Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org

| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Propeller strike causing laceration or eye injury during hand launch, landing catch, or ground handling with motor armed | critical | medium | SIL 2 | motor de-energised, propeller stationary |
| H-002: LiPo battery thermal runaway causing fire and toxic fumes after crash damage, overcharge, or cell imbalance | catastrophic | rare | SIL 2 | battery disconnected and isolated in fireproof container, charger power removed |
| H-003: Aircraft flyaway beyond VLOS due to wind, disorientation, or control link failure, striking people or property | critical | low | SIL 1 | motor cut, controlled glide descent via failsafe |
| H-004: Uncontrolled or failsafe aircraft descent striking bystander, causing blunt force injury from 500g mass at 15-25 m/s | major | medium | SIL 1 | motor off, aircraft on ground, minimum energy state |
| H-005: Exposed battery wiring after crash causing burns from short-circuit heating (20-40A through damaged conductors) when child handles wreckage | major | low | SIL 1 | battery connector unplugged, no current flow |
| H-006: RF interference or cross-binding causing loss of control when multiple RC aircraft operate in proximity | critical | rare | SIL 1 | receiver enters failsafe on loss of bound transmitter signal |
| H-007: Small detachable parts (propeller nut, control horns, battery connector) presenting choking hazard to siblings under 3, and button cell ingestion risk causing chemical burns | critical | low | SIL 1 | small parts secured, battery compartment child-proofed with screw closure |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-REQ-007 | SIL 2 | The interface between the Electronic Speed Controller MOSFET Half-Bridge and the Brushless DC Motor SHALL provide three-phase commutation at switching... | Test |
| IFC-REQ-008 | SIL 2 | The mechanical interface between the Brushless DC Motor shaft and the Propeller SHALL maintain positive engagement under a minimum axial extraction fo... | Test |
| IFC-REQ-021 | SIL 2 | The interface between the LiPo Battery Pack and the Power Distribution PCB SHALL use an XT30 polarised connector rated to 30 A continuous, with the po... | Inspection |
| IFC-REQ-022 | SIL 2 | The interface between the AC-DC Power Supply Module and the LiPo Balance Charger IC SHALL provide 12 V DC at up to 500 mA with voltage tolerance of pl... | Test |
| IFC-REQ-023 | SIL 1 | The interface between the Radio Transmitter and the Flight Control Electronics Receiver during the binding procedure SHALL exchange a unique transmitt... | Test |
| IFC-REQ-024 | SIL 1 | The interface between the Radio Transmitter RF Module and the Flight Control Electronics Receiver SHALL convey a Received Signal Strength Indicator (R... | Test |
| IFC-REQ-025 | SIL 2 | The interface between the Electronic Speed Controller MCU and the MOSFET Gate Driver IC SHALL use 3.3 V CMOS logic level gate control signals with a r... | Test |
| IFC-REQ-026 | SIL 1 | The interface between the Radio Transmitter Joystick Axes and the 2.4 GHz RF Module SHALL sample stick position at a minimum of 100 Hz and SHALL trans... | Test |
| SUB-REQ-001 | SIL 2 | The Propulsion Subsystem ESC SHALL respond to a PWM throttle command change from idle to full (1000 us to 2000 us) with motor RPM increase to 80% of m... | Test |
| SUB-REQ-002 | SIL 2 | The Propulsion Subsystem Brushless DC Motor SHALL generate a minimum thrust of 80 g when supplied with the nominal 7.4 V bus and a 100% throttle comma... | Test |
| SUB-REQ-003 | SIL 2 | The Propulsion Subsystem Propeller SHALL fragment or plastically deform on impact with a rigid surface at a blade tip velocity of 15 m/s or greater, r... | Test |
| SUB-REQ-004 | SIL 2 | When any LiPo cell voltage drops below 3.3 V, the ESC SHALL progressively reduce motor power by 50% per 100 mV below the 3.3 V threshold and SHALL cut... | Test |
| SUB-REQ-007 | SIL 1 | The Radio Transmitter SHALL transmit a new control frame containing proportional stick positions within 20 ms of a stick deflection input change excee... | Test |
| SUB-REQ-008 | SIL 1 | The Radio Transmitter 2.4GHz RF Module SHALL maintain a frame loss rate of less than 1 percent during transmission to the paired airborne receiver at ... | Test |
| SUB-REQ-009 | SIL 1 | The Radio Transmitter SHALL support a bind-time configurable failsafe output state, transmittable as a distinct packet type to the airborne receiver, ... | Demonstration |
