Surgical Robot Planning Through Governed Speculative Branches

by Nick Clark | Published March 27, 2026

Surgical robotics has reached an architectural inflection point that current planning stacks cannot cross. The FDA's 2024 final guidance on Predetermined Change Control Plans (PCCPs) for AI-enabled device software functions permits adaptive behavior only when the manufacturer can specify, in advance, the boundaries within which adaptation is safe and the verification evidence that adaptation has stayed within them. Pre-operative optimization plans cannot satisfy this; intraoperative reinforcement-learning controllers cannot satisfy it either. What the regulation demands, and what robotic surgery clinically requires, is a planner that can explore alternatives aggressively while guaranteeing that exploration never reaches the patient. The forecasting engine provides exactly that: a planning substrate in which speculative branches are first-class, contained simulation is the default execution context for all proposed actions, and only branches that pass the full constraint stack (IEC 62304 software-safety classifications, ISO 14971 risk controls, ISO 80601-2-77 robotic-surgery essential-performance requirements, and the device's own PCCP envelope) are promoted across the containment boundary into actuator commands.


Regulatory Framework

Surgical robots sit at the intersection of the most demanding regulatory regimes in medical devices. Six instruments together define the planner's required behavior.

FDA AI/ML SaMD PCCP guidance (final, December 2024). A PCCP is a manufacturer's pre-authorized description of the modifications a device may undergo without a new 510(k), De Novo, or PMA submission. The guidance is explicit that the PCCP must include a description of the modifications, a modification protocol specifying the methods used to develop, validate, and implement them, and an impact assessment of the modifications on safety and effectiveness. A surgical planner whose runtime behavior depends on intraoperative learning or speculative replanning falls squarely within PCCP scope; without a containment boundary, the manufacturer cannot bound the modification space, and the device cannot be authorized.

21 CFR Part 820 (Quality System Regulation, transitioning to QMSR alignment with ISO 13485 in February 2026) and 21 CFR Part 11. Design controls under 820.30 require that every change to a planning algorithm be traceable to a verified and validated requirement. Part 11 imposes electronic-record and electronic-signature controls on any record relied upon for regulatory decisions, including intraoperative planning logs that support post-market surveillance.

IEC 62304 software lifecycle. A planner that can command actuators in a robotic-surgery system is, by failure mode, IEC 62304 Class C software (death or serious injury possible). Class C requires segregation of safety-critical components, rigorous unit and integration verification, and architectural mechanisms that prevent non-safety-critical code from compromising safety-critical code. The containment boundary is the canonical such mechanism.

ISO 14971 risk management. Every speculative branch represents a hazardous-situation hypothesis that must be analyzed, with risk controls that reduce residual risk to acceptable. The planner must be able to enumerate, at the moment of branch evaluation, which risk controls apply and whether they are satisfied.

ISO 13485 quality management and ANSI/AAMI HE75 human-factors. The surgeon must remain in meaningful control. HE75 and the associated FDA human-factors guidance require that the user interface support correct use under realistic conditions, including time pressure and cognitive load. A planner that surfaces a hundred raw branches to the surgeon fails HE75; one that surfaces a single promoted plan with a defensible rationale satisfies it.

EU MDR and ISO 80601-2-77. EU MDR Annex I general safety and performance requirements, together with the particular standard ISO 80601-2-77 for robotic surgical equipment, define essential performance: the freedom from unacceptable risk that must be maintained even under single-fault conditions. The containment boundary is the structural means by which speculative computation is shown not to compromise essential performance.

Architectural Requirement

The convergent demand of these regimes is a planner whose every speculative computation is provably isolated from actuation, whose every promoted plan carries a complete record of the constraints it satisfied, and whose modification space is bounded in advance by the device's PCCP.

Three architectural elements are required. First, a planning graph in which branches are explicit data structures carrying their own state, risk assessment, constraint-evaluation status, and provenance. Second, a containment boundary that is not a software check but a structural separation: speculative branches execute in a domain that has no causal path to actuator commands except through the promotion gate. Third, a promotion gate that evaluates a branch against the full constraint stack, including IEC 62304 segregation invariants, ISO 14971 risk-control satisfaction, ISO 80601-2-77 essential-performance bounds, and the device PCCP envelope, and emits a signed attestation that becomes part of the device-history record under Part 820.

These elements are not features layered onto a planner. They are the planner.

Why Procedural Compliance Fails

The dominant compliance approach in surgical robotics is procedural and pre-operative. The plan is locked before incision, change controls are paper-based, and the runtime is treated as a deterministic executor. This approach handled the first generation of robotic surgery, in which the robot was a precision motion amplifier for a fully human-authored plan. It fails the second generation, in which the robot must reason about intraoperative findings.

Locking the plan pre-operatively does not satisfy clinical reality. Tissue varies, anatomy varies, instruments deflect, bleeding obscures landmarks. The procedural compromise (return control to the surgeon when reality diverges from imaging) converts the robot into a sophisticated retractor at exactly the moment its capabilities are most needed. It also creates a regulatory artifact problem: there is no record of what the robot would have done, only of what the human did after the robot stopped.

Layering an unconstrained reinforcement-learning controller on top of the planner fails the regulatory test in the opposite way. Such a controller can in principle adapt, but its modification space is unbounded and its risk controls are statistical at best. The PCCP guidance explicitly contemplates and excludes this pattern: the modification protocol must be specifiable, and a black-box adaptive controller cannot specify it.

Software guards (range checks, watchdogs, interlocks) are necessary but evidentiarily and architecturally insufficient. A guard that rejects an unsafe command is a check on output. The IEC 62304 Class C demand is segregation of computation, not just filtering of output. A planner whose speculative computation runs on the same execution domain as the actuator-command path cannot demonstrate segregation regardless of how thorough its output checks are.

Monte Carlo replanning, finally, generates branches but does not govern them. The branches are samples; the surgeon must triage them. HE75 fails in the opposite direction: the user is overwhelmed.

What AQ Primitive Provides

Adaptive Query's forecasting-engine primitive instantiates the planning graph, containment boundary, and promotion gate as a single integrated substrate. Branches are first-class structures with explicit lifecycles: spawn, simulate, evaluate, prune, promote, retire. Spawning is governed by personality-modulated speculation parameters, which the manufacturer fixes per device configuration and which the surgeon can tune within manufacturer-bounded ranges: conservative configurations explore near-modifications of the locked pre-operative plan; aggressive configurations explore topologically distinct approaches when intraoperative findings warrant.

Simulation runs in the contained domain. The contained domain is architecturally separated from the actuation domain; the only path between them is the promotion gate, and the gate is the only code that can write to the actuator-command channel. This separation is the IEC 62304 Class C segregation artifact and the ISO 80601-2-77 essential-performance argument. It is verifiable at the architectural level rather than re-verified per change.

Evaluation runs the full constraint stack against each branch: patient-specific anatomical constraints derived from registration; instrument kinematic and force-limit constraints; proximity constraints around critical structures (vessels, nerves, bowel, ureter); ISO 14971 risk-control satisfaction, including the controls introduced by the device's risk file specifically for replanning scenarios; ISO 80601-2-77 essential-performance bounds, including the single-fault-condition envelope; and the device's PCCP envelope. The branch's modifications relative to the locked plan must lie within the pre-authorized modification space, or the branch is rejected and flagged for surgeon decision rather than promoted.

The promotion gate is the only structural path to actuation. A branch that passes evaluation generates a signed attestation, which is recorded under Part 11 controls and which the executive aggregation layer uses to select between competing valid branches. The surgeon sees one promoted plan with its rationale, not a Monte Carlo cloud, satisfying HE75 cognitive-load constraints. The retired branches and their rejection rationale are recorded in the device-history record for post-market surveillance and for the PCCP impact assessment cycle.
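As an added illustration of the three elements described above (branches as explicit data structures, a named constraint stack, and a promotion gate that is the sole writer to actuation and emits a signed attestation), the following Python is example code written for this page, not Adaptive Query's code or API; the device constants, branch values, and HMAC signing key are constructed placeholders.

```python
import hashlib, hmac, json
from dataclasses import dataclass

# Constructed device configuration (placeholders, not values from any real device).
LOCKED_PLAN_MM = (10.0, 20.0, 30.0)   # locked pre-operative target pose
PCCP_MAX_DEVIATION_MM = 5.0          # pre-authorized modification space
MIN_VESSEL_CLEARANCE_MM = 3.0        # ISO 14971 proximity risk control
MAX_TOOL_FORCE_N = 2.0               # ISO 80601-2-77 essential-performance bound
ATTESTATION_KEY = b"placeholder-device-signing-key"

@dataclass
class Branch:                        # a branch is an explicit data structure
    branch_id: str
    target_mm: tuple                 # pose proposed by the contained simulation
    vessel_clearance_mm: float       # distance to nearest critical structure
    peak_force_n: float              # simulated peak tool force
def deviation_mm(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5
# Constraint stack: each check is named so the rejection rationale is auditable.
CONSTRAINT_STACK = {
    "iso14971_vessel_clearance": lambda b: b.vessel_clearance_mm >= MIN_VESSEL_CLEARANCE_MM,
    "iso80601_force_limit": lambda b: b.peak_force_n <= MAX_TOOL_FORCE_N,
    "pccp_envelope": lambda b: deviation_mm(b.target_mm, LOCKED_PLAN_MM) <= PCCP_MAX_DEVIATION_MM,
}

def sign(record):                    # attestation over the canonical JSON of the record
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()

def promotion_gate(branch, actuator_channel):
    # Sole writer to the actuator channel; a rejection carries its failed checks back for surgeon decision.
    results = {name: check(branch) for name, check in CONSTRAINT_STACK.items()}
    if not all(results.values()):
        failed = sorted(name for name, ok in results.items() if not ok)
        return {"branch": branch.branch_id, "status": "rejected", "failed": failed}
    record = {"branch": branch.branch_id, "target_mm": list(branch.target_mm),
              "constraints": results}
    actuator_channel.append(record)
    return {"branch": branch.branch_id, "status": "promoted",
            "record": record, "attestation": sign(record)}

def verify_attestation(outcome):     # device-history integrity check (Part 11 record)
    return hmac.compare_digest(sign(outcome["record"]), outcome["attestation"])

def run_demo():                      # constructed branches: one promotable, two not
    branches = [Branch("b1", (12.0, 21.0, 30.0), 4.5, 1.2),  # inside envelope, controls hold
                Branch("b2", (18.0, 20.0, 30.0), 6.0, 1.0),  # 8 mm off plan: outside PCCP
                Branch("b3", (10.5, 20.0, 29.0), 1.0, 2.5)]  # vessel too close, over force
    actuator_channel = []
    return [promotion_gate(b, actuator_channel) for b in branches], actuator_channel
```

Only the record written by `promotion_gate` reaches `actuator_channel`; the rejected outcomes are what the surgeon-decision path and the device-history record would receive.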

Regression detection runs continuously: if a class of branches that previously passed begins to fail, or vice versa, the change is flagged against the PCCP modification protocol. The planner's behavior is therefore not just bounded but observably bounded, and observability is the substrate of the modification protocol.

Compliance Mapping

FDA AI/ML SaMD PCCP. The personality-modulated speculation parameters define the modification space; the promotion gate's constraint stack is the modification protocol; the device-history record of branch outcomes is the impact assessment input. Adaptation is bounded by construction.

21 CFR 820 / QMSR / Part 11. Design-control traceability is preserved because every promoted plan carries its constraint-evaluation provenance into the device history record. Part 11 electronic-record controls apply uniformly to the signed attestations.

IEC 62304 Class C. The containment boundary is the architectural segregation between safety-critical actuation code and speculative planning code. Verification of the boundary is independent of and prior to verification of branches.

ISO 14971. Risk controls are evaluated per branch; residual risk is bounded by the constraint stack; the rejected-branch log is the hazard-analysis artifact for replanning scenarios.

ISO 13485 / ANSI/AAMI HE75. The surgeon receives a single promoted plan with rationale, satisfying cognitive-load and use-error mitigation requirements. The rejected-branch trail is available on demand for post-hoc review without burdening the intraoperative interface.

EU MDR / ISO 80601-2-77. The containment boundary is the means by which essential performance is maintained under the single-fault-condition envelope, including faults in the speculative-planning subsystem itself.

Adoption Pathway

Phase one (months 1-3): scope and PCCP drafting. The manufacturer identifies the procedure family (common laparoscopic procedures, orthopedic resection planning, or transbronchial navigation) and the modification space the device requires. The personality-modulation parameters and constraint stack are encoded; the PCCP draft modification protocol is anchored to them.

Phase two (months 4-9): bench and cadaveric validation. The forecasting engine runs against bench fixtures and cadaveric models. Branches are promoted only in simulation; actuation is disabled. The transition log produces the IEC 62304 verification evidence and the ISO 14971 hazard-analysis update.

Phase three (months 10-15): IDE clinical study. Under an Investigational Device Exemption, the engine is enabled in supervised clinical use with a prospective protocol. Each promoted plan is surgeon-confirmed; rejected branches are reviewed by the safety committee. The branch-outcome record becomes the primary effectiveness evidence and the PCCP impact-assessment baseline.

Phase four (months 16-24): submission and post-market. The 510(k), De Novo, or PMA submission incorporates the PCCP. Post-market, the regression-detection subsystem feeds the modification-protocol cycle; updates within the pre-authorized modification space deploy without new submissions, while excursions trigger the change-control pathway the PCCP itself defines.

The endpoint is a surgical robot whose intraoperative reasoning is governed at the same architectural level as its actuation, and whose regulatory submission is shorter, not longer, than that of a comparable non-adaptive device, because the adaptation envelope is provable rather than asserted.

Two further considerations shape practical adoption. The first is the relationship between the forecasting engine and the surgeon. HE75 and the FDA human-factors guidance are not procedural overlays; they are essential-performance constraints. The engine therefore exposes its rationale at the level of clinical reasoning rather than algorithmic internals: the promoted plan is accompanied by the constraints it satisfied, the risks it mitigated, and the alternatives it dominated, in language and visualization that the surgeon can interpret in seconds. The retired-branch trail remains available for institutional review, morbidity and mortality conferences, and post-market surveillance, but it does not compete with the surgeon's intraoperative attention.

The second is the relationship between the engine and the institution's quality system. The branch-outcome record, signed promotion attestations, and regression-detection alerts are first-class inputs to ISO 13485 management review and to the corrective and preventive action (CAPA) loop. A branch class that begins to fail at higher rates is a CAPA trigger; a constraint that consistently dominates rejection is a design-input candidate; a personality-modulation parameter whose chosen ranges no longer match clinical practice is a labeling and training input. The forecasting engine therefore does not sit beside the QMS; it feeds it. Continual improvement under ISO 13485 clause 10 becomes an evidence-driven cycle rather than a documentation exercise, and the device's safety case grows stronger over its market lifetime rather than degrading toward the next submission.
