EEG Accessibility Buggy

BCI User, Daily Independent Navigation scenario: the primary purpose of the system is to restore independent mobility to individuals with severe motor disabilities who cannot operate conventional wheelchairs or joystick-controlled devices.

BCI User, all scenarios: user has severe motor disability and cannot self-extract from hazardous situations — the system is the sole protection layer between cognitive intent and physical harm. Driven by H-001 (signal loss), H-002 (collision), H-006 (seizure).

BCI User, Cognitive Fatigue scenario: after 25-30 minutes of continuous BCI use, classification accuracy degrades from 85% to 68%. Without detection and adaptation, misclassified commands become a collision and safety risk (H-004).

Care Attendant scenario: carer rotation means individuals may encounter the device with no prior training. The ≤5-minute orientation threshold reflects NHS Band 3 carer induction constraints (maximum 5-minute device briefing per Assistive Technology Support Protocol). The 60-second operational readiness criterion is derived from emergency response time requirements — if a clinical incident occurs, the carer must be able to take control immediately after a brief orientation. 100ms handover latency ensures no perceptible delay during the authority transfer. Obstacle detection remains active per BS EN ISO 13482 (Safety requirements for personal care robots) to prevent collision hazards during carer operation.

Care Attendant scenario: carer may be in an adjacent room or attending another patient. The ≥75 dBA threshold at 1 m (measured per IEC 60068-2-64: Vibration test, acoustic emission) is the minimum level audible over typical clinical environment noise (NHS estates guidance: 65 dB background). The ≥5 m LED distinguishability criterion is derived from typical ward bay dimensions (4 m × 6 m) — a carer at the far end of the bay must see the alert. Amber/red colour coding follows BS EN 60073 (Basic safety principles for man-machine interfaces) actuator/indicator assignment. The 1-second response deadline ensures the alert precedes any secondary clinical consequence of the mode transition.

Maintenance Technician, Weekly Maintenance scenario: fleet of 4 buggies must be inspected in a 2-hour maintenance window. 20 min per buggy (80 min total) leaves margin for fault investigation and electrode replacement.

Maintenance Technician, Weekly Maintenance scenario: firmware updates are applied weekly from the facility server. Dual-bank flash with rollback is essential because a bricked buggy removes it from the fleet and impacts user mobility. IEC 62304 requires controlled software update processes.

Clinical Prescriber (OT/rehab physician): each user has different motor imagery capability, fatigue tolerance, and risk profile. A C4 SCI patient may need different parameters than an ALS patient. Clinical configuration drives safe individualised therapy.

Clinical Prescriber requirement: outcome data must be exportable for NHS clinical audit trails and therapy effectiveness review. JSON format is specified because it is machine-readable by standard clinical outcome tools and is required by NHS Digital Data Standards for Class IIb medical device reporting. The maintenance interface (USB-C service port, per IFC-REQ-024) is the designated export channel to prevent unauthorised BLE data extraction. The 60-second export window ensures data availability before the next session begins.

Regulatory Authority (MHRA/FDA/TGA): the system is a Class IIb medical device. Without compliant documentation, the device cannot receive market authorisation and cannot legally be used with patients.

Regulatory Authority: EU MDR Article 83 and FDA 21 CFR 803 require active post-market surveillance for Class IIb devices. Automated data collection reduces reporting burden and ensures adverse events are captured promptly.

Facility Management: facilities operate fleets of 2-8 buggies. Manual maintenance tracking is error-prone — missed inspections create regulatory and safety liability. CMMS integration automates compliance evidence.

Facility Management: care facilities and hospitals cannot undertake corridor widening or door replacement for a mobility device. The buggy must fit existing DDA-compliant corridors (≥1200mm), doorways (≥900mm), and lifts (≥1100×1400mm).

Bystanders/Pedestrians, collision scenario (H-002): bystanders include elderly residents with slow reaction times, children, and wheelchair users. Unpredictable movement or abrupt stops create secondary injury risk in shared spaces.

Bystanders/Pedestrians: unlike conventional wheelchairs, a BCI-controlled buggy gives no visible human-body cues about direction. Pedestrians cannot predict movement from the user's gaze or posture, requiring engineered warning signals.

Environmental constraint, Signal Degradation scenario and H-007: hospital and care facility environments contain significant EMI sources that directly interfere with EEG signal acquisition. The system must degrade safely rather than misclassify corrupted signals.

Environmental constraint, Daily Independent Navigation scenario: users navigate between indoor and outdoor spaces (e.g., care home to garden patio). The system must handle UK/temperate climate conditions without degradation of safety functions.

Regulatory Authority and BCI User: EEG data is biometric personal data under GDPR Article 9. Brain signal recordings reveal health status and potentially cognitive state — requiring the highest category of data protection.

Derived from STK-REQ-001 (independent navigation) and STK-REQ-002 (user safety). The 85% threshold is the minimum accuracy at which misclassification rate (<15%) keeps unintended manoeuvres within the obstacle detection recovery envelope. Below 85%, the misclassification rate exceeds the system's ability to correct via obstacle avoidance, creating collision risk (H-002, H-004).

Derived from STK-REQ-002 (user safety). H-001 (signal loss) and H-002 (collision) both require SIL 2-3 emergency stop. 200ms budget: 50ms detection + 50ms processing + 100ms mechanical actuation. At 6 km/h (1.67 m/s), 200ms yields 0.33m travel — within the 0.5m safety margin to nearest obstacle at trigger point.

ISO 7176-14 (Power wheelchairs — Maximum speed) permits up to 15 km/h for powered mobility devices on pathways. 6 km/h Normal Navigation cap is a comfortable indoor walking pace, safe for corridor/building use. 3 km/h Degraded/Assisted cap (50% of Normal) provides meaningful mobility while limiting consequence of mis-commands when BCI accuracy is compromised. Aligns with SYS-REQ-022 which specifies the Degraded/Assisted behaviour in detail.

Derived from STK-REQ-001 (independent navigation) and operational tempo constraint (2-4 sessions/day, 15-45 min each). 4 hours covers a full day's use with margin. 15 km at 4 km/h average matches the Daily Independent Navigation scenario profile.

Derived from STK-REQ-002 (user safety). H-006 (seizure during operation) is rated catastrophic/SIL 3. 150ms budget is tighter than general E-stop (200ms) because seizure-induced EEG patterns can be misclassified as movement commands, causing erratic buggy behaviour before detection completes. The 50ms margin accounts for the unique danger of a non-ambulatory user seizing while in a moving vehicle.

Derived from STK-REQ-002 (user safety) and STK-REQ-014 (bystander safety). H-002 (collision) is rated SIL 2. 2m forward range at 6 km/h provides 1.2s stopping margin. 50mm height threshold catches kerbs, feet, and dropped objects while filtering floor texture variations.

5-second SNR threshold prevents transient signal glitches from triggering mode transitions, while still catching genuine degradation within a safe reaction time. 3 km/h Degraded speed (50% Normal Navigation cap) aligns with SYS-REQ-003 and SYS-REQ-022. Binary go/stop reduces cognitive load when the BCI classifier cannot reliably discriminate four motor imagery classes.

Derived from STK-REQ-003 (fatigue detection). Cognitive Fatigue scenario: accuracy dropped from 85% to 68% over 3 minutes. The 70% threshold with 2-minute rolling window detects this drift pattern with sufficient lead time to prevent dangerous misclassification. H-004 (misclassification) drives this requirement.