| SUB-REQ-010 | SIL 2 | The Power System LiPo Battery Pack SHALL provide a minimum usable capacity of 400 mAh at a 10C continuous discharge rate at 7.4V nominal, sustaining f... | Test |
| SUB-REQ-011 | SIL 2 | The Power System 5V BEC SHALL maintain output voltage between 4.75 V and 5.25 V under loads from 0 mA to 1500 mA, with transient response returning to... | Test |
| SUB-REQ-012 | SIL 2 | The Power System LiPo Battery Pack SHALL have a total mass not exceeding 30 g when fully charged. | Inspection |
| SUB-REQ-013 | SIL 2 | When any individual LiPo cell voltage drops below 3.3 V during discharge, the Power System SHALL signal the ESC to engage low-voltage cutoff within 20... | Test |
| SUB-REQ-014 | SIL 2 | The Power Distribution PCB SHALL incorporate a resettable PTC fuse rated to interrupt current at 8 A within 1 second to protect wiring from short-circ... | Test |
| SUB-REQ-015 | SIL 2 | The Ground Charging System LiPo Balance Charger IC SHALL terminate charging when any individual cell voltage reaches 4.20 V plus or minus 0.01 V, or w... | Test |
| SUB-REQ-016 | SIL 2 | The Ground Charging System LiPo Balance Charger IC SHALL charge a fully depleted 450 mAh 2S LiPo pack to 95 percent capacity within 90 minutes at a ch... | Test |
| SUB-REQ-017 | SIL 2 | The Ground Charging System Charge Status LED Indicator SHALL display red during active charging and green upon charge completion, with the green indic... | Test |
| SUB-REQ-018 | SIL 1 | The Flight Control Electronics 2.4GHz FHSS Receiver SHALL initiate failsafe output within 500 ms of detecting loss of valid control frames, setting th... | Test |
| SUB-REQ-019 | SIL 1 | The Flight Control Electronics Flight Control MCU SHALL apply gyro-assisted stability augmentation to limit bank angle excursion to plus or minus 45 d... | Test |
| SUB-REQ-020 | SIL 1 | The Flight Control Electronics Elevator Servo and Rudder Servo SHALL each achieve full deflection travel (10 mm) in less than 100 ms under a 100 g-cm ... | Test |
| SUB-REQ-021 | SIL 1 | The Flight Control Electronics subsystem (receiver, FCE board with MCU and IMU, two servos, and all interconnect wiring) total mass SHALL not exceed 2... | Inspection |
| SUB-REQ-022 | SIL 1 | The Airframe Subsystem EPP Foam Fuselage SHALL withstand a 10 m/s nose-first impact onto a grass surface without battery ejection from the battery tra... | Test |
| SUB-REQ-023 | SIL 1 | The Airframe Subsystem (fuselage, wing, tail, control surfaces, pushrods, and all structural hardware) total mass SHALL not exceed 80 g. | Inspection |
| SUB-REQ-024 | SIL 1 | The Airframe Subsystem Elevator Control Surface and Rudder Control Surface SHALL each provide a minimum neutral-to-full-deflection mechanical travel o... | Inspection |
| SUB-REQ-025 | SIL 2 | When the ESC loses the PWM throttle input signal for more than 100 ms, the Electronic Speed Controller SHALL reduce motor drive to zero throttle outpu... | Test |
| SUB-REQ-026 | SIL 1 | The Flight Control Electronics Flight Control MCU SHALL implement stability augmentation using 3-axis gyroscope feedback to limit commanded bank angle... | Test |
| SUB-REQ-027 | SIL 2 | When the Flight Control Electronics 2.4GHz FHSS Receiver does not receive a valid control frame for more than 500 ms, the receiver SHALL output a pre-... | Test |
| SUB-REQ-028 | SIL 2 | The Airframe Subsystem EPP foam fuselage battery bay SHALL retain the LiPo battery pack under nose-first impact at 10 m/s using a latched hatch mechan... | Test |
| SUB-REQ-032 | SIL 1 | The Radio Transmitter 2.4 GHz RF Module SHALL operate at a conducted transmit power not exceeding 100 mW EIRP in compliance with FCC Part 15.247 and E... | Test |
| SUB-REQ-033 | SIL 1 | The Radio Transmitter SHALL incorporate a physical bind button that initiates the receiver binding sequence when held for 3 seconds with the transmitt... | Test |
| SUB-REQ-034 | SIL 2 | The Electronic Speed Controller MOSFET Half-Bridge SHALL use switching transistors rated for a minimum drain-source breakdown voltage of 20 V and a co... | Test |
| SUB-REQ-035 | SIL 2 | The Electronic Speed Controller Gate Driver IC SHALL enforce a minimum dead-time of 100 ns between the high-side and low-side MOSFET gate signals on e... | Test |
| SUB-REQ-036 | SIL 2 | The Electronic Speed Controller Microcontroller SHALL execute the motor commutation loop with a maximum cycle time of 20 µs to support sensorless back... | Test |
| SUB-REQ-037 | SIL 1 | The Flight Control Electronics 2.4 GHz FHSS Receiver SHALL output a CPPM stream at 50 Hz frame rate on a single signal wire, encoding all received cha... | Test |
