Autonomous Surgical Execution Under Governed Actuation
by Nick Clark | Published April 25, 2026
Autonomous and semi-autonomous surgical robots present a regulatory problem that procedural compliance alone cannot resolve: every actuation is potentially irreversible, the surgeon-of-record bears legal responsibility for outcomes, and regulators must be able to reconstruct what happened, under whose authority, with what verification, after the fact. Governed actuation supplies a cryptographic pre-action gate that binds each motion to a composite authority record covering FDA device class, IEC 62304 software safety class, ISO 13485 quality-system controls, ISO 14971 residual-risk acceptance, and surgeon-of-record credentialing. This article maps the primitive to the surgical-robotics regulatory stack and shows how reversibility-aware staging, post-actuation verification, and graduated authority compose into an architecture suitable for FDA AI/ML SaMD submissions and Predetermined Change Control Plans.
Regulatory Framework
The U.S. regulatory baseline for autonomous surgical execution is constructed from layered authorities rather than a single governing instrument. FDA 21 CFR Part 820 establishes the Quality System Regulation that surgical-robotic manufacturers must satisfy across design controls, production, and post-market surveillance. IEC 62304 governs the software lifecycle, classifying surgical-robot control software as Class C where failure could lead to death or serious injury and imposing the corresponding architecture, unit verification, integration testing, and problem-resolution obligations. ISO 13485 layers in the quality-management-system requirements specific to medical devices, while ISO 14971 governs the risk-management process, requiring that residual risks be identified, evaluated, mitigated, and formally accepted. IEC 60601-1 supplies the basic safety and essential-performance requirements for the medical electrical equipment on which surgical robots operate.
Above this lifecycle stack sits the emerging FDA AI/ML SaMD Action Plan and the Predetermined Change Control Plan (PCCP) framework, which together define how a manufacturer may legitimately update the learned components of an autonomous surgical system after market clearance without re-submission for every modification. The PCCP requires a sponsor to declare, in advance, the scope of permitted modifications, the verification protocol that will accompany each modification, and the mechanism by which post-market behavior will be monitored. Surgical-robot safety case standards, drawn from IEC 80001 and from emerging consensus documents on autonomous medical systems, layer in the obligation to produce a structured argument that the device is acceptably safe in its intended operating context, supported by evidence that an external auditor can examine and reproduce.
The cumulative effect is that any autonomous surgical actuation is required, by regulation, to be traceable to a credentialed authority chain, to a verified software state, to a risk acceptance recorded under ISO 14971, and to a clinical-context determination made by an authorized surgeon-of-record. Procedural documentation can describe these obligations; it cannot, on its own, enforce them at the moment of actuation.
Architectural Requirement
The architectural requirement that follows from the regulatory framework is precise. Each surgical actuation must be admitted, before motion begins, against a composite authority record that simultaneously satisfies the device-class clearance, the software-safety classification, the institutional credentialing of the operator, the surgeon-of-record's procedure-class authority, and the ISO 14971 residual-risk acceptance for the specific clinical context. The record must be produced in a form that can be replayed by an auditor, that resists tampering, and that is bound cryptographically to the actuation it authorized so that no later reconstruction can substitute or reorder the authority basis.
Surgical procedures decompose structurally into reversible setup, partial commitment with intermediate verification, and irreversible commit. Governed actuation supports each phase under a declared admissibility envelope. Reversible setup actions admit at lower friction because their consequences can be undone within the procedure; partial-commitment actions admit only when intermediate verification has produced credentialed evidence that the procedure is on the intended trajectory; irreversible commit actions admit only when the surgeon-of-record's authority has been freshly bound to the specific commit, with the residual-risk acceptance carried forward into the actuation record.
Authority composition structures map cleanly to surgical reality. Surgeon-of-record authority governs procedure-class admissibility. Hospital-credentialing authority governs institutional admissibility, including the privileging decisions that determine which clinicians may operate which devices in which contexts. Regulatory authority, expressed through FDA clearance under 510(k), De Novo, or PMA pathways, governs device-class admissibility. The architecture supports the multi-authority reality of surgical practice rather than collapsing it into a single permission boundary, because the regulatory framework itself is multi-authority.
Why Procedural Compliance Fails
Procedural compliance fails autonomous surgical execution for three structural reasons. First, surgical actuations occur at machine timescales while procedural verification occurs at human timescales; the moment a learned component selects a motion plan and the moment a clinical reviewer could examine the basis for that plan are separated by orders of magnitude. By the time procedural review is possible, the actuation has already happened, and the actuation cannot be unwound.
Second, current surgical-robotics autonomy faces a binary regulatory trap: full autonomy is regulatorily distant because the safety case for unsupervised learned behavior under ISO 14971 has not been established for most procedure classes; teleoperated assistance, where every motion is directly commanded by the surgeon, is the current cleared state; and the architectural path between them is underspecified. A procedure cannot bridge this gap, because the gap is not procedural. The gap is a missing structural mechanism by which graduated autonomy can be admitted phase by phase under credentialed authority, with the autonomy level itself recorded as part of the authority basis.
Third, post-incident reconstruction under procedural regimes depends on logs whose integrity is asserted rather than enforced. When a surgical adverse event occurs and the FDA, an institutional review board, or a malpractice tribunal needs to determine which actuation occurred, under what authority, with what verification, with what residual-risk acceptance, and with what software state, the procedural artifact is a collection of system logs whose binding to the actuation is procedural. A defendant or a sponsor can reconstruct an alternative narrative; an auditor cannot independently verify that the logs were not edited after the fact. Governed actuation produces a cryptographically bound record whose integrity does not depend on the trustworthiness of the manufacturer's log-management procedures.
What the AQ Primitive Provides
The AQ governed-actuation primitive provides a cryptographic pre-action gate. Before the surgical robot actuates, the control software must produce, and the gate must verify, a composite admissibility record. The record contains the device-class clearance reference, the software build attestation against the IEC 62304 verification record, the surgeon-of-record's freshly bound authority for the procedure class, the institutional credentialing reference, and the ISO 14971 residual-risk acceptance for the specific clinical context. The actuation proceeds only when the record verifies; the record itself is bound to the actuation so that the audit chain cannot be reordered.
Reversibility classification determines the autonomy level admitted at the gate. Reversible-phase actuations may proceed under broader autonomy because their consequences can be undone within the procedural envelope. Partial-commitment actuations admit only when the gate has received credentialed intermediate-verification evidence; this is the architectural mechanism by which stage-gated commitment becomes operationally enforceable rather than merely documented. Irreversible-commit actuations require the surgeon-of-record's freshly bound authority to be present at the gate, so that the commit cannot occur without the surgeon's contemporaneous, cryptographically recorded acceptance of the specific commit.
Post-actuation verification produces credentialed outcomes for downstream audit. After each actuation, the gate records the verification result against the planned outcome, with the verification itself bound to the original admissibility record. Adverse events therefore admit structural reconstruction: post-incident audit traverses the full chain from the device-class clearance through the software build, through the surgeon's authority, through the residual-risk acceptance, through the actuation, through the verification, and through the outcome. Liability, regulatory review, and PCCP-driven post-market surveillance all proceed against architecturally supported records whose integrity is enforced rather than asserted.
Compliance Mapping
Each obligation in the regulatory stack maps to a specific element of the governed-actuation record. The 21 CFR 820.30 design-control obligation maps to the device-class clearance reference carried in every actuation record. The IEC 62304 software-class verification obligation maps to the software build attestation, which proves at the moment of actuation that the executing software corresponds to the verified build. The ISO 13485 quality-system obligation maps to the institutional credentialing reference, which proves that the operator and the institution stand within the quality envelope cleared for the device. The ISO 14971 risk-management obligation maps to the residual-risk acceptance carried into each actuation, so that no commit occurs without the residual risk having been formally accepted for the specific clinical context.
The IEC 60601-1 basic-safety obligation maps to the gate's enforcement of essential-performance preconditions before motion. The FDA AI/ML SaMD Action Plan and PCCP framework map to the architecture in two ways. First, the PCCP-declared scope of permitted modifications becomes a parameter of the admissibility envelope: actuations using a learned component that has been modified within the PCCP scope admit when the modified component carries a build attestation tied to the PCCP-declared verification protocol; actuations using a component modified outside the PCCP scope do not admit. Second, the post-market monitoring obligation becomes a continuous read against the credentialed actuation records, so that the sponsor's post-market surveillance is conducted against tamper-evident evidence rather than against asserted logs.
The surgical-robot safety-case obligation maps to the structured argument that can be assembled directly from the actuation records. Where the safety case asserts that irreversible commits occur only under surgeon-of-record authority with residual-risk acceptance, the supporting evidence is the actuation-record corpus itself, which an auditor can examine, sample, and verify cryptographically.
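The following Python sketch is an added illustration, not code from this article or from any AQ implementation, of the gate described under "What the AQ Primitive Provides" together with the PCCP-scope rule from the compliance mapping above. It checks a composite admissibility record (device clearance, build attestation, credentialing, reversibility class, and, for irreversible commits, a surgeon binding that is fresh for that specific actuation), refuses a build attestation for a modified component outside the declared PCCP scope, appends every admission or refusal to a hash chain, binds each post-actuation verification to the admissibility record it follows, and gives an auditor a replay function that recomputes the chain. HMAC with constructed keys stands in for the asymmetric signatures a real gate would use; the key values, the PCCP declaration, the component name, and every identifier in the sample inputs are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys (assumption): stand-ins for the surgeon-of-record credential
# and the gate's audit key. A deployment would use asymmetric keys in an HSM.
SURGEON_KEY = b"constructed-surgeon-of-record-key"
GATE_KEY = b"constructed-gate-audit-key"

# Constructed PCCP declaration (assumption): which learned component may be
# modified after clearance and which verification protocol its build must cite.
PCCP_SCOPE = {"components": {"trajectory_planner"}, "protocol": "PCCP-VP-EXAMPLE"}

# Evidence each reversibility class must present before the gate admits motion.
REQUIREMENTS = {
    "reversible": set(),
    "partial_commit": {"intermediate_verification"},
    "irreversible_commit": {"surgeon_binding", "risk_acceptance"},
}

def canon(obj) -> bytes:
    """Canonical JSON so an auditor can recompute every hash and MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, payload) -> str:
    return hmac.new(key, canon(payload), hashlib.sha256).hexdigest()

def bind_surgeon(surgeon_id: str, procedure_class: str, actuation_id: str) -> dict:
    """Surgeon-of-record binds authority to one specific actuation id (fresh per commit)."""
    body = {"surgeon": surgeon_id, "procedure_class": procedure_class, "actuation": actuation_id}
    return {**body, "sig": mac(SURGEON_KEY, body)}

class ActuationGate:
    """Pre-action gate: checks a composite admissibility record, then appends it
    (admitted or refused) to a hash chain that later verification records bind to."""

    def __init__(self):
        self.chain = []

    def _append(self, kind: str, body: dict) -> dict:
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        record = {"kind": kind, "prev": prev, **body}
        record["hash"] = hashlib.sha256(canon(record)).hexdigest()
        record["gate_sig"] = mac(GATE_KEY, record["hash"])
        self.chain.append(record)
        return record

    def _check(self, r: dict):
        for f in ("actuation_id", "procedure_class", "device_clearance",
                  "build_attestation", "credentialing", "reversibility"):
            if f not in r:
                return "missing " + f
        att = r["build_attestation"]  # software build must match a verified, in-scope build
        if att.get("modified") and (att.get("component") not in PCCP_SCOPE["components"]
                                    or att.get("protocol") != PCCP_SCOPE["protocol"]):
            return "modified component outside PCCP scope"
        if r["reversibility"] not in REQUIREMENTS:
            return "unknown reversibility class"
        missing = REQUIREMENTS[r["reversibility"]] - set(r)
        if missing:
            return "missing " + ",".join(sorted(missing))
        if "surgeon_binding" in r:  # must verify and must name this exact actuation
            sb = r["surgeon_binding"]
            body = {k: sb.get(k) for k in ("surgeon", "procedure_class", "actuation")}
            if not hmac.compare_digest(sb.get("sig", ""), mac(SURGEON_KEY, body)):
                return "surgeon binding signature invalid"
            if body["actuation"] != r["actuation_id"] or body["procedure_class"] != r["procedure_class"]:
                return "surgeon binding not fresh for this commit"
        return None

    def admit(self, request: dict):
        """Return (admitted, record). Refusals are recorded too, so the chain is complete."""
        reason = self._check(request)
        rec = self._append("admissibility", {"request": request, "admitted": reason is None,
                                             "reason": reason or "ok"})
        return reason is None, rec

    def verify_outcome(self, admissibility_hash: str, planned, observed) -> dict:
        """Post-actuation verification, bound to the admissibility record it follows."""
        return self._append("verification", {"admissibility": admissibility_hash,
                                             "planned": planned, "observed": observed,
                                             "match": planned == observed})

def audit(chain) -> bool:
    """Auditor replay: recompute hashes, check linkage and gate MACs, and require
    every verification record to point at an admitted record earlier in the chain."""
    prev, admitted = "0" * 64, set()
    for rec in chain:
        stored = {k: v for k, v in rec.items() if k not in ("hash", "gate_sig")}
        if rec["prev"] != prev or hashlib.sha256(canon(stored)).hexdigest() != rec["hash"]:
            return False
        if not hmac.compare_digest(rec["gate_sig"], mac(GATE_KEY, rec["hash"])):
            return False
        if rec["kind"] == "admissibility" and rec["admitted"]:
            admitted.add(rec["hash"])
        elif rec["kind"] == "verification" and rec["admissibility"] not in admitted:
            return False
        prev = rec["hash"]
    return True
```

Two design points carry over to a real gate. Refusals are appended to the chain as well as admissions, so an auditor sees every attempt to actuate, not only the ones that proceeded. And the surgeon binding is tied to an actuation identifier rather than to a session, which is what makes the irreversible-commit check "fresh": replaying yesterday's binding, or one minted for a different commit, verifies as a signature but fails the freshness check.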
Adoption Pathway
The adoption pathway for governed actuation in autonomous surgical execution begins with the reversible phases of cleared procedures, where the autonomy expansion carries the lowest residual risk and the verification burden is most tractable. A sponsor introduces the governed-actuation gate first as an architectural overlay on existing teleoperated systems, with the gate initially admitting all surgeon-commanded actuations and producing the credentialed actuation records as the substrate for post-market surveillance. This step alone strengthens the sponsor's PCCP submission and produces the audit-grade evidence that future autonomy expansions will require.
The second step expands the admissibility envelope to allow autonomous execution of reversible setup actions under the gate, with the reversibility classification declared per procedure class and the expansion carried as a PCCP modification. Because the gate enforces reversibility at the moment of actuation and produces tamper-evident records, the sponsor can demonstrate to FDA, through the PCCP verification protocol, that the autonomy expansion does not exceed the declared scope. The third step extends the envelope to partial-commitment actions under stage-gated intermediate verification, again as a declared PCCP modification, with the gate enforcing the requirement that intermediate-verification evidence be present before commitment proceeds.
The fourth step, when the safety case has matured sufficiently, admits selected irreversible-commit actions under autonomous execution with surgeon-of-record authority freshly bound at the gate. The architecture also supports surgical evolution beyond the initial deployment: as new procedures admit autonomy, as new evidence supports autonomy expansion, as new regulatory regimes emerge, and as the FDA AI/ML SaMD framework matures into final guidance, the architecture admits the changes through declared admissibility evolution rather than through architectural rewrite. The same primitive that supports the first reversible-phase deployment supports the eventual mature-autonomy operating envelope, with the regulatory record growing continuously and remaining auditable across the full lifecycle.