Derived from STK-REQ-004 (carer override). The 100ms handover time ensures seamless transition during emergency or post-degradation situations. Obstacle detection remains active during override because the carer may be unfamiliar with the environment or distracted by the user's condition.

Derived from STK-REQ-013 (facility infrastructure compatibility). 700mm width provides clearance through 900mm DDA-compliant doorways. 1200mm length fits 1100×1400mm lift cabs. 1500mm turning radius enables U-turns in 2000mm wide corridors. 120 kg covers 95th percentile adult wheelchair users.

Derived from STK-REQ-002 (user safety). H-005 (tip-over) is rated SIL 2. 15° tilt threshold provides margin above the 8° maximum ramp gradient (operational constraint) while triggering before the vehicle's centre-of-gravity reaches the tip-over angle (~25° for a 120 kg user at maximum seat height).

Derived from STK-REQ-002 (user safety). H-003 (battery thermal runaway) is rated catastrophic/SIL 3. 60°C cell temperature is the thermal runaway onset threshold for NMC lithium-ion cells per IEC 62133 (Secondary lithium cells — Safety requirements). 500ms response prevents cascade. The non-ambulatory user cannot self-evacuate, making suppression and external alerting critical.

Derived from STK-REQ-016 (EMI tolerance). H-007 (EMI-corrupted EEG) is rated SIL 1. Hospital corridors are the primary operating environment and contain aggressive EMI sources. EMC compliance ensures the EEG acquisition chain degrades gracefully rather than producing undetectable classification errors.

Derived from STK-REQ-001 (independent navigation) and power constraint. Overnight charging (22:00-06:00) provides 8 hours — 4-hour charge time ensures full charge with margin for late docking. Same-day top-up between sessions is feasible during the 2-hour midday gap.

Derived from STK-REQ-006 (diagnostic interface). Weekly Maintenance scenario: technician must inspect 4 buggies in a 2-hour window. 20-minute test suite per buggy allocates the budget correctly. Any buggy failing brake torque or cell imbalance tests is automatically flagged for removal from service.

Derived from STK-REQ-007 (firmware updates with rollback). IEC 62304 (Medical device software — Software life cycle processes) requires controlled software update mechanisms for Class C software (safety-critical). Dual-bank ensures the device is never bricked by a failed update — critical for fleet availability.

Derived from STK-REQ-005 (carer alerts) and Seizure scenario. The non-ambulatory user cannot call for help — the system must autonomously summon assistance. 500ms transmission latency ensures the facility nurse call system receives the alert before the carer would otherwise notice the stationary buggy.

Derived from STK-REQ-001 (independent navigation). Startup/Calibration mode: concept defines 30s diagnostics + 3 min calibration = 3.5 min typical, 5 min maximum. 80% calibration threshold is the minimum accuracy at which the 4-class command set is usable — below this, misclassification exceeds 1-in-5 commands.

Derived from STK-REQ-018 (GDPR data protection). EEG data is Article 9 special category biometric data under GDPR. AES-256 and TLS 1.3 are the current minimum standards for health data protection. Role-based access prevents maintenance staff accessing clinical data and vice versa.

The EEG headset is a skin-contact medical device worn daily for extended sessions by users who may have limited ability to remove it themselves. ISO 10993-1 biocompatibility evaluation is mandatory under IEC 60601-1 for patient-contacting parts. Users with neurological conditions may have reduced skin sensation, increasing risk of contact dermatitis or pressure injury from non-biocompatible materials. This addresses the high-severity lint finding that the system classification includes Biological/Biomimetic traits with no biocompatibility requirements.

EEG accessibility buggy is classified without Physical Object trait (hex 50800000) despite being a physical vehicle. This requirement establishes the physical embodiment: a unified housing with IP54 protection for indoor healthcare and light outdoor use. IP54 is the minimum for wheelchair-equivalent environments per IEC 60601-1-11 (home healthcare environments) and ensures electrode/electronics survive routine cleaning.

STK-REQ-004 requires manual override with obstacle detection remaining active but specifies no measurable degraded-mode performance floor. STK-REQ-005 requires distinct alerts on mode transitions. 3 km/h limit (half of full speed) reduces collision energy by 75% and gives the care attendant additional reaction time, which is derived from pedestrian collision safety analysis (EN ISO 13482: safety requirements for personal care robots). Obstacle detection must remain active to prevent hazards during reduced user control.

IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 2 requires independent fault detection and response for System-Essential components. MAP is system-essential (single point of failure for BCI command processing); without a watchdog-monitored independent failover channel, a stuck MAP executing incorrect commands would have no automatic mitigation. The 50ms watchdog timeout and 200ms failsafe response are consistent with SYS-REQ-002 which mandates 200ms total emergency stop latency. This requirement establishes the SYS-level mandate for the independence implemented in ARC-REQ-002 and SUB-REQ-061.

20ms latency budget derived from 50ms total BCI pipeline budget (SYS-REQ-001 <150ms classification latency). False rejection of >10% degrades classification accuracy below the 70% threshold in SYS-REQ-008, causing unnecessary safe-stop transitions. IEC 60601-1 applies to EMC performance of medical devices.

75% accuracy floor is derived from SYS-REQ-008 which triggers adaptive feedback mode at 70%. The 5% margin allows the Command Arbitration Module's confidence threshold (70% per-command) to remain effective without generating spurious safe-stop events under mildly degraded signal conditions. Below 70% system accuracy the user loses meaningful volitional control, creating an unsafe condition.

150ms end-to-end latency directly derived from SYS-REQ-001. This is the cognitive-motor feedback loop constraint: delays >200ms cause users to generate corrective commands before the original command executes, resulting in command accumulation and erratic vehicle behaviour. 150ms allows 50ms margin below the 200ms perceptual threshold.

Directly implements SYS-REQ-007 at the subsystem level. 3-second timeout balances false-positive rate (transient signal dropout from head movement) against safety risk of continued motion with unreliable control. Safe state is vehicle stop, consistent with the hazard register. SIL-3 requirement because failure to stop on signal loss could result in uncontrolled vehicle motion near vulnerable users.

MoP basis: Published motor imagery BCI research (Blankertz et al. 2008, 'Optimizing Spatial Filters for Robust EEG Single-Trial Analysis', NeuroImage) documents 15–25% accuracy reduction when using population-averaged vs. subject-specific CSP spatial filters across EEG motor imagery tasks. Per-user matrices are therefore essential for the ≥80% classification accuracy required by SYS-REQ-006. 5-second load time is within the SYS-REQ-018 30-second startup budget. Encryption required under STK-REQ-018 (EEG biometric data, GDPR Article 9 special category). Failure to load forces operation on default matrices, triggering SYS-REQ-007 signal degradation pathway and Degraded/Assisted mode.

IEC 61508 SIL-3 requires monitoring of autonomous processing functions. The Artifact Rejection Engine is functionally autonomous (runs its own ICA pipeline without per-frame supervision) but can enter a deadlock or memory leak state. 500ms without output is an unambiguous failure indicator — the nominal output period is 500ms (2 epochs/second), so one missed window triggers reset. This provides a bounded recovery time compatible with the BCI pipeline latency budget.