| SYS-REQ-003 | SIL 1 | The aircraft SHALL incorporate gyro-assisted stability augmentation that limits bank angle to ±45 degrees and pitch angle to ±30 degrees in beginner m... | Test |
| SYS-REQ-004 | SIL 1 | When the receiver detects loss of valid control frames for more than 500 ms, the Kids Remote Control Airplane SHALL cut motor power to idle and set co... | Test |
| SYS-REQ-005 | SIL 2 | The balance charger SHALL monitor individual cell voltage during charging with automatic charge termination when any cell exceeds 4.20 V ±0.025 V, and... | Test |
| SYS-REQ-006 | SIL 2 | The propeller SHALL be constructed from a material that yields or fragments on impact with a force not exceeding 15 N, preventing transmission of cutt... | Test |
| SYS-REQ-008 | SIL 1 | The aircraft airframe SHALL withstand a 10 m/s nose-first impact onto grass without battery ejection, exposure of electrical wiring, or creation of sh... | Test |
| SYS-REQ-010 | SIL 1 | The ESC SHALL progressively reduce motor power when battery cell voltage drops below 3.3 V and SHALL cut motor power completely at 3.0 V per cell, whi... | Test |
| SYS-REQ-011 | SIL 1 | The Kids Remote Control Airplane total flight-ready mass (airframe, LiPo pack, avionics, propulsion) SHALL not exceed 250 g in ready-to-fly configurat... | Test |
| SYS-REQ-012 | SIL 1 | The Kids Remote Control Airplane SHALL display EN 71 Part 1 and ASTM F963 mandatory safety labelling on the airframe and packaging, including minimum ... | Inspection |
| SYS-REQ-013 | SIL 2 | Following any unplanned ground contact, the Kids Remote Control Airplane product documentation SHALL require the user to: (a) disconnect the LiPo batt... | Inspection |
| VER-REQ-003 | SIL 2 | Verify SUB-REQ-004: Power ESC from variable bench supply. Set 100% throttle, then reduce supply voltage per-cell below 3.3V in 50mV steps while monito... | Test |
| VER-REQ-016 | SIL 2 | Verify SUB-REQ-013: Power the ESC from a variable bench supply set to 8.4V (full charge). Drive motor to 50% throttle. Ramp supply voltage down at 0.1... | Test |
| VER-REQ-017 | SIL 2 | Verify SUB-REQ-010: Discharge new battery pack at 2.5A constant current (representing mean cruise power) from 8.4V until either LVC trips or terminal ... | Test |
| VER-REQ-019 | SIL 2 | Verify SUB-REQ-015: Connect a 2S LiPo pack with one cell at 4.18V and one at 4.17V to the charger. Apply a bench supply at the charger input and initi... | Test |
| VER-REQ-021 | SIL 1 | Verify SUB-REQ-018: Bind transmitter to receiver. Power system on. Using oscilloscope, monitor receiver throttle output channel. Disable transmitter R... | Test |
| VER-REQ-022 | SIL 1 | Verify SUB-REQ-019: Mount aircraft in 3-axis gimbal. Apply maximum stick deflection on pitch axis. Use digital inclinometer to measure maximum achieve... | Test |
| VER-REQ-023 | SIL 1 | Verify SUB-REQ-022: Load battery into aircraft. Drop aircraft nose-first from height of 5.1 m onto a grass surface (impact velocity at contact ~10 m/s... | Test |
| VER-REQ-028 | SIL 2 | Verify SUB-REQ-014: Connect a calibrated constant-current load to the power distribution PCB output. Ramp current to 8 A and start a stopwatch. Measur... | Test |
| VER-REQ-029 | SIL 2 | Verify SUB-REQ-016: Fully discharge a 450 mAh 2S LiPo to 3.0 V/cell. Connect to charger set at 0.5C (225 mA). Record charge start time and monitor cha... | Test |
| VER-REQ-040 | SIL 2 | Verify SUB-REQ-025: Connect ESC to motor test stand. Apply 1500 us throttle via signal generator. Disconnect PWM signal wire while monitoring motor RP... | Test |
| VER-REQ-041 | SIL 1 | Verify SUB-REQ-026: Mount aircraft in 3-axis gimbal with FCE powered in beginner mode. Command 60-degree bank via transmitter and measure actual maxim... | Test |
| VER-REQ-042 | SIL 2 | Verify SUB-REQ-027: Bind transmitter to receiver. Set failsafe channel positions. Power aircraft without transmitter active. Measure time from power-o... | Test |
| VER-REQ-043 | SIL 2 | Verify SUB-REQ-028: Install LiPo battery in aircraft. Drop aircraft from 0.5m height onto concrete (nose-first, 10 m/s equivalent impact). Inspect bat... | Test |
| VER-REQ-046 | SIL 2 | Verify SUB-REQ-006: Mount ESC in nominal airframe thermal environment (enclosed fuselage, no forced airflow). Run motor at 75% throttle for 10 minutes... | Test |
| VER-REQ-047 | SIL 2 | Verify SUB-REQ-009: Bind transmitter and receiver. Configure failsafe (throttle 0%, servos neutral). Power cycle receiver only. Block TX RF for 2 seco... | Test |
| VER-REQ-050 | SIL 2 | Verify SUB-REQ-013: Discharge 2S LiPo until cell 1 is at 3.4V. Connect to powered ESC/motor bench setup. Reduce load until cell 1 drops below 3.3V. Me... | Test |
