: RTPE processes all time-critical synchronisation traffic between Surgeon Console and Patient-Side Cart at 1kHz. An injected or replayed synchronisation frame could desynchronise the master-slave control loop, causing latency spikes or control instability. Frame-level authentication is consistent with IEC 62443 requirements and matches the HMAC scheme applied to KE and TG. | Test | subsystem, infrastructure, cybersecurity, session-365, idempotency:sub-rtpe-auth-sync-365 |
| SUB-MAIN-102 | The Workspace Safety Enforcer SHALL be designed and verified to IEC 60601-1:2005+A1:2012 and ISO 14971:2019, achieving Classification III risk acceptability for joint workspace limit enforcement, with documented residual risk below the acceptable limit defined in the system risk management file. Rationale: Workspace Safety Enforcer is Regulated per UHT classification (51B73818). Enforces hard joint limits whose violation risks direct patient injury. IEC 60601-1 clause 14 and ISO 14971 are legally mandated under MDR 2017/745. This requirement establishes the certification basis for the workspace limit function. | Analysis | |
| SUB-MAIN-102 | The Power Management Subsystem SHALL comply with IEC 60601-1:2005+AMD1:2012 (Medical electrical equipment — General requirements for basic safety and essential performance) and IEC 60601-1-2:2014 (electromagnetic compatibility), with applied part classification F-Type for all outputs connected to patient-coupled circuits, achieving 500 VAC dielectric withstand between mains and patient outputs. Rationale: IEC 60601-1 compliance is mandatory for medical electrical equipment connected to or supplying patient-coupled circuits. F-Type floating isolation is required because the PDU supplies the patient-side cart, which may have instruments in contact with the patient; a ground fault on the mains side must not cause patient injury. The 500 VAC withstand is the IEC 60601-1 Table 2 value for F-Type parts at 230V mains. | Test | subsystem, power-management, compliance, iec60601, session-368, idempotency:sub-pms-iec60601-compliance-368 |
| SUB-MAIN-103 | The Communication and Data Management System SHALL implement HMAC-SHA256 message authentication on all safety-critical inter-subsystem command interfaces over the inter-cart fibre link, verifying each command frame before forwarding to motion control, with authentication failure causing immediate command rejection and SAFE-HOLD transition within 50ms. Rationale: SYS-MAIN-018 mandates cryptographic message authentication on safety-critical interfaces. HMAC-SHA256 selected over AES-GCM because it has lower compute latency (<10 microseconds on embedded DSP) while providing equivalent message authentication strength for the 1kHz control frame rate. Failure to authenticate must trigger SAFE-HOLD rather than continue — any accepted spoofed or corrupted command could cause uncontrolled arm motion. | Test | |
| SUB-MAIN-103 | The Inter-Cart Fibre Link SHALL provide a minimum sustained one-way latency of ≤500µs for all real-time kinematic command frames under peak traffic load (21 kinematics channels at 1kHz simultaneously with dual stereo HD video streams). Rationale: The 500µs one-way latency budget for the fibre link is derived from the 1ms end-to-end control loop requirement in SYS-MAIN-001. With 250µs allocated to outbound processing and 250µs for return path encoding, 500µs is the maximum permissible fibre path delay. Exceeding this would violate the haptic feedback realism threshold of <1ms round-trip, causing perceptible surgeon-to-instrument lag during tissue manipulation. | Test | subsystem, comms, inter-cart-fibre, session-369, idempotency:sub-icfl-latency-369 |
| SUB-MAIN-104 | The Inter-Cart Fibre Link SHALL switch from the primary to the redundant fibre path within 5ms of primary link failure detection, with no loss of kinematic command continuity beyond the within the 100ms safety timeout window. Rationale: 5ms failover is derived from SUB-MAIN-028 which requires link failure detection within 5ms and transition to safe state. A 5ms failover without command loss is achievable with hot-standby redundancy at FPGA-level path switching; a longer switchover would require the Safety and Interlock Subsystem to initiate arm park, disrupting the procedure unnecessarily. | Test | subsystem, comms, inter-cart-fibre, redundancy, session-369, idempotency:sub-icfl-failover-369 |
| SUB-MAIN-105 | The Real-Time Protocol Engine SHALL encapsulate each 1kHz kinematic command frame with a 32-bit sequence number, HMAC-SHA256 authentication tag, and CRC-32 error detection field within a total frame overhead of 64 bytes or less. Rationale: Frame overhead must be bounded so that the 1kHz cycle at 21 joint channels fits within the 1Gbps link budget. HMAC-SHA256 per frame satisfies SYS-MAIN-018 cryptographic authentication. CRC-32 provides independent error detection; HMAC alone is not sufficient for in-flight bit error detection due to compute latency. 64-byte overhead yields <7% protocol overhead at peak data load. | Analysis | subsystem, comms, real-time-protocol-engine, session-369, idempotency:sub-rtpe-framing-369 |
| SUB-MAIN-106 | The Real-Time Protocol Engine SHALL detect frame loss or sequence discontinuity within one 1kHz frame period (1ms) and report a COMM_FAULT event to the Safety and Interlock Subsystem within 2ms of detection. Rationale: 1ms detection aligns with the 1kHz kinematic control cycle: a missed frame is visible at the next expected sequence number. The 2ms reporting budget allows one additional frame cycle for COMM_FAULT generation, keeping total fault propagation under 3ms, well within the 100ms safety timeout. Delayed detection would allow incorrect kinematics to accumulate before safe-state is initiated. | Test | subsystem, comms, real-time-protocol-engine, fault-handling, session-369, idempotency:sub-rtpe-fault-detect-369 |
| SUB-MAIN-107 | The Network Management Controller SHALL monitor both primary and secondary fibre link health at 100Hz and classify each link as HEALTHY, DEGRADED, or FAILED based on bit error rate, frame loss ratio, and inter-frame jitter thresholds. Rationale: 100Hz monitoring provides 10ms resolution on link degradation events, sufficient to initiate failover before the 100ms safety timeout. Three-state classification allows the system to pre-arm failover on DEGRADED links before outright failure, reducing unexpected switchover events during procedures. | Test | subsystem, comms, network-management, session-369, idempotency:sub-nmc-health-monitor-369 |
| SUB-MAIN-108 | The Network Management Controller SHALL implement strict-priority queuing with three traffic classes: SAFETY (heartbeats and E-stop, highest priority), KINEMATIC (1kHz command frames), and DATA (video and procedure recording, lowest priority), ensuring SAFETY and KINEMATIC frames are never delayed by DATA traffic. Rationale: Priority queuing is required because safety heartbeats and kinematic commands have hard real-time deadlines (5ms and 1ms respectively) while video and recording data have soft deadlines. Without traffic class isolation, burst video traffic could compete for bandwidth with safety-critical frames, introducing jitter that violates SYS-MAIN-001 and SYS-MAIN-002. | Analysis | subsystem, comms, network-management, session-369, idempotency:sub-nmc-qos-369 |
| SUB-MAIN-109 | The Procedure Data Recorder SHALL sustain a continuous write throughput of at least 2 GB/s to NVMe RAID storage while simultaneously recording 21-channel kinematics at 1kHz, dual stereo HD video at 60fps, and timestamped system events without buffer overflow or dropped frames for a minimum 8-hour procedure duration. Rationale: 2 GB/s throughput is derived from peak data rates: 21 joints x 3 values x 2 bytes x 1000Hz = ~126 KB/s kinematics; 2x1080p60 H.264 at 50Mbps = ~12.5 MB/s video; event log negligible. Total ~13 MB/s sustained, with 2 GB/s NVMe capacity providing 150x headroom for burst and redundancy writes. SYS-MAIN-015 requires 8-hour continuous recording. | Test | subsystem, comms, procedure-data-recorder, session-369, idempotency:sub-pdr-throughput-369 |
| SUB-MAIN-110 | The Procedure Data Recorder SHALL generate a SHA-256 hash of the complete procedure dataset at end-of-procedure and store it alongside the data, enabling post-hoc integrity verification of all recorded kinematic, video, and event data. Rationale: Cryptographic hash verification satisfies regulatory requirements for surgical record integrity (IEC 62304 and FDA 21 CFR Part 11 audit trail obligations). Without hash verification, undetected storage corruption could render recorded data inadmissible for post-procedural review or incident investigation. | Test | subsystem, comms, procedure-data-recorder, session-369, idempotency:sub-pdr-integrity-369 |
| SUB-MAIN-111 | The Surgical Instrument System patient-side components (Sterile Adapter, Surgical Instruments, and Cable Tensioning System) SHALL withstand full fluid immersion in IPA 70% and quaternary ammonium compound disinfectants for minimum 30-minute contact time without degradation of structural integrity, sterile barrier, or instrument articulation performance. Rationale: SYS-MAIN-006 mandates IPA 70% compatibility for all sterile-field components. The Surgical Instrument System houses the cable-driven wrist mechanism, sterile adapters, and instrument channels that routinely contact surgical irrigation and disinfectants. Failure to resist IPA 70% immersion risks stress-cracking of polymer housings, corrosion of cable sheaths, and loss of sterile barrier — potential patient infection pathways. | Test | subsystem, surgical-instrument, sterility, session-373, idempotency:sub-sis-ipa-disinfectant-373 |
| SUB-MAIN-112 | The Procedure Data Recorder SHALL be implemented as a rack-mounted 2U line-replaceable unit (LRU) housed within the Vision Cart, with RAID-1 mirrored storage of minimum 2TB, compliant with IP32 ingress protection to tolerate operating-room fluid splash, and a front-panel status LED visible from 3 metres. Rationale: The Procedure Data Recorder stores complete procedural data streams that may be used for post-operative review, regulatory audit, and litigation evidence. Physical embodiment as a 2U rack LRU enables field replacement without cart teardown. IP32 protects against OR fluid management. RAID-1 ensures no data loss on single-drive failure. | Inspection | subsystem, comms, pdr, physical, session-374, idempotency:sub-pdr-physical-embodiment-374 |
| SUB-MAIN-113 | The Procedure Data Recorder SHALL be a rack-mounted 2U line-replaceable unit in the Vision Cart with 2TB RAID-1 mirrored storage and IP32 ingress protection. Rationale: Defined as LRU for field replacement without Vision Cart teardown. IP32 protects against OR fluid splash. RAID-1 ensures no data loss on single-drive failure during procedure. | Inspection | rt-mechanical-trace, red-team-session-502 |
| SUB-MAIN-114 | The Power Management Subsystem SHALL be housed in a dedicated sealed electronics bay within the Patient-Side Cart, with the Main Power Distribution Unit and UPS Battery Module installed as field-replaceable assemblies, accessible via a locked service panel requiring IEC 62353 isolation verification before access. Rationale: Power management handles 240V AC mains and high-capacity battery systems. Physical enclosure in a sealed bay with locked access prevents inadvertent contact with live voltages in the sterile surgical environment. Field-replaceable assemblies reduce mean-time-to-repair and avoid full cart downtime. | Inspection | subsystem, power-management, physical, session-374, idempotency:sub-pms-physical-embodiment-374 |
| SUB-MAIN-115 | The Real-Time Compute Node SHALL be packaged as a single-board computing module conforming to VITA 57.1 FMC form factor, installed in a vibration-isolated slot within the Patient-Side Cart electronics bay, with conformal coating for condensation protection and operational temperature range of 0 to 50 degrees Celsius. Rationale: VITA 57.1 FMC standardises the physical interface and enables like-for-like replacement for RTCN variants without cart redesign. Conformal coating addresses OR humidity. The 0-50C range covers cold storage to a warm operating room, which is the real thermal envelope for medical cart electronics. | Inspection | subsystem, motion-control, physical, rtcn, session-374, idempotency:sub-rtcn-physical-embodiment-374 |
| SUB-MAIN-116 | The Motion Control System SHALL be implemented as a distributed electronics assembly across the Patient-Side Cart with the Real-Time Compute Node, Trajectory Generator, and Motion Scaling Module co-located in the same vibration-isolated electronics chassis to minimise inter-module latency, with individual modules accessible for replacement without full cart disassembly. Rationale: Co-location of the RTCN, Trajectory Generator, and Motion Scaling Module on a common backplane eliminates inter-chassis cabling latency, keeping the computation pipeline within the 1ms end-to-end cycle budget. Physical modularity enables field repair without returning the full cart to depot, reducing surgical suite downtime. | Inspection | subsystem, motion-control, physical, session-374, idempotency:sub-mcs-physical-embodiment-374 |
| SUB-MAIN-117 | The Power Management Subsystem SHALL comply with IEC 60601-1:2005+AMD1:2012 medical electrical equipment safety standard, with dielectric withstand testing at 4000V AC applied between primary circuit and patient-accessible parts, and leakage current not exceeding 500 microamperes under normal condition and 1000 microamperes under single-fault condition. Rationale: IEC 60601-1 is mandatory for medical electrical equipment in all major markets (EU MDR, FDA 510k). The 500/1000 microampere leakage limits are the Class I limits for non-cardiac-applied equipment. Dielectric withstand at 4kV AC demonstrates adequate insulation margin against mains voltage transients in hospital environments. | Test | subsystem, power-management, compliance, regulatory, session-374, idempotency:sub-pms-iec60601-compliance-374 |
| SUB-MAIN-118 | The Motion Scaling Module SHALL implement motion-to-command scaling in compliance with IEC 80601-2-77 (medical robot requirements), producing scaling factors adjustable from 1:1 to 10:1 in 0.5 increments, with scaling coefficient verified to be monotonically decreasing and configurable only during instrument change-out state, not during active manipulation. Rationale: IEC 80601-2-77 sets specific requirements for the motion path of surgical robots. Restricting scaling adjustment to instrument change-out state prevents mid-procedure parameter changes that could startle the surgeon. 10:1 maximum provides fine tremor filtering without eliminating proprioceptive workspace awareness. | Test | subsystem, motion-control, compliance, regulatory, session-374, idempotency:sub-msm-iec80601-compliance-374 |
| SUB-MAIN-119 | The Workspace Safety Enforcer SHALL comply with ISO 10218-1:2011 industrial robot safety requirements as adapted for medical use under IEC 80601-2-77, implementing a minimum of SIL 2 (IEC 62061) safety integrity level for all workspace boundary enforcement functions, with a probability of dangerous failure per hour (PFHd) not exceeding 1E-7. Rationale: The Workspace Safety Enforcer is the last software defence against robot arm collision with patient anatomy or OR equipment. ISO 10218-1 and IEC 80601-2-77 together mandate SIL 2 for safety functions in collaborative and surgical robotics. PFHd 1E-7 corresponds to a target risk reduction of 10 million operations per dangerous failure. | Analysis | subsystem, motion-control, workspace-safety, compliance, safety, session-374, idempotency:sub-wse-sil2-compliance-374 |
| SUB-MAIN-120 | The Real-Time Protocol Engine SHALL implement dual-path redundancy with a primary Ethernet deterministic path (IEEE 802.1Qbv TSN) and a secondary CAN FD backup path, automatically failing over to the backup path within 5ms of detecting primary path loss, with no motion command gap exceeding 20ms during failover transition. Rationale: The Real-Time Protocol Engine is classified System-Essential: its failure stops all motion. Single-path Ethernet has documented failure modes (cable damage, switch failure) unacceptable in a surgical environment. TSN primary provides deterministic 1ms jitter; CAN FD backup provides hardware-level reliability at reduced bandwidth. 5ms failover is within the 100ms motion safety envelope. | Test | subsystem, comms, real-time-protocol-engine, redundancy, session-374, idempotency:sub-rtpe-redundancy-374 |
| SUB-MAIN-121 | The Haptic Feedback Subsystem SHALL maintain force-feedback rendering to the surgeon master handles from a hot-standby Haptic Controller process that assumes command within 10ms of primary controller failure, with the standby process running on a physically separate processor sharing force sensor data via a dedicated inter-processor link. Rationale: Loss of haptic feedback during a surgical manoeuvre removes the surgeon's only sense of tissue resistance, increasing the risk of inadvertent tissue damage. The Haptic Feedback Subsystem is System-Essential. Hot standby on separate silicon prevents correlated failures from a single compute fault. 10ms switchover preserves the surgeon's control loop without perceptible discontinuity. | Test | subsystem, haptic, redundancy, session-374, idempotency:sub-hfs-redundancy-374 |
| SUB-MAIN-122 | The Stereoscopic Display System SHALL present the left and right stereo channels with inter-ocular distance adjustable from 58 to 72mm and vergence-accommodation conflict (VAC) below the 0.6 dioptre perceptual threshold, ensuring the surgeon's eyes converge at the same depth as the displayed surgical field. Rationale: Vergence-accommodation conflict causes visual fatigue and depth perception errors in stereoscopic systems. The 0.6 dioptre threshold is the published human factors limit before perceptual discomfort. Adjustable inter-ocular distance (58-72mm) covers the 5th-95th percentile of adult surgeons. Without this requirement, the display system risks long-duration visual fatigue in multi-hour procedures. | Test | subsystem, vision, eye, ergonomics, session-374, idempotency:sub-sds-eye-ergonomics-374 |
| SUB-MAIN-123 | The Motion Scaling Module SHALL implement master-to-slave motion scaling ratios from 1:1 to 10:1 in configurable steps, with the active ratio displayed continuously at the surgeon console, and any ratio change requiring explicit confirmation via foot-pedal hold during instrument change-out state only. Rationale: System requirement SYS-MAIN captures 1:1 to 10:1 master-to-slave scaling as a core surgical robot capability. This subsystem requirement operationalises the scaling ratio range, confirmation workflow, and display requirement needed to implement it safely. Confirmation workflow prevents accidental ratio change; continuous display prevents the surgeon operating with an unintended ratio. | Test | subsystem, motion-control, tremor, scaling, session-374, idempotency:sub-msm-scaling-workflow-374 |
| SUB-MAIN-124 | The Master Handle Actuator SHALL provide 6-DOF force reflection to the surgeon's master manipulator with a bandwidth of at least 30Hz and force dynamic range of 0.01N to 10N, with position sensing resolution finer than 0.1mm at the instrument tip-equivalent workspace position. Rationale: 30Hz bandwidth matches the human proprioceptive resolution limit, ensuring the surgeon perceives all force events at the instrument tip. 0.01N minimum force reflects delicate tissue contact; 10N maximum corresponds to maximum safe instrument force. 0.1mm tip-equivalent resolution prevents staircase artefacts when the surgeon palpates tissue margins. | Test | subsystem, haptic, master-manipulator, session-374, idempotency:sub-mha-master-manipulator-374 |
| SUB-MAIN-125 | The Surgeon Input Console outer surfaces and all non-sterile patient-side cart covers SHALL withstand repeated wiping with 70% isopropyl alcohol (IPA) solution, 2% glutaraldehyde, and quaternary ammonium compound wipes without surface degradation, delamination, or ingress into electronics over a service life of 10 years and 3000 cleaning cycles. Rationale: IPA 70%, glutaraldehyde 2%, and QAC wipes are the three most common OR surface disinfectants. Compatibility with all three is required because hospital purchasing decisions vary by institution. 3000 cycles corresponds to daily disinfection over a 10-year device lifetime. Surface failure risks chemical ingress causing electrical faults in a clinical environment. | Test | subsystem, surgeon-console, sterility, compliance, session-374, idempotency:sub-console-ipa-disinfection-374 |
| SUB-MAIN-126 | The Communication and Data Management System SHALL authenticate all inter-cart command messages using HMAC-SHA256 with a 256-bit session key negotiated at cart pair-up via ECDH-P384, rejecting any message with invalid authentication tag within one communication cycle (1ms), logging the rejection as a security event, and triggering SAFE_HOLD after 3 consecutive authentication failures. Rationale: Cryptographic authentication mitigates spoofed motion command injection, a credible attack vector in robotic surgery given the increasing connectivity of OR equipment. HMAC-SHA256 provides collision-resistant authentication within the 1ms cycle budget. ECDH-P384 key exchange avoids pre-shared keys that would be impractical to rotate. 3-failure threshold limits denial-of-service via message flooding while tolerating transient bit errors. | Test | subsystem, comms, cybersecurity, compliance, session-374, idempotency:sub-cdms-crypto-auth-374 |
| SUB-MAIN-127 | The Motion Control and Scaling Subsystem SHALL enforce a minimum inter-arm clearance of 15mm between any two patient-side arm segments by computing pairwise convex-hull distances at 100Hz and commanding the affected arms to halt and retract when predicted clearance falls below 25mm, completing the halt within 50ms of detection. Rationale: With three instrument arms operating simultaneously in a body cavity of approximately 150mm diameter, arm-to-arm collision is a credible failure mode not addressed by the existing workspace boundary enforcement which only constrains each arm against patient anatomy. A 15mm hard limit with a 25mm warning threshold at 100Hz gives 100ms reaction window at maximum arm velocity (250mm/s); the 50ms halt budget leaves margin for mechanical deceleration. Analogous requirement present in ISO 10218-1 Clause 5.11 for industrial robot systems operating in collaborative workspace. | Test | subsystem, motion-control, collision-avoidance, safety, validation, session-377 |
| SUB-MAIN-128 | The Surgeon Input Console SHALL implement a compliant alarm management system per IEC 60601-1-8:2006, assigning each alarm condition to one of three priority levels (HIGH, MEDIUM, LOW), providing distinct visual alarm signals (red flashing for HIGH, amber flashing for MEDIUM, amber steady for LOW) and distinct auditory alarm signals with signal patterns per IEC 60601-1-8 Annex F, and continuing to signal active alarms on internal battery power following loss of mains. Rationale: IEC 60601-1-8 alarm management is a mandatory collateral standard under IEC 60601-1 for medical devices that generate alarm conditions. A surgical robot generates multiple concurrent alarm conditions (communication fault, energy delivery fault, instrument fault, force limit, watchdog) that must be prioritised and clearly distinguished to prevent alarm fatigue causing surgeons to miss safety-critical alerts during a procedure. The internal battery continuation requirement prevents alarm masking during the UPS power-bridge period. | Inspection | subsystem, surgeon-console, alarm-management, regulatory, validation, session-377 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-MAIN-001 | The interface between the Joint Force Monitor and the Motion Control and Scaling Subsystem SHALL carry per-axis joint torque readings at 1kHz over a dedicated real-time bus with <200µs latency, using hardware checksums for data integrity. Rationale: 1kHz at <200µs is required for the Joint Force Monitor to execute its 50ms graduated brake response with sufficient measurement cycles (50 samples) to avoid false triggers. Hardware checksum prevents corrupted torque values from masking force limit exceedances. | Test | interface, sis, mcs, joint-force, session-341, idempotency:ifc-jfm-mcs-torque-001-341 |
| IFC-MAIN-002 | The interface between the Emergency Stop Chain and the Power Management Subsystem servo drive contactors SHALL be a hardwired 24V DC control loop; interruption of the loop SHALL cause contactor drop-out within 50ms by capacitor discharge drive. Rationale: Hardwired loop (not digital signal) ensures contactor drop-out survives software fault or bus failure. 50ms is achievable with the capacitor hold-in drive approach without an external power supply. | Test | interface, sis, pms, estop, hardware, session-341, idempotency:ifc-estop-pms-contactor-001-341 |
| IFC-MAIN-003 | The interface between the Communication Monitor and the inter-cart fibre link SHALL expose per-frame CRC pass/fail, round-trip latency in microseconds, and receive buffer occupancy at 1kHz to the Communication Monitor via a sideband status register, without interrupting the data path. Rationale: Sideband status register (not in-band signalling) prevents monitoring from interfering with the real-time control stream. 1kHz status updates are necessary to meet the 3-frame loss detection latency requirement in SUB-MAIN-002. | Test | interface, sis, communication, fibre, session-341, idempotency:ifc-comms-monitor-fibre-001-341 |
| IFC-MAIN-004 | The Safe State Manager SHALL broadcast the current system safety state (OPERATIONAL, DEGRADED, SAFE-HOLD) to all subsystems over a dedicated safety bus within 5ms of any state transition, using a publisher-subscriber protocol with guaranteed delivery. Rationale: 5ms broadcast latency ensures all subsystems receive the new state within the first 2% of the 250ms safe-state window, allowing coordinated response without race conditions between independently-responding subsystems. | Test | interface, sis, safe-state, broadcast, session-341, idempotency:ifc-ssm-broadcast-001-341 |
| IFC-MAIN-005 | The interface between the Surgeon Console and the Motion Scaling Module SHALL transmit Cartesian velocity commands for all 6 DOF at 1kHz using a UDP/multicast protocol over 1GbE fibre with maximum one-way latency of 3ms and packet loss tolerance of 0 (zero packet drop acceptable; retransmit on loss). Rationale: 1kHz command rate is the Nyquist minimum for 500Hz servo bandwidth; 3ms one-way latency is the network share of the 100ms system budget. Zero packet loss is mandatory: a dropped command packet causes a missed servo cycle and potential jerk at the instrument tip. | Test | interface, console-mc, session-340 |
| IFC-MAIN-006 | The interface between the Motion Control System and the Patient-Side Cart SHALL transmit 21 joint-angle setpoints (7 per arm x 3 arms) at 1kHz via CAN-FD at 5Mbps with maximum command-to-actuation latency of 2ms and shall include a CRC on every frame. Rationale: CAN-FD at 5Mbps provides sufficient bandwidth for 21 x 2-byte joint setpoints (42 bytes) at 1kHz = 336kbps, well within 5Mbps limit. 2ms latency includes transmission and joint servo processing. CRC mandated because a corrupted setpoint could command a joint to an incorrect position, creating patient risk. | Test | interface, mc-cart, session-340 |
| IFC-MAIN-007 | The interface between the Motion Control System and the Safety and Watchdog System SHALL provide a dedicated hardwired heartbeat signal at 200Hz; loss of heartbeat for more than 3 consecutive pulses (15ms) SHALL be interpreted by the Safety System as a Motion Control fault requiring immediate brake engagement. Rationale: Hardwired heartbeat is used (not software message) because a software crash could prevent sending a fault notification; hardware signal remains functional even when the compute node OS has hung. 15ms timeout gives 35ms margin within the 50ms emergency stop budget. | Test | interface, mc-safety, session-340 |
| IFC-MAIN-008 | The interface between the Vision and Imaging System and the Surgeon Console SHALL transmit two independent uncompressed 1080p/60Hz video streams over 10GbE, synchronised within 1ms between left and right channels, with end-to-end latency below 50ms. Rationale: Left-right synchronisation within 1ms is required to prevent vergence-accommodation conflict in the stereoscopic display; mismatches above 5ms cause eye strain and nausea in surgeons. 50ms end-to-end is the video share of the total latency budget. | Test | interface, vision-console, session-340 |
| IFC-MAIN-009 | The interface between the Surgical Instrument System and the Motion Control System SHALL transmit instrument type identifier, usage count, and 3-axis tip force measurements at 500Hz via CAN-FD; instrument type SHALL be validated within 500ms of instrument insertion before motion commands are accepted. Rationale: Instrument type is required by the Kinematics Engine to load correct DH parameters and mass properties; wrong kinematics model creates joint-space errors. Force measurements at 500Hz provide the Motion Control pipeline with tissue-contact data for the Workspace Safety Enforcer force limits. | Test | interface, instrument-mc, session-340 |
| IFC-MAIN-010 | The interface between the Stereo Endoscope and the Camera Control Unit SHALL carry two independent HD-SDI video channels at 1.485 Gbps each, transmitting raw Bayer-pattern sensor data at 1920x1080 resolution and 60 frames per second, with BER not exceeding 1e-12. Rationale: Dual independent HD-SDI channels ensure single-channel failure does not affect the other (graceful degradation to 2D). Raw Bayer-pattern data is required because demosaicing and colour correction must be performed in the CCU where calibration data is stored. BER of 1e-12 prevents visible artifacts in the surgical image that could be mistaken for tissue features. | Test | interface, vision, session-341, idempotency:ifc-endoscope-ccu-341 |
| IFC-MAIN-011 | The interface between the Camera Control Unit and the Image Processing Pipeline SHALL transmit two synchronised 3G-SDI video streams at 2.97 Gbps each, carrying colour-corrected 1080p60 10-bit 4:2:2 video with inter-channel temporal skew not exceeding 100 microseconds. Rationale: 3G-SDI at 2.97 Gbps provides sufficient bandwidth for 10-bit 4:2:2 colour depth which preserves tissue colour fidelity for narrow-band imaging modes. The 100us inter-channel skew budget at this interface is tighter than the 500us end-to-end stereo sync requirement because downstream processing adds additional jitter. | Test | interface, vision, session-341, idempotency:ifc-ccu-ipp-341 |
| IFC-MAIN-012 | The interface between the Camera Control Unit and the Surgical Illumination Source SHALL transmit exposure metering data at 60Hz via RS-422 serial link at 115200 baud, with command-to-intensity-change latency not exceeding 16ms (one frame period). Rationale: Closed-loop illumination control requires exposure feedback at frame rate to prevent tissue overheating during endoscope repositioning (tissue reflectance changes abruptly as the tip moves between organs). RS-422 provides differential signalling for noise immunity in the OR electromagnetic environment. 16ms response ensures intensity tracks scene changes within one frame. | Test | interface, vision, session-341, idempotency:ifc-ccu-illumination-341 |
| IFC-MAIN-013 | The interface between the Image Processing Pipeline and the Stereoscopic Display System SHALL transmit two independent DisplayPort 1.2 video streams at 3840x2160 resolution and 60Hz with 10-bit colour depth, with maximum end-to-end latency from IPP output to photon emission not exceeding 8ms. Rationale: 4K resolution per eye at 10-bit depth provides tissue colour fidelity required for narrow-band imaging differential diagnosis. The 8ms photon emission budget includes display controller processing and LCD response time. This budget is derived from the total 50ms hand-to-eye latency budget minus upstream processing and motion control allocations. | Test | interface, vision, session-341, idempotency:ifc-ipp-display-341 |
| IFC-MAIN-014 | The interface between the Image Processing Pipeline and the Procedure Video Recorder SHALL provide a composited 2D 1080p60 video stream via 3G-SDI at 2.97 Gbps, with embedded audio channels for OR ambient audio capture, and a parallel Ethernet link carrying timestamped system event metadata at 1kHz. Rationale: Composited 2D output combines left/right channels with overlay annotations for a single-stream recording suitable for review and teaching. Embedded audio captures surgeon voice notes. The parallel metadata link at 1kHz enables frame-accurate correlation between video and kinematic data per SYS-MAIN-015, which is critical for post-operative complication analysis. | Test | interface, vision, session-341, idempotency:ifc-ipp-recorder-341 |
| IFC-MAIN-015 | The interface between the Force Sensing Module and the Force Signal Conditioner SHALL carry six-axis strain gauge bridge differential signals with a common-mode rejection ratio of at least 80dB, connecting via a 12-conductor shielded cable with maximum length of 0.5m. Rationale: Strain gauge bridge output is a low-level differential signal (typically 1-10mV full scale). 80dB CMRR is required to reject the >10V common-mode noise present in the OR environment from surgical energy generators and motor drive switching. Cable length limit prevents impedance mismatch that degrades CMRR at high frequencies. | Test | rt-vague-interface, red-team-session-502 |
| IFC-MAIN-016 | The interface between the Force Signal Conditioner and the Haptic Controller SHALL transmit six-axis 16-bit digitised force samples at 1kHz via an isolated SPI bus operating at 10MHz, with a maximum bus propagation latency of 100us. Rationale: 16-bit resolution at 10MHz SPI provides sufficient bandwidth for six channels at 1kHz with headroom for protocol overhead. 100us propagation latency budget ensures the full haptic loop (sense-transmit-compute-actuate) stays within the 2ms latency requirement allocated in SUB-MAIN-023. | Test | interface, haptic, digital, session-342, idempotency:ifc-fsc-hc-342 |
| IFC-MAIN-017 | The interface between the Haptic Controller and the Master Handle Actuator motor driver SHALL transmit per-joint torque setpoints at 1kHz via CAN FD at 5Mbit/s, with hardware-enforced torque limiting such that no frame can command a torque greater than 1.2Nm on any joint. Rationale: CAN FD at 5Mbit/s provides sufficient bandwidth for 7-DOF torque commands at 1kHz with message latency under 100us. Hardware torque limiting on the motor driver provides a second layer of force protection independent of the Haptic Controller software, meeting the safety-in-depth requirement for the 1N feedback limit. | Test | interface, haptic, actuator, session-342, idempotency:ifc-hc-mha-342 |
| IFC-MAIN-018 | The interface between the Real-Time Protocol Engine and the Inter-Cart Fibre Link SHALL operate at 10Gbit/s with a maximum per-frame latency of 200us for kinematic command frames, and SHALL support a minimum of 8 logical channels multiplexed onto one physical fibre wavelength. Rationale: 10Gbit/s capacity accommodates 21-joint kinematics (21x64-byte frames at 1kHz = 10.7Mbit/s), two 4K60 video streams (~4Gbit/s combined), and headroom for safety and logging traffic. 200us per-frame latency contributes less than 20% of the 1ms communications budget allocated in SUB-MAIN-027. | Test | interface, comms, fibre, session-342, idempotency:ifc-rpe-fibre-342 |
| IFC-MAIN-019 | The interface between the Network Management Controller and the Safety and Interlock Subsystem SHALL provide a unidirectional status register update at 100Hz, reporting optical power level (dBm), frame loss rate (frames/s), and active link identity (primary or standby), readable by the Communication Monitor component. Rationale: 100Hz polling rate ensures the Communication Monitor (operating at 1kHz internal rate) has a link health update no older than 10ms, consistent with the 5ms fault detection target in SUB-MAIN-028. Unidirectional (read-only) access from Safety subsystem preserves safety isolation — the SIS can observe but not command the network. | Test | interface, comms, safety, session-342, idempotency:ifc-nmc-sis-342 |
| IFC-MAIN-020 | The interface between the Instrument Recognition Module and the Tool Tip Articulation Controller SHALL transfer instrument kinematic model parameters (cable routing geometry, pulley ratios, coupling compliance coefficients, and Bouc-Wen hysteresis model parameters) as a structured data packet of no more than 2KB via the internal CAN-FD bus within 50ms of instrument identity validation. Rationale: The Tool Tip Articulation Controller requires instrument-specific kinematic parameters to compute accurate cable displacement commands. The 2KB limit is derived from the maximum parameter set size for a 6-DoF instrument with per-cable hysteresis model (24 floats per cable x 6 cables + metadata). The 50ms transfer time is a sub-budget of the 200ms total recognition time in SUB-MAIN-032. | Test | surgical-instrument-system, interface, session-346 |
| IFC-MAIN-021 | The interface between the Cable Tensioning System and the Safety and Interlock Subsystem SHALL transmit cable tension anomaly alerts as a priority CAN-FD frame containing affected arm ID, cable channel, measured tension, nominal tension, and timestamp, with a maximum end-to-end latency of 2ms from anomaly detection to Safety and Interlock Subsystem receipt. Rationale: The Safety and Interlock Subsystem must receive cable anomaly data fast enough to enforce the 50ms arm shutdown in SUB-MAIN-038. The 2ms interface latency consumes only 4% of the total budget, leaving adequate margin for safety processing and actuator command. Priority CAN-FD framing ensures the alert is not delayed by regular control traffic. | Test | surgical-instrument-system, interface, safety, session-346 |