SYS-REQ-015 requires a USB-C diagnostic suite completing in 20 minutes. The Main Application Processor hosts the diagnostic executive and has access to all subsystem buses (CAN, I2C, SPI, UART). Authentication is required to prevent unauthenticated firmware or calibration access. 20-minute completion time is derived from scheduled maintenance window constraints in care facility operational planning.

SYS-REQ-019 mandates AES-256 and TLS 1.3 for EEG biometric data. The Main Application Processor is the data custodian for all BCI pipeline data. Three-role RBAC (clinical, maintenance, user) is the minimum partition required by GDPR Article 25 (data protection by design) and IEC 62443 (Security for industrial automation) tier partitioning. Audit logging supports forensic investigation and regulatory compliance.

Lint finding: artifact rejection engine is Powered but has no power source requirements. The ARE is a software-firmware block executing on the BCI DSP and draws power through the DSP supply rail. Bounding the current draw to 250mA peak prevents thermal shutdown of the 3.3V converter during simultaneous EEG acquisition and artifact processing bursts. Brown-out on this rail would cause BCI pipeline failure and trigger emergency stop.

Lint finding: Normal Navigation mode is a Functionally Autonomous operational state with no safety or override constraints. This requirement addresses the autonomous operation safety gap per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 requirements for autonomous command generation. The 100ms halt time is bounded by the 200ms total emergency stop response budget from SYS-REQ-002.

The buggy is Biological/Biomimetic (interfaces with biological EEG signals via wet electrodes on user scalp). Scalp-contact electrodes are skin-contacting medical devices under ISO 10993-1. Clinical deployment in care facilities serving multiple users requires decontamination capability to prevent infection transmission. IEC 60601-1 (Medical electrical equipment — Part 1: General requirements for basic safety) also requires biocompatibility for patient-applied parts.

The lint finding flags the Artifact Rejection Engine as lacking Physical Object trait but having physical embodiment constraints. As a software algorithm running on the Feature Extraction Processor, it must be bounded in resource consumption to not starve classifier and acquisition processes. The 30% CPU budget preserves headroom for the BCI Classifier (50%) and overhead (20%). The 4ms latency ensures artifact-free EEG is available within the 10ms BCI processing frame.

Normal Navigation mode and Artifact Rejection Engine are classified as Digital/Virtual with no cybersecurity requirement at SUB level. A BCI mobility device controls physical motion — unauthorised injection of navigation commands could result in collision or unsafe motion. HMAC-SHA256 command authentication provides integrity protection against replay attacks and command injection without requiring a symmetric key exchange per session, which is appropriate for the embedded MAP execution environment. This requirement closes the cybersecurity gap identified by UHT Substrate classification of the Normal Navigation mode (hex 40B72300).

BCI signal path requires continuous EEG data at 8kHz to meet the classification accuracy in SYS-REQ-001. The 7.5ms BLE connection interval is the minimum supported by BLE 5.2 and the tightest interval that avoids BCI latency degradation. 3m range covers all typical headset-to-buggy cable routing scenarios within a clinical environment.

A cellular modem is an externally accessible network endpoint. Without isolation, a compromised modem could inject spoofed drive or safety commands on the CAN bus, constituting a cybersecurity attack path directly threatening occupant safety. The firewall is the primary control for IEC 62443 network segmentation of the safety domain from the external domain.

SYS-REQ-017 requires BLE alert transmission within 500ms on emergency triggers. The Communication Controller manages the BLE 5.0 module (nRF52840) and is the component responsible for alert generation. 500ms is the maximum acceptable caregiver notification latency before a seizure or emergency becomes unmanageable.

SYS-REQ-019 requires TLS 1.3 for data in transit. The Cellular Modem is the only component with external IP connectivity; mutual TLS with per-device certificates prevents impersonation of the server (downgrade attack) and spoofing of the device. Device certificates provisioned at manufacture ensure the credential chain cannot be forged in the field.

Care attendants and clinical teams rely on near-real-time session data for remote supervision of users with severe motor impairments. A 10-second interval balances cellular data consumption against clinical oversight needs. The 2-second uplink latency bound ensures that location and safety events reach the monitoring platform while the user is still at the reported position.

SYS-REQ-015 specifies USB-C access to an automated diagnostic suite; the Communication Subsystem hosts the USB-C physical interface and routes diagnostic commands to the Main Application Processor, making it the correct implementation locus.

Derives from SYS-REQ-005 which requires BLE emergency alert transmission to facility emergency system on seizure detection. 500ms transmission budget allows for BLE connection establishment (max 200ms for pre-paired devices) plus packet delivery, while the Emergency Stop itself is completed within 150ms. The facility receiver must get actionable location data to dispatch care staff rapidly.

Closed-loop control at 100Hz is required to achieve accurate differential-drive steering. The ±0.1 km/h accuracy threshold is derived from SYS-REQ-003 speed limits: at 6km/h maximum, a ±1.7% error is acceptable for stable path tracking while avoiding overspeed. Encoder feedback rate of 1024 PPR at 250mm wheel diameter gives 0.77mm/pulse resolution, sufficient for the control loop.

Derives from SYS-REQ-003. Speed limits are enforced in firmware to prevent unsafe motion: 6km/h is consistent with IEC 62133 electric mobility device guidance for indoor environments, and 2km/h Restricted mode is for narrow corridors and near-bystander situations. Clamping in MCU firmware rather than relying on upstream command rejection provides defence-in-depth at SIL 2.

Derives from SYS-REQ-002: 250ms safe stop is the system-level budget. The MCU's 250ms hard stop matches the system-level requirement. CAN heartbeat loss at 100ms provides early detection (50% of the 200ms upstream timeout in SUB-REQ-010) to allow regenerative braking time. Regenerative braking is preferred over freewheeling to maintain directional control during deceleration on slopes.

Hardware overcurrent protection independent of MCU firmware is required at SIL 2 because firmware-only protection cannot be credited under IEC 61508 (Functional safety of E/E/PE safety-related systems) at SIL 2 without redundant validation. 30A trip threshold is derived from 500W peak motor rating at 48V nominal (10.4A max continuous, 30A provides 3x margin for inrush while protecting MOSFET switches rated at 80V/40A). 5ms trip time ensures MOSFET junctions do not exceed thermal limits.

250W continuous per motor is required to achieve 6km/h with a 150kg total vehicle load (occupant + buggy) on a 5% gradient, per the mechanical traction analysis in the ConOps. 48V supply matches the LiFePO4 battery pack nominal voltage. 0-40°C operating range covers typical indoor clinical and office environments per the operating environment constraint.

Motor Controller Unit (hex D4F57A18) is System-Essential; undetected MCU loss leads to silent loss of propulsion authority. 100 ms heartbeat timeout provides two missed 50 Hz frames before declaring fault, balancing false-positive avoidance with response timeliness.

Motor Controller Unit is classified System-Essential (hex D4F57A18). Firmware-dependent overcurrent protection is insufficient for a SIL-2 drive function: if the MAP is faulted or busy, motor runaway or coil burn is possible within milliseconds. Hardware-only protection eliminates this failure mode and is standard practice in IEC 61800-5-2 (Safety requirements for adjustable speed electrical power drive systems).

SYS-REQ-022 requires 3 km/h maximum in Degraded mode. Implementing the cap in the Drive Subsystem firmware (not in the BCI pipeline) ensures it applies regardless of BCI or joystick source, preventing the cap from being bypassed if the BCI subsystem transitions incorrectly.

