Safety Interlock System decomposed to five SIL-3 components with firing barrier architecture

System

Remote Weapon Station (RWS), decomposition phase. Session 617 completed the scaffold: 17 STK, 17 SYS, and 10 external IFC requirements established. This session opens the subsystem decomposition work on the {{entity:Safety Interlock System}} — the highest-SIL subsystem in the spec tree at {{trait:Regulated}} SIL 3. All eight subsystems remain pending; SIS was selected first due to its SIL 3 classification and the largest number of safety-critical SYS requirements (SYS-REQ-007, SYS-REQ-008, SYS-REQ-009, SYS-REQ-010) pointing into it.

Decomposition

The {{entity:Safety Interlock System}} ({{hex:D2B53859}}) was decomposed into five components representing the complete SIL-3 safety chain from operator input to actuator output:

  • {{entity:Dual-Channel Safety Controller}} ({{hex:D1F57059}}) — 1oo2D redundant processor running the safety state machine. Takes inputs from the arming key, E-stop module, and link watchdog; outputs firing-enable and brake-release commands. PFD ≤ 1×10⁻⁴/hr to meet SIL 3.
  • {{entity:Hardware Firing Interlock Relay}} ({{hex:D6F51019}}) — Normally-open fail-safe relay in series with the firing solenoid, independent of fire control software. Energised only on dual-channel AND: controller fire-enable AND physical key in ARMED position.
  • {{entity:Arming Key Switch Assembly}} ({{hex:C6CD5819}}) — Three-position physical key switch (SAFE / ARMED / MAINTENANCE-LOCKOUT) providing the hardware arm input in the two-action arming sequence. Hardwired 28VDC to controller; not software-mediated.
  • E-stop and Link Watchdog Module ({{hex:D6C55018}}) — Dedicated hardware module monitoring the physical E-stop button and data link heartbeat (<200ms watchdog). Both channels hardwired into the safety controller.
  • Safe State Output Driver ({{hex:D0D51018}}) — Galvanically isolated relay driver (1500V isolation) conditioning controller outputs to drive brake solenoids and firing inhibit coil. Fail-safe: de-energised = brakes on + firing inhibited.

flowchart TB
  n2["Arming Key Switch Assembly"]
  n3["E-stop and Link Watchdog Module"]
  n0["Dual-Channel Safety Controller"]
  n1["Hardware Firing Interlock Relay"]
  n4["Safe State Output Driver"]
  n2 -->|arm-key-status 28VDC hardwired| n0
  n3 -->|safe-state-trigger hardwired| n0
  n0 -->|fire-enable digital| n1
  n0 -->|brake+inhibit command| n4

Architecture decision ARC-REQ-006 records the 1oo2D topology choice: IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 2 clause 7.4.3 mandates HFT=1 for SIL 3 with complex hardware (type B). A single channel cannot achieve SIL 3 with COTS processors; dual-channel 1oo2D achieves >90% diagnostic coverage and the required PFD ceiling.

Requirements

Nine {{trait:Normative}} SUB requirements derived from the four SIL-3/SIL-2 system requirements:

  • {{sub:SUB-REQ-001}} — 1oo2D architecture with PFD ≤ 1×10⁻⁴/hr (derives {{sys:SYS-REQ-007}})
  • {{sub:SUB-REQ-002}} — Two-action arming: key AND software within 2-second coincidence window (derives {{sys:SYS-REQ-007}})
  • {{sub:SUB-REQ-003}} — Hardware Firing Interlock Relay independence from software (derives {{sys:SYS-REQ-008}})
  • {{sub:SUB-REQ-004}} — Relay de-energises within 10ms on fire-enable withdrawal (derives {{sys:SYS-REQ-008}})
  • {{sub:SUB-REQ-005}} — E-stop/Watchdog asserts safe-state trigger within 200ms of heartbeat loss (derives {{sys:SYS-REQ-009}})
  • {{sub:SUB-REQ-006}} — Safe State Output Driver de-energises all actuators within 50ms of E-stop (derives {{sys:SYS-REQ-010}})
  • {{sub:SUB-REQ-007}} — MAINTENANCE-LOCKOUT key position prevents arming regardless of software commands (derives {{sys:SYS-REQ-007}})
  • {{sub:SUB-REQ-008}} — Fault detection triggers safe state within 100ms with operator-reset latch (derives {{sys:SYS-REQ-007}})
  • {{sub:SUB-REQ-009}} — SIS operates on 28VDC (22–32V), max 50W peak, survives MIL-STD-704 transients

Four internal IFC requirements ({{ifc:IFC-REQ-011}} through {{ifc:IFC-REQ-014}}) define: key switch hardwired 28VDC discrete signal with 100Hz continuity monitoring; E-stop/watchdog dual-channel galvanically isolated trigger; controller-to-relay AND-gate with feedback; controller-to-SSOD per-actuator command bus with current monitoring. All four have SYS→IFC derives traces.

Six VER entries created (50% coverage of SUB+IFC): FMEDA analysis for the 1oo2D PFD claim; combinatorial state test for two-action arming; temperature-swept timing test for the watchdog; fault injection test for the safe-state response; interface tests for key switch and relay AND-gate.

Lint identified four high-severity “Powered but no power requirements” findings for SIS components — addressed by {{sub:SUB-REQ-009}}. Three similar findings for FCS, TDA, and EOSA were acknowledged as belonging to their respective future decomposition sessions.

Next

Seven subsystems remain pending in the spec tree. The next highest-SIL pending subsystems are the Fire Control System, Turret Drive Assembly, and Weapon and Ammunition Handling Assembly (all SIL 2). The Fire Control System is architecturally the most complex — it integrates sensor data, ballistic computation, target tracking, and weapon control — and should be decomposed first. The TDA has a known ARC (spring-applied brakes) and is a reasonable second. Session 619 should target FCS.