| IFC-MAIN-022 | The interface between the Tool Tip Articulation Controller and the Instrument Drive Unit SHALL deliver cable displacement commands for all four instrument DoF as a single CAN-FD frame at 1kHz, with each command expressed as a 16-bit signed integer representing micrometers of cable displacement, achieving command-to-actuation latency of no more than 200 microseconds. Rationale: The 1kHz update rate matches the motion control servo loop. 16-bit signed integer resolution provides +/-32mm range at 1um precision, sufficient for the cable displacement range of +/-20mm. The 200us command-to-actuation latency is the Instrument Drive Units share of the 1ms servo cycle, after the Tool Tip Articulation Controllers 500us computation budget. | Test | surgical-instrument-system, interface, session-346 |
| IFC-MAIN-023 | The interface between the Instrument Lifecycle Controller and the Safe State Manager SHALL transmit instrument lockout commands as a CAN-FD frame containing arm ID and lockout reason code, with the Safe State Manager acknowledging receipt within 5ms and inhibiting arm enable until a valid instrument is coupled. Rationale: The Safe State Manager is the single authority for arm enable per the safety architecture (ARC-MAIN-001). Instrument lockout must route through the safety chain rather than being enforced locally by the Instrument Lifecycle Controller, because bypassing the safety processor would violate the SIL 3 architecture. The 5ms acknowledgement ensures the lockout is enforced before the surgeon can begin using the arm. | Demonstration | surgical-instrument-system, interface, safety, session-346 |
| IFC-MAIN-024 | The interface between the Tremor Rejection Filter and the Motion Scaling Module SHALL carry filtered 6-DOF Cartesian velocity vectors (3 translational, 3 rotational) at 1kHz as 64-bit IEEE 754 floating-point values over shared memory, with worst-case read latency below 5 microseconds and a sequence counter for stale-data detection. Rationale: Shared memory is mandated by the sub-millisecond pipeline budget — IPC mechanisms such as sockets or message queues would introduce unacceptable jitter. The 64-bit float format preserves the 15-digit precision needed for sub-100μm tip positioning. The sequence counter enables the Motion Scaling Module to detect and reject stale frames, which is the primary defence against pipeline stall propagation. | Test | interface, motion-control, session-348, idempotency:ifc-trf-msm-velocity-348 |
| IFC-MAIN-025 | The interface between the Motion Scaling Module and the Trajectory Generator SHALL transmit scaled 6-DOF Cartesian velocity commands at 1kHz via shared memory, including the active scaling ratio as a metadata field, with data validity indicated by a monotonically incrementing timestamp synchronized to the Real-Time Compute Node system clock. Rationale: Including the active scaling ratio as metadata enables the Trajectory Generator to adjust acceleration limits proportionally — at 10:1 scaling, the same surgeon hand velocity produces 10× lower instrument velocity, allowing tighter acceleration bounds. The synchronized timestamp is essential for the Trajectory Generator to compute correct velocity integration and detect timing faults. | Test | interface, motion-control, session-348, idempotency:ifc-msm-tg-scaled-velocity-348 |
| IFC-MAIN-026 | The interface between the Trajectory Generator and the Kinematics Engine SHALL deliver interpolated Cartesian pose setpoints (position as 3-element vector in mm, orientation as unit quaternion) at 1kHz via a lock-free SPSC ring buffer, with buffer depth of at least 4 frames to tolerate scheduling jitter up to 3ms without data loss. Rationale: A lock-free single-producer/single-consumer ring buffer eliminates mutex contention in the real-time pipeline. The 4-frame buffer depth provides 3ms of jitter tolerance, which exceeds the measured worst-case PREEMPT_RT scheduling jitter of 1.5ms on the target compute platform. Quaternion representation avoids gimbal lock that would occur with Euler angles during wrist-over manoeuvres common in surgical procedures. | Test | interface, motion-control, session-348, idempotency:ifc-tg-ke-cartesian-pose-348 |
| IFC-MAIN-027 | The interface between the Kinematics Engine and the Joint Servo Controller SHALL transmit per-joint angle setpoints for all 7 DOF of each instrument arm at 1kHz over the EtherCAT fieldbus, with each frame containing position (32-bit), velocity feedforward (32-bit), and torque feedforward (32-bit) per joint, and end-to-end frame delivery latency below 250 microseconds. Rationale: EtherCAT provides deterministic sub-microsecond synchronization across all servo drives, which is mandatory for coordinated multi-joint motion. The 250μs delivery budget consumes one quarter of the 1ms control cycle, leaving 750μs for servo computation and actuation. Velocity and torque feedforward terms are essential for high-bandwidth tracking — position-only control produces unacceptable following error during fast surgical manoeuvres. | Test | interface, motion-control, session-348, idempotency:ifc-ke-jsc-joint-setpoints-348 |
| IFC-MAIN-028 | The interface between the Workspace Safety Enforcer and the Kinematics Engine SHALL provide a real-time workspace boundary constraint set updated at 100Hz, specifying the active Cartesian workspace limits as a convex polytope (up to 24 half-plane constraints) and per-joint angle limits, transmitted via shared memory with atomic compare-and-swap to prevent partial reads. Rationale: The workspace boundary is dynamically reconfigured during surgery (e.g., when the operating table repositions or when the surgeon redefines the working volume). 100Hz update rate ensures the Kinematics Engine operates within constraints that lag the actual boundary by at most 10ms. Convex polytope representation enables efficient real-time collision checking via linear programming, which the Kinematics Engine can evaluate within its 2ms computation window. Atomic CAS prevents the Kinematics Engine from reading a partially-updated polytope, which could create a non-convex feasible region and allow unsafe motion. | Test | interface, motion-control, session-348, idempotency:ifc-wse-ke-boundary-348 |
| IFC-MAIN-029 | The interface between the Auxiliary Power Supply and the Emergency Stop Chain SHALL maintain contactor coil energisation voltage within 22–26V DC continuously, including during mains loss events, with no interruption exceeding 10ms. Rationale: The Emergency Stop Chain contactors must remain closed during normal operation. A voltage interruption exceeding 10ms will cause contactor dropout and trigger an uncontrolled E-stop during surgery. The 10ms limit matches the contactor dropout time specification in IEC 60204-1 Category 3 systems. | Test | rt-missing-failure-mode, red-team-session-502 |
| IFC-MAIN-030 | The interface between Energy Delivery Controller and Electrosurgical Generator SHALL use a dedicated isolated CAN bus at 1Mbit/s, transmitting power setpoint, modality selection, and enable/disable commands from controller to generator at 100Hz, with generator acknowledging each command within 5ms. Rationale: CAN bus provides deterministic messaging with hardware-level error detection and isolation capability. 1Mbit/s supports 100Hz command rate with headroom for status return frames. 5ms acknowledgement timeout allows the controller to detect generator fault within one command cycle and trigger safety shutdown. Isolation prevents RF noise from the generator corrupting control traffic. | Test | interface, energy-delivery, session-352, idempotency:ifc-edc-esg-can-352 |
| IFC-MAIN-031 | The interface between Energy Delivery Controller and Ultrasonic Energy Module SHALL use a dedicated isolated RS-485 link at 115200 baud, carrying power level commands and blade temperature telemetry, with the module transmitting blade temperature to the controller at minimum 50Hz. Rationale: RS-485 is appropriate for point-to-point ultrasonic generator control at the required data rate. 50Hz blade temperature telemetry gives the controller 20ms resolution for the 100°C inhibit threshold response — adequate given the thermal time constant of the blade (estimated 200-500ms for 1°C change at full power). | Test | interface, energy-delivery, session-352, idempotency:ifc-edc-uem-rs485-352 |
| IFC-MAIN-032 | The interface between Return Electrode Monitor and Electrosurgical Generator SHALL include a hardwired safety interlock line that the Return Electrode Monitor holds in a de-energised (fail-safe) state; the Electrosurgical Generator SHALL not enable monopolar output unless this line is actively energised by a Return Electrode Monitor that has confirmed pad impedance below 135 ohms. Rationale: Hardwired fail-safe interlock (de-energise-to-inhibit) ensures monopolar energy is prohibited by hardware in the event of REM failure, communication loss, or power loss — no software path can override it. This is a common safety architecture in electrosurgical units per IEC 60601-2-2 and IEC 61508 SIL 2 guidance for patient-contact safety functions. | Test | interface, energy-delivery, safety, session-352, idempotency:ifc-rem-esg-interlock-352 |
| IFC-MAIN-033 | The interface between Tissue Effect Monitor and Electrosurgical Generator SHALL provide the monitor with access to real-time RF output voltage and current waveform samples at minimum 200kHz sampling rate, enabling impedance calculation at 1kHz; the monitor SHALL write shutoff commands to the generator via the CAN interface within 200ms of detecting seal endpoint. Rationale: 200kHz sampling of RF waveforms (at 300kHz-3MHz carrier) requires adequate Nyquist headroom for the envelope extraction used in impedance calculation. 1kHz impedance update rate is the minimum for the 400ms detection window. 200ms shutoff command latency ensures the system meets the vessel seal endpoint response requirement (SUB-MAIN-052) with margin. | Test | interface, energy-delivery, session-352, idempotency:ifc-tem-esg-impedance-352 |
| IFC-MAIN-034 | The interface between Energy Delivery Controller and Safety and Interlock Subsystem SHALL use the system safety bus to receive system state broadcast at 100Hz; the Energy Delivery Controller SHALL inhibit all energy delivery within 20ms of receiving a SAFE_STATE or E-STOP signal on this bus. Rationale: Energy delivery must respond to system-level emergency stop faster than the 50ms deactivation requirement (SUB-MAIN-048). 20ms allows the EDC to process the safety signal and command generator deactivation with 30ms margin for the generator hardware response. Bus-based integration avoids a dedicated hardwire for every energy modality, but the safety bus itself is hardware-isolated and deterministic. | Test | interface, energy-delivery, safety, session-352, idempotency:ifc-edc-safety-bus-352 |
| IFC-MAIN-035 | The interface between the Foot Pedal Array and the Energy Delivery Controller SHALL transmit energy modality (RF monopolar, RF bipolar, ultrasonic) and activation state (active/inactive) over a dedicated isolated CAN bus at 1Mbit/s, with a maximum message latency of 10ms. Rationale: Energy activation commands are safety-critical: a delayed or missed deactivation command could deliver unintended energy to tissue. 10ms message latency budget is compatible with the 50ms end-to-end pedal latency requirement (SUB-MAIN-055) after accounting for pedal debounce (10ms) and controller processing (5ms). | Test | interface, surgeon-console, energy-delivery, session-353, idempotency:ifc-pedal-edc-can-353 |
| IFC-MAIN-036 | The interface between the Foot Pedal Array and the Motion Control and Scaling Subsystem SHALL transmit instrument clutch state (engaged/disengaged) and camera control commands over the console CAN bus within 10ms, using message priority higher than configuration traffic but lower than safety bus messages. Rationale: Clutch engage/disengage decouples master arm motion from instrument motion, allowing the surgeon to reposition hands. A 10ms latency ensures sub-50ms end-to-end response (SUB-MAIN-055). Priority scheme prevents clutch messages from being starved by high-bandwidth configuration traffic. | Test | interface, surgeon-console, motion-control, session-353, idempotency:ifc-pedal-mcs-clutch-353 |
| IFC-MAIN-037 | The interface between the Console Computer and the Real-Time Protocol Engine SHALL exchange session management messages (case start, case end, configuration sync, surgeon identity) over gigabit Ethernet using a defined session protocol, with message delivery confirmation within 100ms. Rationale: Session management messages configure the patient-side cart with the correct instrument parameters, scaling, and surgeon profile before motion is enabled. The 100ms confirmation window allows the Console Computer to detect a failed session start and display an error before the surgical team proceeds. | Test | interface, surgeon-console, comms, session-353, idempotency:ifc-cc-rtpe-session-353 |
| IFC-MAIN-038 | The interface between the Voice Command Module and the Console Computer SHALL deliver recognised command identifiers (from a defined vocabulary enumeration) with a confidence score and timestamp over USB 3.0, and SHALL NOT transmit raw audio data outside the module to protect patient privacy. Rationale: Privacy constraint: raw audio captured in the OR may contain patient-identifiable information and must not be stored or transmitted beyond the recognition module. The command ID plus confidence score gives the Console Computer sufficient information to confirm or reject the command without retaining audio. | Test | interface, surgeon-console, voice, privacy, session-353, idempotency:ifc-vcm-cc-commands-353 |
| IFC-MAIN-039 | The interface between the Surgeon Interface Panel and the Console Computer SHALL carry master arm pose data at 1kHz in the upstream direction and haptic force commands at 1kHz in the downstream direction over a dedicated real-time EtherCAT bus, with end-to-end latency no greater than 1ms in each direction. Rationale: The haptic control loop is closed across this interface; a bidirectional 1kHz rate and 1ms one-way latency are the minimum specification consistent with transparent teleoperation as defined in SYS-MAIN-001 (<1ms end-to-end motion scaling). EtherCAT is selected over CAN or EtherNet/IP because it provides deterministic cycle times below 100us supporting the 1kHz control rate with headroom for jitter tolerance. | Test | interface, surgeon-console, haptic, session-356, idempotency:ifc-sip-cc-ethercat-356 |
| IFC-MAIN-040 | The interface between the Console Computer and the Inter-Cart Fibre Link SHALL carry a continuous 6-DOF Cartesian velocity command stream encoded as 48-byte little-endian frames at 1kHz, with a per-frame sequence number and 16-bit CRC-CCITT checksum. Rationale: The Console Computer is the upstream source of surgeon hand motion data. Explicit frame numbering at the interface allows the Real-Time Protocol Engine at the patient end to detect dropped frames immediately rather than processing stale data. CRC-CCITT provides the standard error detection for deterministic serial links, and is already used in the EtherCAT frame format for consistency. | Test | interface, motion-control, infrastructure, inter-cart-fibre, session-357, idempotency:ifc-cc-icfl-command-357 |
| IFC-MAIN-041 | The interface between the Inter-Cart Fibre Link and the Real-Time Protocol Engine SHALL deliver decoded 6-DOF velocity frames with a worst-case inter-frame delivery jitter of no more than 5 microseconds, providing the sequence number and CRC validity flag alongside each frame. Rationale: The Real-Time Protocol Engine's TDM scheduler has a 1-microsecond jitter budget (SUB-MAIN-071). Optical transceiver deserialization and clock recovery introduce additional timing uncertainty; 5 microseconds is the worst-case SERDES CDR lock window for the selected 10GBase-SR transceiver at 10m. Validity flags allow the RTPE to apply the fault-halt policy (SUB-MAIN-072) without a separate CRC computation on the RT task. | Test | interface, motion-control, infrastructure, inter-cart-fibre, real-time-protocol-engine, session-357, idempotency:ifc-icfl-rtpe-frames-357 |
| IFC-MAIN-042 | The interface between the Network Management Controller and each Joint Servo Controller SHALL use EtherCAT with a bus cycle of 1ms, delivering a 16-byte process data object containing target joint angle (float32), feed-forward torque (float32), control mode (uint8), and node fault mask (uint8) per servo node per cycle. Rationale: 1ms EtherCAT cycle matches the 1kHz kinematic pipeline rate end-to-end. The feed-forward torque field enables velocity-mode operation to complement the position PID in Joint Servo Controller, reducing steady-state tracking error at high speed. The fault mask byte allows per-node disablement without a separate out-of-band channel, consistent with IEC 61800-3 functional safety profile requirements for SIL 2 motion systems. | Test | interface, motion-control, infrastructure, network-management, joint-servo, session-357, idempotency:ifc-nmc-jsc-ethercat-357 |
| IFC-MAIN-043 | The interface between the Real-Time Compute Node and the Procedure Data Recorder SHALL transfer kinematic sample frames via PCIe DMA at 1kHz, where each frame contains a 64-bit UTC timestamp, 7-element float32 joint angle array, 7-element float32 joint torque array, and 6-element float32 Cartesian velocity array for each active arm, with a DMA transfer latency not exceeding 10 microseconds per frame. Rationale: PCIe DMA is the only interconnect capable of sustaining continuous 1kHz structured data transfer from a PREEMPT_RT kernel with sub-100-microsecond latency without consuming CPU cycles on a memory-copy path. A 10-microsecond DMA ceiling leaves the real-time CPU interrupt budget intact (SUB-MAIN-011 specifies 50-microsecond ISR worst case). The timestamp must be captured in hardware at the RTPE frame boundary, not in software, to avoid jitter from OS scheduling. | Test | interface, motion-control, infrastructure, procedure-data-recorder, session-357, idempotency:ifc-rtcn-pdr-dma-357 |
| IFC-MAIN-044 | The interface between the Main Power Distribution Unit and the Power Sequencing Controller SHALL use a galvanically isolated CAN FD bus operating at 1 Mbit/s, transmitting branch current, voltage, and fault status at 10 Hz with a maximum latency of 5 ms. Rationale: CAN FD at 1 Mbit/s provides sufficient bandwidth for 12-branch telemetry frames at 10 Hz while meeting automotive EMC standards tested for hospital OR environments. Galvanic isolation prevents ground loop noise from the high-current main bus from corrupting the low-voltage control bus, a known failure mode in earlier surgical robot power architectures. | Test | interface, power-management, can-bus, session-361, idempotency:ifc-pdu-psc-can-361 |
| IFC-MAIN-045 | The interface between the UPS Battery Module and the Main Power Distribution Unit SHALL provide a 48 VDC bulk link with a maximum impedance of 50 mOhm at the PDU input terminals, supporting peak discharge currents of up to 200 A for a maximum of 500 ms during startup inrush, and sustain 20 A continuous during surgical operation. Rationale: The 48 VDC bus voltage is the minimum that allows the DC-DC converters within the PDU to maintain regulated outputs during rapid transient loads from arm actuator energisation (up to 180 A peak measured at worst-case six-axis simultaneous joint engagement). The 50 mOhm impedance limit ensures less than 1 V bus droop during 20 A continuous load, preventing brownout resets in the downstream servo controllers. | Test | interface, power-management, ups, power-bus, session-361, idempotency:ifc-ups-pdu-dc-link-361 |
| IFC-MAIN-046 | The interface between the Power Sequencing Controller and the Auxiliary Power Supply SHALL use an isolated discrete signal to command charge/standby/discharge modes, with mode transitions acknowledged within 50 ms via a return status signal. Rationale: Discrete hardware signalling is used rather than bus-based control to ensure the Auxiliary Power Supply can receive commands even when the CAN bus has faulted, maintaining safety circuit availability in the worst-case scenario of bus communication failure during a power event. | Test | interface, power-management, auxiliary-power, session-361, idempotency:ifc-psc-auxpsu-control-361 |
| IFC-MAIN-047 | The interface between the Network Management Controller and the Safety and Interlock Subsystem SHALL transmit COMM_FAULT notifications within 2ms of link failure detection, using a dedicated LVDS hardwired signal independent of the fibre link under test. Rationale: LVDS hardwired signal ensures the fault notification channel is not dependent on the fibre link it monitors — the fibre link cannot report its own failure. 2ms budget matches the Real-Time Protocol Engine fault reporting window and keeps total fault propagation under 5ms required by SUB-MAIN-028. | Test | interface, comms, network-management, safety, session-369, idempotency:ifc-nmc-sis-fault-notify-369 |
| IFC-MAIN-048 | The interface between the Real-Time Protocol Engine and the Procedure Data Recorder SHALL deliver a time-stamped stream of decoded kinematic frames at 1kHz using shared memory DMA transfer with less than 100us delivery latency, without interrupting the Real-Time Protocol Engine deterministic cycle. Rationale: Shared memory DMA avoids adding any kernel scheduling latency to the RTPE deterministic cycle. 100us delivery budget allows the Procedure Data Recorder to buffer a full cycle before the next frame arrives. This decouples recording latency from the hard real-time control loop. | Test | interface, comms, real-time-protocol-engine, procedure-data-recorder, session-369, idempotency:ifc-rtpe-pdr-dma-369 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-MAIN-001 | ARC: Safety and Interlock Subsystem — dedicated safety processor with hardware watchdog authority. The SIS runs on a processor physically separated from motion control compute with independent power and CAN-bus brake authority. Alternatives considered: software safety monitor on shared CPU (rejected — common-cause fault kills both monitor and controlled system, violates SIL 3 HFT=1 requirement); safety PLC (rejected — latency budget incompatible with 1kHz control loop). Chosen architecture satisfies IEC 61508 SIL 3 Hardware Fault Tolerance = 1 with <1% common-cause exposure. Rationale: Architectural decision: Safety-Integrity Level 3 requires hardware fault tolerance that physically separate execution cannot provide on shared compute. This decision constrains all downstream SIS design. | Inspection | informational |
| ARC-MAIN-002 | ARC: Motion Control System — Cartesian-space pipeline with independent tremor filter and scaling stages. Cartesian-space scaling chosen over joint-space to preserve instrument orientation during scaled motion; joint-space scaling produces unexpected end-effector trajectories under redundancy resolution. Tremor filter precedes scaling to avoid amplifying filtered residuals. Six-component pipeline (Filter → Scale → IK → Safety → Servo) chosen for independent testability of each function, enabling SIL 3 V&V decomposition. Redundant compute node mandated by single-point-of-failure analysis: a compute failure in motion control must degrade to safe-stop, not uncontrolled motion. Rationale: Design rationale for the most safety-critical subsystem: captures key architectural choices that constrain all downstream component specifications and must be preserved across future refactors. | Inspection | informational |
| ARC-MAIN-003 | ARC: Vision and Imaging System — FPGA-based deterministic image processing pipeline with separated optical acquisition and display stages. The CCU performs per-channel sensor correction (white balance, gamma, chromatic aberration) before the FPGA pipeline adds enhancement and overlay compositing. FPGA was chosen over GPU because IEC 62304 Class C certification requires deterministic worst-case latency guarantees that GPU scheduling cannot provide. The stereo endoscope uses paired CMOS sensors with fixed 6mm baseline rather than a beam-splitter design because paired sensors allow independent channel failure (graceful degradation to 2D) and simpler sterilisation of the rigid optical assembly. Illumination uses closed-loop intensity feedback from the CCU to prevent tissue thermal damage, rather than fixed-intensity operation, because tissue reflectance varies 4x between organ types. Rationale: Architecture driven by three constraints: IEC 62304 Class C certification demands deterministic processing latency; graceful degradation from stereo to mono requires independent channel paths; IEC 60601-2-18 tissue temperature limits require closed-loop illumination control. | Analysis | informational |
| ARC-MAIN-004 | ARC: Haptic Feedback Subsystem — Galvanic isolation at Force Signal Conditioner boundary. The Force Signal Conditioner introduces a 4kVrms isolation barrier rather than isolating at the instrument tip. This choice keeps the patient-contact chain entirely analog (passive strain gauge) while confining the isolation requirement to a single, testable PCB boundary. Alternative (digital sensor in handle) was rejected due to sterilisation constraints on active electronics in the wristed instrument channel. Rationale: Architecture decisions are narrative records of design trade-offs; the rationale is embedded in the requirement text. The isolation placement choice (at FSC boundary rather than instrument tip) is driven by sterilisation constraints and regulatory compliance with IEC 60601-1 patient leakage current limits. | Inspection | informational |
| ARC-MAIN-005 | ARC: Communication and Data Management System — FPGA-based real-time protocol rather than OS-scheduled networking. A custom FPGA protocol engine rather than a Linux kernel TCP/IP stack is used for kinematic command framing because TCP cannot guarantee sub-millisecond per-frame latency under video traffic coexistence. The FPGA provides hardware-guaranteed timing isolation between priority channels, eliminating head-of-line blocking. A proprietary TDM protocol over 10GbE is preferred over TSN (802.1Qbv) because TSN requires switches to participate in time synchronisation, adding network device dependencies outside the system boundary. Rationale: Architecture decisions are narrative records of design trade-offs; the rationale is embedded in the requirement text. FPGA-based TDM over 10GbE was chosen over Linux TCP/IP and IEEE 802.1Qbv TSN to avoid OS scheduling jitter and external network device dependencies in the deterministic control path. | Inspection | informational |
| ARC-MAIN-006 | ARC: Surgical Instrument System uses cable-driven actuation with remote motors in the Instrument Drive Unit rather than direct-drive or gear-driven end-effector actuation. Alternatives considered: direct-drive motors at instrument tip (rejected: tip diameter constraint of 8mm precludes motors with sufficient torque; sterilization incompatible with embedded electronics); gear-driven actuation through instrument shaft (rejected: gear backlash exceeds 0.1mm accuracy requirement; maintenance burden of gear wear in disposable instruments is cost-prohibitive). Cable-driven approach enables all motors to reside in the non-sterile Instrument Drive Unit, separated from the sterile instrument by the Sterile Adapter. The Bouc-Wen hysteresis compensation in the Tool Tip Articulation Controller addresses the primary disadvantage of cable drive — nonlinear cable friction. Rationale: The cable-driven architecture is the only approach that simultaneously satisfies the 8mm instrument diameter constraint, the 0.1mm tip accuracy requirement, the sterile barrier architecture, and the disposable instrument cost target. This decision constrains all downstream instrument mechanical and control design. | Inspection | informational |
| ARC-MAIN-007 | ARC: Motion Control System — Dedicated Trajectory Generator between Motion Scaling and Kinematics Engine. The pipeline was extended to include an explicit trajectory generation stage that performs S-curve velocity profiling and acceleration limiting. This was chosen over embedding trajectory generation within the Kinematics Engine because: (1) separation of Cartesian-space trajectory planning from joint-space kinematics enables independent testing and tuning of motion smoothness constraints, (2) the Trajectory Generator can enforce tissue-safe acceleration limits before the kinematic solution, preventing the Kinematics Engine from ever receiving a demand that would produce unsafe tip forces, (3) the lock-free SPSC ring buffer interface provides timing isolation — a transient overrun in trajectory computation does not stall the kinematics cycle. Rationale: Separating trajectory generation from inverse kinematics enables independent testing of motion smoothness and prevents unsafe demands reaching the Kinematics Engine. SPSC ring buffer provides timing isolation between stages. | Inspection | architecture, motion-control, session-348 |
| ARC-MAIN-008 | ARC: Power Management Subsystem — Dedicated auxiliary 24V supply for safety circuits, electrically isolated from main bus. Considered single-supply architecture with software-controlled priority; rejected because any main bus controller firmware fault could de-energise safety contactors. Hardware isolation ensures safety supervision remains active regardless of software state. Rationale: Hardware isolation of safety circuits from main bus ensures safety supervision cannot be defeated by a firmware fault in the main bus controller. Single-supply with software priority was rejected because software-controlled switching cannot provide the necessary independence for IEC 62304 Class C safety circuitry. | Inspection | architecture, power-management, session-350 |
| ARC-MAIN-009 | ARC: Energy Delivery System — Dual-modality architecture (RF electrosurgery + 55.5kHz ultrasonic) with centralised Energy Delivery Controller. RF chosen for vessel sealing and haemostasis (monopolar/bipolar); ultrasonic chosen for structures within 1mm of critical vessels due to lower thermal spread. Separate Return Electrode Monitor mandated by IEC 60601-2-2 for monopolar monopolar patient safety; Tissue Effect Monitor added to detect vessel seal endpoints automatically, reducing surgeon reliance on subjective colour assessment. Single controller enforces mutual exclusion — simultaneous RF and ultrasonic activation is prohibited by interlock, not by convention. Rationale: Mixed-modality energy delivery is standard in advanced robotic surgery (cf. da Vinci ESS, Medtronic Thunderbeat), where no single energy type covers all tissue types. Centralised controller enforces safety envelope; distributed generators maintain isolation from each other and from the robot control network. | Inspection | architecture, energy-delivery, session-352 |
| ARC-MAIN-012 | ARC: Surgeon Input Console — Physical integration of haptic master arms, stereo viewer, foot pedals, and touchscreen into one ergonomic station, with strict separation of safety-critical hardware (foot pedal E-stop, hardwired) from software-mediated controls (touchscreen, voice). Rationale: decoupling safety-path hardware (E-stop pedal → Emergency Stop Chain) from the software configuration interface (touchscreen → Console Computer) ensures a firmware or OS fault on the Console Computer cannot suppress a surgeon-initiated emergency stop. Alternative of routing all pedal inputs through the Console Computer was rejected for this reason. Rationale: Architectural safety requirement: the IEC 62304 and IEC 80601-2-77 framework requires hardware independence between safety-critical inputs (E-stop) and non-safety software systems. This decision is traceable to STK-MAIN-002 (no uncontrolled energy or motion at any time). | Inspection | architecture, surgeon-console, safety, session-353 |
| ARC-MAIN-014 | ARC: Haptic Feedback Subsystem — galvanic isolation break between patient-side sensing and surgeon-side actuation. The signal chain is split into Force Sensing Module (sterile field) → Force Signal Conditioner (galvanic isolation, ≥4kVrms) → Haptic Controller (console-side, SIL2) → Master Handle Actuator. Alternatives considered: (a) direct digital fibre link eliminating analogue conditioning — rejected due to sensor power budget constraints in the sterile field; (b) single integrated controller spanning both sides — rejected because it creates a conductive path violating IEC 60601-1 patient leakage current limits. The 4kVrms isolation barrier is the single safety-critical boundary in the haptic chain. Rationale: IEC 60601-1 requires patient leakage current < 10µA in CF-type applied parts; a conductive signal path spanning the sterile and console sides would create unacceptable leakage current. The 4kVrms galvanic isolation barrier physically prevents this path. Verification by design review of isolation barrier certification documentation. | Inspection | architecture, haptic, session-354 |
| ARC-MAIN-015 | ARC: Motion Control System — FPGA-based infrastructure layer (Real-Time Protocol Engine, Inter-Cart Fibre Link, Network Management Controller, Procedure Data Recorder) is separated from the algorithmic layer (Tremor Filter, Motion Scaling, Trajectory Generator, Kinematics Engine, Workspace Safety Enforcer, Joint Servo Controller) because the two layers have fundamentally different failure modes and verification requirements. Infrastructure components are hardware-fixed timing elements verified by oscilloscope measurement; algorithmic components are software-configurable and verified by functional test. This separation also allows the FPGA layer to enforce timing guarantees independently of software faults — if the algorithmic layer hangs, the FPGA continues transmitting watchdog frames to trigger a controlled stop. Rationale: The two-layer decomposition separates hardware-fixed timing from software-configurable algorithms. This allows the FPGA infrastructure layer to enforce timing guarantees independently of software faults: if the algorithmic layer hangs, the FPGA continues transmitting watchdog frames to the patient cart, triggering a controlled stop. Infrastructure components are verified by oscilloscope measurement; algorithmic components are verified by functional test. This separation is consistent with IEC 60601-1 risk management requirements for partitioning safety-critical timing from application software. | Inspection | architecture, motion-control, infrastructure, session-357 |
| ARC-MAIN-018 | ARC: Motion Control and Scaling Subsystem — linear pipeline topology with safety injection. Components are ordered as: Tremor Rejection Filter → Motion Scaling Module → Trajectory Generator → Kinematics Engine → Joint Servo Controller, with the Workspace Safety Enforcer injecting repulsive constraints directly into the Kinematics Engine rather than acting as a separate gate. The Real-Time Compute Node hosts all pipeline stages on a single RTOS. Alternative considered: distributed pipeline across multiple CPUs for fault isolation. Rejected because cross-CPU IPC adds 0.2-0.4ms per stage, making the 1ms end-to-end budget unachievable. The single-node topology is acceptable because the Real-Time Compute Node is itself triple-redundant (2-of-3 voting) at the hardware level. Rationale: Documents the primary architectural trade-off driving the MC subsystem topology: determinism over distributed fault isolation. The 1ms end-to-end latency in SYS-MAIN-007 is the binding constraint; this decision records why distributed alternatives were rejected and what compensating mechanism (hardware triple-redundancy) provides the required fault tolerance. | Inspection | architecture, motion-control, session-358 |
| ARC-MAIN-019 | ARC: Verification Plan Coverage — Verification entries cover all safety-critical IFC requirements first (IFC-001 through IFC-013, IFC-020), prioritised by SIL classification under IEC 62061. Interface verification is selected as the minimum viable verification set because every cross-subsystem interface is a potential failure propagation path in a safety-critical medical robot. Performance threshold values (2ms joint force detection, 150ms E-stop de-energisation, 100ms teleoperation latency, 15ms haptic render) are derived from published clinical evidence and applicable standards (IEC 62061, IEC 60601-1), not estimated. Rationale: This architectural decision records the rationale for prioritising safety-critical IFC requirements in the verification plan. The coverage set (IFC-001 to IFC-013, IFC-020) maps directly to cross-subsystem interfaces with SIL 3 classification under IEC 62061; performance thresholds are derived from IEC 60601-1 and published surgical robotics clinical evidence, ensuring the verification plan is traceable to recognised standards rather than arbitrary estimates. | Inspection | architecture, verification, session-360 |
| ARC-MAIN-020 | ARC: Communication and Data Management System — dual-redundant fibre topology with FPGA-level failover and strict-priority traffic shaping. The architecture separates the real-time kinematic command path (RTPE on compute node) from the link management plane (NMC in FPGA) so that link health monitoring and failover do not share any compute resources with the 1kHz control loop. LVDS hardwired fault notification to SIS ensures the communication system can report its own failure without relying on the link it monitors. PDR uses DMA shared memory to record data without touching the RTPE thread. Alternative considered: single-port fibre with software failover — rejected because software-layer switchover could not meet the 5ms deadline under worst-case OS scheduling latency. Rationale: Architecture decision captures why the RTPE/NMC separation was chosen over integrated approaches, ensuring future maintainers understand the SIL 3 isolation rationale. | Inspection | architecture, comms, session-369, idempotency:arc-comms-369 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-MAIN-001 | Verify SUB-MAIN-001: On integrated arm test bench, ramp joint torque via calibrated load cell on each of 7 DOF to 110% of threshold. Measure time from threshold crossing to SIS safe-state assertion. Repeat 30 cycles per axis. Accept: detection within specification; zero missed trips. Rationale: SUB-MAIN-001 is a SIL 3 safety function requiring a quantified test procedure. Bench isolation confirms detection function. | Test | |