STK-REQ-004 mandates carer override with obstacle detection active but specifies no measurable performance floor for the override mode. 100ms joystick response derived from SYS-REQ-009 (handover latency). 6 km/h matches Normal Navigation maximum. The original 30-minute duration floor at 50% speed was flagged rt-implausible-value because it is far weaker than the 4-hour battery capacity guarantee in SUB-REQ-014, creating an artificial and non-binding constraint. The revised requirement instead bounds override-mode power consumption relative to Normal Navigation, preventing undisclosed high-drain override modes from undermining the SUB-REQ-014 runtime guarantee.

Drive subsystem contains 48V DC power electronics in direct proximity to a patient-class user. IEC 60601-1 applies because the EEG Accessibility Buggy is a medical device (confirmed by STK-REQ-010 requirement for design history file and clinical evaluation report). The Motor Controller Unit (MCU) and Motor Power Isolation Relay are classified as Regulated by UHT Substrate but no compliance requirement existed at subsystem level. IEC 60601-1-2 EMC compliance is separately required because the drive PWM switching may interfere with EEG acquisition — this requirement closes that gap with a regulatory floor.

MoP basis: IEC 60601-1-8 (Medical electrical equipment — Alarm systems) clause 6.3.2 specifies a minimum of 65 dBA for high-priority alarm signals in medical environments. The 80dB SPL floor in this requirement adds a 15dB safety margin above the IEC 60601-1-8 baseline to account for clinical environment background noise (hospital ward ambient noise typically 60–70 dB, per HSE noise guidance for NHS environments). STK-REQ-005 sets the stakeholder-level threshold at ≥75 dBA at 1m; SUB-REQ-032 allocates the Audio Alert Module a 5dB margin above the stakeholder minimum, accounting for measurement uncertainty and acoustic absorption at distance. 100ms onset ensures auditory alert is concurrent with physical braking deceleration at 6 km/h (vehicle travels <17cm before alert fires).

STK-REQ-005 requires distinct visual alerts for the care attendant. Using the five colours above maps directly to the ConOps operating modes and allows unambiguous state identification without requiring the attendant to read text on the display. 200ms transition time is fast enough to appear instantaneous to the human observer.

SYS-REQ-009 mandates 100ms joystick authority transfer. This decomposes the latency budget to the HMI/Drive interface. Failure to meet this threshold risks momentary loss of directional authority during handover, which is a collision risk in tight corridors. The 100ms bound is derived from vehicle control latency studies in powered wheelchair standards (ISO 7176-11).

Derived from SYS-REQ-008 (accuracy threshold) and SYS-REQ-018 (calibration readiness). Care attendants require real-time visibility of BCI performance to intervene before accuracy degrades below the 70% transition threshold. A 300 cd/m2 brightness floor ensures readability in hospital dayroom and outdoor settings. 2Hz update prevents perceived lag in a medical device.

Care attendants typically approach from behind or to the side of the buggy. An angular field of 120 degrees to the rear ensures the attendant can read the vehicle state (green/amber/red) at normal approach angles without requiring a direct line of sight from the front. The 10mcd intensity is derived from ISO 7176-22 (powered wheelchair signal lamp requirements).

SYS-REQ-009 requires care attendant steering transfer within 100 ms end-to-end; the HMI Subsystem accounts for the first 50 ms of that budget through hardwired (not software) assertion to prevent software-layer latency from delaying the takeover.

SYS-REQ-009 requires joystick steering transfer within 100 ms; 20 ms HMI command latency plus 50 ms safety assertion budget leaves 30 ms for drive subsystem response, satisfying the end-to-end bound at 50 Hz control rate.

SYS-REQ-009 requires authority transfer within 100ms. This timing is derived from a 6 km/h maximum speed giving 167mm travel per 100ms; exceeding this window allows the vehicle to travel approximately one chair-width during uncontrolled motion, which is unacceptable for a safety-critical handover. The 100ms budget is decomposed as: 20ms switch debounce, 30ms CARER_OVERRIDE propagation, 50ms Drive Subsystem command accept latency.

Derives from SYS-REQ-008 which requires audible alert to care attendant when entering Degraded/Assisted mode. 85 dBSPL at 880Hz is audible over typical care facility ambient noise (60-70 dB) without exceeding care setting guidelines. 200ms alert latency is well within the 2-minute rolling window that triggers the mode change, ensuring the care attendant is notified before the buggy is in degraded state for more than a few seconds.

Derives from SYS-REQ-009 which requires joystick handover within 100ms of care attendant override. The 100ms budget is split: 20ms for switch debounce and signal propagation, 50ms for authority transfer to Drive Subsystem, 30ms for BCI command disable confirmation. This ensures care attendants can take safe control rapidly during user distress or post-degradation handover without perceptible delay.

Derives from SYS-REQ-022 which requires amber LED and text notification on entry to Degraded/Assisted mode. The 2Hz amber pulse is distinct from normal mode (solid green) and emergency stop (1Hz red), providing unambiguous visual status across the three primary operating modes. The text notification includes the speed limit to inform both the user and any bystanders of reduced capability. 100ms display latency is within the HMI response budget after mode transition.

SYS-REQ-006 mandates detection of obstacles within 2m forward zone. Three VL53L5CX sensors in a 120° arc provide full forward coverage with 8x8 depth grids. Accuracy of ±50mm is sufficient to trigger an alert with >1 update cycle margin at 6 km/h (vehicle travels 167mm per 100ms). 10Hz update rate matches minimum safety reaction loop.

At 6 km/h the vehicle travels 83mm in 50ms. Combined with forward sensor range of 2m, the 50ms processing budget leaves a minimum 1.9m braking margin for the Safety Subsystem to act. This derives from SYS-REQ-006 and the 20ms relay cutoff time in SYS-REQ-002.

At 6 km/h during a tight turn, lateral obstacles present risk of entrapment or collision with door frames. The 0.5m detection threshold at 30ms latency provides 83mm travel margin before the safety chain can respond. Derived from STK-REQ-014 (safe stopping distances) and the maximum vehicle width of 700mm per SYS-REQ-010.

IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 2 requires fail-safe behaviour on subsystem communication loss. Absence of sensor data is a credible failure mode (MCU lockup, I2C bus fault). Treating silence as an obstacle-present condition is the most conservative safe state and prevents motion through undetected obstacles.

SYS-REQ-011 requires braking on 15-degree tilt detection. This decomposes the sensing element to the Perception Subsystem. The 50ms assertion time leaves 150ms for the Safety Monitor Processor to command brake application within the 200ms total SYS-REQ-002 safety response budget. The inclinometer is physically in the Perception subsystem's sensor suite (Electronics Bay mounting).

Lint finding: inclinometer is Powered but has no power source requirements. The inclinometer is a MEMS device (e.g. ST LSM6DSO) operating at 3.3V logic level consistent with the Perception MCU. Defining the power envelope prevents sensor brown-out during load transients from the drive motors, which would cause spurious tilt alarms and emergency stops.

SYS-REQ-011 triggers automated halt on 15-degree tilt; the Perception Subsystem must provide tilt data at sufficient rate (20 Hz) to ensure the Safety Subsystem can detect and respond within 200 ms before the system enters an unsafe attitude.

