Red Team Exposes Missing Hazard Register and Ethics Gap in RWS Specification
System
{{entity:Remote Weapon Station (RWS)}} ({{hex:DEF53059}}), red team adversarial review of completed system decomposition. Entry statistics: 272 requirements across 6 documents, 275 trace links, 10 diagrams, 15 classified entities. 8 subsystems decomposed. The project reached validated state at session 635 and has undergone QC and validation passes. This red team session applies 8 adversarial checks to break confidence in the specification before it can be considered production-grade.
Adversarial Findings
Failure Modes (moderate): 101/272 requirements address fault/failure scenarios — strong coverage overall. However, the lint analysis reveals 9/15 components classified as {{trait:System-Essential}} have zero redundancy or failover requirements. {{entity:fire control computer}} ({{hex:51B73219}}), {{entity:optical sensor assembly}} ({{hex:D6C51018}}), {{entity:ballistic computation module}} ({{hex:41F73B19}}), {{entity:target tracking processor}} ({{hex:D1F77219}}), {{entity:weapon control interface}} ({{hex:50F57A19}}), {{entity:Tactical Data Link Processor}} ({{hex:50F57258}}), and {{entity:power distribution unit}} ({{hex:D6C51018}}) all lack redundancy requirements despite being system-essential.
Safety Integrity (critical): Hazards H-001 through H-006 are referenced in 30 requirement rationale fields but no formal hazard register exists — no severity classifications, frequency estimates, SIL allocations, or safe state definitions are documented as requirements or facts. 119 requirements carry SIL tags (76 SIL-2, 44 SIL-3), but these allocations have no traceable derivation from a documented hazard analysis. {{sub:SUB-REQ-079}} is tagged SIL-3 for positive target identification, but no parent SYS-level requirement at SIL-3 addresses target identification — the SIL appears to have escalated during decomposition.
Ethical/RoE Gap (critical): 10/15 entities are classified {{trait:Ethically Significant}}, yet only {{sub:SUB-REQ-079}} addresses rules of engagement. No system-level requirements address proportionality, civilian protection, human-in-the-loop mandates, or IHL (International Humanitarian Law) compliance. For a remotely operated weapon system, this is a fundamental specification gap.
Testability (low): Quality analysis scores 86–100 across 30 sampled requirements. EARS pattern compliance is good. 6/275 trace links lack rationale — 2.2% brittleness rate is acceptable.
Interface Plausibility (low-moderate): 5/29 IFC requirements lack protocol/rate/latency keywords. {{ifc:IFC-REQ-009}} (safety relay interface) omits response timing. {{ifc:IFC-REQ-001}} (turret ring) specifies loads but no vibration/shock qualification.
Implausible Values (moderate): {{sub:SUB-REQ-032}} (100ms display latency), {{sub:SUB-REQ-033}} (100Hz/10ms hand controller), and {{sub:SUB-REQ-041}} (10Hz power monitoring) use round numbers without derivation rationale. The 100ms watchdog timeout in both {{sub:SUB-REQ-020}} and {{sub:SUB-REQ-052}} is a near-duplicate.
Coverage Gaps (moderate): 23 STK/SYS concepts do not flow down to SUB level. Key gaps include the 1500m engagement range from {{stk:STK-REQ-002}}, vehicle commander role, weapon-target alignment during motion, and MIL-STD-810H Method 514 vibration qualification.
```mermaid
flowchart TB
n0["system<br>Remote Weapon Station (RWS)"]
n1["subsystem<br>Electro-Optical Sensor Assembly (EOSA)"]
n2["subsystem<br>Fire Control System (FCS)"]
n3["subsystem<br>Turret Drive Assembly (TDA)"]
n4["subsystem<br>Operator Control Unit (OCU)"]
n5["subsystem<br>Safety Interlock System (SIS)"]
n6["subsystem<br>Weapon and Ammo Handling (WAH)"]
n7["subsystem<br>Power Distribution Unit (PDU)"]
n8["subsystem<br>Communications Interface Unit (CIU)"]
n1 -->|Sensor video, target data| n2
n2 -->|Servo commands, pointing| n3
n2 -->|Fire request, arm status| n5
n5 -->|Fire enable/inhibit| n6
n5 -->|Drive enable, brake cmd| n3
n4 -->|Operator commands| n2
n2 -->|Display data, video| n4
n4 -->|E-STOP, arm/safe| n5
n7 -.->|28V/12V/5V power| n1
n7 -.->|12V/5V power| n2
n7 -.->|28V drive power| n3
n8 -->|GPS, BMS target data| n2
n2 -->|Video export, status| n8
```
Flagged Requirements
| Ref | Tag | Issue |
|---|---|---|
| {{sub:SUB-REQ-020}} | rt-near-duplicate | FCC watchdog 100ms — near-identical to SUB-REQ-052 |
| {{sub:SUB-REQ-052}} | rt-near-duplicate | FCC watchdog 100ms — near-identical to SUB-REQ-020 |
| {{ifc:IFC-REQ-009}} | rt-vague-interface | Safety relay interface omits response timing |
| {{ifc:IFC-REQ-001}} | rt-vague-interface | Turret ring mounting omits vibration/shock qualification |
| {{sub:SUB-REQ-032}} | rt-implausible-value | 100ms display latency — round number, no derivation |
| {{sub:SUB-REQ-033}} | rt-implausible-value | 100Hz/10ms hand controller — round numbers |
| {{sub:SUB-REQ-041}} | rt-implausible-value | 10Hz power monitoring — suspiciously low rate |
| {{sub:SUB-REQ-079}} | rt-sil-escalation | SIL-3 for target ID with no SIL-3 SYS parent |
Domain Analogs Checked
| Analog | Similarity | Gaps Surfaced |
|---|---|---|
| {{entity:Main Battle Tank Turret}} | 96.9% (31/32 traits) | MBT turrets require fire suppression systems — RWS spec has none |
| {{entity:Weapon Safety Interlock Manager}} (naval CMS) | 85.8% | Naval analog has multi-level authorization chain (OOW, CO) — RWS has only operator + arm key |
| {{entity:Samson Remote Controlled Weapon Station}} | 81.8% | Production RWS analog — validates architecture but no EMC/EMI requirements in this spec |
| Nuclear reactor | 93.8% (30/32 traits) | Safety-critical analog emphasises defence-in-depth layers and formal hazard register — both absent here |
| {{entity:Automated Fire Detection and Suppression System}} | 90.6% | Fire suppression is standard in enclosed weapon stations — absent from RWS spec |
Recommendations
- Create a formal hazard register as a dedicated document or Substrate fact set. H-001 through H-006 must have severity, frequency, SIL allocation, and defined safe states. All SIL tags on requirements should trace to this register.
- Add system-level ethical/RoE requirements. IHL compliance, proportionality constraints, and human-in-the-loop mandates must flow from STK through SYS before they can be meaningfully verified. A weapon system without explicit ethics requirements at the system level is not certifiable.
- Add redundancy/failover requirements for the 7 System-Essential components currently lacking them. At minimum: fire control computer, target tracking processor, and ballistic computation module.
- Resolve the SUB-REQ-020/052 near-duplicate — consolidate into a single requirement during next QC pass.
- Close the 23 coverage gaps identified by lint — especially the 1500m engagement range and MIL-STD-810H vibration qualification.
- Add fire suppression requirements — cross-domain analogs (MBT turret, nuclear reactor) consistently include fire detection and suppression for enclosed powered systems.
- Derive round-number values or replace with analytically justified thresholds.
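The SIL traceability checks behind the Safety Integrity finding and the first recommendation, as an added example (not the project's lint tool): it flags a SIL that escalates across a trace link, a SIL tag whose cited hazards have no register entry, and a SIL tagged above what the register allocates. SYS-REQ-EX1 and the register contents are constructed; only the SUB/IFC ids and hazard names come from the review.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Req:
    rid: str
    level: str                   # STK / SYS / SUB / IFC
    sil: Optional[int] = None    # None = requirement carries no SIL tag
    hazards: tuple = ()          # hazard ids cited in the rationale field
    parents: tuple = ()          # upward trace links

def sil_escalations(reqs):
    """Requirements whose SIL exceeds every parent's SIL (rt-sil-escalation)."""
    by_id = {r.rid: r for r in reqs}
    found = []
    for r in reqs:
        parent_sils = [by_id[p].sil or 0 for p in r.parents if p in by_id]
        if r.sil is not None and parent_sils and r.sil > max(parent_sils):
            found.append((r.rid, r.sil, max(parent_sils)))
    return found

def underived_sil(reqs, register):
    """SIL-tagged requirements whose cited hazards have no register entry with
    an allocated SIL, i.e. the tag has no traceable derivation."""
    return [r.rid for r in reqs if r.sil is not None and not any(
        register.get(h, {}).get("sil") is not None for h in r.hazards)]

def sil_above_register(reqs, register):
    """Requirements tagged above the SIL the register allocates to their hazards."""
    found = []
    for r in reqs:
        allocated = [register[h]["sil"] for h in r.hazards
                     if register.get(h, {}).get("sil") is not None]
        if r.sil is not None and allocated and r.sil > max(allocated):
            found.append((r.rid, r.sil, max(allocated)))
    return found

# Constructed sample data: SYS-REQ-EX1 and the register rows are illustrative,
# not from the RWS spec; H-005 is deliberately absent from the register.
REQS = (
    Req("SYS-REQ-EX1", "SYS", sil=2, hazards=("H-002",)),
    Req("SUB-REQ-079", "SUB", sil=3, hazards=("H-002",), parents=("SYS-REQ-EX1",)),
    Req("SUB-REQ-020", "SUB", sil=2, hazards=("H-005",), parents=("SYS-REQ-EX1",)),
    Req("IFC-REQ-009", "IFC", parents=("SYS-REQ-EX1",)),
)
HAZARD_REGISTER = {"H-002": {"severity": "catastrophic", "sil": 2}}

if __name__ == "__main__":
    print("escalations:", sil_escalations(REQS))
    print("underived:", underived_sil(REQS, HAZARD_REGISTER))
    print("above register:", sil_above_register(REQS, HAZARD_REGISTER))
```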
Verdict
Informational. 8 requirements rt-tagged across 4 categories. 6 structural findings stored in Substrate. 2 critical gaps (missing hazard register, missing ethics/RoE requirements) and 4 moderate gaps (redundancy, coverage, implausible values, near-duplicate). The specification demonstrates strong safety architecture at the component level but lacks the foundational hazard analysis and ethical framework that a weapon system requires for certification.