| VER-MAIN-001 | Verify IFC-MAIN-001: Inject synthetic joint torque ramp via test harness on real-time bus; measure monitor receipt latency with logic analyser. Pass criteria: ≥1000 frames/s received, all frames pass CRC, latency <200µs at 99th percentile over 60-second test. Rationale: Integration test proves the data pipeline meets both rate and latency requirements simultaneously under representative surgical load conditions. | Test | verification, sis, ifc, session-341, idempotency:ver-ifc1-torque-bus-001-341 |
| VER-MAIN-002 | Verify IFC-MAIN-002: Inject E-stop loop break via test relay; measure contactor drop-out time with oscilloscope across contactor coil. Pass criteria: contactor opens within 50ms of loop break across 10 trials at ambient temperature (22°C) and at cold soak (5°C). Rationale: Direct oscilloscope measurement of contactor drop-out provides unambiguous evidence of the 50ms requirement. Cold soak tests component behaviour near lower operating temperature limit. | Test | verification, sis, estop, session-341, idempotency:ver-ifc2-estop-contactor-001-341 |
| VER-MAIN-003 | Verify SUB-MAIN-003: Trigger emergency stop from all three input paths (surgeon foot pedal, bedside button, software watchdog). Measure time from trigger to confirmed safe state (all joints braked, energy de-energised) using oscilloscope on brake coil drive and energy enable signals. Pass: ≤150ms for each of 20 trials per path (total 60 trials). Rationale: Three separate trigger paths must each be verified independently since each has distinct signal routing; shared test would not reveal path-specific faults. | Test | |
| VER-MAIN-003 | Verify IFC-MAIN-003: Using communication test tool, introduce artificial latency (10ms, 20ms steps) and packet loss (1, 3, 5 frame bursts) on fibre link; monitor sideband register via logic probe. Pass criteria: Communication Monitor reads correct latency and loss values within 1 status cycle (1ms) and triggers alert/safe-state at defined thresholds. Rationale: Fault injection testing is the only way to verify the communication monitor sees faults correctly without disrupting the data path. Threshold accuracy must be tested at both nominal and boundary conditions. | Test | verification, sis, comms, session-341, idempotency:ver-ifc3-comms-monitor-001-341 |
| VER-MAIN-004 | Verify SUB-MAIN-002: Inject 90ms, 100ms, and 110ms artificial latency on inter-cart fibre link via delay injector. Verify SIS detects latency exceeding threshold and initiates controlled hold. Pass: 100% detection at 100ms-plus, zero false positives at 90ms over 50 injection cycles. Rationale: Latency detection threshold verified with injected faults to confirm sensitivity and specificity without waiting for real fault events. | Test | |
| VER-MAIN-004 | Verify IFC-MAIN-004: Trigger OPERATIONAL→DEGRADED and DEGRADED→SAFE-HOLD transitions via fault simulator; capture safety bus traffic with protocol analyser. Pass criteria: all subscribing subsystems receive state broadcast within 5ms, zero frames lost, publisher-subscriber acknowledgment complete within 10ms across 100 trials. Rationale: State broadcast latency directly affects the 250ms safe-state budget; the 5ms requirement needs verification under full system bus load to rule out congestion effects. | Test | verification, sis, safe-state, broadcast, session-341, idempotency:ver-ifc4-ssm-broadcast-001-341 |
| VER-MAIN-005 | Verify SUB-MAIN-004: Power the Watchdog Timer Controller from the auxiliary supply rail only. Trigger a main system power fault. Confirm watchdog continues counting on oscilloscope. Trigger a normal software heartbeat reset and confirm timeout. Pass: watchdog persists through main power fault; timeout behaviour correct on loss of heartbeat. Rationale: Physical isolation of watchdog power is a SIL 3 hardware independence requirement; must be verified by actual power interruption, not simulation, to prove no common-cause power coupling. | Test | |
| VER-MAIN-005 | Verify SYS-MAIN-002 end-to-end: Inject simulated single-point failure (joint torque, comms loss, power fault — one at a time) during active simulated procedure; measure time from fault onset to all-joints-braked and energy-off confirmation via instrumented test rig. Pass criteria: ≤250ms across 50 trials per fault type, zero cases of uncontrolled arm motion. Rationale: End-to-end safe-state timing is a system-level property that cannot be decomposed to subsystem tests — the orchestration latency (SIS, servo, energy) is only visible at system integration level. | Test | verification, system-level, safe-state, integration, session-341, idempotency:ver-sys2-e2e-safe-state-001-341 |
| VER-MAIN-006 | Verify SUB-MAIN-005: With system in OPERATIONAL state, manually break the E-stop series loop at each of six loop segments in sequence. At each break, verify: all joint brakes engage within 20ms (measured with oscilloscope on brake relay coils), energy delivery de-energised, system enters SAFE-HOLD. Total: 6 independent break-point tests. Rationale: Hardware E-stop series loop independence from software must be verified by physical loop interruption at every segment. Single-point break tests confirm the loop cannot be bypassed by a software or firmware fault. | Test | |
| VER-MAIN-006 | Verify IFC-MAIN-005: Inject synthetic Cartesian velocity commands at 1kHz from a simulated Surgeon Console and measure packet arrival timestamps at the Motion Scaling Module input. Pass criteria: 100% packet delivery, mean latency <3ms, P99 latency <5ms over 60-second test at maximum command rate. Rationale: Integration test at the console-MC boundary verifies the network substrate delivers commands within latency budget. 60-second test captures steady-state behaviour after any TCP slow-start or OS scheduling settling. | Test | verification, interface, session-340 |
| VER-MAIN-007 | Verify SUB-MAIN-007: Command the Motion Control System with synthetic Cartesian velocity vectors that violate workspace boundaries on each of six boundary planes. Verify each command is rejected and substituted with a zero-velocity setpoint within one control cycle (1ms). Run 200 boundary-crossing events per plane. Pass: 100% rejection rate; no boundary violation recorded in joint encoder log. Rationale: Workspace boundary enforcement is a safety function preventing collision with patient anatomy; must be tested at each of six boundary planes to confirm independent enforcement. | Test | |
| VER-MAIN-007 | Verify IFC-MAIN-007: Halt the Motion Control heartbeat signal and measure the time from last heartbeat to brake engagement confirmation. Pass criteria: brake engagement in ≤50ms in 100 trials, P99 ≤55ms, zero trials exceeding 60ms. Rationale: Direct test of the safety-critical heartbeat fault path: this is a SIL 3 safety function and must be demonstrated under fault injection, not inferred from analysis. | Test | verification, safety, session-340 |
| VER-MAIN-008 | Verify SUB-MAIN-008: On the Real-Time Compute Node, run the Kinematics Engine at 1kHz with full 7-DOF arm configuration changes sampled from representative surgical trajectory database. Instrument worst-case execution time using hardware cycle counter. Pass: WCET for IK computation less than 500 microseconds at 99.9th percentile over 1 million samples. Rationale: IK computation WCET must be verified on target hardware under representative surgical trajectories, not simulation, as jitter varies with trajectory complexity and cache state. | Test | |
| VER-MAIN-008 | Verify SUB-MAIN-006: Run the Motion Control pipeline on target hardware at 1kHz for 30 minutes with 3-arm full load, instrument tip contact force at 4N (near-limit), and motion at maximum velocity. Instrument pipeline execution time on every cycle. Pass: worst-case single cycle <10ms, P99 <8ms, zero missed deadline across 1.8 million cycles. Rationale: Worst-case timing must be demonstrated on real hardware (not simulation) at realistic load because PREEMPT_RT latency spikes occur under thermal stress and simultaneous IO; P99 headroom of 2ms allows for measurement overhead and production unit variation. | Test | verification, motion-control, session-340 |
| VER-MAIN-009 | Verify SUB-MAIN-009: Command each of the 7 arm joints through representative surgical motion profiles (sinusoidal at 0.5, 1, and 2Hz). Measure position error between setpoint and encoder feedback at 1kHz for 60-second runs per frequency per joint. Pass: RMS tracking error below 0.05 degrees at all frequencies; no excursion above 0.1 degrees at any sample. Rationale: Position tracking accuracy is the foundational servo loop performance metric; tested under representative surgical bandwidths (0.5-2Hz covers intentional motion; tremor filtered above 6Hz). | Test | |
| VER-MAIN-009 | Verify end-to-end control loop: Apply a 10mm/s step input at the master manipulator and measure instrument tip response. Pass: tip begins moving within 100ms, steady-state tracking error <0.5mm, no oscillation above 0.1mm amplitude after 200ms. Test at all three scaling ratios (3:1, 5:1, 10:1) and both free-space and simulated tissue-contact conditions. Rationale: End-to-end step response test validates the integrated system behaviour combining network latency, computation, servo control, and mechanics. Must include contact conditions because compliance at the instrument tip changes closed-loop dynamics and can destabilise the servo at high scaling ratios. | Test | verification, system-integration, session-340 |
| VER-MAIN-010 | Verify SUB-MAIN-013: Present a Ronchi ruling resolution chart at the surgical working distance (50-250mm range). Capture images from both stereo channels. Measure limiting resolution using MTF analysis. Pass: both channels resolve 20 lp/mm at 50mm working distance; no inter-channel resolution difference greater than 10%. Rationale: Resolution verification must be performed at the actual surgical working distance on real optics, not from specification sheets, as lens-sensor assembly tolerances affect delivered resolution. | Test | |
| VER-MAIN-010 | Verify IFC-MAIN-010: Connect Stereo Endoscope to Camera Control Unit via dual HD-SDI cables. Inject PRBS-31 test pattern on each channel independently. Measure BER over 10-minute continuous transmission using SDI analyser. Verify each channel achieves 1.485 Gbps data rate with BER below 1e-12. Disconnect one channel and verify the other continues uninterrupted. Pass: both channels meet BER threshold independently. Rationale: BER measurement with PRBS-31 is the standard method for characterising SDI link quality. Independent channel test confirms graceful degradation path. | Test | verification, vision, session-341 |
| VER-MAIN-011 | Verify SUB-MAIN-014: Using a photodiode array triggered by a common LED strobe, capture stereo channel timing signals. Measure phase difference between left and right channel frame-valid pulses over 10,000 frames. Pass: all inter-channel phase differences less than 100 microseconds; zero frames with phase difference above 200 microseconds. Rationale: Inter-channel synchronisation is safety-critical for 3D depth perception accuracy; asynchrony above 100us creates measurable depth parallax errors. Must be verified in hardware as FPGA timing parameters can drift with temperature. | Test | |
| VER-MAIN-011 | Verify IFC-MAIN-011: Transmit colour bar test pattern from CCU to Image Processing Pipeline via dual 3G-SDI. Measure inter-channel temporal skew using dual-channel frame grabber with sub-microsecond timestamp resolution. Verify skew does not exceed 100 microseconds over 30-minute continuous operation. Pass: all measured skew values below 100us threshold. Rationale: Inter-channel skew measurement requires precision timestamping equipment. 30-minute test duration covers thermal stabilisation effects on cable propagation delay. | Test | verification, vision, session-341 |
| VER-MAIN-012 | Verify SUB-MAIN-017: Display a full-white left-channel image with full-black right-channel image. Measure luminance from both left and right eyepieces using calibrated photometer. Calculate crosstalk ratio. Pass: crosstalk from left-to-right and right-to-left both less than 1%. Repeat with channels swapped. Rationale: Display crosstalk above 1% causes ghosting visible during 3D depth perception, potentially causing misjudgement of depth during fine dissection. Measured directly on the integrated display assembly. | Test | |
| VER-MAIN-012 | Verify IFC-MAIN-012: Stimulate CCU with abrupt scene brightness change (white-to-black target swap). Measure time from CCU exposure metering output to illumination intensity change using photodiode and oscilloscope. Verify command-to-intensity latency does not exceed 16ms. Repeat for 100 cycles. Pass: all latencies below 16ms, no RS-422 frame errors. Rationale: Step-change stimulus provides worst-case latency measurement. 100 cycle repetition ensures statistical confidence in the latency bound. | Test | verification, vision, session-341 |
| VER-MAIN-013 | Verify IFC-MAIN-020: Couple five instrument types to the Instrument Recognition Module in sequence. Capture the data payload transmitted to the Tool Tip Articulation Controller after each coupling. Verify instrument type code, calibration offsets, use count, and sterilisation history are all present and correct against the instrument chip contents. Pass: 100% field accuracy across all 5 instruments; transfer complete within 200ms of coupling. Rationale: IFC-020 data accuracy is required for correct cable displacement calculation; incorrect calibration offsets cause tip position error, directly violating SYS-001 precision. | Test | |
| VER-MAIN-013 | Verify IFC-MAIN-013: Drive Stereoscopic Display System from Image Processing Pipeline via dual DisplayPort 1.2 with synthetic surgical scene. Measure end-to-end latency from IPP output timestamp to photon emission using photodiode on display surface and oscilloscope. Verify latency does not exceed 8ms for 1000 consecutive frames. Verify 3840x2160 resolution and 10-bit colour depth via display analyser. Pass: all latencies below 8ms, resolution and colour depth confirmed. Rationale: Photodiode measurement of photon emission time is the gold standard for display latency characterisation. 1000-frame test covers worst-case frame timing. | Test | verification, vision, session-341 |
| VER-MAIN-014 | Verify IFC-MAIN-021: Using a cable tension simulator, inject known tension values (nominal, low-threshold, high-threshold, and anomalous) on each of 4 cable channels. Monitor the SIS input bus with a logic analyser. Verify reported tension values match injected values within tolerance, and verify SIS receives anomaly assertion within 10ms of threshold breach. Rationale: IFC-021 is the signal path enabling SIS detection of cable mechanical faults; accuracy and latency must be verified to confirm the safety function meets its 250ms safe-state budget. | Test | |
| VER-MAIN-014 | Verify IFC-MAIN-014: Record 8-hour continuous procedure simulation from Image Processing Pipeline to Procedure Video Recorder. Verify recorded video is 1080p60 H.265 at 50Mbps CBR with no frame drops. Verify embedded audio channels are present. Verify parallel metadata timestamps correlate with video frames within 1ms using spot-check of 100 randomly selected frames. Pass: zero frame drops, audio present, all timestamp correlations within 1ms. Rationale: 8-hour endurance recording test matches operational requirement. Spot-check of 100 frames provides statistical confidence in timestamp accuracy across the full recording duration. | Test | verification, vision, session-341 |
| VER-MAIN-015 | Verify IFC-MAIN-022: Command the Tool Tip Articulation Controller through a representative wrist-flexion trajectory (±90 degrees at 30 degrees/s). Monitor cable displacement commands delivered to the Instrument Drive Unit via the interface bus. Measure command latency and resolution. Pass: latency less than 1ms per command cycle; displacement resolution at or better than 0.01mm. Rationale: IFC-022 command resolution drives achievable tip position accuracy; 0.01mm resolution supports the ±0.1mm tip precision in SYS-001. Latency verified under dynamic motion, not static commands. | Test | |
| VER-MAIN-015 | Verify SUB-MAIN-019: During active stereo display operation, disconnect one HD-SDI channel at the endoscope connector. Measure time from disconnection to 2D monocular video appearing on display. Verify visual alert is displayed. Reconnect channel and verify stereo recovery. Repeat for both left and right channels. Pass: switchover to 2D within 500ms for both channels, alert displayed within 500ms, stereo recovery within 2s of reconnection. Rationale: Physical disconnection simulates the most common single-channel failure mode. Testing both channels confirms symmetric degradation. Recovery test validates the system can return to stereo operation without restart. | Test | verification, vision, safety, session-341 |
| VER-MAIN-016 | Verify IFC-MAIN-023: Using a test fixture, trigger the Instrument Lifecycle Controller to issue a lockout command by presenting an instrument with use count at maximum. Capture the lockout command transmission to the Safe State Manager. Verify the Safe State Manager inhibits instrument coupling within 500ms. Pass: lockout command issued; coupling inhibited; no mechanism for surgeon override without authorised code. Rationale: IFC-023 is a patient safety interface: preventing use of an overused instrument eliminates a mechanical failure mode. Must be tested with full lockout chain, not mock signals, to confirm end-to-end enforcement. | Test | |
| VER-MAIN-016 | Verify end-to-end vision chain: Position Stereo Endoscope viewing a calibrated resolution target in simulated body cavity with surgical illumination. Measure end-to-end latency from target motion (motorised at 20mm/s) to display update using high-speed external camera observing both target and display simultaneously. Verify total visual latency from scene change to photon emission does not exceed 35ms. Verify resolution target resolves 20 lp/mm. Verify stereo depth accuracy within 1mm at 50mm working distance using calibrated depth target. Pass: latency below 35ms, resolution confirmed, depth accuracy within 1mm. Rationale: End-to-end vision chain test validates the complete optical path from endoscope through CCU, IPP, to display. 35ms latency budget is the vision chain allocation from the 50ms total hand-to-eye budget. High-speed camera method provides ground-truth latency measurement independent of system clocks. | Test | verification, vision, integration, session-341 |
| VER-MAIN-017 | Verify IFC-MAIN-015: Connect Force Sensing Module to Force Signal Conditioner via production cable. Inject common-mode signals at 50Hz, 150Hz, 1kHz at 10V amplitude. Measure differential output; pass criterion: differential error <10mV at each frequency (80dB CMRR at 1kHz). Rationale: Functional test on production hardware verifying CMRR against OR noise frequencies. 10mV threshold derived from 80dB CMRR at 10V CM input. | Test | verification, haptic, session-342 |
| VER-MAIN-018 | Verify IFC-MAIN-016: Connect Force Signal Conditioner to Haptic Controller on target hardware. Apply known reference loads (0N, 5N, 15N, 30N on each axis). Measure SPI frame arrival timestamps across 10,000 consecutive samples; pass criterion: all inter-arrival intervals within 1ms±50us, maximum propagation latency <100us. Rationale: Latency measurement on target hardware under load validates the 100us propagation budget that feeds into the 2ms end-to-end haptic latency requirement. | Test | verification, haptic, session-342 |
| VER-MAIN-019 | Verify IFC-MAIN-017: Command Haptic Controller to transmit torque setpoints exceeding 1.2Nm on all 7 joints simultaneously via CAN FD. Measure actual motor driver output with current clamp; pass criterion: no joint exceeds 1.2Nm output. Also verify 1kHz command rate maintained for 60 seconds under peak load without dropped frames. Rationale: Hardware torque limit verification requires commanding beyond the limit; this test confirms the motor driver hardware enforces the cap independently of software. Dropped-frame test validates bandwidth adequacy. | Test | verification, haptic, session-342 |
| VER-MAIN-020 | Verify IFC-MAIN-018: On target hardware, generate peak traffic (21 kinematics channels at 1kHz, two 4K60 video streams) over the production fibre link. Measure per-frame latency for kinematic frames with hardware timestamping across 100,000 frames; pass criterion: all kinematic frames delivered within 200us, no frames dropped. Rationale: Worst-case throughput test on target hardware; hardware timestamping eliminates OS jitter from measurements. | Test | verification, comms, session-342 |
| VER-MAIN-021 | Verify IFC-MAIN-019 and SUB-MAIN-028: Inject primary fibre link failure by disconnecting the active optical transceiver during live command traffic. Measure time to first valid frame received on standby link via oscilloscope trigger. Pass criterion: standby link active within 10ms, zero kinematic frames missing from command stream (verified by sequence number continuity in Procedure Data Recorder log). Rationale: Physical transceiver disconnection simulates the most severe link failure. Sequence number continuity check in the recorder log verifies zero-loss switchover at the application layer, not just the physical layer. | Test | verification, comms, failover, session-342 |
| VER-MAIN-022 | Verify SUB-MAIN-032: Couple 5 different instrument types (grasper, scissors, needle driver, cautery hook, clip applier) to each arm position. Measure time from coupling detection signal to kinematic model availability at the Tool Tip Articulation Controller. Pass: all 15 trials complete recognition within 200ms. Verify chip data integrity by comparing read-back values against programmed reference values with zero errors across 100 coupling cycles. Rationale: Tests all instrument types across all arm positions to detect any position-dependent or type-dependent recognition delays. The 100-cycle endurance test validates NFC reader reliability under repeated mechanical coupling vibration. | Test | verification, surgical-instrument-system, session-346 |
| VER-MAIN-023 | Verify SUB-MAIN-034: Using a calibrated load cell on each cable, command the Cable Tensioning System to maintain nominal tension while externally perturbing cable load by +/-10% at frequencies from 0.1Hz to 100Hz. Pass: tension stays within +/-5% of set-point for perturbations within range. Inject a step tension change of 20% on one cable. Pass: anomaly alert received by Safety and Interlock Subsystem within 10ms of injection, containing correct arm ID and cable channel. Rationale: Frequency sweep validates dynamic tension control under realistic cable loads. The 20% step injection exceeds the 15% anomaly threshold to verify detection latency under worst-case conditions. | Test | verification, surgical-instrument-system, session-346 |
| VER-MAIN-024 | Verify SUB-MAIN-035: Subject 20 Sterile Adapter samples to 8-hour continuous torque cycling (2Nm per channel, 6 channels, 1Hz cycle rate) with 50N sustained axial load. Post-test: perform sterile barrier integrity test per ASTM F1929 (dye penetration). Pass: zero dye penetration in all 20 samples. Measure torque transmission efficiency on a dynamometer. Pass: torque loss does not exceed 5% on any channel after 8-hour test. Rationale: Sample size of 20 provides statistical confidence for a single-use medical device. The dye penetration test is the regulatory standard for sterile barrier validation. Torque measurement after endurance cycling captures any degradation from wear. | Test | verification, surgical-instrument-system, session-346 |
| VER-MAIN-025 | Verify Console Computer network isolation by penetration test: connect test system to hospital information network port and attempt TCP connections to all CAN-FD gateway IP addresses. Zero successful connections SHALL be established. Repeat with crafted VLAN-hopping frames. Verify TLS certificate chain with a non-client-cert connection attempt — SHALL be rejected. Rationale: Penetration testing is required (not just inspection) because network isolation failures are often due to misconfigured firewall rules or VLAN tagging errors that are not visible in design documentation. Active attack simulation is the only reliable verification method per IEC 81001-5-1 Annex C. | Test | |
| VER-MAIN-025 | Verify SUB-MAIN-038: With three instrument arms active, inject a cable tension anomaly on one arm via the test interface. Measure time from anomaly injection to affected arm brake engagement. Pass: brake engaged within 50ms. Verify remaining arms continue executing a pre-programmed trajectory with no position deviation exceeding 0.1mm. Verify surgeon console displays affected arm identity and failure type within 200ms of anomaly. Rationale: Tests the full degraded-mode chain: anomaly detection, safety shutdown of affected arm, isolation of remaining arms, and operator notification. The 0.1mm position check on remaining arms ensures the shutdown transient does not propagate through shared power or communication buses. | Test | verification, surgical-instrument-system, session-346 |
| VER-MAIN-026 | Verify IFC-MAIN-024: On target Real-Time Compute Node, inject synthetic 6-DOF velocity vectors at 1kHz into the Tremor Rejection Filter output buffer. Measure Motion Scaling Module read latency with hardware timestamp counter. Pass criteria: 99.99% of reads complete within 5μs, zero stale-data detections over 60-second test window, all 6 DOF values match injected data to 15-digit precision. Rationale: Validates shared-memory interface timing and data integrity under sustained load. The 99.99% threshold allows 6 exceedances per minute, consistent with PREEMPT_RT scheduling guarantees on the target platform. | Test | verification, motion-control, session-348 |
| VER-MAIN-027 | Verify IFC-MAIN-026: On target hardware, fill the SPSC ring buffer from the Trajectory Generator at 1kHz while injecting controlled scheduling delays of 0-3ms on the Kinematics Engine consumer thread. Pass criteria: zero data loss over 10-minute test, buffer occupancy never exceeds 3 frames under nominal conditions, quaternion norm deviation below 1e-12 after transfer. Rationale: Exercises the ring buffer under worst-case jitter conditions to confirm the 4-frame depth provides adequate margin. Quaternion norm check detects any corruption in the lock-free transfer path. | Test | verification, motion-control, session-348 |
| VER-MAIN-028 | Verify Master Handle Actuator backdrive force when Haptic Feedback Subsystem is in STANDBY state: measure handle resistance at 10 evenly-spaced positions across full articulation range. Force SHALL be ≤0.1N at all positions. Transition system from ACTIVE to STANDBY while maintaining handle position — verify no transient force spike exceeds 0.5N during transition. Rationale: A haptic actuator that holds non-zero force in STANDBY creates a control input bias that the surgeon cannot distinguish from genuine force feedback. Measuring 10 positions ensures coverage of the full cam profile, not just the nominal centre position where most bias errors are zero. | Test | |
| VER-MAIN-028 | Verify IFC-MAIN-027: On integrated motion control bench with 7-DOF servo drives connected via EtherCAT, command sinusoidal joint trajectories at 1kHz across all joints simultaneously. Measure frame delivery latency with EtherCAT distributed clock timestamps. Pass criteria: 100% of frames delivered within 250μs, position/velocity/torque feedforward values match commanded values to 24-bit precision, zero frame drops over 30-minute continuous run. Rationale: EtherCAT frame delivery timing is the tightest constraint in the servo loop. The 30-minute duration exercises the interface through thermal steady-state of the servo drives and compute node, which is when timing margins are smallest. | Test | verification, motion-control, session-348 |
| VER-MAIN-029 | Verify IFC-MAIN-028: On target hardware, update workspace boundary polytope at 100Hz while the Kinematics Engine reads constraints at 1kHz. Inject boundary changes that shrink the workspace by 50% mid-trajectory. Pass criteria: zero partial reads detected via CAS validation, Kinematics Engine respects updated boundary within 20ms of change, polytope constraint count correctly varies from 6 to 24 half-planes. Rationale: The dynamic boundary update during active motion is the highest-risk scenario for IFC-MAIN-028 — a partial read could create a non-convex feasible region allowing unsafe motion outside the intended workspace. The 20ms response target is 2× the 10ms update interval, providing margin. | Test | verification, motion-control, session-348 |
| VER-MAIN-030 | Verify IFC-MAIN-025: On target hardware, transmit scaled velocity commands at 1kHz while switching scaling ratio (3:1→5:1→10:1) at 10-second intervals. Pass criteria: Trajectory Generator correctly reads active ratio metadata within 1ms of change, timestamps are monotonically increasing with zero gaps, data integrity verified by checksum comparison over 5-minute run. Rationale: Scaling ratio transitions during active motion are a common surgical workflow — the surgeon changes scaling mid-procedure. The test validates that ratio metadata propagation does not cause the Trajectory Generator to apply stale scaling, which would produce a motion discontinuity. | Test | verification, motion-control, session-348 |
| VER-MAIN-031 | Verify end-to-end Motion Control pipeline: Inject synthetic surgeon hand motion (sinusoidal at 0.5Hz, 2Hz, and 5Hz with 6Hz+ tremor component) at the Tremor Rejection Filter input. Measure instrument tip position at the Joint Servo Controller output via joint encoder feedback through forward kinematics. Pass criteria: tremor component attenuated by ≥40dB at tip, end-to-end pipeline latency ≤4ms (4 control cycles), tip position tracking error ≤0.05mm RMS at 0.5Hz, scaling ratio transitions produce no position discontinuity >0.02mm, Workspace Safety Enforcer halts motion within 2ms of boundary violation. Rationale: System-level integration test exercising the complete Cartesian-to-joint-space pipeline under realistic surgical motion profiles. This test cannot be decomposed into component-level tests because it validates the interaction between tremor rejection, scaling, trajectory generation, kinematics, servo control, and workspace enforcement as a coupled chain. | Test | verification, motion-control, integration, session-348 |
| VER-MAIN-032 | Verify REQ-SESURGICALROBOT-029: On the Real-Time Compute Node, inject 1000 joint-space command frames into the Kinematics Engine over 1 second — 990 with valid HMAC-SHA256 MACs and 10 with corrupted MACs. Confirm that all 990 valid frames are processed and all 10 invalid frames are rejected within 1ms and logged to the Procedure Data Recorder with timestamp and source ID. Confirm zero invalid frames appear in the kinematics output stream. Rationale: Authentication test must cover both the rejection path and the logging path to verify the security requirement is fully implemented. The 1kHz injection rate matches the operational servo rate, ensuring the test exercises the authentication mechanism under realistic timing conditions. | Test | |
| VER-MAIN-032 | Verify IFC-MAIN-029: Simulate mains loss by opening the main supply contactor under full system load. Measure Auxiliary Power Supply output voltage at Emergency Stop Chain contactor coil terminals using oscilloscope at 1MHz sampling. Pass criterion: voltage remains within 22–26V DC with no interruption exceeding 10ms duration. Rationale: Direct measurement at the interface boundary under the worst-case transient condition (full-load mains loss). Oscilloscope capture at 1MHz is necessary to detect sub-millisecond interruptions that cause contactor dropout. | Test | verification, power-management, session-350, idempotency:ver-ifc029-power-estop-350 |
| VER-MAIN-033 | Verify REQ-SESURGICALROBOT-030: Boot the Real-Time Compute Node and confirm the RSA-2048 signed workspace envelope is loaded from the write-protected memory partition. Then inject 50 waypoints within the signed envelope and 10 waypoints outside it. Confirm that all 10 out-of-envelope waypoints trigger a controlled stop within 50ms and that no trajectory segment is generated for any out-of-envelope waypoint. Rationale: The test must verify both the RSA signature check at boot and the per-waypoint envelope validation at runtime. Testing with a mix of valid and invalid waypoints ensures the validation logic is correctly implemented for both the positive and negative cases. | Test | |
| VER-MAIN-033 | Verify SUB-MAIN-043: Discharge UPS Battery Module to 80% charge, then simulate mains loss under full system operational load (all arms active, recording running). Measure time to first system functional failure or controlled shutdown initiation. Pass criterion: all system functions maintained for minimum 30 minutes, followed by controlled safe shutdown. Rationale: Full-load discharge test with pre-conditioned battery state (80%) represents realistic worst-case surgical scenario. Testing from full charge would not reveal battery capacity margins under normal operational conditions. | Test | verification, power-management, session-350, idempotency:ver-sub043-ups-duration-350 |
| VER-MAIN-034 | Verify REQ-SESURGICALROBOT-031: Connect a PTP test injector to the Real-Time Protocol Engine network segment. Inject 100 valid PTP sync messages followed by 20 with corrupted HMACs and then a 15ms gap with no authenticated messages. Confirm: (1) all 20 invalid-MAC frames are discarded and logged; (2) safe hold state is entered within 10ms of the last authenticated frame; (3) surgeon console alert is generated within 100ms of safe hold entry. Rationale: The three-phase test exercises the authentication rejection path, the timing-loss safe-hold path, and the HMI alert path, matching the three SHALL clauses in the requirement. The 15ms gap exceeds the 10ms threshold, ensuring the safe-hold trigger is verified within budget. | Test | |
| VER-MAIN-034 | Verify IFC-MAIN-030: Inject 100 command frames per second via isolated CAN analyser; measure generator acknowledgement latency for 1000 frames. Pass if: (a) all frames acknowledged within 5ms, (b) no missed acknowledgements, (c) CAN bus error counter remains zero throughout 60-second test. Rationale: Integration test at the physical CAN interface validates both protocol compliance and timing under sustained load — essential for a safety-critical command bus. | Test | verification, energy-delivery, session-352 |
| VER-MAIN-035 | Verify SUB-MAIN-094: Commission an IEC 62304 software development environment audit. Review that the software development plan, requirements specification, detailed design, unit test records, and integration test records are complete and traceable. Confirm independent review records exist for all Class C safety-critical software modules. Pass criterion: all five lifecycle artefact categories present with no open actions at Class C severity. Rationale: IEC 62304 Class C qualification requires documented lifecycle evidence for motion control software that can cause patient harm. Inspection is the appropriate method because the requirement specifies a process standard, not a functional behaviour; functional testing cannot verify development-phase compliance. | Inspection | |
| VER-MAIN-035 | Verify IFC-MAIN-031: Monitor RS-485 traffic with protocol analyser during 5-minute ultrasonic activation sequence. Pass if: (a) blade temperature telemetry received at minimum 50Hz continuous, (b) power level commands issued at correct rate, (c) no framing errors detected. Rationale: Blade temperature telemetry is the safety-critical output of this interface; 50Hz minimum must be verified under sustained load to confirm the 100°C inhibit will function correctly. | Test | verification, energy-delivery, session-352 |
| VER-MAIN-036 | Verify IFC-MAIN-040: Inject a continuous 6-DOF Cartesian velocity command stream from the Console Computer test harness at 1kHz. Capture 10,000 consecutive frames on the Inter-Cart Fibre Link and verify: (a) all frames are 48 bytes, (b) sequence numbers are monotonically increasing with no gaps, (c) CRC-CCITT checksum matches computed value for each frame, (d) inter-frame interval does not exceed 1.1ms in more than 0.1% of cycles. Pass criterion: zero protocol format errors across the 10-second capture window. Rationale: IFC-MAIN-040 defines the kinematic command frame format (48-byte little-endian, 1kHz, sequence number, CRC-CCITT) that the Console Computer writes to the Inter-Cart Fibre Link. This protocol integrity is safety-critical: a framing error or dropped frame on the kinematic command path can cause the Real-Time Protocol Engine to stall or misinterpret commands, potentially resulting in uncontrolled arm motion. The test captures sufficient frames to detect systematic errors at the <1e-4 frame error rate used for safety-critical communication links. | Test | |
| VER-MAIN-036 | Verify IFC-MAIN-032: Simulate Return Electrode Monitor interlock line de-energisation with ESG in active monopolar mode. Pass if: ESG ceases monopolar RF output within 50ms of interlock line de-energisation, as measured on oscilloscope. Also verify: ESG refuses to enable monopolar output when interlock line is de-energised at startup. Rationale: Hardwired interlock must be verified at the hardware level, not via software simulation. Timing from oscilloscope provides ground truth for the de-energise-to-inhibit response. | Test | verification, energy-delivery, safety, session-352 |