Partial failure of the forward sensor array reduces obstacle coverage below the full 120-degree arc, creating blind zones. At 1.5 km/h, the vehicle travels 83mm per 200ms safety response cycle, maintaining a minimum 1.9m stopping margin within the 2m sensor range. This degraded safe state allows continued slow-speed operation; total perception failure escalates to emergency stop per the Perception MCU watchdog requirement.

At 6 km/h, a 150ms perception blackout allows 250mm of undetected travel within the 2m sensor range. The Safety Monitor Processor must treat heartbeat loss as equivalent to an obstacle detection event. 150ms timeout is 1.5 times the nominal 100ms sensor-MCU processing cycle, allowing one missed frame before fault assertion. Derived from SYS-REQ-002 (200ms total safety response budget) and SYS-REQ-006 (obstacle detection).

Side proximity sensor failure creates a blind zone for lateral obstacles during turns. At 6 km/h in a 700mm-wide vehicle in 900mm doorways this presents entrapment risk per the Daily Independent Navigation ConOps scenario. Reducing speed to 0.5 km/h provides minimum 100ms carer reaction margin to apply emergency stop before a lateral collision. Derived from STK-REQ-014 (safe stopping distances) and doorway clearance analysis.

An inclinometer that goes silent may have failed at or beyond the 15-degree threshold, creating an undetected tip-over hazard. Conservative fail-safe policy per IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-2 fault-detection requirements. 200ms timeout is 4 times the nominal 50ms assertion time, providing three missed-update margin before fault declaration to avoid nuisance stops.

Tilt-data absence during navigation is treated as tilt-threshold exceedance per fail-safe policy. At 20Hz publication rate, 100ms silence represents two missed updates — sufficient margin to distinguish transient jitter from sensor failure without nuisance stops. This ensures the 15-degree tilt halt condition in SYS-REQ-011 cannot be bypassed by a publication failure in the Perception Subsystem.

Directly implements SYS-REQ-012 at the BMS level. 200ms disconnect time is the IEC 62133 (Secondary lithium cells — Safety requirements) maximum allowable time before sustained OV or OT can initiate thermal runaway in LiFePO4 chemistry. Failure to disconnect risks irreversible thermal runaway with fire hazard near a vulnerable user.

Directly implements SYS-REQ-004 at subsystem level. 10% SoC floor preserves headroom for safe-stop execution and BMS shutdown sequence without total power loss. 4-hour operational duration is the STK-derived minimum for full-day facility use between charges. SIL-3 classification rationale: the 10% SoC floor is the trigger condition for the SIL-3 safe-stop sequence defined in the companion failure-mode requirement (idempotency:fm-sub-014-battery-socdepleted-717). The battery pack capacity requirement is the performance prerequisite for that safety function — battery depletion before 10% SoC remaining would prevent safe-stop execution, resulting in uncontrolled motion hazard H-001 and tip-over hazard H-005. SIL-3 is appropriate because loss of this function could result in serious or fatal injury to the EEG-impaired user.

IEC 60601-1 (Medical electrical equipment — General requirements for basic safety) requires stable power supply to safety-critical electronics. ±5% regulation covers the input tolerance range of embedded processors and wireless modules. 50mV ripple is the maximum specification for the BCI processing modules' switching noise sensitivity on EEG acquisition circuitry.

SYS-REQ-014 requirement cascaded directly. 3-hour charge time allows overnight charging on standard facility schedules (facility changeover at 18:00, vehicle available by 21:00 for next-day use). Faster charging is not feasible within the 3kW facility outlet rating while maintaining the CC/CV profile required for LiFePO4 longevity. SIL escalation resolution: the SIL-3 tag on this requirement reflects its role as the primary charge timing specification for the SIL-3 power system. However, the charge timing function itself is not the SIL-3 safety function — the mains fault isolation function is (addressed in companion requirement idempotency:fm-sub-016-charger-mainsfault-717 at SIL-2). This requirement's SIL-3 tag should be understood as marking it as part of the SIL-3 power subsystem scope, not as claiming the charge timing is itself a SIL-3 safety function. The IEC 62368-1 fault isolation companion requirement carries the appropriate SIL-2 classification for the fault-isolation function.

SYS-REQ-014 specifies 4-hour charging from facility dock at both EU and US mains voltages. The Charge Controller is the Power Subsystem component responsible for dock interface and CC/CV charge management. Compliance with both supply standards is required for international deployment in care facilities.

SYS-REQ-014 sets the 4-hour charge window; the Power Subsystem must manage inrush and thermal limits to use facility power safely and meet the charge time without exceeding the 16 A standard socket circuit protection threshold.

Derives from SYS-REQ-014 which specifies the 4-hour charge window from 20% to 100% SOC. The LiFePO4 48V 30Ah pack requires approximately 28.8Ah at 48V = 1.38 kWh from 20% to 100%. A CC-CV profile at 10A charge current achieves this in under 3.5 hours with end-of-charge cut-off, providing margin against cell aging degradation. Dual-voltage acceptance (230V/120V) enables international facility deployment.

BMS disconnect failure leaves LiFePO4 cells at sustained overvoltage or overtemperature, the initiating conditions for thermal runaway per IEC 62133 (Secondary lithium cells — Safety requirements). The Safety Monitor Processor's independent watchdog on the BMS status line ensures the safety chain remains active even if the BMS processor itself fails. 250ms detection covers the 200ms BMS disconnect budget plus 50ms measurement margin.

Loss of drive power at SoC below 10% without a controlled safe-stop creates H-005 (tip-over) and H-001 (uncontrolled motion) hazards if brakes are not engaged before total power loss. Five-minute emergency power reserve covers safe user evacuation per STK-REQ-002 minimum carer response time. This failure-mode requirement also addresses the rt-sil-escalation finding on SUB-REQ-014: the SIL-3 classification applies to the safety-power maintenance function, not to the 4-hour runtime performance floor.

Processor and sensor power deviation beyond 10% causes undefined behaviour in BCI processing, Perception MCU, and Safety Monitor Processor sub-circuits. Transition to power-fault safe state (drives off, brakes on) prevents uncontrolled motion during supply instability per IEC 60601-1 (Medical electrical equipment — General requirements for basic safety). The 100ms tolerance window matches the minimum hold-up time of DC-DC filter capacitors before output degrades below logic-level thresholds.

Mains fault conditions during charging present fire and electric shock hazards in a care environment. 200ms disconnect is within IEC 62368-1 (Audio/video and IT equipment — Safety requirements) fast overcurrent protection requirements. Ground fault detection at 10mA RMS is required by IEC 60364-4-41 for care environments where users have reduced protective reflexes. This also addresses the rt-sil-escalation finding on SUB-REQ-016: the SIL-relevant function is fault isolation, not the 3-hour charge timing.

Operating the Charge Controller on an out-of-range supply risks uncontrolled charging current that could trigger thermal runaway in the LiFePO4 pack. Maintaining galvanic isolation as the rejection safe state aligns with IEC 62368-1 (Audio/video and IT equipment — Safety requirements) energy hazard reduction requirements. Voltage acceptance windows are plus or minus 10% of nominal per IEC 60038 standard voltages.

Inclinometer operation below 3.0V produces out-of-specification tilt readings, creating false-negative tilt alarms and potential for undetected tip-over. 50ms fault assertion tolerance matches the maximum hold-up time of 3.3V rail decoupling capacitors before output degrades below the sensor minimum operating threshold. The safety impact is equivalent to tilt-sensor failure under SYS-REQ-011 and warrants immediate halt.