| VER-REQ-051 | SIL 2 | Verify SUB-REQ-015: Discharge 2S LiPo to 3.7V/cell. Connect to charger under test. Monitor individual cell voltages at 1-second intervals. Charge at r... | Test |
| VER-REQ-052 | SIL 2 | Verify SUB-REQ-018: Bind TX and RX. With aircraft powered, interrupt RF signal (Faraday bag or power off TX). Start stopwatch. Measure time until ESC ... | Test |
| VER-REQ-054 | SIL 2 | Verify SUB-REQ-022: Assemble complete aircraft with LiPo battery installed and latched. Drop aircraft nose-first from height producing 10 m/s impact v... | Test |
| VER-REQ-071 | SIL 2 | Verify IFC-REQ-021: Inspect power distribution PCB for XT30 polarised connector rating marking and PTC fuse placement. Attempt reverse polarity connec... | Test |
| VER-REQ-076 | SIL 2 | Verify SYS-REQ-004: Power aircraft and transmitter. Confirm all control surfaces deflect to commanded positions within 50 ms and motor responds to thr... | Test |
| VER-REQ-077 | SIL 2 | Verify SYS-REQ-005: Connect deeply discharged 2S LiPo to charger. Monitor each cell voltage and battery surface temperature with calibrated thermistor... | Test |
| VER-REQ-078 | SIL 2 | Verify SYS-REQ-006: Mount propeller on motor at rated RPM (6000 rpm). Strike rotating blade with calibrated force gauge rod at a perpendicular directi... | Test |
| VER-REQ-080 | SIL 1 | Verify SYS-REQ-008: Drop assembled aircraft nose-first from 5 m height onto level grass surface (equivalent to 10 m/s impact velocity). Inspect aircra... | Test |
| VER-REQ-082 | SIL 2 | Verify SYS-REQ-010: Connect aircraft to variable bench supply simulating 2S LiPo discharge. Reduce per-cell voltage from 3.5V through 3.3V to 3.0V in ... | Test |
| VER-REQ-095 | SIL 2 | Verify post-crash battery safety protocol: (a) Inspect final production quick-start guide and printed safety card for mandatory post-crash battery dis... | Test |
| VER-REQ-099 | SIL 1 | Verify STK-REQ-005 (kinetic energy limit): Measure total flight-ready mass on calibrated scales (aircraft, battery, propeller). Record maximum level-f... | Test |
| VER-REQ-104 | SIL 1 | Verify STK-REQ-014 (RF coexistence): Operate aircraft in an environment with at least 5 co-located 2.4 GHz Wi-Fi access points measured by spectrum an... | Test |
| VER-REQ-106 | SIL 1 | Verify IFC-REQ-023 (bind protocol exclusivity): Bind transmitter A to receiver. Power on transmitter B (identical make and model). Command full thrott... | Test |
| VER-REQ-107 | SIL 1 | Verify IFC-REQ-024 (RSSI-triggered failsafe): Bind transmitter and receiver. Monitor RSSI output on receiver telemetry port with oscilloscope. Increme... | Test |
| VER-REQ-110 | SIL 2 | Verify SUB-REQ-035 (gate driver dead-time): Connect dual-channel oscilloscope probes to high-side and low-side gate pins of one MOSFET half-bridge. Se... | Test |

Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

flowchart TD
G0["<b>G0: Top Goal</b><br/>Kids Remote Control Airplane is acceptably safe"]
S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
G0 --> S0
G1["<b>G1: H-001</b><br/>Propeller strike causing laceration or eye injury during han...<br/>SIL 2"]
S0 --> G1
Sn0_0(["<b>SUB-REQ-001</b>"])
G1 --> Sn0_0
Sn0_1(["<b>SUB-REQ-025</b>"])
G1 --> Sn0_1
Sn0_2(["<b>SYS-REQ-006</b>"])
G1 --> Sn0_2
G2["<b>G2: H-002</b><br/>LiPo battery thermal runaway causing fire and toxic fumes af...<br/>SIL 2"]
S0 --> G2
Sn1_0(["<b>SUB-REQ-028</b>"])
G2 --> Sn1_0
Sn1_1(["<b>SUB-REQ-035</b>"])
G2 --> Sn1_1
Sn1_2(["<b>SYS-REQ-005</b>"])
G2 --> Sn1_2
G3["<b>G3: H-003</b><br/>Aircraft flyaway beyond VLOS due to wind, disorientation, or...<br/>SIL 1"]
S0 --> G3
Sn2_0(["<b>SUB-REQ-004</b>"])
G3 --> Sn2_0
Sn2_1(["<b>SUB-REQ-026</b>"])
G3 --> Sn2_1
Sn2_2(["<b>SYS-REQ-004</b>"])
G3 --> Sn2_2
G4["<b>G4: H-004</b><br/>Uncontrolled or failsafe aircraft descent striking bystander...<br/>SIL 1"]
S0 --> G4
Sn3_0(["<b>SYS-REQ-008</b>"])
G4 --> Sn3_0
Sn3_1(["<b>SYS-REQ-012</b>"])
G4 --> Sn3_1
G5["<b>G5: H-005</b><br/>Exposed battery wiring after crash causing burns from short-...<br/>SIL 1"]
S0 --> G5
Sn4_0(["<b>SYS-REQ-008</b>"])
G5 --> Sn4_0
G6["<b>G6: H-006</b><br/>RF interference or cross-binding causing loss of control whe...<br/>SIL 1"]
S0 --> G6
Sn5_0(["<b>IFC-REQ-023</b>"])
G6 --> Sn5_0
Sn5_1(["<b>SUB-REQ-033</b>"])
G6 --> Sn5_1
Sn5_2(["<b>VER-REQ-106</b>"])
G6 --> Sn5_2
G7["<b>G7: H-007</b><br/>Small detachable parts (propeller nut, control horns, batter...<br/>SIL 1"]
S0 --> G7

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).