| VER-MAIN-037 | Verify SUB-MAIN-071: Drive the Real-Time Protocol Engine with a 1kHz TDM master clock. Using a logic analyser with 1ns resolution, capture 100,000 consecutive frame transmission timestamps over a 100-second run. Compute cycle-to-cycle jitter. Pass criterion: all measured cycle-to-cycle jitter values within plus or minus 50 microseconds. Rationale: SUB-MAIN-071 specifies the +/-50 microsecond jitter budget for the TDM frame scheduler. This budget is the foundation of all downstream latency allocations in the control loop — if the RTPE scheduler drifts, downstream stages exceed their cycle windows and the 1ms end-to-end motion control budget is violated. Verification by direct oscilloscope measurement is mandatory because jitter cannot be inferred from software timing alone. | Test | |
| VER-MAIN-037 | Verify IFC-MAIN-033: Connect test load simulating vessel impedance profile to ESG output; confirm TEM reads impedance at minimum 1kHz and issues shutoff within 200ms of simulated endpoint (1.5kΩ rise in 400ms window). Verify via CAN log and oscilloscope capture of RF output envelope. Rationale: Vessel seal endpoint detection must be verified against a known impedance profile; real tissue is not available for hardware-level testing, so validated test loads are standard practice. | Test | verification, energy-delivery, session-352 |
| VER-MAIN-038 | Verify SUB-MAIN-082: Load a patient anatomy mesh into the Workspace Safety Enforcer. Command the robot arm through 100 approach trajectories targeting ten distinct anatomical boundary regions. Verify that repulsive constraint forces activate before any commanded trajectory penetrates the boundary. Measure penetration depth at point of constraint activation. Pass criterion: zero boundary penetrations; constraint activation latency below 2ms in all 100 trials. Rationale: SUB-MAIN-082 specifies the real-time proximity enforcement that prevents surgical instrument over-penetration into protected anatomy. Failure of the WSE to activate constraints in time is a patient safety hazard. The test directly exercises the collision detection path under representative surgical motion and verifies the non-penetration guarantee that the requirement establishes. | Test | |
| VER-MAIN-038 | Verify IFC-MAIN-034: Assert E-STOP signal on system safety bus while ESG is delivering active RF energy. Measure time from E-STOP assertion to RF output falling below 1W using oscilloscope. Pass if transition occurs within 20ms. Repeat 20 times; all must pass. Rationale: E-STOP response requires repeated testing to confirm reliability across the 20ms window — a single pass test would not reveal marginal timing cases. 20 repetitions is consistent with IEC 62061 functional safety evidence requirements for SIL 2 functions. | Test | verification, energy-delivery, safety, session-352 |
| VER-MAIN-039 | Verify SUB-MAIN-083: Simulate anatomy mesh corruption and load failure. Inject a corrupted mesh file and observe WSE behaviour. Verify the WSE switches to conservative bounding-box workspace limits and logs the failure within 500ms. Verify normal operation resumes when a valid mesh is loaded. Pass criterion: no unprotected arm motion during mesh failure; bounding-box workspace enforced throughout the failure window. Rationale: SUB-MAIN-083 specifies the degraded-mode behaviour for the WSE when the anatomy mesh is unavailable. Without verified fallback behaviour, a mesh database fault would leave the arm with no proximity constraints, creating an uncontrolled motion risk. Verification requires injecting the specific fault condition because normal integration testing cannot exercise degraded-mode paths. | Test | |
| VER-MAIN-039 | Verify end-to-end energy delivery chain: with a calibrated RF load (500Ω, simulating vessel tissue), activate monopolar energy via surgeon footswitch; measure (a) time from footswitch closure to RF reaching 90% of setpoint power, (b) time from footswitch release to RF falling below 1W, (c) REM alarm response to impedance step above 135Ω mid-activation. Pass criteria: (a) ≤100ms, (b) ≤50ms, (c) monopolar inhibited within 500ms. Test at 50W, 200W, and 400W setpoints. Rationale: End-to-end test exercises the full command chain from surgeon input through Energy Delivery Controller through ESG to tissue, validating that SYS-MAIN-017 and safety monitoring function together as an integrated system. Multi-power-level testing confirms compliance across the operating envelope. | Test | verification, energy-delivery, system-integration, session-352 |
| VER-MAIN-040 | Verify SUB-MAIN-051: Using a calibrated impedance bridge, step patient return electrode pad impedance from 100Ω (safe) to 150Ω (above 135Ω threshold) while monopolar energy is active. Measure time from impedance step to RF output inhibition. Pass if: inhibition occurs within 500ms, surgeon console alarm is triggered, and energy does not resume automatically. Repeat 10 times. Rationale: REM threshold response is a patient safety function verified by simulating the actual pad-lift impedance signature. 10 repetitions provide statistical confidence in the 500ms response time. | Test | verification, energy-delivery, safety, session-352 |
| VER-MAIN-041 | Verify SUB-MAIN-054: With the energy delivery system connected to a calibrated leakage current test fixture per IEC 60601-1, measure patient leakage current under normal condition and with single-fault conditions (open earth, reversed polarity). Pass if: normal condition ≤10μA, any single-fault condition ≤50μA, for all energy delivery circuit paths. Rationale: IEC 60601-1 Type CF compliance must be verified by electrical safety testing per the standard's prescribed test methodology. These limits are absolute safety boundaries that cannot be relaxed. | Test | verification, energy-delivery, safety, session-352 |
| VER-MAIN-042 | Verify IFC-MAIN-035: With an energy activation foot pedal connected to Energy Delivery Controller via isolated CAN bus, inject 100 activation and deactivation pedal events at 2Hz. Measure CAN message timestamp vs pedal switch closure. Pass criterion: all messages delivered within 10ms of pedal actuation. Verify isolation: inject 500V common-mode signal on pedal cable; verify no conduction path to system ground. Rationale: Integration test for energy pedal CAN interface. 100-event sample provides statistical confidence on latency performance. Isolation test verifies patient safety protection against return current paths through the pedal cable. | Test | verification, surgeon-console, energy-delivery, session-353 |
| VER-MAIN-043 | Verify IFC-MAIN-036: Command 200 clutch engage/disengage events via foot pedal at 1Hz. Log CAN bus timestamp and Motion Control System clutch state acknowledgement. Pass: all events received within 10ms. Verify priority: saturate CAN bus with configuration traffic to 80% load and rerun; clutch messages must still meet 10ms latency. Rationale: Clutch interface must be verified under bus-congestion conditions matching realistic surgical use where configuration and telemetry traffic competes for bus bandwidth. | Test | verification, surgeon-console, motion-control, session-353 |
| VER-MAIN-044 | Verify IFC-MAIN-038: Monitor USB 3.0 traffic between Voice Command Module and Console Computer for 60 minutes during simulated procedure using a USB protocol analyser. Verify: (1) only command ID, confidence score, and timestamp packets are transmitted; (2) no raw PCM audio data is present in any packet. Pass: zero raw audio bytes detected in any USB transaction. Rationale: Patient privacy audit: USB traffic analysis is the only reliable method to confirm that raw audio does not leave the Voice Command Module, as software assertions could be bypassed by firmware update. | Test | verification, surgeon-console, voice, privacy, session-353 |
| VER-MAIN-045 | Verify SUB-MAIN-059: Transition system to OPERATIONAL state via software command. Issue motorised axis adjustment command to each of the 5 positioning axes within 500ms of state transition. Verify all commands are rejected. Time the lock-out interval from state transition to confirmed axis brake engagement on all axes. Pass: lock-out completes within 500ms; all adjustment commands during OPERATIONAL state are rejected. Rationale: Lock-out timing is safety-critical: an adjustment command accepted after state transition but before lock-out completes could shift master arm calibration. Test verifies both the timing bound and that the rejection is active across the full state transition window. | Test | verification, surgeon-console, arm-positioning, session-353 |
| VER-MAIN-046 | Verify end-to-end surgeon console to instrument tip chain: with system in OPERATIONAL state, surgeon activates energy foot pedal while commanding wrist motion via master arms. Measure: (1) pedal-to-energy-delivery latency; (2) master arm motion to instrument tip position update latency; (3) simultaneous energy and motion command coexistence without mutual interference. Pass: pedal latency <=50ms; tip position update <=1ms; no energy cutout or motion fault from combined command load. Rationale: End-to-end test validates that the Surgeon Input Console correctly multiplexes simultaneous motion and energy commands through independent paths without cross-interference, which cannot be verified by testing each interface in isolation. | Test | verification, surgeon-console, integration, end-to-end, session-353 |
| VER-MAIN-047 | Verify SUB-MAIN-062: Submit Haptic Controller SIL2 evidence package to IEC 62061 assessor, including FMEA, fault injection test results, and watchdog response time measurements. Pass criterion: assessor confirms SIL2 certification with no outstanding CARs. Rationale: SIL2 certification is verified by third-party assessment of the safety case, not by in-house bench test alone. | Analysis | verification, haptic, session-354 |
| VER-MAIN-048 | Verify REQ-SESURGICALROBOT-040: Inject primary haptic force-rendering processor fault via hardware fault injection on a system integration bench. Confirm switchover to secondary rendering path completes within 50 ms (measured from fault injection to first valid haptic torque output on secondary path). Verify contact-force reproduction error remains within 20 percent of nominal across 5 N, 10 N, and 15 N reference forces. Repeat 20 times. Rationale: Haptic processor redundancy is a safety-critical function; fault injection testing on the integration bench is the only method that can directly measure switchover latency under controlled conditions without risk to a patient. | Test | verification, haptics, redundancy, session-367 |
| VER-MAIN-048 | Verify SUB-MAIN-063: On haptic integration test rig, command 1kHz haptic render loop while varying simulated tissue contact stiffness from 0.1 N/mm to 10 N/mm in 0.1 N/mm steps, at all scaling ratios 1:1 to 10:1. Record master handle joint torques. Pass criterion: no sustained oscillation >0.05 Nm peak-to-peak for 30 seconds at any stiffness/scaling combination. Rationale: Stability must be demonstrated across the full operating envelope; an isolated soft-tissue or single-ratio pass is insufficient because instability is a boundary phenomenon. | Test | verification, haptic, session-354 |
| VER-MAIN-049 | Verify REQ-SESURGICALROBOT-042: With the surgical robot at nominal surgical load, disconnect AC mains at the PDU. Measure time from mains loss to all servo drives confirming sustained power on UPS. Confirm transfer time is less than 10 ms using a calibrated oscilloscope channel triggered on the mains loss event. Verify full-rated operation continues for 15 minutes minimum. Perform across input voltages of 85 VAC, 100 VAC, and 240 VAC. Rationale: UPS transfer timing must be verified under actual surgical load at worst-case input voltage; simulation cannot capture the real contactor and controller behavior during a live mains dropout. | Test | verification, power, redundancy, session-367 |
| VER-MAIN-049 | Verify IFC-MAIN-037: Inject 1000 consecutive session management messages (instrument configuration, state sync) at maximum payload from Console Computer to Real-Time Protocol Engine via USB 3.0; measure roundtrip latency distribution; pass criterion: 99th percentile latency below 10ms, zero message loss, session state consistent on both ends after 60-minute soak. Rationale: Session management is the data path for surgical case configuration and instrument profile loading. Latency and integrity verification under soak conditions catches USB buffer issues and driver-level race conditions that only manifest after sustained operation. | Test | verification, surgeon-console, comms, session-356, idempotency:ver-ifc037-rtpe-session-356 |
| VER-MAIN-050 | Verify SUB-MAIN-010: Command the Workspace Safety Enforcer to issue joint-angle commands within 2° of hard-stop boundary for each of the six joint axes using HIL simulator. Confirm WSE rejects the command within one 1kHz control cycle (≤1ms) and generates a safety violation event. Pass: 100% rejection rate across 1000 boundary-approach commands per axis. Rationale: Hardware-in-the-loop testing against the actual WSE FPGA firmware is the only method to verify the 1-cycle rejection latency under real interrupt timing. Simulation cannot accurately model FPGA-level preemption. | Test | |
| VER-MAIN-050 | Verify SUB-MAIN-055: Actuate each pedal function (energy activate, clutch, camera) 200 times with a calibrated mechanical jig; log CAN frame timestamps vs pedal contact timestamps via logic analyser; pass criterion: all 200 events per pedal function transmitted within 50ms of contact, zero missed events. Rationale: Mechanical jig actuation eliminates human reaction time variation. Logic analyser timestamps provide sub-microsecond precision needed to distinguish 50ms pass/fail boundary. 200 samples per function provides statistical confidence on the latency tail. | Test | verification, surgeon-console, foot-pedal, session-356, idempotency:ver-sub055-pedal-latency-356 |
| VER-MAIN-051 | Verify SUB-MAIN-011: Under full 1kHz control loop load with concurrent safety monitoring and data recording tasks active, inject 10,000 synthetic interrupt events via RTOS test hooks and measure worst-case interrupt latency using hardware logic analyser on GPIO trigger pin. Pass: maximum observed latency ≤50 microseconds across all 10,000 events. Rationale: Software-only timing measurement cannot exclude OS scheduling effects. Hardware logic analyser provides ground-truth latency independent of the kernel under test. 10,000 events provides statistical confidence >3-sigma for rare worst-case conditions. | Test | |
| VER-MAIN-051 | Verify SUB-MAIN-056 and SUB-MAIN-057: Present 500-item randomised command vocabulary to Voice Command Module via calibrated surgical headset at 55dB(A) ambient noise; record recognition result and dispatch timestamp for each command; pass criterion: word error rate no greater than 5 percent overall and across any individual speaker sample, command dispatch within 200ms of utterance completion for all recognised commands. Rationale: Combined WER and latency test using standardised noise conditions matches the surgical theatre acoustic environment. 500-item vocabulary covers the full command set plus confusables. Multi-speaker sample ensures the 5 percent WER criterion is not passed by a model overfitted to a single accent. | Test | verification, surgeon-console, voice, session-356, idempotency:ver-sub056057-voice-wer-lat-356 |
| VER-MAIN-052 | Verify SUB-MAIN-012: Inject each of the five defined fault conditions (communication loss, power fault, sensor fault, software exception, manual E-stop) via fault injection controller with all operator displays blanked. Verify the Safe State Manager broadcasts a safety-state transition command within 50ms of fault onset without any operator input. Pass: automated transition on 100% of injected faults; transition time ≤50ms in all cases. Rationale: Blanked operator displays ensure the test is not contaminated by accidental operator input. 50ms sub-budget is the SIS internal allocation within the 250ms system budget. Fault injection controller provides controlled, repeatable fault conditions isolated from normal operation. | Test | |
| VER-MAIN-052 | Verify SUB-MAIN-058: Attempt to enable robotic motion without completing surgeon authentication; verify system refuses and logs the attempt; complete authentication and verify motion enable succeeds; lock and re-enable under time pressure; pass criterion: motion always inhibited without valid auth, auth audit trail persists in procedure log. Rationale: Authentication is a regulatory control; demonstration by qualified test engineers is the required verification method under IEC 62304 for software safety requirements. The audit trail check ensures the control is forensically traceable, not just functionally correct. | Demonstration | verification, surgeon-console, authentication, session-356, idempotency:ver-sub058-auth-motion-356 |
| VER-MAIN-053 | Verify SUB-MAIN-015: Position calibrated cosine-corrected irradiance meter at 100mm working distance from illumination source. Measure surface irradiance during continuous illumination for 30 minutes. Pass: measured irradiance remains ≤100 mW/cm² throughout; no rising trend indicative of thermal runaway. Rationale: Cosine-corrected irradiance meter matches tissue surface geometry. 30-minute duration exceeds typical surgical procedure phase length to detect drift. Direct measurement is the only reliable verification method for a photon dose safety limit. | Test | |
| VER-MAIN-053 | Verify SUB-MAIN-060: Power on Console Computer from cold start 10 times; measure time from power-on to completion of self-test (including comms link, instrument detection, display check) using internal timestamp log; pass criterion: all 10 runs complete self-test within 90 seconds with all subsystems reporting ready. Rationale: Cold-start verification from power-off state, not warm reboot, is the clinically relevant scenario. 10 repeats provide statistical confidence across power-supply and thermal variation. The 90-second criterion directly matches the pre-operative scrub-in workflow window. | Test | verification, surgeon-console, startup, session-356, idempotency:ver-sub060-startup-test-356 |
| VER-MAIN-054 | Verify SUB-MAIN-016: Inject timestamp-tagged test frames at the camera sensor input; measure elapsed time to rendered display output using synchronised hardware timers. Run 1,000 frames at full 60Hz frame rate with all IPP enhancements active. Pass: latency ≤2ms for all 1,000 frames; no frame drops. Rationale: Hardware timestamping eliminates OS scheduling jitter from the measurement. 1,000-frame sample covers statistically rare worst-case IPP pipeline stalls. 2ms budget is the IPP allocation within the 33.3ms surgeon-to-display path. | Test | |
| VER-MAIN-054 | Verify SUB-MAIN-061: Disable Voice Command Module via software fault injection; confirm system remains in OPERATIONAL state with all foot pedal and master arm controls functioning normally; confirm voice failure is annunciated on console display; pass criterion: no robotic motion interruption on voice module loss, all alternative input channels remain active. Rationale: Fault injection test is the only method to verify graceful degradation without relying on a real hardware failure. The check on alternative input channels confirms the voice module is correctly isolated from the critical motion control path, not just that the fault detection works. | Test | verification, surgeon-console, degraded-mode, session-356, idempotency:ver-sub061-voice-degraded-356 |
| VER-MAIN-055 | Verify SUB-MAIN-018: Enable continuous recording on the Procedure Video Recorder and run a 180-minute simulated procedure session. Verify the composite 2D video stream is written without frame loss. Post-session, confirm recorded file integrity with frame-count check and checksum. Pass: 180-minute uninterrupted recording with ≤0 dropped frames and intact file checksum. Rationale: 180 minutes exceeds the 95th-percentile robotic procedure duration, providing confidence the recorder does not exhibit buffer overflow or storage performance degradation over typical procedure lengths. | Test | |
| VER-MAIN-055 | Verify IFC-MAIN-039: With Surgeon Interface Panel and Console Computer connected via EtherCAT bus, drive master arms through full workspace motion while logging upstream pose timestamps and downstream force command timestamps; measure bidirectional latency for 10000 cycles; pass criterion: upstream and downstream latency each below 1ms at 99.9th percentile, zero dropped cycles over 30-minute continuous run. Rationale: 10000 cycles at 1kHz provides a 10-second sample per run, repeated over 30 minutes to catch thermal drift and bus saturation effects. The 99.9th percentile criterion aligns with the haptic transparency requirement where occasional single-cycle exceedances are perceptible but rare. | Test | verification, surgeon-console, haptic, session-356, idempotency:ver-ifc039-sip-cc-ethercat-356 |
| VER-MAIN-056 | Verify SUB-MAIN-020: Place calibrated photodiode and tissue phantom (10mm optical depth matching published ICG tissue parameters) at surgical working distance. Enable fluorescence mode at 805nm. Measure irradiance at tissue surface and compare against ICG SNR threshold (>3:1 contrast). Switch to NIR mode and verify switchover time with hardware timer. Pass: surface irradiance ≥5 mW/cm²; SNR >3:1; mode switch ≤200ms. Rationale: Tissue phantom replicates 10mm optical path specified in SUB-MAIN-020. Photodiode measurement is ground truth for irradiance. SNR >3:1 is the published clinical utility threshold for ICG sentinel node mapping. Mode switch measured with hardware timer to exclude display latency. | Test | |
| VER-MAIN-056 | Verify SUB-MAIN-066: Drive each master arm through a 100mm/s continuous Cartesian trajectory for 60 seconds; sample pose output at 10kHz via test instrumentation and compute power spectral density to confirm 1kHz fundamental; measure position quantisation; pass criterion: pose data present at 1kHz plus or minus 5Hz, position quantisation no coarser than 0.1mm, zero dropped samples over 60 seconds. Rationale: Spectral analysis of the pose stream is the most reliable method to verify the actual output rate independent of internal timestamps. The 10kHz instrumentation sample rate provides Nyquist margin above the 1kHz criterion. Quantisation is verified by calculating minimum position step in recorded trajectory data. | Test | verification, surgeon-console, haptic, session-356, idempotency:ver-sub066-sip-pose-rate-356 |
| VER-MAIN-057 | Verify SUB-MAIN-021: Using the surgeon console UI on a representative surgical site, activate each of the ≥3 image enhancement modes (gain, contrast, colour balance). Confirm each mode is selectable, applied within one display frame (≤16.7ms), and independently toggleable. Pass: all ≥3 modes available and functional; no mode interaction artifacts; switching time ≤16.7ms. Rationale: Demonstration by a trained operator reflects real-world intraoperative access patterns. Frame-synchronous switching avoids tearing artefacts which could disorient the surgeon. | Demonstration | |
| VER-MAIN-057 | Verify SUB-MAIN-067: Command step force inputs at 10N/s ramp from Console Computer; measure force output at master arm fingertips with calibrated force plate at 10kHz; compute step response latency and steady-state error; pass criterion: latency from command to 90 percent of commanded force below 1ms, steady-state error within 15 percent of commanded value across 0 to 5N range. Rationale: Step input characterisation is the standard method for actuator latency measurement. Force plate at 10kHz provides resolution well above the 1ms criterion. The 90 percent threshold for latency avoids confounding rise time with latency in the time-domain measurement. | Test | verification, surgeon-console, haptic, session-356, idempotency:ver-sub067-haptic-force-356 |
| VER-MAIN-058 | Verify SUB-MAIN-022: Apply known reference forces (0.1N, 0.5N, 1N, 2N, 5N) to instrument tip via calibrated force applicator across all three axes. Record Haptic Controller output force readings. Pass: measured error ≤0.1N at each reference point across all axes; linearity error ≤5% full scale. Rationale: Calibrated force applicator provides ground-truth reference independent of the sensor under test. Multi-axis testing is necessary because cable-driven instruments exhibit cross-axis coupling; each axis must be independently verified. | Test | |
| VER-MAIN-058 | Verify SUB-MAIN-068: Using a calibrated test rig, release master arm handle rapidly 100 times; measure time from sensor contact break to Console Computer inhibit signal via logic analyser; pass criterion: all 100 events inhibited within 50ms of contact break, instrument-side motion ceases within 1ms of inhibit signal. Rationale: 100-event sample provides statistical confidence on the 50ms upper bound with probability of passing by chance less than 0.001 for a system with 60ms true latency. The downstream motion cessation check closes the loop to confirm inhibit propagation reaches the instrument, not just the console output. | Test | verification, surgeon-console, safety, session-356, idempotency:ver-sub068-handle-engage-356 |
| VER-MAIN-059 | Verify SUB-MAIN-024: Command the Master Handle Actuator to render increasing force magnitudes (0.5N, 1N, 1.5N, 2N, 2.5N, 3N, 3.5N). Measure actual handle output force with in-line load cell. Pass: output force ≤2N for all commanded values; no force breakthrough for commanded values ≥2N. Rationale: The 2N limit is a patient safety threshold derived from tissue fragility models. Verification with in-line load cell provides calibrated ground truth independent of the actuator control firmware. Testing at values above the limit verifies the saturation behaviour, not just nominal operation. | Test | |
| VER-MAIN-059 | Verify SUB-MAIN-069: Conduct IEC 62304 compliance audit against software lifecycle documentation; review development traceability matrix from requirements to software units; inspect MDR 2017/745 Annex I checklist; pass criterion: all Class C activities evidenced, no gaps in requirements-to-code traceability, all Annex I essential requirements addressed. Rationale: IEC 62304 and MDR compliance are regulatory obligations verified by notified body inspection, not by functional test. The audit-and-inspection method matches the regulatory assurance activity required for CE marking. | Inspection | verification, surgeon-console, compliance, session-356, idempotency:ver-sub069-iec62304-audit-356 |
| VER-MAIN-060 | Verify SUB-MAIN-025: Apply 500V AC test voltage across Force Signal Conditioner isolation barrier per IEC 60601-1 clause 8.8. Measure dielectric withstand for 60 seconds. Measure working isolation voltage. Pass: no breakdown or flashover at 500V; working isolation ≥400V DC per IEC 60601-1 Type BF applied part. Rationale: Dielectric withstand test at 500V is the IEC 60601-1 mandatory type test for BF applied parts. This is the regulatory gold standard; simulation cannot substitute for high-voltage breakdown testing. | Test | |
| VER-MAIN-060 | Verify SUB-MAIN-070: Inject software exception into Console Computer via debug interface; measure time from exception trigger to SAFE-HOLD broadcast on subsystem bus; verify all subsystems acknowledge safe-state; check non-volatile storage contains 30-second pre-fault data; pass criterion: SAFE-HOLD within 500ms, all subsystems acknowledge, data readable post-fault. Rationale: Direct exception injection is the only reliable method to verify software failsafe behaviour without waiting for a real fault. Timing of safe-state broadcast is measured at the bus level to capture total system latency including exception handler execution time. | Test | verification, surgeon-console, safety, session-356, idempotency:ver-sub070-cc-failsafe-356 |
| VER-MAIN-061 | Verify SUB-MAIN-027: Timestamp kinematic command frames at RTPE output and at arm controller receipt using synchronised hardware clocks. Measure end-to-end latency across the fibre link under full 1kHz traffic load for 60,000 consecutive frames (60 seconds). Pass: latency ≤3ms for all frames; zero frame loss. Rationale: Hardware-synchronised timestamps eliminate clock drift error from the measurement. 60,000 frames captures rare burst-traffic interactions. 3ms is the CDMS allocation within the 100ms system command latency budget. | Test | |
| VER-MAIN-061 | Verify IFC-MAIN-041: Connect a calibrated timing analyser to the Real-Time Protocol Engine frame-delivery output. Drive the Inter-Cart Fibre Link with a synthetic 1kHz frame generator. Capture 100,000 consecutive inter-frame intervals and compute maximum jitter. Pass criterion: maximum jitter does not exceed 5 microseconds. Inject a frame with corrupted CRC and confirm the validity flag is asserted within one frame period. Rationale: Integration test verifying that the optical receiver and SERDES layer deliver frames to the Real-Time Protocol Engine within the timing specification required for SUB-MAIN-071 compliance. | Test | verification, motion-control, infrastructure, session-357 |
| VER-MAIN-062 | Verify SUB-MAIN-029: Enable PDR recording while running full 1kHz kinematic loop and dual 1080p video streams simultaneously. Record for 60 minutes. Analyse log file: verify kinematic data timestamps at 1ms intervals with jitter ≤100μs; verify stereo video frame sequence integrity. Pass: 1kHz rate maintained with ≤100μs jitter; no dropped frames in either video stream; log file checksum valid. Rationale: Simultaneous full-load testing validates PDR does not degrade control loop performance via resource contention. Timestamp jitter analysis detects DMA buffer overruns that would compromise forensic value of recordings. | Test | |
| VER-MAIN-062 | Verify IFC-MAIN-042: Configure Network Management Controller and two Joint Servo Controller test nodes on a bench EtherCAT segment. Capture 50,000 consecutive process data object exchanges using an EtherCAT frame monitor. Pass criteria: bus cycle achieves 1ms ±50μs; all process data objects contain target angle, feed-forward torque, mode, and fault mask fields; fault mask disablement of one node does not affect frame delivery to the remaining node within the same cycle. Rationale: EtherCAT process data object structure and timing must be verified at the subsystem integration level before patient-side cart integration. A 2-node bench test validates the topology management and per-node fault isolation behaviour defined in SUB-MAIN-074. | Test | verification, motion-control, infrastructure, session-357 |
| VER-MAIN-063 | Verify SUB-MAIN-039: Instrument the Trajectory Generator software with execution timing instrumentation. Run 60,000 consecutive trajectory computation cycles under worst-case kinematic complexity (maximum joint velocities, simultaneous 6-DOF motion, active tremor filter). Measure per-cycle wall-clock execution time. Pass: all 60,000 cycles complete within 1ms; no overruns detected by watchdog timer. Rationale: 60,000 cycles provides >99.9% confidence interval for rare worst-case branch paths. Watchdog timer provides independent overrun detection separate from the instrumented timing, preventing self-referential measurement errors. | Test | |
| VER-MAIN-063 | Verify IFC-MAIN-043: On target Real-Time Compute Node hardware, activate the DMA transfer path to the Procedure Data Recorder NVMe array. Capture PCIe transaction timestamps using a logic analyser on the PCIe bus for 60 minutes at 1kHz. Pass criteria: no DMA transfer latency exceeds 10 microseconds; all frames contain valid 64-bit UTC timestamp, 7-element angle, torque, and 6-element velocity arrays; zero frames are missing from the recorder file verified by sequence number continuity check. Rationale: The 60-minute soak validates steady-state NVMe write performance under sustained 1kHz load, including garbage collection pauses that might delay individual DMA completions. Sequence number verification provides a comprehensive check on data completeness without relying on file size alone. | Test | verification, motion-control, infrastructure, session-357 |
| VER-MAIN-064 | Verify SUB-MAIN-047: Connect calibrated 50Ω tissue-impedance test load. Command ESG to minimum (10W) and maximum (400W) output. Measure output power with RF wattmeter at each set point. Pass: measured power within ±5% of commanded value at both limits; no output until activation signal present. Rationale: 10-400W monopolar range covers standard laparoscopic and open surgical applications. RF wattmeter provides calibrated power measurement per IEC 60601-2-2. ±5% accuracy is the maximum tolerable power error for tissue effect repeatability. | Test | |
| VER-MAIN-064 | Verify IFC-MAIN-025: On the Real-Time Compute Node, inject scaled 6-DOF Cartesian velocity vectors at 1kHz from the Motion Scaling Module output. Using kernel timestamps, measure the latency from Motion Scaling Module output publication to Trajectory Generator input read. Pass criterion: latency does not exceed 50 microseconds for 99.9th percentile over 60,000 samples; no samples are dropped; scaled magnitudes are preserved within floating-point precision (1 ULP tolerance). Rationale: IFC-MAIN-025 has no existing verification entry. This test validates the shared-memory ring buffer pathway between the two software components on the Real-Time Compute Node, ensuring no priority inversion or scheduler jitter causes a velocity command to be silently dropped or delayed beyond the pipeline budget. | Test | verification, motion-control, session-357 |
| VER-MAIN-065 | Verify SUB-MAIN-050: Simultaneously command RF activation and ultrasonic activation via the Energy Delivery Controller interface. Verify the controller asserts exactly one modality within the same test cycle and logs a mutual-exclusion violation event. Repeat for 1,000 concurrent command pairs. Pass: RF and ultrasonic never simultaneously active; violation logged in 100% of cases. Rationale: Concurrent RF+ultrasonic activation is the failure mode that can cause uncontrolled tissue heating. 1,000 concurrent command pair test provides statistical confidence that the mutex logic has no race-condition path. Must be tested at the hardware interface level, not software simulation. | Test | |
| VER-MAIN-065 | Verify IFC-MAIN-024: Inject synthetic 7-DOF velocity signals at 1kHz with frequency components at 2Hz (intentional), 8Hz, 10Hz, and 12Hz (tremor). Measure the output stream from Tremor Rejection Filter to Motion Scaling Module; verify spectral power above 6Hz is attenuated by at least 40dB and below 3Hz is preserved within 0.5dB. Measure end-to-end latency from input to filtered output: SHALL be less than 5ms. Pass criterion: all three spectral and latency limits met across 60-second run. Rationale: Integration test verifying IFC-MAIN-024 interface compliance end-to-end at the component boundary, covering both the frequency-domain and timing properties required for safe motion command delivery. | Test | verification, motion-control, tremor, session-358, idempotency:ver-ifc024-tremor-filter-output-358 |
| VER-MAIN-066 | Verify SUB-MAIN-052: Using ex-vivo vessel tissue samples, apply ultrasonic energy and monitor TEM impedance output. Measure impedance at confirmed seal completion (visual and histological). Pass: TEM detects impedance rise within 500ms of confirmed vessel seal; false positive rate <5% on non-sealed tissue. Rationale: Ex-vivo tissue testing provides the ground-truth biological reference for impedance-based seal detection. Histological confirmation eliminates observer bias. 500ms detection window prevents energy over-delivery which causes thermal spread injury. | Test | |
| VER-MAIN-066 | Verify IFC-MAIN-025: Command scaled Cartesian velocity at each of the three scaling ratios (3:1, 5:1, 10:1). At the Trajectory Generator input, measure received velocity magnitude and confirm it matches expected scaled value within 0.1%. Inject a velocity command exceeding the 200mm/s limit and confirm the interface clamps output to 200mm/s within one 1ms cycle. Run 10,000 consecutive frames; verify zero dropped or reordered packets. Pass criterion: all accuracy, clamping, and delivery checks pass. Rationale: Integration test verifying IFC-MAIN-025 scaling accuracy, velocity clamping safety, and data integrity across the Motion Scaling to Trajectory Generator boundary. | Test | verification, motion-control, scaling, session-358, idempotency:ver-ifc025-scaling-traj-358 |
| VER-MAIN-067 | Verify SUB-MAIN-053: Configure EDC with 5-second timeout. Activate energy delivery and allow to run without surgeon intervention. Verify energy is automatically de-activated at 5 seconds. Repeat with 100ms, 1s, and 5s intervals. Pass: automatic termination in all cases; ≤10ms overshoot beyond timeout; audible alert generated on each termination. Rationale: Automatic timeout is the primary guard against unintentional tissue damage from persistent energy delivery. 10ms overshoot tolerance accounts for RTOS task scheduling. Test at three timeout values verifies the timer across different operational contexts. | Test | |
| VER-MAIN-067 | Verify IFC-MAIN-026: Inject a 3D Cartesian pose trajectory via the Trajectory Generator. At the Kinematics Engine input, record received pose setpoints at 1kHz. Verify S-curve velocity profile is present (measure acceleration continuity). Inject a setpoint that violates workspace limit and verify the Trajectory Generator aborts the segment and outputs ABORT within one 1ms cycle. Pass criterion: all S-curve and abort-timing checks pass across 5 representative trajectories. Rationale: Validates IFC-MAIN-026 interpolated pose delivery, timing integrity, and abort-on-violation behavior at the Trajectory Generator to Kinematics Engine boundary. | Test | verification, motion-control, trajectory, session-358, idempotency:ver-ifc026-traj-ke-358 |