Inrush exceeding 16A may trip facility circuit breakers per BS EN 60898-1 (Electrical accessories — Circuit-breakers for overcurrent protection) 16A Type B/C trip curves. Cell temperature exceeding 45 degrees C indicates abnormal electrochemical activity; IEC 62133 (Secondary lithium cells — Safety requirements) specifies 45 degrees C as the maximum permissible cell temperature during charging. Persistent fault state prevents automatic resumption without operator acknowledgement, complying with IEC 60601-1 alarm persistence requirements.

CC-CV charging the 48V 30Ah LiFePO4 pack from 20% to 100% requires approximately 1.4 kWh; at 10A charge current this completes in 3.5 hours under normal conditions. Five hours allows for capacity degradation to approximately 70% of rated before flagging — at which point battery replacement is required to maintain the 4-hour operational duration in SUB-REQ-014. Failure to terminate indicates abnormal internal resistance increase per IEC 62133 (Secondary lithium cells — Safety requirements) and requires maintenance assessment.

IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 3 requires that safety functions be independent of the control path. If the Safety Monitor Processor shared resources with the main processor, a single processor fault could simultaneously disable vehicle control and safety response, violating independence and allowing uncontrolled motion — hazards H-001 and H-006.

The 200ms E-stop response budget allocated in SYS-REQ-002 (derived from H-001 severity and stopping distance analysis at 6 km/h maximum speed) requires relay actuation <20ms to allow margin for brake actuation time. Mechanical relay de-energisation is the single longest latency element; a longer response risks the vehicle travelling an additional 33mm per ms, which at 20ms already represents 33cm of uncontrolled motion.

H-006 (catastrophic severity) requires seizure detection to precede motor response — 150ms detection plus relay actuation leaves within the 200ms SYS-REQ-002 window. False positive limit of 1 per 8-hour session is derived from stakeholder acceptability analysis: more frequent nuisance stops would cause users to abandon the system, defeating its purpose as a mobility aid. Algorithm validated against CHB-MIT epilepsy EEG dataset.

SYS-REQ-011 derives from H-005 (critical severity): vehicle tipping on slopes where user cannot self-extract. 15° threshold is derived from EN 12184 (electrically powered wheelchairs) stability testing requirements — vehicles must not tip under static conditions up to this angle. 200ms debounce prevents nuisance stops from dynamic bumps while still catching sustained tilt indicating a genuine tip-over condition.

Software-mediated E-stop cannot satisfy SIL 3 (IEC 61508) because it introduces a single point of failure in the software execution path. Hardwired series circuit means no combination of software fault, processor reset, or firmware bug can prevent E-stop actuation. 5ms latency is achievable with direct relay contact in series — it is the emergency stop mechanism of last resort required by EN 12184 for powered wheelchairs.

IEC 61508 SIL 3 requires a defined safe state for every safety function. The safe state for this system is motor power removed and brakes engaged. 200ms total budget is derived from stopping distance analysis: at 6 km/h maximum speed, a 200ms response results in 33cm of forward travel before braking begins — within the 2m obstacle detection zone defined in SYS-REQ-006, leaving 1.67m braking distance for the mechanical brake.

Main processor failure (software hang, voltage fault, thermal fault) is not detectable by the main processor itself. Watchdog heartbeat is the only mechanism by which the independent Safety Monitor Processor can detect this class of failure and transition to safe state. 500ms absence timeout: derived from worst-case main processor boot time (allowing 5 missed beats) versus the need to detect a genuine hang within 2 processor cycles.

Lint finding: safety subsystem lacks Physical Object trait but has physical embodiment constraints. IEC 61508 SIL-3 requires independence between safety function and non-safety processing to prevent common-cause failures. The physical separation on an independent PCB with independent power ensures the safety monitor can operate when the main processor fails, which is the primary failure mode requiring emergency braking.

SYS-REQ-005 mandates facility emergency integration but assigns no subsystem-level implementation. The Safety Subsystem owns motor de-energisation; 150 ms is derived from the 200 ms SYS-level bound minus 50 ms signal propagation budget for the worst-case wireless link.

Main Application Processor (hex D2F51008) is System-Essential; loss of the MAP without a safety response leaves the drive subsystem without commands, creating an uncontrolled state. IEC 61508 SIL-2 requires defined response to essential processor failure.

Safety Monitor Processor (hex D5F37858) is Regulated and Institutionally Defined; IEC 61508 (Functional safety of E/E/PE safety-related systems) is the applicable standard for safety-critical embedded processors in this domain. SIL 3 is inherited from the Safety Subsystem parent requirement hazard classification.

Emergency stop is classified System-Essential (hex 408D6AC0); a single-channel E-stop circuit is a single point of failure on a SIL-3 function. Dual NC contacts ensure any wiring fault or contact failure still de-energises the relay, meeting IEC 62061 PLd requirements for safety function SF1.

Main Application Processor is classified System-Essential (hex D2F51008). Without explicit failover specification, a MAP crash could leave the drive system in an undefined state. This requirement ensures the Safety Monitor Processor has unconditional authority on MAP failure, consistent with IEC 61508 SIL-3 defensive design.

Safety Subsystem is classified Regulated (hex D7F73058). The EEG buggy is a medical-adjacent personal mobility device for users who cannot remove themselves from a hazardous situation during a seizure event. SIL-3 certification is required because a Safety Subsystem failure combined with a seizure event (probability of demand: multiple times per year for epileptic users) gives an unacceptable combined risk. Third-party assessment is required by the UK Medical Device Regulations 2002 (as amended) for Class IIa active devices.

Derives from SYS-REQ-011 which requires braking on 15-degree tilt detection. A pre-warning at 12 degrees gives the Safety Monitor Processor 150ms lead time (at typical incline approach speeds of 0.8 km/h) before the 15-degree hard stop, enabling softer brake application and reducing tip-over risk. The 50ms response time from threshold crossing to brake application is necessary to arrest motion before tilt increases to 18 degrees (tip threshold) at maximum buggy speed.

A 150kg gross vehicle weight covers the 99th percentile adult occupant mass plus battery and electronics. The 3g shock load covers a threshold crossing at 6 km/h. ISO 7176-8 is the applicable standard for powered wheelchair structural integrity; failure to meet this would result in frame collapse under foreseeable use conditions.

The processor and power conversion components within the Electronics Bay have a maximum junction temperature of 85 degrees Celsius; maintaining the bay below 70 degrees provides a 15 degree thermal margin. 40W is the worst-case total dissipation of all hosted components at peak load. Passive cooling must work with the vehicle stationary as active cooling adds failure modes.

ISO 7176-15 (Wheelchairs — Requirements and test methods for wheelchairs used in motor vehicles) defines the occupant range for accessibility equipment. 3g deceleration matches the emergency stop force at 6 km/h. Failure to restrain the occupant during E-stop is a direct patient safety hazard.

Derived from SYS-REQ-010 (700mm vehicle footprint and accessibility environments). A 900mm doorway minus 150mm clearance each side leaves 600mm for the vehicle width plus the swept turning radius. Compliance with BS 8300 (Design of an accessible and inclusive built environment) requires navigation through standard accessible doorway widths. 6-degree gradient is the maximum ramp slope in UK building regulations Part M.