# GSN Safety Case — Kids Remote Control Airplane
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "Kids Remote Control Airplane is acceptably safe"
    type: top-goal
    supported_by: [S0]
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7]
  G1:
    text: "H-001: Propeller strike causing laceration or eye injury during hand launch, landing catch, or ground handling with motor armed"
    sil: 2
    safe_state: "motor de-energised, propeller stationary"
    supported_by: [SUB-REQ-001, SUB-REQ-025, SYS-REQ-006, VER-REQ-047, VER-REQ-052]
    evidence: [VER-REQ-078]
  G2:
    text: "H-002: LiPo battery thermal runaway causing fire and toxic fumes after crash damage, overcharge, or cell imbalance"
    sil: 2
    safe_state: "battery disconnected and isolated in fireproof container, charger power removed"
    supported_by: [SUB-REQ-028, SUB-REQ-035, SYS-REQ-005, SYS-REQ-010, SYS-REQ-013, VER-REQ-028, VER-REQ-050, VER-REQ-054, VER-REQ-110]
    evidence: [VER-REQ-084, SUB-REQ-014]
  G3:
    text: "H-003: Aircraft flyaway beyond VLOS due to wind, disorientation, or control link failure, striking people or property"
    sil: 1
    safe_state: "motor cut, controlled glide descent via failsafe"
    supported_by: [SUB-REQ-004, SUB-REQ-026, SYS-REQ-004]
    evidence: []
  G4:
    text: "H-004: Uncontrolled or failsafe aircraft descent striking bystander, causing blunt force injury from 500g mass at 15-25 m/s"
    sil: 1
    safe_state: "motor off, aircraft on ground, minimum energy state"
    supported_by: [SYS-REQ-008, SYS-REQ-012]
    evidence: [VER-REQ-089]
  G5:
    text: "H-005: Exposed battery wiring after crash causing burns from short-circuit heating (20-40A through damaged conductors) when child handles wreckage"
    sil: 1
    safe_state: "battery connector unplugged, no current flow"
    supported_by: [SYS-REQ-008]
    evidence: []
  G6:
    text: "H-006: RF interference or cross-binding causing loss of control when multiple RC aircraft operate in proximity"
    sil: 1
    safe_state: "receiver enters failsafe on loss of bound transmitter signal"
    supported_by: [IFC-REQ-023, SUB-REQ-033, VER-REQ-106]
    evidence: []
  G7:
    text: "H-007: Small detachable parts (propeller nut, control horns, battery connector) presenting choking hazard to siblings under 3, and button cell ingestion risk causing chemical burns"
    sil: 1
    safe_state: "small parts secured, battery compartment child-proofed with screw closure"
    supported_by: []
    evidence: []
solutions:
  IFC-REQ-007:
    text: "The interface between the Electronic Speed Controller MOSFET Half-Bridge and the Brushless DC Motor SHALL provide three-"
    verification: Test
    sil: 2
  IFC-REQ-008:
    text: "The mechanical interface between the Brushless DC Motor shaft and the Propeller SHALL maintain positive engagement under"
    verification: Test
    sil: 2
  IFC-REQ-021:
    text: "The interface between the LiPo Battery Pack and the Power Distribution PCB SHALL use an XT30 polarised connector rated t"
    verification: Inspection
    sil: 2
  IFC-REQ-022:
    text: "The interface between the AC-DC Power Supply Module and the LiPo Balance Charger IC SHALL provide 12 V DC at up to 500 m"
    verification: Test
    sil: 2
  IFC-REQ-023:
    text: "The interface between the Radio Transmitter and the Flight Control Electronics Receiver during the binding procedure SHA"
    verification: Test
    sil: 1
  IFC-REQ-024:
    text: "The interface between the Radio Transmitter RF Module and the Flight Control Electronics Receiver SHALL convey a Receive"
    verification: Test
    sil: 1
  IFC-REQ-025:
    text: "The interface between the Electronic Speed Controller MCU and the MOSFET Gate Driver IC SHALL use 3.3 V CMOS logic level"
    verification: Test
    sil: 2
  IFC-REQ-026:
    text: "The interface between the Radio Transmitter Joystick Axes and the 2.4 GHz RF Module SHALL sample stick position at a min"
    verification: Test
    sil: 1
  SUB-REQ-001:
    text: "The Propulsion Subsystem ESC SHALL respond to a PWM throttle command change from idle to full (1000 us to 2000 us) with "
    verification: Test
    sil: 2
  SUB-REQ-002:
    text: "The Propulsion Subsystem Brushless DC Motor SHALL generate a minimum thrust of 80 g when supplied with the nominal 7.4 V"