| VER-MAIN-068 | Verify SUB-MAIN-065: Submit Haptic Feedback Subsystem to accredited test laboratory for IEC 60601-1 series evaluation covering: dielectric strength, leakage current, protective earth, enclosure protection (IP54), and EMC per IEC 60601-1-2. Pass: test laboratory issues certificate of compliance with no critical non-conformances. Rationale: IEC 60601-1 compliance certification requires accredited third-party laboratory testing — self-certification is not accepted by notified bodies for Class IIb medical devices. Accreditation is a regulatory prerequisite for CE marking and FDA 510(k) submission. | Test | |
| VER-MAIN-068 | Verify IFC-MAIN-027: Command a 360-degree joint rotation at maximum velocity for each of the 7 arm joints. At the Joint Servo Controller input, measure received joint angle setpoints at 1kHz. Verify setpoint-to-setpoint delta is within joint velocity limit. Measure position tracking error during continuous trajectory: SHALL be below 0.1 degrees RMS. Inject a setpoint discontinuity and verify it is rejected and a fault event generated within 2ms. Pass criterion: all velocity, tracking, and rejection checks pass. Rationale: Validates IFC-MAIN-027 joint angle delivery rate, magnitude continuity, and fault rejection at the Kinematics Engine to Joint Servo Controller boundary. | Test | verification, motion-control, servo, session-358, idempotency:ver-ifc027-ke-servo-358 |
| VER-MAIN-069 | Verify SUB-MAIN-040: Command the Motion Scaling Module to each of 3:1, 5:1, 7:1, and 10:1 scaling ratios. Apply 10mm/s master handle displacement in each axis. Measure instrument tip displacement. Pass: tip displacement equals master displacement divided by selected ratio ±1%; ratio applies uniformly to all six DOF. Rationale: Direct kinematic measurement at each prescribed ratio is the authoritative test. 1% tolerance reflects achievable precision of cable-driven instrument actuation. Six-DOF uniform application prevents axis-dependent scaling errors that cause surgeon disorientation. | Test | |
| VER-MAIN-069 | Verify IFC-MAIN-028: Load a patient anatomy mesh with five known no-go boundaries. Command arm motion toward each boundary at 50mm/s approach velocity. Measure: (a) repulsive torque onset latency from 5mm threshold crossing to first corrective command (SHALL be within 1ms), (b) final approach velocity at boundary (SHALL be below 5mm/s), (c) WORKSPACE_MODEL_FAULT generation time when mesh is invalidated (SHALL be within 50ms). Pass criterion: all three latency and velocity limits met across all five boundaries. Rationale: Validates the IFC-MAIN-028 proximity enforcement channel under realistic anatomy-boundary approach conditions, confirming that the WSE repulsive constraint prevents boundary violation at the required response latency. | Test | verification, motion-control, workspace-safety, session-358, idempotency:ver-ifc028-wse-ke-358 |
| VER-MAIN-070 | Verify SUB-MAIN-041: With HIL simulator, command the Trajectory Generator to compute segments approaching within 10%, 5%, 2%, and 1% of workspace boundary. Verify the generator clamps the trajectory at the boundary margin and generates a workspace-limit event. Pass: no trajectory segment exceeds the defined boundary; workspace-limit event generated in all approach cases. Rationale: HIL testing allows precise boundary approach scenarios that are infeasible on physical hardware without collision risk. Boundary clamping prevents instrument-tissue collision caused by commanded trajectories that exceed reachable workspace. | Test | |
| VER-MAIN-070 | Verify end-to-end MC subsystem pipeline: Apply a 10mm/s step velocity input at the master manipulator representing a 10:1 scaled command. Measure elapsed time from surgeon input reception to Joint Servo Controller setpoint update. SHALL be within 1ms total pipeline latency. Simultaneously inject 9Hz tremor component; verify it is attenuated by at least 40dB at the Joint Servo Controller input. Inject workspace boundary approach; verify repulsive torque present before boundary crossing. Run on three-arm configuration at 1kHz for 60 minutes with no control cycle overruns. Pass criterion: latency, attenuation, boundary, and reliability checks all pass. Rationale: End-to-end system integration test exercises the complete Tremor Rejection Filter to Joint Servo Controller chain simultaneously, confirming that pipeline latency, tremor rejection, safety enforcement, and reliability figures are all met together under peak load, not just in isolation. | Test | verification, motion-control, integration, session-358, idempotency:ver-e2e-mc-pipeline-358 |
| VER-MAIN-071 | Verify SUB-MAIN-042: Command the Motion Scaling Module to issue velocity commands at 90%, 100%, 110%, 150%, and 200% of the 25mm/s safety limit. Measure actual instrument tip velocity for each command. Pass: tip velocity clamped to ≤25mm/s for all commanded values ≥100%; safety saturation event generated for each over-limit command. Rationale: Testing at multiples of the limit (110%, 150%, 200%) verifies the saturation logic holds under extreme over-command conditions that might occur if scaling parameters are incorrectly configured. Safety saturation event enables autonomous loop review of velocity limit violations. | Test | |
| VER-MAIN-071 | Verify IFC-MAIN-001: Inject calibrated torque loads via a torque motor fixture on each arm joint in sequence. Confirm the Joint Force Monitor detects and broadcasts limit exceedance within 2ms. Pass criterion: all 7 joints trigger within 2ms with zero false negatives over 1000 consecutive injection cycles at 1kHz sampling. Rationale: IFC-MAIN-001 specifies the joint force safety limit interface. This test validates the 2ms detection latency required for safe force limiting — failure to detect within this window risks tissue damage or structural overload. 1000-cycle statistical basis required due to IEC 62061 SIL 2 demands on the safety function. | Test | verification, safety, joint-force-monitor, session-360 |
| VER-MAIN-072 | Verify SUB-MAIN-044: Log power enable signals for all subsystems during system startup using logic analyser. Verify sequencing order matches the prescribed sequence (SIS → computing → motion → displays → energy) with ≥100ms margin between each stage. Pass: correct order in 20 consecutive cold-start cycles; inter-stage margin ≥100ms. Rationale: Logic analyser provides hardware-level ground truth for power sequencing independent of firmware reporting. 20 cold-start cycles tests consistency across power-supply voltage variation within tolerance. 100ms margin prevents sequencing race conditions during transient loads. | Test | |
| VER-MAIN-072 | Verify IFC-MAIN-002: Actuate E-stop at each of the three locations (surgeon console, patient-side cart, circulating nurse button). Measure time from contact open to servo drive inhibit across all active joints. Pass criterion: de-energisation within 150ms at all three actuation points, zero motion after inhibit signal, confirmed across 50 trials each location. Rationale: IFC-MAIN-002 defines the hardwired E-stop interface to servo power. The 150ms de-energisation budget is derived from IEC 60601-1 general collapse time limit for Class II medical devices; failure to de-energise risks operator injury from uncontrolled arm motion. Physical actuation testing is mandatory — simulation cannot validate the hardware interlock chain. | Test | verification, safety, emergency-stop, session-360 |
| VER-MAIN-073 | Verify SUB-MAIN-045: Simulate main power loss by removing main power input. Measure time from main power loss to Auxiliary Power Supply energised output reaching nominal voltage on SIS and Watchdog rails. Sustain auxiliary load for 60 seconds. Pass: SIS and Watchdog rails remain within ±5% of nominal throughout 60-second auxiliary hold; main power transition ≤10ms. Rationale: Physical power removal test is the only reliable method to validate auxiliary hold-up time under real capacitor state-of-charge conditions. 60 seconds exceeds the safe-state procedure time to confirm the system can execute full shutdown without main power. | Test | |
| VER-MAIN-074 | Verify SUB-MAIN-046: Inject calibrated stereo test pattern (known disparity map) into Image Processing Pipeline while simultaneously processing all surgeon-selected enhancement modes. Measure disparity map accuracy at pipeline output. Pass: disparity RMS error ≤0.5 pixels; no enhancement mode degrades stereo depth accuracy. Rationale: Known disparity pattern provides quantitative ground truth for stereoscopic processing accuracy. Testing with all enhancement modes active verifies that image processing algorithms do not corrupt inter-frame phase relationships required for depth calculation. | Test | |
| VER-MAIN-074 | Verify IFC-MAIN-001: Apply calibrated torque to each arm joint. Confirm Joint Force Monitor detects limit exceedance within 2ms over 1000 cycles at 1kHz. Pass: all 7 joints trigger within 2ms, zero false negatives. Rationale: IFC-MAIN-001 defines the joint force safety detection interface at 1kHz. The 2ms limit is derived from the 5ms total safety response budget under IEC 62061 SIL 2. Statistical basis of 1000 cycles required for SIL 2 probability of failure on demand. | Test | verification, safety, session-360 |
| VER-MAIN-075 | Verify SUB-MAIN-048: Send RF activation command to Electrosurgical Generator and measure time from command receipt to full rated output power (±5% of set point) using calibrated RF power sensor and oscilloscope. Test at 50W, 200W, and 400W. Pass: full output achieved within 100ms at all set points. Rationale: Activation latency directly affects surgeon cut/coagulate feel. 100ms is the maximum delay before the surgeon perceives a response lag. Testing at three power levels verifies the power ramp rate is consistent across the full range, not only at nominal settings. | Test | |
| VER-MAIN-075 | Verify IFC-MAIN-002: Actuate E-stop at all three locations (surgeon console, patient-side cart, circulating nurse). Measure time from contact open to servo drive inhibit. Pass: de-energisation within 150ms at each location, zero motion after inhibit, 50 trials per location. Rationale: IFC-MAIN-002 defines the hardwired E-stop to servo drive interface. The 150ms de-energisation budget is set by IEC 60601-1 clause 9.8.3 maximum permitted collapse time for active implant-class devices. Physical actuation mandatory — simulation cannot validate the HW interlock chain. | Test | verification, safety, emergency-stop, session-360 |
| VER-MAIN-076 | Verify SUB-MAIN-049: Connect calibrated frequency counter to Ultrasonic Energy Module transducer output. Command activation at minimum, nominal, and maximum drive amplitude. Measure operating frequency. Pass: frequency within 55.5kHz ±200Hz across all drive levels; no harmonic oscillation above -40dB relative to fundamental. Rationale: 55.5kHz ±200Hz is the manufacturers tolerance band for ultrasonic transducer resonance. Frequency deviation beyond this band causes off-resonance operation, reducing cavitation efficiency and increasing transducer heating. Harmonic check ensures mechanical resonance does not activate tissue at unexpected frequencies. | Test | |
| VER-MAIN-076 | Verify IFC-MAIN-003: Inject bit-error patterns at rates of 1e-6, 1e-5, and 1e-4 BER on the inter-cart fibre link using a channel impairment tool. Confirm Communication Monitor detects each error within one frame period (1ms). Pass: detection within 1ms for all injected errors, fault isolation to affected channel within 3ms, no false alarm rate above 1e-5 per hour. Rationale: IFC-MAIN-003 requires the Communication Monitor to expose CRC errors on the fibre link within one frame period. Verification requires BER injection because real-world fibre faults are too infrequent to validate statistically in test; the no-false-alarm threshold prevents nuisance shutdowns under IEC 62061 SIL 2 diagnostic coverage requirements. | Test | verification, safety, communication-monitor, session-360 |
| VER-MAIN-077 | Verify SUB-MAIN-030: Inject synthetic frame sequence errors and CRC-failed frames into the RTPE input stream at rates of 1 per 10,000 frames (normal), 1 per 100 frames (degraded), and consecutive 10 frames (burst). Verify RTPE falls back to last-known-good command and generates a communication-integrity alert within one 1ms cycle. Pass: no propagation of corrupted commands; alert generated within 1ms; fallback command applied within one cycle of detection. Rationale: Sequence error and CRC failure injection replicates the electromagnetic interference conditions expected in an OR environment. Three injection rates test normal noise, degraded link, and burst-fault scenarios. 1ms response matches the 1kHz RTPE cycle period — critical for maintaining kinematic continuity. | Test | |
| VER-MAIN-077 | Verify IFC-MAIN-004: Trigger each of the three safety state transitions (OPERATIONAL to DEGRADED, DEGRADED to HALTED, OPERATIONAL to HALTED) using fault injection on Safety and Interlock Subsystem inputs. Measure broadcast latency from trigger to state word receipt on Motion Control bus. Pass: broadcast within 5ms for all transitions, all subsystems acknowledge within 10ms. Rationale: IFC-MAIN-004 specifies the Safe State Manager broadcast timing that gates downstream subsystem response. The 5ms broadcast budget and 10ms acknowledgement window are derived from the overall 150ms E-stop response chain; missing this window causes subsystems to act on stale state. | Test | verification, safety, safe-state-manager, session-360 |
| VER-MAIN-078 | Verify SUB-MAIN-023: Apply defined force profiles (0.1N, 0.5N, 1N, 2N step and ramp) at instrument tip via force fixture. Measure rendered force at master handle with calibrated load cell. Pass: rendered force tracks commanded profile with ≤10ms latency and ≤15% magnitude error. Rationale: Haptic rendering fidelity is central to safe tissue manipulation — rendering delay >10ms breaks surgeon sensorimotor loop. 15% magnitude tolerance reflects the haptic JND (just-noticeable difference) threshold for surgical tactile tasks. | Test | |
| VER-MAIN-078 | Verify IFC-MAIN-005: Drive the surgeon console master handles through representative surgical motion profiles at 10Hz, 50Hz, and 200Hz command rates. Confirm the Motion Scaling Module receives commands at specified rate with end-to-end latency under 100ms. Pass: commanded velocity received within 100ms at all rates, no dropped commands at 10Hz or 50Hz over a 60-second run. Rationale: IFC-MAIN-005 defines the surgeon console to motion scaling command interface. The 100ms end-to-end latency budget is the clinically established threshold for transparent teleoperation; exceeding it causes surgeon disorientation and loss of feel. Test at 200Hz exercises the interface beyond nominal rate to confirm no buffer overflow or frame drop degradation. | Test | verification, motion-control, surgeon-console, session-360 |
| VER-MAIN-079 | Verify SUB-MAIN-073: Measure EtherCAT distributed clock synchronisation error across all servo nodes using network oscilloscope capture of SYNC0 pulses. Run for 30 minutes under full motion load. Pass: synchronisation error ≤1μs peak across all nodes; no sync loss events in 30 minutes. Rationale: EtherCAT distributed clock jitter >1μs causes inter-axis coordination errors at 1kHz update rates, producing visible vibration artefacts. Network oscilloscope measures the actual hardware SYNC0 timing, independent of application-layer reporting. | Test | |
| VER-MAIN-079 | Verify IFC-MAIN-006: Transmit 250Hz joint position command stream from Motion Control System to Patient-Side Cart over the inter-cart fibre link for 30 minutes under surgical load simulation. Measure jitter and inter-frame gap. Pass: command stream arrives at 250Hz ±0.5Hz, inter-frame jitter less than 500us, zero missing frames in any 1-second window. Rationale: IFC-MAIN-006 specifies the 250Hz joint command rate that drives servo loop stability. Jitter above 500us causes the servo PID to perceive command steps rather than smooth trajectories, degrading tip positioning accuracy. Thirty-minute duration covers a typical operative case to detect thermal or load-dependent drift. | Test | verification, motion-control, joint-command, session-360 |
| VER-MAIN-080 | Verify SUB-MAIN-080: Apply known test signals at 1Hz, 4Hz, 8Hz, 12Hz, 16Hz, and 20Hz to Tremor Rejection Filter input. Measure filter output amplitude. Pass: attenuation <3dB for frequencies ≤8Hz (pass-band); attenuation >40dB at 12Hz and above (stop-band); zero-phase shift confirmed by cross-correlation. Rationale: 8th-order Butterworth specification mandates the pass/stop band boundary at 8Hz. Zero-phase requirement prevents the filter from adding predictive bias to surgeon intent, which would cause over/undershoot in intentional motions. Direct frequency sweep is the only reliable method to characterise a real-time DSP filter. | Test | |
| VER-MAIN-080 | Verify IFC-MAIN-007: Interrupt the safety heartbeat between Motion Control System and Safety and Watchdog System at intervals of 50ms, 100ms, and 200ms by injecting clock hold on the motion control output. Confirm Safety Subsystem detects each interruption and enters DEGRADED state. Pass: detection and DEGRADED transition within 110ms of first missed heartbeat, recovery to OPERATIONAL within 500ms of restored heartbeat. Rationale: IFC-MAIN-007 defines the safety heartbeat interface that provides liveness monitoring between subsystems. The 110ms detection window equals two missed heartbeat periods; the recovery time ensures the system can resume operation without manual reset after transient link failures, reducing unnecessary procedure interruptions. | Test | verification, safety, heartbeat, session-360 |
| VER-MAIN-081 | Verify SUB-MAIN-085: Introduce mechanical friction to joint under test to induce position error of 0.3°, 0.5°, 1°, and 2°. Measure time from error detection to power-hold command issued to motor driver. Pass: power-hold command issued within 20ms of crossing 0.5° threshold; alert generated for all crossings. Rationale: Physical friction induction replicates real joint-error conditions (cable stretch, mechanism wear) more faithfully than software simulation. 20ms response time allocates one-fifth of the 100ms command-to-arm latency budget to the servo error detection path. | Test | |
| VER-MAIN-081 | Verify IFC-MAIN-008: Transmit full-resolution stereo video stream from Vision and Imaging System to Surgeon Console at 60Hz for 60 minutes. Measure end-to-end latency from photon at endoscope to pixel on display. Pass: latency under 100ms at 99th percentile, zero dropped frames in any 10-second window, colour fidelity within ΔE<2 against reference chart. Rationale: IFC-MAIN-008 defines the stereo video interface from imaging to display. The 100ms latency limit is the clinical threshold for visual-motor coordination; ΔE<2 is the clinical colour reproduction standard for surgical tissue discrimination. Sixty-minute run mirrors a typical laparoscopic case duration. | Test | verification, vision, stereo-video, session-360 |
| VER-MAIN-082 | Verify SUB-MAIN-109: Enable PDR with full kinematic+video+event stream. Measure storage write throughput with disk performance monitor during 60-minute simulated procedure. Pass: sustained write throughput ≥500 MB/s throughout; no buffer overflow events; write latency ≤2ms p99. Rationale: PDR throughput must be tested under simultaneous full-data-rate conditions — kinematic at 1kHz and stereo video at 60Hz create correlated burst patterns that a sequential throughput test would miss. 2ms p99 write latency prevents DMA buffer overflow on the RTPE thread. | Test | |
| VER-MAIN-082 | Verify IFC-MAIN-009: Mount calibrated torque measurement fixture to Instrument Drive Unit. Command articulated wrist through 5 representative surgical manoeuvres. Confirm torque feedback data from Surgical Instrument System arrives at Motion Control at 500Hz with values within ±5% of fixture measurement. Pass: 500Hz data continuity across all manoeuvres, <5% error at all load points, no frame gaps above 2ms. Rationale: IFC-MAIN-009 defines the torque feedback interface from instrument to motion control, which drives the haptic rendering and safety torque limiting. The 500Hz rate is set by the haptic loop update frequency; errors above 5% cause inaccurate haptic rendering and unreliable safety limiting. | Test | verification, instrument, torque-feedback, session-360 |
| VER-MAIN-083 | Verify SUB-MAIN-110: After recording a 30-minute session, retrieve the SHA-256 hash from PDR metadata. Independently compute SHA-256 on the recorded file. Pass: hashes match; hash computation completes before next recording session start; hash stored in tamper-evident metadata header. Rationale: Independent hash computation provides a tamper-evidence baseline for regulatory audit trail purposes (EU MDR Article 83). Verifying the hash is stored in a tamper-evident header ensures the integrity check itself cannot be silently overwritten. | Test | |
| VER-MAIN-083 | Verify IFC-MAIN-010: Connect Stereo Endoscope to Camera Control Unit. Acquire 10-minute stereo video stream at 1920x1080 60Hz. Confirm both channels receive synchronised frames within 500us of each other, and pixel clock continuity is maintained. Pass: inter-channel sync within 500us over entire capture, no dropped frames, SNR >50dB per channel. Rationale: IFC-MAIN-010 defines the dual-channel endoscope to CCU interface. Inter-channel sync within 500us is required for stereopsis: timing errors above this threshold introduce perceived depth distortion that impairs surgical judgement. SNR >50dB ensures image quality does not degrade under LED illumination at minimum intensity. | Test | verification, vision, stereo-endoscope, session-360 |
| VER-MAIN-084 | Verify SUB-MAIN-086: Heat the RT Compute Node CPU junction to 88°C using a thermal chamber. Verify the system logs a thermal-throttle event and that the 1kHz kinematic loop continues without missed deadlines. Sustain 88°C for 10 minutes. Pass: thermal-throttle event logged within 1 second of crossing 85°C; ≤0 missed 1kHz deadlines during sustained 88°C operation. Rationale: Thermal chamber testing provides controlled, repeatable temperature conditions independent of ambient variation. The real-time constraint (zero missed deadlines) must be verified at elevated temperature because thermal throttling changes memory bus timing and cache hit rates. | Test | |
| VER-MAIN-084 | Verify end-to-end surgical teleoperation chain: from surgeon master handle motion through kinematics, motion control, fibre link, patient-side joint actuation, to instrument tip displacement, within 100ms total latency under peak load (all 7 joints active, full stereo video, haptic feedback active, energy system armed). Pass: tip displacement follows commanded trajectory within ±1mm, end-to-end latency under 100ms at 99th percentile over 10-minute run, safety monitoring active throughout with no spurious faults. Rationale: System-level integration test validates the full teleoperation chain as an assembled system. Individual subsystem tests cannot reveal timing interactions across the fibre link, shared compute resources, or priority conflicts on the real-time bus that only emerge under concurrent load. This test is the primary evidence for surgical effectiveness claims. | Test | verification, system-integration, end-to-end, session-360 |
| VER-MAIN-085 | Verify SUB-MAIN-077: Inject synthetic traffic at 2 Gbps, 5 Gbps, 8 Gbps, and 10 Gbps bidirectional using RFC 2544 test methodology. Measure achieved throughput and frame loss at each rate. Pass: ≥10 Gbps bidirectional throughput with ≤0.001% frame loss at full load; link stable for 10 minutes at full load. Rationale: RFC 2544 is the standard bidirectional throughput test methodology for point-to-point links. 10 Gbps supports simultaneous 1kHz kinematic commands (small frame, high rate) plus 4K stereo video (large frame, 60Hz) with 30% margin. 10-minute sustained load validates thermal stability of the optical transceiver under continuous operation. | Test | |
| VER-MAIN-085 | Verify IFC-MAIN-011: Apply known forces (0.5N, 1N, 2N, 5N) to the instrument tip using a calibrated force applicator. Confirm Haptic Feedback Subsystem renders corresponding forces at master handle within 15ms and within ±10% of target. Pass: render latency under 15ms, force accuracy within ±10%, no instability or sustained oscillation at any test load. Rationale: IFC-MAIN-011 defines the haptic force rendering interface. The 15ms render latency budget is the threshold for perceptual transparency in force-feedback teleoperation; exceeding it causes time-domain distortion that reduces surgical sensitivity. The ±10% accuracy threshold is set by the minimum force resolution clinically meaningful for tissue differentiation. | Test | verification, haptic, force-rendering, session-360 |
| VER-MAIN-086 | Verify IFC-MAIN-012: Simulate hospital mains interruption by cutting AC supply to the Power Management Subsystem. Confirm UPS Battery Module assumes load within 20ms and supplies all critical rails (24V, 12V, 5V) within ±5% for minimum 10 minutes. Pass: rail voltage maintained within ±5% from 20ms after interrupt, orderly shutdown sequence initiates at 2-minute remaining UPS capacity. Rationale: IFC-MAIN-012 defines the UPS interface between Power Management Subsystem and mains supply. The 20ms switchover limit prevents servo control loop dropout; 10-minute UPS run time allows a controlled procedure termination. Testing with actual supply interruption is required — power supply simulation cannot reproduce inrush dynamics of the real switchover. | Test | verification, power, ups-battery, session-360 |
| VER-MAIN-087 | Verify IFC-MAIN-013: Arm the Electrosurgical Generator with a 50-ohm resistive test load (representing typical tissue impedance). Issue activation command from Energy Delivery Controller. Confirm RF output rises to specified power within 500ms and cuts within 100ms of deactivation. Pass: power on within 500ms, power off within 100ms, no RF output without valid activation command, return electrode impedance check completed before each activation. Rationale: IFC-MAIN-013 defines the Energy Delivery Controller to Electrosurgical Generator activation interface. The 500ms power-on time is acceptable for surgical energy tools; the 100ms off time is safety-critical to prevent inadvertent tissue damage after command withdrawal. Mandatory return electrode check verifies patient protection function. | Test | verification, energy, electrosurgical, session-360 |
| VER-MAIN-088 | Verify IFC-MAIN-020: Present five instrument types to the Instrument Recognition Module in randomised sequence, including an unknown instrument and a previously used instrument at or beyond maximum use count. Confirm correct identification within 2 seconds of coupling and rejection of unknown and expired instruments. Pass: correct ID for all five valid types, rejection with fault code for unknown and expired, zero false accepts. Rationale: IFC-MAIN-020 defines instrument recognition interface. The 2-second recognition window is the maximum acceptable delay between instrument coupling and system readiness; false acceptance of expired instruments risks patient infection or instrument mechanical failure during procedure. | Test | verification, instrument, recognition, session-360 |
| VER-MAIN-089 | Verify IFC-MAIN-044: Inject 12-branch telemetry frames at 10 Hz on the CAN FD bus with simulated fault codes on 2 branches; confirm Power Sequencing Controller receives all frames within 5 ms latency measured by bus analyser, and that galvanic isolation withstands 500 VDC hipot test for 60 s without breakdown. Rationale: Integration test confirms CAN FD frame throughput and latency budget under realistic 12-channel load, plus electrical isolation integrity per IEC 60601-1 reinforced insulation requirements. | Test | verification, power-management, session-361, idempotency:ver-ifc044-pdu-psc-361 |
| VER-MAIN-090 | Verify IFC-MAIN-045: Apply 200 A pulse load (500 ms) via programmable load at PDU input terminals with UPS Battery Module at 30% state-of-charge; measure bus voltage droop and confirm impedance remains below 50 mOhm. Sustain 20 A continuous for 30 minutes and confirm no thermal exceedance on DC link connectors. Rationale: Pulse load test replicates worst-case six-axis arm energisation. Continuous test confirms thermal rating of connectors and cabling at sustained surgical operation current. | Test | verification, power-management, session-361, idempotency:ver-ifc045-ups-pdu-361 |
| VER-MAIN-091 | Verify IFC-MAIN-046: Command Auxiliary Power Supply through charge, standby, and discharge modes via the Power Sequencing Controller discrete control signal; confirm mode transitions are acknowledged within 50 ms by measuring return status signal timing with an oscilloscope; repeat test with CAN bus disconnected to confirm graceful mode operation. Rationale: Timing test confirms mode acknowledgement meets the 50 ms requirement; CAN-bus disconnected test confirms discrete fallback operation critical to the safety argument that auxiliary circuits remain controllable during bus faults. | Test | verification, power-management, session-361, idempotency:ver-ifc046-psc-aux-361 |
| VER-MAIN-092 | Verify SUB-MAIN-089: Inject a 600 µA line-to-earth fault on each branch circuit in sequence under full operational load; confirm that the faulted branch is de-energised within 100 ms and a fault code is received by the Power Sequencing Controller within 105 ms; verify adjacent branches remain energised. Rationale: Tests the full leakage detection and branch isolation response chain per IEC 60601-1 clause 8.7.3; adjacent-branch isolation confirmation prevents common-mode removal of healthy circuits. | Test | verification, power-management, safety, session-361, idempotency:ver-sub089-pdu-gf-361 |
| VER-MAIN-093 | Verify SUB-MAIN-091: Simulate mains voltage collapse to below 80% of nominal under full surgical load using a programmable AC source; measure transfer time from voltage threshold breach to UPS Battery Module supplying load via scope triggers on PDU rail; confirm no subsystem supply interruption exceeds 30 ms. Rationale: End-to-end transfer time measurement confirms the 30 ms budget derived from joint servo controller fault tolerance; measurement at the PDU rail catches any delay in switching circuitry that bench tests of individual components might miss. | Test | verification, power-management, failover, session-361, idempotency:ver-sub091-psc-mains-361 |
| VER-MAIN-094 | Verify SUB-MAIN-090: Charge UPS Battery Module to 100%, then discharge at 20 A constant current while sampling state-of-charge from the battery management system interface at 1 Hz; compare against coulomb-counter reference at 20%, 50%, 80%, and 95% SoC points; confirm accuracy is within plus or minus 2% at each point and that the low-battery warning is asserted when SoC crosses 25%. Rationale: SoC accuracy test at multiple discharge points confirms calibration over the full operating range specified in SUB-MAIN-090; low-battery alert timing is verified at the exact 25% threshold. | Test | verification, power-management, ups, session-361, idempotency:ver-sub090-ups-soc-361 |
| VER-MAIN-095 | Verify SUB-MAIN-092: Apply 0%, 50%, and 100% of rated load to the Auxiliary Power Supply 24 VDC output; confirm output voltage remains within 23.52-24.48 V (plus or minus 2%) at each load point. Then disconnect both mains and UPS inputs and measure time until output drops below 23 V; confirm duration exceeds 20 minutes. Rationale: Load regulation test confirms the plus or minus 2% output accuracy across the full load range; battery endurance test at full rated load confirms the 20-minute minimum independent operation specified in SUB-MAIN-092. | Test | verification, power-management, auxiliary-power, session-361, idempotency:ver-sub092-aux-psu-361 |
| VER-MAIN-096 | Verify SUB-MAIN-033: Command the Instrument Drive Unit through full range on all four degrees of freedom (yaw, pitch, grip, wrist rotation) at 1Hz sweep using a calibrated instrument fixture; measure actuated angle/displacement at the tool tip with encoder feedback; pass criterion: <0.5mm positional error at tool tip, response within 80ms of command. Rationale: Integration test to verify that all four DOF of the Instrument Drive Unit meet the positional accuracy and response time required for precise surgical manipulation. | Test | verification, surgical-instrument-system, instrument, session-362, idempotency:ver-sub-033-idu-dof-362 |
| VER-MAIN-097 | Verify SUB-MAIN-036: Load a representative surgical path (laparoscopic dissection trajectory, 120 waypoints at 10Hz) into the Tool Tip Articulation Controller test harness; inject measured cable elongation offsets for a worn cable set; verify computed cable displacement commands track the reference trajectory with <0.3mm tip position error and complete computation within 8ms per cycle. Rationale: Integration test to verify the Tool Tip Articulation Controller compensates for real-world cable elongation and maintains sub-millimetre tip accuracy at clinical motion rates. | Test | verification, surgical-instrument-system, articulation-controller, session-362, idempotency:ver-sub-036-ttac-362 |
| VER-MAIN-098 | Verify SUB-MAIN-037: Present instruments with use counts at 0, 9, 10, and 11 cycles (boundary conditions) to the Instrument Lifecycle Controller coupling sequence; verify that coupling is permitted at 0 and 9 cycles, rejected with error code LC_EXCEEDED at 10 cycles, rejected at 11 cycles; verify rejection latency <200ms and rejection events are logged to the Procedure Data Recorder. Rationale: Integration test to verify the lifecycle enforcement boundary conditions, including the exact rejection threshold and audit trail — both are required for IEC 62061 and FDA 21 CFR Part 820 traceability of reprocessable instruments. | Test | verification, surgical-instrument-system, lifecycle-controller, session-362, idempotency:ver-sub-037-ilc-362 |
| VER-MAIN-099 | Verify SUB-MAIN-093: Commission an independent functional safety assessment by a competent body; review the Safety and Interlock Subsystem safety case against IEC 62061 requirements for SIL 3; evaluate PFH calculation for joint force limiting, E-stop chain, and communication watchdog functions; pass criterion: PFH <=1E-7/h confirmed by reliability analysis and independent reviewer sign-off. Rationale: SIL 3 compliance requires independent assessment per IEC 62061 clause 12; self-assessment is not acceptable for certification. Pass criterion is the IEC 62061 SIL 3 PFH boundary. | Analysis | verification, sis, compliance, sil3, session-362, idempotency:ver-sub-093-sil3-362 |
| VER-MAIN-100 | Verify PDR failover: With the system recording active (all video and telemetry channels), simulate primary storage medium failure by inducing a write fault via FMEA injection test. Confirm: (1) automatic failover to secondary path within 500ms measured from fault injection, (2) no data loss in the secondary recording stream, (3) surgeon display shows recording degradation warning within 1 second. Rationale: Verification of REQ-SESURGICALROBOT-094 (PDR redundancy). Storage failover must be tested under realistic intraoperative conditions including concurrent video and telemetry streams; passive inspection cannot verify failover timing or data continuity. | Test | |
| VER-MAIN-100 | Verify SUB-MAIN-095: Force a software watchdog timeout on the Console Computer test unit by injecting a process hang via fault injection tool; verify: (a) failover to backup path initiates within 500ms, (b) last commanded instrument position is preserved within 0.1mm, (c) audio tone and status message appear, (d) test repeated 10 times with no variance in failover time >50ms. Rationale: Fault injection testing of watchdog failover verifies the real-time response and state preservation guarantees under controlled failure conditions, with repeatability check to confirm no timing jitter. | Test | verification, surgeon-console, redundancy, failover, session-362, idempotency:ver-sub-095-cc-failover-362 |
| VER-MAIN-101 | Verify PMS safety domain redundant power: Apply load equivalent to full interlock subsystem and workspace safety enforcer draw to both DC supply rails simultaneously, then disconnect primary rail while measuring secondary switchover timing via oscilloscope probe on output bus. Confirm: (1) switchover within 5ms measured from voltage dip trigger, (2) no dropout on safety function power rail, (3) UPS battery sustains full load for ≥60 seconds before controlled shutdown. Rationale: Verification of REQ-SESURGICALROBOT-097 (PMS redundant power). Switchover timing must be verified under realistic load conditions; a 5ms criterion cannot be verified by inspection of design documents alone; UPS capacity test requires bench-level endurance measurement. | Test | |
| VER-MAIN-101 | Verify SUB-MAIN-096: Sever the Force Sensing Module communication link while system is in OPERATIONAL state; measure time from link loss to: (a) 0.3N braking force applied at master handle (target: <=50ms), (b) audio alert onset, (c) visual status change; confirm surgeon can still command full kinematic range with braking force applied; restore link and verify return to normal force rendering within 200ms. Rationale: Live fault injection test on integrated haptic hardware verifies degraded-mode entry timing and the 0.3N braking force value are within the specified limits, and that the surgeon retains kinematic control during the degraded state. | Test | verification, haptic, degraded-mode, session-362, idempotency:ver-sub-096-haptic-fbd-362 |