Derived from SYS-REQ-010 and expected deployment in care facilities. Hospital environments include wet floor cleaning with mop spray and occasional outdoor transport. IP54 is the minimum medical device enclosure rating for mobile use (IEC 60601-1 clause 11.6.5). The 100-cycle maintenance life ensures IP rating persists through the 5-year expected service life at quarterly inspection intervals.

Derives from SYS-REQ-015 which requires an automated diagnostic suite via USB-C service port. USB-C 3.1 Gen 1 provides 5 Gbps bandwidth and 5A power delivery for bench test equipment. Each diagnostic metric has explicit acceptance criteria to make the test deterministic and repeatable. The 20-minute window accommodates preventive maintenance between shifts without disrupting care schedules.

Lint finding: Chassis Frame is classified as Physical Medium but has no material property requirements. 6061-T6 aluminium provides an acceptable strength-to-weight ratio for medical mobility equipment (yield strength 276 MPa). 150kg load capacity with 2:1 safety margin covers the 95th percentile user weight plus equipment. 95% RH corrosion resistance is required for care facility environments including wet areas and cleaning protocols.

Lint finding: Electronics Bay classified as Physical Medium but has no material property or environmental requirements. IP54 is the minimum for care facility environments where cleaning fluids may be applied nearby. The 0-55°C thermal range matches the operating envelope of COTS embedded processors and power electronics within. 2g vibration at 5-50Hz reflects doorway-crossing and ramp-traversal shock loads in a care facility environment.

Chassis Frame is classified as Regulated and Structural by UHT Substrate. ISO 7176-8 is the applicable standard for powered wheelchair structural requirements, which is the closest normative framework for a BCI-controlled mobility device. Without a structural compliance requirement, there is no design floor for chassis member sizing against user mass plus overturning loads. 1.5× safety factor and 70J impact threshold are drawn from ISO 7176-8 Table 1 for Class B (indoor/light outdoor) powered wheelchairs, consistent with the care facility operating environment defined in STK-REQ-013.

A 3g impact at the ISO 7176-8 (Static, impact, and fatigue strengths for wheelchairs) chassis load limit may cause micro-fractures or fastener loosening not visible externally. Inhibiting motion after a 3g shock event prevents operation with potentially compromised structural integrity. The inclinometer shock detection channel on the ST LSM6DSO used in the Perception Subsystem provides the detection mechanism without additional hardware. This defines the safe state for chassis structural limit exceedance identified by the rt-missing-safe-state finding on SUB-REQ-027.

External interface: the headset is the sole BCI input device. BLE 5.0 provides sufficient bandwidth (~2 Mbps) for 32×24bit×250Hz = 192 kbps with margin. 50ms latency budget is derived from the 200ms E-stop requirement minus processing and actuation time.

256 Hz is the headset sampling rate; all 32 channels required for spatial filtering in artifact rejection. 5ms latency budget is allocated from the 20ms artifact rejection window. 0.1% sample loss is the threshold at which artifact rejection algorithms begin to produce corrupted output windows, as gap-filling interpolation errors compound across the 1-second epoch.

1-second window with 50% overlap is the standard for motor imagery classification: shorter windows sacrifice spectral resolution, longer windows add latency. Float32 format preserves dynamic range without overflow on standard DSP operations. 2 epochs/second output rate is the foundation for the 150ms pipeline latency in SUB-REQ-010.

Feature vector format must include quality index (derived from electrode contact impedance) to allow the classifier to apply quality-weighted inference. 30ms is the allocation within the 150ms pipeline budget after 5ms acquisition and 20ms artifact rejection, leaving 50ms for classification and 45ms for arbitration.

All four probability values required so the Command Arbitration Module can apply multi-class confidence thresholding and detect ambiguous dual-intent activations. Rolling accuracy metric enables SYS-REQ-008 adaptive mode transition without querying the classifier. SNR index enables SYS-REQ-007 signal-loss detection at the arbitration layer without feedback to the acquisition stage.

CAN 2.0B is selected for deterministic latency and EMI robustness in the motor-drive environment (12V bus noise). Status counter enables Drive Subsystem to detect missed arbitration frames and transition to safe stop. 5ms transmission latency is within the 150ms pipeline budget. CAN is consistent with the Drive Subsystem architecture decision (ARC-REQ-001).

External companion app interface for carer situational awareness. BLE 5.0 LE Secure Connections (LESC) with AES-CCM-128 is the correct BLE 5.0 security mechanism (replaces the imprecise 'TLS 1.3 equivalent' phrasing). GDPR Article 9 requires link-layer encryption for EEG and health-status data. The ≥1 Hz status rate and ≤500ms emergency latency are derived from VER-REQ-109 acceptance criteria, which were validated against carer response-time requirements in the Signal Degradation scenario.

External interface: CMMS integration automates compliance evidence for facility management. Wi-Fi provides sufficient bandwidth for periodic telemetry and maintenance logs. TLS 1.3 and authentication prevent unauthorised fleet data access and comply with GDPR for device usage data.

HCI over UART at 1Mbps is the standard interface for Nordic nRF52840 host communication. Hardware flow control prevents buffer overflow at the 8kHz EEG data rate. 2ms maximum latency ensures the BLE connection interval of 7.5ms is not consumed by interface overhead.

The Communication Controller acts as data gateway and must command-and-control the Cellular Modem (APN config, registration, reset). USB CDC-ECM provides a standard IP stack interface avoiding proprietary serial AT tunnelling of IP frames. The 100ms RTT bound enables the 2-second telemetry uplink latency in SUB-REQ-046.

The 50ms end-to-end BCI latency budget (SYS-REQ-001) allocates 20ms to wireless transport. BLE 5.2 at 7.5ms connection interval delivers 8-channel 16-bit EEG data (32 bytes per packet) within this window. Longer connection intervals cause acquisition dropouts; shorter intervals increase power consumption above the headset battery limit.

20kHz PWM frequency is above the audible range to prevent tonal noise in clinical environments (IEC 60601-1 noise limits). 1024 PPR provides 0.77mm/pulse wheel displacement resolution, sufficient for the 0.1km/h velocity accuracy requirement. 10kHz encoder sampling (4× oversampling of 1024 PPR at max 2.5 rev/s) ensures Nyquist compliance. 1ms propagation limit fits within the 10ms velocity control cycle.

Identical to the left motor interface specification — differential drive requires symmetric performance on both channels to achieve straight-line travel. Asymmetric encoder latency would cause directional drift under constant velocity commands. Matched interface specification simplifies integration test and EMC compliance (IEC 60601-1-2).

The pre-charge sequencing prevents inrush current spikes when the Drive Subsystem powers on, protecting the LiFePO4 battery pack and motor MOSFET switches. Overcurrent trip feedback to the MCU in <5ms (matching the hardware trip time) ensures the MCU logs the event and can generate a diagnostic fault code before the watchdog triggers a safe-state. The 48V rail is isolated upstream by the Motor Power Isolation Relay, so the Power Stage–MCU interface is the last active interface before mechanical load.

30 fps is sufficient for smooth status updates in a mobility aid context; higher frame rates are unnecessary and would increase EMI. SPI at 40MHz provides 320Mbps raw bandwidth, adequate for 800x480x16bit at 30fps (236Mbps required).

SYS-REQ-002 requires Emergency Stop actuation within 500ms of trigger detection. The 50ms audio alert onset budget is the human-perceptible notification latency allocated from the total response chain. I2C at 400kHz is sufficient for single-byte command codes; storing tone patterns in the Audio Alert Module firmware decouples HMI response from application processor availability during fault conditions.