    verification: Test
    sil: 2
  SUB-REQ-003:
    text: "The Propulsion Subsystem Propeller SHALL fragment or plastically deform on impact with a rigid surface at a blade tip ve"
    verification: Test
    sil: 2
  SUB-REQ-004:
    text: "When any LiPo cell voltage drops below 3.3 V, the ESC SHALL progressively reduce motor power by 50% per 100 mV below the"
    verification: Test
    sil: 2
  SUB-REQ-007:
    text: "The Radio Transmitter SHALL transmit a new control frame containing proportional stick positions within 20 ms of a stick"
    verification: Test
    sil: 1
  SUB-REQ-008:
    text: "The Radio Transmitter 2.4GHz RF Module SHALL maintain a frame loss rate of less than 1 percent during transmission to th"
    verification: Test
    sil: 1
  SUB-REQ-009:
    text: "The Radio Transmitter SHALL support a bind-time configurable failsafe output state, transmittable as a distinct packet t"
    verification: Demonstration
    sil: 1
  SUB-REQ-010:
    text: "The Power System LiPo Battery Pack SHALL provide a minimum usable capacity of 400 mAh at a 10C continuous discharge rate"
    verification: Test
    sil: 2
  SUB-REQ-011:
    text: "The Power System 5V BEC SHALL maintain output voltage between 4.75 V and 5.25 V under loads from 0 mA to 1500 mA, with t"
    verification: Test
    sil: 2
  SUB-REQ-012:
    text: "The Power System LiPo Battery Pack SHALL have a total mass not exceeding 30 g when fully charged."
    verification: Inspection
    sil: 2
  SUB-REQ-013:
    text: "When any individual LiPo cell voltage drops below 3.3 V during discharge, the Power System SHALL signal the ESC to engag"
    verification: Test
    sil: 2
  SUB-REQ-014:
    text: "The Power Distribution PCB SHALL incorporate a resettable PTC fuse rated to interrupt current at 8 A within 1 second to "
    verification: Test
    sil: 2
  SUB-REQ-015:
    text: "The Ground Charging System LiPo Balance Charger IC SHALL terminate charging when any individual cell voltage reaches 4.2"
    verification: Test
    sil: 2
  SUB-REQ-016:
    text: "The Ground Charging System LiPo Balance Charger IC SHALL charge a fully depleted 450 mAh 2S LiPo pack to 95 percent capa"
    verification: Test
    sil: 2
  SUB-REQ-017:
    text: "The Ground Charging System Charge Status LED Indicator SHALL display red during active charging and green upon charge co"
    verification: Test
    sil: 2
  SUB-REQ-018:
    text: "The Flight Control Electronics 2.4GHz FHSS Receiver SHALL initiate failsafe output within 500 ms of detecting loss of va"
    verification: Test
    sil: 1
  SUB-REQ-019:
    text: "The Flight Control Electronics Flight Control MCU SHALL apply gyro-assisted stability augmentation to limit bank angle e"
    verification: Test
    sil: 1
  SUB-REQ-020:
    text: "The Flight Control Electronics Elevator Servo and Rudder Servo SHALL each achieve full deflection travel (10 mm) in less"
    verification: Test
    sil: 1
  SUB-REQ-021:
    text: "The Flight Control Electronics subsystem (receiver, FCE board with MCU and IMU, two servos, and all interconnect wiring)"
    verification: Inspection
    sil: 1
  SUB-REQ-022:
    text: "The Airframe Subsystem EPP Foam Fuselage SHALL withstand a 10 m/s nose-first impact onto a grass surface without battery"
    verification: Test
    sil: 1
  SUB-REQ-023:
    text: "The Airframe Subsystem (fuselage, wing, tail, control surfaces, pushrods, and all structural hardware) total mass SHALL "
    verification: Inspection
    sil: 1
  SUB-REQ-024:
    text: "The Airframe Subsystem Elevator Control Surface and Rudder Control Surface SHALL each provide a minimum neutral-to-full-"
    verification: Inspection
    sil: 1
  SUB-REQ-025:
    text: "When the ESC loses the PWM throttle input signal for more than 100 ms, the Electronic Speed Controller SHALL reduce moto"
    verification: Test
    sil: 2
  SUB-REQ-026:
    text: "The Flight Control Electronics Flight Control MCU SHALL implement stability augmentation using 3-axis gyroscope feedback"
    verification: Test
    sil: 1
  SUB-REQ-027:
    text: "When the Flight Control Electronics 2.4GHz FHSS Receiver does not receive a valid control frame for more than 500 ms, th"
    verification: Test
    sil: 2
  SUB-REQ-028:
    text: "The Airframe Subsystem EPP foam fuselage battery bay SHALL retain the LiPo battery pack under nose-first impact at 10 m/"
    verification: Test
    sil: 2
  SUB-REQ-032:
    text: "The Radio Transmitter 2.4 GHz RF Module SHALL operate at a conducted transmit power not exceeding 100 mW EIRP in complia"
    verification: Test
    sil: 1
  SUB-REQ-033:
    text: "The Radio Transmitter SHALL incorporate a physical bind button that initiates the receiver binding sequence when held fo"
    verification: Test
    sil: 1
  SUB-REQ-034:
    text: "The Electronic Speed Controller MOSFET Half-Bridge SHALL use switching transistors rated for a minimum drain-source brea"
    verification: Test
    sil: 2
  SUB-REQ-035:
    text: "The Electronic Speed Controller Gate Driver IC SHALL enforce a minimum dead-time of 100 ns between the high-side and low"
    verification: Test
    sil: 2
  SUB-REQ-036:
    text: "The Electronic Speed Controller Microcontroller SHALL execute the motor commutation loop with a maximum cycle time of 20"
    verification: Test
    sil: 2
  SUB-REQ-037:
    text: "The Flight Control Electronics 2.4 GHz FHSS Receiver SHALL output a CPPM stream at 50 Hz frame rate on a single signal w"
    verification: Test
    sil: 1
  SYS-REQ-003:
    text: "The aircraft SHALL incorporate gyro-assisted stability augmentation that limits bank angle to ±45 degrees and pitch angl"
    verification: Test
    sil: 1
  SYS-REQ-004:
    text: "When the receiver detects loss of valid control frames for more than 500 ms, the Kids Remote Control Airplane SHALL cut "
    verification: Test
    sil: 1
  SYS-REQ-005:
    text: "The balance charger SHALL monitor individual cell voltage during charging with automatic charge termination when any cel"
    verification: Test
    sil: 2
  SYS-REQ-006:
    text: "The propeller SHALL be constructed from a material that yields or fragments on impact with a force not exceeding 15 N, p"
    verification: Test
    sil: 2
  SYS-REQ-008:
    text: "The aircraft airframe SHALL withstand a 10 m/s nose-first impact onto grass without battery ejection, exposure of electr"
    verification: Test
    sil: 1
  SYS-REQ-010:
    text: "The ESC SHALL progressively reduce motor power when battery cell voltage drops below 3.3 V and SHALL cut motor power com"
    verification: Test
    sil: 1
  SYS-REQ-011:
    text: "The Kids Remote Control Airplane total flight-ready mass (airframe, LiPo pack, avionics, propulsion) SHALL not exceed 25"
    verification: Test
    sil: 1
  SYS-REQ-012:
    text: "The Kids Remote Control Airplane SHALL display EN 71 Part 1 and ASTM F963 mandatory safety labelling on the airframe and"
    verification: Inspection
    sil: 1
  SYS-REQ-013:
    text: "Following any unplanned ground contact, the Kids Remote Control Airplane product documentation SHALL require the user to"
    verification: Inspection
    sil: 2
  VER-REQ-003:
    text: "Verify SUB-REQ-004: Power ESC from variable bench supply. Set 100% throttle, then reduce supply voltage per-cell below 3"
    verification: Test
    sil: 2
  VER-REQ-016:
    text: "Verify SUB-REQ-013: Power the ESC from a variable bench supply set to 8.4V (full charge). Drive motor to 50% throttle. R"
    verification: Test
    sil: 2
  VER-REQ-017:
    text: "Verify SUB-REQ-010: Discharge new battery pack at 2.5A constant current (representing mean cruise power) from 8.4V until"
    verification: Test
    sil: 2
  VER-REQ-019:
    text: "Verify SUB-REQ-015: Connect a 2S LiPo pack with one cell at 4.18V and one at 4.17V to the charger. Apply a bench supply "
    verification: Test
    sil: 2
  VER-REQ-021:
    text: "Verify SUB-REQ-018: Bind transmitter to receiver. Power system on. Using oscilloscope, monitor receiver throttle output "
    verification: Test
    sil: 1
  VER-REQ-022:
    text: "Verify SUB-REQ-019: Mount aircraft in 3-axis gimbal. Apply maximum stick deflection on pitch axis. Use digital inclinome"
    verification: Test
    sil: 1
  VER-REQ-023:
    text: "Verify SUB-REQ-022: Load battery into aircraft. Drop aircraft nose-first from height of 5.1 m onto a grass surface (impa"
    verification: Test
    sil: 1
  VER-REQ-028:
    text: "Verify SUB-REQ-014: Connect a calibrated constant-current load to the power distribution PCB output. Ramp current to 8 A"