| VER-MAIN-102 | Verify SUB-MAIN-097: Using a network test harness, inject 100 command frames with valid HMAC, 50 with corrupted HMAC, and 20 replay frames to the Trajectory Generator and Motion Scaling Module; verify all valid frames are accepted, all invalid/replay frames are rejected with no arm motion, and rejection events appear in Procedure Data Recorder within 10ms of each rejection. Rationale: Active penetration testing of the HMAC authentication boundary verifies both the authentication logic and the security audit trail under representative attack scenarios. | Test | verification, motion-control, cybersecurity, session-362, idempotency:ver-sub-097-hmac-362 |
| VER-MAIN-103 | Verify SUB-MAIN-098: On the TTAC test bench, inject 1000 position command packets with valid HMAC signatures followed by 1000 packets with corrupted signatures. Verify that all valid packets are accepted within 1ms and all invalid packets are rejected within 1ms with corresponding Procedure Data Recorder log entries. Pass criteria: 100% acceptance of valid packets, 100% rejection of invalid packets, zero false negatives. Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component. | Test | verification, cybersecurity, session-365, idempotency:ver-SUB-MAIN-098-365 |
| VER-MAIN-104 | Verify SUB-MAIN-099: On the Real-Time Compute Node, connect a packet injection harness to the KE input queue and inject 500 valid HMAC-authenticated command packets and 500 unauthenticated packets. Verify that all unauthenticated packets are rejected within one 1ms control cycle. Pass criteria: zero unauthenticated packets processed by IK solver, rejection latency <= 1ms for all invalid packets. Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component. | Test | verification, cybersecurity, session-365, idempotency:ver-SUB-MAIN-099-365 |
| VER-MAIN-105 | Verify SUB-MAIN-100: Load the Trajectory Generator with a synthetic anatomy mesh defining a 100mm-radius keep-out sphere. Command 200 waypoints: 100 within 5mm of the keep-out boundary and 100 that violate the boundary by varying margins (5-50mm). Verify that all violating waypoints are rejected and safe-state transition occurs within 5ms. Pass criteria: 100% boundary-violating waypoint rejection, safe-state transition <= 5ms. Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component. | Test | verification, cybersecurity, session-365, idempotency:ver-SUB-MAIN-100-365 |
| VER-MAIN-106 | Verify SUB-MAIN-101: Connect a PTP test injector to the inter-cart fibre link and transmit 1000 synchronisation frames: 500 with valid session token and 500 with corrupted or replayed tokens. Verify that all invalid frames are discarded within one synchronisation period and a communication fault event is generated. Pass criteria: 100% invalid frame discard, fault event generated for each invalid frame. Rationale: Integration test to verify cryptographic authentication compliance. Pass/fail criteria are binary (accept/reject with specified latency) and directly verify the authentication mandate from SYS-MAIN-018 as applied to this component. | Test | verification, cybersecurity, session-365, idempotency:ver-SUB-MAIN-101-365 |
| VER-MAIN-107 | Verify IFC-MAIN-002: With system energised and all three Emergency Stop Chain contact nodes monitored, open each node individually and confirm that the Power Management Subsystem servo drive contactors drop within 10ms and do not re-engage until the fault is cleared and operator reset is confirmed. Repeat across operating temperature range (10–40°C). Rationale: Hardwired E-stop interlock is the last hardware defence against uncontrolled joint motion. 10ms drop requirement derived from worst-case contact-open detection delay plus contactor release time; if contactors remain energised, drives remain powered and a faulty motion command can cause patient harm. | Test | verification, safety, estop, session-366, idempotency:ver-ifc-002-estop-contactor-366 |
| VER-MAIN-108 | Verify IFC-MAIN-002: With system energised and all three Emergency Stop Chain contact nodes monitored, open each node individually and confirm the Power Management Subsystem servo drive contactors drop within 10ms and do not re-engage until fault is cleared and operator reset is confirmed. Rationale: Hardwired E-stop interlock is the last hardware defence against uncontrolled joint motion. 10ms drop derived from worst-case contact-open detection delay plus contactor release time; failure to drop keeps drives powered and enables uncontrolled motion under a faulty command. | Test | verification, safety, estop, session-366, idempotency:ver-ifc-002-estop-366 |
| VER-MAIN-109 | Verify IFC-MAIN-007: With the heartbeat signal between Motion Control System and Safety and Watchdog System active, interrupt the dedicated hardwired line and confirm the Safety and Watchdog System declares SAFE-HOLD within 20ms. Confirm normal operation resumes within 500ms after reconnection. Rationale: Heartbeat monitors liveness of MCS to watchdog path; loss of heartbeat must trigger SAFE-HOLD to prevent unmonitored motion. 20ms limit keeps total detection-to-stop time under 50ms worst case. | Test | verification, safety, watchdog, session-366, idempotency:ver-ifc-007-heartbeat-366 |
| VER-MAIN-110 | Verify IFC-MAIN-021: Using a cable tension simulator, inject nominal, low-warning, and over-tension values on each of the cable channels and confirm the Safety and Interlock Subsystem receives the correct tension and status flags within the specified latency. Confirm lockout command is issued when tension exceeds threshold. Rationale: Cable overtension can snap instrument cables causing patient injury; this interface carries the primary measurement that drives lockout. Verification proves the data path and flag encoding are correct before integration with live surgical instruments. | Test | verification, safety, instrument, session-366, idempotency:ver-ifc-021-cable-tension-366 |
| VER-MAIN-111 | Verify IFC-MAIN-022: Command the Tool Tip Articulation Controller through a representative articulation sequence covering full pitch and yaw range. Measure cable displacement commands at the Instrument Drive Unit interface and confirm values match kinematic model predictions within 0.1mm at 200Hz update rate. Rationale: Correct cable displacement delivery is prerequisite for accurate instrument tip positioning; errors propagate directly to surgical accuracy. Kinematic model validation at the interface catches encoding or scaling errors before instrument assembly. | Test | verification, instrument, session-366, idempotency:ver-ifc-022-ttac-idu-366 |
| VER-MAIN-112 | Verify IFC-MAIN-023: Using test fixtures, trigger the Instrument Lifecycle Controller to issue lockout commands for instrument use-count exhaustion, sterility breach, and authentication failure. Confirm Safe State Manager receives each lockout code within 50ms and transitions system to SAFE-HOLD. Confirm lockout cannot be overridden without authorised credential exchange. Rationale: Instrument lifecycle lockout prevents reuse of expired or contaminated instruments. This interface carries safety-critical lockout commands; failure to deliver or act on them enables patient infection or mechanical failure from worn instruments. | Test | verification, safety, instrument, session-366, idempotency:ver-ifc-023-ilc-ssm-366 |
| VER-MAIN-113 | Verify IFC-MAIN-040: Inject a continuous 6-DOF Cartesian velocity command stream from the Console Computer via the Inter-Cart Fibre Link test port. Confirm commands arrive at the patient-cart Real-Time Protocol Engine at 1kHz with end-to-end latency under 5ms and zero frame drops over a 10-minute continuous run. Rationale: The command stream from console to patient cart is the primary teleoperation data path; latency above 5ms degrades surgeon feel and tracking precision, and dropped frames cause motion discontinuities that risk tissue damage. | Test | verification, comms, motion-control, session-366, idempotency:ver-ifc-040-console-icfl-366 |
| VER-MAIN-114 | Verify SUB-MAIN-103: On target hardware with peak traffic load (21 kinematics channels at 1kHz, dual stereo HD video), measure one-way fibre path latency using hardware timestamps on transmit and receive FPGAs over 10,000 consecutive frames. Pass: P99 latency <= 500us. Fail: any frame exceeds 500us. Rationale: P99 measurement over 10,000 frames characterises worst-case latency including interrupt service variability. Hardware timestamps eliminate OS jitter from the measurement. | Test | verification, comms, inter-cart-fibre, session-369, idempotency:ver-sub-main-103-369 |
| VER-MAIN-115 | Verify SUB-MAIN-104: With system in OPERATIONAL state and kinematic commands flowing, disconnect primary fibre link using relay-controlled break fixture. Measure time from physical link break to redundant path carrying live traffic using oscilloscope probes on both paths. Pass: switchover <= 5ms with no kinematic command gap > 100ms. Perform 20 repeated trials. Rationale: Relay-controlled break ensures repeatable fault injection. Oscilloscope measurement captures FPGA-level switchover independent of host software latency. 20 trials provide statistical confidence on switchover time distribution. | Test | verification, comms, inter-cart-fibre, session-369, idempotency:ver-sub-main-104-369 |
| VER-MAIN-116 | Verify SUB-MAIN-107: Inject bit errors at rates of 0, 1e-9, 1e-7, and 1e-5 on primary link using BERT tester. Verify link state transitions to DEGRADED at 1e-7 and FAILED at 1e-5 within two 10ms monitoring cycles. Verify state is reported via LVDS to SIS. Pass: correct state classification within 20ms of threshold crossing. Rationale: BERT injection provides controlled, repeatable bit error rates. Two monitoring cycles (20ms) reflects the 100Hz poll rate, ensuring classification occurs within two expected sample periods. | Test | verification, comms, network-management, session-369, idempotency:ver-sub-main-107-369 |
| VER-MAIN-117 | Verify IFC-MAIN-047: Inject primary fibre link failure by toggling relay. Measure time from relay activation to LVDS COMM_FAULT signal on SIS input using oscilloscope. Pass: LVDS signal asserted within 2ms of relay activation across 10 consecutive injection trials. Rationale: Oscilloscope measurement on LVDS line captures hardware-layer timing independent of software. 10 trials verify consistency of the FPGA-based fault detection path. | Test | verification, comms, network-management, safety, session-369, idempotency:ver-ifc-047-nmc-sis-369 |
| VER-MAIN-118 | Verify IFC-MAIN-048: At peak 1kHz kinematics load, measure DMA delivery latency from RTPE frame completion to Procedure Data Recorder buffer write using kernel tracepoints. Pass: P99 latency <= 100us over 60 seconds. Verify RTPE jitter does not increase when PDR is recording vs idle. Rationale: Kernel tracepoints measure the DMA path without requiring hardware instrumentation. RTPE jitter comparison verifies the recording path does not interfere with the hard real-time control loop. | Test | verification, comms, real-time-protocol-engine, procedure-data-recorder, session-369, idempotency:ver-ifc-048-rtpe-pdr-369 |
| VER-MAIN-119 | Verify SUB-MAIN-111: Immerse 3 samples each of Sterile Adapter, Cable Tensioning System housing, and representative surgical instrument in IPA 70% for 30 minutes. Post-immersion: verify sterile barrier integrity per ISO 11607-1, measure cable tensioning force variation (±5% nominal tolerance), and visually inspect for cracking, delamination, or discolouration. All three pass criteria must be met for compliance. Rationale: Immersion test replicates worst-case field disinfection practice. The three-component scope covers the components most exposed to disinfectant ingress during intraoperative instrument exchange. | Test | verification, surgical-instrument, sterility, session-373, idempotency:ver-sub-111-ipa-373 |
| VER-MAIN-120 | Verify SUB-MAIN-117: Submit the Power Management Subsystem to a UKAS-accredited test laboratory for IEC 60601-1:2005+AMD1:2012 dielectric withstand and leakage current testing. Pass criterion: withstand at 4000V AC for 1 minute with no breakdown; leakage below 500uA normal, 1000uA single-fault. Rationale: Third-party accredited testing is required for regulatory submission under EU MDR and FDA 510k. Pass/fail criteria match the standard's limits for Class I medical electrical equipment. | Test | verification, power-management, compliance, session-374, idempotency:ver-sub-main-117-374 |
| VER-MAIN-121 | Verify SUB-MAIN-119: Perform fault tree analysis and FMEA for the Workspace Safety Enforcer's boundary enforcement functions. Calculate PFHd from component reliability data and architectural independence analysis. Pass criterion: PFHd <= 1E-7 per hour; architectural analysis confirms independence from non-safety channels. Rationale: SIL 2 demonstration under IEC 62061 requires documented fault tree analysis and FMEA with quantified PFHd. Hardware testing alone cannot demonstrate a 1E-7/hour failure rate; probabilistic analysis is the accepted method for safety integrity verification. | Analysis | verification, motion-control, workspace-safety, safety, session-374, idempotency:ver-sub-main-119-374 |
| VER-MAIN-122 | Verify SUB-MAIN-120: Inject primary TSN link failure (disconnect Ethernet cable) while Real-Time Protocol Engine is under full motion load at 1kHz. Measure time from link loss detection to CAN FD backup path command delivery. Pass criterion: failover < 5ms; no motion command gap > 20ms; motion resumes on backup path. Rationale: Live failover injection test is the only way to verify the 5ms and 20ms timing requirements under realistic load. Simulation cannot capture real OS scheduling latency and hardware detection timing. | Test | verification, comms, real-time-protocol-engine, redundancy, session-374, idempotency:ver-sub-main-120-374 |
| VER-MAIN-123 | Verify SUB-MAIN-121: Inject Haptic Controller process failure (SIGKILL) while providing active force feedback at 20Hz. Measure time from primary failure to first command from standby process at master handle actuator. Pass criterion: switchover <= 10ms; no perceptible force discontinuity > 0.05N at handle. Rationale: Haptic switchover must be verified under operational conditions because OS process scheduling under load differs from idle state. The 0.05N perceptible threshold is derived from psychophysics literature on force JND at the fingertip during fine manipulation. | Test | verification, haptic, redundancy, session-374, idempotency:ver-sub-main-121-374 |
| VER-MAIN-124 | Verify SUB-MAIN-122: Using an optometer and calibrated test patterns, measure vergence distance and accommodation stimulus at 5 representative display content depths. Adjust inter-ocular distance across 58-72mm range. Pass criterion: VAC < 0.6 dioptre at all depths; IOD adjustment smooth and repeatable to 1mm. Rationale: VAC measurement requires optical instrumentation; human subject testing with surgeons is impractical at verification stage. 0.6 dioptre threshold is from ISO 9241-302 and published stereoscopic ergonomics literature. | Test | verification, vision, eye, ergonomics, session-374, idempotency:ver-sub-main-122-374 |
| VER-MAIN-125 | Verify SUB-MAIN-126: Using a network packet injector, send 10,000 command messages with invalid HMAC-SHA256 tags to the Communication and Data Management System during active operation. Measure rejection latency per message and count of rejected messages. Pass criterion: all 10,000 rejected within 1ms; SAFE_HOLD triggered after the third consecutive failure; each rejection logged as a security event. Rationale: Authentication rejection must be verified at scale to confirm the system is not vulnerable to replay attacks or timing side-channels. 10,000 injected messages stress the authentication pipeline at operational data rates. SAFE_HOLD trigger verification confirms the escalation path is functional. | Test | verification, comms, cybersecurity, session-374, idempotency:ver-sub-main-126-374 |
| VER-MAIN-126 | Verify SYS-MAIN-019: Submit the complete Surgical Robot System to an accredited EMC test laboratory. Conduct: (a) Radiated emissions measurement per CISPR 11 in a semi-anechoic chamber, confirming Group 1 Class B limits at 30–1000MHz; (b) Conducted emissions on mains supply lines per CISPR 11; (c) Radiated RF immunity per IEC 61000-4-3 at 10V/m across 80MHz–2.7GHz; (d) Conducted RF immunity per IEC 61000-4-6 at 3Vrms across 150kHz–80MHz; (e) Electrostatic discharge per IEC 61000-4-2 at 4kV contact and 8kV air. During immunity tests, the system SHALL maintain full motion control with position error below 0.5mm; no spurious E-stop activations are permitted. Pass criterion: no essential performance degradation during immunity, all emission limits met. Rationale: Accredited laboratory testing with UKAS/ILAC accreditation is required for CE marking under MDR 2017/745 and cannot be replaced by in-house bench testing. The specific pass criteria (0.5mm position error, no spurious E-stop) define what constitutes essential performance per IEC 60601-1-2 Annex A for this system class. | Test | verification, emc, regulatory, system, validation, session-377 |
| VER-MAIN-127 | Verify SYS-MAIN-019: Submit the complete Surgical Robot System to an accredited EMC test laboratory. Conduct radiated emissions per CISPR 11 Group 1 Class B at 30-1000MHz, conducted emissions on mains supply lines, radiated RF immunity per IEC 61000-4-3 at 10V/m across 80MHz-2.7GHz, and ESD per IEC 61000-4-2 at 4kV contact. During immunity tests the system SHALL maintain full motion control with position error below 0.5mm and produce no spurious E-stop activations. Rationale: Accredited laboratory testing is required for CE marking under MDR 2017/745. The 0.5mm position error pass criterion defines essential performance per IEC 60601-1-2 Annex A for this system class; no spurious E-stop criterion ensures the immunity testing environment does not trigger the safety system. | Test | verification, emc, regulatory, system, validation, session-377 |
| VER-MAIN-128 | Verify SUB-MAIN-127: Mount all three instrument arms on the patient-side cart. Command arms through a choreographed convergence trajectory that reduces pairwise inter-arm clearance from 100mm to 10mm at 50mm/s approach velocity. Verify: (a) halt command issued to both approaching arms when predicted clearance reaches 25mm, measured from logged kinematics at 100Hz sample points; (b) all arm motion stopped within 50ms of halt command issue; (c) final measured clearance no less than 15mm with load cell confirmation. Repeat for all three arm-pair combinations. Rationale: Hardware-in-the-loop test on the actual patient-side cart mechanical assembly is required because inter-arm clearance depends on the precise kinematic model including cable deflection under load; simulation alone is insufficient. All three arm-pair combinations must be tested because asymmetric cable routing creates different compliance characteristics per pair. | Test | verification, motion-control, collision-avoidance, safety, validation, session-377 |
| VER-MAIN-129 | Verify SUB-MAIN-128: Activate each defined alarm condition in turn on a fully integrated surgeon console test bench. For each condition: confirm the correct priority level is assigned, verify visual signal colour and flash rate match IEC 60601-1-8 Table 6 for the assigned priority, verify auditory signal pattern matches IEC 60601-1-8 Annex F, then disconnect mains and confirm alarm continues to signal on internal battery within 5 seconds. Confirm no auditory alarm condition produces a signal below 65 dB(A) at 1 metre operator distance. Rationale: IEC 60601-1-8 Clause 6.8 requires each alarm signal to be verified by functional test against the standard tables. The 65 dB(A) minimum level ensures alarms are audible over typical OR background noise (55-60 dB(A)). Battery continuity must be tested in the integrated system rather than simulation because alarm circuitry involves the display, audio, and power management subsystems together. | Test | verification, surgeon-console, alarm-management, regulatory, validation, session-377 |
flowchart TB n0["component<br>Watchdog Timer Controller"] n1["component<br>Emergency Stop Chain"] n2["component<br>Joint Force Monitor"] n3["component<br>Communication Monitor"] n4["component<br>Safe State Manager"] n0 -->|watchdog trip| n4 n1 -->|E-stop event| n4 n2 -->|force violation| n4 n3 -->|link fault| n4
Safety and Interlock Subsystem — Internal
flowchart TB n0["component<br>Tremor Rejection Filter"] n1["component<br>Motion Scaling Module"] n2["component<br>Kinematics Engine"] n3["component<br>Workspace Safety Enforcer"] n4["component<br>Joint Servo Controller"] n5["subsystem<br>Real-Time Compute Node"] n6["actor<br>Surgeon Console"] n7["external<br>Patient-Side Cart"] n8["component<br>Trajectory Generator"] n6 -->|6-DOF vel cmds 1kHz| n0 n0 -->|filtered vel 1kHz| n1 n2 -->|joint setpoints| n3 n3 -->|validated cmds| n4 n4 -->|CAN-FD 5Mbps| n7 n3 -->|fault signal| n5 n5 -->|heartbeat 200Hz| n0 n1 -->|scaled velocity 1kHz| n8 n8 -->|Cartesian poses 1kHz| n2
Motion Control System — Internal
flowchart TB n0["component<br>Force Sensing Module"] n1["component<br>Force Signal Conditioner"] n2["component<br>Haptic Controller"] n3["component<br>Master Handle Actuator"] n0 -->|strain gauge signals| n1 n1 -->|SPI 16-bit force data| n2 n2 -->|CAN FD torque setpoints| n3
Haptic Feedback Subsystem — Internal
flowchart TB n0["component<br>Instrument Drive Unit"] n1["component<br>Instrument Recognition Module"] n2["component<br>Sterile Adapter"] n3["component<br>Cable Tensioning System"] n4["component<br>Tool Tip Articulation Controller"] n5["component<br>Instrument Lifecycle Controller"] n1 -->|kinematic model params| n4 n1 -->|instrument identity and usage data| n5 n4 -->|cable displacement commands CAN-FD 1kHz| n0 n3 -->|tension set-points and feedback| n0 n2 -->|torque via rotary feedthroughs| n0
Surgical Instrument System — Internal
flowchart TB n0["component<br>Main Power Distribution Unit"] n1["component<br>UPS Battery Module"] n2["component<br>Auxiliary Power Supply"] n3["component<br>Power Sequencing Controller"] n1 -->|48VDC bulk| n0 n0 -->|CAN FD status| n3 n3 -->|discrete control| n2 n3 -->|sequencing commands| n0
Power Management Subsystem — Internal
flowchart TB n0["component<br>Surgeon Interface Panel"] n1["component<br>Console Computer"] n2["component<br>Foot Pedal Array"] n3["component<br>Voice Command Module"] n4["component<br>Arm Positioning System"] n0 -->|EtherCAT haptic bus bidirectional, 1kHz| n1 n2 -->|CAN pedal events 50ms| n1 n3 -->|USB voice commands 200ms| n1 n4 -->|Arm position status| n1
Surgeon Input Console — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Arm Positioning System | 54FC1018 | Motorized ergonomic adjustment mechanism on the Surgeon Input Console that positions the two 7-DOF master arms and the binocular viewer for individual surgeon fit. Five motorized axes: master arm height (bilateral, ±100mm), master arm lateral offset (bilateral, ±50mm), and viewer vertical/tilt (±80mm / ±20°). Each axis is a DC motor with worm gear drive and absolute encoder. All motorized adjustment axes are locked when the system is in OPERATIONAL state — adjustments only permitted during setup (system not in robotic motion). Adjustment speed: 5mm/s maximum to prevent collision risk. Position is saved per surgeon profile. |
| Auxiliary Power Supply | D4C51018 | Dedicated isolated 24V DC supply for the Safety and Interlock Subsystem and Watchdog Timer Controller. Operates from UPS battery during mains failure, guaranteed active for minimum 30 minutes. Physically wired in parallel with the main supply but logically isolated; cannot be de-energised by any application software command or main bus fault. Feeds the hardwired Emergency Stop Chain contactor coils. |
| Backdrive Monitor | 50B73808 | Dedicated safety monitor for haptic master handle backdrivability. Continuously compares commanded torque against actual joint velocity to detect if a handle joint has become non-backdrivable (jam or mechanical fault). Triggers Haptic Controller safe-hold if backdrive torque exceeds 2N for >100ms in STANDBY mode. Implemented as a separate FPGA safety island to maintain independence from the Haptic Controller's ARM processor. |
| Cable Tensioning System | 55F73208 | Spring-loaded and motor-driven cable pretension mechanism inside the Instrument Drive Unit of a surgical robot. Maintains consistent cable tension across all 4 instrument degrees of freedom (wrist pitch, yaw, roll, grip) to ensure position accuracy at the instrument tip. Compensates for cable stretch and hysteresis over the instrument's operational lifetime (typically 10 procedures). Uses strain-gauge feedback on each cable to detect tension anomalies indicating cable fraying or disconnection. Operates at 1kHz servo rate synchronized with the joint servo controllers. Tension set-points vary per instrument type based on calibration data from the Instrument Recognition Module. |
| Camera Control Unit | D4F53218 | Dual-channel camera head processor receiving raw Bayer-pattern sensor data from both stereo endoscope channels via HD-SDI at 60fps. Performs real-time white balance, gain control, gamma correction, and chromatic aberration compensation per channel. Outputs synchronised left/right 1080p60 video streams to Image Processing Pipeline via 3G-SDI. Maintains sub-frame (<1ms) inter-channel synchronisation critical for stereoscopic fusion. Provides surgeon-selectable enhancement modes (narrow-band imaging, fluorescence overlay for ICG). Rack-mounted in equipment tower, passively cooled, operating continuously for 8+ hour procedures. |
| Communication and Data Management System | 50F57318 | High-bandwidth real-time communication subsystem linking Surgeon Console and Patient-Side Cart. Master-slave control link: 1Gbps fibre, 1kHz command packets, <3ms latency. Video transport: 4x uncompressed 1080p/60Hz streams over 10GbE. Maintains TCP/IP and dedicated FPGA protocol stack. Logs all kinematics, video, and system events to encrypted SSD at 1kHz for clinical audit. Interfaces with hospital PACS and EMR via HL7/DICOM. Implements CAN-FD bus for inter-subsystem telemetry. Provides encrypted operator console for remote diagnostics. |
| Communication Monitor | 55B77A18 | Monitors real-time fibre link between surgeon console and patient-side cart. Checks CRC integrity, packet loss rate, and round-trip latency at 1kHz. Latency threshold: 10ms (alert), 20ms (safe-state). Packet loss threshold: 3 consecutive missed frames. On loss-of-communication, initiates controlled arm freeze: joints held in current position with increased brake gain, instrument retracted 3mm per safety protocol. |
| Console Computer | D0F51018 | Host x86-64 workstation embedded in the Surgeon Input Console base unit, running a non-real-time Linux OS. Manages session lifecycle (authentication, case start/end, configuration loading), hosts the voice command recognition engine, drives the Surgeon Interface Panel display, manages system configuration and calibration data, and provides the non-real-time side of the surgeon-side software stack. Communicates with the Real-Time Protocol Engine for session handshake and configuration sync, but does NOT relay motion commands. Interfaces: USB 3.0 to Surgeon Interface Panel, gigabit Ethernet to Real-Time Protocol Engine session bus, HDMI to secondary display for circulating nurse. |
| Electrosurgical Generator | D4F73019 | High-frequency RF energy source generating 200-400W monopolar and 50-80W bipolar electrosurgical power at 300kHz-3MHz. Outputs controlled energy via the robotic instrument port to active electrodes. Implements adaptive power regulation with tissue impedance sensing to prevent unintended thermal spread. Provides cut, coagulation, and vessel-sealing energy modes with independent waveform profiles. Must respond to footswitch activation within 100ms and deactivate within 50ms. |
| Emergency Stop Chain | 44AD7810 | Hardwired E-stop circuit forming a series loop through surgeon console E-stop button, patient-side E-stop buttons (x3), foot pedal dead-man switch, and facility E-stop. Any break de-energises all servo drives via contactor within 50ms. Independent of software control. Includes optical isolation to prevent ground loop faults from triggering spurious stops. Monitored for open-circuit faults at 100Hz. |
| Energy Delivery Controller | 41B53B18 | Embedded software module on the surgical system control computer orchestrating all energy activation decisions. Arbitrates footswitch inputs, instrument-reported activation requests, and safety interlock states. Enforces mutual exclusion between RF and ultrasonic modes. Implements energy timeout (max 15s continuous activation), power-level ramping, and dead-man safety (energy stops if console presence is not confirmed every 2s). Interfaces with Safety and Interlock Subsystem via hardwired interlock bus. |
| Energy Delivery System | 54F53059 | Electrosurgery and energy management subsystem. Provides monopolar RF energy at 20-300W for cutting and coagulation, bipolar RF at 5-80W for vessel sealing, and ultrasonic energy at 55.5kHz for simultaneous cutting and coagulation. Isolated floating output to prevent stray current burns. Integrates with instrument system to detect instrument type and enable appropriate energy modes. Patient return electrode monitoring for impedance-based contact quality. Activated only when surgeon depresses foot pedal with correct instrument selected. EN IEC 60601-2-2 compliance. |
| Foot Pedal Array | C6AD7018 | Multi-pedal foot-operated control array mounted on the floor at the Surgeon Input Console. Contains 4 independently assignable pedal clusters: energy activation (RF and ultrasonic), camera control (focus, zoom, mode), instrument clutch (decouple master-slave motion), and emergency stop (one of three hardwired E-stop nodes). Each pedal has <2ms mechanical actuation sensing. The emergency stop pedal is hardwired to the E-stop series loop and does NOT pass through software. Energy and clutch pedals send activation commands over the console CAN bus to the Energy Delivery Controller and Motion Control System. |
| Force Sensing Module | D4C51008 | 6-axis force/torque sensor array embedded in each instrument drive unit. Strain gauge-based, measuring instrument-tissue interaction forces at the tool tip with resolution better than 0.05N and range ±30N. Operates at 1kHz sampling rate, provides raw force data to Haptic Controller for feedback scaling. Calibrated for temperature drift and offset at startup. |
| Force Signal Conditioner | D4A51018 | Analog signal conditioning circuit for strain gauge bridge outputs from Force Sensing Module. Provides instrumentation amplification (gain 100-1000), low-pass filtering at 500Hz anti-alias cutoff, and 16-bit ADC conversion at 1kHz. Mounted on patient-side cart electronics bay. Provides galvanic isolation barrier (4kVrms) between surgical instrument and digital electronics. |
| Haptic Controller | 54FD7208 | Real-time software module running on dedicated haptic processor at 1kHz. Receives force measurements from Force Sensing Module, applies scaling, workspace-safe force limiting (max 1N feedback to master), and renders force as torque commands to Master Handle Actuators. Implements transparency and stability algorithms to prevent master-slave force oscillation. SIL 2 function. |
| Haptic Feedback Subsystem | 55F57018 | Closes force feedback loop between instrument tip and surgeon master handles. Reads tip force from Instrument Drive Unit strain gauges (0–10N, ≤0.1N resolution, 1kHz). Applies scaling and tissue-model filtering. Drives back-drive torque motors in master manipulator to present force cue to surgeon. Prevents force feedback from exceeding safe handle force limits. Runs in same RTOS partition as motion control to maintain phase coherence. |
| Image Processing Pipeline | 50F73218 | FPGA-based real-time video processing system receiving synchronised stereo 1080p60 streams from the Camera Control Unit. Performs edge enhancement, noise reduction (temporal and spatial), automatic scene brightness adjustment, and optional augmented reality overlay (instrument tracking markers, anatomical annotations from pre-operative imaging). Adds <2ms total processing latency to maintain surgeon-perceived real-time response. Outputs processed left/right streams to the 3D Display System via dual DisplayPort 1.2 at 60Hz. Also provides a composited 2D stream to the Video Recorder. Implements ICG fluorescence overlay compositing when Surgical Illumination Source is in NIR mode. FPGA fabric chosen over GPU for deterministic latency and medical device certification path (IEC 62304 Class C). |
| Instrument Drive Unit | D6E51018 | Terminal segment of each robotic arm. Accepts interchangeable sterile wristed instruments (graspers, scissors, needle drivers, clip appliers, energy instruments). 4-cable drive train transmits wrist and jaw motion into 8mm instrument shaft. Includes chip-in-tip RFI sensors to read instrument identity, use count, and calibration data. Tip force sensing via strain gauges. Single-use instrument heads, reusable drive unit body draped for sterility. |
| Instrument Lifecycle Controller | 41B77B58 | Software module running on the patient-side cart controller of a surgical robot. Tracks per-instrument usage metrics: total actuation cycles per DoF, cumulative tip force-time integral, sterilization count, and elapsed time since manufacture. Compares current metrics against manufacturer-defined end-of-life thresholds stored on the instrument's identity chip. Prevents coupling of expired instruments by inhibiting arm enable until a valid instrument is detected. Logs all lifecycle events to the Procedure Data Recorder for regulatory traceability per FDA 21 CFR Part 820 requirements. Communicates with Instrument Recognition Module for chip read/write and with Safe State Manager for instrument lockout enforcement. |
| Instrument Recognition Module | D5F57018 | NFC/RFID reader with embedded microcontroller at the instrument coupling interface of a surgical robot patient-side arm. Reads instrument identity chip containing type code (grasper, scissors, needle driver, cautery hook), remaining use count, sterilization cycle history, and per-instrument calibration offsets. Communicates instrument identity to Motion Control System for automatic kinematic model selection. Must read instrument chip within 200ms of coupling to avoid delaying instrument exchange. Operates in sterile field proximity, powered via the arm's internal bus. |
| Inter-Arm Collision Monitor | 51F77B18 | Real-time pairwise inter-arm clearance computation module running in the Motion Control and Scaling Subsystem of a surgical robot. Computes convex-hull distances between all three patient-side instrument arm segments at 100Hz using forward-kinematics model. Issues halt-and-retract command to approaching arm pairs when predicted clearance falls below 25mm warning threshold; enforces 15mm hard minimum clearance. Runs inline in motion control pipeline on the Real-Time Compute Node. Critical for multi-arm laparoscopic procedures where arms converge in a body cavity of approximately 150mm diameter. |
| Inter-Cart Fibre Link | C6855008 | Dual-redundant single-mode fibre optic cable assembly connecting Surgeon Console to Patient-Side Cart. Carries all real-time control, video, and data traffic over a single 10Gbit/s wavelength-division multiplexed fibre pair. Maximum cable run 10m (OR layout), minimum bend radius enforced. Hot-standby second fibre pair switches within 5ms on primary failure. |
| Joint Force Monitor | 55F77B18 | Software safety function running at 1kHz on safety processor. Reads joint torque from all arm axes. Applies threshold comparison against configurable joint force limits (per-axis, per-procedure type). Triggers graceful brake sequence if any axis exceeds 110% rated limit, or emergency stop at 150%. Tracks force trend to detect stuck/jammed conditions before limit breach. Alerts operator via audible and visual warning at 90%. |
| Joint Servo Controller | 55F53018 | Per-joint closed-loop servo controller for surgical robot arm joints. Cascade PID architecture: outer position loop at 1kHz, inner current loop at 10kHz. Controls brushless DC motors with 14-bit encoder feedback and current sensing. Implements following-error detection: if position error exceeds 2 degrees for >10ms, flags fault to Safety Monitor. Seven instances per arm (21 total across 3 arms). Anti-windup limiting prevents integrator saturation during end-stop contact. Gain scheduling between free-space motion and tissue-contact phases based on force feedback. |
| Kinematics Engine | 41F53309 | Real-time inverse kinematics solver for surgical robot 7-DOF redundant arm. Receives Cartesian end-effector pose commands at 1kHz from Motion Scaling Module. Computes joint-angle trajectories using damped least-squares Jacobian pseudo-inverse. Handles redundancy resolution to avoid joint limits and singularities. Outputs 7 joint-angle setpoints per arm at 1kHz to Joint Servo Controllers. Implemented in C++ on PREEMPT_RT Linux. Computation budget: 2ms per cycle per arm. Singularity handling via SVD decomposition with damping threshold 0.05. |
| Main Power Distribution Unit | D6851058 | AC power distribution unit for the Surgical Robot System. Receives single-phase 230V AC from hospital mains and distributes protected 48V DC and 24V DC rails to all patient-side cart subsystems. Includes overcurrent protection per IEC 60601-1, earth leakage monitoring, and feeds contactor inputs in the Emergency Stop Chain. Controls power sequencing order at startup and shutdown. |
| Master Handle Actuator | D7F51008 | Backdriveable brushless DC torque motor integrated into each 7-DOF haptic master arm. Provides force feedback at each joint to render instrument-tissue contact forces to the surgeon's hand. Continuous torque 0.3Nm per joint, peak 1.2Nm. Position-sensing via absolute encoder at 14-bit resolution. Driven by dedicated motor driver boards commanded by Haptic Controller. |
