System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
  n0["system<br>Autonomous Underwater Vehicle"]
  n1["subsystem<br>Navigation and Guidance"]
  n2["subsystem<br>Propulsion"]
  n3["subsystem<br>Power"]
  n4["subsystem<br>Sensor Payload"]
  n5["subsystem<br>Communications"]
  n6["subsystem<br>Vehicle Management Computer"]
  n7["subsystem<br>Pressure Hull and Structure"]
  n8["subsystem<br>Emergency and Safety"]
```

AUV — Subsystem Decomposition

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-FUNC-001 | The Inertial Navigation Unit SHALL provide attitude measurement with drift rate not exceeding 0.1 degrees per hour and accelerometer bias stability not exceeding 10 µg, sampled at a minimum of 200 Hz across all six degrees of freedom. Rationale: At 3-knot cruise speed over 24 hours, INS alone accumulates approximately 1.3km drift per degree-per-hour of gyro bias. 0.1 deg/hr limits unbounded INS drift to 130m, within the DVL re-acquisition envelope. The 200Hz rate is required for the EKF to maintain attitude stability during vehicle manoeuvring. | Test | subsystem, navigation, session-316, idempotency:sub-nav-ins-performance-316 |
| SUB-FUNC-002 | The Doppler Velocity Log SHALL measure ground-referenced velocity with accuracy of 0.3 percent of speed or better at altitudes from 1m to 200m above seafloor, outputting 3-axis velocity and altitude at a minimum of 5 Hz. Rationale: 0.3% velocity accuracy at 3 knots (1.5 m/s) yields 4.5 mm/s error, bounding INS position drift to approximately 0.4m per 100 seconds between DVL updates. The 200m altitude ceiling matches typical survey altitude profiles for multibeam bathymetry operations. | Test | subsystem, navigation, session-316, idempotency:sub-nav-dvl-accuracy-316 |
| SUB-FUNC-003 | The Navigation Processor SHALL fuse INS, DVL, USBL, depth sensor, and GPS inputs via an extended Kalman filter and output filtered position, velocity, and attitude at a minimum rate of 50 Hz with latency not exceeding 5 ms from sensor input to navigation solution output. Rationale: 50 Hz output rate matches the vehicle management computer control loop. 5ms latency bound ensures navigation solution freshness for real-time obstacle avoidance and trajectory tracking. EKF architecture selected for computational tractability on embedded processors while providing optimal state estimation. | Test | subsystem, navigation, session-316, idempotency:sub-nav-processor-fusion-316 |
| SUB-FUNC-004 | When any navigation sensor input fails or produces measurements outside its validity envelope, the Navigation Processor SHALL detect the fault within 500 ms, exclude the faulty sensor from the filter, and continue producing a valid navigation solution using remaining sensors. Rationale: Sensor failures underwater cannot be manually detected or repaired. The 500ms detection window limits position error accumulation to 0.75m at 3 knots before isolation. The filter must be robust to single-sensor loss to maintain mission continuity for the 24-hour endurance requirement. | Test | subsystem, navigation, session-316, idempotency:sub-nav-fdi-316 |
| SUB-FUNC-005 | The USBL Acoustic Transponder SHALL provide absolute position fixes with accuracy of 0.1 percent of slant range or better when interrogated by a ship-mounted USBL array, at depths up to 6000m and horizontal ranges up to 4000m. Rationale: At maximum operating depth of 6000m with 4000m horizontal offset, slant range is approximately 7200m. 0.1% yields 7.2m position accuracy, sufficient to bound long-term INS drift during mid-water transits where DVL bottom-track is unavailable. | Test | subsystem, navigation, session-316, idempotency:sub-nav-usbl-accuracy-316 |
| SUB-FUNC-006 | The Depth Pressure Sensor SHALL measure hydrostatic depth from 0 to 6500m with accuracy of 0.01 percent full scale and response time not exceeding 50 ms, outputting calibrated depth at a minimum of 10 Hz. Rationale: 0.01% of 6500m yields 0.65m depth accuracy, which constrains the vertical component of the EKF state estimate. The 50ms response time ensures depth data is current during vertical manoeuvres. 10Hz output rate provides adequate vertical channel update for the 50Hz navigation filter. | Test | subsystem, navigation, session-316, idempotency:sub-nav-depth-accuracy-316 |
| SUB-FUNC-007 | The Surface GPS Antenna Module SHALL acquire a valid GPS position fix within 60 seconds of the antenna clearing the water surface and SHALL provide UTC time reference accurate to 100 nanoseconds for navigation data timestamping. Rationale: Surfacing windows are operationally constrained to minimise surface exposure in high-traffic areas. 60-second acquisition time allows GPS recalibration within a typical 5-minute surface interval. 100ns UTC accuracy ensures timestamp coherence across all sensor data for post-mission processing. | Test | subsystem, navigation, session-316, idempotency:sub-nav-gps-ttff-316 |
| SUB-FUNC-008 | When both DVL and USBL aiding sources are unavailable, the Navigation Processor SHALL maintain position estimation using INS-only dead reckoning with position uncertainty growth rate not exceeding 0.5 percent of distance travelled, for a minimum of 30 minutes. Rationale: DVL loss occurs above 200m altitude; USBL loss occurs beyond acoustic range or in acoustic shadow zones. 30 minutes of INS-only operation at 3 knots covers approximately 2.8km, with 0.5% drift yielding 14m uncertainty — sufficient for the vehicle to descend to DVL range or transit to USBL coverage. | Analysis | subsystem, navigation, session-316, idempotency:sub-nav-degraded-316 |
| SUB-FUNC-009 | The Lithium-Ion Battery Pack SHALL provide a minimum usable energy capacity of 10 kWh at beginning of life with no more than 20 percent capacity degradation after 500 full charge-discharge cycles, at a nominal bus voltage of 48V DC. Rationale: 10kWh at 3-knot cruise with 400W hotel load supports the 24-hour mission requirement with 15% energy margin. 500-cycle life provides 3 years of weekly deployment operations. 48V bus minimises conductor mass for the 500W peak power draw. | Test | subsystem, power, session-316, idempotency:sub-pwr-battery-capacity-316 |
| SUB-FUNC-010 | The Battery Management System SHALL detect cell over-voltage exceeding 4.25V, under-voltage below 2.5V, over-temperature exceeding 60 degrees C, and cell imbalance exceeding 100mV within 100 ms, and SHALL activate an independent hardware protection circuit to disconnect the affected cell string. Rationale: NCA cells risk thermal runaway above 60C or when overcharged past 4.25V. 100ms detection window limits energy release during a cell fault to levels manageable by the oil-filled enclosure thermal mass. Hardware protection circuit is independent of software BMS to provide defense-in-depth. | Test | subsystem, power, session-316, idempotency:sub-pwr-bms-safety-316 |
| SUB-FUNC-011 | The Battery Management System SHALL estimate state-of-charge with accuracy within 5 percent of actual remaining capacity and SHALL report remaining energy and estimated time-to-depletion to the Vehicle Management Computer at 1 Hz. Rationale: 5% SOC accuracy provides the VMC with reliable data for mission abort decisions. The vehicle must surface with at least 10% energy reserve for recovery operations; a 5% estimation error still leaves a 5% true margin above the minimum. | Test | subsystem, power, session-316, idempotency:sub-pwr-bms-soc-316 |
| SUB-FUNC-012 | The Power Distribution Unit SHALL isolate any faulted load channel within 10 ms of detecting an overcurrent condition exceeding 150 percent of rated channel current, without disrupting power to other channels. Rationale: 10ms isolation prevents fault propagation to the battery bus which would black out the entire vehicle. Solid-state switching enables the speed required — electromechanical relays cannot reliably achieve sub-50ms switching in pressure-compensated oil at low temperatures. | Test | subsystem, power, session-316, idempotency:sub-pwr-pdu-isolation-316 |
| SUB-FUNC-013 | The DC-DC Converter Module SHALL maintain output voltage regulation within 1 percent on all rails under load transients up to 200 percent of rated current for durations up to 100 ms, with combined conversion efficiency not less than 94 percent at 50 percent rated load. Rationale: Thruster start-up transients produce 2x current spikes lasting approximately 50ms. 1% regulation prevents sensor subsystem brownout during these events. 94% efficiency at typical operating point limits thermal dissipation to under 21W, within the oil-bath cooling capacity. | Test | subsystem, power, session-316, idempotency:sub-pwr-dcdc-regulation-316 |
| SUB-FUNC-014 | The Motor Drive Electronics SHALL execute field-oriented control commutation of the Brushless DC Propulsion Motor with switching frequency no less than 20 kHz to keep switching harmonics above the 10 Hz to 1 kHz hydroacoustic survey band. Rationale: SYS-FUNC-009 constrains propulsion noise to 130 dB re 1 uPa at 1m in 10Hz-1kHz. BLDC commutation produces harmonics at the switching frequency and its multiples. Keeping switching above 20kHz ensures these harmonics fall outside the constrained band. FOC specifically minimises torque ripple compared to trapezoidal commutation, reducing broadband mechanical noise transmitted through the shaft to the propeller. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-foc-317 |
| SUB-FUNC-015 | The Motor Drive Electronics SHALL regulate propulsion motor speed to within 1 percent of the commanded RPM under load variations from zero thrust to maximum rated thrust of 150 N. Rationale: Precise speed control is necessary to maintain consistent cruise velocity for survey track accuracy. The Navigation Processor relies on stable propulsion output to predict vehicle trajectory. One percent tolerance ensures that speed perturbations from current or payload drag do not accumulate into unacceptable cross-track error during bathymetric survey lines. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-speed-317 |
| SUB-FUNC-016 | The Brushless DC Propulsion Motor SHALL deliver continuous mechanical output power of at least 250 W at 3-knot cruise speed with electrical-to-mechanical efficiency no less than 88 percent across the operating depth range of 0 to 6000 m. Rationale: SYS-FUNC-001 requires 24-hour mission endurance at 3-knot cruise with 10 kWh battery capacity. At 250W mechanical output and 88 percent efficiency, electrical draw is approximately 284W, consuming 6.8 kWh over 24 hours and leaving margin for payload, hotel loads, and battery ageing. Below 88 percent, the power budget cannot support full mission duration with adequate reserves. | Test | subsystem, propulsion, bldc-motor, session-317, idempotency:sub-bldc-power-317 |
| SUB-FUNC-017 | The Brushless DC Propulsion Motor SHALL not contribute more than 120 dB re 1 uPa at 1 m radiated noise in the 10 Hz to 1 kHz frequency band when operating at continuous cruise power. Rationale: SYS-FUNC-009 sets the total propulsion noise budget at 130 dB re 1 uPa at 1m. The motor shares this budget with the propeller, shaft bearings, and control surface servos. Allocating 120 dB to the motor leaves 10 dB margin for the propeller and other mechanical sources to sum below the 130 dB system limit. Motor noise sources include electromagnetic torque ripple, bearing vibration, and housing resonances transmitted through the structure. | Test | subsystem, propulsion, bldc-motor, session-317, idempotency:sub-bldc-noise-317 |
| SUB-FUNC-018 | The Propeller and Shaft Assembly SHALL produce at least 80 N of thrust at 3-knot cruise speed with cavitation inception speed no less than 4.5 knots at any operating depth from 0 to 6000 m. Rationale: 80 N thrust at 3 knots matches the estimated drag of a 350 kg, 4.5 m torpedo-form AUV at cruise. Cavitation inception above 4.5 knots ensures the propeller operates cavitation-free through the entire cruise and maneuvering envelope. At depth, hydrostatic pressure raises cavitation inception naturally, so the surface condition is the binding constraint. Cavitation would generate broadband noise violating SYS-FUNC-009. | Test | subsystem, propulsion, propeller, session-317, idempotency:sub-prop-thrust-317 |
| SUB-FUNC-019 | The Propeller and Shaft Assembly magnetic coupling SHALL transfer torque of at least 5 Nm continuously and 12 Nm peak without slippage or demagnetisation across the operating temperature range of 1 to 35 degrees Celsius. Rationale: Continuous 5 Nm at cruise RPM delivers the 250W mechanical output required by the motor specification with margin. Peak 12 Nm covers startup transients and current-induced load spikes. The coupling must not slip under any operational condition because slippage would leave the vehicle without propulsion and unable to return. Temperature range covers Arctic to tropical deployment conditions per stakeholder ConOps. | Test | subsystem, propulsion, propeller, session-317, idempotency:sub-prop-coupling-317 |
| SUB-FUNC-020 | The Control Surface Actuator Assembly SHALL deflect each control fin through a range of plus or minus 30 degrees with angular resolution of 0.1 degrees and full-sweep response time no greater than 200 ms. Rationale: 30-degree deflection range provides adequate authority for depth changes, turns, and obstacle avoidance at 3-knot cruise speed. 0.1-degree resolution is needed to maintain cross-track accuracy within 2 m during survey operations where small heading corrections dominate. 200 ms response time ensures the autopilot control loop at 10 Hz can achieve effective closed-loop bandwidth for trajectory tracking. | Test | subsystem, propulsion, control-surfaces, session-317, idempotency:sub-csaa-deflection-317 |
| SUB-FUNC-021 | The Buoyancy Trim System SHALL adjust vehicle displacement by plus or minus 2 kg equivalent at a transfer rate of no less than 50 mL per minute against ambient pressure up to 600 bar. Rationale: Plus or minus 2 kg displacement range covers the buoyancy variation from payload configuration changes, water density stratification from surface to 6000 m depth, and temperature-driven hull compression. The 50 mL per minute transfer rate allows full trim adjustment within 3 minutes, which is acceptable for pre-dive trimming and gradual depth-hold corrections. Operating against 600 bar requires a high-pressure hydraulic pump rated for the full depth envelope. | Test | subsystem, propulsion, buoyancy-trim, session-317, idempotency:sub-bts-displacement-317 |
| SUB-FUNC-022 | When motor winding temperature exceeds 120 degrees Celsius or phase current exceeds 25 A, the Motor Drive Electronics SHALL reduce output power to 50 percent within 100 ms and report the fault condition to the Vehicle Management Computer. Rationale: Over-temperature and over-current are the two primary failure modes for BLDC drives in sealed, oil-filled housings where convective cooling is limited. 120 degrees Celsius is the typical winding insulation limit for Class F insulation common in subsea motors. 25 A at 48V represents 1200W, well above the 800W peak rating, indicating a short-circuit or mechanical stall. Graceful derating to 50 percent preserves some propulsion for return-to-base rather than full shutdown. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-fault-317 |
| SUB-FUNC-023 | The Control Surface Actuator Assembly servo housings SHALL withstand continuous external hydrostatic pressure of 600 bar with a safety factor of 1.5 on yield strength while maintaining fin actuation performance within specification. Rationale: Each fin actuator servo is exposed to full ocean depth pressure. SYS-FUNC-010 requires the vehicle structure to withstand 600 bar with 1.5 safety factor. The same structural criterion applies to actuator housings because a flooded servo would disable the associated control axis, potentially rendering the vehicle uncontrollable. Oil-filled housings eliminate differential pressure but the housing must still contain the oil and protect electronics. | Analysis | subsystem, propulsion, control-surfaces, session-317, idempotency:sub-csaa-pressure-317 |
| SUB-FUNC-024 | The Drop Weight Release Mechanism SHALL jettison the 15 kg tungsten ballast mass within 2 seconds of receiving the release command from the Emergency Surfacing Controller, achieving net positive buoyancy of at least 8 kg at any depth from 0 to 6000 m. Rationale: The 2-second release time derives from the 120-second emergency surfacing window in STK-OPS-002 minus ascent time at terminal velocity. 8 kg positive buoyancy at 350 kg vehicle mass yields approximately 0.7 m/s terminal ascent velocity, reaching surface from 6000m in approximately 140 minutes. The 15 kg ballast provides margin for seawater density variations and any entanglement drag. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-dropweight-release-318 |
| SUB-FUNC-025 | The Drop Weight Release Mechanism SHALL include a nichrome burn-wire backup release that activates independently of the primary solenoid latch, triggered by the Emergency Surfacing Controller via a separate circuit, and SHALL complete ballast release within 15 seconds of burn-wire activation at any temperature between 2 and 30 degrees Celsius. Rationale: The burn-wire provides a diverse redundant release path addressing common-cause failure of the solenoid mechanism (e.g., mechanical seizure from corrosion or pressure deformation). 15-second activation accounts for thermal inertia of the nichrome element at deep-ocean temperatures (2-4 degrees C) where heat dissipation into surrounding seawater slows wire heating. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-dropweight-burnwire-318 |
| SUB-FUNC-026 | When any emergency surfacing trigger is asserted (watchdog timeout, leak detection, battery critical, or VMC abort command), the Emergency Surfacing Controller SHALL initiate the emergency surfacing sequence within 500 ms, including: issuing the drop weight release command, de-energising non-essential load channels via the Power Distribution Unit, and activating the Acoustic Emergency Pinger. Rationale: The 500 ms initiation time ensures the emergency sequence begins well within the first second of fault detection, preserving maximum battery reserve for beacon operation on the surface. The sequence order (drop weight first, then load shed, then pinger) prioritises buoyancy recovery over diagnostics. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-sequence-318 |
| SUB-FUNC-027 | The Emergency Surfacing Controller SHALL operate from a dedicated lithium primary emergency battery providing at least 48 hours of continuous ESC operation, independent of the main Lithium-Ion Battery Pack and main power bus. Rationale: Power independence ensures the ESC can execute emergency surfacing even after complete main battery depletion, which is a credible failure mode during extended missions. 48-hour capacity covers the maximum plausible time from main battery failure through surfacing and surface beacon operation until recovery. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-power-318 |
| SUB-FUNC-028 | The Emergency Surfacing Controller SHALL implement two-of-three majority voting on all safety-critical inputs (watchdog timeout, leak detection, battery critical low) using three independent input channels per signal, and SHALL reject single-channel transient faults of duration less than 100 ms. Rationale: Triple-redundant voting prevents spurious emergency surfacing from single-channel transient faults (EMI, connector intermittency) which would abort an expensive deep-ocean mission unnecessarily. The 100 ms debounce window filters noise without compromising response time for genuine faults, as real failure modes (water ingress, VMC hang) persist well beyond 100 ms. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-voting-318 |
| SUB-FUNC-029 | The Emergency Locator Beacon SHALL activate automatically within 10 seconds of detecting ambient pressure below 1.5 bar and SHALL transmit VHF AIS SART signals on 156.525 MHz detectable by vessels at a minimum range of 10 nautical miles, and illuminate a xenon strobe visible at 3 nautical miles in darkness. Rationale: The 1.5 bar pressure threshold reliably distinguishes surface conditions from submerged operation with margin for wave action. AIS SART on 156.525 MHz is the standard maritime distress frequency monitored by all SOLAS-equipped vessels and shore stations, ensuring maximum detection probability. The 3 NM strobe range matches typical nighttime visual search patterns for small objects. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-beacon-activation-318 |
| SUB-FUNC-030 | The Emergency Locator Beacon SHALL sustain continuous VHF transmission and strobe operation for at least 72 hours from a dedicated lithium primary cell without dependence on any other vehicle power source. Rationale: 72-hour continuous operation aligns with SOLAS LSA Code requirements for EPIRBs and accounts for worst-case recovery scenarios in remote ocean areas where rescue vessel transit may take 48+ hours. Lithium primary chemistry provides stable voltage output across the temperature range and 10-year shelf life for pre-deployment storage. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-beacon-battery-318 |
| SUB-FUNC-031 | The Acoustic Emergency Pinger SHALL transmit at 37.5 kHz with source level of at least 185 dB re 1 uPa at 1 m, pulse duration of 10 ms at 1 pulse per second, and SHALL operate continuously for at least 90 days from a dedicated lithium primary cell rated to 700 bar. Rationale: 37.5 kHz is the standard frequency for underwater acoustic search receivers used by naval and commercial salvage operations (per IHO standards). 185 dB source level ensures detection at ranges exceeding 3 km in typical deep-ocean acoustic conditions. 90-day operation covers the time required to mobilise deep-ocean search and recovery assets, which may take weeks in remote areas. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-pinger-spec-318 |
| SUB-FUNC-032 | The Leak Detection Sensor Array SHALL detect water ingress of 0.5 ml or greater at any hull penetrator location and report the alarm to the Emergency Surfacing Controller within 500 ms of water contact, and SHALL distinguish between condensation (humidity rise above 85 percent RH sustained for more than 60 seconds) and active leak (liquid water contact). Rationale: 0.5 ml detection threshold catches leaks early enough to initiate surfacing before water reaches electronics. The 500 ms response time ensures the ESC receives the alarm within its decision cycle. Distinguishing condensation from active leaks prevents false emergency surfacing: internal hull condensation is common in AUVs operating in thermocline regions and does not warrant mission abort. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-leak-detection-318 |
| SUB-FUNC-033 | The Hardware Watchdog Timer SHALL require a heartbeat pulse from the Vehicle Management Computer at intervals not exceeding 30 seconds, and SHALL assert a hardware interrupt to the Emergency Surfacing Controller within 100 ms of timeout expiry, operating from the emergency power rail independent of the main power bus. Rationale: The 30-second heartbeat interval balances between catching genuine VMC failures promptly and tolerating transient processing delays during computationally intensive mission phases (e.g., sonar data processing). 100 ms assertion time ensures the ESC receives a clean, debounced interrupt. Power independence from the main bus ensures the watchdog functions even during main battery brownout scenarios. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-watchdog-spec-318 |
| SUB-FUNC-034 | When the primary solenoid release of the Drop Weight Release Mechanism fails to confirm ballast release within 5 seconds, the Emergency Surfacing Controller SHALL automatically activate the burn-wire backup release and SHALL log the primary release failure to non-volatile memory for post-mission analysis. Rationale: The 5-second timeout for primary release confirmation provides sufficient margin beyond the 2-second nominal release time to account for mechanical stiction at extreme depth, while remaining short enough that the burn-wire backup activates well within the overall emergency timeline. NVM logging enables post-recovery failure analysis without relying on the VMC which may have already failed. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-fallback-318 |
| SUB-FUNC-035 | The Multibeam Echosounder SHALL acquire bathymetric depth measurements with 256 equidistant beams across a 120-degree swath, achieving lateral resolution of 0.5 m and vertical depth accuracy of 0.1 m at survey altitude of 50 m above the seabed. Rationale: Lateral resolution of 0.5m and 0.1m vertical accuracy are derived from IHO S-44 Order 1a survey standards required by STK-OPS-003. 256 beams at 120-degree swath achieves full bottom coverage at 50m altitude with appropriate beam overlap. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-resolution-319 |
| SUB-FUNC-036 | The Multibeam Echosounder SHALL accept real-time sound velocity profile updates from the CTD Sensor Package and apply ray-tracing corrections to all beam depth calculations within the same ping cycle. Rationale: Without real-time sound velocity correction, refraction errors in thermocline conditions can exceed 1% of water depth. Applying correction within the same ping cycle prevents stale-SV artifacts visible as depth banding in post-processed bathymetry. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-svp-319 |
| SUB-FUNC-037 | The Multibeam Echosounder SHALL operate at a centre frequency of 400 kHz with source level not exceeding 220 dB re 1 uPa at 1 m, and SHALL not contribute more than 130 dB re 1 uPa at 1 m of radiated noise outside its operating band. Rationale: 400 kHz is standard for high-resolution near-bottom bathymetry; 220 dB source level provides adequate signal-to-noise at 100m range. Out-of-band radiated noise limit of 130 dB re 1 uPa aligns with SYS-FUNC-009 environmental noise constraint. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-acoustic-319 |
| SUB-FUNC-038 | The Digital Still Camera SHALL capture 24-megapixel images at a configurable trigger rate of 1 to 10 Hz, with each image geotagged to the navigation solution within 1 ms of shutter activation. Rationale: 24 MP provides 2cm/pixel at 5m altitude which is the minimum for seabed feature identification per STK-OPS-003 optical imagery requirement. 1ms geotag accuracy ensures pixel-level positional alignment for photomosaic stitching. | Test | subsystem, sensor-payload, camera, session-319, idempotency:sub-camera-capture-319 |
| SUB-FUNC-039 | The Digital Still Camera LED array SHALL provide at least 12000 lumens of uniform illumination across the camera field of view with colour temperature of 5500 K plus or minus 500 K to ensure consistent white balance for seabed imagery at altitudes from 2 to 10 m. Rationale: 12000 lumens provides adequate exposure for 24MP capture at 5m altitude in zero-ambient-light deep ocean conditions. 5500K approximates daylight balance, critical for colour-accurate habitat classification from optical imagery. | Test | subsystem, sensor-payload, camera, session-319, idempotency:sub-camera-led-319 |
| SUB-FUNC-040 | The CTD Sensor Package SHALL measure conductivity with accuracy of 0.003 PSU, temperature with accuracy of 0.001 degrees Celsius, and pressure with accuracy of 0.01 percent of full scale, sampling at 24 Hz via pumped flow path. Rationale: Conductivity and temperature accuracies are required to compute sound velocity to 0.05 m/s, which limits MBES depth error contribution from sound velocity uncertainty to less than 0.01% of depth. 24 Hz sample rate resolves thin thermocline layers during vertical profiling. | Test | subsystem, sensor-payload, ctd, session-319, idempotency:sub-ctd-accuracy-319 |
| SUB-FUNC-041 | The Sensor Payload Processor SHALL synchronise all sensor data acquisition timestamps to a PPS-disciplined clock with jitter not exceeding 10 microseconds, and SHALL apply real-time georeferencing using the navigation solution received at 50 Hz from the Navigation Processor. Rationale: 10 microsecond PPS jitter ensures sub-millimetre spatial error at 3 knots cruise speed. 50 Hz navigation updates are the native output rate of the Navigation Processor (SUB-FUNC-003) providing sub-ping-interval position interpolation for MBES beam georeferencing. | Test | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-sync-319 |
| SUB-FUNC-042 | The Sensor Payload Processor SHALL sustain aggregate sensor data write throughput of at least 200 MB/s to the Mass Storage Array during concurrent multibeam, camera, and CTD data acquisition. Rationale: Peak data rate is driven by concurrent MBES water-column data at 150 MB/s plus 24MP camera images at 40 MB/s plus CTD at 0.1 MB/s. 200 MB/s provides 5% headroom for filesystem overhead and metadata. Derived from SYS-FUNC-006 sustained write requirement. | Test | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-throughput-319 |
| SUB-FUNC-043 | The Mass Storage Array SHALL provide at least 4 TB of usable storage capacity with RAID-1 mirroring across two independent NVMe drives, and SHALL detect and report single-drive failure to the Sensor Payload Processor within 100 ms without data loss. Rationale: 4 TB capacity derived from SYS-FUNC-006. RAID-1 ensures no data loss from single-drive failure during a 24-hour mission at 200 MB/s peak write rate. 100 ms failure detection enables the payload processor to log the event and alert VMC before any write buffer overflow. | Test | subsystem, sensor-payload, storage, session-319, idempotency:sub-msa-capacity-319 |
| SUB-FUNC-044 | When any individual sensor fails or becomes unavailable, the Sensor Payload Processor SHALL continue acquiring and storing data from all remaining operational sensors without interruption, and SHALL log the fault with timestamp and sensor identity to the mission log. Rationale: Single sensor failure must not abort the mission or corrupt other sensor data streams. Oceanographic AUV missions are expensive to repeat and partial survey data retains significant value for the operator. | Demonstration | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-degraded-319 |
| SUB-FUNC-045 | The Acoustic Modem SHALL provide half-duplex digital communication at a minimum data rate of 3 kbps at horizontal ranges up to 5 km in typical ocean sound velocity conditions, with bit error rate not exceeding 1e-6. Rationale: 3 kbps at 5 km range enables mission status telemetry and abort commands while the AUV operates within a realistic survey box relative to the support vessel. 1e-6 BER ensures command integrity without excessive retransmission overhead on the low-bandwidth link. | Test | subsystem, communications, acoustic-modem, session-319, idempotency:sub-amodem-range-319 |
| SUB-FUNC-046 | The Iridium SBD Transceiver SHALL transmit a position report containing GPS coordinates, battery state-of-charge, and mission status within 90 seconds of the antenna clearing the sea surface, and SHALL repeat position reports at intervals not exceeding 5 minutes while surfaced. Rationale: 90-second first-report time accounts for GPS cold start (60s per SUB-FUNC-007) plus Iridium network registration (30s typical). 5-minute repeat interval derives from SYS-FUNC-008 requirement and provides adequate tracking granularity for the support vessel. | Test | subsystem, communications, iridium, session-319, idempotency:sub-iridium-report-319 |
| SUB-FUNC-047 | The Wi-Fi Radio Module SHALL sustain data transfer throughput of at least 100 MB/s at ranges up to 200 m line-of-sight from the support vessel, enabling offload of a 4 TB mission dataset within 12 hours. Rationale: 100 MB/s sustained throughput at 200m provides realistic offload capability while the AUV bobs on the surface near the vessel. 12-hour offload window matches typical overnight recovery-to-redeployment cycle for oceanographic survey operations. | Test | subsystem, communications, wifi, session-319, idempotency:sub-wifi-offload-319 |
| SUB-FUNC-048 | The Communications Controller SHALL buffer outbound messages in non-volatile memory with capacity for at least 1000 messages and SHALL deliver buffered messages in priority order when the appropriate link becomes available, without message loss across controller or VMC restarts. Rationale: Non-volatile buffering ensures critical mission events logged during submerged operation are not lost if the VMC restarts or acoustic link is intermittent. 1000-message capacity covers 24 hours of 1-per-minute telemetry plus emergency events. | Test | subsystem, communications, controller, session-319, idempotency:sub-cc-buffer-319 |
| SUB-FUNC-049 | The Communications Controller SHALL encrypt all command and control messages using AES-256-GCM with per-session key exchange, and SHALL reject any command that fails authentication or integrity verification. Rationale: AUV command channel must be encrypted to prevent unauthorised control of the vehicle in open-ocean operations. AES-256-GCM provides authenticated encryption suitable for low-bandwidth acoustic links with minimal overhead. | Test | subsystem, communications, controller, security, session-319, idempotency:sub-cc-crypto-319 |
| SUB-FUNC-050 | The Main Pressure Hull Cylinder SHALL withstand continuous external hydrostatic pressure of 600 bar at 6000 m depth with a minimum safety factor of 1.5 on yield stress, and SHALL be proof-tested to 900 bar before first deployment. Rationale: 600 bar at 6000m is the design operating pressure. Safety factor of 1.5 on yield for Ti-6Al-4V (880 MPa yield) provides margin for manufacturing variation and fatigue. 900 bar proof test (1.5x operating) verifies structural integrity per DNV-GL rules for underwater vehicles. | Test | subsystem, hull, session-319, idempotency:sub-hull-pressure-319 |
| SUB-FUNC-051 | The Pressure Hull and Structure including all endcaps, fairing, penetrators, and internal mounting frame SHALL not exceed 140 kg dry mass, providing at least 210 kg payload mass allocation within the 350 kg total vehicle mass budget. Rationale: 140 kg hull mass allocation is derived from SYS-FUNC-007 total 350 kg vehicle mass. Leaves 210 kg for batteries (80 kg), electronics (30 kg), sensors (40 kg), propulsion (25 kg), and safety systems (15 kg) with 20 kg margin. | Inspection | subsystem, hull, session-319, idempotency:sub-hull-mass-319 |
| SUB-FUNC-052 | The Aft Endcap and Shaft Seal Assembly SHALL maintain pressure-tight integrity at the propeller shaft penetration at all depths to 6000 m, with oil-compensated cavity maintaining at least 0.5 bar overpressure relative to ambient at all depths. Rationale: Oil-compensated shaft seal is the most failure-prone hull element. 0.5 bar overpressure ensures outward oil flow past the seal lips, preventing water ingress even with seal wear. Failure of this seal is a vehicle-loss scenario. | Test | subsystem, hull, session-319, idempotency:sub-hull-shaft-seal-319 |
| SUB-FUNC-053 | Each Hull Penetrator in the Hull Penetrator Array SHALL be individually pressure-tested to 900 bar and SHALL maintain electrical isolation of at least 100 megaohms between conductors and hull body at all depths to 6000 m. Rationale: Individual penetrator proof testing to 1.5x operating pressure catches manufacturing defects before hull integration. 100 megaohm isolation prevents ground loops and ensures safety of high-voltage power penetrators (48V battery bus) in seawater. | Test | subsystem, hull, session-319, idempotency:sub-hull-penetrator-319 |
| SUB-FUNC-054 | The Free-Flood Fairing SHALL provide a vehicle drag coefficient not exceeding 0.15 referenced to frontal area at Reynolds numbers corresponding to 1 to 5 knot forward speed, and SHALL be removable in field conditions using standard hand tools within 30 minutes. Rationale: Cd of 0.15 at fineness ratio 8:1 is achievable with a well-designed torpedo-form fairing and directly affects endurance (SYS-FUNC-001 24-hour mission). 30-minute field removal enables at-sea maintenance access without specialised tooling. | Test | subsystem, hull, session-319, idempotency:sub-hull-fairing-319 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-INTERFACEDEFINITIONS-001 | The interface between the Inertial Navigation Unit and the Navigation Processor SHALL transfer 6-DOF inertial measurement data at 200 Hz over a synchronous serial link with maximum latency of 1 ms and bit error rate not exceeding 1e-9. Rationale: 200Hz IMU data requires deterministic low-latency delivery for real-time EKF updates. 1ms latency budget allocated from the 5ms total sensor-to-output pipeline. 1e-9 BER prevents corrupted IMU samples that could cause filter divergence. | Test | interface, navigation, session-316, idempotency:ifc-ins-navproc-316 |
| IFC-INTERFACEDEFINITIONS-002 | The interface between the Doppler Velocity Log and the Navigation Processor SHALL transmit 3-axis velocity, altitude, and beam validity data at 5 Hz over RS-422 serial at 115200 baud, with each message including a CRC-16 integrity check. Rationale: RS-422 differential signalling provides noise immunity in the electromagnetically noisy hull environment near thrusters. CRC-16 integrity check ensures corrupt velocity data does not enter the EKF, which is sensitive to velocity measurement errors. | Test | interface, navigation, session-316, idempotency:ifc-dvl-navproc-316 |
| IFC-INTERFACEDEFINITIONS-003 | The interface between the USBL Acoustic Transponder and the Navigation Processor SHALL deliver position fix messages containing latitude, longitude, depth, and position uncertainty estimate, with message reception latency not exceeding 200 ms from acoustic reception to navigation processor input. Rationale: 200ms latency budget accounts for acoustic propagation time compensation. Position uncertainty estimate is required for the EKF to correctly weight USBL fixes, which vary in accuracy with range and acoustic conditions. | Test | interface, navigation, session-316, idempotency:ifc-usbl-navproc-316 |
| IFC-INTERFACEDEFINITIONS-004 | The interface between the Navigation Processor and the Vehicle Management Computer SHALL transmit the fused navigation solution at 50 Hz over Ethernet UDP with message format including position, velocity, attitude, position uncertainty, and sensor health status, with end-to-end latency not exceeding 2 ms. Rationale: The VMC control loop runs at 50Hz and requires synchronous navigation updates. Ethernet UDP chosen for bandwidth and to support the full state vector including uncertainty. 2ms latency budget is the allocation from the 5ms total navigation pipeline to the VMC interface. | Test | interface, navigation, session-316, idempotency:ifc-navproc-vmc-316 |
| IFC-INTERFACEDEFINITIONS-005 | The interface between the Depth Pressure Sensor and the Navigation Processor SHALL transmit calibrated depth and water temperature at 10 Hz over RS-485 serial, with each message including sensor status flags and a sequence counter for data loss detection. Rationale: RS-485 selected for multi-drop capability allowing the depth sensor to also feed the emergency subsystem on the same bus. Sequence counter enables the navigation processor to detect missed samples that would degrade vertical channel estimation. | Test | interface, navigation, session-316, idempotency:ifc-depth-navproc-316 |
| IFC-INTERFACEDEFINITIONS-006 | The interface between the Battery Management System and the Vehicle Management Computer SHALL transmit battery status messages at 1 Hz over CAN bus, containing cell voltages, pack temperature, state-of-charge, remaining energy in Wh, estimated time to depletion, and fault flags. Rationale: CAN bus selected for robustness in the electrically noisy power compartment and deterministic message scheduling. 1Hz update rate matches VMC mission planning loop. Remaining energy in Wh is the actionable metric for mission abort decisions. | Test | interface, power, session-316, idempotency:ifc-bms-vmc-316 |
| IFC-INTERFACEDEFINITIONS-007 | The interface between the Vehicle Management Computer and the Power Distribution Unit SHALL support individual channel enable and disable commands with acknowledgement, and the PDU SHALL execute load shed commands within 50 ms of receipt. Rationale: VMC-controlled load shedding enables intelligent mission extension by disabling non-essential subsystems as energy depletes. 50ms execution time ensures load shedding takes effect before energy reaches critical reserve levels during transient overload events. | Test | interface, power, session-316, idempotency:ifc-vmc-pdu-316 |
| IFC-INTERFACEDEFINITIONS-008 | The interface between the Motor Drive Electronics and the Brushless DC Propulsion Motor SHALL carry 3-phase sinusoidal current up to 25 A per phase at switching frequency of 20 kHz minimum via shielded power cables no longer than 500 mm, and return Hall-effect rotor position feedback at 10 kHz sample rate. Rationale: Short cable run minimises EMI radiation and voltage drop. Shielding prevents switching noise from coupling into nearby sensor cables. Hall-effect feedback at 10 kHz provides sufficient rotor position resolution for smooth FOC commutation at the maximum motor speed. The bidirectional nature of this interface (power down, feedback up) requires careful cable routing to prevent crosstalk. | Test | interface, propulsion, session-317, idempotency:ifc-mde-bldc-317 |
| IFC-INTERFACEDEFINITIONS-009 | The interface between the Vehicle Management Computer and the Motor Drive Electronics SHALL use CAN 2.0B at 250 kbps to transmit speed commands at 10 Hz update rate and receive motor status telemetry including RPM, phase current, winding temperature, and fault flags at 10 Hz. Rationale: CAN bus is the standard subsea vehicle control bus, providing differential signalling with noise immunity suitable for operation near high-current motor drives. 250 kbps bandwidth supports the 10 Hz command and telemetry cycle with margin for other CAN nodes. 10 Hz update rate matches the autopilot control loop frequency. Motor telemetry is essential for the VMC to detect fault conditions and implement power management. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-mde-317 |
| IFC-INTERFACEDEFINITIONS-010 | The interface between the Vehicle Management Computer and the Control Surface Actuator Assembly SHALL use CAN 2.0B at 250 kbps to transmit fin deflection angle commands for rudder, elevator, and roll fins at 10 Hz and receive actual fin position feedback and actuator health status at 10 Hz. Rationale: Three-axis control requires coordinated fin commands at the autopilot update rate. CAN bus allows all fin actuators to share a single bus segment with the motor drive. Position feedback closes the servo loop and allows the VMC to detect jammed or failed fins. Health status includes servo current draw and temperature for predictive maintenance and fault isolation. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-csaa-317 |
| IFC-INTERFACEDEFINITIONS-011 | The interface between the Vehicle Management Computer and the Buoyancy Trim System SHALL use CAN 2.0B at 250 kbps to transmit target buoyancy offset commands and receive current oil volume position, pump pressure, pump motor current, and system fault status at 1 Hz update rate. Rationale: Buoyancy trimming is a slow process with time constants of minutes, so 1 Hz update rate is sufficient and conserves CAN bus bandwidth for higher-priority propulsion and steering messages. Pump pressure feedback is critical because operating the hydraulic pump against increasing ambient pressure as the vehicle descends requires monitoring to prevent pump stall. Oil volume position confirms that trim commands are being executed. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-bts-317 |
| IFC-INTERFACEDEFINITIONS-012 | The interface between the Power Distribution Unit and the Motor Drive Electronics SHALL deliver 48 V DC power at up to 20 A continuous via a 2-conductor shielded cable with connector rated to 600 bar immersion pressure and include a solid-state switch enabling remote channel isolation by the PDU within 10 ms. Rationale: 48V at 20A provides 960W capacity, covering the 800W peak motor drive output plus conversion losses. The PDU must be able to isolate the motor drive channel remotely in case of a short circuit or thermal fault detected by the BMS or VMC. 10 ms isolation time matches SUB-FUNC-012 on the PDU side. Pressure-rated connectors are mandatory because the power cable passes through or between pressure-compensated housings at full ocean depth. | Test | interface, propulsion, session-317, idempotency:ifc-pdu-mde-317 |
| IFC-INTERFACEDEFINITIONS-013 | The interface between the Brushless DC Propulsion Motor and the Propeller and Shaft Assembly SHALL transfer torque through a rare-earth magnetic coupling with an air gap no greater than 8 mm across the pressure boundary, maintaining alignment concentricity within 0.05 mm under thermal expansion from 1 to 35 degrees Celsius. Rationale: The magnetic coupling is the critical pressure boundary between the oil-filled motor housing and the seawater-exposed propeller shaft. Air gap directly affects torque transfer capacity: every millimetre of gap reduces coupling strength significantly. 8 mm maximum accounts for the titanium pressure boundary wall thickness plus manufacturing tolerances. Concentricity within 0.05 mm prevents vibration-induced noise and bearing wear that would degrade acoustic performance. | Inspection | interface, propulsion, session-317, idempotency:ifc-bldc-prop-317 |
| IFC-INTERFACEDEFINITIONS-014 | The interface between the Leak Detection Sensor Array and the Emergency Surfacing Controller SHALL use an I2C bus at 100 kHz with dedicated interrupt lines per sensor zone, transmitting sensor status (leak detected, humidity percentage, sensor health) in a 4-byte message frame, with the ESC polling all sensors at 2 Hz and each sensor capable of asserting a hardware interrupt on water contact detection. Rationale: I2C is appropriate for the short cable runs inside the pressure hull (under 50 cm) and the low data rates required. Hardware interrupt lines per zone provide immediate notification without waiting for the polling cycle, critical for rapid leak response. 2 Hz polling provides continuous health monitoring and trend detection for condensation. | Test | interface, emergency-safety, session-318, idempotency:ifc-leak-esc-318 |
| IFC-INTERFACEDEFINITIONS-015 | The interface between the Hardware Watchdog Timer and the Emergency Surfacing Controller SHALL be a single dedicated GPIO line that transitions from high to low on watchdog timeout, with the ESC reading this input through its triple-redundant voting circuit. The GPIO signal SHALL be active-low, open-drain with a 10 kohm pull-up to the emergency power rail. Rationale: A dedicated GPIO line with active-low open-drain topology ensures fail-safe behaviour: if the watchdog timer itself fails or its power is lost, the line floats low (pulled by the pull-up through the voting circuit), triggering the emergency sequence. This is the simplest and most reliable interface for a single binary safety signal. | Test | interface, emergency-safety, session-318, idempotency:ifc-hwt-esc-318 |
| IFC-INTERFACEDEFINITIONS-016 | The interface between the Emergency Surfacing Controller and the Drop Weight Release Mechanism SHALL consist of two independent circuits: a 24 V solenoid drive line capable of sourcing 2 A for the primary release, and a separate burn-wire activation line capable of sourcing 5 A at 12 V for the backup nichrome wire. Both circuits SHALL include a release confirmation feedback signal (ballast-away microswitch) returning to the ESC. Rationale: Two independent release circuits implement the diverse redundancy architecture decision (ARC-ARCHITECTUREDECISIONS-005). The solenoid at 24 V/2 A provides instantaneous electromagnetic release; the burn-wire at 12 V/5 A provides thermal release via a separate mechanism. Confirmation feedback from a microswitch closes the loop so the ESC can detect primary release failure and escalate to burn-wire within 5 seconds. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-dropweight-318 |
| IFC-INTERFACEDEFINITIONS-017 | The interface between the Emergency Surfacing Controller and the Acoustic Emergency Pinger SHALL be a single activation line that enables pinger operation when pulled low by the ESC, with the pinger self-sustaining operation from its internal lithium primary cell once activated. The activation line SHALL be latching such that pinger operation continues even if the ESC subsequently loses power. Rationale: A latching activation ensures the pinger continues transmitting even if the ESC battery is exhausted during a prolonged seabed stranding. Self-sustaining operation from an internal cell provides 90-day autonomy independent of all other vehicle power systems, matching the search and recovery timeline for deep-ocean assets. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-pinger-318 |
| IFC-INTERFACEDEFINITIONS-018 | The interface between the Emergency Surfacing Controller and the Emergency Locator Beacon SHALL be a single activation line that arms the beacon for automatic surface activation. The beacon SHALL independently monitor ambient pressure and self-activate when pressure drops below 1.5 bar, drawing power from its internal 72-hour lithium primary cell. Rationale: Separating the arming function (ESC-controlled) from the activation function (pressure-triggered) ensures the beacon does not activate at depth, conserving its 72-hour battery for surface operations. The beacon's independent pressure sensor provides a final layer of autonomy: even if the ESC fails after arming the beacon, surface activation still occurs automatically. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-beacon-318 |
| IFC-INTERFACEDEFINITIONS-019 | The interface between the Emergency Surfacing Controller and the Vehicle Management Computer SHALL use a dedicated UART at 9600 baud transmitting ESC health status, leak sensor readings, watchdog state, and emergency battery voltage at 1 Hz. The VMC SHALL reset the Hardware Watchdog Timer via a separate dedicated GPIO line independent of the UART link. Rationale: UART at 9600 baud provides a simple, robust telemetry link for the VMC to monitor safety subsystem health during normal operations without introducing software coupling between VMC and ESC. The watchdog reset on a separate GPIO ensures that UART communication failures do not mask a genuine VMC hang — the watchdog GPIO requires active firmware execution to toggle, not just a functioning serial port. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-vmc-318 |
| IFC-INTERFACEDEFINITIONS-020 | The interface between the Battery Management System and the Emergency Surfacing Controller SHALL include a dedicated hardwired active-low signal that asserts when main battery state-of-charge falls below 5 percent or any cell voltage drops below 2.8 V, independent of the CAN bus link between BMS and VMC. Rationale: A hardwired signal independent of the CAN bus ensures the ESC receives battery critical-low notification even if the CAN bus or VMC has failed. The 5 percent SOC threshold provides sufficient remaining energy for load shedding and emergency surfacing sequence execution. The 2.8 V cell voltage threshold protects against lithium-ion cell damage from deep discharge while providing margin above the 2.5 V disconnect threshold in SUB-FUNC-010. | Test | interface, emergency-safety, session-318, idempotency:ifc-bms-esc-318 |
| IFC-INTERFACEDEFINITIONS-021 | The interface between the Multibeam Echosounder and the Sensor Payload Processor SHALL transfer raw bathymetric ping data including per-beam depth, intensity, and optional water-column samples via Ethernet UDP at a sustained rate of at least 150 MB/s with packet loss not exceeding 0.001 percent. Rationale: Ethernet UDP is standard for high-bandwidth sonar data transfer (Kongsberg EM2040, Teledyne Reson T50). 150 MB/s accommodates 256-beam pings with water column at 10 Hz ping rate. 0.001% packet loss ensures bathymetric data continuity for IHO-compliant surveys. | Test | interface, sensor-payload, session-319, idempotency:ifc-mbes-spp-319 |
| IFC-INTERFACEDEFINITIONS-022 | The interface between the Digital Still Camera and the Sensor Payload Processor SHALL transfer uncompressed 24-megapixel images via GigE Vision protocol with hardware trigger synchronisation signal and exposure-complete acknowledgement, at frame rates up to 10 Hz. Rationale: GigE Vision is the industrial standard for machine vision data transfer providing deterministic triggering. Hardware trigger sync ensures the shutter event is timestamped at the PPS-disciplined clock, not at the software receive time, eliminating camera-to-navigation time offset. | Test | interface, sensor-payload, session-319, idempotency:ifc-camera-spp-319 |
| IFC-INTERFACEDEFINITIONS-023 | The interface between the CTD Sensor Package and the Sensor Payload Processor SHALL transfer conductivity, temperature, and pressure measurements at 24 Hz via RS-232 at 115200 baud using the sensor manufacturer ASCII telegram format. Rationale: RS-232 is the standard CTD interface used by Sea-Bird and RBR instruments. 115200 baud provides adequate bandwidth for 24 Hz sample triplets. ASCII telegram format enables field-swappable CTD replacement without firmware changes. | Test | interface, sensor-payload, session-319, idempotency:ifc-ctd-spp-319 |
| IFC-INTERFACEDEFINITIONS-024 | The interface between the CTD Sensor Package and the Multibeam Echosounder SHALL provide real-time sound velocity at the transducer face, updated at least once per second, via RS-232 serial link at 9600 baud using the standard SVP telegram format. Rationale: Direct CTD-to-MBES sound velocity link provides the transducer-face value needed for beamforming with less than 100ms latency. 1 Hz update rate is sufficient because sound velocity at a fixed depth changes slowly. Separate from the CTD-to-processor link to maintain independence of the beamforming correction path. | Test | interface, sensor-payload, session-319, idempotency:ifc-ctd-mbes-319 |
| IFC-INTERFACEDEFINITIONS-025 | The interface between the Sensor Payload Processor and the Mass Storage Array SHALL transfer sensor data via PCIe Gen3 x4 NVMe protocol at sustained sequential write throughput of at least 200 MB/s with write latency not exceeding 500 microseconds at the 99th percentile. Rationale: PCIe NVMe provides the lowest-latency high-bandwidth storage interface, critical for sustaining 200 MB/s concurrent write from multiple sensor streams without buffer overflow. 500 microsecond P99 write latency prevents write stalls that would cause sensor data buffer drops. | Test | interface, sensor-payload, session-319, idempotency:ifc-spp-msa-319 |
| IFC-INTERFACEDEFINITIONS-026 | The interface between the Sensor Payload Processor and the Vehicle Management Computer SHALL use Gigabit Ethernet with a defined message set for mission control commands, sensor health telemetry at 1 Hz, and post-mission data offload at a minimum of 100 MB/s. Rationale: GbE provides adequate bandwidth for both real-time telemetry and bulk data offload. 1 Hz health telemetry enables VMC to detect sensor faults within the mission replanning cycle. 100 MB/s offload rate allows transferring a full 4 TB mission dataset within 12 hours via the communications subsystem. | Test | interface, sensor-payload, session-319, idempotency:ifc-spp-vmc-319 |
| IFC-INTERFACEDEFINITIONS-027 | The interface between the Acoustic Modem and the Communications Controller SHALL transfer variable-length data packets up to 256 bytes via RS-232 at 19200 baud, with CRC-16 error detection on each packet. Rationale: RS-232 at 19200 baud is standard for acoustic modem command interfaces (EvoLogics, LinkQuest). 256-byte max packet matches typical acoustic modem MTU. CRC-16 provides error detection on the serial link distinct from the acoustic channel FEC. | Test | interface, communications, session-319, idempotency:ifc-amodem-cc-319 |
| IFC-INTERFACEDEFINITIONS-028 | The interface between the Iridium SBD Transceiver and the Communications Controller SHALL use 3.3V UART at 19200 baud with AT command protocol, supporting Mobile Originated messages up to 340 bytes and Mobile Terminated messages up to 270 bytes. Rationale: AT command interface over UART is the standard Iridium 9603N transceiver interface. MO/MT message sizes are fixed by the Iridium SBD protocol specification. | Test | interface, communications, session-319, idempotency:ifc-iridium-cc-319 |
| IFC-INTERFACEDEFINITIONS-029 | The interface between the Wi-Fi Radio Module and the Communications Controller SHALL use Gigabit Ethernet with TCP for reliable bulk data transfer and UDP for real-time telemetry forwarding, supporting concurrent operation of both protocols. Rationale: TCP for bulk transfer ensures data integrity during multi-hour offload sessions. UDP for telemetry minimises latency for time-critical status updates. Both protocols must operate concurrently to allow monitoring during data offload. | Test | interface, communications, session-319, idempotency:ifc-wifi-cc-319 |
| IFC-INTERFACEDEFINITIONS-030 | The interface between the Communications Controller and the Vehicle Management Computer SHALL use Gigabit Ethernet with a defined message set including mission commands, telemetry relay, link status at 1 Hz, and data offload routing, with message delivery confirmation for all safety-critical commands. Rationale: GbE matches the VMC internal network standard. 1 Hz link status enables VMC to select appropriate communication strategy. Delivery confirmation for safety-critical commands (abort, surface) ensures the operator knows the command reached the vehicle. | Test | interface, communications, session-319, idempotency:ifc-cc-vmc-319 |
| IFC-INTERFACEDEFINITIONS-031 | The interface between the Surface GPS Antenna Module and the Navigation Processor SHALL deliver NMEA 0183 position and PPS time synchronisation data via RS-232 at 9600 baud within 100 ms of GPS fix acquisition, with the PPS signal providing UTC epoch alignment accurate to 100 nanoseconds for navigation filter time-stamping. Rationale: SUB-FUNC-007 specifies GPS fix acquisition within 60 seconds and 100 ns time accuracy, but no interface requirement existed to define how GPS data reaches the navigation processor. The PPS signal is essential for disciplining the navigation filter clock and for cross-sensor timestamp alignment. RS-232 at 9600 baud is standard for NMEA output on marine GPS receivers. | Test | interface, navigation, gps, validation, session-321 |
| IFC-INTERFACEDEFINITIONS-032 | The interface between the Vehicle Management Computer and the Navigation Processor SHALL transmit mission waypoint updates and guidance mode commands via Ethernet UDP at a minimum rate of 1 Hz, and the Navigation Processor SHALL acknowledge each waypoint acceptance within 50 ms including confirmation of waypoint coordinate validity check. Rationale: The VMC executes the mission plan and must command the navigation processor with waypoint targets and guidance mode transitions. Without this interface, there is no defined mechanism for the VMC to direct the vehicle along its survey path. The acknowledgement loop ensures the navigation processor has validated each waypoint before the VMC advances the mission sequence. | Test | interface, navigation, guidance, validation, session-321 |
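
The command rejection behaviour required by SUB-FUNC-049, sized to the 256-byte acoustic packet of IFC-INTERFACEDEFINITIONS-027, shown as an added Go example that is not part of this SyDD or of the vehicle software. The frame layout, the sequence counter used as GCM nonce and replay guard, the message type codes and the fixed demo key are assumptions; the per-session key exchange is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout assumed for this example (the SyDD does not define one):
// type(1) | counter(8) | ciphertext | GCM tag(16); type and counter are clear but authenticated.
const (
	maxPacket  = 256 // acoustic modem packet limit, IFC-INTERFACEDEFINITIONS-027
	headerLen  = 9
	tagLen     = 16
	maxPayload = maxPacket - headerLen - tagLen // 231 bytes of command data
)
var (
	ErrTooLarge  = errors.New("payload does not fit one acoustic packet")
	ErrMalformed = errors.New("frame length out of range")
	ErrAuth      = errors.New("authentication or integrity check failed")
	ErrReplay    = errors.New("sequence counter already seen")
)

// Session holds one per-session AES-256-GCM key for the command direction.
type Session struct {
	aead  cipher.AEAD
	txSeq uint64 // last counter used by Seal
	rxSeq uint64 // highest counter accepted by Open
}

func NewSession(key []byte) (*Session, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// nonce derives the 96-bit GCM nonce from the counter, so it never repeats under one key.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts one command into a frame of at most maxPacket bytes.
func (s *Session) Seal(msgType byte, payload []byte) ([]byte, error) {
	if len(payload) > maxPayload {
		return nil, ErrTooLarge
	}
	s.txSeq++
	hdr := make([]byte, headerLen)
	hdr[0] = msgType
	binary.BigEndian.PutUint64(hdr[1:], s.txSeq)
	frame := append(make([]byte, 0, maxPacket), hdr...)
	return s.aead.Seal(frame, nonce(s.txSeq), payload, hdr), nil
}

// Open checks the tag and decrypts; every failure rejects the command and leaves rxSeq unchanged.
func (s *Session) Open(frame []byte) (byte, []byte, error) {
	if len(frame) < headerLen+tagLen || len(frame) > maxPacket {
		return 0, nil, ErrMalformed
	}
	hdr := frame[:headerLen]
	seq := binary.BigEndian.Uint64(hdr[1:])
	plain, err := s.aead.Open(nil, nonce(seq), frame[headerLen:], hdr)
	if err != nil {
		return 0, nil, ErrAuth
	}
	if seq <= s.rxSeq { // authentic but old: a replayed command
		return 0, nil, ErrReplay
	}
	s.rxSeq = seq
	return hdr[0], plain, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key
	vessel, _ := NewSession(key)
	vehicle, _ := NewSession(key)
	frame, _ := vessel.Seal(0x01, []byte("ABORT")) // 0x01 is a made-up type code
	_, cmd, err := vehicle.Open(frame)
	fmt.Printf("accepted %q in a %d-byte frame, err=%v\n", cmd, len(frame), err)
	_, _, err = vehicle.Open(frame)
	fmt.Println("replayed frame:", err)
	frame[headerLen] ^= 0x01 // flip one ciphertext bit
	_, _, err = vehicle.Open(frame)
	fmt.Println("tampered frame:", err)
}
```

Both ends count from 1 here, so traffic in the opposite direction needs its own key or a distinct nonce prefix to keep nonces unique under GCM.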

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-ARCHITECTUREDECISIONS-001 | ARC: Navigation and Guidance Subsystem — Multi-sensor fusion with INS-primary architecture chosen over pure acoustic navigation. The FOG-based INS provides continuous high-rate dead-reckoning that is bounded by DVL bottom-track for near-seafloor operations and USBL transponder fixes for mid-water transits. This topology tolerates loss of any single aiding source while maintaining sub-meter accuracy for survey-grade bathymetry registration. Alternative of SLAM-based navigation rejected due to featureless abyssal terrain in target operating environment. Rationale: GPS-denied environment at depth demands autonomous dead-reckoning with periodic recalibration. INS-primary architecture is proven in oceanographic AUVs and provides deterministic worst-case drift bounds needed for survey data georeferencing. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-002 | ARC: Power Subsystem — Pressure-compensated oil-filled battery enclosure chosen over pressure vessel approach. Oil compensation eliminates the mass penalty of a thick-walled pressure housing at 6000m depth while providing thermal coupling for passive cell cooling. NCA cell chemistry selected over LFP for energy density (250 Wh/kg vs 160 Wh/kg), accepting the higher thermal runaway risk mitigated by per-cell monitoring and independent hardware protection. Centralised PDU with solid-state switching preferred over distributed fusing to enable VMC-commanded load shedding for mission extension. Rationale: 6000m depth rating at 350kg dry mass budget demands maximum energy density. Oil compensation is standard practice for deep-rated AUV battery packs and avoids the 40kg pressure housing mass penalty that would reduce payload capacity. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-004 | ARC: Propulsion Subsystem — Magnetic coupling and oil-compensated motor chosen over direct-drive shaft seal. The 6000m depth rating makes rotary shaft seals unreliable at 600 bar; magnetic coupling eliminates the dynamic seal at the cost of 5 percent torque transfer efficiency. Oil-filled motor housing equalises pressure. Separate control surface actuators chosen over vectored thrust for maneuvering. Buoyancy trim system included to decouple depth control from propulsive power for silent depth holds. Rationale: Deep-rated AUV propulsion must solve the shaft seal problem at 600 bar. Magnetic coupling is proven to 6500m. The acoustic noise constraint of 130 dB drives FOC commutation and fixed-pitch propeller choice. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-005 | ARC: Emergency and Safety Subsystem — Independent emergency surfacing controller architecture chosen over VMC-integrated safety functions. The ESC is a separate processor on a dedicated emergency power rail, ensuring that VMC failure, main battery depletion, or software faults cannot prevent emergency surfacing. This separation follows IEC 61508 principles of functional independence between the control system and its safety function. A burn-wire backup release on the drop weight mechanism provides a tertiary path independent of both VMC and ESC. The trade-off is added mass, complexity, and cost of a redundant processor and battery, but this is justified by the 6000m operating depth where recovery of a stranded vehicle is impractical. Rationale: At 6000m depth, vehicle loss from a failed emergency surfacing is catastrophic and unrecoverable. Functional independence between control (VMC) and safety (ESC) is mandated by IEC 61508 SIL 2 principles and is standard practice in deep-rated AUVs. The burn-wire tertiary path addresses common-cause failure of electronic release mechanisms. | Inspection | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-006 | ARC: Sensor Payload Subsystem — Centralised payload processor architecture chosen over distributed per-sensor processing. All three sensor types (MBES, camera, CTD) feed raw data to a single x86 compute module that handles time-stamping against PPS-disciplined clock, real-time georeferencing using the navigation solution, and write scheduling to RAID-1 NVMe storage. Centralised approach was chosen because: (1) a single PPS-synchronised clock source eliminates inter-sensor timestamp drift that plagued distributed architectures in the Hugin 1000 and REMUS 6000 designs; (2) CTD-derived sound velocity must be applied to MBES beamforming with less than 100ms latency, which is trivial on a local bus but problematic across an Ethernet switch with variable buffering; (3) a single NVMe write scheduler can coalesce data streams to maintain the 200 MB/s sustained throughput required by the 24-hour mission without per-sensor write contention. Rationale: Centralised processing eliminates timestamp coherence issues observed in distributed AUV payload architectures and enables real-time sound velocity correction within MBES ping cycle. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-008 | ARC: Communications Subsystem — Three-link architecture (acoustic, satellite, Wi-Fi) with centralised controller chosen over single-link designs. Acoustic modem provides the only submerged communication path for mission status and remote abort. Iridium SBD provides global position reporting independent of vessel proximity. Wi-Fi provides high-bandwidth data offload only when surfaced near the support vessel. The communications controller implements store-and-forward buffering and automatic link selection, avoiding the reliability problems of direct VMC-to-radio interfaces where VMC reboot would lose queued messages. Rationale: Three independent links with distinct range/bandwidth characteristics cover all AUV operational states. Centralised controller with store-and-forward ensures no message loss during VMC restarts or link transitions. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-009 | ARC: Pressure Hull and Structure — Single-cylinder titanium hull with O-ring sealed endcaps chosen over multi-section aluminium design. Ti-6Al-4V provides superior strength-to-weight ratio at 6000m depth rating (600 bar) with thinner walls (12mm vs 18mm aluminium), leaving more internal volume for payload. Single cylinder avoids inter-section seal failure modes present in modular designs. Forward endcap integrates optical viewport and sensor penetrators; aft endcap houses the pressure-compensated shaft seal with oil reservoir. Rationale: Titanium single-cylinder design maximises payload volume fraction at 6000m depth while eliminating inter-section seal joints that are the primary leak source in modular hull designs. | Analysis | architecture, informational, session-320 |
flowchart TB
    n0["component<br>Lithium-Ion Battery Pack"]
    n1["component<br>Battery Management System"]
    n2["component<br>Power Distribution Unit"]
    n3["component<br>DC-DC Converter Module"]
    n4["external<br>Vehicle Management Computer"]
    n5["external<br>Subsystem Loads"]
    n0 -->|48V DC bus| n2
    n1 -->|Cell monitoring and protection| n0
    n2 -->|Switched 48V| n3
    n3 -->|24V, 12V, 5V rails| n5
    n1 -->|SOC and battery status| n4
    n4 -->|Load shed commands| n2
Power Subsystem — Internal
flowchart TB
    n0["controller<br>Motor Drive Electronics"]
    n1["actuator<br>Brushless DC Propulsion Motor"]
    n2["mechanism<br>Propeller and Shaft Assembly"]
    n3["actuator<br>Control Surface Actuator Assembly"]
    n4["actuator<br>Buoyancy Trim System"]
    n5["external<br>Vehicle Management Computer"]
    n6["external<br>Power Distribution Unit"]
    n5 -->|CAN: speed/torque cmds| n0
    n0 -->|3-phase commutated power| n1
    n1 -->|torque via magnetic coupling| n2
    n5 -->|CAN: fin deflection cmds| n3
    n5 -->|CAN: buoyancy offset cmds| n4
    n6 -->|48V DC power| n0
    n6 -->|24V DC power| n3
    n6 -->|48V DC power| n4
Propulsion Subsystem — Internal
flowchart TB
    n0["component<br>Emergency Surfacing Controller"]
    n1["component<br>Drop Weight Release Mechanism"]
    n2["component<br>Hardware Watchdog Timer"]
    n3["component<br>Leak Detection Sensor Array"]
    n4["component<br>Emergency Locator Beacon"]
    n5["component<br>Acoustic Emergency Pinger"]
    n6["component<br>Emergency Battery"]
    n7["external<br>Vehicle Management Computer"]
    n8["external<br>Battery Management System"]
    n2 -->|GPIO timeout interrupt| n0
    n3 -->|I2C leak alarm| n0
    n8 -->|Hardwired battery critical-low| n0
    n7 -->|Heartbeat and abort command| n0
    n0 -->|Solenoid and burn-wire release| n1
    n0 -->|Activation line| n5
    n0 -->|Arming line| n4
    n6 -->|Independent power| n0
    n7 -->|30s heartbeat pulse| n2
    n0 -->|UART health telemetry| n7
Emergency and Safety Subsystem — Internal
flowchart TB
    n0["component<br>Acoustic Modem"]
    n1["component<br>Iridium SBD Transceiver"]
    n2["component<br>Wi-Fi Radio Module"]
    n3["component<br>Communications Controller"]
    n0 -->|Acoustic telemetry via RS-232| n3
    n1 -->|SBD messages via UART| n3
    n2 -->|Data offload via Ethernet| n3
Communications Subsystem — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Acoustic Emergency Pinger | D6C54218 | Underwater acoustic beacon operating at 37.5 kHz for location of a lost AUV on the seabed, compatible with standard naval and commercial acoustic search receivers. Source level 185 dB re 1 µPa at 1m. Pulse repetition rate 1 pulse per second, pulse duration 10ms. Powered by lithium primary cell providing 90 days continuous operation. Pressure-rated to 700 bar (7000m) for operation at full ocean depth. Activated by Emergency Surfacing Controller on mission abort if vehicle fails to achieve positive buoyancy. Also serves as tracking aid during normal recovery operations. |
| Acoustic Modem | D4F57018 | Mid-frequency (9-14 kHz) underwater acoustic modem providing half-duplex digital communication at up to 3 kbps over ranges to 5 km. Supports both command/telemetry messaging and ranging for USBL position aiding. Operates from 6000m depth. Used for vehicle-to-surface communication during submerged survey operations on an AUV, enabling mission status updates and remote abort commands without surfacing. |
| Aft Endcap and Shaft Seal Assembly | CE851018 | Titanium endcap housing the propeller shaft mechanical seal (double-lip rotary seal with oil-filled cavity), motor power penetrators, and aft sensor penetrators. Includes pressure-compensated oil reservoir maintaining 0.5 bar overpressure at the shaft seal to prevent water ingress at depth. Depth rated to 6000m. Critical seal interface between the flooded aft section and dry pressure hull interior. |
| Autonomous Underwater Vehicle | DFF75018 | Unmanned submersible platform designed for deep-sea survey, inspection, and environmental monitoring missions at depths to 6000m. Operates autonomously for 24-72 hour missions using lithium-polymer battery power with inertial/acoustic navigation (no GPS underwater). Integrates forward-looking sonar, multibeam bathymetry, HD cameras, CTD sensors, and mission-specific payloads. Communicates via acoustic modem subsea and RF/satellite on surface. Must withstand 600 bar pressure, near-freezing temperatures, and biofouling. Safety-critical: must surface autonomously on any fault that could lead to vehicle loss. |
| Battery Management System | 55F77A19 | Safety-critical controller monitoring lithium-ion battery pack health. Performs cell voltage monitoring, temperature sensing, state-of-charge estimation via coulomb counting with Kalman filter correction, and fault detection including over-current, over-temperature, and cell imbalance. Provides remaining energy estimates to vehicle management computer for mission abort decisions. Independent hardware protection circuit for over-voltage and thermal runaway prevention. |
| Brushless DC Propulsion Motor | D7C51018 | Oil-filled, pressure-compensated brushless DC motor serving as the primary thrust actuator for a 6000m-rated autonomous underwater vehicle. Operates at depths to 6000m with external hydrostatic pressure up to 600 bar. Provides approximately 200W continuous power at 3-knot cruise and 800W peak for maneuvering in currents. Oil-compensated housing eliminates pressure differential across seals. Must meet stringent acoustic noise limits (<130 dB re 1µPa at 1m in 10Hz-1kHz band). Interfaces with motor drive electronics via 3-phase power cables and Hall-effect sensor feedback. |
| Buoyancy Trim System | 53F53208 | Oil-hydraulic variable buoyancy system for a 6000m-rated AUV providing static buoyancy adjustment and fine depth control. Transfers hydraulic oil between an internal reservoir (within the pressure hull) and an external elastomeric bladder to change vehicle displacement by up to ±2kg equivalent. Uses a high-pressure hydraulic pump capable of operating against 600 bar ambient pressure. Provides trim authority for compensating payload changes, water density variations with depth and salinity, and low-speed depth holding without propulsive thrust. Controlled by the Vehicle Management Computer, which commands target buoyancy offset based on depth error and vertical velocity. Pump draws approximately 150W during active trimming. |
| Communications Controller | 51F77008 | Embedded ARM processor running message routing firmware. Manages all external communications interfaces: acoustic modem (submerged), Iridium SBD (surfaced), and Wi-Fi (surfaced near vessel). Handles message prioritisation, store-and-forward buffering for intermittent links, encryption of command channels, and automatic link selection based on vehicle state (submerged, surfaced, near vessel). Interfaces to VMC via internal Ethernet for command relay and telemetry forwarding. |
| Communications Subsystem | 54E57018 | Dual-domain communications for AUV operating subsea and at surface. Underwater: 10kHz acoustic modem providing 1kbps data link to surface vessel at ranges up to 5km, used for status telemetry, mission updates, and emergency recall commands. Surface: WiFi (802.11n) for high-bandwidth data offload when within 200m of support vessel, Iridium SBD satellite modem for position reporting and mission status when operating beyond vessel range. Emergency locator beacon (EPIRB) on 406MHz with GPS for post-loss recovery. Acoustic transponder for USBL tracking integration with navigation subsystem. |
| Control Surface Actuator Assembly | D7F51018 | Servo-driven rudder and elevator fin actuators mounted on the AUV tail section for 3-axis attitude and trajectory control. Each fin is driven by a brushless servo motor in an oil-filled housing rated to 600 bar. Provides pitch, yaw, and roll authority for waypoint tracking, depth changes, and obstacle avoidance. Fin deflection range ±30 degrees with 0.1-degree resolution and 200ms full-sweep response time. Receives heading, depth, and attitude commands from Vehicle Management Computer at 10Hz update rate. Critical for maintaining survey track accuracy during multibeam bathymetry operations where cross-track deviation must stay within 2m. |
| CTD Sensor Package | D6851018 | Integrated conductivity-temperature-depth sensor measuring seawater salinity (0-42 PSU, accuracy 0.003 PSU), temperature (-2 to 35 deg C, accuracy 0.001 deg C), and pressure (0-6500 dbar, accuracy 0.01% FS). Pumped flow path with anti-fouling guard. Samples at 24 Hz for sound velocity profile computation used to correct multibeam echosounder beamforming. Also records water column profiles for oceanographic survey data products. |
| DC-DC Converter Module | D6C51018 | High-efficiency isolated DC-DC converters stepping down 48V battery bus to 24V, 12V, and 5V regulated rails. Combined efficiency above 94 percent across load range. Operates in oil-filled pressure-compensated enclosure at depths to 6000m. Input voltage range 38-58V to accommodate battery discharge curve. Output regulation within 1 percent under transient loads. Total rated output 350W continuous. |
| Depth Pressure Sensor | D4C55018 | Paroscientific Digiquartz pressure transducer providing depth measurement from 0 to 6500m with accuracy of 0.01% full scale (0.65m). Temperature-compensated with response time under 50ms. Provides both depth for navigation and pressure for hull integrity monitoring. Connected to navigation processor via RS-485 serial interface at 10Hz output rate. |
| Digital Still Camera with LED Illumination | D6C51008 | Downward-looking 24-megapixel CMOS camera with integrated 4-LED array providing 12000 lumens. Captures georeferenced seabed imagery at 2cm/pixel resolution from 5m altitude. Triggered by sensor payload processor at configurable interval (1-10 Hz) synchronised to navigation fixes. Titanium pressure housing rated to 6000m. Provides optical ground-truth imagery for AUV survey missions complementing acoustic bathymetry data. |
| Doppler Velocity Log | D4C51018 | Acoustic bottom-tracking DVL operating at 300kHz with 4-beam Janus configuration. Provides ground-referenced velocity measurements accurate to 0.3% of speed at ranges up to 200m altitude. Used to bound INS drift during near-bottom survey operations. Outputs 3-axis velocity at 5 Hz. Also provides altitude measurement for terrain-following. Transducer array flush-mounted in hull with acoustic window. |
| Drop Weight Release Mechanism | D6C51018 | Electromechanical ballast jettison system for emergency positive buoyancy recovery of a 350kg AUV rated to 6000m depth. Primary release via solenoid latch drawing 2A at 24V; backup release via nichrome burn-wire activated independently by the Emergency Surfacing Controller. Drops a 15kg tungsten ballast mass to achieve positive buoyancy of approximately 8kg net. Release time under 2 seconds from command. Must function reliably after 6000m pressure soak and extended dormancy. Single-use per mission; reloaded on deck. |
| Emergency and Safety Subsystem | 51F77A18 | Independent safety layer for AUV loss prevention, operating on dedicated emergency power bus isolated from main vehicle power. Drop weight release (2kg tungsten) triggered by watchdog timer timeout, acoustic command, or critical fault detection — provides positive buoyancy for passive surfacing from 6000m. Hardware watchdog timer (independent microcontroller) monitors vehicle management computer heartbeat; triggers emergency surfacing sequence if heartbeat lost for >60 seconds. Xenon strobe and RF beacon activate on surfacing for visual/electronic recovery. Leak detection sensors in all pressure hull compartments trigger immediate mission abort. System is fail-safe: loss of power or communication defaults to surface. |
| Emergency Locator Beacon | D6F57018 | Combined surface recovery aid for a deep-rated AUV, activated upon emergency surfacing. Integrates xenon strobe visible at 3 nautical miles, VHF radio beacon on 156.525 MHz with AIS SART function detectable at 10+ NM, and GPS receiver for self-localisation. Position encoded in AIS transmissions. Powered by dedicated lithium primary cell with 72-hour continuous operation. Waterproof IP68. Activated by Emergency Surfacing Controller upon detecting surface conditions (pressure < 1.5 bar). |
| Emergency Surfacing Controller | D1F37218 | Independent safety-critical processor separate from the main Vehicle Management Computer, managing the emergency surfacing sequence for a deep-rated AUV. Monitors hardware watchdog, leak sensors, and battery critical-low signals. When triggered, executes a deterministic sequence: drop weight release, power down non-essential loads, activate acoustic pinger, and upon surfacing activate locator beacon. ARM Cortex-M0 class MCU with triple-redundant voting on critical inputs. Powered from a dedicated emergency battery cell independent of the main pack. Must operate even if main VMC, main battery, and all comms are lost. |
| Forward Endcap Assembly | CE851008 | Titanium endcap with integrated optical viewport (BK7 glass, 100mm diameter) for downward-looking camera, and 12 SubConn MCBH wet-mate connector penetrations for sensor interfaces. O-ring face seal with backup quad-ring. Depth rated to 6000m. Provides pressure-tight feedthrough for all forward-facing sensor cables (MBES, camera, CTD, DVL) on the AUV. |
| Free-Flood Fairing | C6841008 | Streamlined fibreglass composite outer shell providing hydrodynamic form factor (fineness ratio 8:1) around the pressure hull and free-flood sections. Houses control surface fins, propeller guard, and external sensor mounts. Not pressure-rated — floods freely during descent. Reduces vehicle drag coefficient to less than 0.15 at 3-knot cruise speed. Removable in sections for field maintenance access to internal components. |
| Hardware Watchdog Timer | D6F57A08 | Independent hardware watchdog circuit for AUV emergency surfacing failsafe. External to the Vehicle Management Computer, implemented as a discrete timer IC (e.g., MAX6369) with independent crystal oscillator. The VMC must reset the watchdog via a dedicated GPIO pulse every 30 seconds. If the watchdog times out (VMC crash, hang, or power loss), it asserts a hardware interrupt to the Emergency Surfacing Controller, triggering the emergency surfacing sequence. Timeout period configurable between 15-120 seconds via resistor selection, set to 60 seconds for operational missions. Powered from the emergency battery rail independent of main power. |
| Hull Penetrator Array | D2855008 | Set of 24 SubConn MCBH-series wet-mateable bulkhead connectors distributed across forward and aft endcaps. Each penetrator provides pressure-tight electrical feedthrough rated to 6000m depth. Connector types include power (600V, 10A), signal (Ethernet, RS-232, RS-485), and fibre optic (single-mode). Provides all electrical and optical connections between internal hull electronics and external sensors, actuators, and antennas. |
| Inertial Navigation Unit | D4E73018 | Fibre-optic gyroscope (FOG) based inertial measurement unit providing 6-DOF acceleration and angular rate sensing. Drift rate < 0.1 deg/hr, accelerometer bias stability < 10 µg. Primary dead-reckoning source for AUV operating in GPS-denied underwater environment at depths to 6000m. Outputs body-frame velocity and attitude at 200 Hz to the navigation processor. Pressure-rated titanium housing. |
| Iridium SBD Transceiver | D7F75008 | Iridium Short Burst Data satellite transceiver with integrated GPS receiver. Transmits 340-byte SBD messages via the Iridium constellation when the AUV antenna is above the sea surface. Primary surfaced communications link for position reporting, mission status, and emergency alerts. Activates automatically upon detecting surface conditions (ambient pressure below 200 mbar). Rated for marine environment with conformal antenna integrated into the AUV tailfin. |
| Leak Detection Sensor Array | D4F55208 | Distributed humidity and water ingress detection system inside the AUV pressure hull. Comprises 4 point sensors at hull penetrator locations and 2 condensation sensors on internal hull surfaces. Each sensor detects liquid water contact and reports via I2C bus to the Emergency Surfacing Controller. Detection threshold: 0.5ml water presence. Response time under 500ms from water contact to alarm signal. Operates at 3.3V with total current draw under 50mA. Must distinguish between condensation (gradual humidity rise) and active leak (rapid water contact). |
| Lithium-Ion Battery Pack | D6D51018 | Primary energy storage for deep-sea AUV. Pressure-compensated lithium-ion battery pack using NCA cells in oil-filled enclosure rated to 600 bar. Total usable capacity 10kWh at 48V nominal. Supports 24-hour mission endurance at 3-knot cruise. Maximum discharge rate 2C for thruster transients. Operating temperature range -2 to 45 degrees C. Includes cell-level balancing and thermal management. |
| Main Pressure Hull Cylinder | CE850018 | Grade 5 titanium alloy (Ti-6Al-4V) cylindrical pressure vessel, 1800mm internal length by 250mm internal diameter, wall thickness 12mm. Houses all electronics, batteries, and payload instruments. Rated to 6000m depth (600 bar external hydrostatic pressure) with safety factor of 1.5 on yield. O-ring sealed at both endcaps. External surface hard-anodised for corrosion resistance. Primary structural element of the autonomous underwater vehicle. |
| Mass Storage Array | D6851008 | Redundant NVMe SSD storage array providing 4 TB minimum usable capacity with sustained sequential write throughput of 200 MB/s. Configured as RAID-1 mirror across two 4 TB drives for data integrity. Pressure-compensated enclosure rated to 6000m. Stores all mission sensor data: multibeam bathymetry pings, camera images, CTD profiles. Interfaces to sensor payload processor via PCIe NVMe. Supports post-mission data offload via dedicated high-speed link to communications subsystem. |
| Motor Drive Electronics | D1F53018 | Field-oriented control (FOC) motor drive for a brushless DC propulsion motor on a 6000m-rated AUV. Housed in a pressure-rated electronics canister within the tail section. Receives speed/torque commands from the Vehicle Management Computer via RS-485/CAN bus and executes sinusoidal commutation for low acoustic noise and high efficiency. Provides regenerative braking capability, over-current protection, and thermal monitoring. Draws from 48V DC bus via the Power Distribution Unit. Maximum continuous output 800W, switching frequency >20kHz to stay above the audible/hydroacoustic band. |
| Multibeam Echosounder | D4E71018 | Hull-mounted 400 kHz multibeam echosounder with 256 beams across 120-degree swath. Provides bathymetric depth measurements at 0.5m lateral resolution and 0.1m vertical accuracy at survey altitude of 50m above seabed. Equidistant beam spacing with electronic beam stabilisation for roll, pitch, and heave compensation. Operating depth rated to 6000m. Primary survey instrument for georeferenced seabed mapping on an autonomous underwater vehicle. |
| Navigation and Guidance Subsystem | 45F73018 | |
| Navigation Processor | 51F77208 | Embedded real-time computer running extended Kalman filter for multi-sensor fusion. Fuses INS, DVL, USBL, depth sensor, and surface GPS data into optimal state estimate. Outputs filtered position, velocity, and attitude at 50 Hz to the vehicle management computer. Implements fault detection and isolation for sensor failures. Dual-redundant ARM Cortex-R5 processors with lockstep for safety integrity. Power consumption under 15W. |
| Power Distribution Unit | D6C51018 | Central power switching and distribution unit for AUV subsystems. Receives 48V DC from battery pack and provides regulated outputs at 48V, 24V, 12V, and 5V rails. Solid-state switching with current limiting and fault isolation per channel. Implements power sequencing for controlled startup and emergency load shedding. Maximum throughput 500W continuous. EMI-filtered outputs for sensor subsystems. |
| Power Subsystem | 56F71218 | Provides electrical power for all AUV subsystems during autonomous missions of 24-72 hours. Primary energy storage is 10kWh lithium-polymer battery in pressure-compensated oil-filled housing rated to 6000m depth. Power management unit distributes 48VDC main bus and 24VDC/12VDC regulated rails. Battery management system monitors cell voltages, temperatures, and state-of-charge, triggering mission abort at 15% remaining capacity. Shore charging via wet-mate connector at 1kW. Includes emergency power reserve (separate 500Wh pack) for safety-critical systems during emergency surfacing. |
| Pressure Hull and Structure | CE851018 | Torpedo-shaped pressure vessel and external fairing providing structural integrity and buoyancy for AUV operations to 6000m (600 bar). Main pressure hull is Grade 5 titanium (Ti-6Al-4V) cylinder, 250mm internal diameter, 2.2m length, housing electronics and batteries. Forward and aft hemispherical endcaps with penetrators for cables and sensors. External syntactic foam fairing provides hydrodynamic shape and positive buoyancy to achieve neutral trim. Total vehicle length 4.5m, dry mass 350kg, slightly positive buoyancy in seawater. Ballast system: variable buoyancy engine (VBE) using hydraulic oil/seawater exchange for ±2kg buoyancy trim. |
| Propeller and Shaft Assembly | CEC51008 | Fixed-pitch, 5-blade propeller with magnetic coupling shaft seal for a 6000m-rated AUV. Propeller diameter approximately 250mm, optimized for maximum efficiency at 3-knot cruise speed with low cavitation inception to meet noise requirements (<130 dB re 1µPa at 1m). Magnetic coupling eliminates rotary shaft seals, providing zero-leak torque transfer through the pressure boundary. Shaft supported by polymer bearings lubricated by seawater. Assembly must withstand 600 bar external pressure and biofouling. Key design constraint is balancing propulsive efficiency against radiated noise in the 10Hz-1kHz band. |
| Propulsion Subsystem | D6D53218 | |
| Sensor Payload Processor | 51B77208 | Embedded x86 compute module running real-time Linux, responsible for synchronised data acquisition from multibeam echosounder, camera, and CTD sensor. Timestamps all sensor data against PPS-disciplined clock from the navigation processor. Performs real-time georeferencing by fusing sensor data with navigation solution. Manages write scheduling to the mass storage array at sustained 200 MB/s. Interfaces to VMC via Gigabit Ethernet for mission control, health reporting, and sensor mode configuration. |
| Sensor Payload Subsystem | D4C51208 | Modular sensor bay housing mission-specific instrumentation for deep-sea survey and inspection. Core sensors: 400kHz multibeam echosounder (120-degree swath, 0.5m resolution at 100m range), dual-frequency side-scan sonar (100/400kHz), 4K HDR camera with LED lighting array (6000 lumens), CTD probe (conductivity-temperature-depth with 0.001 PSU accuracy). Payload bay accepts additional instruments via standardised mechanical/electrical interfaces: magnetometer, sub-bottom profiler, water sampling carousel. All sensor data timestamped to PPS-synchronised clock and logged to 4TB SSD at up to 200MB/s aggregate. |
| Surface GPS Antenna Module | D6C45018 | Integrated GPS L1/L2 receiver with patch antenna in a pressure-rated mast-mounted housing. Acquires GPS fix within 60 seconds of surfacing for position recalibration before and after dive. Provides position accuracy of 2.5m CEP. Also supplies precise UTC time reference for synchronising navigation data timestamps. Active only when vehicle is at or near surface. Connected to navigation processor via serial interface. |
| USBL Acoustic Transponder | D4F54008 | Ultra-short baseline acoustic positioning transponder operating at 20-30kHz. Receives interrogation signals from ship-mounted USBL array and replies for range-bearing position fixes accurate to 0.1 percent of slant range. Provides periodic absolute position updates to recalibrate INS drift. Also supports acoustic telemetry for low-bandwidth command/status exchange with surface vessel. Operates at depths to 6000m. |
| Vehicle Management Computer | 51B77008 | Central processing node executing mission control, health management, and fault response for the AUV. Dual-redundant ARM-based compute modules in hot-standby configuration running real-time Linux (PREEMPT_RT). Executes mission plan interpreter, coordinates subsystem modes, monitors 200+ health parameters via CAN bus and Ethernet. Fault management engine implements hierarchical response: sensor reconfiguration, mission modification, and emergency surfacing. Logs all vehicle state and decisions to non-volatile storage. Provides operator interface via Ethernet when docked. 50W nominal power consumption. |
| Wi-Fi Radio Module | D6E55018 | Dual-band 802.11ac Wi-Fi radio with directional antenna providing 300 Mbps throughput at ranges to 500m line-of-sight. Used for high-bandwidth data offload when the AUV is surfaced within range of the support vessel. Enables transfer of mission sensor data (up to 4 TB) without physical recovery. Also provides a secondary command channel for mission upload and diagnostics. Marine-hardened enclosure with splash-proof antenna. |
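
The Emergency Surfacing Controller, Drop Weight Release Mechanism and Emergency Locator Beacon rows above describe voted trigger inputs and a deterministic release sequence that runs without the VMC. The C state machine below is an added example of that logic, not code from this design: all names are hypothetical, and it assumes 2-of-3 majority voting, a release-confirm switch, an ESC-local pressure reading, and that the 2-second release time doubles as the burn-wire fallback timeout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Trigger inputs drawn into the ESC in the Emergency and Safety diagram. */
enum { SRC_WATCHDOG, SRC_LEAK, SRC_BATT_CRIT, SRC_VMC_ABORT, SRC_COUNT };

typedef enum {
    ESC_MONITOR, ESC_RELEASE_SOLENOID, ESC_RELEASE_BURNWIRE,
    ESC_ASCENDING, ESC_SURFACED
} esc_state_t;

typedef struct {
    bool     sample[SRC_COUNT][3]; /* three redundant reads per input */
    bool     weight_gone;          /* hypothetical release-confirm switch */
    uint32_t pressure_mbar;        /* assumed ESC-local pressure reading */
} esc_inputs_t;

typedef struct { bool solenoid, burn_wire, shed_loads, pinger, beacon; } esc_outputs_t;

typedef struct {
    esc_state_t   state;
    uint32_t      t_release_ms;    /* when the solenoid was energised */
    esc_outputs_t out;
} esc_t;

#define RELEASE_TIMEOUT_MS 2000u   /* page: release under 2 s from command */
#define SURFACE_MBAR       1500u   /* page: beacon at pressure < 1.5 bar   */

void esc_init(esc_t *e) { *e = (esc_t){ .state = ESC_MONITOR }; }

/* 2-of-3 majority: one glitched read neither triggers nor masks a fault. */
static bool vote(const bool s[3]) { return (s[0] + s[1] + s[2]) >= 2; }

static bool any_trigger(const esc_inputs_t *in)
{
    for (int i = 0; i < SRC_COUNT; i++)
        if (vote(in->sample[i])) return true;
    return false;
}

static void start_ascent(esc_t *e)
{
    e->out.solenoid = e->out.burn_wire = false;  /* release paths off */
    e->state = ESC_ASCENDING;
}

/* One control tick. There is no transition back to ESC_MONITOR. */
esc_state_t esc_step(esc_t *e, const esc_inputs_t *in, uint32_t now_ms)
{
    switch (e->state) {
    case ESC_MONITOR:
        if (any_trigger(in)) {
            e->out.solenoid   = true;  /* 1. primary drop weight release */
            e->out.shed_loads = true;  /* 2. power down non-essential loads */
            e->out.pinger     = true;  /* 3. acoustic pinger on */
            e->t_release_ms   = now_ms;
            e->state = ESC_RELEASE_SOLENOID;
        }
        break;
    case ESC_RELEASE_SOLENOID:
        if (in->weight_gone) {
            start_ascent(e);
        } else if (now_ms - e->t_release_ms >= RELEASE_TIMEOUT_MS) {
            e->out.burn_wire = true;   /* backup path, solenoid stays on */
            e->state = ESC_RELEASE_BURNWIRE;
        }
        break;
    case ESC_RELEASE_BURNWIRE:
        if (in->weight_gone) start_ascent(e);
        break;
    case ESC_ASCENDING:
        if (in->pressure_mbar < SURFACE_MBAR) {
            e->out.beacon = true;      /* 4. locator beacon at surface */
            e->state = ESC_SURFACED;
        }
        break;
    case ESC_SURFACED:
        break;
    }
    return e->state;
}

int main(void)
{
    esc_t e;
    esc_init(&e);
    esc_inputs_t in = { .pressure_mbar = 600000 };  /* constructed: 600 bar */
    in.sample[SRC_WATCHDOG][0] = in.sample[SRC_WATCHDOG][2] = true;
    printf("t=0 ms    state=%d\n", esc_step(&e, &in, 0));
    printf("t=2000 ms state=%d\n", esc_step(&e, &in, 2000));
    return 0;
}
```

Because no input returns the machine to `ESC_MONITOR`, a rebooted or faulty VMC can request surfacing but cannot cancel it once triggered.
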
| Component | Belongs To |
|---|---|
| Navigation and Guidance Subsystem | Autonomous Underwater Vehicle |
| Propulsion Subsystem | Autonomous Underwater Vehicle |
| Power Subsystem | Autonomous Underwater Vehicle |
| Sensor Payload Subsystem | Autonomous Underwater Vehicle |
| Communications Subsystem | Autonomous Underwater Vehicle |
| Vehicle Management Computer | Autonomous Underwater Vehicle |
| Pressure Hull and Structure | Autonomous Underwater Vehicle |
| Emergency and Safety Subsystem | Autonomous Underwater Vehicle |
| Inertial Navigation Unit | Navigation and Guidance Subsystem |
| Doppler Velocity Log | Navigation and Guidance Subsystem |
| USBL Acoustic Transponder | Navigation and Guidance Subsystem |
| Navigation Processor | Navigation and Guidance Subsystem |
| Depth Pressure Sensor | Navigation and Guidance Subsystem |
| Surface GPS Antenna Module | Navigation and Guidance Subsystem |
| Lithium-Ion Battery Pack | Power Subsystem |
| Power Distribution Unit | Power Subsystem |
| Battery Management System | Power Subsystem |
| DC-DC Converter Module | Power Subsystem |
| Brushless DC Propulsion Motor | Propulsion Subsystem |
| Motor Drive Electronics | Propulsion Subsystem |
| Propeller and Shaft Assembly | Propulsion Subsystem |
| Control Surface Actuator Assembly | Propulsion Subsystem |
| Buoyancy Trim System | Propulsion Subsystem |
| Drop Weight Release Mechanism | Emergency and Safety Subsystem |
| Emergency Surfacing Controller | Emergency and Safety Subsystem |
| Emergency Locator Beacon | Emergency and Safety Subsystem |
| Acoustic Emergency Pinger | Emergency and Safety Subsystem |
| Leak Detection Sensor Array | Emergency and Safety Subsystem |
| Hardware Watchdog Timer | Emergency and Safety Subsystem |
| Multibeam Echosounder | Sensor Payload Subsystem |
| Digital Still Camera with LED Illumination | Sensor Payload Subsystem |
| CTD Sensor Package | Sensor Payload Subsystem |
| Sensor Payload Processor | Sensor Payload Subsystem |
| Mass Storage Array | Sensor Payload Subsystem |
| Acoustic Modem | Communications Subsystem |
| Iridium SBD Transceiver | Communications Subsystem |
| Wi-Fi Radio Module | Communications Subsystem |
| Communications Controller | Communications Subsystem |
| Main Pressure Hull Cylinder | Pressure Hull and Structure |
| Forward Endcap Assembly | Pressure Hull and Structure |
| Aft Endcap and Shaft Seal Assembly | Pressure Hull and Structure |
| Free-Flood Fairing | Pressure Hull and Structure |
| Hull Penetrator Array | Pressure Hull and Structure |
| From | To |
|---|---|
| Inertial Navigation Unit | Navigation Processor |
| Doppler Velocity Log | Navigation Processor |
| USBL Acoustic Transponder | Navigation Processor |
| Depth Pressure Sensor | Navigation Processor |
| Surface GPS Antenna Module | Navigation Processor |
| Navigation Processor | Vehicle Management Computer |
| USBL Acoustic Transponder | Communications Subsystem |
| Lithium-Ion Battery Pack | Power Distribution Unit |
| Power Distribution Unit | DC-DC Converter Module |
| Battery Management System | Lithium-Ion Battery Pack |
| Battery Management System | Vehicle Management Computer |
| Power Distribution Unit | Vehicle Management Computer |
| Motor Drive Electronics | Brushless DC Propulsion Motor |
| Brushless DC Propulsion Motor | Propeller and Shaft Assembly |
| Motor Drive Electronics | Vehicle Management Computer |
| Control Surface Actuator Assembly | Vehicle Management Computer |
| Buoyancy Trim System | Vehicle Management Computer |
| Power Distribution Unit | Motor Drive Electronics |
| Power Distribution Unit | Control Surface Actuator Assembly |
| Power Distribution Unit | Buoyancy Trim System |
| Leak Detection Sensor Array | Emergency Surfacing Controller |
| Hardware Watchdog Timer | Emergency Surfacing Controller |
| Emergency Surfacing Controller | Drop Weight Release Mechanism |
| Emergency Surfacing Controller | Acoustic Emergency Pinger |
| Emergency Surfacing Controller | Emergency Locator Beacon |
| Emergency Surfacing Controller | Vehicle Management Computer |
| Battery Management System | Emergency Surfacing Controller |
| Multibeam Echosounder | Sensor Payload Processor |
| Digital Still Camera with LED Illumination | Sensor Payload Processor |
| CTD Sensor Package | Sensor Payload Processor |
| Sensor Payload Processor | Mass Storage Array |
| Sensor Payload Processor | Vehicle Management Computer |
| CTD Sensor Package | Multibeam Echosounder |
| Acoustic Modem | Communications Controller |
| Iridium SBD Transceiver | Communications Controller |
| Wi-Fi Radio Module | Communications Controller |
| Communications Controller | Vehicle Management Computer |

| Component | Output |
|---|---|
| Inertial Navigation Unit | body-frame velocity and attitude at 200Hz |
| Doppler Velocity Log | ground-referenced 3-axis velocity and altitude at 5Hz |
| USBL Acoustic Transponder | absolute position fixes via acoustic ranging |
| Navigation Processor | fused position, velocity, and attitude at 50Hz |
| Depth Pressure Sensor | depth measurement at 10Hz |
| Surface GPS Antenna Module | GPS position fix and UTC time reference |
| Lithium-Ion Battery Pack | 48V DC bus power at 10kWh capacity |
| Power Distribution Unit | switched and fused power to all subsystems |
| Battery Management System | SOC estimates and battery health status |
| DC-DC Converter Module | regulated 24V, 12V, and 5V rails |
| Brushless DC Propulsion Motor | rotary torque |
| Motor Drive Electronics | 3-phase commutated power |
| Propeller and Shaft Assembly | hydrodynamic thrust |
| Control Surface Actuator Assembly | fin deflection forces |
| Buoyancy Trim System | variable displacement |
| Drop Weight Release Mechanism | emergency positive buoyancy via 15kg ballast jettison |
| Emergency Surfacing Controller | deterministic emergency surfacing sequence commands |
| Emergency Locator Beacon | VHF AIS SART signal and xenon strobe for surface recovery |
| Acoustic Emergency Pinger | 37.5 kHz acoustic pulses at 185 dB for underwater localisation |
| Leak Detection Sensor Array | water ingress alarm and humidity trend data |
| Hardware Watchdog Timer | VMC health status and timeout interrupt to ESC |
| Multibeam Echosounder | 256-beam bathymetric depth swath at 0.5m resolution and 0.1m vertical accuracy |
| Digital Still Camera with LED Illumination | georeferenced 24MP seabed images at 2cm/pixel resolution |
| CTD Sensor Package | salinity, temperature, depth profiles at 24Hz and derived sound velocity |
| Sensor Payload Processor | timestamped georeferenced sensor data written to storage at 200 MB/s |
| Mass Storage Array | 4TB persistent mission data with RAID-1 integrity |
| Acoustic Modem | half-duplex digital telemetry at 3 kbps over 5 km underwater |
| Iridium SBD Transceiver | 340-byte satellite messages for position and status reporting |
| Wi-Fi Radio Module | 300 Mbps high-bandwidth link for surfaced data offload |
| Communications Controller | routed and prioritised messages across all comms links |
| Main Pressure Hull Cylinder | 1-atmosphere dry environment at 6000m depth for all internal electronics |
| Forward Endcap Assembly | pressure-tight sensor cable feedthrough and optical viewport |
| Aft Endcap and Shaft Seal Assembly | pressure-tight rotary shaft seal with oil compensation |
| Free-Flood Fairing | streamlined hydrodynamic form with Cd less than 0.15 |
| Hull Penetrator Array | 24 pressure-rated electrical and optical feedthroughs to 6000m |