RWS Scaffold — 8 Subsystems from 9 Functions with SIL-Driven Safety Architecture
System
{{entity:Remote Weapon Station (RWS)}} scaffold session, transforming the concept-phase data (5 ConOps scenarios, 6 stakeholders, 7 hazards at SIL 2-3, 8 operating modes) into a first-pass requirements baseline and physical decomposition. The concept phase established that the RWS exists to eliminate crew exposure during weapon operation in omnidirectional urban threat environments — this session derives the engineering requirements and subsystem architecture to realise that mission.
Stakeholder Requirements
17 STK requirements derived from ConOps scenarios, covering all 6 stakeholders plus environment-as-stakeholder. Key derivations: {{stk:STK-REQ-001}} captures the fundamental no-exposure engagement need from the Urban Patrol scenario. {{stk:STK-REQ-006}} and {{stk:STK-REQ-007}} address {{entity:Dismounted Infantry}} safety against H-002 (turret crushing) and H-001/H-007 (uncommanded discharge). {{stk:STK-REQ-015}} anchors the regulatory chain to IEC 61508 SIL 3 for the firing chain and DEF STAN 00-56 for the safety case. Environmental stakeholder requirements ({{stk:STK-REQ-016}}, {{stk:STK-REQ-017}}) lock the -46°C to +71°C operating envelope and IP67 turret protection.
System Requirements
17 SYS requirements with quantified acceptance criteria. Performance: 0.7 Phit at 200m from 15 km/h ({{sys:SYS-REQ-001}}), 8s detect-to-fire ({{sys:SYS-REQ-002}}), 60°/s slew ({{sys:SYS-REQ-003}}), 0.5 mrad tracking ({{sys:SYS-REQ-006}}). Safety: SIL 3 hardware firing interlock independent of FCS software ({{sys:SYS-REQ-008}}), 500ms link-loss safing ({{sys:SYS-REQ-009}}), 200ms E-STOP braking ({{sys:SYS-REQ-010}}). All 18 STK→SYS trace links created with rationale.
Functional Analysis
9 system functions classified in {{trait:Intentionally Designed}} UHT namespace. The critical grouping decision: {{entity:Weapon Safing and Interlock Management}} ({{hex:51F57B19}}) is separated from {{entity:Fire Control Computation}} ({{hex:51F77B19}}) despite high trait similarity (both {{trait:Processes Signals/Logic}}, {{trait:State-Transforming}}, {{trait:System-Essential}}) — because IEC 61508 requires demonstrable independence between a safety function and the control functions it protects against; if the interlock were co-hosted with FCS software without that independence, the whole FCS software path would have to be developed to SIL 3 rather than SIL 2.
Decomposition
8 subsystems identified from function grouping:
```mermaid
flowchart TB
n0["system<br>Remote Weapon Station (RWS)"]
n1["subsystem<br>Electro-Optical Sensor Assembly (EOSA)"]
n2["subsystem<br>Fire Control System (FCS)"]
n3["subsystem<br>Turret Drive Assembly (TDA)"]
n4["subsystem<br>Operator Control Unit (OCU)"]
n5["subsystem<br>Safety Interlock System (SIS)"]
n6["subsystem<br>Weapon and Ammo Handling (WAH)"]
n7["subsystem<br>Power Distribution Unit (PDU)"]
n8["subsystem<br>Communications Interface Unit (CIU)"]
n1 -->|Sensor video, target data| n2
n2 -->|Servo commands, pointing| n3
n2 -->|Fire request, arm status| n5
n5 -->|Fire enable/inhibit| n6
n5 -->|Drive enable, brake cmd| n3
n4 -->|Operator commands| n2
n2 -->|Display data, video| n4
n4 -->|E-STOP, arm/safe| n5
n7 -.->|28V/12V/5V power| n1
n7 -.->|12V/5V power| n2
n7 -.->|28V drive power| n3
n8 -->|GPS, BMS target data| n2
n2 -->|Video export, status| n8
```
The {{entity:Safety Interlock System}} ({{hex:D2B53859}}) is the highest-SIL subsystem (SIL 3), owning the hardware firing interlock and E-STOP chain. {{entity:Fire Control System}} ({{hex:55F7725D}}) hosts ballistic computation, auto-tracker, and BIT at SIL 2. Cross-domain search confirmed alignment with factory corpus entries for {{entity:Gun Fire Control System}} ({{hex:51F73B19}}) and {{entity:Fire Control Computer}} ({{hex:51B73219}}).
10 IFC requirements cover all 4 external interfaces plus 4 critical internal interfaces (EOSA→FCS video, FCS→TDA servo, SIS→WAH firing relay, SIS→TDA brake signal). 5 ARC decisions document the key architectural trade-offs, most critically the SIS/FCS separation driven by the IEC 61508 independence requirement between safety and control functions.
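The behaviour the SIS must exhibit on its four critical interfaces, with the SYS-REQ-009 (500 ms link-loss safing) and SYS-REQ-010 (200 ms E-STOP braking) budgets checked against a constructed input trace, as an added behavioural model and acceptance checker. This is not the project's SIS design or code: the 10 ms scan period, 100 ms heartbeat period, 300 ms heartbeat timeout, 40 ms relay actuation delay, latching E-STOP, and edge-triggered fire request are all assumptions chosen to leave margin inside the page's budgets. The point it demonstrates is the independence argument from the functional analysis: the FCS can only request fire, while arm, E-STOP and link liveness come to the SIS directly from the OCU, so the FCS software alone can never close the firing chain.

```python
"""Behavioural model of the RWS Safety Interlock System (SIS) firing chain plus a
trace checker for SYS-REQ-009/010. Added example, not the project's design; the
scan period, heartbeat period/timeout, relay delay and latching policy are assumed."""
from dataclasses import dataclass
from typing import List

LINK_LOSS_SAFING_MS = 500    # SYS-REQ-009: safe within 500 ms of link loss
ESTOP_BRAKE_MS = 200         # SYS-REQ-010: brakes applied within 200 ms of E-STOP
CYCLE_MS = 10                # assumed SIS scan period
HEARTBEAT_PERIOD_MS = 100    # assumed OCU link heartbeat period
HEARTBEAT_TIMEOUT_MS = 300   # assumed; must stay well under the 500 ms budget
RELAY_DROP_MS = 40           # assumed worst-case firing-relay / brake actuation delay


@dataclass(frozen=True)
class Sample:
    """One SIS scan. arm/estop are OCU hardware switch states (OCU->SIS edge);
    fcs_fire_request is the only signal the SIL 2 FCS software can assert."""
    t_ms: int
    arm: bool
    estop: bool
    fcs_fire_request: bool
    heartbeat: bool          # OCU link heartbeat received this scan


@dataclass(frozen=True)
class Outputs:
    fire_enable: bool        # SIS -> WAH firing relay
    drive_enable: bool       # SIS -> TDA drive enable
    brake: bool              # SIS -> TDA brake command


class SafetyInterlock:
    """fire_enable = hardware arm AND live link AND a fresh FCS request; E-STOP latches."""
    def __init__(self) -> None:
        self.last_hb_ms = None
        self.estop_latched = False
        self.prev_request = False
        self.request_valid = False

    def scan(self, s: Sample) -> Outputs:
        if s.heartbeat:
            self.last_hb_ms = s.t_ms
        link_ok = self.last_hb_ms is not None and s.t_ms - self.last_hb_ms <= HEARTBEAT_TIMEOUT_MS
        rising = s.fcs_fire_request and not self.prev_request
        self.prev_request = s.fcs_fire_request
        if s.estop:
            self.estop_latched = True   # cleared only by an explicit reset (not modelled)
        if self.estop_latched or not link_ok:
            self.request_valid = False  # a request held across an inhibit is stale: must be re-asserted
            return Outputs(fire_enable=False, drive_enable=False, brake=True)
        if rising:
            self.request_valid = True
        if not s.fcs_fire_request:
            self.request_valid = False
        return Outputs(fire_enable=s.arm and self.request_valid, drive_enable=True, brake=False)


def run(samples: List[Sample]) -> List[Outputs]:
    sis = SafetyInterlock()
    return [sis.scan(s) for s in samples]


def check_requirements(samples: List[Sample], trace: List[Outputs]) -> dict:
    """Measure worst-case safing/brake latency (scan time + relay delay) and check the
    fire-enable invariant from the raw inputs rather than from SIS internal state."""
    last_hb, loss_at, loss_measured = None, None, True
    worst_safing, estop_at, estop_latency, invariant_ok = 0, None, None, True
    for s, o in zip(samples, trace):
        if s.heartbeat:
            last_hb, loss_at, loss_measured = s.t_ms, None, True
        elif last_hb is not None and loss_at is None and s.t_ms - last_hb > HEARTBEAT_PERIOD_MS:
            loss_at, loss_measured = last_hb, False   # link loss dated from the last good heartbeat
        if loss_at is not None and not loss_measured and not o.fire_enable and not o.drive_enable:
            worst_safing = max(worst_safing, s.t_ms + RELAY_DROP_MS - loss_at)
            loss_measured = True
        if s.estop and estop_at is None:
            estop_at = s.t_ms
        if estop_at is not None and estop_latency is None and o.brake:
            estop_latency = s.t_ms + RELAY_DROP_MS - estop_at
        link_ok = last_hb is not None and s.t_ms - last_hb <= HEARTBEAT_TIMEOUT_MS
        if o.fire_enable and not (s.arm and s.fcs_fire_request and link_ok and not s.estop):
            invariant_ok = False
    return {
        "link_loss_safing_ms": worst_safing,
        "link_loss_ok": worst_safing <= LINK_LOSS_SAFING_MS,
        "estop_brake_ms": estop_latency,
        "estop_ok": estop_latency is not None and estop_latency <= ESTOP_BRAKE_MS,
        "invariant_ok": invariant_ok,
        "fire_enabled_scans": sum(o.fire_enable for o in trace),
    }


def constructed_scenario() -> List[Sample]:
    """Constructed trace: arm at 200 ms, FCS requests fire from 300 ms, heartbeat stops
    after 500 ms and returns at 1200 ms with the FCS still holding its request, request
    dropped at 1400 ms and re-asserted at 1500 ms, E-STOP pressed at 2000 ms."""
    return [Sample(t, arm=t >= 200, estop=t >= 2000,
                   fcs_fire_request=t >= 300 and not 1400 <= t < 1500,
                   heartbeat=t % HEARTBEAT_PERIOD_MS == 0 and not 500 < t < 1200)
            for t in range(0, 2500, CYCLE_MS)]


def fcs_alone_scenario() -> List[Sample]:
    """FCS requests fire with the OCU arm switch never set: the SIS must never enable."""
    return [Sample(t, arm=False, estop=False, fcs_fire_request=True,
                   heartbeat=t % HEARTBEAT_PERIOD_MS == 0)
            for t in range(0, 1000, CYCLE_MS)]


if __name__ == "__main__":
    samples = constructed_scenario()
    print(check_requirements(samples, run(samples)))
    print("FCS-only fire-enabled scans:", sum(o.fire_enable for o in run(fcs_alone_scenario())))
```

On the constructed trace the checker reports 350 ms link-loss safing (300 ms timeout + one 10 ms scan + 40 ms relay drop) and 40 ms E-STOP braking, both inside budget, and the stale request held by the FCS across the link outage does not re-enable fire when the link returns; only the re-asserted request at 1500 ms does. The timeout choice is the design decision worth recording in the ARC set: the heartbeat timeout plus scan jitter plus relay actuation is what must fit under 500 ms, not the timeout alone.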
Scaffold baseline created: 49 requirements (17 STK, 17 SYS, 10 IFC, 5 ARC), 24 trace links, 2 diagrams, 8 subsystem spec tree entries.
Next
First decomposition session should target the {{entity:Safety Interlock System}} — it is the highest-SIL subsystem (SIL 3), owns the most safety-critical interfaces (firing interlock relay, E-STOP chain, brake release), and its architecture directly constrains the FCS and TDA designs. After SIS, decompose the {{entity:Fire Control System}} as the central data processing hub that interfaces with every other subsystem.