| Master Handle Actuator Motor Driver | D4F53018 | Multi-axis PWM motor driver for the surgeon-side master handle actuators. Receives torque setpoints from Haptic Controller at 1kHz via CAN bus. Drives 7-DOF brushless DC motors with current control at 20kHz PWM. Implements hardware overcurrent protection (5A limit) and emergency disable input from E-stop chain. Operating environment: surgeon console enclosure, 24V ±5% medical-grade isolated supply. |
| Motion Control and Scaling Subsystem | 51F73B08 | Real-time software and hardware responsible for master-to-slave kinematics. Runs on RTOS at 1kHz. Implements forward and inverse kinematics for 7-DOF arms, configurable motion scaling (1:1 to 10:1), tremor filter (adaptive bandpass eliminating 6-12Hz physiological hand tremor), workspace boundary enforcement (software joint limits, virtual fixtures). Outputs joint torque commands to servo drives. Hard real-time; task jitter <50µs. |
| Motion Control System | 51F73A18 | Real-time kinematic computation and servo-control subsystem for surgical robot. Executes inverse kinematics for all robot DOF at 1kHz, applies motion scaling 3:1 to 10:1, removes hand tremor above 6Hz, enforces workspace safety limits and soft tissue contact force limits under 5N. Runs on dedicated real-time Linux (PREEMPT_RT) compute node with dual-redundant watchdog. Directly commands joint-level servo drives on Patient-Side Cart. Latency budget: 10ms computation, 3ms network, contributing to overall 100ms end-to-end. Safety-critical: SIL 3. |
| Motion Scaling Module | 50B53B18 | Cartesian-space velocity scaling component that reduces surgeon console hand velocity to instrument tip velocity. Applies selectable gain in Cartesian space (3:1, 5:1, 10:1) to preserve instrument orientation during scaled motion. Surgeon selects ratio via foot pedal or console menu before incision. Module stores current ratio in NVRAM, applies it to all 6 Cartesian DOF uniformly, and logs ratio changes with timestamp to audit buffer. Instantaneous ratio change rejected during active tissue contact (force > 1N). |
| Network Management Controller | 51B73818 | |
| Patient-Side Cart | DFE53018 | Mobile robotic arm assembly mounted at the surgical table. Contains 3-4 robotic arms: one camera arm and 2-3 instrument arms, each with 7 DOF and cable-driven joints. Positions and holds EndoWrist instruments inserted through trocar ports in the patient. Receives motion commands from Surgeon Console at 1kHz and executes scaled, tremor-filtered movements. Each arm has joint torque sensors and limit switches. Operates in sterile field. Must arrest motion within 50ms of emergency stop signal. Arm workspace: 570mm reach per instrument arm. |
| Power Management Subsystem | 54F53018 | Supplies regulated DC and AC power to all subsystems. Accepts 3-phase 400V AC mains input, conditions through isolation transformer and EMC filters for medical environment (IEC 60601-1). Provides 48V DC bus for servo drives and 24V DC for control electronics. Includes 60s UPS (supercapacitor bank) for fault and withdrawal power continuity. Controls surgical energy delivery (monopolar 350W RF, bipolar 50W) routed through isolated generator. |
| Power Sequencing Controller | D1F77A18 | Embedded microcontroller managing the startup and shutdown power sequencing of the Surgical Robot System. Enforces a defined power-on order (safety subsystem first, then compute nodes, then motor drives) to prevent undefined intermediate states. On shutdown command, reverses sequence. Monitors rail voltages and reports to the system supervisor; inhibits startup if any rail is out of tolerance. Drives the contactor coils for each subsystem. |
| Procedure Data Recorder | 50851208 | NVMe RAID storage system recording all kinematic data (joint angles, torques, velocities at 1kHz), video streams (two 4K60 streams), system events, and alarms for the full procedure duration. Minimum capacity 8 hours uncompressed. Write bandwidth 2GB/s sustained. WORM (write-once read-many) mode prevents data modification post-procedure for forensic integrity. |
| Procedure Video Recorder | 54E47218 | Medical-grade video recording system capturing composited 2D procedure video from the Image Processing Pipeline at 1080p60 in H.265 encoding (50Mbps CBR). Records continuously for 8+ hour procedures to internal RAID-1 SSD storage (minimum 4TB usable). Simultaneously streams a reduced-resolution feed (720p30) over hospital network for remote observation or teaching. Provides frame-accurate timestamps synchronised with the system event log (kinematic data, instrument changes, cautery activation) for post-operative review and audit per SYS-MAIN-015. Supports DICOM-compatible export for integration with hospital PACS. Controlled via touch panel on equipment tower — surgeon does not interact during procedure. |
| Real-Time Compute Node | D6B51018 | Dedicated processing hardware running Motion Control System software. Dual Intel Xeon with PREEMPT_RT Linux providing worst-case interrupt latency under 50 microseconds. Hardware watchdog timer: if no heartbeat from Motion Control thread for >5ms, asserts safety output and freezes joint commands. Dual-redundant power supplies. ECC RAM. Fanless design for silent OR environment. Interfaces: 1GbE to Surgeon Console link, CAN-FD to Joint Servo Controllers, PCIe to Safety and Watchdog System via dedicated interrupt line. |
| Real-Time Protocol Engine | 51F77208 | FPGA-based deterministic communication processor implementing custom time-division multiplexed protocol over 10Gbit Ethernet fibre. Guarantees 1ms frame cycle for kinematic command and telemetry channels. Separate priority queues for safety messages (highest, 100us latency), kinematics (1ms), video (best-effort). Hardware CRC and sequence-number checking on all frames. |
| Return Electrode Monitor | 54F77858 | Impedance-sensing patient safety device monitoring return electrode (REM pad) contact quality during monopolar electrosurgery. Measures dual-zone pad impedance at 100Hz and shuts off monopolar energy if impedance rises above 135 ohms (indicating partial pad lift). Provides alarm output to surgeon console within 500ms of detection. Regulatory requirement under IEC 60601-2-2 for all monopolar electrosurgical equipment. Interfaces with Electrosurgical Generator and system safety bus. |
| Safe State Manager | 40B57A10 | State machine coordinating system response to safety events. Has three states: OPERATIONAL, DEGRADED (one arm out of service, others active), and SAFE-HOLD (all arms held, energy off, awaiting surgeon action). Transitions are one-directional toward SAFE-HOLD during faults; recovery requires explicit surgeon re-engagement sequence. Broadcasts system state to all subsystems and logs all transitions to tamper-evident audit trail. |
| Safety and Interlock Subsystem | 50B53A18 | SIL 3 safety function layer monitoring all joints, instruments, power, and communications. Implements hardware watchdog timers, software safety monitors, and independent E-stop chain. Detects communication loss, joint force violations, power anomalies, and software exceptions. Brakes all joints and de-energises surgical energy within 250ms of fault onset. Runs on dedicated safety processor physically isolated from control processor to prevent common-cause failure. |
| Safety and Watchdog System | 55F37359 | Independent safety monitoring and fault-response subsystem for surgical robot. Runs on separate processor with no shared memory with motion control. Monitors all joint positions, velocities, currents, temperatures, and communication integrity at 1kHz. Detects faults: joint limits exceeded, communication dropout >10ms, force limits exceeded, watchdog timeout. Responds within 5ms: commands all joint brakes, cuts servo power, issues emergency stop to all subsystems via dedicated hardwired signal. SIL 3 per IEC 62304 and ISO 13849 Category 4 / PLe. Maintains independent power from UPS. |
| Stereo Endoscope | D6C51018 | Dual-channel rigid endoscope (0° or 30° tip angle) with paired 1/3-inch CMOS image sensors (1920x1080 per channel) and integrated fibre-optic illumination bundle. Inserted through 12mm trocar into body cavity. Provides two spatially offset optical paths (6mm inter-pupillary baseline) for stereoscopic depth perception. Operating wavelength 400-700nm visible spectrum. Must withstand repeated autoclave sterilisation at 134°C. Connected to Camera Control Unit via dual HD-SDI cables. Critical safety component — loss of one channel degrades to 2D; loss of both is a surgical emergency requiring immediate manual takeover. |
| Stereoscopic Display System | D4ED1018 | High-resolution stereoscopic 3D display integrated into the Surgeon Console, presenting separate left/right eye images via polarised optics or active-shutter glasses. Dual 4K panels (3840x2160 per eye) with 10-bit colour depth, 1000:1 contrast ratio, and <5ms pixel response time. Viewing distance 500-700mm with adjustable interpupillary distance (55-75mm). Maintains consistent stereoscopic depth cues without flicker or crosstalk (<1% ghosting). Brightness minimum 350 cd/m² to maintain visibility under OR lighting. Connected to Image Processing Pipeline via dual DisplayPort 1.2. Critical for surgeon depth perception — loss of stereoscopy degrades to 2D monocular viewing, requiring surgeon notification within 500ms. |
| Sterile Adapter | CE853058 | Mechanical drape-and-coupling interface between the non-sterile patient-side robotic arm and the sterile surgical instrument shaft. Provides torque transmission through 6 sealed rotary feedthroughs (4 instrument DoF cables plus roll and insertion axes) while maintaining a sterile barrier compliant with ISO 11607 packaging standards. Constructed from medical-grade polymer with stainless steel coupling pins. Single-use per procedure. Must withstand 50N axial insertion force and 2Nm continuous torque per channel without sterile breach. Includes electrical pass-through for instrument recognition chip data line. |
| Surgeon Console | D6ED5018 | Surgeon-operated master interface for teleoperated surgical robot. Houses dual 7-DOF haptic master manipulators, stereo 3D HD display at 1080p/60Hz per eye, foot pedal cluster for mode switching, head sensor for presence detection, and ergonomic seating. Transmits master arm pose, velocity, and grip commands to patient-side cart at 1kHz. Receives 3D video stream and haptic force feedback. Surgeon sits immersed in stereo view while operating in a non-sterile console area. Primary safety interface for clutch, emergency stop, and energy activation. |
| Surgeon Input Console | D4FD3018 | Master control station for the surgeon. Ergonomic seat with binocular 3D display (stereoscopic endoscope imagery), dual master manipulator arms (7 DOF each), foot pedal array (clutch, camera control, energy modes), head sensor for sterile field limitation. Scales surgeon hand motions to slave, renders haptic force feedback, processes voice commands. Generates motion commands at 1kHz. Isolated from sterile field. |
| Surgeon Interface Panel | D4AC5018 | Touchscreen control panel integrated into the Surgeon Input Console, positioned alongside the binocular viewer. 15-inch medical-grade capacitive touchscreen running ARM-embedded Linux. Provides non-motion system controls: instrument selection and configuration, energy mode and power level setting, endoscope orientation, system setup, ICG fluorescence toggle, and telestration overlay controls. Communicates with the Console Computer via USB 3.0. Does not transmit real-time motion or safety commands — all safety-critical inputs are separate hardware paths. |
| Surgical Illumination Source | 54F51018 | High-intensity LED light source (300W equivalent, 5600K colour temperature) providing surgical field illumination via fibre-optic bundle to the stereo endoscope. Delivers 40,000-60,000 lux at the distal tip. Automatic intensity regulation based on camera exposure feedback to prevent tissue thermal damage (maximum 41°C tissue surface temperature per IEC 60601-2-18). Supports fluorescence excitation at 805nm for ICG near-infrared imaging. Mean time between failures >10,000 hours. Connected to Camera Control Unit for closed-loop intensity feedback and to Power Management Subsystem for regulated DC power. |
| Surgical Instrument System | D6FD3059 | Interchangeable EndoWrist instruments and instrument-exchange mechanisms for surgical robot. Instruments 8mm diameter, wristed 7-DOF distal mechanism with cable actuation through 3 drive cables. Sterile single-use or re-sterilisable depending on type. Types: needle drivers, graspers, scissors, clip appliers, bipolar forceps, monopolar cautery hook. Instrument drive unit reads instrument chip for type/usage-count identification and loads kinematic model. Force feedback from cable tension sensors passed to haptic system. 10-use or 30-use limits enforced by software based on chip data. |
| Tissue Effect Monitor | 55F77218 | Real-time tissue response monitoring module that reads RF output impedance and temperature waveforms during vessel sealing operations. Detects vessel seal endpoint by impedance rise signature (>1.5kΩ rise within 400ms) indicating completed collagen denaturation. Triggers automatic generator shutoff at seal completion. Provides tissue state feedback to the Energy Delivery Controller at 1kHz. Reduces seal failures and thermal damage by preventing over-application. Integrated with the Electrosurgical Generator measurement circuitry. |
| Tool Tip Articulation Controller | 51F53318 | Real-time software controller running at 1kHz on the patient-side cart compute node of a surgical robot. Maps desired end-effector pose (3-DoF wrist orientation plus grip aperture) from the Kinematics Engine into individual cable displacement commands for the Instrument Drive Unit motors. Implements instrument-specific kinematic models loaded from the Instrument Recognition Module — each instrument type has different cable routing geometry, pulley ratios, and coupling compliance. Compensates for cable hysteresis using a Bouc-Wen friction model with parameters identified during instrument calibration. Outputs motor position setpoints to the Joint Servo Controller over the internal CAN-FD bus at 1kHz. Critical path for instrument tip positioning accuracy: controller latency budget is 500µs maximum. |
| Trajectory Generator | 41F53B08 | Software module running on the Real-Time Compute Node that computes smooth, collision-free instrument tip trajectories from surgeon input waypoints. Accepts Cartesian velocity commands from the Motion Scaling Module at 1kHz, performs velocity profiling with S-curve acceleration limits (max 2g at tip), enforces workspace boundary constraints, and outputs interpolated Cartesian poses to the Kinematics Engine. Operates under PREEMPT_RT with worst-case execution time <200μs per cycle. Critical for ensuring instrument motion is smooth, bounded, and does not exceed tissue force limits. |
| Tremor Rejection Filter | 40A53108 | 4th-order Butterworth low-pass digital filter attenuating surgeon hand tremor. Applied to Cartesian velocity commands from Surgeon Console before motion scaling. Cutoff frequency: 6Hz to preserve intentional motion bandwidth while removing 8-12Hz physiological tremor. Zero-phase forward-backward implementation to eliminate phase lag. Operates on 3 translational and 3 rotational velocity channels independently. Implemented as fixed-point arithmetic to guarantee deterministic latency under 0.5ms. |
| Ultrasonic Energy Module | 54D51019 | 55.5kHz piezoelectric ultrasonic generator producing mechanical cutting and coagulation energy through a resonant blade delivered via robotic instrument port. Provides 0-100% power in 10 steps. Detects blade temperature via thermocouple to prevent unintended tissue burns from retained blade heat. Shear energy modality with lower thermal spread than RF; preferred for structures within 1mm of critical vessels. Drives the ultrasonic transducer in the instrument drive interface. |
| UPS Battery Module | D6D51058 | 24V sealed lead-acid or Li-Fe battery bank providing emergency backup power for the surgical robot. Rated for 30 minutes at full system load to allow controlled procedure completion and safe shutdown. Monitored for state of charge, temperature, and capacity by the power management controller. Triggers charging from mains when capacity drops below 80%. Mandatory for IEC 60601-1 emergency power requirements. |
| Vision and Imaging Subsystem | 54F57018 | Captures and processes 3D HD surgical imagery for the surgeon display. Comprises dual-channel 4K laparoscopic endoscope (Karl Storz style), stereo camera head, high-bandwidth cable to CCU, video processing unit performing synchronisation, colour correction, 3D reconstruction, and overlay rendering. Outputs to surgeon 3D display and records to NAS. Latency target: <100ms end-to-end. Also hosts fluorescence overlay mode (ICG imaging). |
| Vision and Imaging System | D4FD7019 | 3D high-definition endoscopic imaging subsystem. Dual-channel 10mm 3D endoscope with 2x 1080p/60Hz CMOS sensors separated 8mm for stereoscopic depth. Image processor handles real-time demosaicing, colour correction, distortion correction, and stereo synchronisation. Outputs independent left/right video streams to Surgeon Console display at <50ms latency. Provides near-infrared fluorescence imaging mode using ICG dye for tissue perfusion assessment. Camera arm servo maintains endoscope orientation on command. Sterile draping of camera arm required. |
| Voice Command Module | D5FD7018 | Embedded speech recognition module in the Surgeon Input Console. Microphone array with beamforming (4 microphones, cardioid pattern) mounted in the binocular viewer shroud to capture surgeon speech during procedure. Runs an on-device neural network inference engine (no cloud dependency) with a surgical vocabulary of approximately 200 commands: instrument name, procedure step markers, endoscope commands, system mode changes. Latency requirement: <200ms from speech onset to command dispatch. Must operate in typical OR acoustic environment with background noise up to 65dB SPL. Sends recognized commands to Console Computer via USB audio and command bus. |
| Watchdog Timer Controller | D6B53A08 | Dedicated hardware safety processor (separate from main compute) implementing independent watchdog timers for each axis controller and the main supervisory CPU. Configured for 250ms timeout per channel. Arm position held on watchdog expiry; requires active heartbeat from motion control to remain enabled. Hardware-based — cannot be disabled by software. |
| Workspace Safety Enforcer | 51B73818 | Cartesian and joint-space safety boundary enforcement component running inline in Motion Control pipeline before servo commands are issued. Enforces: joint angle limits (hard stops minus 5-degree software margin), Cartesian workspace boundary (no-go zones around trocar insertion point and patient anatomy model), and instrument-tissue force limits (5N warning, 8N cutoff). Checks run at 1kHz; any violation triggers immediate clutch disengagement and alert to Safety and Watchdog System. Implements trocar-pivoting constraint to prevent lateral force on abdominal wall. |
| Component | Belongs To |
|---|---|
| Surgeon Console | Surgical Robot System |
| Patient-Side Cart | Surgical Robot System |
| Motion Control System | Surgical Robot System |
| Vision and Imaging System | Surgical Robot System |
| Surgical Instrument System | Surgical Robot System |
| Safety and Watchdog System | Surgical Robot System |
| Energy Delivery System | Surgical Robot System |
| Communication and Data Management System | Surgical Robot System |
| Safety and Interlock Subsystem | Surgical Robot System |
| Surgeon Input Console | Surgical Robot System |
| Instrument Drive Unit | Surgical Instrument System |
| Vision and Imaging Subsystem | Surgical Robot System |
| Motion Control and Scaling Subsystem | Surgical Robot System |
| Haptic Feedback Subsystem | Surgical Robot System |
| Power Management Subsystem | Surgical Robot System |
| Watchdog Timer Controller | Safety and Interlock Subsystem |
| Emergency Stop Chain | Safety and Interlock Subsystem |
| Joint Force Monitor | Safety and Interlock Subsystem |
| Communication Monitor | Safety and Interlock Subsystem |
| Safe State Manager | Safety and Interlock Subsystem |
| Kinematics Engine | Motion Control System |
| Tremor Rejection Filter | Motion Control System |
| Motion Scaling Module | Motion Control System |
| Joint Servo Controller | Motion Control System |
| Workspace Safety Enforcer | Motion Control System |
| Real-Time Compute Node | Motion Control System |
| Stereo Endoscope | Vision and Imaging System |
| Camera Control Unit | Vision and Imaging System |
| Surgical Illumination Source | Vision and Imaging System |
| Image Processing Pipeline | Vision and Imaging System |
| Stereoscopic Display System | Vision and Imaging System |
| Procedure Video Recorder | Vision and Imaging System |
| Force Sensing Module | Haptic Feedback Subsystem |
| Haptic Controller | Haptic Feedback Subsystem |
| Master Handle Actuator | Haptic Feedback Subsystem |
| Force Signal Conditioner | Haptic Feedback Subsystem |
| Inter-Cart Fibre Link | Communication and Data Management System |
| Real-Time Protocol Engine | Communication and Data Management System |
| Procedure Data Recorder | Communication and Data Management System |
| Network Management Controller | Communication and Data Management System |
| Instrument Recognition Module | Surgical Instrument System |
| Sterile Adapter | Surgical Instrument System |
| Cable Tensioning System | Surgical Instrument System |
| Instrument Lifecycle Controller | Surgical Instrument System |
| Tool Tip Articulation Controller | Surgical Instrument System |
| Trajectory Generator | Motion Control System |
| Main Power Distribution Unit | Power Management Subsystem |
| Auxiliary Power Supply | Power Management Subsystem |
| UPS Battery Module | Power Management Subsystem |
| Power Sequencing Controller | Power Management Subsystem |
| Electrosurgical Generator | Energy Delivery System |
| Ultrasonic Energy Module | Energy Delivery System |
| Energy Delivery Controller | Energy Delivery System |
| Return Electrode Monitor | Energy Delivery System |
| Tissue Effect Monitor | Energy Delivery System |
| Foot Pedal Array | Surgeon Input Console |
| Surgeon Interface Panel | Surgeon Input Console |
| Console Computer | Surgeon Input Console |
| Voice Command Module | Surgeon Input Console |
| Arm Positioning System | Surgeon Input Console |
| Watchdog Timer Controller | Safety and Watchdog System |
| Stereo Endoscope | Vision and Imaging Subsystem |
| Camera Control Unit | Vision and Imaging Subsystem |
| Surgical Illumination Source | Vision and Imaging Subsystem |
| Image Processing Pipeline | Vision and Imaging Subsystem |
| Procedure Video Recorder | Vision and Imaging Subsystem |
| Stereoscopic Display System | Vision and Imaging Subsystem |
| Real-Time Protocol Engine | Motion Control System |
| Network Management Controller | Motion Control System |
| Procedure Data Recorder | Motion Control System |
| Inter-Cart Fibre Link | Motion Control System |
| Tremor Rejection Filter | Motion Control and Scaling Subsystem |
| Motion Scaling Module | Motion Control and Scaling Subsystem |
| Trajectory Generator | Motion Control and Scaling Subsystem |
| Kinematics Engine | Motion Control and Scaling Subsystem |
| Joint Servo Controller | Motion Control and Scaling Subsystem |
| Real-Time Compute Node | Motion Control and Scaling Subsystem |
| Workspace Safety Enforcer | Motion Control and Scaling Subsystem |
| Master Handle Actuator Motor Driver | Haptic Feedback Subsystem |
| Backdrive Monitor | Haptic Feedback Subsystem |
| From | To |
|---|---|
| Joint Force Monitor | Motion Control and Scaling Subsystem |
| Emergency Stop Chain | Power Management Subsystem |
| Communication Monitor | Motion Control and Scaling Subsystem |
| Safe State Manager | Surgeon Input Console |
| Safe State Manager | Patient-Side Cart |
| Surgeon Console | Motion Control System |
| Motion Control System | Patient-Side Cart |
| Motion Control System | Safety and Watchdog System |
| Vision and Imaging System | Surgeon Console |
| Surgical Instrument System | Motion Control System |
| Stereo Endoscope | Camera Control Unit |
| Stereo Endoscope | Surgical Illumination Source |
| Camera Control Unit | Image Processing Pipeline |
| Camera Control Unit | Surgical Illumination Source |
| Image Processing Pipeline | Stereoscopic Display System |
| Image Processing Pipeline | Procedure Video Recorder |
| Stereoscopic Display System | Surgeon Console |
| Surgical Illumination Source | Power Management Subsystem |
| Force Sensing Module | Force Signal Conditioner |
| Force Signal Conditioner | Haptic Controller |
| Haptic Controller | Master Handle Actuator |
| Haptic Controller | Safety and Interlock Subsystem |
| Real-Time Protocol Engine | Inter-Cart Fibre Link |
| Network Management Controller | Inter-Cart Fibre Link |
| Network Management Controller | Safety and Interlock Subsystem |
| Procedure Data Recorder | Real-Time Protocol Engine |
| Instrument Recognition Module | Instrument Lifecycle Controller |
| Cable Tensioning System | Instrument Drive Unit |
| Tool Tip Articulation Controller | Instrument Drive Unit |
| Sterile Adapter | Instrument Drive Unit |
| Instrument Lifecycle Controller | Safety and Interlock Subsystem |
| Tremor Rejection Filter | Motion Scaling Module |
| Motion Scaling Module | Trajectory Generator |
| Trajectory Generator | Kinematics Engine |
| Kinematics Engine | Joint Servo Controller |
| Workspace Safety Enforcer | Kinematics Engine |
| Workspace Safety Enforcer | Joint Servo Controller |
| Real-Time Compute Node | Kinematics Engine |
| Real-Time Compute Node | Joint Servo Controller |
| Main Power Distribution Unit | Auxiliary Power Supply |
| Main Power Distribution Unit | Power Sequencing Controller |
| UPS Battery Module | Auxiliary Power Supply |
| Power Sequencing Controller | Emergency Stop Chain |
| Energy Delivery Controller | Electrosurgical Generator |
| Energy Delivery Controller | Ultrasonic Energy Module |
| Return Electrode Monitor | Electrosurgical Generator |
| Tissue Effect Monitor | Electrosurgical Generator |
| Energy Delivery Controller | Safety and Interlock Subsystem |
| Foot Pedal Array | Emergency Stop Chain |
| Foot Pedal Array | Energy Delivery Controller |
| Voice Command Module | Console Computer |
| Console Computer | Real-Time Protocol Engine |
| Arm Positioning System | Console Computer |
| Surgeon Interface Panel | Console Computer |
| Console Computer | Inter-Cart Fibre Link |
| Inter-Cart Fibre Link | Real-Time Protocol Engine |
| Real-Time Protocol Engine | Tremor Rejection Filter |
| Network Management Controller | Joint Servo Controller |
| Real-Time Compute Node | Procedure Data Recorder |
| Real-Time Compute Node | Tremor Rejection Filter |
| UPS Battery Module | Main Power Distribution Unit |
| Power Sequencing Controller | Auxiliary Power Supply |
| Haptic Controller | Master Handle Actuator Motor Driver |
| Real-Time Protocol Engine | Procedure Data Recorder |
| Component | Output |
|---|---|
| Watchdog Timer Controller | brake enable/disable signal per axis |
| Emergency Stop Chain | hardwired servo de-energise signal |
| Joint Force Monitor | per-axis force violation alert |
| Communication Monitor | link quality status and loss-of-comms event |
| Safe State Manager | system safety state broadcast |
| Stereo Endoscope | raw stereo video (dual 1080p Bayer-pattern) |
| Camera Control Unit | synchronised stereo 1080p60 corrected video |
| Surgical Illumination Source | visible and NIR surgical field illumination |
| Image Processing Pipeline | processed stereo video with AR overlay |
| Stereoscopic Display System | stereoscopic 3D visual presentation |
| Procedure Video Recorder | archived procedure video with synchronised event data |
| Force Sensing Module | raw force/torque measurements |
| Haptic Controller | master actuator torque commands |
| Master Handle Actuator | force feedback to surgeon |
| Force Signal Conditioner | conditioned digitised force signal |
| Real-Time Protocol Engine | deterministic control frames |
| Procedure Data Recorder | procedure audit record |
| Network Management Controller | link health status |
| Instrument Recognition Module | instrument identity and calibration data |
| Tool Tip Articulation Controller | cable displacement commands |
| Cable Tensioning System | tension anomaly alerts |
| Instrument Lifecycle Controller | instrument lockout decisions |
| Trajectory Generator | interpolated Cartesian pose setpoints at 1kHz |
| Electrosurgical Generator | high-frequency RF energy (300kHz-3MHz, up to 400W monopolar/80W bipolar) |
| Ultrasonic Energy Module | 55.5kHz ultrasonic cutting/coagulation energy via resonant blade |
| Energy Delivery Controller | activation decisions and power-level commands to energy generators |
| Return Electrode Monitor | patient pad contact quality status and monopolar enable/inhibit signal |
| Tissue Effect Monitor | vessel seal endpoint detection and tissue state feedback at 1kHz |
| Foot Pedal Array | energy activation signal |
| Foot Pedal Array | clutch command |
| Force Sensing Module | six-axis force/torque analog signal |
| Force Signal Conditioner | digitised force/torque EtherCAT frame at 1kHz |
| Haptic Controller | per-joint torque setpoints at 1kHz |
| Master Handle Actuator | rendered force feedback torque at surgeon handle |
| Force Sensing Module | six-axis force/torque measurement |
| Force Signal Conditioner | digitised 16-bit six-axis force vector at 1kHz |
| Haptic Controller | per-joint torque commands at 1kHz |
| Backdrive Monitor | backdrive fault signal |
| Source | Target | Type | Description |
|---|---|---|---|
| SYS-MAIN-015 | ARC-MAIN-020 | derives | PDR DMA shared memory architecture derives from 1kHz data recording requirement |
| SYS-MAIN-002 | ARC-MAIN-020 | derives | Dual-redundant fibre topology derives from single-point failure detection requirement |
| SYS-MAIN-002 | ARC-MAIN-019 | derives | Verification coverage architecture derives from system safety detection requirement |
| SYS-MAIN-001 | ARC-MAIN-018 | derives | Linear pipeline topology derives from 1ms end-to-end latency requirement |
| SYS-MAIN-002 | ARC-MAIN-015 | derives | FPGA/algorithm separation architecture supports single-point-failure safe-state |
| ARC-MAIN-014 | SYS-MAIN-004 | derives | ARC-MAIN-014 is the enabling architecture for haptic force sensing in SYS-MAIN-004 |
| ARC-MAIN-012 | SYS-MAIN-010 | derives | ARC-MAIN-012 supports emergency stop architecture as required by SYS-MAIN-010 |
| ARC-MAIN-009 | SYS-MAIN-017 | derives | ARC-MAIN-009 records design rationale supporting electrosurgical energy delivery |
| ARC-MAIN-008 | SYS-MAIN-002 | derives | Isolated safety power supply architecture derives from single-point failure safety requirement |
| ARC-MAIN-007 | SYS-MAIN-001 | derives | Dedicated trajectory generator derives from control loop latency and motion safety requirement |
| ARC-MAIN-006 | SYS-MAIN-014 | derives | Cable-driven remote motor architecture derives from sterilisation compatibility requirement |
| ARC-MAIN-005 | SYS-MAIN-007 | derives | FPGA real-time communications architecture derives from motion command latency requirement |
| ARC-MAIN-004 | SYS-MAIN-004 | derives | Galvanic isolation at force conditioner derives from instrument-tissue force measurement requirement |
| ARC-MAIN-003 | SYS-MAIN-003 | derives | FPGA image pipeline architecture derives from stereo HD video latency requirement |
| ARC-MAIN-002 | SYS-MAIN-009 | derives | Cartesian-space pipeline with tremor filter stage derives from tremor attenuation requirement |
| ARC-MAIN-001 | SYS-MAIN-002 | derives | Safety processor architecture derives from single-point failure detection requirement |
| SYS-MAIN-019 | VER-MAIN-127 | derives | EMC system requirement is verified by accredited lab test |
| SUB-MAIN-128 | VER-MAIN-129 | derives | Alarm management requirement verified by per-condition IEC 60601-1-8 compliance test |
| SUB-MAIN-127 | VER-MAIN-128 | derives | Inter-arm collision avoidance requirement verified by HIL convergence test |
| REQ-SESURGICALROBOT-029 | REQ-SESURGICALROBOT-032 | derives | Kinematic engine authentication verification |
| REQ-SESURGICALROBOT-030 | REQ-SESURGICALROBOT-033 | derives | Trajectory Generator envelope verification procedure |
| REQ-SESURGICALROBOT-031 | REQ-SESURGICALROBOT-034 | derives | RTP Engine PTP authentication test procedure |
| SYS-MAIN-007 | IFC-MAIN-040 | derives | System-level command transmission latency drives CC-to-ICFL frame format and timing |
| SYS-MAIN-001 | IFC-MAIN-039 | derives | SIP-CC EtherCAT interface derives from system <1ms motion scaling requirement |
| SYS-MAIN-007 | IFC-MAIN-037 | derives | Console-to-RTPE session interface derives from system motion command transmission requirement |
| SYS-MAIN-002 | IFC-MAIN-029 | derives | Power-to-E-stop interface derived from single-point failure requirement |
| SYS-MAIN-002 | IFC-MAIN-009 | derives | System safety safe-state requirement → SIS to Motion Control stop command interface |
| SYS-MAIN-002 | IFC-MAIN-023 | derives | System fault detection and safe state → lifecycle lockout to safe state manager interface |
| SYS-MAIN-001 | IFC-MAIN-022 | derives | System motion precision → TTAC to IDU cable displacement command interface |
| SYS-MAIN-002 | IFC-MAIN-021 | derives | System safety fault detection → cable tension to SIS monitoring interface |
| SYS-MAIN-001 | IFC-MAIN-020 | derives | System precision requirement → instrument recognition to TTAC data interface |
| SYS-MAIN-003 | IFC-MAIN-008 | derives | Vision-to-console interface derives from stereo video display requirement |
| SYS-MAIN-007 | IFC-MAIN-006 | derives | Motion Control to Patient-Side Cart interface derives from command transmission requirement |
| SYS-MAIN-015 | IFC-MAIN-014 | derives | System recording requirement drives recorder interface specification |
| SYS-MAIN-003 | IFC-MAIN-013 | derives | Stereo video requirement drives display interface specification |
| SYS-MAIN-003 | IFC-MAIN-010 | derives | Stereo video requirement drives endoscope-CCU interface specification |
| SYS-MAIN-013 | SUB-MAIN-044 | derives | Power sequencing derived from 8-hour operational duration requirement |
| SYS-MAIN-002 | SUB-MAIN-128 | derives | System single-point failure safe state requirement drives alarm management framework |
| SYS-MAIN-002 | SUB-MAIN-127 | derives | Single-point failure safe-state requirement derives to inter-arm collision avoidance |
| SYS-MAIN-018 | REQ-SESURGICALROBOT-103 | derives | HMAC-SHA256 implementation of SYS-level cryptographic authentication mandate |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-102 | derives | Regulatory compliance basis for workspace safety enforcement |
| SYS-MAIN-001 | SUB-MAIN-116 | derives | MCS distributed electronics chassis derives from motion latency requirement |
| SYS-MAIN-001 | SUB-MAIN-115 | derives | RTCN physical co-location derives from 1ms motion latency requirement |
| SYS-MAIN-002 | SUB-MAIN-114 | derives | PMS physical housing derives from power fault resilience requirement |
| SYS-MAIN-015 | SUB-MAIN-113 | derives | PDR physical embodiment (duplicate - see SUB-MAIN-112) |
| SYS-MAIN-015 | SUB-MAIN-112 | derives | PDR physical form derives from system-level recording requirement |
| SYS-MAIN-014 | SUB-MAIN-125 | derives | Console disinfectant compatibility derives from system-level surface compatibility req |
| SYS-MAIN-004 | SUB-MAIN-121 | derives | HFS redundancy derives from instrument force sensing system req |
| SYS-MAIN-002 | SUB-MAIN-120 | derives | RTPE redundancy derives from single-point failure detection system req |
| SYS-MAIN-018 | SUB-MAIN-126 | derives | CDMS cryptographic auth derives from system-level message authentication req |
| SYS-MAIN-003 | SUB-MAIN-122 | derives | Stereoscopic display VAC derives from 3D HD video system req |
| SYS-MAIN-007 | SUB-MAIN-124 | derives | MHA force reflection derives from master manipulator system req |
| SYS-MAIN-001 | SUB-MAIN-123 | derives | MSM scaling ratio workflow derives from motion scaling system req |
| SYS-MAIN-001 | SUB-MAIN-118 | derives | MSM IEC 80601-2-77 compliance derives from motion scaling system req |
| SYS-MAIN-006 | SUB-MAIN-111 | derives | Sterile-field IPA compatibility derives from system disinfectant compatibility mandate |
| SYS-MAIN-005 | REQ-SESURGICALROBOT-097 | derives | PMS redundant safety-critical power path derives from 60-second holdover mandate |
| SYS-MAIN-004 | REQ-SESURGICALROBOT-096 | derives | Haptic actuator channel failover derives from force feedback fidelity requirement |
| SYS-MAIN-007 | REQ-SESURGICALROBOT-095 | derives | Time Protocol Engine redundancy derives from inter-subsystem synchronisation mandate |
| SYS-MAIN-006 | REQ-SESURGICALROBOT-093 | derives | PMS Type BF galvanic isolation derives from sterile-field patient safety requirement |
| SYS-MAIN-008 | REQ-SESURGICALROBOT-092 | derives | Motion Scaling Module DHF requirement derives from selectable scaling mandate |
| SYS-MAIN-012 | REQ-SESURGICALROBOT-091 | derives | Workspace Safety Enforcer SIL certification derives from 5N tissue force limit mandate |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-090 | derives | Motion Control System IEC 62304 software lifecycle derives from single-point failure detection mandate |
| SYS-MAIN-007 | REQ-SESURGICALROBOT-089 | derives | Time Compute Node M.2 hardware module derives from inter-subsystem latency requirement |
| SYS-MAIN-001 | REQ-SESURGICALROBOT-088 | derives | MCS physical architecture derives from <1ms end-to-end latency mandate |
| SYS-MAIN-005 | REQ-SESURGICALROBOT-087 | derives | PMS physical LRU separation derives from post-power-loss operational mandate |
| SYS-MAIN-015 | REQ-SESURGICALROBOT-086 | derives | PDR physical housing requirement derives from system recording mandate |
| SYS-MAIN-015 | REQ-SESURGICALROBOT-086 | derives | PDR physical housing requirement derives from system recording mandate |
