RWS QC: Closing Safety and Ethical Gaps in Fire Control Decomposition

System

{{entity:Remote Weapon Station (RWS)}} — project se-remote-weapon-station-rws, QC pass following completion of all 8 subsystem decompositions. Entry state: 244 requirements, 235 trace links, 62 lint findings (1 HIGH, 61 medium), 0 orphans. Exit state: 260 requirements, 250 trace links, 57 findings (0 HIGH, 57 medium).

Findings

HIGH finding resolved. The {{entity:Tactical Data Link Processor}} ({{hex:50F57258}}) carried the {{trait:Powered}} trait but no power envelope requirements existed, preventing the {{entity:power distribution unit}} from allocating circuit protection or thermal management. Lint flagged this as ontologically incoherent — a powered component with no power budget.

System-Essential redundancy gaps (findings 13–21). Eight components classified {{trait:System-Essential}} lacked failover or fault tolerance requirements. The most critical: {{entity:fire control computer}} ({{hex:51B73219}}), {{entity:weapon control interface}} ({{hex:50F57A19}}), {{entity:target tracking processor}} ({{hex:D1F77219}}), {{entity:ballistic computation module}} ({{hex:41F73B19}}), {{entity:optical sensor assembly}} ({{hex:D6C51018}}), and {{entity:power distribution unit}}. A System-Essential component with no failure response requirement leaves a silent single-point failure mode in the safety case.

Ethical coverage gap (findings 35–41). The RWS carries the {{trait:Ethically Significant}} trait across system and subsystem classifications, but no requirements formalised positive target identification or rules-of-engagement gating before fire-ready state. This was the most significant engineering gap: the system was fully functional in its decomposition but had no traceable requirement enforcing the human-in-the-loop control that international humanitarian law demands.

Coverage gaps (findings 43–62). {{stk:STK-REQ-012}} (degraded mode) specified no measurable performance floor. {{sys:SYS-REQ-013}} (MIL-STD-6016 data link) and {{sys:SYS-REQ-015}} (automated boresight) had no decomposition into subsystem requirements.

Bulk ontological mismatch findings (findings 2–10, 26–34). Physical Medium material-property findings on electronic assemblies and Regulated compliance findings on weapons-grade components were reviewed and acknowledged: material property requirements belong in procurement specifications, and system-level compliance is captured by {{sys:SYS-REQ-017}} (MIL-STD-461G RE102/RS103).

Corrections

SUB-REQ-072 — TDLP power envelope: 28V DC bus, 18–32V operating range, 45W peak (derived from JTIDS/MIDS Class 2H terminal specification at maximum duty cycle), 8W quiescent. Traced from {{sys:SYS-REQ-013}}.

SUB-REQ-073 — FCC fault safe-state: When internal processing fault detected, weapon firing inhibited within 100ms, fault annunciated, system transitions to safe state. Traced from {{sys:SYS-REQ-010}}.

SUB-REQ-074 — WCI dual-confirmation hardware logic: Hardware-enforced AND gate requiring simultaneous fire command AND safety controller channel-agree to energise firing relay; either input independently de-energises relay within 5ms. Traced from {{sys:SYS-REQ-007}}.

SUB-REQ-075 — TTP track-loss failover: Track loss beyond 500ms triggers automatic target deselection, firing inhibit, and operator re-designation requirement. Traced from {{sys:SYS-REQ-009}}.

SUB-REQ-076 — BCM data authentication: Firing table and meteorological data accepted only from cryptographically signed sources; unsigned data rejected and logged.

SUB-REQ-077 — PDU branch isolation: Independent fused circuit branches for safety-critical loads; single branch overcurrent fault cannot interrupt other safety-critical loads. SIL-3 hardware fault tolerance.

SUB-REQ-078 — EOSA channel failover: Thermal-channel fallback within 2 seconds of EO failure with operator alert. Traced from {{sys:SYS-REQ-011}}.

SUB-REQ-079 — Positive target ID / ROE: Fire-ready state requires explicit operator IFF acknowledgement; timestamp and operator ID logged. Traced from {{sys:SYS-REQ-007}}.

SUB-REQ-080 — TDLP MIL-STD-6016E compliance: Standard version and minimum J-series message set (J2.2, J3.0, J7.0) specified. Traced from {{sys:SYS-REQ-013}}.

SUB-REQ-081 — Automated boresight verification: Pass/fail within 60s, 0.3 mrad threshold, triggered at power-on and after barrel replacement. Traced from {{sys:SYS-REQ-015}}.

SUB-REQ-082 — Degraded mode measurable floor: 800m minimum engagement range, 3-second operator alert on sensor failure. Traced from {{sys:SYS-REQ-011}}.

Verification entries VER-REQ-098 through VER-REQ-101 created for {{sub:SUB-REQ-073}}, {{sub:SUB-REQ-074}}, {{sub:SUB-REQ-079}}, and {{sub:SUB-REQ-081}} with boundary-value test criteria.
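To make the trait-coverage lint behind these findings concrete, here is an added Python sketch (not the project's lint tool) of the check: a {{trait:Powered}} component with no power-envelope requirement is a HIGH finding, a {{trait:System-Essential}} component with no failover requirement is medium, and a requirement with no trace link is an orphan. The component and requirement ids come from this entry; the trait-to-requirement-kind mapping and the data model are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    hex_id: str
    traits: set
    reqs: set = field(default_factory=set)  # requirement ids attached to this component

@dataclass
class Requirement:
    rid: str
    kind: str              # what the requirement supplies, e.g. "power-envelope"
    traced_from: str = ""  # parent requirement id; empty means orphan

# Assumed mapping: each lint-relevant trait demands one attached requirement kind.
TRAIT_RULES = {
    "Powered": ("power-envelope", "HIGH"),        # no budget => PDU cannot size protection
    "System-Essential": ("failover", "medium"),   # otherwise a silent single-point failure
    "Ethically Significant": ("human-in-loop", "medium"),
}

def lint(components, reqs):
    """Return (severity, id, message) for uncovered traits and orphan requirements."""
    findings = []
    for c in components:
        kinds = {reqs[r].kind for r in c.reqs}
        for trait in sorted(c.traits & set(TRAIT_RULES)):
            needed, sev = TRAIT_RULES[trait]
            if needed not in kinds:
                findings.append((sev, c.hex_id, f"{trait} but no {needed} requirement"))
    for r in reqs.values():
        if not r.traced_from:
            findings.append(("medium", r.rid, "orphan: no trace link"))
    return findings

def high_count(findings):
    return sum(1 for sev, _, _ in findings if sev == "HIGH")

# Constructed model: two components from this QC pass at entry state (no subsystem reqs yet).
TDLP = Component("Tactical Data Link Processor", "50F57258", {"Powered"})
FCC = Component("fire control computer", "51B73219", {"System-Essential"})

def entry_state():
    return lint([TDLP, FCC], {})

def exit_state():
    """Attach SUB-REQ-072 and SUB-REQ-073 from the Corrections section and re-lint."""
    reqs = {"SUB-REQ-072": Requirement("SUB-REQ-072", "power-envelope", "SYS-REQ-013"),
            "SUB-REQ-073": Requirement("SUB-REQ-073", "failover", "SYS-REQ-010")}
    comps = [Component(TDLP.name, TDLP.hex_id, TDLP.traits, {"SUB-REQ-072"}),
             Component(FCC.name, FCC.hex_id, FCC.traits, {"SUB-REQ-073"})]
    return lint(comps, reqs)
```

Running `entry_state()` reproduces the HIGH finding on the TDLP and the medium finding on the FCC; `exit_state()` returns no findings once the two corrections are traced in.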

flowchart TB
  n0["system<br>Remote Weapon Station (RWS)"]
  n1["subsystem<br>Electro-Optical Sensor Assembly (EOSA)"]
  n2["subsystem<br>Fire Control System (FCS)"]
  n3["subsystem<br>Turret Drive Assembly (TDA)"]
  n4["subsystem<br>Operator Control Unit (OCU)"]
  n5["subsystem<br>Safety Interlock System (SIS)"]
  n6["subsystem<br>Weapon and Ammo Handling (WAH)"]
  n7["subsystem<br>Power Distribution Unit (PDU)"]
  n8["subsystem<br>Communications Interface Unit (CIU)"]
  n1 -->|Sensor video, target data| n2
  n2 -->|Servo commands, pointing| n3
  n2 -->|Fire request, arm status| n5
  n5 -->|Fire enable/inhibit| n6
  n5 -->|Drive enable, brake cmd| n3
  n4 -->|Operator commands| n2
  n2 -->|Display data, video| n4
  n4 -->|E-STOP, arm/safe| n5
  n7 -.->|28V/12V/5V power| n1
  n7 -.->|12V/5V power| n2
  n7 -.->|28V drive power| n3
  n8 -->|GPS, BMS target data| n2
  n2 -->|Video export, status| n8

Residual

57 medium findings remain. The dominant categories are: (a) {{trait:Physical Medium}} material-property mismatches on assemblies — acknowledged as procurement-spec scope; (b) {{trait:Regulated}} compliance findings — partially addressed by SYS-REQ-017 and SUB-REQ-080; (c) STK→SYS concept propagation gaps for “vehicle commander”, “1500m”, and similar — these reflect conceptual terms in stakeholder language that are captured functionally in SYS requirements (SYS-REQ-001 through SYS-REQ-006) but the lint tool cannot resolve the semantic mapping. These residual findings require human review to determine whether additional requirements are needed or whether the coverage is adequate at a different abstraction level.

The HIGH finding count is now 0.

Next

A second QC pass should address the remaining STK→SYS coverage gaps — specifically whether “vehicle commander” and “tactical commander” stakeholder roles need explicit role-based access control requirements at the FCS or OCU level. A validation pass is appropriate once the remaining medium findings are reviewed.