    verification: Test
    sil: 2
  VER-REQ-029:
    text: "Verify SUB-REQ-016: Fully discharge a 450 mAh 2S LiPo to 3.0 V/cell. Connect to charger set at 0.5C (225 mA). Record cha"
    verification: Test
    sil: 2
  VER-REQ-040:
    text: "Verify SUB-REQ-025: Connect ESC to motor test stand. Apply 1500 us throttle via signal generator. Disconnect PWM signal "
    verification: Test
    sil: 2
  VER-REQ-041:
    text: "Verify SUB-REQ-026: Mount aircraft in 3-axis gimbal with FCE powered in beginner mode. Command 60-degree bank via transm"
    verification: Test
    sil: 1
  VER-REQ-042:
    text: "Verify SUB-REQ-027: Bind transmitter to receiver. Set failsafe channel positions. Power aircraft without transmitter act"
    verification: Test
    sil: 2
  VER-REQ-043:
    text: "Verify SUB-REQ-028: Install LiPo battery in aircraft. Drop aircraft from 0.5m height onto concrete (nose-first, 10 m/s e"
    verification: Test
    sil: 2
  VER-REQ-046:
    text: "Verify SUB-REQ-006: Mount ESC in nominal airframe thermal environment (enclosed fuselage, no forced airflow). Run motor "
    verification: Test
    sil: 2
  VER-REQ-047:
    text: "Verify SUB-REQ-009: Bind transmitter and receiver. Configure failsafe (throttle 0%, servos neutral). Power cycle receive"
    verification: Test
    sil: 2
  VER-REQ-050:
    text: "Verify SUB-REQ-013: Discharge 2S LiPo until cell 1 is at 3.4V. Connect to powered ESC/motor bench setup. Reduce load unt"
    verification: Test
    sil: 2
  VER-REQ-051:
    text: "Verify SUB-REQ-015: Discharge 2S LiPo to 3.7V/cell. Connect to charger under test. Monitor individual cell voltages at 1"
    verification: Test
    sil: 2
  VER-REQ-052:
    text: "Verify SUB-REQ-018: Bind TX and RX. With aircraft powered, interrupt RF signal (Faraday bag or power off TX). Start stop"
    verification: Test
    sil: 2
  VER-REQ-054:
    text: "Verify SUB-REQ-022: Assemble complete aircraft with LiPo battery installed and latched. Drop aircraft nose-first from he"
    verification: Test
    sil: 2
  VER-REQ-071:
    text: "Verify IFC-REQ-021: Inspect power distribution PCB for XT30 polarised connector rating marking and PTC fuse placement. A"
    verification: Test
    sil: 2
  VER-REQ-076:
    text: "Verify SYS-REQ-004: Power aircraft and transmitter. Confirm all control surfaces deflect to commanded positions within 5"
    verification: Test
    sil: 2
  VER-REQ-077:
    text: "Verify SYS-REQ-005: Connect deeply discharged 2S LiPo to charger. Monitor each cell voltage and battery surface temperat"
    verification: Test
    sil: 2
  VER-REQ-078:
    text: "Verify SYS-REQ-006: Mount propeller on motor at rated RPM (6000 rpm). Strike rotating blade with calibrated force gauge "
    verification: Test
    sil: 2
  VER-REQ-080:
    text: "Verify SYS-REQ-008: Drop assembled aircraft nose-first from 5 m height onto level grass surface (equivalent to 10 m/s im"
    verification: Test
    sil: 1
  VER-REQ-082:
    text: "Verify SYS-REQ-010: Connect aircraft to variable bench supply simulating 2S LiPo discharge. Reduce per-cell voltage from"
    verification: Test
    sil: 2
  VER-REQ-095:
    text: "Verify post-crash battery safety protocol: (a) Inspect final production quick-start guide and printed safety card for ma"
    verification: Test
    sil: 2
  VER-REQ-099:
    text: "Verify STK-REQ-005 (kinetic energy limit): Measure total flight-ready mass on calibrated scales (aircraft, battery, prop"
    verification: Test
    sil: 1
  VER-REQ-104:
    text: "Verify STK-REQ-014 (RF coexistence): Operate aircraft in an environment with at least 5 co-located 2.4 GHz Wi-Fi access "
    verification: Test
    sil: 1
  VER-REQ-106:
    text: "Verify IFC-REQ-023 (bind protocol exclusivity): Bind transmitter A to receiver. Power on transmitter B (identical make a"
    verification: Test
    sil: 1
  VER-REQ-107:
    text: "Verify IFC-REQ-024 (RSSI-triggered failsafe): Bind transmitter and receiver. Monitor RSSI output on receiver telemetry p"
    verification: Test
    sil: 1
  VER-REQ-110:
    text: "Verify SUB-REQ-035 (gate driver dead-time): Connect dual-channel oscilloscope probes to high-side and low-side gate pins"
    verification: Test
    sil: 2