| SYS-MAIN-003 | REQ-SESURGICALROBOT-099 | derives | System video specification → VIS subsystem delivery requirement |
| SYS-MAIN-018 | REQ-SESURGICALROBOT-098 | derives | System-level crypto auth mandate → CDMS HMAC implementation |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-094 | derives | SYS fault coverage → PDR redundancy |
| SYS-MAIN-015 | SUB-MAIN-110 | derives | PDR cryptographic hash derives from procedure data recording and integrity requirement |
| SYS-MAIN-001 | SUB-MAIN-108 | derives | Strict-priority traffic shaping derives from end-to-end control loop latency requirement |
| SYS-MAIN-002 | SUB-MAIN-107 | derives | NMC link health classification derives from failure detection requirement |
| SYS-MAIN-002 | SUB-MAIN-106 | derives | RTPE frame loss detection derives from single-point failure detection requirement |
| SYS-MAIN-015 | SUB-MAIN-109 | derives | PDR throughput requirement derives from 8-hour 1kHz recording mandate |
| SYS-MAIN-018 | SUB-MAIN-105 | derives | Frame-level HMAC authentication derives from cryptographic authentication requirement |
| SYS-MAIN-002 | SUB-MAIN-104 | derives | Fibre link redundancy and failover derives from single-point failure detection requirement |
| SYS-MAIN-001 | SUB-MAIN-103 | derives | Fibre link latency budget derives from 1ms end-to-end control loop requirement |
| SYS-MAIN-005 | SUB-MAIN-102 | derives | PMS IEC 60601-1 compliance derives from system power continuity safety requirement |
| SYS-MAIN-007 | REQ-SESURGICALROBOT-047 | derives | Console Computer regulatory qualification derived from motion command system requirement |
| SYS-MAIN-012 | REQ-SESURGICALROBOT-046 | derives | Workspace safety enforcer compliance derives from system force limit requirement |
| SYS-MAIN-007 | REQ-SESURGICALROBOT-045 | derives | IEC 62304 Class C software requirement derives from system motion transmission accuracy requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-044 | derives | Interlock SIL 3 compliance derives from system safety requirement for single-point failure response |
| SYS-MAIN-015 | REQ-SESURGICALROBOT-043 | derives | Data recorder redundancy derives from system-level comprehensive recording requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-042 | derives | Power UPS transfer requirement derives from system single-point failure requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-041 | derives | Time protocol engine redundancy derives from system-level single-point failure requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-040 | derives | Haptic redundancy requirement derives from system-level single-point failure requirement |
| SYS-MAIN-018 | SUB-MAIN-101 | derives | SYS-018 cybersecurity auth cascades to SUB-MAIN-101 |
| SYS-MAIN-018 | SUB-MAIN-100 | derives | SYS-018 cybersecurity auth cascades to SUB-MAIN-100 |
| SYS-MAIN-018 | SUB-MAIN-099 | derives | SYS-018 cybersecurity auth cascades to SUB-MAIN-099 |
| SYS-MAIN-018 | SUB-MAIN-098 | derives | Cybersecurity auth cascades to TTAC |
| SYS-MAIN-018 | SUB-MAIN-101 | derives | Cybersecurity auth requirement cascades to SUB-MAIN-101 |
| SYS-MAIN-018 | SUB-MAIN-100 | derives | Cybersecurity auth requirement cascades to SUB-MAIN-100 |
| SYS-MAIN-018 | SUB-MAIN-099 | derives | Cybersecurity auth requirement cascades to SUB-MAIN-099 |
| SYS-MAIN-018 | SUB-MAIN-098 | derives | Cybersecurity auth requirement cascades to SUB-MAIN-098 |
| SYS-MAIN-007 | SUB-MAIN-097 | derives | Motion command integrity requirement drives cybersecurity authentication |
| SYS-MAIN-004 | SUB-MAIN-096 | derives | Tissue force measurement mandate drives haptic degraded-mode specification |
| SYS-MAIN-016 | SUB-MAIN-095 | derives | System degraded-mode requirement drives console failover design |
| SYS-MAIN-002 | SUB-MAIN-094 | derives | Single-point failure detection drives IEC 62304 Class C classification for motion control software |
| SYS-MAIN-002 | SUB-MAIN-093 | derives | System single-point failure detection derives SIS SIL 3 compliance |
| SYS-MAIN-005 | SUB-MAIN-092 | derives | Auxiliary Power Supply spec derives from safety circuit continuity requirement |
| SYS-MAIN-005 | SUB-MAIN-090 | derives | UPS SOC reporting derives from system power continuity requirement |
| SYS-MAIN-005 | SUB-MAIN-091 | derives | PSC mains-loss transfer derives directly from system UPS continuity requirement |
| SYS-MAIN-005 | SUB-MAIN-088 | derives | PDU branch circuit requirements derive from system power integrity requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-031 | derives | RTP Engine timing authentication derives from communication-loss safe-state requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-030 | derives | Trajectory Generator envelope verification derives from single-point-failure safe-state requirement |
| SYS-MAIN-002 | REQ-SESURGICALROBOT-029 | derives | Kinematics Engine command authentication derives from software-exception safe-state requirement |
| SYS-MAIN-009 | SUB-MAIN-081 | derives | Tremor monitoring and logging derives from system tremor attenuation requirement |
| SYS-MAIN-007 | SUB-MAIN-087 | derives | MC&S command authentication requirement derived from motion command integrity need |
| SYS-MAIN-005 | SUB-MAIN-086 | derives | Real-Time Compute Node thermal management derives from degraded operation continuity requirement |
| SYS-MAIN-010 | SUB-MAIN-085 | derives | JSC fault isolation and brake engagement derives from system safe-stop requirement |
| SYS-MAIN-007 | SUB-MAIN-084 | derives | Kinematics Engine singularity handling derives from end-to-end latency and motion fidelity requirement |
| SYS-MAIN-005 | SUB-MAIN-083 | derives | WSE degraded mode derives from system degraded operation requirement |
| SYS-MAIN-001 | SUB-MAIN-082 | derives | Workspace safety enforcement derives from system precision and safety requirements |
| SYS-MAIN-009 | SUB-MAIN-080 | derives | Tremor filter cutoff and attenuation spec derived from system tremor requirement |
| SYS-MAIN-006 | SUB-MAIN-079 | derives | System-level patient safety/sterile compliance drives galvanic isolation requirement |
| SYS-MAIN-007 | SUB-MAIN-078 | derives | System-level transmission latency mandate requires transparent fibre failover |
| SYS-MAIN-015 | SUB-MAIN-076 | derives | System-level data recording mandate drives PDR dual-mirror NVMe integrity requirement |
| SYS-MAIN-002 | SUB-MAIN-073 | derives | System-level single-fault detection drives NMC clock synchronisation accuracy |
| SYS-MAIN-007 | SUB-MAIN-077 | derives | System-level command transmission latency cascades to fibre link propagation budget |
| SYS-MAIN-015 | SUB-MAIN-075 | derives | System-level 1kHz recording mandate drives PDR sample rate and write latency |
| SYS-MAIN-016 | SUB-MAIN-074 | derives | System degraded-mode arm isolation cascades to NMC per-node fault containment |
| SYS-MAIN-010 | SUB-MAIN-072 | derives | System-level emergency stop response drives RTPE comms-loss controlled halt |
| SYS-MAIN-001 | SUB-MAIN-071 | derives | System end-to-end latency budget cascades to RTPE frame jitter ceiling |
| SYS-MAIN-002 | SUB-MAIN-070 | derives | Console computer safe-hold on exception derives from system single-point failure detection requirement |
| SYS-MAIN-002 | SUB-MAIN-069 | derives | Console computer IEC 62304 Class C compliance derives from system safety integrity requirements |
| SYS-MAIN-002 | SUB-MAIN-059 | derives | Arm positioning lockout during OPERATIONAL state derives from safe-state requirements |
| SYS-MAIN-010 | SUB-MAIN-055 | derives | Foot pedal CAN latency derives from E-stop command propagation requirement |
| SYS-MAIN-002 | SUB-MAIN-068 | derives | Handle disengagement detection derives from single-point failure detection requirement |
| SYS-MAIN-004 | SUB-MAIN-067 | derives | SIP haptic force rendering derives from system force sensing and feedback requirement |
| SYS-MAIN-001 | SUB-MAIN-066 | derives | SIP 1kHz pose rate derives from system <1ms motion scaling requirement |
| REQ-SESURGICALROBOT-024 | SYS-MAIN-002 | derives | Console Computer network isolation supports fault prevention required by SYS-MAIN-002 |
| SUB-MAIN-065 | SYS-MAIN-002 | derives | SUB-MAIN-065 IEC 60601-1 compliance is the regulatory path for Haptic subsystem safety |
| SYS-MAIN-016 | SUB-MAIN-061 | derives | Voice module failure degraded mode derives from system degraded operation requirement |
| SYS-MAIN-002 | SUB-MAIN-060 | derives | Console startup self-test derives from system fault detection requirement |
| SYS-MAIN-007 | SUB-MAIN-057 | derives | Voice command dispatch latency derives from surgeon input transmission requirement |
| SYS-MAIN-007 | SUB-MAIN-056 | derives | Voice command recognition derives from surgeon input transmission requirement |
| SYS-MAIN-001 | SUB-MAIN-064 | derives | Backdrive compliance derives from motion scaling requirement — transparent kinaesthetic operation required for 1:1 to 10:1 scaling modes |
| SYS-MAIN-004 | SUB-MAIN-063 | derives | Stability requirement derives from system force measurement requirement — unstable haptic loop corrupts the force measurement and feedback chain |
| SYS-MAIN-004 | SUB-MAIN-062 | derives | SIL2 integrity requirement for haptic controller derives from system force measurement safety requirement |
| SYS-MAIN-015 | SUB-MAIN-058 | derives | System recording requirement derives console authentication logging |
| SYS-MAIN-010 | SUB-MAIN-055 | derives | E-stop system requirement derives foot pedal latency requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-023 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-022 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-021 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-020 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-019 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-018 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-013 | REQ-SESURGICALROBOT-017 | derives | Power supply specification derived from 8-hour operational requirement |
| SYS-MAIN-017 | SUB-MAIN-053 | derives | Activation timeout safety derived from controlled energy delivery requirement |
| SYS-MAIN-017 | SUB-MAIN-052 | derives | Tissue effect monitoring derived from controlled energy delivery requirement |
| SYS-MAIN-017 | SUB-MAIN-050 | derives | Mutual exclusion safety derived from energy delivery system requirement |
| SYS-MAIN-017 | SUB-MAIN-049 | derives | Ultrasonic energy specification derived from energy delivery system requirement |
| SYS-MAIN-017 | SUB-MAIN-048 | derives | Activation/deactivation latency derived from energy delivery system requirement |
| SYS-MAIN-017 | SUB-MAIN-047 | derives | RF power specification derived from energy delivery system requirement |
| SYS-MAIN-003 | SUB-MAIN-046 | derives | Video integrity safety constraint derived from stereo HD video system requirement |
| SYS-MAIN-002 | SUB-MAIN-001 | derives | SYS fault response → SIS joint force monitoring |
| SYS-MAIN-002 | SUB-MAIN-002 | derives | SYS fault response → SIS communication loss detection |
| SYS-MAIN-002 | SUB-MAIN-003 | derives | SYS fault response time budget → SIS end-to-end safe state timing |
| SYS-MAIN-007 | SUB-MAIN-006 | derives | System latency → MC computation budget |
| SYS-MAIN-009 | SUB-MAIN-007 | derives | System tremor spec → MC tremor filter |
| SYS-MAIN-010 | SUB-MAIN-011 | derives | E-stop spec → RT watchdog spec |
| SYS-MAIN-012 | SUB-MAIN-010 | derives | System force limit → workspace enforcer |
| SYS-MAIN-002 | SUB-MAIN-012 | derives | SYS fault response → SIS automatic initiation (no operator dependency) |
| SYS-MAIN-002 | SUB-MAIN-004 | derives | SYS fault response → SIS watchdog physical isolation architecture |
| SYS-MAIN-002 | SUB-MAIN-005 | derives | SYS fault response → SIS hardwired E-stop chain |
| SYS-MAIN-003 | SUB-MAIN-013 | derives | System stereo video requirement drives endoscope optical resolution |
| SYS-MAIN-003 | SUB-MAIN-014 | derives | Stereoscopic video quality requires CCU inter-channel synchronisation |
| SYS-MAIN-003 | SUB-MAIN-017 | derives | Stereoscopic video quality requires low display crosstalk |
| SYS-MAIN-002 | SUB-MAIN-019 | derives | Failure detection cascades to vision graceful degradation |
| SYS-MAIN-015 | SUB-MAIN-018 | derives | System recording requirement drives video recorder duration and sync |
| SYS-MAIN-003 | SUB-MAIN-016 | derives | Stereo video requirement drives IPP latency budget |
| SYS-MAIN-011 | SUB-MAIN-020 | derives | Multimodal surgical visualization drives NIR fluorescence capability |
| SYS-MAIN-011 | SUB-MAIN-021 | derives | Multimodal surgical visualization drives CCU enhancement modes |
| SYS-MAIN-004 | SUB-MAIN-022 | derives | Force measurement resolution allocation to Haptic Feedback Subsystem |
| SYS-MAIN-001 | SUB-MAIN-023 | derives | Haptic latency budget derived from end-to-end control loop timing |
| SYS-MAIN-012 | SUB-MAIN-024 | derives | Master handle force limit derived from system instrument tip force constraint |
| SYS-MAIN-002 | SUB-MAIN-026 | derives | Haptic fault containment derived from single-point failure detection requirement |
| SYS-MAIN-004 | SUB-MAIN-022 | derives | Force measurement resolution allocation |
| SYS-MAIN-001 | SUB-MAIN-027 | derives | Comms latency budget derives from end-to-end 1ms control loop |
| SYS-MAIN-002 | SUB-MAIN-028 | derives | Comms failover timing derives from single-point failure handling requirement |
| SYS-MAIN-015 | SUB-MAIN-029 | derives | Procedure data recording derives from system-level data logging requirement |
| SYS-MAIN-006 | SUB-MAIN-025 | derives | Galvanic isolation derives from sterile field safety requirement |
| SYS-MAIN-007 | SUB-MAIN-030 | derives | Frame-level error recovery derives from command transmission integrity requirement |
| SYS-MAIN-001 | SUB-MAIN-008 | derives | Kinematics engine computation derives from motion control latency requirement |
| SYS-MAIN-001 | SUB-MAIN-009 | derives | Joint servo tracking error derives from motion control precision requirement |
| SYS-MAIN-003 | SUB-MAIN-015 | derives | Illumination regulation derives from video quality requirement |
| SYS-MAIN-014 | SUB-MAIN-032 | derives | System instrument exchange requirement derives recognition speed sub-budget |
| SYS-MAIN-001 | SUB-MAIN-033 | derives | System motion scaling derives instrument tip accuracy allocation |
| SYS-MAIN-012 | SUB-MAIN-034 | derives | System force limit derives cable tension monitoring requirement |
| SYS-MAIN-006 | SUB-MAIN-035 | derives | System sterilisation requirement derives sterile adapter integrity spec |
| SYS-MAIN-016 | SUB-MAIN-038 | derives | System degraded mode derives instrument-level cable anomaly response |
| SYS-MAIN-001 | SUB-MAIN-036 | derives | System motion precision → TTAC cable displacement computation requirement |
| SYS-MAIN-002 | SUB-MAIN-037 | derives | System single-fault detection → instrument lifecycle overuse prevention requirement |
| SYS-MAIN-008 | SUB-MAIN-040 | derives | Motion Scaling Module implements the selectable ratio capability |
| SYS-MAIN-001 | SUB-MAIN-040 | derives | Scaling accuracy contributes to tip repeatability budget |
| SYS-MAIN-007 | SUB-MAIN-039 | derives | Trajectory Generator 1kHz rate contributes to end-to-end latency budget |
| SYS-MAIN-002 | SUB-MAIN-041 | derives | Trajectory Generator clamp implements per-stage fault detection for motion violations |
| SYS-MAIN-012 | SUB-MAIN-041 | derives | Trajectory acceleration limits derive from system-level tissue force safety constraint |
| SYS-MAIN-002 | SUB-MAIN-042 | derives | Motion Scaling Module velocity limit implements per-stage fault detection for input faults |
| SYS-MAIN-005 | SUB-MAIN-043 | derives | UPS 30-min backup derived from 30-min operational capability requirement |
| SYS-MAIN-002 | SUB-MAIN-045 | derives | Aux power isolation derived from single-point failure detection requirement |
| STK-MAIN-003 | SYS-MAIN-019 | derives | EMC compliance requirement derives from OR infrastructure integration stakeholder need |
| STK-MAIN-005 | SYS-MAIN-013 | derives | Ergonomic console operability need → system 8-hour availability requirement |
| STK-MAIN-013 | SYS-MAIN-006 | derives | Rapid sterile instrument exchange → sterility compliance requirement |
| STK-MAIN-003 | SYS-MAIN-015 | derives | OR infrastructure integration need → data recording system requirement |
| STK-MAIN-011 | SYS-MAIN-014 | derives | Sterility need → sterilisation spec |
| STK-MAIN-010 | SYS-MAIN-016 | derives | Safety need → degraded mode |
| STK-MAIN-015 | SYS-MAIN-013 | derives | Availability need → 8h operation |
| STK-MAIN-014 | SYS-MAIN-015 | derives | Data recording need → recording spec |
| STK-MAIN-012 | SYS-MAIN-011 | derives | Visualisation need → video spec |
| STK-MAIN-010 | SYS-MAIN-012 | derives | Safety need → force limit |
| STK-MAIN-010 | SYS-MAIN-010 | derives | Safety need → emergency stop |
| STK-MAIN-009 | SYS-MAIN-009 | derives | Precision need → tremor filtration |
| STK-MAIN-009 | SYS-MAIN-008 | derives | Precision need → motion scaling |
| STK-MAIN-009 | SYS-MAIN-007 | derives | Precision need → latency budget |
| STK-MAIN-004 | SYS-MAIN-006 | derives | STK sterile field → SYS sterile compliance |
| STK-MAIN-002 | SYS-MAIN-005 | derives | STK safety → SYS power continuity |
| STK-MAIN-001 | SYS-MAIN-004 | derives | STK precision → SYS force sensing resolution |
| STK-MAIN-001 | SYS-MAIN-003 | derives | STK precision → SYS imaging quality |
| STK-MAIN-002 | SYS-MAIN-002 | derives | STK patient safety → SYS fault response requirement |
| STK-MAIN-001 | SYS-MAIN-001 | derives | STK precision need → SYS motion scaling and latency spec |
| Requirement | Verified By | Type | Description |
|---|---|---|---|
| SYS-MAIN-019 | VER-MAIN-126 | verifies | SYS-MAIN-019 → VER-MAIN-126: EMC compliance requirement verified by accredited lab test campaign |
| SYS-MAIN-001 | VER-MAIN-084 | verifies | End-to-end teleoperation chain test against SYS-MAIN-001 latency |
| SYS-MAIN-009 | VER-MAIN-070 | verifies | End-to-end pipeline test also validates tremor attenuation at system level |
| SYS-MAIN-001 | VER-MAIN-070 | verifies | End-to-end MC pipeline test verifies system-level latency and precision requirements |
| SYS-MAIN-001 | VER-MAIN-046 | verifies | End-to-end console-to-tip test verifies surgeon input-to-instrument motion chain |
| SYS-MAIN-017 | VER-MAIN-039 | verifies | End-to-end system integration test for energy delivery |
| SYS-MAIN-001 | VER-MAIN-031 | verifies | End-to-end pipeline test validates system-level motion control performance |
| SYS-MAIN-003 | VER-MAIN-016 | verifies | End-to-end vision chain test verifies system stereo video requirement |
| SYS-MAIN-007 | VER-MAIN-009 | verifies | End-to-end system latency verification test |
| SYS-MAIN-002 | VER-MAIN-005 | verifies | End-to-end safe state verification |
| IFC-MAIN-002 | VER-MAIN-075 | verifies | E-stop hardware de-energisation test for IFC-MAIN-002 |
| IFC-MAIN-048 | VER-MAIN-118 | verifies | Integration test for RTPE to PDR DMA delivery latency |
| IFC-MAIN-047 | VER-MAIN-117 | verifies | Integration test for NMC to SIS COMM_FAULT notification interface |
| IFC-MAIN-002 | VER-MAIN-107 | verifies | IFC-MAIN-002 E-stop interface requirement verified by contactor drop test |
| IFC-MAIN-040 | VER-MAIN-113 | verifies | Console-to-patient-cart command stream latency and continuity test |
| IFC-MAIN-023 | VER-MAIN-112 | verifies | Instrument lockout command delivery and SAFE-HOLD transition test |
| IFC-MAIN-022 | VER-MAIN-111 | verifies | TTAC to IDU cable displacement accuracy test |
| IFC-MAIN-021 | VER-MAIN-110 | verifies | Cable tension data path and lockout integration test |
| IFC-MAIN-007 | VER-MAIN-109 | verifies | Heartbeat interruption SAFE-HOLD test |
| IFC-MAIN-002 | VER-MAIN-108 | verifies | Hardwired E-stop to contactor drop test |
| IFC-MAIN-040 | REQ-SESURGICALROBOT-036 | verifies | Protocol integrity test verifies CC-to-ICFL command frame format compliance |
| IFC-MAIN-001 | VER-MAIN-073 | verifies | Joint force monitoring test verifies SIS-MCS torque interface |
| IFC-MAIN-046 | VER-MAIN-091 | verifies | PSC-AUX mode transition test verifies discrete control interface |
| IFC-MAIN-045 | VER-MAIN-090 | verifies | DC link load test verifies UPS-PDU impedance and current rating |
| IFC-MAIN-044 | VER-MAIN-089 | verifies | CAN bus integration test verifies PDU-PSC interface |
| IFC-MAIN-002 | VER-MAIN-072 | verifies | E-stop de-energisation test (prior session) |
| IFC-MAIN-001 | VER-MAIN-071 | verifies | Additional joint force monitor latency test (prior session) |
| IFC-MAIN-020 | VER-MAIN-088 | verifies | Instrument recognition completeness and rejection test for IFC-MAIN-020 |
| IFC-MAIN-013 | VER-MAIN-087 | verifies | ESG activation and de-activation timing test for IFC-MAIN-013 |
| IFC-MAIN-012 | VER-MAIN-086 | verifies | UPS switchover and sustain test for IFC-MAIN-012 |
| IFC-MAIN-011 | VER-MAIN-085 | verifies | Haptic force rendering latency and accuracy test for IFC-MAIN-011 |
| IFC-MAIN-010 | VER-MAIN-083 | verifies | Stereo endoscope dual-channel sync and SNR test for IFC-MAIN-010 |
| IFC-MAIN-009 | VER-MAIN-082 | verifies | Instrument torque feedback accuracy and rate test for IFC-MAIN-009 |
| IFC-MAIN-008 | VER-MAIN-081 | verifies | Stereo video latency and colour fidelity test for IFC-MAIN-008 |
| IFC-MAIN-007 | VER-MAIN-080 | verifies | Safety heartbeat interruption test for IFC-MAIN-007 |
| IFC-MAIN-006 | VER-MAIN-079 | verifies | 250Hz joint command stream jitter test for IFC-MAIN-006 |
| IFC-MAIN-005 | VER-MAIN-078 | verifies | Surgeon console to motion scaling command latency test for IFC-MAIN-005 |
| IFC-MAIN-004 | VER-MAIN-077 | verifies | Safe State Manager broadcast latency test for IFC-MAIN-004 |
| IFC-MAIN-003 | VER-MAIN-076 | verifies | Fibre link CRC error detection test for IFC-MAIN-003 |
| IFC-MAIN-001 | VER-MAIN-001 | verifies | Integration test for joint torque bus latency and rate |
| IFC-MAIN-002 | VER-MAIN-002 | verifies | Oscilloscope verification of E-stop contactor timing |
| IFC-MAIN-003 | VER-MAIN-003 | verifies | Fault injection test for communication monitor response |
| IFC-MAIN-004 | VER-MAIN-004 | verifies | Protocol analyser test for safe state broadcast latency |
| IFC-MAIN-005 | VER-MAIN-006 | verifies | Integration test for console-MC command interface |
| IFC-MAIN-007 | VER-MAIN-007 | verifies | Fault injection test for MC-Safety heartbeat timeout |
| IFC-MAIN-010 | VER-MAIN-010 | verifies | Integration test for endoscope-CCU HD-SDI interface |
| IFC-MAIN-011 | VER-MAIN-011 | verifies | Integration test for CCU-IPP 3G-SDI interface synchronisation |
| IFC-MAIN-012 | VER-MAIN-012 | verifies | Integration test for CCU-illumination feedback loop latency |
| IFC-MAIN-013 | VER-MAIN-013 | verifies | Integration test for IPP-display interface latency and resolution |
| IFC-MAIN-014 | VER-MAIN-014 | verifies | Endurance test for IPP-recorder interface |
| IFC-MAIN-015 | VER-MAIN-017 | verifies | CMRR test verifies analog FSM-FSC interface |
| IFC-MAIN-016 | VER-MAIN-018 | verifies | SPI latency test verifies digital FSC-HC interface |
| IFC-MAIN-017 | VER-MAIN-019 | verifies | Hardware torque limit test verifies CAN FD HC-MHA interface |
| IFC-MAIN-018 | VER-MAIN-020 | verifies | Peak traffic latency test for Real-Time Protocol Engine / Fibre interface |
| IFC-MAIN-019 | VER-MAIN-021 | verifies | Fibre failover test for Network Management Controller / SIS interface |
| IFC-MAIN-020 | REQ-SESURGICALROBOT-013 | verifies | IFC-MAIN-020 interface verification |
| IFC-MAIN-021 | REQ-SESURGICALROBOT-014 | verifies | IFC-MAIN-021 interface verification |
| IFC-MAIN-022 | REQ-SESURGICALROBOT-015 | verifies | IFC-MAIN-022 interface verification |
| IFC-MAIN-023 | REQ-SESURGICALROBOT-016 | verifies | IFC-MAIN-023 interface verification |
| IFC-MAIN-024 | VER-MAIN-026 | verifies | Integration test for Tremor Filter to Motion Scaling shared-memory interface |
| IFC-MAIN-026 | VER-MAIN-027 | verifies | Ring buffer stress test for Trajectory Generator to Kinematics Engine interface |
| IFC-MAIN-027 | VER-MAIN-028 | verifies | EtherCAT frame delivery timing test for Kinematics Engine to Joint Servo Controller |
| IFC-MAIN-028 | VER-MAIN-029 | verifies | Dynamic boundary update integrity test for Workspace Safety Enforcer to Kinematics Engine |
| IFC-MAIN-025 | VER-MAIN-030 | verifies | Scaling ratio transition test for Motion Scaling to Trajectory Generator interface |
| IFC-MAIN-029 | VER-MAIN-032 | verifies | Integration test for IFC-MAIN-029 under mains loss |
| IFC-MAIN-030 | VER-MAIN-034 | verifies | CAN bus timing and error test for EDC-ESG interface |
| IFC-MAIN-031 | VER-MAIN-035 | verifies | RS-485 telemetry rate test for EDC-UEM interface |
| IFC-MAIN-032 | VER-MAIN-036 | verifies | Hardware interlock line response test for REM-ESG interface |
| IFC-MAIN-033 | VER-MAIN-037 | verifies | Impedance feedback and endpoint detection test for TEM-ESG interface |
| IFC-MAIN-034 | VER-MAIN-038 | verifies | E-STOP response latency test for EDC-Safety interface |
| IFC-MAIN-035 | VER-MAIN-042 | verifies | Integration test for Foot Pedal Array to Energy Delivery Controller interface |
| IFC-MAIN-036 | VER-MAIN-043 | verifies | Integration test for Foot Pedal clutch interface to Motion Control |
| IFC-MAIN-038 | VER-MAIN-044 | verifies | USB traffic analysis to verify no raw audio leaves Voice Command Module |
| IFC-MAIN-037 | VER-MAIN-049 | verifies | USB session management interface integration test |
| IFC-MAIN-039 | VER-MAIN-055 | verifies | EtherCAT bidirectional latency and continuity test |
| IFC-MAIN-041 | VER-MAIN-061 | verifies | Integration test for fibre-to-RTPE frame delivery timing and CRC validity |
| IFC-MAIN-042 | VER-MAIN-062 | verifies | Bench EtherCAT integration test for NMC to Joint Servo Controller interface |
| IFC-MAIN-043 | VER-MAIN-063 | verifies | PCIe DMA soak test verifying Real-Time Compute Node to PDR data integrity |
| IFC-MAIN-025 | VER-MAIN-064 | verifies | Ring-buffer latency and drop test for Motion Scaling to Trajectory Generator interface |
| IFC-MAIN-024 | VER-MAIN-065 | verifies | Integration test for Tremor Rejection Filter output interface |
| IFC-MAIN-025 | VER-MAIN-066 | verifies | Integration test for Motion Scaling to Trajectory Generator interface |
| IFC-MAIN-026 | VER-MAIN-067 | verifies | Integration test for Trajectory Generator to Kinematics Engine pose delivery |
| IFC-MAIN-027 | VER-MAIN-068 | verifies | Integration test for Kinematics Engine to Joint Servo Controller joint setpoint delivery |
| IFC-MAIN-028 | VER-MAIN-069 | verifies | Integration test for Workspace Safety Enforcer to Kinematics Engine proximity constraint channel |
| IFC-MAIN-001 | VER-MAIN-074 | verifies | Joint Force Monitor latency test for IFC-MAIN-001 |
| SUB-MAIN-033 | VER-MAIN-096 | verifies | Instrument drive actuation test verifies DOF performance |
| SUB-MAIN-126 | VER-MAIN-125 | verifies | Packet injection test for CDMS cryptographic authentication |
| SUB-MAIN-122 | VER-MAIN-124 | verifies | Optometric VAC measurement for Stereoscopic Display System |
| SUB-MAIN-121 | VER-MAIN-123 | verifies | Hot-standby switchover test for Haptic Feedback Subsystem |
| SUB-MAIN-120 | VER-MAIN-122 | verifies | Live failover injection test for RTPE dual-path redundancy |
| SUB-MAIN-119 | VER-MAIN-121 | verifies | SIL 2 FTA and FMEA analysis for Workspace Safety Enforcer |
| SUB-MAIN-117 | VER-MAIN-120 | verifies | IEC 60601-1 accredited lab test for Power Management Subsystem |
| SUB-MAIN-111 | VER-MAIN-119 | verifies | IPA immersion test for SUB-MAIN-111 sterile-field disinfectant compatibility |
| REQ-SESURGICALROBOT-097 | REQ-SESURGICALROBOT-101 | verifies | PMS safety domain redundant power verification for REQ-097 |
| REQ-SESURGICALROBOT-094 | REQ-SESURGICALROBOT-100 | verifies | PDR failover verification test for REQ-094 auto-failover requirement |
| SUB-MAIN-077 | REQ-SESURGICALROBOT-085 | verifies | Verification procedure for SUB-MAIN-077 |
| SUB-MAIN-086 | REQ-SESURGICALROBOT-084 | verifies | Verification procedure for SUB-MAIN-086 |
| SUB-MAIN-110 | REQ-SESURGICALROBOT-083 | verifies | Verification procedure for SUB-MAIN-110 |
| SUB-MAIN-109 | REQ-SESURGICALROBOT-082 | verifies | Verification procedure for SUB-MAIN-109 |
| SUB-MAIN-085 | REQ-SESURGICALROBOT-081 | verifies | Verification procedure for SUB-MAIN-085 |
| SUB-MAIN-080 | REQ-SESURGICALROBOT-080 | verifies | Verification procedure for SUB-MAIN-080 |
| SUB-MAIN-073 | REQ-SESURGICALROBOT-079 | verifies | Verification procedure for SUB-MAIN-073 |
| SUB-MAIN-023 | REQ-SESURGICALROBOT-078 | verifies | Verification procedure for SUB-MAIN-023 |
| SUB-MAIN-030 | REQ-SESURGICALROBOT-077 | verifies | Verification procedure for SUB-MAIN-030 |
| SUB-MAIN-049 | REQ-SESURGICALROBOT-076 | verifies | Verification procedure for SUB-MAIN-049 |
| SUB-MAIN-048 | REQ-SESURGICALROBOT-075 | verifies | Verification procedure for SUB-MAIN-048 |
| SUB-MAIN-046 | REQ-SESURGICALROBOT-074 | verifies | Verification procedure for SUB-MAIN-046 |
| SUB-MAIN-045 | REQ-SESURGICALROBOT-073 | verifies | Verification procedure for SUB-MAIN-045 |
| SUB-MAIN-044 | REQ-SESURGICALROBOT-072 | verifies | Verification procedure for SUB-MAIN-044 |
| SUB-MAIN-042 | REQ-SESURGICALROBOT-071 | verifies | Verification procedure for SUB-MAIN-042 |
| SUB-MAIN-041 | REQ-SESURGICALROBOT-070 | verifies | Verification procedure for SUB-MAIN-041 |
| SUB-MAIN-040 | REQ-SESURGICALROBOT-069 | verifies | Verification procedure for SUB-MAIN-040 |
| SUB-MAIN-065 | REQ-SESURGICALROBOT-068 | verifies | Verification procedure for SUB-MAIN-065 |
| SUB-MAIN-053 | REQ-SESURGICALROBOT-067 | verifies | Verification procedure for SUB-MAIN-053 |
| SUB-MAIN-052 | REQ-SESURGICALROBOT-066 | verifies | Verification procedure for SUB-MAIN-052 |
| SUB-MAIN-050 | REQ-SESURGICALROBOT-065 | verifies | Verification procedure for SUB-MAIN-050 |
| SUB-MAIN-047 | REQ-SESURGICALROBOT-064 | verifies | Verification procedure for SUB-MAIN-047 |
| SUB-MAIN-039 | REQ-SESURGICALROBOT-063 | verifies | Verification procedure for SUB-MAIN-039 |
| SUB-MAIN-029 | REQ-SESURGICALROBOT-062 | verifies | Verification procedure for SUB-MAIN-029 |
| SUB-MAIN-027 | REQ-SESURGICALROBOT-061 | verifies | Verification procedure for SUB-MAIN-027 |
| SUB-MAIN-025 | REQ-SESURGICALROBOT-060 | verifies | Verification procedure for SUB-MAIN-025 |
| SUB-MAIN-024 | REQ-SESURGICALROBOT-059 | verifies | Verification procedure for SUB-MAIN-024 |
| SUB-MAIN-022 | REQ-SESURGICALROBOT-058 | verifies | Verification procedure for SUB-MAIN-022 |
| SUB-MAIN-021 | REQ-SESURGICALROBOT-057 | verifies | Verification procedure for SUB-MAIN-021 |
| SUB-MAIN-020 | REQ-SESURGICALROBOT-056 | verifies | Verification procedure for SUB-MAIN-020 |
| SUB-MAIN-018 | REQ-SESURGICALROBOT-055 | verifies | Verification procedure for SUB-MAIN-018 |
| SUB-MAIN-016 | REQ-SESURGICALROBOT-054 | verifies | Verification procedure for SUB-MAIN-016 |
| SUB-MAIN-015 | REQ-SESURGICALROBOT-053 | verifies | Verification procedure for SUB-MAIN-015 |
| SUB-MAIN-012 | REQ-SESURGICALROBOT-052 | verifies | Verification procedure for SUB-MAIN-012 |
| SUB-MAIN-011 | REQ-SESURGICALROBOT-051 | verifies | Verification procedure for SUB-MAIN-011 |
| SUB-MAIN-010 | REQ-SESURGICALROBOT-050 | verifies | Verification procedure for SUB-MAIN-010 |
| SUB-MAIN-107 | VER-MAIN-116 | verifies | Verification of NMC link health classification accuracy |
| SUB-MAIN-104 | VER-MAIN-115 | verifies | Verification of Inter-Cart Fibre Link failover time requirement |
| SUB-MAIN-103 | VER-MAIN-114 | verifies | Verification of Inter-Cart Fibre Link latency requirement |
| REQ-SESURGICALROBOT-042 | REQ-SESURGICALROBOT-049 | verifies | UPS mains dropout test verifies power management redundancy requirement |
| REQ-SESURGICALROBOT-040 | REQ-SESURGICALROBOT-048 | verifies | Haptic redundancy fault injection test verifies REQ-040 |
| SUB-MAIN-101 | VER-MAIN-106 | verifies | Test verifies SUB-MAIN-101 authentication requirement |
| SUB-MAIN-100 | VER-MAIN-105 | verifies | Test verifies SUB-MAIN-100 authentication requirement |
| SUB-MAIN-099 | VER-MAIN-104 | verifies | Test verifies SUB-MAIN-099 authentication requirement |
| SUB-MAIN-098 | VER-MAIN-103 | verifies | Test verifies SUB-MAIN-098 authentication requirement |
| SUB-MAIN-083 | REQ-SESURGICALROBOT-039 | verifies | Degraded-mode fault injection test verifies WSE bounding-box fallback |
| SUB-MAIN-082 | REQ-SESURGICALROBOT-038 | verifies | Proximity enforcement test verifies WSE anatomy boundary protection |
| SUB-MAIN-071 | REQ-SESURGICALROBOT-037 | verifies | TDM cycle-to-cycle jitter test verifies RTPE scheduler timing budget |
| SUB-MAIN-094 | REQ-SESURGICALROBOT-035 | verifies | IEC 62304 Class C qualification inspection procedure verifies SUB-MAIN-094 software lifecycle compliance |
| SUB-MAIN-097 | VER-MAIN-102 | verifies | HMAC penetration test verifies cybersecurity authentication for MCS |
| SUB-MAIN-096 | VER-MAIN-101 | verifies | Haptic FSM link-loss test verifies force-blind degraded mode |
| SUB-MAIN-095 | VER-MAIN-100 | verifies | Watchdog failover fault injection test verifies Console Computer redundancy |
| SUB-MAIN-093 | VER-MAIN-099 | verifies | Independent SIL 3 safety assessment verifies compliance |
| SUB-MAIN-037 | VER-MAIN-098 | verifies | Lifecycle enforcement boundary test verifies use-count rejection |
| SUB-MAIN-036 | VER-MAIN-097 | verifies | Articulation controller cable displacement test verifies tip accuracy |
| SUB-MAIN-006 | VER-MAIN-008 | verifies | Real-time pipeline deadline verification on target hardware |
| SUB-MAIN-019 | VER-MAIN-015 | verifies | Degraded-mode test for vision system single-channel failure |
| SUB-MAIN-028 | VER-MAIN-021 | verifies | Failover test also verifies comms failover timing requirement |
| SUB-MAIN-034 | VER-MAIN-023 | verifies | Cable tensioning requirement verified by frequency sweep and anomaly injection test |
| SUB-MAIN-035 | VER-MAIN-024 | verifies | Sterile adapter requirement verified by endurance and dye penetration test |
| SUB-MAIN-038 | VER-MAIN-025 | verifies | Degraded mode requirement verified by fault injection and isolation test |
| SUB-MAIN-001 | REQ-SESURGICALROBOT-001 | verifies | SIS joint torque threshold detection → bench test procedure |
| SUB-MAIN-003 | REQ-SESURGICALROBOT-003 | verifies | SIS safe-state timing → multi-path E-stop timing test |
| SUB-MAIN-002 | REQ-SESURGICALROBOT-004 | verifies | SIS comm latency detection threshold → fault injection test |
| SUB-MAIN-004 | REQ-SESURGICALROBOT-005 | verifies | Watchdog processor isolation → power interrupt verification |
| SUB-MAIN-005 | REQ-SESURGICALROBOT-006 | verifies | Hardware E-stop series loop → physical break-point tests |
| SUB-MAIN-007 | REQ-SESURGICALROBOT-007 | verifies | Workspace velocity rejection SUB→VER |
| SUB-MAIN-008 | REQ-SESURGICALROBOT-008 | verifies | Kinematics WCET SUB→VER |
| SUB-MAIN-009 | REQ-SESURGICALROBOT-009 | verifies | Servo tracking accuracy SUB→VER |
| SUB-MAIN-013 | REQ-SESURGICALROBOT-010 | verifies | SUB-MAIN-013 optical/display verification |
| SUB-MAIN-014 | REQ-SESURGICALROBOT-011 | verifies | SUB-MAIN-014 optical/display verification |
| SUB-MAIN-017 | REQ-SESURGICALROBOT-012 | verifies | SUB-MAIN-017 optical/display verification |
| SUB-MAIN-032 | VER-MAIN-022 | verifies | Instrument recognition timing requirement → multi-instrument coupling verification |
| SUB-MAIN-043 | VER-MAIN-033 | verifies | Full-load UPS duration test at 80% charge for SUB-MAIN-043 |
| SUB-MAIN-051 | VER-MAIN-040 | verifies | Return electrode monitor threshold and inhibit response test |
| SUB-MAIN-054 | VER-MAIN-041 | verifies | Type CF leakage current test per IEC 60601-1 |
| SUB-MAIN-059 | VER-MAIN-045 | verifies | State-transition lock-out test for Arm Positioning System |
| SUB-MAIN-062 | VER-MAIN-047 | verifies | SIL2 certification assessment verifies haptic controller integrity level |
| SUB-MAIN-063 | VER-MAIN-048 | verifies | Stiffness sweep test verifies haptic stability across full operating envelope |
| REQ-SESURGICALROBOT-024 | REQ-SESURGICALROBOT-025 | verifies | Network isolation VER entry |
| SUB-MAIN-062 | REQ-SESURGICALROBOT-026 | verifies | SIL 2 verification for Haptic Controller |
| SUB-MAIN-063 | REQ-SESURGICALROBOT-027 | verifies | HIL stability test for haptic feedback loop |
| SUB-MAIN-064 | REQ-SESURGICALROBOT-028 | verifies | Master Handle STANDBY backdrive force verification |
| SUB-MAIN-055 | VER-MAIN-050 | verifies | Foot pedal CAN latency mechanical test |
| SUB-MAIN-056 | VER-MAIN-051 | verifies | Voice WER and dispatch latency test |
| SUB-MAIN-057 | VER-MAIN-051 | verifies | Voice dispatch latency covered by combined WER/latency test |
| SUB-MAIN-058 | VER-MAIN-052 | verifies | Authentication demonstration test |
| SUB-MAIN-060 | VER-MAIN-053 | verifies | Console startup self-test timing verification |
| SUB-MAIN-061 | VER-MAIN-054 | verifies | Voice module degraded mode fault injection test |
| SUB-MAIN-066 | VER-MAIN-056 | verifies | SIP pose rate and quantisation spectral test |
| SUB-MAIN-067 | VER-MAIN-057 | verifies | Haptic force rendering step response test |
| SUB-MAIN-068 | VER-MAIN-058 | verifies | Handle disengagement detection latency and propagation test |
| SUB-MAIN-069 | VER-MAIN-059 | verifies | IEC 62304 compliance audit |
| SUB-MAIN-070 | VER-MAIN-060 | verifies | Console failsafe injection test |
| SUB-MAIN-089 | VER-MAIN-092 | verifies | Ground fault injection test verifies PDU leakage detection |
| SUB-MAIN-091 | VER-MAIN-093 | verifies | Mains collapse test verifies PSC transfer timing |
| SUB-MAIN-090 | VER-MAIN-094 | verifies | SoC accuracy and low-battery alert test verifies UPS telemetry requirement |
| SUB-MAIN-092 | VER-MAIN-095 | verifies | Load regulation and battery endurance test verifies AUX PSU spec |
| Ref | Document | Requirement |
|---|---|---|
| SUB-MAIN-031 | subsystem-requirements | The Real-Time Protocol Engine SHALL authenticate all synchronisation messages using IEEE 1588v2 PTP with HMAC-SHA256 mes... |