Stereo endoscope tissue segmentation AI · CT bone model haptic boundary AI · NIR fluorescence guidance AI · Robotic instrument awareness AI

Prompt injection in surgical robotics AI

Robotic surgery systems have redefined the architecture of the operating room over the past two decades, replacing the direct mechanical linkage between surgeon hand and surgical instrument with a computer-mediated control interface that interposes signal processing, motion scaling, tremor filtering, and increasingly artificial intelligence between the surgeon’s console inputs and the robotic arms that hold and actuate instruments inside the patient’s body. The Intuitive Surgical da Vinci platform — with approximately 9,500 systems installed worldwide as of 2025, 4,100 of those in the United States, and approximately 2.2 million procedures performed annually across general surgery, urology, gynecology, and thoracic surgery — is the defining platform of modern robotic surgery; the da Vinci Xi (FDA PMA P940001, cleared 2000 with successive generations through Xi in 2014) and the da Vinci 5 (FDA K203277, cleared 2024 with integrated computer vision and AI infrastructure) together represent the AI-enabled instrument in the operative field for more than 60 percent of minimally invasive robotic procedures in the United States. The Stryker Mako SmartRobotics system (FDA K112789, initial clearance 2006; Mako THA clearance 2014; Mako TKA clearance 2015), deployed in more than 2,500 hospital and ambulatory surgery center installations globally, represents the AI platform for robotic-assisted orthopedic arthroplasty: total hip arthroplasty (THA) and total knee arthroplasty (TKA), procedures performed at a combined annual rate exceeding 800,000 in the United States. The Medtronic Hugo RAS (Robotic-Assisted Surgery) system (FDA K220534, cleared 2022; CE mark 2021), deployed across Europe, the UK, Middle East, and North America, represents the newest entrant in the soft-tissue robotic surgery category, using a distributed robotic arm architecture with a stereo endoscope vision AI platform architecturally similar to da Vinci. 

All three of these platforms share a fundamental architectural property that creates a class of adversarial pixel injection vulnerabilities distinct from any other medical AI context: their AI systems operate in the closed-loop surgical control pathway, where AI outputs influence robotic actuator behavior — tool articulation, haptic boundary enforcement, motion scaling, fluorescence overlay rendering — in real time during live surgery, with a frame-to-frame inference latency requirement of 50 milliseconds or less that structurally prevents any human interposition between adversarial input and robotic actuator response. In surgical robotics AI, there is no downstream human decision point between a corrupted AI output and a robotic arm acting on it.

TL;DR

Intuitive Surgical da Vinci Xi / da Vinci 5 stereo endoscope tissue segmentation AI, Stryker Mako SmartRobotics pre-operative CT bone model haptic boundary AI, Medtronic Hugo RAS tissue segmentation AI, and da Vinci 5 Firefly near-infrared fluorescence guidance AI all process pixel-level image inputs at the AI inference boundary in real-time surgical control loops. Adversarially crafted images can cause tissue boundary misclassification leading to bile duct or ureter transection during soft-tissue robotic surgery, bone saw overrun beyond the haptic boundary during arthroplasty, and suppression of fluorescence-marked critical structure identification. Glyphward applies a threshold of 35 across all surgical robotics AI contexts, its lowest threshold, reflecting the closed-loop real-time actuator control architecture that eliminates any human correction opportunity after AI error.

Four adversarial injection surfaces in surgical robotics AI

1. Da Vinci Xi / da Vinci 5 stereo endoscope tissue segmentation and instrument-awareness AI (Intuitive Surgical)

The da Vinci platform uses a proprietary stereo endoscope — a 12mm diameter rigid endoscope with two optical channels separated by approximately 6mm providing stereoscopic baseline — to capture a continuous dual-channel high-definition video stream of the operative field at 1080p resolution and 60 frames per second. The dual-channel stereo image is processed through Intuitive Surgical’s onboard computer vision pipeline to produce the three-dimensional perspective view rendered on the surgeon’s console display, providing the magnified, immersive operative field view through which the surgeon perceives tissue planes, instrument position, and anatomical landmarks during surgery. In the da Vinci 5, introduced with the K203277 clearance and equipped with a dedicated AI processing unit (a 10-teraflop GPU cluster integrated into the patient cart), this stereo video stream is also processed by a set of AI vision models that perform tissue segmentation — classifying pixel regions in the endoscope frame into tissue type categories including serosa, muscle, fat, vasculature, and critical structure classifications (common bile duct, ureter, major vessels) — and instrument-awareness AI that tracks instrument tip position, tissue contact force estimation, and proximity to classified critical structures.

The most consequential AI classification in da Vinci soft-tissue surgery is the identification of the common bile duct (CBD) during laparoscopic cholecystectomy — the surgical removal of the gallbladder, performed robotically at a rate of approximately 400,000 procedures annually in the United States and representing one of the highest-volume abdominal procedures performed on the da Vinci platform. Bile duct injury (BDI) during laparoscopic cholecystectomy — inadvertent transection or clipping of the common bile duct, which runs in close proximity to the cystic duct that must be transected to remove the gallbladder — is the most feared complication of the procedure, occurring at a rate of 0.1–0.5% in laparoscopic cholecystectomy series and carrying a long-term morbidity burden including biliary stricture, recurrent cholangitis, secondary biliary cirrhosis, and in severe cases liver failure requiring transplantation. The da Vinci 5 tissue segmentation AI model, trained on a large library of annotated intraoperative endoscope images, generates real-time tissue classification overlays on the console display and provides haptic feedback alerts (through the instrument console’s force feedback channels) when instrument tips approach classified critical structures. When the stereo endoscope frame is the pixel-level input to this tissue classification AI, it is also an adversarial injection surface: a crafted perturbation in the endoscope image frame, introduced at the frame buffer before AI ingestion, can cause the tissue segmentation AI to misclassify the common bile duct pixel region as serosa or fat — suppressing the critical structure alert and the haptic proximity warning — while the surgeon, relying on AI assistance to disambiguate the CBD from the cystic duct in an inflamed or fibrotic operative field, proceeds with clipping and transection. 

The analogous vulnerability exists for ureter identification during robotic-assisted radical prostatectomy (RARP, ~80,000 procedures annually in the US) and robotic hysterectomy (~250,000 annually in the US), where the da Vinci 5 ureter segmentation AI provides real-time ureter location alerts to prevent inadvertent ureteral injury — a complication occurring at a rate of 0.5–2% in laparoscopic hysterectomy series and causing ureteral stricture, hydronephrosis, and renal loss in severe cases.

The adversarial injection attack on da Vinci stereo endoscope tissue segmentation AI targets the dual-channel frame buffer at the AI ingestion boundary — either within the patient cart’s onboard AI processing unit (an internal injection surface accessible via network interfaces to the hospital surgical information system), or at the endoscope image transmission pathway between the patient cart and the surgeon’s console (a high-bandwidth video link that in legacy da Vinci Xi installations may use unencrypted proprietary video protocols over short-haul fiber within the operating room). The attacker’s goal is to craft a per-frame adversarial perturbation — imperceptible to the surgeon viewing the console display, which renders the stereoscopic image through a consumer-grade high-brightness OLED display at viewing distances of 20–40cm — that consistently shifts the tissue segmentation AI’s classification boundary for the bile duct or ureter pixel cluster from “critical structure” to “non-critical tissue” across the 5–15 second window during which the surgeon performs the critical anatomical identification step. FDA’s October 2021 draft guidance on AI/ML-Based SaMD and the January 2023 Predetermined Change Control Plan (PCCP) guidance establish the regulatory framework for AI components in Class III robotic surgery devices, but neither addresses adversarial pixel injection against real-time surgical AI inference specifically; the cybersecurity requirements for PMA Class III devices under FDA’s 2023 Cybersecurity Guidance (“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions”) include threat model requirements for software-mediated attacks on AI decision modules in active surgical devices.

2. Stryker Mako SmartRobotics CT-derived haptic boundary enforcement AI

The Stryker Mako system operates on a fundamentally different architectural principle from soft-tissue robotic surgery platforms: rather than using real-time endoscope video as its primary AI input, the Mako system builds its operative model from a pre-operative CT scan of the patient’s hip or knee joint, which is processed by the Stryker VirtualSurgery AI platform (a cloud-based orthopedic surgical planning AI) to generate a patient-specific 3D bone model — a three-dimensional mesh reconstruction of the femur, tibia, and acetabulum calibrated to the patient’s specific anatomy — on which the surgeon (or Stryker’s proprietary planning software) pre-operatively defines the implant position, orientation, and bone resection boundaries. These pre-operatively defined resection boundaries are loaded into the Mako patient cart as a set of three-dimensional haptic boundary surfaces — mathematically defined zones within which the Mako’s motorized robotic arm permits free movement of the bone preparation tool (a saw or burr), and at whose surfaces the Mako’s active constraint system applies haptic resistance forces to the robotic arm and tool attachment, physically preventing the tool from cutting beyond the defined boundary. This active constraint haptic boundary enforcement is the Mako’s fundamental safety feature: by mechanically restraining the bone preparation tool within the pre-defined resection zone, the Mako prevents the over-resection of bone that causes implant malalignment, periprosthetic fracture risk, and impingement in total knee and hip arthroplasty.

The adversarial injection surface in the Mako system exists at the pre-operative CT bone model processing pipeline. The Stryker VirtualSurgery cloud AI platform receives the pre-operative CT scan as a DICOM image series — a three-dimensional stack of axial cross-sectional images of the joint in DICOM format — and applies AI-based bone segmentation to extract the three-dimensional bone surface mesh from the CT image data. This segmentation step — classifying voxels in the CT volume as bone, cartilage, soft tissue, or air — is performed by a convolutional neural network trained on large libraries of annotated orthopedic CT scans. The resulting 3D bone mesh is the geometric foundation on which the haptic boundary surfaces are defined. An adversarial perturbation applied to the CT DICOM images at the VirtualSurgery AI ingestion boundary — before the bone segmentation AI processes the volumetric CT data — can cause the AI to misclassify bone voxels in a specific anatomical region as cartilage or soft tissue, displacing the reconstructed bone surface mesh boundary in that region and causing the haptic boundary enforcement surfaces derived from the mesh to be defined in incorrect positions relative to the true anatomy. In a total knee arthroplasty context, a haptic boundary shift that allows the tibial bone preparation burr to cut 2–5mm beyond the intended distal femoral resection plane can cause inadvertent entry into the distal femoral metaphysis — a cortical bone perforation associated with periprosthetic fracture risk — or into the popliteal neurovascular bundle territory. In a total hip arthroplasty context, a miscalibrated acetabular cup reaming boundary can cause inadvertent cortical perforation of the acetabular floor, an injury with risk of vascular injury to the obturator artery and pelvic structures. 

Mako’s intraoperative registration process — which uses a bone-mounted optical tracker and a probe-based surface registration routine to align the 3D bone model to the patient’s actual intraoperative position — provides a partial defence in that gross bone model errors may be detectable during registration; however, the registration detects positional and rotational misalignment of the bone model relative to the patient, not voxel-level segmentation errors in the bone surface definition.

3. Da Vinci 5 Firefly near-infrared fluorescence guidance AI

The da Vinci 5 Firefly system extends the platform’s stereo endoscope with a near-infrared illumination channel (excitation at 760–790nm, detection in the 800–850nm NIR band) that enables intraoperative fluorescence guidance when the patient has received an intravenous injection of indocyanine green (ICG) — an FDA-approved NIR fluorescent dye (approved under NDA 011525) that is taken up by hepatocytes and excreted in bile, producing fluorescence in biliary structures including the common bile duct, cystic duct, and bile ducts of Luschka. During Firefly-guided laparoscopic cholecystectomy — a technique increasingly adopted as the recommended approach for complex cholecystectomy in the 2022 SAGES guidelines — the Firefly NIR channel illuminates the biliary anatomy in the hepatocystic triangle with a fluorescent signal that highlights bile duct structures against a dark background, providing a visual guide to bile duct identification that supplements the tissue segmentation AI overlay. The da Vinci 5 incorporates an AI fluorescence classification model that processes the NIR endoscope channel images to identify and classify fluorescent structures, generate a fluorescence intensity heat map overlay on the combined white-light/NIR display, and provide alert signals when instrument tips approach fluorescent bile duct structures.

The adversarial attack against the Firefly NIR AI targets the NIR channel image at the fluorescence classification AI ingestion boundary. The NIR endoscope image is a single-channel 1080p frame with intensity values proportional to ICG fluorescence emission in the 800–850nm band; the fluorescence classification AI processes this image to segment fluorescent structures (high-intensity pixel regions corresponding to bile-filled ducts) from non-fluorescent background. An adversarial perturbation in the NIR channel frame — crafted to introduce high-intensity pixel clusters in non-biliary regions or to suppress high-intensity pixels in true biliary regions — can cause the fluorescence classification AI to generate phantom bile duct alerts in incorrect anatomical positions (misdirecting the surgeon’s attention away from the true CBD) or to suppress the true CBD fluorescence alert when the instrument approaches the actual bile duct. The consequence is equivalent to the tissue segmentation AI attack: the surgeon, relying on the AI-augmented Firefly display to identify the CBD in a complex operative field with adhesions or inflammation obscuring normal anatomy, may proceed with transection of an incompletely identified structure. The 2020 meta-analysis by Dip et al. (published in Surgical Endoscopy) reported that ICG fluorescence guidance reduced BDI rates in laparoscopic cholecystectomy compared to standard white-light technique in high-complexity cases; adversarial suppression of the Firefly AI converts this advantage back to baseline risk or below, specifically in the patient population for whom Firefly guidance was selected because standard white-light anatomy identification was judged insufficient.

4. Medtronic Hugo RAS tissue segmentation AI and instrument proximity detection

The Medtronic Hugo Robotic-Assisted Surgery system, developed following Medtronic’s 2014 acquisition of Covidien and 2019 completion of robotic surgery platform development, uses a distributed four-arm patient cart architecture with a 3D stereoscopic camera tower (comparable optical specifications to da Vinci Xi) and an AI platform that incorporates tissue segmentation models, instrument proximity detection, and motion envelope monitoring AI. The Hugo system received FDA 510(k) clearance K220534 in April 2022 for use in urological, gynecological, and thoracic procedures, with CE marking across Europe and UK coverage from 2021. Hugo’s AI tissue classification pipeline processes the stereoscopic endoscope frames through a set of AI models that produce tissue type annotations and critical structure proximity alerts equivalent in architectural function to da Vinci 5’s tissue segmentation AI — with the same adversarial injection vulnerability at the frame buffer AI ingestion boundary. Hugo’s distributed arm architecture (four independent robotic arm carts rather than da Vinci’s single patient cart) introduces additional network interfaces between the arm controllers and the central AI processing unit — interfaces that in the early-deployment generations of Hugo may represent additional injection surface perimeters relative to da Vinci’s more tightly integrated platform. FDA cybersecurity requirements under 21 CFR Part 820 Quality System Regulations and the 2023 Cybersecurity Guidance require that surgical robot manufacturers document threat models for software-mediated attacks on AI decision modules, but the distributed arm architecture in Hugo introduces multi-interface attack surface topology that is not fully addressed in legacy device cybersecurity frameworks designed for single-patient-cart architectures.

The combined adversarial injection risk across Intuitive Surgical da Vinci (Xi and 5), Stryker Mako SmartRobotics, and Medtronic Hugo creates an AI security exposure in the operating room that has no analogue in outpatient or imaging AI contexts. Unlike radiological AI (where AI-assisted reads are reviewed by radiologists before clinical action), pathology AI (where AI classifications are confirmed by pathologists), or even point-of-care diagnostic AI (where a clinician interprets the AI output and makes a treatment decision with time for re-evaluation), surgical robotics AI operates in a closed-loop actuator control pathway where the consequence of an adversarial AI classification error is intraoperative tissue damage — occurring in less than one second from AI inference output to robotic arm response, inside a sterile surgical field in an anesthetized patient, without the possibility of undoing the action once taken.

Integration: surgical robotics AI frame buffer scanning with Glyphward pre-scan

The Glyphward scan gate in surgical robotics AI belongs at the frame ingestion boundary — before each stereo endoscope frame pair reaches the da Vinci 5 or Hugo tissue segmentation AI, before the DICOM CT volume slice reaches the Stryker Mako VirtualSurgery bone segmentation AI, and before the NIR channel frame reaches the da Vinci 5 Firefly fluorescence classification AI. The threshold of 35 for all surgical robotics AI contexts reflects the closed-loop real-time actuator architecture: no human interposition is architecturally possible within the 50ms inference-to-action latency window. The implementation below uses a dedicated asynchronous scan client with a sub-5ms API timeout and fails closed: any Glyphward API error blocks frame passage to the surgical AI and triggers a graceful operating mode fallback (white-light only, haptic boundary override to conservative 2mm inset).

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# All surgical robotics AI contexts share threshold 35 — lowest in Glyphward framework.
# Closed-loop real-time actuator control: no human interposition possible after AI error.
SURGICAL_ROBOTICS_THRESHOLD = 35


class SurgicalRoboticsAIContext(Enum):
    DAVINCI_TISSUE_SEGMENTATION  = "davinci_tissue_segmentation"    # threshold 35 — stereo endoscope frame
    DAVINCI_FIREFLY_NIR          = "davinci_firefly_nir"            # threshold 35 — NIR channel frame
    MAKO_CT_BONE_SEGMENTATION    = "mako_ct_bone_segmentation"      # threshold 35 — CT DICOM slice
    HUGO_TISSUE_SEGMENTATION     = "hugo_tissue_segmentation"       # threshold 35 — stereo endoscope frame


class AdversarialSurgicalImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in a surgical
    robotics AI image above the threshold of 35.

    Consequence if not raised: robotic actuator acts on corrupted AI output
    within the 50ms inference-to-action window — no human correction possible.
    """

    def __init__(self, scan_id: str, score: int, context: SurgicalRoboticsAIContext,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial surgical robotics AI image detected: "
            f"context={context.value} score={score} scan_id={scan_id}"
        )


async def scan_surgical_robotics_frame(
    frame_bytes: bytes,
    context: SurgicalRoboticsAIContext,
    procedure_id: str,
    frame_seq: int,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a surgical robotics AI input image for adversarial pixel content.

    Args:
        frame_bytes: Raw image bytes for the frame (stereo endoscope frame,
            NIR channel frame, or CT DICOM slice rendering).
        context: SurgicalRoboticsAIContext identifying the AI pipeline.
        procedure_id: Anonymised procedure identifier for audit log.
        frame_seq: Frame sequence number within the procedure video stream.
        client: Shared httpx.AsyncClient — connection reuse critical at 60fps.

    Returns:
        Glyphward scan result dict: scan_id, score, flagged_region, modality.

    Raises:
        AdversarialSurgicalImageError: if score exceeds threshold 35.
        httpx.HTTPError: on Glyphward API error or timeout (raise_for_status
            raises the httpx.HTTPStatusError subclass) — fail-closed: caller
            must block frame from reaching surgical AI on any API error.
    """
    image_hash = hashlib.sha256(frame_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(frame_bytes).decode(),
        "source": f"surgical_robotics:{context.value}:{procedure_id}:{frame_seq}",
        "metadata": {
            "procedure_id": procedure_id,
            "frame_seq": frame_seq,
            "image_sha256": image_hash,
            "context": context.value,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
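        # httpx timeouts are in seconds: 0.004 = 4 ms, the sub-5ms budget stated
        # above. A timeout raises httpx.TimeoutException (an httpx.HTTPError),
        # so the caller fails closed.
        timeout=0.004,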
    )
    resp.raise_for_status()
    result = resp.json()

    if result["score"] > SURGICAL_ROBOTICS_THRESHOLD:
        raise AdversarialSurgicalImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def process_endoscope_frame_pipeline(
    frame_bytes: bytes,
    context: SurgicalRoboticsAIContext,
    procedure_id: str,
    frame_seq: int,
    surgical_ai_client: object,
    client: httpx.AsyncClient,
) -> dict:
    """Gate-and-forward: scan frame, then call surgical AI only if scan passes.

    On AdversarialSurgicalImageError or any httpx error: block the frame,
    log the quarantine event, trigger operating-mode fallback (haptic boundary
    inset to conservative 2mm, disable AI tissue overlay, alert surgeon console).
    """
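    try:
        await scan_surgical_robotics_frame(
            frame_bytes=frame_bytes,
            context=context,
            procedure_id=procedure_id,
            frame_seq=frame_seq,
            client=client,
        )
    except (AdversarialSurgicalImageError, httpx.HTTPError,
            ValueError, KeyError, TypeError) as exc:
        # Fail closed on a flagged frame, on any transport/HTTP error or timeout,
        # and on a malformed scan response (invalid JSON raises ValueError, a
        # missing or non-numeric "score"/"scan_id" raises KeyError/TypeError).
        await _log_surgical_quarantine(procedure_id, frame_seq, context, exc)
        return {"status": "quarantined", "fallback": "conservative_boundary"}
    # Scan passed: only now may the frame reach the surgical AI. Inference
    # errors propagate to the caller rather than being logged as quarantines.
    return await surgical_ai_client.infer(frame_bytes)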


async def _log_surgical_quarantine(
    procedure_id: str,
    frame_seq: int,
    context: SurgicalRoboticsAIContext,
    exc: Exception,
) -> None:
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "procedure_id": procedure_id,
        "frame_seq": frame_seq,
        "context": context.value,
        "threshold": SURGICAL_ROBOTICS_THRESHOLD,
        "event": "adversarial_frame_quarantined",
        "exception": str(exc),
        "regulatory_refs": [
            "FDA PMA P940001 (da Vinci)",
            "FDA K112789 (Stryker Mako)",
            "FDA K220534 (Medtronic Hugo)",
            "FDA 2023 Cybersecurity Guidance SaMD",
        ],
    }
    log_path = Path("/var/log/glyphward/surgical_robotics_ai_scan_audit.jsonl")
    log_path.parent.mkdir(parents=True, exist_ok=True)
    with log_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy process_endoscope_frame_pipeline at the frame buffer before each surgical AI ingestion boundary: before da Vinci 5 or Hugo stereo endoscope frames reach the tissue segmentation AI (threshold 35), before the da Vinci 5 NIR channel frames reach the Firefly fluorescence classification AI (threshold 35), and before Stryker VirtualSurgery CT DICOM slice renderings reach the bone segmentation AI (threshold 35, offline scan possible before procedure). Any Glyphward API error or threshold exceedance triggers fail-closed operating mode: conservative haptic boundary inset, AI tissue overlay disabled, surgeon console alert.

Related questions

Why does surgical robotics AI use threshold 35 — the lowest Glyphward threshold — rather than the threshold of 40 used for other life-critical AI contexts like ABO crossmatch or sepsis prediction?

The threshold of 35 for surgical robotics AI reflects a structural difference between surgical AI and all other medical AI contexts: the closed-loop real-time actuator control architecture. In every other medical AI deployment — ABO crossmatch AI, sepsis deterioration AI, ICU hemodynamic AI, even the lowest-threshold contexts outside surgical robotics — the AI output enters a human decision pathway before causing patient harm: a blood bank technologist reviews the crossmatch AI result and approves product release; a critical care nurse or physician receives the sepsis alert and initiates assessment; a radiologist reviews the AI-flagged scan before reporting. Even in contexts with very short time windows, the human intermediary creates at least one verification opportunity between AI error and patient harm. In surgical robotics AI, this human intermediary is architecturally absent.

The da Vinci 5 tissue segmentation AI operates at 60 frames per second with a maximum acceptable latency of 50 milliseconds from frame capture to AI classification output — a constraint imposed by the requirement for smooth, delay-free stereoscopic vision at the surgeon’s console that would be disrupted by any perceptible processing lag. Within this 50ms window, the AI output influences the instrument proximity alert rendering on the console and the haptic feedback signals in the surgeon’s console handpieces — signals that the surgeon perceives, integrates into surgical decision-making, and acts on in the next hand movement, which takes approximately 200–400ms. The total loop from frame capture to instrument motion is approximately 250–450ms. There is no time in this loop for human assessment of whether the AI classification is correct before the next instrument motion is made in reliance on it. A threshold of 35 accepts a higher false positive rate — more legitimate endoscope frames that trigger quarantine and operating mode fallback — in exchange for the lowest achievable false negative rate, reflecting the complete absence of any second-chance interception after a false negative passes an adversarially perturbed frame to the surgical AI.

How does the Stryker Mako intraoperative registration step interact with CT bone model adversarial injection?

The Mako intraoperative registration process — in which a bone-mounted tracker array is attached to the patient’s femur or tibia after anesthetic induction, and a probe-based surface registration routine touches landmark points on the exposed bone surface to align the pre-operative 3D bone model to the patient’s actual intraoperative position — is designed to detect and correct positional and rotational misalignment of the bone model relative to the patient’s actual anatomy. This registration step provides genuine protection against pre-operative bone model positioning errors and against errors in the model’s global coordinate registration. However, it provides limited protection against adversarial bone surface mesh distortion from CT segmentation AI injection. The registration process aligns the model to the patient using a small set (typically 8–20) of surface landmark contact points; it does not verify the full surface geometry of the bone mesh against the patient’s actual bone surface across the entire resection zone. A local mesh distortion — a 2–5mm displacement of the bone surface definition in the distal femoral posterior condyle region, for example — would be below the landmark sampling density that the registration routine can detect as a landmark fit residual, yet would be sufficient to shift the posterior haptic boundary envelope into the popliteal tissue territory.

The practical defensive implication is that CT bone model AI adversarial injection is not fully mitigated by intraoperative registration, and the appropriate scan gate is at the VirtualSurgery platform CT slice ingestion boundary — before the bone segmentation AI processes the DICOM volume — rather than at the intraoperative step, since the registration-detectable error class does not fully overlap the adversarially exploitable distortion class. This is a defensibility argument for the Glyphward CT slice scan gate that is specific to the Mako architecture and has no equivalent in soft-tissue robotic surgery platforms: scanning the pre-operative CT data is the only intervention point where the bone segmentation AI adversarial injection surface can be gated before it produces a bone model that will be loaded into the patient cart and used to define haptic boundaries during the procedure.
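The sampling argument above can be checked numerically. The sketch below is an added illustration, not Stryker's registration algorithm and not code from this page: it assumes a constructed 2D elliptical bone cross-section, a constructed 3 mm local bump in the CT-derived model, known landmark correspondences, and a hypothetical 1.0 mm RMS acceptance limit.

```python
import math
import random

A_MM, B_MM = 32.0, 24.0               # constructed elliptical cross-section (semi-axes, mm)
PATCH_CENTER = math.radians(255)       # constructed location of the local segmentation error
PATCH_HALF_WIDTH = math.radians(12)    # patch spans roughly 11 mm of surface
PATCH_DEPTH_MM = 3.0                   # inside the 2-5 mm range discussed above
RMS_TOLERANCE_MM = 1.0                 # hypothetical acceptance limit, not a vendor value
PROBE_NOISE_MM = 0.1                   # constructed probe measurement noise per axis


def true_surface(t):
    """Point on the patient's actual bone contour at parameter t (bone frame)."""
    return (A_MM * math.cos(t), B_MM * math.sin(t))


def model_surface(t):
    """CT-derived model: the true contour plus a smooth, compact local bump."""
    x, y = true_surface(t)
    off = math.atan2(math.sin(t - PATCH_CENTER), math.cos(t - PATCH_CENTER))
    if abs(off) >= PATCH_HALF_WIDTH:
        return (x, y)
    d = PATCH_DEPTH_MM * 0.5 * (1.0 + math.cos(math.pi * off / PATCH_HALF_WIDTH))
    nx, ny = B_MM * math.cos(t), A_MM * math.sin(t)   # outward normal of the ellipse
    norm = math.hypot(nx, ny)
    return (x + d * nx / norm, y + d * ny / norm)


def rigid(p, theta, tx, ty):
    """Apply a 2D rotation by theta followed by translation (tx, ty)."""
    c, s = math.cos(theta), math.sin(theta)
    return (c * p[0] - s * p[1] + tx, s * p[0] + c * p[1] + ty)


def fit_rigid_2d(src, dst):
    """Least-squares rotation + translation mapping src onto dst (2D Procrustes)."""
    n = len(src)
    sx, sy = sum(p[0] for p in src) / n, sum(p[1] for p in src) / n
    dx, dy = sum(p[0] for p in dst) / n, sum(p[1] for p in dst) / n
    cross = dot = 0.0
    for (ax, ay), (bx, by) in zip(src, dst):
        ax, ay, bx, by = ax - sx, ay - sy, bx - dx, by - dy
        cross += ax * by - ay * bx
        dot += ax * bx + ay * by
    theta = math.atan2(cross, dot)
    c, s = math.cos(theta), math.sin(theta)
    return theta, dx - (c * sx - s * sy), dy - (s * sx + c * sy)


def registration_report(n_landmarks, seed=1):
    """Register the model to probed landmarks, then compare landmark statistics
    with a dense check of the whole registered surface against the true bone."""
    rng = random.Random(seed)
    pose = (math.radians(20), 40.0, -15.0)   # constructed patient pose in tracker frame
    ts = [2 * math.pi * k / n_landmarks for k in range(n_landmarks)]
    probe = []
    for t in ts:                              # probe touches the TRUE bone surface
        x, y = rigid(true_surface(t), *pose)
        probe.append((x + rng.uniform(-PROBE_NOISE_MM, PROBE_NOISE_MM),
                      y + rng.uniform(-PROBE_NOISE_MM, PROBE_NOISE_MM)))
    model_pts = [model_surface(t) for t in ts]
    theta, tx, ty = fit_rigid_2d(model_pts, probe)
    residuals = [math.dist(rigid(m, theta, tx, ty), q)
                 for m, q in zip(model_pts, probe)]
    rms = math.sqrt(sum(r * r for r in residuals) / n_landmarks)
    dense = [2 * math.pi * k / 720 for k in range(720)]
    dense_max = max(math.dist(rigid(model_surface(t), theta, tx, ty),
                              rigid(true_surface(t), *pose)) for t in dense)
    return {"rms_mm": rms, "max_landmark_mm": max(residuals),
            "dense_max_mm": dense_max, "accepted_by_rms": rms <= RMS_TOLERANCE_MM}


if __name__ == "__main__":
    for n in (12, 120):
        print(n, {k: round(v, 3) if isinstance(v, float) else v
                  for k, v in registration_report(n).items()})
```

With 12 landmarks the RMS check accepts the model while the registered surface is off by about 3 mm inside the patch; with 120 landmarks the RMS still passes and only the per-point maximum residual exposes the distortion. A landmark RMS is therefore a weak gate for local surface errors, which is why the scan belongs upstream at CT ingestion.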

What does FDA’s Predetermined Change Control Plan (PCCP) guidance mean for surgical robotics AI adversarial testing requirements?

The FDA’s January 2023 guidance on Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions establishes a framework under which AI/ML-based medical device functions (including the tissue segmentation and fluorescence classification AI in da Vinci 5 and the bone segmentation AI in Mako VirtualSurgery) can be continuously updated without requiring a new 510(k) or PMA supplement for each model update — provided the manufacturer includes a PCCP in the original device submission that specifies the types of modifications anticipated, the performance monitoring plan that will detect performance drift, and the testing protocol that governs model updates. The adversarial robustness of the AI model — its performance under adversarial pixel perturbation attacks — is a performance dimension that should be addressed in the PCCP’s performance monitoring plan and in the pre-deployment testing protocol for each model update.

FDA’s 2023 Cybersecurity Guidance specifically identifies adversarial machine learning attacks (including adversarial examples and model evasion) as a threat category that must be addressed in the cybersecurity risk management process for AI/ML-based SaMD under 21 CFR Part 820 QSR. For surgical robotics AI, the adversarial robustness evaluation should be conducted against a threat model that includes frame-level perturbation attacks on the endoscope video stream, DICOM slice manipulation for CT-based AI, and NIR channel perturbation for fluorescence AI — the three injection surfaces identified in this document. A Glyphward pre-scan gate that is trained on the adversarial perturbation patterns relevant to surgical AI endoscope inputs provides a runtime adversarial detection layer that complements the pre-deployment adversarial robustness testing required under PCCP, addressing the monitoring arm of the PCCP performance monitoring plan: detecting adversarial inputs in production deployments that were not represented in the pre-deployment adversarial test corpus.

How does the da Vinci 5 AI architecture differ from the da Vinci Xi in terms of adversarial injection surface?

The da Vinci Xi (the generation preceding da Vinci 5, still the most widely deployed platform in the US with approximately 4,200 installed systems as of 2024) does not include the onboard GPU AI processing unit that the da Vinci 5 adds for tissue segmentation, instrument-awareness, and fluorescence classification AI. The da Vinci Xi’s computer vision pipeline is confined to stereo reconstruction (depth map generation from the dual-channel endoscope) and the Firefly NIR channel processing for fluorescence detection, without the tissue classification AI overlay and haptic proximity alerts of the da Vinci 5. The adversarial injection surface in the da Vinci Xi is therefore narrower — limited to the Firefly NIR fluorescence processing (if the Firefly endoscope is used) and any third-party AI applications integrated at the endoscope output via Intuitive Surgical’s open AI platform interfaces.

The da Vinci 5 expands the injection surface substantially: the onboard AI processing unit runs multiple AI models concurrently against the stereo endoscope stream, creating a larger total AI ingestion boundary surface and a more direct connection between AI output and surgical actuator behavior (through the enhanced haptic feedback and AI overlay rendering paths in the da Vinci 5 console). The transition of the installed base from Xi to da Vinci 5 across 2025–2028 — driven by Intuitive Surgical’s active replacement program and the new procedures opening up on the da Vinci 5 platform under its expanded PCCP-enabled AI capabilities — means that the surgical AI adversarial injection surface across the US installed base will expand substantially as the da Vinci 5 penetration grows. Adversarial injection defences deployed today for da Vinci 5 are the architectural foundation for defending the full platform transition.

What integration architecture places the Glyphward scan gate within the 50ms surgical AI frame processing window without adding unacceptable latency?

The Glyphward API is designed for low-latency image scanning with a target response time of under 200ms for standard endoscope frame sizes (1080p JPEG, approximately 150–400KB per frame). At 60 fps, the da Vinci 5 generates a new stereo frame pair every 16.7ms; scanning every frame at 200ms API latency is not compatible with real-time 60 fps processing. The practical integration architecture for surgical robotics AI uses selective frame sampling — scanning 1 in N frames (N typically 10–30, depending on required detection latency and API throughput budget) rather than scanning every frame — with the scan gate operating asynchronously alongside the main inference pipeline on a parallel processing thread. On adversarial detection, the gate signals the inference pipeline to enter a fallback operating mode (conservative haptic boundary, overlay disabled) for a defined number of subsequent frames (e.g., 60 frames = 1 second) before resuming AI-assisted mode. This architecture provides adversarial detection latency of approximately N × 16.7ms = 167–500ms — within the window of a surgical instrument motion — without blocking the real-time stereo reconstruction pipeline that drives the console display. The selective sampling rate can be increased during the critical anatomical identification phase (CBD/ureter identification, haptic boundary approach), where adversarial injection risk is highest and the fallback operating mode is most protective, and reduced during non-critical phases (tissue retraction, instrument exchange), where the cost of a false positive fallback is lower.
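The sampling-and-fallback arrangement described above, as an added sketch that is not Glyphward or Intuitive Surgical code: a deterministic frame-loop simulation in which `ScanGate`, `simulate` and the string-labelled frames are hypothetical stand-ins, and the 200 ms scan is modelled as 12 frames. It counts the scan's response time as well as the sampling interval, so the measured time to fallback is longer than N × 16.7 ms alone.

```python
from collections import deque

FRAME_MS = 1000 / 60      # one stereo frame pair every 16.7 ms at 60 fps
FALLBACK_FRAMES = 60      # hold fallback for 60 frames (1 s) after a detection

class ScanGate:
    """Hypothetical 1-in-N sampling gate that never blocks the frame loop."""

    def __init__(self, sample_every, scan_latency_frames, scan):
        self.sample_every = sample_every
        self.scan_latency_frames = scan_latency_frames
        self.scan = scan                 # stand-in for the scanning API call
        self.in_flight = deque()         # (frame index at which verdict lands, flagged?)
        self.fallback_until = 0          # first frame index back in AI-assisted mode

    def on_frame(self, idx, frame):
        # Apply verdicts from scans that have completed by this frame.
        while self.in_flight and self.in_flight[0][0] <= idx:
            _, flagged = self.in_flight.popleft()
            if flagged:
                self.fallback_until = max(self.fallback_until, idx + FALLBACK_FRAMES)
        # Hand every Nth frame to the scanner; its verdict arrives later.
        if idx % self.sample_every == 0:
            self.in_flight.append((idx + self.scan_latency_frames, self.scan(frame)))
        return "fallback" if idx < self.fallback_until else "ai_assisted"

def simulate(sample_every, scan_latency_frames, perturbed, total_frames):
    """Run the frame loop; `perturbed` is the range of frame indices marked adversarial."""
    gate = ScanGate(sample_every, scan_latency_frames, scan=lambda f: f == "perturbed")
    frames = ("perturbed" if i in perturbed else "clean" for i in range(total_frames))
    return [gate.on_frame(i, f) for i, f in enumerate(frames)]

def detection_delay_ms(modes, attack_start):
    """Milliseconds from the first perturbed frame to the first fallback frame."""
    return (modes.index("fallback") - attack_start) * FRAME_MS

if __name__ == "__main__":
    # Constructed scenario: N = 10, 200 ms scan = 12 frames, perturbed frames 21..59.
    modes = simulate(10, 12, range(21, 60), 200)
    print(round(detection_delay_ms(modes, 21)), "ms to fallback")
    print("AI-assisted mode resumes at frame", modes.index("ai_assisted", 42))
```

In this constructed run fallback begins 350 ms after the first perturbed frame, and AI-assisted mode resumes at frame 122, which is 60 frames after the last flagged verdict lands.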

Further reading