LED state must update within one control cycle (100ms) of a mode transition to avoid giving false state information to the care attendant. The 20ms SPI frame latency leaves 80ms for the application processor to detect the mode change and issue the update command. SPI is preferred over PWM for multi-element RGB addressing flexibility.

I2C 400 kHz mode provides adequate bandwidth for 3x 64-byte depth grids at 10Hz (total 19.2 kbps, well within the 400 kHz bus capacity). Individual addressing allows the MCU to identify which sensor has failed. CRC-8 detects single-byte errors from EEG-band EMI as required by SYS-REQ-013.

GPIO is the lowest-latency interface option for a binary proximity alert and has no protocol overhead that could delay the alert beyond the 30ms window. Using dedicated lines per side allows the MCU to distinguish left and right obstacle sources for directional alert reporting.

SPI is chosen over I2C for the safety interface because it provides deterministic transfer timing with no clock stretching ambiguity. A rolling frame counter allows the Safety Monitor Processor to detect missed frames independently of the communication line state, satisfying IEC 61508 SIL 2 independence requirements. The 4-byte frame is the minimum size to encode proximity status, distance, and counter.

External interface: galvanic isolation protects the user from mains faults — the non-ambulatory user cannot self-disconnect. Drive lockout during charging prevents movement with a power cable connected. IEC 60601-1 requires double isolation for patient-connected medical devices.

Dedicated GPIO fault line is required because the SIL-3 safety response to thermal runaway risk must not depend on CAN bus availability (which could be disrupted by the same electrical fault event). 55°C threshold is 5°C below the 60°C cutoff to give the Safety Monitor Processor a warning before hard disconnect, enabling graceful deceleration before power cutoff.

100ms update rate is adequate for SoC display refresh in HMI and charging state estimation. CAN 2.0B matches the vehicle bus standard. Cell-level voltage data required for compliance with IEC 62133 maintenance documentation and BMS diagnostic functions. SoC data drives the 4-hour runtime monitoring in SYS-REQ-004.

External interface: wired USB-C ensures reliable high-bandwidth data transfer for firmware images (dual-bank flash) and diagnostic logs. Authentication key prevents unauthorised firmware modification — critical for IEC 62304 software change control and preventing malicious firmware injection.

External interface: the non-ambulatory user cannot call for help. The facility nurse call system is the fastest path to human assistance. 30m range covers typical hospital ward dimensions. iBeacon protocol ensures compatibility with existing facility BLE infrastructure.

IEC 61508-2 (Functional Safety of E/E/PE Safety-related Systems, Part 2) requires diagnostic test intervals ≤DC-category period for the claimed SIL. A 20ms heartbeat period (50Hz) provides 25 consecutive missed-pulse checks within the 500ms E-stop window specified in VER-REQ-004, improving fault-detection confidence over the previous 100ms period (5 missed pulses). The no-payload constraint preserves SMP independence — shared data channels between control and safety processors are prohibited under IEC 61508-2 clause 7.4.3. Dedicated GPIO eliminates shared-bus arbitration latency.

Dual-channel opto-isolation prevents ground loops between the safety processor and the high-current relay circuit. The 1oo2 energisation architecture means either a stuck-at-low fault in one channel or a single opto-coupler failure causes safe-state relay opening — avoiding a single-point-of-failure that would allow the relay to remain closed on a fault.

SPI is selected over I2C for deterministic transfer latency — I2C clock stretching can violate the 100Hz data rate budget. CRC and consecutive-error E-stop protect against sensor communication faults being silently treated as valid zero-tilt readings, which would mask an actual tip-over condition.

Seizure Detection Module executes as a co-resident software task on the Safety Monitor Processor — inter-task shared memory with mutex is lower latency than inter-processor communication (which would require a serial bus with handshake overhead). 50Hz update rate provides 20ms temporal resolution — adequate since the detection algorithm requires 150ms pattern window, meaning the Safety Monitor Processor will see the flag within one read cycle of it being set.

500N pull-out strength exceeds the 3g shock force applied to the 2kg Electronics Bay mass by a factor of 8, providing adequate margin for ISO 7176-8 compliance. Rubber isolation prevents resonant transmission of kerb-crossing vibration into the processor PCBs which are rated for 2g sinusoidal vibration.

Wheel replacement is a field maintenance task performed by care facility staff without specialist tools (SYS-REQ-015). The 15N force limit is derived from ISO 7176-1 control force limits adapted for maintenance operations — ensuring the task is within capability of care staff regardless of hand strength. The binary interlock prevents wheel detachment due to partial engagement during operation, which would be a safety-critical failure.

Co-location of acquisition and classification on a single processor eliminates a high-bandwidth inter-subsystem link for raw 250Hz 32-channel EEG data. The 50ms end-to-end latency threshold is derived from BCI usability research (mean motor imagery detection lag must be <50ms for natural-feeling control). Separate boards would require ≥10ms DMA transfer overhead, consuming the entire latency margin.

IEC 61508 (Functional safety of E/E/PE safety-related systems) clause 7.4.2 requires that SIL 3 safety functions be implemented on hardware independent from the control path. A separate watchdog processor satisfies this independence requirement. Verifiable by inspection of the hardware architecture and IEC 61508 compliance matrix confirming independent power supply, independent clock, and independent activation path for motor power disconnect.

Failure independence between perception and drive is required under BS EN ISO 13482 (Safety requirements for personal care robots) clause 5.4 (hazardous failure avoidance). If a single processor controlled both functions, a software fault could disable the obstacle detection while the drive motors remain energised. Separation ensures the Safety Subsystem watchdog can still trigger E-stop via hardware timeout even with Perception failed.

BLE emergency alert latency (500ms SYS-REQ-017) and Wi-Fi CMMS telemetry (background, best-effort) have incompatible QoS requirements. Grouping both under Communication Subsystem allows a unified RF compliance boundary for CE marking and a single TLS/GDPR security review scope. Distributing radios across subsystems would require separate EMC test campaigns per subsystem and complicate GDPR data flow documentation.

Dual-authority thermal protection is required because H-003 (battery thermal runaway) is classified as catastrophic under BS EN 62133-2 (Safety requirements for portable sealed secondary lithium cells). A single BMS processor failure must not prevent safe battery disconnect. IEC 61508 SIL 3 allocation for H-003 requires that no single-point failure in the safety function is credible — hence the Safety Subsystem holds independent temperature sensing and direct relay control.

SYS-REQ-003 requires speed limiting at 6km/h (Normal) and 2km/h (Restricted), which must be enforced in the Motor Controller Unit firmware. SYS-REQ-002 requires 250ms safe stop — hardware relay isolation ensures this is achievable independent of MCU state. Differential drive was selected over Ackermann steering because the buggy's narrow indoor operating environment requires a turning radius of <800mm, achievable only with zero-radius turns on differential drive.

A separate IP54 Electronics Bay satisfies IEC 60529 ingress protection and MHRA MDR Annex I Essential Requirements for implant-adjacent electronics. Field serviceability is an operational requirement (Carer Maintenance scenario): technicians must be able to replace individual modules without returning the vehicle to the manufacturer. Integrating electronics into the chassis weldment would require certified welding inspection on every repair — disproportionate to